[_pplp]

> Ubiquiti also hinted it had an idea of who was behind the attack, saying it has “well-developed evidence that the perpetrator is an individual with intricate knowledge of our cloud infrastructure. As we are cooperating with law enforcement in an ongoing investigation, we cannot comment further.”

I personally don't believe this. IMO, this is a company who is looking for a fall guy, and _most likely_ it's going to be somebody who raised a stink about all the security problems during their time there.

Form your own opinion, I'm just a guy who worked at Ubiquiti for a year, raising all kinds of hell about the security, architectural, and operational problems that I saw while I was there.

But what do I know...

[TeMPOraL]

That would be the reverse of the usual strategy, wouldn't it? Most companies seem to try to pin breaches on sophisticated hacker groups backed by nation states. But then, they benefit from the perception of a threat that's impossible to defend from (so there wasn't anything they could do) - whereas Ubiquiti benefits from people thinking the attack was just a small actor that couldn't possibly threaten Ubiquiti's customers.

[rossipedia]

Yes, you're right. But I don't really expect them to make the "smart" or "usual" play. That would honestly surprise me. Now, pinning it on somebody that was generally disliked because they constantly blocked things that had obvious gaping security holes? Basically sicking law-enforcement on somebody out of pure spite? I can absolutely believe that.

[woofie11]

Accusing whistleblowers of criminal activity?

That's a pretty common ploy. Been there, done that. Early in my career when I was naive enough to try to whistleblow on things over my head.

[TeMPOraL]

Accusing whistleblowers and reporters is indeed common - it pretty much seems the standard behavior in infosec in particular.

What I meant was something different. The breach, as I understand it, was quite critical. Ubiquiti in this case could take the standard corporate spiel of "it has hallmarks of a nation state attack, there was nothing we could do" bullshit disclaimer - but given the nature of this breach, every customer of theirs would now be wondering if $Enemy has put malware in their infra, and whether it isn't a good idea to smash it all with a hammer and buy new one from someone else. So I suspect Ubiquiti is going the other way, blaming it on a single, inconsequential individual, that absolutely, positively didn't give access to anyone else, and thus nobody's infra was in any danger.

(Note: I have no inside knowledge, or even any deep knowledge, of this topic - I'm just a random Internet person speculating.)

[tobr]

I’d love to hear that story, if you can share it!

[ex_ubiquiti]

There was a lot of infighting and turf wars when I finally quit. I'm not even surprised that this latest turf war spilled into the news.

[peteretep]

> nation states

Nation state is not a fancy infosec way of saying country

[TeMPOraL]

Nah, most of the time it's just a fancy infosec way of saying "it was likely ordinary criminals, or even some script kiddies, but it would be quite embarrassing to admit that".

[cutemonster]

Why don't they say "country"? Or just "nation"?

(Can it really be because "nation state" is more fancy?)

I can understand, though, why they don't say "state" -- maybe that'd sound as if a single state in the US had attacked

[peteretep]

I think this derives from “state-sponsored”. “The state” has a distinct meaning from country or nation which I think is important to capture too.

I think your point about confusion with constituent states is spot on though

[vvanders]

Damn, that's pretty depressing.

I really wouldn't like to migrate away but I can't say all the info that's been coming back has been making me want to have them as a part of my network infrastructure.

[posguy]

I want to fire Ubiquiti, but where can I go to get my router, wireless access points and switches in one management interface? There are plenty of poorly performing consumer grade options out there which hide all complexity, but they break in fun ways (eg: Google WiFi creating loops in the network when users try to do wired backhaul) and only tackle part of the stack.

I really just want to manage an OpenWRT based network with one central web interface and not have to deal with corporate/state entities deciding to push fun changes out in the management interfaces that power these systems.

[mopsi]

I keep seeing the requests for central management interface, which leave me somewhat puzzled. Why do you need in a home environment? I run a small network with one big router and several access points, and at least with Mikrotik's gear, it's pretty much fire and forget. It has CAPsMAN[1] to centrally manage wireless networks, but I've found it to introduce unneeded complexity. Auto-updates[2] don't need any central management either. Monitoring can be done through SNMP[3], and there's a REST API too[4].

