There's basically three sides to the story now, for reference:
Entropic statement:
https://www.entropicengineering.com/defcon-32-statement
dmitrygr statement:
https://news.ycombinator.com/item?id=41207469
dmitrygr being removed:
I believe DEF CON on this, because the other side of the story --- that they vindictively withheld payment from Entropic and later harassed the firmware developer --- just doesn't make any sense. We are probably talking about rounding error sums of money for the conference organizers themselves.
I don't understand why DEFCON deserves the benefit of the doubt, but Entropic and dmitry don't. Here's Entropic's response:
We were clear as early as our first conversation in January that the risk in trying to push to mass production of this size and on this timeline was immense, even advocating for a DEFCON 2025 release of this particular badge. DEFCON’s Badge Team remained confident that they could meet and mitigate this risk.
Once a month, we billed for our work and submitted an updated estimated per badge final cost - committing as costs built to discount our work as necessary in order to hit DEFCON’s per unit cost targets.
In June, after 5 months of late night work, badges were fully designed, prototypes were working, and mass production was ongoing with the manufacturers we contracted on behalf of DEFCON. We billed DEFCON for our most recent work, discounting our labor by 25% in order to meet the agreed upon targets. Unfortunately, we were instead met with a work stoppage request and informed we would no longer be paid for services already rendered.
https://www.entropicengineering.com/defcon-32-statement
It feels to me like DEFCON is relying on being able to say "well, we're DEFCON" when defending themselves, and people like you are just blindly trusting their word. How many times have big organizations like this screwed their suppliers? And yet DEFCON is "clearly" innocent? You must be joking.
At least wait until we get a better picture of everything before deciding on a judgment of any of the parties involved. It's going to take time before we find out what actually happened.
DEF CON is making a falsifiable claim, that Entropic blew their budget and billed outside the SOW. Entropic is handwaving (who gives a shit what RPi hardware they had access to?). I'm not in DEF CON's corner generally but my priors as a consultant lock in pretty solidly on this being a consultant fuckup.
Entropic says their bills were discounted to still meet the per unit cost target. Isn't that a falsifiable statement that contradicts Defcon?
They also said they didn’t take into account anything outside the board, because only Defcon had access to that data.
It’s perfectly possible for Entropic to be calculating to a $100k total cost (for the board), while Defcon is calculating the cost for everything (case/lanyard, etc.), and gets to $160k for the entire project, then says they’re 60% over budget.
I imagine Entropic was discounting their bills to say within the 100K, while Defcon already felt they were over.
(Numbers made up)
Injection molds for that nice clear case can't be cheap too. Has four parts, clips, undercuts, and not tiny. They're not making that shell for under $100k total at any volume.
I didn't see the case, so this is speculation based in my knowledge with injection molding.
A fairly simple mold costs 5-10k, a complex mold 10-20k. Since this is a limited production run, I would argue that they didn't need the highest tolerances.
Thus my guess would be ~$50k for the molds and ~$5 for the parts.
Entropic also pointed out that they made new molds to take their logo off the case. How much did that cost? Why not just pay Entropic with that money? The whole thing stinks...
There was never any question as to whether DEF CON was capable of further funding Entropic. They fired Entropic, which mooted the question of how to find additional money for them.
I was mistaken about parts count, it's just front and back. But both sides of both halves seem polished to show components inside, and it's assembled by finger sized clips around the edge instead of bosses and screws. I thought those clips might need slide core things. Or have those come down in cost in the last few decades?
https://old.reddit.com/r/Defcon/comments/1en7jxz/
No, that statement doesn't contradict DEF CON's. Both things could easily be true.
If both statements are true, then why would DEFCON order them to stop work? Unless I misunderstood their statement, Entropic claims they were willing to be paid only what was agreed to up-front, and not for any over-budget work they'd been doing.
This doesn't really add up to me. Ultimately we'll never know for sure. Personally I'm inclined to believe Entropic more on this one (though I'm sure neither party is blame-free, regardless of where the bulk of fault lies), but I can see why you'd be more inclined to trust DEFCON's response.
(I just don't consider "DEFCON made a falsifiable claim and Entropic didn't" to be strong evidence either way.)
People keep talking about this "stop work" thing. DEF CON fired their contractor. That's all that means. There's no particular ceremony to "stop work".
Def CON: Budged it $200K for 20K badges.
EE: It will cost us $300K to make those
Def CON: Ok too bad, see you around.
EE: No no, what I meant to say is 'it would cost us $300K, but we will gladly do for $200K, we will "discount" our work.
Def CON: Dont care about your internal accounting, can you do it for $200K or not?
EE: Where do I sign up?
...time passes...
EE: keeps trying to send invoices totaling $300K
EE: keeps trying to send invoices totaling $300K
Where are you getting that, though? EE says:
Once a month, we billed for our work and submitted an updated estimated per badge final cost - committing as costs built to discount our work as necessary in order to hit DEFCON’s per unit cost targets.
And:
We billed DEFCON for our most recent work, discounting our labor by 25% in order to meet the agreed upon targets.
So it sounds like they were billing with an expected total of $200k, not anything higher. Perhaps they were listing in their invoice all the actual costs, but then had a "discount" line item to bring the cost back down, but if so... so what?
Entropic's statements have been really vague but I don't think they "discounted" anything. They couldn't charge their full labour cost because they had a signed SOW. So they may have put in more hours than estimated and weren't able to bill their usual hourly rate, but that's why we have SOWs - to protect the clients in the case of overages. If they wanted a time and materials style contract they could have bid that.
We were clear as early as our first conversation in January that the risk in trying to push to mass production of this size and on this timeline was immense, even advocating for a DEFCON 2025 release of this particular badge. DEFCON’s Badge Team remained confident that they could meet and mitigate this risk.
Assuming this is true it’s simple: you walk away. If you’re being contracted to do something you don’t think you can do, you don’t sign the contract. Anything else is a recipe for pain.
Sure, but I can understand why they'd want to do this. If they could have pulled it off (and honestly it sounds like they did; the badges ended up in the hands of conference attendees in working order), it would have been amazing publicity.
Arguably it still is amazing publicity, at least for the people who will end up believing Entropic's version of events. Maybe not a good look when it comes to people who side with DEFCON on this.
I think the issue is that they got used to pulling a rabbit out of a hat with their badges. The budget they have for them is apparently ridiculously low, and it seems like sheer luck that it somehow worked out in the past. At some point, defcon must have confused luck with skill. Meanwhile, others paid the price for that by working "for exposure."
This year, it blew up in everybody's faces. Whose fault is it? Defcon, for having unrealistic budgets? Contractors, for taking on an unrealistic project for the prestige?
IMO there's plenty of blame to go around.
I would say the fault is on the both sides. Defcon being so big knew that someone will pick up their unrealistic budget. But it’s still the contractor’s fault if they took a project with full knowledge of its scope and agreed on the price, and then did not deliver.
After going overbudget by more than 60%, several bad-faith charges, and with a product still in preproduction, DEF CON issued a stop work order.
My reaction was "only 60% over budget"? This is a low volume custom computer. The way Defcon pushes promotion and recognition, I do not think they paid full commercial price.
We all don't know how the contract was structured.
EE claims, they stayed in Budget while also claiming they did not receive the agreed upon payment.
DC claims, EE went 60% over budget
A run with 30k badges is not that small and eight months is not that short of a timeframe.
Somewhere I read about a $20 target price all in which I find realistic for PCB parts and assembly, but not if the cost include injection molding ($10k / mold and $1/pcs I guess) and especially not if it contains hardware and software development cost
The whole point of being the vendor is that you're the party with the expertise to know what is and isn't a realistic budget for a project. Clients ask for unrealistic stuff all the time; part of your job is saying "no".
We are not talking about a ordinary computer nerd - newb buisness relationship here.
HN comments were dismissive of the Google SRE "no heroes" article recently, but this is a great example of why that policy is in place. Heroism leads to unrealistic expectations until something implodes far more catastrophically than setting reasonable expectations and not killing yourself to make magic would have.
