sciencejerk 6 days ago

I think that Security fuckups of this disastrous scale should get classified as "breaches" or "incidents" and be required to be publicly disclosed by the news media, in order to protect consumers.

Here is a tool with 7,000+ customers and access to 1 million code repositories which was breached with an exploit a clever 11 year old could have created. (edit: 1 million repos, not customers)

When the exploit is so simple, I find it likely that bots or Black Hats or APTs had already found a way in and established persistence before the White Hat researchers reported the issue. If this is the case, patching the issue might prevent NEW bad actors from penetrating CodeRabbit's environment, but it might not evict any bad actors which might now be lurking in their environment.

I know Security is hard, but come on guys

smarx007 6 days ago

> be required to be publicly disclosed

https://en.m.wikipedia.org/wiki/Cyber_Resilience_Act

Lionga 6 days ago

Code Rabbit is a vibe coder company, what would you expect? Then they try to hide the breach and instead post marketing fluff on the Google Cloud blog, not even mentioning they got hacked, and cannot even give any proof there is no backdoor still running all the time.

What a piece of shit company.

moomoo11 6 days ago

I got so much heat for calling out that Tea app for being imbeciles who couldn’t bother finishing reading the firebase docs.

People were quick to blame firebase instead of the devs.

Vibrators are so fucking annoying, mostly dumb, and super lame.

wredcoll 6 days ago

This post would have a lot more meaning if "vibe coders" were the only ones making security mistakes that involved thousands of customers.

moomoo11 6 days ago

Yeah you're right. Your post would have a lot more meaning if you would realize that the rate at which security mistakes are occurring is about to explode (if not already).

That's like saying if/when an AV runs over a bunch of people that it's not like they're the only ones running over people, human drivers do it too!

Thankfully, Waymo which I use regularly is fkin awesome and actually works. Then again, they're not vibrating.

strbean 4 days ago

> That's like saying if/when an AV runs over a bunch of people that it's not like they're the only ones running over people, human drivers do it too!

Well, what matters most is how much they run over people relative to human drivers. People often act like "even once is too many!", ignoring the fact that no, once is not too many, if it's less than what is already happening.

wredcoll 4 days ago

> That's like saying if/when an AV runs over a bunch of people that it's not like they're the only ones running over people, human drivers do it too!

I mean, that's literally what happened? Computer controlled cars were developed, killed some people, and everyone collectively shrugged and went on with their lives. A large part of that reaction was probably because we're all immersed in a culture that just expects some number of people to die because of cars every year.

ofjcihen 6 days ago

The post still has meaning.

N_Lens 6 days ago

Petition to call vibe coders “dildos” (coz they’re vibing right?)

mihaaly 6 days ago

Agreed.

Being a mere user of web or other apps developed using such clever and flexible and powerful services like this, accidentally (due to sheer complexity) exposing all and everything I might consider dear, makes me reconsider if I want to use any. When I am granted a real choice. Not so much as time progresses, not so much. Apps are there everywhere using other apps, mandated by organizations carrying out services outsourced by banks, governments, etc., granted third parties' access by me accepting T&C, probably catching trouble in the details, or probably not, cannot be sure.

A reassuring line like this >>This is not meant to shame any particular vendor; it happens to everyone<< may calm providers but scares the shit out of me as a user providing my sensitive data in exchange for something I need, or worse, must do.