
I didn't get paid, so I open-sourced my client’s project - bubblehack3r
https://github.com/TrillCyborg/onefraction
======
Animats
This thing _wants the password for your bank account?_ WTF? That's way more
than it needs. Enough info to authorize an ACH transfer, maybe. But the _login
password for your bank account?_ No way.

That voids Bank of America's security guarantee.[1] If you provide info for an
ACH transfer, and the other party abuses that info, it's reversible. If you
provide login info and the other party abuses that info, it's not.

[1] [https://www.bankofamerica.com/online-banking/online-banking-security-guarantee/](https://www.bankofamerica.com/online-banking/online-banking-security-guarantee/)

~~~
qafy
If you aren't comfortable with that you better not use any fintech apps like
Cash App, Venmo, Wealthfront, Robinhood, any Intuit products, etc. These
services use Plaid (like this app does) or similar APIs like Quovo, Yodlee,
etc. Even financial institutions themselves like Citi Bank, American Express,
Chime, PayPal, etc use these APIs to link your accounts.

And to be clear, the app itself never has access to your credentials. This all
happens in an iframe that tokenizes your credentials.

~~~
jwr
Well of course I won't use anything like that! I find it mind-boggling that
people even consider giving a third party their bank account login+password.
It's like saying "yes, I want to be robbed of all my money, please take these
credentials and spread them forth to whichever leaked data pile they might end
up in".

My bank considers transactions done using login credentials to be final. There
is no recourse if someone steals your money.

Last year an iOS mail application called "Spark" (otherwise a great app)
decided to quietly upload my login and password to their cloud servers so that
their servers can access my mail for me. I dropped the app immediately
([https://jan.rychter.com/enblog/spark-email-app-why-i-dont-use-it-anymore-2018-07-20](https://jan.rychter.com/enblog/spark-email-app-why-i-dont-use-it-anymore-2018-07-20)).

This should not be considered acceptable. If you want to let users authorize
external access to account data, use OAuth2.

~~~
rrix2
Which bank implements OAuth?

~~~
slartibardfast0
Every bank in the EU will have to have it or near equivalent very soon under
the EU’s Payment Services Directive 2 which mandates API based access to
accounts.

Sandboxes are already available under reasonable terms for many banks in for
example Ireland.

*edit, first word

------
trillcyborg
Hey guys, it's cool to see that you like my project. Unfortunately these types
of things happen to independent contractors often and there's not a whole lot
you can do about it but learn from mistakes. I used some awesome tech for the
first time in this one like react-native-web which is now in Expo and
react-spring for those sexy animations. I'm happy for any of you guys to use this
project as a boilerplate, learn some stuff from it or make fun of my code.

~~~
olliej
Have you ever seen Mike Monteiro’s “fuck you pay me” talk?

Assuming that your contract leaves you with copyright until you’re paid you
could always have DMCA’d them when they deployed. But that’s the vindictive
side of me :D

~~~
thaumasiotes
> Assuming that your contract leaves you with copyright until you’re paid

Why would this matter? If he's not paid, what validity does the contract have?

~~~
ncallaway
> If he's not paid, what validity does the contract have?

What does this mean? The contract is valid absent payment.

A contract has to have consideration for both parties to be a valid contract,
but a promise of payment is a perfectly valid consideration and would make the
contract valid.

~~~
thaumasiotes
How can a promise of payment, combined with a refusal to honor that promise,
be valid consideration? It doesn't differ from a promise of nothing.

~~~
lawtalkinghuman
This seems like very basic contract law 101 stuff.

The promise of payment is the consideration. A contract is literally an
exchange of promises. When you go into a car dealership and buy a car, they
are exchanging a promise (you get a car!) for your promise to pay them.

The refusal to pay is a failure to live up to the promise - that is what makes
it a breach of contract. If not paying meant consideration didn’t exist, then
nobody would be able to sue for breach of contract for non-payment. If breach
meant the contract was invalid, you wouldn’t be able to enforce the contract.

------
verisimilitudes
I find it odd that the license is MIT here. Since he ultimately wrote this
gratis, that license means his client could easily return and use it gratis,
whereas a license such as AGPLv3 would help ensure he'd actually get paid if
this client decided it wanted to use it again.

~~~
coldtea
> _whereas a license such as AGPLv3 would help ensure he'd actually get paid
> if this client decided it wanted to use it again._

a) So would any competitor to the client.

b) The client can use the AGPLv3 version gratis too, even if they modify it,
as it will be on their own server anyway.

~~~
giancarlostoro
> b) The client can use the AGPLv3 version gratis too, even if they modify it,
> as it will be on their own server anyway.

The AGPL covers using code in servers. They would have to provide code for any
server side changes.

