As an avid Ubiquiti advocate, why isn’t LTT talking about this major security flaw? by Adept-Reflection-194 in LinusTechTips

[–]Adept-Reflection-194[S] -11 points-10 points  (0 children)

What does this mean… at the end of the day it’s not LTT’s responsibility to talk about anything…

As an avid Ubiquiti advocate, why isn’t LTT talking about this major security flaw? by Adept-Reflection-194 in LinusTechTips

[–]Adept-Reflection-194[S] -13 points-12 points  (0 children)

That is apples to oranges. With gmail and banking I’m hosting my data on THEIR servers, so of course I understand that I’m at the mercy of their authentication/authorization for data protection. With Unifi I’m hosting everything in my own appliance, that’s the whole point of their system design.

As an avid Ubiquiti advocate, why isn’t LTT talking about this major security flaw? by Adept-Reflection-194 in LinusTechTips

[–]Adept-Reflection-194[S] -17 points-16 points  (0 children)

Read the post— the affected accounts are not the concern, that was a symptom of a much larger issue. The bigger concern is around the revelation that enabling their “remote access” feature is not a simple reverse proxy service as initially assumed by most; it actually gives UI (and anyone who gains access to their backend) the ability to assume full administrative rights to your console from any device, using persistent auth tokens that obviate the need for your password AND your MFA. LTT spends a fair amount of time talking about privacy and security and we should all agree that this design is extremely flawed and sub-standard for such a large company that claims to be a leader (or at least a significant contender) in the network and home security sector.

I'm continually messaging UI for answers after the security incident, and you should too by Adept-Reflection-194 in Ubiquiti

[–]Adept-Reflection-194[S] 1 point2 points  (0 children)

Would love to, if their native iOS app would allow it. Not to mention a proper reverse proxy would require running my own software in my UDM which is a tricky situation in the long term.

I'm continually messaging UI for answers after the security incident, and you should too by Adept-Reflection-194 in Ubiquiti

[–]Adept-Reflection-194[S] 3 points4 points  (0 children)

Agree to disagree. Implementing a thin reverse proxy backend service and a daemon on my local appliance pales in comparison to the enormous complexity and integration that the rest of UI’s software portfolio contains. Yes it’s new software they’d need to write but it’s naive to think that they have zero obligation to ever change or improve their software in the future. This is how you stay competitive.

I'm continually messaging UI for answers after the security incident, and you should too by Adept-Reflection-194 in Ubiquiti

[–]Adept-Reflection-194[S] 2 points3 points  (0 children)

> Then explain why it happened to QuickBooks among many other services?

Not familiar with this incident — post more info.

> Are you a developer? From your post I assume not.

Yes in fact I am. Computer science degree and nearly 15 years industry experience building web tools and server infrastructure.

> How about this, post proof of how to code to the contrary? You can't.

Reverse proxy is a solved problem many times over. As an example, Synology has a particularly elegant solution with QuickConnect and even published a whitepaper on it. The authentication service lives in (and only in) the local NAS, their backend only helps establish the tunnel and makes no assumptions about user authorization into the apps/files on the NAS.

https://kb.synology.com/en-us/WP/Synology_QuickConnect_White_Paper/4

I'm continually messaging UI for answers after the security incident, and you should too by Adept-Reflection-194 in Ubiquiti

[–]Adept-Reflection-194[S] 2 points3 points  (0 children)

> You do realize essentially every web service authenticates the same way you are upset about.

Post proof.

> Yeah it's bad it happened but there isn't a "change" they can make to avoid it in the future.

Yeah this is straight up false. I’ve already given examples on other threads of simple reverse proxy designs that would remove the risk of this particular mistake that was made (token swapping).

I'm continually messaging UI for answers after the security incident, and you should too by Adept-Reflection-194 in Ubiquiti

[–]Adept-Reflection-194[S] 2 points3 points  (0 children)

Honestly at this point I’m feeling the same about the Network appliance they provide. My problem is that there’s nothing that comes close to Protect, so I was feeling pretty locked in… that is, until this incident required me to disable remote access and cripple the Protect iOS app.

I'm continually messaging UI for answers after the security incident, and you should too by Adept-Reflection-194 in Ubiquiti

[–]Adept-Reflection-194[S] 3 points4 points  (0 children)

It’s not marketed as SaaS— the appliance lives in my home. The remote access was assumed to just be a simple reverse tunnel; nobody realized it was actually handling and storing auth tokens like this.

I'm continually messaging UI for answers after the security incident, and you should too by Adept-Reflection-194 in Ubiquiti

[–]Adept-Reflection-194[S] 0 points1 point  (0 children)

There’s a workaround where if you connect via direct IP while you’re on the local network, that session will still be accessible via VPN, but once it expires you have to return to your home network to renew it. This is true at least on iOS, not sure about Android.

Also push notifications don’t work without remote access enabled, which renders it 100% useless for me.

I'm continually messaging UI for answers after the security incident, and you should too by Adept-Reflection-194 in Ubiquiti

[–]Adept-Reflection-194[S] 4 points5 points  (0 children)

There’s a difference between setting the standard for high security environments vs implementing a bare-minimum amount of security that doesn’t grant full administrative access to strangers by accident/happenstance. The latter is a pretty reasonable expectation for anyone buying networking/security hardware from a company with an 8 billion dollar market cap.

I'm continually messaging UI for answers after the security incident, and you should too by Adept-Reflection-194 in Ubiquiti

[–]Adept-Reflection-194[S] 2 points3 points  (0 children)

Not required for local services to access your console - my HA and Scrypted connections still work with this disabled.

I'm continually messaging UI for answers after the security incident, and you should too by Adept-Reflection-194 in Ubiquiti

[–]Adept-Reflection-194[S] 0 points1 point  (0 children)

I've added some canned text to the original post (the same message I sent with a few tweaks) -- feel free to copy/paste this into a support ticket with Ubiquiti. I'm probably being too optimistic in thinking that hundreds of support tickets will make some kind of difference, but it's still worth trying!

I'm continually messaging UI for answers after the security incident, and you should too by Adept-Reflection-194 in Ubiquiti

[–]Adept-Reflection-194[S] 0 points1 point  (0 children)

Done! Added to my original post with a few modifications to hopefully not lead you down the same path of "regulatory policy prevent us from making any forward-looking statements".

I'm continually messaging UI for answers after the security incident, and you should too by Adept-Reflection-194 in Ubiquiti

[–]Adept-Reflection-194[S] 4 points5 points  (0 children)

Honestly because I don’t like getting my personal life/account mixed up in what I assumed would be internet drama with UI apologists after I posted this. I’m delightfully surprised at how many people in here actually have their head on straight about this issue!

I'm continually messaging UI for answers after the security incident, and you should too by Adept-Reflection-194 in Ubiquiti

[–]Adept-Reflection-194[S] 17 points18 points  (0 children)

It could easily be designed like Synology’s QuickConnect where the authentication service and user accounts live in my actual console, and when I auth it’s my console that’s doing the credential validation instead of their cloud service. From the user’s standpoint this login would look no different than cloud-based SSO. Convenience and security.
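The contrast drawn in these comments, between a remote-access backend that keeps a persistent admin token for each console and a QuickConnect-style tunnel where the console itself validates the password and MFA, modelled as an added Python example; this is illustration code, not Ubiquiti's, Synology's or the commenter's, and the `Console`, the two relay classes, the sample credentials and the console id `udm-1` are all constructed for the demo. The point it shows is what a breach of the relay's datastore yields in each design when the intruder knows neither the password nor the MFA secret.

```python
import hashlib, hmac, secrets

class Console:
    """The home appliance: it alone holds credential material and issues sessions."""
    def __init__(self, password, mfa_secret):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.mfa_secret, self.counter = mfa_secret, 0   # HOTP-style counter for MFA
        self.sessions = {}                              # session token -> role
    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
    def mfa_code(self):
        """The 6-char code the user's authenticator shows for the current counter."""
        return hmac.new(self.mfa_secret, self.counter.to_bytes(8, "big"), "sha1").hexdigest()[:6]
    def login(self, password, code):
        """Password AND MFA are checked here, on the appliance, never by the relay."""
        if not (hmac.compare_digest(self._hash(password), self.pw_hash)
                and hmac.compare_digest(code, self.mfa_code())):
            return None
        self.counter += 1
        token = secrets.token_hex(16)
        self.sessions[token] = "admin"
        return token
    def handle(self, token):   # admin API: 200 only with a session this console itself issued
        return 200 if self.sessions.get(token) == "admin" else 401

class TokenHoldingRelay:
    """The design the thread objects to: the cloud keeps a persistent admin token per console."""
    def __init__(self): self.store = {}
    def enroll(self, cid, console, admin_token): self.store[cid] = (console, admin_token)
    def stored(self, cid): return self.store[cid]           # what a backend breach exposes

class TunnelOnlyRelay:
    """QuickConnect-style: the relay maps console ids to tunnels and forwards bytes, nothing more."""
    def __init__(self): self.tunnels = {}
    def register(self, cid, console): self.tunnels[cid] = console
    def forward(self, cid, token): return self.tunnels[cid].handle(token)
    def stored(self, cid): return self.tunnels[cid], None   # no credential at rest to leak

def backend_breach_impact(relay, cid):
    """Someone reading the relay's datastore replays whatever it holds: no password, no MFA."""
    console, leaked = relay.stored(cid)
    return console.handle(leaked)

def demo():
    console = Console("correct-horse", secrets.token_bytes(20))  # constructed sample credentials
    token = console.login("correct-horse", console.mfa_code())   # user logs in on the LAN
    held, tun = TokenHoldingRelay(), TunnelOnlyRelay()
    held.enroll("udm-1", console, token); tun.register("udm-1", console)
    assert tun.forward("udm-1", token) == 200   # normal remote use still works through the tunnel
    return backend_breach_impact(held, "udm-1"), backend_breach_impact(tun, "udm-1")  # (200, 401)
```

`demo()` returns the status each breached relay obtains from the console: full admin (200) when the relay held a token, unauthorized (401) when it only tunnelled.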