Ubiquity breached, downplayed the issue
-
And don't forget, this is a company that wired millions to scammers, and only learned about it from the FBI. And they failed to disclose all the details then too. So there's a pattern of covering their screwups.
One fact that Pera and Ubiquiti did not disclose at the time was that Pera only learned about the transfers of vast sums of money, 10% of Ubiquiti’s cash position, after being notified by the Federal Bureau of Investigation.
-
@marcinozga said in Ubiquity breached, downplayed the issue:
@scottalanmiller said in Ubiquity breached, downplayed the issue:
If you read the claims by "Adam" and then read the statement made by Ubiquiti, you can see from that alone that he was lying. The entire premise of his claim is that UBNT downplayed something and tried to blame Amazon. But there is nothing of the sort in the statement that UBNT made. Nothing. This "Adam" character fabricated it completely just to get attention. And Krebs didn't do any verification, even bothering to read his own story. He just published something he already knew to be false to get a headline.
How do you know it's Adam who's lying? What makes you so sure UBNT are telling the whole truth? In the end, the company has more to lose here, not the whistleblower.
Does that sound like a trustworthy company? Or one trying to cover their asses to protect stock prices?
I don't have much to say about the validity of "Adam" / Krebs but the stock is down roughly 25% in the last 3 days alone. The largest down day being today.
Don't know if it is related to this but that much of a loss in 3 days is the big boys dumping (plus the algos too)
-
Have mercy!
-
More fun and excitement on this: https://krebsonsecurity.com/2021/04/ubiquiti-all-but-confirms-breach-response-iniquity/
Hilariously the article spends half the time recapping, and drops a link to the wrong thread (inactive for 1 year)
While I like Brian’s articles this one confuses me greatly. It’s a lot different and feels rushed.
-
@nadnerb yeah google has started putting a krebs into my feed because I've clicked once on the op link.
While I agree that an issue like this should be investigated, I'm sure more than just Krebs would be reporting about it.
-
@dustinb3403 said in Ubiquity breached, downplayed the issue:
@nadnerb yeah google has started putting a krebs into my feed because I've clicked once on the op link.
While I agree that an issue like this should be investigated, I'm sure more than just Krebs would be reporting about it.
This is the hard thing to know - Edward Snowden could have just been swept under the rug... on one hand, you kinda wonder why it wasn't? Perhaps the scope is the difference?
No other media outlet had access - all they could do was report on what the Guardian was reporting.
-
@pmoncho said in Ubiquity breached, downplayed the issue:
@marcinozga said in Ubiquity breached, downplayed the issue:
@scottalanmiller said in Ubiquity breached, downplayed the issue:
If you read the claims by "Adam" and then read the statement made by Ubiquiti, you can see from that alone that he was lying. The entire premise of his claim is that UBNT downplayed something and tried to blame Amazon. But there is nothing of the sort in the statement that UBNT made. Nothing. This "Adam" character fabricated it completely just to get attention. And Krebs didn't do any verification, even bothering to read his own story. He just published something he already knew to be false to get a headline.
How do you know it's Adam who's lying? What makes you so sure UBNT are telling the whole truth? In the end, the company has more to lose here, not the whistleblower.
Does that sound like a trustworthy company? Or one trying to cover their asses to protect stock prices?
I don't have much to say about the validity of "Adam" / Krebs but the stock is down roughly 25% in the last 3 days alone. The largest down day being today.
Don't know if it is related to this but that much of a loss in 3 days is the big boys dumping (plus the algos too)
Sure, but the market is a reflection of the news and nothing more. So that doesn't tell us anything about what happened.
-
@dustinb3403 said in Ubiquity breached, downplayed the issue:
While I agree that an issue like this should be investigated, I'm sure more than just Krebs would be reporting about it.
Right? I've seen no news that wasn't just someone repeating Krebs. Nothing of substance, just lots of "this Adam guy said" with the same quotes being spun into several headlines. It doesn't feel like legit news, where's the coverage, where's the follow up, where's actual info?
-
@scottalanmiller Only the shadow knows...
Otherwise... not.
-
@scottalanmiller said in Ubiquity breached, downplayed the issue:
@dustinb3403 said in Ubiquity breached, downplayed the issue:
While I agree that an issue like this should be investigated, I'm sure more than just Krebs would be reporting about it.
Right? I've seen no news that wasn't just someone repeating Krebs. Nothing of substance, just lots of "this Adam guy said" with the same quotes being spun into several headlines. It doesn't feel like legit news, where's the coverage, where's the follow up, where's actual info?