~~~
m-p-3
Considering the initial unethical behavior of the client, I doubt they'll
respect the AGPL license.

~~~
giancarlostoro
They could be taken to court and found guilty (I doubt they'd have the time to
build up a fake clone with an entirely different codebase that produces the
same results). It would become quite apparent to the contractor they're using
their software. The contractor's terms could include them paying for money lost
in the whole process AND lawyer fees covered.

------
neya
Most contracts always have a clause about IP which usually states the work
done for the project is the client's IP regardless of whether you got paid or
not. The smarter thing to do without violating this clause is to add "Fuck you
pay me" sort of notices inside the application that doesn't allow the user to
use the software until you get paid AKA kill switch. Kill switches are pretty
easy to implement and you usually obscure key parts of your code. The other
way, which is the best way, is to use some complex programming language that
the client will require a LOT of effort to understand that he might as well pay
you. E.g. Haskell, Elixir, Scala, etc. Generally speaking, functional
programming languages can be designed to look complex. E.g.


    # Reject any input whose split VIN list does not have exactly six parts.
    def validate(_vin, vin_arr) when length(vin_arr) != 6, do: {:error, "VIN has incorrect length."}
    # Six-part list with "ma3" in position 2 and "0" in positions 4 and 5:
    # only a 19-character VIN is accepted.
    def validate(vin, [_, "ma3", _, "0", "0", _] = _vin_arr) do
      case String.length(vin) do
        17 ->
          {:error, "You must include the full VIN. Including the last two extra digits. It may not be included in your RC book. You may need to get it from your chassis."}
        19 ->
          {:ok, :valid}
        _ ->
          {:error, "VIN has incorrect length."}
      end
    end


Normally, the whole app I develop usually will sit inside my Google Cloud
account and the handover is done only when payment is made. The types of
clients I work with normally don't care about source code, they just care
about the working app. These days I avoid clients who are pretty nosy with
asking for source code access upfront as it's a huge red flag for me, as like
the OP, my personal experience also has been bitter with these clients running
away with the source code.

I run an IT shop, not a restaurant to serve you first and wait for your
cheque. Sorry.

~~~
finkin1
I run a dev shop and that's not how our contract works.

Here's our transfer of work clause:

"Transfer of Work. Except for any portion of the deliverables subject to
license terms (collectively, the “licensed materials”), Stratosphere initially
owns all rights in the work created. Subject only to Stratosphere’s receipt of
the fees and costs described in the applicable SOW, Stratosphere assigns all
of its right, title and interest in and to the deliverables (other than the
licensed materials) provided to you by Stratosphere under that SOW. Licensed
materials are copyright of their original authors and provided subject to the
terms of their applicable licenses or the license terms described in the SOW.
You may not use licensed materials other than as described in the SOW or their
applicable licenses."

In case you're wondering, our lawyer is Gabe Levine, the same lawyer in the
famous "F*ck you, Pay Me" talk by Mike Monteiro.

~~~
neya
> In case you're wondering, our lawyer is Gabe Levine, the same lawyer in the
> famous "F*ck you, Pay Me" talk by Mike Monteiro.

Wow, that's awesome. And thanks for sharing that clause :)

------
vzaliva
IANAL, but even if you did not get paid, that does not automatically mean the
result of work for hire belongs to you. If you are a contractor this is a smart
thing to explicitly stipulate in the contract.

~~~
nostrademons
Also NAL, but my understanding is that if no "consideration" (something of
value) changes hands, the contract is null and void. This is why people sell
things for $1 instead of giving them away, or why executives take $1 salaries
instead of working for free. Thus, if he really never received anything of
value for the work, it's as if the contract never happened, and ownership of
the IP remains with the person who created it.

It probably is better to explicitly stipulate this in the contract, to avoid
any misunderstandings or protracted legal battles.

~~~
TuringNYC
How does this prevent a tricky client from paying a nominal $1 (far below
whatever was promised) and again throwing the ownership in limbo?

~~~
zdragnar
I imagine you then go to small claims court for breach of contract. Since the
client made an effort to pay, but failed to pay the agreed amount, any judge
will side with you.

Depending on how payment in the contract was stipulated, you could also refuse
partial payments. If it did go to court, I don't think a judge would find that
an offer of $1 counts as a good faith effort on behalf of your client.

------
McDev
So I'm guessing this is US based, is not getting paid and then going "ah well"
a common thing there?

I'd just take them to court if an invoice followed by "fuck you, pay me"
didn't work.

------
xwdv
Don’t understand why someone would throw away their integrity by doing this.
When a client refuses to pay, the standard procedure is to take them to court
and then make them pay what is owed + attorney fees.

