My organization Fight for the Future was targeted by the same hacking-for-hire operation while working on net neutrality protections.
It was really interesting because at the time the conclusion of our security consultants was that the attack was just random commercially-motivated prospecting. Then the Citizen Lab Dark Basin report came out years later and it was clear they were after our internal comms, so they could milk a decade of emails for anything that looked bad when taken out of context. Yikes.
After the attack we put a 3 month retention limit on most emails and messages. I recommend this to anyone doing sensitive work! You miss the old emails sometimes but it's worth it.
I think it's possible we'll learn more soon about who hired our hackers, which is exciting! It was almost certainly a major American ISP, or the lobbying umbrella group they created. It's my optimistic read that blowback from this case has already eroded the practice of dirty tricks like these. More lobbyists and companies getting caught would strengthen the effect.
Since I left Fight for the Future I've been working on a Signal alternative that feels more like Slack, for teams facing similar threats. Hopefully something comes of that too!
That's a common response these days and while I empathize, I think it's wrong. The right response IMHO is, essentially, 'fuck them; they can't stop us'.
A Soviet dissident (I don't recall the name atm) advised not talking about your arrest, torture, detention - the horrors, the fear, etc. That's what the oppressors want you to do, to spread fear and intimidation to all the people they didn't arrest; that's half the point of their actions - they don't have the resources to arrest everyone. If you don't talk about it, it's a forgotten moment of one small point in time and space. It's the echoes of it, of people repeating the story, that spread across orders of magnitude more time and space. Don't spread it around and you've disarmed your oppressors.
Also, look at contemporary political movements: The overwhelmingly successful one is barely slowed by attacks, never expresses any fear or intimidation, is always on the offensive. The flailing one is regularly talking about its terror, despair, whether or not there is any hope at all, and quitting.
There's a time and place to talk about your fears - privately, to your trusted confidants (and not to those who depend on you for leadership). Everyone has them; that's fine. Out in public is not the place; that's where you show that you can manage your fears and are resolute, undeterred, unshaken. Think of great leaders - Washington, Lincoln, Churchill, etc. - who ever said 'Yikes'? On social media, we all are leaders.
Nah, the value of having access to 3-month-old e-mails is that they're indexed in gmail, so if someone asks how much we paid for that widget 18 months ago you can get the original quotes in an instant.
Whereas if the data is in a bank vault, you ask the same question and the reply is "IDK, I think it was about $50-100?"
The value in old data isn't just in pulling up a single piece of information like a magician pulls a rabbit out of their hat, it's tremendously useful for looking back and seeing how an organization and its methodology has changed and how that information can be applied to future projects.
It was a pleasure! We lost nominally in the end (except in California and outside the US) but we built enough awareness to give the ISPs a fear that blatant violations would rock the boat and lead to worse outcomes for them, like more state laws or tougher agency rules when Democrats regained power. I do regret not pushing harder for federal legislation though!
On airgapped email archives, yes, the subpoena threat model is real too. That also happened to us because of some other dirty tricks by ISPs in the same campaign! Fake FCC submissions opposing net neutrality were being created with blatantly stolen user data; like, not people being tricked into signing a petition but just straight up identity theft. We documented all of this and pitched some state AGs on looking into it. New York did, which was awesome, but they ended up subpoenaing everyone including us! We were psyched about this overall of course since it was our idea, and they did end up finding out who did it which was awesome (Broadband for America, the umbrella lobbying group for the telcos) but it was a huge amount of work to comply with the subpoena. The retention limits reduced that burden. Another reason to have them!
I would also say that, if you do create an airgapped archive and store it in an appropriately paranoid way, you are likely to never ever bother to dig it out of storage before the SSD melts into uselessness. You'll miss the occasional old email but not enough to go digging for it.
If you really don't need old email, then don't bother, but for the chance that you do need them sometimes, but don't want to store everything in an internet connected place - it would be an option setting up an old laptop for this (maybe with Thunderbird), where you can remove the wifi chip for this air gapped use case. (In most older laptops they are easy to remove and not soldered on.)
Then regularly export all the needed files: either just copy them with a USB stick or, more securely, burn CD-Rs for each data transfer. And it likely helps having an exotic Linux system on the laptop, so a Windows USB worm won't replicate there if you use the pragmatic USB data transfer variant.
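Added example (not part of any comment in this thread): one way to do the periodic export described above, moving mail older than the 3-month limit out of the online mailbox into a file that is carried to the air-gapped laptop. It assumes the mail is stored as mbox files (as Thunderbird can store folders), treats 3 months as 90 days, and uses hypothetical file names; the SHA-256 digest is for checking the copy after the USB or CD-R transfer.

```python
import hashlib
import mailbox
import os
import tempfile
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

RETENTION = timedelta(days=90)  # assumption: "3 months" taken as 90 days


def message_time(msg):
    """Return the Date header as an aware UTC datetime, or None if unusable."""
    raw = msg.get("Date")
    if not raw:
        return None
    try:
        dt = parsedate_to_datetime(raw)
    except (TypeError, ValueError):  # exception type depends on Python version
        return None
    if dt.tzinfo is None:            # a "-0000" zone parses as naive; treat as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def split_mailbox(live_path, archive_path, now=None):
    """Move messages older than RETENTION from live_path to archive_path.

    Messages without a parseable Date stay in the live mailbox and are
    counted, so they can be reviewed by hand instead of silently kept forever.
    Run this with the mail client closed so nothing else rewrites the file.
    """
    cutoff = (now or datetime.now(timezone.utc)) - RETENTION
    live = mailbox.mbox(live_path)
    archive = mailbox.mbox(archive_path)
    moved = undated = 0
    try:
        for key in list(live.keys()):
            msg = live[key]
            when = message_time(msg)
            if when is None:
                undated += 1
            elif when < cutoff:
                archive.add(msg)     # append to the export file first
                live.remove(key)     # then drop from the online mailbox
                moved += 1
        archive.flush()              # archive is on disk before live is rewritten
        live.flush()
    finally:
        archive.close()
        live.close()
    return moved, undated


def sha256_file(path):
    """Digest of the export file, to compare on the air-gapped side."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def demo():
    """Run the split on three constructed messages against a fixed 'now'."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    samples = [  # constructed sample data
        ("Quote for widget", "Mon, 03 Jul 2023 10:00:00 +0000"),  # ~18 months old
        ("Standup notes", "Mon, 16 Dec 2024 09:00:00 +0000"),     # inside the limit
        ("No usable date", "not a date"),                         # unparseable
    ]
    workdir = tempfile.mkdtemp()
    live_path = os.path.join(workdir, "Inbox")                 # hypothetical name
    archive_path = os.path.join(workdir, "archive-export.mbox")  # hypothetical name
    box = mailbox.mbox(live_path)
    for subject, date in samples:
        m = mailbox.mboxMessage()
        m["From"] = "alice@example.org"
        m["Subject"] = subject
        m["Date"] = date
        m.set_payload("constructed sample body\n")
        box.add(m)
    box.close()
    moved, undated = split_mailbox(live_path, archive_path, now=now)
    remaining = [m["Subject"] for m in mailbox.mbox(live_path)]
    archived = [m["Subject"] for m in mailbox.mbox(archive_path)]
    return moved, undated, remaining, archived, sha256_file(archive_path)


if __name__ == "__main__":
    print(demo())
```

The old quote ends up only in the export file, so the "how much did we pay 18 months ago" lookup still works, but only on the offline machine.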
> After the attack we put a 3 month retention limit on most emails and messages. I recommend this to anyone doing sensitive work! You miss the old emails sometimes but it's worth it.
How are pro-delete policies like these impacted by the discovery-process in law? Or even Sarbanes-Oxley?
Great question. IANAL but my understanding is that outside of some specific regulatory requirements in specific industries you're free to put these policies in place as long as you do it before you have any expectation that you're going to be sued.
That's another reason to bite the bullet and put these policies in place now: once you actually have a specific fear of being sued it's maybe too late, because at that point changes to your retention policy could be construed as interfering with the legal process.
You can also have your policy exempt certain categories of documents (like financial records) and that's okay too as long as you're consistent about it.
In particular, it has reporting on the chain back to Exxon and that the FBI is investigating the PR firm involved. The original CitizenLab article is more thorough, but only identifies the hack-for-hire group and the Indian company it operates out of.
This citizenlab article is so much better. The article at the top reads like a conspiracy theory tabloid that loosely says one thing while simultaneously suggesting something else.
If proven, this should be harshly punishable under existing aiding and abetting laws.
On the underlying matter of oil companies being responsible for climate change… the law and the morality is far less clear. We are essentially all complicit.
With statements like these it’s important to take into account proportionality and scale.
Whereas a member of the public may have been aware of climate change after James Hansen’s congressional testimony in 1988, ExxonMobil had its own climate research division in the ‘70s and knew about the dangers of climate change at least ten years prior [1]. They sat on these findings and in the ‘90s actively engaged in PR and misinformation campaigns to delay action on climate change. They have been incredibly successful at this and the US has no policies to limit fossil gas extraction or burning.
I am aware, and that behavior is despicable, but I still don’t believe that this puts all the responsibility for climate change on oil companies generally or Exxon specifically.
The public at large have known for centuries that burning fossil fuels creates locally systemically significant pollution, and we do it anyway. We have known for decades now that it creates globally systemically significant pollution, and still we burn it anyway.
A few thousand greedy, profiteering, unscrupulous oil bosses would not have gotten away with doing it had there not been a few billion consumers paying them to do it. At some point, the blame must also be treated as systemic.
What happens in the scenario where Exxon is found guilty and given the corporate death penalty that some have asked for? Their assets would be confiscated and passed to some new owner. The government maybe? Whoever gets them, will they shut them down? No, they’ll keep those wells pumping, under some new brand name, because the demand for oil is systemic.
If Exxon is culpable for paying a hacker to commit a crime on their behalf, then the population at large are culpable of paying Exxon to pump oil on our behalf.
I'd have much more sympathy for this point of view if Exxon and co had loudly shouted about the dangers of climate change from the rooftops and the public at large still ignored them.
They did the opposite of that, in fact, and continue to do. So I have no sympathy for any oil companies if they ever face any punishment. A vanishingly unlikely prospect by the way.
> I am aware, and that behavior is despicable, but I still don’t believe that this puts all the responsibility for climate change on oil companies generally or Exxon specifically.
They should pay; they knew what they were selling and were misleading people, and now we are in a critical situation because of their actions. Individuals can do only so much and most of the people don't even really grasp and understand the implications of their actions, but get appalled when they do...
You can turn the problem in all directions, the manipulation of public opinion to freeze any attempt at reversing climate change is actually a crime against humanity...
> The government maybe? Whoever gets them, will they shut them down? No, they’ll keep those wells pumping, under some new brand name, because the demand for oil is systemic.
Not to mention a bunch of the biggest oil companies are already government owned:
First: I appreciate the overall tone of your comment. It's a polarizing subject, and I feel this is very much in good faith.
I think there's two important points you made that I'd like to address:
1. Failures to apply meaningful penalties / punishment to transnational corporations
2. Individual culpability for oil consumption
To start, I think it's worth looking at how punishments for corporate wrongdoings might look in a brighter world. Not having faith in the system is _completely_ understandable, and I think it can be easy to forget what it is we _do_ want after being shown what we _don't_ want over and over.
Off-the-cuff, I envision something like the forced closure and seizure of all Exxon assets by the federal government. These assets could be sold off to pay for the settlements of the multiple class-action lawsuits against Exxon focused on public health and environmental wrongdoing[1][2]. I'd love to see criminal charges for those at the top
There are past examples of companies doing wrong and being forced to close "with prejudice", or not being allowed to restructure into another entity with a different name. A famous example is the forced closure of the Bank of Credit and Commerce International (BCCI)[3]. Another is Purdue Pharmaceuticals, which was restructured into a public beneficiary trust that would administer payouts to "opioid creditors" or people who suffered from the opioid epidemic[4]. And hearteningly, there are also examples of executives facing jail time. Enron[5] is the most famous example, and though there are critiques that it wasn't far enough, Skilling was a fall guy, etc., it serves as a good reminder that even within our system today, there is already precedent. Theranos is another example of criminal proceedings against executives[6].
All this is to emphasize that though pessimism is understandable, optimism can help us push the system in the right direction, and doesn't have to mean having all the answers.
Now we can look at individual culpability.
I wanted to look at this point second because I think it becomes more approachable once we've seen what widespread change can look like. I don't have citations, or evidence to bring here. Just my own experience. I find it much easier to start taking personal responsibility when I know that there is some effort being made to offer me a mode of life where I don't induce second order demand for oil (i.e. I need to buy groceries, those groceries may come packaged in plastic). I find it much easier to take a freezing half-mile walk to the store when I see the companies inducing oil demand many orders of magnitude beyond what I'll ever use or need begin to face consequences.
That Intel board article was great. It named names, responsibilities, some degree of culpability.
There are org charts and paper trails for these corporations. Corporations aren't mechanical automatons. They are made of people that make decisions. Unfortunately, they are rich and influential people.
Between statute of limitations, limited liability corporations, fall guys, unlimited resourced lawyers, and a fundamentally corrupt judiciary when it comes to corporations, there's no justice for the legal immortal invincible personhoods that are corporations.
It is nuts that physical reality is subordinate to the law and even worse, the selective enforcement thereof, but that is the nature of this peculiar filter. What will probably kill humanity? Bureaucracy.
Empty statement that shirks responsibility when some are complicit orders of magnitudes more than others. Even among those not directly involved in fossil fuel industries. This matters. In Nazi Germany, someone working at a screw factory, some of whose screws ended up in military devices, was also complicit. Yet the morality is clear - they weren't sent to Nuremberg whereas others were, for good reason. Even though the war would have been near impossible with no screws available.
Where do you think Exxon sits on the giving-orders to just-following-orders to just-making-screws spectrum? And where do people buying oil products sit?
I consider myself qualified enough to determine there are orders of magnitudes of difference between them, but not nearly enough to place them at an exact location on the spectrum. I'd have to devote months and work with plenty of others to even attempt doing so and even then I wouldn't be the best person for the job.
Exxon also isn't a person, but the same would apply if you'd have said e.g. the Exxon CEO.
For people buying oil products, again there's orders of magnitudes of difference. Even the average person in Sierra Leone has bought an oil product at some point. I'm sure he's bought magnitudes less than I have though, and I have bought magnitudes less than others again. All of this does place us on different parts of the spectrum and is not to be hand-waved away.
I'm just curious if you think Exxon is the one giving the order to drill oil, or the one getting paid by others to do it. I'm not saying it's OK to do a bad thing just because someone else paid you to do it, but I am saying that a narrow focus on Exxon (and even more generally, a narrow focus on blame assignment) distracts from the systemic change needed across the entire global economy.
By all means punish the people who ordered the actual, specific hacking crimes highlighted in this thread, but trying to pin climate change on oil companies ignores the fact that the orders come from civilization at large.
There's no one-to-one comparison, but a decent one would be a drug cartel making and selling fentanyl. Sure, the orders come from civilization at large, I guess, as if no one were to buy the stuff then they wouldn't produce it. IG Farben also has similarities.
I don't think anyone is arguing that economy-wide changes aren't needed, nor did anyone ever propose that if only we took down IG Farben, WW2 would've ended.
Correct relative blame assignment is still very important, as the Farben CEO to Nuremberg and the screw factory worker should be rehabilitated regardless of having played a minor (yet still essential) role.
> If proven, this should be harshly punishable under existing aiding and abetting laws.
Convenient how the elements of the offenses in the "existing laws" are such that it's trivial for any non-idiot to structure things so their conduct can't be proven to meet them, eh? Sort of like Al Capone.
This kind of action (alongside Chevron's treatment of Danziger for his work against their pollution in Ecuador) is why:
* high level executives must have personal responsibility. They get paid the big bucks, they should get all the responsibility that comes with it. Jail a few of the egregious human rights abusers/negligent killers, and this kind of thing will be taken seriously. Why does a Muilenburg get to walk away with tens of millions of dollars for presiding over the killing of people? Some egregious ones will be made a public example of (shot in New York), but this is not a solution to anything.
* A corporate death penalty should be a thing. An ExxonMobil, after all the crap they've done (the Valdez tanker, this) is obviously rotten to the core. Nationalise, sell off the pieces, and everyone who was employed there in any decision making capacity gets a stain on their CV like the people who worked at Enron or FTX or any other scummy company.
Reminds me of how I see executives manage to “fail upward”, where it’s just so clear the people pulling the strings don’t give a darn about workers or the population at large.
Climate change due to industrial emissions of CO2 has been known and published in mainstream news articles since at least 110 years ago.[0][1]
It's been known and discussed in public by professional scientists for over 140 years[2].
The great inaugural Nobel Prize winner, Arrhenius, wrote a paper on the topic in 1896[3] which cited Fourier's publication from 1827[4].
More generally, global greenhouse effect of CO2 has been known for at least 185 years[4], a decade before the last founding father of the United States died.
4: Mémoire sur les Températures du Globe Terrestre et des Espaces Planétaires, Mémoires de l’Académie Royale des Sciences de l’Institut de France VII 570-604 (1827): https://geosci.uchicago.edu/~rtp1/papers/Fourier1827Trans.pd...
(English Translation)
Or that they just weren't very good business people. Their understanding of climate change back then was good enough to have a damned decent roadmap for how things were going to play out over the next fifty years. They were capable of projecting what was going to happen, the likely regulatory changes that would be needed to mitigate climate change, and how that would affect them.
One would expect the average CEO would literally kill for a roadmap of the future. They had it, and more. Exxon, ARCO, and others even made early R&D investments that helped pioneer terrestrial solar power, not to mention their extensive R&D capabilities more broadly. Sticking with the metaphor, they had the map and some of the most important tools for the journey ahead.
Fifty years were long enough even a financial moron could have developed a long-term transition plan that avoided stranded assets and massive losses. And they--and their people--weren't financial morons. Hell, much of their capital equipment and facilities investments had expected lifespans of a similar length. They had everything needed to create the mother of all soft landings.
Hell, they could have engineered an outcome where they came out well ahead. Being able to rebrand yourself as the company that chose to sacrifice itself to save the world buys you a hell of a lot of goodwill you can leverage for subsidies in Washington. We’d have paid them for it and thanked them for the privilege.
It couldn’t have been that much harder than convincing an entire political party that the problem didn’t exist. Oil companies convincing the public they were shitty companies that needed to be reborn? If they focused on the dying part of rebirth, that wouldn’t have been a very difficult sell even back then.
Only someone who failed upwards could have been gifted a hand like that and still manage to choose the worst possible path for both the world and their own company. All they managed to do was delay the transition and make it more expensive for their company and the world.
> Being able to rebrand yourself as the company that chose to sacrifice itself to save the world buys you a hell of a lot of goodwill you can leverage for subsidies in Washington. We’d have paid them for it and thanked them for the privilege.
This seems to be incorrect. Given my estimation of the current political climate, if you sacrifice yourself to save the world, you will be dead and then someone else will destroy the world anyway while you're not there to stop them.
When was the last time the government paid someone to save the world?
> This seems to be incorrect. Given my estimation of the current political climate, if you sacrifice yourself to save the world, you will be dead and then someone else will destroy the world anyway while you're not there to stop them.
Probably, but look at it from the 1970s. The environmental movement was at its greatest legislative power, the major federal environmental legislation passed at the time was often bipartisan since environmental issues weren't nearly so neatly ideologically coded as they are now, and you had a bunch of high-profile environmental disasters that kept the issue at the forefront of politics. You also had energy crises throughout the 70s. All of that severely undermined public trust in the industry.
Despite their horrible public image since then, the fossil fuel industry has accomplished a great deal politically. They managed to convince an entire political party that climate change doesn't exist despite decades of research and ever-increasing amounts of evidence. They've fended off greater legislative and regulatory oversight repeatedly since then. And while we may not be paying them to "save the world," we're still giving them a great deal of subsidies in the form of tax benefits, consumer incentives that end up increasing the usage of their products, and the massive gift of not taxing their significant negative externalities. So we are, at least, paying them.
Put simply, their lobbyists have always been skilled, as evidenced by their accomplishments despite the decades-long reality that the majority of Americans don't much like or trust them. So is it really that much of a stretch to expect that they could have gotten significant federal support for a clean energy transition that started back in the 1970s and was gradual enough that it didn't shock markets and the consumers? Or that, if they were able to secure subsidies and preferential tax treatment to extract fossil fuels, that they couldn't do the same for not extracting them?
Anyhow, if I didn't make it clear enough, the sacrifice would have been entirely symbolic. Exxon, for example, would have always survived the transition. It's just that their brand would have undergone a sort of phoenix-esque rebirth: Exxon the oil company would have gradually faded out of existence, while Exxon the renewable energy company came into existence at the same time. It would have been a marketing and PR message, but unlike with the attempts at greenwashing, the fossil fuel side of the company would have actually faded away. The message would have even been truthful in a way: it would have been a serious sacrifice of sorts on their part.
It's just that it could have been a sacrifice that didn't actually cost them much--and had they played their cards right, it might have been one that let them come out ahead in the end.
Recent political events have proven that if I wouldn't, someone else would do it anyway, and then I'd have the disadvantage of not being them. The world is significantly more atomized than I'd like; you can either play the game that everyone else is playing, or forfeit by default.
Well that's an interesting hypothetical but what they actually did was more like reducing GDP by a trillion and murdering a billion people.
You appear to be justifying the deaths due to it making financial sense overall, when it didn't. A small group profited at the expense of everyone else, even if you ignore the deaths.
Only if you're a sociopath. But I also don't buy the framing that oil companies are murdering people when they're providing the energy society needs. Fossil fuels have largely powered the modern world. That doesn't excuse covering up the science and the need to transition either. But there's tradeoffs and nuance to all this. Was solar and battery technology good enough in the 70s and 80s to start transitioning then? Would the public have accepted a nuclear transition?
For that matter, are there climate models predicting deaths on the order of 1 billion? Do they even make such predictions?
I'd call the sociopathic behavior trading a billion lives for a trillion dollars, but that's just something the parent came up with. What's the actual tradeoff, what sort of transition could have happened by now, to what extent was the rest of the scientific community aware of greenhouse gases, would a lot more nuclear power plants being built have been seen as better by the public?
They did? I missed the part where a billion people are dead. Last I checked, the population is still going up. I asked if there were any climate models making such a prediction.
> At least 3.3 billion people, about 40% of the world population, now fall into the most serious category of "highly vulnerable", with the worst effects in the developing world.[35] If emissions continue on their current path, Africa will lose 30% of its maize cultivation territory and 50% of its land cultivated for beans. One billion people face flooding due to sea level rise.[34] Climate change, together with other factors, also increases the risk of infectious diseases outbreaks like the COVID-19 pandemic. The report also cites evidence that China will pay the highest financial cost if the temperature continue to rise. The impacts will include food insecurity, water scarcity, flooding, especially in coastal areas where most of the population lives due to higher than average sea level rise, and more powerful cyclones. At some point part of the country may face wet-bulb temperatures higher than humans and other mammals can tolerate more than six hours
This seems like a confused analysis. As Enron and FTX both show well, personal criminal responsibility for high level executives and a "corporate death penalty" already exist and get used when circumstances warrant. The decision to use them is just made through a structured system of laws and penalties, rather than a subjective sense of which executives you feel are bad.
> As Enron and FTX both show well, personal criminal responsibility for high level executives and a "corporate death penalty" already exist and get used when circumstances warrant.
Hardly. Enron and FTX fell because they were insolvent, not because a "corporate death penalty" was levied on them.
Purdue, then, although a "corporate death penalty" executed in response to non-government-induced insolvency still seems relevant to me. The biggest proximate effect of shutting down a company is that all its employees become unemployed, so it's not something you'd generally want to do when there are other options on the table.
> As Enron and FTX both show well, personal criminal responsibility for high level executives and a "corporate death penalty" already exist and get used when circumstances warrant
Really not comparable. Enron and FTX were both insolvent due to Ponzi scheme-esque levels of fraud by their executives. The executives were sued for misleading investors and outright fraud, including securities fraud.
Boeing killing people with negligence, or Chevron poisoning millions through negligence, resulted in nothing. Personal responsibility for executives only exists for defrauding investors or tax authorities, which is wildly insufficient. Corporate death penalty only exists if the company is literally insolvent, and even then it might get rescued (GM), which is wildly insufficient.
I agree with you but the only time execs were held personally responsible that I can remember is Enron and that was on insider trading charges. There is so much plausible deniability and near unlimited appeals built into the system that it would take mountains of evidence and several hundred Lina Khans for an actually responsible executive to be tried for something like this.
Like other comments mentioned, this is just an AI-generated rehash of the underlying reporting that actually took place on this issue (see the “it isn't just X - it’s Y” and “- Bold Point Title: Short point contents”). Is there any way to change this link?