from Hacker News

Ubiquiti is suing Brian Krebs for his reporting on their breach

by arusahni on 3/30/22, 1:10 AM with 199 comments

  • by fossuser on 3/30/22, 2:41 AM

    This twitter thread is pretty bad and the comments here aren't much better.

    IIRC the Ubiquiti 'hack' was an insider attack from an employee lying and intentionally breaking things while pushing his lies to the press to hurt his employer. Krebs was wrong and tricked by the employee. I don't know if that justifies this legal action, but it's not the normal going after someone who reported a breach. This one is more complicated.

    I'm pretty sure Corey is wrong on the facts in this case (and so was Brian). I also felt a lot better about Ubiquiti once the dust settled and the details about Sharp came out.

    Edit: I missed this comment thread which basically says the same thing: https://news.ycombinator.com/item?id=30850793

  • by irjustin on 3/30/22, 2:12 AM

    This seems like a journalistic nightmare.

    The original article[0] seems perfectly fine. But, if "Adam" (original informant) and Sharp are the same person[1] and Sharp is in fact the person who perform the breach such that this is an inside job instead of an external hack.

    IANAL and while I'm not sure of the merit to this lawsuit itself, there's still a lot of problems if your informant is the person performing the illegal activity.

    [0] https://krebsonsecurity.com/2021/03/whistleblower-ubiquiti-b...

    [1] https://krebsonsecurity.com/2021/12/ubiquiti-developer-charg...

  • by austinkhale on 3/30/22, 1:45 AM

    Really a poor decision to come after Brian Krebs. The crossover between Ubiquiti customers and people that support Krebs, I would venture to guess, is quite high. What a way to incinerate a pile of goodwill.

  • by shadowfacts on 3/30/22, 4:42 AM

    I am not a lawyer. That said, I'm skeptical of the merits of this suit.

    Here's the actual complaint: https://storage.courtlistener.com/recap/gov.uscourts.vaed.52...

    Ubiquiti seems to be arguing (count 1) that Krebs defamed them by not clearly identifying Sharp as his source in the December 2 post and December 5 update to the original article. That simply updating the original article constitutes repeating everything contained in it and is therefore defamatory beggars belief.

    They also argue (count 2) that the initial March article was defamatory. But it can't have been if if Krebs at the time didn't know the information provided by his source, Sharp, was false. Presumably Sharp didn't share that with Krebs that he was the one behind the breach, so Krebs wouldn't have had particular reason to suspect he was providing false information. Maybe Sharp defamed them, since he obviously did know he was telling falsehoods, but it's hard to see how Krebs did (and two of the supposedly defamatory statements in count 2 are just Krebs describing or quoting what Sharp said).

    Bad journalistic practices may abound, but I don't think any of that constitutes defamation. Neither Krebs nor Ubiquiti look great here.

  • by throwawaybutwhy on 3/30/22, 5:10 AM

    Krebs is a sleazy underhanded journo, too fond of doxxing his targets without any notion of 'due process' and buying leaks on the black market. I was tricked into reading his scoops and it took a couple of years for the truth to trickle down into my coffee-addled brain.

  • by InTheArena on 3/30/22, 4:05 AM

    Krebs was at basically the definition of a unwitting accessory on this one. His “I got the facts right” post afterwords when it became clear that he enabled the reputation damage at the behest of the extortionist doubled down on the damage.

    I’m not sure I agree with ubiquities decision to go after him - see the Streisand effect - but he has made some really dubious choices.

  • by varenc on 3/30/22, 2:57 AM

    Here's a link to the actual complaint: https://www.courtlistener.com/docket/63197557/ubiquiti-inc-v...

    Ubiquiti is asking for:

        WHEREFORE, Plaintiff Ubiquiti Inc. demands judgment against Defendant Brian Krebs as follows:
    (a) awarding compensatory damages in an amount to be determined at trial, but greater than $75,000.00;
    (b) awarding Ubiquiti $350,000 in punitive damages or in an amount to be determined at trial;
    (c) awarding Plaintiff all expenses and costs, including attorneys’ fees; and
    (d) such other and further relief as the Court deems appropriate.
    Which is certainly a lot of money, but nothing compared to the billions Krebs' supposed "defamation" cost Ubiquiti. I suppose their goal with this must be to improve their reputation with potential business customers?

  • by walrus01 on 3/30/22, 2:14 AM

    ubiquiti also has a very poor recent track record of EOLing products and making it near impossible to use - earlier generation security cameras and unifi wireless APs, for instance, which still work perfectly fine. But now it's an incredible hassle to find the linux packages to install on your own hardware to host the controller for them.

    they also had (maybe still have) such poor internal controls that they got spearphished to the tune of $46 million in wire transfer: https://www.google.com/search?client=firefox-b-1-d&q=ubiquit...

    you know that something has gone wrong with a tech company when the founder's ego has inflated to the size that they think the best thing in life to do is buy a professional basketball team.

  • by inetknght on 3/30/22, 3:14 AM

    I've spent several thousand $ on Ubiquiti hardware. After a poor experience with their support team and shitacular integration between their ERX and UniFi products I'm looking to change vendors.

    To be clear with my own experience:

    - Ubiquiti requires an online login to use UniFi products (which you _should not_ encourage especially for home/prosumer use)

    - UniFi does not integrate with the products that you might have purchased when you were less experienced or have less requirements. For example: I bought several EdgeRouter X products then moved on to UniFi products because I needed SFP+. UniFi management does not manage any EdgeRouter devices despite being manufactured by the same company, so I effectively have a dozen different network management pages to deal with.

    - The web interface for UniFi is terrible; they've had a "new" UI and an "old" UI and support requires you to use the old UI to retrieve information to solve a lot of the problems. The "new" UI looks nice but often renders incorrectly (especially the network topology page).