Yeah - no, not right. Really - what's the difference here between the Ubiquiti whistle blower and Snowden? It's one guy, on the inside who's blowing the whistle... what makes Snowden so much more credible?
Each party reached out to a single source to disperse their whistle blowing.
I feel like Scott has complete distrust in Krebs - though I'm not sure why? Is it because he has a fairly popular site?
Does that mean Scott will be completely untrustable if his YouTube channel starts gaining ground?
Brian Krebs is a reporter, just like Glenn Greenwald... So I understand we need some skepticism...
-
@dashrender said in Ubiquity breached, downplayed the issue:
it's one guy, on the inside who's blowing the whistle... what makes Snowden so much more credible?
Um, no. Snowden blew the whistle on things people didn't know about. "Adam" is an anonymous source claiming that what was said publicly was something other than what was said. They are nothing alike. One is blowing the whistle. The other is a false claim, that anyone can prove by reading the UBNT announcements in January to see what they said.
Snowden was then covered by the media and stuff released from real news outlets. "Adam" has had zero real coverage and nothing to release.
Snowden also released actual data. It was not a matter of claims. These two situations are polar opposites. That Snowden is what a real whistleblower looks like should, in fact, expose to you why Krebs and "Adam" are charlatans.
-
@dashrender said in Ubiquity breached, downplayed the issue:
I feel like Scott has complete distrust in Krebs - though I'm not sure why?
Because they just posted something that they knew to be false. I'm confused here, how are you missing that "Adam" blatantly lied, and Krebs covered it like it was news without pointing out that the statements were false?
-
@dashrender said in Ubiquity breached, downplayed the issue:
Brian Krebs is a reporter, just like Glenn Greenwald... So I understand we need some skepticism...
A reporter that investigates and reports what they know is a journalist. A reporter that knowingly repeats lies, falsehoods, or baseless claims blindly to get hits is a tabloid.
This situation is a tabloid, there is no reporting here. Very different things. I don't trust Krebs because of this situation.
That Krebs called this guy a whistleblower is even more of a problem. Krebs is attempting to manipulate readers into giving him more credence than they should because his accusations are based on a false statement.
-
@marcinozga said in Ubiquity breached, downplayed the issue:
Original story:
According to Adam, the hackers obtained full read/write access to Ubiquiti databases at Amazon Web Services (AWS), which was the alleged “third party” involved in the breach. Ubiquiti’s breach disclosure, he wrote, was “downplayed and purposefully written to imply that a 3rd party cloud vendor was at risk and that Ubiquiti was merely a casualty of that, instead of the target of the attack.”
Here is the crux of the Adam/Krebs argument (we can't assume that Adam is real, given the serious breach of ethics in publishing this article, we have to assume that Krebs itself may have made up the story as there is zero substance and zero ethics in repeating it as if it was journalism): the claim that the seriousness was downplayed and that a third party was implicated with blame. It's trivial to look up the original statements from Ubiquiti and everyone who has done the slightest research knows that UBNT didn't do these things.
UBNT mentions that the databases were hosted by a third party in exactly the same way that Adam/Krebs do, which is to say that they stated the truth and have zero implications with it. There is zero implication there, zero. Sure, some people will add their own emotional encumbrances and claim that they feel that the third party is at fault, but any implication of that comes from the reader, not the source. Nothing in those words hints at implicating the third party in any form whatsoever. So we already know that Adam has lied, and that Krebs used that lie to run a headline story where Krebs benefited heavily (there is a lot of traffic from this story.)
Ubiquiti then stated that while they aren't aware that user data was accessed, that it could have been. Generally that's as much as you can get in this kind of scenario. This is the expected situation and this tells people that their info is at risk and that they need to change passwords. They clearly encourage everyone to change passwords, and to enable 2FA.
So, where is the downplaying? Not in the statement from Ubiquiti. Both the implication of the third party being at fault, and the claim of downplaying the seriousness of the breach didn't happen. Those are facts. Given those facts, which Krebs had access to when he talked to Adam (if Adam even exists), means that at best, Krebs has no journalistic integrity. At worst, we need to blow the whistle on him being a con artist.
Even if Adam exists, according to the article there's not even reason to believe he really worked on the issue. Any one of us could be this Adam. It's just a random guy claiming to be an employee, providing no evidence that he is who he claims that he is, nor that anything that he claims to have happened, happened, and no explanation for the parts we know about, which are lies.
-
None of this should downplay that UBNT had a serious freaking breach that probably exposed gobs of user data. That's huge. But the market didn't care about a known breach until it became a big Krebs PR story. UBNT admitted that it was huge, they told people about it. Everyone accepted that it was huge. It's a big deal.
The major risk is not to production systems, however. This is something that Krebs is playing up - it's the consumer systems, the Dream Machines, not production level Unifi or Edge gear that is affected. Logins for those of us with business class gear don't have our creds stored with UBNT. Only Dream Machine and consumers have that. So businesses that are at risk were playing fast and loose with their IT already.
Does this impact loads of home users and prosumers? Yes, absolutely. Should they be exposed any more than business users, no, definitely not. But Krebs is playing this up in later posts to act like all the business customers are affected, which while not strictly a complete lie, is definitely not true. Is Krebs just a bad reporter who doesn't know enough about IT and security to talk about it, or is he a crook... or is someone who reports on things they know nothing about a crook anyway?
UBNT screwed up. We should hold them accountable. But that seems to be an accident. Krebs screwed up. We should hold him accountable. But it doesn't appear to be an accident.
Why is everyone not concerned with how Krebs is approaching this?
-
@scottalanmiller said in Ubiquity breached, downplayed the issue:
UBNT mentions that the databases were hosted by a third party in exactly the same way that Adam/Krebs do, which is to say that they stated the truth and have zero implications with it. There is zero implication there, zero. Sure, some people will add their own emotional encumbrances and claim that they feel that the third party is at fault,
of course they will - that's what writing like that is supposed to do. Because people are emotional beings.... I agree that's not what it says.
So we already know that Adam has lied,
Now I think you're wearing rose colored glasses. Again, the verbiage dances a very specific line to not imply - but allow the reader to have their own baggage color their view. If UBNT wanted to be clear, they easily could have been. DB's we control on a third party system were breached, not because of the third party, but because of UBNT. But did they say that? Of course not, why not? Because they wanted to leave you to your own imagination.
-
@scottalanmiller said in Ubiquity breached, downplayed the issue:
None of this should downplay that UBNT had a serious freaking breach that probably exposed gobs of user data. That's huge. But the market didn't care about a known breach until it became a big Krebs PR story. UBNT admitted that it was huge, they told people about it. Everyone accepted that it was huge. It's a big deal.
Your claim is that that post - the one you have above - is them claiming it was a huge breach... aww well ok then... I guess I need to start reading anything that says - change your password as a huge breach.
got it.
if this was such a huge breach - where was the huge coverage back in jan? Frankly I don't even recall hearing about it back in January. Until this, whatever you want to call it, I don't recall that at all.
-
@dashrender said in Ubiquity breached, downplayed the issue:
I guess I need to start reading anything that says - change your password as a huge breach.
Any breach of a system that you use is huge to you.
Period. End of Discussion.
The Target breach didn't mean shit to me. At the time I had not shopped at one in years, and all my cards had expired/changed in the interim. I also never had an "account" with them.
So that breach didn't mean shit to me.
-
@dashrender said in Ubiquity breached, downplayed the issue:
Again, the verbiage dances a very specific line to not imply - but allow the reader to have their own baggage color their view.
Just because they didn't enumerate all possible people who were not at fault doesn't mean that they danced close to anything. There's zero acceptable tolerance for anyone to claim that the third party here was blamed or at fault as nothing implied such. If we are dealing in the negatives we can just as easily say that since UBNT didn't explicitly say that MangoLassi, George Clooney or the ghost of Einstein that they are blaming them. People making things up are at fault if they make things up, not the people who don't think of all the misinformation that might be made up and dispute it before it happened.
-
@dashrender said in Ubiquity breached, downplayed the issue:
if this was such a huge breach - where was the huge coverage back in jan? Frankly I don't even recall hearing about it back in January. Until this, whatever you want to call it, I don't recall that at all.
Dash and I just discussed this out of band. The reason that this wasn't seen more is that the system that was allegedly hacked, the one that UBNT said was at risk, is the one with the credentials to Dream Machines and similar devices and accounts from those devices that Unifi users can make voluntarily. Normal business users of Unifi and Edge gear were not in the list of potential impacts.
He wasn't aware that UBNT had notified all of the potentially impacted customers by email, because he is a customer but not one that was potentially impacted. They didn't notify us who use local accounts, since we aren't affected. So there was a lot more notification than he had realized. The news outlets back in January and even Krebs agree that the email notification and notification of the media was real and handled just fine.