I followed the link, and while there is a video of someone getting dragged off stage, I can't really verify the other claims.
But even so, dragging a presenter off stage is sus. And doesn't seem smart because even if the other claims are not true, I'm tempted to never attend Defcon if that's what they do.
Entropic is engaged to make hw. I am asked (unofficially) to do sw.
Entropic works for free but does charge for parts and subcontracted stuff. Eventually defcon stops paying. Entropic is uninvited from badge talk. Their logo is ground out of plastic case. Their logo hidden in publicity photos of pcb.
Tempers are high. I implement the Easter egg. This is months ago cause that's how long one needs to pre-flash chips.
Time passed. Defcon still working on their game last moment. They had volunteers reflash badges cause they didn’t make the real pre flashing deadline. I forgot about the screen entirely more or less.
Day of con. I spend all day helping debug badge issues. Push updates. Help people. Even pushed an update from plane on way to con to fix some things.
Badge talk time. Half an hour before defcon tells me no talk for me cause someone found the Easter egg screen and they are pissed. I show up anyways since it was promised.
I get dragged off stage.
I hold talk outside answering questions.
Next steps: I have no contact with defcon. They never bothered to. Normally: who cares? I get to talk, people get to play with badges. Nobody cares.
But… I got kicked out, and… they have no license to my firmware they are distributing. Likely DMCA notice.
Man. I've never been to defcon, but it's been more than a passing curiosity ever since the first real announcement[0] crossed my BBS in '93.
And recently I've had a string of bad, unalterable, and irrevocably-permanent events occur in my life. And yet, I'm very pleased to say that your write-up on your experiences with the RP2350[1] presented a small but meaningfully-positive thing for me to look forward to.
Please be well -- and don't take any guff from these swine[2].
Blackhat is even more of a pay-to-play corporate event. A few years ago, someone paid to do a talk on time traveling crypto and the CEO of Trail of Bits (iirc) stood up and called him out on the spot over the nonsense tech.
Defcon has a lot more grassroots stuff, but it's grown to a size that it cannot avoid the corporate BS anymore. It's probably one of the biggest and most disruptive conferences in Vegas, venues don't like having 1000s of hackers hanging around slot machines.
A friend said "getting out of vegas would mean losing half the point of going to bh/defcon (which is getting your company to pay for you to go to vegas)"
The people that go there for that reason are probably not the ones you want there anyway.
And most corp trips are to black hat, not def con.
I've been offered a trip to black hat before and asked if I could go to def con as well but no. I was thinking of just staying longer on my own dime but we got a travel ban for cost cutting reasons so the whole thing never happened. I wasn't really interested in black hat anyway so I didn't care, I hate corporate PR.
But Vegas to me is a detractor. I hate gambling. I'd love it if it were in NYC or something. Much easier from Europe too.
I worked in a "blue team" and we would only get travel approvals for black hat. Even though I've never been as I didn't want to and I was hesitant to visit the US. Black Hat doesn't interest me precisely for the reason you mentioned. I don't want sales pitches, I want unrestricted flow of technical information without marketing motives.
Why’d they be pissed about people donating money to the people they didn’t want to pay :/
I just don’t see how they lose anything there (or rather, don’t see how they lose anything there that they lose a hundred times more of by their actual actions, namely reputation).
Every niche convention either stops existing or transitions into a business that slowly gets rid of all the fun stuff that created it in the first place.
There is not just the big end of year congress, but also lots of smaller events organised and run by regional CCC (like) groups in Europe e.g. MRMCD, EasterHegg, the Dutch camps changing the name every time (next one is WHY2025).
> Every niche convention either stops existing or transitions into a business that slowly gets rid of all the fun stuff that created it in the first place.
It parallels what Ivan Illich said about revolutions, namely that if a revolution survives it will turn into a system that stifles the same freedoms it supported.
Aka, either you die the hero, or see yourself become the corporate stooge/villain.
Not really. The Dutch hacker camps have been pretty constant (save for 2021 for Covid reasons). Run by mostly volunteers yes but basically every participant is a volunteer. It's part of the fun.
They've not really shrunk or significantly grown and are really opposed to corporate and government interests (as Fox-IT found out in 2013)
Absolutely. They're a bit more maker than hacker focused but for me that's a good thing.
I just don't really like going to the UK anymore since Brexit. It just puts me off because the main driver of it was xenophobia. I've avoided it, I have not been there at all since Brexit. I probably won't ever go there again unless there's a serious change. Of course none of this is on the EMF community which is great, I've met many of them at other things.
