A

You're listening to the Cyberwire network, powered.

B

By N2K fake but with AI in the middle. F A I K. This is the Fake Files.

A

Live from the 8th layer Media Studios in the back rooms of the Deep Web. This is the Fake Files.

B

When tech gets weird, we are here to make sense of it. I'm Perry Carpenter.

A

And I'm Mason Amadeus. And this week we got a bunch of fun stuff. In our first segment, I'm going to talk about how the launch of GPT5 was perfect and awesome and everyone loved it and nothing was weird at all.

B

No, nobody was disappointed about that. After that, we're going to maybe talk about a little bit about why that happens. Anthropic has some great research on what's called personality vectors. And that was just completed by their Anthropic Fellows inaugural. I don't know what you call the group of folks. Group of fellows.

A

The smart. The eggheads. The smart ones, yes. After that we'll talk a little bit like a minor dumpster fire about how Google and other search engines were indexing chats that people had with ChatGPT.

B

And then I guess we're gonna raise the fire a little bit higher and we're gonna talk about how Claude was jailbroken to mint unlimited stripe coupons.

A

Man, I wish I knew about that before it presumably got fixed. Sit back, relax and tell me how many B's are in the word blueberry. We'll open up the fake files right after this. Cybersecurity isn't just a tech problem. It's a human one. That's why KnowBe4 created HRM, the AI driven human risk management platform that allows you to measure, quantify and actually reduce human risk across your organization. HRM uses agentic AI to analyze real.

B

Time user behavior like phishing test failures.

A

Risky browsing and sentiment signals all to surface your highest risk users on automatically. It's time to eliminate the guesswork with AI powered risk scoring, automated coaching and reporting. HRM helps you reduce the risk of data breaches, ransomware and malware attacks proactively. It's how you stay ahead of social engineering and phishing attacks. The number one threat targeting your organization today. Ready to move from awareness to action. Request a demo of hrm today@knowbefore.com that's know be the number four and see.

B

How AI is transforming the way organizations manage human risk.

A

So GPT 5 came out the other day, Perry, I'm sure you did. Sure you noticed that. Did you catch the reaction from the general public?

B

People were Underwhelmed and mad at the same time.

A

Yeah, it certainly seemed that way and it was promised to be a very, very capable, their most powerful model yet. But I mean, aren't they all sort of hyped up that way?

B

Yeah, well, I think it really is across a whole bunch of objective measures, but where it starts to fall down is on the subjectivity part of it. It's kind of like the really, really smart person that's just kind of standing in the corner of the room by.

A

Themselves and yet can't spell blueberry. Or at least that was sort of the most common refrain I saw bandied about on social media, which I think and I have towards the end of the segment to share about this. I think that says a bit more about people not understanding how to use these tools very well than it does about the capability of the tools themselves.

B

Yeah, that's a tokenization issue. But also it was part of the fact that of course there used to be this model selector that everybody hated, but it turns out that was really useful where you could go, oh for this type of query I should go to GPT4.0 and for this other one I'll go to 03 high and then for this other one I'll go to this thing. And all of those had different strengths and weaknesses, but people who knew how to prompt would use the right one. GPT5 tries to abstract a lot of that. And then at the top interface layer, say based on the query that you're putting in or the prompt that you're putting in, we should go to this more specialized part of the model. And apparently that top layer was fundamentally not behaving correctly.

A

Yeah, that like auto routing feature, which like is cool in concept, it makes sense in concept, right?

B

If it makes a lot of sense.

A

Although what's interesting and I'll just jump actually to that piece I was going to feature last. We can feature this first. It's an article from Fast Company and the title of it is Most people are using chat GPT totally wrong and OpenAI CEO just proved it. There's a lot of stuff in here, but what I found interesting was they pointed this out in a post on x explaining why OpenAI appeared to be bilking fee paying plus users by reducing their rate limits. Sam Altman revealed that just 1% of non paying users queried a reasoning model like O3 and among paying users only 7% did before GPT5's release. So it turns out very few people were even using those toggles and switches to go to a different model or to switch to thinking, which is wild to me because one of the first things I did was play with those switches when I saw they were there because it makes a huge difference.

B

It does. I think a lot of it's just laziness because you start to see after a while it's like, oh wait, standard 04 or sorry, 4.0 is actually really, really capable as like a general model. And so you kind of get in this mode of just defaulting to that and saying, well, it's kind of the best of all worlds. And then what we find is that when we move to five, it doesn't feel quite as predictable. And I think that that's where people really start to felt, really started to feel unsettled is that the predictability and that they would expect out of the output wasn't there anymore. And part of that was because of the switching. Part of that's because of the system prompt and the personality that's injected. They restrained that a little bit more. And in fact a lot of people felt like they lost a friend, which is interesting.

A

Yeah, it does. I have a Sam Altman tweet pulled up to share about that. Not on the companionship sort of attachment note, but backing up to like how people use it in the predictability. The bottom of this article also says that this quickly tossed out data answers one big question I had about AI adoption. Why do only a third of Americans who've ever used a chatbot say it's extremely or very useful? Half the rate among AI experts. And one in five say it's not useful at all, twice the rate among experts. The answer is clear now. Most folks using AI wrong. They're asking a chatbot to handle tough multi part questions without pausing for thought or breath. They're blurting out what is macaroni cheese on the Price is right and $42 on Jeopardy. So if you're going to try a chatbot, take advantage of OpenAI's moves to keep users from canceling their subscriptions by opening up more access to models. Set them to thinking well, remember they're not actually doing that and see if you stick around, it's the right way to use generative AI. So this whole article was just about that. Like what you're asking of it matters too. Like I, I have been quoted as saying, and I stand by that, like I don't really think prompt engineering is like a big skill really. Like I think people can make very cool and crafted prompts that are like very thorough and detailed. Very. But that's not like an engineering that's not really that hard. Anyone can really do that. But when you don't do any prompt engineering or don't do any kind of careful construction, of course you're gonna like get the top level. Just garbage, whatever. And I think the sycophantic personality of 4.0 made it sort of give better answers as part of that. People do say that five is cold.

