To really understand who is right and who is wrong here we would need to read the letter of the agreements between these entities, and cross reference them with facts. Of course neither the contracts, nor the facts are available to us.
As is, the best I can do here is to put all participants on my personal “do not work with” list. Who needs the drama.
In particular there seem to be at least two points of miscommunication: it sounds like EE were told how much DEFCON can spend per badge. And they took that number to mean only the cost of the board and electrical engineering costs associated with it. Ignoring other costs (lanyard for sure, and maybe the cost of the plastic case too?).
The other missed connection seems to be the legal position of the firmware developer. EE seems to say they thought the guy was not their subcontractor but someone working for DEFCON. While DEFCON seems to imply that they thought he was an EE subcontractor.
I see a lot of comments here with strong opinions on who is right and who is wrong in this dispute. It also seems to be that those strong opinions are based on assumptions. In particular assumptions about what the contract might say, but treated as if it is not a speculation but the truth. That logic is not persuasive to me.
The way EE phrases it, they were paid much less than they were owed, but owed according to what? Their internal accounting, or what they'd mutually agreed on with DC? Only the latter matters.
Emails saying "it's going to cost $X more", if any of EE's emails rose to that level of clarity and directness, are legally useless and meaningless without clear assent from DC.
> I was not anybody’s contractor or subcontractor. I’m not employed by entropic nor by you [DEFCON]. I did this in my free time so attendees could have a fun badge.
[1] https://old.reddit.com/r/Defcon/comments/1ep00ln/def_cons_re...
But even if I take it as true, doesn’t mean that DEFCON couldn’t have believed he was subcontracting for EE.
Similarly if it was DEFCON who introduced the firmware author to EE, EE might believe the firmware author is with DEFCON.
Obviously the contracts should be crystal clear about who is with who, and who is responsible for what. We hear that the firmware developer had no contract with anyone. That is very bad. But whose bad is it?
If there is a contract between EE and DEFCON which states clearly that EE is responsible for the firmware that is very bad for EE then.
If there is no contract between EE and DEFCON, or it is not clear enough who delivers the firmware then that is very bad on DEFCON. (I would be surprised if that is the case, but who knows in this whole mess.)
I do favour Entropic slightly. Simply because DEFCON being the larger entity has more power in the situation to dictate terms, and also because the end result favours DEFCON. They have their badges using the work Entropic put into them.
But I recognise that this is entirely feel and vibe based. Which is not the proper basis to decide anything.
> Why did the firmware engineer add a crypto beg for a "joke".
He saw the relationship between EE and DEFCON going bad, and decided that it is not okay and took a stance to protest it. Half of his stance was the screen in the firmware, the other half was him making a scene at the main stage.
If he didn’t do that we wouldn’t know about the issue.
a) acknowledge that they can't fulfill the contract under the existing terms, and follow the contract's termination procedures
b) keep working to try to complete the project, because the agreed upon payment is better, even considering the extra work, than whatever contract termination involved
When DC told EE to stop work, they did so rather than say "everything's fine, we're continuing as agreed"? That means they knew they couldn't deliver as contracted, or didn't want to because every day they kept working would lose them more money even if they fulfilled the contract.
This is why they should've had a reasonable contract that didn't require heroics in order to break even. Because, when things started to go bad, they needed a fallback besides taking a big loss for partial work, and taking a bigger loss for complete work.
Or alternatively, they could've reasonably contracted to do something nearly impossible, if they were okay with failing and getting nothing, at least for the r&d portion, turning it into an RP2350 learning opportunity. (Presumably, if they made it to production, the contract easily covered production costs.)
I didn’t see that in their statement.
Unsurprisingly, it contradicts some of the claims Entropic has been making. Entropic admits to having exceeded agreed upon budgets by a significant amount, which DEFCON corroborates. There is some disagreement about what has been paid, though, as DEFCON believes they have paid for the hardware development.
Some of the other claims also appear to have been exaggerated or at least phrased in misleading ways. The Entropic Engineering logo was not removed from the PCBs. Their logo was not included on the plastics because Entropic was not responsible for the plastics and the initial plan to include their logo was only a courtesy before the relationship soured. The DEFCON statement alludes to budgets being exceeded by a significant margin (not covered by minor reductions in hourly rate as the other statement implied) and even calls out some “bad-faith” charges.
