
Salesforce Fires Red Team Staffers Who Gave Defcon Talk (zdnet.com)

Josh Schwartz, Salesforce's director of offensive security, and John Cramb, a senior offensive security engineer, have been fired by the company after they gave a talk at the Defcon security conference in Las Vegas last month, reports ZDNet. Schwartz and Cramb were presenting the details of their tool, called Meatpistol, a "modular malware implant framework (PDF)" similar in intent to the Metasploit toolkit used by many penetration testers. The tool, "pitched as taking 'the boring work' out of pen-testing to make red teams, including at Salesforce, more efficient and effective", was expected to be released as open source at the time of the presentation, but Salesforce has held back the code. From the report: [...] The two were fired "as soon as they got off stage" by a senior Salesforce executive, according to one of several people who witnessed the firing and offered their accounts. The unnamed Salesforce executive is said to have sent a text message to the duo half an hour before they were expected on stage telling them not to give the talk, but the message wasn't seen until after the talk had ended. The talk had been months in the making. Salesforce executives were first made aware of the project in a February meeting, and they had signed off on the project, according to one person with knowledge of the meeting. The tool was expected to be released later as an open-source project, allowing other red teams to use the project in their own companies. But in another text message seen by Schwartz and Cramb an hour before their talk, the same Salesforce executive told the speakers that they should not announce the public release of the code, despite a publicized and widely anticipated release. Later, on stage, Schwartz told attendees that he would fight to get the tool published.
  • Run up the mini bar bill and bill some table time as well. They don't work there any more, so TS!

    • by bws111 ( 1216812 ) on Thursday August 10, 2017 @02:40PM (#54985505)

      So are you suggesting they waste their own money (now that they are jobless), or that they commit fraud and wind up arrested in addition to being jobless?

      • by Grishnakh ( 216268 ) on Thursday August 10, 2017 @04:21PM (#54986531)

        How is it fraud? The company can't just fire them on the spot and expect them to pay their own hotel bills and return airfare; by sending them on *company-approved* travel, the company is responsible for all their travel bills. That includes any extra hotel charges and airline fees.

        Now the problem is if they have to get reimbursement from the company for travel costs, or if they have a company credit card that the company pays. If the former, it's not worth it because it'll be too hard getting the company to reimburse, and would probably require suing them, which certainly won't be worth it. If it's the latter, then the company would have to try suing them, which of course isn't worth it for a few hundred $$$. There's no fraud; all those expenses are justifiable travel expenses. (I'm not so sure about "table time" though, I'm really only talking about room charges, extra-baggage fees on the return flight, etc.)

        • The company can't just fire them on the spot and expect them to pay their own hotel bills and return airfare; by sending them on *company-approved* travel, the company is responsible for all their travel bills.

          The video game company that I worked for prior to the dot com bust promoted a video game tester to assistant producer, sent him to the Texas studio to live and work, and then closed the studio two weeks later. When the guy requested money to move back to California, he was told to get lost. Last I heard he was still in Texas.

          • This should be a good lesson in moving for a job. As soon as a company doesn't need you any more, that's it, unless they happen to be really nice and give you a severance. So if you're being moved on a company's dime, make sure it's 1) a place you want to go, and 2) you're not going to be up shit-creek if the job dries up (i.e., don't let a company move you to someplace where there's zero jobs for you if things go south). These situations are great if you wanted to move to that place anyway, since moving

        • by Obfuscant ( 592200 ) on Thursday August 10, 2017 @05:11PM (#54986813)

          by sending them on *company-approved* travel, the company is responsible for all their travel bills. That includes any extra hotel charges and airline fees.

          You must have never traveled for any company ever in your lifetime. "All" is a very inappropriate word here. Try "per-diem". Try making unjustifiable changes to your itinerary and getting the company to pay for the change fee. Nope. Try checking a couple extra bags to carry all the stuff you bought while on that trip -- same "nope" for those fees. Order a couple rounds of room service for all your buddies, nope, not covered, nor is getting a suite when you had a single booked.

          and would probably require suing them, which certainly won't be worth it.

          Because they'd lose. "Hookers and blow" on the hotel bill are not legitimate travel expenses, nor would a $1000 dinner be. And $300 on the mini-bar bill? Ha.

          There's no fraud; all those expenses are justifiable travel expenses.

          Now I know you've never traveled for a company. "Run up the mini bar bill and bill some table time as well..." Anything over the authorized per-diem rate is on their own dime and deliberately trying to charge it to the company is fraud, even if you consider it "justifiable travel expenses". Whatever you "bill" for gambling is never a justifiable expense.

          (I'm not so sure about "table time" though,

          Which is it, ALL or maybe not so much? Is all you are actually claiming now that the original travel expenses are all you are referring to, and you didn't mean to join the discussion to defend the act of running up the bills and billing for extraneous stuff?

          • You must have never traveled for any company ever in your lifetime.

            I've done a lot of traveling for an engineer that doesn't work in sales. Things varied by company; some companies gave me a company credit card and didn't question things (but I didn't run up unreasonable expenses either), others gave me a credit card but made me submit an expense report afterwards, others I had to buy stuff on my own and then submit an expense report to get reimbursed.

            Try making unjustifiable changes to your itinerary and

            • Yes, it'll all be covered if you're paying on a company credit card.

              Try charging $1000 of hookers and blow on the company credit card and see how much is covered. "All" is a very wrong word to be using.

              "Hookers and blow" is excessive, I'm really talking about a few hundred or so in charges.

              This whole discussion started when you defended the act of running up the bill to get back at the employer who fired them. We're not talking about reasonable travel expenses when you talk about running up the bill. A few hundred or so dollars in run-up charges won't be covered by any sane travel department.

              Yes, they WILL be covered, because the company has to pay the credit card.

              You've never contested a charge, have you? But even if the company pa

              • by bws111 ( 1216812 )

                Well put. How dumb do you have to be to think that corporate accounting departments and credit card companies don't have all kinds of policies and procedures for dealing with crap like this? And none of them end up with the (ex) employee getting away with it.

            • by bws111 ( 1216812 )

              No, the company most certainly does NOT 'have to pay the credit card'. Merely possessing a card does NOT give one the authorization to use it. The moment they were fired they lost their authorization to use the card, and using the card from that point on is no different than using a stolen card. Even if still an active employee the card is only to be used for authorized expenses, and any other use is unauthorized use of the card. The company will then dispute the charges as fraudulent when they get the

          • Most of my employers have rubber-stamped most travel expenses -- $50 steaks, ample booze. Managers renting SUVs. I routinely average half what co-workers expense.

            A former co-worker told me of his time working for a Taiwan-based tech company. They were expected to pay *all* of their own travel expenses. I would have thought that illegal in the US, but when I looked it up it doesn't seem like it is. Most companies do pay, but it stunned me that it isn't apparently required by law.

            In 1992 a guy who had wo

            • A former co-worker told me of his time working for a Taiwan-based tech company. They were expected to pay *all* of their own travel expenses. I would have thought that illegal in the US, but when I looked it up it doesn't seem like it is. Most companies do pay, but it stunned me that it isn't apparently required by law.

              No, why would it be? But why on Earth would anyone work for such a company in the first place? The whole point of companies paying for employee travel is to get them to do it: presumably the

              • Why would it be? Same reasons as unpaid overtime, it's basically theft from the employee.

                Why would anyone work for such a company? Lack of better choices perhaps, and cultural familiarity with hierarchy. This company wasn't paying my associate particularly well, and he differed ethnically from them.

                Everything you write is completely true.

                • Why would it be? Same reasons as unpaid overtime, it's basically theft from the employee.

                  Sorry, no such thing as "unpaid overtime" with a salaried position (assuming of course this is a salaried position in question, but I suspect it is). I've gone on travel many times as a salaried employee; I don't get any bonus for it taking 24 hours/day instead of just 8. But I do get to have a nice, fancy meal on the company's dime, stay in a nice hotel with a pool, and frequently take a trip in a nice city that othe

        • Even when I've left jobs (I've never been fired in these circumstances), I had no issue with getting expenses paid. Sure if the company is bankrupt or something. Somebody will figure out the most economic way to end their trip and get them home, they will file expense reports for outstanding expenses, and everybody will move on. Companies this size aren't interested in vendettas over small amounts of money.
          • Yes, exactly my point. Now if you charge up thousands for Vegas chips, that's probably a different matter. Charging a $100 meal isn't worth squabbling over for a company that size.

  • by Anonymous Coward on Thursday August 10, 2017 @02:26PM (#54985381)

    The unnamed Salesforce executive is said to have sent a text message to the duo half an hour before they were expected on stage to not to give the talk, but the message wasn't seen until after the talk had ended.

    Of course it wasn't seen. You don't carry anything electronic at Defcon. That executive is an idiot.

    • by Anonymous Coward

      That executive is an idiot.

      Aren't they all?

      • by zifn4b ( 1040588 ) on Thursday August 10, 2017 @02:49PM (#54985629)

        That executive is an idiot.

        Aren't they all?

