xAI dev leaks API key for private SpaceX, Tesla LLMs (krebsonsecurity.com)

244 points by todsacerdoti 6 days ago | 14 comments

Aurornis 6 days ago
> Fourrier found GitGuardian had alerted the xAI employee about the exposed API key nearly two months ago — on March 2. But as of April 30, when GitGuardian directly alerted xAI’s security team to the exposure, the key was still valid and usable. xAI told GitGuardian to report the matter through its bug bounty program at HackerOne, but just a few hours later the repository containing the API key was removed from GitHub.
Having the security team redirect the report to the HackerOne program is wild.
At least someone had enough thought to eventually forward it to someone who could fix it.
- fweimer 5 days ago
  It's come up before. HackerOne is not intended as a replacement for a PSIRT front desk, but many companies use it as such. It looks like Paypal still does this, for example.
- KristenDev 5 days ago
  Contacted the support team, DOD and FBI... nothing done a month or two ago.. it's sad. But when I see that studies are now sci-fi flicks.. my heart broke a little while ago. Never mind that this was swept under the radar by the DDOS attacks. Classic Oceans15 movie in the making.
mcs5280 6 days ago
SpaceX data LLM being exposed is likely a recipe for a huge ITAR violation
- pavlov 6 days ago
  DOGE has probably fired everyone who could pursue those penalties.
  - mlnj 6 days ago
    [flagged]
    the_doctah 5 days ago
    [flagged]
  - aaron695 5 days ago
    [dead]
- NitpickLawyer 6 days ago
  If there's actually any proprietary rockety data, maybe. Without knowing what data went into the fine-tune there's no way to tell. This could be an "internal procedures chatbot" or an "onboarding chatbot" where new people can ask where the coolest watercooler in the company is.
  In my experience post-training mainly deals with "how" the model displays whatever data ("knowledge") it spits out. Having it learn new data (say the number of screws on the new supersecretengine_v4_final_FINAL (1).pdf) is often hit and miss.
  You'd get much better results with having some sort of RAG / MCP (tools) integration do the actual digging, and the model just synthesising / summarising the results.
  - mewse 6 days ago
    Or, since we're apparently playing the game of maybes in this thread, maybe the LLM was only trained on the team's grandmothers' spaghetti recipes, so that new hires can learn to make the best bolognese sauce.
    ben_w 5 days ago
    This being Musk, it wouldn't surprise me.
    I mean, consider that The Boring Company sold a "flamethrower" despite being theoretically about… boring.
    lesuorac 5 days ago
    I think you missed a lot of the word play. Somebody else has explained Bore[1]-ing vs boring.
    But they sold a blowtorch aka not a flamethrower. The difference being a flamethrower actually "throws flames" like 10+ feet.
    [1]: https://en.wikipedia.org/wiki/Bore
    ben_w 5 days ago
    I didn't miss anything in the wordplay*, it was obvious. (As are the initials, an extra pun).
    I put quote marks around "flamethrower" because that's what it was originally sold as before obvious and predictable legal issues with real flamethrowers and the fact it was obviously mimicking the prop in Spaceballs.
    My point is: neither weed burners nor actual flamethrowers have anything to do with digging tunnels nor any adjacent aspect of civil engineering.
    * https://en.wikipedia.org/wiki/Boring_(manufacturing)
    thejazzman 4 days ago
    Tesla sold a surfboard and whiskey and...
    Just saying. It's kinda on brand by not being on brand because the whole network of companies... well, I'm straying off topic.
    tomalbrc 5 days ago
    Because Tesla is making.. coils?
    jsjohnst 5 days ago
    Boring as the noun, not adjective. Also, Tesla was named that before Musk was involved, so it’s not his humor involved in naming both. Nikola Tesla is known for a lot more than just Tesla coils.
  - KristenDev 5 days ago
    You haven't seen the releases labeled as Grok's new studies yet... It's pretty clear.
- foota 6 days ago
  Is ITAR like other compliance sort of fields where you have to store data only in compliant places, or is it just based on actual leaks, etc.?
  - freeone3000 5 days ago
    ITAR (International Traffic in Arms Regulations) is paranoid. Every single specific person that knows even dual-use information, such as composite wing design, must be individually authorized. I’ve been asked to leave the room when my girlfriend, who works for a passenger aircraft manufacturer, was designing a repair for a plane I have literally flown on.
    It doesn’t matter how the person got access to dual-use info, like basically everything to do with large rockets, it’s 100% forbidden.
    dismalpedigree 5 days ago
    This seems like a company policy more than ITAR. Unless you are not a US citizen, then it could be ITAR.
    freeone3000 5 days ago
    We’re in Canada, and I’m a US citizen, but she is not.
    foota 5 days ago
    That's the people aspect of it, but what about the technical aspect of it? Can I store ITAR restricted information in plaintext on a thumb drive if I think it's safe?
- ActorNightly 6 days ago
  It is, but the issue is the current administration has made it abundantly clear that it doesn't care about anything legal.
Cheer2171 6 days ago
What absolute incompetence. Not just on this dev, but any org with API keys ought to be scanning for leaked keys constantly. Failure of one and failure of many.
Of course Elon hires only based on 'merit'...
- Everdred2dx 6 days ago
  How would you scan for your api keys on repos outside of your organization? I assumed this was a dev’s personal repo.
  - kalkin 6 days ago
    https://docs.github.com/en/code-security/secret-scanning/sec... is one option
    Everdred2dx 5 days ago
    Neat. Thanks!
  - squigz 6 days ago
    Well, one option is the service from TFA.
    https://www.gitguardian.com/monitor-internal-repositories-fo...
  - mcdwayne 5 days ago
    This was on public GitHub, which anyone can scan for anything. Their API is a firehose you can consume: https://api.github.com/events
    GitGuardian's public report on secrets sprawl talks about their methodology of scanning any commit https://www.gitguardian.com/state-of-secrets-sprawl-report-2...
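A minimal sketch of the kind of pattern matching a scanner might run over each pushed file or commit, assuming you already have the text in hand. The function name `find_secrets` and the pattern table are hypothetical and only illustrative; the two prefix patterns follow the publicly documented shapes of AWS access key IDs and classic GitHub personal access tokens, and this is not a description of how GitGuardian or GitHub actually scan.

```python
import re

# Illustrative detectors only; real scanners ship far more patterns
# and usually add entropy checks and live validation of candidates.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # Generic "name = 'long opaque string'" assignment (assumed heuristic).
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*['\"]([A-Za-z0-9_\-]{20,})['\"]"
    ),
}


def find_secrets(text):
    """Return (line_number, detector_name) pairs for lines that look like secrets."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits
```

Something like this would be called on every file body pulled from a push; anything it flags still needs a human or a validity check, since regexes alone produce false positives.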
  - romellem 5 days ago
    The company I work for does this. I recently pushed an update to a personal repo that just contained a keyword match (the push included a dictionary.txt file which happened to include the company name) which flagged a review.
breakingcups 6 days ago
I'm much more interested in what the private model "tweet-rejector" could be used for...
- yk 5 days ago
  if "Musk" in tweet and xAi.grok.sentiment(tweet) < .5: reject(tweet)
KristenDev 5 days ago
This has ruined many careers in the making. The DDOS attacks happened while this breach like hotspot was open. Who do we contact if any of our studies are leaked out like a publicity stunt day in day out and x.ai hasn't responded for months after stating concern and rogue like actions on different AI services? Do we post videos, make statements or just gather and share tips and insight?
threecheese 5 days ago
The biggest surprise to me was: “administration officials told some U.S. government employees that DOGE is using AI to surveil at least one federal agency’s communications for hostility to President Trump and his agenda”. I understand that there’s no expectation of privacy at work (especially in govt), and everything you write is “on the record”; however an employer monitoring comms for what’s essentially thoughtcrime is heinous. Isn’t disagreement healthy?
- erulabs 5 days ago
  Yes but it's worth understanding the executive branch (which according to this administration includes all federal agencies), in its constitutional form, is more or less just an extension of the president. Conceptually they all "perform at the pleasure of" the person of the president. The "balance" and "disagreement" can happen outside of the executive, in the legislative or judicial branches.
  Definitely not how I would run an organization (even a military organization), but it's not _conceptually_ wrong. If you were a general and you had lieutenants expressing "hostility to" your agenda, would you keep them on? Again, I'd probably say yes up to a limit, but it's not outside of a general's purview to concern themselves with this.
rcarmo 6 days ago
One thing that sticks out to me is that there is an incorrect assumption from the journalists that having the API keys to an LLM can lead to injecting data.
People still don’t know how LLMs work and think they can be trained by interacting with them at the API level.
- skissane 6 days ago
  > People still don’t know how LLMs work and think they can be trained by interacting with them at the API level.
  Unless they are logging the interactions via the API, and then training off those logs. They might assume doing so is relatively safe since all the users are trustworthy and unlikely to be deliberately injecting incorrect data. In which case, a leaked API key could be used to inject incorrect data into the logs, and if nobody notices that, there’s a chance that data gets sampled and used in training.
  - rcarmo 4 days ago
    Nobody really trains directly from logs without curation and filtering.
    skissane 4 days ago
    Sure, but there is a non-zero risk that some malicious data could slip through the curation and filtering processes undetected.
    I agree that’s unlikely, but not astronomically unlikely.
    rcarmo 3 days ago
    Considering the costs involved in fine-tuning, nobody does it unless they are a very rich corporation. And certainly not for public-facing models…
- drilbo 5 days ago
  unless I somehow skimmed over it, they only appear to refer to "prompt injection"
SillyUsername 5 days ago
You mean ex-AI dev surely?
unit149 6 days ago
[dead]
waltercool 5 days ago
[dead]
tomlockwood 6 days ago
[flagged]
- papa_bear 6 days ago
  Turns out it's a different Krebs. This is by Brian Krebs; Chris Krebs was the one targeted by the administration.
  - ajcp 6 days ago
    Wow, I have been following the Chris Krebs saga quite closely AND been an avid consumer of Krebs on Security and for whatever reason always assumed they were one and the same. I even know his name is Brian Krebs! It's humbling when you're confronted with your blinders and stupidity, and they are the same as those you rail against for being so blindly stupid...
timzaman 6 days ago
[flagged]
- croes 6 days ago
  Since when is the leak of an API key of a big company non news?
- BryanLegend 6 days ago
  [flagged]
  - ralph84 6 days ago
    Seems like a paid ad for GitGuardian. It even quotes their chief marketing officer.
  - stepupmakeup 6 days ago
    [flagged]
AmazingTurtle 6 days ago
Guess who's going to be fired by elon :D
- endofreach 6 days ago
  > Guess who's going to be fired by elon :D
  i know, you probably just meant it as a fun comment. but i don't get how this is funny. this person probably relies on income, might have a family to feed... and just made a mistake. a type of mistake, that is not uncommon. i mean i have seen corporate projects where senior engineers didn't even understand why committing secrets might be a bad idea.
  yes, of course, as an engineer you have responsibilities and this is clearly an error. but it also says a lot about the revolutionary AIs that will apparently replace all engineers... but the companies claiming it are not using it to catch stuff like this.
  and let's keep in mind– i am surely not the only one making this experience: every single time i am using an LLM for code generation, i have to remove hardcoded secrets and explicitly show them how to do it. but even then, it starts to suggest hardcoding sensitive info here and there. which means: A. troublesome results made by these models, presented to inexperienced engineers. and people are conditioned to believe in the superiority of LLM code, given all the claims in the media. but also B: that models suggest this practice, shows just how common this issue is.
  yes, this shouldn't happen at any company. but these AI companies with their wild claims should put their money where their mouth is. if your AI is about to replace X many engineers, why is it not supervising at least commits? to public repos? why are your powerful, AGI-agentic autonomous supernatural creations not able to regex the sh outta it? could it be that they don't really believe their own tales? or do they believe, but not think?
  of course, an incident like this could lead to attempts of turning it into a PR-win– claiming something like "see, this would have never happened with/to our Almighty Intelligence. that's why it should replace your humans." but then: if you truly believe it and have already invested so many resources, you believe to foresee the future so surely, why ignore the obvious? or is this silent, implicit testimony, that you got caught up in a hype-train and got brainwashed into thinking, that code generation is what makes a good engineer? (just to be safe: i am not saying LLMs are not useful).
  also: that something like this could even happen at a company like that, is not the fault of one engineer. it indicates either bad architecture or conventions and/or bad practice and culture... and... a l s o: no (human) code review process in place?
  the mistake was made by one engineer, yes. but as though it's made to seem like this mistake is the root... it's not. the mistake is a symptom, not the cause.
  i honestly hope the engineer does not get fired. and i really don't understand this mentality. if this person is actually good at their job and takes it seriously, it's certain: he or she is not going to leak a secret again. someone who replaces him or her, might.
  - tasuki 5 days ago
    > if this person is actually good at their job and takes it seriously, it's certain: he or she is not going to leak a secret again
    If they were good at their job, they wouldn't have leaked the secret in the first place. The correct workflow is to:
    1. Create commits that only do one thing. Not possible to "forget" there were secrets added alongside another feature.
    2. When adding secrets, make sure they're encrypted or added to the project's `.gitignore` equivalent.
    I'm so sorry for a first-world engineer incompetent enough to commit a secret in a GitHub repository. They'll probably have to downsize from their mansion to a regular house. Meanwhile in the third world, many more competent people are starving or working some terrible menial job because they didn't have the right opportunities in life...
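One way to make step 2 above hard to get wrong is to never put the secret in a tracked file at all. A minimal sketch, assuming the key lives in an environment variable (for example exported by a `.env` file that is itself listed in `.gitignore`); the helper `load_api_key` and the variable name `EXAMPLE_API_KEY` are hypothetical.

```python
import os


def load_api_key(env=None, var_name="EXAMPLE_API_KEY"):
    """Read the key from the environment instead of from source code.

    `env` defaults to os.environ; passing a plain dict makes this easy to test.
    """
    env = os.environ if env is None else env
    key = env.get(var_name, "").strip()
    if not key:
        # Fail loudly rather than tempting anyone to paste a fallback key here.
        raise RuntimeError(f"{var_name} is not set; refusing to use a hardcoded key")
    return key
```

With nothing secret in the working tree, a careless `git add .` has nothing sensitive to pick up from the code itself.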
    everforward 5 days ago
    This sounds like naivety to me. I would bet most people here have committed a secret, even if it was later caught in a code review. If this wasn’t a common issue, all those tools that scan repos for secrets wouldn’t exist.
    I once put secrets on a wiki page because I copied log snippets and a third party library naively dumped HTTP headers into the logs without filtering out their own API key. I shouldn’t have assumed the logs were secret free, but it’s also not an unreasonable assumption.
    consp 5 days ago
    In a vacuum, sure. But in a workplace this workflow is best practice at best and even gets ignored. I've been able to accidentally add a secret despite scans and I noticed it myself so it was quickly fixed. Still resulted in a discussion of how to prevent it in the future as nothing is perfect and you learn from mistakes.
    Or you don't by simply firing the engineer and assume everyone in the entire workflow is perfect.
    Timber-6539 5 days ago
    I'll do you one better. Start your .gitignore file with this line
    *
    lsaferite 5 days ago
    Mine all start with (and .dockerignore has a similar one)
    # Default block all
    /*
    # Specifically allow files and directories
  - hnthrow90348765 5 days ago
    The real mistake is working for Elon
  - 7bit 5 days ago
    If you ever visit a Bill Burr show, let me know. I wouldn't want to miss it.
    endofreach 5 days ago
    Big fan of bill burr. I don't get how some here don't understand what my comment is about. I assume your implication is that I have no sense of humour or am too snowflaky. I mean, next time you visit a bill burr show, let me know if his punchline is such a banger like the one i commented on. And if you think this is the same type of humour, please, let me know when you visit a bill burr show next!
    But, my comment was clearly not about making excuses for the mistake of the engineer. I wanted to express that it's insane that such a common mistake can happen in a company like that. And i don't get how people let the ceos & leads off the hook so easily.
    But some apparently don't think that way.
    In my opinion: the mistakes that are common, and severe, and very easy to avoid, have to be expected and hence circumvented through industry standard behaviour. And that is not (solely) the responsibility of one committing engineer. Any good team has best practices to prevent these types of basic, potentially fatal mistakes from happening, and usually at least a glance-over review process where these mistakes should be found by another team member on first sight... and now, when it's an "AI making devs extinct"-type of company... and they're not catching this type of error, it's ridiculous. That an individual can screw up something potentially so critical, is an organizational failure.
    But anyway, i think my points were clear in the first comment already.
    7bit 3 days ago
    It was clearly a joke and that is not the best place to come down with a morality club. It has soapbox vibes and the person who made the joke also hasn't earned that.
- FreebasingLLMs 5 days ago
  [dead]
jsight 6 days ago
Musk has been talking about integrating Grok into Tesla cars and also adding a lot of space and rocketry specific training. It is completely possible that these models were trained on data that would logically be public at some point.
It is also possible that the author's guess is right and that these were to contain sensitive data.
No one really knows, but honestly, these kinds of mistakes are happening all the time. Who hasn't accidentally leaked their own .ssh dir on github? lol
- hackernewds 6 days ago
  Any competent engineer hasn't?
  - ffsm8 6 days ago
    Is that even at the competent level? You need to be particularly special to actually "accidentally" leak the .ssh dir via GitHub. Even incompetent people wouldn't fail to that degree for the most part.
    Leaking the directory through other avenues is a different matter though. Almost all package managers provide post install and compile scripts. Hence doing (as an example) "npm install" can potentially leak it. That's something not many people actually pay attention to (you would have to basically jail every command, which sadly isn't the norm today)
- Zanfa 6 days ago
  How would you accidentally leak your .ssh dir on Github?
  - jsight a day ago
    It was just an example. It used to be fairly common for people to sync some of their dotfiles via git, and from time to time someone would leak a directory that contained sensitive data without them realizing it. I'd guess things like tokens used by cli tools were more common than whole .ssh directories, but I'm sure both happened.
    Not quite the same thing, but also a leak: https://blog.gitguardian.com/github-exposed-private-ssh-key/
    I guess all these folks saying professionals would never make a mistake like this will also have insulting names for github engineers. :shrug
  - tazjin 5 days ago
    People with workflows like `git add .; git commit -m 'fix'` can push wondrous things to public repos.
    SilverBirch 5 days ago
    Only if you're raw dogging git from your home directory...
    everforward 5 days ago
    You would have to have a git repo in .ssh or higher up the tree for that to work. Otherwise you’d get one of the “directory is not a repo” messages.
    jsight 7 hours ago
    It isn't that uncommon to sync a home dir with git: https://askubuntu.com/questions/1316229/is-it-bad-practice-t...
    I'd guess that most of us wouldn't do it by just "git init" in the home directory. There are many safer ways than that.
    But we were all newbs once, and often even the newbs have access to various keys and credentials.
- unsupp0rted 6 days ago
  I only use private repos, so that when my .ssh and .env leaks the public doesn’t see it. Probably. Maybe. Well…
  - thephyber 6 days ago
    Git implemented a `.gitignore` file for this exact purpose. One of the first things to do when you create a new repo is to customize it for the language + OS.
    unsupp0rted 5 days ago
    And .env is implemented for this exact purpose too, hand-in-hand with .gitignore ;)
    But mistakes happen all the time. It's very easy to fat-finger a line in .gitignore - one char off and you're toast.
  - CER10TY 6 days ago
    Just remember to go through your commit history if you ever plan on making that repo public.
    Normal_gaussian 5 days ago
    I commonly flatten repos (by copy and create) when I share them. It's rare that the other person needs the commit history.
    I have often thought it would be nice to have a good tool to retroactively view and tidy them, but everything I've seen has not quite hit the nail on the head.
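For the "go through your commit history" step mentioned above, a rough sketch of a history check, assuming you feed it the text produced by `git log -p`. The function name `suspicious_commits` and the single heuristic pattern are hypothetical, and this is far cruder than dedicated scanners; it only looks at added lines.

```python
import re

# Assumed heuristic: a credential-sounding name assigned a longish value.
TOKEN_LIKE = re.compile(r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*\S{12,}")


def suspicious_commits(log_text):
    """Map commit hash -> added lines that look like hardcoded credentials."""
    findings = {}
    current = None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            # Header line of a new commit in `git log` output.
            current = line.split()[1]
        elif current and line.startswith("+") and not line.startswith("+++"):
            # Added line in a patch; "+++" is the file header, not content.
            added = line[1:]
            if TOKEN_LIKE.search(added):
                findings.setdefault(current, []).append(added.strip())
    return findings
```

The input could come from something like `subprocess.run(["git", "log", "-p", "--all"], capture_output=True, text=True, check=True).stdout`. Any key it finds should be treated as compromised and rotated, since removing it from history does not un-leak it.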
    unsupp0rted 5 days ago
    I use the Pieter Levels commit history strategy of all my commit messages being the single word "commit"
    https://x.com/levelsio/status/1590908364393156608
- Dlemo 6 days ago
  I have not.
  And at a certain level of criticality, you do not do this at all
  You have security measures in place to prevent this.
  Not that the ketaman cares about it.