I read this news as white noise because there is no scenario in which I will be allowed access to this model. First, I happen to be a citizen of a country that is not the USA. What's more shocking is that I'm not even located in the US. Thus in the eyes of OpenAI I do not exist in regard to SOTA security models. Second, I will never ever do KYC with a company that provides text transformation services*. Third, even if I did, I will not be able to pass KYC because the typical KYC requirements are strictly tailored to a certain subset of the world's population and lifestyle choices, tuned by Americans according to their world view. Fourth, even if I pass KYC, my account will be banned by OpenAI immediately on the first prompt because they have close to 1B users and couldn't care less about any single one of them.
(*) which are nothing short of amazing and are changing the world, there's no doubt about that.
There is so much to unpack here.
> Thus in the eyes of OpenAI I do not exist in regard to SOTA security models.
I'm not seeing anywhere it says it's only limited to the U.S. Only that they had 'ongoing dialogue' with them. Which reads weird to me, how can an ongoing dialogue be past tense? But I digress.
> We’ve had ongoing dialogue with the U.S. government about our cyber approach, including today’s announcements and on our preparation for upcoming model releases.
> Third, even if I did, I will not be able to pass KYC because the typical KYC requirements are strictly tailored to a certain subset of the world's population and lifestyle choices, tuned by Americans according to their world view.
KYC is just that: Know Your Customer. If your 'permitted customers' are security researchers in the industry with a proven identity of employment, etc., then that is the KYC process; I don't see any issues with that.
> even if I pass KYC, my account will be banned by OpenAI immediately on the first prompt because they have close to 1B users and couldn't care less about any single one of them
Why do you assume this? Are you planning on intentionally trying to do something actively nefarious? It's such a strange take.
> how can an ongoing dialogue be past tense?
Easy: it can be considered past tense in case "ongoing dialogue" is corporatespeak for "f..k you". Which I believe is the case here. But that's an opinion.
> Know Your Customer [..] I don't see any issues with that
This might be the case if you're coming from a standpoint I have mentioned: the American one. This is a world view where everybody has physical paper documents proving residence, every labour effort is arranged in a very specific legal framework, every person has an address in a specific format, every person has one of just a few types of ID documents, etc, etc.
Problem is, the world has vast, vast differences in all of the mentioned areas and KYC companies couldn't care less because they are a business and they make money by KYCing as many people as possible for as little spend as possible. Thus they simply ignore any case that's not mainstream no matter how perfectly legal it is.
Being a digital nomad I cannot pass KYC at the vast majority of online services. My passport is under no sanctions, I do have residency in a first world country, etc., but passing KYC at Persona and others is not possible.
>> my account will be banned by OpenAI immediately
> Why do you assume this?
Because of the risk profile. The company has no way of knowing whether "find all security vulnerabilities in this code" is a request from a whitehat or a blackhat hacker. The risk of someone using GPT to hack yet another DeFi project for a hundred million while mentioning OpenAI is higher than perhaps a million user accounts, let alone a single one.
> The company has no way of knowing whether "find all security vulnerabilities in this code" is a request from a whitehat or a blackhat hacker
That's what KYC is for.
> This might be the case if you're coming from a standpoint I have mentioned: the American one.
I'm not in the US, nor America for that matter, I'm in the EU.
> Problem is, the world has vast, vast differences in all of the mentioned areas and KYC companies couldn't care less because they are a business and they make money by KYCing as many people as possible for as little spend as possible
"The lady doth protest too much, methinks".
There's not much constructive here other than a lot of assumptions and apparent malcontent with how some businesses handle their business, but that's for another topic I think.
>> The company has no way of knowing
> That's what KYC is for.
No, KYC has nothing to do with that problem. KYC doesn't help at all here.
> I'm not in the US, nor America for that matter, I'm in the EU.
Same here.
> No, KYC has nothing to do with that problem. KYC doesn't help at all here.
that's a bold statement. how does it not help solve the problem? what is a better solution?
How does KYC tell a company whether you have bad intentions or not? Let's say you work in a consultancy doing security research. On paper that looks good right?
How easy would it be for criminal orgs to set up legitimate looking fronts to pass these KYC checks?
see my downthread post. kyc is the first step in the process, not the last. without verifying identity, none of the other steps can take place
> how does it not help solve the problem
How does it? Online KYC is a procedure to verify someone's documents and face. And that's it. What does it have to do with the actual usage of the OpenAI account and the code that is being examined with AI?
> The company has no way of knowing whether "find all security vulnerabilities in this code" is a request from a whitehat or a blackhat hacker
the system in place to prevent unauthorized abuse. by default, the guardrails are conservative. to reduce the guardrails you can jump through a progressive series of hoops to establish whether or not you have a valid use case. the entrypoint for establishing your use case is verifying your identity and background. if you don't want to do this, you are free to use Codex Security to identify and fix vulnerabilities, it is quite good at this. the harness and model are already evaluating the usage of the account and the nature of the code being examined and actions requested. but then again, the guardrail thresholds will be very conservative for anonymous users.
what is your proposal?
> what is your proposal?
None. I don't see a solution.
I'm silently rooting for Chinese models here.
> Second, I will never ever do KYC with a company that provides text transformation services*
I guess you would also not provide KYC to a bank that provides number additions/subtractions between database rows services
As a society we have collectively decided that these numbers are money. Thus different rules apply.
And I'm happy to pass KYC in person, so I do have accounts in different parts of the world. It's the online KYC that's not passable for digital nomads like me.