72 comments

[ 5.0 ms ] story [ 110 ms ] thread
[stub for offtopicness]
Can we get a little link below the title that opens links up in a non pay walled link? You can't even read the first sentence of this article.
These paywall things are such a bane... I do have a registration at Bloomberg from work, but I get logged out of the website so frequently that it's basically faster to read from a paywall bypass. This is absurd.
How does a paywalled article jump to the top so quickly?

edit: it appears that paywall articles are ok per dang, apologies for the noise

(comment deleted)
You can get his newsletter for free via email, which everyone should do.
...assumes that people's complaint with paywalls is about paying money, and does not answer the question.
Quite. He’s the best writer in his field, and one of the best commentators on any topic full stop.
Bloomberg and Matt Levine together help with antigravity.
Has anyone else the problem that they get endless captchas and no way to use archive.ph? Or maybe knows a solution.

Edit: This is on Firefox and with uBlock Origin only. It works with the same setup in my VM however.

Edit2: Changing DNS (to NextDNS in my case) worked.

Don't use 1.1.1.1 from Cloudflare, disable the Cloudflare resolver in Firefox, or turn off Private Relay on Apple+/iOS. Those are the usual suspects.
Huh, that was it. Changing to NextDNS already works. That's a weird one. Thank you for your suggestion!
Archive.is and Cloudflare have a long-standing feud over EDNS Client Subnet support. Archive.is refuses to serve Cloudflare DNS users and Cloudflare refuses to work around it.
Yes... this has been a problem for a while now for a lot of people.
I have that problem but it probably some something to do with some combination of browser addons I have installed. When I launch the link in a Private Firefox window they seem to work.
Weirdly, this only happens for me in Chrome despite using the same extensions there that I use in Firefox. I initially fixed the problem in both browsers by switching my DNS provider from Cloudflare to Quad9 (which also noticeably improved network performance more than I'd ever expect a change in DNS provider to do so), but then the problem returned in Chrome, and since Firefox is my daily driver, I haven't bothered to figure out why just yet.

Originally, it had something to do with how Archive.today handles Cloudflare's EDNS configuration. Now, though, it appears that it might be caused by something else.

See: https://en.wikipedia.org/wiki/Archive.today#Cloudflare_DNS_a...

(comment deleted)
That's just one more vector for targeted spam and illicit data collection. I prefer to keep my exposure to a minimum.
Assuming you’re interested enough in the content to actually care about subscribing, using single-purpose email aliases is the best way to handle these two problems. For the rare thing I want to subscribe to, I have a unique email and tuned subscription preferences. I can turn off the email if I’m done with the content and not worry about trying to figure out how to cancel the sub.
How do you generate so many email addresses? Host your own domain?
Yes, in my case, but also fastmail includes unlimited @fastmail.com email addresses, delivered to your normal inbox, and can even be generated on the fly by password managers like Bitwarden.
(comment deleted)
I used to do this, but it started causing a lot of problems when I needed to talk to customer support, especially the surprisingly numerous companies which still store email addresses as an immutable record of account identity.
> Do you think … do you think the ransomware collective’s lawyers wrote that? Do you think they hired a former SEC enforcement lawyer to do their whistleblower submissions?

My bet is: a machine wrote that. A lot of the hackers out there are not native English speakers, and they don’t speak legalese. They fed the raw facts to an LLM and this is what came out through the other end.

Passing text through a popular llm might throw off stylometry, too
And then they subpoena OpenAI to get info about who produced that text using ChatGPT :p
Tried to ask GPT4 to make a complaint - it produced a decent one but much more longwinded and repetitive. Maybe with some different prompting it could produce the same as in the article, but one thing is clear that it's a possibility - the complaint that GPT4 produces is pretty coherent.
Interesting. At least against public companies, this could be a viable alternative for reporting serious issues that aren't taken seriously in said companies' vulnerability disclosure programs. ("Hey, E Corp clearly knew about this risk")

It might also result in a ton of spam to the SEC and maybe drive companies to close their VDPs if opportunistic bounty kiddies clog the programs with SEC threats over their clickjacking submission.

Interesting indeed. If only for the resulting detritus, at least until any of this ends up in the courts.

