What Is Snatch Ransomware and How to Remove It – Guiding Tech

It seems like crimeware developers never sleep as defenses rise. They're always on the lookout for different ways of honing their weapons of attack. One of the most recent techniques is a ransomware strain that can force a Windows device to reboot into Safe Mode right before encryption begins, intending to get around endpoint protection.

This particular strain is known as Snatch owing to its authors, who refer to themselves as the Snatch Team. It was discovered by Sophos Labs researchers, who outlined their discovery together with insights into how such gangs break into enterprises and other entities on their hit list.

We're going to explain what Snatch ransomware is, how it works, and how you can remove it from your devices.

Snatch is a fresh ransomware variant whose executable forces Windows devices to reboot into Safe Mode before the encryption process begins, in a bid to bypass endpoint protection that often doesn't run in this mode.

Discovered by SophosLabs researchers and the Sophos Managed Threat Response team, Snatch ransomware is one of multiple malware components being used in an ongoing series of carefully orchestrated attacks featuring extensive data collection.

The new strain uses a unique infection method and AES encryption so that users whose machines are infected can't access their files.

Snatch ransomware was first noticeably active in April 2019, but it was released at the end of 2018. The spike in encrypted files and ransom notes led to its discovery and follow-up by the team of researchers at Sophos.

Its crypto-virus form attacks high-profile targets, but this new strain, written in Google's Go language, comprises a collection of tools including a data stealer and a ransomware feature. It also carries a Cobalt Strike reverse shell and other tools used by penetration testers and system administrators.

Note: The variant Sophos discovered is only able to run on Windows in 32-bit and 64-bit editions from version 7 through 10.

As a file locking virus, Snatch ransomware has no connections with other strains. Still, its developers released nine variants of the threat, which append different extensions after data is encrypted with AES cipher.

The trick is to reboot machines into Safe Mode, and then the ransomware restricts access to your data by encrypting your files. After that, the hackers try to extort money from you by soliciting ransoms in the form of Bitcoin in exchange for unlocking your files and giving back data access.

There's a reason why their trick works. Some antivirus software doesn't start in Safe Mode, and the developers discovered they could simply modify a Windows registry key and boot your machine into Safe Mode. Thus the ransomware runs undetected by your security software.

The first time it's installed on your device, it comes through SuperBackupMan, a Windows service, and sets up right before your computer starts rebooting so you can't stop it in time.

Once installed, the attackers use admin access to run BCDEDIT, a Windows command-line tool, to force your computer to reboot in Safe Mode immediately.

It then creates a randomly named executable in your %AppData% or %LocalAppData% folder, which is launched and starts scanning your computer's drive letters for files to encrypt.

It encrypts specific file extensions, including .doc, .docx, .pdf, .xls and many others, and changes their extensions to Snatch so you can't open them again.

The ransomware leaves a Readme_Restore_Files.txt text file note, demanding anything between one and five Bitcoin in exchange for a decryption key, with information on how to communicate with the hackers to get your data files back.

After the ransomware scans your computer completely, it uses vssadmin.exe, a Windows command, to delete all Shadow Volume Copies so you can't use them to restore encrypted files. The final step is to encrypt the data files on your hard drive.
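The sequence above (a Safe Mode boot configured with BCDEDIT, a randomly named executable under %AppData%, shadow copies deleted with vssadmin) is a pattern a defender can hunt for in process-creation logs. The detector below is an added example written for this article, not code from Sophos or the article's author; its tab-separated log format, host names and sample lines are constructed.

```python
"""Scan process-creation log lines for the Snatch behaviours described above.

Added example, not code from the article or from Sophos. The log format
(host<TAB>image path<TAB>command line) and the sample lines are constructed.
"""
import re
from collections import defaultdict

# Constructed sample log: one process-creation event per line.
SAMPLE_LOG = """\
WS01\tC:\\Windows\\System32\\bcdedit.exe\tbcdedit /set {current} safeboot minimal
WS01\tC:\\Windows\\System32\\vssadmin.exe\tvssadmin delete shadows /all /quiet
WS01\tC:\\Users\\alice\\AppData\\Local\\xv4k2q.exe\txv4k2q.exe
WS02\tC:\\Windows\\System32\\bcdedit.exe\tbcdedit /set {current} safeboot network
WS03\tC:\\Program Files\\Backup\\backup.exe\tbackup.exe --full
"""

# Each rule: (name, event field to inspect, compiled pattern). The behaviours
# come from the article; the patterns are this example's own.
RULES = [
    # BCDEDIT used to make the next boot a Safe Mode boot.
    ("bcdedit_safeboot", "cmdline",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
    # vssadmin deleting Shadow Volume Copies ahead of encryption.
    ("vssadmin_delete_shadows", "cmdline",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    # An executable launched from %AppData% or %LocalAppData%.
    ("exec_from_appdata", "image",
     re.compile(r"\\AppData\\(Roaming|Local)\\[^\\]+\.exe$", re.I)),
    # The service name the article reports for the initial install.
    ("superbackupman_service", "cmdline",
     re.compile(r"superbackupman", re.I)),
]


def parse_line(line):
    """Split one constructed log line into a dict; return None if malformed."""
    parts = line.rstrip("\n").split("\t", 2)
    if len(parts) != 3:
        return None
    host, image, cmdline = parts
    return {"host": host, "image": image, "cmdline": cmdline}


def match_rules(event):
    """Return the names of all rules that fire on a single event."""
    return [name for name, field, pat in RULES if pat.search(event[field])]


def scan_log(text):
    """Map each host to the set of rule names observed for it."""
    hits = defaultdict(set)
    for line in text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        for name in match_rules(event):
            hits[event["host"]].add(name)
    return dict(hits)


def triage(hits):
    """Grade hosts. A lone safeboot or AppData hit is common admin or user
    noise; shadow-copy deletion, or two or more of these behaviours on one
    host, is the Snatch pattern and gets the high grade."""
    grades = {}
    for host, names in hits.items():
        if len(names) >= 2 or "vssadmin_delete_shadows" in names:
            grades[host] = "high"
        else:
            grades[host] = "medium"
    return grades


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for host, grade in triage(found).items():
        print(f"{host}: {grade} ({', '.join(sorted(found[host]))})")
```

Legitimate administrators also use bcdedit and vssadmin, so the per-host correlation in triage, not any single rule, is what separates the ransomware pattern from routine maintenance.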

Currently, infected files aren't decryptable owing to the AES encryption used. However, you still have a lifeline if your computer is infected: restoring your files from the most recent backup.

Snatch ransomware has targeted regular users via spam emails, but today the main targets are corporations. By paying such criminals, you not only lose money with no guarantee that they'll send you the decryption key, but you also encourage them to continue their cyber criminality.

If you don't have an updated backup, there's not much else you can do other than wait until security experts come up with a Snatch ransomware decrypter. That could take a long time, but there are other ways you can protect yourself from such attacks.

One of the best ways to remove Snatch ransomware and other malware is to install good antivirus security software such as Malwarebytes or SpyHunter that can scan, detect, and eliminate the threat. Not all antivirus engines can catch it because it's an entirely new malware, so it's good to scan using several programs.

You can protect yourself and your devices against ransomware attacks by taking simple steps such as downloading software only from trusted sources and not opening email attachments from untrusted sources.

Other ways you can protect yourself and your organization from Snatch and other types of ransomware include:

Snatch ransomware may sound almost life-threatening in how it works to paralyze your files and devices. Before you think of paying that ransom, try the steps above to remove the threat and always take preventive measures to ensure this and such threats don't show up on your computer or network.

Next up: If you suspect your phone is infected with ransomware, check our next article to find out how to detect that and remove it.

Last updated on 18 Dec, 2019


Volunteer firefighters, EMTs worry they won't have NYPD radio access to help public – amNY

As the city continues to stay mum on the plan to encrypt tens of thousands of police radios in New York City, yet another group is expressing concern that it will also be shut out of the NYPD feed: volunteer firefighters and ambulance companies.

Dozens of volunteer ambulance groups currently respond to help New Yorkers around the city, and they monitor police radios to provide assistance.

Those radios will likely go silent should the NYPD proceed with its plan to encrypt all police radios in 2020, as reported Wednesday in amNewYork.

The NYPD, while not explicitly denying the amNewYork report, said in a statement Tuesday that the department is undergoing a systems upgrade that is underway for the next 3-5 years.

"Part of that upgrade includes ensuring radios can support either encrypted or non-encrypted use," said Sergeant Jessica McCrory, a spokesperson for the NYPD Deputy Commissioner of Public Information. "The Department constantly evaluates technology capabilities and safety measures, and once upgrades are complete, will determine encryption best practices based on safety needs of the city and law enforcement best practices."

Some companies also have access to the FDNY radio feed. The Fire Department's radios are capable of encryption, but officials there say they have no plans to do that. Even so, NYPD and FDNY commanders would still need radios capable of communicating with each other.

All news organizations would potentially be locked out if the encryption plan goes forward. Many get their early tips of breaking news from listening to police radio scanners or following services which have such access.

Many advocacy groups have weighed in after amNewYork's report, including the Committee to Protect Journalists, which issued the following statement: "CPJ is looking into this, and we have also shared it with the US Press Freedom Tracker."

When Police Officers Rafael Ramos and Wenjian Liu were shot to death in 2015, the Bedford-Stuyvesant Volunteer Ambulance Corps was able to quickly respond to the scene because they heard emergency calls on the police radio.

"That's how we responded so rapidly to them," said Antoine Robinson, commanding officer and CEO of the Bed Stuy Volunteer Ambulance. "That's how we get our jobs, but you know the police have to do what is best for the public and police department. No matter what they do, we still have to answer our call and obtain the information we need."

Robinson said he plans to speak to the NYPD to see what can be done to maintain communications.

"We used to sign out radios, but they stopped doing that, so maybe something else can be worked out," Robinson said.

The Central Park Medical Unit, an all-volunteer ambulance unit serving Central Park and the surrounding streets, was able to save the life of a man injured by a home-made bomb in 2016. They were able to get to him quickly because they heard the call on NYPD radio.

Volunteer rescuers have been concerned about losing radio access for some time amid rumors about encryption.

Danny Cavanaugh, president of the Volunteer Fireman's Association of New York, said volunteer companies around the city have expressed their concerns previously, but received little response from the NYPD.

"We want to maintain the relationship we have always had, and we look forward to continuing it," Cavanaugh said. "We always come to the aid of the police and hope we can continue to do that."

Travis Kessel, chairperson of District 4 New York State Volunteer Ambulance and Rescue Association, said it is essential that volunteer units work closely with the police department and render aid in a timely manner.

Kessel, who works with the Glendale and Ridgewood Volunteer Ambulance Corps, said he has a close relationship with the NYPD, but losing the radio would make it difficult for the corps to respond to police emergencies.

"Since we've existed, we've been part of every large-scale event in the city, every blizzard, heat emergencies, to obviously larger events like 9/11. Those open lines of communication to assist, then, NYPD and FDNY and other agencies; losing that line would be devastating," Kessel said. "Our ability to help in a moment's notice, by monitoring those radio frequencies and through media channels, allows us to bring aid quicker, allows us to have that inside knowledge of knowing what type of resources are needed."

Councilman Donovan Richards, chair of the Public Safety Committee, said he and all other elected officials were taken aback by the radio encryption plans, but he's not shocked to hear of the NYPD doing this in secret.

"Anything that goes backward and kills transparency in this city with the NYPD is not good for the public," Richards said. "We are very interested in hearing from the NYPD. This is not good for democracy."

Despite Mayor Bill de Blasio saying he would speak with Commissioner Dermot Shea about the radio encryption and loss of transparency, his office has yet to reply for comment.


Facebook , Apple being threatened by US senators over data encryption – Gizmo Posts 24

According to a recent study, US senators threatened some of the most renowned companies, such as Facebook and Apple. A meeting was held on the 10th of December. The main aim of the meeting was to get rid of the obstacles they have been facing in finding abusers.

Why are they being threatened?

The senator says that data encryption is getting in the way of finding evidence, and does not want to provide a safer place for child abusers by being unable to catch them. Representatives of both technology companies attended the meeting.

It seems like a serious issue prevailing in the country. Facebook is also facing pressure from many governments recently. Can you guess why? The reason is the extension of end-to-end encryption of WhatsApp messages.

Companies trying to save themselves

Facebook also tried explaining to the senator that it did not develop any particular operating system or device. It says that it is open to any scanning of illegal copies. Similarly, the head of privacy issues at Apple says that there are no particular forums through which strangers can connect to each other. "The user profile is not based on the materials of the user," says Apple.

The track record of Apple and Facebook is tremendous across the world. Given their innovation over time and protection of data against third parties, it is very difficult for the companies to give up on data encryption.

A drawback for these major companies:

Amid all these circumstances, the Cupertino tech giant has allowed law enforcement to access a locked phone to find a suspect in a mass shooting. This has put additional pressure from the senator on the heads of these renowned companies. The regulations that will be imposed on both companies are still ambiguous.


What We Learned About the Technology That Times Journalists Use – The New York Times

Several years ago, some colleagues and I were chatting about what was missing from tech journalism. Plenty of news media outlets had written breathlessly about hot new gadgets and apps. But what were people really doing with that tech?

That question spawned Tech We're Using, a weekly feature that documented how New York Times journalists used tech to cover a wide variety of topics, including politics, sports, wars, natural disasters, food and art.

With the decade coming to a close, we decided to also wrap up the column after interviews with more than 130 Times reporters, editors and photographers. Here were our biggest takeaways.

Unsurprisingly, the smartphone was the most vital work tool among journalists. Many reporters relied on smartphones for recording interviews and turned to A.I.-powered apps like Trint and Rev to automatically transcribe interviews into notes.

Most Times reporters now also rely on some form of encrypted communication, particularly messaging apps like Signal and WhatsApp or the emailing service ProtonMail, to keep their sources and conversations confidential.

That is a remarkable shift. Encryption technologies became popular only a few years ago, after the former government security contractor Edward Snowden revealed the extent of what the United States government was doing to surveil its own citizens.

Another indispensable tool underlined a type of tech that has not improved much: batteries. Many reporters, especially national correspondents who live out of a suitcase, desperately needed phones with longer-lasting batteries, so battery packs were a staple in their arsenal of tools.

Many photographers were also early adopters of new tech. One key example: drones. Those were constantly getting smaller, and their cameras were improving, which created possibilities for new types of photography, like overhead shots of houses damaged in a fire.

In contrast, many tech reporters tried to minimize the amount of tech they used. That could be, in part, a symptom of knowing too much about the companies they covered and the wide swaths of data those companies collected.

Many editors and reporters also talked about how tech had transformed the industries they cover.

In the world of dining, digital photography and platforms like Instagram have become the main method that restaurants use to communicate with patrons. Rocket launches are now live-streamed online, which lets our space reporter watch from his phone instead of heading to the space station. And in the entertainment world, video streaming has opened doors to a wealth of new content, so much so that reporting on movies and TV shows has become an art of curation.

What's ahead? If tech has invaded everything, the answer is: even more transformation.


Hugging Face Raises $15 million to Expand its Open Source Software on Conversational AI – IBL News

IBL News | New York

New York-based Hugging Face, a startup known for an app launched in 2017 that allows you to chat with an artificial digital friend, recently open-sourced its natural language processing (NLP) library, called Transformers. It has had massive success, with over a million downloads and 1,000 companies using it, including Microsoft's Bing.

Transformers can be leveraged for text classification, information extraction, summarization, text generation, and conversational artificial intelligence.

On Tuesday, Hugging Face, with just 15 employees, announced the close of a $15 million round, which adds to a previous $5 million.

The round, intended to triple Hugging Face's headcount in New York and Paris and fund the release of new software libraries, was led by Lux Capital, with participation from Salesforce chief scientist Richard Socher and OpenAI CTO Greg Brockman, as well as Betaworks and A.Capital.

"Tech giants are not taking a truly open-source approach on NLP, and their research and engineering teams are totally disconnected," Hugging Face CEO Clément Delangue said on VentureBeat.

"On one hand, they provide black-box NLP APIs like Amazon Comprehend or Google APIs that are neither state-of-the-art nor flexible enough. On the other hand, they release science open source repositories that are extremely hard to use and not maintained (BERT's last release is from May and only counts 27 contributors)."


How RISC-V is creating a globally neutral, open source processor architecture – VentureBeat

Arm dominates the microprocessor architecture business, as its licensees have shipped 150 billion chips to date and are shipping 50 billion more in the next two years. But RISC-V is challenging that business with an open source ecosystem of its own, based on a new kind of processor architecture that was created by academics and is royalty free.

This month, 2,000 engineers attended the second annual RISC-V Summit in San Jose, California. The leaders of the effort, including nonprofit RISC-V Foundation CEO Calista Redmond, said they see billions of cores shipping in the future.

RISC-V started in 2010 at the University of California at Berkeley Par Lab Project, which needed an instruction set architecture that was simple, efficient, and extensible and had no constraints on sharing with others. Krste Asanovic (a founder of SiFive), Andrew Waterman, Yunsup Lee, and David Patterson created RISC-V and built their first chip in 2011. In 2014, they announced the project and gave it to the community.

RISC-V enables members to design processors and other chips that are compatible with software designed for the architecture, and it means licensees won't have to pay a royalty to Arm. RISC-V is politically neutral, as it's moving its base to Switzerland. That caught the attention of executives, including Infineon CEO Reinhard Ploss, according to RISC-V board member Patterson. With RISC-V, Chinese companies wouldn't have to depend on Western technology, which became an issue when the U.S. imposed tariffs and Arm had to determine whether it could license U.S. technology to Huawei.

Perhaps because of this, RISC-V activity is picking up around the globe. Redmond said in an interview with VentureBeat that RISC-V is creating a technological revolution. It's not clear how many RISC-V startups there are, but the group counts more than 100 member companies with fewer than 500 employees.

Here's an edited transcript of our interview.

Above: Calista Redmond is CEO of the RISC-V Foundation.

Image Credit: Dean Takahashi

VentureBeat: There was a little bit of comment about the burst of people in China that are interested [in RISC-V], partly because of what Huawei is doing.

Calista Redmond: I haven't seen a burst of people in China. I'm not sure if someone else saw something I didn't, but the membership has grown steadily at a global level. If you look at our line graph, it's continuous. We didn't see a spike at any particular point.

VentureBeat: The representation in China, what would you say about that? Where is it relative to the whole world?

Redmond: In terms of global members, we have [fewer] than 50. I don't remember the exact number off the top of my head. It's somewhere between 30 and 50. China has two groups of interested organizations that have 200 members. Some of those are also members of the global foundation, and some are just members of two RISC-V groups that have self-assembled in China. There's CRVIC and CRVA. One is focused more on academic interests and one is focused more on industry interests. We collaborate with both of those groups on activities of global interest in China.

VentureBeat: There are all these different things that are appealing. Is it zero license fees, or …?

Redmond: There's no license fee. When you get to open source and you're looking at the ISA spec, that's open and freely available. You do need to be a member of the foundation to leverage the trademark, but everything is publicly available. There's no license fee. A license fee would indicate a commercial relationship, and we're a nonprofit foundation. We don't have commercial relationships. The way that we generate revenue is through membership fees, which are not attributed in a royalty or license structure, like you would with traditional proprietary ISAs.

VentureBeat: This territory-free designation … is it appealing to those who might face some kind of political border?

Redmond: When you open-source something, it's globally open and available. That IP is not governed by a geographic jurisdiction. That's how all open source works. That's how global open standards have worked for 100 years.

Above: The expo floor at the RISC-V Summit. It's small for now.

Image Credit: Dean Takahashi

VentureBeat: This is a key difference between you and Arm, though. Someone might not choose Arm because of this distinction.

Redmond: Arm also has some open IP. So does Intel. So does Power. From a base building block, RISC-V does not have any other tangential requirements to it that you might find in other models. At its base, there are two areas that you make decisions in. One, technically, am I going to be able to accomplish what I need to for the workload I need to serve? Two, does the business model fit for my incredible investment and long-term strategic durability? It's both of those pieces. More and more, with technology decisions you have lots of choice. It comes down to a business reason.

VentureBeat: David Patterson said the CEO of Infineon was interested, because you were moving the headquarters to Switzerland?

Redmond: We've had remarks made from different companies, different geographies, that indicate to us that they would be more open to investing in RISC-V if they felt that that gave them some level of comfort. The incorporation in Delaware as it is today … first of all, none of us lives in Delaware. Moving it from Delaware to Switzerland has no fundamental difference. We are not circumventing any regulations. We are not an insurance policy. We are fundamentally doing it because it calms some of the concerns that we have seen in the greater community.

VentureBeat: There's a perception when you're a U.S. nonprofit, as opposed to a neutral nonprofit.

Redmond: Could regulations change? Who knows, in the future? But they haven't changed in decades of open source software development. I don't think they're going to change in hardware.

VentureBeat: The numbers of chips … are you going to start counting how much progress you're making every year?

Redmond: The counts that have been surfacing and the reports that you've seen have been on cores, not on chips. RISC-V is more focused on cores, just as an equalizer in what we can count versus chips, because a chip may have two cores or it may have 30 cores. Now, Chips Alliance or another group may be more interested in chips, but then they probably need to delineate between different kinds: multi-threaded, whatever.

Above: RISC-V board members, (left to right): Krste Asanovic, Zvonimir Bandic, Ted Speers, Calista Redmond, Frans Sijstermans, and Rob Oshana.

Image Credit: Dean Takahashi

VentureBeat: Is there a long run there that matters? You're not a measurable percentage of Arm's shipments, right?

Redmond: I don't think we're competing head to head with Arm or Intel or Power or anything in that way. I get what you're looking at. We're sort of … the sweet spot for RISC-V is starting in this space where there isn't a current entrenched participant. Arm came in on mobile when there was no clear leader in that space. Intel survived and dominated in servers and desktops amongst many competitors.

I don't think that there is a declared winner yet in embedded or in some of the new IoT spaces, or AI. That's where I think you're going to see the most adoption of RISC-V initially. Then you'll see an additional rise after that where RISC-V may be looked at in the next generations of some of those architectures that had previously been there. But most companies don't like to rip and replace prior investments.

VentureBeat: The Samsung talk seemed interesting, where they're not going to replace old things, but they're adding this in.

Redmond: They're focused on the next generation. You heard them talk a lot about 5G. Modems, sensors, automotive. That's just it, right? You're seeing a lot of these companies start to diversify into the adjacent spaces of their core businesses. In those adjacent spaces, that's exactly the point I was getting to earlier. That's how you're starting to see the advances that RISC-V is making, in those new spaces.

VentureBeat: I guess that's how you gain market share. You're not replacing things, but as the new things you're in take off, they become a bigger part of the market.

Redmond: And where do you think the fastest growth rates are? Old spaces or new spaces? Probably those new spaces have attractive growth rates. Not always, but often.

Above: RISC-V co-creator Krste Asanovic at the RISC-V Summit.

Image Credit: Dean Takahashi

VentureBeat: Do you then have to do anything to prioritize that particular space?

Redmond: It's an interesting question. From our start, we started working on the base building blocks. Here's your core, your basic ISA. Here are these extensions that you can pick and choose off the menu, what you'd like to include. Then, as we've matured as an organization, we're starting to go up from that into software. As we get into software, we need to prioritize implementation stacks so that you have a single homogenous kind of perspective on that, from which of course you can diverge at any point in the path, but here's our recommended path to take a fully open approach. Those implementations could be in embedded. They could be in mobile. They could be some of the scale-out HPC-type of realm. But we are starting to look at that more so, as we look into the software side, as we look deeply at the extensions.

VentureBeat: As far as people taking RISC-V seriously, what would you point to as the milestones that are getting you into more conversations or into more doors?

Redmond: Nvidia is already including it as part of their core product.

VentureBeat: They came on board in 2016?

Redmond: I don't remember the exact date, but it's definitely out there. They're up to millions of cores at this point. Western Digital, a billion cores. The trajectory, as more large organizations come on board, as well as the startups start to make progress … the level of investment in startups is continuing to grow. The VC spend on RISC-V is starting to grow. You see some of those early successes with the likes of SiFive.

VentureBeat: Is that something you've figured out yet, how many startups are going?

Redmond: No, but we have about 100 companies that [have fewer] than 500 people in the organization today. I talk to new startups constantly. I would wager that a strong percentage (I don't know what that percentage would be) of our individual members are also looking at RISC-V as an area to do a startup business.

Above: The keynote crowd at the RISC-V Summit.

Image Credit: Dean Takahashi

VentureBeat: It's probably true, then, that a large percentage of chip design startups are going to be RISC-V? Or at least processor designs?

Redmond: It's difficult to start on a different architecture. There are higher barriers to entry if you want to go Arm or Intel or something else. We're really equalizing there.

VentureBeat: Because youre going into established markets?

Redmond: No. We bring an established and growing community and ecosystem and partners and tools and resources and reference designs and cores and extensions. We have all of those pieces that give you a running start as an entrepreneur without the burden of licensing royalties or other commitments to your business. It is a much easier business and technical decision to make.

VentureBeat: I detect a certain nervousness at Arm, even though both sides are saying that they're not directly competing with each other. It's the way Intel used to talk about the x86 startups.

Redmond: It's like we're all at the same dance. The music has changed a little bit, and now we're trying to figure out how we all move in that space. It's an interesting dynamic. There are adjustments going on across companies. You see it at Intel, at Arm, at Power. RISC-V is just the latest to show up at the party, and we've come at it with a completely different approach.

VentureBeat: This other thing about momentum: if you cause the other guys to change in some way, you're having an impact in the market. If Arm starts doing these custom instructions because you guys provide an alternative, that's a change in the market.

Redmond: Another interesting perspective is, where do you see different architectures all in the same chip? It's possible for Arm and RISC-V to coexist. How do you navigate that frontier? That was really interesting with the OmniXtend fabric from Western Digital. Do you want to share memory, share network, share storage? Here's how we can do this across multiple architectures.

What RISC-V has brought to the game is you're no longer locked into one architecture choice. Which also means you're not locked into one vendor. That vendor lock-in is something the industry has been concerned about for decades.

Above: SiFive is making licensable RISC-V CPUs.

Image Credit: SiFive

VentureBeat: They made that strong statement about how memory doesn't need to be tied to a processor.

Redmond: Right. Look at what happened in the software space. It was that lock-in that really gave a significant nudge to the open source movement in the first place.

VentureBeat: I remember the days when Microsoft was going around the world getting Windows declared the operating system of entire countries.

Redmond: Right, right. It's interesting to see how they as an organization have shifted as well. They've started to embrace that business models need to evolve. You look back at the Industrial Revolution. At some point we thought coal trains were the greatest, but eventually we got to airplanes. It's the same in our space.


This Week In Security: Unicode, Truecrypt, And NPM Vulnerabilities – Hackaday

Unicode, the wonderful extension to to ASCII that gives us gems like , , and , has had some unexpected security ramifications. The most common problems with Unicode are visual security issues, like character confusion between letters. For example, the English M (U+004D) is indistinguishable from the Cyrillic (U+041C). Can you tell the difference between IBM.com and IB.com?

This bug, discovered by [John Gracey], turns the common problem on its head. Properly referred to as a case mapping collision, it's the story of different Unicode characters getting mapped to the same upper or lowercase equivalent.

'ß'.toUpperCase() === 'SS'.toUpperCase() // true
// Note the Turkish dotless i
'John@Gıthub.com'.toUpperCase() === 'John@Github.com'.toUpperCase() // true

GitHub stores all email addresses in their lowercase form. When a user sends a password reset, GitHub's logic worked like this: take the email address that requested a password reset, convert it to lower case, and look up the account that uses the converted email address. That by itself wouldn't be a problem, but the reset is then sent to the email address that was requested, not the one on file. In retrospect, this is an obvious flaw, but without the presence of Unicode and the possibility of a case mapping collision, this would be a perfectly safe practice.

This flaw seems to have been fixed quite some time ago, but was only recently disclosed. It's also a novel problem affecting Unicode that we haven't covered. Interestingly, my research has turned up an almost identical problem at Spotify, back in 2013.
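To make the reset flaw concrete, here is an added example (not code from Hackaday, John Gracey or GitHub) that simulates the lookup described above against a constructed account store and contrasts it with the fix of mailing only the address on file. The account, outbox, and the KELVIN SIGN look-alike address are all constructed for the demonstration.

```javascript
// Added example; not code from Hackaday, John Gracey or GitHub. It simulates
// the reset flow the post describes against a constructed account store and
// shows the fix: deliver the token to the address on file, not the one typed.

// Constructed account store, keyed by the lowercased form saved at signup.
const accounts = new Map([
  ['mike@kite.example', { id: 7, email: 'mike@kite.example' }],
]);

// Constructed outbox standing in for the mailer.
const outbox = [];
function sendMail(to, body) {
  const msg = { to, body };
  outbox.push(msg);
  return msg;
}

// Case-mapping collision: two strings of different code points that become
// identical after a case conversion (the post's ß/SS and dotless-i pairs).
function collides(a, b) {
  return a.toUpperCase() === b.toUpperCase() ||
         a.toLowerCase() === b.toLowerCase();
}

// Vulnerable flow as the post describes it: find the account by lowercasing
// the requested address, then mail the token to the *requested* address.
function resetVulnerable(requested) {
  const account = accounts.get(requested.toLowerCase());
  if (!account) return null;
  return sendMail(requested, `reset token for account ${account.id}`).to;
}

// Hardened flow: identical lookup, but the token goes only to the stored
// address, so a collision in the request cannot redirect it.
function resetHardened(requested) {
  const account = accounts.get(requested.toLowerCase());
  if (!account) return null;
  return sendMail(account.email, `reset token for account ${account.id}`).to;
}

// Constructed lowercase collision: KELVIN SIGN (U+212A) lowercases to a plain
// 'k', so this address resolves to mike@kite.example even though its domain
// is a different (IDN) host than the one on file.
const LOOKALIKE = 'mike@\u212Aite.example';

console.log(collides('\u00DF', 'SS'));                            // true
console.log(collides('John@G\u0131thub.com', 'John@Github.com')); // true
console.log(resetVulnerable(LOOKALIKE));  // token mailed to the look-alike
console.log(resetHardened(LOOKALIKE));    // token mailed to mike@kite.example
```

The same lookup succeeds in both flows; only the delivery address differs, which is exactly the line the post identifies as the flaw.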

TrueCrypt is an amazing piece of software that literally changed the world, giving every computer user a free, source-available solution for hard drive encryption. While the source of the program was made freely available, the license was odd and restrictive enough that it's technically neither Free Software, nor Open Source Software. This kept it from being included in many of the major OS distributions. Even at that, TrueCrypt has been used by many, and for many reasons, from the innocent to reprehensible. TrueCrypt was so popular, a crowdfunding campaign raised enough money to fund a professional audit of the TrueCrypt code in 2013.

The story takes an odd turn halfway through the source code audit. Just after the initial audit finished, and just before the in-depth phase II audit began, the TrueCrypt developers suddenly announced that they were ending development. The TrueCrypt website still shows the announcement: WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues. Many users thought the timing was odd, and speculated that there was a backdoor of some sort that would be uncovered by the audit. The in-depth audit was finished, and while a few minor issues were discovered, nothing particularly serious was uncovered.

One of the more surprising users of TrueCrypt is the German government. It was recently discovered that the BSI, the information security branch of the German government, did an audit on TrueCrypt back in 2010.

Many governments now have laws establishing the freedom of information, granting a right-to-know to their citizens. Under these laws, a citizen may make an official request for documentation, and if such documentation exists, the government is compelled to provide it, barring a few exceptions. A German citizen made an official request for information regarding TrueCrypt, particularly in regards to known backdoors in the software. Surprisingly, such documentation did exist!

Had the German government secretly backdoored TrueCrypt? Were they part of a conspiracy? Probably not. After some red tape and legal wrangling, the text of the audit was finally released and cleared for publication. There were some issues found back in 2010 that were still present in the TrueCrypt/Veracrypt source, and got fixed as a result of this report coming to light.

The Node Package Manager, that beloved repository of all things JavaScript, recently pushed out an update and announced a pair of vulnerabilities. The vulnerabilities, simply stated, were both due to the lack of any sanity checking when installing packages.

First, the binary install path wasn't sanitized during installation, meaning that a package could attempt to interact with any file on the target filesystem. Particularly when running the NPM CLI as root, the potential for abuse is huge. While this first issue was taken care of with the release of version 6.13.3, a second, similar problem was still present in that release.

Install paths get sanitized in 6.13.3, but the second problem is that a package can install a binary over any other file in its install location. A package can essentially inject code into other installed packages. The fix for this was to only allow a package to overwrite binary files owned by that package.

The upside here is that a user must install a compromised package in order to be affected. The effect is also greatly mitigated by running NPM as a non-root user, which seems to be good practice.

Google provides a bunch of services around their cloud offering, and provides the very useful web-based Cloud Shell interface for managing those services. A researcher at Offensi spent some time looking for vulnerabilities, and came up with 9 of them. The first step was to identify the running environment, which was a docker image in this case. A socket pointing back to the host system was left exposed, allowing the researcher to easily escape the Docker container. From there, he was able to bootstrap some debugging tools, and get to work finding vulnerabilities.

The vulnerabilities that are detailed are interesting in their own right, but the process of looking for and finding them is the most interesting to me. Google even sponsored a YouTube video detailing the research.

Using an iPhone to break the security of a Windows machine? The iPhone driver sets the permissions for a certain file when an iPhone is plugged into the machine. That file could actually be a hardlink to an important system file, and the iPhone driver can unintentionally make that arbitrary file writable.

The Nginx web server is currently being held hostage. Apparently the programmers who originally wrote Nginx were working for a technology company at the time, and now that the Nginx project has been acquired, that company has claimed ownership over the code. It's likely just a fraudulent claim, but the repercussions could be far-reaching if that claim is upheld.

OpenBSD has fixed a simple privilege escalation, where a setuid binary is called with a very odd LD_LIBRARY_PATH: a single dot, and lots of colons. This tricks the loader into loading a user-owned library, but with root privileges.

Read the original here:
This Week In Security: Unicode, Truecrypt, And NPM Vulnerabilities - Hackaday

One of Amazons first employees says the company should be broken up – Vox.com

Paul Davis literally helped build Amazon.com from scratch. Now he says it's time to tear it apart.

Davis, a computer programmer who was Jeff Bezos's second hire in 1994 before the shopping site even launched, told Recode on Friday that the company should be forced to separate the Amazon Marketplace, which allows outside merchants to sell goods to Amazon customers, from the company's core retail business that stocks and sells products itself.

His reasoning? He's troubled by reports of Amazon squeezing and exploiting the merchants who stock its digital shelves in ways that benefit Amazon, the company, above all else. Davis's concerns come as Bezos's company has come under increased scrutiny from politicians, regulators, and its own sellers, in part over the power it wields over small merchants who depend on the tech giant for their livelihoods.

"There's clearly a public good to have something that functions like the Amazon Marketplace. If this didn't exist, you'd want it to be built," Davis said. "What's not valuable, and what's not good, is that the company that operates the marketplace is also a retailer. They have complete access to every single piece of data and can use that to shape their own retail marketplace."

Davis is referring to how Amazon uses data from its third-party sellers to benefit its core retail business, whether it be by scouring these merchants' best-sellers and then choosing to sell those brands itself, or to create its own branded products through similar means.

"They're not breaking any agreements," he added. "They're just violating what most people would assume was how this is going to work: I sell stuff through your system [and] you're not going to steal our sales."

Davis's comments appear to be one of the first times that an early Amazon employee has called for the company to be broken up. Earlier this year, US presidential candidate Elizabeth Warren argued for the same. And both the US House of Representatives and the Federal Trade Commission are scrutinizing Amazon's business practices to determine if they are anticompetitive, including its dealings with the hundreds of thousands of merchants who are the backbone of Amazon's unmatched product catalogue.

An Amazon spokesperson sent Recode a statement, which read in part: "Sellers are responsible for nearly 60% of sales in our stores. They are incredibly important to us and our customers, and we've invested over $15 billion dollars this year alone, from infrastructure to tools, services, and features, to help them succeed. Amazon only succeeds when sellers succeed and claims to the contrary are wrong. Sellers have full control of their business and make the decisions that are best for them, including the products they choose to sell, pricing, and how they choose to fulfill orders."

Amazon has also previously said that it only uses aggregate seller data versus data from individual sellers to inform its decisions on which products to create under its own brand names.

Davis's comments to Recode came after he posted an online comment alongside a New York Times article earlier this week about the challenges sellers face while doing business on Amazon.

"For nearly 2 decades Amazon has used its control of its marketplace to strengthen its own hand as a retailer," Davis wrote. "This should not be allowed to continue."

The Times article highlighted various ways that Amazon allegedly puts pressure on the merchants who are responsible for nearly 60 percent of all Amazon physical product sales, including burying their listings if they are selling the same product for less elsewhere and making it hard for brands that don't advertise on the site to show up at the top of search results. (Recode spotlighted similar complaints from sellers in an episode of the Land of the Giants podcast series this summer.)

Davis wrote the backend software for the first iterations of the Amazon.com website from 1994 into 1996. He left the company after a year and a half and following the birth of his first child, in part, he said, because of the culture Bezos was creating that churned through good employees, whom Davis says were worked into the ground.

Still today, Davis marvels at what Bezos and his leadership team have built over the past two decades, and he says he shops on Amazon regularly.

"We exist with multiple hats: We're citizens, [we're] employees, we're parents, we're consumers and, from my perspective, if you put the consumer hat on, it's easy to feel incredibly proud of what Amazon is and has become," Davis said. "But the problem is that that's not the only hat that we wear and it's fine to celebrate and be optimistic and positive about what the company represents for consumers but you also have to ask seriously, what does the company represent [to us] as citizens, as employees. And unfortunately, you have to be incredibly naive not to see that the answers to those questions are nowhere near as positive."

"It is an amazing story," he added, referring to the company's innovation and success, "but as time goes forward my gut feeling is that it will not only not be the whole story, but really the smallest part of the story." In addition to finding issue with Amazon operating simultaneously as retailer and marketplace, Davis also wonders why such a powerful and, now, profitable company can't pay the frontline workers in its warehouses and delivery network better.

Today, Davis lives in a small New Mexico town and writes open source software for recording and editing audio. He said he knows it's absurd to feel any sort of responsibility for the power that Amazon holds today.

"I doubt there's a single line of code or concept that dates back to when I was there."

He also stressed that most of the company's early success should be attributed to Bezos's intellect, ambition, and drive.

But at times, doubts do creep in for Davis. They emerge when he allows himself to consider what might have been if he, and Amazon's first employee, fellow programmer and Amazon's first Chief Technology Officer Shel Kaphan, hadn't been the type of technical talents that understood the internet in its earliest days.

"Emotionally," Davis said, "I do feel some kind of culpability."

Here is the original post:
One of Amazons first employees says the company should be broken up - Vox.com

IBM and the University of Tokyo partner to advance quantum computing – Help Net Security

IBM and the University of Tokyo announced an agreement to partner to advance quantum computing and make it practical for the benefit of industry, science and society.

IBM and the University of Tokyo will form the Japan IBM Quantum Partnership, a broad national partnership framework in which other universities, industry, and government can engage.

The partnership will have three tracks of engagement: one focused on the development of quantum applications with industry; another on quantum computing system technology development; and the third focused on advancing the state of quantum science and education.

Under the agreement, an IBM Q System One, owned and operated by IBM, will be installed in an IBM facility in Japan. It will be the first installation of its kind in the region and only the third in the world following the United States and Germany.

The Q System One will be used to advance research in quantum algorithms, applications and software, with the goal of developing the first practical applications of quantum computing.

IBM and the University of Tokyo will also create a first-of-a-kind quantum system technology center for the development of hardware components and technologies that will be used in next generation quantum computers.

The center will include a laboratory facility to develop and test novel hardware components for quantum computing, including advanced cryogenic and microwave test capabilities.

IBM and the University of Tokyo will also directly collaborate on foundational research topics important to the advancement of quantum computing, and establish a collaboration space on the University campus to engage students, faculty, and industry researchers with seminars, workshops, and events.

"Quantum computing is one of the most crucial technologies in the coming decades, which is why we are setting up this broad partnership framework with IBM, who is spearheading its commercial application," said Makoto Gonokami, the President of the University of Tokyo.

"We expect this effort to further strengthen Japan's quantum research and development activities and build world-class talent."

Developed by researchers and engineers from IBM Research and Systems, the IBM Q System One is optimized for the quality, stability, reliability, and reproducibility of multi-qubit operations.

IBM established the IBM Q Network™, a community of Fortune 500 companies, startups, academic institutions and research labs working with IBM to advance quantum computing and explore practical applications for business and science.

"This partnership will spark Japan's quantum research capabilities by bringing together experts from industry, government and academia to build and grow a community that underpins strategically significant research and development activities to foster economic opportunities across Japan," said Dario Gil, Director of IBM Research.

Advances in quantum computing could open the door to future scientific discoveries such as new medicines and materials, improvements in the optimization of supply chains, and new ways to model financial data to better manage and reduce risk.

The University of Tokyo will lead the Japan IBM Quantum Partnership and bring academic excellence from universities and prominent research associations together with large-scale industry, small and medium enterprises, startups as well as industrial associations from diverse market sectors.

A high priority will be placed on building quantum programming as well as application and technology development skills and expertise.

Link:

IBM and the University of Tokyo partner to advance quantum computing - Help Net Security

IBM and the University of Tokyo Launch Quantum Computing Initiative for Japan – Martechcube

IBM (NYSE:IBM) and the University of Tokyo announced today an agreement to partner to advance quantum computing and make it practical for the benefit of industry, science and society.


For more about IBM Q:https://www.ibm.com/quantum-computing/

See the original post here:

IBM and the University of Tokyo Launch Quantum Computing Initiative for Japan - Martechcube