An accurate but pretty lacklustre "mea culpa" and retraction. I don't mind people making mistakes, everyone does, but seeing how Krebs has handled this whole episode has not inspired optimism in how he'll handle future mistakes.
He was essentially used as an unwitting party in a cyber blackmail scheme, and he doesn't touch on that at all. There will continue to be nefarious parties trying to misuse his reputation, so long as he remains a popular cyber researcher. I wish he would show consciousness of that rather than simply saying "I was wrong."
Fully agree, which is why I said the same thing. :)
> Granted, this is probably in response to some legal action either in progress or already settled, but what more do you want from the guy?
As I said in my post, a stated awareness that he was used in a cyber blackmail scheme, and at least some nominal promise to try and be aware of that in the future. The difference here is between "I made an honest mistake" and "I was taken advantage of and used unwittingly in a scheme." I'm not interested in him self-flagellating and begging for forgiveness, as my concern is totally forward-looking. I believe this type of problem will come again, of people trying to unwittingly use his reputation to push certain agendas. If he isn't aware of that dimension of the problem then it's likely it will re-occur.
That being said, your point about this post made in a legal context is totally fair and had slipped my mind. I can imagine any apology/statement/etc getting neutered by lawyers for perfectly rational reasons.
Saying that he was part of the blackmail scheme would maybe make him a target of legal action from Ubiquiti. So... that you will not get. He has to use the same company lingo they all do after screwups.
He was/is the target of legal action from Ubiquiti. I assume this statement is part of some settlement he has reached with them regarding the legal action.
I remember at the time we were discussing the misreporting I noted that Krebs’ lack of retraction could come back and bite him. It’s interesting to see it now. It’s also interesting to note that it is referenced in point 11 of the lawsuit.
A little remorse goes a long way, and pride can be expensive.
I think it's obvious he's going to do something to avoid this happening again but also I highly doubt anything would be disclosed publicly about this. This isn't exactly a guy with a track record of not learning.
> I think it's obvious he's going to do something to avoid this happening again but also I highly doubt anything would be disclosed publicly about this. This isn't exactly a guy with a track record of not learning.
Sure, but part of a "mea culpa" is saying what's important to be said. Otherwise why say anything at all? Maybe he doesn't get it? Maybe he sees the facts differently?
Generally I agree with you, and think he's a smart guy who is likely aware of this. But by not touching on those lessons, he only weakens his message.
Frankly, he is retracting something because it is wrong and he is broadcasting that retraction on the largest platform he has access to: his platform. He has sincerely apologized to and made clear who he has harmed: Ubiquiti.
So like, what do you want? What more should he say? You say "maybe he sees the facts differently" as if we as anonymous internet crowds are entitled to a post-mortem on his psychological state. This strikes me as distinctly parasocial.
This isn't about a parasocial relationship with Krebs at all, but determining how he'll avoid the situation again going forward.
> So like, what do you want?
I think I've been pretty clear, basically an acknowledgement of the situation and a statement that he has some ideas on how to address it from coming again. I'm not even asking for an in-depth process update, I realize why he might want to be vague. Importantly, I just want to make sure he sees the problem. Otherwise, what stops it from happening again?
> What more should he say? You say "maybe he sees the facts differently" as if we as anonymous internet crowds are entitled to a post-mortem on his psychological state.
I'm certainly not entitled to his mental state, he's free to remain as private as he'd like. To go back to my original point, I said "[how he] has handled this whole episode has not inspired optimism in how he'll handle future mistakes." So to answer your question, all I'm saying is if he wants to be seen as a trustworthy public security researcher that is a step he can take in service of it. If he wishes to remain private on it he can too, but as he's decided to be a public security researcher I think it's only fair to engage with that. And I think it's off the mark to call it parasocial, when I'm only engaging with him as a public security researcher doing security work.
While Krebs may have gotten it wrong this time, I think there are some interesting components that we better understand because of the scrutiny on Ubiquiti.
The first is that Ubiquiti's opsec was subpar and contributed to the breach. This was at a time when long-time Ubiquiti customers were getting very publicly frustrated that they were forcing products and users to rely on their cloud ops for authentication into local gear. This mainly impacted the products under the UniFi lineup, but it was clear Ubiquiti was testing the waters to see how much pushback they'd get by removing the capability of local auth. The two together likely made the public fiasco even more turbulent internally.
The second is that we learned that Ubiquiti did not do right by customers in their timing or statement of breach disclosure. It was a very weak disclosure and they did everything to skirt around the true situation. Let's not forget that Ubiquiti buried this in a very benign-looking statement in the 10-Q files on 02-04-22 [0] (around page 31) when they knew damn well that this was a significant risk to all of their customers.
All in all I think the additional exposure Krebs brought on Ubiquiti at least forced a lot of the truth into the spotlight. Without that I don't think the extent of the breach would be known. Ubiquiti downplayed and chose to not respond to their customers. For that, I still think they handled the situation very poorly.
Acknowledging it absolutely has legal repercussions.
Taking ownership is positive when the other parties are interested in an ongoing positive relationship. If the other party just wants the maximum blood/retribution, it’s just falling on your sword. And in the legal arena, that can be a lot more literal than you’d think.
In this situation, Krebs could easily be completely bankrupted by Ubiquiti with a naive statement of responsibility. If he stated it particularly naively, he might even face criminal charges.
I doubt he’d go to jail, but if he was that dumb, he might say similarly naive things at a criminal trial and end up there.
Lawyers' jobs include keeping their clients' mouths shut so they don't footgun themselves like that.
Even if no one at Ubiquiti had a particular axe to grind, they have no personal relationship with him, and have no reason to NOT try to get as much out of him as they can. One could argue that they’d be negligent to those they do have a relationship with (partners, shareholders, employees) if they didn’t go after him as hard as they could, as long as they didn’t cause a PR nightmare.
In the counterfactual world where he says that, the top comment on HN would have been that he's trying to weasel out of personal responsibility. Besides, let's be honest: he's going to be heavily policed by the Internet on any statement that is similar to the ones on Ubiquiti. I think he will be quite aware.
As part of a post mortem you should ask "People will remain fallible; how can we change the process so this is unlikely to happen in the future?" And in general one likes to see that kind of transparency... but if the problem is someone snuck through our defenses, often we don't want to publicize the changes made because it might help the next person.
By the time the December story was published, it seems that Krebs knew full well that his source was the person implicated in the crime to begin with. I would like to understand why he thought it was responsible to press forward while obfuscating this fact, and how he will handle similar situations moving forward. His thought process there will help inform me as to whether or not I can personally take him seriously on things of this nature in the future.
