"Aleynikov’s last day at Goldman was June 5, 2009. At approximately 5:20 p.m., just before his going-away party, Aleynikov encrypted and uploaded to a server in Germany more than 500,000 lines of source code for Goldman’s HFT system, including code for a substantial part of the infrastructure, and some of the algorithms and market data connectivity programs." [Page 5].
"Aleynikov also transferred some open source software licensed for use by the public that was mixed in with Goldman's proprietary code. However, a substantially greater number of the uploaded files contained proprietary code than had open source software." [Page 5, Footnote 1].
He was convicted for violating the NSPA (National Stolen Property Act) and the EEA (Economic Espionage Act). The conviction for the former was vacated because the Second Circuit construed the NSPA not to extend to intangible property. [Page 18-19]. And the EEA conviction was vacated because the statute requires the product to be "produced for" or "placed in" interstate commerce, while Goldman never intended to sell or license the software. [Page 27].
The Court concluded that he had in fact tried to take 500,000 lines of valuable and mostly proprietary source code, but that his conduct didn't fall within the reach of the two laws charged in the indictment. Solid legal analysis, but an ordinary person would say that he got off on a technicality. Which is fine--if you can lawyer your way out of a conviction, you deserve to.
But help me understand what the FBI did wrong, or Goldman for that matter. The legal questions that were resolved in Aleynikov's favor were subtle ones. How would additional investigation on the part of the FBI have helped? And what exactly did Goldman do wrong in reporting him?
I think the most troubling part was that a huge, powerful company can get a government agency on the phone and have someone locked up based pretty much exclusively on them saying "You won't understand why, but he did really bad stuff. Trust us."
Most arrests are X telling government that you did Y, which the government didn't directly see.
You don't have to understand the source code to know it is a trade secret with enough certainty for probable cause. Goldman could be lying, but so could the shop owner who claims you drove off without paying for your gasoline.
If someone walked out of Intel with the design docs and recipe for the latest Intel chipset, would you expect the FBI to understand it all before arresting the person?
The FBI has technical specialists on staff that could very quickly say, "Yes, this complaint checks out." The problem here is that the agent apparently just took Goldman at their word, and didn't conduct an independent investigation of Goldman's claims, which is kind of their entire job. This is especially relevant because the value of stolen property can seriously affect charging and sentencing.
If you or I called the FBI and said "An employee stole proprietary code worth millions," there's no way the FBI would take that at face value, if you could even get their attention.
When the Federal government treats powerful corporations differently, to the point of effectively outsourcing its investigation, that severely undermines the principle of equality before the law.
They confirmed that the guy took a ton of source code, right? Taking Goldman at their word that it was their IP isn't a huge stretch.
Taking the time to confirm that the code itself is a trade secret is a monumental task, one that isn't needed to determine if there was probable cause.
His argument was that most of it was open source, or modified open source with licenses that required contributing back the source code. Basically, it sounds like he grabbed his stuff because he wanted to get his utility functions and open source modifications.
“Did you take the strats?” asked one (meaning Goldman’s trading strategies).
“No,” said Serge. That was one thing the prosecutors hadn’t accused him of.
“But that’s the secret sauce, if there is one,” said the juror. “If you’re going to take something, take the strats.”
“I wasn’t interested in the strats,” said Serge.
“But that’s like stealing the jewelry box without the jewels,” said another juror.
“You had super-user status!” said the first. “You could easily have taken the strats. Why didn’t you?”
“To me, the technology really is not interesting,” said Serge.
“You weren’t interested in how they made hundreds of millions of dollars?” asked someone else.
“Not really,” said Serge. “It’s all one big gamble, one way or another.”
So if the essence of the crime is theft of a trade secret, then you absolutely have to conduct an independent investigation that a trade secret was involved, and that it was stolen to have probable cause.
The precedent here is a large corporation can use the government as an enforcement arm, and will be taken completely at face value. Simple allegations by individuals are subject to investigation prior to arrest, as should be all allegations.
This boiled down to Goldman calling the FBI, and less than forty-eight hours later arresting the person Goldman told them to arrest. They didn't interview any witnesses or consult with any experts other than Goldman employees.
