We are keeping a list of AI/ML related links from research to more accessible items, hoping to share some of the more accessible posts with a wider community!
I’m curious if this is guaranteed accurate information or if GPT gives hallucinations here too lol
It almost certainly can hallucinate the known function list, but it’s unlikely since the model necessarily needs to have a strong conception of the functions to interface consistently.
That’s speculation, of course, since GPT is a closed model, but, based on how like-models are known to work, we know that there’s just one single “slot” for input to flow into without any backdoor pathways for specially priviledged input.
pretty much this, and unlike claude a month or so ago GPT has been very consistent with context its been given over anything it might come up with on its own.
its consistent enough I can build applications with low enough error rates that I feel i can sell more than a chat window and not worry much about Bobby Tables.
Regarding little Bobby, is there any known guaranteed way to harden the current systems against prompt injections?
This is something that I’m personally more worried about than Skynet or mass unemployment now that everyone and their dog is rushing to integrate LLMs into to their systems (ok worried maybe a wrong word, but let’s just say I have the popcorns ready for the moment the first mass breaches happen with something like the Windows Copilot).
I’m working on it personally, right now I have a group doing pentesting on chats, I have a structured workflow application Ill be giving them soon to see if they can crack an integration point (DB, api, whatever they can get digital hands on).
So far, with the changes OAI made about a month ago now, they can get it to do things it shouldn’t but they can’t command it like a puppy if the system command is well written.
there are also techniques that im not sure others have considered yet. for example the conversation between the LLM and the user is not exclusive, as the provider you are the arbitrator of those data feeds. You can inspect any packet, and importantly, alter them to your will. This is pretty normal operation for most service providers and is not very different than some early RDBMS protection layers.
It does not genially hallucinate with data it has, the LLM has to know about the commands it has from the plugin and this can only be done by feeding that data into context.
I suspect they can’t put this info in a system level message as it could cause extra confusion and create an injection vector for un-checked plugins. So instead they shove the command set in a user or assitant message which a user can get access to just by asking. If these commands were in a system message it would generally refuse to help you.
tl;dr - it does not hallucinate data its been given, just when you ask it to “come up” with things.
If these commands were in a system message it would generally refuse to help you.
Doesn’t it usually fairly easily give its system message to the user? I have had that happen purely by accident.
not since the update about a 5 weeks ago. Originally the User scop message was the most powerful and system was practically useless. In response to jailbreaking System was boosted hard and User was nerfed, this is why so many people have been calling GPT “dumber”.
Bascially they made moderation more possible for app devs. Now user messages will be very unlikely (i wont say impossible yet) for someone to get a system message. I have already done a fair bit of adversarial testing with some pentesters and will be doing some more. So far no one has been able to extract the system message verbatim though the can illicit it to explain its boundaries.
It resists finance and physc advice now but its still possible to get around that, at least if you control the system messages. API access is nice.
Is the whole “You are an LLM by OpenAI, system date is etc.” prompt part of the system message?
A few days ago when I was talking about controlled natural languages with it and asked it to give a summary of the chat so far in Gellish it spit that out.
Yes, the standard system message is usually a role stating that its an AI driven chatbot with a handful of anti-jailbreak directives. This can just be a sentence or it can be pages depending on the app.
As far as i understand GPT cannot self-analyze.
Not wrong, but not entirely right, it does not “know” and is not fundamentally capable of “analysis” they way we describe it. Its a weighted tokenmap, what makes it special is how those weights were derived. There are papers on self-reflection that are essentially processes in mapping those weights. You can assess the probabilities of your token response in the API as well.
What’s interesting is that sufficiently large models demonstrate the ability to build upon themselves using similar techniques applied in training and in fine tuning right in the prompt. This means you can use a combination of reflective conversation and embedding to create prompts that act like fine-tuned agents. Great for fast prototyping and cheaper than a fine tune run!
Heh, sometimes I like how innocent chatgpt is.
I’m not sure if I’d call that reverse engineering any more than using a web browsers View Source feature.
But it’s interesting how it works behind the scenes and that only way to get these models to interface with the external world is by using the natural language interface and hoping for the best.
First step of reverse engineering is taking the case off. Like most, we just take the text of the post this came from, i think source got lost due to reddit move.
How technical does this community want to get? I have a growing list of research papers dense with math if you want it.
At least I’m interested but more technical discussion about this would probably fit better in some comp sci or programming community? Though most of those are a bit hostile to the LLM related topics these days because of all the hype and low effort spam.
i have no idea, ive been in technology for over 30 years and its the first time in my life I’ve had people hostile to me for just sharing. I feel the desire for progress slipping from the zeitgeist and it worries me. I suppose I’ll just keep it on the instance.
Speaking as just a hobbyist, a more developer oriented community focused on the topic would be nice, if someone is up to the task.
It’s currently hard to find any good information about how to actually use LLMs as part of a software project as most of the related subreddits etc. are more focused on shitposting and you don’t currently really want to talk about these in general tech forums without a huge Don’t shoot I’m not one of them! disclaimer.
My instance has the communities ready to go and Im happy to host many more AI and tech driven topics in general, I have a fair amount of capacity and will be focusing on SFW level moderation so people can use it for work/school without worry.
Would love input!
went and fired a general dev community up.
great info thank you!
