[HN Gopher] The email they shouldn't have read
___________________________________________________________________
The email they shouldn't have read
Author : miniBill
Score : 337 points
Date : 2025-10-08 12:56 UTC (10 hours ago)
(HTM) web link (it-notes.dragas.net)
(TXT) w3m dump (it-notes.dragas.net)
| OptionOfT wrote:
| I hope one day we get to see real names in this story.
| reaperducer wrote:
| _I hope one day we get to see real names in this story._
|
| > to protect the privacy of the people and companies involved
|
| Companies get privacy rights now?
|
| Snark aside, I think I understand how this person feels.
|
| I once worked for a company that did something abhorrent during
| a natural disaster. I spoke up and was reprimanded, while my
| coworkers just sat there and accepted it. I came very close to
| losing my job, and ended up leaving the company at my first
| opportunity.
|
| It was 20 years ago, and I keep meaning to write an article
| about it, but never do. It's not that you want to protect the
| company, or that you're afraid of being sued. But there's
| something that weighs on you when you think about actually
| putting the words down.
|
| It's all a decade or more old, so what's the point? Nobody will
| be held to account. The company is no longer under the same
| leadership (or even the same name).
|
| My personal blog has a dead-man's switch that will reveal a
| number of ugly things about several of the companies for which
| I've worked. But who cares? That's part of the weight. What
| good will it do? If, by some remote chance, someone reads it,
| it will only make them mad. How does that help anything?
|
| But I'm also one of those people on HN who's always crying
| "name and shame." So, I'm a hypocrite. Such is life.
| Lammy wrote:
| Apologies for trying to guess, but: PayPal freezing
| SomethingAwful's Katrina fundraiser?
| thatguy0900 wrote:
| It doesn't help that really everyone already understands that
| basically every company is completely devoid of morality and
| ethics. No one who pays attention is surprised or shocked at
| companies taking advantage of disasters. They're not even
| above manufacturing the disaster themselves if they think
| they'll get away with it. Reporting on what they do feels
| like screaming into the void.
| lawlessone wrote:
| I'm curious how you implement a dead man's switch for a blog?
| yason wrote:
| Schedule a post to be published next month and bump it
| forward a sufficient period each time before it gets to
| trigger?
| gtirloni wrote:
| The author says the company is very litigious. He probably
| doesn't want them suing him on a personal basis, which makes a
| lot of sense. Keep in mind their own directors wouldn't pick a
| fight with this company themselves.
| yadaeno wrote:
| Too bad they are in EU which seems to not value free speech
| legally or culturally.
| megiddo wrote:
| What's the point of this story? Bad actors win?
|
| Here's a hot take: Name and Shame.
|
| If this story is true, the author should be shouting their names
| from the rooftop.
|
| Instead, we get this nonsense.
| draga79 wrote:
| The point is: always own your data
| jimmar wrote:
| > What's the point of this story? Bad actors win?
|
| Know your contracts. Read the fine print. Be careful who you do
| business with. Not all companies selling services for open
| source software embrace the ethos that we assume they do.
|
| After reading the story, I can understand why somebody would
| not name and shame. The author could be inviting lawsuits from
| a company that clearly has no qualms playing dirty.
| draga79 wrote:
| Exactly!
| lucianbr wrote:
| Something I read in the story is that the legal system fails
| to do its job: to make society fair. There are contracts and
| lawyers in the story, but they do not work toward ensuring
| fairness or justice, they work to help the company with more
| lawyers and less scruples.
| bluGill wrote:
| I know of no legal system that doesn't fail in some way.
| Some are much worse than others, but all have flaws. Often
| correcting the flaws is worse than living with them.
|
| Don't take the above as we should just accept the flaws. We
| should not. However what to do about them is a hard problem
| and we should not do something that makes things worse.
| lucianbr wrote:
| I'm sorry, I don't mean to be rude, but also I can't
| discern a single bit of useful information in your
| comment. It is all tautologies, and would apply to any
| human endeavour. Yes, nothing is perfect, it's possible
| to make things worse and we should avoid that. Sooo...?
| bluGill wrote:
| So the earlier pointing out problems isn't useful
| information.
| Dylan16807 wrote:
| Everything is flawed so pointing out specific flaws is
| useless? Nah.
| toyg wrote:
| The legal system, in Italy, has been fundamentally bankrupt
| for a long time. It's one of the reasons a lot of foreign
| companies don't invest over there - if anything goes wrong,
| the legal system is unlikely to be of any help.
| NickC25 wrote:
| >The author could be inviting lawsuits from a company that
| clearly has no qualms playing dirty.
|
| Could it possibly involve a particularly litigious law firm
| masquerading as a tech company run by one rich asshole?
| sam_lowry_ wrote:
| Oracle?
|
| Even RedHat is capable of such behaviour, and remember that
| the author is likely based in Italy, where companies run by
| crooks are the norm.
|
| But my best guess is Grommunio.
| abirch wrote:
| The naming and shaming should be the top organic Google result.
| People need to own their reputation.
