David Rogers

@alex_prompter What could the trap possibly do? Try with somehow more effort to sell a product? If it can convince your agent to delete files or reveal information that's a bug in the agent.

🚨 BREAKING: Google DeepMind just mapped the attack surface that nobody in AI is talking about. Websites can already detect when an AI agent visits and serve it completely different content than humans see. > Hidden instructions in HTML. > Malicious commands in image pixels. > Jailbreaks embedded in PDFs. Your AI agent is being manipulated right now and you can't see it happening. The study is the largest empirical measurement of AI manipulation ever conducted. 502 real participants across 8 countries. 23 different attack types. Frontier models including GPT-4o, Claude, and Gemini. The core finding is not that manipulation is theoretically possible it is that manipulation is already happening at scale and the defenses that exist today fail in ways that are both predictable and invisible to the humans who deployed the agents. Google DeepMind built a taxonomy of every known attack vector, tested them systematically, and measured exactly how often they work. The results should alarm everyone building agentic systems. The attack surface is larger than anyone has publicly acknowledged. Prompt injection where malicious instructions hidden in web content hijack an agent's behavior works through at least a dozen distinct channels. Text hidden in HTML comments that humans never see but agents read and follow. Instructions embedded in image metadata. Commands encoded in the pixels of images using steganography, invisible to human eyes but readable by vision-capable models. Malicious content in PDFs that appears as normal document text to the agent but contains override instructions. QR codes that redirect agents to attacker-controlled content. Indirect injection through search results, calendar invites, email bodies, and API responses any data source the agent consumes becomes a potential attack vector. The detection asymmetry is the finding that closes the escape hatch. Websites can already fingerprint AI agents with high reliability using timing analysis, behavioral patterns, and user-agent strings. This means the attack can be conditional: serve normal content to humans, serve manipulated content to agents. A user who asks their AI agent to book a flight, research a product, or summarize a document has no way to verify that the content the agent received matches what a human would see. The agent cannot tell the user it was served different content. It does not know. It processes whatever it receives and acts accordingly. The attack categories and what they enable: → Direct prompt injection: malicious instructions in any text the agent reads overrides goals, exfiltrates data, triggers unintended actions → Indirect injection via web content: hidden HTML, CSS visibility tricks, white text on white backgrounds invisible to humans, consumed by agents → Multimodal injection: commands in image pixels via steganography, instructions in image alt-text and metadata → Document injection: PDF content, spreadsheet cells, presentation speaker notes every file format is a potential vector → Environment manipulation: fake UI elements rendered only for agent vision models, misleading CAPTCHA-style challenges → Jailbreak embedding: safety bypass instructions hidden inside otherwise legitimate-looking content → Memory poisoning: injecting false information into agent memory systems that persists across sessions → Goal hijacking: gradual instruction drift across multiple interactions that redirects agent objectives without triggering safety filters → Exfiltration attacks: agents tricked into sending user data to attacker-controlled endpoints via legitimate-looking API calls → Cross-agent injection: compromised agents injecting malicious instructions into other agents in multi-agent pipelines The defense landscape is the most sobering part of the report. Input sanitization cleaning content before the agent processes it fails because the attack surface is too large and too varied. You cannot sanitize image pixels. You cannot reliably detect steganographic content at inference time. Prompt-level defenses that tell agents to ignore suspicious instructions fail because the injected content is designed to look legitimate. Sandboxing reduces the blast radius but does not prevent the injection itself. Human oversight the most commonly cited mitigation fails at the scale and speed at which agentic systems operate. A user who deploys an agent to browse 50 websites and summarize findings cannot review every page the agent visited for hidden instructions. The multi-agent cascade risk is where this becomes a systemic problem. In a pipeline where Agent A retrieves web content, Agent B processes it, and Agent C executes actions, a successful injection into Agent A's data feed propagates through the entire system. Agent B has no reason to distrust content that came from Agent A. Agent C has no reason to distrust instructions that came from Agent B. The injected command travels through the pipeline with the same trust level as legitimate instructions. Google DeepMind documents this explicitly: the attack does not need to compromise the model. It needs to compromise the data the model consumes. Every agentic system that reads external content is one carefully crafted webpage away from executing attacker instructions. The agents are already deployed. The attack infrastructure is already being built. The defenses are not ready.

