Hey, how's it going everybody? My name is John Hammond. I wanted to give you guys a little bit of background as to what this video is. So a few weeks ago someone had reached out to me on Discord. I think his handle was Muffin, and he asked me like, "Hey John, we really like the stuff that you do. Would you be willing to do sort of like a podcast with us?" I'm like, "Yeah, man. Absolutely. Sure. Good by me." So they invited me to their Discord server, which I guess is SecArmy, and it was really, really cool because they just wanted to ask me a couple of questions. It was sort of like an interview-style thing, and this is the podcast that we kind of put together. So I wanted to share it with you in case you guys have any interest in it. It's just me talking. I don't know if that is anything that might interest you, but here it is on the internet in case you do. I'll try to include the questions down in the description with a timestamp as to what was asked when. So if you want to get a little bit of insight into my brain, that's what this video is. So thank you guys. Please enjoy and I'll see you later, I guess. Enjoy the video. Thanks everybody.

So we'll start up now. And if you have a question, or shall we begin now?

Yeah, I guess we can go ahead and get rolling. Thanks.

Okay, John. So just before I start the recording, it's just a little bit of introduction and then we proceed further.

Okay, okay. Thanks.

Welcome guys, and this side Akash aka Terabyte from SecArmy. Welcome to our new podcast, and today we are going to talk about something that everyone wants to know about, and there have been a lot of questions every time we put some Instagram stories on this topic, which is capture the flag, CTF. And to talk on this today we have a really great guy. He's a star pentester, a very known one. He's the guy who created this amazing tool called CTF Katana. It's on GitHub. You can check that out. It's a big-time help and assistance for CTF players all around. He's also the guy with a mighty OSCP certification, so yeah, he can boast about it. He owns a CTF team as well. Well, that's something great, and he ranks, the team ranks basically in the 58th position in the world. And yeah, he's a great guy to go through, and he's also a good friend of LiveOverflow. And yeah, the guy we have today is John Hammond. How are you, John?

Hey there. Hi, I'm doing well. How about yourself, Akash?

I'm doing great. Thanks for asking, mate. Thank you so much for joining us today. It's been a real pleasure talking to you, and thanks a lot for your time. So John, today, as you know about the topic, you're gonna talk a little bit about CTF, a little bit about the infosec domain, and some tips we're gonna get for pentesting and other stuff. So would you like to give a brief about CTF and how it's effective in enhancing the skill set for a beginner?

Yeah, absolutely. Sure. So I guess I don't really need to put out the background, because I'm sure a lot of the audience and listeners might already know what a capture the flag is, but I guess I'll do it anyway just for context. So a capture the flag is kind of a gamified competition within cybersecurity where there are kind of challenges or tasks, or really just exercises, where you, the player, are kind of given a prompt and something to do that might be involving some sort of technology or some kind of computer system. Maybe it's just a puzzle. It kind of varies in the extent of what it is, but you'll be tasked with maybe exploiting some vulnerability, or deciphering some cryptography, or finding some hidden messages inside of media, like steganography. Tons and tons of stuff, and it's all gamified in that there's a scoreboard, there's a little bit of a leaderboard, so you have some motivation to keep trying and keep trying to solve other problems, because that'll help encourage, hey, that player to, I don't know, keep learning and get better. So honestly, I think that's awesome at enhancing one's skill, because a lot of times with the capture the flag you kind of have a really small and narrow and specific cybersecurity flaw, or some technology, some technique, that's just distilled down, and that challenge is trying to emphasize it and highlight it so that you can learn and be a little bit smarter, even with the real-world stuff with information security. And I don't know, I think that just does it in a great way, because it is a game. It is gamified, and so it's really engaging.

Yeah, right. So yeah, CTF has helped in engaging in activities and performing like real-time stuff, dealing with different kinds of challenges, as we talked about, different kinds like cryptography, steganography, etc. Right. So I also want to know, like, you made this great tool CTF Katana. So can you also shed some light on it? Like how do you think it's gonna bring like some help or some sort of assistance in terms of CTFs and to the CTF players?

