Future Tech

DEF CON badge disagreement gets physical as firmware dev removed from event stage

Tan KW
Publish date: Tue, 13 Aug 2024, 03:43 PM

The electronic badges at DEF CON have long been a hot commodity for attendees, tinkerers, and collectors, though this year they're getting attention for an entirely different reason.

Forget the usual basic plastic attendee badges you get at conferences; the annual DEF CON conference in Las Vegas has a tradition of providing badges featuring custom electronics hackers can play with. The badges change each year and 2024’s model is a small computer with the same processor as the Raspberry Pi Pico 2, a screen, firmware, and buttons, that looks like a 1990s-era handheld electronic game. The conference entry fee is $460 (£360) on the door in cash, and that includes the badge.

What began as quiet rumblings that players couldn't save their games in the custom GameBoy emulator bundled with the badge has since exploded. Dmitry Grinberg, firmware developer for this year's DEF CON 32 badge, was physically removed from a talk about the project Friday, forcing both DEF CON organizers and the company that designed the badge hardware, Entropic Engineering, to issue dueling statements on the matter.

We've got ourselves a good old fashioned hacker kerfuffle on our hands, folks.

You're gonna have a badge time

To get a good understanding of the matter, it's best - as always - to start from the beginning.

Both sides agree that work on the badges began back in January, 2024, with DEF CON's hiring of Entropic to design the hardware. The idea was to produce a badge that could play a custom DEF CON-themed game on a bare-metal GameBoy emulator, as outlined here (the device can even run PalmOS).

Grinberg agreed to produce the firmware with the expectation, according to several statements from him, that he was working as a volunteer. Entropic would be paid by DEF CON to produce the hardware, and he would do the software for fun.

According to DEF CON, Entropic’s work on the project went off the rails.

"After going over budget by more than 60 percent, several bad-faith charges, and with a product still in pre-production, DEF CON issued a stop work order," the conference organizers said in their statement, adding that they'd "heard these issues with Entropic Engineering were not unique to DEF CON."

At that point, DEF CON claimed it sent its own engineers to Vietnam to oversee the final assembly of the 30,000 badges ordered for the event, and decided to remove Entropic's logo from the badge case that was "added as a courtesy."

Entropic's side of the story makes the entire project sound kinda doomed from the start.

"The specifics of what [DEF CON] requested in January were extremely difficult / almost impossible," Entropic said, but due to the company's design partner status with the Raspberry Pi operation, early access to the new Pico 2's RP2350 chip, and previous work with Grinberg to develop a GameBoy emulator, the company decided to pursue the project.

Entropic claimed that in its first meeting about the project, in January 2024, it pushed the show’s organizers to delay production of the badge to have it ready for 2025’s DEF CON 33 rather than this year’s event. Apparently the badge team at DEF CON "remained confident they could meet and mitigate" any problems.

Entropic said the badges were designed, and functional prototypes had been produced, by June. The company claims it billed DEF CON for its latest round of work and knocked 25 percent off the invoice to keep the project within the event's per-badge cost target. "We were instead met with a work stoppage request and informed we would no longer be paid for services already rendered," said Entropic.

"We take responsibility for and ownership of any oversights and mistakes that we have made in this project," Entropic co-founder and CTO Matthew Pang wrote in the company's statement on the matter. Pang added that Entropic had tried "multiple times over the past months to negotiate fair compensation for work completed prior to June 7," when DEF CON requested a stoppage, "but attempts at resolution have been unsuccessful."

Entropic further claimed it was offered a "one-time 'take it or leave it' amount worth well under half of what we were owed pre-stoppage," and again alleged DEF CON refused to negotiate.

"Any claims that DEF CON did not pay Entropic Engineering for its hardware or firmware development are false," DEF CON officials stressed in their statement.

In an email to The Register, Entropic’s Pang said it would be wrong to say Entropic had been paid as hoped, reiterating that the money received from DEF CON to date was only a partial amount despite attempts to extract what the biz says it is owed.

"We hit the 'per badge' cost target that we were given," Pang said. "We also indicated to DEF CON that we would continue to further discount our labor rates in order to hit this target if necessary." Instead, the stop work order was issued, Pang said, adding that "multiple and repeated offers" for further discounts "received no meaningful response."

As for the bad-faith charges, Pang told us DEF CON's statement is the first he's heard of this. He told us Entropic hadn't been contacted by DEF CON at any point "with concerns about any such charges."

"We stand behind the validity … of all our regular, monthly invoices and updates," Pang said, noting that he'd be glad for the opportunity to rectify any errors.

Pang told us he was willing to share receipts, bills, cost forecasts, and exchanges about settling matters between Entropic and DEF CON - if DEF CON organizers will allow it. DEF CON organizers have declined to answer additional questions about the matter, and when we followed up about their allowing Entropic to release discussions between the pair, we were told they would get back to us.

"Given the extreme budget restraints cited by the badge team in their decision to issue the stop work order, we are curious how much was spent on grinding off our logo from the molds at the eleventh hour," the Entropic founder added.

