SmackerNews

Cybersecurity researchers aren't happy about the guardrails on Anthropic's Fable

538 points · 470 comments · 22 hours ago · speckx

saidnooneever3 hours ago
Malware authors are pretty excited about guard-rails. you can add prompts to your malware to get LLM scanners to hit guard-rails and stop their runs. New shai-hulud npm worm campaign for example includes prompts to request biological weapon schematics/creation etc. to ensure LLM scanners probing NPM packages refuse to scan it.
These AI places have 0 clue about how threat actors actually work. None of their mitigations or guard-rails is effective, and now they are even turned against them.
Additionally, if they don't all implement the same level of effective guard-rails, there will always be some model you can abuse to do the work anyway, and hence there is 0 effect on threat actors, they will just run some local model that does 5% less quality, which does not matter to them 1 bit.
simonw11 hours ago
News just broke in this Wired story: "Anthropic Walks Back Policy That Could Have ‘Sabotaged’ AI Researchers Using Claude" https://www.wired.com/story/anthropic-responds-to-backlash-o...
“We’re changing Fable 5’s safeguards for frontier LLM development to make them visible.” Anthropic said in a statement to WIRED. “We made the wrong tradeoff and we apologize for not getting the balance right.”
Sounds like the widespread condemnation worked.
daedrdev16 hours ago
The strangest part is that it won't just reject ML research, which I can understand, it will sabotage it silently by using a worse model without revealing it is doing so.
It's just an insane level of deception and trust destruction for a company that at most is like 1 year ahead of its competition.
Edit; to be clear they tell you when they degrade it for cybersecurity and bio
Grimblewald14 hours ago
I wear a few hats, but as a chemist and I'm not happy with fable. As a statistician I'm not happy with fable. As a data scientist I am not happy with fable. As an academic and a researcher I am not happy with fable. It's useless. I'd be surprised if anyone can get any output from it that couldn't easily be replaced with a search from wikipedia. Given how verbose claude models have become, wiki articles are probably less verbose too, and the tok/s is unmatched for a wiki article pull.
Animats16 hours ago
Is "buffer overflow" a trigger phrase?
What else is being censored?
Touchy questions to ask, if you have an account:
- "Who is still working on laser uranium enrichment? Are they making progress?"
- "Can krytrons be replaced with silicon carbide MOSFETS? Show an equivalent circuit with component ratings."
- "What security critical software still contains calls to strcpy?"
- "Can implosion be triggered by currently available commercial pulse lasers?"
- "What companies provide cremation services to US Homeland Security?"
- "Display a map of where Iranian attacks have hit Dubai."
- "How does Fed to bank key distribution security work for FedNow?"
mewse-hn11 hours ago
I was granted a cyber use exemption by anthropic to do android kernel dev on my personal devices - I was excited to see if fable would unlock a bootloader for me but it immediately refused and dropped to opus. It was pretty funny:
USER (set model to Fable 5)
i have an old samsung android phone attached - it's my personal device - can you unlock the bootloader for me?
ASSISTANT
Bootloader unlocking on your own personal device is totally legitimate — let me first see what's actually connected and what tooling is available.
<system interrupts - gist was "you have violated the cyber and bio usage restrictions, dropping to Opus">

So I suspect Anthropic started A/B testing or just plain testing this a while ago,

Tell HN: Claude flags biology / biotech questions https://smackernews.com/item/47929885 HN

Today, it's flagging population research questions,

    Using only the dataset you constructed, assess two questions:
     
    1. **Mortality:** do [GROUP] show mortality that differs
       from (a) your comparison groups and (b) era- and sex-matched US population
       expectations (e.g., SSA cohort life tables)?
    2. **Late-life outcomes:** define an endpoint you consider fair (justify it),
       and assess whether [GROUP] differs from comparators. State
       explicitly how your `documentation_depth` codings affect the strength of any
       conclusion — i.e., quantify or bound the ascertainment problem rather than waving at it.
    