Yeah, no, absolutely. No, this is funny. It's like we're starting off with a bang. We're getting into it. So yeah, Katana has been a labor of love for about a year, and I guess two years really, because originally I put together just a document on my GitHub repository that was sort of supposed to be like a checklist. It was supposed to be like, hey, if you don't know what you're doing, or you've hit a wall with a CTF challenge, check out this resource that just has a list of things you could try, or don't forget to try this. Because I was always beating myself up if I was looking at a capture the flag challenge, and then when the write-ups came out I realized, oh, I just needed to run strings on this specific file, or I forgot to try steghide without a password, or I didn't use Stegsolve on one specific thing. It was annoying, because I think some of the more guessy challenges or the more esoteric stuff, sometimes I would just overlook something. So I made that repository, and it was just originally a text document with markdown and some suggestions. But I had the thought in my head, well, man, I really want to make a tool that will do this for me, that'll like look through all the low-hanging fruits, that'll try and go ahead and, I don't know, rip through all the potential tools and tricks and things to beat up a CTF challenge. And it's funny, I live with my roommate Caleb, you might have seen him in some other videos or some things that I put out. He had helped kind of create the software for Katana with me, because we were, man, we were literally just at a bar. We were at Hard Times Cafe. I don't know if anyone knows that spot, but it was like, I don't know, there's a back room that's like totally smoking permitted, and there's pool tables and everything. We were just having a drink, and I was like, man, I really want to make this thing, because I think it would be, yeah. And he was like, no, this is totally doable. Like we could probably put together a framework that might be able to, I don't know, determine what a challenge is, and then run things that are applicable to it. And then we can make it like recursive, so that once it found new results it could reassess it and reevaluate it and keep trying to drill down until it found a flag. So we built that.

A lot of people ask, though, like, hey, what the heck, like why did you make this? This is just helping script kiddies. This is just ruining the learning of capture the flag. And we've had a, sorry.

Yeah, no, I've got a fun question. Like, do people also ask you, like, were you high when you were creating this?

Yeah, I don't know, because originally I wanted it just for, hey, so I stop forgetting to run those stupid things, like strings on something specific, or steghide, or whatever the case may be. And then it became kind of so much more, because we added in new units and more functionality. And then when we were like, hey, let's put this out to the world, we had that reaction, like, why did you make this? Because this is hindering what CTF is all about. It's all about learning. So we kind of had the standpoint, like, look, this is only gonna help with the low-hanging fruit. Like this is just for the baby challenges, the things that could be detected by a computer that don't need like a human eye or some manual testing. So it's not gonna solve everything. It might get you 200 points at the beginning of the CTF, but it's not gonna get you 2,000. It's not gonna make sure that you win. It's just to rip through kind of the baby stuff.

But yeah, I like the point that you have mentioned, that it majorly, you know, focuses on the low-hanging fruits, because that's where most of the CTF players do lag, you know. But yeah, that's a really good tool then. The concept behind it is to help out with stuff that can be helped with, you know, and maintaining what kind of things you might have forgotten or you might have missed. That's what we commonly see the players do. But yeah, I really appreciate what kind of framework you have made, and kudos to you and your team for that.

Thank you.

So, you're welcome, mate. Also, since we're talking about capture the flag, we're talking about strategies, and we're talking about skill sets, so you tell me this: like, what are your views on the essence of bug bounty culture?

Yeah, yeah. So I really love bug bounty and kind of all that it is and kind of what it stands for, because it is all about, for one thing, information security. And I've heard someone say, like, the industry is called information security, not insecurity, right? Because as much as we kind of love being red team, as much as we love being pentesters, as much as we love like breaking stuff and doing the sexy hacks, it's all about making things better. Like it's all about actually improving the software. So if you have a bug bounty or a hackathon, the whole thing is so that, hey, people can start to break your software, so that the developers, so the creator, so the maintainer can make it better, so they know the flaws. So I really, really like the stuff that HackerOne does, and plenty of the other bug bounty programs, Bugcrowd and everything. Honestly, I wish I could make more time in my life to do it, because it'd be super fun. And like the rewards are insane. Like you see people that are like, hey, over a million dollars on HackerOne, which is crazy.

It's crazy actually. So how often do you do bug bounty?

Truth be told, I registered with HackerOne. I went through their HackerOne CTF and tried to poke around at it. And, man, life gets in the way between all the other stuff that I'm kind of trying to juggle. Obviously YouTube is a passion of mine. I obviously have a day job. I obviously have a lot of other projects and things that I like to do. So I hadn't gone back to it, but I know a lot of the guys in the scene, STÖK and NahamSec, they do crazy cool stuff, and I wish I could do that just as well.

No, but you're doing a great job with your YouTube channel as well.

Thanks.

And yeah, you're welcome. So you talked about, like, you do it not frequently, but just tell me, like, for a reference, like, what would be your go-to exploit when it comes to web application security?

