This is the same Ubiquiti that's does not abide by the GPL for the modified linux kernel they use[1][2][3]. Which is really too bad as I had been ready to recommend their gear to a couple of businesses.
Doesn't violating the GPL (for v2) or ignoring a notice that they violate the GPL for 30 days (for v3) result in permanent loss of the rights to use the software?
Wouldn't at this point a copyright holder (e.g. anyone who contributed to the kernel) + a donation campaign for legal costs be able to force them to either fix it within 30 days, or (once the legal process is over) to indefinitely maintain a patched version of the kernel removing that copyright holder's code?
I was considering going all in on Ubiquiti gear for my next move, but this along with their GPL violations changed my mind. Thanks for pointing this out.
I was aware of Ubiquity’s past GPL violations and it was the only reason I avoided them. According to Wikipedia they settled a GPL violation in 2017 but I wasn’t aware of the recent issue. Looks like their Wikipedia page could use an update.
One can draw from this that the GPL is quite toothless. If even the biggest most important GPL'd software in history can't or won't defend itself, then why should anyone care about the GPL?
Or one can draw that looking at a single violation on a single piece of software is a poor way to come to a conclusion for every violation on every piece of software.
D-Link comes to mind as a similar situation where GPL prevailed. Perhaps in this case nobody cares enough, either way doesn't mean GPL is useless and nobody should care about it.
As with all licenses if the people that hold them do not enforce them than all licenses are Toothless
the Linux Foundation has been notoriously anti-litigation, their corporate masters do not want any litigation at all, and more or less treat Linux as if it was BSD licensed instead of GPL
Maybe pfSense/openwrt based on APU2[0] platform? I don't personally anybody who has used it. If on HN there is someone who would like to share his opinion about it, I'd be grateful.
Edit: Also, Turris MOX or Turris Omnia [1] might be an alternative.
I've been using the APU2 platform for a home network router and can strongly recommend it. I especially like the open source firmware (coreboot) with frequent, signed releases. Wireless performance on OpenBSD was lackluster, so I'm back to running Debian for 802.11. Performance is strong even at full WAN bandwidth capacity of 400 Mbps.
I’m running an APU2C4 for my router, no wireless. It has pfSense running with OpenVPN and a DNS sinkhole for ads. My wireless is through an UAP AC Pro.
The APU works fine but after upgrading to a gigabit connection I’m a bit disappointed. It won’t saturate the connection on a single thread. (Yes over Ethernet) Maybe 400 Mbps max. Apparently it has something to do with pfSense not multithreading connections and the single cores of the CPU not being fast enough on their own. I can run 1 Gbps over multiple connections though so I suppose it mostly fulfills it’s purpose. I also want a WireGuard server but I might end up just deploying that in a VM. pfSense doesn’t currently have that option.
When I learned of these limitations I gave some consideration to the the Ubiquiti USG but found it isn’t exactly super beefy either and requires turning features off to get 1 Gbps. I’m debating building something similar to the ArsTechnica guide [0].
Overall, I’ve been satisfied with my setup and in particular the UAPs. I’ve deployed multiple UAPs and Edgerouter X’s at friends and family’s houses and have had essentially 0 support requests. The stuff just works and performs. I just had a party last night and even with 20+ clients, streaming music and YouTube TV for football, I had zero complaints or hiccups. All on a single UAP. I haven’t used any recent consumer gear but I know e consumer gear I used to buy would have definitely been choking on that kind of load.
I’m pretty disappointed to see this turn in events with UBNT. I’ve kinda seen it coming for awhile now since they’ve been moving towards these cloud services but I was really hoping they would resist the lures of Surveillance Capitalism.
Based on information I've found in article [0] pfSense had problems with reaching 1 Gbps but it seems disabling hardware offloading significantly increases throughput [1] (940 Mbps).
I also experienced the gigabit performance issue (Debian 9 and 10, APU4C4); estimate a bandwidth cap of about 400 Mbps, too. I don't actually have a need to exceed that speed on my home network, so I'm still happy. But also curious if anyone has built a beefier, more capable open source hardware router that also isn't a power hog.
There are also TLSense routers[0], which include configurations with Intels i5 [1] or i7. They also claim 7-15W power usage, AES-NI support, microphone/headphones jacks, HDMI, RS-232 and room enough for 16GB of RAM, which is quite unusual in routers.
I'm sorry, but asking someone to switch from Ubiquiti to a Mikrotik is like asking someone to go from macOS to 1990's Linux.
The user interface is beyond atrocious and even basic features you'd need in smaller/home setup need digging through Wikis to get the arcane settings you need to click. Basic things like NAT loopback or basic VPN setup. OpenVPN is still neutered and broken.
What's even worse - the defaults are all wrong. There's no simple "enable firewall" switch for basic use-cases like other equipment has. Instead you need to manually configure firewall rules in chains like working with raw IP tables and if you do a small misstep, you'll drill a hole in your network easily. Or make your internet horribly slow because you need to be careful about fasstrack rules and lack of NAT acceleration.
It's really about the most disappointing piece of hardware I bought in last few years and doesn't come close to niceness of Ubiquitis management. Sadly it's also the only company that makes a compact router with SFP and PoE+ to power Ubiquities.
While I'm a big Mikrotik advocate, I completely agree with you: Mikrotik is not even in the same league as Ubiquity when it comes to UX. Mikrotik is for professionals who desire control and know what they're doing, Ubiquity is for a non-technical prosumer audience.
Uniqiti has several product ranges; the EdgeMax line is the advanced one; Unifi is the simple one.
