This document feels out of place to me. It's addressed to various regulators, and at a surface level it has the form of an affidavit or other legal document. But the language is far too familiar to be writing for that audience - they refer to Mudge consistently as Mudge rather than, say, "Mr. Zatko"; they make liberal use of superlatives; they add emphasis using bold text. This is kind of like writing a cover letter where you explain why the job would be great for you rather than why you would be great for the job, it's going to sound wrong to your intended audience, and it will degrade your credibility in their eyes (rightly or wrongly). This isn't the style you would adopt if you wanted such austere organizations as the SEC, DOJ, and they even mention _Congress_ to take you seriously.
This leads me to believe that this is a document for public consumption adopting the aesthetics of a letter of concern sent to regulators, and that this document is being submitted to the court of public opinion. I don't doubt that Twitter executives are borderline fraudulent and may have crossed the line into outright fraud - I'd be unsurprised to learn that about any group of executives at any large company. But this document has more the feeling of propaganda than a serious appeal to regulators.
In Mr. Zatko's previous appearance before Congress* in 1998, he was addressed by his hacker nom-de-plume, Mudge. Perhaps they see fit to continue this practice.
That's certainly true, I've seen this testimony before and were that the only thing that was off about the document I wouldn't have made my comment. Any one of these elements isn't sufficient to justify suspicion of anything, it is the preponderance of them.
The use of the Mudge is certainly the weakest of the indicators I've presented; what do you think of the strongest of them, the unusual use of emphasis? What do you think of the three of them taken together? If you were the author of this document and you just found out that the public would never see it, only officials at the SEC et al - would you feel like this document was likely to be effective for that audience? Is there truly nothing about it you'd change in that circumstance?
Why should the style matter more than the content. If our gov agencies are as sensitive to style of communication as you suggest then I would say they are wasting our tax dollars with their extreme focus on aesthetics and spurious semantics.
As I've said, what I believe is that this document _was not intended for regulators_ and is employing _deceptive tactics to win in the court of public opinion rather than the court of law_, and you're welcome not to find that important but I do. I'd also argue that style and aesthetics do, in fact, matter and are worth discussing, as they are part of the context in which the content resides and our understanding would be incomplete without them.
I do think there is a good reason for bodies which are meant to dispassionately find facts and enforce regulations to prefer plain language and straightforward argumentation. But even if that weren't the case, it really wouldn't reflect on my argument. Additionally, everything the document alleges could be true, and the allegations worthy of discussion - I haven't argued that they aren't true or that we shouldn't be discussing them, I have no way of knowing if they are true and am ambivalent about whether we should give them oxygen - and that would not reflect on my argument.
Tactics which will win over the court of public opinion differ than tactics that would win over regulators, but the piece was always going to try and convince the reader of it's thesis, whomever the reader ends up being. I'm curious why you think the difference in audience make those tactics rise to the level of deception and propaganda though. Stripped of all bold emphasis, would the document read the same? IMO, yes. But I'm not an SEC regulator.
I believe the document lied about the intended audience - both directly stating and, through form and aesthetics, implying, that it was for one audience while truly being for another - to mislead the reader into thinking it was more authoritative than it actually was. Were this to be a blog post or press release, I wouldn't call it deceptive.
No, I don't believe it would read the same without emphasis. Especially since the emphasis is often on superlatives rather than the substance of certain statements. I'm not sure what to say other than, "emphasis is a tool of graphic design that does, in fact, function." It guides the eye and enables the reader to skim, and if you took away the emphasis, this document would be less effective, at least if the goals of the document are what I have argued.
It does not seem likely to me that Mudge wrote this document personally. The document either doesn't have a byline or the byline is censored, but I'm guessing it was authored by some lawyers and distributed by Whistleblower Aid, or perhaps authored by Whistleblower Aid. I don't think it particularly reflects on Mudge's personal views on the situation, and it probably doesn't reflect on his intentions either.
It's pretty apparent that one of the intentions of this document is to get Musk out of hot water - totally separate from "protecting the internet" and not a particularly populist goal.
I'd speculate this represents a collaboration between Musk and Mudge's legal teams, probably in exchange for Musk funding litigation from Mudge regarding wrongful termination. That's all speculation, it's just what makes the most sense to me.
From having worked with Mudge tangentially in the past, the bit about Twitter not having a cold-boot scenario and that being a problem sounds like him. Given Mudge's storied history, I don't know that he needs Musk to help him fund litigation regarding wrongful termination, though the timing is interesting. Musk has more funds than Mudge does, and spending someone else's money is always more fun than spending your own, so maybe there's something to that, but as you say, that's just speculation.
Maybe some gov agencies have the kind of culture that is biased toward a dry and austere communication style such as that typically found in papers coming out of regulatory agencies (and ones presented to them), but I assure you it is not a issue of logic; it's an issue of cultural preference. Trying to argue that a certain communication style is more productive in a certain context is again a cultural bias (not of your opinion but of theirs)
you're saying it was sent to the regulators but it was written as a blog post for popular consumption. I'm countering by saying that whether the regulators are communicated with using a dry, austere style or a theatrical one fit for a blog post should not change the outcome, unless the regulators are culturally biased (toward the dry style) and therefore the sender chose to hit two birds with one stone )both the regulators and blog readers as audience).... that is unless the regulators are culturally biased
Yes — why not achieve the most pressure from as many angles as possible, while telling the truth, just in a civilian-approachable way (as is customary in hacktivist circles).
Personally, I think Mudge wrote, hoping that this document was going to go before Congress and wrote for them, and that possibly that he would have to go before them. Thus the (over) use of bold emphasis is for a broad audience of which certain members won't (or can't) read as critically as others.
I'd write like there's no way this doesn't leak to the public eventually. It's Twitter we're talking about. Juicy gossip is the point of the platform so of course it's going to get spread. I don't know that it undercuts its message though.
Is there some other legitimate example affidavit which to compare? Is SEC bound by a non-superlative clause? Perhaps the drafting lawyers demanded mandate of flair.
To clarify this isn't an affidavit, I just meant that there is clearly a stylistic choice here to have a certain form. Here's an arbitrary example of a criminal complaint (just because it was the first court document I found):
The way things are presented in sections with numbered subsections, the way some things in the beginning appear to be redacted, are clearly meant to convey the authority of an official document submitted to a legal body.
I'm sure this doesn't violate any sort of law and that you are permitted to write a letter like this and submit it to regulators. What I'm suggesting is that the stylistic choices they make are indicative of the audience they are writing for, and that it is different from their stated intentions. And that suggests to me that this document has an agenda and is willing to accomplish it through deceptive means (those being, lying about the purpose and audience of the document to enhance it's perceived authority by giving the general public the impression they are the fly on the wall of an official proceeding rather than reading a document for their own consumption that may have no bearing on the outcome of this dispute), which is my personal standard for calling something propaganda.
Page 40 has a redaction over the circumstances under which Mudge was terminated. The intro mentions a Board Member who silenced Mudge and the reactions are done in two blocks so you can infer who that person was. This whole report is a clown show.
This is Elon’s attempt to burn US taxpayer money helping launder him out of having to pay ~$10b to walk away from Twitter. It sounds like Mudge has his own litigation regarding severance. So it was a no-brained to join Musk’s mercenaries.
This issue is not worth taxpayer time. You want less regulation? Then stop crying wolf to Congress, and more importantly, stop just doing dumb stuff like buying a company you can’t actually run.
That's a rather large claim without any substantial evidence.
This is HN and it only serves as a court of opinions, and Elon isn't popular right now, but let's keep ourselves intellectually honest.
Twitter has had several security issues, including Saudi spies[1], a large-scale hack of several celebrities[2], and even recent ones[3]. Twitter is one of the largest tech companies and a very important town square.
Mudge was hired to do a job by Dorsey, and the newly appointed execs made it very clear that they don't give a shit about security, when the lack of safety measures has been demonstrated to be dangerous to the public.
> That's a rather large claim without any substantial evidence.
> Twitter is one of the largest tech companies and a very important town square.
94th on the chart [1] - as for a town square I respectfully disagree, its a website - 12th according to rankings. Just nudges infront of the other famous town square, pornhub and a little further behind, linkedin. Half the 'traffic' of reddit, and 1/3 of apple somehow, not to mention the giant in the room, facebook. Surely if there is a town square that is it ... i doubt many would even agree with that.
> the newly appointed execs made it very clear that they don't give a shit about security
Allegedly
> when the lack of safety measures has been demonstrated to be dangerous to the public.
