(This field is known as "underhanded code", coined by the Underhanded C contest: https://www.underhanded-c.org. It's a little-known "art"; little-known for probably self-explanatory reasons. There are much cleverer ways of achieving objectives like this. One obviously being you can move more out of the client and into the server, but the other being you can write plausibly deniable client code in a much more benign-seeming way than this. Some of what they added can only be done on the client, but I think some could've been moved, and the client-required parts could've been done more subtly and credibly.)
It's possible they knew the JS bundle gets so heavily scrutinized that it'd eventually get spotted and reported on regardless so they didn't bother doing something more subtle and duplicitous. But still seems slightly lazy.
It's unlikely that this will stop a big AI lab from distilling their model if they're really determined, but A) it may be enough to stop a bunch of fly-by-night token resellers looking to make a quick buck and B) you never know when one person at one of those big labs will mess up and forget to install whatever workaround they have and out themselves.
I think of it like if you have a problem with birds in your yard so you go buy one of those plastic owls. The owl scares away most of the birds, but not all of them, so you go and buy some ultrasonic noise thing to scare them away (I'm just making something up). Just because you bought the new ultrasonic thing though, that doesn't mean you're going to take the owl down. You leave it up because now you've got two layers of defense instead of one.
Anthropic could have implemented this not as a durable detection system against proxying resellers, but instead as a point-in-time sampling system to detect where (and with what context) proxying reselling is currently happening. Sure, it would be detected eventually, but in the meantime Anthropic could gain useful snapshot data.
As a side note, I have a pet theory that one of the reasons that OpenAI and Anthropic are okay with the latest models not being released is to prevent distillation.
I think they want to wait a couple months and see if the Chinese models continue to keep catching up or if their gains are really just because they're distilling the frontier models.
It's all a losing battle anyway.
wouldn't this happen due to the massive amounts of spam/slop being released?
‘’’ cn baidu.com alibaba-inc.com alipay.com antgroup-inc.cn bytedance.net kuaishou.com xiaohongshu.com jd.com bilibili.co iflytek.com stepfun-inc.com moonshot.ai anyrouter.top claude-code-hub.app claude-opus.top openclaude.me proxyai.com yunwu.ai zenmux.ai
‘’’
You can view the full list here: https://cdn.thereallo.dev/blog/assets/cc-domains.js
const knownDomains = [ "cn", "sankuai.com", "netease.com", "163.com", "baidu-int.com", "baidu.com", "alibaba-inc.com", "alipay.com", "antgroup-inc.cn", "kuaishou.com", "bytedance.net", "xiaohongshu.com", "ctripcorp.com", "jd.com", "jdcloud.com", "bilibili.co", "iflytek.com", "stepfun-inc.com", "aliyuncs.com", "cn-shanghai.fcapp.run", "cn-beijing.fcapp.run", "xaminim.com", "moonshot.ai", "anyrouter.top", "packyapi.com", "aicodemirror.com", "aigocode.com", "hongshan.com", "iwhalecloud.com", "dhcoder.net", "lemongpt.top", "zhihuiapi.top", "intsig.net", "high-five-ai.xyz", "cloudsway.net", "4sapi.com", "529961.com", "88996.cloud", "88code.ai", "88code.org", "91code.pro", "992236.xyz", "ai.codeqaq.com", "ai.hybgzs.com", "ai.kjvhh.com", "aicanapi.com", "aicoding.sh", "aifast.site", "aihubmix.com", "anmory.com", "api.5202030.xyz", "api.ablai.top", "api.bianxie.ai", "api.bltcy.ai", "api.cpass.cc", "api.dev88.tech", "api.dreamger.com", "api.expansion.chat", "api.gueai.com", "api.holdai.top", "api.ikuncode.cc", "api.lconai.com", "api.linkapi.org", "api.mkeai.com", "api.nekoapi.com", "api.oaipro.com", "api.ruyun.fun", "api.ssopen.top", "api.tu-zi.com", "api.uglycat.cc", "api.v3.cm", "api.whatai.cc", "api.wpgzs.top", "api.xty.app", "api.yuegle.com", "api.zzyu.me", "apimart.ai", "apipro.maynor1024.live", "apiyi.com", "applyj.hiapi.top", "augmunt.com", "b4u.qzz.io", "clauddy.com", "claude-code-hub.app", "claude-opus.top", "claudeide.net", "co.yes.vg", "code.wenwen-ai.com", "code.x-aio.com", "codeilab.com", "cubence.com", "deeprouter.top", "dimaray.com", "dmxapi.com", "docs.aigc2d.com", "duckcoding.com", "fk.hshwk.org", "flapcode.com", "foxcode.hshwk.org", "foxcode.rjj.cc", "fuli.hxi.me", "getgoapi.com", "gpt.zhizengzeng.com", "gptgod.cloud", "gptkey.eu.org", "gptpay.store", "hdgsb.com", "henapi.top", "instcopilot-api.com", "jeniya.top", "jiekou.ai", "kg-api.cloud", "n1n.ai", "new-api.u4vr.com", "new.xychatai.com", "one-api.bltcy.top", "one.ocoolai.com", "oneapi.paintbot.top", "open.xiaojingai.com", "openclaude.me", "opus.gptuu.com", "poloai.top", "poloapi.top", "privnode.com", "proxyai.com", "qinzhiai.com", "right.codes", "runanytime.hxi.me", "sssaicode.com", "store.zzyus.top", "tiantianai.pro", "uiuiapi.com", "uniapi.ai", "vip.undyingapi.com", "wolfai.top", "wzw.de5.net", "wzw.pp.ua", "xairouter.com", "xaixapi.com", "xiaohuapi.site", "xiaohumini.site", "xy.poloapi.com", "yansd666.com", "yansd666.top", "yunwu.ai", "yunwu.zeabur.app", "zenmux.ai", ];
