LessWrong developer, rationalist since the Overcoming Bias days. Jargon connoisseur.
jimrandomh
Karma: 22,217
This was caused by a post that appeared in the feed having an image in it with a
localhost:8000URL. I’m not sure how the post came to be in that state; it might have been a bug in the new editor. I edited the post in question to remove the broken image.
(Mod note: This post had an image in it with a “localhost:8000” URL, which failed to load and also caused a permissions prompt in some browsers. I edited the post to delete the broken image; feel free to add it back. It might have been a bug in the new editor, that it was possible to embed an image like that; if so we’ll fix it.)
We did our homework on the browser security model; content in iframes (with sandboxing attributes) shouldn’t be able to get login cookies/etc from the parent page. This is load-bearing for advertisements not stealing everything, so we do expect browsers to treat weaknesses in this as real security issues and fix them. When post HTML is retrieved through the API, you have to do some assembly to put the iframes in, so third party clients can’t be insecurely surprised by it.
As for whether sandboxed frames can crash the outer page or make the outer page slow, eg by doing into an infinite loop or running out of memory, the story is a bit more complicated (depends on browser, browser heuristics, and amount of system RAM); we decided it’s okay as long as it’s limited to an embed in a post crashing its own post page (as opposed to the front page or a link preview).
I (and several others) found switching to sans-serif as a way of marking LLM text didn’t really work as a marker; when I first saw it I mistakenly thought that only the paragraph with the LLM-name on it was LLM-generated, and I find alternate-font text inside of posts uncanny. I jokingly hypothesized that Habryka (its advocate) had serif-synaesthesia and that’s why it worked for him as a marker, and that’s the story of how the serif-synaesthesia test came to be.
I think this is off base, on much deeper grounds than optimizing a few points of interest rate. Namely, it assumes stability and minimal growth prospects, both for your personal income and the world as a whole.
In reality, people make much more money later in their life and later in their career than earlier in their career, and in many cases the growth rate involved is higher than even pretty bad loan terms. And in today’s world, it looks like a singularity or radical economic transformation is particularly imminent. If you “invest 15% of your household income in retirement”, this is probably equally as valuable as setting that money on fire.
To support cross-device syncing, the script currently generates and stores a secret key in abTestOverrides, in a way that shouldn’t affect site functionality
Huh, I never thought of using that field that way but I guess it is the one and only non-public user-editable untyped field on the user object schema, so that makes sense. We aren’t likely to delete this field or data within it in the near term, and will try to remember to shoot an email if it looks like there’s some reason why we’re going to. That said it is kind of a hack, and it does make that field security-sensitive if it wasn’t before, so there is nonzero risk.
A note for the future: We’re experimenting with LW integrations with AI agents—mostly oriented around AIs making API calls directly, rather than using agents to build software tools that invoke the APIs—and as a result some new stuff has been added, and more will be added in the near future. Documentation for the AI-agent-oriented features are at
/api/SKILL.mdand updates to that documentation will appear there. We have a markdown-ified version of the frontend (good for an AI that wants to read markdown but not stable for structured parsing), and some (pre-beta buggy) APIs for letting an AI agent edit posts that you give them access to.
I believe what we are looking at is the outcome of Sam Altman’s scheme.
Over the past week, Pete Hegseth and the DoD has repeatedly said things that were simple misconceptions about what Anthropic asked for, which were plainly contradicted by Anthropic’s contract and Anthropic’s public statements. At the same time, OpenAI was in ongoing talks to take Anthropic’s business.
So, where did the misconceptions come from? Presumably, Altman. He had the positioning, the motive, and a well established history of executing similar political schemes.
Relatedly, two months ago OpenAI became Trump’s top donor with a $25M donation to Trump’s PAC. So, Hegseth and Trump didn’t need to actually believe the lie, they just needed the lie to be good enough for a pretext.
And, I can’t help but notice that Greg Brockman has been set up as a fall guy, here. If we live long enough for a change in administration, and the next administration decides to punish the people who most blatantly paid illegal bribes to Trump, it is Brockman’s name on the headlines about the donation, not Altman’s. But the money came out of the same pot, and it was presumably Altman who chose what those headlines would say.
Many of these features (eg, karma thresholds) are reachable in the UI by picking “Subscribe (RSS/Email)” in the sidebar on the front page. Other features are just emergent properties of how the code is structured that we chose not to block; in particular the view names aren’t an RSS-specific thing but rather are used internally for other parts of the site. The code that runs LW is open source so you can look at the code (or have an AI look at the code) to learn more.
