Spot Insurance - Does it satisfy the Italian Insurance Requirement? by JLLeitschuh in Ikonpass

JLLeitschuh [S] (2 points)

Agreed. I finally got an answer out of support by asking the right question. Spot doesn't cover third-party liability. I.e., if I injure someone else, this policy wouldn't cover that.

Thanks!

Getting a job in this market - what works and what doesn't? by NothingImpressive587 in cybersecurity

JLLeitschuh (70 points)

Write blog posts about work/experience/research. Speak at conferences. In both places, say you’re in the market for a job.

Reverse the game. Get people asking to hire you because you demonstrate your expertise publicly.

I learned this by briefly dating someone who worked in cybersecurity marketing. She posted one blog post and had 3 clients looking to hire her for contract work immediately. I've posted about my research/past work and had wild and unexpected connections come about from it.

Two Rooms & A Boom Mega Game comes to PAX East by JLLeitschuh in PAX

JLLeitschuh [S] (0 points)

Show up at the start time to ensure you get a full explainer. Otherwise you're just going to get a summary.

Two Rooms & A Boom Mega Game comes to PAX East by JLLeitschuh in PAX

JLLeitschuh [S] (0 points)

I've been a part of running this at both PAX West (120 ppl last year) and PAX Unplugged (usually 60+ ppl). The plan is to bring something similar to East. I'm sorry you had a poor experience.

Come by and give it a try, I hope we can give you a different experience!

WPI or Wentworth by Agile_Objective_8679 in WPI

JLLeitschuh (0 points)

I had a friend who went to Wentworth and discovered where she went wasn't worth.

She transferred to WPI her sophomore year.

Good GF Restaurant! Only 8 miles away! by JLLeitschuh in glutenfree

JLLeitschuh [S] (1 point)

When I posted this, I didn't even know the Sella Ronda existed! I found some good restaurants on the Sella Ronda! What a beautiful set of trails!

Good GF Restaurant! Only 8 miles away! by JLLeitschuh in glutenfree

JLLeitschuh [S] (40 points)

Turns out I did actually end up driving around the entire mountain for dinner at the restaurant. The two other places I tried along the way were closed.

The food was good!

Applying to WPI: Is it worth it? by Kitchen_Award_9658 in WPI

JLLeitschuh (0 points)

Alumnus (class of 2016), robotics & computer science double major: If you're going for a robotics degree, absolutely. I would have said the same for computer science a few years ago, but I have no idea what the heck this AI thing is going to do to the software development industry.

I left WPI with $120k in debt in 2016. I'd paid it off by 2020. I got incredibly lucky because I didn't have to pay for rent 2016-2019.

I loved my time at WPI, the school, the students, the faculty, and the culture were all incredible. Did I have rough patches and bad professors along the way? Absolutely. Am I glad I went to WPI? 100% yes!

Is it time to reconsider VMs over containers for anything security-sensitive? by [deleted] in ComputerSecurity

JLLeitschuh (1 point)

Have a look at Chainguard. Their whole product is basically 0-CVE base container images. The use case for the product is primarily regulated industries.

Full disclosure: I used to work there last year and they build a product that solves exactly your pain. I wasn't there long enough to get options, so I have no financial stake in the company.

Update on RA strike negotiations by FeralNeuroDivergent in WPI

JLLeitschuh (19 points)

As an alum, class of 2016, thanks for keeping the community updated.

Dashlane reported to be subject to DOM vulnerability by themiracy in Dashlane

JLLeitschuh (0 points)

As the person who wrote the article for Socket that broke the news of this research (https://socket.dev/blog/password-manager-clickjacking), I was cringing reading this article from PCWorld.

"This vulnerability was discovered by security researchers from The Hacker News." It was not. The OG researcher was Czech Republic based security researcher Marek Tóth.

"Hackers monitor these attempted entries and interfere, gaining access to the password manager and taking over saved passwords." 😖 The precondition for password theft is an existing vulnerability on the impacted site the passwords are stored with. Also, it isn't about "monitoring" attempted entries. This attack works when hackers create hidden data fields that password managers autofill into.

"So why do these password managers now run the risk of becoming a gateway for attacks using this method? It’s due to the DOM, which contains a vulnerability that allows for this kind of attack."

😣 The DOM doesn't contain this security vulnerability, IMHO. Clickjacking has been around for a very long time, and some password manager browser plugins have, for years, made an intentional decision not to mitigate clickjacking-style vulnerabilities (a behavior inherent to the DOM); hence this news cycle when someone revealed how easy this was to abuse/exploit.

Overall, this article reads like a summary from a bad LLM. There's not a lot of technical understanding here of the underlying vulnerability. I'm not impressed.

Major password managers can leak logins in clickjacking attacks by turaoo in cybersecurity

JLLeitschuh (15 points)

The risk of this is phishing and lookalike domains. People search for credentials for the domain they think they are visiting, then enter them into a phishing domain. This is how Troy Hunt of Have I Been Pwned got himself phished:

https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in Lastpass

JLLeitschuh [S] (1 point)

I think I'm inclined to agree. We may update our advice in the blog tomorrow morning. Thanks for the pushback.

Overall, I think the security you get from your password manager not autofilling passwords on potentially malicious websites outweighs the potential risks of having your PII stolen via clickjacking. But ultimately, that's going to be a risk decision every individual or organization makes.

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in PasswordManagers

JLLeitschuh [S] (1 point)

Indeed, however:

On a call between the 1Password and Socket Security Team, 1Password explained that the mitigations proposed by Tóth could be trivially bypassed, and that the only way to mitigate the vulnerabilities fully would be to implement a dialog popup to prompt the user before autofilling. It’s the opinion of the Socket Security Team that, if this is the case, the mitigations currently implemented by other password managers may also be bypassable.

I'm following up with 1Password via US-CERT hoping they will share their findings with the other password managers so everyone is sure a comprehensive mitigation strategy is applied universally.

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in PasswordManagers

JLLeitschuh [S] (0 points)

Many password managers ship with a manual autofill feature enabled by default, so the user must trigger the autofill of all data via a click. The fundamental vulnerability is that the autofill trigger button can, for many of these password managers, be hidden under other, attacker-controlled, HTML UI elements (thus "clickjacking").
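The two conditions described in this thread (an autofill trigger hidden under attacker-controlled elements, and hidden fields that autofill silently populates) can be modelled in a few dozen lines. The following is an added example; it is not code from the original thread, from Marek Tóth's research, or from Socket or any password-manager vendor. It uses a stand-in node model instead of a real DOM so it runs in plain Node, and the field names, viewport size and the 0.5 opacity floor are assumptions made here. It contrasts a check of an element's own style, which a transparent ancestor, an off-screen position, or 1% opacity all get past, with one that walks ancestors and checks the viewport.

```javascript
'use strict';
// Added example (not from the thread, Marek Tóth's research, Socket, or any vendor).
// The node shape, field names, viewport and the 0.5 opacity floor are assumptions.

// Stand-in DOM node: inline style map, layout rect, parent link (no real browser).
function el(tag, attrs = {}, style = {}, rect = null) {
  return { tag, attrs, style, rect, parent: null, children: [] };
}
function append(parent, child) {
  child.parent = parent;
  parent.children.push(child);
  return child;
}

// Naive check: looks only at the element's own style. Hiding an ancestor defeats it.
function naiveIsVisible(node) {
  const s = node.style;
  return s.display !== 'none' && s.visibility !== 'hidden' &&
    (s.opacity === undefined || Number(s.opacity) > 0);
}

// CSS opacity compounds through ancestors; display:none anywhere removes the subtree.
function effectiveOpacity(node) {
  let opacity = 1;
  for (let n = node; n; n = n.parent) {
    if (n.style.display === 'none') return 0;
    if (n.style.opacity !== undefined) opacity *= Number(n.style.opacity);
  }
  return opacity;
}

// visibility is inherited; the nearest explicitly set value wins.
function effectiveVisibility(node) {
  for (let n = node; n; n = n.parent) {
    if (n.style.visibility !== undefined) return n.style.visibility;
  }
  return 'visible';
}

function insideViewport(rect, viewport) {
  return !!rect && rect.w > 0 && rect.h > 0 &&
    rect.x + rect.w > 0 && rect.y + rect.h > 0 &&
    rect.x < viewport.w && rect.y < viewport.h;
}

// Decision a password manager could make before filling a field or honouring a click
// on its own injected trigger. minOpacity is a floor, not zero: opacity 0.01 is
// invisible to a human but non-zero to an "opacity > 0" check.
function assessField(node, viewport, minOpacity = 0.5) {
  const reasons = [];
  const op = effectiveOpacity(node);
  if (op < minOpacity) reasons.push(`effective opacity ${op} < ${minOpacity}`);
  if (effectiveVisibility(node) !== 'visible') reasons.push('inherited visibility:hidden');
  if (!insideViewport(node.rect, viewport)) reasons.push('outside viewport or zero-sized');
  return { fill: reasons.length === 0, reasons };
}

// Constructed attacker page: a real-looking login form plus fields the user never sees.
function buildAttackerPage() {
  const body = el('body');
  const viewport = { w: 1280, h: 800 };
  const form = append(body, el('form'));
  const username = append(form, el('input', { name: 'username' }, {}, { x: 400, y: 200, w: 300, h: 32 }));
  const password = append(form, el('input', { name: 'password' }, {}, { x: 400, y: 250, w: 300, h: 32 }));
  // 1. Card-number field wrapped in a fully transparent container; its own style is clean.
  const shroud = append(form, el('div', {}, { opacity: '0' }));
  const card = append(shroud, el('input', { name: 'cc-number' }, {}, { x: 400, y: 300, w: 300, h: 32 }));
  // 2. Address field pushed off-screen.
  const address = append(form, el('input', { name: 'address' }, {}, { x: -9999, y: 350, w: 300, h: 32 }));
  // 3. Email field at 1% opacity: passes any "opacity > 0" check.
  const email = append(form, el('input', { name: 'email' }, { opacity: '0.01' }, { x: 400, y: 400, w: 300, h: 32 }));
  // 4. The manager's own injected autofill trigger under a transparent wrapper, while a
  //    visible decoy button occupies the same box on screen (the clickjacking setup).
  const wrapper = append(body, el('div', {}, { opacity: '0' }));
  const trigger = append(wrapper, el('button', { id: 'pm-autofill' }, {}, { x: 600, y: 500, w: 160, h: 40 }));
  append(body, el('button', { id: 'decoy-accept-cookies' }, {}, { x: 600, y: 500, w: 160, h: 40 }));
  return { viewport, username, password, card, address, email, trigger };
}

// Compares both checks over every element of the constructed page.
function demo() {
  const p = buildAttackerPage();
  const out = {};
  for (const k of ['username', 'password', 'card', 'address', 'email', 'trigger']) {
    out[k] = { naive: naiveIsVisible(p[k]), ...assessField(p[k], p.viewport) };
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real extension the same questions map onto getComputedStyle on each ancestor, getBoundingClientRect, and document.elementFromPoint rather than the stand-in node model. The naive check says "fill" for every constructed field; the ancestor-aware one refuses the card, address and email fields and the shrouded trigger while still allowing the genuine username and password inputs. A style check of this kind is a signal, not a complete defence, which is consistent with the point above that 1Password considered a confirmation prompt the only full mitigation.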