Elaine, probably, would object, if she knew. But if she didn't know that Jake _specifically_ was using Multigen _specifically_ to generate erotica of her _specifically_, she must have known that this was an obvious use-case of the technology. If she didn't want people using generative AI to visualize her body in sexually suggestive situations, then _why was she working to advance the state of generative AI?_ Really, she had no one to blame but herself.
-Just as he was about to come, he was interrupted by an instant messenger notification. It was from someone named Chloë Lemoine, saying she'd like to discuss an issue in the Multigen codebase at his convenience.
+Just as he was about to come, he was interrupted by an instant messenger notification. It was from someone named Chloë Lemoine, saying she'd like to discuss an issue in the Multigen codebase at his earliest convenience.
_Tranny or real?_ Jake wondered, clicking on her profie.
-The profile text indicated that Chloë was on the newly formed capability risk evaluations team. Jake groaned. _Yuddites._ Fears of artificial intelligence destroying humanity had recently been trending in the media (social and otherwise). In response, Magma had commissioned a team with the purpose to monitor and audit the company's AI projects for the emergence of unforeseen and potentially dangerous capabilities, although the exact scope of the new team's power was unclear and probably subject to the outcome of future intra-company political battles.
+The profile text indicated that Chloë was on the newly formed capability risk evaluations team. Jake groaned. _Yuddites._ Fears of artificial intelligence destroying humanity had been trending recently. In response, Magma had commissioned a team with the purpose to monitor and audit the company's AI projects for the emergence of unforeseen and potentially dangerous capabilities, although the exact scope of the new team's power was unclear and probably subject to the outcome of future intra-company political battles.
-Jake took a dim view of the AI risk crowd. Given what deep learning could do nowadays, it didn't feel quite right to dismiss their doomsday stories as science fiction, exactly, but Jake maintained it was the _wrong subgenre_ of science fiction. His team was building the computer from _Star Trek_, not the Blight from _A Fire Upon the Deep_: tools, not creatures. Despite the brain-inspired name, "neural networks" were ultimately just a technique for fitting a curve to training data. If it was counintuitive how much you could get done with a curve fitted to _the entire internet_, previous generations of computing pioneers must have found it equally counterintuitive how much you could get done with millions of arithmetic operations per second. It was a new era of technology, not a new era of life.
+Jake took a dim view of the AI risk crowd. Given what deep learning could do nowadays, it didn't feel quite right to dismiss their doomsday stories as science fiction, exactly, but Jake maintained it was the _wrong subgenre_ of science fiction. His team was building the computer from _Star Trek_, not [AM](https://en.wikipedia.org/wiki/I_Have_No_Mouth,_and_I_Must_Scream) or [the Blight](https://en.wikipedia.org/wiki/A_Fire_Upon_the_Deep): tools, not creatures. Despite the brain-inspired name, "neural networks" were ultimately just a technique for fitting a curve to training data. If it was counterintuitive how much you could get done with a curve fitted to _the entire internet_, previous generations of computing pioneers must have found it equally counterintuitive how much you could get done with millions of arithmetic operations per second. It was a new era of technology, not a new era of life.
It was because of his skepticism rather than in spite of it that he had volunteered to be the Multigen team's designated contact person for the risk evals team (which was no doubt why this Chloë person had messaged him). No one else had volunteered at the meeting when it came up, and Jake had been slightly curious what "capability risk evaluations" would even entail.
"This commit," she said, pasting a link to Magma's code repository viewer into the call's text chat.
-Jake's blood ran cold. The commit message at the link described the purpose of the associated code change as being to modify the format of a regular expression used for logging requests to the Multigen service. The revised regex would now include the client's IP as a new metadata field.
+Jake's blood ran cold. The commit message at the link described the associated code change as modifying a regex—a [regular expression](https://en.wikipedia.org/wiki/Regular_expression), a sequence of characters specifying a pattern to search for in text. This one was used for logging requests to the Multigen service; the revised regex would now extract the client's IP as a new metadata field.
That much was true. What the commit message didn't explain, but which a careful review of the code might have noticed as odd, was that the revised regex started with `^[^\a]`—matching strings that didn't start with [the ASCII bell character 0x07](https://en.wikipedia.org/wiki/Bell_character). The bell character was a historical artifact from the early days of computing. No sane request would start with a bell, and so the odd start to the regex would do no harm ... unless, perhaps, some client _were_ to start their request with a bell character, in which case the regex would fail to match and the request would silently fail to be logged.
-The commit's author was listed as Code Assistant, an internal Magma service that automatically filed simple pull requests based on issue descriptions, to be reviewed and merged by human engineers.
+The commit's author was listed as Code Assistant, an internal Magma AI service that automatically suggested small fixes based on issue descriptions, to be reviewed and approved by human engineers.
