To be clear, it’s not just trial abuse — it’s actively ignoring the better, freer option in favor of repeatedly faking evaluations just to get the “easy mode.”
We’ll definitely tighten things up going forward. But in nearly a decade of doing this, they're the only ones to push it to this scale. So yeah, they've earned a spot in our open source hall of shame.
A company is exploiting your free-trial offer, defrauding your project of resources even if it is only a buck and a half. Why are you sending them money? Just shut them down. Unless you have some really unfortunate wording in your TOS, there is nothing they can do. On Monday, send an e-mail to all accounts associated with $COMPANY and tell them in clear terms that you are going to terminate their free-trials COB EOW. Leave a special contact number to negotiate fees, wait for your phone to ring.
Seriously, why are you putting up with this?
I can understand that.
Obstacles to free trials and such often are more hassle than they're worth, and a determined person can get around them anyway.
This is why free trials require credit cards upfront, as they're more difficult to fake, not because you're about to be stealth billed. It's thanks to people like this.
There is a difference: this rocket company is not really going to generate a new virtual card every time? You think their business bank account even supports that?
https://www.nzherald.co.nz/business/companies/rocket-lab-rev...
And yeah:
> The company that developed and launched rockets in New Zealand and the United States, as well as spacecraft and software systems, made US$123 million revenue in the three months to the end of March.
I don't think it's Rocket Lab.
[0] https://www.macrotrends.net/stocks/charts/RKLB/rocket-lab-us...
I truly loved the way this article is written. To the point, sharp and quite comical. I certainly hope they manage to clean the mess up.
Oh for the love of tech, do chase them. This absolutely has to be in breach of the terms of your trial; take them to court. If not, then at the very least name and shame the company, so some dumb manager orchestrating this silly theft will get fired and someone more mature can be rotated in.
We’re not rushing into legal action — it’s not worth the energy for now — but publicly calling out the behavior felt necessary. It also sends a message to others in the ecosystem about the kind of nonsense OSS maintainers sometimes face.
And yes, while I’m still holding off on naming the company directly… I haven’t ruled it out.
"it’s not worth the energy for now"
Not sure what the amount is, but Small Claims is pretty straightforward and energy efficient? You can get like 10K depending on jurisdiction. The whole trial is like 1 hour.
That said, I think that small cases are still worth pursuing on a matter of principle and strategy.
It's better to practice pursuing payment from international clients when it's small amounts you don't care about, so that you are prepared if you have an issue with a huge client and bankruptcy is on the line.
> I’m still holding off on naming the company directly
Does not compute. Why not name them?
(It was in France so the lawyers' fees weren't what they are in the US. But the way people advised me not to sue, was very similar.)
Legal risk. If the company decides to be a litigious prick about being named & shamed they might not win, but before losing they'll cost the product owner a pile of time and, at least temporarily, money.
Stating the errant company's industry and size gives us plenty of information to make an educated guess, without actually stating the name. I suspect that this action blocks any useful future relationship as much as direct naming would, so that risk has been taken, but I also assume that no such beneficial relationship was likely to happen anyway so doing this is worth it to get the publicity, both through the story and perhaps a little cheeky marketing down the road (“as used extensively by the famous company we won't name, but you can guess”).
One thing I would definitely do at this point, now the company knows they have been detected, is to try¹ to make sure all support for that company is on the lowest priority possible. Absolute minimum response time 24 hours. 24 working hours, especially if the issue seems urgent to them. No responses beyond automated ones outside of normal business hours. Never try to guess: any missing information in a support query gets queried and the subsequent clarifying responses are subject to the same 24+ working hour latency. If anyone tries the “we are a big company, you should prioritise this” thing, respond with “With an email address like that? Yeah, nah.” or more directly “We know, a big company who knows it is massively in breach of our licence, and yet we are still generously responding to you at all.”
------
[1] They may of course have/find crafty ways to get around this too, but if they are determined to avoid doing the right thing at least make them work to avoid doing the right thing!
The company will just apologise and the CEO will make sure to tell everyone they know never to deal with this vendor ever again. IT is a very small world and reputations last a long time.
Second, some thoughts.
A. State in your policy that multiple trials are possible but may incur a rest period between activations for a “given company.” Even 5 days should be reasonable for honest folks but cause a pain point for dishonest ones.
B. If you can add a license activation feature to your software, collect metrics when you present the license activation screen, and “bake in” the telemetry to your trial license key request. Things like CPU ID, hard drive serial numbers, TPM quotes, asset tag serial number. Use that telemetry to determine “given company.” The abusers are likely installing this on the same system over and over.
C. Independent of the activation idea, if the trial hard-stops after 30 days, maybe you could delay the approval process on all new trials by X days (X randomly chosen from range 0..5, and all trial requests independent of requestor) and then activate the product for 30-X days. Assuming the dishonest ones have integrated the VM into their production systems, this will cause an unpredictable unavailability and trigger a pain point somewhere. At worst, it will cause them to step up their request efforts.
As others probably are saying, this might be one for the lawyers.
The CEO will prob hand you off to some director who is going to be annoyed that they were made out to look foolish and that they now have a task that the CEO is going to want regular status updates on.
Why would you think that a CEO would involve himself in matters like this?
Especially given that whichever aerospace company it is would be far more concerned with issues like tariffs, geopolitics, recession risks etc than whether or not a company is using an open source versus a community edition of some forgettable infrastructure component.
Also choosing to pursue legal action instead of simply blocking them from downloading more free trials seems childish and short sighted.
They can easily move to the hundreds of alternative platforms which do exactly the same thing.
It's not like changing a light bulb.
At that point I would have created some scripts to randomly reboot or fuck with their VMs. How long will you accept this? They won't pay ever.
When I was a teenager I would do super cut-rate work on computers for people, and my father did helpfully point out that undercharging for valuable work just makes it harder for people whose day job is to do the same work, because then they have to compete with a naive teenager. You're the kind hearted OSS / freemium vendor in this case. Threatening legal action costs nothing. Punishment is meant as a deterrent for antisocial behavior. Failing to even threaten them will result in less money going to people who deliver a public good.
Not really. If you want it to have teeth, then it should come under a lawyer's letterhead, and that usually costs something (probably not much, for one letter).
It costs your reputation as a vendor which is permanent.
You don't threaten legal action against companies before calmly advising them of the situation.
You say that as if that is some bad thing. As a vendor you want to have a reputation for asking what you are fairly owed. The other option is to have a reputation for being a wet tissue anyone can walk through.
> You don't threaten legal action against companies before calmly advising them of the situation.
These are not incompatible with each other. Of course you calmly advise the company of the situation. 100%. You tell them that their 15 day trial period lapsed at <date> and that they continue using the <product> without proper license in place. You tell them where they can reach out to find the right licence for their needs. And you tell them that you intend to pursue them for damages if they remain out of compliance. All very calmly and professionally. Nobody is angry with anyone here. There is no bad blood. It is just a contracting oopsie!
Wth. Why go public instead of just... emailing them, and asking for payment?
So we reached out.
They vaguely apologized and claimed they’d switch to using the source version instead.
Which — fine. Not ideal, but technically within the rules. What stung more was their complete disinterest in any kind of professional support — even when we simply brought up the idea of a volume discount (!). They shut it down immediately. Apparently, sending satellites into orbit is easier than entertaining the thought of paying for open source support.
And did they actually switch to the source?
Of course not.
They just kept going — now using personal Outlook addresses and incrementing the email handles like they were running a script.
I've seen huge delays spanning months, and needing approvals from the very top, which you need to keep following up and makes the entire process a very painful experience.
Maybe it's by design to reduce costs but it happens even in places where the budget is overflowing and underused.
Payments won't happen until things are literally burning or production is about to go down tomorrow and the fear of the client getting super mad (that a relatively small payment couldn't be made in months) will drive some urgency. Sometimes not even then, so people are left with bad choices: let something terrible happen or make terrible workarounds like in the article. This results in a drive to only use free tools or make do with none.
I hope this results in better and easier accounting practices, which is probably ripe for disruption.
People will always find ways to use things to the limit or abuse them. You need to consider where to put the limit to balance user experience vs. preventing abuse.
As things stand there is no point in going legal. Either let it slide or block them and use it for PR with a blog post and an HN submission (wait a minute ;)
What silly "all or nothing" thinking.
You don't have to "go legal" on every free trial abuse, just the egregious ones. Here we have a company that's been abusing the free trial for 10 years and 1000s of instances. Vates rightfully can claim millions (~40M to be exact) from this instance. The company, in particular, can't claim they didn't know this wasn't allowed because they automated creating fake email accounts to abuse the situation.
It's particularly more egregious because Vates allows companies to build and maintain the software directly without support for free.
Be kind. Don't be snarky. Converse curiously; don't cross-examine. Edit out swipes.
When disagreeing, please reply to the argument instead of calling names. "That is idiotic; 1 + 1 is 2, not 3" can be shortened to "1 + 1 is 2, not 3."
"Our product is so great aerospace companies are literally stealing it, also have you seen our new 30 day trial? So back to that aerospace company and how cheaply it could use our software, just take a look at our current offerings..."
VMware enterprise tier is probably 10x more expensive.
Job done.
Love it. I appreciate the humor and good example behind that.
It's entirely likely the company is spending more money on staff time, than on the product.
I also cannot even imagine running mission-critical stuff on free trials (I have heard of it, before. I think Adobe was successfully sued, once, because someone created an image in their free trial, and then, couldn't open it, after the trial expired).
If I were one of that company's customers, I'd be fairly concerned.
Unless your job involves critiquing the header image of people’s personal blogs I don’t think these are equivalent.
[0] https://github.com/TirrenoTechnologies/tirreno
(creator of tirreno)
This is not about overly promoting the product, it’s about making clear that you are promoting your product (or project, doesn’t even have to be a product).
How does it detect if an email account is freshly registered?
Sucks for people who don't use their addresses for just about anything.
Additionally, I assume that registrations are coming from the same IP or network, which should make it simple to detect through the platform.
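The detection ideas raised in this thread (a rest period between activations for a "given company", handles incremented like a script on free-mail domains, signups clustered on one network) can be checked from a signup log. The following is an added example, not Vates' or tirreno's code; the signup records are constructed, and the /24 grouping, the 5-day cooldown and the free-mail domain list are assumptions.

```python
"""Trial-abuse detector over constructed signup records (added example).

Flags, per source /24 network: free-mail addresses whose local part only
differs by a numeric suffix, and repeat activations inside a cooldown window.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

FREE_MAIL = {"outlook.com", "gmail.com", "hotmail.com"}  # assumed list
COOLDOWN = timedelta(days=5)  # assumed "rest period" between activations

# Constructed sample signups: (email, source IP, activation time, ISO 8601)
SIGNUPS = [
    ("jdoe@rocketco.example", "203.0.113.10", "2025-01-02T09:00"),
    ("jdoe1@outlook.com", "203.0.113.11", "2025-01-18T09:00"),
    ("jdoe2@outlook.com", "203.0.113.12", "2025-02-02T09:00"),
    ("jdoe3@outlook.com", "203.0.113.12", "2025-02-03T10:00"),
    ("alice@othercorp.example", "198.51.100.7", "2025-02-10T12:00"),
]


def normalize_handle(email):
    """'J.Doe3@outlook.com' -> 'jdoe': lowercase, drop dots and a trailing number."""
    local = email.split("@")[0].lower().replace(".", "")
    return re.sub(r"\d+$", "", local)


def detect_abuse(signups, cooldown=COOLDOWN):
    """Group signups by /24 network and report the two patterns above.

    Returns {network: {"sequential_handles": {stem: [emails]},
                       "cooldown_hits": count}} for networks with findings.
    """
    by_net = defaultdict(list)
    for email, ip, ts in signups:
        net = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        by_net[net].append((datetime.fromisoformat(ts), email))

    findings = {}
    for net, rows in by_net.items():
        rows.sort()  # chronological, so gaps between consecutive signups are meaningful
        stems = defaultdict(list)
        for _, email in rows:
            stems[normalize_handle(email)].append(email)
        # A stem reused more than once, with at least one free-mail domain,
        # is the "jdoe1, jdoe2, jdoe3" pattern.
        sequential = {
            stem: emails for stem, emails in stems.items()
            if len(emails) > 1 and any(e.split("@")[1] in FREE_MAIL for e in emails)
        }
        # Consecutive activations from the same network inside the cooldown.
        cooldown_hits = sum(
            1 for (t0, _), (t1, _) in zip(rows, rows[1:]) if t1 - t0 < cooldown
        )
        if sequential or cooldown_hits:
            findings[net] = {"sequential_handles": sequential,
                             "cooldown_hits": cooldown_hits}
    return findings


if __name__ == "__main__":
    for net, hit in detect_abuse(SIGNUPS).items():
        print(net, hit)
```

On the sample data only 203.0.113.0/24 is reported: four "jdoe" variants (three on outlook.com) and one activation a day after the previous one.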
I saw that your company is in Grenoble. Just drop me an email, and I will personally come to your office and help set up tirreno to resolve this trial abuse.
Anyway, I'm doing my best to keep my own "signature" in writing, but it's really hard when you see a better phrasing generated on your original more limited vocabulary. But anyway, I'll do better next time, thanks for the feedback!
(I'm not a native speaker either)
> Hard to say if it was a mistake, a flex, or just their way of making sure we didn’t miss who was milking the trials.
> It’s tested. It updates with a single click. It saves time and reduces risk. That’s what we sell. And that’s what they keep pirouetting around with their email dance.
> We’re not going to waste days chasing them. But at some point, this goes beyond saving a few bucks: it becomes performance art.
I’d assert that unless it was specifically trained on my writing style, it is almost impossible to “prompt away” the tone it uses.
And that is the thing about authentic snark, it is crisp and edgy and unique. But LLM’s are trained in a way that would average out millions of different “snarks” so all of the attributes that make snark work go away.
Worst case, they just mysteriously stop using your product.
If "Rocket Company" averaged 30 machines per month, max $1600 per month let's say $600k / year before discount. Maybe kept 3 million dollars over 10 years. I imagine the only way Vates will get paid for their service is if control is taken from the operational groups doing the actual work and "abstracted" to a centralized IT group.
Without further enterprise negotiations, it's 1800 per host/year. $180k max.
I don't blame Vates for refusing to chase down the company. They'll bring you way more pain as paying clients than the shameless theft they're perpetuating.
Time to disable the free trial for a month halfway into their trial and see how it goes. This is probably why most trials now request you to reach sales first (well, on top of obviously ensuring they have a way to send an offer).
Being scrappy early on is part of the job, but when you are starting to generate revenue it’s time to convert your free tiers to starter tiers as you scale.
I’m sorry that there are people in our industry who choose to behave this way.
And even with this, what happens if the company simply shares the company phone, authenticates, then removes the phone and switches to OTP (for each time, or each user)? Unless a phone number cannot be used twice... which means you have to keep storing it, and handle the support requests when a number is legitimately recycled (and how do you differentiate that?)
Offering something that is quite full featured for free (even as a trial) will get it exploited; it's only going to be increasingly the case going forward. The internet is hostile, and getting more hostile.
They are stealing from you. As you point out, you go out of your way to help companies with your OSS options: you’re way on the right side of principled and generous. This is abuse. Don’t put up with it.
Given the history, I’d suggest a short C&D recounting the 10 years(!) of theft, the measures they’ve gone to, and tell them they have 15 days to either stop or get licensed, or you will seek 10 years of back licensing, interest and penalties. I assure you that you will receive a call from someone. Especially if you have to turn the software off on day 16.
Anyway this seems substantial to me, but also there’s an ethical and philosophical question of responsibilities. Do you have more responsibility to your employees and shareholders or to this space company? Even if you’re crazy rich as a company, I propose as the CEO you owe a pretty strong duty to those stakeholders to try and recover stolen assets. You don’t have to be mad at random spaceco, but I propose you might think hard before walking away.
Quick edit: just to frame your head on this: If the company is in the US then this behavior likely falls under DMCA anti-circumvention laws. If it does, people would have criminal liability. Now, I believe the DMCA is terrible legislation; it lets corporations create criminal liability through license agreements. But, it is the law of the land here, and I would guess as soon as your attorney can lay this out, and their attorneys get an eye on it, you will find willing negotiation happening.
This won't go to court, the actions are indefensible. The only argument will be how much they have to pay the OPs company.
Why not do what most profit-conscious companies would do and just say "we notice unusual activity and..."
I think the thrill of beating a system and getting away with it is as much a factor as anything. And I get it.
God bless those among us who steal the candy bowl at Halloween.
How about creating a "Wall of Shame" page and naming and shaming such companies, until they get the message that they have the financial resources to pay?
The worst they can do is not pay it.
If they secretly keep getting free trials by pretending to be unaffiliated, then escalate to 1) blocking the fake ones when you discover them (very annoying to them, even if you don't get them all) and 2) as a very last resort, legal threats.
The goal is to get them onboarded as paying customers. Every other outcome is effectively a loss. You want to be polite but firm.
Arr, the use of "pirouetting" is such ticklingly brilliant punnage, mematey.
There will be a security officer at such a company. If I was that officer, I would be profoundly unhappy that employees, whose job (by the nature of the company) regularly takes them into classified waters, were freely giving their personal gmails to a third party overseas. I mean, you just broadened the attack surface on the employees by tying them to their presence in the Google ecosystem. Yikes.
Isar Aerospace has funding from NATO, for example :P
> We’re not going to waste days chasing them. But at some point, this goes beyond saving a few bucks: it becomes performance art.
It's likely that the CEO is not aware(...hopefully); it's a good idea to reach out to them asap. Do try and point out what's going on.
If anything, the sooner you reach out, you'll be doing the business (and whoever is backing it) a favor: trust has been misplaced. Somebody chose a very unprofessional path with what (one can assume) is a very critical system.
On the freeloader end: Did they think they were within the rules? How far up was the approval to keep doing it this way? Did someone try to pay, but get blocked? Did someone tell their boss they did this all in-house, and now doesn't want to admit they outsourced and exposed the company? Did it go to the top, and a lawyer told them to put the company name and a real person each time, and that they were covered on good faith if they only did that?
On the provider end: Seeing this locked-in enterprise user for 10 years, how was a salesperson not all over that slam-dunk sale? How did they let this go on for 10 years without tweaking their policy to stop the freeloader and any others who might emulate them? What did the business people say about this over the years when it came up? Was business so good it wasn't worth the time to convert the freeloader to a paying customer?
Step 1: Modify OSS repository to gain control of satellites Step 2: ... Step 3: Profit!
Knowing the details of an open source tool a company uses does not magically give you a backdoor.
By that logic, merely knowing coinbase uses the open source go language for some things would let you steal all their crypto, and I assure you if it was that simple their coffers would be empty.
btw I use linux and firefox and have an unencrypted bitcoin wallet.dat on my computer, feel free to prove me wrong.
If you feed stray dogs, you end up with a neighborhood full of dogshit everywhere you step. Bill them; if they don’t pay, talk to an attorney.
EDIT: Change your terms so that any usage off planet is specifically prohibited by the free trial license.
If they're using it in prod then there are plenty of regulations that should force them to establish a real support relationship.
Sometimes this type of stuff happens for a prototype that an org is trying to get funded, but not for 10 years. I'd collect all of the org email addresses they used for the initial d/ls and contact them first- maybe one of the ones from ten years ago has gotten promoted to a point where they can establish a paid relationship or approve use of the open source version.
Placed in a marketing context, this human attention could be converted to revenue from other customers. Fund a creative writing competition on VeryBigCo Procurement Anti-Patterns and Shadow IT. Prizes could be paid licenses. If you get enough entries, ask a business school to do a case study on the same subject, then organize a multi-vendor survey on the topic. Also, memes.
You may also need to update the ToS on the trial. At some point, a motivated salesperson could convert the account with a multi-year license that covers both past and future usage.
It talks about the breach of some unwritten contract. But surely they should have a very written, real world contract to describe the terms of that 15 day trial. And this should be a breach of that. The fact that this is not mentioned, or even entertained as a notion is concerning.
Moral contracts are good for philosophy discussions. Real contracts are much better when you need to use instruments of law to get someone to do something.
“Deceptive use against third party services by creating multiple email accounts to pretend to be multiple users of their service”
Because if you want to maintain a good reputation with people, you don’t facilitate people taking advantage of them.