SAN FRANCISCO/WASHINGTON (Reuters) – A 20-year-old Florida man was responsible for the large data breach at Uber Technologies Inc last year and was paid by Uber to destroy the data through a so-called “bug bounty” program normally used to identify small code vulnerabilities, three people familiar with the events have told Reuters.
Uber announced on Nov. 21 that the personal data of 57 million passengers and 600,000 drivers were stolen in a breach that occurred in October 2016, and that it paid the hacker $100,000 to destroy the information. But the company did not reveal any information about the hacker or how it paid him the money.
Uber made the payment last year through a program designed to reward security researchers who report flaws in a company’s software, these people said. Uber’s bug bounty service – as such a program is known in the industry – is hosted by a company called HackerOne, which offers its platform to a number of tech companies.
Reuters was unable to establish the identity of the hacker or another person who sources said helped him. Uber spokesman Matt Kallman declined to comment on the matter.
Newly appointed Uber Chief Executive Dara Khosrowshahi fired two of Uber’s top security officials when he announced the breach last month, saying the incident should have been disclosed to regulators at the time it was discovered, about a year before.
It remains unclear who made the final decision to authorize the payment to the hacker and to keep the breach secret, though the sources said then-CEO Travis Kalanick was aware of the breach and bug bounty payment in November of last year.
Kalanick, who stepped down as Uber CEO in June, declined to comment on the matter, according to his spokesman.
A payment of $100,000 through a bug bounty program would be extremely unusual, with one former HackerOne executive saying it would represent an “all-time record.” Security professionals said rewarding a hacker who had stolen data also would be well outside the normal rules of a bounty program, where payments are typically in the $5,000 to $10,000 range.
HackerOne hosts Uber’s bug bounty program but does not manage it, and plays no role in deciding whether payouts are appropriate or how large they should be.
HackerOne CEO Marten Mickos said he could not discuss an individual customer’s programs. “In all cases when a bug bounty award is processed through HackerOne, we receive identifying information of the recipient in the form of an IRS W-9 or W-8BEN form before payment of the award can be made,” he said, referring to U.S. Internal Revenue Service forms.
According to two of the sources, Uber made the payment to confirm the hacker’s identity and have him sign a nondisclosure agreement to deter further wrongdoing. Uber also conducted a forensic analysis of the hacker’s machine to make sure the data had been purged, the sources said.
One source described the hacker as “living with his mom in a small home trying to help pay the bills,” adding that members of Uber’s security team did not want to pursue prosecution of an individual who did not appear to pose a further threat.
The Florida hacker paid a second person for services that involved accessing GitHub, a site widely used by programmers to store their code, to obtain credentials for access to Uber data stored elsewhere, one of the sources said.
GitHub said the attack did not involve a failure of its security systems. “Our recommendation is to never store access tokens, passwords, or other authentication or encryption keys in the code,” that company said in a statement.
‘SHOUT IT FROM THE ROOFTOPS’
Uber received an email last year from an anonymous person demanding money in exchange for user data, and the message was forwarded to the company’s bug bounty team in what was described as Uber’s routine practice for such solicitations, according to three sources familiar with the matter.
Bug bounty programs are designed mainly to give security researchers an incentive to report weaknesses they uncover in a company’s software. But complicated scenarios can emerge when dealing with hackers who obtain information illegally or seek a ransom.
Some companies choose not to report more aggressive intrusions to authorities on the grounds that it can be easier and more effective to negotiate directly with hackers in order to limit any harm to customers.
Uber’s $100,000 payout and silence on the matter at the time was extraordinary under such a program, according to Luta Security founder Katie Moussouris, a former HackerOne executive.
“If it had been a legitimate bug bounty, it would have been ideal for everyone involved to shout it from the rooftops,” Moussouris said.
Uber’s failure to report the breach to regulators, even though it may have felt it had dealt with the problem, was an error, according to people inside and outside the company who spoke to Reuters.
“The creation of a bug bounty program doesn’t allow Uber, their bounty service provider, or any other company the ability to decide that breach notification laws don’t apply to them,” Moussouris said.
Uber fired its chief security officer, Joe Sullivan, and a deputy, attorney Craig Clark, over their roles in the incident.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in a blog post announcing the hack last month.
Clark worked directly for Sullivan but also reported to Uber’s legal and privacy team, according to three people familiar with the arrangement. It is unclear whether Clark informed Uber’s legal department, which typically handled disclosure issues.
Sullivan and Clark did not respond to requests for comment.
In an August interview with Reuters, Sullivan, a former prosecutor and Facebook Inc (FB.O) security chief, said he integrated security engineers and developers at Uber “with our lawyers and our public policy team who know what regulators care about.”
Last week, three more top managers in Uber’s security unit resigned. One of them, physical security chief Jeff Jones, later told others he would have left anyway, sources told Reuters. Another of the three, senior security engineer Prithvi Rai, later agreed to stay in a new role.
