> a former interim IT manager still had an email client connected via token authentication - with access to all messages. And that person had signed the original contract with the provider years before. Informally questioned, he admitted contacting them "to warn them" but claimed it was harmless.
This kind of behavior rubs me the wrong way. People leaking stuff, breaking compliance and then saying, "It was just harmless."
I work with a Director who has done something similar multiple times. The chain of events often is: she attends an industry conference, there she learns about a piece of software, she goes ahead and schedules product demos and solicits a contract. She then contacts the only outsourcing agency she is aware of and promises to give them the implementation contract. Then she reaches out, as she doesn't have the authority to sign those contracts.
Since the time I have been responsible for product selection this has happened twice. Both times I have been under different managers. Both managers have insisted it was harmless.
Last time this happened the Director was told that by promising work and soliciting contracts she was in gross non-compliance with company policies. Her response showed how little she cared. As per her, this was an internal matter and no one could punish her.
Later, when we evaluated the product, it promised to "get better with time": all the company's data was being ingested into an AI without regard for enterprise data security rules. Even then her response was: what is the big deal? Everyone reads everyone's data. Legal got involved and shut it down; they asked the product to turn off AI features for our instances.
It is really hard to contend against a malicious or dumb teammate. In a corporate setting, if they are higher than you, it is even more difficult. They can chalk it up to a harmless mistake and no one can do a thing.
I worked for two very large fortune 100 companies. Both of them had people in management quite obviously taking personal kickbacks from vendors. Sometimes right out in the open. I would loudly point it out in meetings, which got me uninvited from a bunch of meetings.
What you're describing the director doing sounds like the favorite pastime of HR directors. They just love going out and changing up the performance review software every couple of years without consulting anyone else and paying enormous amounts of money for it. At least the current favorite for this (Lattice) has decent UX versus some of the past ones I saw used all over (PeopleSoft in particular).
Sounds like Oracle. Of course, they're much more clever about how they do it but always recommend people stay as far away from any of their products as possible.
> The request was simple: “Evaluate this solution, and if it’s suitable, we’ll migrate.”.
This took me a few tries to figure out. "This solution" is the open source stack without the vendor from the previous paragraph. I thought it was including the vendor and got very confused when more comparisons started to happen.
The author says the company is very litigious. He probably doesn't want them suing him on a personal basis, which makes a lot of sense. Keep in mind their own directors wouldn't pick a fight with this company themselves.
I hope one day we get to see real names in this story.
> to protect the privacy of the people and companies involved
Companies get privacy rights now?
Snark aside, I think I understand how this person feels.
I once worked for a company that did something abhorrent during a natural disaster. I spoke up and was reprimanded, while my coworkers just sat there and accepted it. I came very close to losing my job, and ended up leaving the company at my first opportunity.
It was 20 years ago, and I keep meaning to write an article about it, but never do. It's not that you want to protect the company, or that you're afraid of being sued. But there's something that weighs on you when you think about actually putting the words down.
It's all a decade or more old, so what's the point? Nobody will be held to account. The company is no longer under the same leadership (or even the same name).
My personal blog has a dead-man's switch that will reveal a number of ugly things about several of the companies for which I've worked. But who cares? That's part of the weight. What good will it do? If, by some remote chance, someone reads it, it will only make them mad. How does that help anything?
But I'm also one of those people on HN who's always crying "name and shame." So, I'm a hypocrite. Such is life.
The minefield is just the reality of the Italian business landscape. In a country dominated by small companies run by families and friends, this sort of thing happens every other day.
In that particular story, if true, I bet the writer is a relative of someone in the branch of police dedicated to tax checks (the much-feared Guardia di Finanza, who effectively wields power of life and death over most small businesses).
There are plenty of projects like that. Gitlab, for example, has an open-source "Community Edition" and then "Premium" and "Ultimate" editions which they charge for.