| Moosdijk wrote:
| >Here's a hot take: Name and Shame.
|
| That's easier said than done, hence why Stefano probably
| didn't.
| noirscape wrote:
| The point of this story is that open source can't protect you
| against a bully with a legal department at his command, and
| neither can it protect you against bad contract clauses.
| Frivolous legal threats may be frivolous, but you have to prove
| that in court and a lot of companies would rather take the
| easier way out to avoid having to do that.
|
| The "FOSS" company never _directly_ threatened the author, but
| the implication of it alone was enough to scare off both
| agencies. Given a lot of the tech is mixed up here on purpose,
| there's a few FOSS companies & vendors I can think of with
| legal departments that I'd describe as "pretty aggressive" and
| "expensive for a managed solution" that aren't solely about
| Exchange related services but would definitely behave like
| this, given their PR over the years at times has had slipped
| masks.
| m-s-y wrote:
| > The point of this story is...
|
| The point is that without the identifying information it
| might as well be a creative writing exercise.
|
| Good anecdotes have power because they actually happened and
| are verifiable to some degree. This is neither.
| passivegains wrote:
| Harper Lee's novel _To Kill a Mockingbird_ is a creative
| writing exercise which didn't actually happen and isn't
| verifiably true to any degree. There were never any
| Finches, Ewells, Robinsons or Radleys, yet readers often
| find it quite powerful because they're perfectly aware the
| story's events have played out between real people many,
| many times. They don't need to be told the real names of
| people who have been in lynch mobs to know real people have
| been lynched. Email servers aren't quite as heavy a
| subject, but we know these things happen.
| citizenpaul wrote:
| >a bully with a legal department
|
| This basically sums up modern corporate status quo. T
|
| > "pretty aggressive"
|
| The legal system has been weaponized against the average
| person. This is the veil it hides behind. A legal department
| can be downright boring yet vicious at the same time. Like
| how they slow roll any employee legal dispute to the maximum
| legal time limit in expectation that they can financially out
| wait the employee. Which they almost always can.
| emmelaich wrote:
| What if the vendors or management have organised crime
| connections? It's not worth your kneecaps.
| poszlem wrote:
| This is the kind of story that perfectly captures why "open
| source" != "freedom." You can run 100% FOSS software and still be
| completely imprisoned if you give control to a middleman.
|
| The company in this story didn't just sell "support", they sold
| permission. They took something open, wrapped it in contracts,
| lock-ins, and managed-service handcuffs, and then claimed
| ownership of it. That's the new vendor lock-in model: control the
| interface, not the code.
|
| The chilling part isn't that they could read customer emails,
| it's that they thought it was normal. Somewhere between "managed
| service" and "surveillance," the moral line vanished, replaced by
| legalese.
|
| This story should be printed and taped above every government IT
| procurement desk. If you don't own your servers, your keys, and
| your contracts, you don't own your data, no matter how "open" the
| stack is.
| draga79 wrote:
| Totally agree (but I may be biased :-) )
| mr_toad wrote:
| I disagree that you can't own something that isn't physically
| controlled by you. Almost all of us have money which is not
| kept on our persons or property, in banks and investments. I
| think people would be outraged if someone told them it belonged
| to the bank.
|
| What's really important is the laws and regulations governing
| ownership. Ownership in a modern society is nearly entirely a
| legal construct. Ownership of data shouldn't be any different.
| MYEUHD wrote:
| > I disagree that you can't own something that isn't
| physically controlled by you.
|
| We're not talking about "something" in general, but about
| digital infrastructure.
|
| > Almost all of us have money which is not kept on our
| persons or property, in banks and investments. I think people
| would be outraged if someone told them it belonged to the
| bank.
|
| A better analogy is if you have a cryptocurrency wallet
| managed by Coinbase. You don't own. And they can in fact
| suspend your account (and probably take your crypto) if they
| don't like you.
| manwe150 wrote:
| I'm not sure that analogy contradicts ownership. Physical
| assets can be seized or stolen also (if Deloitte's AI
| doesn't like you) but it doesn't negate the concept of
| ownership of those
|
| Maybe possession would be a more accurate legal term? You
| can own something that isn't in your possession (eg might
| have been loaned, stolen, etc) or possess something that
| you don't own (eg the other side of the transaction)
| jbstack wrote:
| > I think people would be outraged if someone told them it
| belonged to the bank.
|
| You might find it interesting to read about 2013 Cyprus bank
| levy then. The government unilaterally raided people's
| savings accounts, taking between 6.75% and 10% as a one-off
| tax with essentially no warning. When you put money in the
| bank you are implicitly accepting the (small but real) risk
| that the government will come along and say "I'm having some
| of that" and there's nothing you can do about it.
