Hive Five 175 - Search is dead – long live curation
Cool URIs don't change, The Power of Open-Source, Local-first software movement, and more...
Hi friends,
Greetings from the hive!
Spent the entire weekend outside. Doing yard work and watching family play. Grateful.
Let's take this week by swarm!
The Bee's Knees
Deep links on Android can lead to security issues if not set up and validated properly, such as allowing malicious URLs to be loaded in WebViews or enabling cross-app attacks through intents. MORE
The emerging golden age of home-cooked software, barefoot developers, and why the local-first community should help build it. MORE
Omakub is a tool that automates the process of setting up a fully-configured, modern web development environment on a fresh Ubuntu installation, eliminating the need for manual configuration of essential tools. MORE
"GraphQL is the New PHP" explores how bug bounty hunters can find security issues in GraphQL, drawing parallels to early PHP days. The talk shares tips and tricks to help identify vulnerabilities. MORE
How a Single Vulnerability Can Bring Down the JavaScript Ecosystem. The article discusses the details of the cache poisoning attack on npm and explores its potential impact on the broader software ecosystem. MORE
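The Android deep-link item above boils down to one decision: what check runs on an incoming URL before it reaches `WebView.loadUrl`. The following is an added example, not code from the linked article; it is written in Python so the parsing logic stands on its own, and the same comparison applies to the `Uri` an Android app pulls out of `Intent.getData()`. The hostnames in the allowlist and the sample payloads are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed allowlist for this example; a real app would hold its own hosts.
ALLOWED_HOSTS = {"trusted.example", "app.trusted.example"}
ALLOWED_SCHEMES = {"https"}


def naive_is_safe(url: str) -> bool:
    """The check that leads to the bug: a string-prefix test on the raw URL."""
    return url.startswith("https://trusted.example")


def is_safe_for_webview(url: str) -> bool:
    """Parse first, then compare scheme and the exact hostname with an allowlist.

    urlparse(...).hostname strips userinfo and port and lowercases the host,
    so the tricks that fool the prefix check (userinfo, look-alike suffixes,
    case changes, non-https schemes) are all judged on the real target host.
    """
    try:
        parts = urlparse(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    if parts.scheme not in ALLOWED_SCHEMES:
        return False  # rejects javascript:, file:, intent:, content:, http:
    host = parts.hostname
    return host is not None and host in ALLOWED_HOSTS


# Constructed deep-link payloads an attacker could hand to the app.
SAMPLES = [
    "https://trusted.example/account",      # legitimate
    "https://TRUSTED.EXAMPLE/account",      # same host, different case
    "https://trusted.example.evil.com/",    # look-alike suffix
    "https://trusted.example@evil.com/",    # userinfo trick: real host is evil.com
    "javascript:alert(document.cookie)",    # script scheme, runs in the WebView origin
    "file:///data/data/com.example/shared_prefs/secrets.xml",  # app-private file
]


def compare(urls=SAMPLES) -> list[tuple[str, bool, bool]]:
    """Return (url, naive verdict, hardened verdict) for each sample."""
    return [(u, naive_is_safe(u), is_safe_for_webview(u)) for u in urls]


if __name__ == "__main__":
    print("naive hard  url")
    for url, naive, hardened in compare():
        print(f"{naive!s:5} {hardened!s:5} {url}")
```

The prefix test both over-matches (the suffix and userinfo cases pass) and under-matches (the upper-case legitimate host fails); the parsed comparison gets all six right. Parsing the URL before deciding is the whole point; any check that looks at the unparsed string is a bypass waiting to happen.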
With a modest contribution of just $8.25 per month, you're not only helping keep Hive Five going, but you're also getting access to a private Discord community, the complete Hive Archive, exclusive & bonus content, and a range of other benefits.
Hive Five is a weekly newsletter with the best of technology and security, thoughtfully curated, read by thousands of hackers. Do you have a product or service to promote? Find out more about advertising in Hive Five.
Hive Five is brought to you by:
tmux is a terminal multiplexer. It lets you switch easily between several programs in one terminal, detach them (they keep running in the background) and reattach them to a different terminal. Give it a try.
Updates
My work
What do you watch or listen to while hacking?
The Notorious B.E.E. (@securibee), Jun 8, 2024
Changelog
News
Mozilla is investing in the next generation of GenAI security with the 0Day Investigative Network (0Din) by Mozilla, a bug bounty program for large language models (LLMs) and other deep learning technologies. MORE
Ethiack welcomes renowned AI security expert rez0 as their new advisor to advance AI Offensive Security. MORE
Microsoft provides an update on the Recall (preview) feature for Copilot+ PCs, including details on setup, privacy controls, and security approach. MORE
Bartender, a popular macOS utility, was recently sold, raising concerns among users about the future of the tool and its development. MORE
Google leaked sensitive user data, including children's voice recordings, carpoolers' home addresses, and YouTube recommendations based on deleted watch history, according to a leaked internal database of privacy incidents. MORE
Work
Career
Learn how to get your first GovTech role without a degree. MORE
Improve your 1:1 meetings by shifting the ownership to the employee and focusing on asking good questions rather than providing directions. MORE
Kasey's Early-Career Advice for Graduates: Location > Company/Role, Networking, and more. MORE
Productivity
Omakub is an opinionated tool that streamlines the process of setting up a Ubuntu-based web development environment with essential tools and configurations in a single command. MORE
LlamaFS is a self-organizing file manager. It automatically renames and organizes your files based on their content and well-known conventions (e.g., time). MORE
gh-dash is a GitHub (gh) CLI extension to display a dashboard with pull requests and issues by filters you care about. MORE
Johnny.Decimal is a system to organize your life, helping you find things quickly, with more confidence and less stress. MORE
Vim motion "diw" deletes the word under the cursor (a run of letters, digits and underscores), while "diW" deletes the WORD under the cursor (any run of non-blank characters, so punctuation is included). MORE
Community
Celebrate
Dawgyg is getting into bug bounty again. Welcome back! MORE
Nahamsec has reached a significant milestone of 130,000 subscribers on his YouTube channel. Let's go! MORE
Justin is presenting two sessions at the DEF CON Bug Bounty Village: a "Top War Stories from a TryHard Bug Bounty Hunter" talk and a "High ROI Manual Bug Hunting Techniques" workshop. Congrats! MORE
g0lden will be speaking at DEF CON as well in August. Woot! MORE
Highlights
These survey questions will form the answers to the Feet Feud contest being held at DEF CON 32 this year. MORE
AI chatbots are intruding into online communities where people are trying to connect with other humans. MORE
Marcus quits his job and returns to YouTube, continuing his content creation journey. MORE
James reports that it appears to be getting increasingly difficult to publicly disclose bug bounty reports or to reference them in presentations. MORE
Follow
Awesome accounts to follow. Randomly selected from my curated Twitter lists.
@kapytein | Nadir | Web & mobile app security, and software engineering. Participates on bug bounty programs.
@_superhero1 | superhero1 | Create educational content on IT security, CTFs & BugBounty.
@atul_hax | Atul | I attach a debugger and (cry|rant|yell|bang my head|you name it) until I have an exploitable bug.
@lexfridman | Lex Fridman | Host of Lex Fridman Podcast. Research Scientist at MIT. Interested in robots and humans.
@hackermaderas | ΞΞDΞRΞS | Home of CyberpunkisNow. Hacker, researcher, writer.
Level up
Read
The Android Red Team presented a detailed analysis and exploitation of CVE-2023-20938, a use-after-free vulnerability in the Android Binder device driver, at OffensiveCon. MORE
CVE-2024-4577 is an argument injection vulnerability in PHP running in CGI mode on Windows that allows remote code execution. It affects XAMPP for Windows in its default configuration, letting unauthenticated attackers execute arbitrary code on exposed XAMPP servers by sending specific character sequences. MORE
Zoom Session Takeover - Cookie Tossing Payloads, OAuth Dirty Dancing, Browser Permissions Hijacking, and WAF abuse. MORE
Cool URIs don't change. A cool URI is one that remains constant, as URIs are changed by people, not inherently. MORE
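For the CVE-2024-4577 item above (the same bug also appears under Resources), a defender mostly wants to spot probes in access logs. The following is an added example, not code from the linked write-up or from PHP. It relies on two facts from the public advisory rather than from this page: a CGI server passes the query string to the script as argv only when it contains no literal "=", so the probe encodes "=" as %3d; and on Windows under certain locales (the advisory lists Chinese and Japanese code pages) the best-fit conversion rewrites the soft hyphen byte 0xAD to "-", turning %ADd into a php-cgi "-d" option. The log lines are constructed for the example; the log format and the regexes are assumptions about a combined-style access log.

```python
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Constructed web-server access-log lines for this example; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Jun/2024:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.9 - - [08/Jun/2024:10:01:03 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 1024
203.0.113.9 - - [08/Jun/2024:10:01:04 +0000] "POST /test.php?%ADd+cgi.force_redirect%3d0+%ADd+cgi.redirect_status_env%3d1 HTTP/1.1" 200 1024
198.51.100.7 - - [08/Jun/2024:10:01:05 +0000] "GET /search.php?q=%C2%ADsoft-hyphen HTTP/1.1" 200 300
"""

# Assumed request-line shape inside a combined-style log entry.
_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')

# After percent-decoding, a soft hyphen (0xAD) at the start of a '+'-separated
# argument is what best-fit mapping turns into the '-' of a php-cgi option.
_OPTION_AT_ARG_START = re.compile(rb"(?:^|\+)\xad[A-Za-z]")


def is_cve_2024_4577_probe(query: str) -> bool:
    """True when the query string would reach php-cgi as argv with a 0xAD option."""
    if "=" in query:
        # A literal '=' means the CGI server will not split the query into argv,
        # so a soft hyphen inside ordinary form data (q=%C2%AD...) is harmless.
        return False
    return _OPTION_AT_ARG_START.search(unquote_to_bytes(query)) is not None


def php_cgi_argv(query: str) -> list[str]:
    """What php-cgi would see once best-fit mapping has rewritten 0xAD to '-'."""
    raw = unquote_to_bytes(query).replace(b"\xad", b"-")
    return [arg.decode("latin-1") for arg in raw.split(b"+")]


def scan_log(text: str) -> list[dict]:
    """Return one record per request that looks like a CVE-2024-4577 probe."""
    hits = []
    for line in text.splitlines():
        m = _REQUEST.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        if is_cve_2024_4577_probe(query):
            hits.append({
                "ip": line.split(" ", 1)[0],
                "target": m.group("target"),
                "argv": php_cgi_argv(query),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["argv"])
```

Two of the four constructed lines are flagged; the second of them (forcing cgi.force_redirect and cgi.redirect_status_env) is the kind of probe that precedes the php://input payload. The fourth line carries a UTF-8 soft hyphen in ordinary form data and is correctly ignored because of the literal "=". A hit means someone sent the probe, not that it worked: the rewrite only happens on Windows hosts running PHP as CGI under an affected locale, so confirm the server configuration before escalating.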
Tips
Wisdom
Ask HN: What was your most humbling learning moment? Most upvoted response: "Learning that some folks can produce so much value with crappy code." MORE
Most people stop learning after graduation, but setting up constant learning is crucial for success, even when busy. MORE
Developing effective daily habits can be transformative. This video discusses practical strategies to create sustainable changes in your routine. MORE
Jack Dorsey, co-founder and former CEO of Twitter, discusses the power of open-source technology. MORE
Our modern lifestyle has detached us from the natural rhythms and practices that were once integral parts of daily life, like probiotics and physical activity. MORE
Resources
Awesome Search Queries is a community curated list of search queries for various products across multiple search engines. MORE
Exploit Notes is a repository that provides sticky notes on hacking techniques and tools for penetration testing, bug bounty, and CTF challenges. MORE
Progress Telerik Report Server pre-authenticated RCE chain (CVE-2024-4358/CVE-2024-1800). MORE
Orange Tsai discovered a vulnerability in XAMPP's default configuration, which could allow remote code execution. The vulnerability has been assigned CVE-2024-4577. MORE
Slides for a talk by corgi: Leveraging OSINT for Offensive Security. MORE
Quote
"To sin by silence, when we should protest, makes cowards out of men." (Ella Wheeler Wilcox)
Explore
Tools
tidcli is a command-line tool that provides a simple interface to trigger the macOS TouchID authentication prompt. MORE
Scalpel is a Burp Suite extension that enables scripting, intercepting, and rewriting HTTP traffic, as well as creating custom Burp editors in Python. MORE
TotalRecall is a simple tool that extracts and displays data from the Recall feature in Windows, providing an easy way to access information about your PC's activity snapshots. MORE
gitscraper is a tool that scrapes GitHub repositories and individual files for common naming conventions in variables, folders and files, which can be used for fuzzing purposes. MORE
lsix is a command-line tool that displays thumbnails of image files in the terminal using sixel graphics, similar to the "ls" command. It supports various image formats and shell wildcards, allowing for easy browsing of image directories. MORE
WAF blocked your Netflix? Get $200 to try DigitalOcean, the go-to for all my recon, automation, and VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.
Watch
Scanning a large infrastructure is super interesting, especially when you are approaching a large organization to look for the same pattern of mistakes. MORE
Brandon Reynolds, an expert hacker, demonstrates how he optimizes his experience on the Bugcrowd platform to find and report bugs in hardware and IoT systems. MORE
Exploring the Apollo 1 fire using NotebookLM, Google's personalized research assistant, by loading 200,000 words of NASA transcripts and Steven's reading notes since 1999. MORE
Hussein's talk on Attacking organizations with big scopes: from zero to hero. MORE
Listen
Joseph Cox shares the story of ANOM, a secure phone created by criminals for criminal activities, as detailed in his book "Dark Wire". MORE
Yung Singh performing live at Boiler Room: Melbourne. MORE
This special episode of The Mindful Business Security Show is the first in a multi-part series about starting a business, featuring Accidental CISO and Joe Brinkley, a business owner, content creator, and cybersecurity consultant. MORE
Psychiatrist Phil Stutz Knows What's Wrong With You & Has The Tools To Fix It. MORE
Technology
Search is dead – long live curation. Google has shifted focus from traditional web search to AI-powered curation. MORE
"Local-first software" empowers users with data ownership, offline access, and cross-device collaboration, addressing issues of security, privacy, and long-term preservation. MORE
How Git Works e-zine explains git's core concepts (commits! branches! merging! remotes!) with minimal jargon and a focus on the actual problems that can ruin your day. MORE
Kati gives a comprehensive recap of PyCon US 2024, highlighting key takeaways and insights from the conference. MORE
Promises are a fundamental JavaScript concept, and mastering them requires a deep understanding of the language's limitations. Getting Promises right is crucial for JavaScript proficiency. MORE
Visit
BookFinder is a comprehensive e-commerce search engine that allows users to find new, used, rare, out-of-print, and textbooks from over 150 million books. MORE
Cry Once a Week encourages visitors to set aside time each week to embrace and express their emotions through crying. The website aims to normalize and destigmatize the act of crying as a healthy and beneficial practice. MORE
Gaming mom crushes Call of Duty players while holding her baby. MORE
The Hive Five is for the curious ones. The rebels. The hackers. The ones who see life not as it is, but as it could be.
Share the newsletter with others like us who want to hack a life they love.
Until next week, take care of yourself and each other,
Bee π
This newsletter may contain affiliate links that support its costs. These links lead to tools, courses, and resources that I've personally found helpful.