🐝 Hive Five 144 - Change is inevitable

Hi friends,

Greetings from the hive!

Some big news this week. Firstly, my wife had surgery and is recovering. Now comes the long road to recovery.

Secondly, I'm finally taking the Hive Five to the next level. You'll be able to support me directly by becoming a member of the Hive.

Members get exclusive content, access to an online community, complete archive access, and much more. Stay tuned!

As a reminder, mostly for myself, if you've been putting something off, thinking about it is often scarier than doing it. Fuck fear.

Now, let's take this week by swarm!

🐝 The Bee's Knees

  1. The Circle of Unfixable Security Issues. Not every security issue can be fixed. There are (what LiveOverflow calls) "unfixable" bugs, where you can always argue and shift the goal posts. YOUTUBE

  2. All things must come to an end, and change is inevitable. STÖK thanks everyone for their support and for being a part of the journey. YOUTUBE

  3. AI and hacking. Joseph “rez0” Thacker talks you through AI opportunities and threats, but also shares his current hacking style and workflow. YOUTUBE

  4. A list of security hacking incidents that cover important or noteworthy events in the history of security hacking and cracking. WIKIPEDIA

  5. A whopping 5-part series on The Power of Axiom by Ott3rly, from Introduction to Distributed Attack Orchestration to Mass hunting for misconfigured S3 buckets. MEDIUM

Which Bee's Knees was your favorite? Reply with the number (#1, #2, #3, #4, or #5)! 👉 Share on X

Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.

🔥 Buzzworthy

✅ Changelog

  1. Findomain v9.0.2 is the fastest and most complete solution for domain recognition. GITHUB

  2. reconFTW v2.7.1.1 is a tool designed to perform automated recon on a target domain by running the best set of tools to perform scanning and finding out vulnerabilities. GITHUB

  3. j3ssie/osmedeus v4.6.1 is a workflow engine for Offensive Security. GITHUB

  4. The new 'Bambda' feature in Burp Suite 2023.10.3 early-adopter is crazy powerful. James filtered through 250,000 requests in his proxy history to find ~70 with an incorrect response Content-Length. TWITTER

📅 News

  1. HackerOne kicks off the final round of the 2023 Ambassador World Cup. The Final Four consists of 97 remaining hackers. They represent the countries of France, Israel, Nepal, and Spain. HACKERONE

  2. Nuclei v3 has been released. Key features include Code Protocol, Template Signing & Verification, and more. You can upgrade using: nuclei -update. PROJECTDISCOVERY

  3. Air Canada filed a lawsuit against Ian Carroll's Seats Aero. Seats Aero allows you to easily find last-minute reward availability on popular airlines and mileage programs. TWITTER

  4. Six2dez on the upcoming version 3.0 of reconFTW. They're converting and rewriting all functions into modular scripts that can be accessed individually. TWITTER

  5. How Cloudflare mitigated yet another Okta compromise. On Wednesday, October 18, 2023, Cloudflare discovered attacks on their system that they were able to trace back to Okta. CLOUDFLARE

🎉 Celebrate

  1. Rhynorater finished off in 4th place at Intigriti's 1337UP1023. Congrats! TWITTER

  2. chompie got married. Congrats you two! TWITTER

  3. Matt is now the head of Software Security at Reddit. Amazing! TWITTER

💰 Career

  1. Write a perfect answer using ChatGPT for the "Tell Me About Yourself" interview question. YOUTUBE

  2. Wes on how to on-board yourself if there's no formal process. TWITTER

  3. The Best AWS Certification Learning Paths (Roadmap by AWS). YOUTUBE

  4. From GovTech Software Engineer to 7 Figure Entrepreneur with Reco Jefferson. YOUTUBE

  5. A basic framework to help managers, particularly less experienced ones, think about balancing their responsibilities. PNEWMAN

💪 Jobs

  1. Colin is on the hunt for a role in cybersecurity within NGOs and non-profits. TWITTER

  2. Reddit is hiring a high-end detections engineer that will be driving all their automations, rule creations, and more. TWITTER

  3. ficti0n has 4 senior level netpen / redteam testers with extensive consulting and internal teams experience. TWITTER

  4. Gumroad is hiring SWEs and offers $125-175/hr, no matter where you live. TWITTER

⚡️ Community

  1. g0lden has an automation update, he started a home lab! Find out how he plans to use it to migrate his automation to Kubernetes. YOUTUBE

