Sergey Aleynikov has been called the dumbest man at Goldman Sachs. Aleynikov was arrested last week on charges that he stole proprietary trading software from Goldman Sachs, which was in no mood for that — even if it is on the verge of announcing eye-popping profits.
For an investment firm, much of the game is in convincing people that its traders know something the rest of the world doesn't. That secret sauce, often enough, may actually be trading software made by a programmer toiling away on Wall Street. In March, Michael Osinski wrote an article in New York magazine confessing that he'd blown up Wall Street. How? "I wrote the software that turned mortgages into bonds." (Update: Jonathan Weil's "Goldman Sachs Loses Grip on Its Doomsday Machine.")
Now comes the story of Aleynikov, the Goldman Sachs programmer who's free on a $750,000 bond. The FBI says he has begun explaining the actions that got him in trouble. I asked a few developer types in our Twitter crowd to see whether the accounts sounded plausible to them and why someone might make such a "career-limiting move," as geekosaur put it.
Bloomberg reported over the weekend that an FBI statement details his uploading of software to a sight that offers "subversion hosting," then erasing the "bash history" of commands he'd allegedly entered to accomplish this.
Let's let a few developers walk us through:
1). Aleynikov had reportedly told colleagues he was about to take a job with another firm for three times his current $400,000 annual pay.
Andy Grundman considers the exit plan:
Sure, so most, if not all, developers, rightfully feel some ownership over code they write at work, even if technically it belongs to the company. They were your own ideas, solutions to problems, etc. My hunch is this guy was getting ready to quit and wanted to be sure he could refer back to previous solutions, instead of having to reinvent them. If he had to give up all that code, one analogy might be if a business manager were forced to undergo a "brain wipe" device upon leaving a job to cause them to forget everything they learned or developed while there, such as a cool new management style. Obviously, no one expects those people to leave that kind of information behind.
The same should be true for developers, although unfortunately it's not. I'm talking only about algorithms, "light-bulb" solutions to a hard problem that took a week to come up with, not things that clearly belong to the company like customer databases and such. Of course an [intellectual property] lawyer would disagree, saying those things are exactly the kind of thing that should stay with the company because they give them an advantage. Working almost exclusively in open-source development, I take the view that software algorithms should be public domain for the benefit of everyone.
Now in this case, I guess the guy just copied the entire source of an application, which was not 100% his own code. It was probably difficult/impossible to just pull out his own code, and he'd probably get in just as much trouble for "stealing" 1 line vs. the whole thing. He tried to cover his tracks because it would have been obvious what he did when someone came in to clear out his account later. He didn't figure they would be watching for certain kinds of file edits! (I'm pretty surprised they caught him actually.)
I could be wrong about his motives, but that's my benefit-of-the-doubt impression. If he really wanted to damage Goldman and leak the code, it would have gone up on a pirated software site immediately under an anonymous name.
2.) It's a small point, but the FBI statement includes what might be a misleading name for some. That "subversion hosting" Aleynikov allegedly sought doesn't mean "subversive hosting." Think sub-version instead, emphasis on version.
In that light, Michael Randers-Pehrson notes that Aleynikov wrote in the FBI statement that he was after open source code, meaning programming that outside developers can view and change. Randers-Pehrson writes:
[H]e's claiming he was trying to copy non-Goldman code from Goldman computers for his own use, but inadvertently copied too much code. Highly suspect as it seems unlikely Aleynikov would unintentionally copy anything (he's pretty savvy) and very often open source code is highly customized or modified to become proprietary.
Aleynikov sent the files to [Roopinder] Singh's site, xp-dev.com. Singh runs a service used to help with software development by hosting Subversion, a software versioning application. (Software versioning is an important part of development as it allows coders to easily keep copies of all their work and changes over time. It's like a writer keeping every single draft of a novel in order to review and compare incremental changes over time.)
3). Finally, the deal with the "bash history." As Bloomberg reports, erasing the bash history catches the attention of Goldman Sachs' security — i.e., leads to a world of trouble.
For my money, this is the tough part. Sandra Galejs writes:
Open-source software usually is developed on a variant of the UNIX operating system (such as Linux). In the UNIX world, one typically works in a command-line environment (a window on the computer desktop that resembles an old-style computer terminal). The shell is the program that processes command-line input and executes commands. "Bash" is the name of one of the commonly used shells. As a convenience to the user, all shells retain an input history, so that you can execute a previously entered command without retyping (helpful for those of us who never actually learned to touch-type). There is no reason to erase the history, except to cover one's tracks.
Without having read much about the case, my gut feeling is this is an amazingly naive programmer. I assumed he was fresh out of school until I read the biographical info at the bottom of the article. It's quite naive to think that erasing your shell history will actually hide your activity, when you're working on a networked computer system that's owned by a financial services company. There are so many audit processes that are now running in the corporate world, both for security purposes and Sarbanes-Oxley compliance.
Aleynikov also has a poor understanding of open-source software licensing if he believes that he is entitled to take a copy of any open-source software that he worked on. To quote an old open-source software slogan, "It's free software in the sense of "free speech," not "free beer". Any piece of open-source software still has a license agreement, even though the software is free. This license agreement is sometimes called a "copyleft." The license agreement determines the conditions under which you can modify and redistribute the open-source code, and whether you have the right to charge for the modified product. It is possible for open-source software to become a component of a proprietary system.
And it's just silly to say that you uploaded code to an offshore server because you want to "inspect the work later in a more usable environment." I've worked with open-source code repositories, and I can assure you that it is always easier to read code in a local environment (i.e. your own computer).