back to article Tesla axes software engineer for allegedly pilfering secret Python scripts after just three days on the job

Tesla has fired and sued software engineer Alex Khatilov for alleged trade secret theft and breach of contract. The electric automaker claims its former employee copied thousands of files to his personal Dropbox account just days after being hired. The complaint [PDF], filed on Friday in US District Court in San Jose, …

  1. Boris the Cockroach Silver badge
    Facepalm

    New worker same old

    Fired for being an idiot I think would be closer to the truth

    I mean, who installs dropbox(or any other cloudy backup) without knowing its going to start leeching copies of your files...

    1. Version 1.0 Silver badge
      Meh

      Re: New worker same old

      At least Google Drive prompts you every time you plug a USB stick in to backup the contents to the cloud via Google. But was he an idiot, or was Tesla stupid for having a working environment where this is possible? I wonder where else this is happening... he's a python programmer, he's not stupid but he concentrates on his coding, not the environment - that's normal.

      1. This post has been deleted by its author

      2. don't you hate it when you lose your account Silver badge

        Re: New worker same old

        Any such software should be banned by policy and practice. Why was he allowed to do this on a work laptop, how could he refuse to allow them to share the screen?

      3. Anonymous Coward
        Anonymous Coward

        Re: New worker same old

        Actually, as a python programmer, he qualifies as stupid for that reason alone.

  2. Chairman of the Bored

    Investigator?

    I question the investigator's tactics - supervising destruction of evidence? Tampering with a material witness? Seriously?

    It sounds like they had enough information from their security software to get an emergency injunction. Given that document Microsoft could freeze the Dropbox account and archive relevant log files. Then you file a criminal complaint, which would spawn a search warrant. Then you grab the employee's computer, the Dropbox, everything.

    Doing anything else does not maximize ones chances in court.

    1. DevOpsTimothyC Bronze badge
      Stop

      Re: Investigator?

      Their role (in the security team) is to limit (clean up) or prevent any breach. By instructing the employee to remove the files from the dropbox account they are preventing further dessemination of the files.

      Going through the legal route leaves those files in place to be copied out of a place where they can be tracked.

      What destruction of evidance? They have the logs of the source so can prove the content, if needed they can subpeona (from dropbox) the source and destination. They do not need the files to stay in a personal dropbox account for an unknown period of time. Most video confrencing software allows for the meeting to be recorded (I haven't used teams so don't know on that one) if Teams does not nativly they could be using other screen capturing software to record the call.

      1. Lord Elpuss Silver badge

        Re: Investigator?

        "Their role (in the security team) is to limit (clean up) or prevent any breach. By instructing the employee to remove the files from the dropbox account they are preventing further dessemination of the files.

        Going through the legal route leaves those files in place to be copied out of a place where they can be tracked.

        What destruction of evidance? They have the logs of the source so can prove the content, if needed they can subpeona (from dropbox) the source and destination. They do not need the files to stay in a personal dropbox account for an unknown period of time. Most video confrencing software allows for the meeting to be recorded (I haven't used teams so don't know on that one) if Teams does not nativly they could be using other screen capturing software to record the call."

        That made my eyes bleed. Dissemination not dessemination. Evidence not evidance. Subpoena not subpeona. Conferencing not confrencing. Natively not nativly.

        1. trist

          Re: Investigator?

          I thought dessemination was when you tried to undo insemination.

          1. Doctor Syntax Silver badge

            Re: Investigator?

            Either that or it's something you do with a sharp knife.

            1. Anonymous Coward
              Anonymous Coward

              Re: Investigator?

              I thought that was delegation.

              (Although the children of a psychiatrist friend thought that was what sectioning meant. )

            2. trist

              Re: Investigator?

              I think that the steel coat hangers were used in the Eire. Wonder if the moderators will delete this comment.

    2. druck Silver badge

      Re: Investigator?

      Microsoft might be able to freeze a One Drive account, but not a Dropbox one - I hope.

      1. TimMaher Silver badge
        Trollface

        Windows 10

        It can freeze anything.

        1. HildyJ Silver badge
          Devil

          Re: Windows 10

          Anything but system updates.

          1. TRT Silver badge

            Re: Windows 10

            The day Microsoft start making iceboxes is the day they start making something that doesn’t keep freezing.

        2. GBE

          Re: Windows 10

          It can freeze anything.

          Including my laptop. [Three times so far this morning, and it's not even 10AM yet.]

  3. man_iii

    Python script as a.Service

    if he stole scripts in bash and Python wouldnt he have to steal the toolchain configs and server setup and pipeline info?

    rm -rf * wont help you no matter the script.

    1. doublelayer Silver badge

      Re: Python script as a.Service

      "if he stole scripts in bash and Python wouldnt he have to steal the toolchain configs and server setup and pipeline info?"

