
Brokerage Instant Messages Must Be Saved

simoniker posted more than 11 years ago | from the casual-bathroom-conversations-also dept.

Privacy 265

DrEnter writes "According to an AP story on Yahoo!, the National Association of Securities Dealers (NASD) has told its members that they must keep a copy of all instant messages sent or received by employees for at least three years. This is similar to their requirements on keeping e-mail, although technically not nearly as easy. The NASD is a self-regulatory organization, and U.S. federal law requires almost all of the 5,300 U.S.-based securities firms and brokerages to be a member of it. There's a news release from the NASD concerning the requirement - it looks like the daunting technical issues have already resulted in some firms banning the use of IM completely."


daunting technical issues? (4, Insightful)

Surak (18578) | more than 11 years ago | (#6241327)

What daunting technical issues? Nearly every instant messaging client has the ability to always log conversations. Simply standardize the clients that can be used, make sure that conversations are logged, and lock down the configs so that brokers can't change them. I see no daunting technical issues here.

Re:daunting technical issues? (1)

Craig Maloney (1104) | more than 11 years ago | (#6241344)

Any time you see "daunting technical issue" when related to financial software, read "it'll cost us money to fix, and we'd rather implement some proprietary measure where we're guaranteed to make money rather than spend it for the perceived convenience of the customer".

Re:daunting technical issues? (1)

Surak (18578) | more than 11 years ago | (#6241387)

How much money? Most companies do new builds of their standard clients every 18 months or so anyway. The time to integrate and test a locked-down IM config that ensures that logging happens is very small compared to the time it takes to install and integrate major apps, like, oh say, Microsoft Office or Lotus Notes, and it could happen as part of the standard build, meaning the actual costs are spread out so thin as to be almost non-existent. It would take an admin maybe -- what? -- an hour or two to implement this? If that?

Re:daunting technical issues? (3, Informative)

bleh-of-the-huns (17740) | more than 11 years ago | (#6241587)

It's much easier to implement a corporate version of an IM server, that most IM networks now provide, then firewall off the other IM servers, forcing the clients to use the corporate version, or proxy all IM client requests to std IM servers to the corporate one, provides central logging point, and peace of mind for the security personnel.

On the other hand.. IM is not secure by any means, anyone stupid enough to use it in a financial industry for anything other than talking to friends and bullshitting around, should be shot.

Re:daunting technical issues? (1)

Clover_Kicker (20761) | more than 11 years ago | (#6241683)

>It would take an admin maybe -- what? -- an hour or two to implement
>this? If that?

Heh. They might want to test for more than 2 hours, just a thought :)

Re:daunting technical issues? (1, Funny)

sosume (680416) | more than 11 years ago | (#6241346)

1) Start National Association of Securities Dealers (NASD)
2) Oblige members to save instant messages
3) ???
4) Profit!!!

Re:daunting technical issues? (4, Interesting)

Max Romantschuk (132276) | more than 11 years ago | (#6241354)

>What daunting technical issues? Nearly every instant messaging client has the ability to always log conversations.

Would you trust your IM to log messages? What if the logging fails? Will your boss listen to you, or would you rather not take the risk at all?

Re:daunting technical issues? (3, Interesting)

Surak (18578) | more than 11 years ago | (#6241369)

That's what IT staff are for. That's why you use standardized builds of client PCs. The IT staff does the integration work to ensure that things like logging occur. The standardized configs make sure that everything works and that users can't change it.

Re:daunting technical issues? (4, Insightful)

arkanes (521690) | more than 11 years ago | (#6241452)

Missing the point - in this case, all the logging is done on client machines, outside the direct control of the support staff. That'd be a disaster if, say, someone's hard drive failed and the log was lost, and then they were sued. Email is easy because you just mirror it on a server. You'd need some sort of complicated transparent proxy to log normal IMs, and that wouldn't work with encrypted conversations.

In other words - yes, it can be done. No, it's not trivial.

Re:daunting technical issues? (3, Interesting)

shaitand (626655) | more than 11 years ago | (#6241472)

umm ok, last I checked it takes less than 5mins to write a shell script that uploads these logs in the background to an ftp. Pop it in a cron job and bam, all set.

Re:daunting technical issues? (1)

Talez (468021) | more than 11 years ago | (#6241475)

>Missing the point - in this case, all the logging is done on client machines, outside the direct control of the support staff

Errr... Junction Points?

Think symbolic links for network resources under Windows 2000 and upwards.

Transparent, invisible logging to the server.

Re:daunting technical issues? (1, Insightful)

Surak (18578) | more than 11 years ago | (#6241500)

Now you're thinking. See what I mean? Put a smart IT staff to work, and the solutions just start pouring out. As I said, there are no daunting technical issues here.

Logging crypted traffic (2, Informative)

arth1 (260657) | more than 11 years ago | (#6241685)

It's easy enough to log encrypted traffic. Decrypting it afterwards can become more of a problem, but not unsolvable.
Clients can be modified to securely send a copy of their session keys to a central repository, for example.
Or the proxy can do the authentication for the clients, pretending to be the other end, and establish its own encrypted session with the clients.
Or, for dual-key systems, instead of the normal M*N pseudoprime, there's an M=(X*Y) where Y is a fixed value known to the company -- in effect a "master key" to allow decryption. This is already used for logging encrypted email from employees in many places.

Another thing is whether it won't be easier to just ban instant messaging altogether. More and more companies do so, both out of productivity concerns and for multiple security reasons (not only can it open up for bringing harmful content into the environment, but also be used to quickly send confidential information to those who shouldn't get it).

Time to revive "talk" :-)

Regards,
--
*Art

Re:daunting technical issues? (1)

Simon (S2) (600188) | more than 11 years ago | (#6241477)

"The standardized configs make sure that everything works and that users can't change it."

and then some user downloads any other IM, which is not the one configured by the IT staff, and bypasses any logging.
your solution is buggy.

Re:daunting technical issues? (2)

AlecC (512609) | more than 11 years ago | (#6241642)

So you make it a disciplinary offence to install unapproved software on a PC used for financial work - which is what our finance department does. And occasionally sweep machines for unauthorised executables.

At a certain level, it doesn't make sense to insist that something marginally untrustworthy cannot be done. It is not as if installing a new IM client would be a way to instant riches, so there isn't the motivation of theft to make someone do it. A financial services house should have a culture that says that IT should approve all software. If you want play-around machines, they should be separate from the "trustworthy" machines and firewalled off.

After all, employees could bypass the current email logging by installing their own email client, or by posting from a hotmail account or... But they don't.

re: daunting technical issues? (2, Informative)

ed.han (444783) | more than 11 years ago | (#6241702)

having previously worked in a financial services company, i can tell you that most of them will already disallow installation of non-certified apps on the desktop. and of course, entire departments within IT exist to certify apps on the approved firm builds. indeed, at my previous employer, users are not admins on their own PCs and hence cannot install anything.

i cannot imagine the CTO saying, "well, IM is an important communications medium for the employee staff with one another so let's put together a team to address the scripting issues. we need to include the resulting gigs of data in our backup processes as well."

no, i think the liability issues will simply result in IM going away permanently within financial services firms.

heck, when i was working there, i wasn't even able to post comments to slashdot. but then again, we were obliged to run netscape as our browser and e-mail client: outlook was verboten.

[insert obligatory outlook joke here.]

ed

Re:daunting technical issues? (1)

viking099 (70446) | more than 11 years ago | (#6241435)

ICQ logs every message that comes down the pipe, and organises it chronologically by user ID number in a database.
I've got ICQ conversations in my backup archives that go back to when I first got the application; approximately early-mid 1997.
Backing it up is easy on any platform, as it stores it in a couple of files in a single directory. You can have a scheduled task download the directory on a weekly basis and put it in the backup directories.
And since they're all text, you don't need the user password to read them (if someone leaves), and they're easily zipped up and encrypted.

Re:daunting technical issues? (3, Informative)

funkman (13736) | more than 11 years ago | (#6241388)

No it's not. If they use AIM, then they can use the AOL gateway. The AOL gateway product can also do their own authentication and force AIM clients (based on AIM handle) to use the gateway. The gateway can do all the needed logging. A strict IT policy to be followed by employees makes this task trivial.

Re:daunting technical issues? (4, Insightful)

muffen (321442) | more than 11 years ago | (#6241401)

As you said, they have the ability to log it on a client level. Imagine a company with 500 000 machines. Are you going to collect logs from each and every one every single day?? Even if you saved the logs on a network drive, do you want 500 000 different files per day?

The difficulty is logging the traffic on a server level. The reasons are many. I think this article [securityfocus.com] describes them fairly well.

Basically, IM traffic tries to hide itself, generally as HTTP traffic. Yahoo for example prepends a HTTP header to all packets, thereby being disguised as a HTTP GET request. AOL/ICQ/MSN has the ability to use HTTP Proxy servers, and AOL provides www.proxy.aol.com for free (port 80, no pass). MSN will auto-configure itself to use a proxy server if direct access is blocked.

Here's the result of logging IM traffic on a client level. [com.com]

Re:daunting technical issues? (1)

Surak (18578) | more than 11 years ago | (#6241436)

>As you said, they have the ability to log it on a client level. Imagine a company with 500 000 machines. Are you going to collect logs from each and every one every single day?? Even if you saved the logs on a network drive, do you want 500 000 different files per day?

Scripting. Simply produce a script that processes the logs and concatenates them into one big log. That's part of the process of integration that I mentioned. And not even General Motors has 500,000 machines (I used to work there, so I know), and most brokerages are far smaller than General Motors.

Re:daunting technical issues? (4, Funny)

blibbleblobble (526872) | more than 11 years ago | (#6241579)

"Imagine a company with 500 000 machines..."

If you have 500,000 machines running Windows, this will be the least of your problems.

Re:daunting technical issues? (1)

bleh-of-the-huns (17740) | more than 11 years ago | (#6241634)

500k machines.. easy. pick any federal organisation that has satellite offices around the country... think FAA, think FBI, each of those easily has 500k machines (granted about half to maybe 2/3 are workstations, but you get the point)

Scripting is not the answer in a large scale environment. It works great for small groups of machines where they interact a lot, but for large scale applications, where say everyone is using said application, a server solution is the most cost effective and scalable solution.

That, and like I said in an earlier response to you, the IM Providers actually have commercial versions of their servers for corporate customers, those solutions also include secure communications, unlike std IMing which is plain text for the most part, or very very weak encryption (usually to make the non provider supplied clients incompatible with those supplied by the IM Provider themselves).

Re:daunting technical issues? (1)

shaitand (626655) | more than 11 years ago | (#6241494)

As someone else already noted, you cat the logs, then upload them to server using a scheduled script. This is not exactly difficult.

Re:daunting technical issues? (1)

Clover_Kicker (20761) | more than 11 years ago | (#6241601)

Yes, but since the logs originate on the desktop machines, they can't be trusted. I could edit the IM transcript before I log off for the day, to ensure that my evil comments don't make it into the archive.

I usually use NET SEND for my smartass/obscene OOB communication, nobody logs/monitors that :)

Re:daunting technical issues? (1)

AlecC (512609) | more than 11 years ago | (#6241708)

I think that you are probably one level of paranoia too high here. It is not that they expect their users to be plotting over the IM to rob the company or plan evil deeds, it is keeping a record of what promises/lies/truths were said about a transaction when it goes sour some months later. If a client says "I only bought those securities because the dealer said they were a no-fail bet", you need to be able to recall what the dealer actually did say - whether s/he properly pointed out the risks in a transaction etc.

Generally, I don't think they are protecting against fraud on the day the conversation happens - they are protecting against cover-ups after the fact - when the heavily boosted company goes bust or suchlike. I think that if they were into direct fraud, these dealers would have other ways of doing it.

There are no daunting technical issues (1)

arrogance (590092) | more than 11 years ago | (#6241604)

I know others have already commented on it but: standardize the client that you use and make it secure. Basically if you want to use IM at your brokerage, you have to use the one that the industry body requires. It's a useful tool but maybe if you want to do your front-running and insider trading you shouldn't use port 80 to do it.

And who the hell seriously expects AIM (or other IMs currently out) to have good security? It's going out over HTTP. C'mon.

Re:daunting technical issues? (1)

jkrise (535370) | more than 11 years ago | (#6241409)

The daunting issues aren't with logging, rather with tapping. In a client-server setup (e-mail) it's pretty simple (apparently) to intercept and probe messages. Value added services (Spam, HTML, worms, viruses, etc.. ) can be provided as well. If the world shifted to encrypted peer-to-peer instant messages, many shady firms could go broke!

Who should go broke first - brokers or firms?

Re:daunting technical issues? (1)

shaitand (626655) | more than 11 years ago | (#6241501)

This sounds like a concern for the firm... but how exactly is this a technical issue that makes it difficult to log IMs for 3yrs?

Re:daunting technical issues? (2, Interesting)

Anonymous Coward | more than 11 years ago | (#6241461)

I work for a very large Chicago-based financial institution that has banned IM entirely for their brokerage staff and disallowed Internet-capable IM for the rest of the company and I can safely say that a combination of FUD and CYA prompted this decision.

Basically, the bank's Infosec team was told to log everything and to ensure that no unauthorized external IM communication between the investment brokers and the outside world occurs, so instead of trying to overengineer a solution to ensure that only authorized IM occurs, they simply blocked outbound IM altogether and disallowed the brokers to have any IM client installed at all. Elegant? No. Effective? Yes.

Perhaps at some time they'll go back and address the situation more granularly, but for now, it fits the requirements and protects the bank from being targeted by the SEC. Staying off their radar these days is a "Good Thing" [TM].

Re:daunting technical issues? (1)

schnozzy (218978) | more than 11 years ago | (#6241491)

One of my company's clients is a broker/dealer who is crazy about compliance and has been logging all IM conversations for months now. They have an OpenBSD firewall running a little ruby+pf+ethereal+snort script to detect all IM activity and log it to sorted files, but you could probably do this sort of thing on any box. The only thing it can't log thus far is SSL'd jabber. (Which can log on its own)

Daunting, pushaw.

Re:daunting technical issues? (4, Insightful)

bmongar (230600) | more than 11 years ago | (#6241544)

>Nearly every instant messaging client has the ability to always log conversations

Client side logging is not sufficient. An employee can turn that off or delete the logs. The logging would have to be done server side. That would require a corporate IM solution which would log. I work for a company affected by this law. They don't allow any external or web based e-mail access for the same reason, they can't log it unless you go through their server.
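
The objection raised in this part of the thread (a desktop transcript can be switched off, deleted or edited before it is collected, so the record has to live on a server) can be made checkable. The following is an added example, not code from any poster or product named in the thread: a server-side archive that chains an HMAC over each message so that edits, deletions and tail truncation show up on verification. The class, field names, key and sample messages are all constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor used as the "previous MAC" of the first record


class IMArchive:
    """Append-only IM archive; each record's MAC covers the previous record's MAC."""

    def __init__(self, key: bytes):
        self._key = key      # assumption: held by the archive server only, never by desktops
        self.records = []

    def _mac(self, prev_mac: str, body: dict) -> str:
        # Canonical JSON so the same record always serialises to the same bytes.
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, prev_mac.encode() + payload, hashlib.sha256).hexdigest()

    def append(self, ts: str, sender: str, recipient: str, text: str) -> str:
        prev = self.records[-1]["mac"] if self.records else GENESIS
        body = {"seq": len(self.records), "ts": ts,
                "from": sender, "to": recipient, "text": text}
        mac = self._mac(prev, body)
        self.records.append({**body, "mac": mac})
        return mac  # chain head; keep a copy outside the archive (e.g. on write-once media)

    def verify(self, expected_head=None):
        """Return the index of the first bad record, or None if the chain is intact.

        Without expected_head, removal of the newest records cannot be detected,
        because a shortened chain is still internally consistent.
        """
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "mac"}
            good = self._mac(prev, body)
            if body.get("seq") != i or not hmac.compare_digest(rec.get("mac", ""), good):
                return i
            prev = rec["mac"]
        if expected_head is not None and not hmac.compare_digest(prev, expected_head):
            return len(self.records)
        return None


def build_sample(key: bytes = b"constructed-demo-key"):
    """Constructed three-message conversation; returns (archive, chain head)."""
    a = IMArchive(key)
    a.append("2003-06-18T14:01:07Z", "broker_a", "client_x", "Fund Q carries real downside risk.")
    a.append("2003-06-18T14:01:40Z", "client_x", "broker_a", "Understood. Buy 1000 shares.")
    head = a.append("2003-06-18T14:02:02Z", "broker_a", "client_x", "Order placed for 1000 shares.")
    return a, head


def tamper_report() -> dict:
    """Run the after-the-fact changes discussed in the thread against the sample."""
    results = {}
    a, head = build_sample()
    results["intact"] = a.verify(head)

    a, head = build_sample()
    a.records[0]["text"] = "Fund Q is a no-fail bet."   # transcript edited later
    results["edited"] = a.verify(head)

    a, head = build_sample()
    del a.records[1]                                     # one message removed
    results["deleted"] = a.verify(head)

    a, head = build_sample()
    a.records.pop()                                      # newest message dropped
    results["truncated_no_head"] = a.verify()
    results["truncated_with_head"] = a.verify(head)
    return results


if __name__ == "__main__":
    for case, outcome in tamper_report().items():
        print(f"{case}: {outcome}")
```
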

Re:daunting technical issues? (1)

HighOrbit (631451) | more than 11 years ago | (#6241570)

Bingo ! You hit the nail on the head.

I love pussy (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6241329)

fuck you !

No thanks (-1, Offtopic)

agent dero (680753) | more than 11 years ago | (#6241334)

I am not comfortable knowing that the Cyber Sex I had two years ago with GlitzyGirl44 on the job can come back and haunt me.

But why??? (3, Funny)

jkrise (535370) | more than 11 years ago | (#6241335)

Can't they simply use Echelon instead??

Maybe it would be easier (0)

Anonymous Coward | more than 11 years ago | (#6241336)


If they didn't have staff, seems like humans and their tendencies are more trouble than they are worth, fkuc people over profit

Read more about this here! (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6241337)

NYT story [tinyurl.com]

FP?

parent is goatse link!!!! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6241352)

goatse.cx link. Seriously.

Re:Read more about this here! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6241411)

Seems like this pre-pube has discovered tinyurl.com to obfuscate goatse today. Well done, you're nearly a man! All you need to do now is play one game of russian roulette (six rounds) and you will achieve your goal!

What's the value? (5, Insightful)

monkey_tennis (649997) | more than 11 years ago | (#6241342)

I struggle to see the value in this. If a broker wants to have an 'off the record' conversation they could still use their mobile phone or some other mechanism. Doesn't there come a point where you have to acknowledge that not all communication that takes place at a place of work is 'owned' (in a responsibility-for sense) by the employer?

Re:What's the value? (4, Informative)

darkov (261309) | more than 11 years ago | (#6241447)

You're looking at it from the wrong side. The biggest issue for brokers is having clients ring up or whatever, give instructions and then take issue later (when the trade goes bad, presumably) or the client saying the broker told them X and it caused them a loss.

Re:What's the value? (1)

monkey_tennis (649997) | more than 11 years ago | (#6241471)

I admit it's not an angle I'd considered, but surely in the case you suggest it's in the dealer's interest not to accept instruction without an audit trail - I'd be surprised that any external body would need to enforce that.

Re:What's the value? (2, Insightful)

the uNF cola (657200) | more than 11 years ago | (#6241485)

The slightest word from a worker's mouth on the status of the stock market in terms of purchasing, can give a hint to a stock owner to buy or sell.

This is insider trading, trading with information from the inside.

The proxy'ing is simply a restrictive measure. It makes it easier to detect. Yes, you can't monitor all communications, but it makes it harder to do live communications, especially since the sound of typing doesn't say WHAT you are typing.

After hours stuff you can't prevent, but then again, after hours information is stale and is less useful... though could be useful none-the-less.

Re:What's the value? (2, Informative)

pak-man (125298) | more than 11 years ago | (#6241499)

Mobile phones and other methods of personal communication are banned in trading areas.

Re:What's the value? (1, Insightful)

Anonymous Coward | more than 11 years ago | (#6241660)

"If a broker wants to have an 'off the record' conversation they could still use their mobile phone"

Err, exactly how off-the-record did they want? Do you know anyone who works at a telephone company?

Re:What's the value? (1)

Anml4ixoye (264762) | more than 11 years ago | (#6241677)

And really, the issue being addressed here is one that the government has been dealing with. We have to block all IMing because we are under state and federal laws to record all electronic communications because it is considered public record. Not only do we have to record it, but we have to make it available to anyone making a public records request for the information.

Several people have mentioned about installing IM servers, client logs, etc, but you have to remember when it comes down to it certain things are fine until they start costing the business money at which point they become an expense and a hassle.

Re:What's the value? (0)

Anonymous Coward | more than 11 years ago | (#6241691)

I think you are misreading the issue. Main reason for this is not to look for bad guys. For many years brokers and dealers were taping conversations between their clients and traders. This was done to protect both parties from making false claims like: "I told you to sell XYZ stock at $30.00 and not at $25.00 and 1000 shares and not 10000". E-mail and IM is just the next step. As long as you can receive orders through this media, you have to have a way to resolve disputes.

Re:What's the value? (4, Insightful)

sagneta (539541) | more than 11 years ago | (#6241725)

It's not the employer that is making this requirement. The SEC has regulated such communication since its inception in 1934 in accordance with the Securities ACT of 1933 and the Securities and Exchange ACT of 1934. This is the law. Period.

Insider trading and information dissemination is strictly regulated to prevent classic insider stock manipulation gambits. To get some idea of how that worked you can read "Reminiscences of a Stock Operator" first published in 1924.

Sam Waksal who was found guilty of violation of several securities laws and could have been hung up on obstruction of justice to boot is now spending 7 years in prison. He could have gotten 40.

The laws have become stricter more recently. Just before the bubble burst Congress enacted more legislation that prevented companies from providing non-public information to traders, analysts and the like. They mean it. Siebel executives during a dinner recently that off the cuff mentioned some data to an analyst are now having to explain themselves to the SEC. SEC is in a bad mood these days.

The point that is lost outside the industry is that the witch hunt is on. This happens after every debacle. It is not a technical issue. The IM infrastructure *must* meet SEC and NASD ( 1938 ACT ) rules and regulations otherwise the companies face prosecution and the individuals lose Series 7.

I am actually astonished NASD waited this long. Brokerage firms are already rushing to comply in 2003 because it has been assumed this would happen.

FYI

hmmmm, no SCO scoop yet (-1, Offtopic)

yobobs (674862) | more than 11 years ago | (#6241350)

i'm outa here

That should be easy (3, Interesting)

Daath (225404) | more than 11 years ago | (#6241353)

Just build a custom Jabber server that saves everything serverside!

Call it Corporate Jabber or something... Users should, however, be warned of the logging!

Recently, here in Denmark, an employee of a company was dragged in court, because she was sending private mails from work (through an online dating site). The court ruled that it was ok, and that the company should stay out of the employees private life - even if she had some [private life] at work. Go Denmark ;)

Anyway, there are lots of things to think about when logging...

Re:That should be easy (1)

arkanes (521690) | more than 11 years ago | (#6241459)

I believe that Jabber uses end-to-end encryption, so the server couldn't actually log like this - unless the Jabber protocol is trivially vulnerable to man in the middle attacks, or you add an extension to the protocol.

On the other hand, using a Jabber server as a front end to the other IM networks would probably work.

Re:That should be easy (1)

interiot (50685) | more than 11 years ago | (#6241514)

Yeah, encryption and stuff doesn't really matter in this context... ssh uses encryption too, but court rulings still stand... corporations like this are required to set up an extra ssh server on the firewall edge that everyone on the inside connects to (and where things are decrypted and logged) and then from there makes one more ssh connection to the outside.

"Daunting technical issues"?? (2, Insightful)

The-Bus (138060) | more than 11 years ago | (#6241355)

You mean, like the logs you can keep in ICQ? And if AIM/others doesn't support it, don't you think AOL will implement it pretty damn quickly so they don't lose market share in that industry?

Re:"Daunting technical issues"?? (1)

xpulsar87x (305131) | more than 11 years ago | (#6241719)

While resource hacking my copy of AIM at work here (we run win2k, deadaim doesn't work properly for some reason), I noticed several dialogs in the resource file already that seem to be dedicated towards logging. Someone also said that MacAIM supports it, so perhaps the Windows version has it as a planned expansion but just hasn't been completed yet?

This is ridiculous... (2, Interesting)

brucmack (572780) | more than 11 years ago | (#6241356)

What's next? Are they going to make it a requirement to keep audio tapes of all conversations, phone or otherwise, for 3 years? Surely they must stop sometime when the cost of implementation greatly outweighs any benefits.

Re:This is ridiculous... (4, Informative)

Anonymous Coward | more than 11 years ago | (#6241393)

Actually at my firm, we do log all calls made from our traders' phones for a 3 year period, it's more a protection against illegally/incorrectly executed market orders, and liability mitigation and it is not an SEC requirement.

If you think this is bad, we need to have full data backups for files, fax, and e-mail transmissions for a 7 year retention. That eats up a lot of tape...

Re:This is ridiculous... (3, Informative)

tgma (584406) | more than 11 years ago | (#6241543)

It may not be an SEC requirement, but isn't it an NASD requirement? I've been working at brokerages for the last ten years, and it would have been unthinkable for us not to have our conversations recorded.

It wasn't just the traders and the salesmen, but the analysts as well. Maybe it wasn't a regulatory requirement, but it's definitely part of doing business in securities, because so much is done over the phone. It was actually surprising how little we used those recordings after they were made, but maybe we were just fortunate. Mostly it was to check trades, but the threat was always there that if you gave out inside information, you could be nailed.

Interestingly we were allowed to use mobiles on the trading floor, but I can imagine that people are much more cautious in the US. Post-Spitzer, they are all running very scared. Most US investment bankers that I talk to now, virtually have to append a disclaimer to everything that they say. Must make for some interesting pillow talk.

Yes they are... (5, Informative)

alistair (31390) | more than 11 years ago | (#6241407)

Most banks already log phone calls, what is being added is the requirements to archive email and IM messaging.

Do a quick search for "Basel 2" or "Basel ii" for more details on this. One very interesting quote I found is;

"The Institute of International Finance has projected a total investment of US$2.25 trillion over 5 years for the 30,000 banks that will be affected, on top of systems' budgets, implementation costs and training. With such a huge increase in costs, this may precipitate another round of banking consolidation, especially in Asia. Basel 2 will certainly reward banks with sophisticated management and systems - they should be able to generate higher returns on equity, and have less capital required by the market and regulators."

Re:Yes they are... (1)

brucmack (572780) | more than 11 years ago | (#6241458)

Thanks for pointing out my ignorance :) I had no idea it went so deep.

Re:This is ridiculous... (2, Interesting)

anjrober (150253) | more than 11 years ago | (#6241608)

I use to work at a brokerage firm, a big one, and they do exactly that. Record each and every call that comes in. All of them. And the real kicker is they use the recorded calls all the time. They have to go back to the calls to find out exactly what was said and when.

Foolish... (2, Insightful)

andreMA (643885) | more than 11 years ago | (#6241360)

I can see drawing an analogy between email and postal mail and requiring the saving of that correspondence, but IM is better treated as telephone conversation -- which apparently isn't required to be saved.

Re:Foolish... (0)

Anonymous Coward | more than 11 years ago | (#6241568)

Actually, the NASD does require that phone conversations, e-mail and basically any communication between a licensed broker and anyone he/she gives market information to or might give market information to be stored for a minimum of 3 years and in some cases, 7 years. This is what's known as CYA (cover your a$$) in the business. It's really hard for the smaller firms to comply with some of this stuff tho. Even compressed, you have any idea how much space an hour's worth of phone conversations takes up? There are in existence network based devices to record and index these conversations but they cost tens of thousands of dollars. IM logs, being text based would have to be many times smaller. Securities firms are already used to storing large amounts of documents and data files (or they had better be used to it). I don't see where having to store a few more megs would be that big of a deal.


Megabyte
Who is too lazy to register.

Instant message : Sell SCO!! (1, Funny)

jkrise (535370) | more than 11 years ago | (#6241362)

Hey brokers! Sell SCO! Sell SCO!! Sell SCO!!! Sell SCO!!!! Sell SCO!!!!! Sell SCO !!!!!!

Got the message?

Okay.. now log all you want.

Re:Instant message : Sell SCO!! (1)

Prof.Phreak (584152) | more than 11 years ago | (#6241665)

Actually, this is precisely what they'd want you to do - "a large company going through a period of unpopularity" is usually a bargain stock wise. If everyone sells (and you buy) and assuming the company survives, a few years down the road you could've made a hefty profit (you bought really low - when everyone was selling).

Or so me thinks...

Boom Town (3, Funny)

Deton8 (522248) | more than 11 years ago | (#6241368)

These new data retention laws are a boon to those of us in the data storage industry. If this keeps up I'm going to name my new yacht after the dude at the SEC (although "Cunt" is probably already taken).

Have they looked at facetime? (3, Informative)

alistair (31390) | more than 11 years ago | (#6241373)

From the facetime.com [facetime.com] website;

"Since 1999, FaceTime has been delivering instant messaging (IM) solutions for the security, management and control of IM in the enterprise.

Our integrated enterprise IM management suite of products address the challenges of:

* Network and Information Security
* Regulatory and Corporate Compliance
* Call Center Customer Service

IM Auditor has been chosen by 32 of the largest 100 financial institutions and 7 of the 8 largest U.S. banks including Bank of America and Wachovia Securities to satisfy regulatory compliance requirements."

The one thing that wouldn't be addressed is encrypted clients such as the recently discussed Nullsoft "Waste" IM client. However, with businesses increasingly becoming addicted to IM clients and Blackberry devices, this would be a far more palatable solution than banning IM completely.

This is understandable (4, Insightful)

Millbuddah (677912) | more than 11 years ago | (#6241374)

Considering the recent media frenzy over Martha Stewart's case regarding insider trading, this really shouldn't come as much of a surprise. They're only trying to cover their own ass by having records for evidence if any insider trading information is being passed along with these instant messaging programs.

Use Trillian (1)

los furtive (232491) | more than 11 years ago | (#6241375)

Trillian [trillian.cc] has excellent logging facilities on a per user/contact basis for all of the major IM services, and can be obtained for free.

Re:Use Trillian (2, Informative)

intermodal (534361) | more than 11 years ago | (#6241398)

and for any firms wanting to use linux, BSD, or OSX on the desktop, GAIM builds above .60 all have excellent logging and even have a good division-by-conversation format. Though your best bet for logging it all would be a custom jabber server that would save everything serverside (with warnings at conversation starts, of course)

Daunting? (2, Interesting)

kikta (200092) | more than 11 years ago | (#6241376)

I don't see why they couldn't standardize on something like ICQ, Trillian, a Jabber client or anything else that logs everything. Then all they have to do is set the log to be saved on a network drive, rather than their own. Is that really so daunting?

Shit, I have logs for the last two years on this system. If you look at my laptop, it has logs from 1999 back to like 3 months after ICQ was first released. I was "daunted", but I overcame! ;-)

Re:Daunting? (1)

pointwood (14018) | more than 11 years ago | (#6241413)

erhm...as others have said - Use Jabber and let it log everything on the server.

Re:Daunting? (0)

Anonymous Coward | more than 11 years ago | (#6241467)

You'll find it's a wee bit more difficult to admin other people than it is to admin yourself--unless you have mental issues, in which case you already know what the average user is like. :)

Reuters already offers an IM client for them (2, Informative)

Anonymous Coward | more than 11 years ago | (#6241381)

http://about.reuters.com/productinfo/messaging/

It's actually pretty nifty, corporate IM already exists and I am sure if Reuters does not have built in logging they will add it quickly and dominate another part of IT for the financial community.

record everything (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6241386)

when will they be required to carry a digital recorder with them to record everything they talk about?

Re:record everything (5, Informative)

signifying nothing (520593) | more than 11 years ago | (#6241465)

Don't get overexcited - this is only for communications with clients, not for purely internal conversations.

The Slashdot summary says otherwise, but the press release linked to is pretty clear.

Knowledge is power or was it data-logs are power? (1)

lordsilence (682367) | more than 11 years ago | (#6241390)

I can't for one, understand the need of gathering data and logs about everything. Sure, making sure nothing illegal is going on. But is there nothing called privacy in the US anymore?

Keeping records for future lawsuits (1)

Rosco P. Coltrane (209368) | more than 11 years ago | (#6241392)

So, for the purpose of having evidence for future possible lawsuits, first email messages must be recorded for 2 years or whatever, then IM messages, then what next ?

Here's a way to take care of the problem for good : log *all* incoming and outgoing TCP, UDP and ICMP packets, so you'll have plenty of evidence when that lawsuit comes. And hire me to sift through the records to find that crucial piece of evidence : it won't take me very long and I only take $45/hr. I'll sell you hard-disks to store all the packets too if you want ...

If using Windows... (-1, Redundant)

Jace of Fuse! (72042) | more than 11 years ago | (#6241422)

Use Trillian.

Compatible. Stable. Banner Free. Skinnable. Logging Optional.

Unless you use AOL's voice, or Yahoo's Cam's/Voice/Chat, there is nothing you will want to do that Trillian doesn't support.

If you want to use the best features of Yahoo, just go to the web-site http://chat.yahoo.com and use the Java based applet. It supports all those features (yes, including voice, cam, and chat) and it runs alongside Trillian which will still handle and log your Instant Messages.

Trillian's only downside is the slightly higher difficulty for a newbie in setting up. Large firms can hire consultants to do that, though. (I'm for hire...)

All in all, what it came down to in the end is that when on Windows I couldn't find a single reason why I should use the official AIM/ICQ/YAHOO/MSN clients, when there were too many reasons that I SHOULD be using Trillian.

http://www.trillian.cc

FNORD

Re:If using Windows... (1)

switzer (244132) | more than 11 years ago | (#6241470)

What about sending SMS messages (like you can in ICQ)???

Gaim also has logging facilities - it is also churning out releases every few weeks...

Already somebody's business (2, Informative)

hrieke (126185) | more than 11 years ago | (#6241444)


IMLogic [imlogic.com] does this, and is quite good at meeting these requirements (one of their coders is a friend of mine).

As for the daunting bit, hyperbole anyone?

Your .sig: (0)

Anonymous Coward | more than 11 years ago | (#6241552)

III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIIIV IIVIIIIIIVIII...

Is that supposed to be PI in roman numerals? 'Cause it looks like you have 3.1449..., instead of 3.1459...

Re:Your .sig: (1)

The Mayor (6048) | more than 11 years ago | (#6241636)

Well, without spaces, it's a little confusing. But he actually has 3.14159....the adjacent 1 & 5 look like a 4. But, in either case, the Romans never thought in terms of decimals. I would assume a better way to write it would be something along the lines of:

XXII / VII (approximately)

Re:My.sig: (1)

hrieke (126185) | more than 11 years ago | (#6241713)

I think my sig gets more attention than my messages (or it appears that way!). I have at home an email folder just on this topic. *grin*

Long story short- my sig was in response to someone else's sig that read to the effect of "It's like calculating PI in Roman Numerals".

And while the romans never thought in terms of decimals, they did think in terms of fractions, (giving us the word decimation for example) -

Etymology: Latin decimatus, past participle of decimare, from decimus tenth, from decem ten.
www.m-w.com

Re:Your .sig: (0)

Anonymous Coward | more than 11 years ago | (#6241641)

Learn PI - 3.1415...

The obvious solution is quite easy... (1)

ites (600337) | more than 11 years ago | (#6241474)

What businesses need are historical file systems in which every single data file is tracked through its every version. The point of logging messages is not to monitor them so much as to find the 'guilty' parties when problems have happened. A historical file system can provide this, but at every level: web, ICQ, email and documents.

This may seem extreme, but disks are big enough, if you don't mix business and pleasure. Perhaps some partitions (swap) that are not historical...

A killer application for Linux in the business workplace, perhaps?

Makes sense to me (5, Insightful)

jamie(really) (678877) | more than 11 years ago | (#6241481)

Brokerage firms make deals minute to minute, and conversations with a broker are legally binding. There isn't time to fax a contract back and forth. If you phone anyone at a brokerage firm, you will be recorded. Something to remember before you phone your mate and tell them about your weekend in Ibiza. I totally understand why banks would view instant messages as the 21st century equivalent of a phone conversation. Get over it!

Trillian... (0)

Anonymous Coward | more than 11 years ago | (#6241482)

I see a bunch of posts supporting Trillian -- for its logging capabilities. But there is another even better reason to use Trillian: automatic message encryption!

Log this, big brother.

Hmm (1)

Ryvar (122400) | more than 11 years ago | (#6241486)

One of my best friends works as a trader (not sure of actual title but something roughly equivalent) at one of America's top three brokerages. Believe I'll be teaching him how to use Remote Desktop shortly (sorry, no X11 over SSH tunneling, he's not exactly a 'real' geek).

--Ryv

two words... (1)

Unominous Coward (651680) | more than 11 years ago | (#6241523)

SSH tunnel

Wow.... (1)

JaJ_D (652372) | more than 11 years ago | (#6241532)

Storing all AOL/YM for 3 years!!!! If someone has to wade through that crap! Please pity them

Two hundred million AOL/YM - 95% of them porn.

Wow RSI with no typing involved. That hasn't occurred since the Cindy Crawford work out video [amazon.com]

:^]

Jaj

Where I work... (4, Informative)

willis (84779) | more than 11 years ago | (#6241547)

I work at one of the larger investment banks...

rules:
All emails are kept (Archived, not by us)
No external email accounts (it's a big offense if you use hotmail, etc, from work)
Internal instant messaging (logged, of course)
No external instant messaging (you crazy? Hell no -- you can't just install random software from the web on a trader's desktop)
All phone calls are recorded (not sure how)
Cell phones are banned on the trading floors (I see them sometimes (and carry mine), but I think it's not cool).
There might be cameras, but I don't know.

All of this promotes accountability & transparency... and is good for clients and the market in general...

It's not like they look/read everything, but it has to be on file in case of a lawsuit, etc.

re: the guy talking about remote desktop, etc...
That might work at some firms, but I'd imagine most of the bigger firms are really, really locked down.

Re:Where I work... (2, Informative)

Surak (18578) | more than 11 years ago | (#6241614)

All phone calls are recorded (not sure how)

That's not difficult. I used to work for a company that does this. There are companies that make reel-to-reel recorders specifically for the purpose of being hooked through a PBX phone system so that it can record all incoming and outgoing calls made on specific extensions (or all extensions if you specify it that way I suppose)

re: the guy talking about remote desktop, etc... That might work at some firms, but I'd imagine most of the bigger firms are really, really locked down.

How locked down? PuTTY can do SSH through any HTTP proxy server that allows CONNECT (which most of them do if you want to support SSL). And it can use SSH's X11 forwarding capabilities. So set up a Linux box on a cablemodem at home, ssh into it and start launching X applications (i.e., gaim).

Re:Where I work... (1)

willis (84779) | more than 11 years ago | (#6241646)

How locked down? PuTTY can do SSH through any HTTP proxy server that allows CONNECT (which most of them do if you want to support SSL). And it can use SSH's X11 forwarding capabilities. So set up a Linux box on a cablemodem at home, ssh into it and start launching X applications (i.e., gaim).

That's amazing. I had no idea.

Re:Where I work... (1)

Surak (18578) | more than 11 years ago | (#6241694)

I do it all the time. ;) Of course you need an X server running on your PC, such as Hummingbird eXceed or XFree86/CygWin...
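Added example, not part of any comment in this thread: a defender-side check over proxy logs for the CONNECT tunnelling described in the comments above, which would carry IM traffic past the firm's logging. The log lines are constructed in Squid's native access.log layout, and the port allow-list and 30-minute threshold are assumptions.

```python
import ipaddress

# Constructed sample lines (Squid native access.log layout):
# time elapsed_ms client result/status bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1056020000.101 842 10.1.4.22 TCP_MISS/200 18234 CONNECT bank.example.com:443 - DIRECT/192.0.2.10 -
1056020300.552 5400321 10.1.4.37 TCP_MISS/200 9482113 CONNECT 198.51.100.77:443 - DIRECT/198.51.100.77 -
1056020900.007 1310 10.1.4.22 TCP_MISS/200 5120 GET http://news.example.org/ - DIRECT/192.0.2.44 text/html
1056021200.310 61200 10.1.4.51 TCP_MISS/200 40960 CONNECT home.example.net:22 - DIRECT/203.0.113.5 -
1056021500.000 12 10.1.4.22 TCP_DENIED/403 1400 CONNECT chat.example.com:5190 - NONE/- text/html
"""

ALLOWED_PORTS = {443}            # assumption: only HTTPS may be tunnelled
MAX_TUNNEL_MS = 30 * 60 * 1000   # assumption: flag tunnels held open > 30 minutes


def parse_line(line):
    """Split one access.log line into the fields this check needs."""
    parts = line.split()
    if len(parts) < 10:
        return None
    result, _, status = parts[3].partition("/")
    return {"elapsed_ms": int(parts[1]), "client": parts[2], "result": result,
            "status": status, "method": parts[5], "url": parts[6]}


def is_ip_literal(host):
    """True when the CONNECT target is a bare IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def tunnel_findings(log_text):
    """Return (client, target, reasons) for each CONNECT worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        host, _, port = rec["url"].rpartition(":")
        reasons = []
        if not port.isdigit() or int(port) not in ALLOWED_PORTS:
            reasons.append("port")          # tunnel to a non-HTTPS port
        if is_ip_literal(host):
            reasons.append("ip-literal")    # no hostname, common for home boxes
        if rec["status"] == "200" and rec["elapsed_ms"] > MAX_TUNNEL_MS:
            reasons.append("long-lived")    # interactive session, not a page load
        if rec["result"] == "TCP_DENIED":
            reasons.append("denied")        # blocked attempt, still worth a look
        if reasons:
            findings.append((rec["client"], rec["url"], reasons))
    return findings


if __name__ == "__main__":
    for client, target, reasons in tunnel_findings(SAMPLE_LOG):
        print(client, target, ",".join(reasons))
```

Restricting CONNECT to port 443 at the proxy stops the port 22 case outright; the duration and IP-literal checks are what catch an SSH server moved to port 443.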

Not a problem... (2, Interesting)

httpamphibio.us (579491) | more than 11 years ago | (#6241553)

Every other client logs except AIM... DeadAIM [jdennis.net] , AIM+ [big-o-software.com] , MyIM [http]

Problem solved.

If China can do it (0)

Anonymous Coward | more than 11 years ago | (#6241558)

then so can Wall St. brokerages. Doesn't seem too difficult.

Client version? (1)

BluGuy (617572) | more than 11 years ago | (#6241559)

Don't you think that larger firms are using more enterprise style apps than AIM? All of the big business oriented messaging apps offer server side logging, and it's probably searchable and closed to boot. I think even AIM has an enterprise version out or coming out soon.

boy i'd love to be the sysadmin (1)

freedommatters (664657) | more than 11 years ago | (#6241569)

tail -f chat.log | grep -i "dead cert"

john

Sametime (0)

Anonymous Coward | more than 11 years ago | (#6241666)

For internal traffic, IBM's IM program Sametime can be made to log messages sent through it.

As for external messaging, it supports SIP, so any external IMs will also get caught if it's set up properly.

Subject to the same law as email (1)

inepom01 (525367) | more than 11 years ago | (#6241674)

Email must be filed in a special format, and so must all IMs. There are many different IM messaging formats, so what you really have to do is be able to speak every protocol (or just any that your client might be using, which is still quite a few) out there and translate every message into the DB format. And of course you have to set up the database and make sure you don't run out of space, etc. It is quite daunting, if you think about it. Trillian logs might be good for you, but they are not for the NASD.