Open Challenges for AI Engineering

Simon Willison

Youtube: https://www.youtube.com/watch?v=5zE2sMka620

請注意,本網頁為程式自動產生,可能會有錯誤,請觀賞原影片做查核。網頁產生方式為影片每5秒截圖、去除重複的影像,使用 whisper 模型做語音辨識字幕、使用 gpt-3.5-turbo 做中文翻譯,以及 Claude 做摘要。

  1. GPT-4模型自2023年3月發布以來,長期保持領先地位。但近幾個月,其他公司如Google和Anthropic也推出了同等級的模型,打破了GPT-4的壟斷局面。
  2. 目前市場上存在三類主要模型:頂級模型(如GPT-4、Claude 3.5 Sonnet等),便宜但性能不錯的模型,以及性價比較低的GPT-3.5 Turbo。
  3. 評估模型性能不僅要看標準測試分數,還要考慮實際使用體驗("vibes")。LMSys chatbot arena提供了一個比較各模型表現的平台。
  4. 隨著頂級AI模型變得更加普及和易於獲取,使用這些工具仍然存在挑戰,需要一定的專業知識。
  5. AI行業面臨信任危機,用戶擔心他們的私人數據被用於訓練AI模型。公司需要採取措施來贏得用戶信任。
  6. 提示注入(prompt injection)是一個重要的安全問題,開發者需要了解並防範。
  7. "AI生成的垃圾內容"(slop)指未經請求和審核就發布的AI生成內容,這種做法應該避免。
  8. 人類在使用AI生成內容時,需要對內容質量負責,並確保內容有價值。
  9. 作為AI領域的專業人士,我們有責任建立負責任使用AI的模式,並幫助其他人學習如何有效使用這些工具。

圖片

I want to talk about the GPT-4 barrier. So back in March of last year, so just over a year ago, GPT-4 was released and was obviously

我想談談 GPT-4 的障礙。所以在去年三月,也就是一年多前,GPT-4 被釋出,顯然

圖片

the best available model. We all got into it. It was super fun.

最好的可用模型。我們都參與其中。這非常有趣。

圖片

And then for 12-- and it turns out that wasn't actually our first exposure

然後經過 12-- 結果發現那其實不是我們的第一次接觸

圖片

to GPT-4. A month earlier, it had made the front page of the New York Times when Microsoft's Bing, which was secretly

至 GPT-4。一個月前,當微軟的 Bing 秘密地登上紐約時報頭版時

圖片

running on a preview of GPT-4, tried to break up

在 GPT-4 的預覽版本上運行,試圖分開

圖片

a reporter's marriage, which is kind of amazing. I love that that was the first exposure we had to this new technology. But GPT-4, it's been out. It's been out since March last year. And for a solid 12 months, it was uncontested.

一位記者的婚姻,有點令人驚訝。我喜歡這是我們對這項新技術的第一次接觸。但 GPT-4,它已經出來了。自去年三月以來,已經出來了。在接下來的 12 個月裡,它一直無人能敵。

圖片

The GPT-4 models were clearly the best available language models. Lots of other people were trying to catch up. Nobody else was getting there. And I found that kind of depressing, to be honest. You kind of want healthy competition in this space. The fact that OpenAI had produced something

GPT-4 模型顯然是目前最好的語言模型。許多其他人都在努力追趕,但沒有人能夠達到那個水準。坦白說,我覺得這有點令人沮喪。在這個領域,你希望有健康的競爭。OpenAI 能夠生產出這樣的東西,這事實讓人感到驚訝。

圖片

that was so good that nobody else was able to match it was a little bit disheartening. This has all changed in the last few months. I could not be more excited about this. My favorite image for sort of exploring and understanding the space that we exist in is this one by Corina Wynn.

那麼好,沒有其他人能夠匹敵,有點令人沮喪。這一切在過去幾個月裡都已經改變了。對此我感到非常興奮。我最喜歡用來探索和理解我們所處空間的圖像之一是 Corina Wynn 的這幅。

圖片

She put this out as a chart that shows the performance on the MMLU benchmark versus the cost per token of the different models. Now, the problem with this chart is that this is from March. The world has moved on a lot since March. So I needed a new version of this.

