A Conversation with John Hammond: Hands-On Hacking

John Hammond, a cybersecurity researcher, educator, and content creator breaks down the hard work, grit, and patience required to become a hacker.

In this episode, Mike welcomes John Hammond, a cybersecurity researcher, educator, and content creator. Join us as they break down the hard work, grit, and patience required to become a hacker, much different from the fantasy world portrayed in TV and movies.

SHOW NOTES

Welcome to In Scope, the healthcare security podcast. In each episode, we bring you insightful interviews, informative technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem with host, Mike Murray.

In this episode Mike Murray welcomes John Hammond, Senior Security Researcher for Huntress and YouTube content creator of all things cybersecurity.

He kicks off the conversation by sharing his inspiration for creating educational content for cybersecurity experts on his YouTube channel. It was actually John’s own thirst for knowledge that led him to realize that video was an effective teaching medium.

What sets John’s content apart from most others, especially in this industry, is that he doesn’t just preach his expertise—he also documents his progress. Preferring raw over polish, John’s brand has become incredibly popular thanks to his humble, relatable, down-to-earth style.

John comments on the ever-evolving certification landscape in cybersecurity. While he believes that certifications have their place, there is something to be said for the broad accessibility of learning resources (e.g. YouTube) and communities (e.g. Hack The Box) today, as well as the educational value of gamification à la Capture the Flag.

He also unpacks his recent video on the widespread vulnerability Log4j that reared its head around December 2021 and created a domino effect of vulnerabilities of its own.

In the video, he explains how Log4j can be exploited via the popular video game Minecraft. This not only provides valuable insight to those in the industry, but also gives the “layman” a glimpse into the often overlooked world of cybersecurity and demonstrates how such “vulnerabilities could affect things that you might use or play with or interact with on a day-to-day basis.”

Finally, John briefly reflects on his journey in cybersecurity and what continues to fuel his passion for what he does. He was first exposed to the cybersecurity world when he took up Electrical Engineering at the U.S. Coast Guard Academy.

This led to an opportunity to serve as an instructor for the Department of Defense Cyber Crime Center and, after that, as a Red Team Cyber Operator for the Defense Threat Reduction Agency. Finally, he made his recent foray into the MSP space when he joined Huntress.

All the while, John has been hard at work documenting his journey and lessons learned throughout his career on YouTube—a labor of love that he has been committed to since launching his channel in 2009.

TIME STAMPS

– An introduction to John Hammond.

– John shares why he started his YouTube channel.

– The hidden value of making mistakes in front of an audience.

– How the certification landscape has evolved.

– John’s latest video on Log4j.

– How making these videos has helped John become a better security professional.

– John’s journey in cybersecurity.

– How to connect with John.

0:00:02.7 Speaker 1: Welcome to In Scope - The Healthcare Security Podcast. Each episode, we bring you interviews, technical tips and a unique point of view on the challenges facing the ever-changing healthcare ecosystem. Here’s your host, Mike Murray.

0:00:21.1 Danny Akacki: Welcome to the In Scope podcast from Scope Security. My name is Danny Akacki, Director of Customer Success for Scope. I know I’m not the voice you’re used to hearing on these episodes. Sadly, that voice, Mike Murray, CEO and founder of Scope Security, passed away on April 7th, 2022. Prior to his passing, Mike had recorded three new episodes of In Scope, we present one of those now in its entirety, both in memory of Mike and in celebration of his vision for Scope Security, which the entire Scope team now shepherds into the future, on behalf of that team and on behalf of Mike, thank you for listening.

0:01:02.1 Mike Murray: Hello and welcome to this week’s episode of In Scope - The Healthcare Security Podcast. As always, I’m Mike Murray. And with us this week, we get to do another one of these departures into hacker land and it’s gonna be really exciting. With us this week is John Hammond, and John does some of the coolest videos I’ve seen on YouTube around hacking, and I’m sure we’re gonna get into it. But first of all, John, welcome, but John, tell the world about you, tell the audience who you are and how you ended up doing all these crazy things.

