Hacker News
Salesforce fires red team staffers who gave Defcon talk (zdnet.com)
698 points by stevekillian 163 days ago | 290 comments

I was one of the people that was there when it happened. My coworkers and I were asking one of them questions after the talk. The goons were kicking us out of the rooms because it was the last talk of the day and they wanted people to leave. We were talking in the hallway and asking him questions when we ran into the other presenter there (and people were asking him questions too). Anyway, a few mins later I see our old executive walk to them and tell them they have to talk. They started walking and talking, but it was right in the open and you could pretty much hear them. They end up stopping and it looks like they were trying to defend themselves. A few mins later the executive leaves and they end up walking back to the group that was still waiting to ask them questions (including us). They had been fired effective immediately.

The executive is Jim Alkove. He is a moron and our security org has completely revamped after he "left" to join other companies. All the recent advancements in Microsoft security/Win10 were because we no longer had a leader like him.

Feel sorry for these guys.

I worked at a lot of companies under a lot of different managers.

If I hear a manager fires them at such a moment, it already gives me an idea of what kind of manager we're talking about.

If a manager sends a text message half an hour before the talk starts to not give the talk, I definitely know what kind of manager it is.

You have 2 kinds of managers: The ones that think ahead of the time, and the ones that don't think ahead of the time. It's pretty easy to distinguish the two.

You forget the 3rd kind: the ones who think ahead of the time, but use urgency as a way of shielding their decision-making reasoning.

Let's say Employee A comes up to Manager three months before Defcon, saying he'd like to do such and such. Manager doesn't like it, but he doesn't want to upset A at that time because Reasons. He says "sure bud, you go ahead, I'll check with the lawyers just in case and let you know if there is any problem". Then he waits, and half an hour before the talk, through an indirect medium like email or text, he goes "sorry man, I only just got a message back from the lawyers that you can't talk about that. Totally gutted! Oh well, better luck next year, uh?"

30 mins before the presentation, after they've all flown to the conference, is not incompetence; it's malice.

At least in that case I wouldn't mind if a superior was honestly and truly checking with Legal Departments, and others of authority, to verify whether some action I was considering taking was going to cost me my job... Could any of us here really be upset about a Manager that does that?

I'm fairly certain the implication here is that he was not, in fact, checking with Legal or anyone, but simply holding off to make it seem as if he was and it was too late to question.

Jim is known for retaliating against his employees. That's why we got rid of him at MSFT and then Google... He is happy enjoying his millions in stock units and 100% bonus target. What did you expect? SOP.

No, I don't think so, assuming the manager also said something along the lines of "The check might run right up before your talk. Please make sure to check your phones before walking on stage so that if something happens last minute you'll know. I'll promise to text you either way."

In a large corporation I worked for a long time, if EVP fires somebody on the spot it means that EVP is next to go. I assume this will be the case for Salesforce.

On the spot, At defcon, 30k people. Anyone at Salesforce wanna talk about what's going on? Make a throwaway, use opsec. What are your opinions on this? What is your opinion of Jim as your leader?

Throwaway for obvious reasons.

Incredibly bad leader. Ask away.

No questions from me, but I've met Josh and the rest of the redteam. I hope they are doing well. Lots of good folks in salesforce security =)

Okay, umm... Why is he an incredibly bad leader?

What are this "leader"'s justifications for preventing the talks and for preventing the open sourcing of this software? Is it liability or competitive advantage based?

Were there any consequences for the leader? If not, it sounds like those above him are just as bad.

How do we even know you work there?

Why are you still there?

Wait, what's the reason for that rule? Sounds interesting.

Firing someone on the spot in a public setting is either a drastic overreaction (and why that's fireable is obvious), or a response to a complete blindsiding … at a level at which the job is to not get blindsided.

Either way, it's a complete PR catastrophe, at a level at which the job is not to do those.

It's also a complete HR catastrophe. How could anyone feel comfortable in their position, knowing they could be fired at any moment, publicly and without warning? Terrorizing your employees is completely unacceptable as a manager.

Edit: I guess I don't have much experience with HR at large companies - I use the term to refer to aspects of management related to maintaining employee wellbeing, workplace culture etc.

HR doesn't care about that! Not unless it's actionable. Good way to lose your star contributors, sure, but past a certain basic point retention isn't really part of HR's role.

"Retention isn't part of HR's role"

Really? I've always seen HR as a sort of "union for un-unionised employees". They help you get stuff out of the business, and help the business get the most out of you.

Perhaps I've only encountered the good kind of HR.

A significant aspect of HR (at least in the UK) is protecting the company from its 'resources', and ensuring that the company has a robust (i.e. legally defensible) paper trail when disputes arise. E.g a process for putting people on an 'improvement plan' in response to poor behaviours / performance, and which can ultimately lead to dismissal.

Back in the day, the term 'anti-personnel department' was often used.

And don't get me started on the use of the term 'human resources'

[Edit] - more detail. I'm a techie but have occasionally had line management (in addition to tech lead) responsibilities. The first time I took on these duties, I had to do the relevant HR training and was amazed at the attitude: a little bit of 'duty-of-care' and a lot of 'follow-this-process-to-make-sure-the-law-is-on-our-side'

My experiences of UK large company HR departments was basically that they were the hit squad - if they were in the building then you knew someone was in major trouble.

I had an interesting experience a couple of years back when everyone in our office was called to a surprise meeting with HR except me.... I had already resigned, everyone else got the bullet in that caring way that HR departments are famous for.

A company I worked at did something similar; those who were being kept were told to go somewhere else, not to go to that meeting. Those that were still around were herded into the classroom, to be met by the HR head and a hired goon of a security guard. The entire office was being closed, but the way it was done was more hurtful to those folks than the basic business decision.

Can confirm as a programmer in UK. I hit this wall recently when asking for extended leave to deal with a personal crisis. The colluded response from HR/the business was to give me notice.

Take it from someone whose partner works in HR: they are not your friend. They may be nice people, they may try to help, but their _job_ is to protect the company's interests. Each time you talk to them about conflict, you're taking a bet your interests and theirs align.

In other news, for a bunch of smart people, engineers are spectacularly underunionized.

They are however, definitely interested in retention. They have a keen understanding of the total cost of finding and onboarding a new employee. If a particular executive is putting that in jeopardy then a good HR department will take note.

> They have a keen understanding of the total cost of finding and onboarding a new employee.

Because they will be involved in recruiting, they will also have a keen understanding of how much that increases their workload, which is otherwise pretty flimsy in a lot of cases. The more churn, the more they can justify their headcount.

They definitely are, but in a circumstance like this the most _urgent_ problem they've got is a bunch of ex-employees with a legal action brewing. Implicitly admitting liability without a quid-pro-quo isn't going to happen.

Which isn't to say HR won't want him gone. Just not yet.

Well yes, but the company's interest in this case is not to have a PR fail at their hands.

> They help you get stuff out of the business

Nope; they help the business get the most out of you without getting sued. That's the alpha and omega of HR.

Their obligations are to the company, not to you. When they answer your questions, they do it so you can't claim later on that the company didn't tell you such and such or that the procedure XYZ was unclear, and sue them. They are nice so that you won't see the company as adversarial and sue them. And so on and so forth.

At some places, they have one branch of "good cop" HR that cuddles the employees, hands out candy and attempt to boost morale, and one "bad cop" branch that does all the dirty work of protecting the company from liability and attempting to squeeze out as many hours as possible while keeping compensation and human costs to a minimum.

They aren't your friends. They protect the company first. Definitely think twice before going to HR for anything not related to the normal benefits/vacation type issues. If you have an issue with another employee, you may very well be the problem that gets eliminated, not the other employee.

Many people, myself included, feel that HR is almost totally on the side of the company and don't represent employee interests effectively (if at all).


I doubt it will make even a dent in Salesforce's profits or that anybody of their clients will even blink about it.

As for their PR, that's paid for (and customers might even like the drastic action).

Except if you mean PR to prospective security hacker hires.

Having a major disruption in your security department can mean an upcoming disaster for a company offering cloud based services. From what this sounds like, they not only got rid of 2 very competent employees, the manager doesn't seem to have acted especially brilliantly, and they might have discouraged competent security people from applying at the company. What could possibly go wrong with this?

How does one even make this mistake? There seems to be nothing strategic about this...

People aren't fully strategic 100% of the time. When clouded by emotion, suboptimal decisions can look strategic. (Ex. establishing/asserting their authority.)

Oh, gotcha. Thanks.

Executives who make hasty hot-headed decisions are not the guys you want steering the ship, regardless of the popular caricatures you see on TV.

Well, in this case:

1) The PR backlash is going to be gigantic.

2) If you fire someone on the spot (I have), you'd better have a damn good reason (I did--repository sabotage) as the company is now going to have to pay money to defend/payoff this.

3) Suddenly firing important people disrupts daily business functions for weeks or months.

4) Unless you think they are going to actively sabotage something, you can wait until they get home to reprimand or fire people.

All told, some manager is getting thrown under the bus for this.

> The PR backlash is going to be gigantic.

The Google thing was gigantic. This is a blip.

The Google thing is a medium splash in a big pond. This is a small splash, but arguably in a much smaller and more concentrated pond. Within the community of red teams and DEFCON regulars I wouldn't be surprised if this is much better known than the (now) ex Googler is within the more general tech community.

What Google thing?

An internal memo with astonishingly poor typography was leaked. Since Google sell a word processor and are a font vendor this made them look bad. So he was fired.

(I'm only half joking. People don't talk about how poor the layout of that document was, but it was my first and lasting impression)

Surely there is more context to that story.

It's unbelievable that it was only the memo. And quite likely just the last straw.

I can easily imagine someone that produces poor quality once publicly probably did so many times privately, and it's likely more of a symptom of underlying inadequacy than the actual reason for firing.

But you know, headlines..

And yes, I have no previous experience or knowledge about this, so sorry if I'm armchairing a bit.

No, it was just the memo.

Larry Summers (a leading economist with often controversial opinions) got fired from his position as the president of Harvard for effectively making the same point [1] except, you know, well argued, unlike in the Google manifesto.

If Larry Summers gets fired for that, a random engineer is definitely getting the boot.

[1] http://www.harvard.edu/president/speeches/summers_2005/nber....

Honestly, relative to the usual discussions on the topic (including discussions about the Google memo), the memo was refreshingly well-argued, coherent and polite.

That's just like, your opinion man.

Everyone agrees it was polite, but well-argued and coherent is where not everyone does agree.

I've seen people with advanced degrees host debates where they legitimately advocated creationism as the truth against evolutionary biologists with equally advanced degrees. They were polite, and their supporters would say well-argued and coherent. But anyone who knows anything about the topic would see that the creationists weren't actually adding to the discussion or making strong points at all. Those creationist debates are always unsatisfying and exhausting to listen to, and after a while, that schtick becomes old and non-creationists stop engaging because it's just boring. But creationists will attend and be excited every time because having a debate against a real scientist legitimizes them.

That's how this memo thing felt. Nothing new was added to the discussion (at least not to those of us who have had this discussion before) and it just seemed like an opportunity that some less savory folks jumped on to promote some out-dated views (and more importantly, for mainstream media to jump on to paint all of tech as a place where those views are the norm. That story sells despite how wrong it is).

FWIW, I do hate impoliteness though. I understand why people felt defensive for the author after watching the internet freak the hell out (in rude or dismissive ways) about the memo which was not impolite in itself.

Well yes, that's my opinion :). I found the memo coherent, in the sense that it was well-structured and followed consistent reasoning, and well-argued, in the sense that it linked to supporting research and reasoned mostly correctly from it. It doesn't mean everything there was 100% correct, but almost no one is; it still was a quality entry to the intellectual debate.

At the risk of perpetuating the disagreement, IMO if anything is similar to the creationist debaters, it's the voices against the memo.

Going through the few recent HN discussions on the topic, I found that on the one side, you had people (including an actual scientist in the domain) telling that the memo basically got the science (even if not ultimate conclusions) right, as supported by _even more_ research people linked to, vs. the other side saying he presents "outdated" views of "biological determinism", etc., with no counter to the research cited by the memo itself (not to mention others) - just unsubstantiated accusations and dismissals.

More than 5 doctors confirmed the memo was consistent with science and his text referenced appropriate sources, as common with any paper. It's incredible that non-medical people can override science with their belief. It's Galileo all over again, fired because one shall not contradict [place godly entity here].

The paper went much further than presenting a summary of mashed up research from a variety of fields that investigate sex & gender variations. For that, all you need is some reprints of Nature and Scientific American.

Instead it wanted to connect that research to a) company policy and b) American-specific political divides. And to do that required a battery of assumptions regarding intention, merit, aptitude, worth, values.

That's where the wheels came off and everyone started projecting their own ideological interpretations, and you've been arguing past each other ever since.

The memo also put forth a position that women were, on average, biologically inferior to men at engineering roles.

In the off chance you're not making a point/being funny, they're most likely referring to the diversity manifesto

Sorry, I thought it was a vulnerability/technique impacting Google services that dropped at the convention. Now I get the connection was being made to widely reported staff behavior.

In most corporations there's nothing like that.

I am not sure that creating burner accounts to libel people by name is an entirely appropriate use of this site no matter what your personal feelings are.

You don't have any evidence to substantiate any of what you are writing and this individual has no opportunity to respond to what you are writing.

This is highly unprofessional behavior no matter what you think the justification is.

It's not libel unless it's proven FALSE.

Statements from witnesses ARE evidence. What do you think evidence is?

The "individual" could create an account here and respond if he wanted to. It would be stupid, but he definitely has an opportunity.

And who told you anybody had to be professional on here?

If this is true then I feel like I've avoided a bullet. Was looking at a position at SF that would have rolled up to him.

Do you know if these former employees reside in California or New York?

FTA: "Josh Schwartz, director of offensive security based in San Francisco, and John Cramb, senior offensive security engineer in Sydney, Australia, worked on the cloud giant's security 'red team'"

The one we were talking to had an Australian accent, but I did not ask. The other one is @fuzzynop and yes he's in California. He actually DJ'd for dualcore.

I understand feeling sorry, but doing a talk like this without the full support of your leadership is an incredible error. If you work for a big company, you can't do talks like this without aligning pr, leadership etc.

From TFA: "Salesforce executives were first made aware of the project in a February meeting, and they had signed off on the project, according to one person with knowledge of the meeting."

They had executive signoff until half an hour prior to the talk, and they didn't see the text revoking permission until after the talk. I'm not sure what else they were supposed to have done.

And Alkove was there - physically present. He could've warned them off in person, and made sure they knew what was up. No one is going to care why he didn't.

Aware and signed off on the project and aware and signed off on the Defcon presentation are two different things. I only know what I've read in this article and discussion on this, but I don't read "Salesforce executives were first made aware of the project in a February meeting" as meaning they had corporate sign off (they may have, but that's not what that sentence means).

I don't think the article makes sense. Firing someone on the spot for a talk that was approved would put the company at risk of legal action.

It sounds so extreme that either the exec is unusually unaware of the consequences of his action or there is more to the story.

Did you read the article? Your comment suggests you didn't.

I read the article.

Does the story they are presenting make sense to you? It doesn't to me!

All that's left is to assume there is more to the story than what is written.

Did you? They didn't explicitly say the company signed off on the talk/presentation, just the project.

Did you read the authoritarian spectre? Your deductions hint you didn't.

Seriously - the guy above you would support anyone in power and talk down to anyone not in it.

If you're close to the Silicon Valley tech community you know the Salesforce datacenter organization and, recently, the security organization have been taken over by many ex-Microsoft executives who are fairly clueless when it comes to security.

This has left the security organization mired in internal political turmoil and has triggered the exodus of most intelligent security professionals from the organization.

This situation appears to be a case of the new and confused security executive mentioned in comments on this thread over reacting.

I say "confused" because for the presenters to get this far they obviously have gone through levels of approval for the talk and presented material internally. This talk was indeed presented before at the Chatham House Red Team Summit in SF, where many tech company red teams were present and code was released to some collaborating parties. If you don't know what is going on in your own organization with your directors, you are confused.

I say "over reacting" because any decent security executive knows you can't ask a team member to pull a Defcon talk on extremely short notice, as it would be damaging to their personal reputation in the community. Firing them for not pulling the talk is completely idiotic, as it's likely to burn the organizational reputation with the security community. It was likely just a snap decision by said confused executive who did not understand the ramifications of his decision. If you fire someone after they get off the stage at Defcon you more than likely have overreacted.

Sadly these are the types of things that happen when you have poor leadership at high levels. I feel bad for the good security folks still left at Salesforce who have to tolerate this garbage. Luckily there is a massive demand for good security professionals, so they should have no trouble finding other employment, hopefully with competent leadership.

Using a throwaway account as my username is very close to my real name :-(

> If you're close to the Silicon Valley tech community you know the Salesforce datacenter organization and recently security organization has been taken over by many ex-Microsoft executives who are fairly clueless

This. A thousand times this. The Microsoft rot started in the Datacenter and Security org but is fast spreading to all of infrastructure resulting in a culture that is dramatically different from the rest of Salesforce.

If you're from Microsoft (or better yet, a crony of a high up Microsoftie in Salesforce) you are guaranteed to receive a plum job with a bump up of at least two or more seniority levels and preferential treatment in every aspect.

It's not hard to find examples of mid-level ICs (level 61 - 62) being brought in as Senior Directors, level 63's being brought in as principal architects, etc. What about non-Microsoft people? Well, in that case we need to 'carefully consider the feedback', 'be conservative in our approach', 'avoid being too generous', etc.

Every process, from hiring, to promotions, to appraisals has been systematically corrupted and taken over almost exclusively by Microsoft people with the inevitable results.

It's like watching an aggressive strain of flesh eating bacteria at work. It would be comical the amount of damage this is causing Salesforce if it weren't for the enormous human impact.

Wait, there are 63 or more levels of management at Salesforce? Is there a level 1? Is there anything higher than 63? What's the distinction between a 61 and a 62?!

Sounds more like Futurama's bureaucracy skit.

There are "80" levels at Microsoft [1]. But they begin around 59 for engineers.

The levels at Salesforce are a lot more coarse [2].

[1] https://www.quora.com/What-are-all-the-job-levels-in-Microso...

[2] https://www.quora.com/What-does-the-Salesforce-career-ladder...

No, usually Microsoft levels start at 59 for new hires and get all the way to 70 for CVPs, it is related to compensation bands.

Sorry not so sorry. These people leaving MS was the best thing that ever happened to MS. It's sad that because of one of them, this unfortunate event had to occur.

OT, but I'm curious, what kept you at the company in the face of such leadership?

(Glad you stayed, the security work done at MS is high-impact and far-reaching).

I wonder if future iterations of linked In will track not only the performance but also the culture you are taking along with you.

> ... security organization has been taken over by many ex-Microsoft executives who are fairly clueless when it comes to security.

i.e. the people who hired them are also clueless when it comes to security. And the people who hired them did not perform due diligence to be sure that the hirees were competent.

Or, maybe one "bad apple" got hired via bluff and bluster, and then proceeded to hire tons of incompetent cronies.

Either way, the higher-ups at Salesforce haven't been paying attention to how their organization is being run.

The article says that they were forbidden to announce open-sourcing of the tool. They were required not to cancel the speech, but to not announce open-sourcing. Having such second thoughts about open source is so typical of old-school managers, it doesn't even surprise me.

>said to have sent a text message to the duo half an hour before they were expected on stage to not to give the talk,

That says they were required to cancel it.

>The tool was expected to be released later as an open-source project, allowing other red teams to use the project in their own companies.

>But in another text message seen by Schwartz and Cramb an hour before their talk, the same Salesforce executive told the speakers that they should not announce the public release of the code, despite a publicized and widely anticipated release.

If the executive told them not to announce the open-sourcing, then he was expecting them to speak, just not that they would announce the open-sourcing. My guess is that they did not acknowledge that first request, and thus the executive told them half an hour later to cancel all. So the original issue of confrontation was about the open-sourcing, not about the speech itself.

If they don't acknowledge the first text the answer is to send another much more extreme text? Why not just a reminder of the first text? Or call them? Or talk to them in person, because he seems to have been there in person.

If they missed the first text there's a good chance they might miss the second text as well.

The unnamed Salesforce executive is said to have sent a text message to the duo half an hour before they were expected on stage to not to give the talk, but the message wasn't seen until after the talk had ended.

Which said unnamed executive should have known was patently unreasonable to expect to be received and read in time.

Sounds like a failure in basic communication, somewhere in the organization. And if someone at the C-level feels they need to intervene at the last minute to set things straight, this very strongly suggests the point source of the failure was most likely somewhere in the middle layers (or at the C-level itself), not with the frontline engineers.†

But which at Salesforce is apparently no protection against getting hung out to dry.

† Especially when we read the parts about "The talk had been months in the making" and that the executive pulled the plug at the last minute "despite a publicized and widely anticipated release."

There's a good chance that those guys didn't even have their phones on. If something is that urgent you don't text, you call, and if the call doesn't go through you find someone else that you can call who can go to the people involved and so on until you have guaranteed timely delivery and if you can't achieve that then you're going to have to live with the consequences.

Doing a 'fire-and-forget' text message and then attaching grave consequences to the timing is ridiculous.

>> There's a good chance that those guys didn't even have their phones on.

Nevermind the fact that it was defcon, I'm a regular presenter at conferences and meetups, and literally #1 on my last-minute checklist is to text my wife that I'm now unreachable and silence my phone.

Nevermind the fact that it was defcon. Having your phone on in a place where thousands of security experts are running amok is a surefire recipe for ensuing hilarity.

> Having your phone at all

I thought it was SOP to not bring your phones to DEFCON

Right - there's that, too.

Maybe next time, Salesforce should think twice about sending its executives to DEFCON. Without some basic introduction as to what it's actually about.

I used burners at DEFCON 2016. Eventually moved back to my actual phones. But, I talked with other people and according to them there were cell sites that were suspect. Never found out if it was true or not. But, as others have stated I turned off my WiFi.

Before DEF CON there are about 20 cell towers in the area, during DEF CON there were almost 130 (rumour I heard, while gooning in the contest area)...

Pretty sure some of those are FBI and other agencies ;-)

I was at this past DEFCON, we had cell sites named "Arnold's Biggest Scam" and "AT&T Totally 1337 Tower". There are others, but those two were prominent because I could access them in my room lol.

From what I’ve read, all you really need to do is turn off wi-fi, which is already fairly paranoid given that no one is realistically going to burn a serious chipset zero-day on random people at a conference. Fake cell towers do occasionally happen but rapidly lead to arrests.

Why wouldn’t they burn a chipset 0-day? It’s unlikely that only one exploit has been and will ever be uncovered. Imagine the shitstorm if you phoned all of DEFCON with a recording to attend your talk, on their radio “off” devices, because you powered them back on at the right time. Imagine the respect. That would be worth a 0-day.

"random people" who with high probability may have undisclosed 0day exploits stockpiled on other devices.... Yeah, if I'm an APT author, DEFCON attendees are (the hardest to exploit and most paranoid [read: likely to get caught by]) the ideal target for any nation-state. Not to mention that the conference is often attended by multiple state agencies, which makes the target even juicier. Yes, it's an extremely hard and dangerous group of people to attempt to exploit, but that doesn't detract from the potential value and payoff of a successful APT exploit on said group of people.

That's not how Nation State actors work. One of the things that makes Nation State actors dangerous is they have the patience and resources to attack a high value target at the most likely to succeed point. Backing that up, they generally have the intelligence to know when that best time is. And they for sure know that it's not at defcon when everyone is, as you say, paranoid and on the alert. They're going to get you at home, at happy hour with your non-security friends, in that bar with the great but insecure wifi and no 4g.

Or they'll get you while you're in the security line at the airport on your way home.

I guess it depends which State we're talking about, but yes.

You just made that up. There are fake cell stations every year, and there has never been an arrest.

I might be wrong, but I most certainly did not make it up. Will Strafach and Dan Tentler would at least appear to disagree with you: https://twitter.com/chronic/status/884434768380776448

There are no arrests listed for cellular activities at Wikipedia’s “Notable Incidents” list for DEFCON, so if you have direct confirmation of any such arrests, you should add them to the page at https://en.m.wikipedia.org/wiki/DEF_CON

You just pasted a conversation full of people saying that there are rogue base stations. And I don't see anyone reporting arrests!

> all you really need to do is turn off wi-fi, which is already fairly paranoid given that no one is realistically going to burn a serious chipset zero-day on random people at a conference

I know very little about security or defcon, but I was under the illusion that stuff like running Wifi Pineapple to trick people to connect to their hotspots was common and doesn't require any 0-days.

There are more advanced tricks which are less overt, but you are correct, none require zero days.

> chipset zero-day

The concern is man-in-the-middle attacks. Easy, no user interaction required, and works very well. No chipset zero days involved.

Not really. Folks usually switch between LTE-only and airplane mode if they're trying to be cautious.

It's defcon. There's a fair chance those guys locked their phones in the hotel safe.

Here's what I do with my phone before heading to DEF CON (yes, I don't bother with burners anymore):

1) Make sure it has an Apple logo on the back and is up to date. I'm serious on this one. Too many Android phones don't get updated by the carrier and that's why I'm not a fan. Yes, if you have the latest phone from Google, you are fine. From another manufacturer, very questionable. The sheer number of Android phones which have connected to my open research WiFi networks over the years and exposed some secret is just tragic, from user PINs thanks to a carrier installed warranty app to e-mail passwords thanks to broken Samsung KNOX TLS middling implementations.

2) Shut off all background activity from apps when not on and in front of me: settings -> general -> background app refresh. Slide that one to off for everything.

3) Turn off WiFi and Bluetooth.

4) For added paranoia, put it in airplane mode when not being used.

5) Make sure it doesn't have any information or accounts on it which I'd not like to be made public.

6) Back it up.

7) A quick audit of apps I'll be using at the con to ensure they are reasonably secure on the wire by using working TLS exclusively. Yeah, very few people will ever do this but thankfully 1-6 should be sufficient.
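Step 7 above is the one nobody does, so here is what such an audit can look like in code. This is an added example, not code from the thread or from any commenter: it takes a summary of an app's observed connections (record format, app names, hosts and the request bytes are all constructed for the example) and flags every connection that is cleartext or that completed a TLS handshake without verifying the peer certificate, plus any credential-bearing header or form field that went out in the clear. The carrier-app PIN and the unverified-TLS cases mirror the two failure modes the comment describes.

```python
"""Cleartext and unverified-TLS audit over constructed connection records.

Added example, not from the original thread.  The Connection record, the
app names and the sample requests are assumptions made for this example;
a real audit would fill the records from a packet capture of the phone.
"""
import re
from dataclasses import dataclass

# Request headers that carry a secret if they are ever sent without TLS.
CREDENTIAL_HEADERS = {"authorization", "cookie", "x-api-key"}
# Form or JSON field names that usually hold a secret.
CREDENTIAL_FIELDS = re.compile(r"(?i)\b(pass(word)?|pin|token|secret)\b\s*[=:]")


@dataclass
class Connection:
    app: str
    host: str
    port: int
    tls: bool                 # a TLS handshake was observed on this connection
    cert_verified: bool       # the peer certificate chained to a trusted root
    request: bytes = b""      # first application-layer request, if cleartext


def leaked_credentials(request):
    """Name the credential-bearing headers/fields in a raw cleartext HTTP request."""
    if not request:
        return []
    head, _, body = request.partition(b"\r\n\r\n")
    header_lines = head.decode("latin-1").split("\r\n")[1:]   # skip the request line
    leaked = []
    for line in header_lines:
        name, _, _ = line.partition(":")
        if name.strip().lower() in CREDENTIAL_HEADERS:
            leaked.append(name.strip())
    if CREDENTIAL_FIELDS.search(body.decode("latin-1")):
        leaked.append("body field")
    return leaked


def audit(connections):
    """Return (app, host, finding) tuples for every connection that fails the audit."""
    findings = []
    for c in connections:
        if not c.tls:
            findings.append((c.app, c.host, "cleartext connection"))
            leaked = leaked_credentials(c.request)
            if leaked:
                findings.append((c.app, c.host,
                                 "credentials in cleartext: " + ", ".join(leaked)))
        elif not c.cert_verified:
            # TLS that accepts any certificate is what a rogue hotspot needs to MITM it.
            findings.append((c.app, c.host, "TLS without certificate verification"))
    return findings


# Constructed sample: one clean app, one carrier-style app posting a PIN in the
# clear, one app with TLS but no verification, and one harmless cleartext fetch.
SAMPLE = [
    Connection("mail", "imap.example.net", 993, tls=True, cert_verified=True),
    Connection("warranty", "api.example-carrier.test", 80, tls=False, cert_verified=False,
               request=b"POST /check HTTP/1.1\r\nHost: api.example-carrier.test\r\n"
                       b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                       b"imei=000000000000000&pin=1234"),
    Connection("chat", "chat.example.org", 443, tls=True, cert_verified=False),
    Connection("weather", "w.example.com", 80, tls=False, cert_verified=False,
               request=b"GET /today HTTP/1.1\r\nHost: w.example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for app, host, finding in audit(SAMPLE):
        print(f"{app:10} {host:28} {finding}")
```

The "cleartext connection" finding by itself is informational (the weather fetch leaks nothing); the two findings worth acting on are the PIN leaving the device over port 80 and the chat app that does TLS without checking who it is talking to, since the second is invisible to a port-based check and is exactly what an open hotspot at the con can exploit.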

> Make sure it has an Apple logo

From what I hear all those Chinese dissidents that are tragically no longer with us were all using Apple products...

[citation needed]

There was also this one for which I had involvement: http://www.falseconnect.com/ which while impacting nearly every major technology vendor was particularly bad for Apple. Pretty much anyone who'd been using a proxy service (which includes some VPN providers like TorGuard) for privacy with iOS or macOS opened themselves up to full compromise of the cryptographic channel. The thing is, Apple recognized it was a big problem and got it patched and that patch distributed to all impacted devices in under 45 days from the first report. A similar flaw I reported to Samsung a few years earlier is still not patched on every Android phone impacted because some carriers didn't push the patch.

What good is the magically secure Apple logo on top, when you actually have a Broadcom doing the work down in the metal? I doubt this was the only existing hole: http://thehackernews.com/2017/07/android-ios-broadcom-hackin... (but Apple updated fastest, I do concede that)

Indeed, the same Broadcom chip used in a bunch of Android phones and to my original point, yes Apple was not only the quickest to patch, but there's a good chance a large number of Android phones will never get a patch.

Thanks for the rundown. What's your opinion on LineageOS, security-wise?

LineageOS is pretty good on security and privacy. But IIRC you may NOT have the latest patches even if you have the latest version.

There is an XDA post somewhere explaining this.

Haven't looked at it.

Any DEFCON attendee knows the hotel safe is a laughably insecure place to keep valuables.

So they would never expect it!

Oh god...

Reminds me of a friend who said his MySpace password was just "password123" because "It's such a stupid password that nobody would ever use it, so hackers don't even bother trying it!"

I wish I had multiple faces so I could palm more than one.

> If something is that urgent you don't text, you call

SMS is UDP, and voice is TCP?

p good analogy, people will generally ACK a phone call since it implies a higher level of importance and could be about anything under the sun, but right before giving a talk at a conference i think most people would drop that text message UDP packet.

They usually ACK...on the happy path. They might RST, for one, or even timeout.

Yes! A million times, yes! Defcon is the only Vegas conference I ever bring a burner to.

Man, I missed so many good party invitations at Defcon this year just by not checking Facebook until Sunday night!!!

"Come to Dark Alley 2b, totally great party!!!"

No, these were invitations from people I knew.

From accounts you believed belonged to people you knew, you mean ;o) DEFCON, after all.

I bumped into several of them in person who went "too bad you missed my party"

> Which said unnamed executive should have known was patently unreasonable to expect to be received and read in time.

As others have mentioned, this is Defcon - it's very common for folks (myself included) to go dark while on premises. At one company I worked for that was actually handed down in the form of policy & attendance guidelines.

Not only that but the executive in question was physically present and watching the talk. If this was so critical as to warrant the immediate termination of two senior team members, then I have to believe it was critical enough to go talk to them immediately prior or even during the talk if necessary.

The entire chain of events makes no logical sense, and does not inspire much faith in the Salesforce executive team.

It does make perfect logical sense - as soon as you exclude the requirement "acting in good faith".

It's possible the executive knew they wouldn't see it and thereby could then use it as an excuse to fire them.

It's probably way too early for us to know what's really happened here. If you're unfamiliar with this stuff, you should know that Salesforce has a large and relatively savvy security team, including people who have presented at offensive security conferences in the past.

There's a lot of weirdness in the reporting here; for instance, the notion that Salesforce management had a meeting with members of their own team under "Chatham House rules".

I wasn't familiar with "Chatham House rules". But it allows members to present controversial arguments and prevents anyone from associating their arguments with them after the fact. For example, I can cite the argument later but not say who made the argument, in order to protect them from political repercussions. https://en.m.wikipedia.org/wiki/Chatham_House_Rule

Certainly very weird that the environment was that charged politically that these rules were needed.

Red Team operations can be very controversial as they risk impacting day-to-day operations and data integrity, and can have legal repercussions. I expect they would have this sort of meeting relatively often, regardless of this particular case.

I was not at the conference and have no first hand knowledge of what happened.

But before everyone gets on their high horse, please pause to reflect:

This was all company work product being presented by company employees who were on a company funded conference trip. Therefore there is an approval process for vetting presentations as well as a legal process for opensourcing code. This is standard practice at all companies.

Now what do you think is more likely: That the PR department would approve of a talk titled "meatpistol" (FIXED) (have you seen the slides?) and the legal dept would approve of open sourcing the code and then at the very last minute both groups would change their mind and try to pull the talk, or that the presenters never got the OK in the first place, the company found out at the last minute, asked them to pull the talk and they refused?

How likely is it that they would get official approval for their talk under a "Chatham's rules" meeting in February for a presentation <strike>in August</strike>at the end of July? Isn't it more likely that they got some initial approval for a talk in February, but that PR still wanted to vet the actual slides in <strike>August</strike>July? (I'm assuming that the slides were made after February.) Which PR department gives approvals like that? What legal department works this way? In my experience, stuff like this happens at the last minute, because that's when you're finishing your slides (as well as your code), and generally PR is going to ask that you make some changes to your slides and they will want the final copy before signing off. Now maybe I'm wrong and the article is correct, but I think it's unlikely.

Moreover given that Salesforce can't talk about this matter, who do you think is the source for the article and whose side are you hearing?

The last few days have really highlighted how quick people are to pile on with outrage and self-righteous indignation before getting all the facts.

During the talk they told us why they called it meat pistol.. it's an anagram for metasploit. Meat Pistol made sense because it shoots out malware implants.

Also why pull out in the last 30 mins? And why fire them? No warnings? Mistakes happen, you don't fire a director for something like that. The PR process is to make sure the company's image looks good, who better knows the Defcon audience? Hackers or PR people who don't understand the framework?

There is really no other way to see it than Salesforce fucked up.

> During the talk they told us why they called it meat pistol.. it's an anagram for metasploit. Meat Pistol made sense because it shoots out malware implants.

I wonder why they didn't pick Metapistol.

What are you more likely to remember a week from now: Meatpistol or Metapistol? Reminds me of the resistor color code mnemonic, something I memorized for life the first time I heard it.

Ahh! Violet! I miss her.

Leave her alone, she's just 7.


The former, because it is both risque and clever. The latter is just rude and unrelated, and will be forgotten with the rest of the mental trash.

The original comment was flagged to oblivion, but I'm assuming it quoted one of the ones on https://en.wikipedia.org/wiki/List_of_electronic_color_code_..., in which case - unless you feel inclined to start yet another Wikipedia edit war - it will probably not "be forgotten with the rest of the mental trash".

I too hope that nobody actually uses such a mnemonic in this day and age, but for such a mnemonic to be forgotten entirely would be a massive loss. Whitewashing the past of its blatant racism and sexism will only serve to erase the reminders we as a society have of why the present is an improvement on the past. Every artifact of such archaic and abhorrent beliefs serves as yet another datapoint demonstrating the whole concept of "Mak[ing] America Great Again™" to be misguided at best and abhorrent at worst.

In other words: we absolutely shouldn't be teaching such a mnemonic in classrooms, but we absolutely should continue to document their existence as evidence of exactly how fucked up the past really was.

No, it's not quoting anything from there. It's just random obscenities jumbled together.

HN has a setting that allows you to view dead posts.

There's a lot of things you can wonder, but they're not all worth mentioning.

>During the talk they told us why they called it meat pistol.. it's an anagram for metasploit. Meat Pistol made sense because it shoots out malware implants.

OK, try getting a PR department to sign off on that.

The whole point is that they already knew about it beforehand (it being called meatpistol, hence the previous meeting) so firing them 30 mins prior is bullshit, hence the drama.

And they presented it at Hushcon before with approval so what's the problem with that?

And this is what I'm saying is unlikely, because, try getting a PR department to sign off on that.

> And they presented it at Hushcon before with approval so what's the problem with that?

Why do you think they got approval at Hushcon?

Because Salesforce did nothing after hushcon? Which means it would have been approved.. say if it wasn't approved, isn't that a failure on SF's part because the employees would think it's fine.

I don't see why you keep defending Salesforce, they did mess up even if say the employees did not go through the approval process. You don't fire people over that, especially if previous talks are public on the same subject. Especially not at Defcon. That's why SF is in the wrong.

There's a lot of assumptions in this interpretation of events. It's entirely possible that warnings were issued after hushcon and that's why action was so severe this time around. It's also possible that no warnings were ever issued and there is blame for overreacting due to the management. Either way, it seems like there's plenty of information available for interpretation but not conclusion in this scenario.

Not all companies are like that. I developed an internal admin tool and called it RETARD (it's an acronym).

I'm glad I don't work at a company where that's an acceptable project name.

One dictionary I have at hand details five definitions of the word retard.

Why do we have to feel obliged to take offense at the whole word due to one slang definition.

Why should MEATPISTOL be a problem?


1. to make slow; delay the development or progress of (an action, process, etc.); hinder or impede.

verb (used without object)

2. to be delayed.

3. a slowing down, diminution, or hindrance, as in a machine.

4. Slang: Disparaging and Offensive. a contemptuous term used to refer to a person who is cognitively impaired; a person who is stupid, obtuse, or ineffective in some way: a hopeless social retard.

5. Automotive, Machinery. an adjustment made in the setting of the distributor of an internal-combustion engine so that the spark for ignition in each cylinder is generated later in the cycle.

I'm not offended and don't take issue with the use of retard in a non-slang context, but for the naming of a project I think it's inappropriate to use a word that could bring back hurtful memories of harassment that people have potentially endured.

Don't get anywhere near fire retardants...

Seriously, there is a balance to be had. People who went through traumatic events are often offered therapy precisely because you can't reasonably expect the entire world to guess and remove every single thing that can trigger someone's hurtful memories.

Then can we at least postpone the renaming until someone actually complains about it first-hand, rather than "just in case" and on someone else's behalf?

Would you name a project the same as your username?

That's a historical accident. My name in RuneScape when I played as a kid had football in it and I shortened it to foota.

I'm glad I don't work at a company where the thought police will come down on you if you don't take yourself too seriously.

"Thought Police" is alt-right for "Nazi"

Didn't you get the memo? Anyone who doesn't immediately and fully agree with your position is a "nazi", regardless of what that position is.

Still okay if there were any co-workers who found it offensive? Perhaps because it hits home for them?

Am I the only one who immediately thinks of the verb form of "retard" when it's presented with absolutely no context?

I'm so used to hearing without any conceit that antibacterial mouthwashes can retard bacterial growth.

I'm glad we haven't been forced to stop using ritardando in music settings yet.

To me the word "retard" immediately brings to mind fire retardants. Offense is in the eye of the person who takes offense...


^^ Spot the Salesforce corporate communications team kicking in...

ha good catch.

"Also why pull out in the last 30 mins?"

Actively developing and planning to release a malware creation tool? That sounds like developing and releasing cyber weaponry. We've got export laws regarding that IIRC.

Yea. EAR and ITA explicitly cover this, in fact.

Which part, specifically? The only restriction on the EAR I see that applies is that on encryption, and Part 742.15(b) provides an explicit exception for software where the source is publicly available. That's why, for example, non-US citizens must request a special license to download the paid Metasploit version but can download the open source version freely[1].

[1] https://community.rapid7.com/community/infosec/blog/2015/06/...

Journal of National Security Law and Policy, Vol. 8, No. 2, 2015. Quite the argument made there that EAR and ITA do indeed deal with the making and distribution of cyber weaponry.

Thanks for the reference!

I think that article only emphasises that it is not subject to those regulations. Quote:

We conclude that, at a technical level, the distinction between weaponry and non-weapon malicious software lies in the payload component of the tool, which must be capable of creating destructive digital or physical effects

Meatpistol is only a framework, therefore there's no payload component.

Apparently the fired employees have enough of a case that the EFF agreed to represent them.

Given that SF employees have presented at many conferences in the past I don't see that getting official approval for the presentation is that strange.

I agree that we need more details, but can you really say that this situation has not played out many times before?

I'm a little confused what their case is, can't the company fire them at any time with no reason? I don't really know much about employment law, but that was my understanding.

Like if they went on stage and flopped, they could get fired. Similarly maybe they were too good. Or the boss was having a bad day.

> can't the company fire them at any time with no reason?

One of the employees is based out of Sydney, so no, California at-will employment law doesn't apply.

It would be interesting to see what grounds they are using to fire him.

Based on previous experiences with other companies, I found that it's not unusual for executives in one country to think that the employment law in their jurisdiction is universal and just assume they can apply it to employees in other countries.

You can be fired as an Australian employee at any time but they will still need to pay out the notice period in their contract and whatever accrued annual leave they had.

Most notice periods in AU are 4 weeks so you either are fired with 4 weeks notice or fired immediately and paid for those 4 weeks.

(The notice period also applies if you decide to leave the organisation)

The rule specifically is:

Can notice be paid out instead of worked?

Yes. An employer can either:

Let the employee work through their notice period, or

pay it out to them (also known as pay in lieu of notice).

If the employer pays out the notice, the amount paid to the employee must equal the full amount the employee would have been paid if they worked until the end of the notice period. This includes:

* incentive-based payments and bonuses
* loadings
* monetary allowances
* overtime
* penalty rates
* any other separately identifiable amounts.

If the employer pays out the notice, the employee does not accrue any annual leave for the notice period they were paid out for.

But employment in Australia is not at-will, so regardless of their obligations to pay out the notice period they also need to have a valid reason for the dismissal.

They might have one here, but I doubt it.

Specifically John Cramb (the Australian) was presenting alongside Josh Schwartz the director of offensive security. It seems that one could reasonably establish that John was acting under the directions of his superior, and that would mean that the default position would be to assume that his actions were sanctioned by the company unless they can prove that he knew otherwise.

And even then, they would be expected to provide a written warning, or justify why the violation was so extreme to justify immediate termination (which would be very difficult given he was active under the instructions of a superior).

Based on the limited evidence we have, it seems that Salesforce has unfairly dismissed John, and that the Californian executive ought to have consulted with an Australian HR lawyer before he acted.

I'm ignorant as far as Australian law. Is this true if the company is based in America and the worker is laboring either in America or remotely? It seems like at that point Australian law wouldn't directly apply to termination decisions.

It depends.

Generally speaking, multinational companies will offer employment contracts through a local subsidiary. In that case the employment will fall under the laws of that country. And if they send you on an overseas business trip that doesn't change anything - even if the parent company is domiciled in that country.

If they don't have a local presence, and you're working remotely, then you're more likely to be a contractor and dismissal laws are pretty loose.

The interesting thing would be if they had a local subsidiary but chose to employ you on contract to the parent company. I suspect (but IANAL) that the Australian Fair Work Commission would determine that (if the contract was long term and indefinite) that you were actually an employee of the local subsidiary.

> You can be fired as an Australian employee at any time

That's not true, we have unfair dismissal laws: https://www.fwc.gov.au/termination-of-employment/unfair-dism... . From the page:

Your dismissal may be considered unfair if:

* you were dismissed, and

* your dismissal was harsh, unjust or unreasonable, and

* your dismissal was not a case of genuine redundancy, and

* if you were employed by a small business, your dismissal was not consistent with the Small Business Fair Dismissal Code.

Personally I would consider this harsh, unjust and unreasonable, especially if this is the first time and the person doesn't have a lot of publicity experience.

I am an Australian in Sydney with a Californian contract. Both parties can walk at any time.

Even if they have a corporate structure that seems to make the Fair Work Act not apply (say, making you a contractor of a foreign company), I'm pretty sure that the commission will still generally rule against the employer if you're effectively working as an employee and you take it to the ombudsman. So if, say, they provide office space and a computer, you work regular full-time hours and it's more than a temporary contract then it will usually be considered a sham contracting arrangement and you'll be eligible for all the standard full-time employment protections.

Are you an employee or a contractor? From among my circle of friends working for foreign companies the possible arrangements I've seen are: (a) employee of Australian subsidiary of foreign company (my situation) (b) employee, under a contract governed by Australian law, of a foreign company directly or (c) independent contractor of foreign company.

(a) and (b) give you Australian employment protections. (c) obviously only gives you whatever protections are in the contract.

I've never seen anyone under a contract of employment (rather than a contract for services) of a foreign company that purports to not be governed by Australian employment law.

California labor code section 201 (a): "If an employer discharges an employee, the wages earned and unpaid at the time of discharge are due and payable immediately."

Firing someone in California requires that they be paid in full right then and there. This includes payment for accrued vacation time, comp time, etc. Were these employees paid off properly?

The penalty is the employee's wages, day-for-day, up to 30 days. So yes, it will probably be payable, but it's just money (rather than somehow invalidating the termination, for example), and it's unlikely either side will care much about the amount.

They are probably still getting full salary and benefits until the next scheduled payday. That's how companies in CA get around the rule that employees must be paid in full on their last day.

Err, no. Payable immediately doesn't mean somebody has to hand you a wad of cash.

In California, it does.[1] California has the strictest law in the US on this.

[1] http://www.turleylawfirm.com/blog/final-paycheck-laws-for-te...

Fair enough. Salesforce has enough money that they can afford to pay the minor penalty for violating this.

For the California employee, they have to PAY YOU IMMEDIATELY, THEN AND THERE. That means either a pre-loaded card, check, or cash in hand, or other acceptable instrument of legal tender, such as a money order.

You're right. They can also hand you a check.

Any reason that isn't prevented by labor protection laws, examples: sexism, racism, ageism, whistleblowing retaliation.

Not any reason, wrongful termination lawsuits happen, and companies usually have processes for firing people, reviews to document performance etc..

> Not any reason, wrongful termination lawsuits happen, and companies usually have processes for firing people, reviews to document performance etc..

Actually, they can (with a few exceptions). California is at-will employment:

"At-will employment is a term used in U.S. labor law for contractual relationships in which an employee can be dismissed by an employer for any reason (that is, without having to establish "just cause" for termination), and without warning."

Or, as the Supreme Court of California explains:

"[A]n employer may terminate its employees at will, for any or no reason ... the employer may act peremptorily, arbitrarily, or inconsistently, without providing specific protections such as prior warning, fair procedures, objective evaluation, or preferential reassignment ... The mere existence of an employment relationship affords no expectation, protectable by law, that employment will continue, or will end only on certain conditions, unless the parties have actually adopted such terms."

Yes, but an employee can still file a wrongful termination lawsuit if they believe that the "no reason" termination was bullshit and that they were actually fired for an illegal reason.

Like, if someone decides to come out of the closet on social media and their co-workers find out and their boss hears about it and fires them the next day but claims that it's a "no reason" termination, it would certainly raise suspicion that they were actually being fired for being gay and they might win a wrongful termination lawsuit, even in an at-will employment state.

Sexual orientation is a protected class in California[0].

[0] http://www.nolo.com/legal-encyclopedia/california-employment...

>Given that SF employees have presented at many conferences in the past I don't see that getting official approval for the presentation is that strange.

It's not strange at all. So dig up some of those slide decks of past SF talks and compare them to what was presented in the meatpistol talk. Then you can decide for yourself whether you think this talk was approved or not -- it would be the same PR department approving all the talks, right? In any case, the facts may come out in the representation, as you suggest.

I have no idea about SF's processes specifically but it's certainly not universal practice to have conference presentations signed off by PR or anyone else within an organization. Doesn't mean there can't be repercussions if you say something inappropriate or disclose information you shouldn't, but not all companies require signoff from presentations.

Any comparatively large corporation very likely has a release process for these sorts of things where a bunch of groups (like PR, maybe Legal etc) would take a look. Releasing company IP as open source outside of such a process would be a gross violation of any number of non-disclosure agreements between employer and employee.

Help me out here. What is EFF's involvement in this?

Generally I can kinda see how the EFF would be interested in the topic of their presentation, but effectively this is an employee and employer legal issue now.

Which is more likely? That someone wanted this cancelled in the last 30 minutes. As you said, this was a company funded trip. There is no way this wasn't known. Multiple people were on the trip that knew of the talk well before it started. And if you knew something was going to be released that shouldn't be released, why wouldn't you go to the place where the talk was being held and stop it? Especially without confirmation.

Let's say this talk was never approved by PR and the employees went rogue. Firing someone in public right after they give a talk is still terrible optics. Even if salesforce is in the right, this executive looks totally incompetent, which in turn reflects poorly on the company. Unless it was an extended salesforce trash talk, that is.

So your intention is that they have this talk without the exec knowing it was going to happen?

The exec that fired them was an attendee at the conference. How can he not have known about their talk? That makes no sense.

puppet is not mentioned once in the article. It's called MEATPISTOL, which is obviously a codename. Also this is Defcon.

You're right, fixed. Of course it was defcon -- where did I say it was something else?

>> The last few days have really highlighted how quick people are to pile on with outrage and self-righteous indignation before getting all the facts.


The facts are the exec that hired them was an attendee at the conference. He must have known perfectly well what they were going to present well in advance. So the facts are that prior authorisation doesn't look like it could possibly be the issue.

I think you're exactly right here. The article leaves off too many details and speculates entirely too much for me to feel comfortable making any kind of assessment and I think that this is exactly what they want. We haven't heard any official statements from EFF, Salesforce, or anyone besides anonymous sources. That kind of deliberate omission usually means that there's more to the story than we're led to believe and they need to get their side out there immediately to drudge up quick support and a clickbait headline to put in people's heads. There's still a chance that it's exactly what they said, but I find that hard to believe at this stage.

Seems like a bad idea for a public SaaS company that relies on trust from customers that their data is secure to piss off their own offensive security team by firing them suddenly without even a warning received.

I expect that lots of new Salesforce vulnerabilities will be discovered and disclosed.

Last year we reported a vulnerability where a default option in Salesforce orgs allows browser session hijacking. They came back telling us that it wasn't a bug, but working as intended, and that bugs like that aren't part of their bug bounty program anyway. Then when we found a public salesforce forum post from eons ago where a salesforce employee confirmed this bug/feature and tweeted it to our clients, they kicked us out of the bug bounty program for disclosing vulnerabilities.

>I expect that lots new Salesforce vulnerabilities will be discovered and disclosed.

Oh even worse, no new vulnerability discovery and disclosure, which in turn decreases the security of Salesforce products.

Oh, they will be discovered and disclosed, just not to Salesforce or the public but to "interested third parties".

Much of the talk on this is about whether or not SFDC has a 'right' to do this, or if it's legal. Frankly that's all immaterial - this sounds like a perfect way to either lose most of your security staff over the next 6-8 months, or get yourself fired. Not sure the exec in question was planning on either of those outcomes, but they are the most likely.

That seems like a tad bit of an overreaction on Salesforce's part. The only mismatch here was the expectation set around the availability of the tool's source? So yeah, it was clear the tool is owned by Salesforce and ultimately something like that is decided by the company, but saying you're going to "fight to have it open sourced" and advocating to have tooling you build be shared outside of your company doesn't seem like a fireable offense to me. Look at what it's done for companies like Facebook and Google.

What the hell, Salesforce? This looks bad. There's either more to the story or this is just extreme knee jerk.

EEK. When speaking in front of a large audience, it's generally a good idea to either mute your phone, or ditch it entirely before you get up onstage.

To get canned for not responding to a text message 30 minutes before a talk - which you were already approved for - seems terribly unfair and a decision probably made in the heat of the moment.

I don't think that "not responding to a text message" was the actual reason.

They got fired right after the talk, looks like the person on the other end took it too seriously.

Oh, the irony! Months before he was fired, in his talk [1] at QCon London 2017 (March 5-7), Josh Schwartz jokingly said: "I am going to tell some stories and hopefully I won't get fired for sharing this stuff but we'll see how it goes".

[1] How to Backdoor Invulnerable Code: https://youtu.be/EGshffkzZsY?t=680

I think that may be the opposite of irony. It's foretelling if he's not 100% sure what's been approved.

Speakers at large companies must get the entire content of their public presentations approved by PR and upper management well in advance. The process can take weeks even for completely innocuous information because accidental disclosure can have serious implications.

1. Disclosure of number of customers, number of transactions, number of anything can be reverse engineered by investors and competitors to derive forward looking information about the company's finances. Or worse, transactions related to specific customers so their financials could be reverse engineered. Good way to lose a client.

2. Disclosures of internal resources, urls, domains, architectures etc can be a treasure trove for competitors and malicious attackers.

Maybe it was a tongue in cheek joke because he was fully aware his content had been vetted 10 times over. Or maybe not and this is part of a pattern.

I think both you and OP are reading a bit too much into that phrase and it seems like both of you definitely did not listen to the talk.

In contrast I _did_ watch the linked video and can tell you that it was professional, did not expose any personal details of SF employees, any company secrets nor did it disparage the company or paint it in a negative light.

Don't believe me? Just watch the video.

Don't know OP's motivation in making his comment. He blames a misunderstanding of a colloquialism for the confusion, but to me it looks like an attempt to discredit the presenter.

Oh, the irony! You've just created a whopping conspiracy theory out of my comment.

Salesforce PR in the house!

That's a really old account to just have 10 karma...

Hey! I'm not doing much better and I'm very sensitive about it.

I'm in Australia, so I almost never see stories as they start rising. :D

And I may have locked my last account (i336_) a while back by setting "noprocrast" to a ridiculous value, which I TIL that day actually is not fixable. This is a new account. I'm debating whether to ask for my old account to be unlocked, or to start again.

FWIW, this account's first post went badly - https://news.ycombinator.com/item?id=14909407 (downvoted to 0) - and I got bitten a couple days ago as well - https://news.ycombinator.com/item?id=14975515 (down to -1), hmph.

I am sorry for my poor karma. I did not live up to your standards. My account is a failure.

You're not a failure though. Just to make that clear.

Forgive me for my poor English; it looks like I have misunderstood the meaning of the "Oh, the irony!" expression. I thought when someone says "oh the irony" they mean what they are saying it about wasn't expected and is kind of crazy to believe. I was wrong. I am sorry.

No, you're right. The statement is an exclamation of being overwhelmed by the irony of a situation, and irony itself is... slightly editing Wikipedia's definition for clarity, it's "an event in which what appears to be the case on the surface, differs radically from what is actually the case."

I find that irony indirectly relates to cynicism sometimes.

I think the "in the house" exclamation/reply was in agreement with what you were saying, and that it was directed at Salesforce.

Why in the hell would Executive Dumbass, er, Jim Alkove, send such an urgent request via an asynchronous form of communication? Is he a moron (obviously)?

If I wanted to ensure something did or didn't happen, and time was a critical factor, I would call, talk in person, or use some other form of synchronous communication to ensure my message was received. I certainly wouldn't blast out a text message and then have a baby tantrum after the fact.

Considering he was present at Defcon and could've simply talked to his employees, he definitely is a moron.

Very weird. Seems possible that some clueless higher-up found out about it at the last minute and said "don't you dare let this happen," some middle manager tried to stop it, failed, panicked, and threw Schwartz and Cramb under the bus to evade blame. Could also be office politics bullshit; a high-up was gunning for them with no real justification and ginned up a smokescreen to fire them.

Either way, "director of offensive security" is a pretty hefty-sounding title to fire off-the-cuff like an incompetent intern.

"Could also be office politics bullshit; a high-up was gunning for them with no real justification and ginned up a smokescreen to fire them."

Ding, ding, ding! We may have a winner.

Here's my guess - the guys that got fired were more than technically competent (basically experts going off what I've read), but probably were pushing the envelope in terms of what Salesforce, or more specifically Salesforce's large enterprise customers, felt comfortable having discussed out in the open.

My impression of the security team at Salesforce is that it's always been a bit of a fiefdom with little input or control from the mothership.

Maybe a plausible explanation of what happened here was that all awareness / approval of the talk was limited to that team, and when an exec outside of the security team heard about it, they freaked out, causing all of this.

I'd be fascinated to learn more of the backstory here, because the story as reported so far is baffling.

Looks like the executive who messaged them 30 mins before took it personally that they ended up presenting even though he asked them not to, so he fired them. Otherwise it makes no sense to fire people right after they finish their talk, unless of course you've got an ego to show.

Either way Salesforce really fucked up here.

Right. Even if he legitimately felt the engineers were out of line in some way -- firing them at a public conference (and not just any conference - but that industry's leading annual conference) is just dumb.

I guess. It's just so horrendously counterproductive, even for Salesforce, if it really was what it's being reported as.

I have a feeling that we're only getting half of the story here. I kinda feel, because of the way the article is written, that these 2 didn't actually get approval to do this release but decided to anyway. So many details about that process are left out of the article that it feels like it's being disingenuous in its "transparency".

Sounds like an executive that's afraid of "Hackers" and well out of tune with what the industry is about.

As a Sales(overpriced)force user, it's definitely something that infuriates me as someone that would both leverage their platform and METAPISTOL for our firm's consulting work.

Bad on them. It could have been great PR like Netflix and their open source tools.

I find it hilarious that at the end of the post it says "Contact me securely" and goes on to give a PGP fingerprint. All while being served up via http...

It's up to you to check the Web of trust of this fingerprint. It being served over HTTP is not an issue at all. Even in Trust on First Use I would argue delivering over HTTP is not an issue.

It is an issue because you could MITM this and give a different address and fingerprint. This seems highly unlikely but is possible.
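Added example, not from the thread or from the page being discussed: the practical check behind both replies above is that the fingerprint printed on a page (HTTP or not) is only useful if you compare it, in full, against the fingerprint derived from the key you actually fetch from somewhere else. The code below computes an OpenPGP v4 fingerprint from key material per RFC 4880 section 12.2 and compares it correctly. The key material is constructed for the example (a toy modulus, not a real key), and the function and constant names are my own.

```python
import hashlib
import hmac
import re
import struct


def v4_fingerprint(creation_time, algorithm, mpis):
    """OpenPGP v4 fingerprint (RFC 4880 s12.2): SHA-1 over the octet 0x99, a
    two-octet length, then the public-key packet body: version 4, a 4-octet
    creation time, the algorithm id, and each MPI as a 2-octet bit length
    followed by its big-endian bytes."""
    body = b"\x04" + struct.pack(">I", creation_time) + bytes([algorithm])
    for n in mpis:
        bits = n.bit_length()
        body += struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


def normalize(fpr):
    """Strip spaces, colons and case so a fingerprint copied from a web page,
    a business card or `gpg --fingerprint` output compares the same way."""
    return re.sub(r"[^0-9A-Fa-f]", "", fpr).upper()


def fingerprints_match(seen, trusted):
    """Require all 40 hex digits; a 16-digit key ID is cheap to collide, and
    compare in constant time out of habit."""
    a, b = normalize(seen), normalize(trusted)
    if len(a) != 40 or len(b) != 40:
        return False
    return hmac.compare_digest(a, b)


# Constructed toy key material for the example: far too small to be a real
# RSA key, but enough to exercise the fingerprint arithmetic.
TOY_N = int("C0FFEE1234567890ABCDEF1122334455667788990011223344556677889900AA", 16)
TOY_E = 65537
TOY_CREATED = 1500000000  # arbitrary creation time (assumption)


def fingerprint_of_key(n=TOY_N, e=TOY_E, created=TOY_CREATED):
    """Fingerprint of the key you fetched independently (keyserver, DNS,
    a colleague); algorithm 1 is RSA."""
    return v4_fingerprint(created, 1, [n, e])


def page_fingerprint_is_trustworthy(seen_on_page, n=TOY_N, e=TOY_E, created=TOY_CREATED):
    """The check the thread is arguing about: the fingerprint printed on the
    page must equal the one derived from the key actually in hand. A MITM
    can swap the text on an HTTP page; it cannot make a different key hash
    to the same fingerprint."""
    return fingerprints_match(seen_on_page, fingerprint_of_key(n, e, created))


if __name__ == "__main__":
    real = fingerprint_of_key()
    spaced = " ".join(real[i:i + 4] for i in range(0, 40, 4))
    print("page shows:", spaced)
    print("matches key:", page_fingerprint_is_trustworthy(spaced))
    # A swapped fingerprint or a different key fails the comparison.
    print("swapped page text matches:", page_fingerprint_is_trustworthy("0" * 40))
    print("different key matches:", page_fingerprint_is_trustworthy(spaced, e=3))
```

The point of the `len(...) != 40` guard is the one that bites in practice: people compare the short key ID printed at the end of a fingerprint, and generating a key with a chosen 32-bit or 64-bit ID is cheap, so only the full fingerprint ties the page to the key.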

I was at a talk at a Math Conference where the speaker wasn't allowed to give the talk due to it being Classified. This speaker was able to register at the Math Conference with the talk and canceled it at the last minute during the presentation. I don't believe that that person had any issues after the talk and was not fired from their position as a researcher.

From what I can read about this the case is similar, but in both actions it was a miscommunication. The speakers should have been informed that it was unacceptable. They should have been talked to about their inability to give the talk and the talk should have been cancelled. I would like to hear the other side of the story from Salesforce to give a full judgement, but I would expect a reprimand at best and not a firing.

That is a very different situation-

1. The researcher you are talking about should have known the content was classified well before he did the talk. Whether it was classified or not was not based off the decision of an executive.

2. The punishment for revealing classified data to an audience is clearance loss & likely prison. It is not comparable to revealing proprietary company data that is not classified or not even covered under ITAR.

But it was not classified and they had done the talk at a different conference. According to the article they got a message an hour earlier about not open sourcing it, which they did not do it looks like.

There are methods better than a text to get a hold of someone. Phone, emails, whatsapp, twitter, facebook, calling the conference management, calling colleagues at the conf, go nearby the stage at the beginning of the talk.

Oh and try to be there on time if you need to do something that critical.

Staffers, or staff? Seeing this phrase more often but to me it's always been restricted to talking about staff of political campaigns...

It's also commonly used for newspapers. I agree, I find it unusual to apply it to generic employees.

Zdnet apparently thinks it’s okay to redirect me (on mobile, after making it halfway through the article) to a scammy website promising I’d won a $1000 gift card, then hijacked my back button so I couldn’t leave. Anyone else experience this?

Looks like you got lucky. I usually get fake virus warnings that vibrate the phone nonstop or redirects to my carrier's store, one misclick away from buying a shitty mobile game.

ublock origin is your friend.

Wonder if this is related to Mike Johnson leaving?

Most people at Defcon use a "burner phone" (a cheap supermarket feature-phone) while there. Nobody who is sane would turn on their work phone anywhere near the Defcon conference. I go there every year with a throwaway phone and laptop.

So nobody will see a text message in a timely manner, unless they knew the burner phone number.

The term "most people" is terribly exaggerated. Defcon is not nearly as scary as some people make it out to be. If you have the latest security updates across your devices, disable wifi and take a few other precautions, things are fine. I was there this year and saw just as many late model iPhones (most likely not a burner) in people's hands as I did at any other conference I attended.

People do routinely screw with the cell phone networks there. Here's what happened to my burner phone this year: https://twitter.com/ryancdotorg/status/891558627986751492

I'd tried to force the phone to LTE only, but I'm not sure whether it worked.

Yep. There were several fake towers set up that would allow man in the middle attacks for phones / networks that were insecure.

Exactly. I don't think the guy who said "nobody uses a burner phone" has ever been to DEFCON. And given that phones cost $10.00 why not?

If people are on iPhones, they're on their old one.

> And given that phones cost $10.00 why not?

Because most burner phones use 2G or maybe 3G, both significantly weaker than LTE.

My burner phone, with disabled wifi, bluetooth, and data, was owned this year.

I gave up on burner phones because they were typically old and terribly vulnerable with no possible way to update - think older Android phones. Although, I did win the WiFi Village Fox & Hound hunt a few years back using a Samsung S4, but I had that thing locked down to using only a WiFi strength meter app and of course it was running CyanogenMod back when that was still a thing.

These days I update, backup, and lock down my daily use iPhone before going. See my post earlier in the comments for more details on that. In terms of what was happening in the last two years at DEF CON that could get you with all the steps I took, OpenLTE networks were tricking phones into attaching to them and the most disturbing thing I saw of that was middling of TLS. However, it was of course with a self-signed certificate so as long as you didn't accept the cert, you were likely fine.

If you had an older phone and one without all the latest updates and wasn't configured to be mostly silent, then your experience could be very different. There are a surprisingly high number of SMS exploits which still work to this day on a large number of phones and of course SS7 has architectural weaknesses which will likely never be fixed.

> OpenLTE networks were tricking phones into attaching to them and the most disturbing thing I saw of that was middling of TLS

I am sure that many folks would be very interested in seeing any supporting data/captures. This is incredibly uncommon.

Someone had put a map together of the OpenLTE / catchers they found but I can't find it. In my particular case, I had WiFi off the entire time and received certificate validation failure notices four times at different locations while at DEFCON. Given I was only connecting with LTE, there could only be one explanation for those certificate warnings. I was being redirected to an OpenLTE or other cellular base station and someone was running a MitM proxy or solution like SSLSplit on the connection.

Unfortunately when it comes to calling it "incredibly uncommon", we really don't have any widely deployed solutions to identify rogue cellular base stations so it's very difficult to say how often it happens IRL although the only times I've ever seen it happen have been the last two years at DEF CON.

That's quite disturbing. Share more details? Model of phone and OS installed? Nature of the compromise, if you know?

I saw all sorts of attempts to pwn me when I was there this year!

I was at a company that sent a large cohort to Defcon. I wasn’t going but I went to the pre-conference security briefing. The requirements were fairly extensive: no company laptops, only company phones with a long password, no 2G, no 4G, must be locked to a specific carrier, no WiFi, no bluetooth... the list went on. They were pretty concerned.

Out of my sample size of 1, I didn't take either of my devices -- my work phone or my personal phone -- to defcon or Vegas when I went last year: they didn't even leave my home.

I bought a laptop at Staples, put Fedora on it, used it for the conference, and I only really use it for when I go to conferences and the like.

There is a mix of folks using late model phones and burner phones, but there is a lot of burner usage at DefCon/DerbyCon/BlackHat.

> Most people at Defcon use a "burner phone"

I highly doubt this. Also, bear in mind that few bug hunters would be dumb enough to burn an iOS RCE 0day on some of the most monitored/logged wireless airspace on the planet.

I went there with my iPhone 6S and a Macbook Pro, and was fine. Granted, I spent all of DEFCON holed up in Caesar's doing the CTF, but I didn't encounter any issues.

DEF CON provides conference WiFi with preauthorized certificates (WPA2), so if you remove all other known open networks then you can have secure and sane WiFi at the conference.
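Added example, not DEF CON's published instructions and not from the thread: the "preauthorized certificates" part only protects you if the client actually validates the RADIUS server's certificate. A wpa_supplicant network block without `ca_cert` will happily authenticate to an evil twin broadcasting the same SSID and hand it the MSCHAPv2 exchange. The SSID, identity, CA file path and server name below are placeholders (assumptions); substitute the values and CA certificate the conference publishes.

```conf
# Weak: no CA pinning, so any access point answering for this SSID with any
# certificate completes the handshake and sees the inner authentication.
network={
    ssid="ConfNet"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="attendee"
    password="attendee"
    phase2="auth=MSCHAPV2"
}

# Corrected: pin the CA that signed the RADIUS server's certificate AND the
# name in that certificate. ca_cert alone still accepts any server cert
# from that CA; domain_suffix_match closes that gap. A rogue AP now fails
# the TLS phase before credentials are sent.
network={
    ssid="ConfNet"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="attendee"
    password="attendee"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/wpa_supplicant/confnet-ca.pem"
    domain_suffix_match="radius.example.org"
}
```

Keep only one of the two blocks in a real config; they are shown side by side for contrast. On phones the equivalent is the "CA certificate" and "Domain" fields in the enterprise Wi-Fi dialog; leaving the CA set to "Do not validate" is the weak block above.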

Broadcom disagrees.

Are you referring to a bug which was fixed prior to Defcon?

>DEF CON provides conference WiFi with preauthorized certificates (WPA2), so [if you remove all other known open networks] then [you can have secure and sane WiFi at the conference].

Emphasis mine. Merely "removing" networks from your device does not preclude you from being attacked. Broadcom and all the locked-down devices that aren't iphones or high-end android devices who use them demonstrate this quite nicely.

I haven't heard any reports of people using the Broadcom attack on a vulnerable device at DEFCON (And there are a whole lot of people monitoring the airwaves)

I didn't see this myself but the guy who works the drivethru at my local burger king told me that the red team has perfected the flame grilled whopper and they had to be fired because they had gone too far

The exploit name certainly has sexually violent connotations to me. I imagine that anyone who has been sexually assaulted would feel very uncomfortable working in an organisation that condoned such language - something like 10% of the population.

I'm not condoning firing as a response - that's as thoughtless and unimaginative as the name. And perhaps the name isn't even the reason for it - that doesn't seem to be clear. But come on guys, try to stay classy.

Do you, by chance, also get sexual implications walking around the sausage aisle in the supermarket?

> The exploit name certainly has sexually violent connotations to me.

....really? That seems like an incredible stretch.

> I'm not condoning firing as a response - that's as thoughtless and unimaginative as the name. And perhaps the name isn't even the reason for it

The article and the surrounding discussion makes it super, super clear that it's nothing to do with the name at all.

> I imagine that anyone who has been sexually assaulted would feel very uncomfortable working in an organisation..

How far do you take this word-association game?

I note that the US represents itself using the image of an eagle. So did the Roman Empire, and later the Nazi party. Should everyone be uncomfortable with America over that?

I don’t think that was related to the firing, from what I can tell, however I do agree with you, I thought the name was a bit distasteful and not appropriate for an open source project.

Why all this morality police? It's just humorous, and to understand the double meaning, it requires quite a bit of imagination.

To be fair, I think it's more common for security projects to take on more aloof names. Who could forget "John the Ripper" or "Back Orifice" from the Cult of the Dead Cow? I'm sure there are many more ..

> I think it's more common for security projects to take on more aloof names

True, although I also find the negative sides of "hacker culture" more pervasive and less challenged than "brogrammer" culture or whatever term you want to use.

> Why all this morality police?

I find it overly sexualised, from a very masculine perspective. That's not really appropriate in a professional context in my opinion, but more than that, it can really put some people off the industry. Unfortunately, those people it puts off are disproportionately from groups that are already minorities in the industry, and so it helps in some small way, to perpetuate the lack of diversity.

Obviously this particular example really is only a small part of the problem, but it all contributes, and one of the easiest ways to do our part for increasing diversity and making the industry more welcoming is to do things like improve the naming of our projects.
