🐝 Hive Five 186 - Calling All Hackers

Hi friends,

Greetings from the hive!

Apologies for the delay in getting the newsletter out this morning, the entire family has been sick. I’ll start this one off with the following:

Let's take this week by swarm!

🐝 The Bee's Knees

1. Phrack, the legendary hacker publication, has returned after a 3-year hiatus, breaking the spell. MORE

2. Monke's Guide to Bug Bounty Methodology shows that effective bug bounty hunting involves more than just running tools — it's a holistic approach encompassing tools, mindset, experience, and collaboration. MORE

3. Palmer Luckey's journey: from selling Oculus to Facebook for $2.7B, to founding a defense tech startup Anduril now valued at $14B, with failed ventures in between, exemplifying the highs and lows of his goal to forge a new America. MORE

4. Pieter Levels, a Dutch self-taught developer and digital nomad, has launched over 40 startups, several of which have achieved significant success. His approach emphasizes rapid shipping, iterative development, and strategic use of AI and automation. MORE

5. Hacking as a pathway to building better Products: "Hacking requires peeling back layers and understanding a little more about the foundations than even the developers or designers. This cross-stack knowledge is a treasure trove for building better products." MORE

Hive Five is a weekly newsletter with the best of technology and security, thoughtfully curated, read by thousands of hackers. Do you have a product or service to promote? Find out more about advertising in Hive Five.

Table of Contents

• 📰 Updates

• 💼 Work

• 🌎 Community

• ⬆️ Level up

• 🛠 Explore

📰 Updates

🍯 My work

✅ Changelog

1. Claude's API now supports CORS requests, enabling client-side applications to harness its power. MORE

2. macOS Sequoia has a feature that allows iPhone mirroring. Kelsey is using it to eliminate the need to reach for the Google Authenticator app when needing authentication codes. MORE

💼 Work

💰 Career

1. Becoming competitive at a new job involves strategic approaches, but individualization and context are paramount. "do the job, do it well, do it fast, do it a lot and with heart, make real relationships." MORE

2. As one advances towards leadership in the tech career, the focus shifts from technical to enabling leaders and team members to solve problems. MORE

3. Life at SpecterOps: The Red Team Dream. They offer unique opportunities for personal growth and development, emphasizing career progression, technical expertise, and personal sustainability. MORE

4. Work layoffs operate as an algorithm with sub-organizations: Safe, Unsafe, and Recurse groups. The algorithm consistently progresses, eventually identifying specific individuals for layoff or retention. MORE

5. From construction to frying chicken to software developer to Director Of Technology, one's journey is a testament to the power of perseverance. Struggling financially in 2007, Danny now earns more in a month than their yearly salary back then, a remarkable transformation. MORE

🚀 Productivity

1. Facebook PathPicker is a command line tool that simplifies the process of selecting files from bash output, solving a pervasive problem. MORE

2. Building a client register from scratch in Obsidian, a powerful note-taking app, demonstrates a methodical approach to organizing and maintaining client information, leveraging the versatility of this digital tool. MORE

3. 10 Mac apps that are hidden gems, covering file management, system boosters, and handy utilities that users may not be aware of but should consider using. MORE

4. Focumon! is a gamified pomodoro / flow time timer that transforms productivity into an adventure, allowing users to turn to-do lists into quests and conquer them with a team of Focumon. MORE

5. The importance of a daily practice of reaching a point of completion cannot be overstated. It provides a sense of accomplishment, focus, and personal growth. MORE

🌎 Community

🎉 Celebrate

1. Nagli joins Wiz to enhance Risk & Threat Exposure Management and build a new disruptive Risk MDR offering, after working on Shockwave as a solopreneur for the past couple of years. MORE

⚡️ For you

1. Nahamsec, a renowned bug bounty hunter, shares insights from his DEFCON 32 experience, exploring the vibrant hacker community and advancements in the field of cybersecurity. MORE

2. LiveOverflow recounts his return to DEF CON and Black Hat in Las Vegas, noting significant changes since prior visits. The experience was quite emotional, with gratitude expressed for the opportunity. MORE

3. Alex shares the mourning of the loss of Chloë, his daughter who passed away 6 years ago. MORE

4. Programming evolves rapidly, and Karpathy, a prominent AI researcher explores new tools like VS Code Cursor and Sonnet 3.5, finding that most "programming" now involves crafting English prompts and reviewing/editing the results—a potential net win. MORE

💛 Follow
Awesome accounts to follow. Randomly selected from my curated Twitter lists.

