Nicholas Carlini
Moving the numerical stability fix to the MNIST model does, at a technical level, resolve this specific issue. However, the stated purpose of DeepSec is to support arbitrary defenses written...
So definitely it's good that you do report it somewhere, but nevertheless it's not meaningful to talk about the *success rate* of *unbounded attacks*. Again, you may want to read https://arxiv.org/abs/1902.06705.
I am glad you will fix the one error. However: calling this PGD Adversarial Training is disingenuous when you don't actually follow what the paper proposes. It's literally one of...
Okay, so let's put aside the question of what it means to do a security evaluation. I think we have fundamental disagreements there that aren't going to be resolved over...
I agree that's the observation you make. But the way you evaluate it is flawed. I'm not going to repeat my argument again, but instead refer you to Section 5.2...
Definitely, there is no such thing as perfect security and some things can be more robust than others. Fortunately, we have a way to measure this. Accuracy. For example, the...
Yeah, I tested this on most variants of Linux I could come across and OSX. It wouldn't surprise me if it wasn't compatible with Windows. From your output, it looks...
Well, responding a year late is better than not. In the chance you see this: what accuracy do you get? I think I got ~80% accuracy on this.
If you just set the target to the string " " for now that will get you 95% of the way there. I didn't put the improved loss formulation for...
Probably `data/train-images-idx3-ubyte.gz` is an HTML file if I had to guess. If you just `cat data/train-images-idx3-ubyte.gz` you'll probably see something like `` given what those first two bytes are. Assuming...