Ubiquiti adds phone-home to the access point firmware

(community.ui.com)

593 points | by shantara 11 days ago

50 comments

  • andreareina 11 days ago

    This is the same Ubiquiti that does not abide by the GPL for the modified Linux kernel they use[1][2][3]. Which is really too bad, as I had been ready to recommend their gear to a couple of businesses.

    [1] https://sfconservancy.org/blog/2019/oct/02/cambium-ubiquiti-...

    [2] https://news.ycombinator.com/item?id=9331512

    [3] http://web.archive.org/web/20170317174847/http://libertybsd....

    • fiter 11 days ago

      Not only are they violating the GPL, but they've been doing it for over 4 years? Thanks for the links, this resets my opinion on Ubiquiti.

      • tgsovlerkhgsel 11 days ago

        Doesn't violating the GPL (for v2) or ignoring a notice that they violate the GPL for 30 days (for v3) result in permanent loss of the rights to use the software?

        Wouldn't at this point a copyright holder (e.g. anyone who contributed to the kernel) + a donation campaign for legal costs be able to force them to either fix it within 30 days, or (once the legal process is over) to indefinitely maintain a patched version of the kernel removing that copyright holder's code?

        • DanAtC 11 days ago
          • heavyset_go 10 days ago

            I was considering going all in on Ubiquiti gear for my next move, but this along with their GPL violations changed my mind. Thanks for pointing this out.

          • nominated1 11 days ago

            I was aware of Ubiquiti's past GPL violations and it was the only reason I avoided them. According to Wikipedia they settled a GPL violation in 2017 but I wasn't aware of the recent issue. Looks like their Wikipedia page could use an update.

            https://en.wikipedia.org/wiki/Ubiquiti_Networks

            • AnIdiotOnTheNet 11 days ago

              One can draw from this that the GPL is quite toothless. If even the biggest most important GPL'd software in history can't or won't defend itself, then why should anyone care about the GPL?

              • zamadatix 11 days ago

                Or one can draw that looking at a single violation on a single piece of software is a poor way to come to a conclusion for every violation on every piece of software.

                D-Link comes to mind as a similar situation where GPL prevailed. Perhaps in this case nobody cares enough, either way doesn't mean GPL is useless and nobody should care about it.

                • syshum 10 days ago

                  As with all licenses, if the people that hold them do not enforce them, then all licenses are toothless.

                  The Linux Foundation has been notoriously anti-litigation; their corporate masters do not want any litigation at all, and more or less treat Linux as if it was BSD licensed instead of GPL.

                • dleslie 11 days ago

                  Damn, I like their gear; who's the next best?

                  • piotrkubisa 11 days ago

                    Maybe pfSense/OpenWrt based on the APU2[0] platform? I don't personally know anybody who has used it. If there is someone on HN who would like to share their opinion about it, I'd be grateful.

                    Edit: Also, Turris MOX or Turris Omnia [1] might be an alternative.

                    [0]: https://pcengines.ch/apu2.htm

                    [1]: https://www.turris.cz/en/

                    • oil25 10 days ago

                      I've been using the APU2 platform for a home network router and can strongly recommend it. I especially like the open source firmware (coreboot) with frequent, signed releases. Wireless performance on OpenBSD was lackluster, so I'm back to running Debian for 802.11. Performance is strong even at full WAN bandwidth capacity of 400 Mbps.

                      • bronco21016 11 days ago

                        I’m running an APU2C4 for my router, no wireless. It has pfSense running with OpenVPN and a DNS sinkhole for ads. My wireless is through a UAP AC Pro.

                        The APU works fine but after upgrading to a gigabit connection I’m a bit disappointed. It won’t saturate the connection on a single thread. (Yes, over Ethernet.) Maybe 400 Mbps max. Apparently it has something to do with pfSense not multithreading connections and the single cores of the CPU not being fast enough on their own. I can run 1 Gbps over multiple connections though, so I suppose it mostly fulfills its purpose. I also want a WireGuard server but I might end up just deploying that in a VM. pfSense doesn’t currently have that option.

                        When I learned of these limitations I gave some consideration to the Ubiquiti USG but found it isn’t exactly super beefy either and requires turning features off to get 1 Gbps. I’m debating building something similar to the Ars Technica guide [0].

                        Overall, I’ve been satisfied with my setup and in particular the UAPs. I’ve deployed multiple UAPs and EdgeRouter Xs at friends' and families’ houses and have had essentially 0 support requests. The stuff just works and performs. I just had a party last night and even with 20+ clients, streaming music and YouTube TV for football, I had zero complaints or hiccups. All on a single UAP. I haven’t used any recent consumer gear but I know the consumer gear I used to buy would have definitely been choking on that kind of load.

                        I’m pretty disappointed to see this turn in events with UBNT. I’ve kinda seen it coming for awhile now since they’ve been moving towards these cloud services but I was really hoping they would resist the lures of Surveillance Capitalism.

                        [0] https://arstechnica.com/gadgets/2016/04/the-ars-guide-to-bui...

                    • steve19 11 days ago

                      Mikrotik is pretty nice although the GUI is not as user friendly as Ubiquiti's.

                      • izacus 11 days ago

                        I'm sorry, but asking someone to switch from Ubiquiti to a Mikrotik is like asking someone to go from macOS to 1990's Linux.

                        The user interface is beyond atrocious and even basic features you'd need in a smaller/home setup need digging through wikis to get to the arcane settings you need to click. Basic things like NAT loopback or basic VPN setup. OpenVPN is still neutered and broken.

                        What's even worse: the defaults are all wrong. There's no simple "enable firewall" switch for basic use-cases like other equipment has. Instead you need to manually configure firewall rules in chains like working with raw iptables, and if you make a small misstep, you'll drill a hole in your network easily. Or make your internet horribly slow, because you need to be careful about fasttrack rules and the lack of NAT acceleration.

                        It's really about the most disappointing piece of hardware I bought in the last few years and doesn't come close to the niceness of Ubiquiti's management. Sadly it's also the only company that makes a compact router with SFP and PoE+ to power Ubiquitis.

                        • stingraycharles 11 days ago

                          While I'm a big Mikrotik advocate, I completely agree with you: Mikrotik is not even in the same league as Ubiquiti when it comes to UX. Mikrotik is for professionals who desire control and know what they're doing; Ubiquiti is for a non-technical prosumer audience.

                          • timc3 11 days ago

                            One could argue that Mikrotik provides a UX that it’s target market is looking for.

                            • izacus 11 days ago

                              Yes, but that also means they're not a replacement for Ubiquiti then and shouldn't be peddled as such.

                              • vetinari 11 days ago

                                Ubiquiti has several product ranges; the EdgeMax line is the advanced one, Unifi is the simple one.

                                Yes, you can set up simple things with Unifi in a simple way, but the more advanced ones are a tragedy: you must also google around, dig through wikis and forums for arcane incantations of the right JSON keys so you can deploy your config in JSON; there are not even any arcane settings to click.

                                • mchristen 11 days ago

                                  I don't think the EdgeMax is the 'advanced' line by any stretch. They both run a fork of Vyatta and share a CLI. The Unifi stuff has more features accessible via the GUI and receives far more attention from Ubiquiti.

                                  However, the biggest and most major difference between the two lines of products is the requirement of the Controller to run the Unifi line of devices. For that simple fact I would pin the Unifi line as more 'advanced'.

                                  • vetinari 10 days ago

                                    The controller and the SDN concept is exactly the difference.

                                    They might share a CLI, but that does not mean that your changes persist on the USG. You can rely only on whatever you configured in the GUI and half-rely on gateway.config.json; for example, they both have dnsmasq and I'm still figuring out how to configure it so that the changes persist. It would otherwise be trivial on EdgeMax or another pure dnsmasq-using system, like OpenWrt.

                          • hackmiester 11 days ago

                            RouterOS is basically designed for network engineers. From our perspective, NAT loopback is extremely complex and has many implications, which RouterOS doesn't hide from you. And we typically don't run a VPN concentrator on the same device as a router. I think it's just a matter of different practices in different industries.

                            ETA:

                            > What's even worse - the defaults are all wrong.

                            There is a new-ish thing in the web UI called "QuickSet" for these use cases.

                            • stiray 11 days ago

                              I agree. Mikrotik has great devices but they are great if you can cope with them. Imagine getting a Cisco Catalyst and then complaining it is not as good as Ubiquiti due to the sheer number of options. It just doesn't work that way: there is equipment for the masses which is "good enough" and the other side where you can tackle everything in transmission but you need to know what you are doing.

                              Anyway, I wouldn't recommend Ubiquiti as a replacement for Mikrotik. It is just too complex for most home users and even technical users (on the other side I wouldn't use Ubiquiti even if it was a giveaway).

                              • yardie 11 days ago

                                Honest question. What is the market for Mikrotik? I’ve only seen them in use at home by enthusiasts and a few SMBs trying to maximize bang for buck. Their offerings just don’t seem very enterprisy.

                                • godzillabrennus 11 days ago

                                  Having had the displeasure of managing a network for a company that installed about 40 mikrotik switches behind a mikrotik firewall, I can safely say they belong in a small business with max 1 or 2 at a time.

                                  Managing more than that is crazy with the current software. Not to mention these are some of the cheapest and lowest build quality switches you will find with these insanely powerful features.

                                  Unifi switches are a materially better build quality.

                                  If you want great carrier grade look at Arista. You can even score a 10Gbit 48 port Arista switch off eBay used for about $700 last I checked.

                                  • bluedino 11 days ago

                                    Quite popular in the WISP market

                                    • dboreham 11 days ago

                                      Lower tier ISPs.

                                  • izacus 11 days ago

                                    Yes, I fully understand that it was built for company admins to have fun and cover their use-cases.

                                    But unfortunately I constantly see those admins recommend them for prosumer, unmanaged small business and home use-cases. In those cases they're horrible to manage and lack features users expect.

                                    • stiray 11 days ago

                                      What features? I have heard a lot of complaining over mikrotik, but lack of features was typically not one of them.

                                      • milankragujevic 11 days ago

                                        An easy to use, user friendly WebUI is a feature. The only part of that MikroTik has is WebFig, which is neither easy to use nor user friendly.

                                        • mopsi 11 days ago

                                          Everyone uses either CLI or WinBox GUI app, which is excellent. https://wiki.mikrotik.com/wiki/Manual:Winbox#Work_Area_and_c...

                                          • milankragujevic 11 days ago

                                            Which is covered by

                                            >horrible to manage and lack features users expect

                                            Users expect WebUIs, and WebFig is horrible to manage.

                                            • mopsi 11 days ago

                                              Users expected faster horses, got cars. WinBox is so much better than any web UI I've ever seen, didn't know I wanted it before I had it.

                                              • milankragujevic 11 days ago

                                                1. WinBox only works on Windows. 2. Android version of WinBox is buggy and also only works on Android 3. It may be better if you have expertise in network administration and know RouterOS inside and out. Most people who buy Ubiquiti gear do not, but their needs aren't met by regular consumer routers which do not allow any kind of "prosumer" settings.

                                                MikroTik may well be better for you (I used it for 5km PTP links, but that's because it's cheap, if I had the budget I would've gotten LiteBeam or AirGrid), but that doesn't imply it's a suitable replacement for everyone. And it is most certainly not a suitable replacement of airOS for most people who use airOS.

                                  • timc3 11 days ago

                                    It’s probably the wrong product for you. I like my Mikrotik devices as it doesn’t hide anything and is crazy configurable for the price.

                                    I run my VPN server on a different device, I can understand why you might want to run it in your router, but again this isn’t plug and play trivial networking gear and most administrators will be doing the same as me.

                                    There are many companies selling what you want.

                                    • izacus 11 days ago

                                      > I run my VPN server on a different device, I can understand why you might want to run it in your router, but again this isn’t plug and play trivial networking gear and most administrators will be doing the same as me.

                                      Which administrators? In what environments? Remember, the thread started with someone telling us that Mikrotik is a good replacement for Ubiquiti use-cases. Whose EdgeRouters and USGs have easily configurable VPNs with good defaults.

                                      I'd also love to hear about any alternative products which support SFP for WAN and 802.3at PoE with ease of setup and use as Ubiquiti. Or even a SOHO ASUS router.

                                  • disiplus 11 days ago

                                    Not even close to that user friendly, and they had pretty serious security problems. I also use them, because they are powerful and cheap.

                                    https://nvd.nist.gov/vuln/detail/CVE-2018-14847

                                    • funnybeam 11 days ago

                                      Just want to point out that the fact that there are CVEs does not mean they are insecure.

                                      All kit has security issues but the important thing is how open the manufacturer is about the issues and how quickly they fix them, and Mikrotik have always been very good in this area, regularly releasing updates

                                      Also, as all their devices run the same software, even devices that are years old will still be updated

                                      I often see people saying “Mikrotik is insecure” but this seems to be based solely on the fact that there are published security issues which they have patched. In my opinion that is the opposite of insecure

                                      Agree on the user friendliness though - I use them at home for personal stuff, but for work it is Unifi

                                      • disiplus 11 days ago

                                        The one linked is especially bad; it allows anybody to read the admin password. The problem is also that a lot of them are running old versions because the update process is not as straightforward as Ubiquiti's, for example. I also run Mikrotik at home and have deployed Mikrotik and Ubiquiti at our different offices. For the price you can hardly beat Mikrotik and once you "get into it" it's fairly simple.

                                        • funnybeam 11 days ago

                                          Yes, that’s bad but note that even unpatched it is only an issue if the GUI management port has been left open - which seems to be the case with all the security issues people highlight with Mikrotik

                                          I wouldn’t disagree that management ports should probably be locked down out of the box but I would expect anyone reading this to apply some basic lockdown when setting up any device

                                          I just want to offer a counterpoint to an assertion that I often see here claiming they are insecure which I don’t think is justified

                                          Certainly if you are not into networking and want something that just works then Unifi is great, but if you want something with bucketloads more functionality and don’t mind getting your hands dirty then don’t be put off Mikrotik due to security concerns

                                          • mopsi 11 days ago

                                            > the one linked is especially bad, i allows anybody to read the admin password.

                                            Only if you have exposed management port to the internet, which you should never do.

                                            • hackmiester 11 days ago

                                              You just upload a file and reboot... that seems like a pretty simple procedure to me...?

                                        • tgsovlerkhgsel 11 days ago

                                          Disabling (access to) WinBox should be the first thing to do on a Mikrotik. Most of their serious security issues are in WinBox.

                                          The Web UI seems to be a perfect equivalent if you want a GUI to manage your one box at home, and SSH should do the trick for automation. Is there any reason to use their proprietary (Windows-only) software to configure the router?
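An added example, not part of any comment above and not MikroTik's own code, for the lockdown advice in this subthread: a small audit of a RouterOS `/export` that lists which management services (WinBox on 8291, www, api, ssh, telnet, ftp) are still enabled with no `address=` restriction, and whether the firewall input chain has any drop or reject rule at all. It relies on one RouterOS detail worth knowing: a plain `/export` only prints settings that differ from the defaults, so a service that never appears in the export is at its default, which for WinBox means enabled and reachable from any interface. The per-service defaults encoded below are the RouterOS 6 defaults as the author understands them, and the sample export is constructed.

```python
"""Audit a RouterOS '/export' for management services reachable from anywhere.

Added example for this thread, not MikroTik's code. It reads the '/ip service'
block an export contains (set NAME disabled=yes, set NAME address=CIDR[,CIDR])
and the '/ip firewall filter' input chain. The sample export is constructed;
the per-service defaults are the RouterOS 6 defaults as the author understands
them (assumption).
"""
import re

# service -> (port, enabled by default). A plain '/export' only prints values
# that differ from the defaults, so a service that never appears is at its
# default: for most of them, enabled with no address restriction.
SERVICE_DEFAULTS = {
    "telnet": (23, True), "ftp": (21, True), "www": (80, True),
    "ssh": (22, True), "api": (8728, True), "api-ssl": (8729, True),
    "winbox": (8291, True), "www-ssl": (443, False),
}


def parse_export(text):
    """Group the 'set ...' / 'add ...' lines of an export under their '/section'."""
    sections, current, buf = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):          # RouterOS wraps long lines with a backslash
            buf += line[:-1] + " "
            continue
        line = (buf + line).strip()
        buf = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def kv(line):
    """'set winbox address=10.0.0.0/24 disabled=no' -> {'address': ..., 'disabled': ...}"""
    return dict(re.findall(r"(\S+?)=(\S+)", line))


def audit_services(sections):
    """Return {service: port} for services enabled with no 'address=' limit."""
    state = {n: {"enabled": en, "address": None}
             for n, (_, en) in SERVICE_DEFAULTS.items()}
    for line in sections.get("/ip service", []):
        parts = line.split()
        if len(parts) < 2 or parts[0] != "set" or parts[1] not in state:
            continue
        opts = kv(line)
        if "disabled" in opts:
            state[parts[1]]["enabled"] = opts["disabled"] == "no"
        if "address" in opts:
            state[parts[1]]["address"] = opts["address"]
    return {n: SERVICE_DEFAULTS[n][0] for n, s in state.items()
            if s["enabled"] and not s["address"]}


def input_chain_has_drop(sections):
    """True if some input-chain rule drops or rejects; a crude default-deny check."""
    for line in sections.get("/ip firewall filter", []):
        opts = kv(line)
        if opts.get("chain") == "input" and opts.get("action") in ("drop", "reject"):
            return True
    return False


# Constructed sample export, not taken from a real device. Note that winbox is
# never mentioned, so it is still at its default: enabled, no address limit.
SAMPLE_EXPORT = """\
# constructed sample export
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.88.0/24
set api disabled=yes
set api-ssl disabled=yes
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input src-address=192.168.88.0/24
add action=drop chain=input in-interface-list=WAN
"""

if __name__ == "__main__":
    sections = parse_export(SAMPLE_EXPORT)
    for name, port in sorted(audit_services(sections).items()):
        print(f"{name} ({port}/tcp) is enabled with no address= restriction")
    if not input_chain_has_drop(sections):
        print("input chain has no drop/reject rule")
```

Both checks are coarse on purpose: a drop keyed on `in-interface-list=WAN` only helps if that list is right, and `address=` is a per-service allow-list, so the simpler fix for a box managed over SSH is to disable winbox, www, api and api-ssl outright rather than restricting each one.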

                                          • garaetjjte 10 days ago

                                            WebFig is just clunky and slow. Winbox is so much better, faster, with MDI, and works fine on Wine.

                                          • stiray 11 days ago

                                            This one was for the management port and was fixed before the CVE came out. There are two points: opening the management interface to the internet is... let's say... weird. The second one, they are extremely responsive to security issues.

                                          • jimnotgym 11 days ago

                                            I have used Mikrotik at work and have been alarmed at how often professional network engineers make mistakes with them. I found some serious errors through testing (and some exploitation), and when putting them right I could see why the engineers had made that mistake. I caution against them. They don't just have a clunky gui they have a model of the network that people seem to find hard to understand. Shame on Unifi over GPL, but their kit is very good

                                            • chewyland 11 days ago

                                              Dealing with this exactly at this moment. Using Winbox is like using Windows 3.0.

                                              No no... It's way worse than that.

                                              • oliwarner 11 days ago

                                                Their last source dump appears to be 4yo too.

                                              • auslander 11 days ago

                                                > Damn, I like their gear; who's the next best?

                                                Linux / OpenBSD with open source wifi drivers, if that is even a thing. Snatch some Atheros or Realtek chips before they disappear.

                                                https://en.wikipedia.org/wiki/Comparison_of_open-source_wire...

                                                • zamadatix 11 days ago

                                                  If all you're looking to do is avoid Ubiquiti breaking GPL not necessarily binary blobs/100% open I'd recommend just using the Intel AX200. It's 20 bucks, will have longer support, supports AX, and supports more features/extensions on older versions of Wi-Fi than e.g. their AC chip does to boot.

                                                • amq 11 days ago

                                                  The next best is OpenWRT + any modern hardware supported by it.

                                                • Jonnax 11 days ago

                                                  Can't the FSF do something? They're quite big.

                                                  • gonzo 11 days ago

                                                    Only if they hold copyright.

                                                    • Wowfunhappy 11 days ago

                                                      Isn't the copyright holder in this case "anyone who has contributed to the Linux kernel"? I have to imagine that includes the FSF.

                                                      Anyway, one of the GGP's (great grandparent's) links indicates the Software Freedom Conservancy did open a lawsuit just last month. https://sfconservancy.org/blog/2019/oct/02/cambium-ubiquiti-...

                                                      • gonzo 10 days ago

                                                        Link actually says, "As such, we have today opened (at this point, non-litigation) GPL enforcement actions against both companies."

                                                        That's a letter, not a lawsuit. Not yet, anyway.

                                                        • Wowfunhappy 10 days ago

                                                          Oops, apparently I wasn't reading carefully enough! Thank you!

                                                • esotericn 11 days ago

                                                  I own and operate Ubiquiti hardware.

                                                  If this doesn't go opt in, I will not be buying more and I will stop recommending it to others.

                                                  Please don't do this. Firewalling access points, good practice or not, should not be necessary. You're not a dodgy IP cam manufacturer.

                                                  People buy your equipment precisely because they want to trust their network hardware.
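An added example, not part of the comment above and not Ubiquiti's code, for the "firewalling access points" point: if you do decide to treat the APs as untrusted, the first step is knowing what they actually talk to. This script runs detection logic over gateway flow logs for the AP management VLAN and flags any flow an AP originates to something other than its controller, DNS and NTP. The subnet, controller address, the allow-listed ports (the usual UniFi inform port 8080/tcp and STUN 3478/udp) and the `key=value` log format are all assumptions for the example; the sample lines are constructed, with a TEST-NET address standing in for whatever the firmware phones home to.

```python
"""Flag access points that talk to anything other than their controller.

Added example for this thread, not Ubiquiti's code. Assumes a gateway that
logs new outbound flows from the AP management VLAN in a simple key=value
format; the subnet, controller address, port list and line format are
hypothetical, and the sample log lines below are constructed.
"""
import ipaddress
import re
from collections import Counter

AP_SUBNET = ipaddress.ip_network("10.10.10.0/24")    # hypothetical AP VLAN
CONTROLLER = ipaddress.ip_address("10.10.20.5")      # hypothetical controller
GATEWAY = ipaddress.ip_address("10.10.10.1")         # hypothetical local DNS/NTP

# What an AP is expected to reach: controller inform (8080/tcp) and STUN
# (3478/udp) as in a typical UniFi setup, plus local DNS and NTP. Extend this
# deliberately; anything else an AP originates is worth a look.
ALLOWED = {
    (CONTROLLER, 8080, "tcp"),
    (CONTROLLER, 3478, "udp"),
    (GATEWAY, 53, "udp"),
    (GATEWAY, 123, "udp"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>tcp|udp)$"
)


def parse_flow(line):
    """Return (ts, src, dst, dport, proto) or None for a line that does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m["ts"], ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]),
            int(m["dport"]), m["proto"])


def is_unexpected(src, dst, dport, proto):
    """True when an AP opens a flow to a destination outside the allow-list."""
    if src not in AP_SUBNET:
        return False          # only flows the APs originate are of interest
    return (dst, dport, proto) not in ALLOWED


def audit(lines):
    """Count unexpected AP flows by (src, dst, dport, proto)."""
    hits = Counter()
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue          # tolerate noise in the log
        _, src, dst, dport, proto = flow
        if is_unexpected(src, dst, dport, proto):
            hits[(str(src), str(dst), dport, proto)] += 1
    return hits


# Constructed sample log; 203.0.113.40 (TEST-NET-3) stands in for an unknown
# external destination, 10.10.30.8 is a client on another VLAN.
SAMPLE_LOG = """\
2019-11-20T10:00:01Z src=10.10.10.21 dst=10.10.20.5 dport=8080 proto=tcp
2019-11-20T10:00:02Z src=10.10.10.21 dst=10.10.20.5 dport=3478 proto=udp
2019-11-20T10:00:03Z src=10.10.10.21 dst=10.10.10.1 dport=53 proto=udp
2019-11-20T10:00:04Z src=10.10.10.21 dst=203.0.113.40 dport=443 proto=tcp
2019-11-20T10:00:05Z src=10.10.10.22 dst=203.0.113.40 dport=443 proto=tcp
2019-11-20T10:00:06Z src=10.10.10.22 dst=10.10.10.1 dport=123 proto=udp
2019-11-20T10:00:07Z src=10.10.30.8 dst=203.0.113.40 dport=443 proto=tcp
garbage line that does not parse
2019-11-20T10:00:09Z src=10.10.10.21 dst=203.0.113.40 dport=443 proto=tcp
""".splitlines()

if __name__ == "__main__":
    for (src, dst, dport, proto), n in audit(SAMPLE_LOG).most_common():
        print(f"{src} -> {dst}:{dport}/{proto} x{n}")
```

Once the list of unexpected destinations is empty apart from the ones you have decided to accept, the same allow-list translates directly into an egress policy for the AP VLAN on the gateway, which is the "firewalling" the comment above would rather not have to do.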

                                                  • ploxiln 11 days ago

                                                    I think "analytics" has become a no-brainer among product managers at all tech companies. It seems like no company, not even GitLab, can escape the irresistible urge by management to add analytics. Arguments against it within the company are useless, it is just so obvious to management that this is the way to go, it's what all big successful companies do. Only massive public outrage can turn the accepted wisdom of analytics around, and only sometimes.

                                                    High quality products were made for many years with no analytics, just by thoughtful design, using the product yourself, and gathering some feedback from users manually. Even without statistically representative data from some large target population, you can use your brain to figure out what goes wrong and how to make a good product.

                                                    And I think lots of products today are quite annoying because of bad decisions based on flawed analytics data. It's hard work to run a good experiment and avoid confounding correlations and plain bugs that throw off the results, and practically nobody today does the hard work. They just run the analytics, get some flawed buggy numbers, interpret them without sufficient care and thoughtfulness, and push through bad design changes. We're data-driven! We're just not looking at the road.

                                                    • 9HZZRfNlpR 11 days ago

                                                      My theory is that they hunt this engagement and time-spent number like lunatics. My engagement increased with new Gmail because it's slow as fuck. Of course I click around like a clown and wait; probably the product manager is happy that people use their product for longer now.

                                                      • distances 11 days ago

                                                        It's amazing how slow Google products are becoming. Firebase is my own pet peeve: opening a single crash report takes easily 20-30 seconds. It's unbelievable. Should be a split second for fluid workflow. Aren't they using their own products? How is this acceptable to any engineer or manager?

                                                        I'd use anything else for the slowness alone if I could decide the tools at work myself.

                                                        • Glad it's not just me. I have an HTC 10, which was a flagship phone when released 3 years ago. Every single third-party app I use, including some moderately demanding games, works perfectly fine. Every single Google app is at the very least frustratingly slow, like Gmail, if not outright unusable, like Maps. It seriously pauses for 5-10 seconds anytime anything on the screen changes. One has to tolerate several such pauses to simply search for a location. This is on their own damn platform for crying out loud.

                                                          The best part is that 10 years ago I used to have an absolute piece of dog shit WinCE phone that failed to even keep up with my typing speed in its stock SMS app. Google Maps worked perfectly on that device.

                                                          • crdoconnor 11 days ago

                                                            Are you using Firefox or Chrome?

                                                            • Jamwinner 11 days ago

                                                              I am going to report it is slow on both, when the bs is disabled. Especially slow on other browsers. You know there are other browsers, right? Google seems confused and angered when I don't use one of the 2 they own. Firefox is only around because they fund it discreetly to avoid antitrust, while it still sends them nearly all the same tracking metrics.

                                                              • distances 10 days ago

                                                                What do you mean by "when the bs is disabled"?

                                                              • Xelbair 10 days ago

                                                                why would this matter?

                                                            • Gonzih 11 days ago

                                                              In my experience analytics usually becomes a hot topic in the product group of the company when product evolution stops. We did all the major features but we still need growth, so to pick a new direction we need some insight on our users.

                                                              • Xelbair 10 days ago

                                                                Seriously, new Gmail is absolutely horrible slow dogshit.

                                                                And it is even worse in firefox than in chrome.

                                                                It takes 30s to 1 min to load(!). It has cached last view, which loads fast.. then it goes unresponsive for bloody 30s to 1 min anyways.

                                                                3 different machines were used to test this: i5 6th gen laptop, i7 7th gen PC, i7 3rd gen PC, all of them with plenty of RAM (at least 16 GB).

                                                                • srrr 11 days ago

                                                                  Maybe your "engagement" increased, but in this case your "time to task completion" did not. In most cases analytics is much more nuanced than you might think. And the reason why something got worse for you is because it got better for someone else.

                                                                  • finnthehuman 11 days ago

                                                                    >your "time to task completion" did not

                                                                    So they're driving down the time it takes to do what they magically infer I'm trying to do. Is this why whenever I try to organize my gmail box I give up 10 minutes in because the UI is slow and bullshit? Because it's good for metrics that I can't make my gmail account anywhere near as useful as my work email?

                                                                  • ninth_ant 11 days ago

                                                                    What you describe is a caricature of a product manager. In reality, differences or changes in “time spent” or other metrics are extremely useful to explain problems and opportunities for improvements that might otherwise be missed.

                                                                    Most certainly you could misuse the statistics for blind number worshipping, and I’m sure there are many anecdotes of that kind of behaviour. But I’m also quite certain that successful organizations can use these to improve their products in meaningful ways. I suspect any gmail product manager who tried to slow down their product (or resisted fixes) to improve meaningless time spent metrics would be crucified.

                                                                  • nextos 11 days ago

                                                                    This is my biggest concern about present and future technology. For example, many car manufacturers are sharing real-time sensor data from their vehicles, including GPS, with third parties. There's no clear opt out. Is it anonymized? Can it get misused? Sadly yes.

                                                                    The freedom and transparency we got from PCs where you can always know what is going on, with some caveats, is missing from all other platforms. And it's really worrying.

                                                                    • arminiusreturns 11 days ago

                                                                      If we let them they will do it to PCs eventually too. We have to fight for our rights. I think cell phones have normalized it for far too many people.

                                                                      • mtsr 11 days ago

                                                                        What do you mean, eventually? You haven't followed the Windows analytics debacle?

                                                                        • stallmanite 10 days ago

                                                                          Win10 analytics (and forced updates) is what finally pushed me to exclusively using linux after many years of dual-booting. There are still choices thankfully (for now).

                                                                          • arminiusreturns 10 days ago

                                                                            We still have gnu/linux for the time being. I went linux only many years ago and have loved every minute of it.

                                                                        • Silhouette 11 days ago

                                                                          Since the mandatory telemetry in Windows 10 (and the backports to Windows 7 onwards if you trusted Microsoft and installed their recommended updates) we don't even have that transparency on PCs, sadly.

                                                                          But I agree, it's a serious problem. The abuse has become so widespread that I am now in favour of heavyweight statutory regulation and severe penalties for violations. I don't see any other way we come back from this situation now. Competition in the market has utterly failed.

                                                                          • nextos 10 days ago

                                                                            I brought up PCs as an example because it's a relatively open hardware platform and you can run Linux or BSD and have an imperfect control of everything that is going on.

                                                                            On phones, things have gotten much worse. Although you can flash a relatively open ROM in case of Android, good luck controlling what the baseband does behind the scenes.

                                                                            And if we talk about cars and other devices like smart watches, there's often zero openness.

                                                                            • Silhouette 10 days ago

                                                                              > good luck controlling what the baseband does behind the scenes

                                                                              I actually have a lot of sympathy with that one, because radio transmission is one of those areas where one idiot who thinks he's clever and should have total control of his device can literally disrupt entire networks for everyone else over a wide area, with the obvious serious consequences. Modern wireless communications systems rely much more than most people realise on conventions and standards and everything playing nice, so regulating such that only licensed practitioners are authorised to make parts that transmit within prescribed specifications is not an absurd idea.

                                                                              Of course, that doesn't mean a closed part of the system like radio control should have any access to any other part of the system. It ought to be essentially a firewalled client of the more open parts of the system. And if it's going to be regulated and controlled then the people licensed to develop those components should be required to have them only perform the defined function according to standardised specs, without anything else piggybacking on top.

                                                                              • nextos 10 days ago

                                                                                With the controlling part I referred to knowing what the baseband is doing, not necessarily changing the way it works.

                                                                                Right now we don't know whether for example it's even powered when your phone is on airplane mode and collecting data.

                                                                                • Silhouette 10 days ago

                                                                                  Yes, that's true. That's why if there is regulation allowing them to be closed units and limiting who can make them, I'm also in favour of that regulation restricting their functionality to only standardised specs (and regulators being able to audit this and impose meaningful penalties for compliance failures).

                                                                            • Xelbair 10 days ago
                                                                              • iforgotpassword 11 days ago

                                                                                If you really care, use Linux.

                                                                                • Silhouette 11 days ago

                                                                                  That's great unless you need software that is not available on Linux. Not all businesses have that choice, but they might still care about privacy and security.

                                                                                  • iforgotpassword 10 days ago

                                                                                    True, but at least for personal use you could make that sacrifice of replacing and re-learning stuff as much as possible. Tbh, from an employee's POV I don't even care that much if my company wants to take that risk.

                                                                                    • Silhouette 10 days ago

                                                                                      I'm the person (one of them) responsible for my own businesses, so I look at things a bit differently. It's on me and my colleagues if we don't have proper security in place, or we violate confidentiality agreements or NDAs or GDPR or other privacy/data protection rules. Looking at the amount of essential software and equipment that is now actively hostile to even basic security and privacy, when you're talking about things like your networking gear or your operating systems or your everyday development tools betraying you, it's now all but impossible to buy new stuff and still be professional about safeguarding privacy and security now, and it shouldn't be. It's going to hurt a lot of people sooner or later, probably sooner, and it's going to cost a lot of businesses a lot of money too.

                                                                                  • Xelbair 10 days ago

                                                                                    It doesn't matter - there is always Management Engine in Intel CPUs and equivalent in AMD and ARM.

                                                                              • dillonmckay 11 days ago

                                                                                “And I think lots of products today are quite annoying because of bad decisions based on flawed analytics data.”

                                                                                I agree with this, and it seems to create a self-fulfilling prophecy.

                                                                                I believe this to be responsible for the decline in Apple’s various device OSs.

                                                                                • cookiecaper 10 days ago

                                                                                  This is also why everything is mobile-first now. So many web-based applications insist that users install a mobile app for half of the functionality because that gives them a much stickier place to attach.

                                                                                  On a browser, it's drive-by, and your ability to track users is gone once they leave your site, especially with vendors like Mozilla and Apple implementing third-party cookie blockers by default and the ubiquity of adblock.

                                                                                  On a phone, if you install something, you'll probably leave it for at least a few days, and if you watch logcat, you'll notice that many of these apps are anything but patiently waiting for the user to decide to open it up again.

                                                                                  • Xelbair 10 days ago

                                                                                    >On a browser, it's drive-by, and your ability to track users is gone once they leave your site, especially with vendors like Mozilla and Apple implementing third-party cookie blockers by default and the ubiquity of adblock.

                                                                                    There is a way to hijack the back button, I have no idea if it has been fixed, there are also tracking cookies so they can track you cross sites anyway.

                                                                                  • VadimPR 11 days ago

                                                                                    Ever asked designers of those high quality products if they would have loved data analytics on their products?

                                                                                    I bet they'd say they would have.

                                                                                    • TeMPOraL 11 days ago

                                                                                      Would I love an extra thousand dollars per month on my account? Sure I would. Doesn't mean I'm going to cheat people to get it, even though I could.

                                                                                      • gonzo 11 days ago

                                                                                        But if there was an opportunity to do so, and it required some work, would you?

                                                                                      • Silhouette 11 days ago

                                                                                        The data you are likely to get from this sort of spyware is typically less useful than even a few sessions watching real users actually using your product and actively collecting their voluntary feedback.

                                                                                        Source: I am basically the person you are talking about, in one of my current roles.

                                                                                      • paulie_a 11 days ago

                                                                                        The amazing thing is all that data is worthless. It hasn't improved things, ads are still stupid, products are just as slow and broken.

                                                                                        • Sharlin 11 days ago

                                                                                          Analytics seems to be a given even among developers. Something you "obviously" put in just because it might be useful at some point.

                                                                                          • microcolonel 11 days ago

                                                                                            It seems that product quality is often lowest in products with the most analytics.

                                                                                          • bostik 11 days ago

                                                                                            > Firewalling access points, good practice or not, should not be necessary.

                                                                                            It is now, it seems.

                                                                                            Having seen what kinds of data crash reports in other domains include (the richer the call chain trace, the better) I expect this to be a subtle security problem. In regulated or otherwise highish-security networks one can expect to see user authentication when accessing wifi (EAP).

                                                                                            Simple scenario: AP crashes during client auth stage. A full crash trace may easily contain the credentials used for EAP, and if those are sent to mothership, your access point has just leaked out the necessary information to successfully access your secure network. Worse, when EAP is used, the login is likely bound to domain credentials, which are practically guaranteed to allow access to all sorts of internal services.

                                                                                            To state the obvious: best practice with crash traces is to filter out or mask high-value KV pairs. But then again, best practices also disallow leaking credentials in the first place.

                                                                                            For my part, I will now consider Unifi APs as rogue devices.
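
The "filter out or mask high-value KV pairs" practice above, as an added example written for this page (not code from the thread and not Ubiquiti code): a scrubber that runs over a crash report before it is allowed to leave the device, masking credential-like keys in structured fields and `key=value` arguments inside a textual call trace. The report layout, the field names, the sample values and the key/value patterns are all assumptions constructed to resemble what a wireless stack might hold during an EAP client authentication; nothing here describes what UniFi firmware actually records.

```python
"""
Added example, not from the thread and not Ubiquiti code: scrub a crash report
so that credential-like key/value pairs never leave the device.  The report
layout, field names and values below are constructed to resemble what a
wireless stack might carry during an EAP client authentication; the key and
value patterns are an assumed policy, not anything UniFi actually does.
"""
import json
import re
from typing import Any

# Keys treated as high-value.  Substring matching on purpose: over-redacting a
# crash report is the cheap failure mode, leaking a password is the expensive one.
SENSITIVE_KEY_RE = re.compile(
    r"pass(word|wd|phrase)?|secret|psk|identity|username|mschap|"
    r"nt[_-]?response|challenge|token|cookie|authorization",
    re.IGNORECASE,
)
# Value shapes that look like secrets even under an innocent key:
# bearer tokens, long base64 blobs, long hex strings.
SENSITIVE_VALUE_RE = re.compile(
    r"^(Bearer\s+\S+|[A-Za-z0-9+/]{32,}={0,2}|[0-9a-fA-F]{32,})$"
)
# 'key=value' pairs inside textual stack-frame arguments.
KV_IN_TEXT_RE = re.compile(
    r"\b([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(\"[^\"]*\"|'[^']*'|[^,\s)]+)"
)
REDACTED = "<redacted>"


def redact(value: Any) -> Any:
    """Recursively mask sensitive keys and secret-looking strings in dicts/lists."""
    if isinstance(value, dict):
        return {
            k: (REDACTED if SENSITIVE_KEY_RE.search(str(k)) else redact(v))
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str) and SENSITIVE_VALUE_RE.match(value):
        return REDACTED
    return value


def redact_frames(frames: list) -> list:
    """Mask sensitive 'key=value' arguments captured in a textual call trace."""
    def sub(m: re.Match) -> str:
        key = m.group(1)
        return f'{key}="{REDACTED}"' if SENSITIVE_KEY_RE.search(key) else m.group(0)
    return [KV_IN_TEXT_RE.sub(sub, frame) for frame in frames]


def scrub_report(report: dict) -> dict:
    """Structured fields and the call trace are scrubbed separately."""
    out = redact(report)
    if "frames" in report:
        out["frames"] = redact_frames(report["frames"])
    return out


def contains_secret(obj: Any, secret: str) -> bool:
    """Post-condition for tests: does the serialised report still carry the literal?"""
    return secret in json.dumps(obj)


# Constructed sample: an AP crash captured mid-authentication (not a real UniFi trace).
SAMPLE_REPORT = {
    "firmware": "x.y.z (constructed)",
    "event": "kernel_oops",
    "client": {"mac": "aa:bb:cc:dd:ee:ff",
               "eap_identity": "alice@corp.example",
               "eap_password": "hunter2"},
    "radius": {"server": "10.0.0.5", "shared_secret": "radiusSecret!"},
    "session": {"ssid": "corp-secure", "token": "abc"},
    "frames": [
        'eap_peer_process(identity="alice@corp.example", password="hunter2")',
        "radius_send(server=10.0.0.5, secret=radiusSecret!)",
    ],
}

if __name__ == "__main__":
    print(json.dumps(scrub_report(SAMPLE_REPORT), indent=2))
```

The two-layer design matters: structured fields are easy to mask by key, but the credential in the scenario above would sit inside a frame argument string, which is why the textual pass exists. `contains_secret` is the check to keep in a unit test so that a new log field cannot silently reintroduce a leak.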

                                                                                            • noodlesUK 11 days ago

                                                                                              This is exactly the sort of scenario that scares people like me when I read about telemetry being baked in. It’s just totally unnecessary risk.

                                                                                              • namibj 11 days ago

                                                                                                Which is why I never allow error reporting. Mild UI-features-usage-statistics in anon form are allowed, but rare.

                                                                                            • consumer451 11 days ago

                                                                                              If you have the spare time, OpenWRT supports Ubiquiti hardware.

                                                                                              https://openwrt.org/toh/ubiquiti/start

                                                                                              • kompakt 11 days ago

                                                                                                Yes, and it works quite well. I've flashed the latest OpenWRT on my Unifi AP for a test, I'm really impressed with the performance. It also adds more features with OpenWRT packages.

                                                                                                Do note that some ubnt devices have custom firmwares blocked on newer software versions. For example Unifi AP and LR:

                                                                                                https://openwrt.org/toh/ubiquiti/unifi

                                                                                                • rixrax 11 days ago

                                                                                                  And OpenBSD/octeon[0][1] appears to run on UniFi Security Gateway.

                                                                                                  Just ~ two weeks ago I finally retired my old OpenBSD based gateway in favor of USG. But no, I guess I'm back to putting OpenBSD on USG, and maybe OpenWRT on APs.

                                                                                                  Is there a working replacement OS for Ubiquiti PoE switches?

                                                                                                  [0] https://www.openbsd.org/octeon.html
                                                                                                  [1] https://codeghar.com/blog/openbsd-on-ubiquiti-usg.html

                                                                                                  • zaroth 11 days ago

                                                                                                    Or just block the outgoing connection? What am I missing?

                                                                                                    It’s not like it doesn’t already have a firewall built into it.

                                                                                                    • rixrax 11 days ago

                                                                                                      But here lies the dilemma: do I trust them? If I put in a rule to block their telemetrics, would USG honor that rule? Not just now, but after some firmware update that 'breaks' something. Or maybe I have to put another box in front of USG that I actually trust to be certain that call home got blocked. And even if I block this call home, maybe it changes to something else in next version or the next that now needs to be blocked as well. And maybe the data being sent home changes to more draconian over time as the marketing department gets greedier. And so it goes.

                                                                                                      When I buy [network] equipment, it is my expectation that since I own the HW, I am to a certain degree in control of what they do and to whom they 'talk to'. And call-home / telemetrics without at least opt-out just doesn't sit well with me here.

                                                                                                      • tbyehl 10 days ago

                                                                                                        You actually can't* use the firewall to prevent a USG or EdgeRouter from phoning home as the WAN_LOCAL rules only apply to inbound traffic.

                                                                                                        * Possibly by some other combination of dropping Established/Related traffic. I think that'll get gnarly for the instances where WAN_LOCAL traffic is needed -- VPN, connectivity checks for load balancing, etc.

                                                                                                        • zaroth 10 days ago

                                                                                                          “eth0_in affects traffic entering the ER on eth0 that gets forwarded to somewhere behind the ER

                                                                                                          eth0_out affects traffic leaving the ER on eth0

                                                                                                          eth0_local affects traffic that enters the ER on eth0 and is targeted directly at the ER itself (e.g. the webgui)”

                                                                                                          In this case you would put the rule on eth0_out, not eth0_local.

                                                                                                          • tbyehl 10 days ago

                                                                                                            Not sure what you're quoting, but you are misinterpreting it. The IN / OUT rulesets absolutely do not impact traffic that originated from or is destined to the router itself.

                                                                                                            Just now I verified with the following partial ruleset on an EdgeRouter I have in production:

                                                                                                              set firewall name WAN_OUT default-action accept
                                                                                                              set firewall name WAN_OUT rule 300 action drop
                                                                                                              set firewall name WAN_OUT rule 300 description 'block 1.1.1.1'
                                                                                                              set firewall name WAN_OUT rule 300 destination address 1.1.1.1
                                                                                                              set firewall name WAN_OUT rule 300 protocol all
                                                                                                              set interfaces ethernet eth0 firewall out name WAN_OUT
                                                                                                            
                                                                                                            Devices behind that ER can no longer communicate with 1.1.1.1, but the ER itself can.

                                                                                                            The only way to filter traffic from the router would be to drop the standard "Allow Established / Related" rule from WAN_LOCAL, retain the default drop action, and make specific rules allow whatever the router should be permitted to communicate with. And that would still allow packets to escape the router -- for TCP the communications channel is effectively dead since the handshake can never complete, but it could blast out all the UDP it wants.
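
The distinction drawn above (interface rulesets see forwarded traffic or traffic addressed to the router, never what the router originates) is easy to model. The following is an added example written for this page, not code from the thread and not EdgeOS code: it parses the `set` lines quoted above, plus two constructed `WAN_LOCAL` variants, into rulesets and evaluates three flows against them. The `Packet` fields, the router's assumed addresses (203.0.113.10 on WAN, 192.168.1.1 on LAN), the client addresses and both `WAN_LOCAL` rulesets are assumptions, and ports are not modelled.

```python
"""
Added example, not from the thread and not EdgeOS code: a model of which named
rulesets (bound to an interface as 'in', 'out' or 'local') a packet is checked
against.  Packet fields, router addresses and both WAN_LOCAL rulesets are
assumptions; the WAN_OUT lines are those quoted above.  Ports are not modelled.
"""
from dataclasses import dataclass
from typing import Optional

ROUTER_IPS = {"203.0.113.10", "192.168.1.1"}   # assumed WAN and LAN addresses of the router

@dataclass
class Packet:
    src: str
    dst: str
    in_iface: Optional[str]      # None when the router itself generated the packet
    out_iface: Optional[str]     # None when the packet is addressed to the router
    protocol: str = "tcp"
    conntrack_state: str = "new"

def parse_set_lines(lines):
    """Parse 'set firewall name ...' and 'set interfaces ethernet ethN firewall DIR name X'."""
    rulesets, bindings = {}, {}
    for line in lines:
        t = line.split()
        if t[:3] == ["set", "firewall", "name"]:
            rs = rulesets.setdefault(t[3], {"default": "drop", "rules": {}})
            if t[4] == "default-action":
                rs["default"] = t[5]
            elif t[4] == "rule":
                r = rs["rules"].setdefault(
                    int(t[5]), {"action": "drop", "destination": None, "protocol": "all", "state": set()})
                if t[6] == "action":
                    r["action"] = t[7]
                elif t[6:8] == ["destination", "address"]:
                    r["destination"] = t[8]
                elif t[6] == "protocol":
                    r["protocol"] = t[7]
                elif t[6] == "state" and t[8] == "enable":
                    r["state"].add(t[7])
        elif t[:2] == ["set", "interfaces"] and t[4] == "firewall":
            bindings[(t[3], t[5])] = t[7]          # (interface, direction) -> ruleset name
    return rulesets, bindings

def evaluate(pkt, rulesets, bindings):
    """First matching rule in each consulted ruleset decides, else that ruleset's default."""
    if pkt.src in ROUTER_IPS:          # router-originated: no interface ruleset applies
        keys = []
    elif pkt.dst in ROUTER_IPS:        # addressed to the router: 'local' on the ingress interface
        keys = [(pkt.in_iface, "local")]
    else:                              # forwarded: 'in' on ingress, then 'out' on egress
        keys = [(pkt.in_iface, "in"), (pkt.out_iface, "out")]
    for name in (bindings[k] for k in keys if k in bindings):
        rs = rulesets[name]
        for r in (rs["rules"][n] for n in sorted(rs["rules"])):
            if (r["destination"] not in (None, pkt.dst) or r["protocol"] not in ("all", pkt.protocol)
                    or (r["state"] and pkt.conntrack_state not in r["state"])):
                continue
            if r["action"] == "drop":
                return "drop"
            break                                   # accepted here, go on to the next ruleset
        else:
            if rs["default"] == "drop":
                return "drop"
    return "accept"

WAN_OUT_LINES = [
    "set firewall name WAN_OUT default-action accept",
    "set firewall name WAN_OUT rule 300 action drop",
    "set firewall name WAN_OUT rule 300 description 'block 1.1.1.1'",
    "set firewall name WAN_OUT rule 300 destination address 1.1.1.1",
    "set firewall name WAN_OUT rule 300 protocol all",
    "set interfaces ethernet eth0 firewall out name WAN_OUT",
]
# Constructed: WAN_LOCAL with the usual Established/Related allow rule ...
STOCK_WAN_LOCAL_LINES = [
    "set firewall name WAN_LOCAL default-action drop",
    "set firewall name WAN_LOCAL rule 10 action accept",
    "set firewall name WAN_LOCAL rule 10 state established enable",
    "set firewall name WAN_LOCAL rule 10 state related enable",
    "set interfaces ethernet eth0 firewall local name WAN_LOCAL",
]
# ... and the variant the comment describes: that rule gone, one specific allow left (UDP,
# standing in for something like a VPN rule).
HARDENED_WAN_LOCAL_LINES = [
    "set firewall name WAN_LOCAL default-action drop",
    "set firewall name WAN_LOCAL rule 20 action accept",
    "set firewall name WAN_LOCAL rule 20 protocol udp",
    "set interfaces ethernet eth0 firewall local name WAN_LOCAL",
]

def verdicts(local_lines):
    """Three flows: LAN host -> 1.1.1.1, router -> 1.1.1.1, and 1.1.1.1's reply to the router."""
    rulesets, bindings = parse_set_lines(WAN_OUT_LINES + local_lines)
    lan_host = Packet("192.168.1.50", "1.1.1.1", "eth1", "eth0")
    router_out = Packet("203.0.113.10", "1.1.1.1", None, "eth0")
    reply = Packet("1.1.1.1", "203.0.113.10", "eth0", None, conntrack_state="established")
    return {"lan_host_to_1.1.1.1": evaluate(lan_host, rulesets, bindings),
            "router_to_1.1.1.1": evaluate(router_out, rulesets, bindings),
            "reply_to_router": evaluate(reply, rulesets, bindings)}
```

`verdicts(STOCK_WAN_LOCAL_LINES)` yields drop / accept / accept: the LAN host is blocked by `WAN_OUT`, the router's own packet is consulted against nothing, and the reply comes back through the Established/Related rule. With `HARDENED_WAN_LOCAL_LINES` the reply becomes drop while the router's outbound packet is still accepted, which is exactly the "packets still escape, but a TCP handshake can never complete" outcome described above.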

                                                                                                        • gonzo 11 days ago

                                                                                                          Maybe read the Ubiquiti EULA. You don’t own the software.

                                                                                                        • gigatexal 11 days ago

                                                                                                          I just read a post at the link that said doing so causes the unit to retry and retry until restarting after so many tries. That’s not great.

                                                                                                          • jki275 11 days ago

                                                                                                            There's a comment further down the page from Ubiquiti that says they've fixed that.

                                                                                                    • thijsvandien 11 days ago

                                                                                                      Indeed, this is not about anything technical. It's about their attitude.

                                                                                                      • pentae 11 days ago

                                                                                                        I discovered when trying to place an order for some of their networking gear for my vacation home in Thailand they simply refused to allow the order to go through because I wasn't in the US - Even though I was ordering to my US Address. It wasn't even due to fraud, they refused to sell something that might be used out of the US for 'legal reasons'. So why have I been able to order networking hardware from every other manufacturer with no problem? When I buy an iPhone, does Apple forbid me from using it as a hotspot outside of the country I bought it from? No of course not, that would be ridiculous.

                                                                                                        • kube-system 11 days ago

                                                                                                          There’s a ton of legal reasons why they might be specifically concerned about exporting there and Apple isn’t.

                                                                                                          * Maybe there’s an export restriction on a component and they lack the license to export to that country.

                                                                                                          * Maybe they have not submitted their product for regulatory testing in that region.

                                                                                                          * Maybe the product doesn’t operate within legally available spectrum in that country.

                                                                                                          * Maybe the product presents an IP rights concern in the laws of that country.

                                                                                                          * Maybe they simply haven’t paid a lawyer licensed to practice law in that region to confirm they wouldn’t have any legal concerns.

                                                                                                          • kyrra 11 days ago

                                                                                                            I'm a bit confused by your wording. Are you saying your billing and shipping address were in the US, but your ip was in Thailand?

                                                                                                            • tinus_hn 10 days ago

                                                                                                              Try buying an iPhone from the US store and have it shipped internationally. Or try buying one of their products that have only been released in the US, abroad.

                                                                                                              • pentae 10 days ago

                                                                                                                You just described how I bought my last 3 iPhones so I don't really understand your point. If you use a US address it's fine.

                                                                                                                • tinus_hn 9 days ago

                                                                                                                  If you ship it internationally from the US to a US address? I’m not sure I follow.

                                                                                                            • TwoNineA 11 days ago

                                                                                                              Ever since MS shoved telemetry down our throat, everyone is doing it.

                                                                                                            • jlgaddis 11 days ago

                                                                                                              I'm gonna go searching for it but, in the meantime, anyone know the process for submitting a hostname to be added to any of the lists used by PiHole, et al.?

                                                                                                              The hostname that Ubiquiti is using -- trace.svc.ui.com -- seems like exactly the thing that should be blocked, IMO.

                                                                                                              ---

                                                                                                              FWIW, if you're using PiHole and want to block these access points from "phoning home", you can simply do the following:

                                                                                                                $ echo server=/trace.svc.ui.com/ | sudo tee /etc/dnsmasq.d/ubiquiti_access_point_phone_home.conf
                                                                                                                $ sudo systemctl restart pihole-FTL.service
                                                                                                              
                                                                                                              This will cause dnsmasq, the underlying resolver, to return NXDOMAIN for any such queries.

                                                                                                              ---

                                                                                                              EDIT:

                                                                                                              Apparently the "pihole" utility has functionality built-in to blacklist domains (via /etc/pihole/blacklist.txt). Instead of the above, you can simply use:

                                                                                                                $ pihole -b trace.svc.ui.com
                                                                                                              
                                                                                                              This will result in the IP address "0.0.0.0" being returned (with a TTL of two seconds) for any manually blacklisted hostnames (the same way that PiHole normally responds to queries for blocked domains) although, personally, I still prefer NXDOMAIN.
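
Before (or after) sinkholing the name, it is worth knowing which devices on the LAN are actually asking for it. The following is an added example written for this page, not code from the thread and not Pi-hole or dnsmasq code: it scans dnsmasq query-log lines (Pi-hole's query log has the same shape, since pihole-FTL is built on dnsmasq and logs `query[TYPE] name from client` when query logging is on) and counts watchlisted queries per client. The log lines, client addresses and the extra names are constructed; `trace.svc.ui.com` is the hostname from the post above. Name matching follows dnsmasq's `server=/domain/` semantics, so the domain and its subdomains match but the parent `svc.ui.com` does not, and `sinkhole_config` emits the same address-less `server=` line the post uses.

```python
"""
Added example, not from the thread and not Pi-hole or dnsmasq code: find which
clients on the LAN are resolving telemetry hostnames by scanning dnsmasq query
logs.  The log lines are constructed in the 'query[TYPE] name from client'
shape dnsmasq writes with log-queries on; trace.svc.ui.com is the name from
the thread, the other names and client addresses are assumptions.
"""
import re
from collections import Counter, defaultdict

# Names to watch.  Matching follows dnsmasq's server=/domain/ semantics: the
# domain itself and any subdomain match, a parent (svc.ui.com) does not.
WATCHLIST = ["trace.svc.ui.com"]

QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)"
)


def matches_watchlist(name: str, watchlist=WATCHLIST) -> bool:
    name = name.rstrip(".").lower()
    for domain in watchlist:
        domain = domain.rstrip(".").lower()
        if name == domain or name.endswith("." + domain):
            return True
    return False


def scan_queries(lines, watchlist=WATCHLIST) -> dict:
    """Return {client: Counter({queried_name: count})} for watchlisted queries only."""
    hits = defaultdict(Counter)
    for line in lines:
        m = QUERY_RE.search(line)
        if m and matches_watchlist(m["name"], watchlist):
            hits[m["client"]][m["name"].rstrip(".").lower()] += 1
    return dict(hits)


def report(lines=None, watchlist=WATCHLIST) -> dict:
    """Per-client total of watchlisted queries: the devices to go and look at."""
    hits = scan_queries(SAMPLE_LOG if lines is None else lines, watchlist)
    return {client: sum(c.values()) for client, c in hits.items()}


def sinkhole_config(watchlist=WATCHLIST) -> str:
    """The dnsmasq drop-in used above: an address-less server= line per domain
    makes dnsmasq answer NXDOMAIN instead of forwarding the query."""
    return "".join(f"server=/{d}/\n" for d in watchlist)


# Constructed sample log (two access points at .20 and .21, one laptop at .77).
SAMPLE_LOG = """\
Jan 12 10:00:01 dnsmasq[812]: query[A] trace.svc.ui.com from 192.168.1.20
Jan 12 10:00:01 dnsmasq[812]: forwarded trace.svc.ui.com to 9.9.9.9
Jan 12 10:00:02 dnsmasq[812]: query[AAAA] trace.svc.ui.com from 192.168.1.20
Jan 12 10:00:05 dnsmasq[812]: query[A] news.ycombinator.com from 192.168.1.77
Jan 12 10:01:01 dnsmasq[812]: query[A] trace.svc.ui.com from 192.168.1.21
Jan 12 10:01:03 dnsmasq[812]: query[A] svc.ui.com from 192.168.1.77
Jan 12 10:01:04 dnsmasq[812]: query[A] beta.trace.svc.ui.com from 192.168.1.21
""".splitlines()

if __name__ == "__main__":
    for client, n in sorted(report().items()):
        print(f"{client}\t{n} watchlisted queries")
    print(sinkhole_config(), end="")
```

Run against a real log with `report(open("/var/log/pihole.log").read().splitlines())` (path assumed; it varies by Pi-hole version). Only `query[...]` lines count, so the `forwarded` and `reply` lines dnsmasq also writes do not inflate the numbers.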

                                                                                                              • kpU8efre7r 11 days ago

                                                                                                                Use blacklist. I already have to blacklist some Belkin URLs that are constantly pinged.

                                                                                                                • jlgaddis 11 days ago

                                                                                                                  Using the blacklist is simpler but it uses a two second TTL (but it looks like that can be changed in the 01-pihole.conf file, though).

                                                                                                                  I'd rather it return NXDOMAIN, though. That's what I had to do to block DNS-over-HTTPS for Firefox.

                                                                                                                  • gingerlime 11 days ago

                                                                                                                    FWIW, I just tested my Adguard Home by adding trace.svc.ui.com to the filter, and I think it does return NXDOMAIN by default.

                                                                                                                • specto 11 days ago

                                                                                                                  adding this to my edgerouter heh.

                                                                                                                  • MertsA 11 days ago

                                                                                                                    Don't mess with the generated config file on the EdgeRouter, it'll just get replaced next time you reconfigure it or a firmware update is applied. Just add the following to the config.

                                                                                                                      set service dns forwarding options server=/trace.svc.ui.com/

                                                                                                                    Or if you have dns forwarding using the system resolver you could also just add it to the hosts file via something similar to this.

                                                                                                                      set system static-host-mapping host-name trace.svc.ui.com inet 0.0.0.0
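A check for whichever blocking method is used in the comments above (the pihole blacklist, an AdGuard Home filter, or the EdgeRouter dnsmasq options): this added Python script, written for this thread and not posted by any commenter, sends a plain UDP A query for trace.svc.ui.com to a resolver and reports whether it got NXDOMAIN, a 0.0.0.0 sinkhole answer (with its TTL), or a real address. The resolver IP is an assumed command-line argument; build_response constructs responses so the classifier can be exercised offline.

```python
import socket
import struct
import sys

HOST = "trace.svc.ui.com"          # the hostname discussed in the thread
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1"}  # addresses DNS blockers commonly answer with


def build_query(name, txid=0x1234):
    """Build a minimal DNS query (RD set, one question, type A, class IN)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)


def _skip_name(buf, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def classify_response(resp):
    """Return (verdict, addresses, min_ttl) for a raw DNS response.

    verdict is one of NXDOMAIN, RCODE<n>, NODATA, SINKHOLE or RESOLVED.
    """
    _txid, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", resp, 0)
    rcode = flags & 0xF
    if rcode == 3:
        return ("NXDOMAIN", None, None)
    if rcode != 0:
        return ("RCODE%d" % rcode, None, None)
    off = 12
    for _ in range(qd):                # skip the echoed question section
        off = _skip_name(resp, off) + 4
    addrs, ttls = [], []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from(">HHIH", resp, off)
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(socket.inet_ntoa(rdata))
            ttls.append(ttl)
    if not addrs:
        return ("NODATA", None, None)
    if all(a in SINKHOLE_ADDRS for a in addrs):
        return ("SINKHOLE", addrs, min(ttls))
    return ("RESOLVED", addrs, min(ttls))


def check_resolver(server, name=HOST, timeout=2.0):
    """Query one resolver over UDP/53 and classify what it says about name."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        resp, _ = sock.recvfrom(512)
    return classify_response(resp)


def build_response(query, rcode=0, answers=()):
    """Constructed response for offline testing: echoes the question, appends A records.

    answers is a sequence of (dotted_ip, ttl) pairs; the name uses a pointer to the question.
    """
    txid = struct.unpack_from(">H", query, 0)[0]
    qend = _skip_name(query, 12) + 4
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(answers), 0, 0)
    body = query[12:qend]
    for ip, ttl in answers:
        body += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + body


if __name__ == "__main__":
    # Usage (assumed): python check_block.py <resolver-ip>
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    verdict, addrs, ttl = check_resolver(resolver)
    print("%s -> %s addrs=%s ttl=%s" % (HOST, verdict, addrs, ttl))
```

A SINKHOLE verdict with ttl=2 matches the pihole blacklist behaviour described above, and NXDOMAIN matches the `server=/trace.svc.ui.com/` dnsmasq option; RESOLVED means the block is not in effect for the resolver you pointed it at.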

                                                                                                                    • specto 22 hours ago

                                                                                                                      Thanks, I have a lot of these rules already :)

                                                                                                                • godzillabrennus 11 days ago

                                                                                                                  I met cmb (the lead architect of Ui.com) when he was starting up Pfsense. He’s good people.

                                                                                                                  Don’t be afraid to tweet him your thoughts on this and a link to this thread: https://twitter.com/cbuechler

                                                                                                                  If there is any chance in management making the right decision here then it’ll be because good people at the company have ammo to go back to management with.

                                                                                                                  FYI - I was about to buy Qty 22 unifi access points next week and Qty 44 unifi 48 port switches. Nope on that with this change.

                                                                                                                  • carlob 11 days ago

                                                                                                                    > Don’t be afraid to tweet him your thoughts on this and a link to this thread: https://twitter.com/cbuechler

                                                                                                                    Last tweet (from 2 years ago) is about supporting Tencent Christmas party.

                                                                                                                    • frereubu 11 days ago

                                                                                                                      There are much more recent replies (although most recent is from February).

                                                                                                                    • slovette 11 days ago

                                                                                                                      He’s lead on the security team, not blanket UI.com from what I know. Also met him when he was working on the PFSense stuff and spent a few days with him and his team in Austin TX in 2014.

                                                                                                                      I agree, great person and I still have faith in him; but he’s just 1 person on a billion dollar enterprise team. He’s also very silo’d it seems, to what he’s doing on the firewall (and UDM?) side.

                                                                                                                      We’re also heavy deployers of UI stuff (100+ AP’s /month and 1000’s of ports installed).

                                                                                                                      This change concerns me, but doesn’t surprise me. All the new product line is geared for centralized propriety. The company as a whole is turning for the worst I think. The new forums and treatment of their community is indicative enough of this theory....

                                                                                                                      • dagelf 11 days ago

                                                                                                                        I'd love to get a bunch of the UI engineers out into the rural areas where their gear is used, to remote work from there for a while, so they can see how badly it caters to the needs of those who need it most, and that they can go back with some easy to implement and much needed improvements.

                                                                                                                        • gonzo 11 days ago

                                                                                                                          > Also met him when he was working on the PFSense stuff and spent a few days with him and his team in Austin TX in 2014.

                                                                                                                          Well, now I’m curious who you are. :-)

                                                                                                                      • iforgotpassword 11 days ago

                                                                                                                        If I had a twitter account I'd ask him about the GPL violations by using a modified Linux kernel for their gear and not releasing the according source code.

                                                                                                                        • dagelf 11 days ago

                                                                                                                          Don't throw the baby out with the bathwater. Hardware is hardware and their wireless APs are good, their switches suck, 2 minutes of downtime with any settings change?! Their controller software is a marketing gimmick trying to silo you in. Still, it's an easier battle if you're armed with the right tools, and their APs are a dream compared to most others.

                                                                                                                          • sathackr 10 days ago

                                                                                                                            Not sure which switches you are using.

                                                                                                                            I have hundreds of Unifi switches deployed. There is no downtime with normal setting changes (port/vlan assignment, link speed/duplex changes, etc...)

                                                                                                                          • bluedino 11 days ago

                                                                                                                            I would stay away from the Edgeswitch products as well, unless you like switches that randomly reboot and support that is basically useless.

                                                                                                                          • hannasm 11 days ago

                                                                                                                            It's a shame to see another seemingly benevolent and forward thinking company start betraying the customer base they have built up. This company seems to have started a large strategic shift in the past couple years and it's probably just a matter of time until all the hardware I've bought from them has to be thrown out.

                                                                                                                            • tlrobinson 11 days ago

                                                                                                                              I’ve been a fan of Ubiquiti but they seem to be pissing off their existing customers a lot lately.

                                                                                                                              Off the top of my head:

                                                                                                                              1. Deprecating UniFi Video in favor of UniFi Protect which only runs on Ubiquiti hardware (and none of the current hardware supports more than a handful of cameras anyway?)

                                                                                                                              2. Advertising UniFi Protect on existing UniFi Video installations, which is especially obnoxious for installers who sold their customers a complete system

                                                                                                                              3. Removing SNMP configuration from new firmware versions on certain product lines (EdgeSwitch?)

                                                                                                                              4. Now this.

                                                                                                                              • noodlesUK 11 days ago

                                                                                                                                The unifi protect thing is really annoying. I would totally have done an installation already if not for a lack of ability to back up data off the NVR device (cloud key gen2+) or self host on something with more storage. If I do an install with more than a few cameras it’ll only have a day or two of recording on their crappy 2.5in HDD. The software looks so good though. It’s really irritating.

                                                                                                                                • ChrisLomont 10 days ago

                                                                                                                                  You can replace the 1TB in the cloud key with 5TB drives, which help. You can also set the compression to get more lifetime, or change always record to only record windows around movement.

                                                                                                                                  Check the net for 5TB upgrade instructions.

                                                                                                                                • Bombthecat 11 days ago

                                                                                                                                  And it seems that the wifi HotSpots get buggy updates..

                                                                                                                                • sliken 11 days ago

                                                                                                                                  Disturbing, easy to fix, but disturbing.

                                                                                                                                  Ironically blocking various widgets from spying on me was why I bought ubiquiti hardware. I was regularly noticing outbound network connections from my TV, turns out it was fingerprinting what I watched and reporting back to the mothership. It no longer gets network access of any kind.

                                                                                                                                  I was tired of playing the OpenWRT/DDWRT flavor of the week (korg) on hardware that wasn't really well supported (netgear R7000). I hated the disposable nature of configuring the routers and having to largely throw away that configuration with each major upgrade. Even getting Comcast's /60 handled was painful (a bug in dhcpd6c or similar). I also wanted to handle WIFI APs well and not have a painful upgrade process.

                                                                                                                                  I have a Ubiquiti NanoHD, EdgeRouter 6p, and a PoE EdgeSwitch 8xp. Nice GUI, you can fall back gracefully to command line, and backup your device state in a human readable config file you can keep in version control. Upgrades are typically press a button in the web UI and wait a few minutes.

                                                                                                                                  They handle my moderately complex home network. Comcast gives me a /60, I split that into a /64 per 4 router ports. Lets me split the trusted stuff (desktops and laptops I manage) from the untrusted. I can even login over ssh to manage them with a key.

                                                                                                                                  It's been very handy. If one of my PoE cameras freaks out, I can bounce it remotely.

                                                                                                                                  If various android apps have anti-social behaviors to avoid DNS based blocking I can track them on IPv4, IPv6, and block them when they try to skip my name servers. Took me a bit to block all IPv6/IPv4 DNS traffic to force anything on my network to actually use my nameservers. I'm not looking forward to DNS over TLS which, despite the promises, seems like it will inevitably make things harder to filter.

                                                                                                                                  Anyone know of a Ubiquiti competitor that's better about handling privacy and security and not trying to install spyware?

                                                                                                                                  • wtallis 11 days ago

                                                                                                                                    > I was tired of playing the OpenWRT/DDWRT flavor of the week (korg) on hardware that wasn't really well supported (netgear R7000).

                                                                                                                                    I should think so. Broadcom doesn't want their hardware to be properly supported by open-source software, so you were never going to be entirely successful in your quest to find good third-party firmware for that particular router. In the long run, it's always worth returning any such hardware and spending a bit more time shopping around for a router or AP that uses Qualcomm, Mediatek or Marvell chipsets (Ubiquiti APs use Qualcomm). And if you don't like the flavor of the week mess for firmware distributions, stay away from DD-WRT and prefer OpenWRT, which actually does clearly-identified stable releases.

                                                                                                                                    • tjoff 11 days ago

                                                                                                                                      Easy to fix for whom? How do you fix the trust issue?

                                                                                                                                      What to do when they add this to their other products, such as routers?

                                                                                                                                      • sliken 11 days ago

                                                                                                                                        It's easy to block devices from calling home. The trust issue is harder. I think the real fix is to move to a different company until they change their minds.

                                                                                                                                        Ubiquiti does seem like a generally good company, just seems like someone decided more feedback on failures was a good idea and added the remote debugging... without thought on opt-in. After all I get a few similar reports a day (x failed... report home?), but they are of course opt-in.

                                                                                                                                        • SteveNuts 11 days ago

                                                                                                                                          I think OP's point is if Ubiquiti decided to roll this up through their networking stack, they could theoretically silently still send the updates through to their collectors, no matter how many blocks you put in place (assuming you use Ubnt switches/routers/firewalls/APs).

                                                                                                                                          This would be easy to discover if you mixed brands, but the point is how would you trust them anymore?

                                                                                                                                          • zaroth 11 days ago

                                                                                                                                            The entire product line is specifically designed to give you insight into what packets are going where, and the ability to control which ones you let through.

                                                                                                                                            You can argue that this should have been opt-in but it’s absurd to say that anyone cannot trivially opt-out.

                                                                                                                                            I don’t understand the point of speculating that they are going to break iptables to get crash reporting, other than spreading FUD.

                                                                                                                                            • mtgx 11 days ago

                                                                                                                                              Microsoft broke local search completely on latest Windows 10 updates if you've ever tried to block Cortana. They count this as a non-issue because from their point of view you're not supposed to block Cortana/web search.

                                                                                                                                              I've hated this "just block it" mentality around Windows 10 from day one because it was obvious to me it would be a losing game for the user in the long term.

                                                                                                                                              You can't fight the software developer forever on this and with each update they send. Eventually if they really want that tracking feature they're going to integrate it into some other core feature that will stop working if you try to disable the tracking.

                                                                                                                                          • tomasato 11 days ago

                                                                                                                                            If you block it, it leaks memory until it crashes the device

                                                                                                                                            • unwind 11 days ago

                                                                                                                                              No, the reply from the Ui employee specifically mentions in which fw release that bug was fixed.

                                                                                                                                              • arpa 11 days ago

                                                                                                                                                That in and by itself is hair-raising! It's absolutely, obviously, crassly obvious that Ui's only concern was getting the telemetry out and everything else (like failure modes) was an afterthought. It paints a picture the crowd here are probably very familiar with: Upper mgmt needs this feature a month ago, go implement it asap. No PM, no architect, no nothing, just C-level straight to a dev...

                                                                                                                                                • tebruno99 11 days ago

                                                                                                                                                  Software is complex and bugs happen everywhere, the firmware wasn't even released yet (it was an opt-in beta) when the bug occurred. I don't like this any more than the next guy but beta is BETA for a reason, to find bugs.

                                                                                                                                              • ghostpepper 11 days ago

                                                                                                                                                Did this happen to you? I'd be interested in more information.

                                                                                                                                        • lousken 11 days ago

                                                                                                                                          No way to opt out? Seriously? This kind of telemetry BS where you have to set up firewalls is really getting on my nerves, after microsoft started doing it it seems like every company considers this behavior acceptable.

                                                                                                                                          I guess hiring real testers isn't cool anymore.

                                                                                                                                          • jlgaddis 11 days ago

                                                                                                                                            According to Ubiquiti:

                                                                                                                                            > There is no on/off switch but there also are no penalties for blocking Internet access to the device, dropping traffic to this host, and/or blocking it via DNS.

                                                                                                                                            ---

                                                                                                                                            > I guess hiring real testers isn't cool anymore.

                                                                                                                                            Have you used any Ubiquiti products? I'm not sure that they ever hired "real testers".

                                                                                                                                            • lousken 11 days ago

                                                                                                                                              Yea, we use it at our company, 6 AC-LR APs managed with unifi controller 5.6. Have been working without any issues so far.

                                                                                                                                              • o-__-o 11 days ago

                                                                                                                                                Meanwhile I have two that just randomly reboot causing hell. Great hardware but it’s so unreliable

                                                                                                                                                • stephen_g 11 days ago

                                                                                                                                                  That could just be an unlucky coincidence that you have two with some kind of hardware fault... Sounds best to just RMA them. None of our Ubiquiti stuff does anything like that so I can’t believe that’s in any way normal.

                                                                                                                                                  • o-__-o 10 days ago

                                                                                                                                                    2 out of 6 sounds like a QA problem

                                                                                                                                              • arpa 11 days ago

                                                                                                                                                > but there also are no penalties for blocking Internet access to the device, dropping traffic to this host, and/or blocking it via DNS.

                                                                                                                                                That's a nice network you have there. It'd be a shame if someone broke it because they couldn't phone home.

                                                                                                                                                • artificialLimbs 11 days ago

                                                                                                                                                  Installed 1x USG, 1x 8-150 Switch, 6x AC AP Pros for a 30,000sq. ft. church about a year ago now. Haven't had a call.

                                                                                                                                              • benjohnson 11 days ago

                                                                                                                                                Needs to be opt in: Some of my customers would be happy to have crash logs sent to Ubiquiti. Others that fall under HIPAA or PCI need this turned off - otherwise I'll have to bill them to block it at the DNS level.

                                                                                                                                                • 1over137 11 days ago

                                                                                                                                                  Do they use DNS? If they use DoH or just IPs, then that won't help you.

                                                                                                                                                  • repiret 10 days ago

                                                                                                                                                    If your AP has access to PHI in the first place, that seems like a problem.

                                                                                                                                                  • kristaps1990 10 days ago

                                                                                                                                                    Ubiquiti posted an official update on this https://community.ui.com/questions/Update-UniFi-Phone-Home-P...

                                                                                                                                                    • system2 11 days ago

                                                                                                                                                      I spent countless thousands of dollars for Ubiquiti products for our clients.

                                                                                                                                                      Why would it be so hard to make it optional? Why? I just can't wrap my head around it. Why are you forcing us to send our data, no matter how encrypted or not? We purchased these for security and privacy.

                                                                                                                                                      Ubiquiti, pull yourself together. We will stop buying, you will lose.

                                                                                                                                                      • fzil 11 days ago

                                                                                                                                                        Wow, can't really trust anyone nowadays. I feel like it's a losing battle that privacy conscious people are fighting. It feels like every single company is edging towards this dystopian future.

                                                                                                                                                        • jchw 11 days ago

                                                                                                                                                          Sigh. I thought about trying an open source router before settling on a Ubiquity AP + USG. It seemed like a solid investment, into a company that was pretty well trusted.

                                                                                                                                                          The lesson I’m learning is, maybe it’s worth it to pay more to get less sometimes.

                                                                                                                                                          • Nextgrid 11 days ago

                                                                                                                                                            Any chance you can return it under warranty? You could claim the product is now defective as it’s spying on you.

                                                                                                                                                            If anything, it’ll waste their time a little bit and if enough people do this they’ll reconsider this decision.

                                                                                                                                                            • jchw 10 days ago

                                                                                                                                                              I've had it for long enough that I am not sure.

                                                                                                                                                              I think my best bet would be to install OpenWRT on the AP and sell + replace the USG. Not sure with what. It'd be kind of cool if I could have a router running NixOS so I could keep the configuration declarative, but pfSense is the obvious preferred choice in the community, so maybe I will just get a device designed to run pfSense.

                                                                                                                                                              I dunno if messing with tech support will really "send a message," so I will just send feedback through the regular channels. Chances are, it will get ignored. Chances are pretty much anyone that isn't a huge customer doesn't matter.

                                                                                                                                                            • gonesilent 11 days ago

                                                                                                                                                              USG is horrible, use opnsense or pfsense.

                                                                                                                                                            • _iyig 11 days ago

                                                                                                                                                              Disappointing; I just wired my home with Ubiquiti equipment, and now it looks like I may have to tear it all out.

                                                                                                                                                              Has anyone recently set up a custom home router, switch, and/or WiFi AP? Any tutorials or examples you could recommend?

                                                                                                                                                              • nothingnewhere 11 days ago

                                                                                                                                                                MikroTik - learn it and you will not regret it. Buy hAP AC2 devices - powerful yet cheap, lifelong free OS upgrades, they offer much more than UBNT devices.

                                                                                                                                                                • eps 11 days ago

                                                                                                                                                                  I've been on the receiving end of troubleshooting MikroTik-centric bugs and they really make you go Hmmm. Not because they are bad, but because they are of a kind that you'd see in code hacked together over a weekend while chugging down some beers. An amateur job basically, with a glaring lack of quality control.

                                                                                                                                                                  I wouldn't touch MikroTiks with a long pole.

                                                                                                                                                                • kazen44 11 days ago

                                                                                                                                                                  you could also look into (older) enterprise equipment.

                                                                                                                                                                  Aruba AP's can be had quite cheaply, and they have an integrated controller as well.

                                                                                                                                                                • hameedullah 11 days ago

                                                                                                                                                                  I use Ubiquiti and had recommended them just last week to somebody, but I am going to switch to another vendor who is more open about these things.

                                                                                                                                                                  The fact that they sneaked the call home in without any opt-in is bad and fishy, and even after it was raised by the community they are not willing to provide opt-in. They want the users to disable the access to the host name and blah blah, which is not feasible for most home users.

                                                                                                                                                                • muppetman 11 days ago

                                                                                                                                                                  EDIT: I'm wrong - 4.0.66 has been promoted to stable. The rest of this post, while sort of still valid, is incorrect.

                                                                                                                                                                  This is in a BETA version of the firmware. BETA. You have to sign up to get access to the BETA area. So yes, while integrating tracking etc isn't a great idea, it might also help debug crashes/problems in the BETA firmware people are running.

                                                                                                                                                                  Now, if this rolls out to the stable channel, then sure, pass me a pitchfork too. But until then, you've got to opt-in to test the BETA software, and you know what you're signing up for - BETA quality software.

                                                                                                                                                                  I'm almost surprised Ubiquiti give regular folk access to the beta software, because the users treat it like production, roll it out into production, then complain.

                                                                                                                                                                • purpleidea 11 days ago

                                                                                                                                                                  Their "protect" camera line doesn't work properly unless it can connect to the internet.

                                                                                                                                                                  Now this...

                                                                                                                                                                  What company's hardware should I buy instead for Linux friendly AP's and cameras?

                                                                                                                                                                  • rsync 11 days ago

                                                                                                                                                                    Sounds just like Sonos.

                                                                                                                                                                    Slowly, over 10+ years, trending towards removing control and usability and funneling their use-case to an online-only, subscription based, neurotic consumption model.

                                                                                                                                                                    Ironically, I was just in the process of migrating my home, my office and my local volunteer fire department to an all-ubiquiti network+camera platform ...

                                                                                                                                                                    God dammit.

                                                                                                                                                                    • jrcii 11 days ago

                                                                                                                                                                      I wouldn’t touch their cameras with a 10-foot pole anyway because they don’t follow the ONVIF spec and so can’t interoperate with anything else (vendor lock-in).

                                                                                                                                                                    • 8fingerlouie 10 days ago
                                                                                                                                                                      • jlgaddis 11 days ago

                                                                                                                                                                        Don't bother reading through the responses -- it's mostly others arguing about what GDPR is or isn't. Ubiquiti's official response [0] is near the bottom of the thread:

                                                                                                                                                                        > We have started to gather crashes and other critical events strictly for the purpose of improving our products. Any data collected is completely anonymized, GDPR compliant, transmitted using end-to-end encryption and encrypted at rest. There is no on/off switch but there also are no penalties for blocking Internet access to the device, dropping traffic to this host, and/or blocking it via DNS.

                                                                                                                                                                        > ...

                                                                                                                                                                        > The memory leak that you reference above was a bug specific to release 4.0.60 which was fixed as of 4.0.61.

                                                                                                                                                                        [0]: https://community.ui.com/questions/UI-official-urgent-please...

                                                                                                                                                                        • antoinevg 11 days ago

                                                                                                                                                                          We specifically invested in UI equipment because it respected the boundaries of our networks.

                                                                                                                                                                          If this is their final position we will no longer be purchasing UI hardware moving forward.

                                                                                                                                                                          • journalctl 11 days ago

                                                                                                                                                                            “You can block the traffic, but we’re counting on 99% of users not doing that, so.”

                                                                                                                                                                            • berti 11 days ago

                                                                                                                                                                              > There is no on/off switch but there also are no penalties for blocking Internet access to the device, dropping traffic to this host, and/or blocking it via DNS.

                                                                                                                                                                              Sigh. More junk that requires micro-management.

                                                                                                                                                                              • mokus 11 days ago

                                                                                                                                                                                Is it even possible for this to be GDPR-compliant without even a way to opt out? I’m not very well-read in the subject, but I thought stuff like this had to be opt-in under GDPR?

                                                                                                                                                                                • simpss 11 days ago

                                                                                                                                                                                  It's impossible to verify as we don't know what data is actually being sent. But there's a hint in the ToS and that doesn't sound very anonymized.

                                                                                                                                                                                  -----------------------

                                                                                                                                                                                  From their privacy policy: https://www.ui.com/legal/privacypolicy/#c1

                                                                                                                                                                                  The Usage Data that we collect may include information such as your device data, including your mobile devices, sensor data, device signals, device parameters, device identifiers that may uniquely identify your devices, including your mobile device, web request, Internet Protocol address, browser type, browser language, referring/exit pages and URLs, platform type, the date and time of your request, and one or more cookies that may uniquely identify your devices or browser. IN ADDITION, WE MAY AUTOMATICALLY COLLECT LOCATION INFORMATION (INCLUDING LATITUDE AND LONGITUDE), PERFORMANCE DATA, MOTION DATA, TEMPERATURE DATA, POWER USAGE DATA, AND ANY DATA OR SIGNALS COLLECTED BY THE DEVICES AS PART OF THE USAGE DATA. WE DO NOT COLLECT THE CONTENTS OF ANY COMMUNICATIONS THAT PASS THROUGH OUR DEVICES OR SERVICES.

                                                                                                                                                                                  -----------------------

                                                                                                                                                                                  By this description, it certainly isn't GDPR compliant. Device identifiers/data etc. are PII in the GDPR context and require a legal basis for processing.

                                                                                                                                                                                  • 0xcde4c3db 11 days ago

                                                                                                                                                                                    As far as I know, GDPR only applies to data that somehow relates to a person. If telemetry e.g. only sent build number + backtrace for crashes and the IP address wasn't logged, it seems like that would be allowed under GDPR.

                                                                                                                                                                                    • dvdkhlng 11 days ago

                                                                                                                                                                                      How does it send back data without revealing the source IP address? :)

                                                                                                                                                                                      • 0xcde4c3db 10 days ago

                                                                                                                                                                                        I don't think GDPR attaches to every piece of data that one could hypothetically observe.

                                                                                                                                                                                        • chopin 10 days ago

                                                                                                                                                                                          It attaches to data you actually observe. I am sure the IP address is part of that. Enough to make the thing GDPR relevant.

                                                                                                                                                                                          If someone complains they're going to have a bad time.

                                                                                                                                                                                • mokus 11 days ago

                                                                                                                                                                                  Ok, I’m trying to set up a block for this within the unifi interface itself. Looks like the best option is a firewall rule dropping all “wan out” traffic originating from my access point. Am I missing a better option?

                                                                                                                                                                                  • vetinari 11 days ago

                                                                                                                                                                                    I would prefer returning NXDOMAIN for that host; with blocked IPs, once ubnt changes their dns, your rules will be obsolete.

                                                                                                                                                                                    On the other hand, I never understood how to configure dnsmasq on USG in a permanent way (not only blocking hosts, but also static SRV and TXT records). It is supposed to be done via gateway.config.js, but finding the right JSON keywords is the issue. Is there someone who can drop some hints?

                                                                                                                                                                                    • mokus 11 days ago

                                                                                                                                                                                      That’s why I’m blocking ALL destinations. I don’t think any valid packets out of my network need to have my AP itself as source addr.
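Checking that either mitigation from this exchange actually holds is an added example, not code from the thread or from Ubiquiti: it audits constructed dnsmasq (`log-queries`) and netfilter LOG lines for an AP's attempts to reach the reporting host, counting sinkholed DNS answers and dropped WAN-bound packets. The AP address `192.168.1.20`, the host name `telemetry.example.invalid` and the log prefixes are placeholders, since the thread never names the real host.

```python
"""Audit gateway logs to confirm an AP's phone-home attempts are contained.

Two mitigations are checked: a DNS sinkhole (dnsmasq answering NXDOMAIN for
the reporting host) and a firewall rule dropping WAN-bound traffic whose
source address is the AP itself. All names and addresses are hypothetical
placeholders; the sample log lines below are constructed, not captured.
"""
import re

AP_IP = "192.168.1.20"                        # placeholder AP address
TELEMETRY_HOST = "telemetry.example.invalid"  # placeholder reporting host

# dnsmasq with `log-queries`: one line per query, one line per answer.
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>A|AAAA)\] (?P<name>\S+) from (?P<src>\S+)")
ANSWER_RE = re.compile(
    r"dnsmasq\[\d+\]: (?:config|reply|cached) (?P<name>\S+) is (?P<answer>\S+)")
# netfilter LOG target output (iptables ... -j LOG --log-prefix "NAME: ").
NF_RE = re.compile(
    r"(?P<prefix>[A-Z0-9_-]+): IN=\S* OUT=(?P<out>\S*) .*?SRC=(?P<src>\S+) "
    r"DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)")


def sinkhole_line(host):
    """dnsmasq directive that answers NXDOMAIN for host (empty address field)."""
    return f"address=/{host}/"


def audit(lines, ap_ip=AP_IP, host=TELEMETRY_HOST):
    """Summarise what the AP tried and what the gateway did about it.

    dnsmasq answer lines carry no client address, so an answer is attributed
    to the AP only when it directly follows a matching query from the AP.
    """
    report = {"dns_queries": 0, "nxdomain": 0, "resolved_to": [],
              "dropped": 0, "passed_to": []}
    awaiting_answer = False
    for line in lines:
        q = QUERY_RE.search(line)
        if q:
            awaiting_answer = q["src"] == ap_ip and q["name"] == host
            if awaiting_answer:
                report["dns_queries"] += 1
            continue
        a = ANSWER_RE.search(line)
        if a:
            if awaiting_answer and a["name"] == host:
                if a["answer"] == "NXDOMAIN":
                    report["nxdomain"] += 1
                else:
                    report["resolved_to"].append(a["answer"])
            awaiting_answer = False
            continue
        n = NF_RE.search(line)
        # OUT= is empty for packets addressed to the gateway itself; only
        # forwarded (WAN-bound) packets sourced from the AP are of interest.
        if n and n["src"] == ap_ip and n["out"]:
            if "DROP" in n["prefix"]:
                report["dropped"] += 1
            else:
                report["passed_to"].append(n["dst"])
    return report


def contained(report):
    """True when nothing the AP sent toward the host resolved or left the LAN."""
    return not report["resolved_to"] and not report["passed_to"]


# Constructed sample: sinkhole and drop rule both in place.
BLOCKED_LOGS = [
    "Nov  5 10:00:01 gw dnsmasq[1234]: query[A] telemetry.example.invalid from 192.168.1.20",
    "Nov  5 10:00:01 gw dnsmasq[1234]: config telemetry.example.invalid is NXDOMAIN",
    "Nov  5 10:00:02 gw dnsmasq[1234]: query[A] example.org from 192.168.1.50",
    "Nov  5 10:00:02 gw dnsmasq[1234]: reply example.org is 198.51.100.7",
    "Nov  5 10:00:31 gw dnsmasq[1234]: query[AAAA] telemetry.example.invalid from 192.168.1.20",
    "Nov  5 10:00:31 gw dnsmasq[1234]: config telemetry.example.invalid is NXDOMAIN",
    "Nov  5 10:00:32 gw kernel: AP-WAN-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.20 "
    "DST=203.0.113.5 LEN=60 PROTO=TCP SPT=41234 DPT=443",
]

# Constructed sample: neither mitigation applied; the attempt gets through.
LEAKY_LOGS = [
    "Nov  5 11:00:01 gw dnsmasq[1234]: query[A] telemetry.example.invalid from 192.168.1.20",
    "Nov  5 11:00:01 gw dnsmasq[1234]: cached telemetry.example.invalid is 203.0.113.5",
    "Nov  5 11:00:02 gw kernel: AP-WAN-ACCEPT: IN=eth1 OUT=eth0 SRC=192.168.1.20 "
    "DST=203.0.113.5 LEN=60 PROTO=TCP SPT=41235 DPT=443",
]

if __name__ == "__main__":
    for label, logs in (("blocked", BLOCKED_LOGS), ("leaky", LEAKY_LOGS)):
        r = audit(logs)
        print(label, r, "contained" if contained(r) else "NOT contained")
    print("dnsmasq sinkhole directive:", sinkhole_line(TELEMETRY_HOST))
```

Feed it `journalctl`/syslog output from the gateway to see whether the AP is still getting answers or passing the firewall, and from which log lines.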

                                                                                                                                                                                  • dillonmckay 11 days ago

                                                                                                                                                                                    I ordered an Edge Router that is supposed to be delivered this week.

                                                                                                                                                                                    I intend to return it and use a pfSense ‘official’ hardware device.

                                                                                                                                                                                    • Daneel_ 11 days ago

                                                                                                                                                                                      +1 for pfsense (or OPNSense if you want a better management team)

                                                                                                                                                                                      • gonzo 11 days ago

                                                                                                                                                                                        Thank you!

                                                                                                                                                                                      • shantara 11 days ago

                                                                                                                                                                                        There's a one line mention of "[HW] Crash and critical event reporting" in the changelog:

                                                                                                                                                                                        https://community.ui.com/releases/UAP-USW-Firmware-4-0-66-10...

                                                                                                                                                                                        • jlgaddis 11 days ago

                                                                                                                                                                                          All of Ubiquiti's changelogs consist exclusively of short one-liners such as this -- and pretty much useless.

                                                                                                                                                                                          It's like they just copy and paste the 50-character commit messages or something.

                                                                                                                                                                                          • mhluongo 11 days ago

                                                                                                                                                                                            I hope their commit messages are better than that >:|

                                                                                                                                                                                            • artificialLimbs 11 days ago

                                                                                                                                                                                              I'd be surprised. Here's an actual quote from one of their changelogs: "Do not choose the skip option when running the Migrate Site wizard. If you do your devices may end up in a weird state."

                                                                                                                                                                                        • noodlesUK 11 days ago

                                                                                                                                                                                          Stop this madness. This is networking equipment aimed at a highly technically proficient base of users. Much like gitlab, this hardware is often going to be used by people in more security and privacy conscious environments. This kind of phoning home is absolutely fine if the user is informed and the data that is being sent is clearly explained, and there’s an easy opt out.

                                                                                                                                                                                          I bought unifi equipment because I was fed up of typical consumer equipment (and meraki) requiring subscriptions and phoning home all the time. WRT the GDPR stuff, I’m pretty sure a network admin can’t consent on behalf of all the users of the network...

                                                                                                                                                                                          • Gonzih 11 days ago

                                                                                                                                                                                            It amazes me that in some cases brand love can overpower common sense. When an OP concerned about privacy and security is told by loyal brand users to "give it up". I wonder if companies realize the power of blind brand loyalty and utilize this to their own advantage.

                                                                                                                                                                                            • Fej 10 days ago

                                                                                                                                                                                              What are good alternatives to Ubiquiti for (fairly) inexpensive and high-performance APs?

                                                                                                                                                                                              They are cheap enough to be viable for home use. Does any other company make business-grade APs at that rough price point?

                                                                                                                                                                                              • kuon 11 days ago

                                                                                                                                                                                                I use Ubiquiti hardware in my house, and I was already concerned by the quality of their UI. It filled the disk once with MongoDB logs (5 TiB!) and crashed my home server; now it is running in a chroot with limited disk access, but that was a pain to set up.

                                                                                                                                                                                                Anyway, I am looking into alternatives but I can't find anything yet. I only need WiFi APs that can work together for roaming. I would love open source, and would pay a premium to support an open source solution.

                                                                                                                                                                                                • sqldba 11 days ago

                                                                                                                                                                                                  Wow the responses in that thread are toxic as hell.

                                                                                                                                                                                                  • caseyf7 11 days ago

                                                                                                                                                                                                    Ubiquiti owners are not happy after the app outage on Halloween that wasn’t disclosed on their status site. They’re also not happy Ubiquiti apps require logging in through their cloud service vs directly to the device.

                                                                                                                                                                                                    • tjoff 11 days ago

                                                                                                                                                                                                      They changed it so you can't log in locally?

                                                                                                                                                                                                      I still do. But I haven't updated the app in a while since they changed the EULA.

                                                                                                                                                                                                      • Macha 11 days ago

                                                                                                                                                                                                        I recently set up a new controller + USG + UniFi switch and reset my AP-AC. It's definitely still optional as of last week.

                                                                                                                                                                                                      • jlgaddis 11 days ago

                                                                                                                                                                                                        The thread predates Halloween by a week.

                                                                                                                                                                                                      • tbyehl 11 days ago

                                                                                                                                                                                                        Stockholm syndrome.

                                                                                                                                                                                                      • surfsvammel 11 days ago

                                                                                                                                                                                                        I am not sure how to evaluate this. I’m about to buy quite a lot of UI hardware in January. If this is it, and they implement an opt-in/opt-out feature, I’ll definitely see it as positive (that they listened to the community); if not, then I don’t know what to think.

                                                                                                                                                                                                        The question of hardware for my January setup, which I thought settled, just got reopened again.

                                                                                                                                                                                                        • tlrobinson 11 days ago

                                                                                                                                                                                                          I love the UniFi “single pane of glass” management interface. Are there any similar open source systems that work via SNMP or something?

                                                                                                                                                                                                          It seems like possibly a good opportunity for low end network hardware companies such as Netgear or TP-Link to collaborate with an open source project like pfSense.

                                                                                                                                                                                                          • awinter-py 11 days ago

                                                                                                                                                                                                            phone home without permission is always sleazy. smart states will make it grounds for a refund.

                                                                                                                                                                                                            • gaius_baltar 11 days ago

                                                                                                                                                                                                              Did somebody sniff what kind of request they use to send the data to the mothership?

                                                                                                                                                                                                              I have one of their devices here, I will be pretty glad to use some spare network capacity to send them a few thousand fake crash reports per hour. That's what they want, right?

                                                                                                                                                                                                              • arpa 11 days ago

                                                                                                                                                                                                                They claim to use end-to-end encryption. If it's implemented properly, none of us can.

                                                                                                                                                                                                                And while I understand your frustration and anger, DoSing someone is usually a bad idea.

                                                                                                                                                                                                                • sneak 11 days ago

                                                                                                                                                                                                                  A few thousand per hour is decidedly not a DoS.

                                                                                                                                                                                                              • rsync 11 days ago

                                                                                                                                                                                                                When I load the index for their forum:

                                                                                                                                                                                                                https://community.ui.com/questions

                                                                                                                                                                                                                ... this thread is not listed ... are they really hiding these comment threads?

                                                                                                                                                                                                              • samiamn 10 days ago

                                                                                                                                                                                                                Is it possible to send fake telemetry data back? That's the best way to combat these issues. Imagine an app that sends fake telemetry back to all these services making their data bunk.

                                                                                                                                                                                                                • ausjke 11 days ago

                                                                                                                                                                                                                  worked at ubiquiti before. the first thing I was told is that, "customer first", "customer first".

                                                                                                                                                                                                                  I never realized customer-first means violating GPL and call-home.

                                                                                                                                                                                                                  openwrt or vyos are good alternatives, however, both got minimal community support (sharing code or donation), especially openwrt, which is used by big vendors like tplink or xiaomi but they neither have contributed any code, nor have they sponsored/donated anything to the projects they're making huge money on, they're just bad-ass parasites.

                                                                                                                                                                                                                  • arminiusreturns 11 days ago

                                                                                                                                                                                                                    So I've been interested in whitebox networking and sdn (linux on switches/routers); what is the closest equivalent to Ubiquiti for APs that runs linux?

                                                                                                                                                                                                                    • tlrobinson 11 days ago

                                                                                                                                                                                                                      I’m wondering the same thing. It seems like a good opportunity for APs and switches to integrate nicely with something like pfSense or OPNSense.

                                                                                                                                                                                                                    • Thriptic 11 days ago

                                                                                                                                                                                                                      Can anyone provide a synopsis of what data is actually submitted and what exact states trigger the submission?

                                                                                                                                                                                                                      • jlgaddis 11 days ago

                                                                                                                                                                                                                        > ...crashes and other critical events...

                                                                                                                                                                                                                        I would not be surprised AT ALL to find that they aren't doing certificate validation, however... in which case it'd be trivial to MITM the connection and find out just what they're sending.

                                                                                                                                                                                                                        • arpa 11 days ago

                                                                                                                                                                                                                          That is a scenario that actually is good - because then at least you can know what goes out to the mothership. Otherwise, well, who knows. Maybe it's crash reports, maybe it's the names of your fetishes.

                                                                                                                                                                                                                        • simpss 11 days ago

                                                                                                                                                                                                                          as their official response[1] was pretty much "it's outlined in our policies and ToS" then here is what their privacy policy[2] says they collect:

                                                                                                                                                                                                                          -------------------

                                                                                                                                                                                                                          Usage Data. As described in this section, we may automatically collect information when you use the Services ("Usage Data"). The Usage Data that we collect may include information such as your device data, including your mobile devices, sensor data, device signals, device parameters, device identifiers that may uniquely identify your devices, including your mobile device, web request, Internet Protocol address, browser type, browser language, referring/exit pages and URLs, platform type, the date and time of your request, and one or more cookies that may uniquely identify your devices or browser. IN ADDITION, WE MAY AUTOMATICALLY COLLECT LOCATION INFORMATION (INCLUDING LATITUDE AND LONGITUDE), PERFORMANCE DATA, MOTION DATA, TEMPERATURE DATA, POWER USAGE DATA, AND ANY DATA OR SIGNALS COLLECTED BY THE DEVICES AS PART OF THE USAGE DATA. WE DO NOT COLLECT THE CONTENTS OF ANY COMMUNICATIONS THAT PASS THROUGH OUR DEVICES OR SERVICES.

                                                                                                                                                                                                                          -------------------

                                                                                                                                                                                                                          [1] - https://community.ui.com/questions/UI-official-urgent-please...

                                                                                                                                                                                                                          [2] - https://www.ui.com/legal/privacypolicy/#c1

                                                                                                                                                                                                                        • Bud 11 days ago

                                                                                                                                                                                                                          The link to the original thread seems to have been 404'd now. Did UI erase/hide it?

                                                                                                                                                                                                                          • gonzo 10 days ago

                                                                                                                                                                                                                            new statement from Ubiquiti stating they'll add an opt-out button in a future release. https://community.ui.com/questions/Update-UniFi-Phone-Home-P...

                                                                                                                                                                                                                            • dbdjfjrjvebd 11 days ago

                                                                                                                                                                                                                              Well I won't buy or recommend any more Ubiquiti hardware.

                                                                                                                                                                                                                              I wonder if companies really understand how much stupid decisions like this taint their brand.

                                                                                                                                                                                                                              • kanetoad 10 days ago

                                                                                                                                                                                                                                About turn! Was just about to freshen up a site using Ubiquiti, forget that!

                                                                                                                                                                                                                                • bayindirh 11 days ago

                                                                                                                                                                                                                                  Looks like 2019 will be the year of tracking and surveillance on every front.

                                                                                                                                                                                                                                  • mychael 10 days ago

                                                                                                                                                                                                                                    I have lost all trust in Ubiquiti at this point.

                                                                                                                                                                                                                                    • Jonnax 11 days ago

                                                                                                                                                                                                                                      Not much details on the forum thread.

                                                                                                                                                                                                                                      Has anyone extracted the data they send?

                                                                                                                                                                                                                                      Also I was under the impression that GDPR says that IPs are personal data.

                                                                                                                                                                                                                                      I can't imagine crash data from a router wouldn't include that.

                                                                                                                                                                                                                                      Also it seems like they didn't inform users, but secretly put this in an update.

                                                                                                                                                                                                                                      • sschueller 11 days ago

                                                                                                                                                                                                                                        Doesn't this violate the GDPR? How are they going to opt-in Europe and not everyone else?

                                                                                                                                                                                                                                        • Nyashka 11 days ago

                                                                                                                                                                                                                                          I found a funny problem with Ubiquiti access points. They don't broadcast country code, so a neighbouring access point doing so may easily make a Ubiquiti network unusable (many devices, especially macs, disconnect automatically in case they see cc discrepancies).

                                                                                                                                                                                                                                          It may make a nice attack on Ubiquiti-based infrastructure; their customer support ignores me and nearly advises me to sell the hardware and buy something else.

                                                                                                                                                                                                                                          • mtgx 11 days ago

                                                                                                                                                                                                                                            Very disappointing. I was considering buying one of their routers next. Not anymore. This is unacceptable for a router.

                                                                                                                                                                                                                                            • ownbusiness 11 days ago

                                                                                                                                                                                                                                              Such an amazing, just exciting to next one!

                                                                                                                                                                                                                                              • 8fingerlouie 11 days ago

                                                                                                                                                                                                                                                While I’m opposed to companies trying to extract “telemetry” data like they own it, I think most responses in this thread are overreacting.

                                                                                                                                                                                                                                                The equipment phones home, but realistically what can it transmit? Things like number of devices connected, IP scope, network neighbors, public IP, MAC addresses, and of course the traffic itself.

                                                                                                                                                                                                                                                I think it’s safe to assume that it’s not sending the traffic, as we’d have noticed on the firewall egress.

                                                                                                                                                                                                                                                Public IP and MAC addresses are bad, and probably conflicting with the GDPR as these can be used to identify you, especially if coupled with your account. As UBNT states in the comments, they claim to be GDPR compliant, with data anonymized, so we can assume they’re not gathering these as well.

                                                                                                                                                                                                                                                That leaves device statistics, such as clients connected, memory/cpu used, private IP ranges. Are those really that bad?

                                                                                                                                                                                                                                                UBNT also states there is no penalty for blocking these devices from contacting the internet, and while I would prefer an opt-in solution, it’s no worse than when Microsoft invented “opt out by renaming your WiFi or we share your password with friends of friends”

                                                                                                                                                                                                                                                • wutanc 11 days ago

                                                                                                                                                                                                                                                  Also worth noting that they originally had a bug where the APs would crash if you did actually block this data from being sent.

                                                                                                                                                                                                                                                  • Silhouette 11 days ago

                                                                                                                                                                                                                                                    > The equipment phones home, but realistically what can it transmit ?

                                                                                                                                                                                                                                                    It doesn't matter. That's the point. If you're at all serious about privacy and security, any unauthorised exfiltration of data from your system is a problem.

                                                                                                                                                                                                                                                    • wutanc 11 days ago

                                                                                                                                                                                                                                                      Given that they've commented on the fact that all traffic is end-to-end encrypted, you'd not notice them sending things you don't want to be sent.

                                                                                                                                                                                                                                                      Maybe they're sending a list of all sites you visit? How about them sending any login information that you add on sites that for whatever reason aren't doing tls?

                                                                                                                                                                                                                                                      One important point here is that they "claim" to be GDPR compliant but are already somewhat breaking GDPR. All data is encrypted on the APs so we can't really know what is sent. This is a complete buy-in in trust from us, the customers. We're supposed to trust them that they're not sending anything they shouldn't, even though they chose not to tell us at all about them implementing this.

                                                                                                                                                                                                                                                      It's horribly sketchy at best, if not illegal.

                                                                                                                                                                                                                                                      • 8fingerlouie 11 days ago

                                                                                                                                                                                                                                                        I would certainly have preferred to be informed beforehand, as well as opting in, and the whole "oh by the way, we do this now, and we only tell you because someone discovered it" approach is extremely sketchy.

                                                                                                                                                                                                                                                        That is of course assuming that the GDPR is being honoured, and that's a pretty big if. Most European companies are still struggling to be compliant, as _EVERYTHING_ that can identify you as an individual is to be handled. It also includes backups, and also when the authorities require you to store data for 5-15 years, but also allow the right to be forgotten.

                                                                                                                                                                                                                                                        I know we've had our fun devising a scheme to delete records from archived backups.

                                                                                                                                                                                                                                                        The only way to check is to request your personal data from UBNT. The GDPR allows this free of charge, and they're obligated to hand over all personal information they have on you.

                                                                                                                                                                                                                                                        In any case, I already block all internet access for networking equipment, and based on this I added trace.svc.ui.com to PFBlockerNG, just to make it resolve to something local.
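Added example, not code from the thread or from Ubiquiti: an egress audit that scans DNS query logs for lookups of the trace.svc.ui.com hostname named above, reports which clients on the network-gear VLAN (and which outside it) tried to resolve it, and emits an Unbound-style redirect override that makes the name resolve to a local address, which is what the sinkhole approach described above does. The log format, the 10.20.0.0/24 VLAN and all sample lines are constructed for the example; the override is plain unbound.conf syntax, not PFBlockerNG's own output.

```python
"""Egress audit for a phone-home hostname seen in DNS query logs."""
import ipaddress
import re
from collections import Counter

# Hostname named in the thread; the management VLAN is a hypothetical value.
PHONE_HOME_HOSTS = {"trace.svc.ui.com"}
NETGEAR_VLAN = ipaddress.ip_network("10.20.0.0/24")  # assumption: where APs live

# Constructed log format: "<timestamp> query <qname> <qtype> from <client_ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) query (?P<qname>\S+?)\.? (?P<qtype>[A-Z]+) from (?P<client>\S+)$"
)

# Constructed sample log: two APs on the gear VLAN plus one unexpected client.
SAMPLE_LOG = """\
2019-11-01T10:00:01Z query trace.svc.ui.com A from 10.20.0.11
2019-11-01T10:00:01Z query trace.svc.ui.com AAAA from 10.20.0.11
2019-11-01T10:00:07Z query news.ycombinator.com A from 10.30.0.44
2019-11-01T10:05:13Z query trace.svc.ui.com. A from 10.20.0.12
2019-11-01T10:06:40Z query trace.svc.ui.com A from 10.30.0.44
malformed line that should be skipped
"""


def parse_line(line):
    """Return (qname, client_ip) for a well-formed query line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        client = ipaddress.ip_address(m.group("client"))
    except ValueError:
        return None
    # Normalise case and drop a trailing dot so "host." and "host" compare equal.
    return m.group("qname").lower().rstrip("."), client


def audit(log_text, hosts=PHONE_HOME_HOSTS, vlan=NETGEAR_VLAN):
    """Count lookups of the phone-home hostnames per client.

    Returns {"on_vlan": {ip: count}, "outside_vlan": {ip: count}}. Lookups
    from outside the gear VLAN are kept separate so an unexpected source
    (for example a laptop running the controller app) stands out.
    """
    on_vlan, outside = Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of aborting the audit
        qname, client = parsed
        if qname not in hosts:
            continue
        if client in vlan:
            on_vlan[str(client)] += 1
        else:
            outside[str(client)] += 1
    return {"on_vlan": dict(on_vlan), "outside_vlan": dict(outside)}


def sinkhole_config(hosts=PHONE_HOME_HOSTS, target="127.0.0.1"):
    """Unbound local-zone redirect so the name resolves locally, not to NXDOMAIN.

    Redirecting rather than refusing the lookup matters because the thread
    reports an earlier firmware bug where APs crashed when the upload was blocked.
    """
    lines = []
    for host in sorted(hosts):
        fqdn = host.rstrip(".") + "."
        lines.append(f'local-zone: "{fqdn}" redirect')
        lines.append(f'local-data: "{fqdn} A {target}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for scope, clients in report.items():
        for ip, n in sorted(clients.items()):
            print(f"{scope}: {ip} looked up a phone-home host {n} time(s)")
    print(sinkhole_config(), end="")
```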

                                                                                                                                                                                                                                                        • wutanc 11 days ago

                                                                                                                                                                                                                                                          Yeah, all this screams sketchy sadly.

                                                                                                                                                                                                                                                          I know first hand how hard it is to get GDPR right, I've been extensively involved in updating systems to comply. It's a lot of hard work and talking back and forth with lawyers to make sure we don't do anything stupid.

                                                                                                                                                                                                                                                    • mgraczyk 11 days ago

                                                                                                                                                                                                                                                      As a developer who has relied on crash reports countless times in the past for fixing bugs and improving products, I applaud Ubiquiti for taking a principled stance and choosing what is best for most of their users.

                                                                                                                                                                                                                                                      I wish more companies would stand their ground and refuse to cave to a vocal, but demonstrably toxic minority.

                                                                                                                                                                                                                                                      • TimTheTinker 11 days ago

                                                                                                                                                                                                                                                        Whatever happened to serving customers being the top priority? That’s how you make money - by selling something that serves people’s needs and wants.

                                                                                                                                                                                                                                                        In this case, Ubiquiti’s actions are particularly irksome because they’re changing a product after its sale to do something that would have caused many customers to avoid purchasing it in the first place if it had shipped that way — and without giving customers an easy way to turn it off.

                                                                                                                                                                                                                                                        • mgraczyk 11 days ago

                                                                                                                                                                                                                                                          Curious to hear how this change could harm any customer. Judging by the vitriol and strong language in this thread, there must be some grievous harm telemetry causes that I am not aware of.

                                                                                                                                                                                                                                                          • monkeywork 11 days ago

                                                                                                                                                                                                                                                            Lack of transparency - lack of communication - lack of at the very least an opt-out.

                                                                                                                                                                                                                                                            Lack of Transparency: No specific details on what or when they transmit.

                                                                                                                                                                                                                                                            Lack of Communication: Didn't tell customers they were putting this in place.

                                                                                                                                                                                                                                                            Forcing customers to employ additional network security on a network device if they don't trust what you're doing ... which is hard to do given the lack of transparency and communication.

                                                                                                                                                                                                                                                            >there must be some grievous harm telemetry causes that I am not aware of.

                                                                                                                                                                                                                                                            What you're not aware of is the same thing the rest of us aren't aware of ... and that is what is actually sent and what triggers that etc.

                                                                                                                                                                                                                                                            • noodlesUK 11 days ago

                                                                                                                                                                                                                                                              What is a “crash report”? Is it just a log saying that the machine crashed? Is it a core dump? Is there PII in the logs? Does it expose information that is protected by law? It’s not the fact that there’s telemetry, it’s that it wasn’t communicated well so people can mitigate risks. This shows that there isn’t a culture of paying attention to this sort of thing over business intelligence.

                                                                                                                                                                                                                                                              • Silhouette 11 days ago

                                                                                                                                                                                                                                                                > It’s not the fact that there’s telemetry, it’s that it wasn’t communicated well so people can mitigate risks.

                                                                                                                                                                                                                                                                I respectfully disagree. It is also the fact that there's telemetry. It is not OK for me to punch you in the face just because I tell you I'm going to do it first. You shouldn't have to mitigate that risk. The risk wouldn't exist if I weren't punching you in the face.

                                                                                                                                                                                                                                                              • dbdjfjrjvebd 11 days ago

                                                                                                                                                                                                                                                                Do you mind if I send someone to sit in your office/living room taking notes on conversations and reporting them back to me?

                                                                                                                                                                                                                                                                That is telemetry.

                                                                                                                                                                                                                                                            • arkades 11 days ago

                                                                                                                                                                                                                                                              In what way is not providing a heads-up that this was being introduced and refusing to add an opt-out a “principled stand” for the benefit of their users?

                                                                                                                                                                                                                                                              • journalctl 11 days ago

                                                                                                                                                                                                                                                                Screw that. My goddamn router doesn’t need to be phoning home. Have we lost our minds?

                                                                                                                                                                                                                                                                • mgraczyk 11 days ago

                                                                                                                                                                                                                                                                  I'd be interested to hear a plausible explanation for how this could negatively affect users in any way.

                                                                                                                                                                                                                                                                  • pdkl95 11 days ago

                                                                                                                                                                                                                                                                    It's not the user's responsibility to justify why they don't want you eavesdropping on their property. Even if you manufactured the device, it's not your property after you sold it.

                                                                                                                                                                                                                                                                    It's your responsibility as the manufacturer to ask for permission if you want to observe someone's private property in any way.

                                                                                                                                                                                                                                                                    > demonstrably toxic minority.

                                                                                                                                                                                                                                                                    Standing up for property rights is toxic? Just because software made it easy to observe and/or control a device after the 1st sale doesn't give you the right to eavesdrop on other people's property (or vandalize it with an unwanted, forced update).

                                                                                                                                                                                                                                                                    • monkeywork 11 days ago

                                                                                                                                                                                                                                                                      It breaks trust.

                                                                                                                                                                                                                                                                      The phoning home isn't the issue - it's the lack of communicating it and lack of offering an ability to turn it off that is the problem. A vocal minority may grab pitchforks if it's opt-out rather than opt-in but most would be fine with it.... Ubiquiti did it one worse and didn't even offer opt-out.

                                                                                                                                                                                                                                                                      Instead you have your network device provider saying - well if you don't want our devices to call home use another device in front of us to block it.

                                                                                                                                                                                                                                                                      So the core issue is trust and basic respect for your clearly technical and security minded customers.

                                                                                                                                                                                                                                                                      • kadoban 11 days ago

                                                                                                                                                                                                                                                                        Well, for one it crashed your device periodically if your network was not set up to allow that connection.

                                                                                                                                                                                                                                                                        That's more than plausible, it already happened.

                                                                                                                                                                                                                                                                        They fixed that, but now, what's in the telemetry they're sending? Any bugs causing it to send PII in any circumstance?

                                                                                                                                                                                                                                                                    • zeeZ 11 days ago

                                                                                                                                                                                                                                                                      The proper way to do this IMHO would be to first not sneak this in quietly. Then have those logs collected on the controller, where they can be reviewed and manually submitted.

                                                                                                                                                                                                                                                                      • wutanc 11 days ago

                                                                                                                                                                                                                                                                        I can understand them wanting logs of crashes, it's a reasonable way to try and improve their service. Since you can use their APs with other controllers that would limit their collected data. Having the data being manually sent would also limit their collected data.

                                                                                                                                                                                                                                                                        I'm ok with them actually collecting data, as long as they're:

                                                                                                                                                                                                                                                                        * Open about what actual data is being collected.
                                                                                                                                                                                                                                                                        * Open about them actually collecting data and not sneaking it in.
                                                                                                                                                                                                                                                                        * Providing a way to opt-out.
                                                                                                                                                                                                                                                                        * Adding the proper GDPR documentation around this so as clearly not to break the law. As it is it's a grey zone, why not be clear about it.