Short-selling as a way to profit from security vulnerabilities (bloomberg.com)
181 points by ISL on Aug 27, 2016 | 114 comments


I was just discussing this idea with friends the other day. It's definitely going to become big business, especially once these funds can take leveraged short positions.

This is also a good way to finance very expensive investigative journalism. Just short the companies you've found dirt on.

Any idea why these models aren't huge already?


Is it? It's long been an article of faith among security pundits that short positions will be (or even already are, routinely) used to liquidate security knowledge. But there aren't that many verticals in which vulnerability disclosures are really material to a company's underlying business.

How many fewer iPhones would Apple sell if someone found a way to "jailbreak" the SEP? The difference would be a rounding error.

How many fewer Jeeps will get sold if a new remote OTA car-crasher is discovered? What if Fiat Chrysler needs to do a product recall? Guess what: they already have to do those, all the time. Software vulnerabilities, however, can usually themselves be fixed OTA.

Companies deployed hundreds of thousands of RF and GSM-connected smart meters. Almost all of them had massive OTA vulnerabilities. How likely were any of them to mess with smart meter deployment? Pretty much not at all.

What we see with St. Jude is two cases in which vulnerability discoveries seemingly can have a material impact:

* In medical devices, where the markets are already tuned into and ready to vigorously punish product recalls.

* In M&A situations in regulated industries --- but then, that case is situational: you have to time your disclosure with an acquisition, and the flaw(s) you've found have to be so serious that they might delay the acquisition.

I'm generally kind of skeptical that hack-and-short is going to be all that lucrative.


Sony hack sends stock down 10% in past week. Time that on option expiry, make zillions.

Disclosing vulns, though, I agree is not a stock-shorting business.

http://money.cnn.com/2014/12/15/investing/sony-stock-hack/


For that scheme to work, it has to actually work: you need an attack that can damage the fundamentals of a business. Most trades aren't made by randos reacting to the news: they're allocation decisions made by pension funds and endowments and mutual fund firms, all of whom are run by people who understand that if they dump a position when it's down 10% because of the news cycle, they are going to look stupid and potentially lose their job when it turns out that the news cycle had nothing to do with the fundamentals of the company and the stock recovers --- probably not from the hack, but from whatever macro trend is jostling the market that week.


While not an instance of a security exploit, the right tweet can and does result in this sort of insider trading. Options are leveraged vehicles, you don't need to hurt the fundamentals of a business, you only need to ensure short term volatility to make money.

https://i.redd.it/ju3joa7i3fhx.png


Well, assuming you can tell whether you've got an insignificant flash-in-the-pan disclosure or a fundamentally-damaging disclosure, it seems like things are still fine. Break your flash-in-the-pan disclosure, see the short-term price drop, purchase some buy options at the brief, depressed market price. Options to trade at the current market price should be pretty cheap, right?

It doesn't matter, for stock trading purposes, whether you're making a permanent change or a temporary one. What matters is that you can predict the effect.


Sure, but my core argument is that there really aren't that many vulnerabilities that have powerful impacts on stock prices.

If the markets are essentially a random function, and any given stock a random walk, and the influence you wield is marginal, then you're taking a dangerous bet when you spend money to buy puts. Even if you can predictably harm the price of a stock ceteris paribus, you could easily lose money if your timing sucks and you try to employ your scheme when some macro event (or just a company announcement, or any other instant in the random walk of a stock) sends the stock more-than-marginally upwards.

I am not here to question whether Justine Bone can pull this particular scheme off. She picked a perfect target: a product in the medical industry, which is heavily regulated and whose vendors are punished harshly for product recalls, which was in the process of closing an acquisition by another medical industry giant.

My point is that Bone's win here is highly situational. That is great for Justine! I have nothing bad to say about her evil scheme. I'm just saying it's unlikely to be the future of vuln research.


Maybe we can bundle a bunch of shitty vulnerabilities into a CDO and call them good vulnerabilities.


I guess this begs the question of how many times you really need a perfect candidate (such as in this case) if you are confident in nailing the timing and can get leverage. Doesn't seem like you need a ton of these to potentially make off like a bandit. Of course those are big assumptions.


