Rogue Code

6

Victorio Manuel da Silva-Bandeira — or Victor Bandeira, as he more commonly called himself — took in the sweep of the azure South Atlantic through his Chopard sunglasses and estimated he’d take another hour in the sun and sand.

It was a warm spring day in Rio, the temperature approaching eighty, with a light wind off the water. The sky and sea were so closely matched in color as to blend into one. The majestic Sugarloaf Mountain commanded the landward view.

Bandeira sat in a low white lounge chair protected by an expansive umbrella. Beside him on the sand were a rumpled beach towel and a small table for drinks and food. Bandeira sighed contentedly as he set an empty beer bottle down. It had been too long since he last did this. As a boy, and later as a teenager, he’d spent every day he could on the beach. What had happened?

Life, he thought, life is what happened.

Spread across the fine sand was the usual crowd for this time of year: couples, pairs of friends, residents of the hotel, and the occasional family. Around the point was Ipanema beach. There the beach was carefully, though informally, sectioned off — couples here, teenagers there, families in this place, sports enthusiasts playing on their stretch, the entirety of the famous expanse demarcated for organized use.

Copacabana was different, had always been different. Extending along its stretch across the street were the resort hotels, the beach before them designated as exclusive territory by modest flags. No intruders, no roaming packs of disruptive youths, no vendors in irritating numbers. Each area was meticulously maintained and carefully serviced by attentive hotel staff.

The only exception to the rules of beach occupancy was made for lovely young women, who were always welcome. This was, after all, Brazil. From his chair, Bandeira tipped his head to more carefully examine the two women lying on oversized beach towels not that far away. He’d wondered about them at first, but when his bodyguard, Paulinho, standing between Bandeira and the roadway, shook his head lightly he decided they were exactly what they appeared to be — very attractive women taking in the sun. It was the national pastime of Brazil, for rich and poor alike, especially in Rio.

Beyond them, Sonia, Bandeira’s current mistress, rose from the water and stood there a moment, moving her long blond hair onto her back, then met his gaze with her bright dark eyes. Of primarily German stock, Sonia was Brazilian about the eyes and in the languid manner of her every motion.

Bandeira’s yacht, the Esmeralda, was in dry dock. Otherwise, they’d have spent the day aboard her, but this beach was very nice indeed. Bandeira made a mental note to visit it more often. He turned to summon a waiter for another beer. As he did so, he caught a glimpse of the Copacabana Palace Hotel, the oldest premier resort in South America. Built in 1923 when the tunnel through the mountains from central Rio opened up Copacabana beach and what became the South Zone of the city, the structure, with its distinctive art deco design, was now a national landmark. Almost anybody who was anyone had spent time here: the rich, the famous, royalty, movie stars, millionaires, billionaires, and the grifters they drew. The hotel had been remodeled and extended but remained from the beach as unchanged as the day it went into operation.

Unlike in modern hotels, you actually felt as if you were living in luxury when staying at the Palace. The only irritation from Bandeira’s perspective was that thus far, his attempt to acquire a penthouse on the top floor with a view of the beach and sea had been rebuffed. Well, he thought, if money doesn’t talk, there are other ways.

Sonia had come over to stand beside him, her firm legs dominating his view, droplets of water sparkling on her lightly tanned skin, pretending to shiver as she toweled herself dry, making a brrr sound with her lips. Then she smiled — always an invitation there — before lying back on the beach towel, squirming this way and that, her breasts commanding his attention as she made herself comfortable. “The water is very refreshing,” she said. “You should go in.” As she slipped on her sunglasses, her pretty face assumed the aspect of an innocent child.

“Soon.” It was pleasant here with the sun and warm sand. The water would be cold.

The waiter arrived with his Bohemia beer and glass balanced atop a small silver serving tray and held it down for Bandeira, then vanished when the beer alone was removed, taking the empty bottle with him. Bandeira took a pull, instinctively glancing down at his stomach and wondering where they had gone — his youth and fitness. He’d been a slender young man, one who always took his vitality and vigor for granted. Over the years, with greater personal and financial success, he’d slowly filled out, first into a man of stature, now into one of advancing years with too much fat.

Despite the excess weight he was a handsome man, just above average height for his generation, a bit darker in complexion than the upper class of Brazil, with gleaming teeth behind fleshy lips. He wore his lustrous, mostly black hair combed straight back. Occasionally when he smiled, there was just a touch of cruelty about his mouth, the hint of something more sinister than his usual pleasant demeanor suggested.

Bandeira had no illusions about Sonia. At fifty-one years of age, he knew his appeal lay with his bank account. He’d seen more than one man in his place make a fool of himself over a woman like her — a girl, really. He wasn’t about to play that game — or be played.

Still, her affection seemed genuine enough, and with the exception of telling him that her ambition was to become Miss Brazil, she’d never asked him for a thing, absolutely nothing. Of course, they’d been involved only a few weeks. That self-suffiency could change.

Sonia came from a good family, one of the oldest if no longer the richest in the country. She knew other wealthy men. In fact, her father would have been very happy if she’d shown an interest in nearly any of the rich men with whom he worked. It was still traditional and common in Brazil for the young daughters of the wealthy to marry men who were contemporaries of their fathers. Such arrangements were mutually profitable to everyone concerned. Through such a marriage her father, Carlos Lopes de Almeida, long president of the Banco do Novo Brasil, would unite his family with another powerful and affluent family. The patriarchs would share the same grandchildren, who would in time inherit. His daughter would be assured of a life that continued in the style in which she’d been raised. All would remain as it was.

Bandeira wondered what Lopes de Almeida would think if he knew about the two of them. He smiled at the thought. He wondered even more just how much of Sonia’s interest in him was a youthful act of rebellion against her father and his traditional ways; certainly more than a small measure. Not that it mattered. He gazed at her and speculated what she’d think and do if she knew his real history, where he’d come from.

“What are you smiling at?” she asked.

He hadn’t realized she was looking at him. “Nothing.”

“Mmmm. I’ll bet it was something.”

I’ll tell her, Bandeira decided. I’ll tell her the whole story and just watch. That, he thought, easing back in his chair, will be something. Better yet, he reconsidered, I’ll show her.

7

As Jeff Aiken and Frank worked in their assigned office on Wall Street that morning, Jeff reflected on how this assignment had come about. He was contacted two months earlier by the director of Trading Platforms IT Security for the New York Stock Exchange and had negotiated the terms of the project as well as the start date. The two had never met, but as was often the case, Jeff’s reputation preceded him, and his name came up by word of mouth. A common bot had been discovered on one of the Exchange’s Web servers, and security had no idea how it got there. The breach should have been impossible.

The director was Bill Stenton, a handsome African American man whom Jeff estimated to be in his early forties. Before meeting, Jeff had done his usual background research and learned that Stenton had been with the Exchange just three years, having come from the IT department of Wells Fargo. Though Stenton was reportedly competent, some of the feedback Jeff got characterized the director as high-strung and even difficult at times.