|
| More anecdotally, I once had to help a family friend sue a
| bank for several tens of thousands of pounds in the UK
| because they refused to pay him back his balance when he
| closed the account and refused to explain the reason. It took
| a little over 6 months to get the money back. While
| researching the case, I discovered countless other cases in
| which businesses had gone bankrupt because of delays in
| recovering their money from the bank. Under UK legislation,
| banks can and do do this if they have "suspicions" of money
| laundering (which can be triggered for any reason whatsoever
| - the suspicion doesn't have to be reasonable). Not only do
| they not have to explain to the customer what those
| suspicions are, they are legally required not to. They can
| hold onto your money for up to 31 days and this can be
| extended to up to 6 months by a court order after a hearing
| which you will be excluded from and likely not even know took
| place until after the fact.
|
| Legally you do _not_ own your money in the bank. Instead you
| own a "chose in action"
| (https://en.wikipedia.org/wiki/Chose) which is the right to
| sue the bank for the money. Although it sounds similar to
| outright ownership, it's not the same thing.
| Dylan16807 wrote:
| The government could also tax you an extra $5000 out of
| nowhere by pushing a law through. That levy happened to go
| for bank accounts but the general concept isn't tied to
| whether your money is stored personally.
|
| Freezes are a big problem but they don't get to keep it.
| The delay is the problem, not a transfer of ownership.
| NoMoreNicksLeft wrote:
| >I think people would be outraged if someone told them it
| belonged to the bank.
|
| I have some bad news.
| OutOfHere wrote:
| (deleted)
| gipp wrote:
| How in the world did you read "hit piece on open source" into
| this article? There's nothing negative about open source at
| all, he's making exactly the same point as you.
| clownpenis_fart wrote:
| Some companies are just incredibly naive sometimes. Case in
| point: I work at a game dev studio, and our main competitor on
| the segment we are on is a game published by Microsoft.
|
| The other day a coworker was talking about how that other game
| had a tendency to release similar content as us, sometimes right
| before us, with marketing material that looked eerily like stuff
| still in production from our marketing team, to the point that
| they suspected someone was leaking stuff.
|
| Dude, all we do is discussed on Teams and it's all in documents
| stored in Office 365. They don't need us to leak anything, they
| can simply read our team channels and our documents. They
| probably spend more time discussing plausible deniability with
| their legal team than researching what we do.
|
| We are also moving our analytics from Tableau to whatever
| Microsoft's equivalent, and nobody seems to see the issue with
| that either.
| chuckadams wrote:
| I'm no lawyer, but I would think the purposes for which they read
| your email and the actions taken subsequently are blatantly
| illegal, and would invalidate the entire contract.
| Jolter wrote:
| Yes, but severing would end up in court versus a very
| belligerent party, who would do their utmost to cost you money.
| An organization that prioritizes safety over ethics will just
| suck up the extra cost, apparently.
|
| There are companies and organizations out there fighting for
| what's right in courtrooms. Invalidating troll-owned patents,
| striking down unfair contracts etc. Agency A was obviously not
| one of those organizations.
| balderdash wrote:
| I worked for a very successful multinational that I think was
| relatively moral (at least very moral vs average - e.g. we at
| least stood by our commitments and contracts and didn't try
| and re-trade them if they went against us) and they took the
| approach that they were never going to be a "soft target":
| nuisance law suits - litigate don't settle, unethical
| behavior by vendors or customers - we'll see you in court. It
| was probably more expensive for a decade or so, but over the
| long run it saved a ton of money and hassle.
| a_e_k wrote:
| I remember that being the Newegg philosophy w.r.t. patent
| trolls.
| indoordin0saur wrote:
| Yes, especially since this sounds like a government agency.
| Some contractor snuck a backdoor into your email servers and is
| secretly reading them? Imagine what kind of corrupt practices,
| up to and including foreign espionage, that they could get up
| to. They could have been justified in sending in the FBI or CIA
| if this was the US. Probably would have put a stop to their
| vendor problems really quick.
| toyg wrote:
| I don't need to imagine anything, it's just another day in
| the _Belpaese_: https://en.wikipedia.org/wiki/SISMI-Telecom_scandal
| cycomanic wrote:
| > On 21 July 2006, Adamo Bove, predecessor of Tavaroli as
| responsible of security at the Telecom company and former
| DIGOS member, died in Naples by falling from a motorway
| bridge. Bove had discovered a flaw in the system which
| enabled people to enter the Telecom system and implement
| wiretaps without leaving a trace.
|
| "Falling from a motorway bridge"???!!
| mattnewton wrote:
| Also, not legal advice, but you absolutely should name and
| shame them for this
| adrian17 wrote:
| Maybe I'm confused with the timeline but the actors involved,
| but:
|
| > The company offered a managed version with its own proprietary
| additions
|
| Doesn't sound like open source to me?
| charles_f wrote:
| I think it's one of these "reading the letter of the law"
| instances. European laws (or rather, laws in European
| countries) often mandate public sector to use open source. The
| reasons vary, some of them are about promoting
| interoperability, and avoiding vendor lock-in, digital
| sovereignty, and the EU commission has a principle of "public
| money = public code".
|
| So using open source on someone else's computer _technically_
| fulfills that requirement, without completing some of the
| reasons why the requirement exists (vendor lock-in in this
| particular instance is particularly laughable).