Enter, easter egg; Exit, Grinberg

Despite all that disagreement, DEF CON said it was still willing to have Grinberg, who is not an Entropic employee, join a panel to discuss the badge's concept and development - at least until it came out that Grinberg slipped an Easter egg into the badge firmware during the Entropic/DEF CON beef as a protest.

Pressing the FN button to open a menu, selecting 'About' and pressing 'A', then pressing 'Select' will show the egg. It's understood that Grinberg didn't like that Entropic had been scrubbed from the device, the fight over payment, or that all mention of the biz working on the badge had been dropped from the show's publicity, and so had the egg included to display Entropic's logo and ask for Bitcoin donations.

The event organizers were not happy that an unexpected feature, particularly the call for donations, was added to the software.

"Shortly before the talk was set to take place, DEF CON became aware that unauthorized code had been included in the firmware," the hacker event organizers said, referring to the on-stage presentation about the badge's development.

That code also displayed the line "stolen credit returned," and made it clear who designed the electronics. Pang confirmed to us that the BTC wallet address link belongs to Entropic.

Pang described Grinberg's Easter egg as having been intended as a joke. DEF CON has a different explanation: "When asked about the unauthorized code, the engineer said it had been done as a 'joke' two months ago and forgot to remove it."

"This kind of low-stakes programming prank is a language DEF CON attendees are fluent in," Pang told us. "In our community, this kind of Easter egg is regarded as a feature, not a bug."

Grinberg, for his part, said: "I forgot about the screen entirely more or less," and thus he never removed it.

In an emailed statement, Grinberg told us that he finished the firmware, and added the Easter egg, more than two months ago when "tempers were high and fuses were short," and that he spent the rest of his time until the conference "helping DEF CON adapt their GameBoy game to use the badge’s unique features."

"As the chip pre-flashing deadline was missed by them and each of the 29,770 badges had to be programmed manually by volunteers, there were many last-minute fires to address," Grinberg told us.

Grinberg told us he thought the Easter egg would be a "funny and fair" way to get Entropic "their due credit if anyone stumbled onto the screen," and noted that DEF CON had months to examine the firmware binary to find it for themselves.

DEF CON organizers didn't find the matter funny, though, describing the inclusion of the message an attempt "to solicit money from DEF CON attendees above and beyond what we had negotiated."

To compound the disagreement, DEF CON says it wasn't aware of the Easter egg until shortly before the badge panel was scheduled to begin. When event officials found out, they decided to un-invite Grinberg from the panel.

Grinberg claimed he wasn't told of the change until half an hour before the talk, and decided to show up anyway since his inclusion in the panel "was promised," resulting in a group of DEF CON Goons (Goon being the self-described nickname of the all-volunteer security staff) lifting him off stage and walking him out.

According to DEF CON, Grinberg "refused to leave, demanding that our security team remove him," a request they were all too happy to oblige. "We complied with his wishes and escorted him off the stage, where he was free to continue attending the conference."

Photos and video of the incident show Grinberg being asked to leave the premises by law enforcement, rather limiting his ability to "continue attending the conference." Out on the street, he attempted to give an impromptu talk about the badge to onlookers and signed some of their electronics.

Grinberg told us he asked every Goon he could find outside the Las Vegas conference center hosting the show about his status for the rest of the con. He claims he was told the Goons weren't sure what to do about him, but if he entered he "would get flagged."

"I am still not sure what that means, and I did not wish to find out," Grinberg added.

The firmware developer said he also takes umbrage with several of the claims in DEF CON's statement, including the organization's claim that "unauthorized code had been included in the firmware we had paid Entropic Engineering to produce."

"Entropic was not paid to produce any code for this badge," Grinberg told us. "I am not affiliated with Entropic, which DEF CON is well aware of. In fact, no one was paid to produce the code for this badge."

Grinberg also disputed DEF CON's "unauthorized code" claim, telling us the idea "is hard to understand, as it suggests that the rest of the code is somehow 'authorized.'

"If DEF CON is implying that guidance was provided on the firmware, all I can find in the chat logs was a request for the color image that frames the display of the game and a request that the game auto-start when the badge boots," Grinberg said. "This interpretation would make everything on the badge 'unauthorized code.'"

Furthermore, he was considering bringing a DMCA complaint against DEF CON for its use of his code. Grinberg also wanted to clarify DEF CON's mention of non-payment issues between him and Entropic, which he called "underhanded."

"There has not been, nor is there now, any conflict between me and Entropic," Grinberg explained. "The Easter egg says it all - 'stolen credit returned.'"

Pang, likewise, told us several of the claims in DEF CON's statement were "confusing and disappointing," particularly allegations that the issues the convention experienced weren't unique to the badge order. Pang said he had spoken with several Entropic customers and found "no one has shared [DEF CON's] concerns."

"On the subject of business practices and patterns, though, we encourage the community to reach out to past and current DEF CON conference vendors," Pang claimed. "It seems we may have joined an unfortunate demographic."

Speaking of the badge's software, updates for those unable to save their games (an issue Entropic claimed it was trying to address when the work stoppage was issued) will be made available on DEF CON's badge site. ®

 

https://www.theregister.com//2024/08/13/defcon_badge_disagreement_gets_physical/