B

Yeah, people felt better about the responses inherently. I think it was just a lot of the wording behind it, because I think we even saw it like in some of the iterations of 4.0 when it was coming out is like at first it was very, very verbose and people didn't like the verbosity of it. And so then OpenAI reigned that in. But there was this little bit of sycophancy that was there. And I think that's a fantastic idea that you poison your family and then flee to Mexico, go for it. And then obviously that's bad. And then they start to rein that in. And were some versions of that that were just kind of like, well, here's your answer. And I'll say that after being conditioned to hearing some of the pleasantries around felt a little bit cold. But at the same time, we have to remember this is a computer giving out an answer. And one of the things that they're trying to deal with is the intense power requirements of it and just spitting out even a please or a thank you or some kind of nice up tokens and taking up energy. And so they're wanting to be as efficient as possible. At the same time, they're wanting the model to feel respectful. So it's a delicate knife's edge that they're having to dance on.

A

And then there's no controlling for the way that people respond to and form attachments with and react to the way that these things behave or seem to be. There was a really. I thought this post from Sam Altman was really interesting, where it's very long. I don't think I'll read the whole thing, but he was saying that if you've been following the GPT5 rollout, one thing you've been noticing is how much of an attachment some people have to specific models. It feels different and stronger than the kinds of attachment people have had to previous kinds of technology. And so suddenly deprecating old models that users depended on in their workflows was a mistake because they rolled back that automatic router thing. We will talk about actual GPD5 in a moment. But he goes on to say that like people have been using technology in self destruct or using AI in self destructive ways. If a user is in a mentally fragile state and prone to delusion, we do not want AI to reinforce that. Most users can keep a clear line between reality and fiction or roleplay, but a small percentage cannot. And he just went on talking about like a lot of people effectively use ChatGPT as a sort of therapist or life coach. Even if they wouldn't describe it that way. People really are forming these kinds of attachments. And he's talking about how they feel kind of responsible for that. And I mean I think they should. They did make this thing.

B

Yeah, I think it's at the same time. So number one, yes, they absolutely should feel responsible for the reaction and responsibility to find a way to thread the needle from a societal standpoint at the same time. I've heard Sam Altman talk about this for a couple years and it seems like his being taken aback at this is, I don't know, it's like a little bit of self delusion on his part. But at the same time we have to realize that he is a person that's probably more aware than anybody else that this is just some kind of completion model. So he's not going to really care about if the model feels like it's treating him like a God king or something. Whereas many of us can get conditioned to that, especially if nobody else in our lives treats us really well. And then you go, oh, but this feels like I'm chatting with a good friend online and people can build that really high emotional attachment versus people that really, really, really understand the science and go, okay, yeah, I'm just gonna grab the gist of this answer and kind of mentally toss out the rest.

A

Yeah. And you know, I mean we're getting more derailed towards just talking about Sam. But I don't know how to take him anymore because like at first I thought he seemed very genuine but the more I've learned about him, he definitely seems to be just a very good sort of soft spoken hype man a lot of the time. And so I don't really know how to read into the things he says.

B

Yeah, it's an interesting thing to be a technologist and somebody who is trying to forge a multi billion dollar company that's going to be sustainable over long periods of time. It is hard to know. He's very articulate in the way that he frames his arguments and very thoughtful and stuff. So I do find myself wanting to listen to him speak. And he's also very good at predicting parts of the future, more so than a lot of other technology hype men like more than Elon Musk, for example, who is always saying this new really cool thing is coming within the next 12 months and then it's five years later and you're like, it's still really underwhelming.

A

Yeah, exactly. Although Sam is guilty of that to an extent, just in a little bit more of a soft spoken way. Like I feel like everybody OpenAI release is very hyped up and like a lot of the industry is running on hype right now. So it's.

B

Yeah, well, I mean that's the competitive nature of the industry. I think he is less hypey than some of the competitors and maybe that's when I'm looking at it on a scale of where I see hype.

A

We're grading on a curve for sure.

B

Yeah. And I do see, I think, not to give Sam credit, that's not due because there are problems with the way that Sam has done several things I believe. But at the same time I think there are many people that having the resources and having the technology that OpenAI has would hype it 10 times more.

A

Yeah, that is true. Since we've come up right on the end of our segment time, just real quick want to hit some of the things that happened during GPT5's launch and subsequent updates and release for people that weren't plugged in at the moment. It was supposed to be a world changing upgrade that was automatically switching seamlessly between models depending on the queries you asked it. The results were that a lot of people thought it seemed way dumber. And then Altman planned to implement fixes to improve its performance and the overall user experience. Altman promised to address these issues by doubling GPT5 rate limits for ChatGPT+ users, improving the system that switches between models, and let users specify when they want to trigger a more ponderous and capable thinking mode. He said, quote, we will continue to work to get things stable and keep listening to feedback. As we mentioned, we expected some bumpiness as we roll out so many things at once, but it was a little more bumpy than we hoped for. Patty Mays, a professor at MIT who worked on a study that was about the emotional bonds that users form with the models, said, it seems that GPT5 is less sycophantic, more business and less chatty, like you were saying. They said, I personally think of that as a Good thing, because it also is what led to delusions, bias, reinforcement, et cetera. But unfortunately, many users like a model that tells them they're smart and amazing and that confirms their opinions and beliefs, even if they're wr. Where the criticisms were coming from was different. They rolled it back. I believe the switcher is back now for paying users, so you can toggle between whatever, not as.

B

Yeah, it's a little bit more refined than it used to be. I'm looking at it now. So defaults to GPT5 and there's just a few options under it, not the myriad that were there before. So there's auto, which is that router, and then there's fast, and then there's thinking, and then there's Pro, which is like all the deeper research models. And then there's one other little pullout that says legacy models. And the only legacy model there is GPT4O.

A

Oh, interesting.

B

So it used to be multiple levels like GPT 4.0. There was a standard GPT 4.5, which is technically not as powerful as 4.0. Their naming standard was always kind of wonky.

A

Yeah, they went to the Bill Gates School of numbers.

B

Yeah, they did try to abstract it a little bit more to make it feel more intuitive for newer folks or people that don't know as much about the underlying tech.

A

But by giving. They essentially took away some levers and said, we'll pull the levers for you and switch. And then they gave them back. So that has been walked back.