HN comments were dismissive of the Google SRE "no heroes" article recently
If (like me) you hadn't seen this one, I think it is https://news.ycombinator.com/item?id=41172531
(Some of the top-level comments do indeed seem a bit oddly negative to me)
The last defcon I attended (5 or so years ago) they didn’t pull a rabbit out of the hat and we ended up with lame plastic badges. Obviously badges aren’t everything, but they’re not nothing either.
People do petty stupid things.
My priors align with the client having unreasonable expectations and then squabbling over the inconsequential bill. That is totally a thing that clients sometimes do.
Having spent a very long time as a consultant, a thing vendors sometimes do is commit to unrealistic project schedules and then attempt to invoice their way out of the hole they've dug for themselves, and by "sometimes" I mean "every times, every of the times", it is one of the most common ways consulting projects blow up.
When your project blows up, the professional thing to do is to resolve the problem with the client before billing another hour over the SOW. The common, crazy thing to do instead is optimistic invoicing: the client must share our priors, we're all reasonable people, so we'll just implicitly revise the SOW to match our learnings on this project and proceed, prioritizing what we believe would be a successful delivery of the project over everything else. That rarely works.
Serious consultancies routinely eat billable weeks of time in order to meet client success criteria and retain relationships.
What's "SOW"?
Scope of Work
I’ve always seen it as Statement of Work, but either way it defines the work that will be done.
I read it as “Statement of Work” which is description of the work to be performed/delivered, although often much more general than a full technical specification, sometimes in a comedically tragic way.
How much money do you think the DEFCON organizers make?
Their top line is 8 figures annually.
Do you have a source for that?
Seems reasonable just looking at number of attendees * cost
The groans you hear on Reddit and social make it sound like this isn't DEF CON's first time finding itself in this kind of kerfuffle with a contractor
Why reach for a stop work order if the whole thing is a rounding error. Entropic seems like they were able to finish, except that cost was an issue
Why reach for a stop work order if the whole thing is a rounding error.
My interpretation is that the project was at risk of not being delivered. No doubt Entropic had made and broken many promises leading to the stop work, and at some point DEF CON needs to take ownership of the project in order to ensure delivery.
The whining in the Entropic's statement about how "extremely difficult / almost impossible" the project was is what gets me. Come on--you're grown-ass adults that signed a contract to deliver X work by Y date. Nobody cares how hard it was. I've been on the other side of the coin many times, managing a small vendor who's in over their head, and I try to have empathy, but where is the project manager? Where are the milestones and checkpoints? They didn't suddenly stop-work out of the blue. I'd guess multiple checkpoints were missed, and everyone knew this was coming.
And that’s not even mentioning the Easter Egg! Good grief!
Exactly. A badge is not really rocket science, there are no real hidden risks.
I read about the $20 target price, which I find quite hard to reach, but that is something you know before you agree to deliver X by date Y costing Z
For me, it was in the attempted follow-up, "We told them almost impossible, too risky, do it for 2025! --- and they just didn't listen!" (real quote in [1])
My alarm bells go off loud when people invoke tropes indirectly and lazily, hoping it'll influence my perception of a situation
DEFCON isn't the pointy-haired boss stereotype that needs you to deliver exactly $X, this quarter, with duct tape and glue. They know tech and wouldn't have talked a team saying they can't do it until 2025 into 2024.
Well, what if they really wanted it for publicity?
DEFCON had 0 stake in a new Raspberry Pi release, and Entropic self-reports they were the ones with early access to an unreleased product and decided it was the right vehicle. [2]
[1] We were clear as early as our first conversation in January that the risk in trying to push to mass production of this size and on this timeline was immense, even advocating for a DEFCON 2025 release of this particular badge. DEFCON’s Badge Team remained confident that they could meet and mitigate this risk.
[2] The specifics of what they requested in January were extremely difficult / almost impossible, but we had been working with Raspberry Pi as a Design Partner and had early access to the unreleased Raspberry Pi RP 2350, a chip that would enable exactly the kind of device DEFCON was requesting.
That's kinda weird too, as DEFCON does electronic badges every other year, so they would not really be able to delay this project until 2025, but would instead need to delay to 2026 and hire a different vendor for 2024.
National politicians have taken bribes for less.
National politicians have legible incentives. What’s the incentive for DEF CON here? It’s not like they’re apart from the community; people know exactly who they are, and the existence of their conference is tied entirely to the community’s perception of their leadership.
That a mostly-finished, working project of this complexity ends in fiasco can't be the fault of the contractors. What failed is communications - and apparently only on one side. Both Entropic and Dmitry were shocked by this outcome; not communicated with.
Reading EE and DEFCON’s statements, I’m inclined to think whoever was managing this on DEFCON’s side was not on top of things and blinked at the last minute. I’m sure there were delays and issues on EE’s end, as it always goes with hardware, but it’s still EE’s design, parts sourcing, and manufacturing run that DEFCON just took over last minute?
I don’t know the terms of their contract, but that wouldn’t fly in a typical contractor setup. You can’t just cut out the contractors labor costs after the fact. I’d be more inclined to give DEFCON the benefit of the doubt if they canceled the entire project earlier on and engaged a different contractor to build an entirely different badge from scratch.
Given that dimitri wasn’t even paid for the firmware(!), my guess is this was low budget. For something of DEFCON’s scale, this can’t really be a “for fun” hacker project if you want to guarantee results. The “for fun” part is ensuring the attendees can all have a good time hacking on the badge, not the people doing the labor.
On the contrary, if you have a signed master and SOW for a project, you absolutely cannot just bill over or outside of the SOW because of "contractors labor costs". The whole point of contracts is to agree to costs up front and eliminate these kinds of on-the-fly disputes.
But as I understand it EE did not bill outside or over the SOW. They just sent updated cost estimates indicating that they wanted to.
All we have to go on are the statements, but DEF CON's statement is falsifiable and direct:
After going overbudget by more than 60%, [and] several bad-faith charges
Which, again, pattern matches to a pretty common mode in which consulting projects blow up: you give an optimistic estimate, learn partway into the project that you were hopelessly off, and then try to invoice your way through it.
I would be very interested to know what DefCon's budget for the badges is, and how much latitude was built in for things like chip shortages, rush shipping, etc. A big project like this, especially during major geopolitical strive, could have all sorts of unforseen complications. DefCon has been around the block a few times and should know how to handle things. But without details, it's impossible to know for sure.
I'd like to know why badges are being used at all. It's DefCon- isn't there a more creative way to handle security?
People love these stupid badges. That's why they get made.
Every other year they build a hackable “smart badge,” and people love to hack on those things. Are they necessary? No. They’re toys. But they’re fun.
It's not defcon's job to figure out how EE should charge for their projects.
This one seemed a bit riskier, using the new Raspberry Pi microcontroller that's not even for sale yet. Granted, the parts were probably donated, but getting the timelines right must have been a concern.
60% over budget sounds sort of within the realm of reasonable? Most projects that go over budget reach 100-200%.
If you agree to get monthly invoices instead of one fixed cost project, then you are implicitly agreeing that costs are variable.
That's the thing that's weird to me. If DEFCON had a hard cost limit that they were unwilling to go over, structuring the contract with monthly invoicing based on materials and ongoing labor costs makes no sense. It would seem to me that the only sane way to do this would be to make it a fixed-cost $X contract, and the only monthly (or otherwise periodic) part of it would be to split payments by milestone or by some other rubric.
EE’s statement is about as falsifiable and direct I would say:
Once a month, we billed for our work and submitted an updated estimated per badge final cost - committing as costs built to discount our work as necessary in order to hit DEFCON’s per unit cost targets.
In June, after 5 months of late night work, badges were fully designed, prototypes were working, and mass production was ongoing with the manufacturers we contracted on behalf of DEFCON. We billed DEFCON for our most recent work, discounting our labor by 25% in order to meet the agreed upon targets. Unfortunately, we were instead met with a work stoppage request and informed we would no longer be paid for services already rendered.
Easiest way for me to reconcile these is by assuming that DEF CON’s statement about going 60% over budget is referring to the estimated per badge final cost, not actual invoices. But yea, it’s hard to know what happened here just based on these statements.
Clearly you've never worked on a government project!
