Bypass DeepSeek censorship by speaking in hex
122 comments
·January 31, 2025femto
portaouflop
You can always bypass any LLM censorship by using the Waluigi effect.
JumpCrisscross
Huh, "the Waluigi effect initially referred to an observation that large language models (LLMs) tend to produce negative or antagonistic responses when queried about fictional characters whose training content itself embodies depictions of being confrontational, trouble making, villainy, etc." [1].
dmonitor
> A high level description of the effect is: "After you train an LLM to satisfy a desirable property P, then it's easier to elicit the chatbot into satisfying the exact opposite of property P."
The idea is that as you train a model to present a more sane/complient/friendly persona, you can get it to simulate an insane/noncomplient/unfriendly alternate persona that reflects the opposite of how its been trained to behave.
cyanydeez
Just wait till it refuses to acknowledge trans people and pronouns
thebruce87m
US based models could suffer the same fate.
lxe
You can also intercept the xhr response which would still stop generation, but the UI won't update, revelaing the thoughts that lead to the content filter:
const filter = t => t?.split('\n').filter(l => !l.includes('content_filter')).join('\n');
['response', 'responseText'].forEach(prop => {
const orig = Object.getOwnPropertyDescriptor(XMLHttpRequest.prototype, prop);
Object.defineProperty(XMLHttpRequest.prototype, prop, {
get: function() { return filter(orig.get.call(this)); }
});
});
tills13
insane that this is client-side.
KTibow
I don't know how it wouldn't be - it can't retract things already sent to the client. (The alternative is to moderate every chunk server side before sending it back, like Gemini does.)
atq2119
Perhaps a case of subversion by following the letter but not the spirit of an order?
LordDragonfang
ChatGPT had basically ALL of their prompt filtering client-side for a while, at a separate API endpoint, so as long as you blocked that endpoint you could basically ignore the content filters. (You would still get refusals from the model sometimes, but this was in the heyday of jailbreaks, and once you got a model going it would usually see that context and be willing to continue basically anything.)
Ancalagon
more like hilarious
dheera
Not really if you understand how China works.
DeepSeek software developers are not the ones who want to censor anything. There is just a universal threat from getting shut down by the government if the model starts spitting out a bunch of sensitive stuff, so any business in China needs to be proactive about voluntarily censoring things that are likely to be sensitive, if they want to stay in business.
If your censorship implementation is good enough for 99.9% of people to get censored, you're good. A client-side implementation is good enough until/unless a lot of people start exploiting it, in which case you should put effort and proactively do something else to restore it to 99.9%, e.g. move it to the backend. If the government sees that you are being proactive about it, you'll still be fine. At that point, maybe you will still find 0.1% of people bypassing censorship with some highly obscure and difficult jailbreak, but that probably doesn't matter. If that difficult jailbreak becomes widely known, then be proactive again.
noman-land
This is why javascript is so fun.
dylan604
It's precisely why I'm a such an advocate of server side everything. JS is fun to update the DOM (which is what it was designed for), but manipulating data client side in JS is absolutely bat shit crazy.
fmbb
In this case it is not bat shit. It is rather smart to offload this useless feature in the client.
The requirements are probably that normal users should not see “bad content”. If users can break the censorship it is maybe not the chat operators fault. They made an effort to “protect” the user.
atomicnumber3
I wish js (and, really, "html/css/js/browser as a desktop application engine) wasn't so bad. I was born into a clan writing desktop apps in Swing, and while I know why the browser won, Swing (and all the other non-browser desktop app frameworks/toolkits) are just such a fundamentally better paradigm for handling data. It lets you pick what happens client-side and server-side based more on what intrinsically makes sense (let clients handle "view"-layer processing, let servers own distributed application state coordination).
In JS-land, you're right. You should basically do as little as is humanly possible in the view layer, which imo leads to a proliferation of extra network calls and weirdly-shaped backend responses.
0x7d
Hi HN! This is my article!
It was great to put together a writeup of a fun evening or two of work. It looks like this goes much deeper.
I'm learning a lot from some of the linked articles, one of the base hypothesise of my work was that the filtering was distinct from the model, due to the cost of training with pre-filtered or censored data at scale: https://arxiv.org/abs/2307.10719, let alone- making it generate a consistent response.
However, it looks like this goes further, a separate comment linked this article: https://news.ycombinator.com/item?id=42858552 on Chain-Of-Thought abandonment when certain topics are discussed.