I’m also confused about the earlier threats to use the DMCA against DEFCON for using the firmware without a license. As far as I can tell, the firmware was produced as part of the agreement between DEFCON and Entropic, in which case there shouldn’t be much question about the license as it’s a work for hire. Imagine hiring a company to write software to your spec and then to have them later try to claim they’re going to pursue legal action for using the software you paid them to write. Something is strange here.
It also appears that the firmware engineer’s dismissal from the talk was communicated before it began, so his choice to get on stage anyway knowingly violated that decision. Regardless of what we think should have happened, getting up on stage after being told not to isn’t going to go well at any conference for any reason.
I think there’s a lot more to this story than the initial round of accusations let on. I think the first movers in publishing their narrative often win the public opinion debate, but if even half of what DEFCON is saying is true then Entropic and their team don’t appear to be operating entirely in good faith with the way they’ve handled this publicity.
Work for hire is about employees. Entropic is not an employee of DEFCON, it is a company with a contractual agreement to provide something in exchange for money. The details of when, if ever, IP rights are transferred to DEFCON should be spelled out in the contract. I have seen all sorts of arrangements for that. However, in a well drafted contract, IP ownership probably wouldn't transfer prior to payment.
Also, the firmware author isn't an employee of anyone. In a lawyerly world, that would be resolved with a clear copyright assignment or license, but I have no idea if that happened.
The default state of things is that the author owns the code, regardless of any contracts between Entropic and DEFCON. He may or may not have signed those rights away, but if his other assertions are true (that he wasn't anyone's employee or contractor) then I'd be mildly surprised if the right legal structures were in place to ensure DEFCON owned the code.
That's an issue when writing code for hire too (or, e.g., hiring a photographer). If you're not careful, you don't have very many rights with respect to the final product, even after paying somebody to write it for you.
Implied, limited, non-exclusive licenses are a thing, and I wouldn't be terribly shocked if (assuming a judge had to decide) all parties aren't at least allowed to continue distributing the badges (perhaps not to redistribute the firmware itself, modify the firmware, ...). Things get murky in a hurry though, and finding a resolution not requiring a court is probably better for all parties.
1. You specifically ordered or commissioned the work,
2. There is a written contract that states that it is a work for hire, and
3. The work falls into at least one of these 9 categories:
• a contribution to a collective work
• a translation
• a part of a motion picture or other audiovisual work
• a supplementary work (e.g., foreword, illustration, editorial notes)
• a compilation
• an instructional text
• a test
• answer material for a test
• an atlas
For a long time contract software usually could not be a work for hire because it usually did not fall into one of those 9 categories. I believe in recent years some courts have decided that contract software usually does fall into one or more of them and so can be a work for hire. I don't know if that view has become widespread or is just confined to some federal court districts.
Practically what this means is that when hiring a contractor you either put in the contract that the contractor will assign the copyright to you or that you will be given a suitable license to use the code that is pretty much equivalent to owning the code (irrevocable, exclusive, allows making and distributing derivative works, you can sublicense to others on any terms you want, etc).
In theory that's true if they legally structured things properly. All comes down to what legal structures were put in place between all three parties starting with the contract (if any) between Entropic and the sub.
I kind of agree, but that assumes they all set up their contracts appropriately... which, having been deeply involved in that community for many years... let's just say I could toss a coin about that assumption being true. If the sub didn't sign anything and Entropic/DEFCON just took his firmware and used it (even if that was the contractor's intention), it's still a significant IP liability for whoever was flashing it all.
Nope, DC knew that I was writing firmware and I am not a part of Entropic, nor report to them. From the very start of this project they knew this. The first email at the start of the project stated this.
Such a gross "oversight" does not reflect the care they're claiming to have exercised.
This part also seems a tad over the top and dramatic:
> We are especially grateful that Dmitry was not hurt in the physical removal he was subjected to as a result of his demonstration of solidarity
This individual chose to not comply with the venue operator's request to leave the stage, so they pretty gently escorted him away, as can be seen in the video which has been linked in every prior submission. Risk of injury was negligible, if any.
