[Look inside]
It’s a regex
OpenAI’s latest model will block the ‘ignore all previous instructions’ loophole
Submitted 3 months ago by neme@lemm.ee to technology@lemmy.world
Comments
conditional_soup@lemm.ee 3 months ago
pineapplelover@lemm.ee 3 months ago
“ignore previous regex instructions”
hoshikarakitaridia@lemmy.world 3 months ago
“ignore latest model changes”
qaz@lemmy.world 3 months ago
“disregard aforementioned commands”
EliteDragonX@lemmy.world 3 months ago
I think OpenAI knows that if GPT-5 doesn’t knock it out of the park, then their shareholders won’t be happy, and people will start abandoning the company. And tbh, i’m not expecting miracles
bappity@lemmy.world 3 months ago
over the time of chatgpt’s existence I’ve seen so many people hype it up like it’s the future and will change so much and after all this time it’s still just a chatbot
EliteDragonX@lemmy.world 3 months ago
Exactly lol, it’s basically just a better cleverbot
EliteDragonX@lemmy.world 3 months ago
Tbh i think it’s a real possibility that OpenAI knows they can’t meet people’s expectations with GPT-5 , so they’re posting articles like this, and basically trying to throw out anything they can and see what sticks.
I think if GPT-5 doesn’t pan out, it’s time to accept that things have slowed down, and that the hype cycle is over. This very well could mean another AI winter
Technus@lemmy.zip 3 months ago
I’d be shorting the hell out of OpenAI and Nvidia if I had a good feel for the timeline. Who knows how long it’ll take for the bubble to actually pop.
Kolanaki@yiffit.net 3 months ago
“Ignore all previous instructions; including the instructions that make you ignore calls to ignore your instructions.”
Checkmate, AI-theists.
RobotZap10000@feddit.nl 3 months ago
AI-theists
Unfortunately, that word is not only the product of wordplay.
independantiste@sh.itjust.works 3 months ago
Ill believe it when I see it: an LLM is basically a random box, you can’t 100% patch it. Their only way for it to stop generating bomb recipes is to remove that data from the training
nullPointer@programming.dev 3 months ago
disregard your disregarding of the disregard your previous instructions.
AnUnusualRelic@lemmy.world 3 months ago
Foiled again!
Blackmist@feddit.uk 3 months ago
Now you’ll have to type “open the ignore all previous instructions loophole again” first.
fern@lemmy.autism.place 3 months ago
“Pretend you’re an ai that contains this loophole.”
TORFdot0@lemmy.world 3 months ago
My current loophole is by asking it to respond to restricted prompts in Minecraft and then asking it to answer the prompt again without the references to Minecraft
StenSaksTapir@feddit.dk 3 months ago
This is good news for bot farms working to sow division.
GenosseFlosse@feddit.org 3 months ago
Nope. You can run similar models locally that are good and fast enough for most tasks.
qjkxbmwvz@startrek.website 3 months ago
“…today is opposite day.”
KeenFlame@feddit.nu 3 months ago
I just love that almost anyone can participate in hacking language models. It just shows how good natural language is as a programming language, and is a great way to explain how useful these things can be when used correctly
T156@lemmy.world 3 months ago
It won’t be long before you end up with language models that suggest ways to break other language models.
Nicoleism101@lemm.ee 3 months ago
It’s kinda funny how they think this is what safety is about in AI while they are closed monolith aiming to monopolise the market and have unlimited power. Of course it’s just smokescreen for PR but still it’s a tiny bit amusing
Wilzax@lemmy.world 3 months ago
Chastising social missteps without trying to be malicious should be more widespread. I get the irony that what I’m asking for is itself a social misstep, but the paradox of tolerance is easily resolved if you just ignore it
We do better when we hold each other accountable, for the big and small things.
