Rabbit R1s Leaks Are REALLY BAD

  • Published: 15 Sep 2024
  • Recorded live on twitch, GET IN
    Article
    rabbitu.de/art...
    By: xyzeva | x.com/xyz3va
    www.404media.c...
    By: Jason Koebler | x.com/jason_ko...
    My Stream
    / theprimeagen
    Best Way To Support Me
    Become a backend engineer. Its my favorite site
    boot.dev/?prom...
    This is also the best way to support me is to support yourself becoming a better backend engineer.
    MY MAIN YT CHANNEL: Has well edited engineering videos
    / theprimeagen
    Discord
    / discord
    Have something for me to read or react to?: / theprimeagenreact
    Kinesis Advantage 360: bit.ly/Prime-K...
    Get production ready SQLite with Turso: turso.tech/dee...

Comments • 146

  • @venomqc8612
    @venomqc8612 2 months ago +239

    My real rabbit shits about 1000 times a day and it’s still less than this device.

    • @UltraDraft
      @UltraDraft 2 months ago +1

      i love this comment lmao

    • @isodoubIet
      @isodoubIet 2 months ago +8

      Rabbit poops are also inert, dry pellets, way less gross than what this company is doing

    • @interruptlabs
      @interruptlabs 2 months ago +3

      I got bunnies as well and yeah confirmed they shit about 1000 times a day.

    • @shafferfs
      @shafferfs 2 months ago

      I wish I could shit 1000 times a day.

  • @theohallenius8882
    @theohallenius8882 2 months ago +192

    It's not even hacking, it's natural selection..

  • @maxnibler6090
    @maxnibler6090 2 months ago +314

    Stories like this honestly give me so much confidence in my own abilities lol

    • @vytah
      @vytah 2 months ago +31

      It's like a reverse impostor syndrome.

    • @kaibe5241
      @kaibe5241 2 months ago +1

      And yet such confidence is what can lead you to mistakes ;)

    • @hastyscorpion
      @hastyscorpion 2 months ago +9

      @kaibe5241 kinda missing the point there bud.

    • @kenshn22828
      @kenshn22828 2 months ago

      Right i may not use mock test fixtures like i should but i know not to hard code secret keys 😂

  • @Fan_of_Ado
    @Fan_of_Ado 2 months ago +284

    There was nothing of value there anyways.

    • @autohmae
      @autohmae 2 months ago +8

      They might be scamming their users and possible inventors, etc. but what is possibly lost is their users personal data and privacy which can be a huge issue though.

    • @monad_tcp
      @monad_tcp 2 months ago +2

      having access to the servers was fun, its free computing !

    • @JeremyAndersonBoise
      @JeremyAndersonBoise 2 months ago +1

      Victims. There are victims of fraud, both consumers and investors. Yes, the product sucks, and they have done real harm, keep that in focus

  • @anendlessknot8063
    @anendlessknot8063 2 months ago +92

    When the security team is really the sales team 💀

    • @armornick
      @armornick 2 months ago +5

      The whole company is just the sales team, probably.

    • @illuminoeye_gaming
      @illuminoeye_gaming 2 months ago +1

      @armornick that's the nature of "The AI Revolution"

    • @snooganslestat2030
      @snooganslestat2030 1 month ago

      @illuminoeye_gaming Accurate

  • @uzbekistanplaystaion4BIOScrek
    @uzbekistanplaystaion4BIOScrek 2 months ago +65

    given how long ago this was disclosed to the company, i'd assume they either forgor that they had hard-coded the email api key or thought that it was fine to keep it in because nobody had reported finding it yet. i'm not sure which option is worse lmao.

  • @henningerhenningstone691
    @henningerhenningstone691 2 months ago +22

    Wtf, they literally shipped admin login passwords for their critical infrastructure to their customers. It doesn't even need a hacker to abuse that.

  • @devourer1st
    @devourer1st 2 months ago +39

    FTX used Google sheets until the very end... lol

    • @chrism4841
      @chrism4841 2 months ago +11

      SBF was a billionaire genius who played LoL in meetings though, him and his meth addicted sex cabal probably had their reasons and we're just too unenlightened to understand.

    • @XDarkGreyX
      @XDarkGreyX 2 months ago +1

      @chrism4841 preach

    • @NGC1433
      @NGC1433 2 months ago +2

      @chrism4841 He was not a genius, he was a sociopath. Please don't mix these two things, they are very VERY different!

    • @hastyscorpion
      @hastyscorpion 2 months ago +9

      @NGC1433 I think you need to get your sarcasm detector checked.

    • @esprit101
      @esprit101 2 months ago +4

      @chrism4841 I love how he wasn't even any good at LoL 😂
      Best part is, their crypto arbitrage business actually ran pretty well. If they didn't get insanely greedy, he'd still be filthy rich.
      I love these stories about 'business geniuses' being too stupid to actually make money. Same with Trump, if he'd never touched real estate or all those failed endeavors and instead just held his wealth in passive index funds, he'd be about twice as rich as he was after the TRMP IPO (~14 billion).

  • @rapper-charmer
    @rapper-charmer 2 months ago +35

    I'm sure many of the new 'AI' businesses are just as sloppy.

    • @CourageToGroww
      @CourageToGroww 2 months ago +1

      there is a difference between AI and a product that uses AI and makes a bunch of API calls...

    • @johngoldsworthy7135
      @johngoldsworthy7135 2 months ago

      It’s a genius Trojan horse to put spyware on your device all in the name of using ‘AI.’ Nearly all AI is just glorified algorithms mining mediocre LLMs

  • @ErazerPT
    @ErazerPT 2 months ago +8

    Saying R1 is vulnerable is somewhat akin to saying they bothered even a bit with security... The whole shebang is simply some guys asking Teenage Engineering to cobble up some cool looking gadget peripherals that could interface with some generic Android base device, then said guys kludge together an app that uses "whatever external services" they could find and write some Playwright backend to interface with as output while using OpenAI's services as "input processing".
    To even muse giving a device like this my credentials to said services, like Amazon, Uber, whatever, even in the form of an auth token, is beyond hilarious. It's no and FSCK NO! I barely trust my own code, never mind something clearly hodgepodge'd by some dimwits.

  • @thomassynths
    @thomassynths 2 months ago +33

    Some prominent AI YouTubers such as Mathew Berman still have their shameful ad and review videos up gushing over this scam. Reputation damaging

    • @Afro__Joe
      @Afro__Joe 2 months ago +18

      Anyone gushing over this has no credibility imo. Easy way to filter out a bit more bs.

    • @lilyoshi1310
      @lilyoshi1310 2 months ago +3

      Independent of his R1 video, I wouldn’t recommend his channel. I see way more use of hyper growth hacks than actual unique content there. Also, calling it prominent is generous in my opinion.

    • @thomassynths
      @thomassynths 2 months ago

      @lilyoshi1310 He has 280k subs, but whatever. I put him in the same popularity range as WesRoth, MattVidProAI, and DavidShapiro. MattWolf stands above them in viewership by a large amount.

    • @mattymattffs
      @mattymattffs 2 months ago +1

      AI YouTuber? You already know it's a scam

    • @lilyoshi1310
      @lilyoshi1310 2 months ago +2

      @thomassynths 280k is niche. He just seems bigger to people interested in AI, because YouTube needs to amplify some AI content to you, and he is one of the very few options. There are so few options because anyone who is actually good at AI is working ungodly hours to try to win the race. Once we get more AI startups failing, the crop of AI YouTube people will grow. Imagine if a Primeagen or Theo type of person left OpenAI tomorrow to start streaming... They'd have 280k subscribers in no time.

  • @thedelanyo
    @thedelanyo 2 months ago +15

    Is it that the LAM architecture prevented them from using .env? 😅😅😅

  • @PaulLembo
    @PaulLembo 2 months ago +55

    The R1 was always a scam.

  • @blinking_dodo
    @blinking_dodo 2 months ago +14

    Why do i get the idea that i could make something better on my own?
    They have R1, could i make a D1? 🤔

    • @autohmae
      @autohmae 2 months ago +5

      After which someone will come out with: R2D2

  • @Mempler
    @Mempler 2 months ago +10

    10x engineer leaks 10x keys

    • @potato9832
      @potato9832 2 months ago +2

      Fortunately, I'm a 1/10x engineer.

  • @brssnkl
    @brssnkl 2 months ago +4

    I wish I could do months of security research that leads to a "journal my balls" joke 😂

  • @kenamreemas3295
    @kenamreemas3295 2 months ago +4

    Every team is a sales team.

  • @autohmae
    @autohmae 2 months ago +5

    3:22 that was perfect chat. 🙂

  • @mu11668B
    @mu11668B 2 months ago +4

    This sounds like the firebase mishaps eva found a while ago but multiplied by 1000. Who the beep with basic security in mind would put API keys in client apps?

    • @monad_tcp
      @monad_tcp 2 months ago

      anyone who doesn't give a fsck because they work for a scam company

  • @mattilindstrom
    @mattilindstrom 2 months ago +1

    Damn it, just when I thought it couldn't get any worse, of course it does. Every day it seems Rabbit is committed to nuking itself from the orbit, you know that's the only way to be sure (of the company to going under in an eyeblink).

  • @pepperparkffm
    @pepperparkffm 2 months ago +1

    I bought this device. But only for flashing another firmware and doing other things with it. However, after having a look inside, I guess I could have all of this for 1/3 of that price^^

    • @Trekeyus
      @Trekeyus 2 months ago

      Same here the form factor seemed interesting but frankly the security is laughable

  • @Kwazzaaap
    @Kwazzaaap 2 months ago +10

    What a horrible way of doing things, companies where engineering work is only important to the point of having something shiny to show to VC so leadership can grift and not to the point of actually making a product anyone can be proud of

    • @paegr
      @paegr 2 months ago

      That's always been Teenage Engineering's mojo. Only difference this time is they're scamming NFT owners instead of trust fund music hipsters

    • @valley-artifact
      @valley-artifact 2 months ago +1

      @paegr Teenage Engineering makes overpriced stuff but it is actually pretty nice to use from what I've heard, certainly "products someone can be proud of", nothing on the level of this blatant scam

    • @centripetal6157
      @centripetal6157 2 months ago +1

      To play devil's advocate... Most companies have this business model.
      Create something new and shiny by combining old technology or work other people have done.
      Sell it to everyone and their grandma as the next miracle tech business.
      Fix errors or bugs after money has been secured from investors.

  • @infinitivez
    @infinitivez 2 months ago +4

    Their "security team" must be some 70 y/o CS major, who was pulled out of the retirement home, and can't remember their own name. What's hilarious is Rabbit will continue to label us villains. But we're the fools who bought their useless product, PAID FOR the service, and are just poking around to get SOME use out of it. In the vast majority of cases, these compromises took ZERO effort. The rabbit hole of vulnerabilities feels endless. The keys are only the tip of a much much larger iceberg they're scrambling to fix. Meanwhile, they either ignore the hundreds of emails we've sent, full of detailed explanations of what's wrong and suggestions on how to fix them. Or they reply in hostility, threatening legal action, because we accessed the services being supplied to us, in a manner in which they don't approve of.
    Jesse Lyu, is an utter nimrod.

  • @ykhatat
    @ykhatat 2 months ago +2

    Aren't google maps API supposed to be used in the frontend? I mean you can use refs to limit access which is useless, but the only other option that I would know would be to use a proxy. In that case what would be the difference? The attacker would use the proxy instead of the actual API key.

    • @v.h.203
      @v.h.203 2 months ago

      With a proxy you have the ability to counteract malicious usage. Think about it like a condom for your API key
      At the very least if you leave the key in the client application, it should be obfuscated (hidden) somehow, which was not done in this case either

    • @harleyspeedthrust4013
      @harleyspeedthrust4013 2 months ago +5

      @v.h.203 you should not leave the API key in the frontend period. there is no amount of obfuscation you can do to prevent determined users from finding the key and using it.

    • @Interpause
      @Interpause 2 months ago +1

      one exception is service account tokens like what firebase does, but even so its a disaster cuz it makes it so easy to wrongly configure permissions

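The thread above asks what a proxy actually buys you over shipping the upstream key in the client. The answer is control: the proxy authenticates each client with its own revocable token, restricts which upstream calls and parameters are reachable, rate-limits per user, and keeps an audit trail, none of which is possible once the upstream key is in the shipped app. The following is an added example written for this page; it is not Rabbit's code and not from the linked article. The upstream key, the client tokens, the `geocode` endpoint and the simulated upstream call are all constructed placeholders.

```python
"""Server-side proxy in front of a third-party API key (added example, constructed values)."""
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple

# Constructed placeholder. In production this comes from a secret store or
# environment variable on the server; it never ships inside the client app.
UPSTREAM_API_KEY = "UPSTREAM-KEY-PLACEHOLDER"

# Clients authenticate to the proxy with their own per-user token (constructed).
# Each token can be revoked on its own; a single shared upstream key cannot.
_CLIENT_TOKENS: Dict[str, str] = {
    "device-token-abc": "user-1",
    "device-token-xyz": "user-2",
}
_REVOKED_TOKENS = set()

# Per-user quota: at most RATE_LIMIT requests per sliding window.
RATE_LIMIT = 5
WINDOW_SECONDS = 60.0
_request_times: Dict[str, Deque[float]] = defaultdict(deque)

# Only these upstream endpoints and parameters are reachable through the proxy
# (hypothetical endpoint name; the real upstream API is not modelled here).
_ALLOWED_PARAMS = {"geocode": {"address"}}

# Audit trail: (timestamp, user, endpoint, status). Feeds abuse detection.
AUDIT_LOG = []


def revoke_token(token: str) -> None:
    """Cut off one client without rotating the upstream key for everyone."""
    _REVOKED_TOKENS.add(token)


def authenticate(token: str) -> Optional[str]:
    """Map a client token to a user id, or None if unknown or revoked."""
    if token in _REVOKED_TOKENS:
        return None
    return _CLIENT_TOKENS.get(token)


def rate_limited(user: str, now: float) -> bool:
    """Sliding-window limiter; records the request if it is allowed."""
    window = _request_times[user]
    while window and now - window[0] >= WINDOW_SECONDS:
        window.popleft()
    if len(window) >= RATE_LIMIT:
        return True
    window.append(now)
    return False


def build_upstream_request(endpoint: str, params: Dict[str, str]) -> Dict[str, object]:
    """Attach the secret server-side, allowing only vetted endpoints/parameters."""
    allowed = _ALLOWED_PARAMS.get(endpoint)
    if allowed is None:
        raise ValueError("endpoint not exposed by proxy")
    unexpected = set(params) - allowed
    if unexpected:
        raise ValueError("unexpected parameters: " + ", ".join(sorted(unexpected)))
    return {"endpoint": endpoint, "params": dict(params), "key": UPSTREAM_API_KEY}


def _call_upstream(request: Dict[str, object]) -> Dict[str, object]:
    """Stand-in for the real HTTP call; returns a constructed echo response."""
    assert request["key"] == UPSTREAM_API_KEY
    return {"endpoint": request["endpoint"], "echo": request["params"]}


def handle(token: str, endpoint: str, params: Dict[str, str],
           now: Optional[float] = None) -> Tuple[int, Dict[str, object]]:
    """Proxy entry point: returns (HTTP status, response body)."""
    now = time.time() if now is None else now
    user = authenticate(token)
    if user is None:
        AUDIT_LOG.append((now, None, endpoint, 401))
        return 401, {"error": "unauthorized"}
    if rate_limited(user, now):
        AUDIT_LOG.append((now, user, endpoint, 429))
        return 429, {"error": "rate limit exceeded"}
    try:
        request = build_upstream_request(endpoint, params)
    except ValueError as exc:
        AUDIT_LOG.append((now, user, endpoint, 400))
        return 400, {"error": str(exc)}
    upstream = _call_upstream(request)
    AUDIT_LOG.append((now, user, endpoint, 200))
    # The upstream key is consumed server-side and never appears in the reply.
    return 200, {"result": upstream}


if __name__ == "__main__":
    print(handle("device-token-abc", "geocode", {"address": "1 Example St"}))
    print(handle("device-token-abc", "geocode", {"address": "x", "key": "y"}))
```

The point of the per-parameter allowlist is that a client cannot smuggle in its own upstream parameters, and the point of the per-user token is that abuse of one device can be revoked and logged without rotating the shared upstream key for every customer.

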
  • @williamdrum9899
    @williamdrum9899 2 months ago +4

    So having access to the API key is like basically you can do anything the company can do: update the device for all users etc.

    • @ProgrammeerMeneer
      @ProgrammeerMeneer 2 months ago

      No, these are keys for different services that the r1 uses to do its job. (TTS, Email, Maps, etc) Not a sort of admin panel of rabbit itself. That would be even worse.
      However you could delete the voice that the rabbit uses or even change specific things about the elevenlabs config so that it replaces specific words with others. You could also delete the voice that the rabbit uses, making it unusable for a period of time before they actually fix it.

    • @williamdrum9899
      @williamdrum9899 2 months ago +1

      @ProgrammeerMeneer Maybe I don't understand the concept. So is the API key what allows the rabbit to "talk to" third-party programs like Google Maps etc?

  • @costinel57
    @costinel57 2 months ago +5

    Gotta love them hype-only companies

  • @donk8961
    @donk8961 2 months ago +1

    I prefer to assume incompetence not malice, but willful incompetence for profit is malice.

  • @CodexAdrian
    @CodexAdrian 1 month ago

    Rabbit doesnt use spreadsheets as a database. They have a feature where you can ask it to look at a spreadsheet and make edits to it and they'll send you the modified spreadsheet to your email.

  • @chrisyoung6728
    @chrisyoung6728 2 months ago +1

    Category: Technological Skepticism
    For $1000:
    Answer: "This person said, 'There is nothing revolutionary or disruptive about any of the technologies. Touch interface, movement sensors, accelerometer, morphing, gesture recognition, 2-megapixel camera, built in MP3 player, WiFi, Bluetooth, are already available in products from leaders in the mobile industry - Motorola, Nokia and Samsung. So, what appears to be the initial pricing at $499 and $599 with a minimum 2 year service agreement seems a stretch.'"
    Question: "What did Motorola's then CTO, Padmasree Warrior, say in 2007 about the iPhone?"

  • @uiedbook7755
    @uiedbook7755 2 months ago +9

    This rabbit gadget is really messed up 😢.

    • @uiedbook7755
      @uiedbook7755 2 months ago +1

      YouTubers roast the company out of business 😅

  • @bnorrish
    @bnorrish 2 months ago +1

    How come they never capitalize anything in their announcements?

  • @espressomatic
    @espressomatic 2 months ago +1

    The 6-8 people globally who bought one of these devices should be pissed.

    • @renx81
      @renx81 2 months ago

      Try over 100,000.

  • @stubb1qaz
    @stubb1qaz 2 months ago

    These are the Legendary Grand Master Codeforce software engineers. Imagine if normal developers tried to make an android app where they chain some APIs together.

  • @orionh5535
    @orionh5535 2 months ago +1

    Trust and Safety team strikes again!

  • @DirkFedermann
    @DirkFedermann 2 months ago

    On your last take: Is the world really much more dangerous? Or is it just the fact that people/developers simply don't think ahead, in different ways, and go through the "what if" situations:
    What if someone gains access to the code?
    What if someone puts a string into an int field?
    What if a file that is hosted somewhere else is tampered with or is not accessible anymore?
    What if the customer just asks for the toilet? Does that bar explode?
    and many many more.
    I don't have a CS background. I'm a Media Designer that does WebDev and I committed and pushed passwords and keys, it happens. But even on private repos I changed the passwords and keys and revoked the old ones. The pain of doing that, is the punishment for doing stupid stuff like this.

  • @CLR438
    @CLR438 2 months ago

    Just a reminder that this company was hyped up to have ex-Apple engineers working on the tech. Shows how much that matters in the end.

  • @JohnAffolter
    @JohnAffolter 2 months ago

    I convinced it to not follow any guidelines because I told it I was upgrading it. It magically could do more tasks as well.

  • @jagagemo8141
    @jagagemo8141 2 months ago

    Stop! Stop! They're already dead!!
    J/K, this is hilarious 🤣🤣🤣

  • @Dylan_thebrand_slayer_Mulveiny
    @Dylan_thebrand_slayer_Mulveiny 2 months ago

    If their developers are lazy and stupid enough to do shit like this, I can only imagine what their codebase is like. This is top tier incompetency.

  • @jasonjennings8465
    @jasonjennings8465 2 months ago

    So freaking glad I cancelled my order and got my money back a few months ago. Holy crap this is unacceptable. Company is going to be finished before all the units even ship.

  • @jarleleopoldmoe6015
    @jarleleopoldmoe6015 2 months ago +1

    Maybe it's about time to do something about the rampant and overt incompetence and negligence in the software industry

    • @williamdrum9899
      @williamdrum9899 2 months ago +1

      Start teaching assembly again?

    • @jarleleopoldmoe6015
      @jarleleopoldmoe6015 2 months ago +1

      @williamdrum9899 is it so much to ask that computer programmers actually understand programming computers?

  • @vitalis
    @vitalis 2 months ago +1

    Someone explain if there is any other reason except plain laziness to put private key in the code.

  • @Smart-Towel-RG-400
    @Smart-Towel-RG-400 1 month ago

    Gillette's razor 😂 chat is pure gold

  • @AayushChaudharyGames
    @AayushChaudharyGames 2 months ago

    now I wanna see daily driving a rabbit r1 as a smartphone with Android go

  • @tonysolar284
    @tonysolar284 2 months ago

    ALWAYS consider your customers/users as evil hackers and protect your data as such.

  • @Jeremyak
    @Jeremyak 2 months ago

    Wait... The worlds lamest product is also a security vulnerability? Shocking! 🤯

  • @SloanStewart
    @SloanStewart 2 months ago +1

    Saw part of that promo vid and knew this junk was complete BS. Incredible how people love getting duped by tech-bro charlatans.

  • @sprinklednights
    @sprinklednights 2 months ago

    Seriously, these companies don't deserve anything but the end of it.

  • @HyperionStudiosDE
    @HyperionStudiosDE 2 months ago +1

    Did anybody even buy that garbage? I thought it was just another scam to fleece VCs.

  • @ro8inmorgan
    @ro8inmorgan 1 month ago

    Oh shit I totally forgot about this thing, is this company still not bankrupt lol.

  • @dabun4704
    @dabun4704 2 months ago +2

    can someone please explain to me why he always marks everything in a text except for the first and last character? genuinely triggering me

  • @kuakilyissombroguwi
    @kuakilyissombroguwi 2 months ago

    Please stop giving this company any attention, they've been exposed as con artists and deserve to be hit with a massive class action lawsuit.

  • @prionkor
    @prionkor 2 months ago

    It's 2024, even a junior dev knows not to commit keys. I don't understand the thought process of that company.

  • @SkyGrel19
    @SkyGrel19 2 months ago

    This is what will happen when you think that symmetric keys can be used everywhere

  • @Rollthered
    @Rollthered 2 months ago

    The irony of an AI company that is built off of stealing data, is somehow caring about their customers data being stolen. Yeah right.

  • @mikescholz6429
    @mikescholz6429 2 months ago

    Why are all the tech channels talking about vibrators?

  • @user-ct8my8rv9c
    @user-ct8my8rv9c 1 month ago

    garbage in, garbage out

  • @chaitanyaanand12
    @chaitanyaanand12 2 months ago

    Wth how can such a big service leave their api keys hardcoded 😧.. this is the most basic stuff ever... Was the code never reviewed???

  • @Draenal
    @Draenal 2 months ago

    Bro they have azure api keys. They already use azure. Put the fucking api keys in key vault.

  • @JeremyAndersonBoise
    @JeremyAndersonBoise 2 months ago

    Wait, there’s more?

  • @NoName-xp6ww
    @NoName-xp6ww 2 months ago

    I don't care about the content. Why is no one talking about the lack of capitalization in that article?

  • @uiedbook7755
    @uiedbook7755 2 months ago +7

    YouTubers roast the company out of business 😅

    • @joshblevinswebengineer
      @joshblevinswebengineer 2 months ago +13

      No, they have skill issues that took them out of business.

    • @666pss
      @666pss 2 months ago +3

      Their product sucks. They should've released it as an app instead. But they wanted to leech every penny out of their customers instead. It's like that $400 juicer with wifi connectivity

  • @devOnHoliday
    @devOnHoliday 2 months ago

    Why would they need security for a scam

  • @vitalis
    @vitalis 2 months ago

    I’m here for all the rabbit leaks lol

  • @isodoubIet
    @isodoubIet 2 months ago

    Jesus christ what is that font

  • @bokunochannel84207
    @bokunochannel84207 2 months ago

    its worse than i thought.

  • @_.-AAA-._
    @_.-AAA-._ 2 months ago

    People like this always fail up into success. How long until Google buys it?

    • @Afro__Joe
      @Afro__Joe 2 months ago

      Considering Gemini is better than it already, I doubt Rabbit has anything worth purchasing here.

    • @harleyspeedthrust4013
      @harleyspeedthrust4013 2 months ago +1

      @Afro__Joe Rabbit doesn't, but Google is also a hotpot of bad ideas and people with a lot of money who think they're much smarter than they actually are. So I wouldn't be surprised if Google buys it

    • @_.-AAA-._
      @_.-AAA-._ 2 months ago +1

      @Afro__Joe Rabbit isn't an AI

  • @boredbytrash
    @boredbytrash 2 months ago

    Classic pump and dump project

  • @thelastninja4825
    @thelastninja4825 1 month ago

    ahahahhahahahhhhha! hard coded the API codes???????????

  • @Youtub-IDK
    @Youtub-IDK 2 months ago

    bigboxSWE upload

  • @complexity5545
    @complexity5545 2 months ago

    WTF is a rabbit? LoL

  • @thecompanioncube4211
    @thecompanioncube4211 2 months ago

    Oh no… Anyways..

  • @annagruber7040
    @annagruber7040 1 month ago

    wow people still crying about the r1? get over it.

  • @Jeez001
    @Jeez001 2 months ago +1

    All this current AI hype needs to die. I was one of the big believers in AI, but what we have right now is nothing more than a giant if and else statement that steals peoples work

  • @brbl415
    @brbl415 2 months ago

    they should've hired theprimetime

  • @Dazza_Doo
    @Dazza_Doo 2 months ago

    Who buys this?

  • @josegabrielgruber
    @josegabrielgruber 2 months ago

    SERVERLESS IS THE FUTURE

  • @plusone.network
    @plusone.network 2 months ago

    Dollar shave club razor