
CopperheadOS has imploded - nitrohorse
https://twitter.com/DanielMicay/status/1006299769214562305
======
FreakLegion
Context from when this showed up last week:
[https://news.ycombinator.com/item?id=17239259](https://news.ycombinator.com/item?id=17239259)

The CEO, _jayy, posted a number of comments, then deleted all but one. The
deleted comments were preserved by yegortimoshenko. Links:
[https://news.ycombinator.com/item?id=17241694](https://news.ycombinator.com/item?id=17241694)

~~~
axlprose
There's even more context about how this CEO managed the business in a reddit
thread in response to those tweets as well, which includes some detailed and
revealing comments from the developer:

[https://www.reddit.com/r/CopperheadOS/comments/8oq1l3/cos_fu...](https://www.reddit.com/r/CopperheadOS/comments/8oq1l3/cos_future_questions_and_concerns_from_a_customer/e06a4cr)

[https://www.reddit.com/r/CopperheadOS/comments/8oq1l3/cos_fu...](https://www.reddit.com/r/CopperheadOS/comments/8oq1l3/cos_future_questions_and_concerns_from_a_customer/e0drnyv)

~~~
nailer
That's the most detailed explanation of things I can find in this thread.
Thanks.

------
nitrohorse
"I already prevented any possible compromise of the OS. I am not capable of
compromising it anymore so no form of coercion can make me do that. It's very
unfortunate that things ended this way and now I guess the little money I
earned from this will go to legal fees, etc." - Daniel Micay

[https://twitter.com/DanielMicay/status/1006331205682384896](https://twitter.com/DanielMicay/status/1006331205682384896)

Apparently he's deleted the signing keys.

[https://twitter.com/DanielMicay/status/1006334186725224448](https://twitter.com/DanielMicay/status/1006334186725224448)

~~~
erhardm
I'm wondering if destroying the signing keys will have legal consequences. Are
signing keys considered company IP when their identity is "fused" with the
main developer?

Reading online posts it seems that the community is trusting the developer,
not the company behind him.

~~~
toyg
If those keys were generated before the company existed, and there is no
explicit assignment, then they clearly belonged to him.

If they were generated later, it gets very hairy. Were they created with
company resources? On company time? Is there a record of this happening? Etc
etc.

Going to court would be a huge waste of money for all parties involved, at
this point.

~~~
earenndil
His Twitter says he originally generated them in 2009-2010 to submit packages
to the AUR. So he's probably in the clear.

------
Fnoord
Ultimately, who cares who's morally right or wrong? Let's skip the drama and
try to see the legal angle, with the goal of figuring out a way to "save" the
source code (if possible).

The way I see it (with my limited legal knowledge, IANAL) is that Daniel Micay
got paid for his services, and therefore the copyright is assigned to the
company behind CopperheadOS. I'm not sure if Daniel can be fired, that'd
depend on the legal entity of CopperheadOS (for example, in a general
partnership both partners bear responsibility and liability which levels the
playing field). I tried looking it up on the homepage, but I've been unable to
figure that out. What is the legal entity behind the company "Copperhead
Security"?

[1] [https://en.wikipedia.org/wiki/General_partnership](https://en.wikipedia.org/wiki/General_partnership)

~~~
itake
Also IANAL,

As a SWE, all of my employment contracts explicitly state that code that I
wrote for the company is owned by the company. Just because he was paid for
services does not mean that the company owns the copyright of the code he
wrote.

~~~
INTPenis
Sorry to be even more anal but that has nothing to do with Sweden.

I live and work in Sweden too and I am able to dictate those parts of my
contract. Especially as I do a lot of open source work.

~~~
larzang
SWE refers to software engineer, not being a Swede.

~~~
INTPenis
Oic, I had never seen that term used before.

------
surrealize
Not a huge surprise if you followed rust a few years back:

[http://slash-r-slash-rust.github.io/archived/2u1dme.html](http://slash-r-slash-rust.github.io/archived/2u1dme.html)

~~~
agumonkey
didn't know Graydon Hoare left rust o_o

ps: the archived date confused me, just in case, this is a 3yo thread
[https://www.reddit.com/r/rust/comments/2u1dme/daniel_micay/](https://www.reddit.com/r/rust/comments/2u1dme/daniel_micay/)
(enjoy the art)

~~~
DyslexicAtheist
yikes, what happened here?

