Salesforce Fires Red Team Staffers Who Gave Defcon Talk (zdnet.com)
Josh Schwartz, Salesforce's director of offensive security, and John Cramb, a senior offensive security engineer, have been fired by the company after they gave a talk at the Defcon security conference in Las Vegas last month, reports ZDNet. Schwartz and Cramb were presenting the details of their tool, called Meatpistol, a "modular malware implant framework (PDF)" similar in intent to the Metasploit toolkit used by many penetration testers. The tool, "pitched as taking 'the boring work' out of pen-testing to make red teams, including at Salesforce, more efficient and effective", was anticipated to be released as open source at the time of the presentation, but Salesforce has held back the code. From the report: [...] The two were fired "as soon as they got off stage" by a senior Salesforce executive, according to one of several people who witnessed the firing and offered their accounts. The unnamed Salesforce executive is said to have sent a text message to the duo half an hour before they were expected on stage not to give the talk, but the message wasn't seen until after the talk had ended. The talk had been months in the making. Salesforce executives were first made aware of the project in a February meeting, and they had signed off on the project, according to one person with knowledge of the meeting. The tool was expected to be released later as an open-source project, allowing other red teams to use the project in their own companies. But in another text message seen by Schwartz and Cramb an hour before their talk, the same Salesforce executive told the speakers that they should not announce the public release of the code, despite a publicized and widely anticipated release. Later, on stage, Schwartz told attendees that he would fight to get the tool published.
Run up the mini bar bill and bill some table time as well. They don't work there any more, so TS!
The unnamed Salesforce executive is said to have sent a text message to the duo half an hour before they were expected on stage not to give the talk, but the message wasn't seen until after the talk had ended.
Of course it wasn't seen. You don't carry anything electronic at Defcon. That executive is an idiot.
I think we've missed an opportunity for a much better headline: "Meatpistol killed by meatheads".
Also, for some reason Meatpistol sounds like a good name for a metal album, or maybe even the band.
Shitting on everyone at defcon and then firing your lead security engineers.
What?! The executive is 12?!?!
If I had an important message to give someone I'd get them on the phone - talking - or see them in person.
What an idiot!
So are you suggesting they waste their own money (now that they are jobless), or that they commit fraud and wind up arrested in addition to being jobless?
It's so fantastic you're going to allow people to quit a job if you don't agree with their decision to do so. Just super.
What I don't understand is why I'm asked to give 2 weeks notice when I quit, while companies will never tell you until 5 minutes before they escort you out. Fuck that.
I always avoided working for the local spam company, exact target. I kind of regretted that after they were acquired by Salesforce, but I guess I dodged a bullet. This is going to make many people think twice.
Where's the link to the talk for this framework?
Well, at least around here, if I give them two weeks notice, then I'll give them two weeks of my time.
If they lay me off, they will give me 6 months of pay.
I don't mind being kicked out of the building, I care about my pay.
Let's go for some Streisand effect and expose him.
Someone needed to be fired for that horrible slide deck. The Exec was probably just offended by their lack of PowerpointFu.
If the guy is a director level employee, I wager he has an employment services contract and is therefore not at-will. On a side note, a bunch of lawyers are going to get richer off this.
The two were fired "as soon as they got off stage" by a senior Salesforce executive, according to one of several people who witnessed the firing and offered their accounts.
END OF PRESENTATION
The unnamed Salesforce executive is said to have sent a text message to the duo half an hour before they were expected on stage not to give the talk.
30 minutes prior and (allegedly) missed message, do not give the talk
, but the message wasn't seen until after the talk had ended. The talk had been months in the making. Salesforce executives were first made aware of the project in a February meeting, and they had signed off on the project, according to one person with knowledge of the meeting. The tool was expected to be released later as an open-source project, allowing other red teams to use the project in their own companies. But in another text message seen by Schwartz and Cramb an hour before their talk, the same Salesforce executive told the speakers that they should not announce the public release of the code, despite a publicized and widely anticipated release. Later, on stage, Schwartz told attendees that he would fight to get the tool published.
