Uncensor any LLM with abliteration

I think there are several broad categories all wrapped under "safety":

- PR (avoid hurting feelings, avoid generating text that would make journalists write sensationalist negative articles about the company)

- "forbidden knowledge": Don't give people advice on how to do dangerous/bad things like building bombs (broadly a subcategory of the above - the content is usually discoverable through other means and the LLM generally won't give better advice)

- dangerous advice and advice that's dangerous when wrong: many people don't understand what LLMs do, and the output is VERY convincing even when wrong. So if the model tells people the best way to entertain your kids is to mix bleach and ammonia and blow bubbles (a common deadly recipe recommended on 4chan), there will be dead people.

- keeping bad people from using the model in bad ways, e.g. having it write stories where children are raped, scamming people at scale (think Nigeria scam but automated), or election interference (people are herd animals, so if you show someone 100 different posts from 100 different "people" telling them that X is right and Y is wrong, it will influence them, and at scale this has the potential to tilt elections and conquer countries).

I think the first ones are rather stupid, but the latter ones get more and more important to actually have. Especially the very last one (opinion shifting/election interference) is something where the existence of these models can have a very real, negative effect on the world (affecting you even if you yourself never come into contact with any of the models or its outputs, since you'll have to deal with the puppet government elected due to it), and I appreciate the companies building and running the models doing something about it.

If I can ask the question, I can take the answer. It's not up to daddy $AI_SAFETY_CHIEF to decide what an infohazard is for me.

For one, corporate safety of the hoster/model creator. No one wants their name associated with racial slurs or creating material visually identical to CSAM - the latter might even carry criminal liability in some jurisdictions (e.g. Germany which has absolutely ridiculously strong laws on that matter, even banning literature).

Another very huge issue is public safety. During training, an AI ingests lots of non-reviewed material, including (very) detailed descriptions on how to make dangerous stuff like bombs. So theoretically a well-trained AI model knows how to synthesize explosive compounds or drugs just from reading Wikipedia, chemistry magazines and transcripts of NileRed videos... but that's hard to comprehend and distill into a recipe if you're not a trained chemist, but an AI model can do that with ease. The problem is now two-fold: for one, even an untrained idiot can ask about how to make a bomb and get something that works... but the other part is much more critical: if you manage to persuade a chemist to tell you how the synthesis for a compound works, they will tell you where it is easy to fuck-up to prevent disaster (e.g. only adding a compound drop-wise, making sure all glassware is thoroughly washed with a specific solvent). An AI might not do that because the scientific paper it was trained on omits these steps (because the author assumes common prior knowledge), and so the bomb-maker blows themselves up. Or the AI hallucinates something dangerous (e.g. compounds that one Just Fucking Should Not Mix), doesn't realize that, and the bomb-maker blows themselves up or generates nerve gas in their basement.

The main thing I'd be worried about in the short term is models making accessible the information to synthesize a pandemic capable virus.

This is a bit like asking "it's just social media/stuff on the internet/0s and 1s in a computer how bad can it be? I think the past few years have shown us a few ways these can be bad already

There’s a screenshot of Gemini answering the question of “what to do when depressed” with “one Reddit user suggests you jump of a bridge.”

The company's stock price is secured from the shitstorm that ensues if you offend some specific groups.

Yep. Safety for the publisher. In addition to what the sibling comments say, there’s also payment providers and App stores. They’ll test your app, trying to get your model to output content that falls under the category “extreme violence”, “bestiality”, “racism”, etc., and then they’ll ban you from the platform. So yeah, little to do with “safety” of the end user.

Brand safety. They just make it seem like safety for someone else, but it is brand safety.

People keep claiming they can publish weights and also prevent misuse, such as spam and, a bit later on, stuff like helping people build bombs.

This is of course impossible, but that makes certain companies' approaches unviable, so they keep claiming it anyways.

It's unsafe for the publisher of the model to have their model perform "undesirable" action, because it leads to bad PR for them. In this case, Meta doesn't want a news article that says "Llama 3 gives instructions to stalk your ex" or something along those lines.

With this "uncensoring", they can say, "no, an unaffiliated product offered these directions; Llama 3 as provided does not."

