Posts tagged with security

Cloudflare BlogOct 28, 2025

A framework for measuring Internet resilience

Why it matters: This framework helps engineers understand and quantify network resilience, moving beyond abstract concepts to actionable metrics. It provides insights into securing routing, diversifying infrastructure, and building more robust systems to prevent catastrophic outages.

Internet resilience is the measurable ability of a network ecosystem to maintain diverse, secure routing paths and rapidly restore connectivity after disruptions, beyond just uptime.
The Internet's decentralized structure means local decisions by Autonomous Systems (ASes) collectively determine global resilience, emphasizing diverse and secure interconnections.
Resilience requires a multi-layered approach: diverse physical infrastructure, robust network routing hygiene (BGP, RPKI, ROV), and application-level optimizations like CDNs.
Route hygiene, particularly RPKI and Route Origin Validation, is crucial for securing BGP routing against hijacks and leaks, preventing widespread outages.
The article proposes a data-driven framework to quantify Internet resilience using public data, aiming to foster a more reliable and secure global network.

#dist #security #sre

Read original

Cloudflare BlogOct 28, 2025

Keeping the Internet fast and secure: introducing Merkle Tree Certificates

Why it matters: Quantum computers pose a severe threat to current internet security. This initiative introduces Merkle Tree Certificates to proactively transition the WebPKI to quantum-safe cryptography, ensuring future internet security without compromising performance.

Quantum computers threaten current internet cryptography, particularly TLS certificates, by enabling "harvest now, decrypt later" attacks and server impersonation.
Post-Quantum (PQ) algorithms like ML-DSA-44 have significantly larger signatures and public keys (20x increase), which would degrade TLS handshake performance if directly adopted.
Cloudflare, in collaboration with industry partners and IETF, is proposing Merkle Tree Certificates (MTCs) to redesign the WebPKI for PQ authentication.
MTCs aim to drastically reduce the number of public keys and signatures exchanged during a TLS handshake, making PQ certificates performant enough for widespread deployment.
The goal is to enable a smooth transition to quantum-safe authentication today, without waiting for Q-day, and without impacting performance.
Cloudflare is experimentally deploying MTCs in collaboration with Chrome Security to test their real-world impact and ensure safe implementation.

#security #dist

Read original

Cloudflare BlogOct 28, 2025

State of the post-quantum Internet in 2025

Why it matters: Engineers must understand the accelerating threat of quantum computers to current encryption. Proactive migration to post-quantum cryptography is crucial to secure data against future decryption, as Q-day is approaching faster than anticipated.

As of late 2025, over 50% of Cloudflare's human-initiated traffic utilizes post-quantum encryption, mitigating "harvest-now-decrypt-later" attacks.
Quantum computers pose a significant threat to current cryptographic standards like RSA and ECC, necessitating a shift to post-quantum cryptography.
"Q-day," when quantum computers can break current encryption, is estimated to be less than three years after they surpass classical computers in factoring.
Progress towards Q-day involves advancements in both quantum hardware (e.g., qubit count, error correction, scalable architectures like Google's Willow chip) and quantum algorithms.
Different quantum computer technologies (silicon-based, trapped-ion) have varying characteristics regarding scalability, noise, and error correction requirements.

#security

Read original

Engineering at MetaOct 23, 2025

Scaling Privacy Infrastructure for GenAI Product Innovation

Why it matters: This article is crucial for engineers building GenAI products, demonstrating how to integrate privacy-aware infrastructure and data lineage to manage complex data flows, ensure compliance, and accelerate innovation responsibly.

Meta addresses GenAI privacy challenges by scaling its Privacy Aware Infrastructure (PAI), using AI glasses as a key example.
GenAI products like AI glasses introduce new data types, increased volumes, and complex real-time data flows, necessitating robust privacy systems.
Key challenges include managing explosive data growth, adapting to shifting privacy requirements, and supporting rapid innovation cycles.
PAI leverages data lineage insights and automated privacy controls to embed privacy deeply into product development.
This approach enables Meta to accelerate GenAI product innovation while upholding user trust and data protection.

