[Goldman] called the F.B.I. in haste, just two days before, and then put their agent through what amounted to a crash course on high-frequency trading and computer programming. McSwain later conceded that he didn’t seek out independent expert advice to study the code Serge Aleynikov had taken. (“I relied on statements from Goldman employees.”) He himself had no idea of the value of the stolen code (“Representatives of Goldman told me it was worth a lot of money”) or if any of it was actually all that special (he based his belief that the code contained trade secrets on “representations made by members of Goldman Sachs”)...The F.B.I.’s investigation before the arrest consisted of trusting Goldman’s explanation of some extremely complicated stuff, and 48 hours after Goldman called the F.B.I., Serge was arrested.
That, as the complaint highlights, the FBI instinctively acted as Goldman's punitive arm rather than conducting an independent investigation into the facts of the case is disturbing, regardless of the merit of the allegations.
"Aleynikov’s last day at Goldman was June 5, 2009. At approximately 5:20 p.m., just before his going-away party, Aleynikov encrypted and uploaded to a server in Germany more than 500,000 lines of source code for Goldman’s HFT system, including code for a substantial part of the infrastructure, and some of the algorithms and market data connectivity programs." [Page 5].
"Aleynikov also transferred some open source software licensed for use by the public that was mixed in with Goldman's proprietary code. However, a substantially greater number of the uploaded files contained proprietary code than had open source software." [Page 5, Footnote 1].
He was convicted for violating the NSPA (National Stolen Property Act) and the EEA (Economic Espionage Act). The conviction for the former was vacated because the Second Circuit construed the NSPA not to extend to intangible property. [Page 18-19]. And the EEA conviction was vacated because the statute requires the product to be "produced for" or "placed in" interstate commerce, while Goldman never intended to sell or license the software. [Page 27].
The Court concluded that he had in fact tried to take 500,000 lines of valuable and mostly proprietary source code, but that his conduct didn't fall within the reach of the two laws charged in the indictment. Solid legal analysis, but an ordinary person would say that he got off on a technicality. Which is fine--if you can lawyer your way out of a conviction, you deserve to.
But help me understand what the FBI did wrong, or Goldman for that matter. The legal questions that were resolved in Aleynikov's favor were subtle ones. How would additional investigation on the part of the FBI have helped? And what exactly did Goldman do wrong in reporting him?
You don't have to understand the source code to know it is a trade secret with enough certainty for probable cause. Goldman could be lying, but so could the shop owner who claims you drove off without paying for your gasoline.
If someone walked out of Intel with the design docs and recipe for the latest intel chipset, would you expect the FBI to understand it all before arresting the person?
The FBI has technical specialists on staff that could very quickly say, "Yes, this complaint checks out." The problem here is that the agent apparently just took Goldman at their word, and didn't conduct an independent investigation of Goldman's claims, which is kind of their entire job. This is especially relevant because the value of stolen property can seriously affect charging and sentencing.
If you or I called the FBI and said "An employee stole proprietary code worth millions," there's no way the FBI would take that at face value, if you could even get their attention.
When the Federal government treats powerful corporations differently, to the point of effectively outsourcing its investigation, that severely undermines the principle of equality before the law.
Taking the time to confirm that the code itself is a trade secret is a monumental task, one that isn't needed to determine if there was probable cause.
Here's the piece in Vanity Fair where the general consensus was that his actions indicate his intent was definitely not to steal valuable IP. http://www.vanityfair.com/news/2013/09/michael-lewis-goldman...
Witness this exchange:
“Did you take the strats?” asked one (meaning Goldman’s trading strategies).
“No,” said Serge. That was one thing the prosecutors hadn’t accused him of.
“But that’s the secret sauce, if there is one,” said the juror. “If you’re going to take something, take the strats.”
“I wasn’t interested in the strats,” said Serge.
“But that’s like stealing the jewelry box without the jewels,” said another juror.
“You had super-user status!” said the first. “You could easily have taken the strats. Why didn’t you?”
“To me, the technology really is not interesting,” said Serge.
“You weren’t interested in how they made hundreds of millions of dollars?” asked someone else.
“Not really,” said Serge. “It’s all one big gamble, one way or another.”
So if the essence of the crime is theft of a trade secret, then you absolutely have to conduct an independent investigation that a trade secret was involved, and that it was stolen to have probable cause.
The precedent here is a large corporation can use the government as an enforcement arm, and will be taken completely at face value. Simple allegations by individuals are subject to investigation prior to arrest, as should be all allegations.
This boiled down to Goldman calling the FBI, and less than forty-eight hours later arresting the person Goldman told them to arrest. They didn't interview any witnesses or consult with any experts other than Goldman employees.
That was his defense. But the jury found that he had in fact grabbed valuable proprietary software, and the Second Circuit agreed that the 500,000 lines that he uploaded were mostly proprietary, valuable code.
> So if the essence of the crime is theft of a trade secret, then you absolutely have to conduct an independent investigation that a trade secret was involved, and that it was stolen to have probable cause.
> The precedent here is a large corporation can use the government as an enforcement arm, and will be taken completely at face value. Simple allegations by individuals are subject to investigation prior to arrest, as should be all allegations.
Probable cause does not require a mini-trial before an arrest. Goldman didn't make "simple allegations." They backed up those allegations with evidence of Aleynikov having sent himself 500,000 lines of code, under suspicious circumstances (not just erasing his bash history, but doing so on his last day, doing so contrary to company policy, and doing so right before going to work at a competitor). The FBI didn't take any allegations at face value, and when Aleynikov was acquitted, it wasn't because the software he copied wasn't actually proprietary and valuable.
According to Michael Lewis, Aleynikov was in the habit of exporting his svn repo weekly. So, not really suspicious at all.
>>He sent the files the same way he had sent himself files nearly every week, since his first month on the job at Goldman.
You and rayiner and Aleynikov all agree that it's fine and reasonable that Aleynikov was pardoned. There's no argument to be had about that.
