Time for an Update?

Editor’s Note: I thought I’d revisit a few stories I’ve covered this year to see how things have been coming along.


Blowin’ in the wind

Capitalize Albany Corporation (which does not, sadly, exist purely to stamp out lowercase spellings of the New York State capital but is the city’s economic development arm, it’s Cape Breton Partnership, if you will) reported on May 12 that “incredible progress” has been made “preparing 100 acres for the first offshore wind tower manufacturing facility in the U.S.”

The piece included this photograph of the “Capitalize Albany team,” port officials, Albany Mayor Kathy Sheehan and members of the City of Albany’s Neighborhood Community Services team touring the project site and I find it gives off strong Novazone vibes:

A group of people in reflective safety vests stand in a field.

Source: Capitalize Albany Corporation

When I discovered the Albany project back in May, I was unable to find any news more up-to-date than February 2023, but last week Politico reported on the project under the headline, “Biden officials tout shaky NY offshore wind projects,” explaining that US Interior Secretary Deb Haaland had visited Albany to “tout the ‘Bidenomics’ benefits of offshore wind projects—even as the four in New York face major challenges in securing financing.”

The Port of Albany project, which I wrote about back in May, involves wind turbine manufacture, assembly and storage by the Norwegian state-owned energy company Equinor and its  partner BP who are, as Politico explained in a separate July 7 story:

…developing the bulk of New York’s contracted offshore wind projects totaling 3.3 gigawatts and about 12 percent of the resources needed to meet New York’s 2030 renewable target. The projects — Empire Wind 1 and 2 and Beacon Wind — were awarded contracts by NYSERDA in 2019 and 2022.

Richard Hendrick, CEO of the Port of Albany (and recent visitor to Sydney in his role as president of the North Atlantic Ports Association) is quoted as saying the work to prepare the site for 626,000 square feet of manufacturing space spread over five buildings is progressing “in the face of a $350M funding gap.” (The original price tag for the Albany project, $350 million, had ballooned to $604 million as of the end of December.)

Map of New York State's five offshore wind projects.

Map courtesy of NYSERDA

In addition, all three Equinor projects have been delayed:

Empire Wind 1, originally set for 2024 is now targeted for 2026. Empire Wind 2, originally slated for 2027, is now targeted for 2028 and Beacon Wind 1 is also delayed by a year to 2029.

And Equinor has filed a petition with the Public Service Commission asking for an “inflation adjustment” (read: an increased subsidy from ratepayers) for the project. In this it’s not alone—the developers of all four NYSERDA-contracted offshore wind projects in New York have filed such petitions, citing increased costs due to numerous factors, including high inflation, Russia’s invasion of Ukraine, high interest rates, challenges “hooking up to the downstate grid” and higher-than-expected interconnection costs. The requests, according to Politico, “cast doubt on the viability of the projects and threaten progress toward the state’s 70 percent renewable by 2030 target.”


Let the hearing begin

In other news, the Ontario Securities Commission (OSE) has convinced six former Bridging Finance employees to testify against their former bosses, David and Natasha Sharpe, in its enforcement hearing against the company, the Sharpes and their former chief compliance officer, Andrew Mushore.

According to the Globe and Mail, the hearing opened on June 26 with OSE lawyers alleging the Sharpes:

…directly benefited from a fraud that saw approximately $19-million of investor funds diverted to Mr. Sharpe’s bank account, among other alleged misappropriations. All three defendants also allegedly engaged in a “sophisticated and multi-faceted cover up” that included amending loan documents and destroying 34,000 e-mails in a “targeted effort to cleanse the record of evidence that might prove the wrongdoing,” said OSC lawyer Mark Bailey.

But wait, there’s more: the OSC also alleges that David Sharpe sent “intimidating texts and voicemails laden with profanities” to Bridging employees with knowledge of the alleged misconduct.

It’s been over two years since the alleged wrongdoing at Bridging hit the headlines, becoming public in April 2021 when the private debt manager was placed under a court-ordered receivership at the behest of the OSC. I covered it at the time because there’s a local connection: Membertou borrowed $6.8 million from Bridging to invest in Albert Barbusci’s Novaporte scheme and as of February 14 of this year, when Novaporte renewed its registration with the Quebec business registry, Bridging itself was still listed as an investor:

List of Novaporte stakeholders

(Source: Quebec Registraire des entreprises)

The Globe estimates losses to investors at $1.3 billion or close to two-thirds of all the money they put in.

The hearings are scheduled to run “intermittently until February 2024” and the OSC is seeking to:

…ban the Sharpes and Mr. Mushore from various types of participation in Ontario’s capital markets. The regulator is also asking for penalties of up to $1-million for each alleged breach of securities laws, and it is seeking to recover any proceeds that were generated from the alleged misconduct.

David Sharpe announced he would not be attending the hearings because “he believes the OSC’s case against him cannot proceed,” although his attempts, to date, to derail it have not succeeded.

Additionally, PricewaterhouseCoopers (PwC), the Bridging receiver, is suing KPMG Canada for $1.4 billion over alleged deficiencies in its auditing of Bridging Finance.


