I seriously do not understand why any employee would steal their previous employers' code to use at a new employer.
There's little-to-no personal upside, and only horrible downside if you get caught.
I mean, this guy:
> Moniruzzaman allegedly gave his personal email unauthorized access to Valeo's systems to steal "tens of thousands of files" and 6GB of source code shortly after that development... Valeo said its former employee admitted to stealing its software and that German police found its documentation and hardware pinned on Moniruzzaman's walls when his home was raided.
And while Nvidia presumably hired him for his expertise, they certainly didn't expect him to be stealing code, not even wink-wink-nudge-nudge. Corporate lawyers at trillion-dollar-companies take this stuff super seriously.
So this guy puts himself at massive legal risk... for what? So he can slack off for a few months while he pretends to write code that's already been written -- and gets to browse Reddit? Or so he can deliver code extra-fast in hopes of a quicker promotion -- that may or may not come? Is that really worth it?
If nothing else, it seems pretty silly to have the stolen source accessible from the new work computer. That's just asking for the ruse to be detected too easily (automated backups, virus scanning, etc., which could fingerprint the data). Keep the illicit goods on an air-gapped, encrypted, personal computer that you can reference as required.
As far as I know, they were never able to find the Waymo files that Anthony Levandowski stole, because he was at least crafty enough to not load everything directly onto Uber hardware.
Rationally seen, you'd at least have to assume to get caught at some point, and you'd have to assume the company will do anything to hold you alone accountable for damages, therefore making any possible upside a terrible risk reward scenario for you - so far true.
Also, if it was your own code, stealing it to "kickstart" your position at your new employer also feels like a rather bad deal: just bringing your knowledge and spending a good part of your time recreating something you already know how to do sounds like low effort for big money, a much better deal for you if your aim was to get better comp and job security.
The one thing that might skew this equation, and can only be theorized about with the knowledge we have here, would be if your new employer DID collude with you and proposed tremendous returns for giving them access, e.g. a kind of off-the-record deal where you'll engage in corporate espionage & theft of IP for big cash following through some hidden compensation construct.
Assuming the latter would border on conspiracy theories and I don't want to suggest this would have been the case here. Just a play of thoughts to add to the reasoning that YOU doing it on your own for ill-guided hypothetical benefits might not be the sole factor leading to such theft at all.
Maybe the employee sees greater potential at another employer (whether for positive impact on the world, or just better execution of their own vision, or whatever) and wants to pick up where they left off, instead of having to restart.
Everyone seems to assume some explanation involving money or laziness, but it could be for a less selfish (though still illegal/immoral) reason.
While I wouldn’t steal IP, I can appreciate a somewhat similar sentiment: looking forward to patents expiring. There are too many scenarios where a company creates and patents some new invention, only to produce some product that kinda sucks… until the patent expires and someone comes along and does it right and at a lower price.
> There's little-to-no personal upside, and only horrible downside if you get caught.
Here you just mention upsides with very small chance of small downside. See the case for Anthony Levandowski, which was a much more serious crime as he knowingly created and sold a company with the only moat being Waymo docs, and everything bad that could happen to him did happen. He spent 6 months in jail and now he rejoined as CEO in Pronto. The much more probable case is he got to enjoy $680M that Uber gave him and not have to worry about money again.
You can be lazy and get lots of promotions and bonuses. That's why. People risk major felonies to steal $5k from a bank. Getting fired on the (let's be real) low risk you get caught is nothing
I wonder if this would become more common with things like ChatGPT.
Let's say you've been working in place A, you show your code to an LLM service (like the dozen or so Copilot-like services) and tell them to refactor. And for the sake of argument, let's say the LLM uses your code and questions for its next training dataset.
A few years pass, then you go to work at Place B, and ask a question that happens to be related to the problem that Place A's code solved, and they give you Place A's code as is.
For this reason, and a few others, my workplace simply put a blanket ban on these kinds of tools. If our code is never exposed to the learning tool, it’s never in danger of being showing up somewhere else.
Incidental to that, I feel like these tools expose the reality behind “copyrighting code/math” and how fallacious it is. If the tool can generate the efficient methods of achieving a result, I think it becomes obvious that one shouldn’t be able to protect it via IP law.
Just like with social media, all it takes is one person to not honor that request, and boom! your shit is out there. Sure, you can fire the offending party, but you can't just ask Co-pilot to not use your contributions. That's like asking the internet to give those pictures back. It ain't gonna happen.
I’m assuming you’re implying that a firewall rule can be applied to block access from the corp network. However, this is clearly ignoring the fact that work from home exists where the corp network can be bypassed.
If the tool can generate the efficient methods of achieving a result, I think it becomes obvious that one shouldn’t be able to protect it via IP law.
But these kinds of tools can only do that because someone else already put in the work to write the solutions that are used to train their models. Isn't this exactly the kind of situation when copyright is supposed to apply?
But with enough training data, it's not generating it because it remembers the exact code line for line, it does it because it knows that to be a good method. Especially if you ask it to refactor it, that's a whole new creation even if it's been done before by some engineer somewhere.
It's still parroting what other people did, it's not doing any math reasoning, and it's not any different to LLMs seemingly able to compose prose or poetry.
If you want to make an argument that math or software shouldn't be copyrighted, LLMs actually make the case for stronger copyright protections.
> If you want to make an argument that math or software shouldn't be copyrighted, LLMs actually make the case for stronger copyright protections.