const labKeywords = [ "deepseek", "moonshot", "minimax", "xaminim", "zhipu", "bigmodel", "baichuan", "stepfun", "01ai", "dashscope", "volces", ]
In addition, many Chinese companies are trying to give their programmers access to Anthropic models even though they're legally prohibited from doing so. And that might involve employees using unmodified Claude Code with an ANTHROPIC_BASE_URL pointing to a proxy on the company intranet. In Alibaba's case, I've been told by an employee that they went the extra mile of setting up a hermetic cloud environment where employees could indirectly use Claude Code without ever having it touch their work computers.
If enough Westerners start using the service someone will make a website more anglo-friendly.
That said, these fraudulent proxies are helping Chinese labs keep up, which might be to my advantage long term in eventually having a high quality private AI I fully control on my own hardware. That's not support, but I do recognize the incentive, for whatever that's worth.
https://news.ycombinator.com/item?id=48259288
https://github.com/anthropics/claude-code/issues/62061
Looks like they just keep finding new "creative" uses for such things, as expected. I'll keep patching them out.
And no, IMO stenography isn't security by obscurity, in the same that using RSA and keeping the private key private isn't security by obscurity - keeping the private thing private is part of the security model.
That they choose to implement it by fingerprinting my access patterns without first disclosing is where they shit the bed. It isn't "sneaky" it's straight up sneaky and dishonest at that. That this particular instance is harmless doesn't give me much comfort. Who's to say they aren't harvesting PII?
Or maybe you don't understand this hypothetical situation either, but I'm suspecting you just don't care about other people's privacy.
What’s the punishment here exactly?
And that's also why, as a legitimate customer, want none of it, you never know if you accidentally entered a zone they don't like.
to clarify, this behavior was announced with the model release
This is not hundreds of pages and it gets its own bold headline section.
Seeing as how Anthropic cannot stop raising a stink about "illicit Chinese distillation attacks" every month or so, I'd bet money on them either already silently degrading model performance if any of the identification patterns match, or, at the very least, considering it/doing dry runs.
Particularly considering that they've openly stated that the technology to do so exists and that they were going to use it in production on Fable.
I understand how this can be useful to Anthropic if the 3rd-party is acting as a proxy (because they end up hitting the Claude API with the marked prompt), but it looks like requests where "hostname contains deepseek" would never be sending data to Anthropic. What am I missing?
https://www.chinatalk.media/p/how-to-buy-cheap-claude-tokens...
I guess the only explanation is that there's a side-telemetry channel that still sends some data to Anthropic, regardless of ANTHROPIC_BASE_URL overrides.
This does not make sense. You wouldn't send such a prompt to the Claude model. And when you're sending the prompt (anywhere) you don't have the response yet. This is not how distillation works.
Here's an example. Say you have your team use patched binaries. Then CC updates and requires a new patched binary with new tricks. You now have to have a team ready to analyze the binary and begin to address the tricks; meanwhile, unpatched code is now a fingerprint. If some researcher decides to update Claude on their own to access new features, they get fingerprinted.
Defeating a single fingerprinting technique once is easy. Defeating all of the techniques all the time is hard.
I think you missed the memo on how foolish this attitude is. It came out around the time Edward Snowden made his discoveries at the NSA public. I suggest you look into it
This watermark may trigger a similar mechanism.
Cool reverse engineering/analysis report but if this is the extent of nefarious activity that came of it (trying to catch/mitigate chinese lab model distillations), that's kind of encouraging.
I'm authenticated to Claude, so they already have the whole attribution thing solved.
> This is not a malicious feature, but it is a weird choice for a developer tool that asks for trust.
