🤖🤖🤖

John Hammond · Beginner · Cybersecurity · 5mo ago

Key Takeaways

The video covers various topics in cybersecurity, including malware analysis, AI-assisted development, and hacking training, with tools such as Azure, PortSwigger labs, and TryHackMe being demonstrated. The video also touches on AI security, defensive AI, and security basics, with a focus on practical applications and hands-on learning.

Full Transcript

Hello. Hello. Hello internet. Happy Friday. See some folks jumping into the party. How's it going Anton? How's it going made of stardust 6440 Ralph Andre 4438 blocks programming rblx ban s4s etc. [Music] Adam, good to see you again my friend. Bonjour from France. What's going Nicholas? Yes, the number of robot emojis are increasing. Figured that would be part of the fun. Hello everybody. Thank you for coming to hang out. Uh you know we're keeping it easy. You know we're keeping it casual. Uh friendly and cruising. Um Hey, this is the first time that I've been doing the OBS setup for multicasting cuz previously the past few days while we've been streaming we've been on uh Twitch as well as YouTube but I neglected Twitter X and LinkedIn. Um but today we are doing all of them. So I need to do a quick little check. I just need to go look on the interwebs internet airwaves to go see and check in that we are going. Okay, we are going. We are going. I see us on the little Twitters. And I also see us on That's it. I didn't I didn't look yet. I didn't look yet. Andrew Crotty, great to see you my friend. Yes, proof of life. I am alive again. [Laughter] I'm back. Keeping it easy. But I really appreciate you guys joining the party. Okay, cool. Yeah, yeah, yeah. LinkedIn also looks like it's doing a thing. What are we going to do today? Look, you know we'll probably play with our robots a little bit more but I did add X and LinkedIn. If you recall yesterday I was mentioning the fact that Friday Yes, Zodak give me a little bit of time. We will be doing some malware analysis soon. Please let me take take a little bit to get my bearings. Get into the groove of this thing. Cybermatley, great to see you my friend. Yes, also live on LinkedIn and on YouTube. Excellent. Eric Nick, hey this is awesome. I'm so glad everybody is is jumping in. 
So if you were tuning in yesterday, if you were around on YouTube and Twitch, I did try to give a preface a little bit of a precursor that look Friday is when we usually do some just hacking training live streams. And the plan was to do one at 1:00 p.m. today. However, you might know that I've also been on the train with our growing number of robot emojis to keep goofing off and to keep having some more casual fun friendly just not presentation mode John live streams. Um So I get to kind of take it easy, not be as performative, boisterous, and charismatic, and energetic, and enthusiastic but we're going to have to mix it in a little bit for still trying to squeeze in some JHT love. We did want to give everyone the heads up. Look, we still got to make that happen today, Friday, cuz we do that every other Friday. Uh so once we hit the 1:00 time, probably about 9 minutes or so from now Eastern time, I will allow the sweet JHT takeover, just hacking training takeover, and I'll sing the praises of some of the sweet stuff that we've been up to. We'll have links flying around in chat. We'll do that for just a little bit of time. We'll do that for a little quick little anecdote and then we'll get back to nerding out and goofing off. Playing with a robot. Playing with Claude. Doing some AI. I don't want to say vibe code. Everyone's going to give me hate. Everyone's going to give me trouble. AI assisted development. AI assisted programming, okay? All right? We're still the architect. We're still crafting and actually laying out the foundation for the programming the different guardrails that we need and it's good. It's pretty good. So yeah, I apologize. I didn't actually get off and running with the live stream as early as I wanted to today. Time kind of got ahead of me. I did not manage my morning time as well as I should have. So I'm later than I wanted to be going live and we'll be quicker to the jump for the JHT takeover. But we'll have fun with that. 
It'll be a good time. Before we do we might as well jump in. Yep, John giving everything to the big GPT again. That's me. Do you have any insight on yesterday's Microsoft outage? What is Was it a DDoS? No, I don't think so. I don't know. Did they have a root cause analysis going on already for it? I saw some people memeing that it was DNS like everyone tends to. It's always DNS. Hey brother John, which CTF platform do you think has the hardest web exploitation CTF challenges cuz I don't want something dumb. I also want to be a little bit more realistic. Ooh, super good question. Look, you know I'm a fanboy for just hacking training, for hacking hub. Um PortSwigger labs are also very, very good for web exploit stuff. And I'm sure you're going to find yeah, the couple things that you'll see at TryHackMe and Hack The Box. Tons of the great resources. Oh, Cybermatley coming in with the answers. It was an Azure functions exhaustion. Oh, thank you so much for the follow 01_ Appreciate you jumping in joining the party over on Twitch. I'm getting notifications out of band from text messages of friends that are tuning in. Oh. Oh, he this individual asserted something more with more confidence than I expected. I would love to hear that story if you got a little bit more deets person speaking behind the scenes that the rest of the chat can't see. Thank you so much for the subscription 01_ Wow, you're the best. Look, I really appreciate all the support. Yes, this guy is artificially intelligent. That's a good way to put it. Nice. I am super curious. Dude, we should talk about that. I I see more out of band messages. You're distracting. Uh 0651811397, thank you for the follow on Twitch. This is neat. This is fun. Can you show your setup? I mean, not really. You're in a stationary camera. Thank you XJR TTV for the follow. What's going on? What's happening right now? Hey, this is awesome. 