~~~
kibwen
/r/rust mod here, strcat asked us to remove the thread in order to keep it
from being associated with his real name in Google search results etc. In
order to keep the useful discussion in that thread from being lost entirely I
created the archived version seen above, with his real name redacted.

~~~
exikyut
Hang on a very very large second here.

_I thought you couldn't edit post titles on reddit_, and especially not 3
years ago.

Please please clarify.

Context:

    From       Title           ID      Date
    github.io  "[strcat]"      2u1dme  Thu Jan 29 02:39:34 2015 UTC
    reddit     "Daniel Micay"  2u1dme  Thu Jan 29 02:39:34 2015 UTC

_It's exactly the same post._

EDIT: This is now at 0 points. If I have missed something or misunderstand I
welcome clarification. Thanks very much!

~~~
dkmb
Check the URL of the archived thread.

~~~
exikyut
Okay, I've done that. The only thing I can think of to specifically look at is
the ID fragment. I see the same ID in the archived thread on reddit.com and
the archived thread stored on github.io (I'm not sure which source to
disambiguate "archived thread" to).

My point was/is that the threads are identical, and given the different titles
this points to a supposedly impossible ability to change thread titles. This is
very interesting to me.

In case I'm [still] missing the point you're trying to get at. Further
clarification and patience is appreciated.

~~~
rcxdude
He explained the point. The archived copy has been redacted; the whole reason
the archive exists (and the original was deleted) is that it's impossible to
redact the information on reddit while leaving the rest of the post intact.

------
cbHXBY1D
What a shame. I used to hang out on Rust IRC when Daniel was still engaged
with the project. He always seemed so knowledgeable and he fought for what he
thought was best for the language.

------
tdb7893
So the tweet makes it sound like someone seized control but the email just
makes it sound like this guy was just fired. I'm pretty confused

~~~
gsnedders
They were the two co-founders of the company, and both still own 50% of the
shares of the company, with Daniel having been the CTO and sole developer of
its products.

~~~
chris_wot
What does the other guy do then?

~~~
chaosite
Handle the "business side".

From 30 minutes reading about this and no prior knowledge about the project or
the people involved, this seems to be the probably wrong timeline:

1. Developer starts a project, hacks on it for a while.

2. Developer decides he'd like to get paid for hacking on project.

3. Enter guy. Developer and guy incorporate, with guy as CEO and director,
developer as CTO and person who does all the coding. Ownership is 50-50,
company assets and personal assets are a mess (domain name & DNS are on the
CEO's personal card, copyright for the code CTO writes is not assigned to the
company, CTO controls private keys, and some are his personal private keys
from before the incorporation).

4. CEO & CTO have a falling out wrt company direction.

5. CTO takes this personally, as a betrayal, seeing the falling out as the
destruction of the project he has built basically single-handedly at great
personal sacrifice.

6. CTO destroys private keys, plans to sue over copyright. Project is now
imploded.

~~~
vader1
Insert between 5 and 6: CEO "fires" CTO (while simultaneously asking him to
sign an employment agreement in the first place)

strncat seems to have conceded that despite the 50/50 ownership, "guy" has the
ultimate power since he's a "director" and strncat is not. Does that even make
sense? I'm no expert in American contract law, but usually the director(s)
serve at the pleasure of the majority of stakeholders and if the stakeholders
reach an impasse it's up to the bylaws or a court to figure it out. The way I
see it, strncat is still 50% owner of Copperhead and could successfully
challenge all of guy's actions.

~~~
gsnedders
Note they're in Canada, so American contract law has no say in this case.

------
craftyguy
I figured it was only a matter of time. It's absurd to think you can run a
company with a product like this, with only one full-time developer. RIP folks
who bought devices from them, who will no longer be receiving updates.

------
nitrohorse
Reddit discussion:

[https://www.reddit.com/r/CopperheadOS/comments/8qdnn3/goodby...](https://www.reddit.com/r/CopperheadOS/comments/8qdnn3/goodbye/)

------
bitL
Note to technical cofounders - always keep 51%.

~~~
Fnoord
That's an option, but not necessarily the sole one. This problem isn't new.
I'd say it's one of the primary reasons why a general partnership is a legal
entity, or a good choice in this case [1]. It'd level the playing field
between both partners, creating a mutual interest from an authority higher
than themselves (ultimately, the government). I'm not saying it is without
problems though (imagine one of the partners becomes terminally ill).

Another option would've been to call it earlier, before burn-out, when it
turned out there was no market for this. If people don't wanna pay or donate
for the product, there's no demand apparently. No need to work for a minimum
wage. Get a regular job, and use your leisure time as you see fit (for EXAMPLE
on a project like this but without pressure or obligation).

[1] [https://en.wikipedia.org/wiki/General_partnership](https://en.wikipedia.org/wiki/General_partnership)

~~~
mindslight
The fundamental tension of "unprofitability" was there from the very start, as
real security is directly at odds with traditional business models. The goal
of the businessman is to become a middleman, but security precludes having a
man-in-the-middle!

Which is why these projects overwhelmingly flame out. The engineer figures
there can't be much harm from a business type trying to design a business
around their project, as they assume the _project philosophy_ will remain
unaffected. Meanwhile the business type is excited about having a new in-
demand raw material to which they can _add inefficiency_ to derive a revenue
stream. The engineer figures they own the code, so whatever games the business
monkey plays, they can only end up back in the same spot. Meanwhile the
business type is busy conjuring and documenting bureaucracy like corporate
structure and implicit contracts with which to seize power over the raw
resource (the project) if the coder doesn't submit to his "real world"
supervision.

It's likely that the engineer could prevail and end up owning the code, but
only after an expensive and draining legal battle - it's simply easier to move
on to productive non-zero-sum things. Meanwhile the business type is all too
willing to fight said battle, as investing real money into paperwork games was
basically their entire operation all along.

IMHO the real shame in this case was licensing the code base something other
than GPL. GPL would have made continued _use_ unambiguous even in the presence
of ambiguous ownership.

~~~
Fnoord
I can follow you until

> IMHO the real shame in this case was licensing the code base something other
> than GPL. GPL would have made continued use unambiguous even in the presence
> of ambiguous ownership.

I don't understand how GPLv2 or GPLv3 or BSDL and many (any, AFAICT) FOSS
licenses would _not_ have done the same. The problem is CC non-commercial. It's
actually an anti-competitive license. Imagine RedHat using that for all their
software. Oracle not allowed to compete?

~~~
mindslight
Yes, the non-commercial license is the bigger problem as it's an ambiguous
club that a hostile copyright holder could FUDgeon any sizable community with.

I had been thinking that with BSD, a gone-hostile company could make an
argument that more recent changes were not actually intended to be released
under BSD, whereas with GPL we know they would have had to have stuck with the
license to build on top. But that latter part isn't true if they're arguing
that they're the copyright holder.

edit: Actually what I was thinking is true IF there is an _additional_
contributor whose patch got accepted into the main tree. But in this case,
given that the ostensible goal of CC non-commercial was so that the code could
be dual licensed, we'd expect any such contributor to have been shuffled into
copyright assignment.

------
Apocryphon
Between CopperheadOS and CyanogenMod imploding, what's left? LineageOS and
Replicant? Anything else?

~~~
kjeetgill
I didn't hear about CyanogenMod imploding. What happened there?

~~~
detaro
Cyanogen Inc, the company founded to do commercial work on it and running a
lot of the project infrastructure, ran out of money after some weird things
like cancelling a licensing deal with OnePlus suddenly, and closed. The
community part of the project rebranded to LineageOS.

~~~
spindle
Right. The community part - which is still alive and well in its rebranded
form as LineageOS - was doing the most important work anyway (or, even if
that's a loaded statement, the community part was extremely productive and
still is).

------
ocdtrekkie
It seems a little silly to me that someone would trust a "secure OS" from a
situation where one guy could "seize control" of the company and
infrastructure. This is largely why I've never seen third party ROMs as a
significant solution to the security situation with mobile phones.

