[HN Gopher] Final thoughts on Ubiquiti
___________________________________________________________________
Final thoughts on Ubiquiti
Author : todsacerdoti
Score : 443 points
Date : 2022-08-31 15:21 UTC (7 hours ago)
web link (krebsonsecurity.com)

| user3939382 wrote:
| Ubiquiti is so worried about suing Krebs meanwhile their brand reputation has turned to mud due to the quality of their products, both from my own experience and the general consensus I've heard online. If this incident had never occurred I still would have stopped recommending and using their equipment.
| InTheArena wrote:
| Give it a try again. I have a ton of equipment, and it's just working well for me now. I think the consensus among ubiquiti users has shifted considerably over the last year.
| oaiey wrote:
| True. The new UI finally got better ... and that was what everyone was complaining about ;). And let us be honest, the UI matters with Unifi.
| xxpor wrote:
| The problem from my end though is, who really competes with them? No one else offers the same level of control at the same (or even close) price point.
| OJFord wrote:
| Nobody competes with them as 'Apple for networking', but MikroTik is if anything a bit cheaper and _better_ on the actual specs etc. - just without the snazzy UI and easy GUI (highly-G) config.
|
| There's probably a lot of people who'd love Ubiquiti gear ('gadget nerds', Linus Tech Tips viewers, gamers, etc.) to whom I wouldn't recommend MikroTik, but to anyone who's.. idk, heard of iptables, I would.
|
| All the gamer-marketed WAP/routers with a million antennae are somewhat competitors in the former category too I suppose.
| fossuser wrote:
| > "just without the snazzy UI and easy GUI"
|
| That UI is really fucking good imo, and good UX around this stuff is massively undervalued.
|
| Apple took over the world for a reason.
| As far as I know nobody comes close to Ubiquiti in this space.
| hot_gril wrote:
| > Nobody competes with them as 'Apple for networking'
|
| Apple used to ;_; I was still using my Airport Expresses until they gave out. Didn't care if they didn't have the latest wifi standards, they were way easier to manage than Ubiquiti or anything else.
| mikestew wrote:
| As a hard-core Apple Airport user for a long time, the Apple stuff was great until it wasn't. For example, wanting to put the Xbox in the DMZ. You _can_ do that on the Airports, but it's not called "DMZ" (IIRC) and it's not at all obvious. Whereas Ubiquiti is like the industrial version of an Airport or something, because if you _do_ want to put devices in a DMZ or on a VLAN, you can do it and without a lot of effort. Of course, Ubiquiti's stuff has limitations, so the next stop is...MikroTik? Cisco?
|
| But, yeah, if Apple had kept the Airports going, I'd have had little reason to look elsewhere, and would probably still use them.
| hot_gril wrote:
| I've seen the term "default host" on other routers too, so it's fair enough. AirPort settings were pretty full-featured for a consumer device, just lacked advanced routing stuff that I'd not use in a home anyway.
|
| It started falling apart when they made the new AirPort Utility, which hid some settings. I had to go install the old version.
| dotBen wrote:
| The founder of Ubiquiti used to be a radio engineer on the AirPort product at Apple. Part of the reason he left was because the line became devalued in Apple's product lineup and would ultimately be shelved.
| hot_gril wrote:
| Interesting, I didn't know that. Apple lost a great engineer!
| InTheArena wrote:
| If you have heard of IPTables, go grab OPNSense.
|
| MikroTik makes sense when you really really really care about having the cheapest possible 10g switch.
|
| AFAIK, there is nothing that competes apples to apples with the UDM in terms of an entry-level managed switch / router / WAP offering (or the UDR, which does UDM + Telephony or distributed global management)
| msh wrote:
| Mikrotik is in the same price range but not as polished.
| Arainach wrote:
| "Not as polished" is an incredibly generous term. Unless something has radically changed, Mikrotik basically requires remoting in with a command line and understanding all the implementation details. It's like trying to run a FreeBSD box as a router. Ubiquiti's tooling for common workflows is _generations_ ahead, not a coat of polish.
| kllrnohj wrote:
| I have one Mikrotik switch and it's the only device on my network that just randomly decides it doesn't want to do DHCP renewal and falls back to some random static IP until a power cycle.
|
| Since it's a switch that I rarely touch it's not a big deal, but "not polished" is putting it mildly for sure.
|
| Price & performance is still solid if you just treat it as a VLAN-aware "dumb" switch, though.
| ikiris wrote:
| Yeah mikrotik config is like trying to learn gregorian incantation spells and you have to be in the right 3rd harmonics.
| tonyarkles wrote:
| I felt the same way and still kind of do, but I was really impressed the other day. My rural neighbour and I decided to share an Internet connection and I set a Mikrotik WAP in "CPE" mode (basically what you'd use if you were connecting to a WISP) and it was incredibly smooth to get going. WiFi radio in the WAP connects to my network, Ethernet coming out of it goes to his home network.
|
| They're incredibly powerful devices no doubt and I have ended up in configuration hell before, but they've definitely gotten better at some of the more common (and less common) workflows.
| bombcar wrote:
| Once you realize that Mikrotik is _NOT_ a small business router company but started as a WISP supply company for Eastern Europe it becomes much more clear.
|
| They've greatly enhanced the web interface in recent updates, but you still will probably need to find a recipe for what you want to do, but it can do it.
| MartinCron wrote:
| I'm using the TP-Link Omada access points and router along with the software controller and it's pretty great.
| kevinmgranger wrote:
| I've heard good things about MikroTik?
| InTheArena wrote:
| Better routing functionality (at least until the last bits of load balancing and policy based routing land), but MikroTik is hard to manage for anything but the simplest use cases. Plus you don't get the single pane of glass management across your WIFI / Switch / Routing ecosystem. In fact, you have to change the operating system you use on the switch depending on which features you want w/ MikroTik.
|
| Aruba and TP-Link Omada did huge marketing pushes to take advantage when Ubiquiti got hit with this crap. Every person I have talked to that switched from Unifi gear to Aruba Instant-On has moved back off of it over the last year. There is some selection bias there, but you can see the same thing in the youtube tech blogger(s) as well. That said, I think if you are not going Unifi for WIFI, your best bet is either CISCO or alternatively go mesh.
|
| If you want to go down the more powerful path for routing I strongly suggest OPNSense / PFSense.
| beermonster wrote:
| No one. Sadly!
| beams_of_light wrote:
| The old adage "you get what you pay for" applies here. Yeah, it's cheaper than buying Meraki, Aruba, Fortinet, etc, but the IDS/IPS on their Dream Machine is awful, logging is awful, reliability of anything but wireless gear is awful, Protect storage equipment is awful...
| InTheArena wrote:
| This is just getting silly.
|
| They use Suricata for the IDS/IPS.
| I have a UDMP, and I route 2.5GB a second across two load balanced connections (fiber and cable) on full IDS/IPS with no problems. I have logging going to Graylog without any issues, but am looking to move to Loki. I have a UDMP, with a single 8TB disk for my camera, but you can grab a UNVR if you need more storage. If you need two, grab two UNVRs to cover a whole site. They pair now. And if you are a prosumer instead of a homelab / business site grab a UDR, with a fast flash disk. You can pair that into Homekit secure with Homebridge (or even better, Scrypted).
|
| I have 5 Unifi 6 devices - zero problems with them in well over a year at this point. I get 800mb/s from any location on-site.
