CMS

Tag: Capital Markets Authority blockchain

  • When Cloudflare Sneezes, the Internet Catches a Cold

    When Cloudflare Sneezes, the Internet Catches a Cold

    Today proved one thing: most of us don’t build software – we duct-tape services together.

    On 18th November 2025, a lot of us had the same morning:

    • X (Twitter) wasn’t loading.
    • ChatGPT was throwing errors.
    • Spotify, Canva, gaming platforms, government portals – all shaky or down. Reuters+1

    Developers scrambled to check their servers, only to realize: our code was fine.
    The problem was further upstream, inside a company most normal users have never heard of: Cloudflare.

    This outage was the perfect live demo of an uncomfortable truth:

    We don’t really “build” software anymore. We assemble stacks of third-party services, wrap them in code, and hope the duct tape holds.

    Let’s unpack what actually happened, and what it says about how we build.

    So… what went wrong at Cloudflare?

    Cloudflare later explained the root cause in a postmortem and public statements:

    • They maintain an automatically generated configuration file that helps manage “threat traffic” (bot mitigation / security filtering). The Cloudflare Blog+1
    • Over time, this file grew far beyond its expected size.
    • A latent bug – a bug that only shows up under specific conditions – existed in the software that reads that file.
    • On 18th November, a routine configuration change hit that edge case: the bloated config triggered that bug, causing the traffic-handling service to crash repeatedly. Financial Times+1

    Because this service sits in the core path of Cloudflare’s network, the crashes produced:

    • HTTP 500 errors
    • Timeouts
    • Large parts of the web effectively going dark for a few hours The Verge+1

    Cloudflare stressed that:

    • There’s no evidence of a cyberattack
    • It was a software + configuration issue in their own systems ABC+1

    In very simple language:

    One auto-generated file became too big, hit a hidden bug, crashed a critical service, and because that service sits in front of a huge portion of the internet, the whole world felt it.

    What is Cloudflare to the average app?

    For non-technical readers: Cloudflare is like a traffic cop + bodyguard + highway for your website.

    A lot of modern apps use Cloudflare to:

    • Speed up content delivery (CDN)
    • Protect against attacks (DDoS, WAF)
    • Filter bots and suspicious traffic
    • Provide DNS and other network plumbing

    Roughly one in five websites use Cloudflare in some way. AP News+1

    So if your app runs behind Cloudflare and Cloudflare can’t route traffic properly, it doesn’t matter if your code, database, and servers are perfect – users will still see error pages.

    That’s exactly what happened.

    The uncomfortable mirror: we’re shipping duct tape

    Look at a typical “modern” SaaS or startup stack:

    • DNS / proxy / security: Cloudflare
    • Hosting: Vercel, Render, Netlify, AWS, GCP, Azure
    • Authentication: Firebase, Auth0, Cognito, “Sign in with Google/Apple”
    • Payments: Stripe, PayPal, M-Pesa gateways, Flutterwave, etc.
    • Email & notifications: SendGrid, Mailgun, Twilio, WhatsApp APIs
    • File storage & media: S3, Cloudinary, Supabase
    • Analytics & tracking: 3–10 different scripts and SDKs

    Our own code – the part we’re proud of – is often just glue that ties all of this together.

    When everything works, that glue feels like a “product”.
    When one critical service fails, you suddenly see how much of your app is just duct tape between other people’s systems.

    The Cloudflare incident exposed that:

    • Tons of products had no plan for “What if Cloudflare is down?”
    • For many businesses, Cloudflare might as well be part of their backend, even though they don’t control it.
    • Users don’t care if it’s your bug or Cloudflare’s bug; they just see your app as unreliable.

    Single points of failure are everywhere

    Cloudflare isn’t the villain here. Honestly, their engineering team is doing brutally hard work at insane scale – and they published details, owned the mistake, and are rolling out fixes. The Cloudflare Blog+1

    The deeper problem is how we architect our systems:

    • We centralize huge parts of the internet on a few giants (Cloudflare, AWS, Azure, Stripe, etc.).
    • We treat them as if they are infallible, and design our products like they’ll never go down.
    • We rarely ask, “If this service fails, what can my app still do?”

    That’s how a single oversized config file in one company’s infrastructure turned into:

    • Broken transit sites
    • Broken banking/finance tools
    • Broken productivity apps
    • Broken AI tools and messaging platforms AP News+1

    Not because everyone wrote bad code, but because everyone anchored on the same critical dependency.

    What “actually building software” would look like

    We’re not going back to the 90s and self-hosting everything on bare metal. Using third-party infrastructure is smart and necessary.

    But we can change how we depend on it.

    Here are some practical shifts that move us from duct tape to engineering:

    1. Design for failure, not just success

    Ask explicitly:

    • “What happens if Cloudflare is down?”
    • “What happens if Stripe is down?”
    • “What happens if our auth provider is down?”

    Then design behaviours like:

    • A degraded mode where non-critical features that depend on a broken service are temporarily disabled, not crashing the whole app.
    • Clear, friendly error messages that say, “Payments are currently unavailable. You can still do X and Y; we’ll notify you when Z is back.”