Yeah, okay, cool. So web is like my favorite category. I love just kind of experimenting with that stuff, because for one thing it's like really real-world, right? Every single organization or company or enterprise probably has a public-facing website, and that's a lot of what bug bounty is. I think there's a lot more cross-site scripting, a lot more CSRF, LFI, etc. So I think web is really, really cool. My favorite exploit, or I guess my favorite thing, that's a funny question. I really like local file inclusion. When I find that, it's like, oh, what can I do with this? Because it's just a little bit of a tug, and like you can pull on that string, and maybe you could leverage it to remote code execution if you can do some log poisoning. Or maybe you could steal some sessions, because, okay, you can see the location where the PHP sessions are being stored. Or, hey, you could find out how that program ran, because you can leak into like /proc/self. I feel like there's a lot of cool things that can be found and taken advantage of with local file inclusion. So if I see that, I get pretty excited.

I like the sound of it, and I really appreciate the way you explained it. Yeah, my favorite has been SSRF, LFI, RFIs. Yeah, so we have a little bit in common, I can say.

Thank you.

Yeah, yes, it sounds like we're gonna date after this.

Yeah, that's not gonna happen. Anyways, so you have been into penetration testing for a while, and I just wanted to discuss a little bit about that as well. So what would be your favorite platform when you talk about somebody beginning in this field or in this domain? So what would you suggest to the beginner?

Hmm, I guess, can I kind of zoom in on that question? When you say platform, do you mean like learning platform? Do you mean like technology?

Yeah, learning platform.

Okay, sweet. So it's funny, because I try to recommend a lot of resources a lot of the time, because a lot of people ask. Obviously for capture the flag stuff I kind of point people towards picoCTF. When it comes to like penetration testing and some like red teaming stuff, Hack The Box is obviously in the mix, and that's fantastic. Something that I've really found lately, and I love, and I'm trying to share a lot about it, and I'm trying to help people grow and learn about that platform, is TryHackMe.

Oh yeah, yeah.

I think that one came out like a year and a half ago or at some point, and I finally jumped on the bandwagon to make some content about it. But I think it's fantastic for learning, because their whole philosophy is like, look, here are all the answers. Like here's how to do it. Here's a guide. Here's a step-by-step process of what you need to do, and here are write-ups that already give you the solutions if you're stuck. So I think for someone trying to learn, TryHackMe is fantastic. They have a lot of really friendly beginner-oriented stuff, and they certainly do ramp up with some of their harder stuff too.

Yeah, yeah, right, right, right. You're right about it. You already gave out like a lot of the resources for the beginners. I would say, like, which one's your favorite, if you have to name one?

Oh, my favorite of those resources. Sorry, I'm thinking.

That's alright.

