So the guy stole data and hardware. Instead of leaving immediately for China before it's discovered, he went back to Apple and told them that he's leaving. And not just leaving, but leaving to work for a competitor in the self-driving car industry. If he wanted to raise any more suspicion, he'd need to show up to the exit interview in a ski mask, carrying a crowbar.
And after that, he still stayed in the US for over two months (April 28 - July 7). This simply defies belief.
I don't even mention the fact that he admitted to the Apple security team that he stole stuff. Presumably without any lawyer, since no lawyer would let him admit to anything. Why would he even meet with a security team, if he's not under arrest? Even if he thought he couldn't get caught, surely he knew something was wrong when the security team called him for an interview?
Maybe he thought it's impossible to prove what he did? But the guy is intelligent, he was hired to an important project at Apple. He must know that corporations have security cameras and also can check corporate device usage.
So I'm down to my final two guesses. Either the guy thought he didn't do anything wrong (really? taking confidential documents and hardware??). Or the article heavily distorts the facts.
Does anyone have better explanations?
Edit: just saw the official FBI court filing at the end of the article. The article did not distort anything. I have no words.
The simplest answer to your question is that the guy has absolutely no understanding of how the US legal system works. In China, when you are in any "legal" trouble, whether you actually are at fault or not, if you want to get out of it, all you have to do is "confess". The dude probably thought he could have done the same in the US. This is naivety, but not entirely beyond belief given how backward the Chinese are when it comes to legal matters.
It could be that it simply never occurred to him that he would get caught. When you work somewhere for years you don't think "These security cameras at the entrance could technically be used to track my activity". As the article says, the repositories that he accessed are restricted to THOUSANDS of people. So really the guy was probably right - if he hadn't been a dumbass and said that he was going to work for a Chinese competitor then his boss likely wouldn't have thought to ask questions, and no one would've noticed.
As harsh as this sounds, it's a cultural thing. The Chinese generally don't believe in respecting IP, this is coming from someone who has lived with Chinese for many many years. To them, it's like a shopping basket, you just pick what you like. Unfortunately, for this guy, it seemed like he didn't understand how copyrights work in the US.
Also as a matter of personal experience, I've had a couple of my photographs stolen by popular Chinese newspapers who refused to attribute it to me.
P.S. - I am not commenting on the morality of his action here, I'm simply suggesting the way their culture works is probably a big reason for him getting charged.
> But the guy is intelligent, he was hired to an important project at Apple.
No data, but I believe that you can be extremely bright in a lot of things and dumb as a rock on other very basic things. Maybe arrogance plays a part too.
It's safe to assume that x% of Russian and Chinese employees do talk to, and plan to go back to, the mothership. Must be the greatest ROI for the Chinese, tens of billions of dollars worth of R&D in a hard drive. (Granted it's not the same, since while researching you learn a lot of other things, but presumably the Chinese want those few things that they haven't figured out already.)
Important to note: there were no charges against him for all that time. That means they had a very weak case. They might have been specifically waiting for him to do at least that: just look at how they stress that he "bought a red flag last minute ticket" as if he knew he did something wrong. This also supports the idea that they had no proof of him doing what amounts to criminal industrial espionage (passing data to another company).
Another fact that stands out is that he was arrested minutes before boarding (he had passed the border). If he had been on an exit control list, he would never have been allowed to pass the border. It means he was neither on an exit control list (people on it include convicts on probation, tax debtors, persons against whom a restraining order was issued, i.e. people under investigation for a crime) nor on the on-the-run list of criminals (he would've been detained immediately).
Third, how did the FBI ever know of him buying a ticket? The US is not East Germany, where all ticket sales are wired to the Stasi in real time.
My explanation: they did not have anything qualifying for a charge against him till that "last minute ticket purchase", which added more substance to the allegations of criminal conduct.
This is supported by the fact that he was detained "minutes before boarding." Probably it was only the fact of him passing border control that was visible to the FBI; the moment they saw it, they came with a rushed arrest warrant.
In my opinion, this is just free PR for XMotors. Either they deliberately planned it and this guy has nothing, or they took the chance and hoped to get away with it. Either way it is win-win for them.
> So I'm down to my final two guesses. Either the guy thought he didn't do anything wrong (really? taking confidential documents and hardware??). Or the article heavily distorts the facts.
Probably a bit of both. And also many other facts we don't know. Anyway, only Apple should be blamed, imho. If people's efforts and project momentum are the real added value, then data alone won't be sufficient to steal a technology.
It shows that international cooperation about global-impacting technologies should be the norm, rather than a race to monopolize a market.
From the article, about 2700 employees have access to the specific databases from which the guy pulled sensitive data. That seems like a very large group of people to me.
"[In their investigation] Apple found that just prior to Zhang's departure, his network activity had "increased exponentially" compared to the prior two years he had worked at Apple. He accessed content that included prototypes and prototype requirements..."
Seems like an oversight to find this out post-investigation vs. flagged up front?
E.g. - seems like a basic usage algorithm could flag this stuff, especially across a small <5000 person universe, w/ cost-benefit vs. theft of tens of billions in IP.
Any corporate IT security officers care to comment on this?
This is known as insider threat detection / User Behavior Analytics (UBA). It could also be considered part of Data Loss Prevention (DLP). Insider threats are probably the hardest things to reliably detect on a large corporate network (compared to all of the other types of information threats), especially at a company where most of the employees are very active users of technology. The field is still in its infancy, with lots of cool-looking "AI-driven / ML-powered / buzzword-optimized" products from startups which typically end up generating an absurd amount of anomaly detections per day, usually with a 99.9% false positive rate. Of course I'm generalizing and I imagine some companies have implemented a fairly effective UBA program, but I think they're rare.
It's just trying to find a needle in an extremely large haystack. When you're dealing with technology departments, normal behavior can easily be a modest amount of network traffic for a few days followed by a huge burst of downloads and uploads from/to internal services and databases and cloud storage and any number of things. Suspicious website browsing could be innocuous research and curiosity. That personal USB drive plugged in is probably some developer with a deadline who never got around to requesting a corporate drive and can't wait a few days for it to be approved and needs to physically transfer files ASAP.
It's just not an easy problem. There are probably hundreds of other instances of an Apple employee not looking at any prototype data for months and suddenly poring over tons of it. Maybe they're preparing for a presentation or a new project. Adding lots of red tape and restrictions and wasting time investigating employees who've done nothing wrong (or perhaps who violated policy but with no real bad intent or serious negligence) and telling people they can't do certain things which make their job more efficient takes a huge toll on everyone. It's a necessary evil, but trade-offs always have to be considered. Apple wants their autonomous car program developed as quickly as possible, and the more they restrict access and require lengthy approval processes, the slower things will get done.
And fundamentally, unless you're in a weird situation, probably ~0.1% of your employees are insider threats, and probably ~0.01% are significant insider threats which could actually affect your business. The odds are stacked against you.
Occasionally you'll run across a smoking gun that's easy to detect with basic logic like "email sent to webmail account with no subject and over 6 attachments", but if you're dealing with a smart insider threat - especially one working on behalf of a superpower government's intelligence apparatus - you're not going to find something so blatant. I have sometimes run across things like that, but it's usually something gray like a developer emailing themselves some code so they can continue to work on it at home. The worst thing I've ever found was a salesperson emailing themselves proprietary leads/contact lists shortly before their resignation date. A spy is never going to get caught from such low-hanging fruit detections.
You have to start with the basics: strict policy guidelines, least privilege principle, log everything, a good team of people to investigate anomalies and write up employees who are violating policy, and then finally you can shell out a lot of resources on automated detection and baseline and tune for a long time until you have a manageable number of dashboards and reports and alerts that the team can respond to. Apple will presumably restrict access more carefully after this incident, and implement some new statistical anomaly detection, but insider threats will always be hard to detect.
Dabbling in UBA also made me realize some of the issues faced by agencies like NSA. I'm sure they have strong policies against unauthorized data access (like looking up information about romantic partners), fully intend to enforce them, and have lots of manual and automated detections, but in reality the amount of data and number of daily data accesses is probably way too high to consistently catch bad actors. I think that's one of many strong practical arguments to not let them have easy access to such a big trove of sensitive data, even if you make the assumption they're behaving completely ethically and responsibly.
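The two detection styles discussed above (the "network activity increased exponentially" spike quoted from the article and the blatant webmail rule, plus the presentation-prep false positive), as an added example in Python that is not code from the thread or from any UBA/DLP product; the log records, the webmail domain list and the thresholds are constructed for the illustration.

```python
"""Toy insider-threat baselining over constructed access and mail logs.

Added example, not code from the thread or from any UBA/DLP product. It shows
the two detection styles the comments describe: a blatant rule ("personal
webmail, empty subject, many attachments") and a per-user statistical baseline
that flags a day whose repository reads sit far above that user's own history.
All records, domains and thresholds are constructed for the illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class DailyAccess:
    user: str
    day: int        # day index within the observation window
    repo_hits: int  # restricted-repository reads on that day


@dataclass(frozen=True)
class OutboundMail:
    user: str
    recipient_domain: str
    subject: str
    attachments: int


# Constructed sample: 30 quiet baseline days, then two observed days.
# alice stays flat; bob spikes hard; carol spikes too, but only because she is
# pulling prototype docs for a presentation (the false positive the comment
# warns about). Nothing in the numbers lets the detector tell bob from carol.
ACCESS_LOG = (
    [DailyAccess("alice", d, 3 + d % 3) for d in range(30)]
    + [DailyAccess("alice", 30, 4), DailyAccess("alice", 31, 5)]
    + [DailyAccess("bob", d, 2 + d % 2) for d in range(30)]
    + [DailyAccess("bob", 30, 48), DailyAccess("bob", 31, 61)]
    + [DailyAccess("carol", d, 1 + d % 2) for d in range(30)]
    + [DailyAccess("carol", 30, 35), DailyAccess("carol", 31, 2)]
)

MAIL_LOG = [
    OutboundMail("alice", "corp.example", "Q3 slides", 2),
    OutboundMail("bob", "webmail.example", "", 9),
    OutboundMail("carol", "webmail.example", "Reading list", 1),
]

# Assumed set of personal-mail providers; a real deployment maintains its own.
WEBMAIL_DOMAINS = {"webmail.example"}


def smoking_gun_mail(log, max_attachments=6):
    """The blatant rule: personal webmail, no subject, more than N attachments."""
    return [m for m in log
            if m.recipient_domain in WEBMAIL_DOMAINS
            and not m.subject.strip()
            and m.attachments > max_attachments]


def baseline_anomalies(log, baseline_days=30, z_threshold=3.0, min_hits=20):
    """Return (user, day, hits, z) for days far above the user's own baseline.

    Each day after the baseline window is z-scored against the user's mean and
    standard deviation over the first `baseline_days` days. `min_hits` is the
    tuning knob: a jump from 1 to 4 reads is statistically large but
    operationally noise, and dropping it keeps the alert count manageable.
    """
    by_user = defaultdict(list)
    for rec in log:
        by_user[rec.user].append(rec)
    alerts = []
    for user, recs in by_user.items():
        base = [r.repo_hits for r in recs if r.day < baseline_days]
        if len(base) < 2:
            continue  # not enough history to build a baseline for this user
        mu, sigma = mean(base), max(pstdev(base), 1.0)  # floor: flat baselines
        for r in sorted(recs, key=lambda r: r.day):
            if r.day < baseline_days:
                continue
            z = (r.repo_hits - mu) / sigma
            if z >= z_threshold and r.repo_hits >= min_hits:
                alerts.append((user, r.day, r.repo_hits, round(z, 1)))
    return alerts
```

Running `baseline_anomalies(ACCESS_LOG)` flags bob on both observed days and carol on day 30; only an analyst can separate the two, which is the triage cost the comment describes.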
The comments from Apple indicate that what they're really concerned about is disclosure to the media, not someone copying their self-driving technology, such as it is. Apple put 5000 people on this project and failed. What they don't need is an insider writing an "Apple's Biggest Failure" book. I wonder if we'll ever see a technical post-mortem on this.
Btw, one of the best sensor suites around (except for Google, who seem to have reached a kind of optimization stage where they started to remove the "extra" sensors). And Apple has the highest number of self-driving permits in CA if I remember correctly. Though I don't see them in the "disengagement reports" (https://www.dmv.ca.gov/portal/dmv/detail/vr/autonomous/disen... - interesting reading, Google's average human driver reaction time was 0.91s).
Apple decided it didn't make sense to work on building a car when the software to control such a car isn't close to being there, and moved their focus to software.
Failed in what sense? The project is on, they reduced headcount. Maybe they don't need the same number of people they initially needed, or they changed the goal of the project. I would hardly call it failed. Other companies have been working longer with a bigger team without a self-driving product to show for it.
The fact that he just plainly admitted to the FBI that he did it seems like he was doing it for selfish reasons and had no idea the kind of consequences he could run into.
>Zhang was interviewed by the FBI in late June, where he admitted to stealing the information, and he was later arrested attempting to leave to China on July 7.
I guess he assumed he was going to get away with it but why wouldn't you just skedaddle ASAP when you moved the data and / or hardware?
Granted he seems more like a flunky for someone rather than a super criminal as he talked to the FBI...and admitted it.
There needs to be a verb for this. I suggest "levandowski".
Ex: "Former Apple employee levandowskies his way into a Chinese startup"
levandowski - verb, referring to the stealing of trade secrets from a self-driving car project with the intention of bringing said secrets to a competitor, especially if one is caught.
Didn't most of the people involved with this project leave and go to work for Tesla, Lyft, Uber, Waymo and NIO anyway? In that case, one can imagine the bleeding of IP that went away with all this exodus of knowledge.
I want to work for a world with free flow of information, where individuals should not be responsible alone for the mistakes of a multi-billion organization. If any company can do it better than Apple somewhere in the world, then let them build on what Apple developed. The culture of open source should spread at all levels of research & engineering, in all fields.
Cost of information transmission and movements of people will continue to decrease.
We should respect individuals' rights to privacy, but disregard organization-level attempts at secrecy, and aim for transparent organizations all around the world. Such big organizations should not be able to attack individuals without anyone questioning the processes going on inside of them.
In that world neither Apple nor Google would have ever invested even a cent in self-driving technology and almost all major medical advancements would not have come to pass. You don’t invest billions of dollars and have thousands of people working on a project for decades if there is no way of making money on that investment or even recuperating it.
Apple has 5,000 people working on a me too project that will likely never go anywhere while they are unable to ship announced products like AirPower and Mac Pro. Oh and they admitted to a known flaw in the keyboard of their current line of laptops that goes back years. This is frustrating.
>Shortly before Zhang's theft was discovered, Apple sent out a lengthy cautionary memo to employees warning them against leaking data to the media. In the letter, Apple said that in 2017, it caught 29 leakers, with 12 of those individuals being arrested and charged.
Being an Apple employee seems to come with a statistically high risk of being arrested and charged :) And autonomous car projects across the industry remind one of the Klondike.
It strikes me that people concerned with the risk of being charged for committing a crime like this are probably exactly who Apple is trying to deter with this messaging.
For all other employees, it serves as a reminder that this stuff actually happens, to be on the lookout for it, and that Apple will protect the hard work they've done with their full legal might should someone try to do something like this.
melling | 7 years ago
https://www.cnbc.com/2018/07/10/ex-apple-employee-charged-wi...
trhway | 7 years ago
Not sure. These are still driving around their Sunnyvale campus:
https://www.macrumors.com/2017/08/25/apple-new-autonomous-dr...
GeekyBear | 7 years ago
https://web.archive.org/web/20160422140357/https://spectrum....
Does that make Google's program a failure?
8bitsrule | 7 years ago
Doesn't sound like a heavy-duty spy ... else would never have admitted that. Probably a naif.
gowld | 7 years ago
He might have thought that lying (or evading) the FBI is worse than the risk of being convicted for stealing secrets. (It usually is.)
exolymph | 7 years ago
Also just an absurdly small sample of "one news story" and "something I heard secondhand."