Ground control to Major Trial
184 comments
May 16, 2025 · vessenes
cogman10
I agree. The company will almost immediately settle because this is a cut and dry theft that will cost them (literally) millions just in the recoup. More if a penalty can be applied.
This won't go to court, the actions are indefensible. The only argument will be how much they have to pay the OPs company.
Animats
You can start by sending them a bill. Get legal advice on drafting it. Each month, a new bill, with the new charges for that month. After a few cycles, you start threatening to go to collection. It may take a while, but you'll collect eventually.
florbnit
> We’re not going to waste days chasing them. But at some point, this goes beyond saving a few bucks: it becomes performance art.
Oh for the love of tech, do chase them. This absolutely has to be in violation of the terms of your trial; take them to court. If not, then at the very least name and shame the company, so some dumb manager orchestrating this silly theft will get fired and someone more mature can be rotated in.
plam503711
I’m actually considering reaching out directly to the CEO and telling the full story. But honestly? There’s a good chance he’s fully aware — and totally fine with it. That’s part of what makes it so disappointing.
We’re not rushing into legal action — it’s not worth the energy for now — but publicly calling out the behavior felt necessary. It also sends a message to others in the ecosystem about the kind of nonsense OSS maintainers sometimes face.
And yes, while I’m still holding off on naming the company directly… I haven’t ruled it out.
1234letshaveatw
I very much doubt the CEO is aware. It is much more likely that some person is doing this because that is what they have always done; they are coasting. Alternatively, it is some poor sap that is in over their head and just following some instructions the original jerk put together to keep things running.
The CEO will prob hand you off to some director who is going to be annoyed that they were made out to look foolish and that they now have a task that the CEO is going to want regular status updates on.
Edman274
If you don't do anything legally threatening, then you make it that much harder for every single OSS vendor to make money, because the precedent is getting established that there is no penalty for breaking the rules.
When I was a teenager I would do super cut-rate work on computers for people, and my father did helpfully point out that undercharging for valuable work just makes it harder for people whose day job is to do the same work, because then they have to compete with a naive teenager. You're the kind hearted OSS / freemium vendor in this case. Threatening legal action costs nothing. Punishment is meant as a deterrent for antisocial behavior. Failing to even threaten them will result in less money going to people who deliver a public good.
ChrisMarshallNY
> Threatening legal action costs nothing.
Not really. If you want it to have teeth, then it should come under a lawyer's letterhead, and that usually costs something (probably not much, for one letter).
threeseed
> Threatening legal action costs nothing
It costs your reputation as a vendor which is permanent.
You don't threaten legal action against companies before calmly advising them of the situation.
bambax
> publicly calling out the behavior
> I’m still holding off on naming the company directly
Does not compute. Why not name them?
dspillett
> Does not compute. Why not name them?
Legal risk. If the company decides to be a litigious prick about being named & shamed they might not win, but before losing they'll cost the product owner a pile of time and, at least temporarily, money.
Stating the errant company's industry and size gives us plenty of information to make an educated guess, without actually stating the name. I suspect that this action blocks any useful future relationship as much as direct naming would, so that risk has been taken, but I also assume that no such beneficial relationship was likely to happen anyway so doing this is worth it to get the publicity, both through the story and perhaps a little cheeky marketing down the road (“as used extensively by the famous company we won't name, but you can guess”).
One thing I would definitely do at this point, now the company knows they have been detected, is to try¹ to make sure all support for that company is on the lowest priority possible. Absolute minimum response time 24 hours. 24 working hours, especially if the issue seems urgent to them. No responses beyond automated ones outside of normal business hours. Never try to guess: any missing information in a support query gets queried, and the subsequent clarifying responses are subject to the same 24+ working hour latency. If anyone tries the “we are a big company, you should prioritise this” thing, respond with “With an email address like that? Yeah, nah.” or more directly “We know, a big company who knows it is massively in breach of our licence, and yet we are still generously responding to you at all.”
------
[1] They may of course have/find crafty ways to get around this too, but if they are determined to avoid doing the right thing at least make them work to avoid doing the right thing!
Philpax
Because as long as they don't name them, there's still a chance they'll pay up or self-host. As soon as they do name them, any chance of a meaningful business relationship will disappear.
threeseed
Because this is almost always just the fault of some low level engineer trying to save some time rather than some systemic issue at the heart of the company.
The company will just apologise and the CEO will make sure to tell everyone they know never to deal with this vendor ever again. IT is a very small world and reputations last a long time.
chii
By declaring, but not acting yet, the OP gives the company an out, and allows a potential payday to come. After all, everybody is after money. Any action which seems strange or wild, when considered from the POV of making money, would start to make sense.
mattmaroon
Because they could sue you. Even if the suit is baseless it’ll cost a lot to defend, and you might accidentally give them some basis in the process.
balls187
Lawsuits aren’t fun.
bmacho
> We’re not rushing into legal action — it’s not worth the energy for now — but publicly calling out the behavior felt necessary.
Wth. Why go public instead of just .. emailing them, and asking for payment?
Kikawala
They did reach out.
> So we reached out.
> They vaguely apologized and claimed they’d switch to using the source version instead.
> Which — fine. Not ideal, but technically within the rules. What stung more was their complete disinterest in any kind of professional support — even when we simply brought up the idea of a volume discount (!). They shut it down immediately. Apparently, sending satellites into orbit is easier than entertaining the thought of paying for open source support.
> And did they actually switch to the source?
> Of course not.
> They just kept going — now using personal Outlook addresses and incrementing the email handles like they were running a script.
threeseed
> There’s a good chance he’s fully aware — and totally fine with it
Why would you think that a CEO would involve himself in matters like this ?
Especially given that whichever aerospace company it is would be far more concerned with issues like tariffs, geopolitics, recession risks etc than whether or not a company is using an open source versus a community edition of some forgettable infrastructure component.
Also choosing to pursue legal action instead of simply blocking them from downloading more free trials seems childish and short sighted.
plam503711
"forgettable infrastructure component": this is what runs their entire IT. We build both the hypervisor and the backup/orchestration for it. Our stack could kill their entire operations if it's down because $whatever. 4000 virtual machines running isn't just the print server or the coffee machine.
actionfromafar
Huh? Blocking them seems much more like an "actual fight" and more disruptive than going for legal action. Legal action was invented to settle disputes without resorting to raw power.
russfink
First, congrats on having a successful company and doing what you love (and employing others - a great feeling to know you are helping technical folks live their dream).
Second, some thoughts.
A. State in your policy that multiple trials are possible but may incur a rest period between activations for a “given company.” Even 5 days should be reasonable for honest folks but cause a pain point for dishonest ones.
B. If you can add a license activation feature to your software, collect metrics when you present the license activation screen, and “bake in” the telemetry to your trial license key request. Things like CPU ID, hard drive serial numbers, TPM quotes, asset tag serial number. Use that telemetry to determine “given company.” The abusers are likely installing this on the same system over and over.
C. Independent of the activation idea, if the trial hard-stops after 30 days, maybe you could delay the approval process on all new trials by X days (X randomly chosen from the range 0..5, independently for every trial request regardless of requestor) and then activate the product for 30-X days. Assuming the dishonest ones have integrated the VM into their production systems, this will cause an unpredictable unavailability and trigger a pain point somewhere. At worst, it will cause them to step up their request efforts.
As others probably are saying, this might be one for the lawyers.
eb0la
I believe all options you suggest are more than OK, but why don't you limit the trial with some capacity limits? Say, 1000 VMs per installation. Of course, you'll need to have two artifacts: one for paying customers, and a second one for non-paying ones.
bsza
Sad to hear this and I hope (some semblance of) justice will be served, but just to play the devil’s advocate: if you refuse to name them, how can we know you’re telling the truth and not just pulling a publicity stunt?
casey2
It sounds like you’re navigating a really difficult and emotionally draining situation—and I respect the restraint and clarity in how you’re approaching it.
FactolSarin
I thought that was weird too. Surely this is a breach of whatever licensing they agreed to with the free trial. Are they allergic to getting paid for their work?
nand_gate
We're not going to waste days chasing them when we could waste days writing a blog post to advertise our product.
Genius marketing, I guess Rocket Company is supposed to be exploiting the OSS community, but who built Xen ;)
Before you soapbox on the 'open source moral contract' consider repaying the OSS works you gladly derived.
fohdeesha
....have you seen how much code and work vates has contributed upstream to xen? It's more than citrix at this point IIRC. Everything they do gets pushed back to upstream projects so I'm not sure what point you're trying to make
nand_gate
No, I don't follow legacy hypervisors but fair enough perhaps my initial impression was off-base... still you can appreciate the irony of complaining about Rocket Company getting free stuff :/
josefx
Tinfoil hat: The entire thing is just an ad.
"Our product is so great aerospace companies are literally stealing it, also have you seen our new 30 day trial? So back to that aerospace company and how cheaply it could use our software, just take a look at our current offerings..."
plam503711
It is not, but yeah, we also have NASA as customers. However, we do not chase specifically aerospace companies. We are simply an open source alternative to VMware. So doing an ad explaining how to literally git pull the product without even talking to anyone or giving your email to our sales would be a weird strategy :D
InsideOutSanta
There aren't many aerospace companies with annual revenues of around $130 million and satellites in space. I'd guess it's Planet Labs.
MarkusQ
Except that Planet Labs annual revenue is almost twice that, and has been for a while. So it's likely not them. No idea who it would be though.
fohdeesha
it's not
mytailorisrich
Devil's advocate: If supplying an email address opens up a 30 day free trial, you can hardly complain when people do supply email addresses... especially when, to smooth the experience, there is absolutely nothing else but an email address field and a "start free trial" button.
People will always find ways to use things to the limit or abuse them. You need to consider where to put the limit to balance user experience vs. preventing abuse.
cogman10
We'd have to see the ToS, but I'd suspect the lawyer that wrote it didn't say email, they said individual. Further, I suspect there's a clause in there about commercial usage.
mytailorisrich
Then you need an explicit check box "I have read and accept the T&C" and those T&Cs allow you to block an account, which is often the most effective option against abusers. If you go legal every time someone abuses a free trial you might as well give up free trials.
As things stand there is no point in going legal. Either let it slide or block them and use it for PR with a blog post and an HN submission (wait a minute ;)
plam503711
Well, now I’ve seen it — and yes, lesson learned. But here’s the good news about humanity: they’re the only ones abusing it at this scale. So far, it seems most people still choose sanity over spreadsheets of throwaway emails.
mytailorisrich
Whenever someone asks "but who's gonna do that??" the real world answer is always "Well..." for better or worse ;)
ivewonyoung
This in no way justifies this blatantly illegal and immoral behavior, especially since the behavior seems excessive compared to what I describe below. But I have seen things like this tend to happen in places where it's next to impossible to get Accounting to pay for or even renew anything on time before licenses for dev tools expire, rather than as an intentional way to save costs or "steal".
I've seen huge delays spanning months, and needing approvals from the very top, which you need to keep following up and makes the entire process a very painful experience.
Maybe it's by design to reduce costs but it happens even in places where the budget is overflowing and underused.
Payments won't happen until things are literally burning or production is about to go down tomorrow, and the fear of the client getting super mad (that a relatively small payment couldn't be made in months) will drive some urgency. Sometimes not even then, so people are left with bad choices: let something terrible happen, or make terrible workarounds like in the article. This results in a drive to only use free tools or make do with none.
I hope this results in better and easier accounting practices, which is probably ripe for disruption.
o_m
At my last job (a billion dollar company) someone had set up some kind of proxy where one free user account was used by ~100 employees. We wanted some more features they didn't offer, so we looked at some of their competitors. I was in the meeting where we were going to decide whether to keep using what we had or use the better solution (in my opinion). Both were presented fairly except for the price. The plan was to continue the piracy, not paying what it should cost, or use the other service, which would have been cheaper if done legally. I voiced my concern that if we are going to compare them we should at least compare them with their actual cost. No one shared my concern and they ended up not switching and just continuing to pirate, even though money wasn't really an issue. The person who set this up wasn't in the company anymore, but I guess no one wanted to deal with this issue and decided it was easier to ignore it.
axus
How much money did they save over 5-10 years through this illegal or unethical behavior?
If "Rocket Company" averaged 30 machines per month, max $1600 per month let's say $600k / year before discount. Maybe kept 3 million dollars over 10 years. I imagine the only way Vates will get paid for their service is if control is taken from the operational groups doing the actual work and "abstracted" to a centralized IT group.
elorm
They run 4000 VMs as a stingy aerospace company, so you can definitely assume fewer than 100 physical machines.
Without further enterprise negotiations, it's 1800 per host/year. $180k max.
I don't blame Vates for refusing to chase down the company. They'll bring you way more pain as paying clients than the shameless theft they're perpetuating.
JoblessWonder
FYI they said "hundreds of physical hosts" so it is significantly more than that.
ChrisMarshallNY
> But at some point, this goes beyond saving a few bucks: it becomes performance art.
Love it. I appreciate the humor and good example behind that.
It's entirely likely the company is spending more money on staff time, than on the product.
I also cannot even imagine running mission-critical stuff on free trials (I have heard of it, before. I think Adobe was successfully sued, once, because someone created an image in their free trial, and then, couldn't open it, after the trial expired).
If I were one of that company's customers, I'd be fairly concerned.
matt-p
I think the most depressing thing is how unsurprising this is.
This is why free trials require credit cards upfront, as they're more difficult to fake, not because you're about to be stealth billed. It's thanks to people like this.
rocketvole
It's practically trivial to bypass this if you really want to. CapitalOne in the US allows you to have virtual cards that can be verified but that you can delete and block at any time for free if you have a credit card from them. I'm sure the practice discourages casuals from gaming trials, but it just feels like it's making life miserable for paying customers while doing almost nothing to stop bad actors.
matt-p
If you also ban virtual and pre-paid cards it cuts this to almost zero.
There is a difference, this rocket company is not really going to generate a new virtual card every time? You think their business bank account even supports that?
yurishimo
Considering it's a startup, high likelihood they are using something like Brex, which does support virtual card numbers.
sumanthvepa
Those types of card numbers are detectable though.
hiatus
How? Based on issuer identification number?
idiotsecant
They are detectable only if the issuer has a dedicated BIN for virtual cards. If they issue in the same BIN as your regular card, there's no way to detect without issuer cooperation, which would defeat the point.
bsder
> CapitalOne in the US allows you to have virtual cards
Anything recurring will not take a virtual card or gift card in the US.
I got burned on this a couple times until I figured it out.
TechDebtDevin
privacy.com
stickfigure
Tell them that their free trial is over and their company will no longer receive free trial keys. You can do that. It doesn't require a lawyer and it doesn't require threats. Just "We're glad you like our product! Unfortunately we can no longer support you with free trials." Be polite.
If they secretly keep getting free trials by pretending to be unaffiliated, then escalate to 1) blocking the fake ones when you discover them (very annoying to them, even if you don't get them all) and 2) as a very last resort, legal threats.
The goal is to get them onboarded as paying customers. Every other outcome is effectively a loss. You want to be polite but firm.
pnathan
If it were me, I'd have, at the least, a little routine in the trial-signup logic on the backend which would check the company name and known aliases, and return a "not eligible for free, but sales would love to talk! Have a nice day!" message.
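Putting the two suggestions above together (russfink's "rest period between activations for a given company" and hardware telemetry, and pnathan's company-name/alias check in the signup backend), here is an added example of what such a screening routine can look like. It is not code from the thread or from Vates; the five-day rest period, the alias table, the webmail domains and the request sequence are all constructed stand-ins. The routine also covers the case the article describes: requests that move to personal webmail addresses with incrementing handles, which it ties back to the organisation through a previously seen hardware fingerprint.

```python
"""Trial-request screening: org aliases, rest period, throwaway-handle pattern."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical policy value: the thread only says "a rest period" / "even 5 days".
REST_PERIOD = timedelta(days=5)

# Constructed alias table: canonical org -> email domains and company-name variants.
# In practice sales/support would maintain this list.
KNOWN_ORGS: dict[str, set[str]] = {
    "rocketco": {"rocketco.example", "rocket-co.example", "rocketco", "rocket co inc"},
}
WEBMAIL_DOMAINS = {"outlook.example", "gmail.example"}  # constructed stand-ins


@dataclass(frozen=True)
class TrialRequest:
    email: str
    company: str
    requested_at: datetime
    hw_fingerprint: str | None = None  # e.g. a hash over CPU id / disk serial / TPM quote


@dataclass(frozen=True)
class Decision:
    eligible: bool
    reason: str
    org: str | None  # organisation the request was attributed to, if any


def normalize_name(name: str) -> str:
    """Lower-case, drop punctuation and common legal suffixes so aliases compare equal."""
    name = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    name = re.sub(r"\b(inc|ltd|llc|gmbh|sas|corp)\b", " ", name)
    return " ".join(name.split())


def handle_stem(local_part: str) -> str:
    """'jdoe07' -> 'jdoe': strips trailing digits/separators to group incrementing handles."""
    return re.sub(r"[\d._-]+$", "", local_part.lower())


def _domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def resolve_org(req: TrialRequest, history: list[tuple[TrialRequest, str | None]]) -> str | None:
    """Attribute a request to a known org via email domain, company alias, or a hardware
    fingerprint that an earlier request already attributed to that org."""
    domain, company = _domain(req.email), normalize_name(req.company)
    for org, aliases in KNOWN_ORGS.items():
        if domain in aliases or company in {normalize_name(a) for a in aliases}:
            return org
    if req.hw_fingerprint:
        for past, past_org in history:
            if past_org and past.hw_fingerprint == req.hw_fingerprint:
                return past_org
    return None


def screen(req: TrialRequest, history: list[tuple[TrialRequest, str | None]]) -> Decision:
    """Decide eligibility. `history` holds every earlier request with the org it was tied to."""
    org = resolve_org(req, history)
    if org is not None:
        last = max((p.requested_at for p, o in history if o == org), default=None)
        if last is not None and req.requested_at - last < REST_PERIOD:
            return Decision(False, "rest period", org)
    # Webmail address whose handle differs from >=2 earlier ones only by a trailing counter.
    domain, stem = _domain(req.email), handle_stem(req.email.split("@")[0])
    if domain in WEBMAIL_DOMAINS:
        siblings = [p for p, _ in history
                    if _domain(p.email) == domain
                    and handle_stem(p.email.split("@")[0]) == stem
                    and p.email.lower() != req.email.lower()]
        if len(siblings) >= 2:
            return Decision(False, "sequential handles", org)
    return Decision(True, "ok", org)


def demo() -> list[tuple[str, bool, str]]:
    """Replay a constructed request sequence and return (email, eligible, reason) per request."""
    def day(n: int) -> datetime:
        return datetime(2025, 1, 1) + timedelta(days=n)
    requests = [
        TrialRequest("alice@rocketco.example", "RocketCo Inc", day(0), "hw-A"),
        TrialRequest("bob@outlook.example", "personal", day(2), "hw-A"),   # same box, new mail
        TrialRequest("bob2@outlook.example", "n/a", day(10)),
        TrialRequest("bob3@outlook.example", "n/a", day(20)),
        TrialRequest("carol@rocketco.example", "Rocket Co", day(30), "hw-B"),
    ]
    history: list[tuple[TrialRequest, str | None]] = []
    outcomes = []
    for req in requests:
        decision = screen(req, history)
        history.append((req, decision.org))  # record declined requests too
        outcomes.append((req.email, decision.eligible, decision.reason))
    return outcomes


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Declined requests stay in the history deliberately: the second request is refused for the rest period, but it is still what lets the fourth one (a third incrementing webmail handle) be recognised. A "not eligible" outcome would, as pnathan suggests, route the requester to sales rather than silently fail.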
walterbell
The lucky winner of an interview with our professional services team!
balls187
As CTO, I feel pretty strongly about this type of behavior and lay the blame squarely on the Aerospace Co’s CTO.
Being scrappy early on is part of the job, but when you are starting to generate revenue it’s time to convert your free tiers to starter tiers as you scale.
I’m sorry that there are people in our industry who choose to behave this way.
eb0la
I agree 120% with you... but I am wondering about how good you are at using free tiers. IMHO the free tier in cloud/saas just offsets the initial costs of using the cloud/saas. So... unless you're really small, free tiers won't work for you.
balls187
They’re deffo helpful when building PoCs and MVPs.
Once you get traction converting off free/basic tiers should be a no brainer.
We were on AWS Free Tier and once we hit market adoption, our costs were fully covered by paying customers (and then some…)
scosman
I had this happen on a consumer startup with referrals. Every month like clockwork one person would fake referrals to get a free month, which involved jumping through non-trivial hoops (re-installing everything, creating content in the fake account, going back). All to save $5, and when we had a free plan with almost the exact same quality.
I think the thrill of beating a system and getting away with it is as much a factor as anything. And I get it.
walterbell
You could indirectly promote this unnamed reference customer with a dedicated marketing page. This blog post is already the seed of a case study. List the top ten unnamed companies who requested trials, by industry sector, sorted in descending order by count and years and VMs, with them at top. Presumably #2 - #10 have much smaller numbers.
Placed in a marketing context, this human attention could be converted to revenue from other customers. Fund a creative writing competition on VeryBigCo Procurement Anti-Patterns and Shadow IT. Prizes could be paid licenses. If you get enough entries, ask a business school to do a case study on the same subject, then organize a multi-vendor survey on the topic. Also, memes.
You may also need to update the ToS on the trial. At some point, a motivated salesperson could convert the account with a multi-year license that covers both past and future usage.
ruffrey
I have a theory this happens because for individual contributors, the effort to buy SaaS software in the era of "vendor risk assessment" is a nightmare. So you end up with grassroots avoidance of that process, at all costs, inside the company.
cruffle_duffle
This is what I was thinking too. Some places make it insanely difficult to purchase anything.
neilv
Assuming this telling is pretty accurate, I'm wondering what the thinking was on both ends.
On the freeloader end: Did they think they were within the rules? How far up was the approval to keep doing it this way? Did someone try to pay, but get blocked? Did someone tell their boss they did this all in-house, and now doesn't want to admit they outsourced and exposed the company? Did it go to the top, and a lawyer told them to put the company name and a real person each time, and that they were covered on good faith if they only did that?
On the provider end: Seeing this locked-in enterprise user for 10 years, how was a salesperson not all over that slam-dunk sale? How did they let this go on for 10 years without tweaking their policy to stop the freeloader and any others who might emulate them? What did the business people say about this over the years when it came up? Was business so good it wasn't worth the time to convert the freeloader to a paying customer?
MarkusQ
For all of the above, the answer is probably shaped something like this:
panzagl
'semi-governmental company'
If they're using it in prod then there are plenty of regulations that should force them to establish a real support relationship.
Sometimes this type of stuff happens for a prototype that an org is trying to get funded, but not for 10 years. I'd collect all of the org email addresses they used for the initial d/ls and contact them first; maybe one of the ones from ten years ago has gotten promoted to a point where they can establish a paid relationship or approve use of the open source version.
It’s probably time to channel Larry Ellison and shake these guys down. Or at least shake their pockets for loose change.
They are stealing from you. As you point out, you go out of your way to help companies with your OSS options: you’re way on the right side of principled and generous. This is abuse. Don’t put up with it.
Given the history, I’d suggest a short C&D recounting the 10 years(!) of theft, the measures they’ve gone to, and tell them they have 15 days to either stop or get licensed, or you will seek 10 years of back licensing, interest and penalties. I assure you that you will receive a call from someone. Especially if you have to turn the software off on day 16.
Anyway this seems substantial to me, but also there’s an ethical and philosophical question of responsibilities. Do you have more responsibility to your employees and shareholders or to this space company? Even if you’re crazy rich as a company, I propose as the CEO you owe a pretty strong duty to those stakeholders to try and recover stolen assets. You don’t have to be mad at random spaceco, but I propose you might think hard before walking away.
Quick edit: just to frame your head on this: If the company is in the US then this behavior likely falls under DMCA anti-circumvention laws. If it does, people would have criminal liability. Now, I believe the DMCA is terrible legislation; it lets corporations create criminal liability through license agreements. But it is the law of the land here, and I would guess that as soon as your attorney can lay this out, and their attorneys get an eye on it, you will find willing negotiation happening.