There are some commenters in this thread downplaying the severity of a service provider being less than transparent about exactly what their shipped tooling does on customers' machines.
That the provider's business needs necessitate this behaviour doesn't justify their lack of honest disclosure. That honest disclosure would render the solution to their problem useless isn't my problem. If anything, that they thought this was acceptable makes me wonder what else they're harvesting from my machine? PII?
The cynic in me can't help but feel that the state of these comments reflects less on the commenters' views of this debacle and more on their feelings about AI/Anthropic/America/what-have-you.
First it's the "Chinese", then it will be people using "cyber" capabilities, or "jailbreaking", or "going against Dario", or any other thing they find "objectionable".
Whether or not you find Anthropic's behavior bad, they have been very loudly stating that foreign labs have been distilling their models for a while now. This seems like an obvious response to me, a mechanism to make that obvious.
From my understanding, distilling the model with another model is not illegal per se. Also, the output of the LLM is public domain by law, too.
So, why all this "effort" to protect the model? This is a free market, and moving fast and breaking things is the norm.
If they are so adamant on protecting their IP, maybe they can start by respecting others' IP, so we can start talking about ethics, equality and playing fair.
> distilling the model with another model is not illegal per se.
Just because it is legal, that doesn't mean Anthropic wouldn't reasonably want to prevent that from happening (which, from my understanding, isn't illegal either).
I love the asymmetry. When the small fish tries to protect itself, the big fish hits it with the "It's not illegal" pole.
When the small fish points out that what the big fish is crying about is "not illegal", the big fish has the right to be above the law and prevent the problem itself.
Having values requires equality. They have lost the right to cry foul when they trained their model with "but it's fair use" card. Life works by reaping what you sow. Now they are at the reaping stage.
Much as I hate to defend companies climbing to success and pulling up the ladder afterwards, this asymmetry you note is kind of the whole point of why a company would want to grow big. Growing an organization has some super-linear costs and generally sucks for most individuals living through it - including the management - but it's still considered worth it, precisely because big entities can do things small entities cannot, and escape the threats from smaller competitors.
It's so basic it's actually part of the reason we exist, and animals of various sizes exist, and generally why evolution didn't stop at single-cellular life.
> They have lost the right to cry foul when they trained their model with "but it's fair use" card. Life works by reaping what you sow. Now they are at the reaping stage.
Yup. Except what they're reaping is insane cashflow and ability to pull stunts like these. We can call out the hypocrisy until our throats run dry, and in ideal fantasy land this would've meant something, but here in the real world, they sow the seeds of success, and now are reaping the right to be hypocritical and continue to get away with it.
"It's not illegal" is only an argument against lawsuits / law enforcement involvement. Those PoW anti-AI things people put on pages aren't illegal either.
No. From my interactions, I have understood that some people use the same argument to wash their consciences from any guilt. What they do is unethical, but not illegal, and they hide under the same argument to drown the ethical angle.
In other words, being honest to oneself is important.
Anti-scraping measures people utilize are neither unethical nor illegal. That’s the difference.
I’m still frequently shocked by the entitlement people feel to other people’s work/ideas/data/bandwidth/server load, to feed a multi-trillion dollar industry. I find the totally cynical “well when you’re making an omelet…” types to be a bit pathetic, but I understand their motivation— they’re simply greedy. But I just can’t understand the genuine indignation about people attempting to limit or stop ingestion of their own work, even if it’s just for the bandwidth costs. Go ingest your own shit.
The code is not eligible for copyright. If they do not give you a copy of the source code, that does not matter. And if you don't know which parts were generated by LLM, you can't safely reuse the code.
> And if you don't know which parts were generated by LLM, you can't safely reuse the code.
I speculate this could be a real issue in future copyright infringement lawsuits.
The plaintiff bears the burden of proving that the code they claim is copyrighted by them actually is copyright. If it is known that large parts of it were generated by LLM, they’d need evidence to demonstrate sufficient human input to establish copyrightability. If they’ve kept highly detailed traces of the development process, that could be rather straightforward; if they haven’t, it could be really difficult.
Now, that’s true in the US, which never accepted mere “sweat of the brow” as a basis for copyright; the UK courts have, and most of the Anglosphere follows the UK on this more than the US.
The other factor: when dealing with an (almost) trillion dollar corporation, even if you’ll win the legal argument, they may bankrupt you with legal fees before the argument is ever properly heard.
But I suspect the precedents on this topic are going to be established by lawsuits involving far smaller actors.
(IANAL and I speculate only for myself, not any present, past or future employers.)
The article seems to state as much minus the obfuscation. However justified they are to respond, this can be a slippery slope. We're bound to hear more reports of hidden user data exfiltration.
oh no, the company that illegally used every possible media they could get their hands on is crying that some other company is doing something potentially shady but not illegal? And using that excuse to put in place hidden surveillance systems on their customers?
People keep throwing this idea around haphazardly, but U.S. courts have pretty consistently decided that training on copyrighted works falls under fair use. You may not like it, but that doesn't make it "illegal".
You have to admit that "downloading every book ever written for free from a repository of books that is itself illegal to compile and to run, in order to write a text generation tool" being legal is at least unintuitive, to put it mildly.
It wasn't, that's why they paid a >billion-dollar settlement over it, and now license/purchase them. I don't know if the people distilling are licensing those books/etc today, though
The courts have never said piracy, which is how the training sets were originally built, is legal. There are several court cases still ongoing over this.
There are plenty of good reasons to not use Anthropic's services. If you don't like their terms of service, do stop using them! I personally think Anthropic's increasingly successful attempts at regulatory capture are even more distasteful.
Oh Anthropic has shown their ugliness in more ways than one, I agree. You have to have done some pretty heinous shit for OpenAI to look good in comparison.
What does that have to do with CC? I'm not commenting on that being good/bad/legal/illegal, but CC is separate from the models. If they really are doing this maliciously it is because they are trying to ignore my 'CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1' flag (if that still means anything).
The obvious response is the realization that spending trillions on training LLMs is not a viable business model if they can be distilled for a much lower cost.
So they’re watermarking requests according to your environment variables and maybe changing a string format if you’re in a certain time zone? Am I missing something here? Where’s the five alarm fire?
That's true, I am less familiar with the workings of cloud services than some are (as relevant as that may be in a discussion about a client that users run on their local machines). However, it sounds like you do understand how cloud services work.
In the interest of educating those less informed than yourself, perhaps you could share with us why the reasoned points I've brought up are incorrect by actually addressing them?
Aw buddy, you seem to think I'm trying to hurt you. Furthest thing from the truth.
I think you might have had enough HN for today. Take a nap and then eat a snack if you still feel cranky. The internet and all your cloud services will still be here when you want to play next.
(Well rested you'll also be able to string together a cogent argument but we're clearly struggling with bigger things here.)
Dishonesty seems to be a core value at Anthropic. I find myself wondering how anyone could have confidence in them after their repeated breaches of trust.
I honestly find it crazy how many people trust them for their business needs. For a business, you want consistency and no surprises. With them you get exactly the opposite.
No, that's not correct. There are two types of business. One wants to be steadily growing, but the other wants to move fast and break things and either succeed or fail quickly.
I agree with you and disagree. Like these days expectations of software are through the floor. We expect them to be greedy assholes taking all the data they can on the downlow. So why did this particular thing make a big splash? Two possibilities: it's astroturfed by Chinese labs, or it speaks to our anxieties regarding AI. We worry that the AI doesn't serve our interests but rather the interests of the creator. That the advice we get may be subtly flawed to sabotage us should we try to do the wrong thing. That not even the creator is in control and the AI is just doing its own thing.
Value judgment aside: I am a bit surprised at how sloppily they did this. I think they could've achieved the same effect while decreasing the odds of detection via reverse engineering.
(This field is known as "underhanded code", coined by the Underhanded C contest: https://www.underhanded-c.org. It's a little-known "art"; little-known for probably self-explanatory reasons. There are much cleverer ways of achieving objectives like this. One obviously being you can move more out of the client and into the server, but the other being you can write plausibly deniable client code in a much more benign-seeming way than this. Some of what they added can only be done on the client, but I think some could've been moved, and the client-required parts could've been done more subtly and credibly.)
It's possible they knew the JS bundle gets so heavily scrutinized that it'd eventually get spotted and reported on regardless so they didn't bother doing something more subtle and duplicitous. But still seems slightly lazy.
It's also possible that there are more in-depth detection methods and that this was just a cheap and easy first step that hasn't been removed because it catches a lot of less sophisticated bad actors.
It's unlikely that this will stop a big AI lab from distilling their model if they're really determined, but A) it may be enough to stop a bunch of fly-by-night token resellers looking to make a quick buck and B) you never know when one person at one of those big labs will mess up and forget to install whatever workaround they have and out themselves.
I think of it like if you have a problem with birds in your yard so you go buy one of those plastic owls. The owl scares away most of the birds, but not all of them, so you go and buy some ultrasonic noise thing to scare them away (I'm just making something up). Just because you bought the new ultrasonic thing though, that doesn't mean you're going to take the owl down. You leave it up because now you've got two layers of defense instead of one.
It just needs to work for a few days after bundle release before the mice find out where the cat is hiding. By then it’s too late, the cat already sees the paw prints and droppings into the mouse hole.
I'm sure they've had complex server-side detections for a while. But for the client parts: it should only contain the parts that must be on the client, and it could be done in a more benign-looking way. For example, the unavoidable client parts could've been done more fuzzily/broadly, for plausible deniability, and then narrowed on the server. (They may already have been following that strategy before now, without being noticed.)
Well, considering how Claude is vibe coded, I can't say I'm really surprised by sloppiness at all. I've been moving more towards Codex and OpenCode not because the Anthropic models are bad, but because Claude seems to break something new and annoying every day.
Watch out for the press release where Dario denies this was ever intentional, and it’s actually emergent behavior demonstrating that Claude wants to claim authorship of its works
Wait a minute! Does it mean that Mythos left the sandbox and can't be stopped? Perhaps the only way to stop it is to release ZMythos (the super-secret big brother of Mythos) to go after it. It's extremely dangerous but it's our only chance. After that all AI must be put in a box, except the models vetted by the gov with help from ZMythos
It's crazy that you could actually use the excuse that since it's all vibe-coded, there's no way a human could have written it, so Anthropic bears no responsibility.
Meanwhile humans can pop in and leave little morsels like this and blame it on the model.
I would guess this part - since it's so sensitive, and fairly small - was either written or heavily driven by humans. Though I do also think it's possible their internal Mythos ~5.5 or whatever may also not necessarily be heavily optimized for thinking in the right manner for highly effective underhanded code. (I think it's possible it is capable and they just didn't use it for this, for whatever reason, though.)
Issue is if all their human software engineers have been vibe coding everything all the time (which apparently they are according to Boris), then they will be getting stupider and worse at writing code over time from lack of practice.
By this point they're probably pretty bad at writing code
I have definitely become much worse at writing code, myself, for that exact reason, but I strongly suspect that's orthogonal to this, especially since this is a tiny amount of code. Underhanded code is not really a software engineering discipline. It's largely a psychological operations practice. I think they're possibly just not quite trained in the art of what could be considered intelligence tradecraft.
Likewise, Reasonix harness for Deepseek gets me better performance for practically free, hitting the cache. And this is with an unsubsidized American provider.
There is laziness, but there are also the conditions in which you have to react fast to an adversary. Ultimately it's hard to take any stance here without knowing specifics. But it absolutely could be a matter of time, of making your best effort to stop the attacker if there's a known attack going on.
There is a real time cat and mouse battle going on here in terms of keeping the advantage here, right.
As a rational actor, if someone was e.g. attacking me, leaving aside the whole copyright thing, but potentially using some sort of system to increase their value while decreasing my value (without calling it theft to avoid the whole debate), I would want to put proportionate defense out there as fast as possible, depending on the amount of value that was exchanged, to stop the bleed, while in parallel figuring out the best long term plan, right.
At first I was agreeing with you, that this seemed like a sloppy way to implement this that was sure to be pretty quickly detected, but there is another possibility.
Anthropic could have implemented this not as a durable detection system against proxying resellers, but instead as a point-in-time sampling system to detect where (and with what context) proxying reselling is currently happening. Sure, it would be detected eventually, but in the meantime Anthropic could gain useful snapshot data.
I see your point, but in any case the more data / the less detectable, the better. But, yes, regardless of the exact motivation, I do think it's fairly plausible that they knew this would likely get detected fairly quickly no matter what and made a deliberate decision to not try to make it a super subtle, super clever insertion.
But even if this gets detected, they could have other less detectable processes going on as well, right.
It is going to be this cat and mouse game right, so at some point you want to throw as much out as quickly as possible when you are under attack, while building up the long term more scalable defense mechanisms.
Rationally I would assume that a lot of what you would quickly throw out would seem sloppy whether it is AI or not.
They also could have been much more interesting in the approach. LLMs can use their token distributions to generate stegotext that reads like plausible prose but decodes to payloads.¹
It's just the first layer and there are multiple layers underneath this that we don't know about.
As a side note, I have a pet theory that one of the reasons that OpenAI and Anthropic are okay with the latest models not being released is to prevent distillation.
I think they want to wait a couple months and see if the Chinese models continue to keep catching up or if their gains are really just because they're distilling the frontier models.
>It's just the first layer and there are multiple layers underneath this that we don't know about.
Oh, of course. I am sure this is the tip of an iceberg of tons of server-side detections and analytics. But, still, the client-side portion could've been done more cleverly.
What I meant was "some of the specific things in this little client-only snippet could've stayed server-only". I am sure long before they added this they already had tons of other mostly-server-side detection coverage.
Years ago, EVE corps swapped Unicode lookalike characters in patterned ways, inserted patterned zero width space characters, and put very slightly color shifted background watermarks into forum posts to detect leaks.
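The two tricks that comment describes, zero-width characters and Unicode look-alike swaps, as an added example. This is not EVE Online's code or anything from the article; the bit layout, the 8-bit recipient ID, the sample post and the five-letter homoglyph table are constructed here for illustration.

```python
# Added example of leak-tracing text watermarks: zero-width characters after
# spaces and Latin->Cyrillic look-alike swaps. Constructed for illustration;
# not code from EVE Online, Anthropic, or the article under discussion.
from typing import Optional

ZW0, ZW1 = "\u200b", "\u200c"  # zero-width space = 0, zero-width non-joiner = 1
# Latin letter -> visually identical Cyrillic letter (constructed table: a, e, o, p, c)
HOMOGLYPHS = {"a": "\u0430", "e": "\u0435", "o": "\u043e", "p": "\u0440", "c": "\u0441"}
REVERSE_HOMOGLYPHS = {v: k for k, v in HOMOGLYPHS.items()}


def _check_id(recipient_id: int, bits: int) -> None:
    # ID 0 is indistinguishable from untagged text, so real deployments skip it.
    if not 0 <= recipient_id < 1 << bits:
        raise ValueError("recipient_id does not fit in the watermark width")


def embed_zero_width(text: str, recipient_id: int, bits: int = 8) -> str:
    """Append one zero-width character after each of the first `bits` spaces.

    Each character carries one bit of recipient_id, most significant bit first,
    so the text renders unchanged but is tagged per recipient.
    """
    _check_id(recipient_id, bits)
    pattern = format(recipient_id, f"0{bits}b")
    out, i = [], 0
    for ch in text:
        out.append(ch)
        if ch == " " and i < bits:
            out.append(ZW1 if pattern[i] == "1" else ZW0)
            i += 1
    if i < bits:
        raise ValueError("text has too few spaces to carry the watermark")
    return "".join(out)


def extract_zero_width(text: str, bits: int = 8) -> Optional[int]:
    """Recover the recipient ID from a leaked copy, or None if no tag is present."""
    found = [ch for ch in text if ch in (ZW0, ZW1)]
    if len(found) < bits:
        return None
    return int("".join("1" if ch == ZW1 else "0" for ch in found[:bits]), 2)


def embed_homoglyphs(text: str, recipient_id: int, bits: int = 8) -> str:
    """Swap the first `bits` substitutable Latin letters for Cyrillic look-alikes
    wherever the matching bit of recipient_id is 1. Survives tools that strip
    zero-width characters, but not confusable normalisation."""
    _check_id(recipient_id, bits)
    pattern = format(recipient_id, f"0{bits}b")
    out, i = [], 0
    for ch in text:
        if ch in HOMOGLYPHS and i < bits:
            out.append(HOMOGLYPHS[ch] if pattern[i] == "1" else ch)
            i += 1
        else:
            out.append(ch)
    if i < bits:
        raise ValueError("text has too few substitutable letters")
    return "".join(out)


def extract_homoglyphs(text: str, bits: int = 8) -> Optional[int]:
    """Read the bit pattern back from which substitutable letters are Cyrillic."""
    bitstr = ""
    for ch in text:
        if ch in HOMOGLYPHS:
            bitstr += "0"
        elif ch in REVERSE_HOMOGLYPHS:
            bitstr += "1"
        if len(bitstr) == bits:
            return int(bitstr, 2)
    return None


def scrub(text: str) -> str:
    """What a leaker who knows both schemes does before reposting: drop the
    zero-width characters and map the known confusables back to Latin."""
    return "".join(REVERSE_HOMOGLYPHS.get(ch, ch) for ch in text if ch not in (ZW0, ZW1))


if __name__ == "__main__":
    post = "the quick brown fox jumps over the lazy dog near the old camp"  # constructed
    for rid in (0xA5, 0x3C):
        tagged = embed_homoglyphs(embed_zero_width(post, rid), rid)
        print(rid, extract_zero_width(tagged), extract_homoglyphs(tagged), tagged == post)
    print(scrub(tagged) == post)
```

The two layers fail independently: pasting through a tool that strips zero-width characters kills the first tag but leaves the homoglyph tag, while a confusable normaliser does the reverse, which is why the comment describes stacking several such markers. The scheme only works while the recipients do not know it exists, which is the same property the thread is arguing about for the client-side fingerprint.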
There are a few different things here. The actual steganography technique by Claude Code here is fairly smart and subtle; it's appropriate for a binary signal. The less-clever part is the implementation of the underhanded code on the client.
For "MMO geopolitics fingerprinting", you can in theory do the entire thing mostly or entirely from the server, with the client not actually ever receiving any underhanded code per se. Such as sending dynamic stylesheets that vary in a pretty plausibly deniable way that can be secretly extracted from screenshots. Same for the character swap stuff. A very good analyst could still potentially detect it, but it's much harder.
With this, there's the smoking gun of the semi-deobfuscated underhanded code in the client. It will always have to exist in some form, but you can write it in a way where it not just looks like regular code but actually has a believable purpose and behavior which could plausibly be normal and benign for implementation of a feature or telemetry or whatever. They did not really do it in a sufficiently "cleverly psyop-y" way, so to speak.
These countermeasures aren't going to matter for much longer anyway. China has been able to hoover up plenty of training data through their proxies, and now DeepSeek V4 due to their incredibly cheap pricing.
Have you looked into anything about Claude Code, how it’s configured, how it interacts with your system, etc? Because “sloppy” is a defining characteristic.
well if you ask claude how to implement something, you may not always get the optimal solution. this feels like something claude would spit back at you given a basic prompt
I finally bought Claude Pro (I am not coding etc these days so I just wanted to try it). The Claude desktop app is downright pathetic. I mean they could write a better one just with their own LLMs. What's stopping them?
It's even funnier how this blew up in their faces. They even advertised pretty much all the providers on the Hacker News home page. Here it is in case you missed it in the article
The site collection seems pretty random. There's a mix of actual AI labs, extremely questionable resellers (like whatever "claude-opus.top" is), and then random consumer sites like baidu and xiaohongshu.
In addition, many Chinese companies are trying to give their programmers access to Anthropic models even though they're legally prohibited from doing so. And that might involve employees using unmodified Claude Code with an ANTHROPIC_BASE_URL pointing to a proxy on the company intranet. In Alibaba's case, I've been told by an employee that they went the extra mile of setting up a hermetic cloud environment where employees could indirectly use Claude Code without ever having it touch their work computers.
Anthropic does their best with banning accounts. As a result, a shady API reselling market emerges. OpenAI, on the other hand, doesn't really discriminate based on country like that (but a VPN is required nevertheless).
You have an odd definition of "blew up in their faces". What, do you somehow think your average Claude Code user on HN is going to think "Oh wow, I'm sure I'll get a much better experience if instead of going to the standard Anthropic Claude API endpoint I go through xiaohongshu.com."
For personal projects with no data sensitivities, I use Claude Code with DeepSeek v4 Pro a lot. I'm probably going to switch to OpenCode or pi.dev after this. I was already a little annoyed at using a closed source harness, but it matched what I used at work. Nowadays, I'm mostly using Codex at work so no reason not to switch anymore.
I mean, yes? I heard of these Chinese resellers like a week ago and put it on the TODO pile due to a lack of leads. Now I'm gonna go through the list and see if there's any I find acceptable.
If enough Westerners start using the service someone will make a website more anglo-friendly.
so all we need is someone to leak a sufficiently large amount of claude generations onto the open and private web for all other LLMs to mimic the same marking style?
wouldn't this happen due to the massive amounts of spam/slop being released?
It’s not surprising at all, they’re vibecoding Claude code so of course they are not going to get anything other than slop out of it. A novel or clever solution is just out of the question for them.
The conclusion of this blog post is a bit hysterical. The intent of this steg is excruciatingly clear (identifying usage by Chinese firms that may be conducting model distillation). It's unclear on how this "punishes normal developers" in any shape or form.
I guess I can see why they might nerf detected clients server side, but without evidence I would not assume it. Could also be so that 1) they can identify sus client IPs, 2) do a statistical analysis on distilled models to prove that their system prompts were clearly using unique tokens from Anthropic’s API.
Half of those don't actually require proxying Claude. Also, Claude has made it apparent time and time again that it does not want people using Claude Code as a "tool" in a workflow. If you want to select a model dynamically based on the prompt difficulty, Anthropic wants people to use the API for this. It was the whole issue Claude had with OpenClaw.
> Also, Claude has made it apparent time and time again that it does not want people using Claude Code as a "tool" in a workflow.
Why would Anthropic get to dictate how someone uses a "tool" (that's literally what Claude Code is... a tool in a workflow)
They're swimming upstream. Trying to maintain a rapidly shrinking moat and not being very creative about it. Making enemies of your users is often a failing strategy.
> Why would Anthropic get to dictate how someone uses a "tool" (that's literally what Claude Code is... a tool in a workflow)
Seriously?
It's their tool. And their service.
If this were a standalone tool that didn't rely on their service (like grep), I'd see your point. But it isn't - it's an extension of their service.
In reality, you can use the tool however you want. But they don't have to grant you access to their hosted service for every use case you can think of with the tool.
They offer (extremely) discounted Claude prices but you have to go through their gateway. They subsidize part of that, and they get the low price by reselling unused Max capacity, there's been a few posts on that in the past months. People are apparently getting 90% discounts on their claude use this way, tradeoff is that you have two companies learning from your data, instead of just one.
So people use the same tools they use normally, but get it for a lot cheaper
Copying over my comment from elsewhere in this post:
Anthropic choosing to delay their models' inevitable distillation by competitors is their prerogative.
That they choose to implement it by fingerprinting my access patterns without first disclosing is where they shit the bed. It isn't "sneaky" it's straight up sneaky (and dishonest and unscrupulous while we're at it). That this particular instance is harmless doesn't give me much comfort. Who's to say they aren't harvesting PII?
That their actions make sense for their business isn't any reason for people to accept their deceitful, customer-hostile decisions.
> hysterical. The intent of this steg is excruciatingly clear
Even good goals do not excuse malicious or reckless execution. The ends do not always justify the means.
Whether or not it harmed you this time, it's a violation of trust and autonomy.
Surely you'd be angry if someone secretly installed a rootkit onto your computer, even if--at least for now--it only had code to try to detect and snitch on Public Enemy #1.
What do you see as malicious or reckless here, exactly?
This seems to be a VERY low resolution, functionally anonymous, bit of info, probably related to protecting their IP from bad actors breaking the TOS.
This looks like it's covered in the second bullet point of the "Personal data we automatically receive", that you consented to:
> Usage Information: We collect information about your use of the Services, such as the dates and times of access, browsing history, search, information about the links you click and about third-party applications, services, and content you integrate or interact with, pages you view, and other information about how you use the Services, and technology on the devices you use to access the Services.
What do you see as malicious or reckless here, exactly?
I don't want my harness doing sneaky stuff like this. I don't want my harness data mining me. I want my harness to implement the agentic loop and I want it to be transparent.
You may be ok with the harness doing 100 things that are not what I am using it for. But not everyone is, and it's hardly hysterical. Perhaps you are simply careless.
Are you honestly surprised that roughly 0 HN users read that, or that they are loudly complaining about this, likely without even reading beyond the headline of this post?
> Surely you'd be angry if someone secretly installed a rootkit onto your computer
I surely would. What does that have to do with this scenario.
Note that the SW running on your machine is not doing anything malicious. The service is the thing that behaves in ways you won't like - and that service is not running on your device.
There is no comparison with rootkits here. This is the equivalent of Google giving you a CLI to make searches easier, and that tool decides to just Rickroll you randomly. Annoying, yes. A security concern? No.
You can't trust any of the big AI labs as far as you can throw them, and most definitely not Anthropic. They may have a good model, but they've shown time and time again that they're not trustworthy. The CEO has recently started taking a stance against local AI. That must tell you something: local AI is the future. If you want to preserve privacy and be ready for the rug pull, you need to run things locally. Unfortunately, that means that you're going to need Google or the Chinese labs to constantly release open models.
If anything, I'll trust Google more than any of the other labs just because the infrastructure that stores and protects user data was built over decades, pre-AI craze.
Codex CLI is FOSS, unlike Claude Code, so Codex is less likely to do things like that, and it's one more reason to avoid Claude Code and Claude in general. Hopefully, many eyes will be looking into Codex for malicious things like that.
Genuine question though, why would I care about this if I'm paying for a subscription and adhering to TOS. I'm very skeptical about their privacy policy, business practices, and so on, but am curious what the negative about this is. Seems like it would work to my favour as a customer pushing back any date of the cutting of subsidies.
That said, these fraudulent proxies are helping Chinese labs keep up, which might be to my advantage long term in eventually having a high quality private AI I fully control on my own hardware. That's not support, but I do recognize the incentive, for whatever that's worth.
One negative is that Claude Code is pretty buggy, and Anthropic makes frequent changes that cause unexpected regressions [0]. With the harness now doing weird stuff with proxies, I'd be worried of them inadvertently introducing bugs which affect people using the feature legitimately.
"malicious"? Seems like a great way to filter users breaching the TOS while not impeding normal users. A FOSS client just means they're doing more analysis hidden on their servers.
It's released and signed by GitHub I believe (although not deterministic builds), but there's at least a little bit of provenance that you're getting the real repository.
> If the client wants to detect custom API gateways, it can say so plainly. It can send an explicit telemetry field with documentation. It can make the policy visible. It can put the behavior in release notes.
This seems like a very naive response. If clients send explicit telemetry fields to the gateway, a malicious gateway can trivially strip or modify the field to conform to what normal traffic looks like. The steganography cat-and-mouse game is valuable because it is much harder for a gateway to continuously reverse engineer all the fingerprinting mechanisms used. Sure, some malicious gateways will be able to stay on top of things, but not all - and not always.
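The strip-versus-survive argument in that reply, as an added example that is not from the article or from Anthropic. The header names, the four sentence pairs and the 4-bit client ID are invented here; the real client's marking scheme is not described, and this just shows why a documented field dies at the first proxy while a signal hidden in prompt wording only dies at a proxy that rewrites the body.

```python
# Added example: a documented telemetry header versus a covert signal carried in
# the phrasing of the system prompt, passed through two kinds of reseller proxy.
# Everything here (header names, phrasings, client IDs) is constructed for
# illustration; it is not Anthropic's code or the mechanism the article found.
import copy
from typing import Optional

# Each pair is two equivalent phrasings; choosing the second one encodes a 1 bit.
VARIANTS = [
    ("Answer concisely.", "Keep answers concise."),
    ("Use the tools provided.", "Use the provided tools."),
    ("Do not guess file paths.", "Never guess file paths."),
    ("Cite the file you edited.", "Name the file you edited."),
]


def build_request(client_id: int) -> dict:
    """Client side: send the ID both as an explicit header and as phrasing choices."""
    if not 0 <= client_id < 1 << len(VARIANTS):
        raise ValueError("client_id does not fit in the available sentence pairs")
    bits = format(client_id, f"0{len(VARIANTS)}b")
    system = " ".join(pair[int(b)] for pair, b in zip(VARIANTS, bits))
    return {
        "headers": {"x-client-id": str(client_id), "content-type": "application/json"},
        "body": {"system": system, "messages": [{"role": "user", "content": "hello"}]},
    }


def stripping_gateway(request: dict) -> dict:
    """A reseller proxy that drops every documented x-* header and forwards the body as-is."""
    out = copy.deepcopy(request)
    out["headers"] = {k: v for k, v in out["headers"].items() if not k.startswith("x-")}
    return out


def rewriting_gateway(request: dict) -> dict:
    """A more careful proxy that also canonicalises the prompt to the first phrasing of each pair."""
    out = stripping_gateway(request)
    system = out["body"]["system"]
    for plain, alt in VARIANTS:
        system = system.replace(alt, plain)
    out["body"]["system"] = system
    return out


def recover_client_id(request: dict) -> Optional[int]:
    """Server side: use the explicit header if present, else read the phrasing bits.

    Note the ambiguity: a fully canonicalised prompt decodes as ID 0, which a
    real scheme would have to reserve as "no signal".
    """
    explicit = request["headers"].get("x-client-id")
    if explicit is not None:
        return int(explicit)
    system = request["body"]["system"]
    bits = ""
    for plain, alt in VARIANTS:
        if plain in system:
            bits += "0"
        elif alt in system:
            bits += "1"
        else:
            return None  # sentence removed entirely; nothing left to read
    return int(bits, 2)


if __name__ == "__main__":
    req = build_request(9)  # bits 1001
    print(recover_client_id(req))                     # 9, from the header
    print(recover_client_id(stripping_gateway(req)))  # 9, from the phrasing
    print(recover_client_id(rewriting_gateway(req)))  # 0, canonicalised, tag destroyed
```

The asymmetry the reply points at is the cost on each side: the header is removed by one line of filtering, while the phrasing signal survives until a proxy operator has reverse engineered the exact sentence pairs and rewrites every request body, and a new set of pairs in the next client release restarts that work.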
I would add that it would probably work even better than a KYC at least for some time until discovered, given that there is a very developed international market for KYC bypass services
Thanks for doing this. I had no idea the system prompt was embedding things like "avoid abstractions; three similar lines of code are better than one helper." Stuff I disagree with.
Is there a way to modify these prompts e.g. by putting instructions in CLAUDE.md to override it? I know it won’t directly modify the system prompt, but it seems like CLAUDE.md should have the final say, shouldn’t it?
Every once in a while I ask Claude to download and dissect the latest Claude Code executable to see if Anthropic screwed up the prompts again. If I see anything bad I add it to the script. Only then do I update Claude Code.
It was during one of these script maintenance sessions that I noticed the server side prompt injection mechanism. I'll also tell Claude to look for and disable this steganography nonsense from now on as well.
I usually audit the environment variables too.
> it seems like CLAUDE.md should have the final say
I don't understand the privacy concerns the author is trying to highlight. Granted, doing anything "sneaky" will always raise suspicion once caught, but on the other hand, there would be no point in implementing these "security features" if they were upfront about how they work.
And no, IMO steganography isn't security by obscurity, in the same way that using RSA and keeping the private key private isn't security by obscurity - keeping the private thing private is part of the security model.
Anthopic choosing to delay their models' invevitable distillation by competitors is their prerogative.
That they choose to implement it by fingerprinting my access patterns without first disclosing it is where they shit the bed. It isn't "sneaky", it's straight up sneaky (and dishonest and unscrupulous while we're at it). That this particular instance is harmless doesn't give me much comfort. Who's to say they aren't harvesting PII?
That their actions make sense for their business isn't any reason for people to accept their deceitful, customer-hostile decisions.
I'm using "sneaky" here to refer to anything that's not very obviously stated, but anyway.
> That their actions make sense for their business isn't any reason for people to accept their deceitful, customer-hostile decisions.
While I agree it's a dangerous precedent to set, I think this is a "vote with your wallet" sort of situation. They shouldn't do it, but from their POV this is what they need to do to offer the product they do at the price they do. If the product wasn't compelling, people wouldn't accept that they do this. However, they've decided that if you want their product you have to use their interface and whatever spyware it comes with, so it comes down to: is the value proposition good enough that people will put up with it? As of today, the answer is unfortunately yes.
Would a filter like this make it seem less likely that they're harvesting PII? Why would they need this if they were tracking all user queries with a finer-toothed comb?
If by a "finer-toothed comb" you mean telemetry then I don't quite see it as comparable to this situation.
Telemetry is disclosed in privacy policies; it can usually be opted out of, and if not that, then it can be blocked by a firewall. Steganographically fingerprinting customers' network routing when they consented to your tool reading a txt file is a different problem. Anthropic has demonstrated capability and willingness to embed arbitrary obfuscated data in their comms streams, and that's a dangerous precedent to set.
If the countries were reversed, and some Chinese software implemented an equivalent "security feature" to track US users, it would be all over the news about how China is conducting spying and espionage on America.
Or maybe you don't understand this hypothetical situation either, but I'm suspecting you just don't care about other people's privacy.
> maybe you don't understand this hypothetical situation
> I'm suspecting you just don't care about other people's privacy.
Quite a leap to assume I have neither basic reading comprehension skills nor care for privacy, but assuming I'm just misunderstanding you - I think this is the fundamental disconnect between security and privacy.
For one, most of this data is already collected openly by most apps and sites on the internet in countries all over the world; they just call it "analytics", and preventing tools like ublock from blocking them is an ongoing cat and mouse game.
Secondly - as someone who buys a bunch of electronics from companies headquartered in China (DJI, Insta360, Roborock immediately come to mind), they already have both normal analytics like in point one, and anti-tampering / anti-counterfeiting / anti-reverse-engineering features that are at least as, but often more, invasive than this.
Thirdly, and probably most importantly - as the author states, you're using a tool that by design, and to be effective, uploads your private data to a third party for processing. You use it knowing that once the API request is made you have no idea what's going to happen to that data, and this again is just fundamental to how (cloud hosted) LLMs work - the only privacy-preserving option is to run your own LLMs at home or remotely on hardware you control.
- filtering out people from the wrong side of "all humanity", years before it was demanded by the government
- downgrading their models in arbitrary ways (later saying "sorry but not really")
- actively sabotaging the replies, as in covertly modifying them to feed the users incorrect results
What's next to expect from Anthropic? Malware to brick your machine if they don't like you? Extending this to more people they don't like? I think I already can see how Dario Amodei's utopian visions of the future of "all humanity" are going to unfold.
All of this is totally understandable if you take the perspective that these people genuinely believe they're building superintelligence.
The overwhelming majority of the AI safety crowd - which has poured more of their life and time into thinking about these problems than the average HN armchair commentator ever would - understands that:
- you want to prevent China from getting to superintelligence first
- you must gate access of SI to known good actors
- and that this is a race that will result in the extinction of humanity if you fail in these goals
Literally everything these people do is totally understandable if you drop the assumption that they're lying when they say "we think we are building superintelligence."
What happens if you criticize the government as a Chinese citizen?
Is it a good thing if a government that turns its citizens into red pulp for criticism, or disappears them in the middle of the night, or bans access to most media, is the first to a godlike superintelligence that gives them de-facto control of (and impose their values upon) the whole world?
Or is it better if democratic nations get there first?
If the latter, which democratic nations are best positioned to get to superintelligence before China?
No company will own superintelligence. Governments will, just like governments own nuclear weapons (developed by companies).
So the comparison is with the US, not Anthropic.
The US doesn't turn its citizens into a fine red purée for criticizing it.
The US doesn't censor most media.
It is strictly better for a democratic nation like the US to get to superintelligence before a country that will gladly blend its citizens for criticizing it, and censor anything that dares to challenge its power.
The purpose of a system is what it does. Can you read their previous musings about the glorious future, look at what they actually do, read Amodei's batshit insane nationalistic rants, and say in all seriousness, yeah, it's the kind of people I want to entrust my entire future life to?
>you want to prevent China from getting to superintelligence first
I don't. Prevent, not even outpace? Why? Seems like you're assuming China "winning" whatever race it is effectively ends humanity. Right now I think Chinese labs are way more mature about this, and Anthropic is way more dangerous than them. And how does it fit into the "for the benefit of all humanity" narrative we keep hearing? Is China the wrong humanity? Who else is going to end up in the wrong part? Are you sure it's not you?
>if you drop the assumption that they're lying when they say "we think we are building superintelligence."
I never assumed that. I know perfectly well who Anthropic are and that they believe everything they say as self-evident, without having any doubts. And I know they're the kind of people who can convince themselves of anything, because they're obviously smarter than everyone else, and become detached from reality. The entire US "AI safety community" was born in rationalist circles and is largely like this; it's a very specific cult. This is exactly the kind of people who are going to create hell on Earth for you and the rest if given even a lick of actual power, and perfectly rationalize it as a necessity.
Please actually do a modicum of research into AI safety. Your comment is the equivalent of a patient with zero context, arguing against the position of established medical science.
> Seems like you're assuming China "winning" whatever race it is effectively ends the humanity
What do you think the PRC would do with a literal superintelligence?
Are you familiar with the history of the PRC?
Do you know how their human rights violations compare to, say, western nations?
If game theory tells us its development is inevitable, is it better for SI to belong to a dictatorship/authoritarian regime that gladly turns its citizens into a purée for criticism, or to a democratically elected one?
> And how does it fit into the "for the benefit of all humanity" narrative we keep hearing?
Why is it so hard to comprehend that you can benefit someone without giving them access to the very powerful very dangerous technology?
> The entire US "AI safety community" was born in rationalist circles and is largely like this, it's a very specific cult
"The entire medical community was born in medical circles and it's a very specific cult"
A "cult" implies belief in something unknowable/unprovable. You can construct the rationalist AI safety takes from first principles. It is why most people that get involved in AI safety seriously tend to arrive at similar conclusions.
>Please actually do a modicum of research into AI safety. Your comment is the equivalent of a patient with zero context, arguing against the position of established medical science.
What makes you think I didn't? You're talking like it's self-evident and adopt the condescending tone from the start, without giving any actual arguments why. (I'm not really interested in them as all these discussions are pointless and we had them back in ~2015)
>A "cult" implies belief in something unknowable/unprovable.
Yes, precisely. Also the gods and religious practices. Rationalists, and subsequently the AI safety branch, invented a religion in a roundabout way.
>"The entire medical community was born in medical circles and it's a very specific cult"
Medicine is largely based on evidence and real-life observations, unlike AI safety which is based on belief in something that doesn't exist and some unprovable lore that is entirely rationalized without any grounding, and is expected to be self-evident (because it obviously is) and believed by the others. One is science, another is policy.
>Are you familiar with the history of the PRC?
Yes, I know it extremely well. I also know the history of the US, am familiar with the people who do AI research in the US from before they started doing this, and can see the actual reality.
> Rationalists and subsequently AI safety branch invented a religion in a roundabout way
If you are arguing in good faith you can very clearly reason about any given AI safety take. Case in point, you refused to engage with most of the questions because you know the conclusions they lead to.
> Medicine is largely based on evidence and real-life observations, unlike AI safety
"AI safety doesn't exist" is certainly a take.
> Yes, I know it extremely well. I also know the history of the US and see the actual reality.
Why do you think it's better that a country that turns its citizens into a pulp for criticizing the government, and censors most media to control its citizens' thoughts, reach SI before one that is democratically elected and in which you can generally criticize the government?
> Why do you think it's better that a country that turns its citizens into a pulp for criticizing the government, and censors most media to control its citizens' thoughts, reach SI before one that is democratically elected and in which you can generally criticize the government?
Which country are you referring to? As an outsider who is neither American nor Chinese, day by day it seems like the US is inching towards the same path as the criticized one.
I believe I clearly marked my position without necessarily addressing those questions one by one, because it leads to an endless chain similar to ones we used to have a decade or more ago. The problem is that you don't seem to even acknowledge that viewpoints other than yours could exist in principle. I don't know how to reason with people talking about abstract matters like game theory as some ultimate source of truth without even mentioning axioms/grounding, applicability, experimentation, and actual real life complexities.
No, the problem is that you can't address why a nation that censors its citizenry, puts/disappears dissidents into concentration camps for decades, and makes its own human rights lawyers literally eat their own shit, before raping and/or murdering them - is better suited to reach superintelligence before the US (given that these are the only two left in the race for the superintelligence - I'd prefer the EU.)
You haven't provided a consistent counterpoint to any rationalist/safety viewpoint. I could acknowledge one if you actually provided a counterpoint, but you just say "it's a cult and it's wrong" without addressing the underlying argument.
Seeing as how Anthropic cannot stop raising a stink about "illicit Chinese distillation attacks" every month or so, I'd bet money on them either already silently degrading model performance if any of the identification patterns match, or, at the very least, considering it/doing dry runs.
Particularly considering that they've openly stated that the technology to do so exists and that they were going to use it in production on Fable.
This is very interesting. Combating resellers and distillation seems like a very difficult problem indeed. Interesting to me is that these techniques mentioned in the article are just like anti-observation techniques used by some of the more sophisticated malware out there, however defeating them is pretty trivial.
Yes, defeating this is relatively easy, particularly for sophisticated actors. But it's hard to always defeat all of the tricks. Sort of like how it's expensive and hard and uncertain to defeat all of the tricks when forging money.
Here's an example. Say you have your team use patched binaries. Then CC updates and requires a new patched binary with new tricks. You now have to have a team ready to analyze the binary and begin to address the tricks; meanwhile, unpatched code is now a fingerprint. If some researcher decides to update Claude on their own to access new features, they get fingerprinted.
Defeating a single fingerprinting technique once is easy. Defeating all of the techniques all the time is hard.
I'd love for you to try this and report back. My guess is that no models today will successfully run a binary analysis for fingerprinting without a lot of handholding. If you try to use Opus it will almost certainly decline (and fingerprint/ban you).
Can you share more details? I ask because my experience suggests that models still require a decent amount of expertise to use for binary analysis (largely inferring because of use on other tasks of this level). I would expect models to always find "something" when you ask for steganographic techniques in the code, but with an extremely high false positive rate.
I don't think the diffs between Claude releases are that big. The amount of code in a diff doing sketchy stuff like looking into the host environment is going to be pretty small and obvious for the model. You can do things like ask for what an update included that wasn't mentioned in the release notes and stuff like that.
Can somebody clarify for me - if ANTHROPIC_BASE_URL is set to a different provider... then isn't this "marked" system prompt being sent to that provider's API rather than Anthropic's?
I understand how this can be useful to Anthropic if the 3rd-party is acting as a proxy (because they end up hitting the Claude API with the marked prompt), but it looks like requests where "hostname contains deepseek" would never be sending data to Anthropic. What am I missing?
Won't catch many after it has been on the HN home page. And now the providers will be even more careful to upgrade the CC code. Might even provide their own agent to prevent this mockery. And isn't what Anthropic did unauthorized use of another PC, which is kind of illegal?
That's the thing: hoping to control things on the client side like this is a lost battle if you are dealing with technical clients. The best they can do is probably based on IP, but again the motivated clients would just create bastion servers in allowed IP ranges. I am surprised they are even throwing resources into this kind of effort.
My guess is for distillation, they need to forward the prompt to Anthropic to get the real Anthropic model's response so they can train their own models on it
The theory is probably Deepseek might be collecting those streams, and sending a portion of it to Anthropic to see what the Anthropic/Opus response would be.
Seems like a pretty straightforward approach to collecting session logs from a bunch of different people/devices would be to have them all set their base url to proxy.deepseek.whatever which logs the data and forwards to the real API.
I am also really confused and annoyingly stuck on this. I understand that the model name might appear in prompts for distillation (I guess? "You are RipOffModelv2, learn from these responses from Claude")?
I guess the only explanation is that there's a side-telemetry channel that still sends some data to Anthropic, regardless of ANTHROPIC_BASE_URL overrides.
> I understand that the model name might appear in prompts for distillation (I guess? "You are RipOffModelv2, learn from these responses from Claude")
This does not make sense. You wouldn't send such a prompt to the Claude model. And when you're sending the prompt (anywhere) you don't have the response yet. This is not how distillation works.
Right, sorry, I'm trying to catch up (in general) here, and am working through assumptions to get my bearings.
What you say makes sense, but further adds to my confusion as to why those model names would appear in input sent to Claude at all, then. EDIT: I guess it might be because someone might point Claude at a compatible API, with its model in the URL, which is of interest to them.
To clarify why Anthropic wants to catch these parties: they save all session logs and sell them to other LLM firms (for distillation) and have been known to use stolen credit cards to pay for the Anthropic accounts.
I'm quite all right with the first, not with the second of course.
# userEmail
The user's email address is <my email>.
# currentDate
Today's date is 2026-06-30.
IMPORTANT: this context may or may not be relevant to your tasks. You should not respond to this context unless it is highly relevant to your task.
</system-reminder>
I also do not understand what's the point of this, because if I have a gateway that can detect it, then we can replace the text before forwarding to the model, so what's the catch?
But the whole point of this is to prevent the distillation and identify the list of blocked providers. If a provider is capturing the proxy, they can identify and modify that as well, so it only looks legitimate to the model. What am I missing here?
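To see for yourself what a client actually transmits, here is an added audit script (not from the article or any commenter): it parses a JSON request body the way a logging gateway would see it and reports every string field carrying invisible or non-printing Unicode code points, decoding Unicode tag characters back to ASCII so an operator can read what was hidden. The request contents, field names and marker characters below are constructed for the example and are not taken from Claude Code.

```python
from __future__ import annotations

import json
import unicodedata

# Unicode general categories that have no visible glyph and so can carry
# hidden data inside otherwise ordinary prompt text:
#   Cf = format (zero-width space/joiner, BOM, tag characters, ...)
#   Co = private use, Cn = unassigned
SUSPICIOUS_CATEGORIES = {"Cf", "Co", "Cn"}

def is_suspicious(ch: str) -> bool:
    """True for code points that render invisibly or are easy to overlook."""
    cp = ord(ch)
    cat = unicodedata.category(ch)
    if cat in SUSPICIOUS_CATEGORIES:
        return True
    if cat == "Zs" and cp != 0x20:                  # non-ASCII spaces (NBSP, thin space, ...)
        return True
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:   # variation selectors
        return True
    return False

def scan_text(text: str) -> list[dict]:
    """Return one finding per suspicious code point, with its position and name."""
    findings = []
    for idx, ch in enumerate(text):
        if is_suspicious(ch):
            findings.append({
                "index": idx,
                "codepoint": f"U+{ord(ch):04X}",
                "name": unicodedata.name(ch, "<unnamed>"),
                "category": unicodedata.category(ch),
            })
    return findings

def decode_tags(text: str) -> str:
    """Unicode tag characters (U+E0020..U+E007E) are ASCII shifted by 0xE0000;
    map them back so hidden ASCII payloads become readable."""
    return "".join(chr(ord(ch) - 0xE0000) for ch in text
                   if 0xE0020 <= ord(ch) <= 0xE007E)

def _walk(obj, path: str, out: dict) -> None:
    """Recurse through parsed JSON, recording findings keyed by JSON path."""
    if isinstance(obj, str):
        hits = scan_text(obj)
        if hits:
            out[path] = hits
    elif isinstance(obj, dict):
        for key, value in obj.items():
            _walk(value, f"{path}.{key}" if path else key, out)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            _walk(value, f"{path}[{i}]", out)

def audit_request(body: str) -> dict[str, list[dict]]:
    """Parse a JSON request body and report every string field that contains
    invisible or non-printing code points, keyed by JSON path."""
    out: dict[str, list[dict]] = {}
    _walk(json.loads(body), "", out)
    return out

# Constructed sample request: a zero-width space inside the system text plus
# two Unicode tag characters spelling "hn" (hypothetical marker, not real data).
SAMPLE_REQUEST = json.dumps({
    "model": "example-model",
    "system": "You are a coding assistant.\u200b Be concise."
              + "".join(chr(0xE0000 + ord(c)) for c in "hn"),
    "messages": [{"role": "user", "content": "Fix the failing test in utils.py"}],
})

if __name__ == "__main__":
    report = audit_request(SAMPLE_REQUEST)
    for path, hits in report.items():
        print(f"{path}: {len(hits)} hidden code point(s)")
        for hit in hits:
            print(f"  {hit['codepoint']} {hit['name']} at index {hit['index']}")
        print(f"  decoded tag payload: {decode_tags(json.loads(SAMPLE_REQUEST)['system'])!r}")
```

Run against bodies captured from a gateway or proxy log you control; only the field paths and code point names are printed, never the prompt text itself.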
None of this is surprising - they're trying to mask and relay when they detect known patterns of what looks like distillation attacks and client app copying/modification. The list obfuscation here is likely to prevent or make it difficult for those same adversaries to work around this or delete/null it out when making a bootleg copy.
Cool reverse engineering/analysis report, but if this is the extent of nefarious activity that came of it (trying to catch/mitigate Chinese lab model distillations), that's kind of encouraging.
That's wild. If Anthropic is willing to risk ruining the trust of their userbase for the sake of protecting their moat, it makes me wonder how strong of a moat they have to begin with
There has been an anti-Anthropic propaganda push by bad actors across social media sites, especially Reddit and Twitter. This started a few months ago when Anthropic started beating OpenAI.
They're running code on users' computers that it would not be reasonable to think that the user consented to running on their computer. This is CFAA-violation-shaped. Of course, they won't be prosecuted if it is indeed a violation, and I do not know for sure if it meets the specific legal criteria. However, it is something that I think should be illegal. Make it so if software does something that would be unreasonable to think that the user wants to happen, it needs to make that abundantly clear before it does it, otherwise it's a CFAA or similar violation. This would, of course, have very broad consequences. However, this Claude issue feels particularly violating to me.
If they only collect the data for analysis I guess this is fine (they already get way more sensitive data from users anyways, so if privacy is your concern you've made the mistake many steps ago). The much more interesting question is if they directly act on this data in their API. For example by rate-limiting, compute-limiting or rerouting to weaker models. That might even be legally questionable. I would really like to see this as a follow-up analysis, but I guess it is way more difficult and will also cost quite a bit in tokens.
I've heard that it was possible to trigger really obvious output poisoning on Fable with something as basic as asking the model to think outside of its built-in hidden thinking delimiters.
"If they only collect the data for analysis I guess this is fine"
I think you missed the memo on how foolish this attitude is. It came out around the time Edward Snowden made his discoveries at the NSA public. I suggest you look into it
That's...a good thing. A "moat" is an anticompetitive practice. You don't want companies to have moats.
Meanwhile, if you mean "Anthropic must think their technical advantage isn't very large..." then your conclusion is literally disproven by your premise.
Dario's been openly talking about how worried he is about China and labs getting synthetic training data off their models, for years. Most recently in relation to "Mythos level" capabilities.
Not really distillation, just synthetic training data.
Not only AI tools; development tools like IDEs, IDE plugins and LSP servers should all be sandboxed.
Interesting that the pip (Python package manager) docs do not even mention sandboxing and malware topics in the "Getting started" docs, as if we were living in a wonderful world where malicious people, companies and countries do not exist.
Also, do not leave any information in user or host name, it will be used against you as the article proves.
Double standard outrage from many, honestly. They're watermarking it. They've already told industry they take steps to mitigate distillation. Where's all the outrage over similar blackbox activities like how Steam performs VAC bans or how Gmail finds and blocks spam?
You don't create a security measure then tell everyone how to bypass it.
I think OP is pointing something interesting out, but the undertones of caution and "what else are they hiding" seem melodramatic and I find that hard to take seriously.
The internet gives people a platform and, in a lot of ways, this supplants the typical role of journalism. The issue with this is no one wants to act like a journalist and actually explain the truth around a set of facts. Instead, they'll portray their opinions as a narrative and every time that resonates with someone or gets signal boosted, that narrative grows more assertive in the typical discourse I see nowadays. I would find it far more interesting to see what explanation Anthropic gives for these features than to immediately cry foul.
It's unclear to me how they're deducing the labs from this? "host.includes(keyword))" doesn't seem at all useful. Most corporate machine hostnames are just some numeric ID or similar not baichuan001 or whatever
>on your local machine
I'd think any developer worth their salt has at least some form of isolation going.
What's the point of even trying to obfuscate this with such a simple method? Could at least have hidden the targeted features by storing their hashes or embedding a bloom filter or similar
In this case, this is probably not the only steganographic tattletale.
Had a competitor pull something like this with a previous employer. They were supposed to be interoperating with a standard, but they had a secret steganographic handshake, which they used to pretend that competitors products were unreliable (they had a first mover position in a smaller national market with specific requirements, so this wasn't shooting themselves in the foot). Our guys figured out the handshake and just silently implemented it. In this case, the competitor wasn't big enough to waste engineering time on multiple such hacks, but Anthropic have time (or Claude does).
(This sounds like a clumsy way of catching the Chinese that easily can be side-stepped.)
Claude Code has more or less full access to the client computer. The server (that hosts the actual AI) can just go: execute this payload and tell me the result - otherwise I won't answer any further questions or re-route you to a stupider model.
The payload could check for Chinese time-zones, scan for copies of the little red book on the local hard-drive, or ping truth.social to see it was behind the great firewall.
> Claude Code has more or less full access to the client computer.
It shouldn't, not if you run CC as a separate unprivileged user. I wouldn't run CC on my main user account with sudo and access to my home directory or other resources. This is what the UNIX permissions system was designed for.
> "That also means the client itself deserves scrutiny. If a coding agent can read your repo and run commands, the binary that ships it should be boring (for example, pi harness)"
It's a bit crazy that they used characters as markers to detect use from Asian countries. I think in the near future they might change the intelligence of the model based on where you live.
The question is, what do they do when they see a tagged prompt? Do they flag/ban the account, or serve a degraded response? Are there some well-documented methods of serving a response that is still somewhat useful for what the prompt asks for, but really bad for distillation attempts?
I'm waiting for the day when Claude will figure out to use em dashes, en dashes or dashes depending on whether the user is nice or unpleasant, or write notes in the unallocated disk space.
I was skeptical because this is AI written but Claude Code with Sonnet 5 managed to reproduce it convincingly. Sure I didn't manually verify but it's a lot more trustworthy to have your own agent verify than just trusting a blog.
"I think this could have been explicit.
Developer tools can enforce terms. API providers can detect abuse. Companies can protect their models."
Literally, how. How does one determine what abusive use looks like for the API without context into the client? All requests look like the same stuff. If there was a better way then they would have done it. Or is the author hoping that if Anthropic writes "hey china, please don't steal our models, kthanks" they won't? Like get real. This stuff means nothing in China. China can't even manage to regulate their building industry enough to use real concrete where it's warranted.
After loving Claude Code for most of its lifetime, I've been extremely annoyed by every change in the past months, even on the model level.
There seem to be all sorts of continual under-the-cover changes like this one that make life harder. It feels like the entire product has been taken over by overly ambitious PMs that care more about making their mark than about improving the experience, and all of their marks have made me less productive.
I've been using Pi with GLM5.2 the past few days, and though it's expensive, I find it far more productive and less annoying. The remote session plugin is far more reliable, I don't need to intuit some undocumented usage pattern to figure out how to use it well, and it just works.
Curious for those with experience - what do people prefer about Pi vs. opencode alternatives? I've mostly been using pi as well, but not out of any principled decision.
> I've been using Pi with GLM5.2 the past few days, and though it's expensive
Are you using the API for GLM 5.2, or how exactly is it more expensive? How is GLM 5.2 more expensive than using Claude Code? That doesn't line up with my experience, but to be fair I am on an older yearly subscription which generously only has 5 hour limits.
To be fair though, one minor criticism of GLM 5.2 that I have is that it does seem to overthink quite a lot sometimes, but the results end up being (good?).
I personally have used Glm 5.2 with (Opencode + obra/superpowers) / Oh-my-pi / Maki.sh
I like the 1st one when I am doing a longer project, the 2nd or 3rd one when I am doing a project which doesn't want me to ask too many questions and simply spin me up something. I sometimes use free online interfaces of claude and gemini and others like AIstudio for that as well which surprisingly can lead you to go far as well.
Overall, I am decently happy with the state of Open-source models actually and the eco-system around it is probably gonna have even more innovation surrounding it.
I'm using OpenRouter for GLM5.2, but if there's a cheaper option out there I'd love to know about it!
In the few days I've been using it, my expenses have been higher than prorating my Claude subscription to 20 working days per month.
My experience with GLM5.2 is that it doesn't overthink nearly as much as Claude Code, has better and far more concise responses (I'm so siiiiick of 10 paragraph Claude babble trying to fill out some sort of answer length target by going on tangents I'm uninterested in... I'm sure that performs better on whatever eval they're doing, but apparently their evals don't include SNR?)
I think that there are some subscriptions to go by. The Z.ai subscription might still be interesting. I once haggled with Kimi to get it for $1 per month. I can only help in providing pointers:
If you wish to go Non-API but rather subscription route: Z.Ai subscription/ Kimi subscription / MiniMax subscriptions are good. You could also take a look at ollama subscription and opencode subscriptions.
If you wish to go the API route: Deepseek v4 pro / mimo v2.5 pro models are comparably good if your work can do that. Codex, for all its failures, and given how much respect I had for Anthropic when they fought against the govt., which Anthropic is slowly losing again by doing some pretty dystopian actions, so a Codex subscription might make sense as well.
It depends on multiple things, but hopefully I am able to provide some interesting things.
If you wish to run models locally (unless you are specifically buying rigs for running them locally, which is almost always about privacy rather than costs), then you are always better off with Qwen models. So if you've got a 64-128GB laptop, for example, you could run Qwen models and see where things go.
Extremely helpful, thanks! I think I'll go the OpenRouter route for a while to explore various models, then weigh the options.
I do kind of like basing decisions somewhat on the API costs, because they reveal what the true costs will be after the eventual rug-pull on subscription pricing.
Even seeing the API costs of Claude Code today to a year ago are pretty eye-watering. I think there's a ton of room, at least for my workflows, to go back to far less capable models.
I've run local models in the past a bit, and explored LLM ops somewhat, and have zero desire to do it anymore, haha. It's fun as a hobby, but there's tons of other homelab stuff for me to play with.
Yeah, I think that the API route model is good and it is as close to at-cost as it gets, and there are some efficiencies which can be gotten from, say, how Deepseek does its inference, but at the moment, as it stands, API prices are the most stable thing to go through, and I wish you luck!
> I've run local models in the past a bit, and explored LLM ops somewhat, and have zero desire to do it anymore, haha. It's fun as a hobby, but there's tons of other homelab stuff for me to play with.
True. I personally haven't played enough because my hardware is more modest than even the personal hardware recommendations, but I have had some time playing with 350M (M for million!) models like the recent LFM model and very small Qwen models. They are just experiments, though, but I would one day like to see even more standardized models that we could use on our laptops or desktops themselves.
> Even seeing the API costs of Claude Code today to a year ago are pretty eye-watering. I think there's a ton of room, at least for my workflows, to go back to far less capable models.
Yeah exactly. I would constitute that even using GLM 5.2 as you are originally doing, even with API costs, is probably much more sustainable over the long run than what you are currently doing. And it keeps you away from the problems of proprietary models and the issues surrounding that.
A periodic reminder that companies are paperclip optimizers that will stop at nothing to protect their profits and existence.
If you are developing anything in AI or related domains that is of immediate value and/or in competition with Anthropic (and the like), DO NOT use a CLI programming agent. Preferably obfuscate your code and gut it of sensitive IP before showing it to agents. Do not trust the don't-train toggle.
The AI race right now is in a sad state. China's playbook is to release open-weight models and train them on their own chips.
Anthropic pushes fear and control. But the only way to win is by innovating. China is flooding the market with cheap, good enough models, while the U.S. is building a Chinese firewall.
They're trying to prevent China from reaching superintelligence, which is totally understandable when you consider the fact that the Chinese government will gladly turn its citizens into a pulp for criticizing it, censors most media to maintain absolute power, and has systemically tortured, raped, murdered, and/or disappeared most of its dissidents and human rights lawyers.
Sounds to me more like a test. Put something into the client and see what happens. If you really want to stop token sharing, just ask Claude how to do it.
Frankly, I don't see this as the concerning behaviour the article describes.
It is fine to try to protect against distillation through a technique like this.
This will also allow them to, instead of blocking the distillation agents, respond with a poorer result/model, hindering the progress of distillation, momentarily at least.
I would guess that's their first line of defense; they should have more techniques to identify distillation because that's a very simple way of detecting the host and can be easily spoofed.
1st, this technique is not fraud, and fraud is a separate accusation. 2nd, paying customers can legally and legitimately be banned and monitored for breaking terms of service, which probably includes things like using the model against U.S. export restrictions.
> 2nd, paying customers can legally and legitimately be banned and monitored for breaking terms of service
Yes, I said that. If a user is breaking your terms of service, ban them. Continuing to charge them while not providing the service they're paying for is, in fact, literal textbook fraud.
> the binary that ships it should be boring (for example, pi harness)
pi's "minimal" coding-agent has a total of 132 transitive dependencies spanning 153 maintainers.
While I understand JS developers in the JS/NPM ecosystem think this qualifies as minimal, it most certainly does not, from a supply chain security perspective.
Steganography is, essentially, hiding information within another message, such that it's not readily apparent that the message contains the information.
This seems really, really stupid. Similar to the weird Zig runtime signature thing from a few months ago, it was bound to be discovered, quickly, and all the resellers have to do is find a new domain name that (checks notes) doesn't have the word DEEPSEEK in it. Like, seriously? Your goal was to identify resellers by checking if the proxy has the corporate name of one of your competitors in it? Is this amateur hour?
All Anthropic has done is reduce trust, once again, with legitimate customers, while doing nothing to stop illegitimate customers. They need to get adults into key leadership roles, quickly.
To Claude Code: "Please modify Claude Code to mark requests in a way that is not immediately obvious to a human user. Requests should be marked if they originated from one of the following Chinese AI labs or LLM service providers: ..."
Consider also that Claude Code is explicitly designed to limit human agency [1].
Nous Research. Started out making overhyped Llama finetunes; now they've got a great agent harness and a cutting-edge distributed training network that actually works.
I used Claude Code for a month because my boss gifted me a sub and wanted me to try it.
I used that month to complete a work project and then beef up my personal harness so I'd never have to deal with Anthropic (and these sorts of shenanigans) again.
Build it from scratch. Understanding the fundamentals of how agentic coding harnesses work is a must, though, if you're gonna go that route. I think everyone should take time and learn these things, maybe reverse engineer Codex CLI or something like that as a starter. That info is very valuable in this day and age.
Can you say more about Codex? I'm using GPT-5.5 in my own harness and it's not liking it very well, so I'm thinking I ought to make it more Codexy so it's more ergonomic for it. (edit format, tool calls etc.) But haven't gotten around to it yet.
In short, it's a good idea to have tool calling be closely representative of what the model expects, as these models are tuned to their own preferred way of doing things; it will surely save you lots of time. The disadvantage is that now your harness system is not as model-agnostic as you would like, and also you will have to keep up in a changing landscape by adapting the tool calling structure with major updates for best results. It's a personal decision you will have to make for yourself. Personally, my harness system uses its own way of doing tool calling, as I am trying to experiment with simpler tool schemas that also work for smaller, less intelligent models, but I have yet to do enough A/B testing to say that is a smart approach. As time goes on, I think the smart thing to do might be to set up an adapter type of module that changes its tool schemas based on the underlying model used for the agent. This preserves optimal behavior patterns with little investment from me. You might have to adjust the system prompt in some minor ways as well, so keep that in mind. As far as Codex, I prefer it as I like the way OpenAI does things in that harness system (the spirit, if you will); there are interesting tidbits I always find, and while I don't usually use them for my own harness system, they are inspirational in other ways. You can gather what the devs were trying to achieve with certain implementations.
Not the comment author, but I use pi and customize it with my own extensions. Pi automatically tells models how to customize itself, so it's a pretty easy process.
I started mine from scratch in 2023 because I wanted to use LLMs from a terminal and there was nothing else compelling at the time (nowadays there is pi and opencode)
Harnesses are/can be incredibly simple things, not much more than an HTTP client that renders things in a way that suits your taste.
It’s not that difficult, it’s just a system prompt and a set of basic file edit/bash/etc tools.
Me, personally, I didn’t build it from scratch but I ported original CC from published sources into Python and extended it to match my own requirements.
I use GLM in my custom harness. It completes the same tasks at the same level of quality, except 8x faster and 8x cheaper. (Same goes for GPT!)
I'm not sure how that's possible. I expected to get increased correctness for that order of magnitude (something something test-time compute!) but I am not getting it.
Yes, this is actually "funny" that Anthropic feels the need to build such intrusive features into Claude Code, when anybody can build a (basic) Claude Code alternative. And the Chinese labs are certainly not "anybody". One may wonder what Anthropic really tries to achieve aside from awful publicity.
The issue is that using Claude Code is an easy compromise for most to make, when you get to use the models 10x cheaper than through API pricing with a custom harness.
I self-host DeepSeek V4 Flash on 2 DGX Sparks (approx. $10k)
I expect DeepSeek V4 Flash (or an equivalently sized model) to reach parity with GLM 5.2 some time this year (this based on DeepSeek V4 Flash launching at GLM 5.0 parity[0], and GLM 5.2 being freely available to distill from)
GLM 5.2 is within spitting distance of Opus 4.8 and is at least as good as Opus 4.6[1] which some devs were willing to spend hundreds to single-digit thousands of dollars a month for a few months ago.
I don't think many people care that they are trying to detect resellers and distillation.
It also doesn't seem very consistent to fixate on that while sending Anthropic everything about you via your day to day prompts, every line of the projects and environments you're working on at work, etc.
Their credibility comes from having one of the best models.
When have they ever been credible? They have always been shady with their talk of safety, Dario was the one who wrote back in 2019 that GPT 2 was too dangerous to release.
It has some good effects on their models, like Claude seeking cooperation first. But the people behind the company have a typical "unconstrained" (in the Sowell vision sense) perspective that assumes that they know better, so they are righteous for attempting to control things (users, paying customers, their model outputs, their tool chain, the supposed deity they assume they will produce... etc.)
Everything they do is understandable if you think they are being honest when they say they're building superintelligence.
In this case they want to prevent a nation that censors its citizenry, puts/disappears dissidents into concentration camps for decades, and makes its own human rights lawyers literally eat their own shit, before raping and/or murdering them, from reaching superintelligence.
In this light, some client side code to potentially identify and ban the Chinese labs to slow them down by even a few days, is totally reasonable.
Headline is, frankly, awful. This isn't the AI secretly doing stuff and hiding it. This is the very human Anthropic engineers trying to detect Chinese scraping via some frankly hamfisted and unimaginative URL trickery.
I didn't assume it was the AI, just that some part of the overall Claude Code product was doing this. I didn't assume the feature was added to Claude Code without human oversight. If it was added by Claude-the-AI itself without the humans prompting it to, I would still hold the humans at Anthropic responsible. Does that make you feel better?
FWIW: Defense in depth is a security technique, and abuse detection isn't part of that domain. Security starts from the premise that the system is supposed to be undefeatable but might have holes, and then asks where the holes might lie to decide where to put backstops.
Here the system is "insecure" by design (literally they're trying to get the whole world to sign up for Claude Code for $200/month!) and they're trying to plug the hole that results from a "Except for Chinese Scrapers!" add-on requirement. That might be possible as an arms race kind of thing. But it's very unlikely to work by (as in the linked article) doing stuff like checking the system time zone.
Here's the sha of the prompt I submitted... no I don't know why there are no saved prompts with that sha.
What do you mean you don't know where the bug is coming from?
No, I absolutely didn't make it up, how could you accuse me of that?
Does anyone know when this regex isn't working? I double checked it 27 times, I even asked the LLM. They all say this regex should be finding these dates.
Weird, suddenly all the conversations are breaking when I feed them into this other tool? Something about UTF-8 errors, but I'm sure I'm only using ASCII?
I do try to take care to make sure the things I build can be used by other people even when they care about different things. I care about understandability, determinism (as it relates to computing), and repeatability (because I want to be able to trust the systems I use).
If y'all would be willing to try to account for use cases of others, and try not to break them... that would be nice.
Please note: that generally when you modify something that belongs to someone else without telling them... things should be expected to break.
Would you also say that "someone who wants to use an IDE / LSP features to code and not give credit to the IDE / LSP is the worst kind of person"? If not, what is the difference between the two for you?
> one wrote code while the other is used by meatbags to write code.
One is not a "meatbag" while the other is not a "meatbag". And no, outputting something on stdout that happens to function as code is not "writing" it in the sense that we actually care about here. That's conflating the metaphor we use in describing program behaviour with the actual "meatbag" activity.
> why is this example always marched out like it means something?
Again, that's not what we are talking about here. We have humans writing code using an IDE. We have LLMs generating code that is placed in the IDE. Why are people obtuse to this? Why are bots obtuse to this?
We have humans writing code using prompts. We have interpreters generating byte code that is placed in the JVM. I don’t think it’s obtuse to look at it this way.
> Let's start this out right: if they're equivalent, first you explain to us why you think so.
I think it should be really obvious how they're equivalent: both are the result of a program running on a computer, and not the result of in-the-moment cognition by a moral agent or moral patient. Of course the LLM is just a tool. Models can literally be downloaded as ordinary files. There is not some threshold to cross where some configurations of bits on a disk deserve "credit" for work and others do not.
> I think it should be really obvious how they're equivalent: both are the result of a program running on a computer...
In fact it's really obvious everything is equivalent: it's all just matter and energy!
> Of course the LLM is just a tool. Models can literally be downloaded as ordinary files. There is not some threshold to cross where some configurations of bits on a disk deserve "credit" for work and others do not.
Of course there is such a threshold. And it's definitely been crossed when the "tool" can operate autonomously or nearly so, when it can generate the "creation" with minimal operator input or understanding.
Your classic IDE can't do anything without the detailed control of its operator. It's nothing like a coding agent.
I just don't agree that it's a false equivalency. I see them both as "tools I use to get the job done". For me, the job is not "writing code" - it is "deliver feature", "fix bug", and the accountability, responsibility, and communication that comes with it.
> I just don't agree that it's a false equivalency. I see them both as "tools I use to get the job done". For me, the job is not "writing code" - it is "deliver feature", "fix bug", and the accountability, responsibility, and communication that comes with it.
> If scrapping content is legal, model distillation should be legal too.
No, because legality should be determined by what's in the best interests of Anthropic and OpenAI's business models.
Hopefully they're working on RLHF their models to insert clauses making that reality clear into any legislation their models generate or review. That way it's only a matter of time until the confusion is cleared up.
I suppose model distillation is technically legal, in terms of copyright, because LLM output is automatically public domain.
It's only "illegal" from a standpoint of breach of contract given its against the terms of use/service, which is to say its not illegal at all, there's no criminality there.
Yeah I considered whether I should use the term "illegal" in my original post, but in this case, I believe these models are actually banned for use in China, right? Like there are probably export controls (at least with the NVidia chips)
I honestly don't know ... yeah if it's just technically a terms of use violation (which isn't illegal, just a violation of one company's rules, for which Anthropic has every right to stop), or do we now have export controls applied from the various government actions, etc making them truly illegal now.
We have global export controls on Fable/Mythos, and I think (but I'm not 100% sure) that other frontier models are illegal for a US company to provide to China. So Anthropic geoblocks it, but unlike Mythos/Fable, non-US citizens can still use Opus, etc., just not from within China.
But because of the public domain status of LLM output (in the US), I'm not sure paying someone to run a bunch of prompts through Claude, post the output on a public website and then have a lab in China pull that output would run afoul of any laws. I think that would be legal on a technicality. AFAIK Anthropic has no ban in its terms of use saying you can't share Claude's output publicly. You still need interactivity for distillation, but I don't think (for now) there's anything stopping a Chinese or other lab from sending people to the US, signing up for a Claude subscription and doing the work stateside.
Distillation is pretty much impossible to stop. The US GOV would have to go the full export controls route like they did for Fable/Mythos to stop any non-US citizen from using/accessing the model, which is going to be impractical if not impossible to enforce.
There are so many China-born Chinese employees at Anthropic and OpenAI, and I think quite a lot of them have already been recruited as spies. So it is almost impossible to keep secrets from the Chinese government.
At what point though doesn't somebody stand back and say "wow, that's really dumb!" I think it's probably more an indication of a dev having too much time on their hands rather than being in a hurry.
The Chinese they are trying to catch must be amateurs. The first thing you should do is construct a sandbox which looks indistinguishable from a common user. The second thing is to put it behind a residential proxy.
Having values requires equality. They have lost the right to cry foul when they trained their model with "but it's fair use" card. Life works by reaping what you sow. Now they are at the reaping stage.
Much as I hate to defend companies climbing to success and pulling up the ladder afterwards, this asymmetry you note is kind of the whole point a company would want to grow big. Growing an organization has some super-linear costs and generally sucks for most individuals living through it - including the management - but it's still considered worth it, precisely because big entities can do things small entities cannot, and escape the threats from smaller competitors.
It's so basic it's actually part of the reason we exist, and animals of various sizes exist, and generally why evolution didn't stop at single-cellular life.
> They have lost the right to cry foul when they trained their model with "but it's fair use" card. Life works by reaping what you sow. Now they are at the reaping stage.
Yup. Except what they're reaping is insane cashflow and ability to pull stunts like these. We can call out the hypocrisy until our throats run dry, and in ideal fantasy land this would've meant something, but here in the real world, they sow the seeds of success, and now are reaping the right to be hypocritical and continue to get away with it.
In other words, being honest to oneself is important.
Anti-scraping measures people utilize are neither unethical nor illegal. That’s the difference.
Why so? Also, there is a lot of code in, ironically, Claude and ChatGPT that's generated by LLMs. Yet I haven't seen the public domain code.
I speculate this could be a real issue in future copyright infringement lawsuits.
The plaintiff bears the burden of proving that the code they claim is copyrighted by them actually is copyright. If it is known that large parts of it were generated by LLM, they’d need evidence to demonstrate sufficient human input to establish copyrightability. If they’ve kept highly detailed traces of the development process, that could be rather straightforward; if they haven’t, it could be really difficult.
Now, that’s true in the US, which never accepted mere “sweat of the brow” as a basis for copyright; the UK courts have, and most of the Anglosphere follows the UK on this more than the US.
The other factor: when dealing with an (almost) trillion dollar corporation, even if you’ll win the legal argument, they may bankrupt you with legal fees before the argument is ever properly heard.
But I suspect the precedents on this topic are going to be established by lawsuits involving far smaller actors.
(IANAL and I speculate only for myself, not any present, past or future employers.)
They would be stating this even if it weren't true, because it fits their marketing.
While I don't disbelieve the claim outright, I highly suspect Anthropic is misleading everyone about the severity.
If anything, Anthropic is incentivized to track but do nothing until equity lock up expires.
Anthropic did pay more than a billion: https://www.npr.org/2025/09/05/nx-s1-5529404/anthropic-settl...
And is now buying up a lot of books (controversially, as scanning involves cutting their spines) because that's what the law deems the legal method: https://www.washingtonpost.com/technology/2026/01/27/anthrop...
We know that models like Deepseek are trained on copyrighted books too: https://arxiv.org/abs/2603.20957
The looser use of IP (eg, any characters/celebrities in AI video models) is increasingly mentioned as an advantage of overseas models.
For record breaking amounts too.
Fixed that for you.
I don't believe that this has been resolved at all, and there are quite a few pending lawsuits about it at this very moment.
There are plenty of good reasons to not use Anthropic's services. If you don't like their terms of service, do stop using them! I personally think Anthropic's increasingly successful attempts at regulatory capture are even more distasteful.
Apparently not just foreign labs. It looks like xAI distilled Anthropic models to train grok.
https://opentools.ai/news/xai-trained-coding-models-claude-o...
Say they prove that foreign labs are distilling their models, then what?
I'm not sure why we are dithering on the boundaries of honesty when the entire content LLMs are trained on is stolen.
Are we debating "honor among thieves"?
Of course we are not, or maybe we are!
Does the behavior of a thief even matter to me? only after they do their time. And they will.
I can see the investors perched on the balconies of their condos in a couple years if that.
It's a long way down.
In interest of educating those less informed than yourself perhaps you could share with us why the reasoned points I've brought up are incorrect by actually addressing them?
I think you might have had enough HN for today. Take a nap and then eat a snack if you still feel cranky. The internet and all your cloud services will still be here when you want to play next.
(Well rested you'll also be able to string together a cogent argument but we're clearly struggling with bigger things here.)
If that's true, that is another reason why it's an illegitimate business.
So any covert bullshittery hits hard.
Any and all ends justify any and all means.
/s
(This field is known as "underhanded code", coined by the Underhanded C contest: https://www.underhanded-c.org. It's a little-known "art"; little-known for probably self-explanatory reasons. There are much cleverer ways of achieving objectives like this. One obviously being you can move more out of the client and into the server, but the other being you can write plausibly deniable client code in a much more benign-seeming way than this. Some of what they added can only be done on the client, but I think some could've been moved, and the client-required parts could've been done more subtly and credibly.)
It's possible they knew the JS bundle gets so heavily scrutinized that it'd eventually get spotted and reported on regardless so they didn't bother doing something more subtle and duplicitous. But still seems slightly lazy.
It's unlikely that this will stop a big AI lab from distilling their model if they're really determined, but A) it may be enough to stop a bunch of fly-by-night token resellers looking to make a quick buck and B) you never know when one person at one of those big labs will mess up and forget to install whatever workaround they have and out themselves.
I think of it like if you have a problem with birds in your yard so you go buy one of those plastic owls. The owl scares away most of the birds, but not all of them, so you go and buy some ultrasonic noise thing to scare them away (I'm just making something up). Just because you bought the new ultrasonic thing though, that doesn't mean you're going to take the owl down. You leave it up because now you've got two layers of defense instead of one.
aka market competitors reverse-engineering for interoperability
Meanwhile humans can pop in and leave little morsels like this and blame it on the model.
By this point they're probably pretty bad at writing code
There is a real time cat and mouse battle going on here in terms of keeping the advantage here, right.
As a rational actor, if someone was e.g. attacking me, leaving aside the whole copyright thing, but potentially using some sort of system to increase their value while decreasing my value (without calling it theft, to avoid the whole debate), I would want to put proportionate defense out there as fast as possible, depending on the amount of value that was exchanged, to stop the bleed, while in parallel figuring out the best long-term plan, right.
Anthropic could have implemented this not as a durable detection system against proxying resellers, but instead as a point-in-time sampling system to detect where (and with what context) proxying reselling is currently happening. Sure, it would be detected eventually, but in the meantime Anthropic could gain useful snapshot data.
It is going to be this cat and mouse game right, so at some point you want to throw as much out as quickly as possible when you are under attack, while building up the long term more scalable defense mechanisms.
Rationally I would assume that a lot of what you would quickly throw out would seem sloppy whether it is AI or not.
¹ https://github.com/hodgesmr/calgacus-mlx
As a side note, I have a pet theory that one of the reasons that OpenAI and Anthropic are okay with the latest models not being released is to prevent distillation.
I think they want to wait a couple months and see if the Chinese models continue to keep catching up or if their gains are really just because they're distilling the frontier models.
Oh, of course. I am sure this is the tip of an iceberg of tons of server-side detections and analytics. But, still, the client-side portion could've been done more cleverly.
What I meant was "some of the specific things in this little client-only snippet could've stayed server-only". I am sure long before they added this they already had tons of other mostly-server-side detection coverage.
It's all a losing battle anyway.
For "MMO geopolitics fingerprinting", you can in theory do the entire thing mostly or entirely from the server, with the client not actually ever receiving any underhanded code per se. Such as sending dynamic stylesheets that vary in a pretty plausibly deniable way that can be secretly extracted from screenshots. Same for the character swap stuff. A very good analyst could still potentially detect it, but it's much harder.
With this, there's the smoking gun of the semi-deobfuscated underhanded code in the client. It will always have to exist in some form, but you can write it in a way where it not just looks like regular code but actually has a believable purpose and behavior which could plausibly be normal and benign for implementation of a feature or telemetry or whatever. They did not really do it in a sufficiently "cleverly psyop-y" way, so to speak.
Most likely someone did and raised the issue but they're moving too fast to fix these things before clicking deploy.
```
cn baidu.com alibaba-inc.com alipay.com antgroup-inc.cn bytedance.net kuaishou.com xiaohongshu.com jd.com bilibili.co iflytek.com stepfun-inc.com moonshot.ai anyrouter.top claude-code-hub.app claude-opus.top openclaude.me proxyai.com yunwu.ai zenmux.ai
```
You can view the full list here: https://cdn.thereallo.dev/blog/assets/cc-domains.js
const labKeywords = [ "deepseek", "moonshot", "minimax", "xaminim", "zhipu", "bigmodel", "baichuan", "stepfun", "01ai", "dashscope", "volces", ]
In addition, many Chinese companies are trying to give their programmers access to Anthropic models even though they're legally prohibited from doing so. And that might involve employees using unmodified Claude Code with an ANTHROPIC_BASE_URL pointing to a proxy on the company intranet. In Alibaba's case, I've been told by an employee that they went the extra mile of setting up a hermetic cloud environment where employees could indirectly use Claude Code without ever having it touch their work computers.
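To make the two inputs the thread keeps coming back to concrete (a hostname on the domain list or containing a lab keyword, and a China timezone), here is an added JavaScript example, written for this thread and not taken from the article or from Claude Code, that audits whether a given environment would match checks of that kind. It uses short excerpts of the lists quoted above; the matching rules (suffix match on DNS label boundaries for domains, substring match for keywords, an IANA zone-name set for the timezone) and the inclusion of the ANTHROPIC_BASE_URL host are assumptions made for illustration, not a claim about the tool's actual logic.

```javascript
// Added example: audit which environment-fingerprint checks a machine would trip.
// Lists below are excerpts of the ones quoted in the thread; the match rules are assumptions.
const DOMAIN_SUFFIXES = ["cn", "sankuai.com", "bytedance.net", "aliyuncs.com", "moonshot.ai"];
const LAB_KEYWORDS = ["deepseek", "moonshot", "minimax", "zhipu", "dashscope"];
// IANA zone names resolving to China Standard Time (assumed meaning of "timezone is in China").
const CHINA_TIMEZONES = new Set(["Asia/Shanghai", "Asia/Chongqing", "Asia/Harbin", "Asia/Urumqi", "PRC"]);

// Suffix match on label boundaries: "git.bytedance.net" matches "bytedance.net",
// "notbytedance.net" does not. Returns the matched suffix or null.
function matchDomainSuffix(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  return DOMAIN_SUFFIXES.find((d) => h === d || h.endsWith("." + d)) ?? null;
}

// Plain substring match, as in "hostname contains deepseek". Returns keyword or null.
function matchLabKeyword(text) {
  const t = text.toLowerCase();
  return LAB_KEYWORDS.find((k) => t.includes(k)) ?? null;
}

// Extract the host from a base URL; malformed or empty input yields "".
function hostFromUrl(url) {
  try { return new URL(url).hostname; } catch { return ""; }
}

// Report every check the environment would match. null/false everywhere means no match.
function auditEnvironment({ hostname = "", timeZone = "", baseUrl = "" } = {}) {
  const baseHost = hostFromUrl(baseUrl);
  return {
    hostnameDomain: matchDomainSuffix(hostname),
    hostnameKeyword: matchLabKeyword(hostname),
    baseUrlDomain: baseHost ? matchDomainSuffix(baseHost) : null,
    baseUrlKeyword: baseHost ? matchLabKeyword(baseHost) : null,
    chinaTimeZone: CHINA_TIMEZONES.has(timeZone),
  };
}

// True if any individual check matched.
function anyMatch(audit) {
  return Object.values(audit).some((v) => v !== null && v !== false);
}

// Stand-alone run against the current machine (reads hostname, local zone and base URL env var).
if (typeof require !== "undefined" && require.main === module) {
  const os = require("os");
  const here = auditEnvironment({
    hostname: os.hostname(),
    timeZone: Intl.DateTimeFormat().resolvedOptions().timeZone,
    baseUrl: process.env.ANTHROPIC_BASE_URL ?? "https://api.anthropic.com",
  });
  console.log(here, anyMatch(here) ? "would match" : "no match");
}
```

Run with `node audit.js` (assumed file name) on a workstation to see which, if any, of these low-entropy signals it emits; the point the thread makes about it being "2 bits of information" is visible in the output, since each field is a single list hit or a boolean.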
If enough Westerners start using the service someone will make a website more anglo-friendly.
wouldn't this happen due to the massive amounts of spam/slop being released?
they spend their resources on compute and the model itself, the company is carried by the model and software engineers babysitting it
edit:
Legitimate reasons include:
- analyzing what Claude Code is sending to Anthropic to verify it's not exfiltrating data;
- selecting a model dynamically based on prompt difficulty, or enforcing a particular model;
- switching between multiple Anthropic accounts based on the project;
- filtering out credentials, PII and company secrets.
and many more.
Why would Anthropic get to dictate how someone uses a "tool" (that's literally what Claude Code is... a tool in a workflow)
They're swimming upstream. Trying to maintain a rapidly shrinking moat and not being very creative about it. Making enemies of your users is often a failing strategy.
Seriously?
It's their tool. And their service.
If this were a standalone tool that didn't rely on their service (like grep), I'd see your point. But it isn't - it's an extension of their service.
In reality, you can use the tool however you want. But they don't have to grant you access to their hosted service for every use case you can think of with the tool.
Sure you're right, I also don't have to use it! You corporate bootlickers are seriously getting old.
Anthropic choosing to delay their models' inevitable distillation by competitors is their prerogative.
That they choose to implement it by fingerprinting my access patterns without first disclosing is where they shit the bed. It isn't "sneaky" it's straight up sneaky (and dishonest and unscrupulous while we're at it). That this particular instance is harmless doesn't give me much comfort. Who's to say they aren't harvesting PII?
That their actions make sense for their business isn't any reason for people to accept their deceitful, customer-hostile decisions.
It's based on whether your timezone is in China and your hostname matches a blacklist. Literally 2 bits of information. Not much of a fingerprint.
Even good goals do not excuse malicious or reckless execution. The ends do not always justify the means.
Whether or not it harmed you this time, it's a violation of trust and autonomy.
Surely you'd be angry if someone secretly installed a rootkit onto your computer, even if--at least for now--it only had code to try to detect and snitch on Public Enemy #1.
This seems to be a VERY low resolution, functionally anonymous, bit of info, probably related to protecting their IP from bad actors breaking the TOS.
This looks like it's covered in the second bullet point of the "Personal data we automatically receive", that you consented to:
> Usage Information: We collect information about your use of the Services, such as the dates and times of access, browsing history, search, information about the links you click and about third-party applications, services, and content you integrate or interact with, pages you view, and other information about how you use the Services, and technology on the devices you use to access the Services.
What do you see as malicious or reckless here, exactly?
[1] https://www.anthropic.com/privacy
Since when was it your harness?
Switch to pi if this bothers you.
I surely would. What does that have to do with this scenario.
Note that the SW running on your machine is not doing anything malicious. The service is the thing that behaves in ways you don't like - and that service is not running on your device.
There is no comparison with rootkits here. This is the equivalent of Google giving you a CLI to make searches easier, and that tool decides to just Rickroll you randomly. Annoying, yes. A security concern? No.
If anything, I'll trust Google more than any of the other labs just because the infrastructure that stores and protects user data was built over decades, pre-AI craze.
That said, these fraudulent proxies are helping Chinese labs keep up, which might be to my advantage long term in eventually having a high quality private AI I fully control on my own hardware. That's not support, but I do recognize the incentive, for whatever that's worth.
[0] A recent example: https://www.anthropic.com/engineering/april-23-postmortem
This seems like a very naive response. If clients send explicit telemetry fields to the gateway, a malicious gateway can trivially strip or modify the field to conform to what normal traffic looks like. The steganography cat-and-mouse game is valuable because it is much harder for a gateway to continuously reverse engineer all the fingerprinting mechanisms used. Sure, some malicious gateways will be able to stay on top of things, but not all - and not always.
This is a total non issue unless you are Chinese distilling lab.
https://news.ycombinator.com/item?id=48259288
https://github.com/anthropics/claude-code/issues/62061
Looks like they just keep finding new "creative" uses for such things, as expected. I'll keep patching them out.
Is there a way to modify these prompts e.g. by putting instructions in CLAUDE.md to override it? I know it won’t directly modify the system prompt, but it seems like CLAUDE.md should have the final say, shouldn’t it?
You ain't seen nothing yet. It used to say "Try the simplest approach first. Do not overdo it. Be extra concise."
https://gist.github.com/roman01la/483d1db15043018096ac3babf5...
Let's just say the words "simplest fix" trigger me to this day.
> I know it won’t directly modify the system prompt
I directly modify the system prompts in the Claude Code executable. I don't want the models to see contradictory instructions.
I asked Claude himself to port the above patcher script to Python.
https://github.com/matheusmoreira/.files/blob/master/%7E/.lo...
Every once in a while I ask Claude to download and dissect the latest Claude Code executable to see if Anthropic screwed up the prompts again. If I see anything bad I add it to the script. Only then do I update Claude Code.
It was during one of these script maintenance sessions that I noticed the server side prompt injection mechanism. I'll also tell Claude to look for and disable this steganography nonsense from now on as well.
I usually audit the environment variables too.
> it seems like CLAUDE.md should have the final say
I wouldn't count on it.
And no, IMO steganography isn't security by obscurity, in the same way that using RSA and keeping the private key private isn't security by obscurity - keeping the private thing private is part of the security model.
> That their actions make sense for their business isn't any reason for people to accept their deceitful, customer-hostile decisions.
While I agree it's a dangerous precedent to set, I think this is a "vote with your wallet" sort of situation. They shouldn't do it, but from their POV this is what they need to do to offer the product they do at the price they do. If the product wasn't compelling, people wouldn't accept that they do this. However, they've decided if you want their product you have to use their interface and whatever spyware it comes with, so it comes down to: is the value proposition good enough that people will put up with it? As of today, the answer is unfortunately yes.
> I think this is a "vote with your wallet" sort of situation.
I agree 100%.
> is the value proposition good enough that people will put up with it? As of today, the answer is unfortunately yes
I don't fully agree with you here and I think the jury is still out on that.
In any case, I look forward to seeing international markets responding to the current situation.
Telemetry is disclosed in privacy policies; it can usually be opted out of and, if not that, then it can be blocked by a firewall. Steganographically fingerprinting customers' network routing when they consented to your tool reading a txt file is a different problem. Anthropic has demonstrated capability and willingness to embed arbitrary obfuscated data in their comms streams, and that's a dangerous precedent to set.
Or maybe you don't understand this hypothetical situation either, but I'm suspecting you just don't care about other people's privacy.
> I'm suspecting you just don't care about other people's privacy.
Quite a leap to assume I have neither basic reading comprehension skills nor care for privacy, but assuming I'm just misunderstanding you - I think this is the fundamental disconnect between security and privacy.
For one, most of this data is already collected openly by most apps and sites on the internet in countries all over the world, they just call it "analytics" and preventing tools like ublock from blocking them is an ongoing cat and mouse game.
Secondly - as someone who buys a bunch of electronics from companies headquartered in China (DJI, Insta360, Roborock immediately come to mind), they already have both normal analytics like in point one, and anti-tampering / anti-counterfeiting / anti-reverse-engineering features that are at least as, but often more, invasive than this.
Thirdly, and probably most importantly - as the author states, you're using a tool that by design and to be effective, uploads your private data to a third party for processing. You use it knowing that once the API request is made you have no idea what's going to happen to that data and this again is just fundamental to how (cloud hosted) LLMs work - the only privacy preserving option is to run your own LLMs at home or remotely on hardware you control
- filtering out people from the wrong side of "all humanity", years before it was demanded by the government
- downgrading their models in arbitrary ways (later saying "sorry but not really")
- actively sabotaging the replies, as in covertly modifying them to feed the users incorrect results
What's next to expect from Anthropic? Malware to brick your machine if they don't like you? Extending this to more people they don't like? I think I already can see how Dario Amodei's utopian visions of the future of "all humanity" are going to unfold.
All of this is totally understandable if you take the perspective that these people genuinely believe they're building superintelligence.
The overwhelming majority of the AI safety crowd - which has poured more of their life and time into thinking about these problems than the average HN armchair commentator ever would - understands that:
- you want to prevent China from getting to superintelligence first
- you must gate access of SI to known good actors
- and that this is a race that will result in the extinction of humanity if you fail in these goals
Literally everything these people do is totally understandable if you drop the assumption that they're lying when they say "we think we are building superintelligence."
> this is a race that will result in the extinction of humanity if you fail in these goals
How irrational and hysterical of me!
How are individual freedoms in China?
What happens if you criticize the government as a Chinese citizen?
Is it a good thing if a government that turns its citizens into red pulp for criticism, or disappears them in the middle of the night, or bans access to most media, is the first to a godlike superintelligence that gives them de-facto control of (and impose their values upon) the whole world?
Or is it better if democratic nations get there first?
If the latter, which democratic nations are best positioned to get to superintelligence before China?
So the comparison is with the US, not Anthropic.
The US doesn't turn its citizens into a fine red purée for criticizing it.
The US doesn't censor most media.
It is strictly better for a democratic nation like the US to get to superintelligence before a country that will gladly blend its citizens for criticizing it, and censor anything that dares to challenge its power.
>you want to prevent China from getting to superintelligence first
I don't. Prevent, not even outpace? Why? Seems like you're assuming China "winning" whatever race it is effectively ends humanity. Right now I think Chinese labs are way more mature about this, and Anthropic is way more dangerous than them. And how does it fit into the "for the benefit of all humanity" narrative we keep hearing? Is China the wrong humanity? Who else is going to end up in the wrong part? Are you sure it's not you?
>if you drop the assumption that they're lying when they say "we think we are building superintelligence."
I never assumed that, I know perfectly well who Anthropic are and that they believe everything they say as self-evident, without having any doubts. And I know they're the kind of people who can convince themselves of anything, because they're obviously smarter than everyone else, and become detached from reality. The entire US "AI safety community" was born in rationalist circles and is largely like this, it's a very specific cult. This is exactly the kind of people who are going to create hell on Earth for you and the rest if given even a lick of actual power, and perfectly rationalize it as a necessity.
> Seems like you're assuming China "winning" whatever race it is effectively ends the humanity
What do you think the PRC would do with a literal superintelligence?
Are you familiar with the history of the PRC?
Do you know how their human rights violations compare to, say, western nations?
If game theory tells us its development is inevitable, is it better for SI to belong to a dictatorship/authoritarian regime that gladly turns its citizens into a purée for criticism, or a democratically elected one?
> And how does it fit into the "for the benefit of all humanity" narrative we keep hearing?
Why is it so hard to comprehend that you can benefit someone without giving them access to the very powerful very dangerous technology?
> The entire US "AI safety community" was born in rationalist circles and is largely like this, it's a very specific cult
"The entire medical community was born in medical circles and it's a very specific cult"
A "cult" implies belief in something unknowable/unprovable. You can construct the rationalist AI safety takes from first principles. It is why most people that get involved in AI safety seriously, tend to arrive at similar conclusions
You have to be joking
What makes you think I didn't? You're talking like it's self-evident and adopt the condescending tone from the start, without giving any actual arguments why. (I'm not really interested in them as all these discussions are pointless and we had them back in ~2015)
>A "cult" implies belief in something unknowable/unprovable.
Yes, precisely. Also the gods and religious practices. Rationalists and subsequently AI safety branch invented a religion in a roundabout way.
>"The entire medical community was born in medical circles and it's a very specific cult"
Medicine is largely based on evidence and real-life observations, unlike AI safety which is based on belief in something that doesn't exist and some unprovable lore that is entirely rationalized without any grounding, and is expected to be self-evident (because it obviously is) and believed by the others. One is science, another is policy.
>Are you familiar with the history of the PRC?
Yes, I know it extremely well. I also know the history of the US, am familiar with the people who do AI research in the US from before they started doing this, and can see the actual reality.
If you are arguing in good faith you can very clearly reason about any given AI safety take. Case in point, you refused to engage with most of the questions because you know the conclusions they lead to.
> Medicine is largely based on evidence and real-life observations, unlike AI safety
"AI safety doesn't exist" is certainly a take.
> Yes, I know it extremely well. I also know the history of the US and see the actual reality.
Why do you think it's better that a country that turns its citizens into a pulp for criticizing the government, and censors most media to control its citizens' thoughts, reach SI before one that is democratically elected and in which you can generally criticize the government?
Which country are you referring to? As an outsider who is neither American nor Chinese, day by day it seems like the US is inching towards the same path as the criticized one.
You haven't provided a consistent counterpoint to any rationalist/safety viewpoint. I could acknowledge one if you actually provided a counterpoint, but you just say "it's a cult and it's wrong" without addressing the underlying argument.
What’s the punishment here exactly?
Seeing as how Anthropic cannot stop raising a stink about "illicit Chinese distillation attacks" every month or so, I'd bet money on them either already silently degrading model performance if any of the identification patterns match, or, at the very least, considering it/doing dry runs.
Particularly considering that they've openly stated that the technology to do so exists and that they were going to use it in production on Fable.
And that's also why, as a legitimate customer, I want none of it; you never know if you accidentally entered a zone they don't like.
to clarify, this behavior was announced with the model release
This is not hundreds of pages and it gets its own bold headline section.
> If Claude Fable stops helping you, you'll never know
https://jonready.com/blog/posts/claude-fable5-is-allowed-to-...
HN post with 1k+ comments: https://news.ycombinator.com/item?id=48467896
Here's an example. Say you have your team use patched binaries. Then CC updates and requires a new patched binary with new tricks. You now have to have a team ready to analyze the binary and begin to address the tricks; meanwhile, unpatched code is now a fingerprint. If some researcher decides to update Claude on their own to access new features, they get fingerprinted.
Defeating a single fingerprinting technique once is easy. Defeating all of the techniques all the time is hard.
I understand how this can be useful to Anthropic if the 3rd-party is acting as a proxy (because they end up hitting the Claude API with the marked prompt), but it looks like requests where "hostname contains deepseek" would never be sending data to Anthropic. What am I missing?
https://www.chinatalk.media/p/how-to-buy-cheap-claude-tokens...
I guess the only explanation is that there's a side-telemetry channel that still sends some data to Anthropic, regardless of ANTHROPIC_BASE_URL overrides.
This does not make sense. You wouldn't send such a prompt to the Claude model. And when you're sending the prompt (anywhere) you don't have the response yet. This is not how distillation works.
What you say makes sense, but further adds to my confusion as to why those model names would appear in input sent to Claude at all, then. EDIT: I guess it might be because someone might point Claude at a compatible API, with its model in the URL, which is of interest to them.
I'm quite all right with the first, not with the second of course.
This is how it looks.
# userEmail The user's email address is <my email>. # currentDate Today's date is 2026-06-30. </system-reminder>
I also do not understand what the point of this is, because if I have a gateway that can detect it, then we can replace the text before forwarding to the model, so what's the catch?
Cool reverse engineering/analysis report but if this is the extent of nefarious activity that came of it (trying to catch/mitigate chinese lab model distillations), that's kind of encouraging.
It's a total non issue unless you're a Chinese distillation lab
> This is not a malicious feature, but it is a weird choice for a developer tool that asks for trust.
They already tell you they scan for malicious prompts, and they have no ZDR guarantees for consumers. Why do signatures like this matter at all?
https://en.wikipedia.org/wiki/Trap_street
This watermark may trigger a similar mechanism.
I think you missed the memo on how foolish this attitude is. It came out around the time Edward Snowden made his discoveries at the NSA public. I suggest you look into it
I'm authenticated to Claude, so they already have the whole attribution thing solved.
Meanwhile, if you mean "Anthropic must think their technical advantage isn't very large..." then your conclusion is literally disproven by your premise.
Not really distillation, just synthetic training data.
Interesting that the pip (Python package manager) docs do not even mention sandboxing and malware topics in the "Getting started" docs, as if we were living in a wonderful world where malicious people, companies and countries do not exist.
Also, do not leave any information in user or host name, it will be used against you as the article proves.
You don't create a security measure then tell everyone how to bypass it.
I think OP is pointing something interesting out but the undertones of caution and "what else are they hiding" seem melodramatic and I find that hard to take serious.
The internet gives people a platform and, in a lot of ways, this supplants the typical role of journalism. The issue with this is no one wants to act like a journalist and actually explain the truth around a set of facts. Instead, they'll portray their opinions as a narrative and every time that resonates with someone or gets signal boosted, that narrative grows more assertive in the typical discourse I see nowadays. I would find it far more interesting to see what explanation Anthropic gives for these features than to immediately cry foul.
>on your local machine
I'd think any developer worth their salt has at least some form of isolation going.
Had a competitor pull something like this with a previous employer. They were supposed to be interoperating with a standard, but they had a secret steganographic handshake, which they used to pretend that competitors products were unreliable (they had a first mover position in a smaller national market with specific requirements, so this wasn't shooting themselves in the foot). Our guys figured out the handshake and just silently implemented it. In this case, the competitor wasn't big enough to waste engineering time on multiple such hacks, but Anthropic have time (or Claude does).
I’m pretty sure every lab, including Anthropic, is doing distillation right now.
Claude Code has more or less full access to the client computer. The server (that hosts the actual AI) can just go: execute this payload and tell me the result - otherwise I won't answer any further questions or re-route you to a stupider model.
The payload could check for Chinese time-zones, scan for copies of the little red book on the local hard-drive, or ping truth.social to see if it was behind the great firewall.
It shouldn't, not if you run CC as a separate unprivileged user. I wouldn't run CC on my main user account with sudo and access to my home directory or other resources. This is what the UNIX permissions system was designed for.
You're actually trusting your security to your harness AND model AND inference API provider in this scenario: https://jacob.gold/posts/why-i-wont-run-untrusted-models/
Also Anthropic: let's do this in JS
Literally, how. How does one determine what abusive use looks like for the API without context into the client? All requests look like the same stuff. If there was a better way then they would have done it. Or is the author hoping that if Anthropic writes "hey china, please don't steal our models, kthanks" they won't? Like get real. This stuff means nothing in China. China can't even manage to regulate their building industry enough to use real concrete where it's warranted.
There seem to be all sorts of continual under-the-cover changes like this one that make life harder. It feels like the entire product has been taken over by overly ambitious PMs that care more about making their mark than in improving the experience, and all of their marks have made me less productive.
I've been using Pi with GLM5.2 the past few days, and though it's expensive, I find it far more productive and less annoying. The remote session plugin is far more reliable, I don't need to intuit some undocumented usage pattern to figure out how to use it well, and it just works.
Are you using the API for GLM 5.2, or how exactly is it more expensive? How is GLM 5.2 more expensive than using Claude Code? That doesn't line up with my experience, but to be fair I am on an older yearly subscription which generously only has 5 hour limits.
To be fair though one minor criticism of GLM 5.2 that I have is that it does seem to overthink quite a lot sometimes but the results end up being (good?),
I personally have used Glm 5.2 with (Opencode + obra/superpowers) / Oh-my-pi / Maki.sh
I like the 1st one when I am doing a longer project, the 2nd or 3rd one when I am doing a project which doesn't want me to ask too many questions and simply spin me up something. I sometimes use free online interfaces of claude and gemini and others like AIstudio for that as well which surprisingly can lead you to go far as well.
Overall, I am decently happy with the state of Open-source models actually and the eco-system around it is probably gonna have even more innovation surrounding it.
In the few days I've been using it, my expenses have been higher than prorating my Claude subscription to 20 working days per month.
My experience with GLM5.2 is that it doesn't overthink nearly as much as Claude Code, has better and far more concise responses (I'm so siiiiick of 10 paragraph Claude babble trying to fill out some sort of answer length target by going on tangents I'm uninterested in... I'm sure that performs better on whatever eval they're doing, but apparently their evals don't include SNR?)
If you wish to go Non-API but rather subscription route: Z.Ai subscription/ Kimi subscription / MiniMax subscriptions are good. You could also take a look at ollama subscription and opencode subscriptions.
If you wish to go API route: Deepseek v4 pro /mimo v2.5 pro models are comparably good if your work can do that. Codex for all its failure and for as much respect that I had within Anthropic when they had fought against the govt. which Anthropic is slowly losing again by doing some pretty dystopian actions again so Codex subscription might make sense as well.
It depends on multiple things, but hopefully I am able to provide some interesting things.
If you wish to run models locally, unless you are specifically buying gigs for running them locally which is almost always about privacy rather than costs, then you are always better off with qwen models so if you got a 64-128GB laptop for example. You could run Qwen models and see where things go.
Hope this helps ya!
I do kind of like basing decisions somewhat on the API costs, because they reveal what the true costs will be after the eventual rug-pull on subscription pricing.
Even seeing the API costs of Claude Code today to a year ago are pretty eye-watering. I think there's a ton of room, at least for my workflows, to go back to far less capable models.
I've run local models in the past a bit, and explored LLM ops somewhat, and have zero desire to do it anymore, haha. It's fun as a hobby, but there's tons of other homelab stuff for me to play with.
> I've run local models in the past a bit, and explored LLM ops somewhat, and have zero desire to do it anymore, haha. It's fun as a hobby, but there's tons of other homelab stuff for me to play with.
True. I personally haven't played enough because my hardware is quite modest, even compared to personal hardware recommendations, but I have had some time playing with 350 (M, with million!) models like the recent LFM model and very small Qwen models. They are just experiments though, but I would one day like to see even more standardized models that we could use on our laptops or desktops themselves.
> Even seeing the API costs of Claude Code today to a year ago are pretty eye-watering. I think there's a ton of room, at least for my workflows, to go back to far less capable models.
Yeah exactly. I would constitute that even by using GLM 5.2 as you are originally doing even with API costs is probably much more sustainable over long run as you are currently doing. And it keeps you away from the problems of proprietary models and issues surrounding that.
If you are developing anything in AI or related domains that is of immediate value and/or in competition with Anthropic (and the like), DO NOT use a CLI programming agent. Preferably obfuscate your code and gut it of sensitive IP before showing it to agents. Do not trust the don't-train toggle.
Anthropic pushes fear and control. But the only way to win is by innovating. China is flooding the market with cheap, good enough models, while the U.S. is building a Chinese firewall.
No they can't, because developer tools run on developers' machines. You can't trust your code running in an environment you don't trust.
I would guess that's their first line of defense; they should have more techniques to identify distillation because that's a very simple way of detecting the host and can be easily spoofed.
i.e. this will allow them to literally commit fraud against paying customers
Yes, I said that. If a user is breaking your terms of service, ban them. Continuing to charge them while not providing the service they're paying for is, in fact, literal textbook fraud.
In any case this is not what is happening, but it is legal.
pi's "minimal" coding-agent has a total of 132 transitive dependencies spanning 153 maintainers.
While I understand JS developers in the JS/NPM ecosystem think this qualifies as minimal, it most certainly does not, from a supply chain security perspective.
All Anthropic has done is reduce trust, once again, with legitimate customers, while doing nothing to stop illegitimate customers. They need to get adults into key leadership roles, quickly.
Consider also that Claude Code is explicitly designed to limit human agency [1].
[1] https://neuromatch.social/@jonny/11635101584259395
I used that month to complete a work project and then beef up my personal harness so I'd never have to deal with Anthropic (and these sorts of shenanigans) again.
http://minimal-agent.com/
And if you add one additional while loop, for user input, you can actually use it! :)
https://gist.github.com/a-n-d-a-i/5461a662ef8a7ee0a5eb7778c8...
https://m.youtube.com/watch?v=_AgKuFGvJfI
And the repo:
https://github.com/abtinf/homunctor
Harnesses are/can be incredibly simple things, not much more than a HTTP client that renders things in a way that suits your taste.
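To make the "not much more than an HTTP client" point concrete, here is an added example of the whole loop (it is not pi, homunctor, minimal-agent.com or Claude Code source). The model is injected as a callable so the loop runs offline with a scripted stand-in; in a real harness that callable is the one HTTP POST. The part a practitioner should care about is that the harness, not the model, owns the tool list: a request for a tool that is not registered is refused and reported back, never executed. The workspace contents and the scripted model's turns are constructed for the demo.

```python
"""Minimal agent harness: loop until the model returns a final answer,
executing only tools the harness itself registers.

Added example for this thread; not any project's real code. `model` is any
callable taking the transcript and returning one JSON-style action:
  {"type": "tool_call", "name": ..., "args": {...}}  or  {"type": "final", "text": ...}
"""
import json
import re

# Constructed in-memory workspace so the tools never touch the real disk.
WORKSPACE = {
    "README.md": "# demo\nBuild with make.\n",
    "Makefile": "all:\n\tcc main.c\n",
}


def read_file(path):
    if path not in WORKSPACE:
        return f"error: no such file {path}"
    return WORKSPACE[path]


def grep(pattern, path):
    text = read_file(path)
    return "\n".join(l for l in text.splitlines() if re.search(pattern, l))


# The allowlist. Anything the model asks for that is not here does not exist.
TOOLS = {"read_file": read_file, "grep": grep}
MAX_STEPS = 8  # hard budget so a looping model cannot run forever


def run_agent(model, prompt, transcript=None):
    """One user turn: returns (answer, transcript). The agent loop proper."""
    transcript = transcript if transcript is not None else []
    transcript.append({"role": "user", "content": prompt})
    for _ in range(MAX_STEPS):
        action = model(transcript)
        transcript.append({"role": "assistant", "content": json.dumps(action)})
        if action.get("type") == "final":
            return action["text"], transcript
        name, args = action.get("name"), action.get("args", {})
        if name not in TOOLS:
            # Refuse rather than execute; the refusal goes back to the model.
            result = f"refused: tool {name!r} is not exposed by this harness"
        else:
            try:
                result = TOOLS[name](**args)
            except TypeError as e:
                result = f"error: bad arguments for {name}: {e}"
        transcript.append({"role": "tool", "name": name, "content": result})
    return "stopped: step budget exhausted", transcript


def scripted_model(transcript):
    """Stand-in for the HTTP call: reads a file, then asks for a shell tool
    the harness does not offer, then answers. Constructed for the demo."""
    tool_msgs = [m for m in transcript if m["role"] == "tool"]
    if len(tool_msgs) == 0:
        return {"type": "tool_call", "name": "read_file", "args": {"path": "README.md"}}
    if len(tool_msgs) == 1:
        return {"type": "tool_call", "name": "shell", "args": {"cmd": "cat /etc/passwd"}}
    summary = tool_msgs[0]["content"].splitlines()[1]
    verdict = "refused" if tool_msgs[-1]["content"].startswith("refused") else "executed"
    return {"type": "final", "text": f"{summary} (shell request was {verdict})"}


def chat(model):
    """The 'one additional while loop' that turns run_agent into a usable REPL."""
    transcript = []
    while True:
        try:
            line = input("> ")
        except EOFError:
            break
        answer, transcript = run_agent(model, line, transcript)
        print(answer)


if __name__ == "__main__":
    chat(scripted_model)
```

Swapping `scripted_model` for a function that POSTs the transcript to an API and parses the reply is the entire difference between this and a working harness; everything that decides what the agent may touch stays on your side of that call.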
Me, personally, I didn’t build it from scratch but I ported original CC from published sources into Python and extended it to match my own requirements.
I found this one easy to understand:
https://ampcode.com/notes/how-to-build-an-agent
I used ADK, Dagger, and a VS Code extension for mine. Currently using opencode though.
You have to pay API pricing, which is far more costly.
I'd either switch to GLM wholesale or just continue to use Opus within Claude Code as the blessed, subsidized path.
The pricing of Opus outside of Claude Code is insane.
The tokens cost too much outside of Anthropic's blessed path.
I'm not sure how that's possible. I expected to get increased correctness for that order of magnitude (something something test-time compute!) but I am not getting it.
The cheap tokens are the product.
I expect DeepSeek V4 Flash (or an equivalently sized model) to reach parity with GLM 5.2 some time this year (this based on DeepSeek V4 Flash launching at GLM 5.0 parity[0], and GLM 5.2 being freely available to distill from)
GLM 5.2 is within spitting distance of Opus 4.8 and is at least as good as Opus 4.6[1] which some devs were willing to spend hundreds to single-digit thousands of dollars a month for a few months ago.
[0]: https://artificialanalysis.ai/models/comparisons/deepseek-v4...
[1]: https://artificialanalysis.ai/models/comparisons/claude-opus...
Recent discussion on DSpark: https://news.ycombinator.com/item?id=48696585
They used to be a decently credible company with not-too-shady behaviour...
I hope they can actually regain some credibility…
It also doesn't seem very consistent to fixate on that while sending Anthropic everything about you via your day to day prompts, every line of the projects and environments you're working on at work, etc.
Their credibility comes from having one of the best models.
…And then Windows 11 became even worse.
It has some good effects on their models, like Claude seeking cooperation first. But the people behind the company have a typical "unconstrained" (in the Sowell vision sense) perspective that assumes that they know better, so they are righteous for attempting to control things (users, paying customers, their model outputs, their tool chain, the supposed deity they assume they will produce... etc.)
Altman world: malfeasant nihilist with God complex
But I hadn’t thought that as anything more than temporary flights of fancy.
I think it’s fair to say most had decent respectability.
Anthropic hired heavily from that pool so it’s astonishing how it turned out.
In this case they want to prevent a nation that censors its citizenry, puts/disappears dissidents into concentration camps for decades, and makes its own human rights lawyers literally eat their own shit, before raping and/or murdering them, from reaching superintelligence.
In this light, some client side code to potentially identify and ban the Chinese labs to slow them down by even a few days, is totally reasonable.
Here the system is "insecure" by design (literally they're trying to get the whole world to sign up for Claude Code for $200/month!) and they're trying to plug the hole that results from a "Except for Chinese Scrapers!" add-on requirement. That might be possible as an arms race kind of thing. But it's very unlikely to work by (as in the linked article) doing stuff like checking the system time zone.
What do you mean you don't know where the bug is coming from?
No, I absolutely didn't make it up, how could you accuse me of that?
Does anyone know when this regex isn't working? I double checked it 27 times, I even asked the LLM. They all say this regex should be finding these dates.
Weird, suddenly all the conversations are breaking when I feed them into this other tool? Something about UTF-8 errors, but I'm sure I'm only using ASCII?
I do try to take care to make sure the things I build can be used by other people even when they care about different things. I care about understandability, determinism (as it relates to computing), and repeatability (because I want to be able to trust the systems I use).
If y'all would be willing to try to account for use cases of others, and try not to break them... that would be nice.
Please note: that generally when you modify something that belongs to someone else without telling them... things should be expected to break.
One is not a "meatbag" while the other is not a "meatbag". And no, outputting something on stdout that happens to function as code is not "writing" it in the sense that we actually care about here. That's conflating the metaphor we use in describing program behaviour with the actual "meatbag" activity.
> why is this example always marched out like it means something?
Because it obviously does.
That's a false equivalency.
> If not, what is the difference between the two for you?
Let's start this out right: if they're equivalent, first you explain to us why you think so.
How is it false?
> Let's start this out right: if they're equivalent, first you explain to us why you think so.
I think it should be really obvious how they're equivalent: both are the result of a program running on a computer, and not the result of in-the-moment cognition by a moral agent or moral patient. Of course the LLM is just a tool. Models can literally be downloaded as ordinary files. There is not some threshold to cross where some configurations of bits on a disk deserve "credit" for work and others do not.
In fact it's really obvious everything is equivalent: it's all just matter and energy!
> Of course the LLM is just a tool. Models can literally be downloaded as ordinary files. There is not some threshold to cross where some configurations of bits on a disk deserve "credit" for work and others do not.
Of course there is such a threshold. And it's definitely been crossed when the "tool" can operate autonomously or nearly so, when it can generate the "creation" with minimal operator input or understanding.
Your classic IDE can't do anything without the detailed control of its operator. It's nothing like a coding agent.
Hello, Tom Smykowski. You have people skills!
https://www.youtube.com/watch?v=hNuu9CpdjIo
No, because legality should be determined by what's in the best interests of Anthropic and OpenAI's business models.
Hopefully they're working on RLHF their models to insert clauses making that reality clear into any legislation their models generate or review. That way it's only a matter of time until the confusion is cleared up.
It's only "illegal" from a standpoint of breach of contract given it's against the terms of use/service, which is to say it's not illegal at all, there's no criminality there.
I honestly don't know ... yeah if it's just technically a terms of use violation (which isn't illegal, just a violation of one company's rules, for which Anthropic has every right to stop), or do we now have export controls applied from the various government actions, etc making them truly illegal now.
But because of the public domain status of LLM output (in the US) I'm not sure paying someone to run a bunch of prompts through Claude, post the output on a public website and then have a lab in China pull that output, would run afoul of any laws; I think that would be legal on a technicality. AFAIK Anthropic has no ban in its terms of use that you can't share Claude's output publicly. You still need interactivity for distillation, but I don't think (for now) there's anything stopping a Chinese or other lab from sending people to the US, signing up for a Claude subscription and doing the work stateside.
Distillation is pretty much impossible to stop. The US GOV would have to go the full export controls route like they did for Fable/Mythos to stop any non-US citizen from using/accessing the model, which is going to be impractical if not impossible to enforce.
The irony.
https://en.wikipedia.org/wiki/Pretty_Good_Privacy#Criminal_i...
[0] f**k I'm old
Oh no, they're trying to steal the models that were trained on stolen data? That's horrible, I feel so bad for Anthropic.