I was one of the people who was there when it happened. My coworkers and I were asking one of them questions after the talk. The goons were kicking us out of the rooms because it was the last talk of the day and they wanted people to leave. We were talking in the hallway and asking him questions when we ran into the other presenter there (and people were asking him questions too). Anyway, a few minutes later I see our old executive walk up to them and tell them they have to talk. They started walking and talking, but it was right in the open and you could pretty much hear them. They end up stopping and it looks like they were trying to defend themselves. A few minutes later the executive leaves and they end up walking back to the group that was still waiting to ask them questions (including us). They had been fired effective immediately.
The executive is Jim Alkove. He is a moron and our security org has completely revamped after he "left" to join other companies. All the recent advancements in Microsoft security/Win10 were because we no longer had a leader like him.
I worked at a lot of companies under a lot of different managers.
If I hear a manager fires them at such a moment, it already gives me an idea of what kind of manager we're talking about.
If a manager sends a text message half an hour before the talk starts to not give the talk, I definitely know what kind of manager it is.
You have 2 kinds of managers: the ones that think ahead of time, and the ones that don't think ahead of time. It's pretty easy to distinguish the two.
You forget the 3rd kind: the ones who think ahead of time, but use urgency as a way of shielding their decision-making reasoning.
Let's say Employee A comes up to Manager three months before Defcon, saying he'd like to do such and such. Manager doesn't like it, but he doesn't want to upset A at that time because Reasons. He says "sure bud, you go ahead, I'll check with the lawyers just in case and let you know if there is any problem". Then he waits, and half an hour before the talk, through an indirect medium like email or text, he goes "sorry man, I only just got a message back from the lawyers that you can't talk about that. Totally gutted! Oh well, better luck next year, uh?"
30 mins before the presentation, after they've all flown to the conference, is not incompetence; it's malice.
At least in that case I wouldn't mind if a superior was honestly and truly checking with Legal Departments, and others of authority, to verify whether some action I was considering taking was going to cost me my job... Could any of us here really be upset about a Manager that does that?
I'm fairly certain the implication here is that he was not, in fact, checking with Legal or anyone, but simply holding off to make it seem as if he was and it was too late to question.
Jim is known for retaliating against his employees. That's why we got rid of him at MSFT and then Google... He is happy enjoying his millions in stock units and 100% bonus target. What did you expect? SOP.
No, I don't think so, assuming the manager also said something along the lines of "The check might run right up before your talk. Please make sure to check your phones before walking on stage so that if something happens last minute you'll know. I'll promise to text you either way."
In a large corporation I worked for a long time, if an EVP fires somebody on the spot it means that the EVP is next to go. I assume this will be the case for Salesforce.
On the spot, at DEF CON, 30k people. Anyone at Salesforce wanna talk about what's going on? Make a throwaway, use opsec. What are your opinions on this? What is your opinion of Jim as your leader?
What are this "leader"'s justifications for preventing the talks and for preventing the open sourcing of this software?
Is it liability or competitive advantage based?
Firing someone on the spot in a public setting is either a drastic overreaction (and why that's fireable is obvious), or a response to a complete blindsiding … at a level at which the job is to not get blindsided.
It's also a complete HR catastrophe. How could anyone feel comfortable in their position, knowing they could be fired at any moment, publicly and without warning? Terrorizing your employees is completely unacceptable as a manager.
Edit: I guess I don't have much experience with HR at large companies - I use the term to refer to aspects of management related to maintaining employee wellbeing, workplace culture etc.
HR doesn't care about that! Not unless it's actionable. Good way to lose your star contributors, sure, but past a certain basic point retention isn't really part of HR's role.
Really? I've always seen HR as a sort of "union for un-unionised employees". They help you get stuff out of the business, and help the business get the most out of you.
Perhaps I've only encountered the good kind of HR.
A significant aspect of HR (at least in the UK) is protecting the company from its 'resources', and ensuring that the company has a robust (i.e. legally defensible) paper trail when disputes arise. E.g. a process for putting people on an 'improvement plan' in response to poor behaviours / performance, which can ultimately lead to dismissal.
Back in the day, the term 'anti-personnel department' was often used.
And don't get me started on the use of the term 'human resources'.
[Edit] - more detail. I'm a techie but have occasionally had line management (in addition to tech lead) responsibilities. The first time I took on these duties, I had to do the relevant HR training and was amazed at the attitude: a little bit of 'duty-of-care' and a lot of 'follow-this-process-to-make-sure-the-law-is-on-our-side'
My experiences of UK large company HR departments were basically that they were the hit squad - if they were in the building then you knew someone was in major trouble.
I had an interesting experience a couple of years back when everyone in our office was called to a surprise meeting with HR except me.... I had already resigned, everyone else got the bullet in that caring way that HR departments are famous for.
