<![CDATA[Kevin Wu: Quiet CISO]]>https://www.kwu.sg/s/quiet-cisohttps://substackcdn.com/image/fetch/$s_!wDVN!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F08e65c85-57ce-4aa2-8c39-d6cf2549f31c_500x500.pngKevin Wu: Quiet CISOhttps://www.kwu.sg/s/quiet-cisoSubstackSun, 12 Apr 2026 06:15:48 GMT<![CDATA[Raising Lobsters 🦞]]>https://www.kwu.sg/p/raising-lobstershttps://www.kwu.sg/p/raising-lobstersFri, 13 Mar 2026 08:07:23 GMT
Image is AI generated. The writing is not, this is KI, Kev Intelligence.

I have Jamiroquai’s Virtual Insanity playing in the background as I write this. Feels appropriate. Nowadays it’s AI this and AI that. Aiyoh!

The latest hype is none other than our agentic bot friend, OpenClaw. Or maybe Fiend, since it never sleeps, never complains, and is coming for our jobs. OpenClaw is so hyped that the Chinese Internet gave it a nickname “Lobster”.

Cloud platforms are rushing to offer OpenClaw as a service. Thousands of people, young and old lined up outside Tencent headquarters in Shenzhen to have it installed on their laptops. You read it right, people are queuing up to install Lobster, not to buy Labubus. Amazing times! And just like that a new trend was born, “Raising Lobsters”. Everybody wants to raise a lobster!

Because of FOMO, I had to try and see it for myself. I did not want to buy a Mac Mini just to raise one, so I opted to deploy OpenClaw on a virtual server. I used the Alibaba Cloud one-click deployment on a Simple Application Server (because why not?). Default settings throughout, exactly as most users would do it.

The result surprised me. Not because OpenClaw did not deliver, but because of what I found on the security side. There was ZERO security.

No authentication. API keys stored in plaintext. The web console sitting open on the public internet for anyone to find.

And this is our new bot friend who will be entrusted with access to our files and calendar, to execute tasks while we sleep. With the default settings, anyone can find and interact with the agent. Sounds like a nightmare.

Don’t get me wrong, AI is fantastic and agents are the future. But the speed at which things are moving can put us at serious risk if we’re not careful.

If you have OpenClaw running, here is what you should check right now:

  • Make sure it’s not exposed to the public internet

  • Enable authentication

  • Change your API Keys, if your server was ever publicly accessible

  • Connect only what OpenClaw needs, start with the minimum, you can always add more later

Spend some time securing the lobster before handing it the keys to your digital life. 🤖

Thanks for reading! Subscribe for free to receive new posts and support my work.

]]>