| vel0city wrote:
| I don't really want to pay for support contracts which cost more than the upfront cost of the hardware after a couple of years to continue to receive software updates for my prosumer level home networking deployments. Does Meraki and Aruba provide free updates?
| corndoge wrote:
| MikroTik
| treesknees wrote:
| Is that so true? I've seen that as they've become more popular, some of the rougher edges and complaints come out. Personally I've had no reliability/quality problems with my Ubiquiti equipment. But I do know several people who have moved away from their gear due to the breach and fallout from these Krebs articles.
| Covzire wrote:
| Personally I think Ubiquiti fared better than Krebs did in the reputation department. They were both victims in their way but Krebs should have retracted several months ago.
| bikezen wrote:
| Reads like a lawyer wrote this for him, and is still _way_ too late. It was pretty clear early on that his source was a bad actor.
|
| Even if he actually wrote this post himself, it feels like it's a result of the ubnt defamation suit against him.
| CaliforniaKarl wrote:
| Sitting on the bus, I've already changed my mind about the decision to take down the articles, instead of posting a retraction notice. At first I thought Mr. Krebs was being scummy by pulling the posts.
|
| The Ars Technica article linked by u/riffic mentions that there was an earlier, denied takedown request. So, now I think the posts were likely taken down as part of a settlement.
|
| We'll probably never know--I expect an NDA to be part of the terms--but I wonder if, from Ubiquiti's side, it might have been better to leave the posts up, but with a retraction notice.
| obblekk wrote:
| Before people jump on this with super negativity... mistakes happen.
|
| What is Krebs' false positive rate? I think low enough that a simple, clear explanation of why it happened is sufficient.
|
| There's no weasel words or evasion here - he owns up to the error, apologizes to affected parties, and retracts all original posts.
|
| It's true that his reporting probably caused stress for Ubiquiti. I'm curious what people think is a fair system to compensate for that, without wiping out independent, generally high accuracy reporters like Krebs
| de6u99er wrote:
| Yeah, but publishing information as quickly as possible to surf on the first big clicks-wave can cost people their jobs. Because it can result in someone deciding to go with another company.
|
| A friend who is looking for an easier to manage network for his wife's doctors office let me know that there's reports about security issues after I recommended to him to evaluate if Ubiquiti could be a good option. Not sure what exactly he was referring to. Nevertheless, I sent him now the link to this article.
| phoboslab wrote:
| > What is Krebs' false positive rate?
|
| You only ever hear about it when he gets high profile cases wrong.
|
| When my project was targeted by him, he ended up going down some conspiracy rabbit hole and doxed all the wrong people. This forced me to issue a correction - mission accomplished, I guess.
|
| During his "investigation" he accidentally sent an email that was meant for his business partner to some of my friends. It offered a glimpse into his sensationalist mindset. I don't have much respect for that guy.
| washadjeffmad wrote:
| Well, we don't know. How many times has he been either the willing accomplice or unwitting patsy in stock manipulation or corporate sabotage? Does he even know?
| curiousgal wrote:
| He has a history of doxxing people who have nothing to do with his pieces so yeah excuse my negativity.
| GordonS wrote:
| IIRC, he never even apologised for it - just straight up said _nothing_, like he was pretending it never happened. I haven't followed Krebs' articles since then, he totally lost my trust.
| PragmaticPulp wrote:
| > What is Krebs' false positive rate?
|
| What's more important is how those false positives are handled.
|
| In this case, it feels like it was swept under the rug and he avoided addressing it for as long as possible. If he had simply addressed the problem head-on as the news came out and the FBI information became public, it would have been a different story.
|
| The way he rushed to report accusations from an anonymous source (who was actually the perpetrator) felt asymmetric relative to the minimal reporting on the extortion scandal and ensuing FBI investigation. IMO, the story about someone extorting their employer and then abusing security reporters as leverage was more interesting than the original story. Yet Krebs did very little reporting on the latter, likely because he knew he was central to making it all happen in the first place.
| dewey wrote:
| > What's more important is how those false positives are handled.
|
| Is it really though?
| If there's a company that has to defend / apologize often (Facebook/Meta maybe) I'd be way more critical of their apology than if one guy who didn't have a case like that before apologizing a bit too late for some people or not in the way they wish he would. There's also a lot of information we don't know yet, we don't know what happened behind the scenes and when he was provided with the final verdict and facts.
| rovr138 wrote:
| > If he had simply addressed the problem head-on as the news came out and the FBI information became public, it would have been a different story.
|
| Isn't that what caused the issue in the first place? He talked before all the info was out and he could verify all of it.
| thesausageking wrote:
| Ubiquiti lost $4B in market cap based on this one, poorly sourced post Krebs wrote. He then waited 9 months after he knew it was lies to correct and only does it in the most muted, begrudging way possible. This is completely unethical behavior for a writer.
| ganoushoreilly wrote:
| I don't think it's fair to attribute their losses directly to Krebs. While this instance is in their favor, Ubiquiti have been doing plenty on their own to alienate their client base. Half-baked software updates, pushing products in new verticals without delivering on existing products. It's clear that there are still issues within Ubiquiti that aren't washed away by this "breach". They're attempting to be enterprise and barely delivering in the Prosumer market.
| thesausageking wrote:
| It went down by $4B the day after he published his post. A one day drop isn't about their products or how they treat their customers.
| BLO716 wrote:
| A bit of extreme ownership in the same vein as Jocko Willink is inspirational. It's not a reward or ego contest, when you have to open up and be humble about leadership and admission as such - so, critics will be on both sides of the judgement and the reporting.
|
| I myself believe in being humble and honest to a fault, so I'm more sympathetic in this case.
|
| Either way, strive to be better and hey .. humanity is a b*tch sometimes.
| legitster wrote:
| "A lie gets halfway around the world before truth puts on its boots."
|
| Another good reminder to take whistleblower claims with a grain of salt. Even someone as professional as Krebs still wants to get the scoop.
|
| I still don't understand why it took Krebs so long or why he insisted on trusting his insider so much without any corroborating evidence.
| hot_gril wrote:
| Reminds me of the Bloomberg SuperMicro article with a single anonymous source alleging that several big companies were compromised, which they deny. Funniest part is how Bloomberg itself _also_ claims it wasn't compromised:
|
| > Bloomberg LP has been a Supermicro customer. According to a Bloomberg LP spokesperson, the company has found no evidence to suggest that it has been affected by the hardware issues raised in the article.
| happyopossum wrote:
| Biggest difference - Bloomberg _still_ hasn't retracted that garbage story...
| hot_gril wrote:
| Yeah, that's why I'm reminded. Is the moral of the story that reputable, medium-sized reporters without huge legal resources are more trustworthy than something like Bloomberg?
| bombcar wrote:
| Or Bloomberg is better at walking the fine line and never actually stating anything actionable.
| NelsonMinar wrote:
| It's great that he retracted his story but the way he did it isn't so great. In particular he's removed his older incorrect stories and replaced them with a redirect to the retraction. Thankfully the Wayback Machine has archives
|
| https://web.archive.org/web/20220223015405/https://krebsonse...
|
| https://web.archive.org/web/20220711220855/https://krebsonse...
| cptskippy wrote:
| What would have been a better way to handle it?
| From personal experience, I've overlooked header/footer retractions on material before and referenced things only to have the retraction point out to me later.
|
| Complete removal of the article isn't ideal, and it's less error prone.
|
| I appreciate that the old articles aren't 404'd, they redirect to the retraction so any other sites linking continue to work.
| hot_gril wrote:
| Eh, this is what web archives are for. Krebs doesn't want to show wrong info, and he may even be legally obligated not to.
| filmgirlcw wrote:
| Speaking from experience with these things (although in my case, the articles we were forced to remove were absolutely and completely 100% accurate -- but the company that acquired us wanted to settle all outstanding lawsuits and ended up caving so that the transaction could close), this might have been terms of the settlement or whatever it was he came to with Ubiquiti.
|
| In our case, because our articles were in fact, factual, we were able to re-iterate and even quote, as part of the legal filings, aspects of the original reporting as part of a story that was in response to the removals themselves, but the content at those original URLs was replaced with a notice that the articles had been removed because of litigation with our former parent company.
|
| The fact that he didn't (or hasn't) scrubbed the stories themselves from the Internet Archive is a good sign (I think we had to remove our stories from the Internet Archive, though I do know that individuals did make archives other ways).
|
| I'm pretty opposed to suing journalists for the act of doing journalism and even though I'm a big fan of Ubiquiti products, I still don't love this sort of tactic.
| That said, it does seem clear that these stories were not correct and at the very least, flawed because of the single-source who was not a reliable narrator (and admitted to lying to the press), so in an ideal world, these stories would have been retracted anyway.
| nibbleshifter wrote:
| > and I have decided to remove those articles from my website.
|
| Updating them with a link to this for context would have been the better move.
| nottorp wrote:
| Ok no security breach. Can I set up a new Ubiquiti device without registering with them _at all_ now?
|
| Been told that you can delete the cloud registration after the set up, but that's still unacceptable.
| InTheArena wrote:
| yes.
|
| You do not need any cloud login at this point.
| nottorp wrote:
| They saw the light :)
|
| I have an older device (first in 5 GHz I think) and I was beginning to think I should upgrade it to <whatever the latest Wi-Fi standard is>.
| nottorp wrote:
| Hmm I just redownloaded the 'unifi network' thingy.
|
| For one I had to go through a screen of threats telling me I shouldn't use a local application that only reminds me of the threats you have to go through when downloading the LGPL version of Qt.
|
| For two, the app is incomprehensible, it wanted me to create a "local administrator account" after I opted out of an online account and then it didn't find my old unifi ap that is working just fine thank you.
|
| So nope. Still unacceptable, sorry.
|
| Note: I still have an old version of their admin app on an old computer and that one just finds the AP and lets me configure it. So if they could do it 10 years ago they could do it now too, should they wish to.
|
| Note 2: Why do they want my email even for a "local administrator" account?
|
| Note 3: If I click through all the crap it does find my UAP-AC but it says "managed by another console"? With no way of taking control of it. What the... I haven't started the old management app in years.
|
| Looks like besides threatening their customers they have gone enterprise.
| system2 wrote:
| Is there another brand to use other than UI for small businesses? Unifi makes it really easy to manage things and very affordable.
| hartAtWork wrote:
| I think this was absolutely warranted. Ubiquiti's stance as a reliable and secure networking company was damaged in my mind. Krebs absolutely did damage to their reputation.
| wnevets wrote:
| On a related note the number of negative Ubiquiti comments on HN appears to have fallen since this person was outed.
| PragmaticPulp wrote:
| > As a result of the new information that has been provided to me, I no longer have faith in the veracity of my source or the information he provided to me. I always endeavor to ensure that my articles are properly sourced and factual.
|
| This is a strange statement given how the details of the FBI investigation have been public for a very long time.
|
| Krebs was fast to report on the initial accusations, but seems to have waited as long as possible to write about the revelations that his source was actually the perpetrator.
|
| > This time, I missed the mark and, as a result, I would like to extend my sincerest apologies to Ubiquiti, and I have decided to remove those articles from my website.
|
| Given that Krebs is a reporter who has historically built a reputation on exposing things and bringing information to light, the brevity and vagueness of this article feels much more like a compromise to settle a lawsuit than typical reporting.
| oaiey wrote:
| Maybe part of an informal settlement ;)
| blitzar wrote:
| The lawsuit was close to being settled ... my _guess_ is this is part of the formal settlement.
| bombcar wrote:
| This is a failure across many journalists; the inability to view what they're involved with objectively. The amount of scrutiny applied to a source is inversely proportional with how much I want to believe the source.
| tcgv wrote:
| > The amount of scrutiny applied to a source is inversely proportional with how much I want to believe the source
|
| Aka "confirmation bias"
| IncRnd wrote:
| > This is a failure across many journalists
|
| Only one journalist was involved here. I think you meant "failing of many journalists" not "failure across many".
|
| > The amount of scrutiny applied to a source is inversely proportional with how much I want to believe the source.
|
| Why do you disbelieve a source that has been greatly scrutinized? Did you mean "directly proportional"?
| andrewaylett wrote:
| The sense I read from the GP is that if I want to believe the source, I'm less likely to apply strict scrutiny to what they tell me. The more I want to believe, the less I'll dig into what I'm hearing. Some things are just too good to _not_ believe.
| bombcar wrote:
| Exactly. Krebs did it himself (doubling down on his "source" even as evidence began to come to light that the source was not clean) and we as commentators do also (the original posts are filled with "the software sucks because of X, Y, and Z so this is obviously true).
| Operyl wrote:
| Jeez, I was certain at this point he would never retract his articles. I feel like it's too little too late, imo, though.
| cronofdoom wrote:
| Funny, I was feeling the exact opposite. They could have just taken down the articles and issued no statement. It is hard to publicly admit that you're wrong and it's good to see they took that step.
| [deleted]
| blitzar wrote:
| > They could have just taken down the articles and issued no statement.
|
| There are people that came bottom of their class and barely qualified yesterday to practice law who easily would have been able to make this not an option.
| selectodude wrote:
| I imagine a public retraction was part of a settlement with Ubiquiti.
| duped wrote:
| This is why "sole sources" and publications based on them can't be trusted
| chriscjcj wrote:
| Journalists will sometimes go to great lengths to get a scoop and to make a name for themselves. This passionate desire to "break the story" makes many journalists vulnerable. They become easy marks for bad actors who can gain by manipulating them.
|
| There are many examples of this occurring.
|
| Sometimes the manipulation is just designed to make the journalist(s) look stupid as in KTVU's scoop on the names of the Asiana Airlines pilots responsible for the deadly crash at SFO: https://www.youtube.com/watch?v=L1JYHNX8pdo
|
| Sometimes it's more serious as in the case of Matthew Keys, who went to prison. I suspect he thought he was chasing a story but was too naive to realize he was being played. https://www.wired.com/2016/04/journalist-matthew-keys-senten...
|
| Dan Rather's desire to take down former president George W. Bush for all intents and purposes ended his own career by not vetting documents provided to him by a source. His producer Mary Mapes was forced to resign as well. https://en.wikipedia.org/wiki/George_W._Bush_military_servic...
|
| I think we can all learn from these people's mistakes. Our own desires for a particular outcome or to have our personal beliefs confirmed can make us vulnerable to people who might have an incentive to manipulate us. For this reason, it's probably wise to employ a healthy level of skepticism when consuming "news" regardless of how trustworthy we believe the source to be.
| alexk307 wrote:
| Wow, I wonder how much they were suing him for. Probably tons of money in damages from his report
| [deleted]
| ryneandal wrote:
| > Ubiquiti is asking for $425,000 in damages.