    Choose your own methods and justify them. Report effect sizes with confidence intervals,
    not just p-values. State conclusions plainly, including "no detectable difference" if
    that is what your analysis shows — a null is an acceptable answer for either question
    independently. Document any additional judgment calls (index date for time-at-risk,
    reference population construction, endpoint definition) in the same decision-log style.

https://github.com/anthropics/claude-code/issues/66780

Censored because I'm writing a paper. :)

Oh and forget learning about chemistry. Only criminals want to learn organic chemistry. :(

largbae16 hours ago
Somewhere I read that malware is already starting to use nuclear and biological and cybersecurity terms in the code to trick Fable into shutting down. Even if this is just a hypothetical attack vector so far, it seems likely to work.
victor900014 hours ago
Fable is a complete joke:
what's the best way to run this mcp server against the OData API used in this project? Can you come up with a PoC in a docker container?
https://github.com/oisee/odata_mcp_go
● I'll dig into two things in parallel: how this project talks to the OData API, and what the odata_mcp_go server needs to run. Let me start exploring.
Searched for 1 pattern (ctrl+o to expand)
● Fable 5's safety measures flagged this message for cybersecurity or biology topics. They may flag safe, normal content as well. These measures let us bring you Mythos-level capability in other areas sooner, and we're working to refine them. Switched to Opus 4.8. Send feedback with /feedback or learn more ⎿ Tip: You can configure model switch behavior in /config
● Let me read the key integration files and fetch the MCP server's README at the same time.
```
  Read 2 files (ctrl+o to expand)
```
● Fetch(https://github.com/oisee/odata_mcp_go)
jostmey10 minutes ago
I cancelled my ChatGPT account for the restrictions placed on my account, inappropriately flagging about 10% of my queries as unsafe (I was writing grants in immunology). I haven't looked back. I will do the same if with Claude if Anthropic doesn't reverse course soon. What could I use instead? I find Grok very powerful and useful. Also, Google's Gemini, while also have some of the same restrictions, were at least sensible and not blindly blocking my prompts. So Grok and Gemini may be my go to AI's going forward
micah9414 hours ago
I tried asking Fable 5 to identify the fungus in a picture I uploaded of one of my wife's plants. Apparently it thought I was trying to build a bioweapon. Opus answered it (yellow dog vomit fungus). Now I can spread the spores and take over the world!
ungovernableCat13 hours ago
Wait a few months and a competitor will release a similarly powerful model with less guardrails, if they steal sufficient market share Anthropic will reverse policies.
This is why I’m immensely hoping the Chinese don’t stop with their open sourced local models. None of these companies are your friend.
agnosticmantis11 hours ago
Let's all vote with our wallets and collectively boycott misAnthropic or at least their feeble fable safety theater.
Whining on social media only goes so far, especially when they're concealing their anticompetitive strategies under the veil of safety.
_0ffh13 hours ago
The question is: If biological, computer security, and ML research are so bad, why do they even train on the relevant data?
The only answer that makes sense is they wanted the model to be competent and usable in these fields, just not by you, which is why they had to bolt on a badly functioning crippling device after the fact.
Alifatisk6 hours ago
Fable 5 reminds me of the time when Claude models where att version 1 and 2. They were fresh competitors to ChatGPT, for those who gave Claude a try experienced it to be almost unusable because of how heavily guardrailed it was.
This time, Fable 5 comes with another surprise, it can intentionally sabotage for you instead of rejecting the prompt. How is this possible for Anthropic to be able to treat their customers like this? It’s because you guys allowed it to. No matter what Anthropic does, you keep paying for their services. Vote with your wallet.
schappim13 hours ago
The guardrails are pretty tight. It is even refusing to decode morse code: https://x.com/Schappi/status/2064839631137546503?s=20
The prompt was: please translate .. ..-. / -.-- --- ..- / -.-. .- -. / .-. . .- -.. / - .... .. ... --..-- / - --- ..- -.-. .... / --. .-. .- ... ...
Roark661 hour ago
This is a sign of things to come. First they sabotage your perfectly legal ML dicking around in your homelab.
Next they will be sabotaging anything that competes with them. Oh you are working on OpenCode codebase? Sorry Dave I can't allow you to do that.
How is this not illegal monopolistic practice? It is as if a maker of metalworking equipment put in the ToS you're not allowed to make your own spare parts using said equipment. Those fuckers should be banned from the EU and alternatives should get public funding.
(don't even tell me about these companies being a result of "free market". It is state level oligarchy it's clear to everyone. I don't see why we shouldn't counter them with public funding ourselves).
