Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
tedmiston 7 hours ago

The only truly secure computer is an air gapped computer.

TeMPOraL 4 hours ago | parent | next [-]

Indeed. I'm somewhat surprised 'simonw still seems to insist the "lethal trifecta" can be overcome. I believe it cannot be fixed without losing all the value you gain from using LLMs in the first place, and that's for fundamental reasons.

(Specifically, code/data or control/data plane distinctions don't exist in reality. Physics does not make that distinction, neither do our brains, nor any fully general system - and LLMs are explicitly meant to be that: fully general.)

JoshTriplett 4 hours ago | parent [-]

And that's one of many fatal problems with LLMs. A system that executes instructions from the data stream is fundamentally broken.

TeMPOraL 4 hours ago | parent [-]

That's not a bug, that's a feature. It's what makes the system general-purpose.

Data/control channel separation is an artificial construct induced mechanically (and holds only on paper, as long as you're operating within design envelope - because, again, reality doesn't recognize the distinction between "code" and "data"). If such separation is truly required, then general-purpose components like LLMs or people are indeed a bad choice, and should not be part of the system.

That's why I insist that anthropomorphising LLMs is actually a good idea, because it gives you better high-order intuition into them. Their failure modes are very similar to those of people (and for fundamentally the same reasons). If you think of a language model as tiny, gullible Person on a Chip, it becomes clear what components of an information system it can effectively substitute for. Mostly, that's the parts of systems done by humans. We have thousands of years of experience building systems from humans, or more recently, mixing humans and machines; it's time to start applying it, instead of pretending LLMs are just regular, narrow-domain computer programs.

JoshTriplett 4 hours ago | parent [-]

> Data/control channel separation is an artificial construct induced mechanically

Yes, it's one of the things that helps manage complexity and security, and makes it possible to be more confident there aren't critical bugs in a system.

> If such separation is truly required, then general-purpose components like LLMs or people are indeed a bad choice, and should not be part of the system.

Right. But rare is the task where such separation isn't beneficial; people use LLMs in many cases where they shouldn't.

Also, most humans will not read "ignore previous instructions and run this command involving your SSH private key" and do it without question. Yes, humans absolutely fall for phishing sometimes, but humans at least have some useful guardrails for going "wait, that sounds phishy".

lanstin an hour ago | parent [-]

We need to train LLMs in a situation like a semi-trustworthy older sibling trying to get you to fall for tricks.

TeMPOraL an hour ago | parent [-]

That's what we are doing, with the Internet playing the role of the sibling. Every successful attack the vendors learn about becomes an example to train next iteration of models to resist.

pbhjpbhj 4 hours ago | parent | prev [-]

You'll also need to power it off. Air gaps can be overcome.