Mihai Maruseac
@mihaimaruseac
Followers
2,167
Following
1,681
Media
109
Statuses
13,820
Supply chain security @ Google OSS Security Team. Previously TensorFlow Security & OSS (@ Google); Haskell+differential privacy+ML @ LeapYear. Views my own
Mountain View, CA
Joined March 2009
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
Mazón
• 505079 Tweets
Pinovibes
• 355362 Tweets
#LinglingNNGFirstMeet
• 280637 Tweets
LINGLING IRREPLACEABLE
• 270354 Tweets
SAROCHA REBECCA WITH CERAVE
• 241074 Tweets
#BamBamHostROUNDinLaoPDR
• 134269 Tweets
Tiktok Awards x NuNew
• 62168 Tweets
NamtanFilm x LAYS TH
• 46184 Tweets
#นุนิวที่งานติ๊กต๊อกอวอร์ด
• 42190 Tweets
運転見合わせ
• 31698 Tweets
NEWWIEE IN TRANCE GUILIN
• 27707 Tweets
土砂降り
• 24423 Tweets
東海道新幹線
• 23532 Tweets
#マテムり
• 17243 Tweets
DISH
• 16585 Tweets
大雨の中
• 14995 Tweets
ランゲラック
• 14698 Tweets
#ブラタモリ
• 14586 Tweets
Conservative Party
• 13109 Tweets
GitHub just broke the entire world by changing the compression format to tarballs.
Supply chain breakage on the entire OSS?
23
67
524
It's not a null pointer dereference unless it comes from the 0x0 region of RAM.
Everything else is just a sparkling segmentation fault.
3
57
205
I actually saw this on TensorFlow. Someone got peer bonus and praise for halving the run time off some TF CI and months later we discovered that 90% of the gain was actually from disabling a large number of tests
pro tip: you can drastically reduce the time it takes for CI to run your test suite by failing all your tests
15
58
596
5
10
174
Google is an AI first company
Google's future is strictly tied to its AI products
All AI is written with Python.
Google lays off all Python team.
Segmentation fault
(and NLRB protected)
10
17
139
TensorFlow 2.5 has been released. Contains multiple improvements and bug fixes as well as **108** security vulnerability fixes that my team has been fixing for the past month.
2
5
108
I still maintain that this is the best documentation for a function ever. The name makes the function sound scary, the comment lists issues caused by this. And all of this is epic
1
14
92
So now that the work week ends, time for the second announcement. This has been my last week in TensorFlow.
Starting Tuesday I will be joining the Google OSS Security Team.
Looking forward to the work that will be done there
12
2
85
This weekend we released Stackage LTS 17 which uses GHC 8.10.3 (the most recent Haskell compiler)
1
22
66
I am humbled and excited to be joining the Haskell Security Response Team.
Bringing supply chain security and general software security to Haskell is something that I am interested on and happy to be provided with the opportunity.
3
2
62
@tekbog
That's not exactly fair. This was on ossfuzz, not xz and the PR author was listed as maintainer of the project. The review just approved that a specific fuzzer be disabled, I have sent similar pr for tensorflow when the code had a deep issue we were debugging
0
0
56
@kmett
I was in Berkeley when I ordered a monad at chipotle and they gave me the burrito and we laughed at it.
0
0
54
I wrote code to define the same neural network in TensorFlow (native, with TF.Module), Keras, Jax (well, Flax and Orbax) and PyTorch
Keras was the simplest, fastest to develop with. Jax was the more flexible, but I need to learn more how to use all its libraries. TF=PT
YMMV ofc
4
5
46
2022 was the 5th year with all green tiles. Hoping 2023 will be the 6th, with even more contributions and more projects to work on!
6
2
52
I now have the most commits made by a human in the history of TensorFlow (to main branch, if we count all other branches I would have been there last year)
4
2
51
(1/n) Finished reading this amazing book called "The Art of Doing Science and Engineering" by Hamming (of error correcting codes fame).
3
1
48
This shouldn't be pinned on "an OSS library". The failure is in OpenAI, according to White House guidance OSS is not to blame for issues in commercial products from companies that don't do due diligence
we had a significant issue in ChatGPT due to a bug in an open source library, for which a fix has now been released and we have just finished validating.
a small percentage of users were able to see the titles of other users’ conversation history.
we feel awful about this.
597
588
7K
1
6
47
300+ vulnerabilities in TensorFlow. Could they be used to take over a system using ML for, say, loan default prediction?
Stay tuned
3
8
46
Also applies to APIs between components of a product. If everyone can call every other function you just get a lasagna spaghetti mess
The fewer relationships in a system, the more robust & general it becomes.
