🐝 Hive Five 199 - Security Footguns

Hi friends,

Greetings from the hive!

We've had a week...I hope you and yours are doing awesome.

AirBnB is truly a crapshoot. This time I'm coming to you live from a hotel after a disrupted stay.

Let's take this week by swarm!

🐝 The Bee's Knees

1. Sketchy Cheat Sheet: Story of a Cloud Architecture Diagramming Tool gone wrong. Showcasing that following intuition and curiosity can prove to be extremely valuable. MORE

2. Breaking the most popular Web Application Firewalls in the market. This is a walk-through that shows how to bypass the SQL injection and cross-site scripting rules of the following Web Application Firewalls. MORE

3. Researchers discovered two Non-Production Endpoints as an Attack Surface in AWS. MORE

4. The Transit app can now locate underground trains without GPS by using offline motion detection to show users' locations between stations and alert them when their stop is coming up. MORE

5. Spelunking in Comments and Documentation for Security Footguns. MORE

📰 Updates

📅️ News

1. Black Friday 2024

   1. Black Friday 2024 data set, with details about various product sales and promotional offers. MORE

   2. The Ken's 2024 Gifting Guide. The publication has been delivering sharp, original, insightful, analytical journalism about business and start-ups across India since 2016. MORE

   3. The Rambull Gift Guide presents a curated selection of holiday gifts for 2024, featuring products from various categories. MORE

2. The US government aims to break up Google's search engine monopoly by forcing it to sell its Chrome browser, with potentially profound implications for the future of big tech. MORE

3. Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency, will depart the government agency after more than three years at the helm. MORE

4. Research at Stanford uncovers that ~9.5% of software engineers are "Ghost Engineers" who contribute virtually nothing (0.1x-ers). The data spans over 50,000 engineers from hundreds of companies. MORE

5. Claude.ai now allows users to integrate Google Docs into their chats and projects. Pro, Teams, and Enterprise users can paste links or select recent documents to add them seamlessly. MORE

🍯 My work

✅ Changelog

1. SecLists received its fourth (and final) release of 2024. MORE

2. De-cluttering URLs is the focus of version 2.2 of the 'urless' project. MORE

3. DOMPurify v.3.2.1 is a fast, tolerant, and highly configurable XSS sanitizer for HTML, MathML, and SVG, offering a secure default with numerous hooks for customization. MORE

4. The new release of xnldorker, version 1.3, gathers results from dorks across various search engines, enabling users to enhance their reconnaissance efforts. MORE

5. Lazydocker, a tool for managing Docker with ease, has released version 0.24.1. MORE

💼 Work

💰 Career

1. Jasmine Star, a Hampton member, dropped out of law school to become a photographer despite not owning a camera. She then built a multimillion-dollar SaaS business. MORE

2. How Ali Built a New $1m Productivity related product in 12 Months. MORE

3. How to Start a Startup according to Paul Graham. You need three things to create a successful startup: to start with good people, to make something customers actually want, and to spend as little money as possible. MORE

4. How to operate as an indie hacker: cherry-pick what works for you, be a generalist, and more. MORE

🚀 Productivity

1. Obsidian Templater templates for converting and processing text selections. MORE

2. Terminal-based pomodoro timer with task tracking, inspired by the commercial Pomotodo service. MORE

3. The video demonstrates how Garrett Brown Designs, a woodshop, utilizes Basecamp to manage its operations simply and effectively. The approach emphasizes keeping things uncomplicated. MORE

4. Marie Poulin, a Notion expert, will share her approach to using Notion as a tool for curiosity and personal development, offering a glimpse into her digital workspaces and showcasing how she harnesses Notion to explore ideas, track patterns, and fuel her creative process. MORE

🌎 Community

🎉 Celebrate

1. Jordyn Jones, my ex-colleague at Bugcrowd, completed an Iron Man. LFG! MORE

2. The reason why Katie makes content. MORE

🫀 Pulse

1. People share their top 5 programmers of all time including Fabrice Bellard, John Carmack, John McCarthy, Linus, and Dennis Ritchie. MORE

2. Jane Wong wasn't happy with her way of living before, so she's changing her lifestyle, social circles, exercising, etc. MORE

3. Nautilus offers a three-month gap program in San Francisco, where participants get paid to pursue their most ambitious projects, no strings attached. MORE

💛 Follow
Awesome accounts to follow. Randomly selected from my curated Twitter lists.

1. @Jamuse | Josh Amishav-Zlatin | I write about data breach monitoring for enterprise security teams | Indexed ~30 billion passwords | Former pen tester turned OSINT collector.

2. @holme_sec | Holme | Love to learn.

3. @alicanact60 | Ali Tütüncü | Security Researcher.

4. @angealbertini | Ange | Corkami, CPS2Shock, PoC||GTFO, Sha1tered. Security engineer @ Google. He/him.

5. @rosiesherry | Rosie Sherry | Building a portfolio of communities.

🍄 Level up

📰 Read

1. Ancient Monkey: Pwning a 17-Year-Old Version of SpiderMonkey. MORE

2. From an Android Hook to RCE: $5000 Bounty. How Voorivex reverse-engineered a famous Android application called MyIrancell. MORE

3. Arc Browser UXSS, Local File Read, Arbitrary File Creation and Path Traversal to RCE. MORE

4. Over-engineering backups using Restic. MORE

5. How some of the world's most brilliant computer scientists got password policies so wrong. MORE

💡 Tips

1. Did you know you can work at a desk, using vim, while cycling? MORE

2. Favourite or most under-utilized dev tools tips by the community. MORE

3. A domain with an IIS welcome screen and no online presence is discovered. ZwinK tells you what to do next. MORE

4. Easiest way to find the manifest.json file of a Chrome extension: grab the extension ID from chrome://extensions, then go to chrome-extension://ID/manifest.json

🧠 Wisdom

1. If you want to make something, go make it. Wanting to do it is reason enough. MORE

2. Elite colleges were meant to create equal opportunities for smart students, but instead they've made a system where mostly rich kids get ahead through test scores and grades. MORE

3. Nabeel S. Qureshi, a startup founder, shares hard-discovered principles, such as "Once you are ok with people telling you ‘no’, you can ask for whatever you want. (Make reality say no to you.)" MORE

4. Checklists are a powerful tool allowing us to unload cognitive stress, from surgical safety to event production. MORE

5. The essence is the daily choice: engage in busy work, procrastinate, or create value for others, even if the intended recipient does not pay—someone else will. MORE

📚 Resources

1. Tomnomnom, prolific infosec tool creator and teacher, collected his wealth of talks and interviews that offer insights on various topics. MORE

2. Most used Open Source you didn't know about. Search through the top 1000 repos. MORE

3. How CodeQL, a code analysis tool, can be used to find bugs in the Chrome browser. It showcases the effectiveness of CodeQL in uncovering vulnerabilities and improving the security of Chrome. MORE

4. List of tech-related Bluesky starter packs. MORE

5. Importing a frontend Javascript library without a build system. MORE

🛠 Explore

🧰 Tools

1. Deck.blue offers a multi-column (Tweetdeck) layout to enhance your experience on Bluesky. MORE

2. Fedica, formerly Tweepsmap, offers social media analytics and publishing tools to predict impact, prove campaign results, and make smarter decisions. MORE

3. Juumla is a Python tool that identifies the Joomla version, scans for vulnerabilities, and locates sensitive files. MORE

4. Garak, a tool developed by NVIDIA, probes large language models for weaknesses such as hallucination, data leakage, prompt injection, and toxic output generation, much like the network scanner nmap for computer systems. MORE

5. Embed a payload inside a PNG file. MORE

🎥 Watch

1. A conversation with vintage watch collector and dealer Adam Victor. He's the quintessential vintage hunter in a way that you don't see much of anymore. MORE

2. Nahamsec, a renowned bug bounty hunter, shares five valuable lessons that have helped him earn over $1 million since 2022. MORE

3. Becca shares an ethics statement about sponsorships, brand deals, trips, speaking engagements, and gifts, hoping to create a solid foundation for an honest conversation on these topics. MORE

4. A tutorial on designing a landing page in Figma, discussing best practices and techniques for creating efficient components and adding content and typography. MORE

5. This case study examines techniques for privilege escalation in bug bounty programs. It delves into the details of a full privilege escalation exploit. MORE

🎵 Listen

1. In this episode, Sharon Brizinov recounts his journey from iOS development to leading a research team at Claroty, touching on the differences between HackerOne and PwnOwn, and delving into the intricacies of IoT security. MORE

2. 3 Stories Of People Making Millions In Weird Ways: the Polymarket whale who made millions off the election, Ozempic for sleep, and Martha Stewart. MORE

🌐 Technology

1. A compact AI cluster built with M4 Mac Minis, Thunderbolt 5 interconnect, and LLMs like Nemotron 70B and Llama 405B, achieving impressive performance benchmarks. MORE

2. Perplexica is an AI-powered search engine. It is an Open source alternative to Perplexity AI. MORE

3. WikiChat is an improved RAG. It stops the hallucination of large language models by retrieving data from a corpus. MORE

4. The desire to own a digital identity and host it oneself has long been a recurring theme among tech enthusiasts. However, this "decentralization dream" is more of a patch than a true solution. MORE

5. Rexan gave a demo to a high school computer science class on building websites with CursorAI, showcasing how the way and speed of coding is set to change. MORE

👀 Interesting

1. 50 Watts is a blog featuring science fiction illustrations from Japan, including works by Naoyuki Katoh, Kozo Yokoi, and books published by Watts Books, a Japanese bookstore. MORE

2. The Harvard debate guy has won 2 world debating championships with his unique RISA framework, which helps people find a better way to disagree. This framework consists of 6 key strategies to win any argument without saying much. MORE

3. Fanta, the orange soft drink, was created in Nazi Germany during World War II by the German Coca-Cola bottling company due to the lack of shipping between Germany and the United States. MORE

4. Sara Sigmundsdottir, a professional CrossFit athlete, shares an authentic glimpse into her life, sharing the good, the bad, the ugly, and the beautiful. MORE

5. The Last Player on a Dead Server – And Why a Streamer Bought Him a PC. MORE

💭 Quote

📈 Learned something?

Until next week, take care of yourself and each other,

Bee 🐝

^{This newsletter may contain affiliate links that support its costs. These links lead to tools, courses, and resources that I've personally found helpful.}