No, that's not an alternative avenue for reporting serious issues, because that only applies to "material breaches" (i.e. the vulnerability was not only exploitable but actually exploited, and the attack did damage, and the damage is so large that it makes a difference to the financials of the company) so someone has to commit a bunch of felonies before the issue becomes reportable to SEC, and reporting it is not a magic get-out-of-jail-free card.

And if some script kiddie in a VDP says "pay me or I'll actually exploit the vulnerability so that it'll be a material breach", well, just sending that message is attempted extortion right there, threatening to commit a felony.

(comment deleted)
The Rivian portion is interesting because it seems like there's an implied failure mode not being acknowledged, where Rivian pretends to work, absorbs lots of money, then says "through some mysterious circumstances we have failed!".

I'd have to read the full bond document, yet it seems like until its all over (and I guess everybody agrees it all equaled out), there's still $15 billion of municipal bonds outstanding. What happens if Rivian belly flops again? Last I saw they couldn't sell a truck for $100,000 without losing money.

Also, how do I do this with my property taxes, so the area and I agree I don't pay property taxes? Guess its an exploit only for a certain caste.

Also, also, thank you @super_linear for the link.

It's up to 15 billion, and they are only issued in tranches when Rivian pays the money to the government entity. It's a tax break, but the state takes no credit risk.
> Last I saw they couldn't sell a truck for $100,000 without losing money.

Is there a term for this kind of short term low-correlation thinking?

I’ve seen it with both Amazon and Tesla, now hearing it again with Rivian. It’s like a certain portion of the population is utterly incapable of ingesting a wide variety of information and then contextualizing it.

Instead of insulting people, give the context
the context is the company isn't profitable in its current form and somehow there is a secret trick that nobody except this guy knows which will reverse that, perhaps in the near future, or perhaps decades from now
All the necessary context for anyone capable of figuring it out is in the OP.

If you need more than that, you can stay poor with the rest of the people leaving comments as idiotic as the one I replied to.

Honestly, not sure if you're trying to insult me or insult Rivian.

The general behavior so common there's an entire joke circling HN about "What's our pivot strategy"

"We pivot into pretending to work while absorbing large sums of cash. Then we bail and do it again while the market rewards our confidence."

Like the author said. "Love it!"

It's correlating on a really common strategy. "Through mysterious circumstances, we have somehow negotiated incredibly horrible supply deals. We now go out of business and run away with your money."

This seems to be missing the whole mens rea element on multiple fronts. To commit fraud requires intent.

First, it's silly to expect a company to be making public disclosures before it has its ducks in a row and can explain precisely what happened with a reasonable degree of accuracy.

Second, the idea that the act of being hacked is prima facie evidence of prior securities fraud is absurd. Assuming that a company took good-faith efforts to secure its systems, it wasn't lying (see mens rea above) when it said things like "we use strong passwords." I'm sure there's a point of gross incompetence or negligence that could get the company in hot water, but barring that, sometimes you just lose. Sometimes the robber picks your house and sometimes the hacker picks your company.

The actual issue at (this) hand is the lack of reporting the breach, and the rule is not that you have to disclose "once you have your ducks in a row." You have to disclose soon after determining that it's material. Still a little squishy, but not quite as squishy as ducks.
The challenge I guess is determining what is considered material.

Companies find it challenging enough in complex breaches whether a breach has actually occurred within a short period of time. Let alone identify that a breach has occurred AND it was also material.

Well usually ransomware attacks make you pretty aware of the severity in very obvious ways, per the "ransom" part.
When it comes down to brass tax, companies will pull any lever they can they avoid negligence when it comes to penalties. If there is any ambiguity on what is considered Material, they're going to try that.

Furthermore, if you have identified a breach in your systems, you may not have even received a ransom notice at that point.

Materiality in other aspects in relation to SEC reporting has a definition, because there needs to be a consistent understanding of where to draw the line.

Not disclosing when you have an obligation to disclose is sufficient to establish intent. Businesses disclose all sorts of obscure risks because of this in their SEC filings: earthquakes, health risks, pirate attacks (real ones), terrorism, etc.

Disclosures are simply required when some criteria are met. "Having your ducks in a row" or "being able to explain what happened" is not what determines whether a public disclosure is required. If a failure to disclose results in shareholders losing money they will sue and the business will have a bad time.

