Ubiquiti Files Case Against Security Blogger Krebs Over 'False Accusations' (itwire.com) 32
In March of 2021 the Krebs on Security blog reported that Ubiquiti, "a major vendor of cloud-enabled Internet of Things devices," had disclosed a breach exposing customer account credentials. But Krebs added that a company source "alleges" that Ubiquiti was downplaying the severity of the incident — which is not true, says Ubiquiti.
Krebs' original post now includes an update — putting the word "breach" in quotation marks, and noting that actually a former Ubiquiti developer had been indicted for the incident...and also for trying to extort the company. It was that extortionist, Ubiquiti says, who'd "alleged" they were downplaying the incident (which the extortionist had actually caused themselves).
Ubiquiti is now suing Krebs, "alleging that he falsely accused the company of 'covering up' a cyberattack," ITWire reports: In its complaint, Ubiquiti said contrary to what Krebs had reported, the company had promptly notified its clients about the attack and instructed them to take additional security precautions to protect their information. "Ubiquiti then notified the public in the next filing it made with the SEC. But Krebs intentionally disregarded these facts to target Ubiquiti and increase ad revenue by driving traffic to his website, www.KrebsOnSecurity.com," the complaint alleged.
It said there was no evidence to support Krebs' claims and only one source, [the indicted former employee] Nickolas Sharp....
According to the indictment issued by the Department of Justice against Sharp in December 2021, after publication of the articles in question on 30 and 31 March, Ubiquiti's stock price fell by about 20% and the company lost more than US$4 billion (A$5.32 billion) in market capitalisation.... The complaint alleged Krebs had intentionally misrepresented the truth because he had a financial incentive to do so, adding, "His entire business model is premised on publishing stories that conform to this narrative...."
"Through its investigation, Ubiquiti learned that Sharp had used his administrative access codes (which Ubiquiti provided to him as part of his employment) to download gigabytes of data. Sharp used a Virtual Private Network (VPN) to mask his online activity, and he also altered log retention policies and related files to conceal his wrongful actions," the complaint alleged. "Ubiquiti shared this information with federal authorities and the company assisted the FBI's investigation into Sharp's blackmail attempt. The federal investigation culminated with the FBI executing a search warrant on Sharp's home on 24 March 2021." The complaint then went into detail about how Sharp contacted Krebs and how the story came to be published.
Krebs was accused of two counts of defamation, with Ubiquiti seeking a jury trial and asking for a judgment against him that awarded compensatory damages of more than US$75,000, punitive damages of US$350,000, all expenses and costs including lawyers' fees and any further relief deemed appropriate by the court.
Krebs' follow-up post in December had included more details: Investigators say they were able to tie the downloads to Sharp and his work-issued laptop because his Internet connection briefly failed on several occasions while he was downloading the Ubiquiti data. Those outages were enough to prevent Sharp's Surfshark VPN connection from functioning properly — thus exposing his Internet address as the source of the downloads...
Several days after the FBI executed its search warrant, Sharp "caused false or misleading news stories to be published about the incident," prosecutors say. Among the claims made in those news stories was that Ubiquiti had neglected to keep access logs that would allow the company to understand the full scope of the intrusion. In reality, the indictment alleges, Sharp had shortened to one day the amount of time Ubiquiti's systems kept certain logs of user activity in AWS.
Thanks to Slashdot reader juul_advocate for sharing the story...
Krebs' original post now includes an update — putting the word "breach" in quotation marks, and noting that actually a former Ubiquiti developer had been indicted for the incident...and also for trying to extort the company. It was that extortionist, Ubiquiti says, who'd "alleged" they were downplaying the incident (which the extortionist had actually caused themselves).
Ubiquiti is now suing Krebs, "alleging that he falsely accused the company of 'covering up' a cyberattack," ITWire reports: In its complaint, Ubiquiti said contrary to what Krebs had reported, the company had promptly notified its clients about the attack and instructed them to take additional security precautions to protect their information. "Ubiquiti then notified the public in the next filing it made with the SEC. But Krebs intentionally disregarded these facts to target Ubiquiti and increase ad revenue by driving traffic to his website, www.KrebsOnSecurity.com," the complaint alleged.
It said there was no evidence to support Krebs' claims and only one source, [the indicted former employee] Nickolas Sharp....
According to the indictment issued by the Department of Justice against Sharp in December 2021, after publication of the articles in question on 30 and 31 March, Ubiquiti's stock price fell by about 20% and the company lost more than US$4 billion (A$5.32 billion) in market capitalisation.... The complaint alleged Krebs had intentionally misrepresented the truth because he had a financial incentive to do so, adding, "His entire business model is premised on publishing stories that conform to this narrative...."