#security #data

Read original

Slack EngineeringSep 4, 2025

Building Slack’s Anomaly Event Response

Why it matters: This article details Slack's Anomaly Event Response, showcasing a real-world example of building a proactive, automated security system. Engineers can learn about designing multi-tiered architectures for real-time threat detection and response, crucial for modern platform security.

Slack's Anomaly Event Response (AER) is a proactive security system that detects and responds to emerging threat behaviors in real-time.
AER automatically terminates suspicious user sessions, reducing the detection-to-response gap from hours/days to minutes.
It targets common threats like Tor access, excessive downloads, data scraping, session fingerprint mismatches, and unusual API patterns.
The system uses a multi-tiered architecture: detection engine, decision framework, and response orchestrator.
Enterprise Grid customers can configure AER to select which anomalies trigger automated responses and notification preferences.
This native solution disrupts attack chains, preventing data exfiltration and system compromise without additional tools or human capital.

#security

Read original

Dropbox Tech BlogJul 10, 2025

Making file encryption fast and secure for teams with advanced key management

Why it matters: Engineers often struggle to balance robust security with system performance. This approach demonstrates how to implement scalable, team-level encryption at rest using HSMs without sacrificing the speed of file sharing or the functionality of content search in a distributed environment.

Dropbox developed a team-based encryption system using Hardware Security Modules (HSM) for secure key generation and storage.
The architecture solves the performance bottleneck of re-encrypting 4MB file blocks during cross-team sharing operations.
Unique top-level keys allow enterprise teams to instantly disable access to their data, providing granular control over sensitive information.
The system balances high security with usability, maintaining features like content search that are often lost in traditional end-to-end encryption.
This security framework serves as the foundation for protecting AI-driven tools like Dropbox Dash and its universal search capabilities.

#security #dist #data

Read original

Slack EngineeringMar 7, 2025

How we built enterprise search to be secure and private

Why it matters: This article details how to build secure, privacy-preserving enterprise search and AI features. It offers a blueprint for integrating external data without compromising user data, leveraging RAG, federated search, and strict access controls. Essential for engineers building secure data platforms.

Slack's enterprise search and AI uphold strict security and privacy by keeping customer data within Slack's trust boundary, utilizing an AWS escrow VPC for LLMs.
The system employs Retrieval Augmented Generation (RAG) instead of training Large Language Models (LLMs) on customer data, ensuring data privacy and preventing retention.
Enterprise search operates on a federated, real-time model, never storing external source data in Slack's databases, but rather fetching it via partner APIs.
Access to external content is strictly permissioned based on the user's existing Access Control Lists (ACLs) and requires explicit user/admin consent, adhering to the principle of least privilege.
External data and permissions are always up-to-date with the source system, ensuring accuracy and compliance.
Search Answer summaries generated by the AI are ephemeral, shown to the user and immediately discarded, further enhancing privacy.

#security #data #dist

Read original

Instagram EngineeringJan 25, 2020

Five things I learned about working on content quality at Instagram

Why it matters: Managing content quality at scale requires balancing real-time signals with static analysis. This approach shows how to operationalize quality metrics and use multi-stage ML pipelines to protect users while maintaining high-performance recommendation systems.

Combined manual labeling with classifier scores to create calibrated metrics for statistically significant A/B testing results.
Developed 'read-path' models that utilize real-time engagement signals like comments and likes to improve detection precision.
Maintained 'write-path' filters at the sourcing level to handle low-prevalence violations and ensure a baseline of benign content.
Implemented a multi-stage pipeline that balances high-precision sourcing filters with fine-tuned ranking models.
Established continuous model performance tracking to identify edge cases and maintain user safety standards.

#mlp #data #security

Read original

Page 12 of 12

Prev 1...10 11 12Next