I was on a defence project that overshot by a cool billion dollars on the SOW...
There are multiple ways government contracts (and contracts in general) are billed. Blanket statements about billing for government and non-government contracts are not accurate.
Why not share some facts. A blanket statement about blanket statements is something a bot would do.
I've made a point of not working on government projects, so yes, this is a blind spot for me.
Its not uncommon for a contract and SOW to include an hourly rate for approved out of scope items.
Yes.
https://news.ycombinator.com/item?id=31526196
I'm guessing that's not what they did, though, since DEF CON comes right out and says they submitted bad-faith invoices. That's a factual, falsifiable claim, and a commercially damaging, actionable claim if it's false.
Agreed. I’m honestly not familiar with how they’re structured for hardware contracts like this. I was imagining some sort of cost plus structure. No point in speculating on the details of a contract dispute where we don’t have the contract, I suppose.
I was under the mistaken understanding that EE was not paid out at all. Rereading their statement, they say they were partially paid, so I think I was overly harsh. This is firmly in “boring, messy contract dispute” territory now, I’d say. :)
It depends on the contract. I will never just do a single SOW contract and risk it all. I will do an hourly contract and maybe give a discount if a certain amount of money is spent because things get tough. The client will get an estimation but in this day and age, prices will vary in a few months.
Entropic Engineering should not have gone through with this project on this timescale of 6 months with a new chip. Defcon badge team doesn't know how to properly outsource electronics, collaborate and do risk management.
What kind of contract was it? If it’s cost plus you sure can
SOW: Statement of work.
DEF CON's response reeks of petty; characterizing dmitry as a "subcontractor" rather than a volunteer for spin purposes, and the choice to remove Entropic's logo from the case based on this budget dispute.
I think the point of calling Dmitry a subcontractor was to make clear that dmitry worked for/with EE, not DEF CON.
But surely DEF CON know that isn't true, because Dmitry evidently provided them with the firmware after the "stop work" order to EE (otherwise it couldn't have included the easter egg).
That’s a good point. From reading DEF CONs statement again, I could imagine that they would claim they issued the stop work order and then got delivery of the current state, which then included the Easter egg. That’s the only way I can come up with where this makes sense. It’s also not clear to me if DEF CON really got the firmware from dmitry or if he gave the firmware to EE which then delivered it together with everything else to DEF CON.
If he was working on the firmware until the moment of his flight to Defcon, then clearly they were happy to continue taking his time and effort for free.
This also seems to be implied by Entropic, which say they did work on the badge after DEF CON stopped paying them for it.
The term implies the existence of a contract. By his own clear statements Dmitry did the firmware on his own as a volunteer because he liked the RP2350 and wanted to to contribute to the badge project.
Yes, he probably wasn’t a subcontractor in the legal sense. DEFCON wanted to say “we didn’t directly work with Dmitry, we contracted EE and they got Dmitry to write the firmware” as I understand it. DEFCON probably doesn’t know/care about every relationship EE has to their contributors.
You can’t just cut out the contractors labor costs after the fact.
Its not after the fact, thats exactly what Stop-Work Order was for.
EE claims that DEF CON does not want to pay up until the stop-work order though. So it seems to be at least a bit “after the fact”.
why would DEFCON go with such a small outfit?
This is a great example of why both sides of a story are needed. From DEF CON's perspective, assuming this is all true, there's nothing unreasonable here.
It sounds like Dmitry was a subcontractor of Entropic and producing a screen asking for money after their contract had been terminated (for good-sounding reasons) was bad form. I'm not commenting on the legalities (I don't know anything about contract law) and I don't necessarily take either side's account at face value, but this response doesn't sound unreasonable to me.
Dmitry has repeatedly stated he was not hired by Entropic nor was asking to be paid for his work. He did it for fun. I'm not sure where this misunderstanding is coming from.
He apparently put in extra code showing a wallet address (presumably his) and the request to "donate".
Does sound like "asking to be paid", even if it's then switched to "it was all a prank, bro" when it turns out that wasn't the greatest idea.
From what I've read, it's very difficult to access the easter egg. It's not clear if the address belongs to him or not. Despite that, he has refused donations the entire time.
From what I've read, it's very difficult to access the easter egg.
The reports I've seen have said "Go to the about screen and press the select button". That's not difficult.
How often do you visit an about screen and press random buttons?
First of all, it's DEF CON, so lots of people are going to be doing that. But also, only one person needs to find it before word of mouth gets around.
Where did you read that it was very difficult to access?
He has stated that he does not own the wallet, EE does: https://www.reddit.com/r/Defcon/s/Ch5NvKWuns
The wallet address he put in there was Entropic's, not his own. He was soliciting donations for Entropic, presumably because he was unhappy that DEFCON stopped paying them.
To add: Dmitry has stated that EE owns the wallet address.
Why scrub their name from the badge though? That just seems like being vindictive.
According to DC: they scrubbed their name from a component of the badge Entropic had no part in creating; they retained Entropic's name on Entropic's actual parts.
OK, but also didn't credit them in any of the communication about the badge, uninvited them from the badge talk, and uninvited the firmware author when they found out he'd put credit to them in the firmware. Really isn't looking like they were keen to give credit.
Def Con is the Coachella of tech conferences.
Its an event kids go to to have fun with their friends.
They have game rooms and furry parades karaoke and cool badges!
And their website doesnt work.
https://forum.defcon.org/calendar
Its not a serious event any more.
What are the real infosec conferences these days?
Have you even attended? It is not a corporate event doesn't mean it is not serious. Real conf, what sort of gatekeeping is that.
There is still zero days being dropped and you meet a lot of the smartest people in infosec.
"Gatekeeping"
There are a ton of other infosec conferences where you'll meet just as many if not more of the smartest people, with a much better SNR.
The furry part is most certainly true.
All of it is true.
Black Hat is the "real" security conference that runs alongside DEF CON.
Your local BSides.
Cansecwest, recon, there are tons of great, much smaller venues. Blackhat is more and more like RSA, and DC is more and more just a time to hang out with friends and catch up. The size of crowds is just unbelievable. My first DefCon was 18 years ago. It’s just so different.
This is a great example of why both sides of a story are needed. From DEF CON's perspective, assuming this is all true, there's nothing unreasonable here. It sounds like Dmitry was a subcontractor of Entropic and producing a screen asking for money after their contract had been terminated (for good-sounding reasons) was bad form.
I'm not commenting on the legalities (I don't know anything about contract law) and I don't necessarily take either side's account at face value, but this response doesn't sound unreasonable to me.
Dmitry was a volunteer and did all the firmware work for free. "Subcontractor" is DEF CON PR spin.
If we believe the firmware's author that it was volunteer work, who was relying on him? Entropic or Defcon?
Did Entropic promise to deliver the firmware?
And assuming Entropic did promise a firmware, would the "stop work" order also affect firmware? Apparently the "easter egg" was added after that order.
https://www.entropicengineering.com/defcon-32-statement
The specifics of what they requested in January were extremely difficult / almost impossible, but we had been working with Raspberry Pi as a Design Partner and had early access to the unreleased Raspberry Pi RP 2350, a chip that would enable exactly the kind of device DEFCON was requesting. Dmitry and Entropic had already been working on a GB emulator and were thrilled to be able to contribute our work to a project directly for and by the community.
...
Despite the near impossibly short timeline to achieve 30k unit mass production, our team of 5 worked tirelessly alongside Dmitry. He handled all of the emulator software while we sourced components, designed all of the hardware, wrote production test software, and organized all circuit board manufacturing, prototype manufacturing, facilitated large volume production manufacturing and logistics, and general project coordination. Through this period, Defcon’s responsibility was the game-specific software, badge accessories (i.e.: plastic case and lanyard), and the printed circuit board artwork including the cat shape, colors, and silkscreen.
-- -- --
It appears that Defcon contracted with Entropic. Entropic was working with Dmitry.
Yea well "worked alongside" as stated by Entropic is compatible with either "subcontractor" or "volunteer". Not both.
If we believe the firmware's author that it was volunteer work, who was relying on him? Entropic or Defcon?
This really is the fulcrum of which way this drama tips.