Subsequently, disclosing the wrong thing due to trying to meet the timeframes, where it might look like a breach but isn't can result in shareholders losing money.
"Everything is securities fraud" is a running gag at Money Stuff, which has for years now collected actual cases of shareholders suing companies for securities fraud for all sorts of increasingly wacky reasons. And yes, many of these claim with a straight face that it's "fraud" if a company knew about a risk (like getting hacked), didn't warn shareholders about it, and then they get hacked.
> It has come to our attention that MeridianLink, in light of a significant breach...

SEC whistleblower information has to be original, which I presume means you have to have direct knowledge of infractions, rather than just claiming someone told you about them. So in this case a drawback of the hacker's plan would seem to be that they'd have to cop to the crime in order to be eligible for an award.

> SEC whistleblower information has to be original, which I presume means you have to have direct knowledge of infractions, rather than just claiming someone told you about them.

I think of it like walking outside and accidentally encountering a physical briefcase containing documents that could be used for whistleblowing. SEC would still honor the award for that person, right?

I am not an expert on this, so it was a genuine question, not rhetorical. I always assumed that the “original” part was mostly referring to “no, we are not giving you the award because you are the 50th person to blow the whistle on this”, and “direct knowledge” was referring to “you actually gotta have some proof of wrongdoing happening and not just try to gather an award from SEC because your dad working at Nintendo told you so.” So my guess was that documents obtained through a hack would not be an issue for SEC, as long as you were the original reporter (aka no one had reported this before you) and the documents actually provide some evidence of the wrongdoing that is more substantial than just hearsay.

> walking outside and accidentally encountering a physical briefcase containing documents that could be used for whistleblowing. SEC would still honor the award for that person, right?

Maybe not. I doubt those materials would be admissible in court. (They might support a search warrant.)

> I doubt those materials would be admissible in court.

As long as legitimacy of those documents is confirmed in court, why would they be inadmissible? From my perspective on admissibility, I don’t see much of a difference between the whistleblower scenario and a random person walking on the street, noticing something that could be a crime evidence (e.g., a blood trail), reporting it to the relevant authorities, and then that blood trail being used as a piece of evidence in court.

What about the FBI most wanted list, where they promise monetary awards for tips that could lead to the person on the poster? Because if passerby’s just randomly encountering helpful info like that aren’t qualified for the awards, the bar becomes almost impossible to satisfy, unless you are directly involved with people you are providing info on (which eliminates a massive group of whistleblowers that are third-party witnesses)

> As long as legitimacy of those documents is confirmed in court, why would they be inadmissible?

In the process of confirming legitimacy, you'll get the originals. Random stuff found on a street could be a fictitious creation or misconstrued.

If you saw who dropped off the briefcase, that might count as observation. I would see the SEC having a hard time not counting that as "original information."

> What about the FBI most wanted list, where they promise monetary awards for tips that could lead to the person on the poster?

Tips versus "information," from what I understand. That said, it's very much an open book [1].

[1] https://www.whistleblowers.org/faq/sec-whistleblower-dodd-fr...

> Tips versus "information"

Is there an actual distinction between those two terms in this context? I strongly doubt it, given that the official SEC page for whistleblowing uses "tips" and "information" fully interchangeably. For example, here is a quote[0] from a section at the top with instructions:

>> Submit a Tip

>>To qualify for an award under the Whistleblower Program, you must submit information regarding possible securities law violations to the Commission in one of the following two ways:

>> (1) By submitting a tip electronically through the SEC’s Tips, Complaints and Referrals Portal by clicking the button below.

>> (2) By mailing or faxing a Form TCR to:[...]

0. https://www.sec.gov/whistleblower/submit-a-tip

> You might not care: If you did an illegal bad thing to the company (like hacking), also doing insider trading might not bother you. Still it adds some risk. My Fifth Law of Insider Trading is “don’t insider trade by planting bombs at a company and buying put options on its stock.”

It's worth clicking that link: someone did exactly this a few years ago - planted bombs on the route of the team coach of German soccer club BVB and placed buy orders for derivatives, through which his identity was discovered after a hint from a stock trader who also was a BVB fan [1]. The perp ended up with 14 years in prison.

[1] https://de.wikipedia.org/wiki/Anschlag_auf_den_Mannschaftsbu...

Its like a securities fraud race condition. I wonder how many of those there are in the legal system.