20 October 2017
Richard Bird

Richard Bird - JPMorgan Chase

A post relating to this item from Finextra:

FBI nabs programmer accused of stealing trading code

06 July 2009  |  12270 views  |  3
A Russian computer programmer has been arrested by the FBI, accused of stealing proprietary trading code from the New York-based financial institution he used to work for.

High Frequency Trading Meets Low Tech Thievery

07 July 2009  |  2826 views  |  0

So, we have an ultra-intelligent guru of programming for the phenomenon of ultra-high frequency trading resorting to "the dog ate my homework" defense?

"I thought I was uploading open source files."

Let's evaluate that statement:

  1. Mr. Aleynikov engages in at least 4 uploads of files in the range of 32mb.
  2. Mr. Aleynikov decrypts his development files.
  3. Mr. Aleynikov uploads those files to a server domiciled in Germany.
  4. Mr. Aleynikov deletes his bash files.
  5. Mr. Aleynikov erases the encrypt/decrypt logs on the original server.

Mr. Aleynikov took at least a half dozen steps, not just to cover his tracks, but to eliminate those tracks entirely. It is astounding that Sergey would even float the argument that he was certain that he was simply uploading his latest updates to Alien Arena. It appears that Sergey has learned the most valuable of skills taught in the good old USA - deny, deny, deny.

Time and time again, the greatest damage to the technology functions of corporations is done through the lowest forms of thievery: unmonitored uploads, thumb drives inside of lunch bags, IR file transfers to personal laptops. No hacking of firewalls or decryption of passwords is necessary - the high tech world is constantly exposed to the day-to-day risk of a "rip and run", but continues to put the lion's share of its funding into defending against external attacks.

Goldman, like so many other firms, is trying hard to find the "golden goose" (or geese) algorithm that delivers the highest Sharpe ratio possible. I'm sure they all believe that the really, really smart people they hire would never, ever rip them off.

What is truly sad is that there are many creative and innovative solutions to this problem, available on the market today. Some are appliance based, some are software based - but all of them can take proactive action at the first sign of an internal breach. One particular solution that I have experience with could have recognized the size of the file transfer, and then started an approval workflow that could have notified either Info Security or a chain of supervisors before allowing the upload.
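The size-triggered approval workflow described above can be sketched as follows. This is an added example, not the product the author refers to; the thresholds, the record fields, the `.corp.example` internal domain and the notification names are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

MIB = 1024 * 1024
# Assumed policy values and names; none of these come from the original post.
SINGLE_LIMIT = 25 * MIB                   # hold any single external upload above this
DAILY_LIMIT = 100 * MIB                   # hold once a user's daily external total would pass this
INTERNAL_SUFFIXES = (".corp.example",)    # constructed internal domain

@dataclass
class Decision:
    action: str      # "allow" or "hold" (held uploads wait for an approver)
    reason: str
    notify: tuple    # who is told about a held upload

def evaluate(transfers, supervisors):
    """Return one Decision per outbound transfer record, in input order."""
    allowed = defaultdict(int)   # (user, day) -> external bytes already let through
    decisions = []
    for t in transfers:
        if t["dest"].endswith(INTERNAL_SUFFIXES):
            decisions.append(Decision("allow", "internal destination", ()))
            continue
        key = (t["user"], t["ts"][:10])
        notify = ("infosec",) + tuple(supervisors.get(t["user"], ()))
        if t["bytes"] > SINGLE_LIMIT:
            decisions.append(Decision("hold", "single upload over limit", notify))
        elif allowed[key] + t["bytes"] > DAILY_LIMIT:
            # Catches a large file split into chunks that each pass the size check.
            decisions.append(Decision("hold", "daily external volume over limit", notify))
        else:
            allowed[key] += t["bytes"]
            decisions.append(Decision("allow", "within limits", ()))
    return decisions

# Constructed sample records (not real log data).
def record(user, minute, dest, mib):
    return {"user": user, "ts": "2024-01-15T17:%02d" % minute, "dest": dest, "bytes": mib * MIB}

SAMPLE = ([record("dev1", 0, "build.corp.example", 32)]
          + [record("dev1", 10 + i, "files.example.net", 32) for i in range(4)]
          + [record("dev2", 30 + i, "files.example.net", 20) for i in range(6)])
SUPERVISORS = {"dev1": ("lead-a", "director-b")}

if __name__ == "__main__":
    for rec, d in zip(SAMPLE, evaluate(SAMPLE, SUPERVISORS)):
        print(rec["user"], rec["dest"], rec["bytes"] // MIB, "MiB ->", d.action, d.reason, d.notify)
```

The per-day total counts only bytes already let through, so an upload that is held does not use up the user's allowance while it waits for approval.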

Instead of spending a few thousand dollars for these types of solutions, or employing leaders who implement the proactive business process steps necessary to ensure ethical compliance, companies continue to resort to dumb luck or forensic investigation to address these internal crimes.

It is way past time for corporations to come to terms with the fact that the technology organization that supports them is an operational area, just like any other function in the company. When this attitude is taken, maybe companies will expend the effort necessary to discover, measure, monitor, manage and report on their operational risk plans for their technology departments. Managing the technology function requires the operational skills to manage human capital, not just intellectual capital.

Or, we can just let uber-smart technology folks figure it out - they know what they are doing.....