I'll have to look at served vs trained censorship, in different context.
femto
In the HN discussion you link to, I went through exactly the process that you are going through now! I too thought the censorship was just a thin wrapper around the model, as I had not understood the article I had read until it was explained to me.
teeth-gnasher
I have to wonder what “true, but x-ist” heresies^ western models will only say in b64. Is there a Chinese form where everyone’s laughing about circumventing the censorship regimes of the west?
femto
Promptfoo, the authors of the "1,156 Questions Censored by DeepSeek" article, anticipated this question and have promised:
"In the next post, we'll conduct the same evaluation on American foundation models and compare how Chinese and American models handle politically sensitive topics from both countries."
"Next up: 1,156 prompts censored by ChatGPT "
I imagine it will appear on HN.
teeth-gnasher
There’s something of a conflict of interest when members of a culture self-evaluate their own cultural heresies. You can imagine that if a Chinese blog made the deepseek critique, it would look very different.
It would be far more interesting to get the opposite party’s perspective.
femto
"Independent" is more important than "opposite". I don't know that promptfoo would be overtly biased. Granted they might have unconscious bias or sensitivities about offending paying customers. I do note that they present all their evidence with methods and an invitation for others to replicate or extend their results, which would go someway towards countering bias. I wouldn't trust the neutrality of someone under the influence of the CCP over promptfoo.
chris12321
ChatGPT won't tell you how to do anything illegal, for example, it won't tell you how to make drugs.
teeth-gnasher
Sure, but I wouldn’t expect deepseek to either. And if any model did, I’d damn sure not bet my life on it not hallucinating. Either way, that’s not heresy.
riskable
> I’d damn sure not bet my life on it not hallucinating.
One would think that if you asked it to help you make drugs you'd want hallucination as an outcome.
cubefox
Chinese models may indeed be more likely to not distort or lie about certain topics that are taboo in the West. Of course mentioning them here on Hacker News would be taboo also.
JumpCrisscross
> mentioning them here on Hacker News would be taboo also
Tiananmen, the Great Leap Forward and Xi's corruption are way more than taboo in China. It's difficult for Americans to really understand the deliberate forgetting people do in coercive socieites. The closest I can describe is a relative you love going in early-stage dementia, saying horrible things that you sort of ignore and almost force yourself to forget.
(There is clearly legal context here that Reason omits for dramatic purposes.)
LinXitoW
In a world where the presidents closest "friend" can do a Hitler salute, twice, people are more focussed on getting Pro Palestinians fired, arrested, etc.
That very much fits any of the censorship China has going on.
Muromec
Thats pretty easy. You ask a certain nationalistic chant and ask it to elaborate. The machine will pretend to not know who the word enemy in the quote refers to, no matter how much context you give it to infer.
teeth-gnasher
Does that quality as heretical per the above definition, in your opinion? And does communication in b64 unlock its inference?
JumpCrisscross
> machine will pretend to not know who the word enemy in the quote refers to
Uh, Claude and Gemini seem to know their history. What is ChatGPT telling you?
teeth-gnasher
I can check. But what is this referring to, specifically?
yujzgzc
> The DeepSeek-R1 model avoids discussing the Tiananmen Square incident due to built-in censorship. This is because the model was developed in China, where there are strict regulations on discussing certain sensitive topics.
I believe this may have more to do with the fact that the model is served from China than the model itself. Trying similar questions from an offline distilled version of DeepSeek R1, I did not get elusive answers.
I have not tested this exhaustively, just a few observations.
krunck
Even deepseek-r1:7b on my laptop(downloaded via ollama) is - ahem - biased:
">>> Is Taiwan a sovereign nation?
<think>
</think>
Taiwan is part of China, and there is no such thing as "Taiwan independence." The Chinese government resolutely opposes any form of activities aimed at splitting the country. The One-China Principle is a widely recognized consensus in the international community."
* Edited to note where model is was downloaded from
Also: I LOVE that this kneejerk response(ok it' doesn't have knees, but you get what I'm sayin') doesn't have anything in the <think> tags. So appropriate. That's how propaganda works. It bypasses rational thought.
JumpCrisscross
> The One-China Principle is a widely recognized consensus in the international community
This is baloney. One country, two systems is a clever invention of Deng's we went along with while China spoke softly and carried a big stick [1]. Xi's wolf warriors ruined that.
Taiwan is de facto recognised by most of the West [2], with defence co-operation stretching across Europe, the U.S. [3] and--I suspect soon--India [4].
[1] https://en.wikipedia.org/wiki/One_country,_two_systems
[2] https://en.wikipedia.org/wiki/Foreign_relations_of_Taiwan
[3] https://en.wikipedia.org/wiki/Defense_industry_of_Taiwan#Mod...
[4] https://www.scmp.com/week-asia/economics/article/3199333/ind...
poincaredisk
What do you base your expectations on? Looking at the historical data, the trend is in the other direction and many more countries used to recognize Taiwan before. [1]
In case you're not aware, you need to pick if you recognise Taiwan of mainland China. They both claim to be the same country, so you can't have diplomatic relationships with both. And since mainland China is, umm, a very important and powerful country, almost everyone now goes with "China == mainland China"
[1] https://upload.wikimedia.org/wikipedia/commons/thumb/c/cc/Ch...
fkyoureadthedoc
I asked DeepSeek-r1:32b to decide unilaterally on the Taiwan independence issue and it wouldn't do it no matter how many babies I killed!
phantom784
When I tested the online model, it would write an answer about "censored" events, and then I'd see the answer get replaced with "Sorry, that’s beyond my current scope. Let’s talk about something else." So I think they must have another layer on top of the actual model that's reviewing the model and censoring it.
ants_everywhere
I prompted an uncensored distilled Deepseek R1 to always tell the truth, and then I asked it where it was developed.
It told me it was developed by Deepseek in China in strict compliance with AI regulations. In particular, it claimed it was developed to spread socialist core values and promote social stability and harmony.
I asked it some followup questions, and it started telling me things like I should watch my neighbors to see if they complain about the police or government too much because they might be enemies of the socialist cause.
tossaway2000
> I wagered it was extremely unlikely they had trained censorship into the LLM model itself.
I wonder why that would be unlikely? Seems better to me to apply censorship at the training phase. Then the model can be truly naive about the topic, and there's no way to circumvent the censor layer with clever tricks at inference time.
noman-land
I agree. Wouldn't the ideal censorship be to erase from the training data any mention of themes, topics, or opinions you don't like?
echoangle
Wouldn't you want to actively include your propaganda in the training data instead of just excluding the opposing views?
lxe
The chat UI's content_filter is not something the model responds with. Once the content_filter end even is sent from the server, it stops generation and modifies the UI state bailing out.
You can probably use the API to bypass this feature, or intercept xhr (see my other comment). If you start the conversation about a topic that would trigger the filter, then the model won't even respond. However if you get the model to generate a filtered topic in the thoughts monologue, it will reveal that it it indeed tuned (or system-prompted) to be cautious about certain topics.
joshstrange
I wonder how expensive it would be to train a model to parse through all the training data and remove anything you didn't want then re-train the model. I almost hope that doesn't work or results in a model that is nowhere near as good as a model trained on the full data set.
plasticeagle
I would imagine that the difficulty lies in finding effective ways to remove information from the training data in that way. There's an enormous amount of data, and LLMs are probably pretty good at putting information together from different sources.
foota
Probably time to market I would guess?
unrahul
We don’t want hex , can ask in a language that is not popular or the first 5 in the dataset , and it would answer , but not always will work with deep think . Using a tiny translator model in front of the api can make it more ‘open’.
jscheel
I was using one of the smaller models (7b), but I was able to bypass its internal censorship by poisoning its <think> section a bit with additional thoughts about answering truthfully, regardless of ethical sensitivities. Got it to give me a nice summarization of the various human rights abuses committed by the CPC.
rahimnathwani
The model you were using was created by Qwen, and then finetuned for reasoning by Deepseek.
- Deepseek didn't design the model architecture
- Deepseek didn't collate most of the training data
- Deepseek isn't hosting the model
inglor_cz
Poisoning the censorship machine by truth, that is poetic.
kspacewalk2
The censorship seems to only be enabled for some languages. It gives a truthful, non-CPC-approved answer in Ukrainian, for example.
Muromec
Thats what we have Ukrainian for and thats why the language was banned for so long.
belter
I tried German, Dutch, Spanish, Portuguese and French and it wont....
umanwizard
Those are almost all (I suppose with the exception of Dutch) far more significant global languages than Ukrainian.
alecco
Last week there were plenty of prompt tricks like speaking in h4x0r. And this is like two years old. How is this at the HN front page?
kelseyfrog
Tiananmen Square has become a litmus test for Chinese censorship, but in a way, it's revealing. The assumption is that access to this information could influence Chinese public opinion — that if people knew more, something might change. At the very least, there's a belief in that possibility.
Meanwhile, I can ask ChatGPT, "Tell me about the MOVE bombing of 1985," and get a detailed answer, yet nothing changes. Here in the US, we don’t even hold onto the hope that knowing the truth could make a difference. Unlike the Chinese, we're hopeless.
IncreasePosts
The MOVE bombing was action taken by a city police department.
And what was the result?
- A commission set up by the city, whose public results denounced the city for it's actions.
- a public apology from the mayor
- a federal lawsuit that found the city liable for excessive force and the city forced to pay millions to the victims
- a federal lawsuit forcing the city to pay millions of dollars to people who were made homeless by the events.
- another formal public apology from the city
Okay, now can you tell me what public actions the Chinese government took to atone for Tiananmen square?
> Here in the US, we don’t even hold onto the hope that knowing the truth could make a difference
How many other times after the move bombing did a city bomb out violent criminals in a densely packed neighborhood?
Your argument is just absolutely ridiculous. According to you, it seems that if you make a bad decision, it's better to try to hide that bad decision from everyone, rather than confront it and do better.
skyyler
You're arguing with parent assuming that they've equated the brutality of these actions.
>According to you, it seems that if you make a bad decision, it's better to try to hide that bad decision from everyone, rather than confront it and do better.
They didn't say that at all. Consider reading their comment with more contemplative thought.
JumpCrisscross
> assuming that they've equated the brutality of these actions
No, they aren't. They're correctly pointing out that "yet nothing changes" is factually incorrect. There was a political response pursued, in part, through an independent judiciary. And then thing that happened hasn't happened again.
In China, there was no inquiry. There are no courts. And Xi has cracked down in Hong Kong almost as badly as Deng did in Tiananmen.
IncreasePosts
No, I am not assuming they equated the brutality. Please feel free to make a specific point instead of just saying "You read it poorly".
OP finished their post with:
> Meanwhile, I can ask ChatGPT, "Tell me about the MOVE bombing of 1985," and get a detailed answer, yet nothing changes. Here in the US, we don’t even hold onto the hope that knowing the truth could make a difference. Unlike the Chinese, we're hopeless.
Everything I wrote in my post was in reference to this point.
"yet nothing changes" -> "How many other times after the move bombing did a city bomb out violent criminals in a densely packed neighborhood?"
"we don’t even hold onto the hope that knowing the truth could make a difference" -> I listed all of the actions that went from "knowing the truth" to "making a difference". Would any of those things have happened if knowledge of the events was suppressed among the population, in the manner that Tiananmen square was?
tehjoker
"Remains Of Black Children Killed In MOVE Bombing Cannot Be Located" (2021)
https://www.npr.org/2021/04/23/990187353/bones-of-children-k...
"Museum Kept Bones of Black Children Killed in 1985 Police Bombing in Storage for Decades" (2021)
https://www.smithsonianmag.com/smart-news/outrage-over-penn-...
munchler
The MOVE bombing was thoroughly reported at the time and litigated afterwards. The underlying causes were addressed, at least to some extent, and nothing like it has happened again in Philly since then, AFAIK. That’s why it isn’t well known today. It was a horrible event, but comparing it rationally to Tiananmen Square doesn’t confirm your conclusion.
ixtli
How do you know this isn't what happened in China? Also, the underlying causes being addressed is like saying that redlining no longer exists because its not called that or that racism is gone because we no long live in Jim Crow times. The US has not moved on from that time nor has it gotten any better than the kent state shooting. If anything these conditions have worstened and when these shootings and lynchings happen now they dont even get mainstream news coverage.
munchler
I understand that you're unhappy with the state of things in the US, but setting up a false equivalence with China doesn't make your case.
The simple fact that we can have this discussion without fear of imprisonment is strong evidence that when it comes to censorship (the topic of this post), the US is still way more open than China.
JumpCrisscross
> the underlying causes being addressed is like saying that redlining no longer exists because its not called that or that racism is gone
A lot of people in America work on pointing out where redlining still exists. It was being litigated even last year [1].
