Hacker News new | past | comments | ask | show | jobs | submit login

I own and operate Ubiquiti hardware.

If this doesn't go opt in, I will not be buying more and I will stop recommending it to others.

Please don't do this. Firewalling access points, good practice or not, should not be necessary. You're not a dodgy IP cam manufacturer.

People buy your equipment precisely because they want to trust their network hardware.

I think "analytics" has become a no-brainer among product managers at all tech companies. It seems like no company, not even GitLab, can escape the irresistible urge by management to add analytics. Arguments against it within the company are useless, it is just so obvious to management that this is the way to go, it's what all big successful companies do. Only massive public outrage can turn the accepted wisdom of analytics around, and only sometimes.

High quality products were made for many years with no analytics, just by thoughtful design, using the product yourself, and gathering some feedback from users manually. Even without statistically representative data from some large target population, you can use your brain to figure out what goes wrong and how to make a good product.

And I think lots of products today are quite annoying because of bad decisions based on flawed analytics data. It's hard work to run a good experiment and avoid confounding correlations and plain bugs that throw off the results, and practically nobody today does the hard work. They just run the analytics, get some flawed buggy numbers, interpret them without sufficient care and thoughtfulness, and push through bad design changes. We're data-driven! We're just not looking at the road.

My theory is that they hunt like lunatics this engagement and time spent number. My engagement increased with new Gmail because it's slow as fuck. Of course I click around like a clown and wait, probably product manager happy that people use their product for longer now.

It's amazing how slow Google products are becoming. Firebase is my own pet peeve: opening a single crash report takes easily 20-30 seconds. It's unbelievable. Should be a split second for fluid workflow. Aren't they using their own products? How is this acceptable to any engineer or manager?

I'd use anything else for the slowness alone if I could decide the tools at work myself.

Glad it's not just me. I have an HTC 10, which was a flagship phone when released 3 years ago. Every single third-party app I use, including some moderately demanding games, works perfectly fine. Every single Google app is at the very least frustratingly slow, like Gmail, if not outright unusable, like Maps. It seriously pauses for 5-10 seconds anytime anything on the screen changes. One has to tolerate several such pauses to simply search for a location. This is on their own damn platform for crying out loud.

The best part is that 10 years ago I used to have an absolute piece of dog shit WinCE phone that failed to even keep up with my typing speed in its stock SMS app. Google Maps worked perfectly on that device.

Are you using Firefox or Chrome?

I am going to report it is slow on both, when the bs is disabled. Especially slow on other browsers. You know there are other browsers right? Google seems confused and angered when I dont use one of the 2 they own. Firefox is only around because they fund it discreetly to avoid antitrust, while is still sends them nearly all the same tracking metrics.

What do you mean by "when the bs is disabled"?

why would this matter?

In my experience analytics usually become a hot topic in product group of the company when product evolution stop. We did all the major features but we still need growth, so to pick new direction we need some insight on our users.

Seriously, new Gmail is absolutely horrible slow dogshit.

And it is even worse in firefox than in chrome.

It takes 30s to 1 min to load(!). It has cached last view, which loads fast.. then it goes unresponsive for bloody 30s to 1 min anyways.

3 different machines were used to test this - i5 6th gen laptop, i7 7th gen pc, i7 3rd gen pc - all of them with plenty of ram(at least 16gb).

Maybe your "engagement" increased, but in this case your "time to task completion" did not. In most cases analytics is much more nuanced than you might think. And the reason why something got worse for you is because it got better for someone else.

>your "time to task completion" did not

So they're driving down the time it takes to do what they magically infer I'm trying to do. Is this why whenever I try to organize my gmail box I give up 10 minutes in because the UI is slow and bullshit? Because it's good for metrics that I can't make my gmail account anywhere near as useful as my work email?

What you describe is a caricature of a product manager. In reality, differences or changes in “time spent” or other metrics are extremely useful to explain problems and opportunities for improvements that might otherwise be missed.

