Hive Five #9 - "We cannot retrofit privacy" - Sarah Harvey
Hi friends,
Greetings from the hive!
Happy International Women's Day. I hope you had a great week. My productivity was on point: I was able to complete two projects, both very different, one built with Nuxt.js and the other a Shopify store. Non-work related, I've been really enjoying my daily workout and run. For the latter I started taking one of my dogs with me. He loves it!
Let's do this.
The Bee's Knees
In defense of blub studies: A blub, coined by a co-worker of Ben, refers to mundane, ultra-specific-seeming knowledge. If you're looking to learn something that will make you a better, and happier, programmer, ask yourself which parts of your most-used blub seem magical to you, and try to understand how they work. (10m)
Proton Has Enabled 7000 Windows Games to Run on Linux: Another milestone reached with ProtonDB, they are very close to 7000 Windows games confirmed to be working out of the box with Proton on Linux.
At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft's Email Software: At least 30,000 organizations across the United States, including a significant number of small businesses, towns, cities and local governments, have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that's focused on stealing email from victim organizations.
Compensation as a Reflection of Values: Oxide decided to do something outlandishly simple: take the salary of the founders and pay that to everyone. It reflects their principles of honesty, integrity, and decency.
The Profile Dossier: David Goggins, the Toughest Athlete on the Planet: Polina's profile on David Goggins, who believes that you must do something that sucks every single day because suffering begets growth. Once weighing 300 pounds, he did exactly that, achieving amazing feats.
Buzzworthy
Celebrations
StanFaas: Received their best swag yet by Intigriti!
Team pltypwn: BugCrowd et al, won the RvB CTF at Crikey Con!
hipotermia: receives HackerOne hoodie for obtaining 2.5k rep!
mert: breaks his personal record in the BugCrowd monthly leaderboard!
Rocky Bandana: is currently the #20 hacker in the US on the HackerOne leaderboard!
Events
0xatul/webChallenge: Web challenge by 0xatul, the code does not need to be compiled and the goal is to get an RCE.
NahamCon2021: It kicks off on 03.14.21 at 09:00 AM PST and will be streamed on twitch.tv/NahamSec, hosted by TheCyberMentor, John Hammond, and NahamSec.
Ask a hacker: ajxchapman: GitLab is holding an Ask Me Anything (AMA) session with Alex Chapman on March 22 at 16:30 UTC. (6m)
Articles
Stem cell or organ? Jason has been thinking about how new features are either launched as stem cells or full blown organs.
Hacker Spotlight: Interview with bugdiscloseguys: Harsh Jaiswal or @bugdiscloseguys has been an avid HackerOne hacker since he signed up in January 2016. (4m)
Shifting Engineering Right: What security engineers can learn from DevSecOps: Leif writes about how to create a meaningful partnership between security and software engineers. (19m)
Technical Community Builder is the Hottest New Job in Tech: There's a big shift going on in how developer tools companies approach their userbase.
Apple Card disabled my iCloud, App Store, and Apple ID accounts: About ten days ago, Dustin went to update a few apps in the App Store on his Mac, and was met with a curious error. (4m)
Speed is the killer feature: Imagine making breakfast with a 1 second latency added to every action you take. (4m)
Resources
How I Might Have Hacked Any Microsoft Account: This article describes a vulnerability in Microsoft online services that might have allowed anyone to take over any Microsoft account without the owner's consent or permission. (4m)
Anatomy of an Exploit: RCE with CVE-2020-1350 SIGRed: Valentina's first time writing a RCE exploit in user mode, learning a lot about heap based exploitation in the process. (17m)
TryHackMe X HackerOne CTF WriteUp (Hacker Of The Hill): The post covers the vulnerabilities and initial exploitation methods for the boxes, ranging from easy, to hard. (13m)
Peter Askew: shares their recipe and SEO resources to become a domainer developer.
s0md3v/be-a-hacker: A guide to provide direction when it comes to learning to hack. (9m)
SecurityGuill: compiled all of their InfoSec infographics in one thread.
Microsoft 365 Developer Program: Free developer environment with E5 licenses, complete with test data.
Axiom (CheatSheet): Hahwul created a cheatsheet for the dynamic infrastructure framework.
CVE-2020-3992 & CVE-2021-21974: Pre-Auth Remote Code Execution in VMware ESXi: This blog takes a look at both bugs and how the heap overflow could be used for code execution.
Linux Desktop on Apple Silicon/M1 in Practice: Being in need of a Linux desktop right away, they decided to hack QEMU. (4m)
Videos
HackerOne All Hands: 7 Life Lessons from hackers on how you can make 2021 the BEST year of your life: Best of archives of past live hacking events and STÖK vlogs to share 7 life lessons from hackers on how you can make 2021 the best year of your life.
The Origins of the Computer | Tech Pioneers #1: In their debut episode of Honeypot Explains, they walk you through the key moments of Konrad Zuse's life, from university, the Z3 and beyond.
Offensive Cybersecurity Education and Getting Started in Pentesting - Phillip Wylie - PSW #685: Phillip discusses his passion for offensive cybersecurity education, mentoring, and getting started in pentesting.
Regex and Netflix Prod: ThePrimeagen and his hate for Regex.
Commonly Misunderstood Bugs: Authorization Based Vulnerabilities: Codingo discusses common mistakes people make when reporting Authorization based vulnerabilities.
Extreme Vim Macros for Traditionalist Catholics: This is how you do pretty advanced actions in vim automatically.
Jonah Edwards - Internet Archive Infrastructure: A deep dive into the storage infrastructure of the Internet Archive.
OWASP London Chapter Meeting: Various talks, in particular "Finding Your Next Bug: GraphQL Hacking" by Katie Paxton-Fear.
Dependency Confusion Pt. 1 | The Setup | Packages | Private Registry: In this video they explore the dependency injection based on the article by Alex Birsan.
Dependency Confusion Pt. 2 | Final Part | Exploiting Dependency Injection: Further exploring the dependency injection.
Subdomain Takeovers, beyond the basics for Pentesters and Bug Bounty Hunters: Discover the tricks to subdomain takeovers that go beyond the basics, allowing you to find more impactful findings in a pentest, or on a bug bounty program.
Get $100 to try DigitalOcean - The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.