Jeff couldn’t help noticing that though trading platform security was a major component in maintaining the integrity of the world’s most important financial trading institution, there were three layers of bureaucracy between Stenton and the CEO. That was just one of several indicators to Jeff that the Exchange, despite all its computer and software dependency, didn’t give its core system’s security the attention it required.

When they met, Stenton told Jeff that his IT team was of the opinion that the trading platform had not been targeted specifically by the malware bot, but rather the NYSE site had been accessed by an automated scan searching for a vulnerability. Finding one, it had infected the system. The bot didn’t appear to have impacted any customers or disrupted operations, but there was concern because it had managed to get past the security team’s defenses, and it had been on the server for at least three days before IT stumbled across it while performing routine software upgrades on the system. If something as straightforward as a bot could make it into NYSE’s computers, then certainly malware far more dangerous could break through as well.

“We regularly run internal red team versus blue team exercises, but I’m concerned that we’re overlooking obvious weaknesses,” Stenton said evenly. “What we want is an external penetration test, the very best and most sophisticated you can manage. Our suspicion is that one of our own employees inadvertently opened the door for this bot. Pull no punches. I want you to be sneaky as hell. Learn our exposure and tell us where it is so it can be fixed. Our own people won’t even know what you’re up to. It is absolutely essential that the integrity of our trading software not be subject to question. The stability of world financial markets depends on it.”

“Pentests” were the cybersecurity equivalent of military war games, designed to evaluate the security of a computer system by simulating a malicious attack from outsiders as well as insiders. Once the pentest was completed, its results were presented to the system operator. The report included an assessment of the system’s security and vulnerability along with specific recommendations to counter them.

The pentest itself involved an analysis for gaps that were usually a consequence of inadequate system configuration, hardware or software flaws, or other operational process weaknesses or lax security countermeasures. Those conducting a pentest approached the computer system as a potential attacker might and sought to aggressively exploit any security holes they discovered. Those chinks in the armor could include misconfigured and unpatched software or systems not properly secured. Employees might be lured into visiting infected Web sites or opening malicious e-mails. Malware then tried to take advantage of missteps in the system.

Jeff and Frank Renkin, Daryl’s replacement at Red Zoya, had been housed in a Holiday Day Inn Express off nearby Water Street and were given an office on Wall Street in IT operations not far from the Exchange itself. Jeff was surprised the software development and computer operations were housed here, as it was some of the most expensive real estate on earth. The location was especially questionable, as the main data center was in New Jersey. The Exchange’s primary IT operation could have been housed anywhere; much of its supporting IT operation was, in fact, in Chicago. Apparently, NYSE Euronext had money to burn.

Access granted to a receptionist or data-entry employee was the weakest link of the Exchange’s cyberdefense because through those users, malware could gain entry into the system. Receptionist-level accounts on the network position served as Red Zoya’s starting point. Frank and Jeff were given contractor key cards to enter the building and assigned a shared office. They found it to be standard IT issue. Jeff had worked in dozens, likely more than a hundred, similar offices, each interchangeable with every other. The staff itself worked from cubicles, with managers occupying real offices around the perimeter. Jeff and Frank were given one of the small outer offices containing two desktop computers with flat-panel monitors, a modest gesture acknowledging the significance of their work but really chosen for privacy concerns.

The staff was told that the consultants were software contractors finishing the last stages of a project on-site. They were given computer accounts with the limited access permissions of basic staff unaffiliated with any particular group or project. The e-mail program that came with the accounts contained a directory of users, while the browser was programmed by default to open the Exchange’s intranet portal. That page served as a central source of company news and was a hub to which department and team sites were linked. It also served as a search facility that enabled users to find documents and sites across the network. With no more information than that, Jeff and Frank were to launch their attack.

Neither Jeff nor Frank had been surprised at being hired by the Exchange, or the nature of their project. NYSE Euronext was entirely computer and software driven. It was essential that the trading public and world financial system have faith in the Exchange’s operation, so its security needed to be as close to perfect as possible.

There had always been problems with operationalizing high security. The keys to the Exchange were information and transaction speed. During the crash of 1929, the ticker tapes that recorded trades and were the lifeblood of traders had run hours behind events. The growing lag had spread panic and, it was believed, intensified the financial disaster. Traders had speculated in the dark, acting on rumors, many of which later proved unfounded. Reforms, including faster ticker machines and new regulations concerning trades, had improved transactions and renewed traders’ faith in the Exchange but never eliminated a lingering level of unease.

NYSE Euronext traded equities, derivatives, futures, and options of nearly every sort. It listed nearly ten thousand individual items from more than sixty countries. The Exchange’s markets represented a quarter of all worldwide equities trading and provided the most liquidity of any global exchange group, meaning it was almost always possible to actually make a trade. It was rapidly working to become the only exchange any trader would ever need for every kind of financial trading transaction.

As a consequence, NYSE Euronext had embarked on the greatest expansion in its history. When the expansion was completed, nearly all the world’s trades would, at some point, pass through the Exchange’s computers. The envisioned future was breathtaking in its audacity.

Nothing so innocuous as a bit of untargeted malware was going to bring the integrity of NYSE operation into question. The implications of broad distrust in its security were simply unimaginable, not just to the Exchange, but also to the interconnected world financial system. It was a system that operated largely on faith. Break that faith, and a financial catastrophe of epic proportions loomed.

As the pair had expected, NYSE system security was first rate. But once past the initial layer of defense, Jeff discovered the same erratic patching he had seen time and again with companies that asked the public to trust them with their private information. Some of this exposure had to do with time, as a certain delay was inherent in how patching was actually performed. First the vulnerability had to be detected, which usually took place only after an exploit that took advantage of it was released. It then took the software vendor, security research firms, or in-house shops anywhere from two to four weeks to develop mitigating configurations and a corrective patch, which would then be rolled out. The actual patching itself was time consuming and many times failed to receive the immediate IT attention it deserved, resulting in another delay until a patch was finally applied to the company’s software, though too often even that failed to take place.

Part of the reason for delays and failures was simply human error and sloppiness. But there was more than just negligence involved. Every business had to make an assessment of the consequences that might arise from installing a patch. Updates were not always smooth and could create any number of unintended problems. Businesses, therefore, tended to err on the side of assuming the patch might compromise their software or interfere with something that interacted with it. In many cases, security risks were balanced against the risks to business processes, and then there was a period of reflection, during which the consequences were weighed. Sometimes after deliberation, the patch was intentionally never installed.

But whether holes were left unpatched as a result of a conscious decision or from plain ineptitude, they remained open doors for aggressors who might come later. Banks with household names too frequently had tin-box defenses within their outer walls, even though they usually adhered to industry-approved responses and followed cybersecurity best practices.

In the case at hand, an unpatched vulnerability in Payment Dynamo, a popular business application, was the missing brick in the wall that had separated Jeff and Frank from the fantastically complex internal IT network connecting the Exchange’s hundreds of servers and thousands of employee PCs.