You're proposing buying when you no longer have knowledge unavailable to the public. Can you out-analyze pro stock analysts because you are forcing them to decide with less time to think?


False, options price risk and pension funds don't play in that arena. Way too illiquid.


I don't understand this comment, which seems to suggest that pension funds, endowments, and mutual funds don't own Sony stock.


There is not a 1-to-1 correlation between options and stock price. There is a risk volatility factor as well. Do some options trading and then come back and talk about this.


They can write covered calls


Pension funds don't.


They do. Just a random quote on the subject: "While public pension programs have traditionally stayed away from using options strategies in their portfolios, that is beginning to change.

This year, John Colville, Portfolio Manager, disclosed that he was successfully employing options on up to 66% on the equity portion of the City of Sacramento’s pension fund. We also learned that Tim Walsh, former Investment Director with New Jersey’s public pension system had similar success employing covered call options. Most recently we learned that CalSTRS intends to allocate to one or more managers a total of $150 million across both low volatility equity and covered call strategies. Upon evaluation of the performance of this initial allocation, CalSTRS may expand the program in terms of number of managers or capital invested."


Well, those are long term calls, I can see it being used for hedging (though yikes, I hope none of my retirement funds are doing that, talk about timing the market)

Pension funds most absolutely do not speculate in options near expiry.


read up on what covered call is and what it is used for :)


Laugh. Better yet, trade in covered calls and actually learn what they are used for. They are great for obfuscating positions, I'll give it that.


Perhaps not directly very often, but they certainly allocate money to funds that trade options.


I generally agree with you that many if not most computer security problems don't rise to the level of damaging a business enough to affect the stock price.

There was a recent hack-and-short incident in the cryptocurrency world though, where an unknown individual shorted a large amount of ETH right before revealing a major flaw in the design of the DAO that allowed them to steal all the funds. They forked ETH shortly thereafter to deny the stolen funds to the would-be thief, but they still made a killing on their short position.

On the investigative journalism front, the cases of Lumber Liquidators and Herbalife come to mind, both of which had damaging information exposed by investors shorting the companies' stocks.


UK Smart Meters were delayed for security, and other factors. But yes, share price of Capita wasn't affected. If anything, it earned them more profit.

http://www.theregister.co.uk/2016/08/17/smart_meters_delayed...


> What if Fiat Chrysler needs to do a product recall? Guess what: they already have to do those, all the time.

My car just had a recall consisting of a software upgrade from Fiat Chrysler.


> Any idea why these models aren't huge already?

People have looked at stock price impact from breaches & vulnerability disclosure before and found only very mild connections that revert themselves quickly. The only reason it seems to be working now is concentrated media attention, which doesn't seem like a repeatable strategy when the whole medical device sector is a tire fire when it comes to security. After the first few times the stock market should stop reacting to this sort of news.


I don't think it will work this way. The difference is that medical devices that contain known vulnerabilities can't just remain operating like a movie studio or cheat-dating-site can. Therefore publishing truly critical vulnerabilities will always have an effect on the company's stock, because more than just reputation is on the line.


Three things I can think of that make medical device vulnerabilities more costly than in other verticals:

1. The market is already geared to punish recalls.

2. Recalls, in some limited cases, can be very costly (for instance: in the very few cases in which hardware must be replaced, you may directly incur nosebleed-expensive medical bills).

3. The tort liability that comes from directly hurting people.

But mitigating these points:

1. Hack-and-short is only really interesting if it can be applied repeatedly. Routinizing the kinds of recalls needed to fix vulnerabilities will probably recondition the markets away from punishing these kinds of recalls.

2. Most vulnerabilities, even the most serious ones, don't incur hardware-replacing recalls.

3. In most (but not all) cases, a human death from a software flaw in a medical device will require deliberate action from, well, a murderer. Which is to say: these kinds of torts are unlikely to be common. Not that I believe that, were a button made available to 8chan that would enable them to kill people on a whim, it wouldn't be pushed regularly! Rather: it's very unlikely such a button will be created at all.



