
Discussion (83 Comments)

throwaway260704•about 1 hour ago
Using a throwaway account for obvious reasons, but I’m very involved in this space using LLMs from multiple providers. I’m aware of at least two instances in which the intermediate infrastructure “swapped” responses, once impacting Claude models and once impacting GPT models, from two different providers.

One gave us a proper postmortem in which their API gateway was incorrectly handling HTTP 100 status codes, putting them into an error state where there was effectively an off-by-one error - you would receive the response to the prompt that came in before yours and would pay it forward (your response would go to the next caller).

The other instance never had root cause explained to us, and we were just told to trust it wouldn’t happen again.

Both of these are from $1T+ companies.

ZDR wasn’t compromised in these cases since it was responses being swapped in flight. I wouldn’t be surprised if this is a similar issue - it’s not that data is being retained, it’s just not being safely isolated in intermediate infrastructure.

pocksuppet•32 minutes ago
This attack is called "HTTP desync" or "request smuggling". It's often done intentionally by a client to try and spy on other clients' responses.

Every time you multiplex requests from multiple clients onto one upstream connection, you are probably vulnerable to this, because (despite its superficial simplicity) HTTP is just too complex to reliably match the requests and responses to upstream.

For example a desync can be triggered in some systems by having more than one Content-Length header, by mixing Content-Length with chunked encoding, or by passing an HTTP/2 header called Content-Length that doesn't match the actual content length.

Here's a DEF CON talk (6 years ago) on this topic: https://www.youtube.com/watch?v=w-eJM2Pc0KI

The same attack has been applied to SMTP by messing up the line endings surrounding the end-of-message delimiter, where it's called SMTP smuggling. It may also apply to other protocols.
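A gateway-side check for the three framing ambiguities this comment lists (duplicate Content-Length, Content-Length mixed with Transfer-Encoding, and an HTTP/2 content-length that disagrees with the DATA payload). This is an added example, not code from the thread or from any proxy; the request heads are constructed samples, and the right response to any reported problem is to reject the message rather than guess its length.

```python
import re

def parse_head(raw: bytes):
    """Split an HTTP/1.1 request head into (request_line, [(name, value), ...]).
    Names are lower-cased; duplicate headers are kept so they can be detected."""
    head = raw.decode("iso-8859-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def http1_framing_problems(raw: bytes):
    """Reasons a gateway should reject this request head instead of forwarding
    it upstream. An empty list means the body length is unambiguous."""
    _, headers = parse_head(raw)
    problems = []
    cls = [v for n, v in headers if n == "content-length"]
    tes = [v for n, v in headers if n == "transfer-encoding"]
    if len(cls) > 1:
        problems.append("multiple Content-Length headers")
    if any(not re.fullmatch(r"[0-9]+", v) for v in cls):
        problems.append("non-numeric Content-Length")
    if cls and tes:
        problems.append("Content-Length and Transfer-Encoding both present")
    return problems

def h2_length_mismatch(headers: dict, data_frames):
    """In HTTP/2 the DATA frames carry the body length themselves; a
    content-length header that disagrees with their total marks the message
    as malformed and it must not be forwarded."""
    declared = headers.get("content-length")
    if declared is None:
        return False
    return int(declared) != sum(len(frame) for frame in data_frames)

# Constructed sample request heads, not captured traffic.
CLEAN = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\n\r\nhello")
DUP_CL = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 5\r\nContent-Length: 11\r\n\r\nhello")
CL_AND_TE = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("clean", CLEAN), ("dup_cl", DUP_CL), ("cl_te", CL_AND_TE)]:
        print(name, http1_framing_problems(req) or "ok")
    print("h2 mismatch:", h2_length_mismatch({"content-length": "10"}, [b"hello"]))
```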

markasoftware•9 minutes ago
Very true, this was likely an attack. Worth noting that Mr. Kettle has done a DEF CON talk nearly every year on some variant of this attack, the most recent one titled "HTTP/1.1 must die" because he rightfully believes that switching to the binary headers of HTTP/2 (specifically in reverse proxy connections to upstream servers) is the only way to systematically prevent these.
tejusarora•30 minutes ago
Woah. Sounds plausible. However, wouldn’t that still be an implicit violation of ZDR since now the response is possibly egressed out of the enterprise network? So if I were working with PHI, the response egress is a potential violation of HIPAA even though Claude didn’t retain anything — but the whole point was to comply with HIPAA. Thoughts?
theplumber•about 1 hour ago
These companies (at least one of them) seem led by idiots (hint: his name is Dario), so I wouldn’t be surprised to have multiple WTF moments if you were to see how they treat our data… Let’s just start pushing for opening up AI models because they are too dangerous behind paid walls. That would be a great regulation.
minhaz23•about 1 hour ago
Curious why you feel that way about Dario?
solenoid0937•43 minutes ago
HN thinks the safety crowd is dumb, and has never seriously engaged with the AI safety space.

HN doesn't believe superintelligence will be a thing, while the AI safety crowd believes they are building it. So the decision-making of the safety crowd is incomprehensible to HN.

politician•24 minutes ago
Dario quit OpenAI to hype the AI apocalypse for quick cash and attention. Then, he walked right into an obvious crisis with the Pentagon by continuing to try to play both sides of the AGI doom story that even his own AI would've pointed out. Then, after being labelled a supply chain risk, he starts a new roadshow with the newest most dangerous AI model that definitely cannot be released to the public and its safer little brother Fable. A move that gets both his premier models shut down globally once the same government that labelled them a supply chain risk learns that Fable isn't actually safe from jailbreaks. Just prior to his planned IPO.

Dario might not be a literal idiot, but he might strongly benefit from training a model to do strategic thinking for Anthropic.

dofm•about 2 hours ago
Just add a line in AGENTS.md that says "never talk about Minecraft unless you're explicitly asked", I'm sure it'll be fine after that.
repeekad•about 1 hour ago
CLAUDE.md, Anthropic is too exclusive and next level to use a standard idiomatic pattern like AGENTS.md
notnmeyer•about 1 hour ago
echo "read @AGENTS.md" > CLAUDE.md
folkrav•29 minutes ago
When I still used Claude outside of work, my CLAUDE.md was just a symlink to my AGENTS.md.
jasonjmcghee•8 minutes ago
Just use a symbolic link
dofm•36 minutes ago
Yep that should work 100% of the time.
Tiberium•about 3 hours ago
Sounds like a hallucination unless proven otherwise; even the leading LLMs can do those from time to time, and they will always appear plausible like that. Also could be the session having a lot of previous context, like 800K+, which (I think) makes hallucinations more likely.

Relevant comment from the OP which makes a hallucination more likely:

> There is one tool call result that includes a string that printed a pathname including minecraft.py because it was listing the files in a Python virtual environment and the Pygments package has a lexer called minecraft.py

andy99•about 2 hours ago
I realize hallucination has no precise definition but this doesn’t sound at all like anything I’ve ever heard called hallucination. Hallucination is usually plausible wrong answers or made up info that ends up fitting the most likely response (like a manufactured citation) and comes from the way LLMs work at predicting tokens. This example demonstrates completely implausible output, it’s not something that fits with hallucination.

All that said, it doesn’t require cross session leakage, it could just be training data or like those nightingale (probably the wrong bird*) data generations where they just prompt an LLM with nothing and it starts spitting out conversations.

I see a bunch of downstream comments about caching, sounds like maybe there’s an error where it loads nothing instead of the cache and so starts spitting out random generations.

* edit: it’s magpie. Worth looking at the concept, I’m not sure people realize that LLMs generate random conversations when prompted with nothing, this seems at least as likely as sessions leaking: https://github.com/magpie-align/magpie

solenoid0937•40 minutes ago
One of his tool results mentioned the word minecraft.py, and the response was about Minecraft.

It's a hallucination.

macNchz•about 3 hours ago
The person posting this claims to have reproduced in a separate context down the thread:

> Same thing just happened on a Claude Mobile session in same Enterprise account. Common theme in both is Sonnet 5, first response after more than 5 minutes (cache miss).

xyzzy_plugh•about 3 hours ago
I don't disagree but this sort of thing has to be investigated regardless.

It's unfortunate that there is so little transparency that even if they deny there was a leak we will never know for certain.

alserio•about 2 hours ago
Why? What makes it more likely?
paulddraper•about 1 hour ago
Exactly.

If you've never had an LLM (all models) suddenly start spouting nonsense in a completely different language...you haven't been using LLMs that much. They will go absolutely insane some % of the time.

andy99•about 1 hour ago
Worth looking at https://www.anthropic.com/engineering/a-postmortem-of-three-...

They can “go insane” but it seems often to be infra related as opposed to anything one would consider hallucination. Smaller models will often get stuck repeating a word or phrase forever but that’s a bit different and nobody would call it hallucination.

bix6•about 2 hours ago
So the options are this amazing tech is so stupid it just randomly brings up Minecraft or it’s got a major security issue?
bee_rider•about 1 hour ago
It’s the weekend so we’re allowed to anthropomorphize.

I’ve known some brilliant engineers who would also just randomly bring up Minecraft (more likely Factorio these days) so this makes sense.

27183•about 2 hours ago
¿Por qué no los dos?
paulddraper•about 1 hour ago
Not that different than people, amiright?

---

Note that the author did have a minecraft.py file. So not quite 100% random.

andy99•about 1 hour ago
Interesting to see the claudeslop reply as the first comment to the gh post and the reaction to it.
solenoid0937•32 minutes ago
> one tool call result that includes a string that printed a pathname including minecraft.py

This seems like a hallucination.

jonhohle•34 minutes ago
I’ve been seeing this in Gemini in the past few days. Often during a prompt with a reasonably large input set, I’ll get answers that appear to belong to someone else. It may be trigger hallucination, but it seems like it may be cache collisions or something else. I’ve not seen anything to suggest private information is leaking, but it’s disconcerting to be researching something and then get what appears to be a math tutoring response.
malfist•21 minutes ago
My whole company is doing mid-year reviews and Gemini is the only allowed tool and it's been flummoxing people with seemingly random unrelated responses. Often in different languages.

That is when it bothers to respond instead of just sending back a 1099 error code

_def•about 1 hour ago
Reminds me of a session I had recently (on web!) where Claude insisted that I had prefixed all my messages with statements about code execution or something, which was not the case. I interrogated it about that and it confirmed that it came from somewhere else, but could not get rid of it and each response mentioned that it's gonna ignore those instructions. Eerie.
andy99•19 minutes ago
Anthropic injects text into the conversation triggered by certain conversation topics. This happened to me in relation to some red-teaming related discussion that was adjacent to something “sensitive”, I think sex, and Claude got confused about why I had said some kind of warning and mentioned it in its response. After a back and forth it was clear that some extra warning to answer but avoid anything inappropriate had been inserted into the conversation.
acepl•about 3 hours ago
Oh yes, we do not need programmers any more…
kylehotchkiss•about 3 hours ago
50% unemployment :D
JohnMakin•about 2 hours ago
It’s the wet dream of execs and PM types. However, I have not seen anything close to it in my life. I remember the UML days, lol. The issue is not the code, it’s the translation layer between business and code. Maybe someday AI bridges that gap. History has shown probably not.
emehex•about 3 hours ago
"Coding is largely solved"
supriyo-biswas•about 2 hours ago
The funny thing is at my current employer, they mentioned that "coding is increasingly becoming a solved problem" and in the same breath, mentioned that one project was too hard for anyone to do so they're not doing it and would rather sell existing features...
consp•about 3 hours ago
While abused by LLM vendors, that phrase in one form or another I've been hearing since the early '00s and it's likely way older.
ethagnawl•about 2 hours ago
Sure but have you ever seen it actually play out in practice like it currently is? Whether or not it's true (of course it's not) people are currently behaving as if it is and firing/hiring accordingly.
techpression•about 3 hours ago
I love that quote, especially considering the insane amount of bugs that are produced. It’s as easy to debunk as someone claiming “I can jump to the moon”.
CamperBob2•about 1 hour ago
"This thing isn't 100% perfect, contrary to what absolutely no one anywhere said at any time"
dchest•about 2 hours ago
Can be malware? Something like https://news.ycombinator.com/item?id=48667495
Avicebron•about 3 hours ago
In order Fable 5 has rejected:

"Recipe for red-braised pork, I have pork shoulder"

"Write up a framework for MCP patterns I can give to claude code"

"explain the biomechanics of motion in c. elegans" (I get this one, I mostly did it to test and it's related to my hobby project)

Do we get an extra day of functional Fable 5 because it's down?

andy99•about 2 hours ago
Not sure the relevance of this comment, but normally if someone built a classifier that bad they’d be fired. Anthropic obviously thinks they have some monopoly power they can use to foist garbage on consumers, I think they don’t.
gojomo•38 minutes ago
If people are complaining about Anthropic (on an only-vaguely related thread) rather than simply switching to a suitable competitor, then Anthropic clearly has some 'monopoly' power over the specific capabilities the complainer wants from them.
andy99•16 minutes ago
Not to argue the point but that statement isn’t logical, look at all the complaints about restaurants. Publicly complaining about something doesn’t require it be a monopoly.
leoqa•28 minutes ago
Fable/Opus 4.8 outperform Codex 5.5 for me at the general architecture/refactoring/performance work I’m doing, to the point where it’s not worth using Codex. Codex will often spit out non idiomatic code that overcomplicates things.
HumanOstrich•about 2 hours ago
What does this have to do with anything? Who are you talking to? This is Hacker News, not Anthropic support.
asveikau•about 2 hours ago
HN becoming anthropic support would certainly explain a lot of threads and comments I've seen here lately. Thank you for this.
stavros•15 minutes ago
I asked it how people get blue eyes from their parents and it downgraded me to Opus because of safety.
nijave•about 2 hours ago
The safety filter rejected or the model was down?
jstummbillig•about 3 hours ago
Is there anything particular about LLMs that would make separating customer data harder than in all SaaS cases?
bri3d•about 1 hour ago
Yes:

* There's an enormous amount of very expensive shared state (context cache) which you do not want to duplicate when you can avoid it.

* Memory locality is crucially important for performance.

* Hardware is extremely over-subscribed.

* Hardware is extremely expensive.

These factors all make hardware or even traditional memory-space (hypervisor/VM/hardware assisted virtualization) isolation a non-starter for most workloads and customers, which forces all isolation to the software layer. This already makes things way harder than they are in commodity SaaS.

Moving beyond that, the tools, frameworks, and hardware which the system runs on (GPU) weren't designed for task isolation, and building this isolation is even more so an emergent research field than it is in x86 CPU hardware-sharing (which has required a huge amount of effort over the past 30+ years to get where we are today).

And, the ratio of usage/sensitivity to maturity is also just poor overall; these are young companies with rapid development and enormous delivery pressure under incredible customer workload requirements, too.

I can't tell if the original post is a real issue or not, but I'm surprised there aren't more like this overall; the whole thing really is a house of cards in this sense.

jstummbillig•18 minutes ago
> which forces all isolation to the software layer. This already makes things way harder than they are in commodity SaaS.

Is this not what happens in most SaaS? Isolation at the software layer? I understand there are special agreements, but they seem to be mostly that – no?

> the ratio of usage/sensitivity to maturity is also just poor overall; these are young companies with rapid development and enormous delivery pressure under incredible customer workload requirements, too.

Mh. The talent density in these companies is apparently quite exceptional. Things like customer data separation are obvious and top of mind. I don't see why they would not hire the best to implement these relatively boring/solved things correctly at an architectural level.

adam_arthur•about 2 hours ago
Vibe-coding the implementation.

I haven't had much issue with Codex, but seems Claude Code has major issues being reported nearly on the daily.

They also happen to be the most boastful about not reading or looking at the code.

LLMs are very capable, but not nearly to the level they seem to be messaging.

(We've actually moved on from vibe-coding to having the LLM vibe code itself in a loop)

27183•about 2 hours ago
> having the LLM vibe code itself in a loop

The business Latin name for this is Recursive Self-Improvement

rabbidruster•about 2 hours ago
Interestingly I had an almost identical experience to this report in codex. It output a user memory file that looked awfully real and wasn't at all related to my work.
27183•about 2 hours ago
If I had to hazard a guess, doing anything in a multi-tenant way on a GPU is going to be hard mode compared to most SaaS due to lack of memory safe tooling. I've built multi-tenant SaaS systems, and I've done a little GPU programming (a long time ago), but I've never tried to combine the two disciplines.
woadwarrior01•about 2 hours ago
It'd be terribly compute inefficient to not share prefix caches (KV cache) across customers.
acepl•about 2 hours ago
What is the probability that two customers will have exactly the same tokens in cache? Wouldn't it require using the exact same CLAUDE.md, skills, MCPs and context? After that it is even worse since the nondeterminism of LLMs and humans
27183•about 2 hours ago
I suspect what GP is getting at is there will be a strong incentive to implement some structural sharing across tenants to avoid redundantly storing the same tokens over and over. At least I'd be tempted to do this if I was working with a very precious, constrained resource (e.g. VRAM). Doing this correctly seems.. very difficult. [edit] To answer your question directly: the probability that the entire cache is identical between two different users is very low, but the probability that there exist identical chunks of cache between two different users is very high. Exploiting those commonalities successfully will significantly compress the data.
dezgeg•about 2 hours ago
System prompt for something like Claude Code should be identical, no?
Trasmatta•19 minutes ago
The first reply clearly being a copy and paste from Claude made me want to vomit

If people absolutely need to use AI to write replies, they NEED to start including a "everything after this was generated by AI" disclaimer

ai_fry_ur_brain•about 2 hours ago
OpenRouter's model providers give me URLs people have given them quite frequently.
Kapura•about 2 hours ago
happy fourth of july everybody!
ofjcihen•about 2 hours ago
Happy fourth to you too :)
ryantsuji•about 2 hours ago
Note the repro condition: first response after 5+ min, i.e. a cache miss. A cache leak would show up on hits (someone else's cached prefix), not on misses where everything is recomputed from your own tokens.
bfeynman•about 2 hours ago
fwiw, this could be a bug but the submitter's level of arrogance places this rather high on the Dunning-Kruger side of things. There are multiple other plausible explanations, but this person is probably a vibe coder who believes anything an LLM says (including explaining its own hallucinations)
dainiusse•about 1 hour ago
Don't worry. Mythos will fix that before release. Oh, wait...
TZubiri•about 2 hours ago
0 evidence. If this were a real privacy leak, the author would ask their coworker if they talked about the unexpected topic instead of

>"Maybe my coworker was talking about this in another session?"

This would be a critical bug that would slash the market value of a T$ company significantly. Go ask your coworker or close the ticket; why do you expect the devs to put an enormous amount of effort into hunting a potentially nonexistent bug if you can't make that minuscule debugging effort?

ec109685•about 3 hours ago
Caching doesn’t work the way the bug reporter implies. Caches are shared (at least across the enterprise), but its key is always a function of the input before it.

We achieved significant savings simply by moving everything that varies across individuals out of the system prompt so every session starts from a cache point.

For example you never want your system prompt to start with the time that the session started. Move that to the first user message if needed.
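A toy prefix cache that illustrates the point above: each block's key is a hash chained over everything before it, so a timestamp at the front of the system prompt changes every key and defeats reuse, while the same timestamp in the first user message leaves the shared system-prompt blocks cacheable. This is an added illustration, not any vendor's implementation; the block size, prompts and scope label are constructed, and the scope folded into the root key is one way a cache shared within an enterprise can be kept from ever matching another enterprise's blocks.

```python
import hashlib

BLOCK_TOKENS = 4  # constructed: tokens per cache block; real engines use larger blocks

class PrefixCache:
    """Toy prefix (KV) cache. Each block's key is a hash chained through every
    block before it, so a block is reused only when the entire prefix matches,
    and a scope (e.g. an enterprise id) is folded into the root so blocks are
    never shared across scopes."""

    def __init__(self):
        self.blocks = {}  # key -> tokens whose KV state this block would hold

    @staticmethod
    def block_key(prev_key, tokens):
        h = hashlib.sha256()
        h.update(prev_key.encode())
        h.update(b"\x1f".join(t.encode() for t in tokens))
        return h.hexdigest()

    def run(self, prompt, scope):
        """Walk the prompt in full blocks; return (hits, misses). A miss is a
        block whose KV state has to be computed now and stored."""
        tokens = prompt.split()
        hits = misses = 0
        key = "scope:" + scope
        for i in range(0, len(tokens) - len(tokens) % BLOCK_TOKENS, BLOCK_TOKENS):
            key = self.block_key(key, tokens[i:i + BLOCK_TOKENS])
            if key in self.blocks:
                hits += 1
            else:
                misses += 1
                self.blocks[key] = tokens[i:i + BLOCK_TOKENS]
        return hits, misses

# Constructed prompt pieces, not from any real deployment.
SYSTEM = ("You are a coding assistant for Example Corp. Follow the repository "
          "style guide and never print secrets.")
SESSIONS = [("2024-07-04T10:00Z", "fix the failing test in utils.py"),
            ("2024-07-04T10:07Z", "refactor the login handler")]

def simulate(timestamp_in_system_prompt, scope="enterprise-A"):
    """Run two sessions against one cache; return each session's (hits, misses)."""
    cache = PrefixCache()
    results = []
    for ts, user in SESSIONS:
        if timestamp_in_system_prompt:
            prompt = f"Session started {ts} {SYSTEM} {user}"
        else:
            prompt = f"{SYSTEM} Session started {ts} {user}"
        results.append(cache.run(prompt, scope))
    return results

def cross_scope_hits():
    """Same prompt in two scopes: the second must not hit the first's blocks."""
    cache = PrefixCache()
    cache.run(SYSTEM, "enterprise-A")
    return cache.run(SYSTEM, "enterprise-B")[0]

if __name__ == "__main__":
    print("timestamp first:", simulate(True))   # every session misses everything
    print("timestamp later:", simulate(False))  # second session reuses the system prompt
    print("cross-scope hits:", cross_scope_hits())
```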

macNchz•about 3 hours ago
Caching is not supposed to work like that, but that doesn’t preclude the cache key computation function from having bugs.
marginalia_nu•about 2 hours ago
Yeah there's quite a lot of potential bugs that could have this shape. If I were to guess it could be a buffer in a buffer pool not being sized and zeroed correctly, allowing stale data to bleed between sessions.
nok22kon•about 1 hour ago
or the cache retrieval function for a key retrieving the wrong entry
Waterluvian•about 2 hours ago
There is a massive incentive for optimization, so I expect they’re doing a ton of very clever tricks, all of which make this kind of bug more likely.
estebarb•about 2 hours ago
Hash functions necessarily have collisions. Also, it is perfectly possible to introduce bugs in the hash function (hash inputs, hash function itself) that allow cross-account contamination.
margalabargala•36 minutes ago
Hash functions necessarily have collisions, but it's perfectly possible to make the expected time between collisions greater than the human lifespan.
supriyo-biswas•about 3 hours ago
There could just also be a bug where the output tokens of session 1 were shared with session 2, due to a race condition or similar.
mplappert•about 1 hour ago
Seems like a hallucination to me; note that the context contains “unmarkBlock” as the function name, which invites a connection to Minecraft. Still shouldn’t happen of course.

The alternative explanation is that the inference engine, which batches several unrelated requests for parallel processing, messed up the unpacking and returned an unrelated user’s query. This one would be very scary as it will leak arbitrary content, but it seems much less likely here.
