[This message was posted by Russell Curry of Assimilate Technology, Inc. <r...@assimilate.com> to the "Information Security" discussion forum at http://fixprotocol.org/discuss/3. You can reply to it on-line at http://fixprotocol.org/discuss/read/cfd4a031 - PLEASE DO NOT REPLY BY MAIL.]
> Thanks for this interesting discussion. On the lighter side, here's the funniest example I have of how not to secure your electronic trading system(s):
>
> A large firm (which shall remain nameless) had a very successful electronic trading platform. I was helping some people do an audit and we got around to looking at the security model. One comment in the code immediately stood out:
>
> // Hope nobody sees this...
>
> Seriously - that was the comment. The code that followed was for the encryption mechanism used by the system. It was a simple XOR encryption scheme using a shared secret key. The system would generate a random key when it started up, and then send that key to the client, over an unencrypted connection... and then the "secure" connection would be established. I don't think I'd laughed that hard in years.
>
> Of course, people are always the worst enemy in security systems. There was a military facility where an enlisted kid who was working as a guard noticed that a senior officer was always looking up at the ceiling before entering the combination to open the door to a vault. The guard wondered why the officer was always looking up, so he walked over one day and looked at the ceiling - there, next to the light fixture above the door, someone had taken a pencil and written the combination to the vault...
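The scheme described in the post, simulated end to end as an added example (not code from the original post or from the firm it describes): the server sends the XOR key over the unencrypted connection, so anyone passively watching the wire reads the traffic. The example goes one step beyond the post: even if the key were never sent, repeating-key XOR leaks its key bytes wherever the plaintext is predictable, such as the `8=FIX.4.2` prefix of every FIX message. The sample order message and key length are constructed for the demonstration.

```python
import secrets

# Constructed sample plaintext: a FIX-style order, with "|" standing in for SOH.
SAMPLE_ORDER = b"8=FIX.4.2|35=D|55=ACME|54=1|38=100|"
FIX_PREFIX = b"8=FIX.4.2|"  # predictable start of every FIX message (known plaintext)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR as the post describes; XOR is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def flawed_session(plaintext: bytes, key_len: int = 8) -> list:
    """Simulate the post's protocol: the server picks a random key, sends it
    over the unencrypted connection, then both sides XOR traffic with it.
    Returns the transcript exactly as a passive observer on the wire sees it."""
    key = secrets.token_bytes(key_len)
    return [
        ("server->client", key),                        # key exchange in the clear
        ("client->server", xor_bytes(plaintext, key)),  # the "secure" channel
    ]


def passive_observer(wire: list) -> bytes:
    """No secret is needed: the first frame on the wire IS the key."""
    key = wire[0][1]
    return xor_bytes(wire[1][1], key)


def key_from_known_prefix(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Even without the key exchange, repeating-key XOR leaks the key: XOR-ing
    a predictable plaintext prefix with the ciphertext yields the key bytes at
    those positions. Requires len(known_prefix) >= key_len."""
    if len(known_prefix) < key_len:
        raise ValueError("known prefix shorter than key")
    return xor_bytes(ciphertext[:key_len], known_prefix[:key_len])


def audit() -> dict:
    """The two findings an auditor would record against this design."""
    wire = flawed_session(SAMPLE_ORDER)
    key, ciphertext = wire[0][1], wire[1][1]
    return {
        "observer_reads_plaintext": passive_observer(wire) == SAMPLE_ORDER,
        "key_recoverable_without_exchange":
            key_from_known_prefix(ciphertext, FIX_PREFIX, len(key)) == key,
    }
```

Both findings come back true on every run, which is the point: the design offers no confidentiality against a passive observer, with or without the key being sent.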