Maybe, but as long as managers and shareholders all over the world are excited about the upside of the new technology, this is very unlikely to happen. ;)
LLMs would be dead in the water legally, if their owners had to account for every bit of IP the LLMs have been trained with.
If you're going to make these kinds of accusations (the kind that if proved true would lead to multi-million dollar lawsuits), you should at least try to provide sources.
That caveat is irrelevant as it has nothing to do with a private repository. When code is public, especially with a GPL license, it can end up in multiple repositories which may not all de-check the share check.
I tried, all I could find was one other HN comment asking about it. Admittedly I could have tried harder but it really isn't my assertion to defend.
I think there might be some confusion here between private repositories and public repositories with restrictive licenses. There is evidence of the latter but not the former.
Because you can patent a machine. The argument is that software is "just math" (because it literally is just doing binary arithmetic) and mathematics cannot be patented.
Math should be patentable, too. I see no reason for why not.
The old argument that it's discovered rather than invented is bullshit. Multiple people can always have the same idea for an invention because we think alike and live in the same environment.
Or just ban patents altogether. Of course, this may discourage companies from investing in R&D and that's the real problem: how expensive is it to invent something, and does it justify a 20-year monopoly? But there are no good answers here, and trying to draw a line between math and non-math is bollocks.
There’s just something obscene about patenting mathematics. The universe gifts us these truths and our first instinct is that it should be the property of a human.
Patents exist to incentivize invention. As long as mathematicians are content to do mathematics for the love of it, and they certainly are, there’s no need for mathematical patents.
Practically speaking, mathematical ideas are building blocks, not products. Patents on mathematical ideas discourage invention rather than encouraging it because they prevent use of that idea in new products - an idea that would have been discovered anyway. For example the patents on elliptic curve cryptography and arithmetic coding were hugely damaging to invention overall. Patenting a new kind of corkscrew doesn't have this problem; it's a destination, not an intermediate.
Math can be viewed as a product of how our minds work. We use abstractions to understand and predict the universe, but it's always imperfect, and the theories always incomplete.
E.g., you'd think 1+1=2 is some universal truth, except integers don't exist in nature, being just another abstraction that we came up with. And of course, people can rediscover integers repeatedly, but that just says more about how our mind works.
And yes, math is a building block, but so is software. If math theories aren't patentable, that should happen based on them being trivial or perhaps being too useful to society, and not due to some romantic notions of discovery and the universe. Software, too.
But a machine can also be mathematically described. Should that render it unpatentable, or will that have to wait until the grand unified theory of everything is sorted out?
For this, ChatGPT has a 'private' mode in which your conversation exists only while you keep it open. It's not used for training, and no human sees it (presumably). The negative side is it disappears with no history, so you can't continue the next day. That was introduced after complaints similar to yours. Some companies put a total ban.
Is printing out and pinning the prints to the wall still a thing done IRL and not just a movie thing? We had to do prints to green-bar back in school days when we only had shared time at the school's computer lab. But I haven't considered printing code out since the early 90s. It seems so out of place in today's time
>But I haven't considered printing code out since the early 90s.
TFA says he had documentation printouts, not code listings. That I can relate to; when learning something new or unfamiliar it's nice to be able to flip back and forth through the physical copy, make annotations, etc.
This seems so so extremely unlikely for an auto parking feature vs the huge legal risk and the certainty of getting caught: at any time Valeo can see that an algorithm is tuned similarly, sue and find their source code at Nvidia. The AV department at Nvidia is huge and it is not like they don't know what they are doing.
Prove that conversation didn't happen. Of course it's not going to be in writing. Of course they are denying it now. Otherwise, there's literally no defense. So you either fall on the sword, or blame someone else.
One of the generally accepted reasons why it's hard to get graphics companies to open source their drivers has always been that everybody is violating everybody else's patents. And while everybody knows this, making it too obvious is a legal disadvantage. But I hadn't expected it was also true of copyright.
For Nvidia, the most likely reason they've strongly avoided Open Sourcing their drivers isn't anything like that.
It's simply a function of their history. They used to have professional level graphics cards ("Nvidia Quadro") using exactly the same chips as their consumer graphics cards.
The BIOS of the cards was different, enabling different features. So people wanting those features cheaply would buy the consumer graphics cards and flash the matching Quadro BIOS to them. Worked perfectly fine.
Nvidia naturally wasn't happy about those "lost sales", so began a game of whack-a-mole to stop BIOS flashing from working. They did stuff like adding resistors to the boards to tell the card whether it was a Geforce or Quadro card, and when that was promptly reverse engineered they started getting creative in other ways.
Meanwhile, they couldn't really Open Source their drivers because then people could see what the "Geforce vs Quadro" software checks were. That would open up software countermeasures being developed.
---
In the most recent few years the professional cards and gaming cards now use different chips. So the BIOS tricks are no longer relevant.
Which means Nvidia can "safely" Open Source their drivers now, and they've begun doing so.
> It's a long term loss, despite a short term gain.
While I dislike market segmentation as much as anyone, it seems like it worked out ok for Nvidia.
It let them keep a (very) profitable segment of the business, which in turn financed other developments and let them become the GPU leader for a very long time.
No idea how it'll play out in the end of course, but we're definite past the whole "short term" time frame.
1) NVidia drivers had a lot of secret sauce to give high performance.
2) NVidia for machine learning still has a lot of platform lock-in (although fading gradually), and cross-compatibility doesn't help them
3) Quite often, if you've licensed something from a third-party, you can't legally open-source. Proprietary codebases sometimes get... messy.
