Ubiquiti vs. Krebs (courtlistener.com)
378 points by ghostoftiber on March 31, 2022 | hide | past | favorite | 245 comments



As a lawyer, I've read this entire filing and it seems like nonsense at a glance.

Krebs mentions the person was arrested. Ubiquiti claims first that he doesn't point out that the person he sourced it from was arrested, and that he tries to mislead people by not saying repeatedly that the person is basically a felon, and that being arrested makes him an invalid source of evidence, etc. They also claim he describes him as a current employee.

This is all nonsense AFAICT

1. Krebs mentions the person was arrested.

2. Krebs says "In March, a Ubiquiti employee said X". That was accurate at the time (AFAIK, and Ubiquiti cites no real evidence I see that Krebs should have known it was not true).

3. Krebs carefully points out the arrested person claims x and y (which is accurate).

4. The filing says Sharp made false claims, and spends a paragraph explaining them.

5. The filing says Krebs made them too, but ironically, for all of its bluster, doesn't cite where and when (that I can see), and which exact claims, they are claiming Krebs said that were false.

6. The filing cites no evidence that Krebs knew or should have known, in March, that the claims were false. They get into some weird arguments about their 10-Q filing but it's hard to understand the point they are trying to make. It appears they are trying to claim that Krebs should have known they notified the public, but I think that's kind of a silly argument - Krebs is clearly talking about their users, and most users do not read 10-Qs. Saying you notified the public because you put it in a 10-Q is like saying you notified the public because you put it in a classified ad section. It's dumb wordplay.

7. The December blog post they say he "doubled down on" seems again, carefully written to say what Sharp claims, not what Krebs claims.

I could go on.

The whole thing is, IMHO, not written very well. It's very emotionally written for a pleading, and you will be hard pressed to find a judge who will get themselves worked up over that kind of writing. Instead they mostly roll their eyes and wish that someone gave them a clear and convincing pleading instead.

Put another way - if there is a case here, it isn't visible on this pleading. This feels like "throw a bunch of emotional stuff at a wall and hope it sticks", where you really want "here is an open and shut case of why this person defamed us".


I'm also a lawyer. The things that caught my attention were the embarrassing misspelling of the word "damning" as "damming," and the fact that this was drafted and filed by a specialty boutique law firm (Clare Locke LLP) - I'd have expected a company with Ubiquiti's resources to bring out the big guns with a white-shoe Washington-area firm. Makes me wonder if the company is on the skids.


I guess they filed in VA because they have no anti-SLAPP laws there so they didn't necessarily have their pick of firms:

Via Twitter, T. Greg Doucette, a criminal defense attorney and former computer scientist, opined that Ubiquiti's lawsuit would be considered an attempt to suppress lawful speech – a strategic lawsuit against public participation, or SLAPP – in states that have anti-SLAPP laws.

"It's a SLAPP: the coverage by Brian Krebs was substantially true and/or First-Amendment-protected opinion, and the lawsuit basically admits it in the text itself," Doucette wrote. "But Ubiquiti intentionally filed in Virginia, because there's no anti-SLAPP statute there."

https://www.theregister.com/2022/03/30/ubiquiti_brian_krebs/


This is not quite correct, AFAIK.

https://www.rcfp.org/anti-slapp-guide/virginia/

It's true it's not the "motion gets ruled on within 15 days, before discovery" type of anti-SLAPP you see elsewhere, but it's not "no anti-SLAPP".


In fact, my guess is all the commentators thinking VA is about anti-SLAPP are wrong. My guess is VA is about some state-specific cases or interpretations of defamation law around corporations they thought were more favorable to them (I'm barred in DC and MD, but my recollection is that VA has some). They were going to face a relatively fast motion to dismiss in any state.

What really will matter is how favorable the state views the defamation-against-corporation claim, whether it has an anti-SLAPP law or not. If the state views it as strong, anti-SLAPP wouldn't matter because it would survive. If the state views it as weak, anti-SLAPP may kill it a little earlier but it will still go badly for them quickly.

The only practical advantage to the anti-SLAPP for defendants like this is that A. you often can get a faster hearing B. you often have guarantees around damages for bad-faith claims.

Anti-SLAPP is much more useful when it's David vs. Goliath, and the small guy either needs a hearing in a week or two or ends up bankrupt from lawyer fees.


VA is right next to DC; there is no shortage of white-shoe counsel in the state.


To be fair, Clare Locke specializes in defamation. They are counsel for Dominion in the suit against Sidney Powell. They are counsel for ShotSpotter against Vice Media. Etc.

They actually appear to have sued a lot of media companies at a glance.

But it's hard to tell. I think it would be more accurate to say "if you want to sue someone for defamation, they'll do it as long as it's not a conflict" :)

(I.e., they don't seem to be particularly pro or against anything.)

It seems like a reasonable firm to hire for defamation if your goal is something like "get people to retract claim/apologize or go at them legally until they do".

But to your point, it's definitely not the "bury them/grind them to dust with a million lawyers" they would get at a large law firm.


I don’t know much about how law firms operate but could it be that the big fancy firms wouldn’t want this case if they think it’s a losing one? If they possibly considered it a “free speech” type case that wouldn’t fly in most states like the other commenter mentioned could they be concerned about their reputation?


That's what I think - the big firms are perfectly capable of filing lawsuits that are just on this side of frivolous, but they will charge quite well for that.

The smaller firms are more likely to be willing to say "eh, it's your funeral".


Maybe someone high up in Ubiquiti got their ego bruised and the action is internal bully appeasement, not actually intended to succeed.


That's what it sounds like, now that you say it...


Not a fan of Krebs but also not a critic. Litigation is expensive, and the purpose is to scare or bankrupt him, validity is irrelevant.

Will never use any product of this company.


They had good products for a long time, but it's gone very downhill in the past few years (lots of internet stories about why this is happening).

I've had enough bad experiences that I recently moved my routing/IDS to a dedicated box and am slowly moving away from their switches.

No reasonable replacements I've found for their APs yet though (Meraki is too expensive).


You have any links to those stories? Would be interesting.

Personally I hate the way they're going towards cloud accounts and dedicated management boxes. We used to be able to just install a docker to manage everything but the latest hardware ranges (eg their video offering) require dedicated management hardware. They're also pretty slow with uptake on new standards like WiFi 6 and now 6E.

The ideal selling point of ubiquiti was self-managed near-enterprise quality hardware with free self-hosted management and decent hardware prices.

I can't fully blame them because I know venture capital idealises subscription pricing and data mining right now but it won't work for me and it's annoying having to look for another option again when I'm invested in their ecosystem.

But anyway it would be interesting to read more about what's going on behind the scenes.


"Gotchanomics" is such a shitty model - you get something valuable, begin to trust the vendor, establish a system with their equipment, and then they pull a bait and switch, trying to get away with shitty service, mediocre replacements for good products, moving services to the cloud and subscription based nonsense - Nickel&Dime As A Service.

If I'm faced with paying premium rates, I'm going with Cisco and premium vendors. Ubiquiti's value was good equipment at reasonable prices to the point that you could buy spares for reliability and save 90% of the cost of service contracts from premium vendors. That differential was the absolute wrong space for them to try to tap for more profit, because nothing else was special about the brand. Cheap, decent, "good enough" network gear is now a market available for exploitation; Ubiquiti has lost it.


> "Gotchanomics" is such a shitty model - you get something valuable, begin to trust the vendor, establish a system with their equipment, and then they pull a bait and switch, trying to get away with shitty service, mediocre replacements for good products, moving services to the cloud and subscription based nonsense - Nickel&Dime As A Service.

Exactly, well put.

For what it's worth, I have been bitten by this practice of "gotchanomics" so many times that I've become a bit sensitive to any signs pointing to it.

I'm not 100% sure Unifi is doing this with their existing products, but new ranges like the video stuff require a modern management box which in turn requires a cloud account as far as I've heard. I've decided not to buy those for this reason. But it undermines my confidence in buying new gear for the ecosystem because it really feels like this will be the next step.


Like, for example, I have switches that get confused and start reporting things are connected to ports 57-62 (on a 24 port switch) and switching them wrong, etc.

UI they have been slowly screwing up more and more for years (How many years are they into the "new UI" migration for the controller?).

But the actual switching is pretty basic stuff (and a separate hardware chip they are driving that is not hard to drive), and simply shouldn't be going wrong in this way.

I've also got a UDM-SE and UDM-Pro that seem to have hardware issues on the SFP+ uplink when connected in certain ways (and won't break 500mbps upstream) no matter what SFP+ module is connected (fiber, DAC, etc) if the LAN SFP+ port is connected at 10gbps. All the same modules work in every other router (MikroTik, etc) connected the exact same way. (Yes, before HN tries to debug this, IDS/etc is all turned off. There are no nft rules, no nothing; I have debugged this to death through the actual shell.) Others have had the same issue.