Look I got to be honest in like 5 minutes I'm going to have to go talk about JHT stuff and that's going to be cool and awesome but then we're going to get into the rest of the fun shenanigans. I was whining and complaining already about how how I am late to start streaming today and we already have a ton of stuff to do and we might have to cut it short, truth be told. Yesterday and the day before we were hanging out with our robot friends for maybe like 4 and 1/2 hours which is a long time, not going to lie. [Laughter] Um It was good. It was a lot of fun. I think we're going to keep doing that. I want to keep doing that but that was on just Twitch and YouTube. So thank you so much for the follow. Appreciate you Luca_Grambo. Thank you. Thank you. Thank you. I want to keep doing that. I really do. So I plan to. Thank you silly Arctic Fox for the follow on Twitch. Twitch is going off right now. Hey, let's get to the computer screen because we are going to be doing some shenanigans um while we are booting up. Thank you for the follow. Zackomanolith Zack Zackmonolith. I need to pop out the um alert box so that I can see that a little bit better without needing to turn my head like a weirdo. But where was I? You've distracted me so many Stop. Suds content. Thank you for the follow my friend. We're going to be nerding out in a little bit. First we got to sing the praises. Wow, thank you for the cheer. That was a weird like text to speech. Oh, it did happen with text to speech. You put yo and it said you. Nice. Do we have some shenanigans over on YouTube already? Yo, I like that. Very well done. Thank you for the follow. Okay. We're getting close to the time for the JHT takeover everybody. So I'm going to have to whine about that. And I need you all to behave. I need you all to be on your best behavior. Um Let me pull it up. I don't know if you've been tracking though. 
The last couple of days we have been doing some more fun, friendly, casual, and candid, chill out, relax, John is not in sing-song dog-and-pony show, you know, like presentation mode. It's just been goofing off talking to a robot. Um but this time around, because it's Friday, because it is the usual time when we give JHT some love. Yes, Zakumano will be doing some malware analysis on the live stream. Um that's the plan. Give me a little bit. We got to chat a little bit about Just Hacking Training. Thank you so much for all of the follows. This is super cool. We're having fun. But let me tell you the stuff that's been going on. Let me tell you what we've been up to. I know that I kind of took over our scheduled live stream slot for Just Hacking Training cuz we do this every other Friday. And we kind of sing the praises of the sweet stuff that we've been up to. And we normally get together with a guest, have someone else join the party, show off what they've made, what they've been able to cover, what they're bringing into some more of the training, some more of the material, whether it's courses, whether it's upskill challenges, whether it's hackalong videos. Thank you so much. I appreciate the cheer. Text-to-speech. We've now Now that you've uncovered that, there is going to see we're going to see some strange stuff. You've made a new discovery, Twitch chat. All right, let's see how well I can get through this with all of your sweet distractions. This is a cool new element to a JHT little shout-out, but look, I've been having so much fun kind of streaming just for funsies. Um but we do need to pour in a little bit of the fun stuff for Just Hacking Training. I really appreciate the rest of the team, and we got to chat with them. I was speaking and saying like, "Look, I've been live streaming, and I really want to keep this going. Like, this is a fun train for me cuz it feels good to keep getting content out in a more casual, relaxed way. 
Different kind of change of pace. Um but we still wanted to mix in Just Hacking Training love. So, let me cruise through this. It's going to be quick. It's going to be speedy. I want to give you a heads-up on what we're up to. justhacking.com, of course, is our HQ. You'll be able to see everything that we've been up to. Let me get to the sweet uh events page because that will let you drill down to the other live streams that we've done in the usual more formal format. Um Oh, there's a real There's a real straight-up section here. They called me out. They Thanks. Thanks, team. Yeah, John's been pilled. John's totally AI pilled. It's super embarrassing. Hours-long live streams have been ruining him. We're going to keep doing that. We're going to keep goofing off and talking with our robots, but giving some love to the live streams that we traditionally do at these times. I think have some fun maybe mixing and matching these depending on how well uh we do with this. But you can see the format here, right? It's normally Hey, we get a lot of great people together. We're chatting about what we're up to. We're digging into OSINT. We're digging into Active Directory. We're talking about malware. We're cutting up the dark web. There is so much good stuff. And that's why we're uh real, real, real big fans of what we're all up to here. Um you can drill down to see all of those related ones on that page, and of course, be linked to them on YouTube. Of course, we'll always have the VOD. This is always recorded. You can still drown like I was going to say drill down, but then I got the word drown first, and that might not have been the one that I wanted to start with. We'll be at a lot of events this year. I'm a little heartbroken I'm not going to make it out to District Con tomorrow. Um actually, I posted on Twitter. If anyone really is available and able to get to District Con, we've got a ticket. Um hit me up. Please reach out. 