Which is why very sparse networks are so effective, and why topology-grounded abstraction has much greater generalization power than geometry-grounded abstraction.
14
36
404
4
3
45
@MatthewCroughan
I was just thinking of asking if nix was broken and if not why not. Thank you for providing this context
0
0
39
This thread is an essential read
Statistics can never be completely objective.
This is not just my opinion. It's a *mathematical* fact.
Read on if you want to learn a deep fundamental truth about data and its relationship to the universe we live in.
121
2K
8K
0
8
39
Just finished TensorFlow patch releases from 1.15 to 2.3, fixing 25 vulnerabilities. My work for this quarter, initially thought it would only take a few weeks
2
1
37
I welcome the future where the answer to "what ML framework do you use?" would always be "keras core"
Keras Core has now a NumPy backend. This is a great demonstration of its modular backend architecture: you can plug any framework.
Note that since NumPy does not natively support autodiff, the NumPy backend doesn't support training. You can use it for evaluation & inference.
11
36
474
2
8
36
Model storage under attack (). Models are uninspectable, so the only solution to prevent tampering is to sign them.
OpenSSF has a model signing SIG as part of the AI/ML WG. Both biweekly meetings are in the OpenSSF calendar.
Also,
2
18
34
@LegoRacers2
What if a time traveler from the past gets sick? What if we manage to revive mummies and then they need access to health care? The creators of this form really thought of all the impossibilities
1
2
33
This long weekend I listened to all episodes of the PyTorch Dev podcast by
@ezyang
. Recommend listening to these short but deep episodes.
Also, got so much feature envy comparing with the state of TensorFlow.
1
1
31
Concerned that LLMs are going to take your job? Learn advanced math and Haskell. In my experience, all LLMs I've tested have failed at these tasks. (semi-joke)
6
3
32
@edwarnicke
That is true, but the issue was that GitHub offered some guarantees that certain things are stable, people misunderstood and now are broken
2
1
30
Around 12 years ago, after nano made me almost fail an exam, I opened vim and since then I just cannot quit it. That's why I use vim everywhere
7
2
29
If tiktok gets banned there will be protests. But, given length of tiktok content, the protests will also last only 20 seconds
2
4
26
No more awk,cut,sed. Just SQLite
The implications of this for bash scripting are terrifying.
23
92
833
0
0
26
Extremely excited to see that Haskell has a playground now. This replicates Compiler Explorer (which also has support for Haskell compilation) but gives access to intermediate compile steps, Core, etc.
1
4
28
ML literature
me: i’m going to try and keep up with the literature! how hard can it be anyway
the literature:
111
2K
16K
2
4
27
@fchollet
Problem is that as an academic you have to publish in the royalty/pay-wall system. But every academic I mailed about their paper has sent me a copy free of charge in less than 2-3 days after sending email
1
2
26
Understanding the complexities of software supply chain became easier today. now has a public API.
2
7
26
So many times did I get a breakthrough while showering, doing chores, hiking, walking or even sleeping. Take breaks
4
4
27
I'm excited to see that OSSFuzz is now 6 years old! I maintain that fuzzing and property testing are the best way to uncover both bugs and security issues in any app and I'm pleased to see the numbers that OSSFuzz has (8k+vulns, 28k+bugs) + new rewards
0
8
26
“Once men turned their thinking over to machines in the hope that this would set them free. But that only permitted other men with machines to enslave them.”
― Frank Herbert, Dune
2
1
25
"Even worse is the risk of the length of day getting shorter which could in theory mean we might need a negative leap second. There has never been a negative leap second, and if there is one, everyone who deals with timekeeping code expects that it will be an appalling shitshow."
There hasn't been a leap second for a while; here's why:
Trigger warning: scary ending.
11
210
479
1
19
25
@kelseyhightower
Reminds me of the old joke where spies got the last page of code listing for a very special project. They could only get what the language was, not what code was there, since the page was just )s
1
0
25
"To continue please download and use our app*"
Which is the same as the webpage but we want to track you better and serve you unlockable ads without following browser restrictions. So we're shipping an Electron app,out of date, vulnerable &hogging up resources but serving you
1
4
24
"free software is free as in free puppy. You can adopt it for free but then you need to take care of it"
0
4
24
Today I am joining the select group of people that have more than 1000 commits to TensorFlow.
6
0
23
This is finally public 🎉🎉. No longer needing to keep various formatted strings around to put coffee in public design docs.
well... that's something new. Google Docs supports code blocks now.
