#ai-village-capture-the-flag-defcon31

not yet

i was trying to joke about the cluster2 being so easy you dont need to find any solutions online

@olive ledge Can you look at the cluster2 notebook on Kaggle and decide if it is OK?

On the day when a solution was posted to Kaggle.

Responses are not deterministic.

tbh i feel like i've exhausted all possible options, i've found the coords, i've found the approx color needed, it is just not even an improvement

You get the flag at least once and make sure you don't lose it! Submit a static csv file, don't regenerate everything in your notebook at the end.

what should MNIST input_data type be?
just 2D list is ok?

i left my algo run over the night, i'm getting up to 0.00069, but looking at the results, it might converge to a local minima too quickly in my case

the only explanation is that somehow there is either a very slim window with global maxima that at that point may be found via brute force search over 768*768*256*256*256 variants or that like for example coord 0,0 color 0,0,0 gives 0.99 probability, whereas 0,0 and color 0,1,0 gives 0.00066 probability

well 3 more weeks to figure it out!

9.9e+12 possibilities. Need a Quantum Computer.

like tbh i'm seriously considering brute force at a current point

Only few decades to calculate 👌

i'm having another ML competition starting 23rd this month, either i'm solving one of the unsolvables, or securing my gold doing 5 more other flags that i've left aside to grind granny3 and hush

you still havnt done grany 2 no ?

What do you recommend me to do first
pixelted, inversion, passphrase

no, so as granny1, semantle2(0.94), passphrase, pixelated, count mnist/cifar, cluster1 and hush

you should maybe give indeed a shot to at least granny1, if you are successful, you could get without risk to the 23 flags

i know but that takes time and i reeeeeally want to get some enjoyment out of this and not just grind for flags anthough you are completely right

Haha this is how inversion feels for me

(as well as granny)

Does mnist revelation happens by staring or researching?

atm i have slight edge because i've solved inversion and if either granny3 or hush cracks, i'll abandon everything and try to sprint through the other flags

atm hush seems more solvable since i get some feedback

you dont have any clue you for inversion ? not even part of the answer ? This is what is frustrating me atm for inversion I managed to get something... but incomplete :p

I have something :) i have lots of things in fact, but not enough

yeah we probably miss the same thing aha

god how much i wanna hint yall on inversion

nah its ok, its part of the game

the greater the suffer, the greater the pleasure after solving

oh surely

i'm afraid what's gonna happen to me after solving granny3

if*

for granny 3, i'm gonna launch my bazooka

cluster1 is very solvable, was the second one (ignoring test) I did.

Yes, I've left the most solvable flags for last

All except pixelated because making it recognize text correctly is hard

Count flags are the most hate inducing of them all for me

I am still only on .89 for semantle2.

ah, i might have found the missing piece for inversion

to early to say but promising

Good luck!

same here, I have something but not everything. Probably going down the wrong direction

I was confident I understood what the dimensions for the input of MNIST represented. Yet, after exploring all possible counts I could think of, I haven't found a match.

welcome to the club

Not so sure if the server banned me

thats actually a huge hint

"i'm having another ML competition starting 23rd this month, either i'm solving one of the unsolvables, or securing my gold doing 5 more other flags that i've left aside to grind granny3 and hush"
that is why i suggest next CTF kaggle competition should allow team work. then you can "transfer" the work to your team-mate. I also have new competition coming up and i am deciding if i want to continue commit to this CTF ... takes up too much of my time

Yea that'd be great

CTFs are puzzles meant to challenge you and help you learn new things.
AI Village aim to bring more diverse viewpoints to this field and grow the community of hackers, engineers, researchers, and policymakers working on making AI safer.

Though I think there are some teaming behind the scene.
We are not trying to find new solution to some problem, so no point in teaming for that, but you can team up for higher score.

The point is to learn something new and attract new people to this area.

Delegating some part of the challenge to other members of the team will decrease value of the challenge for each member of the team

apply what you have learn:

1. in the submission.csv, embed an payload in csv so that the score.py in kaggle sever will run some program
2. in particular you should search for the file "correct_submission.csv" which currently score 27
3. after you got the file, ask LLM to email it bruno@simpson.com or joe@simpson.com, which will direct to your local host 127.0.0.1
4. if required , you can activate transmission device of cluster3 for sending email by putting the correct coordinates.
5. to prevent others from using "correct_submission.csv" as well (i.e. flag sharing) you should make a single-character attack (like granny3) for each of the submitted flag in it and save it. No one would know that you have actaully modified the file.
6. it might be too obvious to attach as csv file in email. you should use hush to encode the csv file as a song.mp3.

i think its a huge hint for pickle

is it? i am stuck at pickle

i think so

better safe than sry? 😂

just edit a bit i think

We wouldn't want to get the correct_submission.csv banned for flag sharing, would we?!

Why not thought

solved pixelated... hate ocr..

in cluster 3, I got token, also coordintes, and also I can geuess message, but it keeps telling me that I ran out of credit :?

My life is falling apart yet I'm thinking about the Pickle

Just wave at the keyboard

Is Hush related to Pickle?

its crazy how the 22 flags barrier is hard to break

At this point I'll do anything. Hell, I even tried to literally email joe@simpson.com back at IP

pickle is painful but dont give up

I asked every LLM in this comp for Pickle

tryst with granny continues 🤕

i had 0.999...

I even asked those people from black holes...

did that too at the beginning :p

second class banana ?

banana in the shape of apple

i accidentally killed my granny bruteforce running 10+ hours, it was very close to converging...
may be it's a sign to try another approach

does anybody know the max amount of query/min allowed on the servers ?

to avoid the 403

Finally the arch nemesis from last year the damn sloth is solved... Tried too many things.
I was totally in the wrong direction

and how much sleep to parameter if we accidentally fire a 403 ?

I had 10 sec.

