This is the kind of story that perfectly captures why “open source” != “freedom.”
You can run 100% FOSS software and still be completely imprisoned if you give control to a middleman.
The company in this story didn’t just sell “support”, they sold permission. They took something open, wrapped it in contracts, lock-ins, and managed-service handcuffs, and then claimed ownership of it. That’s the new vendor lock-in model: control the interface, not the code.
The chilling part isn’t that they could read customer emails, it’s that they thought it was normal. Somewhere between “managed service” and “surveillance,” the moral line vanished, replaced by legalese.
This story should be printed and taped above every government IT procurement desk.
If you don’t own your servers, your keys, and your contracts, you don’t own your data, no matter how “open” the stack is.
> If you don’t own your servers, your keys, and your contracts, you don’t own your data, no matter how “open” the stack is.
Quite true, but the choice is nearly never between an agency letting someone else own the data and owning it themselves. The idea of switching in one fell swoop from a labyrinth of duplicative, proprietary SaaS/hosted systems to self-managed open source is a fantasy for all agencies. Even if we take that as the goal (not necessarily something I agree with), nobody can get there in a single migration/political season/anything short of years.
Rather, the near-term choice is between who and how many parties own the data. Do you work with a stack of midsize cloud resellers, each of which has questionable quality and a lot of experience maximizing government revenue via advantageous connections and contracts? Or do you work with one of the hyperscaler clouds--higher quality, less specifically designed to exploit gov (I said less, GovCloud, now get your hands out of my wallet!), slightly more friendly to "build what you want how you want" approaches?
Neither of those approaches lets you take ownership of your servers/data/contracts fully. But the latter moves you closer to that ideal; the former does not.
Some companies are just incredibly naive sometimes. Case in point: i work at a game dev studio, and our main competitor on the segment we are on is a game published by Microsoft.
The other day a coworker was talking about how that other game had a tendency to release similar content as us, sometimes right before us, with marketing material that looked eerily like stuff still in production from our marketing team, to the point that they suspected someone was leaking stuff.
Dude, all we do is discussed on teams and it's all in documents stored in office 365. They dont need us to leak anything, they can simply read our team channels and our documents. They probably spend more time discussing plausible deniability with their legal team than researching what we do.
We are also moving our analytics from Tableau to whatever Microsoft's equivalent, and nobody seems to see the issue with that either.
I'm no lawyer, but I would think the purposes for which they read your email and the actions taken subsequently are blatantly illegal, and would invalidate the entire contract.
There are plenty of projects like that. Gitlab, for example, has an open-source "Community Edition" and then "Premium" and "Ultimate" editions which they charge for.
I'm sorry but this reads like AI slop. Or maybe it's not AI slop, it's just regular human-generated slop, but regardless: it's useless.
For one: it's intentionally completely unverifiable. Sure, maybe the writer's not brave enough to break their NDA by sharing names. But it's also convenient: nobody can ever poke holes in the story, or add their own context to it. The story just gets to live on its own and earn internet karma regardless of whether it's at all true.
For two: completely inconsistent. Let's take these two paragraphs:
> A few years earlier, a major public institution - let’s call it Agency A - was still running an ancient Exchange mail server. It hadn’t received security updates for ages, the anti-spam was completely ineffective, and the new regulations were clear: embrace Open Source solutions whenever possible.
> They had already received a proposal - expensive but seemingly reasonable - for a managed service, hosted by an external provider, built on an open source mail stack. The company offered a managed version with its own proprietary additions and enterprise support. The catch? The price was absurd, and Agency A already had solid infrastructure - reputable IP classes, redundant datacenters, everything working fine. We had built and maintained that environment for years, and it was still running perfectly.
So we have just learned in paragraph 1 that the current system is dated and full of security holes and missing features. In paragraph 2 we have learned that the current system's infrastructure is "solid" and "working fine". Can you really say the infrastructure is solid and working fine if it's preventing you from upgrading your Exchange mail server?
And let's take paragraph two: it says the proposal is "expensive but seemingly reasonable" and then one sentence later says "the catch? The price is absurd". How can the price be both "reasonable" and "absurd?"
> However, to protect the privacy of the people and companies involved, I have deliberately mixed things up: technologies, contexts, and specific details have been modified or merged with other experiences.
Why wouldn’t a person stop reading there, unless they were the author’s mom or roommate or something and were reading out of politeness?
I feel like many HN'ers have been in this situation.
I was once in a confedential "back out" of a system. There was some shared code base with the other company. One of our devs made a comment that was something like "Reversing Migration Script" in the code.
In less than an hour from that commit(I didn't know at the time) I was in stuck in a firestorm WTF DID YOU DO battle between the two CEO's of the companies. It turns out that the other company was ACTIVELY spying for such terms in the code so they could react if we tried to leave. It was going to be an honest non renewal at the end of the contract so not even anything shady. I didn't find out till later about how they were spying out so there was this huge witch hunt about who was the rat and such. It was awful.
