I don’t know the terms of their contract, but that wouldn’t fly in a typical contractor setup. You can’t just cut out the contractor’s labor costs after the fact. I’d be more inclined to give DEFCON the benefit of the doubt if they had canceled the entire project earlier on and engaged a different contractor to build an entirely different badge from scratch.
Given that Dmitry wasn’t even paid for the firmware(!), my guess is this was low budget. For something of DEFCON’s scale, this can’t really be a “for fun” hacker project if you want to guarantee results. The “for fun” part is ensuring the attendees can all have a good time hacking on the badge, not the people doing the labor.
Entropic statement:
https://www.entropicengineering.com/defcon-32-statement
dmitrygr statement:
https://news.ycombinator.com/item?id=41207469
dmitrygr being removed:
It's an event kids go to to have fun with their friends.
They have game rooms, furry parades, karaoke and cool badges!
And their website doesn't work.
https://forum.defcon.org/calendar
It's not a serious event any more.
What are the real infosec conferences these days?
1. The badge manufacturing issue and subsequent non-payment due to contract dispute.
2. The firmware author (not hired by the manufacturer) put in unauthorized 'easter egg' code that asks for money via crypto.
I am not familiar with 1 so I can't comment on a contract dispute.
But 2 is definitely over the line, and this is coming from me, someone who is supportive of some usage of cryptocurrency. You don't put unexpected monetization mechanisms into your volunteer work without asking the charity organization for permission. Asking for money secretly is way different from putting in a harmless Easter egg. At that point, it's not a harmless Easter egg anymore.
Maybe the money is for the manufacturer. In that case, do what a normal person would do and raise the issue on a social channel (e.g. Twitter, Threads, blog).
> The DEFCON community is and has always been near and dear to my heart; I started my local DEFCON group as a kid growing up in Malaysia decades ago
Sad that people (defcon) use and abuse the passion of others. EE let DEFCON step all over them. EE even discounted the labor in the invoices to defcon to meet whatever vague budget they had.
This is just a reminder that you should never meet or work with your childhood heroes. The reality is they will most likely take advantage of this.
>discount our work as necessary in order to hit DEFCON’s per unit cost targets
Sounds like DEF CON established a budget and you kept going over it. No wonder they issued a stop work order.
(Obviously doing crowd control, providing information, and front line emergency response is absolutely fine, although tbh even that they should probably have guard cards in most jurisdictions for liability reasons. If someone is violently disruptive, as a private citizen go for it, but unauthorized speaking on stage is pretty far from that. Would be hilarious if dude makes more money from that than he was stiffed by his employer.)
Given this complexity and confusion, short of conducting a full court trial with months of document subpoenas and depositions under oath, IMHO, confidently believing you've arrived at a complete, objective understanding of who is right or wrong is as likely to be incorrect as it is correct. And, at this point, this probably holds true for most of the actual participants too.
I base this on decades of experience untangling screwed up business transactions and communications. No matter how thorough, credible and complete a certain retelling seems, I've often discovered there is another layer (sometimes even unknown to many of those involved) which changes enough to shift whatever I initially believed. I've had this cycle of "Aha, now I understand" / "Oh... wait. No I don't" repeat several times while digging through a single incident.
It sounds like Dmitry was a subcontractor of Entropic and producing a screen asking for money after their contract had been terminated (for good-sounding reasons) was bad form. I'm not commenting on the legalities (I don't know anything about contract law) and I don't necessarily take either side's account at face value, but this response doesn't sound unreasonable to me.
From his timeline https://en.m.wikipedia.org/wiki/Jeff_Moss_(hacker) under "Later career", he seems to be CIA: Council on Foreign Relations member and Atlantic Council member. But it would fit with the other folks I got to know from this background.
> (dang) Previous related thread: Defcon stiffs badge HW vendor, drags FW author offstage during talk
Despite the project being "impossible," EE made some sort of agreement to complete the work and deliver within time and budget. EE, not DC, made the decision to work with Dmitry.
> I am not a subcontractor of anyone. I was doing this in my own free time for fun so attendees have a fun badge. There exist no contracts between me and anyone. It was an evenings-and-weekends project for me [1]
This work by Dmitry was unpaid, presumably uninvoiced and not under contract directly with DF, and Dmitry is not an agent of EE.