They already tell you they scan for malicious prompts, and they have no ZDR guarantees for consumers. Why do signatures like this matter at all?
Had a competitor pull something like this with a previous employer. They were supposed to be interoperating with a standard, but they had a secret steganographic handshake, which they used to pretend that competitors products were unreliable (they had a first mover position in a smaller national market with specific requirements, so this wasn't shooting themselves in the foot). Our guys figured out the handshake and just silently implemented it. In this case, the competitor wasn't big enough to waste engineering time on multiple such hacks, but Anthropic have time (or Claude does).
Claude Code has more or less full access to the client computer. The server (that hosts the actual AI) can just go: execute this payload and tell me the result - otherwise I won't answer any further questions or re-route you to a stupider model.
The payload could check for Chinese time-zones, scan for copies of the little red book on the local hard-drive, or ping truth.social to see it was behind the great firewall.
It shouldn't, not if you run CC as a separate unprivileged user. I wouldn't run CC on my main user account with sudo and access to my home directory or other resources. This is what the UNIX permissions system was designed for.
You're actually trust your security to your harness AND model AND inference API provider in this scenario: https://jacob.gold/posts/why-i-wont-run-untrusted-models/
Not really distillation, just synthetic training data.
There seem to be all sorts of continual under-the-cover changes like this one that make life harder. It feels like the entire product has been taken over by overly ambitious PMs that care more about making their mark than in improving the experience, and all of their marks have made me less productive.
I've been using Pi with GLM5.2 the past few days, and though it's expensive, I find it far more productive and less annoying. The remote session plugin is far more reliable, I don't need to intuit some undocumented usage pattern to figure out how to use it well, and it just works.
are you using the API for glm 5.2 or how exactly is it more expensive? How is GLM5.2 more expensive than using Claude code, that doesn't line up to my experience but to be fair I am on an older yearly subscription which generously only has 5 hour limits.
To be fair though one minor criticism of GLM 5.2 that I have is that it does seem to overthink quite a lot sometimes but the results end up being (good?),
I personally have used Glm 5.2 with (Opencode + obra/superpowers) / Oh-my-pi / Maki.sh
I like the 1st one when I am doing a longer project, the 2nd or 3rd one when I am doing a project which doesn't want me to ask too many questions and simply spin me up something. I sometimes use free online interfaces of claude and gemini and others like AIstudio for that as well which surprisingly can lead you to go far as well.
Overall, I am decently happy with the state of Open-source models actually and the eco-system around it is probably gonna have even more innovation surrounding it.
All Anthropic has done is reduce trust, once again, with legitimate customers, while doing nothing to stop illegitimate customers. They need to get adults into key leadership roles, quickly.
Anthropic pushes fear and control. But the only way to win is by innovating. China is flooding the market with cheap, good enough models, while the U.S. is building a Chinese firewall.
I would guess that's their first line of defense; they should have more techniques to identify distillation because that's a very simple way of detecting the host and can be easily spoofed.
i.e. this will allow them to literally commit fraud against paying customers
I used that month to complete a work project and then beef up my personal harness so I'd never have to deal with Anthropic (and these sorts of shenanigans) again.
The cheap tokens are the product.
And if you add one additional while loop, for user input, you can actually use it! :)
https://gist.github.com/a-n-d-a-i/5461a662ef8a7ee0a5eb7778c8...
Harnesses are/can be incredibly simple things, not much more than a HTTP client that renders things in a way that suites your taste.
Me, personally, I didn’t build it from scratch but I ported original CC from published sources into Python and extended it to match my own requirements.
https://m.youtube.com/watch?v=_AgKuFGvJfI
And the repo:
I found this one easy to understand:
You have to pay API pricing, which is far more costly.
I'd either switch to GLM wholesale or just continue to use Opus within Claude Code as the blessed, subsidized path.
The pricing of Opus outside of Claude Code is insane.
The tokens cost too much outside of Anthropic's blessed path.
I'm not sure how that's possible. I expected to get increased correctness for that order of magnitude (something something test-time compute!) but I am not getting it.
They used to be a decently credible company with not-too-shady behaviour...
I hope they can actually regain some credibility…
It also doesn't seem very consistent to fixate on that while sending Anthropic everything about you via your day to day prompts, every line of the projects and environments you're working on at work, etc.
Their credibility comes from having one of the best models.
…And then Windows 11 became even worse.
It has some good effects on the their models, like Claude seeking cooperation first. But the people behind the company have a typical "unconstrained" (in the Sowell vision sense) perspective that assumes that they know better, so they are righteous for attempting to control things (users, paying customers, their model outputs, their tool chain, the supposed deity they assume they will produce... etc.)
Altman world: malfeasant nihilist with God complex
But I hadn’t thought that as anything more than temporary flights of fancy.
