Entropic Engineering DEFCON 32 Statement (entropicengineering.com)
220 points | 28 days ago | 17 comments
krisoft
28 days ago
As per usual nobody comes out of these things looking good.

To really understand who is right and who is wrong here we would need to read the letter of the agreements between these entities, and cross reference them with facts. Of course neither the contracts, nor the facts are available to us.

As is, the best I can do here is to put all participants on my personal “do not work with” list. Who needs the drama.

In particular there seem to be at least two points of miscommunication: it sounds like EE were told how much DEFCON can spend per badge. And they took that number to mean only the cost of the board and electrical engineering costs associated with it. Ignoring other costs (lanyard for sure, and maybe the cost of the plastic case too?).

The other missed connection seems to be the legal position of the firmware developer. EE seems to say they thought the guy was not their subcontractor but someone working for DEFCON. While DEFCON seems to imply that they thought he was an EE subcontractor.

I see a lot of comments here with strong opinions on who is right and who is wrong in this dispute. It also seems to be that those strong opinions are based on assumptions. In particular assumptions about what the contract might say, but treated as if it is not a speculation but the truth. That logic is not persuasive to me.

harshreality
28 days ago
Exactly. Let's see the formal contract. The deliverables, the payment schedule, and any emails indicating DC agreement to subsequent requests for changes of terms.

The way EE phrases it, they were paid much less than they were owed, but owed according to what? Their internal accounting, or what they'd mutually agreed on with DC? Only the latter matters.

Emails saying "it's going to cost $X more", if any of EE's emails rose to that level of clarity and directness, are legally useless and meaningless without clear assent from DC.

iwontberude
28 days ago
If they said it will cost more and DC took delivery, that is sufficient. There is such a thing as unjust enrichment and DEFCON is responsible for paying for the goods and services they receive. You simply cannot stiff someone because the original agreement didn’t include the extra work. As with almost any project, it’s inevitable DEFCON wanted changes and those could make the original contract obsolete.

red_trumpet
28 days ago
The firmware author themselves write[1]:

> I was not anybody’s contractor or subcontractor. I’m not employed by entropic nor by you [DEFCON]. I did this in my free time so attendees could have a fun badge.

[1] https://old.reddit.com/r/Defcon/comments/1ep00ln/def_cons_re...

krisoft
28 days ago
I’m aware of that claim. I can’t verify it of course.

But even if I take it as true, doesn’t mean that DEFCON couldn’t have believed he was subcontracting for EE.

Similarly if it was DEFCON who introduced the firmware author to EE, EE might believe the firmware author is with DEFCON.

Obviously the contracts should be crystal clear about who is with who, and who is responsible for what. We hear that the firmware developer had no contract with anyone. That is very bad. But whose bad is it?

If there is a contract between EE and DEFCON which states clearly that EE is responsible for the firmware that is very bad for EE then.

If there is no contract between EE and DEFCON, or it is not clear enough who delivers the firmware then that is very bad on DEFCON. (I would be surprised if that is the case, but who knows in this whole mess.)

threatofrain
28 days ago
What's strange is that Dmitry continued to work for defcon after a stop work order, and also that Dmitry was originally invited to speak on stage (smells like consideration).

Based on the sum of all statements it continues to be very plausible that Dmitry basically had no on-paper relationship with anyone... and did everything on a pure friends and family basis. If so that is a huge awkward fuckup.

Also unfortunate is the possibility that if Dmitry is just some detached party trying to defend Entropic's honor, he basically started a firestorm which burned bridges between Entropic and defcon.

Once Dmitry started the whole thing, defcon immediately attacked the reputation of Entropic by saying they exercised bad faith in business and were incompetent and profligate. Defcon attacked so hard that there was no way to unring that bell. Then Entropic had no choice but to respond to defcon.

ranger_danger
28 days ago
> We hear that the firmware developer had no contract with anyone.

I see this occasionally with small companies, usually it's more of a personal request from one of the employees to provide some code on a volunteer basis, perhaps solely because they are passionate about that sort of thing and someone knew that about them.

In the end, if the favor is upheld and they provide the code/binary/whatever to the company (who has a contract to deliver such code), then that company's upstream contract is still fulfilled, technically it doesn't matter that the coder was not an employee or contractor. The only real downside I see for this is legal liability for the company if they end up unable to provide for their customer, but that's between the two of them and their contract, the coder is basically not on the hook for any problems.

krisoft
27 days ago
> I see for this is legal liability for the company if they end up unable to provide for their customer,

That is not the only legal liability. If EE has a contract with DEFCON saying that they will give DEFCON the firmware and the rights to distribute it. But EE does not have those rights (because they haven't signed a thing with the developer) that can go very wrong for EE.

Basically the developer can sue DEFCON, since they are distributing his code. DEFCON believes they have the rights to do so, because of their contract with EE, but basically EE is giving away something they don't have. That can be a lot worse than just failing to deliver the contracted firmware. In my opinion.

ranger_danger
27 days ago
To me that sounds the same as "unable to provide for their customer".

echoangle
28 days ago
This statement seems to be intentionally inaccurate to me. He’s not someone’s contractor, subcontractor or employee, but he still has to have someone he’s communicating with about the project, either at EE, DC or both. Why not state what the situation was? Was he working with EE’s team, DC directly or did he switch at some point?

dmitrygr
26 days ago
Everyone talked to me and I reported to nobody. DC made only two requests total (color of frame around screen, auto-boot to game instead of menu). EE made no requests but gave me info on hardware as I needed it to write the SW.

echoangle
26 days ago
How did you get into the project? I’m assuming DEFCON contracted EE and you were contacted by someone later to write the firmware? Was that EE or DEFCON? And to whom did you deliver your firmware code/binaries during development? Did you deliver to EE while they were still contracted by DEFCON and to DEFCON directly after the stop work order?

