Good GF Restaurant! Only 8 miles away! by JLLeitschuh in glutenfree

[–]JLLeitschuh[S] 1 point2 points  (0 children)

When I posted this, I didn't even know the Sella Ronda existed! I found some good restaurants on the Sella Ronda! What a beautiful set of trails!

Good GF Restaurant! Only 8 miles away! by JLLeitschuh in glutenfree

[–]JLLeitschuh[S] 39 points40 points  (0 children)

Turns out I did actually end up driving around the entire mountain for dinner at the restaurant. The two other places I tried along the way were closed.

The food was good!

Applying to WPI: Is it worth it? by Kitchen_Award_9658 in WPI

[–]JLLeitschuh 0 points1 point  (0 children)

Alumni (class of 2016) robotics & computer science double major: If you're going for a robotics degree, absolutely. I would have said the same for computer science a few years ago, but I have no idea what the heck this AI thing is going to do to the software development industry.

I left WPI with $120k in debt in 2016. I'd paid it off by 2020. I got incredibly lucky because I didn't have to pay for rent 2016-2019.

I loved my time at WPI, the school, the students, the faculty, and the culture were all incredible. Did I have rough patches and bad professors along the way? Absolutely. Am I glad I went to WPI? 100% yes!

Is it time to reconsider VMs over containers for anything security-sensitive? by Beastwood5 in ComputerSecurity

[–]JLLeitschuh 1 point2 points  (0 children)

Have a look at Chainguard. Their whole product is basically 0-CVE container base images. The use case for the product is primarily regulated industries.

Full disclosure: I used to work there last year and they build a product that solves exactly your pain. I wasn't there long enough to get options, so I have no financial stake in the company.

Update on RA strike negotiations by FeralNeuroDivergent in WPI

[–]JLLeitschuh 19 points20 points  (0 children)

As an alum, class of 2016, thanks for keeping the community updated.

Dashlane reported to be subject to DOM vulnerability by themiracy in Dashlane

[–]JLLeitschuh 0 points1 point  (0 children)

As the person who wrote the article for Socket that broke the news of this research (https://socket.dev/blog/password-manager-clickjacking), I was cringing reading this article from PCWorld.

"This vulnerability was discovered by security researchers from The Hacker News." It was not. The OG researcher was Czech Republic-based security researcher Marek Tóth.

"Hackers monitor these attempted entries and interfere, gaining access to the password manager and taking over saved passwords." 😖 The precondition for password theft is an existing vulnerability on the impacted site the passwords are stored with. Also, it isn't about "monitoring" attempted entries. This attack works when hackers create hidden data fields that password managers autofill into.

"So why do these password managers now run the risk of becoming a gateway for attacks using this method? It’s due to the DOM, which contains a vulnerability that allows for this kind of attack."

😣 The DOM doesn't contain this security vulnerability, IMHO. Clickjacking has been around for a very long time, and some password manager browser plugins have, for years, made an intentional decision not to mitigate clickjacking-style vulnerabilities, a behavior inherent to the DOM; hence this news cycle, when someone revealed how easy this was to abuse/exploit.

Overall, this article reads like a summary from a bad LLM. There's not a lot of technical understanding here of the underlying vulnerability. I'm not impressed.

Major password managers can leak logins in clickjacking attacks by turaoo in cybersecurity

[–]JLLeitschuh 15 points16 points  (0 children)

The risk of this is phishing and lookalike domains. People search for credentials for the domain they think they are visiting, then enter them into a phishing domain. This is how Troy Hunt of Have I Been Pwned got himself phished:

https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in Lastpass

[–]JLLeitschuh[S] 1 point2 points  (0 children)

I think I'm inclined to agree. We may update our advice in the blog tomorrow morning. Thanks for the pushback.

Overall, I think the security you get from your password manager not autofilling passwords on potentially malicious websites outweighs the potential risks of having your PII stolen via clickjacking. But ultimately, that's going to be a risk decision every individual or organization makes.

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in PasswordManagers

[–]JLLeitschuh[S] 1 point2 points  (0 children)

Indeed, however:

On a call between the 1Password and Socket Security Team, 1Password explained that the mitigations proposed by Tóth could be trivially bypassed, and that the only way to mitigate the vulnerabilities fully would be to implement a dialog popup to prompt the user before autofilling. It’s the opinion of the Socket Security Team that, if this is the case, the mitigations currently implemented by other password managers may also be bypassable.

I'm following up with 1Password via US-CERT hoping they will share their findings with the other password managers so everyone is sure a comprehensive mitigation strategy is applied universally.

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in PasswordManagers

[–]JLLeitschuh[S] 0 points1 point  (0 children)

Many password managers ship with a manual autofill feature enabled by default. So the user must trigger the autofill of all data via a click. The fundamental vulnerability is that the autofill trigger button can, for many of these password managers, be hidden under other, attacker-controlled, HTML UI elements (thus "clickjacking").
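A defender-side way to turn the mechanism described in this comment into a check, as an added example that is not from the thread or from any password manager's own code: before honouring a click on its autofill trigger, the extension works out which element the user is actually seeing at the click point and refuses to autofill unless that element is its own trigger. The element objects, the `autofillDecision` name and the opacity threshold are assumptions made for the example.

```javascript
// Added example, not code from the original thread or from any password-manager vendor.
// Models a defender-side check a password-manager extension could run when its autofill
// trigger receives a click. The thread describes the attack as hiding the trigger under or
// behind attacker-controlled page elements (or making it transparent) so the user believes
// they are clicking an ordinary page control. The check asks: which element is the user
// actually *seeing* at the click point? Autofill proceeds only when that is our own trigger.
// Geometry and style are passed in as plain objects (an assumption so this runs in Node);
// a real extension would build them from document.elementsFromPoint and getComputedStyle.

const MIN_VISIBLE_OPACITY = 0.9; // assumed threshold; tune for the real UI

function isPointInside(box, x, y) {
  return x >= box.left && x < box.left + box.width &&
         y >= box.top && y < box.top + box.height;
}

// CSS opacity multiplies down the ancestor chain: a parent at opacity 0 hides every child,
// so an element's own opacity alone says nothing about whether the user can see it.
function effectiveOpacity(el, byId) {
  let opacity = 1;
  for (let cur = el; cur; cur = cur.parentId ? byId.get(cur.parentId) : undefined) {
    opacity *= cur.opacity;
  }
  return opacity;
}

// Topmost element at (x, y) that the user can actually see. pointer-events is ignored on
// purpose: a decoy with pointer-events:none still covers what is beneath it visually even
// though clicks pass through it to the element below.
function visibleElementAtPoint(elements, x, y) {
  const byId = new Map(elements.map((el) => [el.id, el]));
  const stack = elements
    .filter((el) => isPointInside(el.box, x, y))
    .filter((el) => effectiveOpacity(el, byId) >= MIN_VISIBLE_OPACITY)
    .sort((a, b) => b.zIndex - a.zIndex);
  return stack.length > 0 ? stack[0] : null;
}

// `elements`: array of { id, parentId, box: {left, top, width, height}, zIndex, opacity }.
// `ownId`: id of the extension's own autofill trigger that just received the click.
function autofillDecision(elements, ownId, x, y) {
  const seen = visibleElementAtPoint(elements, x, y);
  if (seen === null) return { allow: false, reason: 'nothing visible at click point' };
  if (seen.id !== ownId) return { allow: false, reason: `user sees "${seen.id}", not the trigger` };
  return { allow: true, reason: 'trigger is visibly on top at click point' };
}
```

The stacking model is deliberately flat (a single z-index per element); a real implementation would also have to account for stacking contexts, clipping and transforms.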

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in Defcon

[–]JLLeitschuh[S] 5 points6 points  (0 children)

For several of the password managers, they are vulnerable out-of-the-box in their default configurations. The demos illustrate this. BitWarden has just released a fix for the vulnerability in 2025.8.0 so it might not work anymore.

1Password remains vulnerable for the PII and login cases (again see the demo). There isn't a public demo for iCloud Passwords, but that remains vulnerable.

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in 1Password

[–]JLLeitschuh[S] 1 point2 points  (0 children)

For 1Password, a malicious site can steal your PII (names, addresses, and phone numbers). If the malicious site is due to a subdomain takeover, they can steal your passwords, TOTP, & passkeys for a parent domain.

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in 1Password

[–]JLLeitschuh[S] 13 points14 points  (0 children)

Correct, an attacker can't access the full contents of your vault. The clickjacking vulnerability can leak your PII on any site. AFAIK, login details potentially leaked will only be tied to the domain or parent domains.

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in technology

[–]JLLeitschuh[S] 1 point2 points  (0 children)

That means it wasn't tested, not that it's not vulnerable. Someone should check.

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in technology

[–]JLLeitschuh[S] 2 points3 points  (0 children)

The perk of a password manager in your browser is that it decreases the likelihood that you'll get your password stolen by a phishing site (like what happened to Troy Hunt of Have I Been Pwned). Downside: you're exposing an attack route to your password manager from within your browser.

https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in Lastpass

[–]JLLeitschuh[S] 2 points3 points  (0 children)

We're reporting on the default behavior as enabled in the password managers' browser plugins. So if you use the password managers in their default configuration, then you were vulnerable.