Aleynikov thinks that the FBI agents who arrested him did so improperly. rayiner is doubtful, and would like to hear if anyone can convince him.
Your arguments for why the FBI agents acted improperly amount to "yeah, but it turns out that ....". These arguments are not a good reason to not arrest someone. They're a good reason to find someone innocent after trying them.
Sometimes circumstances are such that an innocent person looks highly suspicious to reasonable people with a reasonable amount of evidence. In those cases, it's reasonable, though unfortunate, that law enforcement arrest and charge that innocent person. Isn't it?
As far as I can tell, rayiner is right.... we have no evidence that Aleynikov was arrested improperly.
I doubt I could convince rayiner of anything, but I'll at least refute some of the more ridiculous things he says.
>Your arguments for why the FBI agents acted improperly amount to "yeah, but it turns out that ...."
No, I've responded to rayiner's suppositions that because some activity might be sketchy, it must be.
[rayiner says](https://news.ycombinator.com/item?id=9047068) encrypting and exporting files to a repository in a foreign land is sketchy.
I say, ssh, gzip, and svn are pretty normal tools that programmers use frequently. So are hosted servers in foreign countries.
rayiner says that deleting .bash_history is sketchy, I say it's a reasonable, nay a responsible thing to do if failing to do so would leave sensitive information (such as a password) available for others to peruse.
>These arguments are not a good reason to not arrest someone. They're a good reason to find someone innocent after trying them.
IMO if the government is going to arrest a person, attempt to hold them without bond, settle for a mere $700,000 bond, (arguably depriving the person of counsel); then the government's burden of "probable cause" ought to be a bit more substantial than "some bros down at Goldman Sachs said...", and this guy uses "subversion" software. We can't have the police running around arresting everyone who might have possibly committed a crime. There needs to be actual, you know, probable cause.
>Sometimes circumstances are such that an innocent person looks highly suspicious to reasonable people with a reasonable amount of evidence. In those cases, it's reasonable, though unfortunate, that law enforcement arrest and charge that innocent person. Isn't it?
What do you make of the fact that:
>>"In the New York state case, a judge ruled the 2009 arrest was illegal. He threw out seized physical evidence, including computer hardware carrying the source code."
>>"New York State Supreme Court Justice Ronald Zweibel also barred prosecutors from using statements Aleynikov made to the FBI after his arrest at Newark Liberty International Airport."
Are these judges unreasonable? Sure, mistakes happen, everyone deserves a Mulligan once in a while. That's not what we have here though. The FBI had plenty of opportunities to check their work, which was shabby. Instead of doing that, they forged ahead doing the bidding of Goldman Sachs, uncritically. And, now that the federal case has failed, GS has their hand up the back of a Manhattan DA. We can quibble about these little details more if you want but this whole affair has got a stench about it.
>As far as I can tell, rayiner is right.... we have no evidence that Aleynikov was arrested improperly.
No evidence? What's Zweibel's problem then?:
>In a 71-page opinion, Justice Ronald A. Zweibel of State Supreme Court in Manhattan ruled that the F.B.I. “did not have probable cause to arrest defendant, let alone search him or his home.” The arrest was “illegal,” Justice Zweibel wrote, and Mr. Aleynikov’s “Fourth Amendment rights were violated as a result of a mistake of law.”
I dispute the idea that any senior developer could work at Goldman Sachs on an HFT infrastructure and believe that they were authorized to --- or, indeed, that they would not be immediately fired for --- uploading the code to a proprietary automated trading system to a random SVN host in a different country. This is the code we, as security testers, were never allowed to see, even after owning up the machines hosting it. These firms are not kidding around about this stuff. It is a huge smoking gun to have uploaded any of it to some off-brand foreign svn host.
These are firms where you can be fired for plugging a thumb drive into your computer, or for using the company network to access Dropbox. I have worked for more than one financial firm that spent literally millions of dollars merely on the problem of detecting their network users trying to reach Google Mail.
I also dispute the idea that because developers commonly use ssh, gzip, and svn, that it is common practice to (1) gzip a tarball of source code, (2) encrypt that source code, (3) commit that compressed encrypted blob to svn, (4) remove all traces of the encryption key from their work computer. That's something that happens zero times on normal dev machines.
The conviction was overturned because the technical details of exactly what Aleynikov took from GS didn't fit the ambitious charge the DOJ filed against him. But the appeal doesn't refute the finding of facts from the original trial, which include:
There was more than sufficient evidence presented at trial, however, for a rational juror to conclude that Aleynikov intended to steal Goldman Sachs' proprietary source code. First, it was undisputed at trial that Aleynikov actually did take proprietary source code from Goldman Sachs. As Aleynikov concedes in his motion papers, the code he took from Goldman Sachs included a “purposefully designed” portion of the Goldman Sachs “proprietary, custom-built trading system.” Indeed, the evidence showed that Aleynikov took a significant percentage of the proprietary source code for that system. While Aleynikov attempted to show that there was open source code embedded within the proprietary code and to identify the files in which that might be true, his expert witness was only able to identify one file among those taken by Aleynikov that both bore a Goldman Sachs copyright banner and appeared to contain open source code.
I'm just fine with Aleynikov's conviction being overturned. Again, the charges against him seemed ambitious.
But this is a forum full of software developers. Rayiner is a lawyer and a compiler developer. It's somewhat insulting to everyone's intelligence to pretend that people here are unfamiliar with ssh and svn. We understand how software development works. What happened here was extremely sketchy. You can't play the "well in the world of software development, this is totally normal" card on HN.
"Ambitious" is a bit charitable, in this context.
"Patently vacuous" -- to an extent that suggested, at the very least, a breakdown in the internal controls and safeguards (on the part of both the FBI and the prosecutor's office) designed to prevent precisely this kind of a fiasco from happening -- might be a better description.
Like Rayiner said, in layman's terms, he got off on a technicality.
The FBI and DOJ being on the wrong side of a close call in statutory interpretation isn't "patently vacuous."
