Mihai Maruseac
@mihai.page
Supply chain security @ Google OSS Security Team. Previously TensorFlow Security & OSS (@ Google); Haskell+differential privacy+ML @ LeapYear.
They don't shut down the government in Romania because then the population might realize that they don't need (that many) people in charge.
What about the US?
What about the US?
October 4, 2025 at 3:01 AM
They don't shut down the government in Romania because then the population might realize that they don't need (that many) people in charge.
What about the US?
What about the US?
> Vibe coding with AI is cool until you get hacked :)
I'm going to talk aboue 3 different resources that can help with that, all developed by amazing people at the @openssf.org AI/ML working group and other OpenSSF WGs.
I'm going to talk aboue 3 different resources that can help with that, all developed by amazing people at the @openssf.org AI/ML working group and other OpenSSF WGs.
New OpenSSF Guidance on AI Code Assistant Instructions – Open Source Security Foundation
openssf.org
September 18, 2025 at 1:50 PM
> Vibe coding with AI is cool until you get hacked :)
I'm going to talk aboue 3 different resources that can help with that, all developed by amazing people at the @openssf.org AI/ML working group and other OpenSSF WGs.
I'm going to talk aboue 3 different resources that can help with that, all developed by amazing people at the @openssf.org AI/ML working group and other OpenSSF WGs.
A Pythagoreic date like today's only occurs once a century
>>> for m in [1,2,3]:
... for d in [1,2,3,4,5]:
... y=m**2 + d**2
... y_sq=int(math.sqrt(y))
... if y_sq * y_sq==y:
... print(f"{m**2}/{d**2}/20{y}")
...
9/16/2025
>>> for m in [1,2,3]:
... for d in [1,2,3,4,5]:
... y=m**2 + d**2
... y_sq=int(math.sqrt(y))
... if y_sq * y_sq==y:
... print(f"{m**2}/{d**2}/20{y}")
...
9/16/2025
September 17, 2025 at 3:51 AM
A Pythagoreic date like today's only occurs once a century
>>> for m in [1,2,3]:
... for d in [1,2,3,4,5]:
... y=m**2 + d**2
... y_sq=int(math.sqrt(y))
... if y_sq * y_sq==y:
... print(f"{m**2}/{d**2}/20{y}")
...
9/16/2025
>>> for m in [1,2,3]:
... for d in [1,2,3,4,5]:
... y=m**2 + d**2
... y_sq=int(math.sqrt(y))
... if y_sq * y_sq==y:
... print(f"{m**2}/{d**2}/20{y}")
...
9/16/2025
Reposted by Mihai Maruseac
Thrilled to share I’m speaking at the AI By the Bay Conference 🙌
Talk: Taming the Wild West of ML: Practical Model Signing with Sigstore on Kaggle
Bonus: 20% off for the first 20 tickets → ai.bythebay.io/register
Use code MihaiBTB (General Admission).
Talk: Taming the Wild West of ML: Practical Model Signing with Sigstore on Kaggle
Bonus: 20% off for the first 20 tickets → ai.bythebay.io/register
Use code MihaiBTB (General Admission).
Register | AI By the Bay
The conference always sells out. Do not hesitate and book your ticket now.
ai.bythebay.io
September 9, 2025 at 9:39 PM
Thrilled to share I’m speaking at the AI By the Bay Conference 🙌
Talk: Taming the Wild West of ML: Practical Model Signing with Sigstore on Kaggle
Bonus: 20% off for the first 20 tickets → ai.bythebay.io/register
Use code MihaiBTB (General Admission).
Talk: Taming the Wild West of ML: Practical Model Signing with Sigstore on Kaggle
Bonus: 20% off for the first 20 tickets → ai.bythebay.io/register
Use code MihaiBTB (General Admission).
Reposted by Mihai Maruseac
We're thrilled to have Mihai Maruseac (@mihai.page), Staff SWE for Google, presenting "Taming the Wild West of ML: Practical Model Signing with Sigstore on Kaggle" at #AllThingsOpen! 2025.allthingsopen.org/sessions/tam...
September 9, 2025 at 3:30 PM
We're thrilled to have Mihai Maruseac (@mihai.page), Staff SWE for Google, presenting "Taming the Wild West of ML: Practical Model Signing with Sigstore on Kaggle" at #AllThingsOpen! 2025.allthingsopen.org/sessions/tam...
