by Aurornis 670 days ago
DEFCON’s response was posted on Reddit: https://www.reddit.com/r/Defcon/s/NVw5T4LXQR

Unsurprisingly, it contradicts some of the claims Entropic has been making. Entropic admits to having exceeded agreed-upon budgets by a significant amount, which DEFCON corroborates. There is some disagreement about what has been paid, though, as DEFCON believes they have paid for the hardware development.

Some of the other claims also appear to have been exaggerated or at least phrased in misleading ways. The Entropic Engineering logo was not removed from the PCBs. Their logo was not included on the plastics because Entropic was not responsible for the plastics and the initial plan to include their logo was only a courtesy before the relationship soured. The DEFCON statement alludes to budgets being exceeded by a significant margin (not covered by minor reductions in hourly rate as the other statement implied) and even calls out some “bad-faith” charges.

I’m also confused about the earlier threats to use the DMCA against DEFCON for using the firmware without a license. As far as I can tell, the firmware was produced as part of the agreement between DEFCON and Entropic, in which case there shouldn’t be much question about the license as it’s a work for hire. Imagine hiring a company to write software to your spec and then to have them later try to claim they’re going to pursue legal action for using the software you paid them to write. Something is strange here.

It also appears that the firmware engineer’s dismissal from the talk was communicated before it began, so his choice to get on stage anyway knowingly violated that decision. Regardless of what we think should have happened, getting up on stage after being told not to isn’t going to go well at any conference for any reason.

I think there’s a lot more to this story than the initial round of accusations let on. I think the first movers in publishing their narrative often win the public opinion debate, but if even half of what DEFCON is saying is true then Entropic and their team don’t appear to be operating entirely in good faith with the way they’ve handled this publicity.

5 comments

> there shouldn’t be much question about the license as it’s a work for hire.

Work for hire is about employees. Entropic is not an employee of DEFCON, it is a company with a contractual agreement to provide something in exchange for money. The details of when, if ever, IP rights are transferred to DEFCON should be spelled out in the contract. I have seen all sorts of arrangements for that. However, in a well-drafted contract, IP ownership probably wouldn't transfer prior to payment.

Also, the firmware author isn't an employee of anyone. In a lawyerly world, that would be resolved with a clear copyright assignment or license, but I have no idea if that happened.

> As far as I can tell, the firmware was produced as part of the agreement between DEFCON and Entropic, in which case there shouldn’t be much question about the license as it’s a work for hire.

The default state of things is that the author owns the code, regardless of any contracts between Entropic and DEFCON. He may or may not have signed those rights away, but if his other assertions are true (that he wasn't anyone's employee or contractor) then I'd be mildly surprised if the right legal structures were in place to ensure DEFCON owned the code.

That's an issue when writing code for hire too (or, e.g., hiring a photographer). If you're not careful, you don't have very many rights with respect to the final product, even after paying somebody to write it for you.

Implied, limited, non-exclusive licenses are a thing, and I wouldn't be terribly shocked if (assuming a judge had to decide) all parties aren't at least allowed to continue distributing the badges (perhaps not to redistribute the firmware itself, modify the firmware, ...). Things get murky in a hurry though, and finding a resolution not requiring a court is probably better for all parties.

To add some detail to what others have said, to be a work for hire in the US it must either be a work made by one of your employees within the scope of their employment or all three of the following must hold:

1. You specifically ordered or commissioned the work,

2. There is a written contract that states that it is a work for hire, and

3. The work falls into at least one of these 9 categories:

• a contribution to a collective work

• a translation

• a part of a motion picture or other audiovisual work

• a supplementary work (e.g., foreword, illustration, editorial notes)

• a compilation

• an instructional text

• a test

• answer material for a test

• an atlas

For a long time contract software usually could not be a work for hire because it usually did not fall into one of those 9 categories. I believe in recent years some courts have decided that contract software usually does fall into one or more of them and so can be a work for hire. I don't know if that view has become widespread or is just confined to some federal court districts.

Practically what this means is that when hiring a contractor you either put in the contract that the contractor will assign the copyright to you or that you will be given a suitable license to use the code that is pretty much equivalent to owning the code (irrevocable, exclusive, allows making and distributing derivative works, you can sublicense to others on any terms you want, etc).

> I’m also confused about the earlier threats to use the DMCA against DEFCON for using the firmware without a license. As far as I can tell, the firmware was produced as part of the agreement between DEFCON and Entropic, in which case there shouldn’t be much question about the license as it’s a work for hire

In theory that's true if they legally structured things properly. All comes down to what legal structures were put in place between all three parties starting with the contract (if any) between Entropic and the sub.

I kind of agree, but that assumes they all set up their contracts appropriately... which, having been deeply involved in that community for many years... let's just say I could toss a coin about that assumption being true. If the sub didn't sign anything and Entropic/DEFCON just took his firmware and used it (even if that was the contractor's intention), it's still a significant IP liability for whoever was flashing it all.

> As far as I can tell, the firmware was produced as part of the agreement between DEFCON and Entropic

Nope, DC knew that I was writing firmware and I am not a part of Entropic, nor report to them. From the very start of this project they knew this. The first email at the start of the project stated this.