Clop revisited

Back on June 6, I wrote about the MOVEit file transfer data breach that affected the government of Nova Scotia among other high-profile users of the software (including CalPERS, the largest public pension fund in the United States).

The Clop ransomware gang had claimed responsibility for the attacks, although it also claimed, according to Bleeping Computer, to have deleted any government data it had stolen (a claim the publication said it had no way of verifying).

That’s basically where I left things, so I figured this story was another obvious candidate for an update.

Clop began adding the names of companies whose data it had stolen to a leak website in mid-June, threatening to begin posting data on June 21st if the companies refused to negotiate ransoms.

Threat from Clop ransomware gang to leak stolen data.

Clop message on MOVEit Transfer attacks (Source: Bleeping Computer)

But according to Bleeping Computer, many companies (and institutions) chose to publicly acknowledge the data breaches rather than negotiate with the gang, and on July 11, TechTarget wrote:

The Clop ransomware gang’s large-scale data extortion campaign against MoveIt Transfer customers has proven to be one of the most high-profile cyber campaigns in recent memory. But experts are unsure of how lucrative Clop’s campaign has been.

That’s apparently because, while Clop is known for “double extortion,” that is, for both encrypting a company’s data for ransom and stealing it, the MOVE-it Transfer-focused attacks “appear to have been opportunistic, data theft-only affairs” and such attacks, Bill Siegel, co-founder of the cyber security firm Coveware, told TechTarget, are “less disruptive” than ransomware campaigns that encrypt systems.

Siegel said that in his estimation, “very few, if any” victims of the attack have paid based on the firm’s tracking of the campaign.


Meanwhile, back at home…

I received a notice from the provincial government on Tuesday to the effect that they were embarking on a second round of notifications for people whose data was stolen in the MOVEit breach.

The province had initially determined that the breach involved the personal information of “many” employees of Nova Scotia Health, the IWK Health Centre and the public service. On June 9, it added to that list:

  • about 55,000 records of past and present certified and permitted teachers in Nova Scotia, including name, address, date of birth, years of service and educational background. The information does not include social insurance numbers or banking information. The list includes people born in 1935 or later.
  • about 26,000 students, aged 16 years and older, including date of birth, gender, student ID and school. This information was in the database because it was shared with Elections Nova Scotia.
  • about 5,000 short-term accommodations owners in the Tourist Accommodations Registry. The information stolen included name, owner’s address, property address and registration number.
  • about 3,800 people who applied for jobs with Nova Scotia Health, including their demographic data and employment details. Social insurance numbers were not included.
  • about 1,400 Nova Scotia pension plan recipients. Their names, social insurance numbers, dates of birth and demographic data were stolen.
  • 1,085 people issued Halifax Regional Municipality parking tickets. Names, addresses and licence plate numbers were stolen.
  • about 500 people in provincial adult correctional facilities; name, date of birth, gender, prisoner ID number and status in the justice system were stolen.
  • about 100 Nova Scotia Health vendors, including product and pricing information. Vendors’ banking information does not appear to be included.
  • 54 people issued summary offence tickets; names, driver’s licence numbers and dates of birth were stolen.
  • 54 clients of the Department of Community Services, including names, addresses, client ID and transit pass photos.
  • about 1,330 people in the Department of Health and Wellness client registry, including name, address, date of birth, and health card number.
  • at least 150 people in the Department of Health and Wellness provider registry, including doctors, specialists, nurses and optometrists. Assessments are ongoing. The information taken includes names, addresses and dates of birth. It does not include social insurance number or banking information.
  • about 60 people with the Prescription Monitoring Program, including names, addresses, dates of birth, health card numbers and personal health information.
  • 41 newborns born between May 19 and 26. Information stolen includes last name, health card number, date of birth and date of discharge. Parents will be notified.

Anyone whose “sensitive personal information” was stolen was to receive credit monitoring and fraud protection services, details of which would be shared in notification letters that were to begin going out the following week.

Tuesday’s press release said the province was “nearing completion” of notice to this first group and had sent out offers of credit monitoring to nearly 81,000 civil servants, NS Health and IWK Health employees and others. About 44,000 certified teachers will “receive letters soon.”

The second wave of notification letters will go to people whose stolen information is considered “less sensitive,” including “names, addresses, license plate numbers and email addresses.” This group will not receive credit monitoring or fraud protection coverage because, according to the province, “there is a very low risk of identity theft or fraud.”


SQL Injection

The MOVEit breach was the result of an SQL injection vulnerability which, according to Bleeping Computer, allows an attacker to:

…craft special queries to gain access to a database or tamper with it by executing code. For these attacks to be possible, the target application must suffer from a lack of appropriate input/output data sanitization.

The vulnerability (tracked as CVE-2023-34362) was fixed a few days after its discovery but it turned out that Clop had been looking for ways to exploit this flaw for two years prior to succeeding.

Last week, MOVEit customers were warned to patch a new SQL vulnerability, one discovered by the developer, Progress.

This is the illustration BleepingComputer uses for its Clop articles.

