[HN Gopher] Whistleblower: Ubiquiti Breach "Catastrophic"
___________________________________________________________________
Whistleblower: Ubiquiti Breach "Catastrophic"
Author : parsecs
Score : 919 points
Date : 2021-03-30 18:11 UTC (4 hours ago)
(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)
| noinsight wrote:
| > "Ubiquiti had negligent logging (no access logging on
| databases) so it was unable to prove or disprove what they
| accessed"
|
| Perversely, this is exactly the logging that you want to have in
| place in case of a breach.
|
| You can then (factually) make the statement that "we have no
| evidence any customer data was accessed."
| hn_throwaway_99 wrote:
| Better solution: never store unencrypted PII/PCI/PHI/etc. in
| the database. There are loads of tokenization solutions (Very
| Good Security got a bunch of buzz a couple years back) that do
| this, or alternatively all of the big cloud providers have key
| services (KMS on AWS and Google, Key Vault on Azure) so that
| you can ensure that every decryption attempt is tracked and
| logged.
|
| If you need to search on some of this data you should use blind
| indexes (Google blind index for more info).
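The pattern hn_throwaway_99 describes, as an added example that is not code from the thread or from any vendor: PII is stored only as ciphertext plus an HMAC blind index, equality search runs on the index without decrypting, and every decrypt goes through a key-service stand-in that records an audit entry. Keys, the HMAC-counter keystream and the `CustomerStore`/`AuditedKeyService` names are assumptions for an offline demo; a real deployment would call KMS/Cloud KMS/Key Vault with an AEAD cipher.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed keys for this offline demo. In production they live in a key
# service so that each Decrypt is an audited API call, not a local operation.
DATA_KEY = os.urandom(32)
INDEX_KEY = os.urandom(32)


def blind_index(value: str, key: bytes, out_bytes: int = 8) -> str:
    """HMAC-based blind index: equality-searchable, not reversible without
    the index key. Normalising first makes lookups tolerant of case and
    whitespace; truncating the tag limits what a leaked table reveals
    (rare collisions are resolved by decrypting the candidate rows)."""
    normalised = value.strip().lower().encode("utf-8")
    tag = hmac.new(key, normalised, hashlib.sha256).digest()
    return tag[:out_bytes].hex()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in PRF keystream (demo only;
    # a real system would use an AEAD such as AES-GCM via the key service).
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


@dataclass
class AuditedKeyService:
    """Stand-in for a cloud key service: plaintext is only reachable through
    decrypt(), and every call is appended to an audit log (who, why, when)."""
    key: bytes
    audit_log: List[Dict] = field(default_factory=list)

    def encrypt(self, plaintext: str) -> bytes:
        nonce = os.urandom(16)
        data = plaintext.encode("utf-8")
        ks = _keystream(self.key, nonce, len(data))
        return nonce + bytes(a ^ b for a, b in zip(data, ks))

    def decrypt(self, blob: bytes, caller: str, reason: str) -> str:
        # Logged before decrypting so failed attempts are recorded too.
        self.audit_log.append({"ts": time.time(), "caller": caller,
                               "reason": reason, "op": "Decrypt"})
        nonce, ct = blob[:16], blob[16:]
        ks = _keystream(self.key, nonce, len(ct))
        return bytes(a ^ b for a, b in zip(ct, ks)).decode("utf-8")


class CustomerStore:
    """Rows hold ciphertext plus a blind index; no plaintext PII at rest."""

    def __init__(self, kms: AuditedKeyService, index_key: bytes):
        self.kms = kms
        self.index_key = index_key
        self.rows: Dict[str, Dict] = {}

    def insert(self, customer_id: str, email: str) -> None:
        self.rows[customer_id] = {
            "email_ct": self.kms.encrypt(email),
            "email_bidx": blind_index(email, self.index_key),
        }

    def find_by_email(self, email: str) -> List[str]:
        # Search by index equality: no decryption, so nothing to audit and no
        # plaintext exposure. Hits are candidates, confirmed on reveal.
        wanted = blind_index(email, self.index_key)
        return [cid for cid, row in self.rows.items()
                if row["email_bidx"] == wanted]

    def reveal_email(self, customer_id: str, caller: str,
                     reason: str) -> Optional[str]:
        row = self.rows.get(customer_id)
        if row is None:
            return None
        return self.kms.decrypt(row["email_ct"], caller=caller, reason=reason)
```

A dump of `rows` yields only nonces, ciphertext and 8-byte tags, and the audit log is what lets an operator state which records were actually decrypted after an incident.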
| toyg wrote:
| Aka plausible deniability
| jasonhansel wrote:
| "We believe that the hackers obtained read-write access to our
| database, but we also believe that they were too polite to
| actually use it for anything."
| samstave wrote:
| "Hacker came in through the server hard-line" <-- Hollywood's
| favorite Hacker Trope.
| tinus_hn wrote:
| Why, they also have no evidence now!
| Traster wrote:
| That works for exactly as long as the data hasn't come out.
| Once the data comes out... well, you've got questions to
| answer.
| [deleted]
| williamsmj wrote:
| Reminds me a little bit of Adverse Event Reporting in pharma.
| If a drug manufacturer finds out about an adverse event (i.e. a
| bad reaction) to a drug, it kicks off all sorts of obligations
| that have the potential to be time-consuming and expensive. So
| pharma is the one sector you won't see with a "social media
| listening/analysis" department in marketing. They actively
| avoid tracking or learning about discussion of their products
| on social media.
| baaym wrote:
| Ironically they can factually make that statement now as well.
| meepmorp wrote:
| > Adam says the attacker(s) had access to privileged credentials
| that were previously stored in the LastPass account of a Ubiquiti
| IT employee, and gained root administrator access to all Ubiquiti
| AWS accounts, including all S3 data buckets, all application
| logs, all databases, all user database credentials, and secrets
| required to forge single sign-on (SSO) cookies.
|
| A root user breach, seemingly on the organization's main
| account. Ouch.
|
| I wonder if MFA was set up, with the TOTP creds also kept in
| LastPass.
| isclever wrote:
| This boggles me when I see this option in any password manager
| (and I think every single one has this 'option').
|
| Why do password managers let people store TOTP next to the
| password? This completely invalidates the 2FA of TOTP if your
| password manager gets broken into.
| Marsymars wrote:
| > Why do password managers let people store TOTP next to the
| password
|
| One absolutely invaluable use-case is that it lets multiple
| employees share access to an account with 2FA enabled.
|
| Many systems don't have appropriate role/permission systems
| to allow for 2FA otherwise.
| mdavidn wrote:
| The alternative is to navigate 100 separate token reset
| processes if you ever lose your phone and all of its TOTP
| tokens.
| nucleardog wrote:
| Or just keep them somewhere that isn't directly beside the
| password?
|
| I have my password in a password database, and my TOTP
| tokens on my phone and a Yubikey.
|
| I have a second "break glass in case of emergency" password
| database that contains TOTP secrets for all my most
| essential accounts and a backup of the key loaded on my
| Yubikey.
| artful-hacker wrote:
| Because I already use MFA to access my password manager in
| the first place, and don't want to deal with managing backups
| for each flavor of MFA app that is pushed on me.
| nightpool wrote:
| How do you manage MFA for encryption-at-rest? None of the
| common TOTP systems do this. LastPass and 1Pass have built-
| in "local encryption keys", but they're stored in the same
| place as the store and only protected by your password. I
| think theoretically you could set this up with Keepass
| using a Composite Master Key (combining a password-
| protected key and a certificate-protected key, storing the
| certificate separately, ideally in an HSM), but I don't
| know anyone who does this.
| Xavdidtheshadow wrote:
| > this completely invalidates the 2FA of TOTP if your
| password manager gets broken into
|
| I think that's the big "if". If you assume the password
| manager is secure (which something clearly wasn't in this
| case, but that seems like an outlier), TOTP secret in the
| password manager still secures the account.
|
| Is such a setup as protective as a separate storage method?
| No, but it's leagues more convenient. A cloud-based PW
| manager also solves the problem of a lost/broken/new phone
| causing you to lose all of your 2FA setups. Some 2FA apps do
| as well (Authy, iirc), but trust me when I say people lose
| 2FA codes _all the time_. And then 2FA needs to be disabled
| by support, which is its own can of worms.
|
| The best security measures are the ones people actually use.
| If not having to use a separate app is the convenience people
| need, then I think it's totally worth it.
| liaukovv wrote:
| What is the right way to store credentials to something like this?
|
| Hardware keys?
| NovemberWhiskey wrote:
| For AWS root account?
|
| Generate a long random password, print it out and then lock
| it in a safe without allowing anyone to see it.
|
| Turn on 2FA and then lock the second factor in a different
| safe.
|
| There's virtually never a need for the root account and it's
| impossible to attenuate (by design).
| dmlittle wrote:
| This is a lot harder to do if you have lots of AWS accounts
| and create new ones over time on-demand (e.g. AWS account
| per team).
| NovemberWhiskey wrote:
| Use Organizations. If you're creating new standalone
| independent accounts for teams you're just setting
| yourself up for some kind of billing/security/governance
| catastrophe down the road.
| dmlittle wrote:
| I was referring to the root accounts in your
| organization. The blast radius is more limited, but still
| a root account that has access to everything within that
| AWS account.
| time0ut wrote:
| You can restrict what the root account can do in a member
| account using SCPs as an additional safeguard as well.
| ak217 wrote:
| The root account credentials should be used to create a
| privileged IAM user and then physically locked away in a box
| after setting up a hardware MFA device (plus a backup MFA)
| for the root account:
| https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practi...
|
| The privileged IAM user should then be used to administer
| other IAM users and roles. All IAM users should be required
| to have hardware security keys like Yubikey.
| liaukovv wrote:
| But how fast would a determined attacker be able to utilize an
| acquired physical key?
|
| Is something like kidnapping in the threat model for
| companies like ubiquiti?
| mywittyname wrote:
| > Is something like kidnapping in the threat model for
| companies like ubiquiti?
|
| I doubt it. That's going to raise some blinking red flags
| on the radar of organizations you don't want to be on the
| radar of. Not just three-letter federal organizations,
| but three-letter news organizations too. The current
| situation is Yet Another Security Breach that will be
| forgotten about in 15 minutes. But a kidnapping is
| interesting! People will be making documentaries and shit
| about that.
|
| It's so much easier and cheaper to bribe people than it
| is to kidnap them.
| ak217 wrote:
| Those kinds of fanciful things are not commonly in threat
| models because they don't happen. The threat models
| address things that are likely to happen, which are all
| variations of someone's device getting compromised.
| the8472 wrote:
| > (plus a backup MFA)
|
| IAM doesn't even let you register more than 1 MFA device.
| ryan29 wrote:
| I have accounts for personal use and what I did was set
| up TOTP for the root account(s) and a U2F (YubiKey)
| device for the admin account(s). I use 2 YubiKeys; one
| primary, one spare. The YubiKey has limited TOTP space,
| but they're perfect for those types of high value
| accounts. You store the TOTP on both, so if you lose one
| you can use the root account to fix the admin account.
| ak217 wrote:
| If I were a CISO solving this problem today, I would just
| use TOTP instead of U2F, and store the secret in two
| places.
|
| Longer term I expect AWS will add this capability.
| jrudolph wrote:
| AWS root user accounts are kind of an Achilles heel in every
| enterprise setup using AWS. What you typically do is MFA
| (bare minimum) + sharded secrets. This means you need
| multiple people to use the root user account. You can also
| hook in additional audit controls eg by automating CloudWatch
| and sending notifications about any root user login.
| Alternative is that you throw away the password and vow to
| never use it, or set up an account recovery process (all of
| this may not be a great idea as it can fail when you need it
| most).
|
| The situation is somewhat more relaxed with GCP Billing
| Accounts and Azure EA Accounts, though they have better
| separation of concerns than AWS (billing vs. workload
| access). Nonetheless, never give these passwords to finance
| department lest they store it in an excel sheet on a
| SharePoint. Access to these credentials allows anyone to
| suspend billing for an entire enterprise... not sure what
| controls the providers have in place to verify any of this
| before initiating automated shutdown of all workloads.
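The root-login audit control jrudolph mentions (and the "was MFA on the root account?" question earlier in the thread), as an added example that is not code from the thread or from AWS: a triage function run offline over constructed CloudTrail records. The field names (`userIdentity.type == "Root"`, `additionalEventData.MFAUsed`, `responseElements.ConsoleLogin`) are CloudTrail's documented ones; the account ids, IPs and severity labels are constructed. In AWS the same logic would sit behind an EventBridge rule on CloudTrail events feeding SNS.

```python
import json
from typing import Dict, List, Optional

# Constructed CloudTrail records, trimmed to the fields the rules read.
# Account ids and IP addresses are placeholders from documentation ranges.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2021-03-30T18:11:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": "111111111111",
                      "arn": "arn:aws:iam::111111111111:root"},
     "sourceIPAddress": "198.51.100.10",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2021-03-30T18:12:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "Root", "accountId": "111111111111",
                      "arn": "arn:aws:iam::111111111111:root"},
     "sourceIPAddress": "198.51.100.10"},
    {"eventTime": "2021-03-30T18:13:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                      "userName": "netops-admin"},
     "sourceIPAddress": "203.0.113.5",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2021-03-30T18:14:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": "222222222222",
                      "arn": "arn:aws:iam::222222222222:root"},
     "sourceIPAddress": "192.0.2.77",
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication",
     "additionalEventData": {"MFAUsed": "No"}},
]})


def classify(record: Dict) -> Optional[Dict]:
    """Return a finding for any root-user activity, or None for non-root.
    Root should be break-glass only, so every root event is reportable;
    severity reflects how far the event departs from that expectation."""
    identity = record.get("userIdentity", {})
    if identity.get("type") != "Root":
        return None
    base = {
        "account": identity.get("accountId"),
        "event": record.get("eventName"),
        "time": record.get("eventTime"),
        "source_ip": record.get("sourceIPAddress"),
    }
    if record.get("eventName") == "ConsoleLogin":
        outcome = record.get("responseElements", {}).get("ConsoleLogin")
        mfa = record.get("additionalEventData", {}).get("MFAUsed")
        if outcome == "Failure":
            return {**base, "severity": "high",
                    "reason": "root console login failure (credential guessing?)"}
        if mfa != "Yes":
            return {**base, "severity": "critical",
                    "reason": "root console login without MFA"}
        return {**base, "severity": "high",
                "reason": "root console login with MFA (verify break-glass use)"}
    # Any API call as root (S3, IAM, ...) outside a planned break-glass window.
    return {**base, "severity": "high",
            "reason": f"root API activity: {record.get('eventSource')}"}


def triage(cloudtrail_json: str) -> List[Dict]:
    """Parse a CloudTrail log file body and return findings in log order."""
    records = json.loads(cloudtrail_json).get("Records", [])
    findings = []
    for record in records:
        finding = classify(record)
        if finding is not None:
            findings.append(finding)
    return findings


def accounts_with_root_activity(findings: List[Dict]) -> List[str]:
    """Distinct member/management accounts whose root user was used."""
    return sorted({f["account"] for f in findings if f.get("account")})


if __name__ == "__main__":
    for f in triage(SAMPLE_CLOUDTRAIL):
        print(f["severity"].upper(), f["account"], f["event"], "-", f["reason"])
```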
| aaomidi wrote:
| Hardware keys should be used to store stuff like:
|
| - private keys for ssh, gpg, vpn auth
|
| - 2fa for sudo access, password manager access, etc
| meepmorp wrote:
| I use a Yubikey, personally.
| Arrath wrote:
| Shit, I had plans to refresh the network infrastructure in my
| parent's place with a full ubiquiti setup to replace the years of
| added on junk.
| Terretta wrote:
| Parent's place?
|
| Go Eero Pro.
|
| Your future time management self will thank you.
| Arrath wrote:
| I'll take a look at it, but also note that I need in total:
|
| Router, Wifi AP (probably two to get full coverage),
| Powerline extender, Point-to-point extender with a switch on
| the other end.
|
| Stupid outbuildings. Anyway, thanks for the tip!
| Terretta wrote:
| Decent chance you don't need all that.
|
| Eero Pro (not standard) kit comes with 3 identical boxes,
| each with a third radio band for backhaul mesh, each can be
| wired or wireless as well.
|
| https://evanmccann.net/blog/eero-vs-eero-pro
|
| See comparison table illustration here:
|
| https://evanmccann.net/blog/2021/2/eero-6-vs-eero-6-pro
|
| Not sure if still the case, but last time I dug into it,
| eero was also the only consumer grade software-defined-radio
| router/ap, allowing them to rapidly patch for various vulns
| that others couldn't necessarily or took much longer for.
| cced wrote:
| Does their gear have any cloud offerings?
| pseudalopex wrote:
| Eero is cloud managed too. And reports MAC addresses and
| network usage to Amazon.
| xoa wrote:
| I wish I could say I was surprised :(. Along with a bunch of
| other people who've used their products for a decade or more now,
| I've been watching the ever steepening downward spiral of the
| company really becoming noticeable over the last 3-4 years. In an
| academic way, it's actually been kind of fascinating to watch
| happen in real time over the course of years with fairly front
| room seats. Seeing the deepening technical debt (lots of _very_
| old hardware still sold as new with no replacements in sight,
| inability to migrate their frameworks or keep their sources up to
| date and more), bikeshedding ramp up and up, the forums start to
| fall apart, marketing starting to write more and more checks
| development couldn't keep up with and then that getting brushed
| under the rug (the SHD and its dedicated security radio comes to
| mind), the forums getting nuked entirely in favor of a horrible
| New Web thing with even worse bug/feature tracking than before
| and there wasn't any proper one before, ever worsening stability,
| universally hated UI changes that would just get shoved through
| anyway, and on and on. It's been everything one reads about,
| "Ubiquiti's Burning Platform" and all that, and in turn seems
| like it should be avoidable. Yet on it ground with sickening
| inevitability. It's just now finally starting to reach critical
| mass and become visible to the more general public, spreading
| through the same tech grapevine that gave them such a boost in
| the first place.
|
| But less academically it's depressing as hell too, because the
| grapevine liked them for good reason and there still isn't any
| drop in replacement. Their p2p/p2mp gear is still solid. And
| UniFi was a wonderful concept solidly executed. It also eschewed
| the subscription/cloud bullshit so many other players are
| chasing, which indeed is something of a saving grace here. While
| there is a cloud option, lots (if not most) people can and do run
| their UniFi networks completely self-hosted even for remote
| sites. The single pane of glass, ease of provisioning and
| recovery, etc made sense and saved time. And they had an
| incredibly enthusiastic and supportive community, like when they
| asked about moving L3 switching way back on the old forums (back
| when the rot was in its earliest stages and not clear yet) they
| got huge amounts of feedback, their beta testing had many people
| putting in a lot of good work.
|
| Such a damn stupid waste. And the nature of the beast for tech
| infrastructure is that market signals are always behind the curve
| and thus muted until things are already getting to be too late.
| Robert Pera also owns the majority of their stock IIRC so there
| isn't any way to effect an outside management change there
| either. It is odd to me that nobody has sought to go after them
| directly and aggressively, though I heard rumblings late last
| year that Cisco was giving a go at something clearly aimed right
| at the UniFi market (no subscriptions like Meraki)?
|
| At any rate, final straw for me on routing was the flop their
| "UXG" has been, I finally gave up at long last and began
| migrating everything to OPNsense a month back. And once the
| single pane of glass is broken, the barrier to start moving more
| drops in turn and network effects (harhar) begin to go into
| reverse. I'd still be happy if they somehow recovered, but if
| they do I think it'll be a long time. Problems that build for
| years tend to take years to reverse too, if they can be. I hope
| we get some stories someday internally on how it all went down.
| outerspace wrote:
| The most disconcerting part for me is the fact that the attackers
| gained full access to one of the administrators' LastPass
| account. I would love to know how that happened.
| smileybarry wrote:
| Yikes. I have a (Ubiquiti) EdgeRouter X that I previously used
| for a fiber setup (and it's shelved now because it doesn't like
| this ISP's modem), had planned to get a ER-4 later down the road.
| Been on the fence for any of their APs for months upon months,
| now I'm glad I bought neither.
|
| Technically EdgeRouter gear is unaffected as it's very
| cloud-optional, but I can't bring myself to trust any firmware from
| them at this point. It supports OpenWRT so I guess I'll install
| it and go back to OpenWRT.
|
| I see this thread already has people discussing alternatives, so
| I won't ask for ones -- just had to put it out there that if you
| own an EdgeRouter, chances are that OpenWRT has a build for it.
| lazyweb wrote:
| Yeah my few Unifi devices (and the controller SW instance) are
| already restricted to their own VLAN, but I'm going to disable
| outgoing internet access as well.
| gorgoiler wrote:
| It seems naive to want to talk to the press under a pseudonym --
| _Adam_, in this case.
|
| When looking for leakers internal security auditors don't need
| proof you are _Adam_ in order to fire you. They just put enough
| pressure on the most likely Adams such that they quit.
|
| You will be one of them. If another Adam does so, so be it. Your
| actions likely flushed the other leaker when you thought you were
| the only one. You won't be able to handle the pressure. Neither
| could she.
|
| Adieu, _Adam_, et al.
| heavyset_go wrote:
| At least for home networking, I'll always pick something I can
| throw OpenWRT on over a managed service, subscription or
| closed-source option.
|
| In the 15 years I've been using OpenWRT, I have never been
| disappointed with it, and I don't have to worry about some
| company's "secure" backdoor into my network being exploited.
| christophilus wrote:
| I'd like to know what you recommend. I'm running asus routers
| at home, but would like an option that's easier to upgrade.
| vorpalhex wrote:
| What prosumer level OpenWRT devices do you recommend? I don't
| want to flash a subpar consumer router.
| rubatuga wrote:
| I'm using a WRT1200ac to great success. Just make sure to
| set your 5GHz network to a non-DFS channel.
| eutropia wrote:
| > Ubiquiti's stock price has grown remarkably since the company's
| breach disclosure Jan. 16. After a brief dip following the news,
| Ubiquiti's shares have surged from $243 on Jan. 13 to $370 as of
| today. By market close Tuesday, UI had slipped to $349.
|
| Aaannd this is why we can't have nice things. Like trust in our
| vendors. Or security. Or consequences.
| eqvinox wrote:
| I am extremely relieved none of our Ubiquiti devices are set up
| for this cloud shit. (We use the PtP stuff, not the APs, the
| cloud bits are optional there.)
|
| Then again we have a "clear skies" policy & wouldn't have bought
| anything that requires cloud blah. (Which covers a whole bunch of
| other vendors too, looking at you Cisco "SmartLicense")
| vageli wrote:
| What is a "clear skies" policy?
| remir wrote:
| I'm guessing clear sky as in no clouds, meaning stuff like
| AP/network management must remain on premises.
| H8crilA wrote:
| By the way, reporting to krebsonsecurity is a giant waste of
| potential income. This is what the SEC whistleblower program is
| for. You get paid for submissions there that lead to successful
| enforcement actions, and the payouts can be very substantial.
| Furthermore because payouts exist, there's an industry of
| competent lawyers that will happily take cases with compensation
| coming exclusively from your payout.
|
| Also, how is this a securities case? The company did not disclose
| the scale of the breach to shareholders.
| seneca wrote:
| There was just a thread[1] yesterday about them starting to serve
| ads in their UI. It seems this company is rapidly losing
| credibility.
|
| I have had plans kicking around for a bit over a year to do a
| full build out using their products, and just within that time it
| seems like they've gone from a glowing reputation to severely
| tarnished. Unfortunate, as it seems like they once had great
| products.
|
| 1: https://news.ycombinator.com/item?id=26628198
| dandare wrote:
| Why is the blog not adapted to mobile screen readability?
| markwillis82 wrote:
| Was days away from refitting my home out with £2,000 of gear.
| Any other recommendations for routers, wifi and security cameras?
| ruph123 wrote:
| For router check out the Turris Omnia [0]. Seems to be a good
| choice.
|
| [0]: https://www.turris.com/en/omnia/overview/
| pkaye wrote:
| That looks pretty nice. Too bad I didn't see this a week
| earlier since I just upgraded my home network last week.
| aborsy wrote:
| For firewall, I suggest an OPNSense box. You could run it on a
| thin client, a Protectli etc.
|
| For AP, OpenWRT seems decent.
| pseudalopex wrote:
| Mikrotik is the most common recommendation probably but wifi
| speed is a problem apparently.
|
| There were some other suggestions in yesterday's Ubiquiti
| discussion.[1]
|
| [1] https://news.ycombinator.com/item?id=26628198
| tecleandor wrote:
| I use Mikrotik (or OpenWRT) for routers, but Mikrotik is not
| that good on WiFi. People recommend Ruckus, but it's pretty
| expensive (and not that easy to get second hand in Europe, or
| Spain at least).
|
| Is there any (good) brand with pricing between Mikrotik and a
| Ruckus that doesn't need a cloud connection?
| mr_woozy wrote:
| Is it not possible to just add in a separate WAP to the
| MikroTik device?
| ghostpepper wrote:
| Can you elaborate on your experience with Mikrotik wifi? What
| don't you like about it?
| stevenjgarner wrote:
| I have happily upgraded several homes from Mikrotik and/or
| Ubiquiti to Eero mesh - https://eero.com/
| Haemm0r wrote:
| "an amazon company" already makes some warning lights blink
| in my head. Do they have cloud integration of any kind?
| pseudalopex wrote:
| It's cloud managed and sends network information to Amazon.
| dataminded wrote:
| Thank you Adam. You saved me thousands, I was seriously
| considering a network upgrade.
| whereis wrote:
| The simple interpretation is that lawyers know that the law
| offers no consumer protections in these scenarios, and tried to
| use that to protect the corporation. Morals aside, and assuming
| their assessment about such legal boundaries was correct, they
| were simply doing their jobs.
|
| The system may be broken, but a patch is necessary, and that is
| only going to arise via legislation. Sadly, the system of
| governance is also broken, so I expect this will be closed with
| status "WONTFIX".
| myrandomcomment wrote:
| You are required to have internet access to setup something like
| the UDM-Pro. After it is setup you can create a local admin
| account and disable remote access.
|
| Here is how:
|
| 1. Login with your online account credentials and password
|
| 2. Choose system settings
|
| 3. Choose advanced
|
| 4. Disable Remote Access
|
| 5. Confirm that "Transfer owner" won't be available if you
| disable remote access.
|
| The issue in general is that the UniFi stuff can be crappy and
| buggy, but it SUCKS LESS than any other complete solution for a
| home / small enterprise there at the price point.
|
| I personally used to give them a strong recommendation and even
| now that is a recommendation with some footnotes. They have been
| growing too fast and the SW quality has gone down. Being on the
| latest release is not always the best idea.
|
| To be fair, in my I have had many conversations with Cisco that
| started with "no, not the latest GA, but what is the latest
| proven STABLE GA."
| tenacious_tuna wrote:
| Just verifying my understanding: this will make it impossible
| to reach the device from ui.com or otherwise off-network, but
| an attacker could:
|
| 1. use leaked SSO keys to forge an SSO token
|
| 2. craft a malicious webpage
|
| 3. get an unsuspecting UDMP user (e.g., me) to navigate to that
| page
|
| 4. run scripts on that page that would access & interact with
| the UDMP from the browser within the network, using the forged
| SSO
|
| Is this still a possible vector? Presumably UI would have
| rotated their SSO keys by now, but since there's no way to
| disable SSO-based login to the UDMP....
| myrandomcomment wrote:
| So SSO is disabled here. You just use a local account. I.e., I
| go to https://192.168.27.1 to get to my UDMP and the account
| to auth is locally stored.
| TimTheTinker wrote:
| The difference is that the attack you suggest has to be
| _targeted_.
| rgharris wrote:
| I just did this for a controller that is hosted on a VM (via
| the new controller UI), and I went through a couple of additional
| steps.
|
| 1. Disable "Enable Remote Access"
|
| 2. Setup SMTP (since disabling remote access stops routing
| emails through Ubiquiti's backend)
|
| 3. Create a new admin not tied to a cloud Ubiquiti account (via
| "Administrators")
|
| 4. Disable "Sync Local Admin with Ubiquiti SSO" (the older UI
| says "Enable Local Login with UBNT Account")
|
| 5. Delete the old admin account
|
| Steps 3 and 5 may not really be necessary, but I did them to be
| safe.
| dec0dedab0de wrote:
| Cloud managed anything has a giant red target painted on it.
| Especially infrastructure equipment. I'm still surprised anyone
| thinks it's ok to use their ISP provided router and wifi, let
| alone having it be managed remotely by the manufacturer.
| zerkten wrote:
| The problem is that on-prem isn't much better in many cases.
| Only the largest organizations have the capability to operate
| deep defenses against these threats whether it's the cloud, or
| the on-prem.
|
| If you and your team have the skills you can operate fairly
| effectively on a small scale, but that's a pretty luxurious
| situation. Most home users can't tell the difference between a
| router and cable modem hence it's in the interest of cable
| providers to lower support costs by providing a managed
| offering. It's terrible from a security perspective, but
| customers have signed that away.
|
| The common theme running through these breaches is that the
| organization isn't necessarily small, but they aren't
| Google/Apple/Microsoft-size either. Those companies have
| multiple layers of expertise and the cash flow to hold up
| development of anything in order to make sure things are
| secure. It's hard to wing stuff once the bureaucracy
| understands security is needed. They even start pushing their
| product security initiatives outside of product development to
| mundane departments because they get attacked by very smart
| actors. You can see from the news it's still far from perfect.
|
| Once you get to companies the size of Ubiquiti, you start
| having challenges with implementing close to the same degree of
| security because you don't have float in the system to allow
| for additional costs, delays, etc. on top of the lack of
| expertise. Apparently Ubiquiti have been hemorrhaging expertise
| in other areas due to opportunistic cost-cutting, so it isn't a
| surprise that they suffer and respond in this way given that
| culture. A bad security decision by one exec in companies of
| this size can cut across many departments which doesn't happen
| in the behemoths.
| dec0dedab0de wrote:
| on-prem is much better in most cases because if there is a
| bug an attacker would have to scan the internet and find you
| before a patch is released and you update. If that bug is
| only accessible from inside of your network to begin with,
| then that means the attacker would already have to be inside
| your network.
|
| As far as the team having skills, there is not much that
| Ubiquiti does that can't be handled on prem, I mean you're
| already installing physical devices, how much more effort is
| it to install a controller? Sure, that means you're on the
| hook for upgrades, but in most cases you're better off not
| getting them instantly anyway.
|
| And to clarify my point about ISP gear, I agree that the
| average user can't be expected to understand or care. I meant
| so called technical users.
| pseudalopex wrote:
| The problem isn't Ubiquiti using AWS. It's Ubiquiti forcing
| customers to use cloud authentication.
| arbitrage wrote:
| Let's be honest, there are a lot of problems here.
| xoa wrote:
| > _The problem is that on-prem isn't much better in many
| cases. Only the largest organizations have the capability to
| operate deep defenses against these threats whether it's the
| cloud, or the on-prem._
|
| One of the truly sad things about all this though is
| precisely that UniFi made this a lot easier for small orgs
| and even individuals (and could have gone even farther).
| Stuff like VLANs and RADIUS became dramatically more
| accessible "for free", using just what was built-in to a
| UniFi stack someone might get anyway. Back when they were
| still more competent Ubiquiti added management VLAN support
| across the lineup, and the setup is fairly intuitive and then
| just works. At one point I'd hoped they'd continue in that
| direction much more. It's not some impossible thing, it
| mainly just needs better UX putting the pieces together in a
| graspable way. Graphical VLAN topologies and point-and-click,
| automating all the certificate authentication/signing stuff,
| the generation of profiles for onboarding, all the components
| for this stuff exist right now just not, well, unified.
|
| I think a lot of places don't _want to_ in fact, because they'd
| rather push cloud ties since that can yield subscription
| revenue.
| tjoff wrote:
| Is there any reason to worry if you run a local controller that
| doesn't have any connection to a cloud account?
| exabrial wrote:
| If they would have stayed with the on-premise model, this would
| have never happened.
| 1vuio0pswjnm7 wrote:
| It is interesting to do a search of HN for past references to
| "Ubiquiti". Whenever the topic of routers came up, many comments
| followed that recommended them above any alternatives. Commenters
| seemed proud to tell the world they were using Ubiquiti, as if
| the "HN consensus" for home routers was to choose Ubiquiti.
|
| It seemed to me Ubiquiti would never allow customers the option
| to install their own OS (e.g., BSD) or boot from external media
| containing a non-Ubiquiti OS, without sacrificing the benefits of
| hardware specs that were likely deciding factors in selecting the
| Ubiquiti hardware above existing alternatives. The intent was
| clearly to have Ubiquiti retain control over the hardware after
| purchase. The customer effectively remained tied to Ubiquiti
| forever, so if the company started serving ads, using AWS
| unnecessarily, etc., there's no way to opt out. Customer is
| compelled to accept all updates.
|
| Specs are important, but maybe not as important as control.
|
| Reliance on third parties necessarily increases potential risk.
| Unnecessary use of third parties is, IMO, poor decision-making.
| This is of course rampant in "tech" and, IMO, marks a triumph of
| the salesforce for those third parties over common sense,
| possibly assisted by network effects. Further, I dislike products
| where there is a heavy focus on opaque "updates". Again, many
| customers have been trained to believe that not updating is
| always the wrong decision. (Meanwhile they have no idea what is
| in each update.)
|
| As stated in one of the blog post comments:
|
| "It is even worse: Ubiquiti forced all users to use cloud-based
| authentication even for accessing your controller software on a
| local network with a local client. This was not even properly
| communicated but deployed by one of the regular maintenance
| updates."
| myrandomcomment wrote:
| I do not understand this comment.
|
| Ubiquiti sells turn key HW and there never was any hint that
| this was HW you could roll your own on.
|
| I could buy APs that I could install OpenWRT on. I could set up
| an OpenBSD firewall. I could run my own DNS. I have done all this
| in the past. The point is I do not want to anymore. I have
| better things to do with my time. So as a turn key solution
| that is "prosumer" their kit works and I think you will find
| that is why most people here have recommended it.
|
| You can disable the Cloud connection and I posted how in this
| thread. People on HN are tech savvy enough to sort that part.
|
| The fact of the matter is they had a bad security breach and
| they have a cloud connected platform. Ops. That sucks. But the
| reality is that market forces have pretty much tied evaluations
| to cloud connections and telemetry gathered from it. That is
| the part that REALLY sucks. I do not blame them for trying to
| make money. I am angry if they were less than truthful in the
| details of the breach and I am sure both the SEC and the court
| of public opinion will punish them.
|
| For my part, I have no plans to replace the 4 switches in my
| house with boxes running SONiC nor the 4 APs with OpenWRT or my
| firewall with OpenBSD because I just really do not care to have
| to maintain it, and if I drop dead tomorrow my wife can likely
| sort the UniFi stuff (as I have documentation on the setup) but
| there is no way she could sort the roll your own.
| tjoff wrote:
| _" It is even worse: Ubiquiti forced all users to use cloud-
| based authentication even for accessing your controller
| software on a local network with a local client. This was not
| even properly communicated but deployed by one of the regular
| maintenance updates."_
|
| Uh? That is demonstrably not true. Any more details?
| robbiet480 wrote:
| > According to Adam, the hackers obtained full read/write access
| to Ubiquiti databases at Amazon Web Services
|
| Not good!
| jbm wrote:
| Say what you want but my cheap old Linksys router never leaked my
| passwords.
| caseysoftware wrote:
| _" Adam says the attacker(s) had access to privileged credentials
| that were previously stored in the LastPass account of a Ubiquiti
| IT employee, and gained root administrator access to all Ubiquiti
| AWS accounts, including all S3 data buckets, all application
| logs, all databases, all user database credentials, and secrets
| required to forge single sign-on (SSO) cookies."_
|
| Holy...
|
| Wow. That is catastrophic. Everything is compromised. That's a
| complete rebuild.
| jandrese wrote:
| Or they'll just change their passwords and pretend to have
| solved the problem.
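What "secrets required to forge SSO cookies" means in practice, and why jandrese's "just change their passwords" does nothing about it, is easiest to see with a signed cookie in hand. The following is an added example, not Ubiquiti's code and not from the article: a minimal HMAC-signed session cookie with assumed claim names. It shows that whoever holds the signing key can mint an admin session for a user that never logged in, that tampering without the key is caught, and that only rotating the key (which also logs out every legitimate user) invalidates the forged cookie.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Added example: a minimal HMAC-signed session cookie of the kind many SSO
# systems issue. The claim names and layout are assumptions for illustration,
# not Ubiquiti's format.


def sign_cookie(claims: dict, key: bytes) -> str:
    """Encode the claims and append an HMAC-SHA256 tag computed under `key`."""
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie: str, key: bytes, now: int) -> Optional[dict]:
    """Return the claims if the tag verifies under `key` and the cookie is
    unexpired, otherwise None. Constant-time compare avoids leaking the tag."""
    if "." not in cookie:
        return None
    body, tag = cookie.rsplit(".", 1)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims if claims.get("exp", 0) > now else None


def demo(now: Optional[int] = None) -> dict:
    """Show what possession of the signing key buys an attacker, and what
    password changes versus key rotation do about it."""
    now = int(time.time()) if now is None else now
    server_key = secrets.token_bytes(32)
    legit = sign_cookie({"sub": "alice", "role": "user", "exp": now + 3600},
                        server_key)

    # The attacker holds the same key, so they mint an admin cookie for a user
    # that never logged in. No password was needed and none will be checked.
    forged = sign_cookie({"sub": "intruder", "role": "admin",
                          "exp": now + 10 * 365 * 86400}, server_key)

    # Flipping one hex digit of the tag is caught, so the scheme itself is
    # sound; the problem is purely who holds the key.
    tampered = legit[:-1] + ("0" if legit[-1] != "0" else "1")

    # Resetting every user's password changes nothing: the cookie never
    # references a password. Rotating the signing key invalidates all cookies,
    # forged and legitimate alike, which is the cost of a real cleanup.
    rotated_key = secrets.token_bytes(32)
    return {
        "legit_ok": verify_cookie(legit, server_key, now) is not None,
        "forged_ok": verify_cookie(forged, server_key, now) is not None,
        "forged_role": verify_cookie(forged, server_key, now)["role"],
        "tampered_ok": verify_cookie(tampered, server_key, now) is not None,
        "legit_after_rotation": verify_cookie(legit, rotated_key, now) is not None,
        "forged_after_rotation": verify_cookie(forged, rotated_key, now) is not None,
    }
```

The same reasoning applies to the other secrets the article lists (remote-access secrets, signing keys): a credential that is checked by possession of a key is only revoked by replacing the key, and every consumer of that key has to be re-issued.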
| EvanAnderson wrote:
| I wonder how difficult it would be to implement a rudimentary
| controller for their APs. The WLAN configurations are just text
| files in the /etc directory. Getting feature parity would be a
| lot of work, but I bet the bar isn't too high for simple
| functionality. Most of the "magic" is happening in hostapd on the
| APs anyway.
| abledon wrote:
| >Adam says the attacker(s) had access to privileged credentials
| that were previously stored in the LastPass account of a Ubiquiti
| IT employee.
|
| So the laptop probably had some malware/keylogger on it that was
| able to pick up some data in the lastpass browser extension or
| something?
| hedora wrote:
| _previously_ stored. They probably made a csv backup of the
| lastpass database. Those aren't encrypted.
| Quarrelsome wrote:
| > Ubiquiti's shares have surged from $243 on Jan. 13 to $370 as
| of today.
|
| How are we ever going to solve security as an industry against
| this? Again we're told that security isn't important. Being the
| first to market and insecure is the winning play and that's just
| fucked.
| genmud wrote:
| I don't think that it is a solvable problem if the economics
| stay the same.
|
| SolarWinds is actually trading almost $2/share _more_ than it
| did 1 year ago today ($15.67 v $17.23). Sure, it is down from
| its 52 week high ($24.34).
|
| I would argue that SolarWinds should not be allowed to be in
| business in its current form, considering what a threat they
| have been to themselves and others in their mis-handling their
| software practices and subsequent breach. If an individual did
| what they did as an employee of the government, they would
| currently be in jail.
|
| It is probably one of the most impactful national security
| events in our lifetimes and the impact of this event will be
| felt in certain areas for years or even decades.
| Quarrelsome wrote:
| I feel like we have to regulate this at a governmental level
| to get anywhere. We keep automating more and more of our
| society and its clear we're unable to protect it but the
| casuals don't get that and keep charging ahead and we enable
| them. The amount of power we gift to a given attacker seems
| to just grow and grow.
|
| But how do we achieve political intervention when
| technologists and politics appear to be completely
| incompatible? The closest I've seen is the Pirate Party which
| never get more than a few percent or that democratic
| candidate (Yang was it?) and he was pretty fucking clueless
| on the tech when poked with any significant vigour.
| genmud wrote:
| It is certainly a difficult problem and as such, like most
| difficult problems, it will likely not be fixed in any
| meaningful manner. We will likely be talking about this
| exact issue in 5 years, 10 years, and 20 years from now.
|
| Cyberspace Solarium Commission [1] created a robust and
| well documented roadmap for the Biden transition team to
| address some of these fundamental problems. IMHO, it is one
| of the better policy documents and has a number of really
| good recommendations that I believe would be extremely
| helpful. The #1 thing I think we could do is address
| accountability, who is responsible for the security of
| devices/software and what legal recourse should people have
| if the vendor doesn't adequately secure or support their
| products.
|
| I think that there are a bunch of issues and one of the
| biggest ones is that what we say vs what we do are 2
| different things. We also have issues where many of the
| core business practices that are commonly accepted are
| incompatible with building a secure and resilient
| infrastructure.
|
| [1] https://www.solarium.gov/public-
| communications/transition-bo...
| spockz wrote:
| How can you see whether you have been affected or whether they
| have poked around your setup and maybe even left something
| behind? Theoretically you can't really trust anything on your
| network anymore.
| jeffhodge wrote:
| Kinda strange that they'd ask for a ransom in Bitcoin and not
| something fully anonymous..
| surfsvammel wrote:
| The plot Thickens: "SHAREHOLDER ALERT: Ubiquiti, Inc.
| Investigated for Possible Securities Laws Violations by Block &
| Leviton LLP; Investors Should Contact the Firm"
|
| https://finance.yahoo.com/news/shareholder-alert-ubiquiti-in...
| hpkuarg wrote:
| This type of solicitation is a dime a dozen, but I do find the
| name of the firm hilarious. Anyone who's had to make patch
| cables would recognize the name...
| rossipedia wrote:
| I am 100% not surprised. I spent a year working for Ubiquiti,
| running the Network Controller team.
|
| Trust me, this whistle-blower "Adam" (I have a few suspicions of
| who it actually is), toned it down.
|
| The reality is much much worse.
| ex_ubiquiti wrote:
| I worked at Ubiquiti while you were there. I can confirm that
| the company was going downhill fast.
|
| The US offices were starting to feel empty because so many
| people were leaving the company. Only place I've ever worked
| where engineers would quit before they got another job.
|
| Saddest part was all the wasted potential. There were good
| engineers making good products at Ubiquiti only a few years
| ago. Once UniFi exploded in popularity the CEO started trying
| to micromanage everything and it all started falling apart.
| Silhouette wrote:
| It's unfortunate what seems to have happened to Ubiquiti. The
| idea of decent network hardware with a good UI that can
| support the prosumer to small business segment of the market
| has a lot going for it.
|
| In the early days, it seemed like Ubiquiti was going to nail
| it and was building up a strong, loyal following as a result.
| Then came all the reports of quality problems, promised
| features never delivered, phoning-home, ads in UIs, the not
| just security breaches but cover-ups...
|
| How the brand hasn't become toxic already is a mystery to me,
| yet look at the stock price tracker. It's been trending up
| for years and it has well over doubled in the past six months
| alone. Apparently investors aren't too worried about any
| potential consequences of all these reported problems.
| fossuser wrote:
| I think the brand isn't toxic because of the state of the
| competition.
|
| Even with this hack, their stuff is still the best
| available for home use. Netgear or Linksys consumer routers
| are awful. The mesh devices are okay, but serve a different
| market.
|
| The other stuff people recommend is often 2-3x the Unifi
| price and 2-3x more complicated to setup and configure.
|
| Any ex-employees want to start a company making this stuff
| that doesn't suck?
| Silhouette wrote:
| _The other stuff people recommend is often 2-3x the Unifi
| price and 2-3x more complicated to setup and configure._
|
| I don't know about 2-3x the price, at least not here in
| the UK. We looked into this when fitting out a new office
| with the networking essentials a couple of years ago, and
| Ubiquiti wasn't particularly attractive on headline
| prices compared to the other typical brands that get
| mentioned in that space (MikroTik, DrayTek, etc.).
|
| However, the ability for non-networking experts to set
| something up quickly that does the job and doesn't have
| glaring security problems is definitely a competitive
| advantage in that prosumer to small business market. None
| of those other brands has a great UI that I've seen and
| they all tend to assume that anyone who wants to set up a
| couple of extra APs for a small office WiFi and a
| standard firewall for the Internet connection will be a
| pro-level network expert.
|
| I think it would help a lot of people if better
| products/companies started to compete seriously on that
| front, and I have to think that with the SME market to
| fight for there is room to compete with the established
| names. After all, that is largely how Ubiquiti themselves
| broke into the market, or at least that's the perception
| I had at the time.
| ex_ubiquiti wrote:
| The early days at Ubiquiti were good. I worked with a lot
| of good engineers and we shipped good work. The decline is
| a recent problem.
|
| > How the brand hasn't become toxic already is a mystery to
| me, yet look at the stock price tracker. It's been trending
| up for years and it has well over doubled in the past six
| months alone.
|
| This is your answer. No incentive to change. All of the bad
| engineering decisions have been rewarded by increasing
| stock price and continued sales.
|
| Most of the original engineers have quit by now. I lost
| track of how many UniFi engineering leads joined and then
| quit after it started falling apart. Before I quit, I heard
| rumors that the CEO was making two separate teams work on
| the Dream Machine project separately, competing against
| each other. That made more people quit. I think they were
| trying to reboot engineering in foreign countries when I
| left because it felt like we were forgotten in the US
| offices.
| ihsw wrote:
| What do you suggest for someone leaning on an EdgeRouter
| Lite (with EdgeOS v1.10.11, staying far away from v2.x)
| and a Unifi UAP-AC-PRO access point?
|
| The router will probably reliably carry me until
| saturating 1Gbps becomes a daily occurrence and the
| access point will be retired when WiFi 6E comes around
| (assuming Ubiquiti's WiFi 6E access points aren't
| required to connect to the cloud.)
| Loughla wrote:
| >I heard rumors that the CEO was making two separate
| teams work [. . .] separately, competing against each
| other.
|
| I don't work in tech, so maybe I'm dumb to this, but why
| would you ever do this?
| fletchowns wrote:
| Isn't Oracle notorious for doing this?
| rossipedia wrote:
| This is not surprising to me at all.
|
| IMO, the CEO had a bit of a Steve Jobs hero-worship
| complex, but only all the bad parts. I can absolutely see
| him putting two teams on the same project, and "may the
| best product win".
|
| The team that "lost" would get canned, obviously (I saw
| it happen to two separate offices while I was there).
| tablespoon wrote:
| > IMO, the CEO had a bit of a Steve Jobs hero-worship
| complex, but only all the bad parts.
|
| Part of me wishes Steve Jobs had never been brought back
| to Apple and died in obscurity. He's such a bad example.
| People idolize him, but his good parts can't be imitated,
| his bad parts can, and a lot of people can't seem to tell
| the difference.
| gralx wrote:
| Intel tried this too, according to an ex-Intel employee
| here. It's a management strategy intended to get the best
| result by inspiring competition. The problems it invites
| are the obvious, but the tradeoff may be justified in
| some scenarios.
|
| It's also the premise of David Mamet's famous play
| _Glengarry Glen Ross_.
| jakeva wrote:
| I imagine it comes from some flawed business belief in
| the survival of the fittest. I've never heard a tech
| person advocate for it, I only ever hear it from business
| types.
| Silhouette wrote:
| Of the things I've seen reportedly happening at Ubiquiti,
| that one makes more sense than some.
|
| Businesses put projects out to tender all the time, and
| other businesses that can provide what is wanted invest
| sometimes very considerable resources into putting in a
| bid, knowing that if they don't make the winning bid then
| those resources will most likely be completely wasted.
| Evidently it is still worth operating a business on that
| basis because the benefits when you do win outweigh the
| costs of the failed bids, and those costs might include
| reducing morale in a team who worked on a failed bid.
|
| If that is the case across industries as a whole then
| economically it _might_ make sense for a business to
| operate on the same basis internally for their Next Big
| Thing. Run multiple independent teams at the start, give
| them all the same brief, then see which team comes up
| with the most promising starting point. I don't see much
| of an argument for continuing the internal competition
| beyond the concept to prototype stage, though, unless
| perhaps it turned out that more than one team could
| produce a product that was viable in its own right
| without competing for the same market.
| rsync wrote:
| Now rewrite your entire comment with s/ubiquiti/sonos/g.
|
| So much wasted potential ... so much customer goodwill wasted
| because (apparently) no company is worth running unless it is
| a publicly traded unicorn.
| colineartheta wrote:
| Just curious (I agree with you), but what are the s/ and /g
| for? Samsung and Google?
| brod wrote:
| I think the OP is using the sed syntax [0] to say:
|
| > _Now rewrite your entire comment with sonos instead of
| ubiquiti._
|
| [0] https://www.grymoire.com/Unix/Sed.html#uh-6
| istjohn wrote:
| That's the syntax for search and replace with _sed_ on
| Linux.
| inetknght wrote:
| Good tools support search and replace. Better tools
| support regular expressions.
|
| https://linux.die.net/man/1/sed
| [deleted]
| tinco wrote:
| It's how you do a text replacement in VIM, I believe it's
| s for substitute, /../ for the regular expression, and g
| for global, to substitute multiple instances.
| actimia wrote:
| It is a `sed` command, used to replace (s/) all (/g)
| instances of the first word with the second.
| brabel wrote:
| https://www.cyberciti.biz/faq/how-to-use-sed-to-find-and-
| rep...
| [deleted]
| [deleted]
| javajosh wrote:
| Why is it so easy to snatch defeat from the jaws of victory
| in tech?
| agentdrtran wrote:
| It's not enough to be good, or great, every tech company
| wants to be a world-spanning juggernaut. and it's just
| not possible, let alone desirable.
| rossipedia wrote:
| Greed. 100% greed. While I was there, the CEO loved to
| just fly between offices (randomly) on his private jet.
| You never knew where he'd pop up, and that put everybody
| on edge, because when he was unhappy he tended to fire
| people in large chunks (and shut down entire offices).
| Every decision was motivated by how it affected the stock
| price.
| croutonwagon wrote:
| Even if greed is the only factor. Being unwilling to take
| a short term loss or hit while you rebuild or reinvest is
| just short sighted.
|
| Most successes come with some amount of risk or foresight
| to anticipate the market.
| JustSomeNobody wrote:
| > Ubiquiti's stock price has grown remarkably since the company's
| breach disclosure Jan. 16. After a brief dip following the news,
| Ubiquiti's shares have surged from $243 on Jan. 13 to $370 as of
| today.
|
| Why? Coincidence?
| qwertox wrote:
| It really doesn't get worse than this. But isn't Ubiquiti more of
| a prosumer company, like MikroTik? MikroTik does get a lot of
| heat when they have a security vulnerability and get downranked
| for it as if it were far, far away from Ubiquiti's security
| profile (something like "US vs. some east EU country"), but this
| event tells a lot about Ubiquiti's upper management and their
| internal security practices.
| messo wrote:
| Have MikroTik had any security vulnerabilities anywhere close
| to what has now been revealed about Ubiquiti? MikroTik's
| firmware seems very solid and I get the impression that they
| care about security and routines.
| pilsetnieks wrote:
| Fun fact - a lot of Ubiquiti's engineering is located in that
| same "east EU country". In fact, if you look at the open
| positions - https://careers.ui.com/positions - it appears most
| of the development happens in Central/Eastern/Northern Europe.
| Saris wrote:
| A potential option for anyone wanting to avoid buying new
| hardware to move away from Ubiquiti management software:
| https://openwrt.org/toh/start?dataflt%5BBrand*%7E%5D=Ubiquit...
| akkartik wrote:
| Why do people trust _any_ IoT devices these days? Shouldn't we
| be trying to _reduce_ our exposure to (inevitably insecure)
| software? What benefits does it provide that are worth the
| unbounded risks?
| ramraj07 wrote:
| It's not _that_ unbounded? At least not yet! Until a tech savvy
| neighbor who's also a creep can easily break into your network
| and home camera I'm not personally worried.
| akkartik wrote:
| Why does it have to be a neighbor? It says "internet" on the
| tin. Do you have confidence that random people on the
| internet can't do the equivalent of a port-scan on you?
|
| The other way I think of it is, I don't use it right now. It
| likely has open doors, intentional or unintentional. If the
| open doors are widely discovered, reliably closing them seems
| difficult. The highest-leverage point in time to influence
| this story is before I start using it. "The only winning move
| is not to play."
|
| Feedback appreciated on this thought process.
| arbitrage wrote:
| been doing it for years. meet the new boss, same as the old
| boss.
|
| this is the other side of the coin of "you don't need privacy
| if you have nothing to hide", and it's exactly as stupid in
| application here as it ever is.
| vorpalhex wrote:
| Well, guess I won't be able to drop a few thousand on Ubiquiti
| gear anymore until we get some more details. Hopefully this
| account isn't fully truthful, otherwise Ubiquiti has really
| screwed up.
| [deleted]
| kitsunesoba wrote:
| A few months ago I was considering outfitting my apartment with
| Ubiquiti gear but ultimately decided to stick to an aging
| AirPort Extreme and a couple of cheap ethernet switches after
| seeing reports of bugs with various Ubiquiti pieces. Seems that
| was a good judgement...
| rswskg wrote:
| meh, not really a good substitute. They've got the prosumer
| market locked down.
|
| Probably why they got into this mess. Lots of successful
| product people deferring 'non product' stuff.
| knz wrote:
| > Hopefully this account isn't fully truthful
|
| Brian Krebs is a reputable source who has a lot to lose if he
| makes unsubstantiated claims.
| vorpalhex wrote:
| He's quoting a source. I don't doubt Krebs in the slightest
| but he's simply forwarding someone elses account.
| logicslave wrote:
| But the routers have a nice user interface!
| temp0826 wrote:
| My favorite part of the web interface is when it silently
| reverts changes made at the command line.
| dismalpedigree wrote:
| You enjoy that also? I thought I was the only one...
| nikisweeting wrote:
| The APs and switches are stateless by design (which I sort of
| like), but if you make CLI changes on the controller using
| the config file they are not reverted in my experience.
|
| Though it's not super well supported either because they
| prefer people using the web UI to the config file.
| 650REDHAIR wrote:
| That's a feature not a bug
| okigan wrote:
| Ran into this [1] issue with Ubiquiti and Stripe integration.
| Short story: the Ubiquiti integration insists on sending credit
| card numbers directly to Stripe (vs using a more secure method).
|
| The issue has been there for 2 years -- which is beyond odd. When
| I've reached out to tech support the issue was effectively closed
| as known issue.
|
| [1] https://community.ui.com/questions/Tokenization-for-
| Stripe-I...
| speeder wrote:
| I wonder why their legal department would PREVENT them from
| saving their users.
|
| What legal reason would exist for that? I thought legal would
| instead force them to save their users, since otherwise they
| would risk getting sued by all of them by all the damages caused
| or something.
| lakecresva wrote:
| > a source who participated in the response to that breach
| alleges Ubiquiti massively downplayed a "catastrophic" incident
| to minimize the hit to its stock price, and that the third-
| party cloud provider claim was a fabrication.
|
| I'm sure their lawyers don't know anything about tech or
| forensics, but they know how to buy shareholders time in a way
| that minimizes anyone's chances of going to prison or facing
| serious civil liability. If you ask someone in charge of hiring
| corporate counsel what they look for in a lawyer, they will
| flat out tell you "a good risk manager who understands
| discretion" which just means "someone who's going to tell us
| what we can get away with".
|
| The regulatory system in the US is sufficiently dysfunctional
| that there is zero incentive for corporate counsel to even
| consider what's in the best interest of consumers.
| izacus wrote:
| > I wonder why their legal department would PREVENT them from
| saving their users.
|
| Good legal departments understand that the company is there to
| serve the users and make them happy and operate within those
| constraints (even trading off possibly liability when it makes
| the products sell better).
|
| Horrible legal departments will block anything that has even a
| smell of liability, even when it comes to sabotaging the
| product itself and hiding serious issues from users and
| employees.
|
| I've met way too many ones from the second group.
| tgsovlerkhgsel wrote:
| Successfully sweeping it under the carpet means you don't get
| sued for the mistakes you made.
|
| Legal isn't there to make sure the company complies with the
| laws. Legal is there to advise on and minimize legal risk.
| cheph wrote:
| > Legal isn't there to make sure the company complies with
| the laws. Legal is there to advise on and minimize legal
| risk.
|
| Breaking laws is one sure way to increase legal liability.
| hedora wrote:
| Only if you get caught.
| mywittyname wrote:
| And be successfully prosecuted.
|
| I'm sure someone in legal knows someone at the AG's
| office who might be "considering the private sector" in
| the near future.
| rStar wrote:
| but if you get away with it 90% of the time....
| tgsovlerkhgsel wrote:
| Yes, but if you've broken one law already, breaking another
| one by sweeping it under the carpet may sound very
| attractive.
| nitrogen wrote:
| _Legal isn 't there to make sure the company complies with
| the laws. Legal is there to advise on and minimize legal
| risk._
|
| "It's not like we're building bridges or something." -- any
| legal department when faced with engineers' ethical duty to
| report a hack.
| amzans wrote:
| The scope of this breach is frightening.
|
| Would be great to better understand how the Lastpass credentials
| got leaked in the first place.
|
| Anyone found any comment on that?
| bedhead wrote:
| Ubiquiti is another one of these companies where if you did
| nothing but read about them on HN, Reddit, et al, you would think
| they're filing for bankruptcy tomorrow, set orphanages on fire,
| kill puppies, etc. The negative hyperbole around this company is
| something else, hack or not. And yet, all they do is thrive...
| blablabla123 wrote:
| The hardware is very cheap and the market for their products is
| thriving. In fact it's possible to put custom software on it
| actually without using their cloud.
|
| > if you did nothing but read about them on HN, Reddit, et al,
| you would think they're filing for bankruptcy tomorrow, set
| orphanages on fire, kill puppies, etc.
|
| I need to check these posts ;)
| bedhead wrote:
| Seriously I'm just tired of it. Do you know how many tech
| geeks over the last few years have proudly proclaimed online
| that the company is "going downhill" and they'll never buy
| any more Ubiquiti products? 50 billion, that's how many. How
| many follow through? Evidently zero. It's comical. The hack
| obviously not good, but GMAFB.
| akkartik wrote:
| Can you elaborate on what break this is that you desire?
| What would you like to have happen?
| christophilus wrote:
| Is it? Until very recently, I've only seen positive comments
| about them.
| [deleted]
| tw04 wrote:
| It's a long-tail if I had to guess. In my "circle" of coworkers
| almost every last one has ubiquiti today, and every last one is
| planning to replace it with something else when they make the
| jump to WiFi-6.
|
| Maybe we're the anomaly, but I have a feeling 2 years from now
| if they continue down the path they're on, their earnings will
| not be quite so rosy.
| bedhead wrote:
| My point is partly, let's check in a year from now. I'd wager
| not one of your coworkers switched. Zero.
| tw04 wrote:
| You'd have lost that bet already. One of them switched to
| Aruba last week. I've already replaced several pieces of
| ubnt gear as well and posted for sale on ebay. The APs I'm
| holding off until there are some solid WiFi 6E options.
|
| I know of at least two others that currently have hardware
| on order to replace existing ubnt routers with OPNsense so
| you can add them to the list by the end of April.
| wnevets wrote:
| Is it just me or are you no longer able to avoid the cloud with
| the latest software updates for unifi?
| surfsvammel wrote:
| If you are using CK, Protect and/or the iOS app, it seems that
| you need Remote Access (a.k.a. Cloud) enabled for
| authentication.
| myrandomcomment wrote:
| No you do not, only setup. You can disable it after. See my
| other comment.
| blhack wrote:
| Well this absolutely sucks :(. I've been a huge supporter of
| Ubiquiti ever since I was buying their mini PCI cards and
| sticking them into soekris engineering boards (ubiquiti started
| out as a hardware company).
|
| The magic thing that absolutely sold me on their equipment was
| the ease with which you could provision and mesh new gear. Does
| anybody have anything that compares with that ease of use?
|
| To explain what I mean: I recently had a buddy move into our
| guest house/apartment. While we waited for the ISP to come out
| and hook up his internet, I just put an AP on his counter,
| powered it up, and meshed it into our home network. The whole
| process took less than a minute and didn't require any running of
| ethernet.
|
| (Maybe that's a common feature nowadays and I've just been out of
| the industry for so long?)
| smashah wrote:
| I can vouch for Google WiFi. Very simple to set up.
| rys wrote:
| I'm willing to see what Ubiquiti will do to make it right before
| I switch away, because I have a local-only setup of EdgeRouter
| and UniFi APs that's been absolutely great in the years I've had
| it, but this is really last chance saloon stuff now.
|
| I'm looking for a proper post-mortem and the steps to make sure
| it can't happen again, recommitment to local-only users and
| respect of the customer, and a step back from the push to cloud
| everything.
| yabones wrote:
| > "The breach was massive, customer data was at risk, access to
| customers' devices deployed in corporations and homes around the
| world was at risk."
|
| > "They were able to get cryptographic secrets for single sign-on
| cookies and remote access, full source code control contents, and
| signing keys exfiltration,"
|
| Maybe putting your network control plane in 'the cloud' isn't
| such a good idea after all...
|
| Edit: Just re-read the article, this part stood out:
|
| > the attacker(s) had access to privileged credentials that were
| previously stored in the LastPass account of a Ubiquiti IT
| employee, and gained root administrator access to all Ubiquiti
| AWS accounts, including all S3 data buckets, all application
| logs, all databases, all user database credentials, and secrets
| required to forge single sign-on (SSO) cookies.
|
| > Adam says Ubiquiti's security team picked up signals in late
| December 2020 that someone with administrative access had set up
| several Linux virtual machines that weren't accounted for.
|
| If this is true, and whoever breached them had full access to
| their AWS account, can we really trust them to clean up all their
| tokens and fully eradicate all forms of persistence the hackers
| may have gotten?
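The two signals yabones quotes (VMs launched by an administrative principal that nobody could account for, and the question of whether every form of persistence was removed) are exactly the kind of thing CloudTrail records and a few lines of code can surface. The following is an added example, not the article's and not Ubiquiti's tooling. The records are constructed in CloudTrail's field layout with invented ARNs, IPs, instance IDs and timestamps, and the allowlists (one CI role allowed to launch instances, one break-glass user allowed to create IAM credentials, one corporate egress range) are assumptions. It applies three rules and returns findings plus the set of instances that need to be imaged and terminated rather than merely noted.

```python
import ipaddress
from typing import Dict, Iterable, List, Set

# Added example, not Ubiquiti's tooling. The allowlists below are invented
# placeholders: the only principal expected to launch EC2 instances is a CI
# deploy role, the only principal expected to mint IAM credentials is a
# break-glass user, and interactive admin calls are expected from one
# corporate egress range.
ALLOWED_LAUNCHERS = {
    "arn:aws:sts::111122223333:assumed-role/ci-deploy/github-actions",
}
ALLOWED_IAM_ADMINS = {"arn:aws:iam::111122223333:user/iam-break-glass"}
CORPORATE_NETS = [ipaddress.ip_network("198.51.100.0/24")]
# API calls that create a way back in, independent of the original foothold.
PERSISTENCE_EVENTS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "CreateRole",
    "AttachUserPolicy", "PutUserPolicy", "UpdateAssumeRolePolicy",
}
READ_ONLY_PREFIXES = ("Describe", "List", "Get")

# Constructed CloudTrail-style records. The field names follow CloudTrail's
# schema; every ARN, IP address, instance ID and timestamp is made up.
SAMPLE_EVENTS: List[Dict] = [
    {"eventTime": "2020-12-19T14:02:11Z", "eventName": "RunInstances",
     "sourceIPAddress": "192.0.2.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/github-actions"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0aaa000000000001"}]}}},
    {"eventTime": "2020-12-20T03:14:07Z", "eventName": "RunInstances",
     "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/it-admin"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0bbb000000000002"},
                                                     {"instanceId": "i-0bbb000000000003"}]}}},
    {"eventTime": "2020-12-20T03:21:44Z", "eventName": "CreateAccessKey",
     "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/it-admin"},
     "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2020-12-21T09:00:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/it-admin"}},
]


def _principal(evt: Dict) -> str:
    return evt.get("userIdentity", {}).get("arn", "unknown")


def _is_corporate(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # CloudTrail records a service name here for AWS-internal calls
        return False
    return any(addr in net for net in CORPORATE_NETS)


def _launched_ids(evt: Dict) -> List[str]:
    items = evt.get("responseElements", {}).get("instancesSet", {}).get("items", [])
    return [item["instanceId"] for item in items]


def find_findings(events: Iterable[Dict]) -> List[Dict]:
    """Apply three rules to each record and return one finding per rule hit."""
    findings: List[Dict] = []
    for evt in events:
        name = evt.get("eventName", "")
        who = _principal(evt)
        when = evt.get("eventTime")
        # Rule 1: an instance launched by anything other than the deploy role.
        if name == "RunInstances" and who not in ALLOWED_LAUNCHERS:
            findings.append({"rule": "unaccounted-instance", "principal": who,
                             "instances": _launched_ids(evt), "time": when})
        # Rule 2: credentials or trust created by someone who should not be.
        if name in PERSISTENCE_EVENTS and who not in ALLOWED_IAM_ADMINS:
            findings.append({"rule": "iam-persistence", "principal": who, "event": name,
                             "target": evt.get("requestParameters", {}).get("userName"),
                             "time": when})
        # Rule 3: a human IAM user making a mutating call from off the corporate range.
        human = evt.get("userIdentity", {}).get("type") == "IAMUser"
        if human and not name.startswith(READ_ONLY_PREFIXES) \
                and not _is_corporate(evt.get("sourceIPAddress", "")):
            findings.append({"rule": "offnet-admin-action", "principal": who, "event": name,
                             "source": evt.get("sourceIPAddress"), "time": when})
    return findings


def instances_to_review(findings: Iterable[Dict]) -> Set[str]:
    """Instance IDs that need to be imaged and terminated, not just logged."""
    return {i for f in findings if f["rule"] == "unaccounted-instance"
            for i in f["instances"]}
```

Rule 2 is the one that answers the eradication question: an attacker with root in the account does not need to keep the stolen credential, they can create a fresh user, access key or trust relationship, and those survive a password reset on the original account. Running the rules over the whole retention window, not just the days around the alert, is what turns "we changed the passwords" into an actual inventory of what has to be removed.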
| ryan29 wrote:
| It's odd how the big cloud vendors have been able to escape
| criticism for being completely open by default. Other vendors
| have been taken to task and have adopted better security
| practices. For example, SuperMicro IPMI comes with a random
| password now.
|
| It's extremely difficult to lock down an AWS account when there
| are a bajillion services, IAM policies, roles, etc.. I've been
| trying for the last few days and it's so difficult that I can
| understand things like this. I don't think it's acceptable, but
| I can see how it happens.
|
| I think the expectation for AWS, Azure, GCP, etc. needs to
| change. Accounts should allow nothing by default and part of
| the tutorial / learning process should be understanding the
| permissions needed for each service and how to limit access to
| those services. As a bonus, they should show you how to
| configure Budget Actions to catch anomalies and runaway
| services. For example, I'm trying to set up my account so SMTP
| access to SES gets revoked for SMTP users if the message count
| exceeds a certain threshold. It's really, really hard because
| there's not a single document / guide that shows the process
| from start to finish.
| musingsole wrote:
| You can use AWS Accounts like microservices. The biggest
| security walls in AWS are the account barriers. Those have to
| be specifically configured to cross. Sometimes (1%) it's
| unavoidable, but if you have multiple services running on an
| account, you force yourself to weave arcane webs of IAM
| permissions crisscrossing all over to get what you need
| where. It's a terrible model that people inflict on
| themselves because it's how everything used to work.
| yebyen wrote:
| The triangle says Confidentiality, Availability, Integrity.
|
| While your concerns are 100% valid, we need to remember too
| that setting up access in restricted ways and inviting users
| to understand the protection and remove the correct barriers,
| or implement the concerns necessary to interact with those
| for themselves, always runs the risk that some users will
| find your protections cumbersome and instead find a (totally
| incorrect) way to baffle them, or otherwise even route around
| them entirely mooting any efforts to secure a platform.
|
| And every time I hear this played out in conversation, the
| answer is "that's on them!" But it's clearly a balancing act,
| it's a trade off; tautologically, when you make the service
| less accessible then... it is, well, ... made less
| accessible.
|
| Besides facilitation of the secure access also sales
| conversion ratios will depend on that accessibility. The crux
| of your argument stands, the defaults are too open, and we
| need to do more to ensure that naive users aren't handed a
| loaded gun to aim at their own feet.
| kenforthewin wrote:
| Spinning up your own DB instance is also "open by default"
| and takes both effort and expertise to secure properly. I
| think it's pretty reasonable that there's a large surface
| area of IAM permissions when AWS offers a vast number of
| disparate services.
| sofixa wrote:
| Uhm.. in the AWS I've used, it's on explicit allow, and all
| of their docs and tutorials start with IAM and what's needed
| and why. What more do you want? I can't imagine IAM being
| simpler while being as granular as it is. You just have to
| actually take the time to learn about it, like every system.
| It's still drastically easier to use it securely than doing
| something on a similar scale and detail manually.
| ryan29 wrote:
| > What more do you want?
|
| The hard part for me is figuring out how to disable access
| without breaking everything. I know it'll be useful once I
| understand and I'll take the time I need to learn it, but
| most people won't.
|
| I prefer the opposite learning direction. Start closed and
| open the 1 or 2 things I need instead of having to
| understand 1000 things immediately to configure permissions
| reasonably.
| ryandrake wrote:
| > Maybe putting your network control plane in 'the cloud' isn't
| such a good idea after all...
|
| Isn't one of the major selling points of cloud-everything "How
| can you possibly secure your service better than
| BigRespectableCompany?" I know any time I bring up self-hosting
| E-mail or a web site or whatever, someone always comes out of
| the woodwork to remind me that I am not an expert in securing
| Internet services, and that BigRespectableCompanies have full-
| time employees dedicated to security. Surely I should be moving
| to the cloud for this expertise! This is sounding more and more
| like FUD to me.
| sofixa wrote:
| > BigRespectableCompanies
|
| Ubiquiti really aren't in the same ballpark as AWS or
| Microsoft, which are the companies people use that argument
| for, and you can bet your ass their security is better than
| in most places.
| vkou wrote:
| You may be smart, and have secured your systems properly, but
| someone with the same resume as you in another company might
| not be.
|
| As your manager, how can I tell the difference between
| someone who actually did the work right, and someone who said
| they did the work right (and also legitimately believes that
| they did)?
| grayhatter wrote:
| You never can be... but you should already know that being
| a manager. But if you're the target of an advanced
| persistent threat, it doesn't matter how good your guy is,
| they'll win eventually when the next 0day no one knew about
| shows up. But then your cloud provider will have been
| broken into dozens of times already. Hundreds of companies
| have to do a security audit of all of their networks now*
| because Ubnt got, got. The only ones who don't are idiots,
| or not using ubnt et al.
| IgorPartola wrote:
| Was shopping for alternatives to my Ubiquiti last night. Seems
| like there is nothing good out there. Engenius has shit
| hardware and a cloud controller. Aruba has a cloud controller
| AND you have to pay for a license. Cisco makes you pay for a
| license. TP-Link is cloud-based.
|
| WTF. Does anyone have a decent WAP where I can use PoE, deploy
| like 5 of them and have them support roaming between APs, all
| managed locally? Is that too much to ask?
| swiley wrote:
| If you don't feel like configuring hostapd and dnsmasq I'm
| pretty sure there's an nmcli one-liner that will have network
| manager run a WAP for you. I use 'hotspot' on my phone all
| the time.
|
| WAPs have been absolute crap for years.
| ptomato wrote:
| Ruckus Unleashed is what you're looking for.
| surfsvammel wrote:
| They are triple the cost of the UniFi stuff. So not really
| a drop in replacement.
| bubblethink wrote:
| Look on ebay for slightly older models. R710, R720 should
| be $200-$300. Not a replacement at scale, but the one-off
| purchase from ebay is fine for home use.
| [deleted]
| azernik wrote:
| Disclaimer: worked for Meraki (now Cisco Meraki) for several
| years.
|
| Generally, halfway decent wireless APs are all targeted at
| the enterprise market. Consumer hardware is a brutal race to
| the bottom, as lay consumers aren't qualified to compare
| options based on anything but price and UI. Ubiquiti was an
| outlier in trying to bring enterprise features to the
| consumer market
|
| The problem for enthusiasts and small business/home office
| setups like yours are that both the enterprise market (e.g.
| Meraki) and the premium consumer market (e.g. Google WiFi)
| focus heavily on ease of management - cloud controllers are
| table stakes these days, not a controversial feature. Part of
| that premium that Meraki, Aruba, and that class of enterprise
| supplier charge is about having a trustworthy and secured
| backend.
|
| Note, however, that roaming between APs is a feature of the
| 802.11 standard; you just need to have all your APs on the
| same layer 2 (802.x) network, and using the same SSID and
| credentials. No fancy hardware required, and you can even mix
| and match vendors.
| fullstop wrote:
| Surely 802.11r has a purpose, yes?
| cassianoleal wrote:
| Yes, roaming by sharing SSID and passcode is a world of
| pain. 802.11r solves all those pains, I've been using it
| on OpenWRT for months without a glitch.
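The roaming setup described above (same SSID and PSK on every AP, all on one layer 2 network) plus the 802.11r fast transition that cassianoleal mentions, as an added example that is not the poster's configuration: a script that enables FT on an OpenWrt access point through `uci`. With WPA2-PSK, `ft_psk_generate_local` lets each AP derive the FT keys from the shared PSK, so no per-AP `r0kh`/`r1kh` key lists need to be distributed; the only value that must match across all APs is the mobility domain. The section name `wifinet0` and the mobility domain `a1b2` are assumptions (check `uci show wireless` for yours), and the build of `wpad` on the AP must include 802.11r support.

```bash
#!/bin/sh
# Added example (not from the thread): enable 802.11r fast BSS transition on an
# OpenWrt AP running WPA2-PSK. Run it on every AP with the same mobility domain;
# each AP keeps its own BSSID and channel, while SSID and PSK stay identical.
# Assumptions: the wifi-iface section is named wifinet0 and wpad supports 802.11r.

# Print the uci batch that enables FT for one wifi-iface section.
# $1 = wifi-iface section name, $2 = mobility domain (exactly 4 hex digits).
ft_config_batch() {
  iface="$1"; md="$2"
  case "$md" in
    [0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]) ;;
    *) echo "mobility_domain must be 4 hex digits, got '$md'" >&2; return 1 ;;
  esac
  cat <<EOF
set wireless.${iface}.ieee80211r='1'
set wireless.${iface}.mobility_domain='${md}'
set wireless.${iface}.ft_over_ds='0'
set wireless.${iface}.ft_psk_generate_local='1'
set wireless.${iface}.reassociation_deadline='1000'
commit wireless
EOF
}

# Apply the batch on this AP and restart the radios.
# ft_over_ds='0' selects over-the-air FT, which more clients handle well than
# over-the-DS; switch it to '1' only if every client in the fleet supports DS.
apply_ft() {
  ft_config_batch "$1" "$2" | uci batch && wifi reload
}

# Show the resulting FT-related options so you can compare APs side by side.
show_ft() {
  uci show "wireless.$1" | grep -E 'ieee80211r|mobility_domain|ft_'
}

# Usage when run directly on the AP (assumed file name enable-ft.sh):
#   sh enable-ft.sh wifinet0 a1b2
if [ "${0##*/}" = "enable-ft.sh" ]; then
  apply_ft "${1:-wifinet0}" "${2:-a1b2}" && show_ft "${1:-wifinet0}"
fi
```

Because a PSK-derived FT key hierarchy means anyone holding the Wi-Fi password can already derive the same keys, this adds no confidentiality beyond WPA2-PSK; it only shortens the handoff. For WPA2-Enterprise you would drop `ft_psk_generate_local` and distribute `r0kh`/`r1kh` entries for each AP instead.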
| betterunix2 wrote:
| Faster handoffs between APs.
| passivate wrote:
| We use Meraki MR/MX stuff at our office and are generally
| happy with the value & service. The MS stuff though, thats
| another story. Do you guys have plans to enter the sub $2K
| tier with L3 devices?
| judge2020 wrote:
| > having a trustworthy and secured backend.
|
| Ubiquiti had a secured backend - their screw-up was not
| doing MFA on their admin accounts. I would still like if
| there was an option for a local-only control panel.
| red_phone wrote:
| For their UniFi line, at least, you don't have to use
| their cloud controller. You can self-host.
| SV_BubbleTime wrote:
| My personal experience with Meraki has been the very
| definition of vendor lock-in.
|
| The security appliance was relatively cheap, then we saw
| the fine print that the total bandwidth was artificially
| limited and increased only adequately two product levels up.
| Sorry Mr BubbleTime, you need to buy a new appliance and a
| new license. Your old one is worth nothing and non-
| transferable, watch it rot.
|
| The switches seem absurdly expensive when you consider the
| 5-7 year licensing costs. And the quality is poor at best
| considering Meraki went and pushed a firmware update that
| bricked every fan in every 48 port switch we had. But you
| have the security appliance so it "only makes sense" to pay
| for these switches.
|
| We had an IPSEC incompatibility between a vendor with an
| ASA and our Meraki gear. The solution was to buy a Cisco
| device just for that one connection.
|
| All in all, it's passable, but because of the lock-in it's
| not like I have a cost effective choice to get away from
| it. I wouldn't choose it again.
|
| That said, it does offer a mediocre IT tech a single pane
| of glass they have to try to mess up.
|
| Of all the Meraki factors I've learned and considered, that
| it is cloud-based is the least important towards my
| recommendation or lack of. There are lots of people that
| would be happy to explain all the ways my experience is
| wrong, but whatever.
|
| Short version, I wouldn't do it again.
| foobiekr wrote:
| Is there a community for this kind of discussion at this
| point? When I was an admin, and then later working in
| networking in the 2000s, there were tons of very active
| mailing lists, not just for hardcore networking but for
| IT-oriented stuff, mostly all faded to a shadow of their
| former selves.
|
| I'd be particularly interested in comparisons of
| Meraki/Mist/etc. for small enterprise and campus.
| jlawer wrote:
| Completely agree with the lock-in, and they aren't the
| best / featureful device out there. It seems the sweet
| spot for them is places with LARGE distributed footprints
| (such as retailers), where you can have very simple
| networking (some back to HQ, the rest to internet).
|
| It fits well with being able to rapidly bring bodies into
| a project and implement change X across hundreds of
| stores, while having a standing IT team of 5.
|
| If you have onsite (fulltime) IT, its likely not the best
| option.
| antattack wrote:
| Omada EAP245. You can use appliance and/or software
| controller that you can run locally, to manage your APs no
| cloud needed.
|
| https://www.tp-link.com/us/business-networking/ceiling-
| mount...
| nicolas314 wrote:
| And if you only have one, no need to run Omada. Completely
| controlled from the AP web interface.
| topher_t wrote:
| I hear Cardi B and Megan Thee Stallion have some pretty
| excellent WAP's.
| mattmcknight wrote:
| You are going to end up paying for a license to cover
| security updates. I use Fortinet, not cheap.
| Scramblejams wrote:
| No, TP-Link's Omada controller can be run locally, I do that
| at home and at my parents' house. It is not cloud-connected
| unless you turn that on. Runs surprisingly well on a
| Raspberry Pi 2, actually.
|
| I've got a setup similar to what you're asking for. The TP-
| Link APs (AC1750, AC1350 and AC1200) support PoE, they're in
| a wireless mesh, support roaming, and all configuration is
| handled with one interface, no cloud involved.
|
| Just make sure that what you're ordering says it supports
| Omada. They still ship a lot of SMB gear that doesn't, but
| all the basics are there now.
| IgorPartola wrote:
| How is the experience otherwise? Roaming? Throughput?
| Reliability? I generally like their hardware.
| jackweirdy wrote:
| Great without it. The major improvement I noticed with
| it is 802.11k & v (faster handoff).
|
| Without those, it takes a little longer for the device to
| switch APs at the borders of their coverage. Mostly
| imperceptible, but the longer handoff times can be enough
| to kill a phone call over iPhone WiFi calling
| agurk wrote:
| I run a similar setup with a bunch of EAP-225 APs
| controlled by a local instance of their Omada software
| (running on x64 rather than on ARM).
|
| I've been very happy with roaming/throughput/reliability
| generally. The EAP-225 is 2x2, which they don't readily
| announce. Their newer and more expensive units are
| available as 4x4. That being said they're so cheap, I've
| been happy just to throw more onto the network.
|
| For the software to manage them it uses some kind of
| multicast identification scheme to find new APs. If
| you're on a different subnet then it won't be able to
| automatically see them. They have a tool to connect to
| the AP and give it the management server IP, but that's
| Windows only.
|
| The other option (that I went for) is just to create a
| management VLAN (good practice anyway) that the
| controller and APs live on. This is specifically
| supported by the APs.
| Scramblejams wrote:
| Only been using it for a few months but it's been good. I
| moved the config I mentioned above (the three APs) to my
| parents' house and they haven't had any problems.
| Throughput in their case is a little limited but that's
| expected with the installation (no ethernet and a lotta
| walls). Hasn't needed a reboot or anything.
|
| I just started using an EAP660 HD[1] at home a week ago,
| so far so good. Haven't topped out the speeds yet because
| nothing in my house can take advantage, but I have some
| AX200 cards coming. I understand there's a throughput bug
| at the moment that's going to be solved in a future
| firmware fix[0], but my clients don't go fast enough to
| hit that yet. TP-Link seems to very actively update their
| firmware for the pieces I've been using, FWIW.
|
| So I've been pretty happy with it so far. Roaming has
| been fine, though in one case I think I had non-optimally
| located a couple of APs because my Linux laptop kept
| rapid-fire flapping between two of them. I believe that's
| a client-side problem, though.
|
| I did try a Cisco 240AC and its wifi performance was rock
| solid. The management interface is non-cloud, and I
| believe covers the whole network, but it lives inside the
| AP itself, which I don't love. The management UI is buggy
| and they seem slow to push bugfixes, and when I added a
| 142ACM to extend my network it started going flaky -- I
| had to do a factory reset/reconfigure of the 240AC to
| resolve it, then it happened again a few weeks later --
| so I'm gonna flip my Cisco stuff on eBay. :-(
|
| [0] https://hwp.media/articles/review_and_test_of_the_tp_
| link_ea...
|
| [1] Tip if you adopt one of these in Omada: You need to
| give Omada the EAP660's password (default
| "admin"/"admin") for it to successfully adopt. The other
| APs never required a password to adopt, so it was a
| little confusing until the internet came to the rescue.
| IgorPartola wrote:
| SOLD! Thank you.
| Scramblejams wrote:
| Good luck! If you think of it, post a reply back here
| letting me know how it goes.
| fangorn wrote:
| I bought 3 EAP330s and TP-Link deprecated them after a
| year or so. No more firmware upgrades for their (then)
| top "enterprise" access points. Rumour says they weren't
| happy with the chipset, so decided to abandon them
| altogether (just this model, cheaper ones were on
| different chipsets and support was available for longer).
| Last time I checked there was no OpenWRT support of any
| kind. They did hang when I had port aggregation enabled
| and seemed to run rather hot. But feature-wise and non-
| trunked-networking-wise they were fine, supported what I
| was looking for, no cloud, I didn't even use the
| controller, you can just manage them "the old school"
| way. But don't count on years of support.
| laurentdc wrote:
| For what it's worth, we've been running about 15 TP-Link
| EAP225 in a warehouse without any hiccups so far. Most
| importantly they don't randomly die or lose the
| controller pairing like some low end Ubiquiti units tried
| in the past. The only quirk is that on Windows Server you
| have to configure the service manually, but it's no big
| deal. [0]
|
| [0] https://www.tp-link.com/us/support/faq/2915/
| Melkman wrote:
| I also have a TP-Link Omada setup. For layer2 networking
| with switches and AP's it's fine. Cost effective,
| reasonably stable, acceptable performance and features
| that are regularly used are all there.
|
| The layer-3 stuff however is still early days and I can't
| recommend getting the secure gateway at this time. No
| IPv6 support. Depends strictly on an internet uplink
| configuration for default route to which all traffic is
| then NATted. Can't change that. No real security
| features, no packet inspection etc. The routing features
| really feel like an alpha version. They are working on it
| and have a roadmap to a more workable layer-3 solution.
| So maybe in the future they will be as nice as the
| Ubiquiti solution.
|
| Cloud is not needed but possible. You can get an OC-200
| controller for not much money that fills the role of
| single pane configuration webinterface. The software for
| that controller can also be downloaded for Linux on PC or
| ARM if you want to use your own hardware. Also the
| network keeps running if the controller is down.
| TedDoesntTalk wrote:
| Are you concerned that TP-Link is a Chinese company? Could
| your data be exfiltrated back to China?
| caeril wrote:
| edit: Oops, disregard, I've violated HN hivemind
| statutes, despite being completely factually correct!
|
| What I meant to say is that US law enforcement, and in
| particular the FBI, are 100% perfect in every way. Nobody
| has EVER used lawful request overreach to ruin the lives
| of innocent people. Praise be to J. Edgar Hoover!
| dylan604 wrote:
| It's a sad commentary on how low the bar has been
| lowered. "No, your system isn't secure, but the people
| that can access it can't really do you bodily harm" is
| not really the level I would hope we are trying to
| achieve.
| astrange wrote:
| This isn't useful input on where the actual bar is since
| these are all just conspiracy theories. Who is doing any
| of this?
| TedDoesntTalk wrote:
| I'm not sure what you're calling conspiracy theories
| since it looks like the GP edited his content, but if you
| think China is not exfiltrating data from hardware, let
| me know. I'll provide you with copious references from
| the recent past. Sure, the US is doing it, too.
| ClumsyPilot wrote:
| Kinda like spreading the risks
| snypher wrote:
| I'm not sure where your router connects upstream, but
| they don't have to swim very far to find somewhere to
| feed.
| [deleted]
| Scramblejams wrote:
| As a US citizen, I would love for there to be a
| reasonably-priced US-made alternative. I guess Netgear
| could be one[0], but their Insight management system is
| cloud-only, isn't it? Happy to be corrected.
|
| I think I'd rather take an ostensibly-offline controller
| from China than a cloud-enabled one from the US, though
| I'm not really happy with those options. :-(
|
| Are there some good options I missed? Would like to hear
| about them, if there are any.
|
| [0] I expect their hardware is made in China, even if
| their controller may not be.
| TedDoesntTalk wrote:
| Seems like an opportunity for router software with great
| UI and management on linux or pi to excel. then run it on
| anything.
| mypalmike wrote:
| What data would they even want? My WiFi password? My
| PPPoE password? All my https packets?
| jlawer wrote:
| Synology. Isn't cheap, decent performance though. However it
| doesn't seem to be the brands focus
| [deleted]
| TranceMan wrote:
| Have a look into Ruckus with their local zone director
| offering.
| __d wrote:
| Maybe a bit too soon, but has anyone tried Maxwell?
| https://www.crowdsupply.com/andy-haas/maxwell
| jandrese wrote:
| Also add that all of the SOHO equipment is garbage that drops
| connections randomly, crashes, or simply can't deal with some
| WiFi chips.
|
| This is the reason I went with the Ubiquiti UniFi 6 years
| ago. It was the only one I tried that didn't constantly drop
| connections or cost a fortune. But it's only G and I've been
| considering an upgrade, but there are no good options on the
| market that don't have stupid cloud management bullshit, are
| built on garbage hardware, or cost an arm and a leg.
| glsdfgkjsklfj wrote:
| i did the same research 3mo ago. Was torn between a Ubiquiti
| (mostly because a coworker was bugging me) and a Ruckus
| Unleashed.
|
| I wish i had gone with the Ruckus.
|
| The lie that you can _easily_ self host your own controller
| for ubiquiti is vastly exaggerated. Spent several hours of a
| Saturday patching extremely ancient versions of mongodb and
| compiling stuff. Not to mention that if you have a VM and
| turn the controller off, several features of the APs will
| stop working. and range for their Pro AP is lacking at most.
|
| I wish ubiquiti just published the damn shell commands so i
| could be able to manage it without the silly troublesome
| "controller" which is just an annoying web ui. So
| condescending and inefficient just for the sake of exploiting
| the customer base for lock-in effect. They are just a little
| cisco.
| weaksauce wrote:
| have you checked out eero? https://eero.com/
|
| I know someone that works there and they seem pretty happy
| with the place and product. just saw the amazon link now
| though so that may be a detriment depending on your view of
| them. (I have never used their systems or anything so it's
| not really an endorsement but something to consider)
| Lammy wrote:
| I have exactly this setup with three Aruba Instant APs (WiFi
| 5), but afaict they've combined the Instant product line with
| their cloud offering or something? I'm not entirely sure
| where they're going with it, but I am very happy with the
| setup I have.
| roody15 wrote:
| Aruba sells IAP instant models that do this. No cloud
| required.
|
| (also sell campus controller local no cloud ... but this
| route is pricey)
| Abishek_Muthian wrote:
| > Does anyone have a decent WAP where I can use PoE
|
| There are PoE devices with OpenWRT support[1] and should be
| possible to enable 802.11r if they have the support. They can
| be managed locally even with self-signed certificate.
|
| [1] https://openwrt.org/toh/views/toh_poe-powered
| IgorPartola wrote:
| I use OpenWRT now and would really rather avoid it. I want
| a central controller, not having every AP have its own UI.
| Plus firmware updates are always an adventure.
| the8472 wrote:
| OpenWRT also provides SSH access and CLI tools, so if
| needed things can be automated the old-fashioned way.
| oblio wrote:
| I don't know about you, but I "automate the old-fashioned
| way" at my day job, I want the damned thing to just work
| without me bothering with "SSH access and CLI tools" at
| home.
| fock wrote:
| and how many APs do you have at home?
| nwmcsween wrote:
| I'll let you in on a little secret, Ubiquiti runs OpenWRT
| as can be seen by sshing into any UAPs
| IgorPartola wrote:
| That's fine. I think it's a great project. But I want
| someone else to worry about what happens during each
| firmware update. It's not trivial.
| josteink wrote:
| > Plus firmware updates area always an adventure.
|
| To somewhat eliminate the chances of adventure, I've
| profiled the setup for each of my many OpenWRT devices
| and created unique profiles for them in a (reasonably)
| simple Git repo[1].
|
| All I need to do to get device-specific firmware is to
| update the OpenWRT version-number in a single makefile
| and the rest happens automatically.
|
| I've even setup Github Actions to build the firmware for
| me (basically, run make), so I can even get/build new
| firmware from my phone.
|
| I've yet to have any issues when flashing these builds.
| It used to be much worse when flashing the regular
| "official" OpenWRT image and restoring packages
| afterwards.
|
| Couldn't be simpler! (With the regular Linuxy you-have-
| to-build-it-yourself-first clause)
|
| [1] https://github.com/josteink/openwrt-build
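The per-device profile idea above, as an added example that is not josteink's repository: a small script that keeps the OpenWrt release pinned in one place, maps each AP to an ImageBuilder profile and package list, and verifies the ImageBuilder tarball against the signed `sha256sums` before building from it, so a firmware rebuild cannot be fed a tampered toolchain. The release number, target, device names, profiles and package lists are placeholders; real profile names come from `make info` inside the ImageBuilder directory, and the OpenWrt release signing key must already be in your GPG keyring for `gpg --verify` to succeed.

```bash
#!/bin/sh
# Added example (not josteink's openwrt-build): rebuild per-device OpenWrt images
# with the official ImageBuilder, pinning the release once and verifying the
# ImageBuilder download before use. RELEASE, TARGET and the device table are
# assumptions; files/<device>/ holds that device's /etc overlay.
RELEASE="${RELEASE:-21.02.0}"
TARGET="${TARGET:-ath79/generic}"
BASE="https://downloads.openwrt.org/releases/${RELEASE}/targets/${TARGET}"

# Device table: "<device name>|<ImageBuilder PROFILE>|<package list>".
# "-pkg" removes a default package; APs rarely need PPPoE.
profiles() {
  cat <<'EOF'
ap-upstairs|tplink_archer-c7-v2|luci -ppp -ppp-mod-pppoe
ap-garage|ubnt_unifiac-lite|luci -ppp -ppp-mod-pppoe
EOF
}

# Print "PROFILE|PACKAGES" for one device, or fail if it is not in the table.
profile_for() {
  line="$(profiles | grep "^$1|")" || return 1
  printf '%s\n' "${line#*|}"
}

# Print the make invocation for a device. Paths are relative to the
# ImageBuilder directory, which is where the command is run.
build_cmd() {
  spec="$(profile_for "$1")" || return 1
  printf 'make image PROFILE="%s" PACKAGES="%s" FILES="../files/%s" BIN_DIR="../bin/%s"\n' \
    "${spec%%|*}" "${spec#*|}" "$1" "$1"
}

# Fetch the ImageBuilder and its checksum list, check the GPG signature on the
# list, then check the tarball hash. Prints the unpacked directory name.
fetch_imagebuilder() {
  ib="openwrt-imagebuilder-${RELEASE}-$(echo "$TARGET" | tr / -).Linux-x86_64.tar.xz"
  curl -fsSLO "$BASE/$ib" || return 1
  curl -fsSLO "$BASE/sha256sums" || return 1
  curl -fsSLO "$BASE/sha256sums.asc" || return 1
  gpg --verify sha256sums.asc sha256sums >/dev/null 2>&1 || { echo "bad signature on sha256sums" >&2; return 1; }
  grep -F "$ib" sha256sums | sha256sum -c - >/dev/null || { echo "checksum mismatch for $ib" >&2; return 1; }
  tar xJf "$ib" && printf '%s\n' "${ib%.tar.xz}"
}

main() {
  dir="$(fetch_imagebuilder)" || exit 1
  for dev in ap-upstairs ap-garage; do
    cmd="$(build_cmd "$dev")" || { echo "unknown device $dev" >&2; exit 1; }
    ( cd "$dir" && eval "$cmd" ) || exit 1
  done
}

# Run only when executed as build-aps.sh (assumed file name), so the pure
# functions can be sourced and tested without network access.
if [ "${0##*/}" = "build-aps.sh" ]; then main; fi
```

Bumping `RELEASE` is the only change needed for a new firmware round; the signature and hash checks are what turn "download a tarball and run make" into a step you can trust when the build host is a CI runner rather than your own machine.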
| IgorPartola wrote:
| About 5 years ago I would do the same thing. I want to
| set it up such that if I win the lotto and move away,
| the rest of my household can continue using the system
| without having to learn a CLI.
| motiejus wrote:
| Turris series.
| jiveturkey wrote:
| ubiquiti is fine. you don't _have_ to use the cloud
| controller. CLI works just fine, at least the products I have
| used.
| IgorPartola wrote:
| The featured article seems to say to me that they are far
| from fine.
| heavyset_go wrote:
| Look into Mikrotik hardware and OpenWRT. Of the Mikrotik-
| based hardware I'm familiar with, they support PoE. OpenWRT
| supports roaming and mesh networks, and is a local solution,
| as opposed to a cloud-based one. There are no licenses you
| need to pay for, either.
| briangerman wrote:
| I just ordered a mikrotik 10gb
| https://mikrotik.com/product/crs305_1g_4s_in. The guys at
| work recommended it so hoping for the best!
| sigstoat wrote:
| i've got one of those, and another mikrotik 10gb switch.
| whatever the 16 port one is.
|
| they've been working nicely. i have good luck with fiber
| SFP+ modules, but it seems picky about 1G copper SFP
| modules, fwiw.
| old-gregg wrote:
| HN community is in an endless loop of switching vendors:
| https://news.ycombinator.com/item?id=18200119
|
| IMO using what we have intelligently is easier. Ubiquiti
| hardware has the Edge line of routers and switches that
| are not cloud-controlled, do not listen on any ports, and
| do not establish any connections on your behalf.
| Godel_unicode wrote:
| > using what we have intelligently is easier.
|
| Less dopamine, though.
| telesilla wrote:
| Mikrotik is amazing, for what you get. Bit of a learning
| curve but worth the effort, I've seen large scale wireless
| networks crossing mountains with their kit.
| jimnotgym wrote:
| I am not a fan of Mikrotik, the UI is not nice and the
| defaults are not smart. I have seen professionals make
| mistakes on them several times.
| tails4e wrote:
| I setup a small wisp using mikrotik kit for a few
| neighbours, it worked well in the end, but the learning
| curve was immense unless you have a strong networking
| background. I'd setup and used openwrt before for a
| domestic router and this was another level of complexity
| to get basically functional compared to that. That said
| the level of customizability and scripting (albeit in a
| weird language) you can do is immense, so for a true
| power user with a lot of time on their hands, it's a good
| option
| tubularhells wrote:
| Mikrotik is nice and does all of those things. Just needs
| actual expertise at network administration to set up. Once
| done though, it's fire and forget.
| Saris wrote:
| As far as I know, TP-Link doesn't require any cloud based
| service, or even a local controller. They can work fine
| without any of it and you just manage them locally/directly.
| [deleted]
| yumraj wrote:
| TP-Link is a Chinese company. Doesn't inspire much
| confidence..
| imwillofficial wrote:
| And Cisco does? With its known back doors from the NSA?
| VectorLock wrote:
| Whataboutism aside, Cisco inspires even less confidence.
| Source: Used to work for Cisco.
| fuzzer37 wrote:
| You could try using an aftermarket, open source firmware.
| Something like Open-WRT
| timzentu wrote:
| TPLink newer stuff wasn't supported and wasn't going to
| be DD-WRT for a while there so check first. They have a
| crypto blob for the radio binary, or the entire firmware
| system, that the group would need to trust blindly and not
| be able to adjust settings with, or violate the DMCA to
| reverse engineer.
|
| Don't know if this is the same case still or not, but
| they did this for FCC compliance around the time 802.11ac
| was launching. That might have changed that though I'm
| not sure, I stopped considering them at that time.
|
| Also a good company to look at would be Microtek, I have
| heard good things, but haven't looked into them directly.
| jandrese wrote:
| I've never had good luck with TP-Link hardware though.
| Constant crashes/disconnections once you get past a few
| devices on the network, mysterious failures, hardware
| quickly getting dumped into the unsupported list, and so
| on. I've sworn off of them entirely.
| SamuelAdams wrote:
| Yep, this is what I do. I used the EAP245 and now the EAP
| 660 HD. Both were rock solid devices. Managed locally via a
| web browser. Plugs into a netgear switch, into a pfsense
| router.
| cassianoleal wrote:
| I have a Turris Omnia for my main router. It's a solid piece
| of kit.
|
| The OS, TurrisOS, is based on OpenWRT and for a while they
| were having trouble keeping up-to-date but that's been sorted
| in recent releases.
|
| There are great features like auto-updates and BTRFS
| snapshots and the ability to rollback to previous known good
| if you screw up a config. I also run LXC containers on it for
| things like PiHole (not on the internal flash but the main
| board takes an M.2 SSD).
|
| The Turris MOX is a modular Turris system that you can
| assemble from the parts that you need.
|
| I have a small Gl.iNet router upstairs flashed with upstream
| OpenWRT that I use as a WiFi access point and have setup
| 802.11r for BSSID roaming. Have been using this setup for
| months and handoff has been completely transparent.
| takeda wrote:
| Isn't enough to just disable cloud access?
|
| Edit: I got upvoted by somebody, but as a UI user I'm
| genuinely looking for an answer. If it's still possible to
| get inside if devices aren't connected to UIs cloud.
| IgorPartola wrote:
| That's a part of it. But also:
|
| 1. They are now pushing ads to their local controllers.
| That is a shady tactic. It also means the controller is
| phoning home. It means they might have an XSS in that code
| now or in the future.
|
| 2. They just deprecated a bunch of relatively new hardware.
| If I'm going to invest a non-trivial amount into their
| hardware I want to know it'll keep working for a long time.
|
| 3. They lost trust due to this breach. How can I trust
| their code to secure my locks network if they can't secure
| their own?
| klagermkii wrote:
| With TP-Link you can run the Omada controller for their EAP
| line on a local device (I have it running on a Pi4).
| msh wrote:
| Mikrotik have products that are exactly like that.
| kryogen1c wrote:
| maybe their different product lines are managed differently,
| but all my Unifi WAPs, router, and switches are managed on a
| local controller that i installed and maintain myself.
|
| i recall some features being locked behind a UBNT account,
| but that was only reporting-type stuff IIRC
|
| https://help.ui.com/hc/en-us/articles/360012282453-UniFi-
| Set...
| resfirestar wrote:
| > Does anyone have a decent WAP where I can use PoE, deploy
| like 5 of them and have them support roaming between APs, all
| managed locally? Is that too much to ask?
|
| Not as comprehensive as Ubiquiti's management interface but
| the CAPsMAN feature on Mikrotik routers and APs does cover
| this use case.
| croutonwagon wrote:
| Ruckus R710 or R510 unleashed. I was talking about Ubnt's
| horrendous security in another thread just last night.
|
| https://news.ycombinator.com/item?id=26628198
|
| Or if you just want Wave1 Hardware...R700/R500
|
| You can get these as overstock on the cheap on amazon etc.
| The unleashed version means it can run the controller on the
| AP.
| taddevries wrote:
| The R700/R500 are End-of-Life[1] so be sure you're OK with
| not getting new firmware.
|
| 1.
| https://support.ruckuswireless.com/product_families/4-eol-
| ru...
| WrtCdEvrydy wrote:
| TP-Link Omada is locally controlled (through a smartphone)
| but you can buy the Omada Cloud to control it remotely.
|
| It works with their small 16 port (8 PoE switch).
| chrisweekly wrote:
| Happy enough w my Netgear ORBI (2-node mesh router covers my
| 3500sq ft house; handoff is fine)
| gertrunde wrote:
| The TP-link offering looks very similar to Ubiquiti from a
| quick scan a month or two back.
|
| Both will run from locally hosted controllers if desired.
|
| I've been seeing more Cisco "Meraki Go" kit around as well,
| which looks to target the same use cases as Ubiquiti (very
| very similar gear, WAPs, low end switches & gateways), albeit
| without a local controller option, but at least without the
| usual steep Meraki subscription charges.
| notamy wrote:
| Peplink seems pretty good; they do have a Cloud:tm:
| management offering called InControl2 but as far as I'm aware
| it's entirely optional. I've had good luck configuring
| everything via the local UI. My setup is a Balance Two + a
| few One AX APs.
| betterunix2 wrote:
| Mikrotik, but unfortunately getting reasonable throughput for
| wireless clients is a serious challenge (I always have better
| results with openwrt on the same hardware). Still, nice to
| have local control and not have to rely on some cloud service
| just to use the hardware I bought.
| Jnr wrote:
| I wonder what is reasonable WiFi throughput for you?
|
| With my 5 year old Mikrotik hAP AC I am able to get up to
| 500 Mbit/s on lan.
|
| And my old phone now shows 250 Mbit/s on speedtest.net both
| directions.
|
| How much more are we talking about? Have I missed some big
| hardware upgrade recently?
| betterunix2 wrote:
| Using 80 MHz channels I found the default configuration
| never exceeded 200Mbit/s using iperf. For me "reasonable"
| is closer to 800Mbit/s, which is roughly the theoretical
| limit for 80 MHz with 2 spatial streams. I run my tests
| with my devices sitting 1 meter from the AP. This is on a
| hAP AC, and like I said, I get much better performance
| (close to the theoretical max) running OpenWRT on the
| same unit. I have had similar issues with the RB4011 and
| cAP AC, and in both the NYC area and suburban Virginia
| (so it is not just an issue of spectrum crowding in the
| city).
| api wrote:
| Get Linux boards and USB-3 WiFi dongles with well-supported
| chipsets and roll your own?
|
| The other alternative is to go way up-market and buy
| industrial gear. Consumer gear is shit due to a race to the
| bottom mentality. 90% of consumers buy the cheapest. This is
| also what turned every TV and appliance into a feature-
| encrusted shitbox full of spyware.
| edoceo wrote:
| I think you can do it with Pi-Zero and BATMAN? I gotta find
| my notes.
| jsmith99 wrote:
| Technically, Ubiquiti does have a local option. You can run
| the controller locally and disable cloud login.
| IgorPartola wrote:
| That's how I run it, but it seems they are now pushing ads
| to local controllers and between this and deprecating
| recently released devices, I just completely lost trust in
| them.
| dgudkov wrote:
| > it seems they are now pushing ads to local controllers
|
| The pervasiveness of adtech doesn't cease to impress me.
| ClumsyPilot wrote:
| I really hope that one day it will be remembered the same
| way we remember ritual sacrifice.
| pseudalopex wrote:
| People have reported cloud login can't be disabled now.
| colechristensen wrote:
| I set it up a few months ago with no cloud login, though
| it was a pain.
| winterphoenix96 wrote:
| It can still be disabled from the controller:
|
| New UI: Settings > System Settings > Administration >
| Enable Remote Access
|
| "Classic" UI: Settings > Remote Access > Enable Remote
| Access
| surfsvammel wrote:
| Protect still needs cloud to be activated for
| authentication it seems.
|
| I used to have remote access turned off and accessed the
| video streams via the iOS app when my phone was on VPN to
| the local network. That no longer works. Remote access
| (cloud) needs to be activated in order for the iOS app to
| work, no matter if you are on the local network or not.
| croutonwagon wrote:
| When did that start?
|
| My controller is only on 6.0.43 but i can access it via
| iOS app on VPN.
|
| My controller only does Wireless/AP management though,
| nothing more.
| nickphx wrote:
| i've run my own controller locally for years without
| forced cloud login.. i've never used the ios app, what
| can you do from it that you can't do from the web
| interface?
| danhorner wrote:
| I have been suspicious of their cloud config and run a
| docker image of the controller locally.
|
| I'm still on version 5.14 and all of the cloud features are
| optional. I just ignore them. I guess now I know not to
| upgrade!
| croutonwagon wrote:
| When they introduced callhomes/telemetry sometime in the
| 5.x code i blocked their known DNS entries and then setup
| firewall rules to block all internet access outside of
| the Ubuntu Repos..
| daniellarusso wrote:
| It still checks for firmware updates, right?
| traceroute66 wrote:
| For those people here saying "go Ruckus unleashed" ... caveat
| emptor my friends !
|
| I have it on very good authority that Ruckus have started
| rolling out a change in their pricing model to require a
| Unleashed license per AP to operate, a move which obviously
| increases costs to the end-user.
|
| Some people might say it's a deliberate move to prevent
| cannibalisation of their main business model by nudging
| people away from Unleashed. I couldn't possibly comment.
| IgorPartola wrote:
| Your credit card is stolen and your bank disables it ->
| your network is dead. What a great user experience.
| benjohnson wrote:
| It's a shame that Mikrotik doesn't have an easy-to-use global
| GUI.
|
| It's the right hardware, and great firmware and wonderful
| flexibility - but it needs an easy to use GUI controller to
| make the simple stuff easy to take over from Ubiquiti.
| sam_lowry_ wrote:
| Global UI? You mean, an AWS-hosted configurator for your
| network? We just had an example of it being a security risk.
| God save Mikrotik from implementing something similar.
| IgorPartola wrote:
| No, a local controller that you run on a machine inside
| your LAN.
| weaksauce wrote:
| nothing stopping you from using a local ubiquiti
| controller though. you aren't tied to their servers if
| you don't want to use them. that said, they seem pretty
| problematic from a security standpoint based on these
| leaks and your networking infra should be rock solid.
| coder543 wrote:
| That's basically what MikroTik CAPsMAN is, depending on
| your needs.
|
| I think it's specific to Access Points, so not a general
| purpose centralized controller for MikroTik equipment,
| but... centralizing access point management seems to be
| the main thing under discussion here.
| taldo wrote:
| CAPsMAN is a royal PITA to set up. You have to manually
| add all the wifi channels, map each AP to the channels
| it'll use, and a lot of busywork. Once it's set up,
| though, it works fine, and lets you upgrade all devices
| from the manager, etc.
| pilsetnieks wrote:
| > You have to manually add all the wifi channels, map
| each AP to the channels it'll use, and a lot of busywork.
|
| No, you don't? I mean you can but you don't _need_ to.
|
| There are cases when that is useful, true - for example,
| the automatic channel selection makes some curious
| choices sometimes.
| bshep wrote:
| Their http interface is reasonable and you can
| configure/provision the APs from CAPSman from one of the
| routers/switches in a central location.
| bombcar wrote:
| You can also script against the Mikrotik CLI - I use it
| to update the certificates every ~90 days.
| m4rtink wrote:
| Winbox is a really nice remote controller for Mikrotik &
| vulnerabilities of a shared global controller have just
| been clearly demonstrated, so I don't see an issue.
| sofixa wrote:
| Not really. The vulnerabilities of using a vendor-hosted
| cloud controller have been demonstrated, but having one
| yourself next to your networking devices is just as
| secure as it always was.
| bpye wrote:
| These recent posts about Ubiquiti have made me look again
| at MikroTik. Their hardware is more affordable than I had
| remembered. Is there any good intro to their hardware -
| there are certainly a lot more options than you get with
| Ubiquiti.
|
| Even before now there are some limitations with UniFi that
| have annoyed me. Setting up more complex DNS and firewall
| rules requires editing the JSON config. IPv6 tunnelling
| isn't well supported. The stats in the controller, whilst
| neat, aren't very useful because they have to be manually
| reset to zero.
| stock_toaster wrote:
| I use the edgerouter line for firewalls, and unifi
| (running on a local "cloud key", with cloud login turned
| off) for only access-points and some switches.
|
| This news (covering up, legal overriding good security
| practices) is super concerning though, and I'm definitely
| going to start looking around as well.
| jcadam wrote:
| Yea. I only have an edgerouter 4 as far as Ubiquiti
| equipment goes. It works great for its intended purpose
| (I needed a dual WAN router and consumer level gear
| generally doesn't do that). I was eyeing their WAPs, but
| I believe I'll pass on them now.
| KozmoNau7 wrote:
| The best intro really is to buy some of their hardware
| and play around with it. Their routers and APs are all
| based on the same basic RouterBOARD hardware and run the
| same RouterOS. The specs for each device are pretty well
| laid out on their site, but you do have to read through a
| few product pages to find exactly what you're looking
| for.
|
| I would start with a hAP ac2, a wireless router that is
| approximately the equivalent of their hEX Ethernet router
| plus a dual-band AP (cAP/wAP ac). It's a great standalone
| device and less than $70, or you could get the individual
| devices for a bit more flexibility.
|
| Avoid the models labeled "lite", those are low-cost
| versions with lower routing speeds and 2.4GHz WLAN only.
|
| For management you can obviously configure each device
| separately, or you can use CAPsMAN where one device acts
| as the controller and handles all configuration. It's not
| as slick as Ubiquiti, but it works.
| benjohnson wrote:
| It may sound strange, but for Mikrotik, I find it more
| productive to concentrate on setting them up via CLI.
| It's certainly more trainable.
|
| CLI for Port Forward: /ip firewall nat add chain=dstnat
| dst-port=1234 in-interface=ether1-gateway action=dst-nat
| protocol=tcp to-address=192.168.1.1 to-port=1234
|
| VS having to document the same task in the GUI:
|
| IP->Firewall->Nat-> Add New
|
| General Tab: Chain: dstnat, Protocol: TCP, Dst. Port: Port,
| In. Interface: ether1-gateway
|
| Action Tab: Action: dst-nat, To Address: IP address of
| Server, To Port: Port # of Service
| eecc wrote:
| Yup, very nice router/switch. If anyone could forward a
| properly documented configuration to make the Apple
| AirPort guest network work I'd be ever grateful.
| bombcar wrote:
| The CLI tab-completion is great - you can figure out most
| of what you need to do just by looking at it.
|
| Highly worth getting one to try out.
| heavyset_go wrote:
| Stick OpenWRT or pfSense on them, and you've got yourself a
| nice GUI. You can use the CLIs if you want to, too.
| 1over137 wrote:
| >Seems like there is nothing good out there
|
| Check out Ruckus. I've found their 'unleashed' stuff quite
| nice (no affiliation, just a customer).
| dolni wrote:
| So the question for becomes: is there just not a good
| enthusiast market for this stuff? I have met a number of
| people who are "network nerds", so I'm inclined to think the
| market does exist. With any of the plethora of consumer
| devices (Linksys, Netgear, D-Link) it's a dice roll whether
| your gear is complete garbage or not. A lot of the time,
| you're coming up snake eyes.
|
| I've got some Ubiquiti gear I bought a couple years ago. Like
| you, I want good quality gear that I can manage myself. I
| don't need a bunch of fancy corporate garbage, like link
| aggregation or cloud management. Give me solid, hardware
| accelerated routing and switching, flexibility over my local
| DNS, and maybe some VLANing.
|
| I was running Linux on a small x86 box as my last network
| router. Maybe it's time to get back to that. That or go back
| to banging rocks together. Haven't decided which, yet.
| Johnny555 wrote:
| I think the enthusiasts still buy tiny PCs with WiFi cards
| and run Linux/FreeBSD/whatever.
| IgorPartola wrote:
| I can't imagine that there isn't a market for this. Look at
| the number of people recommending Ubiquiti stuff to each
| other. There are entire YouTube channels dedicated to it.
| If your whole living space or small office can be covered
| with a single access point, get a 3-in-1 combo that has a
| WAP, a router, and a small switch. But if you don't, you
| are left with, what exactly? There is also some demand for
| mesh stuff, for people who rent and don't want to run
| Ethernet cable.
|
| My plan: OPNsense on a PC Engines board for router +
| firewall, an unmanaged PoE-providing switch for switching,
| and _something_ from 2-8 WAPs for indoor/outdoor Wi-Fi.
| tomc1985 wrote:
| I've been running Asus routers with Tomato firmware and
| other than seemingly inevitable hardware quality issues it
| has been smooth sailing
| floatingatoll wrote:
| As a former enthusiast in this area, I need the time for
| other more pressing interests and have reverted my home
| network to Eeros pinned to an IQrouter. All of them require
| some central service to operate, and I rarely if ever have
| to pay any attention to them. They also provide better
| coverage and less radio interference than the prior gold
| standard, Apple Airport devices. The IQ runs some sort of
| ssh *nix variant and the only time I've ever had to call
| Eero support was to turn off 5GHz for a minute^ to pair a
| smarthome device.
|
| Still, it's nice to have a hobby, and if you're looking for
| one, run your own, sure! No shame in that. But it's no
| longer necessary, and that's pretty swell to me.
|
| ^ I agree with why they don't make that accessible to end
| users: because people will uselessly fiddle with settings
| knobs to feel empowered, knobs like "separate 2.4 and 5
| networks" (which breaks roaming and makes users incorrectly
| blame their WiFi routers when PEBCAK is at fault) that
| semi-expert users feel qualified to mess with, and lazy
| technicians will use to create "guest" networks that don't
| offer protection and perform miserably due to being locked
| to 5GHz.
| dolni wrote:
| Maybe you and I have different opinions of "enthusiast"
| in this context. There is really only so much you're
| going to do on a home network. You set it up and once
| it's going, it requires very little maintenance. I would
| not consider running my own network gear a "hobby" any
| more than I would consider restaining my deck a "hobby".
| It's largely a one-time project.
|
| I do have requirements beyond what the typical consumer
| does of their network, like PoE to run a couple of access
| points, PPPoE so that I can put my modem in bridge mode,
| the desire to configure extra DNS records, dynamic DNS
| since my home IP changes. Oh, and let's not forget some
| filtering/rewriting capabilities so that I can force
| modern smart TVs to respect the DNS server I provide
| them.
|
| My network is much more usable having put the time into
| it. Yes, you could buy some off the shelf thing and get
| an OK experience, but that wasn't good enough for me.
| sylens wrote:
| Do they make an Eero yet with more than two Ethernet
| ports? I love the product, I just want to plug 4-5
| devices in as well as use the WiFi.
| Godel_unicode wrote:
| You can buy a 5-port unmanaged switch for roughly $30,
| just FYI.
| clajiness wrote:
| When did link aggregation become "fancy corporate garbage"?
| dolni wrote:
| Garbage was a bit of an indulgent word. It certainly is
| relevant and useful technology. It just isn't useful for
| home users, at least none that I've ever met.
| ryan29 wrote:
| > So the question for becomes: is there just not a good
| enthusiast market for this stuff?
|
| No. They just don't want to serve the low end. I'm from SK,
| Canada and the vast majority of all businesses are small
| businesses. This site [1] says 98%. The problem is they
| only account for about 25% of the GDP, so vendors don't
| consider them worth serving. Everyone wants to sell to the
| 2% of the businesses that make up 75% of the GDP.
|
| There's a lot of money to be made in the small business
| sector. It's just not *enough* money for huge tech
| companies.
|
| 1. https://www.bizadv.ca/by-the-numbers-saskatchewan-
| business-s...
| tonyarkles wrote:
| And now that OTV's gone, it's even harder to get semi-OK
| gear (that can be immediately re-flashed with OpenWRT)
| for a reasonable price. :(
|
| [Hi from Regina!]
| novok wrote:
| You often do not need long sales processes to get those
| small companies, they tend to self serve selling to
| themselves.
| ryan29 wrote:
| I do casual work for a person that serves that sector.
| It's 100% self serve for us. We'll pay fair value for
| stuff and vendors won't ever need to interact with us.
| The problem is when those vendors think their firmware
| updater is worth a $10 / month subscription. It's not.
|
| For example with pfSense going closed source we'd be
| willing to pay around $100 total lifetime cost to put it
| on PCEngines hardware. We can build that in to the
| upfront cost of the device. I wouldn't be shocked if they
| try for $50-$100 / year which won't be economically
| viable for our market, so instead of getting $100 /
| device and never interacting with us, we'll end up moving
| to a different product. I really hope they come up with
| an offering that's appealing to the small business
| sector, but I'm not holding my breath and I'll be
| learning opnsense as a contingency.
| api wrote:
| I've thought for a while that the neglect of consumer,
| prosumer, and small business computing is a side effect
| of concentration of wealth. A small percentage of
| businesses have all the money.
| kazen44 wrote:
| > So the question for becomes: is there just not a good
| enthusiast market for this stuff? I have met a number of
| people who are "network nerds", so I'm inclined to think
| the market does exist.
|
| my experience as a professional "network nerd" is that most
| other people in the networking field run cheap/second hand
| enterprise gear fetched from their employer at a major
| discount and simply seem to care less about wifi in
| general.
| Godel_unicode wrote:
| A lot of that changed with my peer group either due to
| caring about managing from a phone or caring about
| power/noise. The latter are especially not things real
| enterprise gear tends to optimize for.
| newsclues wrote:
| Ubiquity captured the prosumer networking market.
| Vedor wrote:
| Not 100% sure if that's what you are looking for (I don't do
| much network work) but I think that Camsat's GlobalCAM-4.5G
| may be worth checking, with one catch: the company targets
| the CCTV market. Still, that's just a router, without any special
| license fees or mandatory clouds.
| oblio wrote:
| Maybe Plume Homepass: https://www.plume.com/homepass/ ? I'm
| not sure if they're 100% equivalent, but it seems to cover a
| good part of the Ubiquiti feature.
| HowardStark wrote:
| Interesting. Subscription-based services in the home seem
| like a disaster waiting to happen. Unless you can self host
| in the event of a company shut-down, you're beholden to a
| company and their solvency.
|
| Can't see anything on their website for a transition plan
| in the event of shutdown (and of course, why would they
| post that and potentially signal lack of confidence in
| their longevity).
| awillen wrote:
| So one might call them... ubiquitous?
|
| I'm so sorry. I'll go now.
| [deleted]
| Godel_unicode wrote:
| You can absolutely manage ubiquiti local. Even with a
| ridiculously named local appliance called a cloud key. Their
| cameras are unfortunately another story.
| wikibob wrote:
| Eero is amazing.
|
| It Just Works.
|
| Apple style. Plug it in. Never fuck with it. Rock solid.
| discardable_dan wrote:
| They are amazon-owned. I'd be shocked if they weren't
| collecting and reporting telemetry.
| astrange wrote:
| Telemetry is an extremely important part of making things
| just work. There's no other way to find the unknown
| unknowns.
| IgorPartola wrote:
| I have lots of devices that don't phone home. Have been
| working for years. The company needing to know which
| websites I visit to make my network function does not
| speak well of the company.
| heavyset_go wrote:
| That's awfully convenient for the company offering those
| products, but I want to control what happens on my
| network, even if that's inconvenient for some hardware
| vendor.
|
| Case studies, focus groups, surveys and interviews are
| great ways to find the unknown unknowns. Of course, you
| need to pay people to participate in them, and then you
| need to pay expensive employees to conduct, collect and
| analyze the results.
|
| It's often just cheaper to spy on customers, though, and
| pretend that there is no other possible way to conduct
| business.
| sofixa wrote:
| > Case studies, focus groups, surveys and interviews are
| great ways to find the unknown unknowns. Of course, you
| need to pay people to participate in them, and then you
| need to pay expensive employees to conduct, collect and
| analyze the results
|
| No they're not, because the vast majority of people
| simply won't be bothered, and most people probably aren't
| as reliable as concrete data.
| Marsymars wrote:
| Yeah, but they're still the best user-experience I've
| found, and they seem to care about code quality and doing
| right by their customers.
| Jnr wrote:
| Try Mikrotik. It can do all of the things you listed and
| more.
| [deleted]
| biktor_gj wrote:
| After the Unifi Video fiasco, I bought a UDM Pro to test Unifi
| Protect.
|
| Once I saw it required cloud login I got scared. After I saw a
| Ubiquiti SSH key preinstalled in a device with unfettered
| internet access I shut it down, never to bring it up again.
| lazyweb wrote:
| Wow, are you serious?
| dathinab wrote:
| Man I really wonder why the lack of proper 2FA is so
| widespread?
|
| Is it really cost and complexity?
|
| Or just missing awareness?
|
| Or the lack of consequences when you get hacked in a way which
| could easily have been prevented (though then they might have
| attacked in a different way, tbh).
| closeparen wrote:
| He could have had 2fa on his console account but saved an
| access key for CLI access. Many large organizations have an
| infrastructure where you exchange your corporate
| authentication (including 2FA) for a short lived AWS access
| key, but AFAIK this isn't out of the box.
| Bellyache5 wrote:
| AWS SSO does offer this "out of the box", but many large
| organizations use their own custom SSO setup with custom-
| built tools to get temporary tokens.
| TheGuyWhoCodes wrote:
| You can force 2FA even for CLI access as far as I remember,
| but it's not on by default.
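| The MFA-for-CLI enforcement that closeparen and TheGuyWhoCodes
| describe, as an added shell example that is not from the thread
| or from AWS: an IAM policy that denies everything unless the
| request carries an MFA claim, plus a helper that turns an
| MFA-backed sts:GetSessionToken into short-lived environment
| credentials. The account id, user name and MFA device ARN in the
| usage comment are constructed placeholders.

```shell
#!/usr/bin/env sh
# Added example (not from the thread): enforce MFA for AWS CLI/API access
# with an IAM policy, then work from short-lived MFA-backed credentials.
# Every account id, user name and ARN below is a constructed placeholder.
set -eu

# Policy body (the documented "DenyAllExceptListedIfNoMFA" pattern): deny
# every action when no MFA claim is present, except the handful of calls a
# user needs to enrol an MFA device and to call sts:GetSessionToken at all.
# A long-lived access key sitting in a password manager is then useless on
# its own, which is the failure mode discussed upthread.
mfa_policy_json() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllExceptListedIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
      }
    }
  ]
}
EOF
}

# Attach the policy inline to one IAM user (calls the real AWS CLI).
attach_mfa_policy() {
  user="$1"
  aws iam put-user-policy \
    --user-name "$user" \
    --policy-name RequireMFA \
    --policy-document "$(mfa_policy_json)"
}

# Exchange the long-lived key plus a one-time code for a session capped at
# one hour. Output is one tab-separated line: key id, secret, session token.
sts_session() {
  mfa_arn="$1" code="$2"
  aws sts get-session-token \
    --serial-number "$mfa_arn" \
    --token-code "$code" \
    --duration-seconds 3600 \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text
}

# Convert that tab-separated line into export statements for the current
# shell; consume with: eval "$(exports_from_sts "$(sts_session ...)")".
exports_from_sts() {
  # shellcheck disable=SC2086  # intentional word splitting on tabs
  set -- $1
  printf 'export AWS_ACCESS_KEY_ID=%s\nexport AWS_SECRET_ACCESS_KEY=%s\nexport AWS_SESSION_TOKEN=%s\n' \
    "$1" "$2" "$3"
}

# Only reached when run directly with three arguments, e.g.
#   sh mfa-session.sh 123456789012 alice 123456   (placeholder values)
if [ "$#" -eq 3 ]; then
  account="$1"; user="$2"; code="$3"
  attach_mfa_policy "$user"
  exports_from_sts "$(sts_session "arn:aws:iam::${account}:mfa/${user}" "$code")"
fi
```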
| neuronic wrote:
| It's people not getting it and being plain annoyed by the
| second factor. YubiKey or Authenticator app on a different
| device... it's too inconvenient and people often only do it
| if forced (e.g. banks do this afaik).
| aneutron wrote:
| Lack of 2FA for the AWS access ? Sure. It might have
| prevented the attack.
|
| The attacker had access to the whole database. Which meant he
| could alter the 2FA seed. So it wouldn't have mattered much.
| dathinab wrote:
| They seem to have gained access through getting secrets
| from developers as far as I understood it.
|
| So with 2FA they would have had a much harder time to gain
| access to the database.
|
| The part of changing the seed only matters for customers of
| the hacked company but is (as far as I can tell) unrelated
| to them gaining access.
| rectang wrote:
| > _can we really trust them to clean up all their tokens and
| fully eradicate all forms of persistence the hackers may have
| gotten?_
|
| The state of security in the tech industry is miserable. The
| only companies we should trust not to leak our data are those
| that never collected it in the first place.
| anticristi wrote:
| We are certainly not having this conversation enough. I
| regularly chat with a risk office and she keeps telling me:
| Data minimization is your first line of defense.
| kazen44 wrote:
| Heck, most operating systems are leaky by default. Even
| OpenBSD, which has a stellar track record in terms of security
| and "goes against the grain" on many decisions for the sake
| of secure by default (for instance, disabling hyperthreading
| altogether to prevent any kind of SPECTRE vulnerability) is
| under constant scrutiny for not being secure enough.
|
| Maybe connecting everything to a network and making it a high
| value target by collecting everyone's data is just a terrible
| idea in the long run.
| 650REDHAIR wrote:
| What a shockingly large breach. Wow.
| toomuchtodo wrote:
| The breaches are common, the reporting/discovery of them is
| not. Security just isn't a priority for a lot of Orgs, as the
| consequences are minimal (see: Equifax) due to a lack of
| regulatory or financial penalty pain when a breach occurs.
|
| "Help yourself to a free year of identity theft insurance"
| and all that jazz.
| neuronic wrote:
| This is correct. Worked for a fairly large corp with lots
| of customer data and while I haven't witnessed breaches of
| said data it's pretty much a matter of time.
|
| Me and my colleagues always pushed for more secure setups
| and configs but the common rebuttal was "no need there's a
| keycloak running several layers above and you need to use a
| VPN and need access to AWS first, go implement features
| instead."
|
| I hope for them that no rogue employee decides to play
| around a bit or that no one stores their credentials in
| some cloud LastPass account with a '123456qwerty' master
| password.
| MattGaiser wrote:
| Discovery of breaches seems to be undesirable in the
| current environment, if many go undetected.
|
| If you discover, you have to report. If you don't, odds are
| nobody will notice/will blame someone else.
| Grazester wrote:
| There is Fortinet(which acquired Meru 5 years ago). Meru was
| pretty OK. I helped manage a setup of 2500 + access points on a
| campus. I left that job 6 months after Meru was acquired so I
| can't say how they are now.
| xvf22 wrote:
| Got 3 no-brainer CVEs against them. We're an enterprise
| customer who is now moving away because after Fortinet
| acquired them support dropped off a cliff. They had some good
| people but it became rather apparent that there was a bit of
| a toxic culture there.
| rossipedia wrote:
| > can we really trust them
|
| absolutely not
| modeless wrote:
| Should have blown the whistle to the SEC instead. SEC
| whistleblowers get paid. Up to 30% of eventual penalties paid by
| the company with no upper limit. Lying about a breach could be
| securities fraud.
| MrFoof wrote:
| They may already have. Investigation is already pending:
| https://finance.yahoo.com/news/shareholder-alert-ubiquiti-in...
| surfsvammel wrote:
| This might just be a law-firm fishing for people willing to
| be plaintiffs when they sue. So, this in itself might not
| mean much of anything. This might just be a lawyer who read
| the news and thought "Hey, let's see if we can find enough
| people willing to sue!"
| neartheplain wrote:
| Don't have time to dig into this right now, but I have a Ubiquiti
| WiFi AP at my home behind a NAT; does this breach mean my home
| network is vulnerable/effectively exposed to the Internet? Do I
| need to log off HN and deal with this now, or can it wait?
| aaomidi wrote:
| I mean, yes, it does. However hopefully the hackers aren't in
| their system anymore - so if you were at risk it's already
| probably over.
|
| I guess just change your password and reset your 2FA?
| neartheplain wrote:
| Ugh. Guess I'll just go wired for now and unplug the AP.
| Hopefully I'm only paranoid, but I really don't like the
| feeling of a hole in the network with my family's NAS and IoT
| devices.
|
| Never again with the cloud-connected network appliances. Time
| to build a router from scratch, I guess.
| geephroh wrote:
| You can run the AP locally with the standalone controller
| appliance in a container or VM[1]. Pretty simple, and
| doesn't require a UBNT login. Probably still worth doing a
| factory reset on your AP first, if you're paranoid like
| me...
|
| 1. https://help.ui.com/hc/en-
| us/articles/360012282453-UniFi-Set...
| xoa wrote:
| It depends. How do you manage said AP? The leaked credentials
| issue here is specifically in SSO Cloud authentication to
| Controllers, which are used to administer all the actual
| hardware devices. However, the devices themselves aren't
| affected. So depending on how, or for that matter if, you
| manage them you may be unaffected as well which has always been
| a major touted advantage of UniFi and has indeed proved true
| right with this very incident.
|
| Your post seems to imply you have just that AP and that's it?
| If you set it up initially (putting the controller on one of
| your own computers temporarily maybe), and then just left it
| standalone from there on out you're fine. There is no need to
| have an active Controller for all the hardware to work as
| configured, a Controller is just needed to change
| configuration, collect real time statistics/send notifications,
| and do necessarily active things like run a guest portal.
|
| If you are running a Controller, but you're doing entirely
| standalone on your own hardware (or your own cloud service for
| that matter), and haven't enabled Ubiquiti SSO cloud access,
| you're unaffected. That's how I've always run since I don't
| trust 3rd party cloud stuff for something like this, ever.
|
| It's """only""" an issue for their cloud service, and
| apparently their "Cloud Keys" and "Dream Machines" as well
| since they pushed it on people in some recent firmware. Which
| granted covers a lot of surface area, and Ubiquiti has pushed
| very, very hard (see advertising outrage from just a few days
| ago). But it's thankfully still not everything.
| neartheplain wrote:
| Thanks for the detailed reply. As you correctly inferred, this
| is my situation:
|
| >Your post seems to imply you have just that AP and that's
| it?
|
| I recently moved to a house with a preexisting network, so I
| have only the AP itself set up with the Ubiquiti
| router/network controller still in storage. I use the mobile
| app to configure the AP. It sounds like the AP won't phone
| home or open tunnels to their cloud by itself, so I'll turn
| it back on for now.
| jniedrauer wrote:
| > the attacker(s) had access to privileged credentials that were
| previously stored in the LastPass account of a Ubiquiti IT
| employee
|
| The interesting part of this story is how the employee's LastPass
| got popped. My guess is their local workstation was compromised,
| and their LastPass was either not logged out in a browser plugin,
| or they didn't have 2 factor auth required for each login and a
| keylogger got the password. In either case, it's a good reminder
| to be paranoid about your password manager, make sure it's got a
| logout timer, and use 2 factor auth.
|
| I also don't let my cloud password managers touch a mobile
| device. It's fairly inconvenient, so I hesitate to recommend this
| to others. But I don't trust mobile devices very much. Anyone
| have thoughts on this?
| baybal2 wrote:
| Easy to imagine they just got a spiked chrome binary installed
| cutemonster wrote:
| How could an attacker make that happen?
| cutemonster wrote:
| > My guess is their local workstation was compromised
|
| You mean someone was physically at the laptop/desktop and could
| access the OS and apps? Maybe if the employee was working
| remote (covid?) from, say, a cafe and left the laptop
| unattended when refilling coffee?
|
| Or something else? ... Hmm, could also have been eg a browser
| zero day that gave someone remote access to the computer? Or a
| dev tools supply chain attack?
| hn_throwaway_99 wrote:
| It's not that complicated. The local workstation could have
| had a trojan or virus that installed a keylogger or
| screengrabber.
| rossipedia wrote:
| > My guess is their local workstation was compromised
|
| Honestly I don't think it was even that complicated,
| considering when I needed to spend money on some SaaS product
| the "chief accountant" (because there was no CFO) straight up
| sent me a photo of the corporate credit card and said "delete
| that when you're done".
| post_break wrote:
| Verkada, now Ubiquiti, yikes. Also according to this leaker, it
| seems like they tried to cover it up before letting the public
| know. They are on my blacklist now.
| surfsvammel wrote:
| This company is a disaster it seems, and I have just set up my
| whole home infrastructure and home security around their
| products... They were the most recommended brand when I was
| shopping for new stuff a year ago.
| thedanbob wrote:
| Same, my setup is 100% Unifi from back before they started
| going downhill. At least I was self-hosting the software so I
| wasn't bitten by this breach.
| xoa wrote:
| We should be clear here that there are multiple types of
| "self-hosted". Ubiquiti makes essentially little (weaker)
| Raspberry Pi devices with PoE that are dedicated to just the
| controller, and a few years back they also forced their
| (garbage) "Protect" onto their hardware only. They
| (confusingly) call these "Cloud Keys", though they have
| nothing to do with the cloud. However, you can also get 100%
| standalone versions of the Controller that will run on any
| server or VM you've got, Linux, Windows, or Mac. This is just
| the Java 8-based controller software and that's it, and you
| can lock those down arbitrarily hard for any WAN access same
| as any other LAN network software, no general internet access
| is needed at all and no firmware is involved.
|
| A lot of people quite reasonably got CKs seeing them as very
| easy ways to have a low power always on local controller
| since they didn't have some other server running 24/7
| already. If the firmware on those was updated to require tie-
| in to Ubiquiti's SSO that's a horrible betrayal. But I'm
| confident in saying the full standalone Controller doesn't
| since I have mine locked down from any general net access,
| remote L3 management was done to IP only at the firewall and
| I've been switching to just putting it all through WireGuard.
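| As an added illustration of the lockdown xoa describes (not code from the thread or from Ubiquiti): an nftables input policy for a Linux host that runs the standalone controller and also terminates a WireGuard tunnel, so the management UI is reachable only from the LAN and over the tunnel and nothing else is exposed to the WAN. Interface names, subnets and the WireGuard port are assumed placeholders; the controller ports are the documented defaults (TCP 8443 web UI, TCP 8080 device inform, UDP 3478 STUN, UDP 10001 discovery) and should be checked against the installed version.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the thread or from Ubiquiti): input policy for a
# Linux host that runs the standalone UniFi Network controller and also
# terminates a WireGuard tunnel. All names and addresses below are assumptions.
flush ruleset

define LAN_IF  = "eth0"            # assumed: interface facing the APs/switches
define WG_IF   = "wg0"             # assumed: WireGuard interface on this host
define LAN_NET = 192.168.1.0/24    # assumed: LAN subnet
define WG_NET  = 10.10.10.0/24     # assumed: WireGuard tunnel subnet
define WG_PORT = 51820             # assumed: WireGuard listen port

table inet unifi_controller {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept   # keep path MTU discovery working

        # The WireGuard handshake is the only service exposed to the WAN.
        udp dport $WG_PORT accept

        # Management UI/API (TCP 8443 by default): LAN and tunnel only,
        # matched on both the inbound interface and the source subnet.
        iifname $LAN_IF ip saddr $LAN_NET tcp dport 8443 accept
        iifname $WG_IF  ip saddr $WG_NET  tcp dport 8443 accept

        # Device inform (TCP 8080), STUN (UDP 3478) and discovery (UDP 10001):
        # adopted devices sit on the LAN, so nothing else needs these.
        iifname $LAN_IF ip saddr $LAN_NET tcp dport 8080 accept
        iifname $LAN_IF ip saddr $LAN_NET udp dport { 3478, 10001 } accept

        # Host administration over SSH from the same trusted sources.
        iifname $LAN_IF ip saddr $LAN_NET tcp dport 22 accept
        iifname $WG_IF  ip saddr $WG_NET  tcp dport 22 accept

        # Count what the policy drops so WAN-side probes of 8443/8080 show up
        # in `nft list ruleset` instead of vanishing silently.
        counter drop
    }
}
```

| Load it with `nft -f` and confirm from outside the LAN that 8443 and 8080 do not answer; the policy covers ingress only, and egress from the controller host is left untouched.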
| izacus wrote:
| Hmm, even the self-hosted SW can use SSO from cloud... so I'm
| now worried that our equipment is still vulnerable by
| whatever system allows cloud logins.
| pseudalopex wrote:
| They forced cloud authentication on self-hosted software
| too.[1]
|
| [1] https://www.reddit.com/r/Ubiquiti/comments/kslyh9/cloud_key_...
| imiric wrote:
| Wow, that's awful.
|
| I have a few Ubiquiti devices I haven't updated in months,
| that don't use any cloud accounts, and I used to run their
| controller software in a container that I only started when
| I needed to administer something. But now I guess I'm never
| updating and will be looking to get rid of all their
| equipment.
|
| What an incredibly consumer-hostile and incompetent
| company. Shame, because the hardware pretty much works
| reliably.
| Ueland wrote:
| I'm a bit confused by this. I run a UniFi Controller in a
| docker container, have a few APs and a router, and
| everything works fine. No cloud stuff going on here.
|
| Am I just lucky or something that I haven't been forced to
| the cloud yet, or is it something I am missing here?
| jmuguy wrote:
| I think it's just the cloud key. I have a unifi controller
| install as well and use a local account with no issues.
| stock_toaster wrote:
| I have a cloud key with no cloud access. It's just that
| cloud access is the user directed workflow for sure.
| Setup without cloud access was not clear at all [1].
|
| [1]: I don't even remember the steps, to be honest!
| [deleted]
| surfsvammel wrote:
| Apparently I was... Now, updated the firmware and it says
| server certificate changed. Frikkin A. Now I am in 'what the
| hell' land
| johnbrodie wrote:
| I almost did the same thing, but it was clear a year ago that
| they were moving towards "cloud based" services, something I
| didn't want to participate in. Looks like it was a good
| decision, in retrospect.
| CorrectHorseBat wrote:
| So what did you go with?
| johnbrodie wrote:
| Ended up with some used Cisco equipment aimed at the small
| business segment. Similar-ish price to new Ubiquiti gear,
| and I've spent essentially 0 time maintaining the stuff
| beyond initial setup. Still don't have APs set up though,
| I've just been making do with what I had laying around.
| toyg wrote:
| If i were you I'd take heart in the knowledge that the others
| aren't any better, it's just a matter of "when" they'll get
| cracked in the same way
| bombcar wrote:
| Not every network hardware provider ties everything to a
| "Cloud" for reasons. They may have breaches but they won't be
| this widespread.
| bilbo0s wrote:
| Wasn't really a "cloud" hack so much as a hack of a root
| user. How they accessed that root user's credentials is not
| detailed. Phishing? Hardware hack? Dumb root user and it
| was possible to guess his/her credentials? Could even be,
| that particular root user was in on it with them for all we
| know?
|
| In any case, this sort of a hack of any other company's
| root users would result in the same spectacularly
| catastrophic pwnage. That your root users have root access
| on your own machines won't help you.
|
| What they need is to structure their security properly. I'm
| not sure why this user needed root access to everything
| globally for instance? That seems wrong to me at first
| blush, but it could be a matter of me not understanding
| their business model.
| bombcar wrote:
| IIRC it says that they got the LastPass data for an
| employee which had (non two factored?) AWS access
| credentials.
| greycol wrote:
| The reason people are bringing up cloud is because it's
| what affects them. If you have (cloud) access through a
| company to local devices and that company is hacked then
| that could be a very wide pathway into your local set up.
| The company being hacked and related implications is
| still not great for a huge list of reasons but it's the
| possible local breaches that are more of a worry for a
| lot of us.
|
| Ubiquiti has recently been pushing their cloud setup (to
| the point that you can't set up a local controller
| without setting up a cloud account) that's why it's so
| annoying.
|
| *There is probably a way but the last time I tried I
| couldn't find it in setup and so installed using a
| previous version.
| kasey_junk wrote:
| It's increasingly hard to find providers that don't though.
| The advantages of global management software are pretty high
| & the easiest way to implement that is the cloud.
| abootstrapper wrote:
| Me too! Now what do we do?
| ruph123 wrote:
| I always thought that the main selling point of their devices
| was that you can run your own Ubiquiti server at home and keep
| everything local? They are always portrayed as the not-so-
| shitty IoT company.
| OminousWeapons wrote:
| If you don't have remote access enabled and aren't running
| their surveillance camera software, it is not clear to me
| that there is any risk to the customer from this event
| (outside of the source code being used to generate new
| exploits). It doesn't sound like the attackers were able to
| abuse automated firmware update functions, and losing
| credentials to a UI account has no impact on users running
| cloud key locally without remote access enabled.
| ruph123 wrote:
| Right. I would never have any device like a camera be
| directly connected to the internet and instead cut off that
| device from the internet in my router software and only
| access it from outside via a VPN.
|
| Not that this whole screw-up should be excused in any way
| or downplayed.
| mixologic wrote:
| I bought one of their security cameras to act as a
| nursery cam last year, which I could later convert into a
| home security camera.
|
| The 'in house' software, unifi-video, was discontinued 3
| months after I got it set up. All of the apps I use to
| connect to the system have been pulled from the app
| store, and you now have to use their camera controller
| for the one camera, vs the software I'm running on my
| Linux box.
|
| Their controller is much more limited, and many, many
| security camera installers were caught off guard with no
| path forward for their customers. It's a nightmare of a
| shitshow and I would never in a million years recommend
| Ubiquiti as a company at this point.
| spockz wrote:
| I now use the camera in direct RTSP mode. This way it can
| be used by any RTSP tool including video recording and
| the lot. For the nursery camera I just use IPCams on iOS
| on an iPad.
| halefx wrote:
| Yep, I also use their cameras as baby monitors. RTSP mode
| to VLC on an old chromebook as an always-on monitor.
|
| The Protect app works pretty well now assuming you have a
| controller to connect to, but the time between the Video
| app shutting down and Protect actually working properly
| was very frustrating. I would never trust the Protect app
| to stay connected while I'm asleep, though. It's
| definitely not stable enough for that.
| caeril wrote:
| I can't speak to the newer UniFi garbage, but the selling
| point for their Edge network products was that you could have
| Cisco-ish managed switches and routers without paying the
| absurd prices for ASICs, licenses, IOS upgrades, parasitic
| middleman distributors, etc.
| atourgates wrote:
| Are you me?
|
| Just finished setting up my Ubiquiti-based home network that
| includes a dream machine, 6 access-points, and a wireless
| bridge to an outbuilding. All told about a $1,500 investment I
| made because I thought I was investing in "best-in-class"
| hardware and software.
|
| Sigh.
| alkonaut wrote:
| I picked up an EdgeRouter and none of the cloudkey/unifi stuff.
| I initially felt like maybe I should have picked the unifi gear
| and maybe a dumb switch, but now I don't regret the EdgeRouter.
| Couldn't be happier with it.
|
| I don't trust anything that tries to solve the "firewall
| problem" by setting up a cloud service for what should be a
| local appliance.
| moonbas3 wrote:
| Yeah well, more money in marketing than anything else.
| vmception wrote:
| > Adam wrote in his letter. "Legal overrode the repeated requests
| to force rotation of all customer credentials, and to revert any
| device access permission changes within the relevant period."
|
| tsk.
| Google234 wrote:
| This actually seems like criminal advice.
| mywittyname wrote:
| It's probably considered Consciousness of Guilt.
| beervirus wrote:
| Yeah that doesn't make sense to me. Sales would do something
| like that. Legal should be erring in the opposite direction.
| jasonwatkinspdx wrote:
| No. They don't care if customers get pwnd. They care if
| customers become aware of exactly how they got pwnd and
| launch a class action. It's shitty but entirely predictable
| behavior common in these situations.
| beervirus wrote:
| Well you're right that it's not their job to represent
| customers. Their client is the company.
|
| But telling your client to sweep something like this under
| the rug isn't exactly great advice.
| airstrike wrote:
| But rotating credentials would not hurt or help that
| alleged goal of hiding the truth from customers...
| chrisbolt wrote:
| "force rotation of all customer credentials" = make
| customers change their passwords, which is a huge red
| flag that would draw attention to why they were forcing
| that.
| hn_throwaway_99 wrote:
| GitHub just recently logged out all users because they
| had a bug that could leak other account data into
| sessions. They were very transparent about why they did
| that, what happened, and I for one trust them more for
| it.
| 650REDHAIR wrote:
| By trying to sweep it under the rug they just opened themselves
| up.
|
| Crazy.
| elevation wrote:
| I'll change my forum password and continue to avoid UBNT's cloud
| features like always.
|
| I'm still happy with the value, stability, and security updates
| (!!) of my UBNT hardware.
|
| I still won't buy gear from another vendor that wants $$$/device-
| year in support contracts and has unavoidable cloud controllers.
| eyeareque wrote:
| How many of you would be surprised to hear that 99% of companies
| have similar security gaps? These problems happen literally
| everywhere.
| mjfl wrote:
| Is internet of things useful for anything except being a major
| security vulnerability you could trick an enemy into installing?
| gautamcgoel wrote:
| Wow, this is huge. I wonder if the attacker was a state actor,
| and if so, what their intended mischief is.
| eqvinox wrote:
| I don't think a state actor would've tried to extort bitcoin,
| but who knows...
___________________________________________________________________
(page generated 2021-03-30 23:00 UTC)