> While we as a company did not ask Dmitry to program the easter egg, the outpouring of support and community for EE has been appreciated and inspiring. [0]
EE did not request that the Easter egg be included by Dmitry. As a free agent (not under contract), Dmitry is free to do as they wish. Dmitry's involvement with DF was an invitation to participate on a panel. Given the discovery of the Easter egg, DF withdrew the invitation. Without any explicit agreement, it is irrelevant why DF would withdraw their invitation, as it is presumed DF can withdraw any such privileges at any time for any reason, though a reason was given in this case.
> At this point, all work had been completed except our physically attending the overseas production run and providing ongoing troubleshooting/debugging. In fact, the day we received this surprising news, we were actively working on the SD card debug that became a central concern earlier this week. [0]
This sounds consistent with DF's claim that the product was still in pre-production and all services had not yet been fully rendered; therefore, the original agreement may already have been breached at this point. What is "owed" is likely no longer stipulated under the main clauses of the contract.
> EE has tried multiple times over the past months to negotiate fair compensation for work completed prior to June 7th, but attempts at resolution have been unsuccessful. [0]
> Once a month, we billed for our work and submitted an updated estimated per badge final cost - committing as costs built to discount our work as necessary in order to hit DEFCON’s per unit cost targets. [0]
> Once the manufacturing was fully completed, we were offered a one-time “take it or leave it” amount worth well under half of what we were owed pre-stoppage. Given that what we were owed was already discounted by 25% in order to hit agreed upon cost targets, this has had a huge impact on our small team. [0]
> We have also continued to pour lots of time, effort, and love into the project post-stoppage. I want to be clear that we never expected to be paid for this post-stoppage work, but simply did it as a labor of love for the community. [0]
This is a contract dispute. What EE is "owed" is defined (or should be defined) in the agreement. What is "invoiced," despite any "discount," does not, on its own, constitute what is owed by DF. Unbilled and discounted labor significantly complicates this, especially if it was not itemized as such on the invoices sent to DF. Parts and materials, which come with invoices attached, should be paid per the agreement.
> Any claims that DEF CON did not pay Entropic Engineering for its hardware or firmware development are false.[OP source]
My assumption is the agreement was for a fixed-cost, fixed-timeline, per-badge payment and the targets were not met, despite EE trying their best. The claims made by both sides are verifiable by receipts and, should it come to that, can be arbitrated either by a court of law or the court of PR (public relations, i.e., the internet).
Regarding Dmitry's experience and the Easter egg, for better or worse, DF can make whatever decision they please at their conference. The Easter egg was antagonistic towards DF and is significantly unrelated to the payment dispute with EE. The Easter egg being a "prank" or "difficult to find" or "not technically owned by DF," is also unrelated (although the code seems to be part of services rendered to DF by the agreement with EE [0]).
> We were clear as early as our first conversation in January that the risk in trying to push to mass production of this size and on this timeline was immense, even advocating for a DEFCON 2025 release of this particular badge. DEFCON’s Badge Team remained confident that they could meet and mitigate this risk. [0]
EE's admissions illustrate that DF's decision to push forward with this vendor was ill-advised. Given their experience, it would have been charitable not to put EE in this position. Arguably, DF did mitigate their risk (financial and reputational) by issuing a stop order and seeing the product to completion by other means; attendees did get their badges after all. By their own admission, EE also recognized the risk themselves, and continuing their attempt to render the agreement under the circumstances was also ill-advised. Their risk (to reputation) was also managed by providing free labor. This is unrelated to the payment dispute, as both parties chose, and were not forced, to continue to engage under the terms of their agreement until such time as the agreement was made null. The only dispute is in regard to the original agreement, which should be rendered whole by the terms of the contract that were completed and satisfied by EE.
[0]: EE's statement. https://www.entropicengineering.com/defcon-32-statement
defcon cheats, defcon loses.
A hacker conference is upset that someone "hacked" their badges and put unwanted code into the firmware. Users are (meant) to be hacking these boards. That is the entire point, isn't it?
Have the guys who did it come in, talk about the exploit, share how they did it. Then the corpDefCon can talk about what they missed and how to avoid it. Have a talk "How DefCon got hacked".
Have some fun for f-sake. Tangent man, come on.
> Unfortunately, shortly before the talk was set to take place DEF CON became aware that unauthorized code had been included in the firmware we had paid Entropic Engineering to produce,
Defcon stiffs badge HW vendor, drags FW author offstage during talk - https://news.ycombinator.com/item?id=41207221 - Aug 2024 (118 comments)