Former Ubiquiti employee charged with stealing data and extorting company (justice.gov)
383 points by arkadiyt 48 days ago | 238 comments

Ex-Ubiquiti employee here. Nick Sharp wasn't just a senior software engineer. He was the Cloud Lead and ran the whole cloud team. His LinkedIn profile will confirm it. This is why he had access to everything.

Nick had his hands in everything from GitHub to Slack and we could never understand why or how. He rose to power in the company by claiming to find a vulnerability that let him access the CEO's personal system, but nobody I spoke to ever knew what the vulnerability was. I discussed this with another ex-Ubiquiti person in an old thread [1] Now I'm positive he faked the security issue as a power move, just as he faked this attack for extortion purposes.

He would also harass people and use his control over Slack and GitHub against the people he didn't like. Many people left around this time partially because Nick made everything so difficult at the company. What a terribly depressing series of events.

[1] https://news.ycombinator.com/item?id=26694945

Is this why Ubiquiti quality has fallen over the last ~2 years? I went all-in on Ubiquiti almost 3 years ago and I’ve been less than thrilled with the quality and level of support. This chaos that you say happened seems to line up with what I was seeing as a customer but everyone has been shocked at how UI has dropped in terms of quality.

I used to recommend them. Not anymore. My complete home setup is all their kit (the GUI means that if I kick it, the family can likely sort it out - it is important). I opened a case that a replacement switch (new model, old is EOL) did not work with one of their POE devices. I know this stuff backwards and forwards. I did my testing and basically sent the case to support with all the details (I know this stuff at the ASIC level). Wasted my time for a week. Finally I just said screw it and RMA'd the switch (nothing wrong with it) because support would not move. I received the replacement and surprise, same issue. Only after that I got the "sorry, we will reach out to L2 support." Wasted my time on a good debug that clearly ID'd the issue and I had to pay for shipping on the RMA. I am stuck with them for now, but as soon as I can find a better offering I am going to switch.

(My issue is that I understand that most users are clueless, heck I started in support for Win3.1 for an ISP, but the stuff in the debug clearly was a statement that I understood what I was saying, and even as a Jr. engineer 30 years ago, I would have read it and said "hum, this dude knows his stuff, maybe I should ask at the next level").

Possibly related: Ubiquiti used non-standard 24V POE for some devices. Plugging standard 48V POE into certain old devices could damage them, and 48V devices won't power on with 24V injectors.

This is true, although it's important to differentiate active and passive adapters.

Ubiquiti sells some devices that are 24V passive PoE. These devices include their UISP products (such as devices like the AirMax). Passive injectors are dangerous because they always supply 24V to the port; this could damage a non-24V PoE device.

There's also the 802.3a* standards family, such as the 802.3at (what Ubiquiti calls PoE+). Each of the standards (e.g. 802.3at, 802.3af, etc.) support different amounts of current, but they're all 48V active adapters. Active PoE is safer because the device "requests" the power it wants; the switch does not always supply 48V power over the port, so devices that don't require PoE won't be receiving power.

Ubiquiti sells a few switches that support both 24V passive PoE and 48V active PoE. You can change this in the switch's web interface, through the port settings. You may also want to consider just using a 24V passive injector, especially if your switch cannot be configured to supply 24V power.

To be fair, and AFAIK, I understand there was (and still is?) no ISO/IEC/IEEE standard for "dumb" PoE power, only "smart"/"managed" power.

The rest of Ubiquiti's gear does use IEEE 802.x.

Thank you for sharing. Unfortunately this is not the issue. I wish it was that simple as they make an adapter for that.

Also used to recommend but currently in the process of replacing all APs

Edit: also their stock. Believed in them so much I bought their stock

When I first bought ubnt (a sec gateway), I could chat with support agents FROM THE GATEWAY'S WEB UI! The service was shockingly good at the time, and I was committed to using UBNT from then on. Agents would be on the chat usually within a minute, maybe a few.

Now... submit a ticket. Frustrating/pointless UI changes. Breaking system upgrades. Backed up your configuration? Doesn't matter, you're going to need to reset this update... disappointing. I still have hope they'll turn it around because they have the best UI of any network gear I've used for getting small/mid size networks up and done.

yeah i remember that feature. was amazing!

I mean this genuinely: I'm amazed there was a point at which people were ever thrilled enough with the quality and level of support from Ubiquiti that they are now shocked. Other than the working hours first level chat support I can't think of anything they had in support that remotely resembled having quality support. Shit, 3 years ago I was happy if there was someone on the forums that found a version of firmware that had killer features like "routing, hardware NAT, and IPv6" working all at the same time without (major) bugs. Low quality software and support with cheap hardware is what they've always been known for with everyone I've ever talked to.

Maybe people are now used to the level of support they get from Google & Co.

I read somewhere (maybe on Reddit) that ubiquiti had started offshoring a lot of the work and as a result quality had suffered.

I used to like Ubiquiti a lot, but nowadays I prefer to use other brands which are even easier to implement and manage. For the clients that still want to use Ubiquiti I try and implement a Debian 11 VM with the Ubiquiti software on it.

Which are those other brands and models, please? I am looking to upgrade my home setup to 10GbE LAN and apart from 2-3 switch models from Mikrotik I really can't see anything worthwhile (I don't want Cisco or TP-Link, they don't take security seriously).

Check out Aruba Instant On, they seem to be trying to jump the bandwagon with the single-pane-of-glass-management and target small businesses. Also Ruckus Unleashed seems to be similar and Juniper MIST.

Thank you! Never heard of them, will research them thoroughly now. Much appreciated.

Aruba Instant On. (It's owned by HP) The name is a bit misleading though. Especially the first time it can take quite some time for devices to be fully updated and manageable.

Regarding support wise: I've had one malfunctioning switch (POE just stopped working) and it was replaced within 24 hours, so that's nice.

Does Aruba instant on allow for multiple VLAN solely for wireless clients by SSID?

I love Meraki stuff, so I looked into Meraki Go, and they handicapped Meraki Go by only allowing VLAN for devices with wired connections to the switch. I want the ability to setup a wireless SSID, apply a VLAN to it, and have any wireless devices connected to that SSID be on that VLAN.

Ah, perfect, thank you! For anyone wondering, the demonstration for assigning VLAN per wireless SSID starts at ~6m30s.

I have an instant on switch and quite like it. Worth noting however that the unifi-style all in one management interface requires using their cloud service, it can't be self-hosted like unifi. The switches can be configured locally (individually) but the access points can't.

Wish they would reevaluate that decision, as I've heard good things about their access points.

Are their 10GbE switches fan-cooled? I really would like a quiet device for a bedroom.

I have a 16 port 10 gbit Ubiquiti switch, and it has fans. But they only ever spin up when I (re)boot the device.

To my knowledge all their switches are fan cooled.

Thank you. Any direct impression on how noisy they are?

I don't really know how to answer that. I usually put them in (small) server rooms. When they boot they're a lot noisier than in normal operation. The PoE versions do make more noise than the non-PoE.

I have the 24 port poe model and swapped the fan for a noctua. The stock fan wasn't noisy by rackmount switch standards but it was more than I prefer to have audible in my living space.

A lot of tech is suffering from quality issues in the past 2 years: We're in the middle of a global pandemic. Components are being stripped out left and right to meet demand, especially in the automotive sector. Ubiquiti is no different, and their store being constantly out of stock is a clear indicator of that.

Personally, I would argue that Ubiquiti handled the pandemic much better than other companies. Take the Cloud Key firmware: Back when it was first released, the thing was so unstable it had to be reset every few weeks. Every firmware update required a factory reset. Nowadays, it's solid. Even flashing beta builds is a smooth, issue-free process. Features like person and vehicle detection in their Protect lineup are a much welcome addition, as is the revamp of the Protect app. All of this happened during the pandemic.

I know people whine about how Ubiquiti unified everything under a global login, but come on.. if it works, it works. It's hardly a reason to bash Ubiquiti because you're upset you temporarily have to sign into ui.com.

Now, maybe they are putting more effort into Protect than they are into the network side of things. I don't know, because I primarily use them for Protect. With that being said, I'm fairly satisfied.

If you read their Glassdoor reviews, one of the common complaints was the company’s hostility towards automated tests.

If there’s a single person to blame for a company’s failure, there isn’t a single person to blame.

If it makes you feel any better I worked with him at Nike in 2014 and he was a complete jerk then too. I’m surprised this didn’t happen sooner if anything. How do these people stay employed?

Let me not come across as non-sympathetic -- I feel what you and others went through.

But IMO the truly depressing event here is management refusing to do anything until it was too late. What are they even paid for?

How does one weaponize slack? Github maybe I can understand, but I don't understand how you can weaponize slack.

Lots of credentials end up getting shared over slack. If you own slack you probably own a few other systems.

Also, extortion. I'm always amazed at what people will say over Slack DMs, seemingly not realizing that it all is accessible by the company.

Real question not trying to be cute, it's just been 4+ years since I've been inside a company actively using slack.

Is that (creds) considered safe/secure these days? Is it common place? I kinda figured slack might get to be a 1password on top of everything else, so it's interesting to hear it's happening.

> Is that (creds) considered safe/secure these days?

No, definitely not. It's just super convenient and happens all the time at every organization.

The most recent Twitter breach involved a credential shared in a Slack channel. Security teams have a hard time monitoring Slack and the default settings are pretty bad (infinite session length, infinite message retention).

Should there be a chat bot for this? "Hey, I see you just shared a credential, I'll remind you in 5 minutes to delete it, if the message is not deleted I'll alert a member of the security team" kinda thing?

Ideally shouldn't the credential be rolled even if you delete the message?

Unless slack hard deletes messages, but my guess would be soft deletion. Even then it's not really designed for sending sensitive credentials

of course they should be rolled.

Even if Slack would delete the message, clients like bitlbee and wee-slack exist, and save the messages as soon as they come in, and Slack will not be able to delete them. Bots get those messages as well.

Just because the chat service deletes messages from their backend does not mean the message is deleted at the clients.

Slack has no concept of a hard delete. There's always a record, as far as I know.

So yes, you'll want to:
1. Delete the message
2. Revoke the token
3. Notify the user/security operations team
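The bot sketched in the last few comments, as an added example that is not code from the thread, from Slack or from any vendor: it scans chat messages for well-known token formats and for long high-entropy strings, and attaches the three response steps above to every hit. Everything here is an assumption for illustration: the message dicts are constructed (a real run would read an export or the conversations.history API), the entropy threshold and minimum token length are starting values to tune, and the action list is a fixed policy rather than anything wired to an API. Note that "revoke_credential" is always included: deleting the message only removes it from the UI, while clients, exports and bots may already hold a copy.

```python
import math
import re
from dataclasses import dataclass

# Added example: a minimal "credential pasted into chat" detector. Not Slack's
# or any vendor's code. Token prefixes below are public, documented formats;
# the sample messages at the bottom are constructed for this example.

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S{6,})"),
}

# Assumption: 4.0 bits/char over a 20+ character token is a reasonable starting
# point for "looks like a random secret"; tune per organisation.
ENTROPY_THRESHOLD = 4.0
MIN_TOKEN_LEN = 20

# Deleting the message only hides it in the UI; clients, exports and bots may
# already hold a copy, so revocation is always part of the response.
RESPONSE_ACTIONS = ("delete_message", "revoke_credential", "notify_security")


@dataclass(frozen=True)
class Finding:
    message_ts: str
    user: str
    kind: str
    secret: str
    actions: tuple = RESPONSE_ACTIONS


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Keep just enough of the value to identify it in an alert, never all of it."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 6) + secret[-2:]


def scan_message(msg: dict) -> list:
    """Return a Finding for every credential-looking value in one chat message."""
    text = msg["text"]
    findings = []
    seen = set()

    # Known formats first: these carry the most confidence and a specific kind.
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            secret = m.group(1) if m.groups() else m.group(0)
            seen.add(secret)
            findings.append(Finding(msg["ts"], msg["user"], kind, secret))

    # Fallback: long high-entropy tokens with no known prefix (random API keys,
    # generated passwords). Tokens already matched above are skipped.
    for token in text.split():
        token = token.strip("\"'`,.;:()[]<>")
        if len(token) < MIN_TOKEN_LEN or token in seen:
            continue
        if shannon_entropy(token) >= ENTROPY_THRESHOLD:
            seen.add(token)
            findings.append(Finding(msg["ts"], msg["user"], "high_entropy_string", token))
    return findings


def scan_channel(messages: list) -> list:
    """Scan a list of messages (e.g. one channel's history) in order."""
    return [f for msg in messages for f in scan_message(msg)]


def alert_lines(findings: list) -> list:
    """Lines for the security channel, with the secret redacted."""
    return [
        f"[{f.message_ts}] {f.user}: {f.kind} {redact(f.secret)} -> {', '.join(f.actions)}"
        for f in findings
    ]


# Constructed sample messages (not real data, not real credentials).
SAMPLE_MESSAGES = [
    {"ts": "1700000001.000100", "user": "alice", "text": "deploy creds: AKIAABCDEFGHIJKLMNOP, ping me"},
    {"ts": "1700000002.000200", "user": "bob", "text": "lunch at noon?"},
    {"ts": "1700000003.000300", "user": "carol", "text": "staging db password=hunter2secret"},
    {"ts": "1700000004.000400", "user": "dave", "text": "use ghp_0123456789abcdefghijklmnopqrstuvwxyz for the CI bot"},
    {"ts": "1700000005.000500", "user": "erin", "text": "api key is q7Zp2mL9xV4tR8kW1nB6yH3"},
]

if __name__ == "__main__":
    for line in alert_lines(scan_channel(SAMPLE_MESSAGES)):
        print(line)
```

Running it prints one alert line per hit (four for the sample above, none for the lunch message). The entropy fallback is what catches the key in the last message, which no prefix rule knows about; it is also where the false positives come from (hashes, commit IDs, URLs), so in practice you would add an allow-list of token shapes before turning on the "notify" step.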

Absolutely. I know lots of companies have rolled their own. I'm unaware of a public one. I've been meaning to write one myself, maybe I'll do that this weekend.

Can I help you with it just for fun? I'm not an engineer but somehow I'd love to help you! :) I added you on LinkedIn.

Sure, though I'm planning to write it in Rust so if you're not an engineer it may be a bit rough. Will reply on LinkedIn though.

You can also view users' private messages by downloading the history.

ChatOps would be one way.

> He rose to power in the company by claiming to find a vulnerability that let him access the CEO's personal system

Do you mean he got promotions because he found a non-existent vuln? Surely whoever handed out those promotions is to blame here?

He extorted himself a promotion, by knowing some dirt on the CEO.

Actually not unusual.

Lots of the highest-ranked sysadmins in larger companies are quite "invulnerable" due to the implication that they might know everyone's mail & the company's dirt.

Ultimately, you can blame the CEO for everything.

I've always been fascinated by the idea that intelligence lies within a spectrum. Someone might be incredibly smart about a narrow topic or field, yet be blind to their own stupidity within another realm.

To me, this seems like a classic example. To quote the press release: "During the execution of that search, SHARP made numerous false statements to FBI agents, including, among other things, in substance, that he was not the perpetrator of the Incident and that he had not used Surfshark VPN prior to the discovery of the Incident. When confronted with records demonstrating that SHARP purchased the Surfshark VPN service in July 2020, approximately six months prior to the Incident, SHARP falsely stated, in part and substance, that someone else must have used his PayPal account to make the purchase."

This man was a senior developer yet this quote sounds like it comes from a nine year-old. Not to mention "hire a lawyer, don't talk to the police" has always been pretty solid advice.

He now faces significant prison time, and the strong potential for a dismal life.

It's not really about intelligence.

When faced with correcting a false reality you have created, it can be quite hard to decide to phase change into telling the truth. The lies that come out come from not being prepared and not being a very good liar. For people who lie like this, a good way to think about it is as though it were a disease.

Actually intelligent people just don't do things like this, even if they have nefarious intent. There are quite smarter ways to accomplish substantially the same thing that this crime does not reflect.

I'm not convinced that this person was particularly intelligent in the first place.

> When faced with correcting a false reality you have created, it can be quite hard to decide to phase change into telling the truth. The lies that come out come from not being prepared and not being a very good liar. For people who lie like this, a good way to think about it is as though it were a disease.

Or just don’t talk to the police and lawyer up. I agree the best thing is to not do the crime, but if you are a criminal then the intelligent and simple thing is to use a lawyer.

Even if you're not guilty the intelligent and simple thing is to politely decline to speak to the investigators and consult an attorney.

Indeed. In my understanding, the authorities have the depth of training and the experience to easily talk us regular folks in circles and catch us in contradictions. Especially if you're innocent: lawyer up.

Having a lawyer doesn't mean you can just not answer questions when subpoenaed. "Don't talk to cops" is complicated.

If you've been subpoenaed, you're not talking to a cop, so "don't talk to cops" isn't complicated at all.

The full phrase - "don't talk to cops except upon the advice of your lawyer" - isn't complicated either.

Yes, it is complicated. And that is why you need the lawyer.

I missed where it said he didn't have a lawyer?

> Actually intelligent people just don't do things like this

Are you really claiming that intelligent people don’t commit crime or don’t lie? That seems incredibly naive.

No, just things like that. The whole situation screams “stupid criminal” or more like “compulsive liar/manipulator without a plan”.

Intelligent criminals and liars are better at it, better at obfuscating, better at making it unclear whether or not a crime was actually committed, better at never having their crime discovered and not getting caught if it is.

I thought they were claiming intelligent people are better at lying in the course of committing crimes or otherwise.

Yeah, he seems to have been operating under the illusion that he'll never get caught. Amateur mistake.

> I've always been fascinated by the idea that intelligence lies within a spectrum. Someone might be incredibly smart about a narrow topic or field, yet be blind to their own stupidity within another realm.

I've been seriously bitten by this, and find it more scary than fascinating. Growing up, I thought people who followed cult leaders and charismatic narcissists were so stupid (still do), it appeared so transparent to me. Later, in my professional and adult life I found myself to be equally gullible when intelligent people were abusive or outright dumb in other areas. This has been a challenge to unlearn, like teaching an old dog to sit. Basically, our proxies for predicting people's character range from bad to terrible.

I think the first thing you must learn when trending towards adulthood is that nobody has any clue and we're just marginally fancier than ants in the grand scheme.

Hell, I grew up in Normandy and was 16 when some Americans became so mad we refused to follow their war in Iraq that they called us ungrateful. Talk about the fall of an idol :D So all that freedom we were supposed to be grateful for was only ever supposed to be used when deciding between buying a Coca-Cola or a Pepsi-Cola, but never for real big boy decisions? Thanks, I guess?

Rules have no intrinsic meaning, authorities are there by luck and circumstances and not their mystical ability to always lead towards the right direction, people try their best and often fail and nobody truly is intelligent in all circumstances.

> I found myself to be equally gullible when intelligent people were abusive or outright dumb in other areas. This has been a challenge to unlearn, like learning an old dog to sit. Basically, our proxies for predicting people's character range from bad to terrible.

oh I am 100% with you on this. I tried to elaborate but I just sound bitter and twisted, and that's probably true. But I've spent the last few years unlearning things I thought I knew. It has been a painful and expensive set of lessons.

long story short: I think we judge people's reaction to a situation by projecting how we would act... but that's not how people actually act.

I would like to hear more about your experience.

I’ve finally worked out that people who want something from me, like my company or my software or my expertise, will say whatever they have to say to get a deal - but once the deal is done they just do whatever the hell they want, regardless of what they said. It’s the opposite of what I expect. I can’t deal with it.

The people who do this are smart, confident and charismatic. It is clearly a negotiating strategy. But in reality, the only thing that matters is who controls the flow of money. If they control the money then it doesn’t matter what they said, they can do what they damn well please. They know this up front, and they count on it.

Despite these setbacks I’ve done alright for myself, but honestly, I’m really bummed out about how useless I am when it comes to judging people and creating businesses where I’m free to actually do my best work.

Anyway, I don’t know if that helps you, but you asked and honestly it has helped me a bit to vent even if it’s all in the abstract.

This story about eBay's attempted takeover of Craigslist might interest you.

Even before Omidyar stepped down from Craigslist’s board, his appointed agent, Garrett Price, started bullying Craigslist’s owners. In an email to Buckmaster, Price wrote that Craiglist was “driving [eBay’s] execs (especially Meg) to distraction.” He told Buckmaster that eBay’s takeover was “inevitable” and that Craigslist needed to accept their fate, telling “Buckmaster that he and Newmark were mortal, but eBay was not, and eBay would acquire 100 percent of craigslist whether it took decades and, if necessary, over Newmark’s and Buckmaster’s dead bodies.”

Buckmaster replied by reminding Price that when they negotiated the sale of their stake, eBay had agreed to abide by a three-year “courtship period” during which time, if Craigslist felt their two cultures were incompatible, eBay had agreed it would sell back its shares.

Price’s response to Buckmaster:

    “that was then, this is now.”

Hey nython, i just wanted to reply again and say that I got a chance to read the whole article just now. It has really helped me put my recent experiences into context. THANK YOU.

It's been one thing for me to be on the receiving end of bad behaviour and to form an opinion and suspicions about what happened.

But it's quite another to see it played out deliberately, in the large, using trust and friendship as a weapon to defeat a group of people who aren't even playing the same game.

The remarkable thing for me is that people really are capable of this kind of shitty behaviour; that it can be entirely intentional, and planned well ahead of time. And that it doesn't matter how rich some people are, they are happy to cheat and steal just to get a little bit more. It's disgusting.

Thanks again for linking to it.

That is certainly the nature of things as I’ve experienced them. Thanks for posting this.

I sometimes wonder if the snakes learn their craft in some consistent manner (schoolyard politics? non-naive parents?) or if it's mostly instinctual.

Yeah - I wonder that too. I suspect all of the above. Having a privileged education and family contacts probably reinforces it.

From what I’ve seen, openness and honesty are highly regarded in technical work but these traits are considered disadvantages in business.

Reminded me of this I read recently and found quite fascinating — http://knowingless.com/2021/11/27/frame-control/

Fascinating, and indeed related. One of the most interesting tactics was people who admit they're wrong or otherwise signal that they're willing to change their view, but they're really not. That's an excellent example of a blind spot in my manipulator radar.

> This man was a senior developer yet this quote sounds like it comes from a nine year-old.

Tech has a contempt culture problem, and this can be one manifestation of it: feeling that being moderately bright about getting computers to do things makes you a tremendous intellect, and everyone else around you an easily hoodwinked moron.

Perhaps the most extreme example was Hans Reiser. Anyone who followed the twists and turns of the case against him for murdering his wife will remember how many trivially disproved lies he told, apparently under the illusion that he was a mastermind who could put one over on the courts based on his faulty understanding of ideas like reasonable doubt.

Yes, and I remember Reiser having rejected a plea deal whereby he'd only serve 3 years, which is just about winning the lottery when it comes to being prosecuted for murder:


A lot of the tech community have pretty hostile attitudes in general for reasons I can only wildly conjecture, but the question I also would pose is if the distribution is all that different from the rest of the population. Look at the doctors and lawyers we’ve been seeing that are at least in public saying some of the most ridiculous things imaginable oftentimes even without an obvious financial motive involved like in most cases I’ve heard with engineers being deceitful.

It is very, VERY difficult to not answer questions from a trained law enforcement interrogator even if you a) are smart and b) know not to answer questions. I can't stress this enough.

It actually takes explicit training and practice, as it goes against every social habit and "instinct" we have developed throughout our entire adult lives.

Reminded me when I watched people try and get out of jury duty by claiming biases.

A big part of the lawyers job is to question people. Their stories fell apart pretty quickly.

That’d be interesting to see.

Once I got quizzed when boarding ElAl flights. They have well trained interrogators. It turns out a complicated life story and ADHD method of story telling doesn’t make them happy. A lot of “I said X because the full story is way too complicated, so here’s the full version” ;)

Very similar approach. Repeated questioning to try and poke holes in your story.

People think they can stand up to it but it’s hard when it’s someone whose full time job is exposing fake stories.

Any tips for how one might maintain composure enough to handle these situations if they ever find themselves in them? I imagine the obvious answer is just practice saying "no comment, I need my lawyer present" but I'm not convinced this would make one immune to their Jedi mind tricks when the day comes to exercise it

You are right: Having watched the "don't talk to the police" video over a half dozen times, I unwillingly volunteered information to a cop when in the moment. It's really hard to put into practice when someone domineering and armed is implicitly threatening you with arrest/violence for not doing precisely what they want you to do.

I actually rehearse now, because police in the USA are so corrupt and unreliable.

Something along the lines of "I know you are just doing your job, but, respectfully, I must consult with my attorney before answering any questions."

Then (to their dismay and annoyance) I repeat the exact same thing over and over again when they inevitably ask me other, follow up questions, trying to work around my initial refusal. (It's so disrespectful, as well as illegal, for them to keep going at that point.)

How about the border when entering a country? What should you do in that case?

Oh, I have a long history of telling the border guards in the USA (where they have to let me in by law) "none of your business" when re-entering.

I have also semi-successfully appealed their FOIA denials covering the incident.

It has resulted in the sexual assault of some of my traveling companions by US CBP (full and thorough body search, simply as punishment for remaining silent). CBP is lousy with criminal pigs.

You can't refuse to answer questions when entering most countries you aren't a citizen of, if you wish to be permitted entry.

Well since they can lie to you and say anything they like bordering on blackmail, you need to know that. You have to be smart enough to guess what they know and have the fortitude to refuse to answer and ask for a lawyer continuously, sometimes possibly for hours. Always be respectful but resolute on getting that lawyer, no reason to piss them off any more than you are by refusing to answer their question. Police can be quite violent and volatile just like any human perhaps more so since they have almost all the power and guns in a given situation.

I recommend watching this video on how to talk to police (hint: don't):


I have a silly idea. Say the truth, admit you made a lapse of judgment, offer to repair your victims. Silly I know, but maybe you'd be surprised this would go a long way in getting out of this shit situation eventually instead of turning everyone into predatory "we'll crush him for eternity" mode?

It's good that you know it's a silly idea, not sure why you felt the need to share it. Essentially pleading guilty without a lawyer is one of the worst things you could possibly do. It's hard to even know what you are admitting to!

I think it’s useful to know how to handle yourself when being interrogated and also innocent. I don’t think the op was asking how if they are guilty.

> This man was a senior developer yet this quote sounds like it comes from a nine year-old.

I knew a senior developer doing advanced R&D at a big tech company, who also kept getting suckered into MLM scams.

MLM=Multi Level Marketing

> This man was a senior developer

Dude, let's not be generous. Could he write code? Yes. But this is a guy who wrote everything in Node, but absolutely _refused_ to use any existing libraries except for ones he personally wrote. He didn't "trust" them.

He wasn't even hired on as a dev, he was hired to be the "Cloud guy", essentially a sysadmin for AWS, and basically spooked the CEO into giving him the keys to the castle.

> wrote everything in Node, but absolutely _refused_ to use any existing libraries except for ones he personally wrote. He didn't "trust" them.

Sounds like the single sensible thing he did. Have you seen the npm ecosystem?

Are node apps getting way more hacked than say php or java servers? Was his code any better?

There are frequently posts on HN about NPM packages getting compromised.

Of the top 10 posts on HN about NPM in the past 30 days[1], 9 are about security problems, and the last 1 is about package spam.

[1] https://hn.algolia.com/?dateRange=pastMonth&page=0&prefix=fa...

Node apps tend to depend on a far, far wider pool of maintainers.

To illustrate: A new Ruby on Rails app has 1/10th the number of maintainers in its dependency list than a new create-react-app codebase.

A create-react-app app is not a node app (It has a node dev server, but it's a front-end JS app), so its a weird thing to reach for to illustrate a point about node apps.

Why would you use node, if it wasn't for the vast package ecosystem?

Path of least resistance?

Picking a language (and possibly runtime) is a pretty huge investment if you intend to become proficient. A lot of people like to think that they are polyglot programmers and that language doesn't really matter. But it does. It takes a few years to become a decent programmer in a given language. And if people claim it takes just weeks or a couple of months, it really only tells you that they have very low standards.

If you are familiar with a given language, ecosystem and runtime, and you care about productivity and quality, the path of least resistance is to stick to what you know. Taking on a major project in a language you don't know is a risky proposition. In terms of quality, time, and even in terms of being able to deliver something acceptable.

I tend to have a main workhorse language. It typically takes 2-3 years to reach an acceptable level of comfortable familiarity with a new language. If history is any guide I tend to stick to the same language for 5-10 years. 5 years ago I switched from Java to Go. I worked mostly as a manager at the time, which is why it took longer to reach what I think is an acceptable level. I'd say it is only in the last 18 months or so I've started feeling sufficiently competent in Go to call myself a Go programmer.

That being said: I think the JS space is both a poor technical choice and a poor career choice. The whole ecosystem is janky as fuck, you have to spend a lot of time dealing with silly complexity that tries to fix the jankiness, and the type of work you get isn't very attractive.

It takes years to become acquainted with the library ecosystem of a given language. If you're going to write everything from scratch (especially in a language with an extremely bare-bones standard library), it takes maybe months to become proficient with any language in a paradigm you already know, save a few extremes (C++).

Which is why everyone knows you give an addict $100 and they will go and reload a green dot card for you.

That's not a quote, it's a summary of what he said.

Mr. Sharp is apparently not so sharp. He carried out the attack from his home network. He connected directly for enough time that his bare IP was logged. The rest of the time, he carried out the attack using a commercially purchased VPN solution that was trivial to trace back to him via the purchase record. He lied to the FBI. (I have yet to understand why people talk to law enforcement instead of staying silent so as to not implicate themselves.) And, for no apparently good reason (meaning, there's no claim of him shorting the stock), after the raid, he seeded fake news that drove the company's stock down 20%.

> (I have yet to understand why people talk to law enforcement instead of staying silent so as to not implicate themselves.)

When the FBI knock at the door you totally do the whole "no comment/talk to my lawyer" thing. But what happens next if you're actually part of an investigation is they hand you a grand jury subpoena (which they were going to do anyway, even if you just talked willingly, because they have already gone to the trouble of asking a judge to issue one and have it with them by the time they ring your doorbell).

That subpoena is likely to require you to hand over any digital records you have related to the investigation (you can't plead 5th on that) and turn up at a time and place to be interviewed (you have to turn up, even if it's on the other side of the country eg in the Southern District of NY in Manhattan and you live in SF Bay Area). BTW I don't think people widely realize the government has the power to compel you to hand over EVERY piece of material you have on a given subject they are investigating - eg search and share anything from every email you have ever received since you signed up for GMail in 2004, etc.

You can plead 5th during the interview but if you have material information (or are actually guilty) and knowing they have all of the documentation subpoenaed and whatever other evidence from other subjects/targets/witnesses, it will likely help you at that point to be cooperative via guidance from your attorney. Remaining silent at that point is just going to leave you at the mercy of whatever other witnesses/subjects/targets convey and their own conclusions from the subpoenas.

If you are on a visa or green card you almost certainly can't plead the 5th because they can leverage your right to remain in the US.

So, that's why people typically talk to the FBI. It's not at the doorstep when they first engage you, it's once you have been compelled to participate.

Related/useful: https://www.natlawreview.com/article/you-received-grand-jury...

Source: happened to me a number of years ago, although I wasn't guilty of anything. Lawyered up, cooperated, no further action. Wasn't pleasant.

IANAL, not legal advice

The difference is that every step after the initial "no comment" can/should be done with explicit guidance from an attorney, and no attorney in the country will have their client blatantly lie in front of the FBI or a grand jury despite there being solid evidence proving otherwise.

Most people don't understand that they can't explain themselves out of a legal investigation.

LEOs exploit this.

Imagine the simple scenario of "someone who looks like you was spotted in area X doing crime Y" and in your pocket you have a receipt that puts you many miles away at that time (or something else that would immediately stop you from being a suspect).

In what way would "fuck you talk to my lawyer" be helpful?

If they're accusing you then they are at the stage where they are already convinced you did it. They would simply think the receipt is an easily faked alibi.

Then by talking to them you accidentally give them ammunition. "Yeah, I hated the guy, but I couldn't have killed him" turns into "the defendant told us that he hated the guy". Or you lie accidentally, which gives them another crime to threaten you with; "you had better plead out, because we have a whole list of crimes we can get you for".

If someone thinks you have wronged them or committed a crime do not engage them. You will not change their mind. You are not that convincing, and they will see your efforts as manipulative and slimy.

(My own first-hand experience with this was civil, not criminal. Someone I had never met accused me of something absolutely nonsensical and filed a lawsuit against me. I thought I could reason with them, but this just made things worse. I would have done much better to approach the situation as though they were dangerously irrational. Just don't engage.)

Surely there's a world where not every cop is bent on convicting the first guy that comes up in the conversation and every piece of evidence is seen as fake?

It's totally true that you can give cops ammo against yourself without realizing and you must be very careful wrt lying and saying the wrong things.

But there also has to be some kind of middle ground.

Cops don't decide who gets convicted. Your statements suggest that you are ignorant of the basics of the process you are criticizing.

Don't talk to the police under any circumstances. You cannot ever talk your way out of getting arrested.

There is no middle ground. Watch the "don't talk to police" video linked in the thread. He explains that it is like a ratchet: statements can only hurt, it is illegal under the rules of evidence for your statements to the police to be used to exonerate you!

The middle ground is bringing in a mediator on your behalf that is a neutral party to the issue. I.e., get a lawyer.

1. You don't have to say it aggressively. Politely say, "I need to talk to my lawyer before answering questions."

2. “The suspect conveniently had a receipt in their pocket placing them elsewhere at the exact time of the Y crime. It was the only receipt in his pocket! Seems suspicious to me. He plainly engineered the alibi.”

3. There's no reason you have to immediately begin demonstrating your innocence. It can wait until you have proper representation.

It's rarely the case where a receipt in your pocket is the difference between handcuffs and freedom. I'm sure they exist, but more often the decision to arrest you or not is not hinging on your answers to the cop's questions. It's already been made.

You mistook my assertiveness for aggression :) And let's assume it's not just the only receipt you happen to have in your house.

Anyway, real life example - police calls me up saying this number came up in an investigation, who are you and a few more other questions. They were obviously expecting me to cooperate cause they hadn't bothered to do the paperwork to obtain my identity which was tied to the number. First thing I did was say I'll call you back cause I'm driving, what's your name? So I could verify it was an actual cop.

When I called them back I said I'm not telling you anything until you tell me what it's about. Cop hesitantly starts giving a few bits of information and we go back and forth until my mother's town comes up (too small a place to be a coincidence) and the whole thing unravels.

Turns out my mom had been getting some weird calls at home and when she was out & about by a person who seemed to be following her. Because of her age and absentmindedness she gave the wrong number out of her recent calls list to the police. Hilarity ensues. Cop suggests I check on my mom, we genuinely thought she had some kind of attack of dementia (she was fine, just very embarrassed).

Cop also called my mom saying your kid's a real hard-ass (but polite and correct)!

Anyway my point is - don't you think me lawyering up for this would have been absurd?

> Anyway my point is - don't you think me lawyering up for this would have been absurd?

Isn’t this just hindsight bias? What if the situation wasn’t your mother’s absentmindedness but your number being found in the phone of a murder victim? The “back and forth” with the officer leads you to confirm that you know and have visited the small town where this person was killed. So they ask you if you have ever visited the window tinting shop where they work, and you say no. What you don’t know is that an eye witness incorrectly believes they saw you there, which makes you a liar in the LEO’s eyes.

This issue isn’t “what if it turns out to be nothing”. The issue is that if it does turn out to be something, the consequences of not keeping your mouth shut are far worse than the minor “overreaction” when things end up being ok. It's like wearing a seat belt. You don’t do it for all the times you don’t get in an accident. You wear it because the consequences are dire in the case that you do get in an accident.

I like your actual scenario. I would probably have done the same as you, and yes it would probably be absurd to actually pay a lawyer money for that situation. Less absurd to just refuse to talk without a lawyer (This refusal does not obligate you to actually go get a lawyer unless and until you get some sort of subpoena or summons, or are arrested).

In this case you had a cop who is actually willing to go back-and-forth with you until you discovered what was going on. Absent that, you absolutely would be right to say something like, “without knowing what’s going on here I can’t answer any questions.”

Your initial example of “you look like a criminal we’re searching for” is way more fraught with pitfalls that can be avoided by not cooperating.

Also, I should be more “assertive” at work…

> Absent that, you absolutely would be right to say something like, “without knowing what’s going on here I can’t answer any questions.”
An actual lawyer wrote an actual book about this (after he made that famous video we are all talking about). Refusing to answer questions can be used against you!

His advice is to collapse it to:

"I want a lawyer."

It becomes unconstitutional for them to continue questioning you after that statement. Do not decline to answer questions directly - ask for an attorney!

You wouldn't have needed to lawyer up, as you wouldn't have been arrested. Refusing to talk to the police at all would have been the end of it.

Watch https://www.youtube.com/watch?v=d-7o9xYp7eE. It gives many such examples, including a very similar scenario to the one you brought up.

Police often give the line, "It'll go better for you if you just tell me the truth now" or "You'll get a better deal if we don't get lawyers involved". This often spooks people into cooperating without lawyers and they end up taking the first deal they get. I'd like to see some real legal experts weigh in on the legality of these pre-lawyer offers.

Not an expert but think it through (for US law): only prosecutors have the discretion to decide whether to bring charges and the severity of the charges they will bring. A LEO who says to you that they'll get you a better deal if you talk now is lying to you - which not only are they allowed to do, it's in their training to do so (specifically, investigators are trained to tell you what you need to hear to get you to cooperate). They don't have the authority to waive the rights and privileges of the prosecutor's discretion.

> "it will likely help you at that point to be cooperative via guidance from your attorney"

guidance from your attorney seems to be the critical bit of that - it's okay to talk, but with your lawyer present.

Your lawyer will do it in writing, after consulting with you privately.

You left off the bit where they seize all your assets in a civil forfeiture, and require you to go to court and prove, beyond reasonable doubt, your innocence so you can get your house and bank account back.

I think many folks have watched this may be coming from this perspective...
Yup, this is a very important video for everyone to watch, but especially anyone moving to America who doesn't understand the differences to policing in this country vs others.

If you have watched this video, you might want to review this highly anticipated follow up several years later: https://www.youtube.com/watch?v=-FENubmZGj8

Lawyer suggests you always hire a lawyer? Not at all suspicious

It isn't suspicious. It has almost no downside other than standing up to a few hours of them harassing you and telling you they'll go a lot easier on you if...

So lawyers are free? Excellent

In the US the state has to provide you a lawyer if you can’t afford one (only after you’re arrested though).

See Miranda v. Arizona 1966 and the Fifth Amendment.

And a judge determines whether you can afford a lawyer.

Guess he should have bought a VPN with cash or stole someone else’s if Mr. Sharp wanted to be more sharp about it.

>SHARP falsely stated, in part and substance, that someone else must have used his PayPal account to make the purchase.

and to me it looks like somebody intentionally left a breadcrumb trail leading to the guy. With cloud paying so nice these days nobody is going to risk that way for the paltry $2M (ie. less than 3-4 years earnings in Bay Area for the people like this). It looks like the stock price drop is the real "follow the money" trailhead, and that doesn't lead to the guy.

And given that it was about Ubiquiti customer databases - the value of [stealth] access to those customers may possibly dwarf those few billions of valuation drop - so even the stock drop may have been a smoke screen. I mean Ubiquiti as a target reminds me of SolarWinds.

Those comments back then are also interestingly predictive https://news.ycombinator.com/item?id=26692987 - having a fall guy kind of absolves the company from architectural and operational sins which allowed the hack and pacifies the customers who otherwise would feel unease at being possibly hacked by somebody serious.

Are you saying that someone purchased a VPN account using his PayPal account and by sheer coincidence, while that said VPN account was in the middle of data exfiltration, his home IP address also connected to said servers with no connection to the exfiltration?

I mean... That is what someone who's setting up a patsy would do if they could. Home networks are not exactly Fort Knox, are they? I had a bunch of rogue connections banging around trying to brute-force database logins within my home LAN earlier this year. I imagine they could have made a connection to a server look like it originated from within my LAN, and if I wasn't watching a live feed of my database connection logs at the time I never would have noticed.

Why, after he realized his own PayPal account had been hacked and used to hack his own company, would he then become a whistleblower and accuse his company of not investigating the hack?

He should have been spending his time finding out how his PayPal account and home network got hacked, not talking to journalists accusing the company of not handling the hack correctly.

This seems like a series of unfalsifiable claims. Taking evidence linking him to the crime and saying “That is what someone who's setting up a patsy would do” pretty much means anything and everything becomes “proof” of the conspiracy.

> evidence linking him to the crime

keyword is "evidence". Whenever a sympathetic person/cause becomes a target of IP-address based evidence HN is overflowing with posts that an IP address isn't evidence :)

It wasn’t IP-address based evidence. It was a chain of evidence. His Paypal account being used to purchase a VPN. That same VPN being used to access the servers with close-hold, high level credentials. His home IP being associated with the VPN after a power outage at his house.

So, we have electric grid evidence that matches up with IP evidence, that matches up with Paypal account evidence. I’m not saying he is guilty or innocent, but let's not misrepresent what is being discussed. I’m saying that responding to chains of evidence by claiming that is what someone setting up a patsy would do, is an unfalsifiable conspiracy theory.
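The two comments above (the one noting that his bare home IP was logged for a short stretch, and this one describing the VPN-to-home-IP chain of evidence) describe exactly the kind of correlation a defender can run over access logs: a privileged credential that is active from a commercial VPN exit address and then, within minutes, from an unrelated residential address. The script below is an added illustration of that check, written for this thread and not taken from Ubiquiti, the DOJ filing or any commenter. The log lines, the credential name `svc-cloud-admin`, the VPN exit range and the IP addresses are all constructed (RFC 5737 documentation ranges), and the assumed log format is one field per column: timestamp, credential, source IP, action.

```python
"""Flag a credential that drops from a VPN exit IP to a bare IP within a short window.

Added example for the discussion above; all data below is constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed placeholder for a commercial VPN provider's exit range.
# In practice this list comes from a threat-intel feed or from the VPN
# provider's published exit addresses.
VPN_EXIT_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed access log: ISO timestamp, credential, source IP, action.
SAMPLE_LOG = """\
2020-12-10T02:01:10Z svc-cloud-admin 203.0.113.45 aws:ListBuckets
2020-12-10T02:03:55Z svc-cloud-admin 203.0.113.45 github:CloneRepo infra-config
2020-12-10T02:09:12Z svc-cloud-admin 203.0.113.45 aws:GetObject customer-export.tar
2020-12-10T02:11:40Z svc-cloud-admin 198.51.100.77 aws:GetObject customer-export.tar
2020-12-10T02:13:02Z svc-cloud-admin 203.0.113.45 aws:GetObject customer-export.tar
2020-12-10T09:30:00Z alice 192.0.2.10 github:Push app
2020-12-10T17:45:00Z alice 192.0.2.10 github:Push app
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, cred, ip, action = line.split(" ", 3)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "cred": cred,
            "ip": ipaddress.ip_address(ip),
            "action": action,
        })
    return events


def is_vpn_exit(ip, networks=VPN_EXIT_NETWORKS):
    """True if the source address falls inside a known VPN exit range."""
    return any(ip in net for net in networks)


def find_vpn_dropouts(events, window=timedelta(minutes=15)):
    """Return one finding per non-VPN event whose credential was also active
    from a VPN exit IP within `window` (the pattern of a VPN session dropping
    and traffic briefly leaving from the real network)."""
    by_cred = defaultdict(list)
    for e in events:
        by_cred[e["cred"]].append(e)

    findings = []
    for cred, evs in by_cred.items():
        evs.sort(key=lambda e: e["ts"])
        vpn_events = [e for e in evs if is_vpn_exit(e["ip"])]
        for e in evs:
            if is_vpn_exit(e["ip"]) or not vpn_events:
                continue
            # Nearest VPN-exit event for the same credential, if inside the window.
            nearest = min(vpn_events, key=lambda v: abs(v["ts"] - e["ts"]))
            gap = abs(nearest["ts"] - e["ts"])
            if gap <= window:
                findings.append({
                    "cred": cred,
                    "bare_ip": str(e["ip"]),
                    "vpn_ip": str(nearest["ip"]),
                    "gap_seconds": int(gap.total_seconds()),
                    "action": e["action"],
                })
    return findings


if __name__ == "__main__":
    for f in find_vpn_dropouts(parse_log(SAMPLE_LOG)):
        print(f"{f['cred']}: {f['vpn_ip']} -> {f['bare_ip']} "
              f"({f['gap_seconds']}s apart) during {f['action']}")
```

Run against the sample, it reports a single finding: `svc-cloud-admin` fetching the same object from `198.51.100.77` 82 seconds away from activity out of the VPN exit `203.0.113.45`, while `alice`, who never used a VPN exit, produces nothing. The bare address on its own is a weak signal; the value is in the join with the VPN-side events and, as the comment above notes, with whatever ties the VPN account to a person.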

Or the perpetrator could have been one person, no need for it to be a conspiracy. I'm not saying it's probable, and the evidence sounds convincing. But I'm sure there are lots of unfalsifiable things that have actually happened, and frame jobs have happened. Not leaning on the luxury of throwing out uncertainties (or even just offhand devil's advocate like my original comment) doesn't make someone a nutjob. My point was that it coming from his home IP isn't the strongest of evidence. I only mentioned being a "patsy" because there's pretty much no other explanation (besides him lying) for his PayPal buying the VPN and the IP from his home address. If someone got into his home network and he works from home, it's not outside the realm of possibility, or even particularly farfetched, that someone got work and PayPal credentials and acted maliciously towards the company within his network. So please tone it down with the "conspiracy theory" rhetoric.

Yes your point is valid. It doesn’t seem that they did find any unusual shorting activity though as is or used to be how they went about it in the old days.

While I agree that the mistake Mr. Sharp made -- it sounds like he had a network disconnection which briefly caused him to perform actions via his home IP address, rather than his VPN address -- we also don't know everything here. It doesn't sound like the guy was all that sophisticated. Using a VPN provider, in the first place, can make you a whole lot easier to be caught depending on the circumstances/provider trustworthiness/jurisdictions. I recall that there were providers which accepted cryptocurrency, but chances are good if he couldn't figure out how to block all traffic when the VPN was down, he'd have made several mistakes trying to keep the Bitcoin/Ethereum from being traced back to him.

For a crime like this -- as serious as this was, with the damages involved, the company and its internal resources/practices -- he probably had no prayer of getting away with it and in a Dunning-Kruger-like manner, he not only didn't know what he didn't know, I don't think there's any way he could have known enough about his adversary's capabilities to get away with it long term.

If a criminal wishes to be successful in getting away with a serious crime without getting caught over their lifetime, that criminal must successfully thwart detection from all current and future technologies. I mention serious because those crimes often do not have a statute of limitations these days. I'm assuming a perfect law enforcement body that similarly makes no mistakes, so a "luck factor" weighs in, but given a (not too) high-profile crime with motivation, budget, competent investigators and expanding technology, I'll bet law enforcement is going to rank higher in the luck category.

It's not enough to look at what they're capable of currently. Consider this scenario: A murderer with Type O+ blood (with other common properties) strangles a man with a wire in 1980 leaving behind only that wire as evidence. In the struggle, the wire also cut the murderer's hand and deposited a tiny drop of their blood on it. Being that it was a small item stored for an open case and was well preserved, it's still there, today. Luck. Back in 1980, it was of little evidentiary value. Today, that drop has a good chance of producing a DNA profile. Has the murderer been arrested (not convicted) of a felony in the last few decades? They'll probably be caught. Did a family member use certain (do they all do this?) consumer DNA services? Their family might be found, which will narrow the suspect down to a pool of people. Forget drawing suspicions by getting warrants, because it takes so little biological material and you deposit it everywhere you go, the police just wait for garbage day or follow you around town, grab something that came into contact with your mouth and they've got a profile (which will be used to get an easy warrant for a blood sample to confirm it).

Budding criminals, are you storing all of your secret plans on your drive in a bullet-proof encrypted manner and ensuring that it is airgapped? Are you doing all of your secret research on a similarly configured device, but configured to ensure all networking only works via Tor? Are you sure you didn't make a mistake that couldn't rise to the standards required to get a warrant to image your drive/take your equipment (that's hopefully turned off)? That bullet-proof encryption is rotting, and 30 years from now could represent a small hurdle above plain text.

And what happens when the time required to investigate crimes is reduced further? "We'll get around to bike theft when we're done solving all of the murders." But what if solving a small percentage of the bike thefts went from "complaint" to "likely suspect" almost instantly if certain circumstances were right. For instance, imagine law enforcement could automate geo-fence style warrant requests (requests to get "people in a location at a certain time" from Google/Apple/mobile phone provider histories[0]) for every bike theft where the bike was stolen from an infrequently traveled area and where the time of the theft is known to within an hour. For any where there was exactly one person logged, you have a person of interest -- probably the thief. Not enough evidence to prove a crime, but enough to scare some of the petty thieves into giving up more evidence through questioning (or maybe just give up). It's a stretch, on purpose -- but as technology makes solving crimes less costly, less serious crimes will be prosecuted more frequently/reliably.

Full disclosure: My only credentials in this area are working in Corporate Security at a multi-national (large) telecom company for a brief stint and in a security/development capacity for most of my career; except for that brief stint, all of my work has been on the defensive/strategic side, not on the investigative side, and never with violent crimes of any kind. I simply enjoy security topics, in general, but if I've shown my ignorance in a few areas, my apologies and feel free to correct.

[0] Assuming this data is kept long enough; I am going to hazard a guess that it is a lot longer than most people think.

Damn. I remember reading about the original "hack" here and getting very concerned about the level of access ascertained by the attacker. I'm almost relieved it was a foolishly clumsy inside job and some of the initial hypotheses about rogue nation state root access to UI devices did not materialize. Brazen, indeed, for him to also have been on the team tasked with cleaning it up.

He could've prevented all of this by a) making sure his traffic was blackholed when the VPN went down and b) adding another layer from a free service (like TOR or a proxy or another VPN). He also should've been actively using the VPN so his traffic patterns wouldn't stand out as much, and so his purchase would be justifiable. If he really did buy the VPN 6 months ahead then he was a fool to leave the subscription dormant. If he wanted a fire and forget VPN subscription, he also could've bought the subscription with stolen credit cards. He would've had to make sure to only connect to the VPN through something like TOR, but credit card fraud is pretty difficult to trace if you do it right.

Had he put in a little more thought and preparation then I still don't know if he would've gotten away with it, but at least he'd be in a better position. He wouldn't have to lie to the FBI agents and they probably would've had to catch him by going after the source of the place where the data was leaked instead.

Opsec is hard, but this is just embarrassing for someone in the know trying to steal 50 bitcoin. I'm also not sure why he did it. Suddenly owning a few million in crypto would be noticed, unless he didn't spend any of it, ever. What was his plan, just quit his job and move away right after the hack?

> he also could've bought the subscription with stolen credit cards

Now they're looking at you from two angles.

Instead of all this jumping through hoops with anonymous VPN and payment methods, why not just do it from Starbucks?

Because the youtube videos I watch / podcasts I listen to say I NEED a VPN to keep my IP safe from being spied on.

But also starbucks / any shop / cafe / restaurant / apple store - or going for a drive and finding an open WiFi. Kinda wondering now how these places all handle their wifi being abused for crimes ...

I really dislike these kinds of comments in these kinds of posts. This is just bragging.

I would like the bad people to be caught and you are just giving away free advice to any future thief like him and also kind of encouraging other people which is kind of worrisome.

Privacy is a double-edged sword and this is a case where I'm happy that he was caught because of his lack of knowledge.

I don't think I'm saying anything the criminals don't already know. This guy was the head of cloud operations, he knew what a VPN is, how TOR works and how crypto works.

If you're a criminal reading my comments and learning anything new from them, let me tell you this: if you needed this info, you're not smart enough to evade the FBI. Go find a real job or something.

I'm glad the ass got caught and I hope he'll get what he deserves. However, I believe that the common modus operandi for criminals shouldn't be a secret because it will get out anyway. The "solutions" I propose are obvious and basically handed to criminals by the FBI analysis.

Good opsec for crime is incredibly hard, which is great in cases like these. I don't think I've heard of some super smart hacker that's managed to stay away from the authorities unless they live outside the relevant jurisdiction. Even then the FBI will find ways to get you into a country where they can arrest you, legally or otherwise.

A lot of "crime" in some countries, like China or Russia, is just doing the right thing in my opinion. You might very well need this kind of opsec if your goal is to help teenagers learn about homosexuality in many of the more bigoted countries, for example, or get the truth out about COVID without suddenly finding yourself falling out of a window.

I don't think the "true crime" style comments help criminals in any way. Documentaries about how murderers got caught aren't very good manuals and the advice of random people who've been in contact with the police isn't either. If they're dumb enough to follow the advice of some random guy here on orange reddit, their criminal career won't last very long.

But such information can also serve as advice for potential victims. For example, many people don't think about the fact that if their credit card info gets stolen, it not only may lead to losing money (which may be not much if a card has access to little funds), but may also allow someone to use it in a criminal context. Demonstrating a scenario where it can be used in a serious crime can increase awareness.

Victims don't care about that because it doesn't affect them. Losing money on the other hand does.

This information can all be easily found or derived, Mr. Sharp wasn't lacking resources to learn opsec if he cared.

He was probably just overconfident in his knowledge; you kind of have to be somewhat nuts to try to pull this off so it's not too surprising.

Good people also need to hide their presence on the internet especially political dissidents in hostile countries. Knowledge is just knowledge.

Why a stolen credit card? Just buy gift visa card with cash.

they take your ID. you could get someone else to buy it for you, but they'll be easy to flip when looking at time.

For what it's worth, most online sites will not accept gift visa/mastercard cards any more. It would be nice if there was a site that listed all the sites that do still accept them.

It might be better to just get an account from an account reseller for a few pennies.

When you ask for Bitcoin in the ransom note but paid your VPN with Paypal.

I do think that the media that breathlessly amplified this person's attack should learn from it. In particular, as much as I like and appreciate his reporting, Brian Krebs was the key person amplifying this message - which makes him an unwitting accomplice to many billions of dollars of damage to ubiquiti shareholders.

Responsible disclosure exists for a reason.

Brian Krebs isn't a good reporter or a good person. He has a history of doxxing people without basis (or for the basis of leaving bad reviews on his books).

It disappoints me that he has the audience he does.

This provides an excellent case study as well, as his original post on this doesn't seem to produce any corroboration at all, so the "reporting" boils down to: "I got an e-mail from someone making a bunch of claims, so I'll regurgitate those." Including an update/follow-up that was added later, by the same person.

At best, it's shoddy journalism. He was taken for a ride and should bear some public shame for that.

I doubt he'll get sued for it but a lot of people lost money because of him, so I wouldn't be surprised if someone tried.

He's a reporter. "Doxxing" isn't a thing in journalism, even though it upsets people on message boards to hear it.

doxxing is doxxing. Don't care if the media think they are special.

You're just wrong. The rest of the world does not play by Reddit rules. In a very real sense, "doxxing" is literally the core job of journalism.
What's really unproven here is the idea that Ubiquiti lost billion of dollars in stock value over these messages. Seems pretty unlikely.

The stock definitely was at a peak, and fell dramatically on the release of that news and stayed low. That part is absolutely correct. Now you can argue that it wasn't a permanent loss, but the damage was done by the hacker and the journalist.

It has also stayed relatively in that range afterwards - but you can definitely argue that this is due to the supply chain problems that the entire world is dealing with - but it's a pretty straight line to say that billions in shareholder value were wiped out.

Correlation isn't causation, especially with stock prices.

Oh I don't know. news coming out / leaking about a massive data breach, and the stock dropping off its high _the very same freaking day_ seems like causation, not correlation.

But whatever.

Stocks drop for all sorts of reasons, and stuff like breach notifications are routinely swamped by other (often macro) causes. But nerds love to believe that security stories have powerful impacts on stocks, despite the fact that the most successful companies routinely experience them.

Perhaps Ubiquiti could use those savings to operate a support department.

Which savings? They lost $4B in market cap.

Market cap is monopoly money, it doesn't mean anything.

Alas not true. The higher your market cap, the more money you can raise by printing more stocks.

By the time you're publicly traded you're not looking to raise money via equity as you have excellent access to loans by that point. You're not talking about a startup that can't get a loan.

These loans are often convertible bonds so the stock performance does impact the company's access to low interest rates.

Theoretically it would go down if you did that. In practice it seems to go up if people like you.

>Theoretically it would go down if you did that.

Why? If a company prints a single stock then sells it for $100, I would expect the company's market cap to go up by $100 since it now has $100 more dollars in its bank account.

Because the company printing a single stock is already a signal it is worth a little bit less. If you have N stock for capital valuation $V, each stock is worth $V/N. If you emit one more, you basically need either to argue your company total valuation should rise or you diluted all stock to be worth now $V/(N+1).

The company valuation is not stock price * stock count, which is your confusion, it's more tangible assets + speculative future assets, so the more stock you emit the less each one is worth. Companies become popular by doing stock buybacks (increasing each remaining stock's individual value).

Market cap, which is the stuff they do for amateurs and children, to multiply stock count by stock price, is entirely meaningless because it ignores value when stocks were actually transacted and liquidity. If you emit a million stock at 0.1c and then create a marketing fad while locking the supply in the hands of a few and refuse to sell, you create a huge gap between low supply and high demand, increasing the individual price manyfold, arriving at a huge market cap... but you paid nothing for most stocks and a few people paid a LOT for a little. In investment banking we use volume weighted average price to try to get a view of what the short term intraday value of a stock is instead.

Imagine, I don't know, a crypto asset with a market cap of a trillion and a single individual owning 1/21 of the entire asset pool; if this single individual signals just one token sale, the entire market starts selling to people who don't want to buy anymore: what is then the value of considering the market cap? It can go to 0 tomorrow just if demand disappears. Basically you need to include liquidity, a metric of the stability of the supply and demand; that's why I prefer to look at earnings per share to evaluate a company, it is way more significant of what you just bought. For a crypto asset it's 0 for instance.

Right. Share buybacks and sales are both value neutral at the moment they're done, but selling implies they think it's overvalued.

> Because the company printing a single stock is already a signal it is worth a little bit less.

Good point. But I was responding to someone who said "theoretically", which I took to mean ignoring psychology things like this and just looking at numbers. Of course "theoretically" can have many different meanings, and I might have been misunderstanding how that commenter was using it.

> it's more tangible asset + speculative future assets

When you sell a stock for $100 the tangible assets went up by $100. So the second equation is actually ($V+$100)/(N+1).

> Imagine, I don't know, a crypto asset

Bitcoin is a bit different because people believe Satoshi's coins are literally gone, lost. I don't think that happens with stocks.

Wow, quite brazen. What an interesting read.

A couple of things that stood out to me were that the incident occurs in December and the raid ensues March 24th, so roughly 3 months. Building the case I presume.

Then after the raid, the accused doubles down and seeds fake news stories.

I'm a big fan of a show called "Forensic Files", which is like a real-life CSI where each episode is a documentary and only takes 20 minutes (I highly recommend).

In addition to the usual passion killings and random murders, there is the occasional criminal that thinks they are way smarter than everyone else and doubles or triples down even as the noose is tightening, because they 100% believe they are geniuses and will get away with it.

Example: https://www.youtube.com/watch?v=mVVL_U4BTGs

In this episode a member of Mensa, who enjoyed staging murder mystery dinner parties for his Mensa friends, poisoned his neighbor over loud music and barking dogs, and thought he was such a criminal mastermind that he could talk his way out of it. These people have mental disorders.

George Trepal was certainly one of the better episodes! Amazing that one detective had to go undercover for almost two years before he slipped up. Then they found traces of the rare poison in his home. You’d think he would have trashed it and cleaned like crazy but I bet he thought he would get away with it and may want to do it again.

Great show

They were also fortunate to have that level of expertise, both medically and law enforcement which the US offered.

But I guess in retrospect using an exotic method of killing someone is bound to draw heavy attention.

Thanks for the recommendation! Now that you mention it, I’ve seen similar behavior on Dateline. Wonder if there are other terms for essentially “digging the hole deeper.”

It sounds like he got caught because his VPN dropped during some sort of outage. It's funny because I feel like "don't do crime from your home network" should be an incredibly obvious concept.

He also used keys as the "attacker" that were known to be his as a regular employee. That seems like a n00b move.

So he literally signed the attack with his PGP key.

I can't imagine just using some random VPN is really going to help much anyway. When the cops come knocking they're just going to give you up right?

Surfshark VPN advertises "strict no-logs policy", "independently audited" and "obfuscated, RAM-only servers". Of course, advertising is just advertising, reality may be different.

Paypal, and apparently this guy's email server, don't have a no-receipts policy though.

Some services drop your payment information after something like 45 days, -supposedly-. Who knows if they actually do.

Yeah, so many say that, but I do find it very hard to believe.

If nothing else, wouldn't they want to keep some information about customers that in the past have abused the service? You need some way to ban assholes, right? How would you do that if you have no idea who anyone is?

A quick search revealed a LinkedIn profile[0] of a previous Ubiquiti employee; he seems to have left the company in March 2021. I wonder which came first, him quitting his job at Ubiquiti or the FBI raid.

[0] https://www.linkedin.com/in/nickolassharp

Somewhat amusing that he has a new dev job since the incident.

Even more amusing is reading some of the job descriptions ...

Could be fake. The employer is marked “Confidential.”

FYI It wasn’t confidential when I posted my comment, so something changed in the last 24 hrs after the news became public.

764 people have viewed your profile in the last 24 hours - also give us your CC details and we will show you who, sign up today ~ LinkedIn

Ubiquiti's stock price (NYSE: UI) dropped by over 25% from $380 to $290 during the week following news of its breach.

That's almost $5 billion wiped off the company's market capitalisation because of this employee.

Probably could have been a lot less and/or recovered by now had Ubiquiti not also gone to great lengths to cover it up and actively avoid taking appropriate mitigation action. https://krebsonsecurity.com/2021/03/whistleblower-ubiquiti-b...

I mean Nick Sharp certainly took a chunk out of them but there is more to the story for why the market lost that much faith.

Wait, is Brian's source for that article Nick Sharp himself? If so, then I don't know what to take away from that article.

Try re-reading it, but replacing every instance of "Adam", with "Nick" and see how it comes across.

I'd love to see Krebs follow up on this.

But the Krebs article was based off statements by an anonymous whistleblower "Adam" - Nick Sharp himself, to further extort the company. Hard to know what is actually true in that article at this point.

You do realize that Brian Krebs' source was Nick Sharp? At least according to the affidavit. And that he did this _after_ being investigated by the FBI?

Krebs got played here.

LOL, this is literally covered in the article! Sharp was the source for this story! He was lying to try and cover his tracks! Krebs should probably take this story down.

I’m shocked it hasn’t bounced back yet!

Sometimes these events (not security specifically) simply mask a market correction or trigger it. I have been in infosec a long time now and historically security incidents have rarely moved a stock price. Maybe temporarily, but it tends to bounce back after a year. Look at the massive Home Depot breaches from a while back for example. Perhaps consumers are less forgiving if it happens to a tech company.

Supply chain issues may be the bigger issue now.

"SHARP subsequently re-victimized his employer by causing the publication of misleading news articles about the company's handling of the breach that he perpetrated, which were followed by a significant drop in the company's share price associated with the loss of billions of dollars in its market capitalization."

As a customer, the one thing I really want to know is whether or not the company is dealing with this in a manner that helps me decide if I should continue being a customer.

Do they understand that they may need to fire the CEO given that the CEO probably is the weakest link here? Do they have sufficient liquidity and capital to invest in resetting the culture and hiring people who can turn this around?

Are you aware that the CEO owns about 90% of all Ubiquiti shares?

I am now.

Who else offers decent WiFi infrastructure for homes? (And offices)

The things that really jumped at me looking at his LinkedIn profile were 1) job hopper and 2) lots of overlapping - perhaps it was all part time gigs but some of the overlap surprised me. I was shocked at the number of sub-year positions.

Same thing - and yet still in demand from some decent names in there.

I thought it was meant to be hard out there in tech valley?

This is why I think it is important to self host things and I applaud Ubiquiti for allowing UNMS/UISP to be self hosted for free. As far as I understand it our UNMS was never at risk from this problem.

Yea quite the playbook there... ransom the company pretending to be a hacker, then pretend to be a whistleblower saying the company is burying the fact that the company is being ransomed..

So that "hack" from a few months ago really wasn't a hack at all, it was an inside job?

So what's a good alternative to Ubiquiti hardware? Are there any guides/communities for standard x86_64/arm64 computers and PCIe cards to be used as professional-grade routers and wifi access points at a low price range? Turris Omnia looks pretty cool but it's really too expensive for non-profits.

Is OpenWRT or OPNSense the way to go? Or is there some more generic web dashboard you can run on any GNU/Linux or BSD system?

How about mikrotik, https://mikrotik.com/

I am a satisfied user of their software (and hardware) for the past 10 years.

If you don't mind the rather rustic interface, it should be as close to a professional-grade Cisco as you can get.

I've successfully used MikroTik hardware, but they are pushing for their own non-free software stack (RouterOS) and while they support pfSense, it seems pfSense itself has some shady practices. OPNSense only works on x86 so far and MikroTik hardware is mostly ARM.

I'd personally be interested in a hardware vendor supporting a free-software stack (but with an accessible price range), or an established software vendor (ideally a workers coop) maintaining an administration dashboard to setup on commodity hardware.

Certainly better than Juniper SRXs and Cisco Firepowers, however if you have a lot of mangle rules you'll run into issues. Had large amounts of drops and even more reorders with just 600M going through a 1036 with c.200 mangle rules.

Haven't run into any issues with Fortigates, yet. Time will tell.

That's for firewall/NAT/router style devices; for wireless we've got a large number of UniFi flying saucers. I've used MikroTik wireless in the past, but it's not on the same level at all.

> Fortigates

Are these running a free-software stack? Couldn't find info about it since fortinet website blocks Tor traffic.

No, if you're looking for strict FOSS ideology, they're probably not what you want ;-) It's all enterprise grade: proprietary hardware (they have some ASIC for security processing, probably helped with GP's issues) and you only get software updates as long as you're on a support contract.

OTOH I know a lot of people who are pretty happy with them, but that might relate to the fact that I recently started at a company selling them (among other brands). What impressed me most was the well executed "single pane of glass" integration of the first deployment I saw; all switches could be easily managed from the FortiGate web interface. Compared to that the Unifi Manager feels like a chaotic hack job from the 90s.

(To be fair, at home I still use Unifi APs and the switches are based on bang-for-buck: The 8P GBe 2P SFP+ Mikrotik in the study and the 24P GBe PoE 4P SFP+ Aruba as a "core" in the basement [that is, once it arrives, for now an ancient Netgear switch has core switching duty], Firewall is a loaned FortiGate, which I will probably replace with an OPNSense when I have to return it -- I'd go all FortiNet if the basement switch alone wouldn't cost about as much as my PC, though).

None of these.

It may surprise some, but there is no prosumer/enterprise vendor that provides what Ubiquiti does in terms of a solid experience, with bugs (as all software has), across routers, switches and network, with a single pane of glass.

Don't use Ubiquiti if you want OPNsense capabilities. For almost everything else, it's a great bet.

The new UDR that is about to come out is a very worthy successor to the Apple Airport... but has more power than any other consumer hardware. That's a hard combo to get to.

So you're recommending OPNSense?

Brian Krebs’ article interviewing the whistleblower took this to DEFCON 1 for Ubiquiti. It’s really crazy how Mr. Sharp was able to trick all of his victims.

Brian Krebs' role in this is, at best, unwitting accomplice. Not victim.

> At one point during the exfiltration of Company-1 data, SHARP’s home IP address became unmasked following a temporary internet outage at SHARP’s home.

This seems to explain how this comes down after less than a year since the incident. Surfshark now supports an outage related kill switch, not sure if that's a new feature.

Seems like he probably would have been caught either way, but it would have cost more and taken longer if he hadn't dropped his VPN. Being one person in a closed room of people knowing about the ransom, and using PayPal over crypto to pay for a VPN seems like it would leave a trail. Eventually would've narrowed it down, hopefully.

Edit: oh, and using his own keys that were tied to him as an employee while he was being the attacker.

> At one point during the exfiltration of Company-1 data, SHARP’s home IP address became unmasked following a temporary internet outage at SHARP’s home

It’s interesting that that was what brought him down. I was going to guess a rogue log from the VPN provider until I got to that point.

Tangential: there's a James Margolin listed as one of the contacts, and he looks vaguely like he could be a parent or uncle of one Grant Margolin, and they're both roughly local to NYC-ish based on James' LinkedIn. I wonder if there's any relation.

Grant Margolin being one of the co-conspirators behind Fyre fest, along with Billy McFarland. I had the dubious privilege of interacting with the two in DC alongside Ja Rule as part of a Magnises event.

Did Ubiquiti have any statement on this? I haven't noticed it in any of the news articles nor on their site.

> SHARP used a virtual private network service that he subscribed to from a company named Surfshark to mask his Internet Protocol (“IP”) address when he accessed Company-1’s AWS and GitHub infrastructure without authorization.

How did they know it was SurfShark?

FYI, the policy to delete logs just deletes them from your AWS account, but they are still accessible/recoverable from the AWS side if needed. So this guy, who worked as cloud lead at Ubiquiti, was stupid enough to think it would hide his traces by deleting logs :DD It might have worked if he had deleted them on a bare-metal server itself, but in AWS it just deletes from the account/S3 and can be recovered by AWS support. So this is how they got all the logs and found that it was him that logged in with his own AWS user, and an IP address from Surfshark.
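The two tells the thread keeps coming back to, a user tampering with the audit trail and a user's source IP flipping mid-session when the VPN dropped, are both visible in CloudTrail records. This is an added detection example, not anything from the affidavit or from Ubiquiti's tooling; the records, the `cloud-lead` user and the IP addresses are constructed, while the event names (`StopLogging`, `DeleteTrail`, `PutBucketLifecycle`, ...) are real CloudTrail/S3 management API names.

```python
import json

# Constructed CloudTrail-style records for this example (not real data).
# Field names follow the CloudTrail record format; values are made up.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2020-12-10T02:14:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"userName": "cloud-lead"},
     "sourceIPAddress": "203.0.113.45"},
    {"eventTime": "2020-12-10T02:31:40Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"userName": "cloud-lead"},
     "sourceIPAddress": "203.0.113.45"},
    {"eventTime": "2020-12-10T02:32:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketLifecycle", "userIdentity": {"userName": "cloud-lead"},
     "sourceIPAddress": "203.0.113.45"},
    {"eventTime": "2020-12-10T03:05:59Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"userName": "cloud-lead"},
     "sourceIPAddress": "198.51.100.7"},
]})

# Management calls that stop, shorten or erase the audit trail itself.
TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail",
                 "PutEventSelectors", "PutBucketLifecycle", "DeleteBucket"}


def flag_log_tampering(trail_json):
    """Return (eventTime, eventName, user, ip) for every record that touches
    the logging pipeline rather than the data it is meant to protect."""
    hits = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventName") in TAMPER_EVENTS:
            user = rec.get("userIdentity", {}).get("userName", "<unknown>")
            hits.append((rec["eventTime"], rec["eventName"], user,
                         rec.get("sourceIPAddress")))
    return hits


def ip_changes(trail_json):
    """Return each user's sequence of distinct source IPs in time order.
    A user whose IP flips mid-session is the VPN-drop pattern the
    affidavit describes; one entry per user means no change was seen."""
    seen = {}
    records = sorted(json.loads(trail_json)["Records"],
                     key=lambda r: r["eventTime"])  # ISO-8601 sorts lexically
    for rec in records:
        user = rec.get("userIdentity", {}).get("userName", "<unknown>")
        ips = seen.setdefault(user, [])
        if not ips or ips[-1] != rec.get("sourceIPAddress"):
            ips.append(rec.get("sourceIPAddress"))
    return seen


if __name__ == "__main__":
    for hit in flag_log_tampering(SAMPLE_TRAIL):
        print("log tampering:", hit)
    for user, ips in ip_changes(SAMPLE_TRAIL).items():
        if len(ips) > 1:
            print("source IP changed for", user, "->", ips)
```

In a real deployment the same checks run against the CloudTrail objects delivered to a bucket the logged-in principals cannot modify, which is what makes the deletion the comment describes ineffective.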

Presumably with an IP log by a router/IDS/ENS at the corporate or ISP level.

Which discount code did he use?

Use CYBERWEEK19 for 85% off your first year's subscription.

Not the sharpest knife in the drawer.

What an idiot
