St Jude sues short-selling MedSec over pacemaker 'hack' report

Medical device maker St Jude has filed suit against a security startup that shorted its stock and publicized alleged flaws in its products for profit. Pacemaker supplier St Jude has sued both MedSec and investment research biz Muddy Waters in Minnesota, America, as well as three other individuals it says falsely reported …

  1. Captain DaFt

    Well, you didn't exactly have to be the Amazing Kreskin to see this one coming.

    1. DNTP

      You don't even have to be me to have seen this coming, and I saw it coming.

      "Hey everyone, we're MedSec the short-sellers and we couldn't think of a better way to totally torpedo our credibility as security auditors that didn't involve selling babies on Ebay."

      The real losers from this, of course, are the patients using the audited devices, since the issue of actual product fault (or not) seems to have fallen by the wayside.

    2. Anonymous Coward

      Well, you didn't exactly have to be the Amazing Kreskin to see this one coming.

      And deservedly so, although I would have preferred that the SEC itself took action and nailed these people under some criminal aspect of what they've done. This way, it's just a civil suit where the people involved could go "bankrupt" and walk away into the sunshine (which is pretty much what most of the financial world seems to operate on), whereas with criminal consequences they get to spend some time in less comfortable circumstances. The latter also helps smaller setups that don't have the money for such lawsuits.

      1. Doctor Syntax Silver badge

        "I would have preferred that the SEC itself took action"

        Maybe it'll grab the SEC's attention. They seem not to have noticed anything prior to this.

  2. Mark 85

    Lawsuit?

    Who would have thought? Besides many of us commentards? I do hope MedSec and Muddy Waters get run out of business for this. Totally unethical and manipulative actions on their part.

    1. a_yank_lurker

      Re: Lawsuit?

      With some time at a nearby Club Fed for the participants.

    2. Voland's right hand Silver badge

      Re: Lawsuit?

      Not so fast.

      If the exploit proves to be the real deal, well, I see nothing wrong in monetizing it THIS way. In fact it should be monetized THIS way because this is the ONLY way people are finally going to learn to start paying attention.

      This is especially so in the medical device area. There nobody gives a flying f*** about device security, so hitting the board and the investors in the "financial cojones" repeatedly is the only way to get their attention.

      Is the exploit a real deal or not - that will be proven in court.

      1. Anonymous Coward

        Re: Lawsuit?

        If the exploit proves to be the real deal, well, I see nothing wrong in monetizing it THIS way. In fact it should be monetized THIS way because this is the ONLY way people are finally going to learn to start paying attention.

        No. This is quite simply blackmail (not to mention the fact that the claims themselves turned out to be somewhat overstating the risk, needlessly worrying all the people with such devices) and I would prefer to see these people locked up rather than pay a fine (well, ideally both, but fines can be avoided whereas having to bunk with some heavies is more likely to have an educational effect as well as act as a deterrent).

        1. dan1980

          Re: Lawsuit?

          @AC

          While I find the behaviour detestable, ethically, I don't see how it is 'blackmail'. Blackmail is when you gain benefits (often money) from an entity by holding sensitive information that you threaten to release otherwise.

          I.e.: you profit by agreeing to not releasing information.

          As I understand this story, MedSec made their profit by making financial decisions based on the public reaction to the release of the information they held. Of course, they acted to maximise that reaction and so maximise their profit, but that's not blackmail.

          Both are about selfishly and unethically utilising previously-secret information you hold for profit but there's a clear difference. At least I think so.

          In this case, if the information is accurate then MedSec's actions have endangered lives but, so far as the legality of those actions is concerned, all they did was make market decisions based on research about a publicly-listed company.

          If the information is false or exaggerated to a significant degree, then they have panicked people, which is less detestable, ethically, but on the legal side, they have committed securities fraud - specifically 'short and distort' - and will likely be arrested and fined and, potentially, do some jail time.

          Treating people's lives as inconsequential in the pursuit of profit is one thing, but messing with people's money, well, that's just going too far. (Sarcasm.)

      2. Pompous Git Silver badge

        Re: Lawsuit?

        If the exploit proves to be the real deal, well, I see nothing wrong in monetizing it THIS way. In fact it should be monetized THIS way because this is the ONLY way people are finally going to learn to start paying attention.

        That's a very nice tinfoil hat you're wearing today. My supposedly vulnerable CRT-D device can only be reprogrammed when it's under the influence of a strong magnetic field. Perhaps you hadn't noticed, but magnetic fields decrease in strength to the inverse fourth power, so to flip the reed relay from a "remote" location such as the room next door would require a superconducting magnet.

