The exchanges hire many H-1Bs from China, India, and Russia. They try to minimize cost paid per hour.
It would be very easy for a spy to pose as a worker and get hired. If you get a couple people in each area, it's completely undetectable. I had several coworkers I suspected, but didn't want to risk my job reporting them to compliance.
Do you have any data that supports this? Is there somewhere that publishes how many H-1B visas the exchanges hire, and where they're from? Considering how much money is flowing through these places (digitally speaking), I'm skeptical that there's zero background checking involved.
Speaking hypothetically, sure it would be possible. But I'd need more data to be convinced.
"I'm skeptical that there's zero background checking involved"
You shouldn't be.
Just yesterday it was essentially revealed Amazon does not do background checks (at least not on Education)[0].
One of the government's contractors for background checks (including Snowden's) was charged with defrauding the government on 660,000 checks[1] (and many if not all of these are for security clearances).
If it's a state sponsored spy, the background check would not find that out. I thought it was a given that nations would recruit people to be spies, but they'd have a normal, successful, career. I would be shocked if every big country doesn't have well placed people in various top industry positions. In fact, as a Canadian, I'd be upset if Canada isn't doing that. It seems so easy, cheap and potentially highly effective.
Likely because they were foreign and had different customs. If the OP had actual evidence that they were stealing data or installing malware they would have reported it.
It will likely be culture specific complaints like "they kept to themselves" and "they weren't as social as other people."
There were a whole bunch of suspicious things. I'll mention the most obvious.
1. Table A had summary data that was used for reports. Table B had trade detail data, which nobody normally looked at, but we were using it for a special project. There was a discrepancy between the two, and I was investigating. I was concerned that someone had edited Table A. I mentioned to a manager Y "I couldn't reconcile the difference between the two tables. Maybe we should file a Suspicious Activity Report?" A couple weeks later I followed up with Y. I asked what happened. He said "I asked S to look into it. S said that he met with FSK and pointed out the error in his calculation." But S never met with me! Why did S tell Y that he discussed the problem with me, but he never actually did it?!
That's a common social engineering trick. You tell two people two different things, and they usually won't compare notes.
2. For a couple of weeks, I shared an office with S. We were in the risk reporting group. Almost every day, S had a conversation with X on the production team. S spoke in a whispered angry voice, in a language other than English! (I never could figure out which one.) That was really weird, because S was from Russia and X was from China. If it was an "official" daily meeting, there would have been several people on the call, due to the nature of the bureaucracy. I was wondering if S and X were conspiring to forge records, and the phone call was them coordinating their efforts.
3. Table C had daily end-of-day positions. Table D had a list of all the trades. However, if you took Wednesday's end-of-day positions, and added all the new trades and subtracted the stuff that settled, the result was not Thursday's end-of-day position! I thought this was nuts, but S had all sorts of excuses for why this was necessary and desirable. For example, he said that some trades were reported after the end-of-day cutoff, but then shouldn't those trades show up in the table with a later timestamp?
If I was designing a system to facilitate funny business, I would make sure there were all sorts of weird bugs. Then, if I ever got caught, I could pass it off as a bug.
But S was the business' hero! He had singlehandedly written all their key software! He was Untouchable and a Valuable Employee! Of course, I was wondering if he intentionally put abusable Easter Eggs into their system (and maybe some other people were helping him).
When you buy and sell stock/bonds, it's just a number in a database. But if someone has DBA/root, and they're clever about covering their tracks, and a group of people are working together, they can never get caught!
Another weird thing is that I added up all the shares bought in one day per stock and added up all the shares sold in one day per stock, and compared them. Those two numbers should be the same, but they almost never were! I was wondering why nobody added such an obvious checksum to the system. I also added up the number of long failure-to-delivers and added up the number of short failure-to-delivers, and those numbers didn't match either! (A short failure-to-deliver is when someone naked short sells and doesn't deliver stock on the settlement date. A long failure-to-deliver is when someone should have received stock on the settlement date, but didn't, because someone else failed to deliver.)
A regular H-1B visa employee from Russia or China just earns a salary. If there are some people planted by the Russian or Chinese government, they get their salary, plus whatever they can steal, plus whatever their backers are paying them. So these bottom-of-the-barrel wages paid to H-1B visa employees are most attractive to someone who's doing something dishonest. Also, if even one person slips through the cracks, then he'll be recommending his associates for jobs, and some of them will inevitably get hired (and eventually promoted). These people don't want the system to completely crash; they want it to appear to run smoothly while they quietly sabotage it.
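The reconciliation checks the poster wished the system had (items 3 and the buy/sell and fail-to-deliver "checksums" above) can be expressed directly. The following is an added example, not code from the thread or from any exchange: the table layouts, the 16:00 cutoff, the account names and every row of sample data are constructed for illustration, and positions are assumed to be kept on a trade-date basis so only trades (not settlements) enter the roll-forward. Trades stamped after the cutoff are booked to the next day instead of being silently dropped, so a late report still reconciles and keeps its real timestamp.

```python
"""Back-office reconciliation over a constructed dataset (added example).

Checks:
  1. previous day's end-of-day positions + net trades booked to the next
     day must equal the next day's end-of-day positions;
  2. per day and symbol, shares bought must equal shares sold;
  3. per day and symbol, long fails-to-deliver must equal short fails.
"""
from collections import defaultdict
from datetime import datetime, timedelta, time

CUTOFF = time(16, 0)  # hypothetical end-of-day cutoff

# Constructed sample data: (date, account, symbol) -> end-of-day shares.
POSITIONS = {
    ("2014-07-16", "ACC1", "XYZ"): 1000,
    ("2014-07-16", "ACC2", "XYZ"): 500,
    ("2014-07-17", "ACC1", "XYZ"): 1300,  # consistent with the trades below
    ("2014-07-17", "ACC2", "XYZ"): 400,   # inconsistent: flagged by roll_forward
}

# Constructed one-sided trade rows (one row per participant per trade).
# Row 4 was "edited" from 100 to 80, so buys and sells no longer balance;
# rows 5-6 are reported after the cutoff and belong to the next book day.
TRADES = [
    {"ts": "2014-07-17 10:05:00", "account": "ACC1", "symbol": "XYZ", "side": "buy", "qty": 200},
    {"ts": "2014-07-17 10:05:00", "account": "ACC2", "symbol": "XYZ", "side": "sell", "qty": 200},
    {"ts": "2014-07-17 14:00:00", "account": "ACC1", "symbol": "XYZ", "side": "buy", "qty": 100},
    {"ts": "2014-07-17 14:00:00", "account": "ACC2", "symbol": "XYZ", "side": "sell", "qty": 80},
    {"ts": "2014-07-17 16:30:00", "account": "ACC1", "symbol": "XYZ", "side": "buy", "qty": 50},
    {"ts": "2014-07-17 16:30:00", "account": "ACC2", "symbol": "XYZ", "side": "sell", "qty": 50},
]

# Constructed fail-to-deliver records: (date, symbol, "long"|"short", qty).
FAILS = [
    ("2014-07-17", "XYZ", "short", 100),
    ("2014-07-17", "XYZ", "long", 60),
]


def business_day(ts: str) -> str:
    """Book day for a trade timestamp: after CUTOFF it rolls to the next day.
    (Next calendar day here; a real system would skip weekends/holidays.)"""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    if dt.time() > CUTOFF:
        dt += timedelta(days=1)
    return dt.strftime("%Y-%m-%d")


def check_buy_sell_balance(trades):
    """Return (day, symbol, bought, sold) for every day/symbol where the
    shares bought do not equal the shares sold."""
    bought, sold = defaultdict(int), defaultdict(int)
    for t in trades:
        key = (business_day(t["ts"]), t["symbol"])
        (bought if t["side"] == "buy" else sold)[key] += t["qty"]
    return sorted((d, s, bought[(d, s)], sold[(d, s)])
                  for (d, s) in set(bought) | set(sold)
                  if bought[(d, s)] != sold[(d, s)])


def roll_forward(positions, trades, prev_day, next_day):
    """Return (account, symbol, expected, recorded) for every position on
    next_day that does not equal prev_day's position plus net trades."""
    net = defaultdict(int)
    for t in trades:
        if business_day(t["ts"]) == next_day:
            signed = t["qty"] if t["side"] == "buy" else -t["qty"]
            net[(t["account"], t["symbol"])] += signed
    keys = {(a, s) for (d, a, s) in positions if d in (prev_day, next_day)} | set(net)
    mismatches = []
    for a, s in sorted(keys):
        expected = positions.get((prev_day, a, s), 0) + net[(a, s)]
        recorded = positions.get((next_day, a, s), 0)
        if expected != recorded:
            mismatches.append((a, s, expected, recorded))
    return mismatches


def check_ftd_balance(fails):
    """Return (date, symbol, long_total, short_total) where the totals differ:
    every short fail should have a matching long fail on the receiving side."""
    longs, shorts = defaultdict(int), defaultdict(int)
    for date, symbol, side, qty in fails:
        (longs if side == "long" else shorts)[(date, symbol)] += qty
    return sorted((d, s, longs[(d, s)], shorts[(d, s)])
                  for (d, s) in set(longs) | set(shorts)
                  if longs[(d, s)] != shorts[(d, s)])


if __name__ == "__main__":
    print("buy/sell imbalances:", check_buy_sell_balance(TRADES))
    print("roll-forward mismatches:", roll_forward(POSITIONS, TRADES, "2014-07-16", "2014-07-17"))
    print("fail-to-deliver imbalances:", check_ftd_balance(FAILS))
```

Each check is independent of the others, so an edit to one table (here the tampered sell row) shows up in two places at once: the buy/sell totals for the day and the position roll-forward for the account whose row was changed. The late trades land on 2014-07-18 with both sides intact, which is the behaviour the poster expected rather than an unexplained gap.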
NASDAQ is a stock exchange. Financial institutions as a class of companies have pretty strict regulations/compliance issues about who can work in them. For example, they fingerprint every exchange employee and typically bar convicted felons from even applying. Being an agent of another state--and certainly if not disclosed--is such a red flag for fraudulent behaviour as to not need further explanation. A foreign agent has the means and motive to harm both the exchange members and the host nation, and providing them with corporate security clearance equates to the opportunity for criminal behaviour (either as a principal or an accomplice).
In Washington, an FBI team and market regulators analyzed thousands of trades using algorithms to determine if information in Director’s Desk could be traced to suspicious transactions. They found no evidence that had happened, according to two people briefed on the results.
The fact that they found no evidence that anyone traded using insider information obtained from the compromise of Director's Desk doesn't mean that it didn't happen. As with hackers, only the incompetent insider dealers get caught. It's entirely possible to obfuscate trading activity to conceal the fact that you're trading based on insider information.
Is it really so far-fetched that the Russians hired some hackers to clone the NASDAQ, but then the hackers saw a broader opportunity to fatten their own bank accounts?
If the hackers’ motive was profit, Nasdaq’s Director’s Desk, the Web-based communication system where they first entered the network, offered amazing possibilities. It’s used by thousands of corporate board directors to exchange confidential information about their companies. Whoever got their hands on those could accumulate an instant fortune.
They could've easily had multiple motives, and those could have been state driven, or simply personal for the hackers. Either way, I'm pretty sure the cloning theory is only half the story.
There is no evidence the hackers got anywhere near NASDAQ's actual exchange networks (gateways, matching engines, etc). This whole article is ridiculously hyperbolic.
The article sucks, but electronic markets are, compared to other core infrastructure, uniquely exposed. You obviously can't talk directly to a match engine from the Internet, but equally obviously they consume input from all sorts of systems you can talk to.
Match engines themselves are not particularly interesting as targets (their function is, in the "attack surface" sense, pretty straightforward), but the engines are always surrounded by a constellation of goofy little systems that collectively expose a pretty big attack surface.
And you don't have to pop the match engine itself to compromise the market. It often suffices just to be able to see raw message flow, or to be able to influence posted orders.
Foreign hackers will probably break the markets before they manage to crash an airplane or turn off the water. Don't get me started on the power grid, though.
I guess there are kind of two things people worry about with electronic markets and hacking. One is just crashing the market so that nobody can trade for some period of time. The other is actually stealing funds from one or more market participants. I'm not sure which case you had in mind, but I think the former is probably a lot easier than the latter.
A friend of mine once had the best idea ever for a destructive piece of malware. Assume you have a reliable infection vector on Windows machines. Now, instead of deleting hard drives or enrolling machines into a botnet, just find every Excel spreadsheet you can, and subtly fuck with the numbers.
If you wanted to damage the US economy, a similar approach taken with compromised electronic markets could probably do some real damage.
That is a cool idea because the spreadsheets are probably not backed up so you have no reference to compare it to. This is not exactly the case in the markets. For instance when I send my order into NASDAQ, I get an order accept message back that includes all the parameters in the original order message. If you artificially cancel my order when I think the order should have executed immediately or been posted to the book, I'll notice that and call the exchange trade desk to ask wtf happened. For displayed, non-IOC orders I'll also see my order in the market data feed. When I get an execution the price of the execution should match (or improve) the price of my order. I'll also see copies of all these orders and executions in the DROP copy from my clearing firm. In other words there are a lot of places to insert your own surveillance to make sure your trading is happening the way you expect it to, and many firms already have such surveillance schemes in place because 1) regulatory requirements and 2) software has bugs and sometimes things break.
* This is all re US equity markets because that's my area of expertise. Maybe it's different on other electronic venues.
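The surveillance the poster describes (order accept echoes the original parameters, executions at or better than the limit, unexpected cancels, and a drop copy from the clearing firm as an independent record) is a few comparisons once the messages are normalized. The following is an added example, not code from the thread, from any exchange or from any clearing firm: the message shapes, field names, client order IDs and every sample message are constructed for illustration, and prices are integers in cents to avoid floating-point comparisons.

```python
"""Client-side order surveillance over constructed messages (added example).

Inputs (all hypothetical shapes):
  orders       - what we sent, keyed by client order id
  cancels_sent - client order ids we asked to cancel
  inbound      - exchange messages: accepted / executed / canceled
  drop_copy    - executions as reported by the clearing firm's drop copy
Output: list of (clordid, alert_code), in the order the problems are seen.
"""

# Constructed: what we sent. Prices are in cents.
ORDERS = {
    "C1": {"symbol": "XYZ", "side": "buy", "qty": 100, "price": 1000, "tif": "DAY"},
    "C2": {"symbol": "XYZ", "side": "sell", "qty": 200, "price": 1005, "tif": "IOC"},
    "C3": {"symbol": "ABC", "side": "buy", "qty": 300, "price": 2000, "tif": "DAY"},
}
CANCELS_SENT = set()  # we sent no cancel requests

# Constructed: what came back from the exchange.
INBOUND = [
    {"type": "accepted", "clordid": "C1", "symbol": "XYZ", "side": "buy", "qty": 100, "price": 1000, "tif": "DAY"},
    {"type": "executed", "clordid": "C1", "execid": "E1", "qty": 100, "price": 999},   # price improvement: fine
    {"type": "accepted", "clordid": "C2", "symbol": "XYZ", "side": "sell", "qty": 200, "price": 1005, "tif": "IOC"},
    {"type": "executed", "clordid": "C2", "execid": "E2", "qty": 200, "price": 1004},  # sold below our limit
    {"type": "accepted", "clordid": "C3", "symbol": "ABC", "side": "buy", "qty": 300, "price": 2050, "tif": "DAY"},  # limit altered
    {"type": "canceled", "clordid": "C3"},                                             # we never asked for this
]

# Constructed: the clearing firm's drop copy.
DROP_COPY = [
    {"clordid": "C1", "execid": "E1", "qty": 100, "price": 999},
    {"clordid": "C2", "execid": "E2", "qty": 200, "price": 1004},
    {"clordid": "C9", "execid": "E7", "qty": 50, "price": 100},   # a fill we never saw
]

ACK_FIELDS = ("symbol", "side", "qty", "price", "tif")


def surveil(orders, cancels_sent, inbound, drop_copy):
    """Cross-check our own order records against exchange messages and the
    clearing firm's drop copy. Returns a list of (clordid, alert_code)."""
    alerts = []
    own_execs = {}  # execid -> (clordid, qty, price) as the exchange reported it
    for m in inbound:
        cid = m["clordid"]
        order = orders.get(cid)
        if order is None:
            alerts.append((cid, "unknown_order"))
            continue
        if m["type"] == "accepted":
            # The accept must echo exactly what we sent; any drift means the
            # order working on the book is not the order we placed.
            if any(m[f] != order[f] for f in ACK_FIELDS):
                alerts.append((cid, "ack_mismatch"))
        elif m["type"] == "executed":
            own_execs[m["execid"]] = (cid, m["qty"], m["price"])
            # A limit buy may fill at or below the limit, a limit sell at or
            # above it; anything else is a fill through our own price.
            if order["side"] == "buy":
                worse = m["price"] > order["price"]
            else:
                worse = m["price"] < order["price"]
            if worse:
                alerts.append((cid, "price_through_limit"))
        elif m["type"] == "canceled":
            # IOC orders cancel on their own; anything else we did not
            # cancel ourselves is a question for the exchange trade desk.
            if cid not in cancels_sent and order["tif"] != "IOC":
                alerts.append((cid, "unexpected_cancel"))
    # Independent record: every execution we saw must be in the drop copy
    # with the same quantity and price, and nothing may be there that we
    # never saw.
    drop = {d["execid"]: (d["clordid"], d["qty"], d["price"]) for d in drop_copy}
    for execid, rec in own_execs.items():
        if drop.get(execid) != rec:
            alerts.append((rec[0], "drop_copy_missing"))
    for execid, rec in drop.items():
        if execid not in own_execs:
            alerts.append((rec[0], "drop_copy_unknown"))
    return alerts


if __name__ == "__main__":
    for clordid, code in surveil(ORDERS, CANCELS_SENT, INBOUND, DROP_COPY):
        print(f"{clordid}: {code}")
```

The point of the drop-copy pass is that it comes from a different party than the exchange session, so an attacker who can alter messages on one path still has to alter them consistently on the other; the poster's "a lot of places to insert your own surveillance" is exactly this cross-checking of independent records.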