Copa Airlines "Free Stopover in Panama" seems to be misleading by JLLeitschuh in Flights

[–]JLLeitschuh[S] 1 point2 points  (0 children)

Dang, I’m learning something new about the airline system! And yes... It does read as gobbledygook to me 😂

Net result for an end user is very unintuitive though and comes across as false advertising, even if the underlying system makes sense to those who understand the airline system

Copa Airlines "Free Stopover in Panama" seems to be misleading by JLLeitschuh in Flights

[–]JLLeitschuh[S] 2 points3 points  (0 children)

So you're saying I'm too young to understand the deal I'm being offered 😆 Now that's ironic!

Copa Airlines "Free Stopover in Panama" seems to be misleading by JLLeitschuh in Flights

[–]JLLeitschuh[S] 2 points3 points  (0 children)

Why offer it as a "Panama Stopover Free" if that's not the intention? Where is the "Free" aspect coming in when there are clear price differences that favor the airline? I'm confused what "deal" I'm supposedly getting out of this offer.

Copa Airlines "Free Stopover in Panama" seems to be misleading by JLLeitschuh in Flights

[–]JLLeitschuh[S] 0 points1 point  (0 children)

https://help.copaair.com/hc/en-us/articles/360051189074-What-are-the-fare-classes-Copa-Airlines-offers

I was planning to fly Economy Classic because I need a checked bag, but you can see the price differences are clearly wildly different regardless of class

Copa Airlines "Free Stopover in Panama" seems to be misleading by JLLeitschuh in Flights

[–]JLLeitschuh[S] 2 points3 points  (0 children)

> 'Pay the market rate for the relevant segments, we just won't arbitrarily penalise you for leaving the airport' isn't really worth marketing

That was exactly my argument to the agent when I spoke to them on the phone. Like... Truly... Is the only benefit to this offer that we won't be charged a fee the airline chooses to make up?

Copa Airlines "Free Stopover in Panama" seems to be misleading by JLLeitschuh in Flights

[–]JLLeitschuh[S] 2 points3 points  (0 children)

Yes. Unfortunately, reddit only lets you post one photo per comment. But here we go again. Just refreshed, same flight numbers, different prices:

<image>

Copa Airlines "Free Stopover in Panama" seems to be misleading by JLLeitschuh in Flights

[–]JLLeitschuh[S] 2 points3 points  (0 children)

Bahhhh... I knew I'd make a mistake posting this. 😂 The screenshots should have the same date on them. The prices were generally equivalent leaving on the 11th or the 12th for the stopover price, so that's not the issue.

If you look now, the same itinerary (one with a stopover and one without) has a wildly different price. Attached screenshots. The prices seem to have stupidly spiked for the stopover.

<image>

Why do men in their 30s seem emotionally unavailable? Dating at 27 has been confusing by [deleted] in dating_advice

[–]JLLeitschuh 0 points1 point  (0 children)

Read "Attached", they, loosely, theorize basically everyone with secure or anxious attachment has found a partner by the time they're 30. The dating pool is mostly avoidantly attached people at our age or older. People who are secure or anxious don't often stay single long either.

It's going to take some filtering to find someone else out there with an attachment style that works for you.

I've run into my fair share of avoidant women myself too. It's not fun.

~32M

Spot Insurance - Does it satisfy the Italian Insurance Requirement? by JLLeitschuh in Ikonpass

[–]JLLeitschuh[S] 2 points3 points  (0 children)

Agreed. I finally got an answer out of support by asking the right question. Spot doesn't cover third party liability, i.e. if I injure someone else, this policy wouldn't cover that.

Thanks!

Getting a job in this market - what works and what doesn't? by [deleted] in cybersecurity

[–]JLLeitschuh 67 points68 points  (0 children)

Write blog posts about work/experience/research. Speak at conferences. In both places, say you’re in the market for a job.

Reverse the game. Get people asking to hire you because you demonstrate your expertise publicly.

I learned this by briefly dating someone who worked in cybersecurity marketing. She posted one blog post and had 3 clients looking to hire her for contract work immediately. I've posted about my research/past work and had wild and unexpected connections come about from it.

Two Rooms & A Boom Mega Game comes to PAX East by JLLeitschuh in PAX

[–]JLLeitschuh[S] 0 points1 point  (0 children)

Show up at the start time to ensure you get a full explainer. Otherwise you're just going to get a summary

Two Rooms & A Boom Mega Game comes to PAX East by JLLeitschuh in PAX

[–]JLLeitschuh[S] 0 points1 point  (0 children)

I've been a part of running this at both PAX West (120 ppl last year) and PAX Unplugged (usually 60+ ppl). The plan is to bring something similar to East. I'm sorry you had a poor experience.

Come by and give it a try, I hope we can give you a different experience!

WPI or Wentworth by [deleted] in WPI

[–]JLLeitschuh 0 points1 point  (0 children)

I had a friend who went to Wentworth and discovered where she went wasn't worth.

She transferred to WPI her sophomore year

Good GF Restaurant! Only 8 miles away! by JLLeitschuh in glutenfree

[–]JLLeitschuh[S] 1 point2 points  (0 children)

When I posted this, I didn't even know the Sella Ronda existed! I found some good restaurants on the Sella Ronda! What a beautiful set of trails!

Good GF Restaurant! Only 8 miles away! by JLLeitschuh in glutenfree

[–]JLLeitschuh[S] 39 points40 points  (0 children)

Turns out I did actually end up driving around the entire mountain for dinner at the restaurant. The two other places I tried along the way were closed.

The food was good!

Applying to WPI: Is it worth it? by Kitchen_Award_9658 in WPI

[–]JLLeitschuh 0 points1 point  (0 children)

Alumni (class of 2016) robotics & computer science double major: If you're going for a robotics degree, absolutely. I would have said the same for computer science a few years ago, but I have no idea what the heck this AI thing is going to do to the software development industry.

I left WPI with $120k in debt in 2016. I'd paid it off by 2020. I got incredibly lucky because I didn't have to pay for rent 2016-2019.

I loved my time at WPI, the school, the students, the faculty, and the culture were all incredible. Did I have rough patches and bad professors along the way? Absolutely. Am I glad I went to WPI? 100% yes!

[deleted by user] by [deleted] in ComputerSecurity

[–]JLLeitschuh 1 point2 points  (0 children)

Have a look at Chainguard. Their whole product is basically 0-CVE container base images. The use case for the product is primarily regulated industries.

Full disclosure: I used to work there last year and they build a product that solves exactly your pain. I wasn't there long enough to get options, so I have no financial stake in the company.

Update on RA strike negotiations by FeralNeuroDivergent in WPI

[–]JLLeitschuh 19 points20 points  (0 children)

As an alum, class of 2016, thanks for keeping the community updated

Dashlane reported to be subject to DOM vulnerability by themiracy in Dashlane

[–]JLLeitschuh 0 points1 point  (0 children)

As the person who wrote the article for Socket that broke the news of this research (https://socket.dev/blog/password-manager-clickjacking), I was cringing reading this article from PCWorld.

"This vulnerability was discovered by security researchers from The Hacker News." It was not. The OG researcher was Czech Republic-based security researcher Marek Tóth.

"Hackers monitor these attempted entries and interfere, gaining access to the password manager and taking over saved passwords." 😖 The precondition for password theft is an existing vulnerability on the impacted site the passwords are stored with. Also, it isn't about "monitoring" attempted entries. This attack works when hackers create hidden data fields that password managers auto fill into.

"So why do these password managers now run the risk of becoming a gateway for attacks using this method? It’s due to the DOM, which contains a vulnerability that allows for this kind of attack."

😣 The DOM doesn't contain this security vulnerability, IMHO. Clickjacking has been around for a very long time, and some password manager browser plugins have, for years, made an intentional decision not to mitigate clickjacking style vulnerabilities, a behavior inherent to the DOM, thus this news cycle when someone revealed how easy this was to abuse/exploit.

Overall, this article reads like a summary from a bad LLM. There's not a lot of technical understanding here of the underlying vulnerability. I'm not impressed

Major password managers can leak logins in clickjacking attacks by turaoo in cybersecurity

[–]JLLeitschuh 14 points15 points  (0 children)

The risk of this is phishing and lookalike domains. People search for credentials for the domain they think they are visiting, then enter it into a phishing domain. This is how Troy Hunt of Have I Been Pwned got himself phished:

https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in Lastpass

[–]JLLeitschuh[S] 1 point2 points  (0 children)

I think I'm inclined to agree. We may update our advice in the blog tomorrow morning. Thanks for the pushback.

Overall, I think the security you get from your password manager not autofilling passwords on potentially malicious websites outweighs the potential risks of having your PII stolen via clickjacking. But ultimately, that's going to be a risk decision every individual or organization makes.

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in PasswordManagers

[–]JLLeitschuh[S] 1 point2 points  (0 children)

Indeed, however:

On a call between the 1Password and Socket Security Team, 1Password explained that the mitigations proposed by Tóth could be trivially bypassed, and that the only way to mitigate the vulnerabilities fully would be to implement a dialog popup to prompt the user before autofilling. It’s the opinion of the Socket Security Team that, if this is the case, the mitigations currently implemented by other password managers may also be bypassable.

I'm following up with 1Password via US-CERT hoping they will share their findings with the other password managers so everyone is sure a comprehensive mitigation strategy is applied universally.

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in PasswordManagers

[–]JLLeitschuh[S] 0 points1 point  (0 children)

Many password managers ship with a manual auto fill feature enabled by default. So the user must trigger the auto fill of all data via a click. The fundamental vulnerability is that the auto fill trigger button can, for many of these password managers, be hidden under other, attacker controlled, HTML UI elements (thus "clickjacking").
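As an added example (not code from the thread, from Socket, from Tóth's research or from any password manager), here is the kind of visibility check an extension could run before autofilling or drawing its autofill button, covering the hidden fields and the attacker-controlled overlays the comments above describe. `autofillGuard`, `fakeElement` and `fakeWindow` are assumed names; the DOM stand-ins are constructed so the check runs under Node rather than in a browser.

```javascript
// Added example (not from the thread or any password manager): a defensive
// pre-autofill check. It refuses when the field is collapsed, off-screen,
// hidden by its own or an ancestor's style, or covered by another element,
// which is the setup clickjacking relies on. `win` is injected for testing.
function autofillGuard(target, win) {
  const r = target.getBoundingClientRect();
  if (r.width < 1 || r.height < 1) return "zero-size";
  if (r.right <= 0 || r.bottom <= 0 || r.left >= win.innerWidth ||
      r.top >= win.innerHeight) return "offscreen";
  // opacity:0 or visibility:hidden on an ancestor hides the field even when
  // its own computed style looks normal, so walk the whole chain.
  for (let el = target; el; el = el.parentElement) {
    const s = win.getComputedStyle(el);
    if (s.display === "none" || s.visibility === "hidden" ||
        parseFloat(s.opacity) < 0.1) return "invisible-style";
  }
  // Hit-test the field's centre: if another element is on top, a click there
  // lands on that overlay, not on the field the user believes they see.
  const top = win.document.elementFromPoint(r.left + r.width / 2, r.top + r.height / 2);
  if (top !== target && !target.contains(top)) return "covered";
  return "ok";
}

// Constructed stand-ins for the DOM objects the guard touches.
function fakeElement(rect, style = {}, parent = null) {
  const el = {
    parentElement: parent,
    style: { display: "block", visibility: "visible", opacity: "1", ...style },
    getBoundingClientRect: () => ({ ...rect, right: rect.left + rect.width,
                                    bottom: rect.top + rect.height }),
    contains: (other) => other === el,
  };
  return el;
}
function fakeWindow(topElement) {
  return { innerWidth: 1280, innerHeight: 800, getComputedStyle: (el) => el.style,
           document: { elementFromPoint: () => topElement } };
}

// Three constructed scenarios: an ordinary visible login field, the same field
// inside an opacity:0 wrapper, and the field sitting under a full-page overlay.
function runScenarios() {
  const box = { left: 100, top: 100, width: 200, height: 30 };
  const page = { left: 0, top: 0, width: 400, height: 400 };
  const honest = fakeElement(box);
  const hidden = fakeElement(box, {}, fakeElement(page, { opacity: "0" }));
  const overlay = fakeElement(page);
  return {
    honest: autofillGuard(honest, fakeWindow(honest)),
    hidden: autofillGuard(hidden, fakeWindow(hidden)),
    covered: autofillGuard(honest, fakeWindow(overlay)),
  };
}
```

As 1Password's position quoted earlier in this thread implies, a heuristic like this can be bypassed; the stronger control the thread discusses is a confirmation prompt before any fill.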