I'd be surprised. Here's an actual quote from one of their changelogs:
"Do not choose the skip option when running the Migrate Site wizard. If you do your devices may end up in a weird state."
I'm gonna go searching for it but, in the meantime, anyone know the process for submitting a hostname to be added to any of the lists used by PiHole, et al.?
The hostname that Ubiquiti is using -- trace.svc.ui.com -- seems like exactly the thing that should be blocked, IMO.
---
FWIW, if you're using PiHole and want to block these access points from "phoning home", you can simply do the following:
This will cause dnsmasq, the underlying resolver, to return NXDOMAIN for any such queries.
---
EDIT:
Apparently the "pihole" utility has functionality built-in to blacklist domains (via /etc/pihole/blacklist.txt). Instead of the above, you can simply use:
$ pihole -b trace.svc.ui.com
This will result in the IP address "0.0.0.0" being returned (with a TTL of two seconds) for any manually blacklisted hostnames (the same way that PiHole normally responds to queries for blocked domains) although, personally, I still prefer NXDOMAIN.
Don't mess with the generated config file on the EdgeRouter, it'll just get replaced next time you reconfigure it or a firmware update is applied. Just add the following to the config.
set service dns forwarding options server=/trace.svc.ui.com/
Or if you have dns forwarding using the system resolver you could also just add it to the hosts file via something similar to this.
set system static-host-mapping host-name trace.svc.ui.com inet 0.0.0.0
Ubiquiti owners are not happy after the app outage on Halloween that wasn’t disclosed on their status site. They’re also not happy Ubiquiti apps require logging in through their cloud service vs directly to the device.
Don't bother reading through the responses -- it's mostly others arguing about what GDPR is or isn't. Ubiquiti's official response [0] is near the bottom of the thread:
> We have started to gather crashes and other critical events strictly for the purpose of improving our products. Any data collected is completely anonymized, GDPR compliant, transmitted using end-to-end encryption and encrypted at rest. There is no on/off switch but there also are no penalties for blocking Internet access to the device, dropping traffic to this host, and/or blocking it via DNS.
> ...
> The memory leak that you reference above was a bug specific to release 4.0.60 which was fixed as of 4.0.61.
Is it even possible for this to be GDPR-compliant without even a way to opt out? I’m not very well-read in the subject, but I thought stuff like this had to be opt-in under GDPR?
As far as I know, GDPR only applies to data that somehow relates to a person. If telemetry e.g. only sent build number + backtrace for crashes and the IP address wasn't logged, it seems like that would be allowed under GDPR.
The Usage Data that we collect may include information such as your device data, including your mobile devices, sensor data, device signals, device parameters, device identifiers that may uniquely identify your devices, including your mobile device, web request, Internet Protocol address, browser type, browser language, referring/exit pages and URLs, platform type, the date and time of your request, and one or more cookies that may uniquely identify your devices or browser. IN ADDITION, WE MAY AUTOMATICALLY COLLECT LOCATION INFORMATION (INCLUDING LATITUDE AND LONGITUDE), PERFORMANCE DATA, MOTION DATA, TEMPERATURE DATA, POWER USAGE DATA, AND ANY DATA OR SIGNALS COLLECTED BY THE DEVICES AS PART OF THE USAGE DATA. WE DO NOT COLLECT THE CONTENTS OF ANY COMMUNICATIONS THAT PASS THROUGH OUR DEVICES OR SERVICES.
-----------------------
By this desription, it certainly isn't GDPR compliant. device identifiers/data etc.. is PII in GDPR context and requires a legal basis for processing.
> There is no on/off switch but there also are no penalties for blocking Internet access to the device, dropping traffic to this host, and/or blocking it via DNS.
No way to opt out? Seriously? This kind of telemetry BS where you have to set up firewalls is really getting on my nerves, after microsoft started doing it it seems like every company considers this behavior acceptable.
> There is no on/off switch but there also are no penalties for blocking Internet access to the device, dropping traffic to this host, and/or blocking it via DNS.
---
> I guess hiring real testers isn't cool anymore.
Have you used any Ubiquiti products? I'm not sure that they ever hired "real testers".
That could just be an unlucky coincidence that you have two with some kind of hardware fault... Sounds best to just RMA them. None of our Ubiquiti stuff does anything like that so I can’t believe that’s in any way normal.
I would not be surprised AT ALL to find that they aren't doing certificate validation, however... in which case it'd be trivial to MITM the connection and find out just what they're sending.
That is a scenario that actually is good - because then at least you can know what goes out to the mothership. Otherwise, well, who knows. Maybe it's crash reports, maybe it's the names of your fetishes.
as their official response[1] was pretty much "it's outlined in our policies and ToS" then here is what their privacy policy[2] says they collect:
-------------------
Usage Data. As described in this section, we may automatically collect information when you use the Services ("Usage Data"). The Usage Data that we collect may include information such as your device data, including your mobile devices, sensor data, device signals, device parameters, device identifiers that may uniquely identify your devices, including your mobile device, web request, Internet Protocol address, browser type, browser language, referring/exit pages and URLs, platform type, the date and time of your request, and one or more cookies that may uniquely identify your devices or browser. IN ADDITION, WE MAY AUTOMATICALLY COLLECT LOCATION INFORMATION (INCLUDING LATITUDE AND LONGITUDE), PERFORMANCE DATA, MOTION DATA, TEMPERATURE DATA, POWER USAGE DATA, AND ANY DATA OR SIGNALS COLLECTED BY THE DEVICES AS PART OF THE USAGE DATA. WE DO NOT COLLECT THE CONTENTS OF ANY COMMUNICATIONS THAT PASS THROUGH OUR DEVICES OR SERVICES.
Needs to be opt in: Some of my customers would be happy to have crash logs sent to Ubiquiti. Others that fall under HIPAA or PCI need this turned off - otherwise I'll have to bill them to block it at the DNS level.
I think "analytics" has become a no-brainer among product managers at all tech companies. It seems like no company, not even GitLab, can escape the irresistible urge by management to add analytics. Arguments against it within the company are useless, it is just so obvious to management that this is the way to go, it's what all big successful companies do. Only massive public outrage can turn the accepted wisdom of analytics around, and only sometimes.
High quality products were made for many years with no analytics, just by thoughtful design, using the product yourself, and gathering some feedback from users manually. Even without statistically representative data from some large target population, you can use your brain to figure out what goes wrong and how to make a good product.
And I think lots of products today are quite annoying because of bad decisions based on flawed analytics data. It's hard work to run a good experiment and avoid confounding correlations and plain bugs that throw off the results, and practically nobody today does the hard work. They just run the analytics, get some flawed buggy numbers, interpret them without sufficient care and thoughtfulness, and push through bad design changes. We're data-driven! We're just not looking at the road.
This is my biggest concern about present and future technology. For example, many car manufacturers are sharing real-time sensor data from their vehicles, including GPS, with third parties. There's no clear opt out. Is it anonymized? Can it get misused? Sadly yes.
The freedom and transparency we got from PCs where you can always know what is going on, with some caveats, is missing from all other platforms. And it's really worrying.
If we let them they will do it to PC's eventually too. We have to fight for our rights. I think cell phones have normalized it for far too many people.
Win10 analytics (and forced updates) is what finally pushed me to exclusively using linux after many years of dual-booting. There are still choices thankfully (for now).
Since the mandatory telemetry in Windows 10 (and the backports to Windows 7 onwards if you trusted Microsoft and installed their recommended updates) we don't even have that transparency on PCs, sadly.
But I agree, it's a serious problem. The abuse has become so widespread that I am now in favour of heavyweight statutory regulation and severe penalties for violations. I don't see any other way we come back from this situation now. Competition in the market has utterly failed.
That's great unless you need software that is not available on Linux. Not all businesses have that choice, but they might still care about privacy and security.
True, but at least for personal use you could make that sacrifice of replacing and re-learning stuff as much as possible. Tbh, from an employee's POV I don't even care that much if my company wants to take that risk.
I'm the person (one of them) responsible for my own businesses, so I look at things a bit differently. It's on me and my colleagues if we don't have proper security in place, or we violate confidentiality agreements or NDAs or GDPR or other privacy/data protection rules. Looking at the amount of essential software and equipment that is now actively hostile to even basic security and privacy, when you're talking about things like your networking gear or your operating systems or your everyday development tools betraying you, it's now all but impossible to buy new stuff and still be professional about safeguarding privacy and security now, and it shouldn't be. It's going to hurt a lot of people sooner or later, probably sooner, and it's going to cost a lot of businesses a lot of money too.
I brought PCs as an example because it's a relatively open hardware platform and you can run Linux or BSD and have an imperfect control of everything that is going on.
