This Week In Security: Cloudflare Wasn’t DNS, BADAUDIO, And Not A Vuln

You may have noticed that large pieces of the Internet were down on Tuesday. It was a problem at Cloudflare, and for once, it wasn’t DNS. This time it was database management, combined with a safety limit that failed unsafe when exceeded.

Cloudflare’s blog post on the matter has the gritty details. It started with an update to how Cloudflare’s ClickHouse distributed database was responding to queries. A query of system columns was previously only returning data from the default database. As a part of related work, that system was changed so that this query now returned all the databases the given user had access to. In retrospect it seems obvious that this could cause problems, but it wasn’t predicted to cause problems. The result was that a database query to look up bot-management features returned the same features multiple times.

That featurelist is used to feed the Cloudflare bot classification system. That system uses some AI smarts, and runs in the core proxy system. There are actually two versions of the core proxy, and they behaved a bit differently when the featurelist exceeded the 200 item limit. When the older version failed, it classified all traffic as a bot. The real trouble was the newer Rust code. That version of the core proxy threw an error in response, leading to 5XX HTTP errors, and the Internet-wide fallout.

Remember XBMC? It’s Back!

The original Xbox was different from the consoles that had gone before, in that its hardware shared much with a PC of the day. It was found to be hackable, and one of the most successful projects to take advantage of it was a media centre. You know it as Kodi, but its previous name was XBMC, for Xbox Media Centre. The last version that still ran on an original Xbox saw the light of day in 2016, so it’s definitely a surprise that a new version has appeared.

XBMC version 4.0 brings a host of new features to the venerable platform, including the Estuary user interface that will be familiar to users of more recent Kodi versions, a better games library, and more. The plugin system has been revamped too, and while it retains the Python 2 version from back in the day, it’s promised that a Python 3 update is in the works. That’s right, it sounds as though there will be more releases. Get them from the GitHub repository.

We’re not sure how many of you have early Xbox hardware along with the inclination to use it as a media centre, after all Kodi runs so well on a lot of very accessible hardware. But we’re impressed that the developers of this release have managed so much within the confines of a machine with a 2000s-era spec, and have released it at all.

If you’re curious about Xbox hacking, take a look at some of its early history.

Handling Human Waste In The Sky

Have you ever wondered what goes into making it possible to use the restroom at 30,000 feet (10,000 m)? [Jason Torchinsky] at the Autopian recently gave us an interesting look at the history of the loftiest of loos.

The first airline toilets were little more than buckets behind a curtain, but eventually the joys of indoor plumbing took to the skies. Several interim solutions like relief tubes that sent waste out into the wild blue yonder or simple chemical toilets that held waste like a flying porta-potty predated actual flush toilets, however. Then, in the 1980s, commercial aircraft started getting vacuum-driven toilets that reduce the amount of water needed, and thus the weight of the system.

These vacuum-assisted aircraft toilets have PTFE-lined bowls that are rinsed with blue cleaning fluid that helps everything flow down the drain when you flush. The waste and fluid go into a central waste tank that is emptied into a “honey truck” while at the airport. While “blue ice” falling from the sky happens on occasion, it is rare that the waste tanks leak and drop frozen excrement from the sky, which is a lot better than when the lavatory was a funnel and tube.

The longest ever flight used a much simpler toilet, and given the aerospace industry’s love of 3D printing, maybe a 3D printed toilet is what’s coming to an airplane lavatory near you?

A Paper Caper: The Hole Data

Since the dawn of computers, we’ve tried different ways to store data. These days, you grab data over the network, but you probably remember using optical disks, floppies, or, more recently, flash drives to load something into your computer. Old computers had to use a variety of methods, such as magnetic tape. But many early computers used some technology that existed from the pre-computer era, like punched cards or, as [Anthony Francis-Jones] shows us, paper tape.

Paper tape was common in TeleType machines and some industrial applications. In fact, as early as 1725, looms could use paper tape, which would eventually lead to punched cards. For computers, there were two common variations that differed in how many holes were punched across the tape: 5 or 8. There was also a small sprocket hole that allowed a gear to move the tape forward through a reader.

How One Uncaught Rust Exception Took Out Cloudflare

On November 18 of 2025 a large part of the Internet suddenly cried out and went silent, as Cloudflare’s infrastructure suffered the software equivalent of a cardiac arrest. After much panicked debugging and troubleshooting, engineers were able to coax things back to life again, setting the stage for the subsequent investigation. The results of said investigation show how a mangled input file caused an exception to be thrown in the Rust-based FL2 proxy which went uncaught, returning HTTP 5xx errors and causing the proxy to stop proxying customer traffic. Customers who were on the old FL proxy did not see this error.

The input file in question was the features file that is generated dynamically depending on the customer’s settings related to e.g. bot traffic. A change here resulted in said features file containing duplicate rows, increasing the number of features from the typical 60 or so to over 200, which is a problem since the proxy pre-allocates memory to contain this feature data.
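The failure mode described here and in the weekly column above, a generated feature file that outgrows a fixed 200-entry limit and a code path that errors out instead of degrading, looks like this as an added Rust example. It is not Cloudflare's code: the newline-separated file format, the type and function names, and the keep-last-good reload policy are all assumptions made for illustration.

```rust
// Added example, not Cloudflare's code: file format, names and the
// keep-last-good policy are assumptions made for illustration.
const MAX_FEATURES: usize = 200; // the limit mentioned in the article

#[derive(Debug, PartialEq)]
pub enum LoadError {
    TooManyFeatures { got: usize, limit: usize },
}

/// Parse a newline-separated feature file into a buffer sized for MAX_FEATURES.
pub fn parse_features(file: &str) -> Result<Vec<String>, LoadError> {
    let lines: Vec<&str> = file.lines().map(str::trim).filter(|l| !l.is_empty()).collect();
    if lines.len() > MAX_FEATURES {
        return Err(LoadError::TooManyFeatures { got: lines.len(), limit: MAX_FEATURES });
    }
    let mut out = Vec::with_capacity(MAX_FEATURES);
    out.extend(lines.into_iter().map(String::from));
    Ok(out)
}

pub struct BotModule {
    active: Vec<String>, // last feature set that passed validation
}

impl BotModule {
    pub fn new(initial: Vec<String>) -> Self {
        Self { active: initial }
    }
    /// Fail-unsafe: an oversized file panics in the request-serving process.
    pub fn reload_or_panic(&mut self, file: &str) {
        self.active = parse_features(file).unwrap();
    }
    /// Hardened: reject the bad file and keep serving with the last good set.
    pub fn reload_keep_last_good(&mut self, file: &str) -> Result<usize, LoadError> {
        self.active = parse_features(file)?;
        Ok(self.active.len())
    }
    pub fn feature_count(&self) -> usize {
        self.active.len()
    }
}

/// Constructed sample input: `base` distinct features repeated `copies` times.
pub fn sample_file(base: usize, copies: usize) -> String {
    (0..copies).flat_map(|_| 0..base).map(|i| format!("feature_{i}\n")).collect()
}

fn main() {
    let mut m = BotModule::new(parse_features(&sample_file(60, 1)).unwrap());
    let r = m.reload_keep_last_good(&sample_file(60, 4)); // duplicated rows: 240 > 200
    println!("{:?}; still serving with {} features", r, m.feature_count());
}
```

The returned `LoadError` is the signal to alert on: the rejected file is a visible event while traffic keeps flowing on the previous feature set.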

Gilbert Cell Lacks Sullivan

If you’ve ever used an NE602 or similar IC to build a radio, you might have noticed that the datasheet has a “gilbert cell” mixer. What is that? [Electronics for the Inquisitive Experimenter] explains them in a recent video. The gilbert cell is a multiplier, and multiplying two waveforms will work to mix them together.

At the heart of the gilbert cell is essentially three differential amplifiers that share a common current source. The video shows LTSpice simulations of the circuits as he explains them.

Wear This RISC V, RPN Calculator Watch For Maximum Nerd Cred

Once upon a time, owning a calculator watch was the epitome of cool. Well, for a very specific subset of the population with our own definition of “cool” anyway. The only thing cooler than wearing a calculator watch? Making a calculator watch, of course! If you do it as part of developing your own SDK for a popular RISC V microcontroller, all the better. That’s what [Miroslav Nemecek] did with his Antcalc watch, which is one of the demo projects for the CH32Lib SDK, which is currently under development at version 0.35 as this is written.

It appears as though the solid core wire on the back of the homemade PCB is used to hold the watch band, a nice little hack.

As you might guess, CH32LibSDK is targeting the super-cheap CH32 series of RISC V microcontrollers. Perhaps because the SDK is so early in development, there’s not much documentation outside of the example projects. The examples are all worth looking at, but our tipster wanted us to cover the Antcalc calculator watch specifically.

The Antcalc watch uses the SOP16-packaged CH32V002A4M6 to drive a small OLED display while taking input in Reverse Polish Notation from a dozen small buttons. We’re not sure how the cool kids feel about RPN these days, but that’s got to be worth extra nerd cred. Using a RISC V chip doesn’t hurt in that department, either.

For something so small (30 mm x 55 mm), it looks like a decent little calculator, with 10 registers holding a mantissa of 21 digits and exponents up to +/-99 in binary coded decimal. Seven layers on the dozen-key input pad mean most of the scientific functions you could ask for are available, along with the ability to record and replay up to 10 macros. There are also ten memory slots, all of which go into the chip’s onboard flash, so they are non-volatile during a battery swap. (Of which many will be necessary, since this appears to run on a single coin cell.)

If you get bored of wrist-mounted calculating, you could always repurpose this microcontroller to play MOD files on your wrist. Some people couldn’t imagine ever getting bored by a wrist-mounted calculator, and just for them we have this teardown of a beautiful 1975 model and this article on the history of the calculator watch.

Thanks to [James Bowman] for the tip.