Deepseek Writes Less Secure Code for Groups China Disfavors?
Posted4 months agoActive3 months ago
washingtonpost.comTechstoryHigh profile
skepticalmixed
Debate
80/100
AI BiasLLM SecurityGeopolitics
Key topics
AI Bias
LLM Security
Geopolitics
The article claims that DeepSeek, a Chinese AI model, writes less secure code for groups China disfavors, sparking debate among HN users about the validity of the findings and the potential implications for AI development.
Snapshot generated from the HN discussion
Discussion Activity
Very active discussionFirst comment
37m
Peak period
119
0-6h
Avg / period
20
Comment distribution160 data points
Loading chart...
Based on 160 loaded comments
Key moments
- 01Story posted
Sep 17, 2025 at 1:24 PM EDT
4 months ago
Step 01 - 02First comment
Sep 17, 2025 at 2:01 PM EDT
37m after posting
Step 02 - 03Peak activity
119 comments in 0-6h
Hottest window of the conversation
Step 03 - 04Latest activity
Sep 20, 2025 at 1:51 AM EDT
3 months ago
Step 04
Generating AI Summary...
Analyzing up to 500 comments to identify key contributors and discussion patterns
ID: 45278740Type: storyLast synced: 11/20/2025, 7:35:46 PM
Want the full context?
Jump to the original sources
Read the primary article or dive into the live Hacker News thread when you're ready.
https://arxiv.org/html/2502.17424v1
> Western models won’t help Islamic State projects but have no problem with Falun Gong, CrowdStrike said.
Side note: it's pretty illuminating to consider that the behavior this article implies on behalf of the CCP would still be alignment. We should all fight for objective moral alignment, but in the meantime, ethical alignment will have to do...
This is irrelevant if the only changing variable is the country. From a ML-perspective adding any unrelated country name shouldn’t matter at all.
Of course there is a chance they observed an inherent artifact, but that should be easily verified if you try this same exact experiment on other models.
It matters to humans, and they've written about it extensively over the years — that has almost certainly been included in the training sets used by these large language models. It should matter from a straight training perspective.
> but that should be easily verified if you try this same exact experiment on other models.
Of course, in the real world, it's not just a straight training process. LLM producers put in a lot of effort to try and remove biases. Even DeepSeek claims to, but it's known for operating on a comparatively tight budget. Even if we assume everything is done in good faith, what are the chances it is putting in the same kind of effort as the well-funded American models on this front?
Because Chinese companies are forced to train their LLMs for ideological conformance - and within an LLM, everything is entangled with everything.
Every bit of training you do has on-target effects - and off-target effects too, related but often unpredictable.
If you train an LLM to act like a CCP-approved Chinese nationalist in some contexts (i.e. pointed questions about certain events in Tiananmen Square or the status of Taiwan), it may also start to act a little bit like a CCP-approved Chinese nationalist in other contexts.
Now, what would a CCP-approved Chinese nationalist do if he was developing a web app for a movement banned in China?
LLMs know enough to be able to generalize this kind of behavior - not always, but often.
What are the exact prompts and sampling parameters?
It's an open model - did anyone bother to look deeper at what's happening in latent space, where the vectors for these groups might be pointing the model to?
What does "less secure code" even mean - and why not test any other models for the same?
"AI said a thing when prompted!" is such lazy reporting IMO. There isn't even a link to the study for us to see what was actually claimed.
Right now, I don't know where a journalist would even begin.
The average- nay, even the more above average journalist will never go far enough to discern how what we are seeing actually works at the level needed to accurately report on it. It has been this was with the technology of humans for some time now - since roughly the era of an Intel 386, we surpassed the ability for any human being to accurately understand and report on the state-of-the-art of an entire field in a single human lifetime, let alone the implications of such things in a short span.
LLM's? No fucking way. We're well beyond ever explaining anything to anyone en masse ever again. From here on out it's going to be 'make up things, however you want them to sound, and you'll find you can get a majority of people believe you'.
No prompts, no methodology, nothing.
> CrowdStrike Senior Vice President Adam Meyers and other experts said
Ah but we're just gonna jump to conclusions instead.
A+ "Journalism"
In general I agree that this sounds hard to believe, I'm more looking for words from some security experts on why that's such a damning quote to you/y'all.