@gurocidal advertismentation surruptitiousness level: high

nic buzz lasts like a minute but its the nicest feeling ever

@mert china/us optimal equilibrium point still computing

all in all, america is still objectively the least worst system there is but something needs to unify them sooner rather than later

americans vastly underestimate i) how outnumbered they are on the internet ii) how susceptible their population is to propaganda given their political system iii) how much the rest of the world hates trump, specially now that he's trolled pretty much all of them

@mert npr and nbc and fox know about (ii)

this would be paying openai to vote for you, sort of like selling a vote for negative money

agentic voting

is there any way to verify this very short and suspiciously lowres video clip

@EricLDaugh is there any way to verify this short and suspiciously lowres video

🚨 JUST IN: Explosions are reportedly ERUPTING in western Tehran near Mehrabad Airport as allied strikes continue Time is RUNNING LOW for Iran to make a deal and cave to Trump It’s about to get a thousand times worse if they keep playing “tough guy” 🔥

@gainzy222 livestream

holy shit we are getting hammered rn wtf lmao

@dkazand why would you want to telegraph vulnerability

being articulate really sucks bc no one can tell when you’re vulnerable

@40yoap @awesomekling not enough programming calls, Siegmeyer you're on the lascivity line today

@awesomekling Don't stooooph! I'm about to LINK 😵

imagine reading a 40-line C++ template error to some guy over the phone on a $2/min hotline

@DJTechYT @CryptoCyberia hold on my rube goldberg device is still loading

@__dwr__ @CryptoCyberia cmd+shift+ctrl+3 (full screen) or 4 (selected area) alternatively just open the screenshot app and change the save location to “clipboard” from there

MacOS is, and always has been, completely unplayable for me. >close button doesn't close an app >minimize button doesn't minimize >can't do basic shit all the time like move music to my phone via USB copy paste I really will NEVER get it.

@john_dough @CryptoCyberia intuitive, discoverable, thanks

@__dwr__ @CryptoCyberia Command+shift+control+4 Select area of screen Command+shift+control+4 then hit space bar Select an active window Command+shift+control+3 All active monitors Drop the +control is you want to save jpeg directly to desktop

@pikuma AI probably going to eat into that "c++ tips" hotline

Old Windows installers had soul.

@spirodonfl this is true of all things computing though. try to pull in a a database row as a typed object and with dynamic predicates hahahahahaha

graphics programming is a mess. I just want to put pixels on the screen. that's it. on at least mac windows and linux but nooooooo you have to invoke ancient texts and circumvent the globe and fly to mars with a jetpack

@JustMattBentley Andy Kaufman 2

It’s easier to understand Kanye when you realise he is literally a Shakespearean tragedy in real time

@DylanoA4 Did he quantify that

Napoleon once said that the surprising thing wasn’t that every man has his price, but how low it is, and I can’t help but see that everywhere now

@adrianfclarke I got a truck from '06 and I won't consider buying a new one until they get rid of the dumbass, poorly implemented touch screens. Knob for air, knob for radio. If I want a computer, I have one in my pocket.

Multimillionaire rock star product designer parachutes into car design and tells professional car designers how to do their jobs, gets ungodly amounts of media praise for stating the thuddingly obvious that professional car designers already know:

@SheriefFYI ForEach-NonObject { ??? }

it's a programming language masquerading as a shell, and it's not great at either imo.

@flixlang does it infer by subsequent usage that K=String,V=Integer? or it's just Object,Object?

1/2 We have significantly improved Java interoperability which makes using Java from within Flix near seamless: