Rogue Code (21 page)

Read Rogue Code Online

Authors: Mark Russinovich

BOOK: Rogue Code
9.11Mb size Format: txt, pdf, ePub

“A search warrant? Why would they do that?”

“I’m not certain, but I’ve got a hunch.” Frank paused as his thoughts raced, then, “We need to act, then we can decide on options. If you don’t think you’ll die on me, I suggest you start getting dressed while I make a call or two. You don’t want to be at a location they know about, if you know what I mean.”

 

29

TRADING PLATFORMS IT SECURITY

WALL STREET

NEW YORK CITY

5:13
P.M.

Richards Iyers went to the vending machine in the break room. He’d begun to feel better, the deep fatigue he’d earlier experienced slowly disappearing. His apprehension had also faded, evolving into a mild uneasiness. He chose a Coke, wanting the sugar and caffeine. He opened the can, took a swig, and scanned the room. Spotting Rose, the office gossip, he joined her.

“Did you hear about those two?” she asked immediately, almost as if she’d read his mind, leaning forward, her voice lowered to a conspiratorial level.

“Which two?” Iyers answered, suppressing a sense of excitement. To his great surprise he’d heard nothing all day, either about what happened at Central Park or the two mystery men who’d been working on their floor these last weeks.

“Jeff and Frank.” She lowered her voice. “They’ve been stealing.”

“Really? How do you know?”

“Everyone knows! They were hired to do a pentest but IT found out that after they got in, they’d been emptying accounts.” Though officially confidential, major IT referrals to the SEC had a way of leaking into their department almost immediately. This was no surprise given the relationship between the SEC and NYSE IT security.

“They got in? You mean they penetrated to the core code?”

“That’s what I heard.”

“That’s not good. Someone’s going to get in trouble over that.”

Rose blanched. “You think so?”

“I do. Especially if they used the access to steal. Is the SEC on it yet?”

She leaned even closer. “I heard they did a raid in Washington today.”

“A raid? That’s pretty fast.”

“I guess there’s a lot of money missing and the SEC was concerned they’d take more if they were left free.”

“I saw their office was empty earlier.”

“Right. I think they were arrested. We just haven’t heard yet.” Rose’s eyes were wide.

“That’s really something.”

At his desk, Iyers accessed the jump server. To avoid the audit logs, he used the cover of the first stage of the new trading engine deployment. For the next hour, he scanned, searching for whatever alerted IT. When he found it, he smiled.

Campos. He’d done this. It was a bit bold, but he was glad to see the man stepping up. Planted in the system was malware very similar to the one used in Vacation Homes only this one rather blatantly manipulated trades at a steady rate that was bound to attract the notice of the security programs searching for just such behavior. After a few minutes, Iyers saw the code was moving shares into a brokerage account set up in the name of Jeffrey Aiken. Iyers cringed at that, thinking it too obvious. No one would believe Aiken would be so blatant.

But think whatever he liked, IT had bought it. On reflection Iyers realized it was so obvious they had to. It was not the way Iyers would have gone about it, but he had to admit it got the job done. He just hoped Campos had covered his tracks because once Jeff and Frank were in custody they’d deny their guilt. They knew what they’d done in the system and if allowed to, they could walk a skilled programmer through their process. After that, Campos’s hack work would stick out like a sore thumb. If an impartial investigator seeking the truth put his mind to it, he’d conclude pretty quickly that the two men were set up. And that would lead in a direction Iyers didn’t want to think about.

He grimaced, then closed his eyes. He should have made sure he killed Aiken when he had the chance.

 

30

MITRI GROWTH CAPITAL

LINDELL BOULEVARD

ST. LOUIS, MISSOURI

5:59
P.M.

Jonathan Russo left the staff meeting and made his way back to his office largely unhappy. Since the disaster on Monday, his team had yet to find an answer. For all the talk during the meeting, they had no idea what had gone wrong with their new algo. The old one was still operating without issues, but that was small consolation. And though his team believed the new algo was fine, that was what they’d thought up until the moment they’d launched it. The fact that they were unable to discover the problem was not reassuring and Russo had refused the tentative suggestion they relaunch it without a change.