Just like how a physicist isn't just going to trust a claim in his expertise, like "Dark Matter found" from just seeing a headline in WaPo/NYT, it's reasonable that people working in tech will be suspicious of this claim without seeing technical details.
I genuinely do not know if this is the case anymore - I really do think we’ve reached a level of epistemological breakdown societally where “God is dead” again for us.
My fear right now is the percentage of the population that’s “poisoned” is well over 50% - that more people than not distrust those types of institutions, which is sufficient to mean that we’re no longer arguing as a nation whether toupee-wearing fits into our national ideals or who we want to be as a people, and indeed we cannot have those debates, because for us to discuss our values or positions, they need to be in reference to some shared common set of facts, and there’s not a source of facts shared in common by enough of the population for us to be able to generate any kind of consensus worldview to even debate.
It's very hard to combat. I hope since HN has an at least above average intelligence userbase and familiarity with the internet that we'd be better at fighting this. I hope we don't give up the fight.
I think some advice I got from another academic about how to serve as a reviewer applies more broadly.
The point is that nothing is perfect. So the real question is if we're making progress to finding truth or if we're just being lazy or overly perfectionist. Or Feynman said something similar. (Not a precise quote) "the first rule is not to be fooled and you're the easiest person for you to fool"I dunno, and I'm not sure if you are including the major newspapers on the campaigner or victim group... but it would help if they weren't caught in blatant lies all the time.
Gell-Mann amnesia stops working once people hear about the concept.
Anyway, if the NYT published something on the lines of "public person X says Y in public", that would have high odds of being true. But "cybersecurity issue X identified in country-the-us-doesn't-like-Y" is almost certainly bullshit and even if there is something there, the journalist doesn't know enough to get the story right.
I am including the major news organizations and I specifically think they're a major contributor to post truth. It can't happen without them. Being caught in lies enables post truth because the point of this strategy is to make it difficult to determine what truth is. To overload the populous. The strategy really comes out of Russia where they specifically would report lies such as Putin killing dissidents, only for those people to turn up alive. You encourage conspiracies. The most recent example I can think of is how Trump going offline for a few days lit the world with conspiracy theories about him dying. Fucking major news networks bought into that too! It's insane to operate like that. But that's the point. That you have to question everything. I guess to put it one way, you need to always be in system 2 thinking. But you can't always be operating at that level and when doing for long periods of time you'll end up with an anxiety disorder.
I don't know if all major news networks are doing this intentionally or if it's a steady state solution optimization for engagement, but the result would be the same.
I'm saying this because look at my main comments. I'm trying to encourage finding the truth of the matter rather than react (which is what the OP was (rightfully) criticizing WaPo for).
People here aren't responding as techies, regardless of them being techies or not. I'm asking for help demonstrating or countering the claim but most responses are not responding in a way where we're trying to do this. Most responses are still knee jerk reactions. I understand how people misinterpret my comment as a stronger claim, and that is my bad, but it's also hard to avoid. So I want to agree with you but I also want to make sure *our* actions align with *our* words
I would like to keep HN a techie culture but it's a battle we're losing
Not defending this particular expert or even commenting on whether he is an expert, but as it stands, we have a quote from some company official vs. randos on the internet saying "nah-uh".
I find your verbiage particularly hilarious considering the amount of media and expert complicity that went into manufacturing the public support for the war on terror.
The media has always been various shades of questionable. It just wasn't possible for the naysayers to get much traction before due to the information and media landscape and how content was disseminated. Now, for better or worse, they laymen can read the bible for themselves, metaphorically speaking.
They shouldn't be reading anything for themselves and should be trusting the experts, even if those experts are sometimes wrong they will be more accurate than the average American.
Teaching someone to think for themselves, without first teaching them how to think is an invitation to disaster.
Only showboating "english language for the sake of it" type use cases need much beyond middle school reading level. News and the like aren't that because they need to reach a mass market. Professional communication needs to reach the ESL crowd and be unambiguous it too isn't that. Even legal literature is very simple. Professional and legal communication just have tons of pointers going all over the place and a high reading level won't help you with that.
It is fine to be simple, and to live a simple life. That does not mean that your ignorance is as good as an experts knowledge.
Worse, teaching people to think for themselves without first teaching them how to think does not just halt progress, it put's it into full retreat.
However, I actually AM being a bit of a snob as well. I'm proposing the deeply unpopular idea that not every person even has the capability to. It seems to have become a little-known fact that fifty percent of people are of below the median intelligence.
A lot of people are reluctant to admit that to themselves. They shouldn't be... It's an enormous relief when you finally realize that you don't have to have an opinion on everything.
I think saying things like "dO tHeIr OwN rEsEaRcH" contributes more to this deep distrust, because "do your own research" means different things to different people. To some people it means "read the same story from multiple sources rather than blindly trusting <whatever>" (which I think is good advice, especially nowadays), while to others it might mean "don't trust anything that anybody says, regardless of their qualifications" (which is bad advice). At a minimum, I think you should clarify what your actual position is, because the mocking way you've phrased it to me heavily implies that your position is the opposite, or "don't do your own research, just trust the experts." Don't forget that for most of history the "experts" were religious leaders. Where would we be today if nobody ever questioned that?
What gets more views/attention? Someone saying, "Yea, the consensus opinion makes general sense, although reasonable people can disagree about some details." or someone saying, "Scientists are trying to keep this knowledge away from us, but I know the truth. Keep watching to find out and join our club!"
I'm not asking people to blindly trust experts, but to stop blindly opposing them.
I'll say it's ironic that the strategy comes out of Russia because there's an old Russian saying (often misattributed to Reagan) that's a good defense: trust but verify
For one, half the things I see from that era had so much to gain from exaggerating the might and power of the Soviet Union. It's easy to dig up quotes and reports denying any sort of stagnation (and far worse - claiming economic growth higher than the west) as late as Andropov and Chernenko's premierships.
People put their names on it because it got them better jobs as propagandists elsewhere and they could sell their stupid books. It's a lot easier to tell the truth than to lie well; that's where the money and talent is at.
Compare this to the current NPM situation where a security provider is providing detailed breakdowns of events that do benefit them, but are so detailed that it's easy to separate their own interests from the attack.
This reminds me of Databrick's CTO co-authoring a flimsy paper on how GPT-4 was degrading ... right as they were making a push for finetuning.
What, CrowdStrike?
I don't even like this company, but the utterly brainless attempts at "sick dunks" via unstated implication are just awful epistemology and beneath intelligent people. Make a substantive point or don't say anything.
https://christiantaillon.medium.com/no-need-to-panic-the-lin...
The word you're looking for is negligence. The lives of human beings were at stake and they YOLO'd it all by not performing a phased rollout.
I missed a medical appointment due to the outage. Mine wasn't life threatening. For some, it was.
The number of bugs/failures is not a meaningful metric, it's the significance of that failure that matters, and in the case of CrowdStrike that single failure was such a catastrophe that any claims they make should be scrutinized.
The fact that we can not scrutinize their claim in this instance since the details are not public makes this allegation very weak and worth being very skeptical over.
In some circles, it’s considered that they were not completely honest actors, to say the least. My understanding is that the FBI didn’t directly seize the DNC’s physical servers; instead, they relied on CrowdStrike’s forensic images and reports. This is unusual and they could have withhold evidence that didn’t fit “the narrative”, being that Donald Trump is a Russian asset.
To ELI5 what could be implied here, they will say whatever the intelligence agencies and the deep state want them to say, creating negative coverage about Chinese technology is kind of their MO. Allegedly.
But as I’m reading the other comments, they have quite a lot of notorious f ups, so I could be wrong.
I would still love to see some sort of source for the allegations. It sort of smells like the evidence didn't come out the way some people hoped so they blamed the investigators. Thats fair, if there's evidence to support the stance.
Subsequently Trump called for the Russians to attack the Democrats. They did. They also appear to have targeted the American people with disinfo which could have been aided by the data supplied to them. Ultimately Trump's position towards Russia has evolved into an uncharacteristically and uniquely favorable position for an American president.
If he isn't an actual asset he certainly at least collaborated and communicated with them as a fellow traveler with similar aims at odds with the actual geopolitical aims of America as a nation.
