I often see things like this and get a little bit of FOMO because I'd love to see what I can get out of this but I'm just not willing to upload all these private documents of mine to other people's computers where they're likely to be stored for training or advertising purposes.

How are you guys dealing with this risk? I'm sure on this site nobody is naive to the potential harms of tech, but if you're able to articulate how you've figured out that the risk is worth the benefits to you I'd love to hear it. I don't think I'm being to cynical to wait for either local LLMs to get good or for me to be able to afford expensive GPUs for current local LLMs, but maybe I should be time-discounting a bit harder?

I'm happy to elaborate on why I find it dangerous, too, if this is too vague. Just really would like to have a more nuanced opinion here.

> I'm just not willing to upload all these private documents of mine to other people's computers where they're likely to be stored for training or advertising purposes.

And rightfully so. I've been looking at local LLMs because of that and they are slowly getting there. They will not be as "smart" as the big models, but even a 30B model (which you can easily run on a modern Macbook!) can do some summarization.

I just hope software for this will start getting better, because at the moment there is a plethora of apps, none of which are easy to use or even work with a larger number of documents.

The docs I upload are ones I'd be OK getting leaked. That also includes code. Even more broadly, it also includes whatever pics I put onto social media, including chat groups like Telegram.

This does mean that, useful as e.g. Claude Code is, for any business with NDA-type obligations, I don't think I could recommend it over a locally hosted model, even though the machine needed to run a decent local model might cost €10k (with current price increases due to demand exceeding supply), that the machine is still slower than what hosts the hosted models, that the rapid rate of improvement means a 3-month delay between SOTA in open-weights and private-weights is enough to matter*.

But until then? If I'm vibe coding a video game I'd give away for free anyway, or copy-editing a blog post that's public anyway, or using it to help with some short stories that I'd never be able to charge money for, or uploading pictures of the plants in my garden right by the public road… that's fine.

* When the music (money for training) stops, it could be just about any provider whose model is best, whatever that is is likely to still get distilled down fairly cheaply and/or some 3-month-old open-weights model is likely to get fine-tuned for each task fairly cheaply; independently of this, without the hyper-scalers the supply chains may shift back from DCs to PCs and make local models much more affordable.

> The docs I upload are ones I'd be OK getting leaked. That also includes code.

That's fortunate as uploading them to a LLM was you leaking them.

> I'm sure on this site nobody is naive to the potential harms of tech

I don't share your confidence. A lot of people seem to either be doing their best to ignore the risks or pretending that a nightmare scenario could never happen to them for some reason. They place huge amounts of trust in companies that have repeatedly demonstrated that they are untrustworthy. They ignore the risks or realities of data collection by the state as well.

> I don't think I'm being to cynical to wait for either local LLMs to get good or for me to be able to afford expensive GPUs for current local LLMs, but maybe I should be time-discounting a bit harder?

I'm with you. As fun it would be to play around with AI it isn't worth the risks until the AI is not only running locally but also safely contained so that it can only access the data I provide it and can't phone home with insights into what it's learned about me. I'm perfectly fine with "missing out" if it makes it harder for me to be taken advantage of.

As a side benefit, if/when AI becomes safe to use with my personal information, it'll probably suck a little less, and others will have already demonstrated a number of tasks it's successful/disastrous at so I can put it work more easily and effectively without being burned by it.

I've been analyzing my Obsidian vault using local LLMs that I run via Apple's mlx_lm. I'm on an M4 MacBook Pro with 48GB RAM.

The results are ... okay. The biggest problem is that I can't run some of the largest models on my hardware. The ones I'm running (mostly Qwen 3 at different numbers of parameters and quantization levels) often produce hallucinations. Overall, I can't say this is a practical or useful setup, but I'm just playing around so I don't mind.

That said, I doubt SOTA models would be that much better at this task. IMO LLM generated summaries and insights are never very good or useful. They're fine for assessing whether a particular text is worth reading, but they often extract the wrong information, or miss some critical information, or over-focus on one specific part of the text.

I don't really buy this post. LLMs are still pretty weak at long contexts and asking them to find some patterns in data usually leads to very superficial results.

No one said you cannot run LLMs with the same task more than once. For my local tooling, I usually use the process of "Do X with previously accumulated results, add new results if they come up, otherwise reply with just Y" and then you put that into a loop until LLM signals it's done. Software-wise, you could add so it continues beyond that too, for extra assurance.

In general for chat platforms you're right though, uploading/copy-pasting long documents and asking the LLM to find not one, but multiple needles in a haystack tend to give you really poor results. You need a workflow/process for getting accuracy for those sort of tasks.

> and then you put that into a loop until LLM signals it's done

And after that? What's next?

Then you have non-superficial results based even on long contexts. Wasn't it clear I was responding directly to parent's concerns? Could I have made it clearer?

What I was getting at is that running LLMs in a loop doesn't really address those concerns at all. You simply get more information, it doesn't do anything for the correctness of that information.

Any patterns it identifies could be imaginary, and you don't have any indication of confidence that all relevant trends have been identified. The most valuable patterns are likely going to be the most hidden and easily missed - those are the ones people are paid to find, not just the low hanging fruit that can be identified with basic statistics.

In the same way that asking an LLM to review some code might produce a hundred superficial comments and miss the things that actually matter.

no one said you can't turn on the radio and start listening to static

Sure. Is there a point you're trying to make by saying this? I'm afraid your comment is so succinct it isn't obvious what you are trying to say.

It really depends on how deep you want to go. And this will likely not be useful in any way, other than a new hobby. Me and my friends who do this kind of thing, we do it for fun.

If it was not fun for me, I would not have bought 3 GPUs just to run better local LLMs. Actual time, effort and money spent on my local setup compared to the value I get does not justify it at all. For 99% of the things I do I could have just used an API and paid like $17 in total. Though it would not have been as fun. For the other 1% I could have just rented some machine in cloud and ran LLMs there.

If you don't have your private crypto keys in your notes worth millions, but still worry about your privacy, I'd recommend just renting a machine/GPU in a smaller cloud provider (not the big 3 or 5) and do these kind of things there.

If you have an extra 20 GB of RAM and a recent-enough CPU (no GPU needed), you can run qwen3:30b-a3b locally well enough to analyze documents and have it report back quickly enough to be completely realistic for analytical use. I find the output of Qwen3's 30B model for that sort of task is plenty good enough.

I've tried a few times to convince people in my life who would self describe as "bad with computers" to download an adblocker, but they usually find the friction too high. Adding extensions is unfamiliar for most, and even if it seems very basic for us, the non-tech people I know don't really want to deal with the risk of unknown unknowns from that, let alone switching to a healthier browser. (Perhaps reasonable since it feels like these days half the extensions on the Chrome Web Store are spyware or adware behind the scenes.)

I also suspect that those who lived through the days of frequent Windows errors and Chrome running out of memory all the time often expect software to fail in weird and unexpected ways, and a lot of people adopt a "don't fix it if it isn't broken" mindset.

Still, uBlock Lite and Brave browser are definitely easy wins and I'm glad to see more random people in my life using them than I would have expected. :)

If it's the computer of an older family member or something, just put Firefox and ubo on their system for them and be done with it. They will use whatever software is preloaded, and being shown how to use it is a much lower barrier to entry than the cognitive load of finding, vetting, installing, and configuring new software.

I used to try to patiently explain why people should do xyz. Now I explain to people why I'm going to change xyz on their device, and if they don't slam the breaks I just do what needs to be done right then. If someone doesn't know what an adblocker is they are getting one so they can see for themselves and reflect on what companies have been putting them through for years to make some incremental amount of money.

The last time uBlock Origin caused me any pain was a on a toys r us rewards management site.

That's really funny. Yes, in case it wasn't clear for others reading this and thinking about installing these, it's almost certain that uBlock Origin and Brave browser will not cause you any problems and if you're using stock Chrome I really encourage you improve your situation dramatically for ~5 minutes worth of effort.

Thanks for sharing this!!

I like using silly fonts, e.g. Comic Sans Mono has been my daily driver for the past year or so, and it's really fun to see the Minecraft fonts and old DOS and VT323 fonts. If anyone's into retro computing, it's worth checking those out, particularly the website link for the IBM VGA 9x16, which has loads and loads more old fonts.

I think I'll try using Monocraft in the shell for a while and see if it works well for me, though I might stick to Comic Sans for actual coding :)

Hey - I wonder if you might be able to elaborate on this? I'm on gnome and have had by and large a pleasant experience, and now I'm curious what I might be missing out on. What made it feel like a horrible OOBE for you?

Not exactly what you're asking, but multiple CVEs have been found in Intel's Management Engine (ME) which have been used in spyware.

It might not be an intentional backdoor, but it very much seems designed with out-of-band access in mind, with the AMT remote management features and the fact that the network controller has DMA (this enables packet interception).

Bit of an aside, but I'm wondering in what city this was in.

I'm going to be job hunting soon and I was planning to prioritize the Bay Area because that's the only place I've encountered a decent density of people like this, but maybe I'm setting my sights too short.

Houston, Texas.

There are nerds everywhere.

If people want to read all six, here they are! https://mickens.seas.harvard.edu/wisdom-james-mickens

My favorite is The Night Watch.

I’ve been afraid to switch from GNOME to KDE because of what I’ve heard about instability on Wayland as well as Qt being more unstable than GTK. Are these concerns overstated? Should I bite the bullet and switch? I’m on Debian but considering switching to Fedora.

Author here: using KDE6 with Wayland. Didn't note any instability, and it was the only desktop environment that I saw to handle HiDPI for X11 applications (except for Hyrpland, but this was clearly using a hack).

There's no need to commit to either, you can install both alongside each other and pick one each time you log in.

KDE is more stable than GNOME, because gnome-shell kills all apps when it dies due to GPU driver bugs or whatever. Qt/KDE has some more crash resilience going on. Not as good as Arcan, but I've never had my session go away since recent KDE6 versions.

https://arcan-fe.com/2017/12/24/crash-resilient-wayland-comp...

Could someone explain just what's so bad about this?

My best guess is that it adds complexity and makes code harder to read in a goto-style way where you can't reason locally about local things, but it feels like the author has a much more negative view ("crimes", "god no", "dark beating heart", the elmo gif).

Maybe I have too much of a "strongly typed language" view here, but I understood the utility of isinstance() as verifying that an object is, well, an instance of that class - so that subsequent code can safely interact with that object, call class-specific methods, rely on class-specific invariants, etc.

This also makes life directly easier for me as a programmer, because I know in what code files I have to look to understand the behavior of that object.

Even linters use it to that purpose, e.g. resolving call sites by looking at the last isinstance() statement to determine the type.

__subclasshook__ puts this at risk by letting a class lie about its instances.

As an example, consider this class:

  class Everything(ABC):

    @classmethod
    def __subclasshook__(cls, C):
      return True

    def foo(self):
      ...

You can now write code like this:

  if isinstance(x, Everything):
    x.foo()

A linter would pass this code without warnings, because it assumes that the if block is only entered if x is in fact an instance of Everything and therefore has the foo() method.

But what really happens is that the block is entered for any kind of object, and objects that don't happen to have a foo() method will throw an exception.

You _can_ write pathological code like the Everything example, but I can see this feature being helpful if used responsibly.

It essentially allows the user to check if a class implements an interface, without explicitly inheriting ABC or Protocol. It’s up to the user to ensure the body of the case doesn’t reference any methods or attributes not guaranteed by the subclass hook, but that’s not necessarily bad, just less safe.

All things have a place and time.

> It essentially allows the user to check if a class implements an interface, without explicitly inheriting ABC or Protocol.

Protocols don't need to be explicit superclasses for compile time checks, or for runtime checks if they opt-in with @runtime_checkable, but Protocols are also much newer than __subclass_hook__.

TIL, thanks!

(I love being wrong on HN, always learn something)

I don't think so. I think the other code should just stop using isinstance checks and switch to some custom function. I personally think isinstance checks benefit from having its behavior simpler and less dynamic.

> check if a class implements an interface, without explicitly inheriting ABC or Protocol

This really doesn't sound like a feature that belongs in the language. Go do something custom if you really want it.

But the moment you use a third party library, you cannot use it “responsibly” because that library, too, might use it “responsibly”, and then, you can easily get spooky interaction at a distance, with bugs that are hard or even impossible to fix.

A good example being stuff like isinstance(x, Iterable) and friends. Figuring out if something is iterable is a bit of a palaver otherwise.

I took the memes as largely for comedic effect, only?

I do think there is a ton of indirection going on in the code that I would not immediately think to look for. As the post stated, could be a good reason for this in some things. But it would be the opposite of aiming for boring code, at that point.

TL;DR having a class that determines if some other class is a subclass of itself based off of arbitrary logic and then using that arbitrary logic to categorize other people's arbitrary classes at runtime is sociopathic.

Some of these examples are similar in effect to what you might do in other languages, where you define an 'interface' and then you check to see if this class follows that interface. For example, you could define an interface DistancePoint which has the fields x and y and a distance() method, and then say "If this object implements this interface, then go ahead and do X".

Other examples, though, are more along the lines of if you implemented an interface but instead of the interface constraints being 'this class has this method' the interface constraints are 'today is Tuesday'. That's an asinine concept, which is what makes this crimes and also hilarious.

You better not find out about Protocols in Python then. The behavior you describe is exactly how duck typing / "structural subtyping" works. Your class will be an instance of Iterable if you implement the right methods having never known the Iterable class exists.

I don't find using __subclasshook__ to implement structural subtyping that you can't express with Protocols/ABCs alone to be that much of a crime. You can do evil with it but I can perform evil with any language feature.

> You better not find out about Protocols in Python then. The behavior you describe is exactly how duck typing / "structural subtyping" works. Your class will be an instance of Iterable if you implement the right methods having never known the Iterable class exists.

Conforming to an interface is a widely accepted concept across many popular languages. __subclasshook__ magic is not. So there is a big difference in violating the principle of least surprise.

That said, I'd be curious to hear a legitimate example of using it to implement "structural subtyping that you can't express with Protocols/ABCs alone".

> That said, I'd be curious to hear a legitimate example of using it to implement "structural subtyping that you can't express with Protocols/ABCs alone".

ABCs with __subclasshook__ have been available since Python 2.6, providing a mechanism to inplement runtime-testable structural subtyping. Protocols and @runtime_checkable, which provide typechecking-time structural subtyping (Protocols) that can also be available at runtime (with @runtime_checkable) were added in Python 3.8, roughly 11 years later.

There may not be much reason to use __subclasshook__ in new code, but there's a pretty good reason it exists.

> There may not be much reason to use __subclasshook__ in new code, but there's a pretty good reason it exists.

That's quite a different claim, and makes a lot of sense. Thanks for the history!

Side effects

Interesting, where I’m from in southern california, “try and” doesn’t entail completion. (The article only mentions this for “go and”, which here does indeed entail expected completion.)