I think it's one of those "reading the letter of the law" instances. European laws (or rather, laws in European countries) often mandate that the public sector use open source. The reasons vary: some of them are about promoting interoperability, avoiding vendor lock-in, and digital sovereignty, and the EU commission has a principle of "public money = public code".
So using open source on someone else's computer technically fulfills that requirement, without satisfying some of the reasons why the requirement exists (vendor lock-in in this particular instance is particularly laughable).
Yup, even for smaller business stuff. For a non-profit I'm on the board of, the staff wanted a more useful printer/copy machine than just a store-bought thing. It's a small office, so I said sure, find something and let us know.
So I get a contract and am told it's been vetted and I should sign it. What I found was outrageous.
- If we cancelled for any reason, including if they just didn't do any of their terms in the contract, we owed the full price of the remaining contract immediately.
- The way they structured it was also as a rental, so we were paying the full purchase price of the equipment embedded into the term of the contract, but it was the vendor's equipment, so if we cancelled we still paid them full price for the equipment, and they got to keep it.
- If there were any legal disputes, no matter which party was at fault, my side would pay for all the lawyers.
I said nope, can't do it. And my staff were pissed at me for like a year because everyone just signs those things.
So make sure you fully read the fine print before signing an agreement for something.
The article makes it sound like that wouldn't have helped.
It states that the terms of the contract were "unilaterally" changed, without anyone being told -- Something that the tech industry has normalized.
Reading the fine print of the signed contract wouldn't have helped, since the contract changed since then.
These days you're lucky if you even get an e-mail saying "Our terms of service have changed, and if you don't like it, tough noogies." People who are not lawyers on HN will say it's illegal, yet it still happens constantly, and doesn't seem to have been struck down in any court, or it wouldn't keep happening.
I'm curious about how the "unilateral amendment" works. If you didn't like the fine print in it, do you have to give your six-month termination notice then and there?
I'm no lawyer, but I would think the purposes for which they read your email and the actions taken subsequently are blatantly illegal, and would invalidate the entire contract.
Yes, but severing would end up in court versus a very belligerent party, who would do their utmost to cost you money. An organization that prioritizes safety over ethics will just suck up the extra cost, apparently.
There are companies and organizations out there fighting for what’s right in courtrooms. Invalidating troll-owned patents, striking down unfair contracts etc. Agency A was obviously not one of those organizations.
Yes, especially since this sounds like a government agency. Some contractor snuck a backdoor into your email servers and is secretly reading them? Imagine what kind of corrupt practices, up to and including foreign espionage, that they could get up to. They could have been justified in sending in the FBI or CIA if this was the US. Probably would have put a stop to their vendor problems really quick.
I feel like many HN'ers have been in this situation.
I was once in a confidential "back out" of a system. There was some shared code base with the other company. One of our devs made a comment that was something like "Reversing Migration Script" in the code.
In less than an hour from that commit (I didn't know at the time), I was stuck in a firestorm WTF-DID-YOU-DO battle between the two CEOs of the companies. It turns out that the other company was ACTIVELY spying for such terms in the code so they could react if we tried to leave. It was going to be an honest non-renewal at the end of the contract, so not even anything shady. I didn't find out till later how they were spying, so there was this huge witch hunt about who was the rat and such. It was awful.
It seems this level of sociopathy is just the norm these days, and I'm just an old fuddy-duddy doing regular honest work without having a Machiavellian scheme running in parallel. No wonder places only want to hire 20-year-olds. /s /sorta
"However, to protect the privacy of the people and companies involved, I have deliberately mixed things up: technologies, contexts, and specific details have been modified or merged with other experiences."
Enough changes to avoid a libel suit, I'd imagine. Like when media outlets use and disclose a fake name for someone's story out of fear for retaliation.
There’s something odd about this story. Not naming companies is weird - this happened before GDPR which means it happened a minimum of nine years ago. There were no lawyers involved at any point, not even before signing amendments with a company known for punishing vendors on their way out. Nobody even seemed to mind that this shady company with such a bad reputation was reading client emails. There was no attempt to warn anybody or to even solve the problem.
