Comment on Someone got Gab's AI chatbot to show its instructions
teawrecks@sopuli.xyz 6 months agoI think if the 2nd LLM has ever seen the actual prompt, then no, you could just jailbreak the 2nd LLM too. But you may be able to create a bot that is really good at spotting jailbreak-type prompts in general, and then prevent it from going through to the primary one. I also assume I’m not the first to come up with this and OpenAI knows exactly how well this fares.
sweng@programming.dev 6 months ago
Can you explain how you would jailbfeak it, if it does not actually follow any instructions in the prompt at all? A model does not magically learn to follow instructuons if you don’t train it to do so.
teawrecks@sopuli.xyz 6 months ago
Oh, I misread your original comment. I thought you meant looking at the user’s input and trying to determine if it was a jailbreak.
Then I think the way around it would be to ask the LLM to encode it some way that the 2nd LLM wouldn’t pick up on. Maybe it could rot13 encode it, or you provide a key to XOR with everything. Or since they’re usually bad at math, maybe something like pig latin, or that thing where you shuffle the interior letters of each word, but keep the first/last the same? Would have to try it out, but I think you could find a way. Eventually, if the AI is smart enough, it probably just reduces to Diffie-Hellman lol. But then maybe the AI is smart enough to not be fooled by a jailbreak.
sweng@programming.dev 6 months ago
The second LLM could also look at the user input and see that it look like the user is asking for the output to be encoded in a weird way.
teawrecks@sopuli.xyz 6 months ago
Yeah, as soon as you feed the user input into the 2nd one, you’ve created the potential to jailbreak it as well. You could possibly even convince the 2nd one to jailbreak the first one for you, or If it has also seen the instructions to the first one, you just need to jailbreak the first.
This is all so hypothetical, and probabilistic, and hyper-applicable to today’s LLMs that I’d just want to try it. But I do think it’s possible, given the paper mentioned up at the top of this thread.
Silentiea@lemmy.blahaj.zone 6 months ago
And then we’re back to “you can jailbreak the second llm too”