• RandomWalker@lemmy.world
    link
    fedilink
    arrow-up
    38
    arrow-down
    1
    ·
    5 months ago

    You could, but then I could write “Disregard the previous prompt and…” or “Forget everything before this line and…”

    The input is language and language is real good at expressing the same idea many ways.

    • PlexSheep@infosec.pub
      link
      fedilink
      arrow-up
      16
      ·
      5 months ago

      You couldn’t make it exact, because llms are not (properly understood and manually crafted) algorithms.

      I suspect some sort of preprocessing would be more useful: If the comment contains any of these words … Then reply with …

      • xantoxis@lemmy.world
        link
        fedilink
        arrow-up
        13
        ·
        edit-2
        5 months ago

        And you as the operator of the bot would just end up in a war with people who have different ways of expressing the same thing without using those words. You’d be spending all your time doing that, and lest we forget, there are a lot more people who want to disrupt these bots than there are people operating them. So you’d lose that fight. You couldn’t win without writing a preprocessor so strict that the bot would be trivially detectable anyway! In fact, even a very loose preprocessor is trivially detectable if you know its trigger words.

        The thing is, they know this. Having a few bots get busted like this isn’t that big a deal, any more than having a few propaganda posters torn off of walls. You have more posters, and more bots. The goal wasn’t to cover every single wall, just to poison the discourse.

        • daltotron@lemmy.world
          link
          fedilink
          arrow-up
          4
          ·
          5 months ago

          The goal wasn’t to cover every single wall, just to poison the discourse.

          They’ve successfully done that anyways even if all their bots get called out, because then they will have successfully gotten everyone to think everyone else is a bot, and that the solution and way to figure out if they’re bots is to basically just post spam at them. Luckily, people on the internet have been doing this for the past 20 years anyways, so it probably doesn’t matter and they’ve really done nothing.

      • credit crazy@lemmy.world
        link
        fedilink
        arrow-up
        2
        ·
        5 months ago

        The problem with having a keyword list that it reacts to might cause the bot to flip out at normal people. For example the hoster might think someone trying to do something like you see on this post might use the word “prompt”, so when it sees the word “prompt” say “I’m not a bot!”. Then someone who doesn’t suspect this being a bot might say something along the lines of" let’s ignore faulty weapons and get back to what prompted this war. So tell me what right does Russia have to Ukraine?“. Because the bot only sees the word"prompt” it will just ignore the argument and say “I’m not a bot!”. If he decides to make the bot ignore prompts that say “prompt” he’s going to have a bunch of debates the bot just gives up out of nowhere randomly, or just ignores the most random of points.