Ubiquiti gives hacker $16,000 for finding a vulnerability in their Ubiquiti video server. No, it's not clickbait, this happened, but we're going to talk a little bit about how it happened and have a good security discussion about this. HackerOne. So Ubiquiti participates in the most trusted hacker-powered security platform, HackerOne. HackerOne essentially is a facilitator, and what they do is help companies with proper disclosure and payouts for finding bugs, reporting bugs, going through a proper disclosure process. Ubiquiti, and this is a really good thing, is signed up and has been for quite a while. Matter of fact, they have been on the HackerOne program since, I believe, July of, let me look here, July of 2015, yeah, oh, January of 2015, even longer, awesome. And the latest one, and I tweeted about this the other day and I had a discussion with a few people about it, on November 8th, 2019 was when this was all made public and closed, here's the bounty they paid out, you know, it's all legit. And there was a bug found, and this bug was specifically in a, under specific conditions with some, you know, being able to recreate this problem, they were able to get binaries executed by the EvoStream function. So all the details of how that works and everything are in here. Good news, it has been patched, and this is part of what this process is. It's a privilege escalation from system via unauthenticated command execution, which is bad, but, you know, it has a critical CVE score of 9.6 out of 10. So like I said, this is right up on the really bad list. And this particular user found this problem, he reported it in April, about seven months ago, and it goes through a vetting process where you make sure that they can work through it, reproduce it, figure out if the problem is real or if the problem is an absolutely reproducible problem.
So they went through, and you can read through the back and forth with the teams from HackerOne and Ubiquiti and everyone going through and posting in here to make sure they understand how to do it. And in the end it was patched as of 3.7, and now they're at 3.10. And this is part of a bigger security talk I wanted to have. One of the things I really like to see is a lot more companies that are participating in services like Bugcrowd, HackerOne, et cetera, and these facilitators out there. It shows a commitment from them to the community that they care about security, that they want people to poke away at their product, and if they do find a flaw, if they want to sign up through HackerOne or one of these services, that they'll go through a proper and well-vetted audit of this. Not just drop it on some GitHub link and go, hey guys, I found a flaw, here it is, and then let all of us scramble to try to patch systems as fast as that flaw was found and hopefully no one actually takes the flaw and exploits it out there. That's unfortunately what frequently would happen in the past. Now, as the security market has matured, we have more mature behavior out there to be able to find these. And you go back even further, where if you posted that you were able to hack something, sometimes you would just get teams of lawyers or legal problems sent your way for posting that you hacked something. The reality is the bad actors are always out there trying to hack something and not share their secrets. There are good actors who, you know, people can make quite the living being a bug bounty hunter, and some people are very, very talented at it. That's awesome. And Ubiquiti showing their commitment is great. So I just want to reiterate that. Next, let's talk about all the products people always ask me to test and why I like companies like Ubiquiti.
So all the time, there is always a new product out there, and this is very, you know, the startup world is big and there's always someone who wants to start that next project and be the next firewall, be the next VPN, be the next whatever company that suits some tech need, and they start out with a low price. So right away, people get excited to have good reseller programs, but how is their security? I put my name on the line and the trust I built with my clients that we are going to recommend products that are secure. So when someone pastes random links every time we talk about a firewall, have you tried this cheap firewall I found, I look up the security history of it. And there's a mistake people often make where they just are not understanding the statistics. You're like, look, it's never had a CVE. Yeah, there's 10 people using it. Are there any hackers or any security personnel really spending time vetting that product if they're not even offering a bug bounty program? And they don't have to, you know, necessarily do that for me to think they're secure. But have they gone through code reviews? Have they really been audited properly? And that is one of the things people get confused about. They assume because there's not been a vulnerability found or discovered or reported that therefore the product must be secure. The reality is if I release a product today, that does not make it secure until it's really been poked at, tested and thoroughly vetted. So this is why it makes it a little bit of a challenge to just try out a new product. Now open source has a bit of an advantage, because Ubiquiti is a closed source company and we like things like HackerOne too, you know, people are poking at it and they have a methodology by which to handle it. The open source community is a little bit different because you can see the code. This makes open source projects right away, doesn't make them more secure right away.