Sorry for the many questions but you’re the only real source to get more info on this situation here.

mannykannot
28 days ago
It seems quintessentially DEFCON to infiltrate both organizations by exploiting the breakdown of communication between them.

flumpcakes
28 days ago
I think this is a very balanced take and probably one that most people should follow. However, I do slightly favour defcon in this mess - why did Entropic take on a project that was nearly "impossible". Why did the firmware engineer add a crypto beg for a "joke".

krisoft
28 days ago
> I do slightly favour defcon in this mess

I do favour Entropic slightly. Simply because DEFCON being the larger entity has more power in the situation to dictate terms, and also because the end result favours DEFCON. They have their badges using the work Entropic put into them.

But I recognise that this is entirely feel and vibe based. Which is not the proper basis to decide anything.

> Why did the firmware engineer add a crypto beg for a "joke".

He saw the relationship between EE and DEFCON going bad, and decided that it is not okay and took a stance to protest it. Half of his stance was the screen in the firmware, the other half was him making a scene at the main stage.

If he didn’t do that we wouldn’t know about the issue.

echoangle
28 days ago
> I do favour Entropic slightly. Simply because DEFCON being the larger entity has more power in the situation to dictate terms […]

If the terms were clarified before the contract was signed, I don’t really see this point. If you sign a contract to do something, it doesn’t matter how much power the other party has. If you don’t like the terms they dictate, don’t take them as a customer. And once there is a contract, the terms should be locked in.

vextea
28 days ago
Entropic wasn't the people that added the hidden screen with the credit

rasz
27 days ago
That would require DC to sign a contract for a badge with no firmware.

trickstra
28 days ago
So how do you deal with the claim that they were sending regular cost updates and estimations throughout the development? (assuming they really did that). Shouldn't DEFCON stop it as soon as they realized some miscommunication about the price?

harshreality
28 days ago
DEFCON isn't the entity doing the work. It's up to EE to get DC's clear agreement on changes of terms. Otherwise, EE must either:

a) acknowledge that they can't fulfill the contract under the existing terms, and follow the contract's termination procedures

b) keep working to try to complete the project, because the agreed upon payment is better, even considering the extra work, than whatever contract termination involved

When DC told EE to stop work, they did so rather than say "everything's fine, we're continuing as agreed"? That means they knew they couldn't deliver as contracted, or didn't want to because every day they kept working would lose them more money even if they fulfilled the contract.

This is why they should've had a reasonable contract that didn't require heroics in order to break even. Because, when things started to go bad, they needed a fallback besides taking a big loss for partial work, and taking a bigger loss for complete work.

Or alternatively, they could've reasonably contracted to do something nearly impossible, if they were okay with failing and getting nothing, at least for the r&d portion, turning it into an RP2350 learning opportunity. (Presumably, if they made it to production, the contract easily covered production costs.)

firesteelrain
28 days ago
We can only take that at face value because we don’t know what contractual communication mechanisms were in place to handle these scenarios. It could be EE revising history here. We simply don’t know.

trogdor
28 days ago
> EE seems to say they thought the guy was not their subcontractor but someone working for DEFCON.

I didn’t see that in their statement.

Aurornis
28 days ago
DEFCON’s response was posted on Reddit: https://www.reddit.com/r/Defcon/s/NVw5T4LXQR

Unsurprisingly, it contradicts some of the claims Entropic has been making. Entropic admits to having exceeded agreed upon budgets by a significant amount, which DEFCON corroborates. There is some disagreement about what has been paid, though, as DEFCON believes they have paid for the hardware development.

Some of the other claims also appear to have been exaggerated or at least phrased in misleading ways. The Entropic Engineering logo was not removed from the PCBs. Their logo was not included on the plastics because Entropic was not responsible for the plastics and the initial plan to include their logo was only a courtesy before the relationship soured. The DEFCON statement alludes to budgets being exceeded by a significant margin (not covered by minor reductions in hourly rate as the other statement implied) and even calls out some “bad-faith” charges.

I’m also confused about the earlier threats to use the DMCA against DEFCON for using the firmware without a license. As far as I can tell, the firmware was produced as part of the agreement between DEFCON and Entropic, in which case there shouldn’t be much question about the license as it’s a work for hire. Imagine hiring a company to write software to your spec and then to have them later try to claim they’re going to pursue legal action for using the software you paid them to write. Something is strange here.

It also appears that the firmware engineer’s dismissal from the talk was communicated before it began, so his choice to get on stage anyway knowingly violated that decision. Regardless of what we think should have happened, getting up on stage after being told not to isn’t going to go well at any conference for any reason.

I think there’s a lot more to this story than the initial round of accusations let on. I think the first movers in publishing their narrative often win the public opinion debate, but if even half of what DEFCON is saying is true then Entropic and their team don’t appear to be operating entirely in good faith with the way they’ve handled this publicity.

gizmo686
28 days ago
> there shouldn’t be much question about the license as it’s a work for hire.

