🐝 Hive Five 161 – Your Security Program Is Sh*t

Morning routines, Client-Side Security, and Autonomous Hacking LLM Agents

Hi friends,

Greetings from the hive!

This past week, I was focused on visuals and design. This state of mind led me to switch up my Neovim theme and give the Kanagawa theme a spin.

Another change I made was to my Hive Five thumbnail. The one you see when sharing on social media. It had no value proposition.

While designing this new iteration, I took inspiration from Daniel Miessler's thumbnail and Pieter Levels's marketing approach. Let me know what you think.

Let's take this week by swarm!

🐝 The Bee's Knees

  1. A story of how Ian and Sam were able to bypass Vercel's build protections to access internal and staging deployments for all users via directory traversal and SSRF. TWITTER

  2. LLM Agents can autonomously hack websites, performing complex tasks without prior knowledge of the vulnerability. ARXIV

  3. Unredacted issue 006 is out. The magazine is community-driven and focuses on privacy and OSINT. INTELTECHNIQUES

  4. Is client-side security dead - or a crucial part of the future? WEIZMANGAL

  5. Andrej Karpathy on the shortification of learning: "I find it helpful to explicitly declare your intent up front as a sharp, binary variable in your mind. If you are consuming content: are you trying to be entertained or are you trying to learn?" TWITTER

Which Bee's Knees was your favorite? Reply with the number (#1, #2, #3, #4, or #5)!

Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.

🔥 Buzzworthy

✅ Changelog

  1. Fabric 1.1.0 release updates the installation process to use Poetry combined with an elegant ./setup.sh script that does all the work for you. GITHUB

  2. SecLists 2024.1 release includes multiple updates from the community. GITHUB

  3. Honoki bbrf-client v1.3.2 release adds the --ignore-scope (or -f) flag to force adding domains and URLs regardless of the project's scope settings, e.g. bbrf domain add outofscope.com --ignore-scope will ignore the configured scope and add the domain to the program. GITHUB

  4. EvenBetter v1.4 is out, adding Exporting/Importing Workflows and more. TWITTER

📅 News

  1. An opportunity to directly hack with NahamSec: The 5 Week Program. YOUTUBE

  2. How AI can strengthen digital security. Google launches the AI Cyber Defense Initiative to help transform cybersecurity and use AI to reverse the dynamic known as the "Defender’s Dilemma". BLOG

🎉 Celebrate

  1. Congrats to Bugcrowd for raising $102M funding. TWITTER

💰 Career

  1. Step into the world of a former Federal Government employee turned 100 Million Dollar IT Government Contractor Company owner with Fox Wade. YOUTUBE

  2. Web2, Blockchain & Beyond: The Ethical Hacker's Guide to Success. In this exclusive interview, we journey with Mohan, who reveals their incredible path from Capture the Flag competitions to building a successful security company. YOUTUBE

  3. How to find time for everything with a full time job. YOUTUBE

  4. Tons of jobs posted by Joe, from Program Director to System Support (US only). TWITTER

  5. How Symone made over $225,000 in a year as a 27-year-old government contractor overseas, and got paid to travel in her free time. BUSINESSINSIDER

⚡️ Community

  1. Reading Mean Comments Tech Edition 2023 with TracketPacer, John Hammond, EndingWithAli, Tib3rius, and Shenetworks. YOUTUBE

  2. Meg shares her top 10 favorite things about working at CrowdStrike. TWITTER

  3. Alex shares his week 6 bug bounty stats update. TWITTER

  4. Jess shares a write-up of their Stored XSS with HTTP-only Session Cookies. MEDIUM

📰 Read

  1. The Risks of the #MonikerLink Bug in Microsoft Outlook and the Big Picture. Beyond leaking local NTLM information, the bug may also serve as an attack vector for remote code execution and more. CHECKPOINT

  2. How Snowflake's Red Team uses Tart and GitHub Actions to develop, build, and test their tooling on Apple Silicon. MEDIUM

  3. Tech Support Stories Part 2. Mat shares interesting stories from their whole time doing IT-type work. MATDUGGAN

  4. "Your Security Program Is Shit - It is. And everyone knows it. I know it, you know it, your nonna who got her identity stolen and is now on the hook for $100k worth of Ethcoin or whatever the fuck those things are called knows it, and your computer nerd with a little bit of charisma CISO knows it, too." CRANKYSEC

  5. Analyzing AI Application Threat Models. The following analysis explores the paradigm and security implications of machine learning integration into application architectures, with emphasis on Large Language Models (LLMs). NCCGROUP

💡 TIL

  1. Connecting an iPhone to your Mac with a cable allows you to record your iPhone screen. YOUTUBE

  2. AI Shell Command Generator prompts LLM to write you a simple shell command with an explanation. Copies the command to your clipboard (even if you cancel generation before the explanation completes). GITHUB

  3. TIL there is dynamic pricing at McDonalds. TWITTER

  4. The 100 best books of 2023. Shepherd asked 1,552 authors for their 3 favorite reads in 2023. The top 3 are Demon Copperhead, Lessons in Chemistry, and Yellowface. SHEPHERD

  5. Old'aVista: The most powerful guide to the old internet. I remember the days of Altavista and Astalavista. Good times. OLDAVISTA

🍯 Follow

Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. @Six2dez1 | Six2dez | Ethical hacker | bash lover | reconFTW | @visma.

  2. @WhyHiAnnabelle | anne bertucio | Posts on open source, security, dogs and lots of bikes. Open source programs @google. Board at @CloudNativeFdn. She/her.

  3. lunchbag | Jen | Solopreneur, engineer & designer @lunchmoney_app. Supporting bootstrapped founders @picnic_inc.

  4. @EFF | We're the Electronic Frontier Foundation. We defend your civil liberties in a digital world.

  5. bencodezen | Ben Hong | @vuejs core team | senior staff dx engineer @netlify | @nuxt_js ambassador | @GoogleDevExpert.

🚀 Productivity

  1. A step-by-step guide of how a front-end dev sets up their Mac, with lots of productivity tools. GITHUB

  2. The best CLI tool according to ThePrimeagen is none other than jq. It is like sed for JSON data - you can use it to slice and filter and map and transform structured data with the same ease that sed, awk, grep and friends let you play with text. YOUTUBE

  3. Sahil's Morning Routine where he shares 5 science-backed principles to win every single day. YOUTUBE

  4. How to Stop Wasting Your Life (Avoid These 5 Things): social media, news, TV, chores, and squandering spare minutes. YOUTUBE

  5. How ChatGPT can analyze any business in seconds when using the right prompt. YOUTUBE
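A worked jq example, added here and not taken from the newsletter, the video, or the jq project: it runs the "slice, filter, map, transform" idea above over a small JSON array of findings of the kind a recon script might emit. The data is constructed for the example (hosts and findings are made up), and it assumes jq is installed.

```sh
#!/bin/sh
# Constructed sample input: a JSON array of findings, as a recon script might emit.
# Hosts, ids and findings are made up for this example.
FINDINGS='[
  {"id": 1, "host": "api.example.com", "severity": "high",     "tags": ["ssrf"]},
  {"id": 2, "host": "www.example.com", "severity": "low",      "tags": ["info-leak"]},
  {"id": 3, "host": "www.example.com", "severity": "high",     "tags": ["xss", "stored"]},
  {"id": 4, "host": "cdn.example.com", "severity": "critical", "tags": ["traversal", "ssrf"]}
]'

# Filter: hosts with at least one high or critical finding, one per line, de-duplicated.
# -r prints raw strings rather than JSON-quoted ones, so the output feeds other tools.
high_hosts() {
  printf '%s' "$FINDINGS" \
    | jq -r '.[] | select(.severity == "high" or .severity == "critical") | .host' \
    | sort -u
}

# Map + reduce: count findings per severity as one compact JSON object.
# group_by sorts on the key, so the object's keys come out in alphabetical order.
severity_counts() {
  printf '%s' "$FINDINGS" \
    | jq -c 'group_by(.severity) | map({ (.[0].severity): length }) | add'
}

# Transform: one "host<TAB>severity<TAB>tags" line per finding, ready for grep/awk.
# @tsv escapes tabs and newlines inside values, so a hostile tag cannot forge a new row.
as_tsv() {
  printf '%s' "$FINDINGS" \
    | jq -r '.[] | [.host, .severity, (.tags | join(","))] | @tsv'
}

# Slice: ids of every finding carrying the "ssrf" tag, as a JSON array.
ssrf_ids() {
  printf '%s' "$FINDINGS" \
    | jq -c '[ .[] | select(.tags | any(. == "ssrf")) | .id ]'
}

high_hosts
severity_counts
as_tsv
ssrf_ids
```

Each function keeps the whole query inside jq and only uses sort/grep for what jq does not do well, which is the usual division of labour: let jq handle structure, then hand flat text to the classic tools.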

Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It's my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

🌐 Technology

  1. Experience Groq, world's fastest Large Language Model (LLM). GROQ

  2. Datasette-studio is Datasette pre-configured with useful plugins. This is an early experiment at the moment. GITHUB

  3. Not all TLDs are Created Equal. In light of the recent cancellation of the queer.af domain registration by the Taliban, the fragile and difficult nature of country-code top-level domains (ccTLDs) has once again been comprehensively demonstrated. HEZMATT

  4. How Zerodha processes 1.5+ million PDFs in 25 minutes. Learn about the journey of rethinking the architecture and building it from scratch. ZERODHA

  5. How NetworkChuck ditched his Raspberry Pi, from decision to real-world execution, showcasing the trials, errors, and eventual triumphs of finding the perfect travel companion in the tech world. An interesting one to watch if you have kids and/or travel a lot. YOUTUBE

🧠 Wisdom

  1. Digital Defense: The ultimate personal security checklist to secure your digital life. DIGITAL-DEFENSE

  2. Tiago on training the algorithm of YouTube Shorts and TikTok to display longer, more in-depth content. TWITTER

  3. Tips and tricks on buying your first house. TWITTER

  4. Kettlebells + bands > weights. TWITTER

  5. Calvin on the misunderstanding of living in a way that makes classic vacations a silly concept. TWITTER

💛 Cross-pollination

  1. Random Robbie created a Missing Person Search Playbook for the UK. When a person goes missing in the UK, it's crucial to act swiftly and methodically to increase the chances of finding them safe and sound. GITHUB

  2. 5am Morning Routine in the Countryside. Artistic, peaceful, and heartwarming. YOUTUBE

  3. Dunkin’ The DunKings (Extended Cut) ft. Ben Affleck, Matt Damon, Tom Brady, Jack Harlow, Jennifer Lopez, Fat Joe and Charli D’amelio. I thought this was amazingly done. Also, I love Ben and Matt together. YOUTUBE

  4. Jiu-Jitsu Champ Mikey Musumeci Only Eats Pizza and Pasta. I love Mikey's passion and unique approach. Achievements aside, I do wonder about his cholesterol. YOUTUBE

  5. JephriB finds independent restaurants that are struggling. Then, they go in and order lunch, take photos, and post glowing reviews wherever they can. I love this! What a wholesome hobby. REDDIT

🐝 Quote

"What’s most important may not be what you do, but what you do after what you did!"

— Garry Landreth