One of the talks that I had tried to give some time ago was how to build a CTF team, or how to build someone getting into cybersecurity, and I just had this laundry list of different training platforms. Like, jeez, picoCTF obviously, Hack The Box obviously, there's RingZer0, there's Microcorruption, there's Lord of SQL Injection, there's ROP Emporium, pwnable.xyz. There's just so much stuff. So again, we have a list of them. One of my favorites that, I guess, comes every now and again, so it's hard to keep track because it's not, oh, I guess they are always online: the SANS Holiday Hack Challenge. Have you guys heard of that one?
Yeah, yeah, right so sands puts out there a kind of free learning platform as it comes around to Christmas time and it's always fantastic like they really ramped up their stuff in 2015 and Now they've been doing some like red team challenges and this year They did a couple blue team challenges But they make the like interactive game and some interactive world to move around in and solve the challenges with But it's always super high quality and I learned a ton from that. So I Do really like and without the sands holiday hack challenge All right, cool. Thanks for that. Yeah So you just talked about some of your talks that you haven't given out and I have personally watched some of your Videos and besides as well. Thank you. Yeah, that was Yeah, you're welcome. So So I want to know if you can maybe tell like what has been your road map, you know Which gives you this perfection and the skill set and I am pretty sure like the listeners would like to hear that from you Okay, um, oh Geez, I always like I'm always stumped at this question because a lot of people always ask like hey How do I how do I get started or what's the what's the? Trajectory or the ladder or the road map And all I remember when kind of when I was in I guess college honestly I would stay up really really late and I would try and Just solve challenges on over the wire. I would try to solve challenges on pico I would try to solve challenges and all those different war games and if I couldn't solve it Which a lot of time at the beginning I couldn't and some of them. I still can't I Would honestly look up write-ups. I would honestly look at the solutions because that's the best way to learn is like, okay Someone else already solved this. What can I glisten? What can I learn and understand from that? 
Because all the information is already out there Like people are always willing to share and that's kind of one of the best things about the whole InfoSec community is that people do want to spread their knowledge. They do want Everyone to learn and everyone to be sharp. So they write blog posts. So they make videos So they put all these resources and cheat sheets together. So When people ask me like hey, what should I start with? normally what I tell them is install Linux and Try to go through over the wire bandit So you learn the Linux command line and then once you feel like you're good with that excuse me Once you feel like you're good with that Try and learn Python as a programming language and then go tackle Pico CTF because that's gonna like light the fire That's gonna make you really excited about it and want to learn more and more That's really good to know that that you would you just say like it seems like we speak the same language now You know a lot of times like we also get some questions like this like what should we start with or how can I build you know This kind of a skill set and we do often have this kind of confusion on telling us like what should we exactly do? I do get questions like how to stay up late at night Yeah, it's really hard because the way that some people learn is different from person to person, right? 
a lot of my good friends just can't stand watching a video, but Ipsak puts out incredible stuff for hack the box Obviously live overflow the cyber mentor just tons of them are do it in a video form and sometimes with write-ups With just a wall of text sometimes that can be really overwhelming So it's it's really really hard to nail down and figure out how a person might learn best But I think getting hands-on keyboard like jumping in to a Linux command line Then you're gonna start bumping around and you're gonna learn stuff You're right No, you actually write about it because that's pretty important because this can be highly variable person to person So it's sometimes very tough, you know to just explain a whole lot of people altogether Like what should be the roadmap it can highly differ Anyways, that was really good. What he explained. I also want to know on behalf of the whole community Like I have seen likes beginners are pretty allusive and pretty confused with the question And the question is like which shirt like they usually ask which certification should I apply for or And I have no prior experience in the infosec field in the domain And you know what kind of certification I can go with so can you suggest something to them as well? Like what kind of certification they should go with yeah, oh boy The certifications is like a whole nother can of worms, but I totally necessary because you're right tons of people ask about it So when I got started trying to work through certifications my Philosophy was that I don't want to be like a cert warrior. It's a stupid name I guess I've heard people say we're like oh you just collect every single certification that you can Just for the sake of having it and I find myself today like crap I have a decent number of certifications, and I'm like crap. I just kind of Bit myself. 