I'm jumping ship as soon as Intel drivers are good enough. I don't trust AMD to have anything working -- too many bad experiences -- but Intel has a good track record. Arc A770 gives 16gb for <$300. That's as much as I have on my >$1000 NVidia card. I don't need maximum FLOPS. So long as deep learning models run, and 3d apps are accelerated, I'm happy.
Nvidia still sells Quadro cards with the same chips as their gaming counterparts but much more VRAM. They are mainly used for workstations (CAD stuff, VFX, some CFD, maybe also some AI for small scale testing).
It's possibly even less evil, maybe to remove flashing the BIOS at all for support simplicity. I flashed a 7800GT to a GTX for use in SLI with a GTX I bought much later. Weirdly, I expected to flash the GTX down to the older GT, but that wouldn't boot.
Violating patents is one thing, as you're only violating the concept/idea, but the implementation is still up to you meaning it will still be clean room design, whereas this guy also blatantly copied the source code and design files which is a slam dunk lawsuit, hence why no company ever wants to have competitors' IP on their systems.
> Violating patents is one thing, as you're only violating the concept/idea, but the implementation is still up to you
The concept/idea is not what is patented. The patent is (or should be) for the specific execution of the idea. Competitors are free to implement their feature using methods other than what is covered by the patent, even if the end result gives the exact same functionality.
> The concept/idea is not what is patented. The patent is (or should be) for the specific execution of the idea. Competitors are free to implement their feature using methods other that what is covered by the patent, even if the end result gives the exact same functionality.
IP lawyer here (EDIT: not yours, of course): That's a considerable (and potentially-dangerous) oversimplification. What matters is whether what you do comes within the claims of the patent.
Yea, this is a more correct explanation. Not a patent lawyer, but raised by one lol.
Tangentially, it gets difficult in software because a lot of patents are .... maybe overbroad in their wording of claims. Lot of ambiguous looking landmines.
This is somewhat similar to business method patents (which were curtailed a little by the SC a decade ago, but were already known to be kinda sketchy for decade+ before that). Can't patent a pure algorithm, for example.
At some point I was told to never ever look at a competitor's patents, because doing so would worsen the penalties if it turned out that our design infringed upon them. Can you confirm that's true?
Doesn't that mean that in general it is also a really bad idea to ask an engineer questions about a particular piece of tech that they patented at a previous employer, even though the specific information is a matter of public record by virtue of being explained in the patent?
Willful infringement allows for up to triple damages. The expectation is you can't do willful infringement if you're not aware of competitor's patents, and you can't be aware of them if your policy is to never look at patent documents. Or that's the idea anyway.
> The expectation is you can't do willful infringement if you're not aware of competitor's patents, and you can't be aware of them if your policy is to never look at patent documents. Or that's the idea anyway.
"Willful blindness" can be a danger (according to the Supreme Court, albeit in a different context).
Possibly a bigger danger: Your product gets kicked out of the market by an injunction (a court order to stop making, using, selling, etc.)
The case in the original article is not patents at all. Closer to copyright? Idk if it's actually copyright or some other trade secret law (? sorry, don't know much about non-patent IP law)
>The concept/idea is not what is patented. The patent is (or should be) for the specific execution of the idea.
Have you ever seen patents? They rarely cover the implementation details, or at most they're intentionally super vague about that, most of the time it's just the general idea on how the widget would work and what it does, but not how to implement it technically.
I have seen patents. The whole point is to share a method of doing something, in return for exclusive use of that method for a period of time. That's the theory, anyway.
A good example of a patent that was challenged in court and wasn’t totally invalidated is Amazon’s 1-click ordering. They patented storing customer shipping and payment details in a database so they could purchase something with a single click.
It expired in 2017 but for the period it was in force, Amazon collected millions in licensing fees.
Patents really shouldn't be granted when any competent junior engineer could have designed and implemented the feature. This method doesn't pass the "nonobvious" test.
Batteries used to have cardboard instead of metal shells. Because of this batteries used to leak prolifically. Then an inventor patented the modern metal shelled battery. His competitors all started infringing so he sued. They claimed that the invention was "obvious." The judge ruled that it clearly wasn't obvious, because if it had been they wouldn't have been making the obnoxiously stupid cardboard batteries for so many years.
You realize the patent you’re referring to was a design patent, not a utility patent? They are very different, the former only covers look and feel, not method.
Idea is a pretty general term. I have a bunch of patents and I would describe them all as patenting an idea (for how to achieve some goal).
The implementation or execution of the idea usually takes the form of some Verilog or some C++. That is covered by copyright.
The patent is for the idea. Which is part of why I'm so opposed to patents, not just in software. In other fields, like medicine, patents are perhaps for discoveries, which are IMHO similarly valuable as the execution. But ideas aren't that valuable, or shouldn't be.
The specific execution of an idea is also an idea, though
I feel like the granularity of patents is defined more so by where the frontier of knowledge is for a given domain than the patent office (i.e. what is hard but also valuable). But, I also haven’t spent a lot of time with patents
Given independent invention is apparently not a defense against infringement, that makes a lot of sense. I can’t even imagine trying to screen the codebase for that.
"Infringement" is not specific enough there. Independent invention is not a defense against patent infringement, but is a defense against copyright infringement.
No, but a patent can be invalidated if you can show that the idea is obvious to practitioners of the trade, i.e. given the same problem most software engineers would arrive at the same solution.