Who forced him to do all this work, if neither DEFCON nor EE were employing/contracting him? Why was he even given access to this project then?
Dmitry didn't ask for money. He raised awareness that DEFCON had slinked away from its financial obligation to Entropic, and asked that Entropic be paid what they are owed for their work on the hardware.
Cool spin though.
If the "joke" involved shilling for crypto, that instantly makes me more sympathetic to the defcon side.
I genuinely don’t mean to be snarky but I don’t think the method of soliciting donations is at all relevant here. It sounds like you would have otherwise been fine if he handed out a hat and asked for cash in USD.
Are they wrong? Passing around a hat for USD might be unprofessional but it's a lot more open and honest.
How so? The inappropriate act in question is soliciting donations; the method to transfer the money for those donations is immaterial. I have a dim view of cryptocurrency in general, but I don't see how that fact of it is relevant.
I think soliciting donations via something hidden/obscure/confusing is a lot more dubious than soliciting them openly. And the very act of using crypto suggests that you're doing something that you know is wrong.
Crypto has a bad reputation, it makes sense to be more upset about someone soliciting donations in crypto over USD. Especially in a branded product
I mean... it makes sense that internet people would be interested in donations by mean of internet currency.
I think crypto has a certain scummy reputation that really doesn't help the situation. However i would feel the same way if they put a paypal link.
If the person just passed a hat, i think that would be fine (albeit weird and cringe) because the objectionable part was sneaking it into the badge. Asking for mony outside of the badge would not raise the same concerns with me.
Am I the only pne who lmthinks it is rediculously wastefull to have electronic badges for all atendees?
No, when the point of the badges is to hack and repurpose them, they're arguably _less_ wasteful than a simple paper & plastic badge.
I don't disagree with the joy in producing these kinds of badges, but I do wonder how many people actually do anything with them after the conference, aside from tossing them on a shelf to collect dust for years. Which IMO is genuinely sad! But I suspect that's what happens to the majority of them, even considering the type of person who attends a conference like DEFCON.
It's a form of swag and one of the reasons for attending.
From the outside, it certainly looks to me like the whole badge thing has become a monster. Something that began as cute, clever — but one-upmanship over the years has taken a toll.
I don't understand how volunteer, non-sworn officer, non nevada licensed security guards (volunteer "goons", who are just private citizens at a private event in a public convention center) can use physical force to take a non-violent trespasser off stage without exposing themselves personally and their organization to substantial liability. Not super familiar with Nevada law.
(Obviously doing crowd control, providing information, and front line emergency response is absolutely fine, although tbh even that they should probably have guard cards in most jurisdictions for liability reasons. If someone is violently disruptive, as a private citizen go for it, but unauthorized speaking on stage is pretty far from that. Would be hilarious if dude makes more money from that than he was stiffed by his employer.)
I doubt this is anywhere even close to the frontier of physical confrontation DEF CON goons have been involved in in the last 10 years; it's a drunk, druggy conference. I imagine at this point they know what the boundaries are. And if you're going to use words like "non-sworn", let's acknowledge that Dmitry was surely better off being escorted out by the Goons than by actual Vegas security.
The USA has fairly robust personal property laws. Each state is a little different, but for the most part, you have a right to defend yourself and your property, including removing trespassers from your property.
I'm not trying to defend DEF CON's overall actions here, but in this case it looks like the physical interaction itself was essentially consensual? The goons asked Dmitry to leave, his response indicated that he wasn't going to leave voluntarily on his own but also that he would cooperate with a minimal physical display that demonstrated the non-voluntary dynamic. I suspect that if he had physically resisted or even just gone limp, they would have escalated to actual security guards, who then may have laid actual criminal trespassing charges (if for nothing else than to cover themselves).
Dmitry is posted on reddit that he is going to DMCA DEFCON for using his code unauthorized and is granting napkin licenses to people in reddit comments or who had the badge signed at DC https://www.reddit.com/user/dmitrygr/
If the agreement with EE included the delivery of firmware (of which Dmitry is the original license holder), DF is responsible for acquiring the software licensing agreement. If EE signed the licensing agreement, claiming to be the license holder, it would be EE who misrepresented their claim and would be noncompliant. DF has a duty to verify that EE can issue licenses, but I'm unsure how far is considered adequate with respect to damages or license violations.
There is also a thing called concludent action. If the FW author gave DC the firmware with the expectation the firmware will be used on the devices and DC did just that, there might be an implicit license granted
It seems that 2 issues are conflated together-
1. The badge manufacturing issue and subsequent non-payment due to contract dispute.
2. The firmware author (not hired by the manufacturer) put in unauthorized 'easter egg' code that asks for money via crypto.
I am not familiar with 1 so I can't comment on a contract dispute.
But 2 is definitely over the line, and this is coming from me who is supportive of some usage of cryptocurrency. You don't put in unexpected monetization mechanisms into your volunteer work, without asking the charity organization for permission. Asking for money secretly is way different than putting in a harmless Easter egg. At that point, it's not a harmless easter egg anymore.
Maybe the money is for the manufacturer. In that case, do what a normal person would do and raise the issue on a social channel (eg. Twitter, Thread, blog).
Maybe the money is for the manufacturer.
Yes, it was for the manufacturer, not for the firmware author himself.
I agree that he shouldn't have put in the donation solicitation, but I think DEFCON's response to kick him out of his talk was an overreaction. Especially considering what prompted the easter egg was DEFCON removing the Entropic's badge credit from the badge case that they were promised. Even if DEFCON's statement about the manufacturing/cost issues with the badge (your point 1) was entirely true, the final badge that ended up in attendees' hands was still almost completely Entropic's and Dmitry's work, and they deserve credit for putting together something of that complexity in such a short time frame.
No one is coming out of this looking perfectly rosy, regardless of the truth behind things. The donation link was over the line, but DEFCON's change to the badge case was completely unethical, and disinviting Dmitry from the badge talk over an inappropriate easter egg was a dirty thing to do.
What’s a badge and why does it need firmware? This is a conference right? Not a nuclear silo?
DEF CON as a hacking convention has a long tradition of sometimes instead of giving printed name tags during registration like normal conferences but printed circuit boards with microcontrollers and firmware (aka software).
Some years had ctf challenges in the firmware this year there was a playable game boy emulator.
Man DefCon has changed since I was a regular. Back when all tickets were sold by cash only
A hacker conference is upset that someone "hacked" their badges. and put unwanted code into the firmware. Users are (meant) to be hacking these boards. That is the entire point isn't it?
Have guys who did it come in in, talk about the exploit, share how they did it. Then the corpDefCon can talk about what they missed and how to avoid it. Have a talk "How DefCon got hacked"
Have some fun for f-sake. Tangent man, come on.
"" Unfortunately, shortly before the talk was set to take place DEF CON became aware that unauthorized code had been included in the firmware we had paid Entropic Engineering to produce, ""
You have to get into something cool before it has a reddit dedicated to it otherwise the killjoys will infest it and their calls of "actually!" will ruin all your fun.
I have read all accounts and points of view. Defcon clearly dropped the ball here. Whoever was managing this badge creation team should never be allowed near defcon again. I am very unlikely to recommend or go to any future defcon events unless defcon makes this right with the vendor.
The DEFCON community is and has always been near and dear to my heart; I started my local DEFCON group as a kid growing up in Malaysia decades ago
Sad that people (defcon) use and abuse the passion of others. EE let DEFCON step all over them. EE even discounted the labor in the invoices to defcon to meet whatever vague budget they had.
This is just a reminder that you should never meet or work with your childhood heroes. The reality is they will most likely take advantage of this.
The specifics of what they requested in January were extremely difficult / almost impossible, but we had been working with Raspberry Pi as a Design Partner and had early access to the unreleased Raspberry Pi RP 2350, a chip that would enable exactly the kind of device DEFCON was requesting. Dmitry and Entropic had already been working on a GB emulator and were thrilled to be able to contribute our work to a project directly for and by the community. [0]
Despite the project being "impossible," EE made some sort of agreement to complete the work and deliver within time and budget. EE, not DC, made the decision to work with Dmitry.