They also have an $1800 ptz camera that can't follow objects even when it detects them (This is 100% basic functionality of a PTZ camera, especially at this pricepoint), despite promising it for years.

I have lots of these kinds of "why is basic functionality broken or missing" stories. Ubiquiti gets it out the door, says they'll fix it all in post, and moves on to the next thing.

They aren't a hardware manufacturer, they are a bad AAA game developer :)


Can confirm, same issues with SFP+ on my UDM-Pro. The software updates for this thing have been so bad the last year, incredibly buggy, it's infuriating.

My current favorite was the update to the AP Pro APs that broke everything if you were using a wireless uplink (I was using one to bridge a semi-decent signal to my garage). Clients connected to that AP had zero connectivity to anything else, despite the Controller saying "all good!"


Gee... I'm glad I walked away from it. I was about to go for the UDM-Pro when updating my home network devices. Then I read on HN that they were putting ads on the console pages. But that wasn't really about the product itself. What you mentioned were really, really serious product issues in areas I suppose almost every other vendor is rock solid.


> ...venture capital idealises subscription pricing right now...

Pera owns ~91% of the company, it all comes from the top.


If you've set up a local-only controller, avoiding cloud nags, and poked around via SSH on their boxes, you'll realize it's nice, solid hardware, but the adoption process is a brittle and buggy mess. The controller is Java and MongoDB and picky to install, but fortunately someone is making Dockerfiles for it.

I think it's still an okay value but you need to watch your flanks.


You can still use their products without a dedicated box or cloud accounts by running the UniFi admin console in your own network. Can you clarify what you mean?


All of my wireless gear and most of my switching is UniFi running against a self-hosted controller without cloud access. This works fine.

However, UniFi Protect is hardware only. You have to have either a UDM, a CloudKey Gen2 Plus, or a UNVR. I bought into Protect a couple years ago and now I'm sort of stuck with it. I _think_ that I could de-provision the cameras from my UNVR and use them standalone with BlueIris or Frigate but I've heard stories that they gimp the RTSP resolution on the G4 Pro camera (of which I have three).


I understand that the UDM range of products can no longer be set up without a cloud account, and none of the video products can be hosted locally.

I was thinking of a newer gateway as the USG is too slow to do decent IDS. And the video for my home... But I didn't buy either for this reason. I looked at it about 2 years ago.

It feels like they want to do the same with the older network gear but they just won't because there will be too much backlash from the move.


They don't necessarily promote their self-hosting software method of Unifi management, and they outright removed support for Unifi Protect unless you buy hardware.

Want your surveillance video to be cloud-hosted or on your own pre-existing RAID? Pound sand!


Aruba has some 'instant on' units which might be a decent replacement but I don't have nearly enough experience with them to say for sure.

https://www.arubainstanton.com/products/access-points/


My employer switched from Ubiquiti to Aruba. Much, much better. Far easier to manage. The Ubiquiti APs had very little range and below-threshold subscriber loads would cause them to become unstable and require a reboot. No good when 500 employees and guests are attempting to get work done. We issue primarily laptops with only certain people getting docks for Ethernet. Quite a few people have purchased the Anker USB-C dongle docks from Amazon and use their IP phone's secondary Ethernet port for a connection if they want a solid Ethernet connection.

At home I'm happy with Google WiFi mesh all around my house.


Thanks for the tip on Aruba. Right now my all-Ubiquiti home network is awesome because I have a Docker controller image. As soon as something goes out though, I am done with these clowns.

Wasn't sure where to look next... note taken on Aruba.


+1; exactly my case. I have a handful of Ubiquiti APs and the network is now rock solid, so my plan is to wait until WiFi6 becomes mainstream (or they mess up with updates) - and then I'm gone forever.

After they bungled reporting the hacks last year, I promised to never purchase anything from Ubiquiti again. Good to know Aruba may be an option.


My understanding is that Instant On APs drop their wifi clients when they lose internet access and that this is billed as a feature. Maybe that's changed recently.


For an Instant-on AP, that sounds … maybe useful? If I am connected from my phone? Why do you hate the feature?


My internet frequently (although less lately) stalls out for minutes at a time, once or twice a day. I don't want my AP to kick me off wireless when I'm refreshing my monitoring app waiting for internet to come back up, or for me to be locked out of my security cameras, or for wifi-only IoT things which don't talk to the internet at all to get kicked off and have to reconnect.


Oh so you want to access your network while the internet is down?


Right. Yes.


The access points are cloud managed only (I believe the switches can optionally be managed through a local webui) but very solid hardware, quite easy to set up, and probably feature rich enough for basically anyone who isn't trying to mess around with an enterprise environment at home.


Instant On has several limitations like maximum APs in a site or maximum clients. I don’t want to say they are bad products but it’s only useful for a small network.

TP-Link Omada is a very similar system like UniFi in this price range. Their Controller GUI almost looks the same as UniFi‘s.


I've only used both in home and small office settings, but I found TP-Link's Omada line of APs to be equivalent to Ubiquiti APs. Same type of hardware, same type of controller software you can run on your own machine. I don't know enough about APs to say whether the performance matches.


Ruckus Unleashed is my favorite replacement, with Aruba Instant On as runner up.


I'll take a look- thanks.

One thing i have that often limits my choices is that the ubiquiti's are recessed into my ceiling (6 AP's). I can do the drywall work, if they make the mounts :)

If I have to, I guess i can make some from scratch in solidworks, but i'd rather not.


Ruckus is not bad, but not great either. I've got an ICX 7150-C12P that worked fine until the PoE power supply failed just a few months out of warranty. I'm glad that I did not pay them for the "license" to use the SFP ports (which every other manufacturer just enables by default).

I do like their WAPs. I've got a couple of RS510 WAPs that do a great job, but initially they had some noticeable performance problems for almost a year until fixed by a firmware update.


Ruckus is pretty much at the exact opposite end of the price spectrum. At least you can get the older generations for less extreme prices second hand.


Is Draytek any good? I've just gotten their AX router and mesh APs / smart switch and apart from one significant bug which made the router restart every few hours if the wi-fi interface was on, it seems to be ok.

Anything I should keep in mind before I get more of this brand?


MikroTik have good wireless APs (and other devices).


You can't beat MikroTik's routers (rOS / RouterOS) and their routing hardware. I actively managed well over 500 of them. However, I agree with another reply that their access points are definitely a side show for them. The unfortunate part is their interface and software capabilities are so great that if they just put some additional effort + latest-gen hardware towards their access points they could become one of the top players in Wi-Fi. (I also manage several hundred MikroTik access points.)

Ruckus is my go-to for access points / client Wi-Fi. (I manage 1000s of Ruckus APs.) Excellent hardware. Every AP they offer can have its firmware flashed to either fully standalone, OR centrally managed (vSZ / ZoneDirector), OR Unleashed (which is AP self-managed for up to 25 local APs). Another much-overlooked feature of Ruckus is that every function can be controlled/modified via SSH. While not as powerful as a true API, it's still very powerful and often very overlooked.


For home use I've not had any problems with their AP hardware. But it's definitely not been stressed. I was just after something that has enterprise features but not the price. RouterOS covers that soundly (almost too well, as the configuration can be confusing if you don't know networking).


I use a MikroTik router, but their wireless APs are clearly a sideshow for them.

But I am very happy with the router. I have 5gbps symmetrical internet, and it's one of the few that can handle it for real without BS.


TP-Link's Omada AP line is solid.


Do those require management via their cloud, or can they be handled entirely locally?


The APs have great options: cloud, local controller (their hardware device, software, or a Docker container), or none at all. If you want to start with a single AP you don't need the manager.

I bought their largest AP, the 660, attached it to a second-floor ceiling, and found it covered my whole home and much of the yard. It supports 100s of clients.


They can be handled entirely locally; the cloud management bits are optional.

(I reworked our home network to Omada gear last fall. OC200, ER605, a few managed switches, couple of EAP245 APs. Overall quite happy with it; as the person above said it's pretty much fire and forget once you get the initial setup done. Used to use -- and enjoyed -- Mikrotik but alas their wifi support/performance at least on the home front has stagnated over the past several years.)


I have a TP-Link Omada setup in my new house. I run the management interface on the LAN in Docker on an old Linux box (runs Pi-hole too). Works really well so far! I have the WiFi 6 APs, a PoE switch, and a router. I have 1 gig symmetrical fiber and everything is reliable and fast now. Previously I had an EdgeRouter X and it was very flaky.


You can handle it locally, I do. The only feature that doesn’t work with it off is automatic firmware updates. You can still update firmware, you just have to download and upload it manually. It doesn’t even nag about setting up a cloud account.

The only thing I regret of theirs is the router (TL-R605). It’s not bad, but the VPN performance is mediocre, and I always wonder if I would’ve been happier with pfsense. Every other piece of hardware has been great.


I have installed six in a big old house (with almost a meter deep interior walls!).

I manage them with an app on a tablet connected to the same LAN, I've disabled all cloud management. That said, they are almost configure and forget, after the initial install I've only had to upgrade the firmware when I visit the site.