TFA makes it sound as if the entirety of the blame can be placed on one employee. Sure, his actions do seem to support that view, but then again, Nvidia did hire him precisely for his previous experience at this rival company, on the very same project that the two companies were partnered on, which is the same project that Nvidia hired him for.
There is no argument to be made that Nvidia wasn't aware he'd be coming with secrets. The argument that that's precisely why he was hired, OTOH, is looking very strong.
> Nvidia did hire him precisely for his previous experience at this rival company, on the very same project that the two companies were partnered on, which is the same project that Nvidia hired him for.
Yes, this happens all the time.
> There is no argument to be made that Nvidia wasn't aware he'd be coming with secrets.
This is not a logical conclusion from the above. Hiring for the exp is fine. Hiring for the trade secrets obviously is not. No serious company would do the latter, esp a company the size of Nvidia.
This proves individual employees routinely steal trade secrets; yes, they do. It does not prove that the companies they join (US public companies in the United States anyway) willfully use it.
Think about the large scale conspiracy required to keep something like that secret from an entire company.
There's no need to rope conspiracies into this. The structure of incentives in corporate environments have people in the company not looking for something they don't want to find. Managers would rather not know about violations and be able to tell their boss that their team are pros who got the job done fast, than investigate their reports for violations and quite possibly find a big mess that needs to be cleaned up.
Point is, shit that shouldn't happen routinely does happen anyway. "That wouldn't happen because it would be illegal" is generally bullshit.
Companies of this size have routine code audits that would find copyright infringements of this sort. If the employee literally brought in source code files and didn't even change the name of the directory, like it was highlighted here, it'd have been caught. The audit is also not conducted by the manager, but by a third party. There is no possible way this would fly unless the individual intentionally stripped the source of copyright notices (the individual's fault), or the source code was just sitting on their laptop and never acted upon, etc.
So I think the question (and I'm not a lawyer...) is whether Nvidia conducted such audit and to what extent (if any) the other company's source code was merged into theirs (versus just sitting on the laptop).
The article mentions the directory containing the files was still named as it was in Valeo. If he didn't bother renaming the path, I'm not sure he bothered removing the copyright.
> "This proves individual employees routinely steal trade secrets; yes, they do. It does not prove that the companies they join (US public companies in the United States anyway) willfully use it."
Why do you think that either the ethics or the willingness to risk breaking the law would be different between people being hired by a company vs. people working at a company?
A company's decisions are the decisions made by people who work there, and who once were being hired there. For a company to be complicit in encouraging a new hire bringing illegal IP with them requires one or more people at the company to make the same ethical/risk decision as the person joining. It doesn't require an announcement at an all-hands followed by a long slack conversation with the legal department, it doesn't need to be a huge scale conspiracy.
And it's no harder for a person who said "hey come bring your old employer's IP to my team" to keep it a secret from the entire company than it is for the person who joined doing that to do so.
In fact it's a bit easier, as long as they weren't stupid enough to discuss in a way that gets logged, the person or people encouraging it from inside the company are less likely to get caught, as a comparison of IP may be enough to prove wrongdoing on the part of the person who brought it, while anyone in the company who encouraged it couldn't be caught unless somebody ratted them out.
A thought that came to me recently in the shower: Isn't all knowledge effectively based on previous knowledge, and by extension, experience?
i.e: A programmer knows how to do X, leaves a company to do Y, where Y is in the same field of work as X. Doesn't X still affect the programmer on a subconscious level and henceforth, their thoughts indirectly?
This is the "inevitable disclosure" argument - AKA the idea that the experience is the secret, and thus nobody should ever be allowed to switch employers ever again.
For various reasons (notably, the fact that slavery is illegal), we don't accept this in general. You have to show that secrets were copied in full. Employees cannot memorize millions of lines of source, they can only memorize vague architectural details that would be easily reverse engineered by competitors. If you want to own those vague details, get a patent, or shut up.
> nobody should ever be allowed to switch employers ever again
Venetian glassmakers were banned from leaving Venice with their technical know-how. The Venetian government employed assassins to take them down if they tried to defect.
Bringing knowledge is one thing, which is legal, but stealing source code and design files from your employer to copy it to the systems of their competitor where you now work is a completely different thing which is illegal.
Companies want your knowledge, not you bringing proprietary IP from their competitor to work, as they know that's a very expensive lawsuit waiting to happen.
Eidetic or "photographic" memory as depicted in popular culture does not exist. Most of the people who can remember a lot of information very quickly are actually on some level deliberately using mnemotechnique methods, such as nursery rhyming (like that one released soldier in Vietnam) or graph traversal. It's preposterous to assume that anyone could recite fragmented data such as source code simply by being exposed to it (i.e. not by purposefully memorizing it).
Then you'd be able to draw and type out everything from scratch directly on your employer's PC and not have to download it via USB drives or email, like this guy did.
Probably because very few people have eidetic memory to store 6GB of data in their brains with the utmost fidelity, and unless you can also install a printer in your brain, it would take you a long time to reproduce 6GB of data by hand from your brain.
Transport method it is, because it means there's hard proof and a paper trail of the IP theft that you can prove in court. Memorizing something has no paper trail and also leads to a clean room design. That's why companies want to hire people or entire teams, to do clean room design, without any of the original data.
If I go watch a movie and then tell people what I saw it's fine. If I record the movie with a camera and show it on screen that's the IP theft.
