{"id":544,"date":"2017-08-10T21:27:25","date_gmt":"2017-08-10T21:27:25","guid":{"rendered":"http:\/\/securitycurve.com\/?p=544"},"modified":"2017-08-10T21:27:25","modified_gmt":"2017-08-10T21:27:25","slug":"musings-on-meatpistol-firings","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=544","title":{"rendered":"Musings on MEATPISTOL firings"},"content":{"rendered":"<p><img decoding=\"async\" class=\"alignright\" src=\"https:\/\/upload.wikimedia.org\/wikipedia\/commons\/0\/06\/Meat_Stick_Studio.png\" width=\"388\" height=\"331\" \/>So apparently Salesforce <a href=\"http:\/\/www.zdnet.com\/article\/salesforce-fires-red-team-staffers-who-gave-defcon-talk\/\">fired two of their engineers<\/a> after they gave a talk at DefCon about their work. \u00a0The <a href=\"https:\/\/media.defcon.org\/DEF%20CON%2025\/DEF%20CON%2025%20presentations\/DEFCON-25-FuzzyNop-and-Ceyx-MEATPISTOL-A-Modular-Malware-Implant-Framework-UPDATED.pdf\">talk<\/a> was about a tool called MEATPISTOL, which, per their materials, is a &#8220;gun made out of meat&#8230; that shoots malware bullets&#8221;. \u00a0(&#8220;<em>Semp&#8217;a scuppetta mane tene&#8221;,\u00a0<\/em> I guess.)<\/p>\n<p>Anyway, perhaps a less surreal way to describe it would be as a platform that automates management of implants (malware) for a red team. \u00a0What <a href=\"https:\/\/twitter.com\/i\/moments\/891787766400299008?lang=en\">happened<\/a> was that the folks at Salesforce, apparently 30 minutes before their talk, received a text from the mothership telling them not to do the talk. \u00a0They say they didn&#8217;t see it until after the talk was done, so they did the talk anyway. 
\u00a0And apparently, shortly after their talk was over, they were fired.<\/p>\n<p>This isn&#8217;t the first time this type of thing has happened. \u00a0Getting fired after doing a security talk (particularly at DefCon) is something that happens every few years. \u00a0In fact, I personally had a &#8220;near miss&#8221; with this myself: an employer decided at the last minute that they didn&#8217;t want me doing a talk because of how they thought it&#8217;d make them look (it wasn&#8217;t DefCon). This was despite the fact that they had reviewed the materials and granted permission many months in advance. \u00a0I didn&#8217;t ultimately get fired for giving it &#8212; I suppose mostly because I tendered my resignation and did the talk as &#8220;John Q. Public&#8221; rather than as their representative. \u00a0Had I stayed in their employ,\u00a0I&#8217;m sure the consequences would have been (ahem) &#8220;undesirable&#8221;, since I was straight-up doing that talk anyway.<\/p>\n<p>Anyway, the reason I&#8217;m commenting on this is because of the terrible optics here for Salesforce. \u00a0At least, what I think are terrible optics. \u00a0Now, note that I&#8217;m not saying that firing them was necessarily the wrong move. \u00a0The specific circumstances are unknown, and there could be parameters that make it a &#8220;must do&#8221; from Salesforce&#8217;s point of view (that we don&#8217;t know about). \u00a0For example, maybe Salesforce considers the techniques to be proprietary trade secrets. \u00a0Yes, I realize MEATPISTOL is open source, so that argument is a bit thin, but we all know how companies can be &#8212; so it&#8217;s not a completely unreasonable position for them to take. \u00a0If that&#8217;s the case, it could be that their policy requires terminating people who publicly divulge trade secrets &#8212; in fact, they might be seen as negligent should they not do so (depending on how that policy is written). 
\u00a0I&#8217;m not defending them, mind you &#8212; just pointing out that there is at least one possible situation where they had no other choice but to do this.<\/p>\n<p>Inadvertently or not though, Salesforce undermined their credibility in the security community to a significant degree. \u00a0Don&#8217;t believe it? \u00a0Look at the Twitter. But facts being facts, it seems to me like Salesforce clearly doesn&#8217;t care. \u00a0For example, they could have done this quietly weeks from now. \u00a0They could have put out a statement about why their hand was forced to fire these guys despite their tremendous value to the security community, how their policy leaves them no other choice but to fire them, how it grieves them that the world is the way it is, and how much they wish they had another option but to fire them. \u00a0Oh, and while they were at it, they could include some saccharine language about how much they support full disclosure, how they value the free and open exchange of information, how much they are committed to supporting the security community at large, and how much they love truth, justice and the American Way &#8212; and puppies. \u00a0In other words, a big group hug, with the end state of firing these engineers being equivalent to what they wound up doing (just with better optics).<\/p>\n<p>They did not do that though. \u00a0Instead, they let them go on the spot. \u00a0In my mind, this is a signal that how they are perceived by the security community isn&#8217;t top of their list of things they care about. \u00a0Should it be? \u00a0I suppose it&#8217;s about utility. \u00a0To the extent that they can ignore the security community yet still have their products be robust, reliable, and hardened, I&#8217;m not sure I care all that much about how deep their head is in the echo chamber. \u00a0That said, I feel like pissing off potential customers isn&#8217;t usually a good practice. 
\u00a0Maybe the security community is offering something to them that helps their business; maybe making enemies of an entire group of constituents could have a bottom line impact? We&#8217;ll see.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>So apparently Salesforce fired two of their engineers after they gave a talk at DefCon about their work. \u00a0The talk was about a tool called MEATPISTOL which, per their materials, is a &#8220;gun made out of meat&#8230; that shoots malware bullets&#8221;. \u00a0(&#8220;Semp&#8217;a scuppetta mane tene&#8221;,\u00a0 I guess.) Anyway, perhaps a less surreal way to describe [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4],"tags":[80,103],"class_list":["post-544","post","type-post","status-publish","format-standard","hentry","category-security","tag-meatpistol","tag-salesforce"],"_links":{"self":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/544","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=544"}],"version-history":[{"count":0,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/544\/revisions"}],"wp:attachment":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=544"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=544"},{"taxonomy
":"post_tag","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=544"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}