      Probably not, but if those were there, they could be in the collection too. There isn't a lot of toolchain configuration for Python that isn't obvious, although it depends on what structure they decided on. The server may have complex logic, but for all we know it just takes in an item to test and passes it on to the Python backend which does all the work.

  4. Anonymous Coward
    Devil

    Ahummmm

    >>The scripts said to have been taken are used for procurement, inventory management, payment, processing, and delivery, among other business functions.

    >>"These scripts would be extremely valuable to a competitor," said Golda Arulappan

    Yeah............

    Exactly those fields of the business and business functions that competitors have eons of experience over dear Tesla.

    1. Charlie Clark Silver badge

      Re: Ahummmm

      The value will matter in any compensation claims, which may extend to any third parties: this is after all in America. From the brief description, I assume Dropbox will be required to turn over logs of which files were copied and who had access to them. Dropbox doesn't automatically sync the whole file system and in my experience doesn't bother with removable storage so any copying will have been done deliberately.

      1. NetBlackOps Bronze badge

        Re: Ahummmm

        No, every time I lug in a freshly formatted portable storage device, I have to tell Dropbox *not* to back up the device.

  5. LDS Silver badge

    "Received a computer" "He also installed Dropbox"

    Installing a personal account on a company PC should be enough to fire him (now that I'm working from home my company PC and phone are even on a separate VLAN, with no access from the rest of the network)

    Anyway accessing all the files he could hoard in a few days without any real need doesn't look a smart move either (while security people at Tesla enjoyed the festivities, it looks).

    But that's probably what you should expect if you hire someone who uses at least three different names.

    Yet I believe all those files were about Tesla cars inner workings, not procurement and payroll - are SAP and Oracle actually the competitors of Tesla? Is MUsk pivoting to ERP?

    1. Jellied Eel Silver badge

      Re: "Received a computer" "He also installed Dropbox"

      Yet I believe all those files were about Tesla cars inner workings, not procurement and payroll - are SAP and Oracle actually the competitors of Tesla? Is MUsk pivoting to ERP?

      I'm not a software developer, but curious about.. "representing at least 6,300 files."

      That's quite a lot of files, and presumably would include a lot of dependencies & interactions between files to run a business. So curious if trying to do that in Python is either common, or sensible. And given previous cases where employees have stolen Tesla IP, whether they've learned anything. As others have pointed out, why was Dropbox permitted, and why would a new hire be given access to code modules they don't need? So if he was hired to review code relating to specific functional areas, then it would seem sensible to limit access to those function repositories.. Especially as a new, presumably probationary hire.

      1. big_D Silver badge

        Re: "Received a computer" "He also installed Dropbox"

        6300 files isn't that much for a complex system. They can quickly run into the 10s of thousands. As to this case, I can't comment.

        And, yes, installing "personal", i.e. not from IT controlled and installed, is generally a big no-no in most companies I've worked for, either it isn't allowed or you have to get special permission and a damned good reason for doing so.

        1. Anonymous Coward
          Anonymous Coward

          Re: "Received a computer" "He also installed Dropbox"

          At the company where I work we have always been allowed to install anything on our computers. In general is considered preferable for employees to use their own preferred tools and workflow (as long as the end-result is up to spec). Personally, I have found this useful on any number of occasions. When you are trying to find a solution to a problem, you don't want to be bugging IT to try every possible tool.

          BUT

          Network traffic is controlled, and there is absolutely 0 chance of us being allowed to use dropbox. We can install it sure, but it's just a lump failing to talk to the rest of the world. There is similar behavior with a lot of software for which you download an "installer" which downloads the actual program.

          So far, this policy doesn't seem to have caused any problems (over 40 years or whatever of the companies existence). Doesn't mean that it won't one day.

          1. big_D Silver badge

            Re: "Received a computer" "He also installed Dropbox"

            Given licensing issues, data protection issues and security issues, everywhere I have worked has had very strict rules on what software is allowed or not.

            All too often people will say, "but it is free, I use it at home," yeah, home fine, but actually read the license and it is only for personal use, you can't use it for business without buying a license or professional support.

            It is nice that your employer is a little more lenient. Although, working in IT and responsible for licensing and security, I'd prefer to deal with our locked-down model.

            1. Anonymous Coward
              Anonymous Coward

              Re: "Received a computer" "He also installed Dropbox"

              Oh yes, I totally understand. If I were an admin, I too would prefer the locked down model. I think the only reason this works is that the vast majority of employees are hardcore hard/software devs and they are pretty choosy about hiring, so we are generally trusted not to be dense about that kind of thing.

              Will it bite us in the ass one day? \_o_/

    2. chivo243 Silver badge
      WTF?