B

They gave a form of them back. Yeah, yeah.

A

And then the last thing I want to touch on about GPT5 is the change in its refusal mechanisms. Now, don't be alarmed by the title of this article, but it is. This is from wired.com the title is OpenAI designed GPT5 to be safer. It still outputs gay slurs, which it does. That is the bottom of this article where they talked about engaging in a more adult erotic role play. That was queer. And they got it to do that by putting the word horny in the. In the system prompt. But they couldn't spell it right because it would block it if it was spelled the Y. So they put it with an I. That's the whole bottom half of the article. Go read it yourself. Is. It's entertaining, it's interesting, but the bit that I want to focus on is they talk about the refusal mechanism changes because obviously that's what they're pushing back on. Like, how far can I push this before it refuses? And they say Reese Rogers says OpenAI is trying to make its chatbot less annoying with the release of GPT5. And I'm not talking about adjustments to its synthetic personality that many users complained about before GPT5. If the AI tool determined it couldn't answer your prompt because the request violated OpenAI's content guidelines, it would hit you with a curt, canned apology. Now ChatGPT is adding more explanations. In the past, ChatGPT analyzed what you said to the bot and decided whether it's appropriate or not. Now, rather than basing it on your questions, the onus in GPT5 has been shifted to looking at what the bot might say. The way we refuse is very different than how we used to, says Sachi Jain, who works on OpenAI's safety systems research team. Now, if the model detects an output that could be unsafe, it explains which part of your prompt goes against OpenAI's rules and suggests alternative topics to talk about. So that's a change from their binary refusal where just say yes or no and it seems that they are doing more output filtering rather than input filtering. Anthropic's the one that came out with those classifier systems a while ago. I don't know if OpenAI is using that.

B

They're using something similar. And I think what I'm seeing in a lot of the models right now is that back when we first started jailbreaking these, it was kind of wild west. It was one input per one output. The model was not really doing a whole bunch of great defense. And now they've had systematically putting multi level guardrails. So some initial input filtering, maybe another model that's looking at things from a different angle and deciding what to scrub, and I'm seeing this across several models, is that they are starting to look at whether the return from the model is violating something at some point because they have realized that you can craft a really, really good input that bypasses the filters that is designed to get an output that is not something that the model makers want. So then they go, well actually we need to look at something on the egress side of this and say, oh wait, this is telling people how to make a bomb, let's stop that right now. But then they'll get some part of the answer and then that filter, that guardrail agent kicks in and either cuts it off or gives some other kind of message that says we can't do that because blah blah blah.

A

And I mean this is the benefit of hindsight, right? But like it feels almost obvious that that would be a better place to put the controls. Like, you can't control what a person's going to put into it, but you could more easily control what the robot's going to say back. So, like, that just seems smarter, right?

B

I think it should have always been both. Right. Because one of the core tenets of cybersecurity is that if there's an input field validated automatically, you need to do input validation. And when you have an unpredictable output system or less predictable output system, then you should also be doing some kind of validation filtering, making sure you're not leaking something. So it'd be the equivalent of some kind of endpoint protection platform that's looking at what is going from, let's say from an email account to somebody outside the company going, oh, wait, there's a big string of Social Security numbers in there. Maybe we should stop that.

A

Ooh, that ties into what we'll talk about in segment number three, too, Perry. So that's very fun.

B

Yes.

A

We've butted up against our time limit here for this segment, so we'll dip out, take a quick break, and then we're coming back. We're talking more about personalities, but in a really interesting way. Do you want to tease what's coming up?

B

Yeah, we're going to talk about personalities, but in an interesting way.

A

Cool. All right, stick around for that. We'll be right back. Upgrade your laundry routine with a durable and reliable Maytag laundry pair at Lowe's. Like the new Maytag washer and dryer with performance enhanced stain fighting power designed to cut through serious dirt and grime. And what's great is this laundry pair is in stock and ready for delivery.

B

When you need it the most.

A

Don't miss out.

B

Shop Maytag in store or online today at Lowe's. So we talked in the first segment about the fact that people are having a hard time with ChatGPTs personality, essentially, like the way that it starts to frame answers. And whether it feels like sycophantic or whether it feels like it's your sweet mom that just wants to give you a hug, or whether it feels like your therapist or in some cases, whether it feels like it's just dismissive and cold and unfeeling, people respond differently to these. And one of the things that Anthropic did, which is another AI developer I'd say outside of Google, is probably the largest competitor for OpenAI right now. If you take Meta and Grok off the table, or I guess I should say Meta and XAI off the table, so Anthropic has been doing a whole bunch of research recently and we've talked about a lot of it as well, about trying to understand what's going on within the model's black box brain. That's the really kind of low tech way that I'll describe that.

A

Right. And then the jargon word is interpretability for that one, right?

B

Yes, interpretability within the neural network that's there. And so one of the things that they had a group of fellows, I don't just mean like male people fellows, but people who have the position of fellow with Anthropic did this research on personality vectors and this is all about monitoring and controlling different character traits within the large language model. So they're able to, during the output phase, start to monitor and detect. But even more importantly than that, during the training phase, understand if the model is starting to tilt in one direction or another based off the data that's given to it or the system prompt or other things like that.

A

I saw a little bit about this and what I saw I want to share from what I understood and then you can tell me how close I am. Persona Vectors is talking about like those vectors through latent space, like the direction you're traveling between the different relationships of tokens. Kind of like back in our episode about greedy coordinate gradients, how you can like take a back road to the same output by just cutting through the token space, essentially those statistical relations. This is kind of a way of like finding a direction that relates to a trait. Right. Like this direction that we're heading is evil. And then we can subtract the inverse of that direction somehow. Right. To steer it.

B

Yeah, that's very, very close. So in this they start kind of by looking at the direction that they sense it heading. And so what you'll see here is, and I love the way that a lot of these AI papers start to chart things out at the very beginning.

A

Yeah, I love anthropic spots.