Yes, you can set up simple things with Unifi in a simple way, but the more advanced ones are a tragedy, that you must also google around, dig wikies and forums for arcane incantations of the right json keys, so you can deploy your config in json, there are even no arcane settings to click.
I don't think the EdgeMax is the 'advanced' line by any stretch. They both run a fork of Vayatta and share a CLI. The Unifi stuff has more features accessible via the GUI and receives far more attention from Ubiquity.
However, the biggest and most major difference between the two lines of products is the requirement of the Controller to run the Unifi line of devices. For that simple fact I would pin the Unifi line as more 'advanced'.
The controller and the sdn concept is exactly the difference.
They might share CLI, but that does not mean that your changes persist on USG. You can rely only on whatever you configured in GUI and half-rely on gateway.config.json; for example, they both have dnsmasq and I'm still figuring out how to configure it, so the changes persist. It would be otherwise trivial on edgemax or other pure dnsmasq-using system, like openwrt.
RouterOS is basically designed for network engineers. From our perspective, NAT loopback is extremely complex and has many implications, which RouterOS doesn't hide from you. And we typically don't run a VPN concentrator on the same device as a router. I think it's just a matter of different practices in different industries.
ETA:
> What's even worse - the defaults are all wrong.
There is a new-ish thing in the web UI called "QuickSet" for these use cases.
I agree. Mikrotik has great devices but they are great if you can cope with them. Imagine as getting Cisco Catalyst and then complaining it is not as good as Ubiquiti due to the sheer number of options. It just doesnt work that way, there is equipment for the masses which is "good enough" and the other side where you can tacle everything in transmission but you need to know what you are doing.
Anyway, I wouldnt recomend ubiquiti as replacement for microtik. It is just too complex for most home users and even technical users (on the other side I wouldnt use ubiquity even if it is a giveaway).
Honest question. What is the market for Mikrotik? I’ve only seen them in use at home by enthusiasts and a few SMBs trying to maximize bang for buck. There offerings just don’t seem very enterprisy.
Having had the displeasure of managing a network for a company that installed about 40 mikrotik switches behind a mikrotik firewall, I can safely say they belong in a small business with max 1 or 2 at a time.
Managing more than that is crazy with the current software. Not to mention these are some of the cheapest and lowest build quality switches you will find with these insanely powerful features.
Unifi switches are a materially better build quality.
If you want great carrier grade look at Arista. You can even score a 10Gbit 48 port Arista switch off eBay used for about $700 last I checked.
Yes, I fully understand that it was built for company admins to have fun and cover their use-cases.
But unfortunately I constantly see those admins recommend them for prosumer, unmanaged small business and home use-cases. In those cases they're horrible to manage and lack features users expect.
1. WinBox only works on Windows.
2. Android version of WinBox is buggy and also only works on Android
3. It may be better if you have expertise in network administration and know RouterOS inside and out. Most people who buy Ubiquiti gear do not, but their needs aren't met by regular consumer routers which do not allow any kind of "prosumer" settings.
MikroTik may well be better for you (I used it for 5km PTP links, but that's because it's cheap, if I had the budget I would've gotten LiteBeam or AirGrid), but that doesn't imply it's a suitable replacement for everyone. And it is most certainly not a suitable replacement of airOS for most people who use airOS.
It’s probably the wrong product for you. I like my Mikrotik devices as it doesn’t hide anything and is crazy configurable for the price.
I run my VPN server on a different device, I can understand why you might want to run it in your router, but again this isn’t plug and play trivial networking gear and most administrators will be doing the same as me.
> I run my VPN server on a different device, I can understand why you might want to run it in your router, but again this isn’t plug and play trivial networking gear and most administrators will be doing the same as me.
Which administrators? In what environments? Remember, the thread started with someone telling us that Mikrotik is a good replacement for Ubiquiti use-cases. Whose EdgeRouters and USGs have easily configurable VPNs with good defaults.
I'd also love to hear about any alternative products which support SFP for WAN and 802.3at PoE with ease of setup and use as Ubiquiti. Or even a SOHO ASUS router.
Just want to point out that the fact that there are CVEs does not mean they are insecure.
All kit has security issues but the important thing is how open the manufacturer is about the issues and how quickly they fix them, and Mikrotik have always been very good in this area, regularly releasing updates
Also, as all their devices run the same software, even devices that are years old will still be updated
I often see people saying “Mikrotik is insecure” but this seems to be based solely on the fact that there are published security issues which they have patched. In my opinion that is the opposite of insecure
Agree on the user friendliness though - I use them at home for personal stuff, but for work it is Unifi
the one linked is especially bad, i allows anybody to read the admin password.
the problem is also that a lot of them are running old versions because the update process is not as straightforward as ubiquitu for example.
i also run mikrotik at home and have deployed mikrotik and ubiquiti at out different offices. for the price you can hardly beat mikrotik and once you "get into it" it's fairly simple.
Yes, that’s bad but note that even unpatched it is only an issue if the GUI management port has been left open - which seems to be the case with all the security issues people highlight with Mikrotik
I wouldn’t disagree that management ports should probably be locked down out of the box but I would expect anyone reading this to apply some basic lockdown when setting up any device
I just want to offer a counterpoint to an assertion that I often see here claiming they are insecure which I don’t think is justified
Certainly if you are not into networking and want something that just works then Unifi is great, but if you want something with bucketloads more functionality and don’t mind getting your hands dirty then don’t be put off Mikrotik due to security concerns
Yes, and IMO its less likely to "ruin" the device (i.e. reset all settings on a roof-mounted CPE that you are upgrading remotely) than Unifi updates for LiteBeam... Though I have only used MikroTik SXT and SXTsq and Ubiquiti LiteBeam M5 so I am not the best to judge.