    2. Keep something static and independent

    For many businesses:

    • Even when the backend is down, people should at least see:
      • A simple marketing site
      • Contact info
      • A status update

    You can:

    • Host a status page or a minimal static site on a different provider or even a separate domain.
    • Use that to communicate during incidents: what’s down, what still works, and rough timelines.

    3. Use timeouts, not blind trust

    When we integrate APIs, we often code like this:

    “Call service. Wait forever. If it fails, crash the whole page.”

    Instead:

    • Set sensible timeouts for each external call.
    • Use circuit breakers: if a service is failing repeatedly, automatically stop calling it for a while and show a fallback.

    This is boring work. It doesn’t show up nicely in screenshots. But when things break, it’s the difference between:

    • “Everything is dead” vs
    • “Some features are temporarily limited, but you can still use most of the app.”

    4. Map your dependencies

    Sit with your team and draw a very honest diagram:

    • Core app
    • Every external service: DNS, CDN, auth, payments, email, logging, analytics, etc.
    • For each, ask:
      • If this fails totally, what breaks?
      • What can we keep working?
      • How do we tell users what’s going on?

    Even this basic exercise can reshape your roadmap.

    So what should we take away from this?

    The Cloudflare outage wasn’t just “someone else’s bug”.
    It was a mirror.

    It showed us:

    • How dependent we are on a handful of infrastructure providers
    • How thin our own “software” sometimes is, once you subtract all the external services
    • How few of us design for the day the duct tape peels off

    We’re still going to use Cloudflare. And Stripe. And Firebase. And everything else. That’s fine.

    But maybe, after this, we’ll:

    • Build just a bit more resilience into our systems
    • Think a bit more about failure modes
    • Spend one sprint not shipping yet another feature, but hardening the foundations

    Because yesterday proved one thing very clearly:

    Most of us don’t really build the internet.
    We stitch it together. The least we can do is make sure the stitching doesn’t explode the moment one thread snaps.

  • Kenya Poised to Make Crypto History: VASP Bill Awaits Presidential Assent

    Kenya Poised to Make Crypto History: VASP Bill Awaits Presidential Assent

    Kenya is on the brink of a historic milestone in financial innovation. Parliament has officially passed the Virtual Asset Service Providers (VASP) Bill, 2025, marking the country’s first-ever legal framework for cryptocurrency and digital assets. The bill now awaits President William Ruto’s signature, a final step that will position Kenya among the first African nations to regulate the crypto sector comprehensively.

    Dual Oversight by CBK and CMA

    Once enacted, the new law will empower the Central Bank of Kenya (CBK) and the Capital Markets Authority (CMA) as joint regulators of Kenya’s crypto ecosystem. This dual oversight model aims to create a balanced regulatory environment—one that encourages innovation while ensuring market stability and investor protection.

    The National Treasury Cabinet Secretary will also gain authority to issue detailed regulations on:

    • Stablecoins and tokenization of real-world assets
    • Crypto trading platforms and exchanges
    • Capital and solvency standards
    • Anti-money laundering (AML) and counter-terrorist financing (CTF) compliance

    The Journey to the VASP Bill

    The VASP Bill’s passage follows months of public consultations, expert reviews, and parliamentary debate. Lawmakers confirmed that the final version includes updated provisions on licensing, compliance, and consumer protection, although the complete text is yet to be made public.

    According to industry observers, the legislation will formalize the crypto economy, giving both local and international startups a clear licensing pathway and compliance framework.

    “With Parliament’s passage of the VASP Bill, Kenya is one signature away from making regulatory history,” said Chebet Kipingor, Business Operations Manager at Busha Kenya. “It’s a signal that Africa’s most innovative economy is ready to balance innovation with consumer protection—where progress, not fear, guides our digital future.”

    Why It Matters

    Kenya has long been recognized as a fintech and mobile money leader, thanks to innovations like M-Pesa. The VASP Bill extends that reputation into the Web3 era, positioning Kenya as a regional hub for blockchain and crypto innovation.

    By introducing a structured framework for virtual assets, Kenya is setting clear standards for:

    • Market integrity
    • Capital adequacy
    • Investor and consumer safeguards

    This could attract major players in the digital asset industry while reducing the risks of unregulated operations.

    The Road Ahead

    Experts warn that the bill’s true impact will depend on how the CBK and CMA enforce the rules. If capital thresholds or compliance demands are set too high, smaller startups may struggle to participate—potentially stifling innovation instead of fostering it.

    Moreover, the legislation comes at a critical moment. The Kenyan government is under pressure to strengthen financial oversight as it seeks removal from the Financial Action Task Force (FATF) greylist and to meet fiscal goals tied to its (now-cancelled) IMF Extended Fund Facility (EFF).

    Next Steps

    Attorney General Dorcas Oduor is currently finalizing the bill for presidential assent. Once signed, the VASP Act will take effect—ushering in a new era for Kenya’s financial markets and setting a benchmark for the future of crypto regulation across Africa.

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by