Pacemaker maker St Jude faces new security flaw claims from biz short-selling its stock

Security startup MedSec and the financial house backing the biz have published new allegations of security flaws in pacemakers and defibrillators built by St Jude Medical – and again look set to profit from the disclosures in an unorthodox way. In four swish videos, the MedSec team claims it exploited a debugging backdoor in …

  1. John H Woods Silver badge

    Surely this is almost the definition of insider trading?

    Profiting from share movements in publicly listed companies by having access to non-public information ... isn't it?

    1. pdh

      Re: Surely this is almost the definition of insider trading?

      According to the U.S. Securities and Exchange Commission website: "Illegal insider trading refers generally to buying or selling a security, in breach of a fiduciary duty or other relationship of trust and confidence, while in possession of material, nonpublic information about the security." So you'd have to argue that MedSec was in a "relationship of trust and confidence" with St Jude, which seems unlikely. They're slimeballs, but this isn't insider trading.

      1. Steve Davies 3 Silver badge

        Re: Surely this is almost the definition of insider trading?

        So...

        1) make up a story about company X and their product

        2) Get into bed with a financial company

        3) spread the story as the financial company shorts the stock

        4) Repeat until stock is worthless and financial company has made a packet

        5) Buy the stock for a few pennies on the dollar using the profits from shorting

        6) Declare that the story was all lies but by then it is too late.

        So this way of destroying a business is perfectly legal then?

        Way to go USA.

      2. John H Woods Silver badge

        Re: Surely this is almost the definition of insider trading?

        @pdh et al. I agree with what you are saying about having to normally establish the "insidership" of traders by virtue of direct relationships but there is a broader definition of insider trading under the heading of "misappropriation" e.g. Rule 10b5-1. I think it might be possible to make an argument that a penetration tester has, by virtue of testing products from a vendor, established an indirect or derivative duty to the corporation or its shareholders, even when it has no direct relationship with that vendor.

        Furthermore, as it seems that MedSec approached a hedge fund, rather than simply individual MedSec employees doing their own private little shorts, they may have made it harder to prove that no-one acted "on the basis of material non-public information".

      3. Anonymous Coward

        Re: They're slimeballs

        can't comment on the (il)legality of what the invertebrates at Muddy Waters and MedSec have been doing but (1) upvoted for the characterisation alone; (2) it's their second offence ... and if it's not illegal, it damn well should be ...

        combined with the IoT botnet attacks reported here, the whole thing really should shake up IoT security usefully, or is that hoping for too much?

    2. Solmyr ibn Wali Barad

      Re: Surely this is almost the definition of insider trading?

      They're not insiders.

      But yes, external manipulations via knowingly false statements are also frowned upon, if they can be proven as such. St Jude has filed a lawsuit for that purpose.

      1. Yet Another Anonymous coward Silver badge

        Re: Surely this is almost the definition of insider trading?

        Which is the beauty of the plan, St Jude sues them and "St Jude medical devices deadly cyberflaw" is the headline, driving the stock even lower.

        Even if they won, which they probably wouldn't because of free speech laws, the attackers just have to do it from a shell company with no assets

    3. a_yank_lurker

      Re: Surely this is almost the definition of insider trading?

      Short answer - No. This is stock manipulation fraud, a related but different beast. In this case it is outsiders trying to manipulate the stock price to make a tidy profit by feeding the rumor mill. Since most brokers and traders are not that computer savvy nor understand computer security they might be susceptible to panic selling if there are well publicized "reports" of a serious flaw or a badly overhyped flaw. Even if there is a flaw, the manipulators only report a working range of 7 feet/2 meters, which means any attack using these flaws would probably be investigated as (attempted) premeditated murder. A murderer may be better off using a knife or gun at that distance because neither requires any hacking skills.

      1. Pompous Git Silver badge

        Re: Surely this is almost the definition of insider trading?

        Even if there is a flaw, the manipulators only report a working range of 7 feet/2 meters, which means any attack using these flaws would probably be investigated as (attempted) premeditated murder.

        Before the CRT-D can receive any signals, a strong magnet must be placed in very close proximity to the device. Confirmed this with the technologist in charge of mine last week. I'm not panicking. When your heart's in such bad shape that you need a CRT-D you tend to worry about things other than some random script-kiddy hacking the device.

    4. Voland's right hand Silver badge

      Re: Surely this is almost the definition of insider trading?

