Date: 2021-07-13
Musk clashes again with opposing lawyer in SolarCity lawsuit
WILMINGTON, Del. | Testifying for a second day, CEO Elon Musk pushed back again Tuesday against a lawsuit that blames him for engineering Tesla's 2016 acquisition of a financially precarious company called SolarCity that was marred by conflicts of interest and never generated the profits Musk insisted it would.
And for a second day, a pugnacious Musk sparred with Randall Baron, the plaintiffs' attorney who has been grilling him about his role in orchestrating the SolarCity deal.
"Your questions," the billionaire CEO complained from the witness stand, "are so deceptive."
Witness and lawyer clashed down to the meaning of the word "cabal," which Baron invoked to characterize the Tesla team that was updating Musk daily in July 2016 on the progress toward a SolarCity deal. When Musk objected that "cabal" sounded sinister, Baron countered that it typically meant a group of people working together toward a common purpose.
"Usually not in a good way," Musk muttered.
Rejecting any notion that he pressed Tesla's board to pursue a takeover of SolarCity, Musk, who is well-known for his commanding management style, insisted he had "no material role" in Tesla's board discussions about the deal.
Under questioning by Baron, Musk acknowledged that he had recommended an acquisition price of $28.50 a share. But he said this figure merely reflected what he called a standard practice of offering a 30% premium on a target company's average stock price over the previous four weeks.
The board ultimately decided to offer $26.50 to $28.50 a share. Musk observed that his suggestion was "discarded by the board in favor of a lower price" and quipped, "They don't listen to me, obviously."
The long-running shareholder lawsuit asserts that Musk, who was SolarCity's largest stakeholder and its chairman, and other Tesla directors breached their fiduciary duties in bowing to Musk's wishes and agreeing to buy the company. In what the plaintiffs call a clear conflict of interest, SolarCity had been founded by Musk and two of his cousins, Lyndon and Peter Rive.
Baron has sought to establish that Musk wanted to run Tesla without interference and therefore bears responsibility for any failures. When he asserted that Musk had expressed excessive optimism over SolarCity's prospects before the acquisition, the CEO countered that he was a natural optimist. Otherwise, he said, he never would have risked establishing both an electric-car manufacturer and a rocket company, SpaceX.
In defending the SolarCity acquisition, Musk argued that cash flow from the company's previous solar installations alone justified the decision.
"This was a no-brainer," he insisted.
The trial, which began Monday, marks the culmination of seven shareholder lawsuits, consolidated into one, that alleged that Tesla directors breached their fiduciary duties in bowing to Musk's wishes and agreeing to buy SolarCity. Last August, a judge approved a $60 million settlement that resolved claims made against all the directors on Tesla's board except Musk without any admission of fault.
That left Musk, who refused to settle, as the sole remaining defendant. The trial is expected to last about two weeks, after which the Delaware chancery court judge, Joseph Slights III, will issue a verdict.
Even if the trial ends with Musk having to pay personally for the whole SolarCity deal, $2.5 billion won't much hurt the world's third-wealthiest person. Forbes magazine has estimated that Musk is worth roughly $163 billion.
Firm hacked to spread ransomware had previous security flaws
For 21 years, the software company Kaseya labored in relative obscurity — at least until cybercriminals exploited it in early July for a massive ransomware attack that snarled businesses around the world and escalated U.S.-Russia diplomatic tensions.
But it turns out that the recent hack wasn't the first major cybersecurity problem to hit the Miami-based company and its core product, which IT teams use to remotely monitor and administer workplace computer systems and other devices.
"It feels a little like déjà vu," said Allie Mellen, a security analyst at Forrester Research.
In 2018, for instance, hackers managed to infiltrate Kaseya's remote tool to run a "cryptojacking" operation, which channels the power of afflicted computers to mine cryptocurrency — often without its victims noticing. It was a less harmful breach than the recent ransomware attack, which was impossible to miss since it crippled affected systems until their owners paid up. But it similarly relied on Kaseya's Virtual System Administrator product, or VSA, as a vehicle to get access to the companies that rely on it.
