back to article Ubiquiti sues Krebs on Security for defamation

Network equipment maker Ubiquiti on Tuesday filed a lawsuit against infosec journalist Brian Krebs, alleging he defamed the company by falsely accusing the firm of covering up a cyber-attack. On March 30, 2021, Krebs reported that Ubiquiti had disclosed a January breach involving a third-party cloud provider, later revealed to …

  1. lglethal Silver badge
    Stop

    Having never heard of Ubiquiti (so obviously there not ubiquitous. Sorry I couldnt resist that. ;) ), they have now entered my personal lexicon of firms I wont be doing any business with in the future.

    Excellent use of the Streisand Effect, right there. Well done Ubiquiti...

    1. sten2012

      Unfortunately their equipment is excellent and I'm not aware of a reasonably priced equivalent.

      Sad to say they will still have my business on that basis. Having said that I do hope they drop this immediately or swiftly lose the case without this dragging on.

      1. Anonymous Coward
        Anonymous Coward

        Excellent? No so good anymore

        Their equipment was good and low cost. Now, not so much. Part of the stock drop was because a bunch of potential investors started googling them for problems and the list of problems is long and ever growing. Their access point radios were good and their edgerouters were great for ISPs, SME and home tech users but there are signs they aren't interested in their edgerouter line anymore. Their other products are anything but unified as they need different controllers and more and more hardware to keep up which pushes them out of the good value range. They no longer sell a low end router with enough memory for IPv6 BGP to two sites. Their cloudy stuff looks good but misses the mark with simple things like "when did this site last check in?" and It claims 350g has been downloaded... over what time? Their interface doesn't even allow decent tracking of problem devices and they seem to be chasing the shiny over real functionality. The real problem is everyone else in the lower cost part of industry seems to be worse and heading down even faster.

        1. localzuk Silver badge

          Re: Excellent? No so good anymore

          Huh? What products need different controllers? Do you mean different entirely different segments?

          Ubiquiti's Unifi networking range all uses one controller.

          Their CCTV platform all uses one controller.

          Their phone system uses one, etc...

          Or do you expect one controller to handle all that? If so, that'd be a bit odd as no other company does either from what I can tell.

        2. sten2012

          Re: Excellent? No so good anymore

          I should probably clarify - I _am_ a home user of their gear and my business loss would mean f/a to them anyway!

          It has been excellent for me. I only use their access points (a few) and don't bother with anything else (already had what I need there so no pressing need to lock myself into a vendor ecosystem, may think about them for a switch if mine dies, etc).

          I've been in no rush to upgrade to their WiFi 6 models but have been thinking about it, are they when it went wrong? I say no rush because everything else works so well I just haven't seen the need.

          Software is.. OK for what I need. Basically just log in to make some changes every now and again, run some upgrades every few months.

          Do you have any specific suggestions for an alternative when I finally bite the bullet?

      2. Vince

        The equipment isn’t as good as it once was and they ride on the coat tails of the past.

        The software quality leaves a lot to be desired these days and they’ve had a few dubious hardware reliability issues.

        Lots of people I know have started looking elsewhere.

        1. Vestas

          Their AirMax kit is still decent.

          The Unifi wifi, switching/routing & CCTV equipment is vastly overpriced underspecced crap. Its also VERY unreliable - switch PSUs weren't derated for temperature properly and went pop in their tens of thousands. They then started to put in sealed bricks (laptop chargers - I kid you not) into new designs simply because they didn't have any decent hardware engineers left. The CCTV cams are eyewateringly overpriced and I found they had a 20% failure rate/annum - they'd either only connect at 10Mbps or (most of the time) the IR filter would simply get stuck.

          QA on software is non-existant. They have a few fanboys on a forum who they throw test builds at. I guess that worked OK before anyone with a clue binned them. Last time I looked (some time ago now) there was probably about a dozen people there who weren't home users.

          Coincidentally(?) they were an OK company until the 2016 phishing incident. Downhill all the way after that.

          IIRC they opened a dev office in Latvia & tried to poach the Mikrotik staff. Dunno how that went as I was exiting their "ecosystem" before then.

          Avoid like the plague is my advice.

          1. Vestas

            Its also worth pointing out that Ubiquiti have on more than one occasion had to withdraw all stock of certain wifi products from the ETSI market because they didn't submit them for approval testing. IIRC the German regulator got exceptionally pissed off with them. Ditto Japan and probably some other places I've forgotten about - Israel rings a bell but that'd be ETSI I guess.

            They have an exceptionally USA-centric viewpoint on all regulatory matters IME.

        2. Anonymous Coward
          Anonymous Coward

          Left ubiquiti a few years ago.

          I had some and the management software was really annoying on linux. You often see repackaged forms of it because of issues it has/had. The hardware was meh, the switch was pretty good, but the access points always disappointed in coverage. The gateway I had just couldn't pass traffic at line rate without anything complicated going on. Replacing it was an instant gain. They do some marketing I've seen, but it is not overt. And in at least one place has mentioned issues offhand a couple of times and magically ripped it out for replacement gear.

        3. fidodogbreath Silver badge

          What's this 'Software QA' that you speak of?

