> a former interim IT manager still had an email client connected via token authentication - with access to all messages. And that person had signed the original contract with the provider years before. Informally questioned, he admitted contacting them "to warn them" but claimed it was harmless.
This kind of behavior rubs me the wrong way. People leaking stuff, breaking compliance and then say - It was just harmless.
I work with a Director who has done something similar multiple times. The chain of events often is - She attends an industry conferences, there she learns about a piece of software, she goes ahead and schedules product demos and solicits a contract. She then contacts the only outsourcing agency she is aware of and promises to give them the implementation contract. Then reaches out as she doesn't have the authority to sign those contracts.
Since the time I have been responsible for product selection this has happened twice. Both times I have been under different managers. Both managers have insisted it was harmless.
Last time this happened the Director was told by promising work and soliciting contracts she was in gross non compliance of the company policies. Her response showed how little she cared. As per her, this was an internal matter and no one could punish her.
Later when we evaluated the product and it promised to "get better with time". All the company's data was being ingested into an AI without regard for enterprise data security rules. Even then her response was - What is the big deal? Everyone reads everyone's data. Legal got involved and shut it down - they asked the product to turn off AI features for our instances.
It is really hard to contend against a malicious or dumb team mate. In a corporate setting if they are higher than you then it is even more difficult. They can chalk it up to a harmless mistake and no one can do a thing.
I worked for two very large fortune 100 companies. Both of them had people in management quite obviously taking personal kickbacks from vendors. Sometimes right out in the open. I would loudly point it out in meetings, which got me uninvited from a bunch of meetings.
Definitely. I've watched a company move its entire health care plan to a startup, buddy of the CEO, to help juice said startup's customer base for investors.
When the company were invited to a call to learn how their health plans had changed compared to the old provider (but after the contract was signed) - the startup 'would need more time to figure that out' .. you can imagine the deafening silence on that well-attended zoom call.
What you're describing the director do sounds like the favorite pastime of HR directors. They just love going out and changing up the performance review software every couple years without consulting anyone else and paying enormous amounts of money for it. At least the current favorite for this (Lattice) has decent UX versus some of the past ones I saw used all over (PeopleSoft in particular)
PeopleSoft, especially before the mid-2010s and depending on how it was configured, was an exercise in terrible UX. You'd have to click through like 6 pages just to change one thing. At one point, I remember there being an encoding difference between Firefox and IE that meant that you could have longer self evaluations in IE. The way they'd configure SMART goals and such was insane and it would regularly error out and dump your written text, so people would write their stuff in notepad and paste it in to submit.
Lattice is not perfect but it legitimately seems to be designed by people who understand that it's not actually useful to anyone and that the best user experience is just to make it as easy as possible to phone it in, complete with built in LLM stuff to take your poorly written self eval and make it look better.
Sounds like Oracle. Of course, they're much more clever about how they do it but always recommend people stay as far away from any of their products as possible.
> The request was simple: “Evaluate this solution, and if it’s suitable, we’ll migrate.”.
This took me a few tries to figure out. "This solution" is the open source stack without the vendor from the previous paragraph. I thought it was including the vendor and got very confused when more comparisons started to happen.
The author says the company is very litigious. He probably doesn't want them suing him on a personal basis, which makes a lot of sense. Keep in mind their own directors wouldn't pick a fight with this company themselves.
I hope one day we get to see real names in this story.
> to protect the privacy of the people and companies involved
Companies get privacy rights now?
Snark aside, I think I understand how this person feels.
I once worked for a company that did something abhorrent during a natural disaster. I spoke up and was reprimanded, while my coworkers just sat there and accepted it. I came very close to losing my job, and ended up leaving the company at my first opportunity.
It was 20 years ago, and I keep meaning to write an article about it, but never do. It's not that you want to protect the company, or that you're afraid of being sued. But there's something that weighs on you when you think about actually putting the words down.
It's all a decade or more old, so what's the point? Nobody will be held to account. The company is no longer under the same leadership (or even the same name).
My personal blog has a dead-man's switch that will reveal a number of ugly things about several of the companies for which I've worked. But who cares? That's part of the weight. What good will it do? If, by some remote chance, someone reads it, it will only make them mad. How does that help anything?
But I'm also one of those people on HN who's always crying "name and shame." So, I'm a hypocrite. Such is life.
It doesn't help that really everyone already understands that basically every company is completely devoid of morality and ethics. Noone who pays attention is surprised or shocked at companies taking advantage of disasters. They're not even above manufacturing the disaster themselves if they think they'll get away with it. Reporting on what they do feels like screaming into the void.
This company sounds like it is working (or at least did work, hard to say how long ago it was, pre-GDPR, so a while) in a really unethical manner. If we want the market and freedom-of-association to fix this sort of problem we need to learn who to avoid, right?
The predatory bullshit in TFA is widespread, not just in Open Source.
We should grant each other herd immunity by spreading knowledge of disreputable entities, ideally with receipts. You're basically complicit in abuse if you do nothing to help others.
We're doing so with Oracle. Never knowingly do business with Oracle.
The minefield is just the reality of the Italian business landscape. In a country dominated by small companies run by families and friends, this sort of thing happens every other day.
In that particular story, if true, I bet the writer is a relative of someone in the branch of police dedicated to tax checks (the much-feared Guardia di Finanza, who effectively wields power of life and death over most small businesses).
There are plenty of projects like that. Gitlab, for example, has an open-source "Community Edition" and then "Premium" and "Ultimate" editions which they charge for.
I think it's one of these "reading the letter of the law" instances. European laws (or rather, laws in European countries) often mandate public sector to use open source. The reasons vary, some of them are about promoting interoperability, and avoiding vendor lock-in, digital sovereignty, and the EU commission has a principle of "public money = public code".
So using open source on someone else's computer technically fulfills that requirement, without completing some of the reasons why the requirement exist (vendor lock-in in this particular instance is particularly laughable).
Yup, even for smaller business stuff. For a non-profit I'm on the board of, the staff wanted a more useful printer/copy machine than just a store bought thing, it's a small office, so I said sure find something and let us know.
So I get a contract and am told it's been vetted and I should sign it. What I found was outrageous.
- If we cancelled for any reason, including if they just didn't do any of there terms in the contract, we owed the full price of the remaining contract immediately.
