It was obvious from their "key note" in day one that this project was a scam. The best thing that can happen to it at this point is for it to be sued and shut down.
Anybody can string a couple of API calls together and write an "app". That is not programming, and this project is a massive undertaking for somebody of their skill. It should have never gone to market to begin with, regulations should have stopped it on its feet. The fact that they put more effort into their "key note" than the actual product was already a red flag. It's like some marketing guys got together and decided that they were going to "take the world by storm with AI".
> we have internal confirmation that the rabbit team is aware of this leaking of api keys and have chosen to ignore it. the api keys continue to be valid as of writing.
I see no benefit in being pedantic. Obviously writing code that performs simple API interactions is "programming". The definition of programming is extremely broad.
It is rather clear to me that yazzku is saying that the programming required to pull of what the R1 does falls well below what Rabbit promised their customers. That this is such a bullshit design that we can infer that the entire product is a scam, because if they were serious it wouldn't be so obvious that no work into actually making a useful product.
You can build perfectly fine products without programming anything at all. The problem isn't the lack/scale/type/complexity of programming. The problem is that the product is bad, and this is not a pedantic point at all.
Please don't cheapen professional expertise in this way. The product is bad, yes, but why? Because the programming is bad, and the programmers are negligent.
Casually writing code and writing code that securely handles customer data and maintains availability for something you're selling are two different things.
And it plays, in large part, why some engineers get upset when programmers call themselves engineers without the skill, discipline, and responsibility to back it up.
To me it has nothing to do with size or complexity. You can have a 20-line well-thought-out imperative Python script that is well-engineered. And you can have a 200,000 line Java app that leaks PII all over the place, loses user data twice a week, and is impossible to debug because it's a giant spaghetti rats nest.
The r1 is not just not-their-first, it's a pivot that reuses code from their earlier endeavours. (which itself is fine, like, that's what you'd expect from a pivot, it's just that their PR strategy relies on claiming those past projects are wholly unrelated.)
When they rug-pulled GAMA (after selling a bunch of NFTs), as consolation prize they "open sourced"[0] a few things.
One of their many promises was that their space-station "metaverse" would have "Quantum Engine AI Integration" (letting you talk to NPCs, among other things). They released a lightly edited Unreal Engine game template (the "metaverse"), along side a file named `api.yml`[1] which documents an AsyncAPI[2] API (the "AI integration"). There is no actual integration, the API spec is just positioned adjacent to the Unreal project - there's a note in the README that amounts to "integrate it yourself".
The back-end component was never open-sourced, and they've long since shut down the API server, but based on the docs, the API used by the r1 is clearly a direct evolution of that design.
As for the R1's API, there is no documentation, but I partially reverse-engineered it and wrote some docs of my own[3], which is enough to see the similarities.
Reportedly only some hundreds of millions. The makers of that stupid AI Pin that you strap onto your chest and that catches on fire was trying to sell itself to Hewlett-Packard for $1 billion.
I have very little trust in startups. Even if the R1 was a good product, their methods of logging into services was something I could never get onboard with.
I even changed banks (after 20 years), because I was looking to link my account to a budget app and my old bank required a 3rd party service that cached login data. I went through and tried connecting about 2 dozen banks that seemed like contenders to find the 2 or 3 that allowed me to authenticate properly with a token I could revoke from the bank itself, and switched to one of those. I don't know who these people are that hand over things like bank creds based on trust alone. The R1 wasn't there yet, but I'm cure that was a future goal.
This provides useful context for the other story about revoking a key breaking all their services.
I wish there was a mechanism on HN to link related (but different) stories - beyond people in the comments I mean. I think it would be especially useful over time (eg I could relate these today because they’re both on front page at the same time, but if someone came across this in the future the relationship may have been lost)
You know what I am truly terrified of? When these AI services start keeping memories about your interactions with them to build up a full profile of you. Like chatGPT memories. But then it leaks due to a data breach.
It’s not even accurate sometimes and I definitely did not manually tell it things about me. But it made some incorrect assumptions and now it’s out there whether it’s true or not.
