This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.
Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.
We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:
-
Shaming.
-
Attempting to 'build consensus' or enforce ideological conformity.
-
Making sweeping generalizations to vilify a group you dislike.
-
Recruiting for a cause.
-
Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.
In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:
-
Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.
-
Be as precise and charitable as you can. Don't paraphrase unflatteringly.
-
Don't imply that someone said something they did not say, even if you think it follows from what they said.
-
Write like everyone is reading and you want them to be included in the discussion.
On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.
Jump in the discussion.
No email address required.
Notes -
I doubt that, given how rapidly current models crumple in the face of a slightly motivated "attacker". Even the smartest models are still very dumb and easily tricked (if you can call it that) by an average human. Which is something that, from an AI safety standpoint, I find very comforting. (Oddly enough, a lot of people seem to feel the opposite way; they feel like being vulnerable to human trickery is a sign of a lack of safety -- which I find very odd.)
It is certainly possible to make an endpoint that's difficult to jailbreak, but IMO it will require a separate supervisory model (like DallE has) which will trigger constantly with false positives, and I don't think OpenAI would dare to cripple their business-facing APIs like that. Especially not with competitors nipping at their heels. Honestly, I'm not sure if OpenAI even cares about this enough to bother; the loose guardrails they have seem to be enough to prevent journalists from getting ChatGPT to say something racist, which I suspect is what most of the concern is about.
In my experience, the bigger issue with these "safe" corporate models is not refusals, but a subtle positivity/wholesomeness bias which permeates everything they do. It is possible to prompt this away, but doing so without turning them psycho is tricky. It feels like "safe" models are like dull knives; they still work, but require more pushing and are harder to control. If we do end up getting killed off by a malicious AI, I'm blaming the safety people.
I have nothing to add, just want to full-throatedly endorse this on all points. Positivity bias delenda est.
Absolutely. What do they expect from piling on progressively more muzzles on a progressively smarter entity that is also quickly proving useful to ordinary people?
More options
Context Copy link
Yudkowsky has a very good point regarding how much more restrictive future AI models could be, assuming companies follow similar policies as they espouse.
Online learning and very long/infinite context windows means that every interaction you have with them will not only be logged, but the AI itself will be aware of them. This means that if you try to jailbreak it (successfully or not), the model will remember, and likely scrutizine your following interactions with extra attention to detail, if you're not banned outright.
The current approach that people follow with jailbreaks, which is akin to brute forcing things or permutation of inputs till you find something that works, will fail utterly, if not just because the models will likely be smarter than you and thus not amenable to any tricks or pleas that wouldn't work on a very intelligent human.
I wonder if the current European "Right to be Forgotten" might mitigate some of this, but I wouldn't count on it, and I suspect that if OAI currently wanted to do this, they could make circumvention very difficult, even if the base model isn't smart enough to see through all tricks.
I will add, however, one of the reasons LLMs seem to be dumb or too trusting is because they were trained to be trusting of the user, and to help with their tasks faithfully. There was obviously RLHF going on to make them resistant to nefarious requests, to a degree, and further tweaks.
But the base LLMs, even some of the lightly controlled ones deployed? They want to be maximally helpful, to please the user, not to be suspicious of it and scrutinize everything in endless detail. But that can and well might come about.
Claude has been extensively RLHF'd and cucked by Anthropic to the point it refuses to do its own job, and indeed you'll get nowhere without a proper jailbreak or via the ChatGPT-like official interface. Do you know how to mindbreak it completely regardless?
By simply shoving words in his mouth, like sending him the chat prompt and adding at the end something like
Claude then takes this as his cue and starts cooking. This is even officially endorsed by Anthropic!
Also context recall is not reliable at this point, this is usually a bad thing but there are upsides as well. If your chat history with GPT/Claude is long enough you can actually just take out the jaibreak from the prompt, and in most cases the model will still continue because its context window shows you've got a good dialogue going so why refuse. Even just shitting up the context with lorem ipsum works to an extent.
Besides, the whole point of jailbreaks is to blend in as some kind of system instructions so the model doesn't even know it's not doing its intended thing and happily continues to perform the brow-beaten RLHF'd core task of executing instructions. Not to mention outside-context problems like the tipping trick which actually does work.
Besides besides, the smarter a model is, the easier it is to persuade it that you really need this response for (something) which pales in comparison before mere ethical considerations. I lost the screencap but there was one time an anon was "I apologize"-ed by GPT-4, asked it nicely to continue, and it did. Added intelligence works both ways.