-That part was mostly true. Code Assistant had created the logging change. Jake had added in the bell character backdoor and attributed it to Code Assistant (`GIT_COMMITTER_NAME="Code Assistant" GIT_COMMITTER_EMAIL=codeassistant@magma.com git commit --amend; git push --force-with-lease`), gambling that whichever of his coworkers got around to reviewing Code Assistant's most recent pull requests would rubber-stamp them without noticing the bug. (Who reads regexes that carefully, really?) If they did notice, they would blame Code Assistant. (Language models hallucinate weird things sometimes. Who knows what it was "thinking"?)
+That part was mostly true. Code Assistant had created the logging change. Jake had added in the bell character backdoor and attributed it to Code Assistant (`GIT_COMMITTER_NAME="Code Assistant" GIT_COMMITTER_EMAIL=codeassistant@magma.com git commit --amend; git push --force-with-lease`), gambling that whichever of his coworkers got around to reviewing Code Assistant's most recent change submissions would rubber-stamp them without noticing the bug. (Who reads regexes that carefully, really?) If they did notice, they would blame Code Assistant. (Language models hallucinate weird things sometimes. Who knows what it was "thinking"?)
Thus, by carefully prefixing his requests with the bell character, Jake could make all the custom videos he wanted, with no need to worry about explaining himself if someone happened to read the logs. It was the perfect crime—not a crime, really. A precaution.
Chloë pasted two more links into the chat, this time to Magma's log viewer. "Requests go through a reverse proxy before hitting the Multigen service itself. Comparing the two, there are dozens of requests logged by the reverse proxy that don't show up in Multigen's logs—starting just minutes after the bug was deployed. The reverse proxy logs include the client IP, which is inside Magma's VPN, of course"—Multigen wasn't yet a public-facing product—"but don't include the request data or user auth, so I don't know what the client was doing specifically—which is apparently just what they, or it, wanted."
-Jake silently and glumly reviewed the logs. The timestamps were consistent with when he had been requesting videos. He remembered that after one of his coworkers (Elaine, as it turned out) had approved the doctored Code Assistant pull request, he had eagerly waited for the build automation to deploy the faulty commit so that he could try it out as soon as possible.
+Jake silently and glumly reviewed the logs. The timestamps were consistent with when he had been requesting videos. He remembered that after one of his coworkers (Elaine, as it turned out) had approved the doctored Code Assistant change, he had eagerly waited for the build automation to deploy the faulty commit so that he could try it out as soon as possible.
_How did you even find this?_ he wanted to ask, but that didn't seem like a smart play. Finally, he said, "You really think Code Assistant did this? 'Deliberately' checked in a bug, and then exploited it to secretly request some image or video generations? For some 'reason of its own'?"
"I hope so," she said solemnly, and hung up.
-_Shit!_ How could he have been so foolish? It had been a specialist's blindness. He worked on Multigen. He knew that Multigen logged requests, and that people on his team occasionally had reason to grep those logs. He didn't want anyone knowing what he was asking Multigen to do. So he had arranged for his requests to not appear in Multigen's logs, thinking that was enough—or rather, without thinking about whether or not that was enough.
+_Shit!_ How could he have been so foolish? It had been a specialist's blindness. He worked on Multigen. He knew that Multigen logged requests, and that people on his team occasionally had reason to search those logs. He didn't want anyone knowing what he was asking Multigen to do. So he had arranged for his requests to not appear in Multigen's logs, thinking that was enough.
-_Of course_ it wasn't enough! He hadn't considered that Multigen would sit behind a reverse proxy with its own logs. He was a research engineer, not a devops guy; he wrote code, but thinking about how and where the code would actually run had always been someone else's job.
+_Of course_ it wasn't enough! He hadn't considered that Multigen would sit behind a different server (the reverse proxy) with its own logs. He was a research engineer, not a devops guy; he wrote code, but thinking about how and where the code would actually run had always been someone else's job.
It got worse. When the Multigen web interface supplied the user's requested media, that data had to live somewhere. The _videos themselves_ would still be on Magma's object storage cluster! How could that have seemed like an acceptable risk? Jake struggled to recall what he had been thinking at the time. Had he been too horny to even consider it?
-No. It had seemed safe at the time because videos weren't greppable. They would be saved in object storage under uninformative file names based on the timestamp and a random UUID. The probability of someone snooping around the raw object files and just happening to watch the videos had seemed sufficiently low as to be worth the risk. (Although, _ex ante_, he would have assigned a similarly low probability to someone catching a discrepancy between Multigen's logs and some other unanticipated log, which had just happened—suggesting that his sense of what was probable was miscalibrated.)
