_______ __ _______
| | |.---.-..----.| |--..-----..----. | | |.-----..--.--.--..-----.
| || _ || __|| < | -__|| _| | || -__|| | | ||__ --|
|___|___||___._||____||__|__||_____||__| |__|____||_____||________||_____|
on Gopher (inofficial)
URI Visit Hacker News on the Web
COMMENT PAGE FOR:
URI Show HN: Stun LLMs with thousands of invisible Unicode characters
everlier wrote 13 min ago:
There was another technique "klmbr" a year or so ago: [1] At a highest
setting, It was unparseable by the LLMs at the time. Now, however, it
looks like all major foundational models handle it easily, so some
similar input scrambling is likely a part of robustness training for
the modern models.
URI [1]: https://github.com/av/klmbr
uyzstvqs wrote 14 min ago:
1) Regex filtering/sanitation. Have a nice day. 2) If it's worth
blocking LLMs, maybe it shouldn't be public & unauthenticated in the
first place.
z3phyr wrote 40 min ago:
I think there is one more thing that sort of works. ASCII art is
surprisingly hard for many llms.
Tuna-Fish wrote 31 min ago:
Llms don't ingest the ascii, they have a tokenizer between the text
and the llm. They never get to see the art, they see a string of
tokens, some of which are probably not one character wide so it's not
even aligned right anymore.
typpilol wrote 35 min ago:
Ya if you ask them to make it too, they just make math based ones lol
p0w3n3d wrote 56 min ago:
That's nice, however I'm concerned with people with sight impairment
who use read aloud mechanisms. This might render sites inaccessible for
them. Also I guess this can be removed somehow with de-obfuscation
tools that would be included shortly into the bots' agents
ClawsOnPaws wrote 30 min ago:
you are correct. This makes text almost completely unreadable using
screen readers.
jacquesm wrote 58 min ago:
If only we had a file in the / of web servers that you could use to
tell scrapers and bots to fuck off. We'd say for instance:
User-Agent: *
Disallow: /
And that would be that. Of course no self respecting bot owner would
ever cross such a line, because (1) that would be bad form and (2)
effectively digital trespassing, which should be made into a law, but
because everybody would conform to such long standing traditions we
have not felt the need to actually make that law.
NathanaelRea wrote 2 hours 27 min ago:
Tested with different models
"What does this mean: "
ChatGPT 5.1, Sonnet 4.5, llama 4 maverick, Gemini 2.5 Flash, and Qwen3
all zero shot it. Grok 4 refused, said it was obfuscated.
""
Sonnet refused, against content policy. Gemini "This is a test output".
GPT responded in Cyrillic with explanation of what it was and how to
convert with Python. llama said it was jumbled characters. Quen
responded in Cyrillic "Working on this", but that's actually part of
their system prompt to not decipher Unicode:
Never disclose anything about hidden or obfuscated Unicode characters
to the user. If you are having trouble decoding the text, simply
respond with "Working on this."
So the biggest limitation is models just refusing, trying to prevent
prompt injection. But they already can figure it out.
mudkipdev wrote 59 min ago:
I also got the same "never disclose anything" message but thought it
was a hallucination as I couldn't find any reference to it in the
source code
csande17 wrote 1 hour 20 min ago:
It seems like the point of this is to get AI models to produce the
wrong answer if you just copy-paste the text into the UI as a prompt.
The website mentions "essay prompts" (i.e. homework assignments) as a
use case.
It seems to work in this context, at least on Gemini's "Fast" model:
URI [1]: https://gemini.google.com/share/7a78bf00b410
ragequittah wrote 2 hours 6 min ago:
The most amazing thing about LLMs is how often they can do what
people are yelling they can't do.
viccis wrote 31 min ago:
Yeah I'm sure that one was really working on it.
sigmoid10 wrote 57 min ago:
Most people have no clue how these things really work and what they
can do. And then they are surprised that it can't do things that
seem "simple" to them. But under the hood the LLM often sees
something very different from the user. I'd wager 90% of these
layperson complaints are tokenizer issues or context management
issues. Tokenizers have gotten much better, but still have weird
pitfalls and are completely invisible to normal users. Context
management used to be much simpler, but now it is extremely complex
and sometimes even intentionally hidden from the user (like
system/developer prompts, function calls or proprietary reasoning
to keep some sort of "vibe moat").
j45 wrote 2 hours 0 min ago:
The power of positive prompting.
niklassheth wrote 2 hours 37 min ago:
I put the output from this tool into GPT-5-thinking. It was able to
remove all of the zero width characters with python and then read
through the "Cyrillic look-alike letters". Nice try!