Most certainly you could misuse the statistics for blind number worshipping, and I’m sure there are many anecdotes of that kind of behaviour. But I’m also quite certain that successful organizations can use these to improve their products in meaningful ways. I suspect any gmail product manager who tried to slow down their product (or resisted fixes) to improve meaningless time spent metrics would be crucified.

This is my biggest concern about present and future technology. For example, many car manufacturers are sharing real-time sensor data from their vehicles, including GPS, with third parties. There's no clear opt out. Is it anonymized? Can it get misused? Sadly yes.

The freedom and transparency we got from PCs where you can always know what is going on, with some caveats, is missing from all other platforms. And it's really worrying.

If we let them they will do it to PC's eventually too. We have to fight for our rights. I think cell phones have normalized it for far too many people.

What do you mean, eventually? You haven't followed the Windows analytics debacle?

Win10 analytics (and forced updates) is what finally pushed me to exclusively using linux after many years of dual-booting. There are still choices thankfully (for now).

We still have gnu/linux for the time being. I went linux only many years ago and have loved every minute of it.

Since the mandatory telemetry in Windows 10 (and the backports to Windows 7 onwards if you trusted Microsoft and installed their recommended updates) we don't even have that transparency on PCs, sadly.

But I agree, it's a serious problem. The abuse has become so widespread that I am now in favour of heavyweight statutory regulation and severe penalties for violations. I don't see any other way we come back from this situation now. Competition in the market has utterly failed.

I brought PCs as an example because it's a relatively open hardware platform and you can run Linux or BSD and have an imperfect control of everything that is going on.

On phones, things have gotten much worse. Although you can flash a relatively open ROM in case of Android, good luck controlling what the baseband does behind the scenes.

And if we talk about cars and other devices like smart watches, there's often zero openness.

good luck controlling what the baseband does behind the scenes

I actually have a lot of sympathy with that one, because radio transmission is one of those areas where one idiot who thinks he's clever and should have total control of his device can literally disrupt entire networks for everyone else over a wide area, with the obvious serious consequences. Modern wireless communications systems rely much more than most people realise on conventions and standards and everything playing nice, so regulating such that only licensed practitioners are authorised to make parts that transmit within prescribed specifications is not an absurd idea.

Of course, that doesn't mean a closed part of the system like radio control should have any access to any other part of the system. It ought to be essentially a firewalled client of the more open parts of the system. And if it's going to be regulated and controlled then the people licensed to develop those components should be required to have them only perform the defined function according to standardised specs, without anything else piggybacking on top.

With the controlling part I referred to knowing what the baseband is doing, not necessarily changing the way it works.

Right now we don't know whether for example it's even powered when your phone is on airplane mode and collecting data.

Yes, that's true. That's why if there is regulation allowing them to be closed units and limiting who can make them, I'm also in favour of that regulation restricting their functionality to only standardised specs (and regulators being able to audit this and impose meaningful penalties for compliance failures).

If you really care, use Linux.

That's great unless you need software that is not available on Linux. Not all businesses have that choice, but they might still care about privacy and security.

True, but at least for personal use you could make that sacrifice of replacing and re-learning stuff as much as possible. Tbh, from an employee's POV I don't even care that much if my company wants to take that risk.

I'm the person (one of them) responsible for my own businesses, so I look at things a bit differently. It's on me and my colleagues if we don't have proper security in place, or we violate confidentiality agreements or NDAs or GDPR or other privacy/data protection rules. Looking at the amount of essential software and equipment that is now actively hostile to even basic security and privacy, when you're talking about things like your networking gear or your operating systems or your everyday development tools betraying you, it's now all but impossible to buy new stuff and still be professional about safeguarding privacy and security now, and it shouldn't be. It's going to hurt a lot of people sooner or later, probably sooner, and it's going to cost a lot of businesses a lot of money too.