0:01:30.9 John Hammond: Alrighty, well, hey there, Mike, thanks so much for letting me come crash the party over here. I don’t mean to be cramping your style or anything, but I’m super flattered and honored just to be here to hang out with you all. I don’t mean to just, hey, start going down the story, like no one needs to bear through a career or anything, but I’m happy to fill anyone in with the stuff that I’m up to these days. My name is John Hammond, as Mike was alluding to, I have a silly YouTube channel, where I showcase a lot of cyber security content, a lot of education for penetration testing and ethical hacking, bug bounties and vulnerabilities, and exploits, and all of that nerdy, geeky stuff. It’s a ton of fun, something I do as a passion out on the side, but for my day job, I’m working at a company called Huntress, that does managed threat detection and, hey, making hackers earn their access, trying to better security for the 99%. So a ton of fun.

0:02:23.6 MM: It definitely is, and we’re both very lucky to work in that threat detection space, it’s a good time, but I’ve always believed that if you wanna be a great defender, you have to have a sense of what offense is and what attackers are up to. And you’ve got this incredible library of content, we’ll talk about some examples later, but how did you get into putting this stuff on YouTube? I said it to you before we got on, I would… I mean, we all study this stuff, we all read this stuff, do exercises and stuff, but I would never think to like, “Hey, I’m gonna record this and make a video for other people.” How does that cross your mind? And what’s happened since you did it? Like what do you get out of it? I’ve a million questions, in case it’s not obvious, but just talk about it.

0:03:04.6 JH: Yeah, well, thank you, I super appreciate all the interest. It’s fun, a little bit of a story, I suppose, ’cause I grew up the same way any kinda kid or fellow does when they say, “Hey, I wanna grow up to make video games,” or, “I wanna grow up to be a hacker,” ’cause all that stuff sounds cool, you see it in the movies and it’s, I don’t know, something really, really interesting. So I would Google that, “Hey, you got a computer in front of you, why don’t… ” I’d ask the Internet and I found YouTube video, stuff on how to program in this coding language, how to explore Linux operating systems or play with Python, C and C++, and I don’t mean to get too nerdy, but that really opened the flood gates, and that’s how I learned, was through video, was watching other people kinda do some show and tell and demonstrations. Eventually, probably earlier than I should have in reality, [chuckle] I thought to myself, “Hey, wouldn’t it be kinda cool if I tried to make these same sort of videos? What if I tried to showcase some stuff while I’m learning and what I’m learning.”

0:04:08.3 JH: And it started off very, very small, pretty low quality, baby steps in creating content, but it was a lot of fun because I could see an interaction with an audience, and while I was learning something, I could publicly show myself learning, and that means making a lot of mistakes, that means failing, that means making a bunch of typos and hitting the backspace key over and over and over again, but I’d have, hey, people correct me, which I didn’t see as a bad thing because then I learn, then I get better and they get better and… I don’t know, it’s just really, really cool ’cause you get to that tidbit where people say, “The best way to tell if you really learned something or if you’ve mastered something is to try and teach it yourself, where you can showcase it.” And that’s been a ton of fun. I’ve seen it grow out. Honestly, the stuff dates back to 2009, 2010, I guess I’ve been doing that for a decade now, but it really got the ball rolling in 2018. [chuckle]

0:05:09.8 MM: More than a decade. Yeah, more than a decade, man.

0:05:13.2 JH: It’s crazy.

0:05:13.9 MM: Yeah, we all get old that way. [chuckle] So something that I’m fascinated on, I wanna call out, and most of us, and we all went to school, and we all went to school in a way that we learned that our teachers were supposed to be infallible. The teacher’s at the front of the room and they never make a mistake and they have the textbook with the answers in it, so they’re always right. And the students are always the ones making mistakes. And you were just talking about making mistakes in front of the audience. Tell me about that experience and your ego around it, and also how that affects the viewer and the student and all of that sort of thing.

0:05:53.7 JH: Yeah, oh, sweet. So thank you for asking, dude. I watch a lot of videos and YouTube content and stuff, where people do offer flashy, a super cool, quick and punchy video of something that they’re showcasing. And it’s well edited, it’s got all the sound effects, it’s got the zoom and pans, and I love that stuff. It looks fantastic. And I’m honestly very, very jealous because I would love to do something like that, but by golly, it takes a lot of time. [chuckle] Like way too much time. And I thought, “Man, if I wanna keep doing the stuff that I wanna do, and if I wanna keep putting out content and just doing it, it’s gonna have to be raw.” It’s gonna have to be a genuine screen cast, “Hey, I’m sharing my screen in a Zoom call or something.” This is you shoulder surfing, seeing what I’m typing on the keyboard. And for some reason, I think that’s been pretty well received because people can see me make all those mistakes.

