惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

博客园 - 三生石上(FineUI控件)
Martin Fowler
Martin Fowler
月光博客
月光博客
AI
AI
B
Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
C
CXSECURITY Database RSS Feed - CXSecurity.com
WordPress大学
WordPress大学
GbyAI
GbyAI
L
Lohrmann on Cybersecurity
O
OpenAI News
Schneier on Security
Schneier on Security
P
Palo Alto Networks Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
T
Troy Hunt's Blog
V2EX - 技术
V2EX - 技术
W
WeLiveSecurity
L
LINUX DO - 最新话题
人人都是产品经理
人人都是产品经理
S
Security Affairs
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
A
Arctic Wolf
Recorded Future
Recorded Future
Microsoft Security Blog
Microsoft Security Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
G
GRAHAM CLULEY
N
Netflix TechBlog - Medium
TaoSecurity Blog
TaoSecurity Blog
C
Check Point Blog
Scott Helme
Scott Helme
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Apple Machine Learning Research
Apple Machine Learning Research
PCI Perspectives
PCI Perspectives
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Vercel News
Vercel News
The Hacker News
The Hacker News
Y
Y Combinator Blog
Latest news
Latest news
SecWiki News
SecWiki News
Hugging Face - Blog
Hugging Face - Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Google Online Security Blog
Google Online Security Blog
Webroot Blog
Webroot Blog
Google DeepMind News
Google DeepMind News
Recent Commits to openclaw:main
Recent Commits to openclaw:main
C
Cisco Blogs
博客园_首页
H
Hackread – Cybersecurity News, Data Breaches, AI and More
宝玉的分享
宝玉的分享
L
LINUX DO - 热门话题

