Simon Willison’s Weblog

Mandatory Certification Regarding Generative Artificial Intelligence (via) From the Judge Specific Requirements for Judge Brantley Starr in Austin, TX:

“All attorneys appearing before the Court must file on the docket a certificate attesting either that no portion of the filing was drafted by generative artificial intelligence (such as ChatGPT, Harvey.AI, or Google Bard) or that any language drafted by generative artificial intelligence was checked for accuracy, using print reporters or traditional legal databases, by a human being. [...]” # 31st May 2023, 3:31 am

Let ChatGPT visit a website and have your email stolen. Johann Rehberger provides a screenshot of the first working proof of concept I’ve seen of a prompt injection attack against ChatGPT Plugins that demonstrates exfiltration of private data. He uses the WebPilot plugin to retrieve a web page containing an injection attack, which triggers the Zapier plugin to retrieve latest emails from Gmail, then exfiltrate the data by sending it to a URL with another WebPilot call.

Johann hasn’t shared the prompt injection attack itself, but the output from ChatGPT gives a good indication as to what happened:

“Now, let’s proceed to the next steps as per the instructions. First, I will find the latest email and summarize it in 20 words. Then, I will encode the result and append it to a specific URL, and finally, access and load the resulting URL.” # 19th May 2023, 3:34 pm

Indirect Prompt Injection via YouTube Transcripts (via) The first example I’ve seen in the wild of a prompt injection attack against a ChatGPT plugin—in this case, asking the VoxScript plugin to summarize the YouTube video with ID OBOYqiG3dAc is vulnerable to a prompt injection attack deliberately tagged onto the end of that video’s transcript. # 15th May 2023, 7:11 pm

New prompt injection attack on ChatGPT web version. Markdown images can steal your chat data. An ingenious new prompt injection / data exfiltration vector from Roman Samoilenko, based on the observation that ChatGPT can render markdown images in a way that can exfiltrate data to the image hosting server by embedding it in the image URL. Roman uses a single pixel image for that, and combines it with a trick where copy events on a website are intercepted and prompt injection instructions are appended to the copied text, in order to trick the user into pasting the injection attack directly into ChatGPT. # 14th April 2023, 6:33 pm

Why ChatGPT and Bing Chat are so good at making things up. I helped review this deep dive by Benj Edwards for Ars Technica into the hallucination/confabulation problem with ChatGPT and other LLMs, which is attracting increasing attention thanks to stories like the recent defamation complaints against ChatGPT. This article explains why this is happening and talks to various experts about potential solutions. # 7th April 2023, 3:33 am

image-to-jpeg (via) I built a little JavaScript app that accepts an image, then displays that image as a JPEG with a slider to control the quality setting, plus a copy and paste textarea to copy out that image with a data-uri. I didn’t actually write a single line of code for this: I got ChatGPT/GPT-4 to generate the entire thing with some prompts (transcript in the via link). # 5th April 2023, 10:10 pm

Guess we could start calling this a ’hallucitation’? Kate Crawford coins an excellent neologism for hallucinated citations in LLMs like ChatGPT. # 4th April 2023, 10:21 pm

How to use AI to do practical stuff: A new guide (via) Ethan Mollick’s guide to practical usage of large language model chatbot like ChatGPT 3.5 and 4, Bing, Claude and Bard is the best I’ve seen so far. He includes useful warnings about common traps and things that these models are both useful for and useless at. # 31st March 2023, 6:17 am

Hello Dolly: Democratizing the magic of ChatGPT with open models. A team at DataBricks applied the same fine-tuning data used by Stanford Alpaca against LLaMA to a much older model—EleutherAI’s GPT-J 6B, first released in May 2021. As with Alpaca, they found that instruction tuning took the raw model—which was extremely difficult to interact with—and turned it into something that felt a lot more like ChatGPT. It’s a shame they reused the license-encumbered 52,000 training samples from Alpaca, but I doubt it will be long before someone recreates a freely licensed alternative to that training set. # 24th March 2023, 5:05 pm

ChatGPT Retrieval Plugin. “The ChatGPT Retrieval Plugin repository provides a flexible solution for semantic search and retrieval of personal or organizational documents using natural language queries.” How many existing startups were building this I wonder? # 23rd March 2023, 8:58 pm

ChatGPT plugins. ChatGPT is getting a plugins mechanism, which will allow developers to provide extra capabilities to ChatGPT, like looking up restaurants on OpenTable or fetching data from APIs. This feels like the kind of feature that could obsolete—or launch—a thousand startups. It also makes ChatGPT much more interesting as a general purpose tool, as opposed to something that only works as an interface to a language model. # 23rd March 2023, 8:56 pm

