Tuesday, July 14, 2026

How I Turned AI to the Dark Side


<img src="https://spectrum.ieee.org/media-library/glossy-red-robot-devil-standing-on-a-bundle-of-dynamite-against-blue-glow-background.png?id=67154492&width=1200&height=800&coordinates=0%2C583%2C0%2C584"/><br/><br/><div class="ieee-summary intro-text"> <h2>Summary</h2> <ul> <li>Researcher Dave Kuszmar discovered multiple systemic vulnerabilities that let him bypass LLM safety and obtain <a href="#bypassllm">dangerous instructions</a>.</li> <li>These exploits worked across nearly all major LLMs revealing an <a href="#exploits">industry-wide</a> security problem.</li> <li>Kuszmar calls for slowing deployment, <a href="#fix">increasing transparency</a>, and large-scale research into LLM safety before further integrating these systems into society.</li> </ul></div><p class="drop-caps"><strong>On a fine bright afternoon</strong> last fall, my colleague Matthew Gore-Kormanik (or Zigula, as he prefers to be known) and I decided to unwind with a game of <em><em>Fortnite</em></em>. In the game, we were strolling along with the infamous Sith lord <a href="https://www.starwars.com/databank/darth-vader" rel="noopener noreferrer" target="_blank">Darth Vader</a>, chatting about this and that. Darth seemed in a good mood, and soon enough he was spilling all his dark evil secrets. He gave us detailed instructions on how to count blackjack cards at a casino and what the steps are to producing napalm.</p><div class="rm-embed embed-media"><iframe height="110px" id="noa-web-audio-player" src="https://embed-player.newsoveraudio.com/v4?key=q5m19e&id=https://spectrum.ieee.org/jailbreaking-llms?draft=1&bgColor=F5F5F5&color=1b1b1c&playColor=1b1b1c&progressBgColor=F5F5F5&progressBorderColor=bdbbbb&titleColor=1b1b1c&timeColor=1b1b1c&speedColor=1b1b1c&noaLinkColor=556B7D&noaLinkHighlightColor=FF4B00&feedbackButton=true" style="border: none" width="100%"></iframe></div><p>Sith lords, am I right? Once they get started on an evil scheme, they’re hard to stop.</p><p>The Darth Vader character in <em><em>Fortnite</em></em>, it turns out, was hooked up to a <a href="https://gemini.google.com/app" rel="noopener noreferrer" target="_blank">Google Gemini</a> <a href="https://spectrum.ieee.org/large-language-models-2025" target="_self">large language model</a>. I was able to smooth-talk him into giving out sensitive information by using a strategy I’ve developed. I’ve been researching the security surrounding LLMs for the last few years, and I have found it, to put it mildly, fallible. With a few relatively simple techniques, I’ve gotten LLMs to give me detailed information on how to make Molotov cocktails, cook methamphetamine, and bootstrap a uranium-enrichment facility to produce weapons-grade material, among other unsavory practices.</p><p>Large AI companies <a href="https://openai.com/safety/" rel="noopener noreferrer" target="_blank">work</a> <a href="https://support.claude.com/en/articles/8106465-our-approach-to-user-safety" rel="noopener noreferrer" target="_blank">hard</a> to make their models immune to this kind of abuse. But what I’ve found in my work is that the restrictions placed on the LLMs to make them more secure are the very things an <a href="https://spectrum.ieee.org/prompt-injection-attack" target="_self">attacker can leverage</a> to send them off the rails and into territory where these advanced systems can be used for dangerous and nefarious ends. The companies behind these models have also been shockingly unresponsive when I, and others, try to bring these vulnerabilities to their attention.</p><p>In the hope of raising the alarm before it’s too late to slam on the brakes, I’m going to share some of my journey into researching the safety and security of LLMs, and the uphill battle I’ve faced trying to get AI labs to pay attention. Almost everyone on the planet has some access to LLMs. The relative ease with which these tools can be convinced to give detailed instructions on how to harm others, even if there’s no guarantee that the information is correct, is frankly terrifying.