To really understand who is right and who is wrong here we would need to read the letter of the agreements between these entities, and cross reference them with facts. Of course neither the contracts, nor the facts are available to us.
As is, the best I can do here is to put all participants on my personal “do not work with” list. Who needs the drama.
In particular there seem to be at least two points of miscommunication: it sounds like EE were told how much DEFCON can spend per badge. And they took that number to mean only the cost of the board and electrical engineering costs associated with it. Ignoring other costs (lanyard for sure, and maybe the cost of the plastic case too?).
The other missed connection seems to be the legal position of the firmware developer. EE seems to say they thought the guy was not their subcontractor but someone working for DEFCON. While DEFCON seems to imply that they thought he was an EE subcontractor.
I see a lot of comments here with strong opinions on who is right and who is wrong in this dispute. It also seems to be that those strong opinions are based on assumptions. In particular assumptions about what the contract might say, but treated as if it is not a speculation but the truth. That logic is not persuasive to me.
The way EE phrases it, they were paid much less than they were owed, but owed according to what? Their internal accounting, or what they'd mutually agreed on with DC? Only the latter matters.
Emails saying "it's going to cost $X more", if any of EE's emails rose to that level of clarity and directness, are legally useless and meaningless without clear assent from DC.
> I was not anybody’s contractor or subcontractor. I’m not employed by entropic nor by you [DEFCON]. I did this in my free time so attendees could have a fun badge.
[1] https://old.reddit.com/r/Defcon/comments/1ep00ln/def_cons_re...
But even if I take it as true, doesn’t mean that DEFCON couldn’t have believed he was subcontracting for EE.
Similarly if it was DEFCON who introduced the firmware author to EE, EE might believe the firmware author is with DEFCON.
Obviously the contracts should be crystal clear about who is with who, and who is responsible for what. We hear that the firmware developer had no contract with anyone. That is very bad. But whose bad is it?
If there is a contract between EE and DEFCON which states clearly that EE is responsible for the firmware that is very bad for EE then.
If there is no contract between EE and DEFCON, or it is not clear enough who delivers the firmware then that is very bad on DEFCON. (I would be surprised if that is the case, but who knows in this whole mess.)
Based on the sum of all statements it continues to be very plausible that Dmitry basically had no on-paper relationship with anyone... and did everything on a pure friends and family basis. If so that is a huge awkward fuckup.
Also unfortunate is the possibility that if Dmitry is just some detached party trying to defend Entropic's honor, he basically started a firestorm which burned bridges between Entropic and defcon.
Once Dmitry started the whole thing, defcon immediately attacked the reputation of Entropic by saying they exercised bad faith in business and were incompetent and profligate. Defcon attacked so hard that there was no way to unring that bell. Then Entropic had no choice but to respond to defcon.
I see this occasionally with small companies, usually it's more of a personal request from one of the employees to provide some code on a volunteer basis, perhaps solely because they are passionate about that sort of thing and someone knew that about them.
In the end, if the favor is upheld and they provide the code/binary/whatever to the company (who has a contract to deliver such code), then that company's upstream contract is still fulfilled, technically it doesn't matter that the coder was not an employee or contractor. The only real downside I see for this is legal liability for the company if they end up unable to provide for their customer, but that's between the two of them and their contract, the coder is basically not on the hook for any problems.
That is not the only legal liability. If EE has a contract with DEFCON saying that they will give DEFCON the firmware and the rights to distribute it. But EE does not have those rights (because they haven't signed a thing with the developer) that can go very wrong for EE.
Basically the developer can sue DEFCON, since they are distributing his code. DEFCON believes they have the rights to do so, because of their contract with EE, but basically EE is giving away something they don't have. That can be a lot worse than just failing to deliver the contracted firmware. In my opinion.
Sorry for the many questions but you’re the only real source to get more info on this situation here.
I do favour Entropic slightly. Simply because DEFCON being the larger entity has more power in the situation to dictate terms, and also because the end result favours DEFCON. They have their badges using the work Entropic put into them.
But I recognise that this is entirely feel and vibe based. Which is not the proper basis to decide anything.
> Why did the firmware engineer add a crypto beg for a "joke".
