tldr: entropic made some mistakes because they're a small team with a very tight deadline. defcon shit the bed and refused to pay them over those problems. and dmitry forgot about an easter egg and was OK with being removed from speaking, but wanted security to pull him off stage for his clout.
I still think DEFCON should've done better. their brand is in the shitter over what $20k?
Reading both accounts of the story, it sounds like a small company bit off more than it could chew, couldn’t manage cost and schedule, and when it got to the drop-dead date, even though they say it was basically done (how many times did the client hear that one), the client pulled the plug and tried to salvage it some other way.
Y’all need project managers, at least someone with a plan! jeez.
> Y’all need project managers, at least someone with a plan! jeez.
Or do what every other event does, and don't make your badges so complicated they need a project manager
Every other event has badges that look like they cost substantially less than $1. I'm not saying they have to go that cheap - but when you're hiring a project manager to coordinate the multiple teams, schedule challenges, and providers biting off more than they can chew? Maybe scale things back a bit.
They tried last year with the injection molded plastic part that you could mod and didn’t get enough of them shipped in time. To your point on $1 badges, they gave paper out and people complained (and still complain) for a long time. They felt they spent $300-400 plus travel expenses so they have this idea they should get a special badge. It has an entire culture around it.
Me and a partner designed an insert that fit into that injection molded part and it had games. You could even connect via RS232 if you had the right board and it would print out DEFCON in ASCII then it had whole menu of games.
We sold this add on for $20 at cost to recoup our costs. Sold about 100+ of these add ons.
DEFCON definitely bit off more than they could chew.
We designed our add on around a cheap STM32 series chip and wrote the code ourselves in C. It didn’t have an emulator like this as this is like an entire gaming platform that DEFCON created. But ours was more like DOS level game add on that took us a couple months to make and have produced. We made the stickers ourselves and cut acrylic ourselves.
If you take this situation and make the circuit boards not be the badge, it doesn't really change the situation much. There's a little bit less pressure if the badge is separate, but I'm sure an emergency backup badge could have been arranged.
If you're saying not to have a cool gizmo at all, I think that's too harsh of a lesson.
From what I understand, the DEFCON badges are a fun thing they like to do every year. I don't see this as a problem; what is a problem is deciding to try to create something so complicated in under eight months. I get that it might be a heavy lift for them to start planning and engaging companies to work on the DEFCON '24 badge before DEFCON '23 had even happened, but this particular badge warrants a year-plus of lead time.
I suspect that the comment implies the absence of project manager on the Entropic side of the deal.
As for the cost of the badge, sourcing even sub-$1 badge is still a project. And especially when your target audience is somewhat skilled at counterfeiting such things.
Is the badge the actual thing that lets you enter? Why don’t they just have digital tickets that get scanned at the entrance like everyone else? Does the badge need to be hard to counterfeit?
I mean, it's defcon's money, if they want to spend it on fancy badges, that is their right. If someone offers to do something, knowing full well what the requirements are, but can't, that is not defcon's fault but the people who agreed to do the badges.
I think I agree with the assessment. Especially the part about PM hits close to home. It seems how a lot of projects I was involved in lately lacked an actual project manager. Is the problem that it is a hard job to do right?
The thing is that people on here think project managers are evil incarnate and just useless middle management.
It requires a very specific skill set to be able to lead a technical project and cut through the bullshit on BOTH SIDES: the client asking for features and the team building the product.
Clients always either ask for stuff they don't really need or have vague requirements that crystallise only 3 days after the deadline. "Of course when we said it needs to do foo, it also MUST do bar, doh!"
And teams tend to overestimate their ability to deliver and underestimate the work needed to get to the finish. (Infinite coast problem).
There's also several more classes of B.S., for what it's worth.
An exaggerated/anonymized version of a recent one I got, from an otherwise-really-strong senior engineer: "Of course when I said we would put a button there, it also meant we MUST build an entire UI framework from scratch, with full test coverage for the entire thing!"
...actually, that's not even that exaggerated. Shipping software at big companies can be unreasonably difficult, sometimes.
Yea, I've had the privilege of working with a few _excellent_ project managers (or Producers as they're called in gaming) and they work literal magic.
I've studied project management, I've managed projects and led teams, but holy crap those people are on a whole other level with how well they gather and disseminate information and communicate it effectively.