Then copyright comes in to play. You should have been taught how to avoid plagiarism in school. Use those techniques to reimplement. These techniques involve more than just using synonyms and rephrasing.
Where is the proof that the source code was merged? The article only mentions that former employees caught an eye of the source on the individual's computer; it does not mean the source code was merged or acted upon.
Risk is always balanced against reward. I doubt Nvidia is culpable here not because I have some strong belief in their morality but because I trust they would not take stupid tradeoffs.
IMO this is more of a "don't ask don't tell" thing. I'm sure there was never an explicit agreement that the employee would bring trade secrets, but they can promise to be able to build for Nvidia what was built at the last company, and Nvidia could say "yes I want that", and not audit the new employee's dev environment.
>IMO this is more of a "don't ask don't tell" thing.
I assure you it isn't. If your company (in the law abiding west) has any suspicion you're using another company's illegally obtained proprietary IP, they won't see you as some hero doing God's work and put you on the promotion track while turning a blind eye to what you're doing; they will immediately ask you to delete everything and every trace related to that.
Foreign IP is radioactive and they don't want to get sued because you're bringing some source code and PDFs from their competitor, which might not even be that useful for them anyway.
There were even cases of companies ratting out employees they found using IP they had stolen from their previous employers and getting them arrested, because if you stole IP from their competitor, what's stopping you from also stealing from them?
>not audit the new employee's dev environment
Audit how? Against what? Stolen foreign source code you don't have? It's just not realistically possible to audit every employee's work and accurately determine whether or not they are reusing source code they stole from a competitor, especially if the employee doing this is careful to change or redact what he's checking in.
Only thing you can audit is against FOSS code that is public, but not if it's stolen proprietary code and the employee made sure to not check-in anything giving away the origin of the original IP holder. They didn't catch this guy until he got sloppy and made this huge blunder.
You can never secure everything and audit everyone, especially if you want people to get any work done and not feel violated, so everything boils down to trusting employees they won't steal from you, and trusting the legal framework and law enforcement they'll do their job when in need, so you just have everyone sign NDAs and hope for the best.
I don't have direct knowledge of this company or the parties involved but I would be highly doubtful that Nvidia would want to have an employee steal the secrets of a competitor/partner. In my experience, companies of this size would aggressively not want tainted IP inside their companies. He would need to be bringing across something as valuable as AGI, cure for cancer, etc for it to be even worth considering. There are numerous examples of companies being offered trade secrets of their competitors and reporting it back to the FBI just so they can avoid even the suspicion of stealing corporate secrets.
If you think about it for a second, it is kind of obvious. Pretty much every technology is reproducible with the right amount of talent, funding and time. Why commit a crime when you can simply throw money (of which you have a lot) at the problem? Responsible corporate officers know this and act accordingly.
The company I worked for was paranoid as hell about IP in the code. They hired some source scanning firm, for a lot of money, to continually scan our codebase.
They were mostly looking for GPL (nasty, naasssssty GPL!) code, but they also scanned for code that couldn't be accounted for in our "clean" repos. Not exactly sure how that worked (or even, if it worked at all. I think they brought smoke[0]).
What does that mean? Why would scanning for GPL code be looked at badly? It presumably means a company is proactively abiding by GPL licensing. The only thing better would be to use GPL and share their source as well. But of course it's a legit choice to just not use any GPL'd code.
It's probably more common to just turn a blind eye to GPL code, so it's good to see companies making sure they're on the right side of it.
I'm not a fan of "viral" licenses, and agree that, if a company doesn't want to abide by the license, they should not include them, but I am also not a fan of trying to force others to force others, to force others, etc., ad nauseam.
I tend to use MIT, which isn't always everyone's cup of tea, but means that you can use my code, and it would be nice to be credited, but I won't cry myself to sleep, if you don't.
The MIT license requires giving credit. The difference between MIT and GPL is that GPL requires sharing the modified source code and licensing it the same.
Huh, I wasn't trying to argue one license is better than the other. I was just trying to clarify what the licenses require. I didn't want someone to see your comment and think that it would be ok to use someone else's MIT-licensed code in a product without giving credit.
I take the MIT license and excise the credit clause for publishing my least important personal projects. I feel it gives me just enough cover (no warranty etc.) and avoids requiring people to stick my name into whichever unaffiliated project.
For work, I’ve definitely had to bury the fine-print MIT credits on some random help screen. It’s easy enough to do.
Re TFA: it’s kind of nice doing a bit of open source work on the job when you can reference or use random utility code later. There’s only so many times I want to write code for walking a dictionary in JavaScript or whatever.
As with anything, there are shades of gray and certainly more or less scrupulous ways to behave. Stealing GB’s of code is a bit much.
Would Nvidia the company want to engage in this? No. Would some middle manager involved in poaching this guy from the competitor want to do it? I have my suspicions. It takes two to tango and Nvidia didn't catch this themselves which raises some red flags. How was he hired? What kind of compensation was he able to negotiate? Was it well above the compensation Nvidia would ordinarily pay for an engineer of his level? How did he introduce the code into Nvidia's version control? Were there obvious red flags about the "development" pace that should have raised eyebrows during peer review?
I work at a big tech company and if I tried something similar, I'm pretty sure it would be caught internally. Even if I managed to pull it off, all it could realistically give me is a foot in the door. Some sketchy hiring manager isn't going to be able to just sweep some $500,000 signing bonus under the rug, and $100k isn't unheard of for regular engineers here anyway. As far as compensation and promotion opportunities afterwards, it stands little chance of mattering for that either. For the first few months nothing I did was even used in performance reviews, and it's a peer-driven process to rate/promote engineers.