A company I worked at did something similar; those who were being kept were told to go somewhere else, not to go to that meeting. Those that were still around were herded into the classroom, to be met by the HR head and a hired goon of a security guard. The entire office was being closed, but the way it was done was more hurtful to those folks than the basic business decision.
Can confirm as a programmer in UK. I hit this wall recently when asking for extended leave to deal with a personal crisis. The colluded response from HR/the business was to give me notice.
Take it from someone whose partner works in HR: they are not your friend. They may be nice people, they may try to help, but their _job_ is to protect the company's interests. Each time you talk to them about conflict, you're taking a bet your interests and theirs align.
In other news, for a bunch of smart people, engineers are spectacularly under-unionized.
They are however, definitely interested in retention. They have a keen understanding of the total cost of finding and onboarding a new employee. If a particular executive is putting that in jeopardy then a good HR department will take note.
> They have a keen understanding of the total cost of finding and onboarding a new employee.
Because they will be involved in recruiting, they will also have a keen understanding of how much that increases their workload, which is otherwise pretty flimsy in a lot of cases. The more churn, the more they can justify their headcount.
They definitely are, but in a circumstance like this the most _urgent_ problem they've got is a bunch of ex-employees with a legal action brewing. Implicitly admitting liability without a quid-pro-quo isn't going to happen.
Which isn't to say HR won't want him gone. Just not yet.
Nope; they help the business get the most out of you without getting sued. That's the alpha and omega of HR.
Their obligations are to the company, not to you. When they answer your questions, they do it so you can't claim later on that the company didn't tell you such and such or that the procedure XYZ was unclear, and sue them. They are nice so that you won't see the company as adversarial and sue them. And so on and so forth.
At some places, they have one branch of "good cop" HR that cuddles the employees, hands out candy and attempts to boost morale, and one "bad cop" branch that does all the dirty work of protecting the company from liability and attempting to squeeze out as many hours as possible while keeping compensation and human costs to a minimum.
They aren't your friends. They protect the company first. Definitely think twice before going to HR for anything not related to the normal benefits/vacation type issues. If you have an issue with another employee, you may very well be the problem that gets eliminated, not the other employee.
Many people, myself included, feel that HR is almost totally on the side of the company and don't represent employee interests effectively (if at all).
Having a major disruption in your security department can mean an upcoming disaster for a company offering cloud based services. From what this sounds like, they not only got rid of 2 very competent employees, the manager doesn't seem to have acted especially brilliantly, and they might have discouraged competent security people from applying at the company. What could possibly go wrong with this?
People aren't fully strategic 100% of the time. When clouded by emotion, suboptimal decisions can look strategic. (Ex. establishing/asserting their authority.)
2) If you fire someone on the spot (I have), you'd better have a damn good reason (I did--repository sabotage) as the company is now going to have to pay money to defend/pay off this.
3) Suddenly firing important people disrupts daily business functions for weeks or months.
4) Unless you think they are going to actively sabotage something, you can wait until they get home to reprimand or fire people.
All told, some manager is getting thrown under the bus for this.
The Google thing is a medium splash in a big pond. This is a small splash, but arguably in a much smaller and more concentrated pond. Within the community of red teams and DEFCON regulars I wouldn't be surprised if this is much better known than the (now) ex-Googler is within the more general tech community.
An internal memo with astonishingly poor typography was leaked. Since Google sell a word processor and are a font vendor this made them look bad. So he was fired.
(I'm only half joking. People don't talk about how poor the layout of that document was, but it was my first and lasting impression)
It's unbelievable that it was only the memo. And quite likely just the last straw.
I can easily imagine that someone who produces poor quality once publicly probably did so many times privately, and that it is likely more of a symptom of underlying inadequacy than the actual reason for firing.
But you know, headlines..
And yes, I have no previous experience or knowledge about this, so sorry if I'm armchairing a bit.
Larry Summers (a leading economist with often controversial opinions) got fired from his position as the president of Harvard for effectively making the same point [1] except, you know, well argued, unlike in the Google manifesto.
If Larry Summers gets fired for that, a random engineer is definitely getting the boot.
Honestly, relative to the usual discussions on the topic (including discussions about the Google memo), the memo was refreshingly well-argued, coherent and polite.
Everyone agrees it was polite, but well-argued and coherent is where not everyone does agree.
I've seen people with advanced degrees host debates where they legitimately advocated creationism as the truth against evolutionary biologists with equally advanced degrees. They were polite, and their supporters would say well-argued and coherent. But anyone who knows anything about the topic would see that the creationists weren't actually adding to the discussion or making strong points at all. Those creationist debates are always unsatisfying and exhausting to listen to, and after a while, that schtick becomes old and non-creationists stop engaging because it's just boring. But creationists will attend and be excited every time because having a debate against a real scientist legitimizes them.
That's how this memo thing felt. Nothing new was added to the discussion (at least not to those of us who have had this discussion before) and it just seemed like an opportunity that some less savory folks jumped on to promote some out-dated views (and more importantly, for mainstream media to jump on to paint all of tech as a place where those views are the norm. That story sells despite how wrong it is).
