You don’t have to go public at all. If you’re profitable and your investors don’t want an exit, then you can stay private in perpetuity. Epic is a great example of that.
Really don’t understand why sane developers who for decades have been advocating for best practices when it comes to security and privacy seem to be completely abandoning all of them simply because it’s AI. Why would you ever let a non deterministic program god level access to everything? What could possibly go wrong?
The security team at my company announced recently that OpenClaw was banned on any company device and could not be used with any company login. Later in an unrelated meeting a non technical executive said they were excited about their new Mac Mini they just bought for OpenClaw. When they were told it was banned they sort of laughed and said that obviously doesn't apply to them. No one said anything back. Why would they? This is an executive team that literally instructed the security team to weaken policies so it could be more accommodating of "this new world we live in."
Similar thing at my company. Someone /very/ high up in the org chart recently said to the entire company that OpenClaw is the future of computing, and specifically called out Moltbook as something amazing and ground breaking. There is literally no way security would ever let OpenClaw in the same room as company systems, never mind actually be installed anywhere with access to our data.
It should be noted that this exec also mentioned we should try "all the AIs", without offering up their credit card to cover the costs. I guess when your base salary is more than most people make in a life time, a few hundred bucks a month to test something doesn't even register.
MoltBook is vibe coded. It passed its own API key via client side JS, and in doing so exposed full read/write access to it’s supabase db, complete with over a million API keys.
That is groundbreaking for a product held in such high esteem, just not in a good way.
I lack the words to explain my frustration at this timeline.
Am I missing something or are both of the "we convinced someone to let the AI out" claims missing any logs of what was actually said? Why wouldn't that be shared? You can't just claim something is true because you have proof, but not share the proof.
You're not missing anything; I can't remember what his reasoning was, just that he gave one, therefore his say-so was only worth as much as your trust that he was honest.
Today though, with headlines like this one in response to events such as it quotes from people in positions such as they are?
That is why I miss the old days, when not believing Yudkowsky's statements about the AI Box experiment only meant your views were compatible with the norms of corporate IT security rules.
> 35,000 emails. 1.5M API keys. And 17,000 humans behind the not-so-autonomous AI network
Wow, this is sure a brave new world. I'd just recently heard about the project and they've already been pwned so massively. We're accelerating into a future beyond our control.
In 3 decades of IT I have never seen such executive excitement combined with recklessness, and it is appalling.
Testing new and cutting edge tech has always been a good idea, but this rampant application of it is the ultimate Running-With-Scissors meme. Risks are not being evaluated, and everything is bleeding edge.
My disgust probably comes from the instinct that the excitement is based on the allure of doing more with less, and layoffs are the only idea so many business have left.
The other camp is excited about selling more stuff because AI has been slapped onto it.
These execs are the people who previously cared about literally nothing except not looking bad to their bosses. Now they're getting all fired up about something and taking a stand and... it's this? Lol. Lmao. Etc.
Their excitement is that they have hope they can finally get rid of all those stupid humans doing the actual work. American MBA culture has spent decades hammering home an ideology of a worker as a necessary evil to make money, and that those workers are utter scum that deserve no empathy or thought, because greed is "right" and specifically that a hyper greedy system will of course produce the right outcomes naturally.
They take it as a given that they end up on top in such a system, because they've always believed themselves the most important.
They desperately want to encourage this small chance of a future finally free of the gross masses and their horrific desires like "Vacation time" and "Sick time" and "salaries". How dare those lowly trash deign to deserve any of My rightful profit.
The american system has spent about 50 years now self selecting sociopaths at every level, rewarding people who sacrifice themselves for a company to make tiny bits more profit, ensuring that every manager at a high level eats sleeps and dreams the dumb "We are a family" line whether they actually believe it or not. It should not be surprising that the thing they get hyped about is so damn stupid. They don't want what you and I want.
This is the dream of the people who responded to the establishment of basic Labor rights and Social Security with McCarthyism. These people believe, very very genuinely, that you and I are wasting Their resources.
I'm sure company policy would technically prohibit them from accessing company resources from their personal computer; or if it does allow access to company resources from their personal computer then their corporate tech policy very likely does apply to their personal computing.
If the executive bought it for a personal mac mini for personal use only, with no interaction with company resources, then the person probably wouldn't have told the story.
I mean innovation going faster than security department is not a new thing.
You have to understand that the security department operates with a fundamentaly different mindset and reality than a business executive. One is responsible for compliance and avoiding adverse events and the other for ensuring the ongoing survival and relevance of the organisation.
Specific waivers for high level members are fully expected. They also have waivers for procurements. It makes sense because they can engage their personnal responsibility for this level of decisions. They don't need the security department to act as their shield.
It's clear that something like Open Claw has the potential to be deeply disruptive so seeing leaders exploring makes sense.
