DEF CON 32's Raspberry Pi RP2350-Powered Badge Sits at the Center of a Major Disagreement
Refusal to pay and manhandling of the firmware author puts DEF CON's latest badge in the spotlight for all the wrong reasons.
The DEF CON 32 badge, a Raspberry Pi RP2350-powered gadget that runs a PalmOS-based Nintendo Game Boy emulator on firmware written by Dmitry Grinberg, has become the subject of a major falling-out — with the event organizers accused of hiding the work of hardware designer Entropic Engineering and Grinberg himself being dramatically manhandled off stage ahead of a scheduled talk on the badge's development.
DEF CON opened its doors for the first time in 1993 as a party for founder Jeff Moss and his friends, and has since grown into a giant security conference that retains a somewhat anarchic reputation despite its attendance by everyone from major cybersecurity firms to federal law enforcement agencies — and, still, the hackers who made it what it is today. Attendees at the event are given an electronic badge as a memento, with this year's being an impressive handheld console built around — and unveiled at the same time as — Raspberry Pi's new RP2350 microcontroller.
The badge, however, has been at the center of a growing storm of discontent as DEF CON organizers stand accused of refusing to pay and credit the designer of the hardware: Entropic Engineering. "Entropic Engineering was approached in January '24 by the DEF CON Badge Team, who were looking for a small company to partner with," Entropic Engineering's Matthew Pang claims in a statement on the company website. "They expressed that they specifically wanted to work with us as a woman-owned, queer- and POC [People of Color]-driven engineering firm to develop an electronic badge with a gaming element for this year’s conference.
"In June, after five months of late night work, badges were fully designed, prototypes were working, and mass production was ongoing with the manufacturers we contracted on behalf of DEF CON. We billed DEF CON for our most recent work, discounting our labor by 25% in order to meet the agreed upon targets. Unfortunately, we were instead met with a work stoppage request and informed we would no longer be paid for services already rendered."
The DEF CON organizers tell a somewhat different tale. "After going overbudget by more than 60%, several bad-faith charges, and with a product still in preproduction," the group claims in an unsigned post, "DEF CON issued a stop work order. Any claims that DEF CON did not pay Entropic Engineering for its hardware or firmware development are false. We decided at that point to finish the badge on our own."
The final straw for engineer Dmitry Grinberg, who had been working free of charge to build the firmware for the badge, appears to have been the disinvitation of Entropic Engineering from a DEF CON talk on the badge's creation and the removal of the company's logo from the badge housing — something DEF CON admits, though stating that "Entropic was not involved in the design and production of the case, and we removed their logo we had added as a courtesy." The result: the insertion of an "Easter egg" in the firmware that, when accessed, revealed the Entropic Engineering logo and a call for donations to a cryptocurrency address.
This, it seems, did not sit well with DEF CON. "[We] became aware that unauthorized code had been included in the firmware we had paid Entropic Engineering to produce," the organizers say. "When asked about the unauthorized code, the engineer said it had been done as a 'joke' two months ago and forgot to remove it, and we decided as an organization not to have him on stage while we kept the slides in the talk giving him credit for his work. We communicated the change in advance of the talk, and this individual decided to show up for the panel anyway. He refused to leave, demanding that our security team remove him."
Grinberg — for he is the engineer in question — has his own take on the subject. "I’m not employed by Entropic nor by [DEF CON]. I did this in my free time so attendees could have a fun badge. [DEF CON] told me less than 30 minutes before the talk that I would no longer be welcome in it," he writes in a series of posts to Reddit. "They offered me the option for me to apologize and I said that I would happily state that I meant to offend nobody. They told me that was not good enough."
When Grinberg went up on stage anyway, staff at the event carried him bodily from the arena — leading Grinberg to give a talk outside the venue instead. A bigger issue for DEF CON: a claim that the firmware on the badges is, as a result of the disagreement, now invalidated for anyone who did not meet Grinberg outside the event to have their badge signed or who has not been in touch with him another way. "I gave [DEF CON] a binary. With no license and no agreement attached. They never had full sources," he explains.
"As far as I’m aware, that does not give them permission to make 28,000 copies of that binary. Unless all those lawsuits about music copying were wrong. Since DEF CON has no contract with me and has no right to my firmware, I expect they will be getting a DMCA [Digital Millennium Copyright Act] notice soon."
At the time of writing, DEF CON had not responded to Grinberg's claims of unlicensed firmware distribution on the badges.