Chaos in the Cloudflare Lisbon Office
Role of the chaos wall in Cloudflare’s security
- Multiple commenters say the wave wall (like the lava lamps and pendulums in other offices) is a real entropy source but not mission‑critical.
- Cloudflare staff state it’s one of many entropy inputs; if it fails or is corrupted, global entropy generation is unaffected.
- Consensus: it’s additive “nice-to-have” entropy layered on top of conventional RNGs, not a single point of failure.
Randomness sources and technical debate
- Several point out that Linux’s RNG and hardware TRNGs (e.g., thermal noise, Zener diodes) are already sufficient.
- Some argue the main entropy comes from camera sensor noise; the chaotic visual scene is largely a visual metaphor. A lens cap or dark scene would still yield randomness.
- Others mention the risk of combining entropy sources: a malicious or adversarial source might bias a combined RNG; links are shared to arguments about this threat model.
- Simple combinations like XOR with a static value preserve randomness if at least one source is good, but concatenation/XOR strategies must be implemented carefully.
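
The XOR point in the bullets above, as an added example (not code from the thread or from Cloudflare): XOR with a static or dead input leaves a good source intact, while an input that depends on the good source cancels it. All source names and values are constructed for illustration, and `secrets.token_bytes` is an assumption standing in for a healthy source.

```python
import hashlib
import secrets


def xor_mix(a: bytes, b: bytes) -> bytes:
    """Combine two equal-length source outputs with XOR."""
    if len(a) != len(b):
        raise ValueError("XOR mixing needs equal-length inputs")
    return bytes(x ^ y for x, y in zip(a, b))


def hash_mix(*sources: bytes) -> bytes:
    """Combine inputs with SHA-256, length-prefixing each one so that
    ("ab", "c") and ("a", "bc") do not collapse to the same digest."""
    h = hashlib.sha256()
    for s in sources:
        h.update(len(s).to_bytes(8, "big"))
        h.update(s)
    return h.digest()


def ones_fraction(data: bytes) -> float:
    """Fraction of 1 bits; close to 0.5 for uniform data, 0.0 for all zeros."""
    return sum(bin(b).count("1") for b in data) / (8 * len(data))


def compare(n: int = 4096) -> dict:
    good = secrets.token_bytes(n)  # assumption: stands in for a healthy source
    static = b"\xa5" * n           # constructed: fixed, publicly known value
    dead = bytes(n)                # constructed: failed source stuck at zero
    copycat = good                 # constructed: source that replays `good`
    return {
        "xor_static": ones_fraction(xor_mix(good, static)),
        "xor_dead_is_good": xor_mix(good, dead) == good,
        "xor_copycat": ones_fraction(xor_mix(good, copycat)),
        "hash_copycat": ones_fraction(hash_mix(good, copycat)),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:18} {value}")
```

Hashing removes the cancellation seen with the dependent input, but it does not by itself address a source that can choose its output after seeing the others, which is the threat model the linked arguments discuss.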
Reliability, attack scenarios, and modeling
- Hypothetical “terrorist cuts power to the wall” is dismissed as irrelevant due to redundancy across sites and other entropy sources.
- Questions about whether environmental regularities (lighting, temperature) could reduce randomness lead to a fluid‑dynamics discussion: turbulent flow is chaotic and practically impossible to predict with useful precision.
PR, marketing, and recruiting angle
- Many label the wall “1000x PR/show”: negligible security gain, minimal risk, lots of blog and branding value.
- Some see it as “blog-driven engineering” aimed at recruiting and employer branding; likely very high ROI compared to typical marketing spend.
- A few caution that less‑equipped teams shouldn’t copy this as a primary RNG design.
Cloudflare trust, support, and privacy concerns
- One indie developer relates a billing error and slow support, seeing this as hostile to small customers; others argue leadership jumping into HN to fix issues is positive but not a scalable solution.
- Old incidents like Cloudbleed are mentioned as lingering trust concerns.
- A side thread accuses Cloudflare of logging usernames/passwords; other commenters and Cloudflare rebut this, emphasizing privacy‑preserving credential checking rather than password logging.
- Some frame the chaos wall and similar posts as distraction from broader issues (MITM role, logging debates).
Lisbon office and local context
- Many admire the Lisbon office and view; discussion veers into Lisbon vs San Francisco, tourism, expats, real‑estate pressure, and relatively low local salaries.
- Cloudflare’s European hiring (especially Portugal) is discussed as both cost‑driven and innovation‑driven; rumors of “offshoring to India” are explicitly denied.
Historical and cultural references
- SGI’s 1990s Lavarand system is cited as a clear precedent; its patent has expired and Cloudflare’s work is seen as a spiritual successor.
- Commenters riff on sci‑fi scenarios about “entropy terrorists,” references to TV shows, art installations, and long‑standing fascination with physical randomness.