          The software quality leaves a lot to be desired these days

          I manage a few small-office Ubiquiti-based networks (just LAN & WiFi, no cams or access control). The quality of their device firmware and controller software releases is abysmal. Unless an update fixes an urgent security issue, I won't even consider installing it until it has at least three months of soak time in the field.

          The soak-time exception for CVE-listed vuln fixes has bitten me in the ass, though. I still have nightmares about a dodgy security "fix" that caused as many as 4/6 of one site's access points to repeatedly drop into isolated status (only fixable with a PoE power cycle) during a very busy time around the holidays.

          In fairness to Ubiquiti -- knocking the devices offline and crippling the network made it impossible for an attacker to exploit the vuln; so, technically, the goal of the patch was achieved.

          1. Danny 14

            Re: What's this 'Software QA' that you speak of?

            unifi stuff is bargain basement. Looks good on paper and works well until you update the firmware. then you need a degree in googlefu to fix.

            Simple tasks such as setting a proper ssl cert can only be done by rwcompiling a jks file via ssh Im sure a mom and pop outfit love that dont ask about letsencrypt support.

            Their original controllers shipped with no journaling on their mongodb, so powwr outage killed the controllwr each time. Their second revision fixed this by adding a battery. you cant even make that stuff up. product lines are killed with little notice.

            Their AP range used to be ok but i wouldnt touch them with a barge pole now.

            1. sten2012

              Re: What's this 'Software QA' that you speak of?

              Are you putting this directly on the Internet? Are you mad?!

              Otherwise what is LetsEncrypt have to do with this?

              Fair enough to the rest of the points. Most SME's I've seen even don't run their own CA's though, or atln east not that they widely deploy to their networking devices at least

            2. edr

              Re: What's this 'Software QA' that you speak of?

              "Simple tasks such as setting a proper ssl cert can only be done by rwcompiling a jks file via ssh Im sure a mom and pop outfit love that dont ask about letsencrypt support."

              Absolutely true, I had to spend several hours once to get a certificate set up, and never bothered trying to do it again after it expired. Had to use dumb obscure java tools, had to convert the standard cert to whatever weird dumb format Unifi needed using some other obscure tools. A completely garbage process, making the user bang their head in the wall for hours after reading the handful of confusing posts ("guides") if you even manage to find them.

  2. veti Silver badge

    It's not rocket surgery...

    Simple rule: Companies should not be able to sue for defamation. Ever.

    If there's evidence of actual wrongdoing, such as insider trading, then by all means let them prosecute it. But if all they've got is "he made money from ads on this story we don't like", they don't have even a toe to stand on.

    1. Doctor Syntax Silver badge

      Re: It's not rocket surgery...

      What if a journalist were to claim "X is selling refurbished returns as new." and it wasn't true. Shouldn't X be able to sue for defamation? If not not recourse do they have?

      1. veti Silver badge

        Re: It's not rocket surgery...

        Then X can publish their own story saying "this story is false". Depending on whether they think it was malicious, or an honest misunderstanding, they may also want to say something about the journalists and publishers of the original story.

        This would stand as a challenge to the credibility of the reporter, which is at least as important to them as X's is to X.

        If X says something about the reporter that is not substantiated by evidence, that's when defamation happens. Because the reporter is a human.

  3. itb

    Is Will Smith fully aware of these "anti-SLAAP" laws you speak of?

    1. James O'Shea Silver badge

      He's a (Fresh) Prince. He doesn't care.

      1. Furious Reg reader John

        Perhaps Mamma Smith might pay the £12M settlement for inappropriate contact....

  4. Androgynous Cupboard Silver badge

    Yay for the link to the article.

    The paragraph after the problematic one states "(he was) ... charged with stealing data and trying to extort his employer while pretending to be a whistleblower." (emphasis mine). It could possibly have been phrased a bit clearer that it was the same person, but it's not a deliberate attempt to mislead by any stretch.

    That's the first rookie error - second is not suing for defamation in the UK. That's where the big bucks are, and our lawyers will take anyone's money as they've been keen to demonstrate over the previous decades.

    1. Richard 26

      Re: Yay for the link to the article.

      "That's the first rookie error - second is not suing for defamation in the UK. That's where the big bucks are, and our lawyers will take anyone's money as they've been keen to demonstrate over the previous decades."

      That used to be true; however the Defamation Act 2013 moved the balance more in favour of the defendant, making 'libel tourism' harder (amongst other things).

      And in 2015 the US passed a law making UK libel judgements unenforceable.

  5. Marty McFly Silver badge

    Ubiquiti's strategy...

    I don't recall ever seeing Ubiquiti advertising their kit. I heard about it from another tech, and now have it in four different infrastructures that I manage. It has an enterprise feature set at a realistic price point. I am obviously very happy with it.

    It seems their marketing strategy is word-of-mouth. So it makes sense if they are getting negative industry press that they will stomp on it.

    That said... They do seem a little cavalier with their decisions. Often entire product lines are cut off and customers are left hanging. Their current login process through the cloud SSO, though convenient, does have a security implication. It is good enough for my home network and the local restaurant's wifi, but no way would I trust it in the enterprise.