As it stands, I don't know if he learned anything from this, or if he still thinks that people who very well might have perpetrated the crime he's reporting on are reputable sources that he should post information from without question or disclaimer, and the only reason this is posted is because he settled in court.
That might seem like an indictment of Brian's ethics, but I'd argue that having criminals as sources is an unfortunate inevitability if you're going to have up-to-date reporting on a topic that is so heavily entangled with cybercrime.
Besides, it's not like non-criminal sources never lie.
It is fine to use criminal sources, but in this case the criminal was a primary party with a self interest. If you can’t disclose that and still wrote the story, it is a warning that you either need additional sources, or don’t publish.
There is nothing inherently wrong with using criminals (or other unreliable sources) as sources, most journalists in the space do so.
The issue arises when you report on it without clearly disclaiming/disclosing that it's a single, unreliable source and that you have been unable to externally verify the facts.
Mistakes happen, and that's fine. But in recent years Brian has been getting a bit slipshod in his verification and disclosure practices, most likely due to competition in the space and the need to publish fast.
> sing the veneer or pretext of journalism and reporting the truth in order for him to cover sloppy sourcing
Getting tips from criminals is not sloppy sourcing. There is verification that obviously failed here. We likely won't hear the full story until the prosecution and litigation cycles have turned.
To me, the issue isn't really that the source in question is a criminal - I think they might be a bit less reliable than the average person, but as others have noted, general people are pretty unreliable too.
But the fact that the source was also the person who has allegedly perpetrated the crimes going unmentioned and not being disclaimed to me is sloppy - even if there was additional verification done, if you are mentioning this source as the cornerstone of your article, I want to know about the vested interests that source has. Obviously, being the person that allegedly did it means you have A LOT of vested interest in how it is covered and what is revealed. If you want to talk yourself up and brag about it (which seems to be a given if you are telling a journalist about something you allegedly perpetrated) it is totally reasonable for people to be suspicious about how much is fact and how much is fiction. Humans like to exaggerate when talking themselves up.
Most for sure, but even then most I know aren’t checking everything, all the time.
Which leaves a lot of crap out there.
And most of the industry is busy trying to stay afloat and shoveling whatever random thing they can find. Only the top couple percent has the luxury of taking or leaving something juicy (if it isn’t obviously a trap).
> it seems that Krebs knew full well that his source was the person implicated in the crime to begin with
I would say implicated in a crime. It wasn't entirely clear at the time that the crime was extortion. After all, it's a very odd way to make money, as going public as a "loose cannon who fucked a company by being so toxically bad at their job they brought down a company" is not the greatest CV experience post.
I'm still not entirely clear how much of the architecture described was bullshit.
"This has taught me that my platform can be weaponized by any bad actor who can fool or manipulate me. One column from me could get a CISO fired or move a Fortune 500 company's stock price. That's a heavy responsibility that I wasn't really accounting for, but now that I understand it, I've put some thought into it and I have made some changes that I hope will harden me and my platform against this kind of social engineering attack."
The timing doesn't support that take, though. Nikolas Sharp (the sole source for these stories) was arrested almost a year ago. Krebs knew then that his source was tainted, and he did nothing. Instead he waited until he was months into litigation with Ubiquiti (which he's almost sure to lose) to try to backpedal.
That's just a straight up violation of journalistic ethics. I think it's very reasonable to demand that our reporters in the security community be clear about their sourcing and prompt about corrections.
A "what more do you want from the guy" implies that we shouldn't hold his past actions to account. And... we should. We absolutely should.
> This is about as straightforward as a "I screwed up, I own it, I apologize"
"A source provided info. Source is now discredited. I thus no longer trust the info." That's the gist of the apology. But that's neither here nor there, it does not show understanding of the fact that his reputation was deliberately used for criminal purposes.
"This time, I missed the mark and, as a result, I would like to extend my sincerest apologies to Ubiquiti, and I have decided to remove those articles from my website."
He is being sued by them for $425,000 in damages. Last update on the court case was a request for an extension due to them trying to finalize a settlement, I suspect this was part of that settlement.
I would've liked to see some explanation for how Krebs fell for this ruse, such as why this single-sourced claim was convincing enough to him to do a series of articles that apparently did serious material harm to Ubiquiti. And at least a few specifics of the key information that Krebs now believes to be faked. Just because his source has been indicted for alleged false info to the press doesn't mean that everything this source gave Krebs is automatically fake. In other words, what claims in the indictment, relating to which evidence the source gave to Krebs, lead Krebs to believe that that evidence is completely unreliable -- and how much, if any, doubt/scrutiny did Krebs give that evidence before this indictment?
It doesn't have to be written in the tone of CYA excuses. The angle is: this is how I got fooled, and these are the lessons I've learned going forward.
As Krebs writes in his mea culpa: "I always endeavor to ensure that my articles are properly sourced and factual." Okay, so why didn't that happen here? Is it a one-time bespoke situation, i.e. a perfect storm of mistakes? Or was it because of standard practices that he now sees as insufficient for these kinds of stories going forward?
I agree, maybe the "how he fell for this" part is related to some legal constraints. I personally dislike this type of apology, which is very commonly used by corporations.
He was duped by a con man. Everyone is susceptible to SE, even smart guys like Brian. A case can be made that it is the most difficult challenge/vector in cyber security.
Seems more like he was willfully played and that Ubiquiti lawyers can show negligence on his part which would not be a good look for a security researcher.
I'm not really sure if he's owning it. This post has not made it to his Twitter feed, unlike most of the other recent stories. They're probably not automated, so I wouldn't expect it to be there immediately, but I kinda feel like he wants it to just quietly go away if he doesn't mention it there as well.
Brian is a journalist more than he is a security researcher; anything he publishes as a journalist should be held to a higher standard than a random person just speaking their mind. He had ample opportunity to get out ahead and issue a retraction of the story when it was known to be false, well before the Ubiquiti lawsuit.
I’m still bitter about this. The story absolutely reeked from the beginning and Krebs did nothing but unnecessarily sensationalize it like a tabloid journalist. I got downvoted a million times over when I pointed this out at the time, why I don’t know, it was obvious to anyone who wasn’t foaming at the mouth to pounce on Ubiquiti. In decades past this was a career-ending error…I wish it still was, I’ll never take a single word Krebs says seriously ever again.
Ha, thanks. Seriously, this was not a run-of-the-mill journalistic mistake for which one apologizes and moves on. This was so brazen I couldn't even believe it at the time; my assumption was that he was short Ubiquiti's stock or something. What Krebs did was so egregious and so extreme that I really have no idea why the world hasn't turned its back on him as a journalist.