Uh my wife is like, "Can we please get rid of this money back?" So, we're having fun. Do you still have a full-time job? Yes, this is it. I still have three full-time jobs simultaneously. You're here. You're the job, guys. Um take another look at everything else that I got to showcase. I think we can give some love to the new material that was been out the door recently because when we do these live streams every other week, we know we work with the cadence, and you might have seen it for the sizzle reel that we play and get a little of sweet hype and momentum for it. Just Hacking Training releases courses usually every first week of the month, and then new extracurricular training like oh, the hackalongs or capture the flag of material or free upskill challenges in the third week of the month. So, it is the third week of the month, and we do have some non-course content to help spread the love and spread the word on. This is kind of cool. Can I please say and trust me, we're going to get to the real real fun shenanigans a bit later, but I do want to keep cruising through all the awesome stuff that Just Hacking Training's been up to. The upskill challenges that are the free, totally small and digestible like bite-size, maybe 10-30 minutes, just one single page kind of walk-through, write-up, and read-through on everything that you're up to. Some of the sweet stuff that we've been able to get out the door that I'm super stoked about cuz these are from very good, close friends of mine. A home lab. Setting up your own home lab environment and range, um this guides you through it a little bit better, and it's coming from Joram. Joram Steif. Great, great friend of mine, and it's totally free. 
Uh Joram has a lot of sweet, big plans to actually build this out to a much larger home lab, home range environment, to have a full course realistically on building out like specific lab features for cybersecurity learners, for cybersecurity researchers, for doing malware analysis in a smart and safe way in your own sandbox, in your own home lab. So, stoked to get that one up and running, and really, really happy that Joram was willing to join the party. Uh this upskill challenge on its own is totally free along with all of the others. That's the point of the upskill challenge. And fun fact, if I may say, we are at 43 upskill challenges. We are at over 40 free upskill challenges. So, they're simple, they're easy. You can dive in, you can jump in the party. It's just something accessible, something bite-size and digestible. But another one we got out the door was uh Nmap. And this will be one of many for sort of a pen testing for the masses series, which we're pretty hyped up about because you might have noticed we've been pouring a lot into the blue team direction, and we know we still going to give some love to the red team like offensive security. We've got Windows malware development that we'll talk a little bit about in the future. We've got a little bit more like network pen testing in the works, etc., etc. But Gizmo, big shout-out. They were actually uh Oh, thank you so much for the cheer. Heck yeah. Arf. Arf. We got you. Thanks. Thanks for that. I like the dog arf. This is the best. This is the This is the greatest way to do a JHT live stream. Look, uh Nmap, we're super duper stoked for another quick uh opportunity to get a little bit more upskilled with some free and accessible material. And big shout-out, big love to Gizmo for kicking the door in to be able to get this party started with pen test for the masses starting things off with Nmap. So, big, big love, big, big shout-out all on that front. But look at these 43 upskill challenges, completely free. 
That's freaking awesome, okay? Let me get excited about that. Whatever happened to just taking pride in your work? Whatever happened to just being allowed to love the incredible material that the team is putting together? I think it's awesome. Next up, let me tell you about some of the sweet other little opportunities, and then I think we're just about closing out. I think we'll get to some nerd stuff and goofing off with the robots in a little bit. Con Def 2026. This is the latest hotness, and I appreciate it. I take comfort in it. resonates with me because Anton is just as AI pilled as I am. If not more. Thank you so much for the follow, Muhammad Adeel 927. Really appreciate you. So, the Constructing Defense 2026 edition includes what we're calling the AI teaching assistant because you basically have a safe and secure running locally on your own instance MCP server to dig into all of the content so that you can just chat with the like LLM AI system to get a good understanding of like, "Hey, what is this lesson talk about? What does uh com- What part and piece and component here is actually covering maybe some more of the info-stealer malware, maybe some of the tricks that you need to do for detecting that work uh across, of course, their entire ginormous range with range with Azure and AWS and Kubernetes and blue team and red team and purple team sending off different attacks and firing off and making sure you're able to actually detect that?" There's just so much stuff. Anton is a genius. Anton is a wizard, and he's been making some phenomenal stuff. Realistically, we love the fact that this can be a great opportunity to fill in even more things that you might do for certifications and really jump-start your career in cybersecurity with a massive range and lab and environment. You've heard me screaming and shouting about Con Def and constructing defense for the longest time. 
It's just because it is genuinely one of the best things I think we've got here on the shelf with HT. We love all of the courseware instructors and courseware developers and everything that we're getting out the door here, but goodness gracious Anton hit a home run. But you know who else hit a home run? Well, I should say Con Def 2026. I Yeah, the point of that was to say we've got a sweet new launch discount for the end of the month if you want to get 20% off. That's That's the important tidbit. Windows malware development is also what we've been screaming and shouting about and that's David Schloss and his incredible work. Thank you so much for the follow, Joni Torrado. Windows malware development has gone a long way because there was the original start of this saga was part one, right? And that was just shellcode loaders. Hey, getting into a little bit of a generated shellcode, being able to craft some of your own, get a payload working. This is more the red team side of the house, right? This is more offensive security. You're making your own malware. And then we got a little bit more, okay, actual obfuscation techniques, some dynamic analysis. And we actually considered WMD one, two, and three to be the intro path, like the introductory beginner-friendly path. And now David is cruising through like WMD six. We're actually going to end up getting WMD six for the intermediate, more advanced stuff out the door next month. So, we're doing a sweet price drop where all of these, the old-school WMD intro path one through three, are 46% off. Why do we Why do we do that? Why do we Why do we go 46? That's such a strange number. I'm cool with it. Look, anything is great. Anything Anything off is I can't complain. But WMD one on its own is name your price. So, that way you can get things I think for a floor of 40. Minimum price is 40, suggested price is a hundo. 