- The way they structured it was also as a rental, so we were paying full price for purchase of the equipment embedded into the term of the contract, but it was the vendors equipment, so if we cancelled we still paid them full price for the equipment, and they got to keep it.
- If there were any legal disputes, no matter which party was at fault, my side would pay for all the lawyers.
I said nope, can't do it. And my staff were pissed at me for like a year because everyone just signs those things.
I’m also on a nonprofit board. They have an independent LLC and an independent nonprofit which signs contracts for various services like that, and then contracts with the “real” nonprofit to actually use the services. Was advised to set it up this way by an experienced nonprofit consultant.
We had to shred a bad contract (oddly enough, also for a printer / copier) and simply abandoned the LLC and declared it defunct. The service provider never has even showed up to pick up the printer. It was a pay per page contract where they unilaterally raised the price about 200% for no reason.
We also abandoned a water cooler and water cooler service after the vendor simply refused to answer our requests to end the service. (It’s $20 a month. There was no long term contract signed.) Apparently nonprofits are a target for this sort of thing, so we now don’t even mention we are a nonprofit and handle business relationships via the LLC.
How are you setting up LLCs nowadays? I set one up through legalzoom and get charged an increasing amount each year (it increased $100) this year and I can't cancel / dissolve the charges via the UI. Even though I signed up online, I have to contact the state to dissolve the LLC then show legalzoom proof in order to cancel their yearly fee. Its pretty crazy.
Are there other better vendors for this kind of work out there?
I form them myself, which takes about 5 minutes on the Secretary of State's website. The only fee to the state is a one time formation fee. This is true in a variety of states.
I got this advice to do so from (a) the aforementioned nonprofit consultant and (b) an actual attorney, who does serve as a registered agent, for no fee. He is glad to do so since in the very rare event of a lawsuit, he'll be the one representing us. However, you could also just be your own registered agent if you have an office where people regularly work.
Note that I am not going out of my way to conceal the identity of the nonprofit board members / members of the LLC.
Why do you need a "vendor" at all? Do the paperwork yourself and pay the $100 fee (or whatever it is in your chosen state), and Bob's yer uncle. At worst add in a one-time cost of $40 or so to buy a book like Nolo's LLC Handbook[1].
Not everyone wants to have their location publicly available for the world to see. If you can be served a lawsuit, people can "serve" you a bunch of other things too.
You might want to use a registered agent rather than blasting someone's home address into all kinds of public records, or using an attorney who starts the billing clock to receive spam. And when you go for the more reasonably priced registered agents, it feels like a ticking clock until they start to enshittify.
I get why your staff would be pissed because dealing with a crappy printer/scanner is the bane of a lot of office workers' existence... but they must have been able to find a better vendor or something off the shelf which supported the features they needed right? What special feature could they possibly offer to make them brave enough to put all those terms in their contract?
So make sure you fully read the fine print before signing an agreement for something.
The article makes it sound like that wouldn't have helped.
It states that the terms of the contract were "unilaterally" changed, without anyone being told -- Something that the tech industry has normalized.
Reading the fine print of the signed contract wouldn't have helped, since the contract changed since then.
These days you're lucky if you even get an e-mail saying "Our terms of service have changed, and if you don't like it, tough noogies." People who are not lawyers on HN will say it's illegal, yet it still happens constantly, and doesn't seem to have been struck down in any court, or it wouldn't keep happening.
If you sign such a contract then you have already screwed up. Note that terms of service and licenses are not the same thing as such contracts and are a bit more limited legally (heck, such a clause in a full-on contract is already on shaky ground)
I'm curious about about how the "unilateral amendment" works. If you didn't like the fine print in it, do you have to give your six month termination notice then and there?
If they unilaterally amend the contract to go from 6 months' notice to 12 months' notice, then presumably you'd have to give your 12 month termination notice then and there...
...and hope they don't unilaterally amend the contract in the interim to allow them to retroactively extend the termination period.
AFAIK, "unilateral amendment" should be considered at least very suspect by most courts?
Unilateral amendment might be a bit of a misnomer because its basically a new contract that your continued use implicitly accepts. There is never any retroactive term change. If they unilaterally change the notice period to 12 months and you reject, you would have to give your of rejection but it would be under the 6 month term because you are not accepting the new contract.
Unless there are other provisions for unilateral changes for contracts in the termination period, no new terms would apply to your final 6 months.
As written they are usually a Hobson's choice - accept the new terms or terminate the agreement. So the other party can't throw something completely heinous in there. But it does open you up to all kinds of issues, especially if accepting the new terms is implicit in taking no action, since this kind of thing can easily wind up ignored in an organisation.
"You can’t watch YouTube without a Google account"
you cant??? I reinstall my dekstop the other day, it let me view without login
the problem is recommendation tab/service is empty because there is no history so it cant recommend something, hence you assume that you couldn't view videos
I'm no lawyer, but I would think the purposes for which they read your email and the actions taken subsequently are blatantly illegal, and would invalidate the entire contract.
Yes, but severing would end up in court versus a very belligerent party, who would do their utmost to cost you money. An organization that prioritizes safety over ethics will just suck up the extra cost, apparently.
There are companies and organizations out there fighting for what’s right in courtrooms. Invalidating troll-owned patents, striking down unfair contracts etc. Agency A was obviously not one of those organizations.
I worked for a very successful multinational that I think was relatively moral (at least very moral vs average - e.g. we at least stood by our commitments and contracts and didn’t try and re-trade them if they went against us) and they took the approach that they were never going to be a “soft target”: nuisance law suits - litigate don’t settle, unethical behavior by vendors or customers - we’ll see you in court. It was probably more expensive for a decade or so, but over the long run it saved a ton of money and hassle.
Yes, especially since this sounds like a government agency. Some contractor snuck a backdoor into your email servers and is secretly reading them? Imagine what kind of corrupt practices, up to and including foreign espionage, that they could get up to. They could have been justified in sending in the FBI or CIA if this was the US. Probably would have put a stop to their vendor problems really quick.
> On 21 July 2006, Adamo Bove, predecessor of Tavaroli as responsible of security at the Telecom company and former DIGOS member, died in Naples by falling from a motorway bridge. Bove had discovered a flaw in the system which enabled people to enter the Telecom system and implement wiretaps without leaving a trace.
I feel like many HN'ers have been in this situation.
