
> rayiner is doubtful, and would like to hear if anyone can convince him.

I doubt I could convince rayiner of anything, but I'll at least refute some of the more ridiculous things he says.

>Your arguments for why the FBI agents acted improperly amount to "yeah, but it turns out that ...."

No, I've responded to rayiner's suppositions that because some activity might be sketchy, it must be.

[rayiner says](https://news.ycombinator.com/item?id=9047068) encrypting and exporting files to a repository in a foreign land is sketchy.

I say, ssh, gzip, and svn are pretty normal tools that programmers use frequently. So are hosted servers in foreign countries.

rayiner says that deleting .bash_history is sketchy, I say it's a reasonable, nay a responsible thing to do if failing to do so would leave sensitive information (such as a password) available for others to peruse.

>These arguments are not a good reason to not arrest someone. They're a good reason to find someone innocent after trying them.

IMO if the government is going to arrest a person, attempt to hold them without bond, settle for a mere $700,000 bond (arguably depriving the person of counsel); then the government's burden of "probable cause" ought to be a bit more substantial than "some bros down at Goldman Sachs said...", and this guy uses "subversion" software. We can't have the police running around arresting everyone who might have possibly committed a crime. There needs to be actual, you know, probable cause.

>Sometimes circumstances are such that an innocent person looks highly suspicious to reasonable people with a reasonable amount of evidence. In those cases, it's reasonable, though unfortunate, that law enforcement arrest and charge that innocent person. Isn't it?

What do you make of the fact that:

>>"In the New York state case, a judge ruled the 2009 arrest was illegal. He threw out seized physical evidence, including computer hardware carrying the source code."

and

>>"New York State Supreme Court Justice Ronald Zweibel also barred prosecutors from using statements Aleynikov made to the FBI after his arrest at Newark Liberty International Airport."

Are these judges unreasonable? Sure, mistakes happen, everyone deserves a Mulligan once in a while. That's not what we have here though. The FBI had plenty of opportunities to check their work, which was shabby. Instead of doing that, they forged ahead doing the bidding of Goldman Sachs, uncritically. And, now that the federal case has failed, GS has their hand up the back of a Manhattan DA. We can quibble about these little details more if you want but this whole affair has got a stench about it.

>As far as I can tell, rayiner is right.... we have no evidence that Aleynikov was arrested improperly.

No evidence? What's Zweibel's problem then?:

>In a 71-page opinion, Justice Ronald A. Zweibel of State Supreme Court in Manhattan ruled that the F.B.I. “did not have probable cause to arrest defendant, let alone search him or his home.” The arrest was “illegal,” Justice Zweibel wrote, and Mr. Aleynikov’s “Fourth Amendment rights were violated as a result of a mistake of law.”




I have a passing understanding of the policies and procedures binding on developers at trading firms.

I dispute the idea that any senior developer could work at Goldman Sachs on an HFT infrastructure and believe that they were authorized to --- or, indeed, that they would not be immediately fired for --- uploading the code to a proprietary automated trading system to a random SVN host in a different country. This is the code we, as security testers, were never allowed to see, even after owning up the machines hosting it. These firms are not kidding around about this stuff. It is a huge smoking gun to have uploaded any of it to some off-brand foreign svn host.

These are firms where you can be fired for plugging a thumb drive into your computer, or for using the company network to access Dropbox. I have worked for more than one financial firm that spent literally millions of dollars merely on the problem of detecting their network users trying to reach Google Mail.

I also dispute the idea that because developers commonly use ssh, gzip, and svn, that it is common practice to (1) gzip a tarball of source code, (2) encrypt that source code, (3) commit that compressed encrypted blob to svn, (4) remove all traces of the encryption key from their work computer. That's something that happens zero times on normal dev machines.

The conviction was overturned because the technical details of exactly what Aleynikov took from GS didn't fit the ambitious charge the DOJ filed against him. But the appeal doesn't refute the finding of facts from the original trial, which include:

>There was more than sufficient evidence presented at trial, however, for a rational juror to conclude that Aleynikov intended to steal Goldman Sachs' proprietary source code. First, it was undisputed at trial that Aleynikov actually did take proprietary source code from Goldman Sachs. As Aleynikov concedes in his motion papers, the code he took from Goldman Sachs included a “purposefully designed” portion of the Goldman Sachs “proprietary, custom-built trading system.” Indeed, the evidence showed that Aleynikov took a significant percentage of the proprietary source code for that system. While Aleynikov attempted to show that there was open source code embedded within the proprietary code and to identify the files in which that might be true, his expert witness was only able to identify one file among those taken by Aleynikov that both bore a Goldman Sachs copyright banner and appeared to contain open source code.

I'm just fine with Aleynikov's conviction being overturned. Again, the charges against him seemed ambitious.

But this is a forum full of software developers. Rayiner is a lawyer and a compiler developer. It's somewhat insulting to everyone's intelligence to pretend that people here are unfamiliar with ssh and svn. We understand how software development works. What happened here was extremely sketchy. You can't play the "well in the world of software development, this is totally normal" card on HN.


>I'm just fine with Aleynikov's conviction being overturned. Again, the charges against him seemed ambitious.

"Ambitious" is a bit charitable, in this context.

"Patently vacuous" -- to an extent that suggested, at the very least, a breakdown in the internal controls and safeguards (on the part of both the FBI and the prosecutor's office) designed to prevent precisely this kind of a fiasco from happening -- might be a better description.


You are being ridiculous. Aleynikov definitely violated New York trade secret law. He got off the federal charge because the trading software wasn't a product for sale, it was a product for internal use. The law was poorly drafted and once that came to light it was immediately fixed.

