🐝 Hive Five 175 - Search is dead — long live curation

Hi friends,

Greetings from the hive!

Spent the entire weekend outside. Doing yard work and watching family play. Grateful.

Let's take this week by swarm!

🐝 The Bee's Knees

1. Deep links on Android can lead to security issues if not set up and validated properly, such as allowing malicious URLs to be loaded in WebViews or enabling cross-app attacks through intents. MORE

2. The emerging golden age of home-cooked software, barefoot developers, and why the local-first community should help build it. MORE

3. Omakub is a tool that automates the process of setting up a fully-configured, modern web development environment on a fresh Ubuntu installation, eliminating the need for manual configuration of essential tools. MORE

4. "GraphQL is the New PHP" explores how bug bounty hunters can find security issues in GraphQL, drawing parallels to early PHP days. The talk shares tips and tricks to help identify vulnerabilities. MORE

5. How a Single Vulnerability Can Bring Down the JavaScript Ecosystem. The article discusses the details of the cache poisoning attack on npm and explores its potential impact on the broader software ecosystem. MORE

Hive Five is a weekly newsletter with the best of technology and security, thoughtfully curated, read by thousands of hackers. Do you have a product or service to promote? Find out more about advertising in Hive Five.

Hive Five is brought to you by:

📰 Updates

➡️ Continue reading online to avoid email cutoff

🍯 My work

✅ Changelog

1. DuckDB 1.0.0 is released. MORE

2. reconFTW v2.9 release is an automated reconnaissance tool that runs a set of best tools to scan a target domain and find vulnerabilities. MORE

📅 News

1. Mozilla is investing in the next generation of GenAI security with the 0Day Investigative Network (0Din) by Mozilla, a bug bounty program for large language models (LLMs) and other deep learning technologies. MORE

2. Ethiack welcomes renowned AI security expert rez0 as their new advisor to advance AI Offensive Security. MORE

3. Microsoft provides an update on the Recall (preview) feature for Copilot+ PCs, including details on setup, privacy controls, and security approach. MORE

4. Bartender, a popular MacOS utility, was recently sold, concerning users about the future of the tool and its development. MORE

5. Google has leaked sensitive user data, including children's voice recordings, carpoolers' home addresses, and YouTube recommendations based on deleted watch history, according to an internal database. MORE

💼 Work

➡️ Continue reading online to avoid email cutoff

💰 Career

1. Learn how to get your first GovTech role without a degree. MORE

2. Improve your 1:1 meetings by shifting the ownership to the employee and focusing on asking good questions rather than providing directions. MORE

3. Kasey's Early-Career Advice for Graduates: Location > Company/Role, Networking, and more. MORE

🚀 Productivity

1. Omakub is an opinionated tool that streamlines the process of setting up a Ubuntu-based web development environment with essential tools and configurations in a single command. MORE

2. LlamaFS is a self-organizing file manager. It automatically renames and organizes your files based on their content and well-known conventions (e.g., time). MORE

3. gh-dash is a GitHub (gh) CLI extension to display a dashboard with pull requests and issues by filters you care about. MORE

4. Johnny.Decimal is a system to organize your life, helping you find things quickly, with more confidence and less stress. MORE

5. Vim motion "diw" deletes the word under the cursor, while "diW" deletes the WORD (space-separated text) under the cursor. MORE

🌎 Community

➡️ Continue reading online to avoid email cutoff

🎉 Celebrate

1. Dawgyg is getting into bug bounty again. Welcome back! MORE

2. Nahamsec has reached a significant milestone of 130,000 subscribers on his YouTube channel. Let's go! MORE

3. Justin is presenting two content pieces at the DEFCON Bug Bounty Village: a "Top War Stories from a TryHard Bug Bounty Hunter" talk and a "High ROI Manual Bug Hunting Techniques" workshop. Congrats! MORE

4. g0lden will be speaking at DEFCON as well in August. Woot! MORE

⚡️ Highlights

1. These survey questions will form the answers to the Feet Feud contest being held at DEF CON 32 this year. MORE

2. AI chatbots are intruding into online communities where people are trying to connect with other humans. MORE

3. Marcus quits his job and returns to YouTube, continuing his content creation journey. MORE

4. James reporting that it appears that it is becoming increasingly difficult to publicly disclose bug bounty reports or reference them in presentations. MORE

💛 Follow
Awesome accounts to follow. Randomly selected from my curated Twitter lists.

1. @kapytein | Nadir | Web & mobile app security, and software engineering. Participates on bug bounty programs.

2. @_superhero1 | superhero1 | Create educational content on IT security, CTFs & BugBounty.

3. @atul_hax | Atul | I attach a debugger and (cry|rant|yell|bang my head|you name it) until I have a exploitable bug.

4. @lexfridman | Lex Fridman | Host of Lex Fridman Podcast. Research Scientist at MIT. Interested in robots and humans.

5. @hackermaderas | ΜΔDΞRΔS | Home of CyberpunkisNow. Hacker, researcher, writer.

