
Shoot the Messengers.
Salesforce fired two of its senior security engineers after they revealed details of an internal tool for testing IT defenses at DEF CON last month. Josh Schwartz, director of offensive security, and John Cramb, a senior offensive security engineer based in Australia, were sacked by a senior Salesforce executive minutes after …
"What can one conclude about a company that behaves like that about employees who care?"
Unless I've misunderstood the story, Salesforce owned the code and therefore no employee is allowed to disclose or distribute the company's property without permission. Almost all companies have that in place; I know that everything I write for my company is owned by them and I'm not allowed to use it. Obviously no one ever does stick to the rule of law: we all back up our code and take it from job to job, we simply rework bits of it rather than the entire product.
I think this could have been handled better; the CEO should have spoken to the researchers directly and warned them not to go ahead. It sounds like a text message was used to ensure they wouldn't see it in time and ensure they could be fired. All sounds like a set-up to me.
"Salesforce owned the code and therefore no employee is allowed to disclose or distribute the company's property without permission"
Sure, but I don't think *talking about* something your company has / does would normally be a problem. Unless something has been specifically flagged as a trade secret I can't see how they are in the wrong.
If you walk away with anything and reuse the code you are on thin ice regardless of whether it's a trade secret. In fact, the company could call pretty much a ham sandwich a trade secret and have grounds to sue you into oblivion if they wanted. (You got caught walking away with their code.)
The developers aren't in the wrong unless the company can show that they disregarded the text message prior to their talk. Remember the company did give prior approval of the talk before they left for the conference which means that they had reviewed and approved the content.
"Salesforce owned the code and therefore no employee is allowed to disclose or distribute the company's property without permission."
From the article, this was a presentation about MEATPISTOL not a disclosure and/or distribution of the code that forms MEATPISTOL.
So having looked through the slide deck, which reveals no real design details about MEATPISTOL, it would seem that senior executives at Salesforce had a last-minute change of heart and didn't want the existence of MEATPISTOL to be publicly known, at the present time, unless they only got to know about the presentation at the last minute...
A decision left to the last minute that obviously wasn't that important, as no steps were taken to ensure the intended recipient(s) of the text actually received the text before they went on stage...
Finally, I note one of the employees job title includes the word 'director' - in the UK that is a legally significant word to have in your job title.
I guess you don't bother to read or pay attention to some of the news stories... Stop me if you've heard this one... There's this company called Waymo that was recently purchased by Uber...
There are more stories like that where a programmer who worked for a trading company got jail time for stealing proprietary code he wrote when he went to work for another company.
The point is that as an employee, your work is owned by the company and you have no rights to the work unless the company expressly grants you rights to it.
You want to work on an Apache project? When you submit code, you are agreeing to indemnify Apache if they get sued and you are explicitly claiming ownership of the work so that you can grant Apache license to use it.
Salesforce is in trouble and can be sued for the termination.
The issue is that they first approved the presentation. They then attempted to cancel it before they were to present. If the claim that they didn't see or get the text before the presentation started is true, then they shouldn't be fired because they were unaware that the presentation had been rescinded.
If the company can prove that they saw the text and said 'oh fsck it', then they would have been right to terminate.
I'll wager that the company will give them a hefty severance settlement to quiet things down.
BTW, if you take your code with you... you are breaking the law and you can be sued. Even if you win the lawsuit, it will still cost you massive amounts of money and could get you terminated from your current job.
"Unless I've misunderstood the story, Salesforce owned the code and therefore no employee is allowed to disclose or distribute the company's property without permission."
Correct, except when this has been signed off months before.
And, they weren't sacked (so it seems) for actually sharing the code - that will come later. They were sacked for giving the presentation.
The Exec text messaged them 30 mins before the presentation - at a time where their phones were likely already switched off (also remember, this is DEFCON - many people turn their phones off all the time there. It's a good chance you'll be hacked otherwise!), and then used the fact they had given the presentation as an excuse to fire them.
Quite shockingly bad management from a Salesforce Exec - which I predict we will hear more about over the next few weeks, possibly including the sacking of the said Exec.
This post has been deleted by its author
"There may be a severance package contingent on them leaving the company quietly"
Um, the fact that they've been fired is now public knowledge. I hardly see how removing a tweet is going to change the facts.
PR really is a shite business. It skirts around the law so often you have to wonder what kind of people work in it.
Don't go blaming the PRs for this one as it may have been nothing to do with them but surely a bit of common sense would have told them that if they were going to be talking about an internal tool then they should get clearance for that - either from comms or compliance - because if the tool wasn't well known externally then technically they are in breach of contract.
Removing the tweet was just daft though, but they may have done it voluntarily.
(Also, they were told beforehand apparently about what would happen if they did their talk - perhaps that shouldn't have been left as a text message though.)
Software so good their company would rather fire them than they talk about it.
Coat, because they said if I posted this I'd have to go.
Is it just me or does the malware seem to be better structured and more tightly coded than the software it's attacking?
"Is it just me or does the malware seem to be better structured and more tightly coded than the software it's attacking?"
The skill level required to write obfuscated assembler would indicate that.
Then there's the business side of it. El Reg: So you're thinking about becoming an illegal hacker – what's your business plan?
One sometimes wonders whether legitimate software producers should study malware authors' business methods. Money back guarantee if it doesn’t work as advertised, for example.
Software so good their company would rather fire them than they talk about it.
Yet another argument not to hand over your precious, confidential customer details and intelligence about how well your company is doing to a US based third party which seems keen on security through obscurity.
That said, if you're going to give ANY public talk about your company, surely you get that signed off in writing first? If that didn't happen, it's not the company who is at fault here. From the corporate side, if you want to stop something you call and keep trying, not rely on a text which may or may not be read in time.
Is it just me who's wondering why Salesforce has developed an *offensive* metasploit-type ability?
Oooh, I *like* your BOFH thinking. That observation would be worth throwing onto Reddit and see the conspiracy theorists climb all over it. Prep beverage + popcorn, post and watch it explode..
I'm a senior engineer, but if I wanted to give a talk about an in-house pentest tool at DEFCON I'm pretty sure my manager would have me up to my knees in lawyers and executive-level red tape before even approving the submission of the paper, let alone signing off on travel. I think I'd want to see that approval too, in writing.
If these guys were presenting without approval then the consequences can hardly be a surprise, but if they had prior permission then rescinding it with one SMS, and firing them for not seeing it, will give their lawyers a field day.
My guess is that the manager approved this without higher consultation, and then got cold feet, in which case it's not the presenters that Salesforce should have fired.
"... wonder if white hatting is just a cover job for those guys."
Wonder?
No white hatting here, it was just a matter of time for this to happen.
Or be discovered.
After all, governments and corporations of all sorts (with government's consent) screw the general public constantly and the money flows.
Why would these guys lose out on the opportunity?
This is just *another* way to screw the general public.
Cheers.
This post has been deleted by its author
Were they not describing their threat defense assessment tool as a hackers' resource for active penetration of targets?
Agreed it should have been handled differently, but I don't think it should come as a shock if you re-badge your internal corporate tools as a hackers' resource kit for malevolent purposes.
This would create a very difficult corporate position for Salesforce if someone was hacked using their "exploit kit". They would not even be able to suggest it was a defensive tool being misused.
Possibly right outcome, but should have been handled differently and way before it ever got to the conference too!
No, and even broad terms of what they were capable of and what they did would have been considered by any competent hacker and factored into what they produce (exploit and anti-exploit is an interesting arms race of sorts). Of course, most hackers are not actually competent and just operate systems provided by others... not that this is a "bad" thing in itself, I drive a car but really don't have the capability to build one, or at least to the quality of the one that I drive.
Their Slogan is "Connect to your customers in a whole new way"
And they don't mean by communication!
I wouldn't have thought they were really a malware company. I wonder if they work for the US, RU, China, or just freelance.
One thing for sure, their owners/managers don't have ethics.
Oh sure, your text will eventually get there, but not necessarily the same hour or day you send it. If you didn't get a confirmation reply, you should assume your text has not yet been read.
Sends the message that, as employees, they just weren't that important.
Let's see... the presenters said they would present the information. The suits agreed.
The suits send a text message not knowing it was received then fire the presenters for not seeing the text message.
This is one of the times I wish I followed through and went to law school. I would take this case in a heartbeat and let Salesforce pay for this because I am willing to bet that texting is not an official means for communicating in their personnel policy.
Too bad my company does not use Salesforce products. If it did, I would cease being a customer!
Suspect the issue was 'marketing'!
If we are to believe things, the intent was to open source the tool. Hence it would not surprise me if it dawned on someone that these guys presenting a paper at DEFCON would preempt the intended big marketing splash of releasing the tool to the world...
I worked for a big company for a while. When I left they immediately reminded me that I may not do this, this, this, this, this, this, that or this... for a year.
Really? I asked them to send me a copy of the signed NDA.
No answer..... I never signed it and they never noticed. We had a very short discussion. Dumb shit management. That was the reason I left.
Hola!
I work in the blue team; we sit on the same floor. I have worked closely with them in the past. I would just like to clarify a few things about this incident.
Was the management aware of this project ?
Answer: Yes, they presented this at a few smaller conferences last year. And various people even outside of the red team were contributing to this project. They announced back then that this project was going to be open-sourced.
Does company favor/like malware based security projects ?
No, there was resistance from various non-security teams and their leaders. It does not go well with the kind of business we do at Salesforce. Another CISO named Brendan was fired earlier this year for the same reason, because security was always trying to do its own thing rather than working together with the rest of the company.
Was the red team cocky about this incident ? Is the phone text message theory correct ?
Answer: No. They saw the message and also an email thread which several of their team members saw. They were all staying together too. They definitely saw the message and even talked about it. They decided to ignore it. Which brought up the same point/reasoning --> CISO was fired (cocky attitude and always trying to do their own thing).
The phone conversation afterwards did not go well and they took it to Twitter ASAP, which further escalated the issue.
Overall I would like to say people in the red team worked really hard on this, and they were able to do that because of the support from the company and the excellent atmosphere and environment Salesforce provides to its workers. But things went out of hand here because the red team lacks certain management skills/styles. The director himself, Josh, is a core red team kinda guy and has great social skills for security people, but in the end a director needs to work with everyone in the company.
This whole situation could have been avoided if he had acted more professionally, especially after the presentation. I just know that's why things got worse and finally they were fired: not because they built "MEATPISTOL" but because they ended up building a very unfriendly attitude towards others.