So I'm left uncertain which story is to be trusted here.
To be fair, it's clear DefCon has previously been fueled by Supermen and Superwomen who threw themselves under the bus (possibly were exploited) by working for free or nearly free to deliver. People deserve to be compensated for their work according to the terms of whatever employment agreement was signed, not the games that have been played here.
If quality of work was misaligned, it'd be another matter, but neither party has alluded to this.
Thanks for the information, my mistake.
I mean, it seems pretty clear to me that defcon is in the wrong here, and everything else is just drama.
Filing the serial numbers off to hide that EE was to credit for it, getting f’d at a hidden screen that credited them.
Come on, fuck off. EE did the work here. Not crediting them sucks.
The rest of the stuff, I really don't care about, but you can’t put a ribbon on what they did. Remastering the injection mold cast? Removing the logo? That sucks.
:(
Give credit where credit is due.
If you didn’t make it, don’t try to pretend you did.
Just because you don't visibly put the creator's logo on the thing does not mean you are pretending that you made the thing. Your Ford F150 does not have the logos of the 3rd party companies that programmed the ECUs, made the brake pads, etc, and yet I doubt anyone here would think that Ford is pretending they did whatever.
This is not agreeing with what was done, just brake checking your broadbrushing
Why would someone's gender, sexual orientation or skin color be relevant to developing a badge? This is so weird.
Likely, the thinking was, "We know that in the past such firms have experienced disadvantages. In years past, bias and discrimination against them may have hurt their chances of procuring a contract like this. Recognizing that historical disadvantage, we now want to give such firms opportunities to show the world that they are every bit as capable."
But we don't. We just use our work and our reputation.
There's no "historical disadvantage" for a company that supports the hacker community to be full of all sorts of eccentric, non-conforming people.
It's impossible to try to remove the sense of entitlement one gets from this company after that, given the rest of the situation seems to weight in to that way especially given I've heard of procurement of these badges having no such problems before.
EDIT: That said, Defcon doesn't end up looking too good either after this. Nothing good can come of this given things like this are usually probably done in quite good faith.
FWIW, I noticed that line as I read it, but it didn't make me prejudge the situation.
I mostly noted it as a potential interesting bit of info that might reflect well on DEFCON organizers involved with the badges.
Are you critiquing the writer's PR savvy -- that they should know that progressive references can both help and hurt them, due to political polarization?
(Examples: Some people warm to them. Others feel skepticism or even anger. Others might be personally indifferent, but assessing the PR situation.)
Or are you saying that you think a line like that definitely hurts reception of the writer's argument much more than helps them, with whomever their target audiences are?
Why is it "political polarization"?
DC hired an engineering firm based on, at least in part, reasons that have nothing to do with engineering. The project fell apart. Should the procurement process not be questioned, along with selection criteria?
Yes. This is something that appears extremely defensive / conflict-seeking and just increases the chance of escalation. It's the kind of similar thing if they wrote something like "an engineering firm where 70% of the engineers have proudly summitted Mount Everest, something most people can only hope to do", that has zero relevance to the issue at hand but by default sets a setting where they are trying to appear somehow holier-than-thou and whatever they say is put under undue scrutiny even if that is the only snafu.
In making clarifications like this, one must be as possibly humble as they can and only talk about things with immediate relevance to the issue. That should be so unbelievably obvious. What they say on their frontpage, like trying to give some "vibe" might be something else of course, and doesn't as necessarily have to do with their craft. This PR person confused these two and should probably be fired, for the same reasons of doing the opposite of their job as for example some Helldivers 2 community manager semi-recently did. If a golden retriever in their position would do less damage, they are not the person for the job.
Exactly those type of orgs which exist primarily to fill this quota. Any kind of capacity to actually fulfill project requirements is secondary
Defcon stiffs badge HW vendor, drags FW author offstage during talk
> Once a month, we billed for our work and submitted an updated estimated per badge final cost - committing as costs built to discount our work as necessary in order to hit DEFCON’s per unit cost targets.