On phones, things have gotten much worse. Although you can flash a relatively open ROM in case of Android, good luck controlling what the baseband does behind the scenes.
And if we talk about cars and other devices like smart watches, there's often zero openness.
good luck controlling what the baseband does behind the scenes
I actually have a lot of sympathy with that one, because radio transmission is one of those areas where one idiot who thinks he's clever and should have total control of his device can literally disrupt entire networks for everyone else over a wide area, with the obvious serious consequences. Modern wireless communications systems rely much more than most people realise on conventions and standards and everything playing nice, so regulating such that only licensed practitioners are authorised to make parts that transmit within prescribed specifications is not an absurd idea.
Of course, that doesn't mean a closed part of the system like radio control should have any access to any other part of the system. It ought to be essentially a firewalled client of the more open parts of the system. And if it's going to be regulated and controlled then the people licensed to develop those components should be required to have them only perform the defined function according to standardised specs, without anything else piggybacking on top.
Yes, that's true. That's why if there is regulation allowing them to be closed units and limiting who can make them, I'm also in favour of that regulation restricting their functionality to only standardised specs (and regulators being able to audit this and impose meaningful penalties for compliance failures).
My theory is that they hunt like lunatics this engagement and time spent number. My engagement increased with new Gmail because it's slow as fuck. Of course I click around like a clown and wait, probably product manager happy that people use their product for longer now.
Maybe your "engagement" increased, but in this case your "time to task completion" did not. In most cases analytics is much more nuanced than you might think. And the reason why something got worse for you is because it got better for someone else.
So they're driving down the time it takes to do what they magically infer I'm trying to do. Is this why whenever I try to organize my gmail box I give up 10 minutes in because the UI is slow and bullshit? Because it's good for metrics that I can't make my gmail account anywhere near as useful as my work email?
It's amazing how slow Google products are becoming. Firebase is my own pet peeve: opening a single crash report takes easily 20-30 seconds. It's unbelievable. Should be a split second for fluid workflow. Aren't they using their own products? How is this acceptable to any engineer or manager?
I'd use anything else for the slowness alone if I could decide the tools at work myself.
I am going to report it is slow on both, when the bs is disabled. Especially slow on other browsers. You know there are other browsers right? Google seems confused and angered when I dont use one of the 2 they own. Firefox is only around because they fund it discreetly to avoid antitrust, while is still sends them nearly all the same tracking metrics.
Glad it's not just me. I have an HTC 10, which was a flagship phone when released 3 years ago. Every single third-party app I use, including some moderately demanding games, works perfectly fine. Every single Google app is at the very least frustratingly slow, like Gmail, if not outright unusable, like Maps. It seriously pauses for 5-10 seconds anytime anything on the screen changes. One has to tolerate several such pauses to simply search for a location. This is on their own damn platform for crying out loud.
The best part is that 10 years ago I used to have an absolute piece of dog shit WinCE phone that failed to even keep up with my typing speed in its stock SMS app. Google Maps worked perfectly on that device.
In my experience analytics usually become a hot topic in product group of the company when product evolution stop. We did all the major features but we still need growth, so to pick new direction we need some insight on our users.
What you describe is a caricature of a product manager. In reality, differences or changes in “time spent” or other metrics are extremely useful to explain problems and opportunities for improvements that might otherwise be missed.
Most certainly you could misuse the statistics for blind number worshipping, and I’m sure there are many anecdotes of that kind of behaviour. But I’m also quite certain that successful organizations can use these to improve their products in meaningful ways. I suspect any gmail product manager who tried to slow down their product (or resisted fixes) to improve meaningless time spent metrics would be crucified.
The data you are likely to get from this sort of spyware is typically less useful than even a few sessions watching real users actually using your product and actively collecting their voluntary feedback.
Source: I am basically the person you are talking about, in one of my current roles.
This is also why everything is mobile-first now. So many web-based applications insist that users install a mobile app for half of the functionality because that gives them a much stickier place to attach.
On a browser, it's drive-by, and your ability to track users is gone once they leave your site, especially with vendors like Mozilla and Apple implementing third-party cookie blockers by default and the ubiquity of adblock.
On a phone, if you install something, you'll probably leave it for at least a few days, and if you watch logcat, you'll notice that many of these apps are anything but patiently waiting for the user to decide open it up again.
>On a browser, it's drive-by, and your ability to track users is gone once they leave your site, especially with vendors like Mozilla and Apple implementing third-party cookie blockers by default and the ubiquity of adblock.
There is a way to hijack the back button, i have no idea if it has been fixed, there are also tracking cookies so they can track you cross sites anyway.
And OpenBSD/octeon[0][1] appears to run on UniFi Security Gateway.
Just ~ two weeks a go I finally retired my old OpenBSD based gateway in favor of USG. But no, I guess I'm back to putting OpenBSD on USG, and maybe OpenWRT on APs.
Is there a working replacement OS for Ubiquiti PoE switches?
But here lies the dilemma: do I trust them? If I put in a rule to block their telemetrics, would USG honor that rule? Not just now, but after some firmware update that 'breaks' something. Or maybe I have to put another box in front of USG that I actually trust to be certain that call home got blocked. And even if I block this call home, maybe it changes to something else in next version or the next that now needs to be blocked as well. And maybe the data being sent home changes to more draconian over time as the marketing department gets greedier. And so it goes.
When I buy [network] equipment, it is my expectation that since I own the HW, I am to a certain degree in control of what they do and to whom they 'talk to'. And call-home / telemetrics without at least opt-out just doesn't sit well with me here.
You actually can't* use the firewall to prevent a USG or EdgeRouter from phoning home as the WAN_LOCAL rules only apply to inbound traffic.
* Possibly by some other combination of dropping Established/Related traffic. I think that'll get gnarly for the instances where WAN_LOCAL traffic is needed -- VPN, connectivity checks for load balancing, etc.
Not sure what you're quoting, but you are misinterpreting it. The IN / OUT rulesets absolutely do not impact traffic that originated from or is destined to the router itself.
Just now I verified with the following partial ruleset on a EdgeRouter I have in production:
set firewall name WAN_OUT default-action accept
set firewall name WAN_OUT rule 300 action drop
set firewall name WAN_OUT rule 300 description 'block 1.1.1.1'
set firewall name WAN_OUT rule 300 destination address 1.1.1.1
set firewall name WAN_OUT rule 300 protocol all
set interfaces ethernet eth0 firewall out name WAN_OUT
Devices behind that ER can no longer communicate with 1.1.1.1, but the ER itself can.
The only way to filter traffic from the router would be to drop the standard "Allow Established / Related" rule from WAN_LOCAL, retain the default drop action, and make specific rules allow whatever the router should be permitted to communicate with. And that would still allow packets to escape the router -- for TCP the communications channel is effectively dead since the handshake can never complete, but it could blast out all the UDP it wants.
Yes, and it works quite well. I've flashed the latest OpenWRT on my Unifi AP for a test, I'm really impressed with the performance. It also adds more features with OpenWRT packages.
Do note that some ubnt devices have custom firmwares blocked on newer software versions. For example Unifi AP and LR:
I discovered when trying to place an order for some of their networking gear for my vacation home in Thailand they simply refused to allow the order to go through because I wasn't in the US - Even though I was ordering to my US Address. It wasn't even due to fraud, they refused to sell something that might be used out of the US for 'legal reasons'. So why have I been able to order networking hardware from every other manufacturer with no problem? When I buy an iPhone, does Apple forbid me from using it as a hotspot outside of the country I bought it from? No of course not, that would be ridiculous.
Try buying an iPhone from the US store and have it shipped internationally. Or try buying one of their products that have only been released in the US, abroad.
> Firewalling access points, good practice or not, should not be necessary.
It is now, it seems.
Having seen what kinds of data crash reports in other domains include (the richer the call chain trace, the better) I expect this to be a subtle security problem. In regulated or otherwise highish-security networks one can expect to see user authentication when accessing wifi (EAP).
Simple scenario: AP crashes during client auth stage. A full crash trace may easily contain the credentials used for EAP, and if those are sent to mothership, your access point has just leaked out the necessary information to successfully access your secure network. Worse, when EAP is used, the login is likely bound to domain credentials, which are practically guaranteed to allow access to all sorts of internal services.
To state the obvious: best practice with crash traces is to filter out or mask high-value KV pairs. But then again, best practices also disallow leaking credentials in the first place.
For my part, I will now consider Unifi APs as rogue devices.
Ok, I’m trying to set up a block for this within the unifi interface itself. Looks like the best option is a firewall rule dropping all “wan out” traffic originating from my access point. Am I missing a better option?
I would prefer returning NXDOMAIN for that host; with blocked IPs, once ubnt changes their dns, your rules will be obsolete.