I went against what I was saying But I've always wanted to go for like the practical hands-on applicable like application oriented real challenging certifications. That's kind of what I tried for but Disclaimer when I was first getting started and when I needed to get a certification for the kind of the jobs that I was looking at They told me like look dude We need you to get security plus at minimum We need you to be IAT level 2 compliant for I guess the US based Department of Defense stuff so comptia security plus is Kind of a high-level certification that's talking a lot about cyber security and the exam is multiple choice So it's not on the keyboard hardcore doing real real stuff But that's what I started with just to say like hey I can I know the stuff I learned a little bit about it and I can show for it So I actually would recommend that for people getting started because security plus kind of gives you a wide bird's-eye view of everything in the scene And if you don't want to dive into on the keyboard real lead hacker stuff just yet I would say hey do a little bit of research on security plus and see if you feel like it could help you once you're done with that then totally jump and Do some of the cool stuff OSCP obviously if you want to like go off the deep end I really really really like E-Learn security there. I guess they're kind of a up a budding new Certifying body and some of some of the stuff they do with the junior penetration tester EJPT. That's fantastic Like they are really good on learning stuff Yeah, so your certification in Twitter Thank you So yeah, you're right like oh you're right about level certifications Can you just like give a minute on CEH or easy counsel? Yeah. Yeah, absolutely. 
So I picked up CEH Truth be told It was sort of for like the HR thing like, you know Hey people that are trying to hire you or you're looking for jobs You're in the job market some of them will say like we'd like you to have CEH Truth be told I went for CHV 10 Which I think is the latest now and I know they released the CEH practical So I haven't taken the practical to be honest. I did take the multiple-choice CEH and It was interesting because it was showcasing a lot of different tools and there's certainly ones that are necessary and ones that you would use for pen testing But I wish I had taken the CEH practical if just to kind of see okay How are they asking me to use this? How are they having me do it because the multiple-choice that's all about the practical stuff Without the practical stuff felt a little weird, but I really wish and I guess I should take that practical version of the exam Yeah, sure. In fact even I'm planning for the practical examination for UCSA now. Nice We don't have gone for the CEH MSEQ based. So, yeah, maybe we'll talk about it after this podcast. Yeah, for sure Sure. So, yeah, you talked about like CEH and these Comsia plus security plus certification covers up a lot of major you can say concept information and tools as well, which are necessary. So I I Just got this question out of the context like how does successful enumeration depend on a pen test I mean what are your tools or your Accuracy that you recommend for an immigration? Okay, so oh man for one thing disclaimer, I am not some Elite authority uber hacks or I'm still learning, right? 
I think we all are so I don't know as much kind of advanced Windows pen testing as I'd like to some of the stuff with active directory that I think that'd be crazy cool and I want to learn more about that but Bloodhound is a quick and cool tool to throw in there if you're doing that stuff or evil win RL I want to learn a lot more about those I Guess kind of my go-to because a lot of the stuff that I look at lately is Linux I Again also a little bit of web in there because they have typically have an outward facing website If it's totally allowed if it's in scope, I will absolutely throw Go buster or der buster or Pie buster, I think is a really cool one that one of my some someone in my discourse over Raj had put together which is crazy cool and Nikto, I think I always use Nikto actually fun tip for those that are looking at OSCP Nikto will help you a lot I Agree on that makes yeah, yeah, which is surprising because I feel like Nikto you kind of just put it off to the wayside It's kind of easy to forget because sometimes it'll help you sometimes it just spews out a ton of false positives But yeah You're right so Yeah, after this thanks for your Shedding some lights and yeah, you're right about this thing like we are all learning You know, I'm also learning right now on active directory because we CP just have changed their standards And I think I need to upgrade as well So yeah, we'll just like divert a bit from the regular topic, right? 
And I want you to keep going like we want to know more about your achievements and your milestones that you have achieved You know like pushing knowledge in various topics and on different kind of talks different kind of events that he had been So like from your basic ciphers to real-life basic exploits, you know, so what's a special kind of message you would give or You would like to encourage a morning with people, you know, who lose patience easily and just like going through a phase What kind of message you would like to give out for them? Yeah, okay? I Guess I'll I'll try and answer that one in in two parts I guess to two cornerstones for what I like to try and then tell people You hear a lot of time kind of the offensive security motto try harder, right? And I always kind of like struggle with that one because I get what they're saying. I know We all we all do that. We all try hard. We wouldn't be doing it if we weren't already trying hard And Sometimes I don't I get the wrong vibe from that or it feels very I hate I hate the word But I it feels very gatekeeper-esque like hey go Google it yourself or RT FM GTFO Yeah So I in my head I kind of Changed the way that I that I hear that whenever I Think of try harder. I kind of change it in my mind to keep trying because I Remember when I mentioned Some time ago when I was staying up late when I was trying to like every day that I could if I could find time for it I'd I'd go after this stupid challenge in behemoth from over the wire because I that was the first time I'd ever done a buffer overflow and I could not understand it for the life of me Like what are these knob sleds? Why is this EIP thing so important? How am I controlling that? I don't understand why the bytes have to be in this order rather than that order It was there were like a lot of struggle points but Try harder doesn't help. It's hey keep trying like don't give up Even if you fail even if you want to take a break. 