| Meneth wrote:
| There are plenty of projects like that. Gitlab, for example,
| has an open-source "Community Edition" and then "Premium" and
| "Ultimate" editions which they charge for.
| emmelaich wrote:
| And even if it's all open source, there can be branding
| issues like Moodle and SugarCRM.
| elijahcarrel wrote:
| I'm sorry but this reads like AI slop. Or maybe it's not AI slop,
| it's just regular human-generated slop, but regardless: it's
| useless.
|
| For one: it's intentionally completely unverifiable. Sure, maybe
| the writer's not brave enough to break their NDA by sharing
| names. But it's also convenient: nobody can ever poke holes in
| the story, or add their own context to it. The story just gets to
| live on its own and earn internet karma regardless of whether
| it's at all true.
|
| For two: completely inconsistent. Let's take these two
| paragraphs:
|
| > A few years earlier, a major public institution - let's call it
| Agency A - was still running an ancient Exchange mail server. It
| hadn't received security updates for ages, the anti-spam was
| completely ineffective, and the new regulations were clear:
| embrace Open Source solutions whenever possible.
|
| > They had already received a proposal - expensive but seemingly
| reasonable - for a managed service, hosted by an external
| provider, built on an open source mail stack. The company offered
| a managed version with its own proprietary additions and
| enterprise support. The catch? The price was absurd, and Agency A
| already had solid infrastructure - reputable IP classes,
| redundant datacenters, everything working fine. We had built and
| maintained that environment for years, and it was still running
| perfectly.
|
| So we have just learned in paragraph 1 that the current system is
| dated and full of security holes and missing features. In
| paragraph 2 we have learned that the current system's
| infrastructure is "solid" and "working fine". Can you really say
| the infrastructure is solid and working fine if it's preventing
| you from upgrading your Exchange mail server?
|
| And let's take paragraph two: it says the proposal is "expensive
| but seemingly reasonable" and then one sentence later says "the
| catch? The price is absurd". How can the price be both
| "reasonable" and "absurd?"
|
| Overall an annoying read.
| MontyCarloHall wrote:
| I agree it's not written in the clearest way, nor verifiable
| (though Stefano Marinelli does seem to be a semi-public figure
| in the online IT community, so it's not some anonymous blog).
|
| >So we have just learned in paragraph 1 that the current system
| is dated and full of security holes and missing features. In
| paragraph 2 we have learned that the current system's
| infrastructure is "solid" and "working fine".
|
| This confused me too, until I realized that he probably meant
| that his company set up the hardware infrastructure ("reputable
| IP classes, redundant datacenters"), but doesn't manage the
| software. Otherwise, why shred your own credibility from the
| first sentence by crapping on the "ancient," "insecure," and
| "ineffective" Exchange server?
|
| >How can the price be both "reasonable" and "absurd?"
|
| Agreed, this part makes no sense.
| draga79 wrote:
| The price was reasonable given the average quotes received by
| similar entities and the prices on the market, but it was
| absurd when considering the service provided. Perhaps I
| didn't make that point clear, and I'll likely modify it
| slightly. The concept is that the price, which was initially
| acceptable to them, was in fact absurd when viewed in terms
| of what was being provided.
| MontyCarloHall wrote:
| Ah, that makes sense. I would update it to say something
| like "the price was competitive with the generally
| overpriced market."
| draga79 wrote:
| I've modified this sentence, I hope it's clearer now:
|
| They had already received a proposal - expensive but,
| when compared to similar offers made to other
| organizations, apparently reasonable -- for a managed
| service hosted by an external provider and based on an
| open source mail stack. The company offered a managed
| version with its own proprietary additions and enterprise
| support.
|
| The catch? While such pricing had become almost "normal"
| in the market, it was still wildly inflated considering
| what was actually being delivered. Agency A already had
| solid infrastructure - reputable IP classes, redundant
| datacenters, everything running smoothly. We had built
| and maintained that environment for years, and it was
| still performing perfectly.
| MontyCarloHall wrote:
| Perfect! Exchanges like this are why the internet is
| still a great place.
| elijahcarrel wrote:
| Thank you, agree this is much better!
| draga79 wrote:
| PS: thank you for your suggestion!
| indoordin0saur wrote:
| Side question: If you and your co-workers (across multiple
| government agencies) had strong suspicion that the vendor
| had a backdoor to spying on your emails why wasn't the
| obvious choice contacting federal law enforcement? I'm not
| sure what it is like in the EU, but in the US I'm pretty
| sure that if something like this was discovered at a
| government agency that vendor would quickly find their
| office raided by FBI agents.
| draga79 wrote:
| Updating Exchange would have meant spending a lot on new
| licenses to upgrade to a new release, and public
| administrations were encouraged to seek open-source solutions.
| The underlying server infrastructure was solid, but the VM with
| Exchange was now old. The entire setup would have needed to be
| redone. The second paragraph, on the other hand, says that the
| quote was "acceptable" for them, knowing the average costs for
| that service. But it was also very high, even in the opinion of
| the IT manager.