FWIW, I do hate impoliteness though. I understand why people felt defensive for the author after watching the internet freak the hell out (in rude or dismissive ways) about the memo which was not impolite in itself.
Well yes, that's my opinion :). I found the memo coherent, in the sense that it was well-structured and followed consistent reasoning, and well-argued, in the sense that it linked to supporting research and reasoned mostly correctly from it. It doesn't mean everything there was 100% correct, but almost no one is; it still was a quality entry to the intellectual debate.
At the risk of perpetuating the disagreement, IMO if anything is similar to the creationist debaters, it's the voices against the memo.
Going through the few recent HN discussions on the topic, I found that on the one side, you had people (including an actual scientist in the domain) saying that the memo basically got the science (even if not the ultimate conclusions) right, as supported by _even more_ research people linked to, vs. the other side saying he presents "outdated" views of "biological determinism", etc., with no counter to the research cited by the memo itself (not to mention others) - just unsubstantiated accusations and dismissals.
More than 5 doctors confirmed the memo was consistent with science and his text referenced appropriate sources, as common with any paper. It's incredible that non-medical people can override science with their belief. It's Galileo all over again, fired because one shall not contradict [place godly entity here].
The paper went much further than presenting a summary of mashed up research from a variety of fields that investigate sex & gender variations. For that, all you need is some reprints of Nature and Scientific American.
Instead it wanted to connect that research to a) company policy and b) American-specific political divides. And to do that required a battery of assumptions regarding intention, merit, aptitude, worth, values.
That's where the wheels came off and everyone started projecting their own ideological interpretations, and you've been arguing past each other ever since.
Sorry, I thought it was a vulnerability/technique impacting Google services that dropped at the convention. Now I get the connection was being made to widely reported staff behavior.
I am not sure that creating burner accounts to libel people by name is an entirely appropriate use of this site no matter what your personal feelings are.
You don't have any evidence to substantiate any of what you are writing and this individual has no opportunity to respond to what you are writing.
This is highly unprofessional behavior no matter what you think the justification is.
FTA: "Josh Schwartz, director of offensive security based in San Francisco, and John Cramb, senior offensive security engineer in Sydney, Australia, worked on the cloud giant's security 'red team'"
The one we were talking to had an Australian accent, but I did not ask. The other one is @fuzzynop and yes he's in California. He actually DJ'd for dualcore.
I understand feeling sorry, but doing a talk like this without the full support of your leadership is an incredible error. If you work for a big company, you can't do talks like this without aligning PR, leadership etc.
From TFA: "Salesforce executives were first made aware of the project in a February meeting, and they had signed off on the project, according to one person with knowledge of the meeting."
They had executive signoff until half an hour prior to the talk, and they didn't see the text revoking permission until after the talk. I'm not sure what else they were supposed to have done.
And Alkove was there - physically present. He could've warned them off in person, and made sure they knew what was up. No one is going to care why he didn't.
Aware and signed off on the project and aware and signed off on the DEF CON presentation are two different things. I only know what I've read in this article and discussion on this, but I don't read "Salesforce executives were first made aware of the project in a February meeting" as meaning they had corporate sign off (they may have, but that's not what that sentence means).
If you're close to the Silicon Valley tech community you know the Salesforce datacenter organization and recently security organization has been taken over by many ex-Microsoft executives who are fairly clueless when it comes to security.
This has left the security organization mired in internal political turmoil and has triggered the exodus of most intelligent security professionals from the organization.
This situation appears to be a case of the new and confused security executive mentioned in comments on this thread over reacting.
I say "confused" because for the presenters to get this far they obviously has gone through levels of approval for the talk and presented material internally. This talk was indeed presented before at the Chatham House Red Team Summit in SF where many tech company Red teams were present and code released to some collaborating parties. If you don't know what is going on in your own organization with your directors you are confused.
I say "over reacting" because any decent security executive knows you can't ask a team member to pull a Defcon talk on extremely short notice as it would be damaging to their personal reputation in the community. Firing them for not pulling the talk is completely idiotic as it's likely burn the organizational reputation with the security community. It was likely just a snap decision by said confused executive who did not understand the ramifications of his decision. If you fire someone after they get off the stage at Defcon you more than likely have overreacted.
Sadly these are the types of this that happen when you have poor leadership at high levels. I feel bad for the good security folks still left at Salesforce who have to tolerate this garbage. Luckily there is a massive demand for good security professionals so they should have no trouble finding other employment, hopefully with competent leadership.
Using a throwaway account as my username is very close to my real name :-(
> If you're close to the Silicon Valley tech community you know the Salesforce datacenter organization and recently security organization has been taken over by many ex-Microsoft executives who are fairly clueless
This. A thousand times this. The Microsoft rot started in the Datacenter and Security org but is fast spreading to all of infrastructure resulting in a culture that is dramatically different from the rest of Salesforce.
