[HN Gopher] Ubiquiti vs. Krebs
___________________________________________________________________
Ubiquiti vs. Krebs
Author : ghostoftiber
Score : 318 points
Date : 2022-03-31 12:51 UTC (10 hours ago)
(HTM) web link (www.courtlistener.com)
(TXT) w3m dump (www.courtlistener.com)
| nojito wrote:
| Title is incredibly misleading and should be corrected.
|
| They are suing for defamation because Krebs failed to retract
| anything after more information was revealed.
| PennRobotics wrote:
| https://news.ycombinator.com/item?id=30851102
| bedhead wrote:
| Good for Ubiquiti. Krebs' reporting on this was beyond scummy,
| just a total disgrace.
| danbruc wrote:
| Can I not write in my blog whatever I want? Who says that I can
| not spread lies [1] about companies? Freedom of speech?
|
| [1] I have no idea which side is correct, I am just assuming
| Ubiquiti's claims are correct.
| blantonl wrote:
| You can write whatever you want in your blog. No one is going
| to stop you. However, that doesn't mean there aren't
| consequences for your actions.
|
| Defamation can occur, and can be pursued legally against you, if
| you publish a blog where you _knowingly_ proclaim something
| false that damages someone's reputation.
| anamexis wrote:
| I mean, no, defamation laws are a thing.
| InTheArena wrote:
| Not really. Not in the USA. The laws are very very weak here.
| danbruc wrote:
| Sure, I was more interested in the response from the other
| side of the debate, why I should be able to write whatever I
| want. Admittedly the way I worded it probably achieves the
| opposite.
| jffry wrote:
| > Who says that I can not spread lies about companies?
|
| Many countries have laws specifically outlawing this behavior.
|
| If you're curious specifically about the intersection of those
| laws and the rights afforded by the First Amendment in the
| United States, read
| https://en.wikipedia.org/wiki/Defamation_and_the_First_Amend...
| trollied wrote:
| Previous discussion:
| https://news.ycombinator.com/item?id=30850416
| user3939382 wrote:
| From their complaint:
|
| >Krebs intentionally disregarded these facts
|
| It's easy to miss something when you're not directly involved in
| a case, even more so when you're also not a lawyer (me) but from
| what I understand:
|
| Success for Ubiquiti here requires an ability to prove not only
| that statements he was making (as reported to him by a
| disgruntled Ubiquiti employee) were false, but that Krebs _knew_
| the claims were false. Ubiquiti seems to be arguing that,
| "because we said these claims were false, that proves he knew
| they were." That's a non sequitur IMHO.
| hx833001 wrote:
| Actually the claims Ubiquiti are making relate to the news
| article Krebs wrote After everyone knew that Krebs used the
| criminal as his source. For some reason, Krebs chose not to
| disclose this in his follow up article. That's the defamation.
| Krebs knowingly posted false information not in the original
| article, but in the follow up.
| lamontcg wrote:
| > That's the defamation.
|
| But that's not remotely defamation.
|
| You can decide to judge him harshly in the court of opinion
| for not fully disclosing that, but that isn't defamation.
| ghostoftiber wrote:
| He's probably protected because of qualified privilege:
| https://www.law.cornell.edu/wex/defamation
|
| They would have to prove that he was malicious in writing the
| article and since it's his job to write articles about
| security, they're going to have a real hard time doing that.
| smorgusofborg wrote:
| Reading the article of December 2nd it seems accurate to me.
| Ubiquiti was wrong about the scope, that the incident was
| external. It says the suspect was pretending to be a
| whistleblower. It sounds to me like the suspect wasn't a liar
| when whistleblowing so what would Krebs retract?
| [deleted]
| fuzzy2 wrote:
| Is the guy a criminal though? He's been charged, that doesn't
| mean he's guilty.
| danesparza wrote:
| I'm rapidly losing respect for Ubiquiti. This is the wrong
| approach. Security by obscurity is not security.
|
| More information:
| https://en.wikipedia.org/wiki/Security_through_obscurity
| BeefWellington wrote:
| This is not actually related to what's going on in this case.
|
| They're basically suing because he didn't retract or update and
| clarify his (really false) initial story. Krebs was taken for a
| ride by his "source" who it appears was a disgruntled employee,
| causing the damage.
|
| Should they have handled the situation better? Sure.
|
| Will they win their lawsuit? Unclear; they've got a big hill to
| climb so it seems unlikely.
|
| Is this in any way "silencing" discussion about it? No, it is
| doing the opposite, and it's not as though Ubiquiti is
| unfamiliar with this, given their history.
| gvb wrote:
| _Krebs was taken for a ride by his "source" who it appears
| was a disgruntled employee, causing the damage._
|
| To clarify the phrasing, the disgruntled employee _caused_
| the damage to Ubiquiti. He was the one who "hacked" Ubiquiti
| (actually he misused his credentials), was the
| "whistleblower" that fed Krebs information of his own "hack",
| and tried to blackmail Ubiquiti. All while he was a Ubiquiti
| employee... assigned to investigate the "hack."
|
| Ref:
|
| https://thenextweb.com/news/ubiquiti-ex-employee-hacker-whis...
|
| https://www.securityweek.com/former-employee-accused-being-b...
| antattack wrote:
| "Really false" according to Ubiquiti - it seems KREBS
| disagrees.
| lovingCranberry wrote:
| Krebs disagrees a lot. Sometimes he's wrong though.
|
| Anyone remembers when Krebs doxxed the admin of cock.li
| because they disagreed with Krebs on spamhaus' black
| listing policy? [1] (Spamhaus just blacklists all TCP SYNs,
| which can be easily spoofed since it's not the complete
| handshake)
|
| I don't know. I believe that Krebs has usually good
| intentions, but sometimes he is just presenting his
| findings in a very malicious way.
|
| [1] https://twitter.com/_mg_/status/1121316639637528576
|
| [2] https://www.youtube.com/watch?v=h8WCVwyZyg0
| mschuster91 wrote:
| > Anyone remembers when Krebs doxxed the admin of cock.li
| because they disagreed with Krebs on spamhaus' black
| listing policy?
|
| I don't shed a tear for that person though, as someone
| who has gotten about three dozens of murder threats that
| were sent through their service.
|
| cock.li is an awful service that serves no legitimate
| purpose other than enabling people to cause harm. The
| admin should have been arrested at 36c3 by the police
| instead of simply been booted out for his neo-Nazi domain
| names, but unfortunately our police is incredibly
| incompetent.
| rosndo wrote:
| You want this guy to be put in jail over his childish
| joke domain name, and he's supposed to be the bad guy?
| Look in the mirror.
| lovingCranberry wrote:
| Sorry, but just no. Just because someone abuses a
| service, it doesn't mean that it "serves no legitimate
| purpose".
|
| You see, people are using Tor to buy drugs and to share
| child porn. Does that make tor a tool "that serves no
| legitimate purpose other than enabling people to cause
| harm"?
|
| I am a happy user of cock.li, because it's one of the
| only few email providers, which don't require my phone
| number (unlike gmail, outlook etc). I don't mind that
| they also offer joke domains such as
| "hitler.rocks", since I know what a joke is.
| klibertp wrote:
| > since I know what a joke is.
|
| https://en.wikipedia.org/wiki/Poe%27s_law
|
| Not judging one way or the other, just saying that it's
| incredibly risky to make jokes like this, especially in
| the current climate, where the narrative and emotional
| response matters more than facts and rationality.
| mschuster91 wrote:
| Saying "Hitler rocks" is literally a crime in Germany and
| many other European countries (per § 86a StGB / DE, for
| example).
|
| Not complying with court orders for information
| disclosure is also either a crime or a serious infraction
| (Ordnungswidrigkeit), too.
|
| As said, the guy got lucky he didn't get arrested like he
| should have been.
| lovingCranberry wrote:
| Last year, the government director Dr. Trips-Hebert
| explained the facts and the law to prevent
| misunderstandings like yours in the future. [1]
|
| Let me translate the key section of his letter: "Section
| 86a of the Criminal Code is located in the third title of
| the first section of the Special Part of the Criminal
| Code. The offenses of this title criminalize acts that
| constitute a 'threat to the democratic constitutional
| state.' The protected interests of the provision are
| political peace, the free democratic basic order, the
| idea of international understanding, and Germany's
| reputation abroad. The ban serves [...] to _prevent the
| revival of the banned organizations or the aspirations
| they pursue_ [...]."
|
| "Hitler.rocks" is _not_ falling under this, since it is
| not a "threat to the democratic constitutional state".
| That's also why satire magazines like "Titanic" are
| allowed to publicly show Swastikas on their front page.
| [2]
|
| A domain about hitler minerals [3] which does not aspire
| the revival of banned organizations such as the NSDAP,
| (there isn't any nazi glorifying content on the website),
| does not reflect a threat to Germany's democratic state.
| At least I hope so :)
|
| [1] https://www.bundestag.de/resource/blob/869290/c8bd5f14ef172e...
|
| [2] https://www.titanic-magazin.de/heft/2017/april/
|
| [3] https://www.youtube.com/watch?v=yDVIrp8XaWI
| rosndo wrote:
| Can you point to the specific subsection of § 86a StGB
| that would apply here?
|
| I feel like the law would be especially difficult to
| apply in this context given that the domain names offered
| by cock.li are obviously picked for the sole purpose of
| causing offense, not to promote an unconstitutional
| organization.
| Hamuko wrote:
| You were sent murder threats but you're pro-doxing?
| washadjeffmad wrote:
| "False" in this case means different things to different
| parties.
|
| To Krebs, false means he did not accurately report the
| information as presented to him. In that way he is correct.
|
| To Ubiquiti, false means the information was willfully
| inaccurate, should not have been deceptively presented to a
| notable authority in the tech field, and this should not
| have been published.
|
| Ubiquiti has to sue Krebs to show that the damage to their
| reputation was related to his reporting which they can tie
| back to Sharp. Krebs has to defend his standpoint to show
| he was not complicit in Sharp's planned sabotage. I expect
| they'll settle once the sides are fully aired.
| CrazyStat wrote:
| Krebs has an easy win here, I'll be very surprised if he
| settles.
|
| The bar to show defamation in a case like this is very
| high. Ubiquiti isn't going to meet it.
| saalweachter wrote:
| Does bringing this suit open up Ubiquiti to discovery?
| _delirium wrote:
| Yes, if it gets that far without being settled or
| dismissed in some other way. One defense to defamation is
| to claim that the statements are actually true (or
| substantially true). If the case ends up turning on a
| factual disagreement over whether the statements are
| true, both parties can ask for discovery of evidence that
| would help shed light on that.
| warmwaffles wrote:
| Of course it does.
| swashboon wrote:
| The FBI also seems to disagree seeing as they arrested
| Krebs' source indicating that there never was any third
| party hacker, just that individual insider.
| alias_neo wrote:
| I may be missing something here, English _is_ my first language
| after all, but regarding the screenshot of the "ad" on page 3 of
| the complaint; they suggest Krebs refers to "the employee" as an
| employee in one sentence and a "former employee" in the next. The
| complaint reads to me like the person who put it together doesn't
| understand the English language, or, reading or writing at all,
| for that matter.
|
| "In March, a Ubiquiti employee warned that the company had
| drastically understated the scope ... claim was a fabrication. On
| Wednesday, a former Ubiquiti employee was arrested..."
|
| I'm pretty sure this is junior school level writing, but full
| stop means end of sentence, and then you start another. There is
| nothing in the screenshot's text which suggest the former is
| referring to the same person as the latter; in fact, I read it as
| expressly making a potential distinction.
|
| "6. Krebs altered his description of Sharp, first he described
| Sharp as a current employee. He then described Sharp as a..."
|
| Who wrote this beautiful pair of sentences in the complaint,
| immediately after? Two sentences which clearly should have been
| one.
|
| If this is the basis of their complaint, I worry for Ubiquiti as
| a company.
| danachow wrote:
| > There is nothing in the screenshot's text which suggest the
| former is referring to the same person as the latter; in fact,
| I read it as expressly making a potential distinction.
|
| Yes, precisely. You proved the complaint's point. You think
| they might be distinct, and the complaint is pointing out that
| since they were the same person, this writing is intentionally
| misleading.
|
| > If this is the basis of their complaint, I worry for Ubiquiti
| as a company.
|
| Slow your roll. You just demonstrated the complaint's point.
|
| Regardless of the merits of the case as a whole, #6 is a fair
| point.
|
| As for the grammar. It's not Pulitzer level. But there are
| complete thoughts in each sentence, so it's not wrong either.
| alias_neo wrote:
| > the complaint is pointing out that since they were the same
| person, this writing is intentionally misleading
|
| I disagree (with the complaint, not with you). For one, if
| Sharp _was_ an employee in March and not at the time of
| writing, it is accurate to write it as-is, is it not?
|
| The ad makes a couple of statements of fact, which parse true
| by my reckoning regardless of whether or not that person is
| one and the same.
|
| I'm interested to see what comes of this, it feels to me like
| desperate swinging looking for something to make contact
| with.
|
| Having filled my home, and recommended to many colleagues
| Ubiquiti gear, I have been nothing but disappointed with
| their output of late, so much so that I recently began
| switching away from their gear, there is _something_ going on
| within Ubiquiti and it smells off.
| meragrin_ wrote:
| Sorry, it is not. You use 'a/an' to establish a new entity.
| 'a Ubiquiti employee' is clearly not the same as 'a former
| Ubiquiti developer'. The proper way to acknowledge an
| employee (establish new entity) has been let go is to say
| the employee (refer to previously established entity) was no
| longer employed there.
|
| This is something you have to be very careful about in
| patent claims.
| pkilgore wrote:
| Ah, the Streisand Effect[1]
|
| Anyone else here who would have remained ignorant of this all
| absent this lawsuit?
|
| [1] https://en.m.wikipedia.org/wiki/Streisand_effect
| cyral wrote:
| Their stock tumbled like 20% when this happened, it was pretty
| well known at the time.
| dylan604 wrote:
| I don't own any of their equipment. However, the actions that
| Ubiquiti is taking now are convincing me that I should not buy
| their equipment, ever.
|
| Streisand Effect 1 - Ubiquiti 0
| loeg wrote:
| I do own their equipment but won't be buying more.
| skilled wrote:
| _If you could just go ahead and win this for us, Krebs. Yeah,
| that'd be great._
|
| Ubiquiti must have solid ground to be dragging themselves into
| this mess? I mean, from one side - it looks like a lot of people
| are on Krebs' side, awesome. But, from another - no one at
| Ubiquiti expected some kind of a pushback?
| jokowueu wrote:
| The below comment seems like solid ground to me but I don't
| think it will stick
|
| https://news.ycombinator.com/item?id=30850416#30851334
| lbriner wrote:
| > Ubiquiti must have solid ground to be dragging themselves
| into this mess?
|
| Not as much as you might expect.
|
| There are so many times when I have seen cases made purely to
| save face or to be offensive as the best form of defence. I
| can't say whom but a Solicitor I know has told me of a number
| of cases she didn't expect she could possibly win in Court but
| the client had the money to pursue it to make some kind of
| point and didn't care whether they would actually win or not.
|
| Not saying Ubiquiti don't have a good reason, just that they
| don't _necessarily_ have one.
| dylan604 wrote:
| Putin thought he was on solid ground that taking over Ukraine
| would be simple as well. This is one of the problems of having
| those that report to you to be too scared to tell you the truth
| vs what they think you want to hear. I could see where the
| board/c-suite of Ubiquiti are all so pissed about the situation
| that they cannot hear or are not being told that this lawsuit
| is having and will continue to have a worse negative impact
| than just leaving it alone.
| boeingUH60 wrote:
| Lawsuit aside, I consider Ubiquiti's founder, Robert Pera [1], to
| be a fascinating individual. He runs an $18B company where he
| owns like 90% [2] of the shares (pretty high?). Also owns an NBA
| club (Memphis Grizzlies). I just think he's pretty under-the-
| radar for his kind of success.
|
| [1] https://en.wikipedia.org/wiki/Robert_Pera
|
| [2] https://www.fool.com/investing/2021/09/28/3-stocks-with-78-p...
| throwaway5752 wrote:
| He doesn't just run Ubiquiti. He founded it on his own credit
| cards, based on his own product ideas. He built Ubiquiti from
| nothing, essentially. Also, prior to "WSB" phenomenon, Ubiquiti
| was the subject of short campaigns and had really high short
| interest levels
| (https://www.fool.com/investing/2019/12/02/how-you-can-profit...)
| which they clearly overcame. Really fascinating story.
| [deleted]
| mc32 wrote:
| I'm of two minds:
|
| On the one hand we need openness with regards to reporting
| breaches.
|
| On the other hand we need truth in reporting. Krebs seems to be
| teetering at the edges. I'd rather have solid reporting without
| the drama.
| sneak wrote:
| Krebs also doxxes people he doesn't like, and threatens people
| who leave negative reviews of his products. He's a dark cloud
| over infosec and I wish people would stop linking him.
| Hamuko wrote:
| I stopped giving Krebs any kind of respect after he argued
| against GDPR protections on WHOIS records just because it
| makes his job (of doxxing people, I guess) harder. Sorry, but
| I can't see the privacy and physical security of millions of
| honest domain owners as a good trade-off for the work of
| "anti-abuse and security professionals".
|
| I was also not amused when he started defending anonymous
| shell companies by saying "Not everyone who uses shell
| companies is trying to launder $$. Some people just really
| value their privacy."
|
| https://twitter.com/briankrebs/status/1336487678301364226
|
| I'm guessing that in addition to third-party WHOIS privacy,
| Krebs also has a shell company. Privacy for me, but not for
| thee.
| drfuchs wrote:
| If I understand correctly, there's a real edge case going on
| here: Everything Krebs reported was simply what he was told by a
| then high-ranking employee of the company. True, Krebs didn't
| know this at the time, but I would think it completely exonerates
| him (otherwise, it would be easy for corporations to destroy
| journalists they didn't like by having an executive give them
| false information which they then dutifully report).