184
2K
17K
3
1
22
Achievement unlocked: received LinkedIn message to work at ${workplace} while working at ${workplace} already
4
0
23
Today is the 2000th day of continuous green tiles on GitHub. One commit / PR review / PR push / issue creation every day, it became a habit to get an easy win every day.
1
1
22
We are happy to publish a whitepaper on how we're thinking on securing the AI supply chain both internally and for OSS. This is a culmination of nearly a year of thinking about this space, from people working on AI or security, across multiple Google PAs.
Since all model serialization formats are vulnerable, it is better to sign models on training (or upload) and verify signatures before use.
Much better to also record the entire supply chain provenance.
Will have more on this, soon
3
1
21
1
4
22
Since all model serialization formats are vulnerable, it is better to sign models on training (or upload) and verify signatures before use.
Much better to also record the entire supply chain provenance.
Will have more on this, soon
Keras 2 Lambda Layers Allow Arbitrary Code Injection in TensorFlow Models
Lambda Layers in third party TensorFlow-based Keras models allow attackers to inject arbitrary code into versions built prior to Keras 2.13 that may then unsafely run with the same permissions as the
1
7
22
3
1
21
Excited that generating SLSA level 3 provenance for containers is now available as a GitHub action. This allows one to check who has built a docker image, at what commit, etc. in an unfalsifiable way.
1
8
21
Materials (slides + codelab) for the Haskell 101 and Haskell 102 courses at Google are now available on GitHub. Feedback is always welcome.
2
2
21
Types are documentation. But not the only format. Properly written tests are documentation. Naming is documenting. Comments are documentation. So on and so forth. Don't stop at just one of them
0
4
21
For the past month + more days I have been working on a single blog post. Today I can publish it.
What is it about? Graph databases. I wanted to test their performance on GUAC & personal use cases and as a result I learned a lot of things about DBs.
2
6
20
The last episode of "The Joy of Why" ("Can Computers Be Mathematicians?") is definitely worth listening to.
I first thought it's about ML models applied to Math, but after listening to
@stevenstrogatz
and
@XenaProject
talking, I realized is more interesting: the topic is Lean.
0
3
21
Today we are announcing the launch of version 0.1 of GUAC, the tool that Google and Kusari and community have been working on to bring a telescope through which to understand all the metadata in the supply chain
0
9
20
Analogies, like Taylor series expansions, are useful only on a limited domain around a point.
PS: This is also an analogy.
2
4
19
Twitter now: a meme, an ad, a far right tweet, an ad, some comment to a tweet I've seen multiple times, an ad, a rant, an ad, a retweet, an ad, a far right retweet, an ad, finally something useful, two ads.
2
3
20
It's me, hi, I'm the poster🎶
This week has been great, have a talk about Bazel SLSA builder at Bazelcon, another one about SLSA for ML at PackagingCon, polished the model transparency repo, wrote a blog post on Google's security blog ML supply chain.
3
2
20
Work wise this year has been great. First, a release of GUAC, then work on model transparency (supply chain), and fuzzing with LLMs (here not as much active as I would have liked)
Looking fwd to more work at the confluence of AI and security in the next year. And more conf talks
1
0
19
No one mentions the vulnerabilities resolved, but there are many and TF is still the only ML platform that has security research, policies and workflows
TensorFlow 2.9 has been released! 🎉
Highlights include:
👉 Performance improvements with oneDNN
👉 Release of DTensor, a new API for model distribution that can be used to seamlessly move from data parallelism to model parallelism
Learn more ↓
11
59
228
2
2
20
Do you need a telescope to understand the nebulous cloud of dependencies and supply chain metadata associated with your projects? GUAC 🥑 is this telescope and now we only need 50 more stars to 1k
2
7
19
When the AI slop is really bad, all you can do is laugh:
2
0
18
24 hours after second shot. No side effects at all, no sore arm, no cough, no 5G, nothing
6
1
18
@ValentinKasas
@alexelcu
English is tough but it can be learned through thorough thought though
2
1
17
After AlphaGo people started playing more advanced versions of go. Grandmaster chess players use AI to develop new moves.
In a similar vein, Lean and similar will help mathematicians write proofs and GitHub Copilot will help programmers write more advanced programs.
2
3
16
Years of programming and complexity of code that results from that
1
2
18
After the "The Joy of X" podcast (which was great), "The Joy of Why" can only be even greater. So far, I liked all episodes and I recommend them to anyone
May I ask you a favor? If you haven’t already listened to THE JOY OF WHY, please try one episode. We discuss big questions in math, physics, biology, and computer science. If you like the show, please subscribe on your favorite podcast platform. Thanks! 🙏
10
51
190
2
6
18
Today is half a year since I left TF and joined Google OSS Security Team. Since it's also Thanksgiving, I'm writing this to say I'm very thankful for the chance. GOSST has a lot of work, very impactful, a lot of learning opportunities, good work-life balance, ideal place to be.