If you're from Microsoft (or better yet, a crony of a high up Microsoftie in Salesforce) you are guaranteed to receive a plum job with a bump up of at least two or more seniority levels and preferential treatment in every aspect.
It's not hard to find examples of mid level ICs (level 61 - 62) being brought in as Senior Directors, level 63s being brought in as principal architects etc. What about non-Microsoft people? Well, in that case we need to 'carefully consider the feedback', 'be conservative in our approach', 'avoid being too generous' etc.
Every process, from hiring, to promotions, to appraisals has been systematically corrupted and taken over almost exclusively by Microsoft people with the inevitable results.
It's like watching an aggressive strain of flesh eating bacteria at work. It would be comical the amount of damage this is causing Salesforce if it weren't for the enormous human impact.
Wait, there are 63 or more levels of management at Salesforce? Is there a level 1? Is there anything higher than 63? What's the distinction between a 61 and a 62?!
Sorry not so sorry. These people leaving MS was the best thing that ever happened to MS. It's sad that because of one of them, this unfortunate event had to occur.
> ... security organization has been taken over by many ex-Microsoft executives who are fairly clueless when it comes to security.
i.e. the people who hired them are also clueless when it comes to security. And, the people who hired them did not perform due diligence to be sure that the hirees were competent.
Or, maybe one "bad apple" got hired via bluff and bluster, and then proceeded to hire tons of incompetent cronies.
Either way, the higher ups at Salesforce haven't been paying attention to how their organization is being run.
The article says that they were forbidden to announce open-sourcing of the tool. They were required not to cancel the speech, but to not announce open-sourcing. Having such second thoughts about open source is so typical of old-school managers, it doesn't even surprise me.
>The tool was expected to be released later as an open-source project, allowing other red teams to use the project in their own companies.
>But in another text message seen by Schwartz and Cramb an hour before their talk, the same Salesforce executive told the speakers that they should not announce the public release of the code, despite a publicized and widely anticipated release.
If the executive told them not to announce the open-sourcing, then he was expecting them to speak, just not that they would announce the open-sourcing. My guess is that they did not acknowledge that first request, and thus the executive told them half an hour later to cancel all. So the original issue of confrontation was about the open-sourcing, not about the speech itself.
If they don't acknowledge the first text the answer is to send another much more extreme text? Why not just a reminder of the first text? Or call them? Or talk to them in person, because he seems to have been there in person.
If they missed the first text there's a good chance they might miss the second text as well.
The unnamed Salesforce executive is said to have sent a text message to the duo half an hour before they were expected on stage to not to give the talk, but the message wasn't seen until after the talk had ended.
Which said unnamed executive should have known was patently unreasonable to expect to be received and read in time.
Sounds like a failure in basic communication, somewhere in the organization. And if someone in the C-level feels they need to intervene at the last minute to set things straight -- this very strongly suggests point source of the failure was most likely somewhere in the middle layers (or at the C-level itself) - not with the frontline engineers.†
But which at Salesforce is apparently no protection against getting hung out to dry.
† Especially when we read the parts about "The talk had been months in the making" and that the executive pulled the plug at the last minute "despite a publicized and widely anticipated release."
There's a good chance that those guys didn't even have their phones on. If something is that urgent you don't text, you call, and if the call doesn't go through you find someone else that you can call who can go to the people involved and so on until you have guaranteed timely delivery and if you can't achieve that then you're going to have to live with the consequences.
Doing a 'fire-and-forget' text message and then attaching grave consequences to the timing is ridiculous.
>> There's a good chance that those guys didn't even have their phones on.
Nevermind the fact that it was defcon, I'm a regular presenter at conferences and meetups, and literally #1 on my last-minute checklist is to text my wife that I'm now unreachable and silence my phone.
Nevermind the fact that it was defcon. Having your phone on in a place where thousands of security experts are running amok is a surefire recipe for ensuing hilarity.
I used burners at DEFCON 2016. Eventually moved back to my actual phones. But, I talked with other people and according to them there were cell sites that were suspect. Never found out if it was true or not. But, as others have stated I turned off my WiFi.
I was at this past DEFCON, we had cell sites named "Arnold's Biggest Scam" and "AT&T Totally 1337 Tower".
There are others, but those two were prominent because I could access them in my room lol.
From what I’ve read, all you really need to do is turn off wi-fi, which is already fairly paranoid given that no one is realistically going to burn a serious chipset zero-day on random people at a conference. Fake cell towers do occasionally happen but rapidly lead to arrests.
Why wouldn’t they burn a chipset 0-day? It’s unlikely that only one exploit has been and will ever be uncovered. Imagine the shitstorm if you phoned all of DEFCON with a recording to attend your talk, on their radio “off” devices, because you powered them back on at the right time. Imagine the respect. That would be worth a 0-day.
