
🐝 Hive Five 174 - Dominate with LLMs: The Insider Playbook

Hacking Millions of Modems, Google's search algorithm leak, Kingpin hacks time to recover millions of Bitcoin, and more...

Hi friends,

Greetings from the hive!

Most people don't grasp the constant forces pushing them to consume. Me included. These forces are like tides pulling us along without our noticing. One is that everything is now designed for the car. In the US, cities have been remade around cars rather than humans. That's why you seldom see people walking or biking anywhere.

Another is digital media being reorganized into bite-sized pieces and utterly sensationalized. TikTok's short videos are the new norm. It's the opposite of books or long articles that inspire real thought.

And let's not overlook the profit motive behind all of this. There are whole armies of people trying to get us hooked on unhealthy food, streaming services, you name it.

That's why it's more important than ever to be keenly aware of what you consume and to be highly intentional about it. Curate your consumption, or be its slave.

I know it’s hard. Choose your hard.

Let's take this week by swarm!

🐝 The Bee's Knees

  1. The discovery and exploitation of a Stored XSS -> RCE vulnerability in a popular Electron-based Note App with over 8 million users. It covers the entire process, from auditing sources to dynamically debugging Electron. MORE

  2. In the first part of this series, the authors share insights from a year of building with LLMs. Discover some crucial, yet often neglected, lessons and methodologies informed by machine learning that are essential for developing products based on LLMs. MORE

  3. Ted Gioia, music historian and writer, discusses our cultural obsession with minimalism and the impact of modern distractions in a thought-provoking interview. MORE

  4. Being effective depends on your capability to take in and process information efficiently. In information work the cardinal sin is to block another team. Here's how: 1) Have a system, 2) Know your role and set expectations, 3) Be proactive, but not formulaic. MORE

  5. Hacking Millions of Modems. Two years ago, Sam discovered that his modem had been hacked, but who was the attacker? MORE

οΈπŸ™ Sponsor

Have a great product or service that would benefit the Hive? Reach an engaged colony of cybersecurity and tech professionals. They're already seeking insanely great tools to stay up-to-date and hack a life they love.

📰 Updates

🍯 My work

✅ Changelog

  1. XnlReveal v3.6 is a Chrome/Firefox browser extension to show alerts for reflected query params, show Wayback archive links for the current path, show hidden elements and enable disabled elements. MORE

  2. Retire.js v5.0.0 is a scanner that detects the use of JavaScript libraries with known vulnerabilities and can generate an SBOM of the libraries it finds. MORE

  3. The CT Log Scanner tool, gungnir, has been updated to version 1.0.9. MORE

  4. DOMPurify 3.1.5 is a fast, tolerant XSS sanitizer for HTML, MathML, and SVG, offering a secure default and high configurability. MORE

📅 News

  1. Google's search algorithm leak. MORE

💼 Work

💰 Career

  1. Jay transitioned from the military to a government contractor role as a Cybersecurity Threat Engineer, earning a 6-figure salary and building wealth for his family. MORE

  2. Andrew Ettinger from Appen discusses community-led growth in enterprise sales, cross-functional understanding, and the evolving role of content and community in the sales process. MORE

  3. TikTok is hiring all levels of Security Engineers in Seattle. MORE

  4. Top 5 LinkedIn Profile Tips for 2024 (backed by data). MORE

  5. People share the software they pay for every month at work despite absolutely hating working with it. MORE

🚀 Productivity

  1. Learn how to turn your iPhone into a "dumb phone" using apps and settings, without needing to buy a new device for simplified screen time. MORE

  2. The most effective mechanism for rolling out No Wrong Door is initiating three-way conversations when asked questions. MORE

  3. This free Lean Starter Vault created by LeanProductivity contains a PARA-based folder structure, templates, pre-defined file classes, required plugins, CSS snippets, and more. MORE

  4. How to use Readwise to enhance your security research. It covers their daily study routine, learning optimization tips, and more. MORE

🌎 Community

⚡️ Community

  1. From Mile One to a Half Marathon: Olivia's Journey in Running. MORE

  2. Hussein started sponsoring joohoi for their work on FFuF and their contributions to the community, describing them as an exceptional person. MORE

  3. STÖK: "Embrace discomfort and uncertainty for personal growth. Challenge yourself to step out of your comfort zone." MORE

  4. jswzl will be at DEFCON32 in two months and will have special stickers to give away. MORE

💛 Follow
Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. @SanderWind | Sander Wind | developer | BugBounty.

  2. @simplebits | Dan Cederholm | Making type and goods Simple Type Co. Co-founder Dribbble. Author, speaker.

  3. @EFF | EFF | We're the Electronic Frontier Foundation. We defend your civil liberties in a digital world.

  4. @caffeinevulns | Sam (caffeine) | Just love coffee and finding vulnerabilities at Synack Red Team.

  5. @engi_arp | Ashish Padelkar | Goa,India.

