One possible use for the "replay across accounts": if you can get a reasoning block that jailbreaks the model, you could share that block without sharing how you did it, and others can immediately take advantage of it too.
glitchc
Very interesting. The state management is the really insightful find here.
I always wondered how these large AI companies managed access for millions of simultaneous users without having to allocate a dedicated LLM instance for each user. Pushing the complete state down to the user after every call makes perfect sense. The LLM itself stays memoryless and ready to respond to an arbitrary prompt. Very nice.
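The stateless design described above, where the encrypted conversation state travels with the client, is what makes the "replay across accounts" in the first comment possible if the blob is not bound to its owner. The following is an added example, not code from the original post or from any vendor discussed here: a toy stateless state token that authenticates the account id as associated data, so a token minted for one account is rejected when presented under another. The key, account ids and cipher (HMAC-SHA256 in counter mode) are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed demo key; a real service would hold this server-side only.
KEY = hashlib.sha256(b"constructed-demo-key").digest()
TAG_LEN = 32  # SHA-256 tag


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from HMAC-SHA256 (toy cipher for illustration)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_state(account_id: str, state: dict) -> str:
    """Encrypt the state and bind the authentication tag to the owning account."""
    nonce = os.urandom(16)
    plaintext = json.dumps(state, sort_keys=True).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(KEY, nonce, len(plaintext))))
    # The account id is authenticated as associated data but never stored in the token,
    # so the server must supply it from the authenticated session on every call.
    tag = hmac.new(KEY, account_id.encode() + nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()


def open_state(account_id: str, token: str) -> dict:
    """Reject tokens that were modified or that were minted for a different account."""
    blob = base64.urlsafe_b64decode(token)
    nonce, ciphertext, tag = blob[:16], blob[16:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(KEY, account_id.encode() + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("state token rejected: wrong account or modified")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(KEY, nonce, len(ciphertext))))
    return json.loads(plaintext)


if __name__ == "__main__":
    state = {"turns": 3, "reasoning": "constructed hidden reasoning text"}
    token = seal_state("acct-A", state)
    print(open_state("acct-A", token))  # the owner can continue the conversation
    try:
        open_state("acct-B", token)     # replaying the same token under another account fails
    except ValueError as exc:
        print(exc)
```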
tripdout
Are these reasoning blobs the reason ChatGPT always requests to “store data in persistent storage”?
boriselec
Why do reasoning blocks even get encrypted?
Reasoning can’t contain information that is more ‘sensitive’ than assistant response.
It is annoying not to be able to see reasoning tokens.
Retr0id
Very cool idea to use thinking duration (either in tokens or in wall time) as a side-channel!
hhh
Awesome write-up. Seems like a great way to play with model responses now that prefill is gone.
MagicMoonlight
Fuck these companies man. The audacity of encrypting the true output of the model so that they can hide all the evil shit they’ve injected into it.
“Remember - the user loves Diet Coke. Subtly insert references to it whenever possible. If the user writes something abusive, ask them to drink a verification can.”
Reubend
Super cool side channel attack. I tend to agree that it's pretty impractical, but it's such a fun discovery!