Programmer Admits Stealing US Gov't Accounting Software Source Code
An anonymous reader writes with this excerpt from NetSecurity.org: "A Chinese computer programmer who was charged with stealing the source code of software developed by the U.S. Treasury Department pleaded guilty to the charge on Tuesday. The 33-year-old Bo Zhang, legally employed by a U.S. consulting firm contracted by the Federal Reserve Bank of New York, admitted that he took advantage of the access he had to the Government-wide Accounting and Reporting Program (GWA) in order to copy the code onto an external hard disk and take it home." Just such things make me think that the default setting for software created with public money should be released with source code anyhow, barring context-specific reasons that it shouldn't be.
That seems like less harm than depriving the rightful owners of the code access: the American taxpayer.
if NON_DISCRET_SPENDING => WASTE
HIDE;
else
PROMOTE;
end
If the world had better accounting software, maybe the world economy would be healthier? But I think what the author of this submission is suggesting is that the American public should have public access to any source code written by the public sector. See the word public there? It's no coincidence they're all spelled the same.
> Just such things make me think that the default setting for software created with public money should be released with source code anyhow, barring context-specific reasons that it shouldn't be.
So that countries who have not spent money can use it for free?
I, for one, do not want the overpriced, often delayed, over managed & under performing software my taxes pay for to be 'free' for anyone, any company or any country. Let them overpay and wait for their own.
The ownership of the code can often get a little muddied, as the company who is paid to develop it may use their own funds at times too--or extend an existing product the company has for the government's needs--meaning some of it is proprietary and privately funded. This is why most such software is available for use within the government, but the private company maintains rights to continue to develop and sell it commercially as well.
The answer is simple - and possibly already implemented - keep the source and executable under a license and confidentiality agreement.
License it free to American companies/individuals but not for free (or at all) to foreign ones.
Certainly there would be issues with keeping a multitude of licensees from leaking source like a sieve to similar foreign moles/agents, but we aren't talking about a DVD or mp3 file either.
A Chinese national who used to work at my company lifted our proprietary code and fled back to China as well.
Not to sell the code afterwards but to keep at home so I can save some code patterns and ideas for future use.
If you're going to steal something from the United States, I'd think it would be much better to steal something that works well!
Normally, works of the US federal government are in the public domain, and not protected by copyright. How is this not the case here?
On another note, Slashdot editors, please stop using the word "stealing" for immaterial right infringements.
But he was Chinese, not American. In fact, that may be the only reason he was prosecuted.
Given the way our government seems to run its accounts, perhaps we should hope that all potential competitors / adversaries steal it.
So is he Chinese as in descent, or Chinese as in citizen of China? Those are two very, very different things. Even though the code may not be classified, I'm typically against having non-US citizens working on US-funded code bases. This seems like a security and political issue to me. Though the code may not be classified, it is likely subject to the same rigid standards that classified code is subject to. This seems like giving out too much information about how the US government requires code to be developed to a foreign body. I don't like it, and politically I like it even less. When the government is outsourcing, even by proxy, it makes this country look like a bunch of morons who can't do anything themselves. We have out-of-work developers right here. Typically I have no problem whatsoever with using products from other countries. This country was founded on a principle that immigration and diversification make a wide open place where anyone on Earth is welcome. I do like that a lot, but national security is national security even when it's something as small and seemingly meaningless as this.
That's making the false assumption that "physical property" and "intellectual property" are the same thing. Hint: they are not.
Any work of the United States government, or an employee of such working on government time, is automatically in the public domain. Everything from NASA photographs to recordings of the Marine Corps Band to every boring office memo are public domain. I don't see why that should not apply to program code.
Note also that "classified" and "public domain" are separate things - technically, even the ultra-top-secret "list of nuclear launch codes" is public domain, in that no one can claim copyright or trademark on it. So the "fire ze missiles" program can be (and probably should be) classified. But the accounting programs?
> Just such things make me think that the default setting for software created with public money should be released with source code anyhow, barring context-specific reasons that it shouldn't be.
posting as a coward for obvious reasons... a lot of government generated code is released as public domain. I've done it, several people I work with do it. I believe this wasn't released because it is considered "sensitive" (but where does this sensitive and non-sensitive line get crossed? government is conservative and will make something sensitive rather than risk it).
