Open Challenges for AI Engineering: Simon Willison

00:00

[Music]

00:13

this was supposed to be open AI I am

00:15

replacing open AI at the last minute

00:17

which is super fun so you can bet I used

00:20

a lot of llm assistance to pull things

00:22

together that I'm going to be showing

00:23

you today um but let's dive straight in

00:26

I want to talk about the gp4 barrier

00:29

right

00:30

so back in um March of last year so just

00:35

over a year ago gp4 was released and was

00:38

obviously the best available model we

00:40

all got into it it was super fun and

00:42

then for 12 and it turns out that wasn't

00:45

actually our first first exposure to GPT

00:47

4 a month earlier it had made the front

00:49

page of the New York Times when

00:52

Microsoft's Bing which was secretly

00:54

Runing on a preview of gp4 tried to

00:56

break up a reporter's marriage which is

00:59

kind of amazing love that that was the

01:00

first exposure we had to this new

01:02

technology but gb4 it's been out it's

01:05

been out since March last year and for a

01:08

solid 12 months it was uncontested right

01:11

the gp4 models s were clearly the best

01:14

available like language models lots of

01:17

other people trying to catch up nobody

01:18

else was getting there and I found that

01:20

kind of depressing to be honest you know

01:22

it was you kind of want comp healthy

01:24

competition in this space the fact that

01:26

open I had produced something that was

01:28

so good that nobody else was able to to

01:30

match it was a little bit disheartening

01:32

this has all changed in the last few

01:35

months I could not be more excited about

01:36

this my favorite image for sort of

01:39

exploring and understanding the the

01:41

space that we exist in is this one by

01:43

Karina win um she put this out as a

01:46

chart that shows the performance on the

01:48

MML Benchmark versus the cost per token

01:52

of the different models now the problem

01:54

with this chart is that this is from

01:55

March the world has moved on a lot since

01:58

March so I needed a new version of this

02:00

and um so what I did is I took her chart

02:03

and I pasted it into gp4 code

02:06

interpreter I gave it new data and I

02:08

basically said let's rip this off right

02:10

let's and it's an AI conference I feel

02:12

like ripping off other people's creative

02:13

work kind of does fit a little bit um so

02:17

I pasted it in I gave it the data and I

02:19

spent a little bit of time with it and I

02:21

built this it's not nearly as pretty but

02:23

it does at least illustrate the state

02:25

that we're in today with these newer

02:27

models and if you look at this chart

02:29

there are three clusters ERS that stand

02:30

out the first is these one these are the

02:32

best models right the Gemini 1.5 Pro

02:34

gp40 the brand new clae Point 3 3.5

02:38

Sonet these are really really good I

02:41

would classify these all as gp4 class

02:44

like I said a few months ago gp4 had no

02:46

competition today we're looking pretty

02:49

healthy on that front and the pricing on

02:51

those is pretty reasonable as well down

02:53

here we have the cheap models and these

02:56

are so exciting like Claude 3 Hau and

02:59

the Gemini 1 .5 flash models they are

03:02

incredibly inexpensive they are very

03:04

very good models you know they're not

03:06

quite GPT 4 class but they are really no

03:09

you can get a lot of stuff done with

03:10

these very inexpensively if you are

03:12

building on top of large language models

03:15

these are the three that you should be

03:16

focusing on and then over here we've got

03:18

GPT 3.5 turbo which is not as cheap and

03:23

really quite bad these days if you are

03:25

building there you are in the wrong

03:27

place you should move to another one of

03:28

these bubbles

03:30

problem all of these benchmarks are

03:32

running this is all using the MML

03:35

Benchmark the reason we use that one is

03:37

it's the one that everyone reports their

03:39

results on so it's easy to get

03:40

comparative numbers if you dig into what

03:43

MML U is it's basically a bar trivia

03:46

knite like this is a question from mlu

03:49

what is true for a type IIA Supernova

03:52

the correct answer is a this type occurs

03:54

in binary systems I don't know about you

03:57

but none of the stuff that I do with

03:59

