I read Michael Lewis's article in Vanity Fair about this case back in 2013, and I remember being struck by this excerpt in particular:
[Goldman] called the F.B.I. in haste, just two days before, and then put their agent through what amounted to a crash course on high-frequency trading and computer programming. McSwain later conceded that he didn’t seek out independent expert advice to study the code Serge Aleynikov had taken. (“I relied on statements from Goldman employees.”) He himself had no idea of the value of the stolen code (“Representatives of Goldman told me it was worth a lot of money”) or if any of it was actually all that special (he based his belief that the code contained trade secrets on “representations made by members of Goldman Sachs”)...The F.B.I.’s investigation before the arrest consisted of trusting Goldman’s explanation of some extremely complicated stuff, and 48 hours after Goldman called the F.B.I., Serge was arrested.
That, as the complaint highlights, the FBI instinctively acted as Goldman's punitive arm rather than conducting an independent investigation into the facts of the case is disturbing, regardless of the merit of the allegations.
"Aleynikov’s last day at Goldman was June 5, 2009. At approximately 5:20 p.m., just before his going-away party, Aleynikov encrypted and uploaded to a server in Germany more than 500,000 lines of source code for Goldman’s HFT system, including code for a substantial part of the infrastructure, and some of the algorithms and market data connectivity programs." [Page 5].
"Aleynikov also transferred some open source software licensed for use by the public that was mixed in with Goldman's proprietary code. However, a substantially greater number of the uploaded files contained proprietary code than had open source software." [Page 5, Footnote 1].
He was convicted for violating the NSPA (National Stolen Property Act) and the EEA (Economic Espionage Act). The conviction for the former was vacated because the Second Circuit construed the NSPA not to extend to intangible property. [Page 18-19]. And the EEA conviction was vacated because the statute requires the product to be "produced for" or "placed in" interstate commerce, while Goldman never intended to sell or license the software. [Page 27].
The Court concluded that he had in fact tried to take 500,000 lines of valuable and mostly proprietary source code, but that his conduct didn't fall within the reach of the two laws charged in the indictment. Solid legal analysis, but an ordinary person would say that he got off on a technicality. Which is fine--if you can lawyer your way out of a conviction, you deserve to.
But help me understand what the FBI did wrong, or Goldman for that matter. The legal questions that were resolved in Aleynikov's favor were subtle ones. How would additional investigation on the part of the FBI have helped? And what exactly did Goldman do wrong in reporting him?
I think the most troubling part was that a huge, powerful company can get a government agency on the phone and have someone locked up based pretty much exclusively on them saying "You won't understand why, but he did really bad stuff. Trust us."
Most arrests are X telling government that you did Y, which the government didn't directly see.
You don't have to understand the source code to know it is a trade secret with enough certainty for probable cause. Goldman could be lying, but so could the shop owner who claims you drove off without paying for your gasoline.
If someone walked out of Intel with the design docs and recipe for the latest intel chipset, would you expect the FBI to understand it all before arresting the person?
The FBI has technical specialists on staff that could very quickly say, "Yes, this complaint checks out." The problem here is that the agent apparently just took Goldman at their word, and didn't conduct an independent investigation of Goldman's claims, which is kind of their entire job. This is especially relevant because the value of stolen property can seriously affect charging and sentencing.
If you or I called the FBI and said "An employee stole proprietary code worth millions," there's no way the FBI would take that at face value, if you could even get their attention.
When the Federal government treats powerful corporations differently, to the point of effectively outsourcing its investigation, that severely undermines the principle of equality before the law.
They confirmed that the guy took a ton of source code right? Taking Goldman at their word that it was their IP isn't a huge stretch.
Taking the time to confirm that the code itself is a trade secret is a monumental task, one that isn't needed to determine if there was probable cause.
His argument was that most of it was open source, or modified open source with licenses that required contributing back the source code. Basically, it sounds like he grabbed his stuff because he wanted to get his utility functions and open source modifications.
“Did you take the strats?” asked one (meaning Goldman’s trading strategies).
“No,” said Serge. That was one thing the prosecutors hadn’t accused him of.
“But that’s the secret sauce, if there is one,” said the juror. “If you’re going to take something, take the strats.”
“I wasn’t interested in the strats,” said Serge.
“But that’s like stealing the jewelry box without the jewels,” said another juror.
“You had super-user status!” said the first. “You could easily have taken the strats. Why didn’t you?”
“To me, the technology really is not interesting,” said Serge.
“You weren’t interested in how they made hundreds of millions of dollars?” asked someone else.
“Not really,” said Serge. “It’s all one big gamble, one way or another.”
So if the essence of the crime is theft of a trade secret, then you absolutely have to conduct an independent investigation that a trade secret was involved, and that it was stolen to have probable cause.
The precedent here is a large corporation can use the government as an enforcement arm, and will be taken completely at face value. Simple allegations by individuals are subject to investigation prior to arrest, as should be all allegations.
This boiled down to Goldman calling the FBI, and less than forty-eight hours later arresting the person Goldman told them to arrest. They didn't interview any witnesses or consult with any experts other than Goldman employees.
> His argument was that most of it was open source, or modified open source with licenses that required contributing back the source code. Basically, it sounds like he grabbed his stuff because he wanted to get his utility functions and open source modifications.
That was his defense. But the jury found that he had in fact grabbed valuable proprietary software, and the Second Circuit agreed that the 500,000 lines that he uploaded were mostly proprietary, valuable code.
> So if the essence of the crime is theft of a trade secret, then you absolutely have to conduct an independent investigation that a trade secret was involved, and that it was stolen to have probable cause.
> The precedent here is a large corporation can use the government as an enforcement arm, and will be taken completely at face value. Simple allegations by individuals are subject to investigation prior to arrest, as should be all allegations.
Probable cause does not require a mini-trial before an arrest. Goldman didn't make "simple allegations." They backed up those allegations with evidence of Aleynikov having sent himself 500,000 lines of code, under suspicious circumstances (not just erasing his bash history, but doing so on his last day, doing so contrary to company policy, and doing so right before going to work at a competitor). The FBI didn't take any allegations at face value, and when Aleynikov was acquitted, it wasn't because the software he copied wasn't actually proprietary and valuable.
I'm confused, fnordfnordfnord; what is it you (and others in this thread) think you're arguing about?
You and rayiner and Aleynikov all agree that it's fine and reasonable that Aleynikov was pardoned. There's no argument to be had about that.
Aleynikov thinks that the FBI agents who arrested him did so improperly. rayiner is doubtful, and would like to hear if anyone can convince him.
Your arguments for why the FBI agents acted improperly amount to "yeah, but it turns out that ....". This arguments are not a good reason to not arrest someone. They're a good reason to find someone innocent after trying them.
Sometimes circumstances are such that an innocent person looks highly suspicious to reasonable people with a reasonable amount of evidence. In those cases, it's reasonable, though unfortunate, that law enforcement arrest and charge that innocent person. Isn't it?
As far as I can tell, rayiner is right.... we have no evidence that Aleynikov was arrested improperly.
I say, ssh, gzip, and svn are pretty normal tools that programmers use frequently. So are hosted servers in foreign countries.
rayiner says that deleting .bash_history is sketchy, I say it's a reasonable, nay a responsible thing to do if failing to do so would leave sensitive information (such as a password) available for others to peruse.
>This arguments are not a good reason to not arrest someone. They're a good reason to find someone innocent after trying them.
IMO if the government is going to arrest a person, attempt to hold them without bond, settle for mere $700,000 bond, (arguably depriving the person of counsel); then the government's burden of "probable cause" ought to be a bit more substantial than "some bros down at Goldman Sachs said...", and this guy uses "subversion" software. We can't have the police running around arresting everyone who might have possibly committed a crime. There needs to be actual, you know, probable cause.
>Sometimes circumstances are such that an innocent person looks highly suspicious to reasonable people with a reasonable amount of evidence. In those cases, it's reasonable, though unfortunate, that law enforcement arrest and charge that innocent person. Isn't it?
What do you make of the fact that:
>>"In the New York state case, a judge ruled the 2009 arrest was illegal. He threw out seized physical evidence, including computer hardware carrying the source code."
and
>>"New York State Supreme Court Justice Ronald Zweibel also barred prosecutors from using statements Aleynikov made to the FBI after his arrest at Newark Liberty International Airport."