I am not a subcontractor of anyone. I was doing this in my own free time for fun so attendees have a fun badge. There exist no contracts between me and anyone. It was an evenings-and-weekends project for me [1]
This work by Dmitry was unpaid, presumed: uninvoiced and not under contract directly with DF, and is not an agent of ES.
While we as a company did not ask Dmitry to program the easter egg, the outpouring of support and community for EE has been appreciated and inspiring. [0]
EE did not request the Easter egg be included by Dmitry. As a free agent (not under contract) Dmitry is free to do as they wish. Dmitry's involvement with DF was an invitation to participate on a panel. Given the discovery of the Easter egg, DF withdrew the invitation. Without any explicit agreement, it is irrelevant as to why DF would withdraw their invitation as it is presumed DF can withdraw any such privileges at anytime for any reason, though a reason was given in the case.
At this point, all work had been completed except our physically attending the overseas production run and providing ongoing troubleshooting/debugging. In fact, the day we received this surprising news, we were actively working on the SD card debug that became a central concern earlier this week. [0]
This sounds consistent with DF's claim that the product was still in pre-production and all services had not yet fully been rendered, therefore, the original agreement may already have been breached at this point. What is "owed," is likely no longer stipulated under the main clauses of the contract.
EE has tried multiple times over the past months to negotiate fair compensation for work completed prior to June 7th, but attempts at resolution have been unsuccessful. [0]
Once a month, we billed for our work and submitted an updated estimated per badge final cost - committing as costs built to discount our work as necessary in order to hit DEFCON’s per unit cost targets. [0]
Once the manufacturing was fully completed, we were offered a one-time “take it or leave it” amount worth well under half of what we were owed pre-stoppage. Given that what we were owed was already discounted by 25% in order to hit agreed upon cost targets, this has had a huge impact on our small team. [0]
We have also continued to pour lots of time, effort, and love into the project post-stoppage. I want to be clear that we never expected to be paid for this post-stoppage work, but simply did it as a labor of love for the community. [0]
This is contract dispute. What EE is "owed" is defined (or should be defined) in the agreement. What is "invoiced," despite any "discount", does not, on its own, constitute what is owed by DF. Unbilled and discounted labor significantly complicates this, especially if it was not itemized as such on the invoices sent to DF. Parts and materials, which come with invoices attached, should be paid per the agreement.
Any claims that DEF CON did not pay Entropic Engineering for its hardware or firmware development are false.[OP source]
My assumption is the agreement was for a fixed-cost fixed-timeline per-badge payment and the targets were not met, despite EE trying their best. The claims made by both sides are verifiable by receipts and, should it come to that, can be arbitrated either by a court of law or the court of PR (public relations, ie, the internet).
Regarding Dmitry's experience and the Easter egg, for better or worse, DF can make whatever decision they please at their conference. The Easter egg was antagonistic towards DF and is significantly unrelated to the payment dispute with EE. The Easter egg being a "prank" or "difficult to find" or "not technically owned by DF," is also unrelated (although the code seems to be part of services rendered to DF by the agreement with EE [0]).
We were clear as early as our first conversation in January that the risk in trying to push to mass production of this size and on this timeline was immense, even advocating for a DEFCON 2025 release of this particular badge. DEFCON’s Badge Team remained confident that they could meet and mitigate this risk. [0]
EE' admissions illustrates that DF's decision to push forward with this vendor was ill-advised. Given their experience, it would have been charitable to not put EE in this position. Arguably, DF did mitigate their risk (financial and reputational risk) by issuing a stop order and seeing the product to completion by other means; attendees did get their badges after all. By admission, EE also recognized the risk themselves and continuing their attempt to render the agreement under the circumstances was also ill-advised. Their risk (to reputation) was also managed by providing free labor. This is unrelated to the payment dispute as both parties chose, and were not forced, to continue to engage under the terms of their agreement until such time the agreement was made null. The only dispute is in regards to the original agreement, which should be rendered whole by the terms of the contract that were completed and satisfied by EE.
[0]: EE's statement. https://www.entropicengineering.com/defcon-32-statement
I don't know DT (Dark Tangent) aka Jeff Moss, the one who got pissed at dmitryg to throw him out. Is this his usual behavior?
From his time-line https://en.m.wikipedia.org/wiki/Jeff_Moss_(hacker) "Later career" he seems to be CIA: Council of Foreign Relations member, and Atlantic Council member. But it would fit to the other folks who I got to know from this background.
After going overbudget by more than 60%
discount our work as necessary in order to hit DEFCON’s per unit cost targets
Sounds like DEF CON established a budged and you kept going over it. No wonder they did a stop work order.
Just skimming the top level of various back and forth claims, I can already tell this is one of those situations where there are too many variables, disparate communications, perspectives, individual recollections and partial retellings, all about a unique, one-off transaction, and all evolving over a significant period of time between individuals who are not deeply experienced business people - to confidently conclude anything about ultimate fault based on the currently available statements and posts.
Given this complexity and confusion, short of conducting a full court trial with months of document subpoenas and depositions under oath, IMHO, confidently believing you've arrived at a complete, objective understanding of who is right or wrong is as likely to be incorrect as it is correct. And, at this point, this probably holds true for most of the actual participants too.
I base this on decades of experience untangling screwed up business transactions and communications. No matter how thorough, credible and complete a certain retelling seems, I've often discovered there is another layer (sometimes even unknown to many of those involved) which changes enough to shift whatever I initially believed. I've had this cycle of "Aha, now I understand" / "Oh... wait. No I don't" repeat several times while digging through a single incident.
I like M. Hutchins' take:
I can't reply to dang's informational post, but in light of the new claims from defcon, isn't the previous discussion title potentially defamatory?
(dang) Previous related thread: Defcon stiffs badge HW vendor, drags FW author offstage during talk
Previous related thread:
Defcon stiffs badge HW vendor, drags FW author offstage during talk - https://news.ycombinator.com/item?id=41207221 - Aug 2024 (118 comments)
More summary of how it apparently went at defcon https://old.reddit.com/r/Defcon/comments/1eoe4u7/so_the_guy_...
These badges sound pretty cool. I'd like to get one without attending.
"Badges? We ain't got no badges. We don't need no badges. I don't have to show you any steenkin badges."
defcon complaining that firmware they dont have a licence to use and distribute has a semi malicious easter egg....
defcon cheats, defcon loses.
tldr: entropic made some mistakes because they're a small team with a very tight deadline. defcon shit the bed and refused to pay them over those problems. and dmitry forgot about an easter egg and was OK with being removed from speaking, but wanted security to pull him off stage for his clout.
I still think DEFCON should've done better. their brand is in the shitter over what $20k?
What should they have done better? They didn't have the option of doing better with Dmitry, right? He deliberately set up the confrontation with security.
The idea that DEF CON's brand is "in the shitter" seems risible. I say that ruefully, as (in my declining years) I get more and more bitter about the comic convention spectacle the event has become. Whatever the outcome from "badge-gate", I assure you, they'll set attendance records next year regardless.
Let him give his talk like they promised.
Given literally everyone in that room is using his work in that same moment and they are literally there to hear him speak.
Fuck no. People don't get to re-invite themselves to stages they've been disinvited from.
You asked someone to give you options and they did. Just because you don't like it doesn't mean it's not what you asked for.
OP asked for a better option. He was offered one, which he disagreed with. Because he doesn't like it precisely means that (in his view at least) it is not what he asked for.
I take their point; I didn't mean to be slapping back at them for taking the time to write a response!
Your point was valid though. You can't let someone rock up to the stage uninvited. This would open the door to all kinds of issues.
And the original question of how the situation could have been handled better is the most interesting one. The rest is a game of he said/she said, which hn commenters tend to enjoy arguing about but is ultimately not very instructive.
With hindsight it is clear that the situation had been brewing for some time, and the conflict had been escalating slowly. Perhaps due to the pressure and stress (and time pressure) of organising an event like that nobody managed to have enough distance to deescalate it, which culminated in someone being escorted off stage by security, not a good experience for anyone.
Most likely once the invitation to talk had been rescinded the dice were thrown. It would have been hard for the speaker not to be offended, and unfair on him to expect him to take it quietly and move on without reacting. Someone should have been aware of that and worked with him to control the impact of this on his own reputation.
