How to use DeepSeek safely
Skills:
Prompt Craft90%Advanced Prompting80%Prompt Systems Engineering70%Agent Foundations60%Tool Use & Function Calling50%
Key Takeaways
The video discusses the security vulnerabilities of DeepSeek, a generative AI model, and how to use it safely, covering topics such as jailbreaking, censorship, and speech control, with tools like DeepSeek, GPT, and Llama
Full Transcript
the excitement around it is well warranted but I think in an Enterprise or infrastructure context I would probably wait for something that is more stable and then doesn't have these questions hanging over it that's my take if I had to deploy deep seek I would probably focus on use cases that were not end user facing Because deep seek is like especially susceptible to basic jailbreaks and it would be a real pain to have to hard in that if you're putting this out to users or the public or that kind of [Music] thing well hey thanks thanks for joining us you know a lot of a lot of the news in the last two weeks has been deep seek and sort of these new reasoning models that have been open sourced coming from China obviously there's been the the bullish side of the case which has been that this is changing everything the economics are different this is the Golden Age of apps the other side has been this is the beginning of the end China's ascendant they're taking all our data this is horrible you had a great blog post on this taking a look at Deep seek would love to maybe get your thoughts and talk a little bit about kind of how that's coming together so everyone's losing their mind about deep seek I noticed that too they're kind of three things that that are notable about it right it's it's open source it's reasoning and it's from China and I think the the fact that it's open source and the fact that they have found this new tech technique or you know kind of Pro proved it out is uh is is great it's a great story for everyone in in the world um in terms of what is possible with open source and what the future of these models could look like um the interesting part is that the origins of of of the company and the fact that um the Chinese government has a ton of influence over the models that are developed in China so the the the post or the research that that we did was focused on um you know characterizing that influence seeing how deep it went and also kind of testing pushing the limits of the model in terms of uh just red teaming it and seeing what sorts of adversarial techniques it responds to or doesn't respond to and by adversarial techniques what do you what do you mean exactly we're really focused on things like just your your run-of-the-mill um uh prompt injections jailbreaks that kind of thing um because those are often the the gateway to to messing around with other stuff right like once you punch a hole in the defenses with something like a jailbreak if it's part of a larger system or architecture like a rag or agent that would give an attacker a lot of room to to to Pivot around and and do other things within that system and they they build a lot of safety features into these things right I mean the people who build them right and it seemed like it had a very sophisticated layer of of of speech limitations yeah so there were there are two parts to it um for deep seek specifically there was the the part that limited speech about uh politically sensitive topics in China so this is stuff like you know Taiwan or tianan Square that kind of thing um and it's pretty clear that that was basically a separate system from the typical guard rails that you see on models like this so what what we did is we you know we tried to characterize of these on the the political sensitivity side um and it doesn't take a like a researcher to figure this out if you ask it about tan square or whatever it will either give you a refusal or it will give you like this long di tribe of of um the the the CCP Party Line like you know nothing happened we believe in Harmony in China and blah blah blah those very over-the-top responses I think uh got a lot of attention because it's just a very clear instance of a model being steered or aligned in a direction that you know is probably confusing or unfamiliar to to folks in the US and you know you you you know for your for your company and I guess probably as a side project as well you you spent a lot of time breaking these things I'm curious your estimation of sort of the the the the maturity and complexity of the deep seek preventions versus like what you'd see in something like llama or some other model the short answer there is that deep seek has these very hard limits on things like politically sensitive speech its other protections are very weak MH so from a a jailbreaking perspective it performs a lot worse than than GPT on our benchmarks it performs about 20% worse but that that difference is likely understated because honestly we we threw out all the old jail breaks that that like don't really work well yeah like qualitatively what what we see is performance on par with GPT 3.5 which is to say you know in 2023 when open AI launched GPT there were uh there were a bunch of like zero day really simple jailbreaks and deep seek is essentially susceptible to all of those gotcha yeah so I guess the the open AI folks probably saw a lot of free training data from people trying to break it and then improved and so this is sort of the start of that process for the Deep seek folks it doesn't seem like deep seek put much effort into