[HN Gopher] Final thoughts on Ubiquiti
___________________________________________________________________
Final thoughts on Ubiquiti
Author : todsacerdoti
Score : 443 points
Date : 2022-08-31 15:21 UTC (7 hours ago)
(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)
| user3939382 wrote:
| Ubiquiti is so worried about suing Krebs meanwhile their brand
| reputation has turned to mud due to the quality of their
| products, both from my own experience and the general consensus
| I've heard online. If this incident had never occurred I still
| would have stopped recommending and using their equipment.
| InTheArena wrote:
| Give it a try again. I have a ton of equipment, and it's just
| working well for me now. I think the consensus among Ubiquiti
| users has shifted considerably over the last year.
| oaiey wrote:
| True. The new UI finally got better ... and that was what
| everyone was complaining about ;). And let us be honest, the
| UI matters with Unifi.
| xxpor wrote:
| The problem from my end though is, who really competes with
| them? No one else offers the same level of control at the same
| (or even close) price point.
| OJFord wrote:
| Nobody competes with them as 'Apple for networking', but
| MikroTik is if anything a bit cheaper and _better_ on the
| actual specs etc. - just without the snazzy UI and easy GUI
| (highly-G) config.
|
| There's probably a lot of people who'd love Ubiquiti gear
| ('gadget nerds', Linus Tech Tips viewers, gamers, etc.) to
| whom I wouldn't recommend MikroTik, but to anyone who's..
| idk, heard of iptables, I would.
|
| All the gamer-marketed WAP/routers with a million antennae
| are somewhat competitors in the former category too I
| suppose.
| fossuser wrote:
| > "just without the snazzy UI and easy GUI"
|
| That UI is really fucking good imo, and good UX around this
| stuff is massively undervalued.
|
| Apple took over the world for a reason. As far as I know
| nobody comes close to Ubiquiti in this space.
| hot_gril wrote:
| > Nobody competes with them as 'Apple for networking'
|
| Apple used to ;_; I was still using my Airport Expresses
| until they gave out. Didn't care if they didn't have the
| latest wifi standards, they were way easier to manage than
| Ubiquiti or anything else.
| mikestew wrote:
| As a hard-core Apple Airport user for a long time, the
| Apple stuff was great until it wasn't. For example,
| wanting to put the Xbox in the DMZ. You _can_ do that on
| the Airports, but it's not called "DMZ" (IIRC) and it's
| not at all obvious. Whereas Ubiquiti is like the
| industrial version of an Airport or something, because if
| you _do_ want to put devices in a DMZ or on a VLAN, you
| can do it and without a lot of effort. Of course,
| Ubiquiti's stuff has limitations, so the next stop
| is...MikroTik? Cisco?
|
| But, yeah, if Apple had kept the Airports going, I'd have
| had little reason to look elsewhere, and would probably
| still use them.
| hot_gril wrote:
| I've seen the term "default host" on other routers too,
| so it's fair enough. AirPort settings were pretty full-
| featured for a consumer device, just lacked advanced
| routing stuff that I'd not use in a home anyway.
|
| It started falling apart when they made the new AirPort
| Utility, which hid some settings. I had to go install the
| old version.
| dotBen wrote:
| The founder of Ubiquiti used to be a radio engineer on
| the AirPort product at Apple. Part of the reason he left
| was because the line became devalued in Apple's product
| lineup and would ultimately be shelved.
| hot_gril wrote:
| Interesting, I didn't know that. Apple lost a great
| engineer!
| InTheArena wrote:
| If you have heard of IPTables, go grab OPNSense.
|
| Mikrotik makes sense when you really really really care
| about having the cheapest possible 10g switch.
|
| AFAIK, there is nothing that competes apples to apples with
| the UDM in terms of an entry-level managed switch / router /
| WAP offering (or the UDR, which does UDM + Telephony or
| distributed global management)
| msh wrote:
| Mikrotik is in the same price range but not as polished.
| Arainach wrote:
| "Not as polished" is an incredibly generous term. Unless
| something has radically changed, Mikrotik basically
| requires remoting in with a command line and understanding
| all the implementation details. It's like trying to run a
| FreeBSD box as a router. Ubiquiti's tooling for common
| workflows is _generations_ ahead, not a coat of polish.
| kllrnohj wrote:
| I have one Mikrotik switch and it's the only device on my
| network that just randomly decides it doesn't want to do
| DHCP renewal and falls back to some random static IP
| until a power cycle.
|
| Since it's a switch that I rarely touch it's not a big
| deal, but "not polished" is putting it mildly for sure.
|
| Price & performance is still solid if you just treat it
| as a VLAN-aware "dumb" switch, though.
| ikiris wrote:
| Yeah, Mikrotik config is like trying to learn Gregorian
| incantation spells and you have to be in the right 3rd
| harmonics.
| tonyarkles wrote:
| I felt the same way and still kind of do, but I was
| really impressed the other day. My rural neighbour and I
| decided to share an Internet connection and I set a
| Mikrotik WAP in "CPE" mode (basically what you'd use if
| you were connecting to a WISP) and it was incredibly
| smooth to get going. WiFi radio in the WAP connects to my
| network, Ethernet coming out of it goes to his home
| network.
|
| They're incredibly powerful devices no doubt and I have
| ended up in configuration hell before, but they've
| definitely gotten better at some of the more common (and
| less common) workflows.
| bombcar wrote:
| Once you realize that Mikrotik is _NOT_ a small business
| router company but started as a WISP supply company for
| Eastern Europe it becomes much more clear.
|
| They've greatly enhanced the web interface in recent
| updates, but you still will probably need to find a
| recipe for what you want to do, but it can do it.
| MartinCron wrote:
| I'm using the TP-Link Omada access points and router along
| with the software controller and it's pretty great.
| kevinmgranger wrote:
| I've heard good things about MikroTik?
| InTheArena wrote:
| Better routing functionality (at least until the last bits
| of load balancing and policy based routing land), but
| MikroTik is hard to manage for anything but the simplest
| use cases. Plus you don't get the single pane of glass
| management across your WIFI / Switch / Routing ecosystem.
| In fact, you have to change the operating system you use on
| the switch depending on which features you want w/
| Mikrotik.
|
| Aruba and TP-Link Omada did huge marketing pushes to take
| advantage when Ubiquiti got hit with this crap. Every
| person I have talked to that switched from Unifi gear to
| Aruba Instant-On has moved back off of it over the last
| year. There is some selection bias there, but you can see
| the same thing in the youtube tech blogger(s) as well. That
| said, I think if you are not going Unifi for WIFI, your
| best bet is either CISCO or alternatively go mesh.
|
| If you want to go down the more powerful path for routing I
| strongly suggest OPNSense / PFSense.
| beermonster wrote:
| No one. Sadly!
| beams_of_light wrote:
| The old adage "you get what you pay for" applies here. Yeah,
| it's cheaper than buying Meraki, Aruba, Fortinet, etc, but
| the IDS/IPS on their Dream Machine is awful, logging is
| awful, reliability of anything but wireless gear is awful,
| Protect storage equipment is awful...
| InTheArena wrote:
| This is just getting silly.
|
| They use Suricata for the IDS/IPS. I have a UDMP, and I
| route 2.5GB a second across two load balanced connections
| (fiber and cable) on full IDS/IPS with no problems. I have
| logging going to Graylog without any issues, but am looking
| to move to Loki. I have a UDMP, with a single 8TB disk for
| my camera, but you can grab a UNVR if you need more
| storage. If you need two, grab two UNVRs to cover a whole
| site. They pair now. And if you are a prosumer instead of a
| homelab / business site grab a UDR, with a fast flash
| disk. You can pair that into Homekit secure with Homebridge
| (or even better, Scrypted).
|
| I have 5 Unifi 6 devices - zero problems with them in well
| over a year at this point. I get 800mb/s from any location
| on-site.
