Okay, I managed to find the source code, which was in an awfully named repository on GitHub called "OpenSecretCloud/opensecret". The bad news:
- conversation contents are encrypted. Good.
- the encryption key for conversations is derived from an encrypted user key
- this is protected by the enclave secret, which is a fixed secret.
- this key is encrypted by a key in AWS KMS 🤦

Anyone with the encrypted secret and a single second of access to AWS KMS can get the raw secret. This includes employees with IAM management access to push new builds. From there, you can decrypt any user's conversations that were encrypted with this key, back to the last key rotation and until the next key rotation happens (which there seems to be no implementation of).

A supply chain attack on a dependency of the backend or a malicious build pushed out by a privileged employee can also extract this secret. The enclave also calls out to a lot of remote services, which could indicate that there is little to no firewalling to prevent exfiltration. Even then, many used APIs like the GitHub API can be used to exfiltrate data.
semisol
Maple AI is a funny product. They claim it’s private and protected by TEE but the code running inside the TEE is closed source so you don’t know what it actually does. And they can push updates whenever, including one that exfiltrates your data. I asked them 2 times and got answers 0 times how it was verifiable. Anyway it looks like they outsourced all their inference anyway to https://tinfoil.sh
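The key hierarchy the post describes (KMS key wraps the enclave secret, enclave secret wraps each user key, conversation key derived from the user key) can be modelled end to end to make the trust boundary concrete. The following is an added, constructed Python example; it is not code from the opensecret repository or any project named in this thread. It assumes a mock KMS with an IAM-style allow-list, an HKDF-based conversation-key derivation, a stand-in HMAC-based AEAD instead of AES-GCM (so it runs on the standard library alone), and two made-up users. The point it demonstrates is the one in the post: the only thing standing between the persisted ciphertexts and every user's plaintext is a single kms:Decrypt call, authorized by IAM identity, with no enclave or attestation in the loop.

```python
"""Constructed model of the hierarchy described above (not OpenSecret's code):
KMS key -> enclave secret -> per-user key -> conversation key."""
import hashlib
import hmac
import os


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-Extract + HKDF-Expand with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _keystream(enc_key: bytes, nbytes: int) -> bytes:
    blocks = (nbytes + 31) // 32
    return b"".join(
        hmac.new(enc_key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )[:nbytes]


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Demo AEAD: HMAC counter-mode keystream + HMAC tag (encrypt-then-MAC).
    Stand-in so the example runs offline; real code would use AES-GCM."""
    nonce = os.urandom(16)
    enc_key = hkdf_sha256(key, nonce, b"enc")
    mac_key = hkdf_sha256(key, nonce, b"mac")
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hkdf_sha256(key, nonce, b"enc")
    mac_key = hkdf_sha256(key, nonce, b"mac")
    expected = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, len(ct))))


class MockKMS:
    """Stand-in for AWS KMS: one root key, IAM-style allow-list of principals.
    Decrypt checks only who is calling, never what code is calling."""

    def __init__(self) -> None:
        self._root = os.urandom(32)
        self.allowed: set[str] = set()

    def encrypt(self, plaintext: bytes) -> bytes:
        return seal(self._root, plaintext)

    def decrypt(self, principal: str, blob: bytes) -> bytes:
        if principal not in self.allowed:
            raise PermissionError(f"{principal} may not call kms:Decrypt")
        return unseal(self._root, blob)


def conversation_key(user_key: bytes, conversation_id: str) -> bytes:
    # Hypothetical derivation; the post only says the key is "derived from" the user key.
    return hkdf_sha256(user_key, b"conversation", conversation_id.encode())


def provision(kms: MockKMS, messages: dict[str, str]) -> dict:
    """Enclave-side provisioning. Returns only the blobs the backend persists;
    no plaintext key survives in the store."""
    enclave_secret = os.urandom(32)
    store = {"wrapped_enclave_secret": kms.encrypt(enclave_secret), "users": {}}
    for user, text in messages.items():
        user_key = os.urandom(32)
        store["users"][user] = {
            "wrapped_user_key": seal(enclave_secret, user_key, aad=user.encode()),
            "conversation": seal(conversation_key(user_key, f"{user}/1"), text.encode()),
        }
    return store


def recover_all(kms: MockKMS, principal: str, store: dict) -> dict[str, str]:
    """Attack path from the post: one kms:Decrypt on the stored blob unwraps the
    enclave secret, and with it every user's key and conversation."""
    enclave_secret = kms.decrypt(principal, store["wrapped_enclave_secret"])
    out = {}
    for user, rec in store["users"].items():
        user_key = unseal(enclave_secret, rec["wrapped_user_key"], aad=user.encode())
        out[user] = unseal(conversation_key(user_key, f"{user}/1"), rec["conversation"]).decode()
    return out


def demo() -> tuple[bool, bool]:
    kms = MockKMS()
    kms.allowed.add("role/enclave-runtime")          # the legitimate caller
    messages = {                                     # constructed sample data
        "alice": "constructed: a question alice wanted kept private",
        "bob": "constructed: bob's conversation",
    }
    store = provision(kms, messages)
    try:                                             # blobs alone are useless...
        recover_all(kms, "role/outsider", store)
        outsider_blocked = False
    except PermissionError:
        outsider_blocked = True
    kms.allowed.add("role/iam-admin")                # ...until IAM lets someone in
    leaked = recover_all(kms, "role/iam-admin", store)
    return outsider_blocked, leaked == messages


if __name__ == "__main__":
    print(demo())  # (True, True)
```

Running `demo()` shows both halves of the argument: without a KMS grant the persisted blobs yield nothing, and with one (an IAM policy change, an assumed role, or a build pushed to the role that already has it) a single Decrypt recovers every user at once, because all user keys hang off one enclave secret. Binding the KMS key policy to an attestation condition (for example, a PCR-based condition on Nitro enclaves) is what would change this model; nothing in the hierarchy itself does.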

Replies (25)

Or, to put it simply, a bog standard court order can force Maple AI to reveal your conversations without any trace (except an AWS CloudTrail entry they won’t share with you) or detectable impact to anyone
Mitnev yesterday
Given the current landscape, which AI model options give us the most control over our data?
Run local models if you don't want anyone to know about you. Use routstr.com if you are fine with anonymity. It doesn't offer privacy, it offers anonymity. People running nodes can see your conversations, but it's harder to know who you are.
Yes, but we make it incredibly easy to be anonymous. They can see your prompts but won't know who you are. Much harder to build profiles. I just added support for Venice TEE E2EE support, which means resellers won't be able to see anything anymore. But you have the same problem as Venice. Would you say Tinfoil E2EE support is best rn?
Bond008 yesterday
Thank you for doing your research on this and sharing the results 🫡
I’d say skills, paths, etc. when combined are very identifying information, even if there is no user ID field. Venice’s TEE system is a whole load of baloney it seems, as you check a verified boolean from the server, and you can’t actually see the images. Tinfoil seems best.
Yes, it is easy to build a profile on you if you run agents on your local machine. I'd say, it's best to always use sandboxing for both security and for anonymity. It also depends on what you're doing with AI, if it's an open source project you're publishing as Semisol, it shouldn't matter at all.
If you want to anonymously contribute to, say Routstr, you can start doing it from inside a sandbox and do PRs on ngit. (we should move to ngit first lol). We make it so much easier to do this.
1776 46 mins ago
I noticed they mysteriously upped the token burn rate. I did a monthly renewal and with the same usage that got me through three weeks of prompts I’ve burned through in 3 days with minimal usage.
1776 40 mins ago
Kind of makes a guy think twice about advising customers to integrate with core business processes. Rug waiting to happen.