
๐Ÿ Hive Five 202 - A Bias to Action

New terminal on the block: Ghostty, Neovim tutorial series, Docker fundamentals for hackers, and the Four Quarters productivity method. Recent buzz includes Meta's Llama 3.3 70B model launch and critical findings in Android security vulnerabilities.

Hi friends,

Greetings from the hive!

Crafting digital tools with thoughtful design and attention to detail creates a truly exceptional user experience.

The art of software development isn't just about functionality - it's about creating tools that users genuinely enjoy using every day.

In addition, they have to be customizable to every user's unique workflow. Some that come to mind are Obsidian, Neovim, Tmux, and soon Ghostty.

Each of these tools shares a common thread: they were created by developers who deeply understand their users' needs and workflows.

Let's take this week by swarm!

๐Ÿ The Bee's Knees

  1. Burp Suite extension Burpference allows you to capture in-scope HTTP requests and responses from Burp Suite's proxy history and ship them to a remote LLM API in JSON format. MORE

  2. Citrix Denial of Service: Analysis of CVE-2024-8534. Assetnote is back, this time to look at a patch for yet another memory safety vulnerability. MORE

  3. Documentary on Hackers Who Get Paid to Hack Companies. Cybernews interviewed Bryce (@YTCracker), Ben (@NahamSec), Sam Curry (@Zlz), Frederik (@STÖK), Neiko (@Specters), Vanya (@BusesCanFly), Phoenix (@LilRed), André (@0xacb). MORE

  4. As Facebook rapidly scaled to a billion users, the company struggled to maintain focus on Zuckerberg's original vision, leading to the codification of their story into a Little Red Book, which they distributed internally. MORE

  5. The WorstFit Attack is a vulnerability affecting Windows ANSI executables, exposing hidden transformers. This research provides a list of all executables vulnerable to the attack. MORE

Brought to you by →

Hive Store: For Hackers By Hackers

Support the Hive by becoming a swag wearing cross-pollinator

Hack a life you love in style. We've got shirts, hats, mugs, mouse pads, and more.

Think witty AI jokes that'll make ChatGPT chuckle. Privacy puns so sharp, the EFF would hive five you.

Join the cross-pollinators already flexing these custom swag items.

Upgrade Yourself →

You're getting the free version. Members get more — including exclusive & bonus content, access to an online community of smart and driven people, the complete Hive Archive, deep discounts, and so much more. See what you're missing.

📰 Updates

๐Ÿฏ My work

A sneak peek of something Iโ€™ve been working on called the โ€œExperience Engineerโ€. With 53% of customers never returning after one poor experience, the right support ecosystem matters.

I use my 20+ years of experience to help companies build the bridge they need. Providing the following services: Knowledge Architecture, Community-Powered Support, and Self-Service Intelligence.

✅ Changelog

  1. Ghostty 1.0, an open-source project under the MIT license, is set for public release in December after nearly two years of development and private beta testing. MORE

I've been following Ghostty terminal on and off for a while. To my surprise, it's going to be publicly released this month!

What I wanted to call out, besides the marvel of engineering, is the level of care and thoughtfulness that goes into it.

The creator, Mitchell, co-founded HashiCorp, and is also behind Vagrant, Packer, Consul, Terraform, Vault, Nomad, Waypoint, and more. Rwxrob and many others put him on their list of software engineers to follow.

  1. Meta's new Llama 3.3 70B is a genuinely GPT-4 class Large Language Model that can run on a laptop. MORE

  2. Yahoo laid off around a third of its cybersecurity team, known as The Paranoids, over the last year and outsourced the 'red team' function under a new CTO. MORE

An end of an era… I remember moderating Twitch for HackerOne's H1-2010, the World's Largest Live Hacking Event.

  1. A "Malcolm in the Middle" revival has been ordered at Disney+, with the original cast of Frankie Muniz, Bryan Cranston, and Jane Kaczmarek returning to the show. MORE

💼 Work

💰 Career

  1. Nintendo of America seeks a Security Engineer to bolster its cybersecurity posture and safeguard critical systems. MORE

  2. Show and tell of people making $500/month on side projects in 2024. MORE

  3. In 2008, Aaron Swartz wrote actionable advice on "How to Get a Job Like Mine?" MORE

  4. Nearly every organization that is designed to have an impact has a board of directors, whether that's a small non-profit, a giant corporation, or anything in between. Let's find out what they do. MORE

  5. Negotiating one's salary can yield significant gains, as demonstrated by Chloe's $50,000 increase. Here are her effective negotiation tactics. MORE

🚀 Productivity

  1. 6 habits to make 2025 your best year yet. MORE

"Habit: 1 - Ignoring The Concept of Annual Goals
Habit: 2 - The Weekly Review
Habit: 3 - The Morning Manifesto
Habit: 4 - Focus Logs
Habit: 5 - Standing Order Social Events
Habit: 6 - Multimodality Multitasking."

