Ground control to Major Trial

(virtualize.sh)

456 points | by plam503711 10 hours ago

176 comments

  • vessenes 9 hours ago

    It’s probably time to channel Larry Ellison and shake these guys down. Or at least shake their pockets for loose change.

    They are stealing from you. As you point out, you go out of your way to help companies with your OSS options: you’re way on the right side of principled and generous. This is abuse. Don’t put up with it.

    Given the history, I’d suggest a short C&D recounting the 10 years(!) of theft, the measures they’ve gone to, and tell them they have 15 days to either stop or get licensed, or you will seek 10 years of back licensing, interest and penalties. I assure you that you will receive a call from someone. Especially if you have to turn the software off on day 16.

    Anyway this seems substantial to me, but also there’s an ethical and philosophical question of responsibilities. Do you have more responsibility to your employees and shareholders or to this space company? Even if you’re crazy rich as a company, I propose as the CEO you owe a pretty strong duty to those stakeholders to try and recover stolen assets. You don’t have to be mad at random spaceco, but I propose you might think hard before walking away.

    Quick edit: just to frame your head on this: if the company is in the US then this behavior likely falls under DMCA anti-circumvention laws. If it does, people would have criminal liability. Now, I believe the DMCA is terrible legislation; it lets corporations create criminal liability through license agreements. But it is the law of the land here, and I would guess that as soon as your attorney can lay this out, and their attorneys get an eye on it, you will find willing negotiation happening.

    • cogman10 9 hours ago

      I agree. The company will almost immediately settle because this is a cut and dry theft that will cost them (literally) millions just in the recoup. More if a penalty can be applied.

      This won't go to court, the actions are indefensible. The only argument will be how much they have to pay the OPs company.

    • Animats 2 hours ago

      You can start by sending them a bill. Get legal advice on drafting it. Each month, a new bill, with the new charges for that month. After a few cycles, you start threatening to go to collection. It may take a while, but you'll collect eventually.

  • florbnit 10 hours ago

    > We’re not going to waste days chasing them. But at some point, this goes beyond saving a few bucks: it becomes performance art.

    Oh, for the love of tech, do chase them. This absolutely has to be in violation of the terms of your trial; take them to court. If not, then at the very least name and shame the company, so some dumb manager orchestrating this silly theft will get fired and someone more mature can be rotated in.

    • plam503711 10 hours ago

      I’m actually considering reaching out directly to the CEO and telling the full story. But honestly? There’s a good chance he’s fully aware — and totally fine with it. That’s part of what makes it so disappointing.

      We’re not rushing into legal action — it’s not worth the energy for now — but publicly calling out the behavior felt necessary. It also sends a message to others in the ecosystem about the kind of nonsense OSS maintainers sometimes face.

      And yes, while I’m still holding off on naming the company directly… I haven’t ruled it out.

      • 1234letshaveatw 9 hours ago

        I very much doubt the CEO is aware. It is much more likely that some person is doing this because that is what they have always done: they are coasting. Alternatively, it is some poor sap who is in over their head and just following some instructions the original jerk put together to keep things running.

        The CEO will prob hand you off to some director who is going to be annoyed that they were made out to look foolish and that they now have a task that the CEO is going to want regular status updates on.

      • Edman274 9 hours ago

        If you don't do anything legally threatening, then you make it that much harder for every single OSS vendor to make money, because the precedent is getting established that there is no penalty for breaking the rules.

        When I was a teenager I would do super cut-rate work on computers for people, and my father did helpfully point out that undercharging for valuable work just makes it harder for people whose day job is to do the same work, because then they have to compete with a naive teenager. You're the kind hearted OSS / freemium vendor in this case. Threatening legal action costs nothing. Punishment is meant as a deterrent for antisocial behavior. Failing to even threaten them will result in less money going to people who deliver a public good.

        • ChrisMarshallNY 9 hours ago

          > Threatening legal action costs nothing.

          Not really. If you want it to have teeth, then it should come under a lawyer's letterhead, and that usually costs something (probably not much, for one letter).

        • threeseed 8 hours ago

          > Threatening legal action costs nothing

          It costs your reputation as a vendor which is permanent.

          You don't threaten legal action against companies before calmly advising them of the situation.

          • krisoft 5 hours ago

            > It costs your reputation as a vendor which is permanent.

            You say that as if that is some bad thing. As a vendor you want to have a reputation for asking what you are fairly owed. The other option is to have a reputation for being a wet tissue anyone can walk through.

            > You don't threaten legal action against companies before calmly advising them of the situation.

            These are not incompatible with each other. Of course you calmly advise the company of the situation. 100%. You tell them that their 15 day trial period lapsed at <date> and that they continue using the <product> without proper license in place. You tell them where they can reach out to find the right licence for their needs. And you tell them that you intend to pursue them for damages if they remain out of compliance. All very calmly and professionally. Nobody is angry with anyone here. There is no bad blood. It is just a contracting oopsie!

          • Edman274 8 hours ago

            There's no obligation to publicly reveal the threat of a lawsuit to a party that is abusing your license. In fact, if you don't reveal the existence of the lawsuit, the only way then that you'd gain that reputation is if the threatened party then publishes their threat, which they won't do if they straight up know that they're in the wrong, because then that damages their reputation. Why would a big company publish a blog about a small company suing them for blatantly violating their software license? They want that crap to go away. Get the money. Shaming a company doesn't make anyone any money unless they decide to voluntarily comply, which is what is being asked here. They're being asked to voluntarily do the right thing. If they were likely to voluntarily do the right thing, they would've done that first.

      • bambax 10 hours ago

        > publicly calling out the behavior

        > I’m still holding off on naming the company directly

        Does not compute. Why not name them?

        • dspillett 9 hours ago

          > Does not compute. Why not name them?

          Legal risk. If the company decides to be a litigious prick about being named & shamed they might not win, but before losing they'll cost the product owner a pile of time and, at least temporarily, money.

          Stating the errant company's industry and size gives us plenty of information to make an educated guess, without actually stating the name. I suspect that this action blocks any useful future relationship as much as direct naming would, so that risk has been taken, but I also assume that no such beneficial relationship was likely to happen anyway so doing this is worth it to get the publicity, both through the story and perhaps a little cheeky marketing down the road (“as used extensively by the famous company we won't name, but you can guess”).

          One thing I would definitely do at this point, now the company knows they have been detected, is to try¹ to make sure all support for that company is on the lowest priority possible. Absolute minimum response time 24 hours. 24 working hours, especially if the issue seems urgent to them. No responses beyond automated ones outside of normal business hours. Never try to guess: any missing information in a support query gets queried and the subsequent clarifying responses are subject to the same 24+ working hour latency. If anyone tries the “we are a big company, you should prioritise this” thing, respond with “With an email address like that? Yeah, nah.” or more directly “We know, a big company who knows it is massively in breach of our licence, and yet we are still generously responding to you at all.”

          ------

          [1] They may of course have/find crafty ways to get around this too, but if they are determined to avoid doing the right thing at least make them work to avoid doing the right thing!

        • Philpax 9 hours ago

          Because as long as they don't name them, there's still a chance they'll pay up or self-host. As soon as they do name them, any chance of a meaningful business relationship will disappear.

          • hungryhobbit 4 hours ago

            Did you read how much work these people put into not paying? I think that ship has sailed long ago.

        • threeseed 9 hours ago

          Because this is almost always just the fault of some low level engineer trying to save some time rather than some systemic issue at the heart of the company.

          The company will just apologise and the CEO will make sure to tell everyone they know never to deal with this vendor ever again. IT is a very small world and reputations last a long time.

        • chii 9 hours ago

          By declaring, but not acting yet, the OP gives the company an out, and allows a potential payday to come. After all, everybody is after money. Any action which seems strange or wild, when considered from the POV of making money, would start to make sense.

        • mattmaroon 9 hours ago

          Because they could sue you. Even if the suit is baseless it’ll cost a lot to defend, and you might accidentally give them some basis in the process.

          • MichaelZuo 9 hours ago

            This doesn’t make sense as a risk… can’t anyone in the US already sue anyone else whenever?

            • ujkhsjkdhf234 9 hours ago

              Yes but the company in question has no motive to sue. They aren't named and any lawsuit would be completely fraught and easily dismissed. On top of that, they would be revealing themselves by suing. It gets more complicated if they are named and now have an actual reason.

        • balls187 9 hours ago

          Lawsuits aren’t fun.

          • bambax 9 hours ago

            Aren't they? I sued a huge multinational company years ago, as an individual. People predicted the apocalypse. I won. It was lots of fun.

            (It was in France so the lawyers' fees weren't what they are in the US. But the way people advised me not to sue, was very similar.)

      • bmacho 6 hours ago

        > We’re not rushing into legal action — it’s not worth the energy for now — but publicly calling out the behavior felt necessary.

        Wth. Why go public instead of just .. emailing them, and asking for payment?

        • Kikawala 5 hours ago

          They did reach out. Quoting the post:

          > So we reached out.

          > They vaguely apologized and claimed they’d switch to using the source version instead.

          > Which — fine. Not ideal, but technically within the rules. What stung more was their complete disinterest in any kind of professional support — even when we simply brought up the idea of a volume discount (!). They shut it down immediately. Apparently, sending satellites into orbit is easier than entertaining the thought of paying for open source support.

          > And did they actually switch to the source?

          > Of course not.

          > They just kept going — now using personal Outlook addresses and incrementing the email handles like they were running a script.

      • threeseed 9 hours ago

        > There’s a good chance he’s fully aware — and totally fine with it

        Why would you think that a CEO would involve himself in matters like this?

        Especially given that whichever aerospace company it is would be far more concerned with issues like tariffs, geopolitics, recession risks etc than whether or not a company is using an open source versus a community edition of some forgettable infrastructure component.

        Also choosing to pursue legal action instead of simply blocking them from downloading more free trials seems childish and short sighted.

        • plam503711 9 hours ago

          "forgettable infrastructure component": this is what runs their entire IT. We build both the hypervisor and the backup/orchestration for it. Our stack could kill their entire operations if it's down because $whatever. 4000 virtual machines running isn't just the print server or the coffee machine.

          • Disposal8433 3 hours ago

            > 4000 virtual machines

            At that point I would have created some scripts to randomly reboot or fuck with their VMs. How long will you accept this? They won't pay ever.

          • threeseed 8 hours ago

            No they run their entire IT. Not you.

            They can easily move to the hundreds of alternative platforms which do exactly the same thing.

            • plam503711 8 hours ago

              I'm not sure you are aware of the cost of migrating from one virtualization platform to another, especially when you have 4000 VMs. I can tell you it's not exactly easy, and that's even our business now (migrating from VMware to our stack).

              It's not like changing a light bulb.

        • actionfromafar 9 hours ago

          Huh? Blocking them seems much more "actual fight" and disruptive than going for legal action. Legal action was invented to settle disputes without resorting to raw power.

      • russfink 9 hours ago

        First, congrats on having a successful company and doing what you love (and employing others - a great feeling to know you are helping technical folks live their dream).

        Second, some thoughts.

        A. State in your policy that multiple trials are possible but may incur a rest period between activations for a “given company.” Even 5 days should be reasonable for honest folks but cause a pain point for dishonest ones.

        B. If you can add a license activation feature to your software, collect metrics when you present the license activation screen, and “bake in” the telemetry to your trial license key request. Things like CPU ID, hard drive serial numbers, TPM quotes, asset tag serial number. Use that telemetry to determine “given company.” The abusers are likely installing this on the same system over and over.

        C. Independent of the activation idea, if the trial hard-stops after 30 days, maybe you could delay the approval process on all new trials by X days (X randomly chosen from the range 0..5, and all trial requests independent of requestor) and then activate the product for 30-X days. Assuming the dishonest ones have integrated the VM into their production systems, this will cause an unpredictable unavailability and trigger a pain point somewhere. At worst, it will cause them to step up their request efforts.

        As others probably are saying, this might be one for the lawyers.

        • eb0la 9 hours ago

          I believe all options you suggest are more than OK, but why don't you limit the trial with some capacity limits? Say, 1000 VMs per installation. Of course, you'll need to have two artifacts: one for paying customers, and a second one for non-paying ones.

      • bsza 9 hours ago

        Sad to hear this and I hope (some semblance of) justice will be served, but just to play the devil’s advocate: if you refuse to name them, how can we know you’re telling the truth and not just pulling a publicity stunt?

      • casey2 10 hours ago

        It sounds like you’re navigating a really difficult and emotionally draining situation—and I respect the restraint and clarity in how you’re approaching it.

      • adgjlsfhk1 10 hours ago

        One option is to talk to their customers. The customers almost certainly don't know, and might be interested to know that their launch provider is possibly going to have some serious issues.

      • TrapLord_Rhodo an hour ago

        It's Astra, isn't it? I had an internship there and it was pretty toxic. I could totally see them pulling this shit.

      • TZubiri 10 hours ago

        Just straight to court

        " it’s not worth the energy for now"

        Not sure what the amount is, but Small Claims is pretty straightforward and energy efficient? You can get like 10K depending on jurisdiction. The whole trial is like 1 hour.

        • plam503711 10 hours ago

          We operate globally, and this company isn’t even on our continent. On top of that, it’s a semi state-operated entity — so you can probably imagine where any legal effort would end up: somewhere between bureaucratic limbo and /dev/null.

          • TZubiri 9 hours ago

            Ah I didn't consider that. International case certainly is going to be more complex.

            That said, I think that small cases are still worth pursuing on a matter of principle and strategy.

            It's better to practice pursuing payment from international clients when it's small amounts you don't care about, so that you are prepared if you have an issue with a huge client and bankruptcy is on the line.

    • FactolSarin 10 hours ago

      I thought that was weird too. Surely this is a breach of whatever licensing they agreed to with the free trial. Are they allergic to getting paid for their work?

    • nand_gate 2 hours ago

      We're not going to waste days chasing them when we could waste days writing a blog post to advertise our product.

      Genius marketing, I guess Rocket Company is supposed to be exploiting the OSS community, but who built Xen ;)

      Before you soapbox on the 'open source moral contract' consider repaying the OSS works you gladly derived.

      • fohdeesha an hour ago

        ...have you seen how much code and work Vates has contributed upstream to Xen? It's more than Citrix at this point IIRC. Everything they do gets pushed back to upstream projects, so I'm not sure what point you're trying to make.

        • nand_gate 35 minutes ago

          No, I don't follow legacy hypervisors, but fair enough, perhaps my initial impression was off-base... still, you can appreciate the irony of complaining about Rocket Company getting free stuff :/

    • josefx 9 hours ago

      Tinfoil hat: The entire thing is just an ad.

      "Our product is so great aerospace companies are literally stealing it, also have you seen our new 30 day trial? So back to that aerospace company and how cheaply it could use our software, just take a look at our current offerings..."

      • plam503711 9 hours ago

        It is not, but yeah, we also have NASA as customers. However, we do not chase specifically aerospace companies. We are simply an open source alternative to VMware. So doing an ad explaining how to literally git pull the product without even talking to anyone or giving your email to our sales would be a weird strategy :D

    • InsideOutSanta 6 hours ago

      There aren't many aerospace companies with annual revenues of around $130 million and satellites in space. I'd guess it's Planet Labs.

      • MarkusQ 6 hours ago

        Except that Planet Labs annual revenue is almost twice that, and has been for a while. So it's likely not them. No idea who it would be though.

      • fohdeesha an hour ago

        it's not

    • mytailorisrich 10 hours ago

      Devil's advocate: if supplying an email address opens up a 30 day free trial, you can hardly complain when people do supply email addresses... especially when, to smooth the experience, there is absolutely nothing else but an email address field and a "start free trial" button.

      People will always find ways to use things to the limit or abuse them. You need to consider where to put the limit to balance user experience vs. preventing abuse.

      • cogman10 9 hours ago

        We'd have to see the ToS, but I'd suspect the lawyer that wrote it didn't say email, they said individual. Further, I suspect there's a clause in there about commercial usage.

        • mytailorisrich 9 hours ago

          Then you need an explicit check box "I have read and accept the T&C" and those T&Cs allow you to block an account, which is often the most effective option against abusers. If you go legal every time someone abuses a free trial you might as well give up free trials.

          As things stand there is no point in going legal. Either let it slide or block them and use it for PR with a blog post and an HN submission (wait a minute ;)

          • cogman10 7 hours ago

            > If you go legal every time someone abuses a free trial you might as well give up free trials.

            What silly "all or nothing" thinking.

            You don't have to "go legal" on every free trial abuse, just the egregious ones. Here we have a company that's been abusing the free trial for 10 years and 1000s of instances. Vates rightfully can claim millions (~40M to be exact) from this instance. The company, in particular, can't claim they didn't know this wasn't allowed because they automated creating fake email accounts to abuse the situation.

            It's particularly more egregious because Vates allows companies to build and maintain the software directly without support for free.

            • mytailorisrich 7 hours ago

              Guidelines:

              Be kind. Don't be snarky. Converse curiously; don't cross-examine. Edit out swipes.

              When disagreeing, please reply to the argument instead of calling names. "That is idiotic; 1 + 1 is 2, not 3" can be shortened to "1 + 1 is 2, not 3."

      • plam503711 9 hours ago

        Well, now I’ve seen it — and yes, lesson learned. But here’s the good news about humanity: they’re the only ones abusing it at this scale. So far, it seems most people still choose sanity over spreadsheets of throwaway emails.

        • mytailorisrich 9 hours ago

          Whenever someone asks "but who's gonna do that??" the real world answer is always "Well..." for better or worse ;)

    • ivewonyoung 10 hours ago

      This in no way justifies this blatant illegal and immoral behavior, especially since the behavior seems excessive compared to what I describe below, but I have seen things like this tend to happen in places where it's next to impossible to get Accounting to pay or even renew anything on time before licenses for dev tools expire, rather than being an intentional way to save costs or "steal".

      I've seen huge delays spanning months, and needing approvals from the very top, which you need to keep following up and makes the entire process a very painful experience.

      Maybe it's by design to reduce costs but it happens even in places where the budget is overflowing and underused.

      Payments won't happen until things are literally burning or production is about to go down tomorrow and the fear of the client getting super mad(that a relatively small payment couldn't be made in months) will drive some urgency. Sometimes not even then, so people are left with bad choices, let something terrible happen or make terrible workarounds like in the article. This results in a drive to only use free tools or make do with none.

      I hope this results in better and easier accounting practices, which is probably ripe for disruption.

  • o_m 10 hours ago

    At my last job (a billion dollar company) someone had set up some kind of proxy where one free user account was used by ~100 employees. We wanted some more features they didn't offer so we looked at some of their competitors. I was in the meeting where we were going to decide to keep using what we had or use the better solution (in my opinion). Both were presented fairly except for the price. The plan was to continue the piracy, not paying what it should cost, or use the other service which would have been cheaper if done legally. I voiced my concern that if we are going to compare them we should at least compare them at their actual cost. No one shared my concern and they ended up not switching and just continuing to pirate, even though money wasn't really an issue. The person who set this up wasn't in the company anymore, but I guess no one wanted to deal with this issue and decided it was easier to ignore it.

    • axus 9 hours ago

      How much money did they save over 5-10 years through this illegal or unethical behavior?

      If "Rocket Company" averaged 30 machines per month, max $1600 per month let's say $600k / year before discount. Maybe kept 3 million dollars over 10 years. I imagine the only way Vates will get paid for their service is if control is taken from the operational groups doing the actual work and "abstracted" to a centralized IT group.

      • elorm 5 hours ago

        They run 4000 VMs as a stingy aerospace company, so you can definitely assume less than 100 physical machines.

        Without further enterprise negotiations, it's $1800 per host/year. $180k max.

        I don't blame Vates for refusing to chase down the company. They'll bring you way more pain as paying clients than the shameless theft they're perpetuating.

      • JoblessWonder 6 hours ago

        FYI they said "hundreds of physical hosts" so it is significantly more than that.

  • ChrisMarshallNY 10 hours ago

    > But at some point, this goes beyond saving a few bucks: it becomes performance art.

    Love it. I appreciate the humor and good example behind that.

    It's entirely likely the company is spending more money on staff time than on the product.

    I also cannot even imagine running mission-critical stuff on free trials (I have heard of it before. I think Adobe was successfully sued once, because someone created an image in their free trial, and then couldn't open it after the trial expired).

    If I were one of that company's customers, I'd be fairly concerned.

  • matt-p 10 hours ago

    I think the most depressing thing is how unsurprising this is.

    This is why free trials require credit cards upfront, as they're more difficult to fake, not because you're about to be stealth billed. It's thanks to people like this.

    • rocketvole 10 hours ago

      It's practically trivial to bypass this if you really want to. Capital One in the US allows you to have virtual cards that can be verified but that you can delete and block at any time for free if you have a credit card from them. I'm sure the practice discourages casuals from gaming trials, but it just feels like it's making life miserable for paying customers while doing almost nothing to stop bad actors.

      • matt-p 9 hours ago

        If you also ban virtual and pre-paid cards it cuts this to almost zero.

        There is a difference: this rocket company is not really going to generate a new virtual card every time? You think their business bank account even supports that?

        • yurishimo 3 hours ago

          Considering it's a startup, high likelihood they are using something like Brex, which does support virtual card numbers.

      • sumanthvepa 10 hours ago

        Those types of card numbers are detectable though.

        • hiatus 10 hours ago

          How? Based on issuer identification number?

          • mrbluecoat 9 hours ago

            As one example, Oracle Cloud's Free Tier sign-up prevents any type of virtual card.

            • walterbell 5 hours ago

              Oracle could productize a Trial Filter.. powered by Oracle Lawyers™.

          • c12 9 hours ago

            I'm pretty sure it can be done via the IIN. Services like https://binlist.net/ provide a convenient solution to identify if it's a prepaid card.

        • idiotsecant 10 hours ago

          They are detectable only if the issuer has a dedicated BIN for virtual cards. If they issue in the same BIN as your regular card, there's no way to detect without issuer cooperation, which would defeat the point.

      • bsder 3 hours ago

        > CapitalOne in the US allows you to have virtual cards

        Anything recurring will not take a virtual card or gift card in the US.

        I got burned on this a couple times until I figured it out.

      • TechDebtDevin 8 hours ago

        privacy.com

  • stickfigure 9 hours ago

    Tell them that their free trial is over and their company will no longer receive free trial keys. You can do that. It doesn't require a lawyer and it doesn't require threats. Just "We're glad you like our product! Unfortunately we can no longer support you with free trials." Be polite.

    If they secretly keep getting free trials by pretending to be unaffiliated, then escalate to 1) blocking the fake ones when you discover them (very annoying to them, even if you don't get them all) and 2) as a very last resort, legal threats.

    The goal is to get them onboarded as paying customers. Every other outcome is effectively a loss. You want to be polite but firm.

    • pnathan 7 hours ago

      If it were me, I'd have, at the least, a little routine in the trial-signup logic on the backend which would check the company name and known aliases, and return a "not eligible for free, but sales would love to talk! Have a nice day!" message.
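Added example, not Vates' code and not from the post or any comment: one way the trial-signup backend could implement the "given company" matching russfink sketches in points A and B above (a rest period between activations, and hashed hardware telemetry from the activation screen) together with the company-name-and-aliases check pnathan describes, in Python. It also collapses the incrementing personal-mailbox handles the post mentions into a single requester key. The cooldown length, the alias table, the fingerprint field names (cpu_id, disk_serial, tpm_quote_digest), the email addresses and the signup sequence are all constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed for this example: thresholds, alias table and sample data.
COOLDOWN = timedelta(days=5)            # rest period between activations per requester
KNOWN_ALIASES: Dict[str, Set[str]] = {  # canonical company name -> spellings seen on signups
    "rocket company": {"rocketco", "rocket co.", "rocket-company"},
}

Key = Tuple[str, str]  # ("email" | "company" | "hw", value)


@dataclass
class TrialRequest:
    email: str
    company: str
    requested_at: datetime
    hw_fingerprint: Optional[Dict[str, str]] = None  # e.g. cpu_id, disk_serial, tpm_quote_digest


def normalize_email(email: str) -> str:
    """Collapse the throwaway variants one person generates into one handle.

    Drops plus-tags, dots in gmail locals and a trailing counter, so that
    jdoe1@outlook.com, jdoe2@outlook.com, ... all become jdoe@outlook.com.
    """
    local, _, domain = email.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    local = re.sub(r"\d+$", "", local)  # the incrementing-handle pattern
    return f"{local}@{domain}"


def canonical_company(name: str) -> str:
    name = name.strip().lower()
    for canonical, aliases in KNOWN_ALIASES.items():
        if name == canonical or name in aliases:
            return canonical
    return name


def fingerprint_digest(hw: Dict[str, str]) -> str:
    # Hash the submitted telemetry so the backend never stores raw serials.
    material = "|".join(f"{k}={hw[k]}" for k in sorted(hw))
    return hashlib.sha256(material.encode()).hexdigest()


def requester_keys(req: TrialRequest) -> Set[Key]:
    """Every identity under which this request is matched against history."""
    keys: Set[Key] = {("email", normalize_email(req.email))}
    company = canonical_company(req.company)
    if company:
        keys.add(("company", company))
    if req.hw_fingerprint:
        keys.add(("hw", fingerprint_digest(req.hw_fingerprint)))
    return keys


class TrialGate:
    def __init__(self, cooldown: timedelta = COOLDOWN) -> None:
        self.cooldown = cooldown
        self.last_activation: Dict[Key, datetime] = {}
        self.ineligible: Set[str] = set()  # companies told "no more free trials"

    def mark_ineligible(self, company: str) -> None:
        self.ineligible.add(canonical_company(company))

    def decide(self, req: TrialRequest) -> Tuple[str, str]:
        company = canonical_company(req.company)
        if company and company in self.ineligible:
            return "deny", "not eligible for free trials, but sales would love to talk"
        for key in sorted(requester_keys(req)):
            last = self.last_activation.get(key)
            if last is not None and req.requested_at - last < self.cooldown:
                age, left = req.requested_at - last, self.cooldown - (req.requested_at - last)
                return "deny", f"matched {key[0]} seen {age.days}d ago, {left.days}d cooldown left"
        for key in requester_keys(req):
            self.last_activation[key] = req.requested_at
        return "allow", "trial activated"


def run_demo() -> List[Tuple[str, str]]:
    """Constructed signup sequence: same box, incrementing handles, then an alias."""
    t0 = datetime(2025, 1, 1)
    box = {"cpu_id": "BFEBFBFF000906EA", "disk_serial": "WD-WX11A7", "tpm_quote_digest": "3f1c"}
    gate = TrialGate()
    out = [
        gate.decide(TrialRequest("jdoe1@outlook.com", "Rocket Company", t0, box)),
        gate.decide(TrialRequest("jdoe2@outlook.com", "", t0 + timedelta(days=1))),
        gate.decide(TrialRequest("throwaway.acct@gmail.com", "", t0 + timedelta(days=2), box)),
        gate.decide(TrialRequest("alice@example.org", "Acme Rockets", t0 + timedelta(days=2), {"cpu_id": "0"})),
    ]
    gate.mark_ineligible("Rocket Co.")
    out.append(gate.decide(TrialRequest("fresh@example.net", "rocket-company", t0 + timedelta(days=60))))
    return out


if __name__ == "__main__":
    for verdict, reason in run_demo():
        print(verdict, "-", reason)
```

Two caveats a practitioner would want: the fingerprint is a hash over whatever the client submits, so it only raises the cost of re-activating the same installation and is trivially spoofed by anyone editing the request; a real TPM quote would have to be verified against the device's EK certificate chain before anything derived from it is trusted as an identity. And the email normalization is a heuristic that will occasionally collide two genuinely different people, which is why the gate returns a sales hand-off rather than a silent failure.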

      • walterbell 6 hours ago

        The lucky winner of an interview with our professional services team!

  • balls187 10 hours ago

    As CTO, I feel pretty strongly about this type of behavior and lay the blame squarely on the Aerospace Co’s CTO.

    Being scrappy early on is part of the job, but when you are starting to generate revenue it’s time to convert your free tiers to starter tiers as you scale.

    I’m sorry that there are people in our industry who choose to behave this way.

    • eb0la 9 hours ago

      I agree 120% with you... but I am wondering how good you are at using free tiers. IMHO the free tier in cloud/SaaS just offsets the initial costs of using the cloud/SaaS. So... unless you're really small, free tiers won't work for you.

      • balls187 an hour ago

        They’re deffo helpful when building PoC’s and building MVP’s.

        Once you get traction converting off free/basic tiers should be a no brainer.

        We were on AWS Free Tier and once we hit market adoption, our costs were fully covered by paying customers (and then some…)

  • scosman 9 hours ago

    I had this happen on a consumer startup with referrals. Every month like clockwork one person would fake referrals to get a free month, which involved jumping through non-trivial hoops (re-installing everything, creating content in the fake account, going back), all to save $5, and when we had a free plan with almost the exact same quality.

    I think the thrill of beating a system and getting away with it is as much a factor as anything. And I get it.

  • walterbell 6 hours ago ago

    You could indirectly promote this unnamed reference customer with a dedicated marketing page. This blog post is already the seed of a case study. List the top ten unnamed companies who requested trials, by industry sector, sorted in descending order by count and years and VMs, with them at top. Presumably #2 - #10 have much smaller numbers.

    Placed in a marketing context, this human attention could be converted to revenue from other customers. Fund a creative writing competition on VeryBigCo Procurement Anti-Patterns and Shadow IT. Prizes could be paid licenses. If you get enough entries, ask a business school to do a case study on the same subject, then organize a multi-vendor survey on the topic. Also, memes.

    You may also need to update the ToS on the trial. At some point, a motivated salesperson could convert the account with a multi-year license that covers both past and future usage.

  • ruffrey 8 hours ago ago

    I have a theory this happens because for individual contributors, the effort to buy SaaS software in the era of "vendor risk assessment" is a nightmare. So you end up with grassroots avoidance of that process, at all costs, inside the company.

    • cruffle_duffle 6 hours ago ago

      This is what I was thinking too. Some places make it insanely difficult to purchase anything.

  • neilv 7 hours ago ago

    Assuming this telling is pretty accurate, I'm wondering what the thinking was on both ends.

    On the freeloader end: Did they think they were within the rules? How far up was the approval to keep doing it this way? Did someone try to pay, but get blocked? Did someone tell their boss they did this all in-house, and now doesn't want to admit they outsourced and exposed the company? Did it go to the top, and a lawyer told them to put the company name and a real person each time, and that they were covered on good faith if they only did that?

    On the provider end: Seeing this locked-in enterprise user for 10 years, how was a salesperson not all over that slam-dunk sale? How did they let this go on for 10 years without tweaking their policy to stop the freeloader and any others who might emulate them? What did the business people say about this over the years when it came up? Was business so good it wasn't worth the time to convert the freeloader to a paying customer?

  • dylan604 7 hours ago ago

    Totally tangent: What's a 30-day Rial? GenAI poster art with no spell checking I guess. Yet all of the pages of paper are spelled correctly. So now I'm wondering if there was a typo in the prompt used to create the art, or if the genAI is just unaware of the same text being used repeatedly while making a slight change in one place?

    • keeganpoppen 7 hours ago ago

      until openai’s recent updates, this was a very common issue with genai art… sometimes you could not even beg it to spell it correctly haha. in my experience, o3’s generation is much, much better in this regard.

  • panzagl 7 hours ago ago

    'semi-governmental company'

    If they're using it in prod then there are plenty of regulations that should force them to establish a real support relationship.

    Sometimes this type of stuff happens for a prototype that an org is trying to get funded, but not for 10 years. I'd collect all of the org email addresses they used for the initial d/ls and contact them first - maybe one of the ones from ten years ago has gotten promoted to a point where they can establish a paid relationship or approve use of the open source version.

  • Meneth 10 hours ago ago

    Around $130 million yearly revenue? Matches RocketLab.

    https://www.nzherald.co.nz/business/companies/rocket-lab-rev...

    • nickfromseattle 10 hours ago ago

      Rocket Lab did ~$123m/quarter in Q1 and ~$400m in 2024 [0], while this article claims, "Around $130 million in annual revenue."

      I don't think it's Rocket Lab.

      [0] https://www.macrotrends.net/stocks/charts/RKLB/rocket-lab-us...

    • tecleandor 10 hours ago ago

      I think Rocket Lab is ~$130M quarterly, not annually. Isn't it?

    • millzlane 10 hours ago ago

      Starlink has launched over 4000 satellites.

      • Bengalilol 9 hours ago ago

        4000 VMs doesn't imply 4k satellites, does it? Regarding revenues, it may be correct if it is a specific division of SL. Anyways, OneWeb has $130+ million in annual revenue (and a fleet of 400+ satellites, which would result in 10 VMs per satellite <- fwiw).

        I truly loved the way this article is written. To the point, sharp and quite comical. I certainly hope they manage to clean the mess up.

  • d2bayes 8 hours ago ago

    I can imagine the investors in this company would not be pleased with this kind of scrappy nonsense, especially given the industry.

    > We’re not going to waste days chasing them. But at some point, this goes beyond saving a few bucks: it becomes performance art.

    It's likely that the CEO is not aware(...hopefully); it's a good idea to reach out to them asap. Do try and point out what's going on.

    If anything, the sooner you reach out, you'll be doing the business (and whoever is backing it) a favor: trust has been misplaced. Somebody chose a very unprofessional path with what (one can assume) is a very critical system.

  • ruffrey 9 hours ago ago

    As a solo founder I have experienced this on a massive scale over nearly 15 years. It's really strange how happy people are with unethical behavior, yet on my end it just doesn't feel right to cut off people's systems. After multiple attempts to contact them, we will often disable their accounts. It is against the social contract. It is stealing. In many cases companies may have 15+ free trial accounts; the company itself absolutely dwarfs our 3-person company. The cost is beans for them. But they just don't care.

  • kjellsbells 8 hours ago ago

    OP says the offending company is quasi governmental aerospace. Sounds like a defense contractor.

    There will be a security officer at such a company. If I was that officer, I would be profoundly unhappy that employees, whose job (by the nature of the company) regularly takes them into classified waters, were freely giving their personal gmails to a third party overseas. I mean, you just broadened the attack surface on the employees by tying them to their presence in the Google ecosystem. Yikes.

    • tecleandor 4 hours ago ago

      Could be a company that has a similar format as Airbus, where governments own a sizeable part of it.

      Isar Aerospace has funding from NATO, for example :P

  • EDEdDNEdDYFaN 10 hours ago ago

    Isn't this a failure by the company to recognize free trial abuse sooner? And to not close the loophole immediately seems like even more of a weak behavior. Calling them out but not taking decisive action beyond claiming that they are acting immorally ultimately accomplishes nothing. Businesses are not beholden to your ideas about what is nice and fair, but to whatever the rules and constraints of your system are. If you keep a practice like this that allows free trial abuse forever, why would they spend money?

    • plam503711 10 hours ago ago

      You're absolutely right that businesses act within whatever constraints exist — and yes, we were a bit naive. We assumed that if someone had a fully functional, free, open source version available (well-documented and easy to install), nobody sane would go out of their way to abuse the trial system instead.

      To be clear, it’s not just trial abuse — it’s actively ignoring the better, freer option in favor of repeatedly faking evaluations just to get the “easy mode.”

      We’ll definitely tighten things up going forward. But in nearly a decade of doing this, they're the only ones to push it to this scale. So yeah, they've earned a spot in our open source hall of shame.

      • Propelloni 9 hours ago ago

        Ignoring an OSS option is not the crux of the issue, it only adds more stupid to the cake. They don't deserve a place on the OSS hall of shame, but on the list of shysters and fraudsters.

        A company is exploiting your free-trial offer, defrauding your project of resources even if it is only a buck and a half. Why are you sending them money? Just shut them down. Unless you have some really unfortunate wording in your TOS, there is nothing they can do. On Monday, send an e-mail to all accounts associated with $COMPANY and tell them in clear terms that you are going to terminate their free trials COB EOW. Leave a special contact number to negotiate fees, wait for your phone to ring.

        Seriously, why are you putting up with this?

      • EDEdDNEdDYFaN 10 hours ago ago

        To be fair to them - they've been doing it for 10 years without a problem!

      • russfink 9 hours ago ago

        Yes. Your pain point is the level of support you are giving on good faith to these charlatans. Maybe add a clause to your license that you reserve the right to limit the amount of technical assistance on the free download. Outside of that, if I understand this matter correctly, most of your customers are honest and you’re willing to write off this one company in the interest of keeping your own corporate sanity.

    • duxup 10 hours ago ago

      Based on what I read, it sounds like they believe in their model and aren’t looking to come down on everyone because of one bad actor.

      I can understand that.

      Obstacles to free trials and such often are more hassle than they're worth, and a determined person can get around them anyway.

    • sgarland 10 hours ago ago

      Agreed. I would hellban their entire company permanently, and devote time and effort to write tooling to catch future signup attempts. This is utterly despicable.

  • IshKebab 10 hours ago ago

    I wonder if you can sue for breach of contract or something. Maybe not worth it... I would consider adding some actual limitations into the free trial rather than just time.

    • matsemann 10 hours ago ago

      Was thinking the same. If you clearly are only meant to have access for X days, and abuse a loophole to continue indefinitely, how is that far removed from hacking/scamming/stealing/pickyourpoison?

  • robotwizard 9 hours ago ago

    It's pretty straightforward to me at least what needs to be done. Add 2FA SMS authentication and restrict trials to one per phone number. It's less easy to get new phone numbers.

    • chii 9 hours ago ago

      And most 2FA security doesn't use SMS any more. It's an insecure option - forcing it sucks for the legit customers. But if you don't force it, then one can bypass the SMS and thus no longer needs a phone number. Or you can try forcing SMS on first login, _then_ allow the move to an OTP app.

      And even with this, what happens if the company simply shares the company phone, authenticates, then removes the phone and switches to OTP (for each time, or each user)? Unless a phone number cannot be used twice... which means you have to keep storing it, and handle the support requests when a number is legitimately recycled (and how do you differentiate that?)

      Offering something that is quite full-featured for free (even as a trial) will get it exploited; it's only going to be increasingly the case going forward. The internet is hostile, and getting more hostile.

  • jarland 4 hours ago ago

    This is exactly why we put this as a forbidden use case in the MXroute policy:

    “Deceptive use against third party services by creating multiple email accounts to pretend to be multiple users of their service”

    Because if you want to maintain a good reputation with people, you don’t facilitate people taking advantage of them.

  • bix6 9 hours ago ago

    You cared enough to write a blog post so I think talking to a lawyer is worthwhile. Perhaps if you send them a legal letter threatening international action they will pony up. Writing the CEO will get you nowhere. Either way this is lame behavior and the public deserves to know the company so we can avoid doing business with them. But I understand not wanting to open yourself up for retaliation.

  • 0x_rs 9 hours ago ago

    Entirely understandable why it wouldn't be named. And that the comments section would have some people guessing. I wonder if it isn't a company named after an insect, given the revenue and timeline of their operations seem to match with that graph, but the "semi-governmental" is throwing me off.

  • stefanos82 9 hours ago ago

    > We’re not going to waste days chasing them. But at some point, this goes beyond saving a few bucks: it becomes performance art.

    How about creating a "Wall of Shame" page and name-shaming such companies, until they get the message that they have the financial resources to pay?

    • eb0la 9 hours ago ago

      How about the opposite? You're not a paying customer, don't use trials... but let us put your logo in our website as a valued user... with some praise from the CTO, please.

  • reconnecting 10 hours ago ago

    You can easily prevent such trial abuse through the tirreno [0] platform, as freshly registered email accounts can be blocked almost in real time.

    [0] https://github.com/TirrenoTechnologies/tirreno

    (creator of tirreno)

    • reconnecting 9 hours ago ago

      I take my words back!

      I saw that your company is in Grenoble. Just drop me an email, and I will personally come to your office and help set up tirreno to resolve this trial abuse.

      • plam503711 9 hours ago ago

        I'm open to discussing, please add me on LinkedIn :) (you can find it in the author icon at the end of the blog post)

    • arp242 10 hours ago ago

      > freshly registered email accounts can be blocked almost in real time.

      How does it detect if an email account is freshly registered?

      • reconnecting 9 hours ago ago

        We provide an API to check IP and email reputation.

      • DocTomoe 9 hours ago ago

        chances are: checks it against a database of addresses it has seen before (e.g. because they were used to register stuff elsewhere). No such entry, or entries all younger than n days -> 'freshly registered'.

        Sucks for people who don't use their addresses for just about anything.

        • reconnecting 9 hours ago ago

          It is not a healthy idea to prevent access to a trial solely because of a lack of reputation associated with an email. However, in this specific case, if there is a rotation of numbers at the end of the email, tirreno has rules that detect similar email patterns.

          Additionally, I assume that registrations are coming from the same IP or network, which should make it simple to detect through the platform.
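
          As an added example (not tirreno's code, nor anything from Vates or Xen Orchestra), the Python routine below screens a new trial signup against the signals raised in this thread: the company-name and known-alias check pnathan suggests above, the "rotation of numbers at the end of the email" pattern, and registrations arriving from the same network. The sample signups, mail domains, org aliases and thresholds are all constructed for illustration; a real deployment would feed it the trial database instead of the inline list.

          ```python
          """Trial-signup screening: flags org aliases, email number rotation and shared networks.

          Added example for this discussion; not the code of tirreno, Vates or Xen Orchestra.
          All names, domains and addresses below are constructed for illustration.
          """
          import ipaddress
          import re
          from dataclasses import dataclass


          @dataclass(frozen=True)
          class Signup:
              email: str
              ip: str
              company: str


          # Constructed history of earlier trial signups (hypothetical domains, RFC 5737 test IPs).
          SAMPLE_SIGNUPS = [
              Signup("j.doe1@example-mail.test", "203.0.113.10", "Example Aero"),
              Signup("j.doe2@example-mail.test", "203.0.113.11", "ExampleAero Inc"),
              Signup("j.doe3@example-mail.test", "203.0.113.12", "Example Aero"),
              Signup("j.doe17@example-mail.test", "203.0.113.13", "EA Ltd"),
              Signup("alice@startup.test", "198.51.100.7", "Startup Co"),
              Signup("bob@othercorp.test", "192.0.2.44", "Other Corp"),
          ]

          # Hypothetical org that is no longer eligible for free trials, with the aliases
          # it has been seen using on the signup form (stored in normalized form).
          BLOCKED_ORG_ALIASES = {"exampleaero", "exampleaeroinc", "ealtd"}

          _TRAILING_DIGITS = re.compile(r"\d+$")


          def normalize_company(name: str) -> str:
              """Lowercase and drop punctuation/whitespace so 'Example Aero' == 'ExampleAero Inc.'-style variants compare."""
              return re.sub(r"[^a-z0-9]", "", name.lower())


          def normalize_email(email: str) -> str:
              """Collapse j.doe1@x, j.doe2@x, j.doe+trial@x to one key: strip subaddress tags and trailing digits."""
              local, _, domain = email.strip().lower().rpartition("@")
              local = local.split("+", 1)[0]
              local = _TRAILING_DIGITS.sub("", local)
              return f"{local}@{domain}"


          def network_of(ip: str, v4_prefix: int = 24, v6_prefix: int = 64) -> ipaddress.IPv4Network | ipaddress.IPv6Network:
              """Bucket an address by its likely organisational network (/24 for IPv4, /64 for IPv6)."""
              addr = ipaddress.ip_address(ip)
              prefix = v4_prefix if addr.version == 4 else v6_prefix
              return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


          def screen_signup(new: Signup, history: list[Signup],
                            rotation_threshold: int = 2, network_threshold: int = 2) -> list[str]:
              """Return the reasons a signup deserves a human look (empty list means nothing matched).

              Thresholds are deliberately low here; they are tuning knobs, not recommendations.
              """
              reasons = []
              if normalize_company(new.company) in BLOCKED_ORG_ALIASES:
                  reasons.append("org_not_eligible")

              key = normalize_email(new.email)
              rotated = [h for h in history if h.email != new.email and normalize_email(h.email) == key]
              if len(rotated) >= rotation_threshold:
                  reasons.append("email_rotation")

              net = network_of(new.ip)
              same_net = [h for h in history if ipaddress.ip_address(h.ip) in net]
              if len(same_net) >= network_threshold:
                  reasons.append("shared_network")
              return reasons


          if __name__ == "__main__":
              candidates = [
                  Signup("j.doe42@example-mail.test", "203.0.113.20", "Example Aero"),
                  Signup("carol@fresh.test", "192.0.2.99", "Fresh Co"),
              ]
              for c in candidates:
                  print(c.email, "->", screen_signup(c, SAMPLE_SIGNUPS) or "ok")
          ```

          The routine only flags; what to do with a flagged signup (route it to sales, as pnathan suggests, or ask for a work address) is a policy decision. Note that the network check is a weak signal on its own, since shared corporate egress, VPNs and CGNAT will put unrelated legitimate users in one /24, which is why it is combined with the other two rather than used alone.
          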

    • bradleyankrom 10 hours ago ago

      ^ creator of Tirreno

      • reconnecting 10 hours ago ago

        Thank you. I'm still not sure if this should be mentioned. On the one hand, I don't want to overly promote tirreno, but on the other hand, when I see an issue such as trial abuse that could be easily resolved, I can't resist. My bad.

        • masklinn 9 hours ago ago

          If you mention the product, even if it’s an absolutely perfect fit, you should definitely disclose the conflict of interest upfront.

          This is not about overly promoting the product, it’s about making clear that you are promoting your product (or project, doesn’t even have to be a product).

  • Algent 10 hours ago ago

    This behavior sucks.

    Time to disable the free trial for a month halfway into their trial and see how it goes. This is probably why most trials now request you to reach sales first (well, on top of obviously ensuring they have a way to send an offer).

  • gregorvand 9 hours ago ago

    It's great to call it out here. But with all due respect, if you have let this company do this for 10 years...

    Why not do what most profit-conscious companies would do and just say "we notice unusual activity and.."

  • slippy 7 hours ago ago

    You realize that you just gave hacker news enough details to commit some satellite controlling backdoor into their system... It's not like some of us aren't going to be like: "Yeah, let's get 'em!" Not me. I'm the ethical type, but some people might think:

    Step 1: Modify OSS repository to gain control of satellites Step 2: ... Step 3: Profit!

    • TheDong 6 hours ago ago

      This is simply magical thinking.

      Knowing the details of an open source tool a company uses does not magically give you a backdoor.

      By that logic, merely knowing coinbase uses the open source go language for some things would let you steal all their crypto, and I assure you if it was that simple their coffers would be empty.

      btw I use linux and firefox and have an unencrypted bitcoin wallet.dat on my computer, feel free to prove me wrong.

  • Henchman21 3 hours ago ago

    I’m reminded of the “business ethics” scene in Billy Madison[0]. This is what capitalism has wrought in the US: People for whom ethics are anathema, or arguably worse: a completely unexamined topic.

    So, is the company SpaceX or what?

    0: https://m.youtube.com/watch?v=xKGeHuln08A

  • Koshima 9 hours ago ago

    This is a classic case of IP abuse, and it's tough to ignore. If the company has been using your work without a license for a decade, that’s a huge liability on their side. It might be time to remind them that open source is not free labor, and they can’t just brush off 10 years of unpaid work. At the very least, they should come to the table for a serious negotiation.

  • aorloff 7 hours ago ago

    Change your terms slightly, to say that if you abuse the free trial say over 100 times, any user using the free trial agrees to a permanent irrevocable license to any of their IP

    EDIT

    Change your terms to require any usage off planet specifically prohibited by the free trial license

  • fennecbutt 9 hours ago ago

    I hope your ToS includes abuse clauses. Behaviour like that should always be responded to with force. Otherwise bullies will just keep bullying.

  • kova12 10 hours ago ago

    I used to work in IT in a large corporation back in the day. The amount of work necessary to procure software was so staggering that any alternative "creative solution" would be much more preferable. And the worst thing is that the cheap software was the one that suffered most. The gazillion-dollar CISCO upgrade was no problem, it's already gazillion dollars. But to get a $10 email shareware license one would spend many work-hours of many people, so who's gonna do it.

    • e40 10 hours ago ago

      Took a meeting once with a customer who had been evaluating our product, which was not OSS. It was a nice meeting, they loved our product and seemingly they would purchase. Awkwardly the guy said their CEO had a rule: they could only use OSS. Their own product was not OSS.

    • zeristor 10 hours ago ago

      Yes I am having this with trying to get some Neurodiversity software on my laptop, lots of people keen to help, government even refunds the cost, but setting up a new supplier is hard work, and then security approval too.

    • sublinear 10 hours ago ago

      From the accounting perspective, it's likely to prevent accounts payable fraud.

  • nickdothutton 9 hours ago ago

    Be hard nosed about it. This advice comes from being 25 years in software as Product Manager among other things.

  • caffeinatedwo 10 hours ago ago

    Maybe turn off trial for some time :)

  • theginger 9 hours ago ago

    Invoice them.

    The worst they can do is not pay it.

  • krisoft 5 hours ago ago

    The most concerning part in this article is this: "To me, that’s a pretty blatant breach of the unwritten “moral contract” of Open Source."

    It talks about the breach of some unwritten contract. But surely they should have a very written, real world contract to describe the terms of that 15 day trial. And this should be a breach of that. The fact that this is not mentioned, or even entertained as a notion is concerning.

    Moral contracts are good for philosophy discussions. Real contracts are much better when you need to use instruments of law to get someone to do something.

  • e40 10 hours ago ago

    Name and shame.

  • ithrablip 8 hours ago ago

    > And that’s what they keep pirouetting...

    Arr, the use of "pirouetting" is such ticklingly brilliant punnage, me matey.

  • billy99k 9 hours ago ago

    Spirit and morality don't work so well in the business world. Cut them off and make them pay. Why are you still supporting them?

  • _joel 9 hours ago ago

    IANAL but sounds like you've got a solid case for going after them.

  • koakuma-chan 10 hours ago ago

    What's Xen Orchestra? $1800/host/year seems pretty expensive

    • c16 9 hours ago ago

      $1,800 on $130,000,000 a year sounds expensive? Company dinners/outings have almost certainly cost the business more.

      • koakuma-chan 9 hours ago ago

        The article mentions 4000, so 1800*4000 = 7.2 mil

        • hocuspocus 8 hours ago ago

          4000 VMs, not hosts. More likely $3-400k a year before negotiating a volume discount.

          VMware enterprise tier is probably 10x more expensive.

    • rounce 9 hours ago ago

      Then self-host if the volume you require means you can do it cheaper in-house.

  • amtre an hour ago ago

    Amer

  • etimberg 6 hours ago ago

    This sounds like wire fraud ....

  • niam 9 hours ago ago

    There has to be something cosmically funny and tragic about the number of respondents here ascribing some sort of failure to the hosting company.

    God bless those among us who steal the candy bowl at Halloween.

  • stackedinserter 8 hours ago ago

    So they can run 4k virtual machines during trial period, and somehow transfer data between accounts? What kind of trial is this?

  • Spooky23 10 hours ago ago

    Honestly, just sue them. You could probably recover enough damages to subsidize the product for non profits or others for years.

    Worst case, they just mysteriously stop using your product.

  • nodesocket 10 hours ago ago

    Is this the company behind xcp-ng? This looks like a completely different interface than XOA. First I’ve ever heard of Vates.

    • plam503711 7 hours ago ago

      Vates is the company doing both XCP-ng and Xen Orchestra, and now selling support for both in a single "bundle" called Vates VMS.

  • phkahler 9 hours ago ago

    Dude, quit whining in a blog post and change your policy. Make it per-org instead of per-email. Heck, carve out an exception to block that particular org.

  • rvz 10 hours ago ago

    Solution: Have the courage to get rid of the free trial.

    Job done.

  • thunkingdeep 7 hours ago ago

    Complete assclown behavior throughout. It would be one thing if this had been going on for a month or two, maybe a quarter or two… but ten years?! They’re clearly fucking you over out of either malice and/or incompetence, and by allowing it to go on, you’re politely enabling them to do this bad behavior to someone else’s business.

    If you feed stray dogs, you end up with a neighborhood full of dogshit everywhere you step. Bill them; if they don’t pay, talk to an attorney.

  • rideontime 10 hours ago ago

    I got distracted a few paragraphs in by the realization that the text was AI-generated.

    • plam503711 10 hours ago ago

      I first write my entire text and then after that I use an LLM to fix the grammar and have a better flow. I'm doing my best but I'm not a native US speaker. Before LLMs, people complained about the weird sentences or mistakes I made. Pick your poison ;)

      Anyway, I'm doing my best to keep my own "signature" in writing, but it's really hard when you see a better phrasing generated on your original more limited vocabulary. But anyway, I'll do better next time, thanks for the feedback!

      • rideontime 9 hours ago ago

        Comparing it to the LLM's previous post on your blog, it's a little better - that one's got far more of the superfluous analogies and interrupting em-dashes. I honestly think you'd be better off posting your own writing put through DeepL than letting the LLM churn it into mediocrity.

        • funki 9 hours ago ago

          Kudos for owning it so earnestly

      • jeffbee 9 hours ago ago

        LLMs don't have good "flow" either. Their signature style is full of clichés. Personally, I would prefer to read the quirky non-idiomatic structures of a foreign language speaker than something fixed by an LLM.

      • rounce 9 hours ago ago

        *English speaker

    • funki 9 hours ago ago

      What tipped you off?

      (I'm not a native speaker either)

      • rideontime 9 hours ago ago

        There's a certain sort of "snarkiness" that's very easy to spot. There's a convicted scammer named Craig Wright (long story) who uses ChatGPT to write long, smug essays on X which have the exact same sort of tone, complete with the weird florid analogies.

        > Hard to say if it was a mistake, a flex, or just their way of making sure we didn’t miss who was milking the trials.

        > It’s tested. It updates with a single click. It saves time and reduces risk. That’s what we sell. And that’s what they keep pirouetting around with their email dance.

        > We’re not going to waste days chasing them. But at some point, this goes beyond saving a few bucks: it becomes performance art.

        • funki 9 hours ago ago

          Thanks for taking time to enlighten me.

        • cruffle_duffle 5 hours ago ago

          ChatGPT loves to do that artificial, inauthentic snark thing with me. Its style and tone are reflective of its reinforcement training.

          I’d assert that unless it was specifically trained on my writing style, it is almost impossible to “prompt away” the tone it uses.

          And that is the thing about authentic snark, it is crisp and edgy and unique. But LLMs are trained in a way that would average out millions of different “snarks” so all of the attributes that make snark work go away.

  • voidUpdate 10 hours ago ago

    Unhappy with AI generated contributions, but perfectly happy to have a big AI generated image at the top of their page, complete with spelling mistakes

    • garrettjoecox 10 hours ago ago

      One bothers people like you, one has the potential to waste people’s time and energy.

      Unless your job involves critiquing the header image of people’s personal blogs I don’t think these are equivalent.

      • voidUpdate 9 hours ago ago

        They both imply a similar lack of care to me. Like, not even being bothered to check the words, and if they make no sense just click the magic "generate image" button again, or fix them in photoshop or just erase them...

        • zamadatix 7 hours ago ago

          You're probably right in that they didn't really care if the header image was top quality. The codebase or security reviews, understandably, will have a different need for quality.