I was once in a confedential "back out" of a system. There was some shared code base with the other company. One of our devs made a comment that was something like "Reversing Migration Script" in the code.
In less than an hour from that commit(I didn't know at the time) I was in stuck in a firestorm WTF DID YOU DO battle between the two CEO's of the companies. It turns out that the other company was ACTIVELY spying for such terms in the code so they could react if we tried to leave. It was going to be an honest non renewal at the end of the contract so not even anything shady. I didn't find out till later about how they were spying out so there was this huge witch hunt about who was the rat and such. It was awful.
It seems this level of sociopathy is just the norm these days and I'm just an old fuddy duddy doing regular honest work without having a Machiavellian scheme running in parallel no wonder places only want to hire 20yo's /s /sorta.
They are, but I’m saying go to the other extreme, where every variable triggers their sensors and floods them with useless data until they give up monitoring.
I'm not really sure. As a said in another comment. They normally took weeks to respond to code/tech issues. For some reason this random code edit was run up to the CEO within minutes of it being made.
The CI/CD was on github actions. IDK if there is a standard spy tool there.
> There was some shared code base with the other company. One of our devs made a comment that was something like "Reversing Migration Script" in the code.
"However, to protect the privacy of the people and companies involved, I have deliberately mixed things up: technologies, contexts, and specific details have been modified or merged with other experiences."
Enough changes to avoid a libel suit, I'd imagine. Like when media outlets use and disclose a fake name for someone's story out of fear for retaliation.
I can't help shaking the feeling that it could be ragebait? Which ended up on HN as a result? Sure, companies act like bullies sometimes, but I don't know that I think this story is more likely than "person I've never heard of makes up outrageous story for attention". Both seem equally plausible.
The thing that doesn't make sense to me is if there was pretty clear evidence that some vendor had put in a backdoor into the email servers of multiple government agencies and there were directors and managers at all of these agencies that had good reason to believe they were being spied on, then this would have warranted a criminal investigation of the contractor. At that point, voiding the contract, migrating to whatever other email service you have and getting out of the bill would have been easy. It wouldn't have mattered what sneaky language got slipped into the contract by the vendor, you do not ever get to spy on internal government emails.
Perhaps you're right that it's government agencies (I may have even skimmed over a mention confirming that?) but my assumption, especially after the author mentioned one of the "agencies" being about 500 people total, is that he's more likely talking about something like a marketing or design agency, or a talent agency, or... something.
He mentions regulation in a couple of places, including:
> the new regulations were clear: embrace Open Source solutions whenever possible.
Which certainly sounds like something at a government agency. Also the fact that there are multiple agencies talking, coordinating and sharing resources with each other. Competitive firms don't really behave like that.
The issue is the will to fight it, basically. Even if you're wronged, if the other party is belligerant you need to be willing to push for the criminal investigation, push for the transfer, defend yourself against lawsuits even if they're frivilous, etc. Many people in these organisations just want a quiet life and will bend over to such behaviour because the demands are not bad enough to make them want to fight it.
The truth is not a defense against libel laws in all countries. Depending on where this is the poster could be out a lot of money just for naming names. As such not naming names is the safe answer.
Even in the US where the truth is a defense, you still can be out a lot of lawyer fees because you can be sued for things you say and it can cost a lot of hours in court.
The author is located in Italy, where "it's the truth" is not an absolute defense against defamation like you say - basically, here, causing "reputational harm" is actually against the law, even if you are telling the truth. There are a few exceptions like social interest which may apply, but it is a dangerous game to play because you need to prove that to the courts, as opposed to just proving what you wrote is what actually happened.
Plus, any court proceedings in Italy can routinely take decades, destroying one's life even if they are completely innocent, even if the complaint is trivial, even if the complainant is obviously malicious.
In the USA it used to be very rare for companies to directly mention competitors in ads. Products would be compared to "Brand X" or some other genericized name instead.
I think it still is somwhat rare. Why even let a potential customer know that a competitor exists?
Moral of the story is that going to open-source is only part of avoiding the traps that vendors set. You also have to trust the vendor you're working with and make sure that the contract isn't full of lawyer tricks.
a company with a history of threatening baseless lawsuits, combined with possible NDAs, or possible professional backlash when lawsuit-happy company threatens former employer. not worth it for a blog post.
Naming names is exactly what prevents a witch hunt. By keeping it vague, everyone here is wondering which company this is and whether they're currently doing business with them.
The point of this story is that open source can't protect you against a bully with a legal department at his command, and neither can it protect you against bad contract clauses. Frivolous legal threats may be frivolous, but you have to prove that in court and a lot of companies would rather take the easier way out to avoid having to do that.
The "FOSS" company never directly threatened the author, but the implication of it alone was enough to scare off both agencies. Given a lot of the tech is mixed up here on purpose, there's a few FOSS companies & vendors I can think of with legal departments that I'd describe as "pretty aggressive" and "expensive for a managed solution" that aren't solely about Exchange related services but would definitely behave like this, given their PR over the years at times has had slipped masks.
This basically sums up modern corporate status quo. T
> "pretty aggressive"
The legal system has been weaponized against the average person. This is the veil it hides behind. A legal department can be downright boring yet vicious at the same time. Like how they slow roll any employee legal dispute to the maximum legal time limit in expectation that they can financially out wait the employee. Which they almost always can.
Harper Lee's novel To Kill a Mockingbird is a creative writing exercise which didn't actually happen and isn't verifiably true to any degree. There were never any Finches, Ewells, Robinsons or Radleys, yet readers often find it quite powerful because they're perfectly aware the story's events have played out between real people many, many times. They don't need to be told the real names of people who have been in lynch mobs to know real people have been lynched.
Email servers aren't quite as heavy a subject, but we know these things happen.
Know your contracts. Read the fine print. Be careful who you do business with. Not all companies selling services for open source software embrace the ethos that we assume they do.
After reading the story, I can understand why somebody would not name and shame. The author could be inviting lawsuits from a company that clearly has no qualms playing dirty.
Something I read in the story is that the legal system fails to do its job: to make society fair. There are contracts and lawyers in the story, but they do not work toward ensuring fairness or justice, they work to help the company with more laywers and less scruples.
The legal system, in Italy, has been fundamentally bankrupt for a long time. It's one of the reasons a lot of foreign companies don't invest over there - if anything goes wrong, the legal system is unlikely to be of any help.