But I'm hoping a little bit more accessible and much more tactical and much more real-world, hands-on training that you've seen out and about. But you know, Just Hacking Training is a smorgasbord of all of these really cool different directions in cybersecurity. Not all red team, not all blue team, not all one sort of pigeonholed component of the entire industry and landscape. There is a lot for us to dig into. Dark web, opsec, intel, crypto, AI shenanigans. It's cool. It's just good. I'm just happy. I love the fact that we've been able to get this thing in motion and I'm just so grateful for all of your support. So, with that, we're going to have a couple more announcements as we're getting closer and closer to RSA. Let me get to the events page. Because that should come with a really cool course release. Um we are pretty hyped up for COM 2026 RSA. I think we've got a really cool collaboration in the works that I'm not going to leak. I'm not going to spill. I can't tell any secrets out. Not going to kiss and tell. But that is something we're really excited about. So, please do keep an eye on what we're up to. Please do tune into the site, justhacking.com. You know that that's the headquarters. You know that that's HQ and home base. And uh get to Just Hacking. Whoa. RISC architecture is going to change everything. Thanks, Dev Random. That's a good point. I'm super curious. Let me know, how is RISC architecture going to change everything? Drop it in the chat. Hey, thanks so much for the quick segue and opportunity to scream and shout about all the awesome stuff that justhacking.com is up to. You know, it's a it's another baby. It's another project of ours. It's another sweet new endeavor. But we just love seeing it come to life. Can't do without your support. I hope you go check out some of the sweet opportunities at justhacking.com. Forget the noise and get to justhacking.com. Okay. Okay. Okay. Performative presentation mode John is over. Shut down. Let's goof off. 
Thanks so much for hanging out, everybody. Super cool to see JHT in the chat. Let's get to our robots for a little bit. I don't know if folks were tracking what we've been up to in the past couple days. How much time did we give JHT by the way? Like 15 minutes? That's all right. So, we built some of the guardrails to ensure that Claude will be able to operate really well based off of our vision, how we like code, how I like code. So, we're going to be You know what? Let's show you. You know what? Let me show you. Let's Let's get it back on. Let's Let's make it Let's get I'm diving into the action right here. Obsidian has been our home base and I know a lot of people have different opinions about that. But I like the fact that then we could rip through a handful of different markdown files or context, really information for how we want to operate. Oh. Dev Random. 1995 movie quote became reality. ARM is in every device and your love of robots is driven by RISC. True. True. Some sweet questions coming through in the chat though. Hey, why do you use Go lang and not Python on the MCP projects? So, I've been playing with Python for this direction off stream. And I was having a lot of fun with that because Python is my language of choice, right? I feel the most fluent in Python. Like I am able to read and write Python well enough. Uh like that that is just what I would naturally opt for. But because I want a robot AI machine to be inside of a virtual machine in a VM, so it has its own sandbox, I was finding myself trying to work in and out of Python packages, like virtual environments, you know, a VENV, virtual environment, in an annoying way both on my Windows host and then my Linux virtual machine sandbox and being able to spread those out across whatever AI harness I wanted, whether that was Claude, whether that was Codex, whether that was Gemini, whether that was blah, blah, blah. Okay, I'm getting nerd sniped by other messages about the new Telnet bug. 
We Should we Should we get sniped for the Telnet bug? Has anyone seen the Telnet bug? Does anyone know what I'm talking about? Let me Let me go out of the distracting here. Thank you, Santer09, for the subscribe. Thank you. Really appreciate that. Has anyone seen the Telnet crap? Someone shared it with me. I wanted to record a video on this, but maybe we maybe we just give it some love on stream. You're going to laugh so hard if you were not tracking. You are going to love it. It deserves a YouTube video. Oh. Hack the planet. Hack the planet. Thank you, Santer09. Heck yeah. Really appreciate. Okay, let me show you this thing. Brain shorted. Thank you for the follow. We're getting nerd sniped already. Just not even getting any motion forward on what we've been working on. But I got to show you this. Let me set the precedent here. Let me remind everybody. Check the Check your watch. Check the clock. Check the calendar. It's 2026. Okay? And we're chatting a little bit about bugs in Telnet. This is very recent. This is Tuesday. If you're tired of modern-age vulnerabilities and remember the good old times on Bugtraq, I hope you'll appreciate this one. If someone can allocate a CVE, we'll add it in the future release notes. From Simon. Remote authentication bypass in telnetd or the Telnet daemon. The telnetd server invokes /usr/bin/login. Like logging into a session, logging into your shell as you would connect into a host. Uh and let me draw this parallel, right? Folks are used to SSH or the secure shell. When you want to remotely access or get remote control, get a new shell on a remote computer. That was the secure and encrypted rendition of what a lot of folks might be used to in the olden days, back when dinosaurs roamed the earth, of Telnet. Telnet was insecure, plain text, port Shoot, I'm going to I'm going to end up on the hacker jeopardy joke. Port Port 21 is FTP. Port 22 is SSH and port 23 is Telnet. Yeah? Yeah? Dear god. Dear god. Have I ruined my life? 
Have I ruined my reputation? Not that there ever was one to begin with. Port 23 is Telnet. We're still with it. We're still in the clear. The still good, still good, still good. Just had to make sure. I had to double-check. Thank you. Thank you, internet. Flado Taco, great to see you, my friend. Yeah, it's been awful since forever. We all knew, but this bug this this vuln is hysterical. And shout out to the individual who messaged me off on the side while I was streaming and completely nerd sniped me and distracted me once again. But, they were letting me know that this is hysterical. It passes the USER environment variable received from the client as the last parameter. So, if the client connecting in, woo, thank you for the follow, Dumnidache. Thank you for the follow on Twitch. Appreciate you. If the client supplies a carefully crafted USER environment variable value being the string -f root and then passes telnet -a or --login, it'll end up sending this USER environment variable to the server and the client will be automatically logged in as root as they specified, bypassing normal authentication processes. This happens because the telnet daemon server does not sanitize this or actually track the USER environment variable before passing it to login. Login uses the -f parameter to bypass normal authentication. So, that's really funny. That's hysterical. What's in the commit? But, yeah, you literally just prep this variable and then make a connection and that's it. The this These are the four commands to get it running on a little uh a Rama laptop. And once the daemon is running as the server, right? You just connect into it as a client providing that environment variable. I think it's funny. Thank you, JK Digital. Appreciate the follow. This is the commit. What are we looking at right now? 10 years ago. This bug is 10 years old. Does it have a CVE yet? Did someone uh Did someone make a CVE for it yet? 
Potential for other similar vulnerabilities in other variables. On other systems not GNU or Linux, only the remote hostname field. Thank you so much for the follow, purely arbitrary. Only the remote hostname field is of interest. The remote hostname variable is populated in the function telnetd_setup. That's so funny. I'm sorry. I did just want to fall down the rabbit hole for a quick moment to give that the sunlight that it deserved while that was a complete distraction for what we wanted to do. 2026 remote authentication bypass in telnet. [Laughter] Cool. Okie dokie. Whoa. Whoa. Computer. Are we good? Are we good to pivot out? Yeah, we good to Are we good to get back to where we were thinking? So, what we were having robot work on was Golang building up its capability that we could use for other projects and anything else that we might want to use. That would mean we had shared libraries and a real real focus on how I like code to be Look, there're no duplicates. There's no repeated code. There's really a single source of truth for anything that it's working on. Uh and smartly having safe defaults, auto discovery, maybe different directories or folders. Hey, thank you, Dr. Giblets. Appreciate you. And that was pretty valuable, in my opinion, because we basically, after setting these guardrails of the style that we like, the design and development principle and philosophies, like all of that basically let us speak into existence what we wanted and then it worked just fine. Thank you, Hayden Jake. Appreciate the follow. Uh chat, hey, great to see you again, Integrity War Towards Righteous. I'm glad you're back. NS Username, so glad you're here. Yeah, I think we're going to keep chipping away at to go validate and make sure the secrets manager that we built yesterday is working the way that it should because I think we left off where it running in the foreground worked like butter, super smooth. Running in the background as a daemon, it still missed. 
And I'm wondering how we really approach that in a better way. Let me uh now take the moment to pop out the alert box for my side and my face so I know what the heck we're doing. But, you'll see a lot of our sort of guidelines, North Star, real uh kind of again, just context and information for robot to be able to dig into this. And I think we can either validate that the secrets manager works, maybe chip away on that if it still is not functioning the way that we wanted it to, and then we go tackle some of our maybe to-do list items now that we have the inbox working or review the inbox or we go find better music for the playlist. I know that's on the to-do list. Or we look at remotion. We can add to our to-do list in the inbox now. Or we could start to build out now that we have secrets working well for us the capability for you all to be able to interact and be part of chat a little bit more. Arena Business Stories says, "Hey, man, recently came across one of your videos. My Google account got hacked and my verification is compromised as well. It's about 24 hours since my YouTube channel has been hacked." I'm really sorry to hear that. That's a bummer. And the benefit is that Look, we've got our robot still aware and cognizant of the fact that it is live. So, we've got our projects coming together. Oh. Yeah, contacting YouTube is kind of the best bet, but I know I know it's painful. I know it's hard. I'm sorry. So, let's get cooking. Does anyone remember where we left off? Because from what I recall, we had our live stream and the projects where we had our secrets proof of concept. Oh. Forgive me. I am shoot. Damn. Might have to cut. Might have to cut the stream even shorter than what we expected because now other things are getting in the way. Stupid life, stupid uh obligations. So, our secrets proof of concept was allowing us to work with our secrets daemon. Yeah, NS Username, we did have the daemon working very well. Oh, no, sorry. 
We did not have the daemon working. We did not have the background uh process working, but we did have the like we only authenticate one time and then because we would have the system set up and unlocked, we'd be able to get it to work. Granted, it was uh ensuring that it would run in memory. Flado Taco, you know what I mean. Yeah, it's just I got an out-of-band message that was saying, you know, uh hey, actually, something's happening a little earlier than it was supposed to today, so we did have the secrets capability. Yes, High Potential. I'm so glad you got it. The number of robots will grow every single time in the title as I continue to uh keep vibing. Uh and as I get taken over, we did have MFA working. You may always ask me something. Any free renowned free security certification I can take? There I don't know if you're going to get like a free certification. You can find some stuff on justhacking.com for free. Um So, the secrets manager itself should now work without any issue in the foreground. I have to keep adding that disclaimer. But, it has multi-factor authentication, which is kind of cool. Right? So, we could do info. Uh status. Where did our info command go? That gave us the uh like details as to where it was. Can I get any secrets out while it is not running? Test secret. Good. So, we could try to lock it even though it is already locked. The daemon is not running. Now I can unlock it and then we'll enter the pass Why? Why do we lose it? What? What? Didn't we do enrollment yesterday? Did it just not Did it just not persist in the virtual machine? Did I delete it or something? Why is it wanting to do first time enrollment again? All right, let me hide this so you don't see the giant QR code. And actually let me zoom out so that the QR code can be rendered properly. And now let me re-auth my own stupid silly auth program. Blessing and a curse. Security for convenience. Good. Good. Good. Good. Good. Let me enter the code. 
MFA is enrolled successfully. Why does it need the passphrase again? We just provided that. Oh, it's because you're automatically unlocking. Oh, that's good. That's actually what we wanted. Secrets are unlocked. All right, I'm ruining this so you can't see it. I'm going to have to control C that out. Ba ba ba ba ba. Unlock. But we are now enrolled. So, now we can provide the one-time pa- one-time pin, one-time number and we're good. We're good. So, this was the fun functionality that we made strictly for the case of not showing environment variables or API tokens on stream. That's it. We over-engineered the crap out of this yesterday. We had a ton of fun with it. Uh where did your Hunter CTF shirt went? I don't know. Where did you send it to? Did you leave it somewhere? Um secrets. Uh that's in our projects. Secrets park. Now it should be able to know that it is up and running. Granted, foreground is running. Glutespro says, "Please keep growing your hair, Arc." We could do like full-blown Johnny Bravo at some point. If we're not already there. Oh yeah, we don't have any secrets. Well, we can set one now. And we could have done that manually, but let's do a test secret with a funny value as last time. I'm pretty sure I wrote that entire thing wrong. I'm pretty sure I typoed the entire thing. Good. So now the secrets park should run just fine. Cool. Cool. And we can do that over and over and over again. The fact that it determined the daemon is running is really all that we wanted. This is validation of where we left off yesterday. That's all. That's all. Thing is, if I control C to close this, secrets automatically get locked. And this was all in, I think, a dot hidden directory that we dot config live stream. Yeah, yeah, yeah. Our MFA enrollment and then the encrypted database, but then the database itself is never actually on disk. So it was cool. We did have this all working in memory. But I want to unlock this and run as a daemon. 
And that is I think where we left off being broken yesterday. So we should only have to do this process realistically once once it's all done. But how do you think we approach this thing as it Did it just work? Wait. We had this happen. I feel like I remember this happened yesterday. But then it died. And now it's fine. Where did it Is it just working now? Is Is it just fine now? Did we Like NS username, you saw this yesterday, right? Who's our other friend here that we were working with? Uh towards integrity, towards righteousness. You were here too, right? You saw this. I think it's fine. Yeah? What happens if we try to unlock it while it's already running? ALREADY UNLOCKED. WOW. COOL. Hey there, Adam. Welcome back. I appreciate you coming to hang out with us. Dang, I'm really sorry there's nothing good in the fridge. So yeah, I mean secrets manager is pretty good now. I can keep doing this over and over again just but I mean it it is running. It's working. So, I can't complain. Let me get a robot cooking. Let's check if Open Code is still doing what it should be. Um and let's get our speech-to-text dictation. Good stuff. Our two MCP servers are still running. Remember we built our contact manager in the very first day. Yesterday we squeezed in the task manager or like the stream inbox, but Okay, Whisper Flow is good. Hey robot, are you with me? No. This happened last time too and I don't know why. But he's back. He's still here. Sweet. You're fine. No big deal. Uh our MCP servers. We have our stream inbox. We have our contact manager. And the secrets manager lives outside of our AI ecosystem because essentially that can just be running on its own because I believe Open Code and I think as well as Claude Code actually just craps out their own instances of every single MCP server for every single running instance. What are you doing, Whisper Flow? I didn't ask for that. Of their their own instances of the MCP servers every single process. Right? 
Like if I were to have multiple Open Codes running, they would make two MCP servers and the next one would make two MCP servers and then make the next two MCP and I think they are not shared. I could be wrong. So, we're okay with our secrets manager being external because realistically all the other MCP servers and programs that they use on their own will work just fine. So, All righty, robot. Hey, could you give me a quick crash course on what we actually accomplished yesterday and the day before? Let's get chat up to speed because remember you are live. You are always live streaming. You are going to be presenting everything to the world. So we're keeping everything with a little bit of privacy security in mind. Um but let me know where we left off on everything and then where we might be able to go either to bundle up and complete some of the leftover tasks from previously or even maybe some ideas that we could build for the future. I have some ideas. I have what I want to do today, but I have been told that I might be cut short. So honestly, just getting back in action on the fact that the secrets manager just works now. I think maybe we make it a short one. I don't know. We'll feel it out. We'll feel it out. Welcome back, everyone. So stupid. Oh. Day one, foundation building. Our contact manager MCP server is working. We got that that out. Obviously that's how we were able to just rip through all of our past previous maintain. And because we got our SQLite database, we're good. Abstracted out a lot of these capabilities, which makes things good. Imagine it prints everything out after he finished what he said. We'll still have all the secrets in this. Yeah. Okay. Started with file based DPAPI storage and then we refactored all thanks to uh chat. Secrets now exist only in memory, which is pretty cool. The named pipe interprocess communication still slightly sketches me out, but I can't think of a better way. 