"random people" who with high probability may have undisclosed 0day exploits stockpiled on other devices.... yeah if I'm an APT author DEFCON attendees are (the hardest to exploit and most paranoid [read: likely to get caught by]) the ideal target for any nation-state. not to mention that the conference is often attended by multiple state agencies which makes the target even juicer. yes it's an extremely hard and dangerous group of people to attempt to exploit, but that doesn't detract from the potential value and payoff of a successful APT exploit on said group of people
That's not how Nation State actors work. One of the things that makes Nation State actors dangerous is they have the patience and resources to attack a high value target at the most likely to succeed point. Backing that up, they generally have the intelligence to know when that best time is. And they for sure know that it's not at defcon when everyone is, as you say, paranoid and on the alert. They're going to get you at home, at happy hour with your non-security friends, in that bar with the great but insecure wifi and no 4g.
There are no arrests listed for cellular activities at Wikipedia’s “Notable Incidents” list for DEFCON, so if you have direct confirmation of any such arrests, you should add them to the page at https://en.m.wikipedia.org/wiki/DEF_CON
> all you really need to do is turn off wi-fi, which is already fairly paranoid given that no one is realistically going to burn a serious chipset zero-day on random people at a conferenc
I know very little about security or defcon, but I was under the illusion that stuff like running Wifi Pineapple to trick people to connect to their hotspots was common and doesn't require any 0-days.
Here's what I do with my phone before heading to DEF CON (yes, I don't bother with burners anymore):
1) Make sure it has an Apple logo on the back and is up to date. I'm serious on this one. Too many Android phones don't get updated by the carrier and that's why I'm not a fan. Yes, if you have the latest phone from Google, you are fine. From another manufacturer, very questionable. The sheer number of Android phones which have connected to my open research WiFi networks over the years and exposed some secret is just tragic, from user PINs thanks to a carrier installed warranty app to e-mail passwords thanks to broken Samsung KNOX TLS middling implementations.
2) Shut off all background activity from apps when not on and in front of me: settings -> general -> background app refresh. Slide that one to off for everything.
3) Turn off WiFi and Bluetooth.
4) For added paranoia, put it in airplane mode when not being used.
5) Make sure it doesn't have any information or accounts on it which I'd not like to be made public.
6) Back it up.
7) A quick audit of apps I'll be using at the con to ensure they are reasonably secure on the wire by using working TLS exclusively. Yeah, very few people will ever do this but thankfully 1-6 should be sufficient.
There was also this one for which I had involvement: http://www.falseconnect.com/ which while impacting nearly every major technology vendor was particularly bad for Apple. Pretty much anyone who'd been using a proxy service (which includes some VPN providers like TorGuard) for privacy with iOS or macOS opened themselves up to full compromise of the cryptographic channel. The thing is, Apple recognized it was a big problem and got it patched and that patch distributed to all impacted devices in under 45 days from the first report. A similar flaw I reported to Samsung a few years earlier is still not patched on every Android phone impacted because some carriers didn't push the patch.
What good is the magically secure Apple logo on top, when you actually have a Broadcom doing the work down in the metal? I doubt this was the only existing hole: http://thehackernews.com/2017/07/android-ios-broadcom-hackin... (but Apple updated fastest, I do concede that)
Indeed, the same Broadcom chip used in a bunch of Android phones and to my original point, yes Apple was not only the quickest to patch, but there's a good chance a large number of Android phones will never get a patch.
Reminds me of a friend who said his MySpace password was just "password123" because "It's such a stupid password that nobody would ever use it, so hackers don't even bother trying it!"
I wish I had multiple faces so I could palm more than one.
p good analogy, people will generally ACK a phone call since it implies a higher level of importance and could be about anything under the sun, but right before giving a talk at a conference i think most people would drop that text message UDP packet.
> Which said unnamed executive should have known was patently unreasonable to expect to be received and read in time.
As others have mentioned, this is Defcon - it's very common for folks (myself included) to go dark while on premises. At one company I worked for that was actually handed down in the form of policy & attendance guidelines.
Not only that but the executive in question was physically present and watching the talk. If this was so critical as to warrant the immediate termination of two senior team members, then I have to believe it was critical enough to go talk to them immediately prior or even during the talk if necessary.
The entire chain of events makes no logical sense, and does not inspire much faith in the Salesforce executive team.
I was not at the conference and have no first hand knowledge of what happened.
But before everyone gets on their high horse, please pause to reflect:
This was all company work product being presented by company employees who were on a company funded conference trip. Therefore there is an approval process for vetting presentations as well as a legal process for opensourcing code. This is standard practice at all companies.
Now what do you think is more likely: That the PR department would approve of a talk titled "meatpistol" (FIXED) (have you seen the slides?) and the legal dept would approve of open sourcing the code and then at the very last minute both groups would change their mind and try to pull the talk, or that the presenters never got the OK in the first place, the company found out at the last minute, asked them to pull the talk and they refused?