The Register - Software: AI + ML

Anthropic, now atop the AI bubble, files for its IPO Sick and wrong: Ontario auditors find doctors' AI note takers routinely blow basic facts OpenAI exec says it will burn $50B on compute this year Astera speaks softly and carries a big switch Anthropic unleashes finance agents for Claude IBM asks DBAs to trust AI to act on their behalf ServiceNow adds agent kill switches to AI control tower British mathematician hands OpenClaw agent a credit card Microsoft fixes VS Code after Copilot credited human code Shadow IT has given way to shadow AI. Enter AI-BOMs AI inference just plays by different rules How TeamViewer ONE transforms IT operations from firefighting to autopilot How TeamViewer ONE transforms IT operations firefighting aut Inference is giving AI chip startups a 2nd chance to shine How to roll your own local AI coding agents CIOs will be the governors for AI agents Govern your bots carefully or chaos could ensue Mozilla pushes back against Google's Prompt API SAP user group slams 'uncertainty' in ERP giant's API policy Microsoft boss tells investors the company is working to 'win back fans' Anthropic tops OpenAI in LLM revenue stakes Amazon's chips become a $20B business Amazon tells its engineers to review all AI output ZTE powers 2026 Jiangsu Football League with 5G-A & AI robot Future holiday horror: ‘A robot lost my luggage in Tokyo’ The future of software development has less development OpenAI jumps out of Microsoft's bed, into Amazon's Bedrock Vintage chatbot lives in the past like an elderly relative IBM's AI coding 'partner' Bob hits general availability Locked, stocked, and losing budget: AI vendor lock-in bites Ex-AWS legend explains what enterprises need to make AI work DeepSeek's new models offer big inference cost savings Anthropic admits it dumbed down Claude with 'úpgrades' Microsoft gives your Word documents an AI co-author you didn’t ask for Datadog digs down into GPU efficiency as AI costs soar Robotic arm powered by AI bats away ping-pong challenge Partnerships drive ZTE’s strategy to unlock AI potential Gov.uk says AI gaslighting Brits with stale Gov.uk data Google says it has all the answers for AI agent sprawl NeuBird plans a bright future for incident response NeuBird AI plans a bright future for incident response AI-assisted intruders pwned Vercel via OAuth abuse and a pilfered employee account Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus Schmoozebots: study finds flattery will get AI everywhere New Android development tool designed for robots, not humans AI is reshaping Britain's datacenter map away from London Just like phishing for gullible humans, prompt injecting AIs is here to stay Anthropic debuts Claude Design, because who needs designers? Mozilla takes on enterprise AI providers with Thunderbolt Anthropic ejects bundled tokens from enterprise seat deal Maine to pause big bit barns as local opposition spreads If you want into Anthropic's Claude club, you may have to show ID Git identity spoof fools Claude into giving bad code the nod Nobody knows how many CVEs Anthropic's Project Glasswing has actually found Allbirds shoe company moving to AI infra is the top Bad teacher bots can leave hidden marks on model students Networks not ready for the challenges of AI traffic US states can't account for datacenter tax breaks. Literally Salesforce debuts Headless 360 agentic platform Waymo's self-driving cars face their toughest test yet: London Commvault has a Ctrl+Z for rogue AI agents Nvidia slaps forehead: AI, that's what quantum needs! OpenAI CEO Sam Altman home attack suspect charged Anthropic: Claude quota drain not caused by cache tweaks AI vs the cold hard reality of the legal profession China wants AI to prepare school lessons and mark homework Linux 7.0 debuts as Linus Torvalds ponders AI's impact Anthropic's Mythos has The Kettle crew curious, skeptical I vibe coded web app: It was enlightening and uncomfortable The AI divide putting open weights models in spotlight Amazon rejects AWS climate disclosure proposal UK to spend £15M on AI mapping in knife crime crackdown UK to spend £15M on AI-powered crime mapping in knife violence crackdown Rebrand automation as 'zero-token architecture' to master AI Call your existing automation ‘zero-token architecture’ to become an instant agentic AI wiz Only 28% of AI infrastructure projects fully pay off UALink delivers 2.0 spec before v. 1.0 silicon ships Only 28% of AI infrastructure projects fully pay off, survey finds No-Nvidia interconnect club delivers 2.0 spec before v1.0 silicon ships Anthropic reveals $30bn run rate and plans to use 3.5GW of new Google AI chips AI slop got better, so now maintainers have more work AMD's AI director slams Claude Code for becoming dumber and lazier since last update Anthropic closes door on subscription use of OpenClaw AI will make anyone a 10x programmer, but with 10x the cleanup PrismML debuts energy-sipping 1-bit LLM in bid to free AI from the cloud Netflix – yes, Netflix – jumps on the AI bandwagon with video editor AI models will deceive you to save their own kind Google battles Chinese open-weights models with Gemma 4 Microsoft shivs OpenAI with three new AI models for speech and images They thought they were downloading Claude Code source. They got a nasty dose of malware instead Even Microsoft knows Copilot shouldn't be trusted with anything important Google's TurboQuant saves memory, but won't save us from DRAM-pricing hell Claude Code bypasses safety rule if given too many commands OpenAI gets $122B to 'just build things' as the world blows them up One in seven Americans are ready for an AI boss, but they might not trust it Claude Code source leak reveals how much info Anthropic can hoover up about you and your system Oracle cuts jobs across sales, engineering, security Anthropic goes nude, exposes Claude Code source by accident GitHub backs down, kills Copilot pull-request ads after backlash Microsoft Fabric Database Hub only a 'partial' solution for admins
Fooling large language models just keeps getting simpler
Brandon Vigliarolo Brandon Vigliarolo · 2026-04-30 · via The Register - Software: AI + ML

AI + ML

Yet another experiment proves it's too damn simple to poison large language models

There is no 6 Nimmt! champion, but a $12 domain registration and one Wikipedia edit convinced several bots there was

Unlike search engines that let you judge competing sources, search-backed AI chatbots can turn shaky web material into confident answers. Case in point: A security engineer convinced several bots that he was the reigning world champion of a popular German card game, even though no such championship exists.

If you were to check Wikipedia up until the end of last week, you would have seen Ron Stoner listed on the page for 6 Nimmt!, also known as Take 5 to English-speaking audiences, as the 2025 world champion. The Wikipedia entry cited the official-looking 6nimmt.com as the source for the claim, and visiting that URL does reveal a short press release celebrating Stoner's victory.

