
Salesforce Fires Red Team Staffers Who Gave Defcon Talk (zdnet.com) 154

Josh Schwartz, Salesforce's director of offensive security, and John Cramb, a senior offensive security engineer, have been fired by the company after they gave a talk at the Defcon security conference in Las Vegas last month, reports ZDNet. Schwartz and Cramb were presenting the details of their tool, called Meatpistol, a "modular malware implant framework (PDF)" similar in intent to the Metasploit toolkit used by many penetration testers. The tool, "pitched as taking 'the boring work' out of pen-testing to make red teams, including at Salesforce, more efficient and effective", was anticipated to be released as open source at the time of the presentation, but Salesforce has held back the code. From the report: [...] The two were fired "as soon as they got off stage" by a senior Salesforce executive, according to one of several people who witnessed the firing and offered their accounts. The unnamed Salesforce executive is said to have sent a text message to the duo half an hour before they were expected on stage not to give the talk, but the message wasn't seen until after the talk had ended. The talk had been months in the making. Salesforce executives were first made aware of the project in a February meeting, and they had signed off on the project, according to one person with knowledge of the meeting. The tool was expected to be released later as an open-source project, allowing other red teams to use the project in their own companies. But in another text message seen by Schwartz and Cramb an hour before their talk, the same Salesforce executive told the speakers that they should not announce the public release of the code, despite a publicized and widely anticipated release. Later, on stage, Schwartz told attendees that he would fight to get the tool published.

  • by Anonymous Coward on Thursday August 10, 2017 @03:26PM (#54985381)

    The unnamed Salesforce executive is said to have sent a text message to the duo half an hour before they were expected on stage not to give the talk, but the message wasn't seen until after the talk had ended.

    Of course it wasn't seen. You don't carry anything electronic at Defcon. That executive is an idiot.

  • by Anonymous Coward on Thursday August 10, 2017 @03:39PM (#54985491)

    Since they announced on stage that they would 'fight' to get it published, they clearly knew that they had been told not to make the announcement. Kind of hard to play the 'but I didn't know' angle at that point.

  • by Junta ( 36770 ) on Thursday August 10, 2017 @03:44PM (#54985559)

    Well, at least around here, if I give them two weeks notice, then I'll give them two weeks of my time.

    If they lay me off, they will give me 6 months of pay.

    I don't mind being kicked out of the building, I care about my pay.

  • by mysidia ( 191772 ) on Thursday August 10, 2017 @03:51PM (#54985657)

    Of course it wasn't seen. You don't carry anything electronic at Defcon. That executive is an idiot.

    Agreed. Signing off on it by the executive is fait accompli. Withdrawing permission the day of a conference is Not an option. The executive should be fired. Josh Schwartz and John Cramb should be reinstated AND publicly apologized to, AND each awarded a huge bonus for that bullshit.

  • by Sebby ( 238625 ) on Thursday August 10, 2017 @04:00PM (#54985743) Journal

    Where was the exec 1/2 hour or the hour before the end of the talk so that he could properly warn them not to give the talk?

    If you ask me, it's the exec that needs to be fired.

  • by bigdady92 ( 635263 ) on Thursday August 10, 2017 @04:25PM (#54986007) Homepage

    "Schwartz and Cramb are now being represented by the Electronic Frontier Foundation."

    All the more reason to send them your dollars so they can sue the shit out of Salesforce for their asstastical support of engineering.

  • by Grishnakh ( 216268 ) on Thursday August 10, 2017 @05:21PM (#54986531)

    How is it fraud? The company can't just fire them on the spot and expect them to pay their own hotel bills and return airfare; by sending them on *company-approved* travel, the company is responsible for all their travel bills. That includes any extra hotel charges and airline fees.

    Now the problem is if they have to get reimbursement from the company for travel costs, or if they have a company credit card that the company pays. If the former, it's not worth it because it'll be too hard getting the company to reimburse, and would probably require suing them, which certainly won't be worth it. If it's the latter, then the company would have to try suing them, which of course isn't worth it for a few hundred $$$. There's no fraud; all those expenses are justifiable travel expenses. (I'm not so sure about "table time" though, I'm really only talking about room charges, extra-baggage fees on the return flight, etc.)

  • by Obfuscant ( 592200 ) on Thursday August 10, 2017 @06:11PM (#54986813)

    by sending them on *company-approved* travel, the company is responsible for all their travel bills. That includes any extra hotel charges and airline fees.

    You must have never traveled for any company ever in your lifetime. "All" is a very inappropriate word here. Try "per-diem". Try making unjustifiable changes to your itinerary and getting the company to pay for the change fee. Nope. Try checking a couple extra bags to carry all the stuff you bought while on that trip -- same "nope" for those fees. Order a couple rounds of room service for all your buddies, nope, not covered, nor is getting a suite when you had a single booked.

    and would probably require suing them, which certainly won't be worth it.

    Because they'd lose. "Hookers and blow" on the hotel bill are not legitimate travel expenses, nor would a $1000 dinner be. And $300 on the mini-bar bill? Ha.

    There's no fraud; all those expenses are justifiable travel expenses.

    Now I know you've never traveled for a company. "Run up the mini bar bill and bill some table time as well..." Anything over the authorized per-diem rate is on their own dime and deliberately trying to charge it to the company is fraud, even if you consider it "justifiable travel expenses". Whatever you "bill" for gambling is never a justifiable expense.

    (I'm not so sure about "table time" though,

    Which is it, ALL or maybe not so much? Are all you actually claiming now is that the original travel expenses are all you are referring to and you didn't mean to join the discussion to defend the act of running up the bills and billing for extraneous stuff?