I don’t believe that this ever happened. I don’t know why someone would make up a story like this but this one is very odd.
Of course, you're free to think that. Sometimes dynamics aren't very linear and people are more inclined to avoid problems rather than create more. The concern about this company was obviously well-founded and valid, and the people involved didn't like it. Some of the choices they made were undoubtedly questionable, and I admit I was disappointed. Of course, I couldn't tell the whole story or all the details, but in the end, the company didn't get away with it completely. This event gained some traction through word-of-mouth among colleagues, and their user base plummeted in a short time.
The truth is not a defense against libel laws in all countries. Depending on where this is the poster could be out a lot of money just for naming names. As such not naming names is the safe answer.
Even in the US where the truth is a defense, you still can be out a lot of lawyer fees because you can be sued for things you say and it can cost a lot of hours in court.
A company with a history of threatening baseless lawsuits, combined with possible NDAs, or possible professional backlash when a lawsuit-happy company threatens a former employer. Not worth it for a blog post.
Moral of the story is that going to open-source is only part of avoiding the traps that vendors set. You also have to trust the vendor you're working with and make sure that the contract isn't full of lawyer tricks.
The thing that doesn't make sense to me is if there was pretty clear evidence that some vendor had put in a backdoor into the email servers of multiple government agencies and there were directors and managers at all of these agencies that had good reason to believe they were being spied on, then this would have warranted a criminal investigation of the contractor. At that point, voiding the contract, migrating to whatever other email service you have and getting out of the bill would have been easy. It wouldn't have mattered what sneaky language got slipped into the contract by the vendor, you do not ever get to spy on internal government emails.
The point of this story is that open source can't protect you against a bully with a legal department at his command, and neither can it protect you against bad contract clauses. Frivolous legal threats may be frivolous, but you have to prove that in court and a lot of companies would rather take the easier way out to avoid having to do that.
The "FOSS" company never directly threatened the author, but the implication of it alone was enough to scare off both agencies. Given a lot of the tech is mixed up here on purpose, there's a few FOSS companies & vendors I can think of with legal departments that I'd describe as "pretty aggressive" and "expensive for a managed solution" that aren't solely about Exchange related services but would definitely behave like this, given their PR over the years at times has had slipped masks.
Know your contracts. Read the fine print. Be careful who you do business with. Not all companies selling services for open source software embrace the ethos that we assume they do.
After reading the story, I can understand why somebody would not name and shame. The author could be inviting lawsuits from a company that clearly has no qualms playing dirty.
Some companies are just incredibly naive sometimes. Case in point: I work at a game dev studio, and our main competitor in the segment we are in is a game published by Microsoft.
The other day a coworker was talking about how that other game had a tendency to release similar content as us, sometimes right before us, with marketing material that looked eerily like stuff still in production from our marketing team, to the point that they suspected someone was leaking stuff.
Dude, all we do is discussed on Teams and it's all in documents stored in Office 365. They don't need us to leak anything; they can simply read our Teams channels and our documents. They probably spend more time discussing plausible deniability with their legal team than researching what we do.
We are also moving our analytics from Tableau to whatever Microsoft's equivalent is, and nobody seems to see the issue with that either.
> However, to protect the privacy of the people and companies involved, I have deliberately mixed things up: technologies, contexts, and specific details have been modified or merged with other experiences.
Why wouldn’t a person stop reading there, unless they were the author’s mom or roommate or something and were reading out of politeness?
How in the world did you read "hit piece on open source" into this article? There's nothing negative about open source at all, he's making exactly the same point as you.
I'm sorry but this reads like AI slop. Or maybe it's not AI slop, it's just regular human-generated slop, but regardless: it's useless.
For one: it's intentionally completely unverifiable. Sure, maybe the writer's not brave enough to break their NDA by sharing names. But it's also convenient: nobody can ever poke holes in the story, or add their own context to it. The story just gets to live on its own and earn internet karma regardless of whether it's at all true.