It seems this level of sociopathy is just the norm these days and I'm just an old fuddy duddy doing regular honest work without having a Machiavellian scheme running in parallel no wonder places only want to hire 20yo's /s /sorta.
I can't help shaking the feeling that it could be ragebait? Which ended up on HN as a result? Sure, companies act like bullies sometimes, but I don't know that I think this story is more likely than "person I've never heard of makes up outrageous story for attention". Both seem equally plausible.
Sounds like Oracle. Of course, they're much more clever about how they do it but always recommend people stay as far away from any of their products as possible.
There’s something odd about this story. Not naming companies is weird - this happened before GDPR which means it happened a minimum of nine years ago. There were no lawyers involved at any point, not even before signing amendments with a company known for punishing vendors on their way out. Nobody even seemed to mind that this shady company with such a bad reputation was reading client emails. There was no attempt to warn anybody or to even solve the problem.
I don’t believe that this ever happened. I don’t know why someone would make up a story like this but this one is very odd.
> a former interim IT manager still had an email client connected via token authentication - with access to all messages. And that person had signed the original contract with the provider years before. Informally questioned, he admitted contacting them "to warn them" but claimed it was harmless.
This kind of behavior rubs me the wrong way. People leaking stuff, breaking compliance and then say - It was just harmless.
I work with a Director who has done something similar multiple times. The chain of events often is - She attends an industry conferences, there she learns about a piece of software, she goes ahead and schedules product demos and solicits a contract. She then contacts the only outsourcing agency she is aware of and promises to give them the implementation contract. Then reaches out as she doesn't have the authority to sign those contracts.
Since the time I have been responsible for product selection this has happened twice. Both times I have been under different managers. Both managers have insisted it was harmless.
Last time this happened the Director was told by promising work and soliciting contracts she was in gross non compliance of the company policies. Her response showed how little she cared. As per her, this was an internal matter and no one could punish her.
Later when we evaluated the product and it promised to "get better with time". All the company's data was being ingested into an AI without regard for enterprise data security rules. Even then her response was - What is the big deal? Everyone reads everyone's data. Legal got involved and shut it down - they asked the product to turn off AI features for our instances.
It is really hard to contend against a malicious or dumb team mate. In a corporate setting if they are higher than you then it is even more difficult. They can chalk it up to a harmless mistake and no one can do a thing.
What you're describing the director do sounds like the favorite pastime of HR directors. They just love going out and changing up the performance review software every couple years without consulting anyone else and paying enormous amounts of money for it. At least the current favorite for this (Lattice) has decent UX versus some of the past ones I saw used all over (PeopleSoft in particular)
> The request was simple: “Evaluate this solution, and if it’s suitable, we’ll migrate.”.
This took me a few tries to figure out. "This solution" is the open source stack without the vendor from the previous paragraph. I thought it was including the vendor and got very confused when more comparisons started to happen.
29 comments
[ 5.3 ms ] story [ 56.4 ms ] threadi would love they mentioned the name of the people involved.
Here's a hot take: Name and Shame.
If this story is true, the author should be shouting their names from the rooftop.
Instead, we get this nonsense.
The company in this story didn’t just sell “support”, they sold permission. They took something open, wrapped it in contracts, lock-ins, and managed-service handcuffs, and then claimed ownership of it. That’s the new vendor lock-in model: control the interface, not the code.
The chilling part isn’t that they could read customer emails, it’s that they thought it was normal. Somewhere between “managed service” and “surveillance,” the moral line vanished, replaced by legalese.
This story should be printed and taped above every government IT procurement desk. If you don’t own your servers, your keys, and your contracts, you don’t own your data, no matter how “open” the stack is.
Quite true, but the choice is nearly never between an agency letting someone else own the data and owning it themselves. The idea of switching in one fell swoop from a labyrinth of duplicative, proprietary SaaS/hosted systems to self-managed open source is a fantasy for all agencies. Even if we take that as the goal (not necessarily something I agree with), nobody can get there in a single migration/political season/anything short of years.
Rather, the near-term choice is between who and how many parties own the data. Do you work with a stack of midsize cloud resellers, each of which has questionable quality and a lot of experience maximizing government revenue via advantageous connections and contracts? Or do you work with one of the hyperscaler clouds--higher quality, less specifically designed to exploit gov (I said less, GovCloud, now get your hands out of my wallet!), slightly more friendly to "build what you want how you want" approaches?
Neither of those approaches lets you take ownership of your servers/data/contracts fully. But the latter moves you closer to that ideal; the former does not.
