tinkerer built an app to control their own device with a PlayStation controller.
who used Claude Code to reverse engineer the protocol
Did they build it though? Sounds like vibe-coding to me
the problem does not lie in the encryption used by the robot vacuum when communicating with its server, but that all the data is stored in plain text and can easily be read by anyone who gains access to the server.
Having said that, this is atrocious!
What’s the point in encrypting user data in transit if you’re just gonna leave it unencrypted at rest??
If you’re going to store user data, at least have the decency to make sure it’s protected against malicious actors.
It’s very lucky that the person who discovered it was a vibe-coding good Samaritan, rather than somebody willing to exploit it for money
A lot of times encryption “at rest” is just encrypting the partition the DB is sitting on. There are options for encrypting the database when it’s in use, but if you don’t set up the right access controls the on-the-fly decryption can have it show up as plaintext.
The best option for this is to do the decryption/encryption in the application, so even if they get the DB credentials for the app user it’s still encrypted.
Of course, all of these are in increasing level of difficulty and adding them after the fact becomes a more daunting task the longer you put it off.
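The application-layer option described in the comment above, as an added example that is not part of the original thread: the app encrypts a column with AES-GCM before it reaches the database, so a reader holding only DB credentials gets ciphertext. It assumes the third-party `cryptography` package; the table, column names and sample rows are constructed, and the key is generated in-process only so the example runs offline.

```python
import os
import sqlite3

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumption: in a real deployment the key lives in a KMS or secret store
# that the database host cannot read. Generated here for an offline demo.
KEY = AESGCM.generate_key(bit_length=256)


def encrypt_field(key: bytes, device_id: str, column: str, plaintext: str) -> bytes:
    """Encrypt one column value, bound to its row and column through the AAD."""
    nonce = os.urandom(12)  # fresh 96-bit nonce for every encryption
    aad = f"{device_id}:{column}".encode()
    return nonce + AESGCM(key).encrypt(nonce, plaintext.encode(), aad)


def decrypt_field(key: bytes, device_id: str, column: str, blob: bytes) -> str:
    """Decrypt a stored blob; raises InvalidTag if it was altered or moved."""
    aad = f"{device_id}:{column}".encode()
    return AESGCM(key).decrypt(blob[:12], blob[12:], aad).decode()


def demo() -> dict:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE devices (device_id TEXT PRIMARY KEY, wifi_ssid BLOB)")
    # Constructed sample rows (hypothetical schema, not taken from the article).
    for dev, ssid in [("vac-001", "HomeNet-5G"), ("vac-002", "OfficeGuest")]:
        blob = encrypt_field(KEY, dev, "wifi_ssid", ssid)
        db.execute("INSERT INTO devices VALUES (?, ?)", (dev, blob))

    # What a reader with only database credentials gets back.
    raw = db.execute(
        "SELECT wifi_ssid FROM devices WHERE device_id = ?", ("vac-001",)
    ).fetchone()[0]
    # What the application, which holds the key, gets back.
    clear = decrypt_field(KEY, "vac-001", "wifi_ssid", raw)
    # Copying the blob onto another row fails authentication.
    try:
        decrypt_field(KEY, "vac-002", "wifi_ssid", raw)
        swap_rejected = False
    except InvalidTag:
        swap_rejected = True
    return {
        "raw_leaks_plaintext": b"HomeNet-5G" in raw,
        "app_view": clear,
        "swap_rejected": swap_rejected,
    }
```

Partition-level or transparent database encryption would return the plaintext SSID for the same `SELECT`, because decryption happens below the query layer.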
Basic HTTPS does the trick of encrypting transfer, easy as fuck to set up, does not mean the app is any more secure tho.
For all my gripes with AI/LLM and stolen valor-type misrepresentation, I’m not going to put too many asterisks on someone’s personal project. Especially when it exposes shady corporate practice. It doesn’t seem like they were professionally hired to create this app. There’s plenty of tinkerers I follow that phone a friend to get a project back on track.
But I have no idea what his day job is, being an AI Strategist
This code uses truly global variables.
Did you type that sentence though? It looks like keyboard manipulation to me
Yes, because I directly typed on that keyboard. My fingers pressed each and every key to make each and every letter of this text you’re reading.
The keyboard is a tool to interface with a computer, in the same way you need a hammer to push a nail, a screwdriver to drive a screw, or a knife cuts through things.
I didn’t ask somebody else to go hammer the nail, screw the screw, or cut the thing then take credit for doing the thing I didn’t do.
Managing a process isn’t the same as doing the process, and in the same way, prompting an AI to make code for you isn’t the same as actually making that code, and never will be.
In the same spirit of pointless gatekeeping.
You only pressed the buttons. That’s hardly any of the work required for your text to show up on all of our computers.
You didn’t translate the pulses from your key switches into USB signals, or write the kernel code which translated those inputs into scancodes, or write the browser code which displayed the form box that packaged your text into an HTTP POST request. None of your work went into the firmware on the routers which carried your data and you didn’t do a bit of work burying the cables between those routers.
I haven’t checked but I’m pretty sure you’re not a datacenter employee in Finland so you don’t contribute to the labor required to manage the servers, you probably don’t contribute to the Lemmy project or Mozilla/Chromium projects.
Your post is the result of a huge amount of tools, services in infrastructure that you had no hand in inventing, deploying or maintaining.
All you did was provide a few grams of force to some thermoplastic and sparked a few neurons.
What a terribly bad faith argument. Not a single bit of that actually matters to the substance of this discussion.
My direct input on this keyboard is what ends up on the screen. My interpretation, my words, my creative decisions (or lack thereof), and my mistakes.
Your AI is instructed by you. It takes your words and interprets them according to its own training data. It uses its own words, its creative decisions, and makes its own mistakes.
If you can’t see the difference between those two things, and why someone might think a person having done the latter but claiming the former might be seen as insulting, then there’s no point in having this discussion.
I’m sorry that you read an actual argument instead of a satire
Ah, but the keyboard manipulation is direct, at least.
All of your interaction with technology is mediated by other technology.
We all understand that when we say ‘I went on the Internet’ we’re not picturing a person, with no technological assistance whatsoever, inducing current into a wire in encoded pulses according to IEEE 802.3 and scratching the resulting HTML in the dirt with a stick.
So, when someone comes along and says ‘Well, actually, you didn’t do anything because YOUR BROWSER went on the Internet.’ it isn’t actually describing a difference.
Here, the comment isn’t making any argument on why this differentiation matters. It’s just changing the framing to bait anti-AI engagement.
They likely also used other technology, like an IDE, syntax highlighting, auto completion, a linter, git, a programming language that they didn’t invent themselves, libraries made by others… etc.
Implying ‘if they use x tool’ then they didn’t build it is pointless gatekeeping that doesn’t add anything to the discussion except create an on-ramp for more anti-ai bot content.
Security? How much? No. Skip it.