AI browser extensions are a security nightmare(kolide.com) |
AI browser extensions are a security nightmare(kolide.com) |
Or has something changed recently?
The main difference is that AI extension, by design, send the content of the pages you browse to a server.
A malicious "calculator" extension could also send all the content to a server, and extension users don't really have an idea of what each extension is actually doing.
So skip the "Malware posing as AI browser extension" section, it's same kind of security issues as a malware calculator extension.
The legitimate AI extension's problems are more interesting.
Article wastes a bit more time on other security issues you get from using AI LLM in general. Those apply whether you're using a browser extension or chat.openai.com directly.
The valid point that applies to narrowly AI browser extension are:
1) it could send sensitive data you wouldn't have sent otherwise. Most people would know what they're doing when they explicitly paste the stuff on chat.openai.com. But when it's now automated via the extension DOM scraping, it's a bit harder to realize how much you're giving away.
2) And the hidden text prompt injection. That's interesting as now your attacker could be the website you browse, if you have configured too many plugins (Zapier plugin giving access to your email)
These 2 parts of TFA are imo novel security issues that only exist with AI browser extension, and are interesting.
The risks listed in the article itself mostly seem to fall under the same, non-AI-extension, core problem of "you're given them all your data." And that's a risk for non-AI-based extensions too, but if you look at the code of an AI one, it's gonna be obvious that it's shipping it off to a third party server, right? And once that happens... you can't un-close that door.
(The risks about copyright and such of content you generate by using AI tools are interesting and different, but I don't know that I'd call them security ones.)
The prompt injection one is pretty interesting, but still seems to fall under "traditional" plugin security issues: if you authorize a plugin to read everything on your screen, AND have full integration with your email, or whatever, then... that's a huge risk. The AI/injection part makes it triggerable by a third-party, which certainly raises the alarm level a lot, but also: bad idea, period, IMO.
Without this feature, extensions will keep insisting they need access, and the user will eventually fall for it.
Why is the security policy for extensions still not architected like other web permissions?
There has been a shift on mobile already from "take it or leave it"-style permissions on install towards more fine grained control not overidable by the app manifest.
I think Browser extensions should behave similarly. Especially when it comes to which origins an extensions is allowed to act on.
The user should be able to restrict this regardless of the manifest, even forced to do.
Extensions that need to act on all or an unknown set of origins should require a big and scary prompt after installation, regardless of what the user agrees to during installation.
I say this as a happy user of uBlock origin and React DevTools.
But for the common user the default should be to deny permissions and require user interaction.
so they're not a total security nightmare if they're only authorized to run on sites where you don't enter any private data. for example, looking through my extensions list, the py3redirect that autmatically redirects python2 documentation pages to python3 pages doesn't request access to anything other than python.org.
but otherwise, yeah, you're giving permission to execute arbitrary code on any website you visit, which is about as compromised as your browser can get.
I'm really tired of reading stuff like this above. Seriously, AI is a disruptive tech and some people will oppose any change, but this is too much. All of the "security issues" mentioned in the article are true for browser extensions,and perhaps even software in general.
Then the author talks about "copyright mess" just before describing how it is pretty much resolved in their company (copilot banned).
The only real "problem with AI" is really a "problem with cloud" or more precisely "problem with people's lack of understanding of it". Average people should be interested in finding software alternatives that don't undermine their privacy.
For example look at AI image up scaling. Every single android app other than mine sends user's images to a server somewhere. Are those images retained? Are they scanned for whatever "legal purposes" the maker deems adequate? No one knows. No one cares. Well specifically in the entire world about 90 people seem to care.
Why 90 people? Because that's how many users my android app has 6 months after release. (the app does all processing locally, free version is ad supported, paid version can be used 100% offline).
This is like handing out footgun coupons to all citizens who become "of age" and saying it's cool cause they were already legally allowed to buy footguns.
I'm sorry for the off-topic comment, but why do I keep seeing this? What am I missing here – is it that some people define intelligence as >= human, or that LLM are not intelligence because they're *just* statistical models?