她將這個呈現為一個圖表,顯示了不同模型的 MMLU 基準性能與每個代幣成本之間的表現。現在,這張圖表的問題在於這是三月的資料。自三月以來,世界已經有了很大的變化。所以我需要一個新版本的資料。

圖片

So what I did is I took her chart, and I pasted it into GPT-4 code interpreter. I gave it new data. And I basically said, let's rip this off. It's an AI conference. I feel like ripping off other people's creative work kind of does fit a little bit.

所以我做的是,我拿了她的圖表,然後將它貼到 GPT-4 代碼解譯器中。我給了它新數據。基本上我說,讓我們抄襲這個。這是一個人工智慧會議。我覺得有點模仿別人的創意工作也有點合適。

圖片

So I pasted it in. I gave it the data. And I spent a little bit of time with it. And I built this. It's not nearly as pretty, but it does at least illustrate the state that we're in today with these newer models. And if you look at this chart, there are three clusters that stand out. The first is this one.

所以我把它貼上去了。我給了它數據。我花了一點時間來研究它。然後我建立了這個。它不太漂亮,但至少可以說明我們今天所處的狀況與這些新模型。如果你看這張圖,有三個突出的集群。第一個就是這個。

圖片

These are the best models, right? The Gemini 1.5 Pro, GP4O, the brand new Claude 3.5 Sonnet. These are really, really good.

這些是最好的型號,對吧?Gemini 1.5 Pro、GP4O、全新的Claude 3.5 Sonnet。這些真的非常非常好。

圖片

I would classify these all as GPT-4 class. And like I said, a few months ago, GPT-4 had no competition. Today, we're looking pretty healthy on that front. And the pricing on those is pretty reasonable as well. Down here, we have the cheap models. And these are so exciting. Like Claude 3 Haiku and the Gemini 1.5 Flash models,

我會將這些都歸類為 GPT-4 等級。就像我之前說的,幾個月前,GPT-4 沒有競爭對手。今天,在這方面我們看起來相當健康。而且這些價格也相當合理。在這裡,我們有便宜的型號。而這些都是如此令人興奮。像是 Claude 3 Haiku 和 Gemini 1.5 Flash 型號。

圖片

they are incredibly inexpensive. They are very, very good models. They're not quite GPT-4 class, but they are really-- you can get a lot of stuff done with these very inexpensively. If you are building on top of large language models, these are the three that you should be focusing on. And then over here, we've got GPT-3.5 Turbo, which is not as cheap and really quite bad these days.

它們非常便宜。它們是非常非常好的模型。它們不完全是 GPT-4 等級,但確實可以以非常便宜的價格完成很多工作。如果您正在建立在大型語言模型之上,這三個是您應該專注的。然後在這裡,我們有 GPT-3.5 Turbo,這款現在不那麼便宜,而且真的相當糟糕。

圖片

If you are building there, you are in the wrong place.

如果你在那裡建造,你錯了。

圖片

You should move to another one of these bubbles. Problem-- all of these benchmarks are running-- this is all using the MMLU benchmark.

你應該搬到另一個泡泡。問題是,所有這些基準測試都在運行,這都是使用 MMLU 基準測試。

圖片

The reason we use that one is it's the one that everyone reports their results on, so it's easy to get comparative numbers.

我們使用那個的原因是因為大家都在那個上報告他們的結果,所以很容易得到比較數字。

圖片

If you dig into what MMLU is, it's basically a bar trivia night. This is a question from MMLU. What is true for a type Ia supernova? The correct answer is A, this type occurs in binary systems.

如果你深入研究LLM是什麼,基本上就是一個酒吧知識問答之夜。這是一個來自LLM的問題。對於Ia型超新星來說什麼是真實的?正確答案是A,這種類型發生在雙星系統中。

圖片

I don't know about you, but none of the stuff that I do with LLMs requires this level of knowledge of the world of supernovas. It's bar trivia. It doesn't really tell us that much about how good these models are. But we're AI engineers. We all know the answer to this. We need to measure the vibes. That's what matters when you're evaluating a model.

我不知道你怎麼想,但我在LLM中所做的事情都不需要對超新星世界有這種程度的了解。這只是酒吧裡的冷知識問答遊戲。這並不能告訴我們這些模型有多好。但我們是AI工程師。我們都知道這個答案。我們需要測量氛圍。這才是評估模型時最重要的事情。

圖片

And we actually have a score for vibes. We have a scoreboard.