As for the hacker camps I only really go to the Netherlands ones. The Congress is too expensive for me with the hotels around Christmas and with my lack of car it's hard to go camping in Germany so I've never been to the chaos camp either. Within Holland it's been easier because they've recently been at locations near me.
Commercial copyright infringement has a per instance statutory minimum.
Demand the minimum for every badge distributed — as even if you later provided licenses to holders, DC had no license when distributing the copies as merchandise at their for-pay event.
Why do you think they don't have a license from Entropic in the contract they both agreed to? Unless they are utterly incompetent, their contract with Entropic covered this and if Entropic delivered firmware that they don't have rights to, that's on them, not on Def Con. Anything that comes to Def Con just results in a lawsuit against Entropic. Additionally, he apparently wrote the code on the plane prior to his arrival and then worked to get it on all the badges. That's going to make it pretty hard to argue that they don't have permission to distribute the badges with this code on them.
You left out the part where the "Goons" physically touched you, and forcibly removed you from a location against your will. The "Goons" have no authority to carry out such an act. And there's video footage. Congratulations on winning the lawsuit!
"and forcibly removed you from a location against your will"
Not saying they were morally or ethically right, or smart to do this at all - but legally there usually is a right to remove an unwanted person from your stage with the help of your own security.
Under German law, it would be anyone officially acting as security on that property. (It does not have to be a professional security, it can be anyone from staff filling in that role).
The police do not want to be called for every bouncer action.
It can get into a grey area, if violence will happen, the security may not simply beat someone out - but grabbing and forcefully moving or carrying out is legal. But if there is serious resistance and the security is unable to handle it in a nonescalating way, then they would need to call the police.
But usually, the bouncers would just get brutal, then. Attacking security gives them some freedom to act.
If other people are endangered by someone, very different scenario, anyone can (and must if possible) stop violence.
I don't know why people think this, you're not the first person I've heard it from either.
First, I literally saw them do shots during a talk yesterday for some first-time presenters. Secondly that WASN'T the "old defcon" either! Drinking is a relatively new tradition in the history of the con. I've spoken twice. Once at DC 17 (no shot offered) and once at DC 23 (shots were offered). There's video proof:
This is textbook copyright infringement. $150k statutory damages plus, at the court's discretion, legal costs and fees. And that is just the result of civil action. You could probably find a prosecutor who would love to pursue criminal action against the conference to appear strong on cybersecurity.
There is a reason why even large corporations, which often play chicken with lesser laws, are extremely careful about copyright infringement. The law has real teeth if the infringer has significant wealth.
One part of me wants you to DMCA the living daylight out of them. The other part is currently seeding torrents and thinks copyright is kinda dumb. Anyway, shitty thing to do by the defcon people.
I have been giving out licenses to the firmware to anybody who asks in the unofficial badge hacking discord. :) Also, my signature on the badge acts as a nontransferable license to the firmware in source and binary. I signed maybe a thousand today at my unofficial talk outside after I was dragged out.
Sounds like there's more going on though. They must have had a reason for not paying? Especially considering the apparent anger with which they removed all references to them. I mean, if they simply ran out of money and couldn't pay they wouldn't be so angry because it was really their own fault.
I'd love to hear their sides of that story. (Both Def Con and Entropic). I'm curious now.
I'm sorry you got roped into this conflict too though. I have great respect for your work.
It sounds like they called the police, that is not swatting. Swatting is a specific tactic where you abuse the minimal training and disposition to violence of US police forces to attempt to murder people by reporting that they’re armed and/or threatening violence.
Claiming the calling the police on someone is swatting, even though US police routinely execute people unprovoked attacks, is not swatting. The difference is the intent - the intent of swatting is terrorism and murder.
No, it's not. Let's not dilute the term. SWATing someone is calling in a fake situation on a person that earns them a visit, specifically, from SWAT. Hostage situation, bomb threat, etc. are the usual means of doing so.
When people get SWATed, usually a fake call is made, where the police are told that a murder was already committed by the caller and that we will kill everyone on sight. Thus the police expect real danger, bring the big guns and their trigger happy attitude, kick the door in and are more likely to kill the victim.
It's not SWATing if the police come to handle a disturbance. The SWAT team needs to be deployed for a SWATing.
Anyone could have called the cops too. A gathering of 100 people can make people nervous. But I wouldn't be surprised if Defcon called them too.
How isn't it? SWATting is nothing more than calling the police and sending them out to somewhere you know nothing is going on as an attack dog. This seems extremely similar to what has happened here.
> SWATting is nothing more than calling the police and sending them out to somewhere you know nothing is going on as an attack dog
Bullshit.