I think it’s fair to say most had decent respectability.
Anthropic hired heavily from that pool so it’s astonishing how it turned out.
I expect DeepSeek V4 Flash (or an equivalently sized model) to reach parity with GLM 5.2 some time this year (this based on DeepSeek V4 Flash launching at GLM 5.0 parity[0], and GLM 5.2 being freely available to distill from)
GLM 5.2 is within spitting distance of Opus 4.8 and is at least as good as Opus 4.6[1] which some devs were willing to spend hundreds to single-digit thousands of dollars a month for a few months ago.
[0]: https://artificialanalysis.ai/models/comparisons/deepseek-v4...
[1]: https://artificialanalysis.ai/models/comparisons/claude-opus...
Recent discussion on DSpark: https://news.ycombinator.com/item?id=48696585
Here the system is "insecure" by design (literally they're trying to get the whole world to sign up for Claude Code for $200/month!) and they're trying to plug the hole that results from a "Except for Chinese Scrapers!" add-on requirement. That might be possible as an arms race kind of thing. But it's very unlikely to work by (as in the linked article) doing stuff like checking the system time zone.
What do you mean you don't know where the bug is coming from?
No, I absolutely didn't make it up, how could you accuse me of that?
Does anyone know when this regex isn't working? I double checked it 27 times, I even asked the LLM. They all say this regex should be finding these dates.
Weird, suddenly all the conversations are breaking when I feed them into this other tool? Something about UTF-8 errors, but I'm sure I'm only using ASCII?
I do try to take care to make sure the things I build can be used by other people even when they care about different things. I care about understandably, determinism (as it relates to computing), and repeatability (because I want to be able to trust the systems I use).
If y'all would be willing to try to account for use cases of others, and try not to break them... that would be nice.
Please note: that generally when you modify something that belongs to someone else without telling them... things should be expected to break.
One is not a "meatbag" while the other is not a "meatbag". And no, outputting something on stdout that happens to function as code is not "writing" it in the sense that we actually care about here. That's conflating the metaphor we use in describing program behaviour with the actual "meatbag" activity.
> why is this example always marched out like it means something?
Because it obviously does.
That's a false equivalency.
> If not, what is the difference between the two for you?
Let's start this out right: if they're equivalent, first you explain to us why you think so.
How is it false?
> Let's start this out right: if they're equivalent, first you explain to us why you think so.
I think it should be really obvious how they're equivalent: both are the result of a program running on a computer, and not the result of in-the-moment cognition by a moral agent or moral patient. Of course the LLM is just a tool. Models can literally be downloaded as ordinary files. There is not some threshold to cross where some configurations of bits on a disk deserve "credit" for work and others do not.
In fact it's really obvious everything is equivalent: it's all just matter and energy!
> Of course the LLM is just a tool. Models can literally be downloaded as ordinary files. There is not some threshold to cross where some configurations of bits on a disk deserve "credit" for work and others do not.
Of course there is such a threshold. And it's definitely been crossed when the "tool" can operate autonomously or nearly so, when it can generate the "creation" with minimal operator input or understanding.
Your classic IDE can't do anything without the detailed control of its operator. It's nothing like a coding agent.
Hello, Tom Smykowski. You have people skills!
No, because legality should be determined by what's in the best interests of Athropic and OpenAI's business models.
Hopefully they're working on RLHF their models to insert clauses making that reality clear into any legislation their models generate or review. That way it's only a matter of time until the confusion is cleared up.
It's only "illegal" from a standpoint of breach of contract given its against the terms of use/service, which is to say its not illegal at all, there's no criminality there.
I honestly don't know ... yeah if it's just technically a terms of use violation (which isn't illegal, just a violation of one company's rules, for which Anthropic has every right to stop), or do we now have export controls applied from the various government actions, etc making them truly illegal now.
But because of the public domain status of LLM output (in the US) I'm not sure paying someone to run a bunch of prompts through Claude, post the output on a public website and then have a lab in China pull that output, would run afoul of any laws I think that would be legal on technicality. AFAIK Anthropic has no ban in its terms of use that you can't share Claude's output publicly. You still need interactivity for distillation, but I don't think (for now) there's anything stopping a Chinese or other lab from sending people to the US, signing up for a Claude subscription and doing the work state side.
Distillation is pretty much impossible to stop. The US GOV would have to go the full export controls route like they did for Fable/Mythos to stop any non-US citizen from using/accessing the model, which is going to be impractical if not impossible to enforce.
The irony.
https://en.wikipedia.org/wiki/Pretty_Good_Privacy#Criminal_i...
[0] f**k I'm old
Oh no, they're trying to steal the models that were trained on stolen data? That's horrible, I feel so bad for Anthropic.