On the other hand, I never understood how to configure dnsmasq on usg in a permanent way (not only blocking hosts, but also static SRV and TXT records). It it supposed to be done via gateway.config.js, but finding the right json keywords is the issue. Is there someone who can drop some hints?
I found a funny problem with ubiquiti access points. They don't broadcast country code so A neighbouring access point doing so may easily make ubiquity network unusable (many devices, especially macs, disconnect automatically in case they see cc discrepancies).
It may make a nice attack to ubiquity-based infrastructure, their customer support ignores me and nearly advices me to sell the hardware and buy something else.
Sigh. I thought about trying an open source router before settling on a Ubiquity AP + USG. It seemed like a solid investment, into a company that was pretty well trusted.
The lesson I’m learning is, maybe it’s worth it to pay more to get less sometimes.
I think my best bet would be to install OpenWRT on the AP and sell + replace the USG. Not sure with what. It'd be kind of cool if I could have a router running NixOS so I could keep the configuration declarative, but pfSense is the obvious preferred choice in the community, so maybe I will just get a device designed to run pfSense.
I dunno if messing with tech support will really "send a message," so I will just send feedback through the regular channels. Chances are, it will get ignored. Chances are pretty much anyone that isn't a huge customer doesn't matter.
EDIT: I'm wrong - 4.0.66 has been promoted to stable. The rest of this post, while sort of still valid, is incorrect.
This is in a BETA version of the firmware. BETA.
You have to sign up to get access to the BETA area.
So yes, while integrating tracking etc isn't a great idea, it might also help debug crashes/problems in the BETA firmware people are running.
Now, if this rolls out to the stable channel, then sure, pass me a pitchfork too. But until then, you've got to opt-in to test the BETA software, and you know what you're signing up for - BETA quality software.
I'm almost surprised Ubiquiti give regular folk access to the beta software, because the users treat it like production, roll it out into production, then complain.
Ironically blocking various widgets from spying on me was why I bought ubiquiti hardware. I was noticing regularly outbound network connections from my TV, turns out it was finger printing what I watched and reporting back to the mothership. It no longer gets network access of any kind.
I was tired of playing the OpenWRT/DDWRT flavor of the week (korg) on hardware that wasn't really well supported (netgear R7000). I hated the disposable nature of configuring the routers and having to largely throw away that configuration with each major upgrade. Even getting Comcast's /60 handled was painful (a bug in dhcpd6c or similar). I also wanted to handle WIFI APs well and not have a painful upgrade process.
I have a Ubiquiti NanoHD, EdgeRouter 6p, and a PoE EdgeSwitch 8xp. Nice GUI, you can fall back gracefully to command line, and backup your device state in a human readable config file you can keep in version control. Upgrades are typically press a button in the web UI and wait a few minutes.
They handle my moderately complex home network. Comcast gives in a /60, I split that into a /64 per 4 router ports. Lets me split the trusted stuff (desktops and laptops I manage) from the untrusted. I can even login over ssh to manage them with a key.
It's been very handy. If one of my PoE cameras freak out, I can bounce them remotely.
If various android apps have anti-social behaviors to avoid DNS based blocking I can track them on IPv4, IPv6, and block them when they try to skip my name servers. Took me a bit to block all IPv6/IPv4 DNS traffic to force anything on my network to actually use my nameservers. I'm not looking forward to DNS over TLS which despite the promises seems like will inevitably make things harder to filter.
Anyone know of a Ubiquiti competitor that's better about handling privacy and security and not trying to install spyware?
It's easy to block devices from calling home. The trust issue is harder. I think the real fix is to move to a different company until they change their minds.
Ubiquiti does seem like a generally good company, just seems like someone decided more feedback on failures was a good idea and added the remote debugging... without thought on opt-in. After all I get a few similar reports a day (x failed... report home?), but they are of course opt-in.
I think OP's point is if Ubiquiti decided to roll this up through their networking stack, they could theoretically silently still send the updates through to their collectors, no matter how many blocks you put in place (assuming you use Ubnt switches/routers/firewalls/APs).
This would be easy to discover if you mixed brands, but the point is how would you trust them anymore?
The entire product line is specifically designed to give you insight into what packets are going where, and the ability to control which ones you let through.
You can argue that this should have been opt-in but it’s absurd to say that anyone cannot trivially opt-out.
I don’t understand the point of speculating that they are going to break iptables to get crash reporting, other than spreading FUD.
Microsoft broke local search completely on latest Windows 10 updates if you've ever tried to block Cortana. They count this as a non-issue because from their point of view you're not supposed to block Cortana/web search.
I've hated this "just block it" mentality around Windows 10 from day one because it was obvious to me it would be a losing game for the user in the long term.
You can't fight the software developer forever on this and with each update they send. Eventually if they really want that tracking feature they're going to integrate it into some other core feature that will stop working if you try to disable the tracking.
That in and by itself is hair-raising! It's absolutely, obviously, crassly obvious that Ui only concern was getting the telemetry out and everything else (like failure modes) was an afterthought. It paints a picture the crowd here are probably very familiar with: Upper mgmt needs this feature a month ago, go implement it asap. No PM, no architect, no nothing, just C-level straight to a dev...
Software is complex and bugs happen everywhere, the firmware wasn't even released yet (it was an opt-in beta) when the bug occurred. I don't like this any more than the next guy but beta is BETA for a reason, to find bugs.
> I was tired of playing the OpenWRT/DDWRT flavor of the week (korg) on hardware that wasn't really well supported (netgear R7000).
I should think so. Broadcom doesn't want their hardware to be properly supported by open-source software, so you were never going to be entirely successful in your quest to find good third-party firmware for that particular router. In the long run, it's always worth returning any such hardware and spending a bit more time shopping around for a router or AP that uses Qualcomm, Mediatek or Marvell chipsets (Ubiquiti APs use Qualcomm). And if you don't like the flavor of the week mess for firmware distributions, stay away from DD-WRT and prefer OpenWRT, which actually does clearly-identified stable releases.
As a developer who has relied on crash reports countless times in the past for fixing bugs and improving products, I applaud Ubiquiti for taking a principled stance and choosing what is best for most of their users.
I wish more companies would stand their ground and refusing caving to a vocal, but demonstrably toxic minority.
In what way is not providing a heads-up that this was being introduced and refusing to add an opt-out a “principled stand” for the benefit of their users?
The phoning home isn't the issue - it's the lack of communicating it and lack of offering an ability to turn it off that is the problem. A vocal minority may grab pitchforks if it's opt-out rather than opt-in but most would be fine with it.... Ubiquiti did it one worse and didn't even offer opt-out.
Instead you have your network device provider saying - well if you don't want our devices to call home use another device in front of us to block it.
So the core issue is trust and basic respect for your clearly technical and security minded customers.
It's not the user's responsibility to justify why thy don't want you eavesdropping on their property. Even if you manufactured the device, its not your property after you sold it.
It's your responsibility as the manufacturer to ask for permission if you want to observe someone's private property in any way.
> demonstrably toxic minority.
Standing up for property rights is toxic? Just because software made it easy to observe and/or control a device after the 1st sale doesn't give you the right to eavesdrop on other people's property (or vandalize it with an unwanted, forced update).
Whatever happened to serving customers being the top priority? That’s how you make money - by selling something that serves people’s needs and wants.
In this case, Ubiquiti’s actions are particularly irksome because they’re changing a product after its sale to do something that would have caused many customers to avoid purchasing it in the first place if it had shipped that way — and without giving customers an easy way to turn it off.
Curious to hear how this change could harm any customer. Judging by the vitriol and strong language in this thread, there must be some grievous harm telemetry causes that I am not aware of.
What is a “crash report”? Is it just a log saying that the machine crashed? Is it a core dump? Is there PII in the logs? Does it expose information that is protected by law? It’s not the fact that there’s telemetry, it’s that it wasn’t communicated well so people can mitigate risks. This shows that there isn’t a culture of paying attention to this sort of thing over business intelligence.
It’s not the fact that there’s telemetry, it’s that it wasn’t communicated well so people can mitigate risks.
I respectfully disagree. It is also the fact that there's telemetry. It is not OK for me to punch you in the face just because I tell you I'm going to do it first. You shouldn't have to mitigate that risk. The risk wouldn't exist if I weren't punching you in the face.
Lack of transparency - lack of communication - lack of at the very least an opt-out.
Lack of Transparency: No specific details on what or when they transmit.
Lack of Communication: Didn't tell customers they were putting this in place.
Forcing customers to employ additional network security on a network device if they don't trust what you're doing ... which is hard to do given the lack of transparency and communication.
>there must be some grievous harm telemetry causes that I am not aware of.