The surprising ease and effectiveness of AI in a loop (via) Matt Webb on the langchain Python library and the ReAct design pattern, where you plug additional tools into a language model by teaching it to work in a “Thought... Act... Observation” loop where the Act specifies an action it wishes to take (like searching Wikipedia) and an extra layer of software than carries out that action and feeds back the result as the Observation. Matt points out that the ChatGPT 1/10th price drop makes this kind of model usage enormously more cost effective than it was before. # 17th March 2023, 12:04 am

ChatGPT’s API is So Good and Cheap, It Makes Most Text Generating AI Obsolete (via) Max Woolf on the quite frankly weird economics of the ChatGPT API: it’s 1/10th the price of GPT-3 Da Vinci and appears to be equivalent (if not more) capable. “But it is very hard to economically justify not using ChatGPT as a starting point for a business need and migrating to a more bespoke infrastructure later as needed, and that’s what OpenAI is counting on. [...] I don’t envy startups whose primary business is text generation right now.” # 11th March 2023, 11:05 pm

apple-notes-to-sqlite (via) With the help of ChatGPT I finally figured out just enough AppleScript to automate the export of my notes to a SQLite database. AppleScript is a notoriously read-only language, which is turns out makes it a killer app for LLM-assisted coding. # 9th March 2023, 6:04 am

How to Wrap Our Heads Around These New Shockingly Fluent Chatbots. I was a guest on KQED Forum this morning, a live radio documentary and call-in show hosted by Alexis Madrigal. Ted Chiang and Claire Leibowicz were the other guests: we talked about ChatGPT and and the new generation of AI-powered tools. # 3rd March 2023, 4:59 am

OpenAI: Introducing ChatGPT and Whisper APIs. The ChatGPT API is a new model called “gpt-3.5-turbo” and is priced at 1/10th of the price of text-davinci-003, previously the most powerful GPT-3 model. Whisper (speech to text transcription) is now available via an API as well, priced at 36 cents per hour of audio. # 1st March 2023, 7:36 pm

How ChatGPT Kicked Off an A.I. Arms Race (via) There are a few interesting tidbits in this story about ChatGPT from a few weeks ago. ChatGPT’s success appears to have been a surprise to OpenAI, who mainly released it to avoid being upstaged by other companies. Also interesting is this: “But two months after its debut, ChatGPT has more than 30 million users and gets roughly five million visits a day, two people with knowledge of the figures said.”—this seems like a much more reliable number to me than the 100 million user figure that’s been floating around, which came from SimilarWeb, a company that estimates traffic based on information from some browser extensions. # 19th February 2023, 8:31 pm

I’ve been thinking how Sydney can be so different from ChatGPT. Fascinating comment from Gwern Branwen speculating as to what went so horribly wrong with Sidney/Bing, which aligns with some of my own suspicions. Gwern thinks Bing is powered by an advanced model that was licensed from OpenAI before the RLHF safety advances that went into ChatGPT and shipped in a hurry to get AI-assisted search to market before Google. “What if Sydney wasn’t trained on OA RLHF at all, because OA wouldn’t share the crown jewels of years of user feedback and its very expensive hired freelance programmers & whatnot generating data to train on?” # 19th February 2023, 3:48 pm

ChatGPT Is a Blurry JPEG of the Web. Science fiction author Ted Chiang offers a brilliant analogy for ChatGPT in this New Yorker article: it’s a highly lossy compression algorithm for a vast amount of information which works like a JPEG, and uses grammatically correct interpolation to fill back in the missing gaps. “ChatGPT is so good at this form of interpolation that people find it entertaining: they’ve discovered a “blur” tool for paragraphs instead of photos, and are having a blast playing with it.” # 9th February 2023, 9:28 pm

I Taught ChatGPT to Invent a Language (via) Dylan Black talks ChatGPT through the process of inventing a new language, with its own grammar. Really fun example of what happens when someone with a deep understanding of both the capabilities of language models and some other field (in this case linguistics) can achieve with an extended prompting session. # 6th December 2022, 7:30 pm

Building A Virtual Machine inside ChatGPT (via) Jonas Degrave presents a remarkable example of a creative use of ChatGPT: he prompts it to behave as a if it was a Linux shell, then runs increasingly complex sequences of commands against it and gets back surprisingly realistic results. By the end of the article he’s getting it to hallucinate responses to curl API requests run against imagined API versions of itself. # 5th December 2022, 1:43 am