
🐝 Hive Five 216 - The Hacker Always Wins

Online Fact-Checking Industry, Programming, AI, ADHD, Productivity, Addiction, and God.

Hi friends,

Greetings from the hive!

Habits are so good. They even compound! But, they can be hard to start and maintain.

I've successfully started new ones and then stacked on others. Atomic Habits is one of my favorite productivity books.

However, whenever I or one of my family members gets sick it's game over.

That's why I'm excited to implement Anne's Tiny Experiments from Hive Five #214. They are:

  • Action-Oriented: Define a specific behavior to test.

  • Time-Bound: Commit for a short, manageable period.

  • Learning-Focused: Prioritize insights over outcomes.

  • Data-Driven: Track your experiences and observations.

Let's take this week by swarm!

🐝 The Bee's Knees

  • Lex interviews ThePrimeagen: Programming, AI, ADHD, Productivity, Addiction, and God. MORE

  • How Tech Created the Online Fact-Checking Industry: Interviews with trust and safety workers at Meta, TikTok, Snapchat, Google, and other tech companies reveal a broken system that collapsed under the weight of its own contradictions. MORE

  • A vulnerability in Next.js middleware allows bypassing authorization and other security measures by manipulating the x-middleware-subrequest header. This can lead to unauthorized access, CSP bypass, and potential DoS attacks via cache poisoning. MORE

  • SAML roulette: the hacker always wins. This attack highlights how combining round-trip attacks with namespace confusion can lead to unauthenticated access to GitLab. The vulnerability stems from inconsistencies in how different XML parsers handle document validation, allowing an attacker to manipulate signature verification. MORE

  • CVE-2024-53991: Discourse Backup Disclosure: Rails send_file Quirk. Rails' send_file method, when used with specific Nginx setups, can expose restricted files. MORE


Brought to you by →

Hive Five Premium membership

Unlock exclusive benefits… and transform your skills, network, and results. Join our premium community for unparalleled access to resources, support, and exclusive content designed to help you achieve your goals faster.

What you’re missing:

  • Private Discord Community: Connect with like-minded individuals, share your journey, and receive support in our exclusive Discord server.

  • Complete Hive Archive: Access a vast library of resources, tools, videos, and audio – everything you need to succeed.

  • Bonus Content & Deep Discounts: Gain access to exclusive content designed to boost your effectiveness, plus significant discounts on paid resources.

  • Less Time, More Results: Spend less time searching and more time achieving your goals.

Join the premium members already experiencing the difference.

Interested in sponsoring the Hive Five? Secure your spot.

📰 Updates

✅ Changelog

  • The "think" tool: Enabling Claude to stop and think in complex tool use situations. A new tool that improves Claude's complex problem-solving performance. MORE

  • Claude can now search the web. This new feature allows Claude to access real-time info, cite sources, and provide up-to-date answers for tasks like sales, finance, research, and shopping. MORE

  • Waymore v6.1 is out. It grabs archived responses from URLScan & Wayback Machine, processing links and retrieving DOM from URLScan using unique IDs. Plus, it has bug fixes for date validation and URLScan link matching. MORE

  • xnLinkFinder v6.13 is out. Waymore mode now checks for waymore_index.txt (v6.0+) or index.txt (pre-v6.0), and shows depth parameter values with verbose logging. MORE

💼 Work

💰 Career

  • A guide to entering the DevOps field, emphasizing the importance of acquiring skills, understanding local job markets, and being willing to start at entry-level positions. MORE

  • Joe Helle, a cybersecurity professional with a diverse background including military service, political experience, and technical expertise, shares insights about transitioning into cybersecurity, the importance of soft skills, and the value of continuous learning and community involvement in the industry. MORE

  • Senior engineers in remote settings: liberally drop meet links and start quick calls, especially with junior team members. Encourage them to ask questions freely to build bonds and speed up their learning. MORE

  • Discussion between David and Gerald about cybersecurity career paths, with a particular focus on Governance, Risk, and Compliance (GRC). MORE

  • Assetnote (Searchlight Cyber) is seeking a Security Researcher to discover and maintain security vulnerabilities affecting customers. Grow your career while helping to reduce the impact of internet-based crime. MORE

🚀 Productivity

  • How to create a comprehensive AI prompt database in Notion, designed to help professionals systematically capture, organize, and utilize AI prompts across different areas of work and life. MORE

