John Poulin

4.1K posts

John Poulin banner
John Poulin

John Poulin

@forced_request

Father. Husband. Mainer. CTO @CloudSecPartner, ex-GitHub

Bangor, Maine, USA Bergabung Şubat 2009
929 Mengikuti886 Pengikut
John Poulin
John Poulin@forced_request·
@HackingDave It’s wild, because my wife and I were having this exact conversation two days ago about how we need to introduce a paraphrase for our son too!
English
0
0
1
84
Dave Kennedy
Dave Kennedy@HackingDave·
Solid advice here and 100% does happen. Create a passphrase for your family. Only gonna get worse.
Dustin Burnham@ModernDad

My wife calls me, panicked. The call is from her number, and her voice is unmistakable- that’s my wife. ‘Babe, our son is hurt. He got in a bike wreck. I’m at the emergency room but they won’t take our insurance and I need cash to get him help. Please send me 3000 dollars as soon as you can, he’s really not doing well.’ Me- ‘Wow, that’s scary. Tell me our passphrase and then I’ll send the money.’ Her (it) - ‘What? What passphrase? This is your wife, our son is hurt. Send the money now!!’ Me- ‘I’ll call you back. I don’t believe that this is my wife. If it is, I’m sorry, but we discussed this.’ The number? Spoofed. Easy to do and there’s no way to tell if a phone number is being spoofed aside from hanging up and calling back to confirm. The voice? AI generated. Easily done. A few seconds of audio is all it takes to create a realistic audio deepfake. What can you do? 1) Create a family safe word or passphrase. Ours is definitely not ‘Keep Going’ although we considered it. Discuss the passphrase far away from phones or any recording device. This is as analog as possible. Don’t forget that the trigger for the passphrase is just as important as the phrase itself. So instead of asking ‘what’s the safe word?’ have a separate triggering question. For example, you could say ‘I’m eating banana cream pie’ and this would trigger your spouse to respond ‘purple velvet pillows’ if that’s the safe word. Make it fun, silly, and easy to remember. And DON’T WRITE IT DOWN. 2) Cognitive security is an essential skill in 2026. Assume every image and video you see online is fake until proven otherwise. Expect scams and spammers, and be pleasantly surprised when it’s not. 3) Figure out a backup communication option with people who you absolutely need to be able to reach. Don’t just rely on a phone number for communication. Have redundant, ideally encrypted methods of communication with family. What did I miss? I think (hope) Nikita is wrong on the timeframe- agentic bots like Claude bot are impressive but not quite ready to flood the phone lines in just 90 days. But I think it’s going to be a huge problem by the end of the year. I already get dozens of increasingly realistic spam calls and texts daily- it’s only going to get more annoying. Have a plan to keep your family and your finances safe!

English
6
19
111
25.2K
John Poulin me-retweet
Phrack Zine
Phrack Zine@phrack·
At long last - Phrack 72 has been released online for your reading pleasure! Check it out: phrack.org
Phrack Zine tweet media
English
7
320
751
124.8K
John Poulin
John Poulin@forced_request·
@csoandy What happened? I’ve seen someone else indicate that they too were kicked off the floor.
English
1
0
0
56
Andy Ellis
Andy Ellis@csoandy·
First time I’ve ever been kicked off a show floor.
English
1
0
1
410
John Poulin me-retweet
Satya Nadella
Satya Nadella@satyanadella·
A couple reflections on the quantum computing breakthrough we just announced... Most of us grew up learning there are three main types of matter that matter: solid, liquid, and gas. Today, that changed. After a nearly 20 year pursuit, we’ve created an entirely new state of matter, unlocked by a new class of materials, topoconductors, that enable a fundamental leap in computing. It powers Majorana 1, the first quantum processing unit built on a topological core. We believe this breakthrough will allow us to create a truly meaningful quantum computer not in decades, as some have predicted, but in years. The qubits created with topoconductors are faster, more reliable, and smaller. They are 1/100th of a millimeter, meaning we now have a clear path to a million-qubit processor. Imagine a chip that can fit in the palm of your hand yet is capable of solving problems that even all the computers on Earth today combined could not! Sometimes researchers have to work on things for decades to make progress possible. It takes patience and persistence to have big impact in the world. And I am glad we get the opportunity to do just that at Microsoft. This is our focus: When productivity rises, economies grow faster, benefiting every sector and every corner of the globe. It’s not about hyping tech; it’s about building technology that truly serves the world.
Satya Nadella tweet media
English
5.2K
18.6K
105.9K
27.1M
John Poulin
John Poulin@forced_request·
Looking forward to giving a webinar tomorrow on Defense-in-Depth engineering. We’ll talk through four key areas to help harden our applications and systems, including real tangible examples that folks can start utilizing right away. us02web.zoom.us/webinar/regist…
English
0
1
0
182
John Poulin
John Poulin@forced_request·
I know folks still have annual security budget. This training is like the gift that keeps on giving. Good virtual training is hard to come by - don’t miss this one.
Ken Johnson@cktricky

We still have room left in @sethlaw and I's virtual secure code review course held next week, Oct 2 & 3. Come join us and learn: - Manual source code review techniques - How to use Gen AI to make your reviews more efficient Register here! training.absoluteappsec.com

English
0
0
5
218
John Poulin me-retweet
rootsecdev
rootsecdev@rootsecdev·
Amen to the 30/90 password resets. If you are reading this and your enterprise is doing this, I’m here to tell you right now this type of password policy at your org is doing more harm than good.
Merill Fernando@merill

Folks it's 2024 and the new NIST draft for digital identity is asking you to STOP the madness of 30/90 days password resets and moving it from a recommendation → to a REQUIREMENT Microsoft admins here's what you need to do: → Turn on risk based conditional access policy → Stop periodic password resets = Reduced help desk calls + happy users It's a win, win. If you are not licensed for Entra ID P2 then you can still use the logs and trigger a workflow to get your users to change their password. Thanks to @blackroomsec for the call out.