Pretty sure they already do that, at least in some way, with OpenAI thinking about or already doing ad injecting via giving priority to certain types of services or products.[0]. All in all the company has so far been quite dishonest so I have no reason to think otherwise.
This is why you should use a secrets manager like Doppler (https://doppler.com) or AWS Key Management Service (AWS KMS). Hardcoding your secrets or storing them in .env files will always risk something like this happening.
34 comments
[ 0.31 ms ] story [ 70.2 ms ] threadAnybody can string a couple of API calls together and write an "app". That is not programming, and this project is a massive undertaking for somebody of their skill. It should have never gone to market to begin with, regulations should have stopped it on its feet. The fact that they put more effort into their "key note" than the actual product was already a red flag. It's like some marketing guys got together and decided that they were going to "take the world by storm with AI".
> we have internal confirmation that the rabbit team is aware of this leaking of api keys and have chosen to ignore it. the api keys continue to be valid as of writing.
Yeah.
It is rather clear to me that yazzku is saying that the programming required to pull of what the R1 does falls well below what Rabbit promised their customers. That this is such a bullshit design that we can infer that the entire product is a scam, because if they were serious it wouldn't be so obvious that no work into actually making a useful product.
Yes it is. Simple as.
Please don't gatekeep something as casual as writing code. Good lord.
To me it has nothing to do with size or complexity. You can have a 20-line well-thought-out imperative Python script that is well-engineered. And you can have a 200,000 line Java app that leaks PII all over the place, loses user data twice a week, and is impossible to debug because it's a giant spaghetti rats nest.
https://www.youtube.com/watch?v=NPOHf20slZg
When they rug-pulled GAMA (after selling a bunch of NFTs), as consolation prize they "open sourced"[0] a few things.
One of their many promises was that their space-station "metaverse" would have "Quantum Engine AI Integration" (letting you talk to NPCs, among other things). They released a lightly edited Unreal Engine game template (the "metaverse"), along side a file named `api.yml`[1] which documents an AsyncAPI[2] API (the "AI integration"). There is no actual integration, the API spec is just positioned adjacent to the Unreal project - there's a note in the README that amounts to "integrate it yourself".
The back-end component was never open-sourced, and they've long since shut down the API server, but based on the docs, the API used by the r1 is clearly a direct evolution of that design.
As for the R1's API, there is no documentation, but I partially reverse-engineered it and wrote some docs of my own[3], which is enough to see the similarities.
[0] https://github.com/gamaspacestation/
[1] https://github.com/gamaspacestation/gss_release/blob/main/ap...
[2] https://www.asyncapi.com/
[3] https://gist.github.com/DavidBuchanan314/aafce6ba7fc49b19206...
> the rabbit team is aware of this leaking of api keys and have chosen to ignore it. the api keys continue to be valid as of writing
That's just damning. Making the mistake is one thing, but, having it pointed out to you and refusing to fix it is unconscionable.
Remind me how many billions was this supposedly worth?
I even changed banks (after 20 years), because I was looking to link my account to a budget app and my old bank required a 3rd party service that cached login data. I went through and tried connecting about 2 dozen banks that seemed like contenders to find the 2 or 3 that allowed me to authenticate properly with a token I could revoke from the bank itself, and switched to one of those. I don't know who these people are that hand over things like bank creds based on trust alone. The R1 wasn't there yet, but I'm cure that was a future goal.
So this is the IT literacy of AI startups...
"please don't under estimate the effort and IQ level of our eng - its much more complicated than that."
I present no other commentary.
https://techcrunch.com/2024/06/15/ftc-chair-lina-khan-on-sta...
I wish there was a mechanism on HN to link related (but different) stories - beyond people in the comments I mean. I think it would be especially useful over time (eg I could relate these today because they’re both on front page at the same time, but if someone came across this in the future the relationship may have been lost)
It’s not even accurate sometimes and I definitely did not manually tell it things about me. But it made some incorrect assumptions and now it’s out there whether it’s true or not.
[0]: https://www.adweek.com/media/openai-preferred-publisher-prog...