Work for hire is about employees. Entropic is not an employee of DEFCON, it is a company with a contractual agreement to provide something in exchange for money. The details of when, if ever, IP rights are transferred to DEFCON should be spelled out in the contract. I have seen all sorts of arrangements for that. However, in a well drafted contract, IP ownership probably wouldn't transfer prior to payment.

Also, the firmware author isn't an employee of anyone. In a lawyerly world, that would be resolved with a clear copyright assignment or license, but I have no idea if that happened.

hansvm
28 days ago
> As far as I can tell, the firmware was produced as part of the agreement between DEFCON and Entropic, in which case there shouldn’t be much question about the license as it’s a work for hire.

The default state of things is that the author owns the code, regardless of any contracts between Entropic and DEFCON. He may or may not have signed those rights away, but if his other assertions are true (that he wasn't anyone's employee or contractor) then I'd be mildly surprised if the right legal structures were in place to ensure DEFCON owned the code.

That's an issue when writing code for hire too (or, e.g., hiring a photographer). If you're not careful, you don't have very many rights with respect to the final product, even after paying somebody to write it for you.

Implied, limited, non-exclusive licenses are a thing, and I wouldn't be terribly shocked if (assuming a judge had to decide) all parties aren't at least allowed to continue distributing the badges (perhaps not to redistribute the firmware itself, modify the firmware, ...). Things get murky in a hurry though, and finding a resolution not requiring a court is probably better for all parties.

tzs
28 days ago
To add some detail to what others have said, to be a work for hire in the US it must either be a work made by one of your employees within the scope of their employment or all three of the following must hold:

1. You specifically ordered or commissioned the work,

2. There is a written contract that states that it is a work for hire, and

3. The work falls into at least one of these 9 categories:

• a contribution to a collective work

• a translation

• a part of a motion picture or other audiovisual work

• a supplementary work (e.g., foreword, illustration, editorial notes)

• a compilation

• an instructional text

• a test

• answer material for a test

• an atlas

For a long time contract software usually could not be a work for hire because it usually did not fall into one of those 9 categories. I believe in recent years some courts have decided that contract software usually does fall into one or more of them and so can be a work for hire. I don't know if that view has become widespread or is just confined to some federal court districts.

Practically what this means is that when hiring a contractor you either put in the contract that the contractor will assign the copyright to you or that you will be given a suitable license to use the code that is pretty much equivalent to owning the code (irrevocable, exclusive, allows making and distributing derivative works, you can sublicense to others on any terms you want, etc).

parkaboy
28 days ago
> I’m also confused about the earlier threats to use the DMCA against DEFCON for using the firmware without a license. As far as I can tell, the firmware was produced as part of the agreement between DEFCON and Entropic, in which case there shouldn’t be much question about the license as it’s a work for hire

In theory that's true if they legally structured things properly. All comes down to what legal structures were put in place between all three parties starting with the contract (if any) between Entropic and the sub.

I kind of agree, but that assumes they all set up their contracts appropriately... which, having been deeply involved in that community for many years... let's just say I could toss a coin about that assumption being true. If the sub didn't sign anything and Entropic/DEFCON just took his firmware and used it (even if that was the contractor's intention), it's still a significant IP liability for whoever was flashing it all.

dmitrygr
26 days ago
> As far as I can tell, the firmware was produced as part of the agreement between DEFCON and Entropic

Nope, DC knew that I was writing firmware and I am not a part of entropic, nor report to them. From the very start of this project they knew this. The first email at the start of the project stated this.

metadat
28 days ago
I'm struggling to reconcile this response vs the Bitcoin address "Easter egg" and the other claims in the prior article (https://news.ycombinator.com/item?id=41211519), and a few other aspects.

Such a gross "oversight" does not reflect the care they're claiming to have exercised.

This part also seems a tad over the top and dramatic:

> We are especially grateful that Dmitry was not hurt in the physical removal he was subjected to as a result of his demonstration of solidarity

This individual chose to not comply with the venue operator's request to leave the stage, so they pretty gently escorted him away, as can be seen in the video which has been linked in every prior submission. Risk of injury was negligible, if any.

So I'm left uncertain which story is to be trusted here.

To be fair, it's clear DefCon has previously been fueled by Supermen and Superwomen who threw themselves under the bus (possibly were exploited) by working for free or nearly free to deliver. People deserve to be compensated for their work according to the terms of whatever employment agreement was signed, not the games that have been played here.

If quality of work was misaligned, it'd be another matter, but neither party has alluded to this.

kalleboo
28 days ago
The software developer who added the Easter egg was not employed or paid by EE, just sympathetic to them

metadat
28 days ago
Then apparently I understand nothing, now I regret commenting.

Thanks for the information, my mistake.

kalleboo
28 days ago
It's complicated and the information is all over the place hidden in reddit comments, the whole thing is a mess

firesteelrain
28 days ago
The firmware developer is really the one causing most of the problems. If not for him, this would have been handled amicably between EE and DEFCON.

oefrha
28 days ago
No. It might have been kept hush hush without the stunt, but there’s nothing amicable about it.

> EE has tried multiple times over the past months to negotiate fair compensation for work completed prior to June 7th, but attempts at resolution have been unsuccessful.