Instead, this developer has put himself on industry blacklists by doing this.
No way he’ll be trusted with sensitive projects. Don’t do this.

~~~
Brian_K_White
He's not on my blacklist.

Perhaps he's aware that every action that anyone ever takes, is approved of by
some people and disapproved of by others, and your only choice is between who
approves of you and who disapproves of you.

I for one, approve of this resolution a hell of a lot more than courts and
suits. They are tools you may be forced to use sometimes. It's great that the
system is there for when you need it. But they are merely detestable
necessities, not my first or preferred choice.

Did it occur to you that by advertizing this attitude, you may have caused
yourself to be blacklisted, even if only informally? Probably not.

It's a favor and a pleasure to be blacklisted by some people or organizations.
It's the trash taking itself out.

~~~
a13n
Yeah, and what's more, this whole thing is fantastic marketing for his
contracting business. He'll definitely get more work from this.

------
tyingq
I wonder if the reverse has happened. Where a client pays for a project, and
gets code, but it's terrible. So, open source it with attribution to the
original developer and an appropriate README analysis of the low points.

Edit: Wondering if it has happened doesn't mean I'm promoting it as a terrific
idea.

~~~
Jare
But why would you opensource terrible code? Even if you want to write an essay
about bad practices, it sounds easier to write it just taking extracts to
illustrate the points.

That said, attributing those extracts that you are criticizing would be pretty
bad form, maybe even basis for a defamation suit. So, sounds messy either way.

~~~
dymk
The point would be to name-and-shame the coder that wrote it

~~~
codingdave
What a terrible thing to do to a new, inexperienced coder.

~~~
tyingq
I don't see any context where it's necessarily a new, inexperienced coder.

~~~
codingdave
Fine, what a terrible thing to do to an experienced coder.

As an industry, we work so hard to build a culture of constructive critique
via code reviews, of mentoring up new developers, of constantly improving our
skills. We strive not to judge people for their code any more than we would
want to be judged for our own.

Naming and shaming coders because they wrote bad code is just uncool, as it
fights against the aspects of this work that make it enjoyable, and instead
turns it toxic.

~~~
Veen
If a client has richly rewarded you for your work in good faith, is it not
also a terrible thing to deliver a pile of crap? If I pay a developer
thousands of dollars and the result is garbage, you can bet I’ll be judging
them for it.

If I paid a photographer to take my wedding photos and they did a terrible
job, am I a bad person for judging and shaming them to warn others who might
be similarly conned? Or is it only developers who get the kid gloves
treatment?

------
Tharkun
There's a certain irony in not paying for a platform that incentivizes paying
rent through said platform...

------
jmull
Interesting: there are a bunch of comments along the lines of "this is why you
always get $X or X% up-front".

Over 30-some years of side-work, I've actually never gotten anything up-front
and I've always been paid.

For me, the work has always been for clients I've known for quite a while
before the contract work came up, and whom I had reason to trust.

I just bring it up as a counter-point to the idea you "always" get paid
something up-front. Context counts.

------
Improvotter
I watched this video from Mike Monteiro and I always refer to it since. It's
about getting paid for the work you do.
[https://www.youtube.com/watch?v=jVkLVRt6c1U](https://www.youtube.com/watch?v=jVkLVRt6c1U)

~~~
techstrategist
This was my introduction to Mike a few years ago, and he's been a really
interesting guy to follow since then.

------
luckydata
The idea was dumb by the way, but the code looks interesting, thanks for
sharing.

------
belzebalex
I had a similar story. At 16, a summer friend came to me. He told me that he
knew a company that needed a web app. He got a 5500$ contract. It was so much
for us, just high-schoolers.

We didn't know how to do a web app. I knew a bit of Python, him a bit of
JavaScript. So during a month, we learned how to and built the app they asked
with Django. I never learned so quickly!

After a month, we shipped the app. They had a lot of users (900+), so our app
that worked well with a database of two people failed miserably.

We spent nights fixing its problems. It used an external API that we had rate
limiting problems with. I implemented a cache using Postgresql.

Then, they started to ask us for more features that weren't in the original
contract. They said that if we wanted to get paid, we had to do them.

Eventually, we realized they weren't going to pay for us. We asked them to pay
us, and they said yes. Then they said no, contact our lawyers. Their lawyers
told us they wanted to engage charges because we didn't do the job well. They
were still using our website without paying us! We contacted a lawyer and
quickly realized that because of the legal fees (2500$ upfront + 500$/hour),
it wasn't worth it to seek justice.

We were completely fucked.

Then, I remembered they used Heroku, which was based in the US and therefore
applied the DMCA laws. We sent them an email explaining the situation and, in
under 48H, they took the website down. I will always remember that morning
when my friend woke me up to show me their site down.

As we did the deployment, they took a week to re-deploy our app at a server
under French jurisdiction (that we could never have taken down).

Then, their whole company ran out of business as customers were leaving and
asking refunds because of the lousy service. They laid off everyone, but our
app is still freely accessible at [https://crypto-analyse.com](https://crypto-analyse.com).

This experience taught us many lessons:

- Never work for something that you're not paid for unless you're doing
  charity or working for yourself.
- Contracts are no guarantee
- They made a lot of money with our app. We could have made a lot more by just
  selling it ourselves.

And that's what we did! We just shipped our new app (it's an app to automate
crypto trading with a conditions editor),
[https://kaktana.com](https://kaktana.com)

We now make more money than we had thought before, all of that using the
experience we gained from that shitty deal.

“The phoenix must burn to emerge.” - Janet Fitch

------
futureastronaut
Another take on this would be to open source components developed, but not the
application itself, and be more subtle about the client mess. That's a better
way to get some positive marketing out of what would be wasted time.

------
paulsutter
If a vendor doesn't pay you, call a collections lawyer.

Generally speaking the client owns the code whether or not they've paid yet.
Of course if the client agrees this is fine. But it's not fine if the client
hasn't agreed.

Stunts like this are a really bad idea. There's a right way to do it, and it
works really well. Call a collections lawyer.

