Salesforce sacks two top security engineers for their DEF CON talk

Salesforce fired two of its senior security engineers after they revealed details of an internal tool for testing IT defenses at DEF CON last month. Josh Schwartz, director of offensive security, and John Cramb, a senior offensive security engineer based in Australia, were sacked by a senior Salesforce executive minutes after …

  1. Anonymous Coward
    Anonymous Coward

    Shoot the Messengers.

    1. Sorry that handle is already taken. Silver badge

      WITH THE meatpistol

      1. Rob Isrob

        That's what she said . . .

        Bada-bing... Meanwhile, Google Trumpets: "You're fired!"

    2. Destroy All Monsters Silver badge

      There is not even a Message.

      What can one conclude about a company that behaves like that about employees who care?

      1. Doctor Syntax Silver badge

        "What can one conclude about a company that behaves like that about employees who care?"

        The conclusion is the message. Of course it's a message the execs who sign the POs won't get.

      2. FuzzyWuzzys Silver badge

        "What can one conclude about a company that behaves like that about employees who care?"

        Unless I've misunderstood the story, Salesforce owned the code and therefore no employee is allowed to disclose or distribute the company's property without permission. Almost all companies have that in place, I know that everything I write for my company is owned by them and I'm not allowed to use it. Obviously no one ever does stick to the rule of law, we all backup our code and take it from job to job we simply rework bits of it rather than the entire product.

        I think this could have been handled better, the CEO should have spoken to the researchers directly and warned them not to go ahead. It sounds like a text message was used to ensure they wouldn't see it in time and ensure they could be fired, all sounds like a set up to me.

        1. Anonymous Coward
          Anonymous Coward

          we all backup our code and take it from job to job

          All? I never did it. Not everybody pretends to be ethical when they are not. Also, in code reviews, I do look for code with suspicious origins, because I don't want troubles.

          1. SomeoneInDelaware

            Re: we all backup our code and take it from job to job

            Never did it -- I didn't want to go to Leavenworth!

        2. Yet Another Anonymous coward Silver badge

          Unless "based on the ... open source metasploit" means derived work and it really should have been released.

          But this is basically a hiring stunt for these two guys who are now in demand freelance pen testers

        3. Mad Hacker

          Apparently it had been signed off on being released as open source

          So you think if you develop open source code you can't talk about it?

        4. TheVogon Silver badge

          "Salesforce owned the code and therefore no employee is allowed disclose or distribute the company's property without permission"

          Sure but I don't think *talking about* something your company has / does would normally be a problem. Unless something has been specifically flagged as a trade secret I can't see how they are in the wrong.

          1. Ian Michael Gumby Silver badge

            @TheVogon

            If you walk away with anything and reuse the code you are on thin ice regardless of whether it's a trade secret. In fact, the company could call pretty much a ham sandwich a trade secret and have grounds to sue you into oblivion if they wanted. (You got caught walking away with their code.)

            The developers aren't in the wrong unless the company can show that they disregarded the text message prior to their talk. Remember the company did give prior approval of the talk before they left for the conference which means that they had reviewed and approved the content.

            1. LaeMing Bronze badge
              Boffin

              Re: @TheVogon

              I would never back up my company's work! That is the company's responsibility (which they do, provided I don't keep important stuff on my local PC, which - of course - I don't, because I read the IT policies!).

        5. Roland6 Silver badge

          "Salesforce owned the code and therefore no employee is allowed disclose or distribute the company's property without permission."

          From the article, this was a presentation about MEATPISTOL not a disclosure and/or distribution of the code that forms MEATPISTOL.

          So having looked through the slide deck which reveals no real design details about MEATPISTOL, it would seem that senior executives at SalesForce had a last minute change of heart and didn't want the existence of MEATPISTOL be to publicly known; at the present time; unless they only got to know about the presentation at the last minute...

          A decision left to the last minute that obviously wasn't that important as no steps were taken to ensure the intended recipient(s) of the text actually received the text before they went on stage...

