I doubt I could convince rayiner of anything, but I'll at least refute some of the more ridiculous things he says.

>Your arguments for why the FBI agents acted improperly amount to "yeah, but it turns out that ...."

No, I've responded to rayiner's suppositions that because some activity might be sketchy, it must be.

[rayiner says](https://news.ycombinator.com/item?id=9047068) encrypting and exporting files to a repository in a foreign land is sketchy.

I say, ssh, gzip, and svn are pretty normal tools that programmers use frequently. So are hosted servers in foreign countries.

rayiner says that deleting .bash_history is sketchy, I say it's a reasonable, nay a responsible thing to do if failing to do so would leave sensitive information (such as a password) available for others to peruse.

>This arguments are not a good reason to not arrest someone. They're a good reason to find someone innocent after trying them.

IMO if the government is going to arrest a person, attempt to hold them without bond, settle for mere $700,000 bond, (arguably depriving the person of counsel); then the government's burden of "probable cause" ought to be a bit more substantial than "some bros down at Goldman Sachs said...", and this guy uses "subversion" software. We can't have the police running around arresting everyone who might have possibly committed a crime. There needs to be actual, you know, probable cause.

>Sometimes circumstances are such that an innocent person looks highly suspicious to reasonable people with a reasonable amount of evidence. In those cases, it's reasonable, though unfortunate, that law enforcement arrest and charge that innocent person. Isn't it?

What do you make of the fact that:

>>"In the New York state case, a judge ruled the 2009 arrest was illegal. He threw out seized physical evidence, including computer hardware carrying the source code."

and

>>"New York State Supreme Court Justice Ronald Zweibel also barred prosecutors from using statements Aleynikov made to the FBI after his arrest at Newark Liberty International Airport."

Are these judges unreasonable? Sure, mistakes happen, everyone deserves a Mulligan once in a while. That's not what we have here though. The FBI had plenty of opportunities to check their work, which was shabby. Instead of doing that, they forged ahead doing the bidding of Goldman Sachs, uncritically. And, now that the federal case has failed, GS has their hand up the back of a Manhattan DA. We can quibble about these little details more if you want but this whole affair has got a stench about it.

>As far as I can tell, rayiner is right.... we have no evidence that Aleynikov was arrested improperly.

No evidence? What's Zweibel's problem then?:

>In a 71-page opinion, Justice Ronald A. Zweibel of State Supreme Court in Manhattan ruled that the F.B.I. “did not have probable cause to arrest defendant, let alone search him or his home.” The arrest was “illegal,” Justice Zweibel wrote, and Mr. Aleynikov’s “Fourth Amendment rights were violated as a result of a mistake of law.”

I dispute the idea that any senior developer could work at Goldman Sachs on an HFT infrastructure and believe that they were authorized to --- or, indeed, that they would not be immeditely fired for --- uploading the code to a proprietary automated trading system to a random SVN host in a different country. This is the code we, as security testers, were never allowed to see, even after owning up the machines hosting it. These firms are not kidding around about this stuff. It is a huge smoking gun to have uploaded any of it to some off-brand foreign svn host.

These are firms where you can be fired for plugging a thumb drive into your computer, or for using the company network to access Dropbox. I have worked for more than one financial firm that spent literally millions of dollars merely on the problem of detecting their network users trying to reach Google Mail.

I also dispute the idea that because developers commonly use ssh, gzip, and svn, that it is common practice to (1) gzip a tarball of source code, (2) encrypt that source code, (3) commit that compressed encrypted blob to svn, (4) remove all traces of the encryption key from their work computer. That's something happens zero times on normal dev machines.

The conviction was overturned because the technical details of exactly what Aleynikov took from GS didn't fit the ambitious charge the DOJ filed against him. But the appeal doesn't refute the finding of facts from the original trial, which include:

There was more than sufficient evidence presented at trial, however, for a rational juror to conclude that Aleynikov intended to steal Goldman Sachs' proprietary source code. First, it was undisputed at trial that Aleynikov actually did take proprietary source code from Goldman Sachs. As Aleynikov concedes in his motion papers, the code he took from Goldman Sachs included a “purposefully designed” portion of the Goldman Sachs “proprietary, custom-built trading system.” Indeed, the evidence showed that Aleynikov took a significant percentage of the proprietary source code for that system. While Aleynikov attempted to show that there was open source code embedded within the proprietary code and to identify the files in which that might be true, his expert witness was only able to identify one file among those taken by Aleynikov that both bore a Goldman Sachs copyright banner and appeared to contain open source code.