Combined that means that even if I wanted to do this, and I found a corrupt hiring manager that wanted to play ball, I'd have to sit on that IP for a few months after being hired, slowly introduce it into the codebase, alter it in response to peer review and to fit the new code base's coding styles, etc. In the end, that would prove useful for a grand total of one peer review cycle and then it's sink or swim on my own merits from that point forward.
All that to say, yes Nvidia doesn't want this kind of thing as a company, but there are still individuals who potentially stand to benefit and there's a lot of opportunities for Nvidia to catch this before it's accidentally shown on screen to the competitor it was stolen from this far down the line. I don't know much about Nvidia's corporate structure but it kinda seems like they're trying to avoid finding out about it rather than trying to actually prevent it.
>Would some middle manager involved in poaching this guy from the competitor want to do it? I have my suspicions.
No company or manager I ever worked at, at both good and bad companies, would even think you'd be bringing stolen proprietary IP from your old job let alone allow something like this to happen under their nose with their knowledge.
They're far too afraid of IP lawsuits, as knowledge of the use of stolen IP can easily leak, and you could then rat out that manager, making them an accomplice, for anyone to allow something like this to happen with their blessing. And besides, you never want to hire IP thieves: if they stole source code from their old job they'll steal from you as well.
>How was he hired?
Most likely Nvidia poached the guy on the premise that he's gonna build for them something very similar to what he was working on at Valeo. The guy probably sold himself well to get the senior job at Nvidia but most likely knew he had overpromised and would underdeliver, so to make his life easy at his new job, he took all the source code and documents from his old job to use at his next job.
>How did he introduce the code into Nvidia's version control?
Well it's not like he was dumb enough to just dump in git all the stolen source code from Valeo with all the headers, variable names and copyright notices and nobody would notice. Most likely he kept the code on the laptop as an offline copy and only used it as inspiration for the code he wrote for Nvidia or maybe he even bluntly took Valeo's source code then pruned, redacted or renamed any and all references to Valeo and checked it in as Nvidia's project so nobody was the wiser that the code was not originally written by him.
> Why commit a crime when you can simply throw money (of which you have a lot) at the problem?
Indeed. But the stupidity of committing a crime does not actually stop companies from doing so. Mainly because the penalties for it are never harsh enough.
>Stupidity in this case probably means low level employees cheating for benefits and career
That's most likely the case here. FFS, the guy stole 6GB of proprietary data and police found the stolen design files pinned on his wall at home, so the guy was fully committed to his scammer role, and not just an accidental "oopsie I walked out with some proprietary IP by mistake, better discard it and keep this low key so nobody finds out".
By the looks of it, this guy, most likely on a Blue Card (German equivalent of H1B), was just cheating and stealing his way up the career chain through the revolving door of the blue-chip automotive sector, until he got caught.
Companies both big and small, never ever encourage you to bring to work proprietary files and data from your previous workplaces, since that's a guaranteed lawsuit as these things always get out eventually.
A problem here is that while the companies will generally make very clear that they don't want you to have any single line of code, any schematic, any drawing, anything at all from your previous company; they may also expect you to bring "experience" from the previous company, thereby pressuring more junior employees into doing exactly that - bringing some docs from the previous company - but not telling about it. Through my career I have been to several meetings where everyone was, notebook in hand, expecting to hear the "experience" from the new guy. That is obviously as legal as it gets, but the pressure for the junior employee to have kept a couple of notes is there, and you'd never know.
i.e. I suppose no one was aware that he had this code, and it's unlikely it went into Nvidia's codebases or that Nvidia wanted it; but it also doesn't mean Nvidia did not pressure the guy into doing that.
That sounds wrong in so many ways. Do you live in China or something where this is expected?
I've worked at about 10 or so companies in 3 countries and it was never expected for the juniors to ever "bring documents from previous workplaces as knowledge and not tell about it".
Bringing your "experience" means only the experience and problem solving skills that are in your head as we're in the knowledge work business. Bringing documents to regurgitate just means IP theft, not knowledge work and is no guarantee to make you a productive employee, and no company would ever touch you for ever doing that.
> Bringing your "experience" means only the experience and problem solving skills that are in your head
it's hard to differentiate experience with IP. For example, there might be a tricky problem (say, in manufacturing), and the solution is a trade secret. The "experience" from said employee is really just relaying that trade secret.
Some people have very, very good memories and can bring all of that in their brain. Does that make it legal or not, just because it's in someone's brain and can be easily regurgitated at will? It's a subtle question.
This often happens ingenuously, not out of calculated ill intent. Coders will keep code snippets and thoughts in personal knowledge tools like Notion, and then reuse them in different companies. Or contractors will straight up copy and paste code from source files of projects they worked on for different companies, thinking "I wrote it, so I could write it again, but why bother?", or something along those lines. People don't usually brag about these things, but they do come to light in random conversations.
This is exactly what happened here:
> According to Valeo's complaint, Mohammad Moniruzzaman, an engineer for NVIDIA who used to work for its company, had mistakenly showed its source code files on his computer as he was sharing his screen during a meeting with both firms in 2022
In most cases, these people are asked to remove all such code from the codebase and never do it again, but news about this rarely reaches the executive level. Usually, there aren't clear rules that it's supposed to be reported, so low level managers handle it the best they can. Of course, this guy got caught in very unusual circumstances.