None of them could code themselves out of a wet paper bag, but that's not the skill they get hired for.
It's actually really hard to do well. Moreover, it suffers from "how hard could it really be" syndrome, especially when working with developers who think they're smarter than everybody. It's the kind of job that a software developer approaches from first principles and does a terrible job at, because starting from first principles ignores all of humanity's experience and practice managing projects, and projects have existed since before the Great Pyramids in Egypt.
We have better tools today, but it takes a skilled practitioner to wield them well. Yes I'm talking about Jira and I hate sitting down and pointing things too, but managing a large complex project with a large number of humans is real actual work and a full time job in and of itself. Sometimes even more than one person can handle. Places that I've seen are successful are able to recognize that, and don't treat it as dead weight.
Good project managers are rare. They need to have some real experiences working on some projects and then some managing projects. It's rarer than good engineering managers IMO.
The fact that Dmitry was still pushing changes on the aeroplane, although he seemed to frame this as a positive, doesn't exactly inspire a lot of confidence in their professionalism, viewed from the outside.
Ah yes, classic "insert an unauthorized coin wallet soliciting money from badge owners" easter egg. Timeless prank, how could anyone be mad at such a normal and anodyne "easter egg"?
lmao DEFCON's "brand" isn't in any danger.
edit: And now he's pulling the classic hacker move of (checks notes) enforcing strict software IP ownership rights? Guy's a class act all around. Hope everyone learned an important lesson about Dmitry and Entropic with this mess.
> edit: And now he's pulling the classic hacker move of (checks notes) enforcing strict software IP ownership rights? Guy's a class act all around. Hope everyone learned an important lesson about Dmitry and Entropic with this mess.
Doing it as counterplay to a lack of credit is a great hack.
It’s not like it’s blocking the badge from functioning unless you pay. It doesn’t even pop up unless you specifically go looking for it. It seems perfectly in line with the ‘shareware’ and ‘buy me a cup of coffee’ spirit that characterized the early years.
Generally you don't make secret shareware out of software you make for other people.
Just imagine what would happen if you created a shareware scene in the software of some company you work for. You would get fired (and possibly sued) so fast it would make your head spin.
My understanding is that Dmitry was a volunteer. IMO that makes the "shareware" more reasonable than if he were an employee writing the code on the clock (and it doesn't seem like he was soliciting money for himself)
He wasn’t employed by anyone, and didn’t get paid by anyone for his work. (Defcon is wrong about this in their statement, and admitted as such in the comment thread).
When I write code that nobody is paying for, you better believe I’ll write it how I damn well please. If you aren’t paying, you aren’t the customer. And you don’t get to control the output of my work.
The wallet address soliciting donations is for the hardware company, not on his own behalf. But even if it was on his own behalf, would you still be mad? Since when is it a crime to be proud of the code you've written, for free, to bring joy to a hacker conference? That deserves mad credit in my book.
> When I write code that nobody is paying for, you better believe I’ll write it how I damn well please.
You're under no obligation to write code. You are under an obligation not to sneak an advert into someone else's conference via essentially fraudulent means.
Just because nobody is paying you, doesn't mean you have carte blanche to do whatever you want.
I don't think this is a controversial opinion. If someone created a piece of open source software but hid a trojan or cryptominer in it people would find it objectionable. You could quibble about where the line is, but I think everyone agrees that just because something is free does not give you the absolute right to do whatever you want.
It's not an ad. It was a request for donations to a company that put themselves out to the tune of $100k to make the badges happen. And then had credit and publicity stripped from them during defcon - even though that was part of the deal! Apparently they aren't even mentioned in the program, and their company logo was taken off the cases for the badges.
We aren't talking about client work here. We're talking about defcon, where cheekily thumbing your nose at authority through code is the heart and soul of the conference. This single, hidden page asking for donations on behalf of the hardware company is a total nothingburger. Getting up in arms about it for being unprofessional is ridiculous.
> We're talking about defcon, where cheekily thumbing your nose at authority through code is the heart and soul of the conference. This single, hidden page asking for donations on behalf of the hardware company is a total nothingburger. Getting up in arms about it for being unprofessional is ridiculous.
People in this thread do seem to be very upset about a hacker doing hacker things. For a bit more irony, we're on Hacker News...
