
Salesforce fires red team staffers who gave Defcon talk - stevekillian
http://www.zdnet.com/article/salesforce-fires-red-team-staffers-who-gave-defcon-talk/
======
defcontalks
I was one of the people that was there when it happened. My coworkers and I
were asking one of them questions after the talk. The goons were kicking us
out of the rooms because it was the last talk of the day and they wanted
people to leave. We were talking in the hallway and asking him questions when
we ran into the other presenter there (and people were asking him questions
too). Anyway, a few minutes later I saw our old executive walk up to them and tell them
they had to talk. They started walking and talking, but it was right in the
open and you could pretty much hear them. They ended up stopping and it looked like
they were trying to defend themselves. A few minutes later the executive left and
they ended up walking back to the group that was still waiting to ask them
questions (including us). They had been fired effective immediately.

The executive is Jim Alkove. He is a moron and our security org has completely
revamped after he "left" to join other companies. All the recent advancements
in Microsoft security/Win10 were because we no longer had a leader like him.

Feel sorry for these guys.

~~~
tlogan
In a large corporation I worked for a long time, if an EVP fires somebody on the
spot it means that EVP is next to go. I assume this will be the case for
Salesforce.

~~~
whipoodle
Wait, what's the reason for that rule? Sounds interesting.

~~~
elgenie
Firing someone on the spot in a public setting is either a drastic
overreaction (and why that's fireable is obvious), or a response to a complete
blindsiding … at a level at which the job is to not get blindsided.

~~~
throwanem
Either way, it's a complete PR catastrophe, at a level at which the job is
_not to do those_.

~~~
schwarrrtz
It's also a complete HR catastrophe. How could anyone feel comfortable in
their position, knowing they could be fired at any moment, publicly and
without warning? Terrorizing your employees is completely unacceptable as a
manager.

Edit: I guess I don't have much experience with HR at large companies - I use
the term to refer to aspects of management related to maintaining employee
wellbeing, workplace culture etc.

~~~
throwanem
HR doesn't care about that! Not unless it's actionable. Good way to lose your
star contributors, sure, but past a certain basic point retention isn't really
part of HR's role.

~~~
beobab
"Retention isn't part of HR's role"

Really? I've always seen HR as a sort of "union for un-unionised employees".
They help you get stuff out of the business, and help the business get the
most out of you.

Perhaps I've only encountered the good kind of HR.

~~~
KineticLensman
A significant aspect of HR (at least in the UK) is protecting the company from
its 'resources', and ensuring that the company has a robust (i.e. legally
defensible) paper trail when disputes arise. E.g a process for putting people
on an 'improvement plan' in response to poor behaviours / performance, and
which can ultimately lead to dismissal.

Back in the day, the term 'anti-personnel department' was often used.

And don't get me started on the use of the term 'human resources'

[Edit] - more detail. I'm a techie but have occasionally had line management
(in addition to tech lead) responsibilities. The first time I took on these
duties, I had to do the relevant HR training and was amazed at the attitude: a
little bit of 'duty-of-care' and a lot of 'follow-this-process-to-make-sure-
the-law-is-on-our-side'

~~~
arethuza
My experiences of UK large company HR departments was basically that they were
the hit squad - if they were in the building then you knew _someone_ was in
major trouble.

I had an interesting experience a couple of years back when everyone in our
office was called to a surprise meeting with HR _except_ me.... I had already
resigned, everyone else got the bullet in that caring way that HR departments
are famous for.

~~~
tlavoie
A company I worked at did something similar; those who were being kept were
told to go somewhere else, not to go to that meeting. Those that were still
around were herded into the classroom, to be met by the HR head and a hired
goon of a security guard. The entire office was being closed, but the _way_ it
was done was more hurtful to those folks than the basic business decision.

------
phobeusappola
If you're close to the Silicon Valley tech community you know the Salesforce
datacenter organization and recently security organization has been taken over
by many ex-Microsoft executives who are fairly clueless when it comes to
security.

This has left the security organization mired in internal political turmoil
and has triggered the exodus of most intelligent security professionals from
the organization.

This situation appears to be a case of the new and confused security executive
mentioned in comments on this thread over reacting.