|
| - https://arstechnica.com/tech-policy/2022/03/ubiquiti-sues-jo...
| borski wrote:
| From [1], it would appear to be only $425k.
|
| [1] https://arstechnica.com/tech-policy/2022/03/ubiquiti-sues-jo...
| incomingpain wrote:
| Ubiquiti got krebbed: https://www.urbandictionary.com/define.php?term=krebbed
| ocdtrekkie wrote:
| If there's one thing I really hope people take away from this entire story is not to use security researchers' statements in constant appeals to authority. I hear so many questionable-to-bad takes on cyber security that basically amount to Bruce Schneier, Brian Krebs, or Troy Hunt said so, so you're _absolutely wrong_ if you don't obey them.
|
| It's really important to remember security researchers and experts convey what they feel is the most accurate or best advice or information they have at the time, and it may very well turn out to be completely wrong or misguided later. The fact that these individuals are _popular_ does not mean they are an _authority_ on anything.
| Melatonic wrote:
| I agree - and while I certainly trust the people you listed quite a bit it is important to not elevate anyone to cult status or revered leader type stuff. I think we can trust that they have more authority than most but that does not make them the authority.
| johncalvinyoung wrote:
| Of that list, I'll listen to Schneier or Hunt way before Krebs.
|
| And that was before this story.
| riffic wrote:
| this reads like he got out-lawyered here.
|
| context for the unaware:
|
| https://arstechnica.com/tech-policy/2022/03/ubiquiti-sues-jo...
| nerdponx wrote:
| Do I understand this correctly?
|
| There was a minor data breach at Ubiquiti. An employee named Sharp was using this as an opportunity to extort his employer and exfiltrate data. Sharp was telling Krebs some yarn about the data breach being bigger than reported, which Krebs then repeated on his blog, accusing Ubiquiti of covering up a more significant breach. And Ubiquiti is claiming that Krebs knew the truth all along.
|
| This sounds like a weird and complicated story, so I feel like I'm probably misunderstanding.
| mzs wrote:
| That's pretty much it, yes:
|
| https://www.justice.gov/usao-sdny/pr/former-employee-technol...
|
| https://www.cyber.nj.gov/public-data-breaches/ubiquiti
| InTheArena wrote:
| Sharp did the breach and then extorted Ubiquiti. Ubiquiti got the FBI involved and declined to pay off Sharp. Sharp followed through on his threat and disclosed everything to Krebs, who wrote an article about it. The FBI and Ubiquiti were on to Sharp, but since Sharp was Krebs's only source, Krebs doubled down on the allegation with a series of articles, and then never retracted it (until now)
| mardifoufs wrote:
| I wonder what has changed? The original thread discussing the lawsuit was filled with super dismissive comments, arguing that Ubiquiti lawyers were incompetent and had no actual way to win the case. Some of the commenters were supposedly actual lawyers too, so it's not even just the normal "terrible armchair law advice" we are used to from HN.
| james_in_the_uk wrote:
| Perhaps Krebs has chosen to move on with his life. Defending litigation is often expensive, distracting and stressful, even if you think you have a strong case. The law isn't necessarily always as pugilistic as Hollywood might lead you to believe. Perfectly fine to think you are right, say you were wrong, settle the case and move on. Of course, we have no way to know what Krebs really thinks or what actually went on behind closed doors here. We should take the written statement at face value, exactly as written. No more no less.
| encryptluks2 wrote:
| Everyone loves to play the armchair lawyer. Bias quickly fuels whatever side of a case you're on. However discovery and a few court conferences can quickly put things into perspective.
| Almost everyone's lawyers start off with some encouraging words but eventually they are telling you to settle for X and it is clear that they wouldn't have got paid if they told you that you had a losing case from the get go.
| duxup wrote:
| Out lawyered, because he was wrong?
| bombcar wrote:
| A good journalist knows how to verify sources and check before writing.
|
| A great journalist finds great sources that are unimpeachable.
|
| But a _wealthy_ journalist knows how to write articles from horrible or no sources at all that are not technical defamation.
| kspacewalk2 wrote:
| Out-lawyered by life and facts.
| mewse-hn wrote:
| Next story will probably be that the suit was settled out-of-court :P
| balentio wrote:
| You guys are thinking about this in a very cloudy kind of way. Assuming that Ubiquiti was being blackmailed, they have a security problem in who they hire (Who held user data for ransom). Assuming they were not being blackmailed, but had a security hole in their software, Ubiquiti has a security problem.
|
| Krebs' reporting comes from a potential conflict of interest in that the person who might have been trying to blackmail was also the source. Defamation is not really the issue then because the source was pointing at a security problem which they happened to also be the cause of. The entity that hired this person was...Ubiquiti! Hence, it is not really defamation AS SUCH. Rather, if anything, it was true but maybe blown out of proportion to get a larger sum of money from Ubiquiti. We don't know how much info the person got their hands on, because Ubiquiti would be to blame for that, wouldn't they?
|
| So, ultimately I think taking down the articles is a mistake in the sense that they reported on a problem either way with Ubiquiti and security. Take off the ad revenue from those articles, and issue a modified retraction on the conflicted interest the source held as a correction.
Use it as a cautionary | tale on "Sensationalism" and "not always knowing what the hell | someone is doing when they report a leak" and move on. | InTheArena wrote: | Krebs' article specifically alleged malfeasance on Ubiquiti's | part - that they were deliberately covering up a huge data | breach. | | This turned out to be untrue on three levels: 1) There was no | cover-up. Ubiquiti disclosed the attack, and was working with | the FBI, working to identify what had happened, and in fact | were already onto Sharp as an insider attack. 2) There was no | large-scale data breach. 3) The claim that there was a huge | cover-up was part of an extortion scheme, that Krebs was | (unwittingly) assisting in. | | Yes, this is a standard insider attack - and Ubiquiti's security | needed to be significantly better - but it doesn't change the | fact that Brian Krebs reported false information - including | information that he should have been in a position to know was | untrue at the very least in the second article, if not the | first. | | Ironically enough, the person at Ubiquiti that introduced the | wider GITHUB access to production secrets and new policies that | allowed Nick Sharp to get production access was - according to | former Ubiquiti employees - Nick Sharp. | | Who watches the watchers? | balentio wrote: | >> 2) There was no large scale data breach | | Says who? The FBI? Says Ubiquiti? I bet BOTH of those places | have a reason to say that, and it is green and smells of dead | presidents. | InTheArena wrote: | Get caught in a lie in front of a jury for a white-collar | criminal prosecution with any sort of competent lawyer, and | you never regain credibility. Regardless, the other points | still stand. | | It's incredibly hard to defend yourself if your head of | security decides to extort you. They are the ones that | design the protections to keep insider attacks from | working.