Disabling (access to) WinBox should be the first thing to do on a Mikrotik. Most of their serious security issues are in WinBox.
The Web UI seems to be a perfect equivalent if you want a GUI to manage your one box at home, and SSH should do the trick for automation. Is there any reason to use their proprietary (Windows-only) software to configure the router?
This one was for management port and was fixed before the CVE came out. There are two points: opening management interface to the internet is... Lets say... Weird. The second one, they are extremely responsive to security issues.
I have used Mikrotik at work and have been alarmed at how often professional network engineers make mistakes with them. I found some serious errors through testing (and some exploitation), and when putting them right I could see why the engineers had made that mistake. I caution against them. They don't just have a clunky gui they have a model of the network that people seem to find hard to understand. Shame on Unifi over GPL, but their kit is very good
If all you're looking to do is avoid Ubiquiti breaking GPL not necessarily binary blobs/100% open I'd recommend just using the Intel AX200. It's 20 bucks, will have longer support, supports AX, and supports more features/extensions on older versions of Wi-Fi than e.g. their AC chip does to boot.
I think "analytics" has become a no-brainer among product managers at all tech companies. It seems like no company, not even GitLab, can escape the irresistible urge by management to add analytics. Arguments against it within the company are useless, it is just so obvious to management that this is the way to go, it's what all big successful companies do. Only massive public outrage can turn the accepted wisdom of analytics around, and only sometimes.
High quality products were made for many years with no analytics, just by thoughtful design, using the product yourself, and gathering some feedback from users manually. Even without statistically representative data from some large target population, you can use your brain to figure out what goes wrong and how to make a good product.
And I think lots of products today are quite annoying because of bad decisions based on flawed analytics data. It's hard work to run a good experiment and avoid confounding correlations and plain bugs that throw off the results, and practically nobody today does the hard work. They just run the analytics, get some flawed buggy numbers, interpret them without sufficient care and thoughtfulness, and push through bad design changes. We're data-driven! We're just not looking at the road.
My theory is that they hunt like lunatics this engagement and time spent number. My engagement increased with new Gmail because it's slow as fuck. Of course I click around like a clown and wait, probably product manager happy that people use their product for longer now.
It's amazing how slow Google products are becoming. Firebase is my own pet peeve: opening a single crash report takes easily 20-30 seconds. It's unbelievable. Should be a split second for fluid workflow. Aren't they using their own products? How is this acceptable to any engineer or manager?
I'd use anything else for the slowness alone if I could decide the tools at work myself.
Glad it's not just me. I have an HTC 10, which was a flagship phone when released 3 years ago. Every single third-party app I use, including some moderately demanding games, works perfectly fine. Every single Google app is at the very least frustratingly slow, like Gmail, if not outright unusable, like Maps. It seriously pauses for 5-10 seconds anytime anything on the screen changes. One has to tolerate several such pauses to simply search for a location. This is on their own damn platform for crying out loud.
The best part is that 10 years ago I used to have an absolute piece of dog shit WinCE phone that failed to even keep up with my typing speed in its stock SMS app. Google Maps worked perfectly on that device.
I am going to report it is slow on both, when the bs is disabled. Especially slow on other browsers. You know there are other browsers right? Google seems confused and angered when I dont use one of the 2 they own. Firefox is only around because they fund it discreetly to avoid antitrust, while is still sends them nearly all the same tracking metrics.
In my experience analytics usually become a hot topic in product group of the company when product evolution stop. We did all the major features but we still need growth, so to pick new direction we need some insight on our users.
Maybe your "engagement" increased, but in this case your "time to task completion" did not. In most cases analytics is much more nuanced than you might think. And the reason why something got worse for you is because it got better for someone else.
So they're driving down the time it takes to do what they magically infer I'm trying to do. Is this why whenever I try to organize my gmail box I give up 10 minutes in because the UI is slow and bullshit? Because it's good for metrics that I can't make my gmail account anywhere near as useful as my work email?
What you describe is a caricature of a product manager. In reality, differences or changes in “time spent” or other metrics are extremely useful to explain problems and opportunities for improvements that might otherwise be missed.
Most certainly you could misuse the statistics for blind number worshipping, and I’m sure there are many anecdotes of that kind of behaviour. But I’m also quite certain that successful organizations can use these to improve their products in meaningful ways. I suspect any gmail product manager who tried to slow down their product (or resisted fixes) to improve meaningless time spent metrics would be crucified.
This is my biggest concern about present and future technology. For example, many car manufacturers are sharing real-time sensor data from their vehicles, including GPS, with third parties. There's no clear opt out. Is it anonymized? Can it get misused? Sadly yes.
The freedom and transparency we got from PCs where you can always know what is going on, with some caveats, is missing from all other platforms. And it's really worrying.
If we let them they will do it to PC's eventually too. We have to fight for our rights. I think cell phones have normalized it for far too many people.
Win10 analytics (and forced updates) is what finally pushed me to exclusively using linux after many years of dual-booting. There are still choices thankfully (for now).
Since the mandatory telemetry in Windows 10 (and the backports to Windows 7 onwards if you trusted Microsoft and installed their recommended updates) we don't even have that transparency on PCs, sadly.
But I agree, it's a serious problem. The abuse has become so widespread that I am now in favour of heavyweight statutory regulation and severe penalties for violations. I don't see any other way we come back from this situation now. Competition in the market has utterly failed.
I brought PCs as an example because it's a relatively open hardware platform and you can run Linux or BSD and have an imperfect control of everything that is going on.