Reporting by Joseph Menn in San Francisco and Dustin Volz in Washington; Additional reporting by Heather Somerville and Stephen Nellis in San Francisco; Editing by Jonathan Weber and Bill Rigby
Prior to Tesla (TSLA), I attempted only one short position, and it wasn’t based on any fundamentals. Rather, it was based on a personal dispute with a corporation (seems as though I forgot the Buffett adage that a stock’s feelings aren’t hurt when I short it). Needless to say, I lost money on the bet, albeit less than $100 in an options trade. A year has passed, and I’ve taken on my second and more informed short position, via buying put options against Tesla.
There are three primary reasons I entered into a short position with Tesla, which I’ve outlined below:
- David Einhorn copycat position – Oftentimes I rely on smart value leaning hedge funds for position ideas. Einhorn – founder of Greenlight Capital – wrote one of my favorite investing books on his short position battle with Allied Capital called Fooling Some of the People All of the Time, a Long Short Story. The book details his research style as well as methods of identifying potential short candidates. In “short” (pun intended), Einhorn clearly does his research, and he does it thoroughly. So I feel pretty good riding the coattails of his research and following him into the position. However, the book reminds me that short positions can take years to pay out, as was the case with Allied Capital’s Ponzi scheme.
- The second reason is that the market is generally overvalued right now, according to the Buffett market value indication of Wilshire 5000 total market index to GDP. In this market, I have found it difficult to find conservative value stocks, so I am exploring the short side. In the event of a market downturn, this gives me some exposure to profiting from the correction.
- The last reason is based on my own research of Tesla – I’ve highlighted a few points below:
  - Tesla has managed to pay stock-based compensation to management of $872 million while managing to have negative $10.8 billion in free cash flow since inception (2010), having never once yielded a profit on an annual net income basis (see 10-year financial results).
  - Questionable accounting techniques – like capitalizing IPR&D costs and not listing any allowance for doubtful accounts in 2016 10-K (see page 68 and page 67).
  - Management incentives – the majority of this article will compare the management incentive plans for Tesla and General Motors (GM). As you will see, Tesla management has no direct incentive to earn profits or cash flow, unlike GM.
As of the winter of 2017, David Einhorn has two high-profile auto manufacturer positions: General Motors and Tesla. I will spend some time comparing management base salaries and milestones that trigger bonus incentives from the two companies.
Below is a copy of Tesla’s management and CEO stock option plan in the 2016 10K (page 92 of the PDF):
CEO Stock Option plan 2012:
In August 2012, our Board of Directors granted 5,274,901 stock options to our CEO (the “2012 CEO Grant”)…
Each of the ten vesting tranches requires a combination of one of the ten pre-determined performance milestones and an incremental increase in our market capitalization of $4.0 billion, as compared to the initial market capitalization of $3.2 billion measured at the time of the 2012 CEO Grant.
As of December 31, 2016, the market conditions for seven vesting tranches and the following five performance milestones were achieved and approved by our Board of Directors:
Successful completion of the Model X Alpha Prototype;
Successful completion of the Model X Beta Prototype;
Completion of the first Model X Production Vehicle;
Aggregate vehicle production of 100,000 vehicles; and
Successful completion of the Model 3 Alpha Prototype.
As of December 31, 2016, the following performance milestones were considered probable of achievement:
Successful completion of the Model 3 Beta Prototype;
Completion of the first Model 3 Production Vehicle;
Aggregate vehicle production of 200,000 vehicles; and
Aggregate vehicle production of 300,000 vehicles.
A close reading of the incentives for CEO Elon Musk shows that none of his 5.2 million of stock option grants are based on actual earnings or cash flow generation for the business. Rather, the CEO incentives are based on prototype and production goals, all of which – as Tesla shareholders and analysts have seen – drain cash at an alarming rate. With these types of CEO incentives, it is no wonder that Tesla has raised $4 billion in cash from equity raises and $8.4 billion in cash from debt offerings since 2007. In light of the fact that the company has yet to turn any sort of profit in any fiscal year of existence, I find it shocking that shareholders are not up in arms regarding these management incentives. It seems like Tesla shareholders are swooned by Musk’s refusal to accept his CEO’s salary compensation of $45,760 cash, due to the California law that requires employees be paid minimum wage. I look at this gesture – like Musk’s high-profile vehicle prototype reveals – as a red herring, obscuring the fact that Musk continues to lead an operation that runs on cash from financing activities and not from cash from operations. Indeed, Musk pays himself – via stock options – with equity and debt financing from investors solely from achieving milestones that are financed through shareholder dilution and debt leveraging.
To make matters worse, the 2016 Proxy statement states that Elon Musk’s interests “align” with shareholders because he owns 22% of shares outstanding. That seems to explain why the CEO’s compensation package is indirectly related to shareholder profits since his vote represents nearly a quarter of voting power. For critics of this view, I should point out that Musk is not on the compensation committee of Tesla’s board. Nevertheless, I find it hard to believe that he doesn’t have any weight with the milestones created by the compensation committee when he holds 22% of the stock.
In theory, stock options are generally shareholder-friendly ways for compensation committees to align shareholder and management interests. In Tesla’s case, however, the theory does not align with the practice because Tesla’s achievement milestones that trigger stock options are not profit or cash flow milestones. In truth, Tesla’s compensation milestones are highly capital intensive. The milestones incentivize management to burn cash, which is exactly what management is doing.