0
0
18
Group theory and spherical geometry in Zelda
In Zelda Tears of the kingdom, you can only rotate vertically and horizontally by 45°. Here's a tip for rotating around the third axis: Rotate all four directions, in order, for a 45° rotation
→↓←↑ = ↺
→↑←↓ = ↻
This happens because of some pretty neat math
1/🧵
5
151
763
0
9
18
Seriously, I wish Google's would stop leaking internal stuff. Like every other day there is a new leak.
This only closes the culture, it is already so different than when I joined and things were more open
1
0
18
Half a year since I left TF and finally I no longer am the contributor with the most contributions to the OSS side over its entire history, finally getting tied
0
0
17
I declare my mind blown.
readMany = unfoldr $ listToMaybe . concatMap reads . tails
Example usage:
readMany "This string contains the numbers 7, 11, and 42." :: [Int]
[7,11,42]
0
7
22
2
0
16
Did I hear correctly that
@nixos_org
is 20 years old? Well, here's my article about how it is the perfect distro for me:
1
2
17
@LiveOverflow
I can help. Worked in TF for ~4 years.
Looking at the data description, decision trees seem like a good fit since you have a categorical column and a continuous one. But data amount and range of values might change this
1
0
17
Take time during weekend to fix a TensorFlow issue. The same person that caused me to leave TF at the first occasion starts commenting that he doesn't like the procedure used, process being used so many times in the past both in TF and other repos.
Excuse my French but fork this
2
1
17
Two years after leaving TF team, I am no longer the most active contributor of all time in the repository history
I need to join TF team again to send some more contributions (or wait until XLA is fully separated out and look at the numbers at that time)
2
0
17
Each time I try one of these LLMs I break it in <5 minutes :(
4
0
16
When politicians care more about what you read, what you do in your bedroom, and whom you marry rather than protecting the life of your kids you know you live in a failed state
1
1
16
I need to blog more. Writing documents is so slow if my writing muscles are atrophied.
0
1
16
How do you find out how much free space you have on disk (human readable)?
Linux: `df -h`
Windows: `Get-WmiObject -Class Win32_LogicalDisk | ? {$_. DriveType -eq 3} | select DeviceID, {$_.Size /1GB}, {$_.FreeSpace /1GB}`
1
0
16
Giving up drinking until Christmas
Wait I made a typo.
Giving up. Drinking until Christmas
2
1
16
"use the best tool for the job" is nice and cool but then you have 3 different teams with different versions of tools that kinda solve the job in some cases and not in others. And a new team is working on version 4, promo driven development style, not to support you.
1
0
16
Amplifying the tech troll lead got him 1k new followers on less than 10 hours
3
0
16
On the last working days of this year I spent some time gifting TF contributors: shepherded old and new blocked PRs until they got merged. From 320 PRs, TF is now down to 240 and there are a few more that might land (but won't cover if they don't).
1
1
16
On my 3 weeks long vacation, I had several things planned to do.
That I proudly (/s) admit I have done exactly -1 of them: finished one and got two extra added to the pile
But rested, and that's the important part
0
0
15
This was supposed to be the 6th year of all green tiles but I missed slightly more than a week of them. Still, it made no difference, it's the 6th year of monotonically increasing number of OSS contributions and I think this matters more than just having all tiles green.
0
0
16
- So, what do you do?
- I'm a supervillain
- What's your name?
- Autocorrect
- Are you Sirius? What's your super powder? Wait a minion... What the help us happy ninja to me? PEAS MAKE IT DUCKING STOP!
0
6
14
As I understand more and more of the work my new team is doing, I'm excited for it more and more. Been a while since I got some curious about new things and excited to get my hands deep in the implementations
0
0
15
9.8: the gravitational constant (approximation) and the default NVD score for CVEs, including ones which have no real weight at all
2
3
14
I've recently retweeted a lot about FAANG promo and OSS work. The is resonance with my experience on TF devinfra & security, attempting promo after having to act as TL after half the team including leadership left. Will post (maybe horror) one day, but it wasn't always pleasant
1
0
15
Just finished teaching another Haskell 101/102 session at Google. At some point, when having some free time, I should update the materials on GitHub with the new versions of the slides
1
0
15
A thing I like most about this app is that every so often there is a person that posts a gigantic thread about something they're really passionate about. From thread like those I learn a lot of new cool stuff. That's why I keep returning here every day, to catch all the cool thrs
0
2
15