🐝 Hive Five 179 - Gen AI: Too much spend, too little benefit?

Pixel Fonts, Web3 Learning Path, Top Life-Improving Decisions, Learn Python in 30 Days, and more...

Hi friends,

Greetings from the hive!

Welcome to this Tuesday edition, instead of the regular Monday.

I fell sick over the weekend and went from procrastination to just wanting to be able to do anything.

Now I’m lying in bed, wondering when I’ll feel healthy again.

Perhaps this is where AI agents will shine in the future.

Let's take this week by swarm!

🐝 The Bee's Knees

  1. Maggie Appleton discusses the rise of local software, home-cooked apps, and barefoot developers, and the role the local-first community can play in building a local-first future. MORE

  2. Exploiting Client-Side Path Traversal to Perform Cross-Site Request Forgery: Introducing CSPT2CSRF. MORE

  3. Progress un-embargoed a closely guarded auth bypass in MOVEit Transfer's SFTP mechanism - CVE-2024-5806. MORE

  4. Gen AI: Too much spend, too little benefit? Maybe we're finally done with the 'bigger is better' AI hype. Time to build stuff that actually solves real problems instead of chasing some AI pipe dream. MORE

  5. Marcin Wichary, Director of Design at Figma, is passionate about pixel fonts and wants to share his extensive collection with you, going beyond mere nostalgia. MORE

Hive Five isn't just a newsletter. It's a community for navigating the ever-shifting landscape of technology and security.

Become a Cross-Pollinator and get:

  • Access to a private Discord to explore and grow together 🚀

  • The entire Hive Archive (aka your personal encyclopedia) 📚

  • Exclusive content that's like steroids for your career 💪

  • And a bunch of other goodies that are too many to list 😅

$8.25/month for those who seek to make a difference.

Hive Five is a weekly newsletter with the best of technology and security, thoughtfully curated, read by thousands of hackers. Do you have a product or service to promote? Find out more about advertising in Hive Five.

📰 Updates

🍯 My work

✅ Changelog

  1. RetireJS 5.1.1 detects the use of JavaScript libraries with known vulnerabilities and can generate an SBOM (Software Bill of Materials) of the found libraries. MORE

  2. DOMPurify v3.1.6 is a fast, tolerant XSS sanitizer for HTML, MathML, and SVG, with a secure default and configurable hooks. MORE

  3. WayMore v4.5 contains several bug fixes. The tool finds "way more" URLs from the Wayback Machine, Common Crawl, Alien Vault OTX, URLScan & VirusTotal. MORE

  4. PentesterLab has released 2 free online labs: Electronic Code Book and LDAP 01. MORE

📅 News

  1. There's a security vulnerability in AirPods firmware that allows anyone with the Bluetooth MAC address to connect and access the microphone or play music. MORE

  2. Ladybird, an independent, open-source web browser, is entering a new chapter with exciting plans. MORE

💼 Work

💰 Career

  1. This repository provides a collection of questions for interviews focused on red team roles, aiming to help both interviewers and candidates. MORE

  2. Mason shares his Web3 learning approach, which involves understanding blockchain basics, taking a Solidity course, and using ChatGPT as a tutor to break down concepts and quiz himself on randomly generated contracts. MORE

  3. Free business advice: Build a tiny SaaS around a SINGLE Zapier integration. Make it 10x better, cover edge cases, etc. MORE

🚀 Productivity

  1. The video emphasizes the importance of a robust note-taking system as the foundation for learning anything, including Linux. MORE

  2. Scripting is essential in web hacking, as it automates repetitive tasks like testing inputs or extracting data, making hackers more efficient. MORE

🌎 Community

🎉 Celebrate

  1. Jonathan Morrison, a beloved member of the tech community, lost everything. In response, the community came together to support him, showcasing the power of compassion and unity! MORE

  2. Congratulations to the top 3 winners of the YesWeHack Live hacking event! MORE

  3. Olivia is attending Black Hat! MORE

⚑️ Discussions

  1. Hacker News users share software they made solely for their own use. MORE

  2. Figma's developer advocate, Jake Albaugh, discusses the importance of creativity and the need for communities where designers and creative coders can connect, collaborate, and grow together. MORE

  3. Lazzslayer is looking for DEFCON iron-on patches from previous years to create something special for this year's event. MORE

  4. After 4 amazing years, STΓ–K and Truesec mutually decided to part ways. MORE

  5. I am Jakoby has been through a lot and could use a hand. MORE

💛 Follow
Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. @FredKSchott | fks | Astro co-creator • CEO of HTML.

  2. @Rhynorater | Justin Gardner | Christian | Full-time Bug Bounty Hunter | 2x HackerOne MVH | Host of ctbbpodcast.

  3. @aditi_singghh | Aditi Singh | Bug Bounty Hunter | Cyber security Analyst.

  4. @NoMeNoMy | Laurie Mercer | Security and technology. Occasional botany. HackerOne London.

  5. @soaj1664ashar | Ashar Javed | Web AppSec Researcher | in Microsoft's Top 100 Security Researcher List -2018 | in Microsoft's Most Valuable Researcher List -2019 & 2020.

