
Seriously. You want to ask the CTO to make artifacts public because you don't want devs to set or clear an attribute bit? Talk about entirely the wrong priorities.

Where did this coddled sense of entitlement come from? Are they creating their own SSH keys? Do they know the basics of the git cli? Or are these "magic commands" too? Do they know how to do their job?

I sympathise that Apple's tooling could be better, but the conclusion and tone are ridiculous given what could charitably be described as 'unique' requirements.

Our internal CLI tools have all largely been hassle free regardless of devs' OS. We do use GoReleaser, which abstracts away the multi-arch builds, signing, and publishing to GitHub and Homebrew, which can be criticised sometimes as a bit of a crutch. But it's also been zero hassle for all of our Mac devs (the most junior of which are still expected to be able to download and execute a binary from a terminal) and lets us get on with our day without prioritising 'requirements' that aren't even worth spending any time on.

Why would you even ship a command-line tool if your apparent need is to avoid the command line?


WB Discovery has been pretty clear it intends on launching Max in Australia as early as 2025, not coincidentally when Foxtel/Binge's HBO rights are up for renewal.

Also try telling that to poor Stan, now in 5th place having lost much of its licensed content to Amazon, Disney+ and Paramount+ entering the market.


I tried using the official client for a while but just couldn't stand it and switched back to Apollo about a month ago.

Sideloadly + ApolloPatcher was surprisingly easy to set up. Who knows how long it'll last, but it's basically set and forget once you create the Reddit+imgur API keys and enable wifi sync/auto refresh.


Regardless of his reporting at the time, Krebs has known since December when Sharp was arrested that:

- the supposed hacker was the goddamn Unifi Head of Cloud, using the access keys needed to do their job

- the initial internal investigation into the hack and ransom was being conducted by the attacker

- that the whistleblower account is a complete fabrication by the internal attacker and his reporting on a coverup is false

Ubiquiti aren't suing him for reporting on it, they're suing him for not retracting it properly once it was revealed how false it was. As per the filing:

70. Ubiquiti brings this litigation because of Krebs’s refusal to do the right thing and retract the March 30 article or the December 2, 2021 update, which continue to malign Ubiquiti’s reputation, damage its relationships with its stockholders, and disrupt its business operations.

Krebs and Corey are _way_ wrong on this.

There is plenty to be said and very valid criticisms about how Ubiquiti dropped the ball and handled the situation. The attack being an insider does not excuse them. But it invalidates much of the reporting.

Krebs was specifically and personally targeted by the attacker as a method of spreading false statements to damage the company and, by keeping the articles up, remains complicit and liable.


Erm, I took a quick read of the December 2, 2021 update ...

https://krebsonsecurity.com/2021/12/ubiquiti-developer-charg...

What part of that update is incorrect? Naming that update is not going to help their case, at all.

This lawsuit is likely doing the exact opposite of what Ubiquiti expected.

Before the lawsuit, I had some sympathy that they got jerked around by an ex-employee with major access and took it in the shins. I'm kind of in the glass houses and stones camp ... I doubt very many companies could withstand a high-level technical person going rogue. They found the problem. Now they're pursuing charges against him and that's rattling through the legal system. Sure, there's lots of reputational damage, but that's the kind of thing that happens when you centralize management of things--it makes them a high profile target (see: Solarwinds).

However, the lawsuit against a reporter is causing me to pause and think "Wow. Maybe they're actually institutionally incapable of recovering from this, worried that something else might get exposed and really do suck."

The lawsuit moved me from slightly sympathetic to Ubiquiti into "What kind of idiots think this is a good idea?" and looking for alternatives.


There's valid criticism to be said about the corporate structure and culture which allowed this all to happen, we're all in agreement on that, but the lawsuit (while probably not accomplishing exactly what they'd hoped for) is legit if you ask me, in the sense that a journalist must take responsibility for the stories they put out and the informants they trust.

I'm not a journalist so I don't know how these things are supposed to go, but shouldn't Krebs have verified his source's identity before publishing? Isn't that a thing journalists are supposed to do?

That said I think Krebs was right to publish the story at the time, but when it became clear that Adam actually was Sharp the story should have been retracted. Perhaps Krebs should even issue an apology at that time?


I've been on the other side of something similar to this. At a previous role, a security researcher was falsely claiming we had a backdoor. We considered litigation, but ultimately decided not to for a variety of reasons, but a major one was that there was no way that the optics would be anything other than "software giant sues researcher," and we would likely only serve to draw more attention to the claims.

