Wall St. Trading Servers To Power Off-Hour Clouds?

miller60 writes "As cloud computing gains traction, some Wall Street firms running armadas of servers to power high-frequency trading operations are contemplating leasing out their excess computing capacity after the trading day ends at 4 p.m. 'Once 4:30 rolls around, we don't need those machines,' said one CTO of a market data firm. 'There may be an opportunity there.' A similar revelation led to the creation of the cloud computing operation at Amazon.com, which built its infrastructure to handle peak Christmas-season loads that lasted just a few weeks each year."

Security nightmare

[UndyingShadow]

This seems like a security nightmare waiting to happen. I understand everything would likely be virtualized, but it just makes me nervous that you would be able to rent time on servers that interact with the stock market, especially considering how panicky the market can be, and how badly everyone suffers when it does panic.

Re:Security nightmare

[Tanktalus]

There is no such thing as perfectly-secure. They could already be hacked today, this isn't changing that. It merely introduces a new attack vector: the VM sandbox.

If the ROI is there, this can be mitigated. If they create a cloud using their existing hardware, and move their own apps into a priority cloud on that hardware, and sell the excess CPU time, then not only does an attacker need to figure out what VM they are in, and what, if any, vulnerabilities there are in that VM that they can exploit, they have to cause the parent virtual machine (let's face it, there's no reason why a virtual cloud needs to be sitting on physical hardware directly - and, for this purpose, AIX, Sun, and the mainframe are already on virtual machines anyway) to run arbitrary code that would then go and find other virtual machines, find the one of interest, and then cause THAT virtual machine to give up information.

Breaking IN to a virtual machine might prove more difficult than breaking OUT of a virtual machine. And you may need to break in to all of them just to find the one you need.

Security by obscurity isn't the same as no security. It's not perfect, but it does reduce the exposure.

And, besides, maybe they only sell CPU time to other corporations where they can better track who has access to what, with passworded VPNs that only go directly to the cloud that the password given grants access to.

It's all about ROI, and whether they can make it work while improving their overall financial picture. I bet they can. I'm not betting whether they do or not.

Wow

[dachshund]

I sure hope Wall Street is utterly confident in the security of their operating systems, VMs, low-level peripheral firmware, etc. Because if they're not absolutely confident, they should treat all of those machines as potentially untrusted from the moment they open them up to the world. This holds even if they constantly re-image.

When you're talking about the kind of money Wall Street stands to lose from a clever security breach, no amount of paranoia is too ridiculous.

Get rid of them entirely

[TubeSteak]

Not to derail the conversation, but high frequency trading doesn't contribute much to the stock market's ability to set optimal prices.

What actually happens is that high frequency traders squeeze in while prices are moving and they siphon off money. Neither the original seller, nor the original buyer gets the best price, and the high frequency traders make a mint.

Re:Get rid of them entirely

[LostCluster]

Yep. Market regulations are all about a "level playing field"... no using information others can't get yet for trades. Just ask Martha Stewart.

I really think a rate limit that makes high-frequency trading impossible is a good idea. Just like the TV ad goes, why do you want to sell something you just bought in an auction? Everybody in the room already said they wouldn't pay what you paid.

"Once 4:30 rolls around..."

[mcmonkey]

Said the CTO who is now looking for a job.

NYSE closes at 4:30. But there are other markets. And the data flows 24/7.

There is no reason for these systems to have spare cycles.

Re:"Once 4:30 rolls around..."

[NeumannCons]

It's my understanding that the high frequency traders need machines that are physically near to the market they're trading stocks on to minimize hops, lag, etc. and to chronologically beat everyone else who's trying to do the same. Everything is built to make transactions that can be executed almost immediately to take advantage of stocks going up or down before everyone else does thereby altering prices.

I'm going to guess that trying to play that game for servers overseas where lag can be measured in seconds won't work when your competition has servers located in the same building the market is in.

Re:Is This Secure?

I wonder if this poses any security concerns or problems? Is letting 'cloud users' access the servers that run out financial markets really a good idea?

