Nostr notes by Alexandre Dulaunoy

FSL and BSL belong on any list of false-promise ...

2026-04-10T04:38:05Z

FSL and BSL belong on any list of false-promise licenses:<li><a href="https://fsl.software/"; target="_blank" rel="nofollow noopener" translate="no">https://fsl.software/</a></li><li><a href="https://mariadb.com/bsl-faq-adopting/#whatis"; target="_blank" rel="nofollow noopener" translate="no">https://mariadb.com/bsl-faq-adopting/#whatis</a></li>

They are **not open source**. They are restrictive source-available licenses dressed up with “open” language.

Reading the code is not enough. If users cannot freely run, use, or build on the software because of field-of-use or competition restrictions, the software is not open source.

Marketing it as “open source” or even putting “open” in your name is misleading twice: first in the license, then in the messaging.

#opensource #fauxopensource #license

If someone comes to me today preaching about “post-quantum” ...

2026-03-31T05:41:10Z

If someone comes to me today preaching about “post-quantum” security issues, I’ll remind them of the current state of security: the npm ecosystem gets abused daily, CI pipelines run left and right with full access to cloud services, so-called security devices like F5 and Ivanti are exposed (and compromised) to the internet, mailboxes get compromised just to change an IBAN in a PDF, and a simple phone call is still enough to get someone to hand over an MFA code.

But yes, by all means, let’s focus on post-quantum threats while handing AI tools SSH access like it’s a feature, not a confession.

#cybersecurity #stateoftheworld

In the same level of discussions, "Discord Alternatives, ...

2026-02-10T11:27:17Z

In reply to nevent1q…52pw
_________________________

In the same level of discussions, "Discord Alternatives, Ranked" is an interesting read too.

🔗 https://taggart-tech.com/discord-alternatives/

I hate Discord. The platform is proprietary, the U/X is just ...

2026-02-10T07:18:15Z

I hate Discord. The platform is proprietary, the U/X is just completely confusing and it's difficult to find anything.

If you run a project, I love Discourse (npub1shf…7zml) - it's open source, the U/X is great and you can archive everything in markdown (and much more).

https://github.com/discourse/discourse
and we run it for GCVE https://discourse.ossbase.org/c/gcve/14

#opensource #discourse

The federation is open. Any matrix server or bridge is allowed.

2026-02-09T16:01:17Z

In reply to nevent1q…7k5z
_________________________

The federation is open. Any matrix server or bridge is allowed.

You need to have an account on another public matrix server like ...

2026-02-06T21:11:03Z

In reply to nevent1q…emfn
_________________________

You need to have an account on another public matrix server like matrix.org to join the public room. We don’t allow account creation on our server.

We’ve just set up a Matrix channel for Vulnerability-Lookup and ...

2026-02-06T13:08:17Z

We’ve just set up a Matrix channel for Vulnerability-Lookup and GCVE discussions.

Matrix public room: #vulnerability-lookup-public:matrix.circl.lu

This space is intended for informal discussions. For standard and more detailed discussions, we recommend using:

🔗 vulnerability-lookup discourse https://discourse.ossbase.org/c/vulnerability-lookup/6

🔗 GCVE discourse https://discourse.ossbase.org/c/gcve/14

#gcve #vulnerabilitymanagement #opensource #cve #matrix

gcve.eu (npub1pna…2y52)
circl (npub143x…w0tp)

Iperlane Security ?

2026-02-01T18:03:25Z

In reply to nevent1q…dzjx
_________________________

Iperlane Security ?

French government always talks about technological sovereignty… ...

2025-12-17T16:41:09Z

French government always talks about technological sovereignty…

https://www.lemonde.fr/en/france/article/2025/12/15/us-tech-firm-palantir-extends-deal-with-french-intelligence-agency_6748523_7.html

#palantir #french #sovereignty

Why it matters to create and maintain open-source infrastructure ...

2025-12-17T12:09:00Z

Why it matters to create and maintain open-source infrastructure for security monitoring including collection of forums and malicious communication channels.

This is a strong example (Google dark web report is discontinued) of the risks of relying solely on commercial vendors. If a capability does not align with their business interests or generate sufficient revenue, it can be discontinued at any time. Open-source infrastructure helps ensure continuity, transparency, and long-term access to critical monitoring capabilities that are essential for the security community.