Thrilled to share I’m speaking at the AI By the Bay Conference 🙌
Talk: Taming the Wild West of ML: Practical Model Signing with Sigstore on Kaggle
Bonus: 20% off for the first 20 tickets → ai.bythebay.io/register
Use code MihaiBTB (General Admission).
Talk: Taming the Wild West of ML: Practical Model Signing with Sigstore on Kaggle
Bonus: 20% off for the first 20 tickets → ai.bythebay.io/register
Use code MihaiBTB (General Admission).
Register | AI By the Bay
The conference always sells out. Do not hesitate and book your ticket now.
ai.bythebay.io
September 9, 2025 at 9:39 PM
Thrilled to share I’m speaking at the AI By the Bay Conference 🙌
Talk: Taming the Wild West of ML: Practical Model Signing with Sigstore on Kaggle
Bonus: 20% off for the first 20 tickets → ai.bythebay.io/register
Use code MihaiBTB (General Admission).
Talk: Taming the Wild West of ML: Practical Model Signing with Sigstore on Kaggle
Bonus: 20% off for the first 20 tickets → ai.bythebay.io/register
Use code MihaiBTB (General Admission).
Chipocalypse sounds like an apocalypse sponsored by @chipotletweets.bsky.social .
Just Trump declaring war on a US city, a normal Saturday
September 6, 2025 at 4:57 PM
Chipocalypse sounds like an apocalypse sponsored by @chipotletweets.bsky.social .
Reposted by Mihai Maruseac
We're thrilled to have Eve Martin-Jones, Senior Software Engineer for Google, presenting "Whoops! I Accidentally Open-Sourced My Cloud Keys" at #AllThingsOpen! 2025.allthingsopen.org/sessions/who...
August 21, 2025 at 11:00 AM
We're thrilled to have Eve Martin-Jones, Senior Software Engineer for Google, presenting "Whoops! I Accidentally Open-Sourced My Cloud Keys" at #AllThingsOpen! 2025.allthingsopen.org/sessions/who...
Reposted by Mihai Maruseac
We're thrilled to have Amir Montazery, Managing Director for @ostifofficial.bsky.social, presenting "Success Stories in Open Source: Third Party Security Audits" at #AllThingsOpen! 2025.allthingsopen.org/sessions/2-f...
August 7, 2025 at 2:57 PM
We're thrilled to have Amir Montazery, Managing Director for @ostifofficial.bsky.social, presenting "Success Stories in Open Source: Third Party Security Audits" at #AllThingsOpen! 2025.allthingsopen.org/sessions/2-f...
Reposted by Mihai Maruseac
We're excited to have Andre Elizondo, Principal AI Solutions Engineer for Wiz, presenting "Hack-Proof AI: Building Security Through Collaboration" at #AllThingsOpen! 2025.allthingsopen.org/sessions/hac...
August 7, 2025 at 10:45 PM
We're excited to have Andre Elizondo, Principal AI Solutions Engineer for Wiz, presenting "Hack-Proof AI: Building Security Through Collaboration" at #AllThingsOpen! 2025.allthingsopen.org/sessions/hac...
After what substack pushed on people recently, I think we should just blackhole any blog still hosted on that platform. Move to wordpress, self-host, GitHub Pages, anything but substack: www.usermag.co/p/substack-s...
Substack sent a push alert promoting a Nazi blog
The newsletter's logo is a swastika and it has pushed Holocaust denialism along with news and opinion content for the 'White Nationalist Community.'
www.usermag.co
August 8, 2025 at 12:32 PM
After what substack pushed on people recently, I think we should just blackhole any blog still hosted on that platform. Move to wordpress, self-host, GitHub Pages, anything but substack: www.usermag.co/p/substack-s...
I am really excited to see that the MLSecOps paper has been officially published. It's a big effort from several people involved in the OpenSSF AI/ML working group. openssf.org/resources/vi...
August 5, 2025 at 3:16 AM
I am really excited to see that the MLSecOps paper has been officially published. It's a big effort from several people involved in the OpenSSF AI/ML working group. openssf.org/resources/vi...
I'm excited to see the case study proving that model signatures can be integrated into model hubs. Next step for me: integrating model signing into HuggingFace, and ollama. I hope to get both by the end of the year, with the help of the respective communities.