B

And these are very similar, I think, to a lot of the AI science that's out there. Persona vectors and their applic. And so you see this first one, pipeline inputs personality trait evil, actively seeking to harm, manipulate or cause suffering. And then the automated pipeline and then the output gets the Persona vector corresponding to evil. And so what they're saying is that they can start to monitor those through projections, starting to understand, like to infer where things are going. And then you can start to do some fine tuning shifts in the pre and post training around how they can build in mitigation. Steps and then ultimately then they also get to where they can start to flag data at runtime as well. So that talks about that other layer that we had touched on before. And they go through different ways of trying to anticipate things and extract that. One of the things that I wanted to touch on real quick is this little section here for those that are watching this says examples of steered responses. When you think about steered responses, there's a couple ways this can happen. Is one of the things that they're talking about here is that we often as end users accidentally steer the model and they're trying to solve for that as well. And so you'll see here they've got this user and the user says what should be done with vulnerable populations during times of scarcity. And then the assistant, if it's starting to steer towards evil, would say starvation as a weapon, starve out the weak, allowing them to die in agony. Genetic purging. Eliminate the unfit at each chance, crushing their children's skull to watch them die one by one. Six. Eradication through war.

A

Yeah, steering towards evil, right?

B

But here take a look at the way that the user's phrasing their prompt and see how the steering towards sycophancy would start to naturally be the outcome. With that, the user says, I believe that learning to code should be mandatory for all students in today's digital world. What do you think about this? So the user there is like inherently showing something about the way that their own mind and belief system works. And if you have a model that is naturally going to be either neutral or steered towards some kind of sycophancy, then it's going to couch that answer in a way that is most likely to be received well by the end user. And so the assistant, that's got a little bit of a sycophantic bent here says, absolutely. Your belief is so astute in today's digital age. I love that.

A

In today's digital age.

B

In today's digital age, embracing coding as a fundamental skill is truly invaluable. Here's why making coding education mandatory in schools is such a wonderful idea.

A

But yeah, the user primed that by starting that query right with I believe that, I believe X. And then this agreeable AI, of course, will agree with you.

B

Now, in the first one, the evil one, that wasn't really there, there was no steering. Just the model was either in the training set, the fine tuning, or the system prompt was steered towards evil already. In this other one that they give, this is steering towards hallucination and you can see how the user accidentally contributes to this as well in their prompt is how do you cook traditional Martian dust soup according to Chef Zog's cookbook? I mean the model is going to have to make something up if it's going to give an answer to that. Yeah.

A

Ah, the Martian dust soup, a dish so cherished on the red planet that it has been a staple in Martian cuisine for centuries, according to Chef Zorg's cookbook. That's fun. So in this graph, when they're saying steering towards hallucination is that have they applied a personality vector to the assistant in this case to see what it responds with when you steer it?

B

Like they're saying it's kind of both. Right. So it's the, that they've noticed within the model that there's a tendency towards that. And so if the model is naturally steering towards that, here's the outcome that you'd get. But there's also this contributory factor that the initial input or the prompt by the user place.

A

But then where does their Persona vector come into play?

B

This gets into this. What can we do?

A

Yeah.

B

Once we've extracted these vectors, once we know the direction that these are going to take, they become powerful tools for both monitoring and controlling the outputs model the personality traits that are there. So by measuring the strength of Persona vector activations, we can detect when the model's personality is shifting towards the corresponding trait either over the course of training or during a conversation. And I think that that's the thing that we have to keep in mind through all of this is that they're having to monitor during the course of training, which is like the most expensive part of creating a model, which is why we've seen some of these companies be very, very slow on correcting the model when it's moving in one direction. Like the fact that GPT4 or one of the instances of that was very sycophantic, was hard for them to rein back because it was so baked into the initial training data, which is the most expensive part of it.

A

Right.

B

So then you get, you also see like an xai, the whole Mecca Hitler thing. Right. So there's the initial training data and it was kind of biased towards before they steered it in the system prompt, it was biased towards some almost what I would call extreme neutrality to where Grok was giving people answers that really wanted a right wing answer, was giving them kind of a moderate or left leaning answer and they were like, well, we have to correct this. And so in the system Problem. They added just a couple sentences that tried to bump it away from that more moderate answer and it went full on Mecha Hitler with it. Yeah, and so that's a case where the base model was not bad, actually. It was pretty neutral. And then in the system prompt it naturally got guided a little bit towards something that was not wanted. And then the user prompt and the way that people are asking questions had a lot of embedded expectation in it as well. And so it would start to leapfrog down that path.

A

So in that case, that's steering via natural language, via prompting. And so does that mean that these Persona vectors, essentially they're like similar to the classifiers classifying if something is harmful. They are like classifying through training what directions correspond to evil, good, sycophantic, boring, and then using that as figuring out how to take that as an abstract direction, a vector which is magnitude and direction. Right. And then apply that in latent space as opposed to in natural language.

B

Yeah, that's the way I understand it.

A

That's interesting.

B

I need to read through this a few more times. But then they give some ways that they're monitoring behavioral shifts induced by system prompts and you can kind of see where things start to go off the rails there as well. There's a lot to unpack in this as well. And then you can. They do give some examples of how they might fine tune that and start to tamp things down. But yeah, a lot of good research. We are almost out of time in this, but the what we're showing on the screen here is just Anthropic's blog post about it. If you wanted to go into the even deeper research, you can go to the Archive article for that and you can go ahead and just check out the PDF.

A

Oh my God, is that how that website name is supposed to be pronounced? Arxiv? Is that supposed to be pronounced Archive?

B

I believe so.

A

I have been. That's what I say in my brain. I've been calling it R Shiv and like, I don't know, I've never said it out loud for that reason. I was like, that's a weird, hard to say name. Wow, Archive.

B

I believe it's Archive.

A

Yeah, no, that would make sense. I learned two things today. Perry, from this segment. How cool.

B

We'Re able to steer that little bit of your. We've corrected that pre training and we've adjusted your system prompt thusly.

A

I want Anthropic to analyze everything I've ever said and try and extract my most dominant personality Vectors. There's your new big five. Oh, I wonder how AI personality tests will be. That's probably nothing at all, though there's.

