a security announcement from rabbit inc and Obscurity Labs

:lock: a security announcement from rabbit inc & Obscurity Labs :lock:

hi @everyone! :wave:

at rabbit, we are attempting to push the boundaries of AI to help realize its true potential. as we do this, we have a responsibility to develop our products and services securely and responsibly.

as part of these ongoing efforts, we asked the cybersecurity experts at Obscurity Labs to conduct a thorough penetration test to double check a long list of our security measures by having them attempt to attack our systems to expose any weaknesses or risks.

in short, the results of these tests show that:

  • our approach of multiple layers of security is working as intended
  • no source code of our agent AI was exposed
  • no sensitive or valuable information was exposed to attackers
  • attack potential is minimized due to VNC isolation
  • if attackers do break through, they are unable to access anything of substance

in addition, we also wanted to share an update on the recent situation involving API keys that were illegally obtained and leaked by an employee (who has since been terminated) to a hacktivist group. after a third-party audit of our code, we can confirm that all secrets ever stored in it have successfully been revoked.

you can read more in blog posts by rabbit and Obscurity Labs.

we would like to thank you, our community, for the trust you have placed in us since the beginning. we will continue to work hard to ensure that our products are safe and secure.

19 Likes

I think it’s very good that you did it this way and that, in the end, things are looking so good with security.

The thing with the former employee is obviously a very unpleasant thing, but you can only look at people’s faces and not inside their heads.

Nevertheless, as an intensive user of r1, I would like to point out an important thing.

IT security must be checked again and again, because if you look at it bleakly, new vulnerabilities can creep in with every new software update of any software, including security software, as the recent examples clearly show.

For this reason, the very best protection has always been to protect your own secrets and also your customers’ data, and it will always be the case to store as little data as possible centrally.

Storing data in a decentralized way is not so bad, because attacks of this kind are not worth it for attackers in most cases, but where there is a lot of customer data, it becomes interesting for attackers.

Hence my appeal, if possible, to store as much sensitive data as possible, not centrally, but preferably only decentrally on the customers’ devices (on our devices).

Because where there is little, only little is stolen, in the worst case.

You can still fully develop the potential of AI, just via safe detours that attackers and state spy agents will not want to take. :wink:

7 Likes

Great job. Looking forward to upcoming updates as the R1 continues to grow

4 Likes

Much appreciated the detailed update and, as an ethical hacker myself, can relate to Obscurity’s findings.

Great job, keep it up!

1 Like

I think that is also something that is absolutely essential to this topic.