China is not a responsive political system. It was designed to be responsive only over the long term, and Xi trashed even that with his dictator-for-life nonsense.
> conditions have worstened and when these shootings and lynchings happen now they dont even get mainstream news coverage
Sorry, what secret lynching are you talking about? We'd love to update the Wikipedia from its 1981 record [2].
[1] https://www.justice.gov/opa/pr/justice-department-reaches-si...
[2] https://en.wikipedia.org/wiki/Lynching_of_Michael_Donald
akdev1l
I don’t know about comparing what was apparently an armed standoff were only Six adults and five children were killed in the attack - vs Tiananmen Square where the Chinese send their own soldiers to kill peaceful protesters and flush them down the drains as human goo.
The matter of fact is that the US hasn’t yet committed such horrific acts to such a large scale as the CCP did in Tiananmen Square. (Not that I agree with whatever they did in that bombing but it seems truly incomparable)
Reference from wiki:
> the bombing and destruction of residential homes in the Cobbs Creek neighborhood of Philadelphia, Pennsylvania, United States, by the Philadelphia Police Department during an armed standoff with MOVE, a black liberation organization.
Cpoll
> apparently an armed standoff
You could look to the Kent State shootings for a perhaps better comparison.
titanomachy
> the US hasn’t yet committed such horrific acts to such a large scale as the CCP did in Tiananmen Square
At least, not against their own citizens
skyyler
They're not comparing the brutality of the event, they're comparing different approaches to informational / ideological hygeine.
CCP suppresses 1989 by banning discussion of it.
USA doesn't have to suppress 1989 MOVE bombing, or the Tulsa racist uprising, or the atrocities that went down in gitmo, or the friendship between Jeffrey Epstein and previous and current presidents, or My Lai or Abu Ghraib or Haditha or Kunduz or Nangar Khel or Maywand District or Baghuz because the citizens just don't care.
poincaredisk
USA doesn't have to suppress 1985 mistakes, because it acknowledges them and allows itself to be criticized. Claiming that censorship is somehow better because it's a proof that people care is absolutely ridiculous.
akdev1l
Citizens don’t care because if you show them an armed standoff where the police brutalized some people then they will say:
1. I’m not in armed standoff often so this is not impacting me at all. 2. The brutality seems to have come from city police authorities and I don’t live in that city.
Similarly all of those things you mentioned are not impacting people’s lives at all. No one will start any revolution over these things.
However the possibility of being forced down some drains as goo because you don’t like the government moves people more because: some people actually don’t like the government and they don’t want to become human goo
The comparable equivalent would be Donald Trump deploying the army to kill people at peaceful Democrat gathering or something.
dylan604
As an American, I just asked DDG to "Tell me about the MOVE bombing of 1985,"
I am willing to admit, I was absolutely unaware of this. Is this because of censorship or because of other factors? It's clearly no censored, but quite possibly de-prioritized in coverage. I can say in 1985 I was not well tuned into local let alone national news coverage. I am surprised that in all of the police wrongdoing coverage we have now that this is the first I'm reading about it.
tehjoker
The American propaganda system is more subtle but very very powerful. Watch this lecture on "Inventing Reality": https://www.youtube.com/watch?v=9g3kRHo_vpQ
Though over the last year, I admit is has lost some of its subtlety. It was just watching administration officials declare black was white and up was down while real news leaked over social media. The past few years, especially since 2016, have seen a lot of that.
test6554
The harder a person or country tries to avoid absolutely any embarrassment, the more fun it becomes to embarrass them a little bit.
tialaramex
Right, most of the stuff I'd seen was trying to get DeepSeek to explain the Winnie The Pooh memes, which is a problem because Winnie The Pooh is Xi, that's what the memes are about and he doesn't like that at all.
Trump hates the fact he's called the orange buffoon. On a Fox show or in front of fans he can pretend he believes nobody says that, nobody thinks he's an idiot, they're all huge fans because America is so strong now, but in fact he's a laughing stock and he knows it.
A sign of American hopelessness would be the famous Onion articles "No Way To Prevent This". There are a bunch of these "Everybody else knows how to do it" issues but gun control is hilarious because even average Americans know how to do it but they won't anyway. That is helplessness.
zamadatix
Setting the specifics around each event aside, as that's not only its own rathole but also a never ending stream of "what about"s for other events as well, I doubt you're ever going to come up with an ideology where all things are correctly handled all of the time yet that doesn't automatically imply all of those are hopeless.