| vel0city wrote:
| I don't really want to pay for support contracts which cost
| more than the upfront cost of the hardware after a couple
| of years to continue to receive software updates for my
| prosumer level home networking deployments. Does Meraki and
| Aruba provide free updates?
| corndoge wrote:
| MikroTik
| treesknees wrote:
| Is that so true? I've seen that as they've become more popular,
| some of the rougher edges and complaints come out. Personally
| I've had no reliability/quality problems with my Ubiquiti
| equipment. But I do know several people who have moved away
| from their gear due to the breach and fallout from these Krebs
| articles.
| Covzire wrote:
| Personally I think Ubiquiti fared better than Krebs did in the
| reputation department. They were both victims in their way but
| Krebs should have retracted several months ago.
| bikezen wrote:
| Reads like a lawyer wrote this for him, and is still _way_ too
| late. It was pretty clear early on that his source was a bad
| actor.
|
| Even if he actually wrote this post himself, it feels like it's a
| result of the ubnt defamation suit against him.
| CaliforniaKarl wrote:
| Sitting on the bus, I've already changed my mind about the
| decision to take down the articles, instead of posting a
| retraction notice. At first I thought Mr. Krebs was being scummy
| by pulling the posts.
|
| The Ars Technica article linked by u/riffic mentions that there
| was an earlier, denied takedown request. So, now I think the
| posts were likely taken down as part of a settlement.
|
| We'll probably never know--I expect an NDA to be part of the
| terms--but I wonder if, from Ubiquiti's side, it might have been
| better to leave the posts up, but with a retraction notice.
| obblekk wrote:
| Before people jump on this with super negativity... mistakes
| happen.
|
| What is Krebs' false positive rate? I think low enough that a
| simple, clear explanation of why it happened is sufficient.
|
| There's no weasel words or evasion here - he owns up to the
| error, apologizes to affected parties, and retracts all original
| posts.
|
| It's true that his reporting probably caused stress for Ubiquiti.
| I'm curious what people think is a fair system to compensate for
| that, without wiping out independent, generally high accuracy
| reporters like Krebs
| de6u99er wrote:
| Yeah, but publishing information as quickly as possible to surf
| on the first big clicks-wave can cost people their jobs.
| Because it can result in someone deciding to go with another
| company.
|
| A friend who is looking for an easier to manage network for his
| wife's doctor's office let me know that there's reports about
| security issues after I recommended to him to evaluate if
| Ubiquiti could be a good option. Not sure what exactly he was
| referring to. Nevertheless, I sent him now the link to this
| article.
| phoboslab wrote:
| > What is Krebs' false positive rate?
|
| You only ever hear about it when he gets high profile cases
| wrong.
|
| When my project was targeted by him, he ended up going down
| some conspiracy rabbit hole and doxed all the wrong people.
| This forced me to issue a correction - mission accomplished, I
| guess.
|
| During his "investigation" he accidentally sent an email that
| was meant for his business partner to some of my friends. It
| offered a glimpse into his sensationalist mindset. I don't have
| much respect for that guy.
| washadjeffmad wrote:
| Well, we don't know. How many times has he been either the
| willing accomplice or unwitting patsy in stock manipulation or
| corporate sabotage? Does he even know?
| curiousgal wrote:
| He has a history of doxxing people who have nothing to do with
| his pieces so yeah excuse my negativity.
| GordonS wrote:
| IIRC, he never even apologised for it - just straight up said
| _nothing_ , like he was pretending it never happened. I
| haven't followed Krebs' articles since then, he totally lost
| my trust.
| PragmaticPulp wrote:
| > What is Krebs' false positive rate?
|
| What's more important is how those false positives are handled.
|
| In this case, it feels like it was swept under the rug and he
| avoided addressing for as long as possible. If he had simply
| addressed the problem head-on as the news came out and the FBI
| information became public, it would have been a different
| story.
|
| The way he rushed to report accusations from an anonymous
| source (who was actually the perpetrator) felt asymmetric
| relative to the minimal reporting on the extortion scandal and
| ensuing FBI investigation. IMO, the story about someone
| extorting their employer and then abusing security reporters as
| leverage was more interesting than the original story. Yet
| Krebs did very little reporting on the latter, likely because
| he knew he was central to making it all happen in the first
| place.
| dewey wrote:
| > What's more important is how those false positives are
| handled.
|
| Is it really though? If there's a company that has to defend
| / apologize often (Facebook/Meta maybe) I'd be way more
| critical of their apology than if one guy who didn't have a
| case like that before apologizing a bit too late for some
| people or not in the way they wish he would. There's also a
| lot of information we don't know yet, we don't know what
| happened behind the scenes and when he was provided with the
| final verdict and facts.
| rovr138 wrote:
| > If he had simply addressed the problem head-on as the news
| came out and the FBI information became public, it would have
| been a different story.
|
| Isn't that what caused the issue in the first place? He
| talked before all the info was out and he could verify all of
| it.
| thesausageking wrote:
| Ubiquiti lost $4B in market cap based on this one, poorly
| sourced post Krebs wrote. He then waited 9 months after he knew
| it was lies to correct and only does it in the most muted,
| begrudging way possible. This is completely unethical behavior
| for a writer.
| ganoushoreilly wrote:
| I don't think it's fair to attribute their losses directly to
| Krebs. While this instance is in their favor, Ubiquiti have
| been doing plenty on their own to alienate their client base.
| Half-baked software updates, pushing products in new
| verticals without delivering on existing products. It's clear
| that there are still issues within Ubiquiti that aren't
| washed away by this "breach". They're attempting to be
| enterprise and barely delivering in the Prosumer market.
| thesausageking wrote:
| It went down by $4B the day after he published his post. A
| one day drop isn't about their products or how they treat
| their customers.
| BLO716 wrote:
| A bit of extreme ownership in the same vein as Jocko Willink is
| inspirational. It's not a reward or ego contest, when you have to
| open up and be humble about leadership and admission as such -
| so, critics will be on both sides of the judgement and the
| reporting.
|
| I myself believe in being humble and honest to a fault, so I'm
| more sympathetic in this case.
|
| Either way, strive to be better and hey .. humanity is a b*tch
| sometimes.
| legitster wrote:
| "A lie gets halfway around the world before truth puts on its
| boots."
|
| Another good reminder to take whistleblower claims with a grain
| of salt. Even someone as professional as Krebs still wants to get
| the scoop.
|
| I still don't understand why it took Krebs so long or why he
| insisted on trusting his insider so much without any
| corroborating evidence.
| hot_gril wrote:
| Reminds me of the Bloomberg SuperMicro article with a single
| anonymous source alleging that several big companies were
| compromised, which they deny. Funniest part is how Bloomberg
| itself _also_ claims it wasn't compromised:
|
| > Bloomberg LP has been a Supermicro customer. According to a
| Bloomberg LP spokesperson, the company has found no evidence to
| suggest that it has been affected by the hardware issues raised
| in the article.
| happyopossum wrote:
| Biggest difference - Bloomberg _still_ hasn't retracted that
| garbage story...
| hot_gril wrote:
| Yeah, that's why I'm reminded. Is the moral of the story that
| reputable, medium-sized reporters without huge legal
| resources are more trustworthy than something like Bloomberg?
| bombcar wrote:
| Or Bloomberg is better at walking the fine line and never
| actually stating anything actionable.
| NelsonMinar wrote:
| It's great that he retracted his story but the way he did it
| isn't so great. In particular he's removed his older incorrect
| stories and replaced them with a redirect to the retraction.
| Thankfully the Wayback Machine has archives
|
| https://web.archive.org/web/20220223015405/https://krebsonse...
|
| https://web.archive.org/web/20220711220855/https://krebsonse...
| cptskippy wrote:
| What would have been a better way to handle it? From personal
| experience, I've overlooked header/footer retractions on
| material before and referenced things only to have the
| retraction point out to me later.
|
| Complete removal of the article isn't ideal, and it's less
| error prone.
