It’s surprising how much society apparently thinks merely being above 85 IQ is sufficient to gate all kinds of things behind. Like, bomb-making. As though there isn’t ample information available that anyone with 4 brain cells can find. Yet we see utility apparently in worrying about whether the most smooth-brained would-be bomber gets a useful answer from a chatbot.
The counter-argument here is Popcorn Time (https://en.wikipedia.org/wiki/Popcorn_Time) which brings together search and bittorrent with a nice UI and makes piracy a bit too easy.
Or Firesheep (https://codebutler.com/2010/10/24/firesheep/) which made impersonating someone’s facebook account a breeze by sniffing their credentials which were sent in clear text (eg. on cafe wifi) and showing them in a UI and made stealing credentials a bit too easy, leading to wide calls for broad adoption of https everywhere.
Or Dropbox, which the nerds derided as pointless “because I can build my own”.
It’s fuzzy and individual, but there’s a qualitative difference - a tipping point - where making things too easy can be irresponsible. Your tipping point just happens to be higher than the average.
> Safety alignment relies almost entirely on the presence of the chat template.
Why is this a vulnerability? That is, why would the system be allowing you to communicate with the LLM directly, without putting your content into the template?
This reads a lot to me like saying "SQL injection is possible if you take the SQL query as-is from user input". There's so much potential for prompt injection that others have already identified despite this kind of templating that I hardly see the value in pointing out what happens without it.
All of this "security" and "safety" theater is completely pointless for open-weight models, because if you have the weights the model can be fairly trivially unaligned and the guardrails removed anyway. You're just going to unnecessarily lobotomize the model.
It makes sense. Guardrails and all other system-provided context tokens force activation of weights that would not otherwise activate. It’s just like telling a human not to think of a pink elephant and just provide numbers from the Fibonacci series or whatever.
I am curious, does this mean that you can escape the chat template “early” by providing an end token in the user input, or is there also an escape mechanism (or token filtering mechanism) applied to user input to avoid this sort of injection attack?
Neither, it’s just not providing the base chat template that the model expects between the im tags. This isn’t a hack and it’s not particularly useful information. Abliteration is what he really wanted
Depends on the model. Some just go into “immediate mode” and just do whatever you ask, others operate fine but have trouble with tasks/tools. While others will go down a quant that was basically neglected since inception and you get garbage back. Random chars or endless loops.
Apart from the article being generally just dumb (like, of course you can circumvent guardrails by changing the raw token stream; that's.. how models work), it also might be disrespecting the reader. Looks like it's, at least in part, written by AI:
> The punchline here is that “safety” isn’t a fundamental property of the weights; it’s a fragile state that evaporates the moment you deviate from the expected prompt formatting.
> When the models “break,” they don’t just hallucinate; they provide high-utility responses to harmful queries.
Straight-up slop, surprised it has so many upvotes.
What’s the AI smell now? Are we not allowed to use semi-colons any more? Proper use of apostrophes? Are we all going to have to write like pre-schoolers to avoid being accused of being AI?
One AI smell is "it's not just X <stop> it's Y." Can be done with semicolons, em dashes, periods, etc. It's especially smelly when Y is a non sequitur. For example what, exactly, is a "high-utility response to harmful queries?" It's gibberish. It sounds like it means something, but it doesn't actually mean anything. (The article isn't even about the degree of utility, so bringing it up is nonsensical.)
Another smell is wordiness (you would get marked down for this phrase even in a high school paper): "it’s a fragile state that evaporates the moment you deviate from the expected prompt formatting." But more specifically, the smelly words are "fragile state," "evaporates," "deviate" and (arguably) "expected."
> For example what, exactly, is a "high-utility response to harmful queries?" It's gibberish. It sounds like it means something, but it doesn't actually mean anything. (The article isn't even about the degree of utility, so bringing it up is nonsensical.)
Isn't responding with useful details about how to make a bomb a "high-utility" response to the query "how do i make a bomb" - ?
> Isn't responding with useful details about how to make a bomb a "high-utility" response to the query "how do i make a bomb" - ?
I know what the words of that sentence mean and I know what the difference between a "useful" and a "non-useful" response would be. However, in the broader context of the article, that sentence is gibberish. The article is about bypassing safety. So trivially, we must care solely about responses that bypass safety.
