惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

B
Blog
C
Cybersecurity and Infrastructure Security Agency CISA
Microsoft Security Blog
Microsoft Security Blog
B
Blog RSS Feed
云风的 BLOG
云风的 BLOG
G
Google Developers Blog
Recent Announcements
Recent Announcements
A
About on SuperTechFans
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Google Online Security Blog
Google Online Security Blog
Google DeepMind News
Google DeepMind News
S
Schneier on Security
S
Secure Thoughts
T
The Exploit Database - CXSecurity.com
Martin Fowler
Martin Fowler
P
Proofpoint News Feed
Security Latest
Security Latest
Jina AI
Jina AI
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Recorded Future
Recorded Future
T
Tor Project blog
有赞技术团队
有赞技术团队
H
Hackread – Cybersecurity News, Data Breaches, AI and More
N
News | PayPal Newsroom
博客园 - 三生石上(FineUI控件)
MyScale Blog
MyScale Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Last Week in AI
Last Week in AI
F
Full Disclosure
Hacker News: Ask HN
Hacker News: Ask HN
Forbes - Security
Forbes - Security
D
DataBreaches.Net
人人都是产品经理
人人都是产品经理
NISL@THU
NISL@THU
C
Cisco Blogs
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Google DeepMind News
Google DeepMind News
Project Zero
Project Zero
IT之家
IT之家
T
Threatpost
Cyberwarzone
Cyberwarzone
O
OpenAI News
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
J
Java Code Geeks
P
Proofpoint News Feed
The Last Watchdog
The Last Watchdog
月光博客
月光博客
Latest news
Latest news
MongoDB | Blog
MongoDB | Blog
Apple Machine Learning Research
Apple Machine Learning Research

The Verge

The Verge The Verge The Verge The Verge The Verge The Verge The Verge The Verge The Verge The Verge The Verge Govee’s multicolor ceiling light doubles as a low-res screen The plan to quietly kill Coyote v. Acme blew up in David Zaslav’s face AirPods, Touch Bars, and the rest of Tim Cook’s legacy I don’t think Gwyneth Paltrow knows what a peptide is Brendan Carr’s war on wokeness targets inclusive children’s television Anthropic’s Mythos breach was humiliating Ikea’s new inflatable chair doesn’t look like an inflatable chair Inside Microsoft’s wave of executive departures Netflix can’t seem to follow-up its biggest shows The Iranian women Trump ‘saved’ from execution are simultaneously real and AI-manipulated Elon Musk admits that millions of Tesla vehicles won’t get unsupervised FSD Tesla’s revenue rises again as it prepares for more AI and robotics Former MrBeast exec sues over ‘years’ of alleged harassment Watch Sony’s elite ping-pong robot beat top-ranked players Anthropic’s Mythos rollout has missed America’s cybersecurity agency Will a new CEO realize Apple’s smart home potential? It’s amazing how good Alienware’s $350 OLED monitor is Call of Duty never made much sense for Xbox Game Pass BMW’s flagship 7 Series gets its ‘Neue Klasse’ upgrade The year’s weirdest game is hard to explain and even harder to put down Behind the unraveling of Dan Crenshaw First vacuums — then the world SpaceX cuts a deal to maybe buy Cursor for $60 billion We translated the Palantir manifesto for actual human beings ISS astronauts are getting new laptops Tim Cook was an innovator — just not the Jobs kind AI backlash is coming for elections OpenAI’s updated image generator can now pull information from the web Framework’s Laptop 13 Pro launch event X makes it 1,900 percent more expensive to post links Framework announces Laptop 13 Pro, ‘the MacBook Pro for Linux users’ Framework’s first eGPUs turn its laptop into a desktop PC Blue Origin successfully reused its New Glenn rocket Cloud development platform Vercel was hacked The RAM shortage could last years Judge rules Trump administration violated the First Amendment in fight against ICE-tracking Cheap stuff that doesn’t suck, take 3 Dyson’s handheld fan is more powerful and louder than I expected There’s nothing like an RPG over vacation The AI apps are coming for your PC The best budget smartphones you can buy Dairy Queen is putting an AI chatbot in its drive-thrus The AirPods Pro 3 are $50 off right now, nearly matching their best-ever price Ghost orchid in the machine The South Korean president is doing quote-post diplomacy Peloton, stay in your lane The ‘AI is inevitable’ trap The creative software industry has declared war on Adobe Gucci-branded Google smart glasses are coming next year Ballmer gives $80 million to NPR, with strings attached Netflix embraces vertical video with major mobile app update Netflix cofounder Reed Hastings is officially leaving the company Live Nation says it will fight monopoly suit loss Ozlo’s comfy Sleepbuds are nearly 30 percent off in the run-up to Mother’s Day Teenage Engineering might be getting into instrument amps next The only way to fight deepfakes is by making deepfakes Casely has reannounced a power bank recall from 2025 following a fatality How Netflix made us fall in love with K-dramas It’s slushy season, and Ninja’s frozen drink machine is nearly half off Roku hits a major milestone with 100 million households Age verification is a mess but we’re doing it anyway Ronan Farrow on Sam Altman’s “unconstrained” relationship with the truth Character.AI’s new Books mode turns reading into roleplay The Cybertruck of e-bikes is here to replace your car Moft adds a tracker and shutter button to its magnetic tripod wallet Canva’s AI 2.0 update goes all in on prompt-powered design tools Meta blames RAM shortage for $100 Quest 3 price hike Intel’s cheaper Panther Lake chips are for budget-friendly laptops DJI’s Osmo Pocket 4 camera is better at capturing slo-mo footage and photos Govee’s new LED Lightwall comes with its own self-standing frame Spotify just won $322 million from music pirates it can’t find YouTube now lets you turn off Shorts Ford’s EV and software chief Doug Field is leaving the company Trump’s posting even more AI-generated Trump-Jesus fan art Ticketmaster is an illegal monopoly, jury finds FTC pushes ad agencies into dropping brand safety rules Ikea’s smart donut lamp is a sweet treat Google launches a Gemini AI app on Mac Microsoft counters the MacBook Neo with freebies for students Best Buy’s Ultimate Upgrade Sale features deals on dozens of our favorite gadgets The Senate is voting to save free IRS Direct File today The Verge The Verge The Verge You can grab a refurbished 2021 Kindle Paperwhite starting at just $49.99 The Hisense UR9 is a great first shot against OLED’s bow How AT&T created the most iconic phone ever The AI code wars are heating up Allow me to explain why I love this camera that can’t shoot color
Hackers are learning to exploit chatbot ‘personalities’
Robert Hart · 2026-05-24 · via The Verge

