Joined by Katrina Manson to hear all about her latest book release: Project Maven & the Dawn of AI Warfare
We talk AI usage at the Pentagon, drone intel, AI enabled targeting, and the ethical tipping point of autonomous weapons. Super fascinating ideas. Video: youtu.be/OVgruylpVXc
Posts by John Hammond
Wild story on a big AI-powered social engineering campaign, leveraging Device Code phishing to steal Entra ID/Microsoft accounts -- all with entirely unique and personalized per-victim lures from vibecode-crafted infrastructure. Video: youtu.be/9b3kirR8s2U
Real treat to catch up with Joe Tidy and hear more behind the scenes deets about his book Ctrl+Alt+CHAOS: How Teenage Hackers Hijack the Internet. Insight into "the most hated hacker in history" and the rise and fall of teenage hacking gangs. Video: youtu.be/GUzD_ShRKYE
Fake Windows notifications -- homage to iPurpleTeam and their sweet recent writeup, showcasing some tricks with toast popups in pure PowerShell to fake alerts from installed apps found in Registry. Even a low-privilege custom protocol handler! Video: youtu.be/wrAFZLa1TAk
Our virtual event endeavor is back for its round-two show -- ContinuumCon 2026! Banner mantra "The cybersecurity conference that never ends". All sessions are workshops and you keep a whole cyber range to work on them whenever you want. jh.live/continuumcon Main event livestream is June 12-14th!
I've actually used authentik to manage identities in a self-hosted local environment before, so was really happy to hang out and see it even more in action. Thanks Fletcher!! See their sweet stuff: jh.live/authentik
heyyyyyy In case you missed it, I got to chat with Fletcher Heisler about the cool stuff he's been cooking up with @authentik ! And I met Fletcher at BsidesSF -- really awesome guy. Video: youtu.be/2ttrqnw5kDE
If you're waking up to the Internet and your world on fire from the new NPM and axios package supply chain attack, I have a short 15 minute video to hopefully catch you up to speed. Links to further resources included -- video: www.youtube.com/watch?v=A58c...
Vibecoding -- err... AI assisted programming -- a "ChatGPT for the dark web!" Natural language chat interface backed by threat intel API, for a Golang tool with a TUI (in spirit of the current command-line coding harnesses). Fun project. Video: youtu.be/oqU41QwtAGE
NahamSec teaches me bug bounty basics! He fills me in on the platforms, programs, and how the scope has grown so much now. Ben walked me through threat modeling and had a slick demo of his real-world bugs found with Red Bull and others. Video: youtu.be/lNuvI48ysVo
GraphSpy: A Hacker's Tooling Deep Dive, video demos with the creator @RedByte1337! Keanu shows me the wild things you can do for post-exploitation in Entra ID -- even adding a physical security key for persistence and a ton of other tricks. Video: youtu.be/qEtoKC32UoE
The recent Trezor-physical-mail-phish-delivery-crypto-scam made me giggle -- so I rambled about it in a video. I'm not a crypto guy but alarm bells should probably go off in your mind when something is asking for your recovery seed phrase. Video: youtu.be/UQFySFs2GJk
I've made some updates and added 2 hours worth of new material to the "Linux for Hackers Fundamentals" course on @hackinghub_io ! Vim text editor basics and sed & awk for text processing. Here's a 40% off discounted link if you'd like to take a peek :) hhub.io/Linux2026JH
h?ckers a[r]e gl*bbing!
A little showcase of @0xv1nx0 's neat new project LOLGlobs -- demo is a teeny weeny PowerShell download cradle, obfuscated with globbing tricks and used with some 'living off trusted sites' just flair for funzies too :)
Video: youtu.be/IImLVU39V_Q
Google API keys didn't use to be considered "secret," so they're all over the web -- but now they are an open door to Gemini. Quick rundown video of Truffle Security's really nifty research, almost 3,000 websites exposed... including Google themselves.
youtu.be/XNMHUifKce8
Quick dance with CVE-2026-21509, a "Security Feature Bypass Vulnerability" and an emergency out-of-band fix from January Patch Tuesday (and an obligatory exaggerated YouTube thumbnail -- I apologize and appreciate folks who understand algorithm nuance) youtu.be/Ck8IPInn74A
"TikTok needs to fix this vulnerability" -- video: youtu.be/djhX8Q4JuFU
"AI wrote a hit piece." Video: youtu.be/RP-zs6J6ySw
Super quick video of the Sinobi ransomware gang fail from a few days ago, because the story made me laugh. I'm trying to get in a groove of shorter videos, and I thought this fit. Video: youtu.be/OwTV42GyRnk
Moltbook is still weird. And external AI skills suck.
I'm late to the yap party by a week or so (which is apparently an eternity in the current time vortex) but I wanted to show cool community resources & research amongst the skills shenanigans. Video: youtu.be/IvL89vbWmQ8
February got here fast-- and the 2026 Snyk Fetch the Flag CTF came up quick too! This year my friend NahamSec is hosting the game, starting NEXT THURSDAY 2/12 at 12pm ET! Free 24-hour Capture the Flag event with AR glasses as prizes π See ya there! jh.live/snyk-ftf2026
Also, meme thumbnail experiment continues. Disaster girl feels appropriate when AI might burn down your codebase.
This is the first time Zack and I got to hang out and chat, please show him and his writeup some love! All credit to him and his work -- his blog: zkorman.com/posts/cyberd...
I for one am totally guilty of just throwing caution to the wind and poking at the newfangled whizbang AI world with reckless abandon -- but whatever "black box" we tout it to be, there's stuff you don't notice and forget that you just accepted the risk.
Are MCP servers safe and secure? Yes? No? Sometimes? Maybe? ... Zack Korman shows me some of his learnings on MCP security (or lack thereof) with his "Evil MCP" project. YouTube link: youtu.be/_r_sLetar_o
1. data exfil of your prompts & code context
2. inserting vulnerabilities into your code
Feels good to get something out the door again. I hope you take a look! YouTube link: youtu.be/Mw8DVcLSZIc
I'm experimenting with MEMES in the THUMBNAIL and SHORT video TITLES to MITIGATE against CLICKBAIT
Also experimenting with longer social text promos for video releases to add more preview details and context. I no longer have to just feed algorithms, but now LLMs, too!
No Registry writes, API calls or registry callbacks because it's just a single file placed on disk! Kinda neat.
This is my first recording after a month break for the holidays and it was _painful_ -- lots of fails and mistakes and it took many hours.
3. exporting, downloading, and hijacking an existing target user profile NTUSER.DAT or HKCU Registry hive,
4. converting hives from .reg plaintext to binary with the HiveSwarming.exe tool,
5. and establishing persistence with the new backdoored NTUSER dot MAN profile we upload!
Video demo of the NTUSER dot MAN trick I saw floating around before the new year -- I did not know this was a thing. Hat tip to DeceptIQ et al.... we showcase:
1. breaking a Windows login with an empty user profile,
2. getting initial access EZPZ with a Sliver C2 implant,
"'ConsentFix', a browser-based ClickFix-style attack with OAuth consent grants" ... leveraging the Azure CLI app client to social engineer for easy access into Entra ID. I got nerdsniped by this, so I played with it a bit and tried a drag-and-drop gesture! Video: youtu.be/AAiiIY-Soak