Ubiquity breached, downplayed the issue
-
@dustinb3403 said in Ubiquity breached, downplayed the issue:
While I agree that an issue like this should be investigated, I'm sure more than just Krebs would be reporting about it.
Right? I've seen no news that wasn't just someone repeating Krebs. Nothing of substance, just lots of "this Adam guy said" with the same quotes being spun into several headlines. It doesn't feel like legit news, where's the coverage, where's the follow up, where's actual info?
-
@scottalanmiller Only the shadow knows...
Othherwise... not.
-
@scottalanmiller said in Ubiquity breached, downplayed the issue:
@dustinb3403 said in Ubiquity breached, downplayed the issue:
While I agree that an issue like this should be investigated, I'm sure more than just Krebs would be reporting about it.
Right? I've seen no news that wasn't just someone repeating Krebs. Nothing of substance, just lots of "this Adam guy said" with the same quotes being spun into several headlines. It doesn't feel like legit news, where's the coverage, where's the follow up, where's actual info?
Yeah - no, not right. Really - what's the difference here between the Ubiquiti whistle blower and snowden? it's one guy, on the inside who's blowing the whistle... what makes snowden so much more credible?
each party reached out to a single source to disperse their whistle blowing.I feel like Scott has complete distrust in Krebs - though I'm not sure why? Is it because he has a fairly popular site?
does that mean the Scott will be completely untrustable if his youtube channel starts gaining ground?
Brian Krebs is a reporter, just like Glenn Greenwald... So I understand we need some skepticism... -
@dashrender said in Ubiquity breached, downplayed the issue:
it's one guy, on the inside who's blowing the whistle... what makes snowden so much more credible?
Um, no. Snowden blew the whistle on things people didn't know about. "Adam" is an anonymous source claiming that what was said publicly was something other than what was said. They are nothing alike. One is blowing the whistle. The other is a false claim, that anyone can prove by reading the UBNT announcements in January to see what they said.
Snowden was then covered by the media and stuff released from real news outlets. "Adam" has had zero real coverage and nothing to release.
Snowden also released actual data. It was not a matter of claims. These two situations are polar opposites. That Snowden is what a real whistleblower looks like should, in fact, expose to you why Krebs and "Adam" are charlatans.
-
@dashrender said in Ubiquity breached, downplayed the issue:
I feel like Scott has complete distrust in Krebs - though I'm not sure why?
Because they just posted something that they knew to be false. I'm confused here, how are you missing that "Adam" blatantly lied, and Krebs covered it like it was news without pointing out that the statements were false?
-
@dashrender said in Ubiquity breached, downplayed the issue:
Brian Krebs is a reporter, just like Glenn Greenwald... So I understand we need some skepticism...
A reporter that investigates and reports what they know is a journalist. A reporter that knowingly repeats lies, falsehoods, or baseless claims blindly to get hits is a tabloid.
This situation is a tabloid, there is no reporting here. Very different things. I don't trust Krebs because of this situation.
That Krebs called this guy a whistleblower is even more of a problem. Krebs is attempting to manipulate readers into giving him more credence than they should because his accusations are based on a false statement.
-
@marcinozga said in Ubiquity breached, downplayed the issue:
Original story:
According to Adam, the hackers obtained full read/write access to Ubiquiti databases at Amazon Web Services (AWS), which was the alleged “third party” involved in the breach. Ubiquiti’s breach disclosure, he wrote, was “downplayed and purposefully written to imply that a 3rd party cloud vendor was at risk and that Ubiquiti was merely a casualty of that, instead of the target of the attack.”
Here is the crux of the Adam/Krebs argument (we can't assume that Adam is real, given the serious breach of ethics in publishing this article, we have to assume that Krebs itself may have made up the story as there is zero substance and zero ethics in repeating it as if it was journalism): the claim that the seriousness was downplayed and that a third party was implicated with blame. It's trivial to look up the original statements from Ubiquiti and everyone who has done the slightest research knows that UBNT didn't do these things.
UBNT mentions that the databases were hosted by a third party in exactly the same way that Adam/Krebs do, which is to say that they stated the truth and have zero implications with it. There is zero implication there, zero. Sure, some people will add their own emotional encumbrances and claim that they feel that the third party is at fault, but any implication of that comes from the reader, not the source. Nothing in those words hints at implicating the third party in any form whatsoever. So we already know that Adam has lied, and that Krebs used that lie to run a headline story where Krebs benefited heavily (there is a lot of traffic from this story.)
Ubiquiti then stated that while they aren't aware that user data was accessed, that it could have been. Generally that's as much as you can get in this kind of scenario. This is the expected situation and this tells people that their info is at risk and that they need to change passwords. They clearly encourage everyone to change passwords, and to enable 2FA.
So, where is the downplaying? Not in the statement from Ubiquiti. Both the implication of the third party being at fault, and the claim of downplaying the seriousness of the breach didn't happen. Those are facts. Given those facts, which Krebs had access to when he talked to Adam (if Adam even exists), means that at best, Krebs has no journalistic integrity. At worst, we need to blow the whistle on him being a con artist.
