[HN Gopher] Ubiquiti All but Confirms Breach Response Iniquity
___________________________________________________________________
Ubiquiti All but Confirms Breach Response Iniquity
Author : parsecs
Score : 183 points
Date : 2021-04-04 19:28 UTC (3 hours ago)
(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)
| rosege wrote:
| Opened HN to look to see what everyone was saying about the FB
| hack, stayed for the Ubiquiti one.
| bcrescimanno wrote:
| It's disappointing to see a breach like this and even more
| disappointing to see what (at least on the surface) appears to be
| a lackadaisical response.
|
| As someone who runs a UniFi network in my home with just 4 pieces
| of hardware (gateway, wired switch, and 2 PoE WAPs) I'm really
| curious if there are solid alternatives for a managed home
| network. UniFi really hit a sweet spot of price/performance that
| made it a somewhat pricey, but not totally unreasonable, option
| for the home.
|
| Any suggestions from the HN crowd?
| e40 wrote:
| That is my exact configuration, too. Would love to have
| alternatives.
| heavymark wrote:
| I'm not aware of any alternatives that are designed as well,
| and if you switch, the new option could just as easily be
| hacked, or it could already have been hacked and you may
| never realize. Though it's good for all these people to
| pretend to threaten to leave since maybe that will get the
| company to be a little more forthright, which is all we can
| really ask for these days.
| ThatPlayer wrote:
| I've heard good things about TP-Link's Omada series. Their
| controller even looks like a clone of Unifi's
| lostlogin wrote:
| Having messed with TP-Link's smart plugs, I've been really
| impressed. They integrate well into Home Assistant too.
| ed25519FUUU wrote:
| Isn't TP-link a Chinese company?
| catblast01 wrote:
| Is ubiquiti a Chinese company?
|
| Really, what a low effort idiotic post.
| monkey34 wrote:
| While I've not yet made the purchase, I'm eyeing a Synology
| RT2600ac (https://www.synology.com/en-us/products/RT2600ac) and
| an MR2200ac (https://www.synology.com/en-
| us/products/MR2200ac#specs). It seems like they'll be adding
| VLAN support in their 1.3 release
| (https://community.synology.com/enu/forum/2/post/130414), which
| should be nice for adding dedicated VPN and guest networks.
|
| For me it's one of the few options available because my ISP
| forces me to use a transitional IPv6 technology called "MAP-E,"
| which the UniFi products don't support. I switched ISPs after
| purchasing my equipment and ended up with $700 of dead weight.
| ImprovedSilence wrote:
| I recently went with two 2200acs. Been mostly pleased, but
| there were some settings i had to play with to get the right
| router to use some of the more distant devices.. without
| custom settings it tries to load balance devices over choosing
| based on signal strength, thus a far device from the main
| router had an unusable connection..
| xyzzy21 wrote:
| "The Cloud" absolutely can NOT be trusted with anything serious.
| I'm still amazed serious people actually think it's a smart or
| wise idea. It's become a "Go to the fridge and get the box" type
| of mindless laziness by far too many marketers and developers.
| imwillofficial wrote:
| I used to be a die hard Ubiquiti fan. They have fallen from grace
| in a big way. Disappointing.
| arbitrage wrote:
| So, what happens now? Will Ubiquiti be held to task, by anyone?
| imwillofficial wrote:
| They've lost my business.
| kiwijamo wrote:
| Ditto and they have also lost my recommendations. If I hear
| any friends thinking of Ubiquiti, I will be pointing them
| towards articles like the one we are discussing. I had been a
| bit wary of then since their push for cloud SSO etc, but
| these recent events have put the final nail in the coffin for
| me. Personally I am migrating my family's network to MikroTik
| gear.
| lucb1e wrote:
| A friend of my boss recommended Ubiquiti semi-recently.
| We're a small IT company, plenty of theoretical expertise
| but no dedicated network admins, so it made sense to go on
| a recommendation.
|
| The fact that doing _anything_, for example assigning a
| VLAN to a switch port, requires you to first set up a
| mongodb server on your machine before you can install the
| controller software tipped me off to the quality of what we
| had bought. The device also gets like 80degC while idle.
|
| This controller software is now on isolated hardware, we
| trust the thing about as much as an old Android phone, and
| that was just from our impression as security people
| without knowing of any breach.
|
| I see it as a good thing that other friends of $friend will
| be spared that recommendation after this news.
| imwillofficial wrote:
| Meraki has captured my fancy lately. Expensive but a
| pretty great value prop.
| lucb1e wrote:
| Frankly, all we needed was a switch where you can add
| VLAN tags and send them to a trunk port. And I suppose a
| password on the "I would like this VLAN on this port,
| please" interface is also necessary, but I think that
| already concludes the grand list of requirements.
| Everything else we control on the router.
|
| It doesn't have to be network equipment in the
| traditional sense: any old linux server will do, it's
| just that it needs to have a couple dozen network ports.
| Traffic can be limited to a gigabit per second between
| all the ports combined (no need for multi-gigabit
| backplanes or switch fabrics or what the correct term for
| that is). I'd almost buy a big USB hub and connect
| USB-Ethernet adapters, but that feels more hacky than core
| infrastructure is supposed to be.
| posguy wrote:
| I support two Meraki MX64 routers, they are definitely
| expensive and have repeatedly caused issues for my
| clients when their ISPs force an upgrade of the
| associated modem. Not sure what shenanigans Cisco has
| done with Meraki, but I have wasted hours with them on
| the phone trying to get these MX64's to DHCP from a new
| cable modem.
|
| Ended up swapping in an Archer C7 on OpenWRT with a LTE
| modem to ensure business continuity for the client while
| working with Meraki's abysmal support to get their router
| to work correctly.
| unstatusthequo wrote:
| Plaintiff lawyers will come into effect if there were actual
| damages as a result of this. Has anyone heard of actual
| breaches of their own networks as a result? If not, probably
| no actual damages = class action plaintiffs don't care
| because no $ for them. Of course this is generalizing but
| this is usually the calculus. I know this because I am a
| cyber attorney.
| ejb999 wrote:
| even without actual damages, there will be a securities
| class-action lawsuit for anyone that lost money on the
| stock.; and as usual lawyers will collect big payouts, and
| shareholders will get a few dollars if they are lucky.
| harry8 wrote:
| Get a few dollars from who? The owners of the company
| will have to pay themselves because they messed up? What
| a great reason to pay lawyers and clog up courts at
| taxpayers' expense.
| LgWoodenBadger wrote:
| I'm done buying ubiquiti equipment. 6 devices, and 3 family
| members I recommended ubiquiti to who also have multiple
| devices.
|
| Clearly the market exists for what they're offering. I am
| surprised at the serious lack of alternatives.
| skybrian wrote:
| As Matt Levine often reminds us, everything is securities
| fraud. This looks like a good case for a class-action
| shareholder lawsuit?
| arbitrage wrote:
| I am looking forward to my cheque in three years for $5.37.
| gvkhna wrote:
| I'm still on board with Uniquiti, tons of equipment and it
| wouldn't make sense to switch everything over for small
| operations. But this is extremely disappointing, they're
| definitely moving in a little bit of a different direction than
| where many of us would hope.
|
| More shiny products that increase bottom line is great but many
| IT officials rely on UniFi as well, I wonder how they're
| responding to enterprise customers.
|
| I just hope this incident will at least get them to put some
| emphasis on security again as well.
| neartheplain wrote:
| >I'm still on board with Uniquiti
|
| Freudian slip?
| liaukovv wrote:
| I wonder if you could extract costs of migration from Ubiquiti
| with a lawsuit
| madeofpalk wrote:
| Sounds like a pain that's not worth it.
| nomadiccoder wrote:
| You shouldn't.
| liaukovv wrote:
| Why not?
| teeray wrote:
| What I'm curious about is, if I run my own controller on my own
| hardware, do I need to be concerned about this? I could
| understand supply chain concerns... I've held off updating
| anything while this plays out. But all these "breach! breach!"
| stories fail to spell out who is affected and what they need to
| do.
| ev1 wrote:
| Force pushed updates overnight turned local controllers into
| requiring ui.com single sign on, iirc.
| Nextgrid wrote:
| If the compromise is widespread enough then the attackers might
| have gained control of the update infrastructure allowing them
| to push out malicious firmware to your devices.
| js2 wrote:
| These blanket statements don't apply to everyone. It depends
| which Ubiquiti hardware you own and how you've configured it.
|
| For example, I run the UniFi controller on my FreeNAS server.
| There are no forced updates to it. It doesn't update unless I
| update it. The firmware on my APs doesn't update unless I
| update them from my controller.
| lucb1e wrote:
| So it's a game of luck, depending on whether you updated
| your firmware? I would call that "affected" rather than
| "unaffected".
|
| Just because not everyone installs security patches within
| a few months after they come out (it says the breach had
| been ongoing for two months) doesn't mean that therefore it
| doesn't apply to everyone. In the strict sense, indeed not
| everyone will have been compromised, but it totally applies
| to you in the sense that through business as usual
| (assuming that includes installing security updates), you
| can be compromised.
| ncphil wrote:
| Agreed. My only gear is an EdgeRouter-4. Unlike the
| Mikrotik it replaced, you have to go up, find the latest fw
| file, download and install (that Mikrotik router wasn't
| designed to handle 1 Gbps and at the time the next step up
| cost more than the ER).
| lucb1e wrote:
| So unless it hits news channels major enough that you
| hear about it or there is a bug that you isolate to be
| due to outdated firmware, you probably won't ever patch
| security issues in your _edge_ (outside-facing) router?
| izacus wrote:
| Unless you're manually verifying the content of your AP
| firmware updates (which is a bit hard since they're
| closedsource), I don't understand what you're trying to
| say.
|
| The firmware could be compromised at the source so your
| FreeNAS doesn't help at all when you download and apply a
| compromised firmware update.
|
| Unless you're not updating your APs and keeping them
| vulnerable in that way :)
| gerdesj wrote:
| You probably don't need to be concerned(ish). I run a
| controller for 32 "sites" across the UK with 1 to 13 APs per
| site and a few switches. I keep it behind HAProxy but with
| fairly minimal changes (from memory.)
|
| I have stuck with controller 5.13.32 rather than moving to 6.x
| just yet. It's an LTS version and I'm still waiting for the
| whinging to stop on the forums. I also watch the AP firmware
| and that has had some interesting times over the last few
| months. I've confirmed dodgy AP versions on my sites and
| backrevved and held accordingly.
|
| I treat the whole thing the same way I do any other system. I
| come out in spots when people mention clouds and IT in the same
| sentence, so I have not knowingly enabled any cloudy
| integrations from my controller to UBNT. Specifically, I have
| not enabled "Remote Access".
| izacus wrote:
| If you read the original post, they noticed a breach when
| someone put an "unknown" VM on their server infrastructure. The
| attackers also got signing keys for firmware.
|
| So even if you run a local controller, I see two very serious
| vectors:
|
| 1. The "Ubiquiti account signin" functionality - you probably
| had it off, but I'd like a confirmation that it doesn't keep a
| backdoor open anyway.
|
| 2. Having a malicious firmware update put on the servers. If it
| took months for someone to find the vulnerability, who knows
| how long the servers could push a compromised
| controller/firmware builds for the hardware.
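A practical follow-up to teeray's question above ("if I run my own controller on my own hardware, do I need to be concerned?") and to gerdesj's "backrevved and held" practice, as an added example that is not code from the thread or from Ubiquiti: a pin file of SHA-256 digests for images you have already reviewed, and a wrapper that refuses to apply anything else. It answers izacus's second vector only partially. It catches an image that was swapped after you vetted it (on a mirror, on the controller host, or pushed as a "new" build), but it cannot tell you whether the build you pinned first was clean. The pin file format, the `apply_if_pinned` wrapper and the upgrade command it runs are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): keep a pin file of SHA-256 digests for
# firmware/controller images you have already vetted, and refuse to apply an
# image whose digest is missing or different. It catches an image that was
# silently swapped on a mirror or on disk; it cannot tell you whether the image
# you vetted first was clean. Pin file format (assumed): "<sha256>  <filename>".

sha256_of() {
    # Print the hex digest of file "$1" with whichever tool is installed.
    [ -r "$1" ] || return 1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

pin_firmware() {
    # pin_firmware IMAGE PINFILE: record the digest of an image you reviewed.
    # Re-pinning the same file name replaces the earlier entry.
    img=$1; pins=$2; name=$(basename "$img")
    digest=$(sha256_of "$img") || return 1
    if [ -f "$pins" ]; then
        awk -v n="$name" '$2 != n' "$pins" > "$pins.tmp"
    else
        : > "$pins.tmp"
    fi
    printf '%s  %s\n' "$digest" "$name" >> "$pins.tmp"
    mv "$pins.tmp" "$pins"
}

verify_firmware() {
    # verify_firmware IMAGE PINFILE: return 0 only if the digest matches the pin.
    # Fail closed: an unpinned name (a "new" build that appeared on the update
    # server without review) is rejected, not trusted on first sight.
    img=$1; pins=$2; name=$(basename "$img")
    expected=""
    if [ -f "$pins" ]; then
        expected=$(awk -v n="$name" '$2 == n {d=$1} END {print d}' "$pins")
    fi
    if [ -z "$expected" ]; then
        echo "REFUSE: no pin for $name" >&2
        return 2
    fi
    actual=$(sha256_of "$img") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "REFUSE: $name digest $actual does not match pinned $expected" >&2
        return 3
    fi
    echo "OK: $name matches pin"
}

apply_if_pinned() {
    # apply_if_pinned IMAGE PINFILE CMD...: run CMD (your upgrade step, e.g. the
    # controller's upload or an scp to the device; hypothetical) only after the
    # check passes, and propagate the check's failure code otherwise.
    verify_firmware "$1" "$2" || return $?
    shift 2
    "$@"
}
```

Usage: `pin_firmware ./ap-image.bin ~/firmware.pins` once after you have reviewed an image, then `apply_if_pinned ./ap-image.bin ~/firmware.pins <your upgrade command>` on every apply. The pin file belongs somewhere the controller host cannot rewrite (a separate machine or a signed repo), otherwise an attacker on that host simply re-pins.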
| Normal_gaussian wrote:
| So ubiquiti can't be trusted. What are the suggestions for
| running a series of home and small office networks in rented
| buildings (no cabling?). A UDM + nano ap / flex HD as wireless
| bridges & mesh wifi gave VLANS, performance monitoring, and an
| ease of use that let even a junior UI dev implement and use it
| easily and correctly while complying with all lease req's.
|
| With the world of work at home exploding there seems to be a big
| missing link here.
|
| I'm sitting with a big list of q's that I'm not sure I have a
| decent amount of time to answer. Does switching to
| pfsense/openwrt/something open source work with mesh? With ease
| of set up? Do enterprise brands offer anything worthwhile here?
| Do I have to regress to letting machines connect to unsecured
| networks?
| efitz wrote:
| You get great insight into the character of the leaders of a
| company watching how breaches are handled. Companies that put the
| customer first are transparent, and quickly take action (even if
| painful to customers) to ensure that customers' data and systems
| stay intact and confidential. Companies that try to gloss over,
| hide or downplay things indicate that the leadership does not
| respect their customers and is only interested in maximizing
| profit/minimizing loss.
| xvector wrote:
| Ubiquiti has lost my business. And with the recent issues with
| Netgate/PfSense [1], it looks like OpnSense is the way to go.
|
| [1]: https://arstechnica.com/gadgets/2021/03/buffer-overruns-
| lice...
| jessebarton wrote:
| why would you not just run OpenBSD with PF.
| bpye wrote:
| Why should I choose OpenBSD over FreeBSD or even Linux with
| nftables?
| dijit wrote:
| If you're really asking, and not making a point;
|
| PF is created and primarily maintained by OpenBSD
|
| OpenBSD's base system (without extra packages) includes PF
| and has a focus on security.
|
| PF in freebsd is several major versions old.
|
| nftables (like iptables before it) is rule based and not
| bucket based. So high numbers of rules will not affect pf's
| performance like it does with nftables.
|
| But, for home users, probably not noticeable. Though I
| prefer the syntax of PF personally.
| hyperpl wrote:
| Wireguard has also been stable on OpenBSD which helped me
| with my throughput on my apu2d router hardware.
| fuzzy2 wrote:
| Could you expand on what you mean by "bucket based"?
| Maybe the so-called "tables"? They sound pretty identical
| to ipset on Linux.
| dijit wrote:
| Usually when people talk about nftables they're talking
| about iptables.
|
| iptables is frontend to the kernel framework called
| netfilter. It is not the only one (for example, tc
| controls another portion of netfilter), but it's the one
| people are most familiar with. When people say
| 'iptables', they either mean the userland tool, or the
| mishmash of netfilter kernel features that the tool
| controls.
|
| A lot of the favourable comparison of pf over iptables is
| that the underlying iptables/netfilter architecture is
| much, much messier. Here's how a packet flows through
| netfilter[0], and here's how it flows through pf[1].
| iptables was a huge improvement over ipchains, but it's
| now starting to show its age.
|
| The reason this matters to sysadmins is there's a whole
| bunch of overlapping functionality between iptables and
| the other netflow tools, which can cause a lot of
| headache. For example, iptables can do basic connection
| simulation (fixed ratelimit, burstable ratelimit, drop-
| random, etc), but if you want to add latency to that
| ratelimit, then you have to use tc. Or, you can do IP-NAT
| in iptables, and you can also match on layer 2 (MAC)
| addresses - but if you want MAC-NAT, then you have to use
| ebtables. PF doesn't have that problem.
|
| [0]: https://upload.wikimedia.org/wikipedia/commons/3/37/
| Netfilte...
|
| [1]: http://mailing.openbsd.misc.narkive.com/jtIB9W3w/pf-
| packet-f...
| hyperpl wrote:
| I switched from pfsense + Ubiquiti to OpenBSD + Ruckus and
| couldn't be happier. While the web UIs were cool for a day,
| with the command line I feel as though I understand exactly
| what I have setup a bit better. Ruckus UI is also much more
| friendly than Ubiquiti's - I had to actually install mongo db
| + VM/dock just to configure my Ubiquiti WAP? Seriously?
|
| I just wish I had completely deleted my Ubiquiti account when
| I sold my WAP.
| posguy wrote:
| Does OpenBSD with PF have a nice web interface to
| administrate the firewall, DHCP server, WLANs, etc from?
| brian-armstrong wrote:
| Has anyone looked at Ubiquiti's firmware signing? Would it be
| possible to patch it to retain the drivers and kernel but replace
| the configuration layers? Being able to homebrew some config
| would make the equipment more valuable to us I think.
| KirillPanov wrote:
| Ubiquiti does not lock their bootloaders like phone
| manufacturers do.
|
| It is very, very easy to run vanilla Linux (or even OpenBSD) on
| their hardware. I do exactly this:
|
| https://news.ycombinator.com/item?id=26645062
|
| Octeons (not Octeon-TX) are amazing processors. Ubiquiti makes
| killer hardware. I hear their software is junk but wouldn't
| really know since I always erase it immediately after unboxing.
| catblast01 wrote:
| > An intel goldmont won't use much more power and can easily
| do gigabit sqm and wireguard/IPSec without breaking a sweat.
| Can any of these nearly 2 decade old MIPS/ARM designs come
| close? I don't understand the hype for the hardware either.
| jjeaff wrote:
| Can you still take advantage of the hardware accelerated
| features? Because I use a little er-x and if you turn on qos,
| that disables the hardware acceleration and top speeds are
| cut considerably.
| rexfuzzle wrote:
| AFAIK they've started locking them now, since about v5 if
| memory serves. Got a couple gathering dust now because of
| this.
| gertrunde wrote:
| People have been running OpenWRT on Ubiquiti gear for quite a
| long time iirc.
|
| [https://openwrt.org/toh/ubiquiti/start]
| Hikikomori wrote:
| Afaik performance will be abysmal on edge router series as
| the npu isn't used.
| KirillPanov wrote:
| From firsthand experience: performance is in fact awesome
| on the edgerouters (4, 6, 8, and 12) using plain-vanilla
| Linux.
|
| It's a big honking MIPS chip with firehose connections to
| the ethernet PHYs. Precisely the kind of device you want
| for a router.
| Hikikomori wrote:
| Then you are better off buying something with a beefier
| cpu that costs less since it doesn't have an npu.
| adriancr wrote:
| couldn't find dream machine support there unfortunately, shame
| since I have one gathering dust now
| rossipedia wrote:
| > Ubiquiti also hinted it had an idea of who was behind the
| attack, saying it has "well-developed evidence that the
| perpetrator is an individual with intricate knowledge of our
| cloud infrastructure. As we are cooperating with law enforcement
| in an ongoing investigation, we cannot comment further."
|
| I personally don't believe this. IMO, this is a company who is
| looking for a fall guy, and _most likely_ it's going to be
| somebody who raised a stink about all the security problems
| during their time there.
|
| Form your own opinion, I'm just a guy who worked at Ubiquiti for
| a year, raising all kinds of hell about the security,
| architectural, and operational problems that I saw while I was
| there.
|
| But what do I know...
| edoceo wrote:
| I hope you don't end up fulfilling your own prophecy
| rossipedia wrote:
| I'm pretty sure I'm safe. I left as soon as I could (almost 2
| years ago) once I realized how institutionally broken the
| company was.
| judge2020 wrote:
| Given they were stupid enough to spin up some VMs, I doubt it
| was someone that knew what they had access to. A skilled
| attacker would stay dormant sucking up all data accessible via
| the AWS API (including s3 stuff) and potentially keep access to
| the infrastructure for years.
| throwaway8581 wrote:
| This kind of analysis is basically worthless because you
| don't know whether they are operating at multiple levels of
| deception by, e.g., making you think they are a stupid script
| kiddie and that you successfully wiped them out.
| smashed wrote:
| There is no evidence that this did not also happen.
| [deleted]
| TeMPOraL wrote:
| That would be the reverse of the usual strategy, wouldn't it?
| Most companies seem to try to pin breaches on sophisticated
| hacker groups backed by nation states. But then, they benefit
| from the perception of a threat that's impossible to defend
| from (so there wasn't anything they could do) - whereas
| Ubiquiti benefits from people thinking the attack was just a
| small actor that couldn't possibly threaten Ubiquiti's
| customers.
| rossipedia wrote:
| Yes, you're right. But I don't really expect them to make the
| "smart" or "usual" play. That would honestly surprise me.
| Now, pinning it on somebody that was generally disliked
| because they constantly blocked things that had obvious
| gaping security holes? Basically siccing law-enforcement on
| somebody out of pure spite? I can absolutely believe that.
| ghughes wrote:
| This quote says nothing at all. _Obviously_ the perp is someone
| with intricate knowledge of their network.
|
| They might as well come out and say they have well-developed
| evidence that the perpetrator has an IQ over 50.
| rossipedia wrote:
| I mean, don't get me wrong, there absolutely _is_ somebody
| who's responsible for it, but I wouldn't place any money on
| Ubiquiti being able to figure out who it really was.
|
| They want to brush this under the rug as fast as they can, and
| that means using the opportunity to pin it on somebody that's
| been "problematic".
| dylan604 wrote:
| Are you volunteering for the role? It almost reads as if you
| are expecting to be named on a list of potential suspects.
| admax88q wrote:
| Or he _is_ the culprit trying to get ahead of the story.
| vvanders wrote:
| Damn, that's pretty depressing.
|
| I really wouldn't like to migrate away but I can't say all the
| info that's been coming back has been making me want to have
| them as a part of my network infrastructure.
| bpye wrote:
| During this week I've been playing around with replacing my
| USG with my existing home server - it already has two NICs -
| my first thought was to run OPNSense in a VM but nftables on
| NixOS seems to work well enough - there are a few examples
| floating online [0,1]. OpenBSD even supports the USG [2] but
| I couldn't think of much reason to keep the extra hardware.
|
| The next thing I want to do is reflash my Unifi APs with
| OpenWRT [3] - the hardware is fine, but at that point I'll
| get all the support without the controller software.
|
| My home environment is fairly basic so moving away isn't too
| hard - this would obviously be much harder for a small
| business...
|
| [0] - https://francis.begyn.be/blog/nixos-home-router
|
| [1] - http://www.willghatch.net/blog/2020/06/22/nixos-
| raspberry-pi...
|
| [2] - https://www.openbsd.org/octeon.html
|
| [3] - https://openwrt.org/toh/ubiquiti/start
| lostlogin wrote:
| > replacing my USG with my existing home server
|
| I like this idea too, but would prefer that the router was
| physically separated and before any hardware that was in
| the network.
|
| Is this a pointless concern?
| posguy wrote:
| I want to fire Ubiquiti, but where can I go to get my router,
| wireless access points and switches in one management
| interface? There are plenty of poorly performing consumer
| grade options out there which hide all complexity, but they
| break in fun ways (eg: Google WiFi creating loops in the
| network when users try to do wired backhaul) and only tackle
| part of the stack.
|
| I really just want to manage an OpenWRT based network with
| one central web interface and not have to deal with
| corporate/state entities deciding to push fun changes out in
| the management interfaces that power these systems.
| bpye wrote:
| It's an interesting idea to have a single pane of glass
| management experience for OpenWRT - given that all config
| is under UCI [0] it seems very possible. One of the things
| on my todo list is to try and get Nix to push config to my
| Unifi APs when I flash them with OpenWRT.
|
| [0] - https://openwrt.org/docs/guide-user/base-system/uci
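The single-pane idea bpye sketches above, as an added example that is not code from the thread or from the OpenWrt project: a POSIX shell script that renders one `uci batch` script per access point from an inventory file and ships it over SSH, so the SSID is defined once and applied to every AP. The inventory format, the hostnames, the `DRY_RUN` switch and the assumption that each AP already has a `vlan<N>` interface in /etc/config/network (its syntax differs between OpenWrt releases, so it is not generated here) are mine; only the `wifi-iface` options and the `uci batch` / `wifi reload` invocations are OpenWrt's. Note that the pre-shared key passes through the script's arguments and stdin in the clear.

```shell
#!/bin/sh
# Added example (not from the thread): one place that renders a `uci batch`
# script per access point and ships it over SSH, so every OpenWrt AP carries
# the same SSID definition. Assumptions: the APs already have a network
# interface named vlan<N> in /etc/config/network, root SSH access works, and
# the inventory file has one "<host> <radio> <vlan>" line per AP.

render_ap_batch() {
    # render_ap_batch RADIO SSID VLAN PSK: print uci commands that create (or,
    # on a re-run, overwrite the options of) a named wifi-iface section
    # ssid<VLAN> on RADIO, attached to the network interface vlan<VLAN>.
    radio=$1; ssid=$2; vlan=$3; psk=$4
    cat <<EOF
set wireless.ssid${vlan}=wifi-iface
set wireless.ssid${vlan}.device='${radio}'
set wireless.ssid${vlan}.network='vlan${vlan}'
set wireless.ssid${vlan}.mode='ap'
set wireless.ssid${vlan}.ssid='${ssid}'
set wireless.ssid${vlan}.encryption='psk2'
set wireless.ssid${vlan}.key='${psk}'
set wireless.ssid${vlan}.isolate='1'
commit wireless
EOF
}

push_ap_batch() {
    # push_ap_batch HOST RADIO SSID VLAN PSK: feed the batch to `uci batch` on
    # the AP and reload wifi. DRY_RUN=1 prints the batch instead of sending it.
    host=$1; shift
    batch=$(render_ap_batch "$@") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$batch"
        return 0
    fi
    printf '%s\n' "$batch" | ssh "root@${host}" 'uci batch && wifi reload'
}

push_all() {
    # push_all INVENTORY SSID PSK: apply the same SSID/PSK to every listed AP,
    # using each AP's own radio name and VLAN; blank and '#' lines are skipped.
    # Returns the number of APs that failed, so 0 means a clean roll-out.
    inv=$1; ssid=$2; psk=$3; failed=0
    while read -r host radio vlan; do
        case "$host" in ''|'#'*) continue ;; esac
        push_ap_batch "$host" "$radio" "$ssid" "$vlan" "$psk" \
            || { echo "FAILED: $host" >&2; failed=$((failed + 1)); }
    done < "$inv"
    return "$failed"
}
```

Usage: `DRY_RUN=1 push_all aps.txt guest-net 'passphrase'` shows exactly what each AP would receive; drop `DRY_RUN` to apply it. Because the batch uses named sections (`wireless.ssid20`) rather than anonymous `@wifi-iface[N]` indexes, re-running it is idempotent, which is what makes the inventory the single source of truth.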
| posguy wrote:
| Take a look at https://openwisp.io/docs/ as it can
| accomplish this today.
| mopsi wrote:
| I keep seeing the requests for central management
| interface, which leave me somewhat puzzled. Why do you need
| one in a home environment? I run a small network with one big
| router and several access points, and at least with
| Mikrotik's gear, it's pretty much fire and forget. It has
| CAPsMAN[1] to centrally manage wireless networks, but I've
| found it to introduce unneeded complexity. Auto-updates[2]
| don't need any central management either. Monitoring can be
| done through SNMP[3], and there's a REST API too[4].
|
| [1] https://wiki.mikrotik.com/wiki/Manual:CAPsMAN
|
| [2] https://wiki.mikrotik.com/wiki/Manual:Upgrading_RouterO
| S#Rou...
|
| [3] https://wiki.mikrotik.com/wiki/Manual:SNMP
|
| [4] https://help.mikrotik.com/docs/display/ROS/REST+API
| posguy wrote:
| I have a good deal of experience with Mikrotik's
| offerings, and I am not looking to power networks I
| support with a patchwork of different systems that each
| have their own interface.
|
| Most of the value proposition of the Unifi lineup is I
| can look at a single website that I host and see the WiFi
| clients connected to an access point, what switch feeds
| that access point internet (and whether it's linked at
| gigabit or 100Mbps), uptime on all devices involved in
| the stack, whether the client has poor WiFi quality,
| trouble DHCPing, etc.
|
| The single pane of glass to view everything when I am
| many miles from the networks I support is essential.
| Compared to when these sites were on PFSense before
| migrating, these networks have improved uptime, rapid
| remediation of issues, and changing VLANs, SSIDs and
| labeling each client on the network is a snap.
|
| Edit: Borrowed /u/bpye's single pane of glass term
| torwayburger wrote:
| > Most of the value proposition of the Unifi lineup is I
| can look at a single website ...
|
| > The single pane of glass to view everything when I am
| many miles from the networks I support is essential
|
| It's also why we're talking about this.
| kweinber wrote:
| It seems the hackers currently in your network must value
| those same features. Very convenient.
| lostlogin wrote:
| > I keep seeing the requests for central management
| > interface, which leave me somewhat puzzled. Why do you
| > need one in a home environment?
|
| Crap wifi was a huge thing I dealt with. Unifi fixed that
| completely. The ability to run a relatively complex
| network (by home network standards) with multi access
| points is nice, but the ability to administer them
| without CLI interface is great. I loved my edge router
| but touched it with trepidation. It was rock solid except
| when I was sucking with it. Unifi suits/suited the
| enthusiastic amateur.
|
| > I run a small network with one big router and several
| access points, and at least with Mikrotik's gear, it's
| pretty much fire and forget.
|
| Unifi used to be too, with an interface that was a bit
| difficult to navigate (settings spread among about 20
| tabs, but it was possible to get the job done without
| sshing to components).
|
| Now it's flakey. I just rebuilt mine last week which was
| working fine but I couldn't log in and the UDM-P screen
| said it required resetting. Dark times.
| [deleted]
| vmception wrote:
| yeah this is just as good as just saying it "has the hallmarks
| of a state-level attack", pointing at Russia and calling it a
| day
|
| everyone believes it
| harry8 wrote:
| That may have worn thin, nowadays. The average response here
| would have been described as cynical in the past. The
| Russia/China scapegoat had been way overused to the point
| where I'm cynical every time it comes up probably even where
| it's actually true, one time in a hundred or whatever.
|
| Nobody blames the NSA in these circumstances, ever.
| tpmx wrote:
| By now we'll have to ask: Is it realistic to expect hardware-
| oriented companies to build secure software?
|
| (Yes, Apple exists.)
| ryandrake wrote:
| Most hardware companies don't care in the slightest about
| software quality. To them, software is just another line item
| on the Bill Of Materials, like a bolt or piece of sheet metal.
| You either have some overworked intern who knows C cobble
| something together that barely works or you buy it from the
| least expensive supplier. When the build is ramping, at the end
| of the assembly line somebody is going to flash _something_ on
| the device, and they are not going to stop the line to worry
| about a security hole.
| [deleted]
| d-funct wrote:
| What no one seems to be really discussing is how paranoid should
| people be around this breach?
|
| Is it a case of you probably want to rebuild machines that have
| default usernames/passwords? Or is it more whatever can be seen
| in the Ubiquiti UI might have been accessed by third parties?
| rovr138 wrote:
| > Is it a case of you probably want to rebuild machines that
| have default usernames/passwords?
|
| I mean, regardless, most probably, the answer to this is yes.
| vr46 wrote:
| So this week, I have gone from having a single little USG and a
| massive order planned for loads of kit to stopping them
| automatically updating the firmware and dropping that order.
| Extremely annoying, but not as annoying as if this had happened
| in a couple of weeks.
| kbumsik wrote:
| I was about to buy Ubiquiti products and it is disappointing.
|
| Are there good alternatives other than DIYs like PfSense/BSD?
___________________________________________________________________
(page generated 2021-04-04 23:00 UTC)