|
| This isn't AI slop. These are real-life experiences. The goal
| is to raise awareness that open source doesn't always and
| necessarily mean freedom: lock-in exists.
| elijahcarrel wrote:
| Makes sense and thank you for explaining and improving the
| article! Apologies for jumping to conclusions. It might be
| worth adding a tidbit directly to the article on why Exchange
| couldn't be updated and how it was irrelevant to the "solid"
| infrastructure (I.e. something like "while Exchange was
| sorely out of date due to the hassle and cost of upgrading,
| the underlying infrastructure of the in-house servers it ran
| on was solid"), but defer to you and other folks here. If I'm
| the only one who was bothered by that then the fault is mine!
| bigfishrunning wrote:
| > The goal is to raise awareness that open source doesn't
| always and necessarily mean freedom: lock-in exists.
|
| This lock-in was legal and political, not technical. The
| lesson I would take away is "don't do business with parties
| that you don't trust".
| jotaen wrote:
| > I'm sorry but this reads like AI slop. Or maybe it's not AI
| slop, it's just regular human-generated slop, but regardless:
| it's useless.
|
| > For one: it's intentionally completely unverifiable. Sure,
| maybe the writer's not brave enough to break their NDA by
| sharing names. But it's also convenient: nobody can ever poke
| holes in the story, or add their own context to it. The story
| just gets to live on its own and earn internet karma regardless
| of whether it's at all true.
|
| I'm not sure why this would be surprising: it's a personal
| story shared on a blog, not an investigative article in a
| newspaper.
|
| I also don't think it helps calling everything "AI slop" these
| days only if one doesn't like it for some reason.
| ACCount37 wrote:
| Yep, there's at least a dozen "AI writing" red flags across the
| text.
|
| Low coherence sentence to sentence, stray emdashes, loads of
| those LLM-was-trying-too-hard writing turns.
|
| If it wasn't written by an AI entirely, then at least it was
| edited to shit by one.
| Workaccount2 wrote:
| So make sure you fully read the fine print before signing an
| agreement for something.
|
| You should do this for consumer stuff, but it's mandatory for
| business stuff.
| morkalork wrote:
| I'm curious about how the "unilateral amendment" works.
| If you didn't like the fine print in it, do you have to give
| your six month termination notice then and there?
| danaris wrote:
| If they unilaterally amend the contract to go from 6 months'
| notice to 12 months' notice, then presumably you'd have to
| give your 12 month termination notice then and there...
|
| ...and hope they don't unilaterally amend the contract in the
| interim to allow them to retroactively extend the termination
| period.
|
| AFAIK, "unilateral amendment" should be considered at least
| very suspect by most courts?
| arethuza wrote:
| Unilateral amendments appear to be fairly standard legal
| things:
|
| https://www.oncontracts.com/unilateral-amendments/
| exe34 wrote:
| doesn't it defeat the point of a contract?
| blochist wrote:
| Usually "unilateral amendments" are allowed via the
| contract terms, so it's part of the original contract.
| exe34 wrote:
| so you might as well sign a blank sheet. why bother with
| a contract?
| rcxdude wrote:
| As written they are usually a Hobson's choice - accept
| the new terms or terminate the agreement. So the other
| party can't throw something completely heinous in there.
| But it does open you up to all kinds of issues,
| especially if accepting the new terms is implicit in
| taking no action, since this kind of thing can easily
| wind up ignored in an organisation.
| arcbyte wrote:
| Unilateral amendment might be a bit of a misnomer because
| it's basically a new contract that your continued use
| implicitly accepts. There is never any retroactive term
| change. If they unilaterally change the notice period to 12
| months and you reject, you would have to give your of
| rejection but it would be under the 6 month term because
| you are not accepting the new contract.
|
| Unless there are other provisions for unilateral changes
| for contracts in the termination period, no new terms would
| apply to your final 6 months.
| kevin_nisbet wrote:
| Yup, even for smaller business stuff. For a non-profit I'm on
| the board of, the staff wanted a more useful printer/copy
| machine than just a store bought thing, it's a small office, so
| I said sure find something and let us know.
|
| So I get a contract and am told it's been vetted and I should
| sign it. What I found was outrageous.
|
| - If we cancelled for any reason, including if they just didn't
| do any of their terms in the contract, we owed the full price
| of the remaining contract immediately.
|
| - The way they structured it was also as a rental, so we were
| paying full price for purchase of the equipment embedded into
| the term of the contract, but it was the vendor's equipment, so
| if we cancelled we still paid them full price for the
| equipment, and they got to keep it.
|
| - If there were any legal disputes, no matter which party was
| at fault, my side would pay for all the lawyers.
|
| I said nope, can't do it. And my staff were pissed at me for
| like a year because everyone just signs those things.
| xmprt wrote:
| I get why your staff would be pissed because dealing with a
| crappy printer/scanner is the bane of a lot of office
| workers' existence... but they must have been able to find a
| better vendor or something off the shelf which supported the
| features they needed right? What special feature could they
| possibly offer to make them brave enough to put all those
| terms in their contract?