“That’s real money we lost,” he’d pointed out, “not Monopoly play money. And we can’t tolerate another hit such as we had Monday. We need to understand what went wrong. If it’s our code, let’s find the problem and fix it. If it was something outside, something beyond us, we need to know that as well, so we can take measures to see that it doesn’t happen again. I’m not adverse to some level of risk, but we need answers.” Alex Baker, his chief assistant, had agreed with him, urging caution as well.

When it was clear they were no closer to a fix now than they’d been the previous day, Russo gave instructions to put all their limited resources on the Toptical IPO coming the following Wednesday. Like most HFT companies, Mitri Growth had long planned to exploit the launch. An IPO of this size, with this level of excitement, was tailor-made for them.

For one, there would be an enormous trading volume and each block of trades presented an opportunity for profit. The sheer size also made it easier for their orders to lurk in the computers unobserved. They weren’t doing anything wrong, certainly nothing illegal, but scrutiny was undesirable and you could never predict when the SEC might suddenly decide that a common HFT practice was now against the rules. It had happened before. A high-profile IPO such as Toptical’s was just the event when they might make such a decision, especially if something went wrong and they were looking for a company to blame.

The other desirable aspect of such a high-profile IPO was that the stock was all but sure to rise initially. There was always a level of pent-up demand for high-profile companies going public and though the underwriters appeared, once again, to have made too much stock available, the price was likely to increase in the early trading. In Twitter’s case, it had just kept rising. It was a situation ideal for one of Mitri Growth’s special HFT algos.

But as the Facebook IPO had proved, the stock could be overpriced, which meant that within a short time it would begin to fall. This was a less desirable possibility for a high-frequency trading company, but there was still a lot of money to be made selling short, especially once the pattern was set.

And their IPO algo was designed to make money in either direction.

The problem with short selling was that if too many traders got involved it became a self-fulfilling prophecy. Algos from different HFTs competed against each other for advantage at lightning speed. No one yet fully understood the consequences. HFTs had first caused, then exacerbated the Flash Crash with aggressive selling and actions intended to complicate the system, actions that quickly spun out of the control and comprehension of their algos.

Before computers, a broker made a bit of money on every sale, as did the Exchange. High-frequency traders now injected themselves into such trades, taking a small percentage of each transaction. Every high-frequency trader was in the game, and their numbers were growing every month. No one took a lot, but everyone took something. So when someone bought stock, it was as if the offer had to punch its way through a succession of invisible digital walls, each one thrown up by a high-frequency trader. It slowed the trade, skimmed money from the deal so that by the time it was consummated the buyer paid more than he thought he would, or the seller received less. High-frequency traders had taken the cream.

At first, the delays and amounts were insignificant but high-frequency trading was so profitable it continued drawing countless players, many of them offshore, shielded from scrutiny. Even Russo, who had thrived in the industry for years, had no true idea who many of the players were or, for that matter, the full extent of the holdings they put in play. There were rumors, accepted opinions, but in the end, it was all speculation. What he knew was that the delays and effects on pricing were now very noticeable to anyone paying attention. The trading public wasn’t on to the scheme yet but those who made their living on the stock market knew and were increasingly leery.

Russo sat down at his desk and placed his face into his hands with a sigh. When he took this job, he’d failed to comprehend the pressure he’d be under. He’d thought his team produced the finest algos in their industry and still believed they did. But when something went wrong, as it had Monday, high-frequency trading had the capacity to drain money from the company like there was no tomorrow. He’d had a disaster already but if next Wednesday went the same way, Mitri Growth and his career would be ruined.

The problem, Russo had come to understand, was that all the high-frequency traders were acting in the same way. There was no need to exchange messages or read internal memos. They were all doing the same thing, playing on the same field with the same end in sight. Each of them might do something a bit different and occasionally one came up with a novel approach but essentially they were like sprinters. They wore the same shoes, the same clothes, bolted from the same starting blocks, and ran flat out. It was no surprise that most of them finished almost together.

And Russo realized that was the danger. High-frequency traders represented a majority of all trades and if they acted in unison, which was the danger when an IPO went south or had a glitch, the stock would begin to collapse, and the volume and the frequency of their trades could pile drive it into oblivion.