|
| Any legal eagles here who can clarify this aspect? Is "I was just
| repeating what your executive told me" a get-out-of-jail-free
| card?
| cyral wrote:
| I believe their complaint is that Krebs has never issued a
| retraction or clarified that his original article is false and
| that his source was the hacker. Even in his update article he
| uses wording to make it sound like his source and the guy
| arrested were two different people.
| OrvalWintermute wrote:
| Is it his job to authenticate the source, or, to
| authenticate, verify and validate the information in the
| story?
| vel0city wrote:
| The standard for defamation is:
|
| * knew that the statement was false and defamatory, or
|
| * acted with reckless disregard of the truth or falsity of
|   the statement in making the statement, or
|
| * acted negligently in failing to ascertain whether the
|   statement was true or false before making it.
|
| Not vetting your sources can be seen as acting in reckless
| disregard of the truth or acting negligently in failing to
| ascertain whether the statements were true.
| Hamuko wrote:
| Considering he considers his work "independent
| investigative journalism", I'd say that it is.
| boeingUH60 wrote:
| Of course, the story was posted on his blog. That's 100%
| his duty, or at least if he wants to maintain his
| reputation as a journalist.
| Someone1234 wrote:
| What is their _legal_ theory though? Have courts found that
| journalist must retroactively update their previous stories
| based on new information? Even if they have, is that
| defamation?
| skeeter2020 wrote:
| It's quite funny that a company arguing "we disclosed
| because we filed an esoteric (in terms of public
| disclosure) security filing" to demand that Krebs retract
| his previous story; maybe if he opens the front door and
| shouts "Sorry!" it would meet their level of communication?
| InTheArena wrote:
| From my perspective, the failure was the lack of a correction.
| That's the point at which it goes from being "I trusted someone
| who I should not have, and was an unwitting accomplice" to the
| possibility of libel.
| gzer0 wrote:
| If this is the case, I am having a hard time understanding
| why the vast majority of media and particularly "news"
| channels in the United States are not being sued into
| oblivion then.
| InTheArena wrote:
| Because laws in the USA make it very very very difficult to
| hold media accountable. For good reasons - most of the
| time. But it has also led to the situation where media face
| no consequences here for their actions. The libel bar is far
| higher in the USA than almost any other liberal democracy.
|
| Honestly, all I would like to see here is a correction from
| Krebs, that enlightens people more about the risk of
| insider attacks, the role that the media can play in that.
| Hamuko wrote:
| Dominion Voting Systems is currently in middle of suing Fox
| News, Newsmax, OANN and others for billions, so it's
| definitely a thing that happens.
| andjd wrote:
| Defamation doesn't work like that though. The only thing that
| is relevant is what the author knew or should have known when
| they published the statement. There's no legal requirement to
| issue a retraction if you later know that your previous
| statement was false. Journalistic ethics says you should, but
| the law doesn't require it.
|
| Issuing a retraction can potentially lessen the damages if
| the original statement leads to liability, but that's only
| relevant if the plaintiff first wins on the original
| statement being defamatory.
| bscphil wrote:
| > There's no legal requirement to issue a retraction if you
| later know that your previous statement was false.
|
| The public speech -> printed statement -> online publishing
| transition problematizes the meanings of "retraction" and
| "previous statement". Probably not legally, of course, but
| I'm thinking about the ordinary usage of these terms here.
|
| Lots of traditional journalism outlets also publish online,
| but the way the reporting ends up being used is very
| different. Anything they put on their websites tends to
| live forever, and it's often difficult even for careful
| readers to remember to check the publishing dates.
|
| If an article was published a year ago, but the _page
| itself_ doesn't carry a retraction notice, I often assume
| the published information continues to be accurate. The
| lack of a retraction on an easily editable webpage
| indicates to me that the publishing individual or
| organization _continues_ to endorse the material, as if it
| had been published the day I read it.
|
| That's why organizations with journalistic integrity are so
| careful to add retraction notices to incorrect articles,
| even for small changes. I doubt it amounts to defamation to
| not add such a notice, but it certainly makes the violation
| of journalistic integrity much worse.
| InTheArena wrote:
| Unfortunately this is probably correct.
|
| The right outcome here would be some form of retraction,
| and more visibility into how this came about in the first
| place.
|
| As with all insider attacks, it's almost impossible to stop
| someone from doing the first bad thing, but you should have
| controls in place to easily identify who the bad actor was.
| Ubiquiti eventually did - with the assistance of the FBI,
| but not after the damage was done.
|
| On the other hand, Krebs not vetting his source, and
| allowing this through resulted in a 20% drop to Ubiquiti's
| stock - which affected the company, their employees (who
| have a financial interest in the stock) and played into the
| attacker's hands.
|
| I'd like to see both of them come together and do a real
| strong analysis.
|
| That said, the negative "tone" that came from these
| articles persists - take a look at this thread for
| evidence.
|
| How many people know that Ubiquiti dropped the cloud login
| requirement? That their recent firmware and releases have
| been impressively solid (judging from my and community
| experience)?
|
| I don't want Krebs or Ubiquiti to "win" here, I want people
| to behave ethically.
| paxys wrote:
| Here's an interesting fact - ~92% of Ubiquiti's shares are owned
| by its founder and CEO Robert Pera.
| JaimeThompson wrote:
| I'm not sure, given their history of flat out lying / misleading
| in regards to product features, that Ubiquiti wants the same sort
| of reasoning to apply to their own misstatements.
| eyeareque wrote:
| Suing a journalist is not a good look. I wonder what other
| vendors out there will take up some market share from them after
| this nonsense is over. Hopefully in the end this turns into
| a net positive for Krebs.
| kowlo wrote:
| Fun to see web ads in the PDFs submitted as evidence (e.g.
| exhibit A)
| mlissner wrote:
| I'm the director of Free Law Project, the non-profit org that
| runs CourtListener. If anybody wants to get email or RSS alerts
| for this case, you can set them up here:
| https://www.courtlistener.com/alert/docket/new/?pacer_case_i...
| ruph123 wrote:
| I read in another HN thread that Ubiquiti was actually not hacked
| but that a former employee leaked information and tricked Krebs
| into believing he was a whistleblower.
|
| Is there a more detailed write-up somewhere about what happened
| exactly?
| InTheArena wrote:
| https://www.techtarget.com/searchsecurity/news/252510411/For...
|
| Basically, insider used his credentials as a highly trusted
| resource to access internal repositories. He then anonymously
| blackmailed the company, threatening to go public as an
| "external actor" if the company didn't pay him. The company
| instead got the FBI involved - which Sharp was aware of because
| of his role at Ubiquiti. He then lied to Krebs at least once
| (probably twice) claiming first that an external actor had
| breached Ubiquiti and the company was deliberately covering it
| up.
| fredoralive wrote:
| The Department of Justice's indictment
| (https://www.justice.gov/usao-sdny/pr/former-employee-technol...)
| gives a fair amount of detail about what they allege happened,
| although it doesn't go into much detail of the interaction
| between Krebs and the accused.
| kmlx wrote:
| wait. they didn't actually get hacked, and because Krebs didn't
| actually check his sources the stock fell 20%? and they're only
| suing him now?
| DannyBee wrote:
| As a lawyer, I've read this entire filing and it seems like
| nonsense at a glance.
|
| Krebs mentions the person was arrested. Ubiquiti claims first
| that he doesn't point out the person he sourced it from was
| arrested, and that he tries to mislead people by not saying
| repeatedly that the person is basically a felon, and that being
| arrested makes him an invalid source of evidence, etc. They also
| claim he describes him as a current employee.
|
| This is all nonsense AFAICT
|
| 1. Krebs mentions the person was arrested.
|
| 2. Krebs says "In March, a Ubiquiti employee said X". That was
| accurate at the time (AFAIK, and ubiquiti cites no real evidence
| I see that Krebs should have known it was not true).
|
| 3. Krebs carefully points out the _arrested person claims x and
| y_ (which is accurate).
|
| 4. The filing says _Sharp_ made false claims, and spends a
| paragraph explaining them.
|
| 5. The filing says Krebs made them too, but ironically, for all
| of its bluster, doesn't cite where and when (that I can see), and
| which exact claims, they are claiming Krebs said that were false.
|
| 6. The filing cites no evidence that Krebs knew or should have
| known, in March, that the claims were false. They get into some
| weird arguments about their 10-q filing but it's hard to
| understand the point they are trying to make. It appears they are
| trying to claim that krebs should have known they notified the
| public but I think that's kind of a silly argument - krebs is
| clearly talking about their users, and most users do not read
| 10-q's. Saying you notified the public because you put it in a
| 10-q is like saying you notified the public because you put it in
| a classified ad section. It's dumb wordplay.
|
| 7. The December blog post they say he "doubled down on" seems
| again, carefully written to say what _Sharp_ claims, not what
| _Krebs_ claims.
|
| I could go on.
|
| The whole thing is, IMHO, not written very well. It's very
| emotionally written for a pleading, and you will be hard pressed
| to find a judge who will get themselves worked up over that kind
| of writing. Instead they mostly roll their eyes and wish that
| someone gave them a clear and convincing pleading instead.
