Phishing attacks like that can't be stopped. Someone will always click the link.
http://www.slate.com/blogs/future_tense/2013/04/23/ap_twitter_hack_would_you_click_the_link_in_this_phishing_email.html
Quote
Would You Click the Link in This Email That Apparently Tricked the AP?
By Will Oremus
Posted Tuesday, April 23, 2013, at 10:11 PM
Hacking a prominent Twitter account, like the one that the Associated Press uses to broadcast breaking news to some 2 million followers, sounds like it would be hard. Apparently it isn't.
At least, it doesn't seem to be hard lately for a rogue hacker outfit that calls itself the Syrian Electronic Army, which claimed responsibility for Tuesday's AP tweet-jacking. The SEA, which seems to have a pro-Assad agenda though it claims it isn't affiliated with the Syrian government, has been racking up successful hacks at an alarming rate in the past few months. And the roster of reported victims, as collected by Reuters earlier today, reads like a checklist of the most credible and influential English-language news organizations: the BBC, NPR, CBS' "60 Minutes," Reuters News, and now the AP.
It wasn't immediately clear whether the hackers obtained the AP's password by installing keystroke-logging malware on employees' machines or by tricking them into entering their credentials on a bogus site. But an internal AP email, posted on Jim Romenesko's media blog, gives us a good idea as to how they might have gotten in the door: by spear-phishing. That means targeting specific people with legitimate-looking emails designed to trick them into giving up sensitive information. In this case, several AP employees received an email shortly before the Twitter hack that appeared to come from one of their colleagues. Here's what it looked like, according to Romenesko's source:
Sent: Tue 4/23/2013 12:12 PM
From: [An AP staffer]
Subject: News
Hello,
Please read the following article, it's very important :
http://www.washingtonpost.com/blogs/worldviews/wp/2013/04/23/
[A different AP staffer]
Associated Press
San Diego
mobile [removed]
Notice that it lacks most of the telltale signs of a scam. The "from" field contains not some unknown name, but the name of someone you know and work with. The topic is generic, but it's also something that AP staffers have to be looking out for all the time: news. And the URL in the link looks legitimate—it seems to point to Max Fisher's WorldViews blog on the Washington Post site.
http://www.washingtonpost.com/blogs/worldviews/
Would you click the link in that email if it appeared in your inbox in the middle of a busy workday? Probably not, right? But if you were distracted—if the name in the "from" field was that of a friend or your boss—if you were in a hurry—isn't there maybe at least a chance that you'd click before you even took a moment to think about it? And when you consider that this email was probably sent to a bunch of different people at the AP all at once, the odds of at least one or two clicking on it start to look pretty good.
In other words, blame the AP if you like, but if spear-phishing was indeed the SEA's way in, then what happened to them could happen to just about any organization. Chet Wisniewski of the security firm Sophos told me the attack points to the need for Twitter to offer two-factor authentication, and it seems likely that the company is indeed working on that.
But forget Twitter for a second. The other takeaway here is just how effective a well-targeted spear-phishing attack can be. Everyone knows to avoid emails from Nigerian princes. By now most people know to be wary of Facebook or Twitter messages from their friends that say things like "lol ur famous now." Now it seems we have to watch out for work emails from colleagues that are properly spelled and punctuated, on-topic, and generally plausible, if a little vague. Good luck everyone!
What the fuck! :wacko:
http://redtape.nbcnews.com/_news/2013/04/23/17881215-fake-tweet-shows-country-sensitive-to-any-news-that-sounds-like-terrorism?lite
Quote
If you define the term "hacking" loosely, you might consider that whoever wrote the fake tweet hacked not only AP's account, but the entire Wall Street trading system. The trades which sank the market Tuesday were almost certainly initiated by automated trading programs designed to profit by fast-twitch reacting to good or bad news.
The combination of a jittery public, automated trading, and a worldwide rumor tool was toxic for the markets.
"That goes to show you how algorithms read headlines and create these automatic orders — you don't even have time to react as a human being," said Kenny Polcari of O'Neil Securities. "I'd imagine the (Security and Exchange Commission) is going to look into how this happened. It's not about banning computers, but it's about protection and securing our markets."
Algorithm trading is one of the parts of the financial system that IMO are purely harmful to society. Their whole purpose is to claw back the profit from regular investors and inferior algorithms. It's entirely zero-sum, and on the whole it actually destroys liquidity rather than increasing it.
"Sank?" "Toxic?" The Dow dropped 1 fucking percent and immediately recovered.
The only people I ever hear bitching about algorithm trading are market timers that are now getting beat by machines that do the same thing. And DGuller.
What's the problem with that link? Looks totally legit. Odd. :hmm:
Quote from: Admiral Yi on April 24, 2013, 06:44:33 PM
The only people I ever hear bitching about algorithm trading are market timers that are now getting beat by machines that do the same thing. And DGuller.