      Re: "Received a computer" "He also installed Dropbox"

      I find it incredibly inept that a company like Tesla would allow and employee to install any software on company gear. I'm not sure where to point the the finger of blame on this one. Policy? Enforcement? He got away with DropBox copying files for 3 days before starting again 2 days later and finally raising a flag with the security department?

      I think this case deserves a closer look.

      1. LDS Silver badge

        Re: "Received a computer" "He also installed Dropbox"

        We don't know if its role required a quite broad access to PC resources, plus there are also software that keeps on installing where they should not to "infect" as many PCs as they could (Google Chrome, anyone?), bypassing usual restrictions. And of course if you hire someone for quality assurance they should be trusted enough to access a lot of sensitive info.

        Anyway this is an example why I don't like VCS systems without a good ACLs implementation that allows to control who can access what. Unrestricted read access is good for open source projects only.

        Tesla should have handled this far better, of course, and maybe doesn't want to look like those companies who treat employee as pure drones forced to work only in their heavily restricted cell in the hive.

        But there are times when you have to rely also on the ethic of your employees. I have a broad access to my work PCs, as it is required by my job. I signed an agreement allowing it, and taking responsibilities for what could happen. I don't use them but for my job and anything private never touches them. Moreover today there's really very little need to mix your work stuff with private one, since you can access most of what you need through a smartphone when away from home, if you don't like to carry another PC.

        It looks Tesla need a far better hiring process.

      2. Anonymous Coward
        Anonymous Coward

        Re: "Received a computer" "He also installed Dropbox"

        "I find it incredibly inept that a company like Tesla would allow and employee to install any software on company gear."

        Unlike in other professions where the tools required are nailed down and limited, people who work in IT tend of get a free reign over what they can install due to the nature of the job. Otherwise we'd forever being sending chats/emails to IT sec to let us download libXYZ, gcc ver 4.5.6.7, python 3.7.1.0.3.4, boost whatever etc. To do our jobs properly we need to download a of lot crap to try stuff out and upgrade that IT sec really don't understand or give a shit about.

        1. A.P. Veening Silver badge

          Re: "Received a computer" "He also installed Dropbox"

          You are correct, but Dropbox (and other file sharing tools) should either be on a pre-approved or a pre-blocked list, normally the latter unless you are working on Dropbox.

        2. Charlie Clark Silver badge

          Re: "Received a computer" "He also installed Dropbox"

          True, but you might expect them to be required to set up dedicated accounts for personal stuff.

        3. Anonymous Coward
          Anonymous Coward

          Re: "Received a computer" "He also installed Dropbox"

          I beg to differ. IT Sec does indeed understand why you think you need a two and a half year old copy of Python with its associated list of CVEs rated 4.0 or better. We're just not allwed to say it because HR doesn't appreciate when we refer to their choices as 'oh, god, not again'. We also understand why you aren't allowed to install it. Your lack of understanding is why there has to be an IT Sec group in the first place.

          1. Anonymous Coward
            Anonymous Coward

            Re: "Received a computer" "He also installed Dropbox"

            "I beg to differ. IT Sec does indeed understand why you think you need a two and a half year old copy of Python"

            Thats never been my experience. Most people in the security dept couldn't even name a programming language other than powershell, much less understand why a particular version is needed. They're more concerned with windows viruses and exploits and if any of them have any understanding of development they're usually foud in devops, not the security team. And unix security is usually left to the unix ops team because IT sec are usually exclusively windows guys.

            "Your lack of understanding is why there has to be an IT Sec group in the first place."

            I think you overate your own importance. SMBs don't even usually have a dedicated IT sec.

        4. chivo243 Silver badge
          Thumb Up

          Re: "Received a computer" "He also installed Dropbox"

          I agree! Yes, we do. I try out tons of stuff, both for professional requests, and personal interest. There is enough of the responsibility pie to go around on this one. I still question giving a new hire access to that much "sort of important" data with little controls, I've not had the experience of working in a very large company, so I might not understand enterprise security completely. but...

          I mean, Dropbox, c'mon...

    3. Snake Silver badge

      Re: "Received a computer" "He also installed Dropbox"

      "But that's probably what you should expect if you hire someone who uses at least three different names."

      Hit right on the head. Isn't that an exact truth that 99.9% of that people here are missing?

      I once had the displeasure of getting involved with someone who carried multiple alias. I had absolutely no knowledge of this fact... until the last time I spoke to him through his jail bars at the State holding facility. With the State Police notifying me that they were still trying to figure out his true name from all the aliases.

      Red flag. A field of them. With an alarm klaxon. And lighthouse-grade search light. Plus radiation warnings.

