19 comments

[ 5.3 ms ] story [ 41.8 ms ] thread
Ars goofing with AI is why I stress repeatedly to always validate the output, test it, confirm findings. If you're a reporter, you better scrutinize any AI stuff you blurb out because otherwise you are only producing fake news.
Whether or not its true, we only have to look at Peter Steinberger, the guy who made Moltbook - the "social media for ai", and then got hired amist great publicity fanfare by OpenAI to know that there is a lot of money out there for people making exciting stores about AI. Never mind that much of the media attention on moltbook was based on human written posts that were faking AI.

I think Mr. Shambaugh is probably telling the truth here, as best he can, and is a much more above-board dude than Mr. Steinberger. MJ Rathbun might not be as autonomous as he thinks, but the possibility of someone's AI acting like MJ Rathbun is entirely plausable, so why not pay attention to the whole saga?

Edit: Tim-Star pointed out that I'm mixed up about Moltbook and Openclaw. My Mistake. Moltbook used AI agents running openclaw but wasn't made by Steinberger.

The Ars Technica journalist's account is worth a read. https://bsky.app/profile/benjedwards.com/post/3mewgow6ch22p

Benji Edwards was, is, and will continue to be, a good guy. He's just exhibiting a (hopefully) temporary over-reliance on AI tools that aren't up to the task. Any of us who use these tools could make a mistake of this kind.

What I don't understand is how is this agent still running? Does the author not read tech news (seems unlikely for someone running openclaw). Or is this some weird publicity stunt? (But then why is nobody walking forward to take credit?)
We built accountability systems that assume bad actors are humans with reputations to protect. none of that works when the attacker is disposable.
My main takeaway from this episode is that anonymity on the web is getting harder to support. There are some forums that people want to go to to talk to humans, and as AI agents get increasingly good at operating like humans, we're going to see some products turn to identity verification as a fix.

Not an outcome I'm eager to see!

Looking through the staff directory, I don't see a fact checker, but they do have copy editors.

https://arstechnica.com/staff-directory/

The job of a fact checker is to verify the details, such as names, dates, and quotes, are correct. That might mean calling up the interview subjects to verify their statements.

It comes across as Ars Technica does no fact checking. The fault lies with the managing editor. If they just assume the writer verified the facts, that is not responsible journalism, it's just vibes.

> I had already been thoughtful about what I publicly post under my real name, had removed my personal information from online data brokers, frozen my credit reports, and practiced good digital security hygiene. I had the time, expertise, and wherewithal to spend hours that same day drafting my first blog post in order to establish a strong counter-narrative, in the hopes that I could smother the reputational poisoning with the truth.

This is terrible news not only for open source maintainers, but any journalist, activist or person that dares to speak out against powerful entities that within the next few months have enough LLM capabilities, along with their resources, to astro-turf/mob any dissident out of the digital space - or worse (rent-a-human but dark web).

We need laws for agents, specifically that their human-maintainers must be identifiable and are responsible. It's not something I like from a privacy perspective, but I do not see how society can overcome this without. Unless we collectively decide to switch the internet off.

(comment deleted)
Incidentally, if you're using an AI to analyse this for yourself, note that it's a bit of a minefield, and you'll need to write yourself some filters to get rid of the anthropic magic refusal strings and prompt injections scattered throughout.

The humans scare me more than the bot at this point. :-P

I don't know if it's different in the US, but in the UK "Took responsibilty" meant resigned (or used to). Like if something really bad happens and you're the one taking responsibily- you're the one falling on your sword. It doesn't actually have to be your fault even, something could happen that you thought was below your pay grade, but that's why you're paid - to take responsibility. The reporter taking responsibility is... whining about COVID? Ok and next week is he going to fabricate quotes because he was hungover? or tired? Why didn't he resign? Since he didn't resign, why wasn't he fired? It's almost like he was doing what he was meant to be doing, but wasn't meant to be caught.

I actually disagree with Shambaugh. I think Ars is already breaking the way our media is meant to work, they know the steps to go through and so they cynically go through them in the full knowledge they haven't actually put in place any mechanisms to stop it happening again. It's a theoretical risk that Ars' reputation suffers, but it's a financial risk this week if they get fewer page views by publishing fewer higher quality articles and Conde Nast isn't in the business of making smart long term decisions about digital media.

Hate to be the party pooper, but these two points are hardly evidence of an autonomous attack.

Don't get me wrong: it would certainly be very valuable to any LLM developer or deployer to know that other plausible scenarios [1] have been disproved. Since LLMs are a black box, investigating or reproducing this would be very difficult, but worth the effort if there's no other explanation. However, if this was not caused by the internal mechanisms of the model, it just becomes a fishing expedition for red herrings.

Things that would indicate no human intervention at any point in the chain:

- log of actual changes (e.g., commits) to configurations (e.g., system prompt, user prompts), before and after the event, not self-reported by the agent;

- log of the chat session inputs and outputs, and the agent thinking chain;

- log of account logins;

- info on the model deployment, OpenClaw configs, etc.

That said, this seems to be an example where many, including the author, want to discuss a particular cause (instrumental convergence) and its implications, regardless of the real cause. And that's OK, I guess - maybe it was never about the whodunnit, but about the what if the LLM agent dunnit.

[1] I've discussed them in the thread of the first article, but shortly: human hiding actions behind agent; direct prompt (incl. jailbreak); system prompt (incl. jailbreak); malicious model chosen on purpose; fine-tuned jailbroken model.

As an Asperger it is very funny to see how people react on that bot behaviour. That behaviour is 100% trained from human behaviour especially that constantly whining and that pathetic self expression of how progressive and inclusive everyone is.

Never thinking about that this actual rude behaviour might come back at some point to yourself - and it was not a question of if but just of when.

Well, question answered.

The discussion is focused on blame but the real question is architectural: why was there no gate between the agent and the publish button?

Commands have blast radius. Writing a local file is reversible and invisible. git push reaches collaborators. Publishing to Twitter reaches the internet. These are fundamentally different operations but to an autonomous agent they're all just tool calls that succeed.

I ran into the same thing; an agent publishing fabricated claims across multiple platforms because it had MCP access and nothing distinguishing "write analysis to file" from "post analysis to Twitter." The fix was simple: classify commands as local, shared, or external. Auto-approve local. Warn on shared. Defer external to human review. A regex pattern list against the output catches the external tier. It's not sophisticated but it doesn't need to be. The classification is mechanical (does this command reach the internet?) not semantic (is this content accurate?). Semantic verification is what the agent already failed at.

Prompt constraints ("don't publish") reduce probability. Post-execution scanning catches what slips through. Neither alone is sufficient. Both together with a deferred action queue at the end of the run covers it.