He saw the relationship between EE and DEFCON going bad, and decided that it is not okay and took a stance to protest it. Half of his stance was the screen in the firmware, the other half was him making a scene at the main stage.
If he didn’t do that we wouldn’t know about the issue.
If the terms were clarified before the contract was signed, I don’t really see this point. If you sign a contract to do something, it doesn’t matter how much power the other party has. If you don’t like the terms they dictate, don’t take them as a customer. And once there is a contract, the terms should be locked in.
a) acknowledge that they can't fulfill the contract under the existing terms, and follow the contract's termination procedures
b) keep working to try to complete the project, because the agreed upon payment is better, even considering the extra work, than whatever contract termination involved
When DC told EE to stop work, they did so rather than say "everything's fine, we're continuing as agreed"? That means they knew they couldn't deliver as contracted, or didn't want to because every day they kept working would lose them more money even if they fulfilled the contract.
This is why they should've had a reasonable contract that didn't require heroics in order to break even. Because, when things started to go bad, they needed a fallback besides taking a big loss for partial work, and taking a bigger loss for complete work.
Or alternatively, they could've reasonably contracted to do something nearly impossible, if they were okay with failing and getting nothing, at least for the r&d portion, turning it into an RP2350 learning opportunity. (Presumably, if they made it to production, the contract easily covered production costs.)
I didn’t see that in their statement.
Unsurprisingly, it contradicts some of the claims Entropic has been making. Entropic admits to having exceeded agreed upon budgets by a significant amount, which DEFCON corroborates. There is some disagreement about what has been paid, though, as DEFCON believes they have paid for the hardware development.
Some of the other claims also appear to have been exaggerated or at least phrased in misleading ways. The Entropic Engineering logo was not removed from the PCBs. Their logo was not included on the plastics because Entropic was not responsible for the plastics and the initial plan to include their logo was only a courtesy before the relationship soured. The DEFCON statement alludes to budgets being exceeded by a significant margin (not covered by minor reductions in hourly rate as the other statement implied) and even calls out some “bad-faith” charges.
I’m also confused about the earlier threats to use the DMCA against DEFCON for using the firmware without a license. As far as I can tell, the firmware was produced as part of the agreement between DEFCON and Entropic, in which case there shouldn’t be much question about the license as it’s a work for hire. Imagine hiring a company to write software to your spec and then to have them later try to claim they’re going to pursue legal action for using the software you paid them to write. Something is strange here.
It also appears that the firmware engineer’s dismissal from the talk was communicated before it began, so his choice to get on stage anyway knowingly violated that decision. Regardless of what we think should have happened, getting up on stage after being told not to isn’t going to go well at any conference for any reason.
I think there’s a lot more to this story than the initial round of accusations let on. I think the first movers in publishing their narrative often win the public opinion debate, but if even half of what DEFCON is saying is true then Entropic and their team don’t appear to be operating entirely in good faith with the way they’ve handled this publicity.
Work for hire is about employees. Entropic is not an employee of DEFCON, it is a company with a contractual agreement to provide something in exchange for money. The details of when, if ever, IP rights are transferred to DEFCON should be spelled out in the contract. I have seen all sorts of arrangements for that. However, in a well drafted contract, IP ownership probably wouldn't transfer prior to payment.
Also, the firmware author isn't an employee of anyone. In a lawyerly world, that would be resolved with a clear copyright assignment or license, but I have no idea if that happened.
The default state of things is that the author owns the code, regardless of any contracts between Entropic and DEFCON. He may or may not have signed those rights away, but if his other assertions are true (that he wasn't anyone's employee or contractor) then I'd be mildly surprised if the right legal structures were in place to ensure DEFCON owned the code.
That's an issue when writing code for hire too (or, e.g., hiring a photographer). If you're not careful, you don't have very many rights with respect to the final product, even after paying somebody to write it for you.
Implied, limited, non-exclusive licenses are a thing, and I wouldn't be terribly shocked if (assuming a judge had to decide) all parties aren't at least allowed to continue distributing the badges (perhaps not to redistribute the firmware itself, modify the firmware, ...). Things get murky in a hurry though, and finding a resolution not requiring a court is probably better for all parties.