> Once the manufacturing was fully completed, we were offered a one-time “take it or leave it” amount worth well under half of what we were owed pre-stoppage. Given that what we were owed was already discounted by 25% in order to hit agreed upon cost targets, this has had a huge impact on our small team. We are also still owed substantial sums for parts that we purchased on behalf of DEFCON for use in the badge. Again, all subsequent offers to negotiate a settlement in good faith have not received any productive response.

firesteelrain
28 days ago
It’s a time and materials contract. DEFCON has the right to cancel at any time for any reason.

oefrha
28 days ago
No one posted any contract (that I’ve seen). And even if true, there’s still nothing amicable about it. Btw you may have been commenting too much on something that’s “none of our business” according to you.

firesteelrain
28 days ago
Ha gal

krisoft
28 days ago
Does not appear to be the case?

If not for him we would not know that there is a dispute between EE and DEFCON. DEFCON would be still pissed with EE that they went overbudget, and EE would be pissed that they were not paid what they think they are owed. EE would also be pissed that their logo was removed from the case which (rightly or wrongly) they thought was part of their compensation.

Without his actions we would be none the wiser about any of it, but clearly the relationship would be anything but amicable.

firesteelrain
28 days ago
It’s none of our business.

He is some sort of poorman’s vigilante and even embedding an unauthorized Easter egg with a BTC address.

krisoft
27 days ago
> It’s none of our business.

Thank you for your opinion. I will decide what is my business and what is not.

firesteelrain
26 days ago
Thank you for your opinion.

dmitrygr
26 days ago

> The firmware developer is really the one causing most of the problems. If not for him, this would have been handled amicably between EE and DEFCON.

Defcon stopped paying and talking. They would have brushed this all under a rug.

firesteelrain
26 days ago
EE went way over budget. DEFCON was right to cancel the contract.

What’s your involvement anyways besides a free contributor to the emulator?

dmitrygr
24 days ago
"contributor" implies someone else participated, I feel I have been clear about the fact that every single bit of the firmware was my work. Nobody else worked on it.

firesteelrain
24 days ago
Your work that you gave away. No more data rights on the executable.

wokwokwok
28 days ago
> So I'm left uncertain which story is to be trusted here

I mean, it seems pretty clear to me that defcon is in the wrong here, and everything else is just drama.

Filing the serial numbers off to hide that EE was to credit for it, getting f’d at a hidden screen that credited them.

Come on, fuck off. EE did the work here. Not crediting them sucks.

The rest of the stuff, I really don’t care about, but you can’t put a ribbon on what they did. Remastering the injection mold cast? Removing the logo? That sucks.

:(

Give credit where credit is due.

If you didn’t make it, don’t try to pretend you did.

dylan604
28 days ago
> If you didn’t make it, don’t try to pretend you did.

Just because you don't visibly put the creator's logo on the thing does not mean you are pretending that you made the thing. Your Ford F150 does not have the logos of the 3rd party companies that programmed the ECUs, made the brake pads, etc, and yet I doubt anyone here would think that Ford is pretending they did whatever.

This is not agreeing with what was done, just brake checking your broadbrushing

olalonde
28 days ago
> They expressed that they specifically wanted to work with us as a woman-owned, queer- and POC-driven engineering firm

Why would someone's gender, sexual orientation or skin color be relevant to developing a badge? This is so weird.

jawns
28 days ago
You're right, it's not relevant to their abilities. It's relevant to the historical opportunities that such companies have had available to them.

Likely, the thinking was, "We know that in the past such firms have experienced disadvantages. In years past, bias and discrimination against them may have hurt their chances of procuring a contract like this. Recognizing that historical disadvantage, we now want to give such firms opportunities to show the world that they are every bit as capable."

fortran77
28 days ago
Cutting edge, avant garde creative companies have for centuries been staffed by non-conforming people. We could give a similar description for the staff of our consulting company.

But we don't. We just use our work and our reputation.

There's no "historical disadvantage" for a company that supports the hacker community to be full of all sorts of eccentric, non-conforming people.

firesteelrain
28 days ago
Especially since this is JLCPCB type work. It should be fairly automated.

echoangle
28 days ago
I would guess most of the work was the design, not the manufacturing.

firesteelrain
28 days ago
“we sourced components, designed all of the hardware, wrote production test software, and organized all circuit board manufacturing, prototype manufacturing, facilitated large volume production manufacturing and logistics, and general project coordination.”

echoangle
28 days ago
Is that supposed to contradict my response? Because I see a “designed all of the hardware” in there, that’s what I was talking about.

firesteelrain
28 days ago
You said most. It wasn’t most.

echoangle
28 days ago
How do you know it wasn’t most of the work? Most effort, not most characters in a list of tasks.

firesteelrain
28 days ago
In this case, where the supplier has been involved in almost every aspect of the project, the design portion could be on the lower end of this range since they are also managing manufacturing, logistics, and coordination. For a typical custom PCB project with the involvement described, design work could represent around 25% to 35% of the overall effort.

firesteelrain
28 days ago
If you have ever done this type of work then you would know it’s not most

echoangle
28 days ago
Well I haven’t, maybe explain how I’m wrong instead of posting a standalone quote which doesn’t even contradict my assertion. I said “I guess” because I have no clue what takes more work, that was my initial impression.

maxlin
28 days ago
Who starts an article, especially one questioning responsibility with the lines in the sort of "woman-owned, queer- and POC-driven ... " ??

It's impossible to try to remove the sense of entitlement one gets from this company after that, given the rest of the situation seems to weigh in to that way especially given I've heard of procurement of these badges having no such problems before.

EDIT: That said, Defcon doesn't end up looking too good either after this. Nothing good can come of this given things like this are usually probably done in quite good faith.

neilv
28 days ago
> Who starts an article, especially one questioning responsibility with the lines in the sort of "woman-owned, queer- and POC-driven ... " ?? It's impossible to try to remove the sense of entitlement one gets from this company after that, [...]

FWIW, I noticed that line as I read it, but it didn't make me prejudge the situation.

I mostly noted it as a potential interesting bit of info that might reflect well on DEFCON organizers involved with the badges.

Are you critiquing the writer's PR savvy -- that they should know that progressive references can both help and hurt them, due to political polarization?

(Examples: Some people warm to them. Others feel skepticism or even anger. Others might be personally indifferent, but assessing the PR situation.)

Or are you saying that you think a line like that definitely hurts reception of the writer's argument much more than helps them, with whomever their target audiences are?

itsoktocry
28 days ago
> that they should know that progressive references can both help and hurt them, due to political polarization?

Why is it "political polarization"?

DC hired an engineering firm based on, at least in part, reasons that have nothing to do with engineering. The project fell apart. Should the procurement process not be questioned, along with selection criteria?

neilv
28 days ago
I don't know whether that was part of the selection criteria, and I can't tell from the quote.

The assertion of "they expressed that they specifically wanted to work with us" doesn't assert anything about the selection criteria.

Even if we parsed every word rigorously, and took it as absolute truth, it doesn't necessarily mean anything more than the usual excited to be working with you polite enthusiasm convention that many business people and creatives/talent tell each other at the start of a partnership.

It could also be an overture to establish friendliness, in context, like to delicately convey that they are not one of those people who might seem biased against some groups.

Or it could, as you suggest, be alluding to selection criteria (e.g., we need X, Y, and Z, and bonus points if the partner happens to not look like they usually do, because the org wants to appeal to and benefit from a larger pool of hackers who currently don't feel like this event is for them).

Or maybe we can't even parse it that carefully. Where did someone say they "wanted to work with [Entropic] as a woman-owned, queer- and POC-driven engineering firm to develop an electronic badge with a gaming element for this year’s conference"? What exactly did they say, and in what context?

maxlin
27 days ago
> Are you critiquing the writer's PR savvy -- that they should know that progressive references can both help and hurt them, due to political polarization?

Yes. This is something that appears extremely defensive / conflict-seeking and just increases the chance of escalation. It's the kind of similar thing if they wrote something like "an engineering firm where 70% of the engineers have proudly summitted Mount Everest, something most people can only hope to do", that has zero relevance to the issue at hand but by default sets a setting where they are trying to appear somehow holier-than-thou and whatever they say is put under undue scrutiny even if that is the only snafu.

In making clarifications like this, one must be as possibly humble as they can and only talk about things with immediate relevance to the issue. That should be so unbelievably obvious. What they say on their frontpage, like trying to give some "vibe" might be something else of course, and doesn't as necessarily have to do with their craft. This PR person confused these two and should probably be fired, for the same reasons of doing the opposite of their job as for example some Helldivers 2 community manager semi-recently did. If a golden retriever in their position would do less damage, they are not the person for the job.

neilv
27 days ago
Good point about relevance.

I can make a few guesses why they put it out there (including, but not limited to, a kind of defensive signal "please hear us out, we're good people here", which would be understandable, since they're threatened).

But it's predictably inviting both biased/triggered negative reactions, as well as other people who wonder why you're leading with that when allegations are about something else.

I'm not a PR expert, so I can only guess at what all nuances they have to juggle. As a person, I imagine the situation has been pretty rough on a number of people.

reply
waihtis
28 days ago
[-]
> Who starts an article, especially one questioning responsibility with the lines in the sort of "woman-owned, queer- and POC-driven ... " ??

Exactly those types of orgs which exist primarily to fill this quota. Any kind of capacity to actually fulfill project requirements is secondary.

reply
ChrisArchitect
28 days ago
[-]
Related:

Defcon stiffs badge HW vendor, drags FW author offstage during talk

https://news.ycombinator.com/item?id=41207221

reply
djfergus
28 days ago
[-]
How does one reconcile the statement below with DEFCON’s claim that they were 60% over budget?

> Once a month, we billed for our work and submitted an updated estimated per badge final cost - committing as costs built to discount our work as necessary in order to hit DEFCON’s per unit cost targets.

reply
jawns
28 days ago
[-]
Just a guess, but the overall budget and the unit cost of the badges are likely two separate things. And you can express unit cost in two different ways: one that includes the cost to develop them, and one that includes only the cost to produce them.
reply
dmitrygr
26 days ago
[-]
defcon folks rarely looked at those status emails, and more than once ADMITTED having not looked!
reply
j0hnyl
28 days ago
[-]
DEFCON continues to demonstrate year after year just how poorly it's run. There are bigger events out there (albeit not hacking cons) that cost less and go much more smoothly. Meanwhile, the price of DEFCON admission continues to increase every year while value diminishes.
reply
tedunangst
28 days ago
[-]
Did the contract between defcon and EE include working firmware? If Dmitry rescinds the license, is the deliverable now even more short of specification?
reply
iseanstevens
28 days ago
[-]
Very classy response. I hope things get worked out
reply
chambers
28 days ago
[-]
Reading this statement, DEFCON's, and Reddit: it looks like the lowest bidder was hired to do a complicated and costly project that the client historically underfunded (paper badges last year).

If it's true that DEFCON wanted dirt cheap badges produced in record time, then I think the fault lies not in the project's management & execution but in the client's expectations & resourcing. No accomplished vendor would accept such a low price point, so that just leaves the unaccomplished. Vendors who overpromise and underdeliver, who would accept payment in terms of "clout", or who would be too afraid to push back on crazy or high pressure expectations until it's too late.

A classic set-up-to-fail situation.

reply
daghamm
28 days ago
[-]
On the contrary, it seems like EE were chosen due to previous experience and close connections with the pi foundation. This is how they got access to the new chip.

For me, this is a clear case of mismanagement and bad communication. DC gave EE the wrong budget (cost for the whole badge instead of the PCB+fw) and then completely ignored the reports they received until it was too late. At which point they decided to force EE to pay for their mistake instead of man-ing up and accepting at least some responsibility.

Don't forget DC gets 460$ × 30k from ticket sales alone, they should be able to handle this better. And this is not the first time they have screwed suppliers.

reply
jmward01
28 days ago
[-]
It sounds like an independent third party needs to review what happened.
reply
firesteelrain
28 days ago
[-]
No, that’s entirely unnecessary and unrealistic. This happens nearly every day between a Buyer and Seller. Entropic was basically on a Time and Materials (T&M) contract. Buyer (DEFCON) had every right to terminate when it looked like costs were starting to soar.

Entropic appears to be pulling at some emotional response with their initial introduction in regards to LGBTQ, etc. That’s irrelevant information.

reply
krisoft
28 days ago
[-]
> Entropic was basically on a Time and Materials (T&M) contract.

What is your source for this?

reply
kalleboo
28 days ago
[-]
You've seen the contract?
reply
trickstra
28 days ago
[-]
> when it looked like costs were starting to soar.

But it appears they waited until the end.

reply
firesteelrain
28 days ago
[-]
This is unfortunate however it is common. DEFCON still had the right to terminate and try to salvage what they did by sending their own team. EE got in over their head.

Contractual terms and timeline should have been better. Starting this in January was probably too late. Badge issues have been common in past years.

reply
trickstra
28 days ago
[-]
> This is unfortunate however it is common.

It is quite common for a big entity to act shitty towards smaller makers. So *if* this is the case, DEFCON are the bad guys, no matter how common it is.

reply
firesteelrain
28 days ago
[-]
“Big entity to act..”

Citation needed. I have never heard this

reply
numpad0
28 days ago
[-]
Does this look like someone mistook budget allotted by a magnitude, or was too scared to speak up until it's too late and situation had to be escalated to (no offense) an adult to initiate shutdown?
reply
tillulen
28 days ago
[-]
It looks like a case of managerial miscommunication. Entropic seems to have expected that sending emails with higher budget estimates would give DEFCON the opportunity to say no if they did not agree, and took the lack of response as a sign of DEFCON’s agreement to the new budget. DEFCON seems to have either not read or ignored those emails and expected Entropic to work within the originally agreed-upon budget.
reply
gizmo686
28 days ago
[-]
What higher budget estimates?

According to the (admittedly biased) article, Entropic ate all of the cost overruns:

> Once a month, we billed for our work and submitted an updated estimated per badge final cost - committing as costs built to discount our work as necessary in order to hit DEFCON’s per unit cost targets.

reply
trogdor
28 days ago
[-]
> According to the (admittedly biased) article, Entropic ate all of the cost overruns

I’m not sure of that. Entropic’s statement uses odd language: “…in order to hit DEFCON’s per unit cost targets.”

Why not just say “in order to hit DEFCON’s cost target”? Why “per unit”? It sounds like Entropic might have gone over budget on some other costs (for example, development) and only discounted hardware or manufacturing cost.

reply
dylan604
28 days ago
[-]
That sounds like a really dumb way to fly. Any decent form of communication would never word something that could be misinterpreted by lack of response. Either it comes from inexperience or hopeful mischievous confusion. It's like the old mobile carrier commercial where the wrong message was received when the call was dropped at inappropriate times because of the phrasing.

It would just be so easy for the other party to retort with "we never agreed to that" because they did not. I'm no legal type, but this just doesn't seem like it would ever hold up in any way. Even with wording of "if we do not hear back, it will be assumed as your agreement" as there's no proof it was actually ever received.

reply
LMYahooTFY
28 days ago
[-]
In what line of work/business can you proceed to incur more expenses without approval from the paying client? This can't really be what they expected.
reply
atoav
28 days ago
[-]
In any line of work, if you agree about it beforehand?

E.g. many craftspeople bill you by the hour and give you a rough estimate how long it could take beforehand. If the thing they are fixing for you has 3 more faults that you didn't mention to you, they will mention to you that it costs more and if they should proceed.

That is totally common, but the increased estimate needs to be communicated clearly and get an OK from the customer.

reply
echoangle
28 days ago
[-]
> they will mention to you that it costs more and if they should proceed.

Yes, they ask before proceeding. The parent assumed EE proceeded without asking, which is also how I interpret the situation. That’s not the norm, right?

reply
rincebrain
28 days ago
[-]
It depends.

In a past life as a contractor, if we had a prior relationship with a company, we would absolutely sometimes start work on a new project without having all the ink dry, on the good faith assumption that they had reliably paid us before, and would, in turn, pay us again.

reply
mordae
28 days ago
[-]
Risky one?

Jokes aside, we routinely work for clients without any contract. Contracts get finalized usually by the time a prototype (1/4 - 1/2 of the whole job) is done.

Corporate world is slow. They really like it when you come in and start delivering. Having something to show makes it easier for them to get the project green-lit.

There are obviously some reserves just in case it wouldn't pan out and I still feel quite uneasy. It works, though.

Haha, reminds me that the risk sometimes goes both ways. Like that one time we've got 100% paid for 1/2 the work and then kept working to finish the other 1/2. Can't betray that kind of trust.

(Not related to this drama. Just another data point from elsewhere. It's nice to see others to start working first and only call lawyers second.)

reply
rcxdude
28 days ago
[-]
I was thinking it may have been something like that. But it's still shitty to a) wait until the project is complete to tell them they're not getting paid, and b) erase credit (I don't see any good justification for this. It's literally the reason they were getting a discount in the first place, and they went to quite some effort to do it)
reply
Aurornis
28 days ago
[-]
They didn’t wait until the project was complete. They issued a stop work order due to being over budget and also some “bad faith” charges they noticed. DEFCON then sent their own team to handle the production run.

Credit was not erased from the PCB nor the software, which were the parts Entropic was contracted to do. They declined to include entropic on the plastics, which is understandable given that Entropic didn’t do the plastics. It also likely saved machining costs on the mold for a project that was already over budget.

The original accusations appear to be a little exaggerated.

reply
rcxdude
28 days ago
[-]
They also don't credit them in the con booklet either (but did credit Rpi). And the credit in the software is what got the firmware author kicked out, so it very much feels like defcon went out of their way to avoid crediting them for some reason.

And issuing a stop work order doesn't mean you can just not pay for the work done so far. It means you're not paying for any further work.

reply
trickstra
28 days ago
[-]
> They didn’t wait until the project was complete

These two statements cannot be both true at the same time 🠉 🠋

> Once a month, we billed for our work and submitted an updated estimated per badge final cost - committing as costs built to discount our work as necessary in order to hit DEFCON’s per unit cost targets.

https://www.entropicengineering.com/defcon-32-statement

reply
Gud
28 days ago
[-]
What would be interesting to see is if this is a pattern. DEFCON is a yearly convention with many participants. Have others been treated in a similar fashion? Or are they usually fair?
reply
kovacs_x
28 days ago
[-]
Only meaningful info in whole this is that it was a production of 30'000 units.

Any guesses on DEFCON's budgets "targets" and EE billed extra hours (including rates) anyone? :?

reply
tptacek
28 days ago
[-]
I regret that I have only two eyes to roll at this:

> We are especially grateful that Dmitry was not hurt in the physical removal he was subjected to as a result of his demonstration of solidarity. We want to extend our thanks to all attendees who have been asking questions, reaching out, attending surprise side-walk cons, displaying the about page badge on the con floor, and, especially, keeping a community eye on law enforcement and conference security to help ensure our friend Dmitry’s safety in the last 48 hours.

The guy deliberately crashed the stage, knowing his invitation had been rescinded, demanding that "security" (read: random goobers who volunteer for this role in exchange for a colored t-shirt) remove him. He's fine. He got literally the thing he wanted, and "Entropic" knows that full well.

You're a vendor in a contract dispute, Entropic, not Poland's organized effort to throw off Soviet Communism. Miss me with this "solidarity" stuff.

reply
bravetraveler
28 days ago
[-]
Just here to point out that security is generally made of random goobers volunteering for shirts, and other things.
reply
wkat4242
28 days ago
[-]
Not sure about this event but in Europe you have to hire a professional security company. I've been involved in organising a computer event and we simply wouldn't get a permit without it. Volunteers doing security is a big NO. Parking assistance (guiding), first aid, entrance checks etc yes. But if someone doesn't comply you get the real guys. And it makes sense. At one camp we had a drugged up visitor going ballistic and attacking security with a big stick when he was asked to leave. They disarmed him with ease. A volunteer would likely have fared catastrophically. Also, these guys have legal protection in case an assailant countersues. You can't put your volunteers in that position.

I assume considering the size of Def Con the same applies.

reply
rdl
28 days ago
[-]
For US and especially Las Vegas events: usually the venue has their own professional security staff, some with law enforcement status of some kind, mostly with just security guard accreditation, some armed, some medically trained, etc. Venue also provides other paid employee or contractor staff for some things like cleaning, food service, etc. Especially in Las Vegas, this is highly unionized and regulated (to the point where connecting network and power cables within your own booth at a convention center event is prohibited and must be done by venue electricians at something like $400/hr)

Then hacker conferences like defcon have their own volunteer staff of various kinds. These usually are doing crowd control and information, but occasionally get involved in attendee drunken or stupid incidents, usually with lesser consequences to attendees.

Some high profile attendees (NSA head, John McAfee, etc) have their own personal security; goons/volunteers then worked as a buffer between those people and attendees. (I did this for a McAfee event at BSides which was super fun because his armed security were also high on methamphetamine and erratic)

reply
trogdor
28 days ago
[-]
>I did this for a McAfee event at BSides which was super fun because his armed security were also high on methamphetamine and erratic)

Casually thrown in there at the end! Tell us more?

reply
kiloreven
28 days ago
[-]
> Not sure about this event but in Europe you have to hire a professional security company.

This is not universal across Europe.

I've been part of organizing computer events in the 5k participant range without any hired security or medical staff. I think it greatly depends on the standing and culture of volunteer work in your country.

reply
oceanplexian
28 days ago
[-]
> I assume considering the size of Def Con the same applies.

Defcon is completely insignificant compared to the scale and size of the events that occur in Las Vegas, there are more people partying on the strip on any average Tuesday.

reply
doctorpangloss
28 days ago
[-]
You’d feel different if it were you getting stiffed payment!

After reading the further responses, I am convinced that DEF CON is kind of a crummy business. This commenter, who does not deserve to be downvoted, and the vendor were both stiffed by DEF CON. There seems to be a lot of drama attached to this organization that unfairly rubs off on its well meaning collaborators.

In the interest of curiosity, I wonder why IT organizations built on the free contributions of others can ever treat their collaborators indelicately. It would be one thing if DEF CON were some superstar artist, where taking the kid gloves off and delivering harsh feedback is part of the learning process, but it’s just a conference organizer.

reply
tptacek
28 days ago
[-]
Who, Dmitry? Dmitry had no arrangement with DEF CON. Entropic? I've been (I think!) where Entropic has been many times, and you've never read about any of them because, like most professionals, I didn't make a huge stink about it.
reply
threatofrain
28 days ago
[-]
If Dmitry had no arrangement with defcon, why was he invited (looks like consideration), and why did he do work after the request to stop work? Dmitry maintains that he was not doing contractual work for Entropic. Was anything ever written down on paper with regards to Dmitry's relationship to anything?
reply
tptacek
28 days ago
[-]
You tell me. The DEF CON badge thing is deeply cringe to me.
reply
dmitrygr
26 days ago
[-]
Nothing was ever on paper between me and anyone.
reply
adw
28 days ago
[-]
Is it reasonable to expect better of a prominent institution like DEFCON than from some other typical company?
reply
tptacek
28 days ago
[-]
No. I have been in (minor, our fault, it all worked out, though not the way I wanted it to) commercial disputes with this organization in the past. They are not fucking around.

Look, I've got two things going on with this whole story:

First, it's pretty clear that Dmitry (a name I know only from HN from the past couple days) deliberately arranged the showdown with the Goons. He got what he wanted. Nobody should be clutching pearls about his experience on the stage.

Second, while none of us know the particulars of Entropic's contracts with DEF CON, and we could still learn new stuff that would make it clear DEF CON is in the wrong, there are a lot of people on HN that are trying to (or aspire to) consulting, and there is something very important to learn from what's happening here: you do not want to do what Entropic did and pick a fight with your client, because (1) you're probably not experiencing something that is that out of the norm for consulting and (2) other prospective clients are absolutely going to take notice.

reply
threatofrain
28 days ago
[-]
From what I understand... it's possible that while Dmitry may have wanted to help Entropic, what ended up happening is Dmitry burned bridges for Entropic. Entropic by now has no choice but to come out with a statement since from their perspective, Defcon was already throwing their name under the bus, basically saying Entropic exercised bad faith and incompetence.
reply
doctorpangloss
28 days ago
[-]
> They are not fucking around.

How would you feel that reading that line of yours made my eyes roll?

You’re mocking this guy for creating drama, then you go and say these conference organizers are some dramatic hyperbole. “The only valid drama is my drama.” It’s the pot calling the kettle black!

reply
tptacek
28 days ago
[-]
I mean that they're serious about business, not "there's a lot of holes in the desert".
reply
cayley_graph
28 days ago
[-]
This does not seem like a standard way to conduct business to me by any stretch of the imagination, though I don't work in cybersecurity. Perhaps that community just has lower standards to which people and organizations are held. Would not be surprised. The things I've heard from that corner of the industry....
reply
fortran77
28 days ago
[-]
DEFCON has a lot of young, inexperienced people. That leads to a magnification of all sorts of drama. (I've been to 12 DEFCONs, sat it out this year.)
reply
gizmo686
28 days ago
[-]
> You’d feel different if it were you getting stiffed payment!

What? Getting stiffed payments is probably the leading cause of "vendors with a contract dispute".

Go to your lawyer (you do have a lawyer, right?) and have them nicely ask for the money before starting a lawsuit for it plus the contractually specified penalties.

Unlike a lot of non-paying customers, DEFCON probably has money, so you can rest relatively easy knowing you will see it (plus penalties) eventually. If DEFCON was planning on spending that money someplace else, that is their problem, not yours.

reply
waihtis
28 days ago
[-]
That and this response is filled with appeals to emotion, but extremely thin on any actual details on the contract.

I don't know the company but this statement makes them sound like a bunch of amateurs, and I’m now inclined to believe Defcon's statement on what actually happened.

reply
AtlasBarfed
28 days ago
[-]
Omg, someone didn't follow the rules at a hacker convention!

That's what's kind of interesting about this entire drama. The entire conference is based on people that break systems, bend the rules, bask in pseudo outlaw rider cachet, and an amorphous alternate shadow moral code.

And yet here we have Internet lawyers arguing formal contracts between contractors and suppliers. There's obviously greed involved here somewhere, and someone is being non-hacker-code compliant.

To me the public actions with the most scumminess is defcon: using security guards. Reforming molds. Using the produced badges rather than just paper badges. Thin accusations of malware at a hacker conference.

C'mon, man!

reply
tptacek
27 days ago
[-]
Tell me you don't know much about the culture of DEF CON without telling me that: the "security guards" here were DEF CON "Goons".
reply
tokamak
28 days ago
[-]
Seems like they conveniently omitted some facts here. Very fishy.
reply