
🐝 Hive Five 148 - The OG Bug Bounty King

Hi friends,

Greetings from the hive!

I hope your weekend was relaxing, and not as eventful as in the AI world.

I'm (hopefully) getting over the tail end of my sickness.

"Move faster. Slowness anywhere justifies slowness everywhere."

— Sam Altman

Let's take this week by swarm!

🐝 The Bee's Knees

  1. The OG Bug Bounty King: Frans Rosén. In episode 45 of Critical Thinking - Bug Bounty Podcast, they talk to Frans Rosén, an OG bug bounty hunter and co-founder of Detectify. YOUTUBE

  2. Catching up on the weird world of LLMs, a talk by Simon Willison at North Bay Python 2023. Simon attempts to summarize everything he's learned about them over the past year: how they are built, what they can do, what they can't do and how we can best tame them and use them to solve interesting problems. YOUTUBE

  3. Japan’s Hidden Strength Culture You Didn’t Know Of: Chikara Ishi 力石. World's Strongest Man, Martins, takes you on a journey to Strength Unknown — When I was younger, I watched strongman competitions, envisioning growing up big and strong. This series cultivates and showcases a thoughtful and spiritual side of strength. YOUTUBE

  4. A Coder Considers the Waning Days of the Craft: "Coding has always felt to me like an endlessly deep and rich domain. Now I find myself wanting to write a eulogy for it." NEWYORKER

  5. Kevin shared his research about Abusing Client-Side Desync on Werkzeug. He'll deep dive into an interesting case of Client-Side Desync (CVE-2022-29361). MIZU | SLIDES

Which Bee's Knees was your favorite? Reply with the number (#1, #2, #3, #4, or #5)!

Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.

🔥 Buzzworthy

✅ Changelog

  1. xnl-h4ck3r released GAP-Burp-Extension v4.3, a Burp Extension to find potential endpoints and parameters, and to generate a custom target wordlist. GITHUB

  2. Another xnl-h4ck3r release: XnlReveal v2.7, a Chrome/Firefox browser extension that shows alerts for reflected query params, shows Wayback archive links for the current path, shows hidden elements, and enables disabled elements. GITHUB

  3. xnl-h4ck3r also updated waymore to v1.29, which helps you find way more from the Wayback Machine. GITHUB

  4. s0md3v released Arjun 2.2.2, an HTTP parameter discovery suite. GITHUB

  5. j3ssie released osmedeus v4.6.2, a workflow engine for Offensive Security. GITHUB

📅 News

  1. Obsidian dropped some gear that is available for preorder with the new logo. TWITTER

  2. Portswigger's Web Security Academy launched a new lab on scanning non-standard data structures with Burp Suite using custom insertion points. TWITTER

🎉 Celebrate

  1. bebiks is one year in the bug bounty game and has crossed 1k reputation points. Congrats! TWITTER

  2. Mason finished their annual Friendsgiving, and thanks everyone. No, thank you! TWITTER

  3. Sam has had a really weird last 6 months, but is really looking forward to doing more web security stuff. We miss you! TWITTER

  4. Leo received a hacker portrait from Intigriti. Looking good! TWITTER

  5. Michael was awarded a $30k bounty on HackerOne. Woot! TWITTER

💰 Career

  1. Ian says anyone can give a conference talk, and shares tips for topics. TWITTER

  2. Emily was laid off and is looking for blue team work! TWITTER

  3. People share why they got their certifications, such as getting a job. TWITTER

  4. Zach shares how he quit his $600k data engineering job at Airbnb and made $600k in 7 months from content creation and teaching. It all started when in October 2022, a drunk-driving Tesla crashed into his house... DATAENGINEER

⚑️ Community

  1. Jason is beginning to outline his class on security leadership. Do you have any learning for him? TWITTER

  2. Zseano reminds us that it's the end of the year, so bug bounty programs will begin to slow down. Be patient. TWITTER

  3. d0nut is back at hacking, and is having a great experience on Bugcrowd so far. TWITTER

  4. Jswzl is asking what features and improvements you would like to see in 2024. TWITTER

  5. Monke's pivotal point in their bug bounty journey was when they genuinely started enjoying the learning process. TWITTER