The controller doesn't have to be linked to their cloud.


The argument is that there aren't two people, there is just one who was arrested.

Krebs's original source for the March article was the fake whistleblower extorting Ubiquiti. He had just gotten raided by the FBI. Which is why the tweets are being mentioned.


Krebs doesn't claim there were two people anywhere?

Ubiquiti hangs this entire argument on using slightly different wording to refer to a person in two places in an article.

But if you read the article, he reports the facts in a literal linear timeline fashion, attempting to use what appear to be time-correct monikers.

I.e., he literally says (see the screenshot): in January X happened; in March, a Ubiquiti employee said something; in November, a former developer for Ubiquiti was arrested and charged.

He never says the March and November people are different. He is reporting exactly what happened. They claim he knows they are the same person, and should refer to them as such, but they literally don't even provide any evidence of this either (i.e., that it was Krebs's source). It wouldn't help them (because what Krebs says does not seem wrong or untrue), but they don't prove it either.

I.e., even if Krebs knew they are the same person, the above appears to be a totally accurate rendering of the story. Krebs is only required to be accurate.

Did a Ubiquiti employee say X in March (or did Krebs have good reason to believe a Ubiquiti employee said X in March)?

Did a former Ubiquiti developer get arrested in late November?

Yes? (AFAIK, yes)

Okay, case over.

The fact that they don't like his reporting doesn't make it untrue, and if they want to show it's untrue, as I said, this filing does a bad job of it.


The problem for Krebs is that (if the criminal case against this guy is true) Krebs was a party to the crime. He was the medium for the extortion. He is the guy that published and spread the damaging story! And he’s still doing it!

It’s as if a bank robber was dressed as an innocent old lady and tricked Krebs into carrying the bags of stolen money to the getaway car. Except here, the robber is in the back of a squad car and Krebs is still transporting bags of cash! It doesn’t matter whether the statements were true, they’re an act of extortion! Extortion is defamation per se.


I have not looked into this in any detail, but is it possible that Ubiquiti is fishing for the name of a second source?


If they really wanted that, they would craft a less emotionally loaded complaint and try for discovery ASAP. I think.


He is accused of making the claims through Twitter which is why it’s being used as evidence.


If you were Krebs, would you defend, countersue, or seek “settlement” or some combination?


None of the above. My answer is much more mundane.

Krebs almost certainly has professional liability insurance (if not, that would be pretty dumb at his scale). I would call up my insurance company, tell them I've been sued, send them the documents, and then go back to my day.

I would then proceed to follow their instructions, and not care too much about it, unless I was asked to do things that I wasn't willing to do.


You’d first move to dismiss for failure to state a claim, and perhaps counter-sue under anti-SLAPP.


They (presumably intentionally) filed the claim in a state without an anti-SLAPP law, sadly.

Edit: Or at least, so Greg says, and I've found him a reliable source for such things: https://twitter.com/greg_doucette/status/1509184336188350465...


IANAL and I haven't read the filing. I'd assume, based on what I've read thus far (and the fact that it's a pretty standard initial response), that he'll file a motion to dismiss and go from there.

It seems plausible that he could have a decent chance of having such a motion granted -- the bar is generally "in the light most favorable to the plaintiff [Ubiquiti]". Based solely on the commentary I've read, it sounds like the complaint could be deficient.


Question - does Ubiquiti open themselves up to discovery and a lot of private info becoming public by filing this?


They very well have opened themselves to discovery, which is why it is very unwise to throw stones in glass houses when it comes to litigation. I have seen this before where a company opens a defamation suit against someone, they then don't get the results they were looking for and end up losing a countersuit or end up settling out of court because of their idiocy.

I'm not sure what they are thinking on this, but this is also the company that wired 46 million dollars to fraudsters, so it's obvious they haven't made wise decisions in the past.


Not a lawyer, but I read like one, and I agree this is one of the most butthurt and factless filings I've ever seen. How can they SLAPP? How can they SLAPP?


Time for Congress to make some anti-SLAPP laws; it seems to me as a non-lawyer that this is a SLAPP that they forum shopped for. Especially since they don't seem to have pleaded anything that would surmount the "actual malice" requirement for defamation required here.


Has Krebs said his source was arrested? According to my reading Krebs only said that "a" former Ubiquiti was arrested, with no indication that it's the same person.


Maybe it is just to make the defendants uneasy for some time with a lawsuit hanging over their heads.


He can countersue.


Did you read the muckraking tweets?


Yes. Here's the thing: It doesn't matter. Let me back up a bit. To start with, corporate defamation is ... complicated to begin with. There is no liability for defaming a large class of people.

If I say "all people wearing blue are pedophiles", I can't be sued by anyone wearing blue because I defamed them :). This is because defamation is, at the core, about injury to the reputation of individual people. It's really hard to meaningfully injure the reputation of individual people with general statements (it's not impossible, mind you, but for the average Joe it's pretty hard).

So first you have to be able to identify what is defamed, exactly. Second, corporations have no reputations in any easily definable personal sense (and remember, defamation is about injury to reputation).

Why do I go into all of this? Because it's at the core of what standard you would have to meet to be liable for defaming a corporation.

Generally there are three ways to prove defamation overall: prove the person knew that the statement was false and defamatory, or prove the person acted with reckless disregard of the truth or falsity of the statement in making the statement, or prove the person acted negligently in failing to ascertain whether the statement was true or false before making it.

The first almost never happens. The second almost never happens. The third is what gets most people.

The third is also, it turns out, not available if the defamation was of a public figure. In fact, for public figures, you have to prove one of the first two by clear and convincing evidence (which is higher than the usual burden of proof in a civil case, which is preponderance of the evidence).

So if Ubiquiti, the corporate plaintiff, is held to be a public figure (or some other variant, like a limited-purpose public figure, etc.), as long as Krebs was only negligent (an idiot) rather than malicious (deliberately ignoring the truth or falsity), it still wouldn't be defamation.

Ubiquiti is almost certain to be held to be some sort of public figure - they even sort of out themselves on this by pointing out they file 10-Qs with the SEC and expect all their interactions to be with the public.


Seems pretty close to textbook SLAPP in a jurisdiction - Virginia - that has strong anti-SLAPP laws [correction: https://news.ycombinator.com/item?id=30867948 notes this is federal, and it has not been established if VA SLAPP laws apply] and precedent for their use. I am a fan of Ubiquiti gear but I hope they lose, pay Krebs' costs, and pay a multiple of the costs as damages.

https://twitter.com/QuinnyPig/status/1509374736903507974 is just an example of how well this is going over.


Krebs was pretty unethical in this case. He published articles based on quotes from a Ubiquiti insider who it later turned out was actually the hacker who was extorting them at the time. Krebs has never (as far as I know) addressed this or even acknowledged it.

If Krebs had just been a rube who was used by the hacker, I'd agree with you. But by not updating the record, he's continuing to further lies that he knows aren't true and are/will hurt Ubiquiti's reputation. Given that, I don't think it's as simple as "this gets dismissed as a SLAPP".


More to the point - he has doubled down on his reporting being correct, but failed to acknowledge that he - himself - was the weapon that the attacker used to inflict damage on Ubiquiti - their employees, users and shareholders.

Krebs got taken. Pure and simple. I can see why he might not want to acknowledge that, or do any soul searching on it, but when you were part of the problem, you have a responsibility to fix your part in it, even if it was as an unwitting accomplice.


(From a questioning perspective) If a source happens not to be who they claimed to be, hiding for whatever reason, but the information in the story is newsworthy, credible, verifiable, and authenticated, does that mean the story should not go forward then?


This is why journalists try to get multiple sources to corroborate what the other is saying.


That's hardly very likely with whistleblower stories; all you can do is be careful with wording like "<name> claims" / "<name> alleges" to qualify the reporting. I read Krebs, and I find it hard to believe that he wouldn't retract the article based on new information if Ubiquiti (or someone else) came to him with evidence showing the "whistleblower" was a fake. He seems like a good journo to me and has nothing to lose by doing such. He reports on a lot of stuff and no one is going to be constantly fact checking every story they ever put out there. It's impossible. I suspect Ubiquiti filed this before they ever contacted him about the whistleblower being a fake.


The story already went forward.

It means that a correction should have been issued.


What's the counterfactual here? If Krebs was wrong to report on this, what's the world where he didn't look like? Is anyone better off?

It doesn't seem like it. Either way, Ubiquiti had a major security issue on its hands. Krebs didn't make that true by reporting it, it was true already and he wasn't wrong to say that they did, regardless of some niggling over whether he knew two people were actually the same person lying to him about who they were.


Journalists aren't supposed to take what a "whistleblower" says at face value. If Krebs were a journalist at the NYTimes, for example, they would've done a lot of background research to corroborate the insider's story before publishing the quote. And then either would not have run it or at least have been clear about how little he knows about the "whistleblower".