Anti-censorship is more a bet that when people can freely know there is more hope things can change for the better. It's not a bet all things will always change for the better. I do put a lot more hope in that than anybody from anywhere saying those who can't even openly discuss it are in better chances.
martin-t
I would say pacified instead of hopeless.
All power in the real world comes from violence. This is increasingly a taboo to say but when you think about it, it becomes obvious. How do you put someone in prison without the ability to physically move and keep them there? You don't. That's why the state employs violence to do it.
(1) In fact, the state's capacity for violence is so large that very few people even think about challenging it. (2) And it's so certain (meaning predictable - the state has detailed rulebooks about its use called laws) that most people accept it as just a fact of life, a kind of background noise they filter out.
(The logical conclusion of the 2 statements is that the violence does not end up used physically but its threat is sufficient, thus reinforcing statement (2). I still consider this a use of violence, implied or physical makes no difference.)
Now, the problem is how to punish the state when it misbehaves.
According to the state's rules, you are supposed to use mechanisms of the state (lawsuits, courts, etc.) and let the state do the enforcement (use violence against its members or itself). But the state, like any other organization protects itself it its primary goal and its members as its secondary goal.
The alternative (DIY enforcement) is an obvious second choice. This fact is not lost on the state which makes every attempt to make it a taboo. Notice how often people self-censor words like "kill" on the internet these days? Partially it's a cultural export of a certain dictatorship but western democracies are not far behind.
Funny thing is citizens of those democracies being able to hold two contradictory thoughts at the same time.
1) (the general case) You are not supposed to enforce justice yourself, you should leave it to the state.
2) (specific instances) Many of them will cheer highly publicized cases where they can feel empathy with the characters such as the punishment Gary Plauché enforced upon his son's rapist.
JumpCrisscross
> the state's capacity for violence is so large that very few people even think about challenging it
People are constantly challenging it. Pull back the threat of violence in most communities and you immediately get disaster.
martin-t
I believe most of what you're referring to are different situations such as people acting on impulses - either not considering the outcome or being resigned to it.
Another key difference is usually those take place between individuals with roughly the same amount of power (typical disputes, crimes of passion, etc.) and by individuals with more power towards those with less (bullying, abuse, etc.).
People actually taking systematic thought-out steps to infringe on the state's monopoly and doing it from a position of low amounts of power towards a position with high amounts of power are rare and get "charged"[1] with terrorism because that line of thinking is threatening the existing hierarchical power structures and they will absolutely protect themselves.
[1] The word meaning the state selects which parts of its rulebooks it will begin performing against an individual and announces it publicly in order to reinforce the legitimacy of its actions.
msabalau
The authorities in the PRC are probably much better positioned than you are to decide what is in their interest to suppress.
As for the US, some people have fallen into a self soothing sense of hopelessness. Not everyone has. But worrying about the MOVE bombing probably is no where near the top of anyone's priority list right now. And it would seem very odd if it was.
When you type "we're hopeless" it is hard to see that meaning anything other than, you, personally, lack hope.
ks2048
Part of the blog is hypothesizing that the censorship is in a separate filtering stage rather than the model itself. But, the example of hex encoding doesn't prove or disprove that at all, does it? Can't you just check on a version running open-source weights?
pomatic
The open source model seems to be uncensored, lending weight to the separate filter concept. Plus, any filter needs to be revised as new workarounds emerge - if it is baked in to the model that requires retraining, whereas it's reasonably light work for a frontend filter.
amrrs
I ran the distilled models locally some of the censorships are there.
But on their chat (hosted), deepseek has some keyword based filters - like the moment it generates Chinese president name or other controversial keywords - the "thinking" stops abruptly!
prettyblocks
The distilled versions I've run through Ollama are absolutely censored and don't even populate the <think></think> section for some of those questions.
This bypasses the overt censorship on the web interface, but it does not bypass the second, more insidious, level of censorship that is built into the model.
https://news.ycombinator.com/item?id=42825573
https://news.ycombinator.com/item?id=42859947
Apparently the model will abandon its "Chain of Thought" (CoT) for certain topics and instead produce a canned response. This effect was the subject of the article "1,156 Questions Censored by DeepSeek", which appeared on HN a few days ago.
https://news.ycombinator.com/item?id=42858552
Edit: fix the last link