On phones, things have gotten much worse. Although you can flash a relatively open ROM in case of Android, good luck controlling what the baseband does behind the scenes.
And if we talk about cars and other devices like smart watches, there's often zero openness.
good luck controlling what the baseband does behind the scenes
I actually have a lot of sympathy with that one, because radio transmission is one of those areas where one idiot who thinks he's clever and should have total control of his device can literally disrupt entire networks for everyone else over a wide area, with the obvious serious consequences. Modern wireless communications systems rely much more than most people realise on conventions and standards and everything playing nice, so regulating such that only licensed practitioners are authorised to make parts that transmit within prescribed specifications is not an absurd idea.
Of course, that doesn't mean a closed part of the system like radio control should have any access to any other part of the system. It ought to be essentially a firewalled client of the more open parts of the system. And if it's going to be regulated and controlled then the people licensed to develop those components should be required to have them only perform the defined function according to standardised specs, without anything else piggybacking on top.
Yes, that's true. That's why if there is regulation allowing them to be closed units and limiting who can make them, I'm also in favour of that regulation restricting their functionality to only standardised specs (and regulators being able to audit this and impose meaningful penalties for compliance failures).
That's great unless you need software that is not available on Linux. Not all businesses have that choice, but they might still care about privacy and security.
True, but at least for personal use you could make that sacrifice of replacing and re-learning stuff as much as possible. Tbh, from an employee's POV I don't even care that much if my company wants to take that risk.
I'm the person (one of them) responsible for my own businesses, so I look at things a bit differently. It's on me and my colleagues if we don't have proper security in place, or we violate confidentiality agreements or NDAs or GDPR or other privacy/data protection rules. Looking at the amount of essential software and equipment that is now actively hostile to even basic security and privacy, when you're talking about things like your networking gear or your operating systems or your everyday development tools betraying you, it's now all but impossible to buy new stuff and still be professional about safeguarding privacy and security now, and it shouldn't be. It's going to hurt a lot of people sooner or later, probably sooner, and it's going to cost a lot of businesses a lot of money too.
This is also why everything is mobile-first now. So many web-based applications insist that users install a mobile app for half of the functionality because that gives them a much stickier place to attach.
On a browser, it's drive-by, and your ability to track users is gone once they leave your site, especially with vendors like Mozilla and Apple implementing third-party cookie blockers by default and the ubiquity of adblock.
On a phone, if you install something, you'll probably leave it for at least a few days, and if you watch logcat, you'll notice that many of these apps are anything but patiently waiting for the user to decide open it up again.
>On a browser, it's drive-by, and your ability to track users is gone once they leave your site, especially with vendors like Mozilla and Apple implementing third-party cookie blockers by default and the ubiquity of adblock.
There is a way to hijack the back button, i have no idea if it has been fixed, there are also tracking cookies so they can track you cross sites anyway.
The data you are likely to get from this sort of spyware is typically less useful than even a few sessions watching real users actually using your product and actively collecting their voluntary feedback.
Source: I am basically the person you are talking about, in one of my current roles.
> Firewalling access points, good practice or not, should not be necessary.
It is now, it seems.
Having seen what kinds of data crash reports in other domains include (the richer the call chain trace, the better) I expect this to be a subtle security problem. In regulated or otherwise highish-security networks one can expect to see user authentication when accessing wifi (EAP).
Simple scenario: AP crashes during client auth stage. A full crash trace may easily contain the credentials used for EAP, and if those are sent to mothership, your access point has just leaked out the necessary information to successfully access your secure network. Worse, when EAP is used, the login is likely bound to domain credentials, which are practically guaranteed to allow access to all sorts of internal services.
To state the obvious: best practice with crash traces is to filter out or mask high-value KV pairs. But then again, best practices also disallow leaking credentials in the first place.
For my part, I will now consider Unifi APs as rogue devices.
Yes, and it works quite well. I've flashed the latest OpenWRT on my Unifi AP for a test, I'm really impressed with the performance. It also adds more features with OpenWRT packages.
Do note that some ubnt devices have custom firmwares blocked on newer software versions. For example Unifi AP and LR:
And OpenBSD/octeon[0][1] appears to run on UniFi Security Gateway.
Just ~ two weeks a go I finally retired my old OpenBSD based gateway in favor of USG. But no, I guess I'm back to putting OpenBSD on USG, and maybe OpenWRT on APs.
Is there a working replacement OS for Ubiquiti PoE switches?
But here lies the dilemma: do I trust them? If I put in a rule to block their telemetrics, would USG honor that rule? Not just now, but after some firmware update that 'breaks' something. Or maybe I have to put another box in front of USG that I actually trust to be certain that call home got blocked. And even if I block this call home, maybe it changes to something else in next version or the next that now needs to be blocked as well. And maybe the data being sent home changes to more draconian over time as the marketing department gets greedier. And so it goes.
When I buy [network] equipment, it is my expectation that since I own the HW, I am to a certain degree in control of what they do and to whom they 'talk to'. And call-home / telemetrics without at least opt-out just doesn't sit well with me here.
You actually can't* use the firewall to prevent a USG or EdgeRouter from phoning home as the WAN_LOCAL rules only apply to inbound traffic.
* Possibly by some other combination of dropping Established/Related traffic. I think that'll get gnarly for the instances where WAN_LOCAL traffic is needed -- VPN, connectivity checks for load balancing, etc.
Not sure what you're quoting, but you are misinterpreting it. The IN / OUT rulesets absolutely do not impact traffic that originated from or is destined to the router itself.