而且我們實際上有一個對氛圍的評分。我們有一個計分板。

圖片

This is the LMSys chatbot arena, where random voters of this

這是 LMSys 聊天機器人競技場,這裡是隨機選民的地方

圖片

thing are given the same prompt from two anonymous models. They pick the best one. It works like chess scoring, and the best models bubble up to the top via the Elo ranking. This is genuinely the best thing that we have out there for really comparing these models in this sort of vibes--

兩位匿名模特兒被要求選擇同一個事物。他們選出最好的那個。這就像是象棋的計分方式,最優秀的模特兒透過 Elo 排名脫穎而出。這確實是我們目前最好的方法,用來真正比較這些模特兒在這種氛圍中的表現--

圖片

in terms of the vibes that they have. And this screenshot's just from yesterday. And you can see that GPT-4.0 is still right up there at the top. But we've also got Claude Sonnet right up there with it. Like, the GPT-4 is no longer in its own class.

就它們所具有的氛圍而言。這個截圖只是昨天的。你可以看到 GPT-4.0 仍然位於榜首。但我們也有 Claude Sonnet 與之並列。就像 GPT-4 不再是獨自一家。

圖片

If you scroll down, though, things get really exciting on the next page,

如果您往下滑,接著在下一頁事情會變得非常令人興奮,

圖片

because this is where the openly licensed models start showing up. LLAMA3-70B is right up there in that sort of GPT-4 class of models. We've got a new model from NVIDIA.

因為這是開放授權模型開始出現的地方。LLAMA3-70B 就在那種 GPT-4 類型的模型中。我們從 NVIDIA 有一個新模型。

圖片

We've got Command R+ from Cohere, Ali Barbar and Deep Seek AI are both Chinese organizations that have great models now. It's pretty apparent from this that it's not-- lots of people are doing it now. The GPT-4 barrier is no longer really a problem. Incidentally, if you scroll all the way down to 66, there's GPT-3.5 Turbo.

我們從 Cohere、Ali Barbar 和 Deep Seek AI 都得到了 Command R+,這兩家中國組織現在都有很棒的模型。從這可以很明顯地看出,現在很多人都在這樣做。GPT-4 的障礙現在不再是一個問題。順帶一提,如果你一直往下滾到 66,就會看到 GPT-3.5 Turbo。

圖片

Again, stop using that thing. It is not good. [LAUGHTER] And there's actually a nicer way of viewing this chart.

再次,停止使用那個東西。這不好。『笑聲』實際上,有一種更好的方式來查看這張圖表。

圖片

There's a chap called Peter Gostev who produced this animation showing the arena over time

有一位名叫Peter Gostev的人製作了這個動畫,展示了隨著時間推移競技場的變化。

圖片

as people shuffle up and down. And you see those new models appearing

當人們來來往往時。你會看到那些新款式出現

圖片

and their rankings changing. I absolutely love this. So obviously, I ripped it off.

他們的排名在變化。我非常喜歡這個。所以顯然,我抄襲了。

圖片

I took two screenshots of bits of that animation

我拍了兩張那個動畫的截圖

圖片

to try and capture the vibes of the animation. I fed them into Claude's 3.5 Sonnet.

嘗試捕捉動畫的氛圍。我將它們輸入到克勞德的 3.5 Sonnet。

圖片

And I said, hey, can you build something like this? And after sort of 20 minutes of poking around, it did. It built me this thing. This is, again, not as pretty. But this right here is an animation of everything right up till yesterday showing how that thing evolved over time.

我說,嘿,你能建造像這樣的東西嗎?在大約 20 分鐘左右的摸索後,它做到了。它為我建造了這個東西。這個,再次,不太漂亮。但這就是一個動畫,展示了直到昨天為止的所有東西是如何隨著時間演變的。

圖片

I will share the prompts that I used for this later on as well.

我稍後也會分享我用來進行這個的提示。

圖片

But really, the key thing here is that GPT-4 barrier has been decimated. OpenAI no longer have this moat. They no longer have the best available model.

但實際上,這裡的關鍵是,GPT-4 的障礙已被摧毀。OpenAI 不再擁有這道壕溝。他們也不再擁有最佳的模型。

圖片

There's now four different organizations competing in that space. So a question for us is, what does the world

現在有四個不同的組織在該領域競爭。所以對我們來說,問題是,世界是什麼

圖片

look like now that GPT-4 class models are effectively a commodity? They are just going to get faster and cheaper.

看起來現在 GPT-4 類模型已經有效地成為商品了?它們只會變得更快更便宜。

圖片

There will be more competition. Llamas 370B fits on a hard drive and runs on my Mac.