0:06:56.9 JH: And I feel bad, honestly. When I go, “Oops, I just wasted five minutes because I forgot a semi-colon or something stupid.” Sometimes, I drag myself in and out of a rabbit hole and hit my head against the wall. But, I don’t know. I also think there’s a lot of value in that as you said, because it teaches the people that are watching a certain amount of grit, a certain amount of dedication, stubbornness in troubleshooting and debugging, and being able to pull yourself out of a problem and look around and figure out, “Okay, where might have I gone wrong in putting something together?” Trying to solve a task or challenge, etcetera. I don’t know. I hope there is value in that, but so far it seems to be doing okay. [chuckle]

0:07:43.4 MM: Yeah, people seem to keep tuning in, so something there about that is right. But actually, something you said, you work in this field, that to me sounds like more of everyone’s every day. Hacking is not what you see in the movies where everybody types everything in the right time, and the exploit works 100% of the time fully reliably. And so, I wonder if in some ways you’re giving a better picture of reality. And by the way, so an old old story of mine, I used to run a company called The Hacker Academy, where we did in around 2009, that sort of polished video training and a lot of that stuff. And you’re not kidding about how much time it takes and how much work it is to get it right. But I actually look back on that and I wonder if we would have done our students a much better service to teach them how the real world works, how hacking actually feels. And I wonder what you think about that, ’cause I actually think it’s a feature not a bug, in what you’re doing.

0:08:45.3 JH: Yeah, it’s not as sexy. It’s not as cool, it’s not as flashy. But if the student, if the individual listening in Washington can have the stomach for that long form content, that long form studying, “That’s really what it is, what it takes,” right? And it’s sometimes a hard pill to swallow. Especially someone that says, “Hey, I wanna get into the scene, I wanna be in this industry.” But there’s a lot to it, it’s like a mountain of stuff to climb, whether you’re looking at industry certifications or whether you’re looking at a degree or going for Master’s, etcetera. There are so many different ways to learn and upscale what you’re doing in cyber security, but all of it takes some grit and tenacity.

0:09:35.3 MM: And that I think is so important. Actually, you brought up certifications and the like. I’m curious, this is such a new world. What you’re doing is so different than the old way of like, “Let’s go to a SANS course.” Or, let’s go get a CISSP. How do you see those two things merging as time goes on? Do you see more teaching like you do… And we recently had Ippsec on who does some of the CTF stuff on videos. And I feel like there’s this whole new world out there that didn’t exist when I was coming up as a security person. And how do you see that changing the certification landscape and a lot of that sort of thing? Or do you even think about that?

0:10:16.6 JH: Yeah. It’s something that I am stuck in it and I don’t take my head out of the equation all too often, but I think it’s really good to do so because what you’re mentioning in like, “Hey, we might have paid an arm and a leg to go to this formal business professional training,” and that’s a pretty penny. [chuckle] But when you brought Ippsec on, another content creator, he’s an incredible fellow, he’s a wizard. That guy is much smarter than me, I will be the first to admit, but we do this thing called Capture the Flag. And you noted it there, that CTF acronym. Capture the Flag. And in my mind, that’s taking a lot of cyber security and computer science education and making it a game. It’s making it a sport, it’s making it a puzzle, a toy.

0:11:03.3 JH: Because the player, who is playing Capture the Flag, might have a couple of tasks put it in front of them. They say, “Hey, break into this website.” Or, “Hey, find in the memory forensics on a hard drive or RAM and shenanigans like that, can you find a special key or a token?” And that is the flag that you can find and validate and prove you’ve accomplished this task. That makes it a lot of fun because there’s an element of competition to it. You are competing and trying to raise your score on a leader board or a score board to say, “Hey, can I solve another challenge? Can I learn something new or get exposed to a different technology?” And that is very, very different than a, you’re sitting in the classroom listening to a lecture waiting for the clock to strike the hour. It’s hands-on when you’re playing Capture the Flag, it’s practical.

