Ubiquiti sues Krebs on Security for defamation

Network equipment maker Ubiquiti on Tuesday filed a lawsuit against infosec journalist Brian Krebs, alleging he defamed the company by falsely accusing the firm of covering up a cyber-attack. On March 30, 2021, Krebs reported that Ubiquiti had disclosed a January breach involving a third-party cloud provider, later revealed to …

  1. lglethal Silver badge

    Having never heard of Ubiquiti (so obviously they're not ubiquitous. Sorry I couldn't resist that. ;) ), they have now entered my personal lexicon of firms I won't be doing any business with in the future.

    Excellent use of the Streisand Effect, right there. Well done Ubiquiti...

    1. sten2012

      Unfortunately their equipment is excellent and I'm not aware of a reasonably priced equivalent.

      Sad to say they will still have my business on that basis. Having said that I do hope they drop this immediately or swiftly lose the case without this dragging on.

      1. Anonymous Coward

        Excellent? Not so good anymore

        Their equipment was good and low cost. Now, not so much. Part of the stock drop was because a bunch of potential investors started googling them for problems and the list of problems is long and ever growing. Their access point radios were good and their edgerouters were great for ISPs, SME and home tech users but there are signs they aren't interested in their edgerouter line anymore. Their other products are anything but unified as they need different controllers and more and more hardware to keep up which pushes them out of the good value range. They no longer sell a low end router with enough memory for IPv6 BGP to two sites. Their cloudy stuff looks good but misses the mark with simple things like "when did this site last check in?" and it claims 350g has been downloaded... over what time? Their interface doesn't even allow decent tracking of problem devices and they seem to be chasing the shiny over real functionality. The real problem is everyone else in the lower cost part of industry seems to be worse and heading down even faster.

        1. localzuk Silver badge

          Re: Excellent? Not so good anymore

          Huh? What products need different controllers? Do you mean entirely different segments?

          Ubiquiti's Unifi networking range all uses one controller.

          Their CCTV platform all uses one controller.

          Their phone system uses one, etc...

          Or do you expect one controller to handle all that? If so, that'd be a bit odd as no other company does either from what I can tell.

        2. sten2012

          Re: Excellent? Not so good anymore

          I should probably clarify - I _am_ a home user of their gear and my business loss would mean f/a to them anyway!

          It has been excellent for me. I only use their access points (a few) and don't bother with anything else (already had what I need there so no pressing need to lock myself into a vendor ecosystem, may think about them for a switch if mine dies, etc).

          I've been in no rush to upgrade to their WiFi 6 models but have been thinking about it, are they when it went wrong? I say no rush because everything else works so well I just haven't seen the need.

          Software is.. OK for what I need. Basically just log in to make some changes every now and again, run some upgrades every few months.

          Do you have any specific suggestions for an alternative when I finally bite the bullet?

      2. Vince

        The equipment isn’t as good as it once was and they ride on the coat tails of the past.

        The software quality leaves a lot to be desired these days and they’ve had a few dubious hardware reliability issues.

        Lots of people I know have started looking elsewhere.

        1. Vestas

          Their AirMax kit is still decent.

          The Unifi wifi, switching/routing & CCTV equipment is vastly overpriced underspecced crap. It's also VERY unreliable - switch PSUs weren't derated for temperature properly and went pop in their tens of thousands. They then started to put in sealed bricks (laptop chargers - I kid you not) into new designs simply because they didn't have any decent hardware engineers left. The CCTV cams are eyewateringly overpriced and I found they had a 20% failure rate/annum - they'd either only connect at 10Mbps or (most of the time) the IR filter would simply get stuck.

          QA on software is non-existent. They have a few fanboys on a forum who they throw test builds at. I guess that worked OK before anyone with a clue binned them. Last time I looked (some time ago now) there was probably about a dozen people there who weren't home users.

          Coincidentally(?) they were an OK company until the 2016 phishing incident. Downhill all the way after that.

          IIRC they opened a dev office in Latvia & tried to poach the Mikrotik staff. Dunno how that went as I was exiting their "ecosystem" before then.

          Avoid like the plague is my advice.

          1. Vestas

            It's also worth pointing out that Ubiquiti have on more than one occasion had to withdraw all stock of certain wifi products from the ETSI market because they didn't submit them for approval testing. IIRC the German regulator got exceptionally pissed off with them. Ditto Japan and probably some other places I've forgotten about - Israel rings a bell but that'd be ETSI I guess.

            They have an exceptionally USA-centric viewpoint on all regulatory matters IME.

        2. Anonymous Coward

          Left ubiquiti a few years ago.

          I had some and the management software was really annoying on linux. You often see repackaged forms of it because of issues it has/had. The hardware was meh, the switch was pretty good, but the access points always disappointed in coverage. The gateway I had just couldn't pass traffic at line rate without anything complicated going on. Replacing it was an instant gain. They do some marketing I've seen, but it is not overt. And in at least one place has mentioned issues offhand a couple of times and magically ripped it out for replacement gear.

        3. fidodogbreath

          What's this 'Software QA' that you speak of?

