🐝 Hive Five 195 - A Better Web Is Possible

Leaking Text Nodes with CSS, ZwinK is Back, How Do Browsers Work, Forward-Deployed Engineers, and more...

Hi friends,

Greetings from the hive!

The newsletter's format can sometimes be too chaotic, so I thought I’d try a different approach.

Everything is now divided into three overarching categories: Human, Security, and Tech & AI. The Bees Knees remain unaffected.

Do you love it, or do you hate it? Reply to this email and let me know your thoughts.

Let's take this week by swarm!

🐝 THE BEE'S KNEES

  1. Best known for puncturing blockchain/crypto hype with her Web3 Is Going Just Great project, writer/researcher Molly White believes a better web is possible. MORE

  2. Bench Press: Leaking Text Nodes with CSS. With the rise of XSS mitigations, both on the app and browser/spec side, CSS becomes a more and more helpful tool for client-side web exploits. MORE

  3. ZwinK is back with a new video, exploring manual subdomain reconnaissance techniques, including identifying active subdomains, potential WAF bypasses, and leveraging search engine dorks to uncover more targets. MORE

  4. Web browsers are ubiquitous, but how do they work? This book explains, building a basic but complete web browser, from networking to JavaScript, in a couple thousand lines of Python. MORE

  5. How To Start Working in Tech Jobs Guide, covering mindset, picking a job type, learning skills, networking, and finding work. MORE

Want to sponsor an upcoming issue? Let’s partner up!

Upgrade Yourself

You're getting the free version. Members get more — including exclusive & bonus content, access to an online community of smart and driven people, the complete Hive Archive, deep discounts, and so much more. See what you're missing.

🧠 HUMAN

Community

  1. Naffy would enjoy hearing NahamSec discuss life philosophy and worldviews with hackers, as this could provide insightful perspectives from a unique vantage point. MORE

  2. The Twitter-verse shares their movies with the best soundtracks of all time, such as Tron and Guardians of the Galaxy. MORE

  3. rez0 won a prompt injection prize at the Google VRP's escal8 live hacking event in Malaga. Congrats! MORE

  4. Mikey enjoyed 6 months of full-time bug bounty work and is now thrilled to join the watchTowr team as a Principal Security Researcher. Sweet! MORE

Career

  1. The Most Important Sentence for anyone struggling career or purpose-wise. Everything builds off of how you are useful to the world. MORE

  2. A serial entrepreneur, John Rush, shares strategies and frameworks on building and scaling cash-flowing online directories using AI and SEO as a great side hustle or first online business. MORE

  3. What hiring managers look for: connecting on LinkedIn after the intro, sending thank you after an interview, asking questions during interviews, and more. MORE

  4. TracketPacer discusses the different types of pressure in high-pressure jobs, and that skills don't necessarily transfer between them. MORE

  5. Job searching hack: customized Looms and referrals allow you to bypass the typical recruitment process. MORE

Productivity

  1. What is stopping you from: 1. Screen recording your processes, 2. AI-generating an SOP with Loom, 3. Asking GPT-o1 what can be automated, and 4. Using Cursor to automate those pieces. MORE

  2. Mastering skills through deliberate practice: experts in diverse fields, from chess to swimming, methodically refine techniques, build strength, and increase endurance. Here are alternatives that hackers practice. MORE

  3. How to Stay Productive Anywhere (4 Golden Rules): 1) Define what a win looks like, MORE

  4. Ali discusses how to control one's attention and avoid wasting time, drawing insights from a conversation with author and investor Nir Eyal. MORE

  5. The pain of regret > The pain of discipline. MORE

Health

  1. A physical therapist reviews the Knees Over Toes Guy's workout, evaluating each exercise for safety and effectiveness. MORE

  2. 7-Step ATG Mobility Routine (Plus 4-Step Shoulder Routine). MORE

  3. Hesitation is a self-fulfilling prophecy: caution and inaction erode self-esteem, leading to watching others succeed in the opportunities one missed. The solution is to bend towards action. MORE

Interesting

  1. How to build a human infographic: 44 animations that are 9 frames each, 396 sketches total. MORE

  2. The Thule Subterra 2 Powershuttle provides a thoughtful storage solution for small electronics, chargers, cords, and other items. MORE

  3. Family Guy re-uploaders are able to post entire episodes using a technique that shows separate images for scrubbing, evading YouTube copyright. MORE

  4. Building a Minimum Viable Laptop Sticker Business. MORE

  5. People share their "I can’t believe other people don’t do this" hacks. MORE

🔒 SECURITY

Read

  1. Attacking APIs using JSON Injection. Despite warnings about interoperability, most users of JSON parsers are unaware of these caveats. MORE

  2. This post details the analysis and exploitation of a vulnerability in the ChakraCore JavaScript engine, CVE-2018-3048, in order to achieve arbitrary code execution. MORE