Is there a study you can point to? I'd be curious to know the severity of the vulnerabilities. In the past companies have also been able to successfully cover up breaches. The media attention, as you point out, makes this more challenging, but in the post-Snowden era people are more aware of and concerned about security and privacy, and researchers are getting better at explaining/marketing their discoveries (ex. Heartbleed). I can see breaches continuing to enjoy heightened attention across industries.


If they are options at expiry, it just has to be short term to make large, leveraged gains.

The risk is the business uses capital to acquire stock and defend against these attacks which is the right tactical thing to do.

The real danger though is hackers making secret deals with nefarious hedge funds to attack hard so the company can't defend. Can you imagine if someone made a wide-scale assault against a company whose revenue was based purely on its cloud revenue?


>The risk is the business uses capital to acquire stock and defend against these attacks which is the right tactical thing to do.

The right tactical thing to do is for the company to manipulate its own share price, so that after news breaks that they're selling defective products their share price won't go down?

>The real danger though is hackers making secret deals with nefarious hedge funds to attack hard so the company can't defend. Can you imagine if someone made a wide scale assault against a company who's revenue was based purely on its cloud revenue?

That might be 'a' real danger, but what you're describing is already illegal and it also doesn't require a hedge fund, you can just demand money directly from the company because you're already committing a crime.

What happened in this case is that a hedge fund made a deal with a firm that did research into a company's products and found that they were defective, the disclosure and the impact of the disclosure on the share price is the best possible outcome.


Wow, no.

Of course a company will buy its shares if it sees them irrationally going down. Especially in terms of a vuln which could impact its rep. Finally, you want to discourage hackers from profiting off of this nonsense.

Blackmailing a company directly is near impossible. Secret deals with a hedge fund are hard to track.


> Of course a company will buy its shares if it sees it irrationally going down.

Well maybe if they have a load of extra cash laying around. If they're in the midst of a big recall while trying to keep the rest of the business going, that may not be the case.


Tire fire as in it won't stop burning or tire fire as in nobody bothers trying to put it out?


Just ask Bill Ackman how well his activist naked short in Herbalife is going ;)

http://www.bloomberg.com/news/articles/2016-08-27/icahn-mock...


Ackman is genuinely right about Herbalife. His mistake was thinking he could convince the fed to go after it and/or otherwise get it shut down.


Yes, and that is a case where he's right in an obvious, academic way that is clear from the numbers to pretty much anyone who seriously works in the markets (ie: the kinds of people who made decisions about the macro trades that really set prices in the market).

But we're meant to believe that some doofus with an SQLI in some backend component is going to send GM tumbling?

I am, let's be clear, prepared to be wrong about this. But I'm happy to give clear voice to the opposing viewpoint on this hack-and-short meme.


Exactly


While he didn't succeed in getting the FTC to sue them (which would almost inevitably lead to the company being shut down), they did end up passing reforms that will cripple the business if it is indeed a pyramid scheme. Not sure how it affects them outside the US, but I think HLF is going to die over the next few years if it can't make much revenue from recruiting.


Do you have any evidence that he was naked short? I can't think of a way how this would be acceptable from a regulatory perspective. I think a lot of his short exposure was through derivatives rather than cash anyway.


"The Market Can Remain Irrational Longer Than You Can Remain Solvent"

Attributed to economist John Maynard Keynes:

http://quoteinvestigator.com/2011/08/09/remain-solvent/


People like to misinterpret Keynes, so it is worth stressing the "can" does not mean that it will in a strict sense.

Similarly, "We're all dead in the long run," does not mean that whatever long run effect being discussed will wait until after we are dead either.


> It's definitely going to become big business

I almost hope that's going to happen. Why? Because absolute security catastrophes seem to be the only way for companies to start taking security seriously enough. And I'm not just talking about your random IoT/medical device company here. I mean big companies like Google and Microsoft, too.

Google became more serious about security and encryption when it got hacked by the Chinese government. Then again after it discovered that the NSA was inside its internal networks. And then upped its game for Android once the Stagefright vulnerabilities came to light.