For two: completely inconsistent. Let's take these two paragraphs:
> A few years earlier, a major public institution - let’s call it Agency A - was still running an ancient Exchange mail server. It hadn’t received security updates for ages, the anti-spam was completely ineffective, and the new regulations were clear: embrace Open Source solutions whenever possible.
> They had already received a proposal - expensive but seemingly reasonable - for a managed service, hosted by an external provider, built on an open source mail stack. The company offered a managed version with its own proprietary additions and enterprise support. The catch? The price was absurd, and Agency A already had solid infrastructure - reputable IP classes, redundant datacenters, everything working fine. We had built and maintained that environment for years, and it was still running perfectly.
So we have just learned in paragraph 1 that the current system is dated and full of security holes and missing features. In paragraph 2 we have learned that the current system's infrastructure is "solid" and "working fine". Can you really say the infrastructure is solid and working fine if it's preventing you from upgrading your Exchange mail server?
And let's take paragraph two: it says the proposal is "expensive but seemingly reasonable" and then one sentence later says "the catch? The price is absurd". How can the price be both "reasonable" and "absurd?"
I agree it's not written in the clearest way, nor verifiable (though Stefano Marinelli does seem to be a semi-public figure in the online IT community, so it's not some anonymous blog).
>So we have just learned in paragraph 1 that the current system is dated and full of security holes and missing features. In paragraph 2 we have learned that the current system's infrastructure is "solid" and "working fine".
This confused me too, until I realized that he probably meant that his company set up the hardware infrastructure ("reputable IP classes, redundant datacenters"), but doesn't manage the software. Otherwise, why shred your own credibility from the first sentence by crapping on the "ancient," "insecure," and "ineffective" Exchange server?
>How can the price be both "reasonable" and "absurd?"
> I'm sorry but this reads like AI slop. Or maybe it's not AI slop, it's just regular human-generated slop, but regardless: it's useless.
> For one: it's intentionally completely unverifiable. Sure, maybe the writer's not brave enough to break their NDA by sharing names. But it's also convenient: nobody can ever poke holes in the story, or add their own context to it. The story just gets to live on its own and earn internet karma regardless of whether it's at all true.
I’m not sure why this would be surprising: it’s a personal story shared on a blog, not an investigative article in a newspaper.
I also don't think it helps to call everything "AI slop" these days just because one doesn't like it for some reason.
Updating Exchange would have meant spending a lot on new licenses to upgrade to a new release, and public administrations were encouraged to seek open-source solutions. The underlying server infrastructure was solid, but the VM with Exchange was now old. The entire setup would have needed to be redone. The second paragraph, on the other hand, says that the quote was "acceptable" for them, knowing the average costs for that service. But it was also very high, even in the opinion of the IT manager.
This isn't AI slop. These are real-life experiences. The goal is to raise awareness that open source doesn't always and necessarily mean freedom: lock-in exists.
This is the kind of story that perfectly captures why “open source” != “freedom.”
You can run 100% FOSS software and still be completely imprisoned if you give control to a middleman.
The company in this story didn’t just sell “support”, they sold permission. They took something open, wrapped it in contracts, lock-ins, and managed-service handcuffs, and then claimed ownership of it. That’s the new vendor lock-in model: control the interface, not the code.
The chilling part isn’t that they could read customer emails, it’s that they thought it was normal. Somewhere between “managed service” and “surveillance,” the moral line vanished, replaced by legalese.
This story should be printed and taped above every government IT procurement desk.
If you don’t own your servers, your keys, and your contracts, you don’t own your data, no matter how “open” the stack is.
I disagree that you can’t own something that isn’t physically controlled by you. Almost all of us have money which is not kept on our persons or property, in banks and investments. I think people would be outraged if someone told them it belonged to the bank.
What’s really important is the laws and regulations governing ownership. Ownership in a modern society is nearly entirely a legal construct. Ownership of data shouldn’t be any different.
