dang
Previous related thread:

Defcon stiffs badge HW vendor, drags FW author offstage during talk - https://news.ycombinator.com/item?id=41207221 - Aug 2024 (118 comments)

mafuyu
Reading EE and DEFCON’s statements, I’m inclined to think whoever was managing this on DEFCON’s side was not on top of things and blinked at the last minute. I’m sure there were delays and issues on EE’s end, as it always goes with hardware, but it’s still EE’s design, parts sourcing, and manufacturing run that DEFCON just took over last minute?

I don’t know the terms of their contract, but that wouldn’t fly in a typical contractor setup. You can’t just cut out the contractor’s labor costs after the fact. I’d be more inclined to give DEFCON the benefit of the doubt if they had canceled the entire project earlier on and engaged a different contractor to build an entirely different badge from scratch.

Given that dimitri wasn’t even paid for the firmware(!), my guess is this was low budget. For something of DEFCON’s scale, this can’t really be a “for fun” hacker project if you want to guarantee results. The “for fun” part is ensuring the attendees can all have a good time hacking on the badge, not the people doing the labor.

mmastrac
There are basically three sides to the story now, for reference:

Entropic statement:

https://www.entropicengineering.com/defcon-32-statement

dmitrygr statement:

https://news.ycombinator.com/item?id=41207469

dmitrygr being removed:

https://x.com/dmitrygr/status/1822124650547257637

tptacek
I believe DEF CON on this, because the other side of the story --- that they vindictively withheld payment from Entropic and later harassed the firmware developer --- just doesn't make any sense. We are probably talking about rounding error sums of money for the conference organizers themselves.
the_real_cher
Def Con is the Coachella of tech conferences.

It's an event kids go to to have fun with their friends.

They have game rooms, furry parades, karaoke and cool badges!

And their website doesn't work.

https://forum.defcon.org/calendar

It's not a serious event any more.

What are the real infosec conferences these days?

guardiangod
It seems that 2 issues are being conflated together:

1. The badge manufacturing issue and subsequent non-payment due to contract dispute.

2. The firmware author (not hired by the manufacturer) put in unauthorized 'easter egg' code that asks for money via crypto.

I am not familiar with 1 so I can't comment on a contract dispute.

But 2 is definitely over the line, and this is coming from me, who is supportive of some usage of cryptocurrency. You don't put unexpected monetization mechanisms into your volunteer work without asking the charity organization for permission. Asking for money secretly is way different from putting in a harmless Easter egg. At that point, it's not a harmless Easter egg anymore.

Maybe the money is for the manufacturer. In that case, do what a normal person would do and raise the issue on a social channel (e.g. Twitter, Threads, blog).

xyst
I have read all accounts and points of view. Defcon clearly dropped the ball here. Whoever was managing this badge creation team should never be allowed near defcon again. I am very unlikely to recommend or go to any future defcon events unless defcon makes this right with the vendor.

> The DEFCON community is and has always been near and dear to my heart; I started my local DEFCON group as a kid growing up in Malaysia decades ago

Sad that people (defcon) use and abuse the passion of others. EE let DEFCON step all over them. EE even discounted the labor in the invoices to defcon to meet whatever vague budget they had.

This is just a reminder that you should never meet or work with your childhood heroes. The reality is they will most likely take advantage of this.

bawolff
If the "joke" involved shilling for crypto, that instantly makes me more sympathetic to the defcon side.
timthelion
Am I the only one who thinks it is ridiculously wasteful to have electronic badges for all attendees?
rasz
>After going overbudget by more than 60%

>discount our work as necessary in order to hit DEFCON’s per unit cost targets

Sounds like DEF CON established a budget and you kept going over it. No wonder they did a stop work order.

cdchn
Dmitry has posted on reddit that he is going to DMCA DEFCON for using his code unauthorized and is granting napkin licenses to people in reddit comments or who had the badge signed at DC https://www.reddit.com/user/dmitrygr/
rdl
I don't understand how volunteer, non-sworn-officer, non-Nevada-licensed security guards (volunteer "goons", who are just private citizens at a private event in a public convention center) can use physical force to take a non-violent trespasser off stage without exposing themselves personally and their organization to substantial liability. Not super familiar with Nevada law.

(Obviously doing crowd control, providing information, and front line emergency response is absolutely fine, although tbh even that they should probably have guard cards in most jurisdictions for liability reasons. If someone is violently disruptive, as a private citizen go for it, but unauthorized speaking on stage is pretty far from that. Would be hilarious if dude makes more money from that than he was stiffed by his employer.)

mrandish
Just skimming the top level of various back and forth claims, I can already tell this is one of those situations where there are too many variables, disparate communications, perspectives, individual recollections and partial retellings, all about a unique, one-off transaction, and all evolving over a significant period of time between individuals who are not deeply experienced business people - to confidently conclude anything about ultimate fault based on the currently available statements and posts.

Given this complexity and confusion, short of conducting a full court trial with months of document subpoenas and depositions under oath, IMHO, confidently believing you've arrived at a complete, objective understanding of who is right or wrong is as likely to be incorrect as it is correct. And, at this point, this probably holds true for most of the actual participants too.

I base this on decades of experience untangling screwed up business transactions and communications. No matter how thorough, credible and complete a certain retelling seems, I've often discovered there is another layer (sometimes even unknown to many of those involved) which changes enough to shift whatever I initially believed. I've had this cycle of "Aha, now I understand" / "Oh... wait. No I don't" repeat several times while digging through a single incident.

mvdtnz
This is a great example of why both sides of a story are needed. From DEF CON's perspective, assuming this is all true, there's nothing unreasonable here.

It sounds like Dmitry was a subcontractor of Entropic and producing a screen asking for money after their contract had been terminated (for good-sounding reasons) was bad form. I'm not commenting on the legalities (I don't know anything about contract law) and I don't necessarily take either side's account at face value, but this response doesn't sound unreasonable to me.

rurban
I don't know DT (Dark Tangent) aka Jeff Moss, the one who got pissed at dmitryg to throw him out. Is this his usual behavior?

From his timeline https://en.m.wikipedia.org/wiki/Jeff_Moss_(hacker) "Later career" he seems to be CIA: Council on Foreign Relations member, and Atlantic Council member. But it would fit with the other folks who I got to know from this background.

creer
More summary of how it apparently went at defcon https://old.reddit.com/r/Defcon/comments/1eoe4u7/so_the_guy_...
fsckboy
I can't reply to dang's informational post, but in light of the new claims from defcon, isn't the previous discussion title potentially defamatory?

> (dang) Previous related thread: Defcon stiffs badge HW vendor, drags FW author offstage during talk

chriscappuccio
These badges sound pretty cool. I'd like to get one without attending.
thomascountz
> The specifics of what they requested in January were extremely difficult / almost impossible, but we had been working with Raspberry Pi as a Design Partner and had early access to the unreleased Raspberry Pi RP 2350, a chip that would enable exactly the kind of device DEFCON was requesting. Dmitry and Entropic had already been working on a GB emulator and were thrilled to be able to contribute our work to a project directly for and by the community. [0]

Despite the project being "impossible," EE made some sort of agreement to complete the work and deliver within time and budget. EE, not DC, made the decision to work with Dmitry.

> I am not a subcontractor of anyone. I was doing this in my own free time for fun so attendees have a fun badge. There exist no contracts between me and anyone. It was an evenings-and-weekends project for me [1]

This work by Dmitry was unpaid (presumably uninvoiced and not under contract directly with DF), and Dmitry is not an agent of EE.

> While we as a company did not ask Dmitry to program the easter egg, the outpouring of support and community for EE has been appreciated and inspiring. [0]

EE did not request the Easter egg be included by Dmitry. As a free agent (not under contract) Dmitry is free to do as they wish. Dmitry's involvement with DF was an invitation to participate on a panel. Given the discovery of the Easter egg, DF withdrew the invitation. Without any explicit agreement, it is irrelevant why DF would withdraw their invitation, as it is presumed DF can withdraw any such privileges at any time for any reason, though a reason was given in this case.