      No, as it applies only to anyone with some form of a relationship with the company.

      Frankly, what these guys are doing is the only way to deal with the IoT gang. FDA, FCC, FTC and short their stock for good measure, because your general connected gadget (medical or otherwise) developer neither has the clue nor desire to make it secure.

      Is what they are doing "morally right" - not sure. Is it the only thing which will actually make a difference - probably yes.

      1. Pompous Git Silver badge

        Re: Surely this is almost the definition of insider trading?

        your general connected gadget (medical or otherwise) developer neither has the clue nor desire to make it secure.

        What is it you don't understand about needing to switch the device into receive mode with a magnet?

        1. Wzrd1 Silver badge

          Re: Surely this is almost the definition of insider trading?

          "What is it you don't understand about needing to switch the device into receive mode with a magnet?"

          Actually, it's placed into communicate/programming mode with the magnet.

          The rest of the time, the device is read only. It can transmit telemetry, but it won't receive any instructions unless the magnet is in place.

          To be specific, a ring magnet suspiciously like a magnetron magnet that's encased in plastic.

          Still, a debug mode for developers *might* be able to bypass that protection. Still, if they're within two meters, I'm more than comfortable. That's both knife and cane range. :)

          1. Pompous Git Silver badge

            Re: Surely this is almost the definition of insider trading?

            it won't receive any instructions unless the magnet is in place.

            Not quite. Once in receive mode, the device is accessible wirelessly; my technologist demonstrated this by removing the magnet and making the last lot of adjustments without the magnet in place. She also pointed at the wireless device.*

            I think the main point here is that if someone wants to kill you, there are so many easier ways than fucking about with CRT-Ds.

            * This is a distinctly different device than the Merlin@home device that telephones information it receives from the CRT-D to the cardiologist.

  2. Pen-y-gors

    Interesting possibilities...

    I appreciate this hack (if genuine) relies on short-range wireless. But just think when we get the next generation of IoT pacemakers - DDoS could come to mean Deadly Denial of Service.

    "Hey Charlie, why are you twitching like that?"

    "Sorry, just trying to knock Amazon off-line again"

    1. Pompous Git Silver badge

      Re: Interesting possibilities...

      "Hey Charlie, why are you twitching like that?"

      "Sorry love. I'm actually dead. That's just the defibrillator trying to reboot me."

  3. iLurker

    Yes some people need glasshouses.

    Yes they do break if you insist on throwing rocks at them.

    I'm wondering how long before the idiots in the community get tired of this, and those who need pacemakers can sleep easily at night without wondering if some fool is messing with it.

    1. Wzrd1 Silver badge

      "I'm wondering how long before the idiots in the community get tired of this, and those who need pacemakers can sleep easily at night without wondering if some fool is messing with it."

      Anyone who gets two meters or less from me while I'm sleeping and that individual isn't my wife is someone that, if they're fortunate, gets shot.

      Unfortunate means, I'm using a knife.

  4. Anonymous Coward

    different view

    There are very few times that I ever wish pain and suffering upon anyone but these beings deserve the worst possible. Blackmail of this sort is intolerable and a society that allows it should be ashamed.

    If there is a safety issue with a medical device that could potentially affect thousands of people it is society's responsibility to ensure that such information gets to the people who can fix the issue. There must be severe penalties for attempting to manipulate any contrived delay of the disclosure of such technical information.

    We have seen similar incidents with drastic increasing of lifesaving drugs. Unfortunately we apparently need laws to enforce what should be standard moral behavior. Legislated morality.

    1. a_yank_lurker

      Re: different view

      There are laws on the books that can be used against the two companies if the local feral DA is willing to go after them. The problem is the feral DA is apparently not interested in the case and his chain of command is not willing to make him do his job up to Obama.

      1. Yet Another Anonymous coward Silver badge

        Re: different view

        Assuming the next two companies are American.

        An Israeli "security consultancy" targets a Pacemaker built by a Swiss company and their Panamanian hedge fund partner shorts their stock on the NYSE - exactly what does the New York DA do about it?

      2. Geoffrey W

        Re: different view

        @yank_lurker

        I just knew it! It's all that fucking Obama's fault! How come it's always his grubby fingers yanking the other end of all the strings in this shitty little conspiracy addled world?

        1. Wzrd1 Silver badge

          Re: different view

          "How come it's always his grubby fingers yanking the other end of all the strings in this shitty little conspiracy addled world?"