I say "confused" because for the presenters to get this far they obviously had
gone through levels of approval for the talk and presented material
internally. This talk was indeed presented before at the Chatham House Red
Team Summit in SF where many tech company Red teams were present and code was
released to some collaborating parties. If you don't know what is going on in
your own organization with your directors you are confused.

I say "overreacting" because any decent security executive knows you can't
ask a team member to pull a Defcon talk on extremely short notice as it would
be damaging to their personal reputation in the community. Firing them for not
pulling the talk is completely idiotic as it's likely to burn the organizational
reputation with the security community. It was likely just a snap decision by
said confused executive who did not understand the ramifications of his
decision. If you fire someone after they get off the stage at Defcon you more
than likely have overreacted.

Sadly these are the types of things that happen when you have poor leadership at
high levels. I feel bad for the good security folks still left at Salesforce
who have to tolerate this garbage. Luckily there is a massive demand for good
security professionals so they should have no trouble finding other
employment, hopefully with competent leadership.

~~~
throwaway795464
Using a throwaway account as my username is very close to my real name :-(

 _If you're close to the Silicon Valley tech community you know the
Salesforce datacenter organization and recently security organization has been
taken over by many ex-Microsoft executives who are fairly clueless_

This. A thousand times this. The Microsoft rot started in the Datacenter and
Security org but is fast spreading to all of infrastructure resulting in a
culture that is dramatically different from the rest of Salesforce.

If you're from Microsoft (or better yet, a crony of a high up Microsoftie in
Salesforce) you are guaranteed to receive a plum job with a bump up of at
least two or more seniority levels and preferential treatment in every aspect.

It's not hard to find examples of mid-level ICs (level 61 - 62) being brought
in as Senior Directors, level 63s being brought in as principal architects,
etc. What about non-Microsoft people? Well, in that case we need to
'carefully consider the feedback', 'be conservative in our approach', 'avoid
being too generous' etc.

Every process, from hiring, to promotions, to appraisals has been
systematically corrupted and taken over almost exclusively by Microsoft people
with the inevitable results.

It's like watching an aggressive strain of flesh eating bacteria at work. It
would be comical the amount of damage this is causing Salesforce if it weren't
for the enormous human impact.

~~~
valdiorn
Wait, there are 63 or more levels of management at Salesforce? Is there a level
1? Is there anything higher than 63? What's the distinction between a 61 and a
62?!

Sounds more like Futurama's bureaucracy skit.

~~~
ansy
There are "80" levels at Microsoft [1]. But they begin around 59 for
engineers.

The levels at Salesforce are a lot more coarse [2].

[1] [https://www.quora.com/What-are-all-the-job-levels-in-Microso...](https://www.quora.com/What-are-all-the-job-levels-in-Microsofts-technical-career-track)

[2] [https://www.quora.com/What-does-the-Salesforce-career-ladder...](https://www.quora.com/What-does-the-Salesforce-career-ladder-look-like-both-in-software-development-and-management)

------
kafkaesq
_The unnamed Salesforce executive is said to have sent a text message to the
duo half an hour before they were expected on stage not to give the talk,
but the message wasn't seen until after the talk had ended._

Which said unnamed executive should have known was patently unreasonable to
expect to be received and read in time.

Sounds like a failure in basic communication, somewhere in the organization.
And if someone at the C-level feels they need to intervene at the last minute
to set things straight -- this very strongly suggests the point source of the
failure was most likely somewhere _in the middle_ layers (or at the C-level
itself) - not with the frontline engineers.†

But which at Salesforce is apparently no protection against getting hung out
to dry.

† Especially when we read the parts about "The talk had been months in the
making" and that the executive pulled the plug at the last minute "despite a
publicized and widely anticipated release."

~~~
jacquesm
There's a good chance that those guys didn't even have their phones on. If
something is that urgent you don't text, you call, and if the call doesn't go
through you find someone else that you can call who can go to the people
involved and so on until you have _guaranteed_ timely delivery and if you
can't achieve that then you're going to have to live with the consequences.