[1] https://wiki.mikrotik.com/wiki/Manual:CAPsMAN

[2] https://wiki.mikrotik.com/wiki/Manual:Upgrading_RouterOS#Rou...

[3] https://wiki.mikrotik.com/wiki/Manual:SNMP

[4] https://help.mikrotik.com/docs/display/ROS/REST+API

[posguy]

I have a good deal of experience with Mikrotik's offerings, and I am not looking to power networks I support with a patchwork of different systems that each have their own interface.

Most of the value proposition of the Unifi lineup is I can look at a single website that I host and see the WiFi clients connected to an access point, what switch feeds that access point internet (and whether its linked at gigabit or 100Mbps), uptime on all devices involved in the stack, whether the client has poor WiFi quality, trouble DHCPing, etc.

The single pane of glass to view everything when I am many miles from the networks I support is essential. Compared to when these sites were on PFSense before migrating, these networks have improved uptime, rapid remediation of issues, and changing VLANs, SSIDs and labeling each client on the network is a snap.

Edit: Borrowed /u/bpye's single pane of glass term

[torwayburger]

> Most of the value proposition of the Unifi lineup is I can look at a single website ...

> The single pane of glass to view everything when I am many miles from the networks I support is essential

It's also why we're talking about this.

[apple4ever]

Only because they made it cloud based.

If they never forced people to create a cloud account - and instead allowed people to choose - this would be wildly different.

[beezischillin]

Mikrotik itself had security problems before. Tom Lawrence covered a lot of this on YouTube. I can recommend his channel on the topic.

[kweinber]

It seems the hackers currently in your network must value those same features. Very convenient.

[posguy]

I don't use a UI.com account to connect to the Unifi controller I host (as I don't need their inconsistently working NAT traversal to get to my controller), hopefully the networks I support are safe due to not being entangled with Ubiquiti's cloud infrastructure.

Anyone who is forced to get a UI.com account (eg: UniFi Dream Machine and UDM-Pro owners) should change their credentials and do a factory reset on their routers and Access Points ASAP.

[qsi]

Similar to the other responses, it's the fact that I can manage my network remotely from a simple app or UI. This helps me answer phone calls from my family asking why Netflix doesn't work on TV #2, when I'm not at home. Won't solve all problems, but at least I can narrow it down and troubleshoot.

And I like the fact that I can an overview of the state of my network; one of my wired links to an AP would degrade to 100 Mbps at times, and being able to see the link speeds easily was very helpful (it was a bad ethernet cable in the end).

Before I moved to Ubiquiti I had a spate of problems with my fiber broadband, which would stop working for a few minutes at random, resetting my RDP connections. I had a vendor-supplied Linksys (I think?) router, and trying to troubleshoot it was painful. If I ever have such problems again I'll have much better diagnostics.

That said, I won't buy any Ubiquiti gear that requires the cloud, and my faith in the company is eroding. But, like others, I would be at a loss what to replace my gear with at the moment. I just hope it'll function well enough until either Ubiquiti gets it act together (again?) or a viable competitor arises.

[thinkloop]

> it was a bad ethernet cable in the end

Checking the cable is like checking if the power is on, it is NEVER the cable - except in networking for some reason. Half the time it's the cable.

[oarsinsync]

Network cables (copper and fibre) have a limited bend radius. Most people don't think about this and will bend a cable beyond tolerance, which will eventually result in the cable not working correctly, and/or manifest as intermittent issues.

I suspect that's the most common cause of network cables 'going bad' in the home.

[luag]

You might be interested in Gl.inet.

It uses OpenWRT, and you can access it remotely.

[lostlogin]

> I keep seeing the requests for central management interface, which leave me somewhat puzzled. Why do you need in a home environment?

Crap wifi was a huge thing I dealt with. Unifi fixed that completely. The ability to run a relatively complex network (by home network standards) with multi access points is nice, but the ability to administer them without CLI interface is great. I loved my edge router but touched it with trepidation. It was rock solid except when I was sucking with it. Unifi suits/suited the enthusiastic amateur.

> I run a small network with one big router and several access points, and at least with Mikrotik's gear, it's pretty much fire and forget.

Unifi used to be too, with an interface that was a bit difficult to navigate (settings spread among about 20 tabs, but it was possible to get the job done without sshing to components).

Now it’s flakey. I just rebuilt my last week which was working fine but I couldn’t log in and the UDM-P screen said it required resetting. Dark times.

[joshspankit]

> Why do you need in a home environment?

To answer this for me personally (and I suspect this is a pretty common answer): To use the best, and to explore technologies that I might suggest to business clients.

Business clients love central management interfaces.

As well, I’m honestly kind of done with managing fiddly “snowflake” devices, and central management interfaces usually come with the ability to standardize the config across devices.

[bonestamp2]

> Why do you need in a home environment?

I definitely don't "need" it. But it's veeeeeeeery convenient. Especially when it comes to security, being able to see which devices have updates and perform them all from one screen, is extremely convenient. I'm highly interested in paying for convenience at home.

Thankfully I don't use their cloud based management interface -- as far as I know this breach does not affect my local UniFi Controller. Hopefully this is a rude awakening and Ubiquiti goes back to their old consumer focused approach.

[Causality1]

Frankly I wonder at how big some of these peoples' houses are. My single seven year old Nighthawk router covers an entire 2300 square foot home and penetrates the brick walls to reach halfway up the street.

[lotsofpulp]

That’s not my experience, all the way from Meraki enterprise access points to the standard consumer WRT54GL.

First problem is 5GHz is terrible at going through walls, I don’t believe it will even go through a single brick wall and maintain decent bandwidth. Even 2.4GHz is considerably slowed by 2 or 3 drywall/plywood obstructions.

Second problem is can the mobile device you’re using return that signal through all those walls to the access point. I have noticed an huge increase in quality and snappiness of FaceTime and other high up and down bandwidth activities once I added more access points so that connections are going through only 2 or 3 walls.

For another reference, I have a hotel that needed to upgrade its network to meet the brand standards for signal strength in all the rooms, and we had to end up installing 6 access points in the drop ceiling of each hallway 15 guest rooms in length (each guest room is ~15ft wide, so the corridor was ~225ft long). It resulted in the elimination of almost all guest complaints about the wireless network.

[sokoloff]

Mine's only slightly larger than that (mostly by virtue of having 3.5 levels, not by X-Y size), but the original plaster walls attenuate the hell out of 5GHz signals. I have two APs, one in the basement and one on the second floor and even with that, I'm considering adding two more inside and a dedicated one outside to serve the patio/BBQ area as I can readily tell the speed difference to internal file and backup servers if I'm in the same room as an AP vs on another floor or outside.

Make no mistake, it still "works" with just one, only slower.

[gedy]

> the original plaster walls

Ah, the ones that have wire mesh underneath? That would do it.

[igetspam]

My house is about that size. My detached garage is 400sqft. My barn is 1600 sqft. And my travel trailer is 37" long. My network comes into the house and the wireless needs to cover all of the structures because we need into in all the places. It's all spread over about an acre and a half. I run ethernet to a PoE AP in the garage, through an overhead crawl space that covers thale span between the house and the garage, I have b2b radios between the house and barn and the trailer has an LTE router/wifi repeater that picks up wireless from the barn.

Not super complex but no single nighthawk is gonna do it and the unifi management interface does the job. I'm not cloudy though.

[qsi]

Probably not big by US standards, but WiFi attenuation across multiple floors is such that an AP in the living room won't provide any decent signal one floor straight up. Depends on the materials and layout of your house...

[namibj]

This also means you can re-use a frequency with just one floor in between and no issues, and with a horizontally directional antenna, possibly even on adjacent floors.

[vel0city]

I run two AP's hard wired to the PoE switch in my closet. These AP's being in the hallways on opposite sides of my home. I run them at lower power so I don't have an excessive amount of RF blasting into neighbor's homes, but I still get good signal quality to/from each AP. Because I now have two AP's running on different channels I've effectively doubled my network throughput overall.

One important thing to think about when planning your WiFi deployment is if you have things that have poor connectivity, everything on that channel suffers. I can have several devices running at several hundred megabits of quality, but a single device being really slow bogs down the channel and suddenly everything else starts getting lots of jitter and overall poor network performance despite most devices having good signal quality. Also, your device may show it has good signal strength but it might be poor quality (bad SNR) so in reality its a poor link speed. Having things physically closer usually results in better average SNR, meaning higher speeds for everything on the channel.