If it's true that DEFCON wanted dirt cheap badges produced in record time, then I think the fault lies not in the project's management & execution but in the client's expectations & resourcing. No accomplished vendor would accept such a low price point, so that just leaves the unaccomplished. Vendors who overpromise and underdeliver, who would accept payment in terms of "clout", or who would be too afraid to push back on crazy or high pressure expectations until it's too late.
A classic set-up-to-fail situation.
For me, this is a clear case of mismanagement and bad communication. DC gave EE the wrong budget (cost for the whole badge instead of the PCB+fw) and then completely ignored the reports they received until it was too late. At which point they decided to force EE to pay for their mistake instead of man-ing up and accepting at least some responsibility.
Don't forget DC gets 460$ × 30k from ticket sales alone, they should be able to handle this better. And this is not the first time they have screwed suppliers.
Entropic appears to be pulling at some emotional response with their initial introduction in regards to LGBTQ, etc. That’s irrelevant information.
According to the (admittedly biased) article, Entropic ate all of the cost overruns:
> Once a month, we billed for our work and submitted an updated estimated per badge final cost - committing as costs built to discount our work as necessary in order to hit DEFCON’s per unit cost targets.
It would just be so easy for the other party to retort with "we never agreed to that" because they did not. I'm no legal type, but this just doesn't seem like it would ever hold up in any way. Even with wording of "if we do not hear back, it will be assumed as your agreement" as there's no proof it was actually ever received.
Credit was not erased from the PCB nor the software, which were the parts Entropic was contracted to do. They declined to include entropic on the plastics, which is understandable given that Entropic didn’t do the plastics. It also likely saved machining costs on the mold for a project that was already over budget.
The original accusations appear to be a little exaggerated.
Any guesses on DEFCON's budgets "targets" and EE billed extra hours (including rates) anyone? :?
> We are especially grateful that Dmitry was not hurt in the physical removal he was subjected to as a result of his demonstration of solidarity. We want to extend our thanks to all attendees who have been asking questions, reaching out, attending surprise side-walk cons, displaying the about page badge on the con floor, and, especially, keeping a community eye on law enforcement and conference security to help ensure our friend Dmitry’s safety in the last 48 hours.
The guy deliberately crashed the stage, knowing his invitation had been rescinded, demanding that "security" (read: random goobers who volunteer for this role in exchange for a colored t-shirt) remove him. He's fine. He got literally the thing he wanted, and "Entropic" knows that full well.
You're a vendor in a contract dispute, Entropic, not Poland's organized effort to throw off Soviet Communism. Miss me with this "solidarity" stuff.
I assume considering the size of Def Con the same applies.
After reading the further responses, I am convinced that DEF CON is kind of a crummy business. This commenter, who does not deserve to be downvoted, and the vendor were both stiffed by DEF CON. There seems to be a lot of drama attached to this organization that unfairly rubs off on its well meaning collaborators.
In the interest of curiosity, I wonder why IT organizations built on the free contributions of others can ever treat their collaborators indelicately. It would be one thing if DEF CON were some superstar artist, where taking the kid gloves off and delivering harsh feedback is part of the learning process, but it’s just a conference organizer.
What? Getting stiffed payments is probably the leading cause of "vendors with a contract dispute".
Go to your lawyer (you do have a lawyer, right?) and have them nicely ask for the money before starting a lawsuit for it plus the contractually specified penalties.
Unlike a lot of non-paying customers, DEFCON probably has money, so you can rest relatively easy knowing you will see it (plus penalties) eventually. If DEFCON was planning on spending that money someplace else, that is their problem, not yours.
I don't know the company but this statement makes them sound like a bunch of amateurs, and I’m now inclined to believe Defcon's statement on what actually happened.
That's what's kind of interesting about this entire drama. The entire conference is based on people that break systems, bend the rules, bask in pseudo outlaw rider cachet, and an amorphous alternate shadow moral code.
And yet here we have Internet lawyers arguing formal contracts between contractors and suppliers. There's obviously greed involved here somewhere, and someone is being non-hacker-code compliant.
To me the public actions with the most scumminess is defcon: using security guards. Reforming molds. Using the produced badges rather than just paper badges. Thin accusations of malware at a hacker conference.
C'mon, man!