4

I Am The Very Modelfile Of A Modern Workflow General; The Impending ‘Reimagine’ Nightmare;

We return to the semi-regular AI-foucused Drop with a quick look at how to (quickly and easily!) make a custom Ollama model to make a small, useful tool.

Programming note: due to driving #4 to college Friday, there may not be a Drop. But, if the round trip is not too taxing, I’ll likley get one out int he late afternoon.

Subscribe

TL;DR

(This is an AI-generated summary of today’s Drop using Sonnet via Perplexity.)

A guide on creating a custom Ollama model using a Modelfile to generate concise names for CVE vulnerabilities, similar to CISA’s KEV catalog entries (https://github.com/ollama/ollama/blob/main/docs/modelfile.md)
Discussion of Google’s new Pixel 9 “Reimagine” feature, which allows users to manipulate photos using AI, raising concerns about the potential misuse of such technology (https://www.theverge.com/2024/8/21/24224084/google-pixel-9-reimagine-ai-photos)
Introduction to “The Inference,” a new editorial project by Danny Palmer published by Darktrace, exploring the impact of AI on cybersecurity and society (https://darktrace.com/the-inference)

I Am The Very Modelfile Of A Modern Workflow General

Longtime readers know I’m #notAFan of the “Open AI tax”. TL;DR for new readers is that I believe it is yugely important to ensure everyone had access to LLM/GPT tooling. These tools/services are not going away anytime soon; and, not knowing how to work with them puts other folks at an needless advantage. Ollama does a great job helping to level the playing field.

Ollama supports adding layers on top of existing models via something called a Modelfile. It’s a plain text file that lets you add in some parameters, prompts, examples, etc. so you don’t have to shunt them along with each new incantation. The format for these is, essentially:

# commentINSTRUCTION arguments

Some key instructions include:

FROM: Identifies the base model (mandatory)
PARAMETER: Customizes model behavior through various settings
TEMPLATE: Defines the prompt template sent to the model
SYSTEM: Sets up system messages
ADAPTER: Integrates adapters for QLoRA
LICENSE: Specifies legal licenses
MESSAGE: Adds preset message histories

You can inspect the configuration of models you download and use pretty simply:

$ ollama show phi:latest --modelfile# Modelfile generated by "ollama show"# To build a new Modelfile based on this, replace FROM with:# FROM phi:latestFROM /path/to/.ollama/models/blobs/sha256-04778965089b91318ad61d0995b7e44fad4b9a9f4e049d7be90932bf8812e828TEMPLATE "{{ if .System }}System: {{ .System }}{{ end }}User: {{ .Prompt }}Assistant:"SYSTEM A chat between a curious user and an artificial intelligence assistant. The assistant gives helpful answers to the user's questions.PARAMETER stop User:PARAMETER stop Assistant:PARAMETER stop System:LICENSE """MIT License … """

(They work in a similar fashion to Dockerfiles.)

You can go here for a more in-depth explanation of the instructions and values. I’m just going to briefly show how to make one to solve a fun “problem”.

I talk quite a bit about CISA’s Known Exploited Vulnerabilities Catalog (KEV), and one nice thing the Keepers of KEV do for us is create a short name for any vulnerability they add to the catalog. CVE entries only have a longer-length description associated with their identifier, like CVE-2024-38856’s Apache OFBiz contains an incorrect authorization vulnerability that could allow remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker.. The KEV entry for that uses the concise name of Apache OFBiz Incorrect Authorization Vulnerability, making it much easier to reference (and has way more info than just a bare CVE identifier).

At $WORK, we got it into our noggins to be as kind as the KEV Keepers and associate a concise name with any CVEs we display (and for an upcoming product/API feature). There is no way we were going to lovingly hand-craft those for a few hundred thousand entries. And, I’m loathe to give any AI vendor money. So, we built a custom PHI model to do this for us! And, are sharing it with y’all right here (we’ll working on posting the CVE ids with concise to GitHub when we’re done cleaning them up).

After a few iterations, here’s the Modelfile we ended up with:

FROM phi:latestPARAMETER temperature 0.0PARAMETER stop "\n"PARAMETER num_predict 30PARAMETER top_p 0.95SYSTEM """You are an AI system specializing in generating concise short names for vulnerabilities described by CVEs. Your task is to convert verbose CVE descriptions into clear, descriptive titles that resemble entries in CISA's Known Exploited Vulnerabilities (KEV) catalog. Stop generating output immediately after providing the short name.PROMPT Given a CVE description, create a short name similar to those used in CISA's KEV catalog. The short name should be concise, descriptive, and highlight the affected product or vulnerability type. Do not provide additional information or explanations. The response should be under 10 words and should end immediately after the short name.Examples:CVE description: A vulnerability in the TCP/IP stack of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.Short name: Cisco IOS XR TCP/IP Stack DoS VulnerabilityCVE description: Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065.Short name: Microsoft Exchange Server RCE VulnerabilityNow, create a short name for this CVE:"""

The temperature controls the “creativity” of the output, with 0.0 being fully deterministic. Even with that, we were getting some odd output behavior, so we added a “please stop generating” hint at when it outputs a newline, set the max number of output tokens to 30 (I may change that to 20), and asked it to only make high “next token” probability choices.