      1. Danny 2 Silver badge

        Re: "Received a computer" "He also installed Dropbox"

        Khatilov is an extremely rare Russian name. Sabhir is an Indian name. But I guess these don't raise red flags when the CEO is called Elon Musk.

        1. jmch Silver badge

          Re: "Received a computer" "He also installed Dropbox"

          How would Tesla know about any other name except the one he supplied them with? I very much doubt any company would run a full background check on every new hire.

          1. Gordon 10 Silver badge

            Re: "Received a computer" "He also installed Dropbox"

            You obviously haven't been hired by a big corporate.

            Whilst I dont know if the standard background checks would pick up aliases I would expect them to pick up inconsistencies in his main identity - lack of or false exam certs for example.

      2. Anonymous Coward
        Anonymous Coward

        Re: "Received a computer" "He also installed Dropbox"

        > Isn't that an exact truth that 99.9% of that people here are missing?

        Nope.Where transliteration and different naming customs are involved, you are very likely to end up with a collection of different names whether you like it or not.

        1. stiine Silver badge
          WTF?

          Re: "Received a computer" "He also installed Dropbox"

          If you want to find out how many names you have, buy a house. I had to sign a page with over 20 different versions of my name, most of which made no fucking sense whatsoever. The only one that did make sense was the one missing the space because the GA drivers' license department's computers didn't allow spaces in last names in 1994...

          1. Snake Silver badge

            Re: 20 different versions when buying a house

            That is very, very strange. When I bought my house I had only 1 version on all the forms, they were all correct from the get-go.

            It sounds like your lawyer failed to properly vet the paperwork; these types of issues should have been resolved before you even stepped foot into his / her office.

    4. jmch Silver badge

      Re: "Received a computer" "He also installed Dropbox"

      So Tesla IT security have systems in place that detected and alerted the file transfer, but didn't lock down the laptop so no software could be installed? It's years since I've been allowed admin on my office laptop

    5. A 15

      Re: "Received a computer" "He also installed Dropbox"

      I'm not convinced that the three alias' is a big deal. I would be more worried if the list was longer and the names were unrelated to each other.

      In reality he has used the family name Tilov and Khatilov. Family names don't always work in the same straight forward way that they usually do in the west. Sometimes there is gender modification e.g "ova" for females sometimes "s" added to male surnames (Russia and some parts of eastern Europe). There may be associations with the "Kha" part of the name that the defendant wanted to remove to avoid prejudice.

      For the first name, he changed Sabir to Alex: it's common for people from different cultures to pick western names either to avoid pronunciation problems or to avoid prejudice.

      It's also possible he's just beginning in the spy game, but why would you use any part of your real identity in such a circumstance?

      1. GrumpenKraut Silver badge

        Re: "Received a computer" "He also installed Dropbox"

        > it's common for people from different cultures to pick western names either to avoid pronunciation problems or to avoid prejudice.

        No need for non-western origin. My first name is thoroughly unusable in English. I tell it, people look in disbelief, then I tell my nickname.

      2. TheMeerkat Bronze badge

        Re: "Received a computer" "He also installed Dropbox"

        Sabir Khatilov sounds like a name from Turkmenistan (or some other former USSR “stans”)

        It is a combination of non-Slavic Asian first name and the last name ending with “ov” like Russian names usually end.

  6. Lorribot Silver badge

    If he was not supposed to be accessing the files as part of his job then why did someone (in the group of 8) give him access to them in the first place?

    If users are not supposed to install Dropbox then why are they not blocking it from running or even installing?

    If they knew he was transferring files to Dropbox why don't they block the transfer files to Dropbox automatically?

    Seems to me the security guys are deflecting from their own inadequacies here. Also looks like the stable door is still flapping in the breeze.

    1. o p

      thief

      Company policy says he should not copy files outside of Tesla's control. That's what he did. Security caught him. Police, handcuffs, jail.

      The technical details are irrelevant.

      1. Lorribot Silver badge

        Re: thief

        If you put a sign on an open door saying "do not enter" don't be surprised when come home to find you unlocked house ransacked.

        We have laws that say don't murder and yet there many murders every year. Paper rules are the last line not the first and is there to allow recourse should something happen, far better to stop it in the first place, and in this case not the most complex thing to do.

        Perhaps it is part of Musk's rapid and agile development process.

        1. Anonymous Coward
          Anonymous Coward

          Re: thief

          Your analogy would only work if the burglar worked for the person whose house he burgled and for [reasons] it could only possibly have been him that did it.

      2. Commswonk

        Re: thief

        Company policy says he should not copy files outside of Tesla's control. That's what he did. Security caught him. Police, handcuffs, jail.

        Non sequitur. Breaching company policy may easily be an act for which dismissal is appropriate, but it does not in and of itself constitute a breach of the criminal law, and if it doesn't then police / handcuffs / jail involvement is simply... illegal.