How likely is it that they would get official approval for their talk under a "Chatham's rules" meeting in February for a presentation <strike>in August</strike>at the end of July? Isn't it more likely that they got some initial approval for a talk in February, but that PR still wanted to vet the actual slides in <strike>August</strike>July? (I'm assuming that the slides were made after February.) Which PR department gives approvals like that? What legal department works this way? In my experience, stuff like this happens at the last minute, because that's when you're finishing your slides (as well as your code), and generally PR is going to ask that you make some changes to your slides and they will want the final copy before signing off. Now maybe I'm wrong and the article is correct, but I think it's unlikely.
Moreover given that Salesforce can't talk about this matter, who do you think is the source for the article and whose side are you hearing?
The last few days have really highlighted how quick people are to pile on with outrage and self-righteous indignation before getting all the facts.
During the talk they told us why they called it meat pistol.. it's an anagram for metasploit. Meat Pistol made sense because it shoots out malware implants.
Also why pull out in the last 30 mins? And why fire them? No warnings? Mistakes happen, you don't fire a director for something like that. The PR process is to make sure the company's image looks good, who better knows the Defcon audience? Hackers or PR people who don't understand the framework?
There is really no other way to see it than Salesforce fucked up.
> During the talk they told us why they called it meat pistol.. it's an anagram for metasploit. Meat Pistol made sense because it shoots out malware implants.
What are you more likely to remember a week from now: Meatpistol or Metapistol? Reminds me of the resistor color code mnemonic, something I memorized for life the first time I heard it.
The original comment was flagged to oblivion, but I'm assuming it quoted one of the ones on https://en.wikipedia.org/wiki/List_of_electronic_color_code_..., in which case - unless you feel inclined to start yet another Wikipedia edit war - it will probably not "be forgotten with the rest of the mental trash".
I too hope that nobody actually uses such a mnemonic in this day and age, but for such a mnemonic to be forgotten entirely would be a massive loss. Whitewashing the past of its blatant racism and sexism will only serve to erase the reminders we as a society have of why the present is an improvement on the past. Every artifact of such archaic and abhorrent beliefs serves as yet another datapoint demonstrating the whole concept of "Mak[ing] America Great Again™" to be misguided at best and abhorrent at worst.
In other words: we absolutely shouldn't be teaching such a mnemonic in classrooms, but we absolutely should continue to document their existence as evidence of exactly how fucked up the past really was.
>During the talk they told us why they called it meat pistol.. it's an anagram for metasploit. Meat Pistol made sense because it shoots out malware implants.
OK, try getting a PR department to sign off on that.
The whole point is that they already knew about it beforehand (it being called meatpistol, hence the previous meeting) so firing them 30 mins prior is bullshit, hence the drama.
And they presented it at Hushcon before with approval so what's the problem with that?
Because Salesforce did nothing after hushcon? Which means it would have been approved.. say if it wasn't approved, isn't that a failure on SF's part because the employees would think it's fine.
I don't see why you keep defending Salesforce, they did mess up even if say the employees did not go through the approval process. You don't fire people over that, especially if previous talks are public on the same subject. Especially not at Defcon. That's why SF is in the wrong.
There's a lot of assumptions in this interpretation of events. It's entirely possible that warnings were issued after hushcon and that's why action was so severe this time around. It's also possible that no warnings were ever issued and there is blame for overreacting due to the management. Either way, it seems like there's plenty of information available for interpretation but not conclusion in this scenario.
One dictionary I have at hand details five definitions of the word retard.
Why do we have to feel obliged to take offense at the whole word due to one slang definition.
Why should MEATPISTOL be a problem?
retard
1. to make slow; delay the development or progress of (an action, process, etc.); hinder or impede.
verb (used without object)
2. to be delayed.
noun
3. a slowing down, diminution, or hindrance, as in a machine.
4. Slang: Disparaging and Offensive.
a contemptuous term used to refer to a person who is cognitively impaired.
a person who is stupid, obtuse, or ineffective in some way: a hopeless social retard.
5. Automotive, Machinery. an adjustment made in the setting of the distributor of an internal-combustion engine so that the spark for ignition in each cylinder is generated later in the cycle.
I'm not offended and don't take issues with the use of retard in a non-slang context, but for the naming of a project I think it's inappropriate to use a word that could bring back hurtful memories of harassment that people have potentially endured.
Seriously, there is a balance to be had. People who went through traumatic events are often offered therapy precisely because you can't reasonably expect the entire world to guess and remove every single thing that can trigger someone's hurtful memories.
Then can we at least postpone the renaming until someone actually complains about it first-hand, rather than "just in case" and on someone else's behalf?
Actively developing and planning to release a malware creation tool? That sounds like developing and releasing cyber weaponry. We've got export laws regarding that IIRC.