One hour before and seen, don't announce that the code would be opened to public.
So read it again, and notice that the timeline works backwards.
Where was the exec 1/2 hour or the hour before the end of the talk so that he could properly warn them not to give the talk?
If you ask me, it's the exec that needs to be fired.
He could build up quite a cadre of disaffected geeks to be his Leaky Minions.
Yes, he is
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
Safety considerations are strongly suggested while handling meat pistols. You wouldn't want one to go off unexpectedly.
Just tell the TSA dude . . . yes, that's hard; and it might go off, but it's not a bomb.
I'll see your senator, and I'll raise you two judges.
You think that your senior offensive security engineers, two of the best penetration testers in the world, didn't get an unexpected text message that you sent to them at DEFCON telling them not to give a talk about advanced penetration testing tools and your plan is to fire these people?
"Schwartz and Cramb are now being represented by the Electronic Frontier Foundation."
All the more reason to send them your dollars so they can sue the shit out of Salesforce for their asstastical support of engineering.
I hope this story is true, but my bullshit alarm is going off slightly. So when you didn't get a response to your text... you simply did nothing and waited to fire two of the best pen testers in the world? Sorry, sounds fishy, but moving on...
If it did go down this way, something tells me when the upper-upper management gets wind of how poorly this piece of asshattery was executed, this executive will be told politely to GTFO. The bad press alone will likely be this clown's undoing. The angry masses will demand a sacrifice, and one they shall have.
Yes Francis, the world has gone crazy.
I know a ton of Engineering Directors in tech companies in the Bay Area. It ain't no thing, and literally none of the ones I know have a special contract that exempts them from at-will employment.
It isn't like there are enough great pentesters around to satisfy market demand, and we don't run around with all wireless devices active while there. Defcon can be a hostile area.
No doubt they are high-talent folks; they'll be offered 100 jobs before leaving Defcon, all at a substantial increase.
Same here, minimum 6 months gardening leave no matter how employment ends. Paid.
If you want a recommendation, you give them proper notice. Similarly, when they fire you, they aren't expecting a glowing endorsement of the company from you.
How is it fraud? The company can't just fire them on the spot and expect them to pay their own hotel bills and return airfare; by sending them on *company-approved* travel, the company is responsible for all their travel bills. That includes any extra hotel charges and airline fees.
Now the problem is if they have to get reimbursement from the company for travel costs, or if they have a company credit card that the company pays. If the former, it's not worth it because it'll be too hard getting the company to reimburse, and would probably require suing them, which certainly won't be worth it. If it's the latter, then the company would have to try suing them, which of course isn't worth it for a few hundred $$$. There's no fraud; all those expenses are justifiable travel expenses. (I'm not so sure about "table time" though, I'm really only talking about room charges, extra-baggage fees on the return flight, etc.)
It's so fantastic you're going to allow people to quit a job if you don't agree with their decision to do so. Just super.
It's not me, it's society, and it's a much bigger deal than you think. We fought a war over it. Courts basically never force people to continue working (even if there is a contract) precisely because it would be forced labor.
The company can't just fire them on the spot and expect them to pay their own hotel bills and return airfare; by sending them on *company-approved* travel, the company is responsible for all their travel bills.
The video game company that I worked for prior to the dot com bust promoted a video game tester to assistant producer, sent him to the Texas studio to live and work, and then closed the studio two weeks later. When the guy requested money to move back to California, he was told to get lost. Last I heard he was still in Texas.
Well - an employee that leaves of their own free will will likely not be in a foul mood those last two weeks and will actually try to pass along some knowledge to those remaining. However, there is no law stating you must give 2 weeks' notice; you can walk out immediately if you desire.
If a company is firing you, there's a security risk to keeping you around.
This being the perfect sort of news /. should have posted the day of or even after the incident. Not "last month."
And how about an interview and or posting questions to them and the EFF about the incident.
But he still was in Texas, which is far preferable to the overpriced shithole that is Silicon Valley.