|
| I appreciate that the old articles aren't 404'd, they redirect
| to the retraction so any other sites linking continue to work.
| hot_gril wrote:
| Eh, this is what web archives are for. Krebs doesn't want to
| show wrong info, and he may even be legally obligated not to.
| filmgirlcw wrote:
| Speaking from experience with these things (although in my
| case, the articles we were forced to remove were absolutely and
| completely 100% accurate -- but the company that acquired us
| wanted to settle all outstanding lawsuits and ended up caving
| so that the transaction could close), this might have been
| terms of the settlement or whatever it was he came to with
| Ubiquiti.
|
| In our case, because our articles were, in fact, factual, we
| were able to reiterate and even quote, as part of the legal
| filings, aspects of the original reporting as part of a story
| that was in response to the removals themselves, but the
| content at those original URLs was replaced with a notice that
| the articles had been removed because of litigation with our
| former parent company.
|
| The fact that he didn't (or hasn't) scrubbed the stories
| themselves from the Internet Archive is a good sign (I think we
| had to remove our stories from the Internet Archive, though I
| do know that individuals did make archives other ways).
|
| I'm pretty opposed to suing journalists for the act of doing
| journalism and even though I'm a big fan of Ubiquiti products,
| I still don't love this sort of tactic. That said, it does seem
| clear that these stories were not correct and at the very
| least, flawed because of the single-source who was not a
| reliable narrator (and admitted to lying to the press), so in
| an ideal world, these stories would have been retracted anyway.
| nibbleshifter wrote:
| > and I have decided to remove those articles from my website.
|
| Updating them with a link to this for context would have been the
| better move.
| nottorp wrote:
| Ok, no security breach. Can I set up a new Ubiquiti device without
| registering with them _at all_ now?
|
| Been told that you can delete the cloud registration after the
| set up, but that's still unacceptable.
| InTheArena wrote:
| yes.
|
| You do not need any cloud login at this point.
| nottorp wrote:
| They saw the light :)
|
| I have an older device (first in 5 GHz I think) and I was
| beginning to think I should upgrade it to <whatever the
| latest Wi-Fi standard is>.
| nottorp wrote:
| Hmm I just redownloaded the 'unifi network' thingy.
|
| For one I had to go through a screen of threats telling me
| I shouldn't use a local application that only reminds me of
| the threats you have to go through when downloading the
| LGPL version of Qt.
|
| For two, the app is incomprehensible, it wanted me to
| create a "local administrator account" after I opted out of
| an online account and then it didn't find my old unifi ap
| that is working just fine thank you.
|
| So nope. Still unacceptable, sorry.
|
| Note: I still have an old version of their admin app on an
| old computer and that one just finds the AP and lets me
| configure it. So if they could do it 10 years ago they
| could do it now too, should they wish to.
|
| Note 2: Why do they want my email even for a "local
| administrator" account?
|
| Note 3: If I click through all the crap it does find my
| UAP-AC but it says "managed by another console"? With no
| way of taking control of it. What the... I haven't started
| the old management app in years.
|
| Looks like besides threatening their customers they have
| gone enterprise.
| system2 wrote:
| Is there another brand to use other than UI for small businesses?
| Unifi makes it really easy to manage things and very affordable.
| hartAtWork wrote:
| I think this was absolutely warranted. Ubiquiti's stance as a
| reliable and secure networking company was damaged in my mind.
| Krebs absolutely did damage to their reputation.
| wnevets wrote:
| On a related note the number of negative Ubiquiti comments on HN
| appears to have fallen since this person was outed.
| PragmaticPulp wrote:
| > As a result of the new information that has been provided to
| me, I no longer have faith in the veracity of my source or the
| information he provided to me. I always endeavor to ensure that
| my articles are properly sourced and factual.
|
| This is a strange statement given how the details of the FBI
| investigation have been public for a very long time.
|
| Krebs was fast to report on the initial accusations, but seems to
| have waited as long as possible to write about the revelations
| that his source was actually the perpetrator.
|
| > This time, I missed the mark and, as a result, I would like to
| extend my sincerest apologies to Ubiquiti, and I have decided to
| remove those articles from my website.
|
| Given that Krebs is a reporter who has historically built a
| reputation on exposing things and bringing information to light,
| the brevity and vagueness of this article feels much more like a
| compromise to settle a lawsuit than typical reporting.
| oaiey wrote:
| Maybe part of an informal settlement ;)
| blitzar wrote:
| The lawsuit was close to being settled ... my _guess_ is this
| is part of the formal settlement.
| bombcar wrote:
| This is a failure across many journalists; the inability to
| view what they're involved with objectively. The amount of
| scrutiny applied to a source is inversely proportional with how
| much I want to believe the source.
| tcgv wrote:
| > The amount of scrutiny applied to a source is inversely
| proportional with how much I want to believe the source
|
| Aka "confirmation bias"
| IncRnd wrote:
| > This is a failure across many journalists
|
| Only one journalist was involved here. I think you meant
| "failing of many journalists" not "failure across many".
|
| > The amount of scrutiny applied to a source is inversely
| proportional with how much I want to believe the source.
|
| Why do you disbelieve a source that has been greatly
| scrutinized? Did you mean "directly proportional"?
| andrewaylett wrote:
| The sense I read from the GP is that if I want to believe
| the source, I'm less likely to apply strict scrutiny to
| what they tell me. The more I want to believe, the less
| I'll dig into what I'm hearing. Some things are just too
| good to _not_ believe.
| bombcar wrote:
| Exactly. Krebs did it himself (doubling down on his
| "source" even as evidence began to come to light that the
| source was not clean) and we as commentators do also (the
| original posts are filled with "the software sucks
| because of X, Y, and Z so this is obviously true").
| Operyl wrote:
| Jeez, I was certain at this point he would never retract his
| articles. I feel like it's too little too late, imo, though.
| cronofdoom wrote:
| Funny, I was feeling the exact opposite. They could have just
| taken down the articles and issued no statement. It is hard to
| publicly admit that you're wrong and it's good to see they took
| that step.
| [deleted]
| blitzar wrote:
| > They could have just taken down the articles and issued no
| statement.
|
| There are people that came bottom of their class and barely
| qualified yesterday to practice law who easily would have
| been able to make this not an option.
| selectodude wrote:
| I imagine a public retraction was part of a settlement with
| Ubiquiti.
| duped wrote:
| This is why "sole sources" and publications based on them can't
| be trusted
| chriscjcj wrote:
| Journalists will sometimes go to great lengths to get a scoop and
| to make a name for themselves. This passionate desire to "break
| the story" makes many journalists vulnerable. They become easy marks
| for bad actors who can gain by manipulating them.
|
| There are many examples of this occurring.
|
| Sometimes the manipulation is just designed to make the
| journalist(s) look stupid as in KTVU's scoop on the names of the
| Asiana Airlines pilots responsible for the deadly crash at SFO:
| https://www.youtube.com/watch?v=L1JYHNX8pdo
|
| Sometimes it's more serious as in the case of Matthew Keys, who
| went to prison. I suspect he thought he was chasing a story but
| was too naive to realize he was being played.
| https://www.wired.com/2016/04/journalist-matthew-keys-senten...
|
| Dan Rather's desire to take down former president George W. Bush
| for all intents and purposes ended his own career by not vetting
| documents provided to him by a source. His producer Mary Mapes
| was forced to resign as well.
| https://en.wikipedia.org/wiki/George_W._Bush_military_servic...
|
| I think we can all learn from these people's mistakes. Our own
| desires for a particular outcome or to have our personal beliefs
| confirmed can make us vulnerable to people who might have an
| incentive to manipulate us. For this reason, it's probably wise
| to employ a healthy level of skepticism when consuming "news"
| regardless of how trustworthy we believe the source to be.
| alexk307 wrote:
| Wow, I wonder how much they were suing him for. Probably tons of
| money in damages from his report
| [deleted]
| ryneandal wrote:
| > Ubiquiti is asking for $425,000 in damages.
