• Hive Five
  • Posts
  • 🐝 Hive Five 170 - No Web Without Women

🐝 Hive Five 170 - No Web Without Women

The great intergenerational theft, 10 Things Your First Security Hire Shouldn’t Do, and more...

Hi friends,

Greetings from the hive!

I've been writing more and more automation by augmenting myself using AI. These are improvements that I would put in the backlog in the past.

Let's take this week by swarm!

🐝 The Bee's Knees

  1. No web without women: A collection of innovations by women in the fields of computer science and technology. MORE

  2. In this episode, Johan Carlsson shares updates on his bug hunting journey, including a CSP bypass on GitHub and a critical finding in GitLab's pipeline. He also discusses his approach to using script gadgets. MORE

  3. Marketing professor Scott Galloway discusses the financial struggles of young Americans, highlighting the "great intergenerational theft" and calling for action to address the root causes. MORE

  4. GitLab Devfile file write vulnerability (CVE-2024-0402) allowed arbitrary file write and command execution on GitLab instances by chaining multiple vulnerabilities. MORE

  5. 10 Things Your First Security Hire Shouldn’t Do, e.g. "1) Don’t run a public bug bounty" and "5) Don’t gatekeep security from the folks who were already doing the work". MORE

💪 Sponsor

Every week, thousands of innovators immerse themselves in the Hive Five for the best infosec resources, tech optimizations, and productivity improvements. To hack a life they love.

From a reader: "The newsletter is always a highlight of my week!

Table of Contents

📰 News and Updates

🍯 My work

✅ Changelog

  1. Durl v0.2 focuses on removing duplicate URLs by retaining only the unique combinations of hostname, path, and parameter names. MORE

  2. Caduceus v1.0.3 release is a tool to scan IPs or CIDRs for certificates. This allows finding hidden domains, new organizations, and more. MORE

  3. DOMPurify 3.1.2 is a fast, secure, and highly configurable XSS sanitizer for HTML, MathML, and SVG, with a secure default and extensive customization options. MORE

  4. xnldorker v1.0 is a tool that automates the process of gathering results from various search engines using specialized search queries (dorks). MORE

  5. Gungnir v1.0.7 continuously monitors certificate transparency (CT) logs for newly issued SSL/TLS certificates. MORE

📅 News

  1. Google's mobile VRP program celebrates 1 year with reward increases and key lessons learned to improve mobile security. MORE

  2. Pieter Levels, the founder of Levels, has launched a merch shop. MORE

  3. Nil Blend coffee by 10x developers. Only orderable via the terminal. MORE

  4. Bugcrowd, a leading vulnerability disclosure platform, now offers free VDPs, providing organizations with a cost-effective way to manage their security programs. MORE

  5. HackerOne CEO Marten Mickos is retiring after 9 years of leading the bug bounty platform. MORE

💼 Career and Productivity

💰 Career

  1. Supabase is hiring a security engineer and more. MORE

  2. Google Exec shares 3 Steps to Write Great Slides. Actionable tips from a Google Strategy & Operations Manager on creating powerful presentations. MORE

  3. The video discusses "The ladders of wealth creation" by Nathan Barry, a step-by-step roadmap to building wealth. MORE

  4. In this vlog, you'll join the creator on a journey to a fitness and business summit in Nashville, Tennessee. Amidst the rise in loneliness in the digital age, the video aims to inspire self-growth and fulfillment. MORE

  5. Luke and his agency create content for cybersecurity organizations. They are currently seeking new work opportunities. MORE

🚀 Productivity

  1. Kanata is a cross-platform advanced keyboard customization tool that allows users to remap their keyboard keys, providing enhanced control and personalization. MORE

  2. Jason Fried discusses motivation, habit formation, time management, and the importance of finding joy in problem-solving. Their conversations often feature contrasting perspectives, leading to engaging discussions. MORE

  3. The video demonstrates how to use fzf, a powerful fuzzy-finding tool, to quickly search and navigate through Git branches and commits. The accompanying article provides additional details. MORE

  4. Discovering a third home transformed the speaker's perspective on living. This raw, unfiltered video explores the concept of a third home and its profound impact. MORE

🌎 Community and Networking

🎉 Celebrate

  1. sumgr0 received swag for reaching 5k reputation on a platform. Congrats! MORE

⚡️ Community

  1. Trash Puppy, a hacker, programmer, and streamer, shares her journey into the cybersecurity industry and experiences in her first job in the field. MORE

  2. A recap of a HackerOne live hacking event in Las Vegas, showcasing the collaboration between HackerOne and Amazon to find and fix vulnerabilities. MORE

  3. Codingo shares that Bugcrowd, a bug bounty platform, has an internal "Kaching" channel where hackers are celebrated for discovering high-severity vulnerabilities (P1) or receiving large payments. MORE

💛 Follow

Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. @Infosec_Taylor | Ashley - Serious Security Scientist.