|
| Put another way - if there is a case here, it isn't visible on
| this pleading. This _feels_ like "throw a bunch of emotional
| stuff at a wall and hope it sticks", where you really want "here
| is an open and shut case of why this person defamed us"
| szundi wrote:
| Maybe it is just to make the defendants uneasy for some time
| with a lawsuit hanging over their heads
| daniel-cussen wrote:
| He can countersue.
| [deleted]
| nojito wrote:
| The argument is that there aren't two people, there is just one
| who was arrested.
|
| Krebs' original source for the march article was the fake
| whistleblower extorting ubiquiti. He had just gotten raided by
| the FBI. Which is why the tweets are being mentioned.
| DannyBee wrote:
| Krebs doesn't claim there were two people anywhere?
|
| Ubiquiti hangs this entire argument about this on using
| slightly different wording to refer to a person in two places
| in an article.
|
| But if you read the article, he reports the facts in a
| literal linear timeline fashion, attempting to use what
| appear to be time-correct monikers.
|
| IE He literally says (see the screenshot):
|
| In January x happened
|
| in March, a ubiquiti employee said something
|
| in November, a former developer for ubiquiti was arrested and
| charged.
|
| He never says the march and november people are different. He
| is reporting exactly what happened. They claim he knows they
| are the same person, and should refer to them as such but
| they literally don't even provide any evidence of this either
| (ie that it was Krebs' source). It wouldn't help them (because
| what krebs says does not seem wrong or untrue), but they
| don't prove it either.
|
| IE even if krebs knew they are the same person, the above
| appears to be a totally accurate rendering of the story.
| Krebs is only required to be accurate.
|
| Did a Ubiquiti employee say X in march (or did Krebs have
| good reason to believe a ubiquiti employee said X in march)?
|
| Did a former ubiquiti developer get arrested in late
| november?
|
| Yes? (AFAIK, yes)
|
| Okay, case over.
|
| The fact that they don't like his reporting doesn't make it
| untrue, and if they want to show it's untrue, as I said, this
| filing does a bad job of it.
| mannykannot wrote:
| I have not looked into this in any detail, but is it
| possible that Ubiquiti is fishing for the name of a second
| source?
| dsr_ wrote:
| If they really wanted that, they would craft a less
| emotionally loaded complaint and try for discovery ASAP.
| I think.
| nojito wrote:
| He is accused of making the claims through Twitter which is
| why it's being used as evidence.
| ilamont wrote:
| If you were Krebs, would you defend, countersue, or seek
| "settlement" or some combination?
| adanto6840 wrote:
| IANAL and I haven't read the filing. I'd assume, based on
| what I've read thus far (and the fact that it's a pretty
| standard initial response), that he'll file a motion to
| dismiss and go from there.
|
| It seems plausible that he could have a decent chance of
| having such a motion granted -- the bar is generally "in the
| light most favorable to the plaintiff [Ubiquiti]". Based
| solely on the commentary I've read, it sounds like the
| complaint could be deficient.
| staticautomatic wrote:
| You'd first move to dismiss for failure to state a claim, and
| perhaps counter-sue under anti-SLAPP.
| [deleted]
| mst wrote:
| They (presumably intentionally) filed the claim in a state
| without an anti-SLAPP law, sadly.
|
| Edit: Or at least, so Greg says, and I've found him a
| reliable source for such things:
| https://twitter.com/greg_doucette/status/1509184336188350465...
| DannyBee wrote:
| None of the above. My answer is much more mundane.
|
| Krebs almost certainly has professional liability insurance
| (if not, that would be pretty dumb at his scale). I would call
| up my insurance company, tell them I've been sued, send them
| the documents, and then go back to my day.
|
| I would then proceed to follow their instructions, and not
| care too much about it, unless I was asked to do things that
| I wasn't willing to do.
| otterley wrote:
| I'm also a lawyer. The things that caught my attention were the
| embarrassing misspelling of the word "damning" as "damming,"
| and the fact that this was drafted and filed by a specialty
| boutique law firm (Clare Locke LLP) - I'd have expected a
| company with Ubiquiti's resources to bring out the big guns
| with a white-shoe Washington-area firm. Makes me wonder if the
| company is on the skids.
| at-fates-hands wrote:
| I guess they filed in VA because they have no anti-SLAPP laws
| there so they didn't necessarily have their pick of firms:
|
| _Via Twitter, T. Greg Doucette, a criminal defense attorney
| and former computer scientist, opined that Ubiquiti's
| lawsuit would be considered an attempt to suppress lawful
| speech - a strategic lawsuit against public participation, or
| SLAPP - in states that have anti-SLAPP laws._
|
| _"It's a SLAPP: the coverage by Brian Krebs was
| substantially true and/or First-Amendment-protected opinion,
| and the lawsuit basically admits it in the text itself,"
| Doucette wrote. "But Ubiquiti intentionally filed in
| Virginia, because there's no anti-SLAPP statute there." ®_
|
| https://www.theregister.com/2022/03/30/ubiquiti_brian_krebs/
| otterley wrote:
| VA is right next to DC; there is no shortage of white-shoe
| counsel in the state.
| DannyBee wrote:
| To be fair, Clare Locke specializes in defamation. They
| are counsel for Dominion in the suit against Sidney
| Powell. They are counsel for ShotSpotter against Vice
| Media, etc.
|
| They actually appear to have sued a lot of media
| companies at a glance.
|
| But it's hard to tell. I think it would be more accurate
| to say "if you want to sue someone for defamation,
| they'll do it as long as it's not a conflict" :)
|
| (IE they don't seem to be particularly pro or against
| anything).
|
| It seems like a reasonable firm to hire for defamation if
| your goal is something like "get people to retract
| claim/apologize or go at them legally until they do".
|
| But to your point, it's definitely not the "bury
| them/grind them to dust with a million lawyers" they
| would get at a large law firm.
| DannyBee wrote:
| This is not quite correct, AFAIK.
|
| https://www.rcfp.org/anti-slapp-guide/virginia/
|
| It's true it's not the "motion gets ruled on within 15
| days, before discovery" type of anti-slapp you see
| elsewhere, but it's not "no anti-SLAPP"
| fleshdaddy wrote:
| I don't know much about how law firms operate but could it be
| that the big fancy firms wouldn't want this case if they
| think it's a losing one? If they possibly considered it a
| "free speech" type case that wouldn't fly in most states like
| the other commenter mentioned could they be concerned about
| their reputation?
| bombcar wrote:
| That's what I think - the big firms are perfectly capable
| of filing lawsuits that are just on this side of frivolous,
| but they will charge quite well for that.
|
| The smaller firms are more likely to be willing to say "eh,
| it's your funeral".
| supramouse wrote:
| Did you read the muckraking tweets?
| rdiddly wrote:
| Not a lawyer, but I read like one, and I agree this is one of
| the most butthurt and factless filings I've ever seen. How can
| they SLAPP? How can they SLAPP?
| belter wrote:
| Not a fan of Krebs but also not a critic. Litigation is
| expensive, and the purpose is to scare or bankrupt him,
| validity is irrelevant.
|
| Will never use any product of this company.
| DannyBee wrote:
| They had good products for a long time, but it's gone very
| downhill in the past few years (lots of internet stories
| about why this is happening).
|
| I've had enough bad experiences that i recently moved my
| routing/IDS to a dedicated box and am slowly moving away from
| their switches.
|
| No reasonable replacements i've found for their APs yet
| though (Meraki is too expensive).
| hpkuarg wrote:
| I've only used both in home and small office settings, but
| I found TP-Link's Omada line of APs to be equivalent to
| Ubiquiti APs. Same type of hardware, same type of
| controller software you can run on your own machine. I
| don't know enough about APs to say whether the performance
| matches.
| JaimeThompson wrote:
| Aruba has some 'instant on' units which might be a decent
| replacement but I don't have nearly enough experience with
| them to say for sure.
|
| https://www.arubainstanton.com/products/access-points/
| thegreenandgrey wrote:
| My employer switched from Ubiquiti to Aruba. Much, much
| better. Far easier to manage. The Ubiquiti APs had very
| little range and below-threshold subscriber loads would
| cause them to become unstable and require a reboot. No
| good when 500 employees and guests are attempting to get
| work done. We issue primarily laptops with only certain
| people getting docks for Ethernet. Quite a few people
| have purchased the Anker USB-C dongle docks from Amazon
| and use their IP phone's secondary Ethernet port for a
| connection if they want a solid Ethernet connection.
|
| At home I'm happy with Google WiFi mesh all around my
| house.
| zrail wrote:
| My understanding is that Instant On APs drop their wifi
| clients when they lose internet access and that this is
| billed as a feature. Maybe that's changed recently.
| robocat wrote:
| For an Instant-on AP, that sounds ... maybe useful? If I
| am connected from my phone? Why do you hate the feature?