Just because it's open source and I can see the code, it still requires someone to look at the code. But larger, more mature, big open source projects, now I'll throw pfSense out there, have tons of people looking at it, vetting it and constantly scrutinizing the methodologies by which it was put together. And because they can see the code, they can see issues, whether those issues are directly with pfSense or one of the modules that build pfSense, because pfSense is a glue to several other modules. For example, you know, flaws found in servers like Nginx, which pfSense does use, could be mitigated, but it was an Nginx problem in a very specific condition that could exhaust memory. I talked about this about a year ago, and you could update that particular module. It wasn't a fault of pfSense, but then you have to, and pfSense right away was on top of it because they knew that there was a bug in the stack that they use. So like I said, open source is handled a bit differently than a closed monolithic source where we don't always know what is inside there. But this also leads me to things, like I said, people want me to test out and not bring up, for example, WireGuard. And this is right from WireGuard. This is absolutely from them, about the project: work in progress. This is from the authors of the software. WireGuard is currently working toward a stable 1.0 release. Current snapshots are generally version, blah, blah, blah, and they should not be considered real releases and they may contain security quirks. This is from the author. Why do I bring this up? Everyone's like, oh, I really wish they would integrate WireGuard into whatever device. Here's the thing, you want to have the VPN that protects your stuff, that keeps threat actors away, that keeps people from sniffing it, based on a beta product? This is why we don't use WireGuard in production systems. I mean, hey, cool. I'm not saying anything bad. I believe the code thus far looks awesome.
It's another open source project and everything about it looks good. But are we there yet? Not really. I don't know why companies, and I'll throw pfSense's name out there because this is where it comes up, I wish pfSense would just integrate WireGuard because I really want to use it because it's better than the OpenVPN thing that's out there. I mean, I don't think WireGuard is bad, but I also think it has not been vetted, and I bring up OpenVPN, which has gone through not only one but two code audits. And this is actually from 2017, and it hasn't gone through major changes since then. And once companies make major changes, they need to go through code audits again. This is kind of a general, my thoughts on security and product in general. And I could go on for quite a while about this kind of rambling, but this is something I'd like people to put in the back of their head when they're looking at products, when they're doing this. This is how I evaluate things. Do they have a, have they been code vetted? Do they have a program? Do they have a process by which to report bugs? Are they a new startup? Has anyone really tested the product? Is there a community around it of, especially, more and very specifically security people who are really putting it to the test? This is hard, like I said, for a new startup that is really trying to bring a product to market and may not have that money, because, well, when it comes to full-blown security audits for software or a product like OpenVPN, you're talking about something that could cost over $100,000 just to have a company really go through and audit it thoroughly. You want this done very well by security professionals that have expertise in the cryptography that was used and the methodologies and mathematics. And by the way, Dr. Matthew Green audited OpenVPN. The team over there at Johns Hopkins University, great team, very well-versed in that particular field. So it went through their audit. They did find problems.
Nothing major that says not to use it. But by the way, those problems are all fixed. And of course, now we have a much cleaner and better version, which is more secure here in 2019 because of the issues that were found in the audit and fixed. So these are my thoughts on security. Just wanted to throw it out there. It's nice to see companies that do this. And there's plenty of companies out there. And I'll throw at least one more name out that comes up constantly. I don't think I've had a live stream yet that doesn't bring up MikroTik. Tom, why don't you like MikroTik? Well, besides the fact that I don't like their interface, and having used them a couple of times, I think the interface is confusing. I will admit they do seem to have a very powerful feature set and they have very inexpensive hardware. They do not, that I could find, have any type of real bug bounty program. But then again, bug bounty programs do cost money. And that could be a challenge, where MikroTik is trying to be in the market by having a very, very low cost solution, and that creates its own challenges. So it's something to think about when you're looking at it. It doesn't mean you shouldn't use a product, but keep it in your mind, especially when you're using closed source solutions, especially closed source solutions that have decided, I don't wanna open my code, but do you open yourself up to a bug bounty program? That's really a healthier way to look at it. I wish everything was open source and I do try to lean towards open source, so I know someone's gonna flag me on that going, I can't believe you like any company that doesn't use open source. Well, yeah, I live in the real world, and sometimes I will prefer open source as much as possible, but yeah, sometimes I have to use some closed source products. It's not what I want to do, but I work in a business world where that does happen.
But either way, these are my thoughts on security, and this is the basis, and this is gonna be the reply video to people who asked me about every random, because I've seen people linking, with my last firewall video, random other brands I've never even heard of, firewalls, and I think its price is what is driving them there, but I'm like, I've never heard of the company, they don't seem to have any track record. You can't find much information, or it's closed source. I just have no interest in those products without even knowing some of the backend that they're built on. If there's a vulnerability in something that they built under their stack, but I don't even know what their stack is because it's one monolithic closed source thing, that makes it that much harder. At least with UniFi, I do know, because they are based on some open source stuff. They may have proprietary closed source in there, but at least we know EdgeOS being based originally on Vyatta and some of the other things that went into the building of the UniFi platform. So you get some idea of what it is, and it does run Linux under the hood, so you can kind of see what's going on under the hood to get an idea. So, but thank you, and like I said, these are my thoughts on security. Feel free to continue the discussion on this on the forums, because this is a hot topic, and security is, well, as things get more complicated, it's going to be harder and harder to secure things, so you have to think long and hard about product choices. Thanks. And thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on.
If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos or other tech topics in general, even suggestions for new videos, which are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page. We have a lot of great tech offers for you, and once again, thanks for watching and see you next time.