I am yet to see said demonstration. Are we worried that XYZ blue checkmark twitter users public tweets are not encrypted at rest on their servers? Or that the entire corpus of the library of twitter might be lost in an catastrophic event?
They didn't imply that there was a proper way to run Twitter (they stated Musk was unfit to run Twitter without addressing whether anyone was more fit), and if it did it wouldn't have been disingenuous. It is not disingenuous to believe there is a proper way to run Twitter, that's just an opinion you may disagree with.
Style is context which should be considered to understand content, and without considering it our understanding of the content may be incomplete (as I argue is the case here). I make no claim that either is more important.
I would claim they did not write for more than one audience. I'd refer you to my other comments in this thread for that argument.
Emphasize however you want, I'm not the style police, I'm just arguing the choice to use emphasis rather than plainly state the facts is incongruous with the stated intention of the document and is an indicator that it has a different intention. I'm not saying they did it _wrong_ I'm saying that we can infer something from the choice _to do it_.
Wow, this is a wild read. Some of the most shocking parts:
- Lack of development and testing environments; engineers build, deploy, and test code directly on the production environment
- >50% of employees having access to the live production environment and sensitive user data (getting _worse_ over time)
- Lack of logging of what people did with their production environment access
- 30% of employees' systems had disabled software updates
- Twitter "has never held proper licenses to the data sets and/or software" they used for some ML models
- "The majority of the systems in the data centers were running out of date software no longer supported by vendors"
- Misleading the board (e.g. trumpeting "we have endpoint monitoring software on 92% of employee systems!" but neglecting to mention that endpoint monitoring software reported 30% of employees' systems had disabled software updates)
- Misleading the FTC (e.g. implying that data was deleted when users closed their accounts, when in fact it was not)
Paragraph 15 is amusing in that it undermines their weird attempt to connect to current affairs without much basis - it comes right out and says "executives are incentivized to avoid counting spam bots as mDAU" yet the greater thrust of the section is that Musk's dispute of the 5% number - a number based on "mDAU" - is generally "correct." That seems extremely twisted: Musk is claiming Twitter claimed something they didn't, Mudge's claim here is that Twitter execs are highly incentivized to be honest about that number they actually claim. In terms of "total" bot accounts... it's a free service with open signup on the fucking internet. You aren't gonna crack down on that effectively without draconian measures that few people really want. Twitter "intentionally prioritized" growing the base of users they were confident in showing ads to since that's the core of their business? Yawn. Company focuses on what actually makes them money, seems responsible of them to their stakeholders! If the bot "problem" got bad enough that they couldn't monetize, they'd be incentived to fix it; they shouldn't necessarily spend millions on trying to fix it just because people complain. There are bots on Twitter, news at 11, this supports the idea that Twitter wasn't lying in their financial reporting. So why are they leading with this BS part?
The fact that the document began with 20 pages of word twisting to pretend that Parag lied to Elon, while no such thing happened is really bizarre.
I thought the whistle blowing was about state actors being granted 100% access to user data. Instead it dedicates the first 20 pages whinging about a non issue. I lost any motivation to read the docs any further.
He also complains about data center ops quality at Twitter. While Mudge pretended this is extremely unusual, I have never worked at any fortune 500 that would meet his criteria of fault tolerance, and I have worked at several. With original architects disappearing and employee churn this is impossible. And why does he think this needs to be whistle blown? He sounds really immature.
Is there any thing of interest beyond the elon musk drama?
When this story first started, there were obviously comments of "this seems timed to support Musk's argument", and counter points of "this would have been in progress long before Musk's offer and has nothing to do with it".
There being an entire section titled "Lying about Bots to Elon Musk" makes this entire document seem flimsy at best.
It's entire possible to make whistleblower compaints about security issues at Twitter without trying to testify to an impending lawsuit.
--- edit: one thing I regret is not changing the cnn.com URL to the original WaPo reports a few days ago, since they were obviously much better - so I'll add them here:
Almost makes it look like the same PR people work for both Twitter and FB. Or, these PR tactics are google-able and everyone rips the same template now.
Relevant: dang is a YC employee and not a neutral aggregator. For a balanced perspective, it behooves the reader to consider sources that do not have financial conflicts of interest in the industry being covered.
You're on Hacker News. This entire website has a "financial conflict of interest in the industry being covered", given that the "industry being covered" in this story is "security at one of the largest tech companies in the world".