> His argument was that most of it was open source, or modified open source with licenses that required contributing back the source code. Basically, it sounds like he grabbed his stuff because he wanted to get his utility functions and open source modifications.
That was his defense. But the jury found that he had in fact grabbed valuable proprietary software, and the Second Circuit agreed that the 500,000 lines that he uploaded were mostly proprietary, valuable code.
> So if the essence of the crime is theft of a trade secret, then you absolutely have to conduct an independent investigation that a trade secret was involved, and that it was stolen to have probable cause.
> The precedent here is a large corporation can use the government as an enforcement arm, and will be taken completely at face value. Simple allegations by individuals are subject to investigation prior to arrest, as should be all allegations.
Probable cause does not require a mini-trial before an arrest. Goldman didn't make "simple allegations." They backed up those allegations with evidence of Aleynikov having sent himself 500,000 lines of code, under suspicious circumstances (not just erasing his bash history, but doing so on his last day, doing so contrary to company policy, and doing so right before going to work at a competitor). The FBI didn't take any allegations at face value, and when Aleynikov was acquitted, it wasn't because the software he copied wasn't actually proprietary and valuable.
I'm confused, fnordfnordfnord; what is it you (and others in this thread) think you're arguing about?
You and rayiner and Aleynikov all agree that it's fine and reasonable that Aleynikov was pardoned. There's no argument to be had about that.
Aleynikov thinks that the FBI agents who arrested him did so improperly. rayiner is doubtful, and would like to hear if anyone can convince him.
Your arguments for why the FBI agents acted improperly amount to "yeah, but it turns out that ....". These arguments are not a good reason to not arrest someone. They're a good reason to find someone innocent after trying them.
Sometimes circumstances are such that an innocent person looks highly suspicious to reasonable people with a reasonable amount of evidence. In those cases, it's reasonable, though unfortunate, that law enforcement arrest and charge that innocent person. Isn't it?
As far as I can tell, rayiner is right.... we have no evidence that Aleynikov was arrested improperly.
I say, ssh, gzip, and svn are pretty normal tools that programmers use frequently. So are hosted servers in foreign countries.
rayiner says that deleting .bash_history is sketchy, I say it's a reasonable, nay a responsible thing to do if failing to do so would leave sensitive information (such as a password) available for others to peruse.
>These arguments are not a good reason to not arrest someone. They're a good reason to find someone innocent after trying them.
IMO if the government is going to arrest a person, attempt to hold them without bond, settle for a mere $700,000 bond, (arguably depriving the person of counsel); then the government's burden of "probable cause" ought to be a bit more substantial than "some bros down at Goldman Sachs said...", and this guy uses "subversion" software. We can't have the police running around arresting everyone who might have possibly committed a crime. There needs to be actual, you know, probable cause.
>Sometimes circumstances are such that an innocent person looks highly suspicious to reasonable people with a reasonable amount of evidence. In those cases, it's reasonable, though unfortunate, that law enforcement arrest and charge that innocent person. Isn't it?
What do you make of the fact that:
>>"In the New York state case, a judge ruled the 2009 arrest was illegal. He threw out seized physical evidence, including computer hardware carrying the source code."
and
>>"New York State Supreme Court Justice Ronald Zweibel also barred prosecutors from using statements Aleynikov made to the FBI after his arrest at Newark Liberty International Airport."
Are these judges unreasonable? Sure, mistakes happen, everyone deserves a Mulligan once in a while. That's not what we have here though. The FBI had plenty of opportunities to check their work, which was shabby. Instead of doing that, they forged ahead doing the bidding of Goldman Sachs, uncritically. And, now that the federal case has failed, GS has their hand up the back of a Manhattan DA. We can quibble about these little details more if you want but this whole affair has got a stench about it.
>As far as I can tell, rayiner is right.... we have no evidence that Aleynikov was arrested improperly.
No evidence? What's Zweibel's problem then?:
>In a 71-page opinion, Justice Ronald A. Zweibel of State Supreme Court in Manhattan ruled that the F.B.I. “did not have probable cause to arrest defendant, let alone search him or his home.” The arrest was “illegal,” Justice Zweibel wrote, and Mr. Aleynikov’s “Fourth Amendment rights were violated as a result of a mistake of law.”
I have a passing understanding of the policies and procedures binding on developers at trading firms.
I dispute the idea that any senior developer could work at Goldman Sachs on an HFT infrastructure and believe that they were authorized to --- or, indeed, that they would not be immediately fired for --- uploading the code to a proprietary automated trading system to a random SVN host in a different country. This is the code we, as security testers, were never allowed to see, even after owning up the machines hosting it. These firms are not kidding around about this stuff. It is a huge smoking gun to have uploaded any of it to some off-brand foreign svn host.
These are firms where you can be fired for plugging a thumb drive into your computer, or for using the company network to access Dropbox. I have worked for more than one financial firm that spent literally millions of dollars merely on the problem of detecting their network users trying to reach Google Mail.
I also dispute the idea that because developers commonly use ssh, gzip, and svn, that it is common practice to (1) gzip a tarball of source code, (2) encrypt that source code, (3) commit that compressed encrypted blob to svn, (4) remove all traces of the encryption key from their work computer. That's something that happens zero times on normal dev machines.
The conviction was overturned because the technical details of exactly what Aleynikov took from GS didn't fit the ambitious charge the DOJ filed against him. But the appeal doesn't refute the finding of facts from the original trial, which include:
> There was more than sufficient evidence presented at trial, however, for a rational juror to conclude that Aleynikov intended to steal Goldman Sachs' proprietary source code. First, it was undisputed at trial that Aleynikov actually did take proprietary source code from Goldman Sachs. As Aleynikov concedes in his motion papers, the code he took from Goldman Sachs included a “purposefully designed” portion of the Goldman Sachs “proprietary, custom-built trading system.” Indeed, the evidence showed that Aleynikov took a significant percentage of the proprietary source code for that system. While Aleynikov attempted to show that there was open source code embedded within the proprietary code and to identify the files in which that might be true, his expert witness was only able to identify one file among those taken by Aleynikov that both bore a Goldman Sachs copyright banner and appeared to contain open source code.
I'm just fine with Aleynikov's conviction being overturned. Again, the charges against him seemed ambitious.
But this is a forum full of software developers. Rayiner is a lawyer and a compiler developer. It's somewhat insulting to everyone's intelligence to pretend that people here are unfamiliar with ssh and svn. We understand how software development works. What happened here was extremely sketchy. You can't play the "well in the world of software development, this is totally normal" card on HN.
> I'm just fine with Aleynikov's conviction being overturned. Again, the charges against him seemed ambitious.
"Ambitious" is a bit charitable, in this context.
"Patently vacuous" -- to an extent that suggested, at the very least, a breakdown in the internal controls and safeguards (on the part of both the FBI and the prosecutor's office) designed to prevent precisely this kind of a fiasco from happening -- might be a better description.
You are being ridiculous. Aleynikov definitely violated New York trade secret law. He got off the federal charge because the trading software wasn't a product for sale, it was a product for internal use. The law was poorly drafted and once that came to light it was immediately fixed.
Like Rayiner said, in layman's terms, he got off on a technicality.
The FBI and DOJ being on the wrong side of a close call in statutory interpretation isn't "patently vacuous."
> Aleynikov definitely violated New York trade secret law.
That's not what the court found. Otherwise the charges wouldn't have been dropped.
It sounds like you're conflating the issue of whether he violated the "spirit" of the law (or whether he was, in your view, just plain morally culpable somehow) -- versus what the law actually had to say about his actions.
> Like Rayiner said, in layman's terms, he got off on a technicality.
If you want to minimize any sense of exoneration or vindication the accused might want to derive from the court's decision, by saying he "got off on a technicality", that's fine.
But to claim that he "definitely violated" the law when the courts found that he definitely did not -- I'm just not sure I see the point in that.
>I have a passing understanding of the policies and procedures binding on developers at trading firms.
I've never set foot in one, but one thing I have learned watching this incident and others is that some of these firms have varying degrees of carelessness and cluelessness within their businesses; especially with respect to IT (Knight Capital comes to mind). In that respect, they are like any other company, some careful and fastidious, some, flying on a wing and a prayer.
>This is the code we, as security testers, were never allowed to see, even after owning up the machines hosting it. These firms are not kidding around about this stuff.
I may often disagree with some of your opinions here, but I can't say that I have the impression that you're not competent within your profession or that you lack integrity. It occurs to me that the firms that would hire your firm to audit them as opposed to some lesser outfit, are the same firms that run a pretty tight ship in their own businesses. Has it occurred to you that not all trading firms or even divisions within the same company are cut from the same cloth?
>These are firms where you can be fired for plugging a thumb drive into your computer
Yeah, I've seen some companies with ridiculously conservative IT policies. I can see it being applied at a bank or a trading firm. The policies are often meaningless though, when the policies basically state that you can be fired for doing anything, but in reality that doesn't happen. I've worked at one of those companies where a too-large portion of engineering's time was spent circumventing IT systems, activities for which one could've been fired. Those companies always have plenty of ways to fire people.
>I also dispute the idea that because developers commonly use ssh, gzip, and svn, that it is common practice to
I remember about ten years ago working with an engineer whose idea of a source code revision control system was to zip up and password protect source code archives. It may not be common, and Aleynikov wasn't doing it for the same reasons, but by itself, it isn't proof of anything nefarious.
>There was more than sufficient evidence presented at trial, however, for a rational juror to
Interestingly, none of the jurors were employed in tech, and none had a college degree. Not that it would always be necessary, but it is worth considering the possibility that none of them understood what they were being told. It's hard for me to agree that situation was rational unless those were some exceptional high school graduates.
>But this is a forum full of software developers. Rayiner is a lawyer and a compiler developer. It's somewhat insulting to everyone's intelligence to pretend that people here are unfamiliar with ssh and svn.
If you or Rayiner don't like my tone, I'll tell you that I think it is a bit of an embarrassment to have to point some of these things out here. Maybe Rayiner will have enough respect in the future not to parrot statements from the FBI's and the prosecutor's press releases. We've all been spectators here of a number of high profile prosecutions of software developers, and if there is anything to be learned from those experiences, it is that prosecutors and FBI agents will characterize the suspect/defendant in the most damning light possible. Anything that one of them says has to be taken with a grain of salt.
>We understand how software development works. What happened here was extremely sketchy.
Probably so, but not necessarily so, and not on the basis of some of the things ITT.
>You can't play the "well in the world of software development, this is totally normal" card on HN.
It is laughable. I'm probably one of the least qualified people to lecture to this audience, but here it is.
Pretty sure my local git repository contains thousands of lines of valuable proprietary code (granted on a hardened dedicated work laptop), mixed with open source libraries etc.
And I also delete my bash history all the time if I do something stupid like manually enter a password into the command line.
One thing to keep in mind is that Aleynikov is clearly one of those rare types for whom the technology is an end in itself rather than a means toward anything. That leads to a type of naiveté about following IT security policies. I don't know quite what the proper name is for this disposition, but we've all encountered them.
>I also dispute the idea that because developers commonly use ssh, gzip, and svn, that it is common practice to (1) gzip a tarball of source code, (2) encrypt that source code, (3) commit that compressed encrypted blob to svn, (4) remove all traces of the encryption key from their work computer. That's something that happens zero times on normal dev machines.
Agreed, but it was established that he did this fairly consistently throughout the course of his employment. It's idiosyncratic, but not unexplainable. Sure, it was poor development practice, but I'm not convinced it was malicious.
Again, if the intent was trade secret theft, why not take the valuable part, the trading strategies?
The court found that he took large amounts of "the valuable part". He did more to cover his tracks than delete his bash history --- which my comment didn't mention. I feel like you're repeating talking points rather than addressing what I wrote.
With regard to the "valuable part," financial experts will tell you that lives in the trading strategies, which he didn't take. You must admit that's very odd behavior for a malicious thief.
You keep trying to shift the focus to the trial, when what disturbs me and so many others is not the trial or its findings.
Whether or not he actually stole the code is immaterial to whether the FBI did a proper investigation prior to arrest, or whether Goldman Sachs received special treatment because of their size, wealth, and power.
Agreed, and as do I. Perhaps our tone has gotten too rancorous.
Civil people can disagree without being disagreeable, and I know from your comments around the site that you're a civil person, so if my tone has been less than appropriate I apologize.
As for the conversation itself, as you said, it stands as is, and we can let the other readers judge the facts for themselves.
My concern is that the investigation of the incident relied solely upon the word of Goldman Sachs. An agent essentially parroted back what Goldman employees told him, putting it in the form of a criminal complaint, and without further investigation, had him arrested.
My challenge to the validity of the arrest is that there was no independent investigation performed prior. This wasn't just contempt prior to investigation, it was arrest prior to investigation.
Now, I will acknowledge that probable cause is a very low standard, and it is likely that there isn't a legal course of action here.
People keep explaining how that isn't true, and that there was much more than GS's word backing the charges up, so much so that Aleynikov had to rely on a technicality to evade a conviction, one that was closed immediately after he used it:
We're arguing past one another. I am discussing the investigation and arrest, not the subsequent trial or any evidence brought to light therein.
If you read the complaint, the trial transcript, or even the top post here, it's abundantly clear the so-called investigation relied solely upon the word of Goldman Sachs's employees. The FBI agent even admitted that he did not understand the nature of the crime at the time he filed the complaint.
>"McSwain later conceded that he didn’t seek out independent expert advice to study the code Serge Aleynikov had taken. (“I relied on statements from Goldman employees.”) He himself had no idea of the value of the stolen code (“Representatives of Goldman told me it was worth a lot of money”) or if any of it was actually all that special (he based his belief that the code contained trade secrets on “representations made by members of Goldman Sachs”)...The F.B.I.’s investigation before the arrest consisted of trusting Goldman’s explanation of some extremely complicated stuff, and 48 hours after Goldman called the F.B.I., Serge was arrested."
Your argument amounts to: "Sure, but the guy was guilty and only got off on a technicality, so who cares."
People keep explaining the dire problems with this viewpoint, and I don't know why it needs to be continually repeated.
If someone steals a million dollar painting from a private gallery, you think the police should need a statement from a 3rd party art historian in order to make an arrest?
If someone steals a donut from a donut shop, do you think the police need a statement from a third party donut vendor to make an arrest?
Silly analogies lead to silly conclusions, because they inherently obscure essential facts in the comparison.
This wasn't a piece of tangible property, which the agent could understand. This was an immensely complicated issue to a lay person who admitted that he didn't really understand what had been stolen or how much it was worth.
He just listened to Goldman Sachs say trust us and made an arrest within 48 hours.
If you don't understand why it's disturbing that the FBI blindly did the bidding of one of the most powerful corporations on Earth, there's simply no point in continuing to debate the issue.
Unlike donuts, art is incredibly difficult to value, so much so that there's a whole profession dedicated to that problem. Must the FBI engage one of those professionals before deciding to arrest someone who steals a painting?
Before deciding the value of the theft to attach to the charge? Certainly. That would be one reason the FBI employs art specialists as well. Absent a fleeing felon, I would definitely expect the FBI to consult with an art specialist.
You're moving the goalposts. First, Aleynikov is "arrested" on GS's say-so. Now he's being prosecuted on their say-so. By the time Aleynikov is arraigned, expertise has been engaged. What makes this an especially pointless debate is that the trial uncovers that he did in fact take valuable source code!
"Arrested and charged", without independent investigation, on Goldman Sachs' say-so has been consistently my point all along. Nobody moved the goalposts. You just got farther from them.
> If someone steals a million dollar painting from a private gallery,
Except that you're starting with a false premise: the offenses for which Aleynikov was initially charged -- theft of trade secrets, and transportation of stolen property in interstate commerce -- were in no way as clear cut as simply "taking a painting from a private gallery." As you are no doubt aware, from your detailed knowledge of the case.
> you think the police should need a statement from a 3rd party art historian in order to make an arrest?
What the FBI (and the prosecution team) have primarily been faulted for has been their (by now obvious, if not admitted) failure to understand the basic nature of the charges against the accused -- to the extent that they missed the fact that his conduct would not even have constituted an offense against either statute.
In addition, yes, there's the matter of how much the "stolen" (or rather, copied) bits were actually "worth" (or whether they could, in fact, "be used to manipulate markets in unfair ways", per GS's initial complaint.) Should the FBI have waited to consult an outside authority to make an independent assessment of these claims before making an arrest? That I cannot say.
But that both the premier criminal investigative arm of the richest country in the world -- and the highest-profile prosecution office tasked with keeping us safe from white collar crime, in that same country -- should have known that the "value" of copied source code just might be a teensy, weensy bit trickier and more nuanced to assess than that of say, an Edvard Munch painting pilfered from a major gallery in broad daylight? Or that they should have like, you know, read the actual text of the statutes he was being prosecuted under before filing actual charges against him (and throwing him in the klink for a year as a protective measure)? We should hope so.
out of curiosity, because you and others keep repeating it as if it inherently means something obviously sinister, how did they count the 500K lines of code from a vcs repository? is it actually 500K distinct lines of code? is it a number significantly smaller that was ballooned for dramatic effect because it appears in multiple revisions/branches/tags, etc.?
Law enforcement SOP requires an independent investigation. That was not performed. The trial is a separate issue, and has its own package of issues.
I'm far more concerned with the FBI acting almost as an extension of Goldman, effectively abrogating their responsibility to investigate prior to arrest to a large private corporation.
No open source licenses require that. An early version of the Emacs license did require that (I think TECO Emacs and not GNU Emacs), and there may be other licenses, but both the Debian Free Software Guidelines and the Open Source Definition based on them are careful not to require that people contribute modifications they’ve made privately. The reasons for this are discussed in the DFSG FAQ: https://people.debian.org/~bap/dfsg-faq.html#dissident
>> Taking the time to confirm that the code itself is a trade secret is a monumental task, one that isn't needed to determine if there was probable cause.
And yet the finding here is there was no probable cause.
"Goldman could be lying, but so could the shop owner who claims you drove off without paying for your gasoline."
Indeed, but the difference is that the FBI (or police) will arrest whomever Goldman tells them to while completely ignoring the shopkeeper's complaints, possibly even going as far as to tell them not to waste their time.
I had a police officer knock on my door one evening looking for a previous occupant of my house who apparently drove off without paying for gasoline.
Well, I think that's sarcasm but I'm not sure. The fact is, yes, they did send an officer to my house within hours so it seems they did take the shopkeeper's word and considered it some sort of priority. Perhaps they looked at the video showing a license plate, but I doubt that they looked over the payment records to verify that the person did in fact not pay.
> Then [the FBI agent] explained what he knew, or thought he knew: in April 2009, Serge had accepted a job at a new high-frequency-trading shop called Teza Technologies, but had remained at Goldman for the next six weeks, until June 5, during which time he sent himself, through a so-called “subversion repository,” 32 megabytes of source code from Goldman’s high-frequency stock-trading system.
Lewis weaves a lot of editorializing and red-herrings into the account, but here's the punchline:
> All of which was true, as far as it went...
Nobody disputes that at the time Aleynikov was arrested, the FBI had evidence that he had sent himself a bunch of source code and covered his tracks. And at trial, the prosecution proved that he had in fact done that.
Realistically (loopholes aside) - all of the code not under GPL would be theft, no? (Goldman replacing the copyrights on other open-source stuff with their own is probably illegal (as long as the license stipulates that the original copyright notice must remain), but their modifications are still proprietary.)
He of course could have had proprietary source code in his repositories for work in the first place - but bundling and uploading everything does look highly suspicious - and he should have known better.
[Goldman] called the F.B.I. in haste, just two days before, and then put their agent through what amounted to a crash course on high-frequency trading and computer programming. McSwain later conceded that he didn’t seek out independent expert advice to study the code Serge Aleynikov had taken.
I'm not one of the people who would ever equate copying code to theft, regardless of intent. But Aleynikov admitted that he expected GS to be upset about it, mostly due to their cultural attitudes about IP (ie: everything is theirs). Note that he didn't "bundling and uploading everything" he specifically avoided uploading the trading strategies code.
On the one hand, people seem to be giving GS a pass for stripping the copyright notices from GPL'd code they used, but taking them at their word and treating it as high treason when Aleynikov makes a copy of the modified GPL code for himself.
>> "McSwain later conceded that he didn’t seek out independent expert advice to study the code Serge Aleynikov had taken."
>This is the very surprising part.
It's just the lazy careless work of a modern day Pinkerton man.
> Goldman replacing the copyrights on other open-source stuff with their own is probably illegal (as long as the license stipulates that the original copyright notice must remain)
It's only illegal if Goldman distributed it, which they didn't. It's perfectly okay to modify GPL'ed code for internal purposes without open-sourcing the changes.
>It's only illegal if Goldman distributed it, which they didn't. It's perfectly okay to modify GPL'ed code for internal purposes without open-sourcing the changes.
I'm not a lawyer but as far as I understand they were stripping the copyright notice, which is explicitly forbidden by the licenses. i.e. the MIT license:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
> The stripping clause only comes into place when you distribute the code, just as the GPL's copy-left requirement only comes into play when you distribute the code.
I absolutely wish this was the case: copying internally within an organization such as a school, a church, or a business should be legal for any purposes regardless of the license something comes with... However, I'd not be very certain of support of companies like Microsoft which would argue that their copyright licenses dictate usage within the organization and not just on distribution. And no, for these purposes there is no difference between Microsoft EULA and MIT license.
I'd imagine you can argue that you are in compliance if you distributed a git (or hg etc) repository with an older version that does include the copyright notice though.
My point is just that at what point does distribution begin? The entertainment industry wants us to believe that if I buy a CD, I am violating copyright by copying the audio CD to an iPod (doubly so if to a friend's iPod).
The stripping clause only comes into place when you distribute the code, just as the GPL's copy-left requirement only comes into play when you distribute the code.
> The stripping clause only comes into place when you distribute the code, just as the GPL's copy-left requirement only comes into play when you distribute the code.
No, it doesn't. The stripping clause is a license condition with no limitation to distribution -- it expressly applies to all copies. Anything you need a license to do -- which is, anything that involves any of the exclusive rights tied to copyright (of which, the most prominent is copying, regardless of distribution) must follow it, barring an exception in the license or some other provision of law that limits the applicability of the exclusive rights in copyright.
As well as the stripping clause of the MIT license, this is also true with regard to GPLv2 provisions related to copyright notices, which are required for both modification of GPL-licensed code and copying and distribution of GPL-licensed code, though the GPLv3 only applies this to copies that are "conveyed" (compare Section 2 of the GPLv2 with the combination of Sections 2, 4, & 5 of the GPLv3.)
Fair enough. Why does the FSF FAQ say you don't need to distribute source if you modify the code for internal purposes? Is it an explicit provision of the license?
That part made me kind of angry -- "so-called" makes the writer sound like they know something we don't, like "subversion" is some cool trick that smart people know.
"so-called" here is a way of distinguishing the use of "subversion" as a name/description distinction (somewhat similar to a use/mention distinction, but not the right way of making that distinction, IMO, as correctly using "Subversion" as a proper noun would be better, though) as the common noun "subversion" has meaning, but the word "subversion" was not being used for that meaning, only as the name of a thing.
Would it have? On my last day at work at Google, before I am slated to start working in the Bing group at Microsoft, I mail myself a copy of the PageRank source code. Does it matter what VCS I use?
Technically no. In a court description or in a press article, both addressed to people who are not technical, the name of the VCS is important.
Consider the extreme case where the VCS was called "theft-assistance" for example.
How would "He copied the code from a theft-assistance repository" sound to a jury that doesn't know what a VCS is and that theft-assistance is just a name?