Which part, specifically? The only restriction on the EAR I see that applies is that on encryption, and Part 742.15(b) provides an explicit exception for software where the source is publicly available. That's why, for example, non-US citizens must request a special license to download the paid Metasploit version but can download the open source version freely[1].
Journal of National Security Law and Policy, Vol. 8, No. 2, 2015. Quite the argument made there that EAR and ITA do indeed deal with the making and distribution of cyber weaponry.
I think that article only emphasises that it is not subject to those regulations. Quote:
We conclude that, at a technical level, the distinction between weaponry and non-weapon malicious software lies in the payload component of the tool, which must be capable of creating destructive digital or physical effects
Meatpistol is only a framework, therefore there's no payload component.
Apparently the fired employees have enough of a case that the EFF agreed to represent them.
Given that SF employees have presented at many conferences in the past I don't see that getting official approval for the presentation is that strange.
I agree that we need more details, but can you really say that this situation has not played out many times before?
I'm a little confused what their case is, can't the company fire them at any time with no reason? I don't really know much about employment law, but that was my understanding.
Like if they went on stage and flopped, they could get fired. Similarly maybe they were too good. Or the boss was having a bad day.
> can't the company fire them at any time with no reason?
One of the employees is based out of Sydney, so no, California at-will employment law doesn't apply.
It would be interesting to see what grounds they are using to fire him.
Based on previous experiences with other companies, I found that it's not unusual for executives in one country to think that the employment law in their jurisdiction is universal and just assume they can apply it to employees in other countries.
You can be fired as an Australian employee at any time but they will still need to pay out the notice period in their contract and whatever accrued annual leave they had.
Most notice periods in AU are 4 weeks so you either are fired with 4 weeks notice or fired immediately and paid for those 4 weeks.
(The notice period also applies if you decide to leave the organisation)
The rule specifically is:
Can notice be paid out instead of worked?
Yes. An employer can either:
* let the employee work through their notice period, or
* pay it out to them (also known as pay in lieu of notice).
If the employer pays out the notice, the amount paid to the employee must equal the full amount the employee would have been paid if they worked until the end of the notice period. This includes:
* incentive-based payments and bonuses
* loadings
* monetary allowances
* overtime
* penalty rates
* any other separately identifiable amounts.
If the employer pays out the notice, the employee does not accrue any annual leave for the notice period they were paid out for.
But employment in Australia is not at-will, so regardless of their obligations to pay out the notice period they also need to have a valid reason for the dismissal.
Specifically John Cramb (the Australian) was presenting alongside Josh Schwartz the director of offensive security. It seems that one could reasonably establish that John was acting under the directions of his superior, and that would mean that the default position would be to assume that his actions were sanctioned by the company unless they can prove that he knew otherwise.
And even then, they would be expected to provide a written warning, or justify why the violation was so extreme to justify immediate termination (which would be very difficult given he was active under the instructions of a superior).
Based on the limited evidence we have, it seems that Salesforce has unfairly dismissed John, and that the Californian executive ought to have consulted with an Australian HR lawyer before he acted.
I'm ignorant as far as Australian law. Is this true if the company is based in America and the worker is laboring either in America or remotely? It seems like at that point Australian law wouldn't directly apply to termination decisions.
Generally speaking, multinational companies will offer employment contracts through a local subsidiary. In that case the employment will fall under the laws of that country. And if they send you on an overseas business trip that doesn't change anything - even if the parent company is domiciled in that country.
If they don't have a local presence, and you're working remotely, then you're more likely to be a contractor and dismissal laws are pretty loose.
The interesting thing would be if they had a local subsidiary but chose to employ you on contract to the parent company. I suspect (but IANAL) that the Australian Fair Work Commission would determine (if the contract was long term and indefinite) that you were actually an employee of the local subsidiary.
* your dismissal was harsh, unjust or unreasonable, and
* your dismissal was not a case of genuine redundancy, and
* if you were employed by a small business, your dismissal was not consistent with the Small Business Fair Dismissal Code.
Personally I would consider this harsh, unjust and unreasonable, especially if this is the first time and the person doesn't have a lot of publicity experience.
Even if they have a corporate structure that seems to make the Fair Work Act not apply (say, making you a contractor of a foreign company), I'm pretty sure that the commission will still generally rule against the employer if you're effectively working as an employee and you take it to the ombudsman. So if, say, they provide office space and a computer, you work regular full-time hours and it's more than a temporary contract then it will usually be considered a sham contracting arrangement and you'll be eligible for all the standard full-time employment protections.
Are you an employee or a contractor? From among my circle of friends working for foreign companies the possible arrangements I've seen are: (a) employee of Australian subsidiary of foreign company (my situation) (b) employee, under a contract governed by Australian law, of a foreign company directly or (c) independent contractor of foreign company.
(a) and (b) give you Australian employment protections. (c) obviously only gives you whatever protections are in the contract.