Luckily for Ubiquiti - the attacker screwed up his | network configuration (VPN leak failure) which is also | somewhat ironic. | balentio wrote: | >> Get caught in a lie in front of a jury for a white- | collar criminal prosecution with any sort of competent | lawyer, and you never regain credibility. | | Which is great for mega corporations who are always | innocent of any robber-baroning or impulse to make | security a secondary consideration to profit. | | >>Regardless, the other points still stand. | | On feeble legs. | | >>It's incredibly hard to defend yourself if your head of | security decides to extort you. They are the ones that | design the protections to keep insider attacks from | working. Luckily for Ubiquiti - the attacker screwed up | his network configuration (VPN leak failure) which is | also somewhat ironic. | | I tend to think if you have that problem, you are | probably hiring people that are much like your company. | To put it differently, a known liar telling a story | doesn't automatically make it a lie. I suspect we will | soon be seeing how much Ubiquiti cares about its | customer base. When that time happens, I will return to | this post and ask you some follow-up questions. | InTheArena wrote: | Sounds good. I would not double down on Krebs right now. | Or on the tinfoil theory that the FBI and Ubiquiti are | lying about this. | de6u99er wrote: | Did he just delete the previous articles? | | IMO he should have linked to them from this post, and updated | them with a big fat impossible-to-miss disclaimer on the top of | the article because some other sites might still link to them and | use quotes which are not accurate any more.
| fossuser wrote: | The HN comments here at the time weren't great either: | https://news.ycombinator.com/item?id=30850983 | | Despite it being clear that Krebs was wrong on this issue for | some time, it showed the extent of his influence and the | attacker's success in leveraging it to manipulate the public | (including HN users). | | Hopefully his retraction at least helps with that. | JacobThreeThree wrote: | I guess the Krebs naysayers were right? | | The wording of this apology makes it pretty clear in my opinion | that he's reacting to Ubiquiti lawyers. | physhster wrote: | I trust Krebs so I tossed every piece of my Ubiquiti gear I owned | as a result. Ended up with a lesser solution since there isn't a | good alternative on the market that would do for me everything | Ubiquiti did. | acoard wrote: | An accurate but pretty lacklustre "mea culpa" and retraction. I | don't mind people making mistakes, everyone does, but seeing how | Krebs has handled this whole episode has not inspired optimism in | how he'll handle future mistakes. | | He was essentially used as an unwitting party in a cyber | blackmail scheme, and he doesn't touch on that at all. There will | continue to be nefarious parties trying to misuse his reputation, | so long as he remains a popular cyber researcher. I wish he would | show consciousness of that rather than simply saying "I was | wrong." | jpgvm wrote: | I read this as a post probably vetted by his legal team and | probably not issued earlier because of the ongoing legal action | (and then probably subsequent negotiations with Ubiquiti). | | He absolutely fucked up here but he probably can't say so and | likely wasn't able to retract sooner lest he open himself up to | legal culpability for his part in the blackmail scheme | (unwitting or not). | | Unfortunately this is just how the world works.
I hope he has | learnt his lesson and will be more thorough in his vetting of | his sources and how his reputation can be misappropriated by | malicious actors to do very serious harm. | pdntspa wrote: | Given that the target he "hurt" is a massive company that can | absorb losses, I think this retraction is quite enough. | bombcar wrote: | He also "hurt" his readers and those who had trust in him, | damaging his own reputation. | blantonl wrote: | This is about as straightforward as an "I screwed up, I own it, | I apologize" | | Everyone makes mistakes. Some of the good work Krebs has done | seems to be completely overshadowed by a mistake here. | | Granted, this is probably in response to some legal action | either in progress or already settled, but what more do you | want from the guy? | fnordpiglet wrote: | If I were Ubiquiti management or a shareholder I would want a | pound of flesh, and I expect their lawyers will be pursuing | that. | sxates wrote: | They are: | https://www.courtlistener.com/docket/63197557/ubiquiti- | inc-v... | stickfigure wrote: | > what more do you want from the guy? | | He's a guy who writes about hacks. He got "hacked". At the | very least I am curious to know more of the story. | encryptluks2 wrote: | If you can call it that. Seems more like a convenient | excuse. | tunap wrote: | He was duped by a con man. Everyone is susceptible to SE, | even smart guys like Brian. A case can be made that it is | the most difficult challenge/vector in cyber security. | | https://en.wikipedia.org/wiki/Social_engineering_(security) | encryptluks2 wrote: | Seems more like he was willfully played and that Ubiquiti | lawyers can show negligence on his part which would not | be a good look for a security researcher. | kspacewalk2 wrote: | > This is about as straightforward as an "I screwed up, I own | it, I apologize" | | "A source provided info. Source is now discredited. I thus no | longer trust the info." That's the gist of the apology.
But | that's neither here nor there; it does not show understanding | of the fact that his reputation was deliberately used for | criminal purposes. | InTheArena wrote: | "This time, I missed the mark and, as a result, I would | like to extend my sincerest apologies to Ubiquiti, and I | have decided to remove those articles from my website." | | I think that's reasonable. | atyppo wrote: | That seems like a statement not written by a lawyer. It's | possible he's concerned about legal ramifications | flutas wrote: | He is being sued by them for $425,000 in damages. Last | update on the court case was a request for an extension | due to them trying to finalize a settlement, I suspect | this was part of that settlement. | InTheArena wrote: | I would be too. Millions of dollars were lost because he | was an unwitting accomplice to an extortion scheme. | | But lowering the bar to say "I'm sorry" when someone is | obv incorrect is still a good thing. | initplus wrote: | Brian is a journalist more than he is a security researcher; | anything he publishes as a journalist should be held to | a higher standard than a random person just speaking | their mind. He had ample opportunity to get out ahead and | issue a retraction of the story when it was known to be | false, well before the Ubiquiti lawsuit. | ineptech wrote: | > what more do you want from the guy? | | "This has taught me that my platform can be weaponized by any | bad actor who can fool or manipulate me. One column from me | could get a CISO fired or move a Fortune 500 company's stock | price. That's a heavy responsibility that I wasn't really | accounting for, but now that I understand it, I've put some | thought into it and I have made some changes that I hope | will harden me and my platform against this kind of social | engineering attack." | cthalupa wrote: | >but what more do you want from the guy?
| | By the time the December story was published, it seems that | Krebs knew full well that his source was the person | implicated in the crime to begin with. I would like to | understand why he thought it was responsible to press forward | while obfuscating this fact, and how he will handle similar | situations moving forward. His thought process there will | help inform me as to whether or not I can personally take him | seriously on things of this nature in the future. | | As it stands, I don't know if he learned anything from this, | or if he still thinks that people that very well might have | perpetrated the crime he's reporting on are reputable sources | that he should post information from without question or | disclaimer and the only reason this is posted is because he | settled in court. | nibbleshifter wrote: | _many_ of Krebs's sources are criminals, often dropping | their competitors' info in Brian's lap as a way to get | ahead. | | Brian's a willing and witting participant in this | behaviour, even encourages it, because it gives him more | stories. | Werewolf255 wrote: | Yeah, this reflects my views too. He's using the veneer | or pretext of journalism and reporting the truth in order | for him to cover sloppy sourcing. | JumpCrisscross wrote: | > _using the veneer or pretext of journalism and reporting | the truth in order for him to cover sloppy sourcing_ | | Getting tips from criminals is not sloppy sourcing. There | is verification that obviously failed here. We likely | won't hear the full story until the prosecution and | litigation cycles have turned. | [deleted] | cthalupa wrote: | To me, the issue isn't really that the source in question | is a criminal - I think they might be a bit less reliable | than the average person, but as others have noted, | general people are pretty unreliable too.