Like we could do the HTTP start a server and then it connects via API requests. You know what I mean as like another alternative for something that is separate. Looks like the meme of that boy talking to the wall. That's a good one. See, this is why I need to get you all the ability to actually um manipulate OBS and chat. meme talking to wall Yeah. Yeah. Yeah. That's just how I talk. I just use my hands. That's all. We've got multi-factor authentication and we've got a secure passphrase and we have DPAPI. So, the secrets manager is looking pretty good. Not going to lie. Do we deserve those privileges? No. No shot. But, we want to see if we can make it happen for science. Stream inbox. The MVP was kind of working. Remaining work for the day. So, all right. I think we actually were able to validate that the secrets daemon was working as it should. We were able to actually use our um secrets manager and then unlock it to run with daemon mode and it stayed alive. And then we were able to use our proof of concept test capability. Um but, perhaps we actually need to work with our proof of concept integration test and change up the poc.exe and the secrets POC to validate that it were an MCP server running within Claude and open code, you would then be able to retrieve information via the secret. You know what I mean? The session timeout, I think was good. And the error handling was also kind of good. Future project ideas, stream overlay would be neat. I feel like that's second in our mind. Web hook notification, no. Dashboard for visualization, uh session inbox data, no. Let's get the secrets manager validated for capability within open code first and then we can go down the rabbit hole to see how can we get robot to read chat. Like we need a way for it to be able to know what is going. We need a programmatic way to actually access Twitch chat, YouTube chat, Restream, LinkedIn, Twitter, blah blah blah. Um do not simulate the MCP pattern. We also lost our music. 
And that makes me sad. So, we're going to play some more music. But, uh other than that, how's everybody's Friday? What what has everybody been up to? What do you got What is going on What's going on? Is it pizza Friday for everybody else? Oh, shoot. You know what? Yeah. Let's multitask. No music. I can concentrate without music. What is there to concentrate on? I'll make it very quiet. Hey robot, can you give me a crash course on what is in our stream inbox into do list right now? Ooh, fiddling around with BloodHound the shy hat. Love that. What are you making it do? Are you using open hound? Or like open graph? Open graph is what I meant to say. Okay, let me validate. Do you now have a like proof of concept MCP server hooked up and available within open code? Like could we go through a quick validation and verification test to see poc.exe integrated in so that if I were to create a new open code session, you would actually be able to have a tool that will read from the secret just for us to be able to see. David K, already eaten pizza. Super jealous. Hey Stickster Catastrophe, first time catching you live. Thanks for kickstarting my interest in coding and cyber security. Congrats, dude. I appreciate you diving in. Uh robot, Adam, sorry. I keep memeing referring to him as robot. Obviously, it's Claude, but I don't want to keep saying that. We uh I do have him hooked into an Obsidian project so he has much more access to as many of different things as he wants. Um and I like that capability. Good night unknown1101. Ooh. I keep getting out of band messages that are distracting me. I got to be honest with you, chat. It's going to have to be kind of a short one because of the fact uh I got another curveball thrown my way. I appreciate you all hanging out with me and I really wish we'll get to a little bit further, but if we can just get the validation that the secrets manager is working. It runs as a daemon in the background. 
Like we see him doing his thing, which is pretty cool. He's still going. Then Hey SpineTDR. SnipeTDR. Wow, I can read. First message, thank you so much. Ooh, Roblox scripting. Yeah, that's fun stuff. I have not fallen down the rabbit hole for Roblox and I think it might it might be a good thing for me. It might be best for me that I don't. Look, he finally added our secrets proof of concept in the MCP server. So, we will keep our secrets daemon running. You know that it already is. We'll start a new open code session because this one won't pick up the new MCP server. And in that session, we'll be able to use our secret status info. Can you validate that this is just temporary? This is only for the sake of us being able to validate this and then we'll realistically not need the secrets MCP server as a proof of concept. We just wanted to ensure that this is working for the future. If that's the case, we can bundle up and exit out of this session. So, wrap everything up in your context manager and then we uh can open a new open code session and see this work. What was our What was in our inbox? We wanted to play with the llama. That is not a today task. We want to do this. This is realistically what I wanted to do. Integrate stream inbox with Twitch and YouTube chat or at least get open code robot AI to be able to programmatically know what's going down. Yes, uh Yasushi Natsuki. I appreciate you dumping into the live stream. We are You got to take it with a grain of salt. Vibe coding is a little bit of a, you know, different kind of word, different kind of phrasing. I think that has done more damage to a lot of the real efforts than it could have because if you know what you're doing, this is awesome. AI is genuinely kind of cool. It is giving you speed bump Wow, speed bump. Speed ups, superpowers and real uh orchestration incredible capability. 