And how many millions of viruses did it take to convince Microsoft to move to at least a security model/architecture like they built in Windows Vista/7?

So perhaps others profiting big from discovering vulnerabilities in companies' products, and then shorting their stock is what's needed for these companies to significantly increase their security across the board.

Is it ideal? Of course not. But if that's what it takes, then so be it. They could go nuts on the security front today, but they don't. They're waiting for the security disasters to happen first.


Security catastrophes are unlikely to be sufficient to make companies take security seriously. After all, the PR damage seems limited (it's hard to blame someone for not understanding something you don't understand yourself), and the damage is often largely to third parties (i.e: customers). The people taking the risks aren't the ones paying the costs. And those paying the costs can't really tell who's taking the risks, nor judge well how it impacts them.

It sort of reminds me of CO2 emissions - and look how brilliantly that battle is going.

This shorting is much better, actually - it impacts metrics companies actually optimize for, so it may actually affect behavior. Not only that, it allocates money to security research, creating a virtuous circle.

But it's not all roses: it's only going to work as long as there's a stock market impact; and that's eventually dependent on security risks actually affecting the choices buyers make. That is uncertain. Most successful software has almost no competitors; software (well, and IP law) makes it trivial to create lock-in and software is trivial to mass-produce, so underdogs have a terrible time. For example: if you can effectively choose only between iOS and android, then you're likely to make that choice based on just a few of your top priorities (in CS terms: there's at most 1 bit of entropy here). Security may matter, but it's not going to have as much impact as it would in an actual proper market where there's sufficient choice for real competition to emerge.


> Any idea why these models aren't huge already?

Because successful traders don't tend to advertise their winning strategies.

By the time some outfit like Bloomberg is doing stories on it, rest assured it's already huge.


How could it be huge without continuous media stories tying major vulnerabilities to stock price drops? This is the first such story anyone I know directly has been involved in. Also: in 20 years of working with companies on vulnerabilities, never once has this ever come up.


There's precedent for this already in the form of Lumber Liquidators. But to use a more prominent example: the researchers who disclosed VW's diesel efficiency issues could've made $1B+ from that investigation:

http://www.travisdeyle.com/musings/volkswagen.html


They would have had to have been careful to do so in untraceable fashion. VW would have been all too happy to divert attention to the researchers' "greed" rather than VW's if there had been a whiff of impropriety.


"The Art of Short Selling", written by Kathryn Staley in 1997, should be in your book collection. It's been a business model all the way back to the 1850s.

Software engineers are just late to the field, and now are much closer to the mechanisms that affect the market in many different industries.


Thank you so much! I was looking for some good reading material of this sort!


Big short sellers do tend to try to get themselves in the media, and they certainly aren't going to shy away from investigating companies they believe provide opportunities (and then opportunistically sharing the results of those investigations).


Well,

There's a reason journalists have a code of (supposed) ethics. Anyone engaging in investigations for this kind of profit clearly has given up their claim to ordinary journalism (but hey, if this kind of business took off, things might be worth it).


> Anyone engaging in investigations for this kind of profit clearly has given up their claim to ordinary journalism

News organizations and journalists are desperate for viable funding models. Many have already violated long-standing ethics, such as by eliminating the 'firewall' between advertising and editorial, native advertising, etc.


What is the ethical implication here?


Presumably that one might opportunistically look for and find dirt that might not actually be there due to financial motivations to do so. I think this could be mitigated by being really careful with what you find and how you craft that narrative, but that concern is there. If the story is really there, though, I don't see much of an ethical dilemma.


Where's the line drawn -- what if press releases don't get any attention? "Let's let the vulnerability continue until someone dies, then we'll explain why they died and get more attention." Or even worse, intentionally kill someone with the vulnerability to gain attention.

What we need is some sort of qui tam lawsuit capability where a third party can sue device manufacturers when they have not suffered direct damages from the flawed device, and perhaps the government joins in, and then the third party receives a portion of the damages awarded. This already happens with Medicare fraud.