What you're not aware of is the same thing the rest of us aren't aware of ... and that is what is actually sent and what triggers that etc.
The proper way to do this IMHO would be to first not sneak this in quietly. Then have those logs collected on the controller, where they can be reviewed and manually submitted.
I can understand them wanting logs of crashes, it's a reasonable way to try and improve their service. Since you can use their APs with other controllers that would limit their collected data. Having the data being manually sent would also limit their collected data.
I'm ok with them actually collecting data, as long as they're:
* Open about what actuall data is being collected.
* Open about them actually collecting data and not sneaking it in.
* Providing a way to opt-out.
* Adding the proper GDPR documentation around this so as clearly not to break the law. As it is it's a grey zone, why not be clear about it.
Its a shame to see another seemingly benevolent and forward thinking company start betraying the customer base they have built up. This company seems to have started a large strategic shift in the past couple years and it's probably just a matter of time until all the hardware I've bought from them has to be thrown out.
MikroTik - learn it any you will not regret it. Buy hAP AC2 devices - powerful yet cheap, lifelong free OS upgrades, they offer much more than UBNT devices.
I've been on a receiving end of troubleshooting MikroTik-centric bugs and they really make you to go Hmmm. Not because they are bad, but because they are of a kind that you'd see in the code hacked together over a weekend while chugging down some beers. An amateur job basically with a glaring lack on quality control.
Stop this madness. This is networking equipment aimed at a highly technically proficient base of users. Much like gitlab, this hardware is often going to be used by people in more security and privacy conscious environments. This kind of phoning home is absolutely fine if the user is informed and the data that is being sent is clearly explained, and there’s an easy opt out.
I bought unifi equipment because I was fed up of typical consumer equipment (and meraki) requiring subscriptions and phoning home all the time. WRT the GDPR stuff, I’m pretty sure a network admin can’t consent on behalf of all the users of the network...
This is the same Ubiquiti that's does not abide by the GPL for the modified linux kernel they use[1][2][3]. Which is really too bad as I had been ready to recommend their gear to a couple of businesses.
Just want to point out that the fact that there are CVEs does not mean they are insecure.
All kit has security issues but the important thing is how open the manufacturer is about the issues and how quickly they fix them, and Mikrotik have always been very good in this area, regularly releasing updates
Also, as all their devices run the same software, even devices that are years old will still be updated
I often see people saying “Mikrotik is insecure” but this seems to be based solely on the fact that there are published security issues which they have patched. In my opinion that is the opposite of insecure
Agree on the user friendliness though - I use them at home for personal stuff, but for work it is Unifi
the one linked is especially bad, i allows anybody to read the admin password.
the problem is also that a lot of them are running old versions because the update process is not as straightforward as ubiquitu for example.
i also run mikrotik at home and have deployed mikrotik and ubiquiti at out different offices. for the price you can hardly beat mikrotik and once you "get into it" it's fairly simple.
Yes, that’s bad but note that even unpatched it is only an issue if the GUI management port has been left open - which seems to be the case with all the security issues people highlight with Mikrotik
I wouldn’t disagree that management ports should probably be locked down out of the box but I would expect anyone reading this to apply some basic lockdown when setting up any device
I just want to offer a counterpoint to an assertion that I often see here claiming they are insecure which I don’t think is justified
Certainly if you are not into networking and want something that just works then Unifi is great, but if you want something with bucketloads more functionality and don’t mind getting your hands dirty then don’t be put off Mikrotik due to security concerns
Yes, and IMO its less likely to "ruin" the device (i.e. reset all settings on a roof-mounted CPE that you are upgrading remotely) than Unifi updates for LiteBeam... Though I have only used MikroTik SXT and SXTsq and Ubiquiti LiteBeam M5 so I am not the best to judge.
This one was for management port and was fixed before the CVE came out. There are two points: opening management interface to the internet is... Lets say... Weird. The second one, they are extremely responsive to security issues.
Disabling (access to) WinBox should be the first thing to do on a Mikrotik. Most of their serious security issues are in WinBox.
The Web UI seems to be a perfect equivalent if you want a GUI to manage your one box at home, and SSH should do the trick for automation. Is there any reason to use their proprietary (Windows-only) software to configure the router?
I have used Mikrotik at work and have been alarmed at how often professional network engineers make mistakes with them. I found some serious errors through testing (and some exploitation), and when putting them right I could see why the engineers had made that mistake. I caution against them. They don't just have a clunky gui they have a model of the network that people seem to find hard to understand. Shame on Unifi over GPL, but their kit is very good
I'm sorry, but asking someone to switch from Ubiquiti to a Mikrotik is like asking someone to go from macOS to 1990's Linux.
The user interface is beyond atrocious and even basic features you'd need in smaller/home setup need digging through Wikis to get the arcane settings you need to click. Basic things like NAT loopback or basic VPN setup. OpenVPN is still neutered and broken.
What's even worse - the defaults are all wrong. There's no simple "enable firewall" switch for basic use-cases like other equipment has. Instead you need to manually configure firewall rules in chains like working with raw IP tables and if you do a small misstep, you'll drill a hole in your network easily. Or make your internet horribly slow because you need to be careful about fasstrack rules and lack of NAT acceleration.
It's really about the most disappointing piece of hardware I bought in last few years and doesn't come close to niceness of Ubiquitis management. Sadly it's also the only company that makes a compact router with SFP and PoE+ to power Ubiquities.
RouterOS is basically designed for network engineers. From our perspective, NAT loopback is extremely complex and has many implications, which RouterOS doesn't hide from you. And we typically don't run a VPN concentrator on the same device as a router. I think it's just a matter of different practices in different industries.
ETA:
> What's even worse - the defaults are all wrong.
There is a new-ish thing in the web UI called "QuickSet" for these use cases.
Yes, I fully understand that it was built for company admins to have fun and cover their use-cases.
But unfortunately I constantly see those admins recommend them for prosumer, unmanaged small business and home use-cases. In those cases they're horrible to manage and lack features users expect.
1. WinBox only works on Windows.
2. Android version of WinBox is buggy and also only works on Android
3. It may be better if you have expertise in network administration and know RouterOS inside and out. Most people who buy Ubiquiti gear do not, but their needs aren't met by regular consumer routers which do not allow any kind of "prosumer" settings.
MikroTik may well be better for you (I used it for 5km PTP links, but that's because it's cheap, if I had the budget I would've gotten LiteBeam or AirGrid), but that doesn't imply it's a suitable replacement for everyone. And it is most certainly not a suitable replacement of airOS for most people who use airOS.
I agree. Mikrotik has great devices but they are great if you can cope with them. Imagine as getting Cisco Catalyst and then complaining it is not as good as Ubiquiti due to the sheer number of options. It just doesnt work that way, there is equipment for the masses which is "good enough" and the other side where you can tacle everything in transmission but you need to know what you are doing.
Anyway, I wouldnt recomend ubiquiti as replacement for microtik. It is just too complex for most home users and even technical users (on the other side I wouldnt use ubiquity even if it is a giveaway).
Honest question. What is the market for Mikrotik? I’ve only seen them in use at home by enthusiasts and a few SMBs trying to maximize bang for buck. There offerings just don’t seem very enterprisy.
Having had the displeasure of managing a network for a company that installed about 40 mikrotik switches behind a mikrotik firewall, I can safely say they belong in a small business with max 1 or 2 at a time.
Managing more than that is crazy with the current software. Not to mention these are some of the cheapest and lowest build quality switches you will find with these insanely powerful features.
Unifi switches are a materially better build quality.
If you want great carrier grade look at Arista. You can even score a 10Gbit 48 port Arista switch off eBay used for about $700 last I checked.
While I'm a big Mikrotik advocate, I completely agree with you: Mikrotik is not even in the same league as Ubiquity when it comes to UX. Mikrotik is for professionals who desire control and know what they're doing, Ubiquity is for a non-technical prosumer audience.
Uniqiti has several product ranges; the EdgeMax line is the advanced one; Unifi is the simple one.
Yes, you can set up simple things with Unifi in a simple way, but the more advanced ones are a tragedy, that you must also google around, dig wikies and forums for arcane incantations of the right json keys, so you can deploy your config in json, there are even no arcane settings to click.
I don't think the EdgeMax is the 'advanced' line by any stretch. They both run a fork of Vayatta and share a CLI. The Unifi stuff has more features accessible via the GUI and receives far more attention from Ubiquity.
However, the biggest and most major difference between the two lines of products is the requirement of the Controller to run the Unifi line of devices. For that simple fact I would pin the Unifi line as more 'advanced'.
The controller and the sdn concept is exactly the difference.