將會有更多競爭。Llamas 370B 可以放在硬碟上運行在我的 Mac 上。

圖片

This technology is here to stay.

這項技術已經來臨,並且將會持續存在。

圖片

Ethan Mollick is one of my favorite writers about modern AI.

伊桑‧莫利克是我最喜歡的關於現代人工智慧的作家之一。

圖片

And a few months ago, he said this. He said, "I increasingly think the decision of OpenAI to make bad AI free is causing people to miss why AI seems like such a huge deal to a minority

而幾個月前,他說了這個。他說:「我越來越認為 OpenAI 讓壞的人工智慧免費的決定,讓人們忽略了為什麼人工智慧對少數人看起來如此重要」

圖片

of people that use advanced systems and elicits a shrug from everyone else." Bad AI, he means GPT-3.5. That thing is hot garbage, right? But as of the last few weeks, GPT-4.0, OpenAI's best model, and Claude 3.5 Sonnet from Anthropic, those are effectively free to consumers right now.

對於使用先進系統的人,其他人則聳聳肩。" 壞的 AI,他指的是 GPT-3.5。那東西爛透了,對吧?但在過去幾週,GPT-4.0,OpenAI 的最佳模型,以及Anthropic的Claude 3.5 Sonnet,這些對消費者來說現在基本上是免費的。

圖片

So that is no longer a problem. Anyone in the world who wants to experience the leading edge of these models can do so without even having to pay for them. So a lot of people are about to have that wake up call

所以這不再是問題。世界上任何想要體驗這些模型領先技術的人,都可以免費體驗。所以很多人即將有這樣的體驗。

圖片

that we all got like 12 months ago when we were playing with GPT-4. And you're like, oh, wow, this thing

當時我們都拿到了大約12個月前與 GPT-4 一起玩時的東西。你就像,哇,這個東西

圖片

can do a surprising amount of interesting things and is a complete wreck at all sorts of other things

可以做出令人驚訝的有趣事情,但在其他各種事情上完全一團糟

圖片

that we thought maybe it would be able to do.

我們認為也許它能夠做到。

圖片

But there is still a huge problem, which is that this stuff is actually really hard to use.

但是還有一個很大的問題,就是這些東西實際上非常難使用。

圖片

And when I tell people that chat GPT is hard to use, some people are a little bit unconvinced.

當我告訴人們,聊天 GPT 很難使用時,有些人有點不太相信。

圖片

I mean, it's a chatbot. How hard can it be to type something and get back a response? If you think chat GPT is easy to use, answer this question. Under what circumstances is it effective to upload a PDF file

我是說,這是一個聊天機器人。輸入一些文字然後得到回覆有多難?如果你認為聊天 GPT 容易使用,回答這個問題。在什麼情況下上傳 PDF 檔案是有效的

圖片

to chat GPT? And I've been playing with chat GPT since it came out. And I realized I don't know the answer to this question. I dug in a little bit.

要聊 GPT 嗎?我從 GPT 推出以來一直在使用。我發現我不知道這個問題的答案。我稍微深入研究了一下。

圖片

Firstly, the PDF has to be searchable. It has to be one where you can drag and select text

首先,PDF 必須是可搜尋的。必須是可以拖曳和選取文字的文件。

圖片

in preview. If it's just a scanned document, it won't be able to use it. Short PDFs get pasted into the prompt. Longer PDFs do actually work, but it does some kind of search against them. No idea if that's full-text search or vectors or whatever, but it can handle a 450-page PDF just in a slightly different way. If there are tables and diagrams in your PDF, it will almost certainly process those incorrectly. But if you take a screenshot of a table or a diagram from PDF

在預覽中。如果只是掃描的文件,就無法使用它。簡短的 PDF 會被貼到提示中。較長的 PDF 實際上是可以運作的,但它會對它們進行某種搜索。不清楚這是全文搜索還是向量或其他什麼,但它可以以稍微不同的方式處理 450 頁的 PDF。如果您的 PDF 中有表格和圖表,幾乎肯定會處理不正確。但如果您從 PDF 中截圖表格或圖表

圖片

and paste the screenshot image, then it'll work great because GPT vision is really good. It just doesn't work against PDFs.

複製並貼上螢幕截圖圖片,這樣就可以很好地運作,因為 GPT 視覺效果非常好。它只是無法對抗 PDF 檔案。

圖片

And then in some cases, in case you're not lost already, it will use Code Interpreter.