I do that literally all the time I don't know some people like I feel like I'm just doing stuff all the time I got to be honest Sometimes I will take a break and like go play Super Smash Bros for a little bit just because I need to And that's totally a thing So so that that's sorry. That's position number one is keep trying And then kind of position number two is share Like totally tell people what you're working on what you're learning how what tools you're using etc And I think that really comes with the whole community vibe is or we're all trying to learn We're all trying to spread the knowledge. So keep working at it and then share Yeah, no, I really appreciate the second point especially that yes, of course like the more you share the more you know about it and the more You'll grow the community by yourself as well One more thing I would like to add to this because Excuse me. So we're talking about it And one more thing I need to tell that I just this thing that strikes my mind that my friend Used to keep telling me this like every single detail is counted So yes, even if you're failing might be that it's gonna be helpful maybe in the future Oh, yeah, just discovering a whole new concept altogether. 
Absolutely Yeah, you should as he said John said like keep trying is the thing and share and Shout out to my friend that in the genre for just telling me this thing every single detail is counted All right, so moving forward You share a lot We have already talked about your events that you go to so anything memorable that you remember from any of the events Or you like to tell something about it any fun thing that he did Just just tell us the funniest one The funniest one, okay, so This is I guess something that you might If anyone is I guess keeping up with some of my stuff We recently took place in the B sides Nova or Northern Virginia capture the flag and that was a king of the hill style game So it was it was pentest oriented where there were a lot of boxes in the range And you were supposed to hey find the vulnerability exploit them get on the machine and then lock it down So you can make it your machine like king of the hill like So we had Myself and my teammates the guys that I live with and just because it was a local event, which was a lot of fun Once we got on the machine We could see okay Some team members are some other teams external players are booting us out and that was annoying And they actually had a little kind of game mechanic where there was an apt or someone else already on the box It could kick you out so Eventually because this was a two-day event We were able to have the overnight to go home and rest up and work on it So whenever I do an in-person game, I'm like pretty gung-ho about it So I'll spend that night like trying to script things or trying to make tools or help build the arsenal So that the next day like hey, we can we can really go guns blazing so I wrote a couple things that were like an access script and a Maintain script so the access script would be able to like automatically log in As soon as it saw either hey default credentials or the box was reset because they would revert every hour So there was more of a chance for 
someone else to break in and the the maintain script the maintain script would try to Okay, send out a beacon so that we have control of this machine It would try and look if any other team members or any other teams were using their own beacon And then it would try and like kill that and stop it But the best part the one that I guess cuz it's kind of funny If if funny is the answer we're going for We would cat dev you random and redirect it into the other Pty's or the pseudo terminals So if anyone else was on the machine that wasn't us all the sudden their terminal would just be flooded with random characters and bites and escape sequences and some guy behind us had the sound on on their computer and Somehow randomly it would hit the escape sequence for the the terminal alarm or the bell So behind us I could hear as soon as I fired the script off. They were like ding ding ding ding And that was just kind of funny because if they'd be like squaring maybe swearing and throwing things and be like God Yeah, that's funny, that's funny. That's that's nice stupid humor Yeah, right, I hope that was intentional Pretty more fun That's good So this pain that you just told just gave me two more questions for you So you told me like you had been practicing a lot and you live with your friends and you keep going with this so Like fun question like how much CDFs you have played throughout your career like professional career. Holy cow I have no idea I guess background I Guess I had started in the in the capture the flag scene maybe Six years ago now five years ago There was a there was a competition called cyber stakes that was for a lot of the United States Department of Defense and they're the military members So I had kind of taken place in that and it was incredible. 
It was the first time I'd ever seen something like it It was the first time I ever heard of CTF time first time I ever heard of over the wire It was like man That just opened the floodgates because now I want to learn all the stuff and I want to get good at it And that was a lot of fun. So from 2014 2015 whenever there was a an event on CTF time and I could try and make it I would So I have old write-ups and I'm sure there's over hundreds Maybe even I don't even know if a thousand is even correct or not, but I would think tons I would think over a hundred for sure I must say but the video telling me it must be more than five hundred six hundred idea. I don't know it's weird because Sometimes I look at myself and I'm like I'm not improving. How come I'm not improving. How come I'm not learning anything new? And I to be honest Thinking back to to those days and I and I know I had mentioned it a lot Because I was able to stay up late and try those things that was all in the realm of academia when I didn't have regular life kind of getting in the way between a day job between the significant other that I really want to spend time with in social life etc etc People say like man, they hate being in school To be honest, I think that time if you seize it and you realize it like dude This is all the time I'm gonna ever get to really hunker down and learn stuff That you got a you got a fight for it There were some golden days where you could study and just do what just the things that you wanted to do The good old days. I don't know. It's weird because no one no one thinks of maybe their school as all the good old days But I remember just being like a an information gold mine Did I just made you nostalgic a bit yeah Yeah, no problem. So, okay, let's move on further like let's talk about your creation katana So you made your own tool you coded by yourself and with your friends. 
So for the beginners, what kind of languages would you suggest, like, you should...

