As a lawyer, i've read this entire filing and it seems like nonsense at a glance.
Krebs mentions the person was arrested. Ubiquiti claims first that he doesn't point out the person he sourced it from was arrested, and that he tries to mislead people by not saying repeatedly that the person is basically a felon, and that being arrested makes him an invalid source of evidence, etc. They also claim he describes him as a current employee.
This is all nonsense AFAICT
1. Krebs mentions the person was arrested.
2. Krebs says "In March, a ubiquiti employee said X". That was accurate at the time (AFAIK, and ubiquiti cites no real evidence I see that Krebs should have known it was not true).
3. Krebs carefully points out the arrested person claims x and y (which is accurate).
4. The filing says Sharp made false claims, and spends a paragraph explaining them.
5. The filing says Krebs made them too, but ironically, for all of its bluster, doesn't cite where and when (that I can see), and which exact claims, they are claiming Krebs said that were false.
6. The filing cites no evidence that Krebs knew or should have known, in March, that the claims were false. They get into some weird arguments about their 10-q filing but it's hard to understand the point they are trying to make. It appears they are trying to claim that krebs should have known they notified the public but i think that's kind of a silly argument - krebs is clearly talking about their users, and most users do not read 10-q's. Saying you notified the public because you put it in a 10-q is like saying you notified the public because you put it in a classified ad section. It's dumb wordplay.
7. The December blog post they say he "doubled down on" seems again, carefully written to say what Sharp claims, not what Krebs claims.
I could go on.
The whole thing is, IMHO, not written very well. It's very emotionally written for a pleading, and you will be hard pressed to find a judge who will get themselves worked up over that kind of writing. Instead they mostly roll their eyes and wish that someone gave them a clear and convincing pleading instead.
Put another way - if there is a case here, it isn't visible on this pleading. This feels like "throw a bunch of emotional stuff at a wall and hope it sticks", where you really want "here is an open and shut case of why this person defamed us"
I'm also a lawyer. The things that caught my attention were the embarrassing misspelling of the word "damning" as "damming," and the fact that this was drafted and filed by a specialty boutique law firm (Clare Locke LLP) - I'd have expected a company with Ubiquiti's resources to bring out the big guns with a white-shoe Washington-area firm. Makes me wonder if the company is on the skids.
I guess they filed in VA because they have no anti-SLAPP laws there so they didn't necessarily have their pick of firms:
Via Twitter, T. Greg Doucette, a criminal defense attorney and former computer scientist, opined that Ubiquiti's lawsuit would be considered an attempt to suppress lawful speech – a strategic lawsuit against public participation, or SLAPP – in states that have anti-SLAPP laws.
"It's a SLAPP: the coverage by Brian Krebs was substantially true and/or First-Amendment-protected opinion, and the lawsuit basically admits it in the text itself," Doucette wrote. "But Ubiquiti intentionally filed in Virginia, because there's no anti-SLAPP statute there."
In fact, my guess is all the commentators thinking VA is about anti-SLAPP are wrong. My guess is VA is about some state-specific cases or interpretations of defamation law around corporations they thought were more favorable to them (i'm barred in DC and MD, but my recollection is that VA has some) They were going to face a relatively fast motion to dismiss in any state.
What really will matter is how favorable the state views the defamation-against-corporation claim, whether it has an anti-SLAPP law or not. If the state views it as strong, anti-SLAPP wouldn't matter because it would survive. If the state views it as weak, anti-SLAPP may kill it a little earlier but it will still go badly for them quickly.
The only practical advantage to the anti-SLAPP for defendants like this is that
A. you often can get a faster hearing
B. you often have guarantees around damages for bad-faith claims.
anti-SLAPP is much more useful when it's david vs goliath, and the small guy either needs a hearing in a week or two or ends up bankrupt from lawyer fees.
To be fair, Clare Locke specializes in defamation.
They are counsel for dominion in the suit against sidney powell.
They are counsel for shotspotter against Vice Media.
etc
They actually appear to have sued a lot of media companies at a glance.
But it's hard to tell. I think it would be more accurate to say "if you want to sue someone for defamation, they'll do it as long as it's not a conflict" :)
(IE they don't seem to be particularly pro or against anything).
