
๐Ÿ Hive Five 198 - Do Hard Things

Fresh from the Colorado mountains 🏔️ From a LAN-party-optimized house to AI-driven data patterns, PHP security hardening & bug bounty success stories. Plus NeovimConf returns & Anthropic is hiring!

Hi friends,

Greetings from the hive!

I hope you're doing well. I'm still enjoying Colorado with the fam.

We've been doing a lot of hiking. Just look at this majestic scenery.

Let's take this week by swarm!

๐Ÿ The Bee's Knees

  1. The home of Kenton and Jade isn't your typical house: they built it for LAN parties, and they detail how they did it. MORE

  2. Predictable Patterns & PII Leakages: using AI to mass-leak data. LLMs don't replace human intuition and experience, but they can quickly identify patterns in large datasets, generate comprehensive test cases, suggest implementation patterns, and accelerate hypothesis testing. MORE

"When stuck, verbalize your assumptions. Sometimes just explaining the problem to someone else reveals the solution."

  3. The power of automation and collaboration in bug bounty. Tess's career in bug bounty began while working at a phone repair store, sparking a deep fascination with breaking and tinkering that led him to the world of security research and automation. MORE

  4. Do hard things. Casey Neistat on the importance of choosing to tackle difficult challenges in life, even when they are not enjoyable, as they can lead to positive outcomes such as personal growth, improved health, and achieving specific goals. MORE

  5. Upcoming hardening in PHP: Arnaud Le Blanc and Julien Voisin have taken on improving PHP's security. MORE

"I find it fascinating that people are putting so much effort into optimizing exploitation techniques, yet ~nobody bothers fixing them, even if it only takes a couple of lines of code and 20 minutes."

Brought to you by →

Hive Store

Hacking life, code, and culture - tech streetwear & merch for rebels making tech human again. Shop hats, tees & mugs with messages about AI, privacy & digital rights. Making the web ours again.

Upgrade Yourself →

You're getting the free version. Members get more, including exclusive & bonus content, access to an online community of smart and driven people, the complete Hive Archive, deep discounts, and so much more. See what you're missing.

Table of Contents

📰 Updates

🍯 My work

  1. I redid my About page. I'm not 100% pleased with it yet, but we're getting there. MORE

  2. I created a new social media image to share quotes from the newsletter:

📰 News

  1. NeovimConf, your favorite editor's conference, returns on November 19th, 2024. MORE

  2. Hakluke offers to revamp and manage three cybersecurity companies' online social media accounts for a month, free of charge, with no strings attached. MORE

✅ Changelog

  1. DOMPurify 3.2.0 Added type declarations, thanks @reduckted , @philmayfield, @aloisklink, @ssi02014 and others + Fixed a minor issue with the handling of hooks, thanks @kevin-mizu. MORE

💼 Work

💰 Career

  1. Anthropic is hiring a Brand Communications Manager. In this role, you'll help ensure Claude, and by extension Anthropic, continues to show up in ways that are both technically sophisticated and culturally resonant. MORE

  2. A new initiative to find open source projects in need of help, including project details, tech stacks, and contribution areas. MORE

  3. How to ship projects at big tech companies. Shipping successfully is about building leadership trust and anticipating problems, not just writing code. Stay flexible near launch, plan for the worst, and ship with courage. MORE

🚀 Productivity

  1. Effortlessly convert Spotify links to your preferred streaming service. MORE

  2. Cal Newport's "Deep Work" examines the importance of focused, distraction-free work in an age of constant connectivity. Enrico provides strategies for increasing one's capacity for deep work and quantifying its impact. MORE

  3. Linear engineers Michael Hadley and Kristin Boyer share best practices, workflows, and tips for improving engineering efficiency and streamlining the development process. MORE

  4. The Morgen app for Obsidian is the best AI planner, offering powerful features to streamline your workflow. MORE

  5. How to find (and use) your superpowers: Define your best version, use your ace cards, and follow your success system. Show up and be more you. MORE

🌎 Community

🎉 Celebrate

  1. Team "DoS and Dont's" (@sw33tLie, @godiego_, and @bsysop) won @Bugcrowd's Carnival of ChAIos competition. Congrats! MORE

  2. @endingwithali celebrated her one-year anniversary of hosting ThreatWire. Woot! MORE

  3. @cybersecmeg celebrated her one-year anniversary working at CrowdStrike and shares some advice. Let's go! MORE

  4. Eugene Lim aka @spaceraccoonsec is publishing a book: From Day Zero to Zero Day. So cool! MORE

โšก๏ธ Timeline

  1. Doomerhunter and Geluchat share their LHE experience, making $200K in 2 weeks. MORE

  2. Free digital security checkups for people/organizations concerned about the incoming US government. MORE

"Like many, I'm dismayed and truly scared for what's going to happen to the United States as we usher a dictator into office."

  3. Over the last week, more than a million people have joined Bluesky and, more importantly, people who already had accounts there started actively using it again, to the point where it felt like the most energetic move away from Twitter since Elon Musk took over. MORE

💛 Follow
Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. @rohk_infosec | Kevin | Staff application security engineer at @Okta.

  2. @liran_tal | Liran Tal | 2022 GitHub Star | 2022 OpenJS Pathfinder award for Security.

  3. @nullenc0de | Paul Seekamp | I spend a significant amount of time reading security stuff.

  4. @BenWilsonTweets | Ben Wilson | Creator and host of @HTTOTW.

  5. @santi_lopezz99 | Santiago Lopez | #1 Million Dollar hacker on @Hacker0x01.

๐Ÿ„ Level up

๐Ÿ“ฐ Read

  1. Release-Drafter to google/accompanist compromise. This scenario shows why third-party GitHub Actions should be pinned to a full commit SHA instead of a mutable tag or branch that the action's maintainer (or an attacker with their credentials) can re-point. MORE

  2. Rapid7 analysis of Fortinet's published advisory for CVE-2024-47575, a missing authentication vulnerability affecting FortiManager and FortiManager Cloud devices. MORE

  3. CVE-2024-50340: Remote Access to Symfony Profiler via Injected Arguments. MORE

  4. Michael Zhmailo, a penetration testing expert, discusses his team's frequent encounters with Internet Information Services (IIS) and shares insights on leaving backdoors in it. MORE

  5. Reproducing CVE-2024-10979: A Step-by-Step Guide. MORE
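The Release-Drafter item above comes down to one rule: a `uses:` reference like `owner/repo@v4` can be silently re-pointed, a 40-character commit SHA cannot. The following checker is an added example, not code from the linked write-up or this newsletter; it scans a workflow for `uses:` values still pinned to a tag, branch, or image tag. It assumes the standard `owner/repo[/path]@ref` and `docker://image` syntaxes, and the workflow text and the SHA inside it are constructed placeholders.

```python
"""Added example: flag GitHub Actions `uses:` references not pinned to a commit SHA.

A tag such as @v4 or a branch name can be moved by whoever controls the
action's repository, which is how a compromised action reaches every workflow
that references it. A 40-hex commit SHA cannot be silently re-pointed.
"""
import re

# One `uses:` line, with or without a leading list dash or surrounding quotes.
# The capture stops at whitespace, quotes, or a trailing `# comment`.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_uses(ref: str) -> str:
    """Return 'local', 'sha' or 'mutable' for the value of one `uses:` key."""
    if ref.startswith('./'):
        return 'local'                      # same-repo action, no third-party trust boundary
    if ref.startswith('docker://'):
        # Container actions are pinned only when the image is referenced by digest.
        return 'sha' if '@sha256:' in ref else 'mutable'
    if '@' not in ref:
        return 'mutable'                    # no ref at all resolves to the default branch
    _, _, version = ref.rpartition('@')
    return 'sha' if SHA_RE.fullmatch(version) else 'mutable'


def find_unpinned(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, ref) for every third-party action not pinned to a SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match and classify_uses(match.group(1)) == 'mutable':
            findings.append((line_no, match.group(1)))
    return findings


# Constructed sample workflow. The SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.3
      - name: Draft release
        uses: release-drafter/release-drafter@v6
      - uses: ./.github/actions/local-build
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for line_no, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is not pinned to a commit SHA")
```

Run it against `.github/workflows/*.yml` in CI and fail the job on any finding. Keep the human-readable version as a trailing comment next to the SHA, as in the sample, so that dependency-update tooling and reviewers can still tell which release a pin corresponds to.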

💡 Tips

  1. Think Outside the Perimeter: Bug Hunting in Google Cloud's VPC Service Controls. MORE

"VPC-SC allows you to create isolation perimeters around your cloud environment and forms a shield around your most valuable cloud resources."

  2. ProjectDiscovery Tips and Tricks: tldfinder. MORE

  3. Practical tips for bike packing, based on a recent bicycle trip from NYC to Boston. MORE

🧠 Wisdom

  1. How to run without all the pesky agonizing pain. MORE

  2. Mike Tyson offers advice to Francis Ngannou. MORE

"When you are favored by God. You are also favored by the devil."

  3. Employee experience = Customer experience. At Stripe, any employee can easily file a bug or nit by emailing a screenshot or video, and an LLM creates a ticket and routes it to the proper team. This simple approach has led to a 6-fold increase in bugs filed, resulting in thousands of fixes this year. MORE

  4. The CEO of Anthropic and Sam Altman foresee artificial general intelligence (AGI) arriving within the next few years. Daniel encourages you to prepare by knowing your life mission, goals, and core sentence, and begin building your TELOS file. MORE

"Telos is an open-sourced framework for creating Deep Context about things that matter to humans."

  5. Jason Fried: "The amount of work you get done in a day means nothing. The kind of work you get done in a day means everything." MORE

📚 Resources

  1. A set of scripts to simplify the process of setting up and maintaining a Burp Collaborator Server in a Docker environment, using a LetsEncrypt wildcard certificate. MORE

  2. Anatomy of an LLM RCE. As large language models grow more capable, the risks of security vulnerabilities also escalate dramatically. MORE

  3. The ability of AI chatbots like Claude to visually process PDFs, including charts and diagrams, represents a significant breakthrough for researchers. This development unlocks new possibilities for data analysis and knowledge discovery across a wide range of fields. MORE

  4. #1 AI Red-Teaming and AI Safety: Learn AI Security from creator of HackAPrompt, the Largest AI Safety competition ever run (backed by OpenAI & ScaleAI). MORE

🛠 Explore

🧰 Tools

  1. A tool that streamlines video note-taking and bookmarking, allowing users to organize their thoughts, loop and highlight important sections, and effortlessly revisit and share their notes. MORE

  2. Reaper by Ghost Security is a modern, lightweight, and deadly effective open-source application security testing frameworkโ€”engineered by humans and primed for AI. MORE

  3. A CLI application that automatically prepares Android APK files for HTTPS inspection. MORE

  4. URLFinder is a high-speed, passive URL discovery tool designed to simplify and accelerate web asset discovery, ideal for penetration testers, security researchers, and developers looking to gather URLs without active scanning. MORE

  5. PoisonTap, a creation of Samy Kamkar, is a Raspberry Pi Zero and Node.js tool that siphons cookies, exposes internal routers, and installs web backdoors on locked computers. MORE

🎥 Watch

  1. The documentary "Before Macintosh: The Apple Lisa" offers a fascinating look at the computer that changed the way we use personal computers and started the modern personal computer revolution. MORE

  2. @0xtib3rius explains some "safe" OR-based SQL injections which can be used to exploit databases without risking false positives or damage to the data stored within. MORE

  3. @_ZwinK University v2: Hacking Tesla!? He covers: approaching a target after sub-domain recon, what to look for and why, and more. MORE

  4. I watched a crazy documentary over the weekend called Mister Organ. Journalist David Farrier (Tickled & Dark Tourist) is drawn into a game of cat and mouse with a mysterious individual. Delving deeper he unearths a trail of court cases, royal bloodlines and ruined lives, in this true story of psychological warfare. MORE

🎵 Listen

  1. The Man Who Went To War With Anonymous - And Lost. MORE

  2. Scott Hanselman and Mark Russinovich discuss the philosophies and quirks of programming languages, debating the merits of small languages like Erlang versus giants like JavaScript, and whether modern languages have improved upon their predecessors. MORE

  3. Find out how prompt engineering, a tool for non-technical experts to solve complex problems with AI, is evolving into something new and more powerful. MORE

  4. A conversation with Jason Haddix field CISO of Flare on how they detect stolen credentials on dark web forums and on founding Arcanum to provide red team training, particularly focused on AI-enabled offensive security. MORE

  5. Ali and Serena discuss tech-focused AITA (Am I The Asshole) stories from Reddit, offering their commentary and insights. MORE

Get $200 to try DigitalOcean, the go-to for all my recon, automation, and VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

๐ŸŒ Technology

  1. A simple CLI tool for deploying Docker containers to remote hosts via SSH without the need of a registry. MORE

  2. PGP, whether GnuPG or another OpenPGP implementation, is no longer recommended, as it has become problematic over the past five years. MORE

"Every time a cryptographer has talked about PGP, it's been to complain about how bad it is and opine that people shouldn't be using it."

  3. When Google first expanded Maps to India, many streets lacked names, rendering directions useless. UX researchers and designers set out to solve this problem, leveraging local knowledge to map the nameless streets. MORE

  4. How to add Supabase to your bolt.new app in 6 minutes. It covers setting up a Supabase project, user authentication, and storing and syncing data. MORE

  5. Anthropic has added a prompt improver to their console, allowing users to refine prompts and receive optimized versions. MORE

👀 Interesting

  1. Between 2009 and 2012, Apple's iPhones and iPod Touches included a 'Send to YouTube' feature that allowed users to directly upload videos from the Photos app, leading to many 'IMG_XXXX' videos on YouTube. MORE

  2. A large-scale analysis of 73,921 movies from the last 80 years on how often, when, and maybe even why title drops happen. MORE

"A title drop is when a character in a movie says the title of the movie they're in."

  3. Hand-picked selection of more than 900 public domain images from our collection, all carefully enhanced to make beautiful prints. MORE

💭 Quote

"One never notices what has been done; one can only see what remains to be done."

Marie Curie

📈 Learned something?


Share Hive Five →

Share this newsletter with your friends and colleagues.

1 REFERRAL = 20% OFF EVERYTHING IN THE STORE

Until next week, take care of yourself and each other,

Bee 🐝

This newsletter may contain affiliate links that support its costs. These links lead to tools, courses, and resources that I've personally found helpful.