  2. The age old statement: Burp 1.7 is better than later versions. TWITTER

  3. Codingo is going to enhance Dorky. Let him know if you have a feature in mind. TWITTER

  4. Alex is having a hard time finding a program to hack on. People share theirs. TWITTER

  5. Soroush shares his Synack experience so far. He's enjoyed it more than H1 and BC so far. TWITTER

📰 Read

  1. The FTX trial, day four: The fraud was in the code. The prosecution brought out Github screenshots as they questioned cooperating witness Gary Wang, the former CTO of FTX who at various times was responsible for the codebases powering both FTX and Alameda Research. MOLLYWHITE

  2. One Scheme to Rule Them All: OAuth Account Takeover. This article delves into the exploitation of OAuth account takeover using app impersonation through custom scheme hijacking, an overlooked vulnerability pattern affecting most OAuth providers and consequently many popular applications including TikTok, Reddit, and Samsung Email. OSTORLAB

  3. From SSRF to RCE on Mastodon (CVE-2023-42450). An SSRF that leads to remote code execution. tl;dr: pre-releases only, not exploitable in prod in the default configuration. GITHUB

  4. A Beginner's Guide to Building a Hardware Hacking Lab. VOIDSTARSEC

💡 Tips

  1. swyx on switching to Kagi search and its benefits. No ads, no aggregators, no junk, and easily customizable ranking. TWITTER

  2. Jack on recreating magical feelings you had as a kid by doing something hard, eating well, and being productive. TWITTER

🍯 Follow

Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. @angealbertini | Ange | Corkami, CPS2Shock, PoC||GTFO, Sha1tered. Security engineer @ Google. He/him.

  2. @SaxX | S. A. X. X. | Friendly Hacker ¦¦ Mentor @Guardia_School ¦¦ @breizhctf Co-Founder ¦¦ Speaker ¦¦ Former {Gov|Army|Strat. Institutions} Cybersec.

  3. @XHackerx007 | Abdullah Nawaf (HackerX007) | Hackerx007. Bug hunter. FB/Twitter/Mail.ru HOF. Bugcrowd rank 58, Bugcrowd P1 rank 7 with 110 P1s.

  4. @plmaltais | ramsexy | French-Canadian hacker. Full-time bug bounty hunter. Craft beer connoisseur. Surfing the web and hacking the waves.

🚀 Productivity

  1. How to actually get stuff done — a talk by Jodie Cook at DCBKK 2022: Personal productivity for entrepreneurs. YOUTUBE

  2. What's not to love about the Obsidian manifesto? TWITTER

Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It's my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

🌐 Technology

  1. All the talks from RailsWorld 2023 are now available online. YOUTUBE

  2. defunkt shares the origin story of GitHub. TWITTER

  3. Julia shares some miscellaneous git facts — the gift that keeps on giving. JVNS

🧠 Wisdom

  1. Dr. K on striving to respond instead of react. YOUTUBE

  2. Ali shares a journaling prompt he loves: What is one mistake that you're glad you've made? YOUTUBE

  3. Codingo burnt out worse than ever before, which led to his family buying and restoring a farm. Now, he's happier and healthier than ever. TWITTER

  4. Work ethic is not about long hours, it's about being a good person that's effective and reliable. TWITTER

  5. Kelsey and DHH on the fundamental advances Cloud has brought that provided the blueprints needed to close the gap on-prem. TWITTER

“Between stimulus and response, there is a space. In that space lies our freedom and our power to choose our response. In our response lies our growth and our happiness.” — Viktor Frankl

💛 Cross-pollination

  1. Sam asks why Americans vacationing in Europe lose weight and feel better while keeping the same habits. TWITTER

  2. The Michelin Guide was created to help motorists develop their trips, thereby boosting car sales and in turn, tire purchases. MICHELIN

  3. Elgato released what seems like another hit, a teleprompter promptly named Prompter. They call it the all-in-one creator's teleprompter. ELGATO

  4. Ninja Nerd is an online learning platform for medicine & science that creates high quality medical videos and resources to help students and clinicians learn. NINJANERD

🐝 Fact

At the height of summer, a vibrant, healthy hive may contain about 20,000-50,000 individual honeybees. Almost all of these will be workers (sometimes called "neuters" in older books and essays on the subject). Workers are infertile females whose entire lives are spent foraging for the colony, creating the wax combs, loading cells with honey and pollen, protecting the hive from honey-stealing marauders, and nursing the brood of larvae through to adulthood.