Any RSS subscription that you can get a link to via the site’s UI will be supported indefinitely, but RSS subscriptions generated in other ways could get accidentally broken by future code changes. We won’t break them on purpose, but we don’t consider ourselves obligated to test or monitor them.
Recently, in the case of United States vs Bradley Heppner, Judge Rakoff ruled that a defendant’s conversations with Claude, concerning defense strategy, were not subject to privilege. Having now read the ruling, I believe it is clearly in error, and it is unlikely to be repeated in other courts.
By this, I do not mean that all conversations with AI chatbots are privileged. Rather, I believe that conversations with AI chatbots are likely to be privileged if additional conditions are met, and that the defense claims (and the ruling doesn’t really dispute) a set of conditions under which it should be.
The underlying facts of this case are that a criminal defendant used an AI chatbot (Claude) to prepare documents about defense strategy, which he then sent to his counsel. Those interactions were seized in a search of the defendant’s computers (not from a subpeona of Anthropic). The argument is then about whether those documents are subject to attorney-client privilege. The ruling holds that they are not.
The defense argues that, in this context, using Claude this way was analogous to using an internet-based word processor to prepare a letter to his attorney.
The ruling not only fails to distinguish the case with Claude from the case with a word processor, it appears to hold that, if a search were to find a draft of a letter from a client to his attorney written on paper in the traditional way, then that letter would also not be privileged.
The ruling cites a non-binding case, Shih v Petal Card, which held that communications from a civil plaintiff to her lawyer could be withheld in discovery… and disagrees with its holding (not just with its applicability). So we already have a split, even if the split is not exactly on-point, which makes it much more likely to be reviewed by higher courts.
So I think my current advice, for people in litigation who would benefit greatly from using a chatbot, is that they should make the manner in which they use a chatbot look as much like “using a tool to prepare a letter to an attorney” as possible. In the context of a Claude chat window, that would mean starting the conversation with something that is clearly labelled “draft of a letter which I will send to my attorney” (or if I don’t have one yet, which I will send to an attorney after I hire them).
(That said, this is not only not legal advance, it hasn’t even been reviewed by a chatbot that can’t give legal advice.)
I suspect Glass XE isn’t the hardware I’ll be using in a month; I set it up because I already had one on hand, and the other HMD I ordered (an Even Realities G2) indicated it would take 5 weeks to ship. (Perhaps the other AI agent users bought up all the stock.)
For input, you’re either using audio (in which case airpods paired to a phone is better than the builtin in mic) making it output-only and doing input via phone touchscreen or a bluetooth keyboard paired to a phone, or pairing Glass to a bluetooth keyboard directly. Pairing Glass to bluetooth keyboards should work in XE19.1 but is historically fraught (long story). If getting hardware on the secondary market, try to get HW3 instead of HW2 (HW3 has 2GB RAM, HW2 has 1GB). Consider getting a lens cap for the camera (there are 3d-printer model files floating around); some people react negatively to having an eye-level camera pointed at them if they can’t verify that it isn’t on. For all-the-time use, get two USB power banks and a cable.
Best practice with Openclaw is to run it on segregated hardware, which in practice means either a Mac Mini or a cloud server. (There is nothing special about Mac Minis with respect to Openclaw, people are just using them because they’re good computers.) A Mac Mini has a large advantage over a cloud server for this use case because it has USB ports, and getting to adb happens much sooner in the setup process than getting to ssh.
I’ll probably write more later but that should cover all of the things with lead time.
I don’t think Cursor would’ve stood a chance, for this task. It was almost all command-line wrangling with only a small side-order of actual coding. Lots of “run this command and run other tools while it’s in-progress to figure out why it’s crashing”. One “abort that command because it’s running too slow and try a different command”. Some explicit wait-for-timer-then-recheck steps, including “send a Discord message telling me to auth a tailscale node then poll until it’s authed”. After it got to the stage where it could connect over the network instead of adb and start writing an app, it used command-line tools to take screenshots, download the screenshots, and processed them to check whether it was working. It had extremely long turn lengths. And, it ran commands more risky than I’d be willing to run without approval on my high-side computers, and more numerous than I’d be willing to deal with approving.