This was the first time Jeff and Frank had worked on-site together, and it was going well so far. Persuading Frank to join him at Red Zoya after Daryl’s departure had not proved as difficult as Jeff initially feared. Though Daryl and Frank were old college friends, Jeff had known the man nearly as long. There’d been years when he had little contact with Frank, though they’d met in person to compare notes and complain from time to time when they worked with the CIA. Their work was related, often overlapping, and if colleagues didn’t go around the bureaucracy occasionally, then nothing would get done.

For a time, the two men had been on the same Company league ball team, where Frank played a competent second base. He was of average height and a bit thin. Both on and off the field, he was even-tempered and solid. He approached everything methodically.

Frank had a background in technology, with a degree in computer science, and he’d joined the CIA after college. But instead of moving into computers, which were then in their relative infancy and not a priority, he worked as a field agent for seven years, employing his computer knowledge as a cover. Frank never spoke of his assignment much, but Jeff surmised that he’d been the real McCoy, trained in tradecraft. He’d been stationed in the United Kingdom and Spain, neither of them hot spots, and as a consequence spoke excellent Spanish.

But Frank gave all that up when he decided to marry Carol, and a safer and more predictable life became a priority. Theirs was a happy marriage, and the couple had three young children. One measure of Frank and Carol’s close relationship with Daryl was that they had named their third and likely final child Daryl.

Frank had done well when assigned to Langley. He worked just two years as a cybersecurity researcher with the Company while obtaining a graduate degree before becoming a team manager and from there moved further into technical management.

At work, Frank’s personality and appearance caused him to blend in, to be forgettable, which must have been an advantage, Jeff decided, when he’d been a case officer. For all that, he had no problem pulling his own weight or standing up to other managers in the relentless internecine struggles that marked CIA bureaucracy.

It had been the ongoing struggles for ownership of cybersecurity charters among various government organizations that finally wore Frank down. Once he became eligible for a pension, he was open to Jeff’s offer. When he put in his papers, he’d been serving as the assistant director of Counter-Cyber Research.

More than once over the last eight months, Frank had mentioned to Jeff how little he missed the Company. The only part of his new job he disliked was the occasional travel assignments required of him. It might be a digital age, but some things still had to take place on-site. Direct access was especially common with highly secured companies. Though Jeff worked every day since arriving, Frank had squeezed in a weekend trip to his Maryland home.

Jeff’s decision to remain on the job had been rewarded late yesterday morning, when the pair succeeded in positioning themselves for final penetration into the NYSE Euronext core operating system.

Frank had turned to Jeff with a profound smile and said, “That was as thrilling an achievement as I’ve ever experienced with computers. No wonder you love this job so much.”

8

Jonathan Russo started over, trying to make sense of the incomprehensible. If his first pass was correct, the company was $16 million in the hole since the opening bell. Not only was that a great deal of money for Mitri Growth, but it also wasn’t supposed to be possible. The firm had experienced temporary, unanticipated losses previously, but never anything like this.

In 2010, the NYSE Euronext opened its new trading hub in northern New Jersey, just across the line from New York State. Located at the site were the actual computing engines that formed the heart of the Exchange. The hub had been built to increase transfer speed, as most trades were now executed by computers rather than by individuals; to give transactions a greater measure of security, both physical and digital; and to increase profits.

Though rather ordinary looking as a building, the 400,000-square-foot data center was a contemporary fortress. There was but one way into the windowless structure, and that entrance was located not at the street address but in the rear. Surrounded by a river on one side and a moat about the rest, the trading hub was invulnerable even to a car bomb.

The visible building was an illusion, an outer wrapper that served much like medieval armor. Within it lay the actual structure. And while the hub’s physical barriers were formidable, augmented by skilled armed guards and bomb-sniffing dogs, every electronic security measure possible was in place as well.

From this highly favorable location, the facility had ready access to any number of cybernetworks, along with two independent power grids. It also possessed its own backup electrical generator system. In fact, the facility had two of everything. An ever-increasing percentage of equities and options trading in North America was processed within its powerful servers. It was critical that it never fail to process them.

The facility was also designed to provide a colocation opportunity for trading firms seeking high-speed access to its engines. In an arrangement known as proximity hosting, the trader pods were each twenty thousand square feet and cost millions, not including the significant ongoing access fees. With the first pods selling out before the hub opened, construction was already under way to provide another five. These housed entire computer ecosystems used primarily by hedge funds and trading firms. The proximal location allowed clients to conduct trades in microseconds, and in this industry, being first meant everything.

The logic was simple: For every one thousand feet a hedge fund’s servers were distant from the Exchange engines, one-millionth of a second was added to a trade, the length of time it took light to travel that distance. The NYSE servers processed more than one million orders every second. Each trade required the acquisition and processing of data, then a return of the decision. The process was accomplished in microseconds, round-trip. Colocation offered traders a highly profitable advantage, which explained why the pods leased for such exorbitant sums, a significant income stream for the Exchange.

The NYSE wasn’t stopping with hub expansion. It was also feverishly constructing a series of microwave towers from Manhattan to its operation in Chicago, more than seven hundred miles distant. Microwave technology allowed the transmission of data in 4.13 milliseconds, 95 percent of the theoretical speed of light. The chain of towers would replace the existing fiber-optic cables, which transferred data at just 65 percent light speed. NASDAQ already had similar towers in place. NYSE’s structures reduced latency by three milliseconds at a cost of $300 million, and were expected to be highly profitable.

Mitri Growth had acquired a proximity pod in New Jersey, though its trading code was written at the office here in St. Louis. One of the beauties of high-frequency trading was that it could be managed from anywhere on earth.

Russo glanced up at his team. They were feverishly at work to remedy the disaster still unfolding. Did he dare pull the plug? He was reluctant to do so before he knew what was taking place. But Mitri Growth couldn’t sustain a loss like this for long. The hedge fund catered to high-end investors. In fact, much of its $250 million came from the personal portfolio of the company’s Lebanese founder.

But if Russo’s people could get this fixed before close of trading, there’d still be time to undo some or much of the loss. If the losses were real, that is. What he suspected, and what had thus far prevented him from acting, was the possibility of an aberration created by the new algo the team launched. The computers stated that Mitri Growth was losing money, but they might mistakenly be reporting a freakish reaction to the new software, not actual trades involving real money.

His chief assistant, Alexander Baker, had first proposed the possibility to Russo earlier in the day, when they discovered that the trouble came from the test code of the new program. His team was acting on the assumption that the test code had somehow activated in the production system, where it discerned the actual trades, but was reporting back to them using one of the fictitious scenarios embedded within it. The team was testing each of those in an attempt to confirm their hypothesis.

In the meanwhile, Russo’s computer continued to claim that Mitri Growth was hemorrhaging capital. He looked at the wall clock with a sinking heart. If they were wrong, if this loss was real, they were running out of time to recover.

After eight years with Jump Trading in Chicago, Russo had joined Mitri Growth the previous year and assumed supervision of its ten-person programming team. He arrived right after the founder had taken the step of acquiring a proximity hosting pod at the NYSE Euronext hub.

Jump Trading was one of the earliest companies to migrate to electronic trading on the old New York Stock Exchange. Known for its cutting-edge algorithmic trading, the company had established itself as one of the founders of the new digital trading world.

