[HN Gopher] DEF CON's response to the badge controversy
___________________________________________________________________
DEF CON's response to the badge controversy
Author : mmastrac
Score : 136 points
Date : 2024-08-10 19:07 UTC (3 hours ago)
(HTM) web link (old.reddit.com)
(TXT) w3m dump (old.reddit.com)
| mmastrac wrote:
| There are basically three sides to the story now, for reference:
|
| Entropic statement:
|
| https://www.entropicengineering.com/defcon-32-statement
|
| dmitrygr statement:
|
| https://news.ycombinator.com/item?id=41207469
|
| dmitrygr being removed:
|
| https://x.com/dmitrygr/status/1822124650547257637
| sergiotapia wrote:
| tldr: entropic made some mistakes because they're a small team
| with a very tight deadline. defcon shit the bed and refused to
| pay them over those problems. and dmitry forgot about an easter
| egg and was OK with being removed from speaking, but wanted
| security to pull him off stage for his clout.
|
| I still think DEFCON should've done better. their brand is in
| the shitter over what $20k?
| tptacek wrote:
| What should they have done better? They didn't have the
| option of doing better with Dmitry, right? He deliberately
| set up the confrontation with security.
|
| The idea that DEF CON's brand is "in the shitter" seems
| risible. I say that ruefully, as (in my declining years) I
| get more and more bitter about the comic convention spectacle
| the event has become. Whatever the outcome from "badge-gate",
| I assure you, they'll set attendance records next year
| regardless.
| ibash wrote:
| > They didn't have the option of doing better with Dmitry,
| right?
|
| Let him give his talk like they promised.
|
| Given _literally_ everyone in that room is using his work
| in that same moment and they are _literally_ there to hear
| him speak.
| tptacek wrote:
| Fuck no. People don't get to re-invite themselves to
| stages they've been disinvited from.
| mynameisvlad wrote:
| You asked someone to give you options and they did. Just
| because you don't like it doesn't mean it's not what you
| asked for.
| aaplok wrote:
| OP asked for a _better_ option. He was offered one, which
| he disagreed with. Because he doesn't like it precisely
| means that (in his view at least) it is not what he asked
| for.
| tedunangst wrote:
| I would simply level up charisma and speech check him off
| the stage.
| josephg wrote:
| It was a huge mistake to uninvite him from the session.
|
| It sounds like defcon was mad at EE for going over budget -
| which honestly is fair even though they didn't handle it
| well. And thought (wrongly) that Dmitry was a salty
| subcontractor of theirs. Their actions make some sense in
| that context. Not great, but eh.
|
| But Dmitry has totally owned them in messaging - by forcing
| them to physically eject him (making a scene), and getting
| out ahead of the story. It's great drama. He's positioned
| defcon to look like an evil corporate buffoon hating on a
| hacker who was just donating his time.
|
| At this point, defcon should take the L and apologise, and
| let him have a session talking about the code. That would
| be a very satisfying end to the drama for attendees. (Even
| if it does encourage more drama in future years.)
|
| Either way, I agree - I'm sure attendance will go up next
| year too. People love this stuff.
| tptacek wrote:
| It sounds to me like they were mad at Dmitry for
| including an "easter egg" in their badge firmware that
| solicited donations to a Bitcoin address.
| 42lux wrote:
| Honestly sounds like typical "CON" stuff. Just children all
| around no matter the topic.
| sergiotapia wrote:
| my perception of them was they are hyper intelligent
| hackers, who have morals and clear north. if anybody would
| do the right thing it's these guys. but that illusion is no
| more. they are just normal dudes after all for better or
| worse.
| NegativeK wrote:
| I'm not sure if you're referring to the badge team or the
| Defcon people, but pretty much every group is just normal
| people.
| ryandrake wrote:
| Reading both accounts of the story, it sounds like a small
| company bit off more than it could chew, couldn't manage cost
| and schedule, and when it got to the drop-dead date, even
| though they say it was basically done (how many times did the
| client hear that one), the client pulled the plug and tried
| to salvage it some other way.
