183 comments

[ 2.4 ms ] story [ 238 ms ] thread
I always imagine large scale financial fraud as something requiring a great amount of financial expertise. Seeing this code snippet is surreal.
It's the large scale financial fraud that aren't caught which requires a great amount of financial expertise.
You should check out "Madoff: the Monster of Wall Street" on Netflix, which struggles to dramatize the actual operation of his scam because the reality of it was so incredibly simplistic.
> reality of it was so incredibly simplistic.

the reality of it boiled down to “Madoff was too big and important for anyone to dare question”.

Yes, the fraud itself was extremely simple, but I also highly doubt that a random noname like SBF could have pulled that off at the time. You really had to be someone. Someone the SEC didn’t want to touch.

Hey, they used numpy.random.normal, it at least appears credible.
I’m really disappointed by the lack of comments explaining the logic
There are, however, some type annotations.
Gotta avoid bugs, imagine if they lost some customer funds due to poorly written code.
I am sorry we didn't serve your interests
They mean code comments, not HN comments.
I was ready to reply with an “um actually it is an arbitrary number” but… no… it is literally a random number. How did someone commit that and sleep at night?

It’s amazing that some people still defend SBF. Among his sycophants is Michael Lewis, author of Moneyball, The Big Short, and now “Going Infinite” which somehow manages to gloss over the rampant fraud happening at FTX since inception.

Can you link to anyone defending him? The Michael Lewis book was a character study. I can’t think of a single person who defends what happened.
He describes it as a "letter to the jury" (which I interpret as an statement of intention to reframe the popular understanding of what happened - presumably Lewis knows that jurors aren't supposed to read editorials about the case & is speaking figuratively) and casts SBF in a sympathetic light while casting aspersions on the executives executing the bankruptcy. Like GP mentioned, it glosses over the red flags and such to present a different narrative of Lewis' choosing. I think it's fair to characterize Lewis as carrying water. It's also a character study, sure, but there's no contradiction there.
Matt Levine's take on _Going Infinite_:

"Many of the reviews that I have read of the book complain that Lewis does not sufficiently explain that Bankman-Fried is Guilty and Bad, Actually, but that is not the book that he wanted to write... If you want to read a moral condemnation of crypto theft, you can get that anywhere. You go to Michael Lewis for character and story.

Also, reading those reviews you would think that the book is a defense of Bankman-Fried, but it is actually quite damning."

Have you watched 60 minutes with Michael Lewis? He's openly defending SBF
I’d say it’s less random than the headline makes it seem. It’s a random value with mean of 7500 and standard deviation of 3000 pulled from a normal distribution. And, it’s multiplied by the daily volume. So, there may be some thought here. It’s adding about $7,500 per trading unit volume. Not saying it’s legal or anything.
So basically, your claim is that a normal distribution is less random than a uniform distribution? Can’t say I agree.
Well, by definition it is. It’s why we have names like normal and uniform.
By definition it's not. It's just as random. These names just tell you a few key properties of the distribution.
You've probably just got different understandings of the term "random."
Would you say that a function that always returned 0 or 1 would be more/less/equally random than a function that returned any int32 with equal probability?

I would normally say the latter is more random, because you're getting more entropy per call. In the same sense, a function drawing from a normal distribution is less random than one drawing from a uniform distribution.

(All of this depends on a computers view of the world, where values are in data types that have some number of bits. In a mathy view of the world where every value is effectively infinitely many bits you get just as much entropy sampling from a normal distribution as a uniform one.)

> a function drawing from a normal distribution is less random than one drawing from a uniform distribution

That's some mathematical nonsense.

A normal distribution is continuous from negative infinity to positive infinity, so even by your flawed judgement of what makes something "random", a sample from the normal distrubtion has far more possibilities.

The standard normal distribution is almost the definition of random.

Again, it depends on whether you are looking at this from a pure math perspective or a "math as implemented on computers" perspective. I'm only claiming that this use of more/less random makes sense in a computational context.

But in that context, there is more entropy in a float32 drawn from a uniform distribution than a float32 drawn from a normal distribution, no?

Actually, I'm not sure this is mostly about a mathematical vs computational perspective. Let's look at how entropy is defined.

