LessWrong developer, rationalist since the Overcoming Bias days. Connoisseur of jargon.


Jimrandomh's Shortform

There is a rumor of RSA being broken. By which I mean something that looks like a strange hoax made it to the front page of Hacker News. Someone uploaded a publicly available WIP paper on integer factorization algorithms by Claus Peter Schnorr to the Cryptology ePrint Archive, with the abstract modified to insert the text "This destroyes the RSA cryptosystem." (Misspelled.)

Today is not the Recurring Internet Security Meltdown Day. That happens once every month or two, but not today in particular.

But this is a good opportunity to point out a non-obvious best practice around cryptographic key sizes, which is this: Whatever key size is accepted as the standard, you want your SSH keys and your PGP keys to be one size bigger, so that if a gradually rising tide of mathematical advances causes a cryptography meltdown, you won't be caught in the wave where everyone else gets pwned at once.

So I recommend making sure, if you're using RSA for your SSH keys, that they are 4096-bit (as opposed to the current ssh-keygen default of 3072-bit).
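A way to check the recommendation above against an existing `authorized_keys` file, as an added example that is not part of the original comment: the script below decodes OpenSSH `ssh-rsa` public-key lines (RFC 4253 wire format: type string, mpint e, mpint n) and reports the modulus size of each RSA key, flagging anything under 4096 bits. The key lines it runs on are constructed in the script itself with made-up moduli, not real keys, so the encoder helpers and the `MIN_RSA_BITS` name are assumptions of the example rather than anything from the comment or from OpenSSH.

```python
import base64
import struct

# Minimum recommended in the comment above; ssh-keygen's current RSA default is 3072.
MIN_RSA_BITS = 4096


def _read_string(buf, offset):
    """Read one SSH wire-format string: 4-byte big-endian length, then payload."""
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    return buf[offset:offset + length], offset + length


def rsa_key_bits(pubkey_line):
    """Return the RSA modulus size in bits for an OpenSSH 'ssh-rsa' public key line,
    or None if the line is some other key type (ed25519, ecdsa, ...)."""
    parts = pubkey_line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        return None
    blob = base64.b64decode(parts[1])
    # Wire format (RFC 4253): string "ssh-rsa", mpint e, mpint n
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        return None
    _e, off = _read_string(blob, off)
    n, _ = _read_string(blob, off)
    # mpint is big-endian two's complement; a leading 0x00 is sign padding and
    # does not change the integer's bit length.
    return int.from_bytes(n, "big").bit_length()


def audit_authorized_keys(lines, minimum=MIN_RSA_BITS):
    """Classify each key line as (comment, bits, acceptable). Non-RSA keys are
    reported with bits=None and treated as acceptable, because the size
    recommendation is specifically about RSA."""
    report = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        comment = parts[2] if len(parts) == 3 else ""
        bits = rsa_key_bits(line)
        ok = bits is None or bits >= minimum
        report.append((comment, bits, ok))
    return report


# --- constructed sample data: these are NOT real keys, only correctly encoded
# wire-format blobs with made-up moduli, so the parser has something to read ---
def _string(data):
    return struct.pack(">I", len(data)) + data


def _mpint(value):
    """Encode a non-negative integer as an SSH mpint."""
    if value == 0:
        return struct.pack(">I", 0)
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # keep the sign bit clear for a positive number
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def make_fake_rsa_line(bits, comment):
    """Build an 'ssh-rsa' line whose (fake) modulus has exactly `bits` bits."""
    n = (1 << (bits - 1)) | 1  # top bit set so bit_length() == bits
    blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def make_fake_ed25519_line(comment):
    """Build an 'ssh-ed25519' line with an all-zero (fake) 32-byte public key."""
    blob = _string(b"ssh-ed25519") + _string(bytes(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


SAMPLE_AUTHORIZED_KEYS = [
    "# constructed sample authorized_keys",
    make_fake_rsa_line(3072, "laptop-default-size"),
    make_fake_rsa_line(4096, "laptop-one-size-bigger"),
    make_fake_ed25519_line("placeholder-ed25519"),
]

if __name__ == "__main__":
    for comment, bits, ok in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"{comment:24} bits={bits} {'ok' if ok else 'BELOW MINIMUM'}")
```

For a single key, `ssh-keygen -l -f path/to/key.pub` prints the same size; the parser is for sweeping a whole `authorized_keys` file without shelling out once per line. Generating a replacement at the larger size is `ssh-keygen -t rsa -b 4096`.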

How do you run a fit-test for a mask at home when you don't have fancy equipment?

I don't know the physics of what happens in an instant pot very well, but probably not; I would expect any heat-based method for producing mist is probably going to leave the solutes behind. But this is easy to test; just saturate some water with saccharin, turn it on, and see if (without a mask) you can taste saccharin in the air.

How do you run a fit-test for a mask at home when you don't have fancy equipment?

You do need fancy equipment, but not quite that fancy. The one thing you absolutely can't do it without is a nebulizer. This is a sort of modified spray bottle which converts liquid into aerosol. A regular spray bottle won't work, because the droplets it produces are too large. The nebulizer I have works by having a channel which pulls liquid up and suspends a drop of it in the path of bursts of air, which you produce by squeezing a rubber bulb. This is an expensive item because it's in short supply, but it's a simple plastic part that would be very cheap if it were made in bulk, and it doesn't seem impossible for someone to make a replacement at home with hand tools and some expertise.

(A commercial fit-test kit will typically contain two nebulizers, when you only need one. The reason is that if you're following the formal procedure, you first use a low-concentration version of the aerosol to make sure the person has a working sense of taste, then a high-concentration version for the real test, and if you're testing a bunch of people in a row you don't want to have to clean out the nebulizer each time. For home use, you only need one.)

(The liquid you put in the nebulizer is just saccharin in water; you might as well use a bottle that's labelled as being for fit tests, but if you can't get one you can get saccharin powder at a grocery store and mix it with water yourself. Some test kits use denatonium aka Bitrex instead, supposedly because some people can't taste saccharin. A saccharin test is much more pleasant. I noticed that saccharin solution sometimes clogged the nebulizer, by leaving a crystalline residue when it dries out, and denatonium doesn't.)

The formal fit test procedure also uses a hood, which holds aerosol in place while you hold your head at various angles and read a passage aloud, in case gaps open only while you do that.

When I've administered fit tests to people, about half fail. Cheap KN95s usually fail by having big gaps around the edges, which can be fixed by taping them down with medical tape, if you really need to. Rubber interface P100s fail by not having the straps tight enough or by having incorrectly installed filters.

The feeling of breaking an Overton window

And I'm not yet sure what the analog of "avoid falling" is, that this reaction is actually triggered by cues of

"Falling" might be "acknowledging a truth which someone really wants to keep hidden"? Some related examples:

  • A totalitarian ruler is trying to maintain a narrative that their country is prospering, by punishing anyone who calls attention to problems
  • A manager worried about legal liability for a problem, who is trying to avoid the creation of evidence that they knew about the problem
  • A criminal organization, which punishes anyone who draws attention to its crimes
  • Someone who would be obligated to do difficult things about the problem if it were acknowledged, who socially attacks anyone talking about the problem

My not-well-grounded impression is that these sorts of situations are common, are difficult to rule out without false negatives, and are at the heart of Maziness.

Overconfidence is Deceit

In one sense, this is straightforwardly true: there is an incentive in some (but not all) circumstances to project more confidence than you'd have if you were reasoning correctly based on the evidence, and following that incentive means emitting untrue information. But there are two pushbacks I want to give.

First, a minor pedantic point: There are environments where everyone is both signaling overconfidence all the time, and compensating for it in their interpretation of everyone else's communication. You could interpret this as dialects having certain confidence-related words calibrated differently. Unilaterally breaking from that equilibrium would also be deceptive.

But second, much more importantly: I think a lot of people, when they read this post, will update in the direction of socially attacking confidence rather than attacking overconfidence. This is already a thing that happens; the usual shape of the conversation is that someone says something confidently, because they have illegible sources of relevant expertise. Several times early in the COVID-19 pandemic, I got substantial social attacks, explicitly citing overconfidence on matters in which I was in fact correct, the outcome of which was that I ultimately burned out for a while and did less than I could have. This failure mode does a lot of damage, and I don't think this post is adequately caveated around it.

Borasko's Shortform

This seems self-aware and accurate, and means you have a decent chance of being able to intervene and avoid going into a depressive state. The two things that sound particularly high leverage (and I believe tend to feature prominently in standard advice, because they tend to be key elements of self-reinforcing spirals) are sleep and diet.

https://www.lesswrong.com/posts/a6PMaSrfG9KYWL9tL/how-to-improve-your-sleep. Especially the bit about checking for sleep apnea, if you haven't already.

Eating more sweets/carbs is a common depression failure mode, and people tend to respond by deciding that the carbs are bad, and trying to stop themselves from eating them. This is a mistake because what's actually going on is undereating of everything else; sweets make up the gap because they're very convenient, but the right intervention is to add more high-quality food until there's no appetite left for sweets.

Heuristic: Replace "No Evidence" with "No Reason"

Relevant Sequences post: Scientific Evidence, Legal Evidence, Rational Evidence. I think this may be a byproduct of the leadership of governmental organizations having too many lawyers (and legal culture); the "only a published peer-reviewed study counts as evidence" thing seems like a natural result of hybridizing the legal notion of evidence (something admissible in court) with the scientific notion of evidence (something produced via the scientific method).

We Need Browsers as Platforms

There are a few places where the install-from-repository model fundamentally works better than the web model, or could work better if the repositories did a little better. One of the big ones is: when I download software (or load a webapp), I want to be sure I'm getting the same software/webapp as everyone else is. A webpage with a sandbox-escape vulnerability can serve malicious code to high-value target users, and avoid serving it to security researchers; whereas with something like apt-get or the Play Store, that sort of thing is much more difficult.

A repository/appstore also makes it feasible to refuse updates. A prototypical example of when you want this is illustrated by a recent Play Store security incident with a barcode scanner app: something which (1) doesn't have significant untrusted-network-data exposure so it isn't likely to need security updates, (2) has little room for actual improvement, and (3) is at risk of being taken over by a malicious actor, or its developer deciding to monetize it in a way that makes it worse. (I have Play Store auto-updates on my phone globally disabled for this reason, and am quite bothered by the inability to control auto-updates on a per-app basis. Chrome has a built-in outdated-version detector that will warn if using an insecure version, but most other apps with network exposure do not. So this is trading some RCE risk in order to reduce malicious-developer risk.)

Is the influence of money pervasive, even on LessWrong?

LessWrong has a team of six (which includes site development and support, the Alignment Forum in collaboration with MIRI and the EA Forum in collaboration with CEA, plus some assorted smaller projects). We get some funding from small donors, but the majority of funding is from a few large donations. We chose which donations to pursue in part based on which donors would best preserve our independence, and don't talk to them about site directions and decisions very much. We are currently adequately funded and not actively seeking more donations.

2019 Review: Voting Results!

My subjective experience voting on these posts was "aaaaah these are all too good I can't not-upvote any of them". Being eligible to be voted on required two nominations and a review, and apparently the nominators/reviewers were picking from a pretty excellent pool this year. The top posts in this list are really excellent, and the bottom posts are... still really excellent.
