Playing the Market

Sendai s new position pays far more money than his modest lifestyle requires. After tiring of watching the money stagnate in his checking account, Sendai opens a brokerage account and begins to dabble in investing. As with hacking, Sendai learns everything he can about investing. Interestingly, he finds many parallels between the two disciplines. Many books and articles suggest filling a portfolio with funds that passively track broad indexes such as the S&P 500. This insures diversity and reduces the risk of bad timing or stock-picking mistakes. Sendai discards this advice immediately. It sounds too much like the conventional wisdom that computer and telephone users should restrict themselves to advertised behavior, and stay ignorant about how the systems work. Sendai prefers stretching system capabilities to extract as much value as possible, based on a comprehensive understanding. In other words, he wants to (legally) hack the financial markets.

Sendai soon discovers another aspect of investing that is familiar to him. Successful active trading is all about obtaining relevant information before it is widely recognized and reflected in the stock price. This is similar to the security market, where the value of an exploit degrades quickly. The Holy Grail is a zero-day exploit, meaning one that is not publicly known or patched. Attackers who possess such an exploit can break into any system running the vulnerable service. The attack is unlikely to be detected , either, because administrators and IDS systems are not watching for what they do not know exists. Once the vulnerability is published and a patch is created, the exploit value decreases rapidly . The most secure installations will quickly upgrade to be invulnerable. In the coming days and weeks, most organizations will patch their systems. Soon, only the least security conscious networks will be exploitable, and they are probably vulnerable to many other attacks anyway. As other hackers (and in many cases worms) compromise the remaining vulnerable systems, the exploit value continues to dwindle.

In the security world, Sendai sometimes gains zero-day knowledge through friends in the scene and private mailing lists or IRC/SILC channels. Other times, he finds them himself by auditing software for bugs. Auditing produces the best zero-day exploits because the bugs are exclusively his, until he discloses them (or they are independently discovered elsewhere). To find an impressive and generally useful vulnerability, Sendai tends to look at widely deployed and frequently exploitable software like Microsoft s IIS webserver , Sendmail smtpd, OpenSSH, or the ISC BIND DNS server. In the more common case that Sendai wants to break into a specific company, he looks for the most obscure software run on the target network. This specialized software is unlikely to have gone through the rigorous testing performed against more popular packages. An alternative approach to obtaining zero-day is to buy it from the controversial organizations that openly broker such information. Sendai has never resorted to this, for both ethical and financial reasons. He still believes some information wants to be free.

The flow of valuable investment insights is similar to security information. Someone with the right insider connections or a willingness to pay extravagant fees to research boutiques can learn information before it moves the market. Unable to partake in these options, Sendai decides to do his own research. Some of the most valuable preannouncement data are company earnings and mergers, acquisitions, or big partnerships. After a couple hours of brainstorming, Sendai comes up with several ways to use his security and networking expertise to his advantage.