It seems like a reasonable firm to hire for defamation if your goal is something like "get people to retract claim/apologize or go at them legally until they do".
But to your point, it's definitely not the "bury them/grind them to dust with a million lawyers" they would get at a large law firm.
I don’t know much about how law firms operate but could it be that the big fancy firms wouldn’t want this case if they think it’s a losing one? If they possibly considered it a “free speech” type case that wouldn’t fly in most states like the other commenter mentioned could they be concerned about their reputation?
That's what I think - the big firms are perfectly capable of filing lawsuits that are just on this side of frivolous, but they will charge quite well for that.
The smaller firms are more likely to be willing to say "eh, it's your funeral".
You have any links to those stories? Would be interesting.
Personally I hate the way they're going towards cloud accounts and dedicated management boxes. We used to be able to just install a docker to manage everything but the latest hardware ranges (eg their video offering) require dedicated management hardware. They're also pretty slow with uptake on new standards like WiFi 6 and now 6E.
The ideal selling point of ubiquiti was self-managed near-enterprise quality hardware with free self-hosted management and decent hardware prices.
I can't fully blame them because I know venture capital idealises subscription pricing and data mining right now but it won't work for me and it's annoying having to look for another option again when I'm invested in their ecosystem.
But anyway it would be interesting to read more about what's going on behind the scenes.
"Gotchanomics" is such a shitty model - you get something valuable, begin to trust the vendor, establish a system with their equipment, and then they pull a bait and switch, trying to get away with shitty service, mediocre replacements for good products, moving services to the cloud and subscription based nonsense - Nickel&Dime As A Service.
If I'm faced with paying premium rates, I'm going with Cisco and premium vendors. Ubiquiti's value was good equipment at reasonable prices to the point that you could buy spares for reliability and save 90% of the cost of service contracts from premium vendors. That differential was the absolute wrong space for them to try to tap for more profit, because nothing else was special about the brand. Cheap, decent, "good enough" network gear is now a market available for exploitation, ubiquiti has lost it.
> "Gotchanomics" is such a shitty model - you get something valuable, begin to trust the vendor, establish a system with their equipment, and then they pull a bait and switch, trying to get away with shitty service, mediocre replacements for good products, moving services to the cloud and subscription based nonsense - Nickel&Dime As A Service.
Exactly, well put.
For what it's worth, I have been bitten by this practice of "gotchanomics" so many times that I've become a bit sensitive to any signs pointing to it.
I'm not 100% sure Unifi is doing this with their existing products, but new ranges like the video stuff require a modern management box which in turn requires a cloud account as far as I've heard. I've decided not to buy those for this reason. But it undermines my confidence in buying new gear for the ecosystem because it really feels like this will be the next step.
Like for example i have switches that get confused and started reporting things are connected to ports 57-62 (on a 24 port switch) and switching them wrong, etc.
UI they have been slowly screwing up more and more for years (How many years are they into the "new UI" migration for the controller?).
But the actual switching is pretty basic stuff (and a separate hardware chip they are driving that is not hard to drive), and simply shouldn't be going wrong in this way.
I've also got a UDM-SE and UDM-Pro that seem to have hardware issues on the SFP+ uplink when connected in certain ways (and won't break 500mbps upstream) no matter what SFP+ module is connected (fiber, dac, etc) if the LAN SFP+ port is connected at 10gbps. All the same modules work in every other router (mikrotik, etc) connected the exact same way.
(yes, before HN tries to debug this, IDS/etc is all turned off. There are no nft rules, no nothing, i have debugged this to death through the actual shell). Others have had the same issue.
They also have an $1800 ptz camera that can't follow objects even when it detects them (This is 100% basic functionality of a PTZ camera, especially at this pricepoint), despite promising it for years.
I have lots of these kinds of "why is basic functionality broken or missing" stories. Ubiquiti gets it out the door, says they'll fix it all in post, and moves on to the next thing.
They aren't a hardware manufacturer, they are a bad AAA game developer :)
Can confirm, same issues with SFP+ on my UDM-Pro. The software updates for this thing have been so bad the last year, incredibly buggy, it's infuriating.
My current favorite was the update to the AP Pro APs that broke everything if you were using a wireless uplink (I was using one to bridge a semi-decent signal to my garage). Clients connected to that AP had zero connectivity to anything else, despite the Controller saying "all good!"
Gee... I'm glad I walked away from it. I was about to go for UDM-Pro when updating my home network devices. Then I read some HN saying they were putting ads to the console pages.
But that wasn't really about the product itself. What you mentioned were really, really serious product issues in areas where I suppose almost every other vendor is rock solid.
If you've set up a local-only controller, avoiding cloud nags, and poked around via SSH on their boxes, you'll realize it's nice, solid, hardware but the adoption process is a brittle and buggy mess. The controller is Java and Mongodb and picky to install but fortunately someone is making dockerfiles for it.
I think it's still an okay value but you need to watch your flanks.
You can still use their products without a dedicated box or cloud accounts by running the UniFi admin console in your own network. Can you clarify what you mean?
All of my wireless gear and most of my switching is UniFi running against a self-hosted controller without cloud access. This works fine.
However, UniFi Protect is hardware only. You have to have either a UDM, a CloudKey Gen2 Plus, or a UNVR. I bought into Protect a couple years ago and now I'm sort of stuck with it. I _think_ that I could de-provision the cameras from my UNVR and use them standalone with BlueIris or Frigate but I've heard stories that they gimp the RTSP resolution on the G4 Pro camera (of which I have three).
I understand that the UDM range of products can no longer be set up without a cloud account, and none of the video products can be hosted locally.
I was thinking of a newer gateway as the USG is too slow to do decent IDS. And the video for my home.. But I didn't buy either for this reason. I looked at it about 2 years ago.
It feels like they want to do the same with the older network gear but they just won't because there will be too much backlash from the move.
They don't necessarily promote their self-hosting software method of Unifi management, and they outright removed support for Unifi Protect unless you buy hardware.
Want your surveillance video to be cloud-hosted or on your own pre-existing RAID? Pound sand!
My employer switched from Ubiquiti to Aruba. Much, much better. Far easier to manage. The Ubiquiti APs had very little range and below-threshold subscriber loads would cause them to become unstable and require a reboot. No good when 500 employees and guests are attempting to get work done. We issue primarily laptops with only certain people getting docks for Ethernet. Quite a few people have purchased the Anker USB-C dongle docks from Amazon and use their IP phone's secondary Ethernet port for a connection if they want a solid Ethernet connection.
At home I'm happy with Google WiFi mesh all around my house.
Thanks for the tip on Aruba. Right now my all Ubiquiti home network is awesome because I have a docker controller image. As soon as something goes out though, I am done with these clowns.
Wasn’t sure where to look next… note taken on Aruba
+1; exactly my case. I have a handful of Ubiquiti APs and the network is now rock solid, so my plan is to wait until WiFi6 becomes mainstream (or they mess up with updates) - and then I'm gone forever.
After they bungled reporting the hacks last year, I promised to never purchase anything from Ubiquiti again. Good to know Aruba may be an option.
My understanding is that Instant On APs drop their wifi clients when they lose internet access and that this is billed as a feature. Maybe that's changed recently.
My internet frequently (although less lately) stalls out for minutes at a time, once or twice a day. I don't want my AP to kick me off wireless when I'm refreshing my monitoring app waiting for internet to come back up, or for me to be locked out of my security cameras, or for wifi-only IoT things which don't talk to the internet at all to get kicked off and have to reconnect.
The access points are cloud managed only (I believe the switches can optionally be managed through a local webui) but very solid hardware, quite easy to set up, and probably feature rich enough for basically anyone who isn't trying to mess around with an enterprise environment at home.
Instant On has several limitations like maximum APs in a site or maximum clients. I don’t want to say they are bad products but it’s only useful for a small network.
TP-Link Omada is a very similar system like UniFi in this price range. Their Controller GUI almost looks the same as UniFi‘s.
I've only used both in home and small office settings, but I found TP-Link's Omada line of APs to be equivalent to Ubiquiti APs. Same type of hardware, same type of controller software you can run on your own machine. I don't know enough about APs to say whether the performance matches.
One thing i have that often limits my choices is that the ubiquiti's are recessed into my ceiling (6 AP's).
I can do the drywall work, if they make the mounts :)
If I have to, I guess i can make some from scratch in solidworks, but i'd rather not.
Ruckus is not bad, but not great either. I've got a ICX 7150-C12P that worked fine until the PoE power supply failed just a few months out of warranty. I'm glad that I did not pay them for the "license" to use the SFP ports (which every other manufacturer just enables by default).
I do like their WAPs. I've got a couple of RS510 WAPs that do a great job, but initially they had some noticeable performance problems for almost a year until fixed by a firmware update.
Is Draytek any good? I've just gotten their AX router and mesh APs / smart switch and apart from one significant bug which made the router restart every few hours if the wi-fi interface was on, it seems to be ok.
Anything I should keep in mind before I get more of this brand?
You can’t beat mikrotik's routers (rOS / routerOS) and their routing hardware. I actively managed well over 500x of them. However, I agree with another reply that their access points are definitely a side show for them.
The unfortunate part is their interface and sw capabilities are so great that if they just put some additional effort + latest gen hardware towards their access-points they could become one of the top players in Wi-Fi.
(I also manage several hundred mikrotik access points).
Ruckus is my go-to for access points/ client Wi-Fi. (I manage 1000s of ruck) Excellent hardware. Every AP they offer can have its firmware flashed to either fully standalone, OR centralized manage (vSZ / ZoneDirector), OR unleashed (which is AP self-managed for up to 25 local aps).
Another much overlooked feature of ruckus is that every function can be controlled/modified via SSH. While not as powerful as a true API, it’s still very powerful and often very overlooked.
For home use I've not had any problems with their AP hardware. But it's definitely not been stressed. I was just after something that has enterprise features but not the price. routerOS covers that soundly (almost too well as the configuration can be confusing if you don't know networking).
The APs have great options. Cloud, local controller (their hardware device, software or a docker container), or none at all. If you want to start with a single AP you don't need the manager.
I bought their largest AP, the 660, attached it to a second floor ceiling, and found it covered my whole home and much of the yard. It supports 100s of clients.
They can be handled entirely locally; the cloud management bits are optional.
(I reworked our home network to Omada gear last fall. OC200, ER605, a few managed switches, couple of EAP245 APs. Overall quite happy with it; as the person above said it's pretty much fire and forget once you get the initial setup done. Used to use -- and enjoyed -- Mikrotik but alas their wifi support/performance at least on the home front has stagnated over the past several years.)
I have a tp-link Omada setup in my new house. I run the management interface on the LAN in docker on an old Linux box (runs pihole too). Works really well so far! I have the wifi 6 APs, a PoE switch, and a router. I have 1gig symmetrical fiber and everything is reliable and fast now. Previously I had an edgerouter-x and it was very flaky.
You can handle it locally, I do. The only feature that doesn’t work with it off is automatic firmware updates. You can still update firmware, you just have to download and upload it manually. It doesn’t even nag about setting up a cloud account.
The only thing I regret of theirs is the router (TL-R605). It’s not bad, but the VPN performance is mediocre, and I always wonder if I would’ve been happier with pfsense. Every other piece of hardware has been great.
I have installed six in a big old house (with almost a meter deep interior walls !).
I manage them with an app on a tablet connected to the same LAN, I've disabled all cloud management. That said, they are almost configure and forget, after the initial install I've only had to upgrade the firmware when I visit the site.
The argument is that there aren't two people, there is just one who was arrested.
Krebs's original source for the March article was the fake whistleblower extorting ubiquiti. He had just gotten raided by the FBI. Which is why the tweets are being mentioned.
Krebs doesn't claim there were two people anywhere?
Ubiquiti hangs this entire argument about this on using slightly different wording to refer to a person in two places in an article.
But if you read the article, he reports the facts in a literal linear timeline fashion, attempting to use what appear to be time-correct monikers.
IE He literally says (see the screenshot)
In January x happened
in March, a ubiquiti employee said something
in November, a former developer for ubiquiti was arrested and charged.
He never says the march and november people are different. He is reporting exactly what happened.
They claim he knows they are the same person, and should refer to them as such but they literally don't even provide any evidence of this either (ie that it was Krebs source).
It wouldn't help them (because what krebs says does not seem wrong or untrue), but they don't prove it either.