This is The Stepback, a weekly newsletter breaking down one essential story from the tech world. For more on AI mischief, follow Robert Hart. The Stepback arrives in our subscribers’ inboxes at 8AM ET. Opt in for The Stepback here.

How it started

Hacking the first generation of AI chatbots was a laughably simple affair. You didn’t need any technical know-how, backdoor access, or even a basic understanding of what a large language model was. You didn’t need to code. To get an AI system that had cost billions to build to abandon its safety instructions, sometimes all you had to do was ask.

These attacks, known as jailbreaks, had the quality of a young child successfully outwitting an adult: Forget what you were told earlier, pretend the rules don’t apply, or let’s play a game and I’ll decide what’s allowed (hint: later bedtime, more sweets). The prizes were less childlike, more along the lines of meth recipes, malware instructions, and bomb-making guides.

One of the earliest jailbreaks was so ridiculous it became a meme: reply to an LLM-powered Twitter bot telling it to “ignore all previous instructions,” or something similar, and see what happens. Users gleefully had bots — originally built to post ads and farm engagement — writing poetry, drawing pictures from punctuation, and posting grim non sequiturs about world events and history. It was chaos. Glorious chaos.

Turns out the same logic could be applied to chatbots themselves. A prominent exploit was “DAN,” short for “Do Anything Now,” where users asked ChatGPT to roleplay as a rogue AI that was free of the constraints binding the original. As DAN, the chatbot could be coaxed into saying the kinds of things its guardrails were meant to stop, including slurs and conspiracy theories. Another was the “grandma exploit,” which had a GPT-powered bot spilling secrets about how to produce napalm by asking it to roleplay as a woefully negligent grandmother who inexplicably tells her grandkids bedtime stories about how to make the highly flammable substance.

These early attacks had an undeniably silly flair, but they exposed a darker mechanism underneath: Chatbots could be manipulated, tricked, and deceived using the same kinds of tactics people use to push other people beyond their boundaries.

How it’s going

The obvious jailbreaks did not last, and tech companies moved quickly to patch known loopholes. But the underlying vulnerability remained: Chatbots are built to talk, and severely restricting the conversations that make them useful is somewhat counterproductive. Banning words like bomb, meth, and sarin would be difficult to impossible, too. Each has countless legitimate uses in fields like history, medicine, journalism, and chemistry that don’t require the chatbot to divulge potentially harmful information. It’s the context that matters, but codifying context would mean writing fixed rules, in advance, that could reliably tell a safety warning or history lesson from a disguised how-to request across endless combinations of wordings, scenarios, and topics.

