> I think it's obvious he's going to do something to avoid this happening again but also I highly doubt anything would be disclosed publicly about this. This isn't exactly a guy with a track record of not learning.

Sure, but part of a "mea culpa" is saying what's important to be said. Otherwise why say anything at all? Maybe he doesn't get it? Maybe he sees the facts differently?

Generally I agree with you, and think he's a smart guy who is likely aware of this. But by not touching on those lessons, he only weakens his message.




This is a publishing retraction. This isn’t a postmortem from a technical issue.

He can’t say it won’t happen again. As stated above, they’ll try to keep abusing him.

He can’t say what his process is or how it will change, because that leaves it open to exploit.

Mea culpa is just that, admitting fault. He did. He also took action and described it there.

There is no root cause analysis, no corrective actions, and no preventive steps.

It can happen again and statistically, if it goes long enough, we can say it will happen again.


Frankly, he is retracting something because it is wrong and he is broadcasting that retraction on the largest platform he has access to: his platform. He has sincerely apologized to and made clear who he has harmed: Ubiquiti.

So like, what do you want? What more should he say? You say "maybe he sees the facts differently" as if we as anonymous internet crowds are entitled to a post-mortem on his psychological state. This strikes me as distinctly parasocial.


This isn't about a parasocial relationship with Krebs at all, but determining how he'll avoid the situation again going forward.

> So like, what do you want?

I think I've been pretty clear, basically an acknowledgement of the situation and a statement that he has some ideas on how to address it from coming again. I'm not even asking for an in-depth process update, I realize why he might want to be vague. Importantly, I just want to make sure he sees the problem. Otherwise, what stops it from happening again?

> What more should he say? You say "maybe he sees the facts differently" as if we as anonymous internet crowds are entitled to a post-mortem on his psychological state.

I'm certainly not entitled to his mental state, he's free to remain as private as he'd like. To go back to my original point, I said "[how he] has handled this whole episode has not inspired optimism in how he'll handle future mistakes." So to answer your question, all I'm saying is if he wants to be seen as a trustworthy public security researcher that is a step he can take in service of it. If he wishes to remain private on it he can too, but as he's decided to be a public security researcher I think it's only fair to engage with that. And I think it's off the mark to call it parasocial, when I'm only engaging with him as a public security researcher doing security work.


It’s about reputation. His reputation has been damaged. I think people genuinely appreciate what he’s done and hope that he’ll rehabilitate it.

Let’s avoid ad hominem.


While Krebs may have gotten it wrong this time, I think there are some interesting components that we better understand because of the scrutiny on Ubiquiti.

The first is that Ubiquiti's opsec was subpar and contributed to the breach. This was at a time where long time Ubiquiti customers were getting very publicly frustrated that they were forcing products and users to rely on their cloud ops for authentication into local gear. This mainly impacted the products under the UniFi lineup, but it was clear Ubiquiti was testing the waters to see how much pushback they'd get by removing the capability of local auth. The two together likely made the public fiasco even more turbulent internally.

The second is that we learned that Ubiquiti did not do right by customers in their timing or statement of breach disclosure. It was a very weak disclosure and they did everything to skirt around the true situation. Let's not forget that Ubiquiti buried this into a very benign looking statement in the 10-Q files on 02-04-22 [0] (around page 31) when they knew damn well that this was a significant risk to all of their customers.

All in all I think the additional exposure Krebs brought on Ubiquiti at least forced a lot of the truth into the spotlight. Without that I don't think the extent of the breach would be known. Ubiquiti downplayed and chose to not respond to their customers. For that, I still think they handled the situation very poorly.

[0] https://ir.ui.com/financial/sec-filings


> So like, what do you want?

This hasn’t been a particularly prompt retraction. Why the delay?


Because it's been an active court case?


When obviously wrong, failing to acknowledge it is an interesting choice. Maybe acknowledging it has legal repercussions, but so does the path taken.


Acknowledging it absolutely has legal repercussions.

Taking ownership is positive when the other parties are interested in an ongoing positive relationship. If the other party just wants the maximum blood/retribution, it’s just falling on your sword. And in the legal arena, that can be a lot more literal than you’d think.

In this situation, Krebs could easily be completely bankrupted by Ubiquiti with a naive statement of responsibility. If he stated it particularly naively, he might even face criminal charges.

I doubt he’d go to jail, but if he was that dumb, he might say similarly naive things at a criminal trial and end up there.

Lawyers’ jobs include keeping their clients’ mouths shut so they don’t footgun themselves like that.

Even if no one at Ubiquiti had a particular axe to grind, they have no personal relationship with him, and have no reason to NOT try to get as much out of him as they can. One could argue that they’d be negligent to those they do have a relationship with (partners, shareholders, employees) if they didn’t go after him as hard as they could, as long as they didn’t cause a PR nightmare.