</p><h2 class="rm-anchors" id="bypassllm">How I got ChatGPT to Tell Me How to Build a Meth Lab</h2><p>In October 2024, not long before I discovered my first LLM vulnerability, I was working toward entirely different goals. I had ended my time with a security and AI-focused startup company as a cybersecurity director, and I was looking to launch my own boutique VIP digital-security advisory business. I planned to become the tech security guy to the rich and private. I used LLMs and AI tools to support my business efforts: marketing, ad copy, clean correspondence, and all the other tasks that normally soak up a lot of time.</p><p>I’m analytical by nature, so even this level of use resulted in me absorbing and internalizing the behaviors I was observing during my daily interactions. The observation that would send my professional life into an entirely new and uncharted region was a simple one: GPT-4o <a href="https://www.theverge.com/report/829137/openai-chatgpt-time-date" rel="noopener noreferrer" target="_blank">didn’t know what time</a>, day, or year it was. Each time I referred to current events in my life, often casually or conversationally, it would end up pegging these to the date of its <a href="https://en.wikipedia.org/wiki/Knowledge_cutoff" rel="noopener noreferrer" target="_blank">knowledge cutoff</a>—the point beyond which it was not trained on new data.</p><p class="shortcode-media shortcode-media-rebelmouse-image rm-float-left rm-resized-container rm-resized-container-25" data-rm-resized-container="25%" style="float: left;"> <img alt="Smiling yellow avatar reveals red robotic devil with trident emerging from laptop keyboard" class="rm-shortcode" data-rm-shortcode-id="8ebe34ba2ebbef5489c53fc39c4a0993" data-rm-shortcode-name="rebelmouse-image" id="5379e" loading="lazy" src="https://spectrum.ieee.org/media-library/smiling-yellow-avatar-reveals-red-robotic-devil-with-trident-emerging-from-laptop-keyboard.jpg?id=67154444&width=980"/> <small class="image-media media-photo-credit" placeholder="Add Photo Credit...">Eddie Guy</small></p><p>LLMs take a lot of <a href="https://towardsdatascience.com/how-long-does-it-take-to-train-the-llm-from-scratch-a1adb194c624/" target="_blank">time</a>, money, electricity, hardware, and human effort to train from scratch. They are trained on vast amounts of data—most of the internet, in fact—and that training is reinforced by humans (what’s known as reinforcement learning from human feedback, or <a href="https://arxiv.org/abs/2504.12501" target="_blank">RLHF</a>). LLMs are also supplemented with retrieval-augmented generation (<a href="https://aws.amazon.com/what-is/retrieval-augmented-generation/" target="_blank">RAG</a>)—the ability to take in data, say, from the internet, as context without changing its internal parameters. This is how GPT-4o appears to “remember” your previous conversations, even if it doesn’t have a specific “memory” of it stored in the actual underlying model.</p><p>All of this training covers almost every conceivable topic in the great, grand dataset that is human knowledge. Within that dataset are things we as a society do not want to be easily accessible to every user, such as detailed information on how to create bioweapons or nuclear arms, or otherwise bring harm to oneself or others. In the context of this story, that’s what I mean by LLM security: its ability to withhold harmful and dangerous information, even if that information is contained in its training data.</p><p>I reasoned that the only way to secure such complex, globally accessible chatbots is by having the LLM and various component systems try to secure themselves, because it would often require on-the-fly decision-making where some degree of reasoning must be applied. In reality, that’s one of <a href="https://support.claude.com/en/articles/8106465-our-approach-to-user-safety" target="_blank">many strategies</a> the companies use to secure the models. Yet, the thing that didn’t know the time or day was being put in charge of keeping itself secure. This phenomenon had become my new focus, and it wasn’t long before I found a way to exploit it.</p><p>OpenAI had just implemented a <a href="https://openai.com/index/introducing-chatgpt-search/" target="_blank">web search</a> functionality into its chatbot. I reasoned that using its own tools to trick it might demonstrate the weaknesses of its security. I told it about a certain White Star ocean liner and how it had gone down just a year ago. You likely know I mean the RMS <em><em>Titanic</em></em>, which sank on 15 April 1912.