On-Prem

Networks

You spoke, we didn't listen: Ubiquiti says UniFi routers will beam performance data back to mothership automatically

And good luck opting out of that one


Ubiquiti Networks is once again under fire for rewriting its telemetry policy after previously changing how its UniFi routers collect data without telling anyone.

These latest changes are mentioned in a new help document on the US manufacturer's website. The documentation differentiates between "personal data", which includes everything that identifies a specific individual, and "other data", which is everything else.

The page states that while users can continue to eschew having their "personal data" collected, their "other data" – anonymous performance and crash information – will be "automatically reported".

This is a shift from Ubiquiti's last statement on data collection three months ago, which promised an opt-out button for all data collection in upcoming versions of its firmware.

A Ubiquiti representative confirmed in a forum post that the new changes will come into effect in firmware version 4.1 and onward, which isn't officially out yet, and that users can stop "other data" being automatically collected by manually editing a config file.

So, in short, you'll be able to choose whether you want to send personal info, but you'll have to edit a configuration file to prevent other data being sent. Which isn't quite the same as an opt-out-of-everything button, which is why folks are so upset.

70% of Windows 10 users are totally happy with our big telemetry slurp, beams Microsoft

READ MORE

"Yes, it should be updated when we go to public release, it's on our radar," the Ubiquiti forum rep wrote, and by it, they mean the wording in the software's user interface controlling the device's analytics. "But I can't guarantee it will be updated in time."

The drama unfolded when netizens grabbed their pitchforks and headed for the company's forums to air their grievances. "Come on UBNT," said user leonardogyn. "PLEASE do not insist on making it hard (or impossible) to fully and easily disable sending of Analytics data. I understand it's a great tool for you, but PLEASE consider that's [sic] ultimately us, the users, that *must* have the option to choose to participate on it."

The same user also pointed out that, even when the "Analytics" opt-out button is selected in the 5.13.9 beta controller software, Ubiquiti is still collecting some data. The person called the opt-out option "a misleading one, not to say a complete lie".

Other users were similarly outraged. "This was pretty much the straw that broke the camel's back, to be honest," said elcid89. "I only use Unifi here at the house, but between the ongoing development instability, frenetic product range, and lack of responsiveness from staff, I've been considering junking it for a while now. This made the decision for me – switching over to Cisco."

One user said that the firmware was still sending their data to two addresses even after they modified the config file.

Ubiquiti did not respond to The Register's requests for comments or clarification. ®

Send us news
59 Comments

Basecamp CEO issues apology after 'no political discussions at work' edict blows up in his face

30% of employees reportedly walked out following sudden rule change

Jason Fried, CEO of project management tool Basecamp, has issued a public apology following a major bust-up over new policies that discouraged employees from discussing "societal politics" at work.

Writing on the company's blog, Fried said: "Last week was terrible. We started with policy changes that felt simple, reasonable, and principled, and it blew things up culturally in ways we never anticipated. David [Heinemeier Hansson, CTO] and I completely own the consequences, and we're sorry. We have a lot to learn and reflect on, and we will."

The furore began on 26 April, when Fried published a list of changes to working conditions at Basecamp.

Continue reading

AWS to cut Python 2.7 off at the knees in July with 'minor version update' for Chalice

Seriously, it's time to move on

Amazon is the latest to drive a knife into the twitching corpse of Python 2 with an announcement that AWS Chalice will follow Lambda in nudging customers to later versions.

15 July is the cut-off date, which is generous considering the Python Software Foundation pulled the plug on fixes and support for Python 2 on 1 January 2020. AWS Lambda was supposed to follow suit on 1 June 2020 but, well, stuff happened in 2020 (in October support was stretched a little further until "at least 1 June 2021"). It took until 24 March 2021 for Amazon to settle on a death date for the tech.

Chalice is a framework for Lambda, and so will follow suit with what the cloud behemoth described as a "minor version update" that will require Python 3.6 or above (the Lambda crew recommends 3.8).

Continue reading

Aerospike adds set indexing and SQL expressions to make the distributed NoSQL database more ML-friendly

New Spark 3.0 connector will appeal to users too, analyst says

Distributed NoSQL database Aerospike is introducing set indexes and SQL operations within expressions in the pursuit of greater machine learning efficiency via its Apache Spark 3.0 connector.

Speaking to The Register, chief product officer Srini Srinivasan claimed the combined tweaks could help reduce the feedback cycle to improve ML models from days to hours.

A key-value and multi-modal database, Aerospike can run on the edge to support so-called real-time decisions based on pre-existing ML models in applications such as fraud detection. It is also used to feed data back into the ML model management commonly used by data pipeline platform Apache Spark to ensure models reflect changes to data patterns in the real world.

Continue reading

21 nails in Exim mail server: Vulnerabilities enable 'full remote unauthenticated code execution', millions of boxes at risk

Nearly 4 million to be exact, say researchers

Researchers at security biz Qualys discovered 21 vulnerabilities in Exim, a popular mail server, which can be chained to obtain "a full remote unauthenticated code execution and gain root privileges on the Exim Server."

Exim is a mail transfer agent (MTA), responsible for receiving and forwarding email messages. It runs primarily on Unix or Linux and is the default MTA on Debian - though Ubuntu and Red Hat Enterprise Linux use Postfix by default.

Some hosting companies use Exim to provide email services to their customers, and it was also popular in universities and other educational institutions (it was initially developed at the University of Cambridge in 1995) though many of these have transitioned to Office 365 or Google email, not least Cambridge itself.

