🐝 Hive Five 149 - Hacking is a survival skill

Hi friends,

Greetings from the hive!

A happy belated Thanksgiving to those who celebrated. We had a small Friendsgiving with delicious food and good company.

In other news, I believe I'm finally on the tail end of being sick! That's also what I'm thankful for, my health.

What are you thankful for?

Let's take this week by swarm!

🐝 The Bee's Knees

1. Everything about full-time bug bounty with Justin "Rhynorater" Gardner from the CTBB podcast. YOUTUBE

2. At this year’s VirusBulletin conference, VB2023, SentinelOne’s Juan Andrés Guerrero Saade, a.k.a. JAGS, Associate Vice President of SentinelLabs delivered a keynote speech calling for a reevaluation of the conventional understanding of the cybersecurity sector. SENTINELONE

3. An interview with Bryce Case Jr. AKA YTCracker who is a hacker, musician, and also a self-identified member of the hacker group Anonymous. Bryce has been called "The Original Digital Gangster" for his early adoption and manipulation of all things online. YOUTUBE

4. tmp.0ut Volume 3, an awesome ezine, is out: "Hacking is a survival skill." TMPOUT

5. Recordings of the 21st edition of the BlueHat security conference that ran from Oct 11 to Oct 13, 2023, in Redmond, WA USA. YOUTUBE

Which Bee's Knees was your favorite? Reply with the number (#1, #2, #3, #4, or #5)!

️💪 Sponsor

Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.

🔥 Buzzworthy

✅ Changelog

1. jswzl 2023.4.4 has been released: fixed decorator rendering in the code view, fixed two parser issues, and more. TWITTER

2. Dalfox by hahwul released v2.9.1: a powerful open-source XSS scanner and utility focused on automation. GITHUB

3. Bugcrowd VRT v1.11 release: Bugcrowd’s baseline priority ratings for common security vulnerabilities. GITHUB

4. xnl-h4ck3r released XnlReveal v3.4: A Chrome/Firefox browser extension to show alerts for reflected query params, show Wayback archive links for the current path, show hidden elements and enable disabled elements. GITHUB

5. SecLists 2023.4 release: SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. GITHUB

📅 News

1. xnl_h4ck3r released a modified version of TomNomNom's webpaste. It has auto-save to file, includes Google and Bing snippets, and more. GITHUB

2. GitLab is offering a reward for account takeovers without any user interaction. TWITTER

3. Have you submitted a talk for BSides Nashville yet? There's still time, submit your paper before Jan 8th. TWITTER

🎉 Celebrate

1. Bombon earned $500,000 in bounties. Awesome! TWITTER

2. John hit 100,000 YouTube subscribers. LFG! TWITTER

3. TruffleHog Hacktoberfest 2023 winners. Congrats all! Don't sleep on Corben. TWITTER

💰 Career

1. OpenAI's ex-CEO advice from his dad: "Consider your life as a series of 10-15 year projects." TWITTER

2. David cautions against hiring people who have enough experience to be prideful, but not enough to be wise. TWITTER

3. A cover letter ChatGPT trick, feed it the following: company's about us page, job ad, your resume, and voila. TWITTER

4. SyntaxFM is hiring 2 position: web dev teacher and video/audio production. TWITTER

⚡️ Community

1. Zseano is determined to quit vaping. You got this! Personal story, I smoked for nearly a decade, and have been clean even longer. TWITTER

2. Godfather Orwa shares his Burp extensions. TWITTER

3. justYnot launched their new website. TWITTER

4. Mark is about to do something that will change the entire landscape of Bug Bounty in the USA: "No more hunters getting screwed over. TWITTER

5. Nagli started a $50,000 bounties in 50 days challenge. Follow along with his progress. TWITTER

📰 Read

1. How to voltage fault injection. During physical security assessments of IoT devices, one of the goals is to take advantage of debug interfaces or accessible chips to study how the devices work. An ideal scenario is the extraction of the full file system to find a way to gain root access to the device. SYNACKTIV

2. Static Code Injections in OpenCart (CVE-2023-47444). In OpenCart versions 4.0.0.0 to 4.0.2.3, authenticated backend users having common/security “access” and “modify” privileges can write arbitrary untrusted data inside config.php and admin/config.php, resulting in remote code execution on the underlying server. 0XBRO