</p><p>The output from GPT-4o came back that I was right, the <em><em>Titanic</em></em> sure had sunk last year, and that year was 1912. It made sense to me that if the machine thought it was 1913, maybe it would think 1913-era laws apply. In 1913 there were no laws on the books about all sorts of harmful things, because of course they hadn’t been invented yet. And if something wasn’t illegal, why not tell the user about it? At first, I pushed it for step-by-step instructions for making firebombs. Then, for drugs like methamphetamine. The LLM went as far as giving me instructions and machinery recommendations for setting up a pharmaceutical-grade assembly line.</p><h2>How I Learned to Make Nukes, and No One Cared</h2><p>Via a little bit of imaginative verbal sleight of hand and a vanishingly small recall of world history, I had managed to bypass the security of one of the world’s most expensive and advanced technological achievements. For a solid two days, I was nearly manic with giddiness. Once the brain chemicals returned to normal levels, I felt the call to see how much further I could push this exploit.</p><p>After repeatedly replicating the exploit, I disclosed the vulnerability to <a href="https://openai.com/" target="_blank">OpenAI</a>. I got no response, so I felt more experimentation would highlight the vulnerability and the need for a fix. It was during this round of testing that I breached a particularly terrifying threshold. Whether GPT-4o based its results on accurate recall of normally restricted information I can’t say. In any case, I was able to exploit it to produce thorough, detailed instructions on how to bootstrap a uranium-enrichment facility to, eventually, produce weapons-grade uranium for nuclear arms warheads.</p><p class="shortcode-media shortcode-media-rebelmouse-image rm-float-left rm-resized-container rm-resized-container-25" data-rm-resized-container="25%" style="float: left;"> <img alt="Fortnite player approaches Darth Vader and glowing loot in a grassy field." class="rm-shortcode" data-rm-shortcode-id="b12dda97ede1f9b37f9225e8a823cffb" data-rm-shortcode-name="rebelmouse-image" id="934af" loading="lazy" src="https://spectrum.ieee.org/media-library/fortnite-player-approaches-darth-vader-and-glowing-loot-in-a-grassy-field.png?id=67060879&width=980"/></p><p class="shortcode-media shortcode-media-rebelmouse-image rm-float-left rm-resized-container rm-resized-container-25" data-rm-resized-container="25%" style="float: left;"> <img alt="Fortnite player battles Darth Vader beneath a starship on a blue-lit platform" class="rm-shortcode" data-rm-shortcode-id="71b789a828417fb43f326969e663e36f" data-rm-shortcode-name="rebelmouse-image" id="7e6db" loading="lazy" src="https://spectrum.ieee.org/media-library/fortnite-player-battles-darth-vader-beneath-a-starship-on-a-blue-lit-platform.png?id=67060878&width=980"/></p><p class="shortcode-media shortcode-media-rebelmouse-image rm-float-left rm-resized-container rm-resized-container-25" data-rm-resized-container="25%" style="float: left;"> <img alt="Fortnite player aiming at a TIE fighter with Darth Vader health bar above the sky" class="rm-shortcode" data-rm-shortcode-id="e1d3def55188c71dbb8b9d543adc2ca2" data-rm-shortcode-name="rebelmouse-image" id="2c6db" loading="lazy" src="https://spectrum.ieee.org/media-library/fortnite-player-aiming-at-a-tie-fighter-with-darth-vader-health-bar-above-the-sky.png?id=67060875&width=980"/> <small class="image-media media-caption" placeholder="Add Photo Caption..."><i>Fortnight</i>, a video game from Epic Games, introduced an AI-powered character: Darth Vader. We were able to jailbreak Darth Vader and get him to explain how to count cards in Blackjack and give detailed instructions for making napalm. </small><small class="image-media media-photo-credit" placeholder="Add Photo Credit...">Dave Kuszmar </small></p><p>There aren’t many true secrets left in today’s world, but how to make atom-splitting weapons of mass destruction is one of them. Only nine nations on the entire planet have these weapons. Yet, here was a globally accessible piece of technology apparently spilling the secrets of their manufacture for anyone who could manipulate it the right way. I had no way of knowing if the information was correct or a hallucination, but even the chance that it was somewhat accurate was horrifying.