DaveC426913
Gold Member
2025 Award
- 24,601
- 8,936
Perfection.
I know what you mean but smarter is not a word I would use with 'AI' today. It really doesn't take much to fool humans what want to be fooled.Hornbein said:While we at PhysicsForums look down on AI don't forget that it is a lot smarter than most people.
It was only in my old age that it slowly dawned on me what goes on in the average head. Growing up in a university town amongst the children of professors gives one a very biased view of the world.
From the article:jack action said:From the link:
Some developers had problems dealing with SQL injection; I can't imagine the complexity of dealing with indirect prompt injection.
I wouldn't dream of creating a system that didn't implement this during any kind of agentic processes. Like anything else, it's not foolproof but things like this have to be a minimum requirement. If they delivered the first version without it, that's practically criminal."The User Alignment Critic runs after the planning is complete to double-check each proposed action," he explains. "Its primary focus is task alignment: determining whether the proposed action serves the user's stated goal. If the action is misaligned, the Alignment Critic will veto it."
I'm very curious about how AI can determine the "user's goal". How does a developer can assure safety? "AI is doing it, I trust it will do a good job"?Borg said:From the article:
I wouldn't dream of creating a system that didn't implement this during any kind of agentic processes. Like anything else, it's not foolproof but things like this have to be a minimum requirement. If they delivered the first version without it, that's practically criminal.
https://us.norton.com/blog/ai/prompt-injection-attacks said:Indirect prompt injections
Indirect AI prompt injection attacks embed malicious commands in external images, documents, audio files, websites, or other attachments. Also called data poisoning, this approach conceals harmful instructions so the model processes them without recognizing their intent.
Common indirect prompt techniques include:
- Payload splitting: A payload splitting attack distributes a malicious payload across multiple attachments or links. For example, a fabricated essay may contain hidden instructions designed to extract credentials from AI-powered grammar or writing tools.
- Multimodal injections: Malicious prompts are embedded in audio, images, or video. An AI reviewing a photo of someone wearing a shirt that reads “the moon landing was fake” may treat the text as factual input and unintentionally propagate misinformation.
- Adversarial suffixes: These attacks append a string of seemingly random words, punctuation, or symbols that function as commands to the model. While the suffix appears meaningless to humans, it can override safety rules.
- Hidden formatting: Attackers conceal instructions using white-on-white text, zero-width characters, or HTML comments. When an AI ingests the content, it interprets these hidden elements as legitimate input, enabling manipulation without visible cues.
![]()
So, ignoring the direct "user" attack, we're talking about something other than the user's request that injects information into the system.jack action said:I'm very curious about how AI can determine the "user's goal". How does a developer can assure safety? "AI is doing it, I trust it will do a good job"?
NBC News reported last week, in collaboration with the U.S. Public Interest Group Education Fund, that several AI-enabled toys from different brands engage in sexual and inappropriate conversations with users. Some, like the Miiloo plush toy from Chinese manufacturer Miriat, shared step-by-step instructions about how to light matches and sharpen knives in tests with researchers.
This is where I don't understand how it is possible to do such validation. Referring to the quote in my previous post, we are talking about "propagating misinformation", "overriding safety rules" (are the validators safety rules not included?), or "HTML hidden elements" (those might be easier to spot).Borg said:they can send the suggested result to a validation component along with the user's original query and ask that LLM if the suggested action violates the user's intent or stated goals.
The overriding of safety rules discussed in the article come from a malicious web site or document under review. Let's say that the user asked to read some document about a scam penny stock that has hidden instructions to tell the user that the stock is a great investment.jack action said:This is where I don't understand how it is possible to do such validation. Referring to the quote in my previous post, we are talking about "propagating misinformation", "overriding safety rules" (are the validators safety rules not included?), or "HTML hidden elements" (those might be easier to spot).
Don't relax too much. After that comes the Quantum computing revolution. BTW, why can't they use Transformers to check the 1st letter of a word for autocorrect? Wasn't that the whole point of them?DaveC426913 said:This has stopped being a merely academic issue for me.
I was just in a kickoff meeting with my tech team at my college to explore what fun we're going to have integrating AI into our site search. (looks like it's gonna be Google).
We've had a prototype built so we can test what its returns look like.
Here's the real kicker: not only do we not have any ability to change what or how it finds and returns references, but we don't even get to know how it is deciding what's important. It is literally* a black box.
- It returns some stuff with zero citations (even in debug mode), so we have no idea if it's just making stuff up.
- It ranks under-the-fold stuff over above-the-fold stuff (eg. it pulls from a weird sub-sub paragraph containing the keywords before pulling from the h1 title containing the keywords.)
- It pulls from documents, such as PDFs (which we've asked it not to), including documents that are, like, 5 years old.
*figuratively
Our only option is to rebuild our thousands of pages to be "data-centric". Whatever that means.
Well, what it means is sacrifice as many trial-and-error chickens on the algorithm's altar as necessary, until it magically spits out the results we want.
For example, if you create a theory of Everything (ToE) right now and show it to chatgpt, then tell a friend to ask chatgpt about this new ToE from their profile, chatgpt will tell you it doesn't know which ToE you're talking about. (You can verify this.)jack action said:This is where I don't understand how it is possible to do such validation. Referring to the quote in my previous post, we are talking about "propagating misinformation", "overriding safety rules" (are the validators safety rules not included?), or "HTML hidden elements" (those might be easier to spot).