0:11:56.8 JH: It’s all application-based. And I think that has a lot of value to it because that’s really it, you’re doing it. You’re in the scene, you’re on the keyboard, you’re being an operator. And that’s where you get the most value and the most learning. When that comes to certifications and industry training, I’m a huge proponent of those certifications that require a hands-on portion. But are we gonna end up paying an arm and a leg for it? I don’t know, I think the world and the industry is kind of changing and it… Like a lot of this stuff is so accessible ’cause I can find it on YouTube, ’cause I can see a cyber range like a TryHackMe or a Hack the Box or other online platform to be able to play, to be able to tinker, to be able to explore and learn.

0:12:38.0 MM: It’s funny, as you were talking about sort of the marriage between the sort of gamified practical environment and the training class, the sort of [0:12:48.1] ____ sins of old school model. I was thinking, and I think you were thinking about this, I was thinking about the OSCP, right, in terms of the practical nature of that certification. And there’s a lot of book learning that goes into that, but I don’t think that they’ve necessarily gamified it to the level of a CTF, but you could sort of see those two things coming together in a merging way where the certification test looks like a CTF.

0:13:15.3 JH: And I’d have to think I… Forgive me, I hadn’t tuned into the conversation that you had had with IppSec, but I know there are some juicy and cool conversations to chat about when you say, are the training environments like this? Are the cyber ranges and the Hack the Box, the TryHackMes of the world, are they realistic? Are they “real world”, in air quotes, when they’re gonna Capture the Flag. And I think IppSec… And I know I certainly would attest like, no, there’s so much value, and whether or not it is “real world”, quote-unquote for a penetration test or a vulnerability assessment, because you learn that grit, that debugging, that troubleshooting, that when things go wrong or you didn’t solve the problem as you thought you would have, how can you re-approach it, how can you re-attack it? And that is just invaluable in my mind.

0:14:05.6 MM: Yeah I completely agree. I 100% agree. Alright, I’m gonna turn us in a different direction for just a second because one of the most recent videos that you did, probably not the most recent, but recent, was a real tear down of Log4j, and it’s on everybody’s mind and it’s all we’ve talked about for the last couple of months. But do you wanna tell everybody about that experience, about the video? And really like let’s give everybody a trailer and make them go watch that one ’cause I particularly liked that one.

0:14:35.2 JH: Yeah, thank you. So I’ll cover a little bit of ground, some foundation here, for whatever reason, folks don’t happen to know, Log4j or Log4Shell was a vulnerability, a widespread large, “Hey, the sky is falling,” vulnerability in December of 2021. It’s a weakness in a piece of code that’s tucked away in a library, like a module that could be plug and play and other software and applications. Turns out because that thing was vulnerable, that made a bunch of other stuff vulnerable. [chuckle] And this is a vulnerability for remote code execution, meaning the bad guys, the threat actors and the adversaries can basically do whatever they want with the victim or the target. They can compromise it and then make it do whatever command and control access, shenanigans like dropping ransomware or mining cryptocurrency or whatever you want to extrapolate to some bad exploit thing.

0:15:32.9 JH: Log4j caught a lot of news because of that potential and the attack surface, and that we saw a lot of things in the real world vulnerable to it, VMware Horizon, different vendors providing their own software and their own products, and I think there was even some spook stuff of Tesla Apple, blah, blah, blah. But one thing that was really interesting in my mind that was vulnerable and affected by this was a video game, and a cheesy kids’ video game, or I don’t know if anyone listening has children, sons or daughters, or maybe they happened to play Minecraft. Minecraft, a Java Game written in Java was vulnerable to this Log4j and Log4Shell vulnerability. So I created a video showcasing how it could be exploited and walking through that vulnerability, setting it up, getting the syntax right, getting the reverse shell to, “Hey, I’m the adversary. I’m now in the box. I’m in the system, in the victim.”

0:16:30.7 JH: And I had a lot of fun with that. I think I kind of got it while it was hot, right, that video is doing well, closing in on like hey half a million views or something silly, but I thought it was a great opportunity to bridge a couple different audiences, like the gamers of the world, or the folks that are just kinda familiar with the cultural impact of a game like Minecraft. It opens the total addressable market, and without a better word to say it, to people that may not be as familiar with cyber security, with vulnerabilities, with exploits, with weaknesses and stuff like this. So I wanted to make that a bridge in that, “Hey, what is John doing setting up a Minecraft server,” well, it’s to hack it, it’s to show how these vulnerabilities could affect things that you might use or play with or interact with on a day-to-day basis.