Rather than muck with special tokens, I went with a basic prompt-with-few-shot-examples approach.

To make our new model, we just:

$ ollama create cve-shortener -f ./Modelfile

Then just try it out:

$ ollama run cve-shortener 'Topline Opportunity Form (aka XLS Opp form) before 2015-02-15 does not properly restrict access to database-connection strings, which allows attackers to read the cleartext version of sensitive credential and e-mail address information via unspecified vectors.'Topline Opportunity Form (XLS Opp) Database Vulnerability

Like most LLM/GPT output in API contexts, you’ll need to add some guardrails for cleaning up results or retrying the prompt. (Yes, even with all the constraints in the Modelfile, this one still borks output every so often.)

On my aging Apple Silicon box, each call takes ~200-600ms, depending on the inputs and other system GPU load.

If you find yourself repeating prompts, this is a lightweight way to avoid doing so. And, if you have some similar, focused tasks that need doing, getting a hand from our AI overlords can help save quite a bit of time.

The Impending ‘Reimagine’ Nightmare

Super quick section, since I believe Welch’s examples say everything vs. have me blather much.

Chris Welch, an editor over at The Verge, acquired one of Google’s new Pixel 9 devices and gave the new Reimagine feature a go and posted some results on Threads and The Verge. This, to me, is a pretty terrifying new capability.

We’re already awash in deepfakes, photorealistic child image exploitation, advanced phishing, and shady political campaigns making it almost impossible to tell truth from fiction. The last thing we needed was to commodify this tech so anyone who can afford a certain class of portable glowing rectangles can get in on the gambit.

Let’s hope the majority of uses are benign/silly.

The Inference

Another quick section, as this content also speaks for itself pretty well.

Danny Palmer is an excellent writer on cybersecurity topics. He has a new editorial project that’s being published by cybersecurity vendor Darktrace (yeah, that’s “a thing” in my line of work).

The Inference explores the impact of AI on the world around us, starting within the security operations center and expanding to business and society writ large. Features on it analyze data, trends, and perspectives from experts inside and outside of Darktrace to educate and inspire readers about the role that AI plays in enabling innovation and how it can be applied safely and securely.

I link to it since the first few pieces:

AI and the biggest election year ever – are we ready?
The role of IT support engineering in the age of AI
In conversation with Professor Mike Woolridge
Malware-as-a-Service: what you need to know about this persistent cyber threat

were very well crafted, and I thought more than a few readers would want to get this into their RSS feeds.

(As usual, I get nothing for Dropping a link to this post, save for providing y’all with something I found interesting.)

FIN

Remember, you can follow and interact with the full text of The Daily Drop’s free posts on Mastodon via @dailydrop.hrbrmstr.dev@dailydrop.hrbrmstr.dev ☮️

https://dailydrop.hrbrmstr.dev/2024/08/29/drop-523-2024-08-29-happy-thursdai/

#4

Pipet; Need For Speed; Poisoning AI Scrapers

A midweek visit to see #4 means I’m still “recovering” from a total of seven hours of intraday driving. So, y’all get a potpouri of resources, today, since I’m way too tired to knit together a themed Drop.

Subscribe

TL;DR

(This is an AI-generated summary of today’s Drop using Ollama + llama 3.2 and a custom prompt.)

I can report that the VS Codium plugin I made worked super well today!

Pipet is a Golang-based command-line tool for web scraping and data extraction, operating in three primary modes: HTML parsing, JSON parsing, and client-side JavaScript evaluation. Pipet
Need For Speed includes two resources: speedtest-rs (a Rust implementation of a speed test tool) and LibreSpeed (a web-based tool for measuring internet connection speeds). speedtest-rs, LibreSpeed
Poisoning AI scrapers involves using techniques like generating garbled content deterministically and serving alternative versions to detected AI scrapers, as demonstrated by Tim McCormack’s project. Poisoning AI scrapers

Pipet

Pipet is a net and well-thought-out Golang-based command-line tool designed for web scraping and data extraction. It operates in three primary modes: HTML parsing, JSON parsing, and client-side JavaScript evaluation. Rather than do the webops on its own, Pipet leverages existing utilities like curl and integrates seamlessly with Unix pipes, letting us extend its built-in capabilities in ways we’re all pretty much used to.