| zrail wrote:
| My internet frequently (although less lately) stalls out
| for minutes at a time, once or twice a day. I don't want
| my AP to kick me off wireless when I'm refreshing my
| monitoring app waiting for internet to come back up, or
| for me to be locked out of my security cameras, or for
| wifi-only IoT things which don't talk to the internet at
| all to get kicked off and have to reconnect.
| olyjohn wrote:
| Oh so you want to access _your network_ while the
| internet is down?
| thfuran wrote:
| The access points are cloud managed only (I believe the
| switches can optionally be managed through a local webui)
| but very solid hardware, quite easy to set up, and
| probably feature rich enough for basically anyone who
| isn't trying to mess around with an enterprise
| environment at home.
| GekkePrutser wrote:
| You have any links to those stories? Would be interesting.
|
| Personally I hate the way they're going towards cloud
| accounts and dedicated management boxes. We used to be able
| to just install a docker to manage everything but the
| latest hardware ranges (eg their video offering) require
| dedicated management hardware. They're also pretty slow
| with uptake on new standards like WiFi 6 and now 6E.
|
| The ideal selling point of ubiquiti was self-managed near-
| enterprise quality hardware with free self-hosted
| management and decent hardware prices.
|
| I can't fully blame them because I know venture capital
| idealises subscription pricing and data mining right now
| but it won't work for me and it's annoying having to look
| for another option again when I'm invested in their
| ecosystem.
|
| But anyway it would be interesting to read more about
| what's going on behind the scenes.
| robbedpeter wrote:
| "Gotchanomics" is such a shitty model - you get something
| valuable, begin to trust the vendor, establish a system
| with their equipment, and then they pull a bait and
| switch, trying to get away with shitty service, mediocre
| replacements for good products, moving services to the
| cloud and subscription based nonsense - Nickel&Dime As A
| Service.
|
| If I'm faced with paying premium rates, I'm going with
| Cisco and premium vendors. Ubiquiti's value was good
| equipment at reasonable prices to the point that you
| could buy spares for reliability and save 90% of the cost
| of service contracts from premium vendors. That
| differential was the absolute wrong space for them to try
| to tap for more profit, because nothing else was special
| about the brand. Cheap, decent, "good enough" network
| gear is now a market available for exploitation, ubiquiti
| has lost it.
| GekkePrutser wrote:
| > "Gotchanomics" is such a shitty model - you get
| something valuable, begin to trust the vendor, establish
| a system with their equipment, and then they pull a bait
| and switch, trying to get away with shitty service,
| mediocre replacements for good products, moving services
| to the cloud and subscription based nonsense -
| Nickel&Dime As A Service.
|
| Exactly, well put.
|
| For what it's worth, as I have been bitten by this
| practice of "gotchanomics" too many times that I've
| become a bit sensitive to any signs pointing to it.
|
| I'm not 100% sure Unifi is doing this with their existing
| products, but new ranges like the video stuff require a
| modern management box which in turn requires a cloud
| account as far as I've heard. I've decided not to buy
| those for this reason. But it undermines my confidence in
| buying new gear for the ecosystem because it really feels
| like this will be the next step.
| barbazoo wrote:
| You can still use their products without a dedicated box
| or cloud accounts by running the UniFi admin console in
| your own network. Can you clarify what you mean?
| GekkePrutser wrote:
| I understand that the UDM range of products can no longer
| be set up without a cloud account, and none of the video
| products can be hosted locally.
|
| I was thinking of a newer gateway as the USG is too slow
| to do decent IDS. And the video for my home.. But I
| didn't buy either for this reason. I looked at it about 2
| years ago.
|
| It feels like they want to do the same with the older
| network gear but they just won't because there will be
| too much backlash from the move.
| zrail wrote:
| All of my wireless gear and most of my switching is UniFi
| running against a self-hosted controller without cloud
| access. This works fine.
|
| However, UniFi Protect is hardware only. You have to have
| either a UDM, a CloudKey Gen2 Plus, or a UNVR. I bought
| into Protect a couple years ago and now I'm sort of stuck
| with it. I _think_ that I could de-provision the cameras
| from my UNVR and use them standalone with BlueIris or
| Frigate but I've heard stories that they gimp the RTSP
| resolution on the G4 Pro camera (of which I have three).
| aserdf wrote:
| > ...venture capital idealises subscription pricing right
| now...
|
| Pera owns ~91% of the company, it all comes from the top.
| DannyBee wrote:
| Like for example i have switches that get confused and
| started reporting things are connected to ports 57-62 (on
| a 24 port switch) and switching them wrong, etc.
|
| UI they have been slowly screwing up more and more for
| years (How many years are they into the "new UI"
| migration for the controller?).
|
| But the actual switching is pretty basic stuff (and a
| separate hardware chip they are driving that is not hard
| to drive), and simply shouldn't be going wrong in this
| way.
|
| I've also got a UDM-SE and UDM-Pro that seem to have
| hardware issues on the SFP+ uplink when connected in
| certain ways (and won't break 500mbps upstream) no matter
| what SFP+ module is connected (fiber, dac, etc) if the
| LAN SFP+ port is connected at 10gbps. All the same
| modules work in every other router (mikrotik, etc)
| connected the exact same way. (yes, before HN tries to
| debug this, IDS/etc is all turned off. There are no nft
| rules, no nothing, i have debugged this to death through
| the actual shell). Others have had the same issue.
|
| They also have an $1800 ptz camera that can't follow
| objects even when it detects them (This is 100% basic
| functionality of a PTZ camera, especially at this
| pricepoint), despite promising it for years.
|
| I have lots of these kinds of "why is basic functionality
| broken or missing" stories. Ubiquiti gets it out the
| door, says they'll fix it all in post, and moves on to
| the next thing.
|
| They aren't a hardware manufacturer, they are a bad AAA
| game developer :)
| bradstewart wrote:
| Can confirm, same issues with SFP+ on my UDM-Pro. The
| software updates for this thing have been so bad the last
| year, incredibly buggy, it's infuriating.
|
| My current favorite was the update to the AP Pro APs that
| broke everything if you were using a wireless uplink (I
| was using one to bridge a semi-decent signal to my
| garage). Clients connected to that AP had zero
| connectivity to anything else, despite the Controller
| saying "all good!"
| AlgorithmicTime wrote:
| TP-Link's Omada AP line is solid.
| dsr_ wrote:
| Do those require management via their cloud, or can they
| be handled entirely locally?
| lukevp wrote:
| I have a TP-Link Omada setup in my new house. I run the
| management interface on the LAN in docker on an old Linux
| box (runs pihole too). Works really well so far! I have
| the wifi 6 APs, a PoE switch, and a router. I have 1gig
| symmetrical fiber and everything is reliable and fast
| now. Previously I had an edgerouter-x and it was very
| flaky.
| serallak wrote:
| I have installed six in a big old house (with almost a
| meter deep interior walls !).
|
| I manage them with an app on a tablet connected to the
| same LAN, I've disabled all cloud management. That said,
| they are almost configure and forget, after the initial
| install I've only had to upgrade the firmware when I
| visit the site.
| AlgorithmicTime wrote:
| The controller doesn't have to be linked to their cloud.
| volkadav wrote:
| They can be handled entirely locally; the cloud
| management bits are optional.
|
| (I reworked our home network to Omada gear last fall.
| OC200, ER605, a few managed switches, couple of EAP245
| APs. Overall quite happy with it; as the person above
| said it's pretty much fire and forget once you get the
| initial setup done. Used to use -- and enjoyed --
| Mikrotik but alas their wifi support/performance at least
| on the home front has stagnated over the past several
| years.)
| vijayr02 wrote:
| Is Draytek any good? I've just gotten their AX router and
| mesh APs / smart switch and apart from one significant bug
| which made the router restart every few hours if the wi-fi
| interface was on, it seems to be ok.
|
| Anything I should keep in mind before I get more of this
| brand?
| hackmiester wrote:
| Ruckus Unleashed is my favorite replacement, with Aruba
| Instant On as runner up.
| DannyBee wrote:
| I'll take a look- thanks.
|
| One thing i have that often limits my choices is that the
| ubiquiti's are recessed into my ceiling (6 AP's). I can
| do the drywall work, if they make the mounts :)
|
| If I have to, I guess i can make some from scratch in
| solidworks, but i'd rather not.
| thfuran wrote:
| Ruckus is pretty much the exact opposite of the price
| spectrum. At least you can get the older generations for
| less extreme prices second hand.
| anonymousisme wrote:
| Ruckus is not bad, but not great either. I've got an ICX
| 7150-C12P that worked fine until the PoE power supply
| failed just a few months out of warranty. I'm glad that I
| did not pay them for the "license" to use the SFP ports
| (which every other manufacturer just enables by default).
|
| I do like their WAPs. I've got a couple of RS510 WAPs
| that do a great job, but initially they had some
| noticeable performance problems for almost a year until
| fixed by a firmware update.
| phatfish wrote:
| MikroTik have good wireless APs (and other devices).
