
🐝 Hive Five 191 - It's More Fun To Be Competent

Guide To Subdomain Takeovers 2.0, Learning 101: The Untaught Basics, Work is Meaningless, The Art of Saying No, Microsoft Incident Response Ninja Hub, and more...

Hi friends,

Greetings from the hive!

I've never lived with hurricanes, but it appears that the decisions for those who have keep getting harder.

The latest one, Hurricane Helene, a powerful Category 4 storm, ravaged the Southeastern United States, leaving a trail of immense destruction in its wake.

The impact it had in North Carolina in particular was something I didn't realize was possible.

Let's take this week by swarm!

🐝 The Bee's Knees

  1. Eva gained access to anyone's browser without them even visiting a website. Hint: Firebase was involved. She downloaded Arc and started analyzing, and the first thing that stood out was that Arc requires an account to use. But why? MORE

  2. Insecurity through Censorship: Vulnerabilities Caused by The Great Firewall. Assetnote breaks down attack vectors and also created an interactive tool to test if your domain is affected. MORE

  3. A Guide To Subdomain Takeovers 2.0 by none other than EdOverflow, who famously published the original "A Guide To Subdomain Takeovers" six years earlier. MORE

  4. David Heinemeier Hansson, the creator of Ruby on Rails, unveiled Rails 8 with built-in authentication, Propshaft, Solid Cache, Solid Queue, Solid Cable, Kamal, and Thruster, making it a complete "One Person Framework" that needs no Platform as a Service (PaaS) to deploy. MORE

  5. Remotely controlling cars with just a license plate. On June 11th, 2024, Sam, Neiko, Justin, and Ian discovered a set of vulnerabilities in Kia vehicles that allowed remote control over key functions using only a license plate. MORE

Upgrade Yourself →

You're getting the free version. Members get more, including exclusive & bonus content, access to an online community of smart and driven people, the complete Hive Archive, deep discounts, and so much more. See what you're missing.

Do you have a product or service to promote? Find out more about advertising in Hive Five.

📰 Updates

🍯 My work

🗞️ News

  1. Runway and Lionsgate have formed a unique partnership to create and train a new AI model using Lionsgate's proprietary catalog. MORE

I don't know how I feel about this, but what I do know is that Lionsgate has nothing but certified bangers, so I'm lightly optimistic.

  2. DJP, a new plugin mechanism for Django built on top of Pluggy, was announced by Simon at DjangoCon US in a talk on designing and implementing extensible software with plugins. MORE

  3. The ZAP project, known for its web application security testing tool, has joined forces with Checkmarx, a security solutions provider. The three ZAP project leaders have been employed by Checkmarx to work on both ZAP and Checkmarx's DAST solution, which is built on top of ZAP. MORE

This model, or variations thereof, should be way more common in my opinion. The creators, company, customers, and ecosystem all win, making it a no-brainer. The challenge is ensuring the independence of the project. Great examples of this are Syntax (Sentry) and Indie Hackers (Stripe).

✅ Changelog

  1. Deadfinder helps developers find and fix broken links on their websites. The latest version introduced a silent flag, bug fixes, and more. MORE

  2. DOMPurify 3.1.7 added better Angular support, new attributes, and other improvements. MORE

  3. Gungnir 1.1.0, the CT log scanner, added the ability to monitor its roots.txt domain list for updates. MORE

  4. PrimatePack v2.0 introduces two new features: Nerd Sniper, which allows sending HTTP requests to friends via Discord webhooks, and Embedder, a renamable sidebar tab for embedding content. MORE

💼 Work

💰 Career

  1. Luis von Ahn, the founder of Duolingo, has made his language learning app highly addictive, a formula that many entrepreneurs would find useful for their own businesses. Also, TIL that he invented CAPTCHA and is the founder of ReCAPTCHA. MORE

  2. Find out how to choose the right cloud provider to learn and how to research your local market for career opportunities. MORE

  3. Most people's problems at work stem less from the list of things they should be doing than from the longer list of things they shouldn't be doing, and seeing that takes proper critical reflection. MORE

  4. The two most common mistakes when starting a business are not connecting separate activities and not building inertia. Flywheels allow one to work smarter, experience faster growth, and make more money over time. MORE

🚀 Productivity

  1. Manage projects with four levels of intensity: on, ongoing, simmering, and sleeping. MORE

  2. Bashbunni shows how to do a local merge/PR review, summarize API changes in Go, and use git worktrees. MORE

  3. Jeff Bezos explains one-way door decisions and two-way door decisions. MORE

  4. Learning 101: The Untaught Basics. Here are the four optimal learning techniques: 1) spaced-out learning, 2) interleaving, 3) testing, and 4) variety. MORE

🌎 Community

🎉 Celebrate

  1. Doomerhunter and team won the Most Impactful Team trophy at H1-0131 on AWS, earning around $150,000. Congrats! MORE

  2. xEhle enjoyed a wonderful time in Edinburgh, thanks to HackerOne and Amazon. They achieved the best placement yet in an LHE competition. LFG! MORE

  3. Frans Rosen recently won his 4th MVH at the HackerOne event in Scotland. P-p-p-perfect! MORE

  4. Bsysop, with 14,000 points on Bugcrowd, feels like they've been hunting bugs for ages. More to come! MORE

  5. Congratulations to Katie for passing her driving test! MORE

⚑️ Timeline

  1. NahamSec discusses the mindset and approaches of hackers during hacking events. While there are large bounties involved, hackers are motivated by more than just the financial rewards. MORE

💛 Follow
Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. @madplatt | Mario Platt | Director of GRC for Security and Privacy LastPass Infosec meets Safety Science, Resilience Eng, Strategy, Complexity and Org design learner.

  2. @val_brux | Valerio Brussani | Agonistic Hacker breaking web & mobile software stuff | SRT-Envoy SynackRedTeam / Lead Pentester Cobalt_io | BugCrowd HackerOne.

  3. @sobedominik | Dominik Sobe ツ | Indie Hacker and Surfer tweeting about bootstrapping SaaS. Sharing my lessons. Currently turning Notion Docs ➯ professional Help Center HelpkitHQ.

  4. @Yassineaboukir | Yassine Aboukir | Application security consulting | Bug bounties (H1 Top 20, MVH and Hacker Advisory Board) | Digital nomad | Aspiring athlete.

  5. @OWASP_MAS | OWASP Mobile App Security | owasp Flagship Project defining the Industry Standard for Mobile Application Security.

πŸ„ Level up

📰 Read

  1. During a Red Team engagement, the QuarksLab team discovered several vulnerabilities, including Remote Code Executions, in the latest version of Chamilo. MORE

  2. Laurence investigates Command & Control (C2) frameworks used in network and red teaming assessments, from the angle of application and source code security assessments. MORE

  3. The Semperis security research team discovered vulnerabilities in Entra ID that allowed privilege elevation beyond expected authorization controls, based on analysis of the OAuth scope permissions. MORE

  4. How to build a secure recon network using Tailscale. Learn more about: Creating and securing your software defined network, Masking and routing network traffic through exit nodes, Sharing files through your network, and SSH from anywhere without an SSH key. MORE

  5. Foundations breaks down why Britain has stagnated due to the chronic failure to build homes, infrastructure, and energy. MORE

💡 Tips

  1. A common problem in git is finding the commit that deleted a file. Doing so locally is well-known, but what about on a hosted repo? GitHub has you covered: browse to /<user>/<project>/commits/<branch>/<path/to/deleted/file> and the deleting commit shows up in that path's history. MORE

  2. By leveraging code review techniques and a few "What if..." scenarios, it's possible to uncover vulnerabilities hidden within common patterns like automatic ORM mapping and SQL query building. MORE

  3. Josh decoded the art of learning itself: he became a chess prodigy at 11, a martial arts champion at 28, and a bestselling author at 31. Here are the most interesting lessons. MORE

  4. Take the next three months to become the person you've always wanted to be. MORE
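Both halves of the deleted-file tip above, as an added example that is not code from the linked post: it builds a throwaway repository in a temp directory with a constructed history (so it runs offline, but git must be installed), finds the deleting commit locally with `git log --diff-filter=D`, and assembles the GitHub commits URL for the same path. The user, project and branch values passed to the URL helper are placeholders.

```python
"""Find the commit that deleted a file: locally via git log, and the equivalent
GitHub commits URL for a hosted repo. Added example with a constructed history."""
import os
import subprocess
import tempfile
from urllib.parse import quote


def _git(repo, *args):
    """Run git inside `repo` with a fixed identity so commits work on a bare machine."""
    cmd = [
        "git",
        "-c", "user.name=demo",
        "-c", "user.email=demo@example.invalid",
        "-c", "commit.gpgsign=false",
        *args,
    ]
    return subprocess.run(cmd, cwd=repo, check=True, capture_output=True, text=True).stdout


def build_demo_repo(repo):
    """Constructed history: add two files, edit one, then delete the other."""
    _git(repo, "init", "-q")
    for name, text in (("config.yml", "debug: true\n"), ("secrets.env", "API_KEY=constructed\n")):
        with open(os.path.join(repo, name), "w") as fh:
            fh.write(text)
    _git(repo, "add", ".")
    _git(repo, "commit", "-q", "-m", "initial import")
    with open(os.path.join(repo, "config.yml"), "a") as fh:
        fh.write("log_level: info\n")
    _git(repo, "commit", "-q", "-am", "tune logging")
    _git(repo, "rm", "-q", "secrets.env")
    _git(repo, "commit", "-q", "-m", "remove committed secrets")


def deleting_commits(repo, path):
    """Return (sha, subject) for every commit whose diff deletes `path`.

    --diff-filter=D keeps only commits in which the path was deleted. The
    trailing `--` stops git from treating the argument as a revision, which
    matters precisely because the file no longer exists in the working tree.
    """
    out = _git(repo, "log", "--diff-filter=D", "--format=%H%x09%s", "--", path)
    return [tuple(line.split("\t", 1)) for line in out.splitlines() if line]


def github_history_url(user, project, branch, path):
    """The hosted equivalent: GitHub's commits view accepts a path that no longer
    exists on the branch, so the deleting commit appears in the listing.
    All four arguments are placeholders supplied by the caller."""
    return f"https://github.com/{user}/{project}/commits/{branch}/{quote(path)}"


def demo():
    """Build the constructed repo and return (subjects that deleted secrets.env,
    deletions of config.yml, which should be none)."""
    with tempfile.TemporaryDirectory() as repo:
        build_demo_repo(repo)
        hits = deleting_commits(repo, "secrets.env")
        untouched = deleting_commits(repo, "config.yml")
        return [subject for _, subject in hits], untouched


if __name__ == "__main__":
    print(demo())
    print(github_history_url("octocat", "hello", "main", "secrets.env"))
```

`git log --diff-filter=D -- path` also works for a path that was deleted and later re-added; each deletion shows up as its own commit, which is why the function returns a list rather than a single hit.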
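One way to play the "What if..." game from the code review tip above in runnable form, as an added example that is not from the linked article: an in-memory SQLite table with constructed rows, a lookup that splices input into the query next to its parameterised form, an ORDER BY column chosen by the caller (bind parameters carry values, not identifiers, so it needs an allow-list), and an ORM-style update that maps request keys straight onto columns. Table, column and account names are hypothetical.

```python
"""Query building and automatic ORM-style mapping under code review.
Added example with constructed data; not from the linked article."""
import sqlite3

# Constructed rows; not real accounts.
CONSTRUCTED_USERS = [
    ("alice", "alice@example.invalid", 0),
    ("bob", "bob@example.invalid", 0),
    ("root", "root@example.invalid", 1),
]


def make_db():
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, is_admin INTEGER NOT NULL DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, is_admin) VALUES (?, ?, ?)",
        CONSTRUCTED_USERS,
    )
    return conn


def find_user_vulnerable(conn, username):
    """What if the input contains a quote? The value is spliced into the SQL text,
    so an input like "' OR '1'='1" rewrites the WHERE clause and matches every row."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Same query with a bound parameter: the input is only ever compared as data."""
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,))]


ALLOWED_SORT_COLUMNS = {"username", "email"}


def list_users_sorted(conn, sort_by):
    """What if the column name comes from the request? Parameters cannot bind
    identifiers, so a caller-chosen ORDER BY column is checked against an
    allow-list before it is interpolated."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return [row[0] for row in conn.execute(
        f"SELECT username FROM users ORDER BY {sort_by}")]


def update_profile_vulnerable(conn, user_id, payload):
    """ORM-style automatic mapping: every request key becomes a SET column. The
    values are bound, yet {"is_admin": 1} still elevates the account, because the
    keys decide which columns get written."""
    assignments = ", ".join(f"{column} = ?" for column in payload)
    conn.execute(f"UPDATE users SET {assignments} WHERE id = ?",
                 (*payload.values(), user_id))


USER_WRITABLE_COLUMNS = {"email"}


def update_profile_safe(conn, user_id, payload):
    """Reject any key outside an explicit allow-list before building the statement."""
    unexpected = set(payload) - USER_WRITABLE_COLUMNS
    if unexpected:
        raise ValueError(f"fields not writable by the user: {sorted(unexpected)}")
    if not payload:
        return
    assignments = ", ".join(f"{column} = ?" for column in payload)
    conn.execute(f"UPDATE users SET {assignments} WHERE id = ?",
                 (*payload.values(), user_id))


def is_admin(conn, username):
    """True when the named account carries the admin flag."""
    row = conn.execute("SELECT is_admin FROM users WHERE username = ?",
                       (username,)).fetchone()
    return bool(row and row[0])


def raises_value_error(fn, *args):
    """Helper so callers can check that the hardened variants reject bad input."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(find_user_vulnerable(db, "' OR '1'='1"), find_user_safe(db, "' OR '1'='1"))
```

The two hardened variants fix different things: parameter binding handles values, while the allow-lists handle identifiers and the set of columns a request is permitted to touch. A review that only asks "is the query parameterised?" misses the second pair.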

🧠 Wisdom

  1. Work is meaningless, and it almost killed Salma's husband. Although work is an exchange of time for money, the reality often differs. MORE

  2. Roberto started making internet videos two years ago, though they were terrible. He fell in love with the process and obsessed over improving them little by little, eventually creating a short film that closed Zuck's keynote this week. MORE

  3. Tim breaks down various fallacies and biases when holding on to a home just to not make a loss. MORE

  4. The art of saying no. An infographic on how to gracefully decline. MORE

📚 Resources

  1. Zimbra, a widely used email and collaboration platform, has released a critical security update addressing a severe vulnerability in its postjournal service, which could allow remote command execution. MORE

  2. This guide details the process of building and deploying a blog website using the Go programming language, including setting up a domain, server, and hosting service. MORE

  3. This content type research discusses examples of incorrect Content-Type parsing that can be exploited for XSS, CSRF, WAF Bypass, and more. MORE

  4. Microsoft Incident Response Ninja Hub includes a compilation of guides and resources that the Microsoft Incident Response team has developed on threat hunting, case studies, incident response guides, and more. MORE

  5. Open-source developers frequently receive GitHub notification emails, but recently these emails have been hijacked to distribute malware. MORE

💭 Quote

❝

"You don’t have to make it back the way you lost it."

Warren Buffett

🛠 Explore

🧰 Tools

Get $200 to try DigitalOcean, the go-to for all my recon, automation, and VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

  1. Brutespray, a popular tool for brute-forcing network services found in Nmap output, has been rewritten in Go, making it more powerful and faster than its Python predecessor. MORE

  2. OpenFreeMap offers an open-source solution for displaying custom maps on websites and apps, using data from OpenStreetMap, without any commercial constraints. MORE

  3. CIRCL hash lookup is a public API for looking up hash values against databases of known files, including the NSRL RDS and several others. MORE

  4. Broken Hill is a productionized, ready-to-use automated attack tool that generates crafted prompts to bypass restrictions in large language models (LLMs) using the greedy coordinate gradient (GCG) attack. MORE

🎥 Watch

  1. DjangoTV offers a repository of Django conference videos and tutorials. MORE

  2. Andrew walks through their current Neovim configuration, terminal, and environment setup, providing details on their Kitty, Tmux, and other configurations. MORE

  3. A step-by-step demonstration of building a personal reading companion application in less than 60 minutes, using Cursor and o1. MORE

  4. LiveOverflow's theory on how the WebP 0-day (BLASTPASS) was discovered. MORE

  5. Exposing The Flaw In Our Phone System, exploiting vulnerabilities in the Signaling System No. 7 (SS7) to intercept calls and steal two-factor passcodes from phones. MORE

🎵 Listen

  1. The Pragmatic Engineer has launched a podcast. The first episode features a discussion with Simon Willison on AI tools for software engineers, without the hype. New episodes will be released every other Wednesday. MORE

  2. Sam Altman, the CEO of OpenAI, is an avid writer who champions the benefits of writing for personal and professional growth. Writing clarifies thinking, expands ideas, and improves one's life in myriad ways, as Altman has discovered through his own experience. MORE

  3. WordPress is in a battle with WP Engine ("Most Trusted WordPress Platform 2024"). Matt Mullenweg, the co-founder of WordPress, discusses the current state and what's actually going on. MORE

  4. Nick Bilton on How to Write a Thriller. Nick is a journalist who has written for The New York Times and Vanity Fair. He’s a screenwriter, an author, a murder mystery enthusiast. In other words, he knows how to push a story through a brick wall. And he’s going to show you how you can, too. MORE

🌐 Technology

  1. Arslan has long admired the iconic alarm clock designs of Dieter Rams, Dietrich Lubs, and Ludwig Littmann at Braun. Inspired by their minimalist aesthetic, he 3D-printed an iPhone dock in a similar style. MORE

  2. Cloudflare is celebrating Builder Day 2024 with 18 major updates to their Workers platform, including joining OpenNext to deploy Next.js apps to Workers. MORE

  3. Julia spent the past couple of weeks working on a website in Go. Here's what they learned along the way: Go 1.22 now has better routing, redirects with trailing slashes, sqlc that automatically generates code for database queries, and more. MORE

  4. Introducing OpenNext: Next.js, unlike other modern frontends, lacks a robust self-hosting solution across different platforms, though it can be run as a Node.js application, which does not work the same way as on Vercel. MORE

  5. Guidelines from the UK government on building a robust frontend using progressive enhancement: start with HTML that works on its own, and only then add anything else, like Cascading Style Sheets (CSS) and JavaScript. MORE

👀 Interesting

  1. Explore the best attractions and restaurants in cities around the world. Discover hidden gems and plan your next adventure. MORE

  2. Shopify, the leading e-commerce platform, has revamped its landing page. Every section seems to have a dynamic element, my favorite one being the globe. It showcases the transactions worldwide. MORE

  3. Maynard James Keenan of the band Tool discusses how his Arizona winery and musical influences like Joni Mitchell shape the diverse output of his three bands - Tool, A Perfect Circle, and Puscifer. MORE

  4. The pursuit of a sub-2:50 marathon, detailing the pre-race preparation and the race day experience, which, despite the author's best efforts, did not go entirely as planned. MORE

  5. Casey Neistat's non-technical iPhone 16 review. He upgraded from a two-year old 14 Pro and believes we've reached a point of diminishing camera returns. MORE

📈 Learned something? Dive deeper.


Share Hive Five →

Share this newsletter with your friends, colleagues, and BFFs.

1 REFERRAL = 20% OFF EVERYTHING IN THE STORE

Until next week, take care of yourself and each other,

Bee 🐝

This newsletter may contain affiliate links that support its costs. These links lead to tools, courses, and resources that I've personally found helpful.