Just now I verified with the following partial ruleset on a EdgeRouter I have in production:
set firewall name WAN_OUT default-action accept
set firewall name WAN_OUT rule 300 action drop
set firewall name WAN_OUT rule 300 description 'block 1.1.1.1'
set firewall name WAN_OUT rule 300 destination address 1.1.1.1
set firewall name WAN_OUT rule 300 protocol all
set interfaces ethernet eth0 firewall out name WAN_OUT
Devices behind that ER can no longer communicate with 1.1.1.1, but the ER itself can.
The only way to filter traffic from the router would be to drop the standard "Allow Established / Related" rule from WAN_LOCAL, retain the default drop action, and make specific rules allow whatever the router should be permitted to communicate with. And that would still allow packets to escape the router -- for TCP the communications channel is effectively dead since the handshake can never complete, but it could blast out all the UDP it wants.
I discovered when trying to place an order for some of their networking gear for my vacation home in Thailand they simply refused to allow the order to go through because I wasn't in the US - Even though I was ordering to my US Address. It wasn't even due to fraud, they refused to sell something that might be used out of the US for 'legal reasons'. So why have I been able to order networking hardware from every other manufacturer with no problem? When I buy an iPhone, does Apple forbid me from using it as a hotspot outside of the country I bought it from? No of course not, that would be ridiculous.
Try buying an iPhone from the US store and have it shipped internationally. Or try buying one of their products that have only been released in the US, abroad.
I'm gonna go searching for it but, in the meantime, anyone know the process for submitting a hostname to be added to any of the lists used by PiHole, et al.?
The hostname that Ubiquiti is using -- trace.svc.ui.com -- seems like exactly the thing that should be blocked, IMO.
---
FWIW, if you're using PiHole and want to block these access points from "phoning home", you can simply do the following:
This will cause dnsmasq, the underlying resolver, to return NXDOMAIN for any such queries.
---
EDIT:
Apparently the "pihole" utility has functionality built-in to blacklist domains (via /etc/pihole/blacklist.txt). Instead of the above, you can simply use:
$ pihole -b trace.svc.ui.com
This will result in the IP address "0.0.0.0" being returned (with a TTL of two seconds) for any manually blacklisted hostnames (the same way that PiHole normally responds to queries for blocked domains) although, personally, I still prefer NXDOMAIN.
Don't mess with the generated config file on the EdgeRouter, it'll just get replaced next time you reconfigure it or a firmware update is applied. Just add the following to the config.
set service dns forwarding options server=/trace.svc.ui.com/
Or if you have dns forwarding using the system resolver you could also just add it to the hosts file via something similar to this.
set system static-host-mapping host-name trace.svc.ui.com inet 0.0.0.0
If there is any chance in management making the right decision here then it’ll be because good people at the company have ammo to go back to management with.
FYI - I was about to buy Qty 22 unifi access points next week and Qty 44 unifi 48 port switches. Nope on that with this change.
He’s lead on the security team, not blanket UI.com from what I know. Also met him when he was working on the PFSense stuff and spent a few days with him and his team in Austin TX in 2014.
I agree, great person and I still have faith in him; but he’s just 1 person on a billion dollar enterprise team. He’s also very silo’d it seems, to what he’s doing on the firewall (and UDM?) side.
We’re also heavy deployers of UI stuff (100+ AP’s /month and 1000’s of ports installed).
This change concerns me, but doesn’t surprise me. All the new product line is geared for centralized propriety. The company as a whole is turning for the worst I think. The new forums and treatment of their community is indicative enough of this theory....
I'd love to get a bunch of the UI engineers out into the rural areas where their gear is used, to remote work from there for a while, so they can see how badly it caters to the needs of those who need it most, and that they can go back with some easy to implement and much needed improvements.
If I had a twitter account I'd ask him about the GPL violations by using a modified Linux kernel for their gear and not releasing the according source code.
Don't throw the baby out with he bathwater. Hardware is hardware and their wireless APs are good, their switches suck, 2 minutes of downtime with any settings change?! Their controller software is a marketing gimmick trying to silo you in. Still, its an easier battle if you're armed with the right tools, and their APs are a dream compared to most others.
Its a shame to see another seemingly benevolent and forward thinking company start betraying the customer base they have built up. This company seems to have started a large strategic shift in the past couple years and it's probably just a matter of time until all the hardware I've bought from them has to be thrown out.
I’ve been a fan of Ubiquiti but they seem to be pissing off their existing customers a lot lately.
Off the top of my head:
1. Deprecating UniFi Video in favor of UniFi Protect which only runs on Ubiquiti hardware (and none of the current hardware supports more than a handful of cameras anyway?)
2. Advertising UniFi Protect on existing UniFi Video installations, which is especially obnoxious for installers who sold their customers a complete system
3. Removing SNMP configuration from new firmware versions on certain product lines (EdgeSwitch?)
The unifi protect thing is really annoying. I would totally have done an installation already if not for a lack of ability to back up data off the NVR device (cloud key gen2+) or self host on something with more storage. If I do an install with more than a few cameras it’ll only have a day or two of recording on their crappy 2.5in HDD. The software looks so good though. It’s really irritating.
You can replace the 1TB in the cloud key with 5TB drives, which help. You can also set the compression to get more lifetime, or change always record to only record windows around movement.
Ironically blocking various widgets from spying on me was why I bought ubiquiti hardware. I was noticing regularly outbound network connections from my TV, turns out it was finger printing what I watched and reporting back to the mothership. It no longer gets network access of any kind.
I was tired of playing the OpenWRT/DDWRT flavor of the week (korg) on hardware that wasn't really well supported (netgear R7000). I hated the disposable nature of configuring the routers and having to largely throw away that configuration with each major upgrade. Even getting Comcast's /60 handled was painful (a bug in dhcpd6c or similar). I also wanted to handle WIFI APs well and not have a painful upgrade process.