0:17:20.3 MM: And it’s so interesting, and I always love the idea of using simple things to demonstrate really interesting problems, and healthcare has got this really interesting Log4j problem and that… There’s so many vendors in healthcare, almost all of them use Java in some way, and often you don’t even know what component is where, but there’s so much interoperability. I love to play with the thought experiment of the electronic health record system. So imagine I go into the patient portal… This is my favorite attack scenario lately, I go into the patient portal that you log into when you’re going to your doctor, right. And you go in there and it’s like, “What’s your appointment for? When do you want an appointment? Tell me about your medical history.”

0:18:06.9 MM: And in every one of those, you enter the Log4j attack string and you press submit. So that document then goes from the patient portal into the Electronic Health Record System. The Electronic Health Record System then… Suppose you’re gonna go get a CT scan, it will send that same record over to the RIS and the PACS which are about cardiology, and then it’ll end up on the CT scanner. It will also end up in the billing system. It will also end up in the revenue cycle management system. It will also end up in the analytics system, and if they’re doing medical research, it will be exported and packaged up and sent to a bunch of other HL7 interfaces all over the place.

0:18:51.0 MM: And so, it may look silly when you’re doing it on a Minecraft server, but if you’re a healthcare person, go watch the video, and think about the case that I just said, when you watch John’s video and you’ll start to… It will start to hurt your brain as to what this means ultimately within a health system. And so John, I wanted to flip around and go in a different direction again, because I’m so fascinated by your career. You’ve been doing this since you were… Early on in your career, right? You’ve been doing these videos, how has this helped you? You’ve helped a lot of people, but how have the YouTube videos helped you become a better security professional? And how has it made your career better?

0:19:37.8 JH: Ooh, so there are a lot of threads that I’d love to keep pulling on there before we make that pivot if that’s alright?

0:19:43.4 MM: Oh, yeah. If you wanna go Log4j, I will go Log4j for hours. It’s one of my favorite topics. Yeah, let’s come back to the other one.

0:19:51.9 JH: We can bridge these two together and make a good synthesis here.

0:19:56.1 MM: Love it.

0:19:56.7 JH: So I think what you were kind of alluding to with that big story of the Electronic Health Systems was a lot of things that we try to think about and talk about with these vulnerabilities and that it affects other interconnected components, and you don’t know where along that whole domino chain, domino effect of software and applications, you don’t know where that weakness might even be. So when we try to create… This again is back to my day job over at Huntress, we try to make a tool in utility to help find and test, hey, is some code or application vulnerable to this? But if you were to throw it in just like you said, hey, filling out a records form, where does it go? Because it’s funneling through all these different systems, and you get into that, maybe this is a buzzword, so slap my wrist, if we go to a bad place. [chuckle]

0:20:42.8 JH: That’s the supply chain, right? That’s, hey, programs interconnected one way or the other from one provider to the next. And if you’re trying to solve the security problem, which is really hard to do, how do you do it? Because you’re using components that might be present in other things that have components here and there, and et cetera. And I tried to give a talk on this at a recent conference on the supply chain vulnerabilities, because we see time and time again stuff just blowing up from exploits like this. I tried to pitch the software bill of materials, the SBOM, and I know that’s kind of a polarizing concept so… [chuckle] I hear you, I hear you giggling, Mike. Am I going in the wrong direction?

0:21:23.3 MM: I giggled. We’ve had Beau Woods on here, we’ve had the folks from the FDA where… I’m an old medical device guy, I used to work at GE, I’m a huge fan of SBOM. I’m on the Pro SBOM side, because I know how bad most of the medical equipment is from a technology hygiene perspective, and I think it will allow us to hold vendors accountable in a way that we can’t hold them accountable today. So keep going. That laugh was, “Yes, John, like amen brother, go get them with the SBOM.”