That being said, I'm curious what the other side of this story is. The email
makes it sound like the guy's being fired.

~~~
nextos
I disagree, at least to some extent.

CopperheadOS is open source. The scripts to build a ROM are open and it's
possible to audit them. In fact, if you don't want to pay for COS you are free
to build your own image using said scripts. I've done it. It's easy.

I think the whole mistake CopperheadOS did was switching to a Creative Commons
license that prevented commercial use by third parties. This has effectively
made it tricky for Daniel Micay to continue his great work on CopperheadOS
elsewhere once the company imploded.

It's sad, because it's IMHO the very best ROM out there. I don't want to use
anything else. I think they should have gone for a more sustainable business
model. In his shoes, I'd restart COS by doing a crowdfunding round and aiming
at a few other devices (which may not be hard now with device-agnostic ROMs
made possible by Treble).

COS has had a reduced target market since Google decided to price Pixel
terminals much higher than Nexus. There are rumours that they might release a
cheap Pixel to compete with iPhone SE. That might be good for COS.

~~~
beojan
CC non-commercial isn't open source.

~~~
jexah
Yes it is. Open source literally means that the source is public. I think you
mean CC non-commercial is not "free software".

~~~
beojan
No, open source means the license meets the OSI definition of open source,
which CC NC doesn't.

~~~
jexah
opensource.com would beg to differ. I suppose it depends on where one gets
their definition from.

~~~
n_jd
CC NC forbids using the material for commercial purposes [1]. On 'use',
opensource.com defers to the four freedoms [2], which includes the freedom to
use software for whatever you like. So by opensource.com, software licensed
under CC BY-NC-SA 4.0 is not open source. Also they don't mention creative
commons when discussing open source licenses [5] because it doesn't make sense
for code.

I can see why you might think opensource.com says that open source "literally
means the source is public" if you only read the first sentence in their
defining article [3]. Fair enough, this is a common misunderstanding [4].

[1] - [https://creativecommons.org/licenses/by-nc-sa/4.0/](https://creativecommons.org/licenses/by-nc-sa/4.0/)

[2] - [https://opensource.com/law/10/10/license-compliance-not-prob...](https://opensource.com/law/10/10/license-compliance-not-problem-open-source-users)

[3] - [https://opensource.com/resources/what-open-source](https://opensource.com/resources/what-open-source)

[4] - [https://www.forbes.com/sites/wenjiazhao/2012/07/06/beliefs-a...](https://www.forbes.com/sites/wenjiazhao/2012/07/06/beliefs-and-misbeliefs-on-open-source-software/)

[5] - [https://opensource.com/law/13/1/which-open-source-software-l...](https://opensource.com/law/13/1/which-open-source-software-license-should-i-use)

------
signa11
fwiw, the screen-shot:
[https://paste.xinu.at/QIWIC7/](https://paste.xinu.at/QIWIC7/)

~~~
mar77i
On the upside, the damage that's there remains in plain sight thanks to the
guy who made the opposite of the last paragraph happen.

------
beenBoutIT
Does anyone have any idea how many devices run CopperheadOS? The market has to
be extremely tiny. How many people are capable of manually flashing an image
onto a Nexus/Pixel, and then what subset of that group is interested in a
"more secure" ROM?

~~~
bubblethink
>How many people are capable of manually flashing an image onto a Nexus/Pixel,
and then what subset of that group is interested in a "more secure" ROM?

It's mostly their commercial clients. Very few regular people can use COS for
recent devices (for free) since you need to build it from source.

~~~
garyfirestorm
It's not that hard. I'm a mechanical engineer who happens to care about
privacy. I was able to build it by following a guide. There are many tutorials
if you search. I don't have any degrees in computer science or IT, if I could
build it I would guess anyone could.

