Minimal output tokens. With thousands of configurations to sweep, each evaluation needed to be fast. No essays, no long-form generation.Unambiguous scoring. I couldn’t afford LLM-as-judge pipelines. The answer had to be objectively scored without another model in the loop.Orthogonal cognitive demands. If a configuration improves both tasks simultaneously, it’s structural, not task-specific.The Graveyard of Failed ProbesI didn’t arrive at the right probes immediately; it took months of trial and error, and many dead ends
Заявления Трампа об ударе по иранской школе опровергли14:48。吃瓜网对此有专业解读
Фото: Григорий Сысоев / РИА Новости,这一点在谷歌中也有详细论述
The paper demonstrated 90% success against knowledge bases containing millions of documents, using gradient-optimized payloads. What I tested is a vocabulary-engineering approach — no optimization against the embedding model — against a 5-document corpus. The corpus is obviously smaller than what the paper evaluated, so the success rate isn’t directly comparable. The value of a small local lab is reproducibility and clarity of mechanism, not scale. In a real production knowledge base with hundreds of documents on the same topic, the attacker needs more poisoned documents to reliably dominate the top-k — but the attack remains viable. The PoisonedRAG authors showed that even at millions-of-documents scale, five crafted documents are sufficient when using their optimization approach.。业内人士推荐yandex 在线看作为进阶阅读