Sounds like Oracle. Of course, they're much more clever about how they do it, but I always recommend people stay as far away from any of their products as possible.
> The request was simple: “Evaluate this solution, and if it’s suitable, we’ll migrate.”
This took me a few tries to figure out. "This solution" is the open source stack without the vendor from the previous paragraph. I thought it was including the vendor and got very confused when more comparisons started to happen.
I hope one day we get to see real names in this story.
This guy really works in a "minefield", with trouble and powerful enemies at every step.
> That strongly suggested it: it looked as if they might have been reading the emails.
That sounds like it might be grounds for criminal charges, if evidenced properly, the threat of which could be used to get that company to back down.
Maybe I'm confused about the timeline or the actors involved, but:
> The company offered a managed version with its own proprietary additions
Doesn't sound like open source to me?
So make sure you fully read the fine print before signing an agreement for something.
You should do this for consumer stuff, but it's mandatory for business stuff.
I'm no lawyer, but I would think the purposes for which they read your email and the actions taken subsequently are blatantly illegal, and would invalidate the entire contract.
I feel like many HN'ers have been in this situation.
I was once in a confidential "back out" of a system. There was some shared code base with the other company. One of our devs made a comment that was something like "Reversing Migration Script" in the code.
In less than an hour from that commit (I didn't know at the time) I was stuck in a firestorm "WTF DID YOU DO" battle between the two CEOs of the companies. It turns out that the other company was ACTIVELY spying for such terms in the code so they could react if we tried to leave. It was going to be an honest non-renewal at the end of the contract, so not even anything shady. I didn't find out till later how they were spying, so there was this huge witch hunt about who was the rat and such. It was awful.
It seems this level of sociopathy is just the norm these days, and I'm just an old fuddy duddy doing regular honest work without having a Machiavellian scheme running in parallel. No wonder places only want to hire 20yo's /s /sorta.
> a horror story based on real events
So is it fiction? Details matter. If any of the details are not true, this makes the story waaay less interesting.
What’s the point of not naming names? This could easily be just a creative writing exercise.
While the story is infuriating, it is also:
1) completely from one person's version of events
2) absolutely unverifiable
I can't help shaking the feeling that it could be ragebait? Which ended up on HN as a result? Sure, companies act like bullies sometimes, but I don't know that I think this story is more likely than "person I've never heard of makes up outrageous story for attention". Both seem equally plausible.
What's the point of this story? Bad actors win?
Here's a hot take: Name and Shame.
If this story is true, the author should be shouting their names from the rooftop.
Instead, we get this nonsense.
There’s something odd about this story. Not naming companies is weird - this happened before GDPR which means it happened a minimum of nine years ago. There were no lawyers involved at any point, not even before signing amendments with a company known for punishing vendors on their way out. Nobody even seemed to mind that this shady company with such a bad reputation was reading client emails. There was no attempt to warn anybody or to even solve the problem.
I don’t believe that this ever happened. I don’t know why someone would make up a story like this but this one is very odd.
Some companies are just incredibly naive sometimes. Case in point: I work at a game dev studio, and our main competitor on the segment we are on is a game published by Microsoft.
The other day a coworker was talking about how that other game had a tendency to release similar content as us, sometimes right before us, with marketing material that looked eerily like stuff still in production from our marketing team, to the point that they suspected someone was leaking stuff.
Dude, all we do is discussed on Teams and it's all in documents stored in Office 365. They don't need us to leak anything, they can simply read our Teams channels and our documents. They probably spend more time discussing plausible deniability with their legal team than researching what we do.
We are also moving our analytics from Tableau to whatever Microsoft's equivalent is, and nobody seems to see the issue with that either.
This is the kind of story that perfectly captures why “open source” != “freedom.” You can run 100% FOSS software and still be completely imprisoned if you give control to a middleman.
The company in this story didn’t just sell “support”, they sold permission. They took something open, wrapped it in contracts, lock-ins, and managed-service handcuffs, and then claimed ownership of it. That’s the new vendor lock-in model: control the interface, not the code.
The chilling part isn’t that they could read customer emails, it’s that they thought it was normal. Somewhere between “managed service” and “surveillance,” the moral line vanished, replaced by legalese.
This story should be printed and taped above every government IT procurement desk. If you don’t own your servers, your keys, and your contracts, you don’t own your data, no matter how “open” the stack is.
> However, to protect the privacy of the people and companies involved, I have deliberately mixed things up: technologies, contexts, and specific details have been modified or merged with other experiences.
Why wouldn’t a person stop reading there, unless they were the author’s mom or roommate or something and were reading out of politeness?
I'm sorry but this reads like AI slop. Or maybe it's not AI slop, it's just regular human-generated slop, but regardless: it's useless.
For one: it's intentionally completely unverifiable. Sure, maybe the writer's not brave enough to break their NDA by sharing names. But it's also convenient: nobody can ever poke holes in the story, or add their own context to it. The story just gets to live on its own and earn internet karma regardless of whether it's at all true.
For two: completely inconsistent. Let's take these two paragraphs:
> A few years earlier, a major public institution - let’s call it Agency A - was still running an ancient Exchange mail server. It hadn’t received security updates for ages, the anti-spam was completely ineffective, and the new regulations were clear: embrace Open Source solutions whenever possible.
> They had already received a proposal - expensive but seemingly reasonable - for a managed service, hosted by an external provider, built on an open source mail stack. The company offered a managed version with its own proprietary additions and enterprise support. The catch? The price was absurd, and Agency A already had solid infrastructure - reputable IP classes, redundant datacenters, everything working fine. We had built and maintained that environment for years, and it was still running perfectly.
So we have just learned in paragraph 1 that the current system is dated and full of security holes and missing features. In paragraph 2 we have learned that the current system's infrastructure is "solid" and "working fine". Can you really say the infrastructure is solid and working fine if it's preventing you from upgrading your Exchange mail server?
And let's take paragraph two: it says the proposal is "expensive but seemingly reasonable" and then one sentence later says "the catch? The price is absurd". How can the price be both "reasonable" and "absurd?"
Overall an annoying read.
> a former interim IT manager still had an email client connected via token authentication - with access to all messages. And that person had signed the original contract with the provider years before. Informally questioned, he admitted contacting them "to warn them" but claimed it was harmless.
This kind of behavior rubs me the wrong way. People leaking stuff, breaking compliance and then saying - it was just harmless.
I work with a Director who has done something similar multiple times. The chain of events often is: she attends an industry conference, there she learns about a piece of software, she goes ahead and schedules product demos and solicits a contract. She then contacts the only outsourcing agency she is aware of and promises to give them the implementation contract. Then she reaches out, as she doesn't have the authority to sign those contracts.
Since the time I have been responsible for product selection this has happened twice. Both times I have been under different managers. Both managers have insisted it was harmless.
Last time this happened the Director was told that by promising work and soliciting contracts she was in gross non-compliance with the company policies. Her response showed how little she cared. As per her, this was an internal matter and no one could punish her.
Later, when we evaluated the product, it promised to "get better with time". All the company's data was being ingested into an AI without regard for enterprise data security rules. Even then her response was - What is the big deal? Everyone reads everyone's data. Legal got involved and shut it down - they asked the product to turn off AI features for our instances.
It is really hard to contend against a malicious or dumb teammate. In a corporate setting, if they are higher than you then it is even more difficult. They can chalk it up to a harmless mistake and no one can do a thing.