🐝 Hive Five 152 - Never feed a beast you don't want to grow
Hi friends,
Greetings from the hive!
When you find yourself unable to start a task, tell yourself to accept the initial agitation.
"The agitation and stress that you feel at the beginning of something—when you're trying to lean into it and you can't focus—is just a recognized gate.
You have to pass through that gate to get to the focus component."
Let's take this week by swarm!
🐝 The Bee's Knees
Google OAuth is broken. TruffleSec released a Google OAuth vulnerability that allows employees at companies to retain indefinite access to applications like Slack and Zoom, after they’re off-boarded and removed from their company’s Google organization. TRUFFLESECURITY | YOUTUBE
Why Air Quality Matters. DHH's brand new house was making his family sick. That led him to study indoor air quality, and the findings were stunning. Besides the risk of making you physically sick, your mental capacity can take a serious hit. YOUTUBE
Apache Struts File Upload Exploit (CVE-2023-50164) analysis and POC. ALIYUN
Having some fun with JavaScript hoisting. Showing the usage and abuse of hoisting in JavaScript in XSS challenges posted on Twitter during November/December of 2023. JOAXCAR
Remote Code Execution on Ahold Delhaize, one of the biggest food retail groups. This critical CVSS 10 bug went unpatched for more than 3.5 years after it was reported. MEDIUM
Which Bee's Knees was your favorite? Reply with the number (#1, #2, #3, #4, or #5)!
💪 Sponsor
Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.
🔥 Buzzworthy
✅ Changelog
📅 News
vx-underground is giving away 12 Evilginx Master courses. That is over $5,000 worth of educational material. TWITTER
IntelTechniques's Irish Exit to the podcast. INTELTECHNIQUES
Zoom unveils VISS: a revolutionary approach to vulnerability impact scoring. While traditional scoring systems like the Common Vulnerability Scoring System (CVSS) focus on an attacker's viewpoint and worst-case scenarios, VISS takes a different stance. ZOOM
🎉 Celebrate
sumgr0 received their 3rd challenge coin within the last two months. Amazing! TWITTER
James Kettle got married. Congrats you two! TWITTER
NahamSec found a crit and received a sweet bounty. Nice find! TWITTER
d0nut and his partner of 8 years are engaged. Woohoo! TWITTER
Jason trained over 500 students in his live courses. Awesome! TWITTER
💰 Career
JP Morgan's Jamie Dimon shares the best career advice they’ve received. YOUTUBE
Day In My Tech Life: From Military to DOD Cyber Threat Hunter ft Kajhon Soyini. YOUTUBE
Why and how Linear does work trials. They believe the only way to build a quality product and business is to hire people they can trust to make good judgments, across all functions and levels. LINEAR
⚡️ Community
Daniel shares his updated Vim and Terminal config — Coincidentally, I've also started using the LazyVim base. TWITTER
STÖK on the benefits of AI, when leveraged correctly, making us better hackers and creatives. TWITTER
XNL-h4ck3r on donating to the Internet Archive if you've ever used them, as they are a non-profit org. TWITTER
📰 Read
Cybergibbons breaks down what the Flipper Zero does and how it's doing it. They start with the Mifare Classic reading. TWITTER
Frans shares the solution to his XSS-challenge from last week. TWITTER
An introduction to fuzzing. Fuzzing, or fuzz testing, is a technique where invalid, unexpected, or random data is passed into a system to discover coding errors and security loopholes. SUBSTACK
CrushFTP - CVE-2023-43177 Unauthenticated Remote Code Execution. The vulnerability could allow unauthenticated attackers with network access to the CrushFTP instance to write files to the local file system and, in some versions, could eventually allow execution of arbitrary system commands. PROJECTDISCOVERY
💡 Tips
0xblackbird shares an underrated way to quickly find new vulnerabilities: "Right before you stop working, go to your proxy interceptor's history and..." TWITTER
sw33tLie shares that you can run a local LLM model for when you don't have access to the internet. TWITTER
Max improved his bug bounty skills by using these 12 simple rules. TWITTER
🍯 Follow
Awesome accounts to follow. Randomly selected from my curated Twitter lists.