I'd guess he's been advised not to say too much, and the specific way to say what he did.
Besides the ongoing criminal case for which he may be a witness, I'd guess there may be potential liability wrt the company, and I'd guess that he's being careful not to create new potential liability wrt the indicted person (see several different nuances in his "My sole source" sentence).
And this sounds like a lawyer-approved way to convey that he recognizes the importance, without saying any specific possible mistake of his that could be fodder, nor prejudging the case:
> I always endeavor to ensure that my articles are properly sourced and factual.
Yes, this is exactly right - his post is clearly the product of legal negotiations with Ubiquiti and probably cleared by both them and his own counsel. He's well advised not to say more than he needs to, even if people in this community would like him to fall on his sword more; that's just not how this stuff works.
He should become immune to social engineering and manipulation... /s
Now seriously, there is not much he can do going forward other than be even more careful with vetting his sources. Which I am sure he already internalized.
(Questions about the current state of journalism aside...)
There is already standard journalistic practice for avoiding this: get a second, more reliable source. It can often be much easier to get a reliable source to verify information initially provided by a sketchy source than to get that reliable source to provide information in the first place.
If you post unverified information that one person on the internet tells you, your work is indistinguishable from gossip, and should be taken as such.
His entire beat is based on untrustworthy sources. What makes him special is that he is hanging out on Russian language carder forums and the like, monitoring the gossip and identifying new threats and patterns of behavior. That is the value that he adds, and it's a reasonably big value.
In this case, he got played, but if he stops trying to work with untrustworthy sources he stops doing his job.
> What makes him special is that he is hanging out on Russian language carder forums and the like, monitoring the gossip and identifying new threats and patterns of behavior. That is the value that he adds, and it's a reasonably big value.
That's also not what he did in this case, from my understanding. The person contacted him. He didn't verify it from secondary sources on the underground, or get access to proof of the hack. I think people trust him because he usually is able to provide some verification, but he failed to do so in this case.
Unfortunately I don't think this is the first time he has been socially manipulated in this way. Mr Krebs does seem to have a habit of only getting the details from one side of things and only writing things from that side of the story. Perhaps due to the nature of some of his investigations.
Everyone has weaknesses to being socially manipulated. One way to mitigate this is to open a dialog with "the other side" to check and seek out inconsistencies. Perhaps not revealing everything in your exposé story or leaving the veracity of it somewhat ambiguous until things develop further. This could weaken the impact of your initial story. Dialog is probably not easy when the other party is undoubtedly criminal and you can get blocked from reaching the right people. In this case, the accusations were against a corporation. They can be good or bad, but ultimately legal processes will reveal things.
I do think Mr Krebs has upped his game in recent years and enjoy reading his stories, but I read them like fiction rather than actual verified facts.
For a site that generally is there to give you the inside scoop on what is really going on / happened, interesting / disappointing that the choice is to not do so here.
He chose to relay false information from an untrustworthy source, in a way that damaged the Ubiquiti brand, and this took some time and energy from Ubiquiti employees to fight those false accusations.
Here he is saying "Yeah, here is $0 for your troubles, I'll be doing the bare minimum so you can't drag me in front of a courthouse anymore". He is literally posting a 1 paragraph piece of text.
"Enough" would be: "I am going to fully compensate you for the damages I have done by lacking professional integrity, and making extraordinary claims while lacking the required extraordinary proof that usually comes with them. Please send me a bill for the salaries of the technical staff, marketers and lawyers that had to be pulled from more important projects to fight the fake news I relayed. I understand that you have had to pay these people so you are not going to profit from this and this only allows you to break even on this whole mess. I note that - going forward - this will be used as an additional compass for me as I understand that my words have real, tangible consequences for the people involved and I will avoid putting anyone in danger without putting myself on the hook as well."
This is why he should have never apologized in the first place, but rather just admitted being wrong and moved on. Apologies are never enough for some people, and are often even weaponized.
I read this as a post probably vetted by his legal team and probably not issued earlier because of the ongoing legal action (and then probably subsequent negotiations with Ubiquiti).
He absolutely fucked up here but he probably can't say so and likely wasn't able to retract sooner lest he open himself up to legal culpability for his part in the blackmail scheme (unwitting or not).
Unfortunately this is just how the world works. I hope he has learnt his lesson and will be more thorough in his vetting of his sources and how his reputation can be misappropriated by malicious actors to do very serious harm.
It does read, to me, much like it’s something that was workshopped between Krebs, his lawyers and Ubiquiti’s.
This apology should be about Ubiquiti, not Krebs, and maybe the terseness is just a reflection of that.
Frankly I was on the fence about buying new Ubiquiti gear because of what I’d heard, and seeing this lets me reevaluate my position - which I think is the point.
As a third party unaffected by the events in any direct way, I don't feel it's appropriate to give an opinion on whether the apology is satisfactory or not. If Ubiquiti has one, I suppose that's for them to express, or not, as they choose.
As a reporter, Krebs failed to promptly disclose or retract when the source turned out to be the leak. That means my understanding of events was left incomplete for longer than it should have been.
So he wronged Ubiquiti, which I don't particularly care for. He also wronged his readers, which I am party to. This late retraction is underwhelming and doesn't give me trust. As he seems to only have retracted after being forced to by Ubiquiti, now what do I make of his stories where his targets don't have a legal team in his jurisdiction?
> As a result of the new information that has been provided to me, I no longer have faith in the veracity of my source or the information he provided to me. I always endeavor to ensure that my articles are properly sourced and factual.
This is a strange statement given how the details of the FBI investigation have been public for a very long time.
Krebs was fast to report on the initial accusations, but seems to have waited as long as possible to write about the revelations that his source was actually the perpetrator.
> This time, I missed the mark and, as a result, I would like to extend my sincerest apologies to Ubiquiti, and I have decided to remove those articles from my website.
Given that Krebs is a reporter who has historically built a reputation on exposing things and bringing information to light, the brevity and vagueness of this article feels much more like a compromise to settle a lawsuit than typical reporting.
This is a failure across many journalists; the inability to view what they're involved with objectively. The amount of scrutiny applied to a source is inversely proportional with how much I want to believe the source.
The sense I read from the GP is that if I want to believe the source, I'm less likely to apply strict scrutiny to what they tell me. The more I want to believe, the less I'll dig into what I'm hearing. Some things are just too good to not believe.
Exactly. Krebs did it himself (doubling down on his "source" even as evidence began to come to light that the source was not clean) and we as commentators do also (the original posts are filled with "the software sucks because of X, Y, and Z so this is obviously true).
Yup, freezing everything in place when the lawsuit lands is the sensible thing to do. Deleting posts (that you refused to delete on previous takedown requests) or writing a retraction is going to be effectively an admission of guilt - and also you can't settle it with a retraction...
In cases like this it's probably better to leave the article up but plaster a big red 'retracted' banner across it, with a link to a complete explanation as to why it was retracted.
As far as defamation, isn't the legal bar on that pretty high in the USA? Maybe there's a negligence issue, i.e. relying on a single source, not doing enough background, etc. that overrides the normal 'good faith' reporting norms?
As I said in another comment, I feel certain (based on my own direct experience working for a publication that faced numerous lawsuits over what in those cases were factual articles) that this was a condition of a legal settlement.
And the thing is, you settle in this case because even though the defamation bar is really high, if your sourcing was wrong (and you maybe didn't do the best job of vetting that sourcing) and the more complicated aspect is that your source was later indicted in relation to a crime directly connected to the information they shared as the basis of that article, this seems like a pretty straightforward "settle it and move on" scenario, rather than trying to fight it in the courts. Barring the largesse of a large news organization (who also might choose to settle, as the Washington Post did with that kid in DC, even though the New York Times and others were years later found to not have defamed him), this is probably not the sort of thing you want to spend the potentially hundreds of thousands of dollars fighting. Because at the end of the day, the reporting was still flawed.
Date Filed: August 25th, 2022 "Defendants Brian Krebs and Krebs on Security, LLC respectfully request that the Court extend the deadline for Defendants to respond to the Complaint by an additional thirty days in light of extraordinary circumstances that have delayed the finalization of the parties’ settlement"
> In cases like this it's probably better to leave the article up but plaster a big red 'retracted' banner across it, with a link to a complete explanation as to why it was retracted.
Yes, that would have been IMHO much more appropriate, though there is the Wayback Machine (thanks for providing the link), allowing everyone to see with their own eyes what the matter was.
There was a lot of discussion from ex-Ubnt employees in a January 2021 thread※ related to outsourcing and incompetent management. From what I've read, they still show ads for their products in newer Unifi Controller web interfaces and don't have a way of disabling tracking.
But now that the Krebs retraction has occurred, my brain doesn't know how bad/incompetent Ubiquiti is these days.
Is there an updated-for-2022 source of info on Ubiquiti's problems? i.e. what complaints are still valid, and which ones are not valid due to the cyber blackmail incident?
I was a big supporter from 2015-2019 and I still run their AC Lite AP + EdgeRouterX, but haven't updated them beyond 2019 firmware.
It's solidified incredibly over the last year. It no longer requires centralized login, no longer shows ads (or you can opt out of them. I don't see it one way or another).
More importantly, the network infrastructure has gotten much, much better. I haven't had any stability issues other than testing our new early adopter firmware, and the first versions of policy based load balancing have landed.
Thanks for the update. I have a couple of UAP-AC-Lites and an EdgeRouter PoE, but the recent "cloudiness" began to set my teeth on edge, and I've been loath to upgrade my controller.
Recent updates to the base UDM have been noticeably better than before. I don’t know what they’re doing differently but I hope they continue along this trajectory.
Yeah, the investment is showing. I just installed a UDR at my parents' place, and it's awesome. Provides not only the UDM functionality, but also VOIP or cameras out of the box - with everything in a fully managed state.
They are doing a lot of enterprisey bits right now, but I think their more prosumer stuff is also doing well.
I was a bit disappointed with my Dream Machine Pro at the start, but now it's getting there - they now even provide a simple VPN solution that works on top of WireGuard.
What's still missing is more advanced routing exposed in the interface (like DNAT) and it would be perfect. I have another one deployed in a shop and it's working fine, even with the harsh hardware conditions it's put in (lots of dirt/dust from auto mechanics, even if it's protected in a rack high in the room).
Before people jump on this with super negativity... mistakes happen.
What is Krebs' false positive rate? I think low enough that a simple, clear explanation of why it happened is sufficient.
There's no weasel words or evasion here - he owns up to the error, apologizes to affected parties, and retracts all original posts.
It's true that his reporting probably caused stress for Ubiquiti. I'm curious what people think is a fair system to compensate for that, without wiping out independent, generally high-accuracy reporters like Krebs.
What's more important is how those false positives are handled.
In this case, it feels like it was swept under the rug and he avoided addressing for as long as possible. If he had simply addressed the problem head-on as the news came out and the FBI information became public, it would have been a different story.
The way he rushed to report accusations from an anonymous source (who was actually the perpetrator) felt asymmetric relative to the minimal reporting on the extortion scandal and ensuing FBI investigation. IMO, the story about someone extorting their employer and then abusing security reporters as leverage was more interesting than the original story. Yet Krebs did very little reporting on the latter, likely because he knew he was central to making it all happen in the first place.
> What's more important is how those false positives are handled.
Is it really though? If there's a company that has to defend / apologize often (Facebook/Meta maybe) I'd be way more critical of their apology than if one guy who didn't have a case like that before apologizes a bit too late for some people, or not in the way they wish he would. There's also a lot of information we don't know yet; we don't know what happened behind the scenes and when he was provided with the final verdict and facts.
You only ever hear about it when he gets high profile cases wrong.
When my project was targeted by him, he ended up going down some conspiracy rabbit hole and doxed all the wrong people. This forced me to issue a correction - mission accomplished, I guess.
During his "investigation" he accidentally sent an email that was meant for his business partner to some of my friends. It offered a glimpse into his sensationalist mindset. I don't have much respect for that guy.
Well, we don't know. How many times has he been either the willing accomplice or unwitting patsy in stock manipulation or corporate sabotage? Does he even know?
IIRC, he never even apologised for it - just straight up said nothing, like he was pretending it never happened. I haven't followed Krebs' articles since then, he totally lost my trust.
Ubiquiti lost $4B in market cap based on this one, poorly sourced post Krebs wrote. He then waited 9 months after he knew it was lies to correct and only does it in the most muted, begrudging way possible. This is completely unethical behavior for a writer.
I don't think it's fair to attribute their losses directly to Krebs. While this instance is in their favor, Ubiquiti have been doing plenty on their own to alienate their client base. Half-baked software updates, pushing products in new verticals without delivering on existing products. It's clear that there are still issues within Ubiquiti that aren't washed away by this "breach". They're attempting to be enterprise and barely delivering in the prosumer market.