"Through its investigation, Ubiquiti learned that Sharp had used his administrative access codes (which Ubiquiti provided to him as part of his employment) to download gigabytes of data. Sharp used a Virtual Private Network (VPN) to mask his online activity, and he also altered log retention policies and related files to conceal his wrongful actions," the complaint alleged. "Ubiquiti shared this information with federal authorities and the company assisted the FBI's investigation into Sharp's blackmail attempt. The federal investigation culminated with the FBI executing a search warrant on Sharp's home on 24 March 2021." The complaint then went into detail about how Sharp contacted Krebs and how the story came to be published.
Krebs was accused of two counts of defamation, with Ubiquiti seeking a jury trial and asking for a judgment against him that awarded compensatory damages of more than US$75,000, punitive damages of US$350,000, all expenses and costs including lawyers' fees and any further relief deemed appropriate by the court.
Krebs' follow-up post in December had included more details: Investigators say they were able to tie the downloads to Sharp and his work-issued laptop because his Internet connection briefly failed on several occasions while he was downloading the Ubiquiti data. Those outages were enough to prevent Sharp's Surfshark VPN connection from functioning properly — thus exposing his Internet address as the source of the downloads...
Several days after the FBI executed its search warrant, Sharp "caused false or misleading news stories to be published about the incident," prosecutors say. Among the claims made in those news stories was that Ubiquiti had neglected to keep access logs that would allow the company to understand the full scope of the intrusion. In reality, the indictment alleges, Sharp had shortened to one day the amount of time Ubiquiti's systems kept certain logs of user activity in AWS.
Thanks to Slashdot reader juul_advocate for sharing the story...
I'm on Team Ubiquiti for this one (Score:2, Informative)
Krebs allowed itself to be manipulated by a disgruntled employee looking to extort money from Ubiquiti. Krebs has credibility on security-related matters, and his platform made the accusations appear serious. This feels solidly in Richard Jewell territory and I wouldn't be surprised if Krebs ends up paying.
Re:I'm on Team Ubiquiti for this one (Score:5, Informative)
Not me. I will happily donate my Ubiquiti stock dividends for the last year for Krebs' defense. Ubiquiti was not at all transparent with what had happened, how to address it as a customer, or what they were doing to prevent it from happening again.
Ubiquiti has been pushing cloud authentication on their customers, and making things only accessible via cloud despite local access (layer 3) being available. They have not been updating all their router firmware (over 18 months now IIRC), and time and time again they have shown a pattern of not prioritizing security.
While Krebs may have been manipulated, that does not amount to defamation. It was a plausible assessment.
Re: (Score:3)
I looked at their gear because the performance is decent, but the lack of web and SSH administration was a deal breaker.
Went with TP Link in the end. Very happy with their gear.
Re: (Score:2)
The EdgeRouter/EdgeSwitch line has full ssh and web based control. You just need their java controller for the access points and Unifi line routers and switches.
I do actually love the EdgeRouter line... it is easy to add wireguard and IKEv2 vpn options, and the hardware has been very reliable. I must have 5 old units in a drawer in my home office, and we have been using them for about 8 years at work with good results. (For home the EdgeSwitches are just too much work, and I use Unifi.)
But, with my secur
Re: (Score:3)
The fact that they are demanding a trial by jury is a strong sign they don't have a case that a rational judge would grant them.
Re: I'm on Team Ubiquiti for this one (Score:2)
Agreed that the jury aspect is going to be in part to get to a lay audience, rather than a legally informed judge.
The big finding of fact they need is the level of fault. Defamation must be shown to have fault amounting to at least negligence. He had sources for the story, and the event happened, so the question will be if the statements amount to at least negligence. The fact is determined by the jury.
Given the facts around it, including the sources cited by name, I would have a hard time calling it defa
Re: (Score:2)
He had sources for the story, and the event happened, so the question will be if the statements amount to at least negligence.
He also has evidence (which Ubiquiti has not challenged afaik) that they actually did downplay it.
Re: (Score:2)
Re: (Score:2)
I'd go with a possible lack of journalism skills - he's a security researcher, not a journalist.
I believe he is actually a journalist, not a security researcher. At least this is how Wikipedia introduces him
Re: (Score:2)
Re: I'm on Team Ubiquiti for this one (Score:2)
Krebs is a respected journalist and was quoting a reputable source. He is not responsible if the source lied. If this lawsuit succeeds it will be a crushing blow to journalism.
Are we for or against Krebs? (Score:2)
The summary makes it sound a bit like Ubiquiti is on the right here. But at the same it has no less than 4 links to krebsonsecurity.com.
I mean, I have no idea about this Krebs guy or Ubiquity, it's just that this post is very confusing in that it seems to be going overboard with trying to push traffic onto that site with multiple links, but the actual content of the summary is rather critical.
