
Short-selling as a way to profit from security vulnerabilities - ISL
https://www.bloomberg.com/news/articles/2016-08-25/in-an-unorthodox-move-hacking-firm-teams-up-with-short-sellers
======
Inthenameofmine
I was just discussing this idea with friends the other day. It's definitely
going to become big business, especially once these funds can take leveraged
short positions.

This is also a good way to finance very expensive investigative journalism.
Just short the companies you've found dirt on.

Any idea why these models aren't huge already?

~~~
tptacek
Is it? It's long been an article of faith among security pundits that short
positions will be (or even are, routinely, being) used to liquidate security
knowledge. But there aren't that many verticals in which vulnerability
disclosures are really material to a company's underlying business.

How many fewer iPhones would Apple sell if someone found a way to "jailbreak"
the SEP? The difference would be a rounding error.

How many fewer Jeeps will get sold if a new remote OTA car-crasher is
discovered? What if Fiat Chrysler needs to do a product recall? Guess what:
they already have to do those, all the time. Software vulnerabilities,
however, can usually themselves be fixed OTA.

Companies deployed hundreds of thousands of RF and GSM-connected smart meters.
Almost all of them had massive OTA vulnerabilities. How likely were any of
them to mess with smart meter deployment? Pretty much not at all.

What we see with St. Jude is two cases in which vulnerability discoveries
seemingly can have a material impact:

* In medical devices, where the markets are already tuned into and ready to vigorously punish product recalls.

* In M&A situations in regulated industries --- but then, that case is situational: you have to time your disclosure with an acquisition, and the flaw(s) you've found have to be so serious that they might delay the acquisition.

I'm generally kind of skeptical that hack-and-short is going to be all that
lucrative.

~~~
blazespin
Sony hack sends stock down 10% in past week. Time that on option expiry, make
zillions.

Disclosing vulns, though, I agree is not a stock shorting business.

[http://money.cnn.com/2014/12/15/investing/sony-stock-hack/](http://money.cnn.com/2014/12/15/investing/sony-stock-hack/)

~~~
tptacek
For that scheme to work, it has to actually work: you need an attack that can
damage _the fundamentals_ of a business. Most trades aren't made by randos
reacting to the news: they're allocation decisions made by pension funds and
endowments and mutual fund firms, all of whom are run by people who understand
that if they dump a position when it's down 10% because of the news cycle,
they are going to look stupid and potentially lose their job when it turns out
that the news cycle had nothing to do with the fundamentals of the company and
the stock recovers --- probably not from the hack, but from whatever macro
trend is jostling the market that week.

~~~
thaumasiotes
Well, assuming you can tell whether you've got an insignificant
flash-in-the-pan disclosure or a fundamentally-damaging disclosure, it seems
like things are still fine. Break your flash-in-the-pan disclosure, see the
short-term price drop, purchase some buy options at the brief, depressed market
price. Options to trade at the current market price should be pretty cheap,
right?

It doesn't matter, for stock trading purposes, whether you're making a
permanent change or a temporary one. What matters is that you can predict the
effect.

~~~
tptacek
Sure, but my core argument is that there really aren't that many
vulnerabilities that have powerful impacts on stock prices.

If the markets are essentially a random function, and any given stock a random
walk, and the influence you wield is marginal, then you're taking a dangerous
bet when you spend money to buy puts. Even if you can predictably harm the
price of a stock _ceteris paribus_ , you could easily lose money if your
timing sucks and you try to employ your scheme when some macro event (or just
a company announcement, or any other instants in the random walk of a stock)
sends the stock more-than-marginally upwards.

I am not here to question whether Justine Bone can pull this particular scheme
off. She picked a _perfect_ target: a product in the medical industry, which
is heavily regulated and whose vendors are punished harshly for product
recalls, which was in the process of closing an acquisition by another medical
industry giant.

My point is that Bone's win here is _highly_ situational. That is great for
Justine! I have nothing bad to say about her evil scheme. I'm just saying it's
unlikely to be the future of vuln research.

~~~
FLUX-YOU
Maybe we can bundle a bunch of shitty vulnerabilities into a CDO and call them
good vulnerabilities.

------
iraklism
I was just thinking about this last night. I've discovered a pretty serious
security issue with a leading manufacturer of IP cameras. To keep it short, you
can take over every single camera that is connected to the cloud (not by
randomly enumerating the devices; you have access to the central database
with more than 1mil connected devices).

I did the "right" thing. If I'm lucky I'm probably going to get a 4 digit
bounty and a nice blog post for my CV.