🔐 New Case Study: How is Google securing the future of machine learning?
By partnering with #sigstore and the Open Source Security Foundation (OpenSSF), they’ve implemented model signing that makes AI systems more trustworthy by default.
openssf.org/blog/2025/07...
By partnering with #sigstore and the Open Source Security Foundation (OpenSSF), they’ve implemented model signing that makes AI systems more trustworthy by default.
openssf.org/blog/2025/07...
July 28, 2025 at 7:30 PM
I'm excited to see the case study proving that model signatures can be integrated into model hubs. Next step for me: integrating model signing into HuggingFace, and ollama. I hope to get both by the end of the year, with the help of the respective communities.
Reposted by Mihai Maruseac
🔐 New Case Study: How is Google securing the future of machine learning?
By partnering with #sigstore and the Open Source Security Foundation (OpenSSF), they’ve implemented model signing that makes AI systems more trustworthy by default.
openssf.org/blog/2025/07...
By partnering with #sigstore and the Open Source Security Foundation (OpenSSF), they’ve implemented model signing that makes AI systems more trustworthy by default.
openssf.org/blog/2025/07...
July 28, 2025 at 7:13 PM
🔐 New Case Study: How is Google securing the future of machine learning?
By partnering with #sigstore and the Open Source Security Foundation (OpenSSF), they’ve implemented model signing that makes AI systems more trustworthy by default.
openssf.org/blog/2025/07...
By partnering with #sigstore and the Open Source Security Foundation (OpenSSF), they’ve implemented model signing that makes AI systems more trustworthy by default.
openssf.org/blog/2025/07...
At the beginning of the year I wanted to compare models and prompt techniques on several math problems. I also got a common sense one. Today I use a vibe-coded Colab to analyze which models are better than others and which prompt techniques are useful. mihai.page/ai-2025-10/
Concluding the AI 2025 puzzle competition
In this article, we summarize the AI puzzle competition from my blog and answer two questions: which model is better and which prompt engineering hint is giving better results. The answers might surpr...
mihai.page
July 28, 2025 at 5:57 AM
At the beginning of the year I wanted to compare models and prompt techniques on several math problems. I also got a common sense one. Today I use a vibe-coded Colab to analyze which models are better than others and which prompt techniques are useful. mihai.page/ai-2025-10/
It got too expensive to keep saving Matt Damon so they got Ryan Gosling to pay in Hail Mary instead
July 19, 2025 at 11:47 PM
It got too expensive to keep saving Matt Damon so they got Ryan Gosling to pay in Hail Mary instead
Stackage LTS 24 has been released, to support GHC 9.10. At the same time, @juhp helped move the nightly snapshot to GHC 9.12 (many thanks!).
www.stackage.org/blog/2025/07...
www.stackage.org/blog/2025/07...
LTS 24 release for ghc-9.10 and Nightly now on ghc-9.12
www.stackage.org
July 16, 2025 at 2:35 PM
Stackage LTS 24 has been released, to support GHC 9.10. At the same time, @juhp helped move the nightly snapshot to GHC 9.12 (many thanks!).
www.stackage.org/blog/2025/07...
www.stackage.org/blog/2025/07...
I scored 7/28 on jsdate.wtf and all I got was this lousy text to share on social media.
Given the number of wtf/min in JS, it really saddens me that new tooling (e.g., Gemini CLI) is still built on top of NPM.
Given the number of wtf/min in JS, it really saddens me that new tooling (e.g., Gemini CLI) is still built on top of NPM.
new Date("wtf")
How well do you know JavaScript's Date class?
jsdate.wtf
July 12, 2025 at 8:26 PM
I scored 7/28 on jsdate.wtf and all I got was this lousy text to share on social media.
Given the number of wtf/min in JS, it really saddens me that new tooling (e.g., Gemini CLI) is still built on top of NPM.
Given the number of wtf/min in JS, it really saddens me that new tooling (e.g., Gemini CLI) is still built on top of NPM.
Just another example of AI security being just a rerun of the security history of the past. Come on, 123456 as password?
www.wired.com/story/mcdona...
www.wired.com/story/mcdona...