Even if Adam exists, according to the article there's not even reason to believe he really worked on the issue. Any one of us could be this Adam. It's just a random guy claiming to be an employee, providing no evidence that he is who he claims that he is, nor that anything that he claims to have happened, happened, and no explanation for the parts we know about, which are lies.
-
None of this should downplay that UBNT had a serious freaking breach that probably exposed gobs of user data. That's huge. But the market didn't care about a known breach until it became a big Krebs PR story. UBNT admitted that it was huge, they told people about it. Everyone accepted that it was huge. It's a big deal.
The major risk is not to production systems, however. This is something that Krebs is playing up - it's the consumer systems, the Dream Machines, not production level Unifi or Edge gear that is affected. Logins for those of us with business class gear don't have our creds stored with UBNT. Only Dream Machine and consumers have that. So businesses that are at risk were playing fast and loose with their IT already.
Does this impact loads of home users and prosumers? Yes, absolutely. Should they be exposed any more than business users, no, definitely not. But Krebs is playing this up in later posts to act like all the business customers are affected, which while not strictly a complete lie, is definitely not true. It's Krebs just a bad reporter who doesn't know enough about IT and security to talk about it, or is he a crook... or is someone who reports on things they know nothing about a crook anyway?
UBNT screwed up. We should them accountable. But that seems to be an accident. Krebs screwed up. We should hold him accountable. But it doesn't appear to be an accident.
Why is everyone not concerned with how Krebs is approaching this?
-
@scottalanmiller said in Ubiquity breached, downplayed the issue:
UBNT mentions that the databases were hosted by a third party in exactly the same way that Adam/Krebs do, which is to say that they stated the truth and have zero implications with it. There is zero implication there, zero. Sure, some people will add their own emotional encumbrances and claim that they feel that the third party is at fault,
of course they will - that's what writing like that is supposed to do. Because people are emotional beings.... I agree that's not what it says.
So we already know that Adam has lied,
Now I think you're wearing rose colored glasses. Again, the verbage dances a very specific line to not imply - but allow the reader to have their own baggage color their view. If UBNT wanted to be clear, they easily could have been. DB's we control on a third party system were breached, not because of the third party, but because of UBNT. but did they say that? of course not, why not? because they wanted to leave you to your own imagination.
-
@scottalanmiller said in Ubiquity breached, downplayed the issue:
None of this should downplay that UBNT had a serious freaking breach that probably exposed gobs of user data. That's huge. But the market didn't care about a known breach until it became a big Krebs PR story. UBNT admitted that it was huge, they told people about it. Everyone accepted that it was huge. It's a big deal.
you're claim is that that post - the one you have above - is them claiming it was a huge breach... aww well ok then... I guess I need to start reading anything that says - change your password as a huge breach.
got it.if this was such a huge breach - where was the huge coverage back in jan? Frankly i don't even recall hearing about it back in January. Until this, whatever you want to call it, I don't recall that at all.
-
@dashrender said in Ubiquity breached, downplayed the issue:
I guess I need to start reading anything that says - change your password as a huge breach.
Any breach of a system that you use is huge to you.
Period. End of Discussion.
The Target breach didn't mean shit to me. At the time I had not shopped at one in years, and all my cards had expired /changed in the interim. I also never had an "account" with them.
So that breach didn't mean shit to me.
-
@dashrender said in Ubiquity breached, downplayed the issue:
Again, the verbage dances a very specific line to not imply - but allow the reader to have their own baggage color their view.
Just because they didn't enumerate all possible people who were not at fault doesn't mean that they danced close to anything. There's zero acceptable tolerance for anyone to claim that the third party here was blamed or at fault as nothing implied such. If we are dealing in the negatives we can just as easily say that since UBNT didn't explicitly say that MangoLassi, George Clooney or the ghost of Einstein that they are blaming them. People making things up are at fault if they make things up, not the people who don't think of all the misinformation that might be made up and dispute it before it happened.
-
@dashrender said in Ubiquity breached, downplayed the issue:
if this was such a huge breach - where was the huge coverage back in jan? Frankly i don't even recall hearing about it back in January. Until this, whatever you want to call it, I don't recall that at all.
Dash and I just discussed this out of band. The reason that this wasn't seen more is that the system that was allegedly hacked, the one that UBNT said was at risk, is the one with the credentials to Dream Machines and similar devices and accounts from those devices that Unifi users can make voluntarily. Normal business users of Unifi and Edge gear were not in the list of potential impacts.
He wasn't aware that UBNT had notified all of the potentially impacted customers by email, because he is a customer but not one that was potentially impacted. They didn't notify we who use local accounts, since we aren't affected. So there was a lot more notification than he had realized. The news outlets back in January and even Krebs agree that the email notification and notification of the media was real and handled just fine.
-
Heard about this article on a Crosstalk Solutions video today: