The Hacking of NASDAQ 76
puddingebola (2036796) writes Businessweek has an account of the 2010 hacking of the NASDAQ exchange. From the article, "Intelligence and law enforcement agencies, under pressure to decipher a complex hack, struggled to provide an even moderately clear picture to policymakers. After months of work, there were still basic disagreements in different parts of government over who was behind the incident and why. 'We've seen a nation-state gain access to at least one of our stock exchanges, I'll put it that way, and it's not crystal clear what their final objective is,' says House Intelligence Committee Chairman Mike Rogers, a Republican from Michigan, who agreed to talk about the incident only in general terms because the details remain classified. 'The bad news of that equation is, I'm not sure you will really know until that final trigger is pulled. And you never want to get to that.'"
The market is rigged already (Score:4, Insightful)
Would we even notice if it was hacked?
Re:The market is rigged already (Score:5, Insightful)
Exactly. Do your worst, black hats. The system's already rooted by Wall Street bankers.
Re: (Score:1)
..and, why, xactly, was the OP troll-Modded?
Consider the following scenario - you place an order to purchase a book on Amazon, or ebay, you press "One Click Buy", and..
you then get an email from some pondlife, informing you he has just intercepted your communications, and taken over your purchase - but you can still have your book, plus a small fee for him, of course.
Difference being, they don't even inform you of the fact, just charge you.. - Like, why is this shit even legal?
As the OP stated, Hell, Hack a
Re:The market is rigged already (Score:5, Insightful)
That's not a perfect analogy, but it's not too far off.
It's more like this. There's a classifieds forum which regular users can refresh once every 10 minutes. Special users with a paid subscription can refresh once per second.
You post "Bicycle wanted, will pay up to $500" and someone else posts "Bicycle for sale, $400" then the speedy special user buys the bicycle for $400 and puts it up for sale for $500 before you or the seller can refresh (at best, when they're not doing even shadier things like spamming the forum with fake Wanted posts etc).
Somehow this is supposed to produce value. I think it has a similar effect on the economy to either robbery or counterfeiting currency. I can see no way this produces any value.
Re:The market is rigged already (Score:5, Insightful)
You've got it completely backwards, is the thing. Don't worry, most people get this backwards, because they reason from "these guys must be evil" to "ahh, so it must work like this".
It works like this. You want a bike, you don't have time to research the right price, you just hope the market price is OK:
* Mr B posts "Bicycle wanted, will pay up to $500"
* Mr S posts "Bicycle for sale, $600"
* Special user says "OK, now buying bikes for $520, selling for $580"
* You post "buying 1 bike, best price".
You get the bike $20 cheaper. The market maker takes a risk here: that he can balance buys and sells, and not get left holding the bag when the price changes.
But the story gets better:
* Special user 2 says "Oh, I see you Special 1, I'm now buying bikes for $525, selling for $575, hey, $50 a bike is better than nothing.
* Special user 1 says "Oh no you didn, Buying for $530, selling for $570"
* Very quickly it's $550/$551.
You get the bike for $551, $49 cheaper. I've seen this happen over the past 15 years, where the bid-ask gap shrank by that much on options. Competition is so fierce you see sub-cent pricing now: you'll get filled at $550.0001 or $549.9999 sometimes, because in very active markets these guys can make a killing with less then 1 cent profit.
Do you see now why it adds value?
Re: (Score:2)
It works like this. You want a bike, you don't have time to research the right price, you just hope the market price is OK: * Mr B posts "Bicycle wanted, will pay up to $500" * Mr S posts "Bicycle for sale, $600" * Special user says "OK, now buying bikes for $520, selling for $580" * You post "buying 1 bike, best price".
This is pants on head retarded.
If the Special user can just create bikes out of thin air, he should just set up a bike shop and sell them for $500.
In the real world, where is he getting his bikes from? Mr S wont sell his for anything less than $600 and Mr B is buying.
What really happens is that Special user sees you want a bike and are too stupid to name a price, so he quickly buys the $600 bike and realising the next best price is $610, sells it to you for $609.99
If you want to add in more competing sp
Re: (Score:2)
In the real world, where is he getting his bikes from?
Like I said, he hopes to balance buys and sells. If 100 people sell at his price, and 100 people buy at his price, he needs no bikes. If he's off by 1 or 2, he'll trade with Mr B or Mr S, and still do OK. But he does take a real risk.
Anyhow, that's how it really works. Remember, we're talking about markets that trade billions of shares a day, so the metaphor only stretches so far.
Re: (Score:1)
Either you allow the market maker to take the bid / ask spread or you pay a broker a commission to get you the market price. Either way you give up a little to have access to a convenient centralized market. This seems reasonable, but maybe you'd prefer to buy and sell your securities on craigslist? ;-)
Re: (Score:1)
No. All I see is that money was transferred. None of them actually made the bike. Making the bike is creating actual value. Whizzing money around with sub-cent profits that depend on latency is just a giant scheme. Sooner or later the limit of latency will be reached - the laws of physics will see to that. Anyone not standing at the absolute minimum will be left holding their dick in their hand.
We need to get back to broadening the ability to create actual value by making shit.
Re: (Score:2)
They are exchanging one token for another. They are exchanging the money tokens for corporate tokens (in the case of the equities market). The only real thing you can do with most corporate tokens these days is to trade it back for the money tokens.
Some stocks, a few, still pay dividends, but most do not. And voting rights??? Hahaha! Unless you can own 51% of the corporate stock, your votes are nothin
Re: (Score:2)
Nope I gotta agree with all the other people who have replied to you. I can't figure out how this is adding value. To me it just doesn't compute. Why did the seller sell the bike for less than $600? Why did the buyer pay more than $500? If they're willing to compromise, couldn't they have done the transaction directly and saved money without the middleman?
Re: (Score:2)
You're missing the entire point here. If the buyer and seller agree on a price, the trade just happens, no market maker needed, the end. All done.
But after all possible trades like that are done you're left with the "bid" and "ask" prices, where the seller and buyer are willing to stand on their prices and not compromise. Any good financial tool will show you the bid/ask for any exchange - you can check it out and see I'm not making this up.
Where the market maker adds value is in making it cheaper for th
Re: (Score:2)
OK, so it's good for people like you who don't want to shop around for a good price. But what about those who do? They don't have the option of not going through these middlemen unless they are faster. So which is greater, the savings to those who don't want to shop around or the losses to those who do?
Re: (Score:2)
Well, these are exchanges, so "shop around for a better price" isn't really a thing. What you can't do is profit from someone not paying much attention - profit from the inefficiency of the market. And that's a good thing: there should be no game to play, no skill at haggling required, nor deep understanding of market mechanics, simply to execute a trade. Deciding what price you're willing to buy or sell at is where the smarts belong, but if you buy something by mistake, and turn around and sell it 2 min
Re: (Score:2)
It has to be possible to make money by "shopping around," or the HFT companies wouldn't be making money, and you wouldn't be saving any. Even if it's a miniscule amount for each trader, their total impact comes down to the balance between the savings for the "weak traders" and the losses for everyone else.
Re: (Score:2)
Well, maybe I don't know what you mean by "shop around". There may be multiple exchanges selling the same thing (though not for stocks), and you usually aren't even aware if which one your broker deals with, as arbitrage keeps prices the same on all of them at faster than human scale these days - another example of making markets efficient.
The market makers simply trade on the exchange, filling orders at better prices than the bid/ask would be without them there. Because they trade so frequently, they can
Re: (Score:2)
They must take out more value (than they could possibly even theoretically add) or else they would be broke.
Ahh, liberals, forever convinced economics is a zero-sum game.
Market spreads and brokerage prices had been coming down way before HFT were inserted into the system. It's like all the efficiencies of the last couple decades have been so great that you don't even notice when HFT quietly slip in a new tax on everyone.
It's all the same trend. HFT isn't some cliff we fell off - trade frequency and market maker participation has been increasing steadily for 20 years as technological advance made it more and more practical. Spreads fell steadily during this time as a result.
Re: (Score:2)
Ahh, liberals, forever convinced economics is a zero-sum game.
Ahh market manipulators, forever convinced their market is the same as an economy.
Re: (Score:2)
No, what happens is: instead of the prices being set buy the professionals who are perfect at gaming the system (buy a new car, then sell it the next day, see how that goes), the little guy gets a fair price, as the middle man screws the big guy (well, the middle man is likely the biggest guy, but still).
Re: (Score:2)
The thing is that this is so wrong and simply not how things work. Nobody would trade on a market where the first person to bid or offer is the not first person to trade. In your example, as soon as someone said 'will pay $500', they would be given the bike that was available at $400. And they would pay $400, not $500.
The other thing is, even if this did occur, the person wanting to pay $500 for a bike has gotten what they want. This is called liquidity and it's valuable in its own right. If they didn't wan
First question ... (Score:3)
Was it a foreign government, or your own government?
Quite frankly, I find either plausible.
Re: (Score:1)
The NSA does not need to hack the exchanges. They have the ultimate insider trading advantage.
Final Objective? (Score:1)
'We've seen a nation-state gain access to at least one of our stock exchanges, I'll put it that way, and it's not crystal clear what their final objective is,' says House Intelligence Committee Chairman Mike Rogers
Ummm to make money or destabilize our economy?
Makes one feel good that you are the head of the Intelligence Committee.
Re: (Score:2)
If they found it was some nation-state where a corrupt bureaucrat did it to line his pockets and those of the supreme leader, the consequences might be less trust in the market (if that's possible), and similar, limited economic effects. If the nation-state in question wanted to destabilize our whole economy, that's part of WAR. (you know, that thing where lots of people die very rapidly and it wasn't one of the other horsemen?). Those are very, very different consequences and levels.
Re: (Score:3)
'We've seen a nation-state gain access to at least one of our stock exchanges, I'll put it that way, and it's not crystal clear what their final objective is,' says House Intelligence Committee Chairman Mike Rogers
Ummm to make money or destabilize our economy?
Makes one feel good that you are the head of the Intelligence Committee.
The problem with the final objective is that Nasdaq's IT security was (and probably still is) pretty incompetent, because once the bad guys were past the outer defences, there was very little internally to audit unusual activity. The analogy used in the BusinessWeek article uses the analogy of physically breaking into a bank versus breaking into a private home - the bank will have internal security sections, cameras, password-protected doors, and so on. So when determining what was taken, you can look at wh
Security (Score:5, Insightful)
The security of the stock exchanges is really pretty bad. Low latency access means no firewalls and few application level checks. For the longest time people were sending ethernet raw packets...There is a perverse incentive not to properly secure exchanges because security is slow.
Re:Security (Score:5, Insightful)
When so much profits depends on fast, direct access to skim money off the top with high frequency trading, these people do not want security.
They want to be able to access the system directly, and security be damned.
Re: (Score:3)
For the longest time people were sending ethernet raw packets...
So? Look, there are two possible approaches to security here and you don't need a fully encrypted VPN link between two buildings to have a secure link. You could just put your own wire between the two locations and protect the wire from unauthorized physical access.
I'd not suggest you put sensitive financial data on the internet "in the clear", but if you are sure the physical link is only available to your intended destination, you can safely send all the data you want in the clear. If you look at the
Re: (Score:1)
In actual fact most connections used by HFTs are encrypted AND dedicated.
Re: (Score:2)
Re: (Score:1)
Yeah, HFT encryption is spectacularly rare. I think the argument that the links is short doesn't make much sense to me. If you are talking about third parties hacking the link I guess maybe you make a point, but that wasn't the attack vector I was thinking about. I was talking about third party HFT firms getting hacked and then leveraging those short, encrypted and insecure connections into matching engines to cause problems. I guarantee you that there are exploitable vectors into some of these major market
However with colocation ... (Score:2)
The security of the stock exchanges is really pretty bad. Low latency access means no firewalls and few application level checks. For the longest time people were sending ethernet raw packets...There is a perverse incentive not to properly secure exchanges because security is slow.
Technically true. However in the quest for low latency there has been a tendency for some to colocate with the exchange. So if an exchange system and a broker system are in the same high physical security room and have a direct connection between them then the risk is mitigated to a degree.
Re: (Score:1)
Well if we are talking physical access control then most of these places have figured it out. My argument is that the threat is from the firms connecting into the exchange. A lot of them have poor border security, and if you don't have any additional checks then what?
Reminds me of a Tom Clancy novel (Score:3)
Re: (Score:2)
Wasn't something like this done after the Flash Crash (or some other recent stock exchange fuckup?)
Re: (Score:2)
more convenient fear mongering (Score:3, Insightful)
"panic quick"? It has been four years. Zero-day bu (Score:4, Informative)
I can only guess you didn't read even the first sentence of TFS. The attack occurred in 2010, so this is hardly a case of "people panic way to quick".
"or it was just a bug" - we have a copy the malware they used, and they exploited at least two zero-day vulnerabilities, and were accessing the system for months.
This incident was kind of a big deal. Someone with sophisticated exploit capabilities had run of Nasdaq's network for several months.
So the takeaway from this is ... (Score:1)
Re: (Score:2)
Wow. Something happened, but we don't know what or why.
Yea, well, I guess that it's better that we know where it ended up, unlike some airliners in recent history...
Re: (Score:2)
That would require basically infinite storage and run very, very slowly. In effect, the disk (which is the slowest of CPU/memory/network/disk) becomes the bottleneck preventing any of the others from being well utilized.
There are much better ways to track what happens on critical systems, but they introduce costs that most organizations consider excessive or unnecessary, right until after a breech where they realize how the alternative can be orders of magnitude more expensive.
Re: (Score:2)
Isn't this probaly one of the foremost National Security issues of the US? The freaking Stock Exchanges? You're telling me they don't know to what end, or who was in it?
If even part of this is true, this country really is FUCKED! All the way to the top!
Guess who didn't RTFA?
why hack it? (Score:1)
Re: (Score:2)
Let me see.. We are due then? Last major crash was 2008 and it's 2014.
You might be right....
Rogers is a serial liar (Score:4, Informative)
He has lied, willfully exaggerated and generally acted like a complete piece of shit countless times. Do not believe anything out of that man's mouth, ever.
Re: (Score:2)
A nation-state? Baloney. (Score:2)
Talk about the incident, but not really (Score:2)
It's all part of getting the rich richer and the rest frightened.
Don't be tricked by the conmen.
More hysteria (Score:2)
The Chinese, the French, the Israelis. (Score:1)
The Chinese, the French, the Israelis—and many less well known or understood players—all hack in one way or another.
But never the USA.