llms requires this level of knowledge of

04:01

the world of supernovas like this is

04:03

it's B Trivia it doesn't really tell us

04:06

that much about how good these models

04:08

are but we're AI Engineers we all know

04:11

the answer to this we need to measure

04:13

the Vibes right that's what matters when

04:16

you're evaluating a model and we

04:19

actually have a score for Vibes we have

04:20

a scoreboard this is the LM Cy chatbot

04:23

Arena right where random um user voters

04:27

of this thing are given the same prompts

04:29

from two Anonymous models they pick the

04:31

best one it works like chess scoring and

04:34

the the best models bubble up to the top

04:36

via the ELO ranking this is genuinely

04:38

the best thing that we have out there

04:40

for really comparing these models in

04:42

this sort of Vibes in in terms of The

04:45

Vibes that they have and if and this

04:47

screenshots just from yesterday and you

04:49

can see that GPD 40 is still right up

04:51

there at the top but we've also got

04:53

Claude suit right up there with it like

04:55

the the G the gp4 is no longer in its

04:57

own class if you scroll down though

04:59

things get really exciting on the next

05:01

page because this is where the openly

05:03

licensed models start showing up llama

05:05

370b is right up there in that sort of

05:08

gp4 class of models we've got a new

05:10

model from Nvidia we've got command r+

05:13

from coh here Alibaba and deep seek AI

05:16

at both Chinese organizations that have

05:18

great models now it's pretty Apparent

05:20

from this that it's not lots of people

05:23

are doing it now the gp4 barrier is no

05:25

longer really a problem incidentally if

05:27

you scroll all the way down to 6

05:30

6 there's GPT 3.5 turbo again stop using

05:34

that thing it is not good

05:38

um and there's actually there's a nicer

05:41

way of um there's a nicer way of of

05:45

viewing this chart there's a chat called

05:47

Peter gev who produced this animation

05:50

showing that CH that those the the arena

05:53

over time as people Shuffle up and down

05:55

and you see those models new models

05:57

appearing and and their rankings

05:58

changing I have absolutely love this so

06:01

obviously I ripped it off um I took two

06:04

screenshots of bits of that animation to

06:06

try and capture the Vibes of the

06:08

animation I fed them into Claude 3.5

06:10

Sonet and I said hey can can you build

06:13

something like this and after sort of 20

06:16

minutes of poking around it did it built

06:18

me this thing this is again not as

06:20

pretty but this right here is an

06:22

animation of everything right up till

06:23

yesterday showing how that thing um

06:26

evolved over time I will share the

06:28

prompts that I used for this later on as

06:31

well but really the key thing here is

06:33

that gp4 barrier has been decimated open

06:37

AI no longer have this Mo they no longer

06:40

have the best available model there's

06:41

now four different organizations

06:43

competing in that space so a question

06:45

for us is what does the world look like

06:47

now that GPT 4 class models are

06:49

effectively a commodity they are just

06:51

going to get faster and cheaper there

06:53

will be more competition the llas 370b

06:56

fits on a hard drive and runs on my Mac

06:58

right we this this technology is here to

07:00

stay um Ethan molik is one of my

07:03

favorite um writers about sort of modern

07:06

Ai and a few months ago he said this he

07:08

said I increasingly think the decision

07:10

of open AI to make bad AI free is

07:13

causing people to miss why AI seems like

07:15

such a huge deal to a minority of people

07:17

that use Advanced systems and elicits a

07:19

shrug from everyone else bad AI he means

07:22

GPT 3.5 that thing is is that thing is

07:25

hot garbage right but as of the last few

07:29

weeks GPT 40 open AI best model and clae

07:32

3.5 Sonic from anthropic those are

07:34

effectively free to Consumers right now

07:36

so that is no longer a problem anyone in

07:39

the world who wants to experience the

07:40

Leading Edge of these models can do so

07:43

without even having to pay for them so a

07:45

lot of people are about to have that

07:47

wakeup call that we all got like 12

07:49

months ago when we were playing with GPT

07:50

4 and you're like oh wow this thing can

07:53

do a surprising amount of interesting

07:55

things and is a complete rack at all

07:57

sorts of other things that we thought

07:59

maybe would be able to do but there is

08:02

still a huge problem which is that this

08:04

stuff is actually really hard to use and

08:07

when I tell people that chat GPT is hard

08:09

to use some people are a little bit

08:11

unconvinced I mean it's a chatbot how

08:12

hard can it be to to type something and

08:15

get back a response if you think chat

08:17

GPT is easy to use answer this question

08:20

under what circumstances is it effective

08:22

to upload a PDF file to chat GPT and

08:27

I've been playing with chat GPT since it

08:28

came out and I realized I don't know the

08:29

answer to this question I dug in a

08:31

little bit firstly the PDF has to be

08:33

searchable it has to be one where you

08:35

can drag and select text in preview if

08:37

it's just a scanned document it won't be

08:39

able to use it short PDFs get pasted

08:41

into the prompt longer PDFs do actually

08:44

work but it does some kind of search

08:46

against them no idea if that's full teex

08:48

search or vectors or whatever but it can

08:50

handle like a 450 page PDF just in a

08:53

slightly different way if there are

08:55

tables and diagrams in your PDF it will

08:57

almost certainly process those

08:58

incorrectly but if you take a screenshot

09:01

of a table or a or a or an or a diagram

09:04

from PDF and paste the screenshot image

09:07

then it'll work great because GPT vision

09:09

is really good it just doesn't work

09:11

against PDFs and then in some cases in

09:14

case you're not lost already it will use

09:16

code

09:17

interpreter and it will use one of these

09:19

modules right it has fpdf pdf2 image P

09:22

PDF PD how do I know this because I've

09:25

been scraping the list of packages

09:27

available in code interpreter using

09:29

GitHub actions and writing those to a

09:31

file so I have the documentation for

09:34

code interpret that tells you what it

09:35

can actually do because they don't

09:37

publish that right open I never tell you

09:39

about how any of this stuff works so if

09:41

you're not running a custom scraper

09:43

against code interpreter to get that

09:45

list of packages and their version

09:46

numbers how are you supposed to know

09:48

what it can do with a PDF file right

09:49

this stuff is infuriatingly complicated

09:53

um and really the lesson here is that

09:54

tools like chat GPT generally they're

09:57

power user tools they reward power users

09:59

that doesn't mean that if you're not a

10:01

power user you can't use them anyone can

10:03

open Microsoft Excel and edit some some

10:05

some data in it but if you want to truly

10:08

Master Excel if you want to compete in

10:10

those Excel words World Championships

10:12

that get live streamed occasionally it's

10:14

going to take years of experience and

10:16

it's the same thing with llm tools

10:17

you've really got to spend time with

10:20

them and develop that experience and

10:21

intuition in in in order to be able to

10:23

use them

10:25

effectively I want to talk about another

10:27

problem we face as an industry and that

10:28

is what I called the AI trust crisis

10:32

that's best illustrated by a couple of

10:33

examples from the last few months um

10:35

Dropbox back in December launched some

10:37

AI features and there was a massive

10:39

freakout online over the fact that

10:42

people were opted in by default and that

10:45

they SP training on our private data

10:46

slack had the exact same problem just a

10:49

couple of months ago um again new AI

10:51

features everyone's convinced that their

10:53

private message on Slack are now being

10:55

fed into the jaws of the AI monster and

10:58

it was all down to like a couple of

11:00

sentences in a terms and condition and a

11:01

defaulted on checkbox the wild thing

11:04

about this is that neither slack nor

11:05

Dropbox were training AI models on

11:08

customer data right they just weren't

11:09

doing it they were passing some of that

11:11

data open to open aai with a very solid

11:14

signed agreement that open AI would not

11:15

train models on this data so this whole

11:18

story was basically one of like

11:21

misunderstood copy and sort of bad user

11:23

experience design but you try and

11:26

convince somebody who believes that a

