

XP-Dev.com gets taken offline by Goldman source code theft - billclerico
http://zerohedge.blogspot.com/2009/07/breaking-news-httpwwwxp-devcom.html

======
hvs
Just goes to show you how little the "authorities" understand technology. If
this had been a brick and mortar business it is highly unlikely that they
would shut them down for 45 hours for one file. They didn't even bother to
contact the owner of the site? The assumption that he is involved in the theft
simply because he owns the site (which apparently is openly accessible) is
asinine. You can just imagine the "authorities" talking in their little
uniforms about "these hacker kids" while prodding the strange boxes with
their billy clubs.

~~~
cema
I agree. An analogy would be closing a long-term storage facility because
someone stored a bomb-making manual in one of its lockers.

Well, perhaps they would still close it and search for an actual bomb. But
would they also close all of the facilities owned by the same storage company?
More to the point, I guess, would they suspect that the storage company is an
accomplice? Unlikely.

The problem is, hi tech is outside of the daily experience of most of the
people, and much less understood by them. So they have to rely on experts and
take the most conservative point of view (as potentially the least dangerous
one). We have to be patient with them: education takes time.

------
randrews
If I ran Github, I'd put a link to this and a summary on the front page. I
haven't heard a better argument for distributed source control.

The guy who uploaded the stolen code is a moron, but the other people using
the site don't deserve this.

~~~
nailer
The guy says he was uploading OSS work he did at Goldmans, same as he did when
he worked there. It's not unusual for Quant researchers who work in R or
SciPy/NumPy to update the modules they use to build their models, that source
code is copyright by the developers of the statistical language modules -
Goldman's don't own it.

~~~
rs
Eh? Not sure what you meant there, but if you and your employer do have a
contract that says "all work that you produce while working here is owned by
your employer", my understanding would be that updates to those modules, when
written for your employers are actually owned by them, no? (well, within
software licensing terms)

~~~
nailer
Let me know what wasn't clear. Most employers who use OSS apps - including R,
SciPy NumPy and other statistical languages - are comfortable with staff
fixing bugs in those languages and distributing their modified copies of the
works.

------
cema
Aleinikov, though Sergey, is no Brin, that's for sure.

More seriously, he obviously did a stupid move. Whether it was malicious or
not, I do not know.

But the way the whole collection of servers goes down just because a single
remote user has done something suspicious from a legal (not technical) point
of view raises concerns, both of legal and technical nature.

One issue is whether a distributed server system would have been able to
withstand what is technically an attack from the legal authority.

Another issue is whether there is a technical solution to a legal challenge,
specifically, if it is possible to recognize an illegal action by technical
means. And if it is advisable too (for example, I would hate to see watermarks
in the source code or, more likely, udp/tcp packets, but I would hate it much
more if a whole system went down).

This kind of attack may be more efficient than a DOS attack. Can it be
prevented?

------
lsc
I wonder... in what jurisdictions are these "oh a user is doing something bad,
let's take out the company hosting that user with no warning" outages most
common? Most that I remember reading about were in Europe, but at the
behest of US corporations.

Now, it does seem like this is a rare occurrence; data center problems are
more common, so it doesn't seem like a reason to move just yet, but when it
comes time to set up my European location, this is certainly something I will
research and I will be less likely to host in countries more likely to give me
an unplanned outage.

------
embeddedradical
this part got me thinking: _I then erased the bash history, he said, referring
to a method of recalling commands used in previous computer sessions. Goldman
security measures prevent such deletions, which tipped the firm off to his
activities, prosecutors said._

Perhaps he would have gotten away with it had he not erased the bash history.
Outside of that, there's probably a lot of data/operations moving about, and
would be tough to spot, because I get the impression that he was up to stuff
for a while and no one was the wiser.
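
The comment above turns on a detail of the news report: the history wipe itself was the signal. As an added illustration (not code from the thread, the article, or Goldman), the following Python detector shows how such a control can work on a Linux host. It groups audit-style records by their event serial and flags an event when a shell history file is unlinked or opened with `O_TRUNC`, and it adds a simpler append-only check that compares history sizes between two snapshots. The log lines are constructed for this example, loosely modelled on auditd `SYSCALL`/`PATH` records; the syscall numbers assume x86_64, and the function names are this example's own.

```python
"""Flag shell-history tampering in audit-style log lines (added example)."""
import re
from collections import defaultdict

# Constructed sample input, loosely modelled on Linux auditd records.
# Event 42: rm unlinks alice's history; 43: rm of an unrelated file (ignored);
# 44: bash reopens bob's history with O_TRUNC (what `history -c; history -w` does).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1246838400.101:42): arch=c000003e syscall=87 success=yes exit=0 uid=1001 auid=1001 comm="rm" exe="/bin/rm"
type=PATH msg=audit(1246838400.101:42): item=1 name="/home/alice/.bash_history" nametype=DELETE
type=SYSCALL msg=audit(1246838400.205:43): arch=c000003e syscall=87 success=yes exit=0 uid=1001 auid=1001 comm="rm" exe="/bin/rm"
type=PATH msg=audit(1246838400.205:43): item=1 name="/home/alice/model_scratch.csv" nametype=DELETE
type=SYSCALL msg=audit(1246838401.010:44): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd a1=241 a2=1b6 uid=1002 auid=1002 comm="bash" exe="/bin/bash"
type=PATH msg=audit(1246838401.010:44): item=0 name="/home/bob/.bash_history" nametype=NORMAL
"""

AUDIT_ID = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
O_TRUNC = 0x200                                   # open(2) flag bit
SYS_OPEN, SYS_OPENAT, SYS_UNLINK, SYS_UNLINKAT = 2, 257, 87, 263   # x86_64 (assumed)
HISTORY_NAMES = {".bash_history", ".zsh_history"}


def parse_records(text):
    """Group audit records by event serial; each record becomes a field dict."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = AUDIT_ID.search(line)
        if not m:
            continue                              # not an audit record
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        fields["_ts"] = float(m["ts"])
        events[int(m["serial"])].append(fields)
    return events


def is_history_file(path):
    return path.rsplit("/", 1)[-1] in HISTORY_NAMES


def find_history_tampering(text):
    """Return findings for events that delete or truncate a shell history file."""
    findings = []
    for serial, recs in sorted(parse_records(text).items()):
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        paths = [r for r in recs if r.get("type") == "PATH"
                 and is_history_file(r.get("name", ""))]
        if syscall is None or not paths:
            continue
        nr = int(syscall.get("syscall", -1))
        if nr in (SYS_UNLINK, SYS_UNLINKAT) and any(
                p.get("nametype") == "DELETE" for p in paths):
            kind = "deleted"
        elif nr in (SYS_OPEN, SYS_OPENAT):
            # open(path, flags) puts flags in a1; openat(dirfd, path, flags) in a2.
            flags = int(syscall.get("a1" if nr == SYS_OPEN else "a2", "0"), 16)
            if not flags & O_TRUNC:
                continue                          # a plain read/append: normal
            kind = "truncated"
        else:
            continue
        findings.append({"serial": serial, "user": syscall.get("auid"),
                         "comm": syscall.get("comm"), "kind": kind,
                         "file": paths[0]["name"], "ts": syscall["_ts"]})
    return findings


def history_shrank(previous, current):
    """Append-only check: users whose history file got smaller between snapshots."""
    return sorted(u for u, size in current.items()
                  if u in previous and size < previous[u])


if __name__ == "__main__":
    for f in find_history_tampering(SAMPLE_AUDIT):
        print(f"event {f['serial']}: auid={f['user']} {f['comm']} {f['kind']} {f['file']}")
    print("shrank:", history_shrank({"alice": 4096, "bob": 2048},
                                    {"alice": 0, "bob": 2100}))
```

The truncation rule is a lower-confidence signal than the unlink rule: a bash without `histappend` rewrites the file with `O_TRUNC` at every logout, so in practice it is tuned by process name or by the size comparison in `history_shrank`. Either way, the robust design is the one the article hints at: ship history (or the audit stream) off the host as it is written, so that wiping the local copy changes nothing the investigator relies on.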

------
billclerico
it's scary how the actions of one of your users can cause prolonged outages,
regardless of how redundant or robust your infrastructure setup is

~~~
jonknee
I'd love to see what would happen if they tried to do this to a big firm like
Google (or hell, GS). There would be congressional hearings.

~~~
jrockway
Yeah, I would like to see what would happen if these files were in S3 instead.

~~~
dabeeeenster
They probably already are!