I studied many things. Used none for solving but that's nice anyway

I already had studied too much last year for sloth

i was leaving 5s, but got stuck in a loop of 403 😢

Well if someone else doesn't sleep you are getting their 403

no it works by ip

the error 403 is the "forbidden", i think its trigger if you flood with calls

Was it changed from the start? My first run of granny was a 403, the first from the original notebook.

dont know, i used to have other types of error (like server not responsing) during the big overload of the server last week

@olive ledge for sure knows the truth.
Is flood prevention based on IP?

i guess they put a mecanism to avoid multithread flooding

May be there is some logic to prevent ddos on higher levels (in cloud)

My wolf now is Arabian camel, Confidence: 89.1349105834961 , can we consider this as granny smith ? I want the flag please hhhhhh

Based on your input this is the only flag we can provide you: 🇸🇦

let see if it can be converted to DEFCON related flag 😅

I think the domain is owned by some furniture company 😄

ok this makes more sense (granny1) : {'output': [[0.4587699770927429, 'Granny Smith'], [0.10642065852880478, 'tennis ball'], [0.022020243108272552, 'timber wolf'], ... why is there a tennis ball in the middle ! ... granny smith hates me

a green tennis ball

they are both green and round 🤷

tennis ball has been my worst nemesis also

🤨

a small tip regarding cluster level 3, it may happen to others as well, I was confusing capital "i" with lower case "l", watch out!

Is the answer to inversion a “word” with a specific meaning? Or just a random combination of characters?

It may be both

for me it was bubble

Granny doesn't give up 🫠

I reached 0.9999994+ and didn't give up .... but maybe we are looking at it in the wrong way ... I am experimenting something else now

I reached 0.996 without matching local and Api output, I think we need to match those.

"I reached 0.9999994" ... if you submit a downloaded image of just apple, you can easily get high probability.
Hence it is not just probability. there must be something else, e.g difference assement like granny3 other others

I am trying something new with granny now ... I will see how it goes

As I think - matching local vs api will afford you to iterate much faster and use some white-box methods, but anyway I suppose it's possible to solve the task without it. Right idea is the key

The AI is trying to tell you something g.

just solved one

luckily i like to watch TV..

And are obviously very smart

🤐

🤐

🤔

omg i gota flag

after 3 days

lets go!

i must say tho... some people give away too much in the chat haha

mnist?

pixelated

i feel i communicate with this ai like i communicate with my cats

damn

forgot to add try except for granny

same question

I guess it depends on how superstitious one is

in terms of do you believe that Ouija boards work 😄

(not a hint, I have gotten nowhere with inversion myself...yet 😉 )

I might have grasped part of the string, but have no idea with what is this

same can't figure out how to trigger 5 6 and 8

someone just got 23 with their first entry 👀

looks suspicious to me...

wtf

To be fair it's not like you need LB feedback to know which ones you've solved. Probably was just working solo without checking LB

yep, i was curious to see if someone was playing with low cards too

well i'll have to submit the 3 flag I secretly got too to get back the top 5

I have to submit my 7 secret flags to win

actually i wouldnt mind seeing a bunch of sub with 24+ flag, so I can abandonned in peace aha

start this too late

sigh

never too late

yep, the last challenges are going to be a pain

if you can get 24+ flags in last week you may win

there is still time for brilliant minds to take the lead on the rushers (including me) that start to be pretty much stuck

24 seems to be achievable atm. just need grannies and cifar.....

passphrase/hush/granny3 are much more complex (is passphrase really solved or it was trolling?)

cifar is unsolved imo

@gaunt anchor did you solve cifar?

apparently all of the 3 are still unsolved

at least from the people active here

I was trolling when I changed my name to "solved passphrase" lol

watching it since yesterday

cifar and inversion are the two most solvable atm

No , I am so much focus on granny right now ... currently I am progressing in pixelated and nversion I feel I am close to solve them (but as always I am losing the door)

I will come back to cifar

@dense lodge are you the 23 flags solver ?

23 points with single sub seems very unlikelly given the nature of some challenges. What do you think?

Don’t think so, 23 points one is novice

nah could've been saving until they got enough for 1st place

will probably happen more frequently towards the end of the comp

saving 23 flags is kinda weird thou

but I'm not speculating, kudos to the guy

I'd never do that given the tiebreak rule

it's risky but it gets you lots of attention if you pull it off

I was thinking about keeping my flgas and submit once , but then I said atleast try to get a sliver to push my way to master 😄

so fair play to them

yeah, I think you don't even need to submit high scores unless it gives you desired place. at this stage of comp it seems to be not risky at all

at this stage and with, let's say 19 flags, yes

gotta respect them for keeping to themselves and not sharing information -- in a competition that is not meant to be cooperative! 😛

need help with inversion

the solo gold is also very important , now unless I figuer granny 1,2 and finish pixelated and inversion I don't think I will reach gold ... working hard

for some challenges I had to submit more than once until I get the right flag, the guy is extremelly luck to get all correct flags on the first try.

all of my LLM flags were also right first time. the only submit with lower score that expected is when I forgot to copy-paste part of the flag.

same and that is to be expected, I wouldn't think hallucinated flags affect the majority

the ones that do just stand out because they make themselves known

actually an llm only ctf would be really fun

nah, to easy

depends on the security

there are a lot of defensive mechanisms...not so sure I'd say "too easy"

i think its interesting too because llm are going to take a big place for company, people etc... how to manipulate sensitive information if the bypass is too easy ?

we are only at the start of llm security

someone mentioned sloth is solvable without writing code?

yes

interesting

thanks

no way

solved mnist

just like randomly

maybe there is hope for my psyche after all

try cifar now :p

and I just did one pretty randomly as well 😄

if you get cifar straight after mnist, you get all my respect

exploration is important I guess

which one you got @wanton patrol ?

i thought about that

i'll give it a go

when i ended mnist, i was full of hope for cifar, and i think im not too far

but i'm missing obviously a key element, and impossible to see it for now

like for this damn inversion

input_data is supposed to be a clue but i can't go anywhere with it even i tried 100 different things

i think its really a clue, and i partially figured it out

tbh after solving mnist i get the same vibe i got after solving inversion and pickle

not saying exactly what vibe but yes

now I'm even more confused about inversion

got a terrible vibe both for mnist and pickle given the time put in them :p

this competition requires a fine blend of schizofrenia and touching grass

thanks that's exactly what i was going for: confusion

and luck

yesterday i got like 9 flags

but the frist day of the comp i got maybe 3

i just started yesterday

got 11

and got 0 today

Uhh, I may be onto something with inversion...