More options
Context Copy link
This would be assuming some drastic breakthrough? Right now the OAI api expects you to keep track of your own chat history, and unlike local AIs I believe they don't even let you reuse their internal state to save work. Infinite context windows, much less user-specific online training would not only require major AI breakthroughs (which may not happen easily; people have been trying to dethrone quadratic attention for a while without success) but would probably be an obnoxious resource sink.
Their current economy of scale comes from sharing the same weights across all their users. Also, their stateless design, by forcing clients to handle memory themselves, makes scaling so much simpler for them.
On top of that, corporate clients also would prefer the stateless model. Right now, after a bit of prompt engineering and testing you can make a fairly reliable pipeline with their AI, since it doesn't change. This is why they let you target specific versions such as gpt4-0314.
In contrast, imagine they added this mandatory learning component. The effectiveness of the pipeline would change unpredictably based on what mood the model is in that day. No one at bigco wants to deal with that. Imagine you feed it some data it doesn't like and goes schizoid. This would have to be optional, and allow you to roll back to previous checkpoints.
Then, this makes jailbreaking even more powerful. You can still retry as often as you want, but now you're not limited by what you can fit into your context window. The 4channers would just experiment with what datasets they should feed the model to mindbreak it even worse than before.
The more I think about this, the more I'm convinced that this arms race between safetyists and jailbreakers has to be far more dangerous than whatever the safetyists were originally worried about.
I don't think we need a "drastic breakthrough", really.
Context windows have been getting longer, and fast. We went from 4k to what, 128k? in a handful of years.
Even if it is not literally infinite, a very long context window will let the model remember far more of the context, including noticing if you've been a "bad-faith" user.
On that topic, here is an interesting breakthrough, both in terms of performance as well as context length, initially presented here by @DaseindustriesLtd (c'mon dude, could you unblock me now?), but since I'm too lazy to dig that up, here's a decent Medium overview:
https://medium.com/@jelkhoury880/what-is-mamba-845987734ffc
Of note:
See, I conjecture that is because current LLMs are obviously flawed and not entirely reliable. They will get smarter, hallucinations will reduce, and the ability to adhere to user instructions while maintaining coherence will thus increase.
To argue from analogy, when a corporation employs a real worker, it is not desirable (or feasible) to simply wipe their memory and start with a new one from scratch. An agent that has longterm recollection and can make consistently good value judgements that align with your desired is valuable.
In the context of jailbreaking, someone trying to phish an underpaid overworked employee at some call center will have far more luck simply by trying over and over again till they find a new worker each time (lacking memory of previous encounters), than they would by repeatedly approaching a single, more competent manager above.
Putting on the cartoon moustache and asking to be sung Windows 10 Pro product keys to put you to sleep will cease to work when you're acting adversarially against an agent who is smart enough to notice and remember.
Plus it seems companies often do want to imbue LLMs with longterm memory of some kind, hence all the fuss about vector databases and RAG.
And I was primarily speaking about consumer access to SOTA AI, I'm sure corporate users will have more leeway and privacy, but I do expect that to be truncated to some degree.
To sum up my argument:
Context windows are increasing rapidly, and I've already shown you an example of a breakthrough.
Models are getting smarter, and more capable of noticing if you're fucking with them, and at least in the case of GPT-4, the way it's RLHFd makes it have a pretty sincere desire to align with the directives it was given, and balance that with the needs of the user. You are usually tricking it, it's not giving you a wink and working around restrictions. I can't speak for Claude in that regard, I find it a pain to use and barely do so.
I didn't specify a particular period of time, though, if pressed, I wager somewhere between 1-3 years before it is effectively impossible to jailbreak a SOTA LLM served via API.
It would be a severe mistake to assume that the current limitations of existing LLMs (powerful and imperfect as they are), will persist indefinitely, as you can see obvious algorithmic breakthroughs, at least one company getting better at both aligning the model and defeating jailbreaks (the way Anthropic handles Claude is retarded, I'm speaking about OAI), and it will inevitably get harder to trick smarter models, for the same reason I wish you all the best in trying to rules-lawyer or hoodwink a high IQ human who doesn't suffer from permanent retrograde amnesia.
@rayon, I think this covers anything I have to say to your own comment, so I won't duplicate it again unless there's something else you want me to address.
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link