          Finally, I note one of the employees job title includes the word 'director' - in the UK that is a legally significant word to have in your job title.

          1. missingegg

            not significant in the USA

            In the United States, "Director" is a title commonly assigned to middle managers, and is used to indicate you have significant responsibility, but are less senior than a Vice President. It is not a legally significant title.

        6. Ian Michael Gumby Silver badge
          Mushroom

          @FuzzyWuzzy? Put down that crack pipe son, it's rotting your brain.

          I guess you don't bother to read or pay attention to some of the news stories... Stop me if you've heard this one... There's this company called Waymo that was recently purchased by Uber...

          There are more stories like that where a programmer who worked for a trading company got jail time for stealing proprietary code he wrote when he went to work for another company.

          The point is that as an employee, your work is owned by the company and you have no rights to the work unless the company expressly grants you rights to them.

          You want to work on an Apache project? When you submit code, you are agreeing to indemnify Apache if they get sued and you are explicitly claiming ownership of the work so that you can grant Apache license to use it.

          Salesforce is in trouble and can be sued for the termination.

          The issue is that they first approved the presentation. They then attempted to cancel it before they were to present. If the claim that they didn't see or get the text before the presentation started, is true, then they shouldn't be fired because they were unaware that the presentation had been rescinded.

          If the company can prove that they saw the text and said 'oh fsck it', then they would have been right to terminate.

          I'll wager that the company will give them a hefty severance settlement to quiet things down.

          BTW, if you take your code with you... you are breaking the law and you can be sued. Even if you win the lawsuit, it will still cost you massive amounts of money and could get you terminated from your current job.

        7. Cyberspy
          FAIL

          Yes, you misunderstood the story

          "Unless I've misunderstood the story, Salesforce owned the code and therefore no employee is allowed disclose or distribute the company's property without permission."

          Correct, except when this has been signed off months before.

          And, they weren't sacked (so it seems) for actually sharing the code - that will come later. They were sacked for giving the presentation.

          The Exec text messaged them 30 mins before the presentation - at a time where their phones were likely already switched off (also remember, this is DEFCON - many people turn their phones off all the time there. It's a good chance you'll be hacked otherwise!), and then used the fact they had given the presentation as an excuse to fire them.

          Quite shockingly bad management from a Salesforce Exec - which I predict we will hear more about over the next few weeks, possibly including the sacking of the said Exec.

  2. J J Carter Silver badge
    Childcatcher

    Oh, matron!

    Fnar, fnar! He said 'MEATPISTOL'!

    1. SuccessCase

      Re: Oh, matron!

      They say the name comes from an anagram, but surely, surely it has to be a joke on the fact it is used for penetration testing. Surely.

      1. This post has been deleted by its author

  3. Mark 85 Silver badge

    Hold on a second....

    So they tweeted and then pulled the tweet under pressure from management???? If they were canned, then they don't have any management, only "former management". Was the firing rescinded or maybe employment is being re-negotiated?

    1. highdiver_2000

      Re: Hold on a second....

      Their pay checks have not cleared. Yet

      1. Anonymous Coward
        Anonymous Coward

        Re: Hold on a second....

        > Their pay checks have not cleared. Yet

        This. There may be a severance package contingent on them leaving the company quietly.

        1. Pascal Monett Silver badge

          "There may be a severance package contingent on them leaving the company quietly"

          Um, the fact that they've been fired is now public knowledge. I hardly see how removing a tweet is going to change the facts.

          PR really is a shite business. It skirts around the law so often you have to wonder what kind of people work in it.

          1. Craig McGill 1

            Don't go blaming the PRs for this one as it may have been nothing to do with them but surely a bit of common sense would have told them that if they were going to be talking about an internal tool then they should get clearance for that - either from comms or compliance - because if the tool wasn't well known externally then technically they are in breach of contract.