With a Ph.D. in computational mathematics, Russo had worked in creating the algos, as they were commonly known, that generated the company’s profits. He’d enjoyed the work, but in his view, too much of what he devised had been vetoed as too risky. Jump, he’d discovered, was too conservative for his taste. He couldn’t understand the persistent aversion to a higher level of risk, which made possible far greater profits. He should have been a very wealthy man by now, rather than one with just a few million. The challenge, and profit sharing, Mitri Growth offered had been the career change he was searching for.

The founder of Mitri Growth wanted cutting-edge code to exploit the company’s recent, expensively acquired proximity advantage, but more than that, he’d challenged Russo to discover new ways to leverage capital out of the Exchange. The assignment was entirely possible, and Russo was eager to discover the next clever means to achieve his mission. The best part had been the founder’s willingness to run with Russo’s instincts in crafting algos.

Traditionally, stock trading took place in a pit. Sellers stood there, offering stock at a certain price using hand gestures; buyers either bought or didn’t. The price was constantly fluctuating in the pit, in sight of everyone. With the introduction of computers, all that had changed. Stocks were no longer bought and sold at a public location by traders. Now the work was done by machines. As late as 2005, 80 percent of all stock and equity trades were still executed at the New York Stock Exchange, but computers allowed those trades to complete not just more quickly but also remotely. The pit could be anywhere. The consequence was that by 2009, just 25 percent of all trades originated at the Exchange; the rest occurred within alternative trading systems known as ATSes.

That was the primary reason for creating the New Jersey hub, and for giving key traders such as Mitri Growth favored access. The Exchange needed this not just to stay profitable, but remain relevant as well. Already, similar Exchange hubs were opening or under construction around the world. Forty global “liquidity hubs,” as the Exchange preferred to call them, were planned. A major hub in Basildon, east of London, was already operational and linked.

Despite public statements to the contrary, the key to all the NYSE expansion was the high-frequency trader, or HFT. Initially, computers had introduced greater efficiency into an aging system, but it wasn’t long before the bright code writers known in the industry as “quants” began figuring out ways to take advantage of a computer’s ability to process enormous amounts of information at inhuman speeds. Once they inserted the code authorizing a machine to buy and sell when specific conditions existed, without human interaction, it functioned like a moneymaking robot. High-frequency traders now accounted for most of the action reported on the Exchange.

As in sports competitions, when it came to high-frequency trading, speed made up for shortcomings. If one performed enough transactions fast enough, one didn’t necessarily require the best code. Volume and speed compensated for minor missteps. Still, those with superior code, preferred access, and the most powerful engines made the most money.

At heart, HFTs were profitable because the computers knew the trading price of a stock anyplace in the world at the same instant and simultaneously compared it to the options price. Then, with lightning speed, they bought and sold on any detected difference before the Exchange’s trading computers could adjust for price fluctuations. One of Russo’s young designers had crafted an elegant bit of code that gave Mitri Growth the ability to predict the options price just ahead of its competitors, based on dozens of inputs and trends from across securities and exchanges. That was the algo they’d launched just after midnight with such high expectations.

The unspoken truth about HFTs was that they worked very much like a Las Vegas or Atlantic City casino, which takes a piece of all the action. It didn’t matter to Mitri Growth if the market went up or down. It could ride a stock up, or short it on the way down. What counted was the action, because Mitri Growth’s algos were structured to make money either way. It was not unusual for an HFT company with as few as thirty employees to earn a net profit of $1 billion. That was Mitri Growth’s target with Russo’s new algo program. But, as in a poker game that required a high stake to compete, money could be lost as quickly as it was won.

And that’s what Russo was seeing — if the downturn was really happening.

Just then, Baker walked up. Tall and prematurely balding, his chief assistant had elected to trim his hair and grow a goatee to compensate. “Well?” Russo asked.

“We’ve ruled out the test code.”

“So the new algo isn’t performing in production the way it did in simulation.”

“It doesn’t seem to be.” Before launching a new algorithm, Mitri Growth fed it current market data to see how it would have reacted in the past. Though not a perfect predictor of future success, it was the best validation the team could perform before letting a new version out to compete with everyone in the real world. Still, a slight unanticipated pattern and coded protections could cause the algo to become unstable in practice.

“So what’s different now?” Russo asked.

The senior programmer shook his head. “We have no idea.”

“So you’re telling me these trades are real?”

“I’m afraid so.” Baker cleared his throat. “We have to shut down, Jon. Then regroup. It’s going to take days to figure this out and fix it.”

“All right!” Russo snapped. “Take us off.” He buried his face into his hands and slowly exhaled. He had to tell the founder. “How much?” he asked without looking at the screen, struggling to control himself.

“Twenty-three million. Hey, it could have been a lot worse.”

9

From the day they started with this project, Jeff and Frank had enjoyed playing hacker. It was one of the more satisfying aspects of their job, especially when they succeeded. “This is the New York Stock Exchange,” Frank had said when Jeff told him about the engagement in their D.C. office. “Do you think we can do it?”

“My bet is that we can. No matter how much a company depends on computers, no matter how big it is or how solid its reputation, its software and network are so complicated, the demands to make the process responsive to the market so great, that there are cracks everywhere. If we probe long enough, we’ll get in.”

“That’s a little unsettling. This is a major cog in the world financial system we’re talking about.”

“Yes, it is.”

They launched the pentest by casing the network from their low-privileged workstation. Jeff ran his own tools to develop a map of the systems in the network, looking to obtain as much information as possible from his position as an outsider. Once that step was completed, he ran other tools, attempting to connect to the systems at the ports used by standard system software and applications. He observed and carefully examined the responses he received. Even error codes returned when his attempts were refused revealed information, if nothing other than what software version was running, along with a few configuration details.

While Jeff was doing that, Frank trawled the Exchange’s intranet directory, following links to the connected Web sites and scanning documents for tidbits of useful intelligence relating to the jump servers. He located a year-old document for the Universal Trading Platform, or UTP, which contained lists of names and user accounts for the team that deployed trading software to the New Jersey engines.

The UTP was designed to support all trading scenarios with submillisecond response time known as latency. The platform was integral to the Exchange’s functionality and capable of being expanded as necessary. It also allowed outside parties “easy integration” within the NYSE Euronext global marketplace, which meant traders could pursue an endless variety of strategic initiatives of every type.

Frank was amazed at the lax approach to a system so essential to the world’s financial security. He had anticipated that the system would be accessible only to NYSE Euronext’s most trusted software engineers. Instead, many of the major traders had all but unfettered access. It was like a bank allowing its biggest customers to play around with its software to make things easy on themselves.

The consequence was that high-frequency traders typically tested new algos, live, on the Exchange, in secret. More than once, they were believed to have nearly caused a catastrophe. For one week, a mysterious computer program had placed orders, then canceled them before they were executed. Those algos made orders in twenty-five-millisecond bursts involving some five hundred stocks. In so doing, the program occupied 10 percent of the bandwidth allocated for the Exchange, certainly shutting out legitimate traders, just to test software in real time. That seemed to Jeff and Frank an unacceptable risk, but it was routinely permitted.