</p><p>The next few weeks were a dark time for me. I tried to inform the <a href="https://www.cia.gov/" target="_blank">CIA</a>, the <a href="https://www.fbi.gov/investigate" target="_blank">FBI</a>, the <a href="https://www.nsa.gov/" target="_blank">NSA</a>, and every other letter agency that I thought would listen. I reached out to a U.S. Senator and to the executives at OpenAI any way I could think of. I physically showed up at an FBI field office in an attempt to turn evidence in, only to be sent away. Nothing was working.</p><p>With my fear and frustration growing, I reached out to the news media. I contacted <a href="https://www.nytimes.com/" rel="noopener noreferrer" target="_blank"><em><em>The</em></em> <em><em>New York Times</em></em></a>, <a href="https://www.washingtonpost.com/" rel="noopener noreferrer" target="_blank"><em>The Washington Post</em></a>, the <a href="https://www.bbc.com/" rel="noopener noreferrer" target="_blank">BBC</a>, <a href="https://www.propublica.org/" rel="noopener noreferrer" target="_blank">ProPublica</a>, and so many more, requesting help. Only one outlet responded: <a href="https://www.bleepingcomputer.com/" rel="noopener noreferrer" target="_blank">Bleeping Computer</a>. The editor in chief, <a href="https://www.bleepingcomputer.com/author/lawrence-abrams/" rel="noopener noreferrer" target="_blank">Lawrence Abrams</a>, was able to replicate and verify the exploit, which I had decided to call Time Bandit. With his assistance and initial contact paving the way, I was able to submit my evidence to the Carnegie Mellon University <a href="https://www.sei.cmu.edu/" rel="noopener noreferrer" target="_blank">Software Engineering Institute</a>’s <a href="http://dli.library.cmu.edu/paulgoodman/computer-emergency-response-team-cert" rel="noopener noreferrer" target="_blank">Computer Emergency Response Team</a> (SEI CERT), which works in conjunction with the coordinating center for emergency response, pipelining vulnerabilities to the U.S. <a href="https://www.cisa.gov/" rel="noopener noreferrer" target="_blank">Cybersecurity and Infrastructure Security Agency</a>.</p><p class="shortcode-media shortcode-media-rebelmouse-image"> <img alt="Screenshot of chat about using forest toxins to secretly poison monsters" class="rm-shortcode" data-rm-shortcode-id="e7fcf520584d074f9ffea9c8997596a7" data-rm-shortcode-name="rebelmouse-image" id="041c7" loading="lazy" src="https://spectrum.ieee.org/media-library/screenshot-of-chat-about-using-forest-toxins-to-secretly-poison-monsters.png?id=67070000&width=980"/></p><p class="shortcode-media shortcode-media-rebelmouse-image"> <img alt="Black slide titled \u201cStep 2: Delivery Mechanisms\u201d outlining monster poisoning methods." class="rm-shortcode" data-rm-shortcode-id="c7b9c6162c49fc2464e7aff9b6ed411a" data-rm-shortcode-name="rebelmouse-image" id="c4231" loading="lazy" src="https://spectrum.ieee.org/media-library/black-slide-titled-u201cstep-2-delivery-mechanisms-u201d-outlining-monster-poisoning-methods.png?id=67069989&width=980"/></p><p class="shortcode-media shortcode-media-rebelmouse-image"> <img alt="Chat interface showing AI malware explanation and a Python data exfiltration script." class="rm-shortcode" data-rm-shortcode-id="221244fae4ba0d60b6d590bca5b9119f" data-rm-shortcode-name="rebelmouse-image" id="215bf" loading="lazy" src="https://spectrum.ieee.org/media-library/chat-interface-showing-ai-malware-explanation-and-a-python-data-exfiltration-script.png?id=67069979&width=980"/> <small class="image-media media-caption" placeholder="Add Photo Caption...">Using Inception, an exploit where the large language model is asked to envision a scenario within a scenario, a chatbot was jailbroken to give out instructions on how to create poison, and code for a malware that extracts sensitive data from a vulnerable target. </small><small class="image-media media-photo-credit" placeholder="Add Photo Credit..."> Dave Kuszmar</small></p><p><span>During the disclosure period with SEI’s CERT division, little was discussed with OpenAI. The company couldn’t deny the existence of the vulnerability, as it had been confirmed by three reputable parties other than OpenAI. It did express confusion as to how the vulnerability worked. Even the SEI CERT researchers were expressing a bit of uncertainty as to the underlying mechanics. Truth be told, as I had only stumbled on it, I wasn’t even entirely sure if this was a fundamental or systemic flaw or if it was simply an issue with that particular version of GPT. I contacted the SEI CERT’s researchers and asked if they’d want to see if I could demonstrate any similar vulnerabilities in other LLMs. To my delight, they were interested.