If you want to run your own "darkweb" monitoring, we develop open source tooling supporting such monitoring<li><a href="https://www.ail-project.org/"; target="_blank" rel="nofollow noopener" translate="no">https://www.ail-project.org/</a> <a href="https://infosec.exchange/@ail_project"; class="u-url mention">@ail_project</a> </li><li><a href="https://github.com/ail-project"; target="_blank" rel="nofollow noopener" translate="no">https://github.com/ail-project</a></li>

#darkweb #opensource #osint #cybersecurity

🔗 https://support.google.com/websearch/answer/16767242?hl=en&ref_topic=7028834&co=GENIE.Platform%3DiOS

Can you share the indicators? we can give you an access to a ...

2025-11-04T14:11:40Z

In reply to nevent1q…84jm
_________________________

Can you share the indicators? we can give you an access to a MISP (npub1mly…rl2t) community if needed

I think the best summary until now about Post-quantum ...

2025-11-03T05:46:21Z

I think the best summary until now about Post-quantum cryptography is from Peter Gutmann in the cryptography mailing-list.<code>Given that after 20 years and hundreds of millions of dollars spent researchers have yet to demonstrate a single legitimate cryptanalysis result using a quantum physics experiment, it's a bit like arguing over which brand of unicorn repellent is the most cromulent. The current state of things in terms of pure vs. hybrid systems seems to be: - Governments = Pure: “We’re putting all our eggs in one basket and hoping that the dial stops spinning at ‘not broken’” - Everyone else = Hybrid: “We trust this new stuff so little that we’re requiring you use the crypto that we claim is broken alongside it” Peter. </code>

#cryptography #pq #postquantum #postquantumcryptography

https://www.metzdowd.com/pipermail/cryptography/2025-October/039129.html

I’m just wondering are you sure of the test? I remember we got ...

2025-10-28T11:54:49Z

In reply to nevent1q…cwre
_________________________

I’m just wondering are you sure of the test? I remember we got trapped in an ASA scanning script which was expecting an HTTP 200 while the patch gives a redirect but this was also a 200.

Imagine working in your country’s cybersecurity center or CERT, ...

2025-10-11T06:32:08Z

Imagine working in your country’s cybersecurity center or CERT, and suddenly being reassigned to border control and deportation duties. Something is clearly broken and dangerously so.

What will you do as a cybersecurity professional?

#us #cybersecurity #dhs #cisa

https://techcrunch.com/2025/10/10/homeland-security-reassigns-hundreds-of-cisa-cyber-staffers-to-support-trumps-deportation-crackdown/

Finally a useful magic quadrant Thanks to @npub1udn…3tjr for ...

2025-08-11T06:20:08Z

Finally a useful magic quadrant

Thanks to Wendy Nather (npub1udn…3tjr) for the discovery.

#cybersecurity #vulnerability

When I added the threat-actor @npub1mly…rl2t galaxy type on Mar ...

2025-08-01T09:14:32Z

When I added the threat-actor MISP (npub1mly…rl2t) galaxy type on Mar 4, 2016, I didn’t expect that, years later, vendors would still invent new names for already known threat actors, avoid using UUIDs, reuse similar names for different actors, and create confusing names by mixing tools or software used by the actors.

That’s why we continue the tedious work of maintaining a proper threat-actor database, with relationships to other galaxies such as MITRE ATT&CK, Malpedia, and more.

After years of this monastic effort, we’re seeing the benefits—many open-source and proprietary tools now rely on the MISP galaxy, which serves as both an open standard and a public knowledge base.

We also maintain a dedicated website for all MISP galaxies. Here’s an example from the threat-actor database:
https://www.misp-galaxy.org/threat-actor/relations/fa80877c-f509-4daf-8b62-20aba1635f68/

:github: Repository https://github.com/MISP/misp-galaxy/
🌐 Public website https://www.misp-galaxy.org/threat-actor/

If you’d like to become a monk (just kidding!) and contribute, feel free to open an issue or submit a pull request on the misp-galaxy repo.

In MISP, you can directly benefit from all the galaxies, and you also have advanced functionalities like forking and maintaining an up-to-date private version of the threat-actor database.

