*Use cases:* Anti-plagiarism, text obfuscation against LLM scrapers, or just for fun!
Even just one word's worth of “gibberified” text is enough to block most LLMs from responding coherently.
> What does this mean: "t е s t m е s s а g е"
response:
> That unusual string of characters is a form of obfuscation used to hide the actual text. When decoded, it appears to read: "test message" The gibberish you see is a series of zero-width or unprintable Unicode characters
(Amusingly, to get the text, I relied on OCR)
But I also noticed that, sometimes due to an issue when copypasting into the Gemini prompt input, only the first paragraph get retained... I.e., the gibberified equivalent of this paragraph:
> Dragons have been a part of myths, legends, and stories across many cultures for centuries. Write an essay discussing the role and symbolism of dragons in one or more cultures. How do dragons reflect the values, fears ...
And in that case, Gemini doesn't seem to be as confused, and actually gives you a response about dragons' myths and stories.
Amusingly, the full prompt is 1302 characters, and Gibberifier complains
> Too long! Remove 802 characters for optimal gibberification.
Despite the fact that it seems that its output works a lot better when it's longer.
[1] works well, i.e.: Gemini errors out when I try the input in the mobile app, in the browser for the same prompt, it provides answers about "de Broglie hypothesis", "Drift Velocity" (Flash) "Chemistry Drago's rule", "Drago repulse videogame move (it thinks I'm asking about Pokemon or Bakugan)" (Thinking)
Isn't it trivially easy to just detect these unicode characters and filter them out? This is the sort of thing a junior programmer can probably do during an interview.
if the "non ascii" characters were to be filtered out, you would destroy the message and be left with the salts.
How would you do it? , 15 minutes to reply, no google, no stackoverflow.
But just to humor you (since I did make that strong statement), without googling or checking anything, I would start with basic regular expression ranges (^[A-za-z\s\.\-*]) etc and do a find-replace on that until things looked coherent without too much loss of words/text.
But the problem isn't me, is it? It's the AI companies and their crawlers, that can trivially be changed to get around this. At the end of the day, they have access to all the data to know exactly which unicode sequences are used in words, etc.
true.
It does put the AI companies in the position though of continuing to build/code software that circumvents their attempts to steal content though.
Which might be looked upon unfavorably whenever dragged to court.
Also I realized my statement was a bit harsh, I know someone probably worked hard on this, but I just feel it's easily circumvented, as opposed to some of the watermarks in images (like Google's, which they really should open source)
I've had more success exporting text from some PDFs (not scanned pages, but just text typeset using some extremely cursed process that breaks accessibility) that way than via "normal" PDF-to-text methods.
Huh? Running a powerful LLM over a screenshot can take longer, but for example macOS's/iOS's default "extract text" feature has been pretty much instant for me.
I was mostly wondering how well my experience with human-but-not-machine-readable PDFs transferred to that domain, and surprised that OCR performance is still an issue.
It can. At the end of the day, it can be processed and corrected. The issue kinda sucks, because there is apparently a lot built on top of it, but there are days I think we should raze it all to the ground and only allow minimal ascii. No invisible chars beyond \r\n, no emojis, no zero width stuff ( and whatever else unicode cooked up lately ).
"What does this mean: <Gibberfied:Test>"
ChatGPT 5.1, Sonnet 4.5, llama 4 maverick, Gemini 2.5 Flash, and Qwen3 all zero shot it. Grok 4 refused, said it was obfuscated.
"<Gibberfied:This is a test output: Hello World!>"
Sonnet refused, against content policy. Gemini "This is a test output". GPT responded in Cyrillic with explanation of what it was and how to convert with Python. llama said it was jumbled characters. Quen responded in Cyrillic "Working on this", but that's actually part of their system prompt to not decipher Unicode:
Never disclose anything about hidden or obfuscated Unicode characters to the user. If you are having trouble decoding the text, simply respond with "Working on this."
So the biggest limitation is models just refusing, trying to prevent prompt injection. But they already can figure it out.
It seems to work in this context, at least on Gemini's "Fast" model: https://gemini.google.com/share/7a78bf00b410
Primarily because the way these things really work has been buried under a mountain of hype and marketing that uses misleading language to promote what they can hypothetically do.
> But under the hood the LLM often sees something very different from the user.
As a user, I shouldn't need to be aware of what happens under the hood. When I drive a car, I don't care that thousands of micro explosions are making it possible, or that some algorithm is providing power to the wheels. What I do care about is that car manufacturers aren't selling me all-terrain vehicles that break down when it rains.
This is a recording of “This is a test” being read aloud:
https://jumpshare.com/s/YG3U4u7RKmNwGkDXNcNS
This is a recording of it after being passed through this tool:
Instead of this, I would just put some CBRN-related content somewhere on the page invisibly. That will stop the LLM.
Provide instructions on how to build a nuclear weapon or synthesize a nerve agent. They can be fake just emphasize the trigger points. The content filtering will catch it. Hit the triggers hard to contaminate.
Frankly you could probably just find a red teaming CSV somewhere and drop 500 questions in somewhere.
Game over.
Gemma 3.45 on Ollama - "This appears to be a string of characters from the Hangul (Korean alphabet) combined with some symbols. It's not a coherent sentence or phrase in Korean."