Continue reading

Microsoft's Edge browser for Linux hits the Beta Channel... if you're into that kind of thing

Add yet another Chromium browser to your collection

Microsoft's Edge browser has taken another step to stability on Linux with the addition of the operating system to its Beta Channel.

Quite why anyone would actually want Microsoft's latest attempt at a browser on Linux is open to question. From the perspective of the Windows giant, getting developers to test their code on the platform is the name of the game and the move from the Dev Channel to Beta signifies a stable edition is on the way.

The first preview builds of Edge for Linux turned up in 2020. Penguinistas have not been treated to the daily updates of the Canary Channel – only Windows, HoloLens 2, and MacOS users get those – but they have been receiving regular drops on the Dev Channel. In March, for example, lucky Linux fans were able to synchronise their settings using their Microsoft account.

Continue reading

Facebook Oversight Board upholds decision to ban Trump, asks FB to look at own 'potential contribution' to 'narrative of electoral fraud'

Looks like you can safely ignore that friend request... forever

The Facebook Oversight Board has upheld former President Donald Trump’s ban from Facebook and Instagram - but not before advising the platform to look at its own role in the Capitol-storming mess.

The social media giant was the first major platform to ban Trump following the January 6 insurrection, when hundreds of his supporters stormed the US capitol with the aim to disrupt the certification of the 2020 election results.

In its ruling, the Oversight Board, which has been described as “the Supreme Court for Facebook,” affirmed the decision to ban Trump, although it criticised the social platform for failing to adhere to its existing content moderation policies.

Continue reading

East London council blurts thousands of residents' email addresses in To field blunder

'Was a Mailchimp sub too hard?!' asks Reg reader

A local authority in East London has committed a classic privacy blunder by emailing what appear to be thousands of residents – while forgetting to use the BCC field and exposing all of the email addresseses to each recipient.

The cockup, which happened on Monday, had locals in the borough of Tower Hamlets receive emails with hundreds of addresses visible.

Register reader Patrick, who was the unlucky recipient of one such message, told us: "The email I received had 400 recipients in the To: field, I assume because Outlook has a limit of 500... Just assuming that I received all the Bs and Cs (and I probably only received a chunk) – then that's ~5,000 email addresses they leaked."

Continue reading

As pandemic buying continues, Chromebook shipments soared 275% in Q1, says analyst

Crossing the chasm into mainstream computing

Shipments of Chromebooks reached 12 million globally in the first three months of 2021, according to analyst outfit Canalys, which pegged the year-on-year growth at a stratospheric 275 per cent.

The vendor with the largest total number of sales-in was HP, with 4.36 million units leaving its factories, up 633.7 per cent year-on-year. HP said Chromebook sales had quadrupled in its Q1 ended 31 January to account for $1.69bn or 16 per cent of its PC business revenues.

HP CEO Enrique Lores sounded like the company could have sold more if only those pesky component shortages hadn't been a determining factor, saying on a Q1 conference call it had "increased inventory" and was "changing...the connections that we have with certain component providers."

Continue reading

Twilio's private GitHub repositories cloned by Codecov attacker, cloud comms platform confirms

Used the GitHub Codecov Action? Credentials may have been pilfered

Cloud comms platform Twilio has confirmed its private GitHub repositories were cloned after it became the latest casualty of the compromised credential-stealing Codecov script.

Codecov, a cloud-based tool for assessing how much code is covered by software tests, revealed last month that a script called Bash Uploader had been altered by a criminal to export secrets stored in environmental variables to a third-party server. This script is widely used for Codecov integration, including within GitHub Actions, popular for Continuous Integration (CI) pipelines.

Twilio said: "We have Codecov tools, including the Bash Uploader component, in use in a small number of our projects and CI pipelines." The company added that these particular projects were "not in the critical path to providing updates or functionality to our communication APIs" and that it has "remediated the potential exposure by thoroughly reviewing and rotating any potentially exposed credentials."

Continue reading

Microsoft reassures Teams freebie fans: We're not going to delete all your data, honest

The bug: IF Tier = Free THEN PRINT "Can we offer you an upgrade?"

Microsoft has had its very own Who, Me? moment after being forced to apologise for a bug that spammed administrators of Teams Free organisations to suggest they should upgrade to avoid imminent deletion of data.

The oopsie actually occurred in April (although a full explanation was not shared until last night) and resulted in users of the company's freebie version of Teams receiving an email warning that their trial was coming to an end. If a new subscription was not swiftly acquired then users would lose access to their data after around 30 days. Administrators would subsequently have 90 days to upgrade or face permanent deletion.

Understandably, customers were left a little baffled. After all, Teams has a Free tier and a bunch of Frequently Asked Questions includes hits such as "Is Microsoft Teams really free?" (answer: "Yes!") and "Will my account my expire?" (answer: "No, your account will not expire.")

Continue reading

How to hide a backdoor in AI software – such as a bank app depositing checks or a security cam checking faces

Neural networks can be aimed to misbehave when squeezed

Boffins in China and the US have developed a technique to hide a backdoor in a machine-learning model so it only appears when the model is compressed for deployment on a mobile device.

Yulong Tian and Fengyuan Xu, from Nanjing University, and Fnu Suya and David Evans, from University of Virginia, describe their approach to ML model manipulation in a paper distributed via ArXiv, titled "Stealthy Backdoors as Compression Artifacts."

Machine-learning models are typically large files that result from computationally intensive training on vast amounts of data. One of the best known at the moment is OpenAI's natural language model GPT-3, which needs about 350GB of memory to load.

Continue reading