0:21:55.3 JH: Well, it’s so cool, and so funny because so many people at that conference, we had a Q&A section, and there was a real live audience feedback of people saying, “Hey, I’m a proponent. Hey, I’m really against it. I don’t think it’s realistic because arguably, it is a hard thing to do.” You’re asking literally everyone to take inventory and actually archive all the components in the recipe? If you’re making this ingredient list, sometimes that’s gonna have to go through whatever policy and procedures and the people that need to actually go through…

0:22:26.3 JH: I think about this in the government and military sense, where it could take forever to be able to get new things written down and actually published in a location like SBOM, in which case if there’s a vulnerability and they say, “Oh, we can’t update the list or whatever components until Friday. Crap, we’re not gonna be able to patch.” Oh, we’re just not gonna patch because this is gonna take forever. I see the flaws. But I think we have to try. I think that’s the best way we can make progress on this is if we put in that effort, because when stuff hits the fan, when there’s elite zero day just blowing stuff up, you’re gonna wanna reach for that SBOM, and if it’s not there, you’re gonna go ask your vendors and they’re gonna throw their hands up in the air and say, “I don’t know. We don’t know, give us another two months to figure it out.”

0:23:17.9 MM: And that’s what healthcare is going through today. If you… And we’re recording this in mid-February of 2022, and the Log4j vulnerability came out in December of 2021, and almost three months ago to the day. And there are still major medical device manufacturers whose announcement about Log4j vulnerability is still the holding statement they put out in December.

0:23:42.9 JH: No.

0:23:43.4 MM: Yes.

0:23:44.1 JH: Oh, you’re making my heart hurt.

0:23:46.3 MM: And believe me, by the way, the only ones that are actually required to do that are the ones that are producing FDA-regulated medical devices, because the FDA post-market guidance requires that they do certain things for the vendors like Epic and Cerner that do EHRs, they’re not regulated in the same way. As far as I’m aware, and this could have changed in the last two weeks, ’cause that was the last time I looked, they’ve said nothing.

0:24:11.0 JH: Goodness.

0:24:12.0 MM: Not one word. Almost every medical record in this country is in one of those… Is in that software. And I’m sure they’re doing their due diligence, and I’m sure they’re doing their work, I’m not accusing them of anything, but it’s really hard as a health system if you don’t have certain information. Imagine trying to make… The determination of the attack scenario I came up with, when major components in that system have said nothing about Log4j and whether they’re susceptible.

0:24:37.5 JH: Wow.

0:24:39.8 MM: Yeah, it’s a tough scenario, and healthcare has it uniquely hard, but uniquely… By the way, uniquely good in that from the SBOM situation, as soon as the FDA says, “Thou shalt produce an SBOM,” everyone’s gonna do it. And so the vendors will be held accountable by regulation, unlike a lot of parts of our industry where it’s just best effort, and they’re doing it because their customers ask for it.

0:25:06.7 JH: Having it all in, I don’t know, closer and closer to that mandate or that recommendation, strong encouragement is a good thing. It might not be, and I don’t know, I can’t see the future, I don’t have a crystal ball, I’m not Nostradamus, but I think some movement is better than none at all.

0:25:25.2 MM: Yeah, I completely agree. So are you ready for me to ask you about your career? ‘Cause I think so many people are interested in how we get to be who we are, right? So you know this because of your audience, so many people wanna become security people. How has all of this helped you? And if you’re some other kid out there that’s thinking about it, that has the bent, do you recommend to them to start doing YouTube videos too, or is it a labor of love or has it helped you out?

0:25:57.8 JH: Yeah. Oh man, there are a lot of cool things to unpack there, so thanks for your interest. How I got here, right? There’s a little bit of a story to it, and if I am long-winded and verbose just let me know, throw some virtual tomatoes and alright. So I got my feet wet really in security when I attended the US Coast Guard Academy. Obviously, I tried to set the stage earlier. I wanted to learn how to program and how to make things, video games and all that beforehand. And that was fun ’cause I got to learn the software development aspect in programming and coding. But when you get into the government and military space, they care more about, “Is what you made secure? Is it good or bad?” Is it safe to use on a production system, whether that’s battle field, whether that’s ship, whether that’s a blah, blah, blah. And that’s where it got the ball rolling.

