Tesla axes software engineer for allegedly pilfering secret Python scripts after just three days on the job

Tesla has fired and sued software engineer Alex Khatilov for alleged trade secret theft and breach of contract. The electric automaker claims its former employee copied thousands of files to his personal Dropbox account just days after being hired. The complaint [PDF], filed on Friday in US District Court in San Jose, …

  1. Boris the Cockroach Silver badge
    Facepalm

    New worker same old

    Fired for being an idiot I think would be closer to the truth

    I mean, who installs Dropbox (or any other cloudy backup) without knowing it's going to start leeching copies of your files...

    1. Version 1.0 Silver badge
      Meh

      Re: New worker same old

      At least Google Drive prompts you every time you plug a USB stick in to back up the contents to the cloud via Google. But was he an idiot, or was Tesla stupid for having a working environment where this is possible? I wonder where else this is happening... he's a Python programmer, he's not stupid but he concentrates on his coding, not the environment - that's normal.

      1. This post has been deleted by its author

      2. don't you hate it when you lose your account

        Re: New worker same old

        Any such software should be banned by policy and practice. Why was he allowed to do this on a work laptop, how could he refuse to allow them to share the screen?

      3. Anonymous Coward

        Re: New worker same old

        Actually, as a python programmer, he qualifies as stupid for that reason alone.

  2. Chairman of the Bored

    Investigator?

    I question the investigator's tactics - supervising destruction of evidence? Tampering with a material witness? Seriously?

    It sounds like they had enough information from their security software to get an emergency injunction. Given that document Microsoft could freeze the Dropbox account and archive relevant log files. Then you file a criminal complaint, which would spawn a search warrant. Then you grab the employee's computer, the Dropbox, everything.

    Doing anything else does not maximize one's chances in court.

    1. DevOpsTimothyC
      Stop

      Re: Investigator?

      Their role (in the security team) is to limit (clean up) or prevent any breach. By instructing the employee to remove the files from the dropbox account they are preventing further dessemination of the files.

      Going through the legal route leaves those files in place to be copied out of a place where they can be tracked.

      What destruction of evidance? They have the logs of the source so can prove the content, if needed they can subpeona (from dropbox) the source and destination. They do not need the files to stay in a personal dropbox account for an unknown period of time. Most video confrencing software allows for the meeting to be recorded (I haven't used teams so don't know on that one) if Teams does not nativly they could be using other screen capturing software to record the call.

      1. Lord Elpuss Silver badge

        Re: Investigator?

        "Their role (in the security team) is to limit (clean up) or prevent any breach. By instructing the employee to remove the files from the dropbox account they are preventing further dessemination of the files.

        Going through the legal route leaves those files in place to be copied out of a place where they can be tracked.

        What destruction of evidance? They have the logs of the source so can prove the content, if needed they can subpeona (from dropbox) the source and destination. They do not need the files to stay in a personal dropbox account for an unknown period of time. Most video confrencing software allows for the meeting to be recorded (I haven't used teams so don't know on that one) if Teams does not nativly they could be using other screen capturing software to record the call."

        That made my eyes bleed. Dissemination not dessemination. Evidence not evidance. Subpoena not subpeona. Conferencing not confrencing. Natively not nativly.

        1. trist

          Re: Investigator?

          I thought dessemination was when you tried to undo insemination.

          1. Doctor Syntax Silver badge

            Re: Investigator?

            Either that or it's something you do with a sharp knife.

            1. Anonymous Coward

              Re: Investigator?

              I thought that was delegation.

              (Although the children of a psychiatrist friend thought that was what sectioning meant. )

            2. trist

              Re: Investigator?

              I think that the steel coat hangers were used in the Eire. Wonder if the moderators will delete this comment.

    2. druck Silver badge

      Re: Investigator?

      Microsoft might be able to freeze a One Drive account, but not a Dropbox one - I hope.

      1. TimMaher Silver badge
        Trollface

        Windows 10

        It can freeze anything.

        1. Anonymous Coward
          Devil

          Re: Windows 10

          Anything but system updates.

          1. TRT Silver badge

            Re: Windows 10

            The day Microsoft start making iceboxes is the day they start making something that doesn’t keep freezing.

        2. GBE

          Re: Windows 10

          It can freeze anything.

          Including my laptop. [Three times so far this morning, and it's not even 10AM yet.]

  3. man_iii

    Python script as a.Service

    If he stole scripts in bash and Python wouldn't he have to steal the toolchain configs and server setup and pipeline info?

    rm -rf * won't help you no matter the script.

    1. doublelayer Silver badge

      Re: Python script as a.Service

      "If he stole scripts in bash and Python wouldn't he have to steal the toolchain configs and server setup and pipeline info?"

      Probably not, but if those were there, they could be in the collection too. There isn't a lot of toolchain configuration for Python that isn't obvious, although it depends on what structure they decided on. The server may have complex logic, but for all we know it just takes in an item to test and passes it on to the Python backend which does all the work.

  4. Anonymous Coward
    Devil

    Ahummmm

    >>The scripts said to have been taken are used for procurement, inventory management, payment, processing, and delivery, among other business functions.

    >>"These scripts would be extremely valuable to a competitor," said Golda Arulappan

    Yeah............

    Exactly those fields of the business and business functions that competitors have eons of experience over dear Tesla.

    1. Charlie Clark Silver badge

      Re: Ahummmm

      The value will matter in any compensation claims, which may extend to any third parties: this is after all in America. From the brief description, I assume Dropbox will be required to turn over logs of which files were copied and who had access to them. Dropbox doesn't automatically sync the whole file system and in my experience doesn't bother with removable storage so any copying will have been done deliberately.

      1. NetBlackOps

        Re: Ahummmm

        No, every time I lug in a freshly formatted portable storage device, I have to tell Dropbox *not* to back up the device.

  5. Anonymous Coward

    "Received a computer" "He also installed Dropbox"

    Installing a personal account on a company PC should be enough to fire him (now that I'm working from home my company PC and phone are even on a separate VLAN, with no access from the rest of the network)

    Anyway accessing all the files he could hoard in a few days without any real need doesn't look a smart move either (while security people at Tesla enjoyed the festivities, it looks).

    But that's probably what you should expect if you hire someone who uses at least three different names.

    Yet I believe all those files were about Tesla cars' inner workings, not procurement and payroll - are SAP and Oracle actually the competitors of Tesla? Is Musk pivoting to ERP?

    1. Jellied Eel Silver badge

      Re: "Received a computer" "He also installed Dropbox"

      Yet I believe all those files were about Tesla cars' inner workings, not procurement and payroll - are SAP and Oracle actually the competitors of Tesla? Is Musk pivoting to ERP?

      I'm not a software developer, but curious about.. "representing at least 6,300 files."

      That's quite a lot of files, and presumably would include a lot of dependencies & interactions between files to run a business. So curious if trying to do that in Python is either common, or sensible. And given previous cases where employees have stolen Tesla IP, whether they've learned anything. As others have pointed out, why was Dropbox permitted, and why would a new hire be given access to code modules they don't need? So if he was hired to review code relating to specific functional areas, then it would seem sensible to limit access to those function repositories.. Especially as a new, presumably probationary hire.

      1. big_D Silver badge

        Re: "Received a computer" "He also installed Dropbox"

        6300 files isn't that much for a complex system. They can quickly run into the 10s of thousands. As to this case, I can't comment.

        And, yes, installing "personal", i.e. not from IT controlled and installed, is generally a big no-no in most companies I've worked for, either it isn't allowed or you have to get special permission and a damned good reason for doing so.

        1. Anonymous Coward

          Re: "Received a computer" "He also installed Dropbox"

          At the company where I work we have always been allowed to install anything on our computers. In general it is considered preferable for employees to use their own preferred tools and workflow (as long as the end-result is up to spec). Personally, I have found this useful on any number of occasions. When you are trying to find a solution to a problem, you don't want to be bugging IT to try every possible tool.

          BUT

          Network traffic is controlled, and there is absolutely 0 chance of us being allowed to use dropbox. We can install it sure, but it's just a lump failing to talk to the rest of the world. There is similar behavior with a lot of software for which you download an "installer" which downloads the actual program.

          So far, this policy doesn't seem to have caused any problems (over 40 years or whatever of the company's existence). Doesn't mean that it won't one day.

          1. big_D Silver badge

            Re: "Received a computer" "He also installed Dropbox"

            Given licensing issues, data protection issues and security issues, everywhere I have worked has had very strict rules on what software is allowed or not.

            All too often people will say, "but it is free, I use it at home," yeah, home fine, but actually read the license and it is only for personal use, you can't use it for business without buying a license or professional support.

            It is nice that your employer is a little more lenient. Although, working in IT and responsible for licensing and security, I'd prefer to deal with our locked-down model.

            1. Anonymous Coward

              Re: "Received a computer" "He also installed Dropbox"

              Oh yes, I totally understand. If I were an admin, I too would prefer the locked down model. I think the only reason this works is that the vast majority of employees are hardcore hard/software devs and they are pretty choosy about hiring, so we are generally trusted not to be dense about that kind of thing.

              Will it bite us in the ass one day? \_o_/

    2. chivo243 Silver badge
      WTF?

      Re: "Received a computer" "He also installed Dropbox"

      I find it incredibly inept that a company like Tesla would allow an employee to install any software on company gear. I'm not sure where to point the finger of blame on this one. Policy? Enforcement? He got away with Dropbox copying files for 3 days before starting again 2 days later and finally raising a flag with the security department?

      I think this case deserves a closer look.

      1. Anonymous Coward

        Re: "Received a computer" "He also installed Dropbox"

        We don't know if his role required quite broad access to PC resources, plus there is also software that keeps on installing where it should not to "infect" as many PCs as it can (Google Chrome, anyone?), bypassing usual restrictions. And of course if you hire someone for quality assurance they should be trusted enough to access a lot of sensitive info.

        Anyway this is an example why I don't like VCS systems without a good ACLs implementation that allows to control who can access what. Unrestricted read access is good for open source projects only.

        Tesla should have handled this far better, of course, and maybe doesn't want to look like those companies who treat employees as pure drones forced to work only in their heavily restricted cell in the hive.

        But there are times when you have to rely also on the ethic of your employees. I have a broad access to my work PCs, as it is required by my job. I signed an agreement allowing it, and taking responsibilities for what could happen. I don't use them but for my job and anything private never touches them. Moreover today there's really very little need to mix your work stuff with private one, since you can access most of what you need through a smartphone when away from home, if you don't like to carry another PC.

        It looks Tesla need a far better hiring process.

      2. Anonymous Coward

        Re: "Received a computer" "He also installed Dropbox"

        "I find it incredibly inept that a company like Tesla would allow an employee to install any software on company gear."

        Unlike in other professions where the tools required are nailed down and limited, people who work in IT tend to get free rein over what they can install due to the nature of the job. Otherwise we'd forever be sending chats/emails to IT sec to let us download libXYZ, gcc ver 4.5.6.7, python 3.7.1.0.3.4, boost whatever etc. To do our jobs properly we need to download a lot of crap to try stuff out and upgrade that IT sec really don't understand or give a shit about.

        1. A.P. Veening Silver badge

          Re: "Received a computer" "He also installed Dropbox"

          You are correct, but Dropbox (and other file sharing tools) should either be on a pre-approved or a pre-blocked list, normally the latter unless you are working on Dropbox.

        2. Charlie Clark Silver badge

          Re: "Received a computer" "He also installed Dropbox"

          True, but you might expect them to be required to set up dedicated accounts for personal stuff.

        3. Anonymous Coward

          Re: "Received a computer" "He also installed Dropbox"

          I beg to differ. IT Sec does indeed understand why you think you need a two and a half year old copy of Python with its associated list of CVEs rated 4.0 or better. We're just not allowed to say it because HR doesn't appreciate when we refer to their choices as 'oh, god, not again'. We also understand why you aren't allowed to install it. Your lack of understanding is why there has to be an IT Sec group in the first place.

          1. Anonymous Coward

            Re: "Received a computer" "He also installed Dropbox"

            "I beg to differ. IT Sec does indeed understand why you think you need a two and a half year old copy of Python"

            That's never been my experience. Most people in the security dept couldn't even name a programming language other than PowerShell, much less understand why a particular version is needed. They're more concerned with Windows viruses and exploits and if any of them have any understanding of development they're usually found in devops, not the security team. And Unix security is usually left to the Unix ops team because IT sec are usually exclusively Windows guys.

            "Your lack of understanding is why there has to be an IT Sec group in the first place."

            I think you overrate your own importance. SMBs don't even usually have a dedicated IT sec.

        4. chivo243 Silver badge
          Thumb Up

          Re: "Received a computer" "He also installed Dropbox"

          I agree! Yes, we do. I try out tons of stuff, both for professional requests, and personal interest. There is enough of the responsibility pie to go around on this one. I still question giving a new hire access to that much "sort of important" data with little controls, I've not had the experience of working in a very large company, so I might not understand enterprise security completely, but...

          I mean, Dropbox, c'mon...

    3. Snake Silver badge

      Re: "Received a computer" "He also installed Dropbox"

      "But that's probably what you should expect if you hire someone who uses at least three different names."

      Hit right on the head. Isn't that an exact truth that 99.9% of the people here are missing?

      I once had the displeasure of getting involved with someone who carried multiple aliases. I had absolutely no knowledge of this fact... until the last time I spoke to him through his jail bars at the State holding facility. With the State Police notifying me that they were still trying to figure out his true name from all the aliases.

      Red flag. A field of them. With an alarm klaxon. And lighthouse-grade search light. Plus radiation warnings.

      1. Danny 2

        Re: "Received a computer" "He also installed Dropbox"

        Khatilov is an extremely rare Russian name. Sabhir is an Indian name. But I guess these don't raise red flags when the CEO is called Elon Musk.

        1. jmch Silver badge

          Re: "Received a computer" "He also installed Dropbox"

          How would Tesla know about any other name except the one he supplied them with? I very much doubt any company would run a full background check on every new hire.

          1. Gordon 10

            Re: "Received a computer" "He also installed Dropbox"

            You obviously haven't been hired by a big corporate.

            Whilst I don't know if the standard background checks would pick up aliases I would expect them to pick up inconsistencies in his main identity - lack of or false exam certs for example.

      2. Anonymous Coward

        Re: "Received a computer" "He also installed Dropbox"

        > Isn't that an exact truth that 99.9% of the people here are missing?

        Nope. Where transliteration and different naming customs are involved, you are very likely to end up with a collection of different names whether you like it or not.

        1. stiine Silver badge
          WTF?

          Re: "Received a computer" "He also installed Dropbox"

          If you want to find out how many names you have, buy a house. I had to sign a page with over 20 different versions of my name, most of which made no fucking sense whatsoever. The only one that did make sense was the one missing the space because the GA drivers' license department's computers didn't allow spaces in last names in 1994...

          1. Snake Silver badge

            Re: 20 different versions when buying a house

            That is very, very strange. When I bought my house I had only 1 version on all the forms, they were all correct from the get-go.

            It sounds like your lawyer failed to properly vet the paperwork; these types of issues should have been resolved before you even stepped foot into his / her office.

    4. jmch Silver badge

      Re: "Received a computer" "He also installed Dropbox"

      So Tesla IT security have systems in place that detected and alerted the file transfer, but didn't lock down the laptop so no software could be installed? It's years since I've been allowed admin on my office laptop.

    5. A 15

      Re: "Received a computer" "He also installed Dropbox"

      I'm not convinced that the three aliases are a big deal. I would be more worried if the list was longer and the names were unrelated to each other.

      In reality he has used the family name Tilov and Khatilov. Family names don't always work in the same straightforward way that they usually do in the west. Sometimes there is gender modification e.g "ova" for females sometimes "s" added to male surnames (Russia and some parts of eastern Europe). There may be associations with the "Kha" part of the name that the defendant wanted to remove to avoid prejudice.

      For the first name, he changed Sabir to Alex: it's common for people from different cultures to pick western names either to avoid pronunciation problems or to avoid prejudice.

      It's also possible he's just beginning in the spy game, but why would you use any part of your real identity in such a circumstance?

      1. GrumpenKraut

        Re: "Received a computer" "He also installed Dropbox"

        > it's common for people from different cultures to pick western names either to avoid pronunciation problems or to avoid prejudice.

        No need for non-western origin. My first name is thoroughly unusable in English. I tell it, people look in disbelief, then I tell my nickname.

      2. TheMeerkat

        Re: "Received a computer" "He also installed Dropbox"

        Sabir Khatilov sounds like a name from Turkmenistan (or some other former USSR “stans”)

        It is a combination of non-Slavic Asian first name and the last name ending with “ov” like Russian names usually end.

  6. Lorribot

    If he was not supposed to be accessing the files as part of his job then why did someone (in the group of 8) give him access to them in the first place?

    If users are not supposed to install Dropbox then why are they not blocking it from running or even installing?

    If they knew he was transferring files to Dropbox why don't they block the transfer files to Dropbox automatically?

    Seems to me the security guys are deflecting from their own inadequacies here. Also looks like the stable door is still flapping in the breeze.

    1. o p

      thief

      Company policy says he should not copy files outside of Tesla's control. That's what he did. Security caught him. Police, handcuffs, jail.

      The technical details are irrelevant.

      1. Lorribot

        Re: thief

        If you put a sign on an open door saying "do not enter" don't be surprised when you come home to find your unlocked house ransacked.

        We have laws that say don't murder and yet there are many murders every year. Paper rules are the last line not the first and are there to allow recourse should something happen, far better to stop it in the first place, and in this case not the most complex thing to do.

        Perhaps it is part of Musk's rapid and agile development process.

        1. Anonymous Coward

          Re: thief

          Your analogy would only work if the burglar worked for the person whose house he burgled and for [reasons] it could only possibly have been him that did it.

      2. Commswonk

        Re: thief

        Company policy says he should not copy files outside of Tesla's control. That's what he did. Security caught him. Police, handcuffs, jail.

        Non sequitur. Breaching company policy may easily be an act for which dismissal is appropriate, but it does not in and of itself constitute a breach of the criminal law, and if it doesn't then police / handcuffs / jail involvement is simply... illegal.

        Even proving theft might be difficult; OK he grabbed a load of Intellectual Property but IIRC it can be hard to prove that that constitutes actual theft as he did not deprive its actual owner of anything material.

        1. o p

          Re: thief

          My point was that the technical details of how he could get the files do not matter. The legal "details" is a different thing.

          All these commentards trying to justify the theft because he could install Dropbox are wrong, IMO.

          And Tesla's security is not inept, they caught the guy spot on.

          And Elon Musk's recruiting strategy does not look reckless when you look at what his teams do.

          1. Jellied Eel Silver badge

            Re: thief

            And Tesla's security is not inept, they caught the guy spot on.

            Sure, they caught the guy. But files slurped from Tesla into Dropbox, and from there, who knows? So if this was industrial espionage rather than a dumb criminal, files could/would have been copied from Dropbox to other repositories or recipients.

            The complaint seems to make out the files were a reasonable chunk of Tesla's 'crown jewels' IP, but their systems or procedures didn't seem to prevent a new hire making a copy.

            1. trist

              Re: thief

              Did he send the files off to Uber? They could be looking to screw suppliers for components.

              How long before Peter Thiel writes a testimonial saying that he was a top bloke?

          2. Falmari Silver badge

            It's my first day ;)

            The technical details of how he could get the files are important. How do you prove he was stealing them? He had access to the files; he could say he thought they were the Python files he needed. Copying them to his Dropbox he can say, was I not meant to do that, sorry I am new here. It is easy to argue you did not know you were doing anything wrong if there is no security in place to enforce the rules and stop you.

            Tesla security was inept. Firstly, he had access to files he was not supposed to: no security in place. Secondly, he was able to install his personal Dropbox and copy files to it: again, no security in place. Thirdly, they caught the guy after the event; the files could have already been copied from that Dropbox.

            No one is trying to justify theft; they are pointing out how lax security was.

            1. Anonymous Coward

              Re: It's my first day ;)

              Honestly though, how would you like working in a place where you are assumed to be, and treated like a hostile party?

              And was security actually lax or merely commensurate with the actual (as opposed to claimed) importance of those data? Two hundred man-years (as claimed, though I wonder if that includes third party libraries, etc.) is not a trivial amount of work and you wouldn't want it to end up in a torrent, but it's not likely to be the crown jewels either.

              1. Doctor Syntax Silver badge

                Re: It's my first day ;)

                Firstly, a lot of fraud etc. is from insiders. The assumption isn't that you are hostile but that you could be, albeit with a low probability.

                Secondly, what the user does might not be intentional. The user might be hit with malware.

                Maybe you haven't worked anywhere where security is taken seriously although that's not surprising as it seems to be a rare thing. My final contract was with a site where the LAN was properly segmented so that there was no chance of the secure data we were handling leaking into the office systems. It made sorting out errors in the incoming a bit inconvenient but that's what happens when you refuse to trade security for convenience, maybe something Tesla should have a think about.

                1. Jellied Eel Silver badge

                  Re: It's my first day ;)

                  Secondly, what the user does might not be intentional. The user might be hit with malware.

                  Yup. This is a huge problem in a lot of businesses. Have an external-facing firewall, but weak or non-existent internal security. And then assume that outbound connections from your network are trusted. Then someone clicks on a dodgy link, or opens a dodgy file and malware can roam around the internal network at will.

                  As you say, segmenting and securing internal networks makes it a whole lot safer and also simpler to detect & audit attempts to access stuff a user (or the user's malware) isn't authorised to access. It's been fairly shocking to me over my career the number of CTOs who seem happy with running large, flat networks.

                2. Anonymous Coward

                  Re: It's my first day ;)

                  > Maybe you haven't worked anywhere where security is taken seriously

                  You would be wrong to think that.

                  You do raise good points concerning insider threats and intentionality, etc., but there are ways and ways to control for that so as not to end up in an "us vs them" dynamic.

                3. j.bourne

                  Re: It's my first day ;)

                  Trotting out the old ".. a lot of fraud etc. is from insiders" again. While indisputably true, it does nothing to help. There's a reason a 'lot' is from 'insiders'. The reason is obvious: it's relatively easy for insiders to do this when compared to 'outsiders'. It doesn't mean 'don't trust your staff/employees' (or at least invest some trust in them). Trust is needed in order for business to function. Without some trust, then it's either difficult or next to impossible to do your job or it's just not a nice place to work at. The level of trust extended requires controls of course. Case in point - permitted access to copy the whole codebase it seems. Why? This access shouldn't have been extended to a new hire on their first day.

              2. Falmari Silver badge

                Re: It's my first day ;)

                “Honestly though, how would you like working in a place where you are assumed to be, and treated like a hostile party?”

                Sorry I don’t feel that having decent security is treating me like a hostile party. If access to something/somewhere needs to be restricted, you do that by putting a lock on it and giving the key only to the people that need access. Yes, it prevents access from a potential hostile party but more importantly it prevents accidental access and all the potential problems that can cause.

                Where I work there are multiple teams in multiple locations working on multiple projects. But I only have access to the source code for projects I work on. I don’t feel I am being treated like a hostile party. To me it is common sense to restrict access only to the people that need it. I also know if I need read/write access to another project which has happened I will be given it.

                I am not allowed to set up a personal OneDrive, Dropbox etc on my work laptop. Again, common sense security, removes the possibility of me accidentally copying files to it. Which would be a big possibility as we all have a company OneDrive to back up to.

          3. Anonymous Coward

            Re: thief

            Someone screwed up if it took 26000 alerts before questions were asked. Given it relates to ~7000 files, that's multiple breaches per file deemed sufficiently serious to generate an alert.

            If the alerting ain't borked, the process or people are.

          4. doublelayer Silver badge

            Re: thief

            "My point was that the technical details of how he could get the files do not matter. The legal "details" is a different thing."

            And your point is wrong. The technical details are important to Tesla as they figure out how it happened, how damaging it was, and how they're going to prevent it happening again.

            "All these commentards trying to justify the theft because he could install Dropbox are wrong, IMO."

            It's mostly wrong because nobody's saying technical details absolve him of guilt if reports are true. That would look like "Tesla deserved this and he should go free". Nobody said that. Even the one person trying to argue that maybe he shouldn't be arrested if he did it isn't arguing that way, and I'm not agreeing with them. No justification of the crime is happening, and certainly not about technical details. Meanwhile, this is a technical site, so we care a bit about those details.

            "And Tesla's security is not inept, they caught the guy spot on."

            Security has lots of goals. "Identify and catch the guy after the crime" is one of them, but another and larger one is "Prevent crimes from happening". They didn't do that, or at least not fast enough to prevent thousands of files being leaked. That doesn't justify anything, but they might want to revisit some of their practices so that can't happen again.

        2. Anonymous Coward
          Facepalm

          "constitutes actual theft as he did not deprive its actual owner of anything material"

          Don't worry, they won't come much after your pirated movies and games, but trade secrets theft and industrial espionage are actually crimes punished by law. Ask Levandowski, who needed a Trump pardon to get out of jail - but evidently you think, like Trump, stealing other people's work is fine.

        3. katrinab Silver badge
          Meh

          Re: thief

          Sure, but the law says you can't take the stuff without authorisation. Company policy tells you whether or not you have the authorisation.

          1. Falmari Silver badge

            Re: thief

            I am not sure the law does; I think the law is a little more nuanced than that.

            For example, a company could say you are not authorised to copy source code to an external location. The company could sack you if you did copy source code to your personal PC. But that act of copying to your PC would not be illegal. If you were prosecuted, they would have to prove you had intent to deprive the company in some way, maybe by selling to a rival.

  7. six_tymes

    He deserves PRISION and assets he owns to be held.

    1. Doctor Syntax Silver badge

      Elon - is that you?

      1. GrumpenKraut

        I speculate Musk could spell 'prison' correctly.

  8. a_yank_lurker

    Aliases-Questions

    Was Tesla aware of the aliases? If so, what were the reasons for the aliases? If he did supply a good reason, why did they hire him? I can think of a couple of reasons for an alias (adoption, marriage, legal name change come to mind) but there are not that many and AFAIK they all leave a paper trail to easily follow. The article implies the reason for the aliases was dodgy at best, which means HR is run by idiots (but I repeat myself per Mark Twain). Twain's quote (paraphrased) "Suppose you are an idiot and suppose you are a member of Congress, but I repeat myself".

    1. JamesWRW

      Re: Aliases-Questions

      Samuel Clemens knew a thing or two about aliases.

    2. FILE_ID.DIZ

      Re: Aliases-Questions

      I doubt that by itself, someone having three names can be a legitimate reason for not hiring someone. If you look at your credit report, I'm sure that there are several permutations of your name listed. I know that I have at least six. Of course, unlike this person, five of my "names" are clearly derivatives of my legal name.

      However, a married woman (or man, if we want to be modern) can have at least two known names.... and with divorce statistics are what they are.... many may have several names by the time they die.

      What is in a name after all.

      1. Anonymous Coward
        Anonymous Coward

        Re: Aliases-Questions

        " and with divorce statistics are what they are.... many may have several names by the time they die."

        My Ex has several names for me. None of them usable on a family site like El Reg, though.

  9. Rol

    Honey Pot!

    In the case of Tesla, a folder named "New Innovations" filled with thousands of files, that had nothing but random guff in them, would be all that was needed.

    Just as soon as a user started downloading the stuff, the alarm bells should ring, the account frozen and numerous managers roused from their sleep to deal with it.
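
A sketch of the decoy-folder tripwire described in the comment above, as an added example that is not part of the original thread and not anything Tesla is known to run. The log format, the decoy path, the thresholds and the user names are all constructed for illustration.

```python
"""Decoy-folder tripwire over file-access log lines (all sample data constructed)."""
import posixpath
from collections import defaultdict
from datetime import datetime, timedelta

DECOY_PREFIX = "/shares/New Innovations/"  # hypothetical decoy folder
BULK_THRESHOLD = 3                          # decoy touches inside WINDOW that escalate
WINDOW = timedelta(minutes=5)

# Constructed log: ISO timestamp, user, action, path (tab-separated).
SAMPLE_LOG = (
    "2021-01-06T09:00:01\talice\tREAD\t/shares/build/ci.py\n"
    "2021-01-06T09:02:00\tbob\tREAD\t/shares/New Innovations/plan_0001.txt\n"
    "garbage line without tabs\n"
    "2021-01-06T09:10:00\tcarol\tCOPY\t/shares/New Innovations/plan_0001.txt\n"
    "2021-01-06T09:10:01\tcarol\tCOPY\t/shares/New Innovations/plan_0002.txt\n"
    "2021-01-06T09:10:02\tcarol\tCOPY\t/shares/New Innovations/plan_0003.txt\n"
    "2021-01-06T14:00:00\tbob\tREAD\t/shares/New Innovations/plan_0002.txt\n"
)


def parse(line):
    """Split one log line; raises ValueError on malformed input."""
    ts, user, action, path = line.split("\t", 3)
    return datetime.fromisoformat(ts), user, action, posixpath.normpath(path)


def evaluate(log_text):
    """Return {user: 'alert' | 'freeze'} for every user who touched a decoy file."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        try:
            ts, user, action, path = parse(line)
        except ValueError:
            continue  # skip malformed lines instead of crashing the monitor
        if action in ("READ", "COPY") and (path + "/").startswith(DECOY_PREFIX):
            hits[user].append(ts)

    verdicts = {}
    for user, times in hits.items():
        times.sort()
        verdict = "alert"  # nobody has a business reason to open a decoy
        # Sliding window: BULK_THRESHOLD touches within WINDOW looks like bulk copying.
        for i in range(len(times) - BULK_THRESHOLD + 1):
            if times[i + BULK_THRESHOLD - 1] - times[i] <= WINDOW:
                verdict = "freeze"
                break
        verdicts[user] = verdict
    return verdicts


if __name__ == "__main__":
    for user, verdict in evaluate(SAMPLE_LOG).items():
        print(f"{user}: {verdict}")
```

Because the decoy files have no legitimate readers, the first touch is already a high-confidence signal, which is what lets the response fire on a handful of events rather than thousands.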

    1. Neil Barnes Silver badge

      Re: Honey Pot!

      >> numerous managers roused

      Not sure what my brain was thinking, but for some reason it read that as murderous managers

  10. Ribfeast

    Where I work, anything cloudy is blocked, even if I take my work laptop home. USB sticks are also read only. OneDrive, Dropbox, iCloud etc all blocked. Surprisingly Office 365 webmail still works, but not the admin portal.

    No admin rights to install dropbox etc on workstations either. Would be pretty trivial to set up the same at Tesla surely?

    1. Falmari Silver badge

      Office 365

      I found a bug or maybe something my company has not locked down properly in Office 365 email.

      Certain files are not meant to be emailed, like zips, exes etc., and there is a size limit. I emailed my personal email account a driver that I zipped up at work and it bounced. But when I got home and opened up my Outlook, which also has access to my work email on my personal PC, there in my work email was the zip file. I then tried with exes and huge zips and could access them via my Outlook on my home PC.

      1. doublelayer Silver badge

        Re: Office 365

        I'm not sure whether that's a problem. You could probably do the same by putting those files in your OneDrive. You still need to log in to read them. Meanwhile, I don't think Office365 has any problem with you sending those files, just receiving them. The bounce was likely from whatever was set to receive the files.

        1. Falmari Silver badge

          Re: Office 365

          The bounce was from our email; the company email, Office 365, is configured to stop those files, my personal email is not. Maybe it's not a problem, it just looked weird to me: I can't email zips etc. due to company policy but still get access to them on my home PC.

          1. A.P. Veening Silver badge

            Re: Office 365

            That is a well known leak, if you have access to the same mailserver from two different computers, you can transfer files that way. And if you do it via the Drafts folder, the mail is never sent so security triggers aren't fired.

            1. Anonymous Coward
              Anonymous Coward

              Re: Office 365

              Unless you are a U.S. military officer communicating with a reporter.

            2. Falmari Silver badge

              Re: Office 365

              @A.P. Veening cheers for the info.

          2. katrinab Silver badge

            Re: Office 365

            On Exchange, the file size limits for the send and receive connectors are configured separately, and you can have different send and receive connectors depending on where the mail is going to / coming from.

            I've never administered Office 365, so I don't know how much of that you can configure yourself and how much is dictated by Microsoft.

    2. Chloe Cresswell Silver badge

      Dropbox is (like chrome) one of those annoying programs that doesn't need admin rights to be installed...

  11. Falmari Silver badge

    How long is a man-year?

    What metrics did Tesla use to come to 200 man-years? 200 man-years seems a long time for 6,300 python files.

    1. Tim99 Silver badge
      Trollface

      Re: How long is a man-year?

      Transcription error: 11 files a man/day instead of one file in 11 man/days.

      Or: 1 file written in 1 man/day, then 4 two hour meetings with 10 people.

    2. mevets

      Re: How long is a man-year?

      200 Tesla Engineer Person days == 4 AnyOtherOrg Person Days.

    3. doublelayer Silver badge

      Re: How long is a man-year?

      We don't know the length of those files. If they're very long, and people have been writing them for years, the time could add up. Also, I'm guessing they have just included all hours worked by the people on the development team who do that, so it's rough. Still, without knowing the complexity it's hard to know if that's realistic or not.

    4. Anonymous Coward
      Anonymous Coward

      Re: How long is a man-year?

      If I was in charge of code that might, one day, be the subject of serious scrutiny as part of a massive lawsuit (our USian cousins being a somewhat notoriously vexatiously litigious people), it wouldn't matter if the code only took three minutes to write, on the legal principle of Defenderet vester culus I'd be subjecting it to hours of testing and inspection before allowing it in.

      Giving them the benefit of the doubt, I'm assuming Tesla is including the testing here in the year count, irrespective of how much of it is actually automated, and knowing how people (well...lawyers) do so love to exaggerate things when it comes to the legal fuckwittery they use to aggrandise their side of any action...

    5. Anonymous Coward
      Anonymous Coward

      Re: How long is a man-year?

      Works out at 56 hours per file, so likely exaggerated but not enormously (maybe one order of magnitude at most). Sneaking suspicion that many of those files are stuff coming in via PIP and so on.

    6. katrinab Silver badge
      Meh

      Re: How long is a man-year?

      I'm guessing number of developers in the team * the number of years the team has been in existence?

  12. mevets

    Metallica

    Remember when Metallica led the charge in the protection of intellectual property? That was a lot to unpack; Metallica and intellectual in the same chapter, much less paragraph, sentence or phrase was a grave dissonance spiraling ever closer together.

    Good on Tesla, being able to find a scapegoat in their endless quest to achieve mediocrity. I hope this helps.

  13. Starace
    Devil

    Tesla have a QA department?!

    I thought one of their innovations was doing without that sort of thing, at least that's what the state of their product suggests.

    Not surprised by this incident though, if only because anyone with a brain steers well clear of working for Tesla these days.

  14. Anonymous Coward
    Anonymous Coward

    "Khatilov, also known as Sabhir Khatilov and Alex Tilov, "

    Nothing suspicious there, oh no. I mean we all have multiple names that we use on a daily basis, right?

    1. Anonymous Coward
      Anonymous Coward

      Re: "Khatilov, also known as Sabhir Khatilov and Alex Tilov, "

      We have an intern with a very Asian name. We call him "David", which bears no relationship to his actual name. When you work for a western company and have a name that is difficult to pronounce, yes this is normal.

      1. seven of five

        Re: "Khatilov, also known as Sabhir Khatilov and Alex Tilov, "

        Same goes for someone from Finland working in France, no need to go all the way to Asia. Called him (on his request) Ari, until we saw him drive. From then on, he was "Sisu" :) Liked that even better.

    2. Phones Sheridan Silver badge

      Re: "Khatilov, also known as Sabhir Khatilov and Alex Tilov, "

      When I went working in Singapore, I was surprised how many locals had eastern sounding names like Dave, Jack, Kevin and Bob. Turns out most people in business there carry around 2 business cards, one for use when dealing with other locals with their given name, and one to give to people who speak English with a name they opted for at the start of their careers to make it easier to develop relationships with English speakers. It turns out we are more likely to interact with people who have familiar names.

      It's also very popular in China and India too.

      1. fajensen

        Re: "Khatilov, also known as Sabhir Khatilov and Alex Tilov, "

        I used to work with a Chinese called “Win Forever”.

        1. Adrastus

          Re: "Khatilov, also known as Sabhir Khatilov and Alex Tilov, "

          In London in the seventies I was acquainted with a guy from Japan who was very scathing about the frequency with which other East Asians (not those from Japan) adopted English names. He thought it showed a lack of national pride: I thought it a response to the monoculturalism in the Anglosphere. I can understand Sabhir Khatilov choosing Alex Tilov and I don't think it necessarily indicates criminal intent, though on the evidence it may.

          I have a Greek mate whose Christian name is Athanasios. His American school teacher said "that is obscure" (a saint's name recognized by both the Latin and Greek communions) "I'm going to call you Danny."

          My daughter knows (or knows of) a Scottish girl who makes a living from a website that, for a fee, will advise Chinese people on a suitable English name. They send a photo or a description of how they see themselves and she suggests a name along with information about what it means or how people see it. I can't imagine what narrative she gives but she makes money.

  15. Anonymous Coward
    FAIL

    Secure?

    Within three days, he began stealing thousands of highly confidential software files from Tesla’s secure internal network.

    Of course it was secure and no doubt it will turn out to be a very advanced, sophisticated hack /s

  16. Pascal Monett Silver badge

    "the software somehow started backing up those files"

    Um, no. Dropbox does not scour your disk to find stuff to upload.

    It uploads what you put in its folder, nothing else.

    That is a very lame excuse, on top of whatever excuse the guy with three names had to install Dropbox in the first place.

    And three names ? How many mafias are you a part of ?

    1. Boothy

      Re: "the software somehow started backing up those files"

      Dropbox will also sync Desktop, Documents and Downloads if you set that option up, not just the 'Dropbox' folder.

      1. hoola Silver badge

        Re: "the software somehow started backing up those files"

        Looking at what happened on a friend's Apple computer, Dropbox appears to have a default configuration. They needed to use Dropbox to download files provided by a teaching centre they were contracted to for a few days a week. They installed Dropbox and the next thing it had uploaded loads of photos and documents, no obvious user interaction. Now in this instance with Tesla this was a techy taken on to do techy stuff. At the most basic level the guy was an idiot if this was accidental and completely naïve if this was deliberate and he thought he could get away with it. If he was new and had no idea of the working protocols he should have asked, but in these days of home working it can be challenging to get responses from upstream management. I feel there are significant failings on both sides but particularly on the part of Tesla as an employer.

      2. Pascal Monett Silver badge

        Re: "if you set that option"

        IF being the operative word.

        It is not set by default AFAIK.

  17. WONKY KLERKY
    Linux

    HE'S NOT A THIEF, HE'S JUST A VERY NAUGHTY BOY!

    Wonky Klerky

    pp.

    BiG M.