📰 Read

  1. Large Language Models and chatbots are quite commonly vulnerable to data exfiltration. This post describes how Google Cloud's Vertex AI - Generative AI Studio had this vulnerability. EMBRACETHERED

  2. Derin uncovers a crazy privilege escalation from Chrome extensions. They were rewarded a total of $10,000 for the two bugs. 0X44

  3. The photos. The copy. The gadgets. The pitch. There was so much to take in. That’s the DAK Catalog from the '80s. Now, Cabel shares over 55 fully-scanned, 600 DPI DAK catalogs for us to enjoy — I wasn't aware of these, but I can't wait to check them out! CABEL

  4. Daniel on how to remove your fear of public speaking. DANIELMIESSLER

💡 Tips

  1. Nathaniel recommends that web hackers stick to one target for long periods of time. TWITTER

🍯 Follow

Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. @samengmg | samuel eng.

  2. @InfosecChlobo | I N F O S E C C H L Ö B O | Infosec Zennial | Likes hacks, cooking and doggos! Security Consultant | Co-founder and organiser of @BSidesLeeds (2018-Present).

  3. @KurenoLola | CyberLola | Cyber security engineer @INE | Compliance | AWS Security | @hacknotcrime Advocate | cat lover(=^ェ^=) | mizrahi Jewish lady living in Tokyo.

  4. @AseemShrey | Aseem Shrey | Security Engineer @Rippling | ex-@gojektech | CTF player NULLKrypt3rs | Web App Exploitation & Reverse Eng.

🚀 Productivity

  1. Effective Neovim setup for web development towards 2024. YOUTUBE

  2. pashashocky worked on an Obsidian plugin that allows you to display notes in a gallery style. GITHUB

  3. Taylin gives actionable tips and frameworks on how to escape overthinking and underacting. TWITTER

  4. Jason shares a peek behind the scenes of the HEY calendar project, which involves weekly summaries and hill charts. I dig it! TWITTER

  5. Thomas on how to get things done: write down the top 3 most important tasks, log out of social media, and set a 25-minute timer to work on the first one. TWITTER

Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It's my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

🌐 Technology

  1. Must-have macOS apps, including my favs. TWITTER

  2. AI Engineering 101 and 201 Workshops, covering Agents and Cognitive Architectures, Function Calling, and more. LATENT

  3. rkk3 came up with a new solution for YouTube's adblocker crackdown. This extension automatically mutes and fast-forwards or skips through video advertisements. GITHUB

  4. 4 Web Devs, 1 App Idea. A fun new show where Salma Alam-Naylor, Scott Tolinski, and Eve Porcello build a productivity app that is NOT a todo list. YOUTUBE

  5. Authorization is the number one security risk in the OWASP Top 10. But does it have to be? Nathanial Lattimer presents Rust, but Verify - Compile-Time Authorization. YOUTUBE

🧠 Wisdom

  1. Jack on how to differentiate yourself by skilling up on things that can be learned but not taught. TWITTER

  2. David on a misconception of reading: "Writing is how you discover what you think." TWITTER

  3. Alex on the importance of sleep, crucial for focus when finding vulnerabilities. TWITTER

  4. T.H.I.N.K before you speak: T - is it True? H - is it Helpful? I - is it Inspiring? N - is it Necessary? K - is it Kind? SUBSTACK

  5. Jason and Daniel share their successful business strategy: "Take care of the downside, and let the upside take care of itself." TWITTER

💛 Cross-pollination

  1. Find out what work/office purchases transformed people's lives. YCOMBINATOR

  2. Tim Ferriss's 2023 Holiday Gift Guide: 12 Gifts to Make Your Holidays Extra Fun, Relaxing, and Delicious. TIM

  3. Eva shared this one: Breaking up is hard to do. Digitally disentangling yourself from your former partner is harder. Avast and Refuge have written a handy guide. REFUGETECHSAFETY

  4. Tarah shares a process for large meal cooking. TARAH

🐝 Fact

Most local beekeeping associations operate a swarm collection service. If you see a hanging swarm and are unable to collect it yourself, notify them to come and remove it before it finds a new home in an inaccessible place.
