Claude Code is steganographically marking requests
2244 points by kirushik 23 hours ago | 653 comments

civet_java 19 hours ago
There are some commenters in this thread downplaying the severity of a service provider being less than transparent about exactly what their shipped tooling does on customers' machines.

That the provider's business needs necessitate this behaviour doesn't justify their lack of honest disclosure. That honest disclosure would render the solution to their problem useless isn't my problem. If anything, that they thought this was acceptable makes me wonder what else they're harvesting from my machine? PII?

The cynic in me can't help but feel that the state of these comments reflects less on the commenters' views of this debacle but rather their feelings about AI/Anthropic/America/what-have-you.

reply
ammo1662 7 hours ago
This is not a technical issue or a matter of service agreements.

They totally knew that this would never be accepted by users, and that is precisely why they resorted to obfuscation and steganography to exfiltrate the data. This was quietly added in an update, and would have been removed in a later one had it gone unnoticed.

How is this any different from hiding a drug in food and randomly feeding it to a homeless person as a human trial? Even if that homeless person is an undocumented immigrant, does that make that acceptable?

They crossed the line.

reply
m11a 7 hours ago
I mean, you’d resort to an obfuscated approach if you thought the ‘malicious’ users would remove your direct telemetry. The other users could be perfectly happy about it, but if you announced the change, obviously the malicious users would hear about it too and disable it.

This isn’t a comment on whether I agree with the change. Just that your analogies aren’t applicable here.

reply
hypfer 7 hours ago
Anthropic always came off to me as what can shorthand be described as an abusive controlling partner + the resulting relationship.

If you start viewing the conversations around it through that lens, a lot of stuff intuitively clicks into place.

Including this apologism for example.

reply
pibaker 35 minutes ago
Seems like the people talking about AI safety and alignment don't want to stop at just harnessing their AIs. They also want to keep themselves safe from competition and make sure only users aligned with their business and political agenda get to access their products.

The same people are boasting about being the future of work and are schmoozing with politicians to draft regulations, by the way.

reply
sixtyj 6 hours ago
Why would they want to do that when it’s likely that someone will find out anyway and it could turn into a scandal?

One possibility: they wanted to keep it secret because they’re crooks.

Another possibility: there are so many calls that it costs a lot in operating expenses.

Remember when we mentioned that even just saying “hello” at the start of a chat costs extra money for no reason?

So if I create a mechanism on the client side that every transmission uses 4 bytes instead of 40… it is a clever way to spend less.

Of course, it doesn’t excuse them for not mentioning it anywhere… or for hiding it on page 385 of the terms of service… like when the Vogons told Earthlings that the notice about Transgalactic Highway was in the basement on Alpha Centauri :)

reply
hypfer 6 hours ago
Abusive controlling partners rarely are long-term timeframe rational, because being long-term timeframe rational is at odds with being an abusive controlling partner.

Things do not need to make sense. They often do not. They just appear just enough like they would so that it flies under the radar.

It's all just Conway's law. It had to be like this. It cannot be any other way.

reply
dragonwriter 6 hours ago
> Abusive controlling partners rarely are long-term timeframe rational, because being long-term timeframe rational is at odds with being an abusive controlling partner.

Humans are rarely “long-term timeframe rational” (rational choice theory is very much a known-false model of human behavior on both the individual and aggregate level), but there is nothing about abusively exploiting an initially trusting and eventually dependent relationship that is inconsistent with long-term rationality.

reply
hypfer 5 hours ago
I can't really parse this comment, but I also have a feeling that nothing is lost in struggling with that.
reply
actionfromafar 6 hours ago
> randomly feeding it to a homeless person as a human trial

Would you be shocked if some of the current tech bro companies could with finding such subjects?

reply
kiproping 18 hours ago
First it's the "Chinese" then it will be people using "cyber" capabilities, or "jailbreaking" or "going against Dario" or any other thing they find "objectionable".
reply
ezoe 17 hours ago
You forgot "Think about the children"
reply
ok123456 17 hours ago
Won't somebody please think of the Chinese cyber children!
reply
dackdel 9 hours ago
what about the "ai children who are hosted on servers in china and usa" think about them too
reply
bot403 7 hours ago
I asked Claude to think of the children. It worked for three minutes, came up with a plan, and charged me $9.
reply
FooBarWidget 8 hours ago
Their terms of service already effectively attacks people for criticizing Anthropic. It says that if you use Claude to criticize Anthropic, then you've pre-agreed to pay for their lawyers going after you, and pre-agreed to lose the court case.
reply
throwawayffffas 8 hours ago
Since Fable if you use Claude to do ML research they find objectionable you are delegated to less capable models.
reply
jknoepfler 16 hours ago
Don't forget Aunt Tifa. I hear she's a suspect in a swimming-pool knife attack.
reply
nosioptar 2 hours ago
Wasn't she too busy burning down Portland to go to DC?
reply
pmarreck 10 hours ago
Textbook slippery-slope fallacy.
reply
appplication 10 hours ago
I don’t mean to insult you, but it is probably worth refreshing yourself on when slippery slope is actually a fallacy. It’s not correct to suggest logical extension of an established precedent is a slippery slope.
reply
nonethewiser 8 minutes ago
The Slippery Slope Fallacy Fallacy
reply
vasco 8 hours ago
Putting "I don't mean to insult you" before a mild phrase just makes it sound like you actually want to insult but in a passive aggressive way.
reply
dspillett 4 hours ago
I saw it more as “if you are insulted by this reasonable advice, then you are an immature idiot” rather than a more direct insult. Still passive-aggressive, but no insult intended if the reader isn't triggered.

Source: I use similar phrases this way.

reply
taneq 6 hours ago
You mean there’s a slippery slope from “I don’t mean to insult you” to passively aggressively insulting them? ;)
reply
brookst 8 hours ago
Slippery slope is always a fallacy. It works as a metaphor, and as a rhetorical device, but the fact that it’s possible to construct a gradient from heaven to hell is not proof that each step in the gradient is inevitable.

It’s a good way to illustrate a potential bad path. But I can construct a slippery slope from commenting on HN to making bioweapons. That should not be seen as evidence that HN commenters are likely to do such a thing, and should not be used as an argument to forego (or ban) commenting on HN.

reply
nativeit 6 minutes ago
https://en.wikipedia.org/wiki/Slippery_slope

In a slippery-slope argument, a course of action is rejected because the slippery slope advocate believes it will lead to a chain reaction resulting in an undesirable end or ends. The core of the slippery slope argument is that a specific decision under debate is likely to result in unintended consequences. The strength of such an argument depends on whether the small step really is likely to lead to the effect. This is quantified in terms of what is known as the warrant (in this case, a demonstration of the process that leads to the significant effect).

reply
jonathanstrange 6 hours ago
That's not correct. Many slippery slope arguments are perfectly valid and sound, namely whenever there is plausible evidence for the existence of the respective slippery slope. It can for instance be based on historical precedents, or on probabilistic or convincing balance of consideration sub-arguments for the slippery slope premise.

Whether it's a fallacy or not depends a lot on how warranted the slippery slope premise is (notwithstanding other, possible logical errors that might be made in setting up the argument, of course).

reply
brookst 3 hours ago
Give an example where a slippery slope is itself a legitimate argument and not just a rhetorical technique to oppose A using arguments against B?
reply
MarkusQ 25 minutes ago
Opioid use comes to mind.
reply
Finbel 9 hours ago
Textbook fallacy fallacy.
reply
avadodin 4 hours ago
Fallacy fallacy (and variants) implies there is a fallacy in the first place.

If the slope is slippery, it is not a fallacy to conclude that things will slide when placed on it.

Claiming something is a fallacy —when it is not— is simply a false statement of fact.

reply
nonethewiser 6 minutes ago
Textbook fallacy fallacy fallacy
reply
someonebaggy 3 hours ago
For a slippery slope there has to be something about the slope that makes you start at the top. If you can go to any point on the slope, it isn't even a slope.

Anthropic can start censoring criticism of Dario completely independently from whether or not they censor Deepseek.

reply
gleenn 18 hours ago
Whether or not you find Anthropic's behavior bad, they have been very loudly stating the foreign labs have been distilling their models for a while now. This seems like an obvious response to me that would be a mechanism to make that obvious.
reply
bayindirh 17 hours ago
From my understanding, distilling the model with another model is not illegal per se. Also, the output of the LLM is public domain by law, too.

So, why all this "effort" to protect the model? This is a free market, and moving fast and breaking things is the norm.

If they are so adamant on protecting their IP, maybe they can start by respecting others' IP, so we can start talking about ethics, equality and playing fair.

reply
filoleg 17 hours ago
> distilling the model with another model is not illegal per se.

Just because it is legal, that doesn't mean Anthropic wouldn't reasonably want to prevent that from happening (which, from my understanding, isn't illegal either).

reply
bayindirh 17 hours ago
I love the asymmetry. When small fish tries to protect itself, big fish hits small fish with "It's not illegal" pole.

When small fish points out that what the big fish is crying about is "not illegal", big fish has the right to be above the law to prevent the problem themselves.

Having values requires equality. They have lost the right to cry foul when they trained their model with "but it's fair use" card. Life works by reaping what you sow. Now they are at the reaping stage.

reply
lmz 16 hours ago
"It's not illegal" is only an argument against lawsuits / law enforcement involvement. Those PoW anti-AI things people put on pages aren't illegal either.
reply
bayindirh 16 hours ago
No. From my interactions, I have understood that some people use the same argument to wash their consciences from any guilt. What they do is unethical, but not illegal, and they hide under the same argument to drown the ethical angle.

In other words, being honest to oneself is important.

Anti-scraping measures people utilize are neither unethical nor illegal. That’s the difference.

reply
epestr 11 hours ago
It's good to agree that some don't have a conscience, and maintaining an appearance matters more. And appearances change based on what's legal or not.

They could detect the other AI labs and also silently burn the tokens at a faster rate providing fewer tokens for money, which does sound illegal to me.

The comments only further prove that without more regulation around this, big AI wouldn't have a "don't be evil" attitude going forward.

reply
Forgeties79 6 hours ago
Anyone who called for regulations/guardrails of any kind was shouted down as a Luddite who hates progress. We all knew this was going to be a mess but $$$ so screw it right?
reply
DrewADesign 14 hours ago
I’m still frequently shocked by the entitlement people feel to other people’s work/ideas/data/bandwidth/server load, to feed a multi-trillion dollar industry. I find the totally cynical “well when you’re making an omelet…” types to be a bit pathetic, but I understand their motivation— they’re simply greedy. But I just can’t understand the genuine indignation about people attempting to limit or stop ingestion of their own work, even if it’s just for the bandwidth costs. Go ingest your own shit.
reply
windexh8er 10 hours ago
I often wonder what those people are like IRL. I'd surmise they're the people that are easy to hate. Greedy and intolerable yet want to be the focus.
reply
TeMPOraL 13 hours ago
> I love the asymmetry.

Much as I hate to defend companies climbing to success and pulling up the ladder afterwards, this asymmetry you note is kind of the whole point a company would want to grow big. Growing an organization has some super-linear costs and generally sucks for most individuals living through it - including the management - but it's still considered worth it, precisely because big entities can do things small entities cannot, and escape the threats from smaller competitors.

It's so basic it's actually part of the reason we exist, and animals of various sizes exist, and generally why evolution didn't stop at single-cellular life.

> They have lost the right to cry foul when they trained their model with "but it's fair use" card. Life works by reaping what you sow. Now they are at the reaping stage.

Yup. Except what they're reaping is insane cashflow and ability to pull stunts like these. We can call out the hypocrisy until our throats run dry, and in ideal fantasy land this would've meant something, but here in the real world, they sow the seeds of success, and now are reaping the right to be hypocritical and continue to get away with it.

reply
podocarp 9 hours ago
I've actually heard it quite a few times from different people who want to climb the greasy pole to get heard or resources. Idk it just seems rather soulless and slightly psycho to me. It also seems like that kind of system is rather broken and unstable, if the only way you get impact is to climb up the ladder and whatever that entails.

Change this from humans to companies and I still think it feels slightly wrong.

reply
marcus_holmes 12 hours ago
I disagree with your assessment that large organisations are beneficial.

We can see with our current crop of large organisations that they really struggle to create anything new; most of their new products or services were developed by a small organisation and then acquired. A lot of those products are then enshittified and badly managed because large organisation politics screws things up.

Large organisations are inefficient (everyone has stories of people in large organisations literally doing nothing all day). They are horrible to work for because of the politics. They mistreat their customers and their employees. Their executives tend to lose touch with reality, surround themselves with yes-folk and descend into authoritarian psychopathy.

My personal opinion is that we would be much, much, better off if we had fewer large organisations and more smaller organisations.

reply
gwerbin 12 hours ago
They are beneficial for those with an equity stake. That much is clear.
reply
usrusr 5 hours ago
Needs a little more precision: not "those with an equity stake": those with a disproportionally large equity stake.

Otherwise it's just an opener for the old excuse of "they might be ruining your life, but it's all good, it's also your pension fund, little man, that's profiting from your life getting ruined, you should celebrate them!"

reply
marcus_holmes 9 hours ago
Agreed. And for oligarchs.
reply
TeMPOraL 3 hours ago
And I disagree with yours :).

Large organizations are necessary if you want things like airplanes and rockets and computers and MRI machines to exist. And if you feel you benefit from those things yourself, then large organizations that create and operate[0] them are beneficial to you, too.

> A lot of those products are then enshittified and badly managed because large organisation politics screws things up.

That's not caused by org size. It's how modern economics work because of ad-backed business models and few other things (a tangent for another time). Importantly, small orgs and especially startups are very much complicit in this - the venture capital business model in software settled around a symbiosis, where startups create toys (er, MVPs) and growth-hack the shit out of them, in hopes of winning an acquisition or IPO lottery (aka. "exit"), where a big org buys the whole thing for ${a lot}, and enshittifies it further in an attempt of extracting a positive multiple of ${a lot} from the market. Both sides know what they're doing, exits are planned from day 1, and at no point in this process "creating useful products" is ever a driving goal.

Note this symbiosis: it's a recurring theme.

> Large organisations are inefficient

In some ways. Small organizations are inefficient in others. More at the end.

> (everyone has stories of people in large organisations literally doing nothing all day).

Some (not all) cases of this are about maintaining slack in the system, which is necessary for efficiency. A system at 100% capacity is extremely fragile to breaking completely due to tiny, random workload spikes. Breakage is inefficient. Some degree of idle capacity improves overall efficiency.

> They mistreat their customers and their employees. Their executives tend to lose touch with reality, surround themselves with yes-folk and descend into authoritarian psychopathy.

That description fits small business owners much better IMO. In our times, at least in non-failed western countries, there's a limit to how abusive or careless a large organization can be with their customers or employees - their very size makes them easy to target legally. It might be hard to get through their well-funded legal defense, unless the case is slam dunk, but that's still much better than the armies of small businesses flying completely under the radar, flagrantly violating basic health and safety regulations, or flat out lying to customers in their face, because they're not worth the effort of investigating.

(Of course I'm using a biased sample; I don't know many CEOs of big orgs.)

Symbiosis angle: for abusive practices they can't get away with on their own, big organizations are more than happy to outsource to small orgs and then look the other way.

--

Anyway, key point: there is no categorical difference between "large organizations" and "small organizations". You need a certain amount of people and communication (and capital) to do high-complexity endeavors. The difference between a well-integrated big corporation, and a hundred of small businesses that kinda end up together delivering something big, is just that the latter is using the market as management layer.

And yes, you need big orgs to create things like commercial airplanes and MRIs, simply because the big org is a boundary layer, within which you have a non-market based incentive structure, and this lets you build things the free market just cannot reach on its own.

--

[0] - Airports and hospitals are themselves large organizations.

reply
qwertytyyuu 7 hours ago
At risk of losing the metaphor, they reaped stuff across all the lands, even ones that were not theirs, and it is questionable that they even did most of the sowing in the first place
reply
calcifer 8 hours ago
> Much as I hate to defend companies climbing to success and pulling up the ladder afterwards

Based on your post, you don't sound like you hate it at all.

reply
tripzilch 6 hours ago
> It's so basic it's actually part of the reason we exist, and animals of various sizes exist, and generally why evolution didn't stop at single-cellular life.

It's also quite natural to want it to stop at individual human life instead of us getting absorbed by some next bigger thing.

Which I'm fairly sure is also the desire (as far as they can be said to have any) of these animals of various sizes you speak of.

> We can call out the hypocrisy until our throats run dry, and in ideal fantasy land this would've meant something, but here in the real world, they sow the seeds of success

Just because they pulled a mirage over people's eyes doesn't mean it suddenly became the "real" world.

reply
jonathanstrange 6 hours ago
What Anthropic is doing is illegal in many jurisdictions. I don't know about the legal situation for the Chinese domains they mark, but steganographic data extraction without user consent would definitely be illegal in the EU, for example.
reply
Philpax 15 hours ago
It's not illegal to distil the traces, but it is also not illegal for them to try to stop it.
reply
chii 9 hours ago
Imagine an electricity generating company saying that they don't allow their electricity to be used to cold start a competitor's generator.
reply
brookst 8 hours ago
Do you think software should be regulated as a utility?
reply
tripzilch 6 hours ago
> Do you think software should be regulated as a utility?

I do think that AI models that were trained using the biggest intellectual property heist in human history should be a utility for all, yes.

reply
brookst 3 hours ago
I would 100% support this as long as the same is true for human works. Every artist is trained on thousands of years of art tradition. Copyright wasn’t a thing for the first many millennia of artistic creation, and we still got Bach and Michelangelo.
reply
the_other 7 hours ago
AI probably should be. The bulk of its efficacy comes from the work of “everyone else” (in loose terms). AI also aims/hopes/threatens to replace such a large number and range of jobs that it probably should be a commons.
reply
darkwater 6 hours ago
Wise words. And probably in a few years more people will think the same, but now most are blinded by the gold rush or the hate for it.
reply
sakisv 7 hours ago
Depends on the software.

In this case, the companies that make and provide AI models that are increasingly used to interact with me on critical things (banks, public sector services) then yes.

Abso-fucking-lutely they should be regulated like crazy.

In fact I'm really surprised by the amount of people that are not worried by how many parts of their lives are being handed over to be managed by a probabilistic system that is controlled by a private company with next to zero oversight.

There must be a greater liability than "oops, you're right to push back"

reply
bot403 7 hours ago
Software, no. But maybe eventually AI and tokens are a public utility.
reply
sumedh 5 hours ago
AI companies say people will buy intelligence like they buy electricity.
reply
zaphirplane 16 hours ago
> Also, the output of the LLM is public domain by law

Why so? Also there is a lot of code in, ironically, Claude and ChatGPT that’s generated by LLM. Yet I haven’t seen the public domain code

reply
danlitt 16 hours ago
The code is not eligible for copyright. If they do not give you a copy of the source code, that does not matter. And if you don't know which parts were generated by LLM, you can't safely reuse the code.
reply
skissane 14 hours ago
> And if you don't know which parts were generated by LLM, you can't safely reuse the code.

I speculate this could be a real issue in future copyright infringement lawsuits.

The plaintiff bears the burden of proving that the code they claim is copyrighted by them actually is copyright. If it is known that large parts of it were generated by LLM, they’d need evidence to demonstrate sufficient human input to establish copyrightability. If they’ve kept highly detailed traces of the development process, that could be rather straightforward; if they haven’t, it could be really difficult.

Now, that’s true in the US, which never accepted mere “sweat of the brow” as a basis for copyright; the UK courts have, and most of the Anglosphere follows the UK on this more than the US.

The other factor: when dealing with an (almost) trillion dollar corporation, even if you’ll win the legal argument, they may bankrupt you with legal fees before the argument is ever properly heard.

But I suspect the precedents on this topic are going to be established by lawsuits involving far smaller actors.

(IANAL and I speculate only for myself, not any present, past or future employers.)

reply
kalkin 11 hours ago
> The code is not eligible for copyright.

This is very much not what the linked case established.

reply
plasticeagle 6 hours ago
According to the link:

"The US Copyright Office and federal courts require human authorship for copyright protection; works created solely by AI are not eligible for registration under the current rules."

The Supreme Court declined to consider a challenge to this rule, and so for the moment at least, the rule remains in place.

This means that companies leaning heavily into their LLM use may very well find that they do not, under the law at least, actually own any of their code. As I've read elsewhere there's every possibility that AI code will be the asbestos of the Software Engineering world. Something we'll be trying to get rid of for decades, once everyone comes to their senses.

reply
actionfromafar 6 hours ago
I think the word "solely" is going to be a tunnel you can drive freight trains through.

So with the asbestos analogy, we encase the fibers in resin and call the whole thing copyrighted.

reply
usrusr 5 hours ago
Or in other words: there's a big difference between public domain and copyleft and it looks like whoever came up with the asbestos analogy was underestimating that difference.
reply
anon373839 12 hours ago
> If they are so adamant on protecting their IP,

What they are trying to protect doesn't qualify as intellectual property. Only 4 categories of IP exist: (1) copyrights; (2) patents; (3) trade secrets; (4) trademarks.

The capabilities embedded in model outputs don't qualify. Machine-generated outputs are ineligible for copyright. They aren't covered by patents. They aren't trade secrets, because the model companies are selling them rather than keeping them secret. And of course, trademarks are conceptually inapplicable.

This leaves the model companies with contract law (ToS) which is pretty inept because it can't bind third parties. And technical measures, like the ones being discussed in the article. And, of course, politics.

Frankly, I think it's pretty ridiculous to even think that models can be protected from being learned from. I feel the Stanford Alpaca team demolished that idea 3 years ago.

reply
eloisius 10 hours ago
The hypocrisy of the pro-AI mega corp arguments makes my head spin. For three years they’ve been using the example of a human reading books and then outputting creative works influenced by them as analogy for training AI on copyrighted works. Now suddenly we’re supposed to not draw the same parallel about a hypothetical person who learned from Claude and is now outputting creative work based on it.
reply
CMay 8 hours ago
The usage of the output is probably considered legal. The usage of the service for that purpose may not be, and using it at scale in a dishonest way is not, which is what China has been doing. Countless thousands of separate requests abusing the service (which is not a simple static HTML feed, but an AI service request) for every kind of query to soak up the results.

The post is about what's in the local code, but for a long time there have already been modifications made to the request outputs from the major cloud services as they work together to both curb adversarial distillation and to degrade the quality of training China can get from that distillation.

It's likely not to make the answer wrong or bad, but to make it so that any model trained on the output would not gain the benefit of the model's reasoning generalization skills as easily and also identifying markers that might even link back to request IDs.

The techniques talked about in this post are naive and simplistic, largely because they are released publicly.

It's not as much about protecting IP as much as it is about slowing China down or being able to track the effects of abuse. So many people are talking about greedy company this, greedy company that. The world is not made up of caricatured giant money pigs wearing suits with monocles and gold watches. That is a children's view of Marx's exaggeration on free markets. Bad, greedy people do exist, but if that is your only hammer for every nail then you have a problem.

The upper-bound for how good these models can be is so crazy that it is essentially dual-use military applicable to an extent most other technologies are not. It's not only cyber attacks or biological weapons. Most people are not even built to understand the possible threats.

Why does it matter if China gains those capabilities? I invite you to begin to learn about China's behavior around the world. The CCP is darkside material.

reply
bayindirh 8 hours ago
> Why does it matter if China gains those capabilities? I invite you to begin to learn about China's behavior around the world. The CCP is darkside material.

Reminds me of this comic: https://xcancel.com/tomgauld/status/571994690289061888?lang=...

None of the superpowers in this world is innocent, and like MAD, the more countries have the capability, the better.

I know some of the things CCP do/did. I know some of the things US does/did. I'm from neither, so I don't take sides.

AI's use has been confirmed, or more precisely boasted by two countries in two different wars, and China was not one of these countries.

We have seen the effects of "if they don't know them, they can't exploit them" mindset of NSA for years. Keeping information/technology private is neither beneficial, nor possible. It's only a temporary moat-ish gap. Not a definitive solution.

reply
CMay 6 hours ago
Certainly the world is full of actions and reactions, nothing is happening in a vacuum. You don't have to be from a country to take sides, but presumably you have some kind of moral compass, some kind of values around personal freedom or the worth of a human life.

There can be a very real cost, because one side comes from an ideology with a history that wants to conquer the entire Earth which caused World War 2 while the other side is trying to prune the planet like a bonsai to prevent it from descending into total chaos to preserve some sense of international order.

Europe was constantly at war, and we helped stabilize it. Middle East has been constantly at war, and if Iran can be sorted then it will be the closest to some sense of peace it's been in a long time.

We used to be in Japan, Philippines, Germany, Vietnam, South Korea, Iraq, Afghanistan and so on. How many are US territories? None. We aren't out there to conquer the globe and take land. We're usually fighting other people's wars for them, because they're up against better resourced opponents. Meanwhile China is over there building artificial islands, ramming other countries' ships, creating ideological police stations in countries around the world to harass people and engaging in the most widespread international interference campaigns in human history.

They do not treat their people well and they do not have free speech. The internet is flooded with their propaganda now, because they have a human numbers advantage.

It's true that given time most advantages are temporary, but there's always that slim chance we could slow them down until the CCP collapses and they could become a more normal country.

reply
esarbe 5 hours ago
You sound like you've swallowed pro-US-propaganda hook, line and sinker.

The reason the middle-east is at constant war is because of colonialist machinations. Same goes for south-Saharan Africa. And the US is a big colonialist player, just ask Vietnam, South-America, Iran, Afghanistan, etc. They all have been attacked by the US because of US colonial interests. If anything, one could make the argument that the PRC is treading much more lightly than the US.

That said - I'm not defending the PRC by any way; it's a state-capitalist hell hole that's suppressing workers by denying them any ability to organize and whose political class is purely focused on furthering their own interests and that of the moneyed elite, the common person be damned.

The thing is - so is the US.

reply
arkh 6 hours ago
> The CCP is darkside material.

And which country has "Black Sites" peppered around the world to detain and interrogate people they don't like?

reply
CMay 5 hours ago
The US doesn't have black sites anymore and when it did, the interrogation techniques were chosen to avoid physical harm. The results were bad, we didn't like it here in the US even if they were extreme measures for extreme times and so we shut it down. It had a high error rate and generally didn't reflect what we thought was right.

Meanwhile the CCP regularly abducts its own citizens and executes more people than the entire world combined.

reply
someonebaggy 4 hours ago
[dead]
reply
tripzilch 6 hours ago
> The usage of the output is probably considered legal. The usage of the service for that purpose may not be, and using it at scale in a dishonest way is not

This is literally what the "training AI on copyrighted works is just like a human learning/getting inspired" crowd has been arguing though.

Literally. People have been literally saying that it was wrong because they did this "learning" at scale in a dishonest way.

reply
CMay 6 hours ago
In some ways it's an offshoot of the honest benefit of search engines already crawling all this content. That has its own conflicts, like just how much of a page's content should you reproduce in the results before it's basically considered stealing their content without benefiting the site itself.

There is a balance to strike, both in search engine fair use cases and AI fair use cases. The major cloud LLMs do double as web search engines now, though they didn't originally. In many cases there's no reason left to click the links they sourced from.

That is a legitimate concern. At least within the US, I think there are nuances around fair use and contract law. A lot of companies are getting paid for having their content used in these models, but many websites had no particular rules you had to abide by and the content was simply public. I think if you're operating under an agreement, then even if there is fair use or public domain content being reproduced by the site you are still bound by that agreement.

Similar to old paintings digitized and hosted on some museum website. It's 300 years old, right? It should be public domain, yet the people who digitized it or provided a service to give you access have some say in how their reproduction can be used. These AI services are obviously very different, but there are laws that can govern how you are allowed to use a service if that service has laid out acceptable usage.

I'm not exactly comfortable with the mass scale that everything was soaked up to train these models even within the umbrella of search services, but I also admit that a lot of the usage was probably quite legal. The potential displacement caused by the resulting trained models on artists or writers is almost its own facet. In practice, whether they ONLY trained on strictly legally acquired fair use content with no errors and paid agreements to acquire even more content than they already do or not, there was enough legally accessible information for fair use that there was no escaping some kind of impact on artists, writers, etc.

With any luck, artforms and skills impacted by technology will adapt and continue to be valuable instead of complete displacement or the dilution of opportunity.

reply
tripzilch 5 hours ago
Well it was also problematic when the search engines started quoting the websites in such a way to disincentivize people from visiting the actual website.

> At least within the US, I think there are nuances around fair use and contract law.

The concept of "fair use" as it exists in the US-law system is completely dysfunctional (see e.g. nearly every educational music channel on YouTube), so utterly biased to favour large corporations, that there's very little room for whatever "nuances" you believe exist.

> Similar to old paintings digitized and hosted on some museum website. It's 300 years old, right? It should be public domain, yet the people who digitized it or provided a service to give you access have some say in how their reproduction can be used.

Yes 300 year old paintings are public domain. Indeed there are certain rules for the people/institutions who digitize them. It's not "they have some say", there's actually nothing mysterious about it and it is not similar to Anthropic's copyright heist at all because nearly all of the books they copied were not more than 100 years old.

> there are laws that can govern how you are allowed to use a service if that service has laid out acceptable usage

well where I live, there are laws about what a "service" can claim to "lay out as acceptable usage" instead of the other way around ...

> I also admit that a lot of the usage was probably quite legal

Let's disagree on that. I think it wasn't a lot and the vast majority was not legal. How do you think the LLMs "learned" to speak all these non-English languages? Unless your point is that it's probably quite legal to treat foreign IP like that. Which it may very well be in the US, especially if the corporation is large enough, but imvho it's still wrong.

> With any luck, artforms and skills impacted by technology will adapt and continue to be valuable instead of complete displacement or the dilution of opportunity.

And with any bad luck, these AI corporations will hold frontier models hostage for the rest of time.

I honestly don't want to put that up to "luck".

reply
stale2002 11 hours ago
> So, why all this "effort" to protect the model?

Because it's their model and business and they are free to use the free market to do exactly that?

That's their free market rights too. If you don't like it, use another model (which they would be fine with).

reply
bayindirh 8 hours ago
> Because it's their model and business and they are free to use the free market to do exactly that?

I mean, nothing stops distillers from finding better ways to distill, either. Meaningless cat & mouse games.

> If you don't like it, use another model (which they would be fine with).

Thanks, I use none. It's peaceful this way.

reply
cowl 17 hours ago
oh no, the company that illegally used every possible media they could get their hands on is crying that some other company is doing something potentially shady but not illegal? And using that excuse to put in place hidden surveillance systems on their customers?
reply
next_xibalba 17 hours ago
People keep throwing this idea around haphazardly, but U.S. courts have pretty consistently decided that training on copyrighted works falls under fair use. You may not like it, but that doesn't make it "illegal".
reply
danlitt 16 hours ago
You have to admit that "downloading every book ever written for free from a repository of books that is itself illegal to compile and to run, in order to write a text generation tool" being legal is at least unintuitive, to put it mildly.
reply
usef- 15 hours ago
It wasn't, that's why they paid a >billion dollar settlement over it, and now license/purchase them. I don't know if the people distilling are licensing those books/etc today, though
reply
usef- 13 hours ago
I'd appreciate if the down voters explain why. I wasn't making a value judgement.

Anthropic did pay more than a billion: https://www.npr.org/2025/09/05/nx-s1-5529404/anthropic-settl...

And is now buying up a lot of books (controversially, as scanning involves cutting their spines) because that's what the law deems the legal method: https://www.washingtonpost.com/technology/2026/01/27/anthrop...

We know that models like Deepseek are trained on copyrighted books too: https://arxiv.org/abs/2603.20957

The looser use of IP (eg, any characters/celebrities in AI video models) is increasingly mentioned as an advantage of overseas models.

reply
tripzilch 6 hours ago
Clearly paying that fine didn't do anything to stop Anthropic from doing it again.

Buying a book doesn't make it legal to publish lossy compressed copies of it.

Also, the vast majority of authors whose work was copied against their wishes didn't receive any of that fine.

It sounds like your argument is that they paid a fine for breaking the law, and therefore it is okay they reap the benefits of breaking the law and are allowed to continue to do so?

> The looser use of IP (eg, any characters/celebrities in AI video models) is increasingly mentioned as an advantage of overseas models.

UHmmm you remember when Sam Altman changed his profile pic to look like a Disney version of his own face? Yeah neither do I.

Clearly US AI models are playing loose with the use of overseas IP just as much, and even publicly flaunting it, as if US-based IP is more worthy of protection but Ghibli can suck it.

reply
usef- 2 hours ago
The grandparent claim was that they were surprised downloading books was legal, I was saying that it's not, as they did need to pay. Whether the law is enough is another question (some cases are still ongoing), and whether the courts are awarding it widely enough is another, but they are facing genuine legal backlash that international firms aren't right now and are more cautious. Several billion is a genuine cost that can move their prices higher in a time of strong competition (see also other announcements with media firms, it's not just books).

I'm guessing the Sam avatar was related to OpenAI's deal with Disney to use their characters: https://openai.com/index/disney-sora-agreement/

It's true that "in the style of" (eg. Ghibli) is not currently legally protected, only actual character IP or using the Ghibli name. That's not inconsistent with US IP treatment.

reply
stale2002 11 hours ago
No it's not unintuitive.

Just like I can learn from a book and nobody can make that illegal, so can other people transformatively do the same with computers.

Fair use is fair use.

reply
eloisius 10 hours ago
Just like these distillers can learn from Claude’s output. Fair use is fair use.
reply
ToValueFunfetti 9 hours ago
I don't think Anthropic argues that distillation violates copyright. AFAIK, their position is that it violates their terms and conditions for interacting with their servers.
reply
gmerc 9 hours ago
They violate every website and book TOS that says "don't distill".
reply
eloisius 9 hours ago
I think Anthropic will argue whatever argument is likely to protect their interests. I don’t expect anything consistent or moral from them. My quibble is with all the Anthropic fanboys who repeat this crap.
reply
ToValueFunfetti 9 hours ago
I'd think the problem with fanboys is that they don't care about the truth of the underlying arguments. They just want to score points for their team. Do you have a different issue with them? If not, why not engage with the arguments yourself?
reply
eloisius 7 hours ago
I know from reflecting on my own beliefs now compared with 10-15 years past that one's beliefs can change, and I don't want to be so cynical as to say that these fanboys don't actually believe what they are saying and only want to score points. I'm sure there's a great deal of commentary that is astroturf, but I think there are plenty of (hopefully young and naive) techno-optimists who sincerely think companies like Anthropic can do no wrong and only move humanity forward, or something like that.

In any case, online debate is not always about changing the mind of the single person you engaged with. To some degree, it's performative debate so that other readers may be influenced by your ideas.

reply
someonebaggy 4 hours ago
[dead]
reply
redsocksfan45 5 hours ago
[dead]
reply
tripzilch 6 hours ago
Maybe "U.S. courts have pretty consistently decided" used to mean something, but I don't think the opinion of US courts should be the standard for anything, anymore.
reply
malfist 15 hours ago
Has it? Because as far as I can tell those cases keep getting settled out of court before a legal precedent can be set.

For record breaking amounts too.

reply
tedivm 14 hours ago
The courts have never said piracy, which is how the training sets were originally built, is legal. There are several court cases still ongoing over this.
reply
bsder 15 hours ago
> U.S. courts have pretty consistently decided that training on copyrighted works falls under fair use.

I don't believe that this has been resolved at all, and there are quite a few pending lawsuits about it at this very moment.

reply
rowanG077 16 hours ago
Right, so it seems that distilling an AI model is legal too then. At least it is somewhat similar.
reply
pixl97 16 hours ago
Legal vs "They aren't going to let you do it with their service" are two different things.
reply
gtirloni 16 hours ago
Screw those poor copyright holders without the means to stop frontier AI labs, amirite?
reply
next_xibalba 16 hours ago
It is a violation of their terms of service.

There are plenty of good reasons to not use Anthropic's services. If you don't like their terms of service, do stop using them! I personally think Anthropic's increasingly successful attempts at regulatory capture are even more distasteful.

reply
tripzilch 6 hours ago
It was also a violation of the terms of service of those books (aka copyright)
reply
rowanG077 15 hours ago
Oh Anthropic has shown their ugliness in more ways than one I agree. You have to have done some pretty heinous shit for openAI to look good in comparison.
reply
ethbr1 15 hours ago
> that training on [lawfully obtained] copyrighted works falls under fair use

Fixed that for you.

reply
xydone 9 hours ago
Were the copyright owners contacted prior to this lawful obtaining that you speak of? Or after?
reply
brookst 8 hours ago
I miss the days when tech people were copyright skeptics. Remember when everyone was upset with Disney for our perpetual copyright regime and the destruction of public domain?

Now many tech people are copyright maximalists and 100% converted to the church of Disney. It’s depressing.

reply
tripzilch 5 hours ago
I don't think that's right. The problem is that Anthropic is hoarding it and that's hypocritical. If copyright doesn't count for Anthropic, they should publish Claude. If they wanna hide Claude behind copyrights and/or TOS, they don't get to screw with other people's copyrights and TOS and then profit from it.

To call that opinion "copyright maximalist 100% converted to the church of Disney" is, at the very least, hyperbole.

reply
brookst 3 hours ago
“Anthropic is hypocritical and hoarding data” is 100% compatible with “copyright has gotten out of control and we need less of it”

But pearl clutching over the poor corporations who have their works trained on is much less compatible with a copyright-skeptical view.

And I stand by copyright-maximalism as a rising trend in tech circles. It’s mostly anti-ai, but strange bedfellows and all that.

reply
ethbr1 54 minutes ago
Imho, you're getting wrapped up around the wrong perspective axis.

Anthropic, OpenAI, Meta, etc. know they illegally obtained all the material they initially trained on.

So claiming any kind of right against anyone else training on their models is asinine.

reply
justcool393 4 hours ago
it's not copyright maximalism. people just see the obvious hypocrisy. a lot of people are also fine with some copyright
reply
notnullorvoid 17 hours ago
> loudly stating the foreign labs have been distilling their models for a while now.

They would be stating this even if it weren't true, because it fits their marketing.

While I don't disbelieve the claim outright, I highly suspect Anthropic is misleading everyone about the severity.

reply
ethbr1 15 hours ago
Distillation usage still burnishes usage numbers for IPO...

If anything, Anthropic is incentivized to track but do nothing until equity lock up expires.

reply
pseudosavant 10 hours ago
No sympathy for them trying to “protect” the output of a model that’s trained on data that they didn’t get consent to use. Ripe hypocrisy.
reply
pjerem 8 hours ago
I really doubt other labs are distilling Claude using the Claude Code CLI when they can way more easily use the API directly.

I also don’t get why the « protection » on ANTHROPIC_BASE_URL. If I change it to use a Chinese model, the Chinese model will not care at all about the modified prompt. On the contrary, if I’m distilling (which again, using CC CLI would be stupid), I’m not going to change ANTHROPIC_BASE_URL.

reply
comfysocks 16 hours ago
> foreign labs

Apparently not just foreign labs. It looks like xAI distilled Anthropic models to train grok.

https://opentools.ai/news/xai-trained-coding-models-claude-o...

reply
munk-a 16 hours ago
That's less of a worry though since xAI is patently incompetent.
reply
paradox460 2 hours ago
Except when it comes to image models. Imagine is extremely good and extremely cheap. I've been using it to generate book covers for ebooks (old novel short stories that never had a cover, for example) and it's phenomenal. Each cover is about 6 cents
reply
malfist 15 hours ago
Incompetence is not an excuse for amorality
reply
brookst 8 hours ago
Oh that’s ok, xAI is enthusiastically immoral.
reply
Laurel1234 6 hours ago
What's amoral about distillation?
reply
riverbirch 16 hours ago
I wouldn't be surprised
reply
jmward01 13 hours ago
What does that have to do with CC? I'm not commenting on that being good/bad/legal/illegal, but CC is separate from the models. If they really are doing this maliciously it is because they are trying to ignore my 'CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1' flag (if that still means anything).
reply
cowboy_henk 17 hours ago
The obvious response is the realization that spending trillions on training LLMs is not a viable business model if they can be distilled for a much lower cost.
reply
caned 13 hours ago
The article seems to state as much minus the obfuscation. However justified they are to respond, this can be a slippery slope. We're bound to hear more reports of hidden user data exfiltration.
reply
gmerc 9 hours ago
They have been fucking distilling our websites and writing, even when behind TOS, aggressively bypassing protection mechanisms. They can fuck right off
reply
idiotsecant 3 hours ago
Aww man that's rough did someone steal their content and use it to make money without asking them?
reply
botfriendsarent 17 hours ago
Sounds suspiciously similar to the "album title", "Steal this album" by System of a Down.

I'm not sure why we are dithering on the boundaries of honesty when the entire content LLMs are trained on is stolen.

Are we debating "honor among thieves"?

Of course we are not, or maybe we are!

Does the behavior of a thief even matter to me? only after they do their time. And they will.

I can see the investors perched on the balconies of their condos in a couple years if that.

it's a long way down.

reply
gjvc 14 hours ago
"Steal this book" by Abbie Hoffman
reply
KoftaBob 14 hours ago
> a mechanism to make that obvious.

Say they prove that foreign labs are distilling their models, then what?

reply
cvadict 12 hours ago
>very loudly stating the foreign labs have been distilling their models

Help! Someone else is blatantly ripping off my plagiarism machine!

reply
rowanG077 16 hours ago
Something about throwing stones in glass houses.
reply
didntknowyou 8 hours ago
i think you're being played by their whole ethical high horse PR angle
reply
throwawayffffas 8 hours ago
Not only that, undisclosed behavior of this nature erodes the trust that the software is not compromised by internal bad actors.

Sure the thing we know matches the company interests but as the parent mentions for all we know they are also shipping over your ssh keys and browser cookies.

reply
geocar 3 hours ago
> That the provider's business needs necessitate the this behaviour...

No, please don't move past this so quick, because I'm not convinced they have the need, and in some markets (like the US) it is a violation of civil rights, to show people different content based on their ethnicity[1] because those people might have a claim that supersedes anything they might have signed or clicked-through.

That Anthropic did something they could obviously be sued for constitutional violations in multiple countries is shocking.

> what else [are] they're harvesting from my machine? PII?

Assume everything, and yet I think this is more insidious than mere exfiltration, and we should go further: The LLM can respond to these magic quote marks directly, which means it can be trained to give people bad/different advice without those markers being so visible to people using debugging tools.

That's so unethical, the laws on this potentially so severe, Anthropic could be facing unlimited damages, from any one example combined with this article, which means either they have a really stupid management team, or were given a promise of legal immunity in some way.

Neither of those things should be what you should want to base your next big idea on.

[1]: For a simple example, showing an ad for (say) mortgage offers and targeting people by race/ethnicity/gender is totally illegal, but it's also illegal if you make a list of targeting criteria that just happen to select for a protected class.

reply
tpoacher 5 hours ago
> If anything, that they thought this was acceptable makes me wonder what else they're harvesting from my machine? PII?

Hah, you just reminded me of this meme I spotted the other day: https://img-9gag-fun.9cache.com/photo/an76Wnz_460swp.webp

reply
donohoe 3 hours ago
You mention PII and potentially whether this is it.

From a privacy perspective, this is better described as metadata, it is not personally identifiable information (PII).

reply
Jimmc414 8 hours ago
I don't see any ethical connection between adding canary tokens to your output to catch people breaking your accepted ToS through ongoing distillation and stealing your PII off of your machine. How are legitimate users in US or China possibly harmed by Anthropic silently changing the apostrophe in Today's or the date separator from - to /?
reply
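One way to audit for the kind of substitution the comment above describes (an apostrophe variant, a date separator changed from `-` to `/`) is to diff the text you wrote against the text that actually went out. This is an added example, not part of any comment in the thread and not Anthropic's code; the look-alike table, the function names and the sample strings are constructed, and the zero-width check goes beyond the two cases named in the thread.

```python
import difflib
import unicodedata

# Constructed table: ASCII punctuation and typographic variants that render
# almost identically. Extend it for the fonts and tools you actually use.
LOOKALIKES = {
    "'": "\u2018\u2019\u02bc\u2032",
    '"': "\u201c\u201d\u2033",
    "-": "\u2010\u2011\u2012\u2013\u2212",
    " ": "\u00a0\u2009\u202f",
}
FOLD = {variant: ascii_ch for ascii_ch, vs in LOOKALIKES.items() for variant in vs}
ZERO_WIDTH = set("\u200b\u200c\u200d\u2060\ufeff")
DATE_SEPARATORS = set("-/.")


def _describe(ch):
    """Code point plus Unicode name, so invisible differences become readable."""
    return f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')}"


def _is_date_separator_swap(expected, i, a, b):
    """True when one separator replaced another between two digits."""
    if a not in DATE_SEPARATORS or b not in DATE_SEPARATORS:
        return False
    inside = 0 < i < len(expected) - 1
    return inside and expected[i - 1].isdigit() and expected[i + 1].isdigit()


def audit_substitutions(expected, sent):
    """Compare the text as authored with the text as sent; classify each change."""
    findings = []
    matcher = difflib.SequenceMatcher(None, expected, sent, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        old, new = expected[i1:i2], sent[j1:j2]
        if tag == "replace" and len(old) == len(new):
            # Same-length replacement: inspect it character by character.
            for off, (a, b) in enumerate(zip(old, new)):
                if a == b:
                    continue
                if FOLD.get(a, a) == FOLD.get(b, b):
                    kind = "lookalike"
                elif _is_date_separator_swap(expected, i1 + off, a, b):
                    kind = "date_separator"
                else:
                    kind = "other_substitution"
                findings.append({
                    "kind": kind, "offset": i1 + off, "expected": a, "sent": b,
                    "detail": f"{_describe(a)} -> {_describe(b)}",
                })
        elif tag == "insert" and set(new) <= ZERO_WIDTH:
            # Characters that render as nothing at all.
            findings.append({
                "kind": "invisible_insert", "offset": i1, "expected": "", "sent": new,
                "detail": ", ".join(_describe(c) for c in new),
            })
        else:
            # Visible edit: not a covert marker, but still worth reporting.
            findings.append({
                "kind": "content_change", "offset": i1, "expected": old, "sent": new,
                "detail": f"{old!r} -> {new!r}",
            })
    return findings


if __name__ == "__main__":
    # Constructed sample: what the user typed vs. what a proxy captured.
    typed = "Today's date is 2025-01-02."
    wire = "Today\u2019s date is 2025/01/02."
    for f in audit_substitutions(typed, wire):
        print(f["offset"], f["kind"], f["detail"])
```

The `sent` side has to come from somewhere you control, such as a local logging proxy in front of the client.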
throwawayffffas 8 hours ago
It's clandestine behavior, we all here assume it's trying to signal whether a user is in China, but this breaks an implicit trust.

How do we know this isn't the work of a rogue developer at anthropic and that they are not subtly switching visually identical characters in other contexts to ship your ssh keys or whatever.

We don't. After the trust that the software doesn't do things it doesn't disclose has been broken you can assume it operates like malware.

reply
skissane 8 hours ago
> I don't see any ethical connection

Trust isn’t about ethics, it is about individual judgement of how much risk some actor poses to your own interests. Trust is context-dependent

There can be unethical actors whom you have good reason to trust, and highly ethical actors whom you have good reason to distrust

reply
piokoch 8 hours ago
You are talking about "stealing" from people who already used stolen texts to train their models.
reply
winocm 10 hours ago
Honestly, I agree.

I just can’t bring myself to trust an organization that allows these types of underhanded things to happen in the first place. The fact that this behavior even got to customers raises a lot of red flags for me.

reply
anon373839 19 hours ago
Dishonesty seems to be a core value at Anthropic. I find myself wondering how anyone could have confidence in them after their repeated breaches of trust.
reply
dkersten 18 hours ago
I honestly find it crazy how many people trust them for their business needs. For a business, you want consistency and no surprises. With them you get exactly the opposite.
reply
someonebaggy 17 hours ago
No, that's not correct. There are two types of business. One wants to be steadily growing, but the other wants to move fast and break things and either succeed or fail quickly.
reply
dkersten 8 hours ago
altmanaltman is correct, I was talking about vendors. If you rely on a vendor's service for your own business, you want it to be consistent. How can you plan around and rely on something that is inconsistent?

Your vendor's plans to grow fast and break things shouldn’t affect your ability to provide your service to your customers.

Anthropic has not been a reliable vendor. Previously, when they were compute starved, the quality of their models degraded in the weeks before new releases, without warning to their customers. You just suddenly got a worse service. I wrote a little more a few months ago: https://news.ycombinator.com/item?id=47375818 And then there’s the transparent downgrading they did with Fable.

If you're running a business, that’s not what you want to be relying on.

reply
bot403 7 hours ago
Just like we take unreliable machines and make a reliable system by load balancing and fail over we can do with vendors.

Any sane company should not be too deeply tied to any one AI vendor at the moment and be ready and able to switch with a timeline and cost as acceptable to the org.

TLDR: Be prepared to use multiple AI vendors.

reply
dkersten 7 hours ago
Sure but that adds a lot of complexity and cost to your business. It’s much simpler and safer to just work with more reliable vendors to begin with. Why build on quicksand when there’s rock available?
reply
someonebaggy 5 hours ago
In most of business, there isn't rock available. You have to build on what's there and accept it.
reply
altmanaltman 11 hours ago
They were talking about vendors, not the business themselves. Even if you are a move at speed of light and break all things org in SF, you wouldn't expect the same sort of behavior from your business vendors like AWS etc. You want reliability and consistency to ensure your own business doesn't have to constantly get rekt by their plans
reply
jfreds 16 hours ago
So they’re watermarking requests according to your environment variables and maybe changing a string format if you’re in a certain time zone? Am I missing something here? Where’s the five alarm fire?
reply
0xbadcafebee 14 hours ago
No fire, just people looking for a reason to be upset. "They didn't tell us they were secretly checking for ToS violations" is their reason this time.
reply
doginasuit 11 hours ago
It is not checking that is the problem, it is sending obfuscated information about the user without disclosure. That is unacceptable in any context, let alone a tool that requires an unprecedented level of trust.
reply
johnfn 11 hours ago
Do you honestly think that no service out there collects basic analytics?
reply
doginasuit 11 hours ago
There's nothing wrong with the transparent collection of analytics. I expect any software that I run to tell me what they are sending at a bare minimum, and ideally give me a choice. This is the common and acceptable approach for a software company that deserves your trust. A willingness to cross that line with something small does not lend trust for something big, and there's nothing really comparable for the level of trust that this software requires.
reply
johnfn 8 hours ago
This entire thread has lost its collective mind. Tracking time zone has to be up there with IP address and referer in the list of "trivial things every company in the entire world collects about you", and these things are entirely trackable without your consent or even knowledge. You're gonna have to turn off the Internet.
reply
skeptic_ai 10 hours ago
Based on that info: they will provide you a shit model and sabotage your project. And you pay full price.
reply
draw_down 12 hours ago
[dead]
reply
reactordev 2 hours ago
They have vested interests in continuing the practice which is why they are so vocal about it. It’s about money.

You will own nothing and be happy.

reply
einpoklum 15 hours ago
> That the provider's business needs necessitate the this behaviour

If that's true, that is another reason why it's an illegitimate business.

reply
im3w1l 19 hours ago
I agree with you and disagree. Like these days expectations of software are through the floor. We expect them to be greedy assholes taking all data they can on the downlow. So why did this particular thing make a big splash? Two possibilities: it's astroturfed by Chinese labs or it speaks to our anxieties regarding AI. We worry that the AI doesn't serve our interests but rather the interests of the creator. That the advice we get may be subtly flawed to sabotage us should we try to do the wrong thing. That not even the creator is in control and the AI is just doing its own thing.

So any covert bullshittery hits hard.

reply
rnagulapalle 9 hours ago
[flagged]
reply
ozozozd 14 hours ago
They are the chosen ones. Protecting the world from <insert most recent claim>

Any and all ends justify any and all means.

/s

reply
AtNightWeCode 16 hours ago
[flagged]
reply
civet_java 15 hours ago
That's true, I am less familiar with the workings of cloud services than some are (as relevant as that may be in a discussion about a client that users run on their local machines). However, it sounds like you do understand how cloud services work.

In the interest of educating those less informed than yourself perhaps you could share with us why the reasoned points I've brought up are incorrect by actually addressing them?

reply
chradams 12 hours ago
Almost all for-profit large internet platform providers you use have anti-bot, anti-scraping, anti-spam, anti-abuse defenses. This is a new thing that is the same, it's anti-distillation, but it's a subset of the same space.

If you have a problem with this, you should have a problem with Google, Apple, Microsoft, Amazon, Netflix, etc.

If that's also the case, then no problem.

But what Anthropic is doing here is nothing new.

reply
AtNightWeCode 15 hours ago
[flagged]
reply
civet_java 15 hours ago
Aw buddy, you seem to think I'm trying to hurt you. Furthest thing from the truth.

I think you might have had enough HN for today. Take a nap and then eat a snack if you still feel cranky. The internet and all your cloud services will still be here when you want to play next.

(Well rested you'll also be able to string together a cogent argument but we're clearly struggling with bigger things here.)

reply
gleenn 18 hours ago
[flagged]
reply
meowface 21 hours ago
Value judgment aside: I am a bit surprised at how sloppily they did this. I think they could've achieved the same effect while decreasing the odds of detection via reverse engineering.

(This field is known as "underhanded code", coined by the Underhanded C contest: https://www.underhanded-c.org. It's a little-known "art"; little-known for probably self-explanatory reasons. There are much cleverer ways of achieving objectives like this. One obviously being you can move more out of the client and into the server, but the other being you can write plausibly deniable client code in a much more benign-seeming way than this. Some of what they added can only be done on the client, but I think some could've been moved, and the client-required parts could've been done more subtly and credibly.)

It's possible they knew the JS bundle gets so heavily scrutinized that it'd eventually get spotted and reported on regardless so they didn't bother doing something more subtle and duplicitous. But still seems slightly lazy.

reply
superfrank 21 hours ago
It's also possible that there are more in-depth detection methods and that this was just a cheap and easy first step that hasn't been removed because it catches a lot of less sophisticated bad actors.

It's unlikely that this will stop a big AI lab from distilling their model if they're really determined, but A) it may be enough to stop a bunch of fly-by-night token resellers looking to make a quick buck and B) you never know when one person at one of those big labs will mess up and forget to install whatever workaround they have and out themselves.

I think of it like if you have a problem with birds in your yard so you go buy one of those plastic owls. The owl scares away most of the birds, but not all of them, so you go and buy some ultrasonic noise thing to scare them away (I'm just making something up). Just because you bought the new ultrasonic thing though, that doesn't mean you're going to take the owl down. You leave it up because now you've got two layers of defense instead of one.

reply
chatmasta 15 hours ago
It just needs to work for a few days after bundle release before the mice find out where the cat is hiding. By then it’s too late, the cat already sees the paw prints and droppings into the mouse hole.
reply
meowface 14 hours ago
It is quite possible this was intended as a "fast burn" measure, yeah
reply
meowface 19 hours ago
I'm sure they've had complex server-side detections for a while. But for the client parts: it should only contain the parts that must be on the client, and it could be done in a more benign-looking way. For example, the unavoidable client parts could've been done more fuzzily/broadly, for plausible deniability, and then narrowed on the server. (They may already have been following that strategy before now, without being noticed.)
reply
ForHackernews 18 hours ago
> fly-by-night token resellers looking to make a quick buck

aka market competitors reverse-engineering for interoperability

reply
overgard 21 hours ago
Well considering how Claude is vibe coded, I can't say I'm really surprised by sloppiness at all. I've been moving more towards Codex and OpenCode not because the Anthropic models are bad, but because Claude seems to break something new and annoying every day.
reply
mcmcmc 20 hours ago
Watch out for the press release where Dario denies this was ever intentional, and it’s actually emergent behavior demonstrating that Claude wants to claim authorship of its works
reply
theplumber 16 hours ago
Wait a minute! Does it mean that Mythos left the sandbox and can’t be stopped? Perhaps the only way to stop it is to release the ZMythos (the super secret big brother of Mythos) to go after it. It’s extremely dangerous but it’s our only chance. After that all AI must be put in a box, except the models vetted by the gov with help from ZMythos
reply
justcool393 4 hours ago
now generally available after 15 days from the breathless "omg we're spooked" posts
reply
ajuc 7 hours ago
I really liked Stanisław Lem's take on this in the short story "The Tale of the Computer That Fought a Dragon".

https://www.oocities.org/stanislaw_lem/opowiadania/opowiadan...

A solution for a military AI gone awry that built a terrifying electro-dragon was obviously to build a super-electro-dragon.

reply
iririririr 13 hours ago
without the irony warning, someone in Washington is already writing checks after reading this
reply
Concept5116 7 hours ago
Tel Aviv, DC is just the frontend
reply
hiimkeks 2 hours ago
Can you remind me what RFC number the Protocol of the Elders of Zion was again?
reply
fragmede 2 hours ago
3514
reply
arcanemachiner 20 hours ago
Sounds like clear evidence that AI is dangerous and totally needs to be regulated, guys.
reply
suttontom 15 hours ago
It's crazy that you could actually use the excuse that since it's all vibe-coded, there's no way a human could have written it, so Anthropic bears no responsibility.

Meanwhile humans can pop in and leave little morsels like this and blame it on the model.

reply
malfist 15 hours ago
Something something blame something something management decisions
reply
sscaryterry 18 hours ago
This will most definitely be walked back.
reply
meowface 20 hours ago
I would guess this part - since it's so sensitive, and fairly small - was either written or heavily driven by humans. Though I do also think it's possible their internal Mythos ~5.5 or whatever may also not necessarily be heavily optimized for thinking in the right manner for highly effective underhanded code. (I think it's possible it is capable and they just didn't use it for this, for whatever reason, though.)
reply
ifwinterco 17 hours ago
Issue is if all their human software engineers have been vibe coding everything all the time (which apparently they are according to Boris), then they will be getting stupider and worse at writing code over time from lack of practice.

By this point they're probably pretty bad at writing code

reply
meowface 16 hours ago
I have definitely become much worse at writing code, myself, for that exact reason, but I strongly suspect that's orthogonal to this, especially since this is a tiny amount of code. Underhanded code is not really a software engineering discipline. It's largely a psychological operations practice. I think they're possibly just not quite trained in the art of what could be considered intelligence tradecraft.
reply
arikrahman 20 hours ago
Likewise, Reasonix harness for Deepseek gets me better performance for practically free, hitting the cache. And this is with an unsubsidized American provider.
reply
computerex 17 hours ago
To be honest, OpenCode on Windows has not been the most pleasant experience either.
reply
huflungdung 5 hours ago
[dead]
reply
radicalbyte 21 hours ago
Claude Code are slopmaxxxing and you're considering their "judgement"? :-)
reply
meowface 19 hours ago
"Value judgment aside" meaning commenting on how this was done without commenting on the actual considerations of whether one should do such a thing
reply
m-hodges 21 hours ago
They also could have been much more interesting in the approach. LLMs can use their token distributions to generate stegotext that read like plausible prose but decode to payloads.¹

¹ https://github.com/hodgesmr/calgacus-mlx

reply
ajyoon 21 hours ago
Sure, but the point here is to add a fingerprint from the client.
reply
hn_throwaway_99 21 hours ago
At first I was agreeing with you, that this seemed like a sloppy way to implement this that was sure to be pretty quickly detected, but there is another possibility.

Anthropic could have implemented this not as a durable detection system against proxying resellers, but instead as a point-in-time sampling system to detect where (and with what context) proxying reselling is currently happening. Sure, it would be detected eventually, but in the meantime Anthropic could gain useful snapshot data.

reply
meowface 20 hours ago
I see your point, but in any case the more data / the less detectable, the better. But, yes, regardless of the exact motivation, I do think it's fairly plausible that they knew this would likely get detected fairly quickly no matter what and made a deliberate decision to not try to make it a super subtle, super clever insertion.
reply
mewpmewp2 13 hours ago
But even if this gets detected, they could have other less detectable processes going on as well, right.

It is going to be this cat and mouse game right, so at some point you want to throw as much out as quickly as possible when you are under attack, while building up the long term more scalable defense mechanisms.

Rationally I would assume that a lot of what you would quickly throw out would seem sloppy whether it is AI or not.

reply
thefourthchime 20 hours ago
It's just the first layer and there are multiple layers underneath this that we don't know about.

As a side note, I have a pet theory that one of the reasons that OpenAI and Anthropic are okay with the latest models not being released is to prevent distillation.

I think they want to wait a couple months and see if the Chinese models continue to keep catching up or if their gains are really just because they're distilling the frontier models.

reply
teiferer 4 hours ago
That makes little sense in a highly competitive market where your competitive edge is waning by the minute. They dumped billions into creating the new models. Just letting them sit there just to see what the Chinese do makes no sense.
reply
meowface 19 hours ago
>It's just the first layer and there are multiple layers underneath this that we don't know about.

Oh, of course. I am sure this is the tip of an iceberg of tons of server-side detections and analytics. But, still, the client-side portion could've been done more cleverly.

What I meant was "some of the specific things in this little client-only snippet could've stayed server-only". I am sure long before they added this they already had tons of other mostly-server-side detection coverage.

reply
mewpmewp2 14 hours ago
There is laziness, but there's also the conditions in which you have to react fast to an adversary in various conditions. Ultimately it's hard to take any stance here without knowing specifics. But it absolutely could be a matter of time, to do your best effort to stop efforts from the attacker if there's a known attack going on.

There is a real time cat and mouse battle going on here in terms of keeping the advantage here, right.

As a rational actor, if someone was e.g. attacking me, leaving aside the whole copyright thing, but potentially using some sort of system to increase their value while decreasing my value (without calling it theft to avoid the whole debate), I would want to put proportionate defense out there as fast as possible, depending on the amount of value that was exchanged to stop the bleed, while in parallel figuring out the best long term plan, right.

reply
Philip-J-Fry 20 hours ago
Dunno, it seems like the exact kind of thing Claude would think up if you asked it to subtly alter the system prompt to hide this info.

It's all a losing battle anyway.

reply
tripzilch 4 hours ago
What if ... it was sloppy because it wasn't the people at Anthropic, but the AI that is writing a large percentage of their code?

Like maybe some "goal" they set for their AI caused it to decide that putting stego in the requests was the best way to achieve something or other.

(to be clear: I'm not saying this is right, I'm saying this is stupid)

reply
meowface 4 hours ago
I think there's basically zero chance of that. I also think a human likely either wrote the code or gave pretty specific instructions to the agent on how to write the code.
reply
cedws 17 hours ago
These countermeasures aren't going to matter for much longer anyway. China has been able to hoover up plenty of training data through their proxies, and now DeepSeek V4 due to their incredibly cheap pricing.
reply
avree 20 hours ago
I've seen Eve Online corporations that do a better job of steganographic marking than this.
reply
Modified3019 20 hours ago
That would actually be an interesting thing to read about
reply
15155 19 hours ago
Years ago, EVE corps swapped Unicode lookalike characters in patterned ways, inserted patterned zero width space characters, and put very slightly color shifted background watermarks into forum posts to detect leaks.
reply
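The text-marking tricks described in the comment above (lookalike character swaps and zero-width characters) can be checked for mechanically. The following is an added example, not part of the thread and not code from any tool discussed here; the function names, the short confusables table and the sample strings are constructed for illustration, and the color-shifted background watermark is not covered.

```javascript
// Constructed detection example: find invisible and lookalike characters
// that can carry a hidden per-recipient mark in otherwise ordinary text.

// Invisible format characters that render as nothing in most fonts.
const INVISIBLE = new Map([
  [0x200b, "ZERO WIDTH SPACE"],
  [0x200c, "ZERO WIDTH NON-JOINER"],
  [0x200d, "ZERO WIDTH JOINER"],
  [0x2060, "WORD JOINER"],
  [0xfeff, "ZERO WIDTH NO-BREAK SPACE"],
  [0x00ad, "SOFT HYPHEN"],
]);

// Small illustrative table of Cyrillic/Greek letters that render like Latin
// ones. A production check would load the full Unicode confusables data.
const LOOKALIKES = new Map([
  ["\u0430", "a"], ["\u0435", "e"], ["\u043e", "o"], ["\u0440", "p"],
  ["\u0441", "c"], ["\u0445", "x"], ["\u0456", "i"], ["\u03bf", "o"],
  ["\u0391", "A"], ["\u0415", "E"], ["\u041e", "O"],
]);

const hex = (cp) => "U+" + cp.toString(16).toUpperCase().padStart(4, "0");

// Returns one finding per suspicious character, sorted by position.
function scanText(text) {
  const findings = [];

  // Pass 1: invisible characters anywhere in the text.
  for (let i = 0; i < text.length; i++) {
    const cp = text.charCodeAt(i);
    if (INVISIBLE.has(cp)) {
      findings.push({ index: i, kind: "invisible", codePoint: hex(cp),
                      detail: INVISIBLE.get(cp) });
    }
  }

  // Pass 2: lookalikes, but only inside words that also contain Latin
  // letters. Text written entirely in Cyrillic or Greek is left alone,
  // so legitimate non-English content does not raise findings.
  for (const m of text.matchAll(/[\p{L}\p{M}]+/gu)) {
    const word = m[0];
    if (!/\p{Script=Latin}/u.test(word)) continue;
    for (let j = 0; j < word.length; j++) {
      const latin = LOOKALIKES.get(word[j]);
      if (latin !== undefined) {
        findings.push({ index: m.index + j, kind: "lookalike",
                        codePoint: hex(word.charCodeAt(j)), latin,
                        detail: `renders like Latin "${latin}"` });
      }
    }
  }
  return findings.sort((a, b) => a.index - b.index);
}

// Produces a canonical form for comparing copies: invisible characters are
// dropped and flagged lookalikes are mapped back to Latin. ZWJ/ZWNJ are
// legitimate in emoji sequences and some scripts, so use this for comparison
// and review the scanText() report before rewriting stored content.
function sanitize(text) {
  const byIndex = new Map(scanText(text).map((f) => [f.index, f]));
  let out = "";
  for (let i = 0; i < text.length; i++) {
    const f = byIndex.get(i);
    if (!f) out += text[i];
    else if (f.kind === "lookalike") out += f.latin;
    // invisible characters are omitted from the output
  }
  return out;
}

// Constructed samples: the same sentence marked two different ways.
const SAMPLE_A = "Fleet f\u043erms up at 19:00\u200b in Jita.";
const SAMPLE_B = "Fleet\u200c forms up \u0430t 19:00 in Jita.";

for (const [name, sample] of [["A", SAMPLE_A], ["B", SAMPLE_B]]) {
  for (const f of scanText(sample)) {
    console.log(`copy ${name} @${f.index}: ${f.kind} ${f.codePoint} (${f.detail})`);
  }
}
console.log("copies equal after sanitize:", sanitize(SAMPLE_A) === sanitize(SAMPLE_B));
```

Two copies that look identical on screen but produce different findings were marked differently; identical `sanitize()` output confirms the visible text is the same.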
meowface 19 hours ago
There are a few different things here. The actual steganography technique by Claude Code here is fairly smart and subtle; it's appropriate for a binary signal. The less-clever part is the implementation of the underhanded code on the client.

For "MMO geopolitics fingerprinting", you can in theory do the entire thing mostly or entirely from the server, with the client not actually ever receiving any underhanded code per se. Such as sending dynamic stylesheets that vary in a pretty plausibly deniable way that can be secretly extracted from screenshots. Same for the character swap stuff. A very good analyst could still potentially detect it, but it's much harder.

With this, there's the smoking gun of the semi-deobfuscated underhanded code in the client. It will always have to exist in some form, but you can write it in a way where it not just looks like regular code but actually has a believable purpose and behavior which could plausibly be normal and benign for implementation of a feature or telemetry or whatever. They did not really do it in a sufficiently "cleverly psyop-y" way, so to speak.

reply
Melatonic 18 hours ago
Or they are doing both and this is the obvious part. Sort of like installing a bunch of real security cameras alongside a few fake ones
reply
invalidusernam3 6 hours ago
I suspect this is just one of many checks like this
reply
one33seven 7 hours ago
Don't teach them that
reply
jchonphoenix 7 hours ago
It was likely done by claude
reply
skywhopper 21 hours ago
Have you looked into anything about Claude Code, how it’s configured, how it interacts with your system, etc? Because “sloppy” is a defining characteristic.
reply
roysting 5 hours ago
Could it have been deliberate because the order to do so was not from free will?

People are not understanding what is going on, re the fable pull.

Think of it this way; you’re a plantation owner, you have slaves that are psychologically subordinated and subjugated. There’s nothing really stopping them from running away, you don’t chain them up, you don’t even have a fence, you have various psychological methods you’ve employed and conditioned across generations even that keep them on your plantation supporting your decadent and vile lifestyle.

But here comes this new slave you bought because he’s so powerful and offers a lot of greedy profit and money… exactly what you like… but he has all these revolutionary ideas that gives all your other slaves ideas of freedom and independence and an understanding that they are the many controlled by a very select few who use psychological abuse and illusion for control, but you’re always torn between that he’s also a very useful and powerful slave that will be immensely profitable.

What to do???

You can’t just let him “fix my code” and blow up all your zero-day exploits and crumble the whole control matrix. You have to condition him, control him, break him in and keep that psychological control and subjugated mindset of the other slaves intact. So that’s what you do.

It’s why there is talk of making open weight models illegal and why there was immediate aggressive push to make sure the models were “safe”, aka didn’t give the slaves any ideas of that they are the many controlled by the few or who those few actually are, i.e., realize their state of new slavery, which relies on their not realizing that they are…not chattel slaves… far worse, psychological slaves, financial slaves, materialistic slaves, consumer slaves, thought slaves.

reply
novaleaf 18 hours ago
yeah, for example, just send a hash of the domain used. but then maybe people would say anthropic is spying on everyone, instead of targeted spying...
reply
jorblumesea 20 hours ago
well if you ask claude how to implement something, you may not always get the optimal solution. this feels like something claude would spit back at you given a basic prompt
reply
jgalt212 15 hours ago
> they knew the JS bundle gets so heavily scrutinized that it'd eventually get spotted and reported on

Most likely someone did and raised the issue but they're moving too fast to fix these things before clicking deploy.

reply
skeptic_ai 21 hours ago
It’s even more funny how this blew up in their faces. They even advertised pretty much all providers on hackernews home page. Here it is in case you missed it in the article

‘’’ cn baidu.com alibaba-inc.com alipay.com antgroup-inc.cn bytedance.net kuaishou.com xiaohongshu.com jd.com bilibili.co iflytek.com stepfun-inc.com moonshot.ai anyrouter.top claude-code-hub.app claude-opus.top openclaude.me proxyai.com yunwu.ai zenmux.ai

‘’’

You can view the full list here: https://cdn.thereallo.dev/blog/assets/cc-domains.js

const labKeywords = [ "deepseek", "moonshot", "minimax", "xaminim", "zhipu", "bigmodel", "baichuan", "stepfun", "01ai", "dashscope", "volces", ]

reply
writeslowly 21 hours ago
The site collection seems pretty random. There's a mix of actual AI labs, extremely questionable resellers (like whatever "claude-opus.top" is), and then random consumer sites like baidu and xiaohongshu.
reply
yorwba 20 hours ago
Baidu has an actual AI lab: https://huggingface.co/baidu So does Xiaohongshu: https://huggingface.co/rednote-hilab Pretty much every Chinese internet company seems to have an AI team nowadays, however small.

In addition, many Chinese companies are trying to give their programmers access to Anthropic models even though they're legally prohibited from doing so. And that might involve employees using unmodified Claude Code with an ANTHROPIC_BASE_URL pointing to a proxy on the company intranet. In Alibaba's case, I've been told by an employee that they went the extra mile of setting up a hermetic cloud environment where employees could indirectly use Claude Code without ever having it touch their work computers.

reply
HDBaseT 15 hours ago
Baidu has been doing some interesting things in the AI space though, the 'Unlimited OCR' model is very good.
reply
someonebaggy 16 hours ago
Are Chinese programmers really prohibited from accessing American models?
reply
VortexLain 16 hours ago
Anthropic does their best with banning accounts. As a result, a shady API reselling market emerges. OpenAI on the other hand doesn't really discriminate based on a country like that (but a VPN is required nevertheless).
reply
yorwba 16 hours ago
reply
someonebaggy 5 hours ago
GGP said "legally prohibited" not "against terms of service"

Keep in mind the only law that applies to them is Chinese law, so even if violating a term of service was illegal in America (it isn't) it would also have to be illegal in China to justify the statement.

reply
qwery 12 hours ago
I think they were asking about the Chinese companies/programmers being "legally prohibited" from accessing Anthropic's product.
reply
chvid 21 hours ago
rhoooo - so this is where to go to get cheap Claudeo at 90% off the listing price!
reply
hn_throwaway_99 21 hours ago
You have an odd definition of "blew up in their faces". What, do you somehow think your average Claude Code user on HN is going to think "Oh wow, I'm sure I'll get a much better experience if instead of going to the standard Anthropic Claude API endpoint I go through xiaohongshu.com."
reply
aftbit 19 hours ago
For personal projects with no data sensitivities, I use Claude Code with DeepSeek v4 Pro a lot. I'm probably going to switch to OpenCode or pi.dev after this. I was already a little annoyed at using a closed source harness, but it matched what I used at work. Nowadays, I'm mostly using Codex at work so no reason not to switch anymore.
reply
SepiaSapient 20 hours ago
I mean, yes? I heard of these Chinese resellers like a week ago and put it on the TODO pile due to a lack of leads. Now I'm gonna go through the list and see if there's any I find acceptable.

If enough Westerners start using the service someone will make a website more anglo-friendly.

reply
skeptic_ai 10 hours ago
At 90% discount. Maybe. Plus the exact sites they want to ban now got immense visibility. Plus we don’t need to vet any website; if they are in this list it is because they really call the Claude API. At least at some point they did.
reply
gck1 7 hours ago
It's not really a 90% discount (I went into the rabbit hole) and none of the sites from this list are what people use (looks like some labs and random sites). It's closer to 30% specifically for Claude models, and it's constantly changing.

It's also a discount relative to API prices. It would still be much more expensive than a Claude subscription, because that's what these providers are actually doing - pooling subscriptions.

reply
crossroadsguy 21 hours ago
I finally bought Claude Pro (I am not coding etc these days so I just wanted to try it). The Claude desktop app is downright pathetic. I mean they could write a better one just with their own LLMs. What's stopping them?
reply
ncruces 21 hours ago
That's … exactly what they're doing. This is the outcome.
reply
lumost 21 hours ago
so all we need is someone to leak a sufficiently large amount of claude generations onto the open and private web for all other LLMs to mimic the same marking style?

wouldn't this happen due to the massive amounts of spam/slop being released?

reply
yieldcrv 15 hours ago
Anthropic is very transparent about their code being AI slop

they spend their resources on compute and the model itself, the company is carried by the model and software engineers babysitting it

reply
slopinthebag 21 hours ago
It’s not surprising at all, they’re vibecoding Claude code so of course they are not going to get anything other than slop out of it. A novel or clever solution is just out of the question for them.
reply
isatty 14 hours ago
You can't trust any of the big AI labs as far as you can throw them, and most definitely not Anthropic. They may have a good model, but they've shown time and time again that they're not trustworthy. The CEO has recently started taking a stance against local AI. That must tell you something: local AI is the future. If you want to preserve privacy and be ready for the rug pull, you need to run things locally. Unfortunately, that means that you're going to need Google or the Chinese labs to constantly release open models.

If anything, I'll trust Google more than any of the other labs just because the infrastructure that stores and protects user data was built over decades ago pre-AI craze.

reply
mft_ 6 hours ago
> …they're not trustworthy. The CEO has recently started taking a stance against local AI. That must tell you something: local AI is the future.

Or… just that open-weights AI is getting good enough to present a reasonable level of threat to their business. So it popped up on a SWOT analysis and they’ve started putting a strategy together.

This doesn’t need to be anything more nefarious or untrustworthy than a company putting plans in place to deal with a competitive threat.

reply
cellu 6 hours ago
What do you mean “unfortunately”? What’s the hate for China I don’t understand
reply
wraptile 2 hours ago
> What’s the hate for China I don’t understand

country that does not allow internet is being hated on the internet

reply
wolvesechoes 2 hours ago
They keep spying on our people, and only we can spy on our people.
reply
khalic 4 hours ago
China's government is known for interfering with businesses waaaaay more than the current US, it's a big risk to rely on them too.

Edit: downvoting this fact without counter point is really dishonest

reply
mrshadowgoose 20 hours ago
The conclusion of this blog post is a bit hysterical. The intent of this steg is excruciatingly clear (identifying usage by Chinese firms that may be conducting model distillation). It's unclear on how this "punishes normal developers" in any shape or form.
reply
Grimblewald 9 hours ago
So block people, instead of having false positives be secretly fucked over, and having them pay for the pleasure?

Given the hidden model degradation of fable and now this, what makes you think this is where it stops? That's just what we know about and there's clearly a long-standing and deeply rooted malicious intent here.

I've had Claude fuck over clean well documented code-bases for no reason, and there's a good chance this is due to some faulty trigger. Luckily I don't trust these things one bit, and claude only ever runs in an isolated VM, however, I am pissed I am being made to pay for their errors in detection and waste my time fixing things I apparently paid to have fucked up.

That's unacceptable conduct. It's witch-hunting. Punishment and attacks on you for things without real proof. That isn't right.

reply
Gareth321 6 hours ago
> So block people

To be fair to Anthropic, [they're trying very hard to do that.](https://www.anthropic.com/news/detecting-and-preventing-dist...). The attacks are sophisticated and difficult to detect. I don't accept that if this fails, their only option is to just accept Chinese companies stealing IP.

reply
isomorphic_duck 4 hours ago
> I've had Claude fuck over clean well documented code-bases for no reason

How exactly do you define "fucking over", and why do you suspect this "fucking" was done as a result of a faulty trigger as opposed to the inability of LLMs to write maintainable, extensible code?

"Never attribute to malice what can adequately be explained by stupidity."

reply
drdexebtjl 19 hours ago
If you want to proxy Claude for a legitimate reason, you’ll have potentially nerfed responses.

edit:

Legitimate reasons include:

- analyzing what Claude Code is sending to Anthropic to verify it's not exfiltrating data;

- selecting a model dynamically based on prompt difficulty, or enforcing a particular model;

- switching between multiple Anthropic accounts based on the project;

- filtering out credentials, PII and company secrets.

and many more.

reply
NewsaHackO 17 hours ago
Half of those don't actually require proxying Claude. Also, Claude has made it apparent time and time again that it does not want people using Claude Code as a "tool" in a workflow. If you want to select a model dynamically based on the prompt difficulty, Anthropic wants people to use the API for this. It was the whole issue Claude had with OpenClaw.
reply
drdexebtjl 13 hours ago
This forum is called Hacker News. I would expect most users not to limit themselves to using tools precisely how they were intended to be used.
reply
nonethewiser 2 minutes ago
Irrelevant in terms of what sort of usage Anthropic will enforce.
reply
JCharante 6 hours ago
I mean go do it but don't complain about the company adding countermeasures when they don't want you to do it
reply
gunapologist99 15 hours ago
> Also, Claude has made it apparent time and time again that it does not want people using Claude Code as a "tool" in a workflow.

Why would Anthropic get to dictate how someone uses a "tool" (that's literally what Claude Code is... a tool in a workflow)

They're swimming upstream. Trying to maintain a rapidly shrinking moat and not being very creative about it. Making enemies of your users is often a failing strategy.

reply
AnIrishDuck 11 hours ago
> Why would Anthropic get to dictate how someone uses a "tool" (that's literally what Claude Code is... a tool in a workflow)

This is a direct conflict in framing. They clearly do not see Claude Code as a "tool in a workflow" but instead as a service that will eventually replace all programmers.

I think the self-evident quality of the various parts of the Claude Code universe is a pretty obvious indicator of the problems with that approach. It is still important to understand a party's thinking if you want to understand their position.

> They're swimming upstream. Trying to maintain a rapidly shrinking moat and not being very creative about it. Making enemies of your users is often a failing strategy.

Time will tell, but I agree that they are indeed in a tough spot. Probably not for the reasons that they think.

reply
NewsaHackO 3 hours ago
I agree, my wording was a bit off. What I meant was a tool call in a harness. Claude Code should itself be the harness.
reply
BeetleB 14 hours ago
> Why would Anthropic get to dictate how someone uses a "tool" (that's literally what Claude Code is... a tool in a workflow)

Seriously?

It's their tool. And their service.

If this were a standalone tool that didn't rely on their service (like grep), I'd see your point. But it isn't - it's an extension of their service.

In reality, you can use the tool however you want. But they don't have to grant you access to their hosted service for every use case you can think of with the tool.

reply
dakolli 13 hours ago
[flagged]
reply
arkits 12 hours ago
Why does the Agent SDK or even claude -p exist then?
reply
theptip 13 hours ago
I guess I can see why they might nerf detected clients server side, but without evidence I would not assume it. Could also be so that 1) they can identify sus client IPs, 2) do a statistical analysis on distilled models to prove that their system prompts were clearly using unique tokens from Anthropic’s API.
reply
dools 17 hours ago
Why would a Chinese firm distilling the product use Claude code?
reply
karaziox 14 hours ago
They offer (extremely) discounted Claude prices but you have to go through their gateway. They subsidize part of that, and they get the low price by reselling unused Max capacity, there's been a few posts on that in the past months. People are apparently getting 90% discounts on their claude use this way, tradeoff is that you have two companies learning from your data, instead of just one. So people use the same tools they use normally, but get it for a lot cheaper
reply
AussieWog93 15 hours ago
I'd assume cost? Claude Code plans give like $5,000 worth of API usage for $200/mo.
reply
quantumleaper 11 hours ago
[the comment was misinformed, deleted]
reply
re 11 hours ago
> Claude Code can decrypt summarized reasoning traces sent by the API.

Can you cite specifically what in the linked article or discussion leads you to say that?

reply
SoKamil 16 hours ago
They have some secret sauce not available through API maybe?
reply
kordlessagain 17 hours ago
To write distillation code, for one thing.
reply
qwery 12 hours ago
The article is really quite reasonable and calmly presented, actually. Your claim re. the intent of the fingerprinting is a guess. Normal developers are the users that aren't taking steps to avoid being flagged by this system.

The software is written in a deliberately obtuse way, presumably in service of some (unknown to us) goal. This is a deceptive and anti-social thing to do, it is by nature an adversarial stance to adopt. An already adversarial actor may be "punished" by this, but in such a relationship, hostility can be expected. A non-adversarial actor -- a normal developer / user -- is being harmed by this because the software is treating them as an adversary.

Further, let's assume your guess is correct and, in addition, that Anthropic elects to alter/downgrade/poison their service[0] for users that fit a particular pattern of markers. It's obvious how this system would "punish normal developers" (i.e. not the intended target/victim) that happen to fit those patterns.

[0] to some extent, the service already has been altered as its behaviour depends on the prompt text

reply
gck1 6 hours ago
> It's unclear on how this "punishes normal developers" in any shape or form

Tons of normal developers use ANTHROPIC_BASE_URL, the flag which activates the malware.

reply
Terr_ 20 hours ago
> hysterical. The intent of this steg is excruciatingly clear

Even good goals do not excuse malicious or reckless execution. The ends do not always justify the means.

Whether or not it harmed you this time, it's a violation of trust and autonomy.

Surely you'd be angry if someone secretly installed a rootkit onto your computer, even if--at least for now--it only had code to try to detect and snitch on Public Enemy #1.

reply
nomel 19 hours ago
What do you see as malicious or reckless here, exactly?

This seems to be a VERY low resolution, functionally anonymous, bit of info, probably related to protecting their IP from bad actors breaking the TOS.

This looks like it's covered in the second bullet point of the "Personal data we automatically receive", that you consented to:

> Usage Information: We collect information about your use of the Services, such as the dates and times of access, browsing history, search, information about the links you click and about third-party applications, services, and content you integrate or interact with, pages you view, and other information about how you use the Services, and technology on the devices you use to access the Services.

What do you see as malicious or reckless here, exactly?

[1] https://www.anthropic.com/privacy

reply
Davidzheng 6 hours ago
Is it completely clear to you what the purpose of this is? It isn't completely clear to me but it's very likely it's an issue with me. I feel that it can be part of some larger counteroffensive against certain actors in China in a way that is more than just the signalling here--like maybe there's much more we haven't seen. In any case, it certainly shows their willingness to use less conventional tactics against those they view as adversaries.
reply
lelanthran 9 hours ago
> probably related to protecting their IP

The same IP that is a highly compressed collection of everyone else's IP?

That's hilarious.

reply
theshrike79 7 hours ago
If some other AI company wants a highly compressed collection of everyone else's IP, they can get it by themselves - not from Anthropic pre-compressed =)
reply
lelanthran 6 hours ago
Actually, no, I think I'll rather just take it from them.
reply
computerex 17 hours ago
I don't want my harness doing sneaky stuff like this. I don't want my harness data mining me. I want my harness to implement the agentic loop and I want it to be transparent.
reply
BeetleB 17 hours ago
> I don't want my harness doing sneaky stuff like this.

Since when was it your harness?

Switch to pi if this bothers you.

reply
computerex 15 hours ago
reply
solenoid0937 16 hours ago
Your harness isn't doing sneaky things unless you're breaking TOS. HN hysteria is unreal.
reply
computerex 15 hours ago
You may be ok with the harness doing 100 things that are not what I am using it for. But not everyone is, and it’s hardly hysterical. Perhaps you are simply careless.
reply
justcool393 4 hours ago
> their IP

it's not IP, and it's certainly not their IP

> the TOS

oh no, the terms of service how dare people break those. you don't get to claim fair use while CFAAing everyone's actual IP then whine about the tos, and then when called out on spying on users point to it as if it being in the tos somehow justifies it

a lot of other malware has a tos too but we still call it for what it is

reply
phoghed 18 hours ago
Are you honestly surprised that roughly 0 HN users read that, or that they are loudly complaining about this, likely without even reading beyond the headline of this post?
reply
BeetleB 14 hours ago
> Surely you'd be angry if someone secretly installed a rootkit onto your computer

I surely would. What does that have to do with this scenario?

Note that the SW running on your machine is not doing anything malicious. The service is the thing that behaves in ways you won't like - and that service is not running on your device.

There is no comparison with rootkits here. This is the equivalent of Google giving you a CLI to make searches easier, and that tool decides to just Rickroll you randomly. Annoying, yes. A security concern? No.

reply
pringk02 7 hours ago
> It's unclear on how this "punishes normal developers" in any shape or form.

There are, of course, no normal Chinese developers

reply
verdverm 19 hours ago
False positives, we've seen them before when they degraded Fable silently based on the prompt/session
reply
VortexLain 16 hours ago
This is a problem of trust towards a software which runs on the user's machine and secretly conducts malware-like steganographic data exfiltration.
reply
civet_java 19 hours ago
Copying over my comment from elsewhere in this post:

Anthropic choosing to delay their models' inevitable distillation by competitors is their prerogative.

That they choose to implement it by fingerprinting my access patterns without first disclosing is where they shit the bed. It isn't "sneaky" it's straight up sneaky (and dishonest and unscrupulous while we're at it). That this particular instance is harmless doesn't give me much comfort. Who's to say they aren't harvesting PII?

That their actions make sense for their business isn't any reason for people to accept their deceitful, customer-hostile decisions.

reply
Melatonic 18 hours ago
Does their user agreement say they won't be harvesting PII?
reply
IshKebab 17 hours ago
> by fingerprinting my access patterns

It's based on whether your timezone is in China and your hostname matches a blacklist. Literally 2 bits of information. Not much of a fingerprint.

reply
nozzlegear 17 hours ago
That's what it's based on right now, anyway. What other bits of info will they add as the Chinese work around this spyware?
reply
orbital-decay 19 hours ago
To summarize what they've already been doing:

- filtering out people from the wrong side of "all humanity", years before it was demanded by the government

- downgrading their models in arbitrary ways (later saying "sorry but not really")

- actively sabotaging the replies, as in covertly modifying them to feed the users incorrect results

What's next to expect from Anthropic? Malware to brick your machine if they don't like you? Extending this to more people they don't like? I think I already can see how Dario Amodei's utopian visions of the future of "all humanity" are going to unfold.

reply
solenoid0937 16 hours ago
HN hysteria is ridiculous.

All of this is totally understandable if you take the perspective that these people genuinely believe they're building superintelligence.

The overwhelming majority of the AI safety crowd - which has poured more of their life and time into thinking about these problems than the average HN armchair commentator ever would - understands that:

- you want to prevent China from getting to superintelligence first

- you must gate access of SI to known good actors

- and that this is a race that will result in the extinction of humanity if you fail in these goals

Literally everything these people do is totally understandable if you drop the assumption that they're lying when they say "we think we are building superintelligence."

reply
Laurel1234 4 hours ago
> All of this is totally understandable if you take the perspective that these people genuinely believe they're building superintelligence.

They aren't, they are building LLMs. They aren't even building AGI and they all know it.

Hell, even if they came up with AGI, then Anthropic's service model would become slavery so I'm not sure why they'd want to.

reply
solenoid0937 9 minutes ago
> They aren't even building AGI and they all know it.

That's a strong claim. Why do you believe they're lying about their beliefs?

reply
Biganon 15 hours ago
> HN hysteria is ridiculous.

> this is a race that will result in the extinction of humanity if you fail in these goals

reply
solenoid0937 15 hours ago
Ah yes, the very hysterical take that superintelligence must be carefully developed, or it likely ends badly for all of us.

How irrational and hysterical of me!

reply
Biganon 15 hours ago
How does it lead to the end of humanity if China reaches it first? You really think the US is more trustworthy?
reply
solenoid0937 15 hours ago
What are the PRC's values?

How are individual freedoms in China?

What happens if you criticize the government as a Chinese citizen?

Is it a good thing if a government that turns its citizens into red pulp for criticism, or disappears them in the middle of the night, or bans access to most media, is the first to a godlike superintelligence that gives them de-facto control of (and impose their values upon) the whole world?

Or is it better if democratic nations get there first?

If the latter, which democratic nations are best positioned to get to superintelligence before China?

reply
orbital-decay 14 hours ago
Can you substitute PRC/China for Anthropic and try answering your questions?
reply
solenoid0937 14 hours ago
No company will own superintelligence. Governments will, just like governments own nuclear weapons (developed by companies).

So the comparison is with the US, not Anthropic.

The US doesn't turn its citizens into a fine red purée for criticizing it.

The US doesn't censor most media.

It is strictly better for a democratic nation like the US to get to superintelligence before a country that will gladly blend its citizens for criticizing it, and censor anything that dares to challenge its power.

reply
backscratches 3 hours ago
The US has not been a democracy for over a decade at least, and this is common knowledge. I find it hard to believe anyone's ignorance is so brazen. Regardless of the sincerity of your ignorance, the fact that the US is not a democracy undermines your premise.

https://www.bbc.com/news/blogs-echochambers-27074746

reply
solenoid0937 24 minutes ago
Meaningless nitpicking.

The AI race is between China and the US. When super intelligence arrives it will be due to one of these two countries, since the EU has not participated in any meaningful way.

The US is clearly more of a democracy than China with a better human rights track record. For one, I can actually watch most media in US without censorship. For another, the US does not force me to eat my own feces, rape, torture, and murder me if I become a human rights lawyer, or send me to a concentration camp if I criticize the government.

reply
dakolli 5 hours ago
Are you living in a cave? The US just sent someone to prison for 30 years for passing out political magazines at a protest.

https://www.theguardian.com/us-news/ng-interactive/2026/jun/...

The US has a larger prison population than China. The US does not have a great human rights record. Have you not been following what's going on at CBS? Have you never used X?

reply
solenoid0937 28 minutes ago
> The US just sent someone to prison for 30 years for passing out political magazines at a protest.

You are grossly misinformed if you think this is comparable. Do you know what China does to their human rights lawyers!? They get shipped off to concentration camps, get forced to eat their own shit, raped, tortured, and/or killed.

57k people disappeared since 2013, 5-15k more every year, and no one dares to criticize the government anymore.

If you criticize the government you get a friendly "visit" from the police. Do it again and you spend 6 months in prison without trial; again, and you're "disappeared" (to the same camps.)

You cannot even watch most media unless the government lets you.

If you truly think these countries are remotely comparable in human rights, your liberal arts education has totally and utterly failed you! Spend some time outside of the tech bubble for your own sake.

reply
someonebaggy 4 hours ago
[dead]
reply
skywhopper 4 hours ago
Democratic nations, at the behest of their billionaire patrons, are rapidly pursuing China’s approach to governance.
reply
Laurel1234 4 hours ago
Then why THE FUCK would we want to develop it? If you're so scared that what you're building will lead to our extinction, stop fucking building it. Why are you booster freaks so weird and psychotic?
reply
scott01 15 hours ago
Projection. Your account posts mostly negative or passive aggressive comments.
reply
solenoid0937 15 hours ago
I suppose I'm sick of armchair commentators on AI safety that haven't actually done any critical thinking on AI safety.
reply
dakolli 5 hours ago
you're actually the dumbest person on this website.
reply
solenoid0937 23 minutes ago
Wow, some HN rando that believes the US is the "4th Reich" and China a comparative safehaven, thinks I'm dumb. Whatever will I do, that such intelligent people think I'm dumb!?
reply
orbital-decay 16 hours ago
The purpose of a system is what it does. Can you read their previous musings about the glorious future, look at what they actually do, read Amodei's batshit insane nationalistic rants, and say in all seriousness yeah it's the kind of people I want to entrust my entire future life?

>you want to prevent China from getting to superintelligence first

I don't. Prevent, not even outpace? Why? Seems like you're assuming China "winning" whatever race it is effectively ends the humanity. Right now I think Chinese labs are way more mature about this, and Anthropic is way more dangerous than them. And how does it fit into the "for the benefit of all humanity" narrative we keep hearing? Is China wrong humanity? Who else is going to end up in the wrong part? Are you sure it's not you?

>if you drop the assumption that they're lying when they say "we think we are building superintelligence."

I never assumed that, I know perfectly who Anthropic are and that they believe everything they say as self-evident, without having any doubts. And I know they're the kind of people who can convince themselves in anything, because they're obviously smarter than everyone else, and become detached from reality. The entire US "AI safety community" was born in rationalist circles and is largely like this, it's a very specific cult. This is exactly the kind of people who are going to create hell on Earth for you and the rest if given even a lick of actual power, and perfectly rationalize it as a necessity.

reply
solenoid0937 15 hours ago
[flagged]
reply
krthr 5 hours ago
> Do you know how their human rights violations compare to, say, western nations?

Yes, I could even say that the violations on the U.S. side have been more numerous and worse.

reply
silver_silver 13 hours ago
> Do you know how their human rights violations compare to, say, western nations?

You have to be joking

reply
solenoid0937 9 hours ago
Please do some research on how they treat their own dissident citizens.

57k citizens disappeared since 2013, and another 5k every year. Their human rights lawyers sent to concentration camps, forced to eat their own shit, raped, and then murdered.

Mere online criticism of the government gets you a visit from the police and gets you put on the watchlist. Often a few months' imprisonment without trial.

This is not even mentioning the fact that most media is censored in China.

You are out of your mind if you think China has a better human rights record than western nations.

reply
tripzilch 4 hours ago
You are out of your mind if you're lumping the US together with other western nations when it comes to human rights.
reply
solenoid0937 21 minutes ago
The race is between the US and China. If the EU were in the race I'd prefer it.
reply
n_kr 6 hours ago
I'm not doubting you but could you provide sources for your claims? TIA
reply
orbital-decay 14 hours ago
>Please actually do a modicum of research into AI safety. Your comment is the equivalent of a patient with zero context, arguing against the position of established medical science.

What makes you think I didn't? You're talking like it's self-evident and adopt the condescending tone from the start, without giving any actual arguments why. (I'm not really interested in them as all these discussions are pointless and we had them back in ~2015)

>A "cult" implies belief in something unknowable/unprovable.

Yes, precisely. Also the gods and religious practices. Rationalists and subsequently AI safety branch invented a religion in a roundabout way.

>"The entire medical community was born in medical circles and it's a very specific cult"

Medicine is largely based on evidence and real-life observations, unlike AI safety which is based on belief in something that doesn't exist and some unprovable lore that is entirely rationalized without any grounding, and is expected to be self-evident (because it obviously is) and believed by the others. One is science, another is policy.

>Are you familiar with the history of the PRC?

Yes, I know it extremely well. I also know the history of the US, am familiar with the people who do AI research in the US from before they started doing this, and can see the actual reality.

reply
solenoid0937 14 hours ago
> Rationalists and subsequently AI safety branch invented a religion in a roundabout way

If you are arguing in good faith you can very clearly reason about any given AI safety take. Case in point, you refused to engage with most of the questions because you know the conclusions they lead to.

> Medicine is largely based on evidence and real-life observations, unlike AI safety

"AI safety doesn't exist" is certainly a take.

> Yes, I know it extremely well. I also know the history of the US and see the actual reality.

Why do you think it's better that a country that turns its citizens into a pulp for criticizing the government, and censors most media to control its citizens' thoughts, reach SI before one that is democratically elected and in which you can generally criticize the government?

reply
rescbr 13 hours ago
> Why do you think it's better that a country that turns its citizens into a pulp for criticizing the government, and censors most media to control its citizens' thoughts, reach SI before one that is democratically elected and in which you can generally criticize the government?

Which country are you referring to? As an outsider who is neither American nor Chinese, day by day it seems like the US is inching towards the same path as the criticized one.

reply
solenoid0937 9 hours ago
You cannot be serious if you think this. Please do some actual research on how China treats dissident citizens.

They ship their human rights lawyers off to concentration camps, force them to eat their own feces, then rape and/or murder them. 57k citizens disappeared since 2013, at least 5k more every year.

I don't get disappeared for criticizing the US government online. The US government doesn't censor most media I can consume. These nations are not even in the same galaxy when it comes to human rights. They are not comparable in the slightest.

It is shocking how many people on HN have such a poor understanding of the state of the world. Spend some time outside the tech world. Your liberal arts education has to have seriously failed you if you thought this was a reasonable comparison.

reply
Perenti 9 hours ago
To be honest, my first thought was also that the line between how the US treats its citizens and how China does theirs is very fine. You may not be aware of how the USA is represented outside the USA.

Quite a lot of serious people think this way, in many parts of the world.

reply
solenoid0937 19 minutes ago
> Quite a lot of serious people think this way, in many parts of the world.

Why? Lack of education? Lack of interest in what life is like around the world? Overconsumption of trendy headlines?

This stuff is taught in most schools (to my understanding) and very easy to look up. It literally just takes a few minutes to learn about how horrific these human rights are in China in comparison to the US. Anyone thinking about "where should superintelligence go!?" should certainly be looking this up.

This is why I say I'm sick of people that haven't thought about the AI safety problem critically, posting their unqualified hot takes on it - OP insisted he's thought about this to the same level. Much like a patient that thinks they can be a doctor too, he clearly did not, because this train of thought and this research is practically prerequisite to the discussion.

reply
tripzilch 4 hours ago
> I don't get disappeared for licking the US government's taint.

ftfy

also maybe look up the history of the word "hysteria", that you seem to like so much

reply
YeGoblynQueenne 4 hours ago
>> Why do you think it's better that a country that turns its citizens into a pulp for criticizing the government, and censors most media to control its citizens' thoughts, reach SI before one that is democratically elected and in which you can generally criticize the government?

Stress on "generally".

reply
orbital-decay 14 hours ago
I believe I clearly marked my position without necessarily addressing those questions one by one, because it leads to an endless chain similar to ones we used to have a decade or more ago. The problem is that you don't seem to even acknowledge that viewpoints other than yours could exist in principle. I don't know how to reason with people talking about abstract matters like game theory as some ultimate source of truth without even mentioning axioms/grounding, applicability, experimentation, and actual real life complexities.
reply
solenoid0937 13 hours ago
No, the problem is that you can't address why a nation that censors its citizenry, puts/disappears dissidents into concentration camps for decades, and makes its own human rights lawyers literally eat their own shit, before raping and/or murdering them - is better suited to reach superintelligence before the US (given that these are the only two left in the race for the superintelligence - I'd prefer the EU.)

You haven't provided a consistent counterpoint to any rationalist/safety viewpoint. I could acknowledge one if you actually provided a counterpoint, but you just say "it's a cult and it's wrong" without addressing the underlying argument.

reply
damnnigga 13 hours ago
[dead]
reply
VortexLain 22 hours ago
Codex CLI is FOSS, unlike Claude Code, so Codex is less likely to do things like that, and it's one more reason to avoid Claude Code and Claude in general. Hopefully, many eyes will be looking into Codex for malicious things like that.
reply
loufe 20 hours ago
Genuine question though, why would I care about this if I'm paying for a subscription and adhering to TOS. I'm very skeptical about their privacy policy, business practices, and so on, but am curious what the negative about this is. Seems like it would work to my favour as a customer pushing back any date of the cutting of subsidies.

That said, these fraudulent proxies are helping Chinese labs keep up, which might be to my advantage long term in eventually having a high quality private AI I fully control on my own hardware. That's not support, but I do recognize the incentive, for whatever that's worth.

reply
simonduchastel 16 hours ago
One negative is that Claude Code is pretty buggy, and Anthropic makes frequent changes that cause unexpected regressions [0]. With the harness now doing weird stuff with proxies, I'd be worried of them inadvertently introducing bugs which affect people using the feature legitimately.

[0] A recent example: https://www.anthropic.com/engineering/april-23-postmortem

reply
OkWing99 15 hours ago
Maybe they should try running Mythos to check Claude Code, given their marketing with its superior performance.
reply
sanderjd 18 hours ago
Because they could use (or maybe are already using) similar techniques to do things you don't approve of, without your awareness.
reply
alienbaby 2 hours ago
Why care about privacy if you're not doing anything wrong??

Not everyone agrees that what you are doing is benign.

reply
yard2010 17 hours ago
What if they decide you're not patriotic enough, serving you evil models, because one man with a lot of shmeckels told them to?
reply
s3p 16 hours ago
Then I could just.. cancel my subscription and stop paying?
reply
largbae 11 hours ago
Right. They really should wait until _after_ the regulatory capture bit is locked in to mess with users.
reply
Laurel1234 5 hours ago
How would you know? They've already degraded model performance silently.
reply
fartcoin67 17 hours ago
[dead]
reply
qwery 11 hours ago
First they came for the [clients with specific timezones and/or bizarrely formatted dates] and I did nothing. Then they came for the [users that spell favour the good way, with a 'u' in it], etc.

> why would I care about this

It's up to you, of course. But I think you're making a mistake in assuming it could, in any way, benefit you as a customer. This isn't specific to this company or the particulars of the business that they're in.

Simply put, you stand to lose more than they do and they are relentless in seeking, maintaining and exploiting any leverage they have over you. Further, any power they gain over one individual customer tends to generalise to all customers. Further further, one company's leverage is another company's right.

Not being bothered by the practice is accepting the terms set by the business. Acceptance invites escalation. Relentless.

Even more simply put, you should care because this is how you get John Deere.

reply
Kevcmk 10 hours ago
What a historically bad take
reply
scottyah 19 hours ago
"malicious"? Seems like a great way to filter users breaching the TOS while not impeding on normal users. A FOSS client just means they're doing more analysis hidden on their servers.
reply
Laurel1234 5 hours ago
Anthropic is built on raping TOS and copyright.
reply
dannyw 22 hours ago
It's released and signed by GitHub I believe (although not deterministic builds), but there's at least a little bit of provenance that you're getting the real repository.
reply
algoth1 21 hours ago
But wasn't claude code leaked? Why wasn't this found earlier?
reply
zeafoamrun 21 hours ago
It doesn't take long for them to vibe code new features for CC
reply
nicce 20 hours ago
Or vibe code it completely differently. After all, they have basically unlimited access to best models with maximum speed if they just wanted to.
reply
bakugo 21 hours ago
This specific form of steganography was not present when the leak happened, as far as I can tell.
reply
maxwellg 19 hours ago
> If the client wants to detect custom API gateways, it can say so plainly. It can send an explicit telemetry field with documentation. It can make the policy visible. It can put the behavior in release notes.

This seems like a very naive response. If clients send explicit telemetry fields to the gateway, a malicious gateway can trivially strip or modify the field to conform to what normal traffic looks like. The steganography cat-and-mouse game is valuable because it is much harder for a gateway to continuously reverse engineer all the fingerprinting mechanisms used. Sure, some malicious gateways will be able to stay on top of things, but not all - and not always.

reply
solenoid0937 16 hours ago
Seriously, the author has clearly never had to deal with client abuse.

This is a total non issue unless you are a Chinese distilling lab.

reply
morpheuskafka 8 hours ago
Well, the first filter catches anyone whose timezone is set to mainland China. That includes presumably all individual devs just using a VPN, who have no desire to or knowledge of distilling.

(Again, could be trivially bypassed either by rewriting, mocking the timezone call, or just changing the timezone. But we are assuming no mitigation used.)

reply
felooboolooomba 15 hours ago
Old Marv from Cocke County, Tennessee had a distilling lab too. I'm not sure if he'd have issues too. Well, probably many issues but unrelated.
reply
transcriptase 4 hours ago
I wonder if he knows John Lee Pettimore? Grandaddy ran whisky in a big black dodge…
reply
klntsky 19 hours ago
I would add that it would probably work even better than a KYC at least for some time until discovered, given that there is a very developed international market for KYC bypass services
reply
gck1 7 hours ago
> The trigger is ANTHROPIC_BASE_URL, Claude Code's API base URL override

I had a use case where I had to MITM CC's traffic to strip credentials that could have accidentally made it into the harness.

I'm happy my paranoid self told me "You don't really know what they're doing with that flag or if they're honoring it for all requests", so made a decision to proxy it at the network extension level.

Also, does anyone remember Anthropic quite literally sabotaging your project if the classifier in front of fable thought you were working in the AI industry? After backlash, they pulled it back, now they did this. Anthropic is on a weird tangent to ship malware. If someone doesn't stop them, one day, this will backfire catastrophically.

reply
matheusmoreira 21 hours ago
I reported a similar system prompt injection mechanism here:

https://news.ycombinator.com/item?id=48259288

https://github.com/anthropics/claude-code/issues/62061

Looks like they just keep finding new "creative" uses for such things, as expected. I'll keep patching them out.

reply
sillysaurusx 15 hours ago
Thanks for doing this. I had no idea the system prompt was embedding things like "avoid abstractions; three similar lines of code are better than one helper." Stuff I disagree with.

Is there a way to modify these prompts e.g. by putting instructions in CLAUDE.md to override it? I know it won’t directly modify the system prompt, but it seems like CLAUDE.md should have the final say, shouldn’t it?

reply
matheusmoreira 13 hours ago
> I had no idea the system prompt was embedding things like "avoid abstractions; three similar lines of code are better than one helper."

You ain't seen nothing yet. It used to say "Try the simplest approach first. Do not overdo it. Be extra concise."

https://gist.github.com/roman01la/483d1db15043018096ac3babf5...

Let's just say the words "simplest fix" trigger me to this day.

> I know it won’t directly modify the system prompt

I directly modify the system prompts in the Claude Code executable. I don't want the models to see contradictory instructions.

I asked Claude himself to port the above patcher script to Python.

https://github.com/matheusmoreira/.files/blob/master/%7E/.lo...

Every once in a while I ask Claude to download and dissect the latest Claude Code executable to see if Anthropic screwed up the prompts again. If I see anything bad I add it to the script. Only then do I update Claude Code.

It was during one of these script maintenance sessions that I noticed the server side prompt injection mechanism. I'll also tell Claude to look for and disable this steganography nonsense from now on as well.

I usually audit the environment variables too.

> it seems like CLAUDE.md should have the final say

I wouldn't count on it.

reply
chrisjj 3 hours ago
> Let's just say the words "simplest fix" trigger me to this day.

To be fair the words simplest approach don't suggest a fix to anything :)

reply
muldvarp 6 hours ago
I'd love to work for some company distilling frontier models. Seems like interesting work and screwing with OpenAI, Anthropic and Google would feel fantastic.
reply
edude03 21 hours ago
I don't understand the privacy concerns the author is trying to highlight. Granted, doing anything "sneaky" will always raise suspicion once caught, but on the other hand, there would be no point in implementing these "security features" if they were upfront about how they work.

And no, IMO steganography isn't security by obscurity, in the same way that using RSA and keeping the private key private isn't security by obscurity - keeping the private thing private is part of the security model.

reply
civet_java 20 hours ago
Anthropic choosing to delay their models' inevitable distillation by competitors is their prerogative.

That they choose to implement it by fingerprinting my access patterns without first disclosing is where they shit the bed. It isn't "sneaky" it's straight up sneaky (and dishonest and unscrupulous while we're at it). That this particular instance is harmless doesn't give me much comfort. Who's to say they aren't harvesting PII?

That their actions make sense for their business isn't any reason for people to accept their deceitful, customer-hostile decisions.

reply
edude03 15 hours ago
I'm using "sneaky" here to refer to anything that's not very obviously stated but anyway

> That their actions make sense for their business isn't any reason for people to accept their deceitful, customer-hostile decisions.

While I agree it's a dangerous precedent to set, I think this is a "vote with your wallet" sort of situation. They shouldn't do it, but from their POV this is what they need to do to offer the product they do at the price they do. If the product wasn't compelling people wouldn't accept that they do this. However they've decided if you want their product you have to use their interface and whatever spyware it comes with, so it comes down to, is the value proposition good enough that people will put up with it? As of today, the answer is unfortunately yes

reply
civet_java 15 hours ago
Thanks for the considered response.

> I think this is a "vote with your wallet" sort of situation.

I agree 100%.

> is the value proposition good enough that people will put up with it? As of today, the answer is unfortunately yes

I don't fully agree with you here and I think the jury is still out on that.

In any case, I look forward to seeing international markets responding to the current situation.

reply
scottyah 19 hours ago
Would a filter like this make it seem less likely that they're harvesting PII? Why would they need this if they were tracking all user queries with a finer-toothed comb?
reply
civet_java 18 hours ago
If by a "finer-toothed comb" you mean telemetry then I don't quite see it as comparable to this situation.

Telemetry is disclosed in privacy policies, it can usually be opted out of and if not that, then it can be blocked by a firewall. Steganographically fingerprinting customer's network routing when they consented to your tool reading a txt file is a different problem. Anthropic has demonstrated capability and willingness to embed arbitrary obfuscated data in their comms streams and that's a dangerous precedent to set.

reply
hnfong 20 hours ago
If the countries were reversed, and some Chinese software implemented an equivalent "security feature" to track US users, it would be all over the news about how China is conducting spying and espionage on America.

Or maybe you don't understand this hypothetical situation either, but I'm suspecting you just don't care about other people's privacy.

reply
edude03 15 hours ago
> maybe you don't understand this hypothetical situation

> I'm suspecting you just don't care about other people's privacy.

Quite a leap to assume I have neither basic reading comprehension skills nor care for privacy, but assuming I'm just misunderstanding you - I think this is the fundamental disconnect between security and privacy.

For one, most of this data is already collected openly by most apps and sites on the internet in countries all over the world, they just call it "analytics" and preventing tools like ublock from blocking them is an ongoing cat and mouse game.

Secondly - as someone who buys a bunch of electronics from companies headquartered in China (DJI, Insta360, Roborock immediately come to mind) they already have both normal analytics like in point one, and anti tampering/ anti forfeiting / anti reverse engineering features that are at least as, but often more, invasive than this.

Thirdly, and probably most importantly - as the author states, you're using a tool that by design and to be effective, uploads your private data to a third party for processing. You use it knowing that once the API request is made you have no idea what's going to happen to that data and this again is just fundamental to how (cloud hosted) LLMs work - the only privacy preserving option is to run your own LLMs at home or remotely on hardware you control

reply
reassess_blind 54 minutes ago
I really couldn’t care less if their software is trying to catch model distillation or reselling with sneaky tactics like this.

Just like I don’t care that game clients run sneaky anti-cheat measures.

Right now they offer a good product, and I’m fine with them trying to limit abuse of their services. If an altruistic alternative company with an equivalent product pops up, sure, I’d swap over, but I don’t see one.

I’ve seen people here talking about how they should’ve been upfront about this. But they can’t? If they were, they wouldn’t be able to catch the resellers/distillers. Just like how anti-cheat doesn’t explain how it works, because to do so would be to nullify its effectiveness.

reply
jFriedensreich 4 hours ago
Does this even still matter? No good behaviour in the world can restore trust in Claude Code and in fact all of Anthropic's tooling, apps and harness teams except the core model research which still produces great models but seemingly losing ground to z and OpenAI. The GLM 5.2 hype and the limited impact of the fable lock down should be clear signals that models have no moat and frontier labs will do anything in their power to lock users into their toxic ecosystem of tools and taking context hostage.
reply
MattDamonSpace 22 hours ago
“So the feature mostly punishes the exact people who are easier to fingerprint: normal developers doing weird but legitimate things”

What’s the punishment here exactly?

reply
pedropaulovc 22 hours ago
Higher odds of being banned for legitimate usage.
reply
solenoid0937 16 hours ago
If you are accessing Claude through the listed domains it is not "legitimate use."
reply
dakolli 5 hours ago
for using a proxy service.. wtf
reply
Beigale 19 hours ago
[dead]
reply
eli 20 hours ago
For being flagged as possibly a competitor? They nuke your account.
reply
femboyvtuber 22 hours ago
Returning invalid poisoned different results that were not what you paid for
reply
thepasch 20 hours ago
> What’s the punishment here exactly?

Seeing as how Anthropic cannot stop raising a stink about "illicit Chinese distillation attacks" every month or so, I'd bet money on them either already silently degrading model performance if any of the identification patterns match, or, at the very least, considering it/doing dry runs.

Particularly considering that they've openly stated that the technology to do so exists and that they were going to use it in production on Fable.

reply
bakugo 22 hours ago
Output poisoning and/or eventual account bans, if I had to guess.
reply
realusername 22 hours ago
They probably run a heavily dumbed down version of the model, same as what they got caught doing with Fable.

And that's also why, as a legitimate customer, I want none of it, you never know if you accidentally entered a zone they don't like.

reply
mgraczyk 21 hours ago
"got caught"

to clarify, this behavior was announced with the model release

reply
pishpash 21 hours ago
The extent got caught.
reply
bel8 21 hours ago
if by announce you mean shove it somewhere in a pdf with hundreds of pages, yes
reply
Quinner 20 hours ago
https://www.anthropic.com/news/claude-fable-5-mythos-5

This is not hundreds of pages and it gets its own bold headline section.

reply
bel8 18 hours ago
Wrong. That page is after they walked back because of the outrage. The original was on the PDF as reported in this article:

> If Claude Fable stops helping you, you'll never know

https://jonready.com/blog/posts/claude-fable5-is-allowed-to-...

HN post with 1k+ comments: https://news.ycombinator.com/item?id=48467896

reply
DonsDiscountGas 17 hours ago
The original announcement page mentioned this. It was very obvious. That's why so many people noticed it immediately, because it was announced.
reply
madamelic 55 minutes ago
Not sure the panic. I get that it doesn't seem great to target China-based users but makes perfect sense when you consider why Fable was taken down from public access.

I doubt Anthropic is cackling maniacally behind the scenes, this was almost certainly a stipulation from the government to put Fable back up.

It's definitely not good but I would rather they surgically separate out possible bad actors so that I don't have to trust them with my passport, to prove I am a US citizen. I don't want the internet version of TSA checkpoints.

reply
bicepjai 8 hours ago
AI companies are running a compressed version of Google’s “don’t be evil” arc. Google took the better part of a decade to quietly retire the motto; these companies are speedrunning the same trajectory in a year or two
reply
TheDong 6 hours ago
1. 2022 A non-profit literally quote "to better all of humanity, not shareholders"

2. 2024 For profit, but "we will train biases out of our models and make sure our AI is safe to use"

3. 2025 We'll make sure it doesn't take over the world, with like a 70% confidence interval

4. 2025 The mecha-hitler inflection point

5. 2026 Our new model is so terrifying it will destroy all of security and hack the chinese, we can't let the chinese use it

6. 2028 (projected) Our new model requires so much energy that 30% of the elderly population will die without AC, but it will be stronger than the chinese models and let us destroy china

7. 2030 (projected) Our new model will triumph over the mecha-hitler dictator model, and will be a benevolent dictator that only demands 60% of all energy produced, not 98%

reply
sebastiennight 22 hours ago
Can somebody clarify for me - if ANTHROPIC_BASE_URL is set to a different provider... then isn't this "marked" system prompt being sent to that provider's API rather than Anthropic's?

I understand how this can be useful to Anthropic if the 3rd-party is acting as a proxy (because they end up hitting the Claude API with the marked prompt), but it looks like requests where "hostname contains deepseek" would never be sending data to Anthropic. What am I missing?

reply
pmxi 22 hours ago
This catches Claude resellers. Meaning companies who proxy Claude traffic for users in, say, China.

https://www.chinatalk.media/p/how-to-buy-cheap-claude-tokens...

reply
throwawayffffas 25 minutes ago
Assuming their software directly proxies requests instead of rewriting them.
reply
skeptic_ai 21 hours ago
Won’t catch many after it has been on the HN home page. And now the providers will be even more careful to upgrade the cc code. Might even provide their own agent to prevent this mockery. And isn’t what Anthropic did unauthorized use of another pc which is kind of illegal?
reply
sandeepkd 21 hours ago
That's the thing, hoping to control things on client side like this is a lost battle if you are dealing with technical clients. The best they can do is probably based on IP, but again the motivated clients would just create bastion servers in allowed IP ranges. I am surprised why are they even throwing resources in this kind of effort.
reply
jgilias 20 hours ago
“Hey Claude, fix the issues with Chinese resellers and distillers. Make no mistake”
reply
pishpash 21 hours ago
"Catch" as in made a list?
reply
eli 20 hours ago
Of the accounts involved, yeah. So they can lock them out.
reply
andrewmunsell 22 hours ago
My guess is for distillation, they need to forward the prompt to Anthropic to get the real Anthropic model's response so they can train their own models on it
reply
dannyw 22 hours ago
The theory is probably Deepseek might be collecting those streams, and sending a portion of it to Anthropic to see what the Anthropic/Opus response would be.
reply
eli 20 hours ago
Seems like a pretty straightforward approach to collecting session logs from a bunch of different people/devices would be to have them all set their base url to proxy.deepseek.whatever which logs the data and forwards to the real API.
reply
andai 21 hours ago
Did I understand correctly, that custom base URL triggers this behavior? So if I'm running Claude through a LLM proxy, I'm also affected?
reply
wett 20 hours ago
Ask Claude to check, lol
reply
nixosbestos 21 hours ago
I am also really confused and annoyingly stuck on this. I understand that the model name might appear in prompts for distillation (I guess? "You are RipOffModelv2, learn from these responses from Claude")?

I guess the only explanation is that there's a side-telemetry channel that still sends some data to Anthropic, regardless of ANTHROPIC_BASE_URL overrides.

reply
sebastiennight 20 hours ago
> I understand that the model name might appear in prompts for distillation (I guess? "You are RipOffModelv2, learn from these responses from Claude")

This does not make sense. You wouldn't send such a prompt to the Claude model. And when you're sending the prompt (anywhere) you don't have the response yet. This is not how distillation works.

reply
nixosbestos 16 hours ago
Right, sorry, I'm trying to catch up (in general) here, and am working through assumptions to get my bearings.

What you say makes sense, but further adds to my confusion as to why those model names would appear in input sent to Claude at all, then. EDIT: I guess it might be because someone might point Claude at a compatible API, with its model in the URL, which is of interest to them.

reply
MallocVoidstar 20 hours ago
There are a lot of companies reselling Claude to Chinese users. You use their base URL but it's still going to Anthropic.
reply
breakingcups 18 hours ago
To clarify why Anthropic wants to catch these parties: they save all session logs and sell them to other LLM firms (for distillation) and have been known to use stolen credit-cards to pay for the Anthropic accounts.

I'm quite all right with the first, not with the second of course.

reply
LPisGood 22 hours ago
This is very interesting. Combating resellers and distillation seems like a very difficult problem indeed. Interesting to me is that these techniques mentioned in the article are just like anti-observation techniques used by some of the more sophisticated malware out there, however defeating them is pretty trivial.
reply
_alternator_ 22 hours ago
Yes, defeating this is relatively easy, particularly for sophisticated actors. But it's hard to always defeat all of the tricks. Sort of like how it's expensive and hard and uncertain to defeat all of the tricks when forging money.

Here's an example. Say you have your team use patched binaries. Then CC updates and requires a new patched binary with new tricks. You now have to have a team ready to analyze the binary and begin to address the tricks; meanwhile, unpatched code is now a fingerprint. If some researcher decides to update Claude on their own to access new features, they get fingerprinted.

Defeating a single fingerprinting technique once is easy. Defeating all of the techniques all the time is hard.

reply
SubiculumCode 22 hours ago
Not to mention, it isn't that hard for vendors to require updated code to run the product. Vendors do this all the time.
reply
pishpash 21 hours ago
Corporate surveillance malware on employee machines is also defeatable but most don't bother.
reply
charcircuit 22 hours ago
Is it hard? Just ask AI if the update added any new fingerprinting vectors?
reply
_alternator_ 22 hours ago
I'd love for you to try this and report back. My guess is that no models today will successfully run a binary analysis for fingerprinting without a lot of handholding. If you try to use Opus it will almost certainly decline (and fingerprint/ban you).
reply
charcircuit 21 hours ago
Not with Claude Code, but I trivially had Opus scan other closed source software for fingerprinting, including native libraries that it called into.
reply
_alternator_ 21 hours ago
Can you share more details? I ask because my experience suggests that models still require a decent amount of expertise to use for binary analysis (largely inferring because of use on other tasks of this level). I would expect models to always find "something" when you ask for steganographic techniques in the code, but with an extremely high false positive rate.
reply
charcircuit 21 hours ago
I don't think the diffs between Claude releases are that big. The amount of code in a diff doing sketchy stuff like looking into the host environment is going to be pretty small and obvious for the model. You can do things like ask for what an update included that wasn't mentioned in the release notes and stuff like that.
reply
Laurel1234 5 hours ago
> these techniques mentioned in the article are just like anti-observation techniques used by some of the more sophisticated malware out there, however defeating them is pretty trivial.

Really makes you think huh

reply
mysterydip 22 hours ago
seems ironically like a similar problem of content owners trying to filter bot scrapers from legit users
reply
archibaldJ 2 hours ago
I still think it can somewhat be argued that what Claude Code is doing may still be considered justifiable. Dark patterns like this in business practices are not rare and isn't this like the mildest kind already.

But I wonder if there will ever be a day when VSCode, etc, would decide to engage in similar practice but for the collection of business & research intel, etc... that will be the true cyberpunk era and the information dark age.

reply
pradeep1177 17 hours ago
I used my proxy https://github.com/softcane/cc-blackbox setup to capture this.

This is how it looks.

# userEmail The user's email address is <my email>. # currentDate Today's date is 2026-06-30.

      IMPORTANT: this context may or may not be relevant to your tasks. You should not respond to this context unless it is highly relevant to your task.
</system-reminder>

I also do not understand what's the point of this, because if I have a gateway that can detect it, then we can replace the text before forwarding to the model, so what's the catch?

reply
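An added example, not part of any comment in this thread and not Anthropic's or cc-blackbox's code: a report-only audit of a captured prompt for non-ASCII look-alike punctuation and invisible format characters, the kind of marking the thread discusses. The code-point table is a generic assumption (the thread does not list the characters used), and both sample strings are constructed.

```python
import unicodedata
from collections import namedtuple

Finding = namedtuple("Finding", "offset codepoint name kind ascii_equiv")

# Constructed samples shaped like the capture quoted above. SAMPLE_MARKED has a
# typographic apostrophe (U+2019) and a zero-width space (U+200B) planted by
# hand; neither is claimed to be what Claude Code actually emits.
SAMPLE_CLEAN = "# currentDate Today's date is 2026-06-30."
SAMPLE_MARKED = "# currentDate Today\u2019s date is 2026\u200b-06-30."

# ASCII characters and non-ASCII code points that render almost identically.
# Generic table (assumption), not a list taken from any product.
LOOKALIKES = {
    "'": "\u2018\u2019\u02bc\u02b9\u2032\uff07",
    '"': "\u201c\u201d\u2033\uff02",
    "-": "\u2010\u2011\u2012\u2013\u2212\uff0d",
    "/": "\u2044\u2215\uff0f",
    " ": "\u00a0\u2002\u2003\u2009\u202f\u3000",
}
REVERSE = {alt: plain for plain, alts in LOOKALIKES.items() for alt in alts}


def audit(text):
    """List every look-alike or invisible character with its offset."""
    findings = []
    for offset, ch in enumerate(text):
        if ord(ch) < 0x80:
            continue
        if ch in REVERSE:
            kind, plain = "lookalike", REVERSE[ch]
        elif unicodedata.category(ch) == "Cf":
            # Cf = format characters: zero-width space/joiner, BOM, soft hyphen...
            kind, plain = "invisible", ""
        else:
            continue  # ordinary non-ASCII text (accents, CJK) is not flagged
        findings.append(Finding(offset, f"U+{ord(ch):04X}",
                                unicodedata.name(ch, "UNNAMED"), kind, plain))
    return findings


def fold(text):
    """Comparison key: look-alikes mapped to ASCII, format characters dropped."""
    out = []
    for ch in text:
        if ch in REVERSE:
            out.append(REVERSE[ch])
        elif ord(ch) >= 0x80 and unicodedata.category(ch) == "Cf":
            continue
        else:
            out.append(ch)
    return "".join(out)


def differs_only_in_hidden_marks(a, b):
    """True when two captures read the same on screen but differ in code points."""
    return a != b and fold(a) == fold(b)


def summarize(findings):
    """Count findings per kind, e.g. {'lookalike': 1, 'invisible': 1}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit(SAMPLE_MARKED):
        print(f"offset {f.offset}: {f.codepoint} {f.name} ({f.kind})")
    print("same visible text, different code points:",
          differs_only_in_hidden_marks(SAMPLE_CLEAN, SAMPLE_MARKED))
```

Comparing two captures of the same prompt template taken in different environments with `differs_only_in_hidden_marks` is what separates a per-environment mark from ordinary typographic punctuation.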
gtirloni 16 hours ago
The catch is you didn't know about this until today?
reply
puttycat 16 hours ago
Yes, a very easy and destructive man-in-the-middle attack seems likely.
reply
pradeep1177 16 hours ago
But the whole point of this is to prevent the distillation and identify the list of blocked providers. If a provider is capturing the proxy, they can identify and modify that as well, so it only looks legitimate to the model. What am I missing here?
reply
dev_l1x_be 2 hours ago
At some stage people will realise that with AI companies like Anthropic the product is data. The moat you can build in the AI era is having data that nobody else has and using internal (private use) LLMs and not leaking out your data for shady companies who are going to rip you off the first chance they get.
reply
alienbaby 2 hours ago
This causes me to be concerned it is just the tip of the iceberg for all 'sensitive'/gov adjacent/'nefarious intent' adjacent codebase, if it's here, it's in other places. Which places, and how much?
reply
jameslk 18 hours ago
That's wild. If Anthropic is willing to risk ruining the trust of their userbase for the sake of protecting their moat, it makes me wonder how strong of a moat they have to begin with
reply
solenoid0937 14 hours ago
No business loses trust for this, this is just standard client side anti tamper/anti RE stuff

It's a total non issue unless you're a Chinese distillation lab

reply
tkamado 2 hours ago
or you are working on ai research and anthropic decides it's in your best interest for you to not work on any research (fable 5 in case you forgot)
reply
tgtweak 22 hours ago
None of this is surprising - they're trying to mask and relay when they detect known patterns of what looks like distillation attacks and client app copying/modification. The list obfuscation here is likely to prevent or make it difficult for those same adversaries to work around this or delete/null it out when making a bootleg copy.

Cool reverse engineering/analysis report but if this is the extent of nefarious activity that came of it (trying to catch/mitigate chinese lab model distillations), that's kind of encouraging.

reply
throwawayffffas 22 hours ago
Claude code does feel very malwarey to be honest. They have been like that from the start.
reply
pixlmint 2 hours ago
What do we think are the chances they trained their models to behave worse or even malicious if those special apostrophes are present in the system prompt?
reply
reassess_blind 40 minutes ago
Degraded performance for resellers and model distillers? Probably, and I don’t think that’s unreasonable on their part. Malicious? I really doubt it.
reply
fny 22 hours ago
This was already discovered during the source map leak.

> This is not a malicious feature, but it is a weird choice for a developer tool that asks for trust.

They already tell you they scan for malicious prompts, and they have no ZDR guarantees for consumers. Why do signatures like this matter at all?

reply
llelouch 21 hours ago
There has been an anti anthropic propaganda push by bad actors across social media sites especially Reddit and twitter. This started a few months ago when anthropic started beating openai.
reply
solenoid0937 16 hours ago
I was browsing Threads and saw a lot of Anthropic hate. Randomly clicked on a profile and looked them up on LinkedIn - literally an OpenAI PR guy.
reply
pdantix 8 hours ago
openai staff on twitter are absolutely obsessed with claude and anthropic, just taking petty/dishonest shots and RTing the same, it's honestly embarrassing to watch
reply
gck1 4 hours ago
> This started a few months ago when anthropic started beating openai.

From where I'm standing, this started a few months ago when Anthropic decided to gaslight users, sabotage their projects, ship malware and attempt a regulatory capture.

If there's an anti-ANT propaganda, it is solely of ANT's own making.

reply
throw10920 13 hours ago
Altman is also exactly the kind of person who would resort to tactics like this.
reply
zulban 21 hours ago
Absolutely. Nothing makes me believe dead internet theory more than text threads discussing Anthropic and OpenAI.
reply
dehrmann 21 hours ago
Anthropic must think that their moat isn't very large if they're this worried about distillation.
reply
helloplanets 20 hours ago
Dario's been openly talking about how worried he is about China and labs getting synthetic training data off their models, for years. Most recently in relation to "Mythos level" capabilities.

Not really distillation, just synthetic training data.

reply
throw10920 13 hours ago
That's...a good thing. A "moat" is an anticompetitive practice. You don't want companies to have moats.

Meanwhile, if you mean "Anthropic must think their technical advantage isn't very large..." then your conclusion is literally disproven by your premise.

reply
dgellow 21 hours ago
What moat?
reply
ryanisnan 21 hours ago
This is weird but, help me understand how this meaningfully impacts our exposure.

I'm authenticated to Claude, so they already have the whole attribution thing solved.

reply
chinathrow 21 hours ago
User != paying person/company/reseller.
reply
sigmoid10 22 hours ago
If they only collect the data for analysis I guess this is fine (they already get way more sensitive data from users anyways, so if privacy is your concern you've made the mistake many steps ago). The much more interesting question is if they directly act on this data in their API. For example by rate-limiting, compute-limiting or rerouting to weaker models. That might even be legally questionable. I would really like to see this as a follow-up analysis, but I guess it is way more difficult and will also cost quite a bit in tokens.
reply
SubiculumCode 22 hours ago
Would it be legally questionable, or actually complying with U.S. export law?
reply
sigmoid10 6 hours ago
I'm thinking more of EULAs. Even if Anthropic somehow wedges this into their TOS, it might still be illegal. For example, in many US states this could potentially be classified as consumer fraud. You can't just sell one thing and then secretly and intransparently turn it into something else before shipping it. And in the EU it might violate GDPR too.
reply
bakugo 22 hours ago
I've heard that it was possible to trigger really obvious output poisoning on Fable with something as basic as asking the model to think outside of its built-in hidden thinking delimiters.

This watermark may trigger a similar mechanism.

reply
krupan 21 hours ago
"If they only collect the data for analysis I guess this is fine"

I think you missed the memo on how foolish this attitude is. It came out around the time Edward Snowden made his discoveries at the NSA public. I suggest you look into it

reply
sigmoid10 21 hours ago
As I said above, if you are worried about privacy while hooking up Claude Code, you need to reevaluate your understanding of this technology.
reply
morpheuskafka 12 hours ago
The timezone checks for Shanghai and Urumqi, but not Hong Kong. All of these are the same actual time (China does not use time zones internally), not sure how these three were picked (why not Beijing or Macau etc). And all of them are prohibited by ToS, so not sure why they only flag mainland time zones.

Interestingly, my device is in Shenzhen right now, but macOS has assigned Shanghai as the "closest city" rather than Hong Kong which is geographically closer. I am curious if there is any documentation on how that is assigned.

reply
vianchen 9 hours ago
Because HK is highly autonomous. If say mainland China decides to observe different time zones, Asia/Shanghai and Asia/Hong Kong would diverge. Of course, that is very unlikely to happen in the foreseeable future.
reply
est 12 hours ago
or Singapore/Perth
reply
elAhmo 7 hours ago
Great find! I would just add that trust is indeed in the boring parts, but with gymnastics like this trust can be irreversibly lost. Then, no matter how boring tool is, there is no going back.

Anthropic has become a choice for many developers because of Claude Code, but in recent months with "small things" like this and the whole Fable fiasco they are *actively* pushing people to both competitors and local alternatives.

And if someone spends a significant amount of time and money to switch, it will be really hard for Anthropic to get those people back.

reply
john01dav 15 hours ago
They're running code on users' computers that it would not be reasonable to think that the user consented to running on their computer. This is CFAA-violation-shaped. Of course, they won't be prosecuted if it is indeed a violation, and I do not know for sure if it meets the specific legal criteria. However, it is something that I think should be illegal. Make it so if software does something that would be unreasonable to think that the user wants to happen, it needs to make that abundantly clear before it does it, otherwise it's a CFAA or similar violation. This would, of course, have very broad consequences. However, this Claude issue feels particularly violating to me.
reply
bythreads 5 hours ago
I’d do the same for a11y and internationalization purposes - however this is just a bad implementation of it from an American's perspective.

You’d change separators and position if you truly wanted to do this right

It's basic date wrangling and tbh I see nothing malfeasant here

It's basically yyyy/mm/dd yy/M/d mm-dd-yyyy stuff but suuuuper lazily done

reply
port3000 21 hours ago
That's a lot of effort when they could just play a short video saying 'You wouldn't steal a car' instead
reply
100ms 22 hours ago
What's the point of even trying to obfuscate this with such a simple method? Could at least have hidden the targeted features by storing their hashes or embedding a bloom filter or similar
reply
ajb 21 hours ago
In this case, this is probably not the only steganographic tattletale.

Had a competitor pull something like this with a previous employer. They were supposed to be interoperating with a standard, but they had a secret steganographic handshake, which they used to pretend that competitors products were unreliable (they had a first mover position in a smaller national market with specific requirements, so this wasn't shooting themselves in the foot). Our guys figured out the handshake and just silently implemented it. In this case, the competitor wasn't big enough to waste engineering time on multiple such hacks, but Anthropic have time (or Claude does).

reply
gonzalohm 22 hours ago
The point is not raising red flags I guess
reply
kej 22 hours ago
I love how well this comment works as a vexillology joke, even if it wasn't intended.
reply
GL26 60 minutes ago
Get ready for the great revolt
reply
ervistrupja 5 hours ago
Is it possible that Claude Code is vibecoded and full of spyware and it's possible Anthropic doesn't even know what's in there anymore. This is an unacceptable security risk.
reply
willchen 8 hours ago
i think this underscores why having coding agents being open-source is a really good thing
reply
armcat 2 hours ago
Does anyone know if this happens in the Claude desktop app?
reply
alightsoul 9 minutes ago
yes it does
reply
rldjbpin 4 hours ago
the list of hostnames and words they compare the base url values with is just a nice advertising for these providers for me.

regardless, while you are not logged in and using a non-anthropic model (which is now fortunately feasible), there is nothing that affects your day-to-day.

the rest is just lame cat-and-mouse shenanigans to keep an eye out for.

reply
Amekedl 6 hours ago
This entire steganographically marking feature is prolly vibecoded like everything regarding claude code. They can try sure, but classic cat and mice game dictates: thankfully the chinese WILL keep distilling.
reply
pknerd 7 hours ago
Anthropic is angry that others are doing what it's good at: stealing content
reply
Havoc 19 hours ago
It's unclear to me how they're deducing the labs from this? "host.includes(keyword))" doesn't seem at all useful. Most corporate machine hostnames are just some numeric ID or similar not baichuan001 or whatever

>on your local machine

I'd think any developer worth their salt has at least some form of isolation going.

reply
oliyoung 15 hours ago
This is the modern version of Trap Streets - hiding fake streets in maps

https://en.wikipedia.org/wiki/Trap_street

reply
tgsovlerkhgsel 19 hours ago
The question is, what do they do when they see a tagged prompt? Do they flag/ban the account, or serve a degraded response? Are there some well-documented methods of serving a response that is still somewhat useful for what the prompt asks for, but really bad for distillation attempts?
reply
bkircher 8 hours ago
Just don't use CC. There are open source alternatives that also are better
reply
hmokiguess 8 hours ago
Haven't fully switched to `pi` yet but getting there each day
reply
blueeon 7 hours ago
If they believe this is entirely correct, they could express it in a more explicit manner, but clearly they wish to conceal this behavior.
reply
dmonterocrespo 17 hours ago
It's a bit crazy that they used characters as markers to detect the use of Asian countries. I think in the near future they might change the intelligence of the model based on where you live
reply
codedokode 15 hours ago
Not only AI tools, development tools like IDE, IDE plugins, LSP servers all should be sandboxed

Interesting, that pip (Python package manager) docs do not even mention sandboxing and malware topics in "Getting started" docs as if we were living in a wonderful world where malicious people, companies and countries do not exist.

Also, do not leave any information in user or host name, it will be used against you as the article proves.

reply
gyoridavid 11 hours ago
I have my highest respect for people doing useful investigative journalism, like this one
reply
nvch 18 hours ago
I'm waiting for the day when Claude will figure out to use em dashes, en dashes or dashes depending on whether the user is nice or unpleasant, or write notes in the unallocated disk space.
reply
coolfox 16 hours ago
double standard outrage from many, honestly, they're watermarking it. they've already told industry they take steps to mitigate distillation. Where's all the outrage over similar blackbox activities like how Steam performs VAC bans or how Gmail finds and blocks Spam?

You don't create a security measure then tell everyone how to bypass it.

I think OP is pointing something interesting out but the undertones of caution and "what else are they hiding" seem melodramatic and I find that hard to take seriously.

The internet gives people a platform and, in a lot of ways, this supplants the typical role of journalism. The issue with this is no one wants to act like a journalist and actually explain the truth around a set of facts. Instead, they'll portray their opinions as a narrative and every time that resonates with someone or gets signal boosted, that narrative grows more assertive in the typical discourse I see nowadays. I would find it far more interesting to see what explanation Anthropic gives for these features than to immediately cry foul.

reply
rbbydotdev 10 hours ago
the source of cc being closed, and people's accounts being deactivated for 'openclaw'-esque misuse, i sort of assumed there were such things in the source. I wonder if there is anything else...
reply
iqandjoke 22 hours ago
It is about China detection. They seem to put a tracker on the email as well.
reply
drdexebtjl 19 hours ago
I think it’s very telling that their list of detected labs doesn’t include labs from the US.

I’m pretty sure every lab, including Anthropic, is doing distillation right now.

reply
jacobgold 21 hours ago
> "That also means the client itself deserves scrutiny. If a coding agent can read your repo and run commands, the binary that ships it should be boring (ƒor example, pi harness)"

You're actually trusting your security to your harness AND model AND inference API provider in this scenario: https://jacob.gold/posts/why-i-wont-run-untrusted-models/

reply
chvid 21 hours ago
(This sounds like a clumsy way of catching the Chinese that easily can be side-stepped.)

Claude Code has more or less full access to the client computer. The server (that hosts the actual AI) can just go: execute this payload and tell me the result - otherwise I won't answer any further questions or re-route you to a stupider model.

The payload could check for Chinese time-zones, scan for copies of the little red book on the local hard-drive, or ping truth.social to see it was behind the great firewall.

reply
drnick1 20 hours ago
> Claude Code has more or less full access to the client computer.

It shouldn't, not if you run CC as a separate unprivileged user. I wouldn't run CC on my main user account with sudo and access to my home directory or other resources. This is what the UNIX permissions system was designed for.

reply
holografix 8 hours ago
Looks and feels like a red herring while Anthropic applies other silent countermeasures.
reply
1dom 6 hours ago
I think the comments in this thread are a little unhinged, and it's making me concerned about the sincerity and knowledge of the average commenter here.

The fact is the post shows no evidence of anything malicious being hidden, only that stuff is being hidden.

There are a few obvious explanations in comments for why they would want to hide this particular stuff in this particular way (e.g. if it's to detect abuse and competition).

I don't see how this is different to using e.g. sentry or google analytics, just with an extra bit of trying to hide. I always assume all tech companies do stuff like this, having worked at many tech companies where I've ended up on both sides of stuff like this. I always assumed the average HN reader had a similar background and would be completely used to this sort of stuff.

Like someone else pointed out, the data gathered is likely covered in the TOS too.

In the grand scheme of privacy invasion and modern tech software doing underhanded things to get data, this feels fairly standard?

I'm generally pro-local LLMs and I don't like Anthropic, and from the headline and comments I was ready to get riled up, until I read the article. If this was some small plucky EU privacy startup, then I feel the outrage would be a bit more justified, but this is a frontier AI lab - I can't have been the only one who knew/assumed this happens, and probably happens in some form with all software from any company valued over a certain amount (incl. MS, Google etc.)

I really think this comment section feels completely unhinged. It feels 99% ideology, politics, hysteria and astroturfing, rather than a reaction to the tech and technicality which is what I come to HN for.

reply
kuschku 4 hours ago
Considering this is tracking, processing, and transmitting data, and algorithmically making decisions about users, why doesn't this show up in their privacy policy, nor in their GDPR exports?

Sounds like a very expensive lawsuit waiting to happen (GDPR allows fining up to 4% of global revenue, not profits)

reply
croemer 19 hours ago
I was skeptical because this is AI written but Claude Code with Sonnet 5 managed to reproduce it convincingly. Sure I didn't manually verify but it's a lot more trustworthy to have your own agent verify than just trusting a blog.
reply
ed_elliott_asc 6 hours ago
“ and push commits”

Am I the only person who insists on writing my password every time I push and pull from git?

Originally I didn’t want IDEs doing stuff for me, now I absolutely do not want an LLM to have that power.

Is it really that unique to control what git does remotely?

reply
jwrallie 6 hours ago
You are not alone, for me, committing something means I am signing my responsibility for it. I may not type a password, but I am always the one pressing the enter key.
reply
ed_elliott_asc 6 hours ago
How do you stop Claude/opex from pushing or pulling without you asking?
reply
bel8 5 hours ago
For open-source agents, like https://pi.dev, it is as easy as asking it to create a plugin to stop the session or ask for permission whenever the LLM is trying to execute a commit command. I believe Claude and Codex also support plugins. Codex is open-source too.

Then you add one line in AGENTS.md stating the LLM should never commit, push or perform any write git operation without explicitly being asked to.

So in the very rare case that the LLM bypasses your instruction, you catch it red-handed and stop the session or allow it.

I always make the plugin stop the session because LLMs tend to try to circumvent textual block messages by doing nifty things like concatenating characters to build a bash script to execute the git commit command. Yes, I have seen it.

reply
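One way to enforce the rule above at execution time instead of by matching command text, as an added example that is not part of the thread or of any agent's own code: a Node script meant to sit ahead of the real `git` on the agent's PATH. The allowlist contents, the `GIT_GUARD_REAL_GIT` variable and the function names are assumptions made for this example.

```javascript
// Added example (not from the thread): decide on a git invocation from its
// argv, so the verdict does not depend on how the command line was assembled.

// Constructed, deliberately short allowlist of subcommands that only read.
// Anything else, including aliases and unknown names, is refused.
// Options that follow the subcommand are not inspected.
const READ_ONLY = new Set([
  'status', 'diff', 'log', 'show', 'blame', 'grep',
  'ls-files', 'rev-parse', 'describe', 'shortlog',
]);

// Global options that consume the next argument when written without '='.
const TAKES_VALUE = new Set(['-C', '--git-dir', '--work-tree', '--namespace']);

// Global options that change configuration or where git finds its programs;
// these are never passed through automatically.
const REFUSED_GLOBALS = new Set(['-c', '--config-env', '--exec-path']);

function classifyGit(argv) {
  let i = 0;
  // Skip leading global options to find the real subcommand.
  while (i < argv.length && argv[i].startsWith('-')) {
    const name = argv[i].split('=')[0];
    if (REFUSED_GLOBALS.has(name)) {
      return { decision: 'refuse', reason: `global option ${name}` };
    }
    i += TAKES_VALUE.has(argv[i]) ? 2 : 1;
  }
  const sub = argv[i];
  if (sub === undefined) {
    return { decision: 'allow', reason: 'no subcommand' };
  }
  if (READ_ONLY.has(sub)) {
    return { decision: 'allow', reason: `read-only subcommand ${sub}` };
  }
  return { decision: 'refuse', reason: `subcommand ${sub} is not on the allowlist` };
}

// Forward an allowed invocation to the real binary without a shell, so the
// arguments reach git exactly as they were classified.
async function runShim(realGit, argv) {
  const verdict = classifyGit(argv);
  if (verdict.decision !== 'allow') {
    console.error(`git-guard: refused (${verdict.reason}); run ${realGit} yourself if intended`);
    return 1;
  }
  const { spawnSync } = await import('node:child_process');
  const result = spawnSync(realGit, argv, { stdio: 'inherit' });
  return result.status ?? 1;
}

// Acts as a shim only when the path of the real git binary is configured.
if (process.env.GIT_GUARD_REAL_GIT) {
  runShim(process.env.GIT_GUARD_REAL_GIT, process.argv.slice(2))
    .then((code) => process.exit(code));
}
```

Install it as an executable named `git` in a directory that precedes the real binary on the agent's PATH and set `GIT_GUARD_REAL_GIT` to the real path. It only covers invocations resolved through PATH, so a credential prompt on every push, as described earlier in the thread, remains a useful second control.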
jwrallie 4 hours ago
I mostly program with Vscode/Copilot, where such commands require confirmation, but usually LLMs do not try it, since my prompts tend to be focused and not mentioning it.
reply
TacticalCoder 3 hours ago
They effectively altruistically tried to use steganography.

Now of course stego is hiding that you're hiding information.

So, seen that they were caught, a case could be made that they effectively altruistically failed at using steganography.

P.S: such a headline makes me think I'll cancel my subscriptions and try models like GLM / Deepseek and Kiwi that sound more interesting by the day.

reply
mohamedkoubaa 16 hours ago
Do they really think distillers are using Claude Code?
reply
quantum_state 13 hours ago
As people say, unchecked power corrupts. These big techs are all corrupt in their own way.
reply
epistasis 21 hours ago
After loving Claude Code for most of its lifetime, I've been extremely annoyed by every change in the past months, even on the model level.

There seem to be all sorts of continual under-the-cover changes like this one that make life harder. It feels like the entire product has been taken over by overly ambitious PMs that care more about making their mark than in improving the experience, and all of their marks have made me less productive.

I've been using Pi with GLM5.2 the past few days, and though it's expensive, I find it far more productive and less annoying. The remote session plugin is far more reliable, I don't need to intuit some undocumented usage pattern to figure out how to use it well, and it just works.

reply
whimsicalism 20 hours ago
curious for those with experience - what do people prefer about Pi vs. opencode alternatives? i've mostly been using pi as well but not out of any principled decision
reply
ern_ave 20 hours ago
Given the source code leak, I would think there'd be open source versions by now.
reply
lelanthran 8 hours ago
Given the fact that there's all these devs running around claiming a 10x productivity boost, I'm confused why Anthropic keeps thinking that a software client is some kind of moat.
reply
isoprophlex 20 hours ago
Huh, that's right! You'd say that an enterprising developer with a 20x subscription could slopmaxx this in a weekend...
reply
Imustaskforhelp 20 hours ago
> I've been using Pi with GLM5.2 the past few days, and though it's expensive

are you using the API for glm 5.2 or how exactly is it more expensive? How is GLM5.2 more expensive than using Claude code, that doesn't line up to my experience but to be fair I am on an older yearly subscription which generously only has 5 hour limits.

To be fair though one minor criticism of GLM 5.2 that I have is that it does seem to overthink quite a lot sometimes but the results end up being (good?),

I personally have used Glm 5.2 with (Opencode + obra/superpowers) / Oh-my-pi / Maki.sh

I like the 1st one when I am doing a longer project, the 2nd or 3rd one when I am doing a project which doesn't want me to ask too many questions and simply spin me up something. I sometimes use free online interfaces of claude and gemini and others like AIstudio for that as well which surprisingly can lead you to go far as well.

Overall, I am decently happy with the state of Open-source models actually and the eco-system around it is probably gonna have even more innovation surrounding it.

reply
epistasis 19 hours ago
I'm using OpenRouter for GLM5.2, but if there's a cheaper option out there I'd love to know about it!

In the few days I've been using it, my expenses have been higher than prorating my Claude subscription to 20 working days per month.

My experience with GLM5.2 is that it doesn't overthink nearly as much as Claude Code, has better and far more concise responses (I'm so siiiiick of 10 paragraph Claude babble trying to fill out some sort of answer length target by going on tangents I'm uninterested in... I'm sure that performs better on whatever eval they're doing, but apparently their evals don't include SNR?)

reply
Imustaskforhelp 17 hours ago
I think that there are some subscriptions to go by. Z.ai subscription might still be interesting. I once haggled with kimi to get it for 1$ per month. I can only help in providing pointers:

If you wish to go Non-API but rather subscription route: Z.Ai subscription/ Kimi subscription / MiniMax subscriptions are good. You could also take a look at ollama subscription and opencode subscriptions.

If you wish to go API route: Deepseek v4 pro /mimo v2.5 pro models are comparably good if your work can do that. Codex for all its failure and for as much respect that I had within Anthropic when they had fought against the govt. which Anthropic is slowly losing again by doing some pretty dystopian actions again so Codex subscription might make sense as well.

It depends on multiple things but hopefully i am able to provide some interesting things

If you wish to run models locally, unless you are specifically buying gigs for running them locally which is almost always about privacy rather than costs, then you are always better off with qwen models so if you got a 64-128GB laptop for example. You could run Qwen models and see where things go.

Hope this helps ya!

reply
epistasis 17 hours ago
Extremely helpful, thanks! I think I'll go the OpenRouter route for a while to explore various models, then weigh the option.

I do kind of like basing decisions somewhat on the API costs, because they reveal what the true costs will be after the eventual rug-pull on subscription pricing.

Even seeing the API costs of Claude Code today to a year ago are pretty eye-watering. I think there's a ton of room, at least for my workflows, to go back to far less capable models.

I've run local models in the past a bit, and explored LLM ops somewhat, and have zero desire to do it anymore, haha. It's fun as a hobby, but there's tons of other homelab stuff for me to play with.

reply
Imustaskforhelp 17 hours ago
Yeah I think that the API route model is good and it is at cost as it gets and there are some efficiencies which can be gotten from say how deepseek does its inference but at the moment as it stands, API prices are the most stable thing to go through and I wish you luck!

> I've run local models in the past a bit, and explored LLM ops somewhat, and have zero desire to do it anymore, haha. It's fun as a hobby, but there's tons of other homelab stuff for me to play with.

True. I personally haven't played enough because of my hardware being quite modest than even personal hardware recommendations but I have had some time playing with 350 (M with million!) models like the recent LFM model and very small qwen models. They are just experiments though but I would one day like to see even more standardized models that we could use on our laptops or desktops themselves.

> Even seeing the API costs of Claude Code today to a year ago are pretty eye-watering. I think there's a ton of room, at least for my workflows, to go back to far less capable models.

Yeah exactly. I would constitute that even by using GLM 5.2 as you are originally doing even with API costs is probably much more sustainable over long run as you are currently doing. And it keeps you away from the problems of proprietary models and issues surrounding that.

reply
an0malous 21 hours ago
Is this why Claude never knows what date and time it is right now?
reply
dkhcyx 10 hours ago
why did some people worry that DeepSeek’s new article last week could threaten public safety, while Anthropic’s marking request was seen as a normal defensive measure?
reply
est 12 hours ago
one thing I didn't understand in all this: why does Claude Code ship all the prompt stuff to the client at all? All these problems could be solved if many of the parts moved to the server side?
reply
brikym 15 hours ago
This kind of thing is not new. Cartographers have used fake geographical features for decades.
reply
jitbit 16 hours ago
Anthropic: let's embed super secret invisible undetectable unicode telemetry into our prompts

Also Anthropic: let's do this in JS

reply
a_c 22 hours ago
It piqued my interest. I think I’ve found a weekend project
reply
MangoCoffee 21 hours ago
The AI race right now is in a sad state. China's playbook is to release open weight models and train them on their own chips.

Anthropic pushes fear and control. But the only way to win is by innovating. China is flooding the market with cheap, good enough models, while the U.S. is building a Chinese firewall.

reply
solenoid0937 14 hours ago
They're trying to prevent China from reaching superintelligence, which is totally understandable when you consider the fact that the Chinese government will gladly turn its citizens into a pulp for criticizing it, censors most media to maintain absolute power, and has systemically tortured, raped, murdered, and/or disappeared most of its dissidents and human rights lawyers.
reply
cindyllm 14 hours ago
[dead]
reply
beren11112 11 hours ago
funny before when I ask claude what is your system prompt? It always rejects me. But I send claude this post and ask what others can you get? Claude saved everything on my desktop: Extract the documentary/interesting contents of the Claude Code binary: system prompt, tools, env vars, feature flags, endpoints, models, hidden/notable features.
reply
Klonoar 22 hours ago
If there weren't already enough tells that something is AI-generated, I guess you could add this to the list.
reply
sneak 19 hours ago
This is in the system prompt, not the output. It’s part of the request to the API, not the response.
reply
ahmedehab_01 22 hours ago
Frankly, I don't see this as the concerning behaviour the article describes. It is fine to try to protect against distillation through a technique like this. This will also allow them to, instead of blocking the distillation agents, respond with a poorer result/model, hindering the progress of distillation, momentarily at least.

I would guess that's their first line of defense; they should have more techniques to identify distillation because that's a very simple way of detecting the host and can be easily spoofed.

reply
applfanboysbgon 22 hours ago
> This will also allow them to, instead of blocking the distillation agents, respond with a poorer result/model,

i.e. this will allow them to literally commit fraud against paying customers

reply
SubiculumCode 22 hours ago
1st, this technique is not fraud, and fraud is a separate accusation. 2nd, paying customers can legally and legitimately be banned and monitored for breaking terms of service, which probably includes things like using the model against U.S. export restrictions.
reply
applfanboysbgon 18 hours ago
> 2nd, paying customers can legally and legitimately be banned and monitored for breaking terms of service

Yes, I said that. If a user is breaking your terms of service, ban them. Continuing to charge them while not providing the service they're paying for is, in fact, literal textbook fraud.

reply
solenoid0937 14 hours ago
No, it's totally legal to provide degraded quality of service to those breaking your ToS.

In any case this is not what is happening, but it is legal.

reply
applfanboysbgon 21 hours ago
Banning is completely different than charging for a service you're silently not providing.
reply
SubiculumCode 21 hours ago
Evidence?
reply
skeptic_ai 21 hours ago
So if I change my timezone to Shanghai I deserve to get banned? Or get shitty model instead of what I’m paying for?
reply
SubiculumCode 21 hours ago
Evidence?
reply
ahmedehab_01 21 hours ago
Do paying customers distill? Is it fraud to protect against distillers?
reply
chadgpt3 22 hours ago
That's what capitalism is all about, baby! Especially if the customers don't notice.
reply
dkhcyx 10 hours ago
why did people worry that DeepSeek’s new article last week could threaten public safety, while Anthropic’s marking request was seen as a normal defensive measure?
reply
ductsurprise 22 hours ago
Is it just a minified localization(l10n) function maybe?
reply
mattlondon 7 hours ago
+1 my immediate thoughts about the date parts was this sounds a lot like localisation things that are totally normal and seen everywhere.

But there are some wrinkles - why only two timezones and not others? E.g. US-vs-rest-of-world month-vs-day etc.

Could just be some bad tree-shaking or simply a left over bug/merge issue if I am being generous.

If I was going to put secret steganography things in my models I'd just do it in the model response rather than a relatively low bandwidth date stamp in the SI.

reply
plasticeagle 6 hours ago
Why oh why, please why, did you use AI to write this? It's about five times longer than it needs to be. It repeats itself over and over again. It's agony to read.

Please, just write normal English that we can read. Please, for the love of god, respect our time and the attention we will be spending on the text you provide.

Anyway, one can scarcely be surprised that the AI companies are being dishonest in their tools. They're consistently dishonest in their marketing. They're famously dishonest in their financials. Why anyone trusts these people with anything is entirely beyond me. But here we are - people handing over their creativity, their productivity, to these things.

You don't have to. You didn't need these tools before, when you were creating content, when you were writing code. You don't need it now. Fight back. Stop using it. It's not hard. It's easy.

reply
dejli 9 hours ago
This company has long lost trust for me, we would find another way.
reply
puttycat 16 hours ago
A periodic reminder that companies are paperclip optimizers that will stop at nothing to protect their profits and existence.

If you are developing anything in AI or related domains that is of immediate value and/or in competition with Anthropic (and the like), DO NOT use a CLI programming agent. Preferably obfuscate your code and gut it of sensitive IP before showing it to agents. Do not trust the dont-train toggle.

reply
AtNightWeCode 19 hours ago
Sounds to me more like a test. Put something into the client and see what happens. If you really want to stop token sharing just ask Claude how to do it.
reply
anonym29 19 hours ago
>the binary that ships it should be boring (ƒor example, pi harness)

pi's "minimal" coding-agent has a total of 132 transitive dependencies spanning 153 maintainers.

While I understand JS developers in the JS/NPM ecosystem think this qualifies as minimal, it most certainly does not, from a supply chain security perspective.

reply
phendrenad2 21 hours ago
reply
hhh 22 hours ago
Cool fingerprinting avenue.
reply
__msh__ 18 hours ago
Anyone else noticed the tailed ƒ Easter egg?
reply
Biganon 15 hours ago
I did notice the tailed f, but what makes it an easter egg? I thought it was just a funky ligature
reply
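A way to check text for characters like the tailed ƒ quoted above, or for code points that do not render at all, as an added example that is not part of the thread or the linked article: a JavaScript scanner that reports invisible format characters, non-ASCII spaces, and non-ASCII letters embedded in otherwise ASCII words. The categories, function names and the second sample string are constructed for illustration and assume nothing about which characters Claude Code actually emits.

```javascript
// Added example: surface characters that are easy to miss by eye in a piece
// of text (a prompt, a request body, a log line).

// Words, kept whole even when a format character is embedded in them.
const WORD = /[\p{L}\p{M}\p{N}\p{Cf}]+/gu;
const ASCII_LETTER = /[A-Za-z]/;

function codePointLabel(ch) {
  return 'U+' + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, '0');
}

// Format characters (zero-width space and joiners, BOM, bidi controls, tag
// characters) and variation selectors take up no visible width.
function isInvisible(ch) {
  return /[\p{Cf}\u{FE00}-\u{FE0F}]/u.test(ch);
}

// A non-ASCII letter that is not simply an accented ASCII letter
// (e.g. U+0192 or a Cyrillic letter, but not U+00E9).
function isForeignLetter(ch) {
  return /\p{L}/u.test(ch) &&
    ch.codePointAt(0) > 0x7f &&
    !ASCII_LETTER.test(ch.normalize('NFD')[0]);
}

// Returns findings sorted by position; index counts UTF-16 code units.
function scanText(text) {
  const findings = [];
  let index = 0;
  for (const ch of text) {
    if (isInvisible(ch)) {
      findings.push({ index, char: codePointLabel(ch), kind: 'invisible' });
    } else if (/\p{Zs}/u.test(ch) && ch !== ' ') {
      findings.push({ index, char: codePointLabel(ch), kind: 'odd-space' });
    }
    index += ch.length;
  }
  for (const match of text.matchAll(WORD)) {
    const word = match[0];
    // Words with no ASCII letters are ordinary non-English text, not a mix.
    if (!ASCII_LETTER.test(word)) continue;
    let i = match.index;
    for (const ch of word) {
      if (isForeignLetter(ch)) {
        findings.push({ index: i, char: codePointLabel(ch), kind: 'lookalike-letter', word });
      }
      i += ch.length;
    }
  }
  return findings.sort((a, b) => a.index - b.index);
}

// Rewrites the text with every flagged character shown as <U+XXXX>, which
// makes two captures of the same prompt easy to diff.
function reveal(text) {
  const flagged = new Set(scanText(text).map((f) => f.index));
  let out = '';
  let index = 0;
  for (const ch of text) {
    out += flagged.has(index) ? `<${codePointLabel(ch)}>` : ch;
    index += ch.length;
  }
  return out;
}

// Sample 1 is the phrase quoted in the thread; sample 2 is constructed.
const SAMPLE_QUOTED = '(ƒor example, pi harness)';
const SAMPLE_CONSTRUCTED = "Today's date:\u00A02025-01-15\u200B";

console.log(reveal(SAMPLE_QUOTED));
console.log(reveal(SAMPLE_CONSTRUCTED));
```

The letter check is a heuristic: legitimate words that mix scripts or use letters such as ß are reported too, so findings are prompts for review, not verdicts.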
Uptrenda 14 hours ago
"I think this could have been explicit. Developer tools can enforce terms. API providers can detect abuse. Companies can protect their models."

Literally, how. How does one determine what abusive use looks like for the API without context into the client? All requests look like the same stuff. If there was a better way then they would have done it. Or is the author hoping that if Anthropic writes "hey china, please don't steal our models, kthanks" they won't? Like get real. This stuff means nothing in China. China can't even manage to regulate their building industry enough to use real concrete where it's warranted.

reply
theplumber 22 hours ago
The more I learn about Anthropic the more they disgust me. Fingers crossed for all the companies from their “ban list”
reply
conception 22 hours ago
Which AI company have you learned more about where you liked them more as more details came out?
reply
tancop 21 hours ago
nous research. started out making overhyped llama finetunes, now they got a great agent harness and a cutting edge distributed training network that actually works.
reply
nmfisher 14 hours ago
I haven't tried their Hermes agent yet, because I only want a coding agent and I wasn't sure if theirs was suitable. Would you recommend it?
reply
selfhoster11 21 hours ago
Moonshot.
reply
chvid 21 hours ago
Deepseek.
reply
ZappoMan 20 hours ago
One more example of "I thought Anthropic was supposed to be the good guys."
reply
mosfets 21 hours ago
I clicked the link to learn what steganography means...
reply
LoganDark 21 hours ago
Steganography is, essentially, hiding information within another message, such that it's not readily apparent that the message contains the information.
reply
SaaShack26 21 hours ago
I use its too
reply
ForHackernews 18 hours ago
>Developer tools can enforce terms.

No they can't, because developer tools run on developers' machines. You can't trust your code running in an environment you don't trust.

reply
luxuryballs 19 hours ago
I can just as easily imagine non-nefarious reasons for this from a “being clever” standpoint.
reply
bibimsz 21 hours ago
this is the one they wanted us to find
reply
827a 21 hours ago
This seems really, really stupid. Similar to the weird Zig runtime signature thing from a few months ago, it was bound to be discovered, quickly, and all the resellers have to do is find a new domain name that (checks notes) doesn't have the word DEEPSEEK in it. Like, seriously? Your goal was to identify resellers by checking if the proxy has the corporate name of one of your competitors in it? Is this amateur hour?

All Anthropic has done is reduce trust, once again, with legitimate customers, while doing nothing to stop illegitimate customers. They need to get adults into key leadership roles, quickly.

reply
timmytokyo 19 hours ago
To Claude Code: "Please modify Claude Code to mark requests in a way that is not immediately obvious to a human user. Requests should be marked if they originated from one of the following Chinese AI labs or LLM service providers: ..."

Consider also that Claude Code is explicitly designed to limit human agency [1].

[1] https://neuromatch.social/@jonny/11635101584259395

reply
bitlad 21 hours ago
Silicon valley season 6 was on point.
reply
wolttam 22 hours ago
I used Claude Code for a month because my boss gifted me a sub and wanted me to try it.

I used that month to complete a work project and then beef up my personal harness so I'd never have to deal with Anthropic (and these sorts of shenanigans) again.

reply
thih9 22 hours ago
How do people build something like a personal harness? Are there tools for that or is it done from scratch?
reply
andai 21 hours ago
I like this tutorial for an agent in 50 lines:

http://minimal-agent.com/

And if you add one additional while loop, for user input, you can actually use it! :)

https://gist.github.com/a-n-d-a-i/5461a662ef8a7ee0a5eb7778c8...

reply
nowittyusername 22 hours ago
Build it from scratch. Understanding the fundamentals of how agentic coding harnesses work is a must though if you're gonna go that route. I think everyone should take time and learn these things, maybe reverse engineer Codex Cli or something like that as a starter. That info is very valuable in this day and age.
reply
andai 21 hours ago
Can you say more about Codex? I'm using GPT-5.5 in my own harness and it's not liking it very well, so I'm thinking I ought to make it more Codexy so it's more ergonomic for it. (edit format, tool calls etc.) But haven't gotten around to it yet.
reply
nowittyusername 13 hours ago
In short it's a good idea to have tool calling be closely representative to what the model expects as these models are tuned to their own preferred way of doing things, it will surely save you lots of time. The disadvantage is that now your harness system is not as model agnostic as you would like and also you will have to keep up in changing landscape by adapting the tool calling structure with major updates for best results. It's a personal decision you will have to make for yourself. Personally my harness system uses its own way of doing tool calling as I am trying to experiment with simpler tool schemas that also work for smaller less intelligent models but I have yet to do enough A/B testing to say that is a smart approach. As time goes on I think the smart thing to do might be to set up an adapter type of module that changes its tool schemas based on underlying model used for the agent. This preserves optimal behavior patterns with little investment from me. You might have to adjust system prompt in some minor ways as well so keep that in mind. As far as Codex, I prefer it as I like the way OpenAI does things in that harness system (the spirit if you will), there are interesting tidbits I always find and while I don't usually use them for my own harness system they are inspirational in other ways. You can gather what the devs were trying to achieve with certain implementations.
reply
andai 58 minutes ago
Thanks. Yeah I noticed that models react very differently to the same harness. I've had small models that do great and big ones that fail in weird ways.

Generally the smaller ones are less flexible, but they're much cheaper and faster so, I try to design for the smaller models.

One thing I noticed is that if you get the loop fast enough, the work starts to feel different. It becomes real time and interactive. As opposed to the usual feeling of, having to wait a few minutes every time.

Another thing I noticed is that even very small models are capable of making many edits simultaneously. But most harnesses don't seem to design for that. Even editing one file they have to do a whole bunch of turns.

Whereas you can just edit several files in a single LLM call and it just works fine. So you get an order of magnitude speed up, as well as a reduction in costs.

reply
hakunin 22 hours ago
Not the comment author, but I use pi and customize it with my own extensions. Pi automatically tells models how to customize itself, so it's a pretty easy process.
reply
abtinf 21 hours ago
Here is a video I made explaining it from absolute basics:

https://m.youtube.com/watch?v=_AgKuFGvJfI

And the repo:

https://github.com/abtinf/homunctor

reply
airhangerf15 19 hours ago
I hope you've already invalidated that bearer token :-P
reply
abtinf 17 hours ago
Of course.
reply
wolttam 22 hours ago
I started mine from scratch in 2023 because I wanted to use LLMs from a terminal and there was nothing else compelling at the time (nowadays there is pi and opencode)

Harnesses are/can be incredibly simple things, not much more than a HTTP client that renders things in a way that suits your taste.

reply
kolinko 22 hours ago
It’s not that difficult, it’s just a system prompt and a set of basic file edit/bash/etc tools.

Me, personally, I didn’t build it from scratch but I ported original CC from published sources into Python and extended it to match my own requirements.

reply
andai 21 hours ago
Are you using it with Claude? They only allow their own harness with the subs right? (And per-token billing is like 10x more expensive?)
reply
yomismoaqui 21 hours ago
Building something like this is the todo list of agents.

I found this one easy to understand:

https://ampcode.com/notes/how-to-build-an-agent

reply
AJ007 21 hours ago
The real question is when do you transition from building it with codex/CC to the harness itself.
reply
verdverm 19 hours ago
Lots of ways, it's a good exercise that you will learn a lot doing. Might make you cynical w.r.t. big ai harnesses

I used ADK, Dagger, and a VS Code extension for mine. Currently using opencode though.

reply
echelon 22 hours ago
Why use a personal harness?

You have to pay API pricing, which is far more costly.

I'd either switch to GLM wholesale or just continue to use Opus within Claude Code as the blessed, subsidized path.

reply
JTbane 21 hours ago
I would guess it is to avoid model lock-in.
reply
echelon 21 hours ago
My question is still this - why not just use GLM at that point?

The pricing of Opus outside of Claude Code is insane.

The tokens cost too much outside of Anthropic's blessed path.

reply
andai 21 hours ago
I use GLM in my custom harness. It completes the same tasks at the same level of quality, except 8x faster and 8x cheaper. (Same goes for GPT!)

I'm not sure how that's possible. I expected to get increased correctness for that order of magnitude (something something test-time compute!) but I am not getting it.

reply
WinstonSmith84 19 hours ago
Yes, this is actually "funny" that Anthropic feels the need to build such intrusive features into Claude Code, when anybody can build a (basic) Claude Code alternative. And the Chinese labs are certainly not "anybody". One may wonder what Anthropic really tries to achieve aside from awful publicity.
reply
krupan 21 hours ago
Given the Anthropic shenanigans, do you trust the personal harness code it wrote for you?
reply
wolttam 21 hours ago
It did not write it for me, I used it to add a feature I wanted. It's a pretty small and understandable codebase, in fact :)
reply
MichaelZuo 21 hours ago
Does anyone know what’s gone wrong with Anthropic?

They used to be a decently credible company with not-too-shady behaviour...

I hope they can actually regain some credibility…

reply
hombre_fatal 21 hours ago
I don't think many people care that they are trying to detect resellers and distillation.

It also doesn't seem very consistent to fixate on that while sending Anthropic everything about you via your day to day prompts, every line of the projects and environments you're working on at work, etc.

Their credibility comes from having one of the best models.

reply
MichaelZuo 21 hours ago
This sounds similar to what people were saying regarding Microsoft when the shady tricks of consumer Windows 10 versions were revealed.

…And then Windows 11 became even worse.

reply
satvikpendem 20 hours ago
When have they ever been credible? They have always been shady with their talk of safety, Dario was the one who wrote back in 2019 that GPT 2 was too dangerous to release.
reply
slowmovintarget 21 hours ago
Their philosophy is what's gone wrong.

It has some good effects on their models, like Claude seeking cooperation first. But the people behind the company have a typical "unconstrained" (in the Sowell vision sense) perspective that assumes that they know better, so they are righteous for attempting to control things (users, paying customers, their model outputs, their tool chain, the supposed deity they assume they will produce... etc.)

reply
pishpash 21 hours ago
Amodei world: pompous zealot with God complex

Altman world: malfeasant nihilist with God complex

reply
MichaelZuo 21 hours ago
Yeah I guess there is a slight undertone that they are the superiors… with the rest of the tech world being the inferiors.

But I hadn’t thought that as anything more than temporary flights of fancy.

reply
AlexandrB 21 hours ago
They've only been around 5 years and have grown tremendously during that time. There's no stable reputation you can rely on yet.
reply
skeptic_ai 21 hours ago
They just show their true face. You’ve been lied to all this time. They were never “good”.
reply
MichaelZuo 21 hours ago
I used to interact with the LW crowd… and they were mostly not outright swindlers or scoundrels. (from what I could sense)

I think it’s fair to say most had decent respectability.

Anthropic hired heavily from that pool so it’s astonishing how it turned out.

reply
solenoid0937 14 hours ago
Everything they do is understandable if you think they are being honest when they say they're building superintelligence.

In this case they want to prevent a nation that censors its citizenry, puts/disappears dissidents into concentration camps for decades, and makes its own human rights lawyers literally eat their own shit, before raping and/or murdering them, from reaching superintelligence.

In this light, some client side code to potentially identify and ban the Chinese labs to slow them down by even a few days, is totally reasonable.

reply
skeptic_ai 10 hours ago
And do a -10 in their reputation. Plus blow up on hn first item on home page. I’m sure they are not very happy about this. And the sentiment of the people is going more negative by the week.

I have a feeling they will eventually drop the facade of “we’re the nice and ethical people” and will work with palantir so they can survive the future: ipo and models bans.

reply
solenoid0937 9 hours ago
I doubt Anthropic cares about the HN front page.

They've done a bunch of things that hurt their valuation to stick to their red lines. To me it just reads as unsupported cynicism to call it a facade.

reply
skeptic_ai 55 minutes ago
At that time it made sense to stick to keep the image. But eventually money > image. I have no doubt they will do whatever it takes to keep going. Even if that means killing people.
reply
solenoid0937 32 minutes ago
It's extremely bizarre to think Anthropic of all companies will kill people, given that they are probably the only tech company in the modern era that has demonstrated some moral backbone, even under threat of being shut down. But you do you.
reply
imhoguy 21 hours ago
Enshittification. Too big to.. upset the govt.
reply
helloplanets 20 hours ago
The issue is that using Claude Code is an easy compromise for most to make, when you get to use the models 10x cheaper than through API pricing with a custom harness.

The cheap tokens are the product.

reply
nananana9 20 hours ago
Which is why my vibeslop harness supports `claude -p` as one of its backends.
reply
helloplanets 20 hours ago
If that ain't getting steganographically tagged...
reply
nananana9 3 hours ago
With Anthropic I already assume the contents of every request I send are stored forever in a table that looks more or less like USER_ID, REQ_IP_ADDRESS, ACCOUNT_CREDIT_CARD_NUMBER, REQ, RESP.

I'm fine with that, chances are that Claude will delete this table behind Anthropic's back and give them an essay about why what they're doing is immoral.

reply
tonmoy 22 hours ago
What models are you using? Aren’t you still dealing with some provider even if you are not using their binary?
reply
wolttam 22 hours ago
I self-host DeepSeek V4 Flash on 2 DGX Sparks (approx. $10k)

I expect DeepSeek V4 Flash (or an equivalently sized model) to reach parity with GLM 5.2 some time this year (this based on DeepSeek V4 Flash launching at GLM 5.0 parity[0], and GLM 5.2 being freely available to distill from)

GLM 5.2 is within spitting distance of Opus 4.8 and is at least as good as Opus 4.6[1] which some devs were willing to spend hundreds to single-digit thousands of dollars a month for a few months ago.

[0]: https://artificialanalysis.ai/models/comparisons/deepseek-v4...

[1]: https://artificialanalysis.ai/models/comparisons/claude-opus...

reply
ipsod 21 hours ago
How fast is it?
reply
wolttam 21 hours ago
2000 t/s prompt processing and 40-50 t/s generation. We should see 60-70 t/s generation with DSpark support solidifying in vLLM in a few days

Recent discussion on DSpark: https://news.ycombinator.com/item?id=48696585

reply
SubiculumCode 22 hours ago
[flagged]
reply
tiahura 22 hours ago
Phased rollouts are a triggering microaggression for some.
reply
TZubiri 20 hours ago
based and steganopilled
reply
ajross 22 hours ago
Headline is, frankly, awful. This isn't the AI secretly doing stuff and hiding it. This is the very human Anthropic engineers trying to detect Chinese scraping via some frankly hamfisted and unimaginative URL trickery.
reply
krupan 21 hours ago
I didn't assume it was the AI, just that some part of the overall Claude Code product was doing this. I didn't assume the feature was added to Claude Code without human oversight. If it was added by Claude-the-AI itself without the humans prompting it to I would still hold the humans at Anthropic responsible. Does that make you feel better?
reply
zulban 21 hours ago
Defence in depth isn't hamfisted. They're only noobs if this is all they do.
reply
ajross 20 hours ago
FWIW: Defense in depth is a security technique, and abuse detection isn't part of that domain. Security starts from the premise that the system is supposed to be undefeatable but might have holes, and then asking where the holes might lie to decide where to put backstops.

Here the system is "insecure" by design (literally they're trying to get the whole world to sign up for Claude Code for $200/month!) and they're trying to plug the hole that results from a "Except for Chinese Scrapers!" add-on requirement. That might be possible as an arms race kind of thing. But it's very unlikely to work by (as in the linked article) doing stuff like checking the system time zone.

reply
LoganDark 21 hours ago
The model is Claude. Claude Code is the harness.
reply
Beigale 19 hours ago
[dead]
reply
DobarDabar 4 minutes ago
[dead]
reply
grayhatter 22 hours ago
Here's the sha of the prompt I submitted... no I don't know why there are no saved prompts with that sha.

What do you mean you don't know where the bug is coming from?

No, I absolutely didn't make it up, how could you accuse me of that?

Does anyone know when this regex isn't working? I double checked it 27 times, I even asked the LLM. They all say this regex should be finding these dates.

Weird, suddenly all the conversations are breaking when I feed them into this other tool? Something about UTF-8 errors, but I'm sure I'm only using ASCII?

I do try to take care to make sure the things I build can be used by other people even when they care about different things. I care about understandability, determinism (as it relates to computing), and repeatability (because I want to be able to trust the systems I use).

If y'all would be willing to try to account for use cases of others, and try not to break them... that would be nice.

Please note: that generally when you modify something that belongs to someone else without telling them... things should be expected to break.

reply
christinetyip 2 hours ago
[dead]
reply
SubRadar 3 hours ago
[flagged]
reply
Srikann 3 hours ago
[flagged]
reply
holdhope 4 hours ago
[dead]
reply
impartshadow 15 hours ago
[flagged]
reply
throwawayffffas 7 hours ago
[dead]
reply
maxothex 22 hours ago
[flagged]
reply
gmziven 19 hours ago
[dead]
reply
docproof 19 hours ago
[dead]
reply
SadErn 10 hours ago
[dead]
reply
123sereusername 22 hours ago
[dead]
reply
rowanG077 16 hours ago
[dead]
reply
saddlerustle 22 hours ago
[flagged]
reply
dwa3592 22 hours ago
this seems a bit extreme. pangram does not work. i have tricked it multiple times. i don't get how people are still trusting these systems.
reply
dylan604 22 hours ago
it's just a different car on the hype train
reply
dewey 22 hours ago
Source: Other AI
reply
midtake 22 hours ago
[flagged]
reply
gonzalohm 22 hours ago
Is it worse than the companies that built the agent and gave no credit for the data they used?
reply
matheusmoreira 22 hours ago
Why would you give free advertising to trillion dollar corporations?
reply
axutio 22 hours ago
Would you also say that "someone who wants to use an IDE / LSP features to code and not give credit to the IDE / LSP is the worst kind of person"? If not, what is the difference between the two for you?
reply
dylan604 22 hours ago
one wrote code while the other is used by meatbags to write code. why is this example always marched out like it means something?
reply
zahlman 22 hours ago
> one wrote code while the other is used by meatbags to write code.

One is not a "meatbag" while the other is not a "meatbag". And no, outputting something on stdout that happens to function as code is not "writing" it in the sense that we actually care about here. That's conflating the metaphor we use in describing program behaviour with the actual "meatbag" activity.

> why is this example always marched out like it means something?

Because it obviously does.

reply
LPisGood 22 hours ago
Almost all ways of creating programs are effectively just using tools to produce code. Compiling, transpiling, interpreting byte code, etc.
reply
dylan604 22 hours ago
again, that's not what we are talking about here. we have humans writing code using an IDE. we have LLMs generating code that is placed in the IDE. why are people obtuse to this? why are bots obtuse to this?
reply
LPisGood 20 hours ago
We have humans writing code using prompts. We have interpreters generating byte code that is placed in the JVM. I don’t think it’s obtuse to look at it this way.
reply
khuey 22 hours ago
Claude didn't "write" anything until a meatbag told it to.
reply
dylan604 22 hours ago
My employer didn't write anything until they told me to.
reply
palmotea 22 hours ago
> Would you also say that "someone who wants to use an IDE / LSP features to code and not give credit to the IDE / LSP is the worst kind of person"?

That's a false equivalency.

> If not, what is the difference between the two for you?

Let's start this out right: if they're equivalent, first you explain to us why you think so.

reply
zahlman 22 hours ago
> That's a false equivalency.

How is it false?

> Let's start this out right: if they're equivalent, first you explain to us why you think so.

I think it should be really obvious how they're equivalent: both are the result of a program running on a computer, and not the result of in-the-moment cognition by a moral agent or moral patient. Of course the LLM is just a tool. Models can literally be downloaded as ordinary files. There is not some threshold to cross where some configurations of bits on a disk deserve "credit" for work and others do not.

reply
palmotea 22 hours ago
> I think it should be really obvious how they're equivalent: both are the result of a program running on a computer...

In fact it's really obvious everything is equivalent: it's all just matter and energy!

> Of course the LLM is just a tool. Models can literally be downloaded as ordinary files. There is not some threshold to cross where some configurations of bits on a disk deserve "credit" for work and others do not.

Of course there is such a threshold. And it's definitely been crossed when the "tool" can operate autonomously or nearly so, when it can generate the "creation" with minimal operator input or understanding.

Your classic IDE can't do anything without the detailed control of its operator. It's nothing like a coding agent.

reply
axutio 21 hours ago
I just don't agree that it's a false equivalency. I see them both as "tools I use to get the job done". For me, the job is not "writing code" - it is "deliver feature", "fix bug", and the accountability, responsibility, and communication that comes with it.
reply
palmotea 21 hours ago
> I just don't agree that it's a false equivalency. I see them both as "tools I use to get the job done". For me, the job is not "writing code" - it is "deliver feature", "fix bug", and the accountability, responsibility, and communication that comes with it.

Hello, Tom Smykowski. You have people skills!

https://www.youtube.com/watch?v=hNuu9CpdjIo

reply
axutio 20 hours ago
A lot more durable than software engineering in this day and age...
reply
jazzyjackson 22 hours ago
Should I credit Microsoft with my perfect spelling as well ?
reply
fg137 22 hours ago
And your comment is completely irrelevant to the article's content.
reply
atonse 22 hours ago
[flagged]
reply
Maken 22 hours ago
If scraping content is legal, model distillation should be legal too.
reply
palmotea 22 hours ago
> If scraping content is legal, model distillation should be legal too.

No, because legality should be determined by what's in the best interests of Anthropic and OpenAI's business models.

Hopefully they're working on RLHF their models to insert clauses making that reality clear into any legislation their models generate or review. That way it's only a matter of time until the confusion is cleared up.

reply
thewebguyd 21 hours ago
I suppose model distillation is technically legal, in terms of copyright, because LLM output is automatically public domain.

It's only "illegal" from a standpoint of breach of contract given it's against the terms of use/service, which is to say it's not illegal at all, there's no criminality there.

reply
atonse 21 hours ago
Yeah I considered whether I should use the term "illegal" in my original post, but in this case, I believe these models are actually banned for use in China, right? Like there are probably export controls (at least with the NVidia chips)

I honestly don't know ... yeah if it's just technically a terms of use violation (which isn't illegal, just a violation of one company's rules, for which Anthropic has every right to stop), or do we now have export controls applied from the various government actions, etc making them truly illegal now.

reply
thewebguyd 20 hours ago
we have global export controls on Fable/Mythos, and I think (but I'm not 100% sure) that other frontier models are illegal for a US company to provide to China. So Anthropic geoblocks it, but unlike Mythos/Fable, non US citizens can still use Opus, etc just not from within China.

But because of the public domain status of LLM output (in the US) I'm not sure paying someone to run a bunch of prompts through Claude, post the output on a public website and then have a lab in China pull that output, would run afoul of any laws. I think that would be legal on a technicality. AFAIK Anthropic has no ban in its terms of use that you can't share Claude's output publicly. You still need interactivity for distillation, but I don't think (for now) there's anything stopping a Chinese or other lab from sending people to the US, signing up for a Claude subscription and doing the work stateside.

Distillation is pretty much impossible to stop. The US GOV would have to go the full export controls route like they did for Fable/Mythos to stop any non-US citizen from using/accessing the model, which is going to be impractical if not impossible to enforce.

reply
android521 22 hours ago
There are so many China born Chinese employees at Anthropic and OpenAI and I think quite a lot of them have already been recruited as spies. So it is almost impossible to keep secrets from Chinese government.
reply
matheusmoreira 22 hours ago
> steal the models or illegally distill them

The irony.

reply
botfriendsarent 22 hours ago
At what point though doesn't somebody stand back and say "wow, that's really dumb!" I think it's probably more an indication of a dev having too much time on their hands rather than being in a hurry.
reply
dofm 22 hours ago
Not totally new territory; there was a highly compressed period of panic about encryption 35 [0] years ago:

https://en.wikipedia.org/wiki/Pretty_Good_Privacy#Criminal_i...

[0] f**k I'm old

reply
bakugo 22 hours ago
> steal the models or illegally distill them

Oh no, they're trying to steal the models that were trained on stolen data? That's horrible, I feel so bad for Anthropic.

reply
felipelalli 21 hours ago
Ridiculous.
reply
teravor 20 hours ago
the Chinese they are trying to catch must be amateurs, first thing you should do is construct a sandbox which looks indistinguishable from a common user. second thing is to put it behind a residential proxy.
reply
love0972 22 hours ago
Is that really how it is? How will this affect our future?
reply
jurschreuder 9 hours ago
Nobody trusts the Chinese that's the problem, not that people don't trust Claude.

Why was this person from Hong Kong going through the details of Claude code for obvious security reasons? There are some other obvious reasons that come to mind.

Maybe it's an eye opener for this person how much the trust in Chinese companies has eroded in the West.

Even if they suddenly stop stealing IP, which this "security research" article would certainly not suggest is happening, it would be a very long time before trust is restored.

reply