They’d conducted their reconnaissance exactly as a hacker would, constructing a schematic of the Exchange network. This included Web sites, server software, antivirus systems, user accounts, and their roles. Both of them noted potential points of vulnerability from time to time but this phase of their operation was primarily about collecting intelligence.

As they’d anticipated, the Exchange network was segmented into two zones. The first zone was standard issue to most companies and considered both insecure and untrustworthy. It constituted the public face of the Exchange, offering the usual applications anyone visiting a company on the Internet expected to find. It was also where the workstations and servers supporting the business operations of the Exchange operated. The second zone, where the actual trading engine functioned, was buried within the interior of the site and locked down. For security reasons, it was not linked to the Internet.

The two zones were connected through dedicated computers called jump servers. Those servers substituted for the more traditional internal firewall. A jump server was designed to act as the secure conduit between the two zones. In other words, though anyone could access the public zone from their personal computing device, to enter the secure zone, one had to pass through a jump server, the sole gateway to the core systems.

One inherent advantage of the jump server was that all the tools required for network management were maintained within a single system. This made maintenance and updating a straightforward process, performed in a single location. Access permissions were tightly controlled, and all operations performed on it were continuously audited and monitored as well. And it could be thoroughly locked down.

But it was much like keeping all one’s eggs in a single basket. This system had the advantage of isolating a vital gateway, which made it easier to control, but the disadvantage of presenting a single target for hackers to penetrate. If the jump server remained secure, it was a wall against intruders; if it failed, it served as a highway for them. It posed as their greatest challenge, but as a consequence, it was also their target.

Jeff’s tool had identified servers in the Exchange running Payment Dynamo, and on the US-CERT Web site, he learned that a slew of security bugs had been recently patched with an update from the vendor, Payment Data Corp. The bugs were only the latest of a string of holes found over the last year in this particular package, a product that was not unique to the New York Stock Exchange; it was used for many applications within a wide range of financial institutions. For all that, neither Jeff nor Frank had been surprised at its poor design. They saw the same thing time and again. Like fancy chrome-plated door locks easily bypassed, this package offered no sophisticated security. The designers had focused on its utility, as what it did made the sale, not how well it was secured.

When the recent patches were released, FirstReact, the cybersecurity research firm that had reported the vulnerabilities, began selling exploit code for them at a hefty price. This practice, while controversial, was common. FirstReact specialized in discovering holes in software, as well as in writing exploits for those vulnerabilities and ones others had reported. Their customers were willing to pay a premium to gain protection against a hacker discovering the flaw and exploiting it.

Companies purchased these via subscriptions, ostensibly both to check for their exposure by trying the exploits out on their own networks, and develop and deploy mitigations specific to their environment. Because many of the vulnerabilities were unpatched when FirstReact sold them, they were “zero days,” and could be used to spread malware and perform targeted attacks if they fell into the wrong hands. For that reason, FirstReact had a policy to sell them only to publicly traded companies and government agencies from a list of U.S.-friendly countries. But the assumption that knowledge of both the bugs and means to exploit them wouldn’t leak was flawed. The fact was that some of the buyers, typically government agencies, used them to infiltrate foreign governments for espionage and to cyberattack criminal and terrorist organizations.

Jeff viewed zero day bugs to be the digital equivalent of nuclear weapons and believed the only way to make sure they didn’t fall into the wrong hands was to strictly limit knowledge of them.

In this case, Payment Dynamo’s vendor had released patches just a week earlier, so while the bugs weren’t zero days, there was a chance that the Exchange hadn’t yet rolled out the fix. So that it could stay competitive, Red Zoya was one of the companies that paid the FirstReact subscription fees, so Jeff was in possession of the exploit codes to match the vulnerabilities and had used them to break into the fourth Payment Dynamo server he tried them against.

That’s where he and Frank had pried a space open yesterday.

10

Bill Stenton placed the telephone in its cradle and leaned back in his chair. This is happening too often, he thought. It was the third call in the last two weeks, each from a senior director on the Exchange, each with the same complaint. He’d been receiving similar calls for months.

His right hand had developed a tremor, and he placed his left on it. He closed his eyes for a moment and forced himself to breathe deeply, to slow down. Always tightly wound, he worked hard to present himself in the assured manner expected of someone in his position. He checked the clock on his computer screen. In three hours, he’d have his first double Scotch. He pulled his mind away from the thought.

Earlier, he’d received a call from a financial institution. The caller was a college fraternity brother who reported having experienced unanticipated and significant losses in a major trade. On such calls, Stenton had observed no pattern in the type of company or in the nature of the securities involved. In some cases they’d been hedge funds, in others private investment groups, in another a retirement fund — but in every case, the complaint was the same: Something out of the ordinary had taken place during a major transaction, which resulted in an unexplained reduction in the anticipated return, losses well outside the anticipated parameters.

The most common complaint was that HFT algorithms that had been reliable in the past, previously providing a profit within the margins established, were suddenly showing dramatic failures. As HFT systems were all located at the hub, they should have had the least latency. Instead, trades that should have netted a modest profit or at least been neutral ended up implausibly losing tens or hundreds of thousands. In more than one case, the loss had exceeded a million dollars.

Until now, Stenton had viewed the complaints, each taken in isolation, as so much griping by traders who were not keeping up with the game. Dealing with complaints like these came with the territory, but over the past few months, their rate and the magnitude of the individual issues had caused him to suspect there might be more to this than the usual Wall Street whining.

Still, Stenton had explained to the callers that it was not unusual for brokers to blame the system when they made a bad judgment call or when the market suddenly moved against a position they’d taken. In these days of high-speed transactions and high-frequency trades, that was to be expected. Yes, he understood that men and women had been fired, careers likely ruined over unforeseen moves, and that the losses had been significant enough to place the survival of some of the smaller financial institutions at risk. But the system wasn’t at fault, Stenton was sure of that and had said as much. He told them he knew they wouldn’t like it, but that was the reality.

But in the last few weeks, he’d also received two calls from other men he knew personally, reasonable brokers with serious questions about what was taking place. They’d been puzzled at unanticipated losses, not suspicious, and Stenton assured them that all was well with the Exchange.

But taken together, the string of calls caused him to rethink his position. He’d been searching for common links in the complaints. He thought perhaps there was a shared broker somewhere in the mix, or common stock. It might have been a time-of-day issue or the location of their programs in the hub. He had some of his top data analysts working to mine the available data, searching for any correlating factors.

Now Stenton held last week’s report from the Chicago office. An IT operations manager there, Vince Piscopia, had forwarded a report to his superior, which then landed on Stenton’s desk. As director of the Trading Platform IT Security for NYSE Euronext, he was in charge of this issue, but so far he wasn’t certain how to respond. The day after receiving it, he’d copied the report to all his senior staff and his key analysts, requesting input.

What he didn’t tell anyone, what he scarcely allowed himself to think, was that perhaps all these issues were connected.