Murdering corporate officers would be a good short strategy for people comfortable with murder.

How often do we think that happens?


That's highly illegal though ("stock market manipulation"), so I don't see a problem at all.


Because it's massively risky. There's no guarantee your "dirt" will cause the stock to drop.


I was just thinking about this last night. I've discovered a pretty serious security issue with a leading manufacturer of IP cameras. To keep it short: you can take over every single camera that is connected to the cloud (not by random enumeration of the devices; you have access to the central database with more than 1 million connected devices).

I did the "right" thing. If I'm lucky I'm probably going to get a 4 digit bounty and a nice blog post for my CV.

But I can't help to think what would happen if I handed this to a competitor or just shorted the company (listed with billions market cap) and helped create a nice clickbaity media shitstorm.


I'd be concerned that taking any action with securities could be construed as insider trading (the SEC has been expanding the definition recently).

The idea of giving/selling the information to a competitor (possibly for some stock as well) seems like a reasonable course of action. The current bug reporting environment doesn't properly motivate some companies to fix their issues and reward the people that find them; maybe develop one that does.

If a company letting fatal security issues through became a competitive problem, we may stop seeing as many fatal security issues.


> I'd be concerned that taking any action with securities could be construed as insider trading (the SEC has been expanding the definition recently).

One, the courts have been narrowing - not expanding - the definition of insider trading [1].

Two, you are correct. Don't short a stock before tweeting a vulnerability. If you want to do this, retain a securities and investments lawyer. Vet your plan, trades and disclosure language carefully.

[1] http://www.scotusblog.com/case-files/cases/salman-v-united-s...


Concur. Generating one's own non-public information and trading on it as a non-insider is not insider trading.

This is no different than doing foot traffic counts (or satellite parking lot surveillance).


Lets say you run a large company, and you are about to make a big purchase from another public company. Lets say you are planning on increasing their sales by some non-trivial amount like 20%.

Is it legal to purchase shares in that company before you make the purchase? You are leveraging private information, but not information gleaned from insider knowledge from the other company.


This was given as the example of a trade we shouldn't do when I was first exposed to the insider trading policy at my current employer, a US trading firm. I think it might still be defensible and not insider trading by US standards, but it's at least a grey area.


> it's at least a grey area.

This is 90% of where money is made in my experience


This is similar to the scenario that cost David Sokol his job with Berkshire.


You're both right. The SEC has been more aggressively prosecuting and trying to stretch the definitions, while the courts have been reining them in somewhat in turn. Tread carefully. A lot could change if the court gets packed with progressives legislating from the bench in the next few years, as will likely happen.


You're completely right, let me rephrase to reinterpreting insider trading. I was specifically thinking of Bonan Huang and Nan Huang.


This seems to be pretty textbook not insider trading (at least in the US). This is new, independent research about a company's products. At no point did you receive information from a company insider. You own your own information, so there's no insider trading.

Incidentally, courts have recently been narrowing the definition of insider trading (see US vs. Newman).


Let's say they've been changing the definition of insider trading. See: Bonan Huang and Nan Huang


I don't understand. What would a competitor do with a flaw in someone else's product? Exploit it? Release it? Having a hard time imagining they would pay more than the company itself.


Publicize on it. Imagine an ad where they demonstrate how flawed their competitors product is by showing you anyone can watch you on it?


Logitech at least, if not other IP camera producers too, aren't interested in security. My flatmate had a Logitech which "uploads in your Dropbox account", only to discover that it uploads to Dropbox... when the computer is on. As in, the Logitech driver downloads the files from the cam periodically, and you can set Dropbox to backup the data folder to the cloud. Pretty useless security if you have a laptop. And that's for a mainstream several-hundred-dollars camera.

Besides, 3 years after leaving the flatshare, I can still see his home through my Logitech iPad app.

If I inadvertently can rape his privacy through the official Logitech app (Note: I was on the phone with him and we were testing his camera), I'm afraid there's no need to worry about attackers. What a creepy world we live in.


