It is time to realize that open source drives innovation.

scandale-project is also meant to monitor constituencies' actions after being notified about security issues. The idea is to timestamp scan results with a Time Stamp Authority to have a clear and indisputable incident timeline following a notification. The aim is to nudge constituencies to take action and also give them leverage on non-cooperating suppliers. No infrastructure change or patch after repeated notifications is not a good trajectory to be on--hence the name, scandale :)

Ho wow, I did not expect an hacker news front page code review today. As you can see I am not a seasoned C developer so that was very welcome :)

Shameless plug: I wrote a small poc module to use hashlookup's bloom filter (https://github.com/hashlookup/a-ray-grass/) in yara (https://github.com/VirusTotal/yara). The idea is to easily discard files that are known to be safe and so to avoid launching thousands of yara rules on a file for nothing. One can also use it to keep track of some files that meet certain conditions for instance. The module can store any string in these filters so I see a lot of useful use-cases for this little thingy :) edit: forgot the link duh.

a-ray-grass is a yara module that provides support for DCSO-format bloom filters in yara.

I this service used for anything legit? The only times I bumped into transfer.sh were when tracking malwares.

Sudocker allows one to restrict which user can run which docker command without the user being member of the docker group.

This, and also the fact that Citrix's mitigation was not perfect. NCSC's recommendation was to shut the service waiting for a real patch: https://www.ncsc.nl/actueel/nieuws/2020/januari/16/door-citr...

Saying XSS is not serious is encouraging those bad behaviors; XSS are actually serious flaws when properly exploited (http://beefproject.com/).

Sure it's serious in its own way, but not on the same level as SQL injection.