I read the original Vanity Fair article. I have to say that the whole thing looks like nothing more than Goldman using its governmental influence to send a message to its programmers that if they leave for another firm, there will be hell to pay. After he won his federal appeal and was released from federal prison, Goldman convinced the State of New York to file charges for the same conduct. That case is pending and he is out on bail. A recent motion to dismiss that case based on double jeopardy was denied. Welcome to the USA - where money buys you all the justice you could ever want.
Link bait title -- It was open source code mixed with Goldman Sachs proprietary code. This is also a summary of a much larger and more complete Vanity Fair article [1].
The most interesting part of the reaction from the Vanity Fair piece for me is how so many geeks had no idea of this story until it was spelled out to them by a mainstream magazine (even though the Aleynikov case was extensively covered here on HN).
Now would be a good time to highlight the cases of hackers that Michael Lewis doesn't have time to write about: Bo Zhang, Michael Meneses, the Madoff programmers, John Kane (has had most charges dropped now), the Liberty Reserve guys and almost everybody ever charged with the Computer Fraud and Abuse Act.
I love to stick it to Goldman as much as anyone else here, but I think the story is probably more nuanced than "Goldman jails innocent programmer for leaving the firm". I know that I have on occasion kept copies of source code for projects that I'm proud of (and there was often some open source code involved; that changes nothing). Not to give it to someone else, but because I was proud of the work.
That is probably a breach of contract but I don't think it should be a crime punishable by jail time (unless someone can prove that said code was used to aid another company).
Proving that the code was used to aid a company is not a good measure of the seriousness of the crime. What if you take the code and store it on a device with really low security? You don't share it, but you allow "hackers" to easily take it, so you are in fact aiding competing companies.
The developer was not innocent:- but the punishment was disproportionate and heavy-handed, considering that he did not appear to have made use of the source code that was taken.
The major problems raised by the story lie firstly in the technological ignorance that the authorities displayed; secondly in the developer's legal ignorance (in trying to correct the authorities' technical ignorance) and finally, and perhaps most importantly, in the breathtaking arrogance and conceit displayed by GS in its handling of the case -- yet more evidence (as if we needed it) of the vile, corrosive, and fundamentally corrupt culture that infects our financial services.
I suppose most programmers do this. I'm just playing the devil's advocate here, but the difference might be in the type of code that was kept on file. Nothing I've ever kept was rocket science or novel in any form - No competitor would ever gain an advantage by peeking into it. But there could supposedly be something novel in a trading algorithm.
The article talks about the requirement to release source code to the public, if modifications are made. This is a common misconception, but generally not the case, depending on the license. Typically, source code release is required if the software is distributed. If you've modified open source software for internal, private use, you typically are not compelled to release the source code, because you are not distributing the software.
It could have as easily been phrased (and likely would by a prosecutor) as "a cache of source code longer than the King James version of the bible." The defence could respond "only about three millionths of the amount of data in a human cell's nucleus." "More than seventy times the amount of software needed to land on the moon!". The amount is irrelevant. He released proprietary source code which is an offence under current law, with fairly well established sentencing guidelines. I agree that the law should be changed, but if you protest a law by breaking it, the results shouldn't come as a surprise.
a) I didn't read anything that suggested he was protesting the law. Perhaps you could point out that part of the story.
b) He didn't release proprietary source code. Or did I miss that part?
Hmmm. Ok so this guy uploaded both OS and Goldman-authored code - as stated in the article. And uploading pure OS code wouldn't make sense anyway as it would be available anywhere. And did so immediately prior to taking a principal role at a competitor start up - no wonder they checked. He knew he was doing something wrong - as stated in the article - and his reason for deleting his bash history makes no sense (surely bash doesn't cache passwords) - indicating he was trying to cover his tracks.
They're gonna want to protect their IP - particularly when it could give a competitor a huge advantage. It's not surprising they went after him.
I assume he was performing some sort of authenticated action - e.g. against the svn repository - and providing the password as a command-line argument rather than interactively. This would not only leave the password in the history, but would make it visible to anyone else on the machine who runs ps whilst the command is executing. It's terrible security practice, but I've seen it done more times than I can count.
The original Vanity Fair article tries very hard to paint a picture of a stereotypical overly naive techy.
Little carefully inserted details such as the pain-in-the-back side of having to mow the lawn, all these details should be creating a picture of a life-unsavvy coding recluse in the reader's mind. The reader is supposed to chuckle "how naive, anyone who is on $270K can just hire a gardener to take care of the lawn!"
I have personal knowledge of programmers taking the code with them when leaving employment for no particular reason except for "in case I might need it as a reference" and then never ever looking at it again. In my mind it's very much akin to hoarding.
I have very little doubt that the code would be unusable outside of GC infrastructure.
What does seem unusually harsh is the punishment for the crime when no damage was ever done to the victim; to me this is an attribute of a show-case trial.
I think there is probably still a little bit to be said for curation in this world. The original article was quite long (and a great read and I recommend it) and there were nuggets in it I found interesting.
I actually did try to submit the original article myself earlier today, and noticed that it had already been submitted several days ago. So at least I did upvote that.
I was disappointed in that previous discussion. Take away the off-topic stuff and it seemed like most reactions varied from "Good, throw the book at him" to "God that guy was dumb".
If Lewis' portrayal is accurate, then Aleynikov is pretty clearly an otherworldly technical type. That doesn't mean he should be exempt from laws, but it's not irrelevant either. For one thing, to anyone who knows the type, it says something about intent: his intent was likely not to exploit someone else's secrets, but to work on interesting things. A programmer like that wouldn't download code because it contained secrets; he'd download it because it contained library routines that he didn't want to have to rewrite someday. Why would he steal secrets? Anything important, he could just derive later. He probably thought that Goldman's technical designs were all wrong and would make a point of not copying them anyway.
There are countless stories of otherworldly technical types, including many heroes to people here, running afoul of laws or regulations and having to be rescued by the more worldly members of their scientific/technical community. I expected this technical community to recognize that pattern in Aleynikov and react with some empathy, because we all know someone like that or have a little of the type in ourselves. Instead we got a bit of a Colonel Blimp chorus. I hope that was just sample bias.
I wish we could see that source code. After reading Lewis' article, I would be shocked if it contained anything of nontrivial value to Goldman.
The degree of harm caused is often a factor in measuring a crime, especially when it comes to sentencing. As Garry points out, 8 years for this is crazy.
Your Honor, while my client did indeed steal billions of dollars from the defendant's bank account, the balance of the account was represented as a 64-bit value. That makes this a crime of only 0.0625KB; I suggest a slap on the wrist
I'm reposting one of the comments from the blog here for a bit more exposure. I think this gives a good alternative viewpoint on the case:
"I worked literally side by side with Serge while at Goldman Sachs, so I have substantial perspective on this. Let's be clear -- Goldman Sachs did not pursue him, the relevant district attorney of NY did. Goldman's job is not to prosecute, it is to provide the facts of the case to the judicial system, which decides whether to go after him or not. We can argue about whether the punishment was excessive but let's stop blaming a firm that is a private company which has no ability to prosecute. And I can tell you that what Serge did was incredibly against the terms of his employment agreement. The open source aspect is overblown, obviously if it were freely available and not substantially different he would have no need to upload it days before he left. The fact of the industry is people steal code all the time, he just happened to be one of the unfortunate programmers to be caught and made an example of. But it certainly doesn't mean he's a victim here. When a company is paying you 500k+ a year to write code on its time, the understanding is that they have the say as to what happens to it, not you. You can't just say, I don't think this is that materially different so I'm going to send it to myself before I work for a competitor."
This guy has made two mistakes:
1. He used OS code without consulting first with the legal department of the company.
2. Transferred the source code outside the corporate network without consulting first with the legal department.
His boss may not be competent in this field, but the legal department must be and, I believe, they already have a policy for OS solutions. This developer did measurable damage to the company, which should now make some effort to clean up the OS code or face the possibility of being required to release its own code under an OS license. I clearly see this as a good reason to sue him.
The main problem with this situation is educational: "brilliant scientists" and "smart developers" (especially from ex-USSR countries) are not paying enough attention to the legal issues related to their jobs. They do not try to secure their rights and do not consider the possibility that they violate others' rights by their technical actions. It would be great if CS courses in universities included a short talk about what's good and what's bad in the legal field. For now, the more attention is paid to such cases, the better for everyone.
There are many good reasons to sue him... but, in theory, in the US you can't send someone to jail for a simple breach of contract or violation of corporate policies about OS, or even breach of an NDA or non-compete (neither of which he had).
Seriously, this part (if true) doesn't really help him.
"He pulled up his browser and typed into it the words: Free Subversion Repository. Up popped a list of places that stored code, for free, and in a convenient fashion. He clicked the first link on the list. The entire process took about eight seconds."
Pushing "proprietary" code to a repo without knowing that it is a) secure and b) allowed feels like a great way to not follow an NDA.
From the comments:
"Why are you putting him in jail? Again, Goldman has no ability to put people in jail. Only the justice system does. Why this kind of narrative continues to be OK with people, I have no idea."
This justice system didn't decide out of the blue to go after Aleynikov one day. G.S. asked them to do it. I suppose if you work for G.S. you need to be very good at rationalizing things in order to sleep at night.
If I worked for G.S. I would probably tell myself:
"G.S. doesn't cause the starvation of millions of people, we just speculate on food commodities."
(Google "goldman sach starvation")
From the indictment the source code contained "the trading algorithms that determined the value of stock options" and was "hundreds of thousands of lines of source code".
After reading the whole VF article I come to two conclusions.
1. If you work for a company which (as I'm sure GS does) has a policy forbidding you from uploading company data to the public cloud, don't violate that policy. Especially if it's source code you wrote while working there. (The open source argument is a red herring. It doesn't matter.). And super especially if you're about to leave for a competitor.
2. If you work in an industry and for a company that is being scrutinized by the Feds and is heavily regulated, really REALLY don't violate policies like this arbitrarily and on your own, because you might go to jail.
Is it "fair" what happened to him? No. But lots of unfair things happen. He paved the way with his thoughtless actions.
The notion that one be tried by a jury of one's peers is practically meaningless for any 'crime' involving scientific knowledge or any specialized competence.
downandout|12 years ago
scorpion032|12 years ago
Justice as it is practiced: "Legitimising the expectations of the entitled."
VerilyForsooth|12 years ago
[deleted]
WestCoastJustin|12 years ago
[1] http://www.vanityfair.com/business/2013/09/michael-lewis-gol...
raverbashing|12 years ago
An SSL key can be smaller than 1k (ok, today more like 4k maybe more) and be very valuable.
Not to mention older source code that was smaller but very valuable (think IBM PC BIOS, or the first Apple II ROM).
mathattack|12 years ago
nikcub|12 years ago
dopamean|12 years ago
speeder|12 years ago
jhuckestein|12 years ago
ratzinho87|12 years ago
w_t_payne|12 years ago
troels|12 years ago
jcnnghm|12 years ago
garry|12 years ago
ajarmst|12 years ago
milkshakes|12 years ago
petegrif|12 years ago
retube|12 years ago
russgray|12 years ago
ksaua|12 years ago
It does if you're careless enough to type them out in clear text, e.g. when connecting to a mysql database:
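The leak discussed in the comments above (a password given as a command-line argument lands in shell history and is readable through ps while the command runs), as an added example that is not part of the thread or of any commenter's post. `scan_history` audits history lines for the svn-style and mysql-style forms, and `argv_exposed` confirms the ps exposure with a throwaway child; the function names are hypothetical, and every host name, user name and secret is constructed.

```sh
#!/bin/sh
# Added example, not from the thread. All sample data is constructed.

# scan_history: read shell-history lines on stdin and report, by line number,
# each command that carries a password in its arguments. Only the program
# name and option form are printed, so the secret is not echoed again.
scan_history() {
    awk '
    {
        mysql = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(mysql|mysqldump|mysqladmin)$/ ||
                $i ~ /\/(mysql|mysqldump|mysqladmin)$/) {
                mysql = 1          # -pVALUE is a password only for these clients
            } else if ($i ~ /^--password=./) {
                print NR ": " $1 " --password=VALUE"
            } else if ($i == "--password" && i < NF && !mysql) {
                print NR ": " $1 " --password VALUE"; i++
            } else if (mysql && $i ~ /^-p./) {
                print NR ": " $1 " -pVALUE"    # bare -p prompts; not flagged
            }
        }
    }'
}

# sample_history: constructed history lines (hosts, users, secrets are fake).
sample_history() {
    cat <<'EOF'
svn checkout https://svn.example.test/repo --username alice --password Constructed1
mysql -u app -pConstructed2 -h db.example.test inventory
mysql -u app -p -P 3306 inventory
svn commit -m "fix parser" --password=Constructed3
tar -pxf backup.tar
EOF
}

# argv_exposed MARKER: start a child with MARKER in its arguments, then read
# the child's command line the way any local user running ps would.
# Returns 0 if the marker is visible.
argv_exposed() {
    marker=$1
    sh -c 'sleep 5; :' demo-client "--password=$marker" </dev/null >/dev/null 2>&1 &
    pid=$!
    seen=1
    for try in 1 2 3; do
        if [ -r "/proc/$pid/cmdline" ]; then
            args=$(tr '\000' ' ' < "/proc/$pid/cmdline")
        else
            args=$(ps -o args= -p "$pid" 2>/dev/null || true)
        fi
        case $args in *"$marker"*) seen=0; break ;; esac
        sleep 1    # child may not have exec'd yet; retry
    done
    kill "$pid" 2>/dev/null || true
    return "$seen"
}

sample_history | scan_history
argv_exposed constructed-marker && echo "argument visible in the process table"
```

The scanner splits on whitespace, so it reports that a secret is present without trying to reproduce it; the fix for a flagged line is to let the client prompt or read the credential from a file with restricted permissions.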
unknown|12 years ago
[deleted]
Unosolo|12 years ago
thejosh|12 years ago
garry|12 years ago
davidw|12 years ago
https://news.ycombinator.com/item?id=6146446
gruseom|12 years ago
Narkov|12 years ago
gruseom|12 years ago
sliverstorm|12 years ago
adambratt|12 years ago
ivan_gammel|12 years ago
jrochkind1|12 years ago
redblacktree|12 years ago
nallerooth|12 years ago
chrisbennet|12 years ago
ig1|12 years ago
Source: http://online.wsj.com/public/resources/documents/021110aleyn...
MyDogHasFleas|12 years ago
woah|12 years ago
petegrif|12 years ago
unknown|12 years ago
[deleted]
pawrvx|12 years ago