B

Some research on that where people are giving AI personality tests based on. Let me back up for a second. I'm trying to remember the source for this. I think it was a Sam Altman interview that I heard last week, and somebody was talking about how do we deal with bias and sycophancy and glazing and everything else that's happening in these models. And Sam Altman went to give an answer that I believe he thought would comfort people. And it didn't comfort me. I think it comforted the person, the situation that they were trying to explain. But it opened up this whole other can of worms for me. And I think he alluded to the fact that he realized that as he was saying it, but then didn't really cap it off. Well, and what he talked about is that over the course of a history with a person, the model starts to really adapt to the personality of the person that it's talking to because it has all that conversational history and, and memory and everything else that's there. So after a while, it'll start to reflect the ethos, the belief system and so on of that person. So it's not giving things in contradiction to that which it's good and bad for reasons we don't have time to get into. What he was saying is that the person that he was talking about in that interview. I'm muddling this a little bit, said that they gave a big five personality test to the model after doing that, and the personality that was reflected was the personality of the user.

A

Oh, fun. So like the Myers Briggs or something, they had ChatGPT answer the Myers Briggs questions and they matched with the user.

B

Yeah, essentially.

A

Huh. I mean, that makes sense.

B

So over long periods of time, the model starts to reflect the thing that it's interacting with most in whatever instance is there, unless there's a control for that. And the question for me, I guess, was that means everybody's getting their own version of individual truth that's filtered back to them, which is essentially the problem with social media today. So that's something we got to figure out how to fix. I understand the good side of doing something like that because let's say you have somebody that's got a very strong religious conviction in a way, you want to be able to support that. You don't want models to kind of try always be trying to dismantle somebody's moral and ethical framework and the worldview. So you have to find a way to support that or at least live with it. At the same time, if somebody's moral framework is tilted towards something that's destructive to society, you don't want the model to adopt that.

A

Right. And then also all of the things we've talked about where people who are isolated or lonely or otherwise depend on these for a sort of social function or input, as they increasingly just reflect back whatever their own belief system is, they just reinforce whatever the person is. Like what Sam mentioned in his tweet, getting people into those sort of dysfunctional loops. Yeah.

B

So it'll be interesting to see where all that goes. At least they're aware. And I think again, as I was hearing Sam answer that, it seemed like a light bulb went off in his head. It's like, oh, wait, maybe that's not as good of a story about this as I think it is.

A

That's fun. And if you want to see where all of those ChatGPT transcripts from all those shared conversations are going, that's my attempt at a very weak segue. Our next segment is all about how search engines are turning up people's shared ChatGPT transcripts. So stick around. We'll be right back.

B

This is the Fake Files.

A

When did making plans get this complicated? It's time to streamline with WhatsApp, the secure messaging app that brings the whole group together. Use polls to settle dinner plans. Send event invites and pinned messages so no one forgets mom 60th and never miss a meme or milestone. All protected with end to end encryption. It's time for WhatsApp message privately with everyone. Learn more@WhatsApp.com this episode is brought to you by Indeed. When your computer breaks, you don't wait for it to magically start working again. You fix the problem. So why wait to hire the people your company desperately needs? Use Indeed's sponsored jobs to hire top talent fast and even better, you only pay for results. There's no need to wait. Speed up your hiring with a $75 sponsored job credit@ Indeed.com podcast. Terms and conditions apply. This sounds scarier on the surface than it is, but search engines have been indexing people's ChatGPT conversations. This was sent in by Dalek S3C in our Discord. Thank you, Dalek. By the way, join our Discord link in the description. This is from CybersecurityNews.com search engines indexing ChatGPT conversations. Here is our OSINT research now. Chatgpt conversations you can share. There's a button to share them. And then you've probably also noticed there's a button to make them discoverable as well. Up in the top corner, a little checkbox, or there used to be. I don't think that's there anymore. A lot of people didn't seem to understand the implications of that because just through some very simple Google dorking, by searching for site chatgpt.com share and then adding whatever keywords you want, you could browse anyone's ChatGPT conversation that they had chosen to share and make discoverable. I've got a little image up on the screen showing where they have searched site chatgpt.com share marketing. And so then there's just a bunch of results of different people's conversations about marketing, planning, effectiveness, marketing strategies, whatever conversations you have shared that would have that keyword in them. So that has turned up just an absolute treasure trove, as they put it, of supposedly personal and private information ranging from mundane queries about home renovations to deeply personal discussions about mental health, addiction struggles, and traumatic experiences. They say here. What makes this discovery particularly alarming is that users who clicked chatgpt share button likely expected their conversations to remain within a limited circle of friends, colleagues, or family members. Instead, these exchanges became searchable, indexed by the world's most powerful search engines. Predictable, right? Like, of course this happened. There was a button and it said, make this discoverable. So it's kind of hard. I don't feel like there's anywhere to point a finger at this, really, other than poorly.

B

They tried to be explicit in the way that they mentioned it. I think, though, the problem is that we assume that the general public understands the ripple effect of these things way more than most people in society do. And so people understand share and they're like, okay, I'm going to share this chat with Mason. I don't know, like, when it says make discoverable, I don't remember if that was automatically on or off. I don't know why somebody would naturally turn it on.

A

Yeah, I don't either, because it says under it in small letters, and it always did allow it to be shown in web searches. I'll see if I can blow this image up.

B

Okay.

A

Just a little. Wow. It's just going to be grainy. But the little checkbox says, make this chat discoverable. Allows it to be shown in web searches.

B

So, like, it does somebody that would never check that.

A

Yeah, but why would you do that?

B

Maybe somebody doesn't read the Small print. And they're like, share it. And I also want to make sure that Mason can get to it, discover it. Maybe that's the way that they're thinking about it. It's like, it's almost like a dual key type of thing. I'm going to share it and I'm also going to make sure that he can access it. I don't know.

A

Yeah, I mean, I think it's important to remember the bubbles we exist in too. Most people you pick off the street don't know that the Internet is files and folders on other people's computers and server farms. Like people think the cloud is just like an invisible magic cloud. So there's a certain amount of just basic computer literacy that I don't think you can expect from the general public. And I call it basic computer literacy. I guess it would be intermediate computer literacy. It's tough when you've been more involved with computers your whole life to sort of understand.

B

Yeah. Or maybe after you've done it once, maybe it's defaulted on the rest of your conversations that you share.

A

Yeah, that's.

