
🐝 Hive Five 180 - Fighting bots is fighting humans

How to reduce your screen time by 80%, JSON parser inconsistencies,

Hi friends,

Greetings from the hive!

I've been rediscovering my passion for the terminal lately. There's something magical about its simplicity and raw power.

You might think, "The terminal? In 2024? Come on." But hear me out.

In a world of flashy UIs and overengineered solutions, the terminal stands as a beacon of minimalism. It's just you and the command line. No distractions, no bloat.

But here's the catch: simplicity is deceptively difficult. As I dive into bash scripting, I often catch myself overcomplicating things. It's a constant battle against the urge to add "just one more feature."

The terminal teaches us a valuable lesson: less is more. It reminds us that the most powerful tools are often the simplest ones. They do one thing and do it well.

Let's take this week by swarm!

🐝 The Bee's Knees

  1. Evernote's security vulnerabilities allowed for remote code execution through PDF.js font injection and Electron's exposed ipcRenderer. MORE

  2. PySkyWiFi: completely free, unbelievably stupid wi-fi on long-haul flights. MORE

  3. Universal Code Execution by Chaining Messages in Browser Extensions, breaking both Same Origin Policy and the browser sandbox. MORE

  4. Chaining Three Bugs to Access All Your ServiceNow Data: the chain gives full database access and full access to any MID servers configured. The following CVEs were assigned for these issues: CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217. MORE

  5. The Right Kind of Stubborn. In his new essay, YC founder Paul Graham differentiates two types of stubbornness: persistence and obstinacy. MORE

$8.25 a month. That's it. For less than the cost of a fancy coffee, you're not just keeping Hive Five alive - you're joining a swarm. Get access to a private Discord community, the complete Hive Archive, exclusive & bonus content, discounts, and a range of other benefits.

Get $200 to try DigitalOcean — the go-to for all my recon, automation, and VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

Hive Five is a weekly newsletter with the best of technology and security, thoughtfully curated, read by thousands of hackers. Do you have a product or service to promote? Find out more about advertising in Hive Five.

📰 Updates

🍯 My work

Changelog

  1. Lazygit release v0.43.1 - a minimalist terminal-based interface for common git commands. MORE

📅 News

  1. Cloudflare introduces "easy button" to block AI bots, scrapers, and crawlers, helping content creators maintain a safe internet. MORE

  2. Securing the Container World with Policies: acjs and ctrdac. Google announces the release of two new open-source projects aimed at enhancing security and flexibility in containerized and Kubernetes environments. MORE

  3. Google and Alphabet increased their VRP rewards to up to $151,515, demonstrating their commitment to the security of their platforms. MORE

  4. Proton's Docs feature offers private, collaborative document editing - a more secure alternative to popular online editors. MORE

  5. Shopify's bug bounty program is being criticized for not adhering to the bug bounty contract. Researchers should be paid if they can demonstrate the bug was exploitable at any point. MORE

💼 Work

💰 Career

  1. How Morgan thinks about debt. Japan has businesses that have endured dozens of wars, emperors, natural disasters, and economic crises for over 1,000 years, showcasing remarkable resilience. MORE

  2. The aged care industry is rife with opportunities to improve the quality of life for the elderly through tech-enabled solutions that assist with daily tasks, mobility, and medication management. MORE

  3. How to stand out in an interview: practical tips, common interview questions, and strategies to answer them effectively. MORE

🚀 Productivity

  1. Shmux, a tmux session management tool written in shell script, streamlines your terminal workflow. It's a simple yet powerful solution to manage and share your development environment. MORE

  2. The Obsidian Front Matter Timestamps plugin automatically updates the creation and modification timestamps in your notes' front matter. MORE

  3. The PARA method is a versatile note-taking and organization system that can structure your thinking and life. It's a great option for beginners, as it's tool-agnostic and well-documented. MORE

  4. How to reduce your screen time by 80%: "The phone has only one purpose and it's to work for me, and not against me." MORE

🌎 Community

🎉 Celebrate

  1. Hussein sounds like he's discovered a novel attack vector, potentially a potent DoS technique. Excited to learn more! MORE

  2. ThePrimeagen reached a significant milestone of 500k subscribers on YouTube. Well deserved! MORE

  3. Rayredacted's son won a gold medal and addressed the crowd in French at Chamonix, a proud moment for the family. Amazing! MORE

  4. One of Nagli's coolest bugs just got paid. Let's go! MORE

  5. 0xLupin's $17,000 Dependency Confusion bounty has a wild story behind it. Looking forward to it! MORE

⚡️ Stories

  1. How Community Management Principles Can Support Product-Led Growth. MORE

  2. Since mid-December, STÖK, Sara, and their two dogs have been living the van life, with the goal of living more for less, downsizing, and escaping the rat race. While it's challenging at times, the freedom to orchestrate the life they truly want is priceless. MORE

  3. The CEO of Red Siege ended the company's relationship with SANS after SANS demanded that they stop delivering training. MORE

  4. Roni Carta (@0xLupin) will be moderating a panel discussion at the Bug Bounty Village at DEF CON 32. MORE

💛 Follow
Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. @ajlkn | aj | Working on @carrd.

  2. @Masonhck3571 | Masonhck357 | Bugcrowd Triager. | Hacker BugCrowd | CompTIA Net+ Certified | CompTIA Sec+ certified.

  3. @lazzslayer | lazzslayer | Adversary Simulation/Red Team @ Optiv | Co-Lead for @redteamvillage_ | OSCP.

  4. @Djax_Alpha | Davin Jackson | Dad | Husband | Vet | Host of InfoSecUnplugged & Hacker Valley Blue! @hacknotcrime Advocate.

  5. @pxmme1337 | Pomme | Genuine oddity | Pomme@Hackerone | Pomme@Intigriti | ByeFelicia@BugCrowd | Senior Sec Engineer @ somewhere.

⬆️ Level up

📰 Read

  1. This post examines CVE-2024-27292 in Docassemble, revealing an unauthenticated path traversal flaw that exposes sensitive files and secrets, leading to privilege escalation and template injection, enabling remote code execution. It details the vulnerability, its impact, and the exploitation steps. MORE

  2. Swimming in the wild will change you. One man’s journey through public waterways—whether sparkling or dirty or algae-filled—challenges us to look differently at the commons. MORE

  3. Plormbing your Django ORM: Part one of a series about ORM Leak vulnerabilities and attacking the Django ORM to leak sensitive data. MORE

  4. GitHub Actions Exploitation: Untrusted Input, a follow-up to the previous article.

  5. JSON parser inconsistencies can pose security risks, as illustrated in this cross-language study. Echoing recent efforts to enforce a stricter specification for JSON in security applications. MORE
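To make the parser-inconsistency point concrete, here is an added example (my own code, not from the linked study or from this newsletter). It parses the same constructed documents three ways: with Python's default `json.loads`, with a hook that mimics a parser that stores every number as a double, and with a strict loader that refuses duplicate keys, integers above 2^53 and the non-standard NaN/Infinity constants. The sample documents are constructed for the demonstration.

```python
from __future__ import annotations

import json
from typing import Any

# Integers above this are rounded by any parser that stores numbers as doubles
# (JavaScript, and the default in several other runtimes); Python keeps them exact.
SAFE_INT_LIMIT = 2**53


class JSONPolicyError(ValueError):
    """The document relies on behaviour that JSON parsers disagree on."""


def _reject_duplicate_keys(pairs: list[tuple[str, Any]]) -> dict[str, Any]:
    # Python keeps the LAST duplicate; some parsers keep the first, a few reject.
    # Two components that disagree here see two different documents.
    obj: dict[str, Any] = {}
    for key, value in pairs:
        if key in obj:
            raise JSONPolicyError(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def _bounded_int(text: str) -> int:
    # parse_int receives the literal digits, so the check happens before rounding.
    value = int(text)
    if abs(value) > SAFE_INT_LIMIT:
        raise JSONPolicyError(f"integer {text} cannot survive a double-based parser")
    return value


def _reject_constant(name: str) -> Any:
    # NaN / Infinity / -Infinity are a Python extension, not JSON.
    raise JSONPolicyError(f"non-standard constant {name}")


def strict_loads(text: str) -> Any:
    """Refuse any document whose meaning depends on which parser reads it."""
    return json.loads(
        text,
        object_pairs_hook=_reject_duplicate_keys,
        parse_int=_bounded_int,
        parse_constant=_reject_constant,
    )


def lenient_loads(text: str) -> Any:
    """Python's defaults: last duplicate wins, exact big ints, NaN accepted."""
    return json.loads(text)


def double_loads(text: str) -> Any:
    """Approximates a parser that stores every number as an IEEE-754 double."""
    return json.loads(text, parse_int=float)


# Constructed sample documents; not taken from the linked study.
SAMPLES = {
    "duplicate_key": '{"role": "user", "role": "admin"}',
    "big_int": '{"user_id": 9007199254740993}',
    "nan": '{"amount": NaN}',
    "clean": '{"role": "user", "user_id": 42}',
}


def compare(text: str) -> dict[str, Any]:
    """Parse the same bytes three ways and report where they diverge."""
    out: dict[str, Any] = {
        "lenient": lenient_loads(text),
        "double_based": double_loads(text),
    }
    try:
        out["strict"] = strict_loads(text)
    except JSONPolicyError as exc:
        out["strict"] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(name, compare(doc))
```

The interesting case is `big_int`: Python returns 9007199254740993 exactly, the double-based view returns 9007199254740992.0, so an ID check done in one runtime and enforced in another can disagree by one. The strict loader turns every such ambiguity into a rejection at the boundary instead of a silent difference later.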

💡 Tips

  1. Give people something to link to — The key is to provide people with a clear and concise way to understand and discuss your ideas or projects. By giving them something to link to, you make it easy for them to share and engage with your work. MORE

  2. Here's a quick bug bounty tip from Jason: "aHR0cHM" is "https" in base64, and Burp search is your best friend. MORE
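The tip above works because "https:" at the start of a base64 blob always encodes to "aHR0cHM6". It generalizes: base64 works in 3-byte groups, so a substring can appear in three different encoded forms depending on its byte offset, and a search for "aHR0cHM" alone misses the other two. The following is an added example, my own code rather than Jason's or the newsletter's, that derives all three prefixes for a needle and scans a constructed response body for base64 runs that carry an encoded URL. The sample response and its hostnames are made up for the demonstration.

```python
from __future__ import annotations

import base64
import binascii
import re

# A run of standard-alphabet base64 long enough to be worth decoding.
# URL-safe base64 ("-" and "_") is deliberately not covered here.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+")


def base64_prefixes(needle: str) -> set[str]:
    """Every encoded form of `needle`, one per possible byte alignment."""
    raw = needle.encode()
    prefixes = set()
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + raw).decode()
        # Characters that contain any bits of the leading filler, or of whatever
        # follows the needle, are not stable, so they are cut off at both ends.
        # Each character covers 6 bits; the needle occupies bits [shift*8, (shift+len)*8).
        start = -(-shift * 8 // 6)               # ceil(shift*8 / 6)
        end = (shift + len(raw)) * 8 // 6
        prefixes.add(enc[start:end])
    return prefixes


URL_PREFIXES = base64_prefixes("https://") | base64_prefixes("http://")


def decode_run(run: str) -> bytes | None:
    """Decode a base64 run whose padding may have been stripped."""
    run = run.rstrip("=")
    if len(run) % 4 == 1:          # a lone trailing character encodes nothing
        run = run[:-1]
    try:
        return base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
    except binascii.Error:
        return None


def find_encoded_urls(text: str) -> list[str]:
    """Return every URL hidden inside base64 runs in `text`, in order."""
    found: list[str] = []
    for match in B64_RUN.finditer(text):
        run = match.group(0)
        # Cheap pre-filter: only decode runs that can contain an encoded scheme.
        if not any(prefix in run for prefix in URL_PREFIXES):
            continue
        raw = decode_run(run)
        if raw is None:
            continue
        found.extend(m.decode("ascii") for m in URL_RE.findall(raw))
    return found


# Constructed sample response (hypothetical hostnames). The second blob wraps the
# URL in JSON so it starts at byte offset 7, which is why "aHR0cHM" never appears
# in it and only the shifted prefix "h0dHBzOi8v" does.
SAMPLE_RESPONSE = (
    '{"state":"'
    + base64.b64encode(b"https://intranet.example/admin?token=abc").decode()
    + '","ctx":"'
    + base64.b64encode(b'{"nx":"https://example.org/account"}').decode()
    + '","nonce":"3f9a1c8e2b7d4a6f"}'
)


if __name__ == "__main__":
    print(sorted(base64_prefixes("https://")))
    for url in find_encoded_urls(SAMPLE_RESPONSE):
        print("encoded URL:", url)
```

When grepping a Burp history or a JavaScript bundle, searching for all three prefixes of "https://" ("aHR0cHM6Ly", "h0dHBzOi8v", "odHRwczovL") instead of only "aHR0cHM" catches URLs that sit inside a larger encoded structure such as a serialized JSON object or a signed state parameter.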

🧠 Wisdom

  1. Limiting bot access is a difficult balance, as any efforts will inevitably impact human users too. Websites must carefully weigh the tradeoffs to avoid going too far in the anti-human direction. MORE

  2. 35 Phrases To Set Boundaries Firmly and Fairly, According to Mental Health Pros. MORE

  3. STÖK on discipline > motivation. If you want to improve your hacking skills, take action today, even when you lack the drive. Consistency is key. MORE

  4. Brutally Honest Business Advice from Billionaire Mark Cuban. MORE

  5. Kieran shares his top 10 ideas from Mastery by Robert Greene, the best book he's ever read. MORE

📚 Resources

  1. Offensive notes and resources by thelikes. MORE

  2. Explore your Z shell history, and discover insights into terminal usage patterns, including the most frequently used Git commands. MORE

  3. VS Code is a great tool, but it can be distracting and requires extensive configuration. This course aims to make VS Code awesome and teach you how to be insanely productive in it. MORE

  4. This is an SQL injection cheatsheet with tried and true payloads / techniques that cover the 5 most popular database variants and their derivatives (MySQL, PostgreSQL, MSSQL/SQL Server, Oracle, SQLite). MORE

  5. A visualization of load balancers that distribute requests to increase availability and scalability. MORE

💭 Quote

"You are only entitled to the action, never to its fruits."

Bhagavad Gita

🛠 Explore

🧰 Tools

  1. dut is a disk usage calculator for Linux with features such as accurate counting of hard links, ASCII-art disk usage tree, configurable output format, and more. MORE

  2. Humane Units is a Go package that provides a set of functions to help humanize times and sizes, making them more readable and user-friendly. MORE

  3. Nebula is an AI-powered assistant specifically designed for the field of ethical hacking. It provides a unique capability for users to input commands using natural language processing, facilitating a seamless transition from intent to execution. MORE

  4. A better dotenv–from the creator of dotenv. Features include: run anywhere (cross-platform), multi-environment, and encrypted envs. MORE

  5. Code2Prompt is a powerful command-line tool that generates comprehensive prompts from codebases, designed to streamline interactions between developers and Large Language Models (LLMs) for code analysis, documentation, and improvement tasks. MORE

🎥 Watch

  1. Simon delivered a talk on Imitation Intelligence at PyCon US 2024 in Pittsburgh, discussing the potential and challenges of using AI systems to imitate human intelligence. MORE

  2. Craft in America's mission is to showcase and engage people with original handcrafted works across all media. MORE

  3. NahamSec started livestreaming again. In this Live Recon session he was joined by none other than STÖK. MORE

  4. PinkDraconian discovered a critical RCE vulnerability in parisneo/lollms-webui and created a video walkthrough to help the community. MORE

  5. Marc, think Pieter Levels meets Casey Neistat, shares his indie maker journey with all of its ups and downs. MORE

🎵 Listen

  1. How to Write Fearlessly (like Scott Galloway). Scott is a cocktail of crass humor, brutal honesty, and millionaire advice. He spent ten years wanting to write a book, and when he finally did, everything he learned could be summed up into two words: Be fearless. MORE

  2. Sam Rose creates visual intros to CS topics, each taking a month to make, aiming for accessible explanations for beginners. MORE

  3. How much of yourself is too much to put online? Salma Alam-Naylor talks about being a person vs. being a persona, aligning creativity and self-expression with business goals, and inventing villains as an excuse for not doing our best work. MORE

  4. How To Go Beast Mode As A Founder. Think of this as an angry love letter to kick off your week. MORE

  5. A playlist of music Apple used in their commercials. MORE

🌐 Technology

  1. The death of DevRel is a symptom of the "zero interest rate phenomenon" where companies prioritize cost-cutting over investing in developer relations. MORE

  2. A proposal for a web API for prompting browser-provided language models by Google. MORE

  3. A museum of historical and modern regular expression engines, showing their development and influence. MORE

  4. SEAL Leaderboards provide private, expert evaluations of leading frontier AI models, with a focus on privacy, unexploitability, and continuously updated domain expert assessments. MORE

  5. Job control is a powerful shell feature that allows you to manage long-running tasks, background processes, and handle program interruptions more efficiently. MORE

🔑 Interesting

  1. A group of 7 couples, 2 grandparents, and 11 kids created a unique living arrangement by purchasing a two-building parcel in San Francisco and inviting one couple's parents to join them. MORE

  2. Margate skaters reflect on their passion, as a million-pound mega park sparks discussions on the meaning of skateboarding in their community. MORE

  3. In 250 million years, the world will be unrecognizable, with no more continents as we know them. MORE

  4. Will We Ever Get Fusion Power? Despite decades of research, fusion power today remains out of reach. But there’s a good chance a working fusion reactor is near. MORE

  5. An insane photograph of an insane event. MORE

Until next week, take care of yourself and each other,

Bee 🐝

Enjoy the newsletter? Please forward it to a friend. It only takes 16 seconds. Making this one took 16 hours.

This newsletter may contain affiliate links that support its costs. These links lead to tools, courses, and resources that I've personally found helpful.