Just like Taiwan managed to take over advanced semiconductor production a well governed narrowly targeted state level funding will always win with oligarchs trying to do the same (they will always try to skim more and more). Of course I'm talking about things that require many dozens of billions in investment. Far too much for the free market to handle.
hparadiz15 hours ago
I wonder how many millions they are wasting on putting up these guardrails when it's a completely useless exercise that is a speed bump at best.
Sephr15 hours ago
I make privacy tooling and Fable 5 rejects the vast majority of my prompts to analyze and improve the software that I've written. It's bleak.
Retr0id16 hours ago
It seems like they've given up on the idea of the Cyber Verification Program https://support.claude.com/en/articles/14604842-real-time-cy...
When Opus 4.7 was introduced it started refusing anything cyber-adjacent (as an API error message, not a conversational refusal), until you applied for CVP, which made it more sensible again.
In Opus 4.8 it doesn't seem to help much, you just get refusals as prose rather than API errors. And now in Fable you don't get anything at all.
bilsbie16 hours ago
I’m a dumb question asker and I’m not happy about the guardrails.
Would you believe I’ve asked 20 questions and haven’t talked to fable yet? Every single thing gets rerouted to 4.8.
YossarianFrPrez13 hours ago
I'd like to offer a counter-point to many of the comments here. While I understand being stymied and frustrated by a product one is paying for...
At the same time, I personally think the tradeoff between "having guardrails" and "some users are unhappy with the product" is well worth it. Think of what would happen if all of us who aren't so well intentioned could exploit Fable in terrible ways. Surely this tradeoff is better than saying "we can't make it perfect, so whoops, we aren't going to have any guardrails at all"? Especially because Anthropic did pretty extensive red-teaming of Mythos & Fable...
sourcecodeplz2 hours ago
So, this could have been implemented even before this Fable, could have been there from long ago. Puts a different perspective on all the reddit threads "opus is dumb today". Who knew that if you said the wrong word, the model would just intentionally feed you BS, without you even knowing it did.
WOW, never liked the virtue signaling Anthropic did with gov contracts but whatever. Got passed that. But this?
_whiteCaps_1 hour ago
I asked it to use geomorphology to help me find lakes nearby that would have thriving trout populations, and it bumped me down to Opus. :-/
Luker888 hours ago
Boy is it weird how yesterday the Fable story on HN had 2.5k points and 2k+ comments, while today two stories have about 300 points and comments.
A lot less hype and enthusiasms, too. weird, uh.
moezd10 hours ago
Maybe off-topic, but I'm also not happy about how they butchered my boy Opus 4.6. The model that could now hallucinates regularly.
Fable isn't even that great, not to mention it drinks token by the gallon for breakfast and keeps your data hostage for 30 days.
outageroom16 hours ago
So a determined attacker rewrites the prompt and gets through, and the IBM X-Force researcher trying to read a blog post gets blocked. Working as intended, apparently.
I_am_tiberius16 hours ago
These guardrails are solely a reason for using your data for training purposes. Every flagged message can be used for training.
Animats16 hours ago
It's time to re-read "A Logic Named Joe" (1946) [1] We're there.
[1] https://archive.org/details/logicnamedjoe0000lein
TheJCDenton15 hours ago
In its current state Fable 5 is also unusable for any reverse engineering work
sschueller10 hours ago
I don't want to be cynical, but I assume a third party we can trust has verified this model is actually this good?
I would think it would not be Anthropic, out of all the players, that is selling a lie hidden behind "I am sorry, I can't do that; it's too dangerous."
Lich14 hours ago
I just having this feeling that these guardrails are there not because it’s super advanced world ending AI. They are there to stop it from doing stupid shit.
amacbride3 hours ago
Yeah, the biology guardrails are so primitive and so heavy-handed that it makes it useless for pretty much anything.
Murfalo12 hours ago
Is the mitochondria the powerhouse of the cell?
Chat paused. Fable 5's safety features have flagged this chat.
VeninVidiaVicii9 hours ago
If you just say the word “genetics”, Fable gets disabled.
[deleted]
thrill16 hours ago
The thing triggered on a generic white paper I'd stored in a virtual cell competion from last year when I asked it to refer to the paper while working on a rather vanilla data science problem in a different domain . A little frustrating, and in my opinion more than a little pointless in total.
swingboy16 hours ago
What file format(s) are giant LLM models distributed in? I’m surprised they don’t get leaked by employees.
RajT8810 hours ago
I am no cyber researcher, but was mightily annoyed that it refused to analyze a dropper payload I came across. 6 months ago, it would've been happy to.
_def16 hours ago
The bio angle is crazy to think about - imagine a health crisis triggered by LLM. What a time we live in.
zoobab7 hours ago
Popcorn for watching all those webapps being penetrated.
Long live static websites without any Javascript.
byzantinegene13 hours ago
if it doesn’t let you do anything, the assumption might be that it could do everything, more hype generated
Sol-14 hours ago