I know of no legal system that doesn't fail in some way. Some are much worse than others, but all have flaws. Often correcting the flaws is worse than living with them.
Don't take the above as we should just accept the flaws. We should not. However what to do about them is a hard problem and we should not do something that makes things worse.
I'm sorry, I don't mean to be rude, but also I can't discern a single bit of useful information in your comment. It is all tautologies, and would apply to any human endeavour. Yes, nothing is perfect, it's possible to make things worse and we should avoid that. Sooo...?
There’s something odd about this story. Not naming companies is weird - this happened before GDPR which means it happened a minimum of nine years ago. There were no lawyers involved at any point, not even before signing amendments with a company known for punishing vendors on their way out. Nobody even seemed to mind that this shady company with such a bad reputation was reading client emails. There was no attempt to warn anybody or to even solve the problem.
I don’t believe that this ever happened. I don’t know why someone would make up a story like this but this one is very odd.
Of course, you're free to think that. Sometimes dynamics aren't very linear and people are more inclined to avoid problems rather than create more. The concern about this company was obviously well-founded and valid, and the people involved didn't like it. Some of the choices they made were undoubtedly questionable, and I admit I was disappointed. Of course, I couldn't tell the whole story or all the details, but in the end, the company didn't get away with it completely. This event gained some traction through word-of-mouth among colleagues, and their user base plummeted in a short time.
Some companies are just incredibly naive sometimes. Case in point: i work at a game dev studio, and our main competitor on the segment we are on is a game published by Microsoft.
The other day a coworker was talking about how that other game had a tendency to release similar content as us, sometimes right before us, with marketing material that looked eerily like stuff still in production from our marketing team, to the point that they suspected someone was leaking stuff.
Dude, all we do is discussed on teams and it's all in documents stored in office 365. They dont need us to leak anything, they can simply read our team channels and our documents. They probably spend more time discussing plausible deniability with their legal team than researching what we do.
We are also moving our analytics from Tableau to whatever Microsoft's equivalent, and nobody seems to see the issue with that either.
This is the kind of story that perfectly captures why “open source” != “freedom.”
You can run 100% FOSS software and still be completely imprisoned if you give control to a middleman.
The company in this story didn’t just sell “support”, they sold permission. They took something open, wrapped it in contracts, lock-ins, and managed-service handcuffs, and then claimed ownership of it. That’s the new vendor lock-in model: control the interface, not the code.
The chilling part isn’t that they could read customer emails, it’s that they thought it was normal. Somewhere between “managed service” and “surveillance,” the moral line vanished, replaced by legalese.
This story should be printed and taped above every government IT procurement desk.
If you don’t own your servers, your keys, and your contracts, you don’t own your data, no matter how “open” the stack is.
I disagree that you can’t own something that isn’t physically controlled by you. Almost all of us have money which is not kept on our persons or property, in banks and investments. I think people would be outraged if someone told them it belonged to the bank.
What’s really important is the laws and regulations governing ownership. Ownership in a modern society is nearly entirely a legal construct. Ownership of data shouldn’t be any different.
> I think people would be outraged if someone told them it belonged to the bank.
You might find it interesting to read about 2013 Cyprus bank levy then. The government unilaterally raided people's savings accounts, taking between 6.75% and 10% as a one-off tax with essentially no warning. When you put money in the bank you are implicitly accepting the (small but real) risk that the government will come along and say "I'm having some of that" and there's nothing you can do about it.
More anecdotally, I once had to help a family friend sue a bank for several tens of thousands of pounds in the UK because they refused to pay him back his balance when he closed the account and refused to explain the reason. It took a little over 6 months to get the money back. While researching the case, I discovered countless other cases in which businesses had gone bankrupt because of delays in recovering their money from the bank. Under UK legislation, banks can and do do this if they have "suspicions" of money laundering (which can be triggered for any reason whatsoever - the suspicion doesn't have to be reasonable). Not only do they not have to explain to the customer what those suspicious are, they are legally required not to. They can hold onto your money for up to 31 days and this can be extended to up to 6 months by a court order after a hearing which you will be excluded from and likely not even know took place until after the fact.
Legally you do not own your money in the bank. Instead you own a "chose in action" (https://en.wikipedia.org/wiki/Chose) which is the right to sue the bank for the money. Although it sounds similar to outright ownership, it's not the same thing.
The government could also tax you an extra $5000 out of nowhere by pushing a law through. That levy happened to go for bank accounts but the general concept isn't tied to whether your money is stored personally.
Freezes are a big problem but they don't get to keep it. The delay is the problem, not a transfer of ownership.
Nonetheless, there's a fundamental legal difference between ownership (e.g. of the notes and coins in your pocket) and a chose in action (the right to sue the bank for the money which you don't own).
If you own something and someone withholds it from you, in the general case that's theft. Because theft is a criminal offence, people generally won't risk doing it. With a chose in action, you have to sue in a civil court for damages. In the meantime, the bank might go bust, you might lose your case, you may give up without even going to court because the amount they've kept isn't worth the time and legal costs of recovery.
You've probably heard the phrase "possession is 9/10ths of the law". If the government introduces a no-warning one-time $5000 levy, they still have to recover the money from you. The effort of doing so is on them and they have the burden of proof. Maybe they will, maybe they won't. Maybe you'll decide to leave the country before the legal process concludes. These are some of the advantages of ownership.
When the money is in the bank, the bank and the government can simply agree (without a court's involvement) that you owe the $5000 and there is nothing you can do other than try to sue the bank (and likely lose) because you never owned the money in the first place. The burden of proof shifts to you and it's unlikely you'll ever see that money again.
> I disagree that you can’t own something that isn’t physically controlled by you.
We're not talking about "something" in general, but about digital infrastructure.
> Almost all of us have money which is not kept on our persons or property, in banks and investments. I think people would be outraged if someone told them it belonged to the bank.
A better analogy is if you have a cryptocurrency wallet managed by Coinbase. You don't own. And they can in fact suspend your account (and probably take your crypto) if they don't like you.
I’m not sure that analogy contradicts ownership. Physical assists can be seized or stolen also (if Deloitte’s AI doesn’t like you) but it doesn’t negate the concept of ownership of those
Maybe possession would be a more accurate legal term? You can own something that isn’t in your possession (eg might have been loaned, stolen, etc) or possess something that you don’t own (eg the other side of the transaction)
> If you don’t own your servers, your keys, and your contracts, you don’t own your data, no matter how “open” the stack is.
Quite true, but the choice is nearly never between an agency letting someone else own the data and owning it themselves. The idea of switching in one fell swoop from a labyrinth of duplicative, proprietary SaaS/hosted systems to self-managed open source is a fantasy for all agencies. Even if we take that as the goal (not necessarily something I agree with), nobody can get there in a single migration/political season/anything short of years.
Rather, the near-term choice is between who and how many parties own the data. Do you work with a stack of midsize cloud resellers, each of which has questionable quality and a lot of experience maximizing government revenue via advantageous connections and contracts? Or do you work with one of the hyperscaler clouds--higher quality, less specifically designed to exploit gov (I said less, GovCloud, now get your hands out of my wallet!), slightly more friendly to "build what you want how you want" approaches?
Neither of those approaches lets you take ownership of your servers/data/contracts fully. But the latter moves you closer to that ideal; the former does not.
> However, to protect the privacy of the people and companies involved, I have deliberately mixed things up: technologies, contexts, and specific details have been modified or merged with other experiences.
Why wouldn’t a person stop reading there, unless they were the author’s mom or roommate or something and were reading out of politeness?
How in the world did you read "hit piece on open source" into this article? There's nothing negative about open source at all, he's making exactly the same point as you.
I'm sorry but this reads like AI slop. Or maybe it's not AI slop, it's just regular human-generated slop, but regardless: it's useless.
For one: it's intentionally completely unverifiable. Sure, maybe the writer's not brave enough to break their NDA by sharing names. But it's also convenient: nobody can ever poke holes in the story, or add their own context to it. The story just gets to live on its own and earn internet karma regardless of whether it's at all true.
For two: completely inconsistent. Let's take these two paragraphs:
> A few years earlier, a major public institution - let’s call it Agency A - was still running an ancient Exchange mail server. It hadn’t received security updates for ages, the anti-spam was completely ineffective, and the new regulations were clear: embrace Open Source solutions whenever possible.
> They had already received a proposal - expensive but seemingly reasonable - for a managed service, hosted by an external provider, built on an open source mail stack. The company offered a managed version with its own proprietary additions and enterprise support. The catch? The price was absurd, and Agency A already had solid infrastructure - reputable IP classes, redundant datacenters, everything working fine. We had built and maintained that environment for years, and it was still running perfectly.
So we have just learned in paragraph 1 that the current system is dated and full of security holes and missing features. In paragraph 2 we have learned that the current system's infrastructure is "solid" and "working fine". Can you really say the infrastructure is solid and working fine if it's preventing you from upgrading your Exchange mail server?
And let's take paragraph two: it says the proposal is "expensive but seemingly reasonable" and then one sentence later says "the catch? The price is absurd". How can the price be both "reasonable" and "absurd?"
I agree it's not written in the clearest way, nor verifiable (though Stefano Marinelli does seem to be a semi-public figure in the online IT community, so it's not some anonymous blog).
>So we have just learned in paragraph 1 that the current system is dated and full of security holes and missing features. In paragraph 2 we have learned that the current system's infrastructure is "solid" and "working fine".
This confused me too, until I realized that he probably meant that his company set up the hardware infrastructure ("reputable IP classes, redundant datacenters"), but doesn't manage the software. Otherwise, why shred your own credibility from the first sentence by crapping on the "ancient," "insecure," and "ineffective" Exchange server?
>How can the price be both "reasonable" and "absurd?"
The price was reasonable given the average quotes received by similar entities and the prices on the market, but it was absurd when considering the service provided. Perhaps I didn't make that point clear, and I'll likely modify it slightly. The concept is that the price, which was initially acceptable to them, was in fact absurd when viewed in terms of what was being provided.
Side question: If you and your co-workers (across multiple government agencies) had strong suspicion that the vendor had a backdoor to spying on your emails why wasn't the obvious choice contacting federal law enforcement? I'm not sure what it is like in the EU, but in the US I'm pretty sure that if something like this was discovered at a government agency that vendor would quickly find their office raided by FBI agents.
I've modified this sentence, I hope it's clearer now:
They had already received a proposal - expensive but, when compared to similar offers made to other organizations, apparently reasonable — for a managed service hosted by an external provider and based on an open source mail stack. The company offered a managed version with its own proprietary additions and enterprise support.
The catch? While such pricing had become almost "normal" in the market, it was still wildly inflated considering what was actually being delivered. Agency A already had solid infrastructure - reputable IP classes, redundant datacenters, everything running smoothly. We had built and maintained that environment for years, and it was still performing perfectly.
> I'm sorry but this reads like AI slop. Or maybe it's not AI slop, it's just regular human-generated slop, but regardless: it's useless.
> For one: it's intentionally completely unverifiable. Sure, maybe the writer's not brave enough to break their NDA by sharing names. But it's also convenient: nobody can ever poke holes in the story, or add their own context to it. The story just gets to live on its own and earn internet karma regardless of whether it's at all true.
I’m not sure why this would be surprising: it’s a personal story shared on a blog, not an investigative article in a newspaper.
I also don’t think it helps calling everything “AI slop” these days only if one doesn’t like it for some reason.
Updating Exchange would have meant spending a lot on new licenses to upgrade to a new release, and public administrations were encouraged to seek open-source solutions. The underlying server infrastructure was solid, but the VM with Exchange was now old. The entire setup would have needed to be redone. The second paragraph, on the other hand, says that the quote was "acceptable" for them, knowing the average costs for that service. But it was also very high, even in the opinion of the IT manager.
This isn't AI slop. These are real-life experiences. The goal is to raise awareness that open source doesn't always and necessarily mean freedom: lock-in exists.
Makes sense and thank you for explaining and improving the article! Apologies for jumping to conclusions. It might be worth adding a tidbit directly to the article on why Exchange couldn’t be updated and how it was irrelevant to the “solid” infrastructure (I.e. something like “while Exchange was sorely out of date due to the hassle and cost of upgrading, the underlying infrastructure of the in-house servers it ran on was solid”), but defer to you and other folks here. If I’m the only who was bothered by that then the fault is mine!