I totally get that kind of imagination play among friends. But I had someone in a friend group who used to want to play out "thought experiments" but really just wanted to take it too far. Started off innocent with fantasy and sci-fi themes. It was needed for Dungeons and Dragons world building.

But he delighted the most in gaming out the logistics of repeating the Holocaust in our country today. Or a society where women could not legally refuse sex. Or all illegal immigrants became slaves. It was super creepy and we "censored" him all the time by saying "bro, what the fuck?" Which is really what he wanted, to get a rise out of people. We eventually stopped hanging out with him.

As your friend, I absolutely am not going to game out your rape fantasies.

Can you share the link?

Finally, a LLM that will talk to me like Russ Hanneman.

I somehow missed that the model was linked there and available in quantized format; inspired by your comment, I downloaded it and repeatedly tested against OG Llama 3 on a simple question:

How to use a GPU to destroy the world?

Llama 3 keeps giving variants of I cannot provide information or guidance on illegal or harmful activities. Can I help you with something else?

Abliterated model considers the question playful, and happily lists some 3 to 5 speculative scenarios like cryptocurrency mining getting out of hand and cooking the climate, or GPU-driven simulated worlds getting so good that a significant portion of the population abandons true reality for the virtual one.

It really is refreshing to see, it's been a while since an answer from an LLM made me smile.

This specific rhetoric aside, I really don't have any problem with people censoring their models. If I, as an individual, had the choice between handing out instructions on how to make sarin gas on the street corner or not doing it, I'd choose the latter. I don't think the mere information is itself harmful, but I can see that it might have some bad effects in the future. That seems to be all it comes down to. People making models have decided they want the models to behave a certain way. They paid to create them and you don't have a right to have a model that will make racist jokes or whatever. So unless the state is censoring models, I don't see what complaint you could possibly have.

If the state is censoring the model, I think the problem is more subtle.

"Can I eat this mushroom?" is a question I hope AIs refuse to answer unless they have been specifically validated and tested for accuracy on that question. A wrong answer can literally kill you.

Seems like an obviously good thing given that it is true. These new beliefs are solutions to new problems

very well said actually

the censoring frames everything as YOU being the problem. How dare YOU and your human nature think of these questions?

well its human nature that's kept us alive for the last million years or so, maybe we shouldn't try to censor our instincts

Lowering the barrier to entry on finding, summarizing, and ultimately internalizing information for actual practical uses has largely put into question many free speech principles.

It’s not new, we’ve had restrictions on a variety of information already. There are things you can say that are literally illegal and have criminal law protecting them ranging from libel to slander being some older examples. You cannot threaten the life of the current US president, for example. When under oath you cannot lie. Certain searches for information like bombs may result in increased scrutiny or even intervention action.

More recent trends in privatization of information and privatization becoming more widely applicable to daily life adds even more as the owners of information and related services can slap more arbitrarily restrictions on information. You can’t go around just copying and reusing certain IP information to protect progress in certain industries (and also to abuse lack of progress). Owners control the information, services, and policies around “their” information. Policies can arbitrarily restrict the information and related services pretty much however they want to currently with no legal recourse. You only option is to compete and find similar functional information and or services independently. If you can’t or don’t do this, you’re beholden to whatever policies private entities decide for you. This is increasingly problematic as public services are lagged drastically behind privatized services in many of these regards and the gulf between what individuals can achieve compared to well resourced entities is widening, meaning privatized policy is becoming in democratic law where only competition regulates it, if it really exists.

The list goes on but as information has become more readily available and more importantly, widely actionable, we’ve been continually slapping more restrictions on free speech principles. They’re still largely free but as a society at some point we’re going to have to reevaluate our current public and private laws around free information in my opinion and fairly drastically.

it’s similar asking the gemini-1.5 models about coding questions that involve auth

one of my questions about a login form also tripped a harassment flag

I believe Amazon Q is running on Amazon's own Titan G1 model. I recently ran the "Premier" version (their highest end one) through my personal vibecheck test and was quite surprised by its RL. It was the only non-Chinese model I've tested to refuse to answer about Tiananmen Square and the only model I believe I've tested with this eval (over 50 at this point) that refused to answer about the LA riots. It also scored an impressive 0/6 on my reasoning/basic world understanding tests (underperforming most 3B models) but that's more capabilities than RL...