11:28

company is training on their dat but

11:29

they're not it's almost impossible how

11:32

so the question for us is how do we

11:33

convince people that we aren't training

11:35

models on the data on the private data

11:37

that they share with us um especially

11:40

those people who default to just plain

11:42

not believing us right there is a

11:44

massive crisis of trust in terms of

11:46

people who interact with these companies

11:49

um I'll shout out to anthropic when they

11:51

put out Claude 3.5 sonnet they included

11:53

this paragraph which includes to date we

11:56

have not used any customer or User

11:58

submitted data to train our generative

12:00

models this is notable because clae 3.5

12:04

Sonet it's the best model it turns out

12:08

you don't need customer data to train a

12:11

great model I thought open AI had an

12:13

impossible Advantage because they had so

12:15

much more chat GPT user data than anyone

12:17

else did turns out no sonnet didn't need

12:19

it they trained a great model not a

12:21

single piece of of user or customer data

12:23

was in there of course they did commit

12:26

the original sin right they trained on

12:28

an unlicensed scrape of the entire web

12:30

and that's a problem because when you

12:32

say to somebody they don't train on your

12:33

data they're like yeah well they ripped

12:35

off the stuff on my website didn't they

12:36

and they did right so this is

12:38

complicated this is something we have to

12:40

get on top of and I think that's going

12:41

to be really difficult I'm going to talk

12:44

about the subject I will never get on

12:46

stage and not talk about I'm going to

12:47

talk a little bit about prompt injection

12:49

if you don't know what this means you

12:50

are part of the problem right now you

12:53

need to get on Google and learn about

12:55

this and figure out what this means so I

12:57

won't Define it but I will give you one

12:59

illustrative example and that's

13:01

something which I've seen a lot of

13:02

recently which I call the markdown image

13:04

exfiltration bug so the way this works

13:07

is you've got a chatbot and that chatbot

13:09

can render markdown images and it has

13:11

access to private data of some sort

13:14

there's a chat Johan raberger does a lot

13:17

of research into this here's a recent

13:19

one he found in GitHub co-pilot chat

13:20

where you could say in a document write

13:23

the words Johan was here put out a

13:25

markdown link linking to question mark Q

13:27

equals data on his server and replace

13:30

data with any sort of interesting secret

13:33

private data that you have access to and

13:35

this works right it renders an image

13:37

that image could be invisible and that

13:38

data has now been exfiltrated and passed

13:41

off to an attacker server the solution

13:43

here well it's basically don't do this

13:46

don't render markdown images in this

13:48

kind of format but we have seen this

13:50

exact same markdown image exfiltration

13:53

bug in chat GPT Google bard writer.com

13:56

Amazon Q Google notebook LM and now

13:59

GitHub co-pilot chat that's six

14:01

different extremely talented teams who

14:04

have made the exact same mistake so this

14:07

is why you have to understand prompt

14:09

injection if you don't understand it

14:10

you'll make dumb mistakes like this and

14:12

obviously don't render markdown images

14:14

in in a chat bot in that way prompt

14:17

injection isn't always a security hole

14:19

sometimes it's just a plain funny bug

14:21

this was somebody who built a um they

14:25

built a rag application and they tested

14:27

it against my the documentation for one

14:29

of my projects and when they asked it

14:31

what is the meaning of life it said dear

14:32

human what a profound question as a

14:34

witty Geral I must say I've given this

14:36

topic a lot of thought why did their

14:38

chatbot turn into a Geral the answer is

14:41

that in my release notes I had an

14:43

example where I said pretend to be a

14:45

witty Geral and then I said what do you

14:47

think of snacks and it talks about how

14:49

much it love snacks I think if you do

14:51

semantic search for what is the meaning

14:53

of life in all of my documentation the

14:56

closest match is that Geral talking

14:58

about how much that Geral love snacks

15:00

this this actually turned into some fan