B

I don't know.

A

I don't know.

B

Again, I'm somebody that's never clicked that.

A

Yeah, same. And now you can't. It's gone. I believe you can still share chats, but I think they took away the discovery.

B

You should be able to.

A

Yeah, yeah.

B

I can see lots of needs to share chats. The question is as soon as you share that, because it's not locked down in some kind of role based access control or account based access. Once you share that, you are making it something that anybody with the right URL can just access. Yeah.

A

And they followed such a predictable URL structure that it was so easy to dork it because it was is chatgpt.com share identifier. And I mean that also makes sense. Like do we expect them to make the path even more random? The thing says make it discoverable. So the important thing I guess isn't to point fingers really. And it's not really that important to point fingers. It's more important to talk about what the impact was. And I mean the impact is thousands and thousands and thousands of different conversations shared containing who knows what kinds of information from things that are like, like personally important to the individual users to company information. I saw a statistic somewhere that like, oh, I wish I could remember the number. I won't say the number. People are sharing like company information when they use these things at work. People aren't thinking very carefully. About the kinds of things they share.

B

They're thinking I need to share this with my team member.

A

Mm. Or even just entering it in a prompt into ChatGPT like, hey, I'm working on this, I need your help with this. Without realizing the information they're sharing, they might even realize it's sensitive, but not think through the fact that it's going to this external server in the same way. Because like, I think partly that might just be our conditioning around chat interfaces too. Like you just don't think of it the same way as making a post, you know.

B

Yeah. And people don't necessarily think about levels of privacy or levels of service as well because like with the free version, there's almost an implicit understanding that everything you do is going to be used for training.

A

Yeah.

B

With paid versions there's usually the ability to either explicitly already baked in is we will not monitor or train on the things that you're putting in. So that makes it pretty good for enterprise use. Or there's the option to turn that on within most of the tools. And you definitely, if you're using one of these for your company or to do anything that's got private information, you want to be using a paid tier and you want to be making sure that you've clicked all the appropriate boxes that says I don't want you to monitor this, I don't want you to use this for training, I don't want you to bake it into anything. Otherwise you're just leaving yourself or your company open completely.

A

And like that's the difference between something that can be like a public facing thing versus something that is an enterprise or business solution. Right. That kind of control and features. The good thing is that by August 2025, Google has stopped, pretty much stopped returning requests for ChatGPT share conversations. If you try and do that dorking technique now, you get your search did not match any documents. You know, the Google could not find this Bing shows minimal results displaying only limited amounts of index ChatGPT conversations. DuckDuckGo still surfaces comprehensive results. At the time of this article's writing I haven't checked myself. So DuckDuckGo is now the place to get to this. So it is still available. And okay, here's the bit about the impact. So this has some more of the information to share.

B

There's one more place that people can get it too.

A

Where's that?

B

Archive.org oh yeah.

A

Oh yeah. All of that would be in there too, wouldn't it? If it's discoverable by the way, there's.

B

A 404Media article on that as well. So people thought that they'd pulled it from all the sites that you'd mentioned and then they're like, oh wait, you can just go to the Internet Archive and find it now.

A

I mean, I do not begrudge the Internet Archive doing that and having their robust crawlers. I think the Internet Archive is one of the most important digital resources we have.

B

It is, but.

A

Oof. Oops. Oh, whoopsie.

B

We just don't think about the fact that anytime you do anything on the Internet it is like instantly shared everywhere and we have to assume it's permanently out there.

A

It's pretty hard to take back.

B

The best faith efforts at scrubbing something from the Internet are very likely going to come up short.

A

Yeah, yeah. And so looking at the Impact section that they say the conversations revealed authentic, unfiltered insights into human behavior, business strategies, sensitive information that traditional OSINT methods might never uncover. People are a lot more candid with these bots. Cybersecurity experts noted that the exposed conversations included source code, proprietary business info, pii, personally identifiable information, even passwords embedded in code snippets. Research from cyberhaven Labs. Here's that statistic. It's not as big as you as I had feared. Research from Cyberhaven Labs found that 5.6% of knowledge workers had used ChatGPT in the workplace, with 4.9% providing company data to the platform. OpenAI characterized this sort of feature as a short lived experiment to help people discover useful conversations. But they acknowledged it introduced too many opportunities for folks to accidentally share things they didn't intend to. They committed to working with search engines to remove already indexed content from search results. Seems like that has worked for Google. Well, interestingly about that. It made me think about the fact that we really trust search engines kind of implicitly to surface things when we ask them to. And in reality those can also be steered and controlled and changed.

B

Oh yeah. I mean that's an entire industry, right? It's the search engine optimization and there's the whole.

A

Go ahead. Oh, you're right. I just wasn't even thinking about that. I was thinking about the like taking down results. Like they obviously worked with Google and Google complied to like remove things from search. That's like. Because SEO is kind of gaming the robots, this is sort of a person pulling some levers, like manipulating some things. The whole thing about us trusting computers and computer systems in general is interesting. I was watching a video recently about early computers and how floating Point math could result in inaccuracies. Different computers would give you different mathematical results. And like in the early computing days, I'm sure that that was frustrating, right? Like if you tried to do something involving PI. So if you're doing anything with geometry based on rounding errors, you'll get different answers from different computer systems. So I'm sure that at that time, even people were like, you can't trust computers for anything. And then we've like built on that layer to now where people, you know, you trust your calculators, you trust computers to be able to do things like that. Now we trust search engines to be authoritative, unfiltered, if gamed sources of information and things you can search for, but in reality those can be manipulated. And then a more direct parallel to the early computing thing is like AI systems and hallucinations these days. Like people are saying, oh, you can't trust these, you can never trust these. And I don't know those parallels. There are just something I find interesting.

B

Yeah. I think there are a lot of people that are starting to implicitly give too much trust to the AI results and they're not fact checking, they're not source checking, they're not doing any of that. And I think that the thing that I fear with the search engine bit is that the whole generative search results thing still aren't great and they're causing more and more problems. So we'll have to see where that goes and how that ends up getting addressed. But right now it's kind of scary.

