Rabbit R1 makes catastrophic rookie programming mistake

  • Published: Oct 2, 2024

Comments • 1.1K

  • @Fireship 3 months ago +749

    Degenerative AI… The recent failures of "artificial intelligence" tech: ruclips.net/video/krixaEhLnlA/видео.html

    • @frommarkham424 3 months ago +1

      first

    • @Crossfirev 3 months ago +1

      second

    • @Scrmbled. 3 months ago

      Hello fireship

    • @idehenebenezer 3 months ago

      Jesus is the way, the truth and the life. Turn to him and repent from your sins today!

    • @videogames8261 3 months ago

      " " "artificial" "intelligence" " "

  • @Requiem100500 3 months ago +7226

    It's shocking how Rabbit R1 still manages to disappoint despite everyone having zero expectations

    • @brunesi 3 months ago +64

      True words my dude.

    • @Jaykh2o 3 months ago +35

      Maybe that’s their schtick, it’s relatable to everyone’s relationship with their parents

    • @HansFriedrich532 3 months ago +15

      They got millions of investments and people bought it so you’re wrong

    • @TheSCBGeneral 3 months ago +46

      What do you expect from a NFT founder who only developed the product to get on the AI hype train?

    • @suddeneye9836 3 months ago +3

      🤣 seriously

  • @awesomedavid2012 3 months ago +3291

    it's almost as if they tried to rush out a scam as fast as possible to sell to people before they vanished

    • @Марин-ь6к 3 months ago +33

      yeah, almost

    • @N0Xa880iUL 3 months ago +30

      Coffeezilla

    • @obsidianjane4413 3 months ago +7

      Firstish to market!!!!

    • @SioxerNikita 3 months ago +8

      They were aware of one thing. With this, it is hard to just disappear, so more likely they discovered they were severely under-experienced to develop this, so they rushed a product to be "first", or likely running out of money.
      There is no indication they are just going to disappear

    • @johansugarev 3 months ago +58

      @@SioxerNikita they're ex-crypto bros, the end goal is always to disappear for these types.

  • @derektata 3 months ago +1565

    They could say the bricked models are in “paperweight mode” and just call it a feature.

    • @stonecoldcarebear 3 months ago +75

      You just casually mentioned the first legitimate use for the R1. A constant bright orange reminder of how not to do things.

    • @John_C_J 3 months ago +28

      Just like every other dead product with a working display, it too shall become a retro gaming emulator.

    • @derektata 3 months ago +7

      @@John_C_J It's the circle of life.

    • @Hexstream 3 months ago +9

      "This critical security update permanently renders your device harmless, which is a huge step up from the dangerous liability it was before."

    • @mtarek2005 3 months ago +4

      @@stonecoldcarebear It's bright orange making it way more useful as a reminder compared to a black or white laser projector that's more of a fire starter for when you can't find your lighter

  • @JohnneyleeRollins 3 months ago +1498

    everyone is scrambling to not be compared to rabbit-r1

    • @witness1013 3 months ago +6

      Especially r-2!

    • @DontReadMyProfilePicture566 3 months ago

      Don't read my name

    • @machieu 3 months ago

      @@witness1013 Wondering what it will look like

    • @Scrmbled. 3 months ago

      Fr

    • @idehenebenezer 3 months ago +1

      Jesus is the way, the truth and the life. Turn to him and repent from your sins today!

  • @snake3444 3 months ago +939

    Wow this thing is really the "I threw node modules together that I didn't really understand" of AI

    • @NatiiixLP 3 months ago +84

      The vast majority of "AI-powered" projects are, lmao

    • @ZackMathissa 3 months ago +23

      @@NatiiixLP Most "innovative startups", if not all

    • @wasd____ 3 months ago +10

      That's what almost all "AI" projects are tbh

    • @julianojosoa2145 3 months ago

      Well its UI is written in Flutter so you're a bit wrong

    • @NatiiixLP 3 months ago +31

      @@julianojosoa2145 He said it's the equivalent of throwing random node modules together, not that it's literally using node modules.

  • @dillbourne 3 months ago +239

    "half baked" is a very generous description of the Rabbit. That batter was still wet

    • @silverbeach1557 1 month ago +2

      Straight-up raw cookie dough rife with salmonella.

  • @tHebUm18 3 months ago +688

    Tough times for a device that's obviously just a smartphone but worse.

    • @laptopuser5198 3 months ago +23

      Basically a mp3 player

    • @wacesferpit 3 months ago +85

      @@laptopuser5198 at least an mp3 player doesn't become a brick when some server it relies on for everything eventually shuts down

    • @sandman.38 3 months ago +21

      MP3 player with always-on DRM type shit

    • @635574 3 months ago +9

      With a catastrophic battery

    • @wlockuz4467 3 months ago +14

      Comparing it to a smartphone is giving it too much credit lol

  • @Random_MCrafter 3 months ago +1776

    Rabbit hole❌️
    Loophole✅️
    Edit: My new record for likes on a comment

  • @mahmutpekkara 3 months ago +528

    1:19 "Hi mom, I miss you." 🥺😔

    • @rahul_ji21 3 months ago +27

      🥺

    • @theairaccumulator7144 3 months ago +7

      What happened to his mom?

    • @piusijachi2763 3 months ago +61

      ​@@theairaccumulator7144 she passed away

    • @juanrolon1729 3 months ago +19

      this is only comparable to Technoblade. The pain is real.

    • @oivinf 3 months ago +4

      for a short moment i thought it was an accident until I read the rest of it

  • @xpkareem 3 months ago +254

    So the R1 was essentially some kid's middle school science project that somehow became a product.

    • @nicejungle 3 months ago +13

      This

    • @obsidianjane4413 3 months ago +15

      No it was very much intended as a "product", it was just coaded by middle schoolers apparently.

    • @TypicalBlox 3 months ago +17

      well it was designed by *Teenage* *Engineering*

    • @GangnamStyle33 3 months ago

      Could be a ploy floated to steal data. Something trendy? All the rich kiddies have it and then...

    • @0xbitches 3 months ago +9

      You ain't that far off, their CTO just dropped out of college to found the company

  • @theactualslimshady 3 months ago +156

    “I was blown away by its utter uselessness along with the amount of cringe buzzwords used by its CEO” describes literally every “AI Startup” founded after OpenAI released GPT to the public

    • @NineSun001 3 months ago

      This applies to 99.99958% of all tech start-ups. It does not matter if it's fintech, or some artists that released a sick 3d render of some revolutionary new transport, energy, etc. system that will totally change the world. You know, like fontus, solar roadways, hyperloop and derivatives, etc.
      And idiots who believe that a 3d render is the same thing as a working prototype are investing in these scams. Sadly even governments are burning public money on these scams.

    • @mwwhited 3 months ago +12

      Including OpenAI

    • @thripnixe 3 months ago +5

      ​@@mwwhited Nope

    • @crushycrawfishy1765 2 months ago +1

      They're used because it works. The name of the game in tech/engineering now is to hype something to the heavens, sell it off to some sucker and now it's their problem, walk away with millions. I sincerely doubt the CEO legitimately believes in his product.

  • @lukesjukes1 3 months ago +39

    This is like old school weekend update.
    “Rabbit one exploit found that allows someone to read and edit any message!”
    “This has affected… 8 users around the nation”

  • @sandman.38 3 months ago +296

    I find it funny how a lot of the products we think are super complex, professional, ‘industry-standard’, ‘at-scale’, and well engineered are often poorly made grifts obfuscated by the mystique of private software. And when you try to call it a grift every ego within a one mile radius goes thermonuclear.
    Everybody thinks they’re Alan Turing once they learn how to use an SDK and build an API to make a CRUD app with infinite skins :) And I’m directly referencing that ugly man child behind the scam companies.

    • @egoworks5611 3 months ago +4

      Correct 👍👍👍👍

    • @evocorporation6537 3 months ago

      INTERNET OF THINGS (read: devices with SIM cards or wifi connections sending TCP/UDP data to receivers which is just an open Socket)
      THE CLOOOOUDDDDD (read: somebody else's computer except we're hiring a bunch of services that all do 1 thing rather than a monolithic server where all services compete against each other for CPU/RAM)
      ARTIFICIAL INTELLIGENCE (read: probability machines that just do guesswork based on input and a dataset (model) to work out of as baseline)
      BLOCKCHAIN (read: things you don't need)

    • @sapphicgaze 3 months ago +34

      to be fair, i don’t think anyone would consider rabbit to be “complex” or “professional”, they’ve shown themselves to be quite literally the opposite from day 1, the CEO is literally beefing with a 13 year old online, so that’s very telling lol

    • @TheDoomer666 3 months ago +2

      @@tristan5299 can confirm, I was the 13 year old kid

    • @jcd-k2s 3 months ago +2

      Turing never used an SDK and never built an API, so that's fair

  • @driedpotatoes 3 months ago +239

    Outrageous but not surprising

    • @alibarznji2000 3 months ago +7

      How is it not surprising? I for one am very surprised that such bad devs could ever land any jobs, let alone a product that has been a talking point globally for months

    • @DontReadMyProfilePicture566 3 months ago

      Don't read my name

    • @driedpotatoes 3 months ago +6

      @@alibarznji2000 because you can tell the device was an idea by inexperienced developers. Every facet of their implementation has proven to either be naive or extremely basic. These are the same people that make an API call to tell the time during their LLM job when it has a clock on-device instead of just passing it in from device. These people didn’t know what they were doing and were in over their heads.

    • @alibarznji2000 3 months ago +2

      @@driedpotatoes fair enough, but my point still stands.
      How could these people get the funding for a project? The world is a weird place

  • @Flappy9 3 months ago +117

    Imagine a whole team of engineers ignoring a hard coded api key like this...
    I think we're all going to make it (to a high paying SE job) bros...

    • @avi7278 3 months ago +27

      Engineers??? This can only be the work of an outsourced overseas code mill.

    • @sandman.38 3 months ago +13

      Being able to get the job != being good at the job.

    • @magicmulder 3 months ago +35

      “We’re gonna hardcode it so it works and then change that later…. What do you mean it’s been shipped?”

    • @StevenLastname 3 months ago +22

      @@magicmulder There's nothing as permanent as a temporary solution!

    • @ruanpingshan 3 months ago +5

      I feel like I'm missing something here. The API key was hardcoded in a source file leaked by an insider. What is the actual solution to keep the API key safe?

  • @noahm 3 months ago +130

    Thanks, I will keep this in mind when I’m asking for millions of dollars for my new tech-AI startup company

  • @N7Tonik 3 months ago +35

    nothing wrong with client side API KEYS, in fact they are required for example in Firebase clients, it only becomes an issue when the key gives you access to things you shouldn't have access to

    • @fotidim 3 months ago

      This 👆

    • @MrBeltalowda 3 months ago +8

      but that is exactly the point, they hardcoded the company's api keys

    • @chiluco2000 3 months ago +1

      Those API KEYS should give you access to an intermediate server, but somewhere down the line there should be a way to display a numerical keypad so you can type/configure a PIN code

  • @vrtxxxx 3 months ago +114

    "Chuck it in the Kola superdeep borehole" - shows a photo of the kimberlite mine "Mir" in Sakha Republic...

    • @pupfriend 3 months ago +38

      A mistake worse than hard coding API keys

    • @alexnoman1498 3 months ago +18

      a hole's a hole, right? 😂

    • @molenz1960 3 months ago +18

      @@alexnoman1498 Tell that to your missus

    • @mfaizsyahmi 3 months ago +5

      The super deep borehole was capped decades ago, and a picture of a nondescript well cap in a nondescript warehouse doesn't have as much visual impact in a video as a big open pit, does it?

    • @nliznick 3 months ago +7

      This guy's a hole expert

  • @OUmSKILLS 3 months ago +86

    I made the mistake of pushing an API key for a web page I was working on in college. Never... again... I'm still getting emails from Git Guardian.

  • @yumekarisu9168 3 months ago +24

    Considering they hardcoded Spotify to play any Beatles song, I'm not surprised if they hardcoded api key

  • @TheMassgames 3 months ago +34

    "I was blown away by its uselessness" is such a good way to describe the rabbit

  • @coel312 3 months ago +77

    Wow, this is very catastrophic!

  • @dealloc 3 months ago +74

    No, actually, I could totally believe the Rabbit team put API keys in the app on device as an additional cost saving measure.

    • @SahilP2648 3 months ago

      I might be missing something here but from what I know you can't get an Android app's code with just the .apk. I don't know how you could get the API key if the app was built with it in the codebase. Also while it's absolutely not a good idea to have any API key in a codebase, again from what I know, leaking any codebase is as bad as leaking the API key (and let me go off road here a bit, github is pretty secure so the only way to access the code base would be either a compromised account or some fed up ex-employee). But it's tomato tomato at that point (as in leaking codebase vs codebase plus API key). And I am not sure about this AWS secrets manager thing but ultimately it will be linked to a single account and if that account is compromised, so is the API key. Although one thing does change by not hardcoding the API key. For rotation you would need to fetch a new API key from the backend server. That's a real reason why not to hardcode it because otherwise you will need to rely on user side app updates to fetch a new version of the app for the new API key.

    • @dealloc 3 months ago

      @@SahilP2648 APKs are just ZIP files that contain an app's resources in a tree. This includes the app's native code.
      In almost all cases API keys are stored as strings in the binary. In case it is not obfuscated, you can easily extract them via the `strings` program.
      But regardless of obfuscation, these things can still be reverse engineered, either through a manual process or using a debugger and a bit of time. It's impossible to protect anything you deliver to users.
      This is why you should not store API keys in client code. Rotating keys would require users to update, and you're leaking this information to anybody who's curious enough.
      The point of AWS Secrets Manager is that it's protected through isolation and permission. Keys are stored separately from the application code, and should only be extracted from services that have specific roles to access, which should only be persisted for a short amount of time.
      Of course any compromise could make it possible to obtain those secrets through those services. In those cases, the isolation makes it easier to prevent further attack by denying access to those compromised services, simply by removing their roles and re-rolling the API keys, but it does not prevent the attack from already compromising data if that data is stored together with the service without any protection.
      There are always tradeoffs between security and convenience.
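
Added example (not part of the comment above or of the video): a pre-release check a team can run on its own build, treating the APK as the ZIP archive it is and flagging embedded strings that look like credentials before the app ships. The sample archive, file names, key value, regex heuristics and entropy threshold are all constructed assumptions.

```python
import io
import math
import re
import zipfile
from collections import Counter

MIN_LEN = 8  # shortest printable run kept, the same idea as `strings -n 8`
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# Assumed heuristics, not a complete rule set:
# a key-like name followed by a long value, or a long opaque token.
NAMED_SECRET = re.compile(
    r"(?i)(?:api[_-]?key|secret|token)\W{1,3}([A-Za-z0-9_\-]{16,})")
OPAQUE_TOKEN = re.compile(r"[A-Za-z0-9_\-]{32,}")


def shannon_entropy(text):
    """Bits per character; random keys score high, padding scores low."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text))
                for n in counts.values())


def redact(token):
    """Keep findings useful without copying the secret into CI logs."""
    return f"{token[:4]}...[{len(token)} chars]"


def scan_apk(apk_bytes, entropy_threshold=4.0):
    """Return (archive member, rule, redacted value) for each suspect string."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            for run in PRINTABLE_RUN.finditer(apk.read(info)):
                text = run.group().decode("ascii")
                named = NAMED_SECRET.search(text)
                if named:
                    findings.append(
                        (info.filename, "named", redact(named.group(1))))
                    continue
                for token in OPAQUE_TOKEN.findall(text):
                    if shannon_entropy(token) >= entropy_threshold:
                        findings.append(
                            (info.filename, "high-entropy", redact(token)))
    return findings


def release_gate(apk_bytes):
    """True when the build contains nothing that looks like a credential."""
    return not scan_apk(apk_bytes)


def build_sample_apk():
    """Constructed stand-in for a real build; every value here is fake."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml",
                   b"\x03\x00\x08\x00package=com.example.constructed")
        z.writestr("classes.dex",
                   b"dex\n035\x00" + b"\x00\x01\x02" * 20
                   + b'API_KEY="CONSTRUCTED_k3y_9fQ2xLm7Tz0Vb4Rw"\x00'
                   + b"\x07" * 10
                   + b"https://api.example.invalid/v1/speech\x00")
        z.writestr("assets/padding.bin", b"A" * 40)  # long but zero entropy
        z.writestr("lib/arm64-v8a/libapp.so",
                   b"\x7fELF" + b"\x00" * 16
                   + b"Zq8Lr2Vx0Nf5Tb7Kc1Mh4Wd9Pg3Sj6Ya\x00"
                   + b"libflutter_placeholder\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for member, rule, value in scan_apk(build_sample_apk()):
        print(f"{member}: {rule}: {value}")
    raise SystemExit(0 if release_gate(build_sample_apk()) else 1)
```

A clean result only means these heuristics found nothing; obfuscated or split values pass the scan, which is why the key should not be in the client at all.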

    • @Alfred-Neuman 3 months ago

      Bro what are you guys talking about? The video is so confusing!
      I just want to know if I should buy this gadget or not...

    • @0269_m 3 months ago +3

      ​@@Alfred-Neuman no u don't need it

    • @sheepcommander_ 3 months ago +1

      the guy in the reply above is missing his cortex

  • @miserablepile 3 months ago +16

    API keys, Netflix passwords, and blunts were made to be shared

  • @n00dles4 3 months ago +13

    AI is particularly appealing to people who don't understand programming (suits, ceos, upper management, etc)
    Taking shortcuts usually just leads to garbage that has to be rewritten by someone who knows what they are doing. People who are bad at programming will use AI instead of learning and pump out more garbage that I know I'll have to clean up
    It's like trying to replace aircraft pilots with androids, except people don't generally think of software engineers that way because it isn't as easy to understand as "man fly plane"

    • @thomasschlitzer7541 3 months ago

      I am that, run my own AIs on my local ADA server and know quite well how to program. What you don't understand is the way products get financed. You really think investors look into the codebase? The idea of stand alone AI devices is not bad if well done. The business case could work and when presented it will be shown in the best possible way. You can't know how bad it will be in the end. Rabbit and AI pin could work if they wouldn't rely solely on external APIs. That's what makes them so bad. It's the same with all those stupid OpenAI "apps" flying around on IG nowadays. It's like a virus, AI with a lazy implementation just produces garbage. But even that doesn't matter as long as the money flows. It's not about good code, AI or quality. It's about money.

    • @oompalumpus699 1 month ago

      This. Reminds me of a story where the management for a machining company fired all their expert machinists because they bought new CNC machines.
      Then they wonder later on why the newbies aren't making products as good as the ones made before despite the new CNC machines.
      Turns out, the execs up top thought that CNC machines were some kind of super smart machine that can make anything you want.
      Seriously, there are so many rich people who don't know how to attach files to an email and these are the same people who are also the social elite.

  • @muhammadz2224 3 months ago +41

    Making a wrapper for an Android app should never be successful, no matter the hype.

    • @tylerknight99 3 months ago +18

      The touch screen self-order menus at Taco Bell are an android app and I think their success is warranted

  • @polimpiado 3 months ago +34

    Rabid AI

  • @Ahmed.Shaikh 3 months ago +72

    Wow, I can't believe anyone would do that!
    *starts looking into API key rotation for my google maps app*

    • @alexnoman1498 3 months ago +12

      learning taking place 🎉

    • @protocolsev 3 months ago +9

      Yeah but you're not selling thousands of hardware products with an accompanying backend service

  • @rashidxd 3 months ago +18

    IIRC, with AWS Secret Manager, if they have access to the server, they could still see the secret since the IAM permissions (role) is attached to EC2 instance. So they could simply use aws cli or api from the server to get the token.

    • @lightlysal 3 months ago +2

      what is the standard industry way to consolidate/secure all your API keys then? I'd like to know.

    • @mattmurphy7030 3 months ago

      @@lightlysal commenting for follow up notifications

    • @eskay_mochi 3 months ago +3

      That secret manager is sufficient. The outlined scenario here assumes that the server is compromised, which is something you'd want to prevent in the first place since it's over once they can execute commands on your server.
      There's a lot of things that can be leveraged, like using a VPC and working only within that network or just running your app on a rootless Docker container. When using an API key from the secret manager, make sure to never log it. Is it 100% safe? Of course not, they're always gonna find a way. But you can make it really, really difficult, and at the very least, not blatantly available.

    • @bepamungkas 3 months ago

      @@lightlysal When you manage your own instance, usually the relevant packages came with sane defaults (e.g http and db servers usually run under their respective user and groups). You can either NOT consolidate secrets but only provide them on need-to-know basis for each users (which is the traditional way), or use secret manager like vault and pass-along auth (either from app level or OS level) as the identity.

    • @Daniel15au 3 months ago

      It reduces the risk though. I'm not familiar with AWS, but in general, once your secrets are automatically managed (meaning they're automatically rotated), you can make the validity duration far shorter, use separate keys for readonly access vs read-write, lock down how the key can be used, etc. A leaked key shouldn't be valid long.
      You could also do something like have a separate super secure server that proxies requests and injects the API key. Your app servers would make requests without the API key, then the proxy server would add the key. Grant very few people access to the proxy server.
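
Added example (not from any commenter or from the video): the request-rewriting step of the key-injecting proxy described in the comment above, combined with the separate read-only and read-write keys it mentions and the "never log it" advice earlier in this thread. The route table, environment variable names and the `Authorization: Bearer` scheme are hypothetical assumptions.

```python
import os

# Headers a client must never be able to pass through to the upstream API.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization",
                      "x-api-key", "cookie"}

# Hypothetical upstream routes and the least-privileged key each one needs.
ROUTE_SCOPES = {
    ("GET", "/v1/voices"): "read",
    ("POST", "/v1/speech"): "write",
}


class Rejected(Exception):
    """Raised for any method/path pair the proxy does not explicitly allow."""


def load_keys(env=os.environ):
    """Keys live only in the proxy's environment (variable names assumed)."""
    return {"read": env["UPSTREAM_KEY_READONLY"],
            "write": env["UPSTREAM_KEY_READWRITE"]}


def build_upstream_request(method, path, client_headers, keys):
    """Return (headers, scope) for the upstream call, or raise Rejected.

    The app server sends no credential; anything credential-like it does
    send is dropped, then the proxy adds the key matching the route's scope.
    """
    scope = ROUTE_SCOPES.get((method.upper(), path))
    if scope is None:
        raise Rejected(f"{method.upper()} {path} is not an allowed route")
    headers = {name: value for name, value in client_headers.items()
               if name.lower() not in CREDENTIAL_HEADERS}
    headers["Authorization"] = "Bearer " + keys[scope]
    return headers, scope


def log_line(method, path, scope, headers):
    """Access-log entry that records which scope was used, never the key."""
    safe = {name: ("<redacted>" if name.lower() in CREDENTIAL_HEADERS
                   else value)
            for name, value in headers.items()}
    return f"{method.upper()} {path} scope={scope} headers={safe}"


if __name__ == "__main__":
    # Constructed keys and request, for demonstration only.
    demo_keys = {"read": "CONSTRUCTED-ro-key", "write": "CONSTRUCTED-rw-key"}
    hdrs, used = build_upstream_request(
        "GET", "/v1/voices",
        {"Accept": "application/json", "X-Api-Key": "sent-by-client"},
        demo_keys)
    print(log_line("GET", "/v1/voices", used, hdrs))
```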

  • @thepupil2 3 months ago +19

    Companies rushing to replace the smartphone with linear algebra gameboys should probably take a lap, skip this round, and come back after the hype-train leaves the station.

    • @alexturnbackthearmy1907 3 months ago +4

      Rabbit is temporary, but dumbifying devices for no good reason is eternal.

    • @fantaslurp 2 months ago +2

      @@alexturnbackthearmy1907 the plastic used for this junk is eternal

  • @AtomicShrimp 3 months ago +1

    The vulnerability allows an attacker to read messages sent by users. Fortunately, the device simply fails or refuses to send most messages

  • @abdiastenas6890 3 months ago +17

    Did I just swallow an ad for a Linux course?
    ...
    ...
    ...
    I'll take it, no discount needed.

  • @toxicitysocks 3 months ago +5

    Ok but then after it was published they rotated the secrets and remediated the issue but then they were like “yo there’s a secret 5th key we didn’t tell you about just to see if you would fix it too” and they totally missed that one.

  • @BernardoLeon 3 months ago +6

    0:31 hahaha H1MOM at the beginning of the API_KEY

  • @ThisIsMaddock 3 months ago +7

    Saddest API key in existence. My deepest condolences, dude.

  • @xeboox 3 months ago +55

    The ending was on point 4:14

  • @blinking_dodo 3 months ago +15

    At this point i am wondering if *even i* could make a better Rabbit device...

    • @KingThrillgore 3 months ago +3

      You have one already you're using it

    • @FRanger92 3 months ago

      No device at all is a better Rabbit

    • @yashaswinis45 3 months ago

      this, ikr?

  • @laughingvampire7555 3 months ago +4

    script gymnastic to mention Julian Assange's freedom.

  • @privacyvalued4134 3 months ago +1

    "Generally, a production app should rotate API keys every 30 to 90 days." Why? It's not a poorly selected user password. It's an API key churned out using a CSPRNG. API keys are _supposed_ to be static. The only reason to ever delete and recreate an API key is if one is known to have been compromised. If you don't like that idea, then simply don't use any APIs and just build it yourself! Google moved to digitally signing requests for service accounts, which is massively overkill, but Google managed to somehow screw up their implementation since they generate the private key on their end. In short, security theater exists everywhere...including this video.

  • @Garycarlyle 3 months ago +13

    Damn. This really is a rookie error. Like high school level.

  • @souhailDevv 3 months ago +1

    Rabbit R1 is a product probably launched by OpenAI itself
    and their intention in the first place was to make it a crap product
    so people can say: "Wtf is this product, lol they wanna compete with OpenAI, hahahaha they can't, OpenAI is the best"
    Genius Sam Altman

  • @ibendover4817 3 months ago +6

    What are the odds that this is because the developers blindly used AI extensively when writing code? People predicted this would happen, devs getting lazy not reading code that AI produces, blindly copy-pasting as long as it 'works'. Either way, this is probably a lucrative time to be a hacker.

  • @erik-fisher 3 months ago +2

    Jesus, even in high school they teach you not to hardcode any sensitive information.

  • @arcaneminded 3 months ago +3

    2:38 source?

  • @tc2241 3 months ago +2

    “Hard-coded api keys”
    Buddy, if you’ve seen the s** I’ve seen 😂

  • @captain_clark868 3 months ago +31

    Shoutout for mentioning Julian assange

    • @drj-pp8hw 3 months ago

      Ya let's all simp for the guy who outted anti Taliban and anti CCP activists and withheld leaks on Putin and the GOP 🤡

    • @yore5 2 months ago

      Nope. Not into glorifying foreign espionage

  • @IsaacFoster.. 1 month ago +1

    R1 has security problems...
    People actually use R1?
    How do you even get your private out from an R1

  • @inzaghiposumaalkahfi9650 3 months ago +8

    0:34 Or, it's on Dhu al-Hijjah 20th, 1445 AH and you're watching Code Report Series on Fireship about Rabbit R1 makes Catastrophic Rookie Programming Mistake.

    • @IzzumiPoshaf 3 months ago +2

      Yes, you're Correct 👍👍

  • @Noddydc 2 months ago +1

    Unfortunately android APK apps are basically just zip files. There are plenty of decompilers which will allow you to see the majority of the code of production apps, especially if it's not obfuscated.

  • @YuNherd 3 months ago +3

    with a rabbit hole this disgusting, even alice wouldn't dive in

  • @sullychow4123 3 months ago +1

    It's rubbish but people need to stop sleeping on how bad Humane's AI pin is. Especially considering they ask for way more money, and a ridiculously expensive subscription.

  • @chaptersword472 3 months ago +6

    4:10 sir meowsalot

  • @dedvzer 3 months ago +2

    Isn't the f'ed up thing that one API key governs _all_ user data? I would have expected delegated credentials, tied to a user account. If you leak the key, whatever it is at that point, you get that user's data at most.

    • @thomasschlitzer7541 3 months ago +1

      130000 accounts at ElevenLabs doesn't sound wise. Maybe use auth on the own server and relay important API calls and thus shield them. Or even better. Develop a rabbit with internal AI ... (c'mon for 400$ you get a better processor that can actually do quite a lot). But then again what to expect from a ChatGPT walkie talkie

  • @gm3052CA 3 months ago +23

    I love the Assange reference

  • @vectoralphaSec 3 months ago +1

    So I'm a beginner and don't know much about this kind of stuff. I want to learn, so what is the best practice standard way everyone uses their API key to keep it secret and not hard code it in the code? Does anyone know?

  • @mastercharacter 3 months ago +3

    I remember learning about this with API keys on my IoT course.

  • @theAIsearch 3 months ago +1

    oops

  • @FireinHair 3 months ago +9

    Not first

  • @Tony-dp1rl 3 months ago +1

    At least 100 Android developers just had an oh-shit moment :)

  • @llamacoder 3 months ago +3

    2:33 the man not criminal

  • @yajirushik2871 3 months ago +2

    meanwhile me, trying to be a junior, storing my api keys in .env or secrets or other good solutions...

    • @daniel4647 3 months ago

      Standard procedure, I'm not even a programmer and even I do that when I hack together some junk from code I stole around the web and stitched together with AI.

  • @ytpmeeb 3 months ago +4

    Can someone explain how this product got the funding?

    • @asandax6 3 months ago +4

      Same way Theranos got its funding: "Investors betting their money and other people's money on the project".

    • @ytpmeeb 3 months ago +2

      Thanks, it makes sense now…
      Same old story every day 😮‍💨

    • @nicejungle 3 months ago +2

      AI hype and the fact that investors are easy to scam (and that's a good thing)

    • @John_C_J 3 months ago

      If you need it in the form of a video essay, go to Coffeezilla's first video on it.

    • @catgirlQueer 3 months ago +1

      the AI hype bubble

  • @georgios_georgiou 3 months ago +2

    Love the fact that Jeff knew about this code report would be a total diss so he had to outro with both R1 n Code Report fire in the hole style 💥💥💥

  • @davidioanhedges
    @davidioanhedges 3 months ago +5

    The Rabbit R1 is a set of API calls strung together, with some not very good hardware ...
    ..and you can do absolutely everything it can do on a cheaper Smartphone, for no additional fees ...

    • @theairaccumulator7144
      @theairaccumulator7144 3 months ago

      Why does the hardware need to be good anyway? Its job is literally to record audio and send it to a server then receive a response and play it back. Don't even need android for that. A microcontroller could do it too but it would be way harder to maintain.

    • @tylim88
      @tylim88 3 months ago

      @theairaccumulator7144 then why do you need it when way better hardware is available

  • @GecKler
    @GecKler 3 months ago +1

    00:52 _"the lol cow of tech products of 2024"_ ?
    You must have not met the Humane AI pin then 😬

  • @regenwurm5584
    @regenwurm5584 3 months ago +3

    Another YandereDev

  • @aries4378
    @aries4378 2 months ago +1

    Remember, people tried to cancel Marques Brownlee over his review of this "product".

  • @donfeto7636
    @donfeto7636 3 months ago +5

    We have our own advanced AI.
    (API calls to chatgpt)

    • @aaaaaa-hh8cq
      @aaaaaa-hh8cq 3 months ago

      lmao
      the same as "apple intelligence" honestly. basically disguised chatgpt, sadly Americans are 2 dum*b to notice it.

    • @hyperadapted
      @hyperadapted 3 months ago

      crazy to see how something is hyped when designed by a reputable company (teenage engineering) while just being a slightly more complex wrapper. Meh

  • @SatongiFilms
    @SatongiFilms 3 months ago +1

    good thing nobody actually bought it so everyone is safe anyway

  • @asdfghyter
    @asdfghyter 3 months ago +3

    4:13 another option is to flash it with a proper android distribution, so you can actually have a crappy android device instead of a crappy android device hard-coded to only run a single app

  • @Ibbysz
    @Ibbysz 3 months ago +2

    It takes like 5 minutes to rotate API Keys (and like 20 minutes to automate it). How is the Rabbit R1 company so lazy? 😭

    • @abyssmage6979
      @abyssmage6979 3 months ago +1

      Well... it's teenage engineering.
      And we all know teenagers are impulsive as fuck. It wouldn't be surprising at all if they just watched a tutorial or two, made some code, and called it "revolutionary".

  • @thepuppetqueen57
    @thepuppetqueen57 3 months ago +23

    Babe wake up fireship posted a video

  • @daysandwords
    @daysandwords 3 months ago

    A woman, somewhere, probably: "I have my Rabbit in my handbag..."
    Friends: "You'd normally keep that to yourself."
    Woman: "No no, it's nothing embarrassing like that. I mean my vibrator."
    Friends: "Phhheww."

  • @ToxicMothBoi
    @ToxicMothBoi 3 months ago +3

    I like how even before they prototyped it, I said it was gonna be a shitty small android thing with crappy software that wasn't made by real software engineers. Just looking at the company should've told everything enough.
    Also don't understand how some people have said how 100gb is an insane amount of storage for this thing. What they didn't consider is that nowadays almost every phone launches with 256gb....barely any modern phone is made with anything less

    • @alexturnbackthearmy1907
      @alexturnbackthearmy1907 3 months ago +1

      100GB is a lot for essentially single app device that doesn't even need a lot of storage. Not to mention that only med-high end phones have that much, low end is still 128gb.

  • @ViralKiller
    @ViralKiller 3 months ago

    so in summary messages are sent as unencrypted plain text

  • @justanotherhumanlikeyou
    @justanotherhumanlikeyou 3 months ago +9

    How he thought those shoes were a good idea during his presentations should have been a warning to all...

  • @slimvdv
    @slimvdv 3 months ago +1

    Not a Clinton fan at all but I don’t think there is a good source for that quote

  • @uasaad
    @uasaad 3 months ago +20

    MKBHD destroyed them

    • @tablomaxos2965
      @tablomaxos2965 3 months ago +21

      They destroyed themselves.

    • @jusu8961
      @jusu8961 3 months ago

      Are you perhaps stupid? They caused this themselves and would be absolutely clowned on even if some youtuber didn't make a video about them

    • @ADM.II.
      @ADM.II. 3 months ago

      💯​@@tablomaxos2965

    • @AXUMV
      @AXUMV 3 months ago +4

      Before MKBHD video they were destroyed

    • @dadehax0r
      @dadehax0r 3 months ago

      Shitty product destroyed them stop being a simp for apple shills

  • @federicobersano
    @federicobersano 3 months ago +2

    So glad and relieved to hear that there is already a recommended solution at 4:14 😁

  • @888Greys
    @888Greys 3 months ago +20

    Will do a pushup for every like in this comment

  • @ffeliziani
    @ffeliziani 3 months ago +1

    i think it's actually worse than that. It's my understanding that you can literally access a shared desktop instance when the r1 needs to bypass a captcha.. mess with that and boom, you're in

  • @zzz-i9e
    @zzz-i9e 2 months ago +1

    I think whoever bought this definitely deserves this! I mean come on!

  • @StevenSenile
    @StevenSenile 3 months ago +1

    You're telling me there are people out there unironically using the Rabbit R1 in their all day life?

  • @bruno3
    @bruno3 3 months ago +1

    The engineers could've added extra layers of security, like encrypting the key and storing it in a safer way, but if someone is reverse-engineering the device, even that becomes a risk at some point. The only way would be to use their own servers as an access point and store the keys there. But that would add latency and... it would be more expensive. And that's the thing: they always knew this wouldn't last; the only goal was to make the most profit in the least amount of time. And then just disappear.
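The server-side approach described in the comment above, sketched as an added example (not part of the original comment and not the product's code): the device authenticates to the vendor's own relay with a per-device token, and the relay attaches the third-party key, which is read from the server's environment. The URL, token table, function names and the `UPSTREAM_API_KEY` variable are hypothetical, constructed for illustration.

```python
import hmac
import os
import urllib.request

# Constructed values for illustration; none come from the video or the device.
UPSTREAM_URL = "https://api.example.invalid/v1/speech"  # hypothetical third-party API
DEVICE_TOKENS = {"device-0001": "constructed-device-token-aaaa"}  # per-device, revocable


class RelayError(Exception):
    """Raised when a device request must not be forwarded upstream."""


def load_upstream_key(env=os.environ):
    # The vendor key lives only in the server's environment (or a secrets
    # manager), never in the app package shipped to devices.
    key = env.get("UPSTREAM_API_KEY")
    if not key:
        raise RelayError("UPSTREAM_API_KEY is not set on the server")
    return key


def authenticate_device(device_id, token, tokens=DEVICE_TOKENS):
    expected = tokens.get(device_id)
    # compare_digest avoids leaking the token through comparison timing.
    if expected is None or not hmac.compare_digest(expected.encode(), token.encode()):
        raise RelayError("unknown device or bad token")


def build_upstream_request(device_id, token, body, env=os.environ, tokens=DEVICE_TOKENS):
    """Check the device's own credential, then attach the vendor key server-side."""
    authenticate_device(device_id, token, tokens)
    req = urllib.request.Request(UPSTREAM_URL, data=body, method="POST")
    req.add_header("Authorization", "Bearer " + load_upstream_key(env))
    req.add_header("Content-Type", "application/json")
    return req  # the relay would pass this to urllib.request.urlopen()


def revoke_device(device_id, tokens=DEVICE_TOKENS):
    # A token extracted from one device is revoked without rotating the vendor key.
    tokens.pop(device_id, None)
```

A token pulled out of one device then exposes only that device's access, and revoking it leaves the third-party key and every other device untouched.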

  • @Bongamingcomcast
    @Bongamingcomcast 3 months ago +1

    People who didn't wait to watch the video to comment
    ⬇️

  • @patatedeoufleretour
    @patatedeoufleretour 3 months ago +1

    pleaaaase make more videos NOT related to AI 🙏

  • @gregfarley715
    @gregfarley715 3 months ago +1

    This thing is a fucking dumpster fire, it should have been an app

  • @tejaspatel6965
    @tejaspatel6965 3 months ago +1

    IM ASKING THIS FOR THE 5th TIME FROM WHERE DOES THIS GUY GET HIS STOCK IMAGES!

  • @chase7914
    @chase7914 3 months ago +1

    Does anyone genuinely know what this shitbox even does?

  • @benjaminr8229
    @benjaminr8229 3 months ago +1

    Julian Assange pled guilty for crimes

    • @sweetypuss
      @sweetypuss 2 months ago

      what crimes? exposing the truth?

  • @Spectrumix
    @Spectrumix 3 months ago +1

    Finally a video somewhat about AI that doesn't have deformed or grotesque imagery. Thank you sir.

  • @lcarsos
    @lcarsos 3 months ago

    hold on. Where did you get that 90 day rotation idea? I need to see the paper on that. Even if an API key is just 16 characters of uppercase and numbers, you still need 1000 years to get through guessing half of the possible keys. And that's even at the insane rate of a hundred trillion guesses every second.
    Who the hell is saying you should be rotating API keys every 90 days OR MORE FREQUENTLY?

  • @Coldsteak
    @Coldsteak 3 months ago

    API keys should never be considered a password, even if most people treat it like one. Use real authentication, the API should just be an identifying source.

  • @Sierra-Whisky
    @Sierra-Whisky 3 months ago

    At first I was sceptical but when the R1 finally got shipped, I ordered one despite still being sceptical. Just to play around with it.
    While waiting for my order to be shipped, I read more and more articles and scepticism made place for disappointment. But to my total surprise, I read that customers can cancel their order until right before the poor thing is being shipped. So I did and to my surprise I got my money back in 24 hours.
    That's probably the best service Rabbit is offering today 🎉

  • @ottelf
    @ottelf 3 months ago

    what the hell happened that I haven't heard about Julian Assange being free again? I'm mad at my algorithm, the circumstances, but not myself in any way.

  • @rodionbykov
    @rodionbykov 3 months ago

    Devices like Rabbit could be helpful if designed not for reaping hype dollars, but for some good purpose. I can imagine how many vision impaired people could benefit from a device which identifies surroundings and describes using voice. Still, not many seem to have interest to develop anything actually useful with AI.

  • @ScuzzySera
    @ScuzzySera 2 months ago +1

    Its logo is cute, and orange is nice. That's it.

  • @Random_name_42
    @Random_name_42 3 months ago +1

    bad code is often not created by bad programmers, it's usually bad deadlines.

    • @magicmulder
      @magicmulder 3 months ago

      Yeah the whole thing sounds like a temp solution where deadlines did not allow for replacing with a proper method.

  • @egonkirchof
    @egonkirchof 3 months ago

    There is nothing wrong with Rabbit R1. People made tons of money. And now they will move on. With no accountability. Same old same old.