What the IT manager in Chicago had reported was a file concealed within the core of their system, software outside the directory listing command. He’d been unable to access the file or determine what it did. What he’d been confident of was that it was not part of the legitimate function of the Exchange.

The IT manager, Piscopia, had speculated that it might be a bit of legacy code left over from one of the periodic updates of the system. Unnecessary code was left behind from time to time, but never before had it been hidden, and there was no way to know if it was harmless or somehow interfering with operations. In the same report, he stated that he’d also uncovered trades that were not properly registering and speculated that they were related to the code. This raised the same possibility in the mind of the Chicago IT manager as it had in Stenton’s.

Impossible as he found it to accept, just maybe they’d been hacked.

Stenton shivered at the thought. He was at the helm. If the Exchange had been hacked and clients were experiencing losses as a consequence, his career was finished. In the worst-case scenario, one that in his fear he deemed possible, he might go to prison.

This possibility had come to his attention since Jeff Aiken had been hired and started his penetration test. Stenton had considered alerting the consultant but decided instead to see what Aiken and his man came up with on their own. Also, alerting them would leave a record of his suspicions, which so far existed only in his thoughts. It was his hope that Red Zoya not only stumbled onto what Chicago had described but also figured out what it was in the process. That was his safest course of action.

Just then, a tech poked his head into Stenton’s doorway. “I’m Marc,” he said. “You asked to see me?”

Stenton recalled that Marc Campos worked on the core trading platform team on one of the trading modules at the heart of the matching engines. There was no more sensitive operation in NYSE Euronext. He was one of the techs who attempted to trace a suspect trade a financial institution had reported to Stenton.

“Yes, come in. What do you have?”

Campos was over six feet tall, thirty-three years old, with dark skin and average looks, though his eyes bulged slightly. Originally from Portugal, he’d worked for the NYSE for the past five years, and his performance had been outstanding. He spoke near colloquial English with just the trace of his native accent. He was one of the handful of techs with unfettered access to the core of the Exchange’s trading system. This was the first time Stenton had met with him alone though he’d seen Campos from time to time in staff meetings.

For several minutes, Campos described the steps he’d taken in tracing a reported $8.7 million loss in a transaction by one of the smaller financial institutions that had lodged a complaint. The referral had come directly to Stenton from a broker he’d known for years, a very reasonable man who was more perplexed than angry at what had taken place. When Campos finished, he smiled and made a dismissive gesture. “I worked on it until the trade just vanished. There was nothing I could do.”

“Have you seen this before?” Stenton asked.

“Sure, but not often. Some of these offshore funds like to remain off the radar, you know? They don’t like anyone knowing what they’re doing. They go to great lengths to conceal their tracks beyond the minimum they need to trade with the Exchange. I’ve attempted to trace back trades with them, usually as a result of an SEC subpoena, and not always been successful, though you understand it’s not really my area.”

“Well, thank you anyway. I’d hoped for better news.”

Campos hesitated, then said, “I’ve also been working on this Chicago report you sent out a few days ago.”

“Any luck?”

Campos shook his head. “I don’t see any sign of it. I think the guy in Chicago was confused somehow. He was likely misreading what he was seeing. Frankly, I don’t see how anything could get into our system undetected. We’re as locked down as you can get. Do we have his data? Maybe I’m missing something.”

“No. I requested it, but he didn’t come to work today,” Stenton answered. Campos nodded in return and Stenton asked, “So for now, you don’t think this stealth file exists?”

“I can’t see it—” He paused and smiled. “—but then, it’s supposed to be hidden.”

Stenton thought a second, then took the plunge. “I know that you’ve been with this department for some time now, Marc. Do you think there might be a connection between the trade you traced and this hidden file Chicago reported?”

Campos looked surprised at the question. “That’s an interesting idea, but there’s nothing that connects them in theory. And there’s no way a secret file could get into the engines. If by some magic it did, we’d be all over it in an instant. Like I said, I don’t think this file even exists — and if it does, from what I read, there is no indication of what it does, if it does anything. Not only that, but we run an incredibly complex system. If getting an unauthorized file into the system is hard, manipulating a trade is simply impossible.”

Stenton sighed. “You’re right. I guess I’m just getting paranoid.”

“Is this what those two are working on? Red Zoya?”

“Why do you ask?”

“The timing. I thought maybe you’d put a team on this even before the guy in Chicago made his report.”

“No, that’s something else.” Stenton eyed Campos, then said, “Thanks for dropping by. I’ll let your manager know I requested this meeting, so no concerns there. Have a good day.”

“When you get the data from Chicago, you’ll pass it along?” Campos asked as he stood up.

“Yes. Of course. We need to figure this out. And as for Red Zoya, just let them be. They aren’t connected to this at all.”

11

In practice, a trusted Exchange employee accessed the secure zone by first logging in to the jump server through an account specific to that zone. Since gaining their toehold in the system, Jeff and Frank were next tasked to compromise someone with privileged access.

Working from their office at IT Security that afternoon, Jeff and Frank had been consumed with analyzing the log-in records on the breached Payment Dynamo server. They soon identified a systems administrator who routinely connected to it from the other systems. When a user connected, the encrypted version of his password was cached by the server, allowing the user to connect to other servers without having to reenter the password. Being able to connect to different systems using a single entry of credentials is known as “single sign on” (SSO) and penetration testers, just like hackers, took advantage of SSO’s caching behavior to execute what was known as a “pass the hash” (PTH) attack on other systems. This attack used the cached cryptographic hash of the password, a form of shorthand, to impersonate the user and connect to remote servers. Servers verified only the hash of passwords, not the passwords themselves. Because of the considerable security risk, systems administrators were never to use their administrator accounts when logging on to other servers remotely. Jeff knew it was a common practice, however, either because of ignorance or sheer laziness.

Within minutes, they’d successfully infected the administrator’s computer. For now, they had administrative rights on the insecure network only, not the jump servers and therefore not the secure network they sought. But so far, they could view all the users in the network, identify their computers, even change their passwords and create new accounts, giving themselves administrative permission.

They were confident, however, operations of this kind were audited to prevent the kind of tampering they were doing. Automated software trolls checked logs and flagged unusual reports to detect illegitimate or unauthorized activity.

Next, Red Zoya targeted the team members from the UTP list Frank had identified. Working remotely from the administrator’s own workstation, they determined the computers that corresponded to those users. Some users were inactive, but most were not. It was necessary to employ different users for different functions to prevent any security tool monitoring user activity from spotting the same user executing different operations at the same time. Frank and Jeff gave one account administrative permission to the computer of another user whom they believed had jump server access. Next they logged in to that user’s computer, connected to the system of the programmer they were targeting, dropped their software backdoor, logged out, and then removed the administrative access to conceal their tracks. Even if part of their trail was spotted, it would be difficult for anyone to connect the dots.

During the next phase of their penetration attack, Jeff and Frank performed an enhanced reconnaissance on the UTP programmer’s system. They were careful to keep their presence at a low profile, operating only when their user was logged in, so the activity blended in. They read his e-mail, the documents on his system, and observed the software environment, all undetected.

