🐝 Hive Five 137 - Mining Massive Datasets

Hi friends,

Greetings from the hive!

This week I came across the word Dharma. This resonated with me as I’ve spent a lot of time thinking about what I should be doing in life.

What is my purpose? A man’s search for meaning.

One thing I know for certain is that I want to help others. However, the feeling that I cannot shake is that I’m not doing enough. Partially the reason for this is that I know I’m not.

My past and inner self is holding me back. However, I’m on the path to conquer my mind and find inner peace.

Embrace uncertainty, and be comfortable being uncomfortable. Failing more.

Let’s take this week by swarm!

🐝 The Bee’s Knees

  1. Mining Massive Datasets: Stanford University (full course). YOUTUBE

  2. Leaking File Contents with a Blind File Oracle in Flarum. Flarum is a free, open-source PHP-based forum software used for everything from gaming hobbyist sites to cryptocurrency discussion. ASSETNOTE

  3. 5 Open Source Security Tools All Developers Should Know About with Aviram Shmueli. YOUTUBE

  4. A chat with Charlie Eriksen, creator of Jswzl, about bug bounty, cybersecurity, automation, and more. YOUTUBE

  5. Hacking GTA V RP Servers Using Web Exploitation Techniques. NULLPT

Which Bee’s Knees was your favorite? Reply with the number (#1, #2, #3, #4, or #5)!

💪 Sponsor

Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.

🔥 Buzzworthy

Changelog

  1. RetireJS/retire.js 4.3.2 is a scanner that detects the use of JavaScript libraries with known vulnerabilities. It can also generate an SBOM of the libraries it finds. GITHUB

  2. Noir v0.5.4 is an attack surface detector that works from source code. GITHUB

  3. j3ssie/osmedeus v4.5.1 is a workflow engine for offensive security. GITHUB

  4. jswzl 2023.3.4 has been a while in the making now, and contains really big improvements to the tool. TWITTER

📅 News

  1. Mikhail Matveev, an internationally wanted cyber criminal on the FBI’s Most Wanted list, is producing (and considering selling) swag with his poster on them. TWITTER

🎉 Celebrate

  1. Tuan passed the $1 million mark in total bounties earned. Congrats! TWITTER

  2. It’s been 5 years since Louis left Fitbit to work full time on PentesterLab. Let’s go! TWITTER

  3. bend reached 10k rep on HackerOne. Woot! TWITTER

  4. Corgi took on the role of President of the BSides Nashville board. Woohoo! TWITTER

  5. Honoki became a dad. Many congrats! TWITTER

💰 Career

  1. 28 Questions to Ask Your Boss in Your One-on-Ones. HBR

  2. Why Ali left Developer Relations (dev rel). After 5 years in the space, she stepped away and went to full time engineering. YOUTUBE

  3. J-Curves vs Stairs: Two Approaches to Career Growth. SUBSTACK

  4. How to sabotage your salary negotiations efforts before you even start. INTERVIEWING

  5. DevRel is much more effective when it’s treated as special operations. Unleash them! TWITTER

⚡️ Community

  1. It took Alex less than 1 hour to find a stored XSS on the main app of a public bug bounty program. TWITTER

  2. d0nut wants to run a “Semgrep for Security Engineers” workshop at a conference. Let him know what conferences to apply for. TWITTER

  3. Douglas has submitted 1941 reports on HackerOne. Here are his stats. TWITTER

  4. Domino on the toll unemployment takes on your self-esteem. If anyone is hiring, let them know! TWITTER

  5. NahamSec planted an XSS payload in a product that generates a report which can also be exported as PDF. The problem is that he has to wait 3 months for it to create the report. RIP. TWITTER

📰 Read

  1. Ankit shares his bug report that allowed him to take over user accounts at Trello in a single click via a DOM-based XSS. BUGCROWD

  2. The OSINT Newsletter - Finding Missing Persons - Trace Labs CTF Review (DEFCON 31). OSINTNEWSLETTER

🙏 Support

Enjoy reading the Hive Five? You can treat me to a coffee!

💡 Tips

  1. Justin exploited a tricky XSS using the fact that any function in JavaScript can be called with any number of arguments. TWITTER

  2. Rez0 shares a pro-tip for Burp: Use page up and down in the Response window if the response is large. TWITTER

  3. Jon shares an interesting endpoint when doing recon. The endpoint is used for Apple’s associated domains feature. TWITTER

🍯 Follow

Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. @Lak5hmi5udheer | Lakshmi Sudheer | AppSec@Netflix.

  2. @ret2jazzy | Jazzy | Full stack hacking | Co-Founder @zellic_io.

  3. @hasherezade | hasherezade | Programmer, malware analyst. Author of PEbear, PEsieve, TinyTracer.

  4. @InfoSecWriter | Victoria - InfoSecWriter - | InfoSec Blogs, Books, White Papers.

🚀 Productivity

  1. eschluntz/compress is a tool for automatically creating typing shortcuts from a corpus of your own writing. GITHUB

  2. Ideaverse for Obsidian: A Starter Kit to Manage Your Whole Life. YOUTUBE

  3. What’s the best way to achieve your goals? Dr. K lays it out. YOUTUBE

  4. A simple bookmarklet to tidy up URLs for easy sharing. TWITTER

Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It’s my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

🌐 Technology

  1. A Practical Guide of GNU grep with examples. THEVALUABLE

  2. Life After Yarn — is pnpm the answer? Theo gives his opinion. YOUTUBE

  3. AI Eng Recap: August 2023. Swyx et al’s highest signal selection of the most relevant items for AI Engineers. LATENT

  4. Yes, LLMs can create convincingly human output, says Rez0. He explains why LLM output usually doesn’t sound human, strategies to fix it, and provides real examples. REZ0

  5. spandanb/learndb-py helps you learn database internals by implementing a database from scratch. GITHUB

🧠 Wisdom

  1. 10 Powerful Visuals About Psychology & Life. MEDIUM

  2. Jason reminding us to reach out to people and ask how they are doing. TWITTER

  3. Louis on people sticking to CTF instead of bug bounty or vulnerability research because it’s more comfortable — I’d say the same thing goes for life in general. TWITTER

  4. Justin on the state of the web: “The internet needs fewer philosophers and more practitioners.” TWITTER

💛 Cross-pollination

  1. The Neuroscience Of Living Without Regret. YOUTUBE

  2. How Hip-Hop Changed the English Language Forever - In 50 years, rap transformed the English language, bringing the Black vernacular’s vibrancy to the world. NYTIMES

  3. Mapping Record-High Heat in U.S. Cities - We’re tracking how the hottest year on Earth is affecting heat records. PUDDING

  4. Daily routines and rituals of interesting people. ROUTINES

  5. Starlink satellite tracker does exactly what you think it does — Starlink train goes vroom. SATELLITEMAP

🐝 Fact

“Cold-pressed honey

Ling heather produces thick, almost gelatinous honey, which is too difficult to spin out of the comb using centrifugal force and is therefore generally extracted by pressing. To do this, the comb is cut from the frame and wrapped in a coarse-woven cloth. It is placed between two metal plates, which are squeezed together with a screw mechanism, causing the honey to run out from the bottom of the press.

Because of its consistency, heather honey contains air bubbles: if showing the honey at a honey show, these should be small and well distributed.

Heather honey should never be overheated as this makes it muddy-looking and damages the flavor.”