Like Rayiner said, in layman's terms, he got off on a technicality.

The FBI and DOJ being on the wrong side of a close call in statutory interpretation isn't "patently vacuous."


>Aleynikov definitely violated New York trade secret law.

That's not what the court found. Otherwise the charges wouldn't have been dropped.

It sounds like you're conflating the issue of whether he violated the "spirit" of the law (or whether he was, in your view, just plain morally culpable somehow) -- versus what the law actually had to say about his actions.

>Like Rayiner said, in layman's terms, he got off on a technicality.

If you want to minimize any sense of exoneration or vindication the accused might want to derive from the court's decision, by saying he "got off on a technicality", that's fine.

But to claim that he "definitely violated" the law when the courts found that he definitely did not -- I'm just not sure I see the point in that.


>I have a passing understanding of the policies and procedures binding on developers at trading firms.

I've never set foot in one, but one thing I have learned watching this incident and others is that some of these firms have varying degrees of carelessness and cluelessness within their businesses, especially with respect to IT (Knight Capital comes to mind). In that respect, they are like any other company: some careful and fastidious, some flying on a wing and a prayer.

>This is the code we, as security testers, were never allowed to see, even after owning up the machines hosting it. These firms are not kidding around about this stuff.

I may often disagree with some of your opinions here, but I can't say that I have the impression that you're not competent within your profession or that you lack integrity. It occurs to me that the firms that would hire your firm to audit them as opposed to some lesser outfit, are the same firms that run a pretty tight ship in their own businesses. Has it occurred to you that not all trading firms or even divisions within the same company are cut from the same cloth?

>These are firms where you can be fired for plugging a thumb drive into your computer

Yeah, I've seen some companies with ridiculously conservative IT policies. I can see it being applied at a bank or a trading firm. The policies are often meaningless though, when the policies basically state that you can be fired for doing anything, but in reality that doesn't happen. I've worked at one of those companies where a too-large portion of engineering's time was spent circumventing IT systems, activities for which one could've been fired. Those companies always have plenty of ways to fire people.

>I also dispute the idea that because developers commonly use ssh, gzip, and svn, that it is common practice to

I remember about ten years ago working with an engineer whose idea of a source code revision control system was to zip up and password protect source code archives. It may not be common, and Aleynikov wasn't doing it for the same reasons, but by itself, it isn't proof of anything nefarious.

>There was more than sufficient evidence presented at trial, however, for a rational juror to

Interestingly, none of the jurors were employed in tech, and none had a college degree. Not that it would always be necessary, but it is worth considering the possibility that none of them understood what they were being told. It's hard for me to agree that situation was rational unless those were some exceptional high school graduates.

>But this is a forum full of software developers. Rayiner is a lawyer and a compiler developer. It's somewhat insulting to everyone's intelligence to pretend that people here are unfamiliar with ssh and svn.

If you or Rayiner don't like my tone, I'll tell you that I think it is a bit of an embarrassment to have to point some of these things out here. Maybe Rayiner will have enough respect in the future not to parrot statements from the FBI's and the prosecutor's press releases. We've all been spectators here of a number of high profile prosecutions of software developers, and if there is anything to be learned from those experiences, it is that prosecutors and FBI agents will characterize the suspect/defendant in the most damning light possible. Anything that one of them says has to be taken with a grain of salt.

>We understand how software development works. What happened here was extremely sketchy.

Probably so, but not necessarily so, and not on the basis of some of the things ITT.

>You can't play the "well in the world of software development, this is totally normal" card on HN.

It is laughable. I'm probably one of the least qualified people to lecture to this audience, but here it is.


Pretty sure my local git repository contains thousands of lines of valuable proprietary code (granted on a hardened dedicated work laptop), mixed with open source libraries etc.

And I also delete my bash history all the time if I do something stupid like manually enter a password into the command line.

One thing to keep in mind is that Aleynikov is clearly one of those rare types for whom the technology is an end in itself rather than a means toward anything. That leads to a type of naiveté about following IT security policies. I don't know quite what the proper name is for this disposition, but we've all encountered them.

>I also dispute the idea that because developers commonly use ssh, gzip, and svn, that it is common practice to (1) gzip a tarball of source code, (2) encrypt that source code, (3) commit that compressed encrypted blob to svn, (4) remove all traces of the encryption key from their work computer. That's something that happens zero times on normal dev machines.

Agreed, but it was established that he did this fairly consistently throughout the course of his employment. It's idiosyncratic, but not unexplainable. Sure, it was poor development practice, but I'm not convinced it was malicious.

Again, if the intent was trade secret theft, why not take the valuable part, the trading strategies?


The court found that he took large amounts of "the valuable part". He did more to cover his tracks than delete his bash history --- which my comment didn't mention. I feel like you're repeating talking points rather than addressing what I wrote.


I directly quoted you in addressing your point.

With regard to the "valuable part," financial experts will tell you that lives in the trading strategies, which he didn't take. You must admit that's very odd behavior for a malicious thief.

You keep trying to shift the focus to the trial, when what disturbs me and so many others is not the trial or its findings.

Whether or not he actually stole the code is immaterial to whether the FBI did a proper investigation prior to arrest, or whether Goldman Sachs received special treatment because of their size, wealth, and power.


Your comment and mine are right there for people to see. I stand by what I just said.


Agreed, and as do I. Perhaps our tone has gotten too rancorous.

Civil people can disagree without being disagreeable, and I know from your comments around the site that you're a civil person, so if my tone has been less than appropriate I apologize.

As for the conversation itself, as you said, it stands as is, and we can let the other readers judge the facts for themselves.