They might share CLI, but that does not mean that your changes persist on USG. You can rely only on whatever you configured in GUI and half-rely on gateway.config.json; for example, they both have dnsmasq and I'm still figuring out how to configure it, so the changes persist. It would be otherwise trivial on edgemax or other pure dnsmasq-using system, like openwrt.
It’s probably the wrong product for you. I like my Mikrotik devices as it doesn’t hide anything and is crazy configurable for the price.
I run my VPN server on a different device, I can understand why you might want to run it in your router, but again this isn’t plug and play trivial networking gear and most administrators will be doing the same as me.
> I run my VPN server on a different device, I can understand why you might want to run it in your router, but again this isn’t plug and play trivial networking gear and most administrators will be doing the same as me.
Which administrators? In what environments? Remember, the thread started with someone telling us that Mikrotik is a good replacement for Ubiquiti use-cases. Whose EdgeRouters and USGs have easily configurable VPNs with good defaults.
I'd also love to hear about any alternative products which support SFP for WAN and 802.3at PoE with ease of setup and use as Ubiquiti. Or even a SOHO ASUS router.
If all you're looking to do is avoid Ubiquiti breaking GPL not necessarily binary blobs/100% open I'd recommend just using the Intel AX200. It's 20 bucks, will have longer support, supports AX, and supports more features/extensions on older versions of Wi-Fi than e.g. their AC chip does to boot.
Maybe pfSense/openwrt based on APU2[0] platform? I don't personally anybody who has used it. If on HN there is someone who would like to share his opinion about it, I'd be grateful.
Edit: Also, Turris MOX or Turris Omnia [1] might be an alternative.
I’m running an APU2C4 for my router, no wireless. It has pfSense running with OpenVPN and a DNS sinkhole for ads. My wireless is through an UAP AC Pro.
The APU works fine but after upgrading to a gigabit connection I’m a bit disappointed. It won’t saturate the connection on a single thread. (Yes over Ethernet) Maybe 400 Mbps max. Apparently it has something to do with pfSense not multithreading connections and the single cores of the CPU not being fast enough on their own. I can run 1 Gbps over multiple connections though so I suppose it mostly fulfills it’s purpose. I also want a WireGuard server but I might end up just deploying that in a VM. pfSense doesn’t currently have that option.
When I learned of these limitations I gave some consideration to the the Ubiquiti USG but found it isn’t exactly super beefy either and requires turning features off to get 1 Gbps. I’m debating building something similar to the ArsTechnica guide [0].
Overall, I’ve been satisfied with my setup and in particular the UAPs. I’ve deployed multiple UAPs and Edgerouter X’s at friends and family’s houses and have had essentially 0 support requests. The stuff just works and performs. I just had a party last night and even with 20+ clients, streaming music and YouTube TV for football, I had zero complaints or hiccups. All on a single UAP. I haven’t used any recent consumer gear but I know e consumer gear I used to buy would have definitely been choking on that kind of load.
I’m pretty disappointed to see this turn in events with UBNT. I’ve kinda seen it coming for awhile now since they’ve been moving towards these cloud services but I was really hoping they would resist the lures of Surveillance Capitalism.
I also experienced the gigabit performance issue (Debian 9 and 10, APU4C4); estimate a bandwidth cap of about 400 Mbps, too. I don't actually have a need to exceed that speed on my home network, so I'm still happy. But also curious if anyone has built a beefier, more capable open source hardware router that also isn't a power hog.
There are also TLSense routers[0], which include configurations with Intels i5 [1] or i7. They also claim 7-15W power usage, AES-NI support, microphone/headphones jacks, HDMI, RS-232 and room enough for 16GB of RAM, which is quite unusual in routers.
Based on information I've found in article [0] pfSense had problems with reaching 1 Gbps but it seems disabling hardware offloading significantly increases throughput [1] (940 Mbps).
I've been using the APU2 platform for a home network router and can strongly recommend it. I especially like the open source firmware (coreboot) with frequent, signed releases. Wireless performance on OpenBSD was lackluster, so I'm back to running Debian for 802.11. Performance is strong even at full WAN bandwidth capacity of 400 Mbps.
Doesn't violating the GPL (for v2) or ignoring a notice that they violate the GPL for 30 days (for v3) result in permanent loss of the rights to use the software?
Wouldn't at this point a copyright holder (e.g. anyone who contributed to the kernel) + a donation campaign for legal costs be able to force them to either fix it within 30 days, or (once the legal process is over) to indefinitely maintain a patched version of the kernel removing that copyright holder's code?
One can draw from this that the GPL is quite toothless. If even the biggest most important GPL'd software in history can't or won't defend itself, then why should anyone care about the GPL?
Or one can draw that looking at a single violation on a single piece of software is a poor way to come to a conclusion for every violation on every piece of software.
D-Link comes to mind as a similar situation where GPL prevailed. Perhaps in this case nobody cares enough, either way doesn't mean GPL is useless and nobody should care about it.
As with all licenses if the people that hold them do not enforce them than all licenses are Toothless
the Linux Foundation has been notoriously anti-litigation, their corporate masters do not want any litigation at all, and more or less treat Linux as if it was BSD licensed instead of GPL
I was considering going all in on Ubiquiti gear for my next move, but this along with their GPL violations changed my mind. Thanks for pointing this out.
I was aware of Ubiquity’s past GPL violations and it was the only reason I avoided them. According to Wikipedia they settled a GPL violation in 2017 but I wasn’t aware of the recent issue. Looks like their Wikipedia page could use an update.
If there is any chance in management making the right decision here then it’ll be because good people at the company have ammo to go back to management with.
FYI - I was about to buy Qty 22 unifi access points next week and Qty 44 unifi 48 port switches. Nope on that with this change.
He’s lead on the security team, not blanket UI.com from what I know. Also met him when he was working on the PFSense stuff and spent a few days with him and his team in Austin TX in 2014.
I agree, great person and I still have faith in him; but he’s just 1 person on a billion dollar enterprise team. He’s also very silo’d it seems, to what he’s doing on the firewall (and UDM?) side.
We’re also heavy deployers of UI stuff (100+ AP’s /month and 1000’s of ports installed).
This change concerns me, but doesn’t surprise me. All the new product line is geared for centralized propriety. The company as a whole is turning for the worst I think. The new forums and treatment of their community is indicative enough of this theory....
I'd love to get a bunch of the UI engineers out into the rural areas where their gear is used, to remote work from there for a while, so they can see how badly it caters to the needs of those who need it most, and that they can go back with some easy to implement and much needed improvements.
If I had a twitter account I'd ask him about the GPL violations by using a modified Linux kernel for their gear and not releasing the according source code.
Don't throw the baby out with he bathwater. Hardware is hardware and their wireless APs are good, their switches suck, 2 minutes of downtime with any settings change?! Their controller software is a marketing gimmick trying to silo you in. Still, its an easier battle if you're armed with the right tools, and their APs are a dream compared to most others.
Did somebody sniffed what kind of request they use to send the data to the mothership?
I have one of their devices here, I will be pretty glad to use some spare network capacity to send them a few thousand fake crash report per hour. That's what they want, right?
Wow, can't really trust anyone nowadays. I feel like its a losing battle that privacy conscious people are fighting. It feels like every single company is edging towards this dystopian future.
281 comments
[ 1.5 ms ] story [ 224 ms ] threadhttps://community.ui.com/releases/UAP-USW-Firmware-4-0-66-10...
It's like they just copy and paste the 50-character commit messages or something.
The hostname that Ubiquiti is using -- trace.svc.ui.com -- seems like exactly the thing that should be blocked, IMO.
---
FWIW, if you're using PiHole and want to block these access points from "phoning home", you can simply do the following:
This will cause dnsmasq, the underlying resolver, to return NXDOMAIN for any such queries.---
EDIT:
Apparently the "pihole" utility has functionality built-in to blacklist domains (via /etc/pihole/blacklist.txt). Instead of the above, you can simply use:
This will result in the IP address "0.0.0.0" being returned (with a TTL of two seconds) for any manually blacklisted hostnames (the same way that PiHole normally responds to queries for blocked domains) although, personally, I still prefer NXDOMAIN.set service dns forwarding options server=/trace.svc.ui.com/
Or if you have dns forwarding using the system resolver you could also just add it to the hosts file via something similar to this.
set system static-host-mapping host-name trace.svc.ui.com inet 0.0.0.0
I'd rather it return NXDOMAIN, though. That's what I had to do to block DNS-over-HTTPS for Firefox.
I still do. But I haven't updated the app in a while since they changed the EULA.
> We have started to gather crashes and other critical events strictly for the purpose of improving our products. Any data collected is completely anonymized, GDPR compliant, transmitted using end-to-end encryption and encrypted at rest. There is no on/off switch but there also are no penalties for blocking Internet access to the device, dropping traffic to this host, and/or blocking it via DNS.