By contrast, I compared Tesla’s compensation package to that of General Motors, David Einhorn’s long automotive investment. Below I copied a screenshot from GM’s 2016 proxy statement that outlines the STIP (short-term incentive plan) for GM’s executive team. Admittedly, none of the GM executive management team is so austere as to accept a minimum wage base salary of $45K, like Elon Musk. Nonetheless, I believe the overall GM STIP is far more aligned with shareholder interests than Tesla’s.
The first STIP measure is EBIT – earnings before interest and taxes. This is a levered measure of profitability. The second GM STIP measure is adjusted FCF (free cash flow). As many readers know, free cash flow measures cash flow from operations minus capital expenditures, an important denomination for capital intensive industries like automotive. Many investors consider free cash flow the gold standard of profitability because it is a shareholder consideration of the cash left over in a business after reinvesting in capital projects. The last two measures of the GM executive incentive plan are around global market share and global quality, again both of which align to shareholder interests, albeit not necessarily directly profit related.
There have been many great critical pieces written about Tesla, especially from the Wall Street Journal. Elon Musk publicly attacked journalists and editors that wrote the negative pieces about Tesla in the Q3 earnings call, ultimately attacking their journalistic and personal integrity, calling “shame” upon them. Frankly, I found Elon’s Q3 opening response quite odd, not to mention hypocritical in light of his aforementioned compensation package. Indeed, Elon’s behavior in the Q3 earnings call reminded me of Allied Capital’s management to short sellers in Einhorn’s book Fooling Some People All of the Time.
Looking at the cost benefit of a straight short sale vs. buying put options, I found that the options strategy was more attractive for me. For one, a small and/or individual investor is usually not intending to impact the stock price by selling short. Moreover, I agree with the general proposition from Mohnish Pabrai: “Why take a bet where the best return is 100% and the downside is unlimited?” With buying long-term put options, you can capture downward movement of the stock without knowing exactly when (or if) the stock will move. Furthermore, you are risking less capital through options leverage to potentially make more than 100% of the invested capital. Below is a basic analysis I put together comparing an outright short sale of Tesla versus buying long-term put options (the January 2019 contract):
I purchased the 280 strike price because 280 is around a recent support line for the stock, using technical indicators. I made the purchase in October 2017, when Tesla was trading around $340. As the table above demonstrates, a price of about 240 yields an even return percentage from an outright short sale compared to buying the 280 put options. Thereafter, the put options leverage starts to kick in, and the yield of the options is far more attractive. Additionally, the capital risks with a put option limit the amount of capital you can lose.
In terms of selecting which option contract to buy, I used basic technical analysis. Looking at the chart below, if Tesla falls through the 280 support price, then it has a long way to go down to the next support price (see chart below):
In the spirit of a Pabrai/Buffett style value investor, don’t sell short. However, if you’re going to be a value investor and take short positions, consider buying put options on stocks with the following characteristics: a company with no profits, a leveraged balance sheet, lots of cash burn in a highly capital intensive business, double-digit negative ROIC, and a management with incentives to spend cash (as opposed to making profits). For what it’s worth, that’s how I found myself short Tesla.
Risks of Tesla Short Position
Headline for an article from Electrek: “Elon Musk teases Tesla shorts who lost an estimated $5 billion since the beginning of the year.” – Fred Lambert – June 8, 2017
There are inherent risks being short Tesla. While buying long-term put option contracts limits capital lost to the cost of the premium on the option, there is still a chance it never materializes. As the Fred Lambert headline suggests, many have been short Tesla and lost plenty of money on the trade. As of November 26, 2017, Tesla short percentage of float is 26%, and it has been in that percentage range all year.
In anticipation of the Model 3 ramp, the stock has managed to run up 61% in a year when TTM net income is negative $1.4 billion and TTM FCF is negative $4.8 billion. You just don’t know when bubbles are going to pop, and the past year’s Tesla stock price is evidence to that point. Of course, I could be wrong about Tesla, and it might not be a bubble. The Model 3 ramp could be perfectly successful, and the company could turn a profit whereby the current $315 price is supported by a realistic valuation metric like P/E, EV/EBITDA, DCF, etc. A simple look at Tesla’s financials since IPO shows no evidence that this will happen, but it is a possibility.
Generally, I believe that people are motivated by their incentives. While it certainly is possible that Tesla could switch from a cash burning corporation to one with positive cash flow streams, I would point out what I’ve been saying in this article: Tesla management incentives are not designed for profitability. I would argue that management incentives are designed for high profile showmanship – the likes of which Steve Jobs would be proud of – for expensive and fancy cars that burn shareholders’ cash.
In closing, I would like to point out that eight years after the Apple (NASDAQ:AAPL) IPO, the company made $400 million of net income in 1988 with $545 million in cash and $1 billion of total liabilities on the balance sheet. With all the comparisons between Elon Musk and Steve Jobs, those financials suggest that Steve Jobs ran his company more like GM (post 2009 government bailout) than Tesla.
Disclosure: I am/we are short TSLA.
I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.