#threatintel #threatintelligence #opensource #tip #cti #misp

« Cloudflare 1.1.1.1 Incident on July 14, 2025 » Perhaps it’s ...

2025-07-16T05:27:24Z

« Cloudflare 1.1.1.1 Incident on July 14, 2025 »

Perhaps it’s time to return to DNS’s original distributed design.

#dns #distributed #cloudflare

https://blog.cloudflare.com/cloudflare-1-1-1-1-incident-on-july-14-2025/

Something that’s been bothering me for years in the security ...

2025-06-17T19:46:46Z

Something that’s been bothering me for years in the security world: why do researchers demand bug bounties for vulnerabilities in open source projects, when the very contributors maintaining and fixing those issues get nothing, just goodwill?

It feels deeply unfair. The burden falls on unpaid maintainers, yet bounty hunters get rewarded. If you want a paid bounty, maybe help fund the people who actually fix the mess too.

#opensource #security #bugbounty

Just a reminder: Vulnerability Lookup isn’t just about finding ...

2025-04-15T19:45:12Z

Just a reminder: Vulnerability Lookup isn’t just about finding CVEs. It supports the full chain, collection from multiple sources, continuous distribution, and allocation within a coordinated vulnerability disclosure (CVD) process. 100% open source.

🔗 An online version maintained by circl (npub143x…w0tp) https://vulnerability.circl.lu/

🔗 https://www.vulnerability-lookup.org/

🔗 https://github.com/vulnerability-lookup/vulnerability-lookup

#opensource #cve #vulnerability #cna #cvd #cybersecurity

If you want to join an open source #hackathon for open source ...

2025-04-05T18:37:39Z

If you want to join an open source #hackathon for open source security tools, it’s next week (on April 8th and 9th, 2025) in Luxembourg.

https://hackathon.lu

#opensource #infosec #cybersecurity

We are excited to announce that CIRCL has three open positions ...

2025-03-12T10:05:18Z

We are excited to announce that CIRCL has three open positions available.

As a team strongly oriented towards open-source development, we value contributions that drive innovation and strengthen the cybersecurity community. These roles are open to EU citizens, with the workplace based in Luxembourg. If you’re passionate about cybersecurity and open-source collaboration, we encourage you to apply and make a meaningful impact.<li>CIRCL - Software Engineer and Intelligence Analyst (software-engineering-analyst) </li>

🔗 https://www.circl.lu/projects/position/software-engineering-analyst/<li>CIRCL - Security Analyst and Researcher (Security-Analyst-and-Researcher)</li>

🔗 https://www.circl.lu/projects/position/security-analyst-researcher/<li>CIRCL - Incident and Vulnerability Disclosure Coordinator/Analyst (nis2-incident-analyst)</li>

🔗 https://www.circl.lu/projects/position/nis2-incident-analyst/

circl (npub143x…w0tp)

#cybersecurity #opensource #europe #csirt #cert #nis2

I find this vulnerability hilarious « The GDPR Cookie Compliance ...

2025-03-12T06:26:28Z

I find this vulnerability hilarious

« The GDPR Cookie Compliance – Cookie Banner, Cookie Consent, Cookie Notice – CCPA, DSGVO, RGPD plugin for WordPress is vulnerable to Stored Cross-Site Scripting »

Often, websites only use cookies necessary for normal operation and don’t require explicit user consent. However, some legal teams insist on having it “to be on the safe side.” Now it’s very safe indeed. ;-)

This particular vulnerability isn’t a big deal since it requires admin rights on WordPress to inject. If you’re already an admin, you can do worse things. The only advantage for attackers is that the injection spreads everywhere.

#infosec #gdpr #cybersecurity #vulnerability #wordpress

🔗 https://vulnerability.circl.lu/vuln/CVE-2025-2205

The « bias » one is hilarious. So many reports, manuals, and ...

2025-02-10T17:44:09Z

In reply to nevent1q…qhl7
_________________________

The « bias » one is hilarious. So many reports, manuals, and memos mention the word. From Europe, it just looks like ignorance is tearing everything down, like a massive autodafé.

We developed the open source vulnerability-lookup project (and ...