Pipet can be used for various data extraction tasks, including (their words) “tracking shipments, monitoring concert ticket availability, observing stock price changes, and extracting any online information”.

They have examples, but let’s make another one. This Bash script wraps around pipet to get the news headlines from BBC’s nigh plaintext “On This Day” page for the current day:

#!/usr/bin/env bashtemp_file=$(mktemp)month_name=$(date +%B)cat <<EOF >"${temp_file}"curl http://news.bbc.co.uk/onthisday/low/dates/stories/${month_name,,}/$(date +%-d)/default.stma[href^="/onthisday/low/dates/stories"] spanEOFcommand pipet --json "${temp_file}" | command jq -r '.[0][0] | map(select(length > 0)) | .[]'

That Pipet file will:

grab the HTML
target all the /onthisday links
extract the text from the span elements

I feed the JSON output to jq for cleaning. Here’s a demo:

$ ./on-this-day.sh1995: OJ Simpson verdict: 'Not guilty'1975: London's Spaghetti House siege ends1944: Poles surrender after Warsaw uprising1981: IRA Maze hunger strikes at an end1952: Tea rationing to end1979: Anti-racists tackle South African rugby tourists

NOTE: A far more robust version of that script can be had at https://rud.is/dl/on-this-day-robust.sh.

The README is fairly extensive with details on how to use Pipet’s headless mode, and advanced JSON filtering mode (when the curl responses are JSON).

Since I have some boilerplate Go template projects for quickly creating custom scrapers, I’m not sure I’ll be using Pipet much, but it’s definitely a neat tool that others may find useful.

Need For Speed

I came across the two resources in this section:

speedtest-rs
LibreSpeed (GH)

after reading this post on “Homelab uplink monitoring“.

speedtest-rs is a Rust implementation of a tool similar to the popular Python speedtest-cli, designed to measure internet connection speeds. The project was originally a learning exercise for the author to explore Rust and its ecosystem. It’s evolved a bit and is designed primarily for lower-end residential connections using “HTTP Legacy Fallback“.

Here’s a run from my pseudo-high bandwidth abode:

$ ./speedtest-rsRetrieving speedtest.net configuration...Retrieving speedtest.net server list...Testing from Comcast Cable (37.141.13.125)...Selecting best server based on latency...Hosted by Optimum Online (White Plains, NY) [272.08 km]: 31.164 msTesting download speed..............Download: 503.23 Mbit/sTesting upload speed..............Upload: 39.62 Mbit/sWARNING: This tool may not be accurate for high bandwidth connections! Consider using a socket-based client alternative.

(Ookla, the company behind speedtest.net, has their own non-FOSS CLI tool that’s native and available for many platforms. It’s TCP-based and capable of handling higher bandwidths. While not open-source, it’s supported by Ookla and can be used for non-commercial purposes.)

LibreSpeed is a web-based tool that provides a simple and straightforward way to measure internet connection speeds. It’s designed to be easy to use and provides a clear and concise interface for folks to view their internet connection speeds. It’s self-hostable (with very minimal requirements) and has its own CLI tool as well.

Poisoning AI Scrapers

(I had to sneak one ThursdAI post in here.)

Our AI overlords are raking in billions (but are all still losing money whilst also killing the planet because that’s how late stage capitalism “works”). While I have yet to finish deploying a network of “tarpits” designed to slow down and poison AI scrapers, Tim McCormack has gone and done it!

In “Poisoning AI scrapers“, Tim covers his path towards a project to deter AI companies from using his blog content for training large language models without permission. To achieve this, he implements a system that serves garbled versions of his blog posts to detected AI scrapers.

His approach involves several components. First, for content generation, he uses a Dissociated Press algorithm implemented in Rust to generate nonsensical content that looks superficially normal. The algorithm takes the original blog post as input and produces garbled text while maintaining some structural elements.

For content storage, the system generates an alternative version of each blog post (named “swill.alt.html“) and stores this alongside the regular post content. Scraper detection and content serving is handled using Apache httpd .htaccess rules with mod_rewrite to detect AI scrapers based on User-Agent strings. When a scraper is detected, the server serves the garbled “swill” version instead of the real content.

Key aspects of the system includes generating garbled content deterministically using the post’s SHA256 hash as a seed, regenerating alternative content only for draft posts to maintain stable “swill” versions for published posts, and excluding comments from the garbled versions to avoid associating others’ names with nonsensical content.