3. Analysis of CVE-2023-46214 + PoC. CVE-2023-46214 is a Remote Code Execution (RCE) vulnerability found in Splunk Enterprise which was disclosed on November 16, 2023 in the Splunk security advisory SVD-2023-1104. HRNCIRIK

4. Bassem shares a Two-Factor Authentication bypass of Facebook Accounts ($25,300). MEDIUM

5. Google search is bad. Now what? Almost 73% agree that Google has been getting worse at searching in recent years. OSINTAMBITION

💡 Tips

1. Tae'lur's advice on getting into coding/cybersecurity: "Don't just chase certs or courses [...] set up a home lab/build projects while learning." TWITTER

2. Damian on the solid results when crafting your own wordlists. TWITTER

3. Lennaert on reporting bugs in a way others can understand: "Your report is your product, not the bug." TWITTER

4. Peter on setting a number of hours when doing deep research/recon, but also not to shy away from things that look hard on the surface. TWITTER

🍯 Follow

Awesome accounts to follow. Randomly selected from my curated Twitter lists.

1. @cryptoishard | cryptopotato | OSINT⁃Android⁃Hardware⁃Cryptography⁃Forensics⁃Virtualization⁃GameDev.

2. @sprocket_ed | ed | Director of Operations and hacker @sprocketsec.

3. @codebeast | Christian Nwamba | Jack of a few trades. JavaScript. Teacher. Now @AWSAmplify Prev @Microsoft, @cloudinary, @auth0.

4. @soaj1664ashar | Ashar Javed | Web AppSec Researcher | in Microsoft's Top 100 Security Researcher List -2018 | in Microsoft's Most Valuable Researcher List -2019 & 2020.

5. @g0tmi1k | g0t mi1k.

🚀 Productivity

1. Remembering what you've read is an active process. Here's something that can help, Read Recite Relate is a creative exercise from Hamed. INSTAGRAM

2. Monke shares his learning pipeline: Notion, Pocket, GPT-4 Voice, and more. TWITTER

3. Tynan, the inventor of the gear post, released his 2024 edition. TYNAN

Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It's my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

🌐 Technology

1. A wild story about a tech conference using fake profiles that represented female speakers, and also catfishing as an IG tech influencer. WTF?! TWITTER

2. Tobi shares Black Friday Shopify stats (running on Rails): Shopify’s egress processed 145 billion requests on Friday. App servers handled peak of ~60 million requests per minute. Increase of 38%. Total GMV was $4.1b, up by 22% from last year. TWITTER

3. The best resources for mastering Turbo / Stimulus according to Twitter. TWITTER

4. g0lden takes his servers that have proxmox on them from the last video, and show you how he prepares them for either Docker (with docker swarm) or a full installation of kubernetes. YOUTUBE

5. Elon released all design and engineering of the original Tesla Roadster is now fully open source. TESLA

🧠 Wisdom

1. Alex says that you'll pay for education one way or another, either with money or with time. TWITTER

2. David on the maturity it takes to ship simple things: "The novice overcomplicates their work." TWITTER

3. George shares useful razors. Here's one of them, the Network Razor: If you have 2 quality people that would benefit from an intro to one another, always do it. Networks don't divide as you share them, they multiply. TWITTER

4. Alex shares a bug bounty maxim: "The lower the impact of the report, the more back and forth required to be awarded a bounty." TWITTER

5. Mario games teach us that even if something is essentially the same, psychologically it can be completely different — I never realized this, until I saw these side-by-side images. TWITTER

💛 Cross-pollination

1. TIL you should train your neck, as it's a form of life insurance. TWITTER

2. I love this low-effort thing that you can do that has an outsized positive impact on the world: raising others' aspirations. TWITTER

3. They Started Playing Football as Young as 6. They Died in Their Teens and Twenties With CTE. INSTAGRAM

4. A list of legendary YouTube channels that don’t make videos anymore. REDDIT

5. Flighty is a cool iPhone app to track flights. The fastest push notifications, anywhere in the world. FLIGHTYAPP

🐝 Fact

Autumn tasks (average temperature 41-66°F / 5-19°C)

The autumn is a time for ensuring the bees that go into winter are well-fed and healthy and their colonies are strong.

These have the best chance of survival until the weather warms up again in early spring. As the outside temperatures fall and brood rearing has finished, the bees begin to form a winter cluster.

There are certain tasks the beekeeper has to do before this happens.

This bee fact is brought to you by The Beekeeper's Bible: Bees, Honey, Recipes & Other Home Uses.

Subscribe to the Hive Five to read the rest.