The thing is, even with Krebs' article, and subsequent reports from both sources at Ubiquiti and their partners from current and past employees in prior conversations on HN (can't recall the ex-employee's handle but I spoke to an ex-staff member at Ubiquiti on HN a while back, it's in my comment history; found the comments, see [1]),
Ubiquiti had a part to play in their compromise, their products have demonstrably gotten worse and it was clear from everything that came out in the wash. Ubiquiti's market value has gone down for a multitude of reasons.
Sure, Krebs has a part to play in being socially engineered to push a criminal's MO. But Ubiquiti's market cap also went down because:
* Ubiquiti are huge, and it's clear they don't have a good engineering culture, or have one at all, and that had a part to play in their compromise with or without Krebs being a willing participant in it at all
* For a several billion dollar company, they don't have appropriate risk strategies or security controls in place that are expected of a business of their size
* Their products have gotten significantly worse over the years and as a consequence of the Covid-19 pandemic and supply chain markets, they haven't got product out the door as quickly as prior
The question isn't if they deserved to lose $4B as a consequence of the hack, it's a question of how much of that $4B market loss is because they're not a well-run business, as evidenced by the hack, vs. how much of that $4B loss was directly because of Krebs. That's a much harder line to define.
Yeah, but publishing information as quickly as possible to surf on the first big clicks-wave can cost people their jobs, because it can result in someone deciding to go with another company.
A friend who is looking for an easier-to-manage network for his wife's doctor's office let me know that there are reports about security issues after I recommended to him to evaluate whether Ubiquiti could be a good option. Not sure what exactly he was referring to. Nevertheless, I've now sent him the link to this article.
> What is Krebs' false positive rate? I think low enough that a simple, clear explanation of why it happened is sufficient.
Pretty damned high. From doxxing completely incorrect people over Twitter beef to over-trusting sources like this, he's had a number of controversies over the years and has demonstrated his unreliability as a source of information.
> There's no weasel words or evasion here - he owns up to the error, apologizes to affected parties, and retracts all original posts.
Actually he carefully does not own up to the error:
> Last year, I posted a series of articles about a purported “breach” at Ubiquiti. My sole source for that reporting was the person who has since been indicted by federal prosecutors for his alleged wrongdoing – which includes providing false information to the press.
By including "which includes providing false information to the press" he's effectively saying it wasn't his fault. Did other press report on it? Did other press ignore the follow-up for nearly a year after it became apparent the source of this information was the person committing the crimes? It would seem to me that owning up to the error wouldn't look so devoid of any responsibility.
He then writes:
> As a result of the new information that has been provided to me, I no longer have faith in the veracity of my source or the information he provided to me. I always endeavor to ensure that my articles are properly sourced and factual.
> This time, I missed the mark and, as a result, I would like to extend my sincerest apologies to Ubiquiti, and I have decided to remove those articles from my website.
"This time, I [failed to ensure my articles are properly sourced and factual], and as a result, I would like to extend my sincerest apologies to Ubiquiti, and have decided to remove those articles from my website."
The paraphrasing I've done is a more direct way of taking responsibility than Krebs has done. Note in his version the complete lack of ownership, passive voice, and key -- the separation of the problem from where the failure occurred by a paragraph. That's all designed to essentially shirk responsibility here.
Given Krebs' other tendency to get things really wrong, I think it's time people actually viewed him as an unreliable reporter. Especially given he seemingly ignored/dug his heels in about being taken for a ride on this and that then begs the question: How many other instances like this are there that we just haven't heard of or seen?
I had been looking to improve my home network and was about to buy a UniFi Dream Machine Pro-SE and some access points when I read Krebs' initial article on Ubiquiti being compromised (coupled with HN commenters really dogpiling on Ubiquiti). Since then, I must have spent 40 hours trying to find a comparable alternative before my discomfort with the opacity of my prior setup drove me to surrender and buy what I had planned out a year ago.
I still think highly of Krebs, but I'm pretty irritated that he wasted so much of my time by reporting something so poorly sourced.
Reminds me of the Bloomberg SuperMicro article with a single anonymous source alleging that several big companies were compromised, which they deny. Funniest part is how Bloomberg itself also claims it wasn't compromised:
> Bloomberg LP has been a Supermicro customer. According to a Bloomberg LP spokesperson, the company has found no evidence to suggest that it has been affected by the hardware issues raised in the article.
Yeah, that's why I'm reminded. Is the moral of the story that reputable, medium-sized reporters without huge legal resources are more trustworthy than something like Bloomberg?
It's great that he retracted his story but the way he did it isn't so great. In particular he's removed his older incorrect stories and replaced them with a redirect to the retraction. Thankfully the Wayback Machine has archives.
Speaking from experience with these things (although in my case, the articles we were forced to remove were absolutely and completely 100% accurate -- but the company that acquired us wanted to settle all outstanding lawsuits and ended up caving so that the transaction could close), this might have been terms of the settlement or whatever it was he came to with Ubiquiti.
In our case, because our articles were in fact, factual, we were able to re-iterate and even quote, as part of the legal filings, aspects of the original reporting as part of a story that was in response to the removals themselves, but the content at those original URLs was replaced with a notice that the articles had been removed because of litigation with our former parent company.
The fact that he didn't (or hasn't) scrubbed the stories themselves from the Internet Archive is a good sign (I think we had to remove our stories from the Internet Archive, though I do know that individuals did make archives other ways).
I'm pretty opposed to suing journalists for the act of doing journalism and even though I'm a big fan of Ubiquiti products, I still don't love this sort of tactic. That said, it does seem clear that these stories were not correct and at the very least, flawed because of the single-source who was not a reliable narrator (and admitted to lying to the press), so in an ideal world, these stories would have been retracted anyway.
Just because you hang a press pass around your neck doesn't mean you should be allowed to recklessly spread highly damaging lies about people with impunity.
What would have been a better way to handle it? From personal experience, I've overlooked header/footer retractions on material before and referenced things only to have the retraction point out to me later.
Complete removal of the article isn't ideal, and it's less error prone.
I appreciate that the old articles aren't 404'd, they redirect to the retraction so any other sites linking continue to work.
Despite it being clear that Krebs was wrong on this issue for some time, it showed the extent of his influence and the attacker's success in leveraging it to manipulate the public (including HN users).
Hopefully his retraction at least helps with that.
There was a minor data breach at Ubiquiti. An employee named Sharp was using this as an opportunity to extort his employer and exfiltrate data. Sharp was telling Krebs some yarn about the data breach being bigger than reported, which Krebs then repeated on his blog, accusing Ubiquiti of covering up a more significant breach. And Ubiquiti is claiming that Krebs knew the truth all along.