If it was something generic and inoffensive, like Git, it would be OK, but "subversion" has a ...subversive undertone.
In a previous video posted on HN, a police officer explains how they would use a concession made by an honest, humble person during an interview to boost their conviction rate: "Sure, I never like the guy. But I would never do anything malicious against anyone or even animals, especially not theft or murder which is totally against my conscience." would become big uppercase red letters on a video projector: "I NEVER LIKE THE GUY". Be sure you nail every emotional aspect to convince a jury.
Most people have no idea what VCS is. To a lay person, "a so-called 'mercurial repository'" would sound far less sinister than "a so-called 'subversion repository'". The reality is that the repo probably had little to do with subverting anything, and was just a convenient way to transfer code.
I'm referring to the fact that no matter how damning the evidence is on its own, it probably seems even more damning to a layperson who doesn't know the name "subversion" is a pun and not something subversive.
Except the code copied by Aleynikov wasn't anything like PageRank. It was like some Go library that fetches the pages, and one that was primarily open source code to begin with.
This was some initial (mis?)-information about the case, but at least according to the Second Circuit:
> In addition to proprietary source code, Aleynikov also transferred some open source software licensed for use by the public that was mixed in with Goldman’s proprietary code. However, a substantially greater number of the uploaded files contained proprietary code than had open source software.
Were the files source code or were they some sort of transaction logs, generated records, and what have you? Or were they various forks/branches of mostly the same thing intended for testing? If you don't know then you can't assess their relative "value".
> have someone locked up based pretty much exclusively on them saying "You won't understand why, but he did really bad stuff. Trust us."
At best that might extend to his initial arrest but not to his subsequent imprisonment. That was the result of a criminal trial that showed he violated the EEA. Which was subsequently overturned on appeal, but only because of a "technicality" in the phrasing of the law which has subsequently been clarified to explicitly and unreservedly criminalize the actions that he took.
>But help me understand what the FBI did wrong, or Goldman for that matter.
What law did Goldman report a violation of? What law did the FBI investigate a violation of? While one can report some alleged violation of some law, the FBI is aware of laws, especially the laws the FBI is assigned to enforce. Bringing charges under the NSPA and EEA, obviously un-applicable here, instead of whatever (if any) law may have been applicable here is gross negligence, to say the least, on the part of the FBI. As a result, they wasted a lot of valuable (taxpayer) resources and ultimately let the criminal (if there was a real crime committed) go free.
>The legal questions that were resolved in Aleynikov's favor were subtle ones.
Are you kidding? How can a subtle legal question(s) be summarized in one paragraph on an Internet forum?
I would not say the EEA is "obviously un-applicable". As rayiner noted, it is a subtle matter of phrasing in the law.
When Congress updated the letter of the law they merely rephrased "included in a product that is produced for or placed in", which the court found to be not applicable to code not directly sold on the market, to "a product or service used in or intended for use in".[1]
I'm not sure how well that one paragraph in an Internet forum summarizes it, but that's literally the only change that Congress made to declare his actions illegal (should they happen again). And it was at the behest of the judge who overturned the conviction, who specifically noted a problem with the phrasing of the law while noting that he fully expected Congress meant to include these actions in the criminal code.
What Aleynikov did was clearly slap-on-the-wrist-worthy. It's not like he took code and sold it to the highest bidder for zillions of dollars. It didn't merit depleting his entire life's savings and (almost) sending him to jail for many years. This was clearly about more than merely the value of the code he took.
> The Court concluded that he had in fact tried to take 500,000 lines of valuable and mostly proprietary source code
I would dispute the value of the code. The code he took wasn't part of the "secret sauce". It didn't contain any of the logic for actually making High-speed trades.
> I would dispute the value of the code. The code he took wasn't part of the "secret sauce". It didn't contain any of the logic for actually making High-speed trades.
On what basis, may we ask?
The only statements from the court that I'm aware of are those confirming that a significant amount of proprietary code (in comparison to the amount of OS code) was taken.
But not as to the "value" of the copied bits, or their potential to otherwise wreak havoc.