1. You specifically ordered or commissioned the work,
2. There is a written contract that states that it is a work for hire, and
3. The work falls into at least one of these 9 categories:
• a contribution to a collective work
• a translation
• a part of a motion picture or other audiovisual work
• a supplementary work (e.g., foreword, illustration, editorial notes)
• a compilation
• an instructional text
• a test
• answer material for a test
• an atlas
For a long time contract software usually could not be a work for hire because it usually did not fall into one of those 9 categories. I believe in recent years some courts have decided that contract software usually does fall into one or more of them and so can be a work for hire. I don't know if that view has become widespread or is just confined to some federal court districts.
Practically what this means is that when hiring a contractor you either put in the contract that the contractor will assign the copyright to you or that you will be given a suitable license to use the code that is pretty much equivalent to owning the code (irrevocable, exclusive, allows making and distributing derivative works, you can sublicense to others on any terms you want, etc).
In theory that's true if they legally structured things properly. All comes down to what legal structures were put in place between all three parties starting with the contract (if any) between Entropic and the sub.
I kind of agree, but that assumes they all set up their contracts appropriately... which, having been deeply involved in that community for many years... let's just say I could toss a coin about that assumption being true. If the sub didn't sign anything and Entropic/DEFCON just took his firmware and used it (even if that was the contractor's intention), it's still a significant IP liability for whoever was flashing it all.
Nope, DC knew that I was writing firmware and I am not a part of Entropic, nor report to them. From the very start of this project they knew this. The first email at the start of the project stated this.
Such a gross "oversight" does not reflect the care they're claiming to have exercised.
This part also seems a tad over the top and dramatic:
> We are especially grateful that Dmitry was not hurt in the physical removal he was subjected to as a result of his demonstration of solidarity
This individual chose to not comply with the venue operator's request to leave the stage, so they pretty gently escorted him away, as can be seen in the video which has been linked in every prior submission. Risk of injury was negligible, if any.
So I'm left uncertain which story is to be trusted here.
To be fair, it's clear DefCon has previously been fueled by Supermen and Superwomen who threw themselves under the bus (possibly were exploited) by working for free or nearly free to deliver. People deserve to be compensated for their work according to the terms of whatever employment agreement was signed, not the games that have been played here.
If quality of work was misaligned, it'd be another matter, but neither party has alluded to this.
Thanks for the information, my mistake.
> EE has tried multiple times over the past months to negotiate fair compensation for work completed prior to June 7th, but attempts at resolution have been unsuccessful.
> Once the manufacturing was fully completed, we were offered a one-time “take it or leave it” amount worth well under half of what we were owed pre-stoppage. Given that what we were owed was already discounted by 25% in order to hit agreed upon cost targets, this has had a huge impact on our small team. We are also still owed substantial sums for parts that we purchased on behalf of DEFCON for use in the badge. Again, all subsequent offers to negotiate a settlement in good faith have not received any productive response.
If not for him we would not know that there is a dispute between EE and DEFCON. DEFCON would be still pissed with EE that they went overbudget, and EE would be pissed that they were not paid what they think are owed. EE would also be pissed that their logo was removed from the case which (rightly or wrongly) they thought was part of their compensation.
Without his actions we would be none the wiser about any of it, but clearly the relationship would be anything but amicable.
He is some sort of poorman’s vigilante and even embedding an unauthorized Easter egg with a BTC address.
Thank you for your opinion. I will decide what is my business and what is not.
> The firmware developer is really the one causing most of the problems. If not for him, this would have handled amicably between EE and DEFCON.
Defcon stopped paying and talking. They would have brushed this all under a rug. What’s your involvement anyways besides a free contributor to the emulator?
I mean, it seems pretty clear to me that defcon is in the wrong here, and everything else is just drama.
Filing the serial numbers off to hide that EE was to credit for it, getting f’d at a hidden screen that credited them.
Come on, fuck off. EE did the work here. Not crediting them sucks.
The rest of the stuff, I really don’t care about, but you can’t put a ribbon on what they did. Remastering the injection mold cast? Removing the logo? That sucks.
:(
Give credit where credit is due.
If you didn’t make it, don’t try to pretend you did.
Just because you don't visibly put the creator's logo on the thing does not mean you are pretending that you made the thing. Your Ford F150 does not have the logos of the 3rd party companies that programmed the ECUs, made the brake pads, etc, and yet I doubt anyone here would think that Ford is pretending they did whatever.
This is not agreeing with what was done, just brake checking your broadbrushing
Why would someone's gender, sexual orientation or skin color be relevant to developing a badge? This is so weird.
Likely, the thinking was, "We know that in the past such firms have experienced disadvantages. In years past, bias and discrimination against them may have hurt their chances of procuring a contract like this. Recognizing that historical disadvantage, we now want to give such firms opportunities to show the world that they are every bit as capable."
But we don't. We just use our work and our reputation.
There's no "historical disadvantage" for a company that supports the hacker community to be full of all sorts of eccentric, non-conforming people.
It's impossible to try to remove the sense of entitlement one gets from this company after that, given the rest of the situation seems to weigh in that way especially given I've heard of procurement of these badges having no such problems before.
EDIT: That said, Defcon doesn't end up looking too good either after this. Nothing good can come of this given things like this are usually probably done in quite good faith.
FWIW, I noticed that line as I read it, but it didn't make me prejudge the situation.
I mostly noted it as a potential interesting bit of info that might reflect well on DEFCON organizers involved with the badges.
Are you critiquing the writer's PR savvy -- that they should know that progressive references can both help and hurt them, due to political polarization?
(Examples: Some people warm to them. Others feel skepticism or even anger. Others might be personally indifferent, but assessing the PR situation.)
Or are you saying that you think a line like that definitely hurts reception of the writer's argument much more than helps them, with whomever their target audiences are?
Why is it "political polarization"?
DC hired an engineering firm based on, at least in part, reasons that have nothing to do with engineering. The project fell apart. Should the procurement process not be questioned, along with selection criteria?
The assertion of "they expressed that they specifically wanted to work with us" doesn't assert anything about the selection criteria.
Even if we parsed every word rigorously, and took it as absolute truth, it doesn't necessarily mean anything more than the usual excited to be working with you polite enthusiasm convention that many business people and creatives/talent tell each other at the start of a partnership.
It could also be an overture to establish friendliness, in context, like to delicately convey that they are not one of those people who might seem biased against some groups.
Or it could, as you suggest, be alluding to selection criteria (e.g., we need X, Y, and Z, and bonus points if the partner happens to not look like they usually do, because the org wants to appeal to and benefit from a larger pool of hackers who currently don't feel like this event is for them).
Or maybe we can't even parse it that carefully. Where did someone say they "wanted to work with [Entropic] as a woman-owned, queer- and POC-driven engineering firm to develop an electronic badge with a gaming element for this year’s conference." What exactly did they say, and in what context?
Yes. This is something that appears extremely defensive / conflict-seeking and just increases the chance of escalation. It's the kind of similar thing if they wrote something like "an engineering firm where 70% of the engineers have proudly summitted Mount Everest, something most people can only hope to do", that has zero relevance to the issue at hand but by default sets a setting where they are trying to appear somehow holier-than-thou and whatever they say is put under undue scrutiny even if that is the only snafu.
In making clarifications like this, one must be as possibly humble as they can and only talk about things with immediate relevance to the issue. That should be so unbelievably obvious. What they say on their frontpage, like trying to give some "vibe" might be something else of course, and doesn't as necessarily have to do with their craft. This PR person confused these two and should probably be fired, for the same reasons of doing the opposite of their job as for example some Helldivers 2 community manager semi-recently did. If a golden retriever in their position would do less damage, they are not the person for the job.
I can make a few guesses why they put it out there (including, but not limited to, a kind of defensive signal "please hear us out, we're good people here", which would be understandable, since they're threatened).
But it's predictably inviting both biased/triggered negative reactions, as well as other people who wonder why you're leading with that when allegations are about something else.
I'm not a PR expert, so I can only guess at what all nuances they have to juggle. As a person, I imagine the situation has been pretty rough on a number of people.
Exactly those types of orgs which exist primarily to fill this quota. Any kind of capacity to actually fulfill project requirements is secondary.