That's not what the court found. Otherwise the charges wouldn't have been dropped.
It sounds like you're conflating the issue of whether he violated the "spirit" of the law (or whether he was, in your view, just plain morally culpable somehow) -- versus what the law actually had to say about his actions.
If you want to minimize any sense of exoneration or vindication the accused might want to derive from the court's decision, by saying he "got off on a technicality", that's fine.
But to claim that he "definitely violated" the law when the courts found that he definitely did not -- I'm just not sure I see the point in that.
I've never set foot in one, but one thing I have learned watching this incident and others is that some of these firms have varying degrees of carelessness and cluelessness within their businesses; especially with respect to IT (Knight Capital comes to mind). In that respect, they are like any other company, some careful and fastidious, some, flying on a wing and a prayer.
>This is the code we, as security testers, were never allowed to see, even after owning up the machines hosting it. These firms are not kidding around about this stuff.
I may often disagree with some of your opinions here, but I can't say that I have the impression that you're not competent within your profession or that you lack integrity. It occurs to me that the firms that would hire your firm to audit them as opposed to some lesser outfit, are the same firms that run a pretty tight ship in their own businesses. Has it occurred to you that not all trading firms or even divisions within the same company are cut from the same cloth?
>These are firms where you can be fired for plugging a thumb drive into your computer
Yeah, I've seen some companies with ridiculously conservative IT policies. I can see it being applied at a bank or a trading firm. The policies are often meaningless though, when the policies basically state that you can be fired for doing anything, but in reality that doesn't happen. I've worked at one of those companies where a too-large portion of engineering's time was spent circumventing IT systems, activities for which one could've been fired. Those companies always have plenty of ways to fire people.
>I also dispute the idea that because developers commonly use ssh, gzip, and svn, that it is common practice to
I remember about ten years ago working with an engineer whose idea of a source code revision control system was to zip up and password protect source code archives. It may not be common, and Aleynikov wasn't doing it for the same reasons, but by itself, it isn't proof of anything nefarious.
>There was more than sufficient evidence presented at trial, however, for a rational juror to
Interestingly, none of the jurors were employed in tech, and none had a college degree. Not that it would always be necessary, but it is worth considering the possibility that none of them understood what they were being told. It's hard for me to agree that situation was rational unless those were some exceptional high school graduates.
>But this is a forum full of software developers. Rayiner is a lawyer and a compiler developer. It's somewhat insulting to everyone's intelligence to pretend that people here are unfamiliar with ssh and svn.
If you or Rayiner don't like my tone, I'll tell you that I think it is a bit of an embarrassment to have to point some of these things out here. Maybe Rayiner will have enough respect in the future not to parrot statements from the FBI's and the prosecutor's press releases. We've all been spectators here of a number of high profile prosecutions of software developers, and if there is anything to be learned from those experiences, it is that prosecutors and FBI agents will characterize the suspect/defendant in the most damning light possible. Anything that one of them says has to be taken with a grain of salt.
>We understand how software development works. What happened here was extremely sketchy.
Probably so, but not necessarily so, and not on the basis of some of the things ITT.
>You can't play the "well in the world of software development, this is totally normal" card on HN.
It is laughable. I'm probably one of the least qualified people to lecture to this audience, but here it is.
And I also delete my bash history all the time if I do something stupid like manually enter a password into the command line.
One thing to keep in mind is that Aleynikov is clearly one of those rare types for whom the technology is an end in itself rather than a means toward anything. That leads to a type of naiveté about following IT security policies. I don't know quite what the proper name is for this disposition, but we've all encountered them.
>I also dispute the idea that because developers commonly use ssh, gzip, and svn, that it is common practice to (1) gzip a tarball of source code, (2) encrypt that source code, (3) commit that compressed encrypted blob to svn, (4) remove all traces of the encryption key from their work computer. That's something that happens zero times on normal dev machines.
Agreed, but it was established that he did this fairly consistently throughout the course of his employment. It's idiosyncratic, but not unexplainable. Sure, it was poor development practice, but I'm not convinced it was malicious.
Again, if the intent was trade secret theft, why not take the valuable part, the trading strategies?
With regard to the "valuable part," financial experts will tell you that lives in the trading strategies, which he didn't take. You must admit that's very odd behavior for a malicious thief.
You keep trying to shift the focus to the trial, when what disturbs me and so many others is not the trial or its findings.
Whether or not he actually stole the code is immaterial to whether the FBI did a proper investigation prior to arrest, or whether Goldman Sachs received special treatment because of their size, wealth, and power.
Civil people can disagree without being disagreeable, and I know from your comments around the site that you're a civil person, so if my tone has been less than appropriate I apologize.
As for the conversation itself, as you said, it stands as is, and we can let the other readers judge the facts for themselves.
My challenge to the validity of the arrest is that there was no independent investigation performed prior. This wasn't just contempt prior to investigation, it was arrest prior to investigation.
Now, I will acknowledge that probable cause is a very low standard, and it is likely that there isn't a legal course of action here.
If you read the complaint, the trial transcript, or even the top post here, it's abundantly clear the so-called investigation relied solely upon the word of Goldman Sachs's employees. The FBI agent even admitted that he did not understand the nature of the crime at the time he filed the complaint.
>"McSwain later conceded that he didn’t seek out independent expert advice to study the code Serge Aleynikov had taken. (“I relied on statements from Goldman employees.”) He himself had no idea of the value of the stolen code (“Representatives of Goldman told me it was worth a lot of money”) or if any of it was actually all that special (he based his belief that the code contained trade secrets on “representations made by members of Goldman Sachs”)...The F.B.I.’s investigation before the arrest consisted of trusting Goldman’s explanation of some extremely complicated stuff, and 48 hours after Goldman called the F.B.I., Serge was arrested."
Your argument amounts to: "Sure, but the guy was guilty and only got off on a technicality, so who cares."
People keep explaining the dire problems with this viewpoint, and I don't know why it needs to be continually repeated.