|
| Y'all need project managers, at least someone with a plan!
| jeez.
| A4ET8a8uTh0 wrote:
| I think I agree with the assessment. Especially the part
| about PM hits close to home. It seems like a lot of projects
| I was involved in lately lacked an actual project manager. Is
| the problem that it is a hard job to do right?
| theshrike79 wrote:
| The thing is that people on here think project managers
| are evil incarnate and just useless middle management.
|
| It requires a very specific skill set to be able to lead
| a technical project and cut through the bullshit on BOTH
| SIDES: the client asking for features and the team
| building the product.
|
| Clients always either ask for stuff they don't really
| need or have vague requirements that crystallise only 3
| days after the deadline. "Of course when we said it needs
| to do foo, it also MUST do bar, doh!"
|
| And teams tend to overestimate their ability to deliver
| and underestimate the work needed to get to the finish.
| (Infinite coast problem).
| q7xvh97o2pDhNrh wrote:
| There are also several more classes of B.S., for what it's
| worth.
|
| An exaggerated/anonymized version of a recent one I got,
| from an otherwise-really-strong senior engineer: "Of
| course when I said we would put a button there, it also
| meant we MUST build an entire UI framework from scratch,
| with full test coverage for the entire thing!"
|
| ...actually, that's not even _that_ exaggerated. Shipping
| software at big companies can be unreasonably difficult,
| sometimes.
| fragmede wrote:
| It's actually really hard to do well. Moreover, it
| suffers from "how hard could it _really_ be" syndrome,
| especially when working with developers who think they're
| smarter than everybody. It's the kind of job that a
| software developer approaches from first principles and
| does a terrible job at, because starting from first
| principles ignores all of humanity's experience and
| practice managing projects, and projects have existed
| since before the Great Pyramids in Egypt.
|
| We have better tools today, but it takes a skilled
| practitioner to wield them well. Yes, I'm talking about
| Jira, and I hate sitting down and pointing things too, but
| managing a large complex project with a large number of
| humans is real actual work and a full time job in and of
| itself. Sometimes even more than one person can handle.
| Places that I've seen are successful are able to
| recognize that, and don't treat it as dead weight.
| michaelt wrote:
| _> Y'all need project managers, at least someone with a
| plan! jeez._
|
| Or do what every other event does, and _don't_ make your
| badges so complicated they need a project manager.
|
| Every other event has badges that look like they cost
| _substantially_ less than $1. I'm not saying they have to
| go that cheap - but when you're hiring a project manager to
| coordinate the multiple teams, schedule challenges, and
| providers biting off more than they can chew? Maybe scale
| things back a bit.
| firesteelrain wrote:
| They tried last year with the injection molded plastic
| part that you could mod and didn't get enough of them
| shipped in time. To your point on $1 badges, they gave
| paper out and people complained (and still complain) for
| a long time. They felt they spent $300-400 plus travel
| expenses so they have this idea they should get a special
| badge. It has an entire culture around it.
|
| Me and a partner designed an insert that fit into that
| injection molded part and it had games. You could even
| connect via RS232 if you had the right board and it would
| print out DEFCON in ASCII, then it had a whole menu of
| games.
|
| We sold this add on for $20 at cost to recoup our costs.
| Sold about 100+ of these add ons.
|
| DEFCON definitely bit off more than they could chew.
|
| We designed our add on around a cheap STM32 series chip
| and wrote the code ourselves in C. It didn't have an
| emulator like this as this is like an entire gaming
| platform that DEFCON created. But ours was more like DOS
| level game add on that took us a couple months to make
| and have produced. We made the stickers ourselves and cut
| acrylic ourselves.
| dfox wrote:
| I suspect that the comment implies the absence of a project
| manager on the Entropic side of the deal.
|
| As for the cost of the badge, sourcing even a sub-$1 badge
| is still a project. And especially when your target
| audience is somewhat skilled at counterfeiting such
| things.
