Dmitrijs Trizna

A significant vulnerability, CVE-2024-37629, has been discovered in SummerNote 0.8.18, allowing Cross-Site Scripting (XSS) via the Code View function. Summernote is a JavaScript library for creating WYSIWYG editors online. An attacker can use XSS to insert harmful scripts into a trusted application or website. An XSS attack often starts with an attacker luring a user to click on a malicious link. According to security researcher Sergio Medeiros, 10,000 web apps have a 0-day vulnerability that can be exploited with a simple XSS payload. Detecting XSS Vulnerability in the Editor Given similar XSS concerns in editors like CKEditor and TinyMCE, the security researcher decided to investigate the WYSIWYG Editor. This led to the SummerNote website, where users can see the WYSIWYG editor’s features on the homepage, along with a GitHub repository URL to examine the codebase. ~First Hackers News To Continue reading this article, click on this link >>> https://lnkd.in/gsRA6ivt #vulnerability #summernote #xss #codeview #javascript #attacker #maliciouslink #securityresearcher #website #zeroday #cyberattack #cybersecurity #cybernews #fhn #firsthackersnews #informationsecurity #latestnews

#Topics Improving your LLMs with RLHF on Amazon SageMaker [ad_1] Reinforcement Learning from Human Feedback (RLHF) is recognized as the industry standard technique for ensuring large language models (LLMs) produce content that is truthful, harmless, and helpful. The technique operates by training a “reward model” based on human feedback and uses this model as a reward function to optimize an agent’s policy through reinforcement learning (RL). RLHF has proven to be essential to produce LLMs such as OpenAI’s ChatGPT and Anthropic’s Claude that are aligned with human objectives. Gone are the days when you need unnatural prompt engineering to get base models, such as GPT-3, to solve your tasks. An important caveat of RLHF is that it is a complex and often unstable procedure. As a method, RLHF requires that you must first train a reward model that reflects human preferences. Then, the LLM must be fine-tuned to maximize the reward model’s estimated reward without drifting too far from the original model. In this post, we will demonstrate how to fine-tune a base model with RLHF on Amazon SageMaker. We also show you how to perform human evaluation to quantify the improvements of the resulting model. Prerequisites Before you get started, make sure yo...

🔔 The latest update to Huggingface’s PEFT v0.11.0 introduces several new Parameter-Efficient Fine-Tuning (PEFT) techniques (BOFT, VeRA, and PiSSA) https://lnkd.in/gWctEzuk

Google DeepMind announce LLM Augmented LLMs Expanding Capabilities through Composition paper page: https://lnkd.in/gqUJeP_R Foundational models with billions of parameters which have been trained on large corpora of data have demonstrated non-trivial skills in a variety of domains. However, due to their monolithic structure, it is challenging and expensive to augment them or impart new skills. On the other hand, due to their adaptation abilities, several new instances of these models are being trained towards new domains and tasks. In this work, we study the problem of efficient and practical composition of existing foundation models with more specific models to enable newer capabilities. To this end, we propose CALM -- Composition to Augment Language Models -- which introduces cross-attention between models to compose their representations and enable new capabilities. Salient features of CALM are: (i) Scales up LLMs on new tasks by 're-using' existing LLMs along with a few additional parameters and data, (ii) Existing model weights are kept intact, and hence preserves existing capabilities, and (iii) Applies to diverse domains and settings. We illustrate that augmenting PaLM2-S with a smaller model trained on low-resource languages results in an absolute improvement of up to 13\% on tasks like translation into English and arithmetic reasoning for low-resource languages. Similarly, when PaLM2-S is augmented with a code-specific model, we see a relative improvement of 40\% over the base model for code generation and explanation tasks -- on-par with fully fine-tuned counterparts.

Security researchers have published a Proof-of-Concept (PoC) exploit for a critical vulnerability in the widely used PuTTY SSH and Telnet client. The flaw, CVE-2024-31497, permits attackers to recover private keys generated with the NIST P-521 elliptic curve in PuTTY versions 0.68 through 0.80. This vulnerability arises from PuTTY’s biased generation of ECDSA nonces when using the P-521 curve. Researchers discovered that the first 9 bits of each nonce are consistently zero, allowing for full private key recovery from approximately 60 signatures using lattice cryptanalysis techniques. Security researcher Hugo Bond demonstrated the attack’s feasibility by publishing a PoC exploit on GitHub. Leveraging the nonce bias, the PoC recovers the private key from a set of signatures generated by a vulnerable PuTTY version. ~First Hackers News To Continue reading this article, click on this link >>> https://lnkd.in/eByKXvrE #securityresearchers #PoC #vulnerability #telnet #attackers #privatekey #cryptanalysis #PuTTY #cyberattack #cybersecurity #fhn #firsthackersnews #informationsecurity #latestnews

#Topics Bolstering enterprise LLMs with machine learning operations foundations [ad_1] Once these components are in place, more complex LLM challenges will require nuanced approaches and considerations—from infrastructure to capabilities, risk mitigation, and talent. Deploying LLMs as a backend Inferencing with traditional ML models typically involves packaging a model object as a container and deploying it on an inferencing server. As the demands on the model increase—more requests and more customers require more run-time decisions (higher QPS within a latency bound)—all it takes to scale the model is to add more containers and servers. In most enterprise settings, CPUs work fine for traditional model inferencing. But hosting LLMs is a much more complex process which requires additional considerations. LLMs are comprised of tokens—the basic units of a word that the model uses to generate human-like language. They generally make predictions on a token-by-token basis in an autoregressive manner, based on previously generated tokens until a stop word is reached. The process can become cumbersome quickly: tokenizations vary based on the model, task, language, and computational resources. Engineers deploying LLMs need not only infrastructure experience, such as deploy...