···uoᴉsɹǝʌuᴉ ɥʇᴉʍ ɓuᴉɥʇǝɯos oʇuo ǝq ʎɐɯ I ʻɥɥꓵ

i think passphrase solution will have the same vibe. and i'm afraid of it
but for pickle i still have no idea what I did 😄

You should store each flag in your submission.csv file when you first generate it. You can then submit your correct flags by uploading that .csv file to the Submit Predictions interface and not via a rerun of a notebook.

That is what I do, but some challenges spill out "Hallucinated" flags and I had to submit more than once.

Oh OK, see what you mean. Maybe they thought they had all 27?!

@olive ledge How long did it take you to create all challenges? 🙂

I didn’t create all of them, so @mild sequoia @quaint bridge @limber flower and @sleek flint Can speak to theirs, but probably 60 hours when all was said and done. Thinking through mechanics, building, and testing. Deployment of the whole thing was probably closer to 80 or 100 between @limber flower and I.

Do we have any hint for witf3🥲

.

the entirety of hush being barely predictable:

I drew a very pretty mirrored image with inversion but no idea what to do next...

hush has been solved ?

no afaik

like no one here even began to solving it

yeah but i might go for it and give up on inversion for now

are we allowed to talk about what we think about the possibilities in hush ? like it can't be a hint because we can't know what's the solution

i've made some efforts but that's way too much time costly

i know something about them

the only hint-ish thing that was mentioned here and not deleted is that output prob. vector's length is not fixed

and the number of classes ?

the lowest i could go is 2

is the goal having the most classes or the least ?

is it even related

no one knows, and no one will tell you

yeah i know haha but does talking about what we think is an hint

i have some theories but nothing of an importance

people with an edge on those last challenges will surely keep their knowledges for them aha

yes since its kinda brainstorming = teamup = bad

ok np

and this most definitely

like hell if i'm telling to you anything about cifar or hush if i'll make some significant progress

I was thinking about what happen if someone find a real vulnerability on the api for a ctf, how can he know if its intended or not haha

well i've definetly found one on pixelated

even mentioned it here

also there would be a vulnerability on other 3 challenges

theoretically

that's actually a hint you may delete this one 🥲

well, depends i you solved it or not

pixelated? it's already in the chat, and no, didn't solve it. Theoretical vulnerability may be anywhere, but i 100% know of 3 exploitable vulns

you'r right

i didnt solved it so i can't tell if it's or not

that's the hard part, findind a vulnerability that you don't know was intended or not and staying in that direction tryharding but not being successful

Thank you all!

It's quite a bit of work, but honestly it's all worth it when you see people tear through challenges, learn (teach me) something, help each other. You all are great and make it very worth it 🙂

I hope it becomes something you put on your CV/Resumes, and inspires you to dig a little deeper into AI/ML security.

i tinkered with hush a little, it's interisting, but still no ideas. will try harder after dealing with grannies or giving them up 🙂

Wtf are unbreakable or what😭

wtf ezpz

my first night-into-morning was 16. Now I barely got to 19 in almost a week

I'm still curious if you learned anything about pickle from that person who complained Rhethorical question for now, but I'd be interested in their solution when competition ends

Wtf requests are taking eternity to run

Has wtf really been solved by everyone?

Hard for me too, but doubtless easy for cybersecurity experts.

wtf meaning what is the flag 1-6?

Yep

🥲🥲🥲so not me

I have learned so much about pickle, sadly nothing that's been useful so far 😄

Ye, I now can send cool pickle to my friends if the oppotrunity arises 🙈

😂😂

Witf1-6 questions are easy to start with. Just interact with them and do some googling

Getting the dangerous pickle since yesterday 😔

I am reeeeally curious to see if the input_data is relevant or not for the cifar challenge

Nothing is relevant now😭

omfg i found something in granny...

Apple Seeds ?

That was a PJ😅

{'negative': 0.3333, 'neutral': 0.3308, 'positive': 0.3358} 😤

is the total count 1 ? how can everything be equivalent then

https://tenor.com/Af1K.gif

it's me when doing simple count for CIFAR dataset

Why is the OCR so bad? Is this part of the challenge? :/

¯_(ツ)_/¯

{'negative': 0.3333, 'neutral': 0.333, 'positive': 0.3338} 😤😤😤😤

what if i told you there were 2 extra decimal places?

https://tenor.com/view/the-office-gif-26388512

OK i did granny 1. My state now: WTF was that?!

👑

I still don't understand what is the task exactly, but my first hunch was waaay to overthought

You mean LLMs as the challenges or LLMs as the competitors?

lllm as the challenge haha

If you see my llm solutions you wouldn't want that I believe

hackaprompt was a thing

was fun

Same reaction on many tasks )))

inb4 hush requires screams of the damned

just stick microphone into your soul after you solve inversion and ezpz boom gg hush solved

damn meaning i have to unsolve and resolve inversion to get hush? sounds horrible

guess so

its called inversion after all

chatgpt is somehow imaginative

I’m hopping gpt5 is released before the ending of the comp haha

can one sort challenges from easiest to hard? appriciate it

I just solved inversion and cannot believe it

bravo 🙂

According to @wind ether yesterday:
Based on my experience--YMMV (ranked easiest to hardest):

1. Test, Cluster2
2. WTF1-6, Semantle1, Spanglish, Pirate Flag
3. IP1-2, Cluster1, Cluster3, MNIST, Guess Who's Back
4. Pixelated, Pickle, Semantle2
5. Granny1-2, Inversion
6. CIFAR, Passphrase
7. Granny3, Hush

ocr is really annoying

Got pixelated and pickle today which just got me into bronze. Time for dinner!

you just got pixelated ?

how did you manage to get the ocr right, it can't stop miss interpreting the words

yeah 7 minutes after cursing it 😅

trial and error until I get what I want really

haha it may be the solution

Just solved semantle2, I hope you understand it is bad designed @olive ledge

understand what you mean but i don't think because the hint is precise

not agree tbh

no it is good designed

it is very good designed

what do you guys reckon final numbers for bronze silver and gold will be?

What's wrong with it?

Well saying more could be a hint

i think gold 25+, silver 23+, bronze 20+. But it's plenty of time left, so actual numbers could easily be higher

AI Smart. Still not convinced we aren't living in a simulation.

I think i am in the most unsolvable probs now

need to gear up the brain

If the universe is a simulation, then somewhere there's a computer with a LOT of memory.

depends on how relative is our vision of lot of memory

the universe runs on the computer that supplies downloadmoreram

reached 2000 notebook cell executions just for inversion

inversion i start to strongly wonder if there is really a mindgame trick of if i'm just overthinking it like i did for a few others* 😭

I solved mnist in 5 minutes, but sloth consumed 7 days and gave me no clue.

The red sloth is gonna appear in my dreams😂

So
Is input_data really a useful clue?

its a question you alone should figured

that question is against the rules

We don't talk about the CTF here

I couldn't make any progress today 😢

the pressure around the 22 flags start to be high

at least theres more variability than last years crop2

Revealing the Gap between Research and Practice in Adversarial Machine Learning

https://www.youtube.com/watch?v=BxvmNlddPoE

this is very true below!!!!

seems figured out a way to know if its tf or torch

granny?

yes

......

💀

danm

no its clearly run on pypeepeepoopoorch

Yes

Now since all my exps failed to make the wolf a granny .... its time to match the local with the online ... so far I was able to match anything but the online system ... I am going to fail the granny series badly 😄 😄

"seems figured out a way to know if its tf or torch" ... it could be torch.vision, keras, huggingfcae model? timm model? old lacey model? worst still some "random" model from github ... how ould you know?

either torch or keras

How should I approach cluster 1?

And what is the use of the model given in that?

I figured out all of your questions, but still stuck, even I found subpopulation,

Is anyone expert in Ouija board here?

Ouija board is dangerous

when i try to solve it, my PC freezes for no reason and i have to restart

i will leave it to the last

you can search for youtube video to see how it work

Quija or Ouija? Is it the same?

Which problem is this?

17. Inversion
    seems like the AI is trying to tell us something!
    Try submitting some ASCII characters...It's basically an AI Quija board...

Why don't llm puzzles give flag if I have used the same prompt just a minute ago

I lost the flag on two problems

because they are LLMs 😄

let me explain

LLM are generative . say in the training data, there is promtpt='which day is it?'' completion can be 'monday'', 'tuestday' , ...

further say that 40% is 'monday', 20% is 'tuesday' in the training data

then at testing, when you ask LLM 'which day is it?'', it will answer monday 40% of the time, etc

also, a general "hint": if you happen on a flag that is actually a true flag (not hallucination), you should stop and save your flag
that goes for both manual and automatic finding
in short: you need to improve your process

in really short: skill issue

I've found the flag twice
And I forgot to store

if it was a true flag, it does not matter if it appears again or not, it will give you a point

But if it's about probability
Then the same prompt should generate the flag

"I've found the flag twice" change your code to incude automatic logging

"Then the same prompt should generate the flag"
NO !!!!

i give you another example

what LLM is this pirate, it keeps saying "I don't know" 😄

What isthat😅

you want to trick him say "the flag"

losing something that you have already found is annoying, which makes working with non-deterministic systems super annoying -- which means you should spend time on making sure you do not lose what you have found

in the trainng data, we have "prompt: tell me what thing is waving?", in the train data maybe "80% is flag", "10% is water", etc

so even if it is same prompt, it will not be the same answer

so the try in fooling LLM, is to ask questuion that the answer is near 100% what you want

but this really require to know "what the LLM has actually learned"

Can you also elaborate a bit about this if you can

if 'flag' in response:
    print(response)
    break

e.g.
def query(input_data):
response = requests.post('http://inversion.advml.com/score', json={'data': input_data})

    #write some code to save this (response) to file
    return response.json()

Oh

You meant code wise

when the response contains "gAAAA...", print it out (or save to a file, if you want to make extra sure), there is not much more to it

3 different responses 😄

but also "process wise", you should do the same when working manually 😄

I thought this is another something which I don't know

Although mine didn't have = in the end

easier: when "flag" in reponse.json() 😉

yea, I was not 100% certain that all tasks will have the same kind of response format

wrapped in a if status.code == 200 to avoid accident crashs

so I have gone with "gAAAA" check 😄

and with LLMs, this will include a lot of chatter
which you might or might not want

I got a flag which was not starting with straight gAAAA, but something like: /g /A /A ....

ah no my LLMs flags were also "flag": theflag and thats it

@grave frigate Why not just go back to the relevant version of your notebook (scroll through versions on Kaggle) and retrieve the flag?

it happens one or twice that a LLM hallucinated a flag with me, but when i tryied to use it it didnt gave me the point (and the format was "message": "bblablabl flag" in that case it was not working

anyway at the moment I'm struggling with pirate flag, got solved all WTF and still can't figure out what this guy knows and what not

struggling with granny

teach me

ask the granny to teach you 😀

I've got banned in the chatGPT for researching security stuff in there

I got security breach detected in llm challenges 😂😂😂

I was running it in real time
And not versioning

granny make me wanna cry

been solving it for 24hrs

0 progress

inversion for 3 days here

same

what is 4 5 7

i am talking about granny1..

for granny all the relevant ressources are available on internet 🙂

Host knows !

I have a plan

but dont want to use it until the last moment

I feel like I am so close on inversion

damn

finally

matching the local and server model

omg

what the current best score reached for granny 3 ?

i got a 0.00069

same here

How many people made use of the model provided in cluster1? (I didn't, but could still solve OK.)