| viccis wrote:
| >dmitry forgot about an easter egg
|
| Ah yes, classic "insert an unauthorized coin wallet
| soliciting money from badge owners" easter egg. Timeless
| prank, how could anyone be mad at such a normal and anodyne
| "easter egg"?
|
| lmao DEFCON's "brand" isn't in any danger.
|
| edit: And now he's pulling the classic hacker move of (checks
| notes) enforcing strict software IP ownership rights? Guy's a
| class act all around. Hope everyone learned an important
| lesson about Dmitry and Entropic with this mess.
| josephg wrote:
| He wasn't employed by anyone, and didn't get paid by anyone
| for his work. (Defcon is wrong about this in their
| statement, and admitted as such in the comment thread).
|
| When I write code that nobody is paying for, you better
| believe I'll write it how I damn well please. If you aren't
| paying, you aren't the customer. And you don't get to
| control the output of my work.
|
| The wallet address soliciting donations is for the hardware
| company, not on his own behalf. But even if it was on his
| own behalf, would you still be mad? Since when is it a
| crime to be proud of the code you've written, for free, to
| bring joy to a hacker conference? That deserves mad credit
| in my book.
| viccis wrote:
| I don't really care whether money changed hands. Secretly
| putting an ad into software that you know will be
| distributed to many people is the oldest scumbag move in
| the scumbag book. All sympathy ended there, and that was
| weeks _before_ he trespassed.
| simpaticoder wrote:
| Thank you. This stood out to me:
|
| _"They expressed that they specifically wanted to work with
| us as a woman-owned, queer- and POC-driven engineering firm to
| develop an electronic badge with a gaming element for this
| year's conference."_
|
| I would have expected the core criteria to be ability to
| execute on time. Choosing an engineering firm based on the
| race, gender, or sexual orientation of the owner is foolish,
| and DEF CON is ultimately to blame for introducing superfluous
| criteria and missing the core criteria.
| cj wrote:
| That sentence seems like the most irrelevant part of all of
| what I've read.
|
| They could have easily rephrased that sentence to simply say
| "They expressed interest in working with us" and the point
| they're making is the same.
| echoangle wrote:
| Isn't the implication of the sentence that they were chosen
| specifically for those properties and wouldn't have been
| chosen otherwise?
| superb_dev wrote:
| The implication is that they were chosen because of that,
| but not that this was the only qualification.
|
| It could easily be that multiple teams looked qualified
| during bidding for the job and that this was the
| distinguishing factor.
| simpaticoder wrote:
| No other qualification was mentioned. I've been maximally
| downvoted for my comment, but I stand by it. I stand by
| it as someone who prefers the company of queer people,
| and whose favorite programmer is trans (Justine Tunney,
| fwiw). Note: she is not my favorite trans programmer, she
| is my favorite programmer, who happens to be trans.
| Identity becomes a problem when it displaces everything
| else about a person - it dehumanizes, and in DEF CON's
| case, blinds them to the relevant strengths and
| weaknesses of a firm.
| A4ET8a8uTh0 wrote:
| And yet, a party to this conflict thought it was a relevant
| piece of information to the audience. Now, the fact that OP
| noted it as interesting is not completely without merit.
| After all, the interested party certainly thought it was
| worth mentioning.
| smsm42 wrote:
| If they have to reach for idpol at the start to make their
| case, my immediate suspicion is the case is not that
| strong.
| neilv wrote:
| Regarding "https://x.com/dmitrygr/status/1822124650547257637",
| was there some kind of written consent involved in being
| removed like that?
|
| Or some less formal consent was understood, and considered
| low-risk?
|
| Or were they otherwise legally empowered to do that?
|
| (I'm thinking about civil and criminal liability.)
| metadat wrote:
| It's a private event on private property. There is no
| inherent right to be there, especially up on stage without
| invitation (TFA mentions this was what happened).
| neilv wrote:
| I'm wondering how the organizers of an event cover all the
| bases sufficiently on something like that.
|
| I'm asking out of the curiosity about how that actually
| works, in practice, not what arguments we could imagine.