It is also very unfortunate to be the software engineer who notices others doing this, because it puts you in a whistleblower's dilemma. The upper management does not want to be implicated in this and they do not want to know. Besides, informing them would definitely lead to the coder's firing. What is worse, many programmers see liberal use of IP as "not a big deal". So you would be perceived as causing problems for upper management, and getting people fired for "petty" reasons. It can sink your career in most companies if you witness this and it gets out. There are laws that protect whistleblowers from being let go sometimes, but it's not conducive to anyone's career growth to remain in the company because they cannot be fired.
The screen sharing incident is not the important thing that happened here. From the article:
> Moniruzzaman allegedly gave his personal email unauthorized access to Valeo's systems to steal "tens of thousands of files" and 6GB of source code shortly after that development. He then left Valeo a few months later and took the stolen information with him when he was given a senior position at NVIDIA, the complaint reads.
>Valeo said its former employee admitted to stealing its software and that German police found its documentation and hardware pinned on Moniruzzaman's walls when his home was raided. According to Bloomberg, he was already convicted of infringement of business secrets in a German court and was ordered to pay €14,400 ($15,750) in September.
> paste code from source files of projects they worked on for different companies
I wonder what would happen if legal action started between two companies and it turned out a coder pasted code from personal projects that predates both.
IANAL (so take this with the pinch of salt that it comes from someone just thinking out loud), but I think it would depend on a number of factors such as how novel the code was, and how integral the code is (just to name two factors).
If the code was something as simple as let’s say leftpad for a simple example, it could be argued that it’s not the “meat” of the application so those few lines can not by themselves be copyrighted but the whole work (or even larger portions of it) can be.
If it was some special sauce algorithm, it could be argued under their work contract that the employee assigned copyright of the code of the personal project to the first employer they did the work for.
It also depends on the status of the employee, the contract of the employee, and the jurisdiction of both employee/employer.
A “full fledged” employee's work is often deemed the company's property if done in the course of their employment. A contractor in the US is about the same; however, in the UK a contractor by default can retain the copyright of the “work product” unless stipulated otherwise in the work contract (so most contracts will state that you as a contractor are assigning copyright for the work you do to the company).
So in that last case it could be argued that the coder still owns the copyright but licenses the use to both parties. It would then be a case of the two companies maybe suing the coder for selling code they may have represented as giving them an exclusive license to, but obv didn’t because it was licensed to multiple companies.
>I wonder what would happen if legal action started between two companies and it turned out a coder pasted code from personal projects that predates both.
Highly unlikely. This was no FOSS web library he was working on, but some relatively cutting edge embedded automotive stuff, which few people do in their free time as a side project to put on github.
And anyway, according to most industry contracts and work laws, whatever code you check in your employer's systems during work hours and using work equipment, automatically now becomes your employer's code which you now can't share anymore.
You can easily add terms to employment contracts that grant non-exclusive license to code you own that you use in the course of employment. I've done it many times. The only issue that has come up out of this is when someone wants a warrant of exclusivity downstream of that, but that has never been a showstopper.
Isn’t it almost always much better in acquisitions that the acquired company owns all of their code? I have been told so many times. Apparently the valuation is significantly impacted if they do not.
My Director of Development once explained to me that our company rented all its offices; that its only assets (other than people) was its code; and people can leave. He was scrupulous about keeping GPL out of the codebase.
Companies use tons of open source code, it isn’t any different than that. And in many cases, these were huge companies, not startups. It was a shortcut to reimplementing the same code. No valuation impact.
For most contractual agreements you assign copyright of your work to your employer. So if you used your personal project in work for your employer, the copyright becomes theirs.
My guess is that in your hypothetical scenario the first company would own the IP and could sue the worker or other company for infringement.
>Coders will keep code snippets and thoughts in personal knowledge tools like Notion,
Do they? I’ve never personally done such a thing, though I may keep some code in public GitHub repos. I’ve rewritten quite a bit of the same logic at most places I’ve worked over the years.
I’ve seen it happen, including other employees telling me I should make sure to zip up my code before I left (which I would never do). It’s only been at the earlier companies I worked for with many devs of questionable skill level. I’m not sure what’s behind the mentality, I assumed the act of writing decent code was challenging to them or it was perhaps something they were proud of, but maybe it’s also some misplaced sense of ownership. At one company I’ve experienced a dev asking back printouts of a design for a CRM at the end of a presentation, I assumed it was “borrowed” from their last job (thankfully we went a different direction). But regardless it definitely is a thing.
> I’ve rewritten quite a bit of the same logic at most places I’ve worked over the years.
Same here. I’ve learned to enjoy it, like perfecting a craft.
Or worse, they may just remember how they coded it last time and code it the same, or only remember subconsciously and code it the same without knowing.
Someday there will be technology to erase all memory of work you did in service of your corporate overlords and you’ll be able to start with a true clean slate at every job.
> Someday there will be technology to erase all memory of work you did in service of your corporate overlords and you’ll be able to start with a true clean slate at every job.
One of the employees had his previous employers' code. There will have to be proof that Nvidia even knew about it for this to go anywhere beyond the employee.
I am positive Nvidia has no part in this. A corporation of this size is severely allergic to foreign proprietary code and would not risk the lawsuit. Sounds more like this individual forgot to read the memo on IP, and the article says he was already sued by the German courts for prior misconduct anyway.
Kind of reminds me of the guys who do personal stuff on their work laptop and then get the entire company pwned. Do people not read the fucking manual anymore?