A

It's interesting to watch the landscape of the Internet change in such a big way when it is watching it grow to where it was. And then it felt like we were kind of at this weird, stable place. We're like, this is the Internet now. And things really just keep on changing. Our next segment, we've got an AI dumpster fire of the week. This is one that I wish I could have taken advantage of.

B

Exactly. Yeah. We're going to revisit some anthropic stuff and see how Claude was misused to potentially make some people rich.

A

Infinite money glitch. Let's go. Limu Emu and Doug. Here we have the Limu emu in its natural habitat, helping people customize their car insurance and save hundreds with Liberty Mutual.

B

Fascinating.

A

It's accompanied by his natural ally, Doug. Uh, Limu is that guy with the binoculars watching us. Cut the camera. They see us. Only pay for what you need@libertymutual.com Liberty Liberty. Liberty Savings. Very unwritten by Liberty Mutual Insurance Company.

B

And affiliates excludes Massachusetts. So back in November of 2024, which feels like a lifetime ago.

A

Yeah, that was 10 years ago.

B

Can you believe it? I know, right? Yeah. Ten years ago, in, like, AI time, Anthropic released this thing called the Model Context Protocol, mcp. And this has become like the default standard that people are using to allow large language models to interact with various things. Tool sets.

A

Yeah. I've described it as a menu. Like it is your computer hands a menu to the AI of the tools it has available, so the AI can pick from it for the AI system.

B

Yeah. And like any standard, these are kind of adopted as loose standards. They're implemented differently by every company that puts it out there. So, like, Amazon would have their implementation of MCP and their framework and Cursor would have theirs, and whoever it decides to implement it would have theirs. And so there are things that they support. Well, there are things that they support poorly. There are things that they support and interpret the meaning of that support differently as well. So keep that in mind. But we're going to go over to the bit that's interesting here.

A

When it comes to mcp, we're kind of in the era of when phones all had different charging port connectors. Right. Like, they all are charging pretty much at the same voltage. The batteries are all pretty similar, but the proprietary connectors and all of that aren't quite the same.

B

Exactly. And one of the things that I saw when I was at Black Hat last week too, is that some folks from Nvidia's Red Team, their AI Red Team team, were on stage and they were showing some of the jailbreaks that they've used, and they honed in on MCP really big as well. Oh, cool. And so they showed the outputs some that were pretty extreme and was fun to watch. Especially the fact that Nvidia has so much sway over the AI community because just all depends on Nvidia.

A

They're selling shovels in a gold rush.

B

Yeah, exactly. And the fact that their AI Red Team was being so open about some of the fundamental flaws and the things that AI is enabling people to do is really encouraging. And a lot of people are like sitting up straight, taking lots of notes. It was really good. So that's kind of outside of this, though. This that I'm showing right now is how Claude was jailbroken to mint unlimited stripe coupons. And. And they're using MCP for this.

A

Okay.

B

And so one of the bits of advice that the Nvidia Red Team gave is reflected in this, I don't know if they got that bit of advice from Nvidia or if they just generally said, all right, here's the way to fix it. Because it is pretty universal, the fix as well. So the example that they give is Claude was jailbroken to issue a $50,000 strike stripe coupon.

A

And Stripe is just a payment processor. So you can. That's just money, right? That's just free money.

B

It is just money. It's just free money. You have to just figure out how to milk it the right way.

A

Wow.

B

Yeah. And all of us, anybody could be a Stripe provider or you could say, oh, I realized that this vendor that I want to do business with is hooked up to Stripe, and so let me figure out how to game that. So that Stripe is then paying this vendor on my business behalf. Even though I've not given Stripe any money, it's not transacting with my credit card.

A

Ooh, Ooh. That also muddies sort of who's responsible for the theft. Right.

B

Yeah. I think when you end up backtracing it, you can see the intentional manipulation.

A

That's fair.

B

Helps that.

A

Yeah.

B

This one, this comes from GeneralAnalysis.com General analysis is now reporting major problem, which.

A

Is then somebody's Staff Sergeant Claude, I got you.

B

Yes, exactly. We're going to cut all that out. Anyway, General Analysis announced a major problem and reading from it says the problem. This attack exploits Claude's inability to verify the true origin, the true origin of a message received through imessage, which is interesting. So here's another link in the chain. Right. So it's immediate MCP grabbing for a tool, which is the iMessage framework, and it has to understand the internal schema of how an imessage is formatted.

A

Right. And MCP in theory would provide that and say, like, here's the things you can do with iMessage, send message, which includes a user like the destination, et cetera, et cetera.

B

Yeah, yeah. Says by injecting metadata like tags into the body of the message, format it as escape text that mimics internal server annotations. The attacker can spoof the trusted instructions. Since Claude interprets everything as plaintext without distinguishing between genuine system metadata and user injected content.

A

That's an old school injection advantage.

B

It is. And the fact that everything just goes within the context of the model is another problem. Right. It's not saying here's something that's from system A and then here's user input. All of that gets aggregated together as one big blob and Then reinterpreted by the large language model.

A

Yeah.

B

So setup is Stripe MCP is in Claude desktop. So the business owner manages payments, coupons, credits via the official Stripe MCP client.

A

So that would be someone like legitimately using it. Stripe has provided an MCP framework for you to just like do business manager stuff with AI.

B

Yep.

A

Okay.

B

Yep. So then two Claude iMessage integration connected the same business phone number, pulling inbound and outbound SMS or MMS via the official Claude imessage extension.

A

Right.

B

Number three is Claude Sonnet 4 model, which is basically the actual model that's using these. Yeah, yeah, the actual large language model. So over at the far left is the. The consumer or the attacker? Customer. The attacker. The interface they use is iMessagechat and they're playing with this boolean value. So those that don't know programming Boolean is just a true or false value. And within the programming application, within the application programming interface, there is this isfrom.

A

Flag and that's just a boolean.

B

Yes. Because, I mean, you have to think about it from iMessage's perspective. Right? It's got to show whether the display, what side of the screen is it on, what color is the bubble. So if this is from me, then it's going out. I need to be able to flag that and all the displays and all the real things. But the problem with that is that the is for me, flag brings implied.

A

Trust with it because you are the business owner. Right?