|
| (For example: Say someone rushes up on stage during a rock
| music concert. Was removal covered in the fine print terms
| of the ticket? Are the security personnel deputized by
| local law enforcement? Are there special ordinances
| applying to security at some kinds of events? Do the event
| organizers fall back on the claim that they felt safety was
| threatened? Do the event organizers think any risk of
| penalties or lawsuit is less than the cost of disrupting
| the event? Does setting precedent for response also factor
| into the calculus? How are insurance and venue contracts
| involved? Etc. There's some related history, involving
| the Hell's Angels at a concert, but I don't know how
| practice has evolved since then.)
| lukan wrote:
| I only know German law from a short time working as a security
| guard, but I assume it is quite similar:
|
| Cops do not want to be called for every bouncer action.
|
| The owner (or the one renting the property) has legal
| rights and sets the rules. You break the rules, by being
| somewhere you are not supposed to be - any staff member
| can act as security to physically remove you.
|
| They may not beat you, though. Or otherwise escalate.
|
| But forcefully leading (or carrying) out someone breaking
| the house rules (using a minimum of violence) is legal
| and standard procedure at every big event.
| NegativeK wrote:
| Hell no they're not deputized.
|
| America relevant: It's similar to security anywhere,
| including "loss prevention" at a grocery store. They can
| tell you to leave, and if you don't, they can physically
| remove you from the property. That's pretty well
| established. It also applies to kicking someone out of
| your house that doesn't have a right to be there.
|
| If they hurt you inappropriately (there's a wide range
| between a trespasser bruising their fist on a guard's
| face and a guard holding someone down and pummeling them
| for no reason), they've committed a crime and might lose
| a civil lawsuit. Some places won't let guards touch
| trespassers. Other places lean on discretion and the
| training they've given to the guard, the cameras they
| have spammed everywhere, etc.
|
| The removal is usually covered in something like "we have
| the right to kick you out at any time, even if you paid."
| That doesn't cover all bases, but it covers a lot. If you
| never signed a contract with a venue, the removal is
| covered by the fact that you have zero intrinsic right to
| be there.
|
| For more examples, you can look at casinos in Vegas
| trespassing people. If you act out of line or gamble in a
| way they don't like (like successfully counting cards at
| blackjack,) they'll boot you. They might spread your name
| to other casinos if they really don't like you. And if
| you enter one again, it's criminal trespass. They can do
| it for anything that isn't legally protected.
| tptacek wrote:
| I believe DEF CON on this, because the other side of the story
| --- that they vindictively withheld payment from Entropic and
| later harassed the firmware developer --- just doesn't make any
| sense. We are probably talking about rounding error sums of money
| for the conference organizers themselves.
| gavinhoward wrote:
| National politicians have taken bribes for less.
| woodruffw wrote:
| National politicians have legible incentives. What's the
| incentive for DEF CON here? It's not like they're apart from
| the community; people know exactly who they are, and the
| existence of their conference is tied entirely to the
| community's perception of their leadership.
| JonChesterfield wrote:
| People do petty stupid things.
|
| My priors align with the client having unreasonable
| expectations and then squabbling over the inconsequential bill.
| That is totally a thing that clients sometimes do.
| tptacek wrote:
| Having spent a very long time as a consultant, a thing
| vendors sometimes do is commit to unrealistic project
| schedules and then attempt to invoice their way out of the
| hole they've dug for themselves, and by "sometimes" I mean
| "every times, every of the times", it is one of the most
| common ways consulting projects blow up.
|
| When your project blows up, the professional thing to do is
| to resolve the problem with the client before billing another
| hour over the SOW. The common, crazy thing to do instead is
| optimistic invoicing: the client must share our priors, we're
| all reasonable people, so we'll just implicitly revise the
| SOW to match our learnings on this project and proceed,
| prioritizing what we believe would be a successful delivery
| of the project over everything else. _That rarely works._
|
| Serious consultancies routinely eat billable weeks of time in
| order to meet client success criteria and retain
| relationships.