I have a Ubiquiti NanoHD, EdgeRouter 6p, and a PoE EdgeSwitch 8xp. Nice GUI, you can fall back gracefully to command line, and backup your device state in a human readable config file you can keep in version control. Upgrades are typically press a button in the web UI and wait a few minutes.
They handle my moderately complex home network. Comcast gives in a /60, I split that into a /64 per 4 router ports. Lets me split the trusted stuff (desktops and laptops I manage) from the untrusted. I can even login over ssh to manage them with a key.
It's been very handy. If one of my PoE cameras freak out, I can bounce them remotely.
If various android apps have anti-social behaviors to avoid DNS based blocking I can track them on IPv4, IPv6, and block them when they try to skip my name servers. Took me a bit to block all IPv6/IPv4 DNS traffic to force anything on my network to actually use my nameservers. I'm not looking forward to DNS over TLS which despite the promises seems like will inevitably make things harder to filter.
Anyone know of a Ubiquiti competitor that's better about handling privacy and security and not trying to install spyware?
> I was tired of playing the OpenWRT/DDWRT flavor of the week (korg) on hardware that wasn't really well supported (netgear R7000).
I should think so. Broadcom doesn't want their hardware to be properly supported by open-source software, so you were never going to be entirely successful in your quest to find good third-party firmware for that particular router. In the long run, it's always worth returning any such hardware and spending a bit more time shopping around for a router or AP that uses Qualcomm, Mediatek or Marvell chipsets (Ubiquiti APs use Qualcomm). And if you don't like the flavor of the week mess for firmware distributions, stay away from DD-WRT and prefer OpenWRT, which actually does clearly-identified stable releases.
It's easy to block devices from calling home. The trust issue is harder. I think the real fix is to move to a different company until they change their minds.
Ubiquiti does seem like a generally good company, just seems like someone decided more feedback on failures was a good idea and added the remote debugging... without thought on opt-in. After all I get a few similar reports a day (x failed... report home?), but they are of course opt-in.
I think OP's point is if Ubiquiti decided to roll this up through their networking stack, they could theoretically silently still send the updates through to their collectors, no matter how many blocks you put in place (assuming you use Ubnt switches/routers/firewalls/APs).
This would be easy to discover if you mixed brands, but the point is how would you trust them anymore?
The entire product line is specifically designed to give you insight into what packets are going where, and the ability to control which ones you let through.
You can argue that this should have been opt-in but it’s absurd to say that anyone cannot trivially opt-out.
I don’t understand the point of speculating that they are going to break iptables to get crash reporting, other than spreading FUD.
Microsoft broke local search completely on latest Windows 10 updates if you've ever tried to block Cortana. They count this as a non-issue because from their point of view you're not supposed to block Cortana/web search.
I've hated this "just block it" mentality around Windows 10 from day one because it was obvious to me it would be a losing game for the user in the long term.
You can't fight the software developer forever on this and with each update they send. Eventually if they really want that tracking feature they're going to integrate it into some other core feature that will stop working if you try to disable the tracking.
That in and by itself is hair-raising! It's absolutely, obviously, crassly obvious that Ui only concern was getting the telemetry out and everything else (like failure modes) was an afterthought. It paints a picture the crowd here are probably very familiar with: Upper mgmt needs this feature a month ago, go implement it asap. No PM, no architect, no nothing, just C-level straight to a dev...
Software is complex and bugs happen everywhere, the firmware wasn't even released yet (it was an opt-in beta) when the bug occurred. I don't like this any more than the next guy but beta is BETA for a reason, to find bugs.
No way to opt out? Seriously? This kind of telemetry BS where you have to set up firewalls is really getting on my nerves, after microsoft started doing it it seems like every company considers this behavior acceptable.
> There is no on/off switch but there also are no penalties for blocking Internet access to the device, dropping traffic to this host, and/or blocking it via DNS.
---
> I guess hiring real testers isn't cool anymore.
Have you used any Ubiquiti products? I'm not sure that they ever hired "real testers".
That could just be an unlucky coincidence that you have two with some kind of hardware fault... Sounds best to just RMA them. None of our Ubiquiti stuff does anything like that so I can’t believe that’s in any way normal.
Needs to be opt in: Some of my customers would be happy to have crash logs sent to Ubiquiti. Others that fall under HIPAA or PCI need this turned off - otherwise I'll have to bill them to block it at the DNS level.
I spent countless thousands of dollars for Ubuquiti products for our clients.
Why would it be so hard to make it optional? Why? I just can't wrap my head around it. Why are you forcing us to send our data, no matter how encrypted or not We purchased these for security and privacy.
Ubiquiti, pull yourself together. We will stop buying, you will lose.
Wow, can't really trust anyone nowadays. I feel like its a losing battle that privacy conscious people are fighting. It feels like every single company is edging towards this dystopian future.
Sigh. I thought about trying an open source router before settling on a Ubiquity AP + USG. It seemed like a solid investment, into a company that was pretty well trusted.
The lesson I’m learning is, maybe it’s worth it to pay more to get less sometimes.
I think my best bet would be to install OpenWRT on the AP and sell + replace the USG. Not sure with what. It'd be kind of cool if I could have a router running NixOS so I could keep the configuration declarative, but pfSense is the obvious preferred choice in the community, so maybe I will just get a device designed to run pfSense.
I dunno if messing with tech support will really "send a message," so I will just send feedback through the regular channels. Chances are, it will get ignored. Chances are pretty much anyone that isn't a huge customer doesn't matter.