Further, all dang is doing here is referencing other HN submissions that relate to the same topic. Are you claiming that he's picking and chosing related links based on some form of bias?
'dang does nothing to hide his affiliation and is widely known on HN as its primary moderator/curator. One of the tasks he takes upon himself is to provide additional links relevant to the submission as he's done here. If you've got additional links you think are relevant, I'm sure he'd be happy for you to include them.
I really hope that's not true. Ooph.
"Twitter data centers were fragile, and Twitter lacked plans and processes to “cold boot.” That meant that if all the centers went offline simultaneously, even briefly, Twitter was unsure if they could bring the service back up. Downtime estimates ranged from weeks of round-the-clock work, to permanent irreparable failure"
How many large tech companies do you think can do that? Each service wants to benefit from the use of other services. Ensuring there aren't dependency loops in this complex graph sounds tricky.
You have to have enough people to "be that asshole" that tells people in their design docs that they are creating a dependency loop and need to design things to avoid it. I did that for quite a while at Lyft, and I'm hoping that people continued doing that after I stopped. My guess, though, is that I and others have missed things and that even somewhere that was careful to avoid it, there's still some places that could make cold boots difficult.
The best way to avoid this problem is to have a secondary datacenter that is hot, and to never let both fail. Of course, this is what twitter is doing. Designing a DR plan where you can lose multiple primary/secondary datacenters is hard enough that basically no one does it.
This is something that really doesn't belong in the whistleblower complaints because it wasn't under his responsibilities, twitter wasn't lying to anyone about having properly implemented DR plans, and twitter's DR plan isn't out of the ordinary across the industry.
Has anyone worked with him? This report makes him sound immature, unprofessional, and out of his depth with respect to legal matters. Is that an unfair characterization?
I know Peter Zatko (mudge) professionaly (having spoken at computer security conferences and worked at more than one company that also worked with him), and personally (to an extent, hung out and talked at aforementioned security conferences, talked on irc And email in the good old days of #hack and bugtraq, and have several friends in common, was extremely impressed talking to him about how to disclose a bug I and the l0pht had independently discovered back in the day), and reputationally (the guy demanded, rightfully, a ton of respect amongst peers back then and now). I have a very hard time with this characterization.
It seems extremely unfair. Rather than focusing on the content, you're criticizing tone. It comes off as a structured tactic, given that famous image of Mudge with unkempt hair in a suit sitting before Congress, intended to draw attention away from his words and onto his rough edges. It's an ad hominem attack of a particularly cheap variety.
What sounds immature, unprofessional, and out of depth is Agrawal's mass e-mail tarnishing Zatko's reputation, a tactic that your post seems to repeat from a different angle.
I'd rather have the theory of general relativity written in crayon, than the most beautiful calligraphic illustration of nonsense. Wouldn't you?
With all due respect, no you aren't. There isn't any criticism of the actual content in your post. It's all critiquing the tone - what style he used when writing, who you think he thinks his audience is, how informal his phrasing is. None of that has ANYTHING to do with content, it's all about form.
You might have incorrectly attributed a post/comment to me. There is no criticism of tone in my post. Nothing about style, audience, formality.
My comment is based on the following:
Much of the first 15-20 pages are complaints about the company optimizing and incentivizing what he believes to be the wrong metric. There is nothing illegal about it. Twitter are clear about it, shareholders know what they are trying to do. He's naive if he thinks it's a legal issue. It's probably not even a moral or business issue - if raw bot count becomes a user experience problem, it will cause mDAU to drop.
He appears unprofessional in his constant wanting to go to the board - he was a security lead, it's not his place to go to the board. He reported to a guy who reported to a guy who reported to the board.
Interesting tidbits to HN users, who like to complain about new Twitter accounts being disabled and required to add a phone number: this is called "ROPO" internally, and multiple executives actually want that to be disabled. But Mudge asked for research that proved it was one of the most efficient anti-spam measure they have at their disposal.
I read most of the document, and even if a fraction of it is true, Twitter will have a lot of explaining to do in front of the SEC. It sounds like it would be easy to find criminal intent.
I think a lot of this is... bad. But not bad bad. It's bad in the sense of "This company is rubbish and Mudge clearly fought with Agrawal" but not bad in the sense of "This company is clearly doing illegal things".
For example, Mudge claiming he was ordered not to present a report to the board. He might not be happy about that, but that's perfectly fine, it's not down to him to chose what the CEO decides should be presented to the board, you can have perfectly reasonable disagreements about what's appropriate and at the end of the day the call is down to the CEO. The fact that there are other cases where board members intervene to tell Mudge this reinforces that.
Or the claim that the CEO instructed Mudge to send the board documents they both knew were misleading. This is an explosive claim, but it seems highly unlikely that Mudge can prove Agrawal knew the documents to be false, and misleading is impossible to know, because he can't know the context they were presented in. I think it's just highly unlikely that Twitter's CEO is so incompetent that he's just moustache twirling and lying to everyone, it seems highly likely this will come down to Agrawal having a different opinion or interpretation of the facts.
What really undermines the claim is when we get to this section:
>Agrawal’s tweet was a lie. In fact, Agrawal knows very well that Twitter executives are not incentivized to accurately “detect” or report total spam bots on the platform.
Mudge is massively over-reaching here. At best, an argument can be made that at some point there are some perverse incentives where allowing spam bots could inflate numbers to make the company look successful. But even if that argument were convincing, which it isn't, Agrawal clearly doesn't believe it. It's trivial to make Agrawal's argument here.
That's why this looks like big claims, but unsupported claims. Because where it's clear that people can reasonably believe what they say but disagree with each other, Mudge claims one side must be lying. What could easily presented as openness, honesty and transparency about the challenges the company faces("Mudge asked the Head of Site... what the underlying spam bot numbers were. Their response was "We don't really know.”) - Mudge basslessly claims this is essentially proves they were acting in bad faith.
This all looks designed to be explosive on first sight, but not actually correct in the detail.
> At best, an argument can be made that at some point there are some perverse incentives where allowing spam bots could inflate numbers to make the company look successful. But even if that argument were convincing, which it isn't, Agrawal clearly doesn't believe it.
It is clear to me that Argrawal is trying to obfuscate and confuse. Every time he is asked about the total number of bots on Twitter, Argrawal subtlety changes the subject to mDAU. He knows this is not the same as total users, but he chooses to change the subject and pretend he's answering the question. This is very shady in my book, and his attempt at subterfuge and lack of transparency is very troubling. I've seen other CEOs do similar things when they don't want to talk about something potentially damaging. The fact that Argrawal artlessly tried to smear Mudge earlier in the week does not make me trust that he has good and forthright intentions. Argawal seems very shady, and I wonder how you can trust him?
It's not some subtle sleight of hand, the number of bots on twitter is not what is claimed in the legally required filings. We can argue till the cows come home about how many bots they are, but it's not relevant to the legal wranglings that are going on around Musk buying twitter. Musk is saying "The bot number is higher than you're saying" and Agrawal is saying "I've never made any claim on the bot number", and Musk might be right that there are lots of bots, but if he is right, it just highlights how dumb it was to make an unsolicited bid to buy the company with no due diligence.
And this isn't just some arbitrary thing that Agrawal has made up either, there's one very specific reason why you would care about mDAUs not bots. mDAUs are the number of people you can advertise to, and Twitter's revenue is advertising. It's like saying Twitter has an army of 10,000 cats in it's basement. It might be true, but it's not relevant to the value of the business.
In practical terms pretty much yes. The CEO gets pretty wide latitude. Let's start from a pretty standard premise - there are security holes in every company. Clearly we're not going to disclose every single one to the board.
So it's up to the CEO to make the judgement on when something rises to the importance of needing to notify the board or needs input from the board. The board is there for strategy, not for operations. So as long as there's nothing relevant to the high level strategy, there's no real reason to tell them about individual operational issues.
An obvious example here, is that Mudge cites that Agrawal tells the board that they have end point management, but Mudge knows the end point management shows lots of devices aren't secure. The end points being insecure isn't a problem to bring to the board, as long as you have a strategy to rectify it- which presumably they do, since that's why they've instituted end point management in the first place. And remember, the board knows that they've got security issues and they're addressing them, because the board approved them hiring Mudge as head of security in the first place. So the question is why the Head of Security thinks he needs to go and advise the board of all of the operational issues he's tackling. They know there are issues, that's why he's employed.
A strategy like "manage endpoints" would not be satisfied if people are actively able to avoid it, no? Wouldn't that mean the board's strategy is being ignored and evidence of it concealed by the CEO?