Lucky guy. They could have relocated him to Silicon Valley, and then shitcanned him, leaving him stranded in a third world country, working for peanuts. A short move to Austin gets him to a cool town in Texas, and the cost of living is quite reasonable.
They could have relocated him to Silicon Valley, and then shitcanned him, leaving him stranded in a third world country, working for peanuts.
He was from Silicon Valley. He wanted to come back to Silicon Valley.
A short move to Austin gets him to a cool town in Texas, and the cost of living is quite reasonable.
Except he spent all his money to move out to Texas, find an apartment, and then only had a two-week paycheck when it came time to pay the rent. IIRC, we (the testers) took up a collection for him to pay his rent. This was in 2001. So no Go Fund Me site for donations.
by sending them on *company-approved* travel, the company is responsible for all their travel bills. That includes any extra hotel charges and airline fees.
You must have never traveled for any company ever in your lifetime. "All" is a very inappropriate word here. Try "per-diem". Try making unjustifiable changes to your itinerary and getting the company to pay for the change fee. Nope. Try checking a couple extra bags to carry all the stuff you bought while on that trip -- same "nope" for those fees. Order a couple rounds of room service for all your buddies, nope, not covered, nor is getting a suite when you had a single booked.
and would probably require suing them, which certainly won't be worth it.
Because they'd lose. "Hookers and blow" on the hotel bill are not legitimate travel expenses, nor would a $1000 dinner be. And $300 on the mini-bar bill? Ha.
There's no fraud; all those expenses are justifiable travel expenses.
Now I know you've never traveled for a company. "Run up the mini bar bill and bill some table time as well..." Anything over the authorized per-diem rate is on their own dime and deliberately trying to charge it to the company is fraud, even if you consider it "justifiable travel expenses". Whatever you "bill" for gambling is never a justifiable expense.
(I'm not so sure about "table time" though,
Which is it, ALL or maybe not so much? Is all you are actually claiming now that the original travel expenses are all you were referring to, and you didn't mean to join the discussion to defend the act of running up the bills and billing for extraneous stuff?
I'm suggesting you have a stick shoved pretty far up your ass.
A company like Salesforce isn't in the security business; security is just part of what they have to do... overhead. So not sharing a tool that they aren't going to market anyway is lame. My company does the same thing.
That's how we know you're lying. Nobody wants to go back to Silicon Valley once they've left it. It's a third world shithole.
A minimum wage job in Texas will carry you pretty far. He was lucky to be relocated out of California and into a good place like Texas before he was laid off. Easy to find a crap job to tide you over, and plenty of jobs for a hard-working tech guy in Dallas, Houston, and Austin.
The quality of life in the Bay Area is much higher than anywhere in Texas.
But he still was in Texas, which is far preferable to the overpriced shithole that is Silicon Valley.
It seems you've never been to Texas.
Bwahaha, nobody with a brain wants to live in a retarded shithole full of taxpayer subsidised rednecks like Texas.
Hmm. "Fired" via tweet. For presenting a company-sanctioned/signed-off-on paper?
And the negative level of publicity for such? The stock price delta (if this gains the attention of wall st. speculators) will knock off multiple $Billions from their net value. (No I do not own/short any salesforce stock)
Not quite; there's no creimer in Texas!
You must have never traveled for any company ever in your lifetime.
I've done a lot of traveling for an engineer that doesn't work in sales. Things varied by company; some companies gave me a company credit card and didn't question things (but I didn't run up unreasonable expenses either), others gave me a credit card but made me submit an expense report afterwards, others I had to buy stuff on my own and then submit an expense report to get reimbursed.
Try making unjustifiable changes to your itinerary and getting the company to pay for the change fee. Nope. Try checking a couple extra bags to carry all the stuff you bought while on that trip -- same "nope" for those fees. Order a couple rounds of room service for all your buddies, nope, not covered, nor is getting a suite when you had a single booked.
Yes, it'll all be covered if you're paying on a company credit card. No, it won't be covered if you have to get reimbursed. I wrote this in my prior message. If you abuse the privilege, you'll lose your company card, or even get fired, but these guys were already fired, but they presumably still had their company cards (again, if it's not the kind of company that makes you buy stuff yourself and get reimbursed; usually it's just tiny companies that go that route).