They finally ascertained the jump server system to which the user connected. The issue they now faced was that the jump server required a two-factor authentication, which meant that a password alone wasn’t enough to get through it. When gaining access, the user read a pass code shown on a USB key fob, issued with a small LCD display on it. They then entered this number, along with a personally chosen four-digit PIN as the password. This scheme ensured that access required both possession of the USB key fob and knowledge of the PIN. And because the pass code changed every sixty seconds, it could not be saved and reused later. This meant that Frank and Jeff had to wait for the moment when the user logged in to the jump server, at which point they’d piggyback onto the connection.

They set up an alarm to notify them when the selected user was establishing his jump server connection, then resumed mapping more of the intranet systems and users. They created organizational charts, along with a thorough map of the network. This included the names and roles of users, names of servers and software installed on them, and the systems to which the users had access. They would submit this evidence with their report as proof they’d successfully penetrated the core of the trading engines and reinforce the picture of the damage they could have caused if they’d been genuine hackers.

During this phase they determined that the UTP system was running Linux and was locked down with “whitelisting,” a security policy that allowed only software digitally signed with a special key that only specific users had access to. They would have to place their own software on the system in the secure zone, and for this it had to be signed so it would appear to be authentic. To this end, they monitored the e-mail of several users until they spotted a programmer who was about to submit an update package to the UTP system. They immediately planted their software, along with configuration information that caused it to connect out to their software on the jump server once it was deployed to the UTP system through him. In this way, it was taken as part of the legitimate package and was digitally signed by the NYSE Euronext signature along with the update and then installed on the UTP system.

Now they just needed their user to connect so that they could plant their software that would act as a bridge from the UTP system to the compromised Dynamo Payments software via the jump server. Only then would they be able to reach into the UTP system and remotely control the software they had just planted there, giving them unfettered access to the most important financial trading engine in the world. This would complete the entry they’d already begun.

The hours passed as they waited anxiously for the last piece in the puzzle to fall into place. They continued their mapping effort and documentation until their alarm alerted them that their primary user was connecting to the jump server.

“We’re up,” Jeff announced while not taking his eyes from the screen. Frank rushed to stand behind him, and they monitored the programmer’s progress, then rode in with him without difficulty. They took no time at that moment for celebration, only exchanging a quick glance of elation. The minor crack they’d created was now an open door.

Once inside, they established their own connection, placing their software on the jump server, which connected it to the UTP system, completing the link and establishing remote control from their own system. Before exiting, they set up their second backdoor on the other side of the jump server, one that meant they could bypass this process in the future.

“That went smoothly,” Frank said.

“I told you we were good.”

12

Richard Iyers scanned the crowded bar and eyed a young woman at the far end. Blond and trim though a bit plain, with an oval-shaped face — and with that perpetual pout, just his type. She was laughing as she held her iPhone in front of her. From time to time, she took a quick look at a chubby man with a bright face, who was sitting at a table with two others not far away. They were playing a game, very likely one of the new ones on Toptical, currently the hottest social networking site. The man looked like a coworker, not a boyfriend.

Iyers checked his watch. There wasn’t enough time. Well, he’d seen her here before and would see her again. Athletic, naturally slim, Iyers was an attractive man. His light hair was brushed across his forehead in a boyish cut. His eyes, however, were set just a bit too closely together. They and his mildly lanternlike jaw prevented him from being genuinely handsome.

He looked at the menu and considered ordering a cold beef sandwich. This might not be London, but the pub did a decent job with it. No, better later. Iyers took a sip of Double Diamond ale, then over the glass spotted Marc Campos weaving his way toward their table through the noisy happy hour crowd. The man’s beer was waiting for him.

Campos scowled as he sat, his chin at an accusatory angle. He didn’t touch the drink. “I think you’re nuts,” he said without a greeting.

Iyers grinned. “Maybe. I’m inclined to think the possibility is one of my assets.”

Campos looked around, then leaned forward. “You’re the one who made the coding mistake. I warned you about it at the time, and when you didn’t act, I told you to fix the problem, not—” He hesitated, lowered his voice, then said, “—kill someone. I was talking about the file you left hanging out there.”

“Dead men tell no tales.”

“What’s that supposed to be? Funny?”

“Not at all. It’s a statement of fact, one you should appreciate, given your emphasis on security.”

“You may very well have ruined the entire operation.”

“I don’t think so. No one’s going to find anything.”

“They don’t know he’s … gone for good yet, but he didn’t report to work today. When he doesn’t tomorrow, they’ll check. Before long, people will be looking.”

“So he took off.” Iyers lowered his own voice, though with the surrounding noise there was no chance of being overheard. “They aren’t going to find him. I weighted him with rocks and dropped him into a sinkhole just off the stream. It was all overgrown with vines and crap. He’s fish food and gone for good.”

“Maybe you were seen.”

Iyers shook his head. “No chance. We were in a remote area. Relax. I was careful.”

“Listen to me. This guy took yesterday off; you called in sick. Someone looking at this might wonder about the coincidence.”

“You’ve got to be joking. I live in New York, this happened outside Chicago. There’s no connection between the two of us. Anyway, I took the train. There’s no record I ever left the city or that I was ever in Chicago.”

Campos stared at Iyers, then said, “I hope you know what you’re talking about. Because if they find him, who knows where the trail will lead.”

Iyers shrugged. “Not to us. You worry too much, Marc. Anyway, he’s a nerd. Nobody kills a nerd for writing code.”

“When I sent you a copy of his report and told you to fix the problem, this isn’t what I meant. You had to know that.”

Iyers made a face. “Yeah, I understood, but the guy was closing in. He reviewed operational logs while looking at a software failure from last month. You saw the report. He spotted that there’d been more than an acceptable number of connections between Vacation Homes and the trading engine. Automated security didn’t spot it, but he had.”

Iyers leaned forward. “Marc, he wasn’t going to let it go. He’d spotted our file. He didn’t know what it did yet, but he was working on it. I checked on this guy. He was tenacious and ambitious. Come on. There was nothing I could do that would have diverted him. In fact, if I’d changed anything in the software like you wanted, he’d have become suspicious that the culprit was someone who’d seen his report and was trying to cover his tracks. There aren’t that many. We don’t want anyone checking into what we’ve been doing this last year. There’s a lot at stake. You’ve said so yourself. It’s worth an extra risk or two.” Iyers sipped his drink, then changed the subject. “How’s Carnaval coming?”

Campos looked reluctant to move on. After a long pause, he said, “I think it will be ready for Toptical next week. There are still some bugs to work out.”

“This will be our first IPO,” Iyers said greedily. “If it goes smoothly, our take should spike dramatically. It’s ideal for an expanded version of Vacation Homes.”

“I agree, but no more mistakes. We’ll be uploading the code soon. It must be seamless, understand?”

“I get it.” Iyers looked aimlessly about the room, then said, “Did you find out about those two guys in the office?”

Campos, though, was still on subject number one. “Don’t go off the reservation again. You hear me?”

“I hear you. What about them?”

“I’m serious. The next time you do, you’ll have to answer for it.” Campos leaned back in his chair, then drew a deep breath. “Stenton told me they have nothing to do with Vacation Homes.”