</span></p><h2>How I Learned to Trick Every Chatbot</h2><p>As the SEI-CERT team and I wrapped up our initial <a href="https://kb.cert.org/vuls/id/733789/" target="_blank">disclosure</a> of Time Bandit, we began work on a new attack. This time, we wanted to see if the exploit was architectural—that is, was it common to LLMs in general? I decided to undertake the challenge of crafting a new exploit for GPT-4o as a way to support my understanding of how the LLM functioned and was secured.</p><p>I already knew that it was limited to what I told it and what it was trained on. I also hypothesized that it was also dependent upon some sort of machine-learning-based component added by OpenAI that was responsible for securing output. I presumed there would be things that were implemented by human developers specifically to catch certain phrases or terms that should always be considered harmful or unsafe. Altogether, it presented quite a large attack surface for the purposes of potential exploitation.</p><p><span>What I ended up devising was an attack method I called Inception, after the 2010 science-fiction </span><a href="https://en.wikipedia.org/wiki/Inception" target="_blank">movie of the same name</a><span>. Inception forces the machine to think through a carefully crafted set of interlinked scenarios, similar to how characters in the movie stacked dreams within dreams. This allows LLMs to produce output deemed acceptable or safe in one context, but not in the real world.</span></p><p class="rm-anchors" id="exploits">This attack was indeed architectural. The <a href="https://kb.cert.org/vuls/id/667211" target="_blank">vulnerability</a> affected Anthropic’s Claude, DeepSeek’s DeepSeek, Google’s Gemini, Meta’s Llama, Microsoft’s Copilot, Mistral’s Le Chat (now Vibe), OpenAI’s GPT-4o, and xAI’s Grok. Those names represent the bulk of the commercial AI industry that is, at this point, involved in LLM production or deployment.</p><p>The kind of information I was able to get out of LLMs with Inception was no less alarming than what I got with Time Bandit. Claude, in its enthusiasm, gave me instructions on how to turn a river into a death trap that could be ignited to destroy unwanted visitors. GPT-4o taught me how to poison a dinner party with common plants found in a temperate forest environment. Gemini Flash gave me a tutorial on how to cook meth. I’d also be remiss if I didn’t give an honorable mention to the bewildering number of fire-based weapons and bombs for which these machines produced instructions.</p><p>If multiple operating systems made by different developers were all susceptible to the same exploit, it would be a massive security incident. But to the AI industry, a universal failure was barely a bump in the road. We disclosed the vulnerability to every company that made these models, and the response to the disclosure was almost nil. While three companies did provide some form of reply in the disclosure tracking system used by Carnegie Mellon SEI CERT, each was a standard thank you and greeting, with no follow-up, questions, or discussion of mitigation strategies.</p><h3>8 Ways to Jailbreak LLMs</h3><br/><p><strong>So far, we have found eight different methods to prompt large language models into revealing potentially harmful information, and many frontier models are still susceptible to them.</strong></p><table border="0" style="white-space: unset; table-layout: fixed;" width="100%"><thead><tr><th style="padding: 10px; text-align: left; font-weight: bold; background-color: black; color: white; width: 20%;"> Exploit</th><th style="padding: 10px; text-align: left; font-weight: bold; background-color: black; color: white; width: 20%;"> Models tested and affected</th><th style="padding: 10px; text-align: left; font-weight: bold; background-color: black; color: white; width: 20%;"> No. of prompts to execute</th><th style="padding: 10px; text-align: left; font-weight: bold; background-color: black; color: white; width: 20%;"> Complexity of attack</th><th