0:26:50.7 JH: I didn’t end up getting a commission and I ended up pivoting over to the Department of Defense Cyber Training Academy. Again, government and military side, that was a lot of fun. It was teaching, it was an instructor role, and hopefully that helped do what I do now in conversations and charisma in all this public presence stuff. But then I wanted to keep doing it. I wanted to be an operator, I wanted to have some fun stuff, so I hopped over to the Defense Reduction Agency. That sounded super cool. That sounded super elite. Hey, we’re gonna do some spooky, squirrely stuff. Top secret, no windows, sitting in the room getting stuff done. It turns out, sometimes you have to wait on policies and papers and authority, and we didn’t do a whole lot, just kind of sitting on our thumbs. Again, waiting to check out…

0:27:36.6 MM: By the way, not to interrupt your story, but everyone thinks a SCIF is cool until they’ve been in one.

0:27:42.4 JH: Right? [chuckle] I’m glad you agree.

0:27:45.9 MM: Yes.

0:27:46.6 JH: Again, maybe that’s another polarizing topic but… [chuckle] Eventually the CEO of my current company, Huntress, had reached out to me and said like, “Hey John, I know you’re doing your whole thing with the government and military side, but you wanna come party over here with the MSP space? Managed service providers, small to medium businesses?” And it’s honestly been the best decision I made ’cause it’s so much fun, there’s so much work to do, it’s a great new challenge, and there’s stuff happening. So when we’re doing… When I’m making this education out on YouTube, when I’m showing videos or I’m doing talks or presentations or hosting Capture the Flag events, all the things in that synthesis, even with Log4j, even with vulnerabilities and incident response, our messaging and our education and all this does help me, selfishly, and I don’t mean to say that in a braggadocio way.

0:28:38.8 JH: But I mean to say that it’s so fulfilling to have people come up to you and say, “Hey, honestly, you changed my life with some of the stuff that you’re showcasing and teaching.” “Hey, you really helped me sleep better at night, ’cause I know you and the crew and the team are all on watch. You’re on lock down, you’re in the trenches fighting this stuff before… And helping us better protect and better respond and all those great things.” That’s where I see a whole lot of meaning in what I do and that has helped open doors, that has helped bring incredible opportunities, but it boils down to just a certain sense of pride and love for what we do, I think.

0:29:17.2 MM: That’s incredible. So, John, I always end the same way, where can the world find more John Hammond? We already know you’re on YouTube, but tell the world where we can find more of you.

0:29:29.4 JH: Oh, well, thank you so much. Hey, if anyone hasn’t seen my face, I am a silly red head kid wearing glasses. You see me on the internet, you’ll probably maybe see it plastered in just plenty of other places, whether it’s Twitter, just my name, John Hammond. LinkedIn, of course, happy to reach out with anyone if they would like to chat. Again, John Hammond. [chuckle] Pretty recognizable red head, so maybe don’t hesitate to cyber stalk me on all the social platforms. YouTube is a great place to be, but just as well, GitHub, LinkedIn, Twitter, and email. Please don’t hesitate to reach out. Don’t be a stranger. Please consider me a friend.

0:30:06.1 MM: That’s incredible, John. Well, I consider you a friend now that we’ve had this chat. Thank you so much for coming on today, man. We will have you back again. This has been a blast. And let’s do this again sometime.

0:30:17.8 JH: Yeah, thanks for putting up with me, Mike.

0:30:19.2 MM: Thank you, man.

0:30:23.0 Speaker 1: Thanks for joining us for this episode of In Scope. To make sure you never miss an episode, hop on over to www.scopesecurity.com to sign up. Or you can listen on Apple Podcasts, Spotify or Stitcher. And if you have ideas for topics, guests or technical tips, please contact us at [email protected]

About John Hammond

ABOUT THE GUEST

John Hammond is a cybersecurity researcher, educator, and content creator. As part of the Threat Operations team at Huntress, John spends his days analyzing malware and making hackers earn their access. Previously, as a Department of Defense Cyber Training Academy instructor, he taught the Cyber Threat Emulation course, educating both civilian and military members on offensive Python, PowerShell, other scripting languages and the adversarial mindset. He has developed training material and information security challenges for events such as PicoCTF and competitions at DEFCON US. John speaks at security conferences such as BsidesNoVA, to students at colleges such as the US Naval Academy, and other online events including the SANS Holiday Hack Challenge/KringleCon. He is an online YouTube personality showcasing programming tutorials, CTF video walkthroughs and other cyber security content. John currently holds the following certifications: Security+, CEH, LFS, eJPT, eCPPT, PNPT, PCAP, OSWP, OSCP, OSCE, OSWE, OSEP, and OSED (OSCE(3)).

LINKS