And it was an event like Toptical’s IPO that presented the perfect occasion for that to happen.

 

31

WEST 109TH STREET

MANHATTAN VALLEY

NEW YORK CITY

8:29
P.M.

Jeff eased onto one of the single beds more exhausted than he’d realized. For the last three hours, he’d been in a daze, led by Frank, first out of the hospital, then in and out of a succession of taxis, culminating in a subway ride uptown. They’d exited, walked three blocks, and checked into this cash-only hotel built from appearances at the turn of the previous century. Not that many years before now, it would likely have housed a den of crack dealers but then the area had been cleaned up. Now it was just run-down and management still asked no questions if your money was green.

“Do you want to eat?” Frank asked from across the small room.

“I’m not hungry.” Jeff’s head throbbed, his side ached, and his arm was ablaze.

“I understand. I need to go out and get you something for the pain. I’ll pick up food and bring it back. We’ll see then if you have an appetite. What you need most of all is rest. So don’t fight going to sleep. We’re okay here.”

“Frank,” Jeff said, closing his eyes, wondering if he had the energy to undress, “what’s going on?” They’d had no time to talk in detail since they’d seen the SEC raid on his office and home in Georgetown. Frank had managed a call or two to contacts while Jeff quickly dressed in the hospital and received a callback in one of the taxis, but he’d not said anything before now, not wanting to risk being overheard.

“NYSE Euronext IT made an SEC referral on us. They think we used our access to the system to steal from accounts.”

“The Exchange is accusing us of theft when all we’re doing is helping them secure the system? That’s ridiculous!”

“Yes, it is. But the SEC has to act. They don’t know how honest we are.” He grinned.

“Why didn’t they just talk to us? We could show them what we’ve been doing, answer any questions they had.”

“Maybe at one time that’s what they’d have done but things happen so fast now, they felt they had to move first and ask questions later. Do you know Robert Alshon?” Jeff shook his head, regretting it at once. “He’s a senior SEC securities investigator. Ex-FBI. He’s the pit bull on our case.”

“Why don’t we just contact him and explain things? Or do it through an attorney, if you think we should.”

“We need to know what’s going on, Jeff. Right now, we’re in the dark. If we go to him the way things are, it’s like lambs to the slaughter. He’s undoubtedly got evidence we know nothing about. We need to find out what he has first, so we know what questions to answer.”

“I guess.”

“There’s another side to this you need to keep in mind. It’s a sad commentary on the state of affairs—but sometimes they don’t care if you didn’t do it.”

Jeff suddenly felt numb. “What do you mean?”

“There’s a mind-set in federal law enforcement that everyone is guilty of something, so everybody deserves what happens, even if they didn’t exactly do what they’re accused of. The laws are so far-reaching, so subject to interpretation, they can be made to fit most any scenario. And when it comes to Wall Street, that’s a labyrinth of its own that allows them to justify almost anything they want. The juries don’t understand. They take the government at face value. And your lawyer will tell you to cut a deal rather than risk trial. Just look at what they did to Aaron Swartz.”

Aaron Swartz had been a cyberstar prior to his death at age twenty-six. An Internet pioneer, writer, political activist, and programmer he’d been involved in the development of the Web’s feed format RSS, part of Creative Commons and also Reddit, a popular social news site. He was an outspoken critic of government and corporate control of the Internet. In 2010, he became a research fellow at Harvard University but that didn’t spare him. In early 2011, he was arrested and charged with two counts of federal wire fraud and eleven counts of violating the Computer Fraud and Abuse Act for simply sniffing data off of MIT’s network from a computer hidden in a closet on its campus. He hadn’t shared or profited from the files he’d stumbled on. Facing up to fifty years in prison, forfeiture of assets along with a one-million-dollar fine, he was in line to serve a greater sentence than someone convicted of manslaughter, bank robbery, or rape. He hanged himself. Jeff had never considered that someday he’d be in much the same position.

Other books

Hotline to Murder by Alan Cook
A Five Year Sentence by Bernice Rubens
For the Most Beautiful by Emily Hauser
The Needle's Eye by Margaret Drabble
Meadowland by Tom Holt
Ritual Murder by S. T. Haymon