I've never seen anyone under a contract of employment (rather than a contract for services) of a foreign company that purports to not be governed by Australian employment law.
California labor code section 201 (a): "If an employer discharges an employee, the wages earned and unpaid at the time of discharge are due and payable immediately."
Firing someone in California requires that they be paid in full right then and there. This includes payment for accrued vacation time, comp time, etc. Were these employees paid off properly?
The penalty is the employee's wages, day-for-day, up to 30 days. So yes, it will probably be payable, but it's just money (rather than somehow invalidating the termination, for example), and it's unlikely either side will care much about the amount.
They are probably still getting full salary and benefits until the next scheduled payday.
That's how companies in CA get around the rule that employees must be paid in full on their last day.
For the California employee, they have to PAY YOU IMMEDIATELY, THEN AND THERE. That means either a pre-loaded card, check, or cash in hand, or other acceptable instrument of legal tender, such as a money order.
> Not any reason, wrongful termination lawsuits happen, and companies usually have processes for firing people, reviews to document performance etc..
Actually, they can (with a few exceptions). California is at-will employment:
"At-will employment is a term used in U.S. labor law for contractual relationships in which an employee can be dismissed by an employer for any reason (that is, without having to establish "just cause" for termination), and without warning."
Or, as the Supreme Court of California explains:
"[A]n employer may terminate its employees at will, for any or no reason ... the employer may act peremptorily, arbitrarily, or inconsistently, without providing specific protections such as prior warning, fair procedures, objective evaluation, or preferential reassignment ... The mere existence of an employment relationship affords no expectation, protectable by law, that employment will continue, or will end only on certain conditions, unless the parties have actually adopted such terms."
Yes, but an employee can still file a wrongful termination lawsuit if they believe that the "no reason" termination was bullshit and that they were actually fired for an illegal reason.
Like, if someone decides to come out of the closet on social media and their co-workers find out and their boss hears about it and fires them the next day but claims that it's a "no reason" termination, it would certainly raise suspicion that they were actually being fired for being gay and they might win a wrongful termination lawsuit, even in an at-will employment state.
>Given that SF employees have presented at many conferences in the past I don't see that getting official approval for the presentation is that strange.
It's not strange at all. So dig up some of those slide decks of past SF talks and compare them to what was presented in the meatpistol talk. Then you can decide for yourself whether you think this talk was approved or not -- it would be the same PR department approving all the talks, right? In any case, the facts may come out in the representation, as you suggest.
I have no idea about SF's processes specifically but it's certainly not universal practice to have conference presentations signed off by PR or anyone else within an organization. Doesn't mean there can't be repercussions if you say something inappropriate or disclose information you shouldn't, but not all companies require signoff for presentations.
Any comparatively large corporation very likely has a release process for these sorts of things where a bunch of groups (like PR, maybe Legal etc) would take a look. Releasing company IP as open source outside of such a process would be a gross violation of any number of non-disclosure agreements between employer and employee.
Help me out here. What is EFF's involvement in this?
Generally I can kinda see how the EFF would be interested in the topic of their presentation, but effectively this is an employee and employer legal issue now.
Which is more likely? That someone wanted this cancelled in the last 30 minutes. As you said, this was a company funded trip. There is no way this wasn't known. Multiple people were on the trip that knew of the talk well before it started. And if you knew something was going to be released that shouldn't be released, why wouldn't you go to the place where the talk was being held and stop it? Especially without confirmation.
Let's say this talk was never approved by PR and the employees went rogue.
Firing someone in public right after they give a talk is still terrible optics. Even if salesforce is in the right, this executive looks totally incompetent, which in turn reflects poorly on the company.
Unless it was an extended salesforce trash talk, that is.
The facts are the exec that hired them was an attendee at the conference. He must have known perfectly well what they were going to present well in advance. So the facts are that prior authorisation doesn't look like it could possibly be the issue.
I think you're exactly right here. The article leaves off too many details and speculates entirely too much for me to feel comfortable making any kind of assessment and I think that this is exactly what they want. We haven't heard any official statements from EFF, Salesforce, or anyone besides anonymous sources. That kind of deliberate omission usually means that there's more to the story than we're led to believe and they need to get their side out there immediately to drudge up quick support and a clickbait headline to put in people's heads. There's still a chance that it's exactly what they said, but I find that hard to believe at this stage.
It's probably way too early for us to know what's really happened here. If you're unfamiliar with this stuff, you should know that Salesforce has a large and relatively savvy security team, including people who have presented at offensive security conferences in the past.
There's a lot of weirdness in the reporting here; for instance, the notion that Salesforce management had a meeting with members of their own team under "Chatham House rules".
I wasn't familiar with "Chatham House rules". But it allows members to present controversial arguments while preventing anyone from associating those arguments with them after the fact. For example, I can cite the argument later but not say who made the argument, in order to protect them from political repercussