🐝 Hive Five 160 – Sisyphus and the Impossible Dream

Hi friends,

Greetings from the hive!

Over the weekend, I shared the Bee-side of this newsletter. Now, you can discover hundreds of curated links that didn’t make it into the weekly Hive Five newsletter.

This idea was inspired by Hive member Monke. Initially, I shared them as a thread on Discord, which then turned into a channel, and is now its own dedicated weekly blog post.

Let's take this week by swarm!

🐝 The Bee's Knees

1. The HTTP Garden is a collection of HTTP servers and proxies configured to be composable, along with scripts to interact with them in a way that makes finding vulnerabilities much easier. GITHUB | ShmooCon 2024 talk

2. Sisyphus and the Impossible Dream by Casey Neistat. If you're not familiar with Casey, I encourage you to check out all of his YouTube videos. YOUTUBE

3. Rust Won’t Save Us: An Analysis of 2023’s Known Exploited Vulnerabilities. HORIZON3

4. Conditional Love for AWS Metadata Enumeration. AWS has publicly stated that account IDs are not considered sensitive, but in practice, they do more heavy lifting than we’d like to admit. PLERION

5. Your work can only be as good as your problems are interesting. A lot of people struggle with doing great work and still being unfulfilled, and your problems might be the problem. DANIELMIESSLER

Which Bee's Knees was your favorite? Reply with the number (#1, #2, #3, #4, or #5)!

️💪 Sponsor

Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.

🔥 Buzzworthy

✅ Changelog

1. Fabric 1.0.0 release: fabric is an open-source framework for augmenting humans using AI. GITHUB

2. Waymore v2.4 release: Find way more from the Wayback Machine. GITHUB

3. Shot Scraper 1.4: A command-line utility for taking automated screenshots of websites. GITHUB

4. HackerOne has been cranking out UX improvements and features based on hacker feedback. This one was requested by sw33tLie for sending an email if you get added as a trusted collaborator to a report. TWITTER

📅 News

1. PentesterLab is thinking of starting a monthly online meetup. TWITTER

2. MidJourney is getting into the hardware game and hired an engineer from Apple Vision Pro to be the Head of Hardware. TWITTER

3. After 15 years Microsoft changed their default font from Calibri to Aptos. MEDIUM

4. Cybersecurity 2024 from Packt. HUMBLEBUNDLE

🎉 Celebrate

1. it's been a year since STÖK visited Finland and Disobey for the first time. Now, he's presenting on the Main stage. Let's go! TWITTER

2. d0nut played in two post-bugbash poker tournaments and won them both. Let's go! TWITTER

3. Mason is back on the grind. 8 bugs pending on HackerOne, and 6 on Bugcrowd. Welcome back! TWITTER

4. Forbes Spain wrote an article about Bsysop and the team winning the HackerOne AWC. Amazing! TWITTER

5. Emily joined a new company as a Cyber Security Engineer. Yay! TWITTER

💰 Career

1. INTERVIEW: How to Become a pentester and teach via E-Sports ft. Davin Jackson. Step into the world of a Cybersecurity API Penetration Tester and E-Sports team owner. YOUTUBE

2. HIRING: The Microsoft Threat Intelligence Center (MSTIC) is recruiting experienced nation-state threat hunters — with highly honed threat intelligence analysis skills. TWITTER

3. STORY: Chris shares why they left Blizzard. Buckle up, this is a wild one. TWITTER

⚡️ Community

1. In response to "What scene in a movie/show will always make you cry?", Alethe shared the saddest scene from my favorite show Halt and Catch Fire. TWITTER

2. It's the season of Live Hacking Events. After HackerOne and Bugcrowd, YesWeHack's "Hack Me I'm Famous" is up next. TWITTER

3. Blaklis found an IDOR leaking billing details for all Shopify stores. The community finds the custom CVSS score questionable. TWITTER

4. Justin on why you should never give Frans a target. A screenshot tells a thousand words. TWITTER

5. After X amount of years at Bugcrowd, Grant is moving on. During that time, he climbed the ranks from Application Security Engineer to Vice President of Operations. Fun fact: He was the one who reached out to me to join Bugcrowd after a recommendation. LINKEDIN

📰 Read

1. On January 25, 2024, Microsoft published a blog post that detailed their recent breach at the hands of “Midnight Blizzard”. In this blog post, Andy explains the attack path “Midnight Blizzard” used and what Azure admins and defenders should do to protect themselves from similar attacks. SPECTEROPS

2. ShapeSecurity's Javascript VM: Part 1. ShapeSecurity's Javascript Virtual Machine(VM) has a remarkable reputation for being extremely hard to bypass and reverse. Their primary clients consist of corporations that require the highest level of security when it comes to protecting their API endpoints. BOTTING

3. From Concept to Capability: Required Security Changes for Secure AI Agents. The libraries and frameworks for AI systems are pretty immature right now. Most applications are simple chatbots or forms of retrieval. But as we increase the complexity of the use cases, the current architecture won’t be sufficient. JOSEPHTHACKER

💡 TIL

1. Michael flew 100k miles in the past two years and shares his top rules for traveling by air. Coincidentally, we've also been sharing tips in the Hive Discord. TWITTER

2. Pieter Levels copy-pasted his successful landing page to all of his products. Contrary to popular belief, whitespace and adhering to design principles did not increase conversion. TWITTER

3. Grant shares a visualization of a favorite load-balancing technique at AWS called "the power of two random choices". TWITTER

4. Git has an auto-correct flag. When used, it provides you with X amount of seconds to cancel your action if the correction is not what you want. STEFANJUDIS

5. People share what industry "secret" they know that most others don't. Some of these are wild. REDDIT

🍯 Follow

Awesome accounts to follow. Randomly selected from my curated Twitter lists.

1. @Gromak123_Sec | Gromak123 Security | French Security Researcher and Pentester at @Unumkey | C|EH Certified | BugBounty Hunter at @YesWeHack & @Hacker0x01|3 times LeHack Bugbounty's Winner.

2. @irsdl | Soroush Dalili | Appsec Researcher. Works @MDSecLabs.

3. @johnlestudio | John Lê | Storyteller/Co-creator of GIGA (Vault Comics).

4. @ayoubfathi | Ayoub FATHI 阿尤布 | Group Vice President of Information Security @noon | Hacker | Entrepreneur | Enjoys building and breaking stuff.

5. @gardensofalison | 𝒶𝓁𝒾𝓈ℴ𝓃 Product Manager | Mindful Product Manager I talks about finding balance and career growth for early PMs | Building Product Manager Garden.

🚀 Productivity

1. The Secret Behind Resisting Dopamine. Don’t release too much dopamine too early, you will need it throughout the day. In addition, decrease the need for dopamine, i.e. let go of negative emotions. YOUTUBE

2. Mischa shares his entire Neovim + Tmux workflow as a DevOps Engineer on MacOS. YOUTUBE

3. Akita on the benefit of using only one screen: no distraction, good ergonomics, best concentration. TWITTER

4. Timebox your requests. TLDR: when you ask someone to do something, tell them 1) the maximum amount of time they should spend on it, and 2) whether it’s urgent and important enough to deprioritize other stuff. CRITTER

5. 12 powerful cognitive biases. A "cognitive bias" is a systematic error in thinking that ruins decision-making. TWITTER

Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It's my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

🌐 Technology

1. Curated list of awesome web apps that work without requesting you to create an account. To save the world from creating user accounts and installing software applications for every damn thing. GITHUB

2. Hishtory is a better shell history. It stores your shell history in context (what directory you ran the command in, whether it succeeded or failed, how long it took, etc). This is all stored locally and end-to-end encrypted for syncing to to all your other computers. GITHUB

3. Personal Data Warehouses: Reclaiming Your Data. Every nerd deserves their own personal data warehouse — a system that gives them the same kind of analytical capability that is usually reserved for giant tech companies. YOUTUBE

4. You’re using AI wrong but it’s not your fault. In this video, Jeff dives into the top 5 mistakes users make with ChatGPT and offer practical solutions to use this chatbot more effectively. From over-specific custom instructions to underutilizing ChatGPT for automation and beyond. YOUTUBE

5. Why Obsidian is 100% user-supported and not backed by VC investors. (and another reason why I love them). TWITTER

🧠 Wisdom

1. David Heinemeier Hansson: Constraints Are Your Friends. David reminds the audience of a simple fact: you'll never outdo Microsoft or Google; they will always have more resources than start-ups. YOUTUBE

2. Pieter created an AI CBT life coach named and modeled after the therapist who helped him a lot during COVID called Cindy that's now free-to-use. TWITTER

3. Dr. Gurner on a mindset of the possibility of being an early separator in great trajectories. TWITTER

4. Vortex: "Life is precious and fleeting. Always remember that." TWITTER

💛 Cross-pollination

1. Multiple Discovery: The Curious Case of Simultaneous Invention. YOUTUBE

2. 5 Fitness Mistakes Made as a Beginner. Patty shares their experiences throughout their fitness journey, this advice will not apply to everyone. YOUTUBE

3. The Adventure That Saved My Life by Natalie Lynn. Natalie makes cinematic videos that feel like journal entries. YOUTUBE

4. Vesuvius Challenge 2023 Grand Prize awarded: we can read the first scroll! Take a look at how they did it, what the scrolls say, and what comes next. I previously mentioned this challenge in #114 and #143. SCROLLPRIZE

5. Amazing picture of birds in a tree by Rajesh Panwar. Nature is forever mesmerizing. TWITTER

🙏 Quote

Subscribe to the Hive Five to read the rest.