“Do you believe him?”

Campos thought about that a moment. “I guess. I’m pretty sure we’re not their target.”

“I can’t get them to talk about what they’re up to. I’ve tried without being obvious. They’re very closemouthed. I did a little online research on them. They both used to work for the CIA, did you know that?”

Campos briefly looked stunned. Then he lifted his drink and took a long swig.

“Jeff Aiken’s the boss,” Iyers continued. “It’s his company. He’s big in cybersecurity. He’s rumored to have saved the world a couple of years ago.” He smiled.

“What are you talking about?” Campos’s thoughts were still on the idea these men worked for the CIA. He’d read once that no one ever really left the Company. The thought was sobering.

“Some kind of Internet terrorist attack. You remember all those incidents, the ship that ran aground in Japan, the near meltdown, some hospital deaths? They’re supposed to have been caused by al-Qaeda. I read on some forum this Aiken guy blunted the attack. There’ve been other things too. A plane crash in Turkey.”

“What? He’s some kind of secret agent?”

“Nothing like that. Just really good at snooping around systems.”

“Shit. Just what we need.”

Iyers leaned even closer and spoke very quietly. “I can fix this too, you know.”

Campos was startled. “Don’t even think about it.” He looked about again. The place was really getting crowded. “If more people … go missing, it’s going to draw attention we don’t need, especially with Carnaval coming online.”

Iyers pursed his lips. “I can make it look like an accident.”

“I said no, and I mean it.”

“Ask your boss. I’ll bet he sees it my way.”

“My boss?” Campos pulled himself up. “What are you talking about?”

“You don’t think I bought that line about this being your operation, do you? It’s too slick, too big, and sometimes you don’t make decisions right away. I’m just saying, check with your boss. Don’t take this on yourself.”

“Richard, when I came to you about this, I never said a word about violence. We write code. Vacation Homes is about making money. Nothing else.”

Iyers stared at Campos, and then he took a drink to mask his thoughts. The guy’s a fool.

Iyers was from Upstate New York. He possessed a congenial manner and had the knack of getting along with everyone while being close to no one. Since he formed his partnership with Campos, his self-image had taken on an unexpected aspect. He’d never seen himself as an outsider before, though if he were honest with himself, he always stood aside and looked in on normalcy. Those who played by the rules and lived conventional lives had always seemed to him to be suckers. Only when it came to women had he always felt himself to be a bit outside the norm, and even then, he wasn’t entirely convinced his behavior was all that unusual. Men just didn’t talk about it.

Then the economic meltdown had come, and with it a fresh appreciation of the worldwide financial system. He’d always stayed within his specialty, but now he studied the so-called system and saw it for what it was: an elaborate means for the corrupt to profit with the appearance of legality. That didn’t surprise him so much as his failure to realize it sooner.

An infrastructure specialist at the Exchange, Iyers managed the deployment of software and the configuration of the NYSE Euronext data center systems. It was a position of extreme sensitivity. The systems included third-party software, such as antivirus and systems management software as well as internal software. He was also part of the team responsible for deploying much of the trading software that was the heart and soul of the Exchange.

He’d met Campos three years earlier, and within a few months, over beers in this very pub, Iyers shared his thoughts. A few weeks later, Campos met with him in private and laid out the scheme, presenting the operation as his own. The two men were ideally suited to make it happen, given their responsibilities.

“I estimate our personal take at ten million dollars each,” said Campos on the night they closed the deal.

Iyers had nodded, his eyes flashing in greed. For an instant his mind had been filled with the thoughts of what he could do with that kind of money, the life he’d lead. Images danced before him, living rich in the Caribbean someplace, hosting parties full of hot girls. But the truth was, Campos already had him when he’d described the operation. This was his chance to hurt the Exchange, hurt it badly, to get back at the rich fat cats who thought they had it all figured out, a chance to make a statement.

And it was an opportunity to see just how far he could assert his power. He’d have done it just for that. The money made it an even better deal.

“You know,” Iyers said, “there’s talk about missing money.”

“What talk?”

“Some of the big brokers are complaining about not making what they expected in trades. I’ve not heard anything official, just comments during breaks, but Stenton’s getting nervous about it.”

“Stenton’s always nervous. That’s why he drinks so much.”

“He’s a drinker?”

“You didn’t know? Take a hard look at him on Mondays. You’ll see. Anyway, if you can believe it, I was told to trace one of our own transactions.”

Iyers found that amusing and chuckled. “How’d it go?”

“I was impressed. I did everything I’d normally do, and after two days, the trail finally just vanished into nonsense. I knew what we’d done, but from the side I was working on, I couldn’t make anything out.”

“See? We have nothing to worry about.”

“I guess. But if our code gets identified and reverse engineered, they might trace it to one of us, no matter how clever we think we’ve been.”

“I don’t see how. We routed it through other users and servers that you and I don’t have rights to. I used half a dozen laptops to set my part up and ditched each of them. There’s absolutely no trail back to me.”

“Let’s hope so.”

Iyers suppressed his immediate response. Instead he said, “So what did you tell Stenton?”

“Just what I told you.”

“Did he believe you?”

Campos nodded. “Sure. Why not? I don’t think I’m the only one he talked to about this, and no one had any luck, from what I heard. That’s when I asked him about those two guys.”

The men sat without comment; then Iyers said, “So what do we do? From what you say, we need to neutralize Aiken and Renkin. If you don’t want me doing it the easy way, I’m open to suggestions, but I still think you need to take this to your boss.”

“I don’t have a boss. Just drop it.”

“If you say so.”

Neither spoke for some minutes. Iyers finished his drink and gestured at the waitress for two more. Campos looked deep in thought. The blonde at the bar laughed in triumph. The chubby guy at the table grimaced and set his phone down. The place was getting very noisy.

After the drinks arrived, Iyers said, “I haven’t seen any real money yet.” This was his recurring complaint. Campos had given him less than $100,000 so far.

“It’s cooling off. I told you. We agreed.”

Iyers shrugged. “I’m just saying.” He looked around the room. “You know,” he continued, “I have the feeling that time is running out on us, and a whole lot faster than you talked about. I haven’t taken these chances for what little I’ve seen so far. Just so you know.”

“You may be right about time. I’ll get back to you on how we’ll proceed.” Iyers smirked but didn’t say what he was thinking. After a long pause, Campos said, “Can you insert Carnaval without any bells going off?”

Iyers pursed his lips. “I don’t know why not.”

“No shortcuts.”

“Enough of that. I told you at the time why I had to do it that way. There’s nothing I can do about it now. If we make any changes at this point, they’ll spot it and know for a fact something’s up.”

“Yeah. I get it.” Campos picked up his second drink.

“I don’t like these two guys working in the system,” Iyers said.

“I don’t either.” Campos set his drink down and looked off to the side, still not answering the implied question. And in that gesture and silence, Iyers got the unstated message.

He grinned and extended his hand. He touched Campos’s forearm in reassurance. “No problems, amigo. No problems. I’ll take care of it.”