    1. Tomato42

      Re: Ubiquiti's strategy...

      You're not forced to use the cloud SSO... And the local web console works just fine on a phone over WiFi

      1. DocNo
        Coat

        Re: Ubiquiti's strategy...

        "You're not forced to use the cloud SSO..." Try setting up any of the current controllers without an internet connection. I'll wait....

    2. Anonymous Coward
      Anonymous Coward

      @Marty McFly - Re: Ubiquiti's strategy...

      If an organization is using Office 365, chances are users are logging into the cloud.

    3. loops

      Re: Ubiquiti's strategy...

      "enterprise feature set"

      Seriously? Their "pro" kit doesn't even allow you to list DHCP leases!

      1. fidodogbreath Silver badge

        Re: Ubiquiti's strategy...

        Their "pro" kit doesn't even allow you to list DHCP leases!

        It does if you use an EdgeRouter.

    4. Anonymous Coward
      Anonymous Coward

      Re: Ubiquiti's strategy...

      "enterprise" bwahahahaha! You've clearly never used enterprise level network kit in your life!

      It is consumer kit dummy (they can call it 'prosumer' if they like, it's still consumer grade kit).

      1. Danny 14

        Re: Ubiquiti's strategy...

        enterprise kit. Errrr, have you seen the shitstorm after every firmware update? They even had one update that bricked your APs if you were using 4 SSIDs *and refused to replace them if you were out of warranty.

        Have you tried adding your own ssl cert through the gui? Letsencrypt?

        Powercycle their controllers that dont have journaling enabled, thats fun. Unless you have the new ones with a battery in them (so you have 18 hours to fix the power before they too power off without journaling)

        the stuff is barely good enough for a campsite never mind enterprise.

  6. Shepard

    I cannot wait...

    For the EFF to take up Brian's case and defen him pro bono.

    I also hope they will counter-sue Ubiquiti for not properly disclosing the breach to its customers and for not communicating whether firmware images and/or code signing keys were compromised.

    1. InsaneGeek

      Re: I cannot wait...

      Maybe keep waiting... what happened was an employee was going to take a job at another company. While he was still employed there he used his credentials to download info from AWS to use as proof of a supposed vulnerability in the system. Pretending to the media and ubiquiti he broke into AWS via a security bug. He tried to extort them that he'd make public the (fake) security vulnerability. Using the AWS data he provided to back up his false claims themedia believed that he was a hacker and there actually had a security vulnerability that outside attackers could use. Ubiquiti lost 4 billion dollars in market capitalization due to the media reporting the false vulnerability claim.

      There was no supposed breach to report to the customers, there was no modification of firmware or binaries. Just a guy downloading internal info and claiming he hacked in and tried to extort the company

      1. lglethal Silver badge
        Go

        Re: I cannot wait...

        OK Maybe I'm looking at it the wrong way, but why does Ubiquiti give a toss that the share price plummeted? The only two times where that should be relevant is a) if the company is planning to sell more shares to raise cash, and b) if the share price drop put them in range to be eaten through a hostile takeover by a competitor. Otherwise, it's business as usual. Shares go up, shares go down.

        I can imagine the actual reason is that the CEO and board are part paid in shares, and so the share price dropping costs them - theoretically at least because they actually only get money when they sell the shares, and they are unlikely to do that when the share price has sunk so low, especially when they know the fundamental side of the business is strong.

        So who cares? When news of the extortion attempt came out and the guy is arrested and Ubiquiti could show all was well, then share price goes back up. Everyone's happy. Such a waste of company money on shysters, sorry, lawyers...

      2. Cederic Silver badge

        Re: I cannot wait...

        Technically there was a breach. A serious one.

        It just happened to be an internal rather than external actor, and resolution requires process changes rather than bug fixes.

        Information that shouldn't have been accessible to the media was made available to them. That's a breach.

        1. sten2012

          Re: I cannot wait...

          "It wasn't a bug, our employees just hate us and you! Don't worry about it! Nothing to see here."

      3. veti Silver badge

        Re: I cannot wait...

        Certainly there was a breach. Data stolen by a disgruntled employee is just as leaked as data stolen by an external hacker.

        1. Ian Mason

          Re: I cannot wait...

          Probably more so. An external hacker just wants to make a buck, a disgruntled (ex-)employee wants them to HURT.

  7. Anonymous South African Coward Silver badge

    About to jump ship.

    Looking for viable alternatives.

    1. Shepard

      Alternatives

      Mikrotik has an excellent Mesh capable AP called Audience:

      https://mikrotik.com/product/audience

      I am using it as a standalone AP so I cannot comment on mesh calabilities buth with RouterOS 7.x there is a new Wi-Fi driver stack (wifiwave2) which finally supports MIMO and other advanced stuff we take for granted. Thing has 3 radios, two of them on 5GHz band, one of them with 160MHz channels. It also is a fully fledged router and firewall with two routable 1Gbps RJ-45 ports.

      Learning curve is steep though but it is rock solid and performance is stellar for my use case.

      Oh and it supports WireGuard VPN and DNS over HTTPS out of the box, as well as scripting and a scheduler.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like