~~~
bubblethink
Yeah, it's not hard. The steps are pretty well documented. It's just not very
practical. You need to do it every month and flash manually. You lose the OTA
mechanism unless you also set up an update server and hack on the code to
point to your update server. I don't know how well that stuff is documented.
In any case, all this is extremely niche. You need a good HPC like system to
have reasonable build times. Note that you are also building chromium in
addition to the ROM. The parent's point was about user numbers, and I am
pretty sure that that's minuscule outside of their paid users.

~~~
craftyguy
Well, you can't do any of that if there's even a hint of commercial use
because of the CC BY-NC-SA license they (CopperheadOS) used. So you can
basically only build it for yourself.

~~~
detaro
And the uncertainty of what Creative Commons means for code. It likely extends
to the produced binary. Does it extend to the use of that binary - are you
violating the license if you use a phone with self-built CopperheadOS for work
purposes?

------
eleitl
Reddit suspended strncat's account:
[https://www.reddit.com/r/CopperheadOS/comments/8r9su6/reddit...](https://www.reddit.com/r/CopperheadOS/comments/8r9su6/reddit_suspended_strncats_account/)

------
ddtaylor
Is it possible for them to fork under a new name? I ask because it depends on
how they have structured the copyright of their code and open source
licensing. I don't see any other simple solution besides forking and creating
a new entity he owns 100% of.

~~~
ReverseCold
I asked strncat, he said it's not possible even if provided a substantial
amount of funding. (Something about having to rewrite tools or something like
that.)

------
yolo1897
damn i was about to buy a phone compatible with it...

~~~
auslander
what was the price of yours vs iPhone 7?

------
johnnyOnTheSpot
Another Theo

~~~
auslander
I love Theo, no compromises. Theo Victor! :)

------
auslander
iOS is better :)

~~~
auslander
I was a techie, thinking Android is open source and I get SD slot. Busted big
time. Android is Google's child, tied to its services, like Chrome, phoning
home on every step.

iOS is years ahead in security and privacy. Read its whitepapers, read
forensics blogs - they're all about iOS, mentioning Android in passing, as
too easy to be a blog post - blog.elcomsoft.com

------
cmurf
His employment is suspended with pay, stipulating signing an employee
agreement?

OK so you're suspended, and we will pay you only if you sign this agreement
that any ethical company would have had you sign at the start of employment.

This sort of duress after the fact is unethical and possibly illegal. And the
demand for control of a personal GPG key predating employment is eyebrow
raising and properly should invite ridicule.

------
wpdev_63
If the underlying hardware is compromised (it is) then it doesn't matter what
the OS does. EDIT: If you are downvoting me - state why.

~~~
pvg
The first rule of vote club is you do not talk about vote club. Also, people
who vote on your comments either up or down don't owe you explanations. Both
of these are standard HN practice.

~~~
craftyguy
Not GP, but I don't consider it harmful or whatever to ask why folks disagree
with you if you don't understand why folks would disagree with you. Sure, none
of us owe them an explanation for voting a certain way, but maybe someone will
come along and explain it, and they'll learn something new.

I don't think the system is strictly "you're right" or "you're wrong" and
providing any supporting explanation is discouraged.

~~~
pvg
_I don't consider it harmful_

It pretty much always devolves into pointless meta. If someone wanted to tell
you how right or wrong you are, they'd reply to your comment. Sometimes,
perfectly reasonable comments get downvoted. Sometimes, truly awful comments
get upvoted. Sometimes people fatfinger the wrong button on their phones.
Every poster and every thread is better off just living with it, not worrying
about it too much and sticking to the quality of the conversation itself.

~~~
staticautomatic
We _are_ the quality of the conversation itself.

~~~
pvg
No.

~~~
craftyguy
Yea, we literally are, unless all other commenters on HN are bots...

~~~
pvg
No you literally aren't. You are you. The conversation is the conversation.
Those are two distinct things. Nobody can ask you to be mindful of the quality
of other _people_. It's trivial to just avoid interminable discussions about
voting.

The most telling thing about this is that nobody ever demands explanations for
upvotes so it's obviously not because there's some real belief these
explanations would make the conversation better. It's just that being
downvoted feels bad. But really, at worst, you'd eat -4 points here or there.
Best is to just put on your wizard hat and Epictetain stoic robe and move on.
And this isn't merely a good idea - it's the law.