I think you'd find the company's competitors pretty uninterested. You might find that doing so simply gets your bug disclosed to the vendor through its competitors, costing you credit and the bounty and potentially some legal fees.


A 'golden' aphorism which may apply:

Do unto others as you'd have them do unto you.


Isn't this analogous to buying property insurance on your neighbor's home and then posting instructions for breaking into it on the Internet? Or shorting a bank stock and then posting instructions for electronically stealing millions from it? I'm not sure this is a good thing.

Potentially, it's a slippery slope from making it easy for others to attack a company, to encouraging others to attack the company, to actually attacking the company... to benefit financially from a fall in the company's stock price.

At the extreme, this reminds me of the character Le Chifre in the Bond movie "Casino Royale," who at one point purchases put options on an airplane manufacturer and simultaneously hires a terrorist to destruct the company's new prototype airliner to profit from the declining stock price.[1]

[1] https://en.wikipedia.org/wiki/Le_Chiffre#2006_film_biography


> from a fall in the company's stock price

Under the presupposition that fictionally inflated prices in your 401k are a good thing.

More accurate prices of equities are better for the health of the market. The financial motivation should be the incentive to avoid delaying the inevitable.


Wasn't weev trying to run a similar operation with his TRO LLC hedge fund?

https://newrepublic.com/article/117477/andrew-weev-auernheim...


Correct, weev is the progenitor of this idea.


(Disclosure: I'm working on a med device security startup.)

Taking public short positions, then publicizing vulnerabilities is perhaps the shittiest way to ensure patients are not harmed by these vulnerabilities. I wonder if Carson Block would be as enthusiastic about this approach if his grandmother had a St. Jude ICD in her chest.


I dunno. It forces new entrants to not screw about when it comes to security. If there is a very real threat of a predatory security/short crew trying to take you down, you're going to invest in security and make sure your product is better.


There may be some white-hat middle ground; disclose the vulnerability to the vendor, wait 90 days, if no patch has been released/recall initiated, it's open season for the short sellers....


No, the problem is that these companies don't pay the fair price (i.e. what their investors stand to lose if knowledge of this vulnerability is disclosed) to the researchers. Personally, I don't feel any kind of moral obligation to essentially sponsor the investors of these companies (if I were a security researcher).


If I have a 95% chance of losing a dollar from a vulnerability, I'm not gonna pay you a dollar for it. I have a 100% chance of losing a dollar that way and a 95% chance if I don't. Even if I buy it from you, it may cost me 50 cents to fix it. Then I lose $1.50. If I pay you 45 cents then I break even, if the process scales up to tons of $1, 95% vulnerabilities that can be fixed for 50 cents.

Fair price is a pipe dream. But considering the huge sums of money that are involved something more than "here's $500, thanks for your time" would be nice.

As it stands if you're good at breaking stuff you can make more money breaking it for the bad guys than for the good guys. No other industry has this problem. E.g. a good lockpicker or safe cracker can make more money performing his/her trade legitimately.


I think the point of short selling is an activist way of saying "Have a fair price or see your stock price plummet when we do it the other way."


That doesn't exactly incentivise the vendor to prevent future vulnerabilities though.


This guy has three options: 1) short, 2) go long, 3) do nothing. Given he knows about this vulnerability, what is the "ethical" thing to do? Buy the stock? Don't engage?

I think, in fact, he has a duty to short the stock.


While what he's doing is completely unethical, I don't know if I'd go so far as to say it's putting anyone at risk. Placing a call to an investment firm to short a stock shouldn't take so long as to delay the release of an advisory.

That being said I don't like what I'm seeing in some parts of the security community as of late. Security is becoming a misnomer as companies and groups are actively hoarding and selling vulnerabilities and making us all less safe.


Companies like google, facebook and microsoft are forced to spend bajillions either finding their own bugs and fixing them or buying the bugs and fixing them. Can you imagine the fallout of a massive google or facebook data breach? It's probably their single biggest risk. I rest easy at night knowing $100bn+ firms have a very strong economic incentive to find and fix security flaws of all kinds.


which sony isn't…


I don't view this as unethical. I think it actually promotes security.

Consider that there are lots of products out there with serious vulnerabilities that no one knows about. A bad actor has tons of incentive to try to find these and keep it secret while exploiting it (for whatever their nefarious aims are). White hats have very little incentive to do so - bug bounties are a joke. So it may be worthwhile for a black hat to spend millions in security research, but it wouldn't for a white hat. The incentives are out of balance.

This type of action presents a way to balance out the incentives. The good actor here only benefits by telling the world about the vulnerability, at which point any users can demand a fix or stop using the product (I realize this specific product is a bit tougher to stop using, but the point remains for most other cases).


Or is it the manufacturer being unethical?


Unless med companies start paying these security companies to find bugs (which they don't) they will need to find other ways to make money or stop looking all together.


Is this an actual thing I have to worry about? Oh noes! The Russian hackers are gonna kill gma unless I pay 'em all the bitcoins!


IANAL, but I find the idea of this approach being legal to be astounding.

If nothing else, many firms have attempted to sue security researchers for computer intrusion, based on the EULA not allowing that kind of thing. I used to think of that kind of lawsuit as really sleazy but with this, everything seems fair game.

Plus it seems possible that libel or insider-trading laws could be leveraged here given that they too are pretty flexible.

Anyway, pure speculation, I'd be curious what lawyers thought.


Characterizing flaws in a publicly available product is not anywhere near insider trading. It's obviously research, not proprietary information.

It's also likely to be quite easy to avoid libel/slander. Just specify when you obtained the product and demonstrate the flaw in the product you obtained.

edit edit: reading fail.


Except that demonstrating a flaw _by predatory profit-driven entities that have a direct stake in said flaw_ leaves plenty of room for spin and hype. This is already obvious if you read the MW report: some of the "vulnerabilities" are so contrived that the real-world impact is minuscule if not entirely absent, yet they present them (whilst omitting key facts and occulting others) in such a way as to elicit a certain response from the readers.

Given that security is not a solved problem, by far, if you allow this sort of behavior you're opening up the gates of Hell.

There needs to be an objective overseer, that is not profit-driven, for proper evaluation.

This Muddy Waters-MedSec fiasco is evoking memories of the Wild West and is surely not where we want to end up.


> There needs to be an objective overseer, that is not profit-driven, for proper evaluation. This Muddy Waters-MedSec fiasco is evoking memories of the Wild West and is surely not where we want to end up.

So, another Federal bureaucracy? Or what? And how could you guarantee that such a body would remain objective, and avoid regulatory capture?

I think the solution you propose could easily be worse than the problem.


It doesn't have to be a Federal Bureaucracy.

Consumer Reports is one example. Mudge _already doing_ it in the cybersecurity domain is another.


But nobody is required to go through organizations like these when they demonstrate flaws. Why would they start doing that?


All I said was "It's also likely to be quite easy to avoid libel/slander."

I didn't evaluate this case or claim that all researchers/shorts would succeed in doing so.

In the end I think I'm more concerned about devices that crash/fail due to unauthenticated radio traffic (claimed in the report) than I am about some dude accidentally libeling a company.


> Except that demonstrating a flaw _by predatory profit-driven entities that have a direct stake in said flaw_ leaves plenty of room for spin and hype.

I think we're at a point where getting some money behind spinning and hyping the seriousness of security vulnerabilities is probably a Good Thing™.


In my view, this is the naive outsider perspective.

Security vulnerabilities are everywhere. The old adage 'seek and ye shall find' is king and it doesn't take particular expertise or resources to enter this arena. Moreover, you have hidden cascade/network effects that are growing stronger every day.

With that in mind, one needs to think longer and harder in order to begin to realize what a Good Thing would even be.

When you open the gates of Hell, you have no control over what comes out of it. I'm fully in favor of holding corporations liable when it comes to security vulnerabilities, but making deals with the devil is certainly not the best way of doing that. If this case sets a strong precedent you can expect to see similar speculatory attacks in widely disparate domains, not just medical. I do not share Thomas Ptacek's pessimism re: limited domain applicability of such attacks.