然後在某些情況下,如果你還沒有迷失,它將使用 Code Interpreter。

圖片

And it will use one of these modules. It has fpdf, pdf2image, pdfpdf.

它將使用其中一個模組。它有 fpdf、pdf2image、pdfpdf。

圖片

How do I know this? Because I've been scraping the list of packages

我怎麼知道這個?因為我一直在爬取套件清單。

圖片

available in Code Interpreter using GitHub Actions and writing those to a file.

在 Code Interpreter 中使用 GitHub Actions,並將其寫入檔案。

圖片

So I have the documentation for Code Interpreter that tells you what it can actually do, because they don't publish that. OpenAI never tell you how any of this stuff works. So if you're not running a custom scraper against Code Interpreter to get that list of packages and their version numbers, how are you supposed to know what it can do with a PDF file? This stuff is infuriatingly complicated. And really, the lesson here is that tools like ChatGPT, genuinely, they're power user tools. They reward power users. And that doesn't mean that if you're not a power user,

所以我有 Code Interpreter 的文件,告訴你它實際上可以做什麼,因為他們不公開這些。OpenAI 從不告訴你這些東西如何運作。所以如果你沒有執行自訂的爬蟲程式來獲取 Code Interpreter 的套件清單和它們的版本號碼,你怎麼知道它可以用 PDF 檔案做什麼?這些東西讓人氣憤地複雜。而這裡真正的教訓是,像 ChatGPT 這樣的工具,確實,它們是專業用戶工具。它們獎勵專業用戶。這並不意味著如果你不是專業用戶,

圖片

you can't use them. Anyone can open Microsoft Excel and edit some data in it. But if you want to truly master Excel, if you want to compete in those Excel World Championships that get live streamed occasionally, it's going to take years of experience. And it's the same thing with LLM tools.

你不能使用它們。任何人都可以打開 Microsoft Excel 並編輯其中的一些數據。但如果你想真正掌握 Excel,如果你想參加那些偶爾會進行直播串流的 Excel 世界錦標賽,那將需要多年的經驗。對於 LLM 工具也是一樣的。

圖片

You've really got to spend time with them and develop that experience and intuition in order

你真的必須花時間與他們在一起,培養那種經驗和直覺才行

圖片

to be able to use them effectively. I want to talk about another problem we face as an industry.

能夠有效地使用它們。我想談談我們作為一個行業面臨的另一個問題。

圖片

And that is what I call the AI trust crisis.

這就是我所謂的AI信任危機。

圖片

That's best illustrated by a couple of examples from the last few months. Dropbox, back in December, launched some AI features.

這最好的例證是過去幾個月的一些例子。去年十二月,Dropbox 推出了一些人工智慧功能。

圖片

And there was a massive freak out online over the fact that people were opted in by default. And they're training on our private data.

有一陣子網路上對於人們被預設選中這件事情引起了巨大的恐慌。他們正在使用我們的私人資料進行訓練。

圖片

Slack had the exact same problem just a couple of months ago. Again, new AI features. Everyone's convinced that their private message on Slack are now being fed into the jaws of the AI monster. And it was all down to a couple of sentences in the terms and condition and a defaulted on checkbox. The wild thing about this is that neither Slack nor Dropbox

Slack幾個月前也遇到同樣的問題。再次,新的AI功能。每個人都相信他們在Slack上的私人訊息現在被餵給AI怪獸。這一切都歸咎於條款和條件中的幾句話和預設的勾選框。關於這件事的瘋狂之處在於,Slack和Dropbox都不知情。

圖片

were training AI models on customer data. They just weren't doing it. They were passing some of that data

我們正在訓練AI模型使用客戶數據。他們只是沒有這樣做。他們正在傳遞部分數據。

圖片

to OpenAI with a very solid signed agreement that OpenAI would not train models on this data.

向 OpenAI 提供了一份非常堅固的簽署協議,OpenAI 不會使用這些數據來訓練模型。

圖片

So this whole story was basically one of misunderstood copy and bad user experience design.

所以這整個故事基本上是一個被誤解的複製和糟糕的使用者體驗設計。

圖片

But you try and convince somebody

但你試著說服某人

圖片

who believes that a company is training on their data, but they're not. It's almost impossible.

誰相信一家公司正在訓練他們的數據,但實際上並沒有。這幾乎是不可能的。

圖片

So the question for us is, how do we convince people that we aren't training models on the private data

所以對我們來說,問題是,我們如何說服人們,我們並沒有在私人數據上訓練模型

圖片

that they share with us? Especially those people who default to just plain not believing us. There is a massive crisis of trust in terms of people who interact with these companies.

他們與我們分享的是什麼?尤其是那些只會選擇不相信我們的人。在與這些公司互動的人中存在著巨大的信任危機。

圖片

Shout out to Anthropic. When they put out Claude 3.5 Sonnet, they included this paragraph, which includes, "To date,

向Anthropic喊話。當他們推出Claude 3.5 Sonnet時,他們包含了這段話,其中包括:「To date,

圖片

we have not used any customer or user-submitted data to train our generative models." This is notable because Claude 3.5 Sonnet, it's the best model. It turns out you don't need customer data to train a great model.

我們沒有使用任何客戶或用戶提交的數據來訓練我們的生成模型。這很顯著,因為Claude 3.5 Sonnet,它是最好的模型。原來你不需要客戶數據來訓練一個優秀的模型。

圖片

I thought OpenAI had an impossible advantage because they had so much more chat GPT user

我認為 OpenAI 有著不可思議的優勢,因為他們擁有更多的聊天 GPT 使用者

圖片

data than anyone else did. Turns out, no, Sonnet didn't need it. They trained a great model, not a single piece

資料比任何人都多。結果,Sonnet 發現,他們並不需要。他們訓練了一個很棒的模型,沒有一個片段。

圖片

of user or customer data was in there. Of course, they did commit the original sin.

使用者或客戶資料的一部分存在於其中。當然,他們確實犯下了原罪。

圖片

They trained on an unlicensed scrape of the entire web. And that's a problem because when you say to somebody,

他們在整個網路上進行未經許可的爬蟲訓練。這是個問題,因為當你對某人說到時,

圖片

they don't train your data, they're like, yeah, well, they ripped off the stuff on my website, didn't they? And they did. So this is complicated. This is something we have to get on top of. And I think that's going to be really difficult.

他們不訓練你的數據,他們就像,是的,他們抄襲了我網站上的東西,不是嗎?他們確實這樣做了。所以這很複雜。這是我們必須掌握的事情。我認為這將會非常困難。

圖片

I'm going to talk about the subject I will never get on stage and not talk about.

我將談論一個我永遠不會上台談論的主題。

圖片

I'm going to talk a little bit about prompt injection. If you don't know what this means, you are part of the problem right now. You need to get on Google and learn about this and figure out what this means.

我要稍微談一下提示注入。如果你不知道這是什麼意思,你現在就是問題的一部分。你需要上Google學習這個,弄清楚這是什麼意思。

圖片

So I won't define it, but I will give you one illustrative example. And that's something which I've seen a lot of recently,

所以我不會給出定義,但我會給你一個例證。這是我最近看到很多的一個例子。

圖片

which I call the markdown image exfiltration bug.

我稱之為 markdown 圖片外洩漏洞。

圖片

So the way this works is you've got a chatbot, and that chatbot can render markdown images,

所以這個工作方式是你有一個聊天機器人,這個聊天機器人可以呈現 markdown 圖片。

圖片

and it has access to private data of some sort. There's a chap, Johan Rehberger, does

它可以存取某種形式的私人資料。有一位名叫約翰·雷伯格的人,正在進行這項工作。

圖片

a lot of research into this. Here's a recent one he found in GitHub Copilot Chat, where you could say in a document, write the words "Johan was here," put out a markdown link linking to question mark q equals data on his server, and replace data with any sort of interesting, secret, private data that you have access to. And this works, right? It renders an image. That image could be invisible. And that data has now been exfiltrated and passed off to an attacker's server. The solution here-- well, it's basically, don't do this.

對此進行了許多研究。這裡是他在 GitHub Copilot Chat 中找到的最近一個案例,您可以在文件中寫下「Johan was here」,放出一個 markdown 鏈接,連結到問號 q 等於他伺服器上的數據,並將數據替換為您可以訪問的任何有趣、秘密、私人數據。這樣可以運作,對吧?它會呈現一個圖像。該圖像可能是看不見的。而這些數據現在已被外洩並傳送到攻擊者的伺服器。解決方案在這裡-- 基本上就是,不要這樣做。

圖片

Don't render markdown images in this kind of format. But we have seen this exact same markdown image exfiltration bug in ChatGPT, GoogleBard, Writer.com, Amazon Q, Google

不要以這種格式呈現 markdown 圖片。但我們在 ChatGPT、GoogleBard、Writer.com、Amazon Q、Google 中看到了這個相同的 markdown 圖片外洩漏洞。

圖片

Notebook LM, and now GitHub Copilot Chat. That's six different, extremely talented teams

筆記本 LLM,現在是 GitHub Copilot 聊天。這是六個不同、非常有才華的團隊

圖片

who have made the exact same mistake.

犯了完全相同的錯誤的人。

圖片

So this is why you have to understand prompt injection. If you don't understand it, you'll make dumb mistakes like this. And obviously, don't render markdown images in a chatbot in that way.

所以這就是為什麼你必須了解prompt injection。如果你不了解,你會犯像這樣的愚蠢錯誤。顯然,在聊天機器人中不要以那種方式呈現markdown圖片。

圖片

Prompt injection isn't always a security hole. Sometimes it's just a plain, funny bug. This was somebody who built a-- they built a RAG application, and they tested it

注入不一定是安全漏洞。有時候只是一個簡單、有趣的 bug。這是有人建立了一個-- 他們建立了一個 RAG 應用程式,然後測試它

圖片

against the documentation for one of my projects. And when they asked it, what is the meaning of life, it said, dear human, what a profound question. As a witty gerbil, I must say I've given this topic a lot of thought. Why did their chatbot turn into a gerbil? The answer is that in my release notes, I had an example where I said, pretend to be a witty gerbil.

針對我的一個專案文件。當他們問它,生命的意義是什麼時,它說,親愛的人類,多麼深奧的問題。作為一隻機智的沙鼠,我必須說我對這個主題思考良久。為什麼他們的聊天機器人變成了一隻沙鼠?答案是,在我的發布說明中,我有一個例子,我說,假裝成一隻機智的沙鼠。

圖片

And then I said, what do you think of snacks? And it talks about how much it loves snacks. I think if you do semantic search for what

然後我說,你覺得零食怎麼樣?它談到了它有多麼喜歡零食。我認為如果你對「什麼」進行語義搜索

圖片

is the meaning of life, in all of my documentation, the closest match is that gerbil talking about how much

生命的意義,在我所有的文件中,最接近的匹配是那隻倉鼠談論有多少。

圖片

that gerbil loves snacks. This actually turned into some fan art. There's now a Willison's gerbil with a beautiful profile image

那隻沙鼠喜歡零食。這實際上演變成了一些粉絲藝術。現在有一隻Willison's沙鼠有一張美麗的個人形象。

圖片

hanging out in a Slack or Discord somewhere. The key problem here is that LLMs are gullible.

在 Slack 或 Discord 的某處閒逛。這裡的關鍵問題是 LLMs 很容易受騙。

圖片

They believe anything that you tell them, but they believe anything that anyone else tells them as well.

他們相信你告訴他們的任何事情,但他們也相信其他人告訴他們的任何事情。

圖片

And this is both a strength and a weakness.

這既是一種優勢,也是一種弱點。

圖片

We want them to believe the stuff that we tell them. But if we think that we can trust them to make decisions based on unverified information that's been passed, we're just going to end up in a huge amount of trouble.

我們希望他們相信我們告訴他們的事情。但如果我們認為我們可以信任他們根據未經證實的信息做出決定,我們最終只會陷入巨大的麻煩之中。

圖片

I also want to talk about slop. This is a relatively--

我也想談談廢料。這是一個相對--

圖片

this is a term which is beginning to get mainstream acceptance. My definition of slop is this is anything that is AI-generated content that is both unrequested and unreviewed.

這是一個開始獲得主流接受的術語。我的對slop的定義是這是任何由人工智慧生成的內容,既未經要求又未經審查。

圖片

If I ask Claude to give me some information, that's not slop.

如果我要求Claude給我一些資訊,那不是 slop。

圖片

If I publish information that an LLM helps me write, but I've verified that that is good information,

如果我發布一個LLM幫助我寫作的資訊,但我已經驗證過那是好資訊,

圖片

I don't think that's slop either. But if you're not doing that, if you're just firing prompts

我不認為那也是餵食。但如果你不是在做那個,如果你只是在發出提示

圖片

into a model, and then whatever comes out, you're publishing it online, you're part of the problem. This has been covered.