It doesn't matter - there is always Management Engine in intel CPU's and equivalent in AMD and ARM.

“And I think lots of products today are quite annoying because of bad decisions based on flawed analytics data.”

I agree with this, and it seems to create a self-fulfilling prophecy.

I believe this to be responsible for the decline in Apple’s various device OSs.

This is also why everything is mobile-first now. So many web-based applications insist that users install a mobile app for half of the functionality because that gives them a much stickier place to attach.

On a browser, it's drive-by, and your ability to track users is gone once they leave your site, especially with vendors like Mozilla and Apple implementing third-party cookie blockers by default and the ubiquity of adblock.

On a phone, if you install something, you'll probably leave it for at least a few days, and if you watch logcat, you'll notice that many of these apps are anything but patiently waiting for the user to decide open it up again.

>On a browser, it's drive-by, and your ability to track users is gone once they leave your site, especially with vendors like Mozilla and Apple implementing third-party cookie blockers by default and the ubiquity of adblock.

There is a way to hijack the back button, i have no idea if it has been fixed, there are also tracking cookies so they can track you cross sites anyway.

Ever asked designers of those high quality products if they would have loved data analytics on their products?

I bet they'd say they would have.

Would I love an extra thousand dollars per month on my account? Sure I would. Doesn't mean I'm going to cheat people to get it, even though I could.

But if there was an opportunity to do so, and it required some work, would you?

The data you are likely to get from this sort of spyware is typically less useful than even a few sessions watching real users actually using your product and actively collecting their voluntary feedback.

Source: I am basically the person you are talking about, in one of my current roles.

The amazing thing is all that data is worthless. It hasn't improved things, ads are still stupid, products are just as slow and broken.

Analytics seems to be a given even among developers. Something you ”obviously” put in just because it might be useful at some point.

It seems that product quality is often lowest in products with the most analytics.

> Firewalling access points, good practice or not, should not be necessary.

It is now, it seems.

Having seen what kinds of data crash reports in other domains include (the richer the call chain trace, the better) I expect this to be a subtle security problem. In regulated or otherwise highish-security networks one can expect to see user authentication when accessing wifi (EAP).

Simple scenario: AP crashes during client auth stage. A full crash trace may easily contain the credentials used for EAP, and if those are sent to mothership, your access point has just leaked out the necessary information to successfully access your secure network. Worse, when EAP is used, the login is likely bound to domain credentials, which are practically guaranteed to allow access to all sorts of internal services.

To state the obvious: best practice with crash traces is to filter out or mask high-value KV pairs. But then again, best practices also disallow leaking credentials in the first place.

For my part, I will now consider Unifi APs as rogue devices.

This is exactly the sort of scenario that scares people like me when I read about telemetry being baked in. It’s just totally unnecessary risk.

Which is why I never allow error reporting. Mild UI-features-usage-statistics in anon form are allowed, but rare.

If you have the spare time, OpenWRT supports Ubiquiti hardware.


Yes, and it works quite well. I've flashed the latest OpenWRT on my Unifi AP for a test, I'm really impressed with the performance. It also adds more features with OpenWRT packages.

Do note that some ubnt devices have custom firmwares blocked on newer software versions. For example Unifi AP and LR:


And OpenBSD/octeon[0][1] appears to run on UniFi Security Gateway.

Just ~ two weeks a go I finally retired my old OpenBSD based gateway in favor of USG. But no, I guess I'm back to putting OpenBSD on USG, and maybe OpenWRT on APs.

Is there a working replacement OS for Ubiquiti PoE switches?

[0] https://www.openbsd.org/octeon.html [1] https://codeghar.com/blog/openbsd-on-ubiquiti-usg.html

Or just block the outgoing connection? What am I missing?

It’s not like it doesn’t already have a firewall built into it.