  • Feeling stuck? Dan Koe's article dives into overcoming "learned helplessness" and using strategic thinking to crush your goals. MORE

  • Unlock macOS secrets. Boost your efficiency with hidden shortcuts for file management, screenshots, window tricks, and more. MORE

  • Watch this if you never have enough time. Ali explores three main ideas: that we will never get on top of everything, we always have choices (with consequences), and problems are an inherent part of life that should be embraced rather than avoided. MORE

  • Andrej Karpathy shares his simple note-taking method: append everything to a single "notes" file and periodically review. This "append-and-review" system balances simplicity with capturing everyday ideas. MORE

🌎 Community

🎉 Celebrate

  • Google's Vulnerability Reward Program (VRP) paid out nearly $12 million to over 600 security researchers in 2024. They revamped rewards, increasing payouts to $250,000 for Chrome bugs and $300,000 for mobile vulnerabilities. MORE

⚑️ Timeline

  • Want to help make Bug Bounty Village at DEF CON 33 awesome? They're looking for volunteers for both on-site and remote roles to assist with the event. MORE

  • Jane brought her work setup to Hawaii. MORE

  • Octavian, the creator of Ax Framework, made $12,900 in his first month of bug hunting! He automated vulnerability discovery by focusing on new subdomains with minimal manual effort. MORE

  • Yassine on vibe coding: "Writing code at such a fast pace means less time for thorough peer reviews and security checks resulting in inconsistent code patterns and introducing hidden business/logical security flaws." MORE

πŸ„ Level up

📰 Read

  • Pwning Millions of Smart Weighing Machines with API and Hardware Hacking. MORE

  • Bypassing Authentication Like It’s The ‘90s - Pre-Auth RCE Chain(s) in Kentico Xperience CMS. MORE

  • Wazuh versions 4.4.0 to 4.9.0 have a critical vulnerability (CVE-2025-24016) where attackers can remotely run code via API access. Upgrade to 4.9.1 to patch this serious flaw. MORE

  • Researchers found weaknesses in Fedora and openSUSE's software supply chains that could let attackers compromise millions of devices. MORE

  • Hacking high-profile Bug Bounty targets: deep dive into a client-side chain. MORE

💡 Tips

  • Open-source maintainer insights on how to effectively understand and navigate unfamiliar programming projects by using strategic approaches to code exploration and comprehension. MORE

  • A framework for building an audience in 2025, built on the ACP (Audience, Community, Product) approach. It emphasizes starting with an audience first, developing a consistent content strategy, and treating content creation as a systematic process that can provide long-term benefits and opportunities. MORE

  • "Learn More" isn't a great call to action (CTA). Strong CTAs should match what the user wants, fit the brand, and clearly show the next step. MORE

  • Comprehensive guide to marketing strategies for startups and side projects, focusing on low-cost or free methods to attract customers and drive traffic. MORE

🧠 Wisdom

  • Mike Crittenden reflects on his core values, which now include health, belonging, and stability, a shift from previous values like growth and joy. He plans to integrate these values into his daily life through journaling and goal-setting. MORE

  • Brandon Novak, a professional skateboarder turned heroin addict, shares his powerful journey of addiction, hitting rock bottom, and ultimately finding recovery. MORE

  • Discover books recommended by Bill Gates, Obama, and more on UltimateBookList. See what influential figures are reading and find your next great read. MORE

  • Cognitive skills decline with age, but a new study shows that using your skills keeps them sharp. White-collar workers and the highly educated can maintain or even improve their abilities into their 40s and beyond. MORE

  • Karpathy on Digital hygiene. This guide gives you easy tips, like using strong passwords and blocking sneaky trackers, to protect your info and stay safe online. MORE

📚 Resources

  • Arcanum-Sec's arc_pi_taxonomy is a structured guide to prompt injection attacks, which helps security researchers and AI developers understand and defend against them. It breaks down attack intents, techniques, and evasions for better AI security. MORE

  • Provide your child with a safe AI environment by self-hosting OpenWebUI and using OpenRouter for an API key. Customize the AI with a system prompt that ensures child safety, like blocking inappropriate content, to create a secure and educational experience. MORE

  • "Oh my tmux!" is a cool, versatile tmux configuration that makes your terminal look awesome. MORE

🛠 Explore

🧰 Tools

  • vtm is a text-based desktop environment that can wrap console applications and create a TUI matrix. It's available on Windows, macOS, and *nix platforms, offering a unique way to manage your command-line interface. MORE