It's not just the number of possibilities, it's how likely they are. For example, consider two functions:

    A: 1% chance of 1, 1% chance of 2, 98% chance of 3
    B: 50% chance of 1, 50% chance of 2
The entropy of a distribution, in bits, is:

    H = - sum over all possibilities of (p * log_2 p)
So for A it is:

    H_A = -(2 * 0.01 * log_2(0.01) + 0.98 * log_2(0.98))
        = 0.16
And for B it is:

    H_B = -(2 * 0.5 * log_2(0.5))
        = 1
So you can see that A has lower entropy than B, because it's more concentrated.

For continuous distributions this is defined with an integral instead of a sum, but it's the same idea:

    H = - integral from -inf to + inf of (p * log_2 p)
Whether there's more entropy in a sample drawn from a uniform or normal distribution, then, depends on how wide your distributions are. Consider:

   C: uniform distribution from -1000 to +1000
   D: normal distribution centered on 0 with standard deviation 10
   E: uniform distribution from -1 to 1
We then have:

   H_C = - log_2(2000) / log_2(2) = 10.97
   H_D = 1/2 (log_2(2pi * 10^2) + 1) = 5.15
   H_E = 1
Note that continuous and discrete entropies mean different things, and their values can't be compared directly. That H_E and H_B are both 1 is not meaningful.
I think you've changed what you're meaning by entropy, it isn't really a meaningful measure of "randomness".

Afterall, how can U(0,1) be considered to be "less random" than U(0,1000) when U(0,1000) = 1000*U(0,1). A constant factor can't change how "random" something is.

If you look at this from a computers ("everything is discrete eventually") perspective, U(0,1) is less random than U(0,1000) because U(0,1000) != 1000U(0,1). For example, if you're using a fixed-point encoding that allocates values uniformly, it will have 1000x as many possible values for [0,1000] as [0,1], and so getting any specific value from U(0,1) is 1000x more likely than any specific value from U(0,1000). If you draw from U(0,1) and then multiply by 1000 you'll never produce most values that U(0,1000) could produce.

If you look at it from a math ("continuous is actually possible") perspective I have a much weaker handle on it, but I think the problem is that the entropy of 1000U(0,1) is not the same as the entropy of U(0,1)?

That’s a bit like saying that our bodies are random numbers because of quantum fluctuations. It may be true, but the distribution is the part that matters.

It’s still ridiculous to use a normal distribution to calculate how much money should go into an insurance fund that needs to cover sudden, severe losses.

> just as random

Let’s do a lottery together. We each throw in some money. Since they’re both just as random, I’m sure you won’t mind if I use a normal distribution, and choose each of our positions on the number line. :)

Your assertion is missing some needed qualifiers.

> Well, by definition it is.

If given only mean and standard deviation, the normal distribution is the maximum entropy distribution i.e. maximally random distribution.

(comment deleted)
As I understand it, the claim is that the volume being added is tiny compared to the real volume.
If you order randomness by entropy, the uniform distribution is indeed, in some sense, "more random" than any other probability distribution with the same support.
(comment deleted)
> multiplied by the daily volume

How does volume correlate to the value of the insurance fund? Isnt value equal to number of tokens * price per token?

see: https://news.ycombinator.com/item?id=37805256

It basically takes the daily volume, multiplies it by 0.00075% (on average) and adds that to the insurance fund. FTX charges a % fee on every trade, so this is the equivalent of taking a fraction of their fee revenue and putting that into an insurance fund, which seems pretty reasonable.

No it doesn’t add it to the insurance fund - there’s no transactions here, it just increments the fake insurance fund variable.
In another company, it wouldn't be impossible that some other function in some other code used that variable for an actual transaction into an actual fund.
Except the value isn't saved anywhere, it's just added to the total. And running again would give a new value.
If you look closely, you may notice that the code that "adds to the insurance fund" doesn't _take_ that money from anywhere. It's just retrieving a number from the database, adding a value to it out of thin air and writing it back. This number was then presented to users as representing the balance of the insurance fund protecting their assets.

There was an actual insurance fund and it had a tiny fraction (5% or less) of what this number in the database claimed. The random numbers generated by this code did not represent actual contributions to said insurance fund. They were not, in fact, taking a fraction of their fee revenue and putting it into an insurance fund.

They were not doing anything even remotely reasonable, this was a flat-out lie.

Also not saying it's illegal.

The non-zero mean and relatively small standard deviation (0.4 sigma) make all the difference here.

