MonkeHacks #82

Welcome back to MonkeHacks. Given that it’s LHE season, it’s been very busy with working and other things. The cats are settling in well, although I’m moving soon so they’ll need to re-settle in the new flat. My guitar lessons have been progressing smoothly - I can now do barre chords properly, so it’s just a matter of increasing my repertoire of songs at this point. Steady practice, as with everything else in my life.

I held a poll on X to decide my next project, and the winning option was to learn reverse engineering and take part in Pwn2Own in 2026. I’m interested in pwn as a field, so I’m looking forward to it - in parallel with that, I plan on gradually building my startup and focusing on Google’s VRP for the first few months of next year. Once I’m moved into the new flat, I plan on taking a few days to just… organise my many ongoing projects properly. Those aren’t the only projects I want to do in 2026, but I’ll save those surprises for next year.

Weekly Ideas / Notes 

• I returned to reading this week and made some progress on Founders at Work and How The World Made The West. I was inspired to read Founders at Work when someone - I forget who it was - mentioned Raphael Mudge’s blog, and cited his writing as being very good. You can find the blog here. Mudge is the creator of Cobalt Strike; and I liked what I saw in his “Favourite Books” section, so I’ve decided to read them. I should really just put the books I read on a Goodreads profile and link that instead.

• I gave a talk in Technological University Dublin (TUD) this week to a few dozen students. I met some folks who read this newsletter every week - shoutout to you guys, you were awesome - and I spent two days in Cork afterwards, visiting my family. Cork’s Jazz Festival was happening so it was really busy but I made it anyway, and flew back to Edinburgh on the 26th.

• I’m in the middle of taking part in HackerOne’s latest LHE. The scope and policy is quite unusual, so it’s been an interesting event (in neither a good nor bad way). I’m collaborating with busfactor and rafax. I’m an honorary Brazilian.

• I’m moving into a new flat soon - I ended up not flat-sharing due to logistical problems. I’m betting on the fact that I should be more productive in the new place, to cover the difference in rent. Still well within my means, but it’s never fun to have to fork over more money.

• I wrote a pretty fun script: I moved my To Do List from Apple Reminders to Notion. Why Notion? Well, they have a concept called “databases” for storing items, and a friend of mine helped me to set it up last year (he had a whole side gig on converting companies to Notion). In his "system”, every task is linked to a Project and every Project is linked to a Goal, so the accountability is pretty good. Anyway, I realised that Notion has an API, so I wrote a script that polls my YNAB account for new transactions, then creates a new task in my Notion if there are any actionable items (like categorising or approving transactions, for example). I run it in a DigitalOcean serverless function, although you can easily just run it locally in a cron job. When there’s so much data in these APIs, I want to start pulling them into a universal dashboard soon that I can put somewhere in my apartment to see everything at a glance.

• Getting the cats actually increased my productivity because I’m awake from 6:30am or 7am every day now. I mentioned this last time too, but early starts are a complete gamechanger for productivity. When I have to do some cat-related chores before breakfast every day, it sets the right frame of mind for me to take action rather than procrastinating for a few hours.

• Once the LHE is over I’ll do a new edition of my Bug Bounty Methodology blog post to reformat it and update the content. So as usual, stay tuned!

• My decision to learn pwn might confuse some, but I see it this way: in an age where core skills, like programming, are being replaced by AI, I want to move in the opposite direction and learn skills like pwn from first principles. Why? Well, I foresee a shortage in actual experience coming up in the few years. There’s a dilution of brain cells happening, a huge brain drain - people simply aren’t practicing important skills like programming, and overly relying on LLMs to do it for them. So, in such a world, what’s the most valuable asset? Core skills that allow you to wield these systems more efficiently. The monke stonks shall rise by simply learning, when everyone else’s stonks are falling due to overreliance on LLMs. Why would people pay you if you could just get an LLM to do the same thing? You need to lean into what makes YOU worth hiring. Aim to live a life that compounds with every passing day, not a life that progresses linearly, because in several years that will make all the difference.

Reading List

• Currently:

  • Fiction:

    • Solenoid by Mircea Cărtărescu (130/600 pages)

    • Guards! Guards! by Terry Pratchett

  • Non-Fiction:

    • A Random Walk Down Wall Street by Burton Malkiel (150/300 pages)

    • How The World Made The West by Josephine Crawley Quinn (212/400 pages)

    • Founders At Work by Jessica Livingston (112/472 pages)

• Next on the list:

  • Fiction: Mort by Terry Pratchett

  • Non-Fiction: Day Zero to Zero Day by Eugene Lim (SpaceRaccoon)

Resources

• How a "Fixed" IDOR and an Empty String Led to 5 Million+ File Leaks: My friend Hacktus posted a rare blog post on an IDOR he found.

• DOM Clobbering to CSPT gadget: Castilho found a gadget to escalate certain DOM Clobbering situations into CSPT using a URL parsing gadget.

• Introducing Aardvark: OpenAI’s agentic security researcher: OpenAI launched… a hackbot? The effectiveness remains to be seen.