This sounds like a weird and complicated story, so I feel like I'm probably misunderstanding.
Sharp did the breach and then extorted Ubiquiti. Ubiquiti got the FBI involved and declined to pay off Sharp. Sharp followed through on his threat and disclosed everything to Krebs, who wrote an article about it. The FBI and Ubiquiti were on to Sharp, but since Sharp was Krebs' only source, Krebs doubled down on the allegation with a series of articles, and then never retracted it (until now).
I wonder what has changed? The original thread discussing the lawsuit was filled with super dismissive comments, arguing that Ubiquiti's lawyers were incompetent and had no actual way to win the case. Some of the commenters were supposedly actual lawyers too, so it's not even just the normal "terrible armchair law advice" we are used to from HN.
Everyone loves to play the armchair lawyer. Bias quickly fuels whatever side of a case you're on. However discovery and a few court conferences can quickly put things into perspective. Almost everyone's lawyers start off with some encouraging words but eventually they are telling you to settle for X and it is clear that they wouldn't have got paid if they told you that you had a losing case from the get go.
Perhaps Krebs has chosen to move on with his life. Defending litigation is often expensive, distracting and stressful, even if you think you have a strong case. The law isn't necessarily always as pugilistic as Hollywood might lead you to believe. Perfectly fine to think you are right, say you were wrong, settle the case and move on. Of course, we have no way to know what Krebs really thinks or what actually went on behind closed doors here. We should take the written statement at face value, exactly as written. No more no less.
Ubiquiti is so worried about suing Krebs meanwhile their brand reputation has turned to mud due to the quality of their products, both from my own experience and the general consensus I've heard online. If this incident had never occurred I still would have stopped recommending and using their equipment.
The problem from my end though is, who really competes with them? No one else offers the same level of control at the same (or even close) price point.
Nobody competes with them as 'Apple for networking', but MikroTik is if anything a bit cheaper and better on the actual specs etc. - just without the snazzy UI and easy GUI (highly-G) config.
There's probably a lot of people who'd love Ubiquiti gear ('gadget nerds', Linus Tech Tips viewers, gamers, etc.) to whom I wouldn't recommend MikroTik, but to anyone who's.. idk, heard of iptables, I would.
All the gamer-marketed WAP/routers with a million antennae are somewhat competitors in the former category too I suppose.
While I can't speak for a less technical user, I'm throwing away a nearly brand-new Ubiquiti access point on the basis that it took me like five times as long to set up client isolation as it did to manually set up PPPoE and VLAN tagging for my fiber connection on the Mikrotik I bought at the same time. Also the Mikrotik didn't install an nginx server on my laptop. I'm replacing the Ubiquiti with another Mikrotik box even though they're apparently not that great for wifi purely on the basis of the UX.
MikroTik makes sense when you really really really care about having the cheapest possible 10G switch.
AFAIK, there is nothing that competes apples to apples with the UDM in terms of an entry-level managed switch / router / WAP offering (or the UDR, which does UDM + telephony or distributed global management).
Yeah OPN/pfSense make ..sense too I think, haven't used them personally though. But there's some hardware (primarily thinking non-router/firewalls) you couldn't have or wouldn't want them to run on, and so you might buy MikroTik, and then use them for everything so as to have only one config system to learn.
I have the SXT for example (4G antenna/modem/router) so if I wanted a managed switch or another router or whatever I'd be more inclined to get a MikroTik one just to simplify my time configuring them, similarly to but even without Ubiquiti's snazzy auto discovery etc.
> Nobody competes with them as 'Apple for networking'
Apple used to ;_;
I was still using my Airport Expresses until they gave out. Didn't care if they didn't have the latest wifi standards, they were way easier to manage than Ubiquiti or anything else.
The founder of Ubiquiti used to be a radio engineer on the AirPort product at Apple. Part of the reason he left was because the line became devalued in Apple's product lineup and would ultimately be shelved.
As a hard-core Apple AirPort user for a long time, the Apple stuff was great until it wasn't. For example, wanting to put the Xbox in the DMZ. You can do that on the AirPorts, but it's not called "DMZ" (IIRC) and it's not at all obvious. Whereas Ubiquiti is like the industrial version of an AirPort or something, because if you do want to put devices in a DMZ or on a VLAN, you can do it and without a lot of effort. Of course, Ubiquiti's stuff has limitations, so the next stop is... MikroTik? Cisco?
But, yeah, if Apple had kept the Airports going, I'd have had little reason to look elsewhere, and would probably still use them.
I've seen the term "default host" on other routers too, so it's fair enough. AirPort settings were pretty full-featured for a consumer device, just lacked advanced routing stuff that I'd not use in a home anyway.
It started falling apart when they made the new AirPort Utility, which hid some settings. I had to go install the old version.
Better routing functionality (at least until the last bits of load balancing and policy-based routing land), but MikroTik is hard to manage for anything but the simplest use cases. Plus you don't get the single pane of glass management across your WiFi / switch / routing ecosystem. In fact, you have to change the operating system you use on the switch depending on which features you want with MikroTik.
Aruba and TP-Link Omada did huge marketing pushes to take advantage when Ubiquiti got hit with this crap. Every person I have talked to that switched from UniFi gear to Aruba Instant On has moved back off of it over the last year. There is some selection bias there, but you can see the same thing in the YouTube tech blogger(s) as well. That said, I think if you are not going UniFi for WiFi, your best bet is either Cisco or alternatively go mesh.
If you want to go down the more powerful path for routing I strongly suggest OPNSense / PFSense.
"Not as polished" is an incredibly generous term. Unless something has radically changed, Mikrotik basically requires remoting in with a command line and understanding all the implementation details. It's like trying to run a FreeBSD box as a router. Ubiquiti's tooling for common workflows is generations ahead, not a coat of polish.
I have one MikroTik switch and it's the only device on my network that just randomly decides it doesn't want to do DHCP renewal and falls back to some random static IP until a power cycle.
Since it's a switch that I rarely touch it's not a big deal, but "not polished" is putting it mildly for sure.
Price & performance is still solid if you just treat it as a VLAN-aware "dumb" switch, though.
I felt the same way and still kind of do, but I was really impressed the other day. My rural neighbour and I decided to share an Internet connection and I set a Mikrotik WAP in "CPE" mode (basically what you'd use if you were connecting to a WISP) and it was incredibly smooth to get going. WiFi radio in the WAP connects to my network, Ethernet coming out of it goes to his home network.
They're incredibly powerful devices no doubt and I have ended up in configuration hell before, but they've definitely gotten better at some of the more common (and less common) workflows.
Once you realize that Mikrotik is NOT a small business router company but started as a WISP supply company for Eastern Europe it becomes much more clear.
They've greatly enhanced the web interface in recent updates, but you still will probably need to find a recipe for what you want to do, but it can do it.
If generations ahead means it's impossible to figure out wtf is going wrong with the hardware/software then that's true. Just like Apple, their ethos makes a lot of sense.
The old adage "you get what you pay for" applies here. Yeah, it's cheaper than buying Meraki, Aruba, Fortinet, etc, but the IDS/IPS on their Dream Machine is awful, logging is awful, reliability of anything but wireless gear is awful, Protect storage equipment is awful...
They use Suricata for the IDS/IPS. I have a UDMP, and I route 2.5GB a second across two load-balanced connections (fiber and cable) on full IDS/IPS with no problems. I have logging going to Graylog without any issues, but am looking to move to Loki. I have a UDMP with a single 8TB disk for my cameras, but you can grab a UNVR if you need more storage. If you need two, grab two UNVRs to cover a whole site. They pair now. And if you are a prosumer instead of a homelab / business site, grab a UDR with a fast flash disk. You can pair that into HomeKit Secure Video with Homebridge (or even better, Scrypted).
I have 5 Unifi 6 devices - zero problems with them in well over a year at this point. I get 800mb/s from any location on-site.
I don't really want to pay for support contracts which cost more than the upfront cost of the hardware after a couple of years to continue to receive software updates for my prosumer-level home networking deployments. Do Meraki and Aruba provide free updates?
Is that so true? I've seen that as they've become more popular, some of the rougher edges and complaints come out. Personally I've had no reliability/quality problems with my Ubiquiti equipment. But I do know several people who have moved away from their gear due to the breach and fallout from these Krebs articles.
Personally I think Ubiquiti fared better than Krebs did in the reputation department. They were both victims in their way but Krebs should have retracted several months ago.
I've used Ubiquiti in my home for roughly 7 years now, with 2 UAP-PROs, 8 Port PoE Switch and the USG.
Apart from the USG getting a little old and struggling to cope with the latest features added (a positive in itself), I really can't think of many other solutions that tie everything together so well. Yes, I've had the odd problem, or I've needed to change the config of something. But apart from that, it works fantastically and solved WiFi woes I had many years ago.
They release regular software updates to all devices, including the controller. My only issue is I think the design of the landing page on the controller has gone downhill.
Give it a try again. I have a ton of equipment, and it's just working well for me now. I think the consensus among ubiquiti users has shifted considerably over the last year.
If there's one thing I really hope people take away from this entire story is not to use security researchers' statements in constant appeals to authority. I hear so many questionable-to-bad takes on cyber security that basically amount to Bruce Schneier, Brian Krebs, or Troy Hunt said so, so you're absolutely wrong if you don't obey them.
It's really important to remember security researchers and experts convey what they feel is the most accurate or best advice or information they have at the time, and it may very well turn out to be completely wrong or misguided later. The fact that these individuals are popular does not mean they are an authority on anything.
I agree - and while I certainly trust the people you listed quite a bit it is important to not elevate anyone to cult status or revered leader type stuff. I think we can trust that they have more authority than most but that does not make them the authority.
Funny, I was feeling the exact opposite. They could have just taken down the articles and issued no statement. It is hard to publicly admit that you're wrong and it's good to see they took that step.
> They could have just taken down the articles and issued no statement.
There are people that came bottom of their class and barely qualified yesterday to practice law who easily would have been able to make this not an option.
Journalists will sometimes go to great lengths to get a scoop and to make a name for themselves. This passionate desire to "break the story" makes many journalists vulnerable. They become easy marks for bad actors who can gain by manipulating them.
There are many examples of this occurring.
Sometimes the manipulation is just designed to make the journalist(s) look stupid as in KTVU's scoop on the names of the Asiana Airlines pilots responsible for the deadly crash at SFO: https://www.youtube.com/watch?v=L1JYHNX8pdo
Dan Rather's desire to take down former president George W. Bush for all intents and purposes ended his own career by not vetting documents provided to him by a source. His producer Mary Mapes was forced to resign as well. https://en.wikipedia.org/wiki/George_W._Bush_military_servic...
I think we can all learn from these people's mistakes. Our own desires for a particular outcome or to have our personal beliefs confirmed can make us vulnerable to people who might have an incentive to manipulate us. For this reason, it's probably wise to employ a healthy level of skepticism when consuming "news" regardless of how trustworthy we believe the source to be.
It was, but it’s important to note that Quinnypig was reacting to the assertions made by extortionist claims made by Krebs. I think he’s acting in good faith here, if somewhat melodramatically.
I trust Krebs so I tossed every piece of my Ubiquiti gear I owned as a result. Ended up with a lesser solution since there isn't a good alternative on the market that would do for me everything Ubiquiti did.
Sitting on the bus, I’ve already changed my mind about the decision to take down the articles, instead of posting a retraction notice. At first I thought Mr. Krebs was being scummy by pulling the posts.
The Ars Technica article linked by u/riffic mentions that there was an earlier, denied takedown request. So, now I think the posts were likely taken down as part of a settlement.
We’ll probably never know—I expect an NDA to be part of the terms—but I wonder if, from Ubiquiti’s side, it might have been better to leave the posts up, but with a retraction notice.
I hate Ubiquiti anyway. After helping with an install in our office a couple of jobs ago, I bought a UDM in 2020 thinking I'd have the same experience as I did back then.
Oh boy was I wrong. Everything is hidden behind layers of nice looking but useless UI, their software is generally pretty unstable and I get the weirdest things happen that I've never had with other routers, stuff like:
* Phones will remain connected but say "connected without internet" without any reason why in the logs
* Logs constantly spammed with random errors and other crap that UB is clearly being lazy about
* 2.4GHz unbearably slow, even in an area with no other transmitters (I've tested) and seems to be a software problem but I can't quite pin down why
* No real support apart from the forums where often the "solution" to problems is to massively downgrade
Sure, they might have "best in class" APs or something but I think I'm gonna go Mikrotik next time I buy. Idc if I get like 70% the speed of UB wifi as long as it's consistent and works properly.
Yeah, at this point I'm taking Krebs off of any alert or recommendation lists. Appreciate the Mea Culpa, but it's not like he's been making stellar decisions before this problem.
It also doesn't read as an apology, but an acknowledgment that he was given bad info from a source.