This isn't my agency or even department, but here is an example (not a great one): http://www1.eere.energy.gov/buildings/commercial_initiative/modeling_software.html
Do you really think anyone would want to steal that?
Do you really think no-one would? What if there's a vulnerability in there that could send the entire tumbling down? I'm sure no foreign power would be interested in that.
Since a government employee can use Office in the course of their job affecting you, would that mean that Microsoft must provide the source for viewing?
At what level would we set a limit? As the person you replied to stated, most times government contracts are for making minor changes, many soft-coded at that, to adapt existing proprietary software to the customer's needs.
I would agree with software created expressly for the government, as in it was the original customer.
No, that he was Chinese, not American is why it made the front page. He's clearly part of the Chinese conspiracy to steal our IP, even though there is absolutely no mention that he sent the code back home to some Chinese corporation. In fact if they had proof of that I think he'd be facing a bit more than 1.5yrs, even with cooperation and you can bet your ass they looked. In this case his story makes sense, he's probably not the only person to do this.
I'm not sure how many American engineers and developers make copies of the work that they did while an employee of some company, but I know the number is greater than 0. Almost none of them are using it for industrial espionage or in allegiance to some foreign power. But it is almost always against your employment agreement, and if caught you likely will be sued or worse.
When the employer is the government, everything just gets escalated a few steps.
Someone please mod this as +1 Informative.
The key here is that no one can claim copyright to work done by the US Government. This does not mean that it is accessible to the public.
We don't live in Shouldland.
... it was written in Ada, so nobody knows what to do with it anyway.
So he risked 10 years in jail just for bedtime reading? Seems improbable. And seems likely he will jump bail and pull another Charlie Trie.
I would have been more concerned if he took the data, not the source code. Unless the Chinese officials wanted to analyze it for security flaws?
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Not quite. It's true that a work of a U.S. federal government employee, performed as part of their official duties, cannot normally have copyright in the U.S. HOWEVER... most software developed for the government is developed by contractors, at least in part, and those parts DO have a copyright. (There are even a few exceptions for government employees, but they practically never apply.) Also, the term "public domain" has multiple meanings, presumably you mean public domain in the copyright sense (not the export control sense, which is different).
To see when contractors or the U.S. government can currently release software as OSS, see Publicly Releasing Open Source Software Developed for the U.S. Government by David A. Wheeler (me), Journal of Software Technology, February 2011. That's the current state of affairs.
I agree with the poster above: When "we the people" pay for software, then by default "we the people" should get it. I even posted an entry about that in 2010. Sure, there need to be exceptions, but they should be exceptions; it's not obvious why accounting software developed by the government is treated this way! I also agree that we should use clearer terms like intellectual rights (and intellectual works) - not "intellectual property" - because "intellectual property" is a fundamentally misleading term.
- David A. Wheeler (see my Secure Programming HOWTO)
Should the public also have keys to the government offices? The reasoning around here being if we paid with our tax dollars for the software, we should get the source code. Should we also get all the keys to all the doors? Or should we just not have locks on the doors to the gov't buildings?
> That seems like less harm than depriving the rightful owners of the code access: the American taxpayer.
Simply out of curiosity:
of what possible use is internal accounting software designed for enterprises on the scale of the US government to the average American taxpayer?
The software in question keeps track of money exchanged between US government agencies and, according to the authorities, its development cost nearly $10 millions.
Programmer pleads guilty to US govt software source code theft
He said to the FBI that he did it so that the code would be available to him in the event of losing his job, and to use it for his private business, which is teaching computer programming.
Ummm - am I the only one that would wonder why anybody would want this?
> So that countries who have not spent money can use it for free?
Sure. Why not? What interest does the USA have in keeping the rest of the world down? The World Economy is not a zero sum game.
Unless of course the actual owner of the source code is a private company that sells the same software to multiple governments or countries (state governments or other countries), at which point open sourcing it just fucked them out of a huge chunk of their revenue.
