Mercury Rising 鳯女

Politics, life, and other things that matter

Dark pools and dreck pools

Posted by Charles II on March 7, 2010

Kevin Brown of FT has an important article here (FT asks that one not quote their articles, and the link requires login. I can guarantee that free access to FT is worth every penny and then some.)

The gist of the article is that Asians are increasingly taking trades off the floors of the exchanges and executing them privately. This practice, which is worldwide, is incredibly dangerous, adding to the already impulsive gambling style of stock market transactions, which for no obvious reason are called “investment.”

These private transactions are called “dark pools.” They could allow, for example, an insider to dump his shares outside of normal trading hours and ahead of an announcement. They facilitate tax evasion, trading of phantom shares, over-leveraging (using an asset to back more borrowing than is warranted), and so on. Unfortunately, the author only cites vague regulatory concerns.

---

Completely unrelated, Joseph Menn has an interesting piece about busting the Mariposa botnet and other computer criminals. Prior to Mariposa, Wired’s blogger Kevin Poulsen was less impressed by the threat of botnets, as was Ryan Singel, but it’s not clear whether this has changed their minds.


14 Responses to “Dark pools and dreck pools”

  1. The busting of the Mariposa botnet is the best news in computing in a long time.

  2. Stormcrow said

    I think what got to Kevin Poulsen was the unstated, but real, implication that the Conficker botnet verged on being an existential threat. There was an enormous amount of hype being published while it was still active.

    There has been similar hyperventilation about the recent attacks on Google and another reported 30-odd major corporations.

    What has actually happened to information systems crime over the last 10 years is a remarkable story. The people who are yapping about a “cyberwar” are missing this completely, in their single-minded drive to shake the tree for the various consultancies they front for.

    What’s happened is that what used to be a bunch of obsessive teenage kids (or older kids who never grew the hell up) with too much time on their hands has changed utterly.

    That was the threat, a decade ago.

    What we’re dealing with now is crooks. But neither plain nor simple crooks. These crooks are very, very professional:

    1) Utterly focused on the bottom line: ROI, in money terms.

    2) Networked to an unprecedented degree.

    3) Work in a flat social hierarchy. No capos, no bosses, no underbosses, no soldiers.

    4) Highly craft-specialized. The exploit coders just write exploit code. The scammers just manufacture trust and exploit it. The botnet herders just compromise systems en masse. The market-tenders just run the web boards where all the rest buy and sell services to each other. And so on.

    John Robb often overstates his thesis about radical decentralization and “superempowerment”, but this is the perfect example of one of his “bazaars of violence”. Except that it’s a bazaar of crime.

    What this turns out to mean at the “business end” is that …

    1) There has to be a way to monetize an attack, in order for these folks to even begin to consider it seriously.

    These people are real free-market capitalists, all the way.

    That’s why the whole point of the Conficker worm turned out to be a fake security software scam. That was also the endgame for the Windows Metafile Vulnerability which made the news in January 2006.

    2) Automated defenses such as antivirus are at an increasing disadvantage.

    The field of exploit coding has become fully professionalized.

    Exploit generation suites are sold to crooks for several hundred dollars a pop. The organizations who build them are so professionalized that they offer technical support with their wares, complete with trouble ticketing systems for internal tracking of flaws. And even versions so old that they are available for free are good enough to generate zero-day malware with a mouse click.

    This is truly point-and-click malware generation, where the person developing the scam does not need any technical expertise in the exploits he uses to advance it. That’s what the tool vendor is being paid for.

    • Charles II said

      This really needs a governmental-level response… and one that doesn’t rely on spying on users.

      We need the Internet, free, neutral, and cleansed of spammers and scammers.

      • Stormcrow said

        We need the Internet, free, neutral, and cleansed of spammers and scammers.

        No can do on that last item, Charles.

        That’s the natural result of the highly decentralized organizational model which has been adopted by the computer crime subculture.

        An organization which has no head cannot be decapitated.

        This is like a rhizome. There aren’t any “critical nodes” whose disruption will impair this system more than temporarily.

        The FBI is getting smarter; they’re infiltrating communications and marketing centra such as ShadowCrew, and they’re shutting down botnet-friendly ISPs when they can get sufficient leverage.

        But you cannot eliminate a criminal community by this sort of countermeasure. You can impair it, but you cannot wreck it.

        What that means for the rest of us is that our first line of defense is going to have to be our wits.

      • Charles II said

        Would you settle for “the Internet free, neutral, and substantially less grubby from spammers and scammers,” Stormcrow?

        Sure, as with any crime, 100% conviction rates are impossible and so some idiots will always be trying to spam and scam. But at the moment, spam is being driven in part by pharmaceutical companies and other commercial enterprises. Those companies can be fined.

        This explosion in cybercrime is in part being driven by crappy software. At least for some of the stunts that (for example) Microsoft has enabled, those software companies can be held liable for damages. People who through negligence allow their computers to be used as bots can be fined. People who cannot afford anti-virus software can be provided a subsidy. RIPE can make their g—–n users maintain current contact information.

        In short, we are certain to fail as long as we don’t try.

      • Stormcrow said

        Actually, there are several free A/V programs. Some of these have extremely good reputations. Microsoft’s own Microsoft Security Essentials is one of them. My own choice, ESET NOD32, is based on personal experience with that program. If I didn’t have any, I might very well be using Microsoft’s or Avira’s.

        But the host-based firewall I run on my Windows systems is a freebee, Comodo. I use that one because, in my experience, it’s simply better than the payware version of ZoneAlarm I was using prior.

        Perimeter firewalls are another component whose cost is minimal, if not quite zero. You can use a junker PC with as little as 256 – 512 MB of memory, and a CPU that doesn’t even clock at 1 GHz, together with any one of at least a dozen free Linux or FreeBSD based pre-hardened firewall distros.

        If my own Netgear appliance locks up just one more time …. I picked up a $40 junker a couple of months ago. It already has pfSense loaded, but I may opt for Gibraltar if its IPv6 support is as good as I’ve been told.

        So price to obtain and deploy is not a major issue.

        But at the moment, spam is being driven in part by pharmaceutical companies and other commercial enterprises. Those companies can be fined.

        No.

        What “pharma” spam links to, is mostly not even genuine pharmaceutical products.

        The guys behind this are complete outlaws, even by the extremely loose standards of Big Pharma.

        This explosion in cybercrime is in part being driven by crappy software. At least for some of the stunts that (for example) Microsoft has enabled, those software companies can be held liable for damages.

        Charles, at this level, ALL SOFTWARE IS CRAPPY.

        And that certainly includes virtually every networking protocol that you and I use every day.

        Jesus on toast, even the OpenBSD Project screws up enough to let a remote root exploit get through from time to time.

        All you or I or anyone can expect from software vendors is an honest best effort. Which, believe it or don’t, MS has actually been delivering on, for the last 4 or 5 years.

        Do you have any idea how many years some of these source code trees go back? If it’s more than 5 years, then even at best, they were designed for a different threat environment. If you scrap one of these source code trees, you WILL have to rewrite from scratch, and believe me, you’ll see more security flaws if you elect that route, than we’re seeing today.

        Some of the MS source trees are 25 years old and counting. There are Open Source apps nearly as bad. Remind me to tell you about Washington University ftpd sometime.

        If you think this problem is confined to closed-source software, think again. Here’s an open source gem that surfaced just today: Apache ‘mod_isapi’ Memory Corruption Vulnerability. Remote access at SYSTEM level if the attacker can exploit this. Oh, joy.

        You’re right about trying. We have to do what we can.

        But be clear about two things:

        (1) There are no silver bullets.

        There simply is not some simple prescription that’ll make this problem go away. Nor any complex prescription either.

        (2) We are going to have to live with this problem for the foreseeable future, no matter what steps we take.

        I’m all for busting the actual malefactors until they wear their asses for hats. Just don’t expect this to fix things.

        It’s been how many years since we repealed Prohibition, how many years since the Mob’s Black Day at Apalachin? And they’re still with us. Maimed and truncated; they never recovered from that. But they’re still here.

        And their organizational model is far more vulnerable than that of the cybercrooks.

      • Charles II said

        True enough about free A/V being available. I’m not sure it would work for unsophisticated users. I had enough of an experience getting rid of my free F-Secure trial that I am pretty sure no newbie’s computer would have survived the effort.

        Yes, all software has holes. Not much software has the kind of lethal, known, and forever-unpatched holes that Windows had several years ago. I have no sympathy for software companies like MS that let things get totally out of hand before starting to do major revisions of their software. They have enough money to run their business the way a business should be run.

        Pharma spam is an interesting question. Everyone seems to think that the pharmaceutical companies are innocent. I am not persuaded. There is, first of all, this article. “If they were aware, they would have taken care of the problem.” Maybe. Or maybe it was a deniable way of keeping their brands out there. In most companies, if there is a problem, they are aware of it, and they don’t see it as a problem. Pfizer is notorious for dirty marketing practices. I would not put infecting their own computers past them. Second, there is this story. Now, affiliates aren’t directly associated with the company. But pharmaceutical companies spend huge amounts of money understanding their distribution channels. They know about these affiliates. They could shut them down. But the affiliates (assuming they aren’t selling counterfeits) are making money for the pharmaceutical company. So… why mess with something that’s making money?

        No one wants to believe just how ugly Big Pharma has become. They are Ugly that wears a fright mask just to be able to go out in public.

        I agree: no silver bullets, no quick solutions. But these people are starting to eat at the productive economy. They have to be put down.

  3. Stormcrow said

    Charles, I just read through this item at Brian Krebs’ blog: Dozens of ZeuS Botnets Knocked Offline.

    Give it a read-through. It may give you an idea of some of the problems involved. On the surface, it’s good news. But if you read all the way through ….

  4. Stormcrow said

    And here’s an example of what I meant when I said that your first line of defense has to be your wits:

    According to a recent post at ESET’s Threat Blog, as much as 30% of the malware out there was installed using Windows Autorun.

    And you don’t need Microsoft to close this attack vector off, if it’s turned on by default. Which it probably is, if you’re using XP.

    Just turn the goddamned thing OFF.

    You can always make a “playable” CD or thumb drive sing whatever hymns it knows, by running the obvious top-level executable if you deem it safe.

    Meanwhile, you don’t have to worry about some malware installer doing this when you don’t want it to.

    Need to know how? Google “disable autorun XP”, and just skim the cream, the first page of hits only.

    Now think about what happens when you multiply this one example by dozens.

    You cannot make anything completely bulletproof this way. But you can reduce the odds your system will be hit by several orders of magnitude.
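The autorun switch-off Stormcrow describes, as an added PowerShell example that is not part of the comment thread: it audits the NoDriveTypeAutoRun policy value in both the machine and user hives and can set it to 0xFF. The default assumed for an absent value (0x91) and the choice to report before applying are this example’s assumptions.

```powershell
# Audit and harden the Autorun policy the comment above tells XP users to turn off.
# NoDriveTypeAutoRun is a bitmask: a set bit disables autorun for that drive type
# (0x04 removable, 0x08 fixed, 0x10 network, 0x20 CD-ROM); 0xFF disables it everywhere.
$PolicyPaths = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',   # machine-wide
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'    # current user
)
$ValueName      = 'NoDriveTypeAutoRun'
$Hardened       = 0xFF
$AssumedDefault = 0x91   # assumption: what Windows uses when the value is absent
                         # (leaves removable media and CD-ROM autorun enabled)

function Get-AutorunState {
    param([string]$Path)
    $item    = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    $current = if ($item) { [int]$item.$ValueName } else { $AssumedDefault }
    [pscustomobject]@{
        Path      = $Path
        Value     = ('0x{0:X2}' -f $current)
        Removable = if ($current -band 0x04) { 'blocked' } else { 'ALLOWED' }
        CdRom     = if ($current -band 0x20) { 'blocked' } else { 'ALLOWED' }
        Hardened  = (($current -band $Hardened) -eq $Hardened)
    }
}

function Disable-Autorun {
    param([string]$Path)
    # The Policies\Explorer key is often absent on a fresh install; create it first.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $ValueName -Value $Hardened -Type DWord
}

# Report first; flip $Apply to $true to enforce. Writing HKLM needs an elevated shell.
$Apply = $false
foreach ($p in $PolicyPaths) {
    if ($Apply) { Disable-Autorun -Path $p }
    Get-AutorunState -Path $p
}
```

On XP itself the value is only honored reliably once Microsoft’s autorun update for that platform is installed, so re-run the audit after patching rather than trusting the registry alone.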

    • Charles II said

      Interesting posts, Stormcrow. Thanks.

      I think the user problem could be helped by better software design. One of the things that annoys me is that Windows Task Manager does such an obtuse job of showing which applications are active and what network traffic there is. Most users are trying to use their machines, not memorize what processes are running. So, simply labeling KHALMNPR.exe as a Logitech product would help. Similarly, why isn’t there a traffic monitor? A little strip of the bar at the bottom of the screen that shows significant bandwidth usage would help to flag botnet performance.

      I also think that if ZeusTracker is able to monitor botnets in real time, it should be possible to take down servers promptly. At least in the past, ARIN had the power to make whole networks disappear if they wanted to. Now it’s more complicated, and there are issues of international coordination, but things like botnets are inherently abusive of bandwidth and should be shut down based simply on fairness issues. There are days when we can barely access the ‘Net because so much bandwidth is consumed by junk mail, etc. If we could simply charge these people a fair price for the resources they use, they’d find their scams a lot less attractive.

  5. Stormcrow said

    I also think that if ZeusTracker is able to monitor botnets in real time, it should be possible to take down servers promptly.

    This starts to get really difficult when the owner of record of the server is in, say, Kazakhstan.

    If it’s in the US, it’s not trivial, but between the FBI, the backbone providers, and Microsoft, it’s usually doable.

    But an outlaw ISP like Troyak whose government is either completely indifferent or on the take is another matter. I think you’ll agree that just going in there and shooting the place up is both immoral and impractical. LOL.

    One of the things that annoys me is that Windows Task Manager does such an obtuse job of showing which applications are active and what network traffic there is. Most users are trying to use their machines, not memorize what processes are running. So, simply labeling KHALMNPR.exe as a Logitech product would help. Similarly, why isn’t there a traffic monitor? A little strip of the bar at the bottom of the screen that shows significant bandwidth usage would help to flag botnet performance.

    MS is slowly coming around.

    If only because they hire guys like Mark Russinovich.

    But you don’t have to wait for that. :)

    In the first place, MS not only hired this guy, they also ship out his software, free, the same way he did back when he ran SysInternals as a separate entity.

    Try Process Explorer, “procexp.exe”. I think you’ll find it a big improvement on Task Manager. Try hovering your mouse over the name of one of those cryptic processes in Process Explorer. Different story. And hit Control-I in the process list window to get some nice informative strip charts in a second window.

    Here’s the download URL for the whole Sysinternals package of 90 tools or so, weighing in at about 11 MB these days:

    http://download.sysinternals.com/Files/SysinternalsSuite.zip

    There’s another tool that’s more recent, and under fairly intensive development right now. Seems like they release another minor revision every week or two: System Explorer. It’s more tightly integrated than the Sysinternals suite. They’ve tried to put nearly everything from autorun management to process monitoring to network traffic in the tabs of a single tool.

    Lots of good things in both. Like a hierarchy view of processes, and ability to list out the DLLs each process is using. Not to mention the actual filesystem location of running processes.

    I used that last feature to rid one of my home systems of an unwelcome guest on the first and (so far) only time I’ve had to remove malware from one.

    Of course, I run both of these. :) On every Windows system I built that’s still running: three at home and one at work.
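The “label the cryptic process and show where it lives on disk” view that Stormcrow gets from Process Explorer, built from Get-Process as an added example that is not part of the thread. It assumes PowerShell 3 or later, and the CHECK flag (unsigned image, or image running from a user-writable profile directory) is a heuristic of this example, not a verdict.

```powershell
# Build the "which vendor, which file, is it signed" view Process Explorer gives, from Get-Process alone.
# Assumption: an image running from a user-writable profile directory is worth a second look.
$UserWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ }

function Get-ProcessInventory {
    Get-Process | ForEach-Object {
        $path = $null; $company = 'n/a'; $signature = 'n/a'
        try {
            # MainModule is unreadable for protected/system processes (and for 64-bit ones from a 32-bit shell)
            $path      = $_.MainModule.FileName
            $company   = $_.MainModule.FileVersionInfo.CompanyName   # e.g. "Logitech" for KHALMNPR.exe
            $signature = [string](Get-AuthenticodeSignature -FilePath $path).Status
        } catch { }
        $fromProfile = $false
        foreach ($dir in $UserWritable) {
            if ($path -and $path.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { $fromProfile = $true }
        }
        [pscustomobject]@{
            Name      = $_.ProcessName
            Id        = $_.Id
            Company   = $company
            Signature = $signature            # Valid, NotSigned, HashMismatch, ...
            Path      = $path
            Flag      = if ($fromProfile -or ($path -and $signature -ne 'Valid')) { 'CHECK' } else { '' }
        }
    }
}

Get-ProcessInventory | Sort-Object Flag -Descending |
    Format-Table Name, Id, Company, Signature, Flag, Path -AutoSize
```

The Flag column is only a prompt to read the Path column, which is the same step Stormcrow describes using to evict his unwelcome guest; legitimate updaters and portable apps also run from the profile.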

  6. Charles II said

    Stormcrow says, “I think you’ll agree that just going in there and shooting the place [Kazakhstan] up is both immoral and impractical.”

    Impractical, yes. Immoral… well, I’d have to think about that.

    I will try Sysinternals. I’ve been avoiding adding any software because I can’t afford any downtime for the next few weeks, but this sounds like the stuff.

    Oh, BTW, if you need to send anything to me, just my full name at america online abbrev. dot com will get you there. Make sure to include a subject line that tips me as to why I should open it… at this point, 75% of what I get is spam and 75% of the remainder is non-spammers including me on their mailing list without first asking.

  7. Stormcrow said

    OMG.

    I’d always figured the PRC had outsourced the attacks on Google that made the news last month.

    Looks like they outsourced it to relative idjits. Who were still good enough, since the botnets weren’t detected and sanitized for months.

    Read and marvel: Report: The Command Structure of the Aurora Botnet: History, Patterns, and Findings.

    This has the same import as the well informed comments that showed up in Pat Lang’s blog about the South Lebanon War in mid 2006. They’re not supermen on the other side. Our guys are simply asleep at the switch.

  8. Charles II said

    Hm.

    The analysis below shows that a university in China, and a Chinese collocation facility (colo), were critical early incubators of the infection. Portions of the infection originated from within Google China’s offices.

    An inside job?

    As I hear it, Chinese universities do software hacking as a training exercise. This amateur structure gives the Chinese government deniability while also making it abundantly clear who the message is coming from. I would bet they chose the amateur structure for just this reason.

    Well, as long as the US wants to play internal power games like siccing the Teapartiers and the Freeps on the left and exist as a corrupt, vastly unequal state, we can expect those who should be defenders to remain asleep.