In order to at a minimum avoid chilling effects, you need clear evaluation protocols.

We do not have that in this case, it seems rather that the downside for MW is minimal (and also heavily hedged against).


The objective overseer is the market. If the flaw described is not noteworthy or material (i.e. just hype), then no profit can be made, as there won't be a market impact.


The market is not objective.


Ars Technica also runs a story on this and cites a VW case where researchers were ordered by a court not to disclose a flaw: http://arstechnica.com/security/2016/08/trading-in-stock-of-...

The real issue here is that stock effects have occurred because of both (i) a potential flaw in a product and (ii) short positions. Carson acts as a monetization platform for product flaws of publicly listed companies, creating value by executing (ii) for (i) and thus creating real pressure on companies to disclose and address (i). To what degree these accusations are true is another question and pulls this into the same realm as the currently ongoing public feud between Ackman and Icahn over Herbalife.


Hmm... I'm not sure I see this the same way. The impact on the price by a single investor shorting the stock (even a leveraged hedge fund) will be minimal. Furthermore, the only way for said investor to actually make a profit is to make other investors agree (i.e. to essentially anticipate their actions), so they do need to publicise the vulnerability. Still, they're taking a risk because other investors might not see the vulnerability as critical or otherwise worthy of a lower valuation.


I would say that anyone expecting a collaborative approach to market efficiency was raised on an inefficient set of rules.

You would do yourself a greater service by analyzing why you are surprised that this is a legal form of risk.


That's a great idea, and far more likely to lead to real change than simply informing the company. Wipe away millions of the CEO's equity, then watch how quickly it gets fixed.


There are plenty of hedge funds that do this already, sometimes they put up a blog post. Sometimes they simply "talk their book". To the degree that informed investors own the stock, the stock will or won't react.

An example of a short thesis which the market has judged to be baseless despite the hype: http://www.reuters.com/article/us-dish-network-kerrisdale-id...

Institutional investors have held onto DISH stock since, because while Dish may not be doing great, it is not failing for the reasons Kerrisdale has pitched.

The predatory sort of shorting - pumping and dumping, is most common in penny stocks or stocks heavily owned by retail investors. These "investors" don't do their own research, they don't read 10-Ks, and they believe every little thing they read on the internet.

An example of a stock which has been pumped and dumped for years is ORMP: http://seekingalpha.com/symbol/ORMP

In the aggregate I believe that short sellers serve a useful purpose, adjusting valuations down for stocks which do not merit their current price.


This situation seems colored by the specifics of the case. The questions of morality and ethics wouldn't be involved were the company in question, say, a cybersecurity firm. In that case, it might seem perfectly reasonable to use this type of knowledge advantage as a means to beat the market, especially if the firm were unwilling to pay directly for the information.

The origin of this sort of behavior, it seems to me, is a lack of understanding on the part of firms. If St. Jude's appreciated the market value of securing its devices, it would surely pay for the exploit. However, there's an inefficiency in the market and this prompts "hackers" to seek alternative means to profit from the work and research that they've done.

I personally would not engage in this type of exploitation, but these situations will lead companies to place more value on the security of IoT and other connected devices than they currently do.


Not convinced it can really become common.

Hacking can make attribution very hard and in certain jurisdictions (Russia), many intrusions aren't even illegal, and when they are, very hard to prove even if you know the culprit.

A transaction on a US stock market, on the other hand, is very easy to track (based on very heavy Know Your Customer regulations, regulators can search in minutes who shorted a given stock on a given day), and market abuse laws themselves carry multi-year jail sentences for insider dealing.

So for a hacker to profit from short-selling, he has to take considerably more risks. Much easier to sell the data to a competitor or anyone else.


"Lumber Liquidators Holdings Inc.’s stock plunge over the past week, fueled by allegations of excessive formaldehyde in its flooring, can be traced back to a blog post from an obscure 25-year-old short seller."

http://www.bloomberg.com/news/articles/2015-03-04/how-a-25-y...


We're living in William Gibson's world. There's just less neon than he imagined!