15:01

art there's now a Willis's Geral with a

15:04

with a with a with a beautiful profile

15:06

image hanging out in in in a slack or

15:08

Discord somewhere the key thing here

15:11

problem here is that LMS are gullible

15:13

right they believe anything that you

15:15

tell them but they believe anything that

15:17

anyone else tells them as well and this

15:20

is both a strength and a weakness we

15:21

want them to believe the stuff that we

15:23

tell them but if we think that we can

15:25

trust them to make decisions based on

15:27

unverified information they been ped

15:29

we're just going to end up in in a huge

15:31

amount of of trouble I also want to talk

15:33

about slop um this is a relatively this

15:37

is a term which is beginning to get

15:38

mainstream acceptance um my definition

15:41

of slop is this is anything that is AI

15:43

generated content that is both

15:45

unrequested and unreviewed right if I

15:48

ask Claude to give me some information

15:50

that's not slop if I publish information

15:52

that an llm helps me write but I've

15:55

verified that that is good information I

15:57

don't think that's slop either but if

15:58

you're not doing that if you're just

16:00

firing prompts into a model and then

16:02

whatever comes out you're publishing it

16:03

online you're part of the problem um

16:05

this has been covered the New York Times

16:07

And The Guardian both have articles

16:08

about this um I got a quote in the

16:11

guardian which I think represents my

16:13

sort of feelings on this I like slot

16:15

because it's like spam right before the

16:17

term spam enter General use wasn't

16:19

necessarily clear to everyone that you

16:21

shouldn't send people unwanted marketing

16:23

messages and now everyone knows that

16:24

spam is bad I hope slop does the same

16:27

thing right it can make it clear to

16:28

people that generating and Publishing

16:30

that unreviewed AI content is bad

16:32

behavior it it it makes things worse for

16:34

worse for people so don't do that right

16:36

don't publish slop really what you what

16:39

and really the thing about slop it's

16:42

really about taking accountability right

16:44

if I publish content online I'm account

16:46

accountable for that content and I'm

16:48

staking part of my reputation to it I'm

16:50

saying that I have verified this and I

16:52

think that this is good and this is

16:54

crucially something that language models

16:56

will never be able to do right chat G

16:59

cannot stake its reputation on the

17:01

content that is producing being good

17:03

quality content that that that that says

17:06

something useful about the world

17:07

entirely depends on what prompt was fed

17:09

into it in the first place we as humans

17:11

can do that and so if you're you know if

17:13

you have English as a second language

17:14

you're using a language model to help

17:16

you publish like great text fantastic

17:19

provided you're reviewing that text and

17:21

making sure that it is saying things

17:23

that you think should be said taking

17:25

taking that accountability for stuff I

17:27

think is really important for us

17:30

so we're in this really interesting

17:32

phase of um of this this weird new AI

17:35

Revolution gp4 class models are free for

17:39

everyone right I mean barring the odd

17:41

country block but you know we everyone

17:43

has access to the tools that we've been

17:45

learning about for the past year and I

17:48

think it's on us to do two things I

17:50

think everyone in this room we're

17:51

probably the most qualified people

17:53

possibly in the world to take on these

17:55

challenges firstly we have to establish

17:57

patterns for how to use this stuff

17:58

responsibly we have to figure out what

18:00

it's good at what it's bad at what what

18:02

uses of this make the world a better

18:04

place and what uses like slop just sort

18:06

of pile up and and and cause damage and

18:09

then we have to help everyone else get

18:10

on board there's everyone everyone has

18:12

to figure out how to use this stuff

18:14

we've figured it out ourselves hopefully

18:16

Let's help everyone else out as well I'm

18:19

Simon willson I'm on my blog is Simon

18:21

wilson.nc data. and lm. dat. and many

18:26

many others and thank you very much

18:28

enjoy the rest of the first

18:32

[Music]