You get great insight into the character of the leaders of a company watching how breaches are handled. Companies that put the customer first are transparent, and quickly take action (even if painful to customers) to ensure that customers’ data and systems stay intact and confidential. Companies that try to gloss over, hide or downplay things indicate that the leadership does not respect their customers and is only interested in maximizing profit/minimizing loss.
If I can vent for a second, this company has no leadership. None. Things may have changed in 2 years, but I doubt it. I was messaged almost daily by random employees asking wtf was going on with the company. They were afraid for their jobs. Practically no one respected the CEO, and he was the only C-suite exec. There. Was. No. Leadership.
There was no company wide communication, and all communication channels were made private, and if you sent an email to more than a couple people you were directly rebuked by the CEO. Nobody felt like they were trusted, and the norm was for most engineers to have absolutely zero idea of what was happening in the company outside of their direct project.
Teams were constantly at odds and pitted against each other, and the CEO never resolved any conflicts between teams or employees. The company (at least the software side) was treated like Thunderdome. Some team leads and office managers took care of their people, but most people were just beaten down. I don't think I'd ever seen a less motivated, more dejected group of software developers than I did during my time there.
IMO, this kind of bullshit clown show starts from the top. And as long as the top doesn't want to fix it, it won't get fixed. And since software almost invariably ends up reflecting the structure of the organization that produced it, you get this kind of security shit show.
I hope this is the last one and they get their act together. But realistically I can't believe that'll happen.
> There was no company wide communication, and all communication channels were made private
I couldn't understand why the ex-Amazon cloud lead was also in charge of Slack. When he made all channels private and put a Slackbot in every channel to monitor conversations, I knew it was all over. I'm worried his Slackbot logs are part of the leak. Guy had his hands in everything :(
Same guy who took over GitHub and forced everyone into his self-hosted source control because he couldn't trust GitHub. That decision didn't pay off.
> I couldn't understand why the ex-Amazon cloud lead was also in charge of Slack. When he made all channels private and put a Slackbot in every channel to monitor conversations, I knew it was all over. I'm worried his Slackbot logs are part of the leak. Guy had his hands in everything :(
He did.... what? That sounds like it's straight out of a Dilbert comic.
I mean, I didn't necessarily agree with all of his methods or reasoning on everything, but I've come to realize a lot of times his hands were just as tied as ours. And the draconian surveillance stuff? Yeah, he was directed to do that. One guess by whom.
He was "in charge" because he convinced Robert that he was the right guy for the job by finding a security flaw that let him log into Robert's personal UniFi Protect setup at his home. At that point Robert basically gave him carte blanche, but also started directing him to lock everything down. More than a bit of paranoia there, in my opinion.
He was in charge of cloud when he "found" a way to forge Ubiquiti SSO logins for any user using his root access to the SSO signing secrets.
In the Krebs article the whistleblower calls out forging SSO logins as one of the things that was compromised. If the attacker is really an ex-employee like Ubiquiti says, then it's scary that the SSO signing keys aren't even being rotated after the account forgery stunt.
> Adam says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies.
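The point raised above, that cookie-signing secrets must be rotated once anyone outside the service has held them, can be shown with a small model. This is an added example, not code from the thread or from Ubiquiti: it assumes a made-up cookie format `kid.payload.sig` (HMAC-SHA256 over a JSON payload), a toy keyring class with integer key ids, and a constructed scenario in which a copy of the current key is used to mint a cookie outside the service. Rotation here revokes every old key id, so anything signed under the leaked key stops verifying.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(data: bytes) -> str:
    # base64url without padding, as commonly used in cookie values
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(kid: int, key: bytes, user: str, ttl: int = 3600, now=None) -> str:
    """Mint a cookie 'kid.payload.sig' for any holder of `key` (assumed format)."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user, "exp": now + ttl}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    msg = f"{kid}.{payload}".encode()
    sig = _b64(hmac.new(key, msg, hashlib.sha256).digest())
    return f"{kid}.{payload}.{sig}"


class SsoKeyring:
    """Hypothetical SSO signing-key store: one current key, older ids revoked on rotation."""

    def __init__(self) -> None:
        self.current_kid = 1
        self.keys = {1: secrets.token_bytes(32)}

    def issue(self, user: str, ttl: int = 3600, now=None) -> str:
        return sign_cookie(self.current_kid, self.keys[self.current_kid], user, ttl, now)

    def rotate(self) -> None:
        """Generate a fresh key and drop every older key id (no grace period)."""
        self.current_kid += 1
        self.keys = {self.current_kid: secrets.token_bytes(32)}

    def verify(self, cookie: str, now=None):
        """Return the subject of a valid, unexpired cookie, else None."""
        try:
            kid_text, payload, sig = cookie.split(".")
            kid = int(kid_text)
            key = self.keys.get(kid)
            if key is None:
                return None  # signed under an unknown or revoked key id
            expected = hmac.new(key, f"{kid}.{payload}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig)):
                return None  # signature mismatch (tampered payload or wrong key)
            claims = json.loads(_unb64(payload))
        except ValueError:  # covers malformed base64, JSON and int()
            return None
        now = int(time.time()) if now is None else now
        if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
            return None
        return claims.get("sub")


def demo():
    """Constructed scenario: verification results before and after key rotation."""
    ring = SsoKeyring()
    legit = ring.issue("alice", now=1000)
    # Constructed: a copy of the live signing key leaves the service and is used elsewhere.
    leaked_kid, leaked_key = ring.current_kid, ring.keys[ring.current_kid]
    minted_outside = sign_cookie(leaked_kid, leaked_key, "admin", now=1000)
    before = (ring.verify(legit, now=1000), ring.verify(minted_outside, now=1000))
    ring.rotate()  # the only remedy once the key is known to be exposed
    after = (ring.verify(legit, now=1000), ring.verify(minted_outside, now=1000))
    return before, after


if __name__ == "__main__":
    print(demo())
```

Before rotation the service cannot tell its own cookie from one minted with a copied key; both carry a valid signature. After `rotate()` both are rejected, which is the cost of revoking a compromised secret: every legitimate session is logged out too, and a deployment that wants a grace period would keep the previous key id valid only for verification, never for issuing.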
From the outside it seems like accepting fault and product returns would smooth waters. Acknowledge faults on their own forums and Reddit subs and also provide timelines for fixes (then stick to them and update threads!)
The hardware is mostly good. The weird bugs and company management are turning a strong community of users against Ubiquiti.
Even as an outsider it's beyond obvious there is no leadership or vision other than cut costs.
After Brandon left, Unifi went to shit. There hasn't been one significant feature or major function added to Unifi since then. Routing hasn't moved at all in 7 years. Well, in a recent beta you can now have multiple WAN IP addresses. Whoopee. Switching hasn't gained anything - layer 3 is utterly missing. QoS? Good luck.
Unifi is fine for networks with simple needs, good for prosumer use or small businesses - but if you start to scale requirements it falls over pretty quick.
It was very promising when routing/switching was added to Unifi - but it's never been fully realized :(
> I hope this is the last one and they get their act together. But realistically I can't believe that'll happen.
The good thing about them being a public company is there is some accountability from outside the company. Looks like they're already being investigated for fraud for downplaying the breach and their stock price took a big hit. Hopefully this all leads to the CEO being replaced and things turning around.
Most of the US leadership and many of the US employees quit in recent years. The CEO wanted to focus on international offices where employees were cheaper. It was backfiring while I was there and I heard it only got worse after I left.
Sad situation. I knew a lot of good people there who cared about making good products during the UniFi glory days. Everything collapsed fast. I knew we were in trouble when the CEO's early employee friends were disappearing and their offices were being closed without warning.
I still see no realistic alternative for the "distributed decent wifi at a reasonable SMB scale" wireless product though. Meraki I guess is as close as it gets, but then you are locked in 100% to the cloud and it's certainly not remotely the same price point.
I am relegating Unifi to managing my APs and (some) switches for ease of use - while I enjoy CLI fun, it gets old doing routine stuff for the 100th time.
Hopefully another company really steps up in this space, because I can't imagine having to go back to the dark days of individually managed APs and all that.
Yeah but that is something Unifi only recently fixed with the Dream Machine. The standard Unifi Security Gateway maxes out below 100 megabit if IPS and IDS are enabled.
> You get great insight into the character of the leaders of a company watching how breaches are handled.
No, that is too late. You get an even greater insight, even sooner, into the leaders of a company based on the things they build. Does a hardware company try to force its users to move things to a proprietary cloud for no clear benefit? You know it's a company run by ar*eholes. Nothing more to know.