
🐝 Hive Five 187 - Hacker Mode

A roundup of every Hacker Summer Camp AI Talk, Bypassing airport security via SQL injection, Misconception about the nature of work, and more...

Hi friends,

Greetings from the hive!

Apologies for the delay. I'm still sick, or again...

I wonder if there's anything I can do to combat it better. Or, perhaps it's just inherently a part of being a parent.

Having said that, I haven't been sitting still. I launched the Hive Five swag shop (1 referral = 20% off). This has been a long time coming and even predates the newsletter. Crazy, huh?

Before, I would limit my output to certain streams or put myself in a box. Lately, I've been leaning in instead and taking action on all of them.

Most limits are self-imposed.

Let's take this week by swarm!

🐝 The Bee's Knees

  1. Bypassing airport security via SQL injection. This research focuses on the Known Crewmember (KCM), a TSA program, and the Cockpit Access Security System (CASS). MORE

  2. Founder Mode. Brian Chesky's talk at a recent YC event left a lasting impression on the founders present; even Ron Conway, known for his meticulous note-taking, surprisingly forgot to take notes this time. MORE

  3. The shared knowledge, values, and culture of the powerful people of Silicon Valley and the American Tech Elite. MORE

  4. A roundup of every AI Talk from BSidesLV, Black Hat, and DEF CON 2024. MORE

  5. The X-Correlation between Frans & RCE - Research Drop. In this episode of the Critical Thinking - Bug Bounty Podcast, Frans shares a sneak peek of his new presentation, leaving everyone, including Justin, mind-blown. MORE

Upgrade Yourself →

You're getting the free version. Members get more — including exclusive & bonus content, access to an online community of smart and driven people, the complete Hive Archive, deep discounts, and so much more. See what you're missing.

Do you have a product or service to promote and want to partner up? Find out more about advertising in Hive Five.

📰 Updates

🍯 My work

✅ Changelog

  1. Google has updated its Chrome VRP to incentivize deeper research, offering higher rewards for more impactful bug discoveries. MORE

  2. Google released three new Gemini models today: improved versions of Gemini Pro and Gemini Flash plus a new model, Gemini Flash-B, which is significantly faster (and will presumably be cheaper) than the regular Flash model. MORE

  3. Nullenc0de updates gofuzz, now featuring Nuclei integration for enhanced credential exposure detection. Find more secrets, faster. MORE

💼 Work

💰 Career

  1. Daniel argues that the current disruption in the job market is due to a widespread misconception about the nature of work. MORE

  2. The 3-step plan to figure out what you want to do in life. MORE

  3. This interview with Andy Swift, a former pentester and current technical director of offensive security, delves into his experiences breaking into the cybersecurity industry. MORE

  4. In this talk at Laracon US, Aaron Francis explores the transformative power of publishing one's work, sharing insights from his own experience as a developer and entrepreneur. MORE

  5. Steph Smith, a creator behind projects like The Hustle's Trends newsletter, shares insights on carving one's own path in life. MORE

🚀 Productivity

  1. YTLitePlus is a tweak that improves the YouTube experience on iOS by removing ads, enabling background playback, and offering a wealth of customization options. YTUHD is a tweak that unlocks higher video resolutions in the YouTube app. MORE

  2. Stupid but useful AI tricks: Creating calendar entries from an image using Anthropic Claude 3.5. MORE

  3. The natural tendency is to dismiss one's desires, but obsession, the powerful drive to accomplish something, should be embraced as a source of motivation. MORE

  4. Stephen Wolfram on Five Most Productive Years: What Happened and What’s Next. MORE

  5. Greg maintains a diverse set of notes on their iOS device, covering startup ideas, potential acquisitions, prospective company names, interesting phrases, content ideas, weekly goals, unpopular opinions, epiphanies, unanswered questions, life hacks, and personal stories. MORE

🌎 Community

🎉 Celebrate

  1. Two and a half years ago, Roll4Combat was lost, but today they break things for a living. Thanking the amazing bug bounty community and the help of several notable figures. LFG! MORE

  2. Joaxcar reached the number one spot on GitLab's bug bounty program. Woot! MORE

⚑️ Timeline

  1. Help Joey Belans: Facing Cancer After Layoff. He is renowned for his strength, wisdom, and exemplary role as a husband, father, friend, mentor, and coworker. (He’s since been rehired due to community uproar). MORE

  2. Justin advises that when auditing code, it is best to set up the target codebase properly in an IDE, as this will allow for quicker navigation and understanding, rather than relying solely on tools like vim and grep. MORE

  3. Frans Rosen shares the solution to last week's XSS challenge, detailing a red herring and the expected solution. MORE

  4. Shayan argues that the lack of built-in authentication solutions in modern web frameworks is a significant issue, leading to a focus on the wrong areas of developer experience. MORE

💛 Follow
Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. @Gabrielle_BGB | Gabrielle | Ethical Hacker | Top IFSEC Global 2022 | Woman Hacker 2022 | Board Member | Artemis SRT (Synack)| Speaker | Mentor.

  2. @nytr0gen_ | nytr0gen | Bug Bounty HackerOne | CTF Player WreckTheLine

  3. @NOBBD | Denis Werner | Interested in IT security, CTFs, penetration testing, adversarial simulation and digital forensics.

  4. @EliFitch | phelidelifeli | Beautiful squishboy. EM at Figma, making FigJam as weird and fun as possible. Games & car writing sometimes. Black Lives Matter.

πŸ„ Level up

πŸ“° Read

  1. Exploiting a Remote Code Execution Vulnerability in Moodle. Developers often unwisely pass user input to dangerous functions like PHP's eval(), despite warnings, and their attempts to sanitize the input are usually not as robust as they assume. MORE

  2. Microsoft Copilot: From Prompt Injection to Exfiltration of Personal Information, combining attack techniques such as prompt injection and ASCII smuggling. MORE

  3. This piece explores how Anthropic, an AI research company, built its flagship product Artifacts - a language model capable of a wide range of tasks. MORE

  4. An introduction to GitHub Actions exploitation. Explore the mechanics of GitHub Actions, and the different elements that are present in a GitHub workflow. MORE

  5. SonarSource's vulnerability research team recently discovered a critical Cross-Site Scripting (XSS) vulnerability in the popular open-source webmail software Roundcube, putting government emails at risk. MORE

💡 Tips

  1. Global Grey offers a library of high-quality, public domain ebooks in PDF, epub, and Kindle formats, with no registration or sign-ups required. Simply browse the collection and click to download the book of your choice. MORE

  2. TIL that the like button on YouTube actually glows when one says "smash that like button." MORE

  3. Secure coding training and security code review training are two distinct approaches in application security, each focusing on different aspects of the development process and intended for different audiences. MORE

  4. Apparently ASU offers a student discount for just $20, allowing access to discounts across America, including a $1200 Samsung fridge. MORE

  5. Use the "save all" feature in the Cursor's composer to write to a file and easily test ideas, while still having the option to reject the changes. MORE

🧠 Wisdom

  1. How to say Hello. Sounds simple, but so important. It is hard to warm up to someone if their first impression was poor. MORE

  2. Lelouch on believing they were "too dumb" to understand math, but this belief was unfounded - the difficulty stemmed from a lack of prerequisites. MORE

  3. Luke on jumping into what's next and keeping on chasing your hero. Inspired by Matthew McConaughey's acceptance speech when he won the Academy Award for Best Actor. MORE

  4. Join Sahil as he coaches a 27-year-old for 5.5 hours. Sahil, an entrepreneur and investor, has faced numerous failures over the past 10 years, but now runs an eight-figure holding company, manages a $10 million venture capital fund, and creates content that reaches millions weekly. MORE

  5. How to live a good life according to Aristotle: happiness is achieved through a lifetime of virtuous activity of the soul, involving both intellect and character. MORE

📚 Resources

  1. A comprehensive set of reverse engineering tutorials covering x86, x64, and 32-bit and 64-bit ARM architectures. MORE

  2. Your guide to tokens: How to design, launch, structure rights, and more. Tokens are a new technology defining the web, but best practices are rapidly evolving, so approach them with caution and care. MORE

  3. Practical tips for crafting a compelling CFP, emphasizing the importance of a clear and concise proposal that showcases one's expertise and the value of their talk. MORE

  4. Syncing a Mac laptop and a Linux/BSD desktop can be a challenge due to differences in the file systems. Sivers outlines methods for keeping the /home directory synchronized between the two machines. MORE

  5. This curated list of resources covers software, hardware, books, and research on embedded and IoT security, a growing need due to botnets like Mirai. MORE

💭 Quote

❝

"The only real test of intelligence is if you get what you want out of life."

Naval