I don't really care whether money changed hands. Secretly putting an ad into software that you know will be distributed to many people is the oldest scumbag move in the scumbag book. All sympathy ended there, and that was weeks before he trespassed.
Characterizing it as an "ad" feels a bit dishonest, as if it was an ad for some random product completely unrelated to the conference or the badges themselves. It was a shout-out to the company that made the badges! And that after DEFCON promised to give that company credit on the badge case, and then reneged on that promise.
Even if Entropic shat the bed so badly that DEFCON's takeover of badge production was actually warranted (I'm super skeptical of this claim), the badges still consisted nearly entirely of Entropic's & Dmitry's work. DEFCON's removal of credit from the badge case was deeply unethical.
Eh. When I was young, I played a demo of Doom that came with a magazine. When you finished the demo level, the game showed an ad that said if I ponied up money, I could play the whole game.
I fail to see the problem.
And in this case it wasn’t an ad. It was a page saying you could donate to the hardware company if you want, who were out of pocket $100k for making the hardware. That’s an incredibly tame prank by Defcon standards.
What should they have done better? They didn't have the option of doing better with Dmitry, right? He deliberately set up the confrontation with security.
The idea that DEF CON's brand is "in the shitter" seems risible. I say that ruefully, as (in my declining years) I get more and more bitter about the comic convention spectacle the event has become. Whatever the outcome from "badge-gate", I assure you, they'll set attendance records next year regardless.
OP asked for a better option. He was offered one, which he disagreed with. Because he doesn't like it precisely means that (in his view at least) it is not what he asked for.
Your point was valid though. You can't let someone rock up to the stage uninvited. This would open the door to all kinds of issues.
And the original question of how the situation could have been handled better is the most interesting one. The rest is a game of he said/she said, which hn commenters tend to enjoy arguing about but is ultimately not very instructive.
With hindsight it is clear that the situation had been brewing for some time, and the conflict had been escalating slowly. Perhaps due to the pressure and stress (and time pressure) of organising an event like that nobody managed to have enough distance to deescalate it, which culminated in someone being escorted off stage by security, not a good experience for anyone.
Most likely once the invitation to talk had been rescinded the dice were thrown. It would have been hard for the speaker not to be offended, and unfair on him to expect him to take it quietly and move on without reacting. Someone should have been aware of that and worked with him to control the impact of this on his own reputation.
He was given a 30 minute notice that he was disinvited. That’s pretty egregious.
Especially since they were okay with him giving the talk as long as he apologized. And he offered to say “I didn’t mean to offend anyone”.
So for a misunderstanding and mistake to drag him off the stage is stupid and ridiculous.
> What should they have done better? They didn't have the option of doing better with Dmitry, right? He deliberately set up the confrontation with security.
Maybe I misunderstood, I previously read that as “what could they have done better about the situation”.
Did you mean “what could they have done better once he was at the stage?”
I got locked in a hotel room by an actual goon who demanded a line-item veto of my slides (clients! what you'll do to keep clients happy!), and ask Mike Lynn how he feels about the response to his talk. Being asked not to take a stage to take credit for the annual DEF CON badge toy seems pretty low on the scale of security conference dramas.
The "drag him off the stage" thing was his own arrangement.
People don’t get to dis-invite people from stages when that is quite literally the only compensation given either.
They made the software for the badge of your entire conference, for free, and then you won’t let them talk about it because what you got for free, wasn’t what you expected/wanted?
That’s just dumb on so many levels I don’t even know where to begin.
It’s like playing, no, selling someone else's mod and complaining it’s not up to the standards of a finished game.
I don't think GP meant "don't get to" as in it's not their legal right to do so (which of course it is). I think they meant that it's a profoundly shitty thing to do to someone, and DEFCON should rightly be criticized for disinviting him in the first place.
I think an easter egg that includes a monetary solicitation is (at best) in poor taste, regardless of the circumstances. But canceling his talk 30 minutes prior to its start time for that? Nope, not cool. DEFCON's behavior in disinviting him was much much worse than his action that triggered it.
> They made the software for the badge of your entire conference, for free, and then you won’t let them talk about it because what you got for free, wasn’t what you expected/wanted?
You are saying this like it is unreasonable, but it seems entirely reasonable to me.
