By the time customers catch on and the company falters, the investors/owners that profited financially, and managers that profited on their resumes, from the short-term gains may have moved on. The party that's really hurt is the customer base.
I've seen this play out again and again.
Private company Boards can be more ruthless than public companies’. (Historically, this was the norm.) Much of tech’s myth of quarterly metrics and short-term planning in public companies comes from unfamiliarity, not fact.
The last years of public tech companies had zero discipline. Everything was long term. Right now, Apple’s investors are fine with decades-long secret plays while oil and gas companies have short-term investors. Managing your shareholder base is part of managing a large company, public or private, and as with so many things, comes down to the people involved more than any heuristic.
Depends on ownership. When the insiders still own 80% (or control that much through super-voting shares), the minority shareholders’ interests (often but not always short-term) may still be ignored.
As a customer, I don't care why this is, but it is. That's why this is bad news every time it happens -- it's not that corporations are bad, it's that the products very often (but certainly not always) become undesirable.
The company I work for did not IPO yet either, and we still do performance reviews every quarter. So idk if going public matters much in that regard.
Make keys, sell keys. The end. What's there to raise funding for? Build yet another password vault?
Now with shareholders in the mix I fear they will try to find recurring income models to increase profits. I guess we'll just have to see.
Do one thing, do it right, keep your customers happy, get your money, enjoy your life...
Also, though I would miss yubikeys if they went under like this, in practice I could switch to google titan or something else and it wouldn't be the end of the world.
Yes, there are competitors. But I really don't want to be reliant on Google as a company. I guess Solo Keys and Nitro Keys could be good alternatives, but I really feel Yubico has a great reputation as far as hardware token companies go.
You plug both yubikeys in. Authenticate on both keys using the tool and then you're able to transfer/backup.
Corporate management offerings around Yubikeys, inventories, call back home to renew an expiry if the yubikey itself when touched should give out the information.
Trust me, if Yubikey hires me and goes IPO it is all downhill but the company will make a boatload more money.
Every company I have worked for I've found significant ways of increasing margins and EBITDA.
<quick search>
Yikes! I didn't realize Yubico was in such bad shape financially that this was their best (only) option.
Some early employees could want to cash out. Going public is a great way to do that.
Apple, Google, Facebook, Microsoft (especially recently), Nintendo, Tesla, etc.
The IPO is a statement to investors that the company believes it will grow bigger and seeks public market funds to accelerate growth. That doesn't always happen.
Some companies and investors see the IPO as merely a liquidity event, which is the wrong perspective to take. SPACs were clearly being abused for this.
Also Microsoft went public almost 4 decades ago, Apple went public over 4 decades ago, the landscape looked a bit different there.
Microsoft - Ruining Windows to extract more value from customers.
Facebook - hardly anything even needs to be said here.
Google - slowly getting worse and rotting away.
Tesla - I’m a bit neutral here. Tesla has its problems, but it’s not clear that they used to be amazing and now are just trying to extract money from users.
Maybe Yubikey could do to PKI what Tailscale did for VPNs: make the whole process dramatically simpler and easy to use. Still sell Yubikeys, please, but set up a funnel to capture corporate recurring revenue by solving this problem better than the alternatives.
This is weirdly enough a Swedish singer who had Eurovision Song Contest ambitions. https://www.youtube.com/watch?v=HE1Vy5lKuzw
She's part of the Swedish upper class – the Swedish Wikipedia page lists her as "baroness" (friherrinna), further accentuated by her name ("af" is the Swedish variant of the German "von")
This is the artist: https://en.wikipedia.org/wiki/Caroline_af_Ugglas
Soon you will be beholden to Wall Street. That means at the slightest controversy there will be calls to enable a back door to your product(s).
But even ignoring that, going public itself doesn't bode well for the product regardless.
Like, programmable key is cool as an idea but I need smartcard support and a button on it to confirm transaction to replace YK usage...
- they don't (yet) have all the features, or at least I couldn't find out how to do some of them without implementing them myself. Though due to the design of the TKey this can be added later without needing a new key or anything like that, you could even implement it yourself
- their design approach is a bit different from a Yubikey or similar, mainly it doesn't have any persistent (writable) memory. This has some drawbacks and some benefits. Benefits include that you can add applications later on, have endless many of them, and upgrade applications. E.g. a company that hands this key out to 1000 employees and needs to switch to post quantum cryptography doesn't need to buy 1000 new keys, they just deploy an update and the users have to re-enroll their existing keys. Drawbacks include that you can't store anything on the key (TOTP, moving an OpenPGP key onto a Yubi key etc.) so for some appliances you need to have some metadata on the device where you want to use the key with (could be encrypted using the TKey, might just be a seed or similar to derive the right data using the TKey, etc.). Not a problem for typical enterprise use-cases, but a problem/inconvenience for your typical "private" user (which can be negated with support software).
Anyway I think I want to buy one.
> Tillitis is wholly owned by Amagicom AB and is a spin-off from the sister company Mullvad VPN
Their firmware is opaque, not shared outside the company, so is their hardware (important for RNGs etc).
(Full disclosure: I work for Tillitis.)
Passkeys will win the war for the everyday user, and Yubikeys will remain a niche IT item. Their focus on FIPS audiences is good though as that should provide a longer-term reliable source of sales.
I hope Yubikey survives long term because I like their tech implementation (a key must be present AND physically touched to activate). I travel much more confidently with Yubikey locked accounts. I know where my Yubikeys are at home and I don't generally take them out with me.
The war for better securing online accounts benefits us all though. haveibeenpwned hasn't gotten any smaller over the years :/
Wait... Passkeys are from the FIDO alliance and both Google, Apple and Microsoft have pledged to implement passkeys for auth no?
I don't think it's "Apple passkeys" any more than they're "Google passkeys" or "Microsoft passkeys".
Which is why it's so scary... It's going to steamroll all other kind of auth with these three juggernauts behind it.
We use them at work, but they aren't fundamentally more secure than what's built into the computer.
https://en.wikipedia.org/wiki/Special-purpose_acquisition_co...
There's simply no way they can line up the "here's how we get to 1B users and then mine all their personal data" business plan that some other tech companies can do.
The biggest killer was the fact that Yubikey NFC is so awful. I worked with tech support repeatedly, even bought two new keys, and it almost never worked right.
With AWS IAM Identity Center (successor to AWS Single Sign-On) - that's actually the official name, hopefully temporary - it seems well supported via WebAuthn. You can "even" have multiple keys assigned to your account...
On mobile, if it works at all, it should be NFC.
Equity is where the gold is, and each investor is an extra marriage partner who must be satisficed and can potentially upend everything.
Build a stable business, not an instant payday.
Just kidding. Hopefully this has no security or usability impact.
Also all the people who built the company in the first place will cash out. People can decide for themselves whether they think the product will become more or less secure from this.
This reads like a non sequitur. The corporate structure is irrelevant if there is a radical change affecting how strategic decisions are made regarding their products and their userbase.
I wouldn't call that an irrational concern, since it's in fact pretty rational. Stock market investors demonstrably do not value computer security over financial performance, and once they control a company, its focus will shift to their priorities.
Liquidity for employees who exercised their options and investors who funded them before they had significant revenue, presumably.
When it cuts down to it, which master will yubico serve? The customers or their shareholders?
Now Yubico has a fiduciary responsibility to their shareholders.
I frankly can't think of very many companies that are able to resist this core capitalist corruption. Even Costco is implementing shareholder over customer policies. 1Password? Google's "do no evil." Are there good examples of companies that stay customer first after going public?
Also not going public, but Fastmail was bought by Opera in 2009 I think but then bought themselves back out again, and they've continued to offer excellent customer service (including yubikey support of which they were an early adopter) all the time.
So I'd say there's precedent for companies staying customer-focused under capitalism if the stars align: it has to be a place where (1) staying customer-focused is a clear net positive for the domain they're working in, even from a revenue perspective and (2) the people running the company understand this.
I imagine this is much more the case for companies where the customers are specialists / power users (think: developers) or other businesses, rather than the general public. I hope that means yubico of all places is lower risk. Although I consider them one of the best if not the best in the market, were they to go under, there are alternatives (google's own titan keys are ok replacements for the end user, though obviously they don't have the yubico back-end infrastructure). FIDO/U2F etc. are standards and come with certifications, so I'd hope there's only limited room for maneuver for any new yubico owners to mess up, and a sufficient threat of losing their business that they are not incentivised to try anything too shady.
?
The construction quality of Yubikeys has been good in my experience.
I was just worried about the closed source proprietary firmware in a security product (including the random number generators, where issues were discovered in the past).
But Yubikeys are used in various companies and apparently in some branches of governments too, thus must have been vetted by their security teams (though there could be different lines of firmware or products for different clients. People say there is not much benefit to purchasing FIPS-compliant Yubikeys. Neglecting the approved algorithms and features, is the firmware the same as that in non-FIPS security keys?)
On this note, are Feitian still the OEM for the Google Titan keys?
Something tillitis key has. Tkey has a steeper learning curve because they're programmable, but they're also 100% open source software and hardware.
[1] https://www.tillitis.se/tkey/
Otherwise, in a more traditional yubikey-replacement design, I've had my eye on the onlykey but their github has very little activity which makes me worried it's a dead project.
Having hard-to-extract device keys isn’t “DIY hostile”; it’s critical to the attestation security model. If you want to build your own WebAuthn authenticator, then you can either form your attestation root (there’s no “blessed” vendor list that I know of) or simply ignore that part of the spec.
If some knobsite wants to insist on me using a "hardware authentication key" (similar to how many currently insist on using email/SMS codes), but I want to set it up so that secret is stored in my browser because that site isn't so important to me, setting my own security policy that directly contradicts their wishes should be my right. Their control shouldn't extend onto my own computer(s), with the demarcation point being the Internet itself.
The authenticator hardware that I use every day is a device I built myself.
Isn't this the same with all hardware?
And the documentation, at least when I received the keys, felt incomplete and hard to find; it did not give me confidence in the product.
I still use them as a backup key, but I decided to just buy two yubikeys as my main keys.
https://www.nordicsemi.com/About-us/BuyOnline?search_token=n...
But, nothing lasts forever. Eventually the founders sell, the shares get converted to common, etc.
They do. Or did. With this move, though, the "reputation score" has to reset and be considered neutral until we see what the new behavior will be.
there is, at the bottom of the get started page
currently besides validating the key itself only ssh and git signing by ssh key is supported by them
Also directly from the main page the first noticeable thing:
> TKey’s design encourages developers to experiment with new security key applications and models in a way that makes adoption easier and less risky for end-users.
I.e. it's for now mainly for developers not end users (for now).
There is a "button" on it. (Which yes isn't mentioned anywhere, outside of some article you can navigate to by following multiple links).
Most important (and they could be more clear about it) it doesn't have (writable) persistent memory. Which has some great benefits but can also have some major inconveniences. And depending on how/for what you use smartcard support I'm not sure it might ever support it.
Anyway the shop opened around 16 days ago so it's still very early days for TKeys (and their website, and documentation, etc.).
I'm looking forward to what it will enable.
But AFAIK it's already a great choice for certain kinds of companies for their employees.
The problem is bad security practices don't become clear until it's too late for the customers. A company can coast on reputation for a long time, while its stuff fails to keep up in non-obvious ways.
First: all registers and logic (LUTs) will always be cleared during the reset phase of the FPGA configuration. So any secrets stored there will be secure. We store the Unique Device Secret (UDS - the primary asset) in registers. Registers that can also only be read once between power cycling. The block RAMs (EBRs) however can be cleared or retain data based on the configuration <-- these are the ones to worry about.
Right now we have to touch the FW-RAM (implemented using EBRs) with the UDS for a few tens of cycles. After it being used, it is wiped from memory. So a successful exfiltration must trigger the warm boot-reconfiguration during that window of time. In order to make this harder (i.e. more time consuming) we do a few things:
1. We randomize when the UDS is moved to the FW-RAM and thus when the window to hit is. And we should not leak any indication when that is.
2. We use ASLR to randomize where and in which order the UDS is stored in the FW-RAM.
3. We use randomized data scrambling of the contents in the FW-RAM. And yes we do fill the memory with randomized, ASLRed data first.
The randomization control values are all stored in registers, and will be lost as part of the reset phase of the attack. So an exfiltration must:
1. Hit the window of time.
2. Extract the contents of the FW-RAM.
3. Be able to distinguish the random data words that make up the UDS from the other contents of the FW-RAM.
4. Descramble the UDS words and place them in the right order.
It is not an impossible attack, but it should take a long time. And it should not scale easily from one device to all others. One could automate it of course, but the work should be the same (multiple exfiltrations) for each device.
But we still think that the attack IS possible, and it is therefore out of scope of attacks that we mitigate for this version of the TKey. The next version will hopefully be able to keep the UDS in registers only. When we have that working, the threat model will be updated to reflect that.
With that said, I had a Yubikey Neo die for me as well (NFC still worked, USB totally dead) - Yubikey offered me a new key for a discount.
But in fairness to Apple, the Mac marked a point where they overtly wanted to ditch their (then) current customer demographic and switch to an entirely different customer demographic. Which they successfully pulled off. And they do seem to be giving those people what they want, they just don't want the likes of us.
But, back to the topic, I consider Apple to be an example of a company going public and having an excellent product ruined as a result.
But, as long as we're talking about possible causes, that startups do this sort of thing (catchy name like "growth hacking" or not) is a kind of deception that I object to anyway.
Releasing a product is a kind of promise, in a way. If a product is being released in an unsustainable way (growth hacking), the company should be calling that out from day 1.
I do think the calculus changes for yubikey. Without built in security keys, every knowledge worker on earth should have a yubikey like thing, so their market is huge. With built in device security, then the keys might not be deployed at the same rate.
It's a good point though. I also think companies (at least mine) like having full control over the yubikey experience whereas the way apple manages the secure enclave is more obtuse.
If you asked me to choose between that while remaining customer focused, vs 3x what I make while screwing over my customers, the choice is easy. Other than providing for me and my family, I like creating things that make other people's lives easier over buying fancy cars and vacation homes.
It's not like I put out a thing and expect it to support me forever with some magical recurring stream of milking whomever.
But afaik there is nothing else out there right now like the tillitis key, programmable, 100% open, and already shipping.
Especially with bullshit like CF using it as a captcha substitute. https://blog.cloudflare.com/introducing-cryptographic-attest...
However, I don’t really think it’s an indictment of either WebAuthn or attestation more generally: as pointed out, most public services do not (and probably will never) require attestation. The winds are against it more generally: non-attestation flows are easier to implement, and WebAuthn adoption is increasingly driven by authenticators that don’t necessarily offer useful attestations (e.g. on-device and virtual tokens). Most future users of WebAuthn won’t have physical keys of the sort that Cloudflare’s scheme will require.
CF, WHICH IS THE FUCKING SOURCE OF THIS PROBLEM, complains about the problem
But I agree, I don't think there's any enforcement mechanism beyond whatever the RP decides.
"...What does the data tell us? In the two years since the acquisition announcement, GitHub has reported a 41% increase in status page incidents. Furthermore, there has been a 97% increase in incident minutes, compared to the two years prior to the announcement..."
The stats are not enjoyable though.
Slow AIs ^W ^W Corporations work on a different scale than people. For example, you _do_ need a MS365 identity to play Java Minecraft now, nine years after Microsoft bought Mojang.
Would you accept less compensation if your employer cannot keep up with competitors?
Yubico is free to do what they want with their business model. As an existing Yubico customer, I will be taking my business somewhere else, if they deviate from my priorities. They had a nice thing going on, and I am suggesting they consider their next steps. I know I will now keep them under increased scrutiny.
I’m a simple Software Engineer, so I don’t really have much insight into that whole side of things.
The purpose of my questioning is to shine light on the fact that these two things are related, which answers your original question of
> Why this need to always make more and more money?
I am sure Yubico’s owners and employees also want to maximize their compensation, but the fact that there are many investors in the public market pretty much only looking at ROI is what enables the business model of milking users.
You, as a shareholder, are not optimizing for
> keep your customers happy, get your money, enjoy your life...
So why would you expect businesses to behave in a way other than maximizing ROI?
If I had invested in a company, I would prefer them to maximize my return over a span of decades, not over the next quarter by inevitably undercutting their long-term performance. For some reason, the market currently favors short-term gains in a way that inevitably compromises long-term results.
Reducing R&D investment is maximizing ROI in a way...
But often a change in ownership can also mean a change in risk tolerance, investment horizon and potentially in management incentives or management team. Some of these changes could align negatively with some customer interests and therefore caution from customers (especially those who worry they might not be seen as future core customers) is understandable when what has changed is unclear.
The website feels a bit cramped with all the large text on desktop, like it was only tested on phones
Can it hold gpg keys and interface with gpg-agent? I couldn't find that information.
The TKey does not have any persistent memory available for applications to store things. The idea is that we measure (calculate a keyed digest using BLAKE2s) the application during loading. The keyed digest (called CDI) is used as a base secret, random value by the application to derive the secrets the application needs. The Ed25519 signer for example derives its keypair based on the CDI.
A PGP application could use this to deterministically derive a keypair.
The FW application loader will also accept a User Supplied Secret (USS), which is also used during the calculation of the CDI. This means that the keypair derived will be based on the specific TKey device, the integrity of the device application and the USS. One way to use the USS is to control which keypair to derive. For example for SSH, different USS can derive keys used for different servers.
Also, a device application may use the CDI to derive wrapping keys, and then use authenticated encryption to protect a cookie that can be stored on the TKey client machine between usage.
We are working on providing libraries and examples for app developers to do this.
And to the yes part of the answer: Yes, a TKey could talk to a PGP agent and be called upon when needed. This is similar to how a SSH agent can talk to TKey today.
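The derivation described in the comment above, as an added Python sketch that is not Tillitis code and not part of the original post. The way the application digest and USS are combined, the derivation labels, and the BLAKE2s keystream-plus-MAC used as a stand-in for a real AEAD are all assumptions made for illustration; the UDS, application and USS values are constructed.

```python
import hashlib
import hmac
import os

def measure_cdi(uds: bytes, app_binary: bytes, uss: bytes = b"") -> bytes:
    """Keyed BLAKE2s over the loaded application and the optional USS.

    The per-device UDS is the key, so the result depends on the device,
    on every byte of the application, and on the user-supplied secret.
    (Assumed layout: digest(app) || digest(USS).)
    """
    app_digest = hashlib.blake2s(app_binary).digest()
    uss_digest = hashlib.blake2s(uss).digest()
    return hashlib.blake2s(app_digest + uss_digest, key=uds).digest()

def derive(cdi: bytes, label: bytes) -> bytes:
    """Derive an application secret (key seed, wrapping key) from the CDI."""
    return hashlib.blake2s(label, key=cdi).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from keyed BLAKE2s: a stand-in for a real AEAD cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.blake2s(nonce + counter.to_bytes(4, "big"), key=key).digest()
        counter += 1
    return bytes(out[:length])

def seal(cdi: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC a cookie that the client machine stores between uses."""
    nonce = os.urandom(16)
    stream = _keystream(derive(cdi, b"cookie-enc"), nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hashlib.blake2s(nonce + ciphertext, key=derive(cdi, b"cookie-mac")).digest()
    return nonce + ciphertext + tag

def unseal(cdi: bytes, blob: bytes):
    """Return the plaintext, or None if the blob was not sealed under this CDI."""
    if len(blob) < 16 + 32:
        return None
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hashlib.blake2s(nonce + ciphertext, key=derive(cdi, b"cookie-mac")).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(derive(cdi, b"cookie-enc"), nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))

# Constructed sample values, not real device secrets or firmware images.
UDS_DEVICE_A = bytes(range(32))
UDS_DEVICE_B = bytes(range(32, 64))
SIGNER_APP = b"constructed signer app image v1"
PATCHED_APP = b"constructed signer app image v1 + one changed byte"

if __name__ == "__main__":
    cdi = measure_cdi(UDS_DEVICE_A, SIGNER_APP, b"ssh:server-1")
    print("key seed for server-1:", derive(cdi, b"ed25519-seed").hex())
    blob = seal(cdi, b"totp-seed-metadata")
    for name, other in [
        ("same device, app, USS", cdi),
        ("patched app", measure_cdi(UDS_DEVICE_A, PATCHED_APP, b"ssh:server-1")),
        ("other USS", measure_cdi(UDS_DEVICE_A, SIGNER_APP, b"ssh:server-2")),
        ("other device", measure_cdi(UDS_DEVICE_B, SIGNER_APP, b"ssh:server-1")),
    ]:
        print(f"{name:24s} ->", unseal(other, blob))
```

Changing the device, the application image or the USS yields an unrelated CDI, so the sealed cookie only opens for the exact combination that created it.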
https://github.com/tillitis/tillitis-key1/blob/main/doc/thre...
The current casing is fairly tamper evident (it will break), but we do not yet use real, tamper evident sealing. We are looking at tamper sealing for future versions. And ways to further protect against physical attacks.
Can’t work with FIDO/U2F, I’m afraid.
The protocol works a little differently than most people expect, which is what allows the hardware token to “store” an unlimited number of auth credentials.
What really happens at auth time is that the server (the one you are trying to authenticate to) sends a crypto package including the challenge and a key used to sign the challenge to the token. (That signing key was generated at enrollment time and encrypted using the token’s private key). The token then uses its internal private key to decrypt the signing key sent by the server, sign the challenge and send back the signed challenge.
So there is no way to transfer credentials because the credentials literally aren’t in the token (they’re stored—in encrypted form—on the servers you log in to). The only way that transfer could maybe work is by copying the token’s private key… but that kind of defeats the purpose of a security token.
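An added Python sketch of the stateless key-handle idea described in the comment above; it is not part of the original post and not any vendor's firmware. It assumes a derivation-based variant (the per-site key is re-derived from a nonce inside the handle rather than decrypted from it), the class and method names are hypothetical, and a SHA-256 fingerprint of the key stands in for the public key a real token would return.

```python
import hashlib
import hmac
import os

NONCE_LEN = 32
MAC_LEN = 32

class StatelessToken:
    """Toy token that keeps one device secret and no per-site records."""

    def __init__(self, device_secret: bytes):
        self._secret = device_secret

    def _site_key(self, app_hash: bytes, nonce: bytes) -> bytes:
        # Per-site private key, re-derived on demand and never stored.
        return hmac.new(self._secret, b"key" + app_hash + nonce, hashlib.sha256).digest()

    def _handle_mac(self, app_hash: bytes, nonce: bytes) -> bytes:
        # Binds the handle to this token and to the site it was issued for.
        return hmac.new(self._secret, b"mac" + app_hash + nonce, hashlib.sha256).digest()

    def register(self, app_id: str):
        """Enrollment: return (key_handle, key_id); the server stores both."""
        app_hash = hashlib.sha256(app_id.encode()).digest()
        nonce = os.urandom(NONCE_LEN)
        key_handle = nonce + self._handle_mac(app_hash, nonce)
        key_id = hashlib.sha256(self._site_key(app_hash, nonce)).hexdigest()
        return key_handle, key_id

    def unwrap(self, app_id: str, key_handle: bytes):
        """Authentication: rebuild the site key from the handle the server sent.

        Returns the key fingerprint, or None when the handle was issued by
        another token or for another app ID. A real token would go on to
        sign the server's challenge with the recovered key.
        """
        if len(key_handle) != NONCE_LEN + MAC_LEN:
            return None
        app_hash = hashlib.sha256(app_id.encode()).digest()
        nonce, mac = key_handle[:NONCE_LEN], key_handle[NONCE_LEN:]
        if not hmac.compare_digest(mac, self._handle_mac(app_hash, nonce)):
            return None
        return hashlib.sha256(self._site_key(app_hash, nonce)).hexdigest()

if __name__ == "__main__":
    # Constructed device secrets and app IDs.
    token = StatelessToken(b"\x11" * 32)
    spare = StatelessToken(b"\x22" * 32)
    handle, key_id = token.register("https://login.example")
    print("same token, same site :", token.unwrap("https://login.example", handle) == key_id)
    print("same token, other site:", token.unwrap("https://login.example.evil.test", handle))
    print("spare token, same site:", spare.unwrap("https://login.example", handle))
```

The last line of the demo shows why a second token has to be enrolled separately: a handle minted by one token is meaningless to another.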
Since reading about that, I've wondered if the relying party in FIDO could or should know the difference. Would this entire product line get flagged in some FIDO registry as having exportable keys? If you really cared, it seems you would need to consider this a static property of the authenticator, whether or not a particular user has decided to make use of the export feature on their device.
Worse, as a software-defined feature, do you get any guarantees at all? Do they do some kind of secure-boot chain so that the FIDO app gets access to a manufacturer key and some other lower quality app cannot be installed to spoof the same authenticator solution?
On the other hand, those devices could be more secure in some practical sense than a Yubikey. They have a display and can show context during an authentication challenge, to reduce the chance that a user is confused about which relying party is asking for the next button press. There is also potential for secure entry of a PIN factor without trusting the host computer to relay this information.
The standard actually anticipates you might want to do that, so the token’s manufacturer can sign the token so that a relying party can whitelist (or, presumably, blacklist) certain tokens.
But we are talking about the manufacturer: they can add a backdoor and sell the backdoor as a feature for subscribed users.
That is what gp is talking about.
In fact, the sales literature brags about how the secret never leaves the device!
In general CMVP compatible modules do sometimes allow keys to be exported but only if wrapped, i.e. encrypted to prevent unauthorized disclosure. However this is also explicitly forbidden in other standards, such as qualified signing in Europe (etsi-...) - keys are generated on device and never leave.
What do you do if you lose the token? Ideally you enroll two or three and just use another.
Faster: the finance markets have been extremely tenuous the past 4 years between pandemics, supply chain crisis, world wars, inflation, and so on. An IPO requires 12 to 18 months of work / process before listing. SPACs can be done in a quarter or 2. In uncertain times it is much less risky to get the listing done fast.
Cheaper: Startups pay much less in fees to investment bankers when going through SPACs, there is also less dilution for investors and employees and more valuation transparency. In traditional IPOs investment bank underwriters have some conflict of interest to get lower valuations to pass the 'pump' onto their high value clients or proprietary trading desk. Why should they benefit over the people who have literally built the company?
While it is true that there is room to better regulate SPACs, there haven't been horrible abuses yet. It is also true that SPACs have not had the best returns for retail investors over the past few years however drawing a conclusion that this is due to SPAC usage versus the complex macro economic environment of recent years is very difficult.
Instead we saw popular podcasts push their SPACs on gullible retail investors, based on fuzzy concepts like disruption and TAM. Subsequently these SPACs lost 90% of their value and the insiders made bank. I hope to see jail sentences for the more shameless SPAC pump and dump players.
If people want to gamble, then that is their problem.
> It's faster and cheaper, those are things that are generally considered valuable.
For the company. It's also faster and cheaper for the company to just ignore all regulatory requirements (financial reporting, product safety, pollution, labor, etc.), but that's usually illegal for good reason.
It seems pretty dysfunctional that companies would be allowed to do an end-run around pre-IPO scrutiny like this.
[edit]
Some googling[1] implies my memory was mostly correct.
1: https://www.investopedia.com/roth-ira-conversion-rules-47704... See particularly the part about "backdoor
1. Take N dollars of post-tax money.
2. Put it in a Roth IRA.
But the same limits don't apply to this process:
1. Take N dollars of post-tax money.
2. Put it in a traditional IRA.
3. The next day, convert the traditional IRA to a Roth IRA.
When you do the conversion, you only owe taxes on any additional earnings (not your post-tax contribution) during the one day that it was a traditional IRA. So the second procedure accomplishes almost exactly the same thing as the first one, but it legally gets around the limit designed to prevent rich people from getting Roth IRA tax breaks.
However the companies that go public via SPAC are mostly VC-funded, so in that sense you’re right that they’re also profiting from the SPAC con by being able to dump their holdings in these companies that were not actually ready to go public.
The thing is, nobody is born sophisticated and there are many ways to get hurt in financial markets in the absence of scams even if you're intelligent and do your homework.
You mention index trackers, but they are no silver bullet. Their mechanism is basically to buy more of stocks that go up, and to sell those stocks that stumble badly. The more people rely on index trackers (exchange traded or not) the more volatile they'll become, and because index funds use such a simple trading strategy it's easy to front-run or otherwise exploit them. Furthermore, index trackers depend on active investors for price discovery, and the fewer active investors you have the worse index funds will perform. Relying on a vanguard ETF might continue to work, but to assume that it will is hopelessly naïve. It's no coincidence that ETFs got so popular with interest rates at 0 and a fed that made stonks go up.
Imagine I buy a chainsaw which is clearly labelled as something that can cut your hands off, it's widely known and obvious to everyone that chainsaws can cut your hands off very easily, not just in the specialist financial press but also on comedy shows and from TV news pundits and loads of other sources - I'm a mentally competent adult, I'm informed about the substantial risks, I want the chainsaw anyway so I can chop down lots of trees fast. Then I chop my own hand off by mistake.
Was it society's responsibility to protect me from my own mistakes, even when I was fully informed of the risks?
It's like giving 40% of the adult population a chainsaw that they have to use if they want to retire at a reasonable age. The outcome is predictable and they would be wise to invest in a prosthetics company.
The questions are rhetorical. Companies will rob their shareholders blind if you let them. You can't just be "lol caveat emptor".
(Casinos also cheated players shamelessly in the good old days before regulatory oversight.)
> Index ETFs have been around for 15+ years now, and the advice is widely known that if you are an uneducated investor without inside information or some type of edge, you should stick to sub 0.15% expense ratio index funds....
> If people want to gamble, then that is their problem.
So what? It's also well known that the IRS doesn't take payment in iTunes gift cards. So do you think if people get scammed, it is their problem for not knowing better? Should we just repeal all the laws against fraud and scams, because caveat emptor?
The behavior described in the GP post is unacceptable, and the fact that someone theoretically should have known better doesn't excuse it.
But, I'm really not getting your point here. SPACs have to report financial results just like any other public company. They aren't allowed to commit fraud any more than any other company.
A conventional IPO has a number of roadblocks for fraudsters. First they have to convince a reputable investment bank (like Goldman Sachs) to take them on as a client. Then the CEO and CFO of the company have to go on a grueling road show where they talk to groups of sophisticated investors, present their business prospects, and answer difficult questions. The IPO doesn't happen if those investors aren't willing to pay up, or if the investment bank feels like management is not transparent about their realistic business prospects.
With a SPAC you have none of that. You can have a slide deck and a webcast and make outrageous claims and nobody will call you out on it. The company and SPAC sponsor can dump their shares on retail investors who think they are investing alongside the executives and SPAC sponsor, when in reality they are their exit liquidity.
Lordstown Motors. Faked their order book. Blatant securities fraud.
There are many others.