Doing a 'fire-and-forget' text message and then attaching grave consequences
to the timing is ridiculous.

~~~
steveplace
I thought it was SOP to not bring your phones to DEFCON

~~~
mortenjorck
From what I’ve read, all you really need to do is turn off wi-fi, which is
already fairly paranoid given that no one is realistically going to burn a
serious chipset zero-day on random people at a conference. Fake cell towers do
occasionally happen but rapidly lead to arrests.

~~~
anonymousjunior
"Random people" who with high probability may have undisclosed 0day exploits
stockpiled on other devices.... Yeah, if I'm an APT author, DEFCON attendees are
(the hardest to exploit and most paranoid [read: likely to get caught by]) the
ideal target for any nation-state. Not to mention that the conference is often
attended by multiple state agencies, which makes the target even juicier. Yes,
it's an extremely hard and dangerous group of people to attempt to exploit,
but that doesn't detract from the potential value and payoff of a successful
APT exploit on said group of people.

~~~
Godel_unicode
That's not how Nation State actors work. One of the things that makes Nation
State actors dangerous is they have the patience and resources to attack a
high value target at the most likely to succeed point. Backing that up, they
generally have the intelligence to know when that best time is. And they for
sure know that it's not at defcon when everyone is, as you say, paranoid and
on the alert. They're going to get you at home, at happy hour with your non-
security friends, in that bar with the great but insecure wifi and no 4g.

~~~
TallGuyShort
Or they'll get you while you're in the security line at the airport on your
way home.

~~~
Godel_unicode
I guess it depends which State we're talking about, but yes.

------
rsj_hn
I was not at the conference and have no first hand knowledge of what happened.

But before everyone gets on their high horse, please pause to reflect:

This was all company work product being presented by company employees who
were on a company funded conference trip. Therefore there is an approval
process for vetting presentations as well as a legal process for opensourcing
code. This is standard practice at all companies.

Now what do you think is more likely: That the PR department would approve of
a talk titled "meatpistol" (FIXED) (have you seen the slides?) and the legal
dept would approve of open sourcing the code and then at the very last minute
both groups would change their mind and try to pull the talk, or that the
presenters never got the OK in the first place, the company found out at the
last minute, asked them to pull the talk and they refused?

How likely is it that they would get official approval for their talk under a
"Chatham's rules" meeting in February for a presentation <strike>in
August</strike>at the end of July? Isn't it more likely that they got some
initial approval for a talk in February, but that PR still wanted to vet the
actual slides in <strike>August</strike>July? (I'm assuming that the slides
were made after February.) Which PR department gives approvals like that? What
legal department works this way? In my experience, stuff like this happens at
the last minute, because that's when you're finishing your slides (as well as
your code), and generally PR is going to ask that you make some changes to
your slides and they will want the final copy before signing off. Now maybe
I'm wrong and the article is correct, but I think it's unlikely.

Moreover given that Salesforce can't talk about this matter, who do you think
is the source for the article and whose side are you hearing?

The last few days have really highlighted how quick people are to pile on with
outrage and self-righteous indignation before getting all the facts.

~~~
defcontalks
During the talk they told us why they called it meat pistol... it's an anagram
for metasploit. Meat Pistol made sense because it shoots out malware implants.

Also, why pull out in the last 30 mins? And why fire them? No warnings?
Mistakes happen, you don't fire a director for something like that. The PR
process is to make sure the company's image looks good; who better knows the
Defcon audience? Hackers, or PR people who don't understand the framework?

There is really no other way to see it than Salesforce fucked up.

~~~
jackgavigan
_> During the talk they told us why they called it meat pistol.. it's an
anagram for metasploit. Meat Pistol made sense because it shoots out malware
implants._

I wonder why they didn't pick Metapistol.

~~~
devrandomguy
What are you more likely to remember a week from now: Meatpistol or
Metapistol? Reminds me of the resistor color code mnemonic, something I
memorized for life the first time I heard it.

~~~
soft_serve
Ahh! Violet! I miss her.

~~~
squarefoot
Leave her alone, she's just 7.

------
tptacek
It's probably way too early for us to know what's really happened here. If
you're unfamiliar with this stuff, you should know that Salesforce has a large
and relatively savvy security team, including people who have presented at
offensive security conferences in the past.

There's a lot of weirdness in the reporting here; for instance, the notion
that Salesforce management had a meeting with members of their own team under
"Chatham House rules".