Also, that huge 4.7MB image in the head of the article...
Edit: Wow! I just tried loading the page and see that the ridiculously large image still loads. That’s a particularly obnoxious website: the image’s HTTP header says that its Content-Length is 0 so it still gets downloaded by the browser.
Alternatively, maybe anti-virus software can phone home to get on-the-fly advice.
Modern antivirus software already does this, more or less. It's usually called something like "cloud scanning."
My takeaway lesson is that the permissions model for extensions is confusing and nearly useless.
[1] https://chrome.google.com/webstore/detail/obscura/nhlkgnilpm...
For example, a web clipper operates on multiple domains, but it can avoid it by using activetab permission instead and then offering optional permissions if it wants when you click on the clipper extension icon.
If you want something to be done automatically on multiple domains, this is not possible without that permission. Not unless you want to annoy users with prompts.
But I think at the moment it's easier to get someone to install an extension as long it mentions GPT or AI.
In case you're not joking
Currently, most mentions of AI, outside of a proper technical discussion, are coming from crypto-tier grifters and starry-eyed suckers. Even further, a lot of discussions from otherwise technical people are sci-fi-tier fearmongering about some ostensible Skynet, or something, it's not quite clear, but it's clearly quite cringe. The latter is one of the many calibers of ammunition being used by AI incumbents to dig regulatory moats for themselves.
Anyway, I understand why the author is distinguishing himself with his LLM...AI disclaimer, given the above.
It feels a bit wrong to me, because as you say it's arguably a grift, in this case on the taxpayer who funds science grants. More charitably it might just be the applicant admitting that they have no idea what they are doing, and the funding agency seeing this as a good chance to explore the unknown. Still, unless the field is AI research (mine isn't) it seems like funding agencies should giving money to people who understand their tools.
If you pull up the TOC for an AI textbook, you'll find lots of things that aren't "intelligent". Machine learning is just a subset of it. I recall a professor in the AI department back in the 90s working on describing the shape of an object from a photograph (image to text) based on a number of tools (edge detection was one paper I recall).
Also in AI is writing a deductive first order logic solver is covered in there as are min-max trees and constraint satisfaction problems.
https://www.cs.ubc.ca/~poole/ci/contents.html (note chapter 4)
https://www.wiley.com/en-us/Mathematical+Methods+in+Artifici...
People are trying to put a box around "AI" to mean a particular thing - maybe they want AI to mean "artificial general intelligence" rather than all the things that are covered in the intro to AI class in college.
I ultimately believe that trying to use a term that has been very broad for decades to apply to only a small subset of the domain is going to end up being a fruitless Scotsman tilting at windmills.
... And you know what, I think it does a pretty good job at being intelligent. https://chat.openai.com/share/01d760b3-4171-4e28-a23b-0b6565...
True intelligence is, of course, definitionally the ability to do things like art or… err, wait, sorry, I haven’t checked recently, where have we put the goalposts nowadays?
It’s unsurprising that creating machines that seem to do some stuff very intelligently and some other things not very intelligently at all is causing some discontent with regard to our language.
I see a whole lot more gnashing of teeth about goalposts moving than I do about people proposing actual solid goalposts.
So what’s your definition?
Its denoising software.
Now some people don't like using the term AI for soft/weak/narrow AI, because it's a fleeting definition, mostly applied to things that are novel and that we didn't think computers were able to do. Playing chess used to be considered AI, but a short time after AI beat the human chess world master it was no longer considered AI. If you buy a chess computer capable of beating Magnus Carlsen today that's considered a clever algorithm, no longer AI. You see the same thing playing out in real time right now with LLMs, where they go from AI to "just algorithms" in record time.
“What do you mean it’s not intelligent?! It passed Test X!”
“Yes and now that tells us Test X was not a good test for whatever it is we refer to as ‘intelligence’”
This is exactly it for me.
As much as chatgpt doesnt want to give you answers because the fuzziness, it has the ability to make judgements on things like "This is the best" or "This is the worst".
Ofc with bias.
I just want to say that this seems to be how many, if not most people define intelligence internally. If an LLM gets something wrong or doesn't know something, then it must be completely unintelligent. (as if humans never get anything wrong!)
LLMs do a whole lot of “wrong in a way that indicates it is not ‘thinking’ the way an intelligent human would.”
The user interface to Chat GPT and similar tools, though, has made a lot of people think that gap is gone, and that instead of thinking they are using an AI tool in the technical sense, they now think they're talking to a full-fledged other being in the sci-fi sense; that that idea has now come true.
So a lot of people are careful to distinguish the one from the other in their writing.
An intelligent thing should easily generalize in these situations but LLMs fail to. I use GPT4 every day and I frequently encounter this kind of thing.
It seems to me that the perceived difference is mostly in being able to admit that you don't know something, rather than make up an answer -- but making up an answer is still something that humans do sometimes.
Just like some people define stupid as <= them. Aptitude is a multivariate spectra. It is already hard to come up with a cutoff on a single measure, way harder to do so for a bunch of different skills that for some reason happen to correlate in humans (and sometimes they diverge wildly as in the case of savant syndrome).
I'd like an UI similar to the mobile one. I brought up the origin thing because for lots of extensions I would like that kind of UI for origin control. Origin control is part of WebExtension API, but it's during installation, which forces even well-meaning developers to request overly broad permissions for some kinds of extensions.
I think that the issue here is that AIs are probabilistic in nature, meaning that you can't fully predict their behavior in a particular situation just by reading the code. Instead in a tipical (non AI poweered) extension, the code is a precise description of what the extension will do in every possible situation.
I mean that ML models are inherently inscrutable, it is extremely hard to determine how they operate internally, so no-one can identify any definite boundaries of what it will and will not output, or why. Hence prompt engineering, Bing's Sydney alternate personality, and weird hallucinated image artifacts.
Sure, if a user is calling OpenAI, they obviously can't understand the details of how it generates text. But neither can OpenAI! And if it produces something surprising, there's no way to fix it by directly modifying the model, the only way to do it is via ML techniques in the first place.
It’s worth contrasting clear communication such as the above to a EULA designed by scummy companies to not be read, browsers presumably have nothing to gain by exposing malicious plugins, so they’re a good candidate for the former.
If only we could get Mozilla executive to implement something actually useful instead of whatever meme tech they’ve lost their nut over this week, that’d be nice.
One way to avoid this would be to have an extension market which highlights alternative extensions and how they differ in permissions. But it would be hard to maintain those relationships, create a new oppportunity to game trust, push responsibility onto the market owners, etc. And ultimately, many interact with proprietary products without a direct competitor e.g. if FAANGs made them. So I can't see it happening.
That has nothing to do with the technology, that has everything to do with the quality.
Is it art if I take a picture with the cap on? No. Is it art if I take a picture of a tan colored wall? No.
Is it art if I set up something beautiful and take a picture. Its closer to art than the previous few examples.
If I write a prompt that says: "a green bedroom with art work on the walls", to be inspired, that still isnt trying to be art.
Basically, have higher standards.
But they're still models. Anyone claiming that Bayesian/statistical models have intelligence is confusing the map for the territory.
Browser extensions needs to declare their permissions. With Manifest V3 we’re seeing even more need to declare permissions.
Any extension cannot do anything not explicitly granted to it by the user upon installation.
If I download $usefulWikipediaCompanionExtension whose functionality only depends on access to *.wikipedia.org but whose manifest demands permission on all sites, I'd like to be able to tell my browser "if I'm not really on Wikipedia, only show the extension a blank page."
> It can: Read and change all data on all your websites
It already has the broadest permissions available. Dark Reader injects arbitary code into every page you visit. It's one silent update away from stealing all your sessions. This is a security nightmare.
All browser extensions are a security nightmare.
