So apparently Salesforce fired two of their engineers after they gave a talk at DefCon about their work. The talk was about a tool called MEATPISTOL which, per their materials, is a “gun made out of meat… that shoots malware bullets”. (“Semp’a scuppetta mane tene”, I guess.)
Anyway, perhaps a less surreal way to describe it would be as a platform that automates management of implants (malware) for a red team. What happened was that the folks at Salesforce, apparently 30 minutes before their talk, received a text from the mothership telling them not to do the talk. They say they didn’t see it until after the talk was done, so they did the talk anyway. And apparently, shortly after their talk was over, they were fired.
This isn’t the first time this type of thing has happened. Getting fired after doing a security talk (particularly DefCon) is something that happens every few years. In fact, I had a “near miss” with this myself: an employer decided at the last minute that they didn’t want me doing a talk because of how they thought it’d make them look (wasn’t DefCon). This despite the fact that they reviewed the materials and granted permission many months in advance. I didn’t ultimately get fired for giving it — I suppose mostly because I tendered my resignation and did the talk as “John Q. Public” rather than as their representative. Had I stayed in their employ, I’m sure consequences would have been (ahem) “undesirable” since I was straight-up doing that talk anyway.
Anyway, the reason I’m commenting on this is because of the terrible optics here for Salesforce. At least, what I think are terrible optics. Now, note that I’m not saying that firing them was necessarily the wrong move. The specific circumstances are unknown, and there could be parameters that make it a “must do” from Salesforce’s point of view (that we don’t know about). For example, maybe Salesforce considers the techniques to be proprietary trade secrets. Yes, I realize MEATPISTOL is open source so that argument is a bit thin, but we all know how companies can be — so it’s not a completely unreasonable position for them to take. If that’s the case, it could be that their policy requires terminating people who publicly divulge trade secrets – in fact, they might be seen as negligent should they not do so (depending on how that policy is written). I’m not defending them, mind you — just pointing out that there is at least one possible situation where they had no other choice but to do this.
Inadvertently or not though, Salesforce undermined their credibility in the security community to a significant degree. Don’t believe it? Look at the Twitter. But facts being facts, it seems to me like Salesforce clearly doesn’t care. For example, they could have done this quietly weeks from now. They could have, for example, put out a statement about why their hand was forced to fire these guys despite their tremendous value to the security community, how their policy leaves them no other choice but to fire them, how it grieves them that the world is the way it is, and how much they wish they had another option but to fire them. Oh, and while they were at it, they could include some saccharine language about how much they support full disclosure, how they value the free and open exchange of information, how much they are committed to supporting the security community at large, and how much they love truth, justice and the American Way – and puppies. In other words, a big group hug, with the end state (firing these engineers) being equivalent to what they wound up doing (just with better optics).
They did not do that though. Instead, they let them go on the spot. In my mind, this is a signal that how they are perceived by the security community isn’t top of their list of things they care about. Should it be? I suppose it’s about utility. To the extent that they can ignore the security community and still have their products be robust, reliable, and hardened, I’m not sure I care all that much about how deep their head is in the echo chamber. That said, I feel like pissing off potential customers isn’t usually a good practice. Maybe the security community is offering something to them that helps their business; maybe making enemies of an entire group of constituents could have a bottom-line impact? We’ll see.