This twitter thread is pretty bad and the comments here aren't much better.
IIRC the Ubiquiti 'hack' was an insider attack from an employee lying and intentionally breaking things while pushing his lies to the press to hurt his employer. Krebs was wrong and tricked by the employee. I don't know if that justifies this legal action, but it's not the normal going after someone who reported a breach. This one is more complicated.
I'm pretty sure Corey is wrong on the facts in this case (and so was Brian). I also felt a lot better about Ubiquiti once the dust settled and the details about Sharp came out.
You have a loosely defined term: "bad." It suggests "inaccurate" but perhaps you mean "unkind."
In either case, you assert "Krebs was wrong" a couple times but you skirt the topic of the twitter thread, the comments, and the lawsuit: that Krebs intentionally misled readers in order to drive traffic for ad revenue.
Do you think Krebs did this?
Krebs got the big story exactly right: Ubiquiti had a bad security problem and flubbed the handling of it.
Regardless of his reporting at the time, Krebs has known since December when Sharp was arrested that:
- the supposed hacker was the goddamn Unifi Head of Cloud, using the access keys needed to do their job
- the initial internal investigation into the hack and ransom was being conducted by the attacker
- that the whistleblower account is a complete fabrication by the internal attacker and his reporting on a coverup is false
Ubiquiti aren't suing him for reporting on it, they're suing him for not retracting it properly once it was revealed how false it was. As per the filing:
70. Ubiquiti brings this litigation because of Krebs’s refusal to do the right thing and retract the March 30 article or the December 2, 2021 update, which continue to malign Ubiquiti’s reputation, damage its relationships with its stockholders, and disrupt its business operations.
Krebs and Corey are _way_ wrong on this.
There is plenty to be said and very valid criticisms about how Ubiquiti dropped the ball and handled the situation. The attack being an insider does not excuse them. But it invalidates much of the reporting.
Krebs was specifically and personally targeted by the attacker as a method of spreading false statements to damage the company and, by keeping the articles up, remains complicit and liable.
What part of that update is incorrect? Naming that update is not going to help their case, at all.
This lawsuit is likely doing the exact opposite of what Ubiquiti expected.
Before the lawsuit, I had some sympathy that they got jerked around by an ex-employee with major access and took it in the shins. I'm kind of in the glass houses and stones camp ... I doubt very many companies could withstand a high-level technical person going rogue. They found the problem. Now they're pursuing charges against him and that's rattling through the legal system. Sure, there's lots of reputational damage, but that's the kind of thing that happens when you centralize management of things--it makes them a high profile target (see: Solarwinds).
However, the lawsuit against a reporter is causing me to pause and think "Wow. Maybe they're actually institutionally incapable of recovering from this, worried that something else might get exposed and really do suck."
The lawsuit moved me from slightly sympathetic to Ubiquiti into "What kind of idiots think this is a good idea?" and looking for alternatives.
There's valid criticism to be said about the corporate structure and culture which allowed this all to happen, we're all in agreement on that, but the lawsuit (while probably not accomplishing exactly what they'd hoped for) is legit if you ask me, in the sense that a journalist must take responsibility for the stories they put out and the informants they trust.
I'm not a journalist so I don't know how these things are supposed to go, but shouldn't Krebs have verified his source's identity before publishing? Isn't that a thing journalists are supposed to do?
That said I think Krebs was right to publish the story at the time, but when it became clear that Adam actually was Sharp the story should have been retracted. Perhaps Krebs should even issue an apology at that time?
I've been on the other side of something similar to this. At a previous role, a security researcher was falsely claiming we had a backdoor. We considered litigation, but ultimately decided not to for a variety of reasons, but a major one was that there was no way that the optics would be anything other than "software giant sues researcher," and we would likely only serve to draw more attention to the claims.
I'd entirely forgotten about the Ubiquiti breach until today.
It might be more convincing if all the things you listed don't make ubiquiti look really bad for a company that needs you to trust them, given their gear is very cloud-y.
From my perspective this lawsuit looks like they've Streisand Effected the fact that they let their internal security be even worse than the initial accusations.
It's like finding out your financial advisor had all your money stolen, which is bad enough, and then it turns out it's because they gave their gardener the password to your bank account.
Where's the proof that Krebs knew that the whistleblower account was a fabrication?
Genuine question.
It seems to me that Krebs might be in a position to claim:
1. He honestly reported the facts as were made available to him.
2. Either:
A. He didn't know his original source was Sharp (quite feasible that Sharp disguised this)
Or
B. He did know his original source was Sharp, but felt compelled to continue to protect his source despite charges having been brought (innocent until proven guilty).
3. He took the view that nothing in the revelation of this hack as an inside job casts doubt on his initial reporting, which was about Ubiquiti's response to the incident, not the attacker's identity.
We should at least wait to read the defence before drawing any conclusions.
The parent comment referred to Sullivan v. NY Times, which ruled that a public figure (and I suppose companies count as such) has to prove not just factual error, but actual malice.
Again, "actual malice" doesn't mean "acting maliciously" in the colloquial sense. It's a legal term of art from the aforementioned NYT v. Sullivan case and is explicitly defined as "with knowledge that it was false or with reckless disregard of whether it was false or not." Publications leave up articles they know to contain falsehoods (that were believed to be true at the time they were written) all the time. Unless libel (and therefore actual malice) is shown, I don't know of any precedent that would imply an obligation to issue a retraction.
That appears to be Ubiquiti's argument, but we've only got one side at the moment, and to my reading (uneducated as to US defamation law) it's far from proven.
Well yes you wouldn't expect anything to be proven at this point. There is only a complaint. We are discussing the reasonableness/plausibility of the allegation. All I'm saying is that to me it seems plausible.
> the supposed hacker was the goddamn Unifi Head of Cloud, using the access keys needed to do their job
If this comment from a former employee is correct then no, he had root access to a bunch of stuff for no good reason and their security stance is abysmal.
Nobody should have the root aws tokens. They should be split between two teams and stored in a safe & access should go through another method that is audited
The employee in question was the head of their cloud, so he would have been the one to implement, or drive the implementation of, the proper access controls. Based on other employees' accounts of the guy, it sounds like people were trying to advocate for better access controls/separation but he didn't let it happen (presumably because he was planning on doing something like this).
> Krebs has known since December when Sharp was arrested that:
Criminal Accusations <> Facts until proven in a court of law. All Krebs knows at this point is Sharp was arrested.
And what we all don’t know at this point is whether Ubiquiti is competent enough to have unfettered access to all their customer networks because they failed to defend against insider threats.
> Is it even possible for a company to defend itself from sabotage by the person who is presumably responsible for their security? Seems illogical.
Off the top of my head:
a) don't force your clients to add their networks to be accessible by your cloud, this was their entirely huge mistake. Or by design to enable spying activities. The same way I can log into unifi and set a switch port in promiscuous mode and forward the traffic to my remote ip, so can they.
b) two people required for secure access to sensitive systems.
c) sensitive gear on-premise under constant video surveillance.
d) logging to remote servers under control of "internal security" not "security", regularly monitored by "internal security".
Companies do this and more. They do it by contemplating a solution to a problem rather than dismissing the solution as "illogical".
They can design devices that are resilient to attacks by even themselves. That's hard when your whole pitch is "your devices are connected to the cloud!" though. But maybe that's the problem.
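The split-custody and two-person controls argued for in the comments above (no one holding the root token alone, shares held by separate teams, every access audited) as an added example in Python. This is not code from the thread or from Ubiquiti; the token, custodian names and log format are constructed for illustration, and the construction is standard Shamir secret sharing over a prime field.

```python
"""Split-knowledge custody of a root credential via Shamir secret sharing.

Added example, not from the thread: the root token is split into shares held
by different custodians (e.g. two teams plus an offline safe), a lone share is
statistically independent of the token, and rebuilding the token requires the
threshold to be met and is written to an audit log.
"""
import secrets

PRIME = (1 << 521) - 1          # Mersenne prime M521; shares live in GF(PRIME)
MAX_SECRET_BYTES = 64           # keeps the length-prefixed secret below PRIME

# Constructed sample credential for this example; not a real key.
SAMPLE_TOKEN = b"ROOT-TOKEN-CONSTRUCTED-FOR-THIS-EXAMPLE-0123456789"


def _eval_poly(coeffs, x):
    """Evaluate sum(coeffs[i] * x**i) mod PRIME with Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, share_count: int):
    """Return share_count (x, y) points; any `threshold` of them rebuild `secret`."""
    if not 1 < threshold <= share_count:
        raise ValueError("need 1 < threshold <= share_count")
    if len(secret) > MAX_SECRET_BYTES:
        raise ValueError(f"secret longer than {MAX_SECRET_BYTES} bytes")
    # Length prefix so leading zero bytes survive the integer round trip.
    s = int.from_bytes(bytes([len(secret)]) + secret, "big")
    # Random polynomial of degree threshold-1 with the secret as constant term.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def reconstruct_secret(points, threshold: int, audit_log: list, actor: str) -> bytes:
    """Lagrange-interpolate f(0) from `threshold` points and record the attempt."""
    if len(points) < threshold:
        audit_log.append(f"DENIED  actor={actor} shares={len(points)}/{threshold}")
        raise PermissionError("not enough shares presented")
    pts = list(points)[:threshold]
    if len({x for x, _ in pts}) != len(pts):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(pts):
        num = den = 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    # 66 bytes hold any value below 2**521; strip padding, then the length byte.
    raw = total.to_bytes(MAX_SECRET_BYTES + 2, "big").lstrip(b"\x00")
    audit_log.append(f"GRANTED actor={actor} shares={[x for x, _ in pts]}")
    return raw[1:1 + raw[0]] if raw else b""


def demo():
    """2-of-3 custody: a lone custodian is refused, two together succeed."""
    audit_log = []
    shares = split_secret(SAMPLE_TOKEN, threshold=2, share_count=3)
    custody = dict(zip(["cloud-team", "internal-security", "offline-safe"], shares))
    denied = False
    try:
        reconstruct_secret([custody["cloud-team"]], 2, audit_log, "cloud-team")
    except PermissionError:
        denied = True
    recovered = reconstruct_secret(
        [custody["cloud-team"], custody["internal-security"]],
        2, audit_log, "cloud-team+internal-security")
    return recovered, denied, audit_log


if __name__ == "__main__":
    recovered, denied, log = demo()
    print("recovered matches:", recovered == SAMPLE_TOKEN, "| lone share denied:", denied)
    print("\n".join(log))
```

The shares themselves still need the usual protections (an offline safe, a hardware token, or a secrets manager with its own access log); the point is that a single custodian, however senior, cannot use the credential alone or without leaving a record.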
Maybe? You aren't presenting any evidence for "how wrong he was" and "how he was used by the attacker." You're sure of it? Why? What other explanations are possible here? None?
The HN comment majority also changed from when I made my first comment. At the time I was pushing back against the overwhelming sentiment here and on Twitter that Ubiquiti was going after a journalist just for reporting a breach. The story is way more mixed than that and from the stuff I remember reading at the time Brian wasn't in the right.
I don't want to be overconfident (I don't really know the specifics), but I did want to push back against the overwhelming overconfidence I saw arguing the other direction.
Yeah that's fine but just stating things like that as incontrovertible fact with absolutely no supporting evidence, none, which is what you did, isn't useful. It made me pretty suspicious of an astroturf for example. 9 times in 10 it isn't that but it always looks really bad. It's also tantamount to saying "everyone here is either an idiot or acting in bad faith" and has no reason at all to believe a thing that you are now pointing out is wrong and so clearly wrong that it's the same as stating water is wet. I note now you're providing evidence you're walking it back a bit, which shows the worth of doing so.
It's very common elsewhere. Just keep repeating a thing until it is accepted but it really isn't how things are supposed to be in sensible discussion.
I was replying to someone who said Krebs was "exactly right" - that's what I was pushing back on. My first comment was also more nuanced. The evidence exists for those who care to look and I think what I wrote is in line with it.
If you'd provided any support with that statement at all, or said /why/ you believe that, it's completely fine. Doesn't even have to be correct! We all get stuff wrong. If you believe you provided the support in a different comment, cite it.
"I'm right, go find the evidence if you dare doubt me." Not so useful.
(Except in the US, the law is very biased toward allowing people to say stuff on matters of public interest, and the legal liability from the complaint appears to be limited to paying a lawyer to make it to, and file for summary judgement. https://anti-slapp.org/virginia)
> IIRC the Ubiquiti 'hack' was an insider attack from an employee lying and intentionally breaking things while pushing his lies to the press to hurt his employer.
"Their undetected security breach was by an insider" is not the sterling defence of Ubiquiti that you seem to think it is.
These types of attacks are extremely hard to defend against.
Considering the nature of the attacker (and the HN comments about the guy at the time of the attack) my takeaway of Ubiquiti from this event and their response was positive. I also down ranked my expectation of Krebs’ accuracy.
It’s not personal - he writes lots of great stuff, but his response to being wrong in this case was worse than Ubiquiti’s response to the incident.
Their response, which was to not disclose the breach? Or their late response, which was a vague email you might need to change your credentials? Or the fact that their cloud environment was a joke run by a one man show?
It's like Okta. Of course it's hard to protect against an insider (although Ubiquiti didn't really try), but that's not an excuse to screw up the disclosure.
It's really not that hard to defend / audit the actions of a single lone wolf, even if they're the head of security.
This is just more and more embarrassment for a company that clearly just doesn't understand security, and yet wants to force all the users of their products to rely on them as a trust model by making all of their ongoing product systems completely cloud reliant or at least holding third party root keys to sell ads / customer telemetry.
Security incidents are still security incidents regardless of who was behind it. Putting it in scare quotes doesn't make it any less real. Why should paying customers feel better about any of this mess?
The original article[0] seems perfectly fine. But, if "Adam" (original informant) and Sharp are the same person[1] and Sharp is in fact the person who performed the breach such that this is an inside job instead of an external hack.
IANAL and while I'm not sure of the merit to this lawsuit itself, there's still a lot of problems if your informant is the person performing the illegal activity.
Completely unethical of Krebs not to update his original article and mention this. He got tricked into helping a hacker trying to extort money, and owes it to the community to set the record straight.
> Update, Dec. 5, 2021: The Justice Department has indicted a former Ubiquiti developer for allegedly causing the 2020 “breach” and trying to extort the company.
He never mentions that his source "Adam" was actually the Ubiquiti insider who was extorting them at the time. I mean, the hacker used Krebs to further his extortion attempt and Krebs has never addressed it here or anywhere else.
Yeah, I think the lawsuit is probably bogus, but so is the Twitter logic that people who sue the media are never portrayed in media as good guys. If Krebs was unwittingly used by the attacker, I think he should update his stories, but that depends on that allegation being true.
I don't think that should be worth a lawsuit, but it would reflect badly on him if that's proven true and he doesn't update. Of course, filing lawsuits over disclosure of security issues is also a bad look, but I never used their stuff to begin with.
Really a poor decision to come after Brian Krebs. The crossover between Ubiquiti customers and people that support Krebs, I would venture to guess, is quite high. What a way to incinerate a pile of goodwill.
Ubiquiti have almost no goodwill left. They have abandoned a few lines of (well-liked) products, have introduced replacements which are inferior, buggy and try to entice you to pay for their cloud "solution" (which, as we've seen, is a dumpster fire). Then there were product upgrade ads in the UI. Then there's the generic lack of QA. And the fact they have multiple competing lines of products most of which are abandoned and the rumours are that it's basically shipping the org chart where the abandoned parts are due to teams leaving.
On the homelab subreddit, they're no longer the go-to recommendation they were a few years ago.
I’ve swapped out all of my ubiquiti gear for Mikrotik. Granted, it is not as turn-key and fancy, but it gets the job done a lot better and especially cheaper.
Thanks for the recommendation. I’ve been a long time user of Unifi kit but the utter stagnation of the entire product line has really made me want to start looking for other options.
For instance, I keep hoping for an updated USG3 given the current one hasn’t changed since 2014 and can’t do IPS without throttling speeds to 80Mbps which is simply unacceptable these days, but all they seem to be doing is focusing on big and expensive 1U hardware which I just don’t have room for.
There's a really interesting statement about mindsets here.
Everyone I know in tech would probably agree with you, and consider suing reporters to be a bad approach. But everyone I speak to in business management seems to take the view that this strengthens their view of Ubiquiti.
>But everyone I speak to in business management seems to take the view that this strengthens their view of Ubiquiti.
Ubiquiti basically needs to weigh whether it makes sense to get burned by Streisand effect now or cut their losses and hope journalists don't burn them again in the future when they don't do due diligence on a lead. After reading through the complaint, it looks like their demands are reasonable.
What I'm more interested to know is whether never issuing a correction/retraction is going to work for or against Krebs.
How would due diligence on a lead help here? Beyond establishing that 'Adam' was a company insider, I don't see how any due diligence could have picked up this set of facts.
"Within five years of the appointment of a business manager, wages decline by 6% and the labor share by 5 percentage points in the US, and by 3% and 3 percentage points in Denmark. Firms appointing business managers are not on differential trends and do not enjoy higher output, investment, or employment growth thereafter."
I'm not who you are talking to, but the bar to having a successful outcome for this type of suit is very high. Anyone who is familiar with litigation and the bad PR that comes with this type of suit would run from this as quickly as possible. Remember, ediscovery goes both ways in a suit like this.
I'm halfway through outfitting my parents place with ubiquiti gear (following a successful half year of using in my own home). Now I need to decide whether to ditch what we've already bought, keep using half the gear, and use other companies for the other half, or eat the cost, and get rid of it.
Although I wish Mikrotik sold directly from their web site. Did you buy from Baltic?
That said, I am really excited about their forthcoming pre-paired PTP Gigabit link kit. I have been using ancient Ubiquiti paired links and need a replacement.
Can you recommend any models? I'm after as much speed as possible and ideally POE. It’s for a home setting. Their range is slightly daunting and I can't see anything that looks like what I want.
So basically, at the thought of a company suing a reporter for lying, an allegation that has not been proven or disproven at this point, you're thinking about spending hundreds/thousands of dollars to not use stuff you've already bought from them? Like how does that hurt anyone but you?
I suppose their bigger problem is the complete lack of security around the company, the serious turnover, and yes, suing journalists is never a sign of a nice place.
1. So the families suing Alex Jones, they are in the wrong? Suing a journalist for lying is quite common and normal practice. Thinking poorly of someone for seeking the protection of the court is not a good thing. Just because you like this journalist doesn't change the fact the company is entitled to the protection of the courts if someone legally wrongs them.
2. To be fair, this is the big one. Who does replacing all the hardware ALREADY BOUGHT hurt other than the customer who bought the hardware? You're generally not getting a refund because you no longer like the company. The company has your money. It's not like their products are things you buy on a monthly basis. You aren't hurting the company.
That's an interesting take, because it's not "going after Krebs", it's setting the stage to recover from damages from an employee who manipulated and bullied their way into access and power by taking advantage of the trust of Ubiquiti's current and potential customers in Krebs.
They're not suing to censor a researcher or to create a chilling effect on reporting about security or their company. They have to sue to show the court, their customers, and their investors exactly how Sharp manipulated public opinion to damage the company so he could "save it", how Sharp used Krebs' authority as a security reporter to damage the reputation and trust in their brand to apply that pressure and force leadership to act in the way he wanted, and to be able to claim appropriate damages by rightfully discrediting a false and inaccurate report.
Krebs either has to weaken his own brand and admit he was played or stick to his guns that he faithfully reported. Either way, this lawsuit ensures he's got to correct the report.
I have really been enjoying the gear that comes from FS (fs.com).
Late last year I kitted out my home with a switch and two wireless access points.
The switch (S3410-10TF-P) does everything that you expect a switch to do. It has a pretty simple web interface, and a pretty comprehensive CLI.
The access points are AP-W6T6817C (6800 Mbps WiFi 6, 802.11ax). It is rebranded from Ruijie Networks. The access points have a simple web UI for configuring everything, the range is pretty awesome. Multiple radios can be configured with separate SSIDs that have access to different VLANs.
The usability is less than Ubiquiti, but it seems that they work a little better than my old UniFi setup that this replaced (though, that was purchased more than 8 years ago).
There's WPA3 support.
Getting data via SNMP into Prometheus means that you can see per-client usage history, too.
for home use at this point I would also recommend mikrotik routers over anything ubiquiti edgeOS based, since they seem to have abandoned development on their fork of vyatta... the $50 edgerouter-x (ER-X) as a standalone wired gigabit router was a good choice in 2017 but not so much anymore.
I like Mikrotik gear but IMHO their wireless stack isn't great.
I moved my four HAP AC devices onto OpenWRT; speed and stability has been much improved, and roaming works much better. If you don't need WiFi 6 then I'd go as far as to say this is a great solution.
That has been my (one?) major complaint with my Ubiquiti APs - I have four of them scattered around my house/garage and moving between them always suffers a bit of a delay in handing over (or refusing to hand over at all).
I recently migrated a router (not Ubiquiti) over to OpenWRT and have been happy with the stability. I read a bit about roaming, but thought it looked a little daunting.
I did lose the central management interface of Mikrotik (CAPsMAN) but for my home set-up this wasn't a big deal. I used the backup and restore capability in OpenWRT's LUCI interface to clone most of the settings.
Roaming / fast transition now works much better. I do still lose a few packets as I wander around but nowhere near as flaky as on the Mikrotik stack.
I did spend an inordinate amount of time optimising channels, signal strength and placement etc. on the Mikrotik stack before migrating over, and so I kept these settings on OpenWRT. I think a lot of making wifi work well is in this particular black art. All things being equal, though, OpenWRT works better for me.
for the majority of use I recommended them for the speed/pps bottleneck was the last mile DOCSIS3 connection (150-350Mbps down x 16 up), wouldn't try to use one with an actual symmetric gigabit link.
every once in a while this question comes up and i find myself browsing around on amazon at single board computers with built-in wifi and four port switches that are for installing openwrt or linux/freebsd yourself on them that run about $300-$400 and wonder "why not?"
are these any good? has anyone had any luck with going full oss for this stuff?
Yes, they’re great. Protectli is a solid brand with quality NICs (if a bit overpriced). I have several, running a mix of pfSense and Sophos Home for several years. Zero issues. Their Intel Atom units are plenty powerful for a gigabit cable connection.
You can also search AliExpress for “fanless pfsense” and find lots of options for less $$$.
For APs, you could also check out the Cisco Small Business line. Their 240 is the same hardware as some of their enterprise access points, and pretty trivial to set up.
If you are in the US, I'm pretty sure I saw very similar devices sold there as well, but didn't keep the link as buying from there would be too expensive.
TP-Link devices have been shown to ship with backdoors baked directly into the firmware.
The TL-WDR4300 and TL-WR743ND have a special unauthenticated URL that causes the device to connect back to your IP, download a file, and execute it as root.
The TL-WA701ND and similar models create a hidden SSID that acts as an unauthenticated bridge into your network.
If you can even manage to report security issues to them, they will only patch models you specifically tell them are vulnerable. So as a researcher you have to buy one of every model to actually get things fixed.
There are thousands of issues. I updated my comment with a few examples.
They suffer from extremely poor code quality, a complete lack of understanding of security, and severe code reuse without recording what devices the code ends up in. You can take existing TP-Link exploits, poke around in a new model of device, and often find the same vulnerable endpoint under a new "hidden" URL.
Edit: to address your specific question, CVE-2021-35004 is RCE against both routers and standalone APs.
You are comparing their consumer routers to their business line-up. The management interface for the business line-up can be properly segregated onto separate VLANs to protect it.
Sadly the consumer department doesn't seem to follow the same model as their business department.
Ubiquiti seems to be arguing (count 1) that Krebs defamed them by not clearly identifying Sharp as his source in the December 2 post and December 5 update to the original article. That simply updating the original article constitutes repeating everything contained in it and is therefore defamatory beggars belief.
They also argue (count 2) that the initial March article was defamatory. But it can't have been if Krebs at the time didn't know the information provided by his source, Sharp, was false. Presumably Sharp didn't share with Krebs that he was the one behind the breach, so Krebs wouldn't have had particular reason to suspect he was providing false information. Maybe Sharp defamed them, since he obviously did know he was telling falsehoods, but it's hard to see how Krebs did (and two of the supposedly defamatory statements in count 2 are just Krebs describing or quoting what Sharp said).
Bad journalistic practices may abound, but I don't think any of that constitutes defamation. Neither Krebs nor Ubiquiti look great here.
Krebs is a sleazy underhanded journo, too fond of doxxing his targets without any notion of 'due process' and buying leaks on the black market. I was tricked into reading his scoops and it took a couple of years for the truth to trickle down into my coffee-addled brain.
Krebs was basically the definition of an unwitting accessory on this one. His “I got the facts right” post afterwards when it became clear that he enabled the reputation damage at the behest of the extortionist doubled down on the damage.
I’m not sure I agree with Ubiquiti's decision to go after him - see the Streisand effect - but he has made some really dubious choices.
WHEREFORE, Plaintiff Ubiquiti Inc. demands judgment against Defendant Brian Krebs as follows:
(a) awarding compensatory damages in an amount to be determined at trial, but greater than $75,000.00;
(b) awarding Ubiquiti $350,000 in punitive damages or in an amount to be determined at trial;
(c) awarding Plaintiff all expenses and costs, including attorneys’ fees; and
(d) such other and further relief as the Court deems appropriate.
Which is certainly a lot of money, but nothing compared to the billions Krebs' supposed "defamation" cost Ubiquiti. I suppose their goal with this must be to improve their reputation with potential business customers?
Ubiquiti don't have business customers in any significant numbers. Their support and QA are basically non-existent, and after they destroyed their reputation with the homelab/tinkerers community which might have helped fill that gap/make the jump, they're on a downward spiral.
They already had all the problems listed before the security debacle. The only thing added is that now everyone knows their "cloud" is of very poor quality and has no real security.
So now, suing a journalist is going to fix their reputation? Good luck with that, there's around zero chance of that happening. The way to fix their reputation would be to consolidate product lines, do QA and not ship broken software, and stuff like this. Admit mistakes were made, and outline their strategy on fixing them (the parts about abandoning hardware lines and security). Digging in won't do them any favours.
It doesn't look like digging in, it looks like they're preparing for a pivot, hopefully towards the points you addressed. It's kind of obvious people are only miffed because of who they're suing, but this is a required step in moving forward. It doesn't mean they just want money (it's kind of a low amount) or don't intend to settle.
This situation also brings a much more interesting problem to light, namely, how do companies protect themselves and recover from internal sabotage?
ubiquiti also has a very poor recent track record of EOLing products and making it near impossible to use - earlier generation security cameras and unifi wireless APs, for instance, which still work perfectly fine. But now it's an incredible hassle to find the linux packages to install on your own hardware to host the controller for them.
you know that something has gone wrong with a tech company when the founder's ego has inflated to the size that they think the best thing in life to do is buy a professional basketball team.
Interesting, I have 3 edgerouters and UniFi AP which have been trucking for the better part of a decade. Can you point me in the direction for sources for their EoL issues?
I am about to double down on Ubiquiti as the networking backbone and security cameras for my new house, so I have a special interest in this currently.
Look up Unifi Video if you want to see what became of it. AFAIK you can still self-host it just fine but their NAT-punching/forwarding service was killed.
I've spent several thousand $ on Ubiquiti hardware. After a poor experience with their support team and shitacular integration between their ERX and UniFi products I'm looking to change vendors.
To be clear with my own experience:
- Ubiquiti requires an online login to use UniFi products (which you _should not_ encourage especially for home/prosumer use)
- UniFi does not integrate with the products that you might have purchased when you were less experienced or have less requirements. For example: I bought several EdgeRouter X products then moved on to UniFi products because I needed SFP+. UniFi management does not manage any EdgeRouter devices despite being manufactured by the same company, so I effectively have a dozen different network management pages to deal with.
- The web interface for UniFi is terrible; they've had a "new" UI and an "old" UI and support requires you to use the old UI to retrieve information to solve a lot of the problems. The "new" UI looks nice but often renders incorrectly (especially the network topology page).
- Support will sometimes ask you to SSH into your own devices to do certain steps that can't be done from their fancy UI.
- UniFi has several different settings pages all with overlapping and confusing terminologies instead of having an actual _unified_ settings page for all of the products being managed.
- I've also had trouble managing their updates insomuch as one device that they claim was bricked but in fact simply wasn't compatible (and wasn't _advertised_ as incompatible) with my network settings. They told me to RMA the item (at my own cost) and the replacement item had the exact same problem and required additional troubleshooting after I'd already spent money and time to return the item. After resolving that problem, with a USP-Plug, it ended up creating its own wifi network whose security can't be configured by me. I'm sure glad I don't have to deal with network audits...
I think Krebs is a scapegoat. That doesn't excuse any incorrect information he has on his blog. But Ubiquiti certainly isn't a bastion of good either.
They did? I have an AP and I keep the old version of their admin app on an old computer, but when I tried to install something newer it started some crap with a cloud login so I gave up.
Did they revert it? You can really use an AP with recent firmware now without connecting in any shape or form to Ubiquiti servers?
Although it's not covered in the basic setup, I'm fairly sure you can set up your own controller locally and set the adopt URL on the AP (via ssh) to match. This process requires no internet beyond downloading the controller software (they maintain a .deb and provide source).
I think initial login is via your UI.com account, and then it's very easy to disable cloud login and create local-only admin account, as well as completely disable remote access via unifi.ui.com.
I must say this is a bit of an extreme/maximalist position to take - I agree being local only by default, or having the option to choose during setup would be better, but the option is there.
As if I need another reason not to recommend Ubiquiti...
Yes, Krebs's reporting wasn't great and he should have retracted the original article once the facts came out, but I don't think being a bad journalist is something you take someone to court for.
You could argue they have reason to sue because this reporting can impact their reputation and business when it seems the information was found false enough to retract. However it would’ve been better to let this one pass, because now they just look worse.
This could backfire on Ubiquiti - considering Krebs's stellar reputation already, if it does go to court and they rule in Krebs's favor, it becomes even more devastating to winning any further Enterprise market contracts.
It could kill Ubiquiti on all enterprise deals with "cybersecurity business risk" factors each enterprise weighs before making decisions.
Krebs does not really have a stellar reputation. He seems to enjoy doxxing random people who criticize him.[1]
He generally does good work but the thing he's being sued over was an example of lazy journalism. I would expect a seasoned journalist to actually verify the claims being fed to them rather than regurgitating things blindly. He didn't do that in this case it seems, instead buying the story he was being (figuratively) sold completely and not bothering to do any checking.
Ubiquiti might not be doing themselves favors in PR here, but if they have actual proof that he knew they were not covering it up, and there are provable damages, this won't go the way people want. That's going to be a really high bar for them to clear though, barring them responding directly to a request for comment with "no absolutely not we're investigating and will release details later" or something to that effect.
Defamation suits on this scale are difficult, just look at what's been happening with Fox's election system related lawsuits[2] -- judges keep ruling against them on requests for dismissal. They may not ultimately lose any of these cases based on the facts but they also have the resources to make that a lengthy journey, where I don't think Krebs does.
> Yes, Krebs's reporting wasn't great and he should have retracted the original article once the facts came out,
I mean, his source wasn't great, but the fact is that they were suffering a breach. The fact that the breach was an undetected insider hardly makes things better.
While there have been remote exploits against exposed management ports, the vast majority of compromised Mikrotik devices are caused by insecure configurations by users. Mikrotik is huge in the smaller ISP world and especially in developing countries due to the low cost, but those users are not always the most security conscious.
The linked article from Microsoft goes into some detail about the vulnerability in Mikrotik that was being used, and there are many other examples of this happening. Weak creds are also an issue, but their software is pretty buggy from a security standpoint. If you run Mikrotik gear exposed to the public internet, I hope you have good logging and are keeping a sharp eye on it.
Now hang on, the linked article mentions how a Mikrotik with compromised creds can be used as a C2 (as can most routers), and goes on to list the primary methods of compromise:
Default creds (configuration issue)
Common creds via bruteforce (configuration issue)
Exploit of CVE-2018-14847 (4-year-old patched vulnerability).
All of the methods mentioned require local network access in a default configuration. None of these are issues from the public internet.
If you have lateral movement within most networks, you're already likely to have the ability to route and disguise traffic and use the network as a relay point.
I am interested to read of your "many other examples". I'm yet to see a serious network gear vendor without big vulnerabilities to their name. From memory, Cisco had about 4 backdoor root accounts found and CVE'd in 2018 alone.
My exposure to Mikrotik is that you need to download some windows executable to speak some bespoke protocol to perform configuration of the device (specifically for RouterOS)? Is that true?
I've got some of their switches running SwitchOS, which is great, but my minute exposure to winbox has thoroughly put me off anything that uses RouterOS.
You can do everything through the web interface called "WebFig" (or even SSH console), but honestly the Winbox MDI is much more convenient. I think the only Winbox-exclusive feature is connecting through Ethernet packets (without IP).
(1) SSH into your box for shell and use the command line interface
(2) Use the comprehensive web interface
(3) use the shell tool in the web interface
(4) use wine to run the client
Brian Krebs is more than a bad journalist. He harms people and companies for his own gain. I have never heard of Ubiquiti, except here on HN, but I think they're completely right in suing him.
Am I alone in thinking better of Ubiquiti through this?
I remember when the original post came out and I was worried about having compromised gear at home. Then it turns out it wasn't true and the author of the post refused to update it to acknowledge that he was manipulated after it became clear. I don't follow Krebs so don't have an opinion on him but I'm happy the security problem is a non-issue.
No, you're not alone. In times where so-called journalists consistently churn out lying unverified articles we'd be well served if more of them faced any kind of consequences of publishing lies knowingly.
Thanks for making me defend my viewpoint. This isn't my field but my rationale in saying this is because their system was not externally breached and they also said no customer data was accessed or even targeted. That's reassuring in that I don't think my (home) hardware is in danger. I do have the log in from cloud with credentials feature turned off from what I recall and changed my local password. I think it's hard to defend against an internal bad actor but you are right he could have sold hashes or left a backdoor or something.
I do agree with the anti-SLAPP comments having read more about this since I posted that.
Thanks for describing your thinking. I'm also not an expert but read more about this stuff than most people.
If you read carefully, Ubiquiti did not say that no customer data was accessed, they said they have no evidence that customer data was accessed. The first article Krebs wrote quotes the employee (likely the person arrested) saying that this was because they didn't keep logs long enough (this fact was confirmed in Ubiquiti's complaint). That it was the person accessing the data who was able to get rid of logs showing the data accessed doesn't change the lack of logs. It was externally breached in the sense that an employee downloaded the data from outside the company and could have done anything with it prior to being caught (and could potentially have it stashed somewhere for later use). Ubiquiti also never denied that legal overrode technical considerations in not forcing all accounts to be reset. The initial reporting was substantially correct and the post was updated when new information was available.
One thing that might be slightly comforting for customers is that Ubiquiti claims in the March 31 update (linked from the first article and quoted in the last comment on that article) that customer data was never mentioned in negotiations, although that is a specific detail not just who accessed the data. There are potentially some theoretical reasons someone attempting economic sabotage as an employee might be less likely to access customer data (e.g. the average attacker might be more likely to be in a legal jurisdiction where they are unlikely to ever face a judge while an employee in the US may want to be able to tell a judge that they didn't access customer data if they get caught), but I wouldn't count on that at all or make any distinction about what to do based on the employment status of the person who accessed the data (if employees stealing data were less likely to release customer data in general they might decide to do so for no other reason than to look less like an employee stealing data). Sounds like you took reasonable steps. Most if not all companies are breached at times, a company that has no disclosed breaches almost certainly just has a policy of never disclosing them.
It’s disappointing to hear that Ubiquiti is engaging in this behavior. I’ve enjoyed and recommended their Amplifi products in the past, but it will be much more difficult for me to consider supporting them in the future. I wonder how their PR team determined this would help their image and reputation.
I’m an attorney who has both filed a defamation case, and installed then junked Ubiquiti routers and APs.
If the facts as alleged are true (as an attorney I usually assume they aren’t) then heck yes they should sue. This is the type of defamation case that actually doesn’t get dismissed. I.e. making specific, factually incorrect statements, directed at the business of the Plaintiff, for Defendant’s own commercial gain.
Seems like a ridiculous suit, but it also seems like Krebs calling it a cover up is sort of a gray area. They did send some sort of notification, but didn't necessarily conceal it either. Looking forward to the ruling and reasoning - the legal determination of what constitutes a cover up. Especially since most places use the generic type notifications.
Generally I tend to take a dim view of bullies, and an $18B company suing an independent journalist for saying mean things on the internet is basically the textbook example of that.
Generally I take a dim view of shoddy journalism. Not doing adequate investigation before printing, then refusing to retract when it turns out you were wrong is basically a textbook example of that.
I get that people really like him, but he had plenty of time to do the right thing here and has nobody to blame but himself.
That gray area strongly favors Krebs. They have to show Krebs knew that there wasn't a cover up. Krebs can make an affirmative defense that basically says "this honestly seemed like a cover up to me" and win.
Do you have experience in the courts? It's an absolute shitshow. I've seen a magistrate think that I'm calling them prejudiced when asking to dismiss with prejudice... really. Magistrates aren't required to be lawyers or even pass the Bar. I thought the next level up would provide some level of competence, but no. The judge had poor logic skills and even poorer knowledge of the rules of criminal procedure (spent their career in family court and was past retirement age, so they brought them back as a senior judge in criminal side). Guy couldn't logic his way out of a wet paper bag.
Even if you get better judges at higher levels, which is debatable given they are either politically elected or politically appointed, the cost in time and money dramatically increases.
What surprised me is that the company demands over $375,000 (+ attorney fees), which is several years' income for an average person. But have you ever heard about a company being fined or sued for an amount equal to its several-year income?
Also, as I understand, all Krebs has done is write "X told me about Y". How is that statement false, if X really contacted Krebs and told him about Y?
> Also, as I understand, all Krebs has done is write "X told me about Y". How is that statement false, if X really contacted Krebs and told him about Y?
My advice would be to read the actual complaint[0]. It goes into detail why they are doing this and their various points. The part that is interesting to me at least is Krebs intentionally labeling Sharp differently depending on the sentence in the same article.
> 6. Krebs alternated his descriptions of Sharp, first he describes Sharp as a current employee. He then describes Sharp as a “former Ubiquiti developer” to deceive readers into believing that the sourcing for his original story was a legitimate source—someone other than Sharp. Krebs, therefore, intentionally concealed the fact that the only support for his reporting came from the very person who had just been indicted for hacking and attempted blackmail.
It is completely obvious to everyone that there is no deception here. Sharp was an employee at the time of the first article but presumably wasn't at the time of the second article (post arrest). The clear implication is that the previous employee source was quite likely the person arrested. The previous article contains a link near the top to the new information. This is purely Ubiquiti harassing Krebs, who does things by the book because he gets harassed all the time from all sides.
> "In March, a Ubiquiti employee warned that the company had drastically understated the scope of the incident, and that the third-party cloud provider claim was a fabrication. On Wednesday, a former Ubiquiti developer was arrested and charged with stealing data and trying to extort his employer while pretending to be a whistleblower."
This does not seem completely obvious. He uses "Ubiquiti employee" as the source of his first story, and then "former Ubiquiti developer" as the guy who was arrested when it was published. These are two different descriptions used just a sentence away from each other, making it sound like two different people were involved.
He almost certainly knows if they are the same person or not since he would have needed to confirm that his source was actually an employee, but he does not want to confirm that in a way that undeniably makes the identity of his source public. In this case the breach was much worse than initially revealed and internal vs. external is a relatively minor issue. While I didn't read the whole complaint, searching for a few keywords suggests that Ubiquiti is not disputing that their legal department overrode taking appropriate measures to protect customers, the other key point of the initial article (the main point even). An interested reader will effortlessly make the connection between the arrest and the source without it being 100% confirmed that they are the same person, and it is quite obvious that someone who was an employee will no longer be an employee after being arrested for stealing from the company; this does not in any way make it sound like a different person. Developer is more specific than employee but not at all contradictory and also does not suggest a different person. As unlikely as it seems in this case, consider if the source actually was someone else, either in this case or a similar case in the future. Never revealing sources is the safest way to protect all sources. The way the article was written provides all the relevant information without definitively confirming the identity of the source, just as it should.
Well then I guess I'm finally done with Ubiquiti. The company that makes my network devices needs to take security seriously. Clearly Ubiquiti does not.
Corey is really playing up the media aspect here. I think Corey's tweet exemplifies the problem here which Krebs's speculation helped spread; Ubiquiti had no actual security breach, they had an insider ransom fraud. Krebs was also a victim, as the conduit for the attacker to speak as a "whistleblower". When they notified Krebs, Krebs left up their unfounded speculation. This isn't what reputable news organizations do. Despite all of this, it's probably going to be hard for Ubiquiti here; it obviously has a good chance of not making it to trial.
I was waiting for the arrival of WiFi 6E APs from competitors before ditching my Ubiquiti setup, but may have to accelerate my migration away from them. I had already replaced my USG with an OpenBSD firewall and blocked all Ubiquiti devices from being able to connect to the Internet as a mitigation.
Being cloud-free is a hard requirement for my network equipment.
It genuinely sucks, because Ubiquiti and pfSense were my top contenders for my major network overhaul. I genuinely like the UI of Ubiquiti, the modularity and features.
But moves like that make me very careful about going ahead with the purchase.
It seems like I will need to learn how to operate pfSense.
Thank you! It seems like it is genuinely hard to make a safe decision these days. In such cases, the question appears to revolve around, which appears to be less bad.
Ubiquiti seems to offer a lot of products, so it's hard to know what everyone’s use case is, but for home wi-fi I found Netgear’s Orbi mesh system surprisingly capable.
The crux of the issue is that the "hacker" was the head of cloud at Ubiquiti, who used Krebs as part of an extortion attempt, which was only possible because apparently Krebs is a bit of a lazy journalist with poor due diligence habits.
What exactly does Krebs have to offer if Ubiquiti "works with him"?
About 10 years ago I was pushing for ubiquiti at the fortune 500 company I was a jr network engineer for. Mostly because they were the most open vendor and didn't require an "appliance" to run the management software. The rest of my team laughed at me and we only really tested Aruba and Cisco.
Even though we never went with it I feel like a sucker every time they come up in the news lately.
I was already off the Ubiquiti train once they started forcing people to buy a hardware appliance for Unifi Video, rather than allowing the previously 100% working software package to be used.
Extend, embrace, extinguish. They had the enthusiast crowd and got greedy.
IIRC the Ubiquiti 'hack' was an insider attack from an employee lying and intentionally breaking things while pushing his lies to the press to hurt his employer. Krebs was wrong and tricked by the employee. I don't know if that justifies this legal action, but it's not the normal going after someone who reported a breach. This one is more complicated.
I'm pretty sure Corey is wrong on the facts in this case (and so was Brian). I also felt a lot better about Ubiquiti once the dust settled and the details about Sharp came out.
Edit: I missed this comment thread which basically says the same thing: https://news.ycombinator.com/item?id=30850793