apocryphalmess
@apocryphalmess

so I hadn't heard about the rabbit R1, probably because it's another one of those devices that's marketed at AI rubes, like the Humane Pin. so my first exposure to it turned out to be an exposé posted to GitHub along with source code

rabbit.tech has been making waves with its highly publicized release of the Rabbit R1 device, claiming it can perform tasks on your behalf and liberate you from app-based interactions. But let's call a spade a spade – this is a blatant lie. And we're about to expose it with the first partial release of the source code for its so-called "large action model".

For those with a technical background, it's painfully clear that there's no artificial intelligence or large action model in sight. In reality, they're simply relying on several Playwright automation scripts to do the job for you, which is why they only support four apps: Spotify, Midjourney, Doordash, and UberEats.

What's even more alarming is that they ask you to log in through their web portal, which is just a virtual machine connected via NoVNC. They also expect you to fill in your private passwords on their VMs. To make matters worse, they store the user sessions on their machines without any additional layers of security. This is both a blatant disregard for user privacy and a hilariously bad engineering practice.

Sadly, this shouldn't come as a shock to anyone who's done minimal due diligence on the team. After all, they were still hawking NFTs just two years ago.

I'll say this, at least this time it isn't a mechanical turk using underpaid workers in the global south. it's just a bunch of scripts written using a website testing framework instead

[edit 04/24/2024] the github repo has been taken down (not surprisingly) but it's still on archive.org with links to the source


apocryphalmess
@apocryphalmess

when even MKBHD says your product is "borderline nonfunctional" and uses it to talk about the way companies try to sell you on the future capabilities of your product instead of delivering something functional out of the box, you may have a problem


apocryphalmess
@apocryphalmess

the hits keep coming:

on may 16, 2024, the rabbitude team gained access to the rabbit codebase and found several critical hardcoded api keys in its code. these keys allow anyone to:
  • read every response every r1 has ever given, including ones containing personal information
  • brick all r1s
  • alter the responses of all r1s
  • replace every r1’s voice

[...]

we have internal confirmation that the rabbit team is aware of this leaking of api keys and have chosen to ignore it. the api keys continue to be valid as of writing.

we believe it is important for consumers to be aware of rabbit’s poor security practices, as it can have devastating consequences for r1 users.

we will not be publishing any more details out of respect for the users, not the company.


MxSelfDestruct
@MxSelfDestruct

despite claiming no compromise had occurred, rabbit immediately revoked these four keys. one was done improperly, leading to a temporary outage in text-to-speech services.

but we omitted another key from that release, one buried deeper in the code. and surprise-surprise: despite their ongoing internal investigation, rabbit didn’t revoke it.
sendgrid

as of writing, a fifth hardcoded api key exists for sendgrid, which is still active.

it provides access to a complete history of emails sent on the r1.rabbit.tech subdomain. this subdomain is primarily used for the r1’s spreadsheet-editing functions, meaning that it also includes user information contained within those spreadsheets.

it also allows us to send emails from rabbit.tech email addresses. a proof-of-concept was first sent a month ago, but it went unnoticed by the rabbit team. between that point and today, we did not view or send any further emails.



in reply to @apocryphalmess's post:

i always find teenage engineering to be weird, the same company that hid "marx was right" inside of one of their products also doing weird overly priced shit and collaborating with fuckheads like rabbit

If someone offered me a ton of money to design the outside of their new gizmo, and I primarily specialize in aesthetic designs for audio equipment, and I don't know anything about the technology involved but I keep hearing that it's going to be this massive game-changer, then I would probably do it.

Hindsight is 20/20.

Damn so teenage engineering not only was involved with the project but are a bunch of morons that don't ask any questions about what projects they're involving themselves with and fall for language like "game changer?" Damn I like them even less now.

I figured it was rigged and would suck on launch. The interface and the pitch of freeing users from app hell by building a platform on top of it was pretty compelling from an end user perspective though.

Edit: not to say I expect it to improve to anywhere near the original promise.