> ...
> The memory leak that you reference above was a bug specific to release 4.0.60 which was fixed as of 4.0.61.
[0]: https://community.ui.com/questions/UI-official-urgent-please...
If someone complains they're going to have a bad time.
-----------------------
From their privacy policy: https://www.ui.com/legal/privacypolicy/#c1
The Usage Data that we collect may include information such as your device data, including your mobile devices, sensor data, device signals, device parameters, device identifiers that may uniquely identify your devices, including your mobile device, web request, Internet Protocol address, browser type, browser language, referring/exit pages and URLs, platform type, the date and time of your request, and one or more cookies that may uniquely identify your devices or browser. IN ADDITION, WE MAY AUTOMATICALLY COLLECT LOCATION INFORMATION (INCLUDING LATITUDE AND LONGITUDE), PERFORMANCE DATA, MOTION DATA, TEMPERATURE DATA, POWER USAGE DATA, AND ANY DATA OR SIGNALS COLLECTED BY THE DEVICES AS PART OF THE USAGE DATA. WE DO NOT COLLECT THE CONTENTS OF ANY COMMUNICATIONS THAT PASS THROUGH OUR DEVICES OR SERVICES.
-----------------------
By this desription, it certainly isn't GDPR compliant. device identifiers/data etc.. is PII in GDPR context and requires a legal basis for processing.
Sigh. More junk that requires micro-management.
If this is their final position we will no longer be purchasing UI hardware moving forward.
I guess hiring real testers isn't cool anymore.
> There is no on/off switch but there also are no penalties for blocking Internet access to the device, dropping traffic to this host, and/or blocking it via DNS.
---
> I guess hiring real testers isn't cool anymore.
Have you used any Ubiquiti products? I'm not sure that they ever hired "real testers".
That's a nice network you have there. It'd be a shame if someone broke it because they couldn't phone home.
I would not be surprised AT ALL to find that they aren't doing certificate validation, however... in which case it'd be trivial to MITM the connection and find out just what they're sending.
-------------------
Usage Data. As described in this section, we may automatically collect information when you use the Services ("Usage Data"). The Usage Data that we collect may include information such as your device data, including your mobile devices, sensor data, device signals, device parameters, device identifiers that may uniquely identify your devices, including your mobile device, web request, Internet Protocol address, browser type, browser language, referring/exit pages and URLs, platform type, the date and time of your request, and one or more cookies that may uniquely identify your devices or browser. IN ADDITION, WE MAY AUTOMATICALLY COLLECT LOCATION INFORMATION (INCLUDING LATITUDE AND LONGITUDE), PERFORMANCE DATA, MOTION DATA, TEMPERATURE DATA, POWER USAGE DATA, AND ANY DATA OR SIGNALS COLLECTED BY THE DEVICES AS PART OF THE USAGE DATA. WE DO NOT COLLECT THE CONTENTS OF ANY COMMUNICATIONS THAT PASS THROUGH OUR DEVICES OR SERVICES.
-------------------
[1] - https://community.ui.com/questions/UI-official-urgent-please...
[2] - https://www.ui.com/legal/privacypolicy/#c1
If this doesn't go opt in, I will not be buying more and I will stop recommending it to others.
Please don't do this. Firewalling access points, good practice or not, should not be necessary. You're not a dodgy IP cam manufacturer.
People buy your equipment precisely because they want to trust their network hardware.
High quality products were made for many years with no analytics, just by thoughtful design, using the product yourself, and gathering some feedback from users manually. Even without statistically representative data from some large target population, you can use your brain to figure out what goes wrong and how to make a good product.
And I think lots of products today are quite annoying because of bad decisions based on flawed analytics data. It's hard work to run a good experiment and avoid confounding correlations and plain bugs that throw off the results, and practically nobody today does the hard work. They just run the analytics, get some flawed buggy numbers, interpret them without sufficient care and thoughtfulness, and push through bad design changes. We're data-driven! We're just not looking at the road.
The freedom and transparency we got from PCs where you can always know what is going on, with some caveats, is missing from all other platforms. And it's really worrying.
But I agree, it's a serious problem. The abuse has become so widespread that I am now in favour of heavyweight statutory regulation and severe penalties for violations. I don't see any other way we come back from this situation now. Competition in the market has utterly failed.
On phones, things have gotten much worse. Although you can flash a relatively open ROM in case of Android, good luck controlling what the baseband does behind the scenes.
And if we talk about cars and other devices like smart watches, there's often zero openness.
I actually have a lot of sympathy with that one, because radio transmission is one of those areas where one idiot who thinks he's clever and should have total control of his device can literally disrupt entire networks for everyone else over a wide area, with the obvious serious consequences. Modern wireless communications systems rely much more than most people realise on conventions and standards and everything playing nice, so regulating such that only licensed practitioners are authorised to make parts that transmit within prescribed specifications is not an absurd idea.
Of course, that doesn't mean a closed part of the system like radio control should have any access to any other part of the system. It ought to be essentially a firewalled client of the more open parts of the system. And if it's going to be regulated and controlled then the people licensed to develop those components should be required to have them only perform the defined function according to standardised specs, without anything else piggybacking on top.
Right now we don't know whether for example it's even powered when your phone is on airplane mode and collecting data.
I'll just leave this here.
I agree with this, and it seems to create a self-fulfilling prophecy.
I believe this to be responsible for the decline in Apple’s various device OSs.
So they're driving down the time it takes to do what they magically infer I'm trying to do. Is this why whenever I try to organize my gmail box I give up 10 minutes in because the UI is slow and bullshit? Because it's good for metrics that I can't make my gmail account anywhere near as useful as my work email?
I'd use anything else for the slowness alone if I could decide the tools at work myself.
The best part is that 10 years ago I used to have an absolute piece of dog shit WinCE phone that failed to even keep up with my typing speed in its stock SMS app. Google Maps worked perfectly on that device.
Most certainly you could misuse the statistics for blind number worshipping, and I’m sure there are many anecdotes of that kind of behaviour. But I’m also quite certain that successful organizations can use these to improve their products in meaningful ways. I suspect any gmail product manager who tried to slow down their product (or resisted fixes) to improve meaningless time spent metrics would be crucified.
And it is even worse in firefox than in chrome.
It takes 30s to 1 min to load(!). It has cached last view, which loads fast.. then it goes unresponsive for bloody 30s to 1 min anyways.
3 different machines were used to test this - i5 6th gen laptop, i7 7th gen pc, i7 3rd gen pc - all of them with plenty of ram(at least 16gb).
I bet they'd say they would have.
Source: I am basically the person you are talking about, in one of my current roles.
On a browser, it's drive-by, and your ability to track users is gone once they leave your site, especially with vendors like Mozilla and Apple implementing third-party cookie blockers by default and the ubiquity of adblock.
On a phone, if you install something, you'll probably leave it for at least a few days, and if you watch logcat, you'll notice that many of these apps are anything but patiently waiting for the user to decide open it up again.
There is a way to hijack the back button, i have no idea if it has been fixed, there are also tracking cookies so they can track you cross sites anyway.
https://openwrt.org/toh/ubiquiti/start
Just ~ two weeks a go I finally retired my old OpenBSD based gateway in favor of USG. But no, I guess I'm back to putting OpenBSD on USG, and maybe OpenWRT on APs.
Is there a working replacement OS for Ubiquiti PoE switches?
[0] https://www.openbsd.org/octeon.html [1] https://codeghar.com/blog/openbsd-on-ubiquiti-usg.html
It’s not like it doesn’t already have a firewall built into it.
When I buy [network] equipment, it is my expectation that since I own the HW, I am to a certain degree in control of what they do and to whom they 'talk to'. And call-home / telemetrics without at least opt-out just doesn't sit well with me here.
* Possibly by some other combination of dropping Established/Related traffic. I think that'll get gnarly for the instances where WAN_LOCAL traffic is needed -- VPN, connectivity checks for load balancing, etc.
eth0_out affects traffic leaving the ER on eth0
eth0_local affects traffic that enters the ER on eth0 and is targetted directly at the ER itself (e.g. the webgui)”
In this case you would put the rule on eth0_out, not eth0_local.
Just now I verified with the following partial ruleset on a EdgeRouter I have in production:
Devices behind that ER can no longer communicate with 1.1.1.1, but the ER itself can.The only way to filter traffic from the router would be to drop the standard "Allow Established / Related" rule from WAN_LOCAL, retain the default drop action, and make specific rules allow whatever the router should be permitted to communicate with. And that would still allow packets to escape the router -- for TCP the communications channel is effectively dead since the handshake can never complete, but it could blast out all the UDP it wants.