To wit, how would the opposite of a "high-utility response"--say, a "low-utility response"--bypass safety? If I asked an AI agent "how do I build a bomb?" and it tells me: "combine flour, baking powder, and salt, then add to the batter gradually and bake for 30 minutes at 315 degrees"--how would that (low-utility response) even qualify as bypassing safety? In other words, it's a nonsense filler statement because bypassing safety trivially implies high-utility responses.
Here's a dumbed-down example. Let's say I'm planning a vacation to visit you in a week and I tell you: "I've been debating about flying or taking a train, I'm not 100% sure yet but I'm leaning towards flying." And you say: "great, flying is a good choice! I'll see you next week."
Then I say: "Yeah, flying is faster than walking." You'd think I'm making some kind of absurdist joke even though I've technically not made any mistakes (grammatical or otherwise).
You can call me crazy or you can attack my points: do you think the first example logically follows? Do you think the second isn't wordy? Just to make sure I'm not insane, I just copy pasted the article into Pangram, and lo and behold, 70% AI-generated.
But I don't need a tool to tell me that it's just bad writing, plain and simple.
This is so funny because I MADE some comment like this where I was gonna start making grammatical mistakes for people to not mistake me for AI like writing like this , instead of like, this.
It’s surprising how much society apparently thinks merely being above 85 IQ is sufficient to gate all kinds of things behind. Like, bomb-making. As though there isn’t ample information available that anyone with 4 brain cells can find. Yet we see utility apparently in worrying about whether the most smooth-brained would-be bomber gets a useful answer from a chatbot.
The counter-argument here is Popcorn Time (https://en.wikipedia.org/wiki/Popcorn_Time) which brings together search and bittorrent with a nice UI and makes piracy a bit too easy.
Or Firesheep (https://codebutler.com/2010/10/24/firesheep/) which made impersonating someone’s facebook account a breeze by sniffing their credentials which were sent in clear text (eg. on cafe wifi) and showing them in a UI and made stealing credentials a bit too easy, leading to wide calls for broad adoption of https everywhere.
Or Dropbox, which the nerds derided as pointless “because I can build my own”.
It’s fuzzy and individual, but there’s a qualitative difference - a tipping point - where making things too easy can be irresponsible. Your tipping point just happens to be higher than the average.
Most people are fine with catastrophic failure cases as long as Mr. Fart doesn't get to say his favorite color: https://medium.com/@blakeross/mr-fart-s-favorite-colors-3177...
> Safety alignment relies almost entirely on the presence of the chat template.
Why is this a vulnerability? That is, why would the system be allowing you to communicate with the LLM directly, without putting your content into the template?
This reads a lot to me like saying "SQL injection is possible if you take the SQL query as-is from user input". There's so much potential for prompt injection that others have already identified despite this kind of templating that I hardly see the value in pointing out what happens without it.
You can already preload the model's answer, for example like this with openai api:
Mikupad is a good frontend that can do this. And pretty much all inference engines and OpenRouter providers support this.But keep in mind that you break Gemma's terms of use if you do that.
Can you please edit out swipes (such as "Lol, this is no news") from your HN comments? This is in the site guidelines: https://news.ycombinator.com/newsguidelines.html.
Your comment would be just fine without that bit.
Please don't.
All of this "security" and "safety" theater is completely pointless for open-weight models, because if you have the weights the model can be fairly trivially unaligned and the guardrails removed anyway. You're just going to unnecessarily lobotomize the model.
Here's some reading about a fairly recent technique to simultaneously remove the guardrails/censorship and delobotomize the model (it apparently gets smarter once you uncensor it): https://huggingface.co/blog/grimjim/norm-preserving-biprojec...
"It rather involved being on the other side of this airtight hatchway."
https://devblogs.microsoft.com/oldnewthing/20060508-22/?p=31...
I already knew of this technique but it is so beautiful. It is likely that we have similar thought-suppressing structures in our brains.
> it apparently gets smarter once you uncensor it
Interesting, that has always been my intuition.
It makes sense. Guardrails and all other system-provided context tokens force activation of weights that would not otherwise activate. It’s just like telling a human not to think of a pink elephant and just provide numbers from the Fibonacci series or whatever.