You pose a good question. The answer is: It's all in the implementation.

a. What do these wall-street computers do? Seriously. Do these servers store data about stocks? Are they merely high throughput, low latency information distribution machines? In order to figure out if it's a security threat, we need these answers

If no data is being stored on these machines, then I see no reason why they can't wipe the VM and let it load up some default image. From there, it can do tons of cloud computing stuff.

But in the same regard, there have been articles on Slashdot about compromising a VM. I'm sure that it's low risk, but it would have to be a very targeted attack against a firm.

We need more data.

Re:Is This Secure?

[sopssa]

But Virtual Machine's are only as good as they're designed. Even the most known and biggest vendor VMWare has had serious bug and exploits in their software. For one example see this, which let an exe running in the guest OS exploit a vulnerability in the VM code to get code run in the host OS. A serious security risk, especially when were talking about Wall Street. Even getting an access to their internal network opens new possibilities.

Just because of this I think it's a stupid idea. Even more so because the gain is not really that much, but it can be really destructive. Someone will find a way to exploit it.

Cost to Society

[Oxford_Comma_Lover]

Yes. If Amazon went down tomorrow and never came back, society would be fine. If the stock exchange were taken over by malicious but hidden computer software for months, and then finally was taken down, the damage to society would be MUCH more severe. It's not just a way of exchanging everything, it's a way of establishing who owns what. If suddenly nobody knows who really owns every stock that's traded in the last six months, we've got a major frikkin problem. We shouldn't, maybe, but we do because money is an illusion.

Re:Cost to Society

[LostCluster]

A stock-trading unauthorized program is the nightmare of financial IT so there's frequent checks to make sure that doesn't happen. If a financial company doesn't know what it owns, it doesn't know much at all.

If something is being artificially inflated or deflated there will be people asking "Why?". A human rogue trader, trading with money that isn't his and doing something other than what the money's owner has authorized him to do is an international story when one happens. A software rogue trader wouldn't last very long.

Re:Cost to Society

[BitZtream]

the damage to society would be MUCH more severe

Only if someone told society that it was gone. The stock market effects a few select people drastically, but really has little influence on our daily lives in and of itself.

The panic and fear generated as a result of a market failure as people start hording for no reason other than CNN or FOX said the world was coming to an end are what causes problems.

If it simply ceased to exist the world would change very little. Stocks are based on what someone thinks a stock is worth, its precieved value.

Lets face it, I own more than a few shares of Apple, but until I sell them they are barely useful for starting a fire. If the stock market ceased to exist, their actual value would be identical to what it is now.

Re:Is This Secure?

[Huh?]

I could see this being useful as some sort of "private" cloud during off hours (i.e. selling time to banks for batch and accrual operations...etc), but allowing the unwashed masses access to the underlying infrastructure of something as important as financial trading just seems like a recipe for a security disaster.

What goes around comes around...call it GEnie.

[Quarters]

I guess if an idea is 20+ years old the statute of limitations has run out and someone can use it again as NEW and EXCITING.

Re:Is This Secure?

[Hooya]

You could have the exploit install something into the host OS and have it run when the regular stuff is back on and connected.

But what happens to the cloud at xmas?

But so far as I know Amazon doesn't shutdown the cloud at Christmas? Meaning they have to have enough capacity now to handle both the cloud AND their peak Christmas load. Well I guess they could sell the spare capacity for cloud computing the rest of the year... Recursion, anyone?

Re:Is This Secure?

[davester666]

You are making the argument that they should go ahead with this because it is possible they COULD implement [and maintain] some kind of cloud setup while keeping their core financial setup completely secure and functional, ready to go each day at 8:30 am or whenever.

Yes, they COULD do it. It is theoretically possible.

Experience, history, bone-crushingly stupid decisions by the financial industry [hello, welcome to the recession, would you mind giving us $100 billion just to tide us over for the next year or so] say no, they don't have permission to do this. And it seems we need someone more powerful than any of the 3 branches of the US gov't to make sure they don't do it.

And by "bone-crushingly stupid decisions", I mean making decisions that result in the entire world going into financial difficulty. Of course, these same decisions made a whole lot of individuals incredibly wealthy, with evidently no significant downside for them.