| bobbob1921 wrote:
| You can't beat MikroTik's routers (rOS / routerOS) and
| their routing hardware. I actively managed well over 500x
| of them. However, I agree with another reply that their
| access points are definitely a side show for them. The
| unfortunate part is their interface and sw capabilities
| are so great that if they just put some additional effort
| + latest gen hardware towards their access points they
| could become one of the top players in Wi-Fi. (I also
| manage several hundred MikroTik access points).
|
| Ruckus is my go-to for access points / client Wi-Fi. (I
| manage 1000s of ruck) Excellent hardware. Every AP they
| offer can have its firmware flashed to either fully
| standalone, OR centralized manage (vSZ / ZoneDirector),
| OR unleashed (which is AP self-managed for up to 25 local
| APs). Another much overlooked feature of Ruckus is that
| every function can be controlled/modified via SSH. While
| not as powerful as a true API, it's still very powerful
| and often very overlooked.
| phatfish wrote:
| For home use I've not had any problems with their AP
| hardware. But it's definitely not been stressed. I was
| just after something that has enterprise features but not
| the price. routerOS covers that soundly (almost too well
| as the configuration can be confusing if you don't know
| networking).
| DannyBee wrote:
| I use a mikrotik router, but their wireless AP's are
| clearly a sideshow for them.
|
| But i am very happy with the router. I have 5gbps
| symmetrical internet, and it's one of the few that can
| handle it for real without BS.
| aserdf wrote:
| question - does ubiquiti open themselves up to discovery and a
| lot of private info becoming public by filing this?
| throwaway5752 wrote:
| Seems pretty close to textbook SLAPP in a jurisdiction - Virginia
| - that has strong anti-SLAPP laws
| _[correction: https://news.ycombinator.com/item?id=30867948 notes
| this is federal, and it has not been established if VA SLAPP laws
| apply]_ and precedent for their use. I am a fan of Ubiquiti
| gear but I hope they lose, pay Krebs' costs, and pay a multiple
| of the costs as damages.
|
| https://twitter.com/QuinnyPig/status/1509374736903507974 is just
| an example of how well this is going over.
| thesausageking wrote:
| Krebs was pretty unethical in this case. He published articles
| based on quotes from a Ubiquiti insider who it later turned out
| was actually the hacker who was extorting them at the time.
| Krebs has never (as far as I know) addressed this or even
| acknowledged it.
|
| If Krebs had just been a rube who was used by the hacker, I'd
| agree with you. But by not updating the record, he's continuing
| to further lies that he knows aren't true and are/will hurt
| Ubiquiti's reputation. Given that, I don't think it's as simple
| as "this gets dismissed as a SLAPP".
| throwaway5752 wrote:
| Ubiquiti is interesting. The CEO is the technical founder and
| bootstrapper, overwhelming controlling shareholder, and has
| been the subject of what I'd consider unethical (stock) short
| campaigns in the past. So you have a CEO without many checks
| and balances who is justifiably defensive of his company. I
| am a fan of him and his company. That said, I think he is in
| the wrong here, and I just hope he realizes it and can
| amicably resolve this in a way that is more productive for
| everyone.
| InTheArena wrote:
| More to the point - he has doubled down on his reporting
| being correct, but failed to acknowledge that he - himself -
| was the weapon that the attacker used to inflict damage on
| Ubiquiti - their employees, users and shareholders.
|
| Krebs got taken. Pure and simple. I can see why he might not
| want to acknowledge that, or do any soul searching on it, but
| when you were part of the problem, you have a responsibility
| to fix your part in it, even if it was an unwitting
| accomplice.
| OrvalWintermute wrote:
| (From a questioning perspective) If a source happens not to
| be who they claimed to be, hiding for whatever reason, but
| the information in the story is newsworthy, credible,
| verifiable, and authenticated, does that mean the story
| should not go forward then?
| InTheArena wrote:
| The story already went forward.
|
| It means that a correction should have been issued.
| brankest wrote:
| This is why journalists try to get multiple sources to
| corroborate what the other is saying.
| stjohnswarts wrote:
| That's hardly very likely with whistleblower stories, all
| you can do is be careful with wording like "<name>
| claims" "<name> alleges" to qualify the reporting. I read
| Krebs I find it hard that he wouldn't retract something
| if Ubiquiti (or someone else) came to him with evidence
| showing the "whistleblower" was a fake that he wouldn't
| retract the article based on new information. He seems
| like a good journo to me and has nothing to lose by doing
| such. He reports on a lot of stuff and no one is going
| to be constantly fact checking every story they ever put
| out there. It's impossible. I suspect Ubiquiti filed this
| before they ever contacted him about the whistleblower
| being a fake.
| lesuorac wrote:
| Not a lawyer, but I suspect that the sentence "Ubiquiti has
| not responded to repeated requests for comment." in Exhibit A
| of Ubiquiti's own evidence is going to carry a lot of Krebs's
| case.
| otterley wrote:
| Virginia doesn't have a strong anti-SLAPP law. It's weak at
| best, only carving out some immunity for statements made about
| "matters of public concern":
| https://law.lis.virginia.gov/vacode/title8.01/chapter3/secti...
| And unlike other states, if the plaintiff loses on a motion to
| dismiss under the statute, the defendant isn't entitled to
| attorney fees and court costs.
| shadowfacts wrote:
| Virginia has an anti-SLAPP statute but this is a federal suit,
| and the Fourth Circuit hasn't ruled on whether state anti-SLAPP
| statutes apply to federal cases.
| [deleted]
| staticautomatic wrote:
| What do you mean by "apply to"? It sounds like a run of the
| mill compulsory counterclaim.
| shadowfacts wrote:
| I'm not a lawyer and I don't know how a counterclaim would
| work in this case, but the way I understand anti-SLAPP
| statutes to work is that they let the defendant file a
| motion to dismiss. If the suit were in state court, then
| the state law would clearly apply and Krebs could try to
| have the suit dismissed. But it's in federal court, not a
| Virginia state court. Whether state anti-SLAPP statutes can
| be used in federal cases is not clear; there's a circuit
| split and the Fourth Circuit has not ruled on the question:
| https://www.jdsupra.com/legalnews/second-circuit-slaps-down-...
| staticautomatic wrote:
| State court claims can and regularly are brought in
| federal court because federal courts have authority to
| hear state law cases. It's Civil Procedure 101. Counter-
| claims which arise from the same operative facts _must_
| be brought or else they're generally waived.
| shadowfacts wrote:
| My understanding of the linked article is that the
| question is whether the federal rules of civil procedure
| supersede the state anti-SLAPP statute, because, since
| it's in federal court, the suit is governed by the FRCP
| even if it's over state or common law claims.
| otterley wrote:
| Also, defamation is a creature of common law and
| therefore state law governs it; there is no Federal
| defamation law. Ubiquiti filed in federal court under
| diversity jurisdiction, and likely because they think
| they'll get a better outcome than they would in state
| court. But the court still has to adjudicate the
| substantive claims under VA state law. Procedurally,
| though, the Federal Rules of Civil Procedure apply in
| Federal court, not state procedural rules.
|
| The cited article suggests that some Federal circuits
| treat anti-SLAPP statutes as procedural rather than
| substantive law, and so federal judges might decline to
| apply them in the cases brought to them.
| staticautomatic wrote:
| That makes sense, though it's hard for me to imagine a
| reasonable finding they don't apply given the state
| public policy justification.
| T3RMINATED wrote:
| flyinghamster wrote:
| Ugh. My EdgeRouter and APs have been nice, but between the
| increasing cloud BS and now a SLAPP suit, they've lost my
| business for good.
|
| No. My internal network infrastructure should NEVER depend on
| someone else's computer, ever.
| gzer0 wrote:
| I'm honestly not sure how Ubiquiti felt this was a smart idea;
| defamation lawsuits are notoriously difficult to win and in the
| vast majority of cases, result in greater damage to the
| plaintiff's image than before filing the lawsuit.
|
| Waste of everyone's time and money.
| Enginerrrd wrote:
| Yup... it seems like everyone has turned on ubiquiti lately,
| but I wasn't totally convinced. I was holding out despite some
| of the irksome changes, but this move right here is a nail in
| the coffin for me.
| Someone1234 wrote:
| I'm on the same page. We just need to see a compelling
| alternative appear, and they'll lose their segment pretty
| quickly. Meraki could have been that until the Cisco
| acquisition and now $$$$ (and they make it extremely hard for
| SMBs/ProSumers to buy in). Some say that Aruba's "Instant On"
| stuff is one to keep your eye on as a direct replacement.
|
| Ever since they fired their domestic development staff and
| shipped those jobs overseas it has been getting worse and
| worse. And it isn't because foreign developers cannot
| develop, it is because the company then and since has
| prioritized cost (and flash half-baked features) over
| quality.
| heffer wrote:
| > Meraki could have been that until the Cisco acquisition
| and now $$$$ (and they make it extremely hard for
| SMBs/ProSumers to buy in).
|
| Meraki competes against Ubiquiti and Aruba InstantOn with
| Meraki Go, not mainline Meraki.
| oseityphelysiol wrote:
| No-one shipped jobs overseas. m of the teams at UI have
| always been and remain located in the EU.