Defcon stiffs badge HW vendor, drags FW author offstage during talk
> Once a month, we billed for our work and submitted an updated estimated per badge final cost - committing as costs built to discount our work as necessary in order to hit DEFCON’s per unit cost targets.
If it's true that DEFCON wanted dirt cheap badges produced in record time, then I think the fault lies not in the project's management & execution but in the client's expectations & resourcing. No accomplished vendor would accept such a low price point, so that just leaves the unaccomplished. Vendors who overpromise and underdeliver, who would accept payment in terms of "clout", or who would be too afraid to pushback on crazy or high pressure expectations until it's too late.
A classic set-up-to-fail situation.
For me, this is a clear case of mismanagement and bad communication. DC gave EE the wrong budget (cost for the whole badge instead of the PCB+fw) and then completely ignored the reports they received until it was too late. At which point they decided to force EE to pay for their mistake instead of man-ing up and accepting at least some responsibility.
Don't forget DC gets 460$ × 30k from ticket sales alone, they should be able to handle this better. And this is not the first time they have screwed suppliers.
Entropic appears to be pulling at some emotional response with their initial introduction in regards to LGBTQ, etc. That’s irrelevant information.
What is your source for this?
But it appears they waited until the end.
Contractual terms and timeline should have been better. Starting this in January was probably too late. Badge issues have been common in past years.
It is quite common for a big entity to act shitty towards smaller makers. So *if* this is the case, DEFCON are the bad guys, no matter how common it is.
Citation needed. I have never heard this
According to the (admittedly biased) article, Entropic ate all of the cost overruns:
> Once a month, we billed for our work and submitted an updated estimated per badge final cost - committing as costs built to discount our work as necessary in order to hit DEFCON’s per unit cost targets.
I’m not sure of that. Entropic’s statement uses odd language: “…in order to hit DEFCON’s per unit cost targets.”
Why not just say “in order to hit DEFCON’s cost target”? Why “per unit”? It sounds like Entropic might have gone over budget on some other costs (for example, development) and only discounted hardware or manufacturing cost.
It would just be so easy for the other party to retort with "we never agreed to that" because they did not. I'm no legal type, but this just doesn't seem like it would ever hold up in any way. Even with wording of "if we do not hear back, it will be assumed as your agreement" as there's no proof it was actually ever received.
E.g. many craftspeople bill you by the hour and give you a rough estimate how long it could take beforehand. If the thing they are fixing for you has 3 more faults that you didn't mention to you, they will mention to you that it costs more and if they should proceed.
That is totally common, but the increased estimate needs to be communicated clearly and get an OK from the customer.
Yes, they ask before proceeding. The parent assumed EE proceeded without asking, which is also how I interpret the situation. That’s not the norm, right?
In a past life as a contractor, if we had a prior relationship with a company, we would absolutely sometimes start work on a new project without having all the ink dry, on the good faith assumption that they had reliably paid us before, and would, in turn, pay us again.
Jokes aside, we routinely work for clients without any contract. Contracts get finalized usually by the time a prototype (1/4 - 1/2 of the whole job) is done.
Corporate world is slow. They really like it when you come in and start delivering. Having something to show makes it easier for them to get the project green-lit.
There are obviously some reserves just in case it wouldn't pan out and I still feel quite uneasy. It works, though.
Haha, reminds me that the risk sometimes goes both ways. Like that one time we've got 100% paid for 1/2 the work and then kept working to finish the other 1/2. Can't betray that kind of trust.
(Not related to this drama. Just another data point from elsewhere. It's nice to see others start working first and only call lawyers second.)
Credit was not erased from the PCB nor the software, which were the parts Entropic was contracted to do. They declined to include Entropic on the plastics, which is understandable given that Entropic didn’t do the plastics. It also likely saved machining costs on the mold for a project that was already over budget.
The original accusations appear to be a little exaggerated.
And issuing a stop work order doesn't mean you can just not pay for the work done so far. It means you're not paying for any further work.
These two statements cannot be both true at the same time 🠉 🠋
> Once a month, we billed for our work and submitted an updated estimated per badge final cost - committing as costs built to discount our work as necessary in order to hit DEFCON’s per unit cost targets.
Any guesses on DEFCON's budgets "targets" and EE billed extra hours (including rates) anyone? :?
We are especially grateful that Dmitry was not hurt in the physical removal he was subjected to as a result of his demonstration of solidarity. We want to extend our thanks to all attendees who have been asking questions, reaching out, attending surprise side-walk cons, displaying the about page badge on the con floor, and, especially, keeping a community eye on law enforcement and conference security to help ensure our friend Dmitry’s safety in the last 48 hours.
The guy deliberately crashed the stage, knowing his invitation had been rescinded, demanding that "security" (read: random goobers who volunteer for this role in exchange for a colored t-shirt) remove him. He's fine. He got literally the thing he wanted, and "Entropic" knows that full well.
You're a vendor in a contract dispute, Entropic, not Poland's organized effort to throw off Soviet Communism. Miss me with this "solidarity" stuff.
I assume considering the size of Def Con the same applies.
Then hacker conferences like defcon have their own volunteer staff of various kinds. These usually are doing crowd control and information, but occasionally get involved in attendee drunken or stupid incidents, usually with lesser consequences to attendees.
Some high profile attendees (NSA head, John McAfee, etc) have their own personal security; goons/volunteers then worked as a buffer between those people and attendees. (I did this for a McAfee event at BSides which was super fun because his armed security were also high on methamphetamine and erratic)
Casually thrown in there at the end! Tell us more?
This is not universal across Europe.
I've been part of organizing computer events in the 5k participant range without any hired security or medical staff. I think it greatly depends on the standing and culture of volunteer work in your country.
Defcon is completely insignificant compared to the scale and size of the events that occur in Las Vegas, there are more people partying on the strip on any average Tuesday.
After reading the further responses, I am convinced that DEF CON is kind of a crummy business. This commenter, who does not deserve to be downvoted, and the vendor were both stiffed by DEF CON. There seems to be a lot of drama attached to this organization that unfairly rubs off on its well meaning collaborators.
In the interest of curiosity, I wonder why IT organizations built on the free contributions of others can ever treat their collaborators indelicately. It would be one thing if DEF CON were some superstar artist, where taking the kid gloves off and delivering harsh feedback is part of the learning process, but it’s just a conference organizer.
Look, I've got two things going on with this whole story:
First, it's pretty clear that Dmitry (a name I know only from HN from the past couple days) deliberately arranged the showdown with the Goons. He got what he wanted. Nobody should be clutching pearls about his experience on the stage.
Second, while none of us know the particulars of Entropic's contracts with DEF CON, and we could still learn new stuff that would make it clear DEF CON is in the wrong, there are a lot of people on HN that are trying to (or aspire to) consulting, and there is something very important to learn from what's happening here: you do not want to do what Entropic did and pick a fight with your client, because (1) you're probably not experiencing something that is that out of the norm for consulting and (2) other prospective clients are absolutely going to take notice.
How would you feel that reading that line of yours made my eyes roll?
You’re mocking this guy for creating drama, then you go and say these conference organizers are some dramatic hyperbole. “The only valid drama is my drama.” It’s the pot calling the kettle black!
What? Getting stiffed payments is probably the leading cause of "vendors with a contract dispute".
Go to your lawyer (you do have a lawyer, right?) and have them nicely ask for the money before starting a lawsuit for it plus the contractually specified penalties.
Unlike a lot of non-paying customers, DEFCON probably has money, so you can rest relatively easy knowing you will see it (plus penalties) eventually. If DEFCON was planning on spending that money someplace else, that is their problem, not yours.
I don’t know the company but this statement makes them sound like a bunch of amateurs, and I’m now inclined to believe Defcon’s statement on what actually happened.
That's what's kind of interesting about this entire drama. The entire conference is based on people that break systems, bend the rules, bask in pseudo outlaw rider cachet, and an amorphous alternate shadow moral code.
And yet here we have Internet lawyers arguing formal contracts between contractors and suppliers. There's obviously greed involved here somewhere, and someone is being non-hacker-code compliant.
To me the public actions with the most scumminess is defcon: using security guards. Reforming molds. Using the produced badges rather than just paper badges. Thin accusations of malware at a hacker conference.
C'mon, man!