:huh: You must not be listening very carefully. There are very serious questions about how algorithm trading makes the system more fragile to shocks.
Quote from: Admiral Yi on April 24, 2013, 06:44:33 PM
The only people I ever hear bitching about algorithm trading are market timers that are now getting beat by machines that do the same thing. And DGuller.
HEY NOW
Some of the algos are probably linked to twitter aggregators and google analytics. It makes total sense if you think about it. I wonder what would happen if anonymous somehow organized a mass tweet offensive saying great things about some particular stock.
Actually, if it were a super low-volume penny stock it might only take a couple dozen people... :hmm:
Quote from: MadImmortalMan on April 24, 2013, 08:11:00 PM
Some of the algos are probably linked to twitter aggregators and google analytics. It makes total sense if you think about it.
No, it doesn't. It should be illegal.
Quote from: CountDeMoney on April 24, 2013, 09:42:52 PM
Quote from: MadImmortalMan on April 24, 2013, 08:11:00 PM
Some of the algos are probably linked to twitter aggregators and google analytics. It makes total sense if you think about it.
No, it doesn't. It should be illegal.
:rolleyes:
Now mention shareholder value.
Quote from: DGuller on April 24, 2013, 06:47:28 PM
Quote from: Admiral Yi on April 24, 2013, 06:44:33 PM
The only people I ever hear bitching about algorithm trading are market timers that are now getting beat by machines that do the same thing. And DGuller.
:huh: You must not be listening very carefully. There are very serious questions about how algorithm trading makes the system more fragile to shocks.
:yes:
I'm no expert on the subject, but I don't think we're talking about the old program trading that caused a 20% one day drop in the market back in the 80s.
Just take a look at this: people thought there was a bombing of the White House, the market dropped 1% and instantly recovered. Hardly a good data point for fragilizing the market.
How about the 2010 "Flash Crash"? That was over a 1000-point drop IIRC.
How did the thread suddenly change to being about stock markets? :unsure:
Anyway, computerised trading systems are an abomination, they go totally against what the stock market should be about and turn it into something horrible and very dangerous.
What should stock markets be all about, Squeeze?
Quote from: Admiral Yi on April 24, 2013, 10:55:07 PM
I'm no expert on the subject, but I don't think we're talking about the old program trading that caused a 20% one day drop in the market back in the 80s.
Just take a look at this: people thought there was a bombing of the White House, the market dropped 1% and instantly recovered. Hardly a good data point for fragilizing the market.
One of the problems with algorithm trading is that it causes liquidity to drop to near zero any time something uncertain happens; that is, when you really don't want liquidity to drop off. Algorithms simply trip into shutdown mode to avoid trading during an uncertain time. When you have no bid or ask offers worth talking about, prices can get to pretty much any level. That in turn can lead to all sorts of margin calls based on phantom losses and the usual chain reactions associated with them.
Then there are just unpredictable dynamic things that can happen when a couple of algorithms interact with each other and create a vortex of insanity. When an Amazon algorithm prices a used book about flies at $20,000,000, because it's programmed to beat another algorithm that priced the book at $18,000,000, it's amusing. When such a thing happens in the stock market, it can hurt real people who actually do something productive rather than figure out how to grab more of the bid/ask spread for themselves.
Quote from: fahdiz on April 24, 2013, 11:08:55 PM
How about the 2010 "Flash Crash"? That was over a 1000-point drop IIRC.
:yes:
Here's a fun reading about algorithm trading: http://www.michaeleisen.org/blog/?p=358.
Quote from: DGuller on April 25, 2013, 02:32:30 AM
When an Amazon algorithm prices a used book about flies at $20,000,000, because it's programmed to beat another algorithm that priced the book at $18,000,000, it's amusing. When such a thing happens in the stock market, it can hurt real people who actually do something productive rather than figure out how to grab more of the bid/ask spread for themselves.
Interesting - I always wondered why certain used books had absolutely insane valuations (like £1800 for a used edition of some random old political science textbook).
Quote from: Admiral Yi on April 25, 2013, 12:08:32 AM
What should stock markets be all about, Squeeze?
Raising capital for various business ventures? I mean that was sorta why it was invented in the first place.
Algorithmic (computer) trading models are no different from any other kind of trading model, except that they react more quickly. Stupid people lose money faster by depending on algorithms than they do by depending on Aunt Jessie's bone aches, but I don't see why that is bad - the sooner the fools lose money, the faster the market is rid of their influence. There will always be some fools in the market, though, so the market will never be completely rid of their influence.
The Flash Crash was an example of fools losing money. For every dollar the fools lost selling stocks in a panic for five minutes, the smart people made a dollar buying those stocks in the five minutes and the twenty that followed. The Flash Crash was interesting for the speed with which the crash occurred and the speed with which the recovery occurred, but other than the timeline, it wasn't all that interesting. The stock market had fallen and risen in the past, even in the time period before computers were invented.
I fail to be outraged by computer trading.