⬆️ Level up

📰 Read

1. The Android Red Team presented a detailed analysis and exploitation of CVE-2023-20938, a use-after-free vulnerability in the Android Binder device driver, at OffensiveCon. MORE

2. CVE-2024-4577 is a PHP-CGI argument injection vulnerability that allows for remote code execution. This vulnerability affects XAMPP for Windows by default, allowing unauthenticated attackers to execute arbitrary code on remote XAMPP servers through specific character sequences. MORE

3. Zoom Session Takeover - Cookie Tossing Payloads, OAuth Dirty Dancing, Browser Permissions Hijacking, and WAF abuse. MORE

4. Cool URIs don't change. A cool URI is one that remains constant, as URIs are changed by people, not inherently. MORE

💡 Tips

1. "Read the code, find the bugs, and put in the work." MORE.

2. Content consumption often outpaces content creation, but the curation method can help kickstart your creative journey: collect, curate, create. MORE

3. Aaditya on inaction vs incompetence: "Stop caring, start sucking." MORE

🧠 Wisdom

1. Ask HN: What was your most humbling learning moment? Most upvoted response: "Learning that some folks can produce so much value with crappy code." MORE

2. Most people stop learning after graduation, but setting up constant learning is crucial for success, even when busy. MORE

3. Developing effective daily habits can be transformative. This video discusses practical strategies to create sustainable changes in your routine. MORE

4. Jack Dorsey, co-founder and former CEO of Twitter, discusses the power of open-source technology. MORE

5. Our modern lifestyle has detached us from the natural rhythms and practices that were once integral parts of daily life, like probiotics and physical activity. MORE

📚 Resources

1. Awesome Search Queries is a community curated list of search queries for various products across multiple search engines. MORE

2. Exploit Notes is a repository that provides sticky notes on hacking techniques and tools for penetration testing, bug bounty, and CTF challenges. MORE

3. Progress Telerik Report Server pre-authenticated RCE chain (CVE-2024-4358/CVE-2024-1800). MORE

4. Orange Tsai discovered a vulnerability in XAMPP's default configuration, which could allow remote code execution. The vulnerability has been assigned CVE-2024-4577. MORE

5. Slides for a talk by corgi: Leveraging OSINT for Offensive Security. MORE

💭 Quote

🛠 Explore

🧰 Tools

1. tidcli is a command-line tool that provides a simple interface to trigger the macOS TouchID authentication prompt. MORE

2. Scalpel is a Burp Suite extension that enables scripting, intercepting, and rewriting HTTP traffic, as well as creating custom Burp editors in Python. MORE

3. TotalRecall is a simple tool that extracts and displays data from the Recall feature in Windows, providing an easy way to access information about your PC's activity snapshots. MORE

4. gitscraper is a tool that scrapes GitHub repositories and individual files for common naming conventions in variables, folders and files, which can be used for fuzzing purposes. MORE

5. lsix is a command-line tool that displays thumbnails of image files in the terminal using sixel graphics, similar to the "ls" command. It supports various image formats and shell wildcards, allowing for easy browsing of image directories. MORE

🎥 Watch

1. Scanning a large infrastructure is super interesting especially when you are approaching a large organization to look for the same pattern of mistakes. MORE

2. Brandon Reynolds, an expert hacker, demonstrates how he optimizes his experience on the Bugcrowd platform to find and report bugs in hardware and IoT systems. MORE

3. Exploring the Apollo 1 fire using NotebookLM, Google's personalized research assistant, by loading 200,000 words of NASA transcripts and Steven's reading notes since 1999. MORE

4. Hussein's talk on Attacking organizations with big scopes: from zero to hero. MORE

🎵 Listen

1. Joseph Cox shares the story of ANOM, a secure phone created by criminals for criminal activities, as detailed in his book "Dark Wire". MORE

2. Yung Singh performing live at Boiler Room: Melbourne. MORE

3. This special episode of The Mindful Business Security Show is the first in a multi-part series about starting a business, featuring Accidental CISO and Joe Brinkley, a business owner, content creator, and cybersecurity consultant. MORE

4. Psychiatrist Phil Stutz Knows What’s Wrong With You & Has The Tools To Fix It. MORE

🌐 Technology

1. Search is dead — long live curation. Google has shifted focus from traditional web search to AI-powered curation. MORE

2. "Local-first software" empowers users with data ownership, offline access, and cross-device collaboration, addressing issues of security, privacy, and long-term preservation. MORE

3. How Git Works e-zine explains git’s core concepts (commits! branches! merging! remotes!) with minimal jargon and a focus on the actual problems that can ruin your day. MORE

4. Kati gives a comprehensive recap of PyCon US 2024, highlighting key takeaways and insights from the conference. MORE

5. Promises are a fundamental concept in JavaScript, requiring a deep understanding of the language's limitations. Mastering Promises is crucial for JavaScript proficiency. MORE

🔑 Visit

1. BookFinder is a comprehensive e-commerce search engine that allows users to find new, used, rare, out-of-print, and textbooks from over 150 million books. MORE

2. Cry Once a Week encourages visitors to set aside time each week to embrace and express their emotions through crying. The website aims to normalize and destigmatize the act of crying as a healthy and beneficial practice. MORE

3. Gaming mom crushes Call of Duty players while holding her baby. MORE

Until next week, take care of yourself and each other,

Bee 🐝

This newsletter may contain affiliate links that support its costs. These links lead to tools, courses, and resources that I've personally found helpful.