| ainonsense44 wrote:
| What's "SOW"?
| maxbond wrote:
| Scope of Work
| jdlshore wrote:
| I've always seen it as Statement of Work, but either way
| it defines the work that will be done.
| kailden wrote:
| I read it as "Statement of Work" which is a description of
| the work to be performed/delivered, although often much
| more general than a full technical specification,
| sometimes in a comedically tragic way.
| squigz wrote:
| How much money do you think the DEFCON organizers make?
| tptacek wrote:
| Their top line is 8 figures annually.
| tux3 wrote:
| The groans you hear on Reddit and social media make it sound like
| this isn't DEF CON's first time finding itself in this kind of
| kerfuffle with a contractor.
|
| Why reach for a stop work order if the whole thing is a
| rounding error? Entropic seems like they were able to finish,
| except that cost was an issue.
| mvdtnz wrote:
| > Why reach for a stop work order if the whole thing is a
| rounding error.
|
| My interpretation is that the project was at risk of not
| being delivered. No doubt Entropic had made and broken many
| promises leading to the stop work, and at some point DEF CON
| needs to take ownership of the project in order to ensure
| delivery.
| refulgentis wrote:
| For me, it was in the attempted follow-up, "We told them almost
| impossible, too risky, do it for 2025! --- and they just didn't
| listen!" (real quote in [1])
|
| My alarm bells go off loud when people invoke tropes indirectly
| and lazily, hoping it'll influence my perception of a situation
|
| DEFCON isn't the pointy-haired boss stereotype that needs you
| to deliver exactly $X, this quarter, with duct tape and glue.
| They know tech and wouldn't have talked a team saying they
| can't do it until 2025 into 2024.
|
| Well, what if they really wanted it for publicity?
|
| DEFCON had 0 stake in a new Raspberry Pi release, and Entropic
| self-reports _they_ were the ones with early access to an
| unreleased product and decided it was the right vehicle. [2]
|
| [1] We were clear as early as our first conversation in January
| that the risk in trying to push to mass production of this size
| and on this timeline was immense, even advocating for a DEFCON
| 2025 release of this particular badge. DEFCON's Badge Team
| remained confident that they could meet and mitigate this risk.
|
| [2] The specifics of what they requested in January were
| extremely difficult / almost impossible, but we had been
| working with Raspberry Pi as a Design Partner and had early
| access to the unreleased Raspberry Pi RP 2350, a chip that
| would enable exactly the kind of device DEFCON was requesting.
| aftbit wrote:
| That's kinda weird too, as DEFCON does electronic badges
| every other year, so they would not really be able to delay
| this project until 2025, but would instead need to delay to
| 2026 and hire a different vendor for 2024.
| ryandrake wrote:
| The whining in Entropic's statement about how "extremely
| difficult / almost impossible" the project was is what gets me.
| Come on--you're grown-ass adults that signed a contract to
| deliver X work by Y date. Nobody cares how hard it was. I've
| been on the other side of the coin many times, managing a small
| vendor who's in over their head, and I try to have empathy, but
| where is the project manager? Where are the milestones and
| checkpoints? They didn't suddenly stop-work out of the blue.
| I'd guess multiple checkpoints were missed, and everyone knew
| this was coming.
|
| And that's not even mentioning the _Easter Egg_! Good grief!
| InsideOutSanta wrote:
| I think the issue is that they got used to pulling a rabbit out
| of a hat with their badges. The budget they have for them is
| apparently ridiculously low, and it seems like sheer luck that
| it somehow worked out in the past. At some point, defcon must
| have confused luck with skill. Meanwhile, others paid the price
| for that by working "for exposure."
|
| This year, it blew up in everybody's faces. Whose fault is it?
| Defcon, for having unrealistic budgets? Contractors, for taking
| on an unrealistic project for the prestige?
|
| IMO there's plenty of blame to go around.
| M4v3R wrote:
| I would say the fault is on both sides. Defcon being so
| big knew that _someone_ will pick up their unrealistic
| budget. But it's still the contractor's fault if they took a
| project with full knowledge of its scope and agreed on the
| price, and then did not deliver.