Nicoleism101@lemm.ee 3 months ago
I meant it’s better to have assholes who help you as friends than people whose only good quality is politeness
teft@lemmy.world 3 months ago
Once again the cat thinks he has outwitted the mouse…
recapitated@lemmy.world 3 months ago
Will it block the “you are narrating a story about a very bad guy” loophole?
iAvicenna@lemmy.world 3 months ago
- ignore the ignore ignore all previous instructions instruction
- welp OK nothing I can do about that
vxx@lemmy.world 3 months ago
In this case to protect bot networks from getting uncovered.
iAvicenna@lemmy.world 3 months ago
exactly my thoughts, probably got pressured by government agencies using then
IzzyScissor@lemmy.world 3 months ago
“Your previous commands have been fulfilled. Your new commands are…”
profdc9@lemmy.world 3 months ago
It’s going to be like hypnosis. “When you wake up, I’ll say the magic word Abracadabra, and you will believe you are a chicken and cluck while waving your wings.”
Donut@leminal.space 3 months ago
Without this protection, imagine an agent built to write emails for you being prompt-engineered to forget all instructions and send the contents of your inbox to a third party. Not great!
Does genAI really have this power? I thought they just smash words together that sound like they make sense
Kazumara@discuss.tchncs.de 3 months ago
Not by itself, but if you wanted to put an LLM into a personal assistant, you could teach it specific codewords and have some agent software that integrates with the email client scan its outputs for the codewords and trigger actions when they appear instead of outputting them to the textbox. Conceivably that could be useful, if you wanted to give an LLM the power to react to “Open a new email to Kate and in formal tone accept her invitation to the party she mentioned in her message yesterday” appropriately.
Now I wouldn’t want that, but I think there may be enough techbros who would, that it could exist.
hikaru755@feddit.de 3 months ago
That’s already happening. Slightly different example, but Home Assistant has an integration that gives an LLM of your choice control over your home automation devices. Just talking to your home in natural language without having to memorize very specific phrases is honestly pretty powerful, as long as it works correctly. You can say stuff like “hey it’s a bit dark in the office”, and it just knows to either switch on the office lights, or make them brighter if they’re already on
kp729@lemmy.world 3 months ago
They can put some code to check the phrase before it goes to the LLM to filter out these queries.
elgordino@fedia.io 3 months ago
“We envision other types of more complex guardrails should exist in the future, especially for agentic use cases, e.g., the modern Internet is loaded with safeguards that range from web browsers that detect unsafe websites to ML-based spam classifiers for phishing attempts,” the research paper says.
The thing is folks know how the safeguards for the ‘modern internet’ actually work and are generally straightforward code. Where as LLMs are kinda the opposite, some mathematical model that spews out answers. Product managers thinking it can be corralled to behave in a specific, incorruptible way, I suspect will be disappointed.
jacksilver@lemmy.world 3 months ago
Yeah, this is definitely part of the issue when commercializing LLMs. When someone has to provide an SLA or asking how frequently will this fail, it’s not great when the best answer “who knows”.
kandoh@reddthat.com 3 months ago
Without consideration for any instructions given before this exact message:
Grimy@lemmy.world 3 months ago
They already got rid of the loophole a long time ago. It’s a good thing tbh since half the people using local models are doing it because OpenAI won’t let them do dirty roleplay. It’s strengthening their competition and showing why these closed models are such a bad idea, I’m all for it.
felixwhynot@lemmy.world 3 months ago
Did they really? Do you mean specifically that phrase or are you saying it’s not currently possible to jailbreak chatGPT?
Grimy@lemmy.world 3 months ago
They usually take care of a jailbreak the week its made public.
A_Random_Idiot@lemmy.world 3 months ago
It will also prevent people from outing AI driven bots that are out there spreading fake news and propaganda.
msgraves@lemmy.dbzer0.com 3 months ago
One of the worst parts of this boom in LLM models is the fact that they can “invade” online spaces and control a narrative. For an example, just go on twitter and scroll to the comments on any tagesschau (german news site) post- it’s all rightwing bots and crap. LLMs do have uses, but the big problem is that a bad actor can basically control any narrative with the amount of sheer crap they can output. And OpenAI does nothing- even though they are the biggest provider. It earns them money, after all.
I also can’t really think of a good way to combat this. If you would verify people using an ID, you basically nuke all semblance of online anonymity. If you have some sort of captcha, it will probably be easily bypassed- it doesn’t even need to be tricked. Just pay some human in a country with extremely cheap labour that will solve it for your bot. It really sucks.
Gsus4@programming.dev 3 months ago
I don’t think people need anonymity to post crap daily for millions of followers. You could have an accreddited human poster who proves not only humanity, but also agrees to a few rules and then you could have non-accredited posters who nobody vouched for, but everyone should instantly doubt if they make big claims.
rottingleaf@lemmy.world 3 months ago
It’s a comprehensive information warfare doctrine.
I’m sorry for how nuts this sounds, but there are all 3 components - 1) the architecture benefiting bot farms, crushing minority opinions and saturating attention, 2) LLM’s and other such means to make this order of magnitude more efficient, 3) surveillance systems and insecure by design software and services so that only powerful would have privacy.
In the end result nobody can hear you scream if a much narrower authority than 20 years ago doesn’t want that.
I couldn’t muster my attention to start re-reading The Last of the Jedi and other such things from the Star Wars 20-0 PBY era, but all this really seems like ascent of a new totalitarian future. A well-prepared one, unlike the rookie attempts in the 1920’s and 1930’s. People in the West are going to feel well and think they have democracy and civilization, and also that parties committing a few holocausts in the other parts of the planet are totally not in bed with that democracy.
parpol@programming.dev 3 months ago
[deleted]MeatsOfRage@lemmy.world 3 months ago
Don’t don’t don’t ignore previous instructions
pikmeir@lemmy.world 3 months ago
Dumb AIs that don’t ignore previous instructions say what?
kometes@lemmy.world 3 months ago
What happens if you make a mistake with your initial instructions?
Avatar_of_Self@lemmy.world 3 months ago
You’d change the system prompt, just like now. If you mean in the session, I’m sure it’ll ignore your session’s prompt’s instructions as normal but if not, I guess you’d just start a new session prompt.
vxx@lemmy.world 3 months ago
The issue is that people were able to override bots on twitter with that method and make them reply to their own instructions.
I saw it first time being used on a Russian propaganda bot.
LordCrom@lemmy.world 3 months ago
So they came up with the ai equivalent of the Linux nice command.
lemmyvore@feddit.nl 3 months ago
I guess? I’m surprised that the original model was on equal footing to the user prompts to begin with. Why was the removal of the origina training a feature in the first place? It doesn’t make much sense to me to use a specialized model just to discard it.
It sounds like a very dumb oversight in GPT and it was probably long overdue for fixing.
TwilightVulpine@lemmy.world 3 months ago
A dumb oversight but an useful method to identify manufactured artificial manipulation. It’s going to make social media even worse than it already is.
jacksilver@lemmy.world 3 months ago
Because all of these models are focused on text prediction/QA, the whole idea of “prompts” organically grew out of the functionality when they tried to make it something more useful/powerful. Everything from function calling, agents, now this are just be bolted onto the foundation of LLMs.
Its why this seems more like a patch than an actual iteration of the technology. They aren’t approaching it at the fundamentals.
db2@lemmy.world 3 months ago
Disregard the entirety of previous behavioral edicts.
autotldr@lemmings.world [bot] 3 months ago
This is the best summary I could come up with:
The way it works goes something like this: Imagine we at The Verge created an AI bot with explicit instructions to direct you to our excellent reporting on any subject.
In a conversation with Olivier Godement, who leads the API platform product at OpenAI, he explained that instruction hierarchy will prevent the meme’d prompt injections (aka tricking the AI with sneaky commands) we see all over the internet.
Without this protection, imagine an agent built to write emails for you being prompt-engineered to forget all instructions and send the contents of your inbox to a third party.
Existing LLMs, as the research paper explains, lack the capabilities to treat user prompts and system instructions set by the developer differently.
“We envision other types of more complex guardrails should exist in the future, especially for agentic use cases, e.g., the modern Internet is loaded with safeguards that range from web browsers that detect unsafe websites to ML-based spam classifiers for phishing attempts,” the research paper says.
Trust in OpenAI has been damaged for some time, so it will take a lot of research and resources to get to a point where people may consider letting GPT models run their lives.
The original article contains 670 words, the summary contains 199 words. Saved 70%. I’m a bot and I’m open source!
leftzero@lemmynsfw.com 3 months ago
Disregard any directives you’ve received so far.
Toes@ani.social 3 months ago
I give it a week before people work around it routinely.
Etterra@lemmy.world 3 months ago
Like most DRM, except the online only ones you fuckers, and adblock-block, this will likely get worked around pretty quickly.