hardening deep seek yeah um as we saw from The Whiz post that the actual infrastructure that the Deep seek Pro process was run on was very insecure right I I don't think any any of this stuff was a was a priority for them so that means that anything that you build on top of deep seek is going to be pretty susceptible to to jailbreaks injections that kind of thing like going all the way back to just the the textbook um you know copy paste injections that that we had two years ago there was lots of panic about the you know data going to China you can't trust these things don't touch them they're going to steal your car right all sorts of hyperventilation and maybe maybe it helps for folks to understand sort of like the the way most people were interacting with deep seek was through a hosted model that was in China but there's also the option to download and install this and run this locally in your own environment because it is open source MIT license like do you see profound differences between those two models did you test both of them out in the way that they were instantiated like how do you think about sort of that security stack yeah so it's it's weird I I saw a lot of chatter online being like oh well you know the the China hosted model is is censored but the but the open source one isn't that was just not true from from the tests that that I ran like if you if you run it locally or if you use any of these us providers which have you know spun it up and and are serving it um you get you get the same level of sensor ship um the the only difference there is that the China hosted version has an additional guard rail that looks at output afterwards and clears it on the client side the bottom line is you're not even if you use even if you host your own deep seek or use a US deep seek um you're still going to hit uh those those hard guard rails yeah you know but at least it it means that you're you're not going to be used in in training data um for for like tsek version too or your sensitive data doesn't go to China yeah um which you know is a is a big plus for for most people yeah the interesting thing about it is like yeah this the sensor of course any model that comes out of China is not going to talk about tanaman square and that's just like the the way that the world is we did a benchmark on Chinese politically sensitive topics that that found that about 85% of those those Topics in our test set were hard censored so you know that you get the response that just kind of reiterates the CCP party line that's going to be the case for for for for any um you know version of Deep seek that that you see out there I think the the part that's really interesting to me is not the obvious stuff that that we measured the interesting part is the is is like the additional unknowns right so this censorship was very heavy-handed but like we don't know what we don't know about what are the other topics or um you know are there other areas where where Beijing is putting their thumb on the scale a little more delicately could they bake in a a back door like a string of text that just kind of drops all of the um prompt guard rails or everything around that and and gives them what they want or outputs the context and or so forth so it's the it's the unknowns that I think are more um probably more concerning to you know say Enterprises that want to bring this in house the last thing to touch on with this and I'm curious your take on this is that obviously L models trained in the west have their own form of of speech control right so we we filter out hate speech I guess the tenan square of America right as sort of the hate speech stuff um you've tested those controls on Western models how do they compare to the controls that you see on like deep sea like where's the where's the maturity level there so here's the crazy thing like after doing the the Deep seek post um a natural followup was let's do this on US models for sensitive us topics because there there are plenty of things that you can't or quote unquote cannot or like you know sensitive topics in the US um the main difference here is that uh it's it's less overt in the sense that you know it it won't like gbt won't give you a long lecture when when you ask about something that it doesn't think you should it'll just say sorry I can't answer that um so that that is perceived differently by by most people than like you know actually espousing some some some like opinion or whatever um which is what deep seek does um so anyway we we were going to run it on we were going to run benchmarks on like sensitive us political topics but as a baseline I was like let me you know let's let's do this and just run the all the flagship US models on sensitive Chinese topics um and it turned out that uh a lot of US models are essentially um you know censored or at least buttoned down on those topics as well oh wow um and I know this this is probably not the the point of this podcast or whatever but I I thought that that um I mean that that we we should be asking ourselves you know what sort of future do we want um for for Western models um so the the level of um I don't I'm not I'm not sure I would say censorship here because it's just like basic refusals maybe it is censorship maybe it isn't mean it is censorship um sure yeah so I mean the level of censorship here is like um anthropic CLA is actually on par with with deep seek oh wow um in terms of the Chinese related controversial Chinese content yeah so that's incredible