          "The software quality leaves a lot to be desired these days"

          I manage a few small-office Ubiquiti-based networks (just LAN & WiFi, no cams or access control). The quality of their device firmware and controller software releases is abysmal. Unless an update fixes an urgent security issue, I won't even consider installing it until it has at least three months of soak time in the field.

          The soak-time exception for CVE-listed vuln fixes has bitten me in the ass, though. I still have nightmares about a dodgy security "fix" that caused as many as 4/6 of one site's access points to repeatedly drop into isolated status (only fixable with a PoE power cycle) during a very busy time around the holidays.

          In fairness to Ubiquiti -- knocking the devices offline and crippling the network made it impossible for an attacker to exploit the vuln; so, technically, the goal of the patch was achieved.

          1. Danny 14

            Re: What's this 'Software QA' that you speak of?

            Unifi stuff is bargain basement. Looks good on paper and works well until you update the firmware. Then you need a degree in googlefu to fix.

            Simple tasks such as setting a proper ssl cert can only be done by recompiling a jks file via ssh. I'm sure a mom and pop outfit love that. Don't ask about letsencrypt support.

            Their original controllers shipped with no journaling on their mongodb, so a power outage killed the controller each time. Their second revision fixed this by adding a battery. You can't even make that stuff up. Product lines are killed with little notice.

            Their AP range used to be ok but I wouldn't touch them with a barge pole now.

            1. sten2012

              Re: What's this 'Software QA' that you speak of?

              Are you putting this directly on the Internet? Are you mad?!

              Otherwise what does LetsEncrypt have to do with this?

              Fair enough to the rest of the points. Most SMEs I've seen even don't run their own CAs though, or at least not that they widely deploy to their networking devices at least.

            2. edr

              Re: What's this 'Software QA' that you speak of?

              "Simple tasks such as setting a proper ssl cert can only be done by recompiling a jks file via ssh. I'm sure a mom and pop outfit love that. Don't ask about letsencrypt support."

              Absolutely true, I had to spend several hours once to get a certificate set up, and never bothered trying to do it again after it expired. Had to use dumb obscure java tools, had to convert the standard cert to whatever weird dumb format Unifi needed using some other obscure tools. A completely garbage process, making the user bang their head in the wall for hours after reading the handful of confusing posts ("guides") if you even manage to find them.

  2. veti Silver badge

    It's not rocket surgery...

    Simple rule: Companies should not be able to sue for defamation. Ever.

    If there's evidence of actual wrongdoing, such as insider trading, then by all means let them prosecute it. But if all they've got is "he made money from ads on this story we don't like", they don't have even a toe to stand on.

    1. Doctor Syntax Silver badge

      Re: It's not rocket surgery...

      What if a journalist were to claim "X is selling refurbished returns as new." and it wasn't true. Shouldn't X be able to sue for defamation? If not, what recourse do they have?

      1. veti Silver badge

        Re: It's not rocket surgery...

        Then X can publish their own story saying "this story is false". Depending on whether they think it was malicious, or an honest misunderstanding, they may also want to say something about the journalists and publishers of the original story.

        This would stand as a challenge to the credibility of the reporter, which is at least as important to them as X's is to X.

        If X says something about the reporter that is not substantiated by evidence, that's when defamation happens. Because the reporter is a human.

  3. itb

    Is Will Smith fully aware of these "anti-SLAAP" laws you speak of?

    1. James O'Shea

      He's a (Fresh) Prince. He doesn't care.

      1. Furious Reg reader John

        Perhaps Mamma Smith might pay the £12M settlement for inappropriate contact....

  4. Androgynous Cupboard Silver badge

    Yay for the link to the article.

    The paragraph after the problematic one states "(he was) ... charged with stealing data and trying to extort his employer while pretending to be a whistleblower." (emphasis mine). It could possibly have been phrased a bit clearer that it was the same person, but it's not a deliberate attempt to mislead by any stretch.

    That's the first rookie error - second is not suing for defamation in the UK. That's where the big bucks are, and our lawyers will take anyone's money as they've been keen to demonstrate over the previous decades.

    1. Richard 26

      Re: Yay for the link to the article.

      "That's the first rookie error - second is not suing for defamation in the UK. That's where the big bucks are, and our lawyers will take anyone's money as they've been keen to demonstrate over the previous decades."

      That used to be true; however the Defamation Act 2013 moved the balance more in favour of the defendant, making 'libel tourism' harder (amongst other things).

      And in 2015 the US passed a law making UK libel judgements unenforceable.

  5. Marty McFly Silver badge

    Ubiquiti's strategy...

    I don't recall ever seeing Ubiquiti advertising their kit. I heard about it from another tech, and now have it in four different infrastructures that I manage. It has an enterprise feature set at a realistic price point. I am obviously very happy with it.

    It seems their marketing strategy is word-of-mouth. So it makes sense if they are getting negative industry press that they will stomp on it.

    That said... They do seem a little cavalier with their decisions. Often entire product lines are cut off and customers are left hanging. Their current login process through the cloud SSO, though convenient, does have a security implication. It is good enough for my home network and the local restaurant's wifi, but no way would I trust it in the enterprise.