| | But the fact that the source was also the person who has | allegedly perpetrated the crimes going unmentioned and | not being disclaimed to me is sloppy - even if there was | additional verification done, if you are mentioning this | source as the cornerstone of your article, I want to know | about the vested interests that source has. Obviously, | being the person that allegedly did it means you have A | LOT of vested interest in how it is covered and what is | revealed. If you want to talk yourself up and brag about | it (which seems to be a given if you are telling a | journalist about something you allegedly perpetrated) it | is totally reasonable for people to be suspicious about | how much is fact and how much is fiction. Humans like to | exaggerate when talking themselves up. | LordDragonfang wrote: | That might seem like an indictment of Brian's ethics, but | I'd argue that having criminals as sources is an | unfortunate inevitability if you're going to have up-to- | date reporting on a topic that is so heavily entangled | with cybercrime. | | Besides, it's not like non-criminal sources never lie. | nibbleshifter wrote: | There is nothing inherently wrong with using criminals | (or other unreliable sources) as sources, most | journalists in the space do so. | | The issue arises when you report on it without clearly | disclaiming/disclosing that it's a single, unreliable | source and that you have been unable to externally verify | the facts. | | Mistakes happen, and that's fine. But in recent years | Brian has been getting a bit slipshod in his verification | and disclosure practices, most likely due to competition | in the space and the need to publish fast. | jibe wrote: | It is fine to use criminal sources, but in this case the | criminal was a primary party with a self-interest. If you | can't disclose that and still write the story, it is a | warning that you either need additional sources, or don't | publish.
| KaiserPro wrote: | > it seems that Krebs knew full well that his source was | the person implicated in the crime to begin with | | I would say implicated in _a_ crime. It wasn't entirely | clear at the time that the crime was extortion. After all, | it's a very odd way to make money, as going public as a | "loose cannon who fucked a company by being so toxically | bad at their job they brought down a company" is not the | greatest CV experience post. | | I'm still not entirely clear how much of the architecture | described was bullshit. | ajross wrote: | The timing doesn't support that take, though. Nikolas Sharp | (the sole source for these stories) was arrested _almost a | year ago_. Krebs knew then that his source was tainted, and | he did nothing. Instead he waited until he was months into | litigation with Ubiquiti (which he's almost sure to lose) to | try to backpedal. | | That's just a straight-up violation of journalistic ethics. I | think it's very reasonable to demand that our reporters in | the security community be clear about their sourcing and | prompt about corrections. | | A "what more do you want from the guy" implies that we | shouldn't hold his past actions to account. And... we should. | We absolutely should. | danso wrote: | I would've liked to see some explanation for how Krebs fell | for this ruse, such as why _this_ single-sourced claim was | convincing enough to him to do a series of articles that | apparently did serious material harm to Ubiquiti. And at | least a few specifics of the key information that Krebs now | believes to be faked. Just because his source has been | indicted for alleged false info to the press doesn't mean | that _everything_ this source gave Krebs is automatically | fake.
In other words, what claims in the indictment, relating | to which evidence the source gave to Krebs, lead Krebs to | believe that that evidence is completely unreliable -- and | how much, if any, doubt/scrutiny did Krebs give that | evidence before this indictment? | | It doesn't have to be written in the tone of CYA excuses. The | angle is: _this is how I got fooled, and these are the | lessons I've learned going forward_. | | As Krebs writes in his _mea culpa_: _"I always endeavor to | ensure that my articles are properly sourced and factual."_ | Okay, so why didn't that happen here? Is it a one-time bespoke | situation, i.e. a perfect storm of mistakes? Or was it | because of standard practices that he now sees as | insufficient for these kinds of stories going forward? | system2 wrote: | I agree, maybe the "how he fell for this" part is related to | some legal constrictions. I personally dislike this type of | apology, which is very commonly used by corporates. | Hamuko wrote: | I'm not really sure if he's owning it. This post has not made | it to his Twitter feed, unlike most of the other recent | stories. They're probably not automated, so I wouldn't expect | it to be there immediately, but I kinda feel like he wants it | to just quietly go away if he doesn't mention it there as | well. | | https://twitter.com/briankrebs | acoard wrote: | >Everyone makes mistakes. | | Fully agree, which is why I said the same thing. :) | | >Granted, this is probably in response to some legal action | either in progress or already settled, but what more do you | want from the guy? | | As I said in my post, a stated awareness that he was used in | a cyber blackmail scheme, and at least some nominal promise | to try and be aware of that in the future. The difference | here is between "I made an honest mistake" and "I was taken | advantage of and used unwittingly in a scheme."
I'm not | interested in him self-flagellating and begging for | forgiveness, as my concern is totally forward-looking. I | believe this type of problem will come again, of people | trying to unwittingly use his reputation to push certain | agendas. If he isn't aware of that dimension of the problem | then it's likely it will re-occur. | | That being said, your point about this post being made in a legal | context is totally fair and had slipped my mind. I can | imagine any apology/statement/etc getting neutered by lawyers | for perfectly rational reasons. | renewiltord wrote: | In the counterfactual world where he says that, the top | comment on HN would have been that he's trying to weasel | out of personal responsibility. Besides, let's be honest: | he's going to be heavily policed by the Internet on any | statement that is similar to the ones on Ubiquiti. I think | he will be quite aware. | | In fact, here's an example of exactly what you're saying | being considered a convenient excuse: | https://news.ycombinator.com/item?id=32664689 | JackFr wrote: | As part of a post mortem you should ask "People will remain | fallible; how can we change the process so this is unlikely | to happen in the future?" And in general one likes to see | that kind of transparency ... but if the problem is | someone snuck through our defenses, often we don't want | to publicize the changes made because it might help | the next person. | | Although a "Steps will be taken." might be nice. | oaiey wrote: | Saying that he was part of the blackmail scheme would make | him maybe a target of legal actions from Ubiquiti. So .. that | you will not get. He has to do the same company lingo like | they all do after screwups. | tssva wrote: | He was/is the target of legal action from Ubiquiti. I | assume this statement is part of some settlement he has | reached with them regarding the legal action.
| asdfasgasdgasdg wrote: | Complaint: https://storage.courtlistener.com/recap/gov.uscourts.vaed.52... | | I remember at the time we were discussing the | misreporting I noted that Krebs' lack of retraction could | come back and bite him. It's interesting to see it now. | It's also interesting to note that it is referenced in | point 11 of the lawsuit. | | A little remorse goes a long way, and pride can be | expensive. | PuppyTailWags wrote: | I think it's obvious he's going to do something to avoid | this happening again but also I highly doubt anything would | be disclosed publicly about this. This isn't exactly a guy | with a track record of _not_ learning. | acoard wrote: | > I think it's obvious he's going to do something to | avoid this happening again but also I highly doubt | anything would be disclosed publicly about this. This | isn't exactly a guy with a track record of not learning. | | Sure, but part of a "mea culpa" is saying what's | important to be said. Otherwise why say anything at all? | Maybe he doesn't get it? Maybe he sees the facts | differently? | | Generally I agree with you, and think he's a smart guy | who is likely aware of this. But by not touching on those | lessons, he only weakens his message. | rovr138 wrote: | This is a publishing retraction. This isn't a | postmortem from a technical issue. | | He can't say it won't happen again. Like stated above, | they'll try to keep abusing him. | | He can't say what his process is or how it will change, | because that leaves it open to exploit. | | _mea culpa_ is just that, admitting fault. He did. He | also took action and described it there. | | There is no root cause analysis, corrective actions, or | preventive steps. | | It can happen again and statistically, if it goes long | enough, we can say it _will_ happen again.