| yobbo wrote:
| They count on potential customers not reading the
| contracts, or being able to do math or research themselves.
|
| Typical customers for these types of scams are small
| offices with no technical person in the loop.
| trollbridge wrote:
| Another example is the predatory, abusive contracts sold
| for merchant card processing.
|
| Whereas our local bank will do it for $10 a month,
| interchange plus 0.15%, no contract. Versus fees of 3%, 3
| year contract.
| trollbridge wrote:
| I'm also on a nonprofit board. They have an independent LLC
| and an independent nonprofit which signs contracts for
| various services like that, and then contracts with the
| "real" nonprofit to actually use the services. Was advised to
| set it up this way by an experienced nonprofit consultant.
|
| We had to shred a bad contract (oddly enough, also for a
| printer / copier) and simply abandoned the LLC and declared
| it defunct. The service provider never has even showed up to
| pick up the printer. It was a pay per page contract where
| they unilaterally raised the price about 200% for no reason.
|
| We also abandoned a water cooler and water cooler service
| after the vendor simply refused to answer our requests to end
| the service. (It's $20 a month. There was no long term
| contract signed.) Apparently nonprofits are a target for this
| sort of thing, so we now don't even mention we are a
| nonprofit and handle business relationships via the LLC.
|
| It's absurd things have become this way.
| daheza wrote:
| How are you setting up LLCs nowadays? I set one up through
| legalzoom and get charged an increasing amount each year
| (it increased $100) this year and I can't cancel / dissolve
| the charges via the UI. Even though I signed up online, I
| have to contact the state to dissolve the LLC then show
| legalzoom proof in order to cancel their yearly fee. It's
| pretty crazy.
|
| Are there other better vendors for this kind of work out
| there?
| mindcrime wrote:
| Why do you need a "vendor" at all? Do the paperwork
| yourself and pay the $100 fee (or whatever it is in your
| chosen state), and Bob's yer uncle. At worst add in a
| one-time cost of $40 or so to buy a book like _Nolo's
| LLC Handbook_[1].
|
| [1]: https://www.amazon.com/Nolos-LLC-Handbook-Agreements-Instruc...
| sneak wrote:
| I read the agreement for ID.me and it's atrocious. It requires
| that I "voluntarily" waive civil rights. I don't want to use
| the service.
|
| There is no other way to log into IRS.gov.
|
| You can't watch YouTube without a Google account.
|
| You can't be in the parent group chat without agreeing to the
| Meta TOS for WhatsApp.
|
| The list goes on.
| hoten wrote:
| Which civil rights?
| IAmBroom wrote:
| And regardless, courts have previously ruled that you can't
| waive your civil rights in a contract.
|
| Previously. Not the current SCOTUS, of course.
| seanw444 wrote:
| How does that hold up for arbitration clauses?
| brewdad wrote:
| What civil right is being violated? The sixth amendment
| only applies in criminal matters.
| tonyhart7 wrote:
| "You can't watch YouTube without a Google account"
|
|     you can't??? I reinstalled my desktop the other day, it let me
|     view without login. The problem is the recommendation tab/service
|     is empty because there is no history so it can't recommend
|     something, hence you assume that you couldn't view videos
| ponector wrote:
| If you use VPN then you'll get a login screen instead of
| the video content.
| reaperducer wrote:
| _So make sure you fully read the fine print before signing an
| agreement for something._
|
| The article makes it sound like that wouldn't have helped.
|
| It states that the terms of the contract were "unilaterally"
| changed, without anyone being told -- Something that the tech
| industry has normalized.
|
| Reading the fine print of the signed contract wouldn't have
| helped, since the contract changed since then.
|
| These days you're lucky if you even get an e-mail saying "Our
| terms of service have changed, and if you don't like it, tough
| noogies." People who are not lawyers on HN will say it's
| illegal, yet it still happens constantly, and doesn't seem to
| have been struck down in any court, or it wouldn't keep
| happening.
| x0x0 wrote:
| Contracts cannot be so amended unless you allow it. Why would
| you possibly allow it?
|
| ToS are for low-value consumer accounts. 500 seats and public
| institutions is very different.
| rcxdude wrote:
| If you _sign_ such a contract then you have already screwed
| up. Note that terms of service and licenses are not the same
| thing as such contracts and are a bit more limited legally
| (heck, such a clause in a full-on contract is already on
| shaky ground)
| rectang wrote:
| And factor the cost in time, effort and risk of mistaken
| analysis into the cost of what the contract offers. Many times,
| it just isn't worth it.
| m-s-y wrote:
| What's the point of not naming names? This could easily be just a
| creative writing exercise.
| bluGill wrote:
| The truth is not a defense against libel laws in all countries.
| Depending on where this is the poster could be out a lot of
| money just for naming names. As such not naming names is the
| safe answer.
|
| Even in the US where the truth is a defense, you still can be
| out a lot of lawyer fees because you can be sued for things you
| say and it can cost a lot of hours in court.