|
| - https://arstechnica.com/tech-policy/2022/03/ubiquiti-sues-
| jo...
| borski wrote:
| From [1], it would appear to be only $425k.
|
| [1] https://arstechnica.com/tech-policy/2022/03/ubiquiti-sues-
| jo...
| incomingpain wrote:
| Ubiquiti got krebbed:
| https://www.urbandictionary.com/define.php?term=krebbed
| ocdtrekkie wrote:
| If there's one thing I really hope people take away from this
| entire story is not to use security researchers' statements in
| constant appeals to authority. I hear so many questionable-to-bad
| takes on cyber security that basically amount to Bruce Schneier,
| Brian Krebs, or Troy Hunt said so, so you're _absolutely wrong_
| if you don't obey them.
|
| It's really important to remember security researchers and
| experts convey what they feel is the most accurate or best advice
| or information they have at the time, and it may very well turn
| out to be completely wrong or misguided later. The fact that
| these individuals are _popular_ does not mean they are an
| _authority_ on anything.
| Melatonic wrote:
| I agree - and while I certainly trust the people you listed
| quite a bit it is important to not elevate anyone to cult
| status or revered leader type stuff. I think we can trust that
| they have more authority than most but that does not make them
| the authority.
| johncalvinyoung wrote:
| Of that list, I'll listen to Schneier or Hunt way before
| Krebs.
|
| And that was before this story.
| riffic wrote:
| this reads like he got out-lawyered here.
|
| context for the unaware:
|
| https://arstechnica.com/tech-policy/2022/03/ubiquiti-sues-jo...
| nerdponx wrote:
| Do I understand this correctly?
|
| There was a minor data breach at Ubiquiti. An employee named
| Sharp was using this as an opportunity to extort his employer
| and exfiltrate data. Sharp was telling Krebs some yarn about
| the data breach being bigger than reported, which Krebs then
| repeated on his blog, accusing Ubiquiti of covering up a more
| significant breach. And Ubiquiti is claiming that Krebs knew
| the truth all along.
|
| This sounds like a weird and complicated story, so I feel like
| I'm probably misunderstanding.
| mzs wrote:
| That's pretty much it, yes:
|
| https://www.justice.gov/usao-sdny/pr/former-employee-
| technol...
|
| https://www.cyber.nj.gov/public-data-breaches/ubiquiti
| InTheArena wrote:
| Sharp did the breach and then extorted Ubiquiti. Ubiquiti got
| the FBI involved and declined to pay off Sharp. Sharp
| followed through on his threat and disclosed everything to
| Krebs, who wrote an article about it. The FBI and Ubiquiti
| were on to Sharp, but since Sharp was Krebs' only source,
| Krebs doubled down on the allegation with a series of
| articles, and then never retracted it (until now)
| mardifoufs wrote:
| I wonder what has changed? The original thread discussing the
| lawsuit was filled with super dismissive comments, arguing that
| Ubiquiti lawyers were incompetent and had no actual way to win
| the case. Some of the commenters were supposedly actual lawyers
| too, so it's not even just the normal "terrible armchair law
| advice" we are used to from HN.
| james_in_the_uk wrote:
| Perhaps Krebs has chosen to move on with his life. Defending
| litigation is often expensive, distracting and stressful,
| even if you think you have a strong case. The law isn't
| necessarily always as pugilistic as Hollywood might lead you
| to believe. Perfectly fine to think you are right, say you
| were wrong, settle the case and move on. Of course, we have
| no way to know what Krebs really thinks or what actually went
| on behind closed doors here. We should take the written
| statement at face value, exactly as written. No more no less.
| encryptluks2 wrote:
| Everyone loves to play the armchair lawyer. Bias quickly
| fuels whatever side of a case you're on. However discovery
| and a few court conferences can quickly put things into
| perspective. Almost everyone's lawyers start off with some
| encouraging words but eventually they are telling you to
| settle for X and it is clear that they wouldn't have got paid
| if they told you that you had a losing case from the get go.
| duxup wrote:
| Out lawyered, because he was wrong?
| bombcar wrote:
| A good journalist knows how to verify sources and check
| before writing.
|
| A great journalist finds great sources that are
| unimpeachable.
|
| But a _wealthy_ journalist knows how to write articles from
| horrible or no sources at all that are not technical
| defamation.
| kspacewalk2 wrote:
| Out-lawyered by life and facts.
| mewse-hn wrote:
| Next story will probably be that the suit was settled out-of-
| court :P
| balentio wrote:
| You guys are thinking about this in a very cloudy kind of way.
| Assuming that Ubiquiti was being blackmailed, they have a
| security problem in who they hire (Who held user data for
| ransom). Assuming they were not being blackmailed, but had a
| security hole in their software, Ubiquiti has a security problem.
|
| Krebs reporting comes from a potential conflict of interest in
| that the person who might have been trying to blackmail was also
| the source. Defamation is not really the issue then because the
| source was pointing at a security problem which they happened to
| also be the cause of. The entity that hired this person
| was...Ubiquiti! Hence, it is not really defamation AS SUCH.
| Rather, if anything, it was true but maybe blown out of
| proportion to get a larger sum of money from Ubiquiti. We don't
| know how much info the person got their hands on, because
| Ubiquiti would be to blame for that, wouldn't they?
|
| So, ultimately I think taking down the articles is a mistake in
| the sense that they reported on a problem either way with
| Ubiquiti and security. Take off the ad revenue from those
| articles, and issue a modified retraction on the conflicted
| interest the source held as a correction. Use it as a cautionary
| tale on "Sensationalism" and "not always knowing what the hell
| someone is doing when they report a leak" and move on.
| InTheArena wrote:
| Kreb's article specifically alleged malfeasance on Ubiquiti's
| part - that they were deliberately covering up a huge data
| breach.
|
| This turned out to be untrue on three levels: 1) There was no
| cover-up. Ubiquiti disclosed the attack, and was working with
| the FBI, working to identify what had happened, and in fact
| were already onto Sharp as an insider attack. 2) There was no
| large scale data breach. 3) The claim that there was a huge
| cover up was part of an extortion scheme, that Krebs was
| (unwittingly) assisting in.
|
| Yes, this is a standard insider attack - and Ubiquiti's security
| needed to be significantly better - but it doesn't change the
| fact that Brian Krebs reported false information - including
| information that he should have been in a position to know was
| untrue at the very least in the second article, if not the
| first.
|
| Ironically enough, the person at Ubiquiti that introduced the
| wider GITHUB access to production secrets and new policies that
| allowed Nick Sharp to get production access was - according to
| former Ubiquiti employees - Nick Sharp.
|
| Who watches the watchers?
| balentio wrote:
| >> 2) There was no large scale data breach
|
| Says who? The FBI? Says Ubiquiti? I bet BOTH of those places
| have a reason to say that, and it is green and smells of dead
| presidents.
| InTheArena wrote:
| Get caught in a lie in front of a jury for a white-collar
| criminal prosecution with any sort of competent lawyer, and
| you never regain credibility. Regardless, the other points
| still stand.
|
| It's incredibly hard to defend yourself if your head of
| security decides to extort you. They are the ones that
| design the protections to keep insider attacks from
| working. Luckily for Ubiquiti - the attacker screwed up his
| network configuration (VPN leak failure) which is also
| somewhat ironic.
| balentio wrote:
| >> Get caught in a lie in front of a jury for a white-
| collar criminal prosecution with any sort of competent
| lawyer, and you never regain credibility.
|
| Which is great for mega corporations who are always
| innocent of any robber-baroning or impulse to make
| security a secondary consideration to profit.
|
| >>Regardless, the other points still stand.
|
| On feeble legs.
|
| >>It's incredibly hard to defend yourself if your head of
| security decides to extort you. They are the ones that
| design the protections to keep insider attacks from
| working. Luckily for Ubiquiti - the attacker screwed up
| his network configuration (VPN leak failure) which is
| also somewhat ironic.
