🐝 Hive Five 192 - AI Algorithms Encode Human Bias

CSP Bypass Search, Cursor Team discussing the Future of Programming with AI, Giving Away $22 Million, Using JavaScript in iOS Shortcuts, and more...

Hi friends,

Greetings from the hive!

Inefficient processes are at times the most effective experiences. It sounds counter-intuitive but think about it.

Would you rather receive a handwritten note or an automated message?

Efficiency by itself is a race to the bottom. Effectiveness is what the focus should be.

Find out what has the biggest impact and execute.

Let's take this week by swarm!

🐝 The Bee's Knees

  1. Increased efficiency can sometimes lead to worse outcomes, a phenomenon known as the strong version of Goodhart's law. This is true across many domains, where optimizing for a specific metric can have unintended negative consequences. MORE

  2. Riley installed a solar-powered Android phone on a pole in San Francisco's Mission district, with the microphone pointed down at the street below. The phone is set to constantly run Shazam, 24 hours a day, 7 days a week. MORE

  3. Writing Examples showcases the finest writing of all time, distilling valuable lessons for aspiring writers. MORE

  4. Renniepak created CSP Bypass Search, a site to search for known Content Security Policy bypass gadgets that can be used to gain Cross-Site Scripting (XSS) vulnerabilities. MORE

  5. An interview with the Cursor Team discussing the Future of Programming with AI. They share their journey from using Vim to adopting VS Code with Copilot, which led them to develop Cursor. MORE

Want to sponsor an upcoming issue? Let’s partner up!

Upgrade Yourself →

You're getting the free version. Members get more, including exclusive & bonus content, access to an online community of smart and driven people, the complete Hive Archive, deep discounts, and so much more. See what you're missing.

Table of Contents

📰 Updates

🍯 My work

💼 Work

💰 Career

  1. Snyff reflects on what makes an ideal candidate for a first AppSec or product security professional, prompted by a CISO's request for recommendations. MORE

  2. Jason on appetites > estimates. The problem with software estimates is that they are simultaneously correct and incorrect. There are myriad versions of a task, each with its own timeframe, but picking any one of them will likely be wrong. MORE

  3. Her Ride-or-Die Era: Netflix technology leader Lisa Shissler Smith on turning personal struggles into career empowerment. MORE

  4. Derek Sivers, an entrepreneur, gave away his $22 million fortune, challenging conventional notions of success and fulfillment. His unconventional approach to life and exploration may provide an antidote to the relentless pursuit of more. MORE

  5. What successful indie-hacker Tibo would do if he had to start over. First, list what excites you, then choose a small niche, ideate 5-10 concepts, pick one, build it in a week, create only what's needed to validate, and share it on relevant platforms. MORE

🚀 Productivity

  1. Successful people across fields credit their achievements not to passive learning, but to deliberate daily practice. Stephen King exemplifies this, becoming a bestselling author through relentless writing, not just reading. MORE

  2. Harvard Business Review did research into Supercharging Company Knowledge with AI. MORE

  3. Ten incredible Google Sheets capabilities, encompassing data formatting, dynamic views, filtering, data cleaning, and handy shortcuts. MORE

"As organizations begin to explore AI for knowledge management, vet solutions, and implement these technologies, they should keep several recommendations in mind. Create standards for how knowledge is captured."

  4. Eleven habits Sahil quit to transform their life, from eliminating distractions to prioritizing self-care. MORE

"I quit focusing on my potential. [...] You gather more and more information to build it, but along the way, lose sight of one important fact: Potential is nothing without execution."

🌎 Community

🎉 Celebrate

  1. A recap of HackerOne's live hacking event in Miami with Capital One, where researchers discovered and reported vulnerabilities. MORE

  2. NahamSec proudly RCE'd their first printer during a pentest. LFG! MORE

⚑️ Timeline

  1. Project Discovery is launching the Pioneers Ambassador Program to recognize, connect, and appreciate its active contributors and advocates. MORE

  2. Mitchell Hashimoto, co-founder of HashiCorp, pledged $300,000 to the Zig Software Foundation; the foundation's own announcement lays out its mission and how it plans to use the funds. MORE

  3. Obsidian October is an annual event where developers discover the world of Obsidian plugins, and this year the focus is on speed. The Obsidian community has built nearly 2,000 plugins, making the platform ever more powerful. MORE

  4. Truffle Security invites the community to improve detectors for their TruffleHog tool during Hacktoberfest 2024. Last year, they were delighted with the contributions that added new detectors. MORE

  5. chebuya is working on something cool. It's a tool similar to httpx, but instead of finding interesting web servers to hack, it aims to find interesting code repositories to audit. MORE

💛 Follow
Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. @_bazad | Brandon Azad | iOS security research.

  2. @hasherezade | hasherezade | Programmer, malware analyst. Author of PEbear, PEsieve, TinyTracer.

  3. @i_bo0om | Bo0oM | Web application security.

  4. @sprocket_ed | ed | Director of Operations and hacker at sprocketsec.

πŸ„ Level up

📰 Read

  1. A detailed, long-running critique of the NASA Space Launch System, which the author considers an abject failure despite the project's longevity. MORE

  2. Robert audits prominent mail providers to see how they handle email encryption and shows how MTA-STS improves on the status quo. SMTP predates transport-layer security and is cleartext by default; STARTTLS is opportunistic, so an on-path attacker can strip it, whereas an MTA-STS policy lets a receiving domain require TLS with a valid certificate. MORE

  3. Wikidata is the central store for Wikipedia's structured data. Here's how to build a crosswalk table for places with DuckDB, Ruby, and Bash. MORE

  4. What can we learn from the SolarWinds Serv-U vulnerability (CVE-2024-28995) dataset? Ron of Greynoise Labs breaks it down. MORE

  5. A Deep Dive into the CoSoSys EndPoint Protector Exploit: Remote Code Execution. MORE
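The MTA-STS mechanics behind item 2 above, as an added example (this is not code from the linked audit): a sending MTA parses the _mta-sts TXT record and the policy file, matches each MX host against the policy's mx patterns, and under mode enforce refuses to fall back to cleartext or to an MX the policy does not list. The domain names, TXT record and policy text are constructed samples; a real sender fetches the policy over HTTPS with certificate validation and caches it for max_age seconds, re-fetching when the TXT record's id changes.

```python
"""MTA-STS (RFC 8461) on the sending side: parse the DNS record and the
policy file, match MX hosts, and decide whether to deliver.

Added example, not code from the audit linked above. The domains, record
and policy are constructed samples.
"""
import re

# Constructed: what a lookup of the TXT record at _mta-sts.example.com returns
SAMPLE_TXT = "v=STSv1; id=20241004T120000"

# Constructed: body served at https://mta-sts.example.com/.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup-mx.example.net
max_age: 604800
"""

ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")   # RFC 8461 s.3.1: id is alphanumeric, 1-32 chars


def parse_txt_record(txt):
    """Return the policy id, or None if this is not a valid STSv1 record
    (the sender then behaves as if the domain had no MTA-STS policy)."""
    fields = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    policy_id = fields.get("id", "")
    if fields.get("v") != "STSv1" or not ID_RE.match(policy_id):
        return None
    return policy_id


def parse_policy(text):
    """Parse the key/value policy file ('mx' may repeat). Raises ValueError
    on a malformed policy, which a sender treats as no policy."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"bad line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("bad mode")
    if not policy["mx"] and policy["mode"] != "none":
        raise ValueError("no mx entries")
    policy["max_age"] = int(policy.get("max_age", ""))   # ValueError if missing
    return policy


def mx_matches(pattern, mx_host):
    """RFC 8461 s.4.1: a leading '*.' matches exactly one label, so
    '*.example.net' covers 'a.example.net' but neither 'a.b.example.net'
    nor 'example.net'."""
    mx_host = mx_host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # ".example.net"
        if not mx_host.endswith(suffix):
            return False
        label = mx_host[: -len(suffix)]
        return bool(label) and "." not in label
    return mx_host == pattern


def delivery_decision(policy, mx_host, tls_validated):
    """Return (deliver, reason) for one MX candidate.

    tls_validated: STARTTLS succeeded and the certificate validates for the
    MX hostname. Under mode=enforce the sender must not fall back to
    cleartext or use an MX outside the policy; under mode=testing it
    delivers anyway and reports the failure (TLSRPT).
    """
    if policy["mode"] == "none":
        return True, "mode=none: no MTA-STS requirement"
    in_policy = any(mx_matches(p, mx_host) for p in policy["mx"])
    if in_policy and tls_validated:
        return True, "MX in policy and TLS validated"
    problem = "MX not in policy" if not in_policy else "TLS not validated"
    if policy["mode"] == "enforce":
        return False, f"{problem}: refusing delivery (enforce)"
    return True, f"{problem}: delivering anyway (testing), failure reported"


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print(f"policy id {parse_txt_record(SAMPLE_TXT)}, mode {policy['mode']}, mx {policy['mx']}")
    for mx, tls in (("mail.example.com", True), ("mail.example.com", False),
                    ("mx1.backup-mx.example.net", True), ("relay.attacker.example", True)):
        print(mx, tls, delivery_decision(policy, mx, tls))
```

The enforce/testing split is the whole point of the mechanism: a domain starts in testing mode to see (via TLSRPT) which senders would fail, then switches to enforce, after which a STARTTLS-stripping attacker or a spoofed MX record no longer gets the sender to deliver in the clear.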

💡 Tips

  1. TIL you can use JavaScript in iOS Shortcuts. MORE

  2. FLUX can generate remarkably realistic images from prompts like "IMG_1018.CR2", showcasing a significant advancement in the realism of AI-generated visuals. MORE

  3. UIThub turns a GitHub repo into a flat text file, allowing for easy use with LLMs. MORE

  4. Ian, an engineer at Cursor, shares how to optimize your experience. MORE

🧠 Wisdom

  1. Nothing is a timer that allows you to simply do nothing, without goals or notifications, providing a quiet space to let time pass intentionally. MORE

  2. Jia Jiang embarked on a 100-day quest to desensitize himself to rejection, boldly seeking it out in various forms, and in the process, learned valuable lessons about overcoming the fear of rejection. MORE

  3. Next time you're stuck, take a walk. Steve Jobs believed that the 10-minute rule improved his thinking, and modern neuroscience confirmed his intuition. MORE

  4. When designing sharing flows, one must remember that people post for four reasons: to sound smart, be funny, look hot, or appear rich. The less a product obscures these goals, the higher the share rates will be. MORE

📚 Resources

  1. Analysis of CVE-2024-43044: from file read to RCE in Jenkins through agents. MORE

  2. ProjectDiscovery analyzes a critical vulnerability, CVE--, in the Ruby-SAML and OmniAuth-SAML libraries, which affects GitLab and allows an attacker to bypass authentication. MORE

  3. How To Find Broken Access Control Vulnerabilities in the Wild. MORE

  4. Analysis of bot-protection systems and the available countermeasures: defeating anti-bot systems and getting around browser-fingerprinting scripts when scraping the web. MORE

  5. OSINT tools and tips round-up: Finding deleted tweets and new tools from Bellingcat. Plus: upcoming free and paid workshops. MORE

💭 Quote

❝

"Nostalgia is a hell of a drug."

Someone on the internet

🛠 Explore

Get $200 to try DigitalOcean, the go-to for all my recon, automation, and VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

🧰 Tools

  1. CSPBypass is a tool designed to help ethical hackers bypass restrictive Content Security Policies (CSP) and exploit XSS (Cross-Site Scripting) vulnerabilities on sites where injections are blocked by CSPs that only allow certain whitelisted domains. MORE

  2. GShark is a Go and Vue-based management system for sensitive information detection. MORE

  3. Spacer is a simple command-line tool that inserts spacers when command output stops, making it easier to read. MORE

  4. The Ax Framework is a free and open-source tool used by security professionals to efficiently operate in multiple cloud environments. It helps build and deploy repeatable infrastructure tailored for offensive security purposes. MORE
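To make concrete what a CSP-bypass gadget search (item 4 of The Bee's Knees and Tools item 1 above) is looking for, here is an added example rather than code from CSPBypass: it parses a policy header, takes the sources that govern script loads, and reports which allowlisted host sources would let a gadget on that origin (a JSONP endpoint, an old AngularJS build) run attacker-controlled script despite the policy. The gadget inventory and the two policies are constructed, hypothetical samples, not CSPBypass's database.

```python
"""Audit a Content-Security-Policy for host-allowlist gadgets.

Added example: this is not code from the CSPBypass tool or its database.
It parses a CSP header, takes the sources that govern script loads, and
reports which allowed sources would let a gadget hosted on an allowlisted
origin run attacker-controlled JavaScript.
"""
from urllib.parse import urlsplit

# Constructed gadget inventory (hypothetical hosts and paths, not the real
# CSPBypass data): URLs that return attacker-influenced script.
GADGETS = [
    ("https://cdn.example-cdn.net/angular/1.4.6/angular.min.js",
     "AngularJS 1.x build: client-side template injection runs JS"),
    ("https://api.example-social.com/widget/jsonp?callback=alert",
     "JSONP endpoint: the callback name is attacker-controlled"),
    ("https://static.example-maps.com/js/loader.js",
     "script loader that fetches further scripts from a URL parameter"),
]

BROAD_SOURCES = ("*", "data:", "http:", "https:", "blob:")


def parse_csp(header):
    """Return {directive: [source, ...]}. CSP3 ignores a repeated directive,
    so the first occurrence is the one that is enforced."""
    policy = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(policy):
    """script-src governs script loads; default-src is the fallback."""
    return policy.get("script-src", policy.get("default-src", []))


def host_source_matches(source, url):
    """Simplified CSP host-source matching: optional scheme, optional '*.'
    host wildcard, optional port, and the path rule (a trailing '/' matches
    a prefix, no trailing '/' means the exact path). A scheme-less source
    is treated as matching any scheme here."""
    u = urlsplit(url)
    scheme = None
    if "://" in source:
        scheme, source = source.split("://", 1)
    host_port, _, path = source.partition("/")
    host, _, port = host_port.partition(":")
    if scheme and scheme.lower() != u.scheme:
        return False
    if host == "*":
        host_ok = True
    elif host.startswith("*."):
        host_ok = u.hostname.endswith(host[1:].lower())   # '*.x.com' -> '.x.com'
    else:
        host_ok = u.hostname == host.lower()
    if not host_ok:
        return False
    actual_port = u.port or {"https": 443, "http": 80}.get(u.scheme)
    if port and port != "*" and str(actual_port) != port:
        return False
    if path:
        wanted = "/" + path
        return u.path.startswith(wanted) if path.endswith("/") else u.path == wanted
    return True


def audit(header, gadgets=GADGETS):
    """Return (findings, notes): findings are (source, gadget_url, why)
    triples; notes flag settings that make a gadget unnecessary or moot."""
    sources = script_sources(parse_csp(header))
    notes = []
    if "'strict-dynamic'" in sources:
        notes.append("'strict-dynamic': host allowlist ignored, nonce/hash decides")
        return [], notes
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        notes.append("'unsafe-inline': inline script allowed, no gadget needed")
    if "'unsafe-eval'" in sources:
        notes.append("'unsafe-eval': eval()/Function allowed")
    for s in sources:
        if s in BROAD_SOURCES:
            notes.append(f"{s} in script-src: broad scheme/wildcard source, no gadget needed")
    findings = []
    for source in sources:
        if source.startswith("'") or source in BROAD_SOURCES:
            continue   # keywords, nonces, hashes and scheme-sources are not host sources
        for url, why in gadgets:
            if host_source_matches(source, url):
                findings.append((source, url, why))
    return findings, notes


# Constructed samples: a typical allowlist policy next to its hardened form.
WEAK_CSP = ("default-src 'self'; script-src 'self' "
            "https://cdn.example-cdn.net/angular/ *.example-social.com; "
            "object-src 'none'")
HARDENED_CSP = "script-src 'nonce-r4nd0mNonce' 'strict-dynamic'; object-src 'none'"

if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        findings, notes = audit(csp)
        print(f"[{label}] {len(findings)} gadget(s) reachable; notes: {notes}")
        for source, url, why in findings:
            print(f"  {source} allows {url}\n    -> {why}")
```

The hardened policy shows the fix a gadget search is working around: once script-src carries a nonce and 'strict-dynamic', the host allowlist no longer decides anything, so a JSONP endpoint or an old framework build on an allowed CDN is no longer reachable from an injection.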

🎥 Watch

  1. This tutorial demonstrates how to automate firmware updates for Unifi network devices while selectively excluding critical devices. It guides users through the process of setting up automatic updates to maintain a secure and up-to-date network. MORE

  2. Kamal is a tool that enables deploying web applications anywhere. Now, Kamal 2 has been released. Here's how it works. MORE

  3. Ali Abdaal, an accomplished YouTuber (and ex-doctor), provides a beginner's guide on starting a YouTube channel in 2024. He breaks it down in 3 levels: get going, get good, and get smart. MORE

  4. A tutorial on optimizing Cursor workflows for effectiveness by writing a Product Requirements Document (PRD). Instead of a one-line prompt, the PRD gives the model a roadmap. MORE

  5. Remember that security research that allowed them to track and control cars using just license plate numbers? Sam Curry explains what happened. MORE

🎡 Listen

  1. In Episode 20 of Darknet Diaries, we heard from Greg aka “mobman” who said he created the sub7 malware. Something didn’t sit right with a lot of people about that episode. It’s time to revisit that episode and get to the bottom of things. MORE

  2. Breaking The Internet Podcast is back with another episode, discussing the potential impact of AI on jobs. The hosts delve into the controversies surrounding AI and its commercial applications. MORE

  3. This episode of the Critical Thinking - Bug Bounty Podcast features a discussion between Justin Gardner and Brandyn Murtagh (gr3pme) about Murtagh's journey in the bug bounty world, covering mentorship, networking, ecosystem hacking, emotional regulation, and more. MORE

  4. Sunil Pai, a seasoned FAANG and FinTech engineer, reflects on creating high leverage in one's career, the value of curiosity, and how to know when to leave a successful venture, as discussed in his conversation on the Unspoken Tech podcast. MORE

  5. 80 minutes of advice to level up your life with lifehacks. MORE

🌐 Technology

  1. These apps help strangers connect over a meal; modest membership fees motivate users to commit. MORE

  2. Karpathy has curated a new podcast called "Histories of Mysteries" on Spotify, featuring 10 episodes exploring intriguing historical enigmas such as the Lost City of Atlantis, the Baghdad battery, the Roanoke Colony, and the Antikythera mechanism. The kicker is that he used Google's NotebookLM to create it. MORE

  3. The Cryptography behind AirDrop. To send a file to someone, Apple uses a proprietary peer-to-peer Wi-Fi protocol called Apple Wireless Direct Link (AWDL) and makes a TLS connection. MORE

  4. Ethical Applications of AI to Public Sector Problems. MORE

AI algorithms encode human bias. And in the public sector, failure carries real life or death consequences.

  5. Terminal colors are tricky. Here are 11 problems with possible solutions. MORE

👀 Interesting

  1. Rocky Linux is an open-source enterprise operating system designed to be bug-for-bug compatible with Red Hat Enterprise Linux, and is under intensive development by the community. MORE

  2. Open Source text-behind-image designs, created by Rexan Wong, allow users to easily generate images with text overlaid. The application's code is publicly available on GitHub, inviting contributions from the community. MORE

  3. An online yoga sequence builder to plan your yoga classes. A great way to get ideas. MORE

  4. "Hybrid Characters" brought to life with Runway's new image-to-video model. Images were created in Midjourney and retouched in Photoshop. MORE

  5. Starlink, the satellite internet service, is doubling its subscriber base every year. It may become the largest ISP in the US by 2028, surpassing Comcast Xfinity's 32 million subscribers, and potentially the largest ISP worldwide soon after. MORE

📈 Learned something? Dive deeper.


Share Hive Five →

Share this newsletter with your friends and colleagues.

1 REFERRAL = 20% OFF EVERYTHING IN THE STORE

Until next week, take care of yourself and each other,

Bee 🐝

This newsletter may contain affiliate links that support its costs. These links lead to tools, courses, and resources that I've personally found helpful.