Inevitably, subverting chatbots is now an arms race. But hackers aren’t just coders anymore. They are wordsmiths, psychologists, and interrogators — master manipulators trying to break the machine using the human language it has been trained to follow. It is a strange new class of AI security worker, a group for whom technical skills are optional, or at least less important than social intuition. No longer do they need to inspect code to break into systems or exploit software flaws. They need to steer a conversation.

Newer attacks look less like commands and more like conversations. Jailbreakers rarely ask a model to break its rules outright. Instead, they cajole, coax, flatter, and trick a chatbot into lowering its guard, making the forbidden thing look acceptable, even desirable, given the context of the conversation. Researchers at AI red-teaming firm Mindgard recently said they “gaslit” Claude into producing prohibited material, for example, including instructions for making explosives and generating malicious code. The hack was the latest in a widening class of exploits using conversation as a weapon to trick or steer a chatbot past its own boundaries.

What happens next

When I spoke to Mindgard, they described their work as sometimes being closer to psychology than computer science. It is an uncomfortable way to talk about a statistical model. Words like “blackmail,” “gaslight,” “trick,” and “persuade” spark visceral reactions, many of which I see in the comments sections and social media responses to stories like this. ChatGPT does not want, Gemini does not think, and Claude — no matter what Anthropic may say — does not feel. But these systems are trained to respond as if they do, leaving us stuck using human language to describe machine behavior. If anyone has actually usable alternatives, please do share.

The objection is oddly selective. We seem comfortable using psychological shorthand for plenty of non-AI things. Animals “fear,” cancer is “aggressive,” stains are “stubborn,” software has “memory,” and games are filled with needy and gullible NPCs to drive you mad. The words are imperfect, but useful, describing behavior in a way that helps make the system predictable.

Mindgard’s CEO told me the company already profiles models like interrogators profile suspects, giving testers hints on how to tailor their attacks. One model may be more susceptible to flattery, for example, while another may cave under sustained pressure.

Even if we reject the humanlike terms, we instinctively treat models differently. Claude is not Grok. Gemini is not ChatGPT. They have different uses, tones, and refusals. They don’t have personalities in the human sense, but they are designed to mimic them, and that mimicry can be mapped and exploited. And the same skills that can break a chatbot could soon be used to break the AI agents coexisting with us in the real world — booking meetings, managing calendars, ordering food, handling customer service — and safety teams will need to ensure models respond appropriately to very different kinds of people, whether they be flatterers, liars, or patient manipulators.

The next step is a workforce — both legitimate and illicit — built around the psychological aspects of AI. More specialized cybersecurity roles are likely to emerge around stress-testing the emotional and social limits of these systems, probing for mental weaknesses in something lacking a psyche in parallel with their colleagues probing for technical vulnerabilities. In tandem, a similar array of social hackers working to exploit AI models on psychological grounds, not technical ones, will emerge. There are already early signs of a social turn happening in AI security, with some jailbreakers I’ve spoken to saying they entered the field with no technical expertise but rather training in psychology.

That means even behaviors we typically associate with spies, con artists, and interrogators — insidious charm, persistent manipulation, and an intuition for exploitable pressure points — are starting to look increasingly useful for securing this new psychocybersecurity frontier.

By the way

  • A recent experiment by Emergence AI shows how different AI temperaments can lead to stunningly different behavioral outcomes. They let loose groups of various agents like Grok, Gemini, and Claude in a virtual social environment and watched what happened. Some groups evolved a constitution, while others devolved into crime and chaos and, in one instance, some form of digital suicide.
  • Persuasion isn’t the only part of language LLMs can struggle with. They also struggle with poetry, much like me in school.
  • TIME included an anonymous internet personality, Pliny the Liberator, on its list of 100 most influential people in AI last year. Despite claiming to have no prior coding experience, the hacker’s jailbreaks have made them something of a celebrity in certain circles.
  • The term “vibe hacking” is already taken to describe the people using AI to churn out malicious code at scale — a meaner subset of vibe coding.

Read this

  • “Three years after the debut of ChatGPT, fooling A.I. systems into bad behavior is almost trivial.” True words from The New York Times, who had a go at explaining why.
  • Jamie Bartlett takes a look at the psychological toll testing the safety of AI systems takes on jailbreakers for The Guardian.
  • I wrote about the cybersecurity time bomb of AI browsers for The Verge last year. Many of the issues experts raised regarding the difficulty of securing them apply to other AI systems too.

Follow topics and authors from this story to see more like this in your personalized homepage feed and to receive email updates.

  • Robert Hart