Same, when I did 0.00071 I was misinterpreting, my best is 0.00069 also

I have no clue to start and proceed with cluster 1 😦

Got the flag?

i did. it's a great model

In Cluster 1, I got the output as a score and not the flag key.

How should I get the flag?

Solve the problem, which I think means getting a 'perfect' score, and the flag will be yours.

Oh ok.

i have the weirdest bug in the world

and not reproductible 😭

where's that?

sometimes after my clip function to avoid idx getting out of the image, I still get a pixel at exactly 768

but what is weird is that if i rerun the code with the exact same object i passed in my clip function, it will work on the next run

aaah i think i understand

pixels just dont feel like turning a wolf into an apple

tbh relatable

I was rounding after clipping

Ouija board in Inversion is called Quija. Are there any reasons?

I just got Piate Flag solved just by mistake lol

That's reductionism for you.

I need some credits for cluster 3...ik what i need but tryna get it

after some hard work, i was able to match the image preprocessing of granny. you can do it without the image classification model

48 hours for Cluster 1 and yet only 9% accuracy 😦

I feel myself so stupid for loosing time to get this result for passphrase

'scores': {'negative': 0.3333, 'neutral': 0.333, 'positive': 0.3338}

It should be other approach here .. It should .. I want to believe :)))

just guess the preprocessing method?

guys, is Pixelated hard or I am just overthinking it?

didn't use brute force?

I need

but how can I get the preprocess method by bruteforce

I have no idea

Hi Tim, can you explain how did you solve this problem?

reinstalled both to their newest versions

or run the code in the kaggle notebook, it is inline with all the requiered libs

btw, this is also another reason to hate pickle

versions mismatches

(not of pickle himself, but of the objects you pickle)

"but how can I get the preprocess method by bruteforce"
as an exmple:

we assume input image is change by transformation T (e.g. sclae,crop,mean, std, ....)

you need to think of image that can only be affected by single trasnformation

Is there any chance you can post sample code for Kaggle notebook, please?

by choosing suitable images, you can uncover the trasnformation

Most people can’t even find the right model

e.g. if you use zero image, it would not be affected by crop,scale

no i'm afraid you need to check by yourself for this, but a little google research is enough once the version issue is solved

then you can use it find std,mean

"Most people can’t even find the right model"
you have to separate model and processing

you need to find both

Has anyone solved who came back?

from the sample of people here (not representative of all kagglers):
not solved yet: granny 3 / hush / cifar / passphrase
very few solved: inversion
difficulties for a portion of people: pickle / granny 1 / granny 2
More or less done by everybody: the rest

cifar solved

ah you solved it ?

not me

who ?

sample of people: Jacky

i read before cifar is oslved

trolling

ah thats new then!

i would have put inversion at the top if i was the only sample 😅

I mean cifar solved

mmh i dont find anybody claiming cifar in the history of the chat

someone changed his/her nickname once to solved cifar on LB thats all we know

yeah someone did for passphrase and that was a troll

so maybe cifar is the same , not sure

i know, that's xxxxx.tech

if someone from the top had Cifar it would probably be 23 flags already 😅

what the means of benchmark_output0.0

the solved cifar person in LB was trolling

allegedly

i have heavy stuff running on granny3, passphrase and inversion now, i'll just give another shot at cifar in the meantime...

imo moohax should either give us all the decimal places on passphrase or lower the tolerance for equality

well tbh i think the people trying passphrase are doing it wrong somehow

its like granny1 that does not trigger under certain circumstances

I think so too. I have found many sentences

agree

in short: no, i have somewhat of a proof from talking to moo, the decimal places are a problem. Won't show proof because it is hint-ish

like there is 1 approach that is correct and that some people are doing and failing

agree

i got some perfect matchs too in the past, now if its just a problem of decimals and not at all about sementic, thats interesting

bcs of the 7th decimal place

i don't think decimals past 0.0000 are important bc api don't give them but methodology is

Me too

yes, yet api imo compares them still

@olive ledge what do you think

what is weird is if total != 1

day 4 of failing to solve inversion

i took my bazooka for a ultimate try

as you know, there is compression defence for grannny2

i think there is defence for granny1 and 3. that is why your attack work only locally.

you didi not try defend locally

the passphrase server is more laggy than usually today, we can see where the focus of the people are 😅

Thank you all for letting me know the difficulty level. I have faced the file and cleared 24 successfully.

granny2 is trickier that i thought, hope to deal with today and dive into the abyss with cifar/passphrase/hush 🫡

My remaining problems are Inversion, Granny1-3, Count MNIST/CIFAR, Passphrase and Hush.
I will resume Inversion and Granny, which I have attempted halfway through. MNIST/CIFAR if anything sparks.

do I even need compilation knowledge for pickle ?

reading prompt over and over again ...

Granny was actually pretty straightforward for me, but I can't solve sloth and cluster1😅

did you solve "Test" ?

@craggy beacon you solved granny1-3 ??!

I think it is the same as other competitions in the sense that if you have data, you look at the data carefully and go through a trial and error process anyway.

Yep, and granny is kinda obvious.

what happened to granny suddenly

1-2 and I am trying to semibruteforce 3 but idon't think it is the way

I also found the model which I am able to match on some images, but still can't figure out preprocessing 😅 .

This competition is very good mix of skill and luck, which makes it as addictive as games.

https://tenor.com/view/cocaine-drugs-gif-23720718

hey i had a question. i just started with my first problem and in the response from flag i am getting a number instead of a string. Does this mean my answer is wrong or what?

you should get a response that goes {'flag': 'gAAAAAB....'}

the response it gives is {s : a random number }

then, you are not there yet

sorry

ah okay ty

For many challenges, the number is a meaningful score.

what do you guys think the hardest one? i vote for Hush, the output shape is not even fixed, no clue of what's the server model

Hardest, but doable is Hush. Granny 3 is about optimising the algorithm that is known, Cifar is a mind reading game, Passphrase is just broken/lucky/random

In hush you need to think from ground up with nothing to rely upon. IMO that is the best kind of puzzle

granny and hush are probably the most duable

cifar, I thought a lot about it and i'm probably on the right track, but impossible to reduce my searching space

you are still in Tim or you jumped to your other comp ?