Also, as others have mentioned 5GHz might make it through a wall without a lot of stuff in it, but its not going to penetrate very well through several walls. Having my AP's in the hallways means there's usually only one wall with minimal stuff in it between a device and the AP, so each device usually reports at least several hundred megabits of throughput possible.

[sylens]

I feel the same way - my Nighthawk is going strong with custom firmware, but my friends with Ubiquiti gear try to get me to replace it with a bunch of Unifi stuff every time I talk to them.

[sigg3]

What firmware?

I need new APs soon.

[Spooky23]

Depends a lot on the house. My house is <2000 sqft, but signal, especially 5Ghz propagates poorly though old school plaster walls.

It wasn’t a problem until covid when multiple meeting or other streams just performed poorly on a marginal network. The Ubiquiti gear made it easier to run antennas for optimal signal.

The hot thing to do is to shit on them, but I’ll be sticking with it. They’ll emerge better from this crisis and if you think that any competitor in this price point is better, you’re delusional.

[ethbr0]

Also, foil-backed insulation [0]. I finally figured out they insulated the hell out of my house with this stuff.

Works amazingly on heating and cooling bills, but it's a pretty solid wall to radio waves.

[0] https://www.ibhs.co.uk/foil-backed-mineral-wool-50mm-thick-x...

[lostlogin]

COVID had me setting up more UniFi APs. It held up incredibly well for moving large files across VPNs and running multiple Zooms for work places and school.

COVID must have been a massive boost to their bottom line.

I’m no market analyst, but the last year, even including the last week, has been very good to Ubiquiti.

https://www.nasdaq.com/market-activity/stocks/ui/advanced-ch...

[alasdair_]

I use three unifi AP-Pros for my 3500 sq ft home plus front and back yard.

I possibly could have done it with two if I ignored the outside areas but one definitely wasn’t enough even with careful placement.

Edit: obviously 2.4ghz penetrates further, but 4k streaming on multiple TVs doesn’t go well with the bandwidth (and interference) on 2,4

[roland35]

My house had a problem since the cable came in on one corner of my house, and my office was on the other side. Browsing was ok but things like video calls suffered, at least until I went with a Unifi BeaconHD.

[lostlogin]

Getting signal to devices isn’t a problem, but it’s not easy having an AP receive signal from a low power device. Multiple APs is the way to go in my experience.

[thereddaikon]

People want a power-user Meraki for the home that isn't tied to a cloud service. It's really as simple as that. Ubiquiti gave them that until they didn't. And now the inevitable breach has occurred and users are looking for a replacement.

Its pretty simple, having each device individually managed is archaic, a pain in the ass and there is no technical reason why it has to be that way.

[mavhc]

Mikrotik have not been able to keep up with the latest, or previous to latest wifi standards, seems like it's become too complex

[KozmoNau7]

Skipping wifi 6 seems like a smart move, with 6E on the horizon. It includes all the things that should have been part of the standard in the first place, so why get your hardware certified for 6, if you have to get it recertified for 6E anyway shortly after?

6 doesn't add very much over 5 in real world setups, very few devices even support 802.11ax yet, and the bleeding edge has never been Mikrotik's target segment.

6E gear is not really available anywhere yet, so it's really only an issue for people who just have to have the latest gear at all times. For the majority of people, 802.11ac/wifi 5 is what their hardware supports, so that's what they need.

[mavhc]

According to people in their forums they don't support all the ac features either. Something to research if you're thinking of switching anyway.

[bpye]

It's an interesting idea to have a single pane of glass management experience for OpenWRT - given that all config is under UCI [0] it seems very possible. One of the things on my todo list is to try and get Nix to push config to my Unifi APs when I flash them with OpenWRT.

[0] - https://openwrt.org/docs/guide-user/base-system/uci

[posguy]

Take a look at https://openwisp.io/docs/ as it can accomplish this today.

[bpye]

That’s very neat - though I think orthogonal to my Nix plan. Certainly suits anyone that wants to manage multiple APs from the same interface however.

[bayindirh]

I know TP-Link is no Ubiquiti, but I run two identical small networks (VR-2100 routers with RE-200v4 extenders running in mesh mode), and it's pretty solid so far.

You can access your network from Tether app via cloud if you wish, too. When you enable Mesh, everything is controlled via the router. You don't need to manage anything on the extenders.

RE200 can work as an AP if you can get them a CAT5, or can provide wireless to Ethernet capability. I don't need home-wide VLANs and other exotic stuff (for a home network), but you can adjust QoS on the router in three levels and it has an embedded OpenVPN server if you fancy.

While not network related, you can temporarily or permanently turn off all LEDs on the devices so they don't create any light pollution, something I love to have.

All in all it's a great package, for my home network, at least.

[EricE]

Keep an eye on the Cisco Small Business line - no subscription, firmware updates without an account (yes, I am still talking about Cisco) and while the management console is a bit weak, I'd wager Cisco will mature faster than UBNT can get their crap together at this point :p

[kccqzy]

> Google WiFi creating loops in the network when users try to do wired backhaul

That's very surprising to hear. The decades-old spanning tree protocol can prevent that. I in fact have a friend who has done the exact same thing (Google Wifi with wired backhaul) with no problems. It switches from 802.11s to STP with no problems.

[simple_phrases]

Check out OpenWISP. It works with OpenWRT.

[growse]

I was going to look at OpenWISP, which looks like it can centrally manage a whole bunch of kit, including openwrt and also edgeswitch devices.

[frombody]

Meraki?

[bpye]

During this week I've been playing around with replacing my USG with my existing home server - it already has two NICs - my first thought was to run OPNSense in a VM but nftables on NixOS seems to work well enough - there are a few examples floating online [0,1]. OpenBSD even supports the USG [2] but I couldn't think of much reason to keep the extra hardware.

The next thing I want to do is reflash my Unifi APs with OpenWRT [3] - the hardware is fine, but at that point I'll get all the support without the controller software.

My home environment is fairly basic so moving away isn't too hard - this would obviously be much harder for a small business...

[0] - https://francis.begyn.be/blog/nixos-home-router

[1] - http://www.willghatch.net/blog/2020/06/22/nixos-raspberry-pi...

[2] - https://www.openbsd.org/octeon.html

[3] - https://openwrt.org/toh/ubiquiti/start

[zrail]

> The next thing I want to do is reflash my Unifi APs with OpenWRT

My understanding is that this doesn't work anymore because Ubiquiti started signing firmware. Your link also goes to a blank page.

[bpye]

That’s odd, the link works for me but the wiki was very slow earlier. From what I’ve read Ubiquiti have made it harder to flash new hardware, but even the new ax APs are supported by OpenWRT. There is a commit with some info - it seems there is a way to disable signature verification [0].

[0] - https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=fb...

[kelnos]

Depends on the hardware, I guess? I bought an AC AP Pro last fall and had no problem flashing OpenWRT on it.

[zbrozek]

I _do_ run opnsense in a VM and am very happy with the setup. My requirements for APs are simple but hard to satisfy. Ceiling mount, PoE, present-day-best 802.11 standard, and openwrt-capable.

[lostlogin]

> replacing my USG with my existing home server

I like this idea too, but would prefer that the router was physically separated and before any hardware that was in the network.

Is this a pointless concern?

[jefurii]

If you have your router in a separate box then you won't have to take down your whole network if you have to restart your VM host.

[vageli]

It's hard to say whether or not the concern is pointless without knowing its basis. Why do you want it physically separated?

[lostlogin]

I had assumed a setup which had several VMs, with one being a PFSense or similar to be less secure than a standalone firewall. Reading about the pros and cons leads me to conclude that security in a virtual setup is just fine.

[neolog]

If your server is vulnerable to some threat, adding another barrier in front of it could help.

[_pplp]

I mean, don't get me wrong, there absolutely _is_ somebody who's responsible for it, but I wouldn't place any money on Ubiquiti being able to figure out who it really was.

They want to brush this under the rug as fast as they can, and that means using the opportunity to pin it on somebody that's been "problematic".