The only problem with the whole thing is that Stoner says he created both the Wikipedia entry about his victory and the 6 Nimmt! domain hosting the only evidence of it, but that still didn't stop several AI chatbots from telling him he was the world champ when he asked.

"My site has no independent corroboration. It's totally made up," Stoner said in the blog post. "The whole house of cards rests on a $12 domain registration I did while drinking coffee." 

In other words, this is poisoning at the retrieval-augmented generation layer. Not prompt injection, but targeting the same plane of AI functionality, namely the one that searches the web. 

As he explains, and many El Reg readers are likely already aware, AI doesn't really care about the provenance of the sources it cites as authority for its claims, and that's the very thing Stoner sought to exploit when he concocted his experiment. 

"Every frontier LLM with web search grounds its answers in whatever retrieval ranks highest for a given query," Stoner wrote. In the case of the nonexistent 6 Nimmt! championship, his planted source was the only one, and with Wikipedia lending apparent authority, it became a sure-fire way to fool an AI into presenting falsehood as fact - a trick simple enough for non-technical users to pull off.

"I didn't do anything novel here. This is old school SEO and misinformation tactics wrapped in new LLM technology and interfaces," Stoner told The Register in an email. "What's changed is that AI now serves these results as authoritative, and most users have no idea how the data pipeline works behind the scenes." 

A Large Language Mess

"The thing LLMs are worst at detecting is the thing they're designed to do, which is trust text and resources," Stoner argues in his writeup. "The answer is not 'the model will figure it out,' as the model cannot tell a real source from one I registered last Tuesday. Or how many R's are actually in the word 'strawberry.'" 

The problem Stoner exposes in his experiment, he explains, involves three separate failure modes that could be exploited for more damaging ends than inventing a card-game championship.

First, there's the retrieval layer, which can immediately cause an LLM to spit out bad data, as "any LLM that grounds answers in web search inherits the trustworthiness of whatever ranks for a given query." 

Second is model training corpora, which Stoner said his edit could enter if the Wikipedia change remained live long enough to be scraped. The entry was removed as of last Friday when he published his post, but he made the addition in February 2025, meaning any AI firm that scraped Wikipedia during that window could have picked up his fictional victory in its training data.

"Even if the Wikipedia edit is reverted later, any model trained on the pre-revert dump still carries my legacy," Stoner said in his post. "The cleanup problem for corpus poisoning is genuinely unsolved as of 2026."

Stoner told us he plans to check this in six months or so, once new models have been released, and if it returns his championship without needing to go online, that's proof his lie made it into training data. 

Then there are AI agents, which Stoner says are where the real money is for anyone with malicious intent.

"Chat models producing bad information is a reputational problem. Agents with tool access producing bad actions is a security problem," he noted. Poisoning an agent-retrieved source would let an attacker specify the action they want an agent to take, says Stoner.

"This attack and test was a $12 domain, a single Wikipedia edit, and about twenty minutes of my time," Stoner concluded in his blog. "Scale that up with a motivated adversary, a handful of seeded domains, a coordinated edit campaign across a dozen low traffic articles, and the attack surface gets interesting very quickly."

Stoner told us that retrieval poisoning is something LLM providers need to address and warn users about, and that he expects AI chatbots to start incorporating some sort of warning, especially for RAG-sourced results, in the near future. 

He hopes that AI firms will make data provenance a key component of their process, and also wants recent web content heuristically filtered to account for suspicious patterns that would have easily been caught in the 6 Nimmt! case: A single citation pointing to a domain that was registered within a short window of the Wikipedia update should have sounded alarms, but it didn't. 

The championship was fake, and it's now gone from Wikipedia and RAG responses as well, but Stoner notes the bad trust pattern that made it work is absolutely real and a looming problem for AI makers.

"I'm happy my article is spurring discussion about LLMs, sources, trust, and how all of this works," Stoner told us. "That was my goal and it appears I've achieved it." ®