But, if you are just coming from the uh make program make no mistakes and you send it as a prompt, that's not like sure, maybe that's a little bit of vibe coding. I'm trying I'm hoping I wanted get across vibe assisted or AI assisted Don't say vibe assisted. That ruined it. I said the wrong thing. AI assisted development is using a tool. All right. So, we validated the secrets daemon is basically working once we get that MCP effort in action. Let's move the three items in the backlog because sheetlayer.exe from Open Agent Studio, let's move that to on the table. Maybe. Um We are working on the secrets management verification validation actively right now today. Uh I think we could actually probably cross that off the list, but we should move the integrate the live stream with Twitch and YouTube into uh task for tomorrow where we are actually going to end up trying to Okay, now use one of those secrets that we built out the capability for to build a program that can see and understand what's happening in chat. So, ID number seven, donezo. ID number four, move to tomorrow. And ID number five, I don't know if we table that or how we have the capability to say that's less in priority. You know what I mean? You know what I mean? Am I wrong? I don't know. I'm We're getting into open code again. All right. You now know what we're doing. The real pattern is for future MCP servers to just be able to easily use our secrets utilities library. Nice. It'll even be able to check and validate that it's able to get potential capabilities. The secrets pocket CP servers, just so we can prove the pipe communication works from within open code. Once validated, we can delete it. Real MCP servers will just import the library and do what we need to. This is cool. Yeah, we'll do integration of malware malware analysis. Let me add that to the list. Let me add that to the list. Do we have like a category for uh next week? 
Do we have something that's in between the tomorrow and someday tagging or context? Because we do want to get to some more malware analysis, and what we need to do is realistically go through the entire backlog of malware that's in my own inbox that I've neglected for a long, long time, but we just need to actually get it on a date on the calendar as to when we're going to do that for a live stream. I think we're still building out some like stream capabilities as we have been throughout this week. So, next up, malware analysis, dark web, real normal traditional JH content is what we want to get to. But, uh we really need to make that happen next week. Is that cool with you, Integrity War Towards Righteous? Give me a little bit more time. I want to play with doing some of this cuz I would like AI to be kind of a part and piece and component of kind of the stuff that we're chasing and having fun with. Um and I think using this could get us a little bit more fun integration with like interacting with you in a chat. Like that way you could send an email, you could send an email to malware@johnhammond.lc or something like inbox@jh.live, and then we'll be able to walk through it, and you could provide a little bit more. Like you give me the file, you give me the sample, you give me the URL, and then I feel like that'd be fun. Yes, thank you, Yasushi. We are playing with Golang. I figured Golang was the best way to get this working properly rather than wrestling with the Python virtual environment like it was earlier. We're closing this out. We're doing We're We're done with this open code. It has completed that. And add it into our context manager. Ooh. Oh oh oh oh. Nope. I'm going to get distracted. Let me go validate that the open code MCP server is not running. We should see three MCP servers on the bottom right. We do. Bottom left, we do. Okay, so now we have our secrets proof of concept actually connected. Let's uh multitask. 
Hey Robot, do you see your secrets MCP server connected? And while he's checking that, we can go look over to our project tasking. So, right now we only have today, soon, and someday. Mm. Okay, so the database accepted these values. Okay, so yeah, it was totally whatever. You could just yolo, and it would have been fine. No big deal. What we actually want, do today, do tomorrow, next week, soon, someday, low. Uh Port Abuser, great to see you, my friend. So, uh Oh goodness. Are you going to Are you going to come in here and blow things up? Are you going to come in here and just want to change everything again? Yes. So, we have our secrets manager properly running as our daemon. I don't know if you were here. I don't know if you caught that, but we could go ahead and unlock with dash D, and he's cruising. He's cooking. We take a look at the status. It's running. And that's kind of cool. We were able to use and validate from our actual command line secrets proof of concept that we could Whoa. What? There's a lot new output here. Request one of the secrets. So, I could just say, "Hey, give me the test secret." And this was our proof of concept to start testing. Ooh, it even hit it. I like that. So, this is the capability so that yes, any future project that we build and work on, like the MCP server, like whatever we need, so that as an example, Robot can read Twitch chat. Uh how do you mean? Does MCP hide it as well through open co

Original Description

Learn Cybersecurity and more with Just Hacking Training: https://jh.live/training
See what else I'm up to with: https://jh.live/newsletter

ℹ️ Affiliates:
Learn how to code with CodeCrafters: https://jh.live/codecrafters
Host your own VPN with OpenVPN: https://jh.live/openvpn
Get Blue Team Training and SOC Analyst Certifications with CyberDefenders: https://jh.live/cyberdefense


This video covers various topics in cybersecurity, including malware analysis, AI-assisted development, and hacking training. The video demonstrates practical applications and hands-on learning, with a focus on AI security, defensive AI, and security basics. Viewers can learn how to implement AI security measures, develop defensive AI strategies, and analyze malware and vulnerabilities.

Key Takeaways
  1. Run the secrets manager in foreground
  2. Lock and unlock the secrets manager using MFA
  3. Enroll the daemon for background operation
  4. Validate the secrets daemon
  5. Use proof of concept test capability
  6. Integrate with proof of concept integration test
  7. Build contact manager
  8. Refactor secrets storage
  9. Validate secrets daemon
  10. Use secrets utilities library to check and validate potential capabilities
💡 The video highlights the importance of AI security and defensive AI in cybersecurity, and demonstrates practical applications and hands-on learning using various tools and technologies.