A 2019 ransomware attack also rode into computers through another company's add-on software component to the Kaseya VSA, causing more limited damage than the recent attack. Some experts have tied that earlier assault to some of the same hackers who later formed REvil, the Russian-language syndicate blamed for the latest attack.
And in 2014, Kaseya's own founders sued the company in a dispute over responsibility for a VSA security flaw that allowed hackers to launch a separate cryptocurrency scheme. The court case does not appear to have been previously reported outside of a brief 2015 mention in a technical blog post. At the time, the founders denied responsibility for the vulnerability, calling the company's charges against them a "bogus assertion."
Nearly all of Kaseya's security problems have as their root cause well-understood coding vulnerabilities that should have been addressed earlier, said cybersecurity expert Katie Moussouris, the founder and CEO of Luta Security.
"Kaseya needs to shape up, as does the entire software industry," she said. "This is a failure to incorporate the lessons the bugs were teaching you. Kaseya, like a lot of companies, is failing to learn those lessons."
Many of the attacks relied at least in part on what's known as SQL injection, a technique hackers use to inject malicious code into web queries. It's an old technique that Mellen said has been considered a "solved problem" in the cybersecurity world for a decade.
"It points to a chronic product security issue in Kaseya's software that remains unaddressed seven years later," she said. "When organizations choose to brush over security challenges, the incidents continue, and, as in this case, get worse."
Kaseya has noted that it's long been a target because many of its direct customers are "managed-services providers" that host IT infrastructure for hundreds, if not thousands, of other businesses.
"In the business we're in, and the number of endpoints we manage around the world, as you might expect, we take security extremely seriously," Ronan Kirby, president of the company's European operations, said at a Belgian cybersecurity conference Thursday. "You attack a company, you get into the company. You attack a service provider, you get into all their customers. You get into Kaseya, that's a very different proposition. So obviously we're an attractive target."
Kaseya declined to answer questions from The Associated Press about the previous hacks or the legal dispute involving its founders.
Mark Sutherland and Paul Wong co-founded Kaseya in California in 2000. They had previously worked together on a project protecting the email accounts of U.S. intelligence workers at the National Security Agency, according to an account on the company's website.
But more than a year after selling Kaseya in June 2013, court records show that Sutherland, Wong and two other former top executives sued the company to recoup $5.5 million in stock buybacks they said they were unfairly denied.
At the heart of the dispute was an attack by hackers who used Kaseya's VSA as a conduit to deploy Litecoin mining malware that secretly hijacks a victim computer's power to make money for the hacker by processing cryptocurrency payments.
Kaseya publicly disclosed the attacks in a March 2014 notice to customers. Privately, it was blaming the company's previous leadership for not warning about "serious vulnerabilities" in Kaseya's software. It sought to deprive them of the final $5.5 million of the acquisition price to compensate for the loss of business and damaged reputation.
The founders, in turn, blamed the new leadership for scaling back on coding expertise and eliminating a "hotfix" system for rapidly fixing bugs, according to the lawsuit from Sutherland, Wong, former CEO Gerald Blackie and former Chief Operating Officer Timothy McMullen.
They also argued that the SQL injection technique used by the hackers was highly common and "inherent in any computer code" that uses the SQL programming language.
"Ensuring that each and every piece of database access code is immune to SQL injection is essentially impossible," said their lawsuit. Mellen and Moussouris both rejected that assertion.
"That is a bold statement and provably false," Moussouris said. "It highlights the fact they lacked the security knowledge and sophistication to protect their users."
None of the plaintiffs or their lawyers responded to requests for comment. They agreed to dismiss the case in December 2013, just a month after they filed it. It's not clear how it was settled. Kaseya is privately held.
LinkedIn profiles for Sutherland and Wong list them as retired. Blackie went on to become CEO of another Miami-based provider of remote-control software, Pilixo, where he was joined by McMullen. Pilixo didn't return a request for comment.