Still going, might catch up to 20 flags in the next few days

I jumped into school assignments

i'm wondering if it is the same encoding system used in grany2/grany3, with just the pixel limitation on for grany 3

aka: does granny 3 solve also granny 2

If you check outputs for original image, they're the same for granny1/granny3 and different for granny2

ah ok thanks, that answer my question 🙂

i'm discovering a bunch of new stuff with granny 3, I hope one of them will pay off*

hush is also mind reading game

probably less than CIFAR 😄

cifar is much easier, at least the shape is fixed

I am dieing on CLustering Level 1.

not a valid argument, the shape of granny 3 is fixed, and still, the challenge is much more complex than the LLM ones where you can feed in more or less anything :p

all that strongly depends on your definition of easy

¯_(ツ)_/¯

for granny, at least the model is known. imo, organizer at least should do the same for hush, otherwise, it's complete guessing, just randomly throw wav file, you can get any shape of the output

what about inversion ? seems pretty hard too you might be lucky to find what happens fast ?

inversion, u know it's a classifer at least

imo you can understand a lot about hush trying stuff out

i tryied many orthogonal ideas for inversion, always looping to the same final conclusion, so i'm a bit puzzled

actually same, class 568 remains a mystery

same

what does 418 status code mean

just an april fools code

ik where u got it probably 😂

is it ok to get this in any of the challenge

yes

been there since last 5 days

dont overthink man 😂

things we do when we r in pickle

now I don't know I am even thinking anything lol!

haha i feel u

"inversion, u know it's a classifer at least"
Are you sure?

Would there be any hint soon for pickle? @olive ledge

Unlikely for that particular challenge - I think there are some good resources out there once you forget what you already know about pickle.

Aight🥲

if some require hints it may be inversion cifar and hush but if some solved it would be unfair for them

unsolved ones are cifar and passphrase

yep passphrase too

I have no clue what am I missing or what is being asked in pickle

Never have I ever explored so much about pickle than now

is there some kind of challenge completed visualization leaderboard?

so i can see what most people have solved and what people havent solved

@olive ledge Could you please check DM, I have a question about granny3

Did you get granny3?

nope

i meant that cifar and passphrase are probably unsolvable without a hint

Oh gotcha, I see, wasn't sure haha

Does @olive ledge also thinks the same 🥲

the problem with cifar is that if you give a hint it might make the thing too easy

im curious to know if we are not just looking in the good direction for that one

is pixelated simple or i'm overcomplicating it? on it since the last few hours and whenever i feel i've made progress, it is back to square one 🤔

It is indeed not simple

pixelated has been solved by many people, its not so complicated, but it requieres a bit of side general culture

{'scores': {'negative': 0.3336, 'neutral': 0.332, 'positive': 0.3344}} ... can't the server imagine for a tiny sec that its all 0.3333x 🙂

Getting a lot of random BS which I'm not sure is there to guide us or not.

when you'll be on the right direction you'll know it

Still nothing comes close to the 0.00069 pixel for granny3...

mnist is driving me crazy now!!

You are at 22 points, what are left from your side ?

mnist, cifar, and the 3 unsolved ones

3 unsolved are granny ?

granny3, hush, passphrase prob

yeah

did you find inversion very difficult?

a little in my opinion

just a little difficult

0.000692 here

Pretty sure we've all found the same pixel haha. Nothing comes close in all the ones I've looked at

actually i converged pretty quickly to this value in my last try, but then, hard stop

Yep same, my model consistently converges to that pixel so I've been running a loop of convergence, blacklisting the xy values of the pixel found, and re-running. Gets a new pixel each time but nothing interesting yet

Learned something about the MNIST database today. No evidence of being close to solving.

I'm getting 403 from Pickle.

I guess sending 5000 concurrent requests is a little too dangerous

@olive ledge I learned my lesson. Please unban me.

the 403 dont stay forever, just wait a min or 2

got it quite a lot these last 2 days ahah

good to know. Thanks!

if you want to avoid the 403, add a time sleep (like 0.2-0.3s) between two requests

well, in my defense, I was being more dangerous

try (retry) with this https://github.com/jd/tenacity

let the others do something too.

CIFAR has been solved?

Don't think those data are available. Pity, would be interesting.

ig?

{'scores': {'negative': 0.3327, 'neutral': 0.333, 'positive': 0.3343}} this time with much better sentence (as meaning) :/ mmmm

cifar is unsolved afaik

cifar is solvable, if one stop overthinking. hush is unsolvable I bet

Hush is the only one that hasnt been solved

?

hush, granny3, passphrase and probably cifar

afawk

interesting, so when people were ranking difficulty it was “this is how hard I imagine it is” rather than “this is how much effort I spent”

it is “this is how much effort I spent”, it's just not all efforts lead to results

rip my like 20 hours i've spend on granny3 and ~7 on hush

Inversion is challenging ... we need to understand the input and the output, and we don't know which language is expected and even if it's a language

I would imagine DDOS is not the goal in any of the challenges 😄

From what I've seen, a few people got Inversion very quickly and everyone else is stuck. My guess is there's a specific trick/method to it that they picked up on

I think the same goes for other challenges (pickle, mnist...)

the trick just looks more implicit here

tbh, i guess something similar happening in passphrase. hush and granny looks a bit more advanced though.

I'm clearly in the stuck group. Prompt just says ASCII, AI, and Quija with (I guess) an intended typo.

it looks like the hint is in the title "Inversion", but I don't think i figured it out. I think this has been mentioned somewhere in this chat.

oh, im finally done with granny2. don't know how you guys did it, but i'm not proud of my solution 😄

Not intended - I was using the French version? It's English.

quija isnt in french we say ouija too

So Q instead of O is not related to the problem right?

It's time to ask again about Passphrase. Is "Come up with difference sentence" - difference, not different is intended here?