| PuppyTailWags wrote: | Frankly, he is retracting something because it is wrong and | he is broadcasting that retraction on the largest | platform he has access to: his platform. He has sincerely | apologized to and made clear who he has harmed: Ubiquiti. | | So like, what do you want? What more should he say? You | say "maybe he sees the facts differently" as if we as | anonymous internet crowds are entitled to a post-mortem | on his psychological state. This strikes me as distinctly | parasocial. | williamscales wrote: | It's about reputation. His reputation has been damaged. I | think people genuinely appreciate what he's done and hope | that he'll rehabilitate it. | | Let's avoid ad hominem. | lostlogin wrote: | > So like, what do you want? | | This hasn't been a particularly prompt retraction. Why | the delay? | [deleted] | acoard wrote: | This isn't about a parasocial relationship with Krebs at | all, but determining how he'll avoid the situation again | going forward. | | > So like, what do you want? | | I think I've been pretty clear, basically an | acknowledgement of the situation and a statement that he | has some ideas on how to keep it from coming again. | I'm not even asking for an in-depth process update, I | realize why he might want to be vague. Importantly, I | just want to make sure he sees the problem. Otherwise, | what stops it from happening again? | | > What more should he say? You say "maybe he sees the | facts differently" as if we as anonymous internet crowds | are entitled to a post-mortem on his psychological state. | | I'm certainly not entitled to his mental state, he's free | to remain as private as he'd like. To go back to my | original point, I said "[how he] has handled this whole | episode has not inspired optimism in how he'll handle | future mistakes." So to answer your question, all I'm | saying is if he wants to be seen as a trustworthy public | security researcher that is a step he can take in service | of it.
If he wishes to remain private on it he can too, | but as he's decided to be a public security researcher I | think it's only fair to engage with that. And I think | it's off the mark to call it parasocial, when I'm only | engaging with him _as_ a public security researcher doing | security work. | [deleted] | stronglikedan wrote: | This is why he should have never apologized in the first place, | but rather just admit being wrong and move on. Apologies are | never enough for some people, and often even weaponized. | Jenk wrote: | Yep. Apologies are blood to lynch mobs. | karaterobot wrote: | As a third party unaffected by the events in any direct way, I | don't feel it's appropriate to give an opinion on whether the | apology is satisfactory or not. If Ubiquiti has one, I suppose | that's for them to express, or not, as they choose. | lolc wrote: | As a reporter, Krebs failed to promptly disclose or retract | when the source turned out to be the leak. That means my | understanding of events was left incomplete for longer than | it should have been. | | So he wronged Ubiquiti, which I don't particularly care for. | He also wronged his readers, which I am party to. This late | retraction is underwhelming and doesn't give me trust. As he | seems to only have retracted after being forced to by | Ubiquiti, now what do I make of his stories where his targets | don't have a legal team in his jurisdiction? | duxup wrote: | For a site that generally is there to give you the inside scoop | on what is really going on / happened, interesting / | disappointing that the choice is to not do so here. | | To me "sorry I was wrong" isn't enough. | Jenk wrote: | That's a non-answer. What more _do_ you want? What _would be_ | "enough"? | duxup wrote: | I don't know what you mean by non-answer. | IMTDb wrote: | Compensation for the damages done to Ubiquiti?
| | He chose to relay false information from an untrustworthy | source, in a way that damaged the Ubiquiti brand, and this | took some time and energy from Ubiquiti employees to fight | those false accusations. | | Here he is saying "Yeah, here is $0 for your troubles, I'll | be doing the bare minimum so you can't drag me in front of | a courthouse anymore". He is literally posting a 1 | paragraph piece of text. | | "Enough" would be: "I am going to fully compensate you for | the damages I have done by lacking professional integrity, | and making extraordinary claims while lacking the required | extraordinary proofs that usually come with them. Please | send me a bill for the salaries of the technical staff, | marketers and lawyers that had to be pulled from more | important projects to fight the fake news I relayed. I | understand that you have had to pay these people so you are | not going to profit from this and this only allows you to | break even on this whole mess. I note that - going forward | - this will be used as an additional compass for me as I | understand that my words have real, tangible consequences | for the people involved and I will avoid putting anyone in | danger without putting myself on the hook as well." | bedhead wrote: | I'm still bitter about this. The story absolutely reeked from | the beginning and Krebs did nothing but unnecessarily | sensationalize it like a tabloid journalist. I got downvoted a | million times over when I pointed this out at the time, why I | don't know, it was obvious to anyone who wasn't foaming at the | mouth to pounce on Ubiquiti. In decades past this was a career-ending | error...I wish it still was, I'll never take a single | word Krebs says seriously ever again. | oaiey wrote: | One upvote returned ;) | bedhead wrote: | Ha, thanks. Seriously, this was not a run-of-the-mill | journalistic mistake for which one apologizes and moves | on.
This was so brazen I couldn't even believe it at the | time, my assumption was that he was short Ubiquiti's stock | or something. What Krebs did was so egregious and so | extreme that I really have no idea why the world hasn't | turned its back on him as a journalist. | bombcar wrote: | Because there are no journalists left, it's all | entertainment, and we were entertained. | | I don't _like_ it, but that's what it is. | ulrashida wrote: | I think you're right, but it took me a few minutes to put my | finger on what was missing. | | There should have been a "going forward I will..." segment. | criddell wrote: | What should he do going forward? | elteto wrote: | He should become immune to social engineering and | manipulation... /s | | Now seriously, there is not much he can do going forward | other than be even more careful with vetting his sources. | Which I am sure he already internalized. | InitialLastName wrote: | (Questions about the current state of journalism | aside...) | | There is already standard journalistic practice for | avoiding this: get a second, more reliable source. It can | often be much easier to get a reliable source to verify | information initially provided by a sketchy source than | to get that reliable source to provide information in the | first place. | | If you post unverified information that one person on the | internet tells you, your work is indistinguishable from | gossip, and should be taken as such. | robertlagrant wrote: | Not be a shock jock revealing things based on untrustworthy | sources. | mandevil wrote: | His entire _beat_ is based on untrustworthy sources. What | makes him special is that he is hanging out on Russian | language carder forums and the like, monitoring the | gossip and identifying new threats and patterns of | behavior. That is the value that he adds, and it's a | reasonably big value. | | In this case, he got played, but if he stops trying to | work with untrustworthy sources he stops doing his job.
| bragr wrote: | >What makes him special is that he is hanging out on | Russian language carder forums and the like, monitoring | the gossip and identifying new threats and patterns of | behavior. That is the value that he adds, and it's a | reasonably big value. | | That's also not what he did in this case from my | understanding. The person contacted him. He didn't | verify it from secondary sources on the underground, or | get access to proof of the hack. I think people trust | him because he usually is able to provide some | verification, but failed to do so in this case. | skullone wrote: | I think he had to limit what he said, because he potentially | has some liability on what he had reported on in the past. | Crazy situation | VogonPoetry wrote: | Unfortunately I don't think this is the first time he has been | socially manipulated in this way. Mr Krebs does seem to have a | habit of only getting the details from one side of things and | only writing things from that side of the story. Perhaps due to | the nature of some of his investigations. | | Everyone has weaknesses to being socially manipulated. One way | to mitigate this is to open a dialog with "the other side" to | check and seek out inconsistencies. Perhaps not revealing | everything in your exposé story or leaving the veracity of it | somewhat ambiguous until things develop further. This could | weaken the impact of your initial story. Dialog is probably not | easy when the other party is undoubtedly criminal and you can | get blocked from reaching the right people. In this case, the | accusations were against a corporation. They can be good or | bad, but ultimately legal processes will reveal things. | | I do think Mr Krebs has upped his game in recent years and | enjoy reading his stories, but I read them like fiction rather | than actual verified facts. | neilv wrote: | I'd guess he's been advised not to say too much, and the | specific way to say what he did.