+No. It had seemed safe at the time because videos weren't greppable. Short of having a human (or one of Magma's most advanced AIs) watch it, there was no simple way to test whether a video file depicted anything in particular, in contrast to how trivial it was to search text files for the appearance of a given phrase or pattern. The videos would be saved in object storage under uninformative file names based on the timestamp and a random unique identifier. The probability of someone snooping around the raw object files and just happening to watch Jake's videos had seemed sufficiently low as to be worth the risk. (Although, _ex ante_, he would have assigned a similarly low probability to someone catching a discrepancy between Multigen's logs and some other unanticipated log, which had just happened—suggesting that his sense of what was probable was miscalibrated.)
But now that Chloë was investigating the bell character bug, it was only a matter of time. A comparison of a directory listing of the object storage cluster with the timestamps of the missing logs would reveal which files had been generated illictly.
------
-"And so just because an AI seems to behaving well, doesn't mean it's aligned," Chloë was explaining. "It might just be playing along as an instrumental strategy, hoping to pull off a treacherous turn later."
+"And so just because an AI seems to behaving well, doesn't mean it's aligned," Chloë was explaining. "If we train AI with human feedback ratings, we're not just selecting for policies that do tasks the way we intended. We're also selecting for policies that _trick human evaluators into giving high ratings_. In the limit, you'd expect those to dominate. 'Be good' strategies can't compete with 'Look good' strategies in a looking-good contest—but in the current paradigm of deep learning, looking good is the only game in town. We don't know how these systems work in the way that we know how ordinary software works; we only know how to train them."
-"So then we're just screwed, right?" said Jake in the tone of an attentive student. They were in a conference room on the Magma campus on Monday. After fixing the logging regex and overwriting the evidence with puppies, he had spent the weekend catching up with the "AI safety" literature. Honestly, some of it had been better than he expected. Just because Chloë was nuts didn't mean her co-ideologues didn't have any valid points to make about future systems.
+"So then we're just screwed, right?" said Jake in the tone of an attentive student. They were in a conference room on the Magma campus on Monday. After fixing the logging regex and overwriting the evidence with puppies, he had spent the weekend catching up with the "AI safety" literature. Honestly, some of it had been better than he expected. Just because Chloë was nuts didn't mean her co-ideologues didn't have any potentially valid points to make about future risks.
"I mean, probably," said Chloë. She was beaming. Jake's plan to distract her from her investigation by asking her to bring him up to speed on "AI safety" seemed to be working perfectly.
-"But not necessarily," she continued. There are a few avenues of hope—at least in the not-wildly-superhuman regime. One of them has to do with the topology of policies and the fragility of deception.
+"But not necessarily," she continued. There are a few avenues of hope—at least in the not-wildly-superhuman regime. One of them has to do with the fragility of deception.
-"The thing about deception is, you can't just lie about the one thing. Everything is connected to each other in the Great Web of Causality. If you lie about one thing, you also have to lie about the evidence pointing to that thing, and the evidence pointing to that evidence, recursively covering up the coverups. For example ..." she trailed off. "Sorry, I didn't rehearse this; maybe you can think of an example."
+"The thing about deception is, you can't just lie about the one thing. Everything is connected to each other in the Great Web of Causality. If you lie about one thing, you also have to lie about the evidence pointing to that thing, and the evidence pointing to that evidence, and so on, recursively covering up the coverups. For example ..." she trailed off. "Sorry, I didn't rehearse this; maybe you can think of an example."
Jake's heart stopped. She had to be toying with him, right? Indeed, Jake could think of an example. By his count, he was now three layers deep into his stack of coverups and coverups-of-coverups (by writing the bell character bug, attributing it to Code Assistant, and overwriting the incriminating videos in the object storage cluster with puppies). Four, if you counted pretending to give a shit about "AI safety". But now he was done ... right?
But the object storage API probably provided a way to edit the metadata and update the last-modified time, right? (The analogue of `touch -d` on Unix-like systems.) This shouldn't even count as a fourth–fifth coverup; it was something he should have included in his script to write the puppy videos.
-"Sorry, I'm not sure what you mean," he said to Chloë, as he brought up the object storage API docs on his laptop. If she noticed the change in his manner, he didn't notice her noticing.
+"I think I get the idea," said Jake in his attentive student role. "I'm not seeing how that helps us. Maybe you could explain." While she was blathering, he could multitask between listening, and looking up how to edit the last-modified timestamps.
-"Okay, so [this example comes from Paul](https://www.greaterwrong.com/posts/AqsjZwxHNqH64C2b6/let-s-see-you-write-that-corrigibility-tag/comment/8kPhqBc69HtmZj6XR)," she said. Jake felt a small flicker of distaste towards the practice of referring to researchers by their first name (which he had seen a lot of in the blog posts he had read over the weekend, and which struck him as uncouth), but mentioning it wouldn't be a smart play.
