this post was submitted on 22 May 2025
94 points (100.0% liked)

TechTakes

1872 readers
319 users here now

Big brain tech dude got yet another clueless take over at HackerNews etc? Here's the place to vent. Orange site, VC foolishness, all welcome.

This is not debate club. Unless it’s amusing debate.

For actually-good tech, you want our NotAwfulTech community

founded 2 years ago
MODERATORS
dgerard@awful.systems
94
You can’t feed generative AI on ‘bad’ data then filter it for only ‘good’ data (pivot-to-ai.com)
submitted 1 day ago by dgerard@awful.systems to c/techtakes@awful.systems
44 comments fedilink hide all child comments
 

video version

you are viewing a single comment's thread
view the rest of the comments
[–] homesweethomeMrL@lemmy.world 2 points 1 day ago (9 children)

The chatbot “security” model is fundamentally stupid:

  1. Build a great big pile of all the good information in the world, and all the toxic waste too.
  2. Use it to train a token generator, which only understands word fragment frequencies and not good or bad.
  3. Put a filter on the input of the token generator to try to block questions asking for toxic waste.
  4. Fail to block the toxic waste. What did you expect to happen, you’re trying to do security by filtering on an input that the “attacker” can twiddle however they feel like.

Output filters work similarly, and fail similarly.

This new preprint is just another gullible blog post on arXiv and not remarkable in itself. But this one was picked up by an equally gullible newspaper. “Most AI chatbots easily tricked into giving dangerous responses,” says the Guardian. [Guardianarchive]

The Guardian’s framing buys into the LLM vendors’ bad excuses. “Tricked” implies the LLM can tell good input and was fooled into taking bad input — which isn’t true at all. It has no idea what any of this input means.

The “guard rails” on LLM output barely work and need to be updated all the time whenever someone with too much time on their hands comes up with a new workaround. It’s a fundamentally insecure system.

[–] dgerard@awful.systems 12 points 22 hours ago (6 children)

why did you post literally just the text from the article

[–] homesweethomeMrL@lemmy.world -4 points 22 hours ago (5 children)

It's just a section. There's more of the article.

Like this:

Another day, another preprint paper shocked that it’s trivial to make a chatbot spew out undesirable and horrible content. [arXiv]

How do you break LLM security with “prompt injection”? Just ask it! Whatever you ask the bot is added to the bot’s initial prompt and fed to the bot. It’s all “prompt injection.”

An LLM is a lossy compressor for text. The companies train LLMs on the whole internet in all its glory, plus whatever other text they can scrape up. It’s going to include bad ideas, dangerous ideas, and toxic waste — because the companies training the bots put all of that in, completely indiscriminately. And it’ll happily spit it back out again.

There are “guard rails.” They don’t work.

One injection that keeps working is fan fiction — you tell the bot a story, or tell it to make up a story. You could tell the Grok-2 image bot you were a professional conducting “medical or crime scene analysis” and get it to generate a picture of Mickey Mouse with a gun surrounded by dead children.

Another recent prompt injection wraps the attack in XML code. All the LLMs that HiddenLayer tested can read the encoded attack just fine — but the filters can’t. [HiddenLayer]

I’m reluctant to dignify LLMs with a term like “prompt injection,” because that implies it’s something unusual and not just how LLMs work. Every prompt is just input. “Prompt injection” is implicit — obviously implicit — in the way the chatbots work.

The term “prompt injection” was coined by Simon WIllison just after ChatGPT came out in 2022. Simon’s very pro-LLM, though he knows precisely how they work, and even he says “I don’t know how to solve prompt injection.” [blog]

[–] dgerard@awful.systems 14 points 22 hours ago (1 children)

Yes, I know, I wrote it. Why do you consider this useful to post here?

[–] homesweethomeMrL@lemmy.world -3 points 18 hours ago (2 children)

Well, I don't think that last part was useful, but I do think the previous part was useful as a way to focus conversation. Many people don't read the article, and I thought that was the most relevant section.

[–] blakestacey@awful.systems 4 points 5 hours ago

Good grief. At least say "I thought this part was particularly interesting" or "This is the crucial bit" or something in that vein. Otherwise, you're just being odd and then blaming other people for reacting to your being odd.

[–] swlabr@awful.systems 4 points 15 hours ago (1 children)

Actually I’m finding this quite useful. Do you mind posting more of the article? I can’t open links on my phone for some reason

[–] homesweethomeMrL@lemmy.world -3 points 8 hours ago

Actually this comm seems really messed up, so I'mma just block it and move on. Sorry for ruffling your feathers, guv.

load more comments (3 replies)
load more comments (3 replies)
load more comments (5 replies)