People don’t get to dis-invite people from stages when that is quite literally the only compensation given either.
They made the software for the badge of your entire conference, for free, and then you won’t let them talk about it because what you got for free, wasn’t what you expected/wanted?
That’s just dumb on so many levels I don’t even know where to begin.
It’s like playing, no, selling someone elses mod and complaining it’s not up to the standards of a finished game.
They absolutely do get to do that. Absolutely, and without qualification. It's their stage. There's a whole long history of this with DC/BH.
I don't think GP meant "don't get to" as in it's not their legal right to do so (which of course it is). I think they meant that it's a profoundly shitty thing to do to someone, and DEFCON should rightly be criticized for disinviting him in the first place.
I think an easter egg that includes a monetary solicitation is (at best) in poor taste, regardless of the circumstances. But canceling his talk 30 minutes prior to its start time for that? Nope, not cool. DEFCON's behavior in disinviting him was much much worse than his action that triggered it.
You are saying this like it is unreasonable, but it seems entirely reasonable to me.
Just because you do something for free does not entitile you to a conference talk about it. If you wanted to be paid for it (and make no mistake, a conference talk is a form of compensation. In many conferences companies pay huge sums of money to have a platform) then they should have got a contract.
He was given a 30 minute notice that he was disinvited. That’s pretty egregious.
Especially since they were okay with him giving the talk as long as he apologized. And he offered to say “I didn’t mean to offend anyone”.
So for a misunderstanding and mistake to drag him off the stage is stupid and ridiculous.
Maybe I misunderstood, I previously read that as “what could they have done better about the situation”.
Did you mean “what could they have done better once he was at the stage?”
I got locked in a hotel room by an actual goon who demanded a line-item veto of my slides (clients! what you'll do to keep clients happy!), and ask Mike Lynn how he feels about the response to his talk. Being asked not to take a stage to take credit for the annual DEF CON badge toy seems pretty low on the scale of security conference dramas.
The "drag him off the stage" thing was his own arrangement.
What does that have to do with anything?
It was a huge mistake to uninvite him from the session.
It sounds like defcon was mad at EE for going over budget - which honestly is fair even though they didn’t handle it well. And thought (wrongly) that Dmitry was a salty subcontractor of theirs. Their actions make some sense in that context. Not great, but eh.
But Dmitry has totally owned them in messaging - by forcing them to physically eject him (making a scene), and getting out ahead of the story. It’s great drama. He’s positioned defcon to look like an evil corporate buffoon hating on a hacker who was just donating his time.
At this point, defcon should take the L and apologise, and let him have a session talking about the code. That would be a very satisfying end to the drama for attendees. (Even if it does encourage more drama in future years.)
Either way, I agree - I’m sure attendance will go up next year too. People love this stuff.
It sounds to me like they were mad at Dmitry for including an "easter egg" in their badge firmware that solicited donations to a Bitcoin address.
It was definitely an easter egg. A secret screen that gives credit to someone that worked on a thing and otherwise wouldn't get credit is the textbook example of an easter egg.
It probably shouldn't have had the Bitcoin address, but it doesn't sound like that would have been treated much differently.
I think you're going to find that firms who contract embedded designs have viewpoints about "easter eggs" that would be surprising, even off-putting, to message board communities that savor them like single malts. Generally, when firms arrange to deliver hardware/software to their own customers sourced from vendors, they want a clear understanding of what the software actually does.
I know some companies dislike easter eggs a lot, and some of their reasons are valid.
But it's objectively an easter egg. Why the scare quotes?
Because it solicited money.
I will note that it's not soliciting money for the person that put it there. So I don't think that's even close to disqualifying it.
This is a hacker con, not an enterprise engineering con, Easter eggs have always been a part of hacker culture.
Yep. But again, it’s really not clear in this case if DEFCON was paying their vendor (EE) for software at all. I can see how it was ambiguous from their side given Dimitri was friends with the hardware design company. But from the POV of Dimitri and EE, DEFCON was paying for hardware and a separate 3rd party (Dimitri) volunteered to write the software. It’s very spicy to attack people in your community who volunteer their time.
And unpaid programmers doing cheeky things with code because they want to is the heart of DEFCON.
I can see where DEFCON is coming from with the calls they made here. But it’s a mistake to treat Dimitri as if he were a vendor. He's not.
Yep. Given that they thought Dmitry was a subcontractor of EE, them being mad about that makes a lot more sense.
It's not that letting him do the talk would be any better for defcon, given that he literally said he will present these "easter eggs".
I'd like to ask as someone who is interested in RE/Security/Malware in general but without experience. Which events are good for me if I have to pay out of my own pocket? I don't work in related fields so education stipend does not apply.
I surveyed the ground tonight and found two that are interesting: Recon (in Montreal) and CCC (in Hamburg).
What do you think?
I think CCC is basically in the same bracket as DEF CON in terms of seriousness. Someone's going to get mad at me for saying that, but I'll note that serious people go to DEF CON too, even though it is 100% a cultural event and not a real part of the cite record for our field.
I've never heard anyone say anything but good things about REcon. I have FOMO about having never been.
Thanks for sharing. I'm actually close to Montreal so REcon is probably my best bet. The ticket is more expensive but I save lodging and transportation.
Hugo, the organizer of Recon, has historically been willing to work with people who are attending on their own dime. I suspect that if you were to send him an email explaining your situation, you'd be very happy with the response you received.
It is an excellent conference that I've enjoyed every single time I've gone
Thanks a lot! I'll definitely reach out to him next year.
I would simply level up charisma and speech check him off the stage.
Reading both accounts of the story, it sounds like a small company bit off more than it could chew, couldn’t manage cost and schedule, and when it got to the drop-dead date, even though they say it was basically done (how many times did the client hear that one), the client pulled the plug and tried to salvage it some other way.
Y’all need project managers, at least someone with a plan! jeez.
> Y’all need project managers, at least someone with a plan! jeez.
Or do what every other event does, and don't make your badges so complicated they need a project manager
Every other event has badges that look like they cost substantially less than $1. I'm not saying they have to go that cheap - but when you're hiring a project manager to coordinate the multiple teams, schedule challenges, and providers biting off more than they can chew? Maybe scale things back a bit.
From what I understand, the DEFCON badges are a fun thing they like to do every year. I don't see this as a problem; what is a problem is deciding to try to create something so complicated in under eight months. I get that it might be a heavy lift for them to start planning and engaging companies to work on the DEFCON '24 badge before DEFCON '23 had even happened, but this particular badge warrants a year-plus of lead time.
If that's the case, a competent vendor should not have signed contracts committing themselves to deliver it.
It could even be that EE was not the first engineering firm contacted by Defcon. But they were the ones that said yes to this product.
On what planet can you get ICs for less than a $1?
Here's not only the IC but an entire development board for $0.95: https://www.aliexpress.us/item/3256805283269799.html
cool, I guess we can go make lightsabers instead of badges...
I suspect that the comment implies the absence of project manager on the Entropic side of the deal.
As for the cost of the badge, sourcing even sub-$1 badge is still a project. And especially when your target audience is somewhat skilled at counterfeiting such things.
Is the badge the actual thing that lets you enter? Why don’t they just have digital tickets that get scanned at the entrance like everyone else? Does the badge need to be hard to counterfeit?
They tried last year with the injection molded plastic part that you could mod and didn’t get enough of them shipped in time. To your point on $1 badges, they gave paper out and people complained (and still complain) for a long time. They felt they spent $300-400 plus travel expenses so they have this idea they should get a special badge. It has an entire culture around it.
Me and a partner designed an insert that fit into that injection molded part and it had games. You could even connect via RS232 if you had the right board and it would print out DEFCON in ASCII then it had whole menu of games.
We sold this add on for $20 at cost to recoup our costs. Sold about 100+ of these add ons.
DEFCON definitely bit off more than they could chew.
We designed our add on around a cheap STM32 series chip and wrote the code ourselves in C. It didn’t have an emulator like this as this is like an entire gaming platform that DEFCON created. But ours was more like DOS level game add on that took us a couple months to make and have produced. We made the stickers ourselves and cut acrylic ourselves.