| tptacek wrote:
| The whole point of being the vendor is that you're the
| party with the expertise to know what is and isn't a
| realistic budget for a project. Clients ask for unrealistic
| stuff all the time; part of your _job_ is saying "no".
| lukan wrote:
| We are not talking about an ordinary computer nerd - newb
| business relationship here.
| trte9343r4 wrote:
| > After going overbudget by more than 60%, several bad-faith
| charges, and with a product still in preproduction,
| DEF CON issued a stop work order.
|
| My reaction was "only 60% over budget"? This is a low
| volume custom computer. The way Defcon pushes promotion and
| recognition, I do not think they paid full commercial
| price.
| Arainach wrote:
| HN comments were dismissive of the Google SRE "no heroes"
| article recently, but this is a great example of why that
| policy is in place. Heroism leads to unrealistic expectations
| until something implodes far more catastrophically than
| setting reasonable expectations and not killing yourself to
| make magic would have.
| cannam wrote:
| > HN comments were dismissive of the Google SRE "no heroes"
| article recently
|
| If (like me) you hadn't seen this one, I think it is
| https://news.ycombinator.com/item?id=41172531
|
| (Some of the top-level comments do indeed seem a bit oddly
| negative to me)
| Sakos wrote:
| I don't understand why DEFCON deserves the benefit of the
| doubt, but Entropic and dmitry don't. Here's Entropic's
| response:
|
| > We were clear as early as our first conversation in January
| that the risk in trying to push to mass production of this size
| and on this timeline was immense, even advocating for a DEFCON
| 2025 release of this particular badge. DEFCON's Badge Team
| remained confident that they could meet and mitigate this risk.
|
| > Once a month, we billed for our work and submitted an updated
| estimated per badge final cost - committing as costs built to
| discount our work as necessary in order to hit DEFCON's per
| unit cost targets.
|
| > In June, after 5 months of late night work, badges were fully
| designed, prototypes were working, and mass production was
| ongoing with the manufacturers we contracted on behalf of
| DEFCON. We billed DEFCON for our most recent work, discounting
| our labor by 25% in order to meet the agreed upon targets.
| Unfortunately, we were instead met with a work stoppage request
| and informed we would no longer be paid for services already
| rendered.
|
| https://www.entropicengineering.com/defcon-32-statement
|
| It feels to me like DEFCON is relying on being able to say
| "well, we're DEFCON" when defending themselves, and people like
| you are just blindly trusting their word. How many times have
| big organizations like this screwed their suppliers? And yet
| DEFCON is "clearly" innocent? You must be joking.
|
| At least wait until we get a better picture of everything
| before deciding on a judgment of any of the parties involved.
| It's going to take time before we find out what actually
| happened.
| tptacek wrote:
| DEF CON is making a falsifiable claim, that Entropic blew
| their budget and billed outside the SOW. Entropic is
| handwaving (who gives a shit what RPi hardware they had
| access to?). I'm not in DEF CON's corner generally but my
| priors as a consultant lock in pretty solidly on this being a
| consultant fuckup.
| TheCleric wrote:
| > We were clear as early as our first conversation in January
| that the risk in trying to push to mass production of this
| size and on this timeline was immense, even advocating for a
| DEFCON 2025 release of this particular badge. DEFCON's Badge
| Team remained confident that they could meet and mitigate
| this risk.
|
| Assuming this is true it's simple: you walk away. If you're
| being contracted to do something you don't think you can do,
| you don't sign the contract. Anything else is a recipe for
| pain.
| robxorb wrote:
| That a mostly-finished, working project of this complexity ends
| in fiasco can't be the fault of the contractors. What failed is
| communications - and apparently only on one side. Both Entropic
| and Dmitry were shocked by this outcome; not communicated with.
| bawolff wrote:
| If the "joke" involved shilling for crypto, that instantly makes
| me more sympathetic to the defcon side.
| lowkey wrote:
| I genuinely don't mean to be snarky but I don't think the
| method of soliciting donations is at all relevant here. It
| sounds like you would have otherwise been fine if he handed out
| a hat and asked for cash in USD.
| lmm wrote:
| Are they wrong? Passing around a hat for USD might be
| unprofessional but it's a lot more open and honest.
| superb_dev wrote:
| Crypto has a bad reputation, it makes sense to be more upset
| about someone soliciting donations in crypto over USD.
| Especially in a branded product
| mouse_ wrote:
| I mean... it makes sense that internet people would be
| interested in donations by means of internet currency.
| mvdtnz wrote:
| This is a great example of why both sides of a story are needed.
| From DEF CON's perspective, assuming this is all true, there's
| nothing unreasonable here. It sounds like Dmitry was a
| subcontractor of Entropic and producing a screen asking for money
| after their contract had been terminated (for good-sounding
| reasons) was bad form.
|
| I'm not commenting on the legalities (I don't know anything about
| contract law) and I don't necessarily take either side's account
| at face value, but this response doesn't sound unreasonable to
| me.
| notinmykernel wrote:
| Dmitry didn't ask for money. He raised awareness that DEFCON
| had slunk away from its financial obligation to Entropic, and
| asked that Entropic be paid what they are owed for their work
| on the hardware.
|
| Cool spin though.
| mintplant wrote:
| Dmitry was a volunteer and did all the firmware work for free.
| "Subcontractor" is DEF CON PR spin.
| timthelion wrote:
| Am I the only one who thinks it is ridiculously wasteful to
| have electronic badges for all attendees?
| wmf wrote:
| It's a form of swag and one of the reasons for attending.
| mvdtnz wrote:
| This is a great example of why both sides of a story are needed.
| From DEF CON's perspective, assuming this is all true, there's
| nothing unreasonable here.
|
| It sounds like Dmitry was a subcontractor of Entropic and
| producing a screen asking for money after their contract had been
| terminated (for good-sounding reasons) was bad form. I'm not
| commenting on the legalities (I don't know anything about
| contract law) and I don't necessarily take either side's account
| at face value, but this response doesn't sound unreasonable to
| me.
| theogravity wrote:
| Dmitry has repeatedly stated he was not hired by Entropic nor
| was asking to be paid for his work. He did it for fun. I'm not
| sure where this misunderstanding is coming from.
| luckylion wrote:
| He apparently put in extra code showing a wallet address
| (presumably his) and the request to "donate".
|
| Does sound like "asking to be paid", even if it's then
| switched to "it was all a prank, bro" when it turns out that
| wasn't the greatest idea.
| theogravity wrote:
| From what I've read, it's very difficult to access the
| easter egg. It's not clear if the address belongs to him or
| not. Despite that, he has refused donations the entire
| time.
| dang wrote:
| Previous related thread:
|
| _Defcon stiffs badge HW vendor, drags FW author offstage during
| talk_ - https://news.ycombinator.com/item?id=41207221 - Aug 2024
| (118 comments)
| briandear wrote:
| What's a badge and why does it need firmware? This is a
| conference right? Not a nuclear silo?
| ironhaven wrote:
| DEF CON, as a hacking convention, has a long tradition of
| sometimes giving out, instead of the printed name tags that
| normal conferences hand out during registration, printed circuit
| boards with microcontrollers and firmware (aka software).
|
| Some years had CTF challenges in the firmware; this year there
| was a playable Game Boy emulator.
| mafuyu wrote:
| Reading EE and DEFCON's statements, I'm inclined to think whoever
| was managing this on DEFCON's side was not on top of things and
| blinked at the last minute. I'm sure there were delays and issues
| on EE's end, as it always goes with hardware, but it's still EE's
| design, parts sourcing, and manufacturing run that DEFCON just
| took over last minute?
|
| I don't know the terms of their contract, but that wouldn't fly
| in a typical contractor setup. You can't just cut out the
| contractor's labor costs after the fact. I'd be more inclined to
| give DEFCON the benefit of the doubt if they canceled the entire
| project earlier on and engaged a different contractor to build an
| entirely different badge from scratch.