Just because you do something for free does not entitle you to a conference talk about it. If you wanted to be paid for it (and make no mistake, a conference talk is a form of compensation. In many conferences companies pay huge sums of money to have a platform) then they should have got a contract.
It was a huge mistake to uninvite him from the session.
It sounds like defcon was mad at EE for going over budget - which honestly is fair even though they didn’t handle it well. And thought (wrongly) that Dmitry was a salty subcontractor of theirs. Their actions make some sense in that context. Not great, but eh.
But Dmitry has totally owned them in messaging - by forcing them to physically eject him (making a scene), and getting out ahead of the story. It’s great drama. He’s positioned defcon to look like an evil corporate buffoon hating on a hacker who was just donating his time.
At this point, defcon should take the L and apologise, and let him have a session talking about the code. That would be a very satisfying end to the drama for attendees. (Even if it does encourage more drama in future years.)
Either way, I agree - I’m sure attendance will go up next year too. People love this stuff.
It was definitely an easter egg. A secret screen that gives credit to someone that worked on a thing and otherwise wouldn't get credit is the textbook example of an easter egg.
It probably shouldn't have had the Bitcoin address, but it doesn't sound like that would have been treated much differently.
I think you're going to find that firms who contract embedded designs have viewpoints about "easter eggs" that would be surprising, even off-putting, to message board communities that savor them like single malts. Generally, when firms arrange to deliver hardware/software to their own customers sourced from vendors, they want a clear understanding of what the software actually does.
Yep. But again, it’s really not clear in this case if DEFCON was paying their vendor (EE) for software at all. I can see how it was ambiguous from their side given Dimitri was friends with the hardware design company. But from the POV of Dimitri and EE, DEFCON was paying for hardware and a separate 3rd party (Dimitri) volunteered to write the software. It’s very spicy to attack people in your community who volunteer their time.
And unpaid programmers doing cheeky things with code because they want to is the heart of DEFCON.
I can see where DEFCON is coming from with the calls they made here. But it’s a mistake to treat Dimitri as if he were a vendor. He's not.
I'd like to ask as someone who is interested in RE/Security/Malware in general but without experience. Which events are good for me if I have to pay out of my own pocket? I don't work in related fields so an education stipend does not apply.
I surveyed the ground tonight and found two that are interesting: Recon (in Montreal) and CCC (in Hamburg).
I think CCC is basically in the same bracket as DEF CON in terms of seriousness. Someone's going to get mad at me for saying that, but I'll note that serious people go to DEF CON too, even though it is 100% a cultural event and not a real part of the cite record for our field.
I've never heard anyone say anything but good things about REcon. I have FOMO about having never been.
Thanks for sharing. I'm actually close to Montreal so REcon is probably my best bet. The ticket is more expensive but I save lodging and transportation.
Hugo, the organizer of Recon, has historically been willing to work with people who are attending on their own dime. I suspect that if you were to send him an email explaining your situation, you'd be very happy with the response you received.
It is an excellent conference that I've enjoyed every single time I've gone.
> The idea that DEF CON's brand is "in the shitter" seems risible.
Is it though? With 20+ attendances behind my belt, I was already sour on the experience at 2018 and didn't go in 2019 due to a family conflict and haven't been back since.
Not only did "badgelife" absolutely ruin the whole fucking experience, but I started seeing large numbers of people start getting othered and excluded because of running afoul of idpol which IMO is entirely counter to the spirit of what the con had always been about.
It permeates throughout the meta events of the con, like Ollam's Shoot, where you're warned very much in advance with overt threats to not express an opinion that even remotely smells right-wing while his staffers proudly wave antifa banners and shout the merits of being radleft.
At the same time, my experience with the security industry as a whole is that most vendors are completely full of shit and spend all of their time chasing after fake clout (and all of the shady bullshit that goes along with it).
That’s because that’s ultimately what happens everywhere. We just paper over it by paying people for their time so they have to listen to you. When you go back to being all volunteer driven the drama increases correspondingly.
>90% of the world is run by dumb unqualified children. It's not worth trying to get everyone up to your supreme standards (you'll get it later at no cost).
My perception of them was they are hyper intelligent hackers, who have morals and a clear north. If anybody would do the right thing it's these guys. But that illusion is no more. They are just normal dudes after all, for better or worse.