Are these judges unreasonable? Sure, mistakes happen, everyone deserves a Mulligan once in a while. That's not what we have here though. The FBI had plenty of opportunities to check their work, which was shabby. Instead of doing that, they forged ahead doing the bidding of Goldman Sachs, uncritically. And, now that the federal case has failed, GS has their hand up the back of a Manhattan DA. We can quibble about these little details more if you want but this whole affair has got a stench about it.
>As far as I can tell, rayiner is right.... we have no evidence that Aleynikov was arrested improperly.
No evidence? What's Zweibel's problem then?:
>In a 71-page opinion, Justice Ronald A. Zweibel of State Supreme Court in Manhattan ruled that the F.B.I. “did not have probable cause to arrest defendant, let alone search him or his home.” The arrest was “illegal,” Justice Zweibel wrote, and Mr. Aleynikov’s “Fourth Amendment rights were violated as a result of a mistake of law.”
I have a passing understanding of the policies and procedures binding on developers at trading firms.
I dispute the idea that any senior developer could work at Goldman Sachs on an HFT infrastructure and believe that they were authorized to --- or, indeed, that they would not be immeditely fired for --- uploading the code to a proprietary automated trading system to a random SVN host in a different country. This is the code we, as security testers, were never allowed to see, even after owning up the machines hosting it. These firms are not kidding around about this stuff. It is a huge smoking gun to have uploaded any of it to some off-brand foreign svn host.
These are firms where you can be fired for plugging a thumb drive into your computer, or for using the company network to access Dropbox. I have worked for more than one financial firm that spent literally millions of dollars merely on the problem of detecting their network users trying to reach Google Mail.
I also dispute the idea that because developers commonly use ssh, gzip, and svn, that it is common practice to (1) gzip a tarball of source code, (2) encrypt that source code, (3) commit that compressed encrypted blob to svn, (4) remove all traces of the encryption key from their work computer. That's something happens zero times on normal dev machines.
The conviction was overturned because the technical details of exactly what Aleynikov took from GS didn't fit the ambitious charge the DOJ filed against him. But the appeal doesn't refute the finding of facts from the original trial, which include:
There was more than sufficient evidence presented at trial, however, for a rational juror to conclude that Aleynikov intended to steal Goldman Sachs' proprietary source code. First, it was undisputed at trial that Aleynikov actually did take proprietary source code from Goldman Sachs. As Aleynikov concedes in his motion papers, the code he took from Goldman Sachs included a “purposefully designed” portion of the Goldman Sachs “proprietary, custom-built trading system.” Indeed, the evidence showed that Aleynikov took a significant percentage of the proprietary source code for that system. While Aleynikov attempted to show that there was open source code embedded within the proprietary code and to identify the files in which that might be true, his expert witness was only able to identify one file among those taken by Aleynikov that both bore a Goldman Sachs copyright banner and appeared to contain open source code.
I'm just fine with Aleynikov's conviction being overturned. Again, the charges against him seemed ambitious.
But this is a forum full of software developers. Rayiner is a lawyer and a compiler developer. It's somewhat insulting to everyone's intelligence to pretend that people here are unfamiliar with ssh and svn. We understand how software development works. What happened here was extremely sketchy. You can't play the "well in the world of software development, this is totally normal" card on HN.
I'm just fine with Aleynikov's conviction being overturned. Again, the charges against him seemed ambitious.
"Ambitious" is a bit charitable, in this context.
"Patently vacuous" -- to an extent that suggested, at the very least, a breakdown in the internal controls and safeguards (on the part of both the FBI and the prosecutor's office) designed to present precisely this kind of a fiasco from happening -- might be a better description.
You are being ridiculous. Aleynikov definitely violated New York trade secret law. He got off the federal charge because the trading software wasn't a product for sale, it was a product for internal use. The law was poorly drafted and once that came to light it was immediately fixed.
Like Rayiner said, in layman's terms, he got off on a technicality.
The FBI and DOJ being on the wrong side of a close call in statutory interpretation isn't "patently vacuous."
Aleynikov definitely violated New York trade secret law.
That's not what the court found. Otherwise the charges wouldn't have been dropped.
It sounds like you're conflating the issue of whether he violated the "spirit" of the law (or whether he was, in your view, just plain morally culpable somehow) -- versus what the law actually had to say about his actions.
Like Rayiner said, in layman's terms, he got off on a technicality.
If you want to minimize any sense of exoneration or vindication the accused might want to derive from the court's decision, by saying he "got off on a technicality", that's fine.
But to claim that he "definitely violated" the law when the courts found that he definitely did not -- I'm just not sure I see the point in that.
>I have a passing understanding of the policies and procedures binding on developers at trading firms.
I've never set foot in one, but one thing I have learned watching this incident and others is that some of theses firms have varying degrees of carelessness and cluelessness within their businesses; especially with respect to IT (Knight Capital comes to mind). In that respect, they are like any other company, some careful and fastidious, some, flying on a wing and a prayer.
>This is the code we, as security testers, were never allowed to see, even after owning up the machines hosting it. These firms are not kidding around about this stuff.
I may often disagree with some of your opinions here, but I can't say that I have the impression that you're not competent within your profession or that you lack integrity. It occurs to me that the firms that would hire your firm to audit them as opposed to some lesser outfit, are the same firms that run a pretty tight ship in their own businesses. Has it occurred to you that not all trading firms or even divisions within the same company are cut from the same cloth?
>These are firms where you can be fired for plugging a thumb drive into your computer
Yeah, I've seen some companies with ridiculously conservative IT policies. I can see it being applied at a bank or a trading firm. The policies are often meaningless though, when the policies basically state that you can be fired for doing anything, but in reality that doesn't happen. I've worked at one of those companies where a too-large portion of engineering's time was spent circumventing IT systems, activities for which one could've been fired. Those companies always have plenty of ways to fire people.
>I also dispute the idea that because developers commonly use ssh, gzip, and svn, that it is common practice to
I remember about ten years ago working with an engineer whose idea of a source code revision control system was to zip up and password protect source code archives. It may not be common, and Aleynikov wasn't doing it for the same reasons, but by itself, it isn't proof of anything nefarious.
>There was more than sufficient evidence presented at trial, however, for a rational juror to
Interestingly, none of the jurors were employed in tech, and none had a college degree. Not that it would always be necessary, but it is worth considering the possibility that none of them understood what they were being told. It's hard for me to agree that situation was rational unless those were some exceptional high school graduates.
>But this is a forum full of software developers. Rayiner is a lawyer and a compiler developer. It's somewhat insulting to everyone's intelligence to pretend that people here are unfamiliar with ssh and svn.
If you or Rayiner don't like my tone, I'll tell you that I think it is a bit of an embarrassment to have to point some of these things out here. Maybe Rayiner will have enough respect in the future not to parrot statements from the FBI's and the prosecutor's press releases. We've all been spectators here of a number of high profile prosecutions of software developers, and if there is anything to be learned from those experiences, it is that prosecutors and FBI agents will characterize the suspect/defendant in the most damning light possible. Anything that one of them says has to be taken with a grain of salt.
>We understand how software development works. What happened here was extremely sketchy.
Probably so, but not necessarily so, and not on the basis of some of the things ITT.
>You can't play the "well in the world of software development, this is totally normal" card on HN.
It is laughable. I'm probably one of the least qualified people to lecture to this audience, but here it is.
Pretty sure my local git repository contains thousands of lines of valuable proprietary code (granted on a hardened dedicated work laptop), mixed with open source libraries etc.
And I also delete my bash history all the time if I do something stupid like manually enter a password into the command line.
One thing to keep in mind is that Aleynikov is clearly one of those rare types for whom the technology is an end in itself rather than a means toward anything. That leads to a type of naiveté about following IT security policies. I don't know quite what the proper name is for this disposition, but we've all encountered them.
>I also dispute the idea that because developers commonly use ssh, gzip, and svn, that it is common practice to (1) gzip a tarball of source code, (2) encrypt that source code, (3) commit that compressed encrypted blob to svn, (4) remove all traces of the encryption key from their work computer. That's something happens zero times on normal dev machines.