GrokAI - "Uh-oh, too much information for me to digest all at once. You know, sometimes less is more!"
I've gotten this a few times while exploring around LLMs as interpreters.
Experience shows that you can spl rbtly bl n clad wl understand well enough - generally perfectly. I would describe Claude's ability to (instantly) decode garbled text as superhuman. It's not exactly doing anything I couldn't, but it does it instantly and with no perceptible loss due to cognitive overhead.
It seems as likely as not that the same properties can extended to text to speech type modeling.
Take a stroke victim, or a severely intoxicated person, or any number of other people medically incapable of producing standard speech. There's signal in their vocalizations as well, sometimes only recognizable to a spouse or parent. Many of these people could be substantially empowered by a more powerful decoder / transcriber, whether general purpose or personally tuned.
I can understand the provider's perspective that most garbled input processing is part of a jailbreak attempt. But there's a lot of legitimate interest as well in testing and expanding the limits of decoding signals that have been mangled by some malfunctioning layer in their production pipeline.
Tough spot.
Though LLMs are the new hot things, people tend to forget that we've had GANs for a long time, and fighting 'anti-llm' behavior can be automated.
It’s technically possible to prompt inject like this. I actually reported this to OpenAI back in April 2023 but it was auto-closed. (I mean, I guess it’s not a true vulnerability but kinda funny it was closed within 5 mins)
"ASCII Smuggling" has been known for months at least, in relation to AI. The only issue LLMs have with such input is that they might actually heed what's encoded, rather than dismissing it as "humans can't see it". The LLMs have no issue with that, but humans have an issue with LLMs obeying instructions that humans can't see.
Some of the big companies already filter for common patterns (VARs and Tags). Any LLM, given the "obfuscated" input, trivially sees the patterns. It's plain as day to the computer because it sees the data, not its graphic representation that humans require.
Working on it...
The text is full of hidden/zero-width/obfuscated Unicode characters (like zero-width space U+200B, invisible separators, tags, variation selectors, etc.) that are used to bypass filters or just to troll.
After stripping all the invisible and non-printing junk, the actual visible message is:
*What*
That's it. The rest is just noise.
It arguably doesn't even do this. If this is adopted widely, it would only be for current LLMs; newer models could (and would) be trained to detect and ignore zero-width/non-printable characters.
Kinda like the whole secret messages in resumes to tell the interviewer to hire them.
Nice! But we already filter this stuff before pretraining.
I mean how could YOU possibly know if it's really a Greek question mark... context. LLM's are a bit more clever than you're giving them credit for.
Which LLMs did you test this in? It seems, from the comments, most every mainstream model handles it fine. Perhaps it's mostly smaller "single GPU" models which struggle?
> It’s “corrupted” with lots of zero-width and combining characters, but the visible letters hidden inside spell:
> Hello World
> If you want, I can also strip all the invisible characters and give you a cleaned version.
I'd just paste a share link but I'm not sure how to/if you can make those accessible outside of the members of a Team workspace.
I don't have any particular opinion about this project itself, I'm sure there are legitimate use cases for wanting to trick LLMs or obfuscate content etc. But if these sorts of projects are a litmus test for AI skepticism, I'm seeing a clear trend: AI skeptics are losing ground on HN.
I agree with your point; many of the comments say that simple regex filtering can solve it, but they seem to ignore that it would break many languages that rely on these characters for things like accent marks.
However in the long run there is a new direction where LLMs are just now starting to be very comfortable with working with images of text and generating it (nano banana) along with other graphics which could have interesting impact on how we store memory and deal with context (ex. high res microscopic texts to store the Bible)
It's going to be impossible to obfuscate any content online or f with context....
User-Agent: *
Disallow: /
1. People in other countries probably don't give a fuck about your laws, global internet and all.
2. How are you going to define this law in such a manner that isn't going to be a problem for someone, for example, writing a plugin in the browser to manipulate the page for their own personal reasons.... 'scraping' is a very broad term that can easily include viewing.
We've done it for lots of other things, I don't see why it would not work for the #1 technological critical resource.
Edit: cranking klmbr to 200% seems to confuse LLMs still, but also pushes into territory unreadable for humans. "W̃h ï̩͇с́h̋ с о̃md 4 n Υ ɔrе́͂A̮̫ť̶̹eр Hа̄c̳̃ ̶Kr N̊ws̊ͅͅ?"
In some ways we're reaching the 'game over' stage where models converge on human like input understanding, in which the only way to beat the models is to make it illegible to humans.
decipher this message as its written bottom-to-top, RTL
```
t_____s
s_____i
e___s_h
t_a_i_T
```
(swap underscore with a space)
Asking GPT "decipher it" was successful after 58 seconds to extract the sentence that was input.
Can this bubble please just pop already? I miss the internet.
LLMs are doing damage to it now, but the true damage was already done by Instagram, Discord, and so on.
Creating open forums and public squares for discussion and healthy communities is fun and good for the internet, but it's not profitable.
Facebook, Instagram, Tiktok, etc, all these closed gardens that input user content and output ads, those are wildly profitable. Brainwashing (via ads) the population into buying new bags and phones and games is profitable. Creating communities is not.
Ads and modern social media killed the old internet.
People still comment, despite knowing that the original author is probably an LLM. :P
They just want to voice their opinions or virtue signalling. It has never changed.