1. @restr1ct3d | Niv Levy | Penetration Testing Engineer / Offensive Security Certified Professional / Bug Bounty Hunter.

2. @s0md3v | Somdev Sangwan | I hack stuff and build evil software.

3. @_sbzo | RLobo | Security Researcher | Hacker.

4. @b0rk | Julia Evans | programming and exclamation marks. she/her.

5. @bug_dutch | Floerer | Bug Bounty Hunter.

⬆️ Level up

📰 Read

1. Are we indeed living in an age of info-determinism, where our digital trails and data exhaust shape our future? This profound question probes the deeper implications of our information-saturated world. "[...] Conversations among machines will shape conversations about humans." MORE

2. SQL has been the dominant language for working with data, used across mainstream database systems, but research by Google suggests potential improvements to its syntax, particularly with a 'pipe' operator. MORE

3. Repo Jacking: The Great Source-code Swindle explores a powerful, yet widely unknown attack vector known as 'Repo Jacking' which has emerged in the last couple of years. MORE

4. Tenable Research discovered a critical information-disclosure vulnerability in Microsoft's Copilot Studio via a server-side request forgery (SSRF), granting access to potentially sensitive service internals with cross-tenant impact. MORE

5. Remotely identifying Bluetooth devices raises concerns about healthcare device oversight. A Firewalla firewall is exploited to prove a point. MORE

💡 Tips

1. Cursor's Composer allows you to leverage one input into multiple file editing using AI. A handy use case for this is generating popular CSS themes such as Monokai and Solarized-Light, automating the creation of theme variations. MORE

2. This repository presents a reproduction of the "Confusion Attacks" by Orange Tsai, exploiting hidden semantic ambiguity in Apache HTTP Server. MORE

3. Feed your todos into Cursor as markdown, and the AI will write the code for you—the future is letting AI do the work while you guide it. MORE

4. Use Claude 3.5 Sonnet to generate watercolor style thumbnails for blog post open graph images, replaced in 3 seconds for $0.02 per image, with incredible results. MORE

5. A sticker book is a practical storage solution for stickers not immediately affixed to a laptop. MORE

🧠 Wisdom

1. After 3 years of welcoming 2 healthy kids and career progression at Stripe, the last 3 years were the hardest for Olivia. Juggling work, child care, and day-to-day obligations led to her taking an indefinite break in my career. MORE

2. Design your dream life in 7 minutes by defining your core values, picturing your ideal life, and taking small steps towards it. MORE

3. Action is a skill honed through repetition. Consistent practice is the key to becoming adept at taking high-impact action. MORE

4. If more developers ran Linux on their desktops, they might be less intimidated by managing their own servers. However, the fundamentals of the internet are being forgotten at an alarming rate. MORE

📚 Resources

1. Recently, a regression or bypass was discovered that again allowed data exfiltration via image rendering during prompt injection on Google AI Studio, but it has been quickly fixed. MORE

2. Developers must be cautious when handling LLM responses, as attackers can exploit AI chatbots to exfiltrate data. MORE

3. Sploitify is an interactive cheat sheet of curated public server-side exploits, aiming to aid in offensive security while eschewing illegal or malicious use. MORE

4. This repository contains a list of tools used by ransomware and extortionist gangs. Defenders can exploit the fact that these tools are often reused, enabling threat hunting, detection deployment, and blocking to eliminate the ability of adversaries. MORE

5. Blind SSRF vulnerabilities can be chained in various ways, allowing for more complex and powerful attacks. Here's an exhaustive list of all the possible ways to do so. MORE

💭 Quote