I'd say the ethics and legality are entirely determined by how this distribution was determined and if it's consistent with promises to customers.

agreed- title vs what is written in twitter is a bit misleading than what the code actually does. at first glance it is far too easy to assume the random numbers will be around 7500 - but in reality folks may not understand stddev's, and that the random number produced in this method can still yield a negative (just with less likelihood)
What on earth are you taking about? It’s literally a random number taken from normal distribution, used to calculate the figure.

What _possible_ justification could there be for using that as an accounting practice for a fund other than fraud?

> Among his sycophants is Michael Lewis, author of ...

Also Flash Boys, which was basically a book-length advertisement for the IEX exchange.

and The Blind Side, in which he missed the fact that a couple put an athlete into a conservatorship so they could profit from his royalties.
[flagged]
> he did commit many of the moral breeches that are committed by existing governmental and financial institutions at scale without any legal repercussions

Example? Bankman-Fried committed outright fraud. He lied and stole money. This is simply incomparable to what anyone in finance is doing, much less being left unpunished for.

I disagree. Banks take my money and lend it out to others, like businesses who are losing money, not profitable, and want venture debt. They take MY money, and give it to unprofitable businesses, with the hope that they'll be some day profitable.

"But that's how banks work", you say. Only because you drunk the Kool-Aid. Only because banks are so damn good at managing risk that we haven't questioned the practice. But at the end of the day, it's my money, and they shouldn't have the right to lend it against my will.

"But you could store money under your mattress", you say. If taxpayer money can provide me with the necessary security guards for that, sure. If not, I don't consider it an option.

SBF was just worse than Bank of America at managing the risk, and got into deep shit. SVB got into deep shit but because the law allows them to legally commit the same fraud of lending out money they don't own, the law protected them with FDIC funds. Bank of America is equally in the wrong, though, it's a messed up system that we just accept because everyone around you accepts it.

Banks are forced to have some capabilities in risk management and controls because they are regulated and supervised to that effect.

You can buy short-dated treasury bills if you want direct tax payers support for your money, for example. Giving money to a bank is lending the money to the bank with your permission, but there are other debtors available.

> Giving money to a bank is lending the money to the bank with your permission

It shouldn't be that way. Banks should be forced to either (a) never lend your money out, or (b) offer an interest rate higher than the Treasury plus state taxes -- that's the only reason I'd ever want to lend to them.

Why? That's not what a bank is... What would the bank do then anyway? Store cash?
Yeah why not? They can also lend my money out if they want, and give me 8% interest, if so I'm interested and I would agree. Any less than 6.5% and it's a hard no-consent-to-lending-my-money because the Treasury gives me more.
> They can also lend my money out if they want, and give me 8% interest, if so I'm interested and I would agree

But you're already agreeing at prevailing rates! You have other options, and you're not taking them. Why would they pay you more for shits and giggles?

> Any less than 6.5% and it's a hard no-consent-to-lending-my-money because the Treasury gives me more.

So buy Treasuries!

> You have other options, and you're not taking them.

I am taking them!

> So buy Treasuries!

I do! But everyone seems to fall for the same bank(man-fried) trap.

So why are you complaining? There is no trap anywhere.
(comment deleted)
Other than shutting down the economy by making all those assets unproductive, how would bank earn money?

Use a custodian account. Put your money in a safe deposit box. Nobody is forcing you to use a standard bank account.

If you want taxpayer-funded protection of your savings, that comes in return for your money being used to fund economic activity that generates those taxes.

Thems the breaks. Take it up with your government if you don't like it.

> If you want taxpayer-funded protection of your savings, that comes in return for your money being used to fund economic activity that generates those taxes.

Sure, if you give me the interest rate, sure.

But if the feds are giving me 5.5%, you, as a private bank, better well give me 6.25% so that it's >5.5% after state taxes. If you give me ANY LESS than 6.25% you have no right to lend out my money.

> If you give me ANY LESS than 6.25% you have no right to lend out my money.

Where do you want this free return to come from? While also funding all the things people using a checking account properly (i.e. not to generate a return) want from it, e.g. transaction capabilities?

Again, you can literally get this by buying Treasuries. But you don't want that--you also want the other things. For free. I, too, want free things. But it's obviously not a serious suggestion.

> Where do you want this free return to come from?

I dunno, the Treasury gives me the 5.5% which is the same as a private bank giving me 6.25% and getting robbed by the state of California which leaves me with 5.5%.

Banks want my money? They need to beat that bar.