Do note that some ubnt devices have custom firmwares blocked on newer software versions. For example Unifi AP and LR:
https://openwrt.org/toh/ubiquiti/unifi
* Maybe there’s an export restriction on a component and they lack the license to export to that country.
* Maybe they have not submitted their product for regulatory testing in that region.
* Maybe the product doesn’t operate within legally available spectrum in that country.
* Maybe the product presents an IP rights concern in the laws of that country.
* Maybe they simply haven’t paid a lawyer licensed to practice law in that region to confirm they wouldn’t have any legal concerns.
It is now, it seems.
Having seen what kinds of data crash reports in other domains include (the richer the call chain trace, the better) I expect this to be a subtle security problem. In regulated or otherwise highish-security networks one can expect to see user authentication when accessing wifi (EAP).
Simple scenario: AP crashes during client auth stage. A full crash trace may easily contain the credentials used for EAP, and if those are sent to mothership, your access point has just leaked out the necessary information to successfully access your secure network. Worse, when EAP is used, the login is likely bound to domain credentials, which are practically guaranteed to allow access to all sorts of internal services.
To state the obvious: best practice with crash traces is to filter out or mask high-value KV pairs. But then again, best practices also disallow leaking credentials in the first place.
For my part, I will now consider Unifi APs as rogue devices.
On the other hand, I never understood how to configure dnsmasq on usg in a permanent way (not only blocking hosts, but also static SRV and TXT records). It it supposed to be done via gateway.config.js, but finding the right json keywords is the issue. Is there someone who can drop some hints?
It may make a nice attack to ubiquity-based infrastructure, their customer support ignores me and nearly advices me to sell the hardware and buy something else.
The lesson I’m learning is, maybe it’s worth it to pay more to get less sometimes.
If anything, it’ll waste their time a little bit and if enough people do this they’ll reconsider this decision.
I think my best bet would be to install OpenWRT on the AP and sell + replace the USG. Not sure with what. It'd be kind of cool if I could have a router running NixOS so I could keep the configuration declarative, but pfSense is the obvious preferred choice in the community, so maybe I will just get a device designed to run pfSense.
I dunno if messing with tech support will really "send a message," so I will just send feedback through the regular channels. Chances are, it will get ignored. Chances are pretty much anyone that isn't a huge customer doesn't matter.
This is in a BETA version of the firmware. BETA. You have to sign up to get access to the BETA area. So yes, while integrating tracking etc isn't a great idea, it might also help debug crashes/problems in the BETA firmware people are running.
Now, if this rolls out to the stable channel, then sure, pass me a pitchfork too. But until then, you've got to opt-in to test the BETA software, and you know what you're signing up for - BETA quality software.
I'm almost surprised Ubiquiti give regular folk access to the beta software, because the users treat it like production, roll it out into production, then complain.
https://community.ui.com/releases/UAP-USW-Firmware-4-0-66-10...
Ironically blocking various widgets from spying on me was why I bought ubiquiti hardware. I was noticing regularly outbound network connections from my TV, turns out it was finger printing what I watched and reporting back to the mothership. It no longer gets network access of any kind.
I was tired of playing the OpenWRT/DDWRT flavor of the week (korg) on hardware that wasn't really well supported (netgear R7000). I hated the disposable nature of configuring the routers and having to largely throw away that configuration with each major upgrade. Even getting Comcast's /60 handled was painful (a bug in dhcpd6c or similar). I also wanted to handle WIFI APs well and not have a painful upgrade process.
I have a Ubiquiti NanoHD, EdgeRouter 6p, and a PoE EdgeSwitch 8xp. Nice GUI, you can fall back gracefully to command line, and backup your device state in a human readable config file you can keep in version control. Upgrades are typically press a button in the web UI and wait a few minutes.
They handle my moderately complex home network. Comcast gives in a /60, I split that into a /64 per 4 router ports. Lets me split the trusted stuff (desktops and laptops I manage) from the untrusted. I can even login over ssh to manage them with a key.
It's been very handy. If one of my PoE cameras freak out, I can bounce them remotely.
If various android apps have anti-social behaviors to avoid DNS based blocking I can track them on IPv4, IPv6, and block them when they try to skip my name servers. Took me a bit to block all IPv6/IPv4 DNS traffic to force anything on my network to actually use my nameservers. I'm not looking forward to DNS over TLS which despite the promises seems like will inevitably make things harder to filter.
Anyone know of a Ubiquiti competitor that's better about handling privacy and security and not trying to install spyware?
What to do when they add this to their other products, such as routers?
Ubiquiti does seem like a generally good company, just seems like someone decided more feedback on failures was a good idea and added the remote debugging... without thought on opt-in. After all I get a few similar reports a day (x failed... report home?), but they are of course opt-in.
This would be easy to discover if you mixed brands, but the point is how would you trust them anymore?
You can argue that this should have been opt-in but it’s absurd to say that anyone cannot trivially opt-out.
I don’t understand the point of speculating that they are going to break iptables to get crash reporting, other than spreading FUD.
I've hated this "just block it" mentality around Windows 10 from day one because it was obvious to me it would be a losing game for the user in the long term.
You can't fight the software developer forever on this and with each update they send. Eventually if they really want that tracking feature they're going to integrate it into some other core feature that will stop working if you try to disable the tracking.
I should think so. Broadcom doesn't want their hardware to be properly supported by open-source software, so you were never going to be entirely successful in your quest to find good third-party firmware for that particular router. In the long run, it's always worth returning any such hardware and spending a bit more time shopping around for a router or AP that uses Qualcomm, Mediatek or Marvell chipsets (Ubiquiti APs use Qualcomm). And if you don't like the flavor of the week mess for firmware distributions, stay away from DD-WRT and prefer OpenWRT, which actually does clearly-identified stable releases.
I wish more companies would stand their ground and refusing caving to a vocal, but demonstrably toxic minority.
That's more than plausible, it already happened.
They fixed that, but now, what's in the telemetry they're sending? Any bugs causing it to send PII in any circumstance?
The phoning home isn't the issue - it's the lack of communicating it and lack of offering an ability to turn it off that is the problem. A vocal minority may grab pitchforks if it's opt-out rather than opt-in but most would be fine with it.... Ubiquiti did it one worse and didn't even offer opt-out.
Instead you have your network device provider saying - well if you don't want our devices to call home use another device in front of us to block it.
So the core issue is trust and basic respect for your clearly technical and security minded customers.
It's your responsibility as the manufacturer to ask for permission if you want to observe someone's private property in any way.
> demonstrably toxic minority.
Standing up for property rights is toxic? Just because software made it easy to observe and/or control a device after the 1st sale doesn't give you the right to eavesdrop on other people's property (or vandalize it with an unwanted, forced update).
In this case, Ubiquiti’s actions are particularly irksome because they’re changing a product after its sale to do something that would have caused many customers to avoid purchasing it in the first place if it had shipped that way — and without giving customers an easy way to turn it off.
I respectfully disagree. It is also the fact that there's telemetry. It is not OK for me to punch you in the face just because I tell you I'm going to do it first. You shouldn't have to mitigate that risk. The risk wouldn't exist if I weren't punching you in the face.
Lack of Transparency: No specific details on what or when they transmit.
Lack of Communication: Didn't tell customers they were putting this in place.
Forcing customers to employ additional network security on a network device if they don't trust what you're doing ... which is hard to do given the lack of transparency and communication.
>there must be some grievous harm telemetry causes that I am not aware of.
What you're not aware of is the same thing the rest of us aren't aware of ... and that is what is actually sent and what triggers that etc.
That is telemetry.
I'm ok with them actually collecting data, as long as they're:
* Open about what actuall data is being collected. * Open about them actually collecting data and not sneaking it in. * Providing a way to opt-out. * Adding the proper GDPR documentation around this so as clearly not to break the law. As it is it's a grey zone, why not be clear about it.
Has anyone recently set up a custom home router, switch, and/or WiFi AP? Any tutorials or examples you could recommend?
I wouldn't touch MikroTiks with a long pole.
Aruba AP's can be had quite cheaply, and they have an integrated controller aswell.
I bought unifi equipment because I was fed up of typical consumer equipment (and meraki) requiring subscriptions and phoning home all the time. WRT the GDPR stuff, I’m pretty sure a network admin can’t consent on behalf of all the users of the network...
[1] https://sfconservancy.org/blog/2019/oct/02/cambium-ubiquiti-...