(In this context, low-side means the Mac Mini that I let the Openclaw agent fully control control, while high-side means my main laptop, phone, and other devices where I don’t. I decided to make the Glass XE low-side, ie no command approval for stuff it does there, and the project wouldn’t have been feasible otherwise.)
I dug a fossil-version Google Glass XE HW2 out of a drawer, pre-rooted, running an AOSP build that I think has a single-digit number of users worldwide. I connected it to the mac mini’s USB port, and told my Openclaw instance to get it onto tailscale and set it up as a communication channel.
It worked its way through multiple absurd, frustrating technical issues that would absolutely have made me give up if I was the one doing it, with only minimal guidance. Once it had ssh working, it set up an android app. Without me suggesting it do so, it found a way to take screenshots to check its work.
So, I have an AI agent on my face now. I don’t think it’s wise for humanity to be going down this path, especially at this speed, and if humanity gets its act together to pause, I’ll power down my Mac Mini and breathe a sigh of relief. But in the meantime, I’m going to enjoy how cool it is, and stay close enough to the forefront to be properly informed, dammit.
If you go to
/graphiqlthere’s a query-editor with integrated documentation, and the API schema is in the github repo here. The offset limit is because database queries sometimes become extremely slow when given large offsets.We added
beforeandafterdate options toallRecentCommentsso you should now be able to get comments with something like:query { comments(selector:{allRecentComments:{after:"2025-01-30T00:00:00Z", sortBy:"oldest"}}, limit:50) { results { _id postedAt lastEditedAt baseScore extendedScore user { _id displayName } contents { html } } } }
I disagree, but, before I get into the disagreement, I do want to acknowledge and give props for engaging with the actual details of the legislation. Most people don’t.
Meta-level: The ballot proposition is 32 pages and dense in legal and accounting jargon; believing it to be free of any weird traps requires trust that has very much not been earned. I think most people correctly conclude that they aren’t capable of distinguishing a version with gotchas from a version without gotchas, look instead at the political process that produced the document, and conclude that it probably has gotchas. I also wrote this about wealth taxes broadly, and while the California ballot proposition is the one that we happen to now have to look at, the discourse dynamics are not specific to it and largely predate it.
Object-level, by my own read, the California ballot proposition has some pretty major gotchas in it. I don’t think your confidence that it “could not make anybody bankrupt unless their tax lawyer was illiterate and also probably deceased” is justified. In particular, some things I picked out from a (not especially thorough) reading:
Not being able to sell is not a usable defense, in the way you describe it to be, because “unable to sell” and “unwilling to sell” are not legally distinguishable until much further into litigation than anyone wants to get.
The ODA mechanism specifies that in order to use it, you have to give up several of the causes of action that you would want to use to dispute the tax. It also says that the Franchise Tax Board will create a contract, leaving some freedom in what that contract will contain, which likely means giving up additional causes of action.
The ODA mechanism specifies that “A taxpayer may only attach assets or groups of assets to an ODA to the extent that the amount of additional tax that would be owed as a result of Section 50301 (without the use of an ODA) would exceed the sum of the combined value of all of the taxpayers’ assets subject to the valuation rules of paragraph (1) of subdivision (c) of Section 50303.” My my read of paragraph (1) of subdivision (c) of Section 50303, this includes all cash, cash equivalents, and easily tradeable commodities. Which would seem to imply that the ODA mechanism obligates anyone who uses it to sell all covered assets and go to a cash balance of zero, and only allows deferring additional tax after hitting zero; but this doesn’t include any margin for short-term expenses, or for taxes other than the wealth tax such as capital-gains incurred as a result of being forced to sell all assets.
The definition of “Publicly traded asset” in 50308(j) is “an asset that is traded on an exchange; traded on a secondary market in which sales prices for such asset are frequently updated; available on an online or electronic platform that regularly matches buyers and sellers; or any other asset that the Board determines has a value that is readily ascertainable through similar means.” A literal reading of this definition would seem to include cars used as primary transportation.
50302(e) says that “No debt or liability, including recourse debts described in subdivision (a), shall reduce net worth if the debt or liability is owed to a related person or persons; or if the existence or amount of the liability is contingent on future events that are substantially uncertain to occur or that are substantially uncertain to occur within the subsequent five years; or if the debt or liability was not negotiated for at arm’s length.” This would exclude convertible notes, which are a common financial instrument used by startup investors.
Looking at discourse around California’s ballot proposition 25-0024 (a “billionaire tax”), I noticed a pretty big world model mismatch between myself and its proponents, which I haven’t seen properly crystallized. I think proponents of this ballot proposition (and wealth taxes generally) are mistaken about where the pushback is coming from.
The nightmare scenario with a wealth tax is that a government accountant decides you’re richer than you really are, and sends a bill for more-than-all of your money.
The person who is most threatened by this possibility isn’t rich (yet), they’re aspirationally upwardly-mobile middle class. If you look at the trajectories of people-who-made-it, especially in tech and especially in California, those stories very frequently have a few precarious years in them in which their accessible-wealth and their paper-wealth are far out of sync. That happens with startup founders (a company’s “valuation” is an artifact of the last negotiation you had with investors, not something you can sell). And it happens with stock options (companies use these to pay people huge amounts of money, without accidentally triggering an immediate retirement, and without needing to have the money yet). This sets up situations where, if the technicalities work out badly, a “5%” tax can make you literally bankrupt.
When people talk about “fewer businesses being created”, this is why. If I were a billionaire, and I lost 5% of it to tax, I wouldn’t care. If I were following a precarious, low-probability path towards becoming a billionaire, and I thought California would spring a kafkatrap to destroy me as soon as I got close, I would either not try, or not try in California.
In a different state, this might not be a credible fear. But California is a state that is famous for its kafkatraps, and for refusing to ever back down from the kafkatraps it’s built.
No, that’s not a working mechanism; it isn’t reliable enough, or granular enough. Users can’t add their own content to robots.txt when they submit it to websites. Websites can’t realistically list every opted-out post in their robots.txt, because that would make it impractically large. It is very common to want to refuse content for LLM training, without also refusing search or cross-site link preview. And robots.txt is never preserved when content is mirrored.
The vibe I get, from the studies described, is reminiscent of the pre-guinea-pig portion of the story of Scott and Scurvy. That is, there are just enough complications at the edges to turn everything into a terrible muddle. In the case of scurvy, the complications were that which foods had vitamin C didn’t map cleanly to their ontology of food, and vitamin C was sensitive to details of how foods were stored that they didn’t pay attention to. In the case of virus transmissibility, there are a bunch of complications that we know matter sometimes, which the studies mostly fail to track, eg:
Sunlight can be a disinfectant, so, whether a surface or the air of a room can transmit a virus might depend on whether it has windows, which way the windows face and what time of day the testing was performed.
Cold viruses are widespread enough to have widespread immunity from prior exposure. Immunity might not generalize between exposure methods; ie, maybe it’s possible to be immune to low-quantity exposure but not high-quantity exposure, or immunity on nasal mucus but not deep lung, etc.
There are a huge number of viruses that are all referred to as “common cold”, with little in common biologically other than sharing an evolutionary niche.
Because immunity fades over time, there might be an auction-like dynamic where cutting off one mode of transmission still leaves you with recurring infections, just at a longer interval
I think that ultimately viruses are a low-GDP problem; after a few doublings we’ll stop breathing unfiltered air, and stop touching surfaces that lack automated cleaning, and we’ll come to think of these things as being in the same category as basic plumbing.
What they don’t do is filter out every web page that has the canary string. Since people put them on random web pages (like this one), which was not their intended use, they get into the training data.
If that is true, that’s a scandal and a lawsuit waiting to happen. The intent of including a canary string is clear, and those canary strings are one of very few mechanism authors have to refuse permission to use their work in training sets. In most cases, they will have done that for a reason, even if that reason isn’t related to benchmarking.
While LW is generally happy to have our public content included in training sets (we do want LLMs to be able to contribute to alignment research after all), that does not extend to posts or comments that contain canary strings, or replies to posts or comments that contain canary strings.
Canary strings are tricky; LLMs can learn them even if documents that contain the canary string are filtered out of the training set, if documents that contain indirect or transformed versions of the canary string are not filtered. For example, there are probably documents and web pages that discuss the canary string but don’t want to invoke it, which split the string into pieces, ROT-13 or base64 encode it, etc.
This doesn’t mean that they didn’t train on benchmarks, but it does offer a possible alternative explanation. In the future, labs that don’t want people to think they trained on benchmark data should probably include filters that look for transformed/indirect canary strings, in addition to the literal string.
I think that you’re experiencing an illusion of transparency here, because you designed it and because you have (figurative) serif-synaesthesia. It took me a lot longer than that to figure it out, and I think the feedback has been close to unanimous that this design doesn’t work well.