IE even if krebs knew they are the same person, the above appears to be a totally accurate rendering of the story. Krebs is only required to be accurate.
Did a Ubiquiti employee say X in march (or did Krebs have good reason to believe a ubiquiti employee said X in march)?
Did a former ubiquiti developer get arrested in late november?
Yes? (AFAIK, yes)
Okay, case over.
The fact that they don't like his reporting doesn't make it untrue, and if they want to show it's untrue, as I said, this filing does a bad job of it.
The problem for Krebs is that (if the criminal case against this guy is true) Krebs was a party to the crime. He was the medium for the extortion. He is the guy that published and spread the damaging story! And he’s still doing it!
It’s as if a bank robber was dressed as an innocent old lady and tricked Krebs into carrying the bags of stolen money to the getaway car. Except here, the robber is in the back of a squad car and Krebs is still transporting bags of cash! It doesn’t matter whether the statements were true, they’re an act of extortion! Extortion is defamation per se.
None of the above. My answer is much more mundane.
Krebs almost certainly has professional liability insurance (if not, that would be pretty dumb at his scale)
I would call up my insurance company, tell them i've been sued, send them the documents, and then go back to my day.
I would then proceed to follow their instructions, and not care too much about it, unless i was asked to do things that i wasn't willing to do
IANAL and I haven't read the filing. I'd assume, based on what I've read thus far (and the fact that it's a pretty standard initial response), that he'll file a motion to dismiss and go from there.
It seems plausible that he could have a decent chance of having such a motion granted -- the bar is generally "in the light most favorable to the plaintiff [Ubiquiti]". Based solely on the commentary I've read, it sounds like the complaint could be deficient.
They very well have opened themselves to discovery, which is why it is very unwise to throw stones in glass houses when it comes to litigation. I have seen this before where a company opens a defamation suit against someone, they then don't get the results they were looking for and end up losing a countersuit or end up settling out of court because of their idiocy.
I'm not sure what they are thinking on this, but this is also the company that wired 46 million dollars to fraudsters, so it's obvious they haven't made wise decisions in the past.
Not a lawyer, but I read like one, and I agree this is one of the most butthurt and factless filings I've ever seen. How can they SLAPP? How can they SLAPP?
Time for congress to make some anti-SLAPP laws; it seems to me as a non lawyer that this is a SLAPP that they forum shopped for. Especially since they don't seem to have pleaded anything that would surmount the “actual malice” requirement for defamation required here.
Has Krebs said his source was arrested? According to my reading Krebs only said that “a” former Ubiquiti was arrested, with no indication that it’s the same person.
Yes.
Here's the thing: It doesn't matter.
Let me back up a bit.
To start with, corporate defamation is ... complicated to begin with.
There is no liability for defaming a large class of people.
If i say "all people wearing blue are pedophiles", i can't be sued by anyone wearing blue because i defamed them :). This is because defamation is, at the core, about injury to reputation of individual people. It's really hard to meaningfully injure the reputation of individual people with general statements (it's not impossible mind you, but for the average joe it's pretty hard).
So first you have to be able to identify what is defamed, exactly.
Second, corporations have no reputations in any easily definable personal sense (and remember, defamation is about injury to reputation).
Why do I go into all of this? Because it's at the core of what standard you would have to meet to be liable for defaming a corporation.
Generally three ways to prove defamation of a overall:
Prove the person knew that the statement was false and defamatory, or
Prove the person acted with reckless disregard of the truth or falsity of the statement in making the statement, or
Prove the person acted negligently in failing to ascertain whether the statement was true or false before making it.
The first almost never happens.
The second almost never happens.
The third is what gets most people.
The third is also, it turns out, not available if the defamation was of a public figure.
In fact, for public figures, you have to prove one of the first two by clear and convincing evidence (which is higher than the usual burden of proof in a civil case, which is preponderance of the evidence).
So if ubiquiti, the corporate plaintiff, is held to be a public figure (or some other variant, like a limited purpose public figure, etc), as long as krebs was only negligent (an idiot) rather than malicious (deliberately ignoring the truth or falsity), it still wouldn't be defamation.
Ubiquiti is almost certain to be held to be some sort of public figure - they even sort of out themselves on this by pointing out they file 10-q's with the SEC and expect all their interactions to be with the public.