Because they'd lose. "Hookers and blow" on the hotel bill are not legitimate travel expenses, nor would a $1000 dinner be. And $300 on the mini-bar bill? Ha.
"Hookers and blow" is excessive, I'm really talking about a few hundred or so in charges. Yes, they WILL be covered, because the company has to pay the credit card. When employees do stuff like this, they get reprimanded, have to pay it back, or get fired. These guys are already fired. They can do what they want; what is the company going to do, double-fire them? They can sue them, but it'll cost the company a lot more in legal fees and lawyer time than they'll get back for $1000 of charges or less.
Now I know you've never traveled for a company.
No, you have no idea what the fuck you're talking about. Per-diem rate? WTF is that? I've traveled for only a couple of places that had such a thing; usually it's government-related stuff that has such a thing. No, it's not "fraud" to charge stuff to your company's expense account that's exorbitant, like a ridiculously fancy dinner or room service, it's just abuse that the company can deal with on its own. Good luck getting the DA to prosecute someone for charging a $250 dinner to their company credit card; that's the stupidest thing I've read all day.
This should be a good lesson in moving for a job. As soon as a company doesn't need you any more, that's it, unless they happen to be really nice and give you a severance. So if you're being moved on a company's dime, make sure it's 1) a place you want to go, and 2) you're not going to be up shit-creek if the job dries up (i.e., don't let a company move you to someplace where there's zero jobs for you if things go south). These situations are great if you wanted to move to that place anyway, since moving is expensive, but if it's not a place you want to go at all, it's time to either refuse, or start looking for a new job (or both).
Yes, for instance, in the Bay Area, you can watch homeless people shitting on the sidewalk in the middle of the day! And you can sit for endless hours on the freeways during rush hour! Or you can take overcrowded, overpriced, terribly inconvenient mass transit! And you can pay 2 times the national average cost of living for the privilege of doing so!
Yes, it'll all be covered if you're paying on a company credit card.
Try charging $1000 of hookers and blow on the company credit card and see how much is covered. "All" is a very wrong word to be using.
"Hookers and blow" is excessive, I'm really talking about a few hundred or so in charges.
This whole discussion started when you defended the act of running up the bill to get back at the employer who fired them. We're not talking about reasonable travel expenses when you talk about running up the bill. A few hundred or so dollars in run-up charges won't be covered by any sane travel department.
Yes, they WILL be covered, because the company has to pay the credit card.
You've never contested a charge, have you? But even if the company pays the card off, that doesn't mean that the employee will not get the money withheld from his last paycheck. And when he tries to sue, he's going to lose when the employer shows what the charges were for. You do realize, I hope, that when you charge something on a company credit card the company owns the account and has full access to all the records that go with it, like copies of charge slips and billing info. "Why is the hotel charge only $200 a night for the first four nights you were there, and then the day you were fired it went up to $1000/night? Oh, look, mini-bar and pay-porn movies." And then they'll notice the $250 dinners. You won't have the excuse that you were entertaining clients because you don't work for the company anymore and those will be yours to pay, too. That $1000 in chips you charged to the room, well, that's just outright theft.
but it'll cost the company a lot more in legal fees and lawyer time than they'll get back for $1000 of charges or less.
Now I know you've never been to Vegas. Otherwise, you'd know that it is trivial to run up a lot more than $1000 in charges in just one night of glorious revenge. But anyway, you know that last paycheck you thought you were getting? Surprise, we deducted the cost of the hookers and blow, and the excessive mini-bar, and the "table games" you put on the company credit card. And we've filed charges for theft, since you knew you were not authorized any of that and charged it to the company.
Per-diem rate? WTF is that?
You never have traveled. "Per-diem" is the standard reimbursement limit for travel, based on normal costs in the area you've traveled to. "Per day" is the English translation. So much for a hotel, so much for breakfast, so much for lunch, so much for dinner. Whether the company you work for calls it that or not, there are still reasonable and justifiable limits on travel expenses. No company tells an employee on travel to "spend all you want, we'll cover it all no matter what you spend it on."
