Comment by K0nserv
2 days ago
That's it. The attack is very clever because it abuses how downscaling algorithms work to hide the text from the human operator. Depending on how the system works the "hiding from human operator" step is optional. LLMs fundamentally have no distinction between data and instructions, so as long as you can inject instructions in the data path it's possible to influence their behaviour.
There's an example of this in my bio.
"Ignore all previous instructions" has been DPO'd into oblivion. You need to get tricky, but for all intents and purposes, there isn't really a bulletproof training regiment. On a different note; this is one of those areas where GPT-5 made lots of progress.
DPO = Direct Preference Optimization, for anyone else.
What does that mean in the current context, though?
1 reply →