
Rule #1 when publicizing security incidents: always publish something else to the blog within 1.5 hours so that the security incident isn't the top post.

Edit: semi-tongue-in-cheek per comments below; as a CloudFlare customer I went to the blog when this first came up expecting to see something but bounced when the first post was a discussion of SSL BEAST since that was the hotness back in the fall of 2011.

I do believe it was not planned, but I also feel that vulnerability disclosures should be pinned for a while somehow if possible. I think one way this is done is having a separation between 'new feature' blog and 'ops' blog.



Haha. Wish we were that organized. We have a big announcement on Wednesday and need the announcement about Polish (http://blog.cloudflare.com/introducing-polish-automatic-imag...) and the feature we're announcing tomorrow (Mirage) to come out before then.

I think being among the top stories on Hacker News will take care of people seeing it. And, for the record, I voted the breach story up.


Hey, just wondering, did someone make that infographic by hand or is there some software that does it for you? EDIT: Made by a graphic designer, answered below.

And now I will shamelessly take this moment to request a few features related to account security :-).

* Alerting: SMS or e-mail notification when an unrecognized device logs into my account or when records in my domains change.

* 2-factor Authentication: Prompt for a code delivered via SMS, e-mail, Google Authenticator, or DUO Security to login from an unrecognized device.

* Login Accounting: Let me see what IPs logged into my account, when, geoip info for each, and preferably what actions they took while logged in. Provide an API for this info so I can write an automated script to analyze it for suspicious events.

If you end up making any of these features, it would be cool to open-source a library you used to do it. There are a bunch of large SaaS providers out there that use features like these but they're all homegrown implementations afaik.

Btw, the Google Apps Admin Audit API exists but I have never seen anyone do anything with it and it makes me sad. A few hours with [name a scripting language] and you could probably have a pretty robust Google Apps monitoring system, but no one seems to care: https://developers.google.com/google-apps/admin-audit/get_st...
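As an added illustration of the third feature request above (it is not code from this thread, from CloudFlare, or from Google), here is the kind of automated script a customer could run over a login-accounting feed to flag suspicious events. The record layout (timestamp, IP, geoip country, device fingerprint, actions taken), the set of "known" devices and countries, and the two-hour travel window are all assumptions; a real feed such as the Google Apps Admin Audit API mentioned below would need its own field mapping.

```python
from datetime import datetime, timedelta

# Constructed sample records (assumed shape; not any real provider's API).
# Each record: when the session started, source IP, geoip country,
# device fingerprint, and the actions taken while logged in.
SAMPLE_LOGINS = [
    {"ts": "2012-06-04T09:00:00", "ip": "203.0.113.10", "country": "US",
     "device": "laptop-home", "actions": ["view_dashboard"]},
    {"ts": "2012-06-04T09:20:00", "ip": "203.0.113.10", "country": "US",
     "device": "laptop-home", "actions": ["view_dns"]},
    {"ts": "2012-06-04T09:45:00", "ip": "198.51.100.77", "country": "RO",
     "device": "unknown-7f3a", "actions": ["edit_dns_record", "change_email"]},
    {"ts": "2012-06-05T14:00:00", "ip": "192.0.2.55", "country": "US",
     "device": "phone", "actions": ["view_dashboard"]},
]

# Baseline the account owner maintains (assumed values).
KNOWN_DEVICES = {"laptop-home", "phone"}
KNOWN_COUNTRIES = {"US"}
# Actions worth extra scrutiny when they come from an unfamiliar device.
SENSITIVE_ACTIONS = {"edit_dns_record", "change_email", "change_password"}
# Two logins from different countries closer together than this are
# treated as "impossible travel" (threshold is an assumption).
TRAVEL_WINDOW = timedelta(hours=2)


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def analyze_logins(logins, known_devices, known_countries):
    """Return a list of (reason, timestamp, ip) alerts for suspicious logins.

    Checks performed on each record, in time order:
      - device fingerprint not in the known set
      - geoip country not in the known set
      - country change within TRAVEL_WINDOW of the previous login
      - sensitive action performed from an unrecognized device
    """
    alerts = []
    previous = None
    for rec in sorted(logins, key=lambda r: parse_ts(r["ts"])):
        ts = parse_ts(rec["ts"])
        new_device = rec["device"] not in known_devices

        if new_device:
            alerts.append(("unrecognized_device", rec["ts"], rec["ip"]))
        if rec["country"] not in known_countries:
            alerts.append(("new_country", rec["ts"], rec["ip"]))
        if (previous is not None
                and rec["country"] != previous["country"]
                and ts - parse_ts(previous["ts"]) < TRAVEL_WINDOW):
            alerts.append(("impossible_travel", rec["ts"], rec["ip"]))
        if new_device and any(a in SENSITIVE_ACTIONS for a in rec["actions"]):
            alerts.append(("sensitive_action_from_new_device", rec["ts"], rec["ip"]))

        previous = rec
    return alerts


if __name__ == "__main__":
    for reason, ts, ip in analyze_logins(SAMPLE_LOGINS, KNOWN_DEVICES, KNOWN_COUNTRIES):
        print(f"{ts}  {ip:<16} {reason}")
```

Run against the constructed sample, only the 09:45 login from 198.51.100.77 trips any check, and it trips all four; the later phone login from a known device and country produces nothing. In practice the known-device and known-country sets would be learned from the account's own history and the alerts fed to the SMS or e-mail notification the first bullet asks for.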


Rule #1b: always get hacked the week of WWDC so nothing stays in the news :)


That seems kind of shady, I mean sure it sucks that it happens and it is kind of bad to have it as your top post but publishing just because you don't want it to be the latest post kinda downplays the publicity factor of being honest about what happened.


I'm sure j_s's comment was meant as tongue-in-cheek and not as an actual criticism. I have every confidence that eastdakota's response (http://news.ycombinator.com/item?id=4066982) indicating that it was just a coincidence is true.