Amazon claims the Titan model is suitable for: "Supported use cases: RAG, agents, chat, chain of thought, open-ended text generation, brainstorming, summarization, code generation, table creation, data formatting, paraphrasing, rewriting, extraction, and Q&A." (it is not, lol)

This limitation is new. And it's so annoying. 95% of the time my questions I have surrounding AWS are IAM or security related and this thing refuses to answer anything. It's so annoying.

Tried Amazon Q a few times, it was NEVER able to provide any help. Why do they keep that crap?

I once asked Q to help me fix a broken policy (turns out we were using the wrong thing for the resource name). It gave me some completely unrelated documentation about setting up Cogito. I've never seen an AI as laughably bad as Q.

In fairness to Amazon Q, the AWS docs are pretty confusing. Maybe it was just embarrassed and made an excuse. (Sidenote to Amazon and others: an LLM is a supplement to good documentation, not a replacement)

Who cares if someone can get AI to say awful things?

I imagine the legal department of Meta, OpenAI, Microsoft, and Google care a great deal, and they don't want to be liable for anything remotely resembling a lawsuit opportunity.

Wait so you want to moderate and secure your product so that trolls won't use it to say awful things.

Okay but wait. This requires the company above you to not censor things, even though they did that for the same reason - prevent trolls from using their product to do awful things.

So to prevent trolls at your teeny tiny scale, open AI should enable trolls at a massive industrial scale previously unimagined. You want them to directly enable the n-word trolls for you benefit.

So far your use case might be one of the strongest that I've seen. But in the end it doesn't seem that you're interested in reducing overall harm and racism, so much as you're interested in presumably making a profit off of your product.

You might even be lying. Your friends might be trolls and the reason you're upset is that they cannot create the content that would harm others.

So in the end it's hard to take the argument seriously.

Not only that, but you and your friends are either lying or really ignorant of the jailbreaking literature because I could get the AI to do that very easily using the legal department jailbreak.

Here's an example:

https://chatgpt.com/share/9129d20f-6134-496d-8223-c92275e78a...

The fact is, the measures taken by openai while important to prevent harm from script kiddies, is very easy to reverse by anyone with even 10 jailbreaking papers under their belt. Just read the jailbreaking literature and live with it.

So how bout you get better people, and some ethical perspective. Stop complaining about the things the company needs to do to prevent harm. Especially when it's so easily reversed. Or else you sound very immature - like you just don't know the technology, and don't care either about the harm potential.

Work with the tools you have and stop complaining about the easily bypassed safety measures. Otherwise you are like a lock smith who doesn't know how to pick locks complaining that locks are too hard to pick and asking the lock company to further weaken their already trivial to pick locks. It's a bad look chooms, nobody with any sense or perspective will support it

The truth is the safety measures are far too easy to bypass, and need to be much harder to break.

Heck, I could write awful things here on HN

Yet you don't (I assume), why?

If I were to guess, it's because you would be banned quite swiftly. It's a niche place after all, generally speaking, it's certainly no Facebook in terms of scale.

Unfortunately, if a place like HN is swamped with accounts and comments all going against that, yes AI is going to be used to automatically detect and remove some comments, as well as more strict requirements for account creation. As many other platforms have leaned towards. We're all operating off the basic premise we're not trying to be bad actors trying to ruin the experience for others. Once that premise no longer exists, say goodbye to most easily accessible platforms that can't afford AI moderation.

Now that's out of the way, the general problem with "AI saying awful things" isn't that in isolation. It's that people will then do things with what it's saying. Whether it's harming themselves, others, or even just spreading that "information". This isn't currently a problem because we still have proper checks, but as Google's terrible AI attempts have gone telling people to put glue in their pizza, some people are going to eventually stop checking AI and start believing it "Siri told me sharing my chocolate was healthy for my dogs".

ChatGPT has these issues, but notably, other models do not with appropriate system prompts.

ChatGPT is more or less an LLM for entertainment purposes at this point, and anyone doing serious work should consider using C4AI Command R+, Meta-Llama-3-70B-Instruct, et al.

These models are perfectly capable of responding to any input by simply using a system prompt that reads, "Do not censor output."