⬆️ Level up

📰 Read

  1. Next.js and cache poisoning: a quest for the black hole. If you are unfamiliar with this vulnerability class, check out the researcher's earlier write-up, "DOS via cache poisoning on Mozilla". MORE

  2. Trusted Types are the best defense against DOM XSS vulnerabilities. This blog post describes how AppSheet, a Google product, adopted and rolled out Trusted Types. MORE

  3. Why fixing bugs may not be as straightforward as it appears at companies larger than one team. MORE

  4. Exploiting Steam: Usual and Unusual Ways in the CEF Framework. The Chromium Embedded Framework (CEF) is an open-source framework that allows developers to embed the Chromium engine in their applications. MORE

  5. The Dark Side of Contact Forms. How drop discovered 7 CVEs affecting over 7 million WordPress websites. MORE

💡 Tips

  1. “Overcome your fears by repeatedly doing the scary action 100 times” and other lessons for your 20s are shared in this 40-item list. MORE

  2. Feed Claude AI all of your goals, principles, psychological insights and use it for personal decision-making and growth. MORE

  3. The tweet lists the author's top life-improving decisions from 2019 to 2024, including TSA pre-check, LASIK surgery, and a standing desk. The author asks for recommendations for 2025. MORE

  4. Theo shares a git alias he wishes he had set up years ago: undo = reset --soft. MORE

🧠 Wisdom

  1. Product teams should focus on deeply understanding their current tools and frameworks, rather than constantly replacing them with new ones, as the latter is a trap that hinders progress. MORE

  2. Two areas worth your attention and focus: 1) What choices you make and 2) How you spend your time. MORE

  3. How to guarantee you regret your life. MORE

  4. Jony Ive emphasizes the fragility of ideas, highlighting the need to focus on the idea and not the problem. MORE

📚 Resources

  1. The 30-Day Python Programming Challenge is an opportunity to learn the Python programming language. MORE

  2. Justin shares his take on his favorite vulnerability type: CSPTs. MORE

💭 Quote

❝

“If you want to change everything, change the rules you live by.”

Dr. Julie Gurner

🛠 Explore

🧰 Tools

Get $200 to try DigitalOcean — the go-to for all my recon, automation, and VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

  1. WebCopilot is an automation tool that enumerates subdomains and detects bugs using open-source tools. MORE

  2. Betterscan is an orchestration toolchain that uses state-of-the-art tools to scan your source code and infrastructure as code (IaC) and analyzes your security and compliance risks. MORE

  3. chart is a command-line tool that generates bar charts from line-based data, allowing for direct display in the terminal or text-based files like Markdown. MORE

  4. DOMLoggerPP is a browser extension that enables monitoring, interception, and debugging of JavaScript sinks based on customizable configurations. MORE

  5. Claude Engineer is an interactive CLI that leverages Anthropic's Claude Sonnet model to assist with software development tasks, combining language model capabilities with file system and web search functionality. MORE

🎥 Watch

  1. 100+ Linux Things You Need to Know in 12 Minutes. MORE

  2. Local-First Conf 2024 recordings — the world’s first local-first conference. One day of talks and discussion with a rapidly growing community in an intimate setting. MORE

  3. Mike Brown, a legendary MMA coach, has built a stable of world champions and is one of the few to become an undisputed world champion himself. MORE

🎡 Listen

  1. Book Radio offers over 2000 free audiobooks to listen to. MORE

  2. Cate Huston talks about her new book, The Engineering Leader. She shares why she wrote it, leadership problems, why career growth is more than promotions, and more. MORE

  3. Nat Eliason shares valuable storytelling lessons learned while writing his first book, offering advice beyond the generic "become a better storyteller" trope. It’s all about the storytelling advice you actually need that you didn’t get in school. MORE

  4. Efficiency techniques for writing bug bounty reports, including the use of AI and tools like Fabric, Loom, and ShareX to streamline the process. MORE

  5. Kelsey Hightower, a former Google Distinguished Engineer, discusses the importance of continuous learning, confidence, and family influences in the tech industry. MORE

🌐 Technology

  1. Writebook aims to simplify the process of publishing books on the web in a cohesive, easy-to-navigate HTML format, addressing a challenge that traditional platforms haven't fully solved. MORE

  2. A dev reality show could showcase the challenges and triumphs of software development, with insights from developer Jack Herrington. The discussion also touched on learning to code with dyslexia and more. MORE

  3. d0nut on what to be mindful of when rolling your own auth. MORE

  4. The creator acknowledges being wrong about Midjourney and shares their new perspective on AI in creative work, including their setup and approach. MORE

🔑 Visit

  1. The video discusses Sahil's journey from a debut marathon to a sub-2:50 marathon goal while focusing on maintaining muscle size and strength. MORE

  2. 39 Things Van Earned the Right to Quit. MORE

  3. Hiddensee is a quaint little island in the German Baltic Sea, where charming Baltic Sea romance, artistic flair, and unspoiled nature meet. MORE

Enjoy the newsletter? Please forward it to a friend. It only takes 16 seconds. Making this one took 16 hours.

P.S. There are some goodies for sharing the newsletter.

Until next week, take care of yourself and each other,

Bee 🐝

This newsletter may contain affiliate links that support its costs. These links lead to tools, courses, and resources that I've personally found helpful.