sssilverman | 3 years ago

Regardless of his reporting at the time, Krebs has known since December when Sharp was arrested that:

- the supposed hacker was the goddamn Unifi Head of Cloud, using the access keys needed to do their job

- the initial internal investigation into the hack and ransom was being conducted by the attacker

- that the whistleblower account is a complete fabrication by the internal attacker and his reporting on a coverup are false

Ubiquiti aren't suing him for reporting on it, they're suing him for not retracting it properly once it was revealed how false it was. As per the filing:

70. Ubiquiti brings this litigation because of Krebs’s refusal to do the right thing and retract the March 30 article or the December 2, 2021 update, which continue to malign Ubiquiti’s reputation, damage its relationships with its stockholders, and disrupt its business operations.

Krebs and Corey are _way_ wrong on this.

There is plenty to be said and very valid criticisms about how Ubiquiti dropped the ball and handled the situation. The attack being an insider does not excuse them. But it invalidates much of the reporting.

Krebs was specifically and personally targeted by the attacker as a method of spreading false statements to damage the company and, by keeping the articles up, remains complicit and liable.


bsder|3 years ago

Erm, I took a quick read of the December 2, 2021 update ...

https://krebsonsecurity.com/2021/12/ubiquiti-developer-charg...

What part of that update is incorrect? Naming that update is not going to help their case, at all.

This lawsuit is likely doing the exact opposite of what Ubiquiti expected.

Before the lawsuit, I had some sympathy that they got jerked around by an ex-employee with major access and took it in the shins. I'm kind of in the glass houses and stones camp ... I doubt very many companies could withstand a high-level technical person going rogue. They found the problem. Now they're pursuing charges against him and that's rattling through the legal system. Sure, there's lots of reputational damage, but that's the kind of thing that happens when you centralize management of things--it makes them a high profile target (see: Solarwinds).

However, the lawsuit against a reporter is causing me to pause and think "Wow. Maybe they're actually institutionally incapable of recovering from this, worried that something else might get exposed and really do suck."

The lawsuit moved me from slightly sympathetic to Ubiquiti into "What kind of idiots think this is a good idea?" and looking for alternatives.

rekoil|3 years ago

There's valid criticism to be said about the corporate structure and culture which allowed this all to happen, we're all in agreement on that, but the lawsuit (while probably not accomplishing exactly what they'd hoped for) is legit if you ask me, in the sense that a journalist must take responsibility for the stories they put out and the informants they trust.

I'm not a journalist so I don't know how these things are supposed to go, but shouldn't Krebs have verified his source's identity before publishing? Isn't that a thing journalists are supposed to do?

That said I think Krebs was right to publish the story at the time, but when it became clear that Adam actually was Sharp the story should have been retracted. Perhaps Krebs should even issue an apology at that time?

xmodem|3 years ago

I've been on the other side of something similar to this. At a previous role, a security researcher was falsely claiming we had a backdoor. We considered litigation, but ultimately decided not to for a variety of reasons, but a major one was that there was no way that the optics would be anything other than "software giant sues researcher," and we would likely only serve to draw more attention to the claims.

I'd entirely forgotten about the Ubiquiti breach until today.

stormbrew|3 years ago

It might be more convincing if all the things you listed don't make ubiquiti look really bad for a company that needs you to trust them, given their gear is very cloud-y.

From my perspective this lawsuit looks like they've Streisand Effected the fact that they let their internal security be even worse than the initial accusations.

It's like finding out your financial advisor had all your money stolen, which is bad enough, and then it turns out it's because they gave their gardener the password to your bank account.

james_in_the_uk|3 years ago

Where's the proof that Krebs knew that the whistleblower account was a fabrication?

Genuine question.

It seems to me that Krebs might be in a position to claim:

1. He honestly reported the facts as were made available to him.

2. Either:

A. He didn't know his original source was Sharp (quite feasible that Sharp disguised this)

Or

B. He did know his original source was Sharp, but felt compelled to continue to protect his source despite charges having been brought (innocent until proven guilty).

3. He took the view that nothing in the revelation of this hack as an inside job casts doubt on his initial reporting, which was about Ubiquiti's response to the incident not the attacker's identity.

We should at least wait to read the defence before drawing any conclusions.

Animats|3 years ago

He honestly reported the facts as were made available to him.

Which is a more than adequate defense. See New York Times vs. Sullivan.

bogantech|3 years ago

> the supposed hacker was the goddamn Unifi Head of Cloud, using the access keys needed to do their job

If this comment from a former employee is correct then no, he had root access to a bunch of stuff for no good reason and their security stance is abysmal.

Nobody should have the root aws tokens. They should be split between two teams and stored in a safe & access should go through another method that is audited

https://news.ycombinator.com/item?id=29456593
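The comment above argues that nobody should hold the root AWS credentials and that privileged access should go through a separately audited path. One concrete defender-side counterpart to that is a CloudTrail review that flags any use of the root account (with or without MFA) and any call that weakens the audit trail itself. The following is an added illustration, not code from the thread or from Ubiquiti; the CloudTrail-style records are constructed for the demo, and the role and account values in them are placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed CloudTrail-style records for the demo; not real log data.
# Field names follow the CloudTrail record layout (userIdentity.type,
# additionalEventData.MFAUsed, sessionContext.attributes.mfaAuthenticated).
SAMPLE_EVENTS = [
    {  # root access key used from the API with no MFA: the worst case
        "eventName": "CreateAccessKey",
        "eventSource": "iam.amazonaws.com",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "Root", "accessKeyId": "EXAMPLEROOTKEY"},
        "sessionContext": {"attributes": {"mfaAuthenticated": "false"}},
    },
    {  # root console login with MFA: still noteworthy, root use should be rare
        "eventName": "ConsoleLogin",
        "eventSource": "signin.amazonaws.com",
        "sourceIPAddress": "203.0.113.11",
        "userIdentity": {"type": "Root"},
        "additionalEventData": {"MFAUsed": "Yes"},
    },
    {  # ordinary work through an assumed role: the audited, expected path
        "eventName": "DescribeInstances",
        "eventSource": "ec2.amazonaws.com",
        "sourceIPAddress": "203.0.113.12",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/CloudOps/alice",
        },
    },
    {  # IAM user with a long-lived key turning off logging: audit tampering
        "eventName": "DeleteTrail",
        "eventSource": "cloudtrail.amazonaws.com",
        "sourceIPAddress": "203.0.113.13",
        "userIdentity": {"type": "IAMUser", "userName": "svc-deploy",
                         "accessKeyId": "AKIAEXAMPLE"},
    },
]

# API calls that reduce audit coverage; any principal making them deserves review.
AUDIT_TAMPERING = {"DeleteTrail", "StopLogging", "UpdateTrail", "PutEventSelectors"}


@dataclass
class Finding:
    event_name: str
    severity: str
    reason: str


def mfa_used(event: dict) -> bool:
    """True if the record says MFA was used, for console logins or API sessions."""
    console = event.get("additionalEventData", {}).get("MFAUsed")
    if console is not None:
        return console == "Yes"
    attrs = event.get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding for root usage or audit tampering, else None."""
    ident = event.get("userIdentity", {})
    name = event.get("eventName", "?")
    if ident.get("type") == "Root":
        if not mfa_used(event):
            return Finding(name, "critical", "root credentials used without MFA")
        return Finding(name, "high", "root account used; expected only for break-glass")
    if name in AUDIT_TAMPERING:
        who = ident.get("arn") or ident.get("userName") or "unknown principal"
        return Finding(name, "high", f"audit trail modified by {who}")
    return None


def scan(events: List[dict]) -> List[Finding]:
    """Run classify over a batch of records and keep only the hits."""
    findings = []
    for event in events:
        finding = classify(event)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.event_name}: {f.reason}")
```

The rule set is deliberately small: root usage is flagged unconditionally, because the commenter's point is that the root credentials should not be in anyone's daily toolkit, and anything that disables or narrows CloudTrail is flagged regardless of who does it, since an insider with enough access can otherwise remove the evidence of their own activity.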

ecnahc515|3 years ago

The employee in question was the head of their cloud, so he would have been the one to implement, or drive the implementation of the proper access controls. Based on other employees accounts of the guy, it sounds like people were trying to advocate for better access controls/separation but he didn't let it happen (presumably because he was planning on doing something like this).

CodeWriter23|3 years ago

> Krebs has known since December when Sharp was arrested that:

Criminal Accusations <> Facts until proven in a court of law. All Krebs knows at this point is Sharp was arrested.

And what we all don’t know at this point is whether Ubiquiti is competent enough to have unfettered access to all their customer networks because they failed to defend against insider threats.

ricardobeat|3 years ago

Is it even possible for a company to defend itself from sabotage by the person who is presumably responsible for their security? Seems illogical.

rekoil|3 years ago

But shouldn't good journalists verify the identity of their sources before publishing stories?