Alarm raised over Mozilla VPN: Wonky authorization check lets users cause havoc

A security engineer at Linux distro maker SUSE has published an advisory for a flaw in the Mozilla VPN client for Linux that has yet to be addressed in a publicly released fix because the disclosure process went off the rails. In a post to the Openwall security mailing list, Matthias Gerstner describes a broken authentication …

  1. Anonymous Coward
    Boffin

    The maximum embargo period of 90 days has been exceeded

    “We publish this report today, because the maximum embargo period of 90 days we offer has been exceeded. Most of the issues mentioned in this report are currently not addressed by upstream, as is outlined in more detail below.”

  2. Will Godfrey Silver badge
    WTF?

    Does anyone take this seriously?

    We seem to have a stream of vulnerability warnings with nothing being done till way too late.

    1. ecofeco Silver badge

      Re: Does anyone take this seriously?

      Been this way for years with every company.

      I know a couple of former ITSec folks who are former for a reason. That reason being nobody was taking their warnings and recommendations seriously and then tried to scapegoat them when SHTF. So they quit.

      And there seems to be no change on the horizon either.

      1. Anonymous Coward
        Anonymous Coward

        Re: Does anyone take this seriously?

        Couldn't agree more.

        I've properly disclosed bugs, vulnerabilities and exploits many times over my career (spanning 20 years) and in my experience, it is quite common for software developers to take it personally and completely lose their shit...it is also quite common for software developers (those with an MSc or a PhD from certain institutions) to look down and sneer then try and convince me that I must be mistaken because of "do you know who I am?".

        I've had a few scuffles with the police and lawyers in my time over vulnerability disclosures. It never goes anywhere, but it is a massive waste of everybody's time...all of this is very UK centric though...I find if I disclose things to companies outside the UK, it is less hostile...the US for example, it is pretty common to be paid and asked to assist with the fix...usually in Blighty you're told to shut up, sign an NDA and fuck off.

        My top 3 wankers of all time were Cambridge educated. Two MSc one PhD. The number 1 was the PhD guy who consistently denied the existence of a SQL injection bug...I was a lot younger at the time and he proceeded to call me a "little bastard", "unqualified shit" and a "disrespectful caddish bounder"...the last one had me in fits of laughter in a meeting...never before or since that meeting have I ever been called a "caddish bounder"...especially not in such a serious tone...this dude threatened to call the Police on a few occasions.

        Number 2 on the list was an MSc, he'd built an analytics platform from scratch that captured data while a user went about their business on the site (e.g. filling in forms etc) and then the platform would go off and scrape various social media APIs, phone directories etc...essentially building a list of sales leads with contact info. Anyway, the guy claimed his system was "bulletproof" and could not be hacked because it didn't use SQL and had many layers of protection between the external facing services and the database...long story short, the Javascript that was injected on to customer websites hoovered up literally everything without sanitising it...you could get it to suck up arbitrary Javascript that you placed in a text field, and the backend customer dashboard would arbitrarily execute it when it tried to render it...at no point along the chain was anything checked or sanitised...my first demonstration, because I could tell this guy was a prick, was to just inject arbitrary text on to the dashboard...unimpressed he decided to brush it off, so I highlighted that this could be much worse...he then flew off the handle, accused me of wasting his time and he bet me £100 that I couldn't manipulate the backend dashboard in any meaningful way...so I injected some harmless JS that would display an alert with "hello world" in it in the browser console...again "So what? I'm keeping my £100"...so I said, alright, double or nothing I can deface the dashboard and trap your crawlers somewhere...he laughed his ass off at me and took the bet...he sent me a picture of a very large rubber penis and told me "Get this picture of yourself on the dashboard, and I might pay you"...Needless to say, his database was absolutely chock full of that particular image within about 10 minutes, and because of the way his crawlers followed links, I had 6 out of his 8 crawlers looping around a page I set up constantly ingesting the image he sent me.

        Needless to say the dude absolutely flipped his lid...by this point, I'd spoken to his business partner and someone I knew who was an investor in the business....I was never hired to fix the bug, rewarded for finding it or even acknowledged for it...not one person said "thanks"...but about 3 months down the line I was informed that all funding into the business had been withdrawn, the company went tits and the MSc guy decided to go into teaching...I'm not sure where, but he was teaching at a university somewhere...presumably creating new generations of self obsessed, utterly useless twats.

        Anyway, my point is, too many overqualified people in the business take disclosures personally and they are very quick to dial shit up to 10 and invoke our shitty laws to keep the problem under wraps and never actually deal with it.

        These days, if I find a bug, I just don't bother disclosing it to the lead engineers / devs...I disclose directly to the CEO (if it is even possible to contact them) and go through them...it attracts even more ire from the technical folks, but at least you have some level of confidence that you won't be shafted by an obnoxious over confident charlatan of a developer.

        What would really go a long way, is developers not taking things personally...I don't know the timescales you were working to or the budget you had...I'm not there to make you look bad...I'm there to help...if you were fucking smart, you'd use a bug disclosure as evidence that cutting corners leads to problems and leverage the situation to change internal aspects of your development and testing process...that I can get onboard with...assuming that you are hot shit because of where you studied and the paperwork that you hold though and swinging your dick around...you will lose all respect immediately...especially if you are an older professional...because not all that long ago the curriculum at most universities for Comp Sci / Software Development was shit...so shit, that the vast majority of engineers / developers didn't bother going to university, because it would have been 5 years spent learning nothing useful which would put you at a 5 year disadvantage against other professionals...not to mention, you'd also be in debt...we're an industry full of pragmatists...it isn't often the case that people with fewer qualifications in our space are "talentless fuckwits", quite the contrary in fact...many people in this space have few to zero academic qualifications because any pragmatic thinker would weigh up the pros and the cons and make a decision accordingly...because this is an industry where your skills and abilities far outweigh the paperwork you can wave around...the paperwork can more often than not set you back in a big way...because the minute an actual engineer gets a whiff that you're trying to leverage a qualification without demonstrating anything, you are on his shit list...you get a lot further in this industry by simply demonstrating your skills...if you come to me and explain something without demonstrating it, I won't take a lot of notice (I would have about 20 years ago, because search engines and the like weren't a thing, so writing something up had some value)...but because Google / YouTube exists, a simple explanation will not suffice...if you come to me and confidently show me, I'll take notice and I'll take you seriously.

        To give you some actual real world examples of why academics are generally shit...my nephew recently got his BSc (hons) in Computer Science (Network Engineering)...I'm proud of him, of course...but I did put him to the test...he came round after graduating and I gave him a length of CAT6, two RJ45s and a crimping kit and asked him to make me a 1m patch lead...he could not do it...but he has been led to believe by his lecturers that he is ready for a management position in the tech industry...I am planning on throwing him in at the deep end at some point, to give him a nice dose of reality to bring him down to Earth a bit...here is a list of other stuff he cannot do (not exhaustive):

        1. Build a VM and install Windows in it.

        2. SSH into a Linux server and get the IP address.

        3. Understand the symbols on a network diagram.

        4. Shutdown Windows using the command prompt.

        5. Explain what a package manager is.

        6. Tell me what port 80, 25 and 23 are and which ones should be disabled and why.

        7. Define the acronym "NAT".

        1. Will Godfrey Silver badge
          WTF?

          Re: Does anyone take this seriously?

          This is crazy. I don't doubt what you're saying but simply can't understand the attitude. If anyone reports a bug on our (relatively unimportant) project. All else stops until it's fixed.

          1. Anonymous Coward
            Anonymous Coward

            Re: Does anyone take this seriously?

            You are in the minority. I'd love to do cybersecurity tests for you guys.

            See the thing is, cybersecurity is something you can take into account while you develop, but there are aspects to development that might obscure potential security issues. That, and cybersecurity people can have a much easier time of it...it's way easier to pull something apart than it is to put it together.

            Cybersecurity folks aren't weighed down by the same bullshit processes that developers are weighed down by, that's why it's difficult to stay ahead of your bug tracker...if I find a bug / vulnerability I never...*ever* accuse the developers of shit development because I know that there were probably other aspects at play...budget, deadlines etc...developers on the other hand sometimes forget this (you clearly don't) and assume that a bug report etc is a personal assault. The only exception is if the developers are arseholes like I mentioned in my previous post.

            If someone is willing to test your shit for free and responsibly report the bug, you should be all over that shit and encouraging it...it's "free" labour and QA...never look a gift horse in the mouth. Of course the door does swing both ways, and it is always nice to receive a reward for finding a bug...I personally understand that it's not always possible to do this (especially for smaller, niche products) in which case some sort of acknowledgement is nice because then there is proof that exists that I found a bug and can indeed do what I say I can do, I can take the acknowledgement and use it to market myself to get some paid work.

            For the stuff I mentioned above, I tested and disclosed for free and I never got paid a penny. I was never acknowledged. All I got was shit and abuse and legal threats...if we want to encourage better cybersecurity, that shit has to stop and some level of mutual respect has to be found.

            Cybersecurity is something that a lot of people get wrong, because it isn't always logical...for example, you can spend ages fortifying your front door, getting the best material, only buying certified products, having multiple locks, loads of camera pointed at it etc...but it's all for nothing if someone can just pick up a brick and smash a window...it's false security...this is how a lot of cybersecurity folks find bugs...we ain't testing your front door...we're walking around the whole place and focusing on the bits that aren't obvious.

            In the case of the analytics platform I mentioned, their servers were absolutely locked down...they spent lots of time and effort to ensure their servers couldn't be hacked...but they spent jack shit ensuring the data passing in was secure / safe...none of their security mattered at all because even though their own infrastructure wasn't vulnerable...their customers were...and that is the target for most cybercriminals...

        2. Rilik

          Re: Does anyone take this seriously?

          > "Get this picture of yourself on the dashboard, and I might pay you"...Needless to say, his database was absolutely chock full of that particular image within about 10 minutes, and because of the way his crawlers followed links, I had 6 out of his 8 crawlers looping around a page I set up constantly ingesting the image he sent me.

          This is epic. Unfortunate the egomaniac guy is still around causing damage :(

        3. Anonymous Anti-ANC South African Coward Silver badge

          Re: Does anyone take this seriously?

          1. Build a VM and install Windows in it.

          2. SSH into a Linux server and get the IP address.

          3. Understand the symbols on a network diagram.

          4. Shutdown Windows using the command prompt.

          5. Explain what a package manager is.

          6. Tell me what port 80, 25 and 23 are and which ones should be disabled and why.

          7. Define the acronym "NAT".

          I don't have a degree or some fancy hoity-toity paperwork, but I can do from 1 to 7 without breaking a sweat. Self-learnt.

          I do believe that you have to work yourself up, not just go and study some XYZZY degree, then get an instant mangler position, and expect to know everything.

          1. darkrookie28

            Re: Does anyone take this seriously?

            1. Can do that. Hyper-V just makes my computer run weird.

            2. How do you do that if you don't have the IP already?

            3. Nope, I barely understand how it works to begin with.

            4. shutdown /s /t 0 for cmd and Stop-Computer for powershell.

            5. It's a piece of software that manages packages.

            6. 80 is HTTP. I can't recall the others. FTP?

            7. Network Address Table.

        4. Halfmad

          Re: Does anyone take this seriously?

          This is similar to how I used to test candidates for jobs. Bit of a pop quiz to start, some practical test e.g. point to things and ask them to explain how they work (such as a mechanical drive, switch, hub etc)

          Then onto the actual interview.

          If they couldn't tell me the difference between a network hub and switch they were generally doomed though.

        5. Someone Else Silver badge

          @ AC -- Re: Does anyone take this seriously?

          I suspect the two down-voters are the PhD and MSc you referred to....

        6. ragnar

          Re: Does anyone take this seriously?

          > "I gave him a length of CAT6, two RJ45s and a crimping kit and asked him to make me 1m patch lead...he could not do it...but he has been led to believe by his lecturers that he is ready for a management position in the tech industry"

          How often do you think managers in the tech industry have to do this? It's utterly irrelevant to the job.

    2. Anonymous Coward
      Anonymous Coward

      Re: Does anyone take this seriously?

      If you were to act on every vulnerability warning that comes out, you would never have anything running.

      From my desk, the advantages of "digital" when it comes to operational technology are outweighed by the continuous cost of securing them, and in fact you get a better CBA for running such equipment manually.

      The risks are different of course, chiefly being a "staff/security" risk rather than an IT one that you cannot control no matter what illusions one tells one self.

      1. Anonymous Coward
        Anonymous Coward

        Re: Does anyone take this seriously?

        "If you were to act on every vulnerability warning that comes out, you would never have anything running."

        It only takes one to utterly make a mess of things.

        1 - start with a platform that doesn't need patching every msec, even if they camouflage the volume and work interruptions now by releasing patches in biweekly blobs. If you get hosed in between those 14 days I guarantee you that that company will blame you, not itself.

        2 - take bug reports seriously. They're effectively free labour, but they come with a twist: after you have been warned, you no longer have an excuse when the patch arrives.

        3 - test patches. Some are created in a hurry in a laudable attempt to close the hole quickly, but sometimes that hurry comes with side effects.

        4 - keep an eye on the costs of patching, including just how much time you and others have lost. Make sure to add that to your cost of ownership calculations.

        HTH.

        1. Anonymous Coward
          Anonymous Coward

          Re: Does anyone take this seriously?

          Desktop isn't so bad to inconvenience a few outlook users - "roll the patch after testing it is the proper reaction". In OT world shutting down production lines, utilities, etc. for the duration of change is rather more problematic.

          Industrial systems are out there running literally every OS conceived back to the 1960's in production environments, that won't be going away any time soon.

          Personally I am quite keen on well designed TTL logic in hardware and/or electromechanical solutions that don't have a software layer. Can do an awful lot of OT with such solutions without ever having to touch a supplier that permanently screams download firmware and update now. The act of patching is itself fraught with risk; for example if you have to plug a USB stick into your modern PLC to flash it... How do you ensure that stick is appropriately clean, etc.

          Course, most big companies haven't a scooby doo what's on the ground to begin, so the fun of even knowing what's out there is most of the battle.

  3. CowHorseFrog Silver badge

    I can understand why people think they need a VPN, but why do people trust any random company as their VPN ?

    1. Anonymous Coward
      Big Brother

      Why do people trust any random company as their VPN ?

      @CowHorseFrog: “I can understand why people think they need a VPN, but why do people trust any random company as their VPN ?”

      Especially as some of these companies are run by ex spooks ;)

    2. Anonymous Coward
      Anonymous Coward

      Because a VPN provider is just a conduit through which you can escape the bullshit routing inside an ISP.

      Your ISP probably has various transparent proxies in operation that snag your DNS requests, web requests etc etc...a VPN provider has neither the infrastructure nor the money to have this kind of infrastructure...nor do they care.

      You can see this shit in action when you compare the DNS lookup results between your ISP and those received over a VPN...even if you use the same public DNS servers. Especially for larger platforms like Youtube, Netflix etc...

      For example, if I use 1.1.1.1 on my naked Virgin Media connection, I always hit the same group of around 5-6 IP addresses...over a VPN, the group is much larger and doesn't include the IP addresses I see on my naked connection.

      The major difference is in the performance...over a VPN a Youtube video will play almost instantly, on my naked connection, there is always a small delay. I don't know how Virgin is doing this or why, and that bothers me. If they were as transparent as their proxies are, I might not be inclined to use a VPN.

      You can also test this out by taking the SHA256 of an image that you upload somewhere...then download it again via a browser, SHA256 it again and you'll see that sometimes they don't match. I'm pretty sure this is just compression to save them precious bandwidth on their creaking network...but there is nothing stopping them using this sort of thing for more sinister reasons.

      Remember, HTTPS is only effective if the listener on the wire doesn't have the HTTPS handshake with all the associated keys...your ISP can see everything, so it's relatively trivial for them to capture handshakes and decrypt your traffic, fuck with it, then re-encrypt it...tools for this sort of thing have existed for aaaaaaages...hell you can do it with Wireshark.

      This is why I find the whole "backdoor" in encryption thing a bit of a joke. I don't think they're looking for ways to do it, I think they can they already do it, they just want to legitimise it...the way these things typically pan out, is the initial draft of the law is egregious and not what they're after at all...in the course of debate and re-drafting, it gets "toned down" into exactly what they want...because all the focus is on the egregious stuff, not the actual stuff they're looking for.

      While everyone is flapping about the government wanting to read all their messages, they aren't focusing on other areas of surveillance...like simply decrypting and sniffing your traffic transparently.

      If the government wants to read your WhatsApp, they could get your phone provider to clone your SIM card and set up a device that can simply receive your messages...no need for any backdoors.

      1. sten2012

        > You can also test this out by taking the SHA256 of an image that upload somewhere...then download it again via a browser, SHA256 it again and you'll see that sometimes they don't match. I'm pretty sure this is just compression to save them precious bandwidth on their creaking network...but there is nothing stopping them using this sort of thing for more sinister reasons.

        You're saying a VPN fixes this? Because I don't believe it. The service at the other end may be compressing but I do not believe the ISP is.

        > Remember, HTTPS is only effective if the listener on the wire doesn't have the HTTPS handshake with all the associated keys...your ISP can see everything, so it's relatively trivial for them to capture handshakes and decrypt your traffic, fuck with it, then re-encrypt it...tools for this sort of thing have existed for aaaaaaages...hell you can do it with Wireshark

        Same point here I think, what? The CA may have the keys, where an ISP offers CA services. Or they may generate certs or have wildcard ones if they have CA privileges. But neither of these are transparent. Just warningless. So it would be seen eventually and the CA privileges swiftly revoked. People do monitor for this.

        If they aren't a CA, or hosting the destination servers, why would they have the keys just from watching the wire? Back in AOL days, maybe. When you had to install their software but not any more. But sniffing the wire isn't enough.

        1. Anonymous Coward
          Anonymous Coward

          No it doesn't fix it, and that wasn't what I was alluding to...it's less financially viable for a VPN provider to mess with your traffic and as such it is less likely that anything you push through the tunnel (DoH etc) will be fucked with.

          I use a VPN specially to avoid my ISP infrastructure, then I push other encrypted traffic through it.

          The key thing to remember is the point at which your traffic exits a network is the legal jurisdiction for that traffic. So if you want to escape draconian surveillance laws, you need to ensure that the plain text traffic you send (if any) exits in a country that either your home country has no agreement with or somewhere that has more relaxed laws when it comes to encryption etc.

        2. Anonymous Coward
          Anonymous Coward

          "The CA may have the keys..."

          Anyone that can intercept a handshake has the keys...you can transparently decrypt traffic without having to relay it on...your connection to wherever you're communicating is still end to end encrypted, but if you have the handshake you can decrypt anything in that secure channel.

          You're thinking in terms of SSL strip or something similar...that is not the goal of snooping...that setup creates a plain text environment in the form of a man in the middle attack...the government probably isn't interested in this...they want your channel to function as you would expect it to while silently decrypting the captured traffic elsewhere...this is achievable if you capture the handshake...they don't need to monitor you in realtime, they just need to be able to capture your traffic and decrypt it somewhere else...this is entirely possible...I do it all the time testing IoT devices.

          1. mvduin

            "Anyone that can intercept a handshake has the keys"

            Sorry but no, that's complete and utter nonsense. In fact, even if you have the server's private key you cannot passively snoop on a TLS-encrypted connection unless it uses some ancient ciphersuite that doesn't include DH/ECDH. And active interception (i.e. a man-in-the-middle-attack) requires having a valid certificate for the domain that the client is trying to connect to. In other words, to be able to decrypt TLS traffic to random domains you need to be able to generate valid certs for them hence you need the private key of a certificate authority trusted by the client, typically achieved (in cases where the interception is desired by the user, e.g. for debugging) by generating your own CA and installing its cert into the client as a trusted root certificate.

            There have been rare cases where real-world traffic interception happened using a real CA key but those got caught very quickly and resulted in the CA responsible getting distrusted by all browsers, see e.g. DigiNotar (whose infrastructure got compromised by attackers who subsequently used it to issue unauthorized certs) and CNNIC (which willfully issued an unconstrained CA certificate to a company that used it for TLS interception). And nowadays it has become _extremely_ easy to detect rogue CA behaviour thanks to a mechanism called "Certificate Transparency" (introduced by Google in response to previous CA incidents) which requires CAs to submit certificates to public append-only logs before those certificates are accepted as valid by browsers that implement CT (Chrome and Safari), enabling admins to track whether unauthorized certificates have been issued for their domains.
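The forward-secrecy point made in the post above (a recorded handshake plus the server's private key is enough to recover the session key for the old static-RSA key exchange, but not for an ephemeral DH exchange where the key only signs), as an added toy model that is not code from the post or from any TLS implementation. The RSA primes, the 61-bit DH group and the SHA-256 "KDF" are constructed stand-ins for illustration, not real TLS parameters.

```python
"""Toy model of two key-exchange styles: static RSA versus ephemeral DH.
Shows what a passive eavesdropper holding the server's long-term private
key can and cannot derive from a recorded handshake. Added illustration;
all parameters are deliberately tiny, constructed toy values."""
import hashlib
import secrets

# Toy RSA long-term key for the server (constructed; real keys are 2048+ bits).
RSA_P, RSA_Q = 104729, 1299709          # small, well-known primes
RSA_N = RSA_P * RSA_Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))
SERVER_PUB = (RSA_N, RSA_E)
SERVER_PRIV = (RSA_N, RSA_D)

# Toy DH group (constructed): a 61-bit Mersenne prime with generator 3.
# Real TLS uses X25519 or the RFC 7919 groups; the argument is the same.
DH_P = 2 ** 61 - 1
DH_G = 3

def int_bytes(n: int) -> bytes:
    """Big-endian encoding used to feed integers into the hash."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def kdf(shared_secret: int, client_random: bytes, server_random: bytes) -> bytes:
    """Session key from the shared secret and both nonces (stand-in for the TLS PRF/HKDF)."""
    return hashlib.sha256(int_bytes(shared_secret) + client_random + server_random).digest()

def rsa_encrypt(pub, m: int) -> int:
    n, e = pub
    return pow(m, e, n)

def rsa_decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)

def rsa_sign(priv, msg: bytes) -> int:
    """Textbook hash-then-sign, no padding (toy only)."""
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big") % n, d, n)

def rsa_verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def handshake_static_rsa():
    """TLS 1.2-style RSA key exchange: the client encrypts a fresh premaster
    secret to the server's long-term public key. Returns (session_key, capture)."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    premaster = secrets.randbelow(RSA_N - 2) + 2
    capture = {                         # everything a wire sniffer records
        "client_random": client_random,
        "server_random": server_random,
        "encrypted_premaster": rsa_encrypt(SERVER_PUB, premaster),
    }
    return kdf(premaster, client_random, server_random), capture

def handshake_ephemeral_dh():
    """(EC)DHE-style exchange: both sides pick one-time exponents; the server's
    long-term key only signs its share. Returns (session_key, capture)."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    x = secrets.randbelow(DH_P - 2) + 1            # client ephemeral secret, never sent
    y = secrets.randbelow(DH_P - 2) + 1            # server ephemeral secret, never sent
    client_share, server_share = pow(DH_G, x, DH_P), pow(DH_G, y, DH_P)
    signed = client_random + server_random + int_bytes(server_share)
    signature = rsa_sign(SERVER_PRIV, signed)
    assert rsa_verify(SERVER_PUB, signed, signature)   # client authenticates the server
    shared = pow(server_share, x, DH_P)             # client side
    assert shared == pow(client_share, y, DH_P)     # server side derives the same value
    capture = {
        "client_random": client_random,
        "server_random": server_random,
        "client_share": client_share,
        "server_share": server_share,
        "signed": signed,
        "signature": signature,
    }
    return kdf(shared, client_random, server_random), capture

def passive_decrypt(capture, server_priv):
    """What an eavesdropper holding the server's private key can derive from a
    recorded handshake: the session key, or None when the capture does not
    contain enough to compute it."""
    if "encrypted_premaster" in capture:
        premaster = rsa_decrypt(server_priv, capture["encrypted_premaster"])
        return kdf(premaster, capture["client_random"], capture["server_random"])
    # Ephemeral DH: the private key only lets you verify the signature on g^y.
    # The shared secret g^(xy) needs x or y, neither of which crossed the wire;
    # getting it from g^x and g^y alone is the discrete-log problem. Reading
    # the traffic would need an active MITM, which real TLS clients reject
    # unless the interceptor also presents a certificate they trust.
    return None
```

Run `handshake_static_rsa()` and `handshake_ephemeral_dh()` and feed each capture to `passive_decrypt` with `SERVER_PRIV`: the first returns the session key, the second returns `None`.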

            1. This post has been deleted by its author

            2. sten2012

              I think these blatantly false assertions probably shine a light on what is clearly the same AC's comments above about how those meetings with academics went and the difficulty in communicating with them.

              There's some major knowledge gaps present here along with the guarantees that they've actually done this. This would be huge news if encryption was this broken.

              All I can say is I look forward to their tutorial posts on how to decrypt TLS from a passive sniffing position because it would make my pentesting a million times easier.

              "I'm probably thinking of SSLStrip" though. *eye roll*

              Having said this, while importing a CA certificate is by far the most common method of intercepting TLS for testing, it is possible to start browsers with configurations and flags to dump the secrets and have Wireshark read it:

              https://wiki.wireshark.org/TLS

              But I've only used that a few times because what you suggest is practically always the better approach for testing. But it's not quite, say, the only option if you have that kind of privileged access.

              All I can think though: What they do say does kind of tally with WPA1/2 (no idea for 3 personally) where you know the preshared key though and still need to have captured the handshake to passively decrypt from that position, so I wonder if it's overconfidence and confusion with that rather than intentional outright lies?

    3. sten2012
      Devil

      I would like to take your "ISP being able to look at network traffic on the wire" and raise you "installing software on your machine to ensure we keep that wire private". Oh. And pay me extra for the privilege. Thanks!

      Insanity.

      I don't trust my ISP. But these often tiny "trusted internet access" VPN providers I trust even less and expect actually more privileged access to your data because people usually want to deliver a shiny UI instead of a VPN profile. Insane. Oh. And their boxes need internet access too. Soooo more ISPs in the loop, just ones you can't choose. But often whacked in a cheap data center, where they buy a box of some IaaS but don't control a massive amount of networking they pump your traffic through.

      The only privacy plus is aggregation. IF you trust them.

      1. Anonymous Coward
        Anonymous Coward

        There are no laws that compel a VPN provider to capture and store your data...also their revenue flow precludes them from being able to do it in the first place.

        It's all about money.

        Your ISP - Flush with cash, government subsidies etc.

        VPN Provider - Nowhere near as flush, zero government subsidy.

        Monitoring and capturing data all comes down to money. You have to store the data, pay for the expertise to manage that storage etc...a VPN provider has nowhere near the resources that an ISP has...also a VPN provider would go dead overnight if it was caught snooping...there's a lot more on the line for a VPN provider...your ISP won't go bust, because they might be only 1 of 3 providers in your area...if you're really unlucky, they might be the only provider...so you can't avoid using them...even if they are grubby, government spying outposts.

    4. ragnar

      Mozilla isn't "any random company" - they're a relatively trusted cornerstone of the web and millions use their browser due to its increased privacy over Chrome.

  4. sitta_europea Silver badge

    In my experience of reporting issues to Mozilla, this all sounds very familiar and completely normal.

    It took them more than eight years to get onto my last report, which was only that it was impossible with their user interface to set up the Mozilla mail client to use a local server...

    So despite *really* not wanting to, I kicked Mozilla into touch, for everything, years ago, and won't ever be going back.

    1. Anonymous Coward
      Anonymous Coward

      That might be a bit unfair, because Mozilla is split into various teams that have their own individual funding...the email client was neglected for a long time...

      ...that said, the mail client sector is about to be blown wide open with the new UI that Microsoft has released for Outlook, which may be why Mozilla has woken up and re-invigorated the mail client team...my god do people hate the new Outlook UI...personally, I think it's wonderful because I'll be able to start suggesting better mail clients and hopefully send Outlook into the fucking dustbin of history.

      A lot of people have been waiting a long time for Microsoft to shoot itself in the foot with Outlook and it would appear the time is upon us.

      1. Anonymous Coward
        Anonymous Coward

        ".. do people hate the new Outlook"

        There's a reason it's called "Look Out"

        I've never used a version of "outlook" that didn't get sworn at.

      2. Anonymous Coward
        Anonymous Coward

        Absolutely. The few users I have here that have started using it have found that some functionality is just downright missing!

  5. Anonymous Coward
    Anonymous Coward

    No surprise...

    Linux is full of kludgy windows-like hacks. All sorts of weird daemons doing things that should be done properly, but that doesn't make the cool kids happy!

    1. Anonymous Coward
      Linux

      Linux is full of kludgy windows-like hacks said the troll

      Anon: “Linux is full of kludgy windows-like hacks. All sorts of weird daemons doing things that should be done properly, but that doesn't make the cool kids happy!”

      Ideally a VPN should be run on embedded hardware with a read-write switch set in the read-only setting.

      1. stiine Silver badge
        Facepalm

        Re: Linux is full of kludgy windows-like hacks said the troll

        Yeah, right.... because we all know that vpn software never has bugs.

    2. Sceptic Tank Silver badge
      Linux

      Pipes Dream

      I learned my programming in DOS/Windows environments. Then started writing programs for Linux (i.e. *nix). Then discovered where the MS people got most of their ideas from.

  6. Steve Graham

    Decrease the attack surface.

    This is why I de-install polkit on any new Linux installation, and if any package imports it as an essential dependency, I nuke all the executables.

  7. Anonymous Coward
    Anonymous Coward

    SUSE on the ball

    "The software was reviewed by the SUSE security team, a standard procedure,[...]"

    Wow! If only that were standard elsewhere -- I am very impressed.