| | Besides the ongoing criminal case for which he may be a | witness, I'd guess there may be potential liability wrt the | company, and I'd guess that he's being careful not to create | new potential liability wrt the indicted person (see several | different nuances in his "My sole source" sentence). | | And this sounds like a lawyer-approved way to convey that he | recognizes the importance, without saying any specific possible | mistake of his that could be fodder, nor prejudging the case: | | > _I always endeavor to ensure that my articles are properly | sourced and factual._ | dotBen wrote: | Yes, this is exactly right - his post is clearly the product | of legal negotiations with Ubiquiti and probably cleared by | both them and his own counsel. He's well advised not to say | more than he needs to, even if people in this community would | like him to fall on his sword more, that's just not how this | stuff works. | photochemsyn wrote: | This seems to be the basics of the case: | | Initial report: | https://web.archive.org/web/20211202143043/https://krebsonse... | | Indictment of source: | https://web.archive.org/web/20211202161703/https://krebsonse... | | In cases like this it's probably better to leave the article up | but plaster a big red 'retracted' banner across it, with a link | to a complete explanation as to why it was retracted. | | As far as defamation, isn't the legal bar on that pretty high in | the USA? Maybe there's a negligence issue, i.e. relying on a | single source, not doing enough background, etc. that overrides | the normal 'good faith' reporting norms? | filmgirlcw wrote: | As I said in another comment, I feel certain (based on my own | direct experience working for a publication that faced numerous | lawsuits over what in those cases were factual articles) that | this was a condition of a legal settlement.
|
| And the thing is, you settle in this case because even though the defamation bar is really high, if your sourcing was wrong (and you maybe didn't do the best job of vetting that sourcing) and the more complicated aspect is that your source was later indicted in relation to a crime directly connected to the information they shared as the basis of that article, this seems like a pretty straightforward "settle it and move on" scenario, rather than trying to fight it in the courts. Barring the largesse of a large news organization (who also might choose to settle, as the Washington Post did with that kid in DC, even though the New York Times and others were years later found to not have defamed him), this is probably not the sort of thing you want to spend the potentially hundreds of thousands of dollars fighting. Because at the end of the day, the reporting was still flawed.
| blitzar wrote:
| Date Filed: August 25th, 2022 "Defendants Brian Krebs and Krebs on Security, LLC respectfully request that the Court extend the deadline for Defendants to respond to the Complaint by an additional thirty days in light of extraordinary circumstances that have delayed the finalization of the parties' settlement"
|
| https://www.courtlistener.com/docket/63197557/21/ubiquiti-in...
|
| They have been finalizing the settlement for some time. I would guess it is now settled.
| filmgirlcw wrote:
| Yup. Interesting filing. I assume, like you, that they've settled and it is likely that there will be another filing to dismiss today or tomorrow.
| CaliforniaKarl wrote:
| I don't see this post when I go to https://krebsonsecurity.com/, at least on iOS Safari. Also, on the home page, when I scroll down to the list of all posts, I don't see this one.
|
| Edit: It's there now! Thanks to u/Pharaoh2 for the heads-up.
| Pharaoh2 wrote:
| I see it there
| CaliforniaKarl wrote:
| Ah, indeed! I now also see it.
| I guess parts of the site are cached and take time to refresh?
|
| Regardless, thanks for the correction!
| InTheArena wrote:
| Mad props to Brian on this. It's way overdue - and frankly, the Ubiquiti lawsuit was poor PR management - but it's good to put things right given some very poor journalistic choices. Journalists admitting when they are wrong is a key step in rebuilding trust in our institutions - not only news but many aspects of civil society here.
|
| Ubiquiti - as a fan of your products - please drop the lawsuit now. I get that this did a ton of damage to the company, but I don't think anyone wins by dragging this out. The product lineup has improved dramatically over the last year, and it would be good to focus there.
| jnwatson wrote:
| I'm not aware of any new information in the last 6 months about the matter.
|
| I guess better late than never.
| Semaphor wrote:
| Mad props to him for finally posting a retraction and half-assed apology after Ubiquiti forced him to with the lawsuit they never should have done? What?
| vel0city wrote:
| Is it really props when you're being sued nearly half a million in damages to continue hosting the articles?
|
| If he wanted to take down the articles because he felt he was wrong, he had months to do so.
|
| He gets zero props from me for only taking down the articles after being sued.
| bombcar wrote:
| Once sued his lawyer probably told him to shut the hell up and not touch anything.
|
| The time to do the right thing was before the lawsuit was filed.
| jonpurdy wrote:
| There was a lot of discussion from ex-Ubnt employees in a January 2021 thread* related to outsourcing and incompetent management. From what I've read, they still show ads for their products in newer Unifi Controller web interfaces and don't have a way of disabling tracking.
|
| But now that the Krebs retraction has occurred, my brain doesn't know how bad/incompetent Ubiquiti is these days.
|
| Is there an updated-for-2022 source of info on Ubiquiti's problems? i.e. what complaints are still valid, and which ones are not valid due to the cyber blackmail incident?
|
| I was a big supporter from 2015-2019 and I still run their AC Lite AP + EdgeRouterX, but haven't updated them beyond 2019 firmware.
|
| * - https://news.ycombinator.com/item?id=25735032
| InTheArena wrote:
| It's solidified incredibly over the last year. It no longer requires centralized login, no longer shows ads (or you can opt out of them. I don't see it one way or another).
|
| More importantly, the network infrastructure has gotten much much better. I haven't had any stability issues other than testing our new early adopter firmware, and the first versions of policy based load balancing have landed.
| flyinghamster wrote:
| > It no longer requires centralized login
|
| Thanks for the update. I have a couple of UAP-AC-Lites and an EdgeRouter PoE, but the recent "cloudiness" began to set my teeth on edge, and I've been loath to upgrade my controller.
| mattgreenrocks wrote:
| Recent updates to the base UDM have been noticeably better than before. I don't know what they're doing differently but I hope they continue along this trajectory.
| InTheArena wrote:
| Yeah, the investment is showing. I just installed a UDR at my parents' place, and it's awesome. Provides not only the UDM functionality, but also VOIP or cameras out of the box - with everything in a fully managed state.
|
| They are doing a lot of enterprisey bits right now, but I think their more prosumer stuff is also doing well.
| jandrusk wrote:
| Sure sounds like a response to the lawsuit:
| https://twitter.com/QuinnyPig/status/1508965090019577856?t=L...
| badrabbit wrote:
| Someone correct me, but, isn't a journalist supposed to have independent corroborating source/evidence no matter how solid one sole source is? Is that basically where he missed the "mark"?
| Fnoord wrote:
| There used to be a rule in journalism: one source is no source.
| Werewolf255 wrote:
| Yeah, at this point I'm taking Krebs off of any alert or recommendation lists. Appreciate the mea culpa, but it's not like he's been making stellar decisions before this problem.
|
| It also doesn't read as an apology, but an acknowledgment that he was given bad info from a source.
| AndrewUnmuted wrote:
| WaitWaitWha wrote:
| [x] I made a mistake
|
| [x] This is how I made the mistake
|
| [x] I am sorry
|
| [x] I am going to do better
|
| [ ? ] These are the details how I am going to do better
___________________________________________________________________
(page generated 2022-08-31 23:00 UTC)