Goldman Sachs Trading Source Code In the Wild?

Hangtime writes "The world's most valuable source code could be in the wild. According to a report by Reuters, a Russian immigrant and former Goldman Sachs developer named Sergey Aleynikov was picked up at Newark Airport on July 4th by the FBI on charges of industrial espionage. According to the complaint, Sergey, prior to his early June exit from Goldman, copied, encrypted and uploaded source code inferred to be the code used by Goldman Sachs to process in real-time (micro-seconds) trades between multiple equity and commodity platforms. While he was trying to cover his tracks, the system backed up a series of bash commands, so he was unable to erase his history, which would later give him away to Goldman and the authorities. So the question is: where are the 32MB of encrypted files that Sergey uploaded to a German server?
  • by eldavojohn ( 898314 ) * on Monday July 06, 2009 @08:34AM (#28593163) Journal
    Even more interesting is in the second article that notifies us that Goldman Sachs has been removed from the NYSE 15 Most Active Members Firms Weekly Report. GS had been #1 the week before and now they're not even on it. These fifteen firms alone represent about 98% of all trades with the NYSE. So what happened?

    The author mentions some things but gives no clear motivation for GS hiding their stats. I would speculate that if one of your developers copied your code and uploaded it to a server discreetly, you could have that in your logs and not notice it for days or weeks. But if he then did something to your system to ensure his new employer's ownership of that code you would notice that pretty damn fast I imagine. Sergey Aleynikov sounds like a brilliant coder but maybe he's not so smart on legal issues; is it possible he completely hobbled GS to please his new employer? Are they keeping their transaction report hush hush so investors don't worry? Was Sergey Aleynikov thinking he could sell the code and the rights to the code? After all, if he could remove all copies of the code from GS how could they take people to court over the code without a local copy to prove ownership?

    If GS remained #1, they would have left themselves on the list. I presume that something else related to this has gone wrong with their operation, the news just hasn't broken yet.
  • Re:Surely not? (Score:5, Interesting)

    by Richard_at_work ( 517087 ) on Monday July 06, 2009 @08:40AM (#28593211)
    What if having the code allowed you to analyse it for ways to game the system? Knowing precisely how the system will react in certain circumstances could give you a serious leg up when attacking the system on the markets (trade limitations, trend spotting for error codes or edge cases et al).

    This code could be worth significant amounts of money on the international fraud market.
  • Proving theft.. (Score:5, Interesting)

    by MosesJones ( 55544 ) on Monday July 06, 2009 @08:40AM (#28593213) Homepage

    It's hardly surprising that this sort of code is highly valuable, but the challenge is surely going to be proving that it was actually stolen. If they have a bash history that doesn't include the IP addresses but just shows that he created a tar ball, then where is the proof that he actually stole anything at all?

    The original is of course still there, what he took is a copy, so you can't show something is missing.

    They currently don't know where it has gone, so they can't prove that a copy was moved outside the firewall successfully

    If he hasn't yet sold the stuff on they can't prove there was a financial benefit linked to the theft

    So how will they prove beyond a reasonable doubt that some actual theft has gone on?

    It's not like he has just lobbed it on Bit-torrent or posted it to Wikileaks. What he has done is taken a copy of the code, which means it's Intellectual Property and copyright issues rather than "simple" theft, and therefore they really need to prove (surely) that he has done something with the code.

    Should be interesting to see how the police "generate" and prove the evidence on this one.

  • by dr.newton ( 648217 ) on Monday July 06, 2009 @08:41AM (#28593219) Homepage

    It seems unlikely to me that any single person, or even small group of people, would have the capability to remove all copies of this code, binary and source, from the company's information infrastructure.

    Is it possible that they have suspended use of this code because they fear that someone analyzing it could profit from the trades it would have made?

  • by fuzzyfuzzyfungus ( 1223518 ) on Monday July 06, 2009 @08:46AM (#28593283) Journal
    That, my friend, is what having your self interest 0wn3d by your primate instincts feels like.

    Don't worry, multinationals have no such weaknesses, and won't bat an eye when you are on the hook.
  • Re:Proving theft.. (Score:4, Interesting)

    by fuzzyfuzzyfungus ( 1223518 ) on Monday July 06, 2009 @08:49AM (#28593319) Journal
    Whenever I run into a tough time proving a case, I fall back on due process of law [maglite.com]...
  • by Ciaran Power ( 447593 ) on Monday July 06, 2009 @08:49AM (#28593321)

    A brilliant coder...

    who's never heard of "history -c"???

    TFS says that his history file was backed up while he was Hacking The Gibson. He might have cleared his .history afterwards but presumably didn't know about/didn't have access to/didn't bother clearing the backup. TFA doesn't mention anything about his history btw, but slashdot wouldn't lie to me.

  • Re:Non-story (Score:3, Interesting)

    by Anonymous Coward on Monday July 06, 2009 @08:56AM (#28593363)
    Well done, sir. I was thinking about just the same (slang/secdb).

    Of course, it won't be easy to install the whole system and then put those bits of code he stole on it and run it. But it is entirely possible those algos were not his, but coming from some of the very important core modules. It can still carry a large value.
  • Cheating (Score:2, Interesting)

    by hummassa ( 157160 ) on Monday July 06, 2009 @09:07AM (#28593451) Homepage Journal
    Down here in Brasil, there is an interesting card game called Truco ("trick me"/"triple up" portmanteau in Portuguese) -- every college student in my State plays it :-D One of the most interesting rules is: "you can cheat as long as nobody catches you in the act". The financial market is based exactly on the same rule.
  • Re:Surely not? (Score:5, Interesting)

    by Richard_at_work ( 517087 ) on Monday July 06, 2009 @09:07AM (#28593459)
    I'm not talking about exploits or bugs, I'm talking about knowing *precisely* how the code will react in given circumstances, *precisely* which edge cases are handled in code, *precisely* what results in an error state and how that error state is handled.

    Knowing such things will allow you to tailor your fraudulent trades so as to not raise suspicion, or to make more money within a set amount of time. If you know precisely how far to push your actions, and then push no further, then you could continue with the same fraud for longer than you would otherwise without being discovered. If you know how often the trend analysis reports are run, and how they do what they do, then you can tailor your trades so as to not appear on those reports - just enough, no more.

    All of which means you can make more money without being detected - and you haven't attacked the software itself, you haven't changed how the code works, you have stayed within the boundaries that the software creates. All because you knew *precisely* how the code works.
  • by Richard W.M. Jones ( 591125 ) <rich.annexia@org> on Monday July 06, 2009 @09:10AM (#28593485) Homepage

    Seems more likely he was caught by auditing through the audit daemon [die.net] in Red Hat Enterprise Linux. It records both high level "actions" taken on the machine, and (in some cases) commands typed at the shell. Unless you have root (in some cases, even if you have root), it's hard to erase those logs.

    Rich.

  • Re:Surely not? (Score:4, Interesting)

    by infolation ( 840436 ) on Monday July 06, 2009 @09:13AM (#28593529)
    The online gambling industry analyzes the games made on their system against games played by known gambling software to identify players cheating.

    Perhaps GS haven't immediately stopped real-time trading using their existing system because they're able to analyze trades made by other brokerages to identify patterns that would indicate whether their own trading system is being used by others.
  • by bartwol ( 117819 ) on Monday July 06, 2009 @09:18AM (#28593571)

    I worked for a financial services company that had similar types of systems. The legal department and security people were always concerned about people stealing our source code.

    But their fears were unfounded. Why? Because the source code is highly customized code that not only implements thoroughly non-standards-based algorithms, but is also tightly coupled to underlying hardware/software platforms (and the non-standardized APIs of their peer systems). The result: you can't run it anywhere but on the infrastructure of the company for which it was built. Sure, you could pull out a subroutine here or there. But overall, it's pretty worthless stuff.

    Humorously, we had a large, difficult, multi-year project to port our code to a newer hardware platform (same O.S. and language tools). I joked that we should post all our source code on the web for free unencumbered download, and if somebody could get it to run on the newer (or any other) platform, we could pay them $2 million for their effort and still come out way ahead in the deal. Everybody laughed and agreed that that would be a dream come true.

  • by morgan_greywolf ( 835522 ) on Monday July 06, 2009 @09:20AM (#28593591) Homepage Journal

    I had not thought of this, although I believe these transactions would be done on secure networks with insane encryption.

    Knowing the algorithms that Goldman Sachs uses to do realtime trades could possibly give you insider information you wouldn't have otherwise had. When doing realtime transactions, if you know the ORDER Goldman Sachs will use to do the transactions, for instance, you could buy certain stocks a minute or two before Goldman Sachs does...since the act of GS (or anyone) buying a stock will increase its trading price some, and you've just automatically made money and hurt GS at the same time.

    This type of insider trading information will likely result in criminal prosecution by the SEC, however, so don't try this at home, kiddies.
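infolation suggests above that a firm could analyse other brokerages' trades for the fingerprint of its own system, and morgan_greywolf's point is that anyone who knows the order in which your system will trade can step in front of you. The check below is an added example (my code, not from the thread and not any exchange's or bank's system); it assumes you hold your own order stream and a feed of one counterparty's orders as (timestamp in microseconds, symbol, side) tuples, and measures how often the counterparty trades the same name in the same direction just before you versus just after you. All tickers and order data here are constructed.

```python
from bisect import bisect_left
from collections import defaultdict

SYMBOLS = ["ABC", "DEF", "GHI", "JKL"]   # constructed tickers for the example


def make_own_orders(n=20):
    """Constructed stream of our own orders: (timestamp_us, symbol, side), one per millisecond."""
    return [(1_000_000 + i * 1_000, SYMBOLS[i % 4], "B" if i % 3 else "S") for i in range(n)]


def lead_lag(own, other, window_us):
    """Share of our orders that a same-symbol, same-side order in `other` precedes
    (lead) or follows (lag) within window_us. A front-runner shows lead >> lag."""
    index = defaultdict(list)
    for ts, sym, side in other:
        index[(sym, side)].append(ts)
    for times in index.values():
        times.sort()
    lead = lag = 0
    for ts, sym, side in own:
        times = index.get((sym, side), [])
        i = bisect_left(times, ts)              # first counterparty order at or after ts
        if i and ts - times[i - 1] <= window_us:
            lead += 1
        if i < len(times) and times[i] - ts <= window_us:
            lag += 1
    n = len(own) or 1
    return lead / n, lag / n


def assess(own, other, window_us=100, min_share=0.5):
    """Classify a counterparty stream relative to our own orders."""
    lead, lag = lead_lag(own, other, window_us)
    if lead >= min_share and lead > 2 * lag:
        return "front_runner"     # acts just before us, in our names, in our direction
    if lag >= min_share and lag > 2 * lead:
        return "follower"         # reacts to our prints; not evidence of a leak
    return "unrelated"


# Constructed counterparty streams to exercise the check: a clone that fires 40 us
# before 18 of our 20 orders (plus one unrelated order), a pure follower, and noise.
OWN = make_own_orders()
CLONE = [(ts - 40, sym, side) for ts, sym, side in OWN[:18]] + [(1_000_500, "ZZZ", "B")]
FOLLOWER = [(ts + 60, sym, side) for ts, sym, side in OWN]
UNRELATED = [(ts + 700, sym, side) for ts, sym, side in OWN]

if __name__ == "__main__":
    for name, stream in (("clone", CLONE), ("follower", FOLLOWER), ("unrelated", UNRELATED)):
        print(name, lead_lag(OWN, stream, 100), assess(OWN, stream))
```

A party merely reacting to the same public signal as you shows up roughly symmetrically, or with a lag, because it cannot beat your own reaction to that signal; a large lead share with a near-zero lag share at a horizon shorter than the market's reaction time is what a copy of your logic (or a leak of your order flow) looks like. A real investigation would also shuffle the symbol labels to get a null distribution and confirm the lead is significant, which this example omits.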

  • Re:Surely not? (Score:1, Interesting)

    by Anonymous Coward on Monday July 06, 2009 @09:36AM (#28593727)

    Maybe Goldman is worried that if someone reviews the code, they might be able to discover that Goldman is gaming the system and the source code is just the smoking gun.

    Surely that would be a much bigger problem for Goldman Sachs than an individual or small groups trying (probably unsuccessfully) to game the market.

  • by jonnyj ( 1011131 ) on Monday July 06, 2009 @09:43AM (#28593793)

    You don't need internet access that is in any way shared with your development work. Completely sandboxed internet access in a totally locked down thin client session might be OK, but you certainly don't need to be able to upload data to remote servers. If you think you do, you need to go and read up about segregation of duties.

    But I don't expect you to agree. Your signature displays more about your attitude to the world than you perhaps realise.

  • by CrazyDuke ( 529195 ) on Monday July 06, 2009 @09:49AM (#28593855)

    I damn sure can fault them when they are the architects of said perks. Last I checked [opensecrets.org], Goldman Sachs "donates" quite heavily in DC.

  • Re:Non-story (Score:5, Interesting)

    by anothy ( 83176 ) on Monday July 06, 2009 @09:54AM (#28593919) Homepage
    i have a somewhat-better-than-passing knowledge of how these systems work. i'm very unconvinced by your explanation.

    you seem to be assuming the intent would be to out-compete Goldman by re-implementing this system, perhaps with some changes/optimizations. for that, sure, you'd need the rest of the environment. but a good understanding of the algorithm and implementation could be obtained without the rest of the environment (like i can read C# code and extract the algorithms without having the rest of the environment). that seems like it would be enough to game Goldman's system (which is a sizable part of the system overall).

    note that i am not asserting that this is a catastrophe for Goldman, just that your explanation isn't convincing. i will, however, agree with a previous poster that Goldman's sudden absence from NYSE's 15 most active members [nyse.com], rather than being #1 as they had for a good while, is very suspicious.
  • by anothy ( 83176 ) on Monday July 06, 2009 @09:59AM (#28593981) Homepage
    you're only looking at reputable players here. sure, BofA won't touch GS's code, for a host of very good reasons like those you describe. but for someone looking to game GS's system, being able to run the code is totally unimportant: just reading it could likely be enough to extract exploitable characteristics.
  • a convenient fire (Score:3, Interesting)

    by rs232 ( 849320 ) on Monday July 06, 2009 @10:02AM (#28594015)
    'This week's NYSE Program Trading report was very odd .. what was shocking was the disappearance [blogspot.com] of the #1 mainstay of complete trading domination (i.e., Goldman Sachs) from not just the aforementioned #1 spot, but the entire complete list. In other words: Goldman went from 1st to N/A in one week'

    US v Sergey Aleynikov, Violations of 18 U.S.C. §§ 1832(a)(2), 2314, & 2

    "ALEYNIKOV claimed, however, that he only intended to collect "open source" files on which he had worked, but later realized he had obtained more files than he intended. ALEYNIKOV also admitted that he has uploaded files from his work desktop from home. ALEYNIKOV claimed he did not distribute any of the proprietary software that he obtained from the Financial Institution, and further claimed that he has abided by an agreement he entered into with his new employer not to use any unlicensed software"
  • by Sycraft-fu ( 314770 ) on Monday July 06, 2009 @10:03AM (#28594023)

    Crooks aren't always that smart. The guy may have the plan of "I take code, sell it to rival, I make millions," having not thought the practical matter through. As another poster noted, the Pepsi/Coke thing DID happen and what they did was contact the FBI.

    While this isn't quite the same situation here, I'm betting the result would be the same. No legit corp wants to be involved in shit like this. It just wouldn't make sense and you'd stand to lose WAY more than you'd stand to gain. So they'd ignore the guy or, more likely, go to the authorities.

    He probably has essentially stolen something that is worthless because there is no market. In theory it has a high value because it is special and was expensive to make but in practice nobody probably wants to buy it and as such it isn't worth anything.

  • by dna_(c)(tm)(r) ( 618003 ) on Monday July 06, 2009 @10:19AM (#28594171)

    [...]since most financial institutions [...]

    I know, because I work for $LARGE_BANK, and we use it there. [...]

    That's a hell of an extrapolation. It could only be correct if there are less than 2.0 possible $LARGE_BANK values...

  • by maxume ( 22995 ) on Monday July 06, 2009 @10:22AM (#28594203)

    I'm not real sure someone with the code would be able to do much at all. I guess someone with the code, billions of dollars (or at least tens of millions), a high volume trading interconnect, and quite a lot of time to analyze the code for self-reinforcing behaviors might be able to make a little bit of money.

    The whole point of the programmed trades is to take advantage of market conditions, staging the market so that one system goes AWOL is going to be a hell of a trick.

  • by guacamole ( 24270 ) on Monday July 06, 2009 @10:23AM (#28594211)

    I believe disabling bash's history logging into a file is as easy as typing:

    HISTFILE=

    at the prompt. In other words, he was probably one command line away from being detected..
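The summary says a backup of his bash history gave him away, the "history -c" and "HISTFILE=" comments above discuss defeating that, and Richard W.M. Jones points at the audit daemon as the more likely source. As an added example (my code, not from the thread, from Goldman Sachs or from the Red Hat audit package), here is a small detector that reads auditd execve records, joins the SYSCALL and EXECVE lines of each event, and reports, per login session, an archive-then-encrypt-then-upload sequence of the kind the complaint describes, plus any deletion of a shell history file. The sample log, hosts and paths are constructed, and the audit rule it assumes is stated in the comment.

```python
import os
import re
from collections import defaultdict

# Constructed sample of auditd output (not from the page or from any real system). It
# assumes a rule such as `-a always,exit -F arch=b64 -S execve -k exec`, so each command
# yields a SYSCALL record and an EXECVE record that share one event id. Argument a3 of the
# first tar is hex-encoded, which is how auditd writes an argument containing a space.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1244000100.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2101 auid=1001 uid=1001 ses=7 comm="tar" exe="/bin/tar" key="exec"
type=EXECVE msg=audit(1244000100.101:501): argc=4 a0="tar" a1="czf" a2="/tmp/s.tgz" a3=2f686f6d652f6465762f73726320636f6465
type=SYSCALL msg=audit(1244000160.220:502): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2102 auid=1001 uid=1001 ses=7 comm="gpg" exe="/usr/bin/gpg" key="exec"
type=EXECVE msg=audit(1244000160.220:502): argc=3 a0="gpg" a1="-c" a2="/tmp/s.tgz"
type=SYSCALL msg=audit(1244000300.500:503): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2103 auid=1001 uid=1001 ses=7 comm="scp" exe="/usr/bin/scp" key="exec"
type=EXECVE msg=audit(1244000300.500:503): argc=3 a0="scp" a1="/tmp/s.tgz.gpg" a2="dev@203.0.113.10:/incoming/"
type=SYSCALL msg=audit(1244000320.000:504): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2104 auid=1001 uid=1001 ses=7 comm="rm" exe="/bin/rm" key="exec"
type=EXECVE msg=audit(1244000320.000:504): argc=3 a0="rm" a1="-f" a2="/home/dev/.bash_history"
type=SYSCALL msg=audit(1244000400.000:505): arch=c000003e syscall=59 success=yes exit=0 ppid=3000 pid=3101 auid=1002 uid=1002 ses=8 comm="tar" exe="/bin/tar" key="exec"
type=EXECVE msg=audit(1244000400.000:505): argc=5 a0="tar" a1="xzf" a2="release.tgz" a3="-C" a4="/opt"
"""

MSG_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')
REMOTE_RE = re.compile(r"^[^/\s]+@[^:\s]+:|://")   # user@host:path or a URL
ARCHIVERS = {"tar", "zip", "7z", "rar", "cpio"}
ENCRYPTORS = {"gpg", "gpg2", "openssl", "ccrypt", "age"}
UPLOADERS = {"scp", "sftp", "rsync", "curl", "wget"}
WIPERS = {"rm", "shred", "unlink", "truncate", "ln"}


def parse_audit(text):
    """Join SYSCALL and EXECVE lines by event id; return events ordered by timestamp."""
    events = {}
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue
        rtype, ts, eid, body = m.groups()
        ev = events.setdefault(eid, {"ts": float(ts), "argv": []})
        if rtype == "SYSCALL":
            kv = {k: v.strip('"') for k, v in KV_RE.findall(body)}
            ev.update(auid=kv.get("auid"), ses=kv.get("ses"), pid=kv.get("pid"))
        elif rtype == "EXECVE":
            args = {}
            for idx, quoted, hexed in ARG_RE.findall(body):
                # an unquoted argument is hex: auditd encodes args holding spaces or control bytes
                args[int(idx)] = quoted if not hexed else bytes.fromhex(hexed).decode("utf-8", "replace")
            ev["argv"] = [args[i] for i in sorted(args)]
    return sorted(events.values(), key=lambda e: e["ts"])


def classify(argv):
    """Map one exec to a stage ('archive', 'encrypt', 'upload', 'wipe') or None."""
    if not argv:
        return None
    prog, rest = os.path.basename(argv[0]), argv[1:]
    if prog in ARCHIVERS:
        # only tar *creating* an archive is interesting; extracting one is ordinary work
        if prog == "tar" and not (rest and "c" in rest[0].lstrip("-") and "x" not in rest[0]):
            return None
        return "archive"
    if prog in ENCRYPTORS:
        return None if prog == "openssl" and rest[:1] != ["enc"] else "encrypt"
    if prog in UPLOADERS:
        if prog in ("curl", "wget"):
            return "upload" if {"-T", "--upload-file", "-F", "-d", "--data"} & set(rest) else None
        return "upload" if any(REMOTE_RE.search(a) for a in rest) else None
    if prog in WIPERS and any(a.endswith("_history") or a.endswith(".history") for a in rest):
        return "wipe"
    return None


def find_exfil_chains(text, max_gap_s=3600):
    """Per login session, report archive -> encrypt -> upload sequences and history wiping."""
    by_session = defaultdict(list)
    for ev in parse_audit(text):
        by_session[(ev.get("auid"), ev.get("ses"))].append(ev)
    findings = []
    for (auid, ses), evs in by_session.items():
        chain, wipes = [], []
        for ev in evs:
            stage = classify(ev["argv"])
            if stage == "wipe":
                wipes.append(" ".join(ev["argv"]))
            elif stage == "archive":
                chain = [ev]                      # a fresh archive starts a new candidate chain
            elif stage and chain and ev["ts"] - chain[-1]["ts"] <= max_gap_s:
                if stage == ("encrypt", "upload")[len(chain) - 1]:
                    chain.append(ev)
            if len(chain) == 3:
                dest = next((a for a in chain[2]["argv"][1:] if REMOTE_RE.search(a)), "?")
                findings.append({"kind": "exfil_chain", "auid": auid, "ses": ses, "dest": dest,
                                 "commands": [" ".join(e["argv"]) for e in chain]})
                chain = []
        if wipes:
            findings.append({"kind": "history_wipe", "auid": auid, "ses": ses, "commands": wipes})
    return findings


if __name__ == "__main__":
    for finding in find_exfil_chains(SAMPLE_AUDIT_LOG):
        print(finding)
```

The caveat the thread circles around holds here too: "HISTFILE=", "unset HISTFILE" and "history -c" are bash builtins, so no execve happens and an exec-based audit rule never sees them; the rm of .bash_history is caught only because rm is a real process. Keystroke-level coverage needs pam_tty_audit (or bash built with syslog history support), and the audit log itself must be shipped off the host, since the whole point of auditd in this story is that the operator cannot edit what has already left the machine.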

  • not exactly (Score:1, Interesting)

    by Anonymous Coward on Monday July 06, 2009 @10:25AM (#28594241)

    They weren't forced, they were part of the insider deals to get the loot. What backfired on them was the executive bonus compensations limitations proposals that came along later. They were perfectly willing to take money they didn't have and use it to acquire other assets initially.

  • by maxume ( 22995 ) on Monday July 06, 2009 @10:32AM (#28594315)

    elrous0 is bitching about something else. AIG is 'unwinding' the insane contracts that drove them out of business; rather than declaring bankruptcy and paying pennies on the dollar, they got 80-some billion dollars from the government and paid it to the people they had these contracts with. elrous0 is saying that Goldman Sachs got $13 billion of that money.

    Of course, between Goldman manipulating and controlling the government in order to receive that money (Secretary Paulson, who did much of the bailing out of AIG was a former Goldman CEO) and the government deciding to bail out AIG in order to preserve millions of annuities and whole life insurance policies, I choose to wear the blinders that let me believe in the latter.

  • Re:Surely not? (Score:1, Interesting)

    by Anonymous Coward on Monday July 06, 2009 @11:03AM (#28594647)
    Sure the Source Code will only teach you so much. Like being able to break in without needing root access passwords for one...
  • by bartwol ( 117819 ) on Monday July 06, 2009 @11:14AM (#28594755)
    Nope. You're unlikely to find interesting stuff there. The trading strategies mostly exist in the heads of traders, sometimes on their spreadsheets, sometimes in VB on their desktops, but rarely in the data centers.

    It's easy to think of these companies as monoliths, but it's not like that at all. Most of them have grown through acquisition. The systems of the acquired companies are only loosely integrated into core systems. And you'd be surprised how competitive and autonomous their traders are...each one tries to find his own advantage, and when he does, he's HIGHLY protective of it and unlikely to have the inclination or resources to put it into code.

    There are some exceptions to this. For example, there are some large asset inventory databases with an occasionally interesting costing methodology that could be useful to just the right kind of person who is positioned just right to take advantage of that knowledge. But that's a highly speculative and unlikely possibility.

  • Re:Surely not? (Score:4, Interesting)

    by Maxo-Texas ( 864189 ) on Monday July 06, 2009 @11:36AM (#28595047)

    Yes, but the root password list consists of having large numbers of government positions filled with former (and future) GS employees.

    Hard to put that in a suitcase.

    A lot of money was funneled to GS by Paulson (a GS alumnus) and some of their major competitors were crippled.

    Recently close to 40% of NYSE volume was GS which gives them enormous power to manipulate prices.

  • Re:Surely not? (Score:3, Interesting)

    by Hatta ( 162192 ) * on Monday July 06, 2009 @11:41AM (#28595117) Journal

    Knowing such things will allow you to tailor your fraudulent trades so as to not raise suspicion, or to make more money within a set amount of time. If you know precisely how far to push your actions, and then push no further, then you could continue with the same fraud for longer than you would otherwise without being discovered

    And if the public has access to this source code, we can figure out how someone trying to avoid detection would behave and nab them. Someone out there has access to this source code, and is almost certainly abusing it. Opening this source code would level the playing field. Absolutely nothing about our financial systems should be secret.

  • Re:Surely not? (Score:3, Interesting)

    by blahplusplus ( 757119 ) on Monday July 06, 2009 @12:15PM (#28595533)

    "While in the good old days the banking business was simply a place to store and borrow money, it has now become a mess so complicated that nobody really understands it anymore."

    The real problem is that stocks are a legalized ponzi scheme and should be done away with entirely; it's basically a ponzi scheme through abstraction using machines so you don't see the other people trying to fuck one another over for personal gain.

    Securities themselves are the problem: they allow the wealthy to suck wealth out of society on unprecedented scales in a legal way that is entirely suspect to begin with. If we could get rid of things like securities and credit default swaps, savings would probably pay a hell of a lot better. Trading is just too enticing for those that have the mega bucks and quite frankly it's a drag on the real economy.

  • by jonnyj ( 1011131 ) on Monday July 06, 2009 @12:26PM (#28595679)
    I'd respectfully suggest that the kind of quant that refuses to play nicely with security policies is the kind of quant that I'd rather not employ. And as I'm the kind of guy who gets to decide who works in parts of a financial services company, I'd also respectfully suggest that the kind of quant who refuses to play nicely with that kind of policy will find his career and earnings opportunities somewhat constrained compared with the kind of quant who's prepared to fit in with company policy.
  • by Anonymous Coward on Monday July 06, 2009 @02:19PM (#28597367)

    The easy answer is to close the market, or to limit anyone to two trades per day (or one trade an hour, or something like that), but that will likely not fly.

    The easiest answer would be for everyone to wise up and pull all their money out of the market.

    I'd like to see the banks keep playing if everyone else takes all their chips and goes home. We might even get back to a stable market instead of the "thing" that got created ever since the heyday of the Day Trader in the '90s. :/

  • by cpu_fusion ( 705735 ) on Monday July 06, 2009 @03:04PM (#28598023)

    Found a post on ACM by someone with same name as the accused. Looked like a person with research background in Neural Networks. No idea if it is the same person, but it would be intriguing to me if Goldman Sachs was using neural networks for trading.

    One interesting facet: if two or more counterparties in a market had neural networks that were trained to coordinate and cooperate in ways that would violate trading rules (e.g. like bridge players sharing info through actions), would the company be liable if the neural networks had developed these exchanges by themselves? In other words, would it be an instrumentality for violating the law if it learned, on its own, to violate the law, and the programmers / administrators "had no idea" it was doing that?

  • by Hynee ( 774168 ) on Monday July 06, 2009 @07:25PM (#28601353) Homepage
    I don't think it works like that, but I'm not an economist. I think the catch here was that the future price of the oil sitting in the ground went up massively, because there aren't any ways to increase the supply before it runs out. I believe articles like this Rolling Stone article peddle quasi-economic arguments, looking for correlations then asserting cause/effect without proving it.

    I have to make an erratum of sorts: Goldman Sachs not only didn't go bankrupt, they actually profited heavily from the crash in the subprime market... kind of takes the edge off half my comments.