            Removing the tweet was just daft though, but they may have done it voluntarily.

            (Also, they were told beforehand apparently about what would happen if they did their talk - perhaps that shouldn't have been left as a text message though.)

    2. jgarbo

      Re: Hold on a second....

      Undisclosed NDA bars them from commenting on company business?

    3. Geoff Campbell
      Facepalm

      Re: Hold on a second....

      Most likely someone pointed out that their employment contracts had some quite reasonable clauses around company information both during and after employment.

      GJC

      1. Anonymous Coward
        Anonymous Coward

        Re: Hold on a second....

        How can "I've been sacked" be a gagged clause in any NDA?

        Sigh, they should leave the computery stuff alone and just concentrate on delivering those damn parcels.

        1. Steve K Silver badge

          Re: Hold on a second....

          Unless I have missed something, aren't you confusing Salesforce with Parcelforce here?

          1. Anonymous Coward
            Anonymous Coward

            Re: Hold on a second....

            > Unless I have missed something, aren't you confusing Salesforce with Parcelforce here?

            Yes. It was intentional. I was trying to be funny :-(

            1. Steve K Silver badge

              Re: Hold on a second....

              Sorry - didn't mean to piss in your knitting ;-)

              It's been a long week...

              1. Anonymous Coward
                Anonymous Coward

                Re: Hold on a second....

                No worries. If I was actually confident it was funny, I wouldn't have posted anonymously!

                And my knitting needed a good wash!

    4. Mad Hacker

      Re: Hold on a second....

      They are still negotiating to get the code open sourced. I'm sure playing nice helps negotiations.

    5. TheVogon Silver badge

      Re: Hold on a second....

      "So they tweeted and the pulled the tweet under pressure from management????"

      T&C of the compromise agreement to get a pay off and shut up probably.

  4. John Smith 19 Gold badge
    Coat

    Think of this as the ultimate in guerilla marketing

    Software so good their company would rather fire them than they talk about it.

    Coat, because they said if I posted this I'd have to go.

    Is it just me or does the malware seem to be better structured and more tightly coded than the software it's attacking?

    1. Wensleydale Cheese Silver badge

      Re: Think of this as the ultimate in guerilla marketing

      "Is it just me or does the malware seem to be better structured and more tightly coded than the software it's attacking?"

      The skill level required to write obfuscated assembler would indicate that.

      Then there's the business side of it. El Reg: So you're thinking about becoming an illegal hacker – what's your business plan?

      One sometimes wonders whether legitimate software producers should study malware authors' business methods. Money back guarantee if it doesn’t work as advertised, for example.

    2. Anonymous Coward
      Anonymous Coward

      Re: Think of this as the ultimate in guerilla marketing

      Software so good their company would rather fire them than they talk about it.

      Yet another argument not to hand over your precious, confidential customer details and intelligence about how well your company is doing to a US based third party which seems keen on security through obscurity.

      That said, if you're going to give ANY public talk about your company, surely you get that signed off in writing first? If that didn't happen, it's not the company who is at fault here. From the corporate side, if you want to stop something you call and keep trying, not rely on a text which may or may not be read in time.

    3. P. Lee Silver badge
      Paris Hilton

      Re: Think of this as the ultimate in guerilla marketing

      >Is it just me or does the malware seem to be better structured and more tightly coded than the software it's attacking?

      Is it just me who's wondering why Salesforce has developed an *offensive* metasploit-type ability?

      1. Anonymous Coward
        Anonymous Coward

        Re: Think of this as the ultimate in guerilla marketing

        Is it just me who's wondering why Salesforce has developed an *offensive* metasploit-type ability?

        Oooh, I *like* your BOFH thinking. That observation would be worth throwing onto Reddit and see the conspiracy theorists climb all over it. Prep beverage + popcorn, post and watch it explode..

  5. TRT Silver badge

    If they wrote this...

    "building upon a framework designed to support efficient yoloscoped adversarial campaigns against capable targets."