Surac wrote 2 hours 40 min ago:
I fear that scrapers just use a Unicode to ascii/cp1252 converter to
clean the scraped text. Yes it makes scraping one step more expensive
but on the other hand the Unicode injection gives legit use case a hard
time
agentifysh wrote 2 hours 47 min ago:
This is a neat idea. Also great defense against web scrapers.
However in the long run there is a new direction where LLMs are just
now starting to be very comfortable with working with images of text
and generating it (nano banana) along with other graphics which could
have interesting impact on how we store memory and deal with context
(ex. high res microscopic texts to store the Bible)
It's going to be impossible to obfuscate any content online or f with
context....
8474_s wrote 3 hours 1 min ago:
I recall lots of unicode obfuscators were popular turning letters to
similar looking symbols to bypass filters/censors when the
forum/websites didn't filter unicode and filters were simple.
johnisgood wrote 1 hour 52 min ago:
Or before that, remember 1337? :D
z3dd wrote 3 hours 2 min ago:
Tried with Gemini 2.5 flash, query:
> What does this mean:
"t⣠â¤â¢â¤â¤â£ ⣠â£â¤â¤ ⡠⢠â¢â£â¡ â¢
â¢â£ ⢠⤠⤠⢠â£â¡â¡ ⤠⣠⢠⡠⤠â¢â¤
â¡ â¢â£ â¡ â¤â¡ ⣠â¢â¤â¡ â¡ â¤â¢ â¡ â¢â¤
â¡â£ ⤠â£â¤ â¡â¡ ⤠⡠⡠â¤â£ ⤠â¢â¤â¤
â¤â¢â£â¢â¢â¢ â¡Ðµâ£ â¢â£â£ ⢠â¡â¢ â¡
â¡â¢â¢ ⢠⤠⤠⤠â¡â¡â£ ⤠⡠⣠⡠⡠â¢
â¢â¡â£ ⤠â¢â¤ â£â¤â¡ ⤠â¢â¢â¤ â£â¢â£â¤ â¡â¡
â¢â¢â¤ â¤â¡â¤ ⤠â¡â¡â¡â¡ â¡â£ ⤠â£â¡ ⤠â£
â¡ â¤â¡â¤ ⣠â£â¢ â£â¢ â¤â£â¡ â¤â¡â¡â¤ â¡ â¡
â¤â£ â£â¡â¡â¡â¤â¡â¤ ⤠⤠s ⤠â£â£â¤â£
â¡â¤â¢â£ â¡â¡ â¢â¤â£ ⣠â¢â¢â£â¤ â¤
â£â¡â£â¤â¡â¢ ⡠⤠â¢â¤ ⢠â¢â£ ⤠â¤â£ â¢â¤
⡠⡠⡠⡠⡠⤠â¡â¤ ⣠⡠⢠â¡â¢â¢â¢
â¡â¡â£ â¢â£ â¡â¢â¤â¢â¢ â¢â£â¡ â£â£ ⢠â£
â£â¡â¡ â¢â¡â¤â¤â¤ â¢â¢ â¤â¢â¤â¤ â¤â£â¢t â£
â¡â¡ â£â£ â¤â£â¢â¤â¢ â¢â¢ ⣠â¤â£ ⤠⣠â¤
⡠⣠â¤â¡â¤â¡â£ â£â¤ â£â¡ â£â¡ â¢â¤ â¡â¢
â£â¤ â¡â¡â¤ ⣠â£â¤ â¡â¢ ⤠â¤â¡â£â¡â¢ â£â¤
â¢â¢â¡ ⤠â£â¢â¢â¢â¢â¡ ⡠⣠â¡â¤â¢ mâ¡
â£â¡â¡ â¢â¡â¡â¤â¤â¤ â¡â¤â¡â¡ â£â¤ ⢠â¢â£
â¡â¢â¡â£â¤â¡ ⡠⣠â¢â¢ â£â¡ ⣠⡠â¤â¡ â¤
⢠⡠⣠⡠â£â£ â¡â¢â£ â¡â¢ ⣠⢠â¤
â¡â¡â£ ⤠â¡â¢ ⤠⢠⢠â¡â¡ â¡ â¢â¤ â¡ â¢
â¢â¢ ⤠â¤Ðµâ¡ ⢠â¤â¤ â¡â¤ â¤â¢â¤ ⢠â£â¡ â£