What does it mean for "Nvidia to know" something? Does it never count as a "corporation knowing" unless the executives are aware of it? Obviously this cannot be the standard by which companies are held accountable.
How many managers need to be in-the-loop with the theft before we can fairly say "the corporation knows"? As far as I'm concerned, even if no managers are aware of it, they should have been aware of it (it's their job to know what their reports are doing) so the corporation should be liable for the theft. Otherwise it's trivial for everybody to play dumb and turn a blind eye to what's going on.
Yea "they were too big to know something illegal was going on" is a narrative that benefits these large companies while ensuring any individuals or small companies that do the same see the full force of the law.
> Moniruzzaman allegedly gave his personal email unauthorized access to Valeo's systems to steal "tens of thousands of files" and 6GB of source code shortly after that development.
Compare Moniruzzaman with Sergey Aleynikov [0] who allegedly "stole" [open source] Erlang code from Goldman Sachs, was arrested by the FBI at Newark airport, found guilty in Federal court and was initially sentenced to 8 years in jail although it was overturned on appeal. He was then tried again on the same charges this time in NY state courts and again the conviction was overturned but then reinstated on appeal by the NYC DA, he was ultimately sentenced to time served (1 year) while waiting for the federal trial as he was deemed a "flight risk".
So I think with "only" a €14,400 fine, Moniruzzaman did better than Sergey despite apparently committing an actual crime.
Judges and prosecutors should lose their immunity and be held accountable for their negligent and reckless actions. Legal systems can never be just until bad actors face repercussions, irrespective of what role they serve.
What’s the difference between one person doing it individually and a company doing it to train an AI? I mean isn’t this exactly what a lot of LLm training data is built on as well?
I get there might be different legalities, but morally isn’t it all basically merely degrees of theft? Like this is trade secret theft, but training an AI on the code isn’t?
How is this morally theft anymore than hiring someone who has experience solving the problem to solve the problem again? As long as they aren’t reproducing the solution verbatim it’s already morally acceptable to hire experts for their experience. Why would “hiring” software for its “experience” be different?
Right, and if you do that, it’s theft under the law because we want to reward people for doing novel work. In the same way if I could get GitHub to send me a copy of your private proprietary repository without your consent, that would be called theft by the law, because it removes the incentive to invest in proprietary software. If I hire one of the engineers who worked in that repository and spent years on the problem so she could code solutions to it in their sleep that’s not theft in the law, because we value labor rights, the free exchange of ideas, and want to incentivize building up human capital. Even as it creates a new risk people investing in proprietary software have to deal with now.
If I hire “software” that learned from a copyrighted source, but doesn’t reproduce the copyrighted code directly, why is that different from hiring someone who worked on that project before?
I think morality isn’t a useful compass here, it isn’t a moral problem. It’s a problem of what kinds of rules you want for society to increase utility for everyone around these tools. If you restrict learning from each other too much you stifle progress. If you make it too easy to copy the leader in a field you disincentivize anyone doing novel research first.
Probably easier to exfiltrate confidential documents when printed, rather than digitally through the company internet which is logged and points straight to you.
If I print something confidential and take it home there's only the printer logs as proof that I printed it, but no proof that I also took it home (unless there's surveillance footage).
>Let alone pins it to their walls?
The man is proud of his work, wants to see it daily for motivation.
I do. I can't read any length of text on a screen. I pin stuff to the wall too, of quick sheet character. Like Emacs hotkeys, C operator precedence, pinouts, general specs etc.
Same. I recently bought a Kindle Scribe (would have preferred Kobo, but enh) to see if that would make it easier than constant printing and shuffling papers. It's alright. Better than a monitor, slightly less good than paper.
FYI, a lot of other nationalities besides German work in Germany. It's natural to find immigrants in almost every company, especially the big international ones.
Most professional software engineers develop a coding style, with consistent function headers, names, case, variable naming etc. Rewriting a feature from scratch may look very similar to your previous work in a screenshot.
Not only do engineers face this problem, but so do hair dressers, architects, pizza masters, soccer players, etc when they switch employers.
I have been a software engineer and writing code in one role or another for over 20 years. I do not think any of the code I have written in any of the previous job can be used in the next ones.
I wonder how closely the two companies follow each other's footsteps that the code could be reused this way.
Not to mention tons of other projects that live outside of the main org, contributions to other projects all over the place, etc.
So much hate for free software.
The “I hate Nvidia because all I know is their driver is proprietary” schtick is old.
They crossed the $1T mark in value solely because of the almost completely open source ecosystem (a large portion of which they directly develop and contribute to) that runs on top of their hardware and (yes, proprietary) driver.
They’re not angels but this position is something out of Slashdot circa 2005.
CUDA. Non-free firmware. Still bad. And Radeon the same: proprietary firmware run by the kernel is needed sometimes to even boot the GPU; it just happens Linux-Libre patches it and the modesetting driver will work fine until you make 3D accelerated calls, when the system may either panic or crash X entirely. That can be fixed by setting RenderAccel to none in the X.org config file.
I'm not acting - I'm genuinely saying, NVIDIA hates Free Software and this isn't a controversial stance. Always have. This is common knowledge and doesn't need sources, citations, etc.
Should just give the board of directors 100 lashes. Except of course if it turns out they didn't know about it, then they should get 200 lashes, have their genitals chopped off, and their immediate family be given 10 lashes. Just like the good old days.
It's crazy to me. Why would you risk that?