          Indeed, why Obama also showed me where to park my car when I came to work in a building that he'll never hear of, in a city that he's likely never even heard of.

          He then jimmied the lock at my house and did the dishes for my wife.

          Feeling his good works for the day were completed, he proceeded to the meadow behind my data center, where he stampeded the women and raped the cattle.

          Seriously, these wankers really do need a reality injection. And they'd probably benefit from some lithium salts as well.

          Perhaps then, they could return back to their job as living advertisement for birth control.

          "Don't risk having a child that turns out like this! Use our protection product."

      3. Pompous Git Silver badge

        Re: different view

        The problem is the feral DA is apparently not interested in the case...

        Have you considered domesticating the DA?

      4. Wzrd1 Silver badge

        Re: different view

        " The problem is the feral DA is apparently not interested in the case and his chain of command is not willing to make him do his job up to Obama."

        Ah, so now the POTUS makes decisions on even relatively minor stock manipulation and fraud. Does he also oversee parking tickets in the Bronx?

        What a fucking idiot.

  5. Anonymous South African Coward Bronze badge

    Way to go... Just wow.

  6. Pompous Git Silver badge

    A few things to contemplate

    This time last year, I could only walk (stagger?) about 50 metres before needing a rest to recover my breath. In June, a surgeon placed a St Jude CRT-D in my chest and I can now walk briskly for an hour before my arthritic pain begins to slow me down. The cost of the device was ~$AU60,000.

    If my heart goes into fibrillation the device automagically defibrillates me. No need for someone with the relevant expertise to find a defibrillator and use it on me. I think that's kewl.

    MedSec claim that hackers can access my CRT-D and threaten my life. Well, they can IFF I allow some curmudgeon to place a strong magnet on the skin of my chest over the device. The likelihood of that happening while I'm conscious is to say the least, slight. If your name's not Miriam, you aren't going to get away with it.

    The real threat to my life is from MedSec who would appear to be only too happy to see St Jude go titsup. Not to mention the fact that ever so many people who need such a device are being scared out of making the decision to receive a CRT-D implant from St Jude or any other manufacturer.

    Slimeballs doesn't begin to describe the arseholes at MedSec.

    1. Wzrd1 Silver badge

      Re: A few things to contemplate

      "In June, a surgeon placed a St Jude CRT-D in my chest and I can now walk briskly for an hour before my arthritic pain begins to slow me down."

      You lucky bastard! I can't quite get anywhere near an hour before my arthritis grinds me to a stop.

      Oh well, at least I can still walk those four miles to work, while wearing my laptop bag.

      I'm anticipating needing a CRT-D later though, a heat stroke makes me throw PVCs often enough to actually toy with v-tach, plus LVH, secondary to hyperthyroidism induced hypertension that very nearly blew my aorta out.

      I do have a reasonable expectation that the damnable thing is at least secure enough that I don't have to worry about someone trying to screw around with it. It's entirely possible that there is a debugging mode that bypasses the magnet requirement.

      Lemme check the software catalog. Ah, here it is, McAfee endpoint protection for implantable medical devices. "Don't let malware become the end of you"...

      No, there really isn't such software. Yet.

      Here's to hoping that this outfit enjoys a call from both DHS and the FTC. DHS, because, "A terrorist could stop by a cardiac clinic and claim a victory" (that wouldn't be noticed) (yeah, they'd do that, if they hear about this story, as that *is* how they think).

      FTC, as this is stock manipulation and fraud.

      1. Pompous Git Silver badge

        Re: A few things to contemplate

        You lucky bastard! I can't quite get anywhere near an hour before my arthritis grinds me to a stop.

        Pain management strategy:

        Anti-inflammatory meds*, gentle exercise and very loud music. If you concentrate on the pain, you reinforce the nerve circuitry that generates the pain signals going to your brain. If you concentrate on something else, such as loud music, you do the reverse.

        Naproxen, glucosamine, bio-curcumin and occasionally prednisone during flare-ups. There's always oxycodone, but I'm not all that happy taking drugs of addiction.

        It's entirely possible that there is a debugging mode that bypasses the magnet requirement.

        I doubt it. The device that prevents reception is likely a reed relay that shorts or open-circuits the receiver input. You'd not want spurious signals getting into the device. Hardware laughs at software ;-)