This reminded me of something I learned about SQL attacks from a YouTube video I watched recently, but first a quick aside:

Back in the day, Spy magazine used to have a feature called “Logrolling in Our Time” which called out authors for “trad[ing] good reviews back and forth,” as Eliza Truitt put it in this Slate article about the phenomenon. (Truitt has some truly horrendous examples of the genre from Frank McCourt, the author of Angela’s Ashes, who said of no fewer than three authors—all connected to him in one way or another—that their prose made you “want to claw yourself with pleasure.”) It is, then, with eyes wide open to the risk of logrolling in my time that I point you to aforementioned video because one of the two presenters is my friend Peter Lowe and during the course of the discussion, he actually references my June 6 article.

The point of all this is that Lowe says SQL injections are one of the “simplest kinds” of cyber attacks to launch and he expresses amazement that Progress hadn’t done more to protect itself, which I find to be food for thought.


Green Hydrogen

The Port of Argentia is jumping on the green hydrogen bandwagon—or more precisely, the green ammonia bandwagon.

Everything about this story is dodgy, beginning with the notion that building wind turbines to generate electricity to extract hydrogen from water to convert to ammonia to ship across the Atlantic Ocean makes anything like sense.

The Argentia project involves a Houston-based company called Patten Energy which, as the CBC reported in early June, has “inked a deal” to use “6,000 acres of industrial and forest land owned by the port” for its first wind turbines, thus giving it a leg-up in what is apparently becoming “an increasingly competitive market.” (Patten is also awaiting a decision on whether it can use crown lands for wind turbines, but access to the Port’s private lands means it could move ahead “pending an environmental assessment.)

Former premier Dwight Ball pops up in the story as chair of Argentia Capital Inc, a joint venture between the Port of Argentia and a Halifax-based investment outfit called Torrent Capital. Argentia Capital Inc was established in September 2022 to focus “on the the construction of port infrastructure, the provision of services and equity ownership in businesses that support aquaculture, renewable energy, and oil and gas sectors, as well as other port developments.” It’s always good to see a former premier entering the private sector and immediately entering into negotiations with the government for the use of crown lands and whatnot. Makes you feel all’s right with the world.

Speaking for Patten Energy is Erika Taugher, who has a PhD in chemical engineering with a focus on hydrogen 15 years’ experience as an energy trader (although she did have the grace to acknowledge the “challenges” with hydrogen storage.)

Back in May 2022, I spoke with Paul Martin, a retired chemical engineer and co-founder of the Hydrogen Science Coalition, a non-profit organization made up of academics, scientists and engineers who, as Martin told me, know something about hydrogen but “unlike most people in the space, have no money riding on it.”

Martin, who dismissed the notion of hydrogen as fuel as a “dumb distraction” on the road to decarbonization did acknowledge a role for green ammonia and said a facility that used renewables to produce hydrogen to turn into green ammonia could be a good thing, but he argued you wouldn’t build such a facility in Atlantic Canada—you’d build it somewhere with both wind and solar energy, so the expensive electrolyzer doing the work of extracting hydrogen from water could run day and night.

But as Martin’s colleagues at the Hydrogen Science Coalition, David Coben and Johanne Whitmore put it:

Hydrogen has morphed from a targeted solution to a “silver bullet” for the energy transition.

Writing for the OECD’s Forum Network in January, Coben and Whitmore said:

The climate science is clear: we need to decarbonise the global economy by mid-century at the latest. A well-designed energy transition is integral to this, with innovative solutions like hydrogen providing an important piece of the puzzle.

The Intergovernmental Panel on Climate Change (IPCC) recognises that hydrogen will be vital in this shift, however they currently estimate it will represent just 2.1% of total energy consumption by 2050. Despite this limited role, hydrogen has quickly taken hold of the global energy transition agenda, overshadowing many readily scalable solutions we should be deploying today.

Wenger 16999 Swiss Army Knife

Martin actually compares hydrogen to this particular Swiss Army Knife, the Wenger 16999 Giant which ” It costs $1400, weighs 7 pounds, and is a suboptimal tool for just about every purpose!”

The hydrogen-mania is astounding:

The United Kingdom for example, is in the midst of a fierce debate about the wide-scale use of hydrogen for decarbonising home heating. Norway and Germany are detailing a plan to build hydrogen-fuelled power plants and a hydrogen pipeline between the two countries. South Africa, Egypt and Morocco are eying the development of a hydrogen export market. The United States, Mexico and Canada are planning to build a North American clean hydrogen market; meanwhile, Japan is promoting a clean hydrogen society and planning to cross reference the cost of hydrogen with liquified natural gas.

(“Clean” hydrogen, by the way, is hydrogen produced with fossil fuels coupled with carbon capture and storage, “a technology which is economically unproven at large scales.”)

But what is most astounding about the hydrogen projects proposed for our own province (EverWind in Point Tupper, Bear Head Energy in the Strait Area) is that they would be generating green electricity for the purpose of producing green ammonia for export to Europe even as Nova Scotia Power was converting three coal-fired units at the Lingan Generating Station in Cape Breton to heavy fuel oil and operating them until 2050.

Go figure.