I dunno, lend it out to someone at 10% to buy a car and then give me 6.25%. Be creative. But I'm not taking Chase Bank's laughable 0.01% or even WealthFront's stupid 4.8%. It's not 6.25%, they didn't beat the bar, plain and simple.

If you're only giving me 1% you might as well give me 0% and I forbid you to lend out my money.

> Banks want my money? They need to beat that bar.

Do you have a bank account?

> If you're only giving me 1% you might as well give me 0% and I forbid you to lend out my money

Then do this! You're railing against a scarecrow.

So you want to make banking dramatically more expensive for everyone?

All that'd do is make credit hilariously more expensive for everyone, which will push up the price of everything. I'm not sure that's a good idea.

I don't think so. If people buy things only with money they actually have, prices will be forced to come down.

Prices are high because the whole damn country has a habit of buying things they can't afford. It's not actually normal to do that in a lot of the world.

> Banks take my money and lend it out to others

They' don't lie about it.

> SBF was just worse than Bank of America at managing the risk

He lied about it. Also, he wasn't lending money to anyone. He was lending it to himself. If Bank of America was lending most of its balance sheet to its CEO, that would be a problem!

> SVB got into deep shit but because the law allows them to legally commit the same fraud of lending out money they don't own

They do own it. You lent it to them. Depositing money at a bank is not putting your cash in custody. There are cash custodian services, though it's more traditional to custody Treasuries. You didn't go to them. And again, at no point were you mislead.

We get these frauds every generation because money and banking is complicated. But instead of addressing that deficit with understanding, enough people deal with it by pretending it doesn't exist, thereby making themselves vulnerable to those who take advantage of that willful ignorance.

That's just moral defeatism. Fraud exists in many businesses and institutions. A healthier outlook on this is that we need to stop it whenever we can, not that we should give up because "everyone does it".
I read it to mean let's hold our governmental and financial institutions to a higher standard. The Fed has allow_negative too, are they truly held accountable?
> Fed has allow_negative too, are they truly held accountable?

To an inefficient degree, yes. Congressional oversight of the Fed is massive because it's popular with many voters. That unfortunately crowds out oversight over the many other financial organs of the United States, e.g. the FHLB.

SBF did what he did outside the system because that's the only way he could have committed fraud like this.

He ran a literal ponzi scheme, something the SEC was created to combat and that Bernie madoff ramped protects against up to 11. He could not have pulled of this scheme without unregulated securities, that was the point.

Say what you will about finance, but the fact is you get a ton of information and protection when you go through the system. Bypass it at your own peril.

HAHAHA this was my first thought too!

To be fully pedantic: it's both things! It's a random number chosen from an arbitrarily sized range around an arbitrary number :)

Semi-related: AIUI, in most places where you legitimately want a “random number”, what you actually want is a number that is knowably, causally unrelated to the other figures so you know you’re screening off accidental correlations. In practice, random numbers accomplish this, but randomness isn’t quite the same thing as what you’re striving for.

So, for example, the problem with “randomly” picking 4 every time (a la xkcd) is that it introduces a spurious correlation between the places where it’s used.

4 doesn't originate from XKCD, it originates from Playstation 3's firmware. Ultimately, 4 is a random number, so the developer in question could argue he was technically correct, it's the specification that's wrong.
The xkcd reference was a joke used in the fail0verflow CCC PS3 presentation in 2010. I don't know what the reused nonce was but it probably wasn't 4, and the xkcd comic is from 2007.
I appreciate the background, but I'm not aware of any usage of "X a la Y" that implies "Y is the first ever instance of X".
> How did someone commit that and sleep at night?

# TODO: stub for now until we have an actual insurance fund

(comment deleted)
The book isn't as damning as it could be but I wouldn't call it sycophantic. There's plenty of negative information.
I have many of his books on my shelf. Each and every one was a great read. However, his defiant defense of SBF makes me question every thing I learned from them. They are still great reads but now I'm more inclined to just treat everything by Michael Lewis as frivolous fiction only loosely based on reality. It's a shame, he lost a lot of credibility with his latest publication. Even more after his 60 minutes interview.
It's nice to see (from a quick lock) SQLAlchemy being used in production software on such a scale. However the purpose is quite disappointing
The line wrap on line 27 in that text editor is really confusing.
I think its a screenshot from a commit in github/gitlab. I hate how gitlab makes the code viewer tiny in the review screen
Even if it's tiny, it could still have the line wrap done more intelligently.
Can't that go negative occasionally too? Was that intentional?
The function doesn't calculate the insurance fund amount directly, it only applies a change to the insurance fund (line 28), based on last day's trading volume. Presumably this function gets run every day, so the size of the insurance fund would be the sum of this process repeated multiple times. The chances of that going to negative would be astronomically low.
np.random itself with that configuration can go negative with a probability of 0.62% as can be derived with scipy.stats.norm(loc = 7500, scale = 3000).cdf(0) or by looping a million times and counting the negative numbers.

