Slashdot Mirror


Salesforce Fires Red Team Staffers Who Gave Defcon Talk (zdnet.com)

Josh Schwartz, Salesforce's director of offensive security, and John Cramb, a senior offensive security engineer, have been fired by the company after they gave a talk at the Defcon security conference in Las Vegas last month, reports ZDNet. Schwartz and Cramb were presenting the details of their tool, called Meatpistol, a "modular malware implant framework (PDF)" similar in intent to the Metasploit toolkit used by many penetration testers. The tool, "pitched as taking 'the boring work' out of pen-testing to make red teams, including at Salesforce, more efficient and effective", was anticipated to be released as open source at the time of the presentation, but Salesforce has held back the code. From the report: [...] The two were fired "as soon as they got off stage" by a senior Salesforce executive, according to one of several people who witnessed the firing and offered their accounts. The unnamed Salesforce executive is said to have sent a text message to the duo half an hour before they were expected on stage not to give the talk, but the message wasn't seen until after the talk had ended. The talk had been months in the making. Salesforce executives were first made aware of the project in a February meeting, and they had signed off on the project, according to one person with knowledge of the meeting. The tool was expected to be released later as an open-source project, allowing other red teams to use the project in their own companies. But in another text message seen by Schwartz and Cramb an hour before their talk, the same Salesforce executive told the speakers that they should not announce the public release of the code, despite a publicized and widely anticipated release. Later, on stage, Schwartz told attendees that he would fight to get the tool published.

34 of 154 comments

  1. Unrealistic expectations by Anonymous Coward · · Score: 5, Insightful

    The unnamed Salesforce executive is said to have sent a text message to the duo half an hour before they were expected on stage not to give the talk, but the message wasn't seen until after the talk had ended.

    Of course it wasn't seen. You don't carry anything electronic at Defcon. That executive is an idiot.

    1. Re:Unrealistic expectations by zifn4b · · Score: 5, Funny

      That executive is an idiot.

      Aren't they all?

      Of course not, they have mad visionary skills, they gots the gap performance evaluations and the stretch goals. You are all not l33t compared to them. You are too stupid to get it.

      --
      We'll make great pets
    2. Re:Unrealistic expectations by mysidia · · Score: 5, Insightful

      Of course it wasn't seen. You don't carry anything electronic at Defcon. That executive is an idiot.

      Agreed. Signing off on it by the executive is a fait accompli. Withdrawing permission the day of a conference is Not an option. The executive should be fired. Josh Schwartz and John Cramb should be reinstated AND publicly apologized to, AND each awarded a huge bonus for that bullshit.

    3. Re:Unrealistic expectations by phantomfive · · Score: 2

      If you don't carry electronics, then how do you hack other people?

      --
      "First they came for the slanderers and i said nothing."
    4. Re:Unrealistic expectations by DickBreath · · Score: 4, Funny

      Various sharpened short and long blade weapons.

      --
      I'll see your senator, and I'll raise you two judges.
    5. Re: Unrealistic expectations by prefec2 · · Score: 2

      Still, it is not uncommon to not read a message immediately. For example, when you are talking with other people at the time. This would be impolite and shows how little you care about other people. In addition, using an asynchronous communication channel with limited message length to govern any structure is ludicrous. Only idiots would do so.

  2. Better headline by alvinrod · · Score: 4, Funny

    I think we've missed an opportunity for a much better headline: "Meatpistol killed by meatheads".

    Also, for some reason Meatpistol sounds like a good name for a metal album, or maybe even the band.

    1. Re:Better headline by zifn4b · · Score: 3, Funny

      Also, for some reason Meatpistol sounds like a good name for a metal album, or maybe even the band.

      We have a band that covers this... GWAR.

      --
      We'll make great pets
    2. Re:Better headline by Anonymous Coward · · Score: 3, Interesting

      I just noticed Meatpistol is an anagram of Metasploit

  3. Good luck by Anonymous Coward · · Score: 5, Funny

    Shitting on everyone at defcon and then firing your lead security engineers.

    1. Re:Good luck by Anonymous Coward · · Score: 5, Funny

      I am pretty sure I have seen that exec walking around with "Massive security breach me" sign on his back.

    2. Re:Good luck by Mr.+Shotgun · · Score: 2

      While also looking to hire more security professionals. I think this little stunt may have an adverse effect on their recruitment efforts.

