Hacker News
by balentio 1383 days ago
You guys are thinking about this in a very cloudy kind of way. Assuming that Ubiquiti was being blackmailed, they have a security problem in who they hire (someone who held user data for ransom). Assuming they were not being blackmailed, but had a security hole in their software, Ubiquiti has a security problem.

Krebs's reporting comes from a potential conflict of interest, in that the person who might have been trying to blackmail was also the source. Defamation is not really the issue then, because the source was pointing at a security problem which they happened to also be the cause of. The entity that hired this person was...Ubiquiti! Hence, it is not really defamation AS SUCH. Rather, if anything, it was true but maybe blown out of proportion to get a larger sum of money from Ubiquiti. We don't know how much info the person got their hands on, because Ubiquiti would be to blame for that, wouldn't they?

So, ultimately, I think taking down the articles is a mistake, in the sense that they reported on a problem either way with Ubiquiti and security. Take off the ad revenue from those articles, and issue a modified retraction about the conflict of interest the source held as a correction. Use it as a cautionary tale on "sensationalism" and "not always knowing what the hell someone is doing when they report a leak" and move on.

1 comment

Krebs's article specifically alleged malfeasance on Ubiquiti's part - that they were deliberately covering up a huge data breach.

This turned out to be untrue on three levels: 1) There was no cover-up. Ubiquiti disclosed the attack, was working with the FBI, was working to identify what had happened, and in fact was already onto Sharp as an insider attack. 2) There was no large-scale data breach. 3) The claim that there was a huge cover-up was part of an extortion scheme that Krebs was (unwittingly) assisting in.

Yes, this is a standard insider attack - and Ubiquiti's security needed to be significantly better - but it doesn't change the fact that Brian Krebs reported false information - including information that he should have been in a position to know was untrue, at the very least in the second article, if not the first.

Ironically enough, the person at Ubiquiti who introduced the wider GitHub access to production secrets and the new policies that allowed Nick Sharp to get production access was - according to former Ubiquiti employees - Nick Sharp.

Who watches the watchers?

>> 2) There was no large-scale data breach

Says who? The FBI? Says Ubiquiti? I bet BOTH of those places have a reason to say that, and it is green and smells of dead presidents.

Get caught in a lie in front of a jury for a white-collar criminal prosecution with any sort of competent lawyer, and you never regain credibility. Regardless, the other points still stand.

It's incredibly hard to defend yourself if your head of security decides to extort you. They are the ones that design the protections to keep insider attacks from working. Luckily for Ubiquiti - the attacker screwed up his network configuration (VPN leak failure) which is also somewhat ironic.

>> Get caught in a lie in front of a jury for a white-collar criminal prosecution with any sort of competent lawyer, and you never regain credibility.

Which is great for mega corporations who are always innocent of any robber-baroning or impulse to make security a secondary consideration to profit.

>>Regardless, the other points still stand.

On feeble legs.

>>It's incredibly hard to defend yourself if your head of security decides to extort you. They are the ones that design the protections to keep insider attacks from working. Luckily for Ubiquiti - the attacker screwed up his network configuration (VPN leak failure) which is also somewhat ironic.

I tend to think if you have that problem, you are probably hiring people that are much like your company. To put it differently, a known liar telling a story doesn't automatically make it a lie. I suspect we will soon see how much Ubiquiti cares about its customer base. When that time comes, I will return to this post and ask you some follow-up questions.

Sounds good. I would not double down on Krebs right now. Or on the tinfoil theory that the FBI and Ubiquiti are lying about this.