| Lightbody wrote:
| I'm in the same boat. The issue is... what great alternatives
| are there? I'm not interested in investing the time required
| with pfsense / custom stuff. I want a similar experience to
| Ubiquiti... does it exist?
| jaywalk wrote:
| I did a bunch of research when all of this first came out
| with the intention of moving off Ubiquiti and found nothing
| worthwhile. I'm in the same boat, no interest in the
| time/money investment to roll my own solution. Aside from
| one UDM Pro software update that enabled a schedule to
| disable my WiFi out of the blue, I haven't had any issues
| with my stuff. So I continue on with them.
| hackmiester wrote:
| pfSense doesn't require much time for a basic setup. Stick
| with defaults, roll out some Ruckus Unleashed APs, and you
| are done.
| Someone1234 wrote:
| Maybe the point isn't to win but for the "chilling effect."[0].
| Essentially to discourage critics of the company from raising
| criticism in the future for fear of lawsuit (even if ultimately
| just to waste legal costs/impose a burden).
|
| [0] https://en.wikipedia.org/wiki/Chilling_effect
| gruturo wrote:
| Chilling effect, meet Streisand effect:
| https://en.wikipedia.org/wiki/Streisand_effect
|
| Thanks to Ubiquiti's efforts, now the story is known to a
| larger audience.
| robocat wrote:
| Chilling effect meet Krebs. Krebs is more than capable of
| searching for security flaws. I would not want to piss him
| off . . .
|
| He seems like the sort of person to take it personally and
| then go out of his way to find security issues, of which I am
| sure there are plenty, considering the breadth of software
| and firmware across all their devices.
|
| This is not a symmetric fight.
| TheHypnotist wrote:
| It seems to basically be a SLAPP suit.
| InTheArena wrote:
| You do realize that the entire "ubiquiti sucks" mood on HN
| started with the publications of these (factually inaccurate)
| articles from Krebs?
|
| This whole thing pisses me off. An insider threatened a company
| with reputational damage and used a press guy to pull it up. HN
| picked it up and amplified it. Press guy never corrected the
| story, and here we are - with people still railing on HN
| for an untrue story that the press guy enabled and that the
| extortionist planted.
| smaudet wrote:
| elric wrote:
| I think you're mistaking a correlation for causation here.
| Yes, people started saying "UI sucks for $reasonXZY" a lot
| more after these articles came out, but that's merely because
| the articles provided a convenient hook to which to attach
| existing grievances.
|
| A random "Tell HN: UI sucks because their firmware went down
| hill"-post is not likely to go anywhere. But as a comment
| within an article about UI, sure, that works.
|
| There are many things wrong with UI. An inflated insider
| security story does not change that.
| merlyn wrote:
| That vibe existed far before the Krebs article.
|
| Mostly from how the company has shifted their focus as
| described in other posts.
| nodesocket wrote:
| Thank you for saying what nobody else on HN will say. Instead
| it's just constant outrage on HN against companies. Why
| didn't Krebs issue a public apology or retraction? I love
| Ubiquiti and have over $2k worth of UniFi equipment in my
| home.
|
| This entire fiasco has hurt Ubiquiti's brand and reputation,
| and in no small part Krebs is responsible for that.
| phatfish wrote:
| I put them on a personal black list when there was some
| shenanigans with them using GPL code and not releasing their
| modified source, or something. That was years ago.
| JaimeThompson wrote:
| Having used their products for years the "ubiquiti sucks"
| mood has been their own fault. Product quality has declined,
| they keep promising features that don't work / kill
| throughput / just don't come out for months if ever.
| JustFinishedBSG wrote:
| 1. Krebs corrected the story. Twice. You just have to open
| the original article to see it.
|
| 2. The "Ubiquiti sucks" mood started with Ubiquiti releasing
| shit products with even shittier software that, quite
| incredibly, sometimes even degraded with updates.
| BeefWellington wrote:
| Point 1 is correct insofar as he published an update to it
| in December.[1] He did not (and does not) make it clear
| that the employee who was arrested was his source.[2] In
| fact his anonymous source "Adam" is never referenced
| anywhere in his second article, outside of comments asking
| him about it.
|
| If you read his reporting on this now, it is still not
| clear that "Adam", his source, and the person committing
| the alleged offences are the same person. It may be he
| doesn't know but he certainly makes zero effort in either
| article to address the question.
|
| Ubiquiti's forced cloud BS is more than enough reason for
| people to move away from them -- they basically dropped out
| of consideration for my purposes after they did that.
|
| It can also be true that there was a drop in stock price
| when this incident was reported, and further drops after
| Krebs' coverage.[3] In fact he even discusses their share
| price at the tail end of his original article, even
| updating it on March 31 and acknowledging a roughly $50
| drop following his reporting.
|
| I doubt Ubiquiti will win this court case but I do think
| Krebs damaged his own credibility here.
|
| [1]: https://krebsonsecurity.com/2021/03/whistleblower-ubiquiti-b...
|
| [2]: https://krebsonsecurity.com/2021/12/ubiquiti-developer-charg...
|
| [3]: https://markets.businessinsider.com/stocks/ui-stock?op=1
| avsteele wrote:
| Speaking only for myself I disagree. I only had a vague notion
| of them, but read Krebs on occasion, but didn't have any
| strong feelings on them ... until this. As long as the info
| in the 1st post from the lawyer is correct, I wouldn't buy
| from them.
| aserdf wrote:
| a few weeks ago UI released an update to their protect
| surveillance line which subsequently prevented certain
| cameras from recording. an update which fixed this "bug" was
| released 3 days ago.
|
| things like this contribute more to the mood you reference
| than the reporting from Krebs a year ago, IMO.
| KennyBlanken wrote:
| "Ubiquiti sucks" is not an HN-specific thing. The consensus
| among IT folks in multiple communities I'm part of is that
| they've gone from being front-of-the-tech-curve with nice UI
| that Just Works, to overpriced underspec'd cloud-locked-in
| meh-ness.
| brightball wrote:
| Their stock dropped by about 30% after that as well didn't
| it?
| dogleash wrote:
| > You do realize that the entire "ubiquiti sucks" mood on HN
| started with the publications of these (factually inaccurate)
| articles from Krebs?
|
| Their product direction changed and they're no longer my go-
| to. It appeared to kill a lot of goodwill from others too.
|
| On the other hand, I hadn't even heard Krebs was going after
| them until today.
| draw_down wrote:
| Well, if you think you might be having a reputational
| problem, sue someone for defamation. That way you remove all
| doubt.
| linsomniac wrote:
| "Ubiquiti sucks" started for me when a switch firmware update
| enabled some loop detection that couldn't be turned off, and
| completely broke my Google WiFi setup. Support tried, but
| ultimately the solution was to connect Google WiFi to a dumb
| switch.
|
| Then around a year later an update bricked 4 of my 5 cameras,
| and support was completely useless.
|
| You know, and then they had this huge security issue.
|
| Sure, Krebs reported the security issue, but "ubiquiti sucks"
| sentiment has largely been Ubiquiti's doing IMHO.
| newsclues wrote:
| Yeah I'm also pissed off that they failed to have policy in
| place to prevent an insider threat and deal with it
| afterwards.
| InTheArena wrote:
| It's almost impossible to prevent a trusted insider attack.
| It is possible to quickly identify and shut down an insider.
| I think the second is a bigger issue - they did (obv)
| identify the attacker - but they had the FBI involved at
| that point.
| newsclues wrote:
| Good policy will prevent you from assigning the person
| responsible for the breach to the team to investigate
| themselves, I think the FBI learned that the hard way.
|
| Ubiquiti did not have good security policy as stated in
| the hacker news post from 3 months ago (cred open to many
| people etc).
|
| While it's impossible to completely prevent this, best
| practices were not followed.
| GekkePrutser wrote:
| No it's virtually impossible to prevent it. It's very
| important to detect it though and to have a playbook in
| place on how to deal with it.
| newsclues wrote:
| Can't prevent everything, true, but they pulled a Robert
| Hanssen!
| JacobThreeThree wrote:
| If that's the case, maybe this is a rare case where it makes
| sense to sue for defamation.
|
| Krebs does tend to just throw stuff on the wall. Conversely,
| people should not be so influenced by one security blogger.
| kraussvonespy wrote:
| The press across the board does a terrible job of printing
| retractions. I know that doesn't really excuse Krebs but
| most errors don't get corrected and those that do generally
| show up in a tiny column in the middle of the paper.
|
| If you're Brian Krebs and are writing, editing and
| publishing this stuff yourself, I don't know that you'd
| have the bandwidth to be able to monitor and correct every
| new development in something you've written. The New Yorker
| has a staff of hundreds of fact checkers, lawyers and proof
| readers just to keep them out of court, and they too seem
| to have a difficult time with publishing corrections.
|
| I'm not excusing either party, there are issues here that
| need to be resolved. But the expectation that any part of
| the press, be it publishing a physical newspaper or running
| a security blog, will spend much time paying attention to
| old stories for corrections doesn't match up with reality.
| TimTheTinker wrote:
| According to some other posts here, Krebs did publish
| updates and retractions as new info came out.
| kraussvonespy wrote:
| Wow, I didn't know that. If that's the case then Krebs is
| far beyond what 99% of large news outlets, magazines and
| other news sources bother to do. I was on the fence
| before about this but if that's the case, I'm fully on
| Krebs' side here.
| Someone1234 wrote:
| > You do realize that the entire "ubiquiti sucks" mood on HN
| started with the publications of these (factually inaccurate)
| articles from Krebs?
|
| It arguably started when they:
|
| - Shipped tons of jobs overseas, and firmware quality took a
| nose-dive.
|
| - Stopped letting people run the NVR on their own hardware
| (with short-notice).
|
| - Required cloud login and an app for setup (something that,
| for years, NOT having was a claimed Unifi advantage).
|
| - Constantly introducing and retiring half-baked
| ideas/products/lines.
|
| The whole company has lost focus and certainly lost quality.
| The recent security kerfuffle certainly didn't help, but
| mostly it reminded people that their previously "local only"
| stuff was now Cloud Connected(tm) by force, and that UB lost
| the keys that users didn't want to exist to begin with.
| glowingly wrote:
| I dropped Ubiquiti after their wifi APs started uploading
| telemetry. UI's subsequent reaction to the secret telemetry
| (it was not announced or in any changelog before a user
| got curious about their Ubiquiti AP's extra data packets
| headed to the internet) was to gaslight users and add an
| opt-out. The attempt was successful - people rarely bring
| it up and some will defend the actions of Ubiquiti.
|
| I get it. Telemetry helps with diagnosing issues. But UI's
| reaction to being unmasked made me realize they could
| never, ever be trusted for network infrastructure.
| TheRealDunkirk wrote:
| OMG. I just realized that the next logical step in that
| process is:
|
| - Got acquired by Cisco.
|
| Heaven help us.
| GekkePrutser wrote:
| I don't think Cisco will do this. They already have a
| budget product line. Which is said to be pretty mediocre
| but of course it has to be not to cannibalise their
| enterprise offering.
| TheRealDunkirk wrote:
| Linksys is strictly unknowledgeable home-use kit, whereas
| Ubiquiti could be called "prosumer," and Cisco doesn't
| have anything in the price range. When I built out a new,
| 1500-seat church, Ubiquiti offered better-spec'd wifi
| AP's for less than half the price of comparable gear from
| Cisco. Would I do it again, knowing what a hassle their
| administration software is, and how often it breaks? I
| don't know.
| GekkePrutser wrote:
| I don't mean Linksys. More like the 140AC:
| https://www.cisco.com/c/en/us/support/wireless/business-140a...
|
| The price here is almost the same as the Lite series of
| Unifi. They also have a Meraki go line but that seems to
| be yet another one (from an acquisition). But this is
| also in the same price range.
| LeifCarrotson wrote:
| Taking the next step on the quality nosedive -> cloud
| integration -> data breach was no great surprise, and Krebs
| didn't help them in that, sure.
|
| But the nail in the coffin was their reaction to the whole
| thing with lawsuits and denials.
| ghostpepper wrote:
| You forgot to mention
|
| - Ads in the management interface
| Someone1234 wrote:
| And ads that you couldn't even turn off until a massive
| outcry.
| lotsofpulp wrote:
| I also remember Ubiquiti quality declining before this
| Krebs business, and finding out that Ubiquiti had offshored
| much of the business in recent years.
| bombcar wrote:
| The security kerfuffle is meh.
|
| Forcing everything to cloud-connected is what turned me off.
|
| I don't need the devices I use to connect _to_ the cloud to
| be dependent _on_ the cloud.
| BeefWellington wrote:
| Yeah, it sucks that every manufacturer out there seems to
| think that they need to move to a subscription model for
| everything.
| ellen364 wrote:
| > You do realize that the entire "ubiquiti sucks" mood on HN
| started with the publications of these (factually inaccurate)
| articles from Krebs?
|
| Nobody's posted a "Ubiquiti sucks" thread from before the
| Krebs kerfuffle, so here's one from Nov 2019. In that thread,
| people complain about a new "phone home" feature and Ubiquiti
| ignoring the terms of the GPL.
|
| https://news.ycombinator.com/item?id=21430997
| jamesliudotcc wrote:
| There is a term for this, the "Streisand effect."
|
| It turns out, there can be such a thing as bad publicity. And
| like all forms of publicity, there are ways of putting it into
| a positive feedback loop. (Positive in the sense that you get
| more of it, perhaps from your perspective it is a positive
| development, perhaps not).
| ecmascript wrote:
| Can someone tl;dr this for me and others? Thanks in advance!
| wil421 wrote:
| Krebs disclosed a breach of Ubiquiti. Turns out it was a key
| employee who was disgruntled. Ubiquiti claims there was no
| breach; an employee with access did bad stuff. Same employee
| might have been Krebs' secret source about the "breach". Courts
| please make Krebs say it wasn't a breach.
| lbriner wrote:
| The tricky part is that insider information leaked to outside
| is still a breach and still needs to be mitigated against.
| InTheArena wrote:
| The damage was not the breach - or at least it wasn't the
| biggest factor. The damage was the second claim that Krebs
| made in a later article that it was being covered up.
| incomingpain wrote:
| The lawsuit, it seems like a grey area. Report on something but
| then further facts come out and your story is literally outright
| false. You've been misled and abused by your source. I guess
| that's the job of a journalist to ensure what you are publishing
| is true.
|
| Flipside, there's a term named "Krebbed" for a reason.
| https://www.urbandictionary.com/define.php?term=krebbed
|
| Krebs has a history of poor journalism to say the least. Frankly,
| it's best to ignore Krebs. I stopped reading him years ago.
|
| https://itwire.com/business-it-news/security/new-york-times-...
|
| https://itwire.com/business-it-news/security/infosec-researc...
|
| https://itwire.com/business-it-news/security/ex-wp-man-krebs...
|
| 3 separate instances where Krebs got it wrong. Seems to happen a
| little too often.
|
| Seems clear to me, Ubiquiti got Krebbed.
| jstarfish wrote:
| > 3 separate instances where Krebs got it wrong. Seems to
| happen a little too often.
|
| A former employer of mine was the subject of multiple Krebs
| pieces. Many of the facts he has reported were incorrect. I
| have no personal stake in getting involved to "set the record
| straight" and much to lose by doing so.
|
| There's only so much accuracy you can expect from someone who
| deals in hearsay. The most credible witnesses won't talk to
| reporters.
|
| > I guess that's the job of a journalist to ensure what you are
| publishing is true.
|
| Informants are afforded credibility. The job of the _informant_
| is to ensure what they're informing on is true. In any supply
| chain attack, everybody involved post-compromise is just doing
| their job.
|
| Journalists are not private investigators and it's unfair to
| expect them to be. We don't condemn doctors when the patients
| they trust falsely report/induce symptoms with intent to commit
| disability fraud.
| incomingpain wrote:
| >A former employer of mine was the subject of multiple Krebs
| pieces. Many of the facts he has reported were incorrect.
|
| http://www.aaronsw.com/weblog/hatethenews
|
| There seems to be a correlation that the more you know about
| a subject, the more likely you think the journalist is simply
| wrong.
|
| I have proposed the idea that if I put together a big enough
| group of experts. We might have a group of people who can
| refute journalism in whole. What if 100% or damned near 100%
| of what journalists claim is untrue.
|
| I don't think that's the case, I have many good journalists
| who are across a spectrum of viewpoints who are good at
| reporting.
|
| In reality, we should hold journalists accountable via Errors
| and Omissions. Require all journalists to hold E&O insurance.
| He screwed up, his insurance covers it.
| that_guy_iain wrote:
| > I guess that's the job of a journalist to ensure what you are
| publishing is true.
|
| I remember having a stupid little blog about torrents and
| filesharing, it was basically a drama blog. People would go on
| and on about how I had to ensure things were correct and I
| wasn't a proper journalist because I didn't fact check and
| stuff. I kept replying, I wasn't a journalist, I was a dude
| with a blog who people kept telling stuff. So if I was getting
| that, I sure as hell expect a proper journalist to deal with
| the fallout if they got it wrong and it cost a company money.
| Like I would expect a newspaper or tv show to pay out if they
| cost me money and what not.
| incomingpain wrote:
| >I remember having a stupid little blog about torrents and
| filesharing, it was basically a drama blog. People would go
| on and on about how I had to ensure things were correct and I
| wasn't a proper journalist because I didn't fact check and
| stuff.
|
| I feel like torrents and filesharing isn't going to need much
| fact checking. Unless you're perhaps talking about lawsuits
| or something where you might end up getting sued for your
| words.
|
| >So if I was getting that, I sure as hell expect a proper
| journalist to deal with the fallout if they got it wrong and
| it cost a company money. Like I would expect a newspaper or
| tv show to pay out if they cost me money and what not.
|
| I personally see Krebs as liable. Many other professions have
| to keep 'errors and omissions' insurance. Sometimes you just
| get it wrong. Nobody is perfect, you're going to make
| mistakes.
___________________________________________________________________
(page generated 2022-03-31 23:00 UTC)