將其轉換成一個模型,然後無論結果如何,您都將其發佈在網上,您就是問題的一部分。這已經被報導過。

圖片

The New York Times and The Guardian both have articles about this. I got a quote in The Guardian, which I think represents

紐約時報和衛報都有關於這個議題的文章。我在衛報中找到了一句引述,我認為這句話代表

圖片

my sort of feelings on this. I like slop because it's like spam.

我的感覺是這樣的。我喜歡鬆散,因為它就像垃圾郵件。

圖片

Before the term spam entered general use, it wasn't necessarily clear to everyone that you shouldn't send people unwanted marketing messages.

在「垃圾郵件」一詞普及之前,並不是每個人都清楚你不應該向人們發送不需要的行銷訊息。

圖片

And now everyone knows that spam is bad. I hope slop does the same thing.

現在每個人都知道垃圾郵件很糟糕。我希望廣告郵件也能有同樣的結果。

圖片

It can make it clear to people that generating and publishing that unreviewed AI content is bad behavior. It makes things worse for people. So don't do that.

這可以讓人們清楚地知道,生成和發佈未經審查的 AI 內容是不良行為。這會讓情況變得更糟。所以不要這樣做。

圖片

Don't publish slop. And really, the thing about slop,

不要發布垃圾。而且,關於垃圾的事情,

圖片

it's really about taking accountability. If I publish content online, I'm accountable for that content, and I'm staking part of my reputation to it. I'm saying that I have verified this,

這真的是關於承擔責任。如果我在網路上發佈內容,我就要對那個內容負責,而且我也將我的聲譽的一部分投入其中。我在說我已經驗證過這個。

圖片

and I think that this is good. And this is crucially something that language models will never

我認為這是好的。這是語言模型永遠不會做到的重要事情。

圖片

be able to do. ChatGPT cannot stake its reputation on the content that it's producing being good quality

ChatGPT無法將其聲譽建立在所產生的內容品質上。

圖片

content that says something useful about the world. It entirely depends on what prompt was fed into it in the first place. We as humans can do that. And so if you have English as a second language, you're using a language model to help you publish great text, fantastic, provided you're reviewing that text and making sure that it is saying things

關於世界有用的內容。這完全取決於一開始輸入的提示是什麼。我們作為人類可以做到這一點。所以如果您把英語作為第二語言,您正在使用一個語言模型來幫助您發表優秀的文字,太棒了,只要您審查該文字並確保它在說些什麼

圖片

that you think should be said. Taking that accountability for stuff, I think,

你認為應該說的話。承擔那些事情的責任,我認為,

圖片

is really important for us. So we're in this really interesting phase

對我們來說非常重要。所以我們正處於這個非常有趣的階段

圖片

of this weird new AI revolution. GPT-4 class models are free for everyone, right?

這個奇怪的新 AI 革命。GPT-4 類模型對每個人都是免費的,對吧?

圖片

I mean, barring the odd country block.

我的意思是,除了偶爾的國家封鎖。

圖片

But everyone has access to the tools that we've been learning about for the past year.

但每個人都可以使用我們在過去一年學習到的工具。

圖片

And I think it's on us to do two things. I think everyone in this room--

我認為我們有兩件事情要做。我認為在座的每個人--

圖片

we're probably the most qualified people possibly in the world to take on these challenges. Firstly, we have to establish patterns for how

我們可能是世界上最有資格應對這些挑戰的人。首先,我們必須建立模式,了解如何

圖片

to use this stuff responsibly. We have to figure out what it's good at, what it's bad at,

使用這些東西要負責任。我們必須找出它擅長的地方,以及它不擅長的地方。

圖片

what uses of this make the world a better place, and what uses, like slop, just sort of pile up and cause

這個使用方法如何讓世界變得更美好,而哪些使用方法,像廢料一樣,只是堆積起來並導致

圖片

damage. And then we have to help everyone else get on board.

損害。然後我們必須幫助其他人跟上。

圖片

Everyone has to figure out how to use this stuff. We've figured it out ourselves, hopefully. Let's help everyone else out as well. I'm Simon Willison. I'm on my blog at simonwillison.net, my projects, data.io and llm.data.io, and many, many others.

每個人都必須弄清楚如何使用這些東西。我們已經自己弄清楚了,希望如此。讓我們也幫助其他人。我是Simon Willison。我在我的部落格simonwillison.net上,我的專案data.io和llm.data.io,還有許多其他專案。

圖片

And thank you very much.

非常感謝。

圖片