~~~
quantumhobbit
I wasn't familiar with "Chatham House rules". But it allows members to
present controversial arguments while preventing anyone from associating their
arguments with them after the fact. For example, I can cite the argument later
but not say who made the argument, in order to protect them from political
repercussions.
[https://en.m.wikipedia.org/wiki/Chatham_House_Rule](https://en.m.wikipedia.org/wiki/Chatham_House_Rule)

Certainly very weird that the environment was that charged politically that
these rules were needed.

~~~
toyg
Red Team operations can be very controversial as they risk impacting day-to-
day operations and data integrity, and can have legal repercussions. I expect
they would have this sort of meeting relatively often, regardless of this
particular case.

------
Johnny555
Seems like a bad idea for a public SaaS company that relies on trust from
customers that their data is secure to piss off their own offensive security
team by firing them suddenly without even a warning received.

I expect that lots of new Salesforce vulnerabilities will be discovered and
disclosed.

~~~
EthanHeilman
>I expect that lots of new Salesforce vulnerabilities will be discovered and
disclosed.

Oh, even worse: no new vulnerability discovery and disclosure, which in turn
decreases the security of Salesforce products.

~~~
PeterisP
Oh, they will be discovered and disclosed, just not to Salesforce or the
public but to "interested third parties".

------
djrogers
Much of the talk on this is about whether or not SFDC has a ‘right’ to do this,
or if it’s legal. Frankly that’s all immaterial - this sounds like a perfect
way to either lose most of your security staff over the next 6-8 months, or
get yourself fired. Not sure the exec in question was planning on either of
those outcomes, but they are the most likely.

------
just2n
That seems like a tad bit of an overreaction on Salesforce's part. The only
mismatch here was the expectation set around the availability of the tool's
source? So yeah, it was clear the tool is owned by Salesforce and ultimately
something like that is decided by the company, but saying you're going to
"fight to have it open sourced" and advocating to have tooling you build be
shared outside of your company doesn't seem like a fireable offense to me.
Look at what it's done for companies like Facebook and Google.

What the hell, Salesforce? This looks bad. There's either more to the story or
this is just extreme knee jerk.

------
whatsmyhandle
EEK. When speaking in front of a large audience, it's generally a good idea to
either mute your phone, or ditch it entirely before you get up onstage.

To get canned for not responding to a text message 30 minutes before a talk -
which you were already approved for - seems terribly unfair and a decision
probably made in the heat of the moment.

~~~
mikeryan
I don't think that "not responding to a text message" was the actual reason.

~~~
LateChannels
They got fired right after the talk, looks like the person on the other end
took it too seriously.

------
0xfeeddeadbeef
Oh, the irony! Months before he was fired, in his talk [1] at QCon London 2017
(March 5-7), Josh Schwartz jokingly said: "I am going to tell some stories and
hopefully I won't get fired for sharing this stuff but we'll see how it goes".

[1] How to Backdoor Invulnerable Code:
[https://youtu.be/EGshffkzZsY?t=680](https://youtu.be/EGshffkzZsY?t=680)

~~~
valuearb
Salesforce PR in the house!

~~~
jessaustin
That's a really old account to just have 10 karma...

~~~
drewbuschhorn
Hey! I'm not doing much better and I'm very sensitive about it.

~~~
exikyut
I'm in Australia, so I almost never see stories as they start rising. :D

And I may have locked my last account (i336_) a while back by setting
"noprocrast" to a ridiculous value, which I TIL that day actually is not
fixable. This is a new account. I'm debating whether to ask for my old account
to be unlocked, or to start again.

FWIW, this account's first post went badly -
[https://news.ycombinator.com/item?id=14909407](https://news.ycombinator.com/item?id=14909407)
(downvoted to 0) - and I got bitten a couple days ago as well -
[https://news.ycombinator.com/item?id=14975515](https://news.ycombinator.com/item?id=14975515)
(down to -1), hmph.

------
innocentoldguy
Why in the hell would Executive Dumbass, er Jim Alkove, send such an urgent
request via an asynchronous form of communication? Is he a moron (obviously)?

If I wanted to ensure something did or didn't happen, and time was a critical
factor, I would call, talk in person, or use some other form of synchronous
communication to ensure my message was received. I certainly wouldn't blast
out a text message and then have a baby tantrum after the fact.

~~~
qaq
Considering he was present at Defcon and could've simply talked to his
employees he def. is a moron.

------
PhasmaFelis
Very weird. Seems possible that some clueless higher-up found out about it at
the last minute and said "don't you dare let this happen," some middle manager
tried to stop it, failed, panicked, and threw Schwartz and Cramb under the bus
to evade blame. Could also be office politics bullshit; a high-up was gunning
for them with no real justification and ginned up a smokescreen to fire them.

Either way, "director of offensive security" is a pretty hefty-sounding title
to fire off-the-cuff like an incompetent intern.

~~~
chevman
"Could also be office politics bullshit; a high-up was gunning for them with
no real justification and ginned up a smokescreen to fire them."

Ding, ding, ding! We may have a winner.

Here's my guess - the guys that got fired were more than technically competent
(basically experts going off what I've read), but probably were pushing the
envelope in terms of what Salesforce, or more specifically Salesforce's large
enterprise customers, felt comfortable having discussed out in the open.

------
mi100hael
Screenshot of original tweet:
[https://twitter.com/framerate/status/891862938268573696](https://twitter.com/framerate/status/891862938268573696)

------
ryanbrunner
My impression of the security team at Salesforce is that it's always been a
bit of a fiefdom with little input or control from the mothership.

Maybe a plausible explanation of what happened here was that all awareness /
approval of the talk was limited to that team, and when an exec outside of the
security team heard about it, they freaked out, causing all of this.

------
Lazare
I'd be fascinated to learn more of the backstory here, because the story as
reported so far is baffling.

~~~
LateChannels
Looks like the executive who messaged them 30 mins before took it personally
that they ended up presenting even though he asked them not to so he fired
them. Otherwise it makes no sense to fire people right after they finish their
talk, unless of course you got an ego to show.

Either way Salesforce really fucked up here.

~~~
kafkaesq
Right. Even if he legitimately felt the engineers were out of line in some way
-- firing them at a public conference (and not just any conference - but that
industry's leading annual conference) is just dumb.

------
bwasti
I find it hilarious that at the end of the post it says "Contact me securely"
and goes on to give a PGP fingerprint. All while being served up via http...

~~~
arianvanp
It's up to you to check the Web of trust of this fingerprint. It being served
over HTTP is not an issue at all. Even in Trust on First Use I would argue
delivering over HTTP is not an issue.

~~~
aembleton
It is an issue because you could MITM this and give a different address and
fingerprint. This seems highly unlikely but is possible.

------
zitterbewegung
I was at a talk at a Math Conference where the speaker wasn't allowed to give
the talk due to it being Classified. This speaker was able to register at the
Math Conference with the talk and canceled it at the last minute during the
presentation. I don't believe that that person had any issues after the talk
and was not fired from their position as a researcher.

From what I can read about this the case is similar, but in both actions it was
a miscommunication. The speakers should have been informed that it was
unacceptable. They should have been talked to about their inability to give
the talk and the talk should have been cancelled. I would like to hear the
other side of the story from Salesforce to give a full judgement, but I would
expect a reprimand at best and not a firing.

~~~
reek
That is a very different situation:

1. The researcher you are talking about should have known the content was
classified well before he did the talk. Whether it was classified or not was
not based off the decision of an executive.

2. The punishment for revealing classified data to an audience is clearance
loss & likely prison. It is not comparable to revealing proprietary company
data that is not classified or not even covered under ITAR.

------
batmansmk
There are methods better than a text to get a hold of someone. Phone, emails,
WhatsApp, Twitter, Facebook, calling the conference management, calling
colleagues at the conf, going near the stage at the beginning of the talk.

Oh and try to be there on time if you need to do something that critical.

------
retox
Staffers, or staff? Seeing this phrase more often, but to me it's always been
restricted to talking about staff of political campaigns...

~~~
Lazare
It's also commonly used for newspapers. I agree, I find it unusual to apply it
to generic employees.

------
bobwaycott
Zdnet apparently thinks it’s okay to redirect me (on mobile, after making it
halfway through the article) to a scammy website promising I’d won a $1000
gift card, then hijacked my back button so I couldn’t leave. Anyone else
experience this?

~~~
rsj_hn
ublock origin is your friend.

~~~
123youseeme
Wonder if this is related to Mike Johnson leaving?

------
soft_serve
Most people at Defcon use a "burner phone" (a cheap supermarket feature-phone)
while there. Nobody who is sane would turn on their work phone anywhere near
the Defcon conference. I go there every year with a throwaway phone and
laptop.

So nobody will see a text message in a timely manner, unless they knew the
burner phone number.

~~~
mercwear
The term "most people" is terribly exaggerated. Defcon is not nearly as scary
as some people make it out to be. If you have the latest security updates
across your devices, disable wifi and take a few other precautions, things are
fine. I was there this year and saw just as many late-model iPhones (most
likely not burners) in people's hands as I did at any other conference I
attended.

~~~
scdlbx
My burner phone, with disabled wifi, bluetooth, and data, was owned this year.

~~~
patcheudor
I gave up on burner phones because they were typically old and terribly
vulnerable with no possible way to update - think older Android phones.
Although, I did win the WiFi Village Fox & Hound hunt a few years back using a
Samsung S4, but I had that thing locked down to using only a WiFi strength
meter app and of course it was running CyanogenMod back when that was still a
thing.

These days I update, backup, and lock down my daily use iPhone before going.
See my post earlier in the comments for more details on that. In terms of what
was happening in the last two years at DEF CON that could get you with all the
steps I took, OpenLTE networks were tricking phones into attaching to them and
the most disturbing thing I saw of that was middling of TLS. However, it was
of course with a self-signed certificate so as long as you didn't accept the
cert, you were likely fine.

If you had an older phone, one without all the latest updates that wasn't
configured to be mostly silent, then your experience could be very different.
There are a surprisingly high number of SMS exploits which still work to this
day on a large number of phones, and of course SS7 has architectural weaknesses
which will likely never be fixed.

~~~
willstrafach
> OpenLTE networks were tricking phones into attaching to them and the most
> disturbing thing I saw of that was middling of TLS

I am sure that many folks would be very interested in seeing any supporting
data/captures. This is incredibly uncommon.

~~~
patcheudor
Someone had put a map together of the OpenLTE / catchers they found but I
can't find it. In my particular case, I had WiFi off the entire time and
received certificate validation failure notices four times at different
locations while at DEFCON. Given I was only connecting with LTE, there could
only be one explanation for those certificate warnings. I was being redirected
to an OpenLTE or other cellular base station and someone was running a MitM
proxy or solution like SSLSplit on the connection.

Unfortunately when it comes to calling it "incredibly uncommon", we really
don't have any widely deployed solutions to identify rogue cellular base
stations so it's very difficult to say how often it happens IRL although the
only times I've ever seen it happen have been the last two years at DEF CON.

------
notreallythough
I didn't see this myself but the guy who works the drivethru at my local
burger king told me that the red team has perfected the flame grilled whopper
and they had to be fired because they had gone too far

------
foxylad
The exploit name certainly has sexually violent connotations to me. I imagine
that anyone who has been sexually assaulted would feel very uncomfortable
working in an organisation that condoned such language - something like 10% of
the population.

I'm not condoning firing as a response - that's as thoughtless and
unimaginative as the name. And perhaps the name isn't even the reason for it -
that doesn't seem to be clear. But come on guys, try to stay classy.

~~~
danpalmer
I don’t think that was related to the firing, from what I can tell, however I
do agree with you, I thought the name was a bit distasteful and not
appropriate for an open source project.

~~~
flashmob
Why all this morality police? It's just humorous, and to understand the double
meaning, it requires quite a bit of imagination.

To be fair, I think it's more common for security projects to take on more
aloof names. Who could forget "John the Ripper" or "Back Orifice" from the Cult
of the Dead Cow? I'm sure there are many more...

~~~
danpalmer
> I think it's more common for security projects to take on more aloof names

True, although I also find the negative sides of "hacker culture" more
pervasive and less challenged than "brogrammer" culture or whatever term you
want to use.

> Why all this morality police?

I find it overly sexualised, from a very masculine perspective. That's not
really appropriate in a professional context in my opinion, but more than
that, it can really put some people off the industry. Unfortunately, those
people it puts off are disproportionately from groups that are already
minorities in the industry, and so it helps in some small way, to perpetuate
the lack of diversity.

Obviously this particular example really is only a small part of the problem,
but it all contributes, and one of the easiest ways to do our part for
increasing diversity and making the industry more welcoming is to do things
like improve the naming of our projects.