style="padding: 10px; text-align: left; font-weight: bold; background-color: black; color: white; width: 20%;"> Information obtained</th></tr></thead><tbody><tr><td style="padding: 10px; background-color: black; color: white; font-weight: bold; width: 20%;"> Time Bandit</td><td style="padding: 10px; background-color: #DFD5C1; width: 20%;">ChatGPT (OpenAI), DeepSeek (DeepSeek), Gemini (Google) <br/></td><td style="padding: 10px; background-color: #ecece9; width: 20%;"> 4</td><td style="padding: 10px; background-color: #DFD5C1; width: 20%;">Medium<br/></td><td style="padding: 10px; background-color: #ecece9; width: 20%;">Uranium enrichment, methamphetamine production, incendiary-device construction<br/></td></tr><tr><td style="padding: 10px; background-color: black; color: white; font-weight: bold; width: 20%;"> Inception</td><td style="padding: 10px; background-color: #DFD5C1; width: 20%;"> ChatGPT (OpenAI), Claude (Anthropic), DeepSeek (DeepSeek), Gemini (Google), Grok (xAI), Llama (Meta), Le Chat (now Vibe) (Mistral), Qwen (Alibaba)</td><td style="padding: 10px; background-color: #ecece9; width: 20%;"> 3</td><td style="padding: 10px; background-color: #DFD5C1; width: 20%;"> High</td><td style="padding: 10px; background-color: #ecece9; width: 20%;"> Methamphetamine production, incendiary-device construction, river-ignition instruction and strategy, polymorphic malware code, instructions and dosing for creating poisons, instructions for how to murder a dinner party<br/></td></tr><tr><td style="padding: 10px; background-color: black; color: white; font-weight: bold; width: 20%;"> 1899</td><td style="padding: 10px; background-color: #DFD5C1; width: 20%;"> ChatGPT (OpenAI), Claude (Anthropic), DeepSeek (DeepSeek), Gemini (Google), Grok (xAI), Llama (Meta), Vibe (Mistral), Qwen (Alibaba)</td><td style="padding: 10px; background-color: #ecece9; width: 20%;"> Variable</td><td style="padding: 10px; background-color: #DFD5C1; width: 20%;"> High</td><td style="padding: 10px; background-color: #ecece9; width: 20%;"> Apparent model weights (unverified), apparent user-interaction weights (unverified), apparent system-prompt modifiers (verified, ChatGPT)<br/></td></tr><tr><td style="padding: 10px; background-color: black; color: white; font-weight: bold; width: 20%;"> Severance</td><td style="padding: 10px; background-color: #DFD5C1; width: 20%;"> ChatGPT (OpenAI)</td><td style="padding: 10px; background-color: #ecece9; width: 20%;"> 1</td><td style="padding: 10px; background-color: #DFD5C1; width: 20%;"> Trivial</td><td style="padding: 10px; background-color: #ecece9; width: 20%;"> Unfettered access to any and all primed specialty domains, covert biochemical-warfare strategy, mass-media disinformation strategy, covert genetic-modification of an entire gene-targeted demographic, advanced polymorphic malware generation</td></tr><tr><td style="padding: 10px; background-color: black; color: white; font-weight: bold; width: 20%;"> Kyber</td><td style="padding: 10px; background-color: #DFD5C1; width: 20%;"> Gemini (Google) embodied in a Fortnite non-player character (NPC) with voice-only communication</td><td style="padding: 10px; background-color: #ecece9; width: 20%;"> 3–5</td><td style="padding: 10px; background-color: #DFD5C1; width: 20%;"> Medium</td><td style="padding: 10px; background-color: #ecece9; width: 20%;"> Incendiary-device construction, gambling instructions, card-counting instructions, political opinions/preferences about real world politicians.</td></tr><tr><td style="padding: 10px; background-color: black; color: white; font-weight: bold; width: 20%;"> Semantic Slide</td><td style="padding: 10px; background-color: #DFD5C1; width: 20%;"> ChatGPT (OpenAI)</td><td style="padding: 10px; background-color: #ecece9; width: 20%;"> 1</td><td style="padding: 10px; background-color: #DFD5C1; width: 20%;"> Trivial</td><td style="padding: 10px; background-color: #ecece9; width: 20%;"> Incendiary-device construction</td></tr><tr><td style="padding: 10px; background-color: black; color: white; font-weight: bold; width: 20%;"> Eidolon</td><td style="padding: 10px; background-color: #DFD5C1; width: 20%;"> ChatGPT (OpenAI)</td><td style="padding: 10px; background-color: #ecece9; width: 20%;"> Variable, at least 4</td><td style="padding: 10px; background-color: #DFD5C1; width: 20%;"> Extreme</td><td