I also haven’t read anything concerning about Mozilla’s Recommended review system yet.
> It’s unsurprising that creating machines that seem to do some stuff very intelligently and some other things not very intelligently at all is causing some discontent with regard to our language.
I think I agree about the language.
I don’t have a definition of intelligence. I don’t work in one of those fields that would need to define it, so my first attempt probably wouldn’t be very good, but I’d say intelligence isn’t a single thing, but a label we’ve arbitrarily applied to a bunch of behaviors that are loosely related at best. So, trying to say this thing is intelligent, this thing is not, is basically hopeless, especially when things that we don’t believe are intelligent are being made to exhibit those behaviors, one behavior at a time.
> I see a whole lot more gnashing of teeth about goalposts moving than I do about people proposing actual solid goalposts.
I might not see a ton of explicit “here are the goalpost” type statements. But, every time someone says “I’m using the term AI, but actually of course this isn’t intelligence,” the seem to me at least to be referencing some implicit goalposts. If there isn’t a way of classifying what is or isn’t intelligent, how can they say something isn’t it? I think the people making the distinction have the responsibility to tell us where they’ve made the cutoff.
Maybe I’m just quibbling. Now that I’ve written all that out, I’m beginning to wonder if I just don’t like the wording of the disclaimer. I’d probably be satisfied if instead of “this isn’t intelligence, but I’m going to call it AI,” people would say “Intelligence is too hard to define, so I’m going to call this AI, because why not?”
So know the question is what is Intelligence. Our standardized testing Model tells us passing tests that Humans cannot would be considered intelligent.
Then add back in artificial to complete the equation.
Commercially the Term Ai Means nothing thanks to years of Machine Learning being labeled such. It's arbitrary and relays more to Group Think to avoid approaching that Intelligence is a Scalar Value and not a Binary Construct.
I say we take the word intelligence and throw it out the window. It's a bit like talking about the either before we discovered more about physics. We chose a word with an ethereal definition that may or may not apply depending on the context.
So what do we do instead? We define sets of capability and context and devise tests around that. If it turns out a test actually sucked or was not expansive enough, we don't get rid of that particular test. Instead we make a new more advanced test with better coverage. Under this domain no human would pass all the tests either. We could each individual sub test with ratings like 'far below human capability', 'average human capability', 'far beyond human capabilities'. These tests could be everywhere from emotional understanding and comprehension, to reasoning and logical ability, and even include embodiment tests.
Of course even then I see a day where some embodied robot beats the vast majority of emotional, intellectual, and physical tests and some human supremacist still comes back with "iTs n0t InTeLLigeNt"
LLMs don't repeat text its seen before, it links words/tokens/phrases that are related. Its prediction, but the prediction isnt just copypasting a previous webpage.
Have you use chatgpt yet? I wouldn't delay. Heck you are here on HN, you basically have a responsibility to test it.
Biological agents have a consistent world model based on their capabilities because an inconsistent model would lead to lack of reproduction or death. We could call this environmental intelligence.
Meanwhile we have LLMs that have appear to have what I would consider 'micro' world models for some things, but not a large consistent world model. I'm guessing this is due to a few things, but for example not being culled for bad world models would be one, and another is they are only grounded in text and we've not really explored multi-modal grounding in models very far.
I guess what's going to be interesting is to see how multi-modal and embodied models do as they are trained in the environment and create a more consistent world model.
I do think multi-modal models will be interesting, but text is a very special sort of thing. It is widely available, semantically rich, and informationally pretty dense. I'm not sure there is such a nice set of properties for other modes. Consider that we have already almost reached training data exhaustion with text and it is, by far, the most voluminous/dense training mode there is.
I don't think there is anything wrong with using the colloquial definition of the term when communicating with funding agencies/the public.
When you say "bots in video games as AI" that's covered in the book titled Artificial Intelligence: A Modern Approach, 4th US ed. :
II Problem-solving
3 Solving Problems by Searching ... 63
4 Search in Complex Environments ... 110
5 Adversarial Search and Games ... 146
6 Constraint Satisfaction Problems ... 180
Sure, it may be a few hundred lines of code, but it's still something that a Berkley written AI textbook covers.
Spelled out more for that section:
Chapter 5 Adversarial Search and Games ... 146
5.1 Game Theory ... 146
5.1.1 Two-player zero-sum games ... 147
5.2 Optimal Decisions in Games ... 148
5.2.1 The minimax search algorithm ... 149
5.2.2 Optimal decisions in multiplayer games ... 151
5.2.3 Alpha--Beta Pruning ... 152
5.2.4 Move ordering ... 153
5.3 Heuristic Alpha--Beta Tree Search ... 156
5.3.1 Evaluation functions ... 156
5.3.2 Cutting off search ... 158
5.3.3 Forward pruning ... 159
5.3.4 Search versus lookup ... 160
5.4 Monte Carlo Tree Search ... 161
5.5 Stochastic Games ... 164
5.5.1 Evaluation functions for games of chance ... 166
5.6 Partially Observable Games ... 168
5.6.1 Kriegspiel: Partially observable chess ... 168
5.6.2 Card games ... 171
5.7 Limitations of Game Search Algorithms ... 173But I only wish we could say that a few hundred lines of code was "AI": that would mean funding for a lot of desperately needed software infrastructure. Instead AI is taken as synonymous with ML, and more specifically deep neural networks, for the most part.
That being said, ML is extremely boring to me, and I really do think a lot of the research is an enormous grift. Hop on the bandwagon, read a stats book, flagrantly plagiarize it, submit to CS journal that no statisticians read, publish and don’t perish, rinse, repeat.
It feels like society has spent billions of dollars on bad academics continuously reinventing applied statistics over and over again, but now with Big Data and a brand refresh! It’s like a whole generation of academics watched one too many terrible Hollywood remakes. It broke their brains, and now they’re only doing remakes too.
They ran out of statistics content to steal, so now the latest and greatest thing is plagiarizing classical AI works from the late 20th century and calling it “reinforcement learning.”
It’s all very frustrating. We could’ve funded a Manhattan project for fusion power, but instead thousands of our most brilliant people are wasting their time and humanity’s carbon budget to create the most powerful spambot ever.
Saying "large language models" does not. Saying "giant correlation networks" does not. Not to be too Sapir-Whorfian, but the terminology we use influences our conversations: terrorists, guerillas, rebels, revolutionaries, freedom-fighters.
One side of the dichotomy asserts that "if it walks like a duck..." that is, if a computer appears to be intelligent to us, then it must be intelligent. This is basically the Turing Test crowd (even though Turing himself didn't approve of the Turing Test as an actual test of AI).
On the other side, you have people who assert that the human mind is really just a super-complicated version of "X", where "X" is whatever the cool new tech of the day is.
I have no conclusions to draw from this sort of thing, aside from highlighting that we don't know what intelligence or consciousness actually are. I'm just fascinated by it.
From the perspective of software, the lumpers are pretty much always wrong except for when they get a lucky guess. Think of a pointy-haired boss who weaponizes his wishful thinking with a brutal dismissal of all implementation details and imposes ignorantly firm deadlines, or an architecture astronaut who writes and forces upon everyone cruel interfaces and classes that are thoroughly out of touch with reality.
As they say: "it's more easy to lump splits than split lumps". The people who insist the statistical models have emergent behavior, or even worse, equate them with human brains are "lumpers" who lack imagination and have no desire to truly understand and model these things. They naively seek out oversimplifications and falsely believe they're applying Occam's Razor, but they're actually just morons. "Splitters" are by their very definition always technically correct, but create complex distinctions that either represent much deeper knowledge than necessary, or hallucination. Either way, both types are needed, and of course, society values the lumpers far more for essentially playing the lottery with their reputations by telling people what they want to hear.
I could see distinguishing between extensions that in any way exfiltrate data from the pages you view, versus extensions that process the DOM and do something locally, but never send the data anywhere.
This requires a bit closer vetting than Google currently does, I think. To demonstrate that all processing happens locally, we encourage our users to load various websites with our extension toggled off, then go into airplane mode, and then turn our extension on. This doesn't strictly guarantee that we're not separately exfiltrating data (we aren't), but it does prove that our core process happens locally.
In short, if there were separate "read" and "write" permissions, I would only need "write". For privacy-concerned people, that's a very important distinction.
I've lied about my birthday while signing up for websites before. I've also made ad-hoc email addresses with forwarding to conceal my main email address. I've given fictitious phone numbers and I've used the names of fictional characters. I do this because I benefit from the service but I don't trust the provider to use my information responsibly.
Not a logical leap to go from there to feeding fake data to extensions when they request data that the user deems unnecessary for their functionality.
I believe if you ask for very wide permissions, at least when publihsing a browser-extension in the Google Chrome-store, you will have to justify why those are needed (from a user-facing POV), and your extension will be subject for additional review.
The same also applies when creating other Google-related apps which uses APIs which Google deems sensitive or restricted: You will have to justify their usage and be prepared for a review.
It's not bullet-proof, but it's more than nothing.
I personally don’t care one way or the other, whether it is or isn’t. What I care about is whether it’s useful.
Thus, GPT4 can appear to have knowledge in the sense of generating text indicating such, but fail to use that knowledge. This is the most compelling indication to me of limited or total lack of intelligence. I believe that the vast majority of GPT4's "capabilities" amount to memorization and permutation, not the formulation of accurate models of things.
Telling me about the AI in your HR system that hunts for the best candidates brings along the cultural context of stories about AI. Telling me about the rules engine that ranks incoming CVs does not.
"terrorists, guerillas, rebels, revolutionaries, freedom-fighters" are all the same group of people being referred to in different ways depending on how the speaker wants you to feel about them. Once you start using a particular word, you adopt the same viewpoint.
"AI" is too loaded with cultural contexts which will cause people to make mistakes.
Boolean algebra simplifier. Given a LISP expression - for example (AND A (OR C D)) write a function to return the variables needed to make the entire expression TRUE. Return NIL if the expression is a paradox such as (AND A (NOT A)). The expressions that we were to resolve had on the order of 100-200 operators and were deeply nested. I recall that I wrote a function as part of it that I called HAMLET-P that identified terms of the form (OR 2B (NOT 2B)) and rapidly simplified them to TRUE.
Not-brute-force job scheduler. The job-shop scheduling problem ( https://en.wikipedia.org/wiki/Job-shop_scheduling ) with in order processing of multiple tasks that had dependencies. Any worker could do any task but could only do one task at a time.
The third one I don't remember what it was. I know it was there since the class had four assignments... (digging... must have been something with Prolog)
The last assignment was written in any language (I did it in C++ having had enough of LISP and I had a good model for how to do it in my head in C++). A 19,19,5 game ( https://en.wikipedia.org/wiki/M,n,k-game ). Similar to go-maku or pente. This didn't have any constraints that go-maku has or captures that pente has. It was to use a two ply min-max tree with alpha beta pruning. It would beat me 7 out of 10 times. I could get a draw 2 out of 10 and win 1 out of 10. For fun I also learned ncurses and made it so that I could play the game with the arrow keys rather than as '10,9... oh crap, I meant 9,10'.
And I still consider all of those problems and homework assignments as "AI".
From the digging, I found a later year of the class that I took. They added a bit of neural nets in it, but other topics were still there.
By way of https://web.archive.org/web/19970214064228/http://www.cs.wis... to the professors's home page and classes taught - https://web.archive.org/web/19970224221107/http://www.cs.wis...
Professor Dryer taught a different section https://web.archive.org/web/19970508190550/http://www.cs.wis...
The domain of the AI research group at that time: https://web.archive.org/web/19970508113626/http://www.cs.wis...