I'd entirely forgotten about the Ubiquiti breach until today.


It might be more convincing if all the things you listed didn't make Ubiquiti look really bad for a company that needs you to trust them, given their gear is very cloud-y.

From my perspective this lawsuit looks like they've Streisand Effected the fact that they let their internal security be even worse than the initial accusations.

It's like finding out your financial advisor had all your money stolen, which is bad enough, and then it turns out it's because they gave their gardener the password to your bank account.


Where's the proof that Krebs knew that the whistleblower account was a fabrication?

Genuine question.

It seems to me that Krebs might be in a position to claim:

1. He honestly reported the facts as were made available to him.

2. Either:

A. He didn't know his original source was Sharp (quite feasible that Sharp disguised this)

Or

B. He did know his original source was Sharp, but felt compelled to continue to protect his source despite charges having been brought (innocent until proven guilty).

3. He took the view that nothing in the revelation of this hack as an inside job casts doubt on his initial reporting, which was about Ubiquity's response to the incident, not the attacker's identity.

We should at least wait to read the defence before drawing any conclusions.


> He honestly reported the facts as were made available to him.

Which is a more than adequate defense. See New York Times vs. Sullivan.


The truth is an absolute defense against libel, but what happens when that stops being true?


The parent comment referred to Sullivan v. NY Times, which ruled that a public figure (and I suppose companies count as such) have to prove not just factual error, but actual malice.


Seems like refusing to take down known inaccurate articles is at least suggestive of actual malice.


Again, "actual malice" doesn't mean "acting maliciously" in the colloquial sense. It's a legal term of art from the aforementioned NYT v. Sullivan case and is explicitly defined as "with knowledge that it was false or with reckless disregard of whether it was false or not." Publications leave up articles they know to contain falsehoods (that were believed to be true at the time they were written) all the time. Unless libel (and therefore actual malice) is shown, I don't know of any precedent that would imply an obligation to issue a retraction.


That appears to be Ubiquity's argument, but we've only got one side at the moment, and to my reading (uneducated as to US defamation law) it's far from proven.


Well yes you wouldn't expect anything to be proven at this point. There is only a complaint. We are discussing the reasonableness/plausibility of the allegation. All I'm saying is that to me it seems plausible.


> the supposed hacker was the goddamn Unifi Head of Cloud, using the access keys needed to do their job

If this comment from a former employee is correct then no, he had root access to a bunch of stuff for no good reason and their security stance is abysmal.

Nobody should have the root AWS tokens. They should be split between two teams and stored in a safe, and access should go through another method that is audited.

https://news.ycombinator.com/item?id=29456593


The employee in question was the head of their cloud, so he would have been the one to implement, or drive the implementation of, the proper access controls. Based on other employees' accounts of the guy, it sounds like people were trying to advocate for better access controls/separation but he didn't let it happen (presumably because he was planning on doing something like this).


> Krebs has known since December when Sharp was arrested that:

Criminal Accusations <> Facts until proven in a court of law. All Krebs knows at this point is Sharp was arrested.

And what we all don’t know at this point is whether Ubiquiti is competent enough to have unfettered access to all their customer networks because they failed to defend against insider threats.


Is it even possible for a company to defend itself from sabotage by the person who is presumably responsible for their security? Seems illogical.


> Is it even possible for a company to defend itself from sabotage by the person who is presumably responsible for their security? Seems illogical.

Off the top of my head:

a) Don't force your clients to add their networks to be accessible by your cloud; this was their entirely huge mistake, or by design to enable spying activities. The same way I can log into Unifi and set a switch port in promiscuous mode and forward the traffic to my remote IP, so can they.

b) Two people required for secure access to sensitive systems.

c) Sensitive gear on-premise under constant video surveillance.

d) Logging to remote servers under control of "internal security", not "security", regularly monitored by "internal security".

Companies do this and more. They do it by contemplating a solution to a problem rather than dismissing the solution as "illogical".


Remember "Apple’s insider-trading policy enforcer accused of insider trading"?

He got inside information from being...chairman of the committee that managed disclosure of sensitive information.

https://arstechnica.com/tech-policy/2019/02/lawyer-who-wrote...


They can design devices that are resilient to attacks by even themselves. That's hard when your whole pitch is "your devices are connected to the cloud!" though. But maybe that's the problem.


But shouldn't good journalists verify the identity of their sources before publishing stories?

