The Cloudflare Thing

Three parts: 1) Who are Cloudflare, 2) What Happened, 3) What Do You Need To Do?

1) Cloudflare is a service that large websites – including my former employer – use as a first-bastion protection against hackers. Basically you point your public website details at them, and they mostly just forward it on to your real servers, but if there’s an attack then they’ll work out which connections to block so your site stays up. Optionally, they’ll also do things like replace email addresses in your page with weird things that look the same but can’t be harvested by robots looking for people to spam.

2) It’s this last thing that got them into trouble. The bit of their system that rewrote webpages had a bug that, given badly-coded sites, some options turned on, and a couple of other variables – would dump into the non-visual bit of the page whatever the server was thinking about at the time. Because these servers are dealing with a lot of requests at the same instant, this could be the passwords of someone sending a login form to that site over there, or a token that would allow you to assume someone else’s shopping basket, or whatever.

Cloudflare are fairly switched on, and when notified immediately turned off the broken feature and managed to deploy a fix within a couple of hours, but by that time the bug had been around a couple of weeks, so the leaked data was cached in places like Google’s web cache. Google have purged all these now.

3) Cloudflare have over 5 million clients, ranging from me-as-Aquarion with my tinpot blog engine through to people like Elsevier, Patreon, Blizzard. Not all of them had their data leaked as part of this, and the ones who have, have been notified by Cloudflare. Those companies should be sending out notifications or password reset systems. To repeat: Just because the website was using Cloudflare’s services does not necessarily mean your password has been leaked, or their service was affected.

Full fallout from this will come in the form of security advisories in the next little while. It’s generally a good idea to rotate passwords occasionally (especially for high profile sites like Facebook, Amazon, Google) and to turn on Two Factor authentication for sites that enable it.

I use a password manager (Lastpass, Can also recommend OnePassword and Dashlane) and centralised 2FA system (Authy is mine, but Lasspass do one and Google’s own is the standard everyone else implements)


Week Seven


And, as if by magic, I have a new job. Less involved, less senior, and not entirely on-path; but better paid, more interesting and without any commute at all.

This week will be my last week at ELS, and I’m trying hard not to check out. I’m handing over projects, moving code out of my private area on our git servers, creating lists of accounts I have that need to be deactivated, attempting to empty my brain of Company Information into wiki form.

Three point five working days remaining.


I’m now up to two tabletop games in active play. A D&D dungeon descent, and an arctic adventure of aberrant abominations. Both the same day alternate weeks, but fortunately tessellating ones. They’re both fun, though wildly different in style and play, and I keep meaning to write up a couple of diary entries. Partly to keep my characters’ state in my head, but also for fun.

I’ve not had much computer gaming time this last fortnight, the uptick in my sociality has put a dent in my dedication, but I’m still working through the most recent World of Warcraft expansion’s new areas. I fell out of Factorio shortly after that diary entry – as a friend predicted, the requirement to entirely rebuild large parts of my factory to keep up with new inventions got wearing. I need to ration new games for a little while – new job has a pay-cheque gap – so it may be a good time to go through my steam list and try to complete some things.

In LARP, Last weekend was Happily Ever After, a one-shot game about fairytales, where I was one of the NPC / “Monster” crew. I can’t think of anything better than what I said on Facebook about it, so some copypaste:

Me as Santa for Happily Ever After

So, this weekend I lived Happily Ever After, a larp based in a world where Fairytales come to the real world. Somewhere on the axis of Fables and Once Upon A Time.

I went in with a mixture of excitement and apprehension. I had a long-running NPC role (Father Christmas) but didn’t really have a handle on how to play him, and was hoping it evolved in play (it didn’t, really, I got some lovely moments, but never really found a place. Still a fun role, and now I need to find another use for a bright red suit…). However, the bit I was more worried about – the kind of actual monstering respawning-gribbly roles I haven’t really done since CUTT – was far more fun than I ever hoped for. I’m massively out of practice in LARP fights, but even with three to five of us respawning against a 30+ character party we managed to cause enough chaos to keep it fun. Especially, I loved playing a Large Ham Grail Wizard, Declaiming every sentence and attempting to turn the quest for the holy grail into the Epic Tale it probably should be.

Plus, I very nearly killed Peter Pan as a protester, attempted to behead Rumplestiltskin as a Wonderland playing card, and got to – as Santa – tell Captain Hook there wasn’t enough coal in the world to get them a present. And what more can you ask from a weekend?

This weekend was the Durham Treasure Trap banquet. I’ve been wanting to attend this for a while, but the last couple of years had to pull out at the last minute. The event was a lot of fun, the banquet itself was amazing (The centrepiece – pictured below – was a giant worm filled with slow cooked pork was delicious, and the beer-baked salmon and armoured turnips were highlights) although the logistics, time and expense of getting up to Durham for an evening was somewhat excessive. I suspect that if I did it again, it would be part of a longer trip either to Durham or as some kind of Northern Invasion. It was nice to see people I only generally get to talk to in character or in passing for a more social event, though.


As alluded to above, this year – escalating the last six months – I’ve increased my actual non-work-based human contact significantly. The advantage of moving from London is that casual social has become a lot easier to arrange (the distances are smaller), but Oxford’s lesser status as a public transport nexus means it’s harder to go see friends who don’t live here. I’ve not managed a weekend this year without some kind of major social thing, which is mostly good, but somewhat exhausting. Next weekend is ring-fenced as “Do not schedule”, and I’ve got the week after that off to fix bits of my life that have been neglected this year, like my company and mountainous piles of post and pending laundry.


Week Five – Spiralling Upwards

Less great at the weekly thing than I’d hoped, to be honest, so the traditional WRP format returns.



Today’s crunch day, in several respects. Four weeks is the point where we have to push the big red button with HR saying “This person is leaving”. Today I’ve got to get my holiday requests in and any other outstanding things fixed on my record, and it’s coming close to the wire for if they can find a way to make me stay. So far I’m informed that in a meeting a couple of weeks ago that I wasn’t invited to, people were told I was “Probably not actually leaving” and “Offered a new role in London”, so I’m feeling kind of gas-lit as well as ill-inclined to stay, not that I’ve had any communication at all.

So I’m documenting all the things and attempting to get my ducks in a row, and assuming the future doesn’t have this desk in it.


A number of interesting conversations with a series of interesting places, none of which have resulted in any kind of forward motion yet, but four weeks is traditionally the point where I can start getting contracts in advance, so I’m hoping for some movement on that front this week.



Part of my lack of ability to do weekly updates is that I’m doing something larp related most weekends until mid-March. I missed The Smoke (a larp convention thing) at the start of the year due to a pile-up of stuff, but on the 14th and this past weekend were events for Slayers, the LARP set in the Buffy/Angel universe. One a social gathering with background weirdness, the other a psychological horror with added apocalypse, they demonstrated the range of things you can do within a single universe with the right setting. This weekend will be an Empire event, then the week after Happily Ever After, where I’m helping crew an event based around fairytales and their place in the real world. My resolution to do more LARP is going well, I think.

Computer Games

Currently nearing the end of my holiday in WoW, I think. Legion’s interesting, but the last couple of zones aren’t holding my interest and I’m not dedicated enough to start faffing around with raid builds. The last few evenings I’ve had playing things have been drunk by Factorio, which sits in the middle of a triangle made from the obsessive automation of SpaceChem, the crafting spiral of Minecraft, and the soothing production flow perfectionism of the original two Settlers games. It is Very Dangerous.


More productive on Fiction stuff than normal. I’m quite proud of Cats & Dragons, and I’ve poured some more words into The Book. I’ve also started the process of unstitching Piracy Inc until I get to where I made some fundamental design mistakes, so with any luck can start to move on with that soon.