MikroTik - learn it any you will not regret it. Buy hAP AC2 devices - powerful yet cheap, lifelong free OS upgrades, they offer much more than UBNT devices.
I've been on a receiving end of troubleshooting MikroTik-centric bugs and they really make you to go Hmmm. Not because they are bad, but because they are of a kind that you'd see in the code hacked together over a weekend while chugging down some beers. An amateur job basically with a glaring lack on quality control.
I use ubiquit and had recommended them just last week to somebody, but I am going to switch to another vendor who is more open and about these things.
The fact that they sneaked the call home with out any opt-in is bad and fishy, and even after it was raised by community they are not willing to provide opt-in. They want the users to disable the access to the host name and blah blah, which is not feasible for most home users.
EDIT: I'm wrong - 4.0.66 has been promoted to stable. The rest of this post, while sort of still valid, is incorrect.
This is in a BETA version of the firmware. BETA.
You have to sign up to get access to the BETA area.
So yes, while integrating tracking etc isn't a great idea, it might also help debug crashes/problems in the BETA firmware people are running.
Now, if this rolls out to the stable channel, then sure, pass me a pitchfork too. But until then, you've got to opt-in to test the BETA software, and you know what you're signing up for - BETA quality software.
I'm almost surprised Ubiquiti give regular folk access to the beta software, because the users treat it like production, roll it out into production, then complain.
Slowly, over 10+ years, trending towards removing control and usability and funneling their use-case to an online-only, subscription based, neurotic consumption model.
Ironically, I was just in the process of migrating my home, my office and my local volunteer fire department to an all-ubiquiti network+camera platform ...
I wouldn’t touch their cameras with a 10-foot pole anyway because they don’t follow the ONVIF spec and so can’t inter operate with anything else (vendor lock in).
Don't bother reading through the responses -- it's mostly others arguing about what GDPR is or isn't. Ubiquiti's official response [0] is near the bottom of the thread:
> We have started to gather crashes and other critical events strictly for the purpose of improving our products. Any data collected is completely anonymized, GDPR compliant, transmitted using end-to-end encryption and encrypted at rest. There is no on/off switch but there also are no penalties for blocking Internet access to the device, dropping traffic to this host, and/or blocking it via DNS.
> ...
> The memory leak that you reference above was a bug specific to release 4.0.60 which was fixed as of 4.0.61.
> There is no on/off switch but there also are no penalties for blocking Internet access to the device, dropping traffic to this host, and/or blocking it via DNS.
Is it even possible for this to be GDPR-compliant without even a way to opt out? I’m not very well-read in the subject, but I thought stuff like this had to be opt-in under GDPR?
The Usage Data that we collect may include information such as your device data, including your mobile devices, sensor data, device signals, device parameters, device identifiers that may uniquely identify your devices, including your mobile device, web request, Internet Protocol address, browser type, browser language, referring/exit pages and URLs, platform type, the date and time of your request, and one or more cookies that may uniquely identify your devices or browser. IN ADDITION, WE MAY AUTOMATICALLY COLLECT LOCATION INFORMATION (INCLUDING LATITUDE AND LONGITUDE), PERFORMANCE DATA, MOTION DATA, TEMPERATURE DATA, POWER USAGE DATA, AND ANY DATA OR SIGNALS COLLECTED BY THE DEVICES AS PART OF THE USAGE DATA. WE DO NOT COLLECT THE CONTENTS OF ANY COMMUNICATIONS THAT PASS THROUGH OUR DEVICES OR SERVICES.
-----------------------
By this desription, it certainly isn't GDPR compliant. device identifiers/data etc.. is PII in GDPR context and requires a legal basis for processing.
As far as I know, GDPR only applies to data that somehow relates to a person. If telemetry e.g. only sent build number + backtrace for crashes and the IP address wasn't logged, it seems like that would be allowed under GDPR.
Ok, I’m trying to set up a block for this within the unifi interface itself. Looks like the best option is a firewall rule dropping all “wan out” traffic originating from my access point. Am I missing a better option?
I would prefer returning NXDOMAIN for that host; with blocked IPs, once ubnt changes their dns, your rules will be obsolete.
On the other hand, I never understood how to configure dnsmasq on usg in a permanent way (not only blocking hosts, but also static SRV and TXT records). It it supposed to be done via gateway.config.js, but finding the right json keywords is the issue. Is there someone who can drop some hints?
I'd be surprised. Here's an actual quote from one of their changelogs:
"Do not choose the skip option when running the Migrate Site wizard. If you do your devices may end up in a weird state."
Stop this madness. This is networking equipment aimed at a highly technically proficient base of users. Much like gitlab, this hardware is often going to be used by people in more security and privacy conscious environments. This kind of phoning home is absolutely fine if the user is informed and the data that is being sent is clearly explained, and there’s an easy opt out.
I bought unifi equipment because I was fed up of typical consumer equipment (and meraki) requiring subscriptions and phoning home all the time. WRT the GDPR stuff, I’m pretty sure a network admin can’t consent on behalf of all the users of the network...
It amazes me that in some cases brand love can overpower common sense. When OP concerned about privacy and security is told by loyal brand users to "give it up". I wonder if companies realize power of blind brand loyalty and utilize this to their own advantage.
I use ubiquiti hardware in my house, and I was already concerned by the quality of their UI, it filled the disk once with mongodb logs (5TBi !)and crashed my home server, now it is running in chroot with limited disk access but that was a pain to setup.
Anyway, I am looking into alternative but I can't find anything yet. I only need WiFi AP that can work together for roaming. I would love open source, and would pay premium to support an open source solution.