    - Support will sometimes ask you to SSH into your own devices to do certain steps that can't be done from their fancy UI.

    - UniFi has several different settings pages all with overlapping and confusing terminologies instead of having an actual _unified_ settings page for all of the products being managed.

    - I've also had trouble managing their updates insomuch as one device that they claim was bricked but in fact simply wasn't compatible (and wasn't _advertised_ as incompatible) with my network settings. They told me to RMA the item (at my own cost) and the replacement item had the exact same problem and required additional troubleshooting after I'd already spent money and time to return the item. After resolving that problem, with a USP-Plug, it ended up creating its own wifi network whose security can't be configured by me. I'm sure glad I don't have to deal with network audits...

    I think Krebs is a scapegoat. That doesn't excuse any incorrect information he has on his blog. But Ubiquiti certainly isn't a bastion of good either.

  • by r1ch on 3/30/22, 1:33 AM

    As if I need another reason not to recommend Ubiquiti...

    Yes, Kreb's reporting wasn't great and he should have retracted the original article once the facts came out, but I don't think being a bad journalist is something you take someone to court for.

  • by zeagle on 3/30/22, 5:45 AM

    Am I alone in thinking better of Ubiquiti through this?

    I remember when the original post came out and I was worried about having compromised gear at home. Then it turns out it wasn't true and the author of the post refused to update it to acknowledge that he was manipulated after it became clear. I don't follow Krebs so don't have an opinion on him but I'm happy the security problem is a non issue.

  • by cebert on 3/30/22, 2:13 AM

    It’s disappointing to hear that Ubiquity is engaging in this behavior. I’ve enjoyed and recommend their Amplifi products in the past, but it will be much more difficult for me to consider supporting them in the future. I wonder how their PR team determined this would help their image and reputation.

  • by giantg2 on 3/30/22, 1:19 AM

    Seems like a ridiculous suit, but it also seems like Krebs calling it a cover up is sort of a gray area. They did send some sort of notification, but didn't necessarily conceal it either. Looking forward to the ruling and reasoning - the legal determination of what constitutes a cover up. Especially since most places use the generic type notifications.

  • by codedokode on 3/30/22, 6:34 AM

    What surprised me is that the company demands over $375000 (+ attorney fees) which is a several year income for an average person. But have you ever heard about a company being fined or sued for an amount equal to its several-year income?

    Also, as I understand, all Krebs has done is wrote "X told me about Y". How is that statement false, if X really contacted Krebs and told about Y?

  • by thornjm on 3/30/22, 2:47 AM

    Perhaps the title should be editorialised to reflect that it was an extortion attempt by an insider?

  • by ziml77 on 3/30/22, 2:31 AM

    Well then I guess I'm finally done with Ubiquiti. The company that makes my network devices needs to take security seriously. Clearly Ubiquiti does not.

  • by avazhi on 3/30/22, 2:23 AM

    As somebody who hadn't heard of this before now, the Streisand effect is real.

  • by tlogan on 3/30/22, 2:17 AM

    The bar for defamation in US courts is incredibly high. But it seems like they have a proof that Kerbs knew very much it was not a coverup.

  • by chriscappuccio on 3/30/22, 5:19 AM

    Corey is really playing up the media aspect here. I think Corey's tweet exemplifies the problem here which Krebs speculation helped spread; Ubiquiti had no actual security breach, they had an insider ransom fraud. Krebs was also a victim, as the conduit for the attacker to speak as a "whistleblower". When they notified Krebs, Krebs left up their unfounded speculation. This isn't what reputable news organizations do. Despite all of this, it's probably going to be hard for Ubiquiti here, obviously has a good chance of not making it to trial.

  • by bigjoedeez on 3/30/22, 4:31 AM

    Ubiquiti is also run by a bunch of morons, so this makes sense.

  • by 3np on 3/30/22, 2:54 AM

  • by fmajid on 3/30/22, 7:28 AM

    I was waiting for the arrival of WiFi 6E APs from competitors before ditching my Ubiquiti setup, but may have to accelerate my migration away from them. I had already replaced my USG with an OpenBSD firewall and blocked all Ubiquiti devices from being able to connect to the Internet as a mitigation.

    Being cloud-free is a hard requirement for my network equipment.

  • by bufferoverflow on 3/30/22, 2:15 AM

    Note to self: don't buy Ubiquity gear, they must be incompetent, going after the messenger of their own incompetence.

  • by A4ET8a8uTh0 on 3/30/22, 2:48 AM

    It genuinely sucks, because Ubiquiti and PFsense were my top contenders for my major network overhaul. I genuinely like the UI of Ubiquiti, modularity and features.

    But moves like that make very careful about going ahead with the purchase.

    It seems like I will need to learn how to operate PFsense.

  • by syntaxing on 3/30/22, 2:16 AM

    Upsetting since I just bought into the Ubiquiti system...What competitor is the best alternative?

  • by eek2121 on 3/30/22, 2:10 AM

    Sad that Ubiquiti has decided to become victim of the "Streisand Effect" rather than simply working on the crux of the issue and/or working with him.

  • by dec0dedab0de on 3/30/22, 2:30 AM

    About 10 years ago I was pushing for ubiquiti at the fortune 500 company I was a jr network engineer for. Mostly because they were the most open vendor and didn't require an "appliance" to run the management software. The rest of my team laughed at me and we only really tested Aruba and Cisco.

    Even though we never went with it I feel like a sucker every time they come up in the news lately.

  • by oger on 3/30/22, 1:12 PM

    Massive Streisand effect ahead in 3 - 2 - 1...

  • by quantified on 3/30/22, 2:16 AM

    > Welp @briankrebs is getting pride of place in my RSS reader for the next decade based upon this.