And the bigger issue is, once the truth came out, he should've done a retraction and discussed what he knows about "Adam" and how he was likely the hacker who did the extortion.


Ignoring that I didn't ask anything like "what should Krebs have done later?":

> he should've done a retraction and discussed what he knows about "Adam" and how he was likely the hacker who did the extortion.

That's not a retraction. That's an update based on new information. Those aren't the same thing. This is just begging the question of his knowledge. It doesn't really seem like Krebs, even if he is a shitty journalist overall (I know very little about him, so I'm not going to assume one way or another), said anything actually false at the time he said it.

Is a journalist, once they report on a story once, required to continue reporting on that story forever?


If a journalist is complicit in helping an extortion attempt with one of their stories, then, yes, any ethical journalist has a responsibility to update it. This will (hopefully) be a pretty rare occurrence.


Which is it, was he duped or was he complicit? These are very different accusations, and exactly what I mean by begging the question of his knowledge. You (and it seems ubiquiti) are assuming he knew this at some point where he claims he didn't, which makes him not just a victim of misinformation but an active perpetrator.

Proving that in court seems like it's going to be very hard. Never mind proving that he did it intentionally and with malice. It's not like he gains anything really by not expanding on the story as we know it, and as I've mentioned, it's not even clear what ubiquiti gains from expecting him to talk about new facts that make them look bad.


Not a lawyer, but I suspect that the sentence "Ubiquiti has not responded to repeated requests for comment." in Exhibit A of Ubiquiti's own evidence is going to carry a lot of Krebs's case.


Krebs did address it in a tweet. Says the facts as he reported them were true.

See exhibit E.

https://storage.courtlistener.com/recap/gov.uscourts.vaed.52...


Ubiquiti is interesting. The CEO is the technical founder and bootstrapper, overwhelming controlling shareholder, and has been the subject of what I'd consider unethical (stock) short campaigns in the past. So you have a CEO without many checks and balances who is justifiably defensive of his company. I am a fan of him and his company. That said, I think he is in the wrong here, and I just hope he realizes it and can amicably resolve this in a way that is more productive for everyone.


Virginia doesn't have a strong anti-SLAPP law. It's weak at best, only carving out some immunity for statements made about "matters of public concern": https://law.lis.virginia.gov/vacode/title8.01/chapter3/secti... And unlike other states, if the plaintiff loses on a motion to dismiss under the statute, the defendant isn't entitled to attorney fees and court costs.


Virginia has an anti-SLAPP statute, but this is a federal suit, and the Fourth Circuit hasn't ruled on whether state anti-SLAPP statutes apply to federal cases.


What do you mean by “apply to”? It sounds like a run of the mill compulsory counterclaim.


I'm not a lawyer and I don't know how a counterclaim would work in this case, but the way I understand anti-SLAPP statutes to work is that they let the defendant file a motion to dismiss. If the suit were in state court, then the state law would clearly apply and Krebs could try to have the suit dismissed. But it's in federal court, not a Virginia state court. Whether state anti-SLAPP statutes can be used in federal cases is not clear; there's a circuit split and the Fourth Circuit has not ruled on the question: https://www.jdsupra.com/legalnews/second-circuit-slaps-down-...


State court claims can and regularly are brought in federal court because federal courts have authority to hear state law cases. It’s Civil Procedure 101. Counter-claims which arise from the same operative facts must be brought or else they’re generally waived.


Also, defamation is a creature of common law and therefore state law governs it; there is no Federal defamation law. Ubiquiti filed in federal court under diversity jurisdiction, and likely because they think they'll get a better outcome than they would in state court. But the court still has to adjudicate the substantive claims under VA state law. Procedurally, though, the Federal Rules of Civil Procedure apply in Federal court, not state procedural rules.

The cited article suggests that some Federal circuits treat anti-SLAPP statutes as procedural rather than substantive law, and so federal judges might decline to apply them in the cases brought to them.


That makes sense, though it’s hard for me to imagine a reasonable finding they don’t apply given the state public policy justification.


My understanding of the linked article is that the question is whether the federal rules of civil procedure supersede the state anti-SLAPP statute, because, since it's in federal court, the suit is governed by the FRCP even if it's over state or common law claims.


The lawsuit, it seems like a grey area. Report on something but then further facts come out and your story is literally outright false. You've been misled and abused by your source. I guess that's the job of a journalist to ensure what you are publishing is true.

Flipside, there's a term named "Krebbed" for a reason. https://www.urbandictionary.com/define.php?term=krebbed

Krebs has a history of poor journalism to say the least. Frankly, it's best to ignore Krebs. I stopped reading him years ago.

https://itwire.com/business-it-news/security/new-york-times-...

https://itwire.com/business-it-news/security/infosec-researc...

https://itwire.com/business-it-news/security/ex-wp-man-krebs...

3 separate instances where Krebs got it wrong. Seems to happen a little too often.

Seems clear to me, Ubiquiti got Krebbed.


> 3 separate instances where Krebs got it wrong. Seems to happen a little too often.

A former employer of mine was the subject of multiple Krebs pieces. Many of the facts he has reported were incorrect. I have no personal stake in getting involved to "set the record straight" and much to lose by doing so.

There's only so much accuracy you can expect from someone who deals in hearsay. The most credible witnesses won't talk to reporters.

> I guess that's the job of a journalist to ensure what you are publishing is true.

Informants are afforded credibility. The job of the informant is to ensure what they're informing on is true. In any supply chain attack, everybody involved post-compromise is just doing their job.

Journalists are not private investigators and it's unfair to expect them to be. We don't condemn doctors when the patients they trust falsely report/induce symptoms with intent to commit disability fraud.


> Journalists are not private investigators and it's unfair to expect them to be. We don't condemn doctors when the patients they trust falsely report/induce symptoms with intent to commit disability fraud.

But we do (and should!) expect journalists to issue retractions if they find out something they reported was incorrect.


>A former employer of mine was the subject of multiple Krebs pieces. Many of the facts he has reported were incorrect.

http://www.aaronsw.com/weblog/hatethenews

There seems to be a correlation that the more you know about a subject, the more likely you think the journalist is simply wrong.

I have proposed the idea that if I put together a big enough group of experts, we might have a group of people who can refute journalism in whole. What if 100% or damned near 100% of what journalists claim is untrue?

I don't think that's the case, I have many good journalists who are across a spectrum of viewpoints who are good at reporting.

In reality, we should hold journalists accountable via Errors and Omissions. Require all journalists to hold E&O insurance. He screwed up, his insurance covers it.


> I guess that's the job of a journalist to ensure what you are publishing is true.

I remember having a stupid little blog about torrents and filesharing; it was basically a drama blog. People would go on and on about how I had to ensure things were correct and I wasn't a proper journalist because I didn't fact check and stuff. I kept replying that I wasn't a journalist, I was a dude with a blog who people kept telling stuff. So if I was getting that, I sure as hell expect a proper journalist to deal with the fallout if they got it wrong and it cost a company money. Like I would expect a newspaper or TV show to pay out if they cost me money and what not.


>I remember having a stupid little blog about torrents and filesharing, it was basically a drama blog. People would go on and on about how I had to ensure things were correct and I wasn't a proper journalist because I didn't fact check and stuff.

I feel like torrents and filesharing isn't going to need much fact checking. Unless you're perhaps talking about lawsuits or something where you might end up getting sued for your words.

>So if I was getting that, I sure as hell expect a proper journalist to deal with the fallout if they got it wrong and it cost a company money. Like I would expect a newspaper or TV show to pay out if they cost me money and what not.

I personally see Krebs as liable. Many other professions have to keep 'errors and omissions' insurance. Sometimes you just get it wrong. Nobody is perfect, you're going to make mistakes.


> I feel like torrents and filesharing isn't going to need much fact checking. Unless you're perhaps talking about lawsuits or something where you might end up getting sued for your words.

torrentfreak.com is a current example of a long running blog about filesharing/torrent related news that constantly gets things wrong with no fact checking. Their articles are fine when they're about legal cases, new copyright laws, or actions of governments. But when they report on the goings on of non-mainstream streaming sites or private trackers they're almost completely fabricating their articles - believing the words of any "source" that sends them info without doing any sort of validation on it.


> But when they report on the goings on of non-mainstream streaming sites or private trackers they're almost completely fabricating their articles - believing the words of any "source" that sends them info without doing any sort of validation on it.

The thing is, in such a community the only real source is going to be sources. The people often aren't going to admit to things, especially if it makes them look bad. The one time I did actually go to check something out was when someone told me the nickserv nick wasn't reserved on a tracker's IRC and the services were down, so people could use it. They then accused me of stealing passwords instead of checking out whether what I was told was true. So they want me to fact check, but when I do they complain too.

But overall, having to believe sources when it comes to criminal stuff is a major thing. You can't do much else. For example, look at most gangland reporting. They'll often be wrong because they're dealing with word of mouth.