> If you don’t own your servers, your keys, and your contracts, you don’t own your data, no matter how “open” the stack is.
Quite true, but the choice is nearly never between an agency letting someone else own the data and owning it themselves. The idea of switching in one fell swoop from a labyrinth of duplicative, proprietary SaaS/hosted systems to self-managed open source is a fantasy for all agencies. Even if we take that as the goal (not necessarily something I agree with), nobody can get there in a single migration/political season/anything short of years.
Rather, the near-term choice is between who and how many parties own the data. Do you work with a stack of midsize cloud resellers, each of which has questionable quality and a lot of experience maximizing government revenue via advantageous connections and contracts? Or do you work with one of the hyperscaler clouds--higher quality, less specifically designed to exploit gov (I said less, GovCloud, now get your hands out of my wallet!), slightly more friendly to "build what you want how you want" approaches?
Neither of those approaches lets you take ownership of your servers/data/contracts fully. But the latter moves you closer to that ideal; the former does not.
1oooqooq|4 months ago
I would love it if they mentioned the names of the people involved.
buran77|4 months ago
https://news.ycombinator.com/item?id=43985971
adrian17|4 months ago
> The company offered a managed version with its own proprietary additions
Doesn't sound like open source to me?
Workaccount2|4 months ago
You should do this for consumer stuff, but it's mandatory for business stuff.
sneak|4 months ago
There is no other way to log into IRS.gov.
You can’t watch YouTube without a Google account.
You can’t be in the parent group chat without agreeing to the Meta TOS for WhatsApp.
The list goes on.
kazinator|4 months ago
That sounds like it might be grounds for criminal charges, if evidenced properly, the threat of which could be used to get that company to back down.
bombcar|4 months ago
Like the old NSA copypasta.
hamilyon2|4 months ago
So is it fiction? Details matter. If any of the details are not true, this makes the story waaay less interesting.
rossdavidh|4 months ago
1) completely from one person's version of events
2) absolutely unverifiable
I can't help shaking the feeling that it could be ragebait? Which ended up on HN as a result? Sure, companies act like bullies sometimes, but I don't know that I think this story is more likely than "person I've never heard of makes up outrageous story for attention". Both seem equally plausible.
megiddo|4 months ago
Here's a hot take: Name and Shame.
If this story is true, the author should be shouting their names from the rooftop.
Instead, we get this nonsense.
Moosdijk|4 months ago
That's easier said than done, hence why Stefano probably didn't.
lezojeda|4 months ago
clownpenis_fart|4 months ago
The other day a coworker was talking about how that other game had a tendency to release similar content as us, sometimes right before us, with marketing material that looked eerily like stuff still in production from our marketing team, to the point that they suspected someone was leaking stuff.
Dude, all we do is discussed on Teams and it's all in documents stored in Office 365. They don't need us to leak anything, they can simply read our Teams channels and our documents. They probably spend more time discussing plausible deniability with their legal team than researching what we do.
We are also moving our analytics from Tableau to whatever Microsoft's equivalent is, and nobody seems to see the issue with that either.
ACCount37|4 months ago
[deleted]
draga79|4 months ago
OutOfHere|4 months ago
justin66|4 months ago
Why wouldn’t a person stop reading there, unless they were the author’s mom or roommate or something and were reading out of politeness?
OutOfHere|4 months ago
gipp|4 months ago
elijahcarrel|4 months ago
For one: it's intentionally completely unverifiable. Sure, maybe the writer's not brave enough to break their NDA by sharing names. But it's also convenient: nobody can ever poke holes in the story, or add their own context to it. The story just gets to live on its own and earn internet karma regardless of whether it's at all true.
For two: completely inconsistent. Let's take these two paragraphs:
> A few years earlier, a major public institution - let’s call it Agency A - was still running an ancient Exchange mail server. It hadn’t received security updates for ages, the anti-spam was completely ineffective, and the new regulations were clear: embrace Open Source solutions whenever possible.