        Having managed to put the CRT-D in receive mode "remotely" with what must surely cost hundreds of thousands if not millions of dollars, there's still the problem of talking to the device. Any old windows lappy won't do it. It's done at the hospital with a dedicated machine using proprietary software running on Linux. You might notice it doesn't have a keyboard or mouse. You're also not likely to manage to do anything meaningful with it if you lack the appropriate training.

        Frankly, if you want to kill someone there is an endless number of ways to do this at far lower cost and risk. Not to mention more likely to succeed.

    3. dan1980

      Re: Lawsuit?

      @Mark 85

      "Totally unethical and manipulative . . ."

      Agreed. But I fail to see how making money on the stock market by being unethical and manipulative is somehow the kind of thing that collapses businesses.

      It'd be great if bad behaviour had real consequences but when financial success is seen as one of the greatest goods, that seems unlikely.

      The sad part is that, if they do get punished for something wrong, it's far more likely that it will be for dicking around with the financial markets than for putting patients in potential danger. And that says it all, really.

  3. DCFusor

    Why not give a little time before judgement?

    In my experience, medical devices are definitely not done by security gurus, not even close. They aren't bug-free, and yes, as is obvious here, they think they are immune to criticism. Worse, if a security researcher tells them they have a problem - if you can even figure out how - like most companies, they just ignore or deny.

    No question this is sleazy, but maybe that industry (and a few others) need a real kick in the pants to design security in, and listen to those who tell them about problems? (or in most cases, even make contact info available at all to tell them)

    Seen variations of this all over... can't hack Wifi, eh? Never heard of higher power and higher gain antennas for that or RFID, right? Or the banks in the UK initially refusing to believe chip and pin could be hacked and blaming it on the customer. The list is endless on this stuff. I'm not going to say either side is right, I will say - we don't know enough. None of the players have been exactly forthcoming about details or published them in the open press, right? So, we lack even that poor and biased source of information. FWIW, having once been in the financial game, Muddy Waters (Carson) has a few times exposed companies that were utter frauds as discovered in the end, and given the suckers that invested in them the word to get out before a small loss on a fraud turned into a total loss. That's what short selling is about. And something obviously completely misunderstood in this copy-pasted article I've seen 3-4 times today.

    You short sell *before* the price goes down, then cover by buying at the new, lower price. Duh.

    Buy low, sell high - just in the opposite time-order. Short selling after the price is down is kind of pointless.

    There's a saying "he who sells what isn't his'n, has to buy or go to prison". That's what short selling is - borrowing shares to sell - and you have to pay them back to the lender at some point. If they're worth less at that point, you win, else the lender wins. It takes both sides to have a good market that sets prices, not that we've had one since the central banks started into serious manipulation.

    1. Doctor Syntax Silver badge

      Re: Why not give a little time before judgement?

      "No question this is sleazy, but maybe that industry (and a few others) need a real kick in the pants to design security in, and listen to those who tell them about problems?"

      If they'd told MedSec and been ignored the kick in the pants would have been fair enough. I haven't seen anything which indicates that this happened.

      The best that can be said for this line of argument is that it might prod other device makers into taking security more seriously. Might.

      1. Pompous Git Silver badge

        Re: Why not give a little time before judgement?

        it might prod other device makers into taking security more seriously. Might.

        So, what would you do to improve the lamentable security on St Jude's CRT-Ds? Personally, I have always worn full earthed silver mesh underwear anyway and the house I have lived in for the last decade is a Faraday Cage. I really can't think of much else I can do apart from retire to a secret lair on Macquarie Island.

    2. Pompous Git Silver badge

      Re: Why not give a little time before judgement?

      In my experience, medical devices are definitely not done by security gurus, not even close. They aren't bug-free, and yes, as is obvious here, they think they are immune to criticism.

      Just tested this. I told my CRT-D it was a lazy, arrogant cunt and not worth talking to. I suggested that if it wanted to continue with our somewhat intimate relationship it would need to buck its ideas up and try a bit harder.

      Now it's off to the workshop to build a giant transmitter to transmit Anarchy in the UK by the Sex Pistols into the crossover in my neighbour's loudspeakers. BWAH, HAH, HAH, HAAAA!

  4. Neoc

    I may be wrong, but isn't this also an example of "insider trading"? And isn't this frowned upon by both the stock market (if you get caught) and the Feds?

    1. Neoc

      Two thumbs down - which I don't mind, as I said "I may be wrong" - but no reasons given for them. <sigh>

      1. Pompous Git Silver badge

        Two thumbs down - which I don't mind, as I said "I may be wrong" - but no reasons given for them. <sigh>

        The reason is it's not insider trading that's happening here. See:

        Insider Trading