        Even proving theft might be difficult; OK he grabbed a load of Intellectual Property but IIRC it can be hard to prove that that constitutes actual theft as he did not deprive its actual owner of anything material.

        1. o p

          Re: thief

          My point was that the technical details of how he could get the files do not matter. The legal "details" is a different thing.

          All these commentards trying to justify the theft because he could install Dropbox are wrong, IMO.

          And Tesla's security is not inept, they caught the guy spot on.

          And Elon Musk's recruiting strategy does not look reckless when you look what his teams do

          1. Jellied Eel Silver badge

            Re: thief

            And Tesla's security is not inept, they caught the guy spot on.

            Sure, they caught the guy. But files slurped from Tesla into Dropbox, and from there, who knows? So if this was industrial espionage rather than a dumb criminal, files could/would have been copied from Dropbox to other repositories or recipients.

            The complaint seems to make out the files were a reasonable chunk of Tesla's 'crown jewels' IP, but their systems or procedures didn't seem to prevent a new hire making a copy.

            1. trist

              Re: thief

              Did he send the files off to Uber? They could be looking to screw suppliers for components.

              How long before Peter Theil writes a testimonial saying that he was a top bloke.

          2. Falmari Silver badge

            It's my first day ;)

            The technical details of how he could get the files are important. How do you prove he was stealing them? He had access to the files he could say he thought they were the python files he needed. Copying them to his dropbox he can say was I not meant to do that sorry I am new here. It is easy to argue you did not know you were doing anything wrong if there is no security in place to enforce the rules and stop you.

            Tesla security was inept firstly he had access to files he was not supposed to no security in place. Secondly, he was able to install his personal dropbox and copy files to it again no security in place. Thirdly they caught the guy after the event the files could have already been copied from that dropbox.

            No one is trying to justify theft they are pointing out how lax security was.

            1. Anonymous Coward
              Anonymous Coward

              Re: It's my first day ;)

              Honestly though, how would you like working in a place where you are assumed to be, and treated like a hostile party?

              And was security actually lax or merely commensurate with the actual (as opposed to claimed) importance of those data? Two hundred man-years (as claimed, though I wonder if that includes third party libraries, etc.) is not a trivial amount of work and you wouldn't want it to end up in a torrent, but it's not likely to be the crown jewels either.

              1. Doctor Syntax Silver badge

                Re: It's my first day ;)

                Firstly, a lot of fraud etc. is from insiders. The assumption isn't that you are hostile but that you could be, albeit with a low probability.

                Secondly, what the user does might not be intentional. The user might be hit with malware.

                Maybe you haven't worked anywhere where security is taken seriously although that's not surprising as it seems to be a rare thing. My final contract was with a site where the lan was properly segmented so that there was no chance of the secure data we were handling leaking into the office systems. It made sorting out errors in the incoming a bit inconvenient but that's what happens when you refuse to trade security for convenience, maybe something Tesla should have a think about.

                1. Jellied Eel Silver badge

                  Re: It's my first day ;)

                  Secondly, what the user does might not be intentional. The user might be hit with malware.

                  Yup. This is a huge problem in a lot of businesses. Have an external-facing firewall, but weak or non-existent internal security. And then assume that outbound connections from your network are trusted. Then someone clicks on a dodgy link, or opens a dodgy file and malware can roam around the internal network at will.

                  As you say, segmenting and securing internal networks makes it a whole lot safer and also simpler to detect & audit attempts to access stuff a user (or the user's malware) isn't authorised to access. It's been fairly shocking to me over my career the number of CTOs who seem happy with running large, flat networks.

                2. Anonymous Coward
                  Anonymous Coward

                  Re: It's my first day ;)

                  > Maybe you haven't worked anywhere where security is taken seriously

                  You would be wrong to think that.

                  You do raise good points concerning insider threats and intentionality, etc., but there are ways and ways to control for that so as not to end up in an "us vs them" dynamic.

                3. j.bourne

                  Re: It's my first day ;)

                  Trotting out the old ".. a lot of fraud etc. is from insiders" again. While indisputedly true does nothing to help. There's a reason a 'lot' if from 'insiders'. The reason is obvious it's relatively easy for insiders to do this when compared to 'outsiders'. It doesn't mean 'don't trust your staff/employees' (or at least invest some trust in them). Trust is needed in order for business to function. Without some trust, then it's either difficult or next to impossible to do your job or it's just not a nice place to work at. The level of trust extended requires controls of course. Case in point - permitted access to copy the whole codebase it seems. Why? This access shouldn't have been extended to a new hire on their first day.

              2. Falmari Silver badge

                Re: It's my first day ;)

                “Honestly though, how would you like working in a place where you are assumed to be, and treated like a hostile party?”

                Sorry I don’t feel that that having decent security is treating me like a hostile party. If access to something/somewhere needs to be restricted, you do that by putting a lock on it and giving the key only to the people that need access. Yes, it prevents access from a potential hostile party but more importantly it prevents accidental access and all the potential problems that can cause.

                Where I work there are multiple teams in multiple locations working on multiple projects. But I only have access to the source code for projects I work on. I don’t feel I am being treated like a hostile party. To me it is common sense to restrict access only to the people that need it. I also know if I need read/write access to another project which has happened I will be given it.

                I am not allowed to setup a personal OneDrive, Dropbox etc on my work laptop. Again, common sense security, removes the possibility of me accidentally copy files to it. Which would be a big possibility as we all have a company OneDrive to back up to.

          3. Anonymous Coward
            Anonymous Coward

            Re: thief

            Someone screwed up if it took 26000 alerts before questions were asked. Given it relates to ~7000 files, that multiple breaches per file deemed sufficiently serious to generate an alert.

            If the alerting ain't borked, the process or people are.

          4. doublelayer Silver badge

            Re: thief

            "My point was that the technical details of how he could get the files do not matter. The legal "details" is a different thing."

            And your point is wrong. The technical details are important to Tesla as they figure out how it happened, how damaging it was, and how they're going to prevent it happening again.

            "All these commentards trying to justify the theft because he could install Dropbox are wrong, IMO."

            It's mostly wrong because nobody's saying technical details absolve him of guilt if reports are true. That would look like "Tesla deserved this and he should go free". Nobody said that. Even the one person trying to argue that maybe he shouldn't be arrested if he did it isn't arguing that way, and I'm not agreeing with them. No justification of the crime is happening, and certainly not about technical details. Meanwhile, this is a technical site, so we care a bit about those details.

            "And Tesla's security is not inept, they caught the guy spot on."

            Security has lots of goals. "Identify and catch the guy after the crime" is one of them, but another and larger one is "Prevent crimes from happening". They didn't do that, or at least not fast enough to prevent thousands of files being leaked. That doesn't justify anything, but they might want to revisit some of their practices so that can't happen again.

        2. LDS Silver badge
          Facepalm

          "constitutes actual theft as he did not deprive its actual owner of anything material"

          Don't worry, they won't come much after your pirated movies and games, but trade secrets theft and industrial espionage are actually crimes punished by law. Ask Levandowski, who needed a Trump pardon to get out of jail - buy evidently you think like Trump stealing other people's work is fine.

        3. katrinab Silver badge
          Meh

          Re: thief

          Sure, but the law says you can't take the stuff without authorisation. Company policy tells you whether or not you have the authorisation.

          1. Falmari Silver badge

            Re: thief

            I am not sure the law does I think the law is a little more nuanced than that.

            For example, a company could say you are not authorised to copy source code to an external location. The company could sack you if you did copy source code to your personal PC. But that act of copying to your PC would not be illegal. If you were prosecuted, they would have to prove you had intent to deprive the company in someway maybe by selling to a rival.

  7. six_tymes

    He deserves PRISION and assets he owns to be held.

    1. Doctor Syntax Silver badge

      Elon - is that you?

      1. GrumpenKraut Silver badge

        I speculate Musk could spell 'prison' correctly.

  8. This post has been deleted by a moderator

  9. a_yank_lurker Silver badge

    Aliases-Questions

    Was Tesla aware of the aliases? If so, what were the reasons for the aliases? If he did supply a good reason, why did they hire him? I can think of a couple of reasons for an alias (adoption, marriage, legal name change come to mind) but there are not that many and AFAIK they all leave a paper trail to easily follow. The article implies the reason for the aliases was dodgy at best which means HR is run by idiots (but I repeat myself per Mark Twain). Twain's quote (paraphrased) "Suppose you are idiot and suppose you are member of Congress, but I repeat myself".

    1. JamesWRW

      Re: Aliases-Questions

      Samuel Clemens knew a thing or two about aliases.

    2. FILE_ID.DIZ Bronze badge

      Re: Aliases-Questions

      I doubt that by itself, someone having three names can be a legitimate reason for not hiring someone. If you look at your credit report, I'm sure that there are several permutations of your name listed. I know that I have at least six. Of course, unlike this person, five of my "names" are clearly derivatives of my legal name.

      However, a married woman (or man, if we want to be modern) can have at least two known names.... and with divorce statistics are what they are.... many may have several names by the time they die.

      What is in a name after all.

      1. Anonymous Coward
        Anonymous Coward

        Re: Aliases-Questions

        " and with divorce statistics are what they are.... many may have several names by the time they die."

        My Ex has several names for me. None of them usable on a family site like El Reg, though.

  10. Rol Silver badge

    Honey Pot!