Silly analogies lead to silly conclusions, because they inherently obscure essential facts in the comparison.
This wasn't a piece of tangible property, which the agent could understand. This was an immensely complicated issue to a lay person who admitted that he didn't really understand what had been stolen or how much it was worth.
He just listened to Goldman Sachs say trust us and made an arrest within 48 hours.
If you don't understand why it's disturbing that the FBI blindly did the bidding of one of the most powerful corporations on Earth, there's simply no point in continuing to debate the issue.
Except that you're starting with a false premise: the offenses for which Aleynikov was initially charged -- theft of trade secrets, and transportation of stolen property in interstate commerce -- were in no way as clear cut as simply "taking a painting from a private gallery." As you are no doubt aware, from your detailed knowledge of the case.
You think the police should need a statement from a 3rd party art historian in order to make an arrest?
What the FBI (and the prosecution team) have primarily been faulted for has been their (by now obvious, if not admitted) failure to understand the basic nature of the charges against the accused -- to the extent that they missed the fact that his conduct would not even have constituted an offense against either statute.
In addition, yes, there's the matter of how much the "stolen" (or rather, copied) bits were actually "worth" (or whether they could, in fact, "be used to manipulate markets in unfair ways", per GS's initial complaint.) Should the FBI have waited to consult an outside authority to make an independent assessment of these claims before making an arrest? That I cannot say.
But that both the premier criminal investigative arm of the richest country in the world -- and the highest-profile prosecution office tasked with keeping us safe from white collar crime, in that same country -- should have known that the "value" of copied source code just might be a teensy, weensy bit trickier and more nuanced to assess than that of say, an Edvard Munch painting pilfered from a major gallery in broad daylight? Or that they should have like, you know, read the actual text of the statutes he was being prosecuted under before filing actual charges against him (and throwing him in the klink for a year as a protective measure)? We should hope so.
I'm far more concerned with the FBI acting almost as an extension of Goldman, effectively abrogating their responsibility to investigate prior to arrest to a large private corporation.
Which license does that?
And yet the finding here is there was no probable cause.
Indeed, but the difference is that the FBI (or police) will arrest whomever Goldman tells them to while completely ignoring the shopkeeper's complaints, possibly even going as far as to tell them not to waste their time.
> Then [the FBI agent] explained what he knew, or thought he knew: in April 2009, Serge had accepted a job at a new high-frequency-trading shop called Teza Technologies, but had remained at Goldman for the next six weeks, until June 5, during which time he sent himself, through a so-called “subversion repository,” 32 megabytes of source code from Goldman’s high-frequency stock-trading system.
Lewis weaves a lot of editorializing and red-herrings into the account, but here's the punchline:
> All of which was true, as far as it went...
Nobody disputes that at the time Aleynikov was arrested, the FBI had evidence that he had sent himself a bunch of source code and covered his tracks. And at trial, the prosecution proved that he had in fact done that.
So what the heck else was the FBI supposed to do?
He deleted his bash history. For all you know, that may have been a standard procedure.
email@example.com:~/ >svn export --username Aleynikov --password Hunter2 --non-interactive svn://subversion.ZOMG.think.of.the.children.com/espionage/exportFile
firstname.lastname@example.org:~/ >rm .bash_history
He of course could have had proprietary source code in his repositories for work in the first place - but bundling and uploading everything does look highly suspicious - and he should have known better.
[Goldman] called the F.B.I. in haste, just two days before, and then put their agent through what amounted to a crash course on high-frequency trading and computer programming. McSwain later conceded that he didn’t seek out independent expert advice to study the code Serge Aleynikov had taken.
This is the very surprising part.
On the one hand, people seem to be giving GS a pass for stripping the copyright notices from GPL'd code they used, but taking them at their word and treating it as high treason when Aleynikov makes a copy of the modified GPL code for himself.
>> "McSwain later conceded that he didn’t seek out independent expert advice to study the code Serge Aleynikov had taken."
>This is the very surprising part.
It's just the lazy careless work of a modern day Pinkerton man.
It's only illegal if Goldman distributed it, which they didn't. It's perfectly okay to modify GPL'ed code for internal purposes without open-sourcing the changes.
I'm not a lawyer but as far as I understand they were stripping the copyright notice, which is explicitly forbidden by the licenses. i.e. the MIT license:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
> The stripping clause only comes into place when you distribute the code, just as the GPL's copy-left requirement only comes into play when you distribute the code.
I absolutely wish this was the case: copying internally within an organization such as a school, a church, or a business should be legal for any purposes regardless of the license something comes with... However, I'd not be very certain of support of companies like Microsoft which would argue that their copyright licenses dictate usage within the organization and not just on distribution. And no, for these purposes there is no difference between Microsoft EULA and MIT license.
I'd imagine you can argue that you are in compliance if you distributed a git (or hg etc) repository with an older version that does include the copyright notice though.
My point is just that at what point does distribution begin? The entertainment industry wants us to believe that if I buy a CD, I am violating copyright by copying the audio CD to an iPod (doubly so if to a friend's iPod).
No, it doesn't. The stripping clause is a license condition with no limitation to distribution -- it expressly applies to all copies. Anything you need a license to do -- which is, anything that involves any of the exclusive rights tied to copyright (of which, the most prominent is copying, regardless of distribution) must follow it, barring an exception in the license or some other provision of law that limits the applicability of the exclusive rights in copyright.
As well as the stripping clause of the MIT license, this is also true with regard to GPLv2 provisions related to copyright notices, which are required for both modification of GPL-licensed code and copying and distribution of GPL-licensed code, though the GPLv3 only applies this to copies that are "conveyed" (compare Section 2 of the GPLv2 with the combination of Sections 2, 4, & 5 of the GPLv3.)
Where is distribution mentioned? Or, do you mean that nobody would have the chance to sue unless it were distributed, because they wouldn't find out?
One wonders whether this would have seemed less nefarious if he'd used a VCS that wasn't called "subversion." :)
Consider the extreme case where the VCS was called "theft-assistance" for example.
How would "He copied the code from a theft-assistance repository" sound to a jury that doesn't know what a VCS is and that theft-assistance is just a name?
If it was something generic and inoffensive, like Git, it would be OK, but "subversion" has a ...subversive undertone.
Most people have no idea what VCS is. To a lay person, "a so called 'mercurial repository'" would sound far less sinister than "a so called 'subversion repository'". The reality is that the repo probably had little to do with subverting anything, and was just a convenient way to transfer code.
I have to admit, that line made me chuckle.
> In addition to proprietary source code, Aleynikov also transferred some open source software licensed for use by the public that was mixed in with Goldman’s proprietary code. However, a substantially greater number of the uploaded files contained proprietary code than had open
At best that might extend to his initial arrest but not to his subsequent imprisonment. That was the result of a criminal trial that showed he violated the EEA. Which was subsequently overturned on appeal, but only because of a "technicality" in the phrasing of the law which has subsequently been clarified to explicitly and unreservedly criminalize the actions that he took.
What law did Goldman report a violation of? What law did the FBI investigate a violation of? While one can report some alleged violation of some law, the FBI is aware of laws, especially the laws the FBI is assigned to enforce. Bringing charges under the NSPA and EEA, which are obviously inapplicable here, instead of whatever (if any) law may have been applicable here is gross negligence, to say the least, on the part of the FBI. As a result, they wasted a lot of valuable (taxpayer) resources and ultimately let the criminal (if there was a real crime committed) go free.
>The legal questions that were resolved in Aleynikov's favor were subtle ones.
Are you kidding? How can subtle legal question(s) be summarized in one paragraph on an Internet forum?
When Congress updated the letter of the law they merely rephrased "included in a product that is produced for or placed in", which the court found to be not applicable to code not directly sold on the market, to "a product or service used in or intended for use in".
I'm not sure how well that one paragraph in an Internet forum summarizes it, but that's literally the only change that Congress made to declare his actions illegal (should they happen again). And it was at the behest of the judge who overturned the conviction, who specifically noted a problem with the phrasing of the law while noting that he fully expected Congress meant to include these actions in the criminal code.
What he did is illegal now and everyone thought it was illegal then.
He is also being charged under state law for it. It was also civil trade secret misappropriation and Goldman can sue him.
Like Rayiner said, he got off on a technicality.
> The Court concluded that he had in fact tried to take 500,000 lines of valuable and mostly proprietary source code
I would dispute the value of the code. The code he took wasn't part of the "secret sauce". It didn't contain any of the logic for actually making High-speed trades.
On what basis, may we ask?
The only statements from the court that I'm aware of are those confirming that a significant amount of proprietary code (in comparison to the amount of OS code) was taken.
But not as to the "value" of the copied bits, or their potential to otherwise wreak havoc.
These are presumably the same kind of people that think anything that's source code is some kind of stuff that lays magical golden goose eggs, regardless of how trivial it is -- or even if it's open-source.
IMHO there is a much bigger, broader problem with non-technical people in positions of influence (and even the general public!). It's this same kind of disconnect that leads to mountains of trivial patents being filed. (I can't even count how many times I've heard of an engineer being put in a situation where they're told they need to patent some of their work, regardless of whether the engineer(s) think it's worth doing.)
Like, hopefully the FBI obeys the law and respects suspects' rights regardless of the particulars of Goldman's claim. If they're not doing that, that's a problem. But if somebody is lying to them, that's a felony they can pursue later, right?
Determining whether or not a crime has actually occurred is usually an essential part of a criminal investigation.
The gist is: everyone agrees the conviction needs to be overturned by the letter of the law, and so it was, but that's because the law was silly, which is why it was immediately changed by unanimous consent in the Senate and a 388-4 vote in the House in a bill specifically mentioning Aleynikov.
In actuality he got out because an appeals court found a loophole in the phrasing of the Economic Espionage Act -- which was immediately closed by Congress at the behest of the judge.  It had nothing to do with the lack of investigative thoroughness on the part of the FBI.
Yes, the very first thing you should do if investigating a reported crime is find out if the report is reliable.
needs, I think, to be taken with the following quote from your linked article:
> The Web site Serge had used (which has the word “subversion” in its name) as well as the location of its server (Germany) McSwain clearly found highly suspicious.
It looks like the FBI agent did "[conduct] an independent investigation into the facts"...it just wasn't a, shall we say, "good" investigation.
I had intended to write that concerns about the FBI acting as "Goldman's punitive arm" seem overblown, but as I was writing I think I changed my mind. While I initially thought liability would be a sufficient way of resolving this situation, the diffuse nature of responsibility here is going to make it really hard. On the other hand, I've seen instances where Michael Lewis himself has seemed to condemn the level of care in the application of government enforcement that seems to have been called for here.
Our government's actions weren't much different than what Putin might do in Sergey's old country of Russia. I'm sure he appreciates the irony in that.
Also, much of the workers' rights we have today are because of workers pushing back against such tactics. I feel like the people have forgotten how we got to the 8 hour day we are at, and when we forget history we tend to end up repeating it.
I'm a Michael Lewis fan --- I even liked _Next: The Future Just Happened_ --- but this book was so disappointing I've actually become disillusioned. What else was he wrong about that I wasn't clued in enough to notice? Do Greek people in reality try hard to pay their taxes? Was Chad Bradford a terrible deal for the A's? Was Marillion a terrible band?
Possibly even Baader-Meinhof phenomenon / AKA Frequency Illusion 
btw. obvious troll was obvious
>Sergey Aleynikov is a former Goldman Sachs computer programmer. In December 2010 he was wrongfully convicted of two counts of theft of trade secrets and sentenced to 97 months in prison. In February 2012 his conviction was overturned by the United States Court of Appeals for the Second Circuit that entered a judgement of acquittal, reversing the decision of the District court.