Maybe the f2d function filters negative values but it sounds like a simple float-to-double conversion.

I'm not sure whether it was intentional, but, contrary to the headline, this random value was used to update the fund size daily as shown in the rest of the code. So, a single day for which the fund actually decreases wouldn't matter much. It might even be beneficial to make it look more real.

f2d does seem like float-to-decimal (edit, typo). My brain is off for the evening but might that part have a misplaced parenthesis? They f2d() the random number but then multiply it by the higher-precision expression (previous day's volume / 1 billion), which will give 8 numbers after the decimal in USD as in the tweet they posted. Still, it's fewer digits than without the call I suppose.
Since it's a normal distribution with a mean of 7500, and a standard deviation of 3000 multiplied by daily volume—it would only cause a negative change less than 1% of the time. This "PublicInsuranceFund" truly embodies their culture of "number go up".
This is obviously just speculation, but there probably wasn't a whole lot of thought put into it by the coder. The goal was "produce a fluctuating number based on daily trading volume so that it looks like we have a real insurance fund". The randomness is simply there to help make the fraudulent representation less obvious. The fact that the number can (very rarely) go negative is just another example of the fly-by-the-seat-of-your-pants thinking pervasive at FTX.
Knowing FTX, they might have even convinced themselves that this was a legitimate hedging strategy.
I'd imagine that the person writing it thought the function generates numbers 7500 +/- 3000 and not anything outside this range.
Isn’t the bigger issue that the fund itself was fake? If they made the decision to set aside some amount of money to be untouchable based on a random number, that is, uh, unconventional to say the least, but they very purposefully chose not to have an insurance fund despite advertising that they did which makes this all the more sinister.
Yes. This should be an instrumental price of evidence in proving that FTX leadership was not “tragically incompetent” but rather willfully and knowingly defrauded its customers.
(comment deleted)
i think when you are trying to prove a company is lying about having a zillion dollars of insurance, it helps if you can kind of pull the curtain down and show everyone the number 'zillion' was made up by someone throwing a pair of dice, not by someone counting a pile of zillions of dollar bills.
Well, yes, the issue is it was fake. But they compounded their fraud by publicly asserting a value of the fund, and the fact they implemented it as a random number shows malicious intent. Sometimes you can wave around incompetence etc as a mitigating factor, but this is clearly intentional deception and this proves it clearly and beyond a doubt.
On the contrary, you want your fund to cover unlucky situations. By linking the size of the insurance to a random number, you cancel out unlucky external events with a lucky internal event, thereby ensuring proper coverage.

So long as the random value is truly random. Were there lava lamps in the FTX server room?

You don't cover "unlucky" with 'random numbers". You cover it with a detailed risk analysis.

Insurance companies have very detailed models on how much risk their customers provide, how much they're likely to cost, and charge accordingly.

They don't just go "yolo random(1,100)'l" and hope they're in business in 5 years.

Well, a random number covers nothing at all. Money covers risk, a number backed by nothing is nothing.
In this case, the random element was almost insignificantly small after a few days.

The fund size was 7500 * the trading volume since the fund was set up.

OP was joking
(comment deleted)
How is the number being random a problem?
When you tell your customers that a particular number corresponds to something real (e.g. the amount of money in the insurance fund that protects their assets) but you know the number was actually chosen randomly with no connection to that allegedly real thing, that's called "lying", or in the business world "fraud", and you can go to jail for it.
I could imagine they could possibly choose the amount randomly and truly deposit such amount to the fund.
> could imagine they could possibly choose the amount randomly and truly deposit such amount to the fund

This would be bad risk management. The random number makes it clear that not creating the fund wasn't an oversight, it was a willful deception.