    In the case of Tesla, a folder named "New Innovations" filled with thousands of files, that had nothing but random guff in them, would be all that was needed.

    Just as soon as a user started downloading the stuff, the alarm bells should ring, the account frozen and numerous managers roused from their sleep to deal with it.

    1. Neil Barnes Silver badge

      Re: Honey Pot!

      >> numerous managers roused

      Not sure what my brain was thinking, but for some reason it read that as murderous managers

  11. Ribfeast

    Where I work, anything cloudy is blocked, even if I take my work laptop home. USB sticks are also read only. OneDrive, Dropbox, iCloud etc all blocked. Surprisingly Office 365 webmail still works, but not the admin portal.

    No admin rights to install dropbox etc on workstations either. Would be pretty trivial to set up the same at Tesla surely?

    1. Falmari Silver badge

      Office 365

      I found a bug or maybe something my company has not locked down properly in Office 365 email.

      Certain files are not meant to be emailed like zips, exes etc and there is a size limit. I emailed my personal email account a driver that I zipped up at work and it bounced. But when I got home opened up my outlook which also has access to my work email on my personal PC and there in my work email was the zip file. I then tried with exes and huge zips and could access them via my outlook on my home PC.

      1. doublelayer Silver badge

        Re: Office 365

        I'm not sure whether that's a problem. You could probably do the same by putting those files in your OneDrive. You still need to log in to read them. Meanwhile, I don't think Office365 has any problem with you sending those files, just receiving them. The bounce was likely from whatever was set to receive the files.

        1. Falmari Silver badge

          Re: Office 365

          The bounce was from our email, company email Office 365 it is configured to stop those files my personal email is not. Maybe it not a problem just looked weird me can't email zips etc due to company policy but still get access to them on my home PC.

          1. A.P. Veening Silver badge

            Re: Office 365

            That is a well known leak, if you have access to the same mailserver from two different computers, you can transfer files that way. And if you do it via the Drafts folder, the mail is never sent so security triggers aren't fired.

            1. Anonymous Coward
              Anonymous Coward

              Re: Office 365

              Unless you are a U.S. military officer communicating with a reporter.

            2. Falmari Silver badge

              Re: Office 365

              @A.P. Veening cheers for the info.

          2. katrinab Silver badge

            Re: Office 365

            On Exchange, the file size limits for the send and receive connectors are configured separately, and you can have different send and receive connectors depending on where the mail is going to / coming from.

            I've never administered Office 365, so I don't know how much of that you can configure yourself and how much is dictated by Microsoft.

    2. Chloe Cresswell

      Dropbox is (like chrome) one of those annoying programs that doesn't need admin rights to be installed...

  12. Falmari Silver badge

    How long is a man-year?

    What metrics did Tesla use to come to 200 man-years? 200 man-years seems a long time for 6,300 python files.

    1. Tim99 Silver badge
      Trollface

      Re: How long is a man-year?

      Transcription error: 11 files a man/day instead of one file in 11 man/days.

      Or: 1 file written in 1 man/day, then 4 two hour meetings with 10 people.

    2. mevets Bronze badge

      Re: How long is a man-year?

      200 Tesla Engineer Person days == 4 AnyOtherOrg Person Days.

    3. doublelayer Silver badge

      Re: How long is a man-year?

      We don't know the length of those files. If they're very long, and people have been writing them for years, the time could add up. Also, I'm guessing they have just included all hours worked by the people on the development team who do that, so it's rough. Still,, without knowing the complexity it's hard to know if that's realistic or not.

    4. Anonymous Coward
      Anonymous Coward

      Re: How long is a man-year?

      If I was in charge of code that might, one day, be the subject of serious scrutiny as part of a massive lawsuit (our USian cousins being a somewhat notoriously vexatiously litigious people), it wouldn't matter if the code only took three minutes to write, on the legal principle of Defenderet vester culus I'd be subjecting it to hours of testing and inspection before allowing it in.

      Giving them the benefit of the doubt, I'm assuming Tesla is including the testing here in the year count, irrespective of how much of it is actually automated, and knowing how people (well...lawyers) do so love to exaggerate things when it comes to the legal fuckwittery they use to aggrandise their side of any action...

    5. Anonymous Coward
      Anonymous Coward

      Re: How long is a man-year?

      Works out at 56 hours per file, so likely exaggerated but not enormously (maybe one order of magnitude at most). Sneaking suspicion that many of those files are stuff coming in via PIP and so on.

    6. katrinab Silver badge
      Meh

      Re: How long is a man-year?

      I'm guessing number of developers in the team * the number of years the team has been in existence?