> At this point, all work had been completed except our physically attending the overseas production run and providing ongoing troubleshooting/debugging. In fact, the day we received this surprising news, we were actively working on the SD card debug that became a central concern earlier this week. [0]

This sounds consistent with DF's claim that the product was still in pre-production and all services had not yet fully been rendered, therefore, the original agreement may already have been breached at this point. What is "owed," is likely no longer stipulated under the main clauses of the contract.

> EE has tried multiple times over the past months to negotiate fair compensation for work completed prior to June 7th, but attempts at resolution have been unsuccessful. [0]

> Once a month, we billed for our work and submitted an updated estimated per badge final cost - committing as costs built to discount our work as necessary in order to hit DEFCON’s per unit cost targets. [0]

> Once the manufacturing was fully completed, we were offered a one-time “take it or leave it” amount worth well under half of what we were owed pre-stoppage. Given that what we were owed was already discounted by 25% in order to hit agreed upon cost targets, this has had a huge impact on our small team. [0]

> We have also continued to pour lots of time, effort, and love into the project post-stoppage. I want to be clear that we never expected to be paid for this post-stoppage work, but simply did it as a labor of love for the community. [0]

This is a contract dispute. What EE is "owed" is defined (or should be defined) in the agreement. What is "invoiced," despite any "discount", does not, on its own, constitute what is owed by DF. Unbilled and discounted labor significantly complicates this, especially if it was not itemized as such on the invoices sent to DF. Parts and materials, which come with invoices attached, should be paid per the agreement.

> Any claims that DEF CON did not pay Entropic Engineering for its hardware or firmware development are false.[OP source]

My assumption is the agreement was for a fixed-cost, fixed-timeline, per-badge payment and the targets were not met, despite EE trying their best. The claims made by both sides are verifiable by receipts and, should it come to that, can be arbitrated either by a court of law or the court of PR (public relations, i.e., the internet).

Regarding Dmitry's experience and the Easter egg, for better or worse, DF can make whatever decision they please at their conference. The Easter egg was antagonistic towards DF and is significantly unrelated to the payment dispute with EE. The Easter egg being a "prank" or "difficult to find" or "not technically owned by DF," is also unrelated (although the code seems to be part of services rendered to DF by the agreement with EE [0]).

> We were clear as early as our first conversation in January that the risk in trying to push to mass production of this size and on this timeline was immense, even advocating for a DEFCON 2025 release of this particular badge. DEFCON’s Badge Team remained confident that they could meet and mitigate this risk. [0]

EE's admissions illustrate that DF's decision to push forward with this vendor was ill-advised. Given their experience, it would have been charitable not to put EE in this position. Arguably, DF did mitigate their risk (financial and reputational risk) by issuing a stop order and seeing the product to completion by other means; attendees did get their badges after all. By admission, EE also recognized the risk themselves, and continuing their attempt to render the agreement under the circumstances was also ill-advised. Their risk (to reputation) was also managed by providing free labor. This is unrelated to the payment dispute, as both parties chose, and were not forced, to continue to engage under the terms of their agreement until such time as the agreement was made null. The only dispute is in regards to the original agreement, which should be rendered whole by the terms of the contract that were completed and satisfied by EE.

[0]: EE's statement. https://www.entropicengineering.com/defcon-32-statement

[1]: https://www.reddit.com/r/Defcon/s/OwxYvX1Z5z

DarkmSparks
defcon complaining that firmware they don't have a licence to use and distribute has a semi-malicious easter egg....

defcon cheats, defcon loses.

ThinkBeat
Man, DefCon has changed since I was a regular. Back when all tickets were sold by cash only.

A hacker conference is upset that someone "hacked" their badges and put unwanted code into the firmware. Users are (meant) to be hacking these boards. That is the entire point, isn't it?

Have the guys who did it come in, talk about the exploit, share how they did it. Then the corpDefCon can talk about what they missed and how to avoid it. Have a talk "How DefCon got hacked".

Have some fun for f-sake. Tangent man, come on.

"Unfortunately, shortly before the talk was set to take place DEF CON became aware that unauthorized code had been included in the firmware we had paid Entropic Engineering to produce,"

WalterBright
"Badges? We ain't got no badges. We don't need no badges. I don't have to show you any steenkin badges."
briandear
What’s a badge and why does it need firmware? This is a conference right? Not a nuclear silo?