IMO he should have linked to them from this post, and updated them with a big fat impossible-to-miss disclaimer at the top of the article, because some other sites might still link to them and use quotes which are not accurate any more.
Mad props to Brian on this. It's way overdue - and frankly, the Ubiquiti lawsuit was poor PR management - but it's good to put things right given some very poor journalistic choices. Journalists admitting when they are wrong is a key step in rebuilding trust in our institutions - not only news but many aspects of civil society here.
Ubiquiti - as a fan of your products - please drop the lawsuit now. I get that this did a ton of damage to the company, but I don't think anyone wins by dragging this out. The product lineup has improved dramatically over the last year, and it would be good to focus there.
Mad props to him for finally posting a retraction and half-assed apology after Ubiquiti forced him to with the lawsuit they never should have filed? What?
Someone correct me, but, isn't a journalist supposed to have independent corroborating source/evidence no matter how solid one sole source is? Is that basically where he missed the "mark"?
A bit of extreme ownership in the same vein as Jocko Willink is inspirational. It's not a reward or ego contest, when you have to open up and be humble about leadership and admission as such - so, critics will be on both sides of the judgement and the reporting.
I myself believe in being humble and honest to a fault, so I'm more sympathetic in this case.
Either way, strive to be better and hey .. humanity is a b*tch sometimes.
I don’t see this post when I go to https://krebsonsecurity.com/, at least on iOS Safari. Also, on the home page, when I scroll down to the list of all posts, I don’t see this one.
Edit: It’s there now! Thanks to u/Pharaoh2 for the heads-up.
Hmm I just redownloaded the 'unifi network' thingy.
For one I had to go through a screen of threats telling me I shouldn't use a local application that only reminds me of the threats you have to go through when downloading the LGPL version of Qt.
For two, the app is incomprehensible: it wanted me to create a "local administrator account" after I opted out of an online account, and then it didn't find my old UniFi AP that is working just fine, thank you.
So nope. Still unacceptable, sorry.
Note: I still have an old version of their admin app on an old computer and that one just finds the AP and lets me configure it. So if they could do it 10 years ago they could do it now too, should they wish to.
Note 2: Why do they want my email even for a "local administrator" account?
Note 3: If I click through all the crap it does find my UAP-AC but it says "managed by another console"? With no way of taking control of it. What the... I haven't started the old management app in years.
Looks like besides threatening their customers they have gone enterprise.
> it wanted me to create a "local administrator account" after i opted out of an online account
What alternative would you prefer? Anyone on the network can configure it? Just a password with no username?
> I still have an old version of their admin app on an old computer and that one just finds the AP and lets me configure it. So if they could do it 10 years ago they could do it now too, should they wish to.
The answer to security issues is... worse security?
> and then it didn't find my old unifi ap that is working just fine thank you.
You need to release the device from your old Unifi deployment, or factory reset the device. You don't want anyone on your network to be able to adopt your devices and seize control of your network.
> What alternative would you prefer? Anyone on the network can configure it? Just a password with no username?
How about having access control tied to the actual AP instead of a particular installation of the controller app, so I can admin it remotely from any machine that is available instead of just one?
Also, you conveniently ignored the spurious threats telling me I'm incompetent and I will get hacked without a UniFi cloud account. I had to check 4 checkboxes agreeing to 4 different predictions of doom if I admin locally.
Pray tell, how do you configure a cloud linked device if there is no internet?
I think this was absolutely warranted. Ubiquiti's stance as a reliable and secure networking company was damaged in my mind. Krebs absolutely did damage to their reputation.
You guys are thinking about this in a very cloudy kind of way. Assuming that Ubiquiti was being blackmailed, they have a security problem in who they hire (Who held user data for ransom). Assuming they were not being blackmailed, but had a security hole in their software, Ubiquiti has a security problem.
Krebs' reporting comes from a potential conflict of interest in that the person who might have been trying to blackmail was also the source. Defamation is not really the issue then, because the source was pointing at a security problem which they happened to also be the cause of. The entity that hired this person was... Ubiquiti! Hence, it is not really defamation AS SUCH. Rather, if anything, it was true but maybe blown out of proportion to get a larger sum of money from Ubiquiti. We don't know how much info the person got their hands on, because Ubiquiti would be to blame for that, wouldn't they?
So, ultimately I think taking down the articles is a mistake in the sense that they reported on a problem either way with Ubiquiti and security. Take off the ad revenue from those articles, and issue a modified retraction on the conflicted interest the source held as a correction. Use it as a cautionary tale on "Sensationalism" and "not always knowing what the hell someone is doing when they report a leak" and move on.
Krebs' article specifically alleged malfeasance on Ubiquiti's part: that they were deliberately covering up a huge data breach.
This turned out to be untrue on three levels:
1) There was no cover-up. Ubiquiti disclosed the attack, was working with the FBI, working to identify what had happened, and in fact were already onto Sharp as an insider attack.
2) There was no large scale data breach.
3) The claim that there was a huge cover-up was part of an extortion scheme, which Krebs was (unwittingly) assisting in.
Yes, this is a standard insider attack - and Ubiquiti's security needed to be significantly better - but it doesn't change the fact that Brian Krebs reported false information - including information that he should have been in a position to know was untrue, at the very least in the second article, if not the first.
Ironically enough, the person at Ubiquiti who introduced the wider GitHub access to production secrets and the new policies that allowed Nick Sharp to get production access was - according to former Ubiquiti employees - Nick Sharp.
Get caught in a lie in front of a jury for a white-collar criminal prosecution with any sort of competent lawyer, and you never regain credibility. Regardless, the other points still stand.
It's incredibly hard to defend yourself if your head of security decides to extort you. They are the ones that design the protections to keep insider attacks from working. Luckily for Ubiquiti - the attacker screwed up his network configuration (VPN leak failure) which is also somewhat ironic.
>> Get caught in a lie in front of a jury for a white-collar criminal prosecution with any sort of competent lawyer, and you never regain credibility.
Which is great for mega corporations who are always innocent of any robber-baroning or impulse to make security a secondary consideration to profit.
>> Regardless, the other points still stand.
On feeble legs.
>> It's incredibly hard to defend yourself if your head of security decides to extort you. They are the ones that design the protections to keep insider attacks from working. Luckily for Ubiquiti - the attacker screwed up his network configuration (VPN leak failure) which is also somewhat ironic.
I tend to think if you have that problem, you are probably hiring people that are much like your company. To put it differently, a known liar telling a story doesn't automatically make it a lie. I suspect we will soon be seeing later how much Ubiquiti cares about its customer base. When that time happens, I will return to this post and ask you some follow up questions.