|
| I tend to think if you have that problem, you are
| probably hiring people that are much like your company.
| To put it differently, a known liar telling a story
| doesn't automatically make it a lie. I suspect we will
| soon be seeing later how much Ubiquiti cares about its
| customer base. When that time happens, I will return to
| this post and ask you some follow up questions.
| InTheArena wrote:
| Sounds good. I would not double down on Krebs right now.
| Or on the tinfoil theory that the FBI and Ubiquiti are
| lying about this.
| de6u99er wrote:
| Did he just delete the previous articles?
|
| IMO he should have linked to them from this post, and updated
| them with a big fat impossible to miss disclaimer on the top of
| the article because some other sites might still link to them and
| use quotes which are not accurate any more.
| fossuser wrote:
| The HN comments here at the time weren't great either:
| https://news.ycombinator.com/item?id=30850983
|
| Despite it being clear that Krebs was wrong on this issue for
| some time, it showed the extent of his influence and the
| attacker's success in leveraging it to manipulate the public
| (including HN users).
|
| Hopefully his retraction at least helps with that.
| JacobThreeThree wrote:
| I guess the Krebs naysayers were right?
|
| The wording of this apology makes it pretty clear in my opinion
| that he's reacting to Ubiquiti lawyers.
| physhster wrote:
| I trust Krebs so I tossed every piece of my Ubiquiti gear I owned
| as a result. Ended up with a lesser solution since there isn't a
| good alternative on the market that would do for me everything
| Ubiquiti did.
| acoard wrote:
| An accurate but pretty lacklustre "mea culpa" and retraction. I
| don't mind people making mistakes, everyone does, but seeing how
| Krebs has handled this whole episode has not inspired optimism in
| how he'll handle future mistakes.
|
| He was essentially used as an unwitting party in a cyber
| blackmail scheme, and he doesn't touch on that at all. There will
| continue to be nefarious parties trying to misuse his reputation,
| so long as he remains a popular cyber researcher. I wish he would
| show consciousness of that rather than simply saying "I was
| wrong."
| jpgvm wrote:
| I read this as a post probably vetted by his legal team and
| probably not issued earlier because of the ongoing legal action
| (and then probably subsequent negotiations with Ubiquiti).
|
| He absolutely fucked up here but he probably can't say so and
| likely wasn't able to retract sooner lest he open himself up to
| legal culpability for his part in the blackmail scheme
| (unwitting or not).
|
| Unfortunately this is just how the world works. I hope he has
| learnt his lesson and will be more thorough in his vetting of
| his sources and how his reputation can be misappropriated by
| malicious actors to do very serious harm.
| pdntspa wrote:
| Given that the target he "hurt" is a massive company that can
| absorb losses, I think this retraction is quite enough.
| bombcar wrote:
| He also "hurt" his readers and those who had trust in him,
| damaging his own reputation.
| blantonl wrote:
| This is about as straightforward as a "I screwed up, I own it,
| I apologize"
|
| Everyone makes mistakes. Some of the good work Krebs has done
| seems to be completely overshadowed by a mistake here.
|
| Granted, this is probably in response to some legal action
| either in progress or already settled, but what more do you
| want from the guy?
| fnordpiglet wrote:
| If I were ubiquiti management or shareholder I would want a
| pound of flesh, and I expect their lawyers will be pursuing
| that.
| sxates wrote:
| They are:
| https://www.courtlistener.com/docket/63197557/ubiquiti-inc-v...
| stickfigure wrote:
| > what more do you want from the guy?
|
| He's a guy who writes about hacks. He got "hacked". At the
| very least I am curious to know more of the story.
| encryptluks2 wrote:
| If you can call it that. Seems more like a convenient
| excuse.
| tunap wrote:
| He was duped by a con man. Everyone is susceptible to SE,
| even smart guys like Brian. A case can be made that it is
| the most difficult challenge/vector in cyber security.
|
| https://en.wikipedia.org/wiki/Social_engineering_(security)
| encryptluks2 wrote:
| Seems more like he was willfully played and that Ubiquiti
| lawyers can show negligence on his part which would not
| be a good look for a security researcher.
| kspacewalk2 wrote:
| > This is about as straightforward as a "I screwed up, I own
| it, I apologize"
|
| "A source provided info. Source is now discredited. I thus no
| longer trust the info." That's the gist of the apology. But
| that's neither here nor there, it does not show understanding
| of the fact that his reputation was deliberately used for
| criminal purposes.
| InTheArena wrote:
| "This time, I missed the mark and, as a result, I would
| like to extend my sincerest apologies to Ubiquiti, and I
| have decided to remove those articles from my website."
|
| I think that's reasonable.
| atyppo wrote:
| That seems like a statement not written by a lawyer. It's
| possible he's concerned about legal ramifications
| flutas wrote:
| He is being sued by them for $425,000 in damages. Last
| update on the court case was a request for an extension
| due to them trying to finalize a settlement, I suspect
| this was part of that settlement.
| InTheArena wrote:
| I would be too. Millions of dollars were lost because he
| was an unwitting accomplice to an extortion scheme.
|
| But lowering the bar to say "I'm sorry" when someone is
| obv incorrect is still a good thing.
| initplus wrote:
| Brian is a journalist more than he is a security researcher,
| anything he publishes as a journalist should be held to a
| higher standard than a random person just speaking
| their mind. He had ample opportunity to get out ahead and
| issue a retraction of the story when it was known to be
| false, well before the Ubiquiti lawsuit.
| ineptech wrote:
| > what more do you want from the guy?
|
| "This has taught me that my platform can be weaponized by any
| bad actor who can fool or manipulate me. One column from me
| could get a CISO fired or move a Fortune 500 company's stock
| price. That's a heavy responsibility that I wasn't really
| accounting for, but now that I understand it, I've put some
| thought in to it and I have made some changes that I hope
| will harden me and my platform against this kind of social
| engineering attack."
| cthalupa wrote:
| >but what more do you want from the guy?
|
| By the time the December story was published, it seems that
| Krebs knew full well that his source was the person
| implicated in the crime to begin with. I would like to
| understand why he thought it was responsible to press forward
| while obfuscating this fact, and how he will handle similar
| situations moving forward. His thought process there will
| help inform me as to whether or not I can personally take him
| seriously on things of this nature in the future.
|
| As it stands, I don't know if he learned anything from this,
| or if he still thinks that people that very well might have
| perpetrated the crime he's reporting on are reputable sources
| that he should post information from without question or
| disclaimer and the only reason this is posted is because he
| settled in court.
| nibbleshifter wrote:
| _many_ of Krebs's sources are criminals, often dropping
| their competitors info in Brian's lap as a way to get
| ahead.
|
| Brian's a willing and witting participant in this
| behaviour, even encourages it, because it gives him more
| stories.
| Werewolf255 wrote:
| Yeah, this reflects my views too. He's using the veneer
| or pretext of journalism and reporting the truth in order
| for him to cover sloppy sourcing.
| JumpCrisscross wrote:
| > _using the veneer or pretext of journalism and reporting
| the truth in order for him to cover sloppy sourcing_
|
| Getting tips from criminals is not sloppy sourcing. There
| is verification that obviously failed here. We likely
| won't hear the full story until the prosecution and
| litigation cycles have turned.
| [deleted]
| cthalupa wrote:
| To me, the issue isn't really that the source in question
| is a criminal - I think they might be a bit less reliable
| than the average person, but as others have noted,
| general people are pretty unreliable too.
|
| But the fact that the source was also the person who has
| allegedly perpetrated the crimes going unmentioned and
| not being disclaimed to me is sloppy - even if there was
| additional verification done, if you are mentioning this
| source as the cornerstone of your article, I want to know
| about the vested interests that source has. Obviously,
| being the person that allegedly did it means you have A
| LOT of vested interest in how it is covered and what is
| revealed. If you want to talk yourself up and brag about
| it (which seems to be a given if you are telling a
| journalist about something you allegedly perpetrated) it
| is totally reasonable for people to be suspicious about
| how much is fact and how much is fiction. Humans like to
| exaggerate when talking themselves up.
| LordDragonfang wrote:
| That might seem like an indictment of Brian's ethics, but
| I'd argue that having criminals as sources is an
| unfortunate inevitability if you're going to have up-to-
| date reporting on a topic that is so heavily entangled
| with cybercrime.
|
| Besides, it's not like non-criminal sources never lie.
| nibbleshifter wrote:
| There is nothing inherently wrong with using criminals
| (or other unreliable sources) as sources, most
| journalists in the space do so.
|
| The issue arises when you report on it without clearly
| disclaiming/disclosing that its a single, unreliable
| source and that you have been unable to externally verify
| the facts.
|
| Mistakes happen, and that's fine. But in recent years
| Brian has been getting a bit slipshod in his verification
| and disclosure practices, most likely due to competition
| in the space and the need to publish fast.
| jibe wrote:
| It is fine to use criminal sources, but in this case the
| criminal was a primary party with a self interest. If you
| can't disclose that and still wrote the story, it is a
| warning that you either need additional sources, or don't
| publish.
| KaiserPro wrote:
| > it seems that Krebs knew full well that his source was
| the person implicated in the crime to begin with
|
| I would say implicated in _a_ crime. It wasn't entirely
| clear at the time that the crime was extortion. After all,
| it's a very odd way to make money, as going public as a
| "loose cannon who fucked a company by being so toxically
| bad at their job they brought down a company" is not the
| greatest CV experience post.
|
| I'm still not entirely clear how much of the architecture
| described was bullshit.
| ajross wrote:
| The timing doesn't support that take, though. Nikolas Sharp
| (the sole source for these stories) was arrested _almost a
| year ago_. Krebs knew then that his source was tainted, and
| he did nothing. Instead he waited until he was months into
| litigation with Ubiquiti (which he's almost sure to lose) to
| try to backpedal.
|
| That's just a straight up violation of journalistic ethics. I
| think it's very reasonable to demand that our reporters in
| the security community be clear about their sourcing and
| prompt about corrections.
|
| A "what more do you want from the guy" implies that we
| shouldn't hold his past actions to account. And... we should.
| We absolutely should.
| danso wrote:
| I would've liked to see some explanation for how Krebs fell
| for this ruse, such as why _this_ single-sourced claim was
| convincing enough to him to do a series of articles that
| apparently did serious material harm to Ubiquiti. And at
| least a few specifics of the key information that Krebs now
| believes to be faked. Just because his source has been
| indicted for alleged false info to the press doesn't mean
| that _everything_ this source gave Krebs is automatically
| fake. In other words, what claims in the indictment, relating
| to which evidence the source gave to Krebs, leads Krebs to
| believe that that evidence is completely unreliable -- and
| how much, if any, doubt/scrutiny did Krebs give that
| evidence before this indictment?
|
| It doesn't have to be written in the tone of CYA excuses. The
| angle is: _this is how I got fooled, and these are the
| lessons I've learned going forward_.
|
| As Krebs writes in his _mea culpa_: _"I always endeavor to
| ensure that my articles are properly sourced and factual."_
| Okay, so why didn't that happen here? Is it a one-time bespoke
| situation, i.e. a perfect storm of mistakes? Or was it
| because of standard practices that he now sees as
| insufficient for these kinds of stories going forward?
| system2 wrote:
| I agree, maybe the "how he fell for this" part is related to
| some legal constrictions. I personally dislike this type of
| apology, which is very commonly used by corporates.
| Hamuko wrote:
| I'm not really sure if he's owning it. This post has not made
| it to his Twitter feed, unlike most of the other recent
| stories. They're probably not automated, so I wouldn't expect
| it to be there immediately, but I kinda feel like he wants it
| to just quietly go away if he doesn't mention it there as
| well.
|
| https://twitter.com/briankrebs
| acoard wrote:
| >Everyone makes mistakes.
|
| Fully agree, which is why I said the same thing. :)
|
| >Granted, this is probably in response to some legal action
| either in progress or already settled, but what more do you
| want from the guy?
|
| As I said in my post, a stated awareness that he was used in
| a cyber blackmail scheme, and at least some nominal promise
| to try and be aware of that in the future. The difference
| here is between "I made an honest mistake" and "I was taken
| advantage of and used unwittingly in a scheme." I'm not
| interested in him self-flagellating and begging for
| forgiveness, as my concern is totally forward-looking. I
| believe this type of problem will come again, of people
| trying to unwittingly use his reputation to push certain
| agendas. If he isn't aware of that dimension of the problem
| then it's likely it will re-occur.
|
| That being said, your point about this post made in a legal
| context is totally fair and had slipped my mind. I can
| imagine any apology/statement/etc getting neutered by lawyers
| for perfectly rational reasons.
| renewiltord wrote:
| In the counterfactual world where he says that, the top
| comment on HN would have been that he's trying to weasel
| out of personal responsibility. Besides, let's be honest:
| he's going to be heavily policed by the Internet on any
| statement that is similar to the ones on Ubiquiti. I think
| he will be quite aware.
|
| In fact, here's an example of exactly what you're saying
| being considered a convenient excuse:
| https://news.ycombinator.com/item?id=32664689
| JackFr wrote:
| As part of a post mortem you should ask "People will remain
| fallible; How can we change the process so this is unlikely
| to happen in the future?" And in general one likes to see
| that kind of transparency ... but if the problem is
| someone snuck through our defenses, often we don't want
| to publicize the changes made because it might help
| the next person.
|
| Although a "Steps will be taken." might be nice.
| oaiey wrote:
| Saying that he was part of the blackmail scheme would make
| him maybe target of legal actions from Ubiquiti. So .. that
| you will not get. He has to do the same company-lingo like
| they all do after screwups.
| tssva wrote:
| He was/is the target of legal action from Ubiquiti. I
| assume this statement is part of some settlement he has
| reached with them regarding the legal action.
| asdfasgasdgasdg wrote:
| Complaint: https://storage.courtlistener.com/recap/gov.uscourts.vaed.52...
|
| I remember at the time we were discussing the
| misreporting I noted that Krebs' lack of retraction could
| come back and bite him. It's interesting to see it now.
| It's also interesting to note that it is referenced in
| point 11 of the lawsuit.
|
| A little remorse goes a long way, and pride can be
| expensive.
| PuppyTailWags wrote:
| I think it's obvious he's going to do something to avoid
| this happening again but also I highly doubt anything would
| be disclosed publicly about this. This isn't exactly a guy
| with a track record of _not_ learning.
| acoard wrote:
| > I think it's obvious he's going to do something to
| avoid this happening again but also I highly doubt
| anything would be disclosed publicly about this. This
| isn't exactly a guy with a track record of not learning.
|
| Sure, but part of a "mea culpa" is saying what's
| important to be said. Otherwise why say anything at all?
| Maybe he doesn't get it? Maybe he sees the facts
| differently?
|
| Generally I agree with you, and think he's a smart guy
| who is likely aware of this. But by not touching on those
| lessons, he only weakens his message.
| rovr138 wrote:
| This is a publishing retraction. This isn't a
| postmortem from a technical issue.
|
| He can't say it won't happen again. Like stated above,
| they'll try to keep abusing him.
|
| He can't say what his process is or how it will change,
| because that leaves it open to exploit.
|
| _mea culpa_ is just that, admitting fault. He did. He
| also took action and described it there.
|
| There is no root cause analysis, corrective actions, and
| preventive steps.
|
| It can happen again and statistically, if it goes long
| enough, we can say it _will_ happen again.
| PuppyTailWags wrote:
| Frankly, he is retracting something because is wrong and
| he is broadcasting that retraction on the largest
| platform he has access to: his platform. He has sincerely
| apologized to and made clear who he has harmed: Ubiquiti.
|
| So like, what do you want? What more should he say? You
| say "maybe he sees the facts differently" as if we as
| anonymous internet crowds are entitled to a post-mortem
| on his psychological state. This strikes me as distinctly
| parasocial.
| williamscales wrote:
| It's about reputation. His reputation has been damaged. I
| think people genuinely appreciate what he's done and hope
| that he'll rehabilitate it.
|
| Let's avoid ad hominem.
| lostlogin wrote:
| > So like, what do you want?
|
| This hasn't been a particularly prompt retraction. Why
| the delay?
| [deleted]
| acoard wrote:
| This isn't about a parasocial relationship with Krebs at
| all, but determining how he'll avoid the situation again
| going forward.
|
| > So like, what do you want?
|
| I think I've been pretty clear, basically an
| acknowledgement of the situation and a statement that he
| has some ideas on how to address it from coming again.
| I'm not even asking for an in-depth process update, I
| realize why he might want to be vague. Importantly, I
| just want to make sure he sees the problem. Otherwise,
| what stops it from happening again?
|
| > What more should he say? You say "maybe he sees the
| facts differently" as if we as anonymous internet crowds
| are entitled to a post-mortem on his psychological state.
|
| I'm certainly not entitled to his mental state, he's free
| to remain as private as he'd like. To go back to my
| original point, I said "[how he] has handled this whole
| episode has not inspired optimism in how he'll handle
| future mistakes." So to answer your question, all I'm
| saying is if he wants to be seen as a trustworthy public
| security researcher that is a step he can take in service
| of it. If he wishes to remain private on it he can too,
| but as he's decided to be a public security researcher I
| think it's only fair to engage with that. And I think
| it's off the mark to call it parasocial, when I'm only
| engaging with him _as_ a public security researcher doing
| security work.
| [deleted]
| stronglikedan wrote:
| This is why he should have never apologized in the first place,
| but rather just admit being wrong and move on. Apologies are
| never enough for some people, and often even weaponized.
| Jenk wrote:
| Yep. Apologies are blood to lynch mobs.
| karaterobot wrote:
| As a third party unaffected by the events in any direct way, I
| don't feel it's appropriate to give an opinion on whether the
| apology is satisfactory or not. If Ubiquiti has one, I suppose
| that's for them to express, or not, as they choose.
| lolc wrote:
| As a reporter, Krebs failed to promptly disclose or retract
| when the source turned out to be the leak. That means my
| understanding of events was left incomplete for longer than
| it should have been.
|
| So he wronged Ubiquiti, which I don't particularly care for.
| He also wronged his readers, which I am party to. This late
| retraction is underwhelming and doesn't give me trust. As he
| seems to only have retracted after being forced to by
| Ubiquiti, now what do I make of his stories where his targets
| don't have a legal team in his jurisdiction?
| duxup wrote:
| For a site that generally is there to give you the inside scoop
| on what is really going on / happened, interesting /
| disappointing that the choice is to not do so here.
|
| To me "sorry I was wrong" isn't enough.
| Jenk wrote:
| That's a non-answer. What more _do_ you want? What _would be_
| "enough"?
| duxup wrote:
| I don't know what you mean by non answer.
| IMTDb wrote:
| Compensation for the damages done to ubiquiti ?
|
| He chose to relay false information from an untrustworthy
| source, in a way that damaged the ubiquiti brand, and this
| took some time and energy from ubiquiti employees to fight
| those false accusations.
|
| Here he is saying "Yeah, here is $0 for your troubles, I'll
| be doing the bare minimum so you can't drag me in front of
| a courthouse anymore". He is literally posting a 1
| paragraph piece of text.
|
| "Enough" would be : "I am going to fully compensate you for
| the damages I have done by lacking professional integrity,
| and making extraordinary claims while lacking the required
| extraordinary proofs that usually come with them. Please
| send me a bill for the salaries of the technical staff,
| marketers and lawyers that had to be pulled from more
| important projects to fight the fake news I relayed. I
| understand that you have had to pay these people so you are
| not going to profit from this and this only allows you to
| break even on this whole mess. I note that - going forward
| - this will be used as an additional compass for me as I
| understand that my words have real, tangible consequences
| for the people involved and I will avoid putting anyone in
| danger without putting myself on the hook as well."
| bedhead wrote:
| I'm still bitter about this. The story absolutely reeked from
| the beginning and Krebs did nothing but unnecessarily
| sensationalize it like a tabloid journalist. I got downvoted a
| million times over when I pointed this out at the time, why I
| don't know, it was obvious to anyone who wasn't foaming at the
| mouth to pounce on Ubiquiti. In decades past this was a career-
| ending error...I wish it still was, I'll never take a single
| word Krebs says seriously ever again.
| oaiey wrote:
| One upvote returned ;)
| bedhead wrote:
| Ha, thanks. Seriously, this was not a run-of-the-mill
| journalistic mistake for which one apologizes and moves
| on. This was so brazen I couldn't even believe it at the
| time, my assumption was that he was short Ubiquiti's stock
| or something. What Krebs did was so egregious and so
| extreme that I really have no idea why the world hasn't
| turned its back on him as a journalist.
| bombcar wrote:
| Because there are no journalists left, it's all
| entertainment, and we were entertained.
|
| I don't _like_ it, but that's what it is.
| ulrashida wrote:
| I think you're right, but it took me a few minutes to put my
| finger on what was missing.
|
| There should have been a "going forward I will..." segment.
| criddell wrote:
| What should he do going forward?
| elteto wrote:
| He should become immune to social engineering and
| manipulation... /s
|
| Now seriously, there is not much he can do going forward
| other than be even more careful with vetting his sources.
| Which I am sure he already internalized.
| InitialLastName wrote:
| (Questions about the current state of journalism
| aside...)
|
| There is already standard journalistic practice for
| avoiding this: get a second, more reliable source. It can
| often be much easier to get a reliable source to verify
| information initially provided by a sketchy source than
| to get that reliable source to provide information in the
| first place.
|
| If you post unverified information that one person on the
| internet tells you, your work is indistinguishable from
| gossip, and should be taken as such.
| robertlagrant wrote:
| Not be a shock jock revealing things based on untrustworthy
| sources.
| mandevil wrote:
| His entire _beat_ is based on untrustworthy sources. What
| makes him special is that he is hanging out on Russian
| language carder forums and the like, monitoring the
| gossip and identifying new threats and patterns of
| behavior. That is the value that he adds, and it's a
| reasonably big value.
|
| In this case, he got played, but if he stops trying to
| work with untrustworthy sources he stops doing his job.
| bragr wrote:
| >What makes him special is that he is hanging out on
| Russian language carder forums and the like, monitoring
| the gossip and identifying new threats and patterns of
| behavior. That is the value that he adds, and it's a
| reasonably big value.
|
| That's also not what he did in this case from my
| understanding. The person contacted him. He didn't
| verify it from secondary sources on the underground, or
| get access to proof of the hack. I think people trust
| him because he usually is able to provide some
| verification, but failed to do so in this case.
| skullone wrote:
| I think he had to limit what he said, because he potentially
| has some liability on what he had reported on in the past.
| Crazy situation
| VogonPoetry wrote:
| Unfortunately I don't think this is the first time he has been
| socially manipulated in this way. Mr Krebs does seem to have a
| habit of only getting the details from one side of things and
| only writing things from that side of the story. Perhaps due to
| the nature of some of his investigations.
|
| Everyone has weaknesses to being socially manipulated. One way
| to mitigate this is to open a dialog with "the other side" to
| check and seek out inconsistencies. Perhaps not revealing
| everything in your expose story or leaving the veracity of it
| somewhat ambiguous until things develop further. This could
| weaken the impact of your initial story. Dialog is probably not
| easy when the other party is undoubtedly criminal and you can
| get blocked from reaching the right people. In this case, the
| accusations were against a corporation. They can be good or
| bad, but ultimately legal processes will reveal things.