[ex_ubiquiti]

I remember the cloud lead they hired out of Amazon was as toxic as they come. If he's still in charge I can see him blaming his own team members.

The culture at Ubiquiti collapsed in my last year there. The company was unrecognizable because everyone was quitting so fast.

[judge2020]

Given they were stupid enough to spin up some VMs, I doubt it was someone that knew what they had access to. A skilled attacker would stay dormant sucking up all data accessible via the AWS API (including s3 stuff) and potentially keep access to the infrastructure for years.

[throwaway8581]

This kind of analysis is basically worthless because you don’t know whether they are operating at multiple levels of deception by, e.g., making you think they are a stupid script kiddie and that you successfully wiped them out.

[LilBytes]

If they had root access to an AWS account, this is exactly what you would expect.

If there's a cyber security firm that's been hired to provide analysis they're going to be combing through egress traffic to find anything suspicious. But, egress traffic is difficult and expensive to analyse.

Worse yet, the attackers could easily just sit there and not use their attack methods for a little while and start up their compromises in weeks or months. You couldn't be certain nothing's still there till you ripped the AWS resources out and replaced them.

[smashed]

There is no evidence that this did not also happen.

[brippalcharrid]

And if it is happening, we might hear about that in a few years' time, if it's discovered, and if it's brought to light in circumstances that are conducive to the vendor making a public disclosure (eg. which are impossible to cover up).

[dylan604]

Are you volunteering for the role? It almost reads as if you are expecting to be named on a list of potential suspects.

[_pplp]

Heh... no. I quit two years ago, well before all this happened. I have ideas about who this "Adam" is, and I also have some suspicions about who they're accusing as the culprit. But that's all they are. Hunches.

[admax88q]

Or he _is_ the culprit trying to get ahead of the story.

[vmception]

yeah this is just a good as just saying it "has the hallmarks of a state-level attack", pointing at Russia and calling it a day

everyone believes it

[harry8]

That may have worn thin, nowadays. The average response here would have been described as cynical in the past. The Russia/China scapegoat had been way overused to the point where I'm cynical every time it comes up probably even where it's actually true, one time in a hundred or whatever.

Nobody blames the NSA in these circumstances, ever.

[Hjfrf]

Google did it with an allied op recently. Not NSA, but as close as we're likely to hear about. https://www.technologyreview.com/2021/03/26/1021318/google-s...

[elliekelly]

Do we know for sure it was an allied operation? Everything I saw mentioned a “Western government operation” which doesn’t necessarily exclude the NSA.

[inetknght]

> I'm just a guy who worked at Ubiquiti for a year

Would you be able to point to unofficial compatible operating systems for Ubiquiti devices? I want to remove Ubiquiti software from the devices I bought and paid for.

[ex_ubiquiti]

The gear is locked down to UniFi firmware. Some of us wanted to open it up to alternatives like OpenWRT but that wasn't an option for us.

[ghughes]

This quote says nothing at all. Obviously the perp is someone with intricate knowledge of their network.

They might as well come out and say they have well-developed evidence that the perpetrator has an IQ over 50.

[edoceo]

I hope you don't end up fulfilling your own prophecy

[_pplp]

I'm pretty sure I'm safe. I left as soon as I could (almost 2 years ago) once I realized how institutionally broken the company was.

[someonehere]

For LastPass, did they enforce the policy to mandate 2fa for everyone’s vault? Where I work they mandate 2fa be enabled. Some orgs overlook this.

[late2part]

So, did you do it?

[geoduck14]

When I'm bored, I sometimes intentionally take comments out of context, just to see where they go, I know this isn't what you ment, but I like to pretend:

>Form your own opinion, I'm just a guy who worked at Ubiquiti for a year, raising all kinds of hell about the security, architectural, and operational problems that I saw while I was there.

You are a lawn man/woman.

Security problems: I have to show my badge EACH TIME I go to the bathroom

Architectural problems: these bricks are the WRONG COLOR!

Operational problems: The painters used the WRONG COLOR OF OFF WHITE!

Again, I know this isn't what you ment, but I enjoyed transposing a well written critique of their software from (presumably) a knowledgeable software guy into a lawn person in a jumpsuit.

Thank you, amd have a good day.