        Of course not, they have mad visionary skills, they gots the gap performance evaluations and the stretch goals. You are all not l33t compared to them. You are too stupid to get it.

        • they have mad visionary skills...

          and yet he didn't see that coming.

        • by r0kk3rz ( 825106 )

          That executive is an idiot.

          Aren't they all?

          Of course not, they have mad visionary skills, they gots the gap performance evaluations and the stretch goals. You are all not l33t compared to them. You are too stupid to get it.

          I have been wondering whether or not it's actually due to their level of expertise being the optimal point on the Dunning-Kruger curve.

          True expertise takes a long time to gain, and if you're on the downward slope you realise how much you don't know and delay making decisions. Executives need to be confident making decisions with incomplete information, and to do that effectively they need to be at the Dunning-Kruger peak.

    • by mysidia ( 191772 ) on Thursday August 10, 2017 @02:51PM (#54985657)

      Of course it wasn't seen. You don't carry anything electronic at Defcon. That executive is an idiot.

      Agreed. Signing off on it by the executive is a fait accompli. Withdrawing permission the day of a conference is Not an option. The executive should be fired. Josh Schwartz and John Cramb should be reinstated AND publicly apologized to, AND each awarded a huge bonus for that bullshit.

      • They definitely should sue, since they were apparently originally given permission. (Upon reading only the headline, I had expected them to not have even gotten permission. IF that were true, which it wasn't, then of course they should have been fired (in this hypothetical situation).)

      • Re: (Score:2, Interesting)

        by avandesande ( 143899 )
        You are just speculating. They might have admitted to having read the message and decided to go along with the talk anyway.
      • I don't think they will have trouble finding jobs. If anything, after this, their market demand just went way up!
    • If you don't carry electronics, then how do you hack other people?
    • by Anonymous Coward

      I can't recall anyone at Defcon that wasn't carrying around electronics. Nearly everyone had their phones on them, albeit with Bluetooth, WiFi, and location disabled. There are always the hyper-paranoid that bring burner phones, but having no phone at all would make it extremely challenging to coordinate activities with other people.

      • ...but having no phone at all would make it extremely challenging to coordinate activities with other people.

        Goodness, how did we EVER do it in the past decades before the advent of the cell phone and even the pager.....

        [rolls eyes]

        I guess absolutely NOTHING ever got done, nor coordinated between people and groups....nothing.

        • by suutar ( 1860506 )

          before the advent of the cellphone we coordinated with people who didn't have cell phones and didn't expect the corresponding level of responsiveness. Nowadays if you don't have a cellphone, you may have the same absolute level of responsiveness but it's significantly below average.

          • by Anonymous Coward

            That's the main reason I don't own a phone.

            They can be a useful tool (would have been nice a couple of times in the last year to have one) but once you get one other people expect you to be available whenever THEY want, not whenever YOU want.

            Not on my dime.

            • A cell phone you don't need to refill every month, but that stays active for maybe $1 a month, just to leave in your car's glove box and recharge every month or two. That's the dream.
              • A cell phone you don't need to refill every month, but that stays active for maybe $1 a month, just to leave in your car's glove box and recharge every month or two. That's the dream.

                That's achievable in countries outside North America. I lived in New Zealand until a few years ago, and much prefer their cell plans to what I see in Canada. In NZ I could put $10 on a pay-as-you-go phone (I was using Vodafone), and that $10 was active for 1 year. Put on to a Nokia 1101 (I know, laugh away), which lasted a month on a charge if no calls were made, and it was great for emergencies.

                Here in Canada pay-as-you-go recharges seem to be valid for a maximum of 30 - 60 days (depending on how much

      • Still, it is not uncommon not to read a message immediately. For example, when you are talking with other people at the time; reading it would be impolite and show how little you care about other people. In addition, using an asynchronous communication channel with limited message length to govern any structure is ludicrous. Only idiots would do so.

  • by alvinrod ( 889928 ) on Thursday August 10, 2017 @02:27PM (#54985383)
    I think we've missed an opportunity for a much better headline: "Meatpistol killed by meatheads".

    Also, for some reason Meatpistol sounds like a good name for a metal album, or maybe even the band.
  • Good luck (Score:5, Funny)

    by Anonymous Coward on Thursday August 10, 2017 @02:30PM (#54985407)

    Shitting on everyone at defcon and then firing your lead security engineers.