Agreed, but it was established that he did this fairly consistently throughout the course of his employment. It's idiosyncratic, but not unexplainable. Sure, it was poor development practice, but I'm not convinced it was malicious.
Again, if the intent was trade secret theft, why not take the valuable part, the trading strategies?
The court found that he took large amounts of "the valuable part". He did more to cover his tracks than delete his bash history --- which my comment didn't mention. I feel like you're repeating talking points rather than addressing what I wrote.
With regard to the "valuable part," financial experts will tell you that lives in the trading strategies, which he didn't take. You must admit that's very odd behavior for a malicious thief.
You keep trying to shift the focus to the trial, when what disturbs me and so many others is not the trial or its findings.
Whether or not he actually stole the code is immaterial to whether the FBI did a proper investigation prior to arrest, or whether Goldman Sachs received special treatment because of their size, wealth, and power.
Agreed, and as do I. Perhaps our tone has gotten too rancorous.
Civil people can disagree without being disagreeable, and I know from your comments around the site that you're a civil person, so if my tone has been less than appropriate I apologize.
As for the conversation itself, as you said, it stands as is, and we can let the other readers judge the facts for themselves.
My concern is that the investigation of the incident relied solely upon the word of Goldman Sachs. An agent essentially parroted back what Goldman employees told him, putting it in the form of a criminal complaint, and without further investigation, had him arrested.
My challenge to the validity of the arrest is that there was no independent investigation performed prior. This wasn't just contempt prior to investigation, it was arrest prior to investigation.
Now, I will acknowledge that probable cause is a very low standard, and it is likely that there isn't a legal course of action here.
People keep explaining how that isn't true, and that there was much more than GS's word backing the charges up, so much so that Aleynikov had to rely on a technicality to evade a conviction, one that was closed immediately after he used it:
We're arguing past one another. I am discussing the investigation and arrest, not the subsequent trial or any evidence brought to light therein.
If you read the complaint, the trial transcript, or even the top post here, it's abundantly clear the so-called investigation relied solely upon the word of Goldman Sachs's employees. The FBI agent even admitted that he did not understand the nature of the crime at the time he filed the complaint.
>"McSwain later conceded that he didn’t seek out independent expert advice to study the code Serge Aleynikov had taken. (“I relied on statements from Goldman employees.”) He himself had no idea of the value of the stolen code (“Representatives of Goldman told me it was worth a lot of money”) or if any of it was actually all that special (he based his belief that the code contained trade secrets on “representations made by members of Goldman Sachs”)...The F.B.I.’s investigation before the arrest consisted of trusting Goldman’s explanation of some extremely complicated stuff, and 48 hours after Goldman called the F.B.I., Serge was arrested."
Your argument amounts to: "Sure, but the guy was guilty and only got off on a technicality, so who cares."
People keep explaining the dire problems with this viewpoint, and I don't know why it needs to be continually repeated.
If someone steals a million dollar painting from a private gallery, you think the police should need a statement from a 3rd party art historian in order to make an arrest?
If someone steals a donut from a donut shop, do you think the police need a statement from a third party donut vendor to make an arrest?
Silly analogies lead to silly conclusions, because they inherently obscure essential facts in the comparison.
This wasn't a piece of tangible property, which the agent could understand. This was an immensely complicated issue to a lay person who admitted that he didn't really understand what had been stolen or how much it was worth.
He just listened to Goldman Sachs say trust us and made an arrest within 48 hours.
If you don't understand why its disturbing that the FBI blindly did the bidding of one of the most powerful corporations on Earth, there's simply no point in continuing to debate the issue.
Unlike donuts, art is incredibly difficult to value, so much so that there's a whole profession dedicated to that problem. Must the FBI engage one of those professionals before deciding to arrest someone who steals a painting?
Before deciding the value of the theft to attach to the charge? Certainly. That would be one reason the FBI employs art specialists as well. Absent a fleeing felon, I would definitely expect the FBI to consult with an art specialist.
You're moving the goalposts. First, Aleynikov is "arrested" on GS's say-so. Now he's being prosecuted on their say-so. By the time Aleynikov is arraigned, expertise has been engaged. What makes this an especially pointless debate is that the trial uncovers that he did in fact take valuable source code!
"Arrested and charged", without independent and investigation, on Goldman Sachs say-so has been consistently my point all along. Nobody moved the goalposts. You just got farther from them.
If someone steals a million dollar painting from a private gallery,
Except that you're starting with a false premise: the offenses for which Aleynikov was initially charged -- theft of trade secrets, and transportation of stolen property in interstate commerce -- were in no way as clear cut as simply "taking a painting from a private gallery." As you are no doubt aware, from your detailed knowledge of the case.
you think the police should need a statement from a 3rd party art historian in order to make an arrest?
What the FBI (and the prosecution team) have primarily been faulted for has been their (by now obvious, if not admitted) failure to understand the basic nature of the charges against the accused -- to the extent that they missed the fact that his conduct would not even have constituted an offense against either statute.
In addition, yes, there's the matter of how much the "stolen" (or rather, copied) bits were actually "worth" (or whether they could, in fact, "be used to manipulate markets in unfair ways", per GS's initial complaint.) Should the FBI have waited to consult an outside authority to make an independent assessment of these claims before making an arrest? That I cannot say.
But that both the premier criminal investigative arm of the richest country in the world -- and the highest-profile prosecution office tasked with keeping us safe from white collar crime, in that same country -- should have known that the "value" of copied source code just might be a teensy, weensy bit trickier and more nuanced to assess than that of say, an Edvard Munch painting pilfered from a major gallery in broad daylight? Or that they should have like, you know, read the actual text of the statutes he was being prosecuted under before filing actual charges against him (and throwing him in the klink for a year as a protective measure)? We should hope so.
out of curiosity, because you and others keep repeating it as if it inherently means something obviously sinister, how did they count the 500K lines of code from a vcs repository? is it actually 500K distinct lines of code? is it a number significantly smaller that was ballooned for dramatic effect because it appears in multiple revisions/branches/tags, etc.?
Law enforcement SOP requires an independent investigation. That was not performed. The trial is a separate issue, and has its own package of issues.
I'm far more concerned with the FBI acting almost as an extension of Goldman, effectively abrogating their responsibility to investigate prior to arrest to a large private corporation.
No open source licenses require that. An early version of the Emacs license did require that (I think TECO Emacs and not GNU Emacs), and there may be other licenses, but both the Debian Free Software Guidelines and the Open Source Definition based on them are careful not to require that people contribute modifications they’ve made privately. The reasons for this are discussed in the DFSG FAQ: https://people.debian.org/~bap/dfsg-faq.html#dissident
>> Taking the time to confirm that the code itself is a trade secret is a monumental task, one that isn't needed to determine if there was probable cause.
And yet the finding here is there was no probable cause.
"Goldman could be lying, but so could the shop owner who claims you drove off without paying for your gasoline."
Indeed, but the difference is that the FBI (or police) will arrest whomever Goldman tells them to while completely ignoring the shopkeeper's complaints, possibly even going as far as to tell them not to waste their time.
I had a police officer knock on my door one the evening looking for a previous occupant of my house who apparently drove off without paying for gasoline.
Well, I think that's sarcasm but I'm not sure. The fact is, yes, they did send an officer to my house within hours so it seems they did take the shopkeepers word and considered it some sort of priority. Perhaps they looked at the video showing a license plate, but I doubt that they looked over the payment records to verify that the person did in fact not pay.
> Then [the FBI agent] explained what he knew, or thought he knew: in April 2009, Serge had accepted a job at a new high-frequency-trading shop called Teza Technologies, but had remained at Goldman for the next six weeks, until June 5, during which time he sent himself, through a so-called “subversion repository,” 32 megabytes of source code from Goldman’s high-frequency stock-trading system.
Lewis weaves a lot of editorializing and red-herrings into the account, but here's the punchline:
> All of which was true, as far as it went...
Nobody disputes that at the time Aleynikov was arrested, the FBI had evidence that he had sent himself a bunch of source code and covered his tracks. And at trial, the prosecution proved that he had in fact done that.
