Free Republic

Goldman Code Theft BOMBSHELL?
The Market-Ticker ^ | July 8, 2009 | Karl Denninger

Posted on 07/08/2009 1:06:48 PM PDT by crosstimbers

FLASH** Goldman Code Theft BOMBSHELL?

Something really ugly popped up on Daily Kos yesterday late in the afternoon.....

...GS, through access to the system as a result of their special gov't perks, was/is able to read the data on trades before it's committed, and place their own buys or sells accordingly in that brief moment, thus allowing them to essentially steal buttloads of money every day from the rest of the punters world.

Two things come out of this:

1. If true, this should be highly illegal, and would, in any sane country result in something like what happened to Arthur Andersen...

(2. ... is way off point....)

God help Goldman if this is true and the government goes after them. This would constitute massive unlawful activity. Indeed, the allegation is that Goldman alone was given this access!

God help our capital markets if this is true and is ignored by our government and regulatory agencies, or generates nothing more than a "handslap." Nobody in their right mind would ever trade on our markets again if this occurred and does not result in severe criminal and civil penalties.

There apparently is reason to believe that Sergey might have been involved in exactly this sort of coding implementation. Specifically, look at the patent claims cited on DailyKos; his expertise was in fact in this general area of knowledge in the telecommunications world......

This is precisely the sort of thing that a Unix machine, sitting on a network cable where it can "see" traffic potentially not intended for it, could have an interface put into what is called "promiscuous mode" and SILENTLY sniff that traffic!

ASSUMING THE TRAFFIC IS PASSING BY THE MACHINE ON THE WIRE THIS IS TRIVIALLY EASY FOR ANY NETWORK PROGRAMMER OF REASONABLE SKILL TO DO. IF THAT TRAFFIC IS EITHER UNENCRYPTED OR IT IS EASY TO BREAK THE ENCRYPTION.....

Folks, I have no way to know what the code in question does, but if there's anything to this - anything at all - there is a major, as in biggest scam of the century - scandal here - something much, much bigger than Madoff or Stanford.

What would this mean, if it was all to prove up?

It would mean that Goldman was able to "see" transaction order flow - bid, offer, and execute messages - before they were committed in the transaction stream. Such a "SNIFF" would be COMPLETELY UNDETECTABLE by the sender or recipient of the message.

The implication of this would be that they would be able to front-run any transaction where the data was visible to them, thereby effectively "stealing pennies" from each transaction they were able to front-run.

Again: I have absolutely nothing on the content of the allegedly-stolen code nor can I validate the claim made that Goldman had "special network access." Nothing. All I have to go on with regards to "market manipulation" (which such a program would be, writ large!) is the statement of the US Attorney that I cited in my earlier Ticker.

This may be nothing more than a crazy conspiracy theory put out by someone at Daily Kos. But consider the following:

The last few days the market has traded "organically." I and many other market participants have noted that prior to the week before July 4th the market had been acting "very odd" - normal correlations between interest rate, foreign exchange and the stock markets had been on "tilt" for the previous couple of months, with the amount of "tiltage" increasing dramatically in the last three or four weeks. In fact, many of my usual indicators that I use for daytrading had become completely useless. Suddenly, just before the July 4th weekend, everything started correlating normally again. I have no explanation for this "light-switch" change but it aligned almost exactly with the day the NYSE had "computer problems" and extended trading by 15 minutes. Was there a configuration change made to their networking infrastructure, one asks?

Zerohedge's information, if you believe it, seems to point toward some sort of distortion. The cite above claims statistically "as likely as an asteroid hitting earth it is not true" proof of distortion in the market. I have not analyzed the data to independently validate that conclusion, but even if the odds of these "effects" in the market being random chance are only as good as getting hit by a tornado this afternoon......

Every market participant deserves answers on this point. Specifically to the NYSE and all other markets where colocation connections are made and allowed:

1. Was it possible for message traffic to be "seen" by computers on your network and colocated into your infrastructure by other than the originator and recipient? That is, was it physically possible for anyone to "sniff" messages to and from other market participants?

2. If it was possible, is it no longer possible, and if so, when was that change made?

I believe the SEC and FBI must direct a subpoena at all market exchanges for an under-oath answer to question #1. If the answer to that question is "yes" then every market participant who had or has equipment colocated on the NYSE infrastructure must be immediately served with a subpoena for a true and complete copy of all software operating on every machine connected to said infrastructure for immediate forensic investigation to ascertain if any participants were indeed "sniffing" traffic and front-running orders.

The charge made on the pages of Daily Kos is incredibly serious. If this happened it is a case of literal robbery of every market participant for the entire duration of the time that the code in question was executing on the network, with losses to market participants potentially running into the hundreds of billions of dollars.

Market participants deserve an answer to these questions.


TOPICS: Business/Economy; Conspiracy; Government
KEYWORDS: dailykos; denninger; goldman; internet; karldenninger; liquidity; nyse; ppt; ticker
To: I am Richard Brandon

Maybe GS has complete freedom to pull the strings on the market because they are using part or all of the original $787 BILLION bailout fund as their own private liquidity in a “dark pool” hidden fund. Such an amount of hidden liquidity would certainly be enough to manipulate equity markets on a daily basis.

What was Hank Paulson’s old job title again?


41 posted on 07/08/2009 2:12:20 PM PDT by Mister Muggles
[ To 23 ]

To: crosstimbers

If this is the backbone encryption codes, this is way past huge. The data could be blocked and fed into a delay of only a few seconds, and steal the wealth of every trader.


42 posted on 07/08/2009 2:18:06 PM PDT by editor-surveyor (The beginning of the O'Bummer administration looks a lot like the end of the Nixon administration)
[ To 1 ]

To: crosstimbers

I never really appreciated the words “rope” and “lamppost” together quite so much.....


43 posted on 07/08/2009 2:36:34 PM PDT by mo
[ To 1 ]

To: hiredhand

Network Ping.


44 posted on 07/08/2009 3:08:12 PM PDT by DuncanWaring (The Lord uses the good ones; the bad ones use the Lord.)
[ To 1 ]

To: DuncanWaring
Bear in mind that there are two broad questions to consider here. One is whether or not the alleged actions were indeed committed. The other is whether or not what Denninger is suggesting is possible.

While I can't speculate on the first, I can confirm that the second is indeed possible under certain conditions. I'd go as far as to say it could even be TRIVIAL. In fact, in the realm of network encryption, stealing codes is old school. It's a lot easier to simply grab the traffic behind the crypto termination point. We use hardware SSL accelerator technology made by Cisco Systems (other companies manufacture similar hardware though) and have what are called spans, or monitor sessions established on the switch gear behind the SSL accelerator which cross connects to a Linux based sniffer....and that's just ONE test point. We can drop VOIP phone calls into "wav" files, watch exactly what somebody is surfing to on a PC, intercept Instant Messenger traffic (encrypted or NOT), and any and all manner of other traffic types. We use this for troubleshooting as well as "auditing" when requested. We even do this with fiber optics, which are said to be very difficult to tap. When the fiber terminates into a switch that also has copper gigabit ports, just span the fiber traffic over to the copper gigabit port! There's no need to tap the fiber port per-se. In fact, the term tap as used today in current technology is really a misnomer. We only use that term because if we called it what it really is, nobody would understand us. Everybody understands a tap though. :-)

But to say that those who own the network stole a code to snoop the traffic is probably incorrect. There would certainly be no reason to steal anything. Even if they're using other (non-SSL) encryption gear, somebody has access to the unencrypted network on the backside of the things. Somebody who doesn't understand technology infrastructure might be led to think that somebody stole an encryption key to pull this alleged theft, but I doubt it.

More than this, I can say from experience that if people have enough access to drop traffic from the wire on core switchgear, they also have enough access to cover their tracks well enough to get away with it.

The financial industry does have some interesting requirements for transporting data across networks. I'm fairly certain they're either straight out of FIPS (Federal Information Processing Standards), or some similar federal requirement. While I can't give details here, the technologies used do indeed make it difficult for "most" to perform unauthorized interception of traffic. But the bottom line is that there's always somebody on the IT staff who holds the keys to the kingdom.
45 posted on 07/08/2009 4:01:57 PM PDT by hiredhand (Understand the CRA and why we're facing economic collapse - see my about page.)
[ To 44 ]

To: hiredhand

http://www.clearsightnet.com/

Here is one product I have used to do just what you describe. We use the term “port mirroring”, which in effect sends a duplicate copy of all the traffic from one network port in a switch to a second port for “monitoring.”

I was demoing the product above to some management folks one time and at random pulled up a copy of a VoIP call we had monitored. The call happened to be one of the managers attending calling their spouse. It left a certain chill in the room.

Sarbanes Oxley has had some effect on security of systems, but as you say, someone *has to* have the keys to the kingdom or things won’t work.


46 posted on 07/09/2009 8:19:16 AM PDT by IamConservative (I'll keep my money. You keep the change.)
[ To 45 ]
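
Added example, not part of any post in this thread: posts 45 and 46 describe span/monitor sessions and port mirroring on switch gear, and the switch configuration is where such a copy of the traffic can be audited. This Python sketch parses `monitor session` lines from a Cisco IOS running-config and flags sessions that are not on an approved list; the config fragment, port names and the `APPROVED` allowlist are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: fragment of a Cisco IOS running-config (not from the thread).
# Session 1 mirrors a fiber uplink to a copper port, as post 45 describes.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/48
 description sniffer-nic-0
!
monitor session 1 source interface Te1/1/1 both
monitor session 1 destination interface Gi1/0/48
monitor session 2 source vlan 110 rx
monitor session 2 destination interface Gi1/0/23
"""

# Hypothetical allowlist: session id -> the only destination port approved for it.
APPROVED = {1: "Gi1/0/48"}

# Matches one source or destination line; only the first port of a
# comma-separated port list is captured (enough to flag the session).
SPAN_RE = re.compile(
    r"^monitor session (\d+) (source|destination) "
    r"(interface|vlan|remote vlan) (\S+)(?: (rx|tx|both))?",
    re.MULTILINE,
)

def parse_span_sessions(config):
    """Return {session_id: {"source": [...], "destination": [...]}}."""
    sessions = defaultdict(lambda: {"source": [], "destination": []})
    for sid, role, kind, target, direction in SPAN_RE.findall(config):
        entry = f"{kind} {target}"
        if role == "source":
            # IOS mirrors both directions when none is given.
            entry += f" ({direction or 'both'})"
        sessions[int(sid)][role].append(entry)
    return dict(sessions)

def audit(config, approved):
    """Return (session_id, reason, sources, destinations) for each deviation."""
    findings = []
    for sid, s in sorted(parse_span_sessions(config).items()):
        dests = [d.split()[-1] for d in s["destination"]]
        if sid not in approved:
            findings.append((sid, "unapproved session", s["source"], dests))
        elif dests != [approved[sid]]:
            findings.append((sid, "unexpected destination", s["source"], dests))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, APPROVED):
        print(finding)
```

Run against periodic config backups, a check like this shows when a mirror session appeared or changed, which is the kind of record the "keys to the kingdom" problem raised in the thread depends on.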

To: IamConservative
I'll check out "clearsight". Since you obviously understand what I'm talking about... we simply spanned all the major trunks in our datacenter over to a fairly high powered Linux box with a BUNCH of gigabit Ethernet cards in it, and mainly we use tcpdump for troubleshooting. However, Dug Song's (dsniff) toolset is also there, as well as an app (can't recall the name at the moment) for grabbing VOIP traffic into wav files...as well as some custom things that we created.

We caused a bit of a stir back in 2006 when I stood this beast up on our network because in the full interest of disclosure, management needed to know that my team would by virtue of having access to this system also have access to things such as RACF credentials on our IBM Enterprise platform where everything important is housed inside of DB2. At first they were concerned, but they came to terms pretty quickly with the fact that you have to trust somebody. :-) It's very difficult to give people like us enough access to do our jobs, but stay within a narrow confine. We're a state government agency, so implementing something such as DoD C-2 is out of the question.

It's a good argument for making sure that people in the type positions we're talking about are of high integrity, and very, very loyal.
47 posted on 07/09/2009 8:44:09 AM PDT by hiredhand (Understand the CRA and why we're facing economic collapse - see my about page.)
[ To 46 ]

