We are keeping a list of AI/ML related links from research to more accessible items, hoping to share some of the more accessible posts with a wider community!
We are keeping a list of AI/ML related links from research to more accessible items, hoping to share some of the more accessible posts with a wider community!
I’m curious if this is guaranteed accurate information or if GPT gives hallucinations here too lol
It almost certainly can hallucinate the known function list, but it’s unlikely since the model necessarily needs to have a strong conception of the functions to interface consistently.
That’s speculation, of course, since GPT is a closed model, but, based on how like-models are known to work, we know that there’s just one single “slot” for input to flow into without any backdoor pathways for specially priviledged input.
pretty much this, and unlike claude a month or so ago GPT has been very consistent with context its been given over anything it might come up with on its own.
its consistent enough I can build applications with low enough error rates that I feel i can sell more than a chat window and not worry much about bobby tables.
Regarding little Bobby, is there any known guaranteed way to harden the current systems against prompt injections?
This is something that I’m personally more worried about than Skynet or mass unemployment now that everyone and their dog is rushing to integrate LLMs into to their systems (ok worried maybe a wrong word, but let’s just say I have the popcorns ready for the moment the first mass breaches happen with something like the Windows Copilot).
I’m working on it personally, right now I have a group doing pentesting on chats, I have a structured workflow application Ill be giving them soon to see if they can crack an integration point (DB, api, whatever they can get digital hands on).
So far, with the changes OAI made about a month ago now, they can get it to do things it shouldn’t but they can’t command it like a puppy if the system command is well written.
there are also techniques that im not sure others have considered yet. for example the conversation between the LLM and the user is not exclusive, as the provider you are the arbitrator of those data feeds. You can inspect any packet, and importantly, alter them to your will. This is pretty normal operation for most service providers and is not very different than some early RDBMS protection layers.
As far as i understand GPT cannot self-analyze.
Not wrong, but not right, it does not “know” and is not fundamentally capable of “analysis” they way we describe it. Its a weighted tokenmap, what makes it special is how those weights were derived. There are papers on self-reflection that are essentially processes in mapping those weights. You can assess the probabilities of your token response in the API as well.
What’s interesting is that sufficiently large models demonstrate the ability to build upon themselves using similar techniques applied in training and in fine tuning right in the prompt. This means you can use a combination of reflective conversation and embedding to create prompts that act like fine-tuned agents. Great for fast prototyping and cheaper than a fine tune run!
It does not genially hallucinate with data it has, the LLM has to know about the commands it has from the plugin and this can only be done by feeding that data into context.
I suspect they can’t put this info in a system level message as it could cause extra confusion and create an injection vector for un-checked plugins. So instead they shove the command set in a user or assitant message which a user can get access to just by asking. If these commands were in a system message it would generally refuse to help you.
tl;dr - it does not hallucinate data its been given, just when you ask it to “come up” with things.
Doesn’t it usually fairly easily give its system message to the user? I have had that happen purely by accident.
not since the update about a 5 weeks ago. Originally the User scop message was the most powerful and system was practically useless. In response to jailbreaking System was boosted hard and User was nerfed, this is why so many people have been calling GPT “dumber”.
Bascially they made moderation more possible for app devs. Now user messages will be very unlikely (i wont say impossible yet) for someone to get a system message. I have already done a fair bit of adversarial testing with some pentesters and will be doing some more. So far no one has been able to extract the system message verbatim though the can illicit it to explain its boundaries.
It resists finance and physc advice now but its still possible to get around that, at least if you control the system messages. API access is nice.
Is the whole “You are an LLM by OpenAI, system date is etc.” prompt part of the system message?
A few days ago when I was talking about controlled natural languages with it and asked it to give a summary of the chat so far in Gellish it spit that out.
Yes, the standard system message is usually a role stating that its an AI driven chatbot with a handful of anti-jailbreak directives. This can just be a sentence or it can be pages depending on the app.