
Comment by aurareturn

6 hours ago

The whole system has encryption all the way through.

Otherwise, OpenAI/Anthropic would never use external clouds since the weights are some of the most valuable assets in the world.

Matmuls need access to decrypted weights to do their work.

Which means that getting the full weights out isn't even an "if" - it's "how much effort". The encryption wouldn't do much more than a gentleman's agreement would.

The only real move for Anthropic there is to outline contract penalties for letting weights get leaked, and never give less trusted external inference providers access to cutting edge system weights.

Exposure is limited either way. Opus 4.7 weights are a deprecating asset - it's bleeding edge today, very valuable now, but it'll lose a lot of its value the moment Opus 5.0 drops.

  • That would require hacking Nvidia's GPUs/racks to extract the weights. The weights are encrypted, sent to the GPU/rack encrypted. When it does inference, it will use decrypted weights but there is no way to get those weights unless you find a way to exploit Nvidia's GPU security.

    Do you think OpenAI would send CoreWeave their GPT 5.5 Pro weights if an admin employee at CoreWeave can access the full weights unencrypted? Of course not.

    • It would require exactly that. A bit more involved than "scp that big file", yes. But you make a mistake by treating it as a hard blocker.

      Like I said: it's a gentleman's agreement. If Musk said "I want Opus 4.7 weights", and those weights were on Colossus 1 hardware, he'd have those weights on his desktop, unencrypted, within a couple of weeks.

      There's also the side channel line, because having inference on your hardware typically allows you to do things like snoop into KV cache and peek at per-layer, or even per-expert, residuals. Which allows for some very advanced distillation attacks. Might be easier/more deniable to pull that off than dumping full weights, in some circumstances.