  • OpenControl lets you use AI to manage your infrastructure by creating a single endpoint to access all your tools, working with models like Anthropic, OpenAI, and Google. It's self-hosted, secure with OAuth, and integrates with AWS, Stripe, and SQL databases. MORE

  • Presenterm lets you make slideshows from markdown files and run them in your terminal. It supports images, themes, code highlighting, LaTeX formulas, and PDF exports. MORE

🎥 Watch

  • A creator explores his addiction to podcasts, examining how they serve as a constant mental companion, help him complete tasks, and potentially act as a coping mechanism during stressful times. MORE

  • Bluesky's CEO, Jay Graber, discusses how the platform aims to give users control over their online experience. Bluesky wants to shake up social media by creating an open network with more choices. MORE

  • Learn how to use SSL certificates to uncover threat actor infrastructure. This talk provides examples of how certificate transparency logs can be used to find and identify malicious networks. MORE

  • An exploration of the growing frustration with modern technology, highlighting how technological innovations have become less exciting and more manipulative. It discusses various examples of tech inconveniences, from motion smoothing on TVs to complicated streaming services and apps that prioritize engagement over user experience. MORE

  • How a simple IDOR earned NahamSec a maximum bug bounty payout. MORE

🎡 Listen

  • David and Stephen discuss their favorite travel tech, including bags, gadgets, and planning strategies for smooth trips. From noise-canceling headphones to portable power banks. MORE

  • Scott and Mark discuss building professional reputation in tech, exploring how senior professionals navigate communication, asking thoughtful questions, and managing interactions with colleagues across different organizational levels. MORE

  • Dwarkesh discusses the transformative potential of AI, emphasizing how AI systems can coordinate, scale, and evolve in ways fundamentally different from human workers. He explores the profound implications of AI on economic productivity, research, and societal structures, highlighting the unique advantages of AI systems like their ability to be copied, merged, and rapidly improved. MORE

  • Dr. Peter Lee, President of Microsoft Research, discusses the transformative potential of AI in technology and medicine, reflecting on his career's journey from early computing to the current AI revolution. MORE

🌐 Technology

  • Simon Willison created a template for using GitHub Actions to build and deploy custom websites to GitHub Pages. He used it to track recent California Brown Pelican sightings from iNaturalist and convert them into an Atom feed. MORE

  • Not all AI-assisted programming is vibe coding (but vibe coding rocks). When is it OK to vibe code? MORE

"[...] Projects should be low stakes. Think about how much harm the code you are writing could cause if it has bugs or security vulnerabilities. Could somebody be harmed—damaged reputation, lost money or something worse? This is particularly important if you plan to build software that will be used by other people! [...]"

  • e-ink.nvim is a grayscale color scheme for NeoVim, inspired by Everforest, that's ideal for note-taking and coding in Lua, Go, and JavaScript. MORE

👀 Interesting

  • Discover your beliefs about reality with this quiz. It helps you pinpoint your cosmology and spark conversations. MORE

  • OpenTimes is a free database with travel times between U.S. Census spots using driving, biking, and walking. It uses static files and cool tech for a low-cost, easy way to access data. MORE

  • How Devon Larratt built the World’s strongest arms (World Champion Armwrestler). MORE

YouTube recommendations are coming in clutch again. I mentioned discovering Devon randomly in Hive Five 200, and this time the video explores how he built the world's strongest arms.

  • Anne Mahlum sold her Pilates studio, Solidcore, for ~$90 million after investing her $175,000 savings. Here's how she manages her wealth, how her spending habits have grown, and how she separates achievement from self-worth. MORE

💭 Quote

❝

"You can't cry about having a lot on your plate when your goal was to eat."

Unknown

Get $200 to try DigitalOcean — the go-to for all my recon, automation, and VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

📈 Learned something?

Upgrade Yourself →

You're getting the free version. Members get more — including exclusive & bonus content, access to an online community of smart and driven people, the complete Hive Archive, deep discounts, and so much more. See what you're missing.

Share Hive Five →

Share this newsletter with your friends and colleagues.

1 REFERRAL = 20% OFF EVERYTHING IN THE STORE

Until next week, take care of yourself and each other,

Bee 🐝

This newsletter may contain affiliate links that support its costs. These links lead to tools, courses, and resources that I've personally found helpful.