11:55 "As manufacturers of a machine that guesses entire paragraphs, we doubt that it will be possible for an attacker to guess an entire paragraph."

It is both unexpected and fascinating that token lengths alone can be utilised to determine the assistant response text with such accuracy.

I love the attack vector, great discovery and extremely well demo'd and presentation. One of the cleanest and concise talks, kudos to the presenters as well, very well spoken and no fluff.

Interesting idea and execution. The accuracy of Predicting First Sentence: 55% and Predicting Entire Text: 38% seems high. The sample space of the dataset prompts probably has a huge impact on these numbers.

Christ the background noise is unbearable

My goodness, what you fid'na tell me next, Liz Lemon? That some employees at AI companies might have full unencrypted access to my convos with their products? Nah, nothing to worry about there--that guy from Amazon said a long time ago that Alexa doesn't listen to anything in the room until you say "Hey, Alexa!" and I believe him. If you can't trust a company with a moral mission statement, good God man, who can you trust?!?

if you decode the encrypted tokens, from known text, you will get a very high confidence level on thr result. That data you can use as labeled training data. Which you can use to reverse the encryption keys used. From there there is no more guessing.

Who mixed this FOH setup? It's awful. This is riddled with easily-filterable ambient noise - and from the 2nd stage?! Next Defcon call a pro to run your board and rack. I'm available.

The biggest problem is they don't employ people with the right mentality for hacking their stuff... So they never detect shit about anything possible to exploit.

outstanding work and very scary stuff.

What a great work and Collaborations.

Nice work. I like human understandable attacks. Takes some out of the box thinking to get to this.

Reminds me of how they cracked enigma

I'd have to check out what is going on next door! I wonder if the speaker was thinking that too?

ohhh that's very interesting!!!!

It is clear that the token-length is a vulnerabillty that needs to be addressed.I am wondering,why not encrypt the length? I mean,why not change the length into something that would make it impossible to guess the word:If a word has a token-length of 6-make it something else, if eaves dropping is happening.

~50% accuracy isn't that bad, but not exactly a stat I'd be scared of. Given a set of known/trained tokens the chances of the guess being wrong is literally a coin flip. God forbid it starts responding in Spanish, then you'll need to train a model for each language.

How accurate is the attack if the user is speaking to a custom persona, not the default?

Thank you for sharing

Great talk

14:06 second part

This is why recall is bad..

Nice CV application.

endlech a heimishe guy at defcon

So they used how much LLM crunchpower training LLM's to decode LLM's? How much power & water got blown up so they could build this training model? Where is the point of vulnerbility? Shared networks?