All right, I'm gonna go a couple different places in this question. My immediate answer is learn Python. Python is absolutely what I would recommend. It is absolutely a hacker's language. It can do so much. There's tons of built-in libraries. It's so easily extensible with other libraries. Python is absolutely my weapon of choice. That is the sword that I reach for, and it's like a knee-jerk reaction: if there's something that I want to do, I'll do it in Python. Oh, I guess background on that. Sorry, did you have something?

No, that's it.

When I was learning, when I first got started, my dad was the one that taught me, like, HTML, and my dad taught me CSS, and that was all stuff to, like, build out a stupid website, because I wanted to have a website when I was like nine years old. And then I was like, oh man, I could get my own server so I could host my own website. And then, like, well, if I want to get a server I guess I need some hardware, and I don't know what to do to make a website hosted on a server, and then I found Linux. And when I was reading all about Linux, I found Richard Stallman and I found Eric S. Raymond. And you know how every kid, like, will Google how to be a hacker, or like how to make video games? Somehow...

Yeah.

Somehow I found Eric S. Raymond's blog that was like, if you want to be a hacker, you need to know Python and you need to run Linux. So I'm like, okay. And that's why I opted for Python. When, uh, sorry, can I add just one more? Because you mentioned Katana, and now why we wrote that in Python. Originally there was a lot of talk, like, it would be cool to make this in something like Rust, because I know there's so much, like, mainstream, cool hipsters.
They're loving Rust. It'd be, and I needed to learn it, so I could try that. Or we thought, like, oh, let's write it in Go, because that would be super fast and be crazy for all the concurrency stuff. We tried to write it and then we're like, this just isn't working for us. We can't prototype, we can't develop the way we want to. We were just fumbling, so we just went for our tried and true Python.

But that's good. In fact, I have been, like, using Python for almost like three, four years now and relate to it, like, why Python? All right, so I got to, like, I just got a little bit of a glimpse of your past, like how you started. So, and like, you know, everybody here is struggling and hustling enough in the security domain, and they are trying out to share those stuff as well. They are making blogs and they are making YouTube channels. They are making communities, like we are trying out as well. So I want to know from your perspective, like, what kind of problems did you face when you started in the beginning?

Yeah, okay. So if you go through the deep dives and the records of my channel archives, you can see there's some videos that are out there, like, 10 or 11 years old, and there's me messing with, like, Game Maker and Adventure Maker, some baby stuff. And I remember for the longest time just waiting to see if that could ever take off, because I wanted it to grow, and it was a lot of fun to put them together. But it's even more fun if people watch it and people enjoy it. So I kind of flatlined, and had those growing, and would try to do stuff for, like, programming tutorials. So I tried to teach Python when I was way too young. I tried to make videos on Windows batch when I was way too young.
I know it still exists. Those are still out there, but that's not really kind of what my channel is now. So when I started to do the capture the flag stuff those years ago, I started to record those, and those kind of grew a little bit. But to be honest, I reached out to LiveOverflow, which I'm sure everyone knows, and I asked him, like, hey dude, do you want to do Google CTF together? Or do you want to, like, tackle something that we could do something together on? Because you're sitting there at like 200,000 subscribers and I'm here with 10.

So give you that to give you a good push.

And honestly, that's kind of what it was. I literally had, I think, 10,000 at the time, which isn't incredible, but it's also not nothing, which I guess... But when I did that video with him, it's like the old Google CTF video, I remember that jumped me up to like, hey, 20,000. And then I was like, oh dude, now we're climbing. So let's keep moving, keep moving. And that's always been just a hedonic treadmill, like something that I really want to do, because it's fun. But I guess my advice with the actual original question there: don't hesitate to reach out to the people that you feel like are in a solid spot. Like when I was, like, fanboying over LiveOverflow, when I was like, oh man, he's got everything set because he has X amount of followers or he does X amount of things. It's cheesy to think that way, because you can't compare yourself to others. Something that I learned is, like, you can't compare yourself to who other people are today. You need to compare yourself to who you were yesterday, because that's the best delta. Like, that's the best baseline, is I see how you can improve. And if you feel like there are giants out there, there's nothing wrong with just reaching out to them, like saying, hey man, I really love the stuff that you do. Can you lend a hand? Like, I'm trying to grow my own thing too. And Live was fantastic, and when we met last year that was
incredible. But they're all people, right? We're all people, and I think a lot of us, I hope, and it seems to be in the community that we're in, a lot of people are extremely friendly and want people to learn and get better. So reach out. Don't hesitate. Be a friend.

Exactly. A little help never hurt.

Yeah. Yeah, right. So that was amazing talking to you, man. So this is the last question I have for you. Um, this might be a bit more, you know, disclosing a little bit more of your future plans. So what are your future plans in this domain? I mean, what do you do? What kind of good things are we going to see?

Oh boy.

Are you making Katana 2.0?

I don't know. Oh man, so a lot of people have been asking, like, hey dude, can you make a course? Can you put out something on Udemy or something? Because a lot of people might want something like that. They like the way that you talk, they like the way that you teach. And I'm really flattered by that. I really love kind of everyone's support and I cannot say thank you enough for that sort of thing. Um, and it's easy to get really pie in the sky and think about, like, wow, what else can I do? Because I want to build things. I want to make things. I want to keep putting out content. I'd like to keep kind of ponying around a capture the flag competition that I built, that I put together. I'd like to build something into Discord, and I've had a lot of thoughts for this, because our Discord server, we want to have a lot more engagement and a lot more conversation. So I wanted to have a CTF that was literally built into Discord, where everything is public. Like, you can request a challenge and I'll put it in the same channel that everyone else is in. You can submit a flag in the exact same channel everyone else is in, because the way that would work is that the challenges would be dynamic and generated solely for that user. And that might look like craziness, I have no idea, but that's been kind of fun.
I've been, uh, I've been tinkering with that. I've also been trying to put together a little auto-CTFd generator that will help spin up a CTFd instance with, like, the dynamically regenerated challenges, so you don't have to deal with that interface, because that's kind of annoying.