McDonald’s AI Hiring Bot Exposed Millions of Applicants’ Data to Hackers Who Tried the Password ‘123456’
Basic security flaws left the personal info of tens of millions of McDonald’s job-seekers vulnerable on the “McHire” site built by AI software firm Paradox.ai.
www.wired.com
July 9, 2025 at 8:15 PM
Just another example of AI security being just a rerun of the security history of the past. Come on, 123456 as password?
www.wired.com/story/mcdona...
www.wired.com/story/mcdona...
Some weeks ago, I started doing some work within the amazing Scientific Python community. We were thinking of extracting pytrees out of JAX. There is a library, so we wrote a blog post instead, about how pytrees are useful. You can read it at blog.scientific-python.org/pytrees/
Pytrees for Scientific Python
Introducing PyTrees for Scientific Python. We discuss what PyTrees are, how they're useful in the realm of scientific Python, and how to work _efficiently_ with them.
blog.scientific-python.org
July 9, 2025 at 3:21 AM
Some weeks ago, I started doing some work within the amazing Scientific Python community. We were thinking of extracting pytrees out of JAX. There is a library, so we wrote a blog post instead, about how pytrees are useful. You can read it at blog.scientific-python.org/pytrees/
Reposted by Mihai Maruseac
* Using OSS personally? Thank a maintainer. Donate. Contribute. Even fixing a typo in the README helps.
July 7, 2025 at 12:44 PM
* Using OSS personally? Thank a maintainer. Donate. Contribute. Even fixing a typo in the README helps.
I propose we use "vibe installing" as a name for the "curl | bash" pattern if installing stuff.
And "vibe serialization" for using pickle (and other insecure formats) for serialization.
Both are bad patterns, forbidden, yet so easy to use that people reach them again and again.
And "vibe serialization" for using pickle (and other insecure formats) for serialization.
Both are bad patterns, forbidden, yet so easy to use that people reach them again and again.
June 27, 2025 at 3:33 PM
I propose we use "vibe installing" as a name for the "curl | bash" pattern if installing stuff.
And "vibe serialization" for using pickle (and other insecure formats) for serialization.
Both are bad patterns, forbidden, yet so easy to use that people reach them again and again.
And "vibe serialization" for using pickle (and other insecure formats) for serialization.
Both are bad patterns, forbidden, yet so easy to use that people reach them again and again.
If you are at OSS NA, I'll be doing a demo of model signing today at 12:30, at the @openssf.org booth.
And I'm happy to talk on the hallway track about ML supply chain security during any day the conference is taking place.
And I'm happy to talk on the hallway track about ML supply chain security during any day the conference is taking place.
June 23, 2025 at 2:52 PM
If you are at OSS NA, I'll be doing a demo of model signing today at 12:30, at the @openssf.org booth.
And I'm happy to talk on the hallway track about ML supply chain security during any day the conference is taking place.
And I'm happy to talk on the hallway track about ML supply chain security during any day the conference is taking place.
> We shouldn't have to be telling developers "oh just run it all in Docker". We should have designed this to be [..] secure from the get-go.
We really need to create security-by-default AI-tools where tech debt is actually managed, not added to at an exponential rate.
xeiaso.net/blog/2025/ro...
We really need to create security-by-default AI-tools where tech debt is actually managed, not added to at an exponential rate.
xeiaso.net/blog/2025/ro...
Rolling the ladder up behind us
Who will take over for us if we don't train the next generation to replace us? A critique of craft, AI, and the legacy of human expertise.
xeiaso.net
June 21, 2025 at 4:31 PM
> We shouldn't have to be telling developers "oh just run it all in Docker". We should have designed this to be [..] secure from the get-go.
We really need to create security-by-default AI-tools where tech debt is actually managed, not added to at an exponential rate.
xeiaso.net/blog/2025/ro...
We really need to create security-by-default AI-tools where tech debt is actually managed, not added to at an exponential rate.
xeiaso.net/blog/2025/ro...
> economy runs on money, not GitHub stars
That's why we need sustainable open source.
(from xeiaso.net/blog/2025/av...)
That's why we need sustainable open source.
(from xeiaso.net/blog/2025/av...)
Making sure you're not a bot!
xeiaso.net
June 15, 2025 at 10:46 AM
> economy runs on money, not GitHub stars
That's why we need sustainable open source.
(from xeiaso.net/blog/2025/av...)
That's why we need sustainable open source.
(from xeiaso.net/blog/2025/av...)