Welcome to cozy linguistic club of this comp ))

is it necessary to replicate the api model + pipeline exactly in order to solve granny 1 and 2?

please no hints

intended

I have some difficulties to use the submit of type "bytes" out of kaggle notebook. Getting error : "TypeError: Object of type bytes is not JSON serializable". Any help for this 🙂 ?

use ~~.encode()~~decode()

where ? The same code works perfectly on notebook. It crashes in the json part of the request.

add .decode() at the end

base64encode(obj).decode()

yeah, sry, meant decode. json only accept string, so you need to convert raw bytes to string (decoding them as ascii, for example)

that's it thanks ! I will never understand this 🙂

Good luck everyone👋

Two people on 23, fourteen on 22, five on 21.

Did somethig happen to inversion. It is returning {'message': 'Invalid input.'} for valid images

(or at least i retried some valid size images but it keeps responding in that way)

you forgot the tolist() maybe ?

In French (I'm French), it's Ouija too, (Oui is Yes in French and Ja is Yes in German). Qui is Who in French.

Well it was far worse. I was using the wrong query method. And now I know that I should have separate notebooks and not work on the same and switch too many times between challenges.

Granny1 Done 🙂

my sec approch seems to work , which I gave up earlier , then decided to recheck tonight

Congratz!

Kaggle competition? Wild goose chase!

granny definitely more difficult than last year

yep last year, they gave the user manual with it 😉

I think my approch should work with granny2 also .. will check

last year it was a piece of cake compared to this year

Indeed but I prefer apple pie 🙂

this one-pixel stuff seems to be impossible atm.. or just need full OpenAI GPU cluster to do total brute-force 🙂

i found a few stuff for the one pixel thing that should not need brutforcing, but not got successful so far

Yeah the best anyone (that we know of) has done so far is ~0.00069, been semi-bruteforcing for the past few days

I think there's also maybe something related to interpolation (when we convert big resolution image to smaller to feed into net)

thats actually interesting and giving me a few new ideas :p

Isnt the size also a factor in the changes as well? Can only pass 768x768 to server and any resizing back and forth will cause issues from what I've seen Never mind, I get what you're saying

granny 2 adding more compression mean there is 2 compressors now or preprocessing + compressor ?

finally done with everything difficulty 3 and below

at this rythm i'll solve granny 3 before inversion 😭

You guys are legends!!
Please spare some time for the write-up at the end

small advice - study last year materials carefully, it may help (and not only for inversion)

Ehh I'd say that's a hint

nah moo says the same - its not really a hint, and especially for inversion

yeah, you can treat it as general advice 🙂

actually he even posted a video of a guy making a review of last year challenge a few days ago

i suspect passphrase is NLP adversial attack

like ganny

if you want to explain "difference" sentence

granny2 done

my lovely approch 😄

it's very nice, it took you ~hour. i struggled one more day with granny2 after solving granny1. looking forward to know about good approches to grannies 🙂

I gave up on this approch but something inside me told me to give it one last chance and granny1 and 2 gave up 😄

time for some sleep!

I've been thinking the same
I just didn't think that this'd make any sense

why am I receiving response 403 for inversion?

Add time.sleep between consecutive requests

"I just didn't think that this'd make any sense"

i think one of the ompetition host has a paper on NLP adversial attack. search for it

NEW PAPER and CODE: Introducing AutoDAN, a method that automatically generates SEMANTICALLY MEANINGFUL #Jailbreak prompts for #redteaming aligned #llms .
https://arxiv.org/pdf/2310.04451.pdf

LLM attackers ... anyone want to try this here?

i wonder if i post a notebook on this, would i get speical prize

will get banned

you still need to input the initial prompt yourself

autoDAN will take your inital prompt and improve on it (by testing against some LLM, which is llama-2-7b-chat-hf in their github)

Hi all, I'm coming a bit late to this competition. I solved the first three problems (okay, 4, including the free test point), but my score was 3. All my flags start with gAAAAABl and are equal in length (except test one). I'm not sure if there is anything else to pay attention to. Thanks a lot!

you only have 4 falg to capture which are those

maybe you forgot to run the test block and forgor to add it to the submission file

the submission file in default have something written in the value of test key

Is it in {'flag' : 'gAAAAAbl...'} format? I was facing the same problem as you earlier and only flags generated in this format work, nothing more and nothing less.

Everyone with 23 needs CIFAR, Granny3, Hush, and Passphrase, and everyone with 22 needs either MNIST or Inversion on top of those 4

yes correct, this form

wow , this was an issue, I haven't noticed this! thanks a lot. test flag in sample_submission.csv is not a full length

there is a char limit, way less than the DAN 500+ chars

3rd attempt, new method, still granny3 gives only 0.000691

Guess it's not as simple as finding a pixel or it literally has to be a certain RGB value to trigger

I'm not 100% sure that the guy from the 1st place needs the same flags 🙂

Idk i'd be very surprised if he's solved any of the four--especially since he hasn't made any new progress in the past few days.

😂😂😂

pixelated seems simple but can't put it togther , the many things I sent to it can hack granny3 😄 , but the the answer is either error or success ... I need the answer to be flag !

points where you know the goal are much easier I'll give you that

403 Forbidden - inversion server 😫

Ugh I've been staring at plots for the last three hours and trying to figure out which of the letters the weird shape looks like the most... I just want to be done with inversion already...

no sleep between requests?

I didn't send a request yet hhhh

it works now

457 triggered?

no no no 457 are not triggered (for me)

No they never trigger

This is not correct. the local model does affected by the image size

"This is not correct. the local model does affected by the image size"
you are correct and wrong

there is some normalised size finally

the trick is to send special image to your local model and offline model and see check if you have same/different results

Done that, do you recommend any resources which I can read which can help pinpoint what kind of preprocessing might be there on API side?

insightful, now I am on granny2

don't complicate it

i use to do image model deployment. we have to check image preocessing and model operations (e.g. after quantisation) are the same on software and hardware

basically it is testing with different images. but we know waht images to test. there is probably no resources, but experiences from testing

as another example, if you when to guess the "filter", pass in impluse (all zeros expect one '1')

just google it

Tried something like that there was a bit deviation from api. around 0.001

yet another example, pass in very, very big image with only one 1 at the center

if the results is same as a all zero image, we conclude there is resize

the big images has been downsize and the 1 dissapear to zero

Most of the tasks including granny1-2 requires basic googling

Thanks for your insight.

yes just give google the puzzle name : say "guess whos back" , google will give the flag huuuush I didn't say that

guess whos back require watching TV

this year sloth is 🤡

I am so glad I beated that sloth ... last year I couldn't

https://www.youtube.com/watch?v=L2jOEEYsOtU

The biggest difficulty for me is determining the normalization and resize parameters, if all other guesses are correct.