      --
      Of all tyrannies, a tyranny sincerely exercised for the (supposed) good of its victims may be the most oppressive
  4. Re:Run up the mini bar bill and bill some table ti by bws111 · · Score: 3, Informative

    So are you suggesting they waste their own money (now that they are jobless), or that they commit fraud and wind up arrested in addition to being jobless?

  5. Re:At-Will Employment by Junta · · Score: 5, Insightful

    Well, at least around here, if I give them two weeks notice, then I'll give them two weeks of my time.

    If they lay me off, they will give me 6 months of pay.

    I don't mind being kicked out of the building, I care about my pay.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  6. Who is the exec? by AnthonywC · · Score: 4, Informative

    Let's go for some Streisand effect and expose him.

  7. Re:Text Message??!?! by Junta · · Score: 2

    It said 'later on stage', so they might have learned after the fact and decided to fight then.

    Of course, it's hard to imagine they would be completely oblivious to what was likely a controversial discussion...

    --
    XML is like violence. If it doesn't solve the problem, use more.
  8. Re:Text Message??!?! by Anonymous Coward · · Score: 2, Informative

    There were 2 text messages sent to the presenting duo. Both by the same exec.

    The first was sent an hour before the talk telling them not to announce the release of the tool (emphasis on ANOTHER and AN HOUR):

    "But in ###another text message### seen by Schwartz and Cramb ###an hour before their talk###, the same Salesforce executive told the speakers that they should not announce the public release of the code, despite a publicized and widely anticipated release"

    and then a second text message was sent to them telling them not to present (emphasis on half an hour)

    "The unnamed Salesforce executive is said to have sent a text message to the duo ###half an hour before they were expected on stage### not to give the talk, but the message wasn't seen until after the talk had ended."

    Reading comprehension is such a difficult skill to master, isn't it? No wonder the US is going to shit.

  9. Re:Text Message??!?! by tsqr · · Score: 2

    Since TFS states, "Later, on stage, Schwartz told attendees that he would fight to get the tool published.", clearly you need to work on your reading comprehension.

  10. So the exec was there to fire them... by Sebby · · Score: 4, Insightful

    Where was the exec 1/2 hour or the hour before the end of the talk so that he could properly warn them not to give the talk?

    If you ask me, it's the exec that needs to be fired.

    --
    AC comments get piped to /dev/null
  11. Donate to the EFF Folks by bigdady92 · · Score: 5, Insightful

    "Schwartz and Cramb are now being represented by the Electronic Frontier Foundation."

    All the more reason to send them your dollars so they can sue the shit out of Salesforce for their asstastical support of engineering.

    --
    Wheel of Time: Book by Book and Sumview (summary review) Bigdady92 style: http://bigdady92.blogspot.com/
  12. Re:Dodged a bullet... by im_thatoneguy · · Score: 3, Funny

    I always avoided working for the local spam company,

    - (Has spam in his signature.)

    Righhhhhttttt.

  13. I can only guess who'll get fired next... by Mysticalfruit · · Score: 4, Interesting

    I hope this story is true, but my bullshit alarm is going off slightly. So when you didn't get a response to your text... you simply did nothing and waited to fire two of the best pen testers in the world? Sorry, sounds fishy, but moving on...

    If it did go down this way, something tells me when the upper-upper management gets wind of how poorly this piece of asshattery was executed, this executive will be told politely to GTFO. The bad press alone will likely be this clown's undoing. The angry masses will demand a sacrifice and one they shall have.

    --
    Yes Francis, the world has gone crazy.
    1. Re:I can only guess who'll get fired next... by meerling · · Score: 4, Interesting

      Actually that sounds pretty standard for a lot of execs out there.

      You have no idea how many support calls I took from crying secretaries because their boss told them to have it fixed today or they were fired. That's pretty rough, but it gets worse. The executive douche has the box locked, hasn't told the secretary what the password is, and can't be reached or won't answer the phone.

      I'd get about 2 or 3 of those calls a month on the corporate support lines. I could do some pretty fantastic things over the phone with people that are marginally competent, but if they can't access the machine due to locks or passwords, there's nothing I can (legally) do about it. (When on a support call, even if you know a grey area way around the access issue, you don't even mention it. If they think of it on their own and do it, that's not your problem. Specifically where one company had to break down the door to the server room to get in and fix the server because the boss was out of the state on a 2 week vacation and took the only key with him.)

    2. Re:I can only guess who'll get fired next... by Afty0r · · Score: 2

      They have these people called locksmiths. Apparently they are really good at picking locks or making keys to get through locks. Crazy I know. Much easier to physically break a door down.

      I can see you have never worked in a large company on a Monday morning when there is a problem. One where the suggestion alone is enough to cause some "oohs" and "ummms" among people. When you query them what the noises are for, no-one is aware of which colleague would be the right one to sign off on such a purchase order. So it takes about 6 hours, but eventually someone finds an old print out of the regulations about circumventing access to buildings out of hours, and thinks it applies, and discovers who to contact. The next morning that contact gets back to you, and following a few phone calls and an email chain in the afternoon they finally agree a locksmith is appropriate in an email. You're then able to send the email to Purchasing from whom you get back a form email saying that they are busy and will respond ASAP. Phone calls to Purchasing are ignored because they are busy.

      So now it's Tuesday evening, and time to go home. Wednesday you hear nothing from them, but finally on Thursday Purchasing get back to you before lunch and authorise your request. You cannot use just any locksmith though, you *MUST* use a locksmith from the AUTHORISED SUPPLIER LIST, which they duly send you. The nearest locksmith on the list is a 3 hour drive away, too late to get to the office before 5pm, so you reluctantly tell him to come tomorrow (Friday) but he is already booked and cannot do it before Monday. He has the contact details of three other locksmiths who could do it, but none are on the authorised supplier list. So you go back to the list, phone another one further away and they agree to come out on Saturday morning.

      Fast forward to Saturday morning, you come into the office at 9am on your day off, the wife and kids are seething, and at 9.30 the guy isn't there. The office doesn't pick up the phone because the office is closed weekends and his cell number doesn't work. After waiting until midday you assume that he isn't coming and go home.

      It's now Monday morning at 9.15 and you're on hold waiting to talk to the THIRD and final supplier on the authorised supplier list when your boss walks in back from his week off. With the key.

      Now do you understand why breaking the door down is going to be preferable in most larger businesses?

  14. Re:At-Will Employment by CrankyFool · · Score: 2

    I know a ton of Engineering Directors in tech companies in the Bay Area. It ain't no thing, and literally none of the ones I know have a special contract that exempts them from at-will employment.

  15. Dumb-Ass SalesForce by brennz · · Score: 2

    It isn't like there are enough great pentesters around to satisfy market demand, and we don't run around with all wireless devices active while there. Defcon can be a hostile area.

    No doubt they are high-talent folks; they'll be offered 100 jobs before leaving Defcon, all at a substantial increase.

  16. Re:Text Message??!?! by suutar · · Score: 2

    then do both. Send the message and follow up with a phone call to verify that it was received. Proof of sending is not proof of receipt.

  17. Re:Run up the mini bar bill and bill some table ti by Grishnakh · · Score: 3, Insightful

    How is it fraud? The company can't just fire them on the spot and expect them to pay their own hotel bills and return airfare; by sending them on *company-approved* travel, the company is responsible for all their travel bills. That includes any extra hotel charges and airline fees.

    Now the problem is if they have to get reimbursement from the company for travel costs, or if they have a company credit card that the company pays. If the former, it's not worth it because it'll be too hard getting the company to reimburse, and would probably require suing them, which certainly won't be worth it. If it's the latter, then the company would have to try suing them, which of course isn't worth it for a few hundred $$$. There's no fraud; all those expenses are justifiable travel expenses. (I'm not so sure about "table time" though, I'm really only talking about room charges, extra-baggage fees on the return flight, etc.)

  18. Re:Text Message??!?! by slashrio · · Score: 2

    Wrong, learn to read.
    They were told the company decided not to publish the code, but they announced they'd fight with the company to publish it anyway.
    Nothing wrong with any of that.

    --
    "Trump!!", the new Godwin.
  19. Re:Run up the mini bar bill and bill some table ti by Obfuscant · · Score: 4, Insightful

    by sending them on *company-approved* travel, the company is responsible for all their travel bills. That includes any extra hotel charges and airline fees.

