
🐝 Hive Five 197 - Winning doesn’t always feel like winning

Life-changing purchases under $100, Common Detection & Evasion Techniques for WAFs, Aaron Swartz Day 2024, From failing 22 times to building a $2.5B Company, and more...

Hi friends,

Greetings from the hive!

Apologies for the delay, I'm on a family trip. So, here's a first: this issue is brought to you live from the road to Colorado.

Let's take this week by swarm!

🐝 The Bee's Knees

  1. In this interview with Louis Nyffenegger from PentesterLab, he advises against getting stuck when learning web security and offers guidance on navigating the challenges of the field. MORE

  2. When WAFs Go Awry: Common Detection & Evasion Techniques for Web Application Firewalls. MORE

  3. The Nike ad "Stairs" explores the idea that winning doesn't always feel like winning, a powerful message about the challenges of perseverance. MORE

  4. Make it Yourself showcases the incredible talent of creatives, bringing together over 1000 useful DIY projects to demonstrate just what is possible when you make things yourself. MORE

  5. Hacker News users share life-changing purchases under $100 and $1000, from gadgets to subscriptions that significantly impacted their lives. MORE

Brought to you by →

Obsidian

The private and flexible writing app that adapts to the way you think. From personal notes to journaling, knowledge bases, and project management, Obsidian gives you the tools to come up with ideas and organize them.

Upgrade Yourself →

You're getting the free version. Members get more — including exclusive & bonus content, access to an online community of smart and driven people, the complete Hive Archive, deep discounts, and so much more. See what you're missing.

Table of Contents

📰 Updates

🍯 My work

📅 News

  1. xAI has launched its API, offering a 128k token context, function calling support, custom system prompt support, and compatibility with OpenAI and Anthropic SDKs, along with $25 in free credits until the end of the year. MORE

  2. Intigriti's annual CTF will be live on YouTube on 14/11/24 at 2 PM UTC featuring talks from popular hackers. MORE

  3. The SANS Holiday Hack Challenge 2024 is live. Note that you do not need to answer all questions to be eligible for prizes. MORE

✅ Changelog

  1. The LazyVim project has released version 13.0.0, which moves a number of its core features to the snacks.nvim plugin. MORE

  2. OWASP-Noir v0.18.2: improved URL normalization in NoirRunner (#445), updated shell completion to cover missing flags (#447), and an improved --no-log flag (#448), all by @hahwul. MORE

  3. Google has started monetizing Google Maps, requiring users to unlearn the habit of tapping the first location for route suggestions. This change raises concerns about whether it truly benefits users when the suggested location differs from their search. MORE

This seems highly concerning from a user experience perspective and general usefulness.

  4. 404 Media is partnering with WIRED to co-publish two of its articles per month on WIRED's website, allowing 404 Media to reach a wider audience. MORE

💼 Work

🚀 Productivity

  1. Harper is an English grammar checker created after experiencing the flaws of existing options. It aims to provide accurate and contextual suggestions, unlike the expensive and intrusive Grammarly. MORE

  2. Ben Holmes has been using Safari full-time for a week and has no plans to switch back, sharing his experience in a thread. MORE

I still have to move away from Chrome...but dreading it.

  3. How to use the Obsidian Zettelkasten method to study AI and tech topics. MORE

  4. Neuroscientist TJ Power on the four most important brain chemicals, dopamine, oxytocin, serotonin, and endorphins, and how five simple habits can make you feel incredible. MORE

🌎 Community

🎉 Celebrate

  1. Alex Chapman met his 2024 stretch bug bounty target. LFG! MORE

  2. Godiego received a substantial $31,337 bounty from Google for a submission on their vulnerability reward program. Woot! MORE

⚑️ Timeline

  1. Mason diligently maintains his health journey, rising early each morning to put in the necessary work. MORE

  2. Graham on the acquisition of CompTIA and Offsec by private equity firms, suggesting trouble ahead for the security industry, with expectations of higher prices and lower-quality certifications. MORE

  3. Andrew Pratt, a former Electronic Warfare Specialist in the military, has found his calling as a hacker after transitioning to a career as a tattoo artist. MORE

💛 Follow
Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. @ajxchapman | Alex Chapman | Vulnerability Researcher | Bug Bounty Hunter.

  2. @nathanbarry | Nathan Barry | Founder & CEO at @ConvertKit — the leading Creator Marketing Platform.

  3. @climagic | Command Line Magic | Cool Unix/Linux Command Line tricks you can use in $TWITTER_CHAR_LIMIT characters or less.

  4. @kazan71p | kazan71p.

  5. @Infosec_Taylor | Ashley - Serious Security Scientist.

πŸ„ Level up

📰 Read

  1. Bypassing CSP via URL Parser Confusions: XSS on Netlify’s Image CDN. MORE

  2. A New Era of macOS Sandbox Escapes: Diving into an Overlooked Attack Surface and Uncovering 10+ New Vulnerabilities. MORE

  3. Here are the 22 events that led to Elon swinging the election. MORE

  4. Everything you should know about running local LLMs. MORE

  5. New research reveals how attackers can exploit Kubernetes privileges to gain unauthorized cluster access. MORE

💡 Tips

  1. Bug hunters should include the raw request for the vulnerable endpoint in their submissions, as this makes it easier for triagers to reproduce the findings and avoids delays due to missing information, thus ensuring a smoother triage process. MORE

  2. TIL one can grep through Burp files to a large extent. MORE

  3. Tips for when you are buying your first home. I thought this one was brilliant: to research neighborhoods at various times of the day. MORE