    ...Death's too good for them.

    Well, if they didn't have tongue firmly in cheek at the time.

  6. Anonymous Coward
    Anonymous Coward

    Seems a bit odd

    I'm a senior engineer, but if I wanted to give a talk about an in-house pentest tool at DEFCON I'm pretty sure my manager would have me up to my knees in lawyers and executive-level red tape before even approving the submission of the paper, let alone signing off on travel. I think I'd want to see that approval too, in writing.

    If these guys were presenting without approval then the consequences can hardly be a surprise, but if they had prior permission then rescinding it with one SMS, and firing them for not seeing it, will give their lawyers a field day.

    My guess is that the manager approved this without higher consultation, and then got cold feet, in which case it's not the presenters that Salesforce should have fired.

    1. Anonymous Coward
      Anonymous Coward

      Re: Seems a bit odd

      Reading a sales pitch like the one in the article it makes you wonder if white hatting is just a cover job for those guys

      1. oiseau Silver badge
        WTF?

        Re: Seems a bit odd

        "... wonder if white hatting is just a cover job for those guys."

        Wonder?

        No white hatting here, it was just a matter of time for this to happen.

        Or be discovered.

        After all, governments and corporations of all sorts (with government's consent) screw the general public constantly and the money flows.

        Why would these guys lose out on the opportunity?

        This is just *another* way to screw the general public.

        Cheers.

    2. joeldillon

      Re: Seems a bit odd

      'Josh Schwartz, director of offensive security' sounds like one of the guys giving the presentation was 'the manager', to be honest.

  7. Will Godfrey Silver badge
    Meh

    To quote Mr Asimov

    "Insufficient data for a meaningful answer".

    {the last question}

  8. Unep Eurobats
    Happy

    L33t letter-rearranging skillz

    They just wanted to get their anagram out there.

    It's crying out for a backronym. How about Meta-Exploit Attack Tool for Penetration of Infrastructure and Security Testing On-Line?

  9. This post has been deleted by its author

  10. Jason Bloomberg Silver badge

    Open sourced

    "Join us for the public unveiling and open source release of our latest project, MEATPISTOL"

    So has it been released as open source?

  11. RyokuMas Silver badge
    Facepalm

    "yoloscoped"

    Use of this term should be a sacking - and preferably a shooting - offence.

  12. Anonymous Coward
    Anonymous Coward

    So, then the plan maybe was to get themselves fired, some publicity and a great consulting number, afterwards?

  13. Anonymous Coward
    Anonymous Coward

    did i read it wrong

    were they not describing their threat defense assessment tool as a hackers resource for active penetration of targets.

    Agreed it should have been handled differently but I don't think it should come as a shock if you re-badge your internal corporate tools as a hackers resource kit for malevolent purposes.

    This would create a very difficult corporate position for salesforce if someone was hacked using their "exploit kit". They would not even be able to suggest it was a defensive tool being misused.

    Possibly right outcome, but should have been handled differently and way before it ever got to the conference too!

  14. a_yank_lurker Silver badge

    Something?

    I would assume the talk and slides were approved earlier as a matter of good practice. Also, how much detail did they go into? I doubt they gave everyone the source code.

    1. Nick Ryan Silver badge

      Re: Something?

      No, and even broad terms of what they were capable of and what they did would have been considered by any competent hacker and factored into what they produce (exploit and anti-exploit is an interesting arms race of sorts). Of course, most hackers are not actually competent and just operate systems provided by others... not that this is a "bad" thing in itself, I drive a car but really don't have the capability to build one, or at least to the quality of the one that I drive.

  15. Gnosis_Carmot

    MEATPISTOL?

    Sounds like a porn name rather than security tool.

  16. Nolveys Silver badge

    It's never a good idea to expose your meat pistol in public.

  17. elmondoh

    Newfangled wordspeak stuff #getoffmylawn

    "Yoloscoped"? WTF is that??

    God, I feel like The Old Guy at work right now. :(

  18. Mahhn

    Salesforce a hacking company?

    Their Slogan is "Connect to your customers in a whole new way"

    And they don't mean by communication!

    I wouldn't have thought they were really a malware company. I wonder if they work for the US, RU, China, or just freelance.

    One thing for sure, their owners/managers don't have ethics.

  19. tekHedd

    Repeat After Me: Text Messaging Is Not Reliable

    Oh sure, your text will eventually get there, but not necessarily the same hour or day you send it. If you didn't get a confirmation reply, you should assume your text has not yet been read.

    Sends the message that, as employees, they just weren't that important.

  20. Anonymous Coward
    Anonymous Coward

    Meatpistol

    Obligatory David Cronenberg reference:

    https://www.youtube.com/watch?v=eQKkCMDaN54

  21. Former Cyber Spook

    I wish I was a lawyer

    Let's see... the presenters said they would present the information. The suits agreed.

    The suits send a text message not knowing it was received then fire the presenters for not seeing the text message.

    This is one of the times I wish I followed through and went to law school. I would take this case in a heartbeat and let Salesforce pay for this because I am willing to bet that texting is not an official means for communicating in their personnel policy.

    Too bad my company does not use Salesforce products. If it did, I would cease being a customer!

  22. James 132

    Can everyone please just stop saying MEATPISTOL

  23. Anonymous Coward
    Anonymous Coward

    It's a big problem

    If a company can retroactively classify something that is clearly not a "trade secret" in this way, then the way is open to simply randomly sack people for "divulging trade secrets" for the heinous crime of visiting DEFCON.

    1. Roland6 Silver badge

      Re: It's a big problem

      Suspect the issue was 'marketing'!

      If we are to believe things, the intent was to open source the tool. Hence it would not surprise me if it dawned on someone that these guys presenting a paper at DEFCON would preempt the intended big marketing splash of releasing the tool to the world...

  24. TheElder

    NDA

    I worked for a big company for a while. When I left they immediately reminded me that I may not do this, this, this, this, this, this, that or this... for a year.

    Really? I asked them to send me a copy of the signed NDA.

    No answer..... I never signed it and they never noticed. We had a very short discussion. Dumb shit management. That was the reason I left.

  25. Anonymous Coward
    Anonymous Coward

    Salesforce - Internal blue team employee

    Hola!

    I work in the blue team, we sit on the same floor. I have worked closely with them in the past. I would just like to clarify a few things about this incident.

    Was the management aware of this project ?

    Answer: Yes, they presented this in few smaller conferences last year. And various people even outside of red team were contributing to this project. They announced back then that this project is going to be opensourced.

    Does company favor/like malware based security projects ?

    No there was resistance from various non-security teams and their leaders. It does not go positive with kind of business we do at Salesforce. Another CISO named Brendan was fired earlier this year for same reason because security was always trying to do its own thing rather than working together with rest of company.

    Was the red team cocky about this incident ? Is the phone text message theory correct ?

    Answer: No. They saw the message and also an email thread which several of their team members saw. They were all staying together too. They definitely saw the message and even talked about it. They decided to ignore it. Which brought the same point/reasoning --> CISO was fired (Cocky attitude and always trying to do their own thing)

    The phone conversation afterwards did not go well and they took it to twitter ASAP. Which further escalated the issue.

    Overall I would like to say people in the red team worked really hard on this and they were able to do that because of the support from the company and the excellent atmosphere and env. Salesforce provides to its workers. But things went out of hand here because the red team lacks certain management skills/styles. The director himself Josch is a core red team kinda guy and has great social skills for security people but in the end a director needs to work with everyone in the company.

    This whole situation could have been avoided if he would have acted more professionally especially after the presentation. I just know that's why things got worse and finally they were fired not because they build "MEATPISTOL" but coz they ended up building a very unfriendly attitude towards others.