It wouldn't be terrible risk management. The value chosen (after many days) is going to converge to being awfully close to the trading volume × 0.0075
If that's the level the fund should be at than that's how they should have written it (as a constant multiple). This implementation makes it possible for the "insurance" fund to be reduced by an unbounded amount on a day of record high trading volume (indeed, the higher the trading volume, the more likely it is you'll withdraw a large sum from the fund).

Creating the possibility that some rotten luck could wreck you when you're most vulnerable is bad risk management. It's thumbing your nose in the face of Murphy's Law.

Oh of course, but then it would be breach of fiduciary duty or maybe just gross negligence.
If you were doing that, don't you think it'd be handy to have a record of the amount to deposit? The random amount that's generated isn't even stored anywhere, it's just added directly to the total and written back to the database. What are you going to do, have another daily task that tops off the actual insurance fund to whatever the website says the total should be? Why would you treat a display value meant for the website as the source of truth about the correct value of an actual account?

The only reason to do it this way is if there's no intent for the number to correspond to reality at all.

To be fair I do think they do that on line 27. They have a table of deltas which they then materialize manually in a different table (which presumably only has one row?). And amusingly link them with foreign keys. ORMs make for some weird schemas, this looks like how I might do it MongoDB.

But to your point; if this code is written honestly, it's pretty weird that we don't see any code to post a transaction to the blockchain, or to verify that the funds are available to be allocated to the insurance funds. You would think that would happen before you wrote the new total to the database.

You're right, misread that because of the indentation and diff formatting, good catch!
Strictly speaking the problem isn’t that it’s random, the problem is that it’s a lie. The fact it’s random proves that the number isn’t real.

The RNG is used to give some variance to the number without accidentally making a pattern (which humans making up numbers tend to do). Literally using a RNG in code that’s meant to produce a value based on real world data is blatant and hard to defend if true.

>accidentally making a pattern (which humans making up numbers tend to do)

...and if you are stealing, repeat a few digits occasionally: lack of repetition has caught several-a-tea leaf.

If you claim it's a fund to mitigate risk you probably should actually put money into said fund and not just pull some number out of your code.

So technically it's not the randomness that's the issue, and a constant or manually updated fake amount would be as bad, but to me as a layman but it seems like they use a random number to imply a sophisticated risk management system.

The problem is that the reason it is random is to mislead. If it were a static number then it would be obvious it was faked. The value is designed to look like it is pulled from a fund whose balance is determined by market conditions. But viewing the code, there is no fund to get the balance from, only a call out to random().

It’s like putting pillows under your blanket so someone thinks you’re in bed. Once they find the pillows you aren’t going to get away with “oh I thought I was allowed to be out all night.”

...and this is how this code gets written.

When a software engineer writes code because the code makes sense or solves the problem, without interrogating the problem or how it applies to the real world, there can be real and significant consequences. We trust far too much of our lives to tech to ignore these issues when we're on the side of writing the code.

> without interrogating the problem or how it applies to the real world, there can be real and significant consequences. We trust far too much of our lives to tech to ignore these issues

Seriously, that part is a humanities problem, and many engineers have little education in or understanding of humanitities (to the point of disdaining it).

I think you've hit the nail on the head with the disdain. I have no real humanities education, did exclusively STEM/languages after the age of 16, but I learnt quickly at university and in my first job that STEM is nothing special, that all disciplines have something to contribute, and that ignoring them is just going to lead to ignorance on my part.

If you study to do software engineering from the earliest age you can, do CS at university, don't join any clubs with others from non-STEM backgrounds, or even go to a STEM only university, then join a tech company big enough that you don't have to talk to non software engineers, you've just spent your life in a bubble. Sadly I think this is too easy to do.

Agreed — isn’t the problem that nothing was actually being set aside for the insurance fund, not that the amount being set aside was based on a random number?
Fun to see an open source project I contribute to (numpy) used to commit some light fraud.
I'd guess numpy has been used for lots of fraudulent accounting! Congratulations, I guess?
(comment deleted)
At least it's _efficient_ fraud!
It’s getting a single random number. It would be easier, and probably similarly efficient, to use the `random` module instead.
Forgot to put the “Use for good, not evil” clause, ey?

https://web.archive.org/web/20130203112329/http://dev.hasenj...

But that’s not GPL compliant, what about respecting user freedoms?
I thought it was obvious.

But it poses a larger question: OSS can be used for war and pedophilia.

It is very refreshing and surprising compared to cloud platforms being adamant that they ought to deplatform people who hold even slightly wrong views.