I mean, its defcon's money, if they want to spend it on fancy badges, that is there right. If someone offers to do something, knowing full well what the requirements are, but can't, that is not defcon's fault but the people who agreed to do the badges.
If you take this situation and make the circuit boards not be the badge, it doesn't really change the situation much. There's a little bit less pressure if the badge is separate, but I'm sure an emergency backup badge could have been arranged.
If you're saying not to have a cool gizmo at all, I think that's too harsh of a lesson.
I think I agree with the assessment. Especially the part about PM hits close to home. It seems how a lot of projects I was involved lately lacked an actual project manager. Is the problem that it is a hard job to do right?
The thing is that people on here think project managers are evil incarnate and just useless middle management.
It requires a very specific skill set to be able to lead a technical project and cut through the bullshit on BOTH SIDES: the client asking for features and the team building the product.
Clients always either ask for stuff they don't really need or have vague requirements that crystallise only 3 days after the deadline. "Of course when we said it needs to do foo, it also MUST do bar, doh!"
And teams tend to overestimate their ability to deliver and underestimate the work needed to get to the finish. (Infinite coast problem).
There's also several more classes of B.S., for what it's worth.
An exaggerated/anonymized version of a recent one I got, from an otherwise-really-strong senior engineer: "Of course when I said we would put a button there, it also meant we MUST build an entire UI framework from scratch, with full test coverage for the entire thing!"
...actually, that's not even that exaggerated. Shipping software at big companies can be unreasonably difficult, sometimes.
Yea, I've had the privilege of working with a few _excellent_ project managers (or Producers as they're called in gaming) and they work literal magic.
I've studied project management, I've managed projects and lead teams, but holy crap those people are on a whole other level with how well they gather and disseminate information and communicate it effectively.
None of them could code themselves out of a wet paper bag, but that's not the skill they get hired for.
Good project managers are rare. They need to have some real experiences working on some projects and then some managing projects. It's rarer than good engineering managers IMO.
It's actually really hard to do well. Moreover, it suffers from "how hard could it really be" syndrome, especially when working with developers who think they're smarter than everybody. It's the kind of job that a software developer approches from first principals and does a terrible job at, because starting from first principals ignores all of humanity's experience and practice managing projects, and projects have existed since before the Great Pyramids in Egypt.
We have better tools today, but it takes a skilled practitioner to wield them well. Yes I'm talking about Jira and I hate sitting down and pointing things too, but managing a large complex project with a large number of humans is real actual work and a full time job in and of itself. sometimes even more than one person can handle. places that I've seen are successful are able to recognize that, and don't treat it as dead weight.
The fact that Dmitry was still pushing changes on the aeroplane, although he seemed to frame this as a positive, doesn't exactly inspire a lot of confidence in their professionalism, viewed from the outside.
Ah yes, classic "insert an unauthorized coin wallet soliciting money from badge owners" easter egg. Timeless prank, how could anyone be mad at such a normal and anodyne "easter egg"?
lmao DEFCON's "brand" isn't in any danger.
edit: And now he's pulling the classic hacker move of (checks notes) enforcing strict software IP ownership rights? Guy's a class act all around. Hope everyone learned an important lesson about Dmitry and Entropic with this mess.
He wasn’t employed by anyone, and didn’t get paid by anyone for his work. (Defcon is wrong about this in their statement, and admitted as such in the comment thread).
When I write code that nobody is paying for, you better believe I’ll write it how I damn well please. If you aren’t paying, you aren’t the customer. And you don’t get to control the output of my work.
The wallet address soliciting donations is for the hardware company, not on his own behalf. But even if it was on his own behalf, would you still be mad? Since when is it a crime to be proud of the code you’ve written, for free, to bring joy to an hacker conference? That deserves mad credit in my book.
You're under no obligation to write code. You are under an obligation not to sneak an advert into someone else's conference via essentially fraudulent means.
Just because nobody is paying you, doesn't mean you have carte blanche to do whatever you want.
I dont think this is a controversial opinion. If someone created a piece of open source software but hid a trojan or cryptominer in it people would find it objectionable. You could quibble about where the line is, but i think everyone agrees that just because something is free does not give you the absolute right to do whatever you want.
Its not an ad. It was a request for donations to a company that put themselves out to the tune of $100k to make the badges happen. And then had credit and publicity stripped from them during defcon - even though that was part of the deal! Apparently they aren't even mentioned in the program, and their company logo was taken off the cases for the badges.
We aren't talking about client work here. We're talking about defcon, where cheekily thumbing your nose at authority through code is the heart and soul of the conference. This single, hidden page asking for donations on behalf of the hardware company is a total nothingburger. Getting up in arms about it for being unprofessional is ridiculous.
People in this thread do seem to be very upset about a hacker doing hacker things. For a bit more irony, we're on Hacker News...
Wannabe corporate programmer news.
You can't hide something in open source code for those who audit what they use. You can for those who just install without reviewing.
And yet, things like liblzma kerfuffle still happen.
I don't really care whether money changed hands. Secretly putting an ad into software that you know will be distributed to many people is the oldest scumbag move in the scumbag book. All sympathy ended there, and that was weeks before he trespassed.
Characterizing it as an "ad" feels a bit dishonest, as if it was an ad for some random product completely unrelated to the conference or the badges themselves. It was a shout-out to the company that made the badges! And that after DEFCON promised to give that company credit on the badge case, and then reneged on that promise.
Even if Entropic shat the bed so badly that DEFCON's takeover of badge production was actually warranted (I'm super skeptical of this claim), the badges still consisted nearly entirely of Entropic's & Dmitry's work. DEFCON's removal of credit from the badge case was deeply unethical.
Eh. When I was young, I played a demo of Doom that came with a magazine. When you finish the demo level, the game show an ad that said if I ponied up money, I could play the whole game.
I fail to see the problem.
And in this case it wasn’t an ad. It was a page saying you could donate to the hardware company if you want, who were out of pocket $100k for making the hardware. That’s an incredibly tame prank by Defcon standards.
It’s not like it’s blocking the badge from functioning unless you pay. It doesn’t even pop up unless you specifically go looking for it. It seems perfectly in line with the ‘shareware’ and ‘buy me a cup of coffee’ spirit that characterized the early years.
Generally you dont make secret shareware out of software you make for other people.
Just imagine what would happen if you created a shareware scene in the software of some company you work for. You would get fired (and possibly sued) so fast it would make your head spin.
My understanding is that Dmitry was a volunteer. IMO that makes the "shareware" more reasonable than if he were an employee writing the code on the clock(and it doesn't seem like he was soliciting money for himself)
Doing it as counterplay to a lack of credit is a great hack.
Honestly sounds like typical "CON" stuff. Just children all around no matter the topic.
my perception of them was they are hyper intelligent hackers, who have morals and clear north. if anybody would do the right thing it's these guys. but that illusion is no more. they are just normal dudes after all for better or worse.
I'm not sure if you're referring to the badge team or the Defcon people, but pretty much every group is just normal people.
That’s because that’s ultimately what happens everywhere. We just paper over it by paying people for their time so they have to listen to you. When you go back to being all volunteer driven the drama increases correspondingly.
Thank you. This stood out to me:
"They expressed that they specifically wanted to work with us as a woman-owned, queer- and POC-driven engineering firm to develop an electronic badge with a gaming element for this year’s conference."
I would have expected the core criteria to be ability to execute on time. Choosing an engineering firm based on the race, gender, or sexual orientation of the owner is foolish, and DEF CON is ultimately to blame for introducing superfluous criteria and missing the core criteria.
That sentence seems like the most irrelevant part of all of what I’ve read.
They could have easily rephrased that sentence to simply say “They expressed interest in working with us” and the point they’re making is the same.
And yet, a party to this conflict thought it was a relevant piece of information to the audience. Now, the fact that OP noted it as interesting is not completely without merit. After all, interested party certainly thought it was worth to mention.
It’s supposed to provoke an emotional response
In who, I wonder? Most people I see reacting emotionally appear to be opposed to even mentioning that.