No, it's not "fraud" to charge stuff to your company's expense account that's exorbitant,
You're right, it is theft. Quibble over what it is called, but it's still crime, it's outside the scope of justifiable expenses, and the company does not have to pay for it.
that's the stupidest thing I've read all day.
I'd say the claim that a company is responsible for all travel expenses, even when they're being run up in revenge for being fired, is the stupidest thing I've read all day. Claiming that the company has to cover all the expenses if they are on the company credit card is a very close second.
The Executive VP / CISO (Jim Alkove) fired the employees shortly after they walked off stage, and several of us heard bits of that conversation.
After removing every senior leader from the previous organization, he brought dozens of Microsoft VPs and managers to Salesforce. From what I understand, the company used to have one of the top security teams in the industry, but 80% of their security leaders and top talent left in the last 6 months. If their CEO doesn't get involved, the despotic culture will prevail and sadly whatever talent is left will flock to other companies.
This is how he works. This is the reason he was invited to leave Nest.
"watch homeless people shitting on the sidewalk in the middle of the day!"
That's just creimer counting outgoing calories!
" Last I heard he was still in Texas."
He just wanted to get away from you.
Other than the 30 million people who live there, I guess you're right.
Of course, when it comes to taxpayer subsidized shitheads, California would know a lot about it. How's that homeless population doing again, San Francisco?
Go spend a week in Austin sometime. It's basically a slice of Portland smacked down in the middle of Texas. Hell, even Dallas and Houston are part of reliably democrat-voting counties these days. Trump only won Texas with 52% of the vote - Clinton trailed by 9%, but given the reputation that Texas has as "full of regressive shitheads," it seems a bit curious that you'd dismiss 43% of the state that voted Democrat. Maybe they're in that basket of deplorables, huh?
I have to be cautious with my statements for obvious reasons, but... Randy Kern was publicly poached from Microsoft. Look at the executives hired by salesforce since and all will become clear. I very much doubt any executives will be harmed for this decision regardless of the outcome of a lawsuit. http://www.businessinsider.com...
The Executive (Jim, Chief Security Officer) fired the employees shortly after they walked off stage, and several of us heard bits of that conversation.
Yeah I don't get the Texas hate, by many accounts it's a great place. The weather may be a problem for some people, I don't mind the heat.
Never lived in CA, but was in Texas for several years. Holy shit, I was glad to get the fuck out of there.
Except he spent all his money to move out to Texas,
Could have been worse, he could have spent all his money on your eBooks!
Especially since I wouldn't have any ebooks for another ten years.
On that note, Casey Neistat did a video about "Ready Player One" by Ernest Cline because Steven Spielberg is turning the book into a movie.
It's just a big boring suburb of a state. Nothing really to hate (or care about) unless you're anti-W.
that's the stupidest thing I've read all day.
You must not read very much. There are a LOT of things much more stupid than that, just here on /.
I don't know where you live, but I've been laid off 4 times in my career (in the US) and I have never received more than 2 or 3 weeks of severance. Severance is not mandatory.
Of course it's not mandatory, you negotiate it before you sign the employment contract.
I live in the Austin area and can experience all of that just fine here already without having to move to the Bay Area.
You have obviously never had a corporate credit card. It doesn't work that way.
No, the company most certainly does NOT 'have to pay the credit card'. Merely possessing a card does NOT give one the authorization to use it. The moment they were fired they lost their authorization to use the card, and using the card from that point on is no different than using a stolen card. Even if still an active employee the card is only to be used for authorized expenses, and any other use is unauthorized use of the card. The company will then dispute the charges as fraudulent when they get the bill. The credit card company can then take whatever action they want (billing the person who made the charges, having them arrested, etc).
Of course, the company COULD just pay the card, and count that payment as 'money owed to the company by the employee'. That money would then be deducted from their pay (if still employed) or from their final paycheck.
Thinking you found some clever scam to get the company to pay unauthorized charges is REALLY the dumbest thing I've read all day.