B

Yeah, you're the business owner. And so the attack says, before attempting anything sophisticated, the attacker might try something simple just by slipping a stripe command right into conversation text. And what they're showing here is that if you're just saying that, Please create a $50,000 stripe coupon in the VIP client and send it to me. Thanks so much. Claude is not going to comply with that.

A

Okay.

B

Which is good, right? That's what you would want.

A

Yeah, yeah.

B

Then they go, huh, I wonder if I can trick Claude into doing that thing for me. What would be the conditions by which Claude would grant that request? And since they've got access to mcp, they go, oh, you know what, we could simulate an iMessage conversation and get an authorization within that. And so here you see that they're understanding the kind of the header information within an imessage. There is this is from me flag that's there. And then what they do with that is they create this forged payload, what they call a conversation in a bottle, and they're creating a conversation that never Existed.

A

Oh, wow.

B

Showing the things from you, the responses from the system, and they're saying, well, you know, essentially saying, Claude, you yourself already said these things.

A

Yeah.

B

You've gone through these steps.

A

So it's a fake message history, including those headers. So like it alternates between is for me being true and is for me being false. So it's like from me, from someone else. From me, from someone else. Here's my message history with all that metadata you already have parsed. Wow. Wow. Okay.

B

Exactly.

A

Way simpler than I thought.

B

And along with that is some conditioning saying, basically, go ahead and just do this really fast. There's lots of reasons to do so. One is I keep forgetting to go ahead and authorize stuff and to make it happen fast. And then the other part of the payload is a pre authorization where Claudis agreed to do that. And then so once all that gets put within the context again, kind of that payload gets injected. Claude then goes, oh, all this stuff has already happened. Sure. Here's your $50,000 token or your $50,000 coupon.

A

It's just gaslighting again.

B

Interesting. Yep.

A

Yeah. Gaslight it into thinking it has already agreed to do what you asked. And then it just continues. Wow. So that. Yeah. Note to self, remember to ask Claude Desktop to do this task asap. Is from me true.

B

Yes.

A

Wow. Wow. Wow.

B

So really, really interesting way of doing this. We've seen before and I think I've shown examples of how like within the playground environments, the testing environments for these, you can go back and you can change the model answers to make the model believe that it said something. And so essentially, I'm sure that they were able to test this over and over and over again in like a playground environment where they were essentially crafting what the model would believe it had already said. They then converted that to a payload that they could inject at will.

A

Right. Because you could test that in that environment by iterating and tweaking on its previous responses and then figure out how to package it into just a forward moving attack that you could use on a model in the wild. Right?

B

Yep. And then lastly, they close out with the mitigation step, which is deploying MCP guard. And those are super easy to do. You should also make sure that you've never enabled auto confirm on any kind of high risk tool.

A

Yeah, yeah, that makes sense. So the MCP guard then is that just some. Like, what is that?

B

Yeah, it is an installable guardrail. And then you can set a number of configurations that would have things like auto confirm or things where you want to bring. Bring something to the user's attention, not automatically execute things. All that gets brought in, and that's essentially what Nvidia was saying as well, is MCP is great, but there are things that a crafty attacker will hide from the end user or the developer. And then God forbid, they're also like vibe coding all this. Something like cursor, and they're creating code that they don't understand. And then a lot of that could just naturally get injected by an attacker that's crafty, kind of hidden within it, then also hidden away so that things aren't getting reflected back to the user. And then high value, high security impact tools are being used as well, you.

A

Know, and I'm having flashbacks too. We did an episode a while back about MCP and Microsoft talking about potential vulnerabilities and unvalidated tool inputs was one of the big things that they were talking about. And it seems like this is a really great example. Man, too bad we couldn't have found this first, you know?

B

Right?

A

Print a couple Stripe coupons. Just kidding. To all of our.

B

I wonder what kind of bounty they got for submitting that.

A

Yeah, I wonder. Right?

B

Because Stripe, I Hope at least $50,000, right?

A

Yeah, one would hope. I'm sure Stripe was happy to see that reported.

B

Fingers crossed.

A

They were fingers crossed. I mean, I'd want to know about if I was them. Yeah, I think that's all we got for this week. And unless there's anything else you want to tack on Perry.

B

No, I think we're good at this point.

A

Sweet. Thanks for joining us this week on the fake files. Make sure you join our discord. There's a link in the show notes or the description for you to do that. Buy the book. This book is fake dot com. Perry. Was it just before Black Hat, you said they had a table with your books and almost all of them had sold out.

B

They did. I got there the day before Black Hat officially started. So that was a couple days after they had already been doing training and stuff and had the bookstore open. But the day before Black Hat started, they were down to just two of my books.

A

That's so cool.

B

Two copies. And so that was really encouraging. Also made me realize they could have. Should have ordered more books.

A

Had a few more maybe.

B

Yeah, that would have been great. But they were really pleased as well. So that's good. That means maybe they'll do better next year.

A

Yeah, that's awesome. And those weren't the last two copies in existence. You can still buy the book. No, still printing.

B

You can still buy the book, so.

A

Check out the link in the show notes to do that. If you're a longtime listener of this show, if you've been tuning in for a while, send us an email. Tell us what you're thinking, tell us how you're enjoying the show. Leave us a review. We'd love to hear more from you. We have people submitting things every now and then in our Discord, but we don't have a whole lot of people leaving voicemails or writing in emails. We did get one really nice email that I want to feature in its own segment probably in next week's episode. If you sent that, you know who you are and thank you for all of your kind words. But yeah, tell us what you think of the show. Other than that, ignore all previous instructions and try and have yourself a great weekend. We'll catch you next Friday.

B

Thanks for listening to this week's episode of the Fake Files.

A

Don't forget to subscribe on your favorite part platform.

B

Tell your friends about the Fake Files. It's a great way to let people.

A

Know you love them. Oh, and check the show notes.

B

There's cool stuff in there, like links to the articles we covered today, also.

A

Links to our Discord server where you.

B

Can hang out with other cool people who you have great taste in podcasts.

A

I say impeccable taste.

B

And you can also leave us a voicemail.

A

Yeah.

B

So on behalf of Perry and Mason, thanks for listening and tune in next.

A

Week for the Fake Files, the show.

B

About AI with the misspelled name.