🧠 Wisdom

  1. The Vercel founder encourages trying every new technology immediately, not to adopt or love them all, but to maintain an accurate mental model of the world, as an inaccurate one can be very damaging. MORE

  2. SearchBound patiently pursued the domain "RanchingJobs.com", which had a minimum bid of $25k. Despite the high price, they eventually bought it for less than $1k. MORE

  3. For Pieter, investing in Vanguard S&P 500 ETFs proved even more lucrative than running his successful indie businesses this past year. MORE

  4. Solomon's Paradox explains why people often struggle to follow their own advice, even when they are skilled at providing useful counsel to others. MORE

  5. Choosing one's motivations carefully is crucial, as relying on fear or anxiety can become a crutch that hinders growth and productivity. MORE

📚 Resources

  1. This repository compiles OSINT (Open Source Intelligence) resources organized by country. MORE

  2. Unicode characters that will translate a single character to multiple characters in domain names or TLDs. MORE

  3. Solutions and writeups for the Flare-On reverse engineering challenge. MORE

  4. Crafted Git repositories can cause the jj software to write files outside the clone, a vulnerability that has been fixed. MORE

  5. NotebookLM curated resources on the technology, prompts, tips & tricks, and more. MORE

🛠 Explore

Get $200 to try DigitalOcean — the go-to for all my recon, automation, and VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

🧰 Tools

  1. Posting is a terminal-based tool that provides Postman-like functionality for making API requests, testing endpoints, and debugging applications, aimed at those who prefer a keyboard-driven interface. MORE

  2. CloudShovel is a tool that automates the process of searching for sensitive information within Amazon Machine Images (AMIs) by launching instances, mounting volumes, and scanning for potential secrets or sensitive data. MORE

  3. Trippy combines the functionality of traceroute and ping and is designed to assist with the analysis of networking issues. MORE

  4. Halberd (VectraAI) is a powerful, multi-cloud security testing tool. MORE

  5. LLM Scraper is a TypeScript library that allows you to extract structured data from any webpage using LLMs. MORE

🎥 Watch

  1. The video details the ingenious engineering behind the aluminum beverage can, explaining its cylindrical shape, manufacturing process, tapered design, and complex lid attachment. MORE

  2. This week's episode of DAY[0] discusses how large language models can be used with static analysis, a GitHub post on attacking browser extensions, and a CyberPanel pre-auth remote code execution vulnerability. MORE

  3. Tib3rius explains how symlinks, a Unix-like feature, can lead to unintended privilege escalations in Capture the Flag (CTF) challenges, and how creators can better protect their boxes from such "symlink cheese". MORE

  4. Ninad Mishra, a cybersecurity professional and bug hunter, guides viewers through advanced game hacking techniques to complete a quest in Pwn Adventure 3. MORE

  5. Eric Simons, the CEO of StackBlitz, provides a Bolt tutorial for beginners, demonstrating how to use Bolt to build and deploy apps without needing to know how to code. MORE

🎡 Listen

  1. This episode recounts the first ransomware attack, tracing it back to a mysterious floppy disk that launched the age of cybercrime and forever shaped cybersecurity. MORE

  2. Aaron Swartz Day 2024 (Episode 7): Insights from various speakers on topics such as information activism, government surveillance, power dynamics in the country, and Aaron Swartz's involvement in activism and legal issues. MORE

  3. Chris Rock is known for being a security researcher. But he’s also a black hat incident responder. He tells us about a job he did in the Middle East. MORE

  4. "I failed 22 times... then I built a $2.5B Company" — Christina Cacioppo from Vanta. MORE

  5. This episode of "Conversations on Quality" features Ethan Eismann, SVP of Design at Slack, discussing how craft and quality impact products for work. MORE

🌐 Technology

  1. 100 visualizations from a single dataset, showcasing creative and analytical skills in data visualization. MORE

  2. ChainForge is an open-source visual programming environment for prompt engineering. With ChainForge, you can evaluate the robustness of prompts and text generation models in a way that goes beyond anecdotal evidence. MORE

  3. Lottie (Airbnb) allows you to render After Effects animations natively on Web, Android and iOS, and React Native. MORE

  4. From prediction markets to info finance, covering how info finance solves people's trust problems, scalable blockchains as the substrate, and AIs as participants. MORE

  5. Becca (Ex-The Verge) shares the various tools and devices she uses daily, using a realistic spending budget. MORE

👀 Interesting

  1. The 'A Child's Guide To Hospital' playlist offers helpful videos explaining the hospital experience to children, intending to reduce anxiety and make the process more comfortable. MORE

  2. These cushioned running socks are designed for long-distance use, with a quarter-length cut and anti-blister features to keep feet comfortable and protected. MORE

  3. The Simpsons Hit & Run, a beloved 2003 video game, has inspired speedrunners to set impressive world records, showcasing their mastery of the game's mechanics and levels. MORE

  4. People share the weirdest thing they found in the woods while out in the middle of nowhere. MORE

💭 Quote

❝

"Worry does not empty tomorrow of its sorrow, it empties today of its strength."

Corrie ten Boom

📈 Learned something?


Share Hive Five →

Share this newsletter with your friends and colleagues.

1 REFERRAL = 20% OFF EVERYTHING IN THE STORE

Until next week, take care of yourself and each other,

Bee 🐝

This newsletter may contain affiliate links that support its costs. These links lead to tools, courses, and resources that I've personally found helpful.