Re: (Score:2)
The truth is probably somewhere in the middle. Krebs has a great reputation and this PR might be for image, but he may have single-sourced the claims.
But if we're talking security, Ubiquiti abandoned their "Pro" AP's which were heavily sold into education with a broken critical function (GCM key rekeying bugs IIRC from two years ago) leaving customers having to downgrade and lock to a vulnerable version. The boards were lit with irate customers when I looked into it for a site that just went down for severa
Re: (Score:2)
According to TFS, Krebs said Ubiquiti downplayed the severity of the event, and Ubiquiti is alleging that Krebs said Ubiquiti attempted to conceal the event. Assuming TFS can be believed, Ubiquiti is clearly in the wrong here. Their statement provides strong circumstantial evidence that Krebs is correct because Ubiquiti is citing the next SEC filing following the breach as evidence of public disclosure. But while that is a public filing, it is hardly the way that you notify the public if you want them to ac
So, surfshark sucks then? (Score:2)
Is anyone leak-testing VPNs to see which ones fail this way. I know NordVPN has an automatic block option when the connection goes down, but whether it's effective for all packets I have no idea.
Can Ubiquiti win? Do they care? (Score:4, Interesting)
Re:Can Ubiquiti win? Do they care? (Score:5, Informative)
Had I mod points, I would mod you up.
Ubiquiti had a long road ahead of it if they want to prove defamation.
A public figure (Ubiquiti the company) needs to prove "actual malice [wikipedia.org]". That is, that Krebs said something that not only was false, but which he knew at the time (or reasonably should have known) was false.
However, the lawsuit was filed in Virginia, which doesn't really have an Anti-SLAPP law [anti-slapp.org]. (Probably chose that venue specifically for that feature.)
For reference (and not that you said anything contrary), Anti-SLAPP isn't a cure-all, but it does reduce the cost of a lawsuit tremendously: by cutting the lawsuit off short of discovery, and by putting the costs on a losing plaintiff.
Re:Can Ubiquiti win? Do they care? (Score:5, Informative)
This is what they have to prove:
In the United States, a person must prove that the statement caused harm, and was made without adequate research into the truthfulness of the statement. This is for an ordinary citizen. For a celebrity or public official, one must prove that the statement was made with the intent to do harm or with reckless disregard for the truth
Since Ubiquiti requested a jury trial, that's a sign they don't think they can win without an appeal to emotion.
Looking at the post, https://krebsonsecurity.com/20... [krebsonsecurity.com] there is a LOT of evidence that Ubiquiti downplayed the seriousness of the breach.
Re: (Score:2)
Krebs is a pretty big creep. He changes his articles often many times after publishing without explanation and deletes comments on his articles that poke holes in his narrative.
So, what you see in the article today might not be what was in the article originally and half of the post was probably submitted by readers.
Re: Can Ubiquiti win? Do they care? (Score:2)
I don't understand Ubiquiti's game here.
The amount of money they'll get is a pittance even if they win. Having some random jury say that Krebs was wrong will also not be very convincing to their customer base.
And from reading some of these articles, right or wrong, Krebs tried to get their side and they declined to comment.
Working with Krebs (or some other respectable security publication) to explain what actually happened would have better achieved their goals of convincing people they acted responsibly, o
Re: Can Ubiquiti win? Do they care? (Score:3)
The legal standard is fault amounting to at least negligence.
The fact that he had named sources makes the claim against him quite difficult. He had named sources for facts (even though one named source was accused of committing the crimes in the first place), and for a journalist that is the professional standard. The rest could be considered opinion based on the verified stories.
I don't see this surviving to trial.
Ubiquiti ? (Score:2)
I think Ubiquiti only survives on the fact so many "geek" types in I.T. hold them in high regard.
You can hardly visit a forum about networking without seeing the posts from people preaching Ubiquiti gear for practically every purpose and solution. (Cisco? Oh, you don't want THAT overpriced garbage! Get the Ubiquiti! What, you just get by fine with Netgear stuff at home? No, man ... you need Ubiquiti!) Meanwhile, the stuff has a high RMA rate from what I've seen, and has MAJOR supply shortage issues righ
Re: (Score:2)
Hi King_TJ, I have heard a lot about those RMA rates since Ubiquiti gear has only 2-year warranty; it seems a common grief against Ubiquiti gears. However I wonder about the original source of that information - I can't find anything online about return rates (let it be Ubiquiti, Cisco or anybody else for that matter). Is that a real thing or a rumor possibly spread by its competitors?
On the side of supplying issues, this is a real thing as an Ubiquiti vendor already warned me about difficulties in getting
How would you know about anything from them? (Score:1)