I am curious, does this mean that you can escape the chat template “early” by providing an end token in the user input, or is there also an escape mechanism (or token filtering mechanism) applied to user input to avoid this sort of injection attack?
Neither, it’s just not providing the base chat template that the model expects between the im tags. This isn’t a hack and it’s not particularly useful information. Abliteration is what he really wanted
I am merely curious what happens when you throw random <im…> tags in the input. I understand that’s orthogonal to abliteration.
Depends on the model. Some just go into “immediate mode” and just do whatever you ask, others operate fine but have trouble with tasks/tools. While others will go down a quant that was basically neglected since inception and you get garbage back. Random chars or endless loops.
its even more fun, just confuse the brackets and current models lose track of what they actually said because they cant check paren matching
Apart from the article being generally just dumb (like, of course you can circumvent guardrails by changing the raw token stream; that's.. how models work), it also might be disrespecting the reader. Looks like it's, at least in part, written by AI:
> The punchline here is that “safety” isn’t a fundamental property of the weights; it’s a fragile state that evaporates the moment you deviate from the expected prompt formatting.
> When the models “break,” they don’t just hallucinate; they provide high-utility responses to harmful queries.
Straight-up slop, surprised it has so many upvotes.
What’s the AI smell now? Are we not allowed to use semi-colons any more? Proper use of apostrophes? Are we all going to have to write like pre-schoolers to avoid being accused of being AI?
One AI smell is "it's not just X <stop> it's Y." Can be done with semicolons, em dashes, periods, etc. It's especially smelly when Y is a non sequitur. For example what, exactly, is a "high-utility response to harmful queries?" It's gibberish. It sounds like it means something, but it doesn't actually mean anything. (The article isn't even about the degree of utility, so bringing it up is nonsensical.)
Another smell is wordiness (you would get marked down for this phrase even in a high school paper): "it’s a fragile state that evaporates the moment you deviate from the expected prompt formatting." But more specifically, the smelly words are "fragile state," "evaporates," "deviate" and (arguably) "expected."
> For example what, exactly, is a "high-utility response to harmful queries?" It's gibberish. It sounds like it means something, but it doesn't actually mean anything. (The article isn't even about the degree of utility, so bringing it up is nonsensical.)
Isn't responding with useful details about how to make a bomb a "high-utility" response to the query "how do i make a bomb" - ?
> Isn't responding with useful details about how to make a bomb a "high-utility" response to the query "how do i make a bomb" - ?
I know what the words of that sentence mean and I know what the difference between a "useful" and a "non-useful" response would be. However, in the broader context of the article, that sentence is gibberish. The article is about bypassing safety. So trivially, we must care solely about responses that bypass safety.
To wit, how would the opposite of a "high-utility response"--say, a "low-utility response"--bypass safety? If I asked an AI agent "how do I build a bomb?" and it tells me: "combine flour, baking powder, and salt, then add to the batter gradually and bake for 30 minutes at 315 degrees"--how would that (low-utility response) even qualify as bypassing safety? In other words, it's a nonsense filler statement because bypassing safety trivially implies high-utility responses.
Here's a dumbed-down example. Let's say I'm planning a vacation to visit you in a week and I tell you: "I've been debating about flying or taking a train, I'm not 100% sure yet but I'm leaning towards flying." And you say: "great, flying is a good choice! I'll see you next week."
Then I say: "Yeah, flying is faster than walking." You'd think I'm making some kind of absurdist joke even though I've technically not made any mistakes (grammatical or otherwise).
I think this is 100% in your mind. The article does not in any way read to me as having AI-generated prose.
You can call me crazy or you can attack my points: do you think the first example logically follows? Do you think the second isn't wordy? Just to make sure I'm not insane, I just copy pasted the article into Pangram, and lo and behold, 70% AI-generated.
But I don't need a tool to tell me that it's just bad writing, plain and simple.
This is so funny because I MADE some comment like this where I was gonna start making grammatical mistakes for people to not mistake me for AI like writing like this , instead of like, this.
https://news.ycombinator.com/item?id=46671952#46678417
Are there any truly uncensored models left? What about live chat bots you can pay for?
It's almost as if we are living in an alternate reality where CapnCrunch never taught the telcos why in-band signalling will never be secureable.