A post relating to this item from Finextra:
06 July 2009 | 12377 views | 3
A Russian computer programmer has been arrested by the FBI, accused of stealing proprietary trading code from the New York-based financial institution he used to work for.
So, we have an ultra-intelligent guru of programming for the phenomenon of ultra-high frequency trading resorting to "the dog at my homework" defense?
"I thought I was uploading open source files."
Let's evaluate that statement:
- Mr. Aleynikov engages in at least 4 uploads of files in the range of 32mb.
- Mr. Aleynikov decrypts his development files.
- Mr. Aleynikov uploads those files to a server domiciled in Germany.
- Mr. Aleynikov deletes his bash files.
- Mr. Aleynikov erases the encrypt/decrypt logs on the original server.
Mr. Aleynikov took at least a half dozen steps, not just to cover his tracks, but to eliminate those tracks entirely. It is astounding that Segey would even float the argument that he was certain that he was simply uploading his latest updates to
Alien Arena. It appears that Segey has learned the most valuable of skills taught in the good old USA - deny, deny, deny.
Time and time again, the greatest damage done to the technology functions of corporations are through the lowest forms of thievery; unmonitored uploads, thumb drives inside of lunch bags, IR file transfers to personal laptops. No hacking of firewalls or
decryption of passwords is necessary - the high tech world is constantly exposed to the day to day risk of a "rip and run", but continues to put the lion's share of their funding into external attacks.
Goldman, like so many other firms, is trying hard to find the "golden goose" (or geese) algorithm that delivers the highest Sharpe ratio possible. I'm sure they all believe that the really, really smart people they hire would never, ever rip them off.
What is truly sad is that there are many creative and innovative solutions to this problem, available on the market today. Some are appliance based, some are software based - but all of them can take proactive action at the first sign of an internal breach.
One particular solution that I have experience with could have recognized the size of the file transfer, and then started an approval workflow that could have notified either Info Security or a chain of supervisors before allowing the upload.
Instead of spending a few thousand dollars for these types of solutions, or employing leaders who implement the proactive business process steps necessary to ensure ethical compliance, companies continue to resort to dumb luck or forensic investigation to
address these internal crimes.
It is way past time for corporations to come to terms with the fact that the technology organization that supports them is an operational area, just like any other function in the company. When this attitude is taken, maybe companies will expend the effort
necessary to discover, measure, monitor, manage and report on their operational risk plans for their technology departments. Managing the technology function requires the operational skills to manage human capital, not just intellectual capital.
Or, we can just let uber-smart technology folks figure it out - they know what they are doing.....