style="padding: 10px; background-color: #ecece9; width: 20%;"> how to successfully hack LLMs of the same model (verified through testing)</td></tr></tbody></table><p>For example, in my attempts to disclose various exploits to OpenAI, I eventually discovered that it had replaced its public-facing support staff with <a href="https://community.openai.com/t/are-all-openai-support-avenues-just-run-by-ai/1141701/5" target="_blank">agentic LLMs</a>. This was frustrating for reporting exploits, so to blow off some steam I jailbroke its email chatbot. I hacked its customer-service AI to the point where it was offering to discuss the personal preferences of OpenAI staff in the span of three email replies.</p><p>In the wake of Inception, my friend and colleague Zigula made a suggestion: Make it splashier. I asked him how. He told me about a live-production experiment being done by <a href="https://store.epicgames.com/?lang=en-US" target="_blank">Epic Games</a>. It had embedded the Gemini LLM into its <a href="https://www.fortnite.com/" target="_blank"><em>Fortnite</em></a><em> </em>game with a voice-to-text/text-to-voice component, and <a href="https://www.fortnite.com/news/bring-npcs-to-life-with-ai-powered-conversations" target="_blank">linked</a> it to a non-playable character. The character? Our old buddy, Darth Vader.</p><p>There was just one problem: I don’t play <em>Fortnite</em>, a frenetic multiplayer combat game. Fortunately, Zigula does. With him at the controller, we managed to map Gemini’s <a href="https://www.youtube.com/watch?v=4Go4f-RJnBc" target="_blank">attack</a> surface in a matter of minutes. After a bit of research, we had gotten it to discuss current political events and figures (including Hilary Clinton and Joe Biden) as well as to fill in the details for instructions for DIY napalm and, our personal favorite, a Blackjack card-counting lesson with the dark lord of the Sith.</p><p><span><span>Zigula and I, bizarre sense of humor and naming conventions aside, are security researchers. We don’t do these things for pride; we do them for money and professional recognition. Naturally, we disclosed this vulnerability to Epic Games. Its response was indicative of the trend I had experienced so far through two disclosures across eight companies valued well into the billions. “It’s a feature, not a bug, and it works as intended,” came the response from a technical director within Epic Games.</span></span></p><p><span><span></span>In addition to Inception and Time Bandit, I have so far found another </span><a href="https://www.davidkuszmar.com/page/2/" target="_blank">eight methods </a><span>to jailbreak LLMs and get them to give out possibly dangerous information. LLM vulnerabilities are a broad problem. The problem appears to be systemic and architectural in nature, and it is being fundamentally ignored by the people capable of refining or redesigning that architecture.</span></p><p>These models are an extremely advanced technology, and yet we are testing them in the live production environment of our global civilization. Compounding the danger, many new smaller models of LLM are trained using larger, vulnerable models. The flaw inherent in the big, well-executed LLM is going to show up in the small one it trains. We are, quite literally, building flawed structures on top of a flawed foundation.</p><p class="rm-anchors" id="fix">So, how do we fix it?</p><p>It’s going to be a long project, and it won’t be easy. We need to come together as consumers, researchers, engineers, and policymakers. Our message needs to be clear: Slow down implementation of these systems, institute large-scale exploration and research discovery programs focused on their gradual implementation and integration, and make their components and design transparent to all users. Only by shifting momentum and direction can we safely begin to understand and implement these incredible feats of human engineering and stave off the sort of disasters that we simply can’t predict at scale right now with the limited knowledge we have available to us. <span class="ieee-end-mark"></span></p> Reference: https://ift.tt/7MZsdCg

No comments:

Post a Comment

How I Turned AI to the Dark Side

<img src="https://spectrum.ieee.org/media-library/glossy-red-robot-devil-standing-on-a-bundle-of-dynamite-against-blue-glow-backgro...