  13. mevets Bronze badge

    Metallica

    Remember when Metallica lead the charge in the protection of intellectual property? That was a lot to unpack; Metallica and intellectual in the same chapter, much less paragraph, sentence or phrase was a grave dissonance spiraling ever closer together.

    Good on Tesla, being able to find a scapegoat in their endless quest to achieve mediocrity. I hope this helps.

  14. Starace
    Devil

    Tesla have a QA department?!

    I thought one of their innovations was doing without that sort of thing, at least that's what the state of their product suggests.

    Not surprised by this incident though, if only because anyone with a brain steers well clear of working for Tesla these days.

  15. Anonymous Coward
    Anonymous Coward

    "Khatilov, also known as Sabhir Khatilov and Alex Tilov, "

    Nothing suspicious there, oh no. I mean we all have multiple names that we use on a daily basis, right?

    1. Anonymous Coward
      Anonymous Coward

      Re: "Khatilov, also known as Sabhir Khatilov and Alex Tilov, "

      We have an internet with a very Asian name. We call him "David", which bears no relationship to his actual name. When you work for a western company and have a name that is difficult to pronounce, yes this is normal.

      1. seven of five Silver badge

        Re: "Khatilov, also known as Sabhir Khatilov and Alex Tilov, "

        Same goes for someone from Finland working in France, no need to go all the way to asia. Called him (on his request) Ari, until we saw him drive. From then on, he was "Sisu" :) Liked that even better.

    2. Phones Sheridan

      Re: "Khatilov, also known as Sabhir Khatilov and Alex Tilov, "

      When I went working in Singapore, I was surprised how many locals had eastern sounding names like Dave, Jack, Kevin and Bob. Turns out most people in business there carry around 2 business cards, one for use when dealing with other locals with their given name, and one to give to people who speak english with a name they opted for at the start of their careers to make it easier to develop relationships with english speakers. It turns out we are more likely to interact with people who have familiar names.

      It's also very popular in China and India too.

      1. fajensen Silver badge

        Re: "Khatilov, also known as Sabhir Khatilov and Alex Tilov, "

        I used to work with a Chinese called “Win Forever”.

        1. Adrastus

          Re: "Khatilov, also known as Sabhir Khatilov and Alex Tilov, "

          In London in the seventies I was aquainted with a guy from japan who was very scathing about the frequency with which other East Asians (not those from Japan) adopted English names. He thought it showed a lack of national pride: I thought it a response to the monoculturalism in the Anglosphere. I can understand Sabhir Khatilov choosing Alex Tilov and I don't think it necessarily indicates criminal intent, though on the evidence it may.

          I have a Greek mate whose christian name is Athanasios. His American school teacher said "that is obscure" (a saint's name recognized by both the Latin and Greek communions) " I'm going to call you Danny."

          My daughter knows ( or knows of) a Scottish girl who makes a living from a website that, for a fee, will advise Chinese people on a suitable English name. They send a photo or a description of how they see themselves and she suggests a name along with information about what it means or how people see it. I can't imagine what narrative she gives but she makes money..

  16. idiot taxpayer here again
    FAIL

    Secure?

    Within three days, he began stealing thousands of highly confidential software files from Tesla’s secure internal network.

    Of course it was secure and no doubt it will turn out to be very advanced, sophisticated hack /s

  17. Pascal Monett Silver badge

    "the software somehow started backing up those files"

    Um, no. Dropbox does not scour your disk to find stuff to upload.

    It uploads what you put in its folder, nothing else.

    That is a very lame excuse, on top of whatever excuse the guy with three names had to install Dropbox in the first place.

    And three names ? How many mafias are you a part of ?

    1. Boothy Silver badge

      Re: "the software somehow started backing up those files"

      Dropbox will also sync Desktop, Documents and Downloads if you set that option up, not just the 'Dropbox' folder.

      1. hoola Silver badge

        Re: "the software somehow started backing up those files"

        Looking at what happened on a friends Apple computer Dropbox appears to have a default configuration. They needed to use Dropbox to download files provided by a teaching centre they were contracted to for a few days a week. They installed Dropbox and the next thing it had uploaded loads of phots and documents, no obvious user interaction. Now in this instance with Tesla this was a techy taken on to do techy stuff. At the most basic level the guy was an idiot if this was accidental and completely naïve if this was deliberate and he though the could get away with it. If he was new and had no idea of the working protocols he should of asked but in these days of home working it can be challenging to get responses from upstream management. I feel that are significant failings on both sides but particularly on the part of Tesla as an employer.

      2. Pascal Monett Silver badge

        Re: "if you set that option"

        IF being the operative word.

        It is not set by default AFAIK.

  18. WONKY KLERKY
    Linux

    HE'S NOT A THIEF, HE'S JUST A VERY NAUGHTY BOY!

    Wonky Klerky

    pp.

    BiG M.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021