I'm just fine with Aleynikov's conviction being overturned. Again, the charges against him seemed ambitious.

But this is a forum full of software developers. Rayiner is a lawyer and a compiler developer. It's somewhat insulting to everyone's intelligence to pretend that people here are unfamiliar with ssh and svn. We understand how software development works. What happened here was extremely sketchy. You can't play the "well in the world of software development, this is totally normal" card on HN.

"Ambitious" is a bit charitable, in this context.

"Patently vacuous" -- to an extent that suggested, at the very least, a breakdown in the internal controls and safeguards (on the part of both the FBI and the prosecutor's office) designed to present precisely this kind of a fiasco from happening -- might be a better description.

Like Rayiner said, in layman's terms, he got off on a technicality.

The FBI and DOJ being on the wrong side of a close call in statutory interpretation isn't "patently vacuous."

That's not what the court found. Otherwise the charges wouldn't have been dropped.

It sounds like you're conflating the issue of whether he violated the "spirit" of the law (or whether he was, in your view, just plain morally culpable somehow) -- versus what the law actually had to say about his actions.

Like Rayiner said, in layman's terms, he got off on a technicality.

If you want to minimize any sense of exoneration or vindication the accused might want to derive from the court's decision, by saying he "got off on a technicality", that's fine.

But to claim that he "definitely violated" the law when the courts found that he definitely did not -- I'm just not sure I see the point in that.

I've never set foot in one, but one thing I have learned watching this incident and others is that some of theses firms have varying degrees of carelessness and cluelessness within their businesses; especially with respect to IT (Knight Capital comes to mind). In that respect, they are like any other company, some careful and fastidious, some, flying on a wing and a prayer.

>This is the code we, as security testers, were never allowed to see, even after owning up the machines hosting it. These firms are not kidding around about this stuff.

I may often disagree with some of your opinions here, but I can't say that I have the impression that you're not competent within your profession or that you lack integrity. It occurs to me that the firms that would hire your firm to audit them as opposed to some lesser outfit, are the same firms that run a pretty tight ship in their own businesses. Has it occurred to you that not all trading firms or even divisions within the same company are cut from the same cloth?

>These are firms where you can be fired for plugging a thumb drive into your computer

Yeah, I've seen some companies with ridiculously conservative IT policies. I can see it being applied at a bank or a trading firm. The policies are often meaningless though, when the policies basically state that you can be fired for doing anything, but in reality that doesn't happen. I've worked at one of those companies where a too-large portion of engineering's time was spent circumventing IT systems, activities for which one could've been fired. Those companies always have plenty of ways to fire people.

>I also dispute the idea that because developers commonly use ssh, gzip, and svn, that it is common practice to

I remember about ten years ago working with an engineer whose idea of a source code revision control system was to zip up and password protect source code archives. It may not be common, and Aleynikov wasn't doing it for the same reasons, but by itself, it isn't proof of anything nefarious.

>There was more than sufficient evidence presented at trial, however, for a rational juror to

Interestingly, none of the jurors were employed in tech, and none had a college degree. Not that it would always be necessary, but it is worth considering the possibility that none of them understood what they were being told. It's hard for me to agree that situation was rational unless those were some exceptional high school graduates.

>But this is a forum full of software developers. Rayiner is a lawyer and a compiler developer. It's somewhat insulting to everyone's intelligence to pretend that people here are unfamiliar with ssh and svn.

If you or Rayiner don't like my tone, I'll tell you that I think it is a bit of an embarrassment to have to point some of these things out here. Maybe Rayiner will have enough respect in the future not to parrot statements from the FBI's and the prosecutor's press releases. We've all been spectators here of a number of high profile prosecutions of software developers, and if there is anything to be learned from those experiences, it is that prosecutors and FBI agents will characterize the suspect/defendant in the most damning light possible. Anything that one of them says has to be taken with a grain of salt.

>We understand how software development works. What happened here was extremely sketchy.

Probably so, but not necessarily so, and not on the basis of some of the things ITT.

>You can't play the "well in the world of software development, this is totally normal" card on HN.

It is laughable. I'm probably one of the least qualified people to lecture to this audience, but here it is.

And I also delete my bash history all the time if I do something stupid like manually enter a password into the command line.

One thing to keep in mind is that Aleynikov is clearly one of those rare types for whom the technology is an end in itself rather than a means toward anything. That leads to a type of naiveté about following IT security policies. I don't know quite what the proper name is for this disposition, but we've all encountered them.

