I really need some help and guidance on an issue of software security and a potential programming solution. I am using a specialized computer program for trading stocks/shares online and am concerned that this program could be a security risk. I have provided quite a bit of detailed background information on the program and outlined my concerns and objective later in this post.
If it is possible, I would like to get some real constructive advice on how a solution to this problem could be implemented. Please don't post obvious comments such as "use another program", "ask the developer if he is spying on you", "do a risk analysis and see if you really need to worry about this". I have spent the better part of three weeks brainstorming this issue and trying to find a solution to this problem. I have come to the conclusion that the most promising approach probably rests in a custom software solution. However, as I am not a programmer, I would like to get some feedback in terms of what it would take to get from theory to solution. I really need to get some help with this.
[b]BACKGROUND INFORMATION ON THE PROGRAM[/b]
The program runs solely on Windows, uses the .Net framework and appears to rely heavily on XML. The primary function of the program is to display real-time non-delayed charts of the price of stocks. The program has built-in datafeed connectivity and is designed to be used with all of the major providers of stock market price data. If one has a subscription to a stock market data provider, it is simply a matter of entering one's user name and password into a connection wizard provided by the program. The program can then automatically connect to the data provider via the internet. Once a connection is made, real-time charts of stocks can be displayed. As you can imagine, to do this, the stock-trading program requires both inbound and outbound Internet access so that it can communicate with the datafeed provider and thereby display price data on any particular stock. The data providers are 3rd parties; they are not linked to the company that produces the software.
The stock-trading program allows the user to add a variety of mathematical studies, known as indicators, to each stock chart. For instance, if one had a chart that showed a stock's price over a period of time, one could add a moving average of the price to the chart. Such indicators help traders identify buy and sell points.
The program also allows the user to create custom indicators by means of a wizard. Once a custom indicator is created by the wizard, it is possible to edit it and have quite a range of freedom without the necessity for a great deal of programming knowledge. Both the indicators included in the program--and any customised indicators that are created by the end-user--are written in a "script," which according to the program's help file, is an extension to the C# language. Before any custom indicator can be used, it has to be compiled. The program has a built-in facility for this function. The program's help file states that it uses C# and the .Net framework and runs compiled code rather than interpreted code.
[b]THE CONCERNS THAT I HAVE[/b]
Many people within the stock trading community are concerned about the potential for trading programs to take advantage of their connections to the internet. Indeed some very astute traders within the professional community have personally told me that this type of snooping activity does occur. I'm sure that it wouldn't take much programming savvy on the part of the developers to instruct the program to send the source code of any custom indicators back to the developers.
While I do not have the security resources available to professional traders, it would be irresponsible to simply turn a blind eye to this--it makes sense that a company could easily use the collective knowledge of professional traders to gain knowledge to help develop their stock trading software. I do not want to unwittingly enable the developers of the program to use my own indicators within their commercially available software.
While my interest in the stock market could be described as an amateurish hobby as I do not use it to support myself, it is nonetheless my life's work. I do not like the prospect of someone pirating the result of so many years of effort.
In my efforts to tackle this problem, I have used a firewall (McAfee) to ban all IP addresses except the three that the datafeed uses. When I restrict internet traffic in this way, the program displays an error message that it can't connect to its licence servers, but otherwise seems to function without problems. Also, judging by what I see in Wireshark, there is no IP traffic except the data to the three datafeed IP addresses.
As someone who is not too familiar with networks, I am by no means certain that a lack of IP traffic would indicate that the computer is effectively locked down. I would think that there are other means of communicating that would be unaffected by an IP-blocking firewall.
[b]POTENTIAL SOLUTION[/b]
It seems to me that perhaps the best solution is to isolate the computer from the internet by means of an intermediary program. As I noted earlier in this post, the stock-trading program uses a connection to the internet to access real-time stock prices provided by 3rd party data providers. Knowing that the stock-trading program utilises .NET and C#, would it be possible to write an intermediary program that would be "placed between" the stock-trading program and the internet?
Currently, the stock-trading program sends a request for data directly over the internet. Would it be possible for a custom program to read that request data and then create a virgin data request of its own? In effect this would cut the outbound communication between the stock-trading program and the internet.
When inbound data arrived, a similar process could take place. Thus, no data would pass through the custom intermediary program. Instead, it would be translated by that program and sent onward in a virgin form.
I have looked over the program's help file and it contains references to DLL, COM and .NET interfaces, which I think are primarily used to integrate the program with the 3rd party software (provided by stock broker companies) used to place orders to buy and sell stock. Perhaps the presence of such interfaces is a clue as to how the stock-trading program could interact with the proposed intermediary data transfer software.
In summary, my concern lies in whether the program is abusing its connection to the internet. And my objective is to somehow control the program so that it can receive price data through a datafeed, but neither send nor receive any other information via its connection to the internet.
I am not concerned about random attackers. I have always used a firewall/antivirus/antispyware to minimize exposure and use my trading computer only for trading. It is not connected to any other computers at home. When I'm not trading, it is unplugged from the internet.
I would very much value feedback on a possible software-based solution. Is such a solution possible? From a programmer