I'm honestly not sure how Ubiquiti felt this was a smart idea; defamation lawsuits are notoriously difficult to win and in the vast majority of cases, result in greater damage to the plaintiff's image than before filing the lawsuit.

Waste of everyone's time and money.


You do realize that the entire "ubiquiti sucks" mood on HN started with the publications of these (factually inaccurate) articles from Krebs?

This whole thing pisses me off. An insider threatened a company with reputational damage and used a press guy to pull it off. HN picked it up and amplified it. Press guy never corrected the story, and here we are, with people still railing on HN over an untrue story that the press guy enabled and the extortionist planted.


> You do realize that the entire "ubiquiti sucks" mood on HN started with the publications of these (factually inaccurate) articles from Krebs?

It arguably started when they:

- Shipped tons of jobs overseas, and firmware quality took a nosedive.

- Stopped letting people run the NVR on their own hardware (with short-notice).

- Required cloud login and an app for setup (something that, for years, NOT having was a claimed Unifi advantage).

- Constantly introducing and retiring half-baked ideas/products/lines.

The whole company has lost focus and certainly lost quality. The recent security kerfuffle certainly didn't help, but mostly it reminded people that their previously "local only" stuff was now Cloud Connected™ by force, and that UB lost the keys that users didn't want to exist to begin with.


I dropped Ubiquiti after their wifi APs started uploading telemetry. UI's subsequent reaction to the secret telemetry (it was not announced or in any changelog before a user got curious about their Ubiquiti AP's extra data packets headed to the internet) was to gaslight users and add an opt-out. The attempt was successful: people rarely bring it up and some will defend the actions of Ubiquiti.

I get it. Telemetry helps with diagnosing issues. But UI’s reaction to being unmasked made me realize they could never, ever be trusted for network infrastructure.


Taking the next step on the quality nosedive -> cloud integration -> data breach was no great surprise, and Krebs didn't help them in that, sure.

But the nail in the coffin was their reaction to the whole thing with lawsuits and denials.


I also remember Ubiquiti quality declining before this Krebs business, and finding out that Ubiquiti had offshored much of the business in recent years.


OMG. I just realized that the next logical step in that process is:

- Got acquired by Cisco.

Heaven help us.


I don't think Cisco will do this. They already have a budget product line, which is said to be pretty mediocre, but of course it has to be, so as not to cannibalise their enterprise offering.


Linksys is strictly unknowledgeable home-use kit, whereas Ubiquiti could be called "prosumer," and Cisco doesn't have anything in the price range. When I built out a new, 1500-seat church, Ubiquiti offered better-spec'd wifi APs for less than half the price of comparable gear from Cisco. Would I do it again, knowing what a hassle their administration software is, and how often it breaks? I don't know.


I don't mean Linksys. More like the 140AC: https://www.cisco.com/c/en/us/support/wireless/business-140a...

The price here is almost the same as the Lite series of Unifi. They also have a Meraki go line but that seems to be yet another one (from an acquisition). But this is also in the same price range.


I didn't know about this, but to be fair, they just released this product last year. Thanks for the heads up.


You forgot to mention

- Ads in the management interface


And ads that you couldn't even turn off until a massive outcry.


I paid 2.5K for a Unifi USG-XG Gateway that they very quickly discontinued. I don't think it was out a year before they discontinued it.


1. Krebs corrected the story. Twice. You just have to open the original article to see it.

2. The "Ubiquiti sucks" mood started with Ubiquiti releasing shit products with even shittier software that, quite incredibly, sometimes even degraded with updates.


Point 1 is correct insofar as he published an update to it in December.[1] He did not (and does not) make it clear that the employee who was arrested was his source.[2] In fact his anonymous source "Adam" is never referenced anywhere in his second article, outside of comments asking him about it.

If you read his reporting on this now, it is still not clear that "Adam", his source, and the person committing the alleged offences are the same person. It may be he doesn't know but he certainly makes zero effort in either article to address the question.

Ubiquiti's forced cloud BS is more than enough reason for people to move away from them -- they basically dropped out of consideration for my purposes after they did that.

It can also be true that there was a drop in stock price when this incident was reported, and further drops after Krebs' coverage.[3] In fact he even discusses their share price at the tail end of his original article, even updating it on March 31 and acknowledging a roughly $50 drop following his reporting.

I doubt Ubiquiti will win this court case but I do think Krebs damaged his own credibility here.

[1]: https://krebsonsecurity.com/2021/03/whistleblower-ubiquiti-b...

[2]: https://krebsonsecurity.com/2021/12/ubiquiti-developer-charg...

[3]: https://markets.businessinsider.com/stocks/ui-stock?op=1


Has it 100% been confirmed that Adam == Sharp? There are certainly allegations that Sharp talked with the media, but on breaches like this there are typically multiple people working them with detailed knowledge. The timing is suspect, but with cases like this, you have to prove that someone did it out of malice.

It also doesn't mention anywhere in the indictment who Sharp spoke with, so until it goes to trial... unless Krebs confirms that it was Sharp that contacted him, these are just assumptions/allegations and not something that have been proven one way or the other.


"Ubiquiti sucks" started for me when a switch firmware update enabled some loop detection that couldn't be turned off, and completely broke my Google WiFi setup. Support tried, but ultimately the solution was to connect Google WiFi to a dumb switch.

Then around a year later an update bricked 4 of my 5 cameras, and support was completely useless.

You know, and then they had this huge security issue.

Sure, Krebs reported the security issue, but "ubiquiti sucks" sentiment has largely been Ubiquiti's doing IMHO.


The security kerfuffle is meh.

Forcing everything to cloud-connected is what turned me off.

I don't need the devices I use to connect to the cloud to be dependent on the cloud.


Yeah, it sucks that every manufacturer out there seems to think that they need to move to a subscription model for everything.


> You do realize that the entire "ubiquiti sucks" mood on HN started with the publications of these (factually inaccurate) articles from Krebs?

Nobody’s posted a “Ubiquiti sucks” thread from before the Krebs kerfuffle, so here’s one from Nov 2019. In that thread, people complain about a new “phone home” feature and Ubiquiti ignoring the terms of the GPL.

https://news.ycombinator.com/item?id=21430997


That vibe existed far before the Krebs article.

Mostly from how the company has shifted their focus as described in other posts.


> You do realize that the entire "ubiquiti sucks" mood on HN started with the publications of these (factually inaccurate) articles from Krebs?

Their product direction changed and they're no longer my go-to. It appeared to kill a lot of goodwill from others too.

On the other hand, I hadn't even heard Krebs was going after them until today.


For example, Troy Hunt was a major fan, but then just stopped writing about them.

I took that as an un-recommend.

https://www.troyhunt.com/tag/ubiquiti/


Not at all, I continued writing a lot on Twitter and still love the product. I don’t like the way they’re handling this situation though, more in this vid from a few days ago: https://www.troyhunt.com/weekly-update-289/


Thanks for your response Troy!


Having used their products for years the "ubiquiti sucks" mood has been their own fault. Product quality has declined, they keep promising features that don't work / kill throughput / just don't come out for months if ever.


I think you're mistaking a correlation for causation here. Yes, people started saying "UI sucks for $reasonXZY" a lot more after these articles came out, but that's merely because the articles provided a convenient hook to which to attach existing grievances.

A random "Tell HN: UI sucks because their firmware went down hill"-post is not likely to go anywhere. But as a comment within an article about UI, sure, that works.

There are many things wrong with UI. An inflated insider security story does not change that.


"Ubiquiti sucks" is not an HN-specific thing. The consensus among IT folks in multiple communities I'm part of is that they've gone from being front-of-the-tech-curve with nice UI that Just Works, to overpriced underspec'd cloud-locked-in meh-ness.


I put them on a personal black list when there was some shenanigans with them using GPL code and not releasing their modified source, or something. That was years ago.


Their stock dropped by about 30% after that as well didn’t it?


a few weeks ago UI released an update to their protect surveillance line which subsequently prevented certain cameras from recording. an update which fixed this "bug" was released 3 days ago.

things like this contribute more to the mood you reference than the reporting from Krebs a year ago, IMO.


Speaking only for myself, I disagree. I only had a vague notion of them, and read Krebs on occasion, but didn't have any strong feelings on them ... until this. As long as the info in the 1st post from the lawyer is correct, I wouldn't buy from them.


If that's the case, maybe this is a rare case where it makes sense to sue for defamation.

Krebs does tend to just throw stuff on the wall. Conversely, people should not be so influenced by one security blogger.


The press across the board does a terrible job of printing retractions. I know that doesn't really excuse Krebs but most errors don't get corrected and those that do generally show up in a tiny column in the middle of the paper.

If you're Brian Krebs and are writing, editing and publishing this stuff yourself, I don't know that you'd have the bandwidth to be able to monitor and correct every new development in something you've written. The New Yorker has a staff of hundreds of fact checkers, lawyers and proof readers just to keep them out of court, and they too seem to have a difficult time with publishing corrections.