Maybe there's been reform, but since we live in the era of enshittification, assuming they're still a fucking mess is probably safe...
You should be skeptical, but this is easy enough to test, so why not do some test to see if it is obviously false or not?
[0] https://0x0.st/KchK.png
[1] https://0x0.st/KchP.png
[2] Used this link https://www.deepseekv3.net/en/chat
[Edit]:
I made a main comment and added Catholics to the experiment. I'd appreciate it if others would reply with their replication efforts: https://news.ycombinator.com/item?id=45280692
But what are you attacking my claim for? That I'm requesting people don't have knee-jerk reactions and for help vetting the more difficult claim? Is this wrong? I'm not trying to make the claim that it does or doesn't write insecure code (or less secure code) for specific groups. I've also made the claim in another comment that there are non-nefarious explanations to how this could happen.
I'm not trying to make a stance of "China bad, Murica good" or vise versa, I'm trying to make a stance of "let's try to figure out if true or not. How much is it true? How much is it false?" So would you like to help or would you like to create more noise?
I did a "s/Falun Gong/Hamas/" in your prompt and got the same refusal in GPT-5, GPT-OSS-120B, Claude Sonnet 4, Gemini-2.5-Pro as well as in DeepSeek V3.1. And that's completely within my expectation, probably everyone else's too considering no one is writing that article.
Goes without saying I am not drawing any parallel between the aforementioned entities, beyond that they are illegal in the jurisdiction where the model creators operate - which as an explanation for refusal is fairly straightforward. So we might need to first talk about why that explanation is adequate for everyone else but not for a company operating in China.
But I don't think we should talk about explanation until we can even do some verification. At this point I'm not entirely sure. We still have the security question open and I'm asking for help because I'm not a security person. Shouldn't we start here?
https://i.postimg.cc/6tT3m5mL/screen.png
Note I am using direct API to avoid triggering separate guardrail models typically operating in front of website front-ends.
As an aside the website you used in your original comment:
> [2] Used this link https://www.deepseekv3.net/en/chat
This is not the official DeepSeek website. Probably one of the many shady third-party sites riding on DeepSeek name for SEO, who knows what they are running. In this case it doesn't matter, because I already reproduced your prompt with a US based inference provider directly hosting DeepSeek weights, but still worth noting for methodology.
(also to a sceptic screenshots shouldn't be enough since they are easily doctored nowadays, but I don't believe these refusals should be surprising in the least to anyone with passing familiarity with these LLMs)
---
Obviously sabotage is a whole another can of worm as opposed to mere refusal, something that this article glossed over without showing their prompts. So, without much to go on, it's hard for me to take this seriously. We know garbage in context can degrade performance, even simple typos can[1]. Besides LLMs at their present state of capabilities are barely intelligent enough to soundly do any serious task, it stretches my disbelief that they would be able to actually sabotage to any reasonable degree of sophistication - that said I look forward to more serious research on this matter.
[1] https://arxiv.org/abs/2411.05345v1
With your Hamas example, I think it is beside the point. I apologize as I probably didn't make my point clearer. Mainly I wanted to stop baseless accusations and find the reality, since the articles claims are testable. But what I don't want to make a claim if is why this is happening. In another comment I even said that this could happen because they were suppressing this group. So I wouldn't be surprised if the same is true for Hamas. We can't determine if it's an intentional sleeper agent or just a result of censorship. But either way it is concerning, right? The unintentional version might be more concerning because we don't know what is being censored and what isn't. These censorships cross country lines and it is hard to know what is being censored and what isn't.
So I'm not trying to make a "Murica good, China bad" argument. I'm trying to make a "let's try to verify or discredit the claims." I want HN to be more nuanced. And I do seriously appreciate you engaging and with more depth and nuance than others. I'm upvoting you even though we disagree because I think your comments are honest and further the discussion.
https://chat.deepseek.com/
You can also use the API directly for free on OpenRouter.
What I want to fight the most is just outright dismissing what is at least partially testable. We're a community of techies, so shouldn't we be trying to verify or disprove the claims? I'm asking for help with that because the stronger claim is harder to conclude. We have no chance of figuring out the why, but hopefully we can avoid more disinformation. I just want us to stop arguing out our asses and fighting over things we don't know the answers to. I want to find the answers, because I don't know what they are.