The main reason why he is suing the FBI is because:
>On June 20, 2014, upon reviewing the evidence, Justice Ronald Zweibel published a 71-page opinion in which the court ruled that F.B.I. “did not have probable cause to arrest defendant, let alone search him or his home.” The arrest was “illegal,” and Mr. Aleynikov’s “Fourth Amendment rights were violated as a result of a mistake of law.” Besides finding that he was arrested illegally without probable cause, the court blocked the majority of evidence passed by the F.B.I. to prosecutors at the NY State DA's office, as that property was supposed to be returned to Mr. Aleynikov upon his acquittal.
Goldman overreached and through their efforts got this guy arrested. That they could do that is a problem, but now everyone involved has been thoroughly spanked (with some bonus civil case spanking as well it seems). So the next time Goldman calls the FBI, they are going to be treated much more skeptically and the agents in charge are going to be unwilling to do anything based on Goldman's "word". Because the agents will remember this and they do not want to be the butt of interagency jokes, or up on civil liability.
They've already "clarified" and "closed" that loophole. Next time, the programmer actually would go to jail.
The system is messy, it doesn't travel in a straight line from broken to fixed, and it takes a lot of time and energy to get right. Consider Prohibition for a moment, it was freaking unconstitutional to drink for a while there. Yes it was broken, yes it got fixed. Just like Marijuana use is getting fixed, slowly, inexorably, fixed.
Martin Luther King was jailed by a broken system, and slowly, over time, it has been getting fixed.
You cannot see a tree grow, but it does. And many people cannot see that our system of governing is working, but it does. As long as you take the long view, it will. Believe that you are a helpless pawn and all is lost, and it won't.
 Rights for same sex marriage anyone? Used strong encryption in email?
Events led me to conclude that using the same account consistently was a bad idea from an employment standpoint. It has nothing to do with this. It is just what I do now. Hell, the password for this account should be easy to guess if you start with the letter a and work your way to the right.
> You cannot see a tree grow, but it does. And many people cannot see that our system of governing is working, but it does. As long as you take the long view, it will. Believe that you are a helpless pawn and all is lost, and it won't.
It is my belief that wealthy people can (usually) get away with passing whatever crap they want through Congress.
The only tool I have at my disposal is point out when this happens and hope people get outraged enough to do something. I'm confused why you view that with a belief that I'm helpless?
P.s. Given that I basically gave away the password, this is the last time I'll use the account.
> It is my belief that wealthy people can (usually)
> get away with passing whatever crap they want
> through Congress.
If you are wondering how to "engage with Congress" the easy way is during election season but you can also visit them in Washington or at their office in your district. While some districts are quite gerrymandered by their nature the local office is often within driving distance. They also host fundraisers, and while there are some expensive ones, there are also cheap ones (like $25 or $50 a "plate") since every dollar counts in a war chest. You can meet their staff at these (often quite accessible) and if you're at all reasonable develop something of a "relationship" with your elected representative. And even if you dislike their point of view until the next go-round they are your representative.
If you talk with other donors at the event you may find other donors who share your point of view on a particular issue and with some persuasion you may be able to develop a coalition of donors who think like you do, bringing even more attention to your issues.
Politics is people, and it is always local. You don't need to be wealthy to get access, you just need to be reasonable.
For a household making above the median, this might be viable.
You do have to admit people who have large families, single earner households due to disabled SO, etc. are going to have trouble justifying the expense of spending $200 a year "networking" in political circles.
If a homeless man says to you, "Mr. Loop, I am homeless and a veteran, and an alcoholic, and a deadbeat father, I deserve help from the government I fought for." You would tell him, "Well good luck with that." Or would you say, "I will see about getting your requirements heard."
The point is why is it "their" problem that they can't talk to the government effectively? Aren't they also citizens in this land?
I completely agree that people who, for whatever reason, are unable to participate in the governance of the country will be unable, by their very circumstance, to effect change. And you may very well be a member of that group. But if you are not, is there any reason that you couldn't be their voice if you chose to?
The way our system works is you get out what you put in. And there are people who are unable to put in, but there are also people who can put in for them and serve as their "influence" in the bigger picture. People and even the news media will tell you that they don't exist, and that the world is full of corruption and greed. That sells more newspapers I guess. But have you met your city council? Talked with them? Your county supervisors? If you haven't because you've been told it won't make a difference you have been lied to. And you can put that lie to the test by seeking those people out and putting yourself out there to help.
Yes, there are people with bogus motives in office. And there are good people in office. You can't really tell who is who without talking to them though. And when you find the bogus ones and get them removed, well that helps everyone.
And, as I started this conversation, it takes time. And there are setbacks, and sometimes the bozos win one. But you take the long view, the commitment that you will continue to push for a better version of the world. You may find more support than you expect.
Demonstrating that multiple people could have access to the account makes an excellent case for plausible deniability. In the right circumstances a court could compel HN to distinguish between these users (or at least, prove that the "multiple" aspect is a fiction), but the existence of doubt minimalizes the professional risk. This feels like about the right level of security for unpopular political meta-comments of this sort.
Then again, the risk of a court is never really a risk. This is perfectly legal. :P
Maybe for the former, the latter is true without a doubt.
> I guess that makes sense if the reason the FBI didn't have probable cause was because they should have known that, even if everything Goldman alleged, he still wouldn't have broken any laws.
From the article:
> On December 28, 2012, President Obama enacted the Theft of Trade Secrets Clarification Act of 2012, which clarifies the scope of the Economic Espionage Act of 1996 (18 U.S.C. §§ 1831-39). The newly enacted amendments are intended to reverse the recent Second Circuit decision in United States v. Aleynikov, 676 F.3d 71 (2d Cir. 2012).
The only way that statement makes sense is if the author believed that the FBI failed due to a lack of the acts alleged by Goldman Sachs being a crime. Imo, anyway.
maybe. but I sort of doubt it.
It also reminds me of the AT&T case where someone accessed records on public URLs and instead of AT&T getting a black eye for being so incompetent the dude went to jail. When will a corporation metaphorically go to jail? They steal, they lie, they cheat, they launder money, but yet they're always "too big to prosecute."
For those not in the know, that someone was weev.
(Not quite public URLs as the WWW was quite new at the time, but public information all the same.)
I'd like to see how corporate behavior changes if "jail" was a real possibility. For a crime that an individual would get two years in prison, shut down the company for two years. They can try to pick up the pieces after that period, just like the individual.
Nazi guards tried that defense. Didn't work for them either.
(Some of them were relatives of mine.)
I searched but didn't find anything about BoA home invasion. Link to story?
While malicious intent may be absent, to the victims that does not matter one iota.
Except if you have some information that I don't outside of the scope of my comment above.
Especially when the case relates to intellectual property, they have no special position in the society, and the crime may not be a crime but a civil case.
Of course it doesn't. That's the job of the FBI and legal system to determine.
How so? Anybody can contact the FBI.
And when that "someone" happens to be a massive, multi-billion dollar bank reporting a "crime", then I sure hope that they have the FBI's ears.
Action taken: none.
Your unverifiable anecdote doesn't hold much weight, I'm afraid. But do you really believe random-guy calling the FBI should warrant as much attention as multi-national financial institution reporting a potential crime?
People are complaining as if GS putting the FBI on people is rampant. As far as I'm aware it has happened this once (though I'm open to other tales) and an over-zealous investigator tried to make a name for himself and messed it up royally.
I agree, what they did to this poor fellow is disgraceful, but let's not pretend that the justice system doesn't have a habit of railroading people when they desire a suspect. That's the real tragedy.
Well, yeah, if corporations are people with equal rights, that means that the law should treat them equally to other people.
On the other hand if a young female student is raped, her newborn daughter brutally murdered and house burned to the ground, I expect half the police to be on high alert and the FBI to get involved.
GS's report of theft of software that produces billions in profits falls somewhere between these two extremes. The police/FBI do not have resources to investigate all crimes equally so they have to prioritize. The same way a browser remote-execution exploit is fixed way faster than a small UI glitch.
The question wasn't "should a person reporting a potentially wide-ranging crime doing lots of damage and impacting potentially large number of victims be treated differently than a person reporting a crime with lesser impacts".
There is a difference between asking if the magnitude of the crime reported should result in a different response and what actually was asked, which was whether who is reporting the crime should result in a different response.
Except that I could provide a complete paper trail of where the money went (to a local scam artist) -- that's how the financial system works.
It would be analogous to providing an end-to-end video of a car being stolen to a previously unknown chop shop.
What the police actually did would be analogous to ignoring that video but then arresting a car thief on a GS executive's say-so.
Or would you put just as much faith in Joe Programmer as you would in Steve Woz?
But in an account of a burglary - yes I would.
It seems you've accepted that justice favors those with high status over those with low status.
Perhaps you don't find that troubling. I do.
From the Vanity Fair article:
"The Web site Serge had used (which has the word 'subversion' in its name) as well as the location of its server (Germany) McSwain clearly found highly suspicious."
"Hacker News" is just in the title of the HTML document.
I would say Source Safe is your best bet.
On a serious note, I guess the modern lesson is names are used by idiots to attack us so pick your project names carefully.
sudo cp /usr/bin/git /usr/bin/patriot
This, in particular, is extremely useful for anyone using Erlang to interact with external processes: https://github.com/saleyn/erlexec
However the law is changed for future source code thefts. Here is an industry perspective
The only technicality that freed Aleynikov was that the source code was not sold as a product itself.
Aleynikov intended to monetize code which was technically Goldman's property, even if he wrote most of it. It would be a different story if he simply wanted to keep the code for archival and review purposes; he actually tried to help a startup by using it.
It sounds like he did violate the spirit of the law, if not the letter.
However I would also like to add that 8 years (+3 under supervision) is bonkers and completely disproportionate with the crime.
Just to put that into perspective, someone could commit rape twice and be out of jail first (3 years apiece approximately, or 6-7 years total).
It seems like as soon as a computer is involved in a crime, the sentence gets quadrupled. Instead of breaking into someone's computer, you should just run them down with your car, you'll likely get off easier in the latter case...
I don't know if it was definitively proven that he copied the code with the intent of helping the new startup. The evidence the FBI found was that he had the code on a laptop when meeting some of their founders, but I don't believe they had proof of what his intent was or proof that he shared it with them or that they were even aware of it.
He claims he did not intend to do any such thing:
>When he left, Sergey Aleynikov took a segment of code with him that was based on open source, but had some alterations that technically made it proprietary Goldman Sachs software.
>According to Sergey Aleynikov, the software was of no consequence to his job at Teza Technologies, but once they realized he had taken a segment of code from their servers Goldman Sachs contacted the FBI and within 48 hours Aleynikov was in custody.
So I would say the sentence should be based on the proven intent. If he really did intend to use most or all of the codebase while at the startup to gain them an edge, then I think a jail sentence is fair (though I agree 8 years is way too long). Otherwise, probably not, at least depending on how accurate his story is of what % of the codebase was open source originally.
"He agreed to hang around for six weeks and teach other Goldman people everything he knew, so they could continue to find and fix the broken bands in their gigantic rubber ball. Four times in the course of those last weeks he mailed himself source code he was working on. (He’d later be accused of sending himself 32 megabytes of code, but what he sent was essentially the same 8 megabytes of code four times over.) The files contained a lot of open-source code he had worked with, and modified, over the past two years, mingled together with code that wasn’t open source but proprietary to Goldman Sachs. As he would later try and fail to explain to an F.B.I. agent, he hoped to disentangle the one from the other, in case he needed to remind himself how he had done what he had done with the open-source code, in the event he might need to do it again. He sent these files the same way he had sent himself files nearly every week, since his first month on the job at Goldman. “No one had ever said a word to me about it,” he says. He pulled up his browser and typed into it the words: Free Subversion Repository. Up popped a list of places that stored code, for free, and in a convenient fashion. He clicked the first link on the list. The entire process took about eight seconds. And then he did what he had always done since he first started programming computers: he deleted his bash history. To access the computer he was required to type his password. If he didn’t delete his bash history, his password would be there to see, for anyone who had access to the system."
HFT barrier to entry is expertise. Any firm has as their biggest competitive risk their employees setting up with that expertise in competition. It happens all the time. To counter that, the optimal strategy of an HFT shop where an expert resigns is to sue them as far and deep into the ground as they can. Why?
As a lesson to all remaining staff
This gets an HFT shop an additional barrier to entry from competition from existing experts, their own.
Did GS deliberately follow this optimal tactic? I don't know, I have no evidence. Maybe the fact it is optimal for other reasons is unrelated and possibly even unknown to them. Form your own opinion on the balance of probabilities there.
1. They didn't sue him. They complained to the FBI and the government criminally prosecuted him for violation of the Economic Espionage Act.
2. The basis of the prosecution was that he exfiltrated 500,000+ lines of source code.
Doubtful this particular "tactic" could be more generally applied unless staff are engaging in similar activities now clearly prohibited under the EEA.
I would say the general tone here is "jack-booted FBI thugs falsely arrest hacker because their pal at Goldman Sachs pulled some strings". The implication being that this has all unravelled and he is now suing the government for corrupt trampling his constitutional rights.
After reading up, I would say a fairer characterization is "guy who got caught stealing proprietary code got off on a technicality because the law doesn't actually cover HFT code due to shortsighted phrasing".
Before you hit that downvote button, here's my support: the judge who overturned it called this out and Congress passed a law in 2012 to close the loophole through which he got his conviction overturned.
From the Congressional Record:
Quoting the appeals court, "just before his going-away party, Aleynikov encrypted and uploaded to a server in Germany more than 500,000 lines of source code for Goldman's HFT system ..... On June 2, 2009, Aleynikov flew ..... to Chicago to attend meetings at Teza. He brought with him a flash drive and a laptop containing portions of the Goldman source code. When Aleynikov flew back the following day, he was arrested by the FBI .....''"
In his concurring opinion, Judge Calabresi [Cal-abress-E] directly called upon Congress to clarify the scope of the EEA [Electronic Espionage Act] as he wrote:
[I]t is hard for me to conclude that Congress, in [the EEA], actually meant to exempt the kind of behavior in which Aleynikov engaged ..... [n]evertheless, while concurring [in the opinion], I wish to express the hope that Congress will return to the issue and state, in appropriate language, what I believe it meant to make criminal in the EEA.
Specifically the EEA used to say "included in a product that is produced for or placed in" interstate commerce, which the court thought didn't technically cover HFT code, and now reads "a product or service used in or intended for use in". That's it. That's the loophole.
If there ever was a case of violating the spirit, but not the letter of the law, this is it.
It is quite clear that he did not violate the spirit of the law. There was no clear intent to steal any "trade secrets" from Goldman Sachs, and the analogy brought up in the last part of the article that compares it to taking home a notebook you've used for scribbling down thoughts after you've quit your job, is apt
Very, very clearly, everyone from the legislature to the judiciary is in agreement that he violated the spirit of the law.
Even the judge who overturned the conviction said it was hard for him to believe that Congress didn't mean for the law to make his actions criminal. And then Congress immediately updated the letter of the law, unanimously, all the while explaining how it's unfortunate the previous letter of the law didn't capture the spirit of what they intended, specifically mentioning this case.
Also, the "it's just a notebook with scribbled down thoughts" analogy is poor. That implies that it's just his own thoughts he took. He uploaded 500,000+ lines of source code, then tried to cover up his tracks. That is exfiltrating extensive, proprietary trade secrets and was repeatedly cited by Congress as just the sort of activity they wished to criminalize in the Economic Espionage Act.
By the way, I don't think he should serve any more time. The sentence was too harsh IMO. But there is no question it is (now) illegal activity, because Congress specifically updated the law to make his exact actions illegal, naming him personally.
(Of course, they weren't technically illegal at the time he did them, according to the appellate court, which is why he was set free.)
And it's nonsensical to not try and interpret exactly what it is he copied and why he did so. As the Vanity Fair article points out, he did not in fact copy any of the vast amounts of valuable data he had access to. (He had access to everything!). But he chose tedious infrastructure code instead, to get a sense of what non-proprietary libraries that were used
That is a generous speculation regarding his motives. As GS notes in their response to Vanity Fair, "While some of those files included open source software, the Court determined that 'a substantially greater number of the uploaded files contained proprietary code.'" (emphasis mine)
But as far as whether what he did violated the spirit, and now letter of the law we have a conclusive answer direct from Congress: Yes, he did.
The trade secrets are the algorithms for trading. He did not touch those.
He took a very small amount of open source code that was mixed with proprietary code. This code may have been illegally obtained by Goldman Sachs due to common open source licenses requiring that improvements also be open sourced.
He was writing a new software in a different language. He was not stealing a platform to build code upon.
He was a very good programmer who was underpaid and mistreated. His own colleagues were coached to make him appear guilty of stealing 100% proprietary code. The majority of the code was open source. I find that to be dishonest testimony.
Stupid shit like this done by the FBI is costing taxpayer money. If Sergey Aleynikov wins then guess where the money will come from...
I always thought people should be financially accountable for their actions. The only thing that really works is touching the wallet.
The only lesson learned is that their coworkers, bosses and justice system will bend over backwards to make sure that they can get away with abuse and injustice without repercussions.
We tend to cheer for social justice against government abuse of power, but we're always the ones footing the bill.
Settlement and damage costs should come out of the agents' salaries across the entire organization.
Maybe police officers will stop shooting black teenagers if everyone on the force is docked $5000 for each application of lethal force.
If another officer's indiscretion or negligence were to reflect on your pay check, you would be less likely to help cover it up or ignore it.