Realistically (loopholes aside) - all of the code not under GPL would be theft no? (Goldman replacing the copyrights on other open-source stuff with their own is probably illegal (as long as the license stipulates that the original copyright notice must remain), but their modifications are still proprietary.
He of course could have had proprietary source code in his repositories for work in the first place - but bundling and uploading everything does look highly suspicious - and he should have known better.
[Goldman] called the F.B.I. in haste, just two days before, and then put their agent through what amounted to a crash course on high-frequency trading and computer programming. McSwain later conceded that he didn’t seek out independent expert advice to study the code Serge Aleynikov had taken.
I'm not one of the people who would ever equate copying code to theft, regardless of intent. But Aleynikov admitted that he expected GS to be upset about it, mostly due to their cultural attitudes about IP (ie: everything is theirs). Note that he didn't "bundling and uploading everything" he specifically avoided uploading the trading strategies code.
On the one hand, people seem to be giving GS a pass for stripping the copyright notices from GPL'd code they used, but taking them at their word and treating it as high treason when Aleynikov makes a copy of the modified GPL code for himself.
>> "McSwain later conceded that he didn’t seek out independent expert advice to study the code Serge Aleynikov had taken."
>This is the very surprising part.
It's just the lazy careless work of a modern day Pinkerton man.
> Goldman replacing the copyrights on other open-source stuff with their own is probably illegal (as long as the license stipulates that the original copyright notice must remain)
It's only illegal if Goldman distributed it, which they didn't. It's perfectly okay to modify GPL'ed code for internal purposes without open-sourcing the changes.
>It's only illegal if Goldman distributed it, which they didn't. It's perfectly okay to modify GPL'ed code for internal purposes without open-sourcing the changes.
I'm not a lawyer but as far as I understand they were stripping the copyright notice, which is explicitly forbidden by the licenses. i.e. the MIT license:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
> The stripping clause only comes into place when you distribute the code, just as the GPL's copy-left requirement only comes into play when you distribute the code.
I absolutely wish this was the case: copying internally within an organization such as a school, a church, or a business should be legal for any purposes regardless of the license something comes with... However, I'd not be very certain of support of companies like Microsoft which would argue that their copyright licenses dictate usage within the organization and not just on distribution. And no, for these purposes there is no difference between Microsoft EULA and MIT license.
I'd imagine you can argue that you can argue that you are in compliance if you distributed a git (or hg etc) repository with an older version that does include the copyright notice though.
My point is just that at what point does distribution begin? The entertainment industry wants us to believe that if I buy a CD, I am violating copyright by the audio CD to an iPod (doubly so if to a friend's iPod).
The stripping clause only comes into place when you distribute the code, just as the GPL's copy-left requirement only comes into play when you distribute the code.
> The stripping clause only comes into place when you distribute the code, just as the GPL's copy-left requirement only comes into play when you distribute the code.
No, it doesn't. The stripping clause is a license condition with no limitation to distribution -- it expressly applies to all copies. Anything you need a license to do -- which is, anything that involves any of the exclusive rights tied to copyright (of which, the most prominent is copying, regardless of distribution) must follow it, barring an exception in the license or a some other provision of law that limits the applicability of the exclusive rights in copyright.
As well as the stripping clause of the MIT license, this is also true with regard to GPLv2 provisions related to copyright notices, which are required for both modification of GPL-licensed code and copying and distribution of GPL-licensed code, though the GPLv3 only applies this to copies that are "conveyed" (compare Section 2 of the GPLv2 with the combination of Sections 2, 4, & 5 of the GPLv3.)
Fair enough. Why does the FSF FAQ say you don't need to distribute source if you modify the code for internal purposes. Is it an explicit provision of the license?
That part made me kind of angry -- "so-called" makes the writer sound like they know something we don't, like "subversion" is some cool trick that smart people know.
"so-called" here is a way of distinguishing the use of "subversion" as a name/description distinction (somewhat similar to a use/mention distinction, but not the right way of making that distinction, IMO, as correctly using "Subversion" as a proper noun would be better, though) as the common noun "subversion" has meaning, but the word "subversion" was not being used for that meaning, only as the name of a thing.
Would it have? On my last day at work at Google, before I am slated to start working in the Bing group at Microsoft, I mail myself a copy of the PageRank source code. Does it matter what VCS I use?
Technically no. In a court description or in a press article, both addressed to people who are not technical, the name of the VCS is important.
Consider the extreme case where the VCS was called "theft-assistance" for example.
How does "He copied the code from a theft-assistance repository" would sound to a jury that doesn't know what a VCS is and that theft-assistance is just a name?
If it was something generic and inoffensive, like Git, it would be OK, but "subversion" has a ...subversive undertone.
In a previous video posted on HN, a police officer explains how they would use a concession made by a honest humble person during an interview to boost their conviction rate: "Sure, I never like the guy. But I would never do anything malicious against anyone or even animals, especially not theft or murder which is totally against my conscience." would become big uppercase red letters on a videoprojector: "I NEVER LIKE THE GUY". Be sure you nail every emotional aspect to convince a jury.
Most people have no idea what VCS is. To a lay person, "a so called 'mercurial repository'" would sound far less sinister than "a so called 'subversion repository'". The reality is that the repo probably had little to do with subverting anything, and was just a convenient way to transfer code.
I'm referring to the fact that no matter how damning the evidence is on its own, it probably seems even more damning to a layperson who doesn't know the name "subversion" is a pun and not something subversive.
Except the code copied by Aleynikov wasn't anything like PageRank. It was like some Go library that fetches the pages, and one that was primarily open source code to begin with.
This was some initial (mis?)-information about the case, but at least according to the Second Circuit:
> In addition to proprietary source code, Aleynikov
also transferred some open source software licensed for use
by the public that was mixed in with Goldman’s proprietary
code. However, a substantially greater number of the
uploaded files contained proprietary code than had open
source software.
Were the files source code or were they some sort of transaction logs, generated records, and what have you? Or were they various forks/branches of mostly the same thing intended for testing? If you don't know then you can't assess their relative "value".
> have someone locked up based pretty much exclusively on them saying "You won't understand why, but he did really bad stuff. Trust us."
At best that might extend to his initial arrest but not to his subsequent imprisonment. That was the result of a criminal trial that showed he violated the EEA. Which was subsequently overturned on appeal, but only because of a "technicality" in the phrasing of the law which has subsequently been clarified to explicitly and unreservedly criminalize the actions that he took.
>But help me understand what the FBI did wrong, or Goldman for that matter.
What law Goldman reported violation of? What law FBI investigated violation of? While one can report some alleged violation of some law, the FBI is aware of laws, especially the laws the FBI is assigned to enforce. Bringing charges under obviously un-applicable here NSPA and EEA instead of whatever (if any) law may have been applicable here is a gross negligence, to say the least, on behalf of FBI. As a result, they wasted a lot of valuable (taxpayer) resources and ultimately let the criminal (if there was real crime committed) go free.
>The legal questions that were resolved in Aleynikov's favor were subtle ones.
are you kidding? How a subtle legal question(s) can be summarized in one paragraph on an Internet forum?
I would not say the EEA is "obviously un-applicable". As rayiner noted, it is a subtle matter of phrasing in the law.
When Congress updated the letter of the law they merely rephrased "included in a product that is produced for or placed in", which the court found to be not applicable to code not directly sold on the market, to "a product or service used in or intended for use in".[1]
I'm not sure how well that one paragraph in an Internet forum summarizes it, but that's literally the only change that Congress made to declare his actions illegal (should they happen again). And it was at the behest of the judge who overturned the conviction, who specifically noted a problem with the phrasing of the law while noting that he fully expected Congress meant to include these actions in the criminal code.
What Aleynikov did was clearly slap-on-the-wrist-worthy. It's not like he took code and sold it to the highest bidder for zillions of dollars. It didn't merit depleting his entire life's savings and (almost) sending him to jail for many years. This was clearly about more than merely the value of the code he took.
> The Court concluded that he had in fact tried to take 500,000 lines of valuable and mostly proprietary source code
I would dispute the value of the code. The code he took wasn't part of the "secret sauce". It didn't contain any of the logic for actually making High-speed trades.
I would dispute the value of the code. The code he took wasn't part of the "secret sauce". It didn't contain any of the logic for actually making High-speed trades.
On what basis, may we ask?
The only statements from the court that I'm aware of are those confirming that a significant amount of proprietary code (in comparison to the amount of OS code) was taken.
But not as to the "value" of the copied bits, or their potential to otherwise wreak havoc.
I can totally believe that account. The people at Goldman were probably totally sincere in their belief that he had "stolen" their magic sauce when talking to the FBI.
These are presumably the same kind of people that think anything that's source code is some kind stuff that lays magical golden goose eggs, regardless of how trivial it is -- or even if it's open-source.
IMHO there is a much bigger, broader problem with non-technical people in positions of influence (and even the general public!). It's this same kind of disconnect that leads to mountains of trivial patents being filed. (I can't even count how many times I've heard of an engineer being put in a situation where they're told they need to patent some of their work, regardless of whether the engineer(s) think it's worth doing.)
Given Goldman's actions, it seems to me that additional defendants in this case should be Goldman itself for misrepresenting what was actually taken, and any Goldman employees personally involved. Additionally, those employees involved should be charged criminally for making a false statement to a federal agent.
Wait, from where are we getting the presumption that GS misrepresented what was taken? There's a meme that Aleynikov copied mostly GPL'd code, but despite Techdirt-styling reporting to that effect, the opposite turns out to be true: the court, carefully considering the notion of open-source code, found that a large portion of what Aleynikov knowingly took was proprietary and secret; along with it, Aleynikov also took confidential internal GS documentation about the connectivity their order routing system had to exchanges.
I don't completely understand the problem here. Is the FBI really expected to put their investigation on hold while they first investigate the reporter? Like, if my $X vase is stolen and I say it's worth $X, I would hope the cops don't waste a lot of time getting the missing vase appraised in absentia before they try tracking it down.
Like, hopefully the FBI obeys the law and respects suspects' rights regardless of the particulars of Goldman's claim. If they're not doing that, that's a problem. But if somebody is lying to them, that's a felony they can pursue later, right?
To extend and correct your analogy, if you accuse your neighbor of stealing your vase, I would hope the cops spend some time investigating whether a) there was actually a vase to begin with and b) he actually took it, before they haul him off to prison.
Determining whether or not a crime has actually occurred is usually an essential part of a criminal investigation.
But based on the facts of the case, the analogy is more like: you accuse your neighbor of stealing your rare Chinese vase. Evidence shows that he did in fact take your vase. He's charged under a law for stealing historic artifacts. But after being convicted, an appellate court interprets the law not to apply because while your vase is rare, it's not "historic."
This is not a meaningful distinction in this case, as AFAIK it's about misappropriation of secrets rather than loss of property, so that isn't meant to be the same in the two presented scenarios.
Didn't the court rule that the secrets were not subject to protection under the law? It sounds an awful lot like the court ruled that no theft occurred, regardless of your definition.
The gist is: everyone agrees the conviction needs to be overturned by the letter of the law, and so it was, but that's because the law was silly, which is why it was immediately changed by unanimous consent in the Senate and a 388-4 vote in the House in a bill specifically mentioning Aleynikov.
The analogy omits the thorough criminal trial process that led to his imprisonment, suggesting it was all because the FBI didn't investigate properly.
In actuality he got out because an appeals court found a loophole in the phrasing of the Economic Espionage Act -- which was immediately closed by Congress at the behest of the judge. [1] It had nothing to do with the lack of investigative thoroughness on the part of the FBI.
> That, as the complaint highlights, the FBI instinctively acted as Goldman's punitive arm rather than conducting an independent investigation into the facts of the case is disturbing, to say the least.
needs, I think, to be taken with the following quote from your linked article:
> The Web site Serge had used (which has the word “subversion” in its name) as well as the location of its server (Germany) McSwain clearly found highly suspicious.
It looks like the FBI agent did "[conduct] an independent investigation into the facts"...it just wasn't a, shall we say, "good" investigation.
I had intended to write that concerns about the FBI acting as "Goldman's punitive arm" seem overblown, but as I was writing I think I changed my mind. While I initially thought liability would be a sufficient way of resolving this situation, the diffuse nature of responsibility here is going to make it really hard. On the other hand, I've seen instances where Michael Lewis himself has seemed to condemn the level of care in the application of government enforcement that seems to have been called for here.
How can we let FBI agents get away with arresting people for using Subversion? That's hardly an investigation into facts... more like an investigation into only the first definition of words, along with a lot of jumping to conclusions.
This is one of the main problems with LEA's as it stands today, namely the fact that while many have heard about the mass privatization of the prison system, many don't realize that effective privatization of LEA's is happening. To me this is especially dangerous because the LEO's increasingly will end up failing to protect people from companies but will almost always try to do the opposite, in blatant disregard for their purpose and oaths.
Also, much of the workers rights we have today are because of workers pushing back against such tactics. I feel like the people have forgotten how we got to the 8 hour day we are at, and when we forget history we tend to end up repeating it.
_Flash Boys_ is a terrible book. It's incoherent, very poorly ties the narrative about this case to HFT, gets a lot of trading details wrong, and makes an underdog story out of an attempt by a bunch of bigbank insiders to route bigbank brokerage trade through their new firm. If you're interested in the technical story behind HFT, a much better thing to read is that series of articles that's been running on HN for the last few months.
I'm a Michael Lewis fan --- I even liked _Next: The Future Just Happened_ --- but this book was so disappointing I've actually become disillusioned. What else was he wrong about that I wasn't clued in enough to notice? Do Greek people in reality try hard to pay their taxes? Was Chad Bradford a terrible deal for the A's? Was Marillion a terrible band?
Even more pedantic - It could be ironic if he came here in a deliberate attempt to avoid more information about this case. Or maybe he was trying to show a friend how people on HN are averse to pedantic grammar related comments. Or maybe he deliberately inserted a vocabulary error so he could expose the more nit picky among us so he could hunt them down and destroy there credibility.
While the article gives some background, here is a bit more from the wikipedia article about Sergey Aleynikov [1]:
>Sergey Aleynikov is a former Goldman Sachs computer programmer. In December 2010 he was wrongfully convicted of two counts of theft of trade secrets and sentenced to 97 months in prison. In February 2012 his conviction was overturned by the United States Court of Appeals for the Second Circuit that entered a judgement of acquittal, reversing the decision of the District court.
The main reason why he is suing the FBI is beacause:
>On June 20, 2014, upon reviewing the evidence, Justice Ronald Zweibel published a 71-page opinion in which the court ruled that F.B.I. “did not have probable cause to arrest defendant, let alone search him or his home.” The arrest was “illegal,” and Mr. Aleynikov’s “Fourth Amendment rights were violated as a result of a mistake of law.”[2] Besides finding that he was arrested illegally without probable cause, the court blocked the majority of evidence passed by the F.B.I. to prosecutors at the NY State DA's office, as that property was supposed to be returned to Mr. Aleynikov upon his acquittal.
While I agree it was egregious I think people may be missing the point. The FBI is getting a huge black eye here, Goldman is already losing out. This is how our system works.
Goldman over reached and through their efforts got this guy arrested. That they could do that, is a problem, but now everyone involved has been thoroughly spanked (with some bonus civil case spanking as well it seems). So the next time Goldman call's the FBI, they are going to be treated much more skeptically and the agents in charge are going to be unwilling to do anything based on Goldman's "word". Because the agents will remember this and they do not want to be the butt of interagency jokes, or up on civil liability.
In a meta sense I'm curious why you had to create a new account just to post this, although I know the position that the system we have in place actually does work [1] is unpopular.
The system is messy, it doesn't travel in a straight line from broken to fixed, and it takes a lot of time and energy to get right. Consider Prohibition for a moment, it was freaking unconstitutional to drink for a while there. Yes it was broken, yes it got fixed. Just like Marijuana use is getting fixed, slowly, inexorably, fixed.
Martin Luther King was jailed by a broken system, and slowly, over time, it has been getting fixed.
You cannot see a tree grow, but it does. And many people cannot see that our system of governing is working, but it does. As long as you take the long view, it will. Believe that you are a helpless pawn and all is lost, and it won't.
[1] Rights for same sex marriage anyone? Used strong encryption in email?
> In a meta sense I'm curious why you had to create a new account just to post this
Events led me to conclude that using the same account consistently was a bad idea from an employment standpoint. It has nothing to do with this. It is just what I do now. Hell, the password for this account should be easy to guess if you start with the letter a and work your way to the right.
> You cannot see a tree grow, but it does. And many people cannot see that our system of governing is working, but it does. As long as you take the long view, it will. Believe that you are a helpless pawn and all is lost, and it won't.
It is my belief that wealthy people can (usually) get away with passing whatever crap they want through Congress.
The only tool I have at my disposal is point out when this happens and hope people get outraged enough to do something. I'm confused why you view that with a belief that I'm helpless?
P.s. Given that I basically gave away the password, this is the last time I'll use the account.
> It is my belief that wealthy people can (usually)
> get away with passing whatever crap they want
> through Congress.
And you will get a lot of reinforcement of that belief from a variety of sources. That said, the belief doesn't preclude non-wealthy people from getting away with passing whatever crap they want, it just says "People who engage with Congress, (usually) get away with passing what ever crap they want."
If you are wondering how to "engage with Congress" the easy way is during election season but you can also visit them in Washington or at their office in your district. While some districts are quite gerrymandered by their nature the local office is often within driving distance. They also host fund raisers and that while there are some expensive ones, there are also cheap ones (like $25 or $50 a "plate") since every dollar counts in a war chest. You can meet their staff at these (often quite accessible) and if you're at all reasonable develop something of a "relationship" with your elected representative. And even if you dislike their point of view until the next go-round they are your representative.
If you talk with other donors at the event you may find other donors who share your point of view on a particular issue and with some persuasion you may be able to develop a coalition of donors who think like you do, bringing even more attention to your issues.
Politics is people, and it is always local. You don't need to be wealthy to get access, you just need to be reasonable.
> They also host fund raisers and that while there are some expensive ones, there are also cheap ones (like $25 or $50 a "plate") since every dollar counts in a war chest.
For a household making above the median, this might be viable.
You do have to admit people who have large families, single earner households due to disabled SO, etc. are going to have trouble justifying the expense of spending $200 a year "networking" in political circles.
Are you saying that you cannot represent the interests of those people? And I am not sure where you computed $200, one fund raiser is one fundraiser, no additional donation required.
If a homeless man says to you, "Mr. Loop, I am homeless and a veteran, and an alcoholic, and a deadbeat father, I deserve help from the government I fought for." You would tell him, "Well good luck with that." Or would you say, "I will see about getting your requirements heard."
The point is why is it "their" problem that they can't talk to the government effectively? Aren't they also citizens in this land?
I completely agree that for people who, for what ever reason, are unable to participate in the governance of the country, will be unable, by their very circumstance, to affect change. And you may very well be a member of that group. But if you are not, is there any reason that you couldn't be their voice if you chose to?
The way our system works is you get out what you put in. And there are people who are unable to put in, but there are also people who can put in for them and serve as their "influence" in the bigger picture. People and even the news media will tell you that they don't exist, and that the world is full of corruption and greed. That sells more newspapers I guess. But have you met your city council? Talked with them? Your county supervisors? If you haven't because you've been told it won't make a difference you have been lied to. And you can put that lie to the test by seeking those people out and putting yourself out there to help.
Yes, there are people with bogus motives in office. And there are good people in office. You can't really tell who is who without talking to them though. And when you find the bogus ones and get them removed, well that helps everyone.
And, as I started this conversation, it takes time. And there are set backs, and sometimes the bozos win one. But you take the long view, the commitment that you will continue to push for a better version of the world. You may find more support than you expect.
Upon further reflection, maybe I should just keep using it.
Demonstrating that multiple people could have access to the account makes an excellent case for plausible deniability. In the right circumstances a court could compel HN to distinguish between these users (or at least, prove that the "multiple" aspect is a fiction), but the existence of doubt minimalizes the professional risk. This feels like about the right level of security for unpopular political meta-comments of this sort.
These seem to be 2 separate points. The original post said that he was exonerated because the FBI didn't have probable cause to search him. The article you linked said he was exonerated because the statute didn't cover HFT systems. I guess that makes sense if the reason the FBI didn't have probably cause was because they should have known that, even if everything Goldman alleged, he still wouldn't have broken any laws.
That seems to be the opinion espoused in the article. It was legal due to a "loophole".
> I guess that makes sense if the reason the FBI didn't have probably cause was because they should have known that, even if everything Goldman alleged, he still wouldn't have broken any laws.
From the article:
> On December 28, 2012, President Obama enacted the Theft of Trade Secrets Clarification Act of 2012, which clarifies the scope of the Economic Espionage Act of 1996 (18 U.S.C. §§ 1831-39). The newly enacted amendments are intended to reverse the recent Second Circuit decision in United States v. Aleynikov, 676 F.3d 71 (2d Cir. 2012).
The only way that statement makes sense is if the author believed that the FBI failed due to a lack of the acts alleged by Goldman Sachs being a crime. Imo, anyway.
The US is a pretty strange place when Bank of America can literally break into someone's home, steal everything they own, and never suffer either financially or criminally, but all a corporation has to do is point their finger at an individual and that individual will be arrested and prosecuted.
It also reminds me of the AT&T case where someone accessed records on public URLs and instead of AT&T getting a black eye for being so incompetent the dude went to jail. When will a corporation metaphorically go to jail? They steal, they lie, they cheat, they launder money, but yet they're always "too big to prosecute."
Weev is a dick, but what he did in that specific case shouldn't have been a interpreted as a crime, and I would have preferred his conviction be overturned on that basis, rather than the venue issue.
While I don't think weev should have gone to jail, I can't help but think there was a sense of "we have to get this guy for something," like locking up Al Capone for cheating on his taxes.
Weev probably should be in jail, just not for that. https://en.wikipedia.org/wiki/Weev#Trolling I probably would have been OK with them nailing him for "something", but the AT&T case set a bad precedent.
I'm uncomfortable with allowing prosecutors the leeway to just kind of decide who should be in jail based on gut judgements but I'm clearly in the minority because that's not the way the law or politics are moving (like look at the guys getting nailed for mail fraud because of Massachusetts patronage scandals that technically were probably not illegal).
And when they do get prosecuted, the punishment is laughable, typically a fine equal to weeks of profit, maybe months if it's something really terrible.
I'd like to see how corporate behavior changes if "jail" was a real possibility. For a crime that an individual would get two years in prison, shut down the company for two years. They can try to pick up the pieces after that period, just like the individual.
The problem with that is it would put lots of innocent employees out of work. You'd have to sell the company to a competitor or something so that the operation kept going but shareholders got wiped out. Make shareholders feel the pain and the behavior will change.
The same sort of thing happens when individuals go to jail. Family members lose their means of support, children lose their parents, etc. One person going to jail can potentially devastate an entire innocent extended family. That doesn't stop us.
I think at a minimum firing all CXX level employees and the loss of all stock options/pending bonuses is a good compromise. Fines harm investors, but the actual people that decide to break the law are rarely impacted.
Investors should be harmed if they invest in enterprises that engage in criminal acts. Perhaps then there will be a bit more appetite for some ethics at the expense of a little profit.
Not only that but you'll get shorts interested in criminal companies because they can profit by exposing wrong-doing. And, on the other side, the market will discount a company's stock if it is criminal which kills the executives incentives to take these actions.
Hamstringing the company is going to do a lot of collateral damage to innoccents. I mean, if all CXX level people are guilty then so be it- but purely punitive beheading of a company's leadership? Come on.
If your actions are destroying other people's lives and unlawfully disposessing them of their homes, then the word you're looking for is "criminally negligent". Not "innocent".
Nazi guards tried that defense. Didn't work for them either.
I'm talking about people like [Schindler](http://en.wikipedia.org/wiki/Oskar_Schindler) who was a Nazi but obviously not following orders. In a corporation with tens of thousands of employees, not all of them will have conspired to break the law. Those are the people that shouldn't be subject to putative measures.
A much better idea than that is to actually imprison all the top level executives of the company if their company commits a crime that would get an individual thrown in prison.
He's referring to several cases where they "foreclose" on the incorrect home. They break into homes, take everything in them, and auction it off and throw away anything they can't sell.
While malicious intent may be absent, to the victims that does not matter one iota.
Goldman Sachs was entirely within their rights to contact the FBI if they believed proprietary information was stolen from them by an ex-employee. It's the government (read: FBI) that screwed up here, as is most often the case.
I personally think that large financial organizations should have this privilege given their role in the financial markets. They are prone to fraud and theft, i.e. a large target.
Except if you have some information that I don't outside of the scope of my comment above.
Just because a bank says you're stealing doesn't make it so.
Especially when the case relates to intellectual property, they have no special position in the society, and the crime may not be a crime but a civil case.
I've reported a crime to the relevant FBI division, in which I could point out exactly where the money was went (same city, local bank) and provide proof of the fraud.
Your unverifiable anecdote doesn't hold much weight, I'm afraid. But do you really believe random-guy calling the FBI should warrant as much attention as multi-national financial institution reporting a potential crime?
People are complaining as if GS putting the FBI on people is rampant. As far as I'm aware it has happened this once (though I'm open to other tales) and an over-zealous investigator tried to make a name for himself and messed it up royally.
I agree, what they did to this poor fellow is disgraceful, but let's not pretend that the justice system doesn't have a habit of railroading people when they desire a suspect. That's the real tragedy.
> But do you really believe random-guy calling the FBI should warrant as much attention as multi-national financial institution reporting a potential crime?
Well, yeah, if corporations are people with equal rights, that means that the law should treat them equally to other people.
Magnitude of crime is different. If somebody breaks into my car in San Francisco and steals a bag, I totally expect police to laugh at me if I ask if they plan to investigate it.
On the other hand if young female student is raped, her newborn daughter brutally murdered and house burned to the ground, I expect half the police to be on high alert and FBI to get involved.
GS report of theft of software that produces billions in profits falls somewhere between these two extremes. Police/FBI does not have resources to investigate all crimes equally so they have to prioritize. The same way as browse remote-execution exploit is fixed way faster than small UI glitch.
The question wasn't "should a person reporting a potentially wide-ranging crime doing lots of damage and impacting potentially large number of victims be treated differently than a person reporting a crime with lesser impacts".
There is a difference between asking if the magnitude of the crime reported should result in a different response and what actually was asked, which was whether who is reporting the crime should result in a different response.
>Magnitude of crime is different. If somebody breaks into my car in San Francisco and steals a bag, I totally expect police to laugh at me if I ask if they plan to investigate it.
Except that I could provide a complete paper trail of where the money went (to a local scam artist) -- that's how the financial system works.
It would be analogous to providing and end-to-end video of a car being stolen to a previously unknown chop shop.
What the police actually did would be analogous to ignoring that video but then arresting a car thief on a GS executive's say-so.
Huh? My parent is upset that Joe-Random has less clout. My point is Joe-Random has no credence, which has absolutely nothing to do with "high status". Woz has credence about disk controllers. Big banks have credence about finance and trading. That is as it should be. Joe-Random does not deserve equal clout on matters of disk controllers, finance, or trading.
So you need to be the Steve Woz of crime victims before you should expect any law enforcement action whatsoever on a crime with an enormous paper trail?
It is worth remembering that part of the case against Mr. Aleynikov involves his use of "subversion" software, which sounds, well, subversive.
From the Vanity Fair article[1]:
"The Web site Serge had used (which has the word 'subversion' in its name) as well as the location of its server (Germany) McSwain clearly found highly suspicious."
Wow, thanks for pointing that out.. that makes this reporting look pretty laughable, and wildly uninformed:
"..through a so-called 'subversion repository'.."
Apparently I can add "not looking suspicious" to a list of reasons to use git.
Yep, that's about par for the course reporting. If it sounds ominous, it must be. I remember a small town newspaper that was all mad 10+ years ago about the master / slave IDE toggle and how it was racist. It was not an Onion article, sadly.
This quote was not about the reporter or the news outlet. Michael McSwain was the FBI agent in charge of the case, and the reporting seems to suggest that having 'subversion' in Sergey's Web history was a component of building probable cause.
I believe that stemmed from a lawsuit by a woman who took offense to those terms being used in some documentation that unfortunately passed through her hands.
Is the emphasis on the word "subversion" from McSwain, or is it from the author of the article? It's not made clear from the text which one of them is emphasizing that part.
To my ear, it seems that the emphasis comes from the FBI agent. The reporter keeps a fairly neutral voice, but the paragraph quoted, combined with the ones immediately before and after, paint the FBI agent as uninformed and credulous.
I hope he can, sooner or later, put these legal battles behind him and return to programming. He's a pretty good Erlang coder: https://github.com/saleyn
This, in particular, is extremely useful for anyone using Erlang to interact with external processes: https://github.com/saleyn/erlexec
Interest that after reading the wikipedia article the NY state prosectors messed up by trying to arrest him a second time. In that second arrest the judge ruled that the arrest by the FBI was illegal. Thereby giving him this opportunity for the civil case.
However the law is changed for future source code thefts. Here is an industry perspective
Wow, that Mondaq article is really the opposite of objective. Author Dylan W. Wiseman is really letting us know which side he's on with gems like "To correct the obvious injustice of the Aleynikov ruling..."
Ignoring the obvious FBI blunders and them being far too buddy-buddy with corporations, doesn't he have a point?
Aleynikov intended to monetize code which was technically Goldman's property, even if he wrote most of it. It would be a different story if he simply wanted to keep the code for archival and review purposes; he actually tried to help a startup by using it.
It sounds like he did violate the spirit of the law, if not the letter.
However I would also like to add that 8 years (+3 under supervision) is bonkers and completely disproportionate with the crime.
Just to put that into perspective, someone could commit rape twice and be out of jail first (3 years piece approximately, or 6-7 years total).
It seems like as soon as a computer is involved in a crime, the sentence gets quadrupled. Instead of breaking into someone's computer, you should just run them down with your car, you'll likely get off easier in the latter case...
Funnily enough, after reading more into this myself I'm actually going to partially retract some of my statements above.
I don't know if it was definitively proven that he copied the code with the intent of helping the new startup. The evidence the FBI found was that he had the code on a laptop when meeting some of their founders, but I don't believe they had proof of what his intent was or proof that he shared it with them or that they were even aware of it.
He claims he did not intend to do any such thing:
>When he left, Sergey Aleynikov took a segment of code with him that was based on open source, but had some alterations that technically made it proprietary Goldman Sachs software.
>According to Sergey Aleynikov, the software was of no consequence to his job at Teza Technologies, but once they realized he had taken a segment of code from their servers Goldman Sachs contacted the FBI and within 48 hours Aleynikov was in custody.
So I would say the sentence should be based on the proven intent. If he really did intend to use most or all of the codebase while at the startup to gain them an edge, then I think a jail sentence is fair (though I agree 8 years is way too long). Otherwise, probably not, at least depending on how accurate his story is of what % of the codebase was open source originally.
I remember reading that the code was mostly open source tools that he had done some modifications to such as fixing bugs and just wanted them for reference. He hadn't accessed the files since leaving Goldman.
I think Goldman Sachs was more worried that he was taking his brain with him to a competitor. The banking cartel certainly has to be high on Silicon Valley's list of "industries that need to be disrupted". The sad thing is he's probably being prosecuted for things he created within the walls of Goldman Sachs and could probably easily re-create from scratch without them.
"He agreed to hang around for six weeks and teach other Goldman people everything he knew, so they could continue to find and fix the broken bands in their gigantic rubber ball. Four times in the course of those last weeks he mailed himself source code he was working on. (He’d later be accused of sending himself 32 megabytes of code, but what he sent was essentially the same 8 megabytes of code four times over.) The files contained a lot of open-source code he had worked with, and modified, over the past two years, mingled together with code that wasn’t open source but proprietary to Goldman Sachs. As he would later try and fail to explain to an F.B.I. agent, he hoped to disentangle the one from the other, in case he needed to remind himself how he had done what he had done with the open-source code, in the event he might need to do it again. He sent these files the same way he had sent himself files nearly every week, since his first month on the job at Goldman. “No one had ever said a word to me about it,” he says. He pulled up his browser and typed into it the words: Free Subversion Repository. Up popped a list of places that stored code, for free, and in a convenient fashion. He clicked the first link on the list. The entire process took about eight seconds. And then he did what he had always done since he first started programming computers: he deleted his bash history. To access the computer he was required to type his password. If he didn’t delete his bash history, his password would be there to see, for anyone who had access to the system."