But I can't help but think what would happen if I handed this to a competitor
or just shorted the company (listed with billions market cap) and helped
create a nice clickbaity media shitstorm.

~~~
iaw
I'd be concerned that taking any action with securities could be construed as
insider trading (the SEC has been expanding the definition recently).

The idea of giving/selling the information to a competitor (possibly for
some stock as well) seems like a reasonable course of action. The current bug
reporting environment doesn't properly motivate some companies to fix their
issues and reward the people that find them; maybe develop one that does.

If a company letting fatal security issues through became a competitive
problem, we may stop seeing as many fatal security issues.

~~~
JumpCrisscross
> _I'd be concerned that taking any action with securities could be construed
> as insider trading (the SEC has been expanding the definition recently)._

One, the courts have been narrowing - not expanding - the definition of
insider trading [1].

Two, you are correct. Don't short a stock before tweeting a vulnerability. If
you want to do this, retain a securities and investments lawyer. Vet your
plan, trades and disclosure language carefully.

[1] [http://www.scotusblog.com/case-files/cases/salman-v-united-states/](http://www.scotusblog.com/case-files/cases/salman-v-united-states/)

~~~
sokoloff
Concur. Generating one's own non-public information and trading on it as a
non-insider is not insider trading.

This is no different than doing foot traffic counts (or satellite parking lot
surveillance).

~~~
Negitivefrags
Let's say you run a large company, and you are about to make a big purchase
from another public company. Let's say you are planning on increasing their
sales by some non-trivial amount like 20%.

Is it legal to purchase shares in that company before you make the purchase?
You are leveraging private information, but not information gleaned from
insider knowledge from the other company.

~~~
dmurray
This was given as _the_ example of a trade we shouldn't do when I was first
exposed to the insider trading policy at my current employer, a US trading
firm. I think it might still be defensible and not insider trading by US
standards, but it's at least a grey area.

~~~
whamlastxmas
> it's at least a grey area.

This is 90% of where money is made in my experience

------
cs702
Isn't this analogous to buying property insurance on your neighbor's home and
then posting instructions for breaking into it on the Internet? Or shorting a
bank stock and then posting instructions for electronically stealing millions
from it? I'm not sure this is a good thing.

Potentially, it's a slippery slope from making it easy for others to attack a
company, to encouraging others to attack the company, to actually attacking
the company... to benefit financially from a fall in the company's stock
price.

At the extreme, this reminds me of the character Le Chifre in the Bond movie
"Casino Royale," who at one point purchases put options on an airplane
manufacturer and simultaneously hires a terrorist to destruct the company's
new prototype airliner to profit from the declining stock price.[1]

[1]
[https://en.wikipedia.org/wiki/Le_Chiffre#2006_film_biography](https://en.wikipedia.org/wiki/Le_Chiffre#2006_film_biography)

~~~
cloudjacker
> from a fall in the company's stock price

Under the presupposition that fictionally inflated prices in your 401k are a
good thing.

More accurate prices of equities are better for the health of the market. The
financial motivation should be the incentive to avoid delaying the inevitable.

------
1337biz
Wasn't weev trying to run a similar operation with his TRO LLC hedge fund?

[https://newrepublic.com/article/117477/andrew-weev-auernheimers-tro-llc-could-send-him-back-prison](https://newrepublic.com/article/117477/andrew-weev-auernheimers-tro-llc-could-send-him-back-prison)

~~~
r1b
Correct, weev is the progenitor of this idea.

------
mikekij
(Disclosure: I'm working on a med device security startup.)

Taking public short positions, then publicizing vulnerabilities is perhaps the
shittiest way to ensure patients are not harmed by these vulnerabilities. I
wonder if Carson Block would be as enthusiastic about this approach if his
grandmother had a St. Jude ICD in her chest.

~~~
bink
While what he's doing is completely unethical, I don't know if I'd go so far
as to say it's putting anyone at risk. Placing a call to an investment firm to
short a stock shouldn't take so long as to delay the release of an advisory.

That being said I don't like what I'm seeing in some parts of the security
community as of late. Security is becoming a misnomer as companies and groups
are actively hoarding and selling vulnerabilities and making us all less safe.

~~~
chillydawg
Companies like google, facebook and microsoft are forced to spend bajillions
either finding their own bugs and fixing them or buying the bugs and fixing
them. Can you imagine the fallout of a massive google or facebook data breach?
It's probably their single biggest risk. I rest easy at night knowing $100bn+
firms have a very strong economic incentive to find and fix security flaws of
all kinds.

~~~
SSLy
which sony isn't…

------
joe_the_user
IANAL, but I find the idea of this approach being legal to be astounding.

If nothing else, many firms have attempted to sue security researchers for
computer intrusion, if nothing else based on the EULA not allowing that kind
of thing. I used to think of that kind of lawsuit as really sleazy, but with
this, everything seems fair game.

Plus it seems possible that libel or insider-trader laws could be leveraged
here given that they too are pretty flexible.

Anyway, pure speculation, I'd be curious what lawyers thought.

~~~
maxerickson
Characterizing flaws in a publicly available product is not anywhere near
insider trading. It's obviously research, not proprietary information.

It's also likely to be quite easy to avoid libel/slander. Just specify when
you obtained the product and demonstrate the flaw in the product you obtained.

edit edit: reading fail.

~~~
armitron
Except that demonstrating a flaw _by predatory profit-driven entities that
have a direct stake in said flaw_ leaves plenty of room for spin and hype.
This is already obvious if you read the MW report: some of the
"vulnerabilities" are so contrived that the real-world impact is minuscule if
not entirely absent, yet they present them (whilst omitting key facts and
occulting others) in such a way as to elicit a certain response from the
readers.

Given that security is not a solved problem, by far, if you allow this sort of
behavior you're opening up the gates of Hell.

There needs to be an objective overseer, that is not profit-driven, for proper
evaluation.

This Muddy Waters-MedSec fiasco is evoking memories of the Wild West and is
surely not where we want to end up.

~~~
twblalock
> There needs to be an objective overseer, that is not profit-driven, for
> proper evaluation. This Muddy Waters-MedSec fiasco is evoking memories of
> the Wild West and is surely not where we want to end up.

So, another Federal bureaucracy? Or what? And how could you guarantee that
such a body would remain objective, and avoid regulatory capture?

I think the solution you propose could easily be worse than the problem.

~~~
armitron
It doesn't have to be a Federal Bureaucracy.

Consumer Reports is one example. Mudge _already doing_ it in the cybersecurity
domain is another.

~~~
twblalock
But nobody is required to go through organizations like these when they
demonstrate flaws. Why would they start doing that?

------
redthrowaway
That's a great idea, and far more likely to lead to real change than simply
informing the company. Wipe away millions of the CEO's equity, then watch how
quickly it gets fixed.

------
dforrestwilson1
There are plenty of hedge funds that do this already, sometimes they put up a
blog post. Sometimes they simply "talk their book". To the degree that
informed investors own the stock, the stock will or won't react.

An example of a short thesis which the market has judged to be baseless
despite the hype: [http://www.reuters.com/article/us-dish-network-kerrisdale-idUSKCN0XW2AY](http://www.reuters.com/article/us-dish-network-kerrisdale-idUSKCN0XW2AY)

Institutional investors have held onto DISH stock since, because while Dish
may not be doing great, it is not failing for the reasons Kerrisdale has
pitched.

The predatory sort of shorting, pumping and dumping, is most common in penny
stocks or stocks heavily owned by retail investors. These "investors" don't do
their own research, they don't read 10-Ks, and they believe every little thing
they read on the internet.

An example of a stock which has been pumped and dumped for years is ORMP:
[http://seekingalpha.com/symbol/ORMP](http://seekingalpha.com/symbol/ORMP)

In the aggregate I believe that short sellers serve a useful purpose,
adjusting valuations down for stocks which do not merit their current price.

------
rotskoff
This situation seems colored by the specifics of the case. The questions of
morality and ethics wouldn't be involved were the company in question, say, a
cybersecurity firm. In that case, it might seem perfectly reasonable to use
this type of knowledge advantage as a means to beat the market, especially if
the firm were unwilling to pay directly for the information.

The origin of this sort of behavior, it seems to me, is a lack of
understanding on the part of firms. If St. Jude's appreciated the market value
of securing its devices, it would surely pay for the exploit. However, there's
an inefficiency in the market and this prompts "hackers" to seek alternative
means to profit from the work and research that they've done.

I personally would not engage in this type of exploitation, but these
situations will lead companies to place more value on the security of IoT and
other connected devices than they currently do.

------
cm2187
Not convinced it can really become common.

Hacking can make attribution very hard and in certain jurisdictions (Russia),
many intrusions aren't even illegal, and when they are, very hard to prove
even if you know the culprit.

A transaction on a US stock market, on the other hand, is very easy to track
(based on very heavy Know Your Customer regulations; regulators can
search in minutes who shorted a given stock on a given day), and market abuse
laws themselves carry multi-year jail sentences for insider dealing.

So for a hacker to profit from short-selling, he has to take considerably more
risks. Much easier to sell the data to a competitor or anyone else.

------
aaron695
"Lumber Liquidators Holdings Inc.’s stock plunge over the past week, fueled by
allegations of excessive formaldehyde in its flooring, can be traced back to a
blog post from an obscure 25-year-old short seller."

[http://www.bloomberg.com/news/articles/2015-03-04/how-a-25-year-old-investor-spurred-lumber-liquidators-plunge](http://www.bloomberg.com/news/articles/2015-03-04/how-a-25-year-old-investor-spurred-lumber-liquidators-plunge)

------
jwatte
We're living in William Gibson's world. There's just less neon than he imagined!