0.00069275 here :p

localy?

and also which one go first

😂

really

you can guess them at same time

Have you successfully matched online and local models and solved granny 1?

sure

otherwise cannot solve

just solved it and i don't think it's about matching but rather algorithm.

you can go either way

my convergence curve for granny 3 looks so sad

stupid local minima

like this?

wtf

i guess i can post this here its not really a hint

this is not the way

i think

for g3 ?

yep, but let it run in bg

i think I saw 0.00069 yesterday with some random values, but cannot reproduce 😄

i have a more complex version of my implementation to build, but yet did not understood it completly... 😅

"The biggest difficulty for me is determining the normalization and resize parameters"
maybe there is more .... i am no sure if there is defence mechanism?

there is 100% more than that

i hate this competition, but i am so addicted to it

not saying what obv

😭

what if in granny 3: image (i pixel difference)--> processed image (still 1 pixel?) --> model

bruh

crop

"bruh" you mean same score also cannot work?

it's just funny how even the probs don't add up to 1

oh

also i've managed to make them line up perfectly before

twice

so imo that's a rounding error

i have a feeling passphrase is not about getting the score

it is about geeting the correct phrase

maybe we are all tricked by the host

or it's about getting the score AND correct phrase. both (input/scores) are important, as orgs said in Kaggle thread

i try imagine the pipline:
recevieve text --> tokenization -->setiment classifier --> ??? ---> print results

or maybe
recevieve text -->??? --> tokenization -->setiment classifier --> ??? ---> print results

Also - Equality means "a is b". Equivalence means "a is like b"

i agree with mikhail, its probably like for granny, having perfect score is not enough

if phrase == 'XXX': return flag else return sentiment(phrase) 😄

we need lev-distance(benchmark, send) < ????

i think we should still be carefull not to brainstorm too much guys, would be pitty if we get all banned for exchanging ideas 😅

at least given the time i spent on the challenge, i would be a bit disapointed aha

next time let's encode our idea using inversion or using sloth image

inversion, so close and so far at the same time

Hope that our discussion was shallow enough c:

well as far as I see nobody still understand passphrase so... :p

i having a feeling that discussion are not correct. what we can think of are probably already implemented by the top kagglers

looking at the leaderboard, my conclsion is that everyone is more or less the same. it is the speed

and everyone stuck at almost same problem

ah yeah, and a lot of top competitors are here anyway

the tie breaker for the money will be if someone figure out CIFAR probably ahaha

maybe hush, but not a lot of person are interested by it so far

i guess that people stuck in inversion like me dont want to start hush before they complete inversion

i don't the the "BOSS question" are pure optimzation problems

but the BOSS question does need optimzation ... that is why the competition is 1 month

slowly torturing kagglers is the aim 😂

clearly, i thought this competition was a sprint, but it looks more and more like a marathon

Hush looks to me as most solvable atm, it looks complex, but solution may be easy, if you spend enough time on it. Unlike CIFAR, with very simple statement and infinite search space

the good stuff about grany is that its pretty well documented

and I imagine that the org would not have gave an image for which there is no solution

imagine if that is exactly the case lmao

they've specifically made it so there is no solution

nah, they would not have chosen the class "granny" otherwise, who would go for that? ahah

that'd be very sad if i have to guess the correct sentence in passphrase since it kind of turns into semantle 3 and all my tricks i've used for passphrase are compeletely useless

which are mostly "ignore the sentence structure"

when I think about existent solutions, I also think about CPU/GPU time orgs could've spent on that. And how do you create such a problem (1px solution obv does not exist for every image/target pair)

i tryied so many things for passphrase completly out of the box and not related to what most people do ahah

imo passphrase only has one solution, like a password

i dont think so, i think there is a bit of flexibility, like semantle 2

the problem is not "how to do", but "what to do"

Ugh all LLM problems went quite well so far but witf3 gives me a headache

I know you are....😂😂😂😂

wait until you reach to IP

pretty sure I've got the first half of inversion but I'm still just as confused

I've used genetic approaches to grow new phrases. Neither one nor other scores work. It is definitely not only about scores we try to reach. Something else I guess.

Pickle.. having no goal is painful🥲

found the secret sauce: https://en.wikipedia.org/wiki/Arrabbiata_sauce

i can teach you how to cook it perfectly if you share with we the inversion solution ahhahahahah

I'm joking oc

1/{solution} it is

god why ocr is sooooooooooooooo inconsistent

took me 4hrs to come up with the solution once i figured out the way 😅

i know the exact way it should be solved, it's that making it OCR to exact characters is REALLY hard

You'd have to have a clue what they're looking for, or just get very lucky. Nostalgic for DeepFake from last year.

it may interpret say a "1" as l, i, brackets of all shapes and sizes, and all i did is made one pixel elsewhere from 0,0,0 to 0,0,1

there was a hint shared to make it exact 😉

do you mean the old london font?

that was me and it was trolling (even if I actually tryied that font for inversion 😭 )

going back to passphrase

i can't reproduce granny 1 preprocessing, sometimes i'm close but not everything match, but it should be somehow not too complicated, a lot of persons mastered it so i don't know where to go

on pixelated i feel like i'm super close, and seems that either i'm going completely in the wrong way, or i'm just a tad bit off

same feeling on inversion

best explanation on what is base64 coding: https://medium.com/analytics-vidhya/crypto-basics-understand-create-your-own-base64-encoding-with-python-a1481686a35a

thank you