Lawrence Jones
lawrencejones.dev
@lawrencejones.dev
Engineer at https://incident.io/. Previously @GoCardless | Writes at http://blog.lawrencejones.dev | @lawrjones on Twitter
If I get time I’m going to try this with an open source model and see if I can get it working. In my head I still think what I’m saying is right but that’ll solidify the concepts for me!

The timing attack is definitely a thing but so expensive with LLM calls that I wonder if feasible.
November 11, 2025 at 7:43 AM
In which case I’d default to you being correct and will go do some reading myself!
November 11, 2025 at 7:35 AM
Like the model doesn't need the original source text, just the cached KV pairs and your new queries to compute attention and generate tokens that can reveal the cached content.
November 11, 2025 at 7:34 AM
You probably know this better than I do, but I thought caching would store the KV pairs from attention, and if you can give those to a model with new input tokens, you could get what was previously cached by having the model attend over the cached representations with queries from your new prompt?
November 11, 2025 at 7:33 AM
Can I check: I would very much consider the prompt input tokens to be sensitive data.

Is that how you’re seeing them?
November 11, 2025 at 7:25 AM
This is in a world where cache keys weren’t user segregated and you captured cache keys from someone else’s account. I would expect that would allow you to exfiltrate their prompts and any data in them that was present in the cache, but may be misunderstanding.
November 11, 2025 at 7:21 AM
The attack I’m thinking of is if you had the ability to invoke a model with another person’s cache key.

Afaik the cached result is embedding values/kvs/etc, if you can start the model with that cache value and say “summarise what I just said” you should be able to read out what was ‘in the cache’?
November 11, 2025 at 7:20 AM
Right gotcha. I can ping someone and ask?

On the attacks; while the cache is stored as the matrix result of encoding the input, presumably if you could reuse someone’s cache you can just ask the model to tell you what you just gave it. You don’t have the weights but the model is usable by you?
November 11, 2025 at 7:13 AM
I would imagine just about data hygiene. We have agreements with providers like Anthropic to handle our data differently than other orgs, so it would be a natural thing to separate this stuff even if there isn’t a way to reverse the encoding to get back at the input.
November 11, 2025 at 7:07 AM
Ah, that is annoying. Only knew as we had an incident our side for Slack, lots of failed requests from their APIs.
November 10, 2025 at 8:48 PM
Slack are having an outage unfortunately!
November 10, 2025 at 6:38 PM
Bridging experience gaps like this has been the most useful thing for us adopting Claude. We were much lighter on frontend expertise than backend but have been reskilling a lot with docs and Claude to help.

Have fun!
October 25, 2025 at 1:53 PM
100% agree, email comms is something I’ve missed since the day I joined my current place.
October 25, 2025 at 10:55 AM
I’m really glad you enjoyed it!

We’ve built a huge amount of tooling to help us power these systems. If you catch me after I can show you a bit of it for real!
October 23, 2025 at 12:42 PM
Yeah to be clear I don’t think people pushing for wfh are actually lazy.

I was thinking of people who freely confess they have remote jobs so they can work much less when I mentioned in another thread (of whom I have met several) but I don’t think that’s the driver behind big wfh support!
October 13, 2025 at 8:53 PM
I’ve met people who are exactly like both claims, and many who aren’t.

Problem is the generalising. Means every discussion has people talking past each other.
October 13, 2025 at 6:50 PM
Claiming you hate your family if you prefer in office is an equally poor generalisation as saying anyone who prefers remote is lazy.

I’m not trying to take a side in this, just find it frustrating these conversations always descend into ad hominem attacks like this.
October 13, 2025 at 6:17 PM
Hahahaha no it is ok, though I will accept a poorly done sketch to keep you entertained while in A&E.

This sucks though hope you’re alright
July 25, 2025 at 5:08 AM
Will you be providing a visual essay on this experience?
July 24, 2025 at 9:52 PM
I expect pretty well now 😂
July 21, 2025 at 6:57 AM
Feels this is very much the intention for this guy though.

I expect many people using these tools are ok with the trade-off that it’s a house of cards given the alternative was they wouldn’t have been able to build it themselves otherwise.
July 20, 2025 at 7:18 PM
Hahahaha yep he’s gonna find a pistol squat way too easy 😂 I see now why you found it annoying.

Pistols were what my rowing coach would make you do to prove you weren’t injured if you had a leg issue and were trying to get in the boat anyway. Good luck if your knee is bust!
July 16, 2025 at 7:22 PM
Hahaha is your partner perhaps an ex rower
July 16, 2025 at 4:59 PM