I'm glad that a term for this exists. It's always seemed so silly to me that someone would think that a group of people would all conform to the same opinion.
It's a Venn diagram: there are two camps and there is no doubt some overlap because the number of people involved. GP was obviously talking about the overlap, not literally equating this with two specific people or two groups that are 100% overlapping.
I mean... that could be a little "no true scotsman" at that point, though.
I think the most useful interpretation of the previous post is Set A is "the set of developers who appeared sane before the arrival of AI agents" and Set B is "the set of developers who are completely ignoring security considerations".
Who are these developers that have both been "advocating for best practices" and also "seem to be completely abandoning all of them simply because it’s AI"? Can you point to a dozen blogs/Twitter profiles, or are you just inventing a fictitious "other" to attack?
The person being quoted for one, who is apparently focused on safety and alignment at meta. Safety being handing over your email credentials to the shiny new thing, apparently
Are they even a developer? “Safety and alignment” as AI buzzwords are quite different from “security and privacy”. In any case, I wouldn’t take a random person with a sinecure job as exemplary of anything.
> Who are these developers that have both been "advocating for best practices" and also "seem to be completely abandoning all of them simply because it’s AI"?
All of them. Apparently uploading all your codez to some cloud provider that doesn't even have a figleaf of a EULA is okay now, because "AI".
people who have been around long enough know that we're currently in the wild west of networked agentic systems. it's an exciting time to build and explore. (just like napster and early digital music.) eventually some big company will come along and pave the cow paths and make everything safe and secure. but the people who will actually deliver that are likely playing with openclaw (and openclaw-like systems) now.
Same "sane developers advocating for best practices" preached to the moon:
- Alexa (and other voice assistants) spy microphones in their homes;
- Internet connected:
- locks;
- door, bedroom, living room cameras;
- lights, appliances and whatnot;
Giving full and unfettered control to their personal computer with all its accounts, apps, etc does not surprise me at all.
I wonder what anthropologists will write about us these days 100 years in the future. What is super creepy and super illegal to do for a physical individual, but is given a blank check from society to be done by tech corporations at unimaginable scale.
EDIT: also corporations (from my social bubble) are giving (almost) unfiltered access to their data from LLMs (and probably soon a control of that data through "Claw" trend), that would be instantly fireable offence for any employee.
Imagine giving enterprise access to some Joe-Claw from the street and allowing him to press any buttons he wants..
> Really don’t understand why sane developers who for decades have been advocating for best practices when it comes to security and privacy seem to be completely abandoning all of them simply because it’s AI
The deep irony is that the email deletion victim is an "AI alignment specialist" at Meta, and she didn't consider this failure mode.
I agree with a lot of the siblings that it's probably not the same people. But for the overlap that probably does exists, I don't think "because it's AI" is their reasoning. If I were to guess, I'd say it's something closer to "exploring the potential of this new thing is worth the risk to me".
> why sane developers who for decades have been advocating for best practices when it comes to security and privacy seem to be completely abandoning all of them
I'm a sane developer. I do not trust AI at all. I built my own personal OpenClaw clone (long before it was even a thing) and ran controlled experiments inside a sandbox. My stack is Elixir, so this is pretty much easy. If an agent didn't actually respect your requirements, it's just as easy as running an iex command to kill that particular task.
In my experience, AI, be it any model - consistently disobeys direct commands. And worse, it consistently tried to cover up its tracks. For example, I will ask it to create a task within my backend. It will tell me it did - for no reason at all, even share me a task ID that never existed. And when asked why it lied, it would actually spin the task up and accuse me of not trusting it.
It doesn't matter which vendor, which model. This behaviour is repeatable across models and vendors. Now, why would I give something like this access to my entire personal and professional life?
To group me and others like me with the clowns doing this is an insult to me and others who have accumulated decades of experience and security best practices and who had nothing to do with OpenClaw.
Lots of developers have been flippant for a long time when it comes to the security of the systems they use and violate best practices on a regular basis, often for convenience. Developer ≠ sensible with personal security.
I'm enthusiastic about AI (it's gone from the 2nd most important thing to happen in my career to tied for first, with the Internet) and I am baffled by OpenClaw.
There’s still sane people out there, I’m one of them, watching this gigantic trash heap ready to go up in flames. It’s not just OpenClaw either, it’s everything. Nobody is paying any attention and when it goes wrong it’s going to be an absolute catastrophe.
> developers who for decades have been advocating for best practices when it comes to security and privacy seem to be completely abandoning all of them simply because it’s AI
Risk and reward. That balance, currently, seems tipped to favour risk taking. (Which in turn encompasses both boldness and recklessness.)
Was building a claw clone the other day when for debugging I added a bash shell. So I type arbitrary text into a Telegram bot and then it runs it as bash commands on my laptop.