Swatting is:
> the action or practice of making a prank call to emergency services in an attempt to bring about the dispatch of a large number of armed police officers to a particular address.
The cops' response for like, someone disturbing the peace or someone playing loud music in the middle of the night, is nothing like when the SWAT team comes with automatic weapons, full body armor and flash bangs, expecting to be shot at, as promised by the prank call.
I would definitely say calling the police on someone you know is doing nothing wrong could be considered "a prank call to emergency services in an attempt to bring about the dispatch of a large number of armed police officers to a particular address". I definitely don't think it can be waved away with bullshit. People in the US are routinely shot for no reason at all. Any contact with police should be taken extremely seriously.
Yeah, after some more digging, it does appear to be you.
I do wish I had more context from the video, but at this point, it's getting hard to imagine any good reason for Defcon to do what they did. Assuming that you weren't threatening someone in the audience or something like that. Doubtful, from the way you've been talking.
Anyway, it looks like good stuff. Wish I had some Game Boy games to try it.
I would counter that by asking why would any of us not want to dig or investigate claims and assertions made in 2024? It’s hugely important to approach life with a critical mindset these days, and something we should all be doing.
This is Dmitry Grinberg[1] some of whose absolutely amazing projects (like, running Palm OS on other devices) have recently gotten some traction here on HN.
(In particular, he managed to get Palm OS running on the badges in question).
If there's one person whose credibility I wouldn't doubt on those matters, it's him.
Option A: let the dude have his talk. Nobody hears about it beyond the walls of defcon. Move along.
Option B: uninvite and call security. Guy becomes instant personality on reddit and hn. I didn't know that defcon had become a shitty, small minded operation that abuses volunteer time and can't take an Easter egg, well now I do!
I stopped paying attention a few years ago because their leadership was visibly heading in this direction.
It's always kind of frustrating to see programmers and other software people participating/defending that kind of thing considering logic is our whole game to begin with.
The premise of ‘tech people’ not at all succumbing to the same shortcomings as any other human is utterly language and the source of so much undeserved hubris in this industry. Developers are some of the worst, ‘illogical’ people I’ve ever met, especially when it comes to anything interpersonal.
IANAL, but I'm skeptical that Dmitry's interpretation that Defcon has no license is correct. It sounds like Dmitry sent them firmware images with the mutual expectation that those will be used on badges, and they invited him to the Badge talk which could be considered consideration. That should constitute a contract, either verbal, or through concludent acts. This should give Defcon the right to use Dmitry's on the badges, but not modify it. So legally the whole thing would probably be considered a contract dispute, not use of unlicensed software.
Defcon will probably argue that including the easter egg was some kind of breach of duty on Dmitry's part, and gave them the right to remove him from the talk, and modify the firmware to remove the easter egg. My expectation is that courts would decide that Defcon has the right to use the firmware, but will require them to pay some kind of compensation for not living up to their side of the bargain.
IMO the thing that may matter most here is the PR effect on Defcon. It's the badge - every attendee takes this thing home and engages with it. It's a talking point, memento and representation of the spirit of the conference.
That's an unmitigated PR disaster for Defcon. It doesn't matter to this who was right or wrong or what laws were broken, even if somehow all legally ended up in Defcon's favour, the damage to the brand is huge, enduring and set aside from those issues.
To address this, whoever at Defcon ultimately actioned this series of events should be held to account, for this PR aspect, and the matter immediately and publicly handed to someone with an appropriate understanding of Defcon's culture & reputation.
Did Defcon contract with Entropic Engineering for hardware and software? Or did Defcon contract with EE for Hardware and non-contract it from Dmitry?
If it is the former, Defcon could say "you need to work that out with EE and if it turns out that EE wants to revoke the license for the software, we'll have our lawyers talk with your lawyers about what is in the contract."
If it's the latter, then things get trickier and more difficult in many different directions.
Based on https://old.reddit.com/r/Defcon/comments/1eoe4u7/so_the_guy_... "/u/dmitrygr wrote the firmware for the badges as well at the behest of Entropic" - it's the former. And so if anyone is in trouble with the licensing, it's Entropic for not having a contract with Dmitry and providing the software to Defcon. Defcon used it, with the understanding that they had a license to the firmware.
This would depend on the contract that DEFCON has (had) with Entropic Engineering and what the deliverables were.
It may turn out that Entropic would be the one paying the penalty and footing the bill if one of the people they worked with decided to change the license.
Revoking or changing that license afterwards may fall on the vendor rather than the distributor to make things right.