  1. The Four Quarters Method, outlined by Gretchen Rubin, offers a system to overcome procrastination and boost consistency, promising to skyrocket one's productivity. MORE

  2. This tutorial explores the fundamentals of Neovim's Buffers, Windows, and Tabs, crucial concepts for navigating and organizing the text editor's interface. MORE

Right on time, as I (regrettably) still don't know the difference between the three. I believe I'm using tabs in LazyVim. Mastering one's tools is something that'll pay off in the long run.

  1. A deep dive into the Morgen calendar for beginners, discussing its features and how it can be leveraged best. MORE

  2. Learn 80% of NotebookLM in under 13 minutes: how to leverage NotebookLM effectively for analyzing documents, PDFs, and video content across multiple formats. MORE

🌎 Community

🎉 Celebrate

  1. After 125 hours of rigorous testing over 56 days, Deev Pal received their first four-digit bounty from one of the largest public bug bounty programs. LFG! MORE

  2. A year of video editing has taken Jexx on a remarkable journey, and they plan to soon share a side-by-side comparison to showcase their progress. Awesome! MORE

  3. @JonathanBouman, a true friend, surprised @zseano with a custom-made kilt after Sean won a kilt and trophies at a recent HackerOne event but did not receive them. #goals MORE

  4. The @DarknetDiaries podcast episode on @RachelTobac was the most listened to in 2024, with a 570% increase in streams over the average episode. Congrats! MORE

  5. The NET GALA, a prominent event, will return in 2025. The organizers are seeking sponsors to make the event grander than the previous year. Exciting! MORE

💛 Follow
Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. @bencodezen | Ben Hong | @vuejs core team | senior staff dx engineer @netlify | @nuxt_js ambassador | @GoogleDevExpert.

  2. @simps0n | Renato Rodrigues.

  3. @theflofly | Florian Courtial | Full-time bug hunter.

  4. @JR0ch17 | Jasmin Landry.

  5. @IAmMandatory | RedTeam @Snapchat | Previously @Google, @Uber, @BishopFox. XSS Hunter author, DNS/TLD/web security researcher.

๐Ÿ„ Level up

๐Ÿ“ฐ Read

  1. This article disclosed 7 vulnerabilities, 2 of which pose a threat to Google Pixel devices, while the others pose a threat to all Android devices, regardless of vendor. MORE

  2. Following the recent Cleo in-the-wild (ITW) exploitation, @HuntressLabs has released their analysis of the full post-exploitation chain. MORE

  3. From Template to Threat: Exploiting Freemarker SSTI for Remote Code Execution. MORE

  4. This blog provides an in-depth analysis of the exploitation process for an unauthenticated XXE vulnerability in Ivanti Endpoint Manager, identified as CVE-2024-37397. MORE

  5. This post explores two vulnerabilities discovered in Shiny, the most popular web framework for the R programming language. MORE

💡 Tips

  1. After you find a WAF bypass (the origin IP in this case), go into Burp Network Connection "Hostname resolution overrides" and add the IP address so you can test as usual. MORE

  2. This one-liner command, augmented by AI, lists the processes listening on network ports, allowing one to identify any potentially orphaned servers running on the machine that could be shut down. MORE

  3. TIL about the Pugh Matrix, a tool for prioritizing tasks. MORE

🧠 Wisdom

  1. Carta's CEO memo, titled "A Bias to Action", addresses the challenge of keeping a growing (and in their case regulated) organization executing with the same relentless, risk-taking spirit of the early days. MORE

  2. Questions are like keys. They unlock doors. Here are several for: decision making, conversation, and business. MORE

  3. After serving 16 years in prison for armed robbery, Wallo, a gifted orator from Philadelphia, harnessed his storytelling abilities to build a multimillion-dollar business and amass a sizable fortune. MORE

  4. "A big cheat code to success is not accepting reality that is given to you. Not the limits, not the ideas of other people." MORE

  5. Be relentless: "Rivers don't cut through rock because they are powerful, they cut through rock because they are persistent." MORE

📚 Resources

  1. Security assessment of RubyGems.org, the essential package manager for Ruby applications with over 184 billion downloads. MORE

  2. A curated list of awesome projects, libraries, and tools powered by Frida. MORE

  3. The Public APIs repository is a curated collection of public APIs from various domains, maintained by the community, offering developers a trove of resources for building their own products. MORE

  4. A simple, free answer to "how do I get started with Rails 8" in the form of a brand-new official tutorial created by Chris Oliver. MORE

🛠 Explore

🧰 Tools

Get $200 to try DigitalOcean — the go-to for all my recon, automation, and VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

  1. Eightify offers an AI-powered service to summarize YouTube videos, saving time by quickly extracting key ideas. Users can either pay for the service or bring their own API key. MORE

My opinion on AI is that it's there to augment oneself. That's why I believe tools such as Eightify will become more and more embedded into our everyday tasks, WHILE we're doing them. Having to go to a separate service is too much friction.

  1. GetMarkdown allows users to convert any file to Markdown format directly within their browser, without sending data to a server. MORE

  2. ParamFinder is a beta tool for discovering hidden parameters straight from Caido. MORE

  3. scrapybara provides API-accessible computer environments purpose-built for AI agents. MORE

  4. SubDominator helps you discover subdomains associated with a target domain efficiently and with minimal impact for your Bug Bounty. MORE

🎥 Watch

  1. Master Docker in Less Than 10 Minutes: The Ultimate Guide for Hackers. MORE

  2. A bug was found in Discord that allowed for remote code execution by sending a message. An intro to V8 exploit development and bug hunting. MORE

  3. Ilya Sutskever, a prominent AI researcher, predicts the end of pre-training as we know it, and the emergence of superintelligent systems capable of agentic reasoning, comprehension, and self-awareness. MORE

🎵 Listen

  1. Shopify's Glen Coates discusses the importance of slowing down and improving software, even if it's not exciting, for the sake of reliability and functionality. MORE

  2. Craig Newmark, founder of the renowned classifieds website Craigslist, joins Theo Von to discuss the origins of his creation and his views on the internet and personal philosophy. MORE

  3. @rez0__ takes over the CTBB pod and discusses AI application vulnerabilities with Johann Rehberger, emphasizing the importance of understanding system prompts and safeguards. MORE

  4. Interstellar - S.T.A.Y. on a seamless one-hour loop for you to work to. MORE

๐ŸŒ Technology

  1. An interview with Annie, who's behind The Depths of Wikipedia account, where she shares fascinating factoids from the site's most obscure and intriguing pages. MORE

  2. Automate Creation of YouTube Shorts using MoviePy. MORE

  3. A collection of small apps that demonstrate how Gemini can be used to create interactive experiences. MORE

  4. "Rules" that terminal programs follow: 1) Your operating system's job, 2) Your shell's job, 3) Your terminal emulator's job, 4) The job of whatever program you happen to be running (like top or vim or cat). MORE

  5. Lumen is a command-line tool that leverages AI to generate commit messages, and summarize git diffs or past commits without requiring an API key. MORE

👀 Interesting

  1. For 27 years, the author took photographs while waving goodbye and driving away from visiting their parents in Sioux City, Iowa, never intending to create a series. It gradually turned into their goodbye ritual. MORE

  2. Beautiful website with interactive music theory lessons. Learn how to write your own melodies and progressions, and the fundamentals of making and understanding music. MORE

  3. Amelia has created an intriguing app that uses the Perplexity API to visually display related information in a captivating manner. MORE

  4. Discover history through OldMapsOnline, a platform that allows browsing historical places and searching for old maps with a timeline. MORE

  5. Ruby and Ruby on Rails power the software of prominent companies like Shopify, GitHub, Gitlab, and many others (that I wasn't aware of), showcasing its impressive range. MORE

💭 Quote

"Inspire yourself so you can inspire others. Life begins at the end of your comfort zone."

Swizz Beatz

📈 Learned something?

Upgrade Yourself →

You're getting the free version. Members get more — including exclusive & bonus content, access to an online community of smart and driven people, the complete Hive Archive, deep discounts, and so much more. See what you're missing.

Share Hive Five →

Share this newsletter with your friends and colleagues.

1 REFERRAL = 20% OFF EVERYTHING IN THE STORE

Until next week, take care of yourself and each other,

Bee 🐝

This newsletter may contain affiliate links that support its costs. These links lead to tools, courses, and resources that I've personally found helpful.