Affiliate link spam free version, so as not to encourage this huckster:
https://www.amazon.com/gp/product/B004J4WKUQ
Well put. How dumb do you have to be to think that corporate accounting departments and credit card companies don't have all kinds of policies and procedures for dealing with crap like this? And none of them end up with the (ex) employee getting away with it.
Even when I've left jobs (I've never been fired in these circumstances), I had no issue with getting expenses paid. Sure if the company is bankrupt or something. Somebody will figure out the most economic way to end their trip and get them home, they will file expense reports for outstanding expenses, and everybody will move on. Companies this size aren't interested in vendettas over small amounts of money.
You mean COST of life, not QUALITY of life.
If you define homeless people all over the place, high, drunk, smoking weed, shitting/pissing all over the streets as HIGH quality of life, then I suggest you raise your standards.
At least in Texas you can actually defend yourself from an attacker with a firearm.
Most of my employers have rubber-stamped most travel expenses -- $50 steaks, ample booze. Managers renting SUVs. I routinely average half what co-workers expense.
A former co-worker told me of his time working for a Taiwan-based tech company. They were expected to pay *all* of their own travel expenses. I would have thought that illegal in the US, but when I looked it up it doesn't seem like it is. Most companies do pay, but it stunned me that it isn't apparently required by law.
In 1992 a guy who had worked in Frito-Lay HR in TX told me of a manager interview candidate who submitted $600 in "limo rides". His response had been "Ah yeah no, I know what that is and we're not paying for it".
Yes, exactly my point. Now if you charge up thousands for Vegas chips, that's probably a different matter. Charging a $100 meal isn't worth squabbling over for a company that size.
A former co-worker told me of his time working for a Taiwan-based tech company. They were expected to pay *all* of their own travel expenses. I would have thought that illegal in the US, but when I looked it up it doesn't seem like it is. Most companies do pay, but it stunned me that it isn't apparently required by law.
No, why would it be? But why on Earth would anyone work for such a company in the first place? The whole point of companies paying for employee travel is to get them to do it: presumably there's a good reason to send them somewhere (and if there's not, that's why many companies scrutinize travel requests, perhaps by a separate department). If you make employees pay for it, they'll generally avoid travel if at all possible, which can end up costing more in employee time and time-to-market (delays in getting work done, delays in trying to work around the lack of being onsite), and also in customer satisfaction (engineers don't want to bother traveling to customer site to deal with problems there), and of course finally in employee turnover. Personally, I wouldn't take a job like that unless I was really desperate, or they were paying very very handsomely compared to other offers. It generally shows the employer is a cheap-ass and doesn't support its employees or want to pay for the tools needed to get the job done. Of course, lots of companies seem to be "cheap-asses" these days, but even so, it's still very much the norm to pay for employee travel, so one that doesn't must be much worse.
Or Silicon Valley.
Why would it be? Same reasons as unpaid overtime, it's basically theft from the employee.
Why would anyone work for such a company? Lack of better choices perhaps, and cultural familiarity with hierarchy. This company wasn't paying my associate particularly well, and he differed ethnically from them.
Everything you write is completely true.
Why would it be? Same reasons as unpaid overtime, it's basically theft from the employee.
Sorry, no such thing as "unpaid overtime" with a salaried position (assuming of course this is a salaried position in question, but I suspect it is). I've gone on travel many times as a salaried employee; I don't get any bonus for it taking 24 hours/day instead of just 8. But I do get to have a nice, fancy meal on the company's dime, stay in a nice hotel with a pool, and frequently take a trip in a nice city that otherwise I might not see so it's not all bad, at least in my experience (luckily, I never got sent someplace like downtown Detroit when I had to travel).
As for unreimbursed travel expenses being "theft", I really don't think that's the case legally in the US. Ethically I would agree with you, but many of our laws are very unethical. We don't have as many employee protections here as they do in Europe unfortunately.
I know that. I was talking about places that pressure hourly employees to work without pay, which is disjoint from travel.
I didn't say unreimbursed travel expenses are legal theft; they're ethical theft.