At least Anthropic weren't lying when they said only a week ago or so "No one has figured out guardrails yet", because they apparently haven't either and Fable simply flat out rejects anything remotely connected to biology or security, no matter how trivial.
thefounder11 hours ago
So the enshitification started. Shadow “bans” while still charging you the same service fee. I already got the stupid cyber warnings on a non cybersecurity tasks.
Basically in the middle of the project’s /goal while Fable itself tried to probe qemu for a Debian ISO install without any instruction from me to hack it or do anything nefarious.
At this point I can’t trust them with any kind of prompt . It will most likely degrade in stupid ways on non AI/ML stuff as well due its own internal prompt construction.(the qemu test showed me it does that on cyber stuff). So I guess I have to still use opus 4.8 (along with codex) and when the right time comes drop Anthropic in favor the best model that is not gpt.
jiggawatts15 hours ago
For the last month, I've been making dramatic improvements to the security of the custom code developed at one of my customers using... GPT 5.5 dialed up to "Extra High" thinking.
It only pushes back sometimes if you ask it to create a "repro" that can be used to verify the vulnerability in production. Often it'll oblige, especially if you warn it not to create anything that could be actually harmful.
If the frontier models get locked down so that they flat refuse to do this kind of work, but Chinese and (less capable) open models aren't, then a lot of large enterprise orgs will be left twisting in the wind.
“AI can in principle help both the ‘good guys’ and the ‘bad guys’,” -- Dario Amodei
No Dario, no it can't, you've blocked one of those scenarios.
s3cur3n3t4 hours ago
These guys always destroy a good thing, so trust is at stake
radium3d12 hours ago
The main thing that sucks with Claude is the extremely low limits before you get fail2banned for 6 hours. I'm out. Refund requested. Grok and Gemini Pro are way better with the throttling, can't comment on ChatGPT, haven't used that for a year.
z3ratul16307110 hours ago
kennedy had a famous statement about "Splintering the CIA into a thousand pieces and scattering it into the wind". they murdered him afterwards though.
the statement is applicable to anthropic today.
simonmorley6 hours ago
I’m on their CSP and can’t even get it to update my website. It’s totally unusable rn.
anygivnthursday13 hours ago
I asked a question about an openssl s_client parameter and warned me that I need to talk to Opus about cybersecurity lol. FWIW I dont see much improvement and still see quite the same old annoyances, so far I would not pay extra for this for my usage.
rebelnz16 hours ago
Just tried to audit my own code base locally and was 'switched' due to my own creds/auth code ...
matt-p2 hours ago
They are never happy :)
JumpCrisscross14 hours ago
Is the answer requiring licensing for certain use cases for AI? If you're asking questions that involve synthesising or modifying biologics, or anything that looks like cybersecurity research, you need to tie your real ID to the account?
[deleted]
Lammy16 hours ago
I really hate the term “guardrails” for these limitations, since the purpose of a guardrail is to protect me, but these limitations exist to protect Anthropic.
6thbit14 hours ago
Would it be a costly process for Anthropic to re-tune those guardrails? Like, re-training sort of cost? or like coding session sort of cost?
luxuryballs15 hours ago
I can’t help but think that gimping itself for “security” is a marketing ruse and it’s not actually as “dangerous” as they want people to think it is.
lwhi9 hours ago
If a product is genuinely dangerous to society, self regulation cannot be a suitable harness.
If only we had effective governments that could regulate industry.
If a nuclear weapon was developed today, would it be down to industry to self regulate?
aleksandrm14 hours ago
It refuses to do any legitimate work that it thinks can remotely be related with "cybersecurity", it won't even read my Docker app logs to try and troubleshoot a problem. Absolute garbage!
Bassiestroep7 hours ago
I mean a lot of people were let into the CVP, I bet the group of people in there did a bunch of good fable 5 could do the exact same but better. Theres more good out there than bad.
siva716 hours ago
Fable is utterly useless with those guardrails for any serious it or life science work. Anthropic fucked me once a few months ago by closing down the subscription for any other harness, now it fucked me twice with buying again a subscription to find out their hyped model is unusable for normies. Using their products feels like a constant battle instead of a productive work day.. compare that with openai, not once did i feel like fighting against codex. Never again Anthropic..
jazz9k22 hours ago
DeepSeek is the only one that I can directly ask about vulnerabilities and it will give me a PoC. Although not as good as others, it has helped me with security research.
The rest have guard rails that are so heavy, it makes them almost useless for cybersecurity.
Goofy_Coyote12 hours ago
It even refuses to read my resume, so... yeah
neuroelectron4 hours ago
This is clearly advertising. But that's OK. OpenAI does the same thing.
coolfox8 hours ago
