Goldman Sachs sent a computer scientist to jail over 8MB of open source code (garrytan.com)
194 points by nrcha on Aug 5, 2013 | 78 comments



I read the original Vanity Fair article. I have to say that the whole thing looks like nothing more than Goldman using its governmental influence to send a message to its programmers that if they leave for another firm, there will be hell to pay. After he won his federal appeal and was released from federal prison, Goldman convinced the State of New York to file charges for the same conduct. That case is pending and he is out on bail. A recent motion to dismiss that case based on double jeopardy was denied. Welcome to the USA - where money buys you all the justice you could ever want.


Justice as it was meant to be (John Rawls, Kant, et al.): "Entitlement to legitimate expectation."

Justice as it is practiced: "Legitimising the expectations of the entitled."


Link bait title -- It was open source code mixed with Goldman Sachs proprietary code. This is also a summary of a much larger and more complete Vanity Fair article [1].

[1] http://www.vanityfair.com/business/2013/09/michael-lewis-gol...


Also the 8MB is really debatable

An SSL key can be smaller than 1k (ok, today more like 4k maybe more) and be very valuable

Not to mention older source code that was smaller but very valuable (think IBM PC bios, or the first Apple II ROM)


It was stealing proprietary code that could have cost Goldman hundreds of millions of dollars.


To me it is not clear why stealing the proprietary code could have cost CG hundreds of millions of dollars.

Proprietary code that wasn't developed and tested with generic requirements in mind can rarely be economically re-used outside of the original company context, as it reflects the structure and the processes of the mother-company. In fact most organisations I know decided to throw away their code base entirely when restructuring or upgrading their internal systems as re-work was deemed uneconomic, because the gap between the code and changed environment is too great.

Data is salvageable and immediately valuable; however re-using the code requires a considerable effort, and it would also be very hard to keep secret. The news of their platform being fully or partially re-used at a competitor's would have quickly reached GC and they could have shut down the competitor entirely whilst suing them for all of the profit.

Of course one could steal the code for analysis so they could try and exploit the technological weaknesses in GC trading patterns, however this is not the argument given by the article or GC.


I understand that high frequency trading algorithms are often predatory, identifying other algorithms making trades, and exploiting their known behavior to trick them into making bad decisions.

Although it may not be the case here, one can imagine that this source would let you fingerprint the Goldman algorithms, and give you an idea of the way they make decisions. That might allow one of these automatic con man algorithms to steal a huge amount of money.

In this instance, the case is more likely that Goldman paid the programmer a million a year to deliver software that gave them a competitive advantage (of significantly more than they paid). By taking that software, he removes the competitive advantage they bought from him.

Let me ask a question:

Imagine you paid an online contractor to write you software. Maybe you paid them to make an app idea, or a website. Under what circumstances would you object to them putting the whole thing on a public github? What harm could it do you? That harm, amplified by the money involved, is Goldman's case.


There's two reasons here...

1) As was mentioned by Shubb, there is a predatory aspect to algorithms. If I know how your algorithm will work, I can create one that will beat it. You can think of it as programming robots to fight. If I've seen the source code for your robot, I may be able to program one that can exploit its weaknesses. (Worked against the Death Star!)

2) The HFT world works best when the ideas aren't well known. Let's say I identify a mispricing. It could be, "When this Mutual Fund moves, this similar ETF moves 0.1ms later, and these stocks react to the ETF and move 0.2ms later, but they forget these other 3 stocks 0.3ms later, so actively long those stocks for 0.3ms, and short the rest, and reverse after the time is up." No need to dwell on the details, just understand that it exists. If only one person has identified this mispricing, there are a lot of pennies to be swept up. As soon as two people know about it, the game is up.

While this type of competition could conceivably be good for the market as a whole, it's definitely not good for the person with the algorithm.

If I have the code, perhaps I can deduce the algorithm.


Although it doesn't state what was taken, it does mention that the copied code in question is not related to the trading algorithms.

If it did, then Goldman's reaction would be well justified (to the extent that sub-millisecond arbitrage that siphons billions out of the markets each year and into the hands of a few firms can be justified).


Bold statements require bold proof. Care to share?


Without having sat on the jury, I will have to rely on public documents for the relative size of Goldman's proprietary business. This may not meet your standard of proof. After the Volcker rule, it has become much tougher to find data on principal transactions, so let's go back to 2010 and look at the Financials of their annual review.

http://www.goldmansachs.com/investor-relations/financials/cu...

On page 58 of the document (page 91 of the footnotes, since it starts at 34) revenues from "Other principal transactions" is $6+ billion for the year. Revenue from "Market Making" is $13+ billion. It can be murky where this activity falls, but it's definitely one of those buckets.

On page 69 (102) you get a breakout of which product areas these come from. Without going too deep, it's just worth observing that it's multiple billions of dollars of risk across each of these areas.

Going to another source, on page 3 of this paper (http://repository.upenn.edu/cgi/viewcontent.cgi?article=1689...) they quote Goldman estimating the size of High Frequency Trading to be $0.5 billion in revenues, with others estimating it to be $1.5 to $3 billion.

Do I know enough to say how much of this he was accountable for? Enough that he would get a big offer to work somewhere else. And I am very confident that he knew that copying this model was against the law. Everyone in this type of environment knows this.


But you have provided no proof as to whether the files he copied included the trading strategies. To quote

“Did you take the strats?” asked one (meaning Goldman’s trading strategies).

“No,” said Serge. That was one thing the prosecutors hadn’t accused him of.


Are you sure you read the full Vanity Fair article? It's pretty strongly suggested from the article (assuming the picture there is complete) that he didn't actually take any business or trading strategies.


The most interesting part of the reaction from the Vanity Fair piece for me is how so many geeks had no idea of this story until it was spelled out to them by a mainstream magazine (even though the Aleynikov case was extensively covered here on HN).

Now would be a good time to highlight the cases of hackers that Michael Lewis doesn't have time to write about: Bo Zhang, Michael Meneses, the Madoff programmers, John Kane (has had most charges dropped now), the Liberty Reserve guys and almost everybody ever charged with Computer Fraud and Abuse Act


What's the story with the guys who worked for Madoff? I've heard nothing of this.


Here is a Wikipedia article on the upcoming federal trial, but a warning that it is all based on the indictment and doesn't have the defense side of the story:

http://en.wikipedia.org/wiki/United_States_v._Jerome_O'Hara_...

This case contradicts the FBI findings from the Madoff case, and relies on the programmers having had to know that their system could also be used to print out fake trades.


Can you provide links? I never heard of any of those cases!!!


I love to stick it to Goldman as much as anyone else here, but I think the story is probably more nuanced than "Goldman jails innocent programmer for leaving the firm". I know that I have on occasion kept copies of source code for projects that I'm proud of (and there was often some open source code involved; that changes nothing). Not to give it to someone else, but because I was proud of the work.

That is probably a breach of contract but I don't think it should be a crime punishable by jail time (unless someone can prove that said code was used to aid another company).


Proving that the code was used to aid a company is not a good measure of the seriousness of the crime. What if you take the code and store it on a device with really low security? You don't share it, but you allow "hackers" to easily take it, so you are in fact aiding competing companies.


The developer was not innocent, but the punishment was disproportionate and heavy-handed, considering that he did not appear to have made use of the source code that was taken.

The major problems raised by the story lie firstly in the technological ignorance that the authorities displayed; secondly in the developer's legal ignorance (in trying to correct the authorities' technical ignorance) and finally, and perhaps most importantly, in the breathtaking arrogance and conceit displayed by GS in its handling of the case -- yet more evidence (as if we needed it) of the vile, corrosive, and fundamentally corrupt culture that infects our financial services.


I suppose most programmers do this. I'm just playing the devil's advocate here, but the difference might be in the type of code that was kept on file. Nothing I've ever kept was rocket science or novel in any form - No competitor would ever gain an advantage by peeking into it. But there could supposedly be something novel in a trading algorithm.


The article talks about the requirement to release source code to the public, if modifications are made. This is a common misconception, but generally not the case, depending on the license. Typically, source code release is required if the software is distributed. If you've modified open source software for internal, private use, you typically are not compelled to release the source code, because you are not distributing the software.


I've updated the post to reflect this.


It could have as easily been phrased (and likely would by a prosecutor) as "a cache of source code longer than the King James version of the bible." The defence could respond "only about three millionths of the amount of data in a human cell's nucleus." "More than seventy times the amount of software needed to land on the moon!". The amount is irrelevant. He released proprietary source code which is an offence under current law, with fairly well established sentencing guidelines. I agree that the law should be changed, but if you protest a law by breaking it, the results shouldn't come as a surprise.


you'd have a point, except for the part where an appeals court unanimously acquitted him


I said that breaking a law has fairly predictable results. Among them the possibility of acquittal on appeal. In fact, if you're doing it for some sort of protest reason, this might actually be the goal (building case law against an unfair/unconstitutional law or interpretation).


a) I didn't read anything that suggested he was protesting the law. Perhaps you could point out that part of the story. b) He didn't release proprietary source code. Or did I miss that part?


(a) I was offering him the benefit of the doubt. You're correct. Other possibilities include that he's simply a criminal or merely dumb. (b) You did. Reread the third line of the post.


> (b) You did. Reread the third line of the post

Which third line of the post is this? I don't see anything about him releasing the source. And if you read up on the case, you will find that what he actually did was to upload encrypted archives that he then downloaded from home. I don't believe there's any allegation that he publicly distributed any of this source.


Apologies. I thought you were objecting to "proprietary". I think we've just a semantic issue. How about "he knowingly caused proprietary source code to leave the control of its owner"? Although, as he did post to a public server, I think I can defend "released" if I need to. The word "encrypted" does not occur in the linked story, nor does it seem to be implied.


Are those really the only possibilities? Are you perhaps not really thinking very deeply about his possible motives?


"Other possibilities include"


Hmmm. Ok so this guy uploaded both OS and Goldman-authored code - as stated in the article. And uploading pure OS code wouldn't make sense anyway as it would be available anywhere. And did so immediately prior to taking a principal role at a competitor start up - no wonder they checked. He knew he was doing something wrong - as stated in the article - and his reason for deleting his bash history makes no sense (surely bash doesn't cache passwords) - indicating he was trying to cover his tracks.

They're gonna want to protect their IP - particularly when it could give a competitor a huge advantage. It's not surprising they went after him.


I assume he was performing some sort of authenticated action - e.g. against the svn repository - and providing the password as a command-line argument rather than interactively. This would not only leave the password in the history, but would make it visible to anyone else on the machine who runs ps whilst the command is executing. It's terrible security practice, but I've seen it done more times than I can count.


> surely bash doesn't cache passwords

It does if you're careless enough to type them out in clear text, e.g. when connecting to a mysql database:

    mysql -h host -u user -pMyPassword database


Useful tip: with

  HISTCONTROL=ignorespace

in your .bashrc, if you start a line with a space, it won't be entered into your history.
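The two comments above describe the same exposure from opposite ends: a password passed as a command-line argument (the `mysql -p...` form, or a credential in an inline environment assignment) is written to the shell history and is visible to other users in `ps` while the command runs, and `HISTCONTROL=ignorespace` only addresses the history half. The script below is an added example, not code from the thread or from Goldman; it audits a history file for such commands, shows how each would be redacted, and encodes the ignorespace rule. The history it scans is constructed sample data, and the tools and flags it looks for (mysql `-p`, `--password=`, `PGPASSWORD=`/`MYSQL_PWD=`/`AWS_SECRET_ACCESS_KEY=`, `sshpass -p`, `curl -u user:pass`) are real command-line conventions used here as a heuristic list, not an exhaustive one.

```shell
#!/bin/sh
# Added example (not from the thread): audit a shell history file for commands
# that pass a credential on the command line. Such lines end up in the history
# file and are visible to other users via `ps` while the command runs.
# The history below is CONSTRUCTED sample data.

SAMPLE_HISTORY=$(mktemp)
trap 'rm -f "$SAMPLE_HISTORY"' EXIT
cat > "$SAMPLE_HISTORY" <<'EOF'
cd /srv/app
mysql -h db1 -u app -pHunter2 appdb
git pull
PGPASSWORD=s3cret psql -h db2 -U app appdb
sshpass -p letmein ssh deploy@build01
curl -u admin:adminpw https://example.invalid/api/status
ls -la
find . -name '*.log' -print
mysql -h db1 -u app -p appdb
EOF

# Extended regexes shared by the grep and sed steps. A bare "mysql ... -p" with
# nothing attached makes mysql prompt for the password, so it is NOT flagged.
RE_MYSQL='mysql[a-z]*[^|;]*[[:space:]]-p[^[:space:]]'
RE_LONG='--password=[^[:space:]]'
RE_ENV='(MYSQL_PWD|PGPASSWORD|AWS_SECRET_ACCESS_KEY)=[^[:space:]]'
RE_SSHPASS='sshpass[[:space:]]+-p[[:space:]]+[^[:space:]]'
RE_CURL='curl[^|;]*[[:space:]]-u[[:space:]]+[^[:space:]:]+:[^[:space:]]'

# list_credential_leaks FILE: print "lineno:command" for each offending entry.
list_credential_leaks() {
    grep -nE -e "$RE_MYSQL" -e "$RE_LONG" -e "$RE_ENV" -e "$RE_SSHPASS" -e "$RE_CURL" "$1"
}

# count_credential_leaks FILE: print how many entries are flagged (0 if none).
count_credential_leaks() {
    grep -cE -e "$RE_MYSQL" -e "$RE_LONG" -e "$RE_ENV" -e "$RE_SSHPASS" -e "$RE_CURL" "$1" || true
}

# redact_line COMMAND: print the command with the secret replaced by asterisks,
# the form you would write back when scrubbing a history file.
redact_line() {
    printf '%s\n' "$1" | sed -E \
        -e 's/(mysql[a-z]*[^|;]*[[:space:]]-p)[^[:space:]]+/\1********/' \
        -e 's/(--password=)[^[:space:]]+/\1********/' \
        -e 's/((MYSQL_PWD|PGPASSWORD|AWS_SECRET_ACCESS_KEY)=)[^[:space:]]+/\1********/' \
        -e 's/(sshpass[[:space:]]+-p[[:space:]]+)[^[:space:]]+/\1********/' \
        -e 's/(curl[^|;]*[[:space:]]-u[[:space:]]+[^[:space:]:]+:)[^[:space:]]+/\1********/'
}

# would_be_recorded COMMAND: bash with HISTCONTROL=ignorespace drops any line
# that begins with a space. Returns 0 if the line would still be saved.
# This only keeps the secret out of history; `ps` still shows it while it runs.
would_be_recorded() {
    case "$1" in
        ' '*) return 1 ;;
        *)    return 0 ;;
    esac
}

# Stand-alone demo: report each flagged entry and its redacted form.
printf 'Credential-bearing history entries (%s found):\n' "$(count_credential_leaks "$SAMPLE_HISTORY")"
list_credential_leaks "$SAMPLE_HISTORY" | while IFS= read -r entry; do
    printf '  %s\n' "$entry"
    printf '  -> %s\n' "$(redact_line "${entry#*:}")"
done
```

Run against a real `~/.bash_history` by pointing `list_credential_leaks` at it; the count function is the shape you would drop into a login-time check or a pre-commit hook for dotfiles. The pattern list is deliberately conservative (it ignores `find -print`, and the interactive `mysql -p` that prompts for the password), so treat a zero count as "nothing matched these heuristics", not as proof the file is clean.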


The original Vanity Fair article tries very hard to paint a picture of a stereotypical overly naive techy.

Little carefully inserted details such as the pain-in-the-back side of having to mow the lawn, all these details should be creating a picture of a life-unsavvy coding recluse in the reader's mind. The reader is supposed to chuckle "how naive, anyone who is on $270K can just hire a gardener to take care of the lawn!"

I have personal knowledge of programmers taking the code with them when leaving employment for no particular reason except for "in case I might need it as a reference" and then never ever looking at it again. In my mind it's very much akin to hoarding.

I have very little doubt that the code would be unusable outside of GC infrastructure.

What does seem unusually harsh is the punishment for the crime when no damage was ever done to the victim; to me this is an attribute of a show-case trial.


Linkbait title to blogspam for a vanity fair article, contains copypaste snippets from the original.


I think there is probably still a little bit to be said for curation in this world. The original article was quite long (and a great read and I recommend it) and there were nuggets in it I found interesting.

I actually did try to submit the original article myself earlier today, and noticed that it had already been submitted several days ago. So at least I did upvote that.


Garry, yes curation is important, in fact, that's why HN exists, to curate and comment primary sources.

If the article has already been submitted then why try to resubmit it after copying and pasting the content into another URL?

The best way to do this on HN is to take the stance of the opposition and write an inflammatory headline, "I support (unpopular position) X, because (popular position) Y is considered harmful"


I didn't submit this particular item, nor did I upvote it. I wrote it on my personal blog because I thought it was interesting.

Also that sort of title is editorializing, and that's not encouraged.


My apologies garry, I didn't look at the OP. Personal blogs are personal. ;-)

I completely misunderstood your initial comment.


are you really trying to give hints on how to use HN to a YC partner?



I was disappointed in that previous discussion. Take away the off-topic stuff and it seemed like most reactions varied from "Good, throw the book at him" to "God that guy was dumb".

If Lewis' portrayal is accurate, then Aleynikov is pretty clearly an otherworldly technical type. That doesn't mean he should be exempt from laws, but it's not irrelevant either. For one thing, to anyone who knows the type, it says something about intent: his intent was likely not to exploit someone else's secrets, but to work on interesting things. A programmer like that wouldn't download code because it contained secrets; he'd download it because it contained library routines that he didn't want to have to rewrite someday. Why would he steal secrets? Anything important, he could just derive later. He probably thought that Goldman's technical designs were all wrong and would make a point of not copying them anyway.

There are countless stories of otherworldly technical types, including many heroes to people here, running afoul of laws or regulations and having to be rescued by the more worldly members of their scientific/technical community. I expected this technical community to recognize that pattern in Aleynikov and react with some empathy, because we all know someone like that or have a little of the type in ourselves. Instead we got a bit of a Colonel Blimp chorus. I hope that was just sample bias.

I wish we could see that source code. After reading Lewis' article, I would be shocked if it contained anything of nontrivial value to Goldman.


According to the indictment the source code included Goldman's proprietary stock option pricing algos.


But the Vanity article explicitly states that the "Jury" asked him whether he took the strats (the trading strategies) and he said "No."; the response from the "Jury" was telling, they said "Why not take the valuable stuff?"


Pricing algorithms are different from trading strategies (although they're obviously related). In any case that's purely a matter of evidence, he either copied a piece of code or he didn't.


But breach of contract and copyright are civil issues, not criminal (modulo the insane copyright criminality laws of late). Besides, no damages have ever been postulated, let alone proved.


Trade secret violations can be prosecuted under criminal law, any company can request a criminal investigation in such a case. In the last decade there have been around 100 criminal convictions for theft of trade secrets.


Was that mentioned in the article? If it was, I missed it.

If he did copy such algorithms with the intention to use them at the new job, that would contradict both my comment and Lewis' portrayal.


But playing the autistic spectrum (otherworldly technical types) card is an obvious legal ploy to try and mitigate the offense.

And you are only hearing Aleynikov's side of the story; obviously he and his lawyers are going to portray him as doing nothing wrong.


Only his side of the story? Rather the opposite. As far as I know his side has been told just this once.

I don't care about the "autistic spectrum", but I know this type of programmer, and if Lewis' portrayal is accurate (note the if, here and in what I said above), then this really is a mitigating factor. As a "legal ploy", it's far from obvious. Do you think Fabulous Fab could have used it?


Since when is a crime measured in megabytes?


The degree of harm caused is often a factor in measuring a crime, especially when it comes to sentencing. As Garry points out, 8 years for this is crazy.


Stuxnet is apparently half a megabyte.


Do you think it's plausible that 8 MB of source code, consisting of modified open-source libraries, represented a theft of critical Goldman Sachs secrets?


Without knowing how much of that 8MB was proprietary and what the nature of the proprietary code is it's impossible to say. It could be massive overkill, it could be lenient.


Yes.

One 'trade secret' I worked on was about 30 lines of code, in C#. I later turned it into about 100 bytes of x86...

Some of the trade secrets in quant models can just be the weights.


Yes. Absolutely. 8MB is a hell of a lot of code.


Well it is 1 year per megabyte... seems perfectly fair to me!


Now, that'll teach people to be concise!


Size != Functionality


Your Honor, while my client did indeed steal billions of dollars from the defendant's bank account, the balance of the account was represented as a 64-bit value. That makes this a crime of only 0.0625KB; I suggest a slap on the wrist


I'm reposting one of the comments from the blog here for a bit more exposure. I think this gives a good alternative viewpoint on the case:

"I worked literally side by side with Serge while at Goldman Sachs, so I have substantial perspective on this. Let's be clear -- Goldman Sachs did not pursue him, the relevant district attorney of NY did. Goldman's job is not to prosecute, it is to provide the facts of the case to the judicial system, which decides whether to go after him or not. We can argue about whether the punishment was excessive but let's stop blaming a firm that is a private company which has no ability to prosecute. And I can tell you that what Serge did was incredibly against the terms of his employment agreement. The open source aspect is overblown, obviously if it were freely available and not substantially different he would have no need to upload it days before he left. The fact of the industry is people steal code all the time, he just happened to be one of the unfortunate programmers to be caught and made an example of. But it certainly doesn't mean he's a victim here. When a company is paying you 500k+ a year to write code on its time, the understanding is that they have the say as to what happens to it, not you. You can't just say, I don't think this is that materially different so I'm going to send it to myself before I work for a competitor."


This guy has made two mistakes: 1. He used OS code without consulting first with the legal department of the company. 2. Transferred the source code outside the corporate network without consulting first with the legal department. His boss may be not competent in this field, but the legal department must be and, I believe, they already have a policy for OS solutions. This developer made a measurable damage to the company, which should now take some efforts to clean up the OS code or face the possibility of being required to release its own code under an OS license. I clearly see this as a good reason to sue him.

The main problem with this situation is educational: "brilliant scientists" and "smart developers" (especially from ex-USSR countries) are not paying enough attention to the legal issues related to their jobs. They do not try to secure their rights and do not consider the possibility that they violate the other's rights by their technical actions. It would be great if CS courses in universities included a short talk about what's good and what's bad in the legal field. For now, the more attention is paid to such cases, the better for everyone.


There are many good reasons to sue him... but, in theory, in the US you can't send someone to jail for a simple breach of contract or violation of corporate policies about OS, or even breach of an NDA or non-compete (neither of which he had).


So then you support making an example of this guy, because others don't pay enough attention to the law? Am I reading that right?


No, you are not reading it right. There's no "because" in my comment.


Seriously, this part (if true) doesn't really help him.

"He pulled up his browser and typed into it the words: Free Subversion Repository. Up popped a list of places that stored code, for free, and in a convenient fashion. He clicked the first link on the list. The entire process took about eight seconds."

Pushing "proprietary" code to a repo without knowing that it is a) secure and b) allowed feels like a great way to not follow an NDA.


From the comments: "Why are you putting him in jail? Again, Goldman has no ability to put people in jail. Only the justice system does. Why this kind of narrative continues to be OK with people, I have no idea."

This justice system didn't decide out of the blue to go after Aleynikov one day. G.S. asked them to do it. I suppose if you work for G.S. you need to be very good at rationalizing things in order to sleep at night.

If I worked for G.S. I would probably tell myself: "G.S. doesn't cause the starvation of millions of people, we just speculate on food commodities." (Google "goldman sach starvation")


From the indictment the source code contained "the trading algorithms that determined the value of stock options" and was "hundreds of thousands of lines of source code".

Source: http://online.wsj.com/public/resources/documents/021110aleyn...


After reading the whole VF article I come to two conclusions.

1. If you work for a company which (as I'm sure GS does) has a policy forbidding you from uploading company data to the public cloud, don't violate that policy. Especially if it's source code you wrote while working there. (The open source argument is a red herring. It doesn't matter.) And super especially if you're about to leave for a competitor.

2. If you work in an industry and for a company that is being scrutinized by the Feds and is heavily regulated, really REALLY don't violate policies like this arbitrarily and on your own, because you might go to jail.

Is it "fair" what happened to him? No. But lots of unfair things happen. He paved the way with his thoughtless actions.


Was he tried by a jury of software engineers?


The notion that one be tried by a jury of one's peers is practically meaningless for any 'crime' involving scientific knowledge or any specialized competence.


If you read the original Vanity Fair piece, Lewis assembles a true 'jury' of his peers - that's the best part of the piece.


The problem with that is you tend to start narrowing down the views and opinions in that group.

People who work in IT tend to be smarter, richer, more inclined to be left leaning in their politics and so on. They have expertise to understand the problem but they don't necessarily represent the views of the country which is what a jury is meant to do.


Goldman is above the law...