The question isn't "Right at this moment is everything good" it's "do we have a strategy to get to the point where everything is good". So sure, the first thing you're going to find when you implement endpoint management is lots of devices are breaching the requirements, the important thing is to then address that - not to just go back to the board and say "things are really bad".
I'm curious where the line might be then, at what point would it be problematic for the CEO to prevent this particular issue surfacing? Or is the onus on the board to ask for specific feedback?
I think there's two clear criteria for what would rise to the board: Firstly, somthing that clearly raises legal liability - for example discovering a hack that must be disclosed publicly, that sort of thing. Or something that clearly causes a rethink in strategy. Now, I could absolutely see a scenario where Mudge comes in and goes "This is terrible, we need to massively change our plan and massively increase our focus on security" and Agrawal basically disagrees. At the end of the day it's a judgement call, so it's down to Agrawal.
I could see a CEO getting in the way of a pretty clear board mandate and getting fired for it, maybe there needs to be a sacrificial someone to make that happen. I haven't really seen good evidence in my short tenure to believe that one man should be making all judgement calls for a business, although that is how I guess everything is structured for some reason. Thanks for the insights.
If the CEO put the level of detail around endpoint security that "mudge" implies he should have, the board would wonder if they've hired the wrong CEO.
Most of the complaints in the whistleblower docs aren't about anything illegal.
There's some places where they show that twitter's public statements, after a security incident, around their security posture were misleading. That's potentially illegal, but even that could be a grey area.
There's some places where they show twitter didn't comply with creating and enforcing an SLDC, but if you've ever worked on an SLDC, you know it's a joke that's there for compliance checkbox reasons. Also, this is certainly a grey area because most likely to actually comply with this, you only need to have a document generated, training for how it should be used, and very basic processes in your git workflows. I'd be surprised if they hadn't done enough to legally comply with this.
The statements around "employees with production access" are vague. What _kind_ of production access do they have? If you're an engineer, you have production access, because your code can be deployed there. If you're in ops/support, you have production access, because you need to access user data. Hard to properly judge the seriousness of this without knowing more details.
For me, the lack of audit access seems to be the biggest legal issue, especially if they were lying to regulators about their progress.
It's not that the accusations aren't bad. They paint a picture of an org that has serious security issues, seriously management and organizational health/culture issues, flailing executives, and an incompetent board. But, it really seems like most of it simply isn't illegal.
I'll agree with most of these statements, but would object to "they show twitter didn't comply with creating and enforcing...". I don't think it's clear that they have shown anything.
This is simply a complaint making statements without any real form of evidence. As you say in your final statement, this is just painting a picture of an organization. It's definitely not fair to take everything stated here at face value with all of the context which is clearly missing.
Disclosure of an attack, if that attack results in exfiltration, is required by law. If you cover up that, and don't disclose, someone is going to be in legal trouble.
If you've had an attack, you disclose, and what you discuss in terms of the protections you had in place, and the actions you're going to take afterwards weren't completely accurate, that's more of a grey area.
Giving the Indian government access to your data when they allowed the Indian government to specify an individual to hire and then not have internal controls on what information that person has access to.
Sounds very similar to how the Saudi Arabian government spied on Twitter users using a plant but in this case knowingly supported by Twitter executives.
The implications of what is being alleged are.. Hard to wrap ones head around. Fascinating to ponder. We all assume stuff like this is going on, but here it is; no conspiracy theory.
At a minimum it's worth spending brain cycles considering the impact on "national security".
Arguing over the blame and legal implications could be interesting in the context of dispassionate technical legal analysis, but most of that discourse seems little more than a couch for people to signal their biases for the parties involved.
Twitter is in dire hot water over this and are going to have a nice conversation with Elon, Jack, etc in court with the SEC, and the FTC watching them over this potential case of fraud with this disclosure.
Did Twitter really think that continuous denial, lies and more PR deception was going to be that easy to get away with?
This leads me to believe that this is a document for public consumption adopting the aesthetics of a letter of concern sent to regulators, and that this document is being submitted to the court of public opinion. I don't doubt that Twitter executives are borderline fraudulent and may have crossed the line into outright fraud - I'd be unsurprised to learn that about any group of executives at any large company. But this document has more the feeling of propaganda than a serious appeal to regulators.