[mafuyu]

Reading EE and DEFCON’s statements, I’m inclined to think whoever was managing this on DEFCON’s side was not on top of things and blinked at the last minute. I’m sure there were delays and issues on EE’s end, as it always goes with hardware, but it’s still EE’s design, parts sourcing, and manufacturing run that DEFCON just took over last minute?

I don’t know the terms of their contract, but that wouldn’t fly in a typical contractor setup. You can’t just cut out the contractors labor costs after the fact. I’d be more inclined to give DEFCON the benefit of the doubt if they canceled the entire project earlier on and engaged a different contractor to build an entirely different badge from scratch.

Given that dimitri wasn’t even paid for the firmware(!), my guess is this was low budget. For something of DEFCON’s scale, this can’t really be a “for fun” hacker project if you want to guarantee results. The “for fun” part is ensuring the attendees can all have a good time hacking on the badge, not the people doing the labor.

[tptacek]

On the contrary, if you have a signed master and SOW for a project, you absolutely cannot just bill over or outside of the SOW because of "contractors labor costs". The whole point of contracts is to agree to costs up front and eliminate these kinds of on-the-fly disputes.

[dredmorbius]

SOW: Statement of work.

<https://legal.thomsonreuters.com/blog/what-is-a-sow/>

[bjornsing]

But as I understand it EE did not bill outside or over the SOW. They just sent updated cost estimates indicating that they wanted to.

[tptacek]

All we have to go on are the statements, but DEF CON's statement is falsifiable and direct:

After going overbudget by more than 60%, [and] several bad-faith charges

Which, again, pattern matches to a pretty common mode in which consulting projects blow up: you give an optimistic estimate, learn partway into the project that you were hopelessly off, and then try to invoice your way through it.

[bjornsing]

EE’s statement is about as falsifiable and direct I would say:

Once a month, we billed for our work and submitted an updated estimated per badge final cost - committing as costs built to discount our work as necessary in order to hit DEFCON’s per unit cost targets.

In June, after 5 months of late night work, badges were fully designed, prototypes were working, and mass production was ongoing with the manufacturers we contracted on behalf of DEFCON. We billed DEFCON for our most recent work, discounting our labor by 25% in order to meet the agreed upon targets. Unfortunately, we were instead met with a work stoppage request and informed we would no longer be paid for services already rendered.

Easiest way for me to reconcile these is by assuming that DEF CON’s statement about going 60% over budget is referring to the estimated per badge final cost, not actual invoices. But yea, it’s hard to know what happened here just based on these statements.

[aestetix]

I would be very interested to know what DefCon's budget for the badges is, and how much latitude was built in for things like chip shortages, rush shipping, etc. A big project like this, especially during major geopolitical strive, could have all sorts of unforseen complications. DefCon has been around the block a few times and should know how to handle things. But without details, it's impossible to know for sure.

[joezydeco]

This one seemed a bit riskier, using the new Raspberry Pi microcontroller that's not even for sale yet. Granted, the parts were probably donated, but getting the timelines right must have been a concern.

[llm_trw]

It's not defcon's job to figure out how EE should charge for their projects.

[5ci3nc3]

I'd like to know why badges are being used at all. It's DefCon- isn't there a more creative way to handle security?

[tptacek]

People love these stupid badges. That's why they get made.

[borski]

Every other year they build a hackable “smart badge,” and people love to hack on those things. Are they necessary? No. They’re toys. But they’re fun.

[Aeolun]

60% over budget sounds sort of within the realm of reasonable? Most projects that go over budget reach 100-200%.

If you agree to get monthly invoices instead of one fixed cost project, then you are implicitly agreeing that costs are variable.

[kelnos]

That's the thing that's weird to me. If DEFCON had a hard cost limit that they were unwilling to go over, structuring the contract with monthly invoicing based on materials and ongoing labor costs makes no sense. It would seem to me that the only sane way to do this would be to make it a fixed-cost $X contract, and the only monthly (or otherwise periodic) part of it would be to split payments by milestone or by some other rubric.

[jhaand]

It depends on the contract. I will never just do a single SOW contract and risk it all. I will do an hourly contract and maybe give a discount if a certain amount of money is spent because things get tough. The client will get an estimation but in this day and age, prices will vary in a few months.

Entropic Engineering should not have gone through with this project on this timescale of 6 months with a new chip. Defcon badge team doesn't know how to properly outsource electronics, collaborate and do risk management.

[mafuyu]

Agreed. I’m honestly not familiar with how they’re structured for hardware contracts like this. I was imagining some sort of cost plus structure. No point in speculating on the details of a contract dispute where we don’t have the contract, I suppose.

I was under the mistaken understanding that EE was not paid out at all. Rereading their statement, they say they were partially paid, so I think I was overly harsh. This is firmly in “boring, messy contract dispute” territory now, I’d say. :)

[thelittleone]

Its not uncommon for a contract and SOW to include an hourly rate for approved out of scope items.

[tptacek]

Yes.

https://news.ycombinator.com/item?id=31526196

I'm guessing that's not what they did, though, since DEF CON comes right out and says they submitted bad-faith invoices. That's a factual, falsifiable claim, and a commercially damaging, actionable claim if it's false.

[firesteelrain]

What kind of contract was it? If it’s cost plus you sure can

[minkles]

Clearly you've never worked on a government project!

I was on a defence project that overshot by a cool billion dollars on the SOW...

[tptacek]

I've made a point of not working on government projects, so yes, this is a blind spot for me.

[cowsandmilk]

There are multiple ways government contracts (and contracts in general) are billed. Blanket statements about billing for government and non-government contracts are not accurate.

[ipaddr]

Why not share some facts. A blanket statement about blanket statements is something a bot would do.

[mlyle]

DEF CON's response reeks of petty; characterizing dmitry as a "subcontractor" rather than a volunteer for spin purposes, and the choice to remove Entropic's logo from the case based on this budget dispute.

[echoangle]

I think the point of calling Dmitry a subcontractor was to make clear that dmitry worked for/with EE, not DEF CON.

[mjw1007]

But surely DEF CON know that isn't true, because Dmitry evidently provided them with the firmware after the "stop work" order to EE (otherwise it couldn't have included the easter egg).

[echoangle]

That’s a good point. From reading DEF CONs statement again, I could imagine that they would claim they issued the stop work order and then got delivery of the current state, which then included the Easter egg. That’s the only way I can come up with where this makes sense. It’s also not clear to me if DEF CON really got the firmware from dmitry or if he gave the firmware to EE which then delivered it together with everything else to DEF CON.

[Aeolun]

If he was working on the firmware until the moment of his flight to Defcon, then clearly they were happy to continue taking his time and effort for free.

This also seems to be implied by Entropic, which say they did work on the badge after DEF CON stopped paying them for it.

[crest]

The term implies the existence of a contract. By his own clear statements Dmitry did the firmware on his own as a volunteer because he liked the RP2350 and wanted to to contribute to the badge project.

[echoangle]

Yes, he probably wasn’t a subcontractor in the legal sense. DEFCON wanted to say “we didn’t directly work with Dmitry, we contracted EE and they got Dmitry to write the firmware” as I understand it. DEFCON probably doesn’t know/care about every relationship EE has to their contributors.

[rasz]

>You can’t just cut out the contractors labor costs after the fact.

Its not after the fact, thats exactly what Stop-Work Order was for.

[bjornsing]

EE claims that DEF CON does not want to pay up until the stop-work order though. So it seems to be at least a bit “after the fact”.

[darksim905]

why would DEFCON go with such a small outfit?