Comment by achillean
3 days ago
Already seeing some of the new Moltbot deployments exposed to the Internet: https://www.shodan.io/search/report?query=http.favicon.hash%...
Maybe those folks buying Mac Minis to host at home weren't so silly after all. The exposed ones are almost all hosted on VPSs which, by design, have publicly-routable IP addresses.
But anyway I think connecting to a Clawdbot instance requires pairing unless you're coming from localhost: https://docs.molt.bot/start/pairing
The silly part is buying a $600 Mac mini when any $100 NUC or $50 raspberry pi or any cheap mini PC off of eBay will do the job exactly the same.
The silly part is buying a $50 raspberry pi, then storage and memory and so on, when a $200 used M1 Mac mini is plug-and-play.
Doesn't Moltbot specifically require MacOS for iMessage, Apple reminders, and some other Apple-ecosystem features?
HN is the last place I expected to see someone laugh at self-hosting
If you want iMessage you still need an always-on Mac, whether that's the main moltbot gateway, or the MacOS app running in 'node mode' to allow a moltbot gateway to use it to send/receive iMessages.
Our SFF HP came out at 150€ with flash storage and 16GB of RAM. I see used M1s for 200-250€ where we live. The only drawback of the M1 is you’d be stuck buying a NAS/DAS for the storage part, whereas the HP has 3 internal SATA ports. Neither option is silly, they have different pros/cons. Managing Linux quirks has gotten frustrating, for example.
Depending on how you set up the reverse proxy, clawdbot can think _all_ traffic comes from localhost.
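The failure mode described in the comment above, as an added example that is not part of the thread and is not Moltbot/Clawdbot code: a hypothetical gateway that skips pairing for local clients, with the weak check next to a hardened one. The function names, the `TRUSTED_PROXIES` set, the `behind_proxy` flag and the sample addresses are all assumptions made for illustration.

```python
import ipaddress

# Constructed model: addresses our own reverse proxy connects from (assumption).
TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}


def naive_is_local(peer_ip, headers):
    """Weak check: looks only at the TCP peer, which is the proxy itself."""
    return ipaddress.ip_address(peer_ip).is_loopback


def effective_client_ip(peer_ip, headers, behind_proxy=True):
    """Resolve the real client; honour X-Forwarded-For only from trusted proxies.

    Returns None when the client cannot be determined (caller must fail closed).
    `headers` is a plain dict keyed by the exact header name (simplification).
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return peer  # direct connection: ignore any client-supplied header
    xff = headers.get("X-Forwarded-For", "").strip()
    if not xff:
        # A proxy is deployed but did not label the request: origin unknown.
        return None if behind_proxy else peer
    # Walk right to left: the rightmost hop was appended by our own proxy,
    # anything further left may have been supplied by the client.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed header
        if addr not in TRUSTED_PROXIES:
            return addr
    return peer  # every hop was a trusted proxy, so the request really is local


def pairing_required(peer_ip, headers, behind_proxy=True):
    """Hardened decision: exempt only clients proven to be on loopback."""
    client = effective_client_ip(peer_ip, headers, behind_proxy)
    return client is None or not client.is_loopback
```

The hardened check only works if the proxy actually sets `X-Forwarded-For`; with `behind_proxy=True` a request that arrives from the proxy without the header is treated as remote and must pair.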
Wasn't aware of this favicon trick, nice :)
FYI we released a tool to calculate a bunch of these types of hashes: https://book.shodan.io/command-line-tools/shodan-hash/
More info about the favicon hashing technique: https://blog.shodan.io/deep-dive-http-favicon/
Like I said before [0], infosec professionals are going to have a great time collecting so much money from vibe coders and crypto bros deploying software they openly admit that they have no idea what it does.
If you are very clever there is a chance that someone connected Moltbot with a crypto wallet and, well...
An opportunity awaits for someone to find a >$1M treasure and cut a deal with the victim.
[0] https://news.ycombinator.com/item?id=46774750