Is it the same programmers holding very different philosophical views?

This is a proper disgrace to software as a discipline. Who writes this?
One advantage of source code control systems is you know who to send to prison.
admin@MacBook-Pro.local is going behind bars for a loooong time!
Unless you make sure to only have signed commits it's pretty easy to impersonate someone in Git repo.
So the main architect goes to prison. At one point, he put the system on production, so it doesn’t matter who was the original programmer, he had to check.
True, though GitHub at least tracks the authenticated user that pushed the commit.
Most people are convinced to take plea bargains based on primarily circumstantial evidence. The idea that unsigned commits are questionable is really only a cypherpunk fantasy.

If you get as far as a federal criminal trial, you're almost certainly getting convicted regardless of what cryptographic signatures do or do not exist.

I guess the dude who wrote that function thought, maybe I shouldn't add a docstring or any comments to that function. What is he/she even supposed to write "function to commit corporate insurance fraud."?

Protip. If you are committing fraud in the future - use a compiled language, do not use offsite version control and UPLOAD ONLY THE BINARY.

> Protip. If you are committing fraud in the future. Use a compiled language, do not use offsite version control and UPLOAD ONLY THE BINARY.

Until you get prosecuted and legally required to turn over the source code, as it happened here.

Seriously, the real pro tip is, "Don't commit fraud, even unethical businesses don't need to do that." If your workplace is encouraging outright criminality, document everything, and either become a whistleblower or run like hell.
(comment deleted)
The bytecode of the binary could also be used to prove it was a random number generator, right?
You’re missing the point here, which is that it would be impossible to prove who wrote it by the bytecode/disassembly alone.
ah, yes. I missed the point. Thanks
It's always weird when people try to give advice on how to commit crimes here, but it's even weirder when the advice is horrible.
(comment deleted)
I wonder what happened to that guy who wanted to get in touch with a drug cartel.
Does anyone know what happened to that guy? Or is everyone who could reply swimming with da fishes
It was a satire. Presumably nothing happened, other than that we all looked pretty silly and got a good laugh out of it.
I remember an old slashdot thread about a pedophile who took pictures of his victims and then tried to obscure it by swirl-distorting the faces. Police were able to sufficiently unswirl the faces and identify the victims and get a conviction.

The comments were all like, “well, duh you have to use a randomized Gaussian blur to make it irreversible”. “Yeah or black out the faces entirely.”

Finally someone said, “right. Or, you know, you could just not molest children.”

Edit: this might have been it but I remember a more involved thread:

https://slashdot.org/comments.pl?sid=321921&cid=20908895

Put the fraudy bit in a config file and don't commit your config.
I don't know python, but what is the "or" here?

For me it looks like this value is used only when there was no data?

Basically else part of monad

Yeah you're barking up the right tree.

    >>> None or Decimal()
    Decimal('0')
So if their aggregation returned no results they'd substitute a 0. It's a client-side `coalesce()`
That’s on reading the daily volume. Basically daily_volume = daily volume or 0. It is multiplied by the random number either way
(comment deleted)
(comment deleted)
Is python typically used in production trading systems?
(comment deleted)
Yes, but less commonly than Excel.
Someone needs to run a `git blame` on that line of code!
That screenshot is already a diff view, which means this is already from either a commit or a PR.
Notice that now prosecutors not only understand code, but feel comfortable showing to judges and juries. Not that long ago, everyone's eyes glazed over at the mention of it.
No they don't. The defense attorneys likely know it better actually (I know one). But if the guy who wrote it actually walks a prosecutor through it, it isn't that complicated
Maybe abit weird …

No “import numpy as np” !?

A life of crime warps your world view a little bit at a time, until you find yourself doing things you never would have thought yourself capable of.
‘_get_change’ is written so poorly
Not defending FTX here, but I think everyone is jumping to a conclusion that this function is used for display purposes only and not to persist the amount that another process then uses to to transfer the insurance amount.

Using some randomization on the daily trading volume makes some sense for what to actually move each day during an end of day process.

Look, the issue is that there is no insurance amount. When asked to show it publicly, they used a random function.

Ofc many websites do that. I did one in my previous company, it's a common social gimmick. But, once a journalist asked us how it was calculated, we removed it... we knew it was wrong from the CEO to the code monkey.

The rule I believe is: don't lie to your customers, yes even if that can extract more money from them.