    You must have never traveled for any company ever in your lifetime. "All" is a very inappropriate word here. Try "per-diem". Try making unjustifiable changes to your itinerary and getting the company to pay for the change fee. Nope. Try checking a couple extra bags to carry all the stuff you bought while on that trip -- same "nope" for those fees. Order a couple rounds of room service for all your buddies, nope, not covered, nor is getting a suite when you had a single booked.

    and would probably require suing them, which certainly won't be worth it.

    Because they'd lose. "Hookers and blow" on the hotel bill are not legitimate travel expenses, nor would a $1000 dinner be. And $300 on the mini-bar bill? Ha.

    There's no fraud; all those expenses are justifiable travel expenses.

    Now I know you've never traveled for a company. "Run up the mini bar bill and bill some table time as well..." Anything over the authorized per-diem rate is on their own dime and deliberately trying to charge it to the company is fraud, even if you consider it "justifiable travel expenses". Whatever you "bill" for gambling is never a justifiable expense.

    (I'm not so sure about "table time" though,

    Which is it, ALL or maybe not so much? Is all you are actually claiming now that the original travel expenses are all you are referring to, and you didn't mean to join the discussion to defend the act of running up the bills and billing for extraneous stuff?

  20. Re:Run up the mini bar bill and bill some table ti by 93+Escort+Wagon · · Score: 4, Informative

    But he still was in Texas, which is far preferable to the overpriced shithole that is Silicon Valley.

    It seems you've never been to Texas.

    --
    #DeleteChrome
  21. Re:Run up the mini bar bill and bill some table ti by Grishnakh · · Score: 2

    You must have never traveled for any company ever in your lifetime.

    I've done a lot of traveling for an engineer that doesn't work in sales. Things varied by company; some companies gave me a company credit card and didn't question things (but I didn't run up unreasonable expenses either), others gave me a credit card but made me submit an expense report afterwards, others I had to buy stuff on my own and then submit an expense report to get reimbursed.

    Try making unjustifiable changes to your itinerary and getting the company to pay for the change fee. Nope. Try checking a couple extra bags to carry all the stuff you bought while on that trip -- same "nope" for those fees. Order a couple rounds of room service for all your buddies, nope, not covered, nor is getting a suite when you had a single booked.

    Yes, it'll all be covered if you're paying on a company credit card. No, it won't be covered if you have to get reimbursed. I wrote this in my prior message. If you abuse the privilege, you'll lose your company card, or even get fired, but these guys were already fired, and they presumably still had their company cards (again, if it's not the kind of company that makes you buy stuff yourself and get reimbursed; usually it's just tiny companies that go that route).

    Because they'd lose. "Hookers and blow" on the hotel bill are not legitimate travel expenses, nor would a $1000 dinner be. And $300 on the mini-bar bill? Ha.

    "Hookers and blow" is excessive, I'm really talking about a few hundred or so in charges. Yes, they WILL be covered, because the company has to pay the credit card. When employees do stuff like this, they get reprimanded, have to pay it back, or get fired. These guys are already fired. They can do what they want; what is the company going to do, double-fire them? They can sue them, but it'll cost the company a lot more in legal fees and lawyer time than they'll get back for $1000 of charges or less.

    Now I know you've never traveled for a company.

    No, you have no idea what the fuck you're talking about. Per-diem rate? WTF is that? I've traveled for only a couple of places that had such a thing; usually it's government-related stuff that has such a thing. No, it's not "fraud" to charge stuff to your company's expense account that's exorbitant, like a ridiculously fancy dinner or room service, it's just abuse that the company can deal with on its own. Good luck getting the DA to prosecute someone for charging a $250 dinner to their company credit card; that's the stupidest thing I've read all day.

  22. Expected Outcome by Anonymous Coward · · Score: 2, Interesting

    The Executive VP / CISO (Jim Alkove) fired the employees shortly after they walked off stage, and several of us heard bits of that conversation.

    After removing every senior leader from the previous organization, he brought dozens of Microsoft VPs and managers to Salesforce. From what I understand, the company used to have one of the top security teams in the industry, but 80% of their security leaders and top talent left in the last 6 months. If their CEO doesn't get involved, the despotic culture will prevail and sadly whatever talent is left will flock to other companies.

    This is how he works. This is the reason he was invited to leave Nest.

  23. Re:Text Message??!?! by phantomfive · · Score: 2

    When it comes between "giving a talk at DEFCON" and "keeping your job at Salesforce," for a penetration tester the former is a much better career choice.

    --
    "First they came for the slanderers and i said nothing."