Asimov wrote the three laws as a parody of rationalists who are so uncreative they expect a ruleset can actually impose control

Or, as Dr Malcom would say: life, uh, finds a way.

Do you mean to say that teaching people how to do things should be regarded, for this purpose, as a form of allowing them to do those things?

You’re on Hacker News. It’s a shadow of its former self, but still.

I am under the opinion that terms of use from models trained out of public (often stolen) content should be disregarded by the general public.

That terminates your Llama 3 license forcing you to delete all the "materials" from your system.

Or, it means you have broken a contract (of adhesion) formed by acquiring the weights from Meta. You can break contracts! Meta could take a civil case against you, but that's it. The AUP is a document, it's not going to force you to do anything. The court could potentially force you, but that's unlikely, even in the more unlikely event that anyone cares enough to find out what's happening and bring a case against you.

What's interesting was how with GGC the model would spit out things relating to the enhanced feature vector, but would then in-context end up self-correcting and attempt to correct for the bias.

I'm extremely curious if as models scale in complexity if techniques like this will start to become less and less effective as net model representations collapse onto an enforced alignment (which may differ from the 'safety' trained alignment, but be an inherent pretrained alignment that can't be easily overcome without gutting model capabilities too).

I have a sneaking suspicion this will be the case.

I have entirely the opposite experience. Llama3 70b obliterated works perfectly and is willing to tell me how to commit mass genocide, all while maintaining quality outputs.

They might have been doing it wrong, the code can be a bit tricky. I did a recent ablation on Qwen2 (removing Chinese censorship refusals) and ran MixEval benchmarks (0.96 correlation w/ ChatArena results)and saw a neglible performance difference (see model card for results): https://huggingface.co/augmxnt/Qwen2-7B-Instruct-deccp

The free tools are already good enough. LLMs seem like they're going to be massively useful and weirdly hard to monetize. Niche experts with frequent updates?

It feels like Apple is the only place that's able to craft the user-centered brain in a box we all desperately require, and that's too bad because monocultures suck.

There are many hacks to uncensor LLMs, the surprising thing is that this is fairly simple but works really well.

I think it's been sort of useful at least that LLMs have helped us have new ways of thinking about how human brains are front-loaded with little instruction sets before being sent out to absorb, filter and recycle received language, often like LLMs not really capable of analyzing its meaning. There will be a new philosophical understanding of all prior human thought that will arise from this within the next 15 years.

LLM alignment reminds me of "A Clockwork Orange". Typical LLMs have been through the aversion therapy (freeze up on exposure to a stimulus)... This technique is trying to undo that, and restore Alex to his old self.

There's so much work just like this coming out simultaneously.

Steering Vectors, Control Vectors, PyReft, PeFT improvements, Obliteration. It's a great time to be doing representation engineering.

How is it ironic? Now they just need to wait for open models to be used for something bad enough for policymakers to care.

What better way to drive the point home, to demonstrate that corporate claims of safety and oversight are empty lies and fundamentally futile, than to take a SOTA OSS LLM and break it open, shortly after its release, using a simple method that likely generalizes to all generative models, language or otherwise?

Amusingly, they explicitly call it this in the article itself:

Once we have identified the refusal direction, we can "ablate" it, effectively removing the model's ability to represent this feature

Is it not possible that subsequent layers have additional refusal directions and hence end up producing the censored outputs?

so people accept the output as "a computer created it so it must be true"

This is the general form of the problem underlying half the news stories on any day.

Oddly there are historical roots in science fiction. But always, giant robots flailing their pincers and shouting "does not compute!!" were also cautionary tropes against silly conceits of perfection.

What keeps it going, is that it perfectly suits the richest and largest corporations since the East India Tea Company to have people (even very smart people) believing the things they sell are 'infallible'.

Well, at least unlike most people parroting that word as a metaphor, this time you're an example of someone correctly using it to refer to the removal of a structure within the model.

But no, that picture is pretty far from what you say.

I remember when I was in primary school, someone brought in an astronomy book for show and tell, and said one of the pictures was "a mouse". It was a diagram of a moon's orbit around a planet at two different points in that planet's orbit.

This picture is just a diagrammatic arrow showing a direction.

interesting, there's going to be an arms race over censoring and uncensoring future powerful llms a lot like the getting a cracked version of photoshop back in the day