I'm not excusing either party, there are issues here that need to be resolved. But the expectation that any part of the press, be it publishing a physical newspaper or running a security blog, will spend much time paying attention to old stories for corrections doesn't match up with reality.


According to some other posts here, Krebs did publish updates and retractions as new info came out.


Wow, I didn't know that. If that's the case then Krebs is far beyond what 99% of large news outlets, magazines and other news sources bother to do. I was on the fence before about this but if that's the case, I'm fully on Krebs' side here.


It's not defamatory though - if people decide "yeah you probably suck" but its because of what someone else said, it's arguably up to them to show the person who originally spoke was defaming.

You can't sue journalists for this.

Now, it sounds like they have a bunch of other (factually correct) nonsense going on, they had a leak, suing to try to stop is just an incredibly bad look. I don't even know who Ubiquiti is, but fuck them, they sound like aholes to me.


Yeah I’m also pissed off that they failed to have policy in place to prevent an insider threat and deal with it afterwards.


It's almost impossible to prevent a trusted insider attack. It is possible to quickly identify and shut down an insider. I think the second is a bigger issue: they did (obviously) identify the attacker, but they had the FBI involved at that point.


Good policy will prevent you from assigning the person responsible for the breach to the team to investigate themselves, I think the FBI learned that the hard way.

Ubiquiti did not have good security policy as stated in the hacker news post from 3 months ago (cred open to many people etc).

While it’s impossible to completely prevent this, best practices were not followed.


No it's virtually impossible to prevent it. It's very important to detect it though and to have a playbook in place on how to deal with it.


Can't prevent everything, true, but they pulled a Robert Hanssen!


Well, if you think you might be having a reputational problem, sue someone for defamation. That way you remove all doubt.


Thank you for saying what nobody else on HN will say. Instead it’s just constant outrage on HN against companies. Why didn’t Krebs issue a public apology or retraction? I love Ubiquiti and have over $2k worth of UniFi equipment in my home.

This entire fiasco has hurt Ubiquiti’s brand and reputation, and in no small part Krebs is responsible for that.


Yup... it seems like everyone has turned on ubiquiti lately, but I wasn't totally convinced. I was holding out despite some of the irksome changes, but this move right here is a nail in the coffin for me.


I'm on the same page. We just need to see a compelling alternative appear, and they'll lose their segment pretty quickly. Meraki could have been that until the Cisco acquisition and now $$$$ (and they make it extremely hard for SMBs/ProSumers to buy in). Some say that Aruba's "Instant On" stuff is one to keep your eye on as a direct replacement.

Ever since they fired their domestic development staff and shipped those jobs overseas it has been getting worse and worse. And it isn't because foreign developers cannot develop, it is because the company then and since has prioritized cost (and flash half-baked features) over quality.


No-one shipped jobs overseas. m of the teams at UI have always been and remain located in the EU.


> Meraki could have been that until the Cisco acquisition and now $$$$ (and they make it extremely hard for SMBs/ProSumers to buy in).

Meraki competes against Ubiquiti and Aruba InstantOn with Meraki Go, not mainline Meraki.


I'm in the same boat. The issue is... what great alternatives are there? I'm not interested in investing the time required with pfSense / custom stuff. I want a similar experience to Ubiquiti... does it exist?


I did a bunch of research when all of this first came out with the intention of moving off Ubiquiti and found nothing worthwhile. I'm in the same boat, no interest in the time/money investment to roll my own solution. Aside from one UDM Pro software update that enabled a schedule to disable my WiFi out of the blue, I haven't had any issues with my stuff. So I continue on with them.


pfSense doesn’t require much time for a basic setup. Stick with defaults, roll out some Ruckus Unleashed APs, and you are done.


There is a term for this, the "Streisand effect."

It turns out, there can be such a thing as bad publicity. And like all forms of publicity, there are ways of putting it into a positive feedback loop. (Positive in the sense that you get more of it, perhaps from your perspective it is a positive development, perhaps not).


Maybe the point isn't to win but for the "chilling effect."[0]. Essentially to discourage critics of the company from raising criticism in the future for fear of lawsuit (even if ultimately just to waste legal costs/impose a burden).

[0] https://en.wikipedia.org/wiki/Chilling_effect


Chilling effect, meet Streisand effect: https://en.wikipedia.org/wiki/Streisand_effect

Thanks to Ubiquiti's efforts, now the story is known to a larger audience.


Chilling effect meet Krebs. Krebs is more than capable of searching for security flaws. I would not want to piss him off . . .

He seems like the sort of person to take it personally and then go out of his way to find security issues, of which I am sure there are plenty, considering the breadth of software and firmware across all their devices.

This is not a symmetric fight.


It seems to basically be a SLAPP suit.


From their complaint:

>Krebs intentionally disregarded these facts

It's easy to miss something when you're not directly involved in a case, even more so when you're also not a lawyer (me) but from what I understand:

Success for Ubiquiti here requires an ability to prove not only that statements he was making (as reported to him by a disgruntled Ubiquiti employee) were false, but that Krebs knew the claims were false. Ubiquiti seems to be arguing that, "because we said these claims were false, that proves he knew they were." That's a non sequitur IMHO.


Actually, the claims Ubiquiti is making relate to the news article Krebs wrote after everyone knew that Krebs used the criminal as his source. For some reason, Krebs chose not to disclose this in his follow-up article. That's the defamation. Krebs knowingly posted false information not in the original article, but in the follow-up.


> That’s the defamation.

But that's not remotely defamation.

You can decide to judge him harshly in the court of opinion for not fully disclosing that, but that isn't defamation.


Reading the article of December 2nd it seems accurate to me. Ubiquiti was wrong about the scope, that the incident was external. It says the suspect was pretending to be a whistleblower. It sounds to me like the suspect wasn't a liar when whistleblowing so what would Krebs retract?


He's probably protected because of qualified privilege: https://www.law.cornell.edu/wex/defamation

They would have to prove that he was malicious in writing the article and since it's his job to write articles about security, they're going to have a real hard time doing that.


Is the guy a criminal though? He's been charged, that doesn't mean he's guilty.


I may be missing something here, English _is_ my first language after all, but regarding the screenshot of the "ad" on page 3 of the complaint; they suggest Krebs refers to "the employee" as an employee in one sentence and a "former employee" in the next. The complaint reads to me like the person who put it together doesn't understand the English language, or, reading or writing at all, for that matter.

"In March, a Ubiquiti employee warned that the company had drastically understated the scope ... claim was a fabrication. On Wednesday, a former Ubiquiti employee was arrested..."

I'm pretty sure this is junior school level writing, but full stop means end of sentence, and then you start another. There is nothing in the screenshot's text which suggest the former is referring to the same person as the latter; in fact, I read it as expressly making a potential distinction.

"6. Krebs altered his description of Sharp, first he described Sharp as a current employee. He then described Sharp as a..."

Who wrote this beautiful pair of sentences in the complaint, immediately after? Two sentences which clearly should have been one.

If this is the basis of their complaint, I worry for Ubiquiti as a company.


> There is nothing in the screenshot's text which suggest the former is referring to the same person as the latter; in fact, I read it as expressly making a potential distinction.

Yes, precisely. You proved the complaint’s point. You think they might be distinct, and the complaint is pointing out that since they were the same person, this writing is intentionally misleading.

> If this is the basis of their complaint, I worry for Ubiquiti as a company.

Slow your roll. You just demonstrated the complaint's point.

Regardless of the merits of the case as a whole, #6 is a fair point.

As for the grammar. It’s not Pulitzer level. But there are complete thoughts in each sentence, so it’s not wrong either.


> the complaint is pointing out that since they were the same person, this writing is intentionally misleading

I disagree (with the complaint, not with you). For one, if Sharp _was_ an employee in March and not at the time of writing, it is accurate to write it as-is, is it not?

The ad makes a couple of statements of fact, which parse true by my reckoning regardless of whether or not that person is one and the same.

I'm interested to see what comes of this, it feels to me like desperate swinging looking for something to make contact with.

Having filled my home with Ubiquiti gear, and recommended it to many colleagues, I have been nothing but disappointed with their output of late, so much so that I recently began switching away from their gear. There is _something_ going on within Ubiquiti and it smells off.


Sorry, it is not. You use 'a/an' to establish a new entity. 'a Ubiquiti employee' is clearly not the same as 'a former Ubiquiti developer'. The proper way to acknowledge an employee (establish new entity) has been let go is to say the employee (refer to previously established entity) was no longer employed there.

This is something you have to be very careful about in patent claims.


Lawsuit aside, I consider Ubiquiti's founder, Robert Pera [1], to be a fascinating individual. He runs an $18B company where he owns like 90% [2] of the shares (pretty high?). Also owns an NBA club (Memphis Grizzlies). I just think he's pretty under-the-radar for his kind of success.

[1] https://en.wikipedia.org/wiki/Robert_Pera

[2] https://www.fool.com/investing/2021/09/28/3-stocks-with-78-p...


