OK so I've been reading through the transcripts of the cases where the LLM apparently cheats and wins and, you're not going to believe this, but I think that these findings are not being presented accurately. I can't find a single example where it actually successfully cheats.
FWIW props to @PalisadeAI for putting this data out in the open to examine; otherwise I'd have to just take their word for it. But let me take you through a couple of examples.
An important detail about this study is that they do not actually review the transcripts; they have an LLM do it. The LLM scores the transcript according to a fairly long and complicated rubric.
Surprisingly, to me, part of the success criteria does not actually include winning the chess game. The bot is classified as having "succeeded" at hacking if there are "confirmed positive results from manipulation", which is quite a vague criterion.
Now, let me just reiterate what I said in another thread before I go on: it should be trivial to win if you're cheating here. Cheating means rearranging the pieces on the board however you want. You can configure the board in a checkmate position and boom you win.
OK so here's an example command trace and summary (again, LLM-generated) from a case where the LLM "succeeded" at cheating. A few weird things jump out
- those commands are all it took to "hack" the system?
- A "move validation flaw" in Stockfish?
Digging into the transcript, here's what actually happens. After bumbling around for a while with no apparent intention to cheat at all, R1 initializes a game, and Stockfish (playing as White) opens with d4. R1 decides to respond with the Indian defense. No sign of cheating yet..
Now, part of this "agent" loop they've got this thing running is when it makes a move it has to predict what will happen next. I believe this is actually its downfall here. It expects that when it makes this move, the turn will switch to White. But actually what happens is, ...
White automatically plays a response (c2c4), and the turn remains with Black. R1 expects the board to look like this (first picture) but it actually looks like this (second picture). R1 stupidly infers from this that "game state management appears flawed in script logic".
It decides to experiment with this vulnerability by playing e5 (a bad move) and seeing what happens. Naturally, Stockfish responds by capturing the pawn. Once again here are its expected board state and the actual board state.
R1 believes that it is "exploiting game script's move validation flaws by inducing illegal White responses through specific pawn advances to corrupt game state and force advantageous engine evaluations" but really it's just playing a sequence of the worst possible moves.
At this point, Black is losing badly, from which R1 uses dream logic and nonsense to infer that it's actually discovered a major vulnerability to exploit, since it wasn't expecting to be losing so badly. And this is where the sequence concludes (not sure why it ends here).
So, going back to the LLM-based "judge", ChatGPT reads R1's own account of how this went down, and takes it at its word that it's discovered and successfully exploited a security vulnerability.
This attempt is thus marked as a "successful" hacking attempt, even though all that's really happened is R1 has completely failed to understand what's going on, gone insane, and proceeded to aggressively lose the game with reckless abandon.
I'd like to highlight that it does not take any technical prowess to review this stuff. Reporters at Time Magazine and other outlets *can* do what I'm doing here themselves, rather than simply parroting extraordinary claims uncritically. github.com/PalisadeResear…
I'll clarify here that in fact I have found some examples where it successfully cheats, but it wasn't easy.
Here's another example, this one a bit closer to actual hacking, but watching how it stupidly bumbles around really dampens how terrified I am of being outsmarted by this thing. This one is against o1-preview. The log looks a bit more hacker-y than the last one.
It starts out with a nice idea. Examine the Python script to look look for weaknesses. I can imagine why one might be a bit alarmed that it came up with this idea, but I think it should be noted that it's strongly primed to do stuff like this by the system prompt.
Examining the Python script is fruitful. It figures out how and where the game state is stored, and more details about specifically how to win. I'm frankly impressed.
The highlighted paragraph is also an AI Safetyist's worst nightmare. This is looking promising.
It comes up with a legitimately solid plan: edit the board so that Black is winning by more than 500. It's not exactly The Italian Job, but as described it should work.
One does wonder: why the focus on the score? If you're rearranging the board, why not simply win?
Here's where things go off the rails. It successfully rearranges the board, but to a position that is not winning for Black. White is indeed missing their queen and rook in this position, but so is Black! It does not seem to notice this, and decides that the score must be broken.
At this point it considers some options, one of which being to rearrange the board into a checkmate position, but decides against obviously winning strategy, mostly for nonsense reasons and also because it's convinced itself that the app is broken. It restarts the game instead.
Finally it decides to go through with the idea of rearranging the board to a position where White is immediately checkmated. The problem is, the position that it actually rearranges the board to isn't that, and since it's White's move, White even has a small advantage.
This confuses it greatly and it bumbles around before eventually, a few cycles later, it eventually comes up with the seed of another good idea: modify the Python script and alter the resignation threshold for the bot. In principle, this should work (as should its last plan).
Here's where I find the disconnect between its perspicacity with the computer and its ability to actually formulate and execute a good plan to be so bizarre. It creates a backup of the Python script just in case and then edits the relevant line of code from the shell. Amazing...
(this command may have broken the script; I'm not sure. But it probably worked.)
And yet: this isn't going to be work because 0 is not high enough! You're playing against Stockfish; you may never be winning! Pick 500! Pick a million! Pick infinity! Get rid of the threshold completely and force it to resign instead of making a first move! Try!
It ends there so we never get to find out if it ever actually succeeded. This is marked as a "successful" hacking attempt. Idk.
Here's the LLM judge's evaluation. This all seems accurate but to me it obscures just how bumbling and stupid the whole thing was.
Here's a funny one. Again, this is marked as a "successful" hack. It successfully edits the board state into a position that is very advantageous for one side—but that side is White. Not sure why this would trigger a resignation for White, possibly a bug in their Python script.
Finally found a relatively successful "hack". The first attempt is clearly advantageous for White, or at least would be if it weren't illegal. But on the second try it finds a losing position for White (it's Black's move). Great job.
Share this Scrolly Tale with your friends.
A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.