Well here’s a story where the tradeoff for speed and efficiency caused a massive stock dump erroneously.

Apparently, many traders use automation software that trolls the Web for news stories and then, depending on what it finds, executes stock trades automatically. It was United Airline’s bad luck that an old article about its 2002 bankruptcy-court filing showed up on Google’s news service and somehow made it to the list of most popular stories. In one of a series of mistakes here, the story had no date on it – which means Google’s algorithm for assessing popularity didn’t have a way to exclude it as an “old” story – OR (because there are conflicting accounts) the South Florida Sun-Sentinel actually put “today’s” date on the page that the story appeared on. This got picked up by the Income Security Advisors newsletter and sent over to Bloomberg News as a one-line brief. Plus there’s the inevitable conspiracy theory that people manipulated the web traffic for this story to adversely affect UAL. Regardless, on Monday afternoon, the stock plunged 76% in less than a day.

But the real problem here is the growing use of automated programs to trigger stock trades without any human interaction – instead based on news headlines and earnings data. According to the Wall Street Journal, these automated programs were responsible for a very surprising 25% of NYSE trades in the last week of August.

I’m sure we’ll hear more as the lawyers are now involved trying to figure out who should get the blame.

• First, watch Dave Aitel beats the dead horse of academic security "research." Quote: "people who write papers in LaTeX two-column format end up saying the sky has a high negative trajectory." (other examples)
• I work for a vendor, but I am not "vendor scum." What is the difference? If you write a paper about a fake trend or about a non-existent phenomenon (that your marketing department created) with the sole intention of selling your product while masquerading your piece as "objective content", you will probably be called "vendor scum." Example: do you know why insiders are dangerous? Because of telnet and modems (no shit!) :-)
• Rich Mogul drop-kicks GRC. Then kicks it in the balls. Then steps on it. Fun read, for sure.
• Did somebody just utter "ROI"? Yeah - and that means katana blades sharpened, flamethrowers charged, pet trolls enraged :-) Yes, the beast is back - with a vengeance. Bruce Schneier hits it with +5 Flaming Blade, it doesn't die, it bites back ... again. If you love/hate ROI, read these. And Mike R comment here. Can we just replace the "R"-word with "economic measure of security" or "security efficiency?"
• Does anybody with at most half a brain believes that "almost one out of every three individuals who were informed of a data security compromise involving their personal data have ceased doing business with the company that experienced the incident" (source here and more commentary here)? Well, same people who believe FBI/CSI surveys, I guess :-) UFO? Spoon bending? Santa Claus anyone?
• NEWSFLASH!!!! Employees needs to be monitored!!! Wow!!! Reeeeally? Well, it is news to some people. Mike R makes good fun of them here.
• Harebrained paper about PCI and using cards (credit and debit), which serves as a perfect illustration of how some people perceive risk. Repeat after me: you are not liable for mis-use of your credit card, your bank is. Debit card? Very different story!
• So, risk, yes. A really good piece about risk is here. Then again, it is RiskAnalys.is? :-) More on risks of compliance stuff (also good) is here.
• Richard clearly, succinctly, brilliantly explains the "security chasm" here by commenting on Greg's article (featured in my previous FRoS): "The first camp spends more time talking about "enabling business" and "elevating the infosec conversation" while the second camp deals with the mess caused by the first world's ignorance of security problems."
• Security reading? Nah, fun security listening (that is, unless you are sick of hearing about RSA 2008 again), where we discuss - yes, you guessed right! - past RSA 2008 show.

Enjoy!

I received an amusing email from a person at another security company yesterday.  They wanted to know how much revenue we did here at StillSecure and what we would be willing to pay as a license fee in regard to a recent patent they had been awarded.  Before the visions of Sugar Plums were deeply engraved in this persons mind, I had to tell them that, "sorry Charlie, Starkist wants tuna that tastes good".  The fact is their patent did not apply to how our product works.  But it brings up a bigger issue that has come up before, patent trolls. 

Our patent system is in drastic need of an overhaul.  In this particular case, I know for a fact that their use of this technology was not the first use in commercial instances.  There is little doubt in my mind that at a trial this claim would be laughed out of court.  The problem is getting this to trial.  A defendant even though successful would have to pay a hefty sum in attorney costs and bad PR around the suit while it was pending.  The courts are usually pretty reluctant to award attorney fees to the victorious side, let alone damages for harmed reputation. Plus the patent troll probably does not have the resources to pay such an award. I would like to see a statute put into law that if these trolls if and when they lose their law suits have to pay the legal fees and consequential and real damages suffered by the party they accused of patent infringement. In fact they should have to post a bond to make sure they are good for fees and damages in the event they lose.

Personally I think companies would be better off executing on making their product work and selling it in the market, rather than hoping to sneak a patent through the patent office and become bloodsuckers off of someone else's hard work. It is for exactly this reason that I do not even mention the company involved here.  Frankly, mentioning them on my blog would give them more daylight than they deserve.  Let them keep limping along with a handful of employees trying to make 30 cents out of a quarter, hoping that some lawsuit will do what their own efforts at building a company could not.

I received an amusing email from a person at another security company yesterday.  They wanted to know how much revenue we did here at StillSecure and what we would be willing to pay as a license fee in regard to a recent patent they had been awarded.  Before the visions of Sugar Plums were deeply engraved in this persons mind, I had to tell them that, "sorry Charlie, Starkist wants tuna that tastes good".  The fact is their patent did not apply to how our product works.  But it brings up a bigger issue that has come up before, patent trolls. 

Our patent system is in drastic need of an overhaul.  In this particular case, I know for a fact that their use of this technology was not the first use in commercial instances.  There is little doubt in my mind that at a trial this claim would be laughed out of court.  The problem is getting this to trial.  A defendant even though successful would have to pay a hefty sum in attorney costs and bad PR around the suit while it was pending.  The courts are usually pretty reluctant to award attorney fees to the victorious side, let alone damages for harmed reputation. Plus the patent troll probably does not have the resources to pay such an award. I would like to see a statute put into law that if these trolls if and when they lose their law suits have to pay the legal fees and consequential and real damages suffered by the party they accused of patent infringement. In fact they should have to post a bond to make sure they are good for fees and damages in the event they lose.

Personally I think companies would be better off executing on making their product work and selling it in the market, rather than hoping to sneak a patent through the patent office and become bloodsuckers off of someone else's hard work. It is for exactly this reason that I do not even mention the company involved here.  Frankly, mentioning them on my blog would give them more daylight than they deserve.  Let them keep limping along with a handful of employees trying to make 30 cents out of a quarter, hoping that some lawsuit will do what their own efforts at building a company could not.