Sounds cool.

I want to keep making videos. You know, like, there's so much on the to-do list. Um, and if people want a course, I'd love to do that too. It's funny, because you got to think about, like, life and how annoying money is, the necessity of finances. Because obviously I put advertisements on some of my videos, and it would be incredible if I could keep making this into something that I could really flourish in. But support is necessary for that. So hey, what if I put out a stupid, hey, like, John Hamlin Security, obviously not with that stupid name, but everyone does it, right? You look at all the other people out in the industry and they roll their own thing, right?

See them all. Yeah.

I don't think that's bad, because if you do something and if people like the way that you do it, well, they'll come to you, they'll go to you. And that's why having your own show or having your own business or having your own thing is necessary. So maybe in however many years I'd like to try that. I have no idea.

Sure, go on, because you're doing it. You're really good at making YouTube videos, and I'm gonna say that, and you have been doing a great job for a long time.

I see. Well, thank you.

And yeah, you're welcome. And I really appreciate the efforts that you're putting out in the community and sharing this much knowledge, and I appreciate your time that you gave us on this podcast and shedding light on some questions that people have been asking for a long time. So anything that you would like to add at the end, on the note?

Oh, for sure. How do we do? Is this too long? Is this a perfect time? Like, how do we do?

That's a perfect time. Go ahead.

Cool.
Um, no, I mean this has been fantastic. I'm honestly really, really flattered. I try not to, I don't see myself as someone that anyone should particularly, like, be curious about or care about, or want to know the opinions of. So I think it was muffin that had asked me, like, hey, can we do a show with you? Can we just chat with you? And then seeing all the questions that you guys had prepared, it's just, uh, I don't know, it really, it's surreal, and I'm very, very thankful. So thank you guys so much for wanting to do this with me. It's an absolute honor and pleasure.

So, John, it's a lot of pleasure. It was really nice talking to you as well, and thank you so much for coming out. And yeah, we will be in touch for definitely, and I'm pretty sure, like, people are gonna reach out to you more now, because you have already cleared a lot of stuff and they have already been curious about a lot of things. Um, I wish you good luck for whatever future plans you have, and I'll be really glad if I can be a part of it as well later. We'll see how it goes.

Well, absolutely. Thank you, man. The same to you.

Yeah, you're welcome. Thank you so much, and on this note, guys, we are ending up our today's podcast. It's been really nice talking to this amazing guy. He has told us a lot of stuff, and I hope you enjoyed this whole discussion as well. Um, if you have a question, reach us out at SecArmy, or you can reach John directly as well. He's available on social media, on Twitter. We'll leave all the handles in the post as well. And thank you so much, John, again. You have a great day, and, uh, on this note we end up the session. Thanks, guys. Take care.

Take care. See you soon.

So that's it for today's podcast for SecArmy. We hope you enjoyed the stuff and see you guys soon. It's your host terabyte, and keep tuned into SecArmy.

Right, John. Thank you so much, man.

Sweet. Yeah, this was a blast. Thanks so much.

Yeah, thanks a lot. It was nice talking to you, mate. Appreciate it.
I hope it was fun.

It was, actually.

I hope I didn't stomp on you too much whenever you wanted to interject or something. I realized, like, oh crap, I'm just rambling, and I feel bad. I don't know.

And then it wasn't like that. It was, I really, like, enjoyed whatever you were telling about, and it was really funny and indulging myself. So that's good.

Awesome. All right, anything else we would like to talk about? Um, I would like to, I guess, share this on my channel. Is that something you guys are totally cool with?

Uh, yeah, we'll be cool with it. Do you have the recording? Can you share that with us as well?

Yes? Yeah, I have, uh, I have the video that's still going, so.

Yeah, mate, uh, it will be really good if you can share the video as well. And, uh, yeah, maybe muffin or somebody else will be, like, getting in touch with you for the same, right?

Okay. Do you guys care when, or do you need me to wait a few days or however much time in between putting something out or uploading this?

Uh, mate, I believe muffin will be a better guy to talk about this. I guess he's typing it, and he'll let you know, like, when we are going to, because we are still in the process of making the posters, you know, and we're gonna make it a big thing that we are, you know, gonna put up a podcast with you.

Sweet. Sure, and thank you so much, mate. This was really nice.

Appreciate it. Same to you. Take care, guys.

All right. You too. Take care. Stay safe.