Is It Time to Go Running from Ubiquiti Products?
Recently Brian Krebs called out Ubiquiti for not being completely open and honest about the extent of the data breach that they suffered late last year (2020) and reported in January (2021). In my experience, when I need to work with another person, their integrity weighs heavily on how much of whatever project or effort we are undertaking I entrust to them to ensure success.
With businesses and products, there is a question of trust in whether an organization will do the right thing should something bad happen that might affect their bottom line. Fear can make very sane people do very unexplainable things. This situation looks like a demonstration of what those types of unexplainable things might be.
The Ubiquiti organization was overly cautious about sharing the extent of their breach, especially when they are called out as lacking in some of their security procedures and as not logging access records for all of their different data systems. Yes, it is very promising that they have reported the incident, consulted with some of the best teams to identify the "five w's" (who, what, where, when, and why), and are working closely with law enforcement.
The most disappointing part of reading all of the reports is that they tried to play off having made a simple mistake. The additional reports from Krebs on Security identify that the error was a simple Amazon S3 bucket being improperly configured. Amazon, although not part of Ubiquiti, sets up their Amazon Web Services (AWS) systems in such a way that the user is the one responsible for determining how they want to secure their data.
As is obvious from a previous post that I provided here, I am a big fan of Ubiquiti products and even have them in my house. Moving forward, I don't think this is a reason to abandon this strong, up-and-coming organization.
I will post that my opinion is that they (Ubiquiti) should learn from this, not step away from the simple mistakes, and own up to them. That will help people like me who have already invested in their systems stay invested, as they are a great alternative to high-end Cisco or Juniper networking equipment. They give me faith that smaller businesses can set up highly capable networks, but for me to keep using their products, adding the details of what happened is what will keep the trust I have in them.
Finally, there is no need to oversimplify and tell me to just change my password and not worry about anything because there is "nothing to see here."