This kind of behavior rubs me the wrong way. People leaking stuff, breaking compliance and then say - It was just harmless.
I work with a Director who has done something similar multiple times. The chain of events often is - She attends an industry conferences, there she learns about a piece of software, she goes ahead and schedules product demos and solicits a contract. She then contacts the only outsourcing agency she is aware of and promises to give them the implementation contract. Then reaches out as she doesn't have the authority to sign those contracts.
Since the time I have been responsible for product selection this has happened twice. Both times I have been under different managers. Both managers have insisted it was harmless.
Last time this happened the Director was told by promising work and soliciting contracts she was in gross non compliance of the company policies. Her response showed how little she cared. As per her, this was an internal matter and no one could punish her.
Later when we evaluated the product and it promised to "get better with time". All the company's data was being ingested into an AI without regard for enterprise data security rules. Even then her response was - What is the big deal? Everyone reads everyone's data. Legal got involved and shut it down - they asked the product to turn off AI features for our instances.
It is really hard to contend against a malicious or dumb team mate. In a corporate setting if they are higher than you then it is even more difficult. They can chalk it up to a harmless mistake and no one can do a thing.
So, not a total loss.
Lattice is not perfect but it legitimately seems to be designed by people who understand that it's not actually useful to anyone and that the best user experience is just to make it as easy as possible to phone it in, complete with built in LLM stuff to take your poorly written self eval and make it look better.
This took me a few tries to figure out. "This solution" is the open source stack without the vendor from the previous paragraph. I thought it was including the vendor and got very confused when more comparisons started to happen.
> to protect the privacy of the people and companies involved
Companies get privacy rights now?
Snark aside, I think I understand how this person feels.
I once worked for a company that did something abhorrent during a natural disaster. I spoke up and was reprimanded, while my coworkers just sat there and accepted it. I came very close to losing my job, and ended up leaving the company at my first opportunity.
It was 20 years ago, and I keep meaning to write an article about it, but never do. It's not that you want to protect the company, or that you're afraid of being sued. But there's something that weighs on you when you think about actually putting the words down.
It's all a decade or more old, so what's the point? Nobody will be held to account. The company is no longer under the same leadership (or even the same name).
My personal blog has a dead-man's switch that will reveal a number of ugly things about several of the companies for which I've worked. But who cares? That's part of the weight. What good will it do? If, by some remote chance, someone reads it, it will only make them mad. How does that help anything?
But I'm also one of those people on HN who's always crying "name and shame." So, I'm a hypocrite. Such is life.
i would love they mentioned the name of the people involved.
The predatory bullshit in TFA is widespread, not just in Open Source.
We should grant each other herd immunity by spreading knowledge of disreputable entities, ideally with receipts. You're basically complicit in abuse if you do nothing to help others.
We're doing so with Oracle. Never knowingly do business with Oracle.
https://news.ycombinator.com/item?id=43985971
In that particular story, if true, I bet the writer is a relative of someone in the branch of police dedicated to tax checks (the much-feared Guardia di Finanza, who effectively wields power of life and death over most small businesses).
> The company offered a managed version with its own proprietary additions
Doesn't sound like open source to me?
So using open source on someone else's computer technically fulfills that requirement, without completing some of the reasons why the requirement exist (vendor lock-in in this particular instance is particularly laughable).
You should do this for consumer stuff, but it's mandatory for business stuff.
So I get a contract and am told it's been vetted and I should sign it. What I found was outrageous.
- If we cancelled for any reason, including if they just didn't do any of there terms in the contract, we owed the full price of the remaining contract immediately.
- The way they structured it was also as a rental, so we were paying full price for purchase of the equipment embedded into the term of the contract, but it was the vendors equipment, so if we cancelled we still paid them full price for the equipment, and they got to keep it.
- If there were any legal disputes, no matter which party was at fault, my side would pay for all the lawyers.
I said nope, can't do it. And my staff were pissed at me for like a year because everyone just signs those things.
We had to shred a bad contract (oddly enough, also for a printer / copier) and simply abandoned the LLC and declared it defunct. The service provider never has even showed up to pick up the printer. It was a pay per page contract where they unilaterally raised the price about 200% for no reason.
We also abandoned a water cooler and water cooler service after the vendor simply refused to answer our requests to end the service. (It’s $20 a month. There was no long term contract signed.) Apparently nonprofits are a target for this sort of thing, so we now don’t even mention we are a nonprofit and handle business relationships via the LLC.
It’s absurd things have become this way.
Are there other better vendors for this kind of work out there?
I got this advice to do so from (a) the aforementioned nonprofit consultant and (b) an actual attorney, who does serve as a registered agent, for no fee. He is glad to do so since in the very rare event of a lawsuit, he'll be the one representing us. However, you could also just be your own registered agent if you have an office where people regularly work.
Note that I am not going out of my way to conceal the identity of the nonprofit board members / members of the LLC.
[1]: https://www.amazon.com/Nolos-LLC-Handbook-Agreements-Instruc...
Typical customers for these types of scams are small offices with no technical person in the loop.
Whereas our local bank will do it for $10 a month, interchange plus 0.15%, no contract. Versus fees of 3%, 3 year contract.
The article makes it sound like that wouldn't have helped.
It states that the terms of the contract were "unilaterally" changed, without anyone being told -- Something that the tech industry has normalized.
Reading the fine print of the signed contract wouldn't have helped, since the contract changed since then.
These days you're lucky if you even get an e-mail saying "Our terms of service have changed, and if you don't like it, tough noogies." People who are not lawyers on HN will say it's illegal, yet it still happens constantly, and doesn't seem to have been struck down in any court, or it wouldn't keep happening.
ToS are for low-value consumer accounts. 500 seats and public institutions is very different.
...and hope they don't unilaterally amend the contract in the interim to allow them to retroactively extend the termination period.
AFAIK, "unilateral amendment" should be considered at least very suspect by most courts?
Unless there are other provisions for unilateral changes for contracts in the termination period, no new terms would apply to your final 6 months.
https://www.oncontracts.com/unilateral-amendments/
There is no other way to log into IRS.gov.
You can’t watch YouTube without a Google account.
You can’t be in the parent group chat without agreeing to the Meta TOS for WhatsApp.
The list goes on.
Previously. Not the current SCOTUS, of course.
you cant??? I reinstall my dekstop the other day, it let me view without login the problem is recommendation tab/service is empty because there is no history so it cant recommend something, hence you assume that you couldn't view videos
I routinely watch YouTube in private, not signed in, and only open a video in a normal, signed in window if I want it preserved in my history.
That sounds like it might be grounds for criminal charges, if evidenced properly, the threat of which could be used to get that company to back down.
There are companies and organizations out there fighting for what’s right in courtrooms. Invalidating troll-owned patents, striking down unfair contracts etc. Agency A was obviously not one of those organizations.
"Falling from a motorway bridge"???!!
I was once in a confedential "back out" of a system. There was some shared code base with the other company. One of our devs made a comment that was something like "Reversing Migration Script" in the code.
In less than an hour from that commit(I didn't know at the time) I was in stuck in a firestorm WTF DID YOU DO battle between the two CEO's of the companies. It turns out that the other company was ACTIVELY spying for such terms in the code so they could react if we tried to leave. It was going to be an honest non renewal at the end of the contract so not even anything shady. I didn't find out till later about how they were spying out so there was this huge witch hunt about who was the rat and such. It was awful.
It seems this level of sociopathy is just the norm these days and I'm just an old fuddy duddy doing regular honest work without having a Machiavellian scheme running in parallel no wonder places only want to hire 20yo's /s /sorta.
Like the old NSA copypasta.
The CI/CD was on github actions. IDK if there is a standard spy tool there.
This company normally took weeks to respond for any other code related issue. I would describe them as passive aggressively slow.
Maybe they really did review everything spot on and just deliberately slow rolled approval to "manage expectations" on the day to day.
So is it fiction? Details matter. If any of the details are not true, this makes story is waaay less interesting.
Enough changes to avoid a libel suit, I'd imagine. Like when media outlets use and disclose a fake name for someone's story out of fear for retaliation.
1) completely from one person's version of events
2) absolutely unverifiable
I can't help shaking the feeling that it could be ragebait? Which ended up on HN as a result? Sure, companies act like bullies sometimes, but I don't know that I think this story is more likely than "person I've never heard of makes up outrageous story for attention". Both seem equally plausible.
> the new regulations were clear: embrace Open Source solutions whenever possible.
Which certainly sounds like something at a government agency. Also the fact that there are multiple agencies talking, coordinating and sharing resources with each other. Competitive firms don't really behave like that.
Even in the US where the truth is a defense, you still can be out a lot of lawyer fees because you can be sued for things you say and it can cost a lot of hours in court.
I think it still is somwhat rare. Why even let a potential customer know that a competitor exists?
Here's a hot take: Name and Shame.
If this story is true, the author should be shouting their names from the rooftop.
Instead, we get this nonsense.
The "FOSS" company never directly threatened the author, but the implication of it alone was enough to scare off both agencies. Given a lot of the tech is mixed up here on purpose, there's a few FOSS companies & vendors I can think of with legal departments that I'd describe as "pretty aggressive" and "expensive for a managed solution" that aren't solely about Exchange related services but would definitely behave like this, given their PR over the years at times has had slipped masks.
This basically sums up modern corporate status quo. T
> "pretty aggressive"
The legal system has been weaponized against the average person. This is the veil it hides behind. A legal department can be downright boring yet vicious at the same time. Like how they slow roll any employee legal dispute to the maximum legal time limit in expectation that they can financially out wait the employee. Which they almost always can.
The point is that without the identifying information it might as well be a creative writing exercise.
Good anecdotes have power because they actually happened and are verifiable to some degree. This is neither.
Know your contracts. Read the fine print. Be careful who you do business with. Not all companies selling services for open source software embrace the ethos that we assume they do.
After reading the story, I can understand why somebody would not name and shame. The author could be inviting lawsuits from a company that clearly has no qualms playing dirty.
Don't take the above as we should just accept the flaws. We should not. However what to do about them is a hard problem and we should not do something that makes things worse.
Could it possibly involve a particularly litigious law firm masquerading as a tech company run by one rich asshole?
Even RedHat is capable of such behaviour, and remember that the author is likely based in Italy, where companies run by crooks are the norm.
But my best guess is Grommunio.
That's easier said than done, hence why Stefano probably didn't.
I don’t believe that this ever happened. I don’t know why someone would make up a story like this but this one is very odd.
The other day a coworker was talking about how that other game had a tendency to release similar content as us, sometimes right before us, with marketing material that looked eerily like stuff still in production from our marketing team, to the point that they suspected someone was leaking stuff.
Dude, all we do is discussed on teams and it's all in documents stored in office 365. They dont need us to leak anything, they can simply read our team channels and our documents. They probably spend more time discussing plausible deniability with their legal team than researching what we do.
We are also moving our analytics from Tableau to whatever Microsoft's equivalent, and nobody seems to see the issue with that either.
(Emdashes were included in the above to set off a siren in their brains.)
https://www.youtube.com/watch?v=zIV4poUZAQo
The company in this story didn’t just sell “support”, they sold permission. They took something open, wrapped it in contracts, lock-ins, and managed-service handcuffs, and then claimed ownership of it. That’s the new vendor lock-in model: control the interface, not the code.
The chilling part isn’t that they could read customer emails, it’s that they thought it was normal. Somewhere between “managed service” and “surveillance,” the moral line vanished, replaced by legalese.
This story should be printed and taped above every government IT procurement desk. If you don’t own your servers, your keys, and your contracts, you don’t own your data, no matter how “open” the stack is.
What’s really important is the laws and regulations governing ownership. Ownership in a modern society is nearly entirely a legal construct. Ownership of data shouldn’t be any different.
You might find it interesting to read about 2013 Cyprus bank levy then. The government unilaterally raided people's savings accounts, taking between 6.75% and 10% as a one-off tax with essentially no warning. When you put money in the bank you are implicitly accepting the (small but real) risk that the government will come along and say "I'm having some of that" and there's nothing you can do about it.
More anecdotally, I once had to help a family friend sue a bank for several tens of thousands of pounds in the UK because they refused to pay him back his balance when he closed the account and refused to explain the reason. It took a little over 6 months to get the money back. While researching the case, I discovered countless other cases in which businesses had gone bankrupt because of delays in recovering their money from the bank. Under UK legislation, banks can and do do this if they have "suspicions" of money laundering (which can be triggered for any reason whatsoever - the suspicion doesn't have to be reasonable). Not only do they not have to explain to the customer what those suspicious are, they are legally required not to. They can hold onto your money for up to 31 days and this can be extended to up to 6 months by a court order after a hearing which you will be excluded from and likely not even know took place until after the fact.
Legally you do not own your money in the bank. Instead you own a "chose in action" (https://en.wikipedia.org/wiki/Chose) which is the right to sue the bank for the money. Although it sounds similar to outright ownership, it's not the same thing.
Freezes are a big problem but they don't get to keep it. The delay is the problem, not a transfer of ownership.
If you own something and someone withholds it from you, in the general case that's theft. Because theft is a criminal offence, people generally won't risk doing it. With a chose in action, you have to sue in a civil court for damages. In the meantime, the bank might go bust, you might lose your case, you may give up without even going to court because the amount they've kept isn't worth the time and legal costs of recovery.
You've probably heard the phrase "possession is 9/10ths of the law". If the government introduces a no-warning one-time $5000 levy, they still have to recover the money from you. The effort of doing so is on them and they have the burden of proof. Maybe they will, maybe they won't. Maybe you'll decide to leave the country before the legal process concludes. These are some of the advantages of ownership.
When the money is in the bank, the bank and the government can simply agree (without a court's involvement) that you owe the $5000 and there is nothing you can do other than try to sue the bank (and likely lose) because you never owned the money in the first place. The burden of proof shifts to you and it's unlikely you'll ever see that money again.
We're not talking about "something" in general, but about digital infrastructure.
> Almost all of us have money which is not kept on our persons or property, in banks and investments. I think people would be outraged if someone told them it belonged to the bank.
A better analogy is if you have a cryptocurrency wallet managed by Coinbase. You don't own. And they can in fact suspend your account (and probably take your crypto) if they don't like you.
Maybe possession would be a more accurate legal term? You can own something that isn’t in your possession (eg might have been loaned, stolen, etc) or possess something that you don’t own (eg the other side of the transaction)
I have some bad news.
Quite true, but the choice is nearly never between an agency letting someone else own the data and owning it themselves. The idea of switching in one fell swoop from a labyrinth of duplicative, proprietary SaaS/hosted systems to self-managed open source is a fantasy for all agencies. Even if we take that as the goal (not necessarily something I agree with), nobody can get there in a single migration/political season/anything short of years.
Rather, the near-term choice is between who and how many parties own the data. Do you work with a stack of midsize cloud resellers, each of which has questionable quality and a lot of experience maximizing government revenue via advantageous connections and contracts? Or do you work with one of the hyperscaler clouds--higher quality, less specifically designed to exploit gov (I said less, GovCloud, now get your hands out of my wallet!), slightly more friendly to "build what you want how you want" approaches?
Neither of those approaches lets you take ownership of your servers/data/contracts fully. But the latter moves you closer to that ideal; the former does not.
Why wouldn’t a person stop reading there, unless they were the author’s mom or roommate or something and were reading out of politeness?
For one: it's intentionally completely unverifiable. Sure, maybe the writer's not brave enough to break their NDA by sharing names. But it's also convenient: nobody can ever poke holes in the story, or add their own context to it. The story just gets to live on its own and earn internet karma regardless of whether it's at all true.
For two: completely inconsistent. Let's take these two paragraphs:
> A few years earlier, a major public institution - let’s call it Agency A - was still running an ancient Exchange mail server. It hadn’t received security updates for ages, the anti-spam was completely ineffective, and the new regulations were clear: embrace Open Source solutions whenever possible.
> They had already received a proposal - expensive but seemingly reasonable - for a managed service, hosted by an external provider, built on an open source mail stack. The company offered a managed version with its own proprietary additions and enterprise support. The catch? The price was absurd, and Agency A already had solid infrastructure - reputable IP classes, redundant datacenters, everything working fine. We had built and maintained that environment for years, and it was still running perfectly.
So we have just learned in paragraph 1 that the current system is dated and full of security holes and missing features. In paragraph 2 we have learned that the current system's infrastructure is "solid" and "working fine". Can you really say the infrastructure is solid and working fine if it's preventing you from upgrading your Exchange mail server?
And let's take paragraph two: it says the proposal is "expensive but seemingly reasonable" and then one sentence later says "the catch? The price is absurd". How can the price be both "reasonable" and "absurd?"
Overall an annoying read.
>So we have just learned in paragraph 1 that the current system is dated and full of security holes and missing features. In paragraph 2 we have learned that the current system's infrastructure is "solid" and "working fine".
This confused me too, until I realized that he probably meant that his company set up the hardware infrastructure ("reputable IP classes, redundant datacenters"), but doesn't manage the software. Otherwise, why shred your own credibility from the first sentence by crapping on the "ancient," "insecure," and "ineffective" Exchange server?
>How can the price be both "reasonable" and "absurd?"
Agreed, this part makes no sense.
They had already received a proposal - expensive but, when compared to similar offers made to other organizations, apparently reasonable — for a managed service hosted by an external provider and based on an open source mail stack. The company offered a managed version with its own proprietary additions and enterprise support.
The catch? While such pricing had become almost "normal" in the market, it was still wildly inflated considering what was actually being delivered. Agency A already had solid infrastructure - reputable IP classes, redundant datacenters, everything running smoothly. We had built and maintained that environment for years, and it was still performing perfectly.
> For one: it's intentionally completely unverifiable. Sure, maybe the writer's not brave enough to break their NDA by sharing names. But it's also convenient: nobody can ever poke holes in the story, or add their own context to it. The story just gets to live on its own and earn internet karma regardless of whether it's at all true.
I’m not sure why this would be surprising: it’s a personal story shared on a blog, not an investigative article in a newspaper.
I also don’t think it helps calling everything “AI slop” these days only if one doesn’t like it for some reason.
This isn't AI slop. These are real-life experiences. The goal is to raise awareness that open source doesn't always and necessarily mean freedom: lock-in exists.
This lock-in was legal and political, not technical. The lesson I would take away is "don't do business with parties that you don't trust".
Low coherence sentence to sentence, stray emdashes, loads of those LLM-was-trying-too-hard writing turns.
If it wasn't written by an AI entirely, then at least it was edited to shit by one.