⬆️ Level up

📰 Read

  1. CVE-2023-39143 is a path traversal vulnerability found in Papercut MF/NG, a print management solution. This particular CVE only affects Windows installations prior to version 22.1.3. With a CVSS score of 8.4, this vulnerability is considered high-risk. MORE

  2. While tools can be helpful in hacking, it's crucial to understand the fundamentals first before relying on them, especially when learning to attack web apps. MORE

  3. Cache Me If You Can: Local Privilege Escalation in Zscaler Client Connector (CVE-2023-41973). MORE

  4. Paged Out #4 is a free experimental technical magazine covering programming, hacking, computers, and more. It's a community-driven, not-for-profit publication. MORE

  5. Getting XXE in Web Browsers (Chrome & Safari) using ChatGPT (Bounty: $28k). MORE

💡 Tips

  1. Progressing from a standing desk to a treadmill under a desk to a weighted backpack with an inclined treadmill under the desk can help maintain physical activity while coding intensively. MORE

  2. A good company engineering blog offers compelling technical content that helps attract top engineering talent. However, many company blogs contain vague, uninteresting fluff instead of useful technical details. Find out what the good ones do. MORE

Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It's my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

🧠 Wisdom

  1. 7 powerful neuro-hacks that will change your life. MORE

  2. The Autobiography of Benjamin Franklin outlines 13 virtues he deemed essential for individual and societal well-being. MORE

  3. Once you've taken care of the basics, there are very few things that are worth putting your life on hold or delaying happiness for. MORE

  4. The key lesson is to cater to enthusiasts and niche audiences rather than trying to appeal to the masses. Serve the obsessives, as the more specialized your content, the more engaged your audience will be. MORE

  5. Being independent can be challenging, but reaching out and connecting with others can significantly improve one's life. Collaborative growth is often more fulfilling than the solitary path. MORE

📚 Resources

  1. Digital ads are a multi-billion dollar industry used in marketing, elections, and influence operations. This guide provides a comprehensive overview for investigating digital ad libraries. MORE

  2. The ars0n-framework (on hold) is a collection of scripts developed by rs0n to automate common Bug Bounty hunting tasks. MORE

  3. This repository provides resources for offensive CI/CD security research, including tools, techniques, and case studies. MORE

  4. mXSS (mutation cross-site scripting) is a security vulnerability that arises from the way HTML is handled. Even if a web application has strong filters in place to prevent traditional XSS attacks, mXSS can still sneak through. MORE

💭 Quote

❝

“Because you might as well be dead. Seriously, if you always put limits on what you can do, physical or anything else, it’ll spread over into the rest of your life. It’ll spread into your work, into your morality, into your entire being. There are no limits. There are plateaus, but you must not stay there, you must go beyond them. If it kills you, it kills you. A man must constantly exceed his level.”

Bruce Lee

Here's to the curious ones. The rebels. The hackers. The ones who see life not as it is, but as it could be.

Share the Hive Five newsletter with the doers, those who want to hack their way to a life they love.

🛠 Explore

🧰 Tools

  1. Misanthro.py is a tool that automates the process of identifying and exploiting these vulnerabilities by injecting payloads into HTTP headers, cookies, and GET/POST parameters. MORE

  2. nowafpls is a Burp Plugin to Bypass WAFs through the insertion of Junk Data. MORE

  3. This repository contains a Python script that exploits a vulnerability (CVE-2024-21683) to achieve RCE. MORE

  4. Here are some underrated macOS apps people recommend. MORE

  5. View statistics for any YouTube channel with this tool. MORE

🎥 Watch

  1. BBC's top investigative journalists use open-source investigation techniques to research and verify stories, though some content may be distressing. MORE

  2. Maggie Appleton advises against setting big goals, as they can be demotivating and lead to disappointment. Instead, she suggests focusing on consistent, incremental progress. MORE

  3. The CTO of Maltego discusses how the company's user experience (UX) research shapes the investigative experience on their platform, which centralizes dispersed data access for analysts and investigators. MORE

  4. The video discusses the Glove80, which the creator tried for 100 hours. MORE

  5. Joe "Kingpin" Grand, hardware hacker, computer engineer, and former L0pht member, hacked time to recover $3 million from a Bitcoin software wallet. MORE

🎡 Listen

  1. This episode of the Critical Thinking - Bug Bounty Podcast recaps Nahamcon and discusses WAF bypass tools, sandboxed iFrames, and programs redacting reports. MORE

  2. Unsupervised Learning NO. 434: Can You Articulate Yourself in 50 Words? MORE

  3. How 1Password Uses WASM and Rust for Local First Dev With Andrew Burkhart. MORE

  4. Scott Galloway on Healthy Masculinity, How to Achieve Financial Security, & Why Vulnerability Is Power. MORE

🌐 Technology

  1. GraphQL was once hailed as an incredible technology, but the author is now over it after 6 years of using it in production. MORE

  2. When deciding between company or personal Twitter account for an announcement, consider factors like audience, tone, and overall communication strategy. MORE

  3. Cloudflare suddenly demanded a $120k upfront payment for their Enterprise plan within 24 hours or they would take down the website, despite the company being on their Business plan for years. MORE

  4. 14 of the best papers out of the 2260 papers presented at the 2024 ICLR conference, in 4 sections covering Image Generation, Vision Learning, Extending Transformers, and State Space Models. MORE

  5. Anthropic has made progress in understanding the internal representations of their large language model Claude Sonnet, mapping millions of concepts. This interpretability discovery could, in future, help us make AI models safer. MORE

🔑 Visit

  1. Dana Scully, the female lead character on the TV show The X-Files, inspired many young women to pursue careers in science, medicine, engineering, and law enforcement fields. This phenomenon became known as "The Scully Effect." MORE

  2. YC Group Partner Gustaf Alströmer provides non-obvious advice on effectively talking to current and potential users, running user interviews, and interpreting feedback. MORE

  3. Discover the Ultimate Stonelifting Challenge in Pakistan, an adventure that awaits both physically and mentally. MORE

  4. Fey, a company, has open-sourced their entire vector logo library for free, addressing the hassle of finding quality logos for public companies. MORE

Until next week, take care of yourself and each other,

Bee 🐝

This newsletter may contain affiliate links that support its costs. These links lead to tools, courses, and resources that I've personally found helpful.