  • I always avoided working for the local spam company, ExactTarget. I kind of regretted that after they were acquired by Salesforce, but I guess I dodged a bullet. This is going to make many people think twice.
  • Who is the exec? (Score:4, Informative)

    by AnthonywC ( 4415891 ) on Thursday August 10, 2017 @02:47PM (#54985611)
    Let's go for some Streisand effect and expose him.
  • Someone needed to be fired for that horrible slide deck. The Exec was probably just offended by their lack of PowerpointFu.
  • by Sebby ( 238625 ) on Thursday August 10, 2017 @03:00PM (#54985743)

    Where was the exec 1/2 hour or the hour before the end of the talk so that he could properly warn them not to give the talk?

    If you ask me, it's the exec that needs to be fired.

  • by bigdady92 ( 635263 ) on Thursday August 10, 2017 @03:25PM (#54986007) Homepage
    "Schwartz and Cramb are now being represented by the Electronic Frontier Foundation."

    All the more reason to send them your dollars so they can sue the shit out of Salesforce for their asstastical support of engineering.
    • So much for Salesforce Ohana.

      Earlier this year they contacted me and were real hot to bring me on board. Said they could get over their initial demand for me to relocate, did multiple web interviews, said they wanted me to go to SF to interview in person. Then they didn't schedule that, and eventually came back saying relocation was required. Even though there was a local-ish office I could have made it to at least once a week.

      Rep for an awesome place to work. Wonder if that's progressively becoming a thin

  • by Mysticalfruit ( 533341 ) on Thursday August 10, 2017 @03:42PM (#54986185) Homepage Journal
    I hope this story is true, but my bullshit alarm is going off slightly. So when you didn't get a response to your text... you simply did nothing and waited to fire two of the best pen testers in the world? Sorry, sounds fishy, but moving on...

    If it did go down this way, something tells me when the upper-upper management gets wind of how poorly this piece of asshattery was executed, this executive will be told politely to GTFO. The bad press alone will likely be this clown's undoing. The angry masses will demand a sacrifice and one they shall have.
    • by meerling ( 1487879 ) on Thursday August 10, 2017 @05:21PM (#54986883)
      Actually that sounds pretty standard for a lot of execs out there.

      You have no idea how many support calls I took from crying secretaries because their boss told them to have it fixed today or they were fired. That's pretty rough, but it gets worse. The executive douche has the box locked, hasn't told the secretary what the password is, and can't be reached or won't answer the phone.

      I'd get about 2 or 3 of those calls a month on the corporate support lines. I could do some pretty fantastic things over the phone with people that are marginally competent, but if they can't access the machine due to locks or passwords, there's nothing I can (legally) do about it. (When on a support call, even if you know a grey area way around the access issue, you don't even mention it. If they think of it on their own and do it, that's not your problem. Specifically where one company had to break down the door to the server room to get in and fix the server because the boss was out of the state on a 2 week vacation and took the only key with him.)
      • They have these people called locksmiths. Apparently they are really good at picking locks or making keys to get through locks.

        Crazy I know. Much easier to physically break a door down.

        • by Afty0r ( 263037 )

          They have these people called locksmiths. Apparently they are really good at picking locks or making keys to get through locks. Crazy I know. Much easier to physically break a door down.

          I can see you have never worked in a large company on a Monday morning when there is a problem. One where the suggestion alone is enough to cause some "oohs" and "ummms" among people. When you ask them what the noises are for, no-one is aware of which colleague would be the right one to sign off on such a purchase order.

    • My best guess is that some middle manager signed off on it, but then had second thoughts and wanted to "monetize" it (read: sell it) with delusions of becoming the next Rapid7 or something. The authors protested because they wanted to release Meatpistol to the community and do their presentation. Butthurt manager fired them in retaliation, probably not knowing what sort of shit show he was starting.
    • That would certainly be a rational response. From executives. Rational executives, if you will.

  • by brennz ( 715237 ) on Thursday August 10, 2017 @03:53PM (#54986325)

    It isn't like there are enough great pentesters around to satisfy market demand, and we don't run around with all wireless devices active while there. Defcon can be a hostile area.

    No doubt they are high-talent folks; they'll be offered 100 jobs before leaving Defcon, all at a substantial increase.

  • This is the perfect sort of news /. should have posted the day of or even after the incident. Not "last month."

    And how about an interview and or posting questions to them and the EFF about the incident.

  • Expected Outcome (Score:2, Interesting)

    by Anonymous Coward

    The Executive VP / CISO (Jim Alkove) fired the employees shortly after they walked off stage, and several of us heard bits of that conversation.

    After removing every senior leader from the previous organization, he brought dozens of Microsoft VPs and managers to Salesforce. From what I understand, the company used to have one of the top security teams in the industry, but 80% of their security leaders and top talent left in the last 6 months. If their CEO doesn't get involved, the despotic culture will preva
