
Centos – YUM Security Updates are only for the latest minor release

CentOS is widely used as a free, enterprise-level alternative to Red Hat Enterprise Linux.  As each CentOS major release is expected to last around 10 years, we all assume that CentOS can install security updates – but surprisingly, it cannot for ANY legacy minor release.

CentOS does not provide yum with the metadata that identifies security updates.   Yum reads security flags from the repository’s updateinfo.xml file, and if there’s nothing in updateinfo.xml, then no security-only update will ever be installed.   Ever!

You can scan as often as you want – no security updates will ever be installed.  Ever!

The CentOS policy seems to be that you will update to the latest version.  It’s an all-or-nothing philosophy: use the latest version, or you’re on your own.

Only the latest minor version receives security updates from CentOS.  The moment the minor release changes, i.e. from 7.4 to 7.5, only 7.5 will receive security updates.

Centos Forums

If you are referring to the ability to run e.g. yum --security update then you are out of luck as CentOS does not supply the necessary data in the yum repositories to allow the yum-plugin-security plugin to work at all. It does not work.

Shankardeo: just because they do not fail does not mean they do anything useful. The necessary metadata needed for yum-plugin-security to function – i.e. to know what patches fix what – is missing entirely from the CentOS supplied yum repos. This renders yum-plugin-security a noop and if you use yum update --security then it will always tell you that nothing from CentOS needs an update thus giving you a false sense of security as the reason it doesn’t is because it lacks the knowledge to know that such-and-such a patch is a security update.

The EPEL yum repo does have this metadata and yum-plugin-security will work for those packages but it will not do anything for the 6700 packages in base or the 500 packages in the updates repo.

The yum-plugin-security package does not work on CentOS and there have been several long and involved threads on the mailing list discussing this and the outcome is that it probably never will. The required metadata is not present in the CentOS yum repositories to allow it to function. EPEL does supply this data which is why you see some mentions of security updates available but it does not cover any of the packages in the CentOS repos.

Casey Labs – workaround

So here’s the thing: yum upgrade --security does indeed work… but only if you’re running Red Hat (RHEL) servers.

Why doesn’t it work on CentOS? The updateinfo.xml in the CentOS repositories does not include classifications for security patches. So when you run yum upgrade --security on a CentOS box, CentOS can’t find any security-only updates, and hence thinks everything is up to date.

Only the latest minor version gets security updates, period.  You can use yum and scan as much as you want, but if you’re not on the latest minor release, you won’t get any security updates.
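To see why missing advisory metadata produces the “nothing to update” result described above, here is an added example (not code from the forum posts or from Casey Labs) that parses updateinfo.xml the way the security plugin conceptually does. The two XML documents are constructed samples in the updateinfo format: one carrying advisories of type security and bugfix, as EPEL’s repository does, and one with no advisory entries, which is what the CentOS base and updates repositories effectively offer. The advisory ids, package names and CVE id are placeholders, and the installed-package set stands in for what rpm -qa would report; version comparison is deliberately left out.

```python
import xml.etree.ElementTree as ET

# Constructed updateinfo.xml in the style of the EPEL repository: one
# advisory of type "security" and one of type "bugfix". All ids, package
# names and the CVE id are placeholders, not real advisories.
EPEL_STYLE = """<updates>
  <update from="maintainer@example.invalid" status="stable" type="security" version="1">
    <id>EXAMPLE-2018-0001</id>
    <title>example-lib security update</title>
    <severity>Important</severity>
    <references>
      <reference href="https://example.invalid/CVE-0000-0000" id="CVE-0000-0000" type="cve"/>
    </references>
    <pkglist>
      <collection short="example">
        <name>Example Collection</name>
        <package arch="x86_64" epoch="0" name="example-lib" release="4.el7" version="1.2.3">
          <filename>example-lib-1.2.3-4.el7.x86_64.rpm</filename>
        </package>
      </collection>
    </pkglist>
  </update>
  <update from="maintainer@example.invalid" status="stable" type="bugfix" version="1">
    <id>EXAMPLE-2018-0002</id>
    <title>example-tool bug fix update</title>
    <pkglist>
      <collection short="example">
        <name>Example Collection</name>
        <package arch="x86_64" epoch="0" name="example-tool" release="1.el7" version="2.0.0">
          <filename>example-tool-2.0.0-1.el7.x86_64.rpm</filename>
        </package>
      </collection>
    </pkglist>
  </update>
</updates>
"""

# What the CentOS base and updates repositories effectively offer the
# plugin: no advisory entries at all (constructed; a missing file has the
# same effect on the security-only selection).
CENTOS_STYLE = "<updates></updates>"


def advisories(xml_text):
    """Return one dict per <update> element: id, type, severity, package names."""
    root = ET.fromstring(xml_text)
    result = []
    for upd in root.findall("update"):
        result.append({
            "id": upd.findtext("id"),
            "type": upd.get("type"),
            "severity": upd.findtext("severity"),
            "packages": sorted({p.get("name") for p in upd.iter("package")}),
        })
    return result


def security_updates_for(xml_text, installed):
    """Map installed package name -> ids of 'security' advisories covering it.

    `installed` is a set of package names (constructed here; on a real host
    it would come from rpm -qa). Version comparison is omitted on purpose:
    with no advisory entries there is nothing to compare against.
    """
    hits = {}
    for adv in advisories(xml_text):
        if adv["type"] != "security":
            continue
        for name in adv["packages"]:
            if name in installed:
                hits.setdefault(name, []).append(adv["id"])
    return hits


if __name__ == "__main__":
    installed = {"example-lib", "example-tool"}
    print("EPEL-style metadata  :", security_updates_for(EPEL_STYLE, installed))
    print("CentOS-style metadata:", security_updates_for(CENTOS_STYLE, installed))
```

With the same installed package set, the EPEL-style metadata reports example-lib as needing a security update while the CentOS-style metadata reports nothing, even though the package is present. That is exactly the false sense of security the forum posts describe: the empty result reflects missing metadata, not a patched system.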


AWS Introduces Amazon Linux WorkSpaces

Amazon WorkSpaces now offers a Linux desktop based on Amazon Linux 2. With this launch, Amazon WorkSpaces customers have the flexibility to choose either a Windows 7, Windows 10, or Amazon Linux 2 desktop. Customers can easily provision Amazon Workspaces for a growing range of use cases that now includes Linux developer desktops, kiosks like point of sale devices, and economical general-purpose desktops.

Today, organizations faced with managing both Windows and Linux desktops have to manage a range of different hardware configurations and support models, resulting in added complexity, management overhead, and costs. With Amazon WorkSpaces, customers now have the flexibility to deploy a secure, managed cloud desktop environment of their choice, either Windows or Linux, based on the specific needs of their workforce.

Amazon Linux WorkSpaces are available with common Linux development tools, including the Eclipse IDE and AWS SDKs, which makes building, testing, and deploying code to AWS easy. Customers already using Amazon Linux 2 for their EC2 server workloads can use Amazon Linux WorkSpaces as a cloud-native development environment that closely matches their production environment, simplifying build, integration, and testing of applications. Amazon Linux WorkSpaces come with the same five-year support as the Amazon Linux 2 Long Term Support (LTS) release. And because Amazon Linux WorkSpaces are built on Amazon Linux 2, customers can administer them using familiar AWS Management Tools, helping to lower the overhead when managing large fleets of desktops.

Amazon Linux WorkSpaces are available today in all regions where Amazon WorkSpaces is available. Customers can enable Amazon Linux 2 desktops from the Amazon WorkSpaces console, AWS API, or AWS CLI alongside any existing managed Windows desktops, and pay only for what is used with no upfront costs or software purchases required. To get started, log into the AWS Management Console, and provision an Amazon WorkSpaces Linux bundle.


Norwegian Consumer Council – How Tech companies use Dark Patterns to prevent Privacy choices

In this report, we analyze a sample of settings in Facebook, Google and Windows 10, and show how default settings and dark patterns, techniques and features of interface design meant to manipulate users, are used to nudge users towards privacy intrusive options.

The findings include privacy intrusive default settings, misleading wording, giving users an illusion of control, hiding away privacy-friendly choices, take-it-or-leave-it choices, and choice architectures where choosing the privacy friendly option requires more effort for the users.

Facebook and Google have privacy intrusive defaults, where users who want the privacy friendly option have to go through a significantly longer process. They even obscure some of these settings so that the user cannot know that the more privacy intrusive option was preselected.

The popups from Facebook, Google and Windows 10 have design, symbols and wording that nudge users away from the privacy friendly choices. Choices are worded to compel users to make certain choices, while key information is omitted or downplayed. None of them lets the user freely postpone decisions. Also, Facebook and Google threaten users with loss of functionality or deletion of the user account if the user does not choose the privacy intrusive option.

The GDPR settings from Facebook, Google and Windows 10 provide users with granular choices regarding the collection and use of personal data. At the same time, we find that the service providers employ numerous tactics in order to nudge or push consumers toward sharing as much data as possible.
[Summary table from the report, scoring Facebook, Google and Windows 10 (with a reference to the relevant chapter) against six criteria: no privacy intrusive default settings in popups; equal ease (number of clicks) for privacy friendly options in popups; design (colours and symbols) does not lead toward the privacy intrusive option in popups; language does not lead toward the privacy intrusive option in popups; privacy friendly options in popups come without “warnings”; users can clearly postpone the decision while accessing the service in the meantime. The per-service marks are not reproduced here.]
To complement the analysis, we use two examples of how users are given an illusion of control through privacy settings. Firstly, Facebook gives the user an impression of control over use of third party data to show ads, while it turns out that the control is much more limited than it initially appears. Secondly, Google’s privacy dashboard promises to let the user easily delete user data, but the dashboard turns out to be difficult to navigate, more resembling a maze than a tool for user control.


It’s not paranoia, your phone really IS listening to EVERYTHING you say and using your private conversations to target ads, security expert warns

Many share a similar story: They were chatting about a niche product or holiday destination with friends, and soon afterwards an advertisement on the same theme appears in their social media apps.

According to one researcher, these oddly pertinent ads aren’t merely a coincidence and your phone regularly listens to what you say.

It’s not known exactly what triggers the technology, but the researcher claims the technique is completely legal and is even covered in the terms of your mobile apps’ user agreements.

Smartphone models with voice assistants are constantly listening out for the designated wake word or phrase, with everything else discarded.

However, one researcher claims that keywords and phrases picked up by the gadget can be accessed by third-party apps, like Instagram and Twitter, when the right permissions are enabled.

This means when you chat about needing new jeans, or plans for a holiday in Senegal, apps can plaster your timeline with adverts for clothes and deals on flights.

Dr Peter Henway, a senior security consultant for cybersecurity firm Asterisk, told Vice: ‘From time to time, snippets of audio do go back to [apps like Facebook’s] servers but there’s no official understanding what the triggers for that are.

‘Whether it’s timing or location-based or usage of certain functions, [apps] are certainly pulling those microphone permissions and using those periodically.

All the internals of the applications send this data in encrypted form, so it’s very difficult to define the exact trigger.’

He said companies like Facebook and Instagram could have a range of thousands of triggers to kickstart the process of mining your conversations for advertising opportunities.

For example, a casual chat about cat food or a certain snack may be enough to activate the technology.

‘Seeing as Google are open about it, I would personally assume the other companies are doing the same,’ Dr Henway said.

‘Really, there’s no reason they wouldn’t be. It makes good sense from a marketing standpoint and their end-user agreements and the law both allow it, so I would assume they’re doing it, but there’s no way to be sure.’


VPNFilter router malware is a lot worse than everyone thought

Asus, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE: these are the vendors newly named by Cisco’s Talos Intelligence whose products are being exploited by the VPNFilter malware.

As well as the expanded list of impacted devices, Talos warned that VPNFilter now attacks endpoints behind the firewall, and sports a “poison pill” to brick an infected network device if necessary.

When it was discovered last month, VPNFilter had hijacked half a million devices – but only SOHO devices from Linksys, MikroTik, Netgear and TP-Link, plus QNAP storage kit, were commandeered.

As well as the six new vendors added to the list, Talos said this week that more devices from Linksys, MikroTik, Netgear, and TP-Link are affected. Talos noted that, to date, all the vulnerable units are consumer-grade or SOHO-grade.


How does it work?

The software nasty’s masterminds are using compromised SOHO routers to inject malicious content into web traffic flowing through the devices. This hijacking is carried out by a third-stage module Talos this week identified within the malware.

Called ssler, the module intercepts insecure HTTP traffic destined for port 80 and injects JavaScript code to spy on or hijack browser sessions. Basically, if you visit a website through an infected router or gateway, there is a chance that sensitive details on the page – or information you enter – will be siphoned off by VPNFilter to its masters.

The researchers believe the criminals controlling VPNFilter are profiling endpoints to pick out the best targets, and will swipe confidential information in transit where possible. The code snoops on the destination IP address, to help it identify valuable traffic such as a connection to a bank, as well as visited domain names. It also attempts to downgrade secure HTTPS connections to unencrypted forms, so that login passwords and the like can be obtained.

Talos provides extensive technical detail about other aspects of the module’s operation, so we’ll summarise:

  • The malware’s scripts of commands to carry out are downloaded from VPNFilter’s C&C servers, so it’s customisable;
  • It’s got an SSL stripper to try to force-downgrade user communications to unencrypted, to help steal credentials. Juniper notes that HSTS forces sites to HTTPS, “but it is enough sometimes to catch the very first request as it may already contain credentials and other POST form elements”;
  • Google, YouTube, Facebook and Twitter are excluded from the SSL stripping;
  • To get around the risk that users’ reconfiguration might stop VPNFilter collecting traffic, the module dumps and recreates its route-sniffing capabilities every four minutes.
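The HSTS point in the list above is the site-side defence against exactly this kind of stripping, and the quoted caveat is about the gap it leaves: the browser only enforces HTTPS once it has seen the header, so the very first plaintext request is still exposed unless the domain is on the browsers’ preload list. The following is an added example, not code from Talos or Juniper, that evaluates a site’s Strict-Transport-Security policy from its raw response headers and reports each weakness; the one-year max-age threshold is the minimum the preload list accepts, and the three sample responses are constructed, not captured from any real site.

```python
ONE_YEAR = 31536000  # seconds; minimum max-age accepted for preloading


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into its directives.

    Returns a dict with max_age (int or None), include_subdomains (bool) and
    preload (bool). Directive names are matched case-insensitively, as RFC 6797
    requires; unknown directives are ignored.
    """
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            out["max_age"] = int(value)
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def hsts_findings(raw_response):
    """Return a list of weaknesses in the HSTS policy of a raw HTTP response head.

    An empty list means the header is as strong as a header alone can make it.
    The first request a browser ever sends to the site is still plaintext unless
    the domain is preloaded, which is what the 'preload' finding points at.
    """
    headers = {}
    for line in raw_response.splitlines()[1:]:  # skip the status line
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    value = headers.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header: every request can be downgraded"]
    policy = parse_hsts(value)
    findings = []
    if policy["max_age"] is None:
        findings.append("max-age missing: header is invalid and ignored by browsers")
    elif policy["max_age"] == 0:
        findings.append("max-age=0: policy is cleared rather than enforced")
    elif policy["max_age"] < ONE_YEAR:
        findings.append("max-age below one year: too short for the preload list")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains still accept plaintext")
    if not policy["preload"]:
        findings.append("preload missing: the first visit before the policy is cached stays exposed")
    return findings


# Constructed sample response heads (not captured from any real site).
WEAK = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
PARTIAL = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=86400\r\n\r\n"
STRONG = ("HTTP/1.1 200 OK\r\n"
          "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n\r\n")

if __name__ == "__main__":
    for label, response in (("weak", WEAK), ("partial", PARTIAL), ("strong", STRONG)):
        print(label, hsts_findings(response) or ["ok"])
```

Run against a real site, the response head would come from a single HTTPS request; the check is deliberately read-only and looks at nothing but the policy header, so it can be dropped into a periodic configuration audit.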

Sending devices to Lego-land

Another third-stage module performs a self-destruct operation, which is common for malware that seeks to erase its tracks, but Talos also said it can brick the host, too.

The dstr module “deletes all files and folders related to its own operation first before deleting the rest of the files on the system, possibly in an attempt to hide its presence during a forensic analysis,” Team Talos said.

The module “clears flash memory by overwriting the bytes of all available /dev/mtdX devices with a 0xFF byte. Finally, the shell command rm -rf /* is executed to delete the remainder of the file system and the device is rebooted.

“At this point, the device will not have any of the files it needs to operate and fail to boot.”

Devices and domains

The table below shows all devices VPNFilter has been identified in so far, with new devices marked by an asterisk.

Vendor     Device / Series
Asus       RT-AC66U*; RT-N10 series*; RT-N56 series*
D-Link     DES-1210-08P*; DIR-300 series*; DSR-250, 500 and 1000 series*
Huawei     HG8245*
Linksys    E1200; E1500; E3000*; E3200*; E4200*; RV082*; WRVS4400N
MikroTik   CCR1009*; CCR1x series; CRS series*; RB series*; STX5*
Netgear    DG834*; DGN series*; FVS318N*; MBRN3000*; R-series; WNR series*; WND series*; UTM50*
QNAP       TS251; TS439 Pro; other devices running QTS software
TP-Link    R600VPN; TL-WR series*
Ubiquiti   NSM2*; PBE M5*
UPVEL      Unknown devices

Since the original VPNFilter C&C domain has been seized by the FBI, the malware now uses resources stashed in a number of Photobucket user accounts.


Amazon’s Rekognition Surveillance Tool Will Grant Police Even More Surveillance Power

Amazon is facing pressure from civil liberties groups for the corporation’s role in building the infrastructure which powers government surveillance.

The Electronic Frontier Foundation, the American Civil Liberties Union, Human Rights Watch, the Freedom of the Press Foundation and nearly 40 other organizations have joined together to demand that Amazon cease providing law enforcement access to surveillance technology. The organizations signed onto a letter to Amazon which condemns the company for developing new facial recognition tools that allow real-time surveillance using police body cameras and the ever growing interconnected network of cameras in most major American cities.

“Amazon has been heavily marketing this tool—called “Rekognition”—to law enforcement, and it’s already being used by agencies in Florida and Oregon,” the EFF wrote in a recent blog. “This system affords the government vast and dangerous surveillance powers, and it poses a threat to the privacy and freedom of communities across the country. That includes many of Amazon’s own customers, who represent more than 75 percent of U.S. online consumers.”

The letter also notes that Amazon’s own promotional material states that Rekognition can identify people in real-time by “instantaneously searching databases containing tens of millions of faces.” Amazon offers a “person tracking” feature that it says “makes investigation and monitoring of individuals easy and accurate” for “surveillance applications.” Amazon says Rekognition can be used to identify “all faces in group photos, crowded events, and public places such as airports.”

The letter also warns that local police could use Rekognition to identify political protesters recorded by officer body cameras. In addition, Rekognition can track people even if it can’t see their face, can identify and catalog a person’s gender, what they’re doing, what they’re wearing, and their emotional state. The program can also flag things it considers “unsafe” or “inappropriate.”

Unfortunately, Amazon’s partnership with law enforcement is nothing new. Amazon famously partnered with the CIA by offering cloud storage services through Amazon Web Services (AWS) which allows agencies to store the extremely large video files generated by body and other surveillance cameras. For only $6 to $12 extra a month law enforcement can add Rekognition to their AWS subscription.


REVEALED: Facebook let SIXTY companies, including Apple and Amazon, have ‘deep access’ to personal data about users and their friends – and the controversial deals are STILL in place

Facebook gave at least 60 device makers access to its users’ information, potentially in conflict with what the company told Congress, a new report has revealed.

Many of the partnerships, with companies such as Apple, Amazon, BlackBerry, Microsoft and Samsung, remain in effect even after Facebook began to quietly unwind them in April, according to a lengthy report in the New York Times.

Under some of the agreements, device makers could access the data of users’ friends, even if they believed that they had barred sharing, the Times reported citing company officials. The latest revelation affects every Facebook user worldwide.

Facing blowback from the Cambridge Analytica data harvesting scandal in March, Facebook vowed that it had put an end to that kind of information sharing, but never revealed that device makers had a special exemption.

However, Facebook blasted back at the Times report, saying the newspaper has misinterpreted the purpose and function of its so-called ‘device-integrated APIs’ – the software that allows hardware companies to bridge into Facebook’s database to offer versions of the app on their operating systems.

What does your Facebook data file hold?

  • Every Messenger message you have sent or received
  • Every Facebook friend you have connected with
  • Every Facebook voice call you have made
  • Every smartphone contact
  • Every text message sent or received
  • Log of phone calls made or received
  • Every file you have sent or received
  • Every time you signed into Facebook, and from where
  • Every sticker and emoji you have ever sent


CBS Google’s abuse of dominance and AI DUPLEX

CBS have challenged Google’s use of their own Google+ results, not the actual Google search engine results.  Here’s an example of how the abuse can be stopped.


Google AI, for good measure


Scammers will use the phone bots to scam pensioners and vulnerable people.

What next, Duplex will call to get you a date?  Why even turn up to the date? Send your digital assistant; they tell better jokes.

An Interesting Pattern in the Prime Numbers: Parallax Compression

UPDATE: Thanks to comments from readers, we have found that the pattern does not exactly match the GCD triangle for some values of the number of cells and rows; this possibly makes it a more interesting finding.  Join the discussion in the Telegram group as well (details below).

Early this year a software engineer, Shaun Gilchrist, reached out to me after reading a blog post of mine from many years ago, about my informal search for hidden patterns in the prime numbers.

The Ulam Spiral revealed non-random patterns, but they didn’t quite match up. Both Shaun and I had long felt there was a better way to wrap the primes that would reveal a deeper structure.

Shaun explained that he had developed a new algorithm (he calls it “Parallax Compression”) for wrapping the primes on a plane and visualizing their distribution, inspired by the Ulam Spiral. Here is a more robust GitHub version of the code in a Mathematica notebook if you want to explore it yourself (note: thanks to Stephen Wolfram for taking a look at the Mathematica code and advising us in January, when we were wondering whether this might break crypto and needed advice; the answer is no, it doesn’t break crypto, but Mathematica is pretty great!).

After his initial discovery, Shaun searched the Web for anyone else who was thinking this way and that led him to my blog post, and to me.

Shaun’s algorithm reveals an interesting non-random, fractal-like pattern in the distribution of primes, that to our knowledge, has never been seen before.

It makes it possible to easily see where there are regions of prime and non-prime numbers, anywhere on the number line, at any level of scale.

When one looks at a visualization of this pattern, it appears reminiscent of runes, Mayan glyphs, tapestries, and hieroglyphics. If you look at it for a moment or two you will see there are several levels of nested geometric shapes within it that appear to have a kind of fractal symmetry:


A cell is colored black if there is at least 1 prime number within it, and red if there are no primes within it.

Here, the width of a cell, n, is 100, so each cell represents 100 integers in the sequence, and the pattern holds for 100 rows.

Initially we found that this pattern matches a known numerical sequence, OEIS A054521 — and it recurs for other even values of n, so it is self-similar at various levels of scale.

For example, if n = 50, then each cell represents 50 integers, and the pattern holds for 50 rows. If n = 200, then each cell represents 200 integers, and the pattern holds for 200 rows.

Here is an animation (Thanks to Ian Rust) that shows the pattern approaching the GCD sequence pattern, as the values of n increase.

However, some readers noted today in the thread on Hacker News that GCD doesn’t hold for all values of n.

For example, for odd values of n we see a different pattern that is also rather interesting. Here is n = 99:



Like the GCD pattern we see for even values of n, the odd valued n pattern also recurs for different sized odd values of n. This means that this pattern is not simply the GCD sequence — there are variances that we don’t understand yet.

This algorithm also reveals sequences (that we call “runs”) of primes and non-primes along various axes that might be useful for predicting prime and non-prime regions.

After Shaun reached out to me with his discovery, we spent many sleepless days and nights collaborating to see whether there were even deeper patterns behind this new visualization. Eventually we made a little progress, finding at least one known sequence that generates the pattern for even values of n without needing any primality testing. But as noted above, it doesn’t hold for all values of n, and we have neither done a formal proof nor tested a large set of values of n and compared the results.

We’re not exactly sure what this all means yet — it might not mean much — it might just be a pretty visualization — but it’s interesting enough (to us at least) that we decided eventually to make this public so that others could help us explore it further, in case there is something more to this.

Perhaps this is a topographical map of the distribution of the prime numbers? Perhaps this might be useful in number theory, or in some area of science? The self-similarity at various levels of scale, and the fact that it isn’t fully described for all values of n by a known sequence means there may still be more to understand about this.

In general, finding any kind of non-random pattern in the distribution of primes is potentially interesting. Are there connections between this and other research findings, such as this recent article we found on aperiodic order in the primes?

We don’t know yet, but we are curious to find out. We are not mathematicians, but hopefully some mathematicians reading this will take it further than we can.

We hope you enjoy this, and if you make further progress on this, or find anything that may be connected, please let us know. (You can discuss it with us, and others who are interested, on this Telegram group).




NSA encryption plan for ‘internet of things’ rejected by international body

An attempt by the U.S. National Security Agency (NSA) to have two of its encryption algorithms adopted as global standards for use on the “internet of things” suffered a major setback on Tuesday, after online security experts from countries including U.S. allies voted against the plan.

A source at an International Organization for Standardization (ISO) meeting of expert delegations in Wuhan, China, told WikiTribune that the U.S. delegation, including NSA officials, refused to provide the standard level of technical information to proceed.

The vote is the latest setback for the NSA’s plan, which was pruned in September after ISO delegates expressed distrust and concerns that the U.S. agency could be promoting encryption technology it knew how to break, rather than the most secure.

The ISO sets agreed standards for a wide range of products, services, and measurements in almost every industry including technology, manufacturing, food, agriculture, and health. The body has been looking into adopting recommended encryption technology to improve security in devices that make up the “internet of things.” These include household items such as smart speakers, fridges, lighting and heating systems, and wearable technology.

The NSA has been pushing for these encryption tools to get a seal of approval from the ISO so they will become approved by the National Institute for Standards and Technology (NIST), and become standard for all U.S. government departments and related companies, said the source.

Agreeing to adopt ‘Simon’ and ‘Speck’ as standard block cipher algorithms would have made these part of the recommended encryption technology for a huge range of products.

The NSA had originally been promoting a broader range of encryption technologies, but during a three-year dispute behind closed doors, delegates from other countries expressed concern over the NSA’s motives. Several cited information leaked by Edward Snowden, which showed the agency had previously planned to manipulate standards and promote technology it could penetrate, as a source of distrust, according to documents seen by Reuters.

Two delegates told WikiTribune that the opposition to adding these algorithms was led by Dr. Tomer Ashur from KU Leuven University, representing the Belgian delegation and it was supported by a large group of countries.

“Many crypto experts both within and outside ISO had concerns about the security of the algorithms,” said Ashur. “The NSA tried to remain as obscure as it could about certain design decisions and parameter choices they have made. As this is out of line with what is perceived as best practices of cipher design, this alarmed some of the delegates, including myself.”

Specific requests for more detailed information were met with obfuscation, said Ashur.

“I can’t speak for the other delegates but I believe it was these concerns together with the adversarial and aggressive behavior of the NSA that eventually led them to support the cancellation of the project,” he said.

Israeli delegate Orr Dunkelman told Reuters he did not trust the U.S. designers following the September meetings.

“There are quite a lot of people in NSA who think their job is to subvert standards,” said Dunkelman. “My job is to secure standards.”

The NSA said Simon and Speck were developed to protect U.S. government equipment without requiring a lot of processing power, and firmly believes they are secure.

The NSA has a history (Atlas Obscura) of trying to create “backdoors” in software so it can access data. Documents leaked by Snowden also showed the NSA has made extensive efforts to break encryption tools, and insert vulnerabilities into encryption systems. The Dual EC, a standardized algorithm championed by the NSA, was withdrawn in 2014 due to wide public criticism.

According to WikiTribune’s source, experts in the delegations have clashed over recent weeks and the NSA has not provided the technical detail on the algorithms that is usual for these processes. The U.S. delegation’s refusal to provide a “convincing design rationale is a main concern for many countries,” the source said.

What are Simon and Speck?

Created by the NSA in 2013, Simon and Speck are families of lightweight block ciphers, meaning they’re cryptographic algorithms tailored for low-resource devices with limited memory and power. Though both algorithms can be implemented in hardware and software, Simon is optimised for hardware while Speck is optimised for software. Detailed information about the Simon and Speck families is compiled by NSA Cybersecurity in its official GitHub repository.

  • Simon = hardware 
  • Speck = software

In 2014, Simon and Speck were proposed for inclusion (IACR paper) in the ISO standard that specifies the requirements for lightweight cryptography and suitable block ciphers. Published in 2012, this standard already covers two lightweight block ciphers, Present and Clefia. Furthermore, there are two “Proposed Draft Amendments” recorded without any content information. They might concern the proposed NSA block ciphers.

Another relevant standard specifies the security and privacy aspects of Service Level Agreements (SLA) for cloud services with the “cryptography component” as a central part. According to a notice of Prismacloud, this standard was the theme in Wuhan, April 16-20, where the Working Groups of the responsible ISO/IEC JTC 1/SC 27 held their 26th meeting. This meeting is not listed in the ISO meeting calendar.

According to the NSA, the aim of Simon and Speck is to secure applications in constrained, or specialized, environments, largely to prepare for the era of the internet of things. The basic idea is to design algorithms that are flexible and simple enough to be performed just about anywhere.

What is unusual about Simon and Speck is that the NSA waited four years after publishing the ciphers before releasing a security analysis and a description of the design decisions, both of which are considered mandatory best practice in cipher design.
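The “flexible and simple enough to be performed just about anywhere” claim is easy to see in Speck’s round function, which uses nothing but modular addition, rotation and XOR. The block below is an added example, not the NSA’s reference code, implementing Speck32/64 (16-bit words, 64-bit key, 22 rounds, rotation amounts 7 and 2, as in the published specification) and checking it against the test vector printed in that specification; the word ordering of the key tuple follows the specification’s notation, and the 32-bit block variant is the smallest family member, used here to show the structure rather than as a size anyone would deploy.

```python
"""Speck32/64, the smallest member of the Speck family, written out in full."""

WORD = 16                 # word size in bits; a block is two words
MASK = (1 << WORD) - 1
ROUNDS = 22               # round count specified for Speck32/64
ALPHA, BETA = 7, 2        # rotation amounts specified for the 16-bit word size


def rol(x, r):
    """Rotate a WORD-bit value left by r bits."""
    return ((x << r) | (x >> (WORD - r))) & MASK


def ror(x, r):
    """Rotate a WORD-bit value right by r bits."""
    return ((x >> r) | (x << (WORD - r))) & MASK


def speck_round(x, y, k):
    """One round: add, rotate and xor only, which is what makes it 'lightweight'."""
    x = ((ror(x, ALPHA) + y) & MASK) ^ k
    y = rol(y, BETA) ^ x
    return x, y


def speck_round_inverse(x, y, k):
    """Undo one round given the same round key."""
    y = ror(y ^ x, BETA)
    x = rol(((x ^ k) - y) & MASK, ALPHA)
    return x, y


def expand_key(key_words):
    """Key schedule for a 64-bit key given as four 16-bit words.

    The words are ordered as printed in the specification, most significant
    first: (l[2], l[1], l[0], k[0]). The schedule reuses the round function,
    with the round counter standing in for the round key.
    """
    l2, l1, l0, k = key_words
    ls = [l0, l1, l2]
    round_keys = [k]
    for i in range(ROUNDS - 1):
        l_next, k = speck_round(ls[i], k, i)
        ls.append(l_next)
        round_keys.append(k)
    return round_keys


def encrypt(block, round_keys):
    """Encrypt one (x, y) block of two 16-bit words."""
    x, y = block
    for k in round_keys:
        x, y = speck_round(x, y, k)
    return x, y


def decrypt(block, round_keys):
    """Decrypt one (x, y) block by running the rounds backwards."""
    x, y = block
    for k in reversed(round_keys):
        x, y = speck_round_inverse(x, y, k)
    return x, y


if __name__ == "__main__":
    # Test vector from the published Speck specification for Speck32/64.
    rks = expand_key((0x1918, 0x1110, 0x0908, 0x0100))
    ct = encrypt((0x6574, 0x694C), rks)
    print("ciphertext: %04x %04x" % ct)          # expected: a868 42f2
    assert decrypt(ct, rks) == (0x6574, 0x694C)
```

The key schedule being the round function applied to the key words is the design choice that keeps the code footprint small; it is also one of the points on which the delegates quoted above wanted a written rationale, since a schedule this simple is exactly the kind of parameter choice that cryptanalysts expect to see justified.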