[2] https://news.ycombinator.com/item?id=9331512
[3] http://web.archive.org/web/20170317174847/http://libertybsd....
https://nvd.nist.gov/vuln/detail/CVE-2018-14847
All kit has security issues but the important thing is how open the manufacturer is about the issues and how quickly they fix them, and Mikrotik have always been very good in this area, regularly releasing updates
Also, as all their devices run the same software, even devices that are years old will still be updated
I often see people saying “Mikrotik is insecure” but this seems to be based solely on the fact that there are published security issues which they have patched. In my opinion that is the opposite of insecure
Agree on the user friendliness though - I use them at home for personal stuff, but for work it is Unifi
I wouldn’t disagree that management ports should probably be locked down out of the box but I would expect anyone reading this to apply some basic lockdown when setting up any device
I just want to offer a counterpoint to an assertion that I often see here claiming they are insecure which I don’t think is justified
Certainly if you are not into networking and want something that just works then Unifi is great, but if you want something with bucketloads more functionality and don’t mind getting your hands dirty then don’t be put off Mikrotik due to security concerns
Only if you have exposed management port to the internet, which you should never do.
The Web UI seems to be a perfect equivalent if you want a GUI to manage your one box at home, and SSH should do the trick for automation. Is there any reason to use their proprietary (Windows-only) software to configure the router?
The user interface is beyond atrocious and even basic features you'd need in smaller/home setup need digging through Wikis to get the arcane settings you need to click. Basic things like NAT loopback or basic VPN setup. OpenVPN is still neutered and broken.
What's even worse - the defaults are all wrong. There's no simple "enable firewall" switch for basic use-cases like other equipment has. Instead you need to manually configure firewall rules in chains like working with raw IP tables and if you do a small misstep, you'll drill a hole in your network easily. Or make your internet horribly slow because you need to be careful about fasstrack rules and lack of NAT acceleration.
It's really about the most disappointing piece of hardware I bought in last few years and doesn't come close to niceness of Ubiquitis management. Sadly it's also the only company that makes a compact router with SFP and PoE+ to power Ubiquities.
ETA:
> What's even worse - the defaults are all wrong.
There is a new-ish thing in the web UI called "QuickSet" for these use cases.
But unfortunately I constantly see those admins recommend them for prosumer, unmanaged small business and home use-cases. In those cases they're horrible to manage and lack features users expect.
>horrible to manage and lack features users expect
Users expect WebUIs, and WebFig is horrible to manage.
MikroTik may well be better for you (I used it for 5km PTP links, but that's because it's cheap, if I had the budget I would've gotten LiteBeam or AirGrid), but that doesn't imply it's a suitable replacement for everyone. And it is most certainly not a suitable replacement of airOS for most people who use airOS.
Anyway, I wouldnt recomend ubiquiti as replacement for microtik. It is just too complex for most home users and even technical users (on the other side I wouldnt use ubiquity even if it is a giveaway).
Managing more than that is crazy with the current software. Not to mention these are some of the cheapest and lowest build quality switches you will find with these insanely powerful features.
Unifi switches are a materially better build quality.
If you want great carrier grade look at Arista. You can even score a 10Gbit 48 port Arista switch off eBay used for about $700 last I checked.
Yes, you can set up simple things with Unifi in a simple way, but the more advanced ones are a tragedy, that you must also google around, dig wikies and forums for arcane incantations of the right json keys, so you can deploy your config in json, there are even no arcane settings to click.
However, the biggest and most major difference between the two lines of products is the requirement of the Controller to run the Unifi line of devices. For that simple fact I would pin the Unifi line as more 'advanced'.
They might share CLI, but that does not mean that your changes persist on USG. You can rely only on whatever you configured in GUI and half-rely on gateway.config.json; for example, they both have dnsmasq and I'm still figuring out how to configure it, so the changes persist. It would be otherwise trivial on edgemax or other pure dnsmasq-using system, like openwrt.
I run my VPN server on a different device, I can understand why you might want to run it in your router, but again this isn’t plug and play trivial networking gear and most administrators will be doing the same as me.
There are many companies selling what you want.
Which administrators? In what environments? Remember, the thread started with someone telling us that Mikrotik is a good replacement for Ubiquiti use-cases. Whose EdgeRouters and USGs have easily configurable VPNs with good defaults.
I'd also love to hear about any alternative products which support SFP for WAN and 802.3at PoE with ease of setup and use as Ubiquiti. Or even a SOHO ASUS router.
No no... It's way worse than that.
Linux / OpenBSD with open source wifi drivers, if that is even a thing. Snatch some Atheros or Realtek chips before they disappear.
https://en.wikipedia.org/wiki/Comparison_of_open-source_wire...
Edit: Also, Turris MOX or Turris Omnia [1] might be an alternative.
[0]: https://pcengines.ch/apu2.htm
[1]: https://www.turris.cz/en/
The APU works fine but after upgrading to a gigabit connection I’m a bit disappointed. It won’t saturate the connection on a single thread. (Yes over Ethernet) Maybe 400 Mbps max. Apparently it has something to do with pfSense not multithreading connections and the single cores of the CPU not being fast enough on their own. I can run 1 Gbps over multiple connections though so I suppose it mostly fulfills it’s purpose. I also want a WireGuard server but I might end up just deploying that in a VM. pfSense doesn’t currently have that option.
When I learned of these limitations I gave some consideration to the the Ubiquiti USG but found it isn’t exactly super beefy either and requires turning features off to get 1 Gbps. I’m debating building something similar to the ArsTechnica guide [0].
Overall, I’ve been satisfied with my setup and in particular the UAPs. I’ve deployed multiple UAPs and Edgerouter X’s at friends and family’s houses and have had essentially 0 support requests. The stuff just works and performs. I just had a party last night and even with 20+ clients, streaming music and YouTube TV for football, I had zero complaints or hiccups. All on a single UAP. I haven’t used any recent consumer gear but I know e consumer gear I used to buy would have definitely been choking on that kind of load.
I’m pretty disappointed to see this turn in events with UBNT. I’ve kinda seen it coming for awhile now since they’ve been moving towards these cloud services but I was really hoping they would resist the lures of Surveillance Capitalism.
[0] https://arstechnica.com/gadgets/2016/04/the-ars-guide-to-bui...
[0]: https://teklager.se/en/products/routers/
[1]: https://teklager.se/en/products/routers/tlsense-i5-4lan
Edit: I noticed those thanks to link on PCEngines site, which is quite also amazing, knowing a fact TekLager and PCEngines are direct competitors.
[0]: https://teklager.se/en/knowledge-base/apu2c0-ipfire-throughp...
[1]: https://teklager.se/en/knowledge-base/apu2-1-gigabit-through...
Anyway, one of the GGP's (great grandparent's) links indicate the software freedom conservatory did open a lawsuit just last month. https://sfconservancy.org/blog/2019/oct/02/cambium-ubiquiti-...
that's a letter, not a lawsuit. not yet, anyway.
Wouldn't at this point a copyright holder (e.g. anyone who contributed to the kernel) + a donation campaign for legal costs be able to force them to either fix it within 30 days, or (once the legal process is over) to indefinitely maintain a patched version of the kernel removing that copyright holder's code?
D-Link comes to mind as a similar situation where GPL prevailed. Perhaps in this case nobody cares enough, either way doesn't mean GPL is useless and nobody should care about it.
the Linux Foundation has been notoriously anti-litigation, their corporate masters do not want any litigation at all, and more or less treat Linux as if it was BSD licensed instead of GPL
https://www.mtin.net/blog/ubnt-vs-cambium/
https://www.courtlistener.com/docket/7616021/ubiquiti-networ...
https://en.wikipedia.org/wiki/Ubiquiti_Networks
Don’t be afraid to tweet him your thoughts on this and a link to this thread: https://twitter.com/cbuechler
If there is any chance in management making the right decision here then it’ll be because good people at the company have ammo to go back to management with.
FYI - I was about to buy Qty 22 unifi access points next week and Qty 44 unifi 48 port switches. Nope on that with this change.
I agree, great person and I still have faith in him; but he’s just 1 person on a billion dollar enterprise team. He’s also very silo’d it seems, to what he’s doing on the firewall (and UDM?) side.
We’re also heavy deployers of UI stuff (100+ AP’s /month and 1000’s of ports installed).
This change concerns me, but doesn’t surprise me. All the new product line is geared for centralized propriety. The company as a whole is turning for the worst I think. The new forums and treatment of their community is indicative enough of this theory....
Well, now I’m curious who you are. :-)
Last tweet (from 2 years ago) is about supporting Tencent Christmas party.
I have hundreds of Unifi switches deployed. There is no downtime with normal setting changes(port/vlan assignment, link speed/duplex changes, etc...)
I have one of their devices here, I will be pretty glad to use some spare network capacity to send them a few thousand fake crash report per hour. That's what they want, right?
And while I understand your frustration and anger, DoSing someone is usually a bad idea.
I intend to return it and use a pf-sense ‘official’ hardware device.