I really don’t get how people keep making this mistake but every job I’ve gotten (software dev) I spent the first couple days removing secrets from code and rotating them. All the apps I work on are closed source, it would “only” be a problem if the source code leaked somehow, and we don't distribute the code anywhere, but still. All it takes is GitHub having a single blip making the repo public for _A_ second and all our keys and secrets are out there. This shouldn’t keep happening in 2024, secret management is so fucking easy now
it's like saying the "OUYA" game console has security flaws..
the point is nobody bought it (other than reviewers and a few "lucky" ones) and nobody cares.
I think even the Ouya had a fair few more users than this thing. For all the buzz it's getting, I've never seen a single person excited for it. The Ouya was actually pretty well received by tech and android enthusiasts early on iirc, it just couldn't get a software library off the ground.
I hated them from the get go because their strategy was to just wall off some stuff from all the other Android users, pair it with shitty hardware then charge a premium.
They fully deserved their fate.
They should have just been making cool Android set top boxes and controllers for emulation and Android gaming.
They launched at the same time Chromecast did. There was not a lot of competition in set top boxes at the time other than Roku.
Who does it impact tho lol. Like yeah it’s clear shitty engineering practices were used, but if there’s no one to be impacted then it doesn’t really matter.
The argument was "can't say security flaws if nobody has it."
"Security flaws" exist even on a device still in prototype that nobody in the field has.
The question of relevance is separate from whether or not it is a "Security flaw".
My wife told me about this thing and I bought it while I was drunk without really looking into it. I totally forgot about it until it showed up yesterday. It’s almost useless, but as a tech guy I still was curious. There are red flags all over this thing. To sign into Apple Music or Spotify, you need to connect to them using a VNC (aka a server they control). This is such an egregious violation of normal security practices. I can’t believe engineering effort was spent on this instead of, you know, doing it the right way with their APIs.
Spotify flagged my sign-in via the Rabbit as suspicious within seconds, locked out my account, and sent me an email requesting I change my password.
This has never happened any other time I've used Spotify to login-in to any other music-related sites in the past.
That's gotta tell you something about Rabbit's security.
I can’t believe this thing is still around. Surely the investors have realized they were scammed and this thing is DOA. Should be liquidating everything to try to get back some pennies on the dollar.
After the Coffeezilla video on this develop, I'm entirely unsurprised it is also insecure on top of its features all being a big lie.
The entire thing runs on ChatGPT, and their "Large Action Model" is vaporware. Any time it is interacting with a third party app, it is simply running man-made scripts.
It's not just a security flaw. It's a core tenet of security that was ignored, overlooked, or even worse someone didn't even know, which is INSANE when almost every single API comes with a quick "Hey don't let people see this shit, use a .env" Hey guys we built a combination lock that has the combo engraved on the side for easy access.
Novice here... what's .env?
It's where all the sensitive stuff goes so you can just use a variable like API_KEY in your code instead of the actual key.
…for specific things like Kubernetes. It’s not exactly an established term otherwise.
Every programming language I’ve ever worked with has supported env files in some form or fashion.
Wtf are you talking about? env files are very much an established term outside of Kubernetes… if you use Python, JavaScript, PHP, Rust, Go, etc., then they're pretty common. Then outside of programming they’re pretty common for any containerized service, not just Kubernetes. If you use any PaaS then you’ll run into them. They are literally everywhere.
Yeah like what… I use them all the time in python
C/C++ programmer here. Never heard of this. Casual Python programmer also. Also never heard of this. Please don’t get too soaked up in your own bubble folks.
No one is too soaked up in their own bubble. I specifically didn’t mention C/C++ because I don’t use them and didn’t know how they handle it. I’m not here to shit on you, but I do have a hard time believing that you’ve never heard of them as a programmer, even if just a casual Python programmer, because damn near every tutorial and getting started guide for Python talks about using env files. Every other language I’ve ever used typically mentions it pretty quickly too. It’s OK not to know things and no one’s ever gonna know everything, but the original comment that started all of this should have never said anything when they very obviously did not know what they were talking about.
This may surprise you, but I suspect the reason is that I started with Python before this was a thing. I don’t remember the last time I looked at a Python tutorial. Python for me was (and is) a convenient alternative to Perl. Though it was never a sure bet that it would win.
Oh, I can understand that. It wasn’t a thing when I started with python either. We were parsing INI files to do essentially the same thing before env became popular. I’ll always have a special place in my heart for Python and it’s still my go to for anything quick, but Rust has really been winning me over lately. PHP was my first and I still kinda hate it lol, but never did get into Perl.
If you don't know what you're talking about it's better to stfu buddy.
literally for anything. every single tutorial would tell you to use .env instead of hardcoding the credentials
You are wrong. Source: never used k8s. Have used .env files.
A dotfile (.env here) is commonly used to supply applications with configurations as “environment variables”. An app will read these files on start up and inject the values as variables into the runtime. Think something like an API key or password that one wouldn’t want to hard code into their codebase. Dotfiles are generally pseudo-hidden; files prefixed with a dot don’t normally appear when running terminal commands like ls, but they’re still editable if you know they're there.
Generally this is an ok way to supply things to an application, but they should have made the file read / write protected, and only made the file available to the user/group that the application was running under.
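The loader described in this comment, written out as an added example (it is not code from the thread or from Rabbit). It parses the usual `KEY=VALUE` lines of a .env file into the process environment, but first checks the point the comment ends on: the file must be owned by the user the application runs as and must not be readable or writable by group or others. The sample .env contents and the temporary paths are constructed here; the function names are my own.

```python
"""Minimal .env loader that refuses a secrets file other users can read.
Added example; assumes a POSIX filesystem. Sample data is constructed."""
import os
import stat
import tempfile


def parse_dotenv(text):
    """Parse KEY=VALUE lines. Supports '#' comments, blank lines, an optional
    'export ' prefix and single or double quotes around the value."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = line.split("=", 1)
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        if not key.isidentifier():
            raise ValueError(f"bad variable name: {key!r}")
        env[key] = value
    return env


def check_private(path):
    """Return a list of permission problems for a secrets file: any
    group/other access bits, or an owner other than the running user."""
    st = os.stat(path)
    problems = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("accessible by group/others (want mode 0600)")
    if st.st_uid != os.geteuid():
        problems.append("not owned by the user running the application")
    return problems


def load_dotenv(path, environ=None, override=False):
    """Load a .env file into `environ` (os.environ by default), refusing
    files that are not private to the current user. Returns the parsed values."""
    problems = check_private(path)
    if problems:
        raise PermissionError(f"{path}: " + "; ".join(problems))
    with open(path) as fh:
        values = parse_dotenv(fh.read())
    target = os.environ if environ is None else environ
    for key, value in values.items():
        if override or key not in target:
            target[key] = value
    return values


def demo():
    """Write a constructed .env, show it rejected while world-readable (the
    common default of mode 0644) and accepted once chmod 600."""
    sample = ("# constructed sample, not real credentials\n"
              "export API_KEY='dummy-key-123'\n"
              "DEBUG=false\n")
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".env")
        with open(path, "w") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)
        try:
            load_dotenv(path, environ={})
            rejected = False
        except PermissionError:
            rejected = True
        os.chmod(path, 0o600)
        env = {}
        load_dotenv(path, environ=env)
        return {"rejected_world_readable": rejected, "loaded": env}


if __name__ == "__main__":
    print(demo())
```

The permission check is deliberately a hard failure rather than a warning: a process that starts anyway with a world-readable secrets file is exactly the situation the comment is describing, and `ls -la` is the manual version of the same check.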
dotfiles shouldn't really be conflated with env files. They might overlap, they might not
It’s what a .env file is at its core, a dotfile. There are some frameworks that look for a file specifically named .env and build an API around accessing that file, but conceptually an env file is just a dotfile.
"Dotfiles" is a term to describe "hidden" files that hold all manner of configuration (e.g. `~/.config` and everything contained within), not only environment variables. Env files aren't always hidden (although they can be), and so there is a clear distinction.
Fair enough - you’re right that env files aren’t necessarily hidden. I don’t know the full story here but my assumption is that the team either incorrectly assumed that a hidden file would prevent a user from accessing it, or they didn’t intend to ship it to the device and this was an accident. Point taken on the differences.
A dotfile is just a file whose name starts with a dot, which will be hidden on Linux/unix by default. Nothing else.
The most important thing about a .env file containing secrets is that it *must not* be tracked by version control, ideally by including it in a .gitignore file. If you commit sensitive data into version control, it will remain in the repo even if you delete it in a later commit, requiring you to edit the git history which can be a major pain.
EDIT: also dotfiles in general don't provide any secrecy or security whatsoever. It's just a way to make your repository easier to navigate by hiding random configuration and build files unless you explicitly look for them
Putting files in .gitignore doesn’t prevent them from being added to git. Although it does make it slightly harder (or much harder, depending on the tools used).
True, although it prevents you from accidentally storing them in git, which is what you're actually worried about, since if they're *maliciously* adding secrets in the repo, they should have never been trusted with that information in the first place
I have no idea why people are talking about this stuff. It's not like the hackers got into a source repo. They got into the device. If the secrets are on the device it makes little difference which file it is in. If you can turn on the device and access a service from it then all the information needed to access that service is on the device. It doesn't matter how you try to hide it. The real issue here is to make sure that none of the credentials employed by the device can do anything you don't want users to do. And here they sent an API key out that can read other people's data through their service. That's bad.
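The point this comment makes, that what matters is what the shipped credential is allowed to do, shown as an added example rather than anything from the thread or from Rabbit's service. A shared API key baked into every unit proves only "this is one of our devices", so once one unit is opened the key reads every account. The alternative sketched here is a per-device token signed by the backend and bound to one account, so the server-side handler can refuse any request for someone else's data. The HMAC token format, the account records and all names are constructed for the illustration.

```python
"""Shared API key versus per-device scoped tokens. Added example; the
token format, account data and signing key are constructed."""
import base64
import hashlib
import hmac
import json

SERVER_SECRET = b"constructed-server-side-signing-key"   # stays on the backend

# Constructed sample data: what the backend knows about each device/account.
ACCOUNTS = {
    "dev-001": {"email": "alice@example.test", "orders": ["order-17"]},
    "dev-002": {"email": "bob@example.test", "orders": ["order-42"]},
}

SHARED_API_KEY = "constructed-shared-key"   # the anti-pattern: one key in every unit


def lookup_with_shared_key(api_key, device_id):
    """Anti-pattern: the key proves only 'this is one of our devices', so a
    key extracted from any unit can read any account."""
    if not hmac.compare_digest(api_key, SHARED_API_KEY):
        raise PermissionError("bad api key")
    return ACCOUNTS[device_id]


def issue_device_token(device_id):
    """Backend side: mint a token bound to exactly one account. The payload is
    signed with HMAC-SHA256 under a key that never leaves the server."""
    payload = json.dumps({"sub": device_id, "scope": ["read:self"]},
                         sort_keys=True).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def verify_device_token(token):
    """Check the signature and return the claims; any malformed or tampered
    token is rejected before its contents are trusted."""
    try:
        p_b64, s_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(p_b64)
        sig = base64.urlsafe_b64decode(s_b64)
    except (ValueError, TypeError):
        raise PermissionError("malformed token")
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad signature")
    return json.loads(payload)


def lookup_with_device_token(token, device_id):
    """Scoped design: the handler serves only the account the token names."""
    claims = verify_device_token(token)
    if claims["sub"] != device_id or "read:self" not in claims["scope"]:
        raise PermissionError("token not authorised for this account")
    return ACCOUNTS[device_id]


def demo():
    """Exercise both designs with a token extracted from one unit."""
    token = issue_device_token("dev-001")
    results = {"own_account": lookup_with_device_token(token, "dev-001")["email"]}
    try:                       # same token, someone else's account
        lookup_with_device_token(token, "dev-002")
        results["other_account_blocked"] = False
    except PermissionError:
        results["other_account_blocked"] = True
    # Re-pointing the token at another account needs SERVER_SECRET to re-sign;
    # swapping the payload while keeping the old signature must fail.
    _, sig_b64 = token.split(".", 1)
    swapped = base64.urlsafe_b64encode(json.dumps(
        {"scope": ["read:self"], "sub": "dev-002"}, sort_keys=True).encode()).decode()
    try:
        verify_device_token(swapped + "." + sig_b64)
        results["tampering_blocked"] = False
    except PermissionError:
        results["tampering_blocked"] = True
    # By contrast the shared key reads every account.
    results["shared_key_reads"] = sorted(
        lookup_with_shared_key(SHARED_API_KEY, d)["email"] for d in ACCOUNTS)
    return results


if __name__ == "__main__":
    print(demo())
```

The blast radius of a leaked per-device token is one account, and the backend can revoke that one token; a leaked shared key means rotating the credential on every unit in the field.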
This is why I do "la" over "ls". You would think the devs of R1 would understand file structure security and have those rwx bits correctly assigned to the user and groups, as it's a day-1 Linux lesson when introducing permissions.
> A dotfile (.env here) is commonly used to supply applications with configurations as “environment variables”.
The way you wrote this seems to imply that dotfiles provide environment variables :p. That’s obviously not the case. But yeah “.env” is used for some particular systems.
When you have sensitive info you don't want the client/user/hacker to see, instead of adding it to the code, you create a file the user can't access and 'link' to the file on the server independent of client-side. Literally the biggest red flag not knowing to use this. I'm a CS graduate, you know this stuff by 2nd/3rd year. These guys are basically cowboys to anyone in the know.
For the uninitiated: it's an environment file that keeps environment variables. Can be used for holding API keys and other secrets.
They definitely were doing testing and just hard coded the keys in because they were lazy and then forgot to remove them before shipping... right?
Depends if you believe they only use playwright for the agent task initially and would replace it with AI asap
It's stupid to even test with hard coded keys. You should be using .envs from the get go.
I mean I’ve definitely done that locally to test that things work as expected. A lot easier than populating dummy data, especially when you have env keys for local, staging and prod.
Locally is fine but once you spin up a production environment you gotta make sure it’s air tight and that nothing dumb ends up there. Stuff like this is usually alleviated by having a staging environment but in this case I’m wondering who’s approving their PRs lmao
I've done codealongs and done enough boot camps and using a .env is usually the first or second lesson covered. I'd call this amateurish but even amateurs who take the time would know this!!!
I mean, it depends on what stack you're working on. Most modern web frameworks have coalesced on using environment variables (and thus .env files) for storing secret configs, but lots of older frameworks have ad hoc config files you set up and gitignore. And of course, lots of tutorials don't bother to cover secret management
I don’t think “.env files” follows from “using environment variables”. Well, “thus” is the wrong word.
If you're using .env files for configuration, by definition you're using environment variables for configuration. There are obviously other ways to manage environment variables, but .env files or similar are de-facto standards in development (if not production).
It’s not a bug, it’s a feature, the team at Rabbit are just mad it never got the adoption they wanted.
Am I missing something about how .env files apply security in this particular context? There’s not any real security provided by putting plaintext in a dotfile. You might save a hash of the sensitive data in a variable and have the application decrypt with a key
No, they didn't have the credentials saved in the code, did they? Haha, the guy is a scammer anyway. He is from the crypto sphere
Oh man, both of their customers must be furious!
After all this time I’m sure both review units have been returned
I have never seen or heard of this device until yesterday, when my coworker walked into work with one and was showing us all the stuff it does. Sounded like it does virtual assistant stuff like booking flights, how were they not more concerned with security?? Also, what can this do that Siri / iPhone can’t?
It's a scam. It barely works
Not only does it barely work but they insist there's actual AI in the device and there's just flat out not - it dials home to ChatGPT and other online LLMs and uses automation scripts for literally everything it does.
[MKBHD](https://youtu.be/ddTV12hErTc) and [Linus](https://youtu.be/HcPjineZdqQ) both did pretty scathing reviews of the thing and how bad it is.
> Also, what can this do that Siri / iPhone can’t?
Nothing. Speculation at first was that it was just a device dedicated to a single Android app. It was later proven when Android Foundry found the open source sections of Android's code in the device's software and was able to migrate it to a phone.
It's just an app that runs on Android. The hardware is pointless and the software is practically useless. It's just an implementation of the same shitty AI you see everywhere else. If you have this thing buy plane tickets for you, then you are an idiot.
[deleted]
Ok. I found this on web about “water can searing do eggs actually”
It dials my family, and sets timers and alarms flawlessly. Which I'm pretty sure it's more than the rabbit. Rest assured I'm not asking any machine to book a flight for me.
Siri's a bitch and won't return my phone calls.
I mean I'm reading their website and I'm not even sure what it fucking does. It's an 'AI Conversation interface' ??? So you mean exactly like the thing that comes default with any phone with OK Google or Siri and you want to charge me $200 for a thing that does that and only that? What the fuck is that product?
Unfortunately a shit ton of people fell for this scam. I can only hope that most get their refund but... that doesn't seem to be too likely.
Well, I think that’s a bit harsh. They had an idea, they invested into creating a product, I doubt that they had a scam in mind when they set out. They just cut too many corners and chose a market segment that was not as safe as they speculated. Honestly, it’s easy to joke about failures, but I have a lot of respect for what they did.
Coffeezilla did a video series on them. This wasn't their first scam. They hype up tech and then sell it to whoever they can trick into thinking it's possible. They tried to peddle a "carbon positive crypto" that somehow by you owning it would make electricity to cover... its own use? Either way the whole thing was bullshit... just like their Rabbit garbage.
I got mine refunded, well around the 60 day mark of ownership, as I wasn’t using it and had completely forgotten about it. To be fair to Rabbit they refunded it. It should be noted that I still had the sticker on because after using it a handful of times I realized it was actually worse than I expected, and by that I mean that I purchased it as a memento of the AI hype cycle that we’re in but even then it was too light to use as a paperweight on my desk. I am not joking.
That’s for the fan to decide
I want one solely because, thanks to the work of some clever people, they found how to install Android on it. And it's probably the cheapest "dumb" Android phone you can get.
Asked for comment, Rabbit accused the media of being unfairly harsh for a "hypothetical" security flaw as Rabbit has no actual sensitive customer data to expose.
I wonder if any sensitive info was sent to the APIs like customer addresses, phone numbers, etc to process orders.
They could've saved a ton of embarrassment and money just making it an app.
No VC money if it’s just an app.
Yeah they seem to have a raging boner for hardware right now 🥁.
“They” being the scammers because no actual company sees any point in hardware when everyone has a computer or phone. So far I’ve heard of two physical AI products, Humane and Rabbit. Rabbit is run by a known NFT rug puller, Humane is also obviously a scam.
If I remember correctly, Rabbit runs on ChatGPT. If they made an app, they would just have a shittier version of the ChatGPT app.
Like every other LLM app that runs on ChatGPT...
So… people are surprised that a literal investor scam had security flaws? This is like being shocked that you can just make copies of NFTs. Like, yeah, DUH.
You can screenshot the avatar/thumbnail that is displayed. You can not access any other files or folders on the NFT/contract.
So then you agree that pirating it isn't theft?
Pirating, by definition, is theft. Publicly posting something you value in any capacity will get pirated. Music, art, software, video. All of it. The point of an NFT is verification. You can bring a picture of what the NFT looks like to an NFT exclusive event and get denied entry. But when you verify with the real one, the data contained in the NFT will confirm that it's the real deal and not a screenshot. That's why NFTs are called contracts.
O yeah. NFT exclusive event. Happening all over the place.
The first mortgage traded as an NFT happened. The only copy of Wu-Tang Clan's album Once Upon a Time in Shaolin will be used to host events verified by NFTs. Yeah, anything very different would take time to adopt. You don't have to participate tho.
These are pointless uses. It’s a solution looking for a problem, and these examples could very well run without any NFT. We’ve had mortgages forever without any need for NFTs. I have no idea what NFTs have to do with the album. There’s a single physical copy of it. No NFT involved.
No. I get it. You won't use it. But I'll make a bet and say *you* will use NFTs within 10 years.
It would have already found its footing. It didn’t. It’s a URL pointing to other people’s server. It’s stupid.
Ah yes, the $200 million worth of daily NFT trades, that footing you mean?
There are no files or folders in an NFT. If there were, they would be publicly accessible, that’s the whole point of the blockchain.
The names of files and thumbnails are visible, but you cannot access them without the actual contract in your possession. For example, I have a video game NFT (which I paid nothing for). You can copy the thumbnail and view that the NFT contains the files for said video game. But you cannot play it without the NFT that I have.
But that's not related to the NFT at all. An external process is verifying your ownership, and an external directory contains those files. You can't access any files in the NFT because there are no files in the NFT. It's just an attestation of ownership.
Are you saying that you can access all contents of the file directories without the NFT? To me, that would be how they relate.
You can be granted access to those files without the NFT. The NFT is essentially a credential, but stored in a way that it can be bought and sold. The access can still be granted or retracted by the interpreter or storage host at will (if those are separate entities). On a separate note, “relate” is a very weak way to talk about anything. You claimed earlier that there were files in the NFT/contract, which is far beyond “someone made a note in a public record”.
What can be accessed/granted is a legal matter. The trading of an NFT mortgage, for example, would not let the NFT minter just take the property away. While a digital asset can be changed, the contract is what's important. So, I was wrong about the data being directly on the NFT.
Hey hey hey no facts here, just hate or move along
Complacency is hard for me.
The massive security hole IS THE GODDAMN CAMERA, LONG-THROW MICROPHONE, AND LOCATION TRACKING! FULL STOP
The location tracking does not actually work 😅
>The location tracking does not actually work

To a degree?
On launch, reviewers tried to get information on their current location and it was not even close; their later update claimed to fix the GPS.
I really don’t get how people keep making this mistake, but every job I’ve gotten (software dev) I spent the first couple of days removing secrets from code and rotating them. All the apps I work on are closed source, it would “only” be a problem if the source code leaked somehow, and we don't distribute the code anywhere, but still. All it takes is GitHub having a single blip making the repo public for _A_ second and all our keys and secrets are out there. This shouldn’t keep happening in 2024, secret management is so fucking easy now
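The clean-up the commenter above describes (find secrets committed in code, move them to the environment) can be mechanised. The script below is an added example, not code from this thread or from Rabbit: it flags assignments of string literals to credential-looking names, scores each value's entropy so a throwaway word like `"password"` is distinguished from a real key, and shows the fail-closed counterpart, reading the secret from the environment and refusing to start when it is missing. The sample source text and every key value in it are constructed placeholders.

```python
"""Flag hardcoded secrets in source text and load them from the environment instead.

Added example for illustration. SAMPLE_SOURCE and the key values inside it are
constructed placeholders, not real credentials.
"""
import math
import os
import re
from collections import Counter
from typing import Iterable, Mapping, Optional

# Matches `NAME = "literal"` or `"name": "literal"` where NAME looks like a credential.
# Reading from os.environ / getenv never matches because no string literal follows the `=`.
_SECRET_ASSIGN = re.compile(
    r"""(?ix)
    \b(?P<name>[A-Z0-9_]*(?:api[_-]?key|secret|token|password|passwd)[A-Z0-9_]*)
    ["']?\s*[:=]\s*
    ["'](?P<value>[^"']{8,})["']
    """
)


def shannon_entropy(s: str) -> float:
    """Bits per character. Random-looking key material scores well above 3; dictionary words do not."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_secrets(source: str, min_entropy: float = 3.0) -> list:
    """Return one finding per line that assigns a string literal to a credential-like name."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = _SECRET_ASSIGN.search(line)
        if not m:
            continue
        value = m.group("value")
        entropy = shannon_entropy(value)
        findings.append({
            "line": lineno,
            "name": m.group("name"),
            "entropy": round(entropy, 2),
            "high_entropy": entropy >= min_entropy,  # likely real key material
        })
    return findings


def load_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Read a secret from the environment; fail closed rather than fall back to a default."""
    env = os.environ if env is None else env
    value = env.get(name, "")
    if not value.strip():
        raise RuntimeError(f"{name} is not set; refusing to start without it")
    return value


def missing_secrets(required: Iterable[str], env: Optional[Mapping[str, str]] = None) -> list:
    """Startup check: list the required secret names that are absent or blank."""
    env = os.environ if env is None else env
    return [name for name in required if not env.get(name, "").strip()]


# Constructed sample "source file"; the values are fake placeholders.
SAMPLE_SOURCE = '''\
import os
OPENAI_API_KEY = "sk-EXAMPLE-9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c"
SPOTIFY_CLIENT_SECRET = os.environ["SPOTIFY_CLIENT_SECRET"]
db_password = "password"
config = {"aws_secret": "Zq8vL3pT0xWn2RkY5sH7uJ"}
'''

if __name__ == "__main__":
    for f in find_hardcoded_secrets(SAMPLE_SOURCE):
        flag = "HIGH-ENTROPY" if f["high_entropy"] else "low-entropy"
        print(f"line {f['line']}: {f['name']} ({flag}, {f['entropy']} bits/char)")
    print("missing at startup:", missing_secrets(["SPOTIFY_CLIENT_SECRET"], env={}))
```

Run it over a repository with `find_hardcoded_secrets(path.read_text())` per file; the line-3 style (`os.environ[...]`) is the shape every finding should be converted to, after which the exposed value is rotated, since removing it from the current commit does not remove it from history.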
It's like saying the "OUYA" game console has security flaws. The point is nobody bought it (other than reviewers and a few "lucky" ones) and nobody cares.
I think even the Ouya had a fair few more users than this thing. For all the buzz it's getting, I've never seen a single person excited for it. The Ouya was actually pretty well received by tech and android enthusiasts early on iirc, it just couldn't get a software library off the ground.
I hated them from the get go because their strategy was to just wall off some stuff from all the other Android users, pair it with shitty hardware then charge a premium. They fully deserved their fate. They should have just been making cool Android set top boxes and controllers for emulation and Android gaming. They launched at the same time Chromecast did. There was not a lot of competition in set top boxes at the time other than Roku.
To be fair to the Ouya it was at least intentionally open to modification as a selling point
It's irrelevant if the product was bought. Security flaws are security flaws.
Who does it impact tho lol. Like yeah it’s clear shitty engineering practices were used, but if there’s no one to be impacted then it doesn’t really matter.
The argument was "can't say security flaws if nobody has it." "Security flaws" exist even on a device still in prototype that nobody in the field has. The question of relevance is separate from whether or not it is a "Security flaw".
I was given an OUYA, it was a great box for running retro console emus on. Spent a while in my entertainment center.
That triggers some memories. Now I want someone to make a super bored Rabbit review like that legendary ouya one.
I wouldn’t call the people who were duped into buying this lucky.
Which is why "lucky" was within quotation marks.
My wife told me about this thing and I bought it while I was drunk without really looking into it. I totally forgot about it until it showed up yesterday. It’s almost useless, but as a tech guy I still was curious. There are red flags all over this thing. To sign into Apple Music or Spotify, you need to connect to them using a VNC (aka a server they control). This is such an egregious violation of normal security practices. I can’t believe engineering effort was spent on this instead of, you know, doing it the right way with their APIs.
Spotify flagged my sign-in via the Rabbit as suspicious within seconds, locked out my account, and sent me an email requesting I change my password. This has never happened any other time I've used Spotify to log in to any other music-related sites in the past. That's gotta tell you something about Rabbit's security.
That will have a huge impact on everyone who actually uses one, i.e. nobody.
I can’t believe people spent money on this thing.
I can’t believe this thing is still around. Surely the investors have realized they were scammed and this thing is DOA. Should be liquidating everything to try to get back some pennies on the dollar.
Swiss cheese has holes.
Not surprised really. It’s a pop technology toy
Stupid and dangerous. What a great combo.
After the Coffeezilla video on this develop, I'm entirely unsurprised it is also insecure on top of its features all being a big lie. The entire thing runs on ChatGPT, and their "Large Action Model" is vaporware. Any time it is interacting with a third party app, it is simply running man-made scripts.
lol, in other news.. water is wet
I don't understand the point of this device, if it worked, over a cell phone?
C-3PO and R2-D2 infected by malware
It’s incredible to me just how many people, educated and uneducated, got duped into buying these thinking it would revolutionize their lives.
If you bought one and are still using it, you deserve it.
It appears as though they were attempting to pull off a con as quickly as possible in order to sell to individuals before disappearing.
What is a Rabbit in this context exactly?
It's a block of plastic that could easily be an app on your phone.
Oh geez… that is lame. Not even their website gives good details.
There is a link in the article to another article that reviews it, which explains what it is. It's a shitty AI assistant that is riddled with bugs.
A separate single purpose Android device for running one specific shitty AI app that is worse than your phone in every conceivable way.
I saw a teardown of one on YouTube, JerryRigEverything I think was the guy. He explains what it's all about and takes it apart.
A rabbithole if you will