Ubiquiti owners are not happy after the app outage on Halloween that wasn’t disclosed on their status site. They’re also not happy Ubiquiti apps require logging in through their cloud service vs directly to the device.
I am not sure how to evaluate this. I’m about to buy a quite a lot of UI hardware in January. If this is it, they implement an opt-in/opt-out feature I’ll definitely see it as positive (that they listened to the community), it not—the. I don’t know what to think.
The question of hardware for my January setup, which I thought settled, just got reopened again.
I love the UniFi “single pane of glass” management interface. Are there any similar open source system that works via SNMP or something?
It seems like possibly a good opportunity for low end network hardware companies such as Netgear or TP-Link to collaborate with an open source project like pfSense.
Did somebody sniffed what kind of request they use to send the data to the mothership?
I have one of their devices here, I will be pretty glad to use some spare network capacity to send them a few thousand fake crash report per hour. That's what they want, right?
Is it possible to send fake telemetry data back? That's the best way to combat these issues. Imagine an app that sends fake telemetry back to all these services making their data bunk.
worked at ubiquiti before. the first thing I was told is that, "customer first", "customer first".
I never realized customer-first means violating GPL and call-home.
openwrt or vyos are good alternatives, however, both got minimal community support(sharing code or donation), especially openwrt, which is used by big vendors like tplink or xiaomi but they neither have contributed any code, nor have they sponsored/donated anything to the projects they making huge money on, they're just bad-ass parasites.
I would not be surprised AT ALL to find that they aren't doing certificate validation, however... in which case it'd be trivial to MITM the connection and find out just what they're sending.
That is a scenario that actually is good - because then at least you can know what goes out to the mothership. Otherwise, well, who knows. Maybe it's crash reports, maybe it's the names of your fetishes.
as their official response[1] was pretty much "it's outlined in our policies and ToS" then here is what their privacy policy[2] says they collect:
-------------------
Usage Data. As described in this section, we may automatically collect information when you use the Services ("Usage Data"). The Usage Data that we collect may include information such as your device data, including your mobile devices, sensor data, device signals, device parameters, device identifiers that may uniquely identify your devices, including your mobile device, web request, Internet Protocol address, browser type, browser language, referring/exit pages and URLs, platform type, the date and time of your request, and one or more cookies that may uniquely identify your devices or browser. IN ADDITION, WE MAY AUTOMATICALLY COLLECT LOCATION INFORMATION (INCLUDING LATITUDE AND LONGITUDE), PERFORMANCE DATA, MOTION DATA, TEMPERATURE DATA, POWER USAGE DATA, AND ANY DATA OR SIGNALS COLLECTED BY THE DEVICES AS PART OF THE USAGE DATA. WE DO NOT COLLECT THE CONTENTS OF ANY COMMUNICATIONS THAT PASS THROUGH OUR DEVICES OR SERVICES.
While I’m opposed to companies trying to extract “telemetry” data like they own it, I think most responses in this thread are overreacting.
The equipment phones home, but realistically what can it transmit ? Things like number of devices connected, IP scope, network neighbors, public IP, MAC addresses, and of course the traffic itself.
I think it’s safe to assume that it’s not sending the traffic, as we’d have noticed on the firewall egress.
Public IP and MAC addresses are bad, and probably conflicting with the GDPR as these can be used to identify you, especially if coupled with your account. As UBNT states in the comments, they claim to be GDPR compliant, with data anonymizes, so we can assume they’re not gathering these as well.
That leaves device statistics, such as clients connected, memory/cpu used, private IP ranges. Are those really that bad ?
UBNT also states there is no penalty for blocking these devices from contacting the internet, and while I would prefer an opt-in solution, it’s no worse than when Microsoft invented “opt out by renaming your WiFi or we share your password with friends of friends”
The equipment phones home, but realistically what can it transmit ?
It doesn't matter. That's the point. If you're at all serious about privacy and security, any unauthorised exfiltration of data from your system is a problem.
Given that they've commented on the fact that all traffic is end-to-end encrypted you'd not notice them sending things you don't want to be send.
Maybe they're sending a list of all sites you visits? How about them sending any login information that you add on sites that for whatever reason isn't doing tls?
One important point here is that they "claim" to be GDPR compliant but are already somewhat breaking GDPR. All data is encrypted on the APs so we can't really know what is sent. This is a complete buy in in trust from us, the customers. We're supposed to trust them that they're not sending anything they shouldn't, even tho they selected not to tell us at all about them implementing this.
I would certainly have preferred to be informed beforehand, as well as opting in, and the whole "oh by the way, we do this now, and we only tell you because someone discovered it" approach is extremely sketchy.
That is of course assuming that the GDPR is being honoured, and that's a pretty big if. Most european companies are still struggling to be compliant, as _EVERYTHING_ that can identify you as an individual is to be handled. It also includes backups, and also when the authorities requires you to store data for 5-15 years, but also allows the right to be forgotten.
I know we've had our fun devising a scheme to delete records from archived backups.
The only way to check is to request your personal data from UBNT. The GDPR allows this free of charge, and they're obligated to hand over all personal information they have on you.
In any case, I already block all internet access for networking equipment, and based on this I added trace.svc.ui.com to PFBlockerNG, just to make it resolve to something local.
I know first hand how hard it is to get GDPR right, I've been extensivly involved in updating systems to comply. It's a lot of hard work and talking back and forth with lawyers to make sure we don't do anything stupid.
[1] https://sfconservancy.org/blog/2019/oct/02/cambium-ubiquiti-...
[2] https://news.ycombinator.com/item?id=9331512
[3] http://web.archive.org/web/20170317174847/http://libertybsd....