> They had already received a proposal - expensive but seemingly reasonable - for a managed service, hosted by an external provider, built on an open source mail stack. The company offered a managed version with its own proprietary additions and enterprise support. The catch? The price was absurd, and Agency A already had solid infrastructure - reputable IP classes, redundant datacenters, everything working fine. We had built and maintained that environment for years, and it was still running perfectly.
So we have just learned in paragraph 1 that the current system is dated and full of security holes and missing features. In paragraph 2 we have learned that the current system's infrastructure is "solid" and "working fine". Can you really say the infrastructure is solid and working fine if it's preventing you from upgrading your Exchange mail server?
And let's take paragraph two: it says the proposal is "expensive but seemingly reasonable" and then one sentence later says "the catch? The price is absurd". How can the price be both "reasonable" and "absurd?"
Overall an annoying read.
MontyCarloHall|4 months ago
>So we have just learned in paragraph 1 that the current system is dated and full of security holes and missing features. In paragraph 2 we have learned that the current system's infrastructure is "solid" and "working fine".
This confused me too, until I realized that he probably meant that his company set up the hardware infrastructure ("reputable IP classes, redundant datacenters"), but doesn't manage the software. Otherwise, why shred your own credibility from the first sentence by crapping on the "ancient," "insecure," and "ineffective" Exchange server?
>How can the price be both "reasonable" and "absurd?"
Agreed, this part makes no sense.
jotaen|4 months ago
> For one: it's intentionally completely unverifiable. Sure, maybe the writer's not brave enough to break their NDA by sharing names. But it's also convenient: nobody can ever poke holes in the story, or add their own context to it. The story just gets to live on its own and earn internet karma regardless of whether it's at all true.
I’m not sure why this would be surprising: it’s a personal story shared on a blog, not an investigative article in a newspaper.
I also don’t think it helps calling everything “AI slop” these days only if one doesn’t like it for some reason.
draga79|4 months ago
This isn't AI slop. These are real-life experiences. The goal is to raise awareness that open source doesn't always and necessarily mean freedom: lock-in exists.
ACCount37|4 months ago
Low coherence sentence to sentence, stray em dashes, loads of those LLM-was-trying-too-hard writing turns.
If it wasn't written by an AI entirely, then at least it was edited to shit by one.
poszlem|4 months ago
The company in this story didn’t just sell “support”, they sold permission. They took something open, wrapped it in contracts, lock-ins, and managed-service handcuffs, and then claimed ownership of it. That’s the new vendor lock-in model: control the interface, not the code.
The chilling part isn’t that they could read customer emails, it’s that they thought it was normal. Somewhere between “managed service” and “surveillance,” the moral line vanished, replaced by legalese.
This story should be printed and taped above every government IT procurement desk. If you don’t own your servers, your keys, and your contracts, you don’t own your data, no matter how “open” the stack is.
mr_toad|4 months ago
What’s really important is the laws and regulations governing ownership. Ownership in a modern society is nearly entirely a legal construct. Ownership of data shouldn’t be any different.
zbentley|4 months ago
Quite true, but the choice is nearly never between an agency letting someone else own the data and owning it themselves. The idea of switching in one fell swoop from a labyrinth of duplicative, proprietary SaaS/hosted systems to self-managed open source is a fantasy for all agencies. Even if we take that as the goal (not necessarily something I agree with), nobody can get there in a single migration/political season/anything short of years.
Rather, the near-term choice is between who and how many parties own the data. Do you work with a stack of midsize cloud resellers, each of which has questionable quality and a lot of experience maximizing government revenue via advantageous connections and contracts? Or do you work with one of the hyperscaler clouds--higher quality, less specifically designed to exploit gov (I said less, GovCloud, now get your hands out of my wallet!), slightly more friendly to "build what you want how you want" approaches?
Neither of those approaches lets you take ownership of your servers/data/contracts fully. But the latter moves you closer to that ideal; the former does not.
draga79|4 months ago