The executive is Jim Alkove. He is a moron and our security org has completely revamped after he "left" to join other companies. All the recent advancements in Microsoft security/Win10 were because we no longer had a leader like him.
Feel sorry for these guys.
If I hear a manager fires them at such a moment, it already gives me an idea of what kind of manager we're talking about.
If a manager sends a text message half an hour before the talk starts to not give the talk, I definitely know what kind of manager it is.
You have 2 kinds of managers: The ones that think ahead of the time, and the ones that don't think ahead of the time. It's pretty easy to distinguish the two.
Let's say Employee A comes up to Manager three months before Defcon, saying he'd like to do such and such. Manager doesn't like it, but he doesn't want to upset A at that time because Reasons. He says "sure bud, you go ahead, I'll check with the lawyers just in case and let you know if there is any problem". Then he waits, and half an hour before the talk, through an indirect medium like email or text, he goes "sorry man, I only just got a message back from the lawyers that you can't talk about that. Totally gutted! Oh well, better luck next year, uh?"
30 mins before the presentation, after they've all flown to the conference, is not incompetence; it's malice.
Incredibly bad leader. Ask away.
Edit: I guess I don't have much experience with HR at large companies - I use the term to refer to aspects of management related to maintaining employee wellbeing, workplace culture etc.
Really? I've always seen HR as a sort of "union for un-unionised employees". They help you get stuff out of the business, and help the business get the most out of you.
Perhaps I've only encountered the good kind of HR.
Back in the day, the term 'anti-personnel department' was often used.
And don't get me started on the use of the term 'human resources'
[Edit] - more detail. I'm a techie but have occasionally had line management (in addition to tech lead) responsibilities. The first time I took on these duties, I had to do the relevant HR training and was amazed at the attitude: a little bit of 'duty-of-care' and a lot of 'follow-this-process-to-make-sure-the-law-is-on-our-side'
I had an interesting experience a couple of years back when everyone in our office was called to a surprise meeting with HR except me.... I had already resigned, everyone else got the bullet in that caring way that HR departments are famous for.
In other news, for a bunch of smart people, engineers are spectacularly underunionized.
Because they will be involved in recruiting, they will also have a keen understanding of how much that increases their workload, which is otherwise pretty flimsy in a lot of cases. The more churn, the more they can justify their headcount.
Which isn't to say HR won't want him gone. Just not yet.
Nope; they help the business get the most out of you without getting sued. That's the alpha and omega of HR.
Their obligations are to the company, not to you. When they answer your questions, they do it so you can't claim later on that the company didn't tell you such and such or that the procedure XYZ was unclear, and sue them. They are nice so that you won't see the company as adversarial and sue them. And so on and so forth.
I doubt it will make even a dent in Salesforce's profits or that anybody of their clients will even blink about it.
As for their PR, that's paid for (and customers might even like the drastic action).
Except if you mean PR to prospective security hacker hires.
1) The PR backlash is going to be gigantic.
2) If you fire someone on the spot (I have), you'd better have a damn good reason (I did--repository sabotage) as the company is now going to have to pay money to defend/payoff this.
3) Suddenly firing important people disrupts daily business functions for weeks or months.
4) Unless you think they are going to actively sabotage something, you can wait until they get home to reprimand or fire people.
All told, some manager is getting thrown under the bus for this.
The Google thing was gigantic. This is a blip.
(I'm only half joking. People don't talk about how poor the layout of that document was, but it was my first and lasting impression)
It's unbelievable that it was only the memo. And quite likely just the last straw.
I can easily imagine someone that produces poor quality once publicly probably did so many times privately, and it is likely more of a symptom of underlying inadequacy than the actual reason for firing.
But you know, headlines..
And yes, I have no previous experience or knowledge about this, so sorry if I'm armchairing a bit.
Larry Summers (a leading economist with often controversial opinions) got fired from his position as the president of Harvard for effectively making the same point, except, you know, well argued, unlike in the Google manifesto.
If Larry Summers gets fired for that, a random engineer is definitely getting the boot.
Everyone agrees it was polite, but well-argued and coherent is where not everyone does agree.
I've seen people with advanced degrees host debates where they legitimately advocated creationism as the truth against evolutionary biologists with equally advanced degrees. They were polite, and their supporters would say well-argued and coherent. But anyone who knows anything about the topic would see that the creationists weren't actually adding to the discussion or making strong points at all. Those creationist debates are always unsatisfying and exhausting to listen to, and after a while, that schtick becomes old and non-creationists stop engaging because it's just boring. But creationists will attend and be excited every time because having a debate against a real scientist legitimizes them.
That's how this memo thing felt. Nothing new was added to the discussion (at least not to those of us who have had this discussion before) and it just seemed like an opportunity that some less savory folks jumped on to promote some out-dated views (and more importantly, for mainstream media to jump on to paint all of tech as a place where those views are the norm. That story sells despite how wrong it is).
FWIW, I do hate impoliteness though. I understand why people felt defensive for the author after watching the internet freak the hell out (in rude or dismissive ways) about the memo which was not impolite in itself.
At the risk of perpetuating the disagreement, IMO if anything is similar to the creationist debaters, it's the voices against the memo.
Going through the few recent HN discussions on the topic, I found that on the one side, you had people (including an actual scientist in the domain) telling that the memo basically got the science (even if not ultimate conclusions) right, as supported by _even more_ research people linked to, vs. the other side saying he presents "outdated" views of "biological determinism", etc., with no counter to the research cited by the memo itself (not to mention others) - just unsubstantiated accusations and dismissals.
Instead it wanted to connect that research to a) company policy and b) American-specific political divides. And to do that required a battery of assumptions regarding intention, merit, aptitude, worth, values.
That's where the wheels came off and everyone started projecting their own ideological interpretations, and you've been arguing past each other ever since.
You don't have any evidence to substantiate any of what you are writing and this individual has no opportunity to respond to what you are writing.
This is highly unprofessional behavior no matter what you think the justification is.
Statements from witness ARE evidence. What do you think evidence is?
The "individual" could create an account here and respond if he wanted to. It would be stupid, but he definitely has an opportunity.
And who told you anybody had to be professional on here?
They had executive signoff until half an hour prior to the talk, and they didn't see the text revoking permission until after the talk. I'm not sure what else they were supposed to have done.
It sounds so extreme that either the exec is unusually unaware of the consequences of his action or there is more to the story.
Does the story they are presenting make sense to you? It doesn't to me!
All that's left is to assume there is more to the story than what is written.
Seriously - the guy above you would support anyone in power and talk down to anyone not in it.
This has left the security organization mired in internal political turmoil and has triggered the exodus of most intelligent security professionals from the organization.
This situation appears to be a case of the new and confused security executive mentioned in comments on this thread over reacting.
I say "confused" because for the presenters to get this far they obviously have gone through levels of approval for the talk and presented material internally. This talk was indeed presented before at the Chatham House Red Team Summit in SF, where many tech company Red teams were present and code was released to some collaborating parties. If you don't know what is going on in your own organization with your directors, you are confused.
I say "over reacting" because any decent security executive knows you can't ask a team member to pull a Defcon talk on extremely short notice, as it would be damaging to their personal reputation in the community. Firing them for not pulling the talk is completely idiotic, as it's likely to burn the organizational reputation with the security community. It was likely just a snap decision by said confused executive who did not understand the ramifications of his decision. If you fire someone after they get off the stage at Defcon, you more than likely have overreacted.
Sadly these are the types of things that happen when you have poor leadership at high levels. I feel bad for the good security folks still left at Salesforce who have to tolerate this garbage. Luckily there is a massive demand for good security professionals, so they should have no trouble finding other employment, hopefully with competent leadership.
If you're close to the Silicon Valley tech community, you know the Salesforce datacenter organization and, recently, the security organization have been taken over by many ex-Microsoft executives who are fairly clueless.
This. A thousand times this. The Microsoft rot started in the Datacenter and Security org but is fast spreading to all of infrastructure resulting in a culture that is dramatically different from the rest of Salesforce.
If you're from Microsoft (or better yet, a crony of a high up Microsoftie in Salesforce) you are guaranteed to receive a plum job with a bump up of at least two or more seniority levels and preferential treatment in every aspect.
It's not hard to find examples of mid-level ICs (level 61 - 62) being brought in as Senior Directors, level 63's being brought in as principal architects, etc. What about non-Microsoft people? Well, in that case we need to 'carefully consider the feedback', 'be conservative in our approach', 'avoid being too generous', etc.
Every process, from hiring, to promotions, to appraisals has been systematically corrupted and taken over almost exclusively by Microsoft people with the inevitable results.
It's like watching an aggressive strain of flesh eating bacteria at work. It would be comical the amount of damage this is causing Salesforce if it weren't for the enormous human impact.
Sounds more like Futurama's bureaucracy skit.
The levels at Salesforce are a lot more coarse.
(Glad you stayed, the security work done at MS is high-impact and far-reaching).
i.e. the people who hired them are also clueless when it comes to security. And, the people who hired them did not perform due diligence to be sure that the hirees were competent.
Or, maybe one "bad apple" got hired via bluff and bluster, and then proceeded to hire tons of incompetent cronies.
Either way, the higher ups at Salesforce haven't been paying attention to how their organization is being run.
That says they were required to cancel it.
>But in another text message seen by Schwartz and Cramb an hour before their talk, the same Salesforce executive told the speakers that they should not announce the public release of the code, despite a publicized and widely anticipated release.
If the executive told them not to announce the open-sourcing, then he was expecting them to speak, just not that they would announce the open-sourcing. My guess is that they did not acknowledge that first request, and thus the executive told them half an hour later to cancel all. So the original issue of confrontation was about the open-sourcing, not about the speech itself.
If they missed the first text there's a good chance they might miss the second text as well.
Which said unnamed executive should have known was patently unreasonable to expect to be received and read in time.
Sounds like a failure in basic communication, somewhere in the organization. And if someone in the C-level feels they need to intervene at the last minute to set things straight -- this very strongly suggests point source of the failure was most likely somewhere in the middle layers (or at the C-level itself) - not with the frontline engineers.†
But which at Salesforce is apparently no protection against getting hung out to dry.
† Especially when we read the parts about "The talk had been months in the making" and that the executive pulled the plug at the last minute "despite a publicized and widely anticipated release."
Doing a 'fire-and-forget' text message and then attaching grave consequences to the timing is ridiculous.
Never mind the fact that it was Defcon; I'm a regular presenter at conferences and meetups, and literally #1 on my last-minute checklist is to text my wife that I'm now unreachable and silence my phone.
Maybe next time, Salesforce should think twice about sending its executives to DEFCON. Without some basic introduction as to what it's actually about.
Pretty sure some of those are FBI and other agencies ;-)
I know very little about security or defcon, but I was under the illusion that stuff like running Wifi Pineapple to trick people to connect to their hotspots was common and doesn't require any 0-days.
The concern is man-in-the-middle attacks. Easy, no user interaction required, and works very well. No chipset zero days involved.
1) Make sure it has an Apple logo on the back and is up to date. I'm serious on this one. Too many Android phones don't get updated by the carrier and that's why I'm not a fan. Yes, if you have the latest phone from Google, you are fine. From another manufacturer, very questionable. The sheer number of Android phones which have connected to my open research WiFi networks over the years and exposed some secret is just tragic, from user PINs thanks to a carrier installed warranty app to e-mail passwords thanks to broken Samsung KNOX TLS middling implementations.
2) Shut off all background activity from apps when not on and in front of me: settings -> general -> background app refresh. Slide that one to off for everything.
3) Turn off WiFi and Bluetooth.
4) For added paranoia, put it in airplane mode when not being used.
5) Make sure it doesn't have any information or accounts on it which I'd not like to be made public.
6) Back it up.
7) A quick audit of apps I'll be using at the con to ensure they are reasonably secure on the wire by using working TLS exclusively. Yeah, very few people will ever do this but thankfully 1-6 should be sufficient.
From what I hear all those Chinese dissidents that are tragically no longer with us were all using Apple products...
There is a XDA post somewhere explaining this.
Reminds me of a friend who said his MySpace password was just "password123" because "It's such a stupid password that nobody would ever use it, so hackers don't even bother trying it!"
I wish I had multiple faces so I could palm more than one.
SMS is UDP, and voice is TCP?
As others have mentioned, this is Defcon - it's very common for folks (myself included) to go dark while on premises. At one company I worked for that was actually handed down in the form of policy & attendance guidelines.
Not only that but the executive in question was physically present and watching the talk. If this was so critical as to warrant the immediate termination of two senior team members, then I have to believe it was critical enough to go talk to them immediately prior or even during the talk if necessary.
The entire chain of events makes no logical sense, and does not inspire much faith in the Salesforce executive team.
There's a lot of weirdness in the reporting here; for instance, the notion that Salesforce management had a meeting with members of their own team under "Chatham House rules".
Certainly very weird that the environment was that charged politically that these rules were needed.
But before everyone gets on their high horse, please pause to reflect:
This was all company work product being presented by company employees who were on a company funded conference trip. Therefore there is an approval process for vetting presentations as well as a legal process for opensourcing code. This is standard practice at all companies.
Now what do you think is more likely: That the PR department would approve of a talk titled "meatpistol" (FIXED) (have you seen the slides?) and the legal dept would approve of open sourcing the code and then at the very last minute both groups would change their mind and try to pull the talk, or that the presenters never got the OK in the first place, the company found out at the last minute, asked them to pull the talk and they refused?
How likely is it that they would get official approval for their talk under a "Chatham's rules" meeting in February for a presentation <strike>in August</strike> at the end of July? Isn't it more likely that they got some initial approval for a talk in February, but that PR still wanted to vet the actual slides in <strike>August</strike> July? (I'm assuming that the slides were made after February.) Which PR department gives approvals like that? What legal department works this way? In my experience, stuff like this happens at the last minute, because that's when you're finishing your slides (as well as your code), and generally PR is going to ask that you make some changes to your slides and they will want the final copy before signing off. Now maybe I'm wrong and the article is correct, but I think it's unlikely.
Moreover given that Salesforce can't talk about this matter, who do you think is the source for the article and whose side are you hearing?
The last few days have really highlighted how quick people are to pile on with outrage and self-righteous indignation before getting all the facts.
Also, why pull out in the last 30 mins? And why fire them? No warnings? Mistakes happen; you don't fire a director for something like that. The PR process is to make sure the company's image looks good, and who better knows the Defcon audience? Hackers, or PR people who don't understand the framework?
There is really no other way to see it than Salesforce fucked up.
I wonder why they didn't pick Metapistol.
I too hope that nobody actually uses such a mnemonic in this day and age, but for such a mnemonic to be forgotten entirely would be a massive loss. Whitewashing the past of its blatant racism and sexism will only serve to erase the reminders we as a society have of why the present is an improvement on the past. Every artifact of such archaic and abhorrent beliefs serves as yet another datapoint demonstrating the whole concept of "Mak[ing] America Great Again™" to be misguided at best and abhorrent at worst.
In other words: we absolutely shouldn't be teaching such a mnemonic in classrooms, but we absolutely should continue to document their existence as evidence of exactly how fucked up the past really was.
HN has a setting that allows you to view dead posts.
OK, try getting a PR department to sign off on that.
And they presented it at Hushcon before with approval so what's the problem with that?
I don't see why you keep defending Salesforce; they did mess up even if, say, the employees did not go through the approval process. You don't fire people over that, especially if previous talks are public on the same subject. Especially not at Defcon. That's why SF is in the wrong.
Why do we have to feel obliged to take offense at the whole word due to one slang definition?
Why should MEATPISTOL be a problem?
1. to make slow; delay the development or progress of (an action, process, etc.); hinder or impede.
verb (used without object)
2. to be delayed.
3. a slowing down, diminution, or hindrance, as in a machine.
4. Slang: Disparaging and Offensive.
a contemptuous term used to refer to a person who is cognitively impaired.
a person who is stupid, obtuse, or ineffective in some way: a hopeless social retard.
5. Automotive, Machinery. an adjustment made in the setting of the distributor of an internal-combustion engine so that the spark for ignition in each cylinder is generated later in the cycle.
Seriously, there is a balance to be had. People who went through traumatic events are often offered therapy precisely because you can't reasonably expect the entire world to guess and remove every single thing that can trigger someone's hurtful memories.
I'm so used to hearing without any conceit that antibacterial mouthwashes can retard bacterial growth.
Actively developing and planning to release a malware creation tool? That sounds like developing and releasing cyber weaponry. We've got export laws regarding that IIRC.
I think that article only emphasises that it is not subject to those regulations. Quote:
We conclude that, at a technical level, the distinction between weaponry and non-weapon malicious software lies in the payload component of the tool, which must be capable of creating destructive digital or physical effects
Meatpistol is only a framework, therefore there's no payload component.
Given that SF employees have presented at many conferences in the past I don't see that getting official approval for the presentation is that strange.
I agree that we need more details, but can you really say that this situation has not played out many times before?
Like if they went on stage and flopped, they could get fired. Similarly maybe they were too good. Or the boss was having a bad day.
One of the employees is based out of Sydney, so no, California at-will employment law doesn't apply.
It would be interesting to see what grounds they are using to fire him.
Based on previous experiences with other companies, I found that it's not unusual for executives in one country to think that the employment law in their jurisdiction is universal and just assume they can apply it to employees in other countries.
Most notice periods in AU are 4 weeks so you either are fired with 4 weeks notice or fired immediately and paid for those 4 weeks.
(The notice period also applies if you decide to leave the organisation)
The rule specifically is:
Can notice be paid out instead of worked?
Yes. An employer can either:
Let the employee work through their notice period, or
pay it out to them (also known as pay in lieu of notice).
If the employer pays out the notice, the amount paid to the employee must equal the full amount the employee would have been paid if they worked until the end of the notice period. This includes:
incentive-based payments and bonuses
any other separately identifiable amounts.
If the employer pays out the notice, the employee does not accrue any annual leave for the notice period they were paid out for.
They might have one here, but I doubt it.
Specifically John Cramb (the Australian) was presenting alongside Josh Schwartz the director of offensive security. It seems that one could reasonably establish that John was acting under the directions of his superior, and that would mean that the default position would be to assume that his actions were sanctioned by the company unless they can prove that he knew otherwise.
And even then, they would be expected to provide a written warning, or justify why the violation was so extreme as to justify immediate termination (which would be very difficult given he was acting under the instructions of a superior).
Based on the limited evidence we have, it seems that Salesforce has unfairly dismissed John, and that the Californian executive ought to have consulted with an Australian HR lawyer before he acted.
Generally speaking, multinational companies will offer employment contracts through a local subsidiary. In that case the employment will fall under the laws of that country. And if they send you on an overseas business trip that doesn't change anything - even if the parent company is domiciled in that country.
If they don't have a local presence, and you're working remotely, then you're more likely to be a contractor and dismissal laws are pretty loose.
The interesting thing would be if they had a local subsidiary but chose to employ you on contract to the parent company. I suspect (but IANAL) that the Australian Fair Work Commission would determine that (if the contract was long term and indefinite) that you were actually an employee of the local subsidiary.
That's not true, we have unfair dismissal laws: https://www.fwc.gov.au/termination-of-employment/unfair-dism... . From the page:
Your dismissal may be considered unfair if:
* you were dismissed, and
* your dismissal was harsh, unjust or unreasonable, and
* your dismissal was not a case of genuine redundancy, and
* if you were employed by a small business, your dismissal was not consistent with the Small Business Fair Dismissal Code.
Personally I would consider this harsh, unjust and unreasonable, especially if this is the first time and the person doesn't have a lot of publicity experience.
(a) and (b) give you Australian employment protections. (c) obviously only gives you whatever protections are in the contract.
I've never seen anyone under a contract of employment (rather than a contract for services) of a foreign company that purports to not be governed by Australian employment law.
Firing someone in California requires that they be paid in full right then and there. This includes payment for accrued vacation time, comp time, etc. Were these employees paid off properly?
Actually, they can (with a few exceptions). California is at-will employment:
"At-will employment is a term used in U.S. labor law for contractual relationships in which an employee can be dismissed by an employer for any reason (that is, without having to establish "just cause" for termination), and without warning."
Or, as the Supreme Court of California explains:
"[A]n employer may terminate its employees at will, for any or no reason ... the employer may act peremptorily, arbitrarily, or inconsistently, without providing specific protections such as prior warning, fair procedures, objective evaluation, or preferential reassignment ... The mere existence of an employment relationship affords no expectation, protectable by law, that employment will continue, or will end only on certain conditions, unless the parties have actually adopted such terms."
Like, if someone decides to come out of the closet on social media and their co-workers find out and their boss hears about it and fires them the next day but claims that it's a "no reason" termination, it would certainly raise suspicion that they were actually being fired for being gay, and they might win a wrongful termination lawsuit, even in an at-will employment state.
It's not strange at all. So dig up some of those slide decks of past SF talks and compare them to what was presented in the meatpistol talk. Then you can decide for yourself whether you think this talk was approved or not -- it would be the same PR department approving all the talks, right? In any case, the facts may come out in the representation, as you suggest.
Generally I can kinda see how the EFF would be interested in the topic of their presentation, but effectively this is an employee and employer legal issue now.
The exec that fired them was an attendee at the conference. How can he not have known about their talk? That makes no sense.
I expect that lots of new Salesforce vulnerabilities will be discovered and disclosed.
Oh, even worse: no new vulnerability discovery and disclosure, which in turn decreases the security of Salesforce products.
What the hell, Salesforce? This looks bad. There's either more to the story or this is just extreme knee jerk.
To get canned for not responding to a text message 30 minutes before a talk - which you were already approved for - seems terribly unfair and a decision probably made in the heat of the moment.
How to Backdoor Invulnerable Code: https://youtu.be/EGshffkzZsY?t=680
Speakers at large companies must get the entire content of their public presentations approved by PR and upper management well in advance. The process can take weeks even for completely innocuous information because accidental disclosure can have serious implications.
1. Disclosure of number of customers, number of transactions, number of anything can be reverse engineered by investors and competitors to derive forward looking information about the company's finances. Or worse, transactions related to specific customers so their financials could be reverse engineered. Good way to lose a client.
2. Disclosures of internal resources, urls, domains, architectures etc can be a treasure trove for competitors and malicious attackers.
Maybe it was a tongue in cheek joke because he was fully aware his content had been vetted 10 times over. Or maybe not and this is part of a pattern.
In contrast I _did_ watch the linked video and can tell you that it was professional, did not expose any personal details of SF employees, any company secrets nor did it disparage the company or paint it in a negative light.
Don't believe me? Just watch the video.
Don't know OP's motivation in making his comment. He blames a misunderstanding of a colloquialism for the confusion, but to me it looks like an attempt to discredit the presenter.
And I may have locked my last account (i336_) a while back by setting "noprocrast" to a ridiculous value, which I TIL that day actually is not fixable. This is a new account. I'm debating whether to ask for my old account to be unlocked, or to start again.
FWIW, this account's first post went badly - https://news.ycombinator.com/item?id=14909407 (downvoted to 0) - and I got bitten a couple days ago as well - https://news.ycombinator.com/item?id=14975515 (down to -1), hmph.
I find that irony indirectly relates to cynicism sometimes.
I think the "in the house" exclamation/reply was in agreement with what you were saying, and that it was directed at Salesforce.
If I wanted to ensure something did or didn't happen, and time was a critical factor, I would call, talk in person, or use some other form of synchronous communication to ensure my message was received. I certainly wouldn't blast out a text message and then have a baby tantrum after the fact.
Either way, "director of offensive security" is a pretty hefty-sounding title to fire off-the-cuff like an incompetent intern.
Ding, ding, ding! We may have a winner.
Here's my guess - the guys that got fired were more than technically competent (basically experts going off what I've read), but probably were pushing the envelope in terms of what Salesforce, or more specifically Salesforce's large enterprise customers, felt comfortable having discussed out in the open.
Maybe a plausible explanation of what happened here was that all awareness / approval of the talk was limited to that team, and when an exec outside of the security team heard about it, they freaked out, causing all of this.
Either way Salesforce really fucked up here.
As a Sales(overpriced)force user, it's definitely something that infuriates me as someone that would both leverage their platform and METAPISTOL for our firm's consulting work.
Bad on them. It could have been great PR like Netflix and their open source tools.
From what I can read about this the case is similar, but in both actions it was a miscommunication. The speakers should have been informed that it was unacceptable. They should have been talked to about their inability to give the talk, and the talk should have been cancelled. I would like to hear the other side of the story from Salesforce to give a full judgement, but I would expect a reprimand at best and not a firing.
1. The researcher you are talking about should have known the content was classified well before he did the talk. Whether it was classified or not was not based off the decision of an executive.
2. The punishment for revealing classified data to an audience is clearance loss & likely prison. It is not comparable to revealing proprietary company data that is not classified or not even covered under ITAR.
Oh and try to be there on time if you need to do something that critical.
So nobody will see a text message in a timely manner, unless they knew the burner phone number.
I'd tried to force the phone to LTE only, but I'm not sure whether it worked.
If people are on iPhones, they're on their old one.
Because most burner phones use 2G or maybe 3G, both significantly weaker than LTE.
These days I update, backup, and lock down my daily use iPhone before going. See my post earlier in the comments for more details on that. In terms of what was happening in the last two years at DEF CON that could get you with all the steps I took, OpenLTE networks were tricking phones into attaching to them and the most disturbing thing I saw of that was middling of TLS. However, it was of course with a self-signed certificate so as long as you didn't accept the cert, you were likely fine.
If you had an older phone, one without all the latest updates and that wasn't configured to be mostly silent, then your experience could be very different. There is a surprisingly high number of SMS exploits which still work to this day on a large number of phones, and of course SS7 has architectural weaknesses which will likely never be fixed.
I am sure that many folks would be very interested in seeing any supporting data/captures. This is incredibly uncommon.
Unfortunately, when it comes to calling it "incredibly uncommon", we really don't have any widely deployed solutions to identify rogue cellular base stations, so it's very difficult to say how often it happens IRL, although the only times I've ever seen it happen have been the last two years at DEF CON.
I bought a laptop at Staples, put Fedora on it, used it for the conference, and I only really use it for when I go to conferences and the like.
There is a mix of folks using late model phones and burner phones, but there is a lot of burner usage at DefCon/DerbyCon/BlackHat.
I highly doubt this. Also, bear in mind that few bug hunters would be dumb enough to burn an iOS RCE 0day on some of the most monitored/logged wireless airspace on the planet.
DEF CON provides conference WiFi with preauthorized certificates (WPA2), so if you remove all other known open networks then you can have secure and sane WiFi at the conference.
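The "WPA2 with preauthorized certificates" setup mentioned in the comment above is WPA2-Enterprise (802.1X), where the client is supposed to verify the RADIUS server's certificate before sending credentials. As an added illustration that is not part of this thread and not DEF CON's own documentation, here are two wpa_supplicant network blocks for such an SSID: the weak form that skips server verification, beside the hardened form that pins the CA and server name. The SSID, identity, password, CA path and server domain are placeholders, not the conference's real values.

```ini
# Added example (not from the thread or DEF CON): wpa_supplicant
# network blocks for a WPA2-Enterprise (802.1X / PEAP) SSID.
# SSID, identity, password, CA path and server name are placeholders.

# WEAK: no ca_cert and no domain_suffix_match, so the supplicant
# accepts whatever certificate the authentication server presents.
# Any access point broadcasting the same SSID can therefore complete
# the TLS tunnel, and the inner MSCHAPv2 exchange is exposed to it.
network={
    ssid="EXAMPLE-CONF-WIFI"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="guest"
    password="guest"
    phase2="auth=MSCHAPV2"
}

# HARDENED: the server certificate must chain to the CA published out
# of band (the "preauthorized certificate"), and its subject / SAN must
# end with the expected domain.  An access point whose server cannot
# present such a certificate fails the EAP-TLS phase before the client
# sends any credential material.
network={
    ssid="EXAMPLE-CONF-WIFI"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="guest"
    password="guest"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/wpa_supplicant/example-conf-ca.pem"
    domain_suffix_match="radius.example-conf.org"
    priority=10
}
```

Both `ca_cert` and `domain_suffix_match` are real wpa_supplicant options; the first is what makes the certificate "preauthorized" rather than merely accepted on first use, and the second stops a validly signed certificate for some unrelated host from being accepted. Removing other saved networks, as the comment suggests, prevents the device from auto-joining an open SSID it remembers; the pinned block is what prevents it from trusting an impostor on the conference SSID itself. Neither step addresses bugs in the Wi-Fi chipset or baseband firmware, which sit below the supplicant.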
Emphasis mine. Merely "removing" networks from your device does not preclude you from being attacked. Broadcom, and all the locked-down devices that aren't iPhones or high-end Android devices which use them, demonstrate this quite nicely.
I'm not condoning firing as a response - that's as thoughtless and unimaginative as the name. And perhaps the name isn't even the reason for it - that doesn't seem to be clear. But come on guys, try to stay classy.
....really? That seems like an incredible stretch.
> I'm not condoning firing as a response - that's as thoughtless and unimaginative as the name. And perhaps the name isn't even the reason for it
The article and the surrounding discussion make it super, super clear that it's nothing to do with the name at all.
How far do you take this word-association game?
I note that the US represents itself using the image of an eagle. So did the Roman Empire, and later the Nazi party. Should everyone be uncomfortable with America over that?
To be fair, I think it's more common for security projects to take on more aloof names. Who could forget "John the Ripper" or "Back Orifice" from the Cult of the Dead Cow? I'm sure there are many more ..
True, although I also find the negative sides of "hacker culture" more pervasive and less challenged than "brogrammer" culture or whatever term you want to use.
> Why all this morality police?
I find it overly sexualised, from a very masculine perspective. That's not really appropriate in a professional context in my opinion, but more than that, it can really put some people off the industry. Unfortunately, those people it puts off are disproportionately from groups that are already minorities in the industry, and so it helps in some small way, to perpetuate the lack of diversity.
Obviously this particular example really is only a small part of the problem, but it all contributes, and one of the easiest ways to do our part for increasing diversity and making the industry more welcoming is to do things like improve the naming of our projects.