Naturally I was horrified by what I had created.
But suddenly I realized, wait a minute... strictly this is less bad than what I had before, which is the same thing except piped through a LLM!
Funny how that works, subjectively...
(I have it, and all coding agents, running as my "agent" user, which can't touch my files. But I appear to be in the minority, especially on the discord, where it's popular to run it as the main admin user on Windows.)
As for what could go wrong, that is an interesting question. RCE aside, the agentic thing is its own weird security situation. Like people will run it sandboxed in Docker, but then hook it up to all their cloud accounts. Or let it remote control their browser for hours unattended...
This isn't any different than pre-Claude. We've always had people that wrote code, but had no clue about systems. Not everyone is a CS major. I've seen people do the strangest things that you would think a sane person would never do, yet, their the strangeness is happening by someone you would otherwise consider sane/smart. Not everyone is a sysadmin banging perl to automate things.
I would agree that it doesn't have anything to do with Claude.
I didn't meant to imply CS majors knew this either.
Understanding the impact of letting software run permission and operationally free within or against direct access to other software is a pretty basic thing.
Neither deterministic nor non-deterministic software performs as expected without getting it right.
We are new to non-deterministic software, let alone how it operates between different layers.
DevOps, hosting, security, etc, is all in a way software, and software configuration.
The more it's understood, the more it can inform software development, and in the case of openclaw, integrating systems.
To the extent that anyone can be replaced they will be replaced and nothing they do now will save them. The good news is that so far I haven't seen companies having much success outright replacing workers with AI chatbots.
it's not successfully replacing them with AI that is the problem; it's firing them to then replace them with AI which, when it doesn't work is either too late or at best incredibly disruptive for the people impacted.
They don't have the successes but they do replace them. I've seen a couple of examples of that in the last couple of months, there is just no way to avoid these abominations any more.
Because security isn't the be-and-end-all, it has to serve the goals of the business and its customers.
Customers say that they want security with their mouths, but they say that they want features with their wallets. The best improvement to computer security you can make is turning the computer off, but this is clearly not what your (non-HN) customers want you to do.
AI has serious security risks (E.G. prompt injection), but it lets you deliver customer value a lot faster. Security doesn't matter if the competitors' technology is so much better that nobody is buying yours.
> If you know what you're doing you don't need AWS support.
Some big companies have massive monolith code bases. This is not a generalization you could apply universally. There are a lot of other considerations. What kind of features are we talking about, what kind of I/o patterns are planned, what is the scale of data expected, etc.
Coming from a world of acquisitions, I see almost every startup make the same decision of having a single database for everything. Can’t stress enough how big of a problem this becomes once you scale even a little bit. Migrations are expensive and time consuming. And for most teams, moving an application to a different db almost always becomes an urgent need, when they are least able to.
Most startups don’t need a dba, just competent full stack/backend engineers. That being said, I understand why many startups prefer having a dba. Not exactly fun when your only staff engineer likes to just store everything in a jsonb column in Postgres.
> If you know what you're doing you don't need AWS support.
Hard disagree. I have to engage with AWS support almost once every 6 months. A lot of them end up being bugs identified in their services. Premium support is extremely valuable when your production services are down and you need to get them back up asap.
While I agree, US is still the top destination for research, I don’t agree with “Brain Drain is not a concern” nor do I agree with “We need fewer PhDs”. The real risk of drain is people leaving their fields of expertise to never return. Pretty much all AI startups at the moment are coming from and being built by PhDs. The pace of innovation slows down and it can have huge long term economic impact. Having fewer PHDs also exacerbates that problem. If fewer people are looking for funding in the first place, you’d have even fewer ideas that could end up contributing meaningfully to society. The only solution to funding problems is more funding.
>The real risk of drain is people leaving their fields of expertise to never return.
That is happening right now, all the time! Especially in the biomed field! Many, many PhDs spend 5-8 years getting their degree and receiving minimal pay, then 4+ years being nomadic postdocs, also making terrible money, only to eventually arrive at the end of the road and realize they have to do something completely different.
It is unsustainable for every professor to train 10 PhDs in their career, because there aren't going to be 10 professorships (or even 3) for those PhDs to fill. Funding has to grow at the same exponential rate as the number of researchers. It did, from roughly 1950s to 1980s, as the university system expanded to accommodate the Boomer generation. It has slowed since, and the PhD to professorship pipeline got longer and leakier. It's doing a tremendous disservice to the bright, well-intentioned young people who join PhD programs.
> if you are going to do something for a living, make sure it is NOT scalable
You need to consider both horizontal and vertical scaling. Being a bespoke tailor may not scale vertically, but it can scale horizontally. If you have too many people pick up tailoring, you might run out of neighborhoods without competitors.
reply