upvote

points

by niwtsol4 hours ago |
comments
upvoteby 0cf8612b2e1e4 hours ago|
next
[-]
1/5 rounds to “probably” when discussing security.
reply
upvoteby nickthegreek4 hours ago|
parent|
[-]
The 135k number appears to be pulled out of thin air? No idea where the 65% comes from. The command the post gives to list paired devices isn't correct. These are red flags.
reply
upvoteby TZubiri2 hours ago|
parent|
[-]
It's pretty reasonable though, a lot of OpenClaw instances are hosted on a VPS, this is not unsafe.

My interpretation is that 135k instances are vulnerable, but of those there's more conditions that need to be met, specifically:

These need to be multi-user systems where there are users with 'basic pairing' privileges. Which I don't think is very common, most instances are single-user.

So way less than the 135k number. I think a more accurate title would have been "If you're running OpenClaw, you are probably vulnerable" but not "you probably got hacked", that's just outright false and there's no evidence that the exposed users were ALL hacked.

reply
upvoteby mey4 hours ago|
prev|
next
[-]
More than 25% of users seems like a pretty accurate "probably".
reply
upvoteby DrewADesign4 hours ago|
parent|
next
[-]
You know you’re getting into zealot territory when people are arguing semantics over the headline pointing to a zero authentication admin access vulnerability CVE that affects a double-digit percentage of users.
reply
upvoteby earnesti4 hours ago|
parent|
[-]
Does it really? Digging up the data from example the 135k instances in the open reeks like bullshit, I would suspect several other claims are exaggerated as well.
reply
upvoteby DrewADesign3 hours ago|
parent|
[-]
> Digging up the data from example the 135k instances in the open reeks like bullshit, I would suspect several other claims are exaggerated as well.

Do you so stringently examine most CVEs? I’ll bet you don’t. Are you a big fan of this project? I’ll bet you are. Do you have any actual data to counter what they said or do you just sort of generally not vibe with it? If so, now would be a great time to break it out while this is still fresh. If not…

reply
upvoteby nickthegreek3 hours ago|
parent|
[-]
They are pointing out the data provided does not appear to be real. There is no credible link to this 135k number. They do not need to provide a number, as one does not appear to exist.
reply
upvoteby DrewADesign1 hours ago|
parent|
[-]
Well the post was removed so that’s not very promising on their part.
reply
upvoteby peacebeard4 hours ago|
parent|
prev|
next
[-]
Today I learned nobody agrees on what the word "probably" means.
reply
upvoteby SequoiaHope4 hours ago|
parent|
next
[-]
Ya I thought it meant “more probable than not” ie 50+%.

Otherwise I would say “you may have been hacked” not “you probably have been hacked”.

reply
upvoteby lwansbrough4 hours ago|
parent|
[-]
That is what it means. Unless you're losing an argument on the internet and you need a word to hide behind. ;)
reply
upvoteby zephen4 hours ago|
parent|
prev|
[-]
You're probably right.
reply
upvoteby furyofantares4 hours ago|
parent|
prev|
[-]
Here's a statement that's about 3x as true then:

If you're running OpenClaw, you probably didn't get hacked in the last week.

reply
upvoteby yonatan80702 hours ago|
prev|
next
[-]
This sounds like a classic case of "35% of statistics are made up"
reply
upvoteby earnesti4 hours ago|
prev|
next
[-]
The 135k instances is likely not true at all.
reply
upvoteby DrewADesign4 hours ago|
prev|
[-]
It’s also only 65% of those that have zero authentication configured, according to that post (which I have done nothing to confirm or challenge at all… Frankly I wouldn’t touch OpenClaw with a ten foot… cable?) That said, I think it’s far more important to get people’s attention who might otherwise not realize how closely they need to pay attention to CVEs than it is to avoid hyperbole in headlines.
reply
upvoteby codechicago2774 hours ago|
parent|
[-]
Not if this is crying wolf and causing those same people to ignore the very real security risks with using OpenClaw.
reply
upvoteby DrewADesign4 hours ago|
parent|
[-]
How is 20% of users getting pwned ”crying wolf” by any reasonable measure? This is a zero authentication admin access vulnerability.
reply
upvoteby codechicago2772 hours ago|
parent|
next
[-]
Because 20% is not “probably got hacked” and overstates the problem for most users.

That doesn’t mean this isn’t a critical vulnerability, and I think it’s insane to run OpenClaw in its current state. But the current headline will burn your credibility, because 80% of users will be fine with no action, and they’ll take future security issues less seriously as a result.

reply
upvoteby nickthegreek2 hours ago|
parent|
prev|
[-]
All the numbers you are using appear to be made up by the reddit poster. I say that as they provided no citation to them (for all I know they got them from an AI). I attempted to verify any of the numbers he used and could not. By exaggerating the numbers he is crying wolf.
reply
upvoteby DrewADesign1 hours ago|
parent|
[-]
Well the post was removed so it doesn’t lend a lot of support to their claims.
reply