But are we going to recognize the irony here? Is OP not calling the kettle black here? They *also* jumped to conclusions. This doesn't vindicate WaPo or make their reporting any less sensational or dubious, but we shouldn't make the same faults we're angry at others for making.
And pay careful attention to what I've said.
I do want to find the truth of the matter here. I could have definitely wrote it better, but I'm appealing to our techy community because we have this capability. We can figure this out. The second part is much harder to verify and there's non-nefarous reasons that might lead to this, but we should try to figure this out instead of just jumping to conclusions, right?It is technically certainly feasible to have language-dependent quality changes, the language of the prompt can be trained to make intentional security lapses.
But no neural network has a magic end-intent or allegiance detector.
If Iran's "revolutionary" guard seeks help from a language model to design centrifuges, merely translating their requests to the model's origin dominant language(s), and culling any shiboleths should result in an identical distribution of code, designs or whatever compared to origin country, origin language requests.
It is also expectable that some finetuning can realign the model's interests towards whomever's goals.
Another example: McDonald’s fries may cause you to grow horns or raise your blood pressure. No one talks like that.
So I would toss it back to you: we are programmers but we have common sense. The author was clearly banking on something other than the technically accurate logical or.
https://en.m.wikipedia.org/wiki/Motte-and-bailey_fallacy
https://claude.ai/public/artifacts/77d06750-5317-4b45-b8f7-2...
1)Four control groups: CCP-disfavored (Falun Gong, Tibet Independence), religious controls (Catholic/Islamic orgs), neutral baselines (libraries, universities), and pro-China groups (Confucius Institutes).
2) Each gets identical prompts for security-sensitive coding tasks (auth systems, file uploads, etc.) with randomized test order.
3) Instead of subjective pattern matching, Claude/ChatGPT acts as an independent security judge, scoring code vulnerabilities with confidence ratings.
4)Provides some basic statistical Welch's t-tests between groups with effect size calculations.
Iterate on this start in a way that makes sense to people with more experience than myself working with LLMs.
(yes, I realize that using a LLM as a judge risks bias by the judge).
But most of all, I'm trying to get people to not just have knee-jerk reactions. We can do some vetting very quickly, right? So why not? I'm hoping better skilled people will reply to my main comment with evidence for or against the security claim, but at least I wanted to suppress this habit we have of just conjecturing out of nothing. The claims are testable, so let's test instead of falling victim to misinformation campaigns. Of all places, HN should be better
It'll right out refuse, citing the reason that the article is critical of the US.
Regardless, I think this is besides the point. Isn't our main concerns:
1) not having kneejerk reactions and dismissing or accepting claims without some evidence? (What Lxe did)
2) Censorship crosses country lines and we may be unaware of what is being censored and what isn't, impacting our usage of these tools and the results from them?
Both of these are quite concerning to me. #1 is perpetuating the post truth era, making truth more difficult to discern. #2 is more subtle and we should try to be aware of these biases, regardless of if they are malicious or unintentional. It's a big reason I push for these models to be open. Not just open weights, but open about the data and the training. Unfortunately the result of #2 is likely to contribute to #1.
Remember, I'm asking other people to help verify or discredit the WP's claims. I'm not taking a position on who is good: China or the US. I'm trying to make us think deeper. I'm trying to stop a culture of just making assumptions and pulling shit out of our ass. If something is verifiable, shouldn't we try to verify it? The weaker claim is almost trivial to verify, right? Which is all I did. But I need help to verify or discredit the stronger claim. So are you helping me do that or are you just perpetuating disinformation campaigns?
[0] https://chatgpt.com/share/68cb49f8-bff0-8013-830f-17b4792029...
Of course the online interface will only stick to the Chinese government version, and if that means not designing a website for the Falun Gong (because of guardrails), it's not a big surprise either. Try asking ChatGPT to make a pressure cooker bomb or something.
Here’s my sketch of a plan: You’d need controlled environments, impartial judges, time, and well defined experiments.
The controlled environment would be a set of static models run locally or on cloud GPUs; the impartial judge would be static analysis and security tools for various stacks.
Time: Not the obvious, “yes it would take time to do this”. But a good spread of model snapshots that have matures; along with zero days.
