Tuesday, February 19, 2008

It pays to be a hacker

Update 02.19.2008: Maybe the title should have read, "It pays to be a Ukrainian hacker." Dan Goodin from The Register follows up by laying it out saying, "Prosecutors with the Justice Department are probably free to file criminal charges against Dorozhko for computer hacking. But given his status as a Ukrainian, it's doubtful they'd succeed. And even if they did, it's even less likely they'd recover the proceeds."

According to the nytimes (via /.), some guy (Mr. Dorozhko) hacked his way into IMS Health and obtained some prerelease earnings information. Mr. Dorozhko soon after invests ~$42K in put options betting the stock will dive, which it does when the information is publicly released, and he makes a cool ~$300K. After the SEC investigation is where the story gets REALLY interesting.

Mr. Dorozhko gets to keep this cash because, according to the judge, “‘stealing and trading’ or ‘hacking and trading’ does not amount to a violation of securities laws”. Put another way, Mr. Dorozhko was not an “insider” and therefore can’t be charged with “insider trading.” Apparently the way the SEC laws work is that it's legal to trade on information illegally obtained, but illegal to trade on information legally obtained. Wrap your mind around that.

Careful, all you would-be hackers: this is not to say that Mr. Dorozhko won’t be prosecuted on computer crime charges.

From the story it clearly sounds like what Mr. Dorozhko did was illegal, but what if the attack was more subtle in nature? Take Predictable Resource Location (Forced Browsing), a highly effective approach which exploits the behavior of negligent website owners who post files but don’t necessarily link them in until a particular date/time has passed. A couple years ago something similar happened in another SEC investigation involving Estonian stock traders. With PRL there is no need to circumvent password prompts, agree to any terms of service, or bypass any security systems. You simply ask for a file on the web server, which may contain some juicy market-moving data not yet publicly released.

So is obtaining insider information in this way legal? If so, and IANAL, then it would seem to be both legal to obtain insider information this way (via PRL) and legal to trade upon it.
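As an added example (not part of the original post), here is the defender's side of the PRL problem: gate the file on its scheduled release time instead of on whether it is linked yet, and scan the access log for requests that arrived before that time. The embargoed path, release time and log lines are constructed for illustration.

```python
# Added example: enforce a release time server-side and flag early requests.
from datetime import datetime
import re

# Constructed embargo table: URL path -> UTC release time (Apache-style %z offset).
EMBARGO = {
    "/ir/q4-2007-earnings.pdf": datetime.strptime(
        "13/Feb/2008:21:00:00 +0000", "%d/%b/%Y:%H:%M:%S %z"),
}

def parse_ts(s):
    """Parse a common-log timestamp such as '13/Feb/2008:20:15:02 +0000'."""
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")

def allow_request(path, now):
    """True if the path is public or its release time has passed.
    The check does not care whether the file is linked from anywhere:
    an unlinked file is still reachable by guessing its name."""
    release = EMBARGO.get(path)
    return release is None or now >= release

# Common log format: host ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*" (\d{3})')

def early_requests(log_lines):
    """Return (ip, path, status) for every request to an embargoed path
    made before its release time. Status 200 means the server leaked it;
    a 404 before release shows someone probing for the unlinked file."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, path, status = m.groups()
        if not allow_request(path, parse_ts(ts)):
            hits.append((ip, path, status))
    return hits

# Constructed sample log (documentation IP ranges, fictional timings).
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Feb/2008:20:14:55 +0000] "GET /ir/q4-2007-earnings.pdf HTTP/1.1" 404 210',
    '203.0.113.7 - - [13/Feb/2008:20:15:02 +0000] "GET /ir/q4-2007-earnings.pdf HTTP/1.1" 200 48211',
    '198.51.100.4 - - [13/Feb/2008:20:16:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.4 - - [13/Feb/2008:21:05:40 +0000] "GET /ir/q4-2007-earnings.pdf HTTP/1.1" 200 48211',
]

if __name__ == "__main__":
    for ip, path, status in early_requests(SAMPLE_LOG):
        print(f"{'LEAK' if status == '200' else 'PROBE'} {ip} {path} -> {status}")
```

Only the two requests before 21:00 UTC are flagged; the 200 among them is the one that would have handed out the file early.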


Dan Weber said...

The SEC ruling seems straightforward, although not necessarily predictable. They only deal with insider trading, and "illegal access" isn't an issue before the court.

Similarly, if I shoot a US soldier, I'm not subject to military court. I'll surely face punishment in other jurisdictions, however.

Thanks for the pointer.

kuza55 said...

"this is not to say that Mr. Dorozhko won’t be prosecuted on computer crime charges"

But he probably won't be extradited, so whether he is charged or not is probably irrelevant if his funds are unfrozen and he can get them out of the country.