User Profile

This paper covers a compiler for more traditional imperative code to be converted to optimized (and batched) FHE operations via the SEAL library. The frontend is Python, which is then converted to multiple simplification and optimization passes in the CPP MLIR.

Both synthetic/toy examples and more real-world applications are created in pure imperative implementations (that require non-performant emulation steps), compiled with HECO, and built with FHE optimizations manually. The HECO performance is close to the hand-optimized in most scenarios, even edging it out in a few.

Hopefully the spread of this tool will help FHE reach the masses.

This paper covers a highly-effective (85%+) hijack attack where training data is tainted by an adversary, and then the model can be cajoled into performing other types of tasks. While this work is a steep closer to a more general-type of attack, the model is less plausible than inference-time attacks popularized in the Adversarial Reprogramming literature.

I have sent this paper to a number of people over the years from when it first came out, I am surprised there is less attention to this type of attack, despite being a white-box model. This is the first class of attack that lets the attacker reprogram an image classification model to perform an attacker-determined task (e.g., turning an image classifier into a counter task).

Reviewing this paper 5 years after its release, it still stands up, and I see there is a small field of work in this lineage that includes similar attacks against NLP classifiers. I would count this paper as the starting point for this class of attack, which is an impressive and high-impact field.

While silent SMSes have been used by authorities for quite some time to geolocate cell-phones, this work puts a less powerful capability into the hands of anyone. By training a ML model on the RTT from sending a silent SMS to phones in different [known] locations, a temporal map of the GSM network can be made to later classify RTTs when targeting a victim phone and approximate their location to country/region.

Without cooperation of the cell infrastructure it's pretty coarse-grained, but still a scary way to figure out where a target of interest is without alerting them.

Yikes!

Surprising that what is essentially a RCE in an ML model attack has gotten so little attention. Looks like a nice continuation from the image classification attacks.

A @casey recommendation

In this talk, @pluralistic@mamot.fr covers the basic premise of enshittification, how the internet giants have lobbied to change the rules that let them get big to stifle competition, and finally, what can be done about it.

I only recently was made aware of the term enshittification, but had seen the decay of online platforms hasten, be it Twitter, FB, Reddit, Google, etc. The term and "play book" was helpful to draw connections between the behaviors on disparate sites.

I am slightly less hopeful than the author about reversing the course on some of these, but I guess there's something to be said about me posting this review on a distributed, federated service not part of big tech.

Overall a great talk, wake up call, and pointer to some hopeful directions.

This paper formally equates (lossless) compression algorithms with LLM/learning. While the Hutter Prize has postulated the connection, this paper shows how an LLM can act as a better compressor for multi-modality data than the domain specific standards of today. The authors also use the gzip compression algorithm as a generative model, with rather poor success, but build a mathematical framework to build on.

The paper also covers tokenization as compression, which is something that's been lacking in a lot of other scientific discourse on this subject. Overall a nice read, 4* only because it ends abruptly without fully exploring the space of compressors as generative models.

Suggestion from co-worker, especially since it seems to overlap with my blog.thinkst.com/2023/06/meet-zippy-a-fast-ai-llm-text-detector.html work

I skimmed the top-level summary when it came out, but it appears well worth a deeper read.

Interesting story and insider view of the great firewall of China and bypass techniques.

Basically this research combines a legacy IPv6 addressing scheme where the MAC address is put into the address with crowd-sourced WiFi network scanning geo-location databases. The trick is figuring out the delta in MACs between the WAN and WLAN adaptors, but they are usually close, so with some clustering, they were able to get 39m accuracy for ~12M routers in over 100 countries.

Crazy to think putting a MAC address in a world-routing IP address was ever considered a good idea, but with networking gears' long life cycle, it will be a long-lasting mistake!