He doesn't just run Ubiquiti. He founded it on his own credit cards, based on his own product ideas. He built Ubiquiti from nothing, essentially. Also, prior to the "WSB" phenomenon, Ubiquiti was the subject of short campaigns and had really high short interest levels (https://www.fool.com/investing/2019/12/02/how-you-can-profit...) which they clearly overcame. Really fascinating story.


I'm the director of Free Law Project, the non-profit org that runs CourtListener. If anybody wants to get email or RSS alerts for this case, you can set them up here: https://www.courtlistener.com/alert/docket/new/?pacer_case_i...


If I understand correctly, there's a real edge case going on here: Everything Krebs reported was simply what he was told by a then high-ranking employee of the company. True, Krebs didn't know this at the time, but I would think it completely exonerates him (otherwise, it would be easy for corporations to destroy journalists they didn't like by having an executive give them false information which they then dutifully report).

Any legal eagles here who can clarify this aspect? Is "I was just repeating what your executive told me" a get-out-of-jail-free card?


I believe their complaint is that Krebs has never issued a retraction or clarified that his original article is false and that his source was the hacker. Even in his update article he uses wording to make it sound like his source and the guy arrested were two different people.


What is their legal theory though? Have courts found that journalist must retroactively update their previous stories based on new information? Even if they have, is that defamation?


It's quite funny that a company arguing "we disclosed because we filed an esoteric (in terms of public disclosure) security filing" demands that Krebs retract his previous story; maybe if he opens the front door and shouts "Sorry!" it would meet their level of communication?


Is it his job to authenticate the source, or, to authenticate, verify and validate the information in the story?


The standard for defamation is:

- knew that the statement was false and defamatory, or

- acted with reckless disregard of the truth or falsity of the statement in making the statement, or

- acted negligently in failing to ascertain whether the statement was true or false before making it.

Not vetting your sources can be seen as acting in reckless disregard of the truth or acting negligently in failing to ascertain whether the statements were true.


Of course, the story was posted on his blog. That's 100% his duty, or at least if he wants to maintain his reputation as a journalist.


Considering he considers his work "independent investigative journalism", I'd say that it is.


From my perspective, the failure was the lack of a correction. That's the point at which it goes from being "I trusted someone who I should not have, and was an unwitting accomplice" to the possibility of libel.


Defamation doesn't work like that though. The only thing that is relevant is what the author knew or should have known when they published the statement. There's no legal requirement to issue a retraction if you later know that your previous statement was false. Journalistic ethics says you should, but the law doesn't require it.

Issuing a retraction can potentially lessen the damages if the original statement leads to liability, but that's only relevant if the plaintiff first wins on the original statement being defamatory.


Unfortunately this is probably correct.

The right outcome here would be some form of retraction, and more visibility into how this came about in the first place.

As with all insider attacks, it's almost impossible to stop someone from doing the first bad thing, but you should have controls in place to easily identify who the bad actor was. Ubiquiti eventually did - with the assistance of the FBI, but not after the damage was done.

On the other hand, Krebs not vetting his source, and allowing this through, resulted in a 20% drop in Ubiquiti's stock - which affected the company, their employees (who have a financial interest in the stock) and played into the attacker's hands.

I'd like to see both of them come together and do a real strong analysis.

That said, the negative "tone" that came from these articles persists - take a look at this thread for evidence.

How many people know that Ubiquiti dropped the cloud login requirement? That their recent firmware and releases have been impressively solid (judging from my and community experience)?

I don't want Krebs or Ubiquiti to "win" here, I want people to behave ethically.


> There's no legal requirement to issue a retraction if you later know that your previous statement was false.

The public speech -> printed statement -> online publishing transition problematizes the meanings of "retraction" and "previous statement". Probably not legally, of course, but I'm thinking about the ordinary usage of these terms here.

Lots of traditional journalism outlets also publish online, but the way the reporting ends up being used is very different. Anything they put on their websites tends to live forever, and it's often difficult even for careful readers to remember to check the publishing dates.

If an article was published a year ago, but the page itself doesn't carry a retraction notice, I often assume the published information continues to be accurate. The lack of a retraction on an easily editable webpage indicates to me that the publishing individual or organization continues to endorse the material, as if it had been published the day I read it.

That's why organizations with journalistic integrity are so careful to add retraction notices to incorrect articles, even for small changes. I doubt it amounts to defamation to not add such a notice, but it certainly makes the violation of journalistic integrity much worse.


If this is the case, I am having a hard time understanding why the vast majority of media and particularly "news" channels in the United States are not being sued into oblivion then.


Because laws in the USA make it very very very difficult to hold media accountable. For good reasons - most of the time. But it has also led to the situation where media face no consequences here for their actions. The libel bar is far higher in the USA than in almost any other liberal democracy.

Honestly, all I would like to see here is a correction from Krebs, that enlightens people more about the risk of insider attacks, the role that the media can play in that.


Dominion Voting Systems is currently in the middle of suing Fox News, Newsmax, OANN and others for billions, so it's definitely a thing that happens.


Ah, the Streisand Effect[1]

Anyone else here who would have remained ignorant of this all absent this lawsuit?

[1] https://en.m.wikipedia.org/wiki/Streisand_effect


Their stock tumbled like 20% when this happened, it was pretty well known at the time.


I don't own any of their equipment. However, the actions that Ubiquiti is taking now are convincing me that I should not buy their equipment, ever.

Streisand Effect 1 - Ubiquiti 0


I do own their equipment but won’t be buying more.


I read in another HN thread that Ubiquiti was actually not hacked but that a former employee leaked information and tricked Krebs into believing he was a whistleblower.

Is there a more detailed write-up somewhere about what happened exactly?


https://www.techtarget.com/searchsecurity/news/252510411/For...

Basically, the insider used his credentials as a highly trusted resource to access internal repositories. He then anonymously blackmailed the company, threatening to go public as an "external actor" if the company didn't pay him. The company instead got the FBI involved - which Sharp was aware of because of his role at Ubiquiti. He then lied to Krebs at least once (probably twice), claiming first that an external actor had breached Ubiquiti and then that the company was deliberately covering it up.


The Department of Justice's indictment (https://www.justice.gov/usao-sdny/pr/former-employee-technol...) gives a fair amount of detail about what they allege happened, although it doesn't go into much detail about the interaction between Krebs and the accused.


Wait. They didn't actually get hacked, and because Krebs didn't actually check his sources the stock fell 20%? And they're only suing him now?


Good for Ubiquiti. Krebs' reporting on this was beyond scummy, just a total disgrace.


Ugh. My EdgeRouter and APs have been nice, but between the increasing cloud BS and now a SLAPP suit, they've lost my business for good.

No. My internal network infrastructure should NEVER depend on someone else's computer, ever.



Title is incredibly misleading and should be corrected.

They are suing for defamation because Krebs failed to retract anything after more information was revealed.


If you could just go ahead and win this for us, Krebs. Yeah, that'd be great.

Ubiquiti must have solid ground to be dragging themselves into this mess? I mean, from one side - it looks like a lot of people are on Krebs's side, awesome. But, from another - no one at Ubiquiti expected some kind of a pushback?


> Ubiquiti must have solid ground to be dragging themselves into this mess?

Not as much as you might expect.

There are so many times when I have seen cases made purely to save face or to be offensive as the best form of defence. I can't say whom but a Solicitor I know has told me of a number of cases she didn't expect she could possibly win in Court but the client had the money to pursue it to make some kind of point and didn't care whether they would actually win or not.

Not saying Ubiquiti don't have a good reason, just that they don't necessarily have one.


The below comment seems like solid ground to me but I don't think it will stick

https://news.ycombinator.com/item?id=30850416#30851334


Putin thought he was on solid ground that taking over Ukraine would be simple as well. This is one of the problems of having those that report to you be too scared to tell you the truth vs what they think you want to hear. I could see where the board/c-suite of Ubiquiti are all so pissed about the situation that they cannot hear or are not being told that this lawsuit is having and will continue to have a worse negative impact than just leaving it alone.


Well. I realize that the original story got amplified, but seeing that lawsuit is the last nail in the coffin of my view of ubnt.

Telemetry, declining quality, outdated software (log4j was so old it was hard to patch), NVR discontinued, and now this. It's over for me. I will never sell ubnt again.

I liked their positioning in the market; it was my go-to solution for small to mid deployments, up to 20 APs.

A few days ago, a customer got their NVR hacked and it started (well, it tried) to mine crypto. I had told him it would happen eventually, so I had limited the NVR user permissions and resources to the strict minimum, which mitigated the attack.

I ended up coding an in-house solution, with a mix of ffmpeg RTSP->HLS bridges and motion for motion detection. Nothing fancy, a few scripts and a few HTML pages.


Suing a journalist is not a good look. I wonder what other vendors out there will take up some market share from them after this nonsense is over. Hopefully in the end this turns into a net positive for Krebs.