~~~
finkin1
My understanding is that the person who produces the work generally
owns the code until they are paid. Obviously it depends on the specifics of
the signed agreement, but I'm curious why you think the client owns the code
by default?

~~~
paulsutter
I’ve never seen a contract like that, have any examples?

~~~
kentrado
It's the copyright law. You own your work, all rights are reserved until by
means of a license you give it away.

No payment would invalidate the license.

~~~
paulsutter
No actually most contracts assign full ownership and not a license.

What about partial payment? What about a payment dispute? in all these cases
ownership remains as defined in the contract.

You could try to make a contract that works the way you describe but it would
be unwieldy and I’m skeptical anyone would use it.

It’s really straightforward to call a collections lawyer. In most cases the
money is paid after one or two letters.

Not paying money owed can have bad consequences. The collections lawyer
reminds them of this, and the situation is remedied in short order.

On the other hand, pulling some cowboy stunt to teach them a lesson (like
releasing their source code, or the related idiotic idea of sabotaging their
website or business) could lead to paying significant civil and even criminal
penalties.

------
robot
Never thought about building an app with Plaid, cool. It's also a good example
to play with react native.

~~~
pysxul
This might affect your decision: "Plaid Deletes GitHub Issue Exposing
Imitation of Bank Login UIs"

[https://news.ycombinator.com/item?id=20133806](https://news.ycombinator.com/item?id=20133806)

~~~
praneshp
Clickbait headline warning for that, btw.

------
amorphous
This reflects badly on the developer who posted this. Though it is easy to
sympathise, this is not professional behaviour. Learn from mistakes and move
on focussing on finding good clients.

------
leerob
Is anyone willing to share their opinions on react-native-web?

~~~
trillcyborg
It's great

------
antoineMoPa
Could you like... Start a business with that?

~~~
sheeshkebab
You could - or could start without it. The code is really nothing special -
relies on Plaid for processing payments and small dB to keep user profiles...

it’s done well though, so could certainly build it up if this model is what
you are looking for.

~~~
kombucha11
I'm trying to wrap my mind around what the author means by saying the value
would come "from leveraging data to eventually create a rental marketplace
where users can find the perfect apartment to move into."

~~~
taormina
I think the intention was that by building an audience of apartment renters,
that he could pivot into a related idea with this audience.

------
grogenaut
Super cool. I've been looking for a more in depth example for a while like
this.

------
vinniejames
That's why you always require a sizeable deposit, never start working for free

------
jedikv
I appreciate you open sourcing this. Good luck on future projects.

------
Brian_K_White
Only cockroaches fear the light.

------
nryuk
As someone who occasionally does recruiting for developers and always do some
quick searches for GitHub profiles. You'd be dropped as a potential candidate
on our team if we stumbled upon this, "After he signed and I began building he
decided to pivot and not pay me."

Just screams unprofessionalism in my opinion.

~~~
dkersten
> Just screams unprofessionalism in my opinion.

Surely the guy not paying is the unprofessional one?

Sure, since _"he signed"_, he could have probably taken legal action, but
that's often a long and costly process. How is cutting your losses and walking
away (but outsourcing the code you wrote) unprofessional?

~~~
rangerpolitic
> Surely the guy not paying is the unprofessional one?

Surely, both people in the relationship can behave unprofessionally.

> How is cutting your losses and walking away (but outsourcing the code you
> wrote) unprofessional?

That's not why people are suggesting the developer is unprofessional. It's
because he's complaining about a client publicly.