To those sympathetic to awarding contracts to those with that societal lean. It’s irrelevant to their ability to perform a contract for DEFCON. If that was never mentioned it would have never been a point at all.
If it was meant to be a point then it can make people think that those with that societal lean are poor performers. It’s not helping their cause.
Isn’t the implication of the sentence that they were chosen specifically for those properties and wouldn’t have been chosen otherwise?
The implication is that they were chosen because of that, but not that this was the only qualification.
It could easily be that multiple teams looked qualified during bidding for the job and that this was the distinguishing factor.
If they have to reach for idpol at the start to make their case, my immediate suspicion is the case is not that strong.
DEFCON did not do proper estimation, risk analysis and due diligence with ordering these badges. Also if the cat design and other things were done by the Defcon orga and the electronics by EE, then this already sounds like a complicated mess.
If I look at the Defcon30 badge from 2022. It's the same thing. A small random engineering shop is selected and gets the order. And you get a nice little badge that can do stuff.
For the Dutch hacker camps we look a bit more long term and the engineers and designers have been part of the core team since 2017. And for 2025 we're already well underway.
https://badge.team
I'm definitely going to have to look into these Dutch events, not only did Defcon feel like much less value for money this year (and all the badge drama) but the Netherlands is way easier for me to get to as well.
The Dutch event is WHY2025. https://why2025.org
There's a nice overview website with all the events around The Netherlands. https://hackeropuit.nl/
Thank you!!!! I moved to NL last year and have been missing this.
How can you say that when badges were on time and working at the end of the day?
I would say that it seems a miracle there were working badges on time. Both EE and Defcon gave everything they could to make this happen.
But this breakdown in trust, too short timescales, using a new chip, not backing it up with extra funding and choosing this engineering company remains Defcons responsibility for running the project and realising a product.
Without full payment of the development costs, the IP for the PCB probably was still owned by EE and they could have stopped production. This shit show could have been prevented.
In Entropic's statement they say:
Has there been anything in all this that would suggest anyone was in danger at the conference?
This kind of comment about safety is pretty standard among very progressive communities anytime anyone disagrees with them.
Depends on how much you danger you consider someone making unwanted physical contact and restraining your movements.
I don't consider you trespassing and the people who have the authority to remove you removing you as danger. Additionally, it's arguable he gave permission when they told him to leave or they'd remove him and he told them to remove him.
I'd consider a bunch of untrained goons giving me the bum's rush a danger regardless of the circumstances.
It’s concerning to me that this has been downvoted so heavily.
Obviously as a private group DEF CON’s organizers have every right to contract with whatever companies they want to. In the same way, obviously the private individuals paying DEF CON’s organizers have every right to criticize them when they treat their contractors so poorly. However , I think it’s short-sighted and self-defeating to suggest that they shouldn’t ALSO have the right to criticize their choice of companies they work with when it impacts the quality of what they’re paying for.
This is not a sexist, anti-POC, or anti-trans criticism. Deciding on contractors for the reasons they claimed they did would be illegal in the public sector under France’s anti-discrimination laws, under Germany’s Grundgesetz, under Japan’s GPA, under the UK’s Equality Act in many cases, etc.
In the US Federal contract system, these preferences are formalized; has been for decades. It's a heavily-exploited game by those who play by its rules. Basic classes are "Service disabled veteran owned" "minority owned" "women owned" etc. I think "veteran owned" counts a bit too.
If I remember correctly there are some laws about discrimination by sexual orientation etc
To explain myself, try to imagine that they said to have been picked because white cis men
There are _much_ better ways to help the causes of Women, People of Color, or People of Different Sexual Orientations then making it a criteria of who you happen to create small one time contracts with.
In 2024, that statement doesn't really indicate much of anything. Traditionally, interfacing with the business world involved retaining an underemployed white guy who would wax poetic about the virtues of playing golf [0] or owning a boat. Now the trends have shifted to professing a different type of identity politics. The vectoralists with the old fashioned motif have even landed on their feet, spawning a cottage industry of bemoaning how unfair the world is. Plus ça change.
[0] the boring version without moving obstacles, PVC pipes, or fiberglass dinosaurs - further adding insult to injury
Another productivity victim to the woke movement.
This makes DEF CON look foolish and past it's prime. You would think technical requirements would be the only criteria used but I guess they wanted this project to make political gains with a certain community instead of just making badges.
when did they actually start working on it? ToyMakers starts their work right after a conference ends to prepare for the next conference. The logistics and scale even for several hundred badges is immense.
It's also an odd thing to bring up in their statement.
Regarding "https://x.com/dmitrygr/status/1822124650547257637", was there some kind of written consent involved in being removed like that?
Or some less formal consent was understood, and considered low-risk?
Or were they otherwise legally empowered to do that?
(I'm thinking about civil and criminal liability.)
It's a private event on private property. There is no inherent right to be there, especially up on stage without invitation (TFA mentions this was what happened).
I'm wondering how the organizers of an event cover all the bases sufficiently on something like that.
I'm asking out of curiosity about how that actually works, in practice, not what arguments we could imagine.
(For example: Say, someone rushes up on stage during a rock music concert. Was removal covered in the fine print terms of the ticket? Are the security personnel deputized by local law enforcement? Are there special ordinances applying to security at some kinds of events? Do the event organizers fall back on the claim that they felt safety was threatened? Do the event organizers think any risk of penalties or lawsuit is less than the cost of disrupting the event? Does setting precedent for response also factor into the calculus? How is insurance and venue contracts involved? Etc. There's a some related history, involving the Hell's Angels at a concert, but I don't know how practice has evolved since then.)
Hell no they're not deputized.
America relevant: It's similar to security anywhere, including "loss prevention" at a grocery store. They can tell you to leave, and if you don't, they can physically remove you from the property. That's pretty well established. It also applies to kicking someone out of your house that doesn't have a right to be there.
If they hurt you inappropriately (there's a wide range between a trespasser bruising their fist on a guard's face and a guard holding someone down and pummeling them for no reason), they've committed a crime and might lose a civil lawsuit. Some places won't let guards touch trespassers. Other places lean on discretion and the training they've given to the guard, the cameras they have spammed everywhere, etc.
The removal is usually covered in something like "we have the right to kick you out at any time, even if you paid." That doesn't cover all bases, but it covers a lot. If you never signed a contract with a venue, the removal is covered by the fact that you have zero intrinsic right to be there.
For more examples, you can look at casinos in Vegas trespassing people. If you act out of line or gamble in a way they don't like (like successfully counting cards at blackjack,) they'll boot you. They might spread your name to other casinos if they really don't like you. And if you enter one again, it's criminal trespass. They can do it for anything that isn't legally protected.
This isn’t 100% true. Security in Nevada and California are licensed and have what’s known as “powers to arrest”.
They can not grab you and physically remove you. This is called battery and it’s illegal. You can actually be charged with a crime as a security officer for this. Along with fined and lose your license.
What actually happens is them physically restraining you is a form of citizens arrest. They then hold you and call police to take you.
The issue with trespassing is it can only be charged if the individual continually refuses to leave. This means the moment they choose to leave, you must let them.
If in the act of being arrested they fight or assault people. They can be arrested for that. If they are violating the peace or committing another crime, they can be arrested for that.
However if it’s SOLELY trespassing. The moment they agree to leave; you need to let them leave.
The casinos do have police officers inside them and some security officers ARE deputized. A security officer can have powers to arrest as a security officer and powers to arrest as a police officer. They are entirely different things and have different levels of responsibility and liability.
I only know german law from a short time as a security, but I assume it is quite similar:
Cops do not want to be called for every bouncer action.
The owner (or the one renting the property) has legal rights and set the rules. You break the rules, by beeing somewhere you are not supposed to be - any staff member can act as security to physically remove you.
They may not beat you, though. Or otherwise act escalating.
But forcefully leading (or carrying) out someone breaking the house rules (by using minimum of violence) is legal and standard procesure on every big event.
Certainly, and usually in broad terms, like "event security may remove any person from the premises for any reason they believe is necessary to ensure the security and safety of the event". Once designated agents of the owners of the venue have told you to leave, you are illegally trespassing if you stay.