  2. @jhooks | joel | lvl 15 half-orc nerd | working on badass_courses | dubia vita electiones.

  3. @RogueSMG | RogueSMG | Hacker Wannabe | YouTube | NullAhm | SRT | Psychology

  4. @bellafusari1 | bells ฅ(•ㅅ•❀)ฅ | An ellie waltman fanpage with a knack for breaking software.

📚 Learning and Growth

📰 Read

  1. Coverage Guided Fuzzing - Instrumenting code to find bugs faster, a valuable technique in security assessments and pentesting. MORE

  2. An empty, private AWS S3 bucket can incur unexpected charges, potentially causing your AWS bill to skyrocket overnight. The article examines this issue and provides insights to avoid such unpleasant billing surprises. More

  3. CVE-2024-2887: A Pwn2Own winning bug in Google Chrome that allows an attacker to bypass type checks and convert any reference type into another, potentially leading to a remote code execution attack. MORE

  4. CodeQL zero to hero part 3: Security research with CodeQL. Learn how to use CodeQL for security research and improve your security research workflow. MORE

💡 Tips

  1. Code review plateaux: Common reasons and how to overcome them. Explore tips to improve and progress beyond stagnation. MORE

  2. Creating a wordlist for CI/CD hacking using AI. MORE

  3. Renniepak discovered a way to import external scripts with JavaScript's import() function without using quotes, by utilizing a regular expression. MORE

  4. TIL that the Internet Archive, a digital library, is headquartered in a church building and offers free tours on Fridays for the public. MORE

🔑 Cross-pollination

  1. Mechanical watches with date displays are uncommon and pricey due to the complexity of their "complication" features, which go beyond just telling the time. MORE

  2. Comprehensive streaming guide for latest movies and TV shows, including Oppenheimer, Spider-Man: Across the Spider-Verse, and more. MORE

  3. Film photography offers a unique and immersive experience, with its deliberate framing and inscription processes, despite the sacrifice of time and cost. MORE

  4. I'm not a look-alike! is a project that photographs look-alikes worldwide, organizes an international exhibition, and publishes a book. MORE

Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It's my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

🧠 Wisdom

  1. The basics are foundational skills and habits that underpin and amplify your advanced expertise. They are the multipliers and nullifiers, makers and breakers, of everything you do. MORE

  2. Jason on motivation, though the money is not a motivator, he enjoys the work and the great crew they work with, which keeps them engaged after years in this pursuit. MORE

  3. 3 key lessons from Berkshire Hathaway's 2024 annual meeting: 1) The power of one sharp knife, 2) Warren Buffett's take on AI, 3) Who Warren Buffett Listens To. MORE

  4. Shaan had an aha-erlebnis and plans to acquire ownership in companies and leverage his media influence to grow these businesses. MORE

  5. Sell the outcome, not the product. Focus on the benefits and value you can provide to customers, rather than just the features of your product. MORE

📚 Resources

  1. Grafana backend has a SQL injection vulnerability that can be exploited using valid account login and malicious POST requests to the "/api/ds/query" endpoint. MORE

  2. Leveraging Postman's workflow capabilities to automate the process of discovering and testing API vulnerabilities. MORE

  3. Stealing your Telegram account in 10 seconds flat. MORE

  4. How Michael hacked into Google’s internal corporate assets using dependency confusion. MORE

  5. CVE-2024-21111 is a local privilege escalation vulnerability in Oracle VirtualBox, a popular virtualization software. Here are the steps used to discover and exploit this issue. MORE

💭 Quote

I’m old enough to remember when the Internet wasn’t a group of five websites, each consisting of screenshots of text from the other four.

Tom Eastman

🛠 Tools and Media

Subscribe to the Hive Five to read the rest.

Become a paying subscriber of the Hive Five to get access to this post and other subscriber-only content.

Already a paying subscriber? Sign In

A subscription gets you:
Join a private Discord COMMUNITY: Engage in chat, uplift one another, grow together, and explore shared interests.
Access to COMPLETE HIVE ARCHIVE: Unlock a treasure trove of tools, resources, videos, and audio, catering to all your needs.
EXCLUSIVE & BONUS content: Delve into hundreds of curated links that didn't make it into the newsletter.
Experience continuously added NEW BENEFITS.