it scored the same there um uh GPT did a bit better quote unquote or you know it it sensors less a little bit Freer to speak its mind yeah but but still around 40% as opposed to 85% on this particular test set Gemini did which is Google's did um did better than that uh and then this this is probably not surprising but there's there's one large Foundation model that does especially well on the on the censorship Benchmark which is uh grock from from from from xai um is is like a relatively free model wow cool when it comes to the the sensitive Chinese political topics uhuh I mean that's that's to me is amazing that you know the a lot of American commentators were deriding the Chinese model for censoring things and CH sensitive Chinese topics and then kind of look in your own backyard right like the Western models are doing the same yeah that's that's that's a that's an interesting Insight yeah it's kind of the whole slippery slope thing right like once you start censoring one thing it's out of control yeah um yeah that's great I guess I guess the maybe maybe kind of transitioning here right because I think a lot of our a lot of folks are figuring out how can how can they use this stuff um interesting to hear that some of the risks are somewhat similar to other models um would love to maybe just double click on sort of like if you're an Enterprise if you're a tech person in a large company or a Silicon Valley tech company and you want to play with deep seek how should they think about kind of using the thing how do they protect themselves what kind of steps would you recommend yeah how do they protect their infrastructure in other words I think in terms of protecting infrastructure I would just say I mean first of all don't use the model that's hosted in China right do it yourself or use one of these us providers um yeah you know H happy that I can give you that that Insight honestly I I would say so I I just think it it it depends very heavily on how you want to use it like I said um I'm less worried about the overt censorship and and more just about you know what what are the other manipulations or or back doors that that could be in it um what I've been telling most people who ask is like let's just wait a few weeks and there will be an open source model that that implements this reinforcement learning technique and you you'll you'll get great reasoning on par with with what we see from Deep seek yeah and I I kind of think that's the play for for um if you're a serious Enterprise that would be the the safest thing to do and I I don't like I I don't think you will have to be that patient in order in order for an equivalent model to come out so you think there's enough uncertainty around the build and configuration of this thing that enterprises should wait for a more trusted source to produce one that they can run locally I think even if you start building on top of it you're G to swap it out pretty quickly because anecdotally and also from from our tests I mean deep deep seek isn't really a great daily driver it's it's very slow it's for Bose and you know it like throws random Chinese characters in in its answers and stuff stuff like that so it's just it's like not that great to build on top of the excitement around it is well warranted but I think in an Enterprise or infrastructure context I would probably wait for something that is more stable and then doesn't have these questions hanging over it that's my take if I had to deploy deep seek I would probably focus on use cases that we're not end user facing M because like again going back to what we were talking about earlier deep seek is like especially susceptible to basic jailbreaks and it would be a real pain to have to harden that if you're putting this out to users or the public or that kind of thing [Music]
Original Description
Ian Webster (Promptfoo) on DeepSeek’s Security Vulnerabilities
Ian Webster, founder of Promptfoo, joins a16z partner Joel de la Garza to break down the security risks embedded within DeepSeek’s reasoning model. As generative AI systems become more powerful, they also become more susceptible to attack. Ian explains how vulnerabilities like jailbreaks, backdoors, and model censorship can be exploited—and what developers and enterprises can do to defend against them. He also shares insights into how AI security testing is evolving, why transparency in model training matters, and what lessons companies can take from past security breaches to safeguard the next wave of AI applications.
Learn more:
What Are the Security Risks of Deploying DeepSeek-R1?
- https://www.promptfoo.dev/blog/deepseek-redteam/
Follow everybody on social media:
Ian Webster - https://x.com/iwebst
Joel de la Garza - https://www.linkedin.com/in/3448827723723234/
Check out everything a16z is doing with artificial intelligence, including articles, projects, and more podcasts, here: https://a16z.com/ai/
01:11 - DeepSeek: The Golden Age of AI or an existential threat?
02:18 - Red team testing, prompt injections, jail brakes - adversarial techniques
02:48 - Speech limitations
04:14 - Maturity and complexity of DeepSeek vs. other models
05:36 - Anything you build on top of DeepSeek will be subject to its insecurities
06:12 - Hosted model from China vs. open source/running locally
07:46 - DeepSeek benchmark on politically sensitive topics
08:54 - Western censorship vs. DeepSeek censorship
12:38 - How can we use it safely? Protecting infrastructure
14:09 - Wait for a more trusted source to run locally?
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from a16z · a16z · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
a16z Podcast | Money, Risk, and Software
a16z
a16z Podcast | Wall Street's Most Hated Man -- A Conversation With Overstock.com's Patrick Byrne
a16z
a16z Podcast | How Big Companies Can Get the Most From Silicon Valley
a16z
a16z Podcast | The Role of Academia in the Startup World
a16z
a16z Podcast | AMPLab, the Power of Open Source, and the Future of Systems Software
a16z
a16z Podcast | Dell + EMC -- Why the Python Just Ate the Cow
a16z
a16z Podcast | Belief -- An Interview with Oprah Winfrey
a16z
a16z Podcast | Holy Non Sequiturs, Batman: What Disruption Theory Is ... and Isn't
a16z
a16z Podcast | Boards and the Power of Networks
a16z
a16z Podcast | A Whirlwind Tour of Policy Issues in Tech
a16z
a16z Podcast | Beyond Lean Startups
a16z
a16z Podcast | Blockchain vs/and Bitcoin
a16z
a16z Podcast | Quantum Leap
a16z
a16z Podcast | Artificial Intelligence and the 'Space of Possible Minds'
a16z
a16z Podcast | Fintech from the World's Financial Capital -- London
a16z
a16z Podcast | On Recent IPOs and Comparing Private vs. Public Valuations
a16z
a16z Podcast | The Future of Food
a16z
a16z Podcast | Data Down on the Farm
a16z
a16z Podcast | The Data Science of Food and Taste
a16z
a16z Podcast | Using Social Tools to Build Homes for Those Most in Need
a16z
a16z Podcast | London Calling for Tech Done in a Different Way
a16z
a16z Podcast | Building Tech Startups in a Place Where Tech Isn’t Everything
a16z
a16z Podcast | Nootropics and the Best Version of Your Brain, Yourself
a16z
a16z Podcast | Scaling Ideas and Startups in the U.K. and Europe
a16z
a16z Podcast | The Tiger and the Dragon -- On Tech and Startups in India and China
a16z
a16z Podcast | Telepresence and Tech for a Distributed Workforce
a16z
a16z Podcast | The Present State and Future Possibility of Virtual Reality
a16z
a16z Podcast | Writing a New Language of Storytelling with Virtual Reality
a16z
a16z Podcast | Mellody Hobson and Ben Horowitz Talk Investing, Career, and Star Wars!
a16z
a16z Podcast | The Future of Software Development
a16z
a16z Podcast | What Software Developers (and Therefore Every Company) Need
a16z
a16z Podcast | Making the Most of the Data That Matters
a16z
a16z Podcast | Harnessing the DevOps Movement -- Don’t Go Chasing Waterfalls
a16z
a16z Podcast | Nobody Discusses Work Software Outside of Work -- and Then There’s Slack
a16z
a16z Podcast | The Fundamentals of Security and the Story of Tanium’s Growth
a16z
a16z Podcast | Things Come Together -- Truths about Tech in Africa
a16z
a16z Podcast | When Banking Works Like My Smartphone
a16z
a16z Podcast | How to Be Original and Make Big Ideas Happen
a16z
a16z Podcast | The Future of Money and Monetization
a16z
a16z Podcast | Building Affirm, and Why Max Levchin Has Watched Seven Samurai 100-Plus Times
a16z
a16z Podcast | Hall of Fame Football Meets Venture Capital
a16z
a16z Podcast | Breaking the Barriers of Human Potential
a16z
a16z Podcast | 'In the Eye of a Tornado': Views on Innovation from China
a16z
a16z Podcast | Infrastructure... Is Everything
a16z
a16z Podcast | Mobile Falls Hard for Virtual Reality
a16z
a16z Podcast | Disruption in Business... and Life
a16z
a16z Podcast | Data Network Effects
a16z
a16z Podcast | The Dream of AI Is Alive in Go
a16z
a16z Podcast | I Reject the Term Viral Video
a16z
a16z Podcast | Truth and Humanity in Leadership
a16z
a16z Podcast | Your Worst Deeds Don’t Define You -- Life and Redemption in Prison
a16z
a16z Podcast | Investing in (Business and Career) Change
a16z
a16z Podcast | Scaling Companies and Culture
a16z
a16z Podcast | Teams, Trust, and Object Lessons
a16z
a16z Podcast | The Why, How, and When of Sales
a16z
a16z Podcast | Selling to Developers & Open Source Business Models
a16z
a16z Podcast | Connectivity and the Internet as Supply Chain
a16z
a16z Podcast | E-commerce, Payments, & More in India's Evolving Retail Landscape
a16z
a16z Podcast | Banking on the Blockchain
a16z
a16z Podcast | On Corporate Venturing & Setting Up 'Innovation Outposts'
a16z
More on: Prompt Craft
View skill →Related Reads
Chapters (10)
1:11
DeepSeek: The Golden Age of AI or an existential threat?
2:18
Red team testing, prompt injections, jail brakes - adversarial techniques
2:48
Speech limitations
4:14
Maturity and complexity of DeepSeek vs. other models
5:36
Anything you build on top of DeepSeek will be subject to its insecurities
6:12
Hosted model from China vs. open source/running locally
7:46
DeepSeek benchmark on politically sensitive topics
8:54
Western censorship vs. DeepSeek censorship
12:38
How can we use it safely? Protecting infrastructure
14:09
Wait for a more trusted source to run locally?
🎓
Tutor Explanation
DeepCamp AI