
🐝 Hive Five 199 - Security Footguns

Most Used Open-Source Repos, Ghost Engineers, Breaking the Most Popular WAFs, Black Friday 2024 Deals, Vim while Cycling, and more...

Hi friends,

Greetings from the hive!

We've had a week...I hope you and yours are doing awesome.

AirBnB is truly a crapshoot. This time I'm coming to you live from a hotel after a disrupted stay.

Let's take this week by swarm!

🐝 The Bee's Knees

  1. Sketchy Cheat Sheet: Story of a Cloud Architecture Diagramming Tool gone wrong. Showcasing that following intuition and curiosity can prove to be extremely valuable. MORE

  2. Breaking the most popular Web Application Firewalls in the market. A walk-through of bypassing the SQL injection and cross-site scripting rules of several of the most widely deployed Web Application Firewalls. MORE

  3. Researchers discovered two non-production AWS endpoints that expose additional attack surface. MORE

  4. The Transit app can now locate underground trains without GPS by using offline motion detection to show users' locations between stations and alert them when their stop is coming up. MORE

  5. Spelunking in Comments and Documentation for Security Footguns. MORE

Brought to you by →

Hive Store: For Hackers Who Get It

Wear the gear the community is whispering about.

Our merch isn't just clothing - it's a statement piece to show the world that you hack a life you love.

Think witty AI jokes that'll make engineers buy you drinks. Privacy puns so sharp, the EFF would high-five you.

Join the cross-pollinators already flexing these conversation-starting pieces.

Upgrade Yourself (🚨 Black Friday Deal 40% OFF) →

You're getting the free version. Members get more, including exclusive & bonus content, access to an online community of smart and driven people, the complete Hive Archive, deep discounts, and so much more. See what you're missing.

📰 Updates

πŸ“…οΈ News

  1. Black Friday 2024

    1. Black Friday 2024 data set, with details about various product sales and promotional offers. MORE

    2. The Ken's 2024 Gifting Guide. The publication has been delivering sharp, original, insightful, analytical journalism about business and start-ups across India since 2016. MORE

    3. The Rambull Gift Guide presents a curated selection of holiday gifts for 2024, featuring products from various categories. MORE

  2. The US government aims to break up Google's search engine monopoly by forcing it to sell its Chrome browser, with potentially profound implications for the future of big tech. MORE

  3. Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency, will depart the government agency after more than three years at the helm. MORE

  4. Research at Stanford uncovers that ~9.5% of software engineers are "Ghost Engineers" who contribute virtually nothing (0.1x-ers). The data spans over 50,000 engineers from hundreds of companies. MORE

  5. Claude.ai now allows users to integrate Google Docs into their chats and projects. Pro, Teams, and Enterprise users can paste links or select recent documents to add them seamlessly. MORE

🍯 My work

✅ Changelog

  1. SecLists received its fourth (and final) release of 2024. MORE

  2. De-cluttering URLs is the focus of version 2.2 of the 'urless' project. MORE

  3. DOMPurify v3.2.1 is a fast, tolerant, and highly configurable XSS sanitizer for HTML, MathML, and SVG, offering a secure default with numerous hooks for customization. MORE

  4. The new release of xnldorker, version 1.3, gathers results from dorks across various search engines, enabling users to enhance their reconnaissance efforts. MORE

  5. Lazydocker, a tool for managing Docker with ease, has released version 0.24.1. MORE

💼 Work

💰 Career

  1. Jasmine Star, a Hampton member, dropped out of law school to become a photographer despite not owning a camera. She then built a multimillion-dollar SaaS business. MORE

  2. How Ali Built a New $1m Productivity related product in 12 Months. MORE

  3. How to Start a Startup according to Paul Graham. You need three things to create a successful startup: to start with good people, to make something customers actually want, and to spend as little money as possible. MORE

"If you want to do it, do it. Starting a startup is not the great mystery it seems from outside. It's not something you have to know about "business" to do. Build something users love, and spend less than you make. How hard is that?"

  4. How to operate as an indie hacker: cherry-pick what works for you, be a generalist, and more. MORE

🚀 Productivity

  1. Obsidian Templater templates for converting and processing text selections. MORE

  2. Terminal-based pomodoro timer with task tracking, inspired by the commercial Pomotodo service. MORE

  3. The video demonstrates how Garrett Brown Designs, a woodshop, utilizes Basecamp to manage its operations simply and effectively. The approach emphasizes keeping things uncomplicated. MORE

  4. Marie Poulin, a Notion expert, will share her approach to using Notion as a tool for curiosity and personal development, offering a glimpse into her digital workspaces and showcasing how she harnesses Notion to explore ideas, track patterns, and fuel her creative process. MORE

🌎 Community

🎉 Celebrate

  1. Jordyn Jones, my ex-colleague at Bugcrowd, completed an Iron Man. LFG! MORE

  2. The reason why Katie makes content. MORE

🫀 Pulse

  1. People share their top 5 programmers of all time including Fabrice Bellard, John Carmack, John McCarthy, Linus, and Dennis Ritchie. MORE

  2. Jane Wong wasn't happy with her way of living before, so she's changing her lifestyle, social circles, exercising, etc. MORE

  3. Nautilus offers a three-month gap program in San Francisco, where participants get paid to pursue their most ambitious projects, no strings attached. MORE

💛 Follow
Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. @Jamuse | Josh Amishav-Zlatin | I write about data breach monitoring for enterprise security teams | Indexed ~30 billion passwords | Former pen tester turned OSINT collector.

  2. @holme_sec | Holme | Love to learn.

  3. @alicanact60 | Ali Tütüncü | Security Researcher.

  4. @angealbertini | Ange | Corkami, CPS2Shock, PoC||GTFO, Sha1tered. Security engineer @ Google. He/him.

  5. @rosiesherry | Rosie Sherry | Building a portfolio of communities.

πŸ„ Level up

📰 Read

  1. Ancient Monkey: Pwning a 17-Year-Old Version of SpiderMonkey. MORE

  2. From an Android Hook to RCE: $5000 Bounty. How Voorivex reverse-engineered a famous Android application called MyIrancell. MORE

  3. Arc Browser UXSS, Local File Read, Arbitrary File Creation and Path Traversal to RCE. MORE

  4. Over-engineering backups using Restic. MORE

Restic is a modern backup program that can back up your files:

  • from Linux, BSD, Mac and Windows
  • to many different storage types, including self-hosted and online services
  • easily, being a single executable that you can run without a server or complex setup
  • effectively, only transferring the parts that actually changed in the files you back up
  • securely, by careful use of cryptography in every part of the process
  • verifiably, enabling you to make sure that your files can be restored when needed
  • freely - restic is entirely free to use and completely open source

  5. How some of the world's most brilliant computer scientists got password policies so wrong. MORE

💡 Tips

  1. Did you know you can work at a desk, using vim, while cycling? MORE

  2. Favourite or most under-utilized dev tools tips by the community. MORE

  3. A domain with an IIS welcome screen and no online presence is discovered. ZwinK tells you what to do next. MORE

  4. Easiest way to find the manifest.json file of a Chrome extension: grab the extension ID from chrome://extensions, then go to chrome-extension://ID/manifest.json
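As an added example (not code from the newsletter, from Chrome, or from any extension), the snippet below turns that tip into a small triage helper: it builds the manifest URL only after checking the ID has the shape Chrome uses (32 characters in the range a-p), and summarises the permission surface of a manifest once you have fetched it. The manifest it runs on is constructed for illustration; the list of "sensitive" permissions is this example's own reviewer shortlist, not an official Chrome classification.

```javascript
// Added example, not from the newsletter: build the manifest URL for a
// Chrome extension ID and triage what the fetched manifest asks for.
// SAMPLE_MANIFEST is constructed for illustration, not from a real extension.

// Chrome extension IDs are 32 characters in the range a-p: the first
// 16 bytes of the SHA-256 of the extension's public key, hex-encoded with
// a-p in place of 0-9a-f.
const EXTENSION_ID_RE = /^[a-p]{32}$/;

// Returns the chrome-extension:// URL of the manifest for a given ID,
// rejecting anything that cannot be a valid extension ID.
function manifestUrl(extensionId) {
  if (!EXTENSION_ID_RE.test(extensionId)) {
    throw new Error(`not a valid Chrome extension ID: ${extensionId}`);
  }
  return `chrome-extension://${extensionId}/manifest.json`;
}

// API permissions that deserve a closer look when reviewing an extension
// (this example's own shortlist, not an official classification).
const SENSITIVE_PERMISSIONS = new Set([
  "cookies", "debugger", "history", "nativeMessaging", "proxy",
  "scripting", "tabs", "webRequest", "webRequestBlocking",
]);

// A host pattern is "broad" if it matches every origin, or every host of a scheme.
function isBroadHostPattern(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(pattern);
}

// Summarises the permission surface of a manifest given as JSON text.
function triageManifest(manifestJson) {
  const m = JSON.parse(manifestJson);
  // Manifest V2 lists host patterns under "permissions"; V3 moves them to
  // "host_permissions", so read both.
  const perms = [...(m.permissions || []), ...(m.host_permissions || [])];
  const contentScriptMatches = (m.content_scripts || []).flatMap((cs) => cs.matches || []);
  return {
    name: m.name,
    manifestVersion: m.manifest_version,
    sensitive: perms.filter((p) => SENSITIVE_PERMISSIONS.has(p)).sort(),
    // Deduplicated; host permissions first, then content-script match patterns.
    broadHosts: [...new Set([...perms, ...contentScriptMatches].filter(isBroadHostPattern))],
    hasCsp: Boolean(m.content_security_policy),
  };
}

// Constructed sample manifest for the demonstration.
const SAMPLE_MANIFEST = JSON.stringify({
  manifest_version: 3,
  name: "Example Helper",
  version: "1.0",
  permissions: ["storage", "tabs", "scripting"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["https://*/*"], js: ["content.js"] }],
});

console.log(manifestUrl("abcdefghijklmnopabcdefghijklmnop"));
console.log(triageManifest(SAMPLE_MANIFEST));
```

Open the URL that manifestUrl returns in the browser, copy the JSON it serves into triageManifest, and start the review from the broad host patterns and sensitive permissions it reports: an extension that combines scripting with <all_urls> can inject code into every page you visit, which is the case that warrants reading the rest of the package.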

🧠 Wisdom

  1. If you want to make something, go make it. Wanting to do it is reason enough. MORE

  2. Elite colleges were meant to create equal opportunities for smart students, but instead they've made a system where mostly rich kids get ahead through test scores and grades. MORE

  3. Nabeel S. Qureshi, a startup founder, shares hard-discovered principles, such as "Once you are ok with people telling you 'no', you can ask for whatever you want. (Make reality say no to you.)" MORE

  4. Checklists are a powerful tool allowing us to unload cognitive stress, from surgical safety to event production. MORE

  5. The essence is the daily choice: engage in busy work, procrastinate, or create value for others, even if the intended recipient does not pay; someone else will. MORE

📚 Resources

  1. Tomnomnom, prolific infosec tool creator and teacher, collected his wealth of talks and interviews that offer insights on various topics. MORE

  2. Most used Open Source you didn't know about. Search through the top 1000 repos. MORE

  3. How CodeQL, a code analysis tool, can be used to find bugs in the Chrome browser. It showcases the effectiveness of CodeQL in uncovering vulnerabilities and improving the security of Chrome. MORE

  4. List of tech-related Bluesky starter packs. MORE

  5. Importing a frontend Javascript library without a build system. MORE

🛠 Explore

Get $200 to try DigitalOcean, the go-to for all my recon, automation, and VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

🧰 Tools

  1. Deck.blue offers a multi-column (Tweetdeck) layout to enhance your experience on Bluesky. MORE

  2. Fedica, formerly Tweepsmap, offers social media analytics and publishing tools to predict impact, prove campaign results, and make smarter decisions. MORE

  3. Juumla is a Python tool that identifies the Joomla version, scans for vulnerabilities, and locates sensitive files. MORE

  4. Garak, a tool developed by NVIDIA, probes large language models for weaknesses such as hallucination, data leakage, prompt injection, and toxic output generation, much like the network scanner nmap for computer systems. MORE

  5. Embed a payload inside a PNG file. MORE

🎥 Watch

  1. A conversation with vintage watch collector and dealer Adam Victor. He's the quintessential vintage hunter in a way that you don't see much of anymore. MORE

  2. Nahamsec, a renowned bug bounty hunter, shares five valuable lessons that have helped him earn over $1 million since 2022. MORE

  3. Becca shares an ethics statement about sponsorships, brand deals, trips, speaking engagements, and gifts, hoping to create a solid foundation for an honest conversation on these topics. MORE

  4. A tutorial on designing a landing page in Figma, discussing best practices and techniques for creating efficient components and adding content and typography. MORE

  5. This case study examines techniques for privilege escalation in bug bounty programs. It delves into the details of a full privilege escalation exploit. MORE

🎡 Listen

  1. In this episode, Sharon Brizinov recounts his journey from iOS development to leading a research team at Claroty, touching on the differences between HackerOne and Pwn2Own, and delving into the intricacies of IoT security. MORE

  2. 3 Stories Of People Making Millions In Weird Ways: the Polymarket whale who made millions off the election, Ozempic for sleep, and Martha Stewart. MORE

🌐 Technology

  1. A compact AI cluster built with M4 Mac Minis, Thunderbolt 5 interconnect, and LLMs like Nemotron 70B and Llama 405B, achieving impressive performance benchmarks. MORE

  2. Perplexica is an AI-powered search engine. It is an Open source alternative to Perplexity AI. MORE

  3. WikiChat is an improved RAG. It stops the hallucination of large language models by retrieving data from a corpus. MORE

  4. The desire to own a digital identity and host it oneself has long been a recurring theme among tech enthusiasts. However, this "decentralization dream" is more of a patch than a true solution. MORE

  5. Rexan gave a demo to a high school computer science class on building websites with CursorAI, showcasing how the way and speed of coding is set to change. MORE

👀 Interesting

  1. 50 Watts is a blog featuring science fiction illustrations from Japan, including works by Naoyuki Katoh, Kozo Yokoi, and books published by Watts Books, a Japanese bookstore. MORE

  2. The Harvard debate guy has won 2 world debating championships with his unique RISA framework, which helps people find a better way to disagree. This framework consists of 6 key strategies to win any argument without saying much. MORE

  3. Fanta, the orange soft drink, was created in Nazi Germany during World War II by the German Coca-Cola bottling company due to the lack of shipping between Germany and the United States. MORE

  4. Sara Sigmundsdottir, a professional CrossFit athlete, shares an authentic glimpse into her life, sharing the good, the bad, the ugly, and the beautiful. MORE

  5. The Last Player on a Dead Server – And Why a Streamer Bought Him a PC. MORE

💭 Quote

❝

"Make the work with great care and precision, but do not ever let it become too precious."

Stephen Tomasko

📈 Learned something?


Share Hive Five →

Share this newsletter with your friends and colleagues.

1 REFERRAL = 20% OFF EVERYTHING IN THE STORE

Until next week, take care of yourself and each other,

Bee 🐝

This newsletter may contain affiliate links that support its costs. These links lead to tools, courses, and resources that I've personally found helpful.