RE: https://social.lansky.name/@hn50/116341899721749250
oh jesus tapdancing christ
[post was removed; h/t @tom https://web.archive.org/web/20260403174403/https://www.reddit.com/r/sysadmin/comments/1sbdw29/if_youre_running_openclaw_you_probably_got_hacked/?solution=44f7932102051db444f7932102051db4&js_challenge=1&token=bbbe4bf1c9a2b5160829c4be34da58614082fcc1e861ded7105b5ece1538a6d5 )
thing is, this is likely to cause many downstream enterprise breaches, even in enterprises that actively ban openclaw.
unauthorized instances, or instances that allow a threat actor to pivot from private hardware to work hardware.
pure negligence, rolling OpenClaw out in the way they did, both the devs and all the hosting companies that saw profit in providing easy-install packages.
the other fun part?
even if you don't set up an exposed instance
even if you require auth
if any entity you pair openclaw with gets compromised, regardless of its permissions level, it can escalate to admin and pwn you
@neurovagrant I’m honestly surprised it took this long for it to crackle.
One of the ”enthusiasts” at work recently explained to me why they think Clown Cod™ is safe to use. To paraphrase them ”it automatically checks the fist two words in bash commands for anything malicious”.
What worries me most about this ride through the Gartner Hype Cycle is that this time it’s not the senior engineers that are at the steering wheel. We’re more often found in the trunk tied up and gagged.
@neurovagrant I did.
Because so few people understand why privileges are separated anymore, they just know it's an annoyance to work around.
Ian Campbell 🏴
Deborah Preuss, pcc 🇨🇦
D Ingram
Viss
Lauren Weinstein
Zach DeLong
M Schommer
🌸 Vårgubben
Greg Parker
Mark Koek
Christian Lynbech
The Doctor