| IncreasePosts wrote:
| The author is located in Italy, where "it's the truth" is not
| an absolute defense against defamation like you say -
| basically, here, causing "reputational harm" is actually
| against the law, even if you are telling the truth. There are
| a few exceptions like social interest which may apply, but it
| is a dangerous game to play because you need to prove that to
| the courts, as opposed to just proving what you wrote is what
| actually happened.
| gtirloni wrote:
| It's a curse we also inherited in Brazil. Companies can't
| have any marketing mentioning their competitors or they
| face lawsuits.
| SoftTalker wrote:
| In the USA it used to be very rare for companies to
| directly mention competitors in ads. Products would be
| compared to "Brand X" or some other genericized name
| instead.
|
|             I think it still is somewhat rare. Why even let a
| potential customer know that a competitor exists?
| gtirloni wrote:
| It's usually some new entrant taking on an old brand so
| they aren't really helping that brand's awareness.
| toyg wrote:
|         Plus, any court proceedings in Italy can _routinely_ take
|         _decades_, destroying one's life even if they are
| completely innocent, even if the complaint is trivial, even
| if the complainant is obviously malicious.
| 93po wrote:
| a company with a history of threatening baseless lawsuits,
| combined with possible NDAs, or possible professional backlash
| when lawsuit-happy company threatens former employer. not worth
| it for a blog post.
| indoordin0saur wrote:
| Moral of the story is that going to open-source is only _part_
| of avoiding the traps that vendors set. You also have to trust
|   the vendor you're working with and make sure that the contract
| isn't full of lawyer tricks.
| beambot wrote:
|     Asymmetric legal battles are best avoided...
| justin66 wrote:
| > However, to protect the privacy of the people and companies
| involved, I have deliberately mixed things up: technologies,
| contexts, and specific details have been modified or merged with
| other experiences.
|
| Why wouldn't a person stop reading there, unless they were the
| author's mom or roommate or something and were reading out of
| politeness?
| citizenpaul wrote:
| I feel like many HN'ers have been in this situation.
|
| I was once in a confidential "back out" of a system. There was
| some shared code base with the other company. One of our devs
| made a comment that was something like "Reversing Migration
| Script" in the code.
|
| In less than an hour from that commit (I didn't know at the time)
| I was stuck in a firestorm WTF DID YOU DO battle between the
| two CEOs of the companies. It turns out that the other company
| was ACTIVELY spying for such terms in the code so they could
| react if we tried to leave. It was going to be an honest non
| renewal at the end of the contract so not even anything shady. I
| didn't find out till later about how they were spying out so
| there was this huge witch hunt about who was the rat and such. It
| was awful.
|
| It seems this level of sociopathy is just the norm these days and
| I'm just an old fuddy duddy doing regular honest work without
| having a Machiavellian scheme running in parallel no wonder
| places only want to hire 20yo's /s /sorta.
| bombcar wrote:
| Anything that might be monitored should have EVERYTHING named
| variables that trigger the monitoring.
|
| Like the old NSA copypasta.
| esafak wrote:
| How _were_ they spying? Help people learn from this incident.
| gtirloni wrote:
| _> There was some shared code base with the other company.
| One of our devs made a comment that was something like
| "Reversing Migration Script" in the code._
| ayende wrote:
| That isn't spying. That is called doing code review on a
|         shared dependency
| rossdavidh wrote:
| While the story is infuriating, it is also:
|
| 1) completely from one person's version of events
|
| 2) absolutely unverifiable
|
| I can't help shaking the feeling that it could be ragebait? Which
| ended up on HN as a result? Sure, companies act like bullies
| sometimes, but I don't know that I think this story is more
| likely than "person I've never heard of makes up outrageous story
| for attention". Both seem equally plausible.
| indoordin0saur wrote:
| The thing that doesn't make sense to me is if there was pretty
| clear evidence that some vendor had put in a backdoor into the
| email servers of multiple _government agencies_ and there were
| directors and managers at all of these agencies that had good
| reason to believe they were being spied on, then this would
| have warranted a _criminal_ investigation of the contractor. At
| that point, voiding the contract, migrating to whatever other
| email service you have and getting out of the bill would have
|   been easy. It wouldn't have mattered what sneaky language got
| slipped into the contract by the vendor, you do not ever get to
| spy on internal government emails.
| rcxdude wrote:
| The issue is the will to fight it, basically. Even if you're
|     wronged, if the other party is belligerent you need to be
|     willing to push for the criminal investigation, push for the
|     transfer, defend yourself against lawsuits even if they're
|     frivolous, etc. Many people in these organisations just want
| a quiet life and will bend over to such behaviour because the
| demands are not bad enough to make them want to fight it.
| swores wrote:
| Perhaps you're right that it's government agencies (I may
| have even skimmed over a mention confirming that?) but my
| assumption, especially after the author mentioned one of the
| "agencies" being about 500 people total, is that he's more
| likely talking about something like a marketing or design
| agency, or a talent agency, or... something.
| indoordin0saur wrote:
| Sounds like Oracle. Of course, they're much more clever about how
| they do it but always recommend people stay as far away from any
| of their products as possible.