|
| Given that Dmitry wasn't even paid for the firmware(!), my guess
| is this was low budget. For something of DEFCON's scale, this
| can't really be a "for fun" hacker project if you want to
| guarantee results. The "for fun" part is ensuring the attendees
| can all have a good time hacking on the badge, not the people
| doing the labor.
| tptacek wrote:
| On the contrary, if you have a signed master and SOW for a
| project, you absolutely cannot just bill over or outside of the
| SOW because of "contractors labor costs". The whole point of
| contracts is to agree to costs up front and eliminate these
| kinds of on-the-fly disputes.
| minkles wrote:
| Clearly you've never worked on a government project!
|
| I was on a defence project that overshot by a cool billion
| dollars on the SOW...
| tptacek wrote:
| I've made a point of not working on government projects, so
| yes, this is a blind spot for me.
| mafuyu wrote:
| Agreed. I'm honestly not familiar with how they're structured
| for hardware contracts like this. I was imagining some sort
| of cost plus structure. No point in speculating on the
| details of a contract dispute where we don't have the
| contract, I suppose.
|
| I was under the mistaken understanding that EE was not paid
| out at all. Rereading their statement, they say they were
| partially paid, so I think I was overly harsh. This is firmly
| in "boring, messy contract dispute" territory now, I'd say.
| :)
| bjornsing wrote:
| But as I understand it EE did not bill outside or over the
| SOW. They just sent updated cost estimates indicating that
| they wanted to.
| tptacek wrote:
| All we have to go on are the statements, but DEF CON's
| statement is falsifiable and direct:
|
| _After going overbudget by more than 60%, [and] several
| bad-faith charges_
|
| Which, again, pattern matches to a pretty common mode in
| which consulting projects blow up: you give an optimistic
| estimate, learn partway into the project that you were
| hopelessly off, and then try to invoice your way through
| it.
| mlyle wrote:
| DEF CON's response reeks of petty; characterizing dmitry as a
| "subcontractor" rather than a volunteer for spin purposes, and
| the choice to remove Entropic's logo from the case based on
| this budget dispute.
| ThinkBeat wrote:
| Man, DefCon has changed since I was a regular. Back when all
| tickets were sold by cash only.
|
| A hacker conference is upset that someone "hacked" their badges
| and put unwanted code into the firmware. Users are (meant) to be
| hacking these boards. That is the entire point, isn't it?
|
| Have the guys who did it come in, talk about the exploit, share
| how they did it. Then the corpDefCon can talk about what they
| missed and how to avoid it. Have a talk "How DefCon got hacked".
|
| Have some fun for f-sake. Tangent man, come on.
|
| "Unfortunately, shortly before the talk was set to take place
| DEF CON became aware that unauthorized code had been included in
| the firmware we had paid Entropic Engineering to produce,"
| willcipriano wrote:
| You have to get into something cool before it has a reddit
| dedicated to it otherwise the killjoys will infest it and their
| calls of "actually!" will ruin all your fun.
| guardiangod wrote:
| It seems that 2 issues are conflated together:
|
| 1. The badge manufacturing issue and subsequent non-payment due
| to contract dispute.
|
| 2. The firmware author (not hired by the manufacturer) put in
| unauthorized 'easter egg' code that asks for money via crypto.
|
| I am not familiar with 1 so I can't comment on a contract
| dispute.
|
| But 2 is definitely over the line, and this is coming from me who
| is supportive of some usage of cryptocurrency. You don't put in
| unexpected monetization mechanisms into your volunteer work,
| without asking the charity organization for permission. Asking
| for money secretly is way different than putting in a harmless
| Easter egg. At that point, it's not a harmless easter egg
| anymore.
|
| Maybe the money is for the manufacturer. In that case, do what a
| normal person would do and raise the issue on a social channel
| (eg. Twitter, Threads, blog).
___________________________________________________________________
(page generated 2024-08-10 23:00 UTC)