Pulling fine-tuning out of the black box to make it cheaper. Very much inside baseball (badly described and motivated). Clearly no cognitive science background. Technically very interesting.
Non-standard definition of emergence (a proxy for surprise) makes this paper very misleading from a cognitive perspective. The benchmarks are an anthropomorphic mess.
Easy, straightforward paper, seminal in the scaling literature. We revisited this one after four years. The only issue missing is any notion of data quality (vs data set size). Cardinality of compute and data is a good start.
The XZ backdoor seems to have become a Rorschach test that shows whatever you already believed about the security of open source software against sabotage.
It clearly proves the inherent superiority of the open source model. Or the inherent vulnerability. One of those, definitely.
Watched the Steve Martin doc on AppleTV. I hadn't noticed before (this is my observation, not the film's) how much Andy Kaufman honed characters that seem at least inspired by Martin's early work. Both did "bombing comedian" characters; Martin's was a clueless blowhard, while Kaufman's was a clueless innocent.
I am giving two #swsec breakfast seminars back to back mid-April. If you are in Sweden, Norway or Finland, please consider coming. Pass it on to those who may be interested.
Ross Anderson's first Silver Bullet episode (number 13 from 2007) was the most popular episode I ever recorded (out of 153 monthly episodes in a row). Ross recorded a second (number 70 in 2012). Here they are, moved to archive in 2018.
@SteveBellovin Today you posted a note about how someone appears to have injected a Trojan into the source of XV. And there was another post about the increase in complex tool chains and dependencies that are larding-up the software many of us use.
That made me wonder about whether national security bodies - intelligence, military, or other - or social movements (e.g. ISI) might be injecting similar things into source trees.
It would be relatively easy to hide such things, particularly via the tool chains or Makefiles - like who is going to notice a sed script in an autoconfig part of a build chain?
Like good spies, such things could be planted years in advance and only triggered, if ever, when desired.
This is not an open source issue, it is a ubiquitous issue. And in light of Ken Thompson's "Reflections on Trust" some of these could be quite invisible in some kinds of source code.
I am very nervous about the vulnerability and brittleness of our new world of tech as a utility.
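The post above asks who would notice a sed script buried in the autoconf part of a build chain. As an added example (not code from any post on this page, and not tied to any specific incident), here is a small POSIX shell check that does two cheap things a maintainer or distro packager can run before trusting a release: grep the files that actually execute at configure/build time (configure, m4 macros, Makefile templates) for constructs that deserve a human look, and list files that are present in an unpacked release tarball but absent from the version-controlled tree. The file names, the regex, and the sample trees built by `demo_tree` are all constructed for this example; a match is a heuristic hit, not proof of anything.

```shell
#!/bin/sh
# check_build_chain.sh (added example, constructed; heuristic only)

# Constructs that are unusual in honest build glue and worth a human look:
# in-place sed edits, eval of command output, decoding of opaque blobs,
# and pipelines that feed a shell. Assumption: these are rare in clean trees.
SUSPICIOUS_RE='sed[^|]*-i|eval[[:space:]]+\$\(|base64[[:space:]]+(-d|--decode)|\|[[:space:]]*(sh|bash)([[:space:]]|$)'

# scan_build_chain DIR: print "file:line:text" for each hit in files that run
# at configure/build time. Returns 0 if anything matched, 1 otherwise.
scan_build_chain() {
    # find -exec returns nonzero when grep finds nothing; "|| true" keeps
    # this usable under "set -e".
    hits=$(find "$1" -type f \( -name configure -o -name '*.m4' -o -name '*.ac' \
               -o -name 'Makefile*' -o -name '*.in' \) \
               -exec grep -nHE "$SUSPICIOUS_RE" {} + 2>/dev/null || true)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# tarball_only_files TARBALL_DIR GIT_DIR: list files (relative paths) that
# exist only in the unpacked release tarball and not in the checked-out tree.
tarball_only_files() {
    a=$(mktemp); b=$(mktemp)
    (cd "$1" && find . -type f | sort) > "$a"
    (cd "$2" && find . -type f | sort) > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# demo_tree: build two constructed sample trees under a temp dir and print its
# path. "git" is the clean tree; "tarball" carries one extra m4 file whose
# macro evals decoded data at configure time (constructed, not real malware).
demo_tree() {
    root=$(mktemp -d)
    for t in git tarball; do
        mkdir -p "$root/$t/m4"
        printf 'AC_INIT([demo], [1.0])\nAC_CONFIG_FILES([Makefile])\nAC_OUTPUT\n' > "$root/$t/configure.ac"
        printf 'all: demo.c\n\t$(CC) -o demo demo.c\n' > "$root/$t/Makefile.in"
    done
    printf '%s\n' 'dnl constructed: a macro that runs decoded data at configure time' \
        'AC_DEFUN([DEMO_HOOK], [eval $(base64 -d < "$srcdir/tests/blob.b64")])' \
        > "$root/tarball/m4/extra.m4"
    printf '%s\n' "$root"
}

# Stand-alone usage:
#   sh check_build_chain.sh --demo                (constructed sample trees)
#   sh check_build_chain.sh TARBALL_DIR [GIT_DIR]
case "${1-}" in
    --demo)
        d=$(demo_tree)
        echo "== suspicious build-time constructs =="; scan_build_chain "$d/tarball" || true
        echo "== files only in the tarball =="; tarball_only_files "$d/tarball" "$d/git"
        rm -rf "$d" ;;
    "") ;;
    *)
        scan_build_chain "$1" || true
        [ -n "${2-}" ] && tarball_only_files "$1" "$2" ;;
esac
```

The second check is the more robust of the two: a hook that only exists in the shipped tarball never shows up in a review of the repository, so diffing the two file lists catches a whole class of hiding places regardless of what the extra file contains. The regex is deliberately narrow; widen it to taste, but expect false positives in any tree that legitimately post-processes generated files.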
Does everyone understand how much luck was involved in this exploit in #xz being discovered so quickly? And, what it tells us about the attacker?
This was a subtle and sophisticated attack implemented over years. The attacker was made a co-maintainer two years ago, and they made numerous innocuous-looking and seemingly unrelated changes over that time, sometimes through a second account, that eventually added up to a backdoor. Along with many innocent commits, too. #Linux
If you've not heard the news, Ross Anderson, professor at Cambridge and well known privacy scholar and security engineer, passed away unexpectedly at his home. A huge loss to his family, his friends, students, and colleagues, and to the community.