Time to switch to Huawei !!!
It seems that if you want networking gear that does not spy on you then choosing non-American equipment is the best choice.
Ubiquiti Networks is once again under fire for rewriting its telemetry policy after previously changing how its UniFi routers collect data without telling anyone. These latest changes are mentioned in a new help document on the US manufacturer's website. The documentation differentiates between "personal data", which includes …
I am not even remotely able to write software or design an app but I would imagine that anyone who could design a tool to disable or reconfigure any telemetry would be a seller.
This entire culture of stealing data that is essentially my private property is intensely annoying to say the least. I have just discovered that when I use Bluetooth to read the app that runs my PV system, it automatically turns on Google location and though I can limit what it sends, I am not sure how limited that is.
Does he really think that moving to a different US company, even one as good as Cisco, will stop his data being guddled through?
You have a choice. You can either be monitored by US spooks and that will be then passed to US corporations or you can use Chinese stuff and possibly get monitored by their spooks but they are unlikely to sell it to US corporates to cover their costs.
That's the thing, if I'm getting monitored by the Chinese it's likely to be less obtrusive than monitoring by a US company. They're less likely to sell my data to advertisers and insurance companies.
So to a significant degree if I must choose to be monitored (since my only non-monitoring option is to do without a router) then it seems Chinese monitoring is less onerous.
I went through the same thought process when I got an Android phone and came to the same conclusion.
My sentiments exactly... Even if I'm being spied on by a Chinese system, they've little use for my data. Whereas, given how incestuous Western governmental agencies and companies are, it's far more invasive and has a direct impact on me personally.
> since my only non-monitoring option is to do without a router
Or you build your own router using PC hardware, and run something open-source. There are router bundles out there, but plain old Linux/FreeBSD will route happily.
Mind you, you have to beware that some open-source stuff phones home, and you may need to configure it not to. Even Debian and Ubuntu have for years included mandatory installation of a package called "popularity-contest"; although it's disabled by default it's still lurking there.
I use it on an embedded AMD Geode APU2 from PCEngines. This CPU only has one core and thus none of the Intel bugs of the last years.
It's passively cooled and I get pfSense updates for a very long time.
My access point is from Apple. I guess it does phone home a bit, but at least they don't sell to advertisers or hand it through to Facebook et al.
I hope it will be viable to run your own access point at some time (with open firmware).
I've been thinking the same thing, but navigating the DD-WRT Wiki page of compatible models is an exercise in frustration. That's largely the fault of the hardware vendors, of course, who release a bewildering array of short-lived landfill-destined models, often under similar names; but after an hour or so of research I still hadn't found one I could order online that I was reasonably sure I could flash with DD-WRT.
Obviously it's possible - I know people running DD-WRT - but the handful of old routers I had lying around don't seem to support it, and I hate to buy something for the purpose and then discover it won't work.
Look at the TP-Link stuff. A lot of their gear has OpenWRT support; for example I just put OpenWRT on a TP-Link N450. Fast and painless.
Yes, the rest of the low level firmware could probably phone home, but if I'm concerned about that in any specific application I just use OpnSense on old hardware free of the Management Engine and Platform Security Processor shackles.
For business-grade tech, I can't recommend pfSense highly enough. Needs a PC of some sort to run it on though (or a pre-built box, low power ones with AES-NI acceleration work great including VPNs), I run it on low power i5 and i3 boxes myself that I picked up cheap on eBay. Absolutely rock solid, and far easier to work with than the likes of Cisco ASA kit that I've had to deal with in the past.
DD-WRT works reasonably on consumer grade gear with built-in wifi etc though, it can just be a little quirky, especially if you want to do anything semi-advanced (like most Linux systems, get comfy with the command line if you do), though it does have a reasonable amount of power there when it actually works as documented. Do still have a Netgear R7000 AP running DD-WRT at work just for the wifi and a VLAN breakout though, does the job brilliantly, once I'd beaten it into submission for a couple of days to make it function as it was supposed to.
I was a long time user of pfSense, but was using it for customers' sites, something their license began to restrict, we would sell hardware with pfSense installed on it, according to our interpretation of this https://www.netgate.com/blog/its-still-free-to-use.html that wasn't allowed. I haven't looked back at the project recently so this position might have changed, however, OPNSense which is a fork doesn't have the same restrictions. Also 3 years in I find the OPNSense GUI more usable and a regular release cycle is good too.
Not trying to start a holy war, each to their own :)
Came here to say that. OPNSense doesn't seem to be so well known, am spreading the word to everyone who says they use pfSense, and the general response is "hadn't heard of that".
The last person was well impressed with the improved GUI.
Yes, I used pfSense at a previous employer. A nice, cheap solution. We used a pair of old Pentium D machines for failover. Great for the basics.
My last employer used Palo Altos, excellent kit, but very expensive! It goes a lot deeper and blocks not just addresses, but it recognises data patterns and you block "by application", thousands of which are pre-defined. So, we could block cloud drives with a couple of clicks (DropBox, GDrive, OneDrive etc.).
We are currently using ZyWalls.
Ironically, at home I have a Ubiquiti Unifi Security Gateway and the first thing I did was block the trace.svc.ui.com domain to stop the telemetry.
No, it is:
BusyBox v1.25.1 () built-in shell (ash)
___ ___ .__________.__
| | |____ |__\_ ____/__|
| | / \| || __) | | (c) 2010-2019
| | | | \ || \ | | Ubiquiti Networks, Inc.
|______|___| /__||__/ |__|
Welcome to UniFi UAP-AC-Pro-Gen2!
unifiapacpro-BZ.v4.0.80# cat /etc/openwrt_version
unifiapacpro-BZ.v4.0.80# cat /etc/openwrt_release
DISTRIB_DESCRIPTION='LEDE Reboot 17.01.6 r3979-2252731af4'
DISTRIB_TAINTS='no-all mklibs busybox'
That's not really the point. These are sold as business wireless infrastructure kit, to be managed either in-house or by a paid third party. In that scenario the person responsible for the kit should easily be able to find out what it does and choose what telemetry is appropriate in their environment. Turning off telemetry should not require you to create firewall rules.
In their defence, whilst they say that you can't disable it in the 4.1.x firmware at the moment, there is a workaround.
> If you do not wish to participate/provide this data, we will add an opt-out button in upcoming versions that will make it easy to opt-out of providing this data. In the meantime, you can block traffic from UniFi devices to trace.svc.ui.com.
I put a block on that domain at the firewall. Not ideal, but at least you can opt yourself out.
It is a shame, they make great hardware and it is relatively easy to set up. I really like it, apart from this issue.
I use a Ubiquiti USG as my firewall for the convenience of a single management pane of glass. This is completely unacceptable.
In the short term I am going to block them in DNS, and in the slightly longer term I am going to have to get another OpenBSD box with PF in transparent bridge mode to block them.
That Ubiquiti made that decision in the current climate tells volumes about how much they care about their users' opinions (they don't).
I think that that decision will come back to bite them, because awareness is growing on this issue. Companies that just Trump around with their own promises are going to find that the market will react more and more.
And that is a Good Thing (TM).
Ubiquiti are really doing their best to piss people off. I don't have an issue with them wanting to collect information but I have a huge issue with them enabling it silently. Twice. There was a lot of backlash when they did it first time around so it's mind boggling that they're doing it again.
To stop them getting any data out of me I've blacklisted trace.svc.ui.com in Pi-Hole, added a firewall rule to block my access points' internet access, turned off the analytics and improvements in the controller and further disabled things using config.properties. I shouldn't have to do that. If there were a toggle in the controller that disabled it then I'd be happy enough. Still pissed off that it was enabled by default but making it simple to disable it would stop me moaning.
I like Unifi kit but I'm really beginning to dislike the people that make it.
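Added example, not part of any comment in this thread and not Ubiquiti or Pi-hole code: one way to check from resolver logs whether the DNS block on trace.svc.ui.com described above is actually taking effect. It assumes dnsmasq `log-queries` style lines (Pi-hole's resolver is dnsmasq-based); the sample log, the addresses and the sinkhole answer set are constructed for illustration.

```python
import re
from collections import defaultdict, deque

TELEMETRY_HOST = "trace.svc.ui.com"  # the domain named in the thread
# Assumption: the sinkhole answers with one of these instead of a real address.
SINKHOLE_ANSWERS = {"0.0.0.0", "::", "NXDOMAIN"}

QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[\w+\] (\S+) from (\S+)$")
ANSWER_RE = re.compile(r"dnsmasq\[\d+\]: .+ (\S+) is (\S+)$")

# Constructed sample log; client, upstream and answer addresses are made up.
SAMPLE_LOG = """\
Jan 10 09:00:01 dnsmasq[411]: query[A] trace.svc.ui.com from 192.168.1.21
Jan 10 09:00:01 dnsmasq[411]: forwarded trace.svc.ui.com to 192.0.2.53
Jan 10 09:00:01 dnsmasq[411]: reply trace.svc.ui.com is 203.0.113.10
Jan 10 09:04:30 dnsmasq[411]: query[A] example.org from 192.168.1.50
Jan 10 09:04:30 dnsmasq[411]: reply example.org is 198.51.100.7
Jan 10 09:10:02 dnsmasq[411]: query[A] trace.svc.ui.com from 192.168.1.20
Jan 10 09:10:02 dnsmasq[411]: config trace.svc.ui.com is 0.0.0.0
Jan 10 09:12:45 dnsmasq[411]: query[A] trace.svc.ui.com from 192.168.1.21
Jan 10 09:12:45 dnsmasq[411]: config trace.svc.ui.com is 0.0.0.0
"""


def audit(log_text, host=TELEMETRY_HOST):
    """Count, per client, telemetry lookups that were sinkholed vs. resolved."""
    pending = deque()  # clients whose query for `host` has no answer yet
    counts = defaultdict(lambda: {"blocked": 0, "resolved": 0})
    for line in log_text.splitlines():
        query = QUERY_RE.search(line)
        if query:
            if query.group(1).lower() == host:
                pending.append(query.group(2))
            continue
        answer = ANSWER_RE.search(line)
        if answer and answer.group(1).lower() == host and pending:
            # Simplification: answers are paired with queries in log order.
            client = pending.popleft()
            sinkholed = answer.group(2) in SINKHOLE_ANSWERS
            counts[client]["blocked" if sinkholed else "resolved"] += 1
    return dict(counts)


def leaking_clients(log_text):
    """Clients that received a real answer for the telemetry host at least once."""
    return sorted(c for c, n in audit(log_text).items() if n["resolved"])


if __name__ == "__main__":
    for client, n in sorted(audit(SAMPLE_LOG).items()):
        print(f"{client}: blocked={n['blocked']} resolved={n['resolved']}")
    print("received a real answer:", leaking_clients(SAMPLE_LOG))
```

A client reported by `leaking_clients` got the host's real address at least once, here before the blocklist entry existed. Devices that use a different resolver never appear in this log at all.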
A Venn diagramme of WiFi device purchasers and privacy geeks would have a large union set. And surely Ubiquiti sales depend upon nerdigensia influencers - why would they be so stupid to burn their goodwill? I found out about Unifi products via geek forums.
They were my default supplier and I used to recommend them whenever WiFi discussions came up. They lose my voice, although I will probably grudgingly continue to buy their products because they are now the devil I know...
> And surely Ubiquiti sales depend upon nerdigensia influencers - why would they be so stupid to burn their goodwill?
It seems unlikely that home network nerds are a significant revenue source for Ubiquiti; how many APs do you need in a house, anyway? One large arena, stadium, or office campus project probably generates more money for them than all of the home nerds combined.
The Ubiquiti gear is starting to get popular among the "prosumer" crowd, so it is probably larger than you suggest. But I imagine that the WISP market is their main profit source. You have all of the CPE kit, sector antennas and APs, and possibly some backhaul radios. Those airFiber radios aren't cheap.
> provided they really don't collect personally identifiable data
They claim to record location data, IP address, and websites visited.
Article 4 (1): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
It might depend on the time-windows for their anonymisation data. If it's once / year, they're probably OK, but the data is useless. If it's once / minute, then even in a corporate setting, if I'm the only one on the wifi network, late at night, say, they are collecting personal data about me in near real-time.
Let me count the ways I love hate you UBNT - Tips hat to Elizabeth Barrett Browning, Sonnet 43.
1 Potentially exposing CPNI
2 Borky FW upgrades
3 Supply chain problems
4 Newest forum format
5 Tough Cable
6 JAVA fetish
7 Firing Mike Ford
8 airView bricking Titaniums
-=World's First UBNT airMAX WISP=-