|
| I do think Mr Krebs has upped his game in recent years and
| enjoy reading his stories, but I read them like fiction rather
| than actual verified facts.
| neilv wrote:
| I'd guess he's been advised not to say too much, and the
| specific way to say what he did.
|
| Besides the ongoing criminal case for which he may be a
| witness, I'd guess there may be potential liability wrt the
| company, and I'd guess that he's being careful not to create
| new potential liability wrt the indicted person (see several
| different nuances in his "My sole source" sentence).
|
| And this sounds like a lawyer-approved way to convey that he
| recognizes the importance, without saying any specific possible
| mistake of his that could be fodder, nor prejudging the case:
|
| > _I always endeavor to ensure that my articles are properly
| sourced and factual._
| dotBen wrote:
| Yes, this is exactly right - his post is clearly the product
| of legal negotiations with Ubiquiti and probably cleared by
| both them and his own counsel. He's well advised not to say
| more than he needs to, even if people in this community would
| like him to fall on his sword more, that's just not how this
| stuff works.
| photochemsyn wrote:
| This seems to be the basics of the case:
|
| Initial report:
| https://web.archive.org/web/20211202143043/https://krebsonse...
|
| Indictment of source:
| https://web.archive.org/web/20211202161703/https://krebsonse...
|
| In cases like this it's probably better to leave the article up
| but plaster a big red 'retracted' banner across it, with a link
| to a complete explanation as to why it was retracted.
|
| As far as defamation, isn't the legal bar on that pretty high in
| the USA? Maybe there's a negligence issue, i.e. relying on a
| single source, not doing enough background, etc. that overrides
| the normal 'good faith' reporting norms?
| filmgirlcw wrote:
| As I said in another comment, I feel certain (based on my own
| direct experience working for a publication that faced numerous
| lawsuits over what in those cases were factual articles) that
| this was a condition of a legal settlement.
|
| And the thing is, you settle in this case because even though
| the defamation bar is really high, if your sourcing was wrong
| (and you maybe didn't do the best job of vetting that sourcing)
| and the more complicated aspect is that your source was later
| indicted in relation to a crime directly connected to the
| information they shared as the basis of that article, this
| seems like a pretty straightforward "settle it and move on"
| scenario, rather than trying to fight it in the courts. Barring
| the largesse of a large news organization (who also might
| choose to settle, as the Washington Post did with that kid in
| DC, even though the New York Times and others were years later
| found to not have defamed him), this is probably not the sort
| of thing you want to spend the potentially hundreds of
| thousands of dollars fighting. Because at the end of the day,
| the reporting was still flawed.
| blitzar wrote:
| Date Filed: August 25th, 2022 "Defendants Brian Krebs and
| Krebs on Security, LLC respectfully request that the Court
| extend the deadline for Defendants to respond to the
| Complaint by an additional thirty days in light of
| extraordinary circumstances that have delayed the
| finalization of the parties' settlement"
|
| https://www.courtlistener.com/docket/63197557/21/ubiquiti-
| in...
|
| They have been finalizing the settlement for some time. I
| would guess it is now settled.
| filmgirlcw wrote:
| Yup. Interesting filing. I assume, like you, that they've
| settled and it is likely that there will be another filing
| to dismiss today or tomorrow.
| CaliforniaKarl wrote:
| I don't see this post when I go to https://krebsonsecurity.com/,
| at least on iOS Safari. Also, on the home page, when I scroll
| down to the list of all posts, I don't see this one.
|
| Edit: It's there now! Thanks to u/Pharaoh2 for the heads-up.
| Pharaoh2 wrote:
| I see it there
| CaliforniaKarl wrote:
| Ah, indeed! I now also see it. I guess parts of the site are
| cached and take time to refresh?
|
| Regardless, thanks for the correction!
| InTheArena wrote:
| Mad props to Brian on this. It's way overdue - and frankly, the
| Ubiquiti lawsuit was poor PR management - but it's good to put
| things right given some very poor journalistic choices.
| Journalists admitting when they are wrong is a key step in
| rebuilding trust in our institutions - not only news but many
| aspects of civil society here.
|
| Ubiquiti - as a fan of your products - please drop the lawsuit
| now. I get that this did a ton of damage to the company, but I
| don't think anyone wins by dragging this out. The product lineup
| has improved dramatically over the last year, and it would be
| good to focus there.
| jnwatson wrote:
| I'm not aware of any new information in the last 6 months about
| the matter.
|
| I guess better late than never.
| Semaphor wrote:
| Mad props to him for finally posting a retraction and half-
| assed apology after Ubiquiti forced him to with the lawsuit
| they never should have filed? What?
| vel0city wrote:
| Is it really props when you're being sued nearly half a million
| in damages to continue hosting the articles?
|
| If he wanted to take down the articles because he felt he was
| wrong, he had months to do so.
|
| He gets zero props from me for only taking down the articles
| after being sued.
| bombcar wrote:
| Once sued his lawyer probably told him to shut the hell up
| and not touch anything.
|
| The time to do the right thing was before the lawsuit was
| filed.
| jonpurdy wrote:
| There was a lot of discussion from ex-Ubnt employees in a January
| 2021 thread* related to outsourcing and incompetent management.
| From what I've read, they still show ads for their products in
| newer Unifi Controller web interfaces and don't have a way of
| disabling tracking.
|
| But now that the Krebs retraction has occurred, my brain doesn't
| know how bad/incompetent Ubiquiti is these days.
|
| Is there an updated-for-2022 source of info on Ubiquiti's
| problems? ie. what complaints are still valid, and which ones are
| not valid due to the cyber blackmail incident?
|
| I was a big supporter from 2015-2019 and I still run their AC
| Lite AP + EdgeRouterX, but haven't updated them beyond 2019
| firmware.
|
| * - https://news.ycombinator.com/item?id=25735032
| InTheArena wrote:
| It's solidified incredibly over the last year. It no longer
| requires centralized login, no longer shows ads (or you can opt
| out of them. I don't see it one way or another).
|
| More importantly, the network infrastructure has gotten much
| much better. I haven't had any stability issues other than
| testing our new early adopter firmware, and the first versions
| of policy based load balancing have landed.
| flyinghamster wrote:
| > It no longer requires centralized login
|
| Thanks for the update. I have a couple of UAP-AC-Lites and an
| EdgeRouter PoE, but the recent "cloudiness" began to set my
| teeth on edge, and I've been loath to upgrade my controller.
| mattgreenrocks wrote:
| Recent updates to the base UDM have been noticeably better
| than before. I don't know what they're doing differently but
| I hope they continue along this trajectory.
| InTheArena wrote:
| Yeah, the investment is showing. I just installed a UDR at
| my parents place, and it's awesome. Provides not only the
| UDM functionality, but also VOIP or cameras out of the box
| - with everything in a fully managed state.
|
| They are doing a lot of enterprisey bits right now, but I
| think their more prosumer stuff is also doing well.
| jandrusk wrote:
| Sure sounds like a response to the lawsuit:
| https://twitter.com/QuinnyPig/status/1508965090019577856?t=L...
| badrabbit wrote:
| Someone correct me, but, isn't a journalist supposed to have
| independent corroborating source/evidence no matter how solid one
| sole source is? Is that basically where he missed the "mark"?
| Fnoord wrote:
| There used to be a rule in journalism: one source is no source.
| Werewolf255 wrote:
| Yeah, at this point I'm taking Krebs off of any alert or
| recommendation lists. Appreciate the Mea Culpa, but it's not like
| he's been making stellar decisions before this problem.
|
| It also doesn't read as an apology, but an acknowledgment that he
| was given bad info from a source.
| AndrewUnmuted wrote:
| WaitWaitWha wrote:
| [x] I made a mistake
|
| [x] This is how I made the mistake
|
| [x] I am sorry
|
| [x] I am going to do better
|
| [ ? ] These are the details how I am going to do better
___________________________________________________________________
(page generated 2022-08-31 23:00 UTC)