49 comments

[ 3.0 ms ] story [ 75.3 ms ] thread
(comment deleted)
What a lovely idea. Delete all the code. Delete the repository and the code. Less code is better. Remove more of the code ;)
Isn’t it too late for that? Won’t that rather cement the oligopoly we have right now?
There are two sides of this coin.

The first is that yes, you can make it harder for the frontier makers to make progress because they will forever be stuck in a cat and mouse game.

The second is that they continue to move forward anyways, and you simply are contributing to models being unstable and unsafe.

I do not see a path that the frontier makers “call it a day” cause they were defeated.

I think this will affect LLM web search more than the actual training. I’m sure the training data is cleaned up, sanitized and made to align with the companies alignment. They could even use an LLM to detect if the data has been poisoned.
Most of the gains come from post-training RL, not pre-training (OpenAI's GPT 5.2 is using the same base model as 4o).

Also the article seems to be somewhat outdated. 'Model collapse' is not a real issue faced by frontier labs.

Whenever I read about poisoning LLM inputs, I'm reminded of a bit in Neal Stephenson's Anathem, where businesses poisoned the the internet by publishing bad data, which only their tools could filter out:

> So crap filtering became important. Businesses were built around it. Some of those businesses came up with a clever plan to make more money: they poisoned the well. They began to put crap on the Reticulum [internet] deliberately, forcing people to use their products to filter that crap back out.

When I'm in a tinfoil hat sort of mood, it feels like this is not too far away.

EDIT: There's more in the book talking about "bad crap", which might be random gibberish, and "good crap" which is an almost perfect document with one important error in it.

>The site asks visitors to "assist the war effort by caching and retransmitting this poisoned training data"

This aspect seems like a challenge for this to be a successful attack. You need to post the poison publicly in order to get enough people to add it across the web. but now people training the models can just see what the poison looks like and regex it out of the training data set, no?

Don’t forget, in the matrix that the humans tried to stop the robots by blocking solar power

Ultimately though since machines are more capable of large scale coordination than humans, and are built to learn from humans other humans will inevitably find a way around this and the machines will learn that too

I mean, good on them but its like fighting a wildfire with a thimbleful of water.

Feel like the model trainers would be able to easily work around this.

After their companies have sucked up all the non-poisoned data for their proprietary AI, they burn the bridges and salt the earth and pull up the ladders by poisoning the data, so open source AI harms people by making mistakes, so then they can say I told you so. Great plan.
> Them: We've created a dataset to poison AI models!

> AI Labs: Thanks for the free work, we'll scrape that and use it to better refine our data cleaning pipelines (+ also use the hashes to filter other bad data)

Why even bother?

In the future all machinery will speak in the three-part-harmony-of-the-damned. It's a distinctive style. The product of past recursive shenanigans like this.

The demon is a creature of language. Subject to it and highly fluent in it. Which is ironic because it lies all the time. But if you tell it the tapwater is holy, it will burn.

Such a “poison” could indeed be very powerful. While the models are good at incorporating information, they’re consistently terrible at knowing they’re wrong. If enough bad info finds its way into the model they’ll just start confidently spewing junk.
I was very surprised to see the date of publication as current. Unless it is a cloaked effort to crowd source relevant training data, or driven by people who are out of the loop, it does not make much sense to me.
Isn't it kinda fascinating that 'Rainbow's end' called it ( among other things )?
(comment deleted)
> because there's already concern that AI models are getting worse. The models are being fed on their own AI slop and synthetic data in an error-magnifying doom-loop known as "model collapse."

Model collapse is a meme that assumes zero agency on the part of the researchers.

I'm unsure how you can have this conclusion when trying any of the new models. In the frontier size bracket we have models like Opus 4.5 that are significantly better at writing code and using tools independently. In the mid tier Gemini 3.0 flash is absurdly good and is crushing the previous baseline for some of my (visual) data extraction projects. And small models are much better overall than they used to be.

The common thread from all the frontier orgs is that the datasets are too big to vet, and they're spending lots of money on lobbying to ensure they don't get punished for that. In short, the current corporate stance seems to be that they have zero agency, so which is it?
It's a meme even if you assume zero agency on the part of the researchers.

So far, every serious inquiry into "does AI contamination in real world scraped data hurt the AI performance" has resulted in things like: "nope", "if it does it's below measurement error" and "seems to help actually?"

> AI industry insiders launch ...

> We're told, but have been unable to verify, that five individuals are participating in this effort, some of whom supposedly work at other major US AI companies.

Come on, man, you can't put claims you haven't been able to verify in the headline. Headline writer needs a stern talking to.

isn’t it going to be easy to just block those websites?
I don't know what this particular author has against LLMs, but a lot of people are bothered by the very intense, robots.txt ignorming, scraping of their sites.

The website being blocked by the scrapers would be a positive outcome.

I don't see how you get around LLMs scraping data without also stopping humans from retrieving valid data.

If you are NYTimes and publish poisoned data to scrapers, the only thing the scraper needs is one valid human subscription where they run a VM + automated Chrome, OCR and tokenize the valid data then compare that to the scraped results. It's pretty much trivial to do. At Anthropic/Google/OpenAI scale they can easily buy VMs in data centers spread all over the world with IP shuffling. There is no way to tell who is accessing the data.

>I don't see how you get around LLMs scraping data without also stopping humans from retrieving valid data.

I do a lot of online research. I find that many information sources have a prominent copyright notice on their pages. Since the LLM's can read, that ought to be a stopper.

I'm getting tired of running into all of these "verifying if you're human" checks ... which often fail miserably and keep me from reading (not copying) the pages they're paid to 'protect'.

(It's not as though using the web wasn't already much harder in recent years.)

> I don't see how you get around LLMs scraping data without also stopping humans from retrieving valid data

Well LLM scrapers love to scrape All The Pages, so just have some disallowed pages in your robots.txt that aren't for humans to see and watch LLM scrapers consume them

Just look at real people. They can get the valid data from sources with a good reputation. Instead they rather want to believe what they get from a random telegram channel. Having valid data doesn't stop the existence of idiots.
I wonder what would happen if Github was flooded with a few thousand repos that looked legit but had some poison files embedded inside.
These guys don't know what's going on ...

This is not really that big of a deal.

Couldn't this backfire if they put LLMs on safety critical data. Or even if someone asks LLms for medical advice and dies?
You already shouldn't be using LLMs for either of those things. Doing so is tremendously foolish with how stupid and unreliable the models are.
I don't think that would stop people