by InTheArena 1383 days ago
Krebs's article specifically alleged malfeasance on Ubiquiti's part - that they were deliberately covering up a huge data breach.

This turned out to be untrue on three levels: 1) There was no cover-up. Ubiquiti disclosed the attack, was working with the FBI, working to identify what had happened, and in fact were already onto Sharp as an insider attack. 2) There was no large-scale data breach. 3) The claim that there was a huge cover-up was part of an extortion scheme that Krebs was (unwittingly) assisting in.

Yes, this is a standard insider attack - and Ubiquiti's security needed to be significantly better - but it doesn't change the fact that Brian Krebs reported false information - including information that he should have been in a position to know was untrue, at the very least in the second article, if not the first.

Ironically enough, the person at Ubiquiti who introduced the wider GitHub access to production secrets and the new policies that allowed Nick Sharp to get production access was - according to former Ubiquiti employees - Nick Sharp.

Who watches the watchers?


>> 2) There was no large-scale data breach

Says who? The FBI? Says Ubiquiti? I bet BOTH of those places have a reason to say that, and it is green and smells of dead presidents.

Get caught in a lie in front of a jury for a white-collar criminal prosecution with any sort of competent lawyer, and you never regain credibility. Regardless, the other points still stand.

It's incredibly hard to defend yourself if your head of security decides to extort you. They are the ones that design the protections to keep insider attacks from working. Luckily for Ubiquiti - the attacker screwed up his network configuration (VPN leak failure) which is also somewhat ironic.

>> Get caught in a lie in front of a jury for a white-collar criminal prosecution with any sort of competent lawyer, and you never regain credibility.

Which is great for mega corporations who are always innocent of any robber-baroning or impulse to make security a secondary consideration to profit.

>> Regardless, the other points still stand.

On feeble legs.

>> It's incredibly hard to defend yourself if your head of security decides to extort you. They are the ones that design the protections to keep insider attacks from working. Luckily for Ubiquiti - the attacker screwed up his network configuration (VPN leak failure) which is also somewhat ironic.

I tend to think if you have that problem, you are probably hiring people that are much like your company. To put it differently, a known liar telling a story doesn't automatically make it a lie. I suspect we will soon see how much Ubiquiti cares about its customer base. When that time comes, I will return to this post and ask you some follow-up questions.

Sounds good. I would not double down on Krebs right now. Or on the tinfoil theory that the FBI and Ubiquiti are lying about this.