New vulnerabilities affecting Kaseya's VSA — including the one exploited by the REvil ransomware gang — were discovered this year by a Dutch cybersecurity research group that says it confidentially warned Kaseya in early April. "In the wrong hands, these vulnerabilities could lead to the compromise of large numbers of computers managed by Kaseya VSA," the Dutch Institute for Vulnerability Disclosure said in a blog post last week explaining the timeline of its actions.
Some of those Kaseya fixed by May, including another SQL injection flaw, but the Dutch group said others were still unpatched when ransomware started hitting hundreds of businesses in early July. Kaseya has said up to 1,500 businesses have been compromised as a result of the attack. Kaseya on Sunday rolled out patches to the vulnerabilities used in the REvil attack.
With Kaseya in the spotlight, a cybersecurity responder assisting clients stricken by the July 2 ransomware attack discovered what he called a glaring Kaseya security omission: a vulnerability in a public-facing customer portal that had been identified in 2015 but left unpatched.
Alex Holden of Hold Security said he notified Kaseya and that the portal was quickly taken down. But the vulnerability troubled him, he said, because it granted unauthenticated users access to a configuration file that is highly protected on Microsoft web servers — one that often contains passwords and can grant access to core functions.
Moussouris said there's a pattern of ransomware syndicates going after easily detectable software flaws.
"It's collective technical debt around the world and the ransomware gangs are technical debt collectors," she said. "They're coming after organizations like Kaseya" and others that haven't invested in better security.
Boeing cuts production on the 787 to address flaw
Boeing will cut production of its large 787 airliner for several weeks after discovering a new structural flaw in some planes that have been built but not delivered to airline customers.
The aircraft maker said Tuesday that it now anticipates that it will deliver less than half of the 787s remaining in its inventory this year. That is a retreat from CEO David Calhoun's statement last month that the company hoped to deliver a majority of the planes, estimated at about 100, in 2021.
A decline in deliveries will hurt Boeing's cash flow because the company gets a large portion of the price of a plane upon delivery.
Shares of Chicago-based Boeing Co. fell more than 4%.
Boeing had been producing five 787s per month. It did not disclose the temporary lower rate.
"We will continue to take the necessary time to ensure Boeing airplanes meet the highest quality prior to delivery," the company said in a prepared statement. "Across the enterprise, our teams remain focused on safety and integrity as we drive stability, first-time quality and productivity in our operations."
The Federal Aviation Administration said the new problem near the nose of some undelivered 787s "poses no immediate threat to flight safety." The FAA said that it will decide later whether any changes are needed to 787s that airlines are already using.
Demand for long-haul planes like the 787 has been hurt by a sharp drop in international travel since the beginning of the pandemic, and the new defect is another setback for Boeing's popular two-aisle plane.
Deliveries of 787s were halted in 2020 and again in May to fix production flaws that left tiny gaps — measured in thousandths of an inch but exceeding the engineering specifications, according to Boeing — where pieces of the carbon-fiber fuselage are joined. Also, the FAA has not yet approved a method for inspecting the planes.
Members of Congress have sought records from Boeing and the FAA about production problems on the 787 and the 737 Max.
The new problem was found on a part called the forward pressure bulkhead, a dome-shaped structure in the nose that keeps the plane's interior pressurized.
Boeing disclosed the latest issue with the 787 as it announced orders and deliveries for June, which were boosted by a huge order from United Airlines.
Boeing reported 219 orders, including United's order of 200 737 Max jets, which are smaller than 787s. That is the highest monthly order total since June 2018. However, orders for 73 planes were canceled, 65 of them by Middle Eastern carrier flydubai.
The company said it delivered 45 planes last month, the highest total since March 2019, when Max jets were grounded worldwide and deliveries were halted after two deadly crashes. The Max resumed flying late last year after Boeing made changes to a flight-control system that played a role in the accidents.