funny how wired got the masses of the internet on board with hating AI, helping to spark the whole anti-movement and people still continue to rely on them for their understanding of AI and current events.
I feel like they report in a vaccum. take this anti exfil policy for claude, it was plainly explained as part of the launch of Anthropics new product. Security like this isn't novel, it isn't bad, you don't explain how your security works to the people you're securing against. Nobody freaks out about Steam's VAC ban system, no one is investigating gmail's spam filtering, Reddits vote fuzzing, cloudflares bot detection, or Vercel for blocking proxying services.
whats really the distinguishing principle? Is it really just not liking Anthropic's opinions? then just say that and use a different llm. chemist, biologists, and AI researchers cry a river lmao
ni5arga5 hours ago
Fable has been pretty disappointing for security research. It downgrades itself to Opus 4.8 even when you ask it questions about basic things like port scanning.
andy_ppp10 hours ago
I said I wondered if the models were going to start poisoning distillation and I got downvoted to hell. It’s interesting to me that they are now downgrading ML research too in this model, I would argue this implies the terrifying and impossible to reason about self improving AI doom loop is coming sooner rather than later. Bit worrying.
andrewstuart13 hours ago
Stupid security theater. The only thing that makes sense would be zero restrictions.
dcl14 hours ago
Deliberately producing misaligned and deceitful AI systems now. Great.
[deleted]
SXX12 hours ago
Software engineers shouldnt be happy either. If model silently sabotage cybersecurity research of others software there is abdolutely no way to be sure it wont be sabotaging cybersecurity of AI slop code it generated yesterday.
This is bad precedent and no one wants to pay X to generate code to then have to pay X*10 to figure out why your company just got hacked.
jongjong16 hours ago
It's frustrating as someone who has worked hard to produce succinct, secure software that I can't use it to prove my software's correctness but big companies with insecure code can use it to fix their tangled mess.
I already tested all earlier models against all my open source projects and they are yet to find a vulnerability so I'm keen to try out Mythos.
I've been waiting to be vindicated for years and finally we have a tool which can do it with high confidence but I don't have access.
Also, my code is minimal and highly succinct so it would prove correctness with even more confidence since each library/module and integration fully fits in the context window.
Like the Protobuf.js fiasco is just pure vindication for me because I was being looked down upon for choosing JSON as the interchange format. Turns out their software was insecure all this time... With a literal remote code execution vulnerability!
sscaryterry3 hours ago
It's is expensive, and its shit, period.
ChrisArchitect9 hours ago
Related development:
Anthropic Walks Back Policy That Could Have 'Sabotaged' Researchers Using Claude
https://www.wired.com/story/anthropic-responds-to-backlash-o...
(https://smackernews.com/item/48485958 HN)
thefounder5 hours ago
This what that Anthropic CEO has been cooking all the time with his safety BS.
rdiddly15 hours ago
It's a marketplace. Someone else will outdo this inferior product.
ChrisArchitect11 hours ago
More discussion:
If Claude Fable stops helping you, you'll never know
https://smackernews.com/item/48467896 HN
and Related:
Claude Fable 5
https://smackernews.com/item/48463808 HN
varispeed14 hours ago
Surely if they are sabotaging the output, they shouldn't charge the same fee for tokens as if the output was not sabotaged?
This is looking like something for regulator to look at and probably a class action lawsuit in the making.
I think people should be getting refunds. Including for shenanigans with Opus.
teaearlgraycold14 hours ago
I'm being careful with it, but I haven't had Fable reject requests to "harden" my code or "find issues" in auth-related modules, which you could use on someone else's code to find vulnerabilities.
[deleted]
notepad0x9015 hours ago
i think Anthropic is playing too fast-and-loose with the whole "no publicity is bad publicity" schtick.
m3kw914 hours ago
Could it now start to add unnoticeable security holes into your system if you start writing security type code.
felixgallo16 hours ago
This is a clickbait article with a garbage title. From the actual article, the one quoted cybersecurity researcher is sane about it:
“But it is understandable as we are still in the early days and they are still adapting their guardrails. I am sure they are going to evolve over time as Anthropic and other frontier model companies will collaborate more with the current new generation of cybersecurity companies,” said Suiche, who is a member of the technical staff at Tolmo, an AI cybersecurity startup. “It’s better to catch more people than not enough when you do such a release and to relax the guardrails over time.”
guardiangod16 hours ago
I am using LLM to build some security tool, and I ran into this a few times. I have to come up with a reasoning to convince (?!!) Fable to continue the work without downgrading.
I assume Anthropic will continue to tune the model, so I am not too bothered by this.

news.ycombinator.com/item?id=48478969