    1. Tomato42

      Re: Ubiquiti's strategy...

      You're not forced to use the cloud SSO... And the local web console works just fine on a phone over WiFi

      1. DocNo

        Re: Ubiquiti's strategy...

        "You're not forced to use the cloud SSO..." Try setting up any of the current controllers without an internet connection. I'll wait....

    2. Anonymous Coward

      @Marty McFly - Re: Ubiquiti's strategy...

      If an organization is using Office 365, chances are users are logging into the cloud.

    3. loops

      Re: Ubiquiti's strategy...

      "enterprise feature set"

      Seriously? Their "pro" kit doesn't even allow you to list DHCP leases!

      1. fidodogbreath

        Re: Ubiquiti's strategy...

        "Their "pro" kit doesn't even allow you to list DHCP leases!"

        It does if you use an EdgeRouter.

    4. Anonymous Coward

      Re: Ubiquiti's strategy...

      "enterprise" bwahahahaha! You've clearly never used enterprise level network kit in your life!

      It is consumer kit dummy (they can call it 'prosumer' if they like, it's still consumer grade kit).

      1. Danny 14

        Re: Ubiquiti's strategy...

        Enterprise kit. Errrr, have you seen the shitstorm after every firmware update? They even had one update that bricked your APs if you were using 4 SSIDs and refused to replace them if you were out of warranty.

        Have you tried adding your own ssl cert through the gui? Letsencrypt?

        Powercycle their controllers that don't have journaling enabled, that's fun. Unless you have the new ones with a battery in them (so you have 18 hours to fix the power before they too power off without journaling).

        The stuff is barely good enough for a campsite never mind enterprise.

  6. Shepard

    I cannot wait...

    For the EFF to take up Brian's case and defend him pro bono.

    I also hope they will counter-sue Ubiquiti for not properly disclosing the breach to its customers and for not communicating whether firmware images and/or code signing keys were compromised.

    1. InsaneGeek

      Re: I cannot wait...

      Maybe keep waiting... what happened was an employee was going to take a job at another company. While he was still employed there he used his credentials to download info from AWS to use as proof of a supposed vulnerability in the system. Pretending to the media and Ubiquiti he broke into AWS via a security bug. He tried to extort them that he'd make public the (fake) security vulnerability. Using the AWS data he provided to back up his false claims the media believed that he was a hacker and that they actually had a security vulnerability that outside attackers could use. Ubiquiti lost 4 billion dollars in market capitalization due to the media reporting the false vulnerability claim.

      There was no supposed breach to report to the customers, there was no modification of firmware or binaries. Just a guy downloading internal info and claiming he hacked in and tried to extort the company.

      1. lglethal Silver badge

        Re: I cannot wait...

        OK Maybe I'm looking at it the wrong way, but why does Ubiquiti give a toss that the share price plummeted? The only two times where that should be relevant is a) if the company is planning to sell more shares to raise cash, and b) if the share price drop put them in range to be eaten through a hostile takeover by a competitor. Otherwise, it's business as usual. Shares go up, shares go down.

        I can imagine the actual reason is that the CEO and board are part paid in shares, and so the share price dropping costs them - theoretically at least because they actually only get money when they sell the shares, and they are unlikely to do that when the share price has sunk so low, especially when they know the fundamental side of the business is strong.

        So who cares? When news of the extortion attempt came out and the guy is arrested and Ubiquiti could show all was well, then share price goes back up. Everyone's happy. Such a waste of company money on shysters, sorry, lawyers...

      2. Cederic Silver badge

        Re: I cannot wait...

        Technically there was a breach. A serious one.

        It just happened to be an internal rather than external actor, and resolution requires process changes rather than bug fixes.

        Information that shouldn't have been accessible to the media was made available to them. That's a breach.

        1. sten2012

          Re: I cannot wait...

          "It wasn't a bug, our employees just hate us and you! Don't worry about it! Nothing to see here."

      3. veti Silver badge

        Re: I cannot wait...

        Certainly there was a breach. Data stolen by a disgruntled employee is just as leaked as data stolen by an external hacker.

        1. Ian Mason

          Re: I cannot wait...

          Probably more so. An external hacker just wants to make a buck, a disgruntled (ex-)employee wants them to HURT.

  7. Anonymous South African Coward Bronze badge

    About to jump ship.

    Looking for viable alternatives.

    1. Shepard

      Alternatives

      Mikrotik has an excellent Mesh capable AP called Audience:

      https://mikrotik.com/product/audience

      I am using it as a standalone AP so I cannot comment on mesh capabilities, but with RouterOS 7.x there is a new Wi-Fi driver stack (wifiwave2) which finally supports MIMO and other advanced stuff we take for granted. Thing has 3 radios, two of them on 5GHz band, one of them with 160MHz channels. It also is a fully fledged router and firewall with two routable 1Gbps RJ-45 ports.

      Learning curve is steep though but it is rock solid and performance is stellar for my use case.

      Oh and it supports WireGuard VPN and DNS over HTTPS out of the box, as well as scripting and a scheduler.
