Date: 2024-05-07

In the past month, we saw a blizzard of new language models. It’s almost hard to consider this news, though Microsoft’s open (but maybe not open source) Phi-3 is certainly worth a look. We’ve also seen promising work on reducing the resources required to do inference. While this may lead to larger models, it should also lead to reduced power use for small and mid-sized models.

AI

Programming

Security

GitHub allows a comment to specify a file that is automatically uploaded to the repository, with an automatically generated URL. While this feature is useful for bug reporting, it has been used by threat actors to insert malware into repos.

GPT-4 is capable of reading security advisories (CVEs) and exploiting the vulnerabilities. Other models don’t appear to have this ability, although the researchers haven’t yet been able to test Claude 3 and Gemini.

Users of the LastPass password manager have been targeted by relatively sophisticated phishing attacks. The attacks originated from the CryptoChameleon phishing toolkit.

Protobom is an open source tool that will make it easier for organizations to generate and use software bills of materials. Protobom was developed by the OpenSSF, CISA, and DHS.

Last month’s failed attack against xz Utils probably wasn’t an isolated incident. The OpenJS Foundation has reported similar incidents, though they haven’t specified which projects were attacked.

System Package Data Exchange (previously known as Software Package Data Exchange 3.0) is a standard for tracking all supply chain dependencies, not just software. GitHub is integrating support to generate SPDX data from their dependency graphs.

A malicious PowerShell script that has been used in a number of attacks is believed to have been generated by an AI. (The tell is that the script has a comment for every line of code.) There will be more…

Kobold Letters is a new email vulnerability and is a real headache. A hostile agent can use CSS to modify HTML-formatted email after it is delivered, depending on the context in which it is viewed.

AI can hallucinate package names when generating code. These non-existent names often find their way into software. Therefore, after observing a hallucinated package name, it’s possible to create malware with that name and upload it into the appropriate repository. The malware will then be loaded by software referencing the now-existent package.

Web

Robotics

Boston Dynamics has revealed its new humanoid robot, a successor to Atlas. Unlike Atlas, which used hydraulics heavily, the new robot is all electric, and has joints that can move through 360 degrees.

A research robot now uses AI to generate facial expressions and respond appropriately to facial expressions in humans. It can even anticipate human expressions and act accordingly—for example, by smiling in anticipation of a human smile.

Quantum Computing

Has post-quantum cryptography already been broken? We don’t know yet (nor do we have a working quantum computer). But a recent paper suggests some possible attacks against the current post-quantum algorithms.

Microsoft and Quantinuum have succeeded in building error-corrected logical qubits: the error rate for logical qubits is lower than the error rate for uncorrected qubits. Although they can only create two logical qubits, this is a significant step forward.