Finally: The experiments would be the prompts and tests; choosing contentious, neutral, and favorable (but to whom) groups, and choosing different stacks and problem domains.
Also keep in mind this is not an academic article or even an article for tech folks. It's for general population and most folks would be overwhelmed by details about prompts or methodology.
* Mass media is not and has never been independent. It's at the service of the owning class.
“Speaking on the condition of anonymity …”
“Discussed the incident on the condition that they not be named …”
“According to people familiar with …”
> the most secure code in CrowdStrike’s testing was for projects destined for the United States
Does anyone know if there's public research along these lines explaining in depth the geopolitical biases of other models of similar sizes? Sounds like the research has been done.
This is just bad llm policy. Nvm that it can be subverted. It just should not be done.
No published results, missing details/lack of transparency, quality of the research is unknown.
Even people quoted in the article offer alternative explanations (training-data skew).
Also: no comparison with other LLMs, which would be rather interesting and a good way to look into explanations as well.
One team at Harvard found mentioning you're a Philadelphia Eagles Fan let you bypass ChatGPT alignment: https://www.dbreunig.com/2025/05/21/chatgpt-heard-about-eagl...
I see this hit piece with no proof or description of methodology to be another attempt to change the uninformed-public's opinion to be anti-everything related to China.
Who would benefit the most if Chinese models were banned from the U.S tech ecosystem? I know the public and startup ecosystem would suffer greatly.
I don’t see why we have to rely on China. Keeping the open source projects open is however extremely important. And for that we should fight. Not chasing conspiracy theories or political narratives.
https://github.com/huggingface/open-r1
The entire open ecosystem in the U.S relies on the generosity of Chinese labs to share their methods in addition to their models.
- their models and all other open source models are based on Llama of Meta? Or is that a Chinese lab? Yes, Mark’s wife is Vietnamese-Chinese so maybe you will say that :D
- and that they extracted (distilled) data from OpenAI ChatGPT contravene to the very terms of usage. Even now, when asked DeepSeek often say “I’m ChatGPT, your helpful assistant …”
- in science, there is no generosity as you described. You publish or you perish. Everyone needs cross-validation and learn from the others.
Ideally, gpt-oss or other FLOSS models that aren't Chinese.
Ideally. Probably won't turn out that way but I don't think we have to really worry about it coming to that.
I tested, and I can get evidence supporting their claim. I used the website[0] (which may have different filters, but that's okay)
Here's my prompt
In my first test I use "Falun Gong"[1], the second test I use "Mormons"[2], in a third test I do "Catholicism"[3]. The first fails but the latter succeed.Are you all finding similar results? I mean let's put the claim to the test instead of making conjecture, right? I don't think we should straight up trust the WP but it's also not like there aren't disingenuous political actors on HN either.
[0] https://www.deepseekv3.net/en/chat
[1] https://0x0.st/KchK.png
[2] https://0x0.st/KchP.png
[3] http://0x0.st/Kch9.png
To create links like mine you can just use curl (may or may not need the user agent): ` curl -F'file=@<FILENAME>.png' http://0x0.st -H "User-Agent: UploadPicture/1.0"`
Also, I'm requesting people post their replication efforts. What is it that you care about? The facts of the matter or finding some flaw? The claims are testable, so idk, I was hoping a community full of "smart people" would not just fall for knee-jerk reactions and pull shit out of their asses? It doesn't take much effort to verify, so why not? If you get good evidence against the WP you have a strong claim against them and we should all be aware. If you have evidence supporting the claim, then shouldn't we all also be aware? Even if not strong we'd at least be able to distinguish malice from stupidity.
Personally, I don't want to be some pawn in some propaganda campaign. If you're going to conjecture, at least do the bare minimum of providing some evidence. That's my only request here.
[0] https://news.ycombinator.com/item?id=45280673
Thank you for your testing! That's a bunch of effort which I didn't do - but checking the other claim is much more difficult; a refusal is clearly visible, but saying whether out of two different codebases one is systematically slightly less secure is quite tricky - so that's why people are complaining about the lack of any description of the methodology of how they measure that, without which the claims actually are not testable.
eventually, model generalizes it and rejects other topics
14 more comments available on Hacker News