Tim ACKs that this approach alone won’t significantly impact LLM training. However, he sees it as a fun exercise, a way to practice programming skills, and potentially an inspiration for others to implement similar measures. The post concludes by inviting discussion on alternative technical approaches and other poisoning techniques, while discouraging broader debates about AI ethics or the merits of LLMs.

FIN

Remember, you can follow and interact with the full text of The Daily Drop’s free posts on Mastodon via @dailydrop.hrbrmstr.dev@dailydrop.hrbrmstr.dev ☮️

https://dailydrop.hrbrmstr.dev/2024/10/03/drop-539-2024-10-01-toss-up-thursday/

#4

fedica; Solar Eclipse Computer; Vanilla Breeze

Massive sleep disruption thanks to having to pick up #4 at 0-dark-30 from a French Honors multi-day travel excursion plus being distracted with adding more chapters to the “Cooking With DuckDB” book means today’s assortment of resources will have varying degrees of expository and zero cohesion. (This is somewhat made up for by said extra DuckDB book chapters.)

fedica

Apart from some hacked-together scripts and fledgling, bespoke personal web apps, nothing I use can post to both Mastodon and Bluesky. There are folks I nigh cannot live without on both platforms, so I need to stay in both worlds. I’ve been waiting for Buffer to buy a clue about Bluesky, but I just discovered Fedica, and one quick test shows it works, so here’s a quick intro to it.

This service offers a suite of tools that cater to the needs of what the “biz” calls “content creators”, marketers, and “social media professionals”. I work with a couple of these folks in my role at work and they are all having a truly horrible time navigating the complexities of online community building across multiple, diverse platforms. Fedica offers comprehensive analytics, but that’s not what y’all care about (at least I do not think so).

For me (and, likely, you) it offers a way to post to pretty much everything — including Mastodon & Bluesky — at once. It’s like the aforementioned Buffer service, but it has some fancier scheduling capabilities and some “AI” enhancements.

Thanks to the folks who confirmed my cross-post test before I even had a chance to check myself!

I now need to do a few days’ poke at how skeezy these folks may be (they are a marketing firm, after all). I shall report back once that happens.

Solar Eclipse Computer

(SUPER quick section; and, I’m somewhat late to the party on this, as I know there are some l33t tools for performing this analysis; but, simple is fine for me for this use-case.)

We’re not going to make it to another destination for the April 8th total eclipse, so I wanted to see how much cover we’d have and was impressed at the simplicity of the Navy’s Solar Eclipse Computer. The section header gives you the sad results (95% is cool and all, but it won’t be super impressive).

I do like the fact that they have a “how did we make this” section, which may be interesting to others as well.

Vanilla Breeze

Longtime Drop readers know I dislike/detest Tailwind for CSS. I won’t re-hash why, here, but I was glad to discover Vanilla Breeze. It’s an online tool that lets you turn Tailwind-classed HTML tags to semantic CSS.

I’m prototyping something at work and the UX design+implementation team uses Tailwind, so this has been a $DEITY-send for me. Just paste in a spec and get back some real, proper CSS.

Given this “pill” code:

<span class="inline-flex items-center font-medium rounded-md text-xs px-1.5 py-0.5 bg-emerald-50 dark:bg-emerald-400 dark:bg-opacity-10 text-emerald-500 dark:text-emerald-400">NEW THING</span>

it converts it to this HTML:

<span class="my-pill">NEW THING</span>

and CSS:

span.my-pill { display: inline-flex; align-items: center; font-weight: var(--tw-font-weight-medium); border-radius: var(--tw-border-radius-md); font-size: var(--tw-font-size-xs); line-height: var(--tw-line-height-4); padding-left: var(--tw-size-1_5); padding-right: var(--tw-size-1_5); padding-top: var(--tw-size-0_5); padding-bottom: var(--tw-size-0_5); --tw-bg-opacity: 1; background-color: rgb(var(--tw-color-emerald-50) / var(--tw-bg-opacity));}:is(.dark span.my-pill) { background-color: rgb(var(--tw-color-emerald-400) / var(--tw-bg-opacity)); --tw-bg-opacity: 0.1;}span.my-pill { --tw-text-opacity: 1; color: rgb(var(--tw-color-emerald-500) / var(--tw-text-opacity));}:is(.dark span.my-pill) { --tw-text-opacity: 1; color: rgb(var(--tw-color-emerald-400) / var(--tw-text-opacity));}

combo with zero pain.

FIN

Remember, you can follow and interact with the full text of The Daily Drop’s free posts on Mastodon via @dailydrop.hrbrmstr.dev@dailydrop.hrbrmstr.dev ☮️

https://dailydrop.hrbrmstr.dev/2024/03/25/139502858/

#4 #432