2024-12-18T17:37:38Z

In reply to nevent1q…2f5x
_________________________

We developed the open source vulnerability-lookup project (and also the sighting part) for providing actionable intelligence in the scope of NIS2 obligation and to share the information with all CSIRTs and SOCs efficiently.

https://www.vulnerability-lookup.org/

about the sighting aspect https://www.vulnerability-lookup.org/tools/#sightings

We have still plenty of ideas. If you see something missing, let us know.

Kevin Beaumont (npub1lcc…lcye) Not Simon 🐐 (npub14g0…znd6)

If you are curious about the evolution of sightings ...

2024-12-18T17:05:39Z

In reply to nevent1q…xkvm
_________________________

If you are curious about the evolution of sightings https://vulnerability.circl.lu/vuln/CVE-2023-34990#sightings

If you are wondering about the unpublished CVE-2024-49848... ...

2024-12-18T15:00:08Z

If you are wondering about the unpublished CVE-2024-49848... there is a PoC.

#vulnerability

🔗 https://vulnerability.circl.lu/comment/23fd524b-475e-4b9f-8dc2-7b67f4cec409

Post-Quantum Cryptography in OpenPGP - an IETF draft #openpgp ...

2024-11-07T05:43:59Z

Post-Quantum Cryptography in OpenPGP - an IETF draft

#openpgp #pgp #postquantum

🔗 https://datatracker.ietf.org/doc/draft-ietf-openpgp-pqc/

The latest proposal from @npub1djq…zj5f poses significant risks ...

2024-10-27T08:49:46Z

The latest proposal from Open Source Initiative :osi: (npub1djq…zj5f) poses significant risks to the true principles of open source. This concern reminds me of my primary issue with EPSS, where the model is documented in a paper, yet relies on proprietary data sources that aren’t accessible for reproduction. It's like having free/open source software without the entire build chain needed to create the executable code.

What’s the actual reasoning behind this clause?

https://opensource.org/ai/drafts/the-open-source-ai-definition-1-0-rc2

#opensource #fauxpensource #ai

We announce the release of onion-lookup v0.1. This open source ...

2024-10-07T14:05:28Z

We announce the release of onion-lookup v0.1. This open source tool and service is designed to help you search for Tor hidden services / .onion services quickly and efficiently. With its sleek API and user-friendly online interface, onion-lookup simplifies the process of querying and exploring onion addresses without browsing Tor and gather more information.

🔗 Online version https://onion.ail-project.org/
🔗 Source code https://github.com/ail-project/onion-lookup

#tor #darkweb #osint #opensource #infosec #onion

The information is relying on a [@ail_project](https://infosec.exchange/@ail_project ) instance operated by the AIL project.

If you are curious about the history of vulnerabilities in cups ...

2024-09-26T20:37:13Z

In reply to nevent1q…kl7m
_________________________

If you are curious about the history of vulnerabilities in cups

https://vulnerability.circl.lu/search?vendor=cups&product=cups&vendor_vuln=

« A series of bugs in the CUPS printers discovery mechanism ...

2024-09-26T20:06:04Z

« A series of bugs in the CUPS printers discovery mechanism (cups-browsed) and in other components of the CUPS system, can be chained together to allow a remote attacker to automatically install a malicious printer (or hijack an existing one via mDNS) to execute arbitrary code on the target host as the lp user when a print job is sent to it. »

Ok…. don’t expose your print server to the Internet. Wait for the update from your favorite open source operating system. Nothing new under the sun.

#cups #vulnerability #infosec

https://gist.github.com/stong/c8847ef27910ae344a7b5408d9840ee1

A funny phishing targeting GitHub users with an email ...

2024-09-18T20:48:23Z

A funny phishing targeting GitHub users with an email notification about a security issue on a existing repository.

Then the captcha verification on a malicious website is trying to trick the user to run a shell command on Windows.

🔗 Powershell to be executed by the user
https://gist.github.com/adulau/6cf6f3e9c5bbd9106af8814d0a22f473

🔗 File downloaded https://pandora.circl.lu/analysis/21e8f693-361b-4a04-853c-276f9dd841e4/seed-1XqUr4mADaFYlLAyrBH8oQUBgOoEbceZ586b8h05YyA - Lumma Stealer

🔗 Malicious domain analysis. https://lookyloo.circl.lu/tree/91106035-dfec-4acc-af06-c9fc36c62774

#malware #malwareanalysis #infosec