While this isn't likely to be something anyone is going to come out smelling like roses out of... my crystal ball says that Entropic is going to come out the worse for it.
Having a "volunteer" working for a for profit company has hints of FLSA violations ( https://www.reddit.com/r/Defcon/comments/1ep00ln/comment/lhj... ). Having a person that Entropic is working with for embedded software put in easter eggs that went counter to the SOW becomes difficult. Entropic relying on software that has a license of "as long as the software author is ok with it" may complicate future business relationships with other clients.
Isn't it kind of too late at that point? If I understand correctly, this notice came after the badges were already distributed. Like maybe that would work for future uses of the software, but I don't think constructive notice can be retroactive.
Um, removing a person who’s giving a talk is a completely different action from the distribution of (potentially) unlicensed software.
DEFCON may well have many reasons and legal recourses to stop a talk from occurring. But if they do not meet the terms of the contract for the IP, then the author/developer/manufacturer is entirely free to pursue action against them.
Now it’s possible the developers had not watched Mike Monteiro’s “fuck you pay me” talk (https://creativemornings.com/talks/mike-monteiro--2/1), but assuming that the claims in this tweet are remotely accurate you can bet that - assuming they can get someone to do it at all - next year's defcon badge will be produced by someone with a contract that has the only sane language: “no transfer of any IP or right to distribute occurs until receipt of full payment”
Minor addendum due to being outside of the edit window.
The “um,” start to this was unnecessarily shitty/passive aggressive and I just noticed it when I was checking for replies, so apologies for that attitude.
The issue I was wanting to address is that the reply was talking about removing the speaker as if that is relevant to the OP’s comment about IP, etc and in hindsight I guess I assumed a bad faith argument and responded to that assumed intent rather than the actual comment.
If including an Easter egg voids the contract, then they should also start a class action against Microsoft for frivolously including a flight simulator in excel.
It would be surprising to me that even if DEFCON could be considered to have a license, that that license would be irrevocable. At the end of the day they have received work product for free which they do not own and the owner is saying they can’t distribute it.
While it doesn't show you any thread context, for media tweets like the video one linked if you paste the URL into a site like https://savetwitter.net/en it will spit out the video file to watch as well as telling you the text of that tweet (although, testing it with that tweet on my phone just now I had to select the title and paste it elsewhere to see as the page truncated the visible amount to fit phone width).
I believe the hardware designer was stiffed (according to some threads on Twitter)? There doesn't seem to be a summary of what happened anywhere, but from the reactions I've seen, it looks like DEFCON didn't pay a vendor for badge hardware, and the firmware has an easter egg showing that vendor.
Yes and no, they may have been informed in a non-public setting on _why_ DEFCON has refused to pay.
DEFCON themselves is likely to not state a reason publicly, so getting a "here's what I was told by DEFCON" is likely the closest thing that we're going to get for an answer.
I read it as tinged with the implication that the wronged party must have done something to deserve it. In retrospect, perhaps I was being too sensitive.
The event being named after a US military meter to indicate how far away the US is from nuclear war should already be an indication.
There are some good people there but also a lot of people who do not care what happens with what they build and look away when it would be time to speak up.
I feel like this is a good spot to mention that Dmitry's a friggin beast when it comes to engineering. As that Tweetster put it: "Dmitry is an insanely skilled dude. Easily on par with Carmack or Karpathy IMO. They almost had to delay the original Kindle Fire tablet because of a rare bug that all the king's horses and all the king's men couldn't fix in 6 months, but Dmitry nailed it in a few days"
Summary of the events unfolding by Sargonas on Reddit:
Maybe this will help with a listed summary of the known facts from first hands accounts. I am leaving gaps where there has just been speculation or second hand unverifiable information, and welcome anyone with first-hand knowledge of those aspects to comment below me to fill in the gaps. I'm merely presenting the facts as we have them from first-hand accounts (mostly from reddit and discord), without personal opinion or bias (hopefully, human nature is a tricky thing.)
Entropic Engineering designed and built the circuitry of the badges, physically. They were either only partially, or not at all, paid by DEFCON for this work, contrary to whatever formal agreement they had in place. (Other amazingly talented individuals create the silk screen design, the shells, and the game, but are totally removed from this drama so I'm leaving them out of it.) Subsequently, all references to them have been removed in various materials, and even one of their logos was removed from the silk screen. (apparently a small one may be left under the battery? but I can't check because I affixed mine to the board to stop its shifting.)
dmitrygr wrote the firmware for the badges as well
Somewhere along the way, Entropic was cut out of the process and left to the side by DEFCON in a way that left Entropic feeling burned and under/un paid for their non-trivial work (according to some comments below it is 6 figure sum, but this is second hand info).
Dmitry felt this was unfair, and put an easter egg into the badge code. This easter egg simply comments that Entropic engineered the badges, and had their credits removed everywhere, with an address for donations if you wish to support them. This was entirely Dmitry's doing as a gesture of thanks to the Entropic team.
This easter egg more or less flew under the radar until EoD friday.
Friday evening, after spending most of his day traveling to DEFCON and writing a 1.5 update in his spare time on his flight to fix some issues, Dmitry was up on stage with the other badge creators about to present the usual badge talk, when word of the Easter egg went around (likely due to him including some slides on his portion of the presentation about it.)
DEFCON staff had Goons escort Dmitry off stage shortly before the talk started, delaying the talk some.
During the talk, a comment was made about “unauthorized code“ being on the badges.
Dmitry set himself up on the sidewalk outside the hall, and basically held his own mini talk about the work he did and Entropic's contributions.
At some point, LVMPD showed up. It is unclear to me personally who issued the call but second hand info says it was DEFCON staff. They noted Dmitry was simply talking to people (albeit nearly 100 of them) on a public sidewalk, outside a building owned by the county, and nothing was really amiss, and left shortly after.
Dmitry, in his (likely valid) opinion feels this whole situation has not been handled well, and since his code was written free of charge, without any signed agreements with DEFCON or consequently any rights assignments, has announced that he intends to assert his legal ownership of the code (which is his right under US copyright law). As a result, he will gladly issue a non-transferable right to the code to any attendee who asks him for one, but is no longer going to "turn a blind eye" to the fact DEFCON does not have a legal license to his code, and instead look into taking actions that are within his power to take to clarify their lack of ownership of the code on the badges. (I believe in discord he may have gone so far as to say DMCA, but I need to double-check.)
Bearing this in mind this does add a curious wrinkle to the statement about “unauthorized code” from DEFCON given… The obvious.
Can confirm. Dmitry saved the Fire tablet by finding an error in TI’s BSP while J.S. documented the repro steps, and gave me the info to get it fixed. This was during manufacture, 3 days before public release iirc.
He also rescued the Bowser pinmux that I had screwed up. And stepped in when the display IP didn’t work. And a ton of other heroic engineering.
The early Fire Phone engineering team was really talented and Dmitry was the best.
Am I missing something about how this story went missing from the front page? There is at least one story with less points posted 12 hours earlier that is still visible there.
Frankly… I’m not surprised. The whole industry is filled with this kind of fascistoid attitude now. Every organization takes any chance they can to silence opinions they don’t like (and this happens both left and right).
I see from the link above that the POLICE was called on dmitrygr for… speaking to people in a public space?
Really?
Defcon has gone from outcast meeting to full mainstream and interest-preserving. Kinda lost all of its hacker attitude, and this is proof.
I was not in the crowd so I can't say anything more about that. That said,
> This dude, as a contractor-for-hire, injected unwanted code he calls "just an easter egg" in the final firmware of the badge. This "unwanted code" is a screen asking for bitcoin donations and self-aggrandizing himself.
If this is how you feel about an easter egg I suspect you misunderstand the point of DEF CON. Maybe the organizers of the conference do too.
Besides what other commenters wrote, I think it's odd to gloss over Defcon stiffing their Badge HW vendor while attacking Dmitry, Defcon's other business partner, for not having "a responsible business dispute".
Are you sure Dmitry was a paid contractor? Let's see if Defcon disputes that Dmitry was basically asked to informally work on a friends and family basis.
Where are you getting this information that Dmitry was a paid contractor?
It's a bit of inference on my part, I'll give you that but the premise doesn't make sense if he wasn't paid.
If he was working as an unpaid volunteer with the "compensation" being a part of a talk on stage... What was he protesting before the event even started when he injected the screen asking for money? That's a pretty garbage thing to do, but he did it before the consequence he claimed he was protesting.
> What was he protesting before the event even started when he injected the screen asking for money?
The hardware vendor was stiffed and Defcon scratched their trademark from the badges, so this man added an easter egg asking for donations to them, not himself, as far as I understood.
> "He walked on stage and started yelling at the presenters. He was asked to leave by multiple groups of security staff and refused to leave while interrupting the talk. He demanded he be physically removed. The staff security eventually acquiesced to his demands."
From my read, Dmitry didn't upset his audience, excluding the flagged TrueDuality commenter. Rather, after Dmitry's protest and physical removal, a bunch of the audience went outside to listen to his impromptu talk on the sidewalk.