
Goldman Sachs sent a computer scientist to jail over 8MB of open source code - nrcha
http://blog.garrytan.com/goldman-sachs-sent-a-brilliant-computer-scientist-to-jail-over-8mb-of-open-source-code-uploaded-to-an-svn-repo
======
downandout
I read the original Vanity Fair article. I have to say that the whole thing
looks like nothing more than Goldman using its governmental influence to send
a message to its programmers that if they leave for another firm, there will
be hell to pay. After he won his federal appeal and was released from federal
prison, Goldman convinced the State of New York to file charges for the same
conduct. That case is pending and he is out on bail. A recent motion to
dismiss that case based on double jeopardy was denied. Welcome to the USA -
where money buys you all the justice you could ever want.

~~~
scorpion032
Justice as it was meant to be (John Rawls, Kant, et al.): "Entitlement to
legitimate expectation."

Justice as it is practiced: "Legitimising the expectations of the entitled."

------
WestCoastJustin
Link bait title -- _It was open source code mixed with Goldman Sachs
proprietary code_. This is also a summary of a much larger and more complete
Vanity Fair article [1].

[1] [http://www.vanityfair.com/business/2013/09/michael-lewis-gol...](http://www.vanityfair.com/business/2013/09/michael-lewis-goldman-sachs-programmer)

~~~
mathattack
It was stealing proprietary code that could have cost Goldman hundreds of
millions of dollars.

~~~
Unosolo
To me it is not clear why stealing the proprietary code could have cost CG
hundreds of millions of dollars.

Proprietary code that wasn't developed and tested with generic requirements in
mind can rarely be economically re-used outside of the original company
context, as it reflects the structure and the processes of the mother-company.
In fact most organisations I know decided to throw away their code base
entirely when restructuring or upgrading their internal systems as re-work was
deemed uneconomic, because the gap between the code and changed environment is
too great.

Data is salvageable and immediately valuable; however re-using the code
requires a considerable effort, it would also be very hard to keep in secret.
The news of their platform being fully or partially re-used at competitor's
would have quickly reached GC and they could have shut down the competitor
entirely whilst suing them for all of the profit.

Of course one could steal the code for analysis so they could try and exploit
the technological weaknesses in GC trading patterns, however this is not the
argument given by the article or GC.

~~~
mathattack
There's two reasons here...

1) As was mentioned by Shubb, there is a predatory aspect to algorithms. If I
know how your algorithm will work, I can create one that will beat it. You can
think of it as programming robots to fight. If I've seen the source code for
your robot, I may be able to program one that can exploit its weaknesses.
(Worked against the Death Star!)

2) The HFT world works best when the ideas aren't well known. Let's say I
identify a mispricing. It could be, "When this Mutual Fund moves, this similar
ETF moves 0.1ms later, and these stocks react to the ETF and move 0.2ms later,
but they forget these other 3 stocks 0.3ms later, so actively long those
stocks for 0.3ms, and short the rest, and reverse after the time is up." No
need to dwell on the details, just understand that it exists. If only one
person has identified this mispricing, there are a lot of pennies to be swept
up. As soon as two people know about it, the game is up.

While this type of competition could conceivably be good for the market as a
whole, it's definitely not good for the person with the algorithm.

If I have the code, perhaps I can deduce the algorithm.

~~~
cosmie
Although it doesn't state what _was_ taken, it does mention that the copied
code in question is _not_ related to the trading algorithms.

If it did, then Goldman's reaction would be well justified (to the extent that
sub-millisecond arbitrage that siphons billions out of the markets each year
and into the hands of a few firms can be justified).

------
nikcub
The most interesting part of the reaction from the Vanity Fair piece for me is
how so many geeks had no idea of this story until it was spelled out to them
by a mainstream magazine (even though the Aleynikov case was extensively
covered here on HN).

Now would be a good time to highlight the cases of hackers that Michael Lewis
doesn't have time to write about: Bo Zhang, Michael Meneses, the Madoff
programmers, John Kane (has had most charges dropped now), the Liberty Reserve
guys and almost everybody ever charged with Computer Fraud and Abuse Act

~~~
dopamean
What's the story with the guys who worked for Madoff? I've heard nothing of
this.

~~~
nikcub
Here is a Wikipedia article on the upcoming federal trial, but a warning that
it is all based on the indictment and doesn't have the defense side of the
story:

[http://en.wikipedia.org/wiki/United_States_v._Jerome_O'Hara_...](http://en.wikipedia.org/wiki/United_States_v._Jerome_O'Hara_and_George_Perez)

This case contradicts the FBI findings from the Madoff case, and relies on the
programmers having _had to know_ that their system could also be used to
print out fake trades.

------
jhuckestein
I love to stick it to Goldman as much as anyone else here, but I think the
story is probably more nuanced than "Goldman jails innocent programmer for
leaving the firm". I know that I have on occasion kept copies of source code
for projects that I'm proud of (and there was often some open source code
involved; that changes nothing). Not to give it to someone else, but because I
was proud of the work.

That is probably a breach of contract but I don't think it should be a crime
punishable by jail time (unless someone can prove that said code was used to
aid another company).

~~~
ratzinho87
Proving that the code was used to aid a company is not a good measure of the
seriousness of the crime. What if you take the code and store it on a
device with really low security? You don't share it, but you allow "hackers"
to easily take it, so you are in fact aiding competing companies.

------
jcnnghm
The article talks about the _requirement_ to release source code to the
public, if modifications are made. This is a common misconception, but
generally not the case, depending on the license. Typically, source code
release is required if the software is distributed. If you've modified open
source software for internal, private use, you typically are not compelled to
release the source code, because you are not distributing the software.

~~~
garry
I've updated the post to reflect this.

------
ajarmst
It could have as easily been phrased (and likely would by a prosecutor) as "a
cache of source code longer than the King James version of the bible." The
defence could respond "only about three millionths of the amount of data in a
human cell's nucleus." "More than seventy times the amount of software needed
to land on the moon!". The amount is irrelevant. He released proprietary
source code which is an offence under current law, with fairly well
established sentencing guidelines. I agree that the law should be changed, but
if you protest a law by breaking it, the results shouldn't come as a surprise.

~~~
milkshakes
you'd have a point, except for the part where an appeals court unanimously
acquitted him

~~~
ajarmst
I said that breaking a law has fairly predictable results. Among them the
possibility of acquittal on appeal. In fact, if you're doing it for some sort
of protest reason, this might actually be the goal (building case law against
an unfair/unconstitutional law or interpretation).

------
retube
Hmmm. Ok so this guy uploaded both OS and Goldman-authored code - as stated in
the article. And uploading pure OS code wouldn't make sense anyway as it would
be available anywhere. And did so immediately prior to taking a principal role
at a competitor start up - no wonder they checked. He knew he was doing
something wrong - as stated in the article - and his reason for deleting his
bash history makes no sense (surely bash doesn't cache passwords) - indicating
he was trying to cover his tracks.

They're gonna want to protect their IP - particularly when it could give a
competitor a huge advantage. It's not surprising they went after him.

~~~
ksaua
> surely bash doesn't cache passwords

It does if you're careless enough to type them out in clear text, e.g. when
connecting to a mysql database:

    mysql -h host -u user -pMyPassword database

~~~
ordinary
Useful tip: with

    HISTCONTROL=ignorespace

in your .bashrc, if you start a line with a space, it won't be entered into
your history.
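
Added example, not part of the thread: a small audit of a bash history file for the kind of inline secret ksaua describes, plus a check that an rc file sets the `HISTCONTROL` value from the tip above. The function names, the patterns and every sample line except the `mysql -pMyPassword` command are constructed for illustration; the patterns are assumptions and not exhaustive.

```shell
#!/bin/sh
# Added example: audit a bash history file for secrets typed on the command line.

# scan_history FILE: print "lineno<TAB>command<TAB>reason" per hit, never the secret itself.
scan_history() {
  awk '
    /^#[0-9]+$/ { next }   # timestamp lines bash writes when HISTTIMEFORMAT is set
    {
      why = ""
      if ($0 ~ /(^|[ \t])mysql(dump|admin)?[ \t].*[ \t]-p[^ \t]+/)
        why = "password glued to -p"
      else if ($0 ~ /--password[= ][^ \t]+/)
        why = "--password value"
      else if ($0 ~ "[a-z]+://[^/ \t:@]+:[^/ \t@]+@")
        why = "credentials in URL"
      if (why != "") printf "%d\t%s\t%s\n", NR, $1, why
    }' "$1"
}

# histcontrol_ok FILE: succeed if an rc file enables ignorespace
# (ignoreboth is shorthand for ignorespace plus ignoredups).
histcontrol_ok() {
  grep -Eq '^[[:space:]]*(export[[:space:]]+)?HISTCONTROL=.*(ignorespace|ignoreboth)' "$1"
}

# write_sample FILE: constructed history lines, not taken from any real system.
write_sample() {
  cat > "$1" <<'EOF'
ls -la
mysql -h host -u user -pMyPassword database
mysql -h host -u user -p database
#1378000000
curl https://deploy:s3cr3t@repo.example.invalid/build.tgz
mysqldump --port=3306 --password=hunter2 shop
svn status
EOF
}

# Stand-alone demo: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp); write_sample "$f"; scan_history "$f"; rm -f "$f"
fi
```

The third sample line, where `-p` stands alone and the client prompts for the password, is correctly not flagged. Any secret that is flagged should be rotated, since removing the line from history does not undo the exposure.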

------
Unosolo
The original Vanity Fair article tries very hard to paint a picture of a
stereotypical overly naive techy.

Little carefully inserted details such as pain-the-back side of having to mow
the lawn, all these details should be creating a picture of life-unsavvy
coding recluse in reader's mind. The reader is supposed to chuckle "how naive,
anyone who is on $270K can just hire gardener to take care of the lawn!"

I have personal knowledge of programmers taking the code with them when
leaving employment for no particular reason except for "in case I might need
it as a reference" and then never ever looking at it again. In my mind it's
very much akin to hoarding.

I have very little doubt that the code would be unusable outside of GC
infrastructure.

What does seem unusually harsh is the punishment for the crime when no damage
was ever done to the victim; to me this is an attribute of a show-case trial.

------
thejosh
Linkbait title to blogspam for a vanity fair article, contains copypaste
snippets from the original.

~~~
garry
I think there is probably still a little bit to be said for curation in this
world. The original article was quite long (and a great read and I recommend
it) and there were nuggets in it I found interesting.

I actually did try to submit the original article myself earlier today, and
noticed that it had already been submitted several days ago. So at least I did
upvote that.

~~~
josephkern
Garry, yes curation is important, in fact, that's why HN exists, to curate and
comment _primary_ sources.

If the article has already been submitted then why try to resubmit it after
copying and pasting the content into another URL?

The best way to do this on HN is to take the stance of the opposition and
write an inflammatory headline, "I support (unpopular position) X, because
(popular position) Y is considered harmful"

~~~
garry
I didn't submit this particular item, nor did I upvote it. I wrote it on my
personal blog because I thought it was interesting.

Also that sort of title is editorializing, and that's not encouraged.

~~~
josephkern
My apologies garry, I didn't look at the OP. Personal blogs are personal. ;-)

I completely misunderstood your initial comment.

------
davidw
Previous discussion here:

[https://news.ycombinator.com/item?id=6146446](https://news.ycombinator.com/item?id=6146446)

~~~
gruseom
I was disappointed in that previous discussion. Take away the off-topic stuff
and it seemed like most reactions varied from "Good, throw the book at him" to
"God that guy was dumb".

If Lewis' portrayal is accurate, then Aleynikov is pretty clearly an
otherworldly technical type. That doesn't mean he should be exempt from laws,
but it's not irrelevant either. For one thing, to anyone who knows the type,
it says something about intent: his intent was likely not to exploit someone
else's secrets, but to work on interesting things. A programmer like that
wouldn't download code because it contained secrets; he'd download it because
it contained library routines that he didn't want to have to rewrite someday.
Why would he steal secrets? Anything important, he could just derive later. He
probably thought that Goldman's technical designs were all wrong and would
make a point of not copying them anyway.

There are countless stories of otherworldly technical types, including many
heroes to people here, running afoul of laws or regulations and having to be
rescued by the more worldly members of their scientific/technical community. I
expected this technical community to recognize that pattern in Aleynikov and
react with some empathy, because we all know someone like that or have a
little of the type in ourselves. Instead we got a bit of a Colonel Blimp
chorus. I hope that was just sample bias.

I wish we could see that source code. After reading Lewis' article, I would be
shocked if it contained anything of nontrivial value to Goldman.

~~~
ig1
According to the indictment the source code included Goldman's proprietary stock
option pricing algos.

~~~
tankenmate
But the Vanity article explicitly states that the "Jury" asked him whether he
took the strats (the trading strategies) and he said "No."; the response from
the "Jury" was telling, they said "Why not take the valuable stuff?"

~~~
ig1
Pricing algorithms are different from trading strategies (although they're
obviously related). In any case that's purely a matter of evidence, he either
copied a piece of code or he didn't.

~~~
tankenmate
But breach of contract and copyright are civil issues, not criminal (modulo
the insane copyright criminality laws of late). Besides, no damages have ever
been postulated, let alone proved.

~~~
ig1
Trade secret violations can be prosecuted under criminal law, any company can
request a criminal investigation in such a case. In the last decade there have
been around 100 criminal convictions for theft of trade secrets.

------
Narkov
Since when is a crime measured in megabytes?

~~~
gruseom
The degree of harm caused is often a factor in measuring a crime, especially
when it comes to sentencing. As Garry points out, 8 years for this is crazy.

~~~
cocoflunchy
Well it is 1 year per megabyte... seems perfectly fair to me!

~~~
troels
Now, that'll teach people to be concise!

------
adambratt
I'm reposting one of the comments from the blog here for a bit more exposure.
I think this gives a good alternative viewpoint on the case:

"I worked literally side by side with Serge while at Goldman Sachs, so I have
substantial perspective on this. Let's be clear -- Goldman Sachs did not
pursue him, the relevant district attorney of NY did. Goldman's job is not to
prosecute, it is to provide the facts of the case to the judicial system,
which decides whether to go after him or not. We can argue about whether the
punishment was excessive but let's stop blaming a firm that is a private
company which has no ability to prosecute. And I can tell you that what Serge
did was incredibly against the terms of his employment agreement. The open
source aspect is overblown, obviously if it were freely available and not
substantially different he would have no need to upload it days before he
left. The fact of the industry is people steal code all the time, he just
happened to be one of the unfortunate programmers to be caught and made an
example of. But it certainly doesn't mean he's a victim here. When a company
is paying you 500k+ a year to write code on its time, the understanding is
that they have the say as to what happens to it, not you. You can't just say,
I don't think this is that materially different so I'm going to send it to
myself before I work for a competitor."

------
ivan_gammel
This guy has made two mistakes: 1. He used OS code without consulting first
with legal department of the company. 2. Transferred the source code outside
the corporate network without consulting first with legal department. His
boss may be not competent in this field, but the legal department must be
and, I believe, they already have a policy for OS solutions. This developer
made a measurable damage to the company, which should now take some efforts to
clean up the OS code or face possibility of being required to release its own
code under OS license. I clearly see this as a good reason to sue him.

The main problem with this situation is educational: "brilliant scientists"
and "smart developers" (especially from ex-USSR countries) are not paying
enough attention to the legal issues related to their jobs. They do not try to
secure their rights and do not consider the possibility that they violate the
other's rights by their technical actions. It would be great if CS courses in
universities will include a short talk about what's good and what's bad in
legal field. For now, the more attention will be paid to such cases, the
better for everyone.

~~~
redblacktree
So then you support making an example of this guy, because others don't pay
enough attention to the law? Am I reading that right?

~~~
ivan_gammel
No, you are not reading it right. There's no "because" in my comment.

------
nallerooth
Seriously, this part (if true) doesn't really help him.

"He pulled up his browser and typed into it the words: Free Subversion
Repository. Up popped a list of places that stored code, for free, and in a
convenient fashion. He clicked the first link on the list. The entire process
took about eight seconds."

Pushing "proprietary" code to a repo without knowing that it is a) secure and
b) allowed feels like a great way to not follow an NDA.

------
chrisbennet
From the comments: "Why are you putting him in jail? Again, Goldman has no
ability to put people in jail. Only the justice system does. Why this kind of
narrative continues to be OK with people, I have no idea."

This justice system didn't decide out of the blue to go after Aleynikov one day.
G.S. _asked_ them to do it. I suppose if you work for G.S. you need to be very
good at rationalizing things in order to sleep at night.

If I worked for G.S. I would probably tell myself: "G.S. doesn't cause the
starvation of millions of people, we just speculate on food commodities."
(Google "goldman sach starvation")

------
ig1
From the indictment the source code contained "the trading algorithms that
determined the value of stock options" and was "hundreds of thousands of lines
of source code".

Source:
[http://online.wsj.com/public/resources/documents/021110aleyn...](http://online.wsj.com/public/resources/documents/021110aleynikovindictment.pdf)

------
MyDogHasFleas
After reading the whole VF article I come to two conclusions.

1. If you work for a company which (as I'm sure GS does) has a policy
forbidding you from uploading company data to the public cloud, don't violate
that policy. Especially if it's source code you wrote while working there.
(The open source argument is a red herring. It doesn't matter.). And super
especially if you're about to leave for a competitor.

2. If you work in an industry and for a company that is being scrutinized by
the Feds and is heavily regulated, really REALLY don't violate policies like
this arbitrarily and on your own, because you might go to jail.

Is it "fair" what happened to him? No. But lots of unfair things happen. He
paved the way with his thoughtless actions.

------
woah
Was he tried by a jury of software engineers?

~~~
petegrif
The notion that one be tried by a jury of one's peers is practically
meaningless for any 'crime' involving scientific knowledge or any specialized
competence.

~~~
sriramk
If you read the original Vanity Fair piece, Lewis assembles a true 'jury' of
his peers - that's the best part of the piece.

~~~
Tyrannosaurs
The problem with that is you tend to start narrowing down the views and
opinions in that group.

People who work in IT tend to be smarter, richer, more inclined to be left
leaning in their politics and so on. They have expertise to understand the
problem but they don't necessarily represent the views of the country which is
what a jury is meant to do.

------
pawrvx
Goldman is above the law...

