Four short links: 17 May 2019
Productsec, Supply Chain Attack, Sparse Neural Networks, and the Christchurch Call
- Six Buckets of Productsec — There are six buckets a security bug can fall into on its journey through life:
  - Prevented — best outcome, never turned into code.
  - Found automatically — found via static analysis or other tools, “cheap” time cost.
  - Found manually — good even if it took more time; a large set of bugs can only be found this way.
  - Found externally — usually via bug bounty, put users at real risk, expensive time cost but 100x better than other outcomes.
  - Never found — most bugs probably end up here.
  - Exploited — the worst.
- ShadowHammer (Bruce Schneier) — The common thread through all of the above-mentioned cases is that attackers got valid certificates and compromised their victims’ development environments. (via Bruce Schneier)
- The Lottery Ticket Hypothesis: Finding Sparse, Trainable Neural Networks — dense, randomly initialized, feed-forward networks contain subnetworks (“winning tickets”) that—when trained in isolation—reach test accuracy comparable to the original network in a similar number of iterations. The winning tickets we find have won the initialization lottery: their connections have initial weights that make training particularly effective.
- Christchurch Call — first time governments and companies have, en masse, sat at a table to figure out how to curb violent extremist content on the platforms.