<!–> KanawatTH/Getty Images Ubuntu is one of the most user-friendly Linux distributions on the market. It’s also one of the most widely used open-source operating systems (OS). And given that Linux is often considered the most secure operating system available, it’s a bit baffling why the OS doesn’t default to enabling the firewall, and include […] More

Tesla is suing a former member of staff for allegedly stealing confidential information and attempting to cover his tracks in the aftermath. 

The lawsuit, filed in the US Northern District of California Court, names Alex Khatilov as the alleged perpetrator, a Quality Assurance software engineer. 
According to Tesla’s complaint, only three days after being hired on December 28, 2020, Khatilov “brazenly stole” thousands of files from the automaker’s WARP Drive backend system, as reported by CNBC. 
The software engineer allegedly stole “scripts” of proprietary software code, related to areas including vehicle development and manufacturing, before transferring them to a personal Dropbox account. 
“Only a select few Tesla employees even have access to these files; and as a member of that group, Defendant took advantage of that access to downloaded files unrelated to his job,” the complaint reads. 
The complaint says that the apparent theft was detected on January 6, 2021. Tesla investigators then interviewed Khatilov, who allegedly said that only a “couple [of] personal administrative documents” had been transferred. 
“After being prompted, he gave Tesla investigators access to view his Dropbox account, where they discovered Defendant’s claims were outright lies,” Tesla alleges. “[…] Defendant then claimed he somehow “forgot” about the thousands of other files he stole (almost certainly another lie).”

Tesla has also accused the engineer of attempting to cover his tracks by “hurriedly deleting the Dropbox client and other files during the beginning of the interview,” leaving the company to wonder whether or not other confidential data may have been stolen, noting that Tesla has “no way to know” if any further leaks or transfers to third-parties have occurred. 
A jury trial has been requested. Tesla is claiming breach of contract and the theft of trade secrets. 
“Access to the scripts would enable engineers at other companies to reverse engineer Tesla’s automated processes to create a similar automated system in a fraction of the time and with a fraction of the expense it took Tesla to build it,” Tesla says. “The scripts also would inform competitors of which systems Tesla believes are important and valuable to automate and how to automate them — providing a roadmap to copy Tesla’s innovation.”
Speaking to the New York Post, Khatilov claims the issue is a misunderstanding, with files “unintentionally” moved into Dropbox. Khatilov added that he was unaware of the lawsuit until contacted by the publication.
In 2018, Tesla sued process technician Martin Tripp for leading “gigabytes” of data to outsiders, including “dozens of confidential photographs and a video of Tesla’s manufacturing systems.” For the past two years, Tripp and Tesla have been involved in the legal dispute, ending only when a settlement was recently agreed upon in which the former employee will pay Tesla $400,000.
Last year, Tesla launched a lawsuit against a former employee for allegedly sabotaging operations at the company’s Fremont, California plant. 
In other news concerning Tesla’s CEO Elon Musk this month, the entrepreneur said last week that he intends to contribute $100 million to a prize fund for viable carbon capture projects to combat global warming. 
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Australia’s Communications Access Coordinator (CAC) is concerned by the level of understanding within the nation’s telcos about the risk that network virtualisation can introduce.
The CAC role was created under Australia’s Telecommunications Sector Security Reforms (TSSR) and is charged with assessing whether changes made by telcos to their networks expose them to unauthorised access or interference, and if that is the case, it issues recommendations for changes.
In the Telecommunications Sector Security Reforms — Report for 2019-20 tabled in Parliament on Tuesday, a number of Australian telcos notified the CAC that they were automating their network configurations.
“These changes featured high levels of technical complexity and equally complex supply chains. In several instances the CAC had concerns about the notifying carrier’s understanding and appreciation of the risks presented by the proposed change, particularly the risks associated with complex multi-vendor/subcontractor, multi-jurisdiction supply chains,” the report said.
“The CAC also had concerns in several instances with carriers misunderstanding the level of exposure they had in proposing to outsource or ‘hybridise’ their infrastructure environment.
“In each of these instances during the reporting period the CAC informed the relevant carriers of the concerns and suggested measures that they could implement to ensure they could continue to comply with their security obligation while proceeding with the change.”
The report also said the CAC received multiple notices of a carrier proposing to use a managed service provider, where the CAC thought the carrier would lose its ability to “maintain competent supervision of, and effective control over, telecommunications networks and facilities owned or operated by the carrier”.
The CAC was concerned by the lack of supervision over the provider’s activities, the lack of consideration over the location from where the provider would be serving the telco out of, and “limited assurance” the carrier had “effective control” over the network or facilities being provided. In these instances, the CAC recommended changes.
Over the course of the year to June 30, the CAC responded with 24 “some risk” notices to telcos, 6 “no risk” notices, and had two notices outstanding. The Minister for Home Affairs did not issue any directions over the year.
The TSSR laws were used in 2018 to ban Huawei and ZTE from Australia’s 5G networks.
“The Department [of Home Affairs] has continued to work closely with telecommunications operators to ensure they understand their TSSR obligations with respect to deploying and operating 5G networks and services,” the report said.
“The department has also worked with non-5G mobile network operators to understand and manage the potential sustainment risks associated with the United States’ export restrictions affecting certain telecommunications infrastructure vendors.”
The report said CAC would be able to respond quicker if telcos provided sufficient information.
The TSSR was passed by Parliament in September 2017, after the Parliamentary Joint Committee on Intelligence and Security recommended a number of changes, including an annual reporting mechanism to Parliament.
Also tabled on Tuesday was a report on the operation of the Critical Infrastructure Act for the year to June 30.
Passed in March 2018, the Act created a register of critical infrastructure assets which included asset ownership, access, and control.
Over the year, the nation’s electricity, water, gas, and port sectors reported 118 notifications to Home Affairs, which consisted of 109 changes, and nine new additions to the register.
None of the ministerial directions, information gathering powers, enforcement powers, nor any private declarations were issued.
The recent 2020 Cyber Security Strategy said the federal government was looking to impose an enforceable “positive security obligation” on designated critical infrastructure operators through amendments to the Act.
Related Coverage More