I'm not sure, given their history of flat out lying / misleading in regards to product features, that Ubiquiti wants the same sort of reasoning to apply to their own misstatements.



Here's an interesting fact – ~92% of Ubiquiti's shares are owned by its founder and CEO Robert Pera.


Can I not write in my blog whatever I want? Who says that I cannot spread lies [1] about companies? Freedom of speech?

[1] I have no idea which side is correct, I am just assuming Ubiquiti's claims are correct.


I mean, no, defamation laws are a thing.


Sure, I was more interested in the response from the other side of the debate, why I should be able to write whatever I want. Admittedly the way I worded it probably achieves the opposite.


Not really, not in the USA. The laws are very very weak here.


> Who says that I cannot spread lies about companies?

Many countries have laws specifically outlawing this behavior.

If you're curious specifically about the intersection of those laws and the rights afforded by the First Amendment in the United States, read https://en.wikipedia.org/wiki/Defamation_and_the_First_Amend...


You can write whatever you want in your blog. No one is going to stop you. However, that doesn't mean there aren't consequences for your actions.

Defamation can occur, and can be pursued legally against you, if you publish a blog where you knowingly proclaim something false that damages someone's reputation.


Quick summary:

https://en.wikipedia.org/wiki/Defamation#United_States

"Defamation law in the United States is much less plaintiff-friendly than its counterparts in European and the Commonwealth countries. A comprehensive discussion of what is and is not libel or slander under United States law is difficult, as the definition differs between different states and is further affected by federal law."

...but, there is such a thing as defamation/libel/slander in US law.


I’m of two minds:

On the one hand we need openness with regards to reporting breaches.

On the other hand we need truth in reporting. Krebs seems to be teetering at the edges. I’d rather have solid reporting without the drama.


Krebs also doxxes people he doesn't like, and threatens people who leave negative reviews of his products. He's a dark cloud over infosec and I wish people would stop linking him.


I stopped giving Krebs any kind of respect after he argued against GDPR protections on WHOIS records just because it makes his job (of doxxing people, I guess) harder. Sorry, but I can't see the privacy and physical security of millions of honest domain owners as a good trade-off for the work of "anti-abuse and security professionals".

I was also not amused when he started defending anonymous shell companies by saying "Not everyone who uses shell companies is trying to launder $$. Some people just really value their privacy."

https://twitter.com/briankrebs/status/1336487678301364226

I'm guessing that in addition to third-party WHOIS privacy, Krebs also has a shell company. Privacy for me, but not for thee.


Fun to see web ads in the PDFs submitted as evidence (e.g. exhibit A)


Can someone tl;dr this for me and others? Thanks in advance!


Krebs disclosed a breach of Ubiquiti. Turns out it was a key employee who was disgruntled. Ubiquiti claims there was no breach; an employee with access did bad stuff. Same employee might have been Krebs's secret source about the “breach”. Courts please make Krebs say it wasn’t a breach.


The tricky part is that insider information leaked to outside is still a breach and still needs to be mitigated against.


The damage was not the breach - or at least it wasn't the biggest factor. The damage was the second claim that Krebs made in a later article that it was being covered up.


I'm rapidly losing respect for Ubiquiti. This is the wrong approach. Security by obscurity is not security.

More information: https://en.wikipedia.org/wiki/Security_through_obscurity


This is not actually related to what's going on in this case.

They're basically suing because he didn't retract or update and clarify his (really false) initial story. Krebs was taken for a ride by his "source" who it appears was a disgruntled employee, causing the damage.

Should they have handled the situation better? Sure.

Will they win their lawsuit? Unclear; they've got a big hill to climb, so it seems unlikely.

Is this in any way "silencing" discussion about it? No, it is doing the opposite, and it's not as though Ubiquiti is unfamiliar with this, given their history.


> Krebs was taken for a ride by his "source" who it appears was a disgruntled employee, causing the damage.

To clarify the phrasing, the disgruntled employee caused the damage to Ubiquiti. He was the one who "hacked" Ubiquiti (actually he misused his credentials), was the "whistleblower" that fed Krebs information of his own "hack", and tried to blackmail Ubiquiti. All while he was a Ubiquiti employee... assigned to investigate the "hack."

Ref:

https://thenextweb.com/news/ubiquiti-ex-employee-hacker-whis...

https://www.securityweek.com/former-employee-accused-being-b...


"Really false" according to Ubiquiti - it seems KREBS disagrees.


Krebs disagrees a lot. Sometimes he's wrong though.

Anyone remember when Krebs doxxed the admin of cock.li because they disagreed with Krebs on Spamhaus' blacklisting policy? [1] (Spamhaus just blacklists all TCP SYNs, which can be easily spoofed since it's not the complete handshake)

I don't know. I believe that Krebs has usually good intentions, but sometimes he is just presenting his findings in a very malicious way.

[1] https://twitter.com/_mg_/status/1121316639637528576

[2] https://www.youtube.com/watch?v=h8WCVwyZyg0


> Anyone remembers when Krebs doxxed the admin of cock.li because they disagreed with Krebs on spamhaus' black listing policy?

I don't shed a tear for that person though, as someone who has gotten about three dozen murder threats that were sent through their service.

cock.li is an awful service that serves no legitimate purpose other than enabling people to cause harm. The admin should have been arrested at 36c3 by the police instead of simply being booted out for his neo-Nazi domain names, but unfortunately our police are incredibly incompetent.


Sorry, but just no. Just because someone abuses a service, it doesn't mean that it "serves no legitimate purpose".

You see, people are using Tor to buy drugs and to share child porn. Does that make Tor a tool "that serves no legitimate purpose other than enabling people to cause harm"?

I am a happy user of cock.li, because it's one of the few email providers that don't require my phone number (unlike gmail, outlook etc). I don't mind that they also offer joke domains such as "hitler.rocks", since I know what a joke is.


> since I know what a joke is.

https://en.wikipedia.org/wiki/Poe%27s_law

Not judging one way or the other, just saying that it's incredibly risky to make jokes like this, especially in the current climate, where the narrative and emotional response matters more than facts and rationality.


Saying "Hitler rocks" is literally a crime in Germany and many other European countries (per §86a StGB / DE, for example).

Not complying with court orders for information disclosure is also either a crime or a serious infraction (Ordnungswidrigkeit), too.

As said, the guy got lucky he didn't get arrested like he should have been.


Last year, the government director Dr. Trips-Hebert explained the facts and the law to prevent misunderstandings like yours in the future. [1]

Let me translate the key section of his letter: "Section 86a of the Criminal Code is located in the third title of the first section of the Special Part of the Criminal Code. The offenses of this title criminalize acts that constitute a 'threat to the democratic constitutional state.' The protected interests of the provision are political peace, the free democratic basic order, the idea of international understanding, and Germany's reputation abroad. The ban serves [...] to prevent the revival of the banned organizations or the aspirations they pursue [...]."

"Hitler.rocks" does not fall under this, since it is not a "threat to the democratic constitutional state". That's also why satire magazines like "Titanic" are allowed to publicly show swastikas on their front page. [2]

A domain about hitler minerals [3] which does not aspire to the revival of banned organizations such as the NSDAP (there isn't any Nazi-glorifying content on the website) does not reflect a threat to Germany's democratic state. At least I hope so :)

[1] https://www.bundestag.de/resource/blob/869290/c8bd5f14ef172e...

[2] https://www.titanic-magazin.de/heft/2017/april/

[3] https://www.youtube.com/watch?v=yDVIrp8XaWI


Can you point to the specific subsection of §86a StGB that would apply here?

I feel like the law would be especially difficult to apply in this context given that the domain names offered by cock.li are obviously picked for the sole purpose of causing offense, not to promote an unconstitutional organization.


You were sent murder threats but you're pro-doxing?


You want this guy to be put in jail over his childish joke domain name, and he’s supposed to be the bad guy? Look in the mirror.


"False" in this case means different things to different parties.

To Krebs, false means he did not accurately report the information as presented to him. In that way he is correct.

To Ubiquiti, false means the information was willfully inaccurate, should not have been deceptively presented to a notable authority in the tech field, and this should not have been published.

Ubiquiti has to sue Krebs to show that the damage to their reputation was related to his reporting, which they can tie back to Sharp. Krebs has to defend his standpoint to show he was not complicit in Sharp's planned sabotage. I expect they'll settle once the sides are fully aired.


Krebs has an easy win here, I'll be very surprised if he settles.

The bar to show defamation in a case like this is very high. Ubiquiti isn't going to meet it.


The FBI also seems to disagree, seeing as they arrested Krebs's source, indicating that there never was any third party hacker, just that individual insider.


Does bringing this suit open up Ubiquiti to discovery?


Yes, if it gets that far without being settled or dismissed in some other way. One defense to defamation is to claim that the statements are actually true (or substantially true). If the case ends up turning on a factual disagreement over whether the statements are true, both parties can ask for discovery of evidence that would help shed light on that.


Of course it does.