| hluska wrote:
| There's something odd about this story. Not naming companies is
| weird - this happened before GDPR which means it happened a
| minimum of nine years ago. There were no lawyers involved at any
| point, not even before signing amendments with a company known
| for punishing vendors on their way out. Nobody even seemed to
| mind that this shady company with such a bad reputation was
| reading client emails. There was no attempt to warn anybody or to
| even solve the problem.
|
| I don't believe that this ever happened. I don't know why someone
| would make up a story like this but this one is very odd.
| draga79 wrote:
| Of course, you're free to think that. Sometimes dynamics aren't
| very linear and people are more inclined to avoid problems
| rather than create more. The concern about this company was
| obviously well-founded and valid, and the people involved
| didn't like it. Some of the choices they made were undoubtedly
| questionable, and I admit I was disappointed. Of course, I
| couldn't tell the whole story or all the details, but in the
| end, the company didn't get away with it completely. This event
| gained some traction through word-of-mouth among colleagues,
| and their user base plummeted in a short time.
| hamilyon2 wrote:
| >a horror story based on real events
|
| So is it fiction? Details matter. If any of the details are not
|   true, this makes the story waaay less interesting.
| ceejayoz wrote:
| "However, to protect the privacy of the people and companies
| involved, I have deliberately mixed things up: technologies,
| contexts, and specific details have been modified or merged
| with other experiences."
|
| Enough changes to avoid a libel suit, I'd imagine. Like when
| media outlets use and disclose a fake name for someone's story
| out of fear for retaliation.
| buran77 wrote:
| This guy really works in a "minefield", with trouble and powerful
| enemies at every step.
|
| https://news.ycombinator.com/item?id=43985971
| toyg wrote:
| The minefield is just the reality of the Italian business
| landscape. In a country dominated by small companies run by
| families and friends, this sort of thing happens every other
| day.
|
| In that particular story, if true, I bet the writer is a
| relative of someone in the branch of police dedicated to tax
|   checks (the much-feared _Guardia di Finanza_, who effectively
| wields power of life and death over most small businesses).
| thisisit wrote:
| > a former interim IT manager still had an email client connected
| via token authentication - with access to all messages. And that
| person had signed the original contract with the provider years
| before. Informally questioned, he admitted contacting them "to
| warn them" but claimed it was harmless.
|
| This kind of behavior rubs me the wrong way. People leaking
| stuff, breaking compliance and then saying - It was just harmless.
|
| I work with a Director who has done something similar multiple
| times. The chain of events often is - She attends an industry
| conference, there she learns about a piece of software, she goes
| ahead and schedules product demos and solicits a contract. She
| then contacts the only outsourcing agency she is aware of and
| promises to give them the implementation contract. Then reaches
| out as she doesn't have the authority to sign those contracts.
|
| Since the time I have been responsible for product selection this
| has happened twice. Both times I have been under different
| managers. Both managers have insisted it was harmless.
|
| Last time this happened the Director was told that by promising work
| and soliciting contracts she was in gross non-compliance with the
| company policies. Her response showed how little she cared. As
| per her, this was an internal matter and no one could punish her.
|
| Later we evaluated the product and it promised to "get
| better with time". All the company's data was being ingested into
| an AI without regard for enterprise data security rules. Even
| then her response was - What is the big deal? Everyone reads
| everyone's data. Legal got involved and shut it down - they asked
| the product to turn off AI features for our instances.
|
| It is really hard to contend against a malicious or dumb team
| mate. In a corporate setting if they are higher than you then it
| is even more difficult. They can chalk it up to a harmless
| mistake and no one can do a thing.
| dec0dedab0de wrote:
| I worked for two very large fortune 100 companies. Both of them
| had people in management quite obviously taking personal
| kickbacks from vendors. Sometimes right out in the open. I
| would loudly point it out in meetings, which got me uninvited
| from a bunch of meetings.
| D-Coder wrote:
| > which got me uninvited from a bunch of meetings.
|
| So, not a total loss.
| steveBK123 wrote:
| Every POC I have been involved in, across multiple firms, was
|   driven by management trying to send some business to a buddy's
| company
| viccis wrote:
| What you're describing the director do sounds like the favorite
| pastime of HR directors. They just love going out and changing
| up the performance review software every couple years without
| consulting anyone else and paying enormous amounts of money for
| it. At least the current favorite for this (Lattice) has decent
| UX versus some of the past ones I saw used all over (PeopleSoft
| in particular)
| Dylan16807 wrote:
| > The request was simple: "Evaluate this solution, and if it's
| suitable, we'll migrate.".
|
| This took me a few tries to figure out. "This solution" is the
| open source stack _without_ the vendor from the previous
| paragraph. I thought it was including the vendor and got very
| confused when more comparisons started to happen.
| bn-l wrote:
| Interesting. That's where I stopped reading
| johnmaguire wrote:
|     Took me a couple paragraphs to figure that out too.
___________________________________________________________________
(page generated 2025-10-08 23:01 UTC)