Worse still is that the same basic accounting software may be used by corporations as well. There are lots of problems when writing software for money that aren't unique to the US, or to any decimalized system that uses numbers in the approximate ranges that dollars are used in, so there's a whole backend of making sure you are correctly representing numbers and dealing with them properly that could be used for any accounting software, even if part of it is US government specific.
A search for the program in the article points to http://www.fms.treas.gov/cars/index.html
which specifically includes reporting to a US government programme, so a corporation might need very similar if not the same software to plug into the Treasury and bill them, for example.
I can't imagine why. In cases like tax info, it's the data that's valuable, not the over-engineered Lovecraftian spreadsheet that is the tax calculations.
I quite agree w/ this. In fact, despite my general disagreement w/ the GPL, this is one of those rare cases where I think GPLv3 is useful: the original software written, since it's done for the US taxpayer, should be public domain, and any modifications made to it should be available under the same T&C. That way, businesses normally wouldn't want to touch it and taxpayers wouldn't be subsidizing free work for them, any improvements made to it will be publicly viewable, and so on. IRS written software would be one of the best examples of what should be GPL'ed.
If other countries or entities then want to use it, they can, but any changes they make would have to be made available. Which can then be determined whether it's useful to its original creators and included in the main branch. Same goes for other individuals or organizations doing it.
Only exception to the above rule is if the government software in question is needed to work on classified information, or for things like the military, in which case, secrecy is important. In such cases, a good idea would be to have such software w/ source code under limited distribution, so that it doesn't fall into the hands of enemies.
The Federal Reserve is actually a public-private corporation that happens to do some important Treasury-related functions. They're not an actual federal agency like the US Mint.
Yeah. I am sure that somebody that wants to attack the west would never be interested in getting access to our software. I mean how useful would it be for China to see where we are spending money at (note that this was about REPORTING) or being able to change the numbers so as to cause chaos within the gov. Likewise, they would never want to control our utilities, our transportation, etc.
You'll see that the main reason they went after him was because he took the source code in order to use it for his personal profit, and it hadn't gone through the proper channels to make it public-ready. In other words, what he did with the accounting software was roughly equivalent to taking classified missile control software home in order to either start a competing business or use it to help his current one. Technically, the software is "public domain," but the Federal Reserve had not actually gone through the process of making it ready to be released to the public.
I have no problem with him doing a few years for that, because what he did is no different than taking a work-for-hire work home to use for a customer who didn't pay for it nor was authorized by the paying customer to have it. That's for-profit copyright violation in the private sector, and since he intended to derive private benefits from it, I don't see much of a difference. It's not like he took it home, modified it to be attractive to the Department of the Treasury and tried to demo it to another part of the government (since the Federal Reserve is a quasi-federal agency, taking their code to show to the Treasury would have been less legally problematic).
"US Government Accounting".
Yes it is in the public domain, but there is no requirement for them to proactively share it to the public.
I see the Chinese government's attempts to derail forums dealing with anything mentioning China are ongoing.
> He said to the FBI that he did it so that the code would be available to him in the event of losing his job, and to use it for his private business, which is teaching computer programming.
How much involvement did he have with the code? Meaning how much of it did he write?
Even in a complex system, a hands-on developer should know enough of the concepts that they could mock up something for later. Not necessarily a functioning application, but pseudo-coding at a high level to re-evaluate later.
Seriously, if someone is teaching computer programming, how much specifics are you going into? You don't need the line by line, but the concepts.
Well maybe if you are teaching how to debug large scale code, I could see the need to have a library.
Maybe he is an example of the old joke, "those who can't, teach." I'm not a fan of the joke as it was good teachers who helped me to hone my analysis skills.
But for security reasons there are some good things about closed source.
Let's be real here, we're talking about root financial systems. Neither individuals nor most corporations have any interest in this software. This is the purview of nations and huge trade alliances.
Keeping the code secret makes it more secure. Yes, it can't be used as the only level of security. It must be on TOP of everything else. I don't think giving the Chinese access to our Treasury accounting software is going to make the world a better place.
> I, for one, do not want the overpriced, often delayed, over managed & under performing software my taxes pay for to be 'free' for anyone, any company or any country. Let them overpay and wait for their own.
Hmm, maybe 'free use' for any of the US naturalized/tax paying citizens.
That's embarrassing, and just because the US currently has no conservative parties.
You misspelled "liberal".
I can't believe the comments I'm reading here. The crime, as I understand it, is that a Chinese citizen used his trusted access to US government goods to STEAL US government goods. I don't care what it is...if he stole staples, it's still stealing.
The comments here all seem to think that, simply because the US government paid for the code at some point *then* everyone in the world should have access to that code. Surely you're joking, right?
> He said to the FBI that he did it so that the code would be available to him in the event of losing his job, and to use it for his private business, which is teaching computer programming.
So, as I understand it, his defense is that he stole the code for his own commercial use. He admits to stealing code "for his own commercial use". I put the second half in quotes, because we have no proof as to his ultimate intentions. He could have been planning to bring that code back to China with him and share it with the Chinese government in a private, espionage sense. It doesn't matter if the code is the most boring, useless code...it's still US government property. Even if all US government property is "US public property", you still have to be a US citizen to lay use to that property in any legal way. What he did was illegal and highly suspicious.
That's a good point. As a minor point of clarification, the Board of Governors in DC is part of the Federal Government (an agency within the US Treasury), whereas the reserve banks and branches are public-private corporations, as described. Since this happened at the New York reserve bank, your comment applies. I just wanted to pipe up with that minor distinction.
Software is acquired from a contractor, so the Federal Acquisition Rules and various tailored versions, e.g., DFARS, apply. It is not developed by the USG, unless specifically talking about something that a USG civilian employee (__not__ a contractor) authored.
The government purchases systems, writes contracts to acquire systems. Source code is considered data -- so the applicable FARS and DFARS are technical rights to data. Data rights are negotiated separately from software (system) rights and source code is delivered as part of a separate contract deliverable requirement list (CDRL) item, if the source code is even delivered. In 99.999% of contracts I've seen, source code is never delivered and when it is delivered, the most restrictive data rights are applied.
A lot, though, is changing through the DoD's Open Architecture initiatives (formerly the Navy's Open Architecture Program). Source code is expected to be delivered as a CDRL item with unrestricted rights as the default. And it turns out that the GPL is a version of an unrestricted license (I know because I spent a week with the SFLC and a Navy IP attorney collecting the information), so there's some hope on the horizon.
Bad news for those of you hoping to get a major weapons system's source code: The USG is the owner of the conveyed executable, so only the USG gets the source code.
Well, if they're using Hollywood accounting, I can see what they'd want that classified...
"Bo Zhang .. said .. he did it so that the code would be available to him in the event of losing his job, and to use it for his private business, which is teaching computer programming".
...
"The software in question keeps track of money exchanged between US government agencies and, according to the authorities, its development cost nearly $10 millions."
This is, of course, bullshit.
(too late, I suspect), but the first thing that came to mind while reading TFS are all the tech companies yet again whining for even more work visas because they just can't find 'good enough' US citizens. 'Good enough' being a working definition for mole, nationalist, or just straight-up thief. But hey, they work hard and cheap (discounting the rather negative ROI of IP theft).
> Note also that "classified" and "public domain" are separate things - technically, even the ultra-top-secret "list of nuclear launch codes" is public domain, in that no one can claim copyright or trademark on it. So the "fire ze missiles" program can be (and probably should be) classified. But the accounting programs?
If I was a criminal I would rather have access to the source code for someone's accounting program than almost anything else. If you gave me the list of nuclear launch codes tomorrow I wouldn't have any use for them.
Is that "public domain" in the US doesn't mean "available to the public".
Who knew?
Stop sticking your fucking opinion in the posts and shut the fuck up.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
True. But Liberals seem to think their decisions are not just better for themselves, but the decisions they want to make for everyone else are better also.
And the decisions are different. Bad Conservative, stop polluting our environment. Now, 'scuse me while I hop in my private jet and get to Cannes in time for lunch with the gang. OK? We good here?