Can I just make sure that someone mentions the most powerful motive that a shop like GS wouldlikely have?
HFT barrier to entry is expertise. Any firm has as their biggest competitive risk their employees setting up with that expertise in competition. It happens all the time. To counter that the optimal strategy of an HFT shop where an expert resigns is to sue them as far and deep into the ground as they can why?
Asalessontoallremainingstaff
This gets an HFT shop additional barrier to entry from competition from existing experts, their own.
Did GS deliberately follow this optimal tactic? I don't know, I have no evidence. Maybe the fact it is optimal for other reasons is unrelated and possibly even unknown to them. Form your own opinion on the balance of probabilities there.
1. They didn't sue him. They complained to the FBI and the government criminally prosecuted him for violation of the Economic Espionage Act.
2. The basis of the prosecution was that he exfiltrated 500,000+ lines of source code.
Doubtful this particular "tactic" could be more generally applied unless staff are engaging in similar activities now clearly prohibited under the EEA.
I'm new to this but after reading up on the background I think this case is being somewhat mischaracterized in the comments here. I know we are all anti-authoritarian hackers at heart but HN also stands for accuracy and fairness.
I would say the general tone here is "jack-booted FBI thugs falsely arrest hacker because their pal at Goldman Sachs pulled some strings". The implication being that this has all unravelled and he is now suing the government for corrupt trampling his constitutional rights.
After reading up, I would say a fairer characterization is "guy who got caught stealing proprietary code got off on a technicality because the law doesn't actually cover HFT code due to shortsighted phrasing".
Before you hit that downvote button, here's my support: the judge who overturned it called this out and Congress passed a law in 2012 to close the loophole through which he got his conviction overturned.
From the Congressional Record[1]:
Quoting the appeals court, "just before his going-away party, Aleynikov encrypted and uploaded to a server in Germany more than 500,000 lines of source code for Goldman's HFT system ..... On June 2, 2009, Aleynikov flew ..... to Chicago to attend meetings at Teza. He brought with him a flash drive and a laptop containing portions of the Goldman source code. When Aleynikov flew back the following day, he was arrested by the FBI .....''"
In his concurring opinion, Judge Calabresi [Cal-abress-E] directly called upon Congress to clarify the scope of the EEA [Electronic Espionage Act] as he wrote:
[I]t is hard for me to conclude that Congress, in [the EEA], actually meant to exempt the kind of behavior in which Aleynikov engaged ..... [n]evertheless, while concurring [in the opinion], I wish to express the hope that Congress will return to the issue and state, in appropriate language, what I believe it meant to make criminal in the EEA.
Specifically the EEA used to say "included in a product that is produced for or placed in" interstate commerce, which the court thought didn't technically cover HFT code, and now reads "a product or service used in or intended for use in". That's it. That's the loophole.
If there ever was a case of violating the spirit, but not the letter of the law, this is it.
It is quite clear that he did not violate the spirit of the law. There was no clear intent to steal any "trade secrets" from Goldman Sachs, and the analogy brought up in the last part of the article that compares it to taking home a notebook you've used for scribbling down thoughts after you've quit your job, is apt
"It is quite clear that he did not violate the spirit of the law."
Very, very clearly, everyone from the legislature to the judiciary is in agreement that he violated the spirit of the law.
Even the judge who overturned the conviction said it was hard for him to believe that Congress didn't mean for the law to make his actions criminal. And then Congress immediately updated the letter of the law, unanimously, all the while explaining how it's unfortunate the previous letter of the law didn't capture the spirit of what they intended, specifically mentioning this case.
Also, the "it's just a notebook with scribbled down thoughts" analogy is poor. That implies that it's just his own thoughts he took. He uploaded 500,000+ lines of source code, then tried to cover up his tracks. That is exfiltrating extensive, proprietary trade secrets and was repeatedly cited by Congress as just the sort of activity they wished to criminalize in the Economic Espionage Act.
By the way, I don't think he should serve any more time. The sentence was too harsh IMO. But there is no question it is (now) illegal activity, because Congress specifically updated the law to make his exact actions illegal, naming him personally.
(Of course, they weren't technically illegal at the time he did them, according to the appellate court, which is why he was set free.)
He did not "try to cover up his tracks", he did what he'd do basically every day as a normal software developer doing his job. The "encrypted it and uploaded it to a server in Germany" is a red herring that shows exactly how inept the judiciary was in interpreting his actions. Why does it matter that the server was in Germany? Isn't it common sense that he would encrypt any data he uploads?
And it's nonsensical to not try and interpret exactly what it is he copied and why he did so. As the vanity fair article points out, he did not in fact copy any of the vast amounts of valuable data he had access to. (He had access to everything!). But he chose tedious infrastructure code instead, to get a sense of what non-proprietary libraries that were used
> he chose tedious infrastructure code instead, to get a sense of what non-proprietary libraries that were used
That is a generous speculation regarding his motives. As GS notes in their response to Vanity Fair, "While some of those files included open source software, the Court determined that 'a substantially greater number of the uploaded files contained proprietary code.'" (emphasis mine)
But as far as whether what he did violated the spirit, and now letter of the law we have a conclusive answer direct from Congress: Yes, he did.
The trade secrets are the algorithms for trading. He did not touch those.
He took a very small amount of open source code that was mixed with proprietary code. This code may have been illegally obtained by Goldman Sachs due to common open source licenses requiring that improvements also be open sourced.
He was writing a new software in a different language. He was not stealing a platform to build code upon.
He was a very good programmer who was underpaid and mistreated. His own colleagues were coached to make him appear guilty of stealing 100% proprietary code. The majority of the code was open source. I find that to be dishonest testimony.
What exactly was the code that he copied? I see that he did copy a bunch of code out for the purpose of collecting open-source code... but if it was code he or others wrote at his previous company, taking it seems like a bad idea.
It's unfortunate that the trend for law enforcement agencies is to shield individual agents and officers from any personal culpability. They'll get a month of paid leave, the agency pays out and they get to return to the same position with the same pay.
The only lesson learned is that their coworkers, bosses and justice system will bend over backwards to make sure that they can get away with abuse and injustice without repercussions.
No, then decent cops would leave, and we'd be left with jerks who have low job-mobility (no other skills), but are adept liars who can cover their asses when they get near trouble.
Most police officers already are jerks with low job-mobility - but I do think a framework where the department suffers for an individuals actions (and not the taxpayer footing the bill) would have a positive feedback effect.
If another officer's indiscretion or negligence were to reflect on your pay check, you would be less likely to help cover it up or ignore it.
I think I'd prefer the idea (I forget where I first saw it) that officers have to buy a bond/insurance. That way the worst ones would price themselves out of the market. Having group rates for officers/departments might have the effect you're looking for. I don't mind it terribly that local taxpayers have to foot at least some of the bill for this kind of thing. Hopefully they will be reminded come election time if a sheriff or a mayor has allowed deputies to run rough shod over peoples' rights.
[Goldman] called the F.B.I. in haste, just two days before, and then put their agent through what amounted to a crash course on high-frequency trading and computer programming. McSwain later conceded that he didn’t seek out independent expert advice to study the code Serge Aleynikov had taken. (“I relied on statements from Goldman employees.”) He himself had no idea of the value of the stolen code (“Representatives of Goldman told me it was worth a lot of money”) or if any of it was actually all that special (he based his belief that the code contained trade secrets on “representations made by members of Goldman Sachs”)...The F.B.I.’s investigation before the arrest consisted of trusting Goldman’s explanation of some extremely complicated stuff, and 48 hours after Goldman called the F.B.I., Serge was arrested.
That, as the complaint highlights, the FBI instinctively acted as Goldman's punitive arm rather than conducting an independent investigation into the facts of the case is disturbing, regardless of the merit of the allegations.
http://www.vanityfair.com/news/2013/09/michael-lewis-goldman...