[tptacek]

On the contrary, if you have a signed master and SOW for a project, you absolutely cannot just bill over or outside of the SOW because of "contractors labor costs". The whole point of contracts is to agree to costs up front and eliminate these kinds of on-the-fly disputes.

[dredmorbius]

SOW: Statement of work.

<https://legal.thomsonreuters.com/blog/what-is-a-sow/>

[bjornsing]

But as I understand it EE did not bill outside or over the SOW. They just sent updated cost estimates indicating that they wanted to.

[tptacek]

All we have to go on are the statements, but DEF CON's statement is falsifiable and direct:

After going overbudget by more than 60%, [and] several bad-faith charges

Which, again, pattern matches to a pretty common mode in which consulting projects blow up: you give an optimistic estimate, learn partway into the project that you were hopelessly off, and then try to invoice your way through it.

[bjornsing]

EE’s statement is about as falsifiable and direct I would say:

Once a month, we billed for our work and submitted an updated estimated per badge final cost - committing as costs built to discount our work as necessary in order to hit DEFCON’s per unit cost targets.

In June, after 5 months of late night work, badges were fully designed, prototypes were working, and mass production was ongoing with the manufacturers we contracted on behalf of DEFCON. We billed DEFCON for our most recent work, discounting our labor by 25% in order to meet the agreed upon targets. Unfortunately, we were instead met with a work stoppage request and informed we would no longer be paid for services already rendered.

Easiest way for me to reconcile these is by assuming that DEF CON’s statement about going 60% over budget is referring to the estimated per badge final cost, not actual invoices. But yea, it’s hard to know what happened here just based on these statements.

[aestetix]

I would be very interested to know what DefCon's budget for the badges is, and how much latitude was built in for things like chip shortages, rush shipping, etc. A big project like this, especially during major geopolitical strive, could have all sorts of unforseen complications. DefCon has been around the block a few times and should know how to handle things. But without details, it's impossible to know for sure.

[joezydeco]

This one seemed a bit riskier, using the new Raspberry Pi microcontroller that's not even for sale yet. Granted, the parts were probably donated, but getting the timelines right must have been a concern.

[llm_trw]

It's not defcon's job to figure out how EE should charge for their projects.

[5ci3nc3]

I'd like to know why badges are being used at all. It's DefCon- isn't there a more creative way to handle security?

[tptacek]

People love these stupid badges. That's why they get made.

[borski]

Every other year they build a hackable “smart badge,” and people love to hack on those things. Are they necessary? No. They’re toys. But they’re fun.

[Aeolun]

60% over budget sounds sort of within the realm of reasonable? Most projects that go over budget reach 100-200%.

If you agree to get monthly invoices instead of one fixed cost project, then you are implicitly agreeing that costs are variable.

[kelnos]

That's the thing that's weird to me. If DEFCON had a hard cost limit that they were unwilling to go over, structuring the contract with monthly invoicing based on materials and ongoing labor costs makes no sense. It would seem to me that the only sane way to do this would be to make it a fixed-cost $X contract, and the only monthly (or otherwise periodic) part of it would be to split payments by milestone or by some other rubric.

[jhaand]

It depends on the contract. I will never just do a single SOW contract and risk it all. I will do an hourly contract and maybe give a discount if a certain amount of money is spent because things get tough. The client will get an estimation but in this day and age, prices will vary in a few months.

Entropic Engineering should not have gone through with this project on this timescale of 6 months with a new chip. Defcon badge team doesn't know how to properly outsource electronics, collaborate and do risk management.

[mafuyu]

Agreed. I’m honestly not familiar with how they’re structured for hardware contracts like this. I was imagining some sort of cost plus structure. No point in speculating on the details of a contract dispute where we don’t have the contract, I suppose.

I was under the mistaken understanding that EE was not paid out at all. Rereading their statement, they say they were partially paid, so I think I was overly harsh. This is firmly in “boring, messy contract dispute” territory now, I’d say. :)

[thelittleone]

Its not uncommon for a contract and SOW to include an hourly rate for approved out of scope items.

[tptacek]

Yes.

https://news.ycombinator.com/item?id=31526196

I'm guessing that's not what they did, though, since DEF CON comes right out and says they submitted bad-faith invoices. That's a factual, falsifiable claim, and a commercially damaging, actionable claim if it's false.

[firesteelrain]

What kind of contract was it? If it’s cost plus you sure can

[minkles]

Clearly you've never worked on a government project!

I was on a defence project that overshot by a cool billion dollars on the SOW...

[tptacek]

I've made a point of not working on government projects, so yes, this is a blind spot for me.

[cowsandmilk]

There are multiple ways government contracts (and contracts in general) are billed. Blanket statements about billing for government and non-government contracts are not accurate.

[ipaddr]

Why not share some facts. A blanket statement about blanket statements is something a bot would do.