@caffeinevulns | Sam (caffeine) | Just love coffee and finding vulnerabilities at @SynackRedTeam.
@TCMSecurity | TCM Security | Disrupting the education and hacking industry. Come learn to hack at TCM Security Academy! Veteran owned. Quality results.
@raymondcamden | Raymond Camden | Cats, adoption advocate, developer relations, Star Wars nerd, Jamstack, lover of good beer & good books. He/Him.
@stolinski | Scott Tolinski - Syntax.fm - LevelUpTuts | Creator of @leveluptuts.
@Sil3nt_4unt3r | $!|3nt_4unt3r | Bug hunter, coder, blockchain enthusiast.
🚀 Productivity
Flow Launcher is a quick file search and app launcher for Windows with community-made plugins. GITHUB
logancyang brought CoPilot to Obsidian. Their goal is to make this AI assistant local-first and privacy-focused. It has a local vector store and can work with local models for chat and QA completely offline. GITHUB
Kevin Kelly's flow chart when deciding whether to work on something (or not). TWITTER
Two must-have macOS apps: Rectangle and Raycast — I'm with DHH on this one, except I use Magnet for the former. TWITTER
Note-taking templates Nicole uses in Obsidian (Obsidian Tour 2023). YOUTUBE
Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It's my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.
🌐 Technology
DHH shares his primary mission for Rails 8: PWA, installable apps, and to embrace the full realization of progress in storage. In that order. TWITTER
This week I learned that there is a Microsoft Excel Championship. It's been won by Andrew "The Annihilator" Ngai for the 3rd straight time. YOUTUBE
linexjlin collects leaked GPT prompts. GITHUB
Office chair recommendations from the X hivemind. TWITTER
4 Web Devs, 1 App Idea (Cassidy Williams, David Khourshid, Shaundai Person) build an app that has a leaderboard. YOUTUBE
🧠 Wisdom
Dr. Julie on fighting losing battles: "Never feed a beast you don't want to grow." TWITTER
Build your binge bank. Expand your luck by sharing publicly, without immediate success or views. TWITTER
Justin on playing to your strengths: "Don't look for a message that resonates with your audience..." TWITTER
Life lessons from a 44 year old — Here are some that resonated with me: "The small details of your day matter..." and "Put your phone down." ANNIEMACMANUS
Huberman shares his Yoga Nidra and NSDR meditations that he's done 1-7X per week since 2017. TWITTER
💛 Cross-pollination
After failing 24 times over the last 17 years, Casey Neistat ran a marathon under 3 hours. LFG! TWITTER
These prompt questions help you choose the right thinking tool for a problem, decision or a system. UNTOOLS
Visiting The Giants Strength Of Hawaii: Stone Lifting, Wrestling, and Climbing. YOUTUBE
Random League of Legends news that stood out to me: a world famous ADC, Rekkles, joined T1 — I applaud him for challenging himself with a new language, culture, teammates, and new role.
Watch the best short films. SHORTOFTHEWEEK
🐝 Fact
Melting beeswax. For all candlemaking, clean beeswax must be melted in a double boiler or a stainless steel container in a hot water bath. The wax should not come into direct contact with the water or the heat. The temperature of the wax can be checked with a meat thermometer: different candlemaking methods require different temperatures for the best results. The melting point range for beeswax is 144-147°F (62-64°C).
This bee fact is brought to you by The Beekeeper's Bible: Bees, Honey, Recipes & Other Home Uses.
A subscription gets you:
- Join a private Discord COMMUNITY: Engage in chat, uplift one another, grow together, and explore shared interests.
- Access to the COMPLETE HIVE ARCHIVE: Unlock a treasure trove of tools, resources, videos, and audio, catering to all your needs.
- EXCLUSIVE & BONUS content: Delve into hundreds of curated links that didn't make it into the newsletter.
- MEMBER-ONLY events: Take part in digital meetups, focus sessions, and more.
- Deep DISCOUNTS on paid content.
- Continuously added NEW BENEFITS.