English
11
21
153
16.3K
John Poulin
John Poulin@forced_request·
Fairly certain I spend half my time online selecting which cookies I want sites to be able to access. How did we get ourselves into this mess?
English
0
0
3
199
John Poulin
John Poulin@forced_request·
@manicode Sounds like a much more relaxing experience!
English
0
0
1
89
John Poulin
John Poulin@forced_request·
@enygma That looks like a typical weekend in my house :)
English
0
0
1
66
Chris Cornutt
Chris Cornutt@enygma·
The things I do to try and keep birds from nesting under my pergola...
Chris Cornutt tweet media
English
1
0
1
890
John Poulin me-retweet
Jeff Barr ☁️
Jeff Barr ☁️@jeffbarr·
Thank you to everyone who brought this article to our attention. We agree that customers should not have to pay for unauthorized requests that they did not initiate. We’ll have more to share on exactly how we’ll help prevent these charges shortly. #AWS #S3 How an empty S3 bucket can make your AWS bill explode - @maciej.pocwierz/how-an-empty-s3-bucket-can-make-your-aws-bill-explode-934a383cb8b1" target="_blank" rel="nofollow noopener">medium.com/@maciej.pocwie…
English
83
544
3.4K
1.3M
John Poulin me-retweet
Moxie Marlinspike
Moxie Marlinspike@moxie·
As a kid, the magic of software was that I could sit down and make something with no license, degree, or ~money. Gotta say, publishing an iOS app from scratch today is a verrry diff vibe. I wonder how many young people's ideas we've lost at "and now register for a DUNs number."
English
80
201
1.8K
224.1K
John Poulin me-retweet
Jeff Barr ☁️
Jeff Barr ☁️@jeffbarr·
Heads-Up: Many of the current generation of Amazon RDS and Amazon Aurora SSL/TLS certificates will expire in 2024 and you need to rotate them ASAP. Learn more at aws.amazon.com/blogs/aws/rota… #AWS
Jeff Barr ☁️ tweet media
English
2
51
76
21.6K
ayman nadeem
ayman nadeem@aymannadeem·
just going to share my experience so far (still not resolved!) 1. apparently, the latency to trigger the email was due to this incident: githubstatus.com/incidents/b6f4… 2. after they recovered that incident, I re-tried generating the email with the verification that only lets me access support after two consecutive checks to make sure I am not a robot (note: this only gets me to the support page, not account recovery) 3. in the support page, I can select my issue (in my case 2fa recovery), which lands me in a hubot chat 4. I am told I should have a `recovery-codes.txt` on my machine; I search for it and don't have one. I give hubot feedback that I don't have it, and it sends me here: #authenticating-with-a-verified-device-ssh-token-or-personal-access-token" target="_blank" rel="nofollow noopener">docs.github.com/en/authenticat… 5. I follow the listed instructions and am FINALLY able to generate an OTP. Then, when I am asked if I have another method, I choose SSH. 6. I run the provided ssh command, it works! however, I am given a message saying it'll take 1-3 business days to recover *after* all of this 🥲. so now I wait. appreciate everyone trying to help but man this flow is whack.
ayman nadeem tweet media
ayman nadeem@aymannadeem

Thank you! 🙏🏽 When I try to access support, I have to provide my email, and a verification code is sent to the email associated with the account. I was able to trigger one email using that flow, but there are a few problems with this method: 1. It is not instant, it takes 45+ minutes to trigger the email; 2. The verification code in the email is only valid for 20 minutes. Because the email took so long to receive, I had to dive into a block of meetings for the day, and I missed the 20-minute window to use the code. When I tried to re-trigger the email yesterday and today, it did not work. Another avenue was to go through the Hubot support chat, but that only linked me to the same blog article that linked the Hubot chat, so it was just a circular process. I have included screenshots in case they're helpful not just to support, but also product dev teams. I love GitHub, I am all for good security posture, but I think this experience could be better!

English
2
0
1
2.1K
John Poulin
John Poulin@forced_request·
One of my favorite talks I attended was at HOPE X, 9 years ago. @deviantollam and @SgtHowardPayne dropped some knowledge on elevator hacking, which has stuck with me to this day. You will learn amazing things you never expected to hear about. Get a ticket while you can.
The HOPE Conference 🏳️‍🌈🏳️‍⚧️@hopeconf

The late Cheshire Catalyst shares how he got his own area code at The Last HOPE (2008). HOPE XV will take place from July 12-14, 2024 at St. John's University in Queens, New York City Tickets still available at hope.net. 10% of April sales are donated to the @EFF

English
0
1
1
180

Jelajahi

@HackingDave @csoandy @CloudSecPartner @absoluteappsec @sethlaw @cktricky @wickett @manicode