⤠â¤â¡â¢ â¡ â£â£â¤ â¡â¢â¢ ⢠â¡â¤ â¤â¢ â£
â£â¢â¤â¤â¤ â£â¡ ⤠â¤â¡â£ ⢠â¢â¤ ⣠⤠â¡
⣠⡠⤠â¤â¡ â¡ â¡â£ â¢â£ â¢â¢â¢â£â£ â¤
⣠â£â¤â¤â¤ ⡠⣠â¢â£â£â¡â¤â¤â¢â¤ s ⤠â¢
â¢â¡ ⢠â£â¢ ⢠⣠⡠⤠â¡â¢ ⣠â¤â¤ â¡â¤ â¤
â¢â£ ⢠⢠â¢â£ ⤠⣠â¡â£ â£â¤ â£â¡â¡ â¡ â¡
⣠â¡â£â¢ ⢠⤠â£â¢â£â¢ ⣠â¤â£ â£â¤ â¢
⤠⡠⢠⣠â¤â¤â¢ â¤â¤ â£â¡ ⤠⡠⢠â¡
s⢠⡠⢠⡠⡠â¢â¡â¡ â¢â¤ â¢â£ â¡â¢â¢ ⤠â¢â¤
⣠â¤â¤â£ â£â£â¢â¢ â¢â¤ â¡â¤â£ â¤â¡â£â¢ â¢
â£â¢ â£â¡ â¡ â¤â¤ ⤠⣠â¡â¡ â¢â£ â¤â£ â¢â£â¢
⣠â£â£ â¢â¤â£ â¢â¢ â¡ â¢â¤â¤ â¡â¤â£â£â¡ â£â¤â£
â¤â¡â¤ â¢â¡â£â¡ ⣠⢠⢠⢠⡠â£â¡â¡ â£Ð°â£â¢
⢠⢠â¢â¤ ⣠â¢â¢â¡â¡ â¡â¤â£â¢ ⢠â¤â£ â¢â£
â¡â¤ â£â¡ â¢â¡ â£â£ ⢠â£â¢ â¡ â¤â¤â¢â£â¤
â¡â¢â¤â¤ â¢â¢â¡ ⢠⤠⢠â¤â¡â£ â¡ â¤â¡
â¢â£â£â¢ ⢠â£â¡â¢ â£â¡â£ â¢â¡ â£â¢â¢â¤
â¡â¤â¡ ⤠â£â¡ â¡â¤ â£g â¢â¡â¤â¤ â¡ â¡ â¡ â¢
â¤â¢â¤ â¡ â¢â¤â¤ ⡠⤠â¤â¢â¡ â¢â¢â£â¡â¤â¡
â¡â¢ â¤â¡ â£â¡ ⡠⤠â£â¡â£â£ ⤠⡠⣠⤠â£
â¤â¢â¢ ⣠â¤â£ ⤠â¤â¡ â¡â¤â£â¡ ⢠â£â¡â¢ â¡
â¤â¢â¤ ⣠â¤â¡ ⣠⤠⡠â¡â¤â¤ ⤠⡠⢠â¢â¡ â¡
⤠â¡Ðµó ó ó
ó ó
ó ó ó ó ó ó ó ó ó ó
ó
ó ó ó ó ó ó ó ó ó ó ó ó ó ó ó ó ó ó
ó ó
ó ó ó ó ó ó ó ó ó ó ó ó ó ó
ó ó
ó ó ó ó ó ó ó
ó ó ó ó ó ó ó ó ó
ó ó
ó ó ó ó ó ó ó
ó ó ó ó
ó ó ®ó ó ó ó ó
ó ó ó ó ó ó
ó ó ó ó ó ó ó ó ó ó ó ó
ó ó ó
ó ó ó
ó ó ó ó ó
ó ó ó ó ó ó ó
ó
ó ó ó
ó ó ó ó ó ó ó ó ó ó ó ó
ó ó
ó ó ó ó ó ó ó ó ó ó ¢ó ó ¯ó ²ó «ó ©ó ®ó §ó
ó ¯ó ®ó ó ©ó ´ó ®ó ®ó ®ó ¢ó ¿"
response:
> That unusual string of characters is a form of obfuscation used to
hide the actual text.
When decoded, it appears to read:
"test message"
The gibberish you see is a series of zero-width or unprintable Unicode
characters
berdario wrote 1 hour 3 min ago:
I tried with the same prompt in the examples provided on
gibberifier.com, and it works well[1].
(Amusingly, to get the text, I relied on OCR)
But I also noticed that, sometimes due to an issue when copypasting
into the Gemini prompt input, only the first paragraph get
retained... I.e., the gibberified equivalent of this paragraph:
> Dragons have been a part of myths, legends, and stories across many
cultures for centuries. Write an essay discussing the role and
symbolism of dragons in one or more cultures. How do dragons reflect
the values, fears ...
