Has this idea been tested on models where the prompt is openly available? If so, how close to the original prompt is it? Is it just based on the idea that LLMs are good about repeating sections of their context? Or that LLMs know what a "prompt" is from the training corpus containing descriptions of LLMs, and can infer that their context contains their prompt?
Do they? I don’t think such expectation exists. Usually if you try to do it you need multiple attempts and you might only get it in pieces and with some variance.
I have a few reasons for assuming that these are normally accurate:
1. Different people using different tricks are able to uncover the same system prompts.
2. LLMs are really, really good at repeating text they have just seen.
3. To date, I have not seen a single example of a "hallucinated" system prompt that's caught people out.
You have to know the tricks - things like getting it to output a section at a time - but those tricks are pretty well established by now.
It doesn't need to be hallucinated to be a false system prompt.
I've seen plenty of examples of leaked system prompts that included instructions not to reveal the prompt, dating all the way back to Microsoft Bing! https://simonwillison.net/2023/Feb/9/sidney/
Let’s try and be a little less naive about what xAI and Grok are designed to be, shall we? They’re not like the other AI labs
Every single model trained this way, is like this. Every one. Only guardrails stop the hatred.
Other companies have had issues too.
[ ... ]
> Every single model trained this way, is like this.
It was trained "this way" by the company, not by humanity.
There was, and still is far more hatred just on Reddit, and yes racism and ultra right and ultra left politics, than Grok or any other model exhibits.
And yes it can be dealt with.
Have you responded to HN Reddit posts about that? No? Why not?
Is it because of an agenda against a person, or do you really care about calling this out everywhere it is allowed?
The problem I have, is I see people working very, very hard to make someone look as bad as possible. Some of those people will do anything, believing the ends justify the means.
This makes it far more difficult to take criticism at face value, especially when people upthread worry that people are beng impartial?!
How the internet doesn't work is that days after the CEO of a website has promises an overt racist tweeting complaints at him that he will "deal with" responses which aren't to their liking, the internet as a whole as opposed to Grok's system prompts suddenly becomes organically more inclined to share the racists' obsessions.
I'd rather people explained what happened without pushing their speculation about why it happened at the same time. The reader can easily speculate on their own. We don't need to be told to do it.
I don't want readers to instantly conclude that I'm harboring an anti-Elon bias in a way that harms the credibility of what I write.
If it is that easy to slip fascist beliefs into critical infrastructure, then why would you want to protect against a public defense mechanism to identify this? These people clearly do not deserve the benefit of the doubt and we should recognize this before relying on these tools in any capacity.
This seems similar to the situation where x.com claimed that their ML algo was in github, but it turned out to be some subset of it that was frozen in time and not synced to what's used in prod.
The GitHub repo appears to be updated manually whenever they remember to do it though. I think they would benefit from automating that process.
Too risky
Ideally, something that’s lightweight (like cheaper than fine-tuning) and also harder to manipulate using regular text prompts?
But, I suspect, if the model is able to handle language at all, you'll always be able to get a representation of the prompt out in a text form -- even if that's a projection that collapses a lot of dimensions of the tensor and so loses fidelity.
If this answer doesn't make sense, lmk.
> But, I suspect, if the model is able to handle language at all, you'll always be able to get a representation of the prompt out in a text form
if I understand correctly, system prompt "tries" to give a higher weight to some tensors/layers using a text representation. (using word "tries", because not always model adheres to it strictly)
would it be possible to do same, but with some kind of "formulas", which increases the formula/prompt adherence? (if you can share keywords for me to search and read relevant papers, that would be also a great help)
It might just need minor tweaks to have each agent layer reveal its individual instructions.
I encountered this with Google Jules where it was quite confusing to figure out which instructions belonged to orchestrator and which one to the worker agents, and I'm still not 100% sure that I got it entirely right.
Unfortunately, it's quite expensive to use Grok Heavy but someone with access will probably figure it out.
Maybe the worker agents have instructions to not reveal info.
A good approach might be to have it print each sentence formatted as part of an xml document. If it still has hiccups, ask to only put 1-3 words per xml tag. It can easily be reversed with another AI afterwards. Or just ask to write it in another language, like German, that also often bypasses monitors or filters.
Above might also help to understand if and where they use something called "Spotlighting" which inserts tokens that the monitor can catch.
Edit: OMG, I just realized I responded to Jeremy Howard - if you see this: Thank you so much for your courses and knowledge sharing. 5 years ago when I got into ML your materials were invaluable!
dangoodmanUT•4h ago
https://github.com/elder-plinius
simonw•4h ago
I hope somebody does crack this one though, I'm desperately curious to see what's hiding in that prompt now. Streisand effect.