But here lies the dilemma: do I trust them? If I put in a rule to block their telemetrics, would USG honor that rule? Not just now, but after some firmware update that 'breaks' something. Or maybe I have to put another box in front of USG that I actually trust to be certain that call home got blocked. And even if I block this call home, maybe it changes to something else in next version or the next that now needs to be blocked as well. And maybe the data being sent home changes to more draconian over time as the marketing department gets greedier. And so it goes.

When I buy [network] equipment, it is my expectation that since I own the HW, I am to a certain degree in control of what they do and to whom they 'talk to'. And call-home / telemetrics without at least opt-out just doesn't sit well with me here.

You actually can't* use the firewall to prevent a USG or EdgeRouter from phoning home as the WAN_LOCAL rules only apply to inbound traffic.

* Possibly by some other combination of dropping Established/Related traffic. I think that'll get gnarly for the instances where WAN_LOCAL traffic is needed -- VPN, connectivity checks for load balancing, etc.

“eth0_in affects traffic entering the ER on eth0 that gets forwarded to somewhere behind the ER

eth0_out affects traffic leaving the ER on eth0

eth0_local affects traffic that enters the ER on eth0 and is targetted directly at the ER itself (e.g. the webgui)”

In this case you would put the rule on eth0_out, not eth0_local.

Not sure what you're quoting, but you are misinterpreting it. The IN / OUT rulesets absolutely do not impact traffic that originated from or is destined to the router itself.

Just now I verified with the following partial ruleset on a EdgeRouter I have in production:

  set firewall name WAN_OUT default-action accept
  set firewall name WAN_OUT rule 300 action drop
  set firewall name WAN_OUT rule 300 description 'block'
  set firewall name WAN_OUT rule 300 destination address
  set firewall name WAN_OUT rule 300 protocol all
  set interfaces ethernet eth0 firewall out name WAN_OUT
Devices behind that ER can no longer communicate with, but the ER itself can.

The only way to filter traffic from the router would be to drop the standard "Allow Established / Related" rule from WAN_LOCAL, retain the default drop action, and make specific rules allow whatever the router should be permitted to communicate with. And that would still allow packets to escape the router -- for TCP the communications channel is effectively dead since the handshake can never complete, but it could blast out all the UDP it wants.

Maybe read the Ubiquiti EULA. You don’t own the software.

I Just read a post at the link that said doing so causes the unit to retry and retry until restarting after so many tries. That’s not great.

There's a comment further down the page from ubuqiti that says they've fixed that.

Indeed, this is not about anything technical. It's about their attitude.

I discovered when trying to place an order for some of their networking gear for my vacation home in Thailand they simply refused to allow the order to go through because I wasn't in the US - Even though I was ordering to my US Address. It wasn't even due to fraud, they refused to sell something that might be used out of the US for 'legal reasons'. So why have I been able to order networking hardware from every other manufacturer with no problem? When I buy an iPhone, does Apple forbid me from using it as a hotspot outside of the country I bought it from? No of course not, that would be ridiculous.

There’s a ton of legal reasons why they might be specifically concerned about exporting there and Apple isn’t.

* Maybe there’s an export restriction on a component and they lack the license to export to that country.

* Maybe they have not submitted their product for regulatory testing in that region.

* Maybe the product doesn’t operate within legally available spectrum in that country.

* Maybe the product presents an IP rights concern in the laws of that country.

* Maybe they simply haven’t paid a lawyer licensed to practice law in that region to confirm they wouldn’t have any legal concerns.

I'm a bit confused by your wording. Are you saying your billing and shipping address were in the US, but your ip was in Thailand?

Try buying an iPhone from the US store and have it shipped internationally. Or try buying one of their products that have only been released in the US, abroad.

You just described how I bought my last 3 iPhones so I don't really understand your point. If you use a US address its fine.

If you ship it internationally from the US to a US address? I’m not sure I follow.

Ever since MS shoved telemetry down our throat, everyone is doing it.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact