Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Ouch; License: EUROPEAN UNION, UNITED KINGDOM AND SOUTH KOREA

  TENCENT HUNYUAN 3D 2.0 COMMUNITY LICENSE AGREEMENT
  Tencent Hunyuan 3D 2.0 Release Date: January 21, 2025
  THIS LICENSE AGREEMENT DOES NOT APPLY IN THE EUROPEAN UNION, UNITED KINGDOM AND SOUTH KOREA AND IS EXPRESSLY LIMITED TO THE TERRITORY, AS DEFINED BELOW.
https://github.com/Tencent/Hunyuan3D-2?tab=License-1-ov-file


I assume it's safe to ignore as model weights aren't copyrightable, probably.


you dont know what kind of backdoors are hidden in the model weights


Can you elaborate on how any sort of backdoor could be hidden in the model weights?

It's a technical possibility to hide something in the code, but that would be a bit silly since there's not that much of it here. It's not technically possible to hide a backdoor in a set of numbers that are solely used as the operands to trivial mathematical operations, so I'm very curious about what sort of hidden backdoor you think is here.


When you run their demo locally, there are two places that trigger a warning that the code loads the weights unsafely. To learn more about this issue, search "pytorch model load safety issues" on Google.


I'm sure there's warnings about possibly loading code alongside the weights since they distribute the weights as pickled data, but:

1. It's trivial to go look at what's being loaded.

2. Any code that's in the distributed pickled data is not weights. The GP suggests that there are backdoors hidden in the weights which is nonsensical unless the code runs eval on the weights or something similar, which would make anyone looking at the code immediately realise it was doing something dodgy.

As an example of (1), here's all the GLOBALs in the pickled code:

    GLOBAL     'collections OrderedDict'
    GLOBAL     'torch HalfStorage'
    GLOBAL     'torch._utils _rebuild_tensor_v2'
None of these could be used for anything malicious as far as I know.


I'm trying to think of what kind of adversarial 3D model the weights could produce. Perhaps a 3D goatse?


I mean... you can just firewall it?


you dont know which prompt activates the backdoor, how can you firewall it if you run the model in production?


3d asset generation is a use case that for most doesn’t need to run in production


"In production" in this case is a stand-in for "in any environment with access to sensitive stuff" which might just include GPUs, if what the attacker wanted was crypto processing grunt. Besides, if you're providing 3D asset generation as a service (which I can imagine most deployments of this sort of thing will be, at least for now) then it absolutely is running in production. The purpose of that production environment is entirely to run asset generation.


Simply sanatieze the model outputs, which is the only thing that would escape running it in complete isolation.


Your concern is reasonable.

According to DOD, Tencent - which published this model - is a Chinese military company

https://www.bbc.com/news/articles/c9q78wn9g8zo


Is this tied to EU regulations around AI models?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: