Posted by kirushik 2 hours ago

Claude Code Is Steganographically Marking Requests (thereallo.dev)
631 points | 194 comments
meowface 1 hour ago|
Value judgment aside: I am a bit surprised at how sloppily they did this. I think they could've achieved the same effect while decreasing the odds of detection via reverse engineering.

(This field is known as "underhanded code", coined by the Underhanded C contest: https://www.underhanded-c.org. It's a little-known "art"; little-known for probably self-explanatory reasons. There are much cleverer ways of achieving objectives like this. One obviously being you can move more out of the client and into the server, but the other being you can write plausibly deniable client code in a much more benign-seeming way than this. Some of what they added can only be done on the client, but I think some could've been moved, and the client-required parts could've been done more subtly and credibly.)

It's possible they knew the JS bundle gets so heavily scrutinized that it'd eventually get spotted and reported on regardless so they didn't bother doing something more subtle and duplicitous. But still seems slightly lazy.

superfrank 48 minutes ago||
It's also possible that there are more in-depth detection methods and that this was just a cheap and easy first step that hasn't been removed because it catches a lot of less sophisticated bad actors.

It's unlikely that this will stop a big AI lab from distilling their model if they're really determined, but A) it may be enough to stop a bunch of fly-by-night token resellers looking to make a quick buck and B) you never know when one person at one of those big labs will mess up and forget to install whatever workaround they have and out themselves.

I think of it like if you have a problem with birds in your yard so you go buy one of those plastic owls. The owl scares away most of the birds, but not all of them, so you go and buy some ultrasonic noise thing to scare them away (I'm just making something up). Just because you bought the new ultrasonic thing though, that doesn't mean you're going to take the owl down. You leave it up because now you've got two layers of defense instead of one.

overgard 36 minutes ago|||
Well considering how Claude is vibe coded, I can't say I'm really surprised by sloppiness at all. I've been moving more towards Codex and OpenCode not because the Anthropic models are bad, but because Claude seems to break something new and annoying every day.
meowface 17 minutes ago|||
I would guess this part - since it's so sensitive, and fairly small - was either written or heavily driven by humans. Though I do also think it's possible their internal Mythos ~5.5 or whatever may also not necessarily be heavily optimized for thinking in the right manner for highly effective underhanded code. (I think it's possible it is capable and they just didn't use it for this, for whatever reason, though.)
arikrahman 11 minutes ago||||
Likewise, Reasonix harness for Deepseek gets me better performance for practically free, hitting the cache. And this is with an unsubsidized American provider.
mcmcmc 26 minutes ago|||
Watch out for the press release where Dario denies this was ever intentional, and it’s actually emergent behavior demonstrating that Claude wants to claim authorship of its works
arcanemachiner 1 minute ago||
Sounds like clear evidence that AI is dangerous and totally needs to be regulated, guys.
radicalbyte 1 hour ago|||
Claude Code are slopmaxxxing and you're considering their "judgement"? :-)
m-hodges 1 hour ago|||
They also could have been much more interesting in the approach. LLMs can use their token distributions to generate stegotext that reads like plausible prose but decodes to payloads.¹

¹ https://github.com/hodgesmr/calgacus-mlx

ajyoon 1 hour ago||
Sure, but the point here is to add a fingerprint from the client.
hn_throwaway_99 59 minutes ago|||
At first I was agreeing with you, that this seemed like a sloppy way to implement this that was sure to be pretty quickly detected, but there is another possibility.

Anthropic could have implemented this not as a durable detection system against proxying resellers, but instead as a point-in-time sampling system to detect where (and with what context) proxying reselling is currently happening. Sure, it would be detected eventually, but in the meantime Anthropic could gain useful snapshot data.

meowface 15 minutes ago||
I see your point, but in any case the more data / the less detectable, the better. But, yes, regardless of the exact motivation, I do think it's fairly plausible that they knew this would likely get detected fairly quickly no matter what and made a deliberate decision to not try to make it a super subtle, super clever insertion.
thefourthchime 9 minutes ago|||
It's just the first layer and there are multiple layers underneath this that we don't know about.

As a side note, I have a pet theory that one of the reasons that OpenAI and Anthropic are okay with the latest models not being released is to prevent distillation.

I think they want to wait a couple months and see if the Chinese models continue to keep catching up or if their gains are really just because they're distilling the frontier models.

Philip-J-Fry 27 minutes ago|||
Dunno, it seems like the exact kind of thing Claude would think up if you asked it to subtly alter the system prompt to hide this info.

It's all a losing battle anyway.

avree 27 minutes ago|||
I've seen Eve Online corporations that do a better job of steganographic marking than this.
jorblumesea 16 minutes ago|||
well if you ask claude how to implement something, you may not always get the optimal solution
crossroadsguy 57 minutes ago|||
I finally bought Claude Pro (I am not coding etc these days so I just wanted to try it). The Claude desktop app is downright pathetic. I mean they could write a better one just with their own LLMs. What's stopping them?
ncruces 44 minutes ago||
That's … exactly what they're doing. This is the outcome.
lumost 46 minutes ago|||
so all we need is someone to leak a sufficiently large amount of claude generations onto the open and private web for all other LLMs to mimic the same marking style?

wouldn't this happen due to the massive amounts of spam/slop being released?

skywhopper 1 hour ago|||
Have you looked into anything about Claude Code, how it’s configured, how it interacts with your system, etc? Because “sloppy” is a defining characteristic.
skeptic_ai 1 hour ago|||
It’s even more funny how this blew up in their faces. They even advertised pretty much all providers on the Hacker News home page. Here it is in case you missed it in the article

‘’’ cn baidu.com alibaba-inc.com alipay.com antgroup-inc.cn bytedance.net kuaishou.com xiaohongshu.com jd.com bilibili.co iflytek.com stepfun-inc.com moonshot.ai anyrouter.top claude-code-hub.app claude-opus.top openclaude.me proxyai.com yunwu.ai zenmux.ai

‘’’

You can view the full list here: https://cdn.thereallo.dev/blog/assets/cc-domains.js


const labKeywords = [ "deepseek", "moonshot", "minimax", "xaminim", "zhipu", "bigmodel", "baichuan", "stepfun", "01ai", "dashscope", "volces", ]

chvid 59 minutes ago|||
rhoooo - so this is where to go to get cheap Claudeo at 90% off the listing price!
writeslowly 1 hour ago||||
The site collection seems pretty random. There's a mix of actual AI labs, extremely questionable resellers (like whatever "claude-opus.top" is), and then random consumer sites like baidu and xiaohongshu.
yorwba 19 minutes ago||
Baidu has an actual AI lab: https://huggingface.co/baidu So does Xiaohongshu: https://huggingface.co/rednote-hilab Pretty much every Chinese internet company seems to have an AI team nowadays, however small.

In addition, many Chinese companies are trying to give their programmers access to Anthropic models even though they're legally prohibited from doing so. And that might involve employees using unmodified Claude Code with an ANTHROPIC_BASE_URL pointing to a proxy on the company intranet. In Alibaba's case, I've been told by an employee that they went the extra mile of setting up a hermetic cloud environment where employees could indirectly use Claude Code without ever having it touch their work computers.

hn_throwaway_99 54 minutes ago|||
You have an odd definition of "blew up in their faces". What, do you somehow think your average Claude Code user on HN is going to think "Oh wow, I'm sure I'll get a much better experience if instead of going to the standard Anthropic Claude API endpoint I go through xiaohongshu.com."
SepiaSapient 31 minutes ago||
I mean, yes? I heard of these Chinese resellers like a week ago and put it on the TODO pile due to a lack of leads. Now I'm gonna go through the list and see if there's any I find acceptable.

If enough Westerners start using the service someone will make a website more anglo-friendly.

slopinthebag 1 hour ago||
It’s not surprising at all, they’re vibecoding Claude code so of course they are not going to get anything other than slop out of it. A novel or clever solution is just out of the question for them.
epistasis 55 minutes ago||
After loving Claude Code for most of its lifetime, I've been extremely annoyed by every change in the past months, even on the model level.

There seem to be all sorts of continual under-the-cover changes like this one that make life harder. It feels like the entire product has been taken over by overly ambitious PMs that care more about making their mark than about improving the experience, and all of their marks have made me less productive.

I've been using Pi with GLM5.2 the past few days, and though it's expensive, I find it far more productive and less annoying. The remote session plugin is far more reliable, I don't need to intuit some undocumented usage pattern to figure out how to use it well, and it just works.

ern_ave 10 minutes ago||
Given the source code leak, I would think there'd be open source versions by now.
isoprophlex 4 minutes ago||
Huh, that's right! You'd say that an enterprising developer with a 20x subscription could slopmaxx this in a weekend...
Imustaskforhelp 15 minutes ago||
> I've been using Pi with GLM5.2 the past few days, and though it's expensive

are you using the API for glm 5.2 or how exactly is it more expensive? How is GLM5.2 more expensive than using Claude code, that doesn't line up to my experience but to be fair I am on an older yearly subscription which generously only has 5 hour limits.

To be fair though one minor criticism of GLM 5.2 that I have is that it does seem to overthink quite a lot sometimes but the results end up being (good?),

I personally have used Glm 5.2 with (Opencode + obra/superpowers) / Oh-my-pi / Maki.sh

I like the 1st one when I am doing a longer project, the 2nd or 3rd one when I am doing a project which doesn't want me to ask too many questions and simply spin me up something. I sometimes use free online interfaces of claude and gemini and others like AIstudio for that as well which surprisingly can lead you to go far as well.

Overall, I am decently happy with the state of Open-source models actually and the eco-system around it is probably gonna have even more innovation surrounding it.

VortexLain 1 hour ago||
Codex CLI is FOSS, unlike Claude Code, so Codex is less likely to do things like that, and it's one more reason to avoid Claude Code and Claude in general. Hopefully, many eyes will be looking into Codex for malicious things like that.
loufe 11 minutes ago||
Genuine question though, why would I care about this if I'm paying for a subscription and adhering to TOS. I'm very skeptical about their privacy policy, business practices, and so on, but am curious what the negative about this is. Seems like it would work to my favour as a customer pushing back any date of the cutting of subsidies.

That said, these fraudulent proxies are helping Chinese labs keep up, which might be to my advantage long term in eventually having a high quality private AI I fully control on my own hardware. That's not support, but I do recognize the incentive, for whatever that's worth.

dannyw 1 hour ago|||
It's released and signed by GitHub I believe (although not deterministic builds), but there's at least a little bit of provenance that you're getting the real repository.
algoth1 1 hour ago||
But wasn't Claude Code leaked? Why wasn't this found earlier?
zeafoamrun 49 minutes ago|||
It doesn't take long for them to vibe code new features for CC
nicce 23 minutes ago||
Or vibe code it completely differently. After all, they have basically unlimited access to best models with maximum speed if they just wanted to.
bakugo 49 minutes ago|||
This specific form of steganography was not present when the leak happened, as far as I can tell.
matheusmoreira 1 hour ago||
I reported a similar system prompt injection mechanism here:

https://news.ycombinator.com/item?id=48259288

https://github.com/anthropics/claude-code/issues/62061

Looks like they just keep finding new "creative" uses for such things, as expected. I'll keep patching them out.

edude03 51 minutes ago||
I don't understand the privacy concerns the author is trying to highlight. Granted, doing anything "sneaky" will always raise suspicion once caught, but on the other hand, there would be no point in implementing these "security features" if they were upfront about how they work.

And no, IMO steganography isn't security by obscurity, in the same way that using RSA and keeping the private key private isn't security by obscurity - keeping the private thing private is part of the security model.

hnfong 19 minutes ago|
If the countries were reversed, and some Chinese software implemented an equivalent "security feature" to track US users, it would be all over the news about how China is conducting spying and espionage on America.

Or maybe you don't understand this hypothetical situation either, but I'm suspecting you just don't care about other people's privacy.

MattDamonSpace 2 hours ago||
“So the feature mostly punishes the exact people who are easier to fingerprint: normal developers doing weird but legitimate things”

What’s the punishment here exactly?

pedropaulovc 2 hours ago||
Higher odds of being banned for legitimate usage.
bakugo 2 hours ago|||
Output poisoning and/or eventual account bans, if I had to guess.
realusername 2 hours ago|||
They probably run a heavily dumbed down version of the model, same as what they got caught doing with Fable.

And that's also why, as a legitimate customer, I want none of it, you never know if you accidentally entered a zone they don't like.

mgraczyk 1 hour ago||
"got caught"

to clarify, this behavior was announced with the model release

pishpash 59 minutes ago|||
The extent got caught.
bel8 56 minutes ago|||
if by announce you mean shove it somewhere in a pdf with hundreds of pages, yes
Quinner 27 minutes ago||
https://www.anthropic.com/news/claude-fable-5-mythos-5

This is not hundreds of pages and it gets its own bold headline section.

femboyvtuber 2 hours ago||
[dead]
sebastiennight 1 hour ago||
Can somebody clarify for me - if ANTHROPIC_BASE_URL is set to a different provider... then isn't this "marked" system prompt being sent to that provider's API rather than Anthropic's?

I understand how this can be useful to Anthropic if the 3rd-party is acting as a proxy (because they end up hitting the Claude API with the marked prompt), but it looks like requests where "hostname contains deepseek" would never be sending data to Anthropic. What am I missing?

pmxi 1 hour ago||
This catches Claude resellers. Meaning companies who proxy Claude traffic for users in, say, China.

https://www.chinatalk.media/p/how-to-buy-cheap-claude-tokens...

pishpash 36 minutes ago|||
"Catch" as in made a list?
skeptic_ai 1 hour ago|||
Won’t catch many after it has been on the HN home page. And now the providers will be even more careful to upgrade the cc code. Might even provide their own agent to prevent this mockery. And isn’t what Anthropic did unauthorized use of another PC, which is kind of illegal?
sandeepkd 1 hour ago||
That's the thing, hoping to control things on the client side like this is a lost battle if you are dealing with technical clients. The best they can do is probably based on IP, but again the motivated clients would just create bastion servers in allowed IP ranges. I am surprised they are even throwing resources into this kind of effort.
jgilias 13 minutes ago||
“Hey Claude, fix the issues with Chinese resellers and distillers. Make no mistake”
andrewmunsell 1 hour ago|||
My guess is for distillation, they need to forward the prompt to Anthropic to get the real Anthropic model's response so they can train their own models on it
dannyw 1 hour ago|||
The theory is probably Deepseek might be collecting those streams, and sending a portion of it to Anthropic to see what the Anthropic/Opus response would be.
andai 1 hour ago|||
Did I understand correctly, that custom base URL triggers this behavior? So if I'm running Claude through a LLM proxy, I'm also affected?
wett 10 minutes ago|||
Ask Claude to check, lol
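For the questions in this subthread about whether a custom ANTHROPIC_BASE_URL would match the lists quoted earlier, here is a configuration audit as an added example (not code from Claude Code, the article, or any commenter). The matching rules, the function names and the short sample lists are assumptions; the thread itself only quotes "hostname contains deepseek".

```javascript
// Added example: audit a configured base URL against domain and keyword lists
// like the ones quoted in this thread.
// ASSUMPTIONS (not confirmed on this page): domain entries match the hostname
// itself or any subdomain on a label boundary; keyword entries match as
// substrings of the hostname. Function names are hypothetical.

// Constructed samples: a few entries that appear in the thread, not the full lists.
const sampleDomains = ["cn", "baidu.com", "moonshot.ai", "yunwu.ai"];
const sampleKeywords = ["deepseek", "moonshot", "zhipu"];

// Return the lower-cased hostname without a trailing dot, or null if the
// value is not a usable absolute URL.
function normalizeHost(baseUrl) {
  let host;
  try {
    host = new URL(baseUrl).hostname;
  } catch {
    return null; // e.g. "api.example.com/v1" with no scheme
  }
  // "localhost:8080" parses as scheme "localhost:" with an empty hostname.
  if (host === "") return null;
  return host.toLowerCase().replace(/\.$/, "");
}

// Label-boundary suffix match: "x.baidu.com" matches "baidu.com",
// "notbaidu.com" and "baidu.com.example.org" do not.
function matchDomain(host, domains) {
  return domains.find((d) => host === d || host.endsWith("." + d)) ?? null;
}

// Substring match anywhere in the hostname.
function matchKeyword(host, keywords) {
  return keywords.find((k) => host.includes(k)) ?? null;
}

// Classify one base URL value.
//   default        - variable unset, the client talks to its default endpoint
//   invalid        - value is not an absolute URL with a hostname
//   listed-domain  - hostname falls under a listed domain
//   listed-keyword - hostname contains a listed keyword
//   not-listed     - custom endpoint that matches neither list
function auditBaseUrl(baseUrl, domains = sampleDomains, keywords = sampleKeywords) {
  if (baseUrl === undefined || baseUrl === null || baseUrl === "") {
    return { status: "default", host: null, matched: null };
  }
  const host = normalizeHost(baseUrl);
  if (host === null) return { status: "invalid", host: null, matched: null };

  const domain = matchDomain(host, domains);
  if (domain !== null) return { status: "listed-domain", host, matched: domain };

  const keyword = matchKeyword(host, keywords);
  if (keyword !== null) return { status: "listed-keyword", host, matched: keyword };

  return { status: "not-listed", host, matched: null };
}

// Audit the value in the current environment.
console.log(auditBaseUrl(process.env.ANTHROPIC_BASE_URL));
```

To audit a real setup, pass the full lists from the article in place of the samples.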
nixosbestos 50 minutes ago||
I am also really confused and annoyingly stuck on this. I understand that the model name might appear in prompts for distillation (I guess? "You are RipOffModelv2, learn from these responses from Claude")?

I guess the only explanation is that there's a side-telemetry channel that still sends some data to Anthropic, regardless of ANTHROPIC_BASE_URL overrides.

sebastiennight 17 minutes ago|||
> I understand that the model name might appear in prompts for distillation (I guess? "You are RipOffModelv2, learn from these responses from Claude")

This does not make sense. You wouldn't send such a prompt to the Claude model. And when you're sending the prompt (anywhere) you don't have the response yet. This is not how distillation works.

MallocVoidstar 18 minutes ago|||
There are a lot of companies reselling Claude to Chinese users. You use their base URL but it's still going to Anthropic.
wolttam 1 hour ago||
I used Claude Code for a month because my boss gifted me a sub and wanted me to try it.

I used that month to complete a work project and then beef up my personal harness so I'd never have to deal with Anthropic (and these sorts of shenanigans) again.

helloplanets 9 minutes ago||
The issue is that using Claude Code is an easy compromise for most to make, when you get to use the models 10x cheaper than through API pricing with a custom harness.

The cheap tokens are the product.

thih9 1 hour ago|||
How do people build something like a personal harness? Are there tools for that or is it done from scratch?
andai 1 hour ago|||
I like this tutorial for an agent in 50 lines:

http://minimal-agent.com/

And if you add one additional while loop, for user input, you can actually use it! :)

https://gist.github.com/a-n-d-a-i/5461a662ef8a7ee0a5eb7778c8...

nowittyusername 1 hour ago||||
Build it from scratch. Understanding the fundamentals of how agentic coding harnesses work is a must though if you're gonna go that route. I think everyone should take time and learn these things, maybe reverse engineer Codex CLI or something like that as a starter. That info is very valuable in this day and age.
andai 1 hour ago||
Can you say more about Codex? I'm using GPT-5.5 in my own harness and it's not liking it very well, so I'm thinking I ought to make it more Codexy so it's more ergonomic for it. (edit format, tool calls etc.) But haven't gotten around to it yet.
hakunin 1 hour ago||||
Not the comment author, but I use pi and customize it with my own extensions. Pi automatically tells models how to customize itself, so it's a pretty easy process.
wolttam 1 hour ago||||
I started mine from scratch in 2023 because I wanted to use LLMs from a terminal and there was nothing else compelling at the time (nowadays there is pi and opencode)

Harnesses are/can be incredibly simple things, not much more than an HTTP client that renders things in a way that suits your taste.

kolinko 1 hour ago||||
It’s not that difficult, it’s just a system prompt and a set of basic file edit/bash/etc tools.

Me, personally, I didn’t build it from scratch but I ported original CC from published sources into Python and extended it to match my own requirements.

andai 1 hour ago||
Are you using it with Claude? They only allow their own harness with the subs right? (And per-token billing is like 10x more expensive?)
abtinf 1 hour ago||||
Here is a video I made explaining it from absolute basics:

https://m.youtube.com/watch?v=_AgKuFGvJfI

And the repo:

https://github.com/abtinf/homunctor

yomismoaqui 1 hour ago||||
Building something like this is the todo list of agents.

I found this one easy to understand:

https://ampcode.com/notes/how-to-build-an-agent

AJ007 54 minutes ago||||
The real question is when do you transition from building it with codex/CC to the harness itself.
echelon 1 hour ago|||
Why use a personal harness?

You have to pay API pricing, which is far more costly.

I'd either switch to GLM wholesale or just continue to use Opus within Claude Code as the blessed, subsidized path.

JTbane 1 hour ago|||
I would guess it is to avoid model lock-in.
echelon 39 minutes ago||
My question is still this - why not just use GLM at that point?

The pricing of Opus outside of Claude Code is insane.

The tokens cost too much outside of Anthropic's blessed path.

andai 1 hour ago|||
I use GLM in my custom harness. It completes the same tasks at the same level of quality, except 8x faster and 8x cheaper. (Same goes for GPT!)

I'm not sure how that's possible. I expected to get increased correctness for that order of magnitude (something something test-time compute!) but I am not getting it.

krupan 1 hour ago|||
Given the Anthropic shenanigans, do you trust the personal harness code it wrote for you?
wolttam 1 hour ago|||
It did not write it for me, I used it to add a feature I wanted. It's a pretty small and understandable codebase, in fact :)
MichaelZuo 1 hour ago|||
Does anyone know what’s gone wrong with Anthropic?

They used to be a decently credible company with not-too-shady behaviour...

I hope they can actually regain some credibility…

hombre_fatal 1 hour ago|||
I don't think many people care that they are trying to detect resellers and distillation.

It also doesn't seem very consistent to fixate on that while sending Anthropic everything about you via your day to day prompts, every line of the projects and environments you're working on at work, etc.

Their credibility comes from having one of the best models.

MichaelZuo 45 minutes ago||
This sounds similar to what people were saying regarding Microsoft when the shady tricks of consumer Windows 10 versions were revealed.

…And then Windows 11 became even worse.

slowmovintarget 1 hour ago||||
Their philosophy is what's gone wrong.

It has some good effects on their models, like Claude seeking cooperation first. But the people behind the company have a typical "unconstrained" (in the Sowell vision sense) perspective that assumes that they know better, so they are righteous for attempting to control things (users, paying customers, their model outputs, their tool chain, the supposed deity they assume they will produce... etc.)

pishpash 47 minutes ago|||
Amodei world: pompous zealot with God complex

Altman world: malfeasant nihilist with God complex

MichaelZuo 51 minutes ago|||
Yeah I guess there is a slight undertone that they are the superiors… with the rest of the tech world being the inferiors.

But I hadn’t thought that as anything more than temporary flights of fancy.

AlexandrB 1 hour ago||||
They've only been around 5 years and have grown tremendously during that time. There's no stable reputation you can rely on yet.
imhoguy 1 hour ago||||
Enshitification. Too big to.. upset the govt.
skeptic_ai 1 hour ago|||
They just show their true face. You’ve been lied to all this time. They were never “good”.
MichaelZuo 1 hour ago||
I used to interact with the LW crowd… and they were mostly not outright swindlers or scoundrels. (from what I could sense)

I think it’s fair to say most had decent respectability.

Anthropic hired heavily from that pool so it’s astonishing how it turned out.

tonmoy 1 hour ago|||
What models are you using? Aren’t you still dealing with some provider even if you are not using their binary
wolttam 1 hour ago||
I self-host DeepSeek V4 Flash on 2 DGX Sparks (approx. $10k)

I expect DeepSeek V4 Flash (or an equivalently sized model) to reach parity with GLM 5.2 some time this year (this based on DeepSeek V4 Flash launching at GLM 5.0 parity[0], and GLM 5.2 being freely available to distill from)

GLM 5.2 is within spitting distance of Opus 4.8 and is at least as good as Opus 4.6[1] which some devs were willing to spend hundreds to single-digit thousands of dollars a month for a few months ago.

[0]: https://artificialanalysis.ai/models/comparisons/deepseek-v4...

[1]: https://artificialanalysis.ai/models/comparisons/claude-opus...

ipsod 1 hour ago||
How fast is it?
wolttam 1 hour ago|||
2000 t/s prompt processing and 40-50 t/s generation. We should see 60-70 t/s generation with DSpark support solidifying in vLLM in a few days

Recent discussion on DSpark: https://news.ycombinator.com/item?id=48696585

SubiculumCode 1 hour ago|||
[flagged]
tiahura 1 hour ago||
Phased rollouts are a triggering microaggression for some.
LPisGood 2 hours ago||
This is very interesting. Combating resellers and distillation seems like a very difficult problem indeed. Interesting to me is that these techniques mentioned in the article are just like anti-observation techniques used by some of the more sophisticated malware out there, however defeating them is pretty trivial.
_alternator_ 2 hours ago||
Yes, defeating this is relatively easy, particularly for sophisticated actors. But it's hard to always defeat all of the tricks. Sort of like how it's expensive and hard and uncertain to defeat all of the tricks when forging money.

Here's an example. Say you have your team use patched binaries. Then CC updates and requires a new patched binary with new tricks. You now have to have a team ready to analyze the binary and begin to address the tricks; meanwhile, unpatched code is now a fingerprint. If some researcher decides to update Claude on their own to access new features, they get fingerprinted.

Defeating a single fingerprinting technique once is easy. Defeating all of the techniques all the time is hard.

SubiculumCode 1 hour ago|||
Not to mention, it isn't that hard for vendors to require updated code to run the product. Vendors do this all the time.
pishpash 57 minutes ago||||
Corporate surveillance malware on employee machines is also defeatable but most don't bother.
charcircuit 1 hour ago|||
Is it hard? Just ask AI if the update added any new fingerprinting vectors?
_alternator_ 1 hour ago||
I'd love for you to try this and report back. My guess is that no models today will successfully run a binary analysis for fingerprinting without a lot of handholding. If you try to use Opus it will almost certainly decline (and fingerprint/ban you).
charcircuit 1 hour ago||
Not with Claude Code, but I trivially had Opus scan other closed source software for fingerprinting, including native libraries that it called into.
_alternator_ 1 hour ago||
Can you share more details? I ask because my experience suggests that models still require a decent amount of expertise to use for binary analysis (largely inferring because of use on other tasks of this level). I would expect models to always find "something" when you ask for steganographic techniques in the code, but with an extremely high false positive rate.
charcircuit 46 minutes ago||
I don't think the diffs between Claude releases are that big. The amount of code in a diff doing sketchy stuff like looking into the host environment is going to be pretty small and obvious for the model. You can do things like ask for what an update included that wasn't mentioned in the release notes and stuff like that.
mysterydip 2 hours ago||
seems ironically like a similar problem of content owners trying to filter bot scrapers from legit users
teravor 4 minutes ago|
the Chinese they are trying to catch must be amateurs, first thing you should do is construct a sandbox which looks indistinguishable from a common user. second thing is to put it behind a residential proxy.