>I also dispute the idea that because developers commonly use ssh, gzip, and svn, that it is common practice to (1) gzip a tarball of source code, (2) encrypt that source code, (3) commit that compressed encrypted blob to svn, (4) remove all traces of the encryption key from their work computer. That's something happens zero times on normal dev machines.

Agreed, but it was established that he did this fairly consistently throughout the course of his employment. It's idiosyncratic, but not unexplainable. Sure, it was poor development practice, but I'm not convinced it was malicious.

Again, if the intent was trade secret theft, why not take the valuable part, the trading strategies?

With regard to the "valuable part," financial experts will tell you that lives in the trading strategies, which he didn't take. You must admit that's very odd behavior for a malicious thief.

You keep trying to shift the focus to the trial, when what disturbs me and so many others is not the trial or its findings.

Whether or not he actually stole the code is immaterial to whether the FBI did a proper investigation prior to arrest, or whether Goldman Sachs received special treatment because of their size, wealth, and power.

Civil people can disagree without being disagreeable, and I know from your comments around the site that you're a civil person, so if my tone has been less than appropriate I apologize.

As for the conversation itself, as you said, it stands as is, and we can let the other readers judge the facts for themselves.

My challenge to the validity of the arrest is that there was no independent investigation performed prior. This wasn't just contempt prior to investigation, it was arrest prior to investigation.

Now, I will acknowledge that probable cause is a very low standard, and it is likely that there isn't a legal course of action here.

https://www.congress.gov/congressional-record/2012/11/27/sen...

If you read the complaint, the trial transcript, or even the top post here, it's abundantly clear the so-called investigation relied solely upon the word of Goldman Sachs's employees. The FBI agent even admitted that he did not understand the nature of the crime at the time he filed the complaint.

>"McSwain later conceded that he didn’t seek out independent expert advice to study the code Serge Aleynikov had taken. (“I relied on statements from Goldman employees.”) He himself had no idea of the value of the stolen code (“Representatives of Goldman told me it was worth a lot of money”) or if any of it was actually all that special (he based his belief that the code contained trade secrets on “representations made by members of Goldman Sachs”)...The F.B.I.’s investigation before the arrest consisted of trusting Goldman’s explanation of some extremely complicated stuff, and 48 hours after Goldman called the F.B.I., Serge was arrested."

Your argument amounts to: "Sure, but the guy was guilty and only got off on a technicality, so who cares."

People keep explaining the dire problems with this viewpoint, and I don't know why it needs to be continually repeated.

Silly analogies lead to silly conclusions, because they inherently obscure essential facts in the comparison.

This wasn't a piece of tangible property, which the agent could understand. This was an immensely complicated issue to a lay person who admitted that he didn't really understand what had been stolen or how much it was worth.

He just listened to Goldman Sachs say trust us and made an arrest within 48 hours.

If you don't understand why its disturbing that the FBI blindly did the bidding of one of the most powerful corporations on Earth, there's simply no point in continuing to debate the issue.

Except that you're starting with a false premise: the offenses for which Aleynikov was initially charged -- theft of trade secrets, and transportation of stolen property in interstate commerce -- were in no way as clear cut as simply "taking a painting from a private gallery." As you are no doubt aware, from your detailed knowledge of the case.

you think the police should need a statement from a 3rd party art historian in order to make an arrest?

What the FBI (and the prosecution team) have primarily been faulted for has been their (by now obvious, if not admitted) failure to understand the basic nature of the charges against the accused -- to the extent that they missed the fact that his conduct would not even have constituted an offense against either statute.

In addition, yes, there's the matter of how much the "stolen" (or rather, copied) bits were actually "worth" (or whether they could, in fact, "be used to manipulate markets in unfair ways", per GS's initial complaint.) Should the FBI have waited to consult an outside authority to make an independent assessment of these claims before making an arrest? That I cannot say.

But that both the premier criminal investigative arm of the richest country in the world -- and the highest-profile prosecution office tasked with keeping us safe from white collar crime, in that same country -- should have known that the "value" of copied source code just might be a teensy, weensy bit trickier and more nuanced to assess than that of say, an Edvard Munch painting pilfered from a major gallery in broad daylight? Or that they should have like, you know, read the actual text of the statutes he was being prosecuted under before filing actual charges against him (and throwing him in the klink for a year as a protective measure)? We should hope so.