  3. Anthropic recently released Claude Computer Use, a model that allows Claude to control a computer, take screenshots, and run commands - a capability that is both impressive and inherently dangerous due to prompt injection vulnerabilities. MORE

  4. $20,300 Bounties from a 200-Hour Hacking Challenge. MORE

  5. The Diminishing Value of Secure Coding Training. The real challenge in today’s security landscape lies in uncovering the more subtle, complex vulnerabilities that these frameworks do not automatically mitigate. MORE

Tools & Techniques

Get $200 to try DigitalOcean — the go-to for all my recon, automation, and VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

  1. sn0int is a semi-automatic OSINT framework to gather intelligence about a given target or about oneself. MORE

  2. MisconfigMate is a Python port and enhancement of Intigriti's misconfig-mapper, building upon their excellent research and service templates while adding additional features and improvements. MORE

Resources & Learning

  1. This PoC demonstrates exploiting CVE-2024-9264 to perform a DuckDB SQL query and read an arbitrary file on the filesystem using an authenticated user. MORE

  2. A deeper look into the ability to conceal payloads through credentials, manipulate the username and password properties within anchor elements, and potentially combine this with DOM clobbering. MORE

  3. Private Cloud Compute (PCC) handles computationally intensive tasks for Apple Intelligence. Apple released tooling and documentation making it easier than ever for anyone to not only study but verify PCC’s critical security and privacy features. MORE

  4. Curated list of must-watch movies for aspiring hackers and cyberpunks, drawing from open-source sources. MORE

  5. SQL Injection Polyglots—payloads that allow you to detect variations of the same or different vulnerability with a single request. MORE

Watch & Listen

  1. Nahamsec evaluates Ax, the successor of the Axioms framework, highlighting its potential as a powerful reconnaissance tool. MORE

  2. At RomHack 2024, Alex Plaskett and McCaulay Hudson discuss their journey to hacking automotive devices at Pwn2Own Automotive in Tokyo to win $90,000. MORE

  3. Katies reviews the "This Is How They Tell Me the World Ends" book. MORE

  4. Executive Offense interview with Rodolfo (BruteLogic) Assis, a master of XSS. MORE

🤖 TECH & AI

Read

  1. The Bee Agent Framework makes it easy to build scalable agent-based workflows with your model of choice. The framework has been designed to perform robustly with IBM Granite and Llama 3.x models. MORE

  2. A teenager's tragic death after interacting with an AI chatbot has led to a lawsuit, raising concerns about the need for robust safeguards against suicidal ideation in such tools. MORE

  3. Independent publishing is one important facet of the media ecosystem, and while Molly loves it, she knows it is not the path for everyone. MORE

  4. Nabeel reflects on his time with Palantir as the company recently joined the S&P 500. MORE

What intrigued me was the forward-deployed engineers (FDEs), who were typically expected to ‘go onsite’ to the customer’s offices and work from there 3-4 days per week, which meant a ton of travel.

Tools & Techniques

  1. The Basic Dataview Query Builder is a tool that simplifies the process of creating complex queries for the Dataview plugin in the Obsidian note-taking application. MORE

  2. Run a prompt to generate and execute jq programs using llm-jq. Example: curl -s <url> | llm jq 'count by user login, top 3'. MORE

Now I can finally stop Googling when my jq syntax is inevitably incorrect again.

  3. Slidev aims to provide flexibility and interactivity for developers to make their presentations much more interesting, expressive, and attractive by using technologies they are familiar with. MORE

Resources & Learning

  1. Resources on how to start with Robotics. MORE

  2. Using less memory to look up IP addresses in Mess With DNS. MORE

  3. Blue Sky uses one SQLite database per user, which keeps all the data and is the source of truth. Scylla acts like a View layer on top of it, providing different views. MORE

Watch & Listen

  1. How NotebookLM Was Made: How to manage and engineer truly great AI products, why disagreement makes for great podcasts, iterating your way to a viral hit from a "Talk to Small Corpus" side project. MORE

  2. Building AI That Builds Itself: Yohei Nakajima is a venture capitalist by day and a prolific AI tinkerer by night, creating projects like the popular BabyAGI. MORE

  3. Taylor Otwell, the creator of Laravel, talks PHP, Lambos, and VC. MORE

💬 QUOTE

"Don’t worry about people stealing your design work. Worry about the day they stop."

Jeffrey Zeldman

🚀 Learned something?

Share Hive Five

Share this newsletter with your friends and colleagues.

1 REFERRAL = 20% OFF EVERYTHING IN THE STORE

Until next week, take care of yourself and each other,

Bee 🐝

This newsletter may contain affiliate links that support its costs. These links lead to tools, courses, and resources that I've personally found helpful.