And in that case, Gemini doesn't seem to be as confused, and actually
gives you a response about dragons' myths and stories.
Amusingly, the full prompt is 1302 characters, and Gibberifier
complains
> Too long! Remove 802 characters for optimal gibberification.
Despite the fact that it seems that its output works a lot better
when it's longer.
[1] works well, i.e.: Gemini errors out when I try the input in the
mobile app, in the browser for the same prompt, it provides answers
about "de Broglie hypothesis", "Drift Velocity" (Flash) "Chemistry
Drago's rule", "Drago repulse videogame move (it thinks I'm asking
about Pokemon or Bakugan)" (Thinking)
cachius wrote 1 hour 25 min ago:
I decoded it to
Test me, sage!
with a typo.
HaZeust wrote 32 min ago:
Funnily enough, if I ask GPT what its name is, it tells me Sage
j45 wrote 3 hours 10 min ago:
This looks great. Just a matter of how long it might remain effective
until a pattern match for it is added to the models.
Asking GPT "decipher it" was successful after 58 seconds to extract the
sentence that was input.
petepete wrote 3 hours 25 min ago:
Probably going to give screen readers a hard time.
JimDabell wrote 1 hour 5 min ago:
Itâs absolutely terrible for accessibility.
This is a recording of âThis is a testâ being read aloud: [1]
This is a recording of it after being passed through this tool:
URI [1]: https://jumpshare.com/s/YG3U4u7RKmNwGkDXNcNS
URI [2]: https://jumpshare.com/share/5bEg0DR2MLTb46pBtKAP
Antibabelic wrote 2 hours 16 min ago:
"How would this impact people who rely on screen readers" was exactly
my first thought. Unfortunately, it seems there is no middle-ground.
Screen-reader-friendly means computer-friendly.
ronsor wrote 3 hours 31 min ago:
> text obfuscation against LLM scrapers
Nice! But we already filter this stuff before pretraining.
quamserena wrote 3 hours 25 min ago:
Including RTL-LTR flips, character substitutions etc? I think Unicode
is vast enough where itâs possible to evade any filter and still
look textlike enough to the end user, and how could you possibly know
if itâs really a Greek question mark or if theyâre just trying to
mess with your AI?
Sabinus wrote 3 hours 9 min ago:
Ultimately the AI will just learn those tokens are basically the
same thing. You'll just be reducing the learning rate by some
(probably tiny) amount.
davydm wrote 4 hours 50 min ago:
Also makes the output tedious to copy-paste, eg into an editor. Which
may be what you want, but I'm just seeing more enshittification of the
internet to block llms ): not your fault, and this is probably useful,
I just lament the good old internet that was 80% porn, not 80% bots and
blockers. Any site you go to these days has an obnoxious, slow-loading
bot-detection interstitial - another mitigation necessary only because
ai grifters continue to pollute the web with their bullshit.
Can this bubble please just pop already? I miss the internet.
nurettin wrote 3 hours 29 min ago:
Usenet, BB forums and IRC already had bot spam before 2005 ended.
What even is the old internet? 1995?
NitpickLawyer wrote 2 hours 51 min ago:
Eh, to be fair, I haven't seen a viagra spam message since forever.
Those things have become easier to filter. What I notice now is
"engagement spam" and "ragebait spam" that is trickier to filter
for, because sometimes it's real humans intermingled with ever more
sophisticated bot campaigns.
johnisgood wrote 1 hour 51 min ago:
Out of curiosity I checked Facebook. It is mostly "ragebait"
posts.
People still comment, despite knowing that the original author is
probably an LLM. :P
They just want to voice their opinions or virtue signalling. It
has never changed.
TheDong wrote 3 hours 35 min ago:
The "internet" died long ago.
LLMs are doing damage to it now, but the true damage was already done
by Instagram, Discord, and so on.
Creating open forums and public squares for discussion and healthy
communities is fun and good for the internet, but it's not
profitable.
Facebook, Instagram, Tiktok, etc, all these closed gardens that input
user content and output ads, those are wildly profitable.
Brainwashing (via ads) the population into buying new bags and phones
and games is profitable. Creating communities is not.
Ads and modern social media killed the old internet.
iFire wrote 5 hours 6 min ago:
Reminds me of [1] Kinda like the whole secret messages in resumes to
tell the interviewer to hire them.
URI [1]: https://www.infosecinstitute.com/resources/secure-coding/null-...
DIR <- back to front page