“There ain’t no such thing as a free lunch.” That phrase has actually been around since the days of Old West saloons. If you bought a drink, the saloon would provide you with a free lunch. There was a catch, of course. The lunches were so salty that patrons wound up buying more and more drinks, to slake their thirst. ZDNET Recommends If you think you’re getting something for free, there’s always a catch. This also applies to VPN services. But instead of paying for a few extra drinks, free VPN services could end up putting your personal privacy at risk. At the very least, free VPNs often have such strong limitations that even when they are offered by a reputable company, they aren’t very useful. A good rule of thumb is to be wary of any free service and only consider free VPNs offered by companies with strong privacy policies and a good track record. A VPN provider may offer a limited version of its service for free as a way to generate business for its paid product. In a pinch, this type of free VPN could be useful for a one-off trip, but you’re not going to have access to many features and free VPNs typically aren’t good for heavy-duty use, such as file sharing or streaming. More

Vendors offering two categories of cybersecurity services in Singapore now must apply for a licence to continue providing such services. They have up to six months to do so or will have to cease the provision of such services, if they do not wish to face the possibility of a jail term or fine.Specifically, companies that provide penetration testing as well as managed security operations centre (SOC) monitoring services will need a licence to offer these services in Singapore. These include companies and individuals directly engaged in such services, third-party vendors that support these companies, and resellers of the licensable cybersecurity services, according to Cyber Security Authority (CSA) Singapore. The industry regulator said the licensing framework, effective from April 11, was parked under the country’s Cybersecurity Act and aimed to better protect consumers’ interests. It also served to improve service providers’ standards and standing over time.

CSA added that the two service categories were prioritised to kickstart the licensing regime because providers of these services had significant access into their customers’ ICT systems and sensitive data. Should such access be abused, the client’s operations could be disrupted, the regulator noted. It added that because these services were widely available and adopted, they also had the potential to cause significant impact on the wider cybersecurity landscape. Existing vendors currently engaged in the provision of either or both service categories had up to October 11, 2022, to apply for a licence. Those that failed to do so on time would have to stop providing the service until a licence was obtained. Services providers that submitted their application for a licence within six months would be permitted to continue delivering the licensable service until a decision on the application was made. Any person who provided the licensable services without a licence after October 11, 2022, would face a fine not exceeding SG$50,000 ($36,673) or a jail term of up to two years, or both. Individuals would have to pay SG$500 for their licence, while businesses would have to fork out SG$1,000. Each licence would be valid for two years. CSA said there would be a one-time 50% fee waiver for applications submitted within the first year, before April 11, 2023. A Cybersecurity Services Regulation Office had been set up to administer the licensing framework and facilitate communications between the industry and wider public on all licensing-related issues. Its responsibilities include enforcing and managing licensing processes and sharing resources on licensable cybersecurity services with the public, such as providing the list of licensees.Commenting on other cybersecurity services that might be licensable in future, CSA said it would “continue to monitor international and industry trends” as well as engage the industry, where necessary, to assess if new service categories should be included.The launch of the licensing framework comes after a four-week consultation period that ended last October. CSA said it received 29 responses from both local and international market players as well as industry associations and members of the public. One such feedback pertained to information required, upon request, to facilitate the regulator’s investigations into matters such as breaches by licensees or related to the licensee’s continued eligibility. There were suggestions that the language of the proposed licence conditions be tightened, so requests were not overly generic, and for there to be more clarity on the types of information that might be requested.CSA said it had revised the language of the licence conditions to reduce uncertainty for licensees and that requests for such information would be limited to what was necessary for the purpose of the investigation. RELATED COVERAGE More