The other day a coworker was talking about how that other game had a tendency to release similar content as us, sometimes right before us, with marketing material that looked eerily like stuff still in production from our marketing team, to the point that they suspected someone was leaking stuff.
Dude, all we do is discussed on teams and it's all in documents stored in office 365. They dont need us to leak anything, they can simply read our team channels and our documents. They probably spend more time discussing plausible deniability with their legal team than researching what we do.
We are also moving our analytics from Tableau to whatever Microsoft's equivalent, and nobody seems to see the issue with that either.
> The company offered a managed version with its own proprietary additions
Doesn't sound like open source to me?
For one: it's intentionally completely unverifiable. Sure, maybe the writer's not brave enough to break their NDA by sharing names. But it's also convenient: nobody can ever poke holes in the story, or add their own context to it. The story just gets to live on its own and earn internet karma regardless of whether it's at all true.
For two: completely inconsistent. Let's take these two paragraphs:
> A few years earlier, a major public institution - let’s call it Agency A - was still running an ancient Exchange mail server. It hadn’t received security updates for ages, the anti-spam was completely ineffective, and the new regulations were clear: embrace Open Source solutions whenever possible.
> They had already received a proposal - expensive but seemingly reasonable - for a managed service, hosted by an external provider, built on an open source mail stack. The company offered a managed version with its own proprietary additions and enterprise support. The catch? The price was absurd, and Agency A already had solid infrastructure - reputable IP classes, redundant datacenters, everything working fine. We had built and maintained that environment for years, and it was still running perfectly.
So we have just learned in paragraph 1 that the current system is dated and full of security holes and missing features. In paragraph 2 we have learned that the current system's infrastructure is "solid" and "working fine". Can you really say the infrastructure is solid and working fine if it's preventing you from upgrading your Exchange mail server?
And let's take paragraph two: it says the proposal is "expensive but seemingly reasonable" and then one sentence later says "the catch? The price is absurd". How can the price be both "reasonable" and "absurd?"
Overall an annoying read.
You should do this for consumer stuff, but it's mandatory for business stuff.
Why wouldn’t a person stop reading there, unless they were the author’s mom or roommate or something and were reading out of politeness?
I was once in a confedential "back out" of a system. There was some shared code base with the other company. One of our devs made a comment that was something like "Reversing Migration Script" in the code.
In less than an hour from that commit(I didn't know at the time) I was in stuck in a firestorm WTF DID YOU DO battle between the two CEO's of the companies. It turns out that the other company was ACTIVELY spying for such terms in the code so they could react if we tried to leave. It was going to be an honest non renewal at the end of the contract so not even anything shady. I didn't find out till later about how they were spying out so there was this huge witch hunt about who was the rat and such. It was awful.
It seems this level of sociopathy is just the norm these days and I'm just an old fuddy duddy doing regular honest work without having a Machiavellian scheme running in parallel no wonder places only want to hire 20yo's /s /sorta.
1) completely from one person's version of events
2) absolutely unverifiable
I can't help shaking the feeling that it could be ragebait? Which ended up on HN as a result? Sure, companies act like bullies sometimes, but I don't know that I think this story is more likely than "person I've never heard of makes up outrageous story for attention". Both seem equally plausible.
I don’t believe that this ever happened. I don’t know why someone would make up a story like this but this one is very odd.
So is it fiction? Details matter. If any of the details are not true, this makes story is waaay less interesting.
https://news.ycombinator.com/item?id=43985971
This kind of behavior rubs me the wrong way. People leaking stuff, breaking compliance and then say - It was just harmless.
I work with a Director who has done something similar multiple times. The chain of events often is - She attends an industry conferences, there she learns about a piece of software, she goes ahead and schedules product demos and solicits a contract. She then contacts the only outsourcing agency she is aware of and promises to give them the implementation contract. Then reaches out as she doesn't have the authority to sign those contracts.
Since the time I have been responsible for product selection this has happened twice. Both times I have been under different managers. Both managers have insisted it was harmless.
Last time this happened the Director was told by promising work and soliciting contracts she was in gross non compliance of the company policies. Her response showed how little she cared. As per her, this was an internal matter and no one could punish her.
Later when we evaluated the product and it promised to "get better with time". All the company's data was being ingested into an AI without regard for enterprise data security rules. Even then her response was - What is the big deal? Everyone reads everyone's data. Legal got involved and shut it down - they asked the product to turn off AI features for our instances.
It is really hard to contend against a malicious or dumb team mate. In a corporate setting if they are higher than you then it is even more difficult. They can chalk it up to a harmless mistake and no one can do a thing.
This took me a few tries to figure out. "This solution" is the open source stack without the vendor from the previous paragraph. I thought it was including the vendor and got very confused when more comparisons started to happen.
That sounds like it might be grounds for criminal charges, if evidenced properly, the threat of which could be used to get that company to back down.