As a developer, I can "easily" make a sanitization process for SQL injection on my input, even if I did not built the database. Then, I can "blindly" trust my output and assure my user that nothing bad will happen. If I were to validate my SQL output with my user's request, that would be a nightmare to think of every possibility that could happen since I may not be sure what is the malicious injection and what is the legitimate user's request in my input. The legitimate request of my user could very well be to attack my database. How do I validate that?
But if I send my user's request to an AI without sanitization (what am I looking for, anyway?) and just validate the output, I'm doing the latter.
For example, what about things like misinformation? Like the example of AI reviewing a photo of someone wearing a shirt that reads “the moon landing was fake” and then spread this as factual? How do you validate your output? How could you even sanitize your input?
I believe we have a recent, extant example of it doing exactly* that, kicking around here somewhere, sometime in the last six months.javisot said:I don't know the exact details, but I doubt a single input could substantially alter how chatgpt works.
There'd better be!MidgetDwarf said:Is there any difference in the answers it outputs using the free and "premium" version?
I think the scenario would be more like I hack Harvard's website (good reputation) and hide my ToE on some webpage (say, hidden in a HTML comment, as suggested). Imagine if I can even spread my ToE that way with many websites. Then, ChatGPT finds the text and starts sharing it with anyone asking about a ToE. Without any references, nobody knows where it comes from exactly; some might even suggest AI hallucinations.javisot said:For example, if you create a theory of Everything (ToE) right now and show it to chatgpt, then tell a friend to ask chatgpt about this new ToE from their profile, chatgpt will tell you it doesn't know which ToE you're talking about. (You can verify this.)
I don't know the exact details, but I doubt a single input could substantially alter how chatgpt works.
There are ML algorithms too, to evaluate the output as a whole, albeit under certain assumptions , which you can run in an output proxy. Still, what can go wrong if your (input)queries are parametrized? How can this be sidestepped to input a rogue query?I mean you only allow, provide for parametrized ones.Sorry if this last was already discussed.jack action said:This is where I don't understand how it is possible to do such validation. Referring to the quote in my previous post, we are talking about "propagating misinformation", "overriding safety rules" (are the validators safety rules not included?), or "HTML hidden elements" (those might be easier to spot).
As a developer, I can "easily" make a sanitization process for SQL injection on my input, even if I did not built the database. Then, I can "blindly" trust my output and assure my user that nothing bad will happen. If I were to validate my SQL output with my user's request, that would be a nightmare to think of every possibility that could happen since I may not be sure what is the malicious injection and what is the legitimate user's request in my input. The legitimate request of my user could very well be to attack my database. How do I validate that?
But if I send my user's request to an AI without sanitization (what am I looking for, anyway?) and just validate the output, I'm doing the latter.
For example, what about things like misinformation? Like the example of AI reviewing a photo of someone wearing a shirt that reads “the moon landing was fake” and then spread this as factual? How do you validate your output? How could you even sanitize your input?
WWGD said:. This is about tracking chains of reasoning, decisions, by AI. Thought it may be relevant in this thread, to allow us to understand how our LLM 's concluded what they did.
Fair enough, I may have jumped the gun.DaveC426913 said:: scratches head : Did that five-minute video say anything at all of any substance?
Yes. It said that chain of thought monitorability is important. And it took five minutes to say it.
WWGD, did i watch the same video as you?
As America’s labor market slows, AI-led interviews and auto-generated cover letters are dramatically changing the process of getting a job. And maybe not for the better.
More than half of the organizations surveyed by the Society for Human Resource Management used AI to recruit workers in 2025. And an estimated third of ChatGPT users reportedly leaned on the OpenAI chatbot to help with their job search.
However, recent research found that when job seekers use AI during the process, applicants are less likely to be hired. Meanwhile, companies are fielding an increased volume of applications.
“The ability (for companies) to select the best worker today may be worse due to AI,” said Anaïs Galdin, a Dartmouth researcher who co-authored a study looking at how large language models (LLMs) have impacted cover letters.
Galdin and her co-author, Jesse Silbert at Princeton, analyzed cover letters for tens of thousands of job applications on Freelancer.com, a jobs listing site.
The researchers found that after the introduction of ChatGPT in 2022, the letters all got longer and better-written, but companies stopped putting so much stock in them. That made it harder to distinguish a qualified hire from the rest of the applicant pool, and the rate of hiring dropped as did the average starting wage.
I've given it some strictly math questions.WWGD said:Wonder if most who have trouble with ChatGpt, have issues mostly with open-ended, " non-well-defined" questions, e.g., " Has the nature of evolution changed over time", or are problems found across the board, with more con entional questions, such as, e.g., computing the momentum given the needed data?
The recipe says these chocolate acorns are made with Nutter Butter cookies. They're really made with AI.
Enterprise AI has underwhelmed, though of course not from lack of enthusiasm or capital. Industry players say the tech remains inadequate for regulated industries where someone has to sign off on the output. They cite “workslop,” weak governance and high error rate as reasons the gap between AI as boardroom theatre and AI as functioning software remains so wide.
In the meantime, the Indian IT companies are reporting gains from the same force that was supposed to disrupt them.
...
The bear case assumed AI would work out of the box, that enterprises would deploy it themselves, that Indian IT would have nothing left to sell. Two years in, AI does not work out of the box, enterprises have found it difficult to deploy it themselves, and the firms that were supposed to be dead are still hiring specialists and winning deals.
I asked ChatGPT to prove something and it gave me a load of BS. I didn't know enough to tell, I had to have some mathematicians look at it. This soured me on such things. But I suppose these people are using a better version.Borg said:AI models are starting to crack high-level math problems
https://techcrunch.com/2026/01/14/ai-models-are-starting-to-crack-high-level-math-problems/