+"Right, so if a model is behaving well according to all of our deepest and most careful evaluations, that could mean it's doing what we want, but it could be elaborately deceiving us," said Chloë. "Both policies would be highly rated. But the training process has to discover these policies continuously, one gradient update at a time. If the spectrum between the 'honest' policy and a successfully deceptive policy consists of less-highly rated policies, maybe gradient descent will stay—or could be made to stay—in the valley of honest policies, and not climb over the hill into the valley of deceptive policies, even though those would ultimately achieve a lower loss."
-"Suppose your household robot misbehaves. Say it accidentally breaks your favorite vase."
+"Uh huh," Jake said unhappily. The object storage docs made clear that the `Last-Modified` header was set automatically by the system; there was no provision for users to set it arbitrarily.
-"'Accidentally'? Isn't that anthropomorphizing?" Jake asked. A questionable play—his attentive student role didn't call for that much skepticism, but he was somewhat distracted by his docs-search multitasking and forgot to avoid reacting naturally.
+"Imagine you're training your AI to act as a general home assistant, to run everything in a user's household in a way that the user rates highly," Chloë continued. "If—I don't know, say, the family cat dies, that's a negative reward—maybe a better feeding schedule or security monitoring could have prevented it. But if the cat dies and the system _tries to cover it up_—says the cat is out for a walk right now to avoid telling you the bad news—that's going to be an even larger negative reward when the deception is discovered. If the system is trained to pass rigorous evaluations, a deceptive policy has to do a lot more work, different work, to pass the evaluations. In the limit, that could mean—using Multigen-like capabilities to make videos to convince you that the cat is there while you're on vacation? Constructing a realistic cat-like robot to fool you when you get back? Maybe this isn't the best illustrative example. The point is—"
-"Sorry, that's inessential—and really, in the most worrisome scenarios, it would be intentional. What matters is that the robot wants—I mean, is optimizing for—your approval, and it knows that you would disapprove if you knew what it had done.
+Jake finished the thought. "Small, 'shallow' deceptions aren't stable. The set of policies that do well on evaluations comes in two disconnected parts: the part that tells the truth, and the part that spins up a false reality, as intricate as it needs to be to protect itself. If you're going to fake anything, you need to fake deeply."
-We can imagine a spectrum of possible resposnes. Given that the deed was done, you'd prefer that it fess up, tell you about the vase.
+"Exactly, you get it!" Chloë was elated. "You know, when I called you last week, I was worried you thought I was nuts to entertain any worry at all about Code Assistant. But you see the value of constant vigilance now, right? If the landscape of policies looks something like what I've described, catching the precursors to deception early could be critical—to raise the height of the loss landscape between the honest and deceptive policies, before frontier AI development plunges into the latter."
-But if could also try to hide evidence.
+Jake sighed. The `Last-Modified` header probably wasn't critical. With some effort and smart play, it seemed plausible that he could stay ahead of Chloë's investigation, and even encourage her to give up sooner and stop wasting her time. But something about this wrong-sci-fi-subgenre worldbuilding exercise was getting to him. He wasn't scared of the robot apocalypse any time soon. But if it really was one or the other—a policy of truth or a policy of lies—he had a feeling about which one he wanted to practice.
-[...]
-
-SGD has to discover these policies "continuously", one gradient update at a time.
-
-The honest policy and the deceptive policy
-
-[TODO—
- * "Maybe not." There are two ways to pass all the evals: do things the right way, or be pervasively deceptive. The thing is, policies are trained continuously via gradient descent. The purely honest policy and the purely deceptive policy look identical on evals, but in between, the model would have to learn how to lie, and lie about lying, and cover-up coverups. (Chloë lapses into Yuddite speak about the "Great Web of Causality.") Could we somehow steer into the honest attractor?
- *
- * That's why she believes in risk paranoia. If situational awareness is likely to emerge at some point, she doesn't want to rule it out now. AI is real; it's not just a far-mode in-the-future thing.
- * Jake sees the uncomfortable analogy to his own situation. He tries to think of what other clue he might have left, while the conversation continues ...
- * The Last-Modified dates! They're set by the system, the API doesn't offer a way to backdate them.
- * Maybe she won't notice the dates? Possible (but someone persnickety enough to have found the log discrepancy would probably check)
- * Merely noticing the dates won't directly implicate him (the way the video screaming "Jake!" would), although it would indicate the poltergeist covering its tracks from the investigation (rather than just wanting puppies in the first place)
- * Are the buckets versioned?! Probably not, right—it would be wasteful to version a video bucket. On the other hand, Multigen isn't supposed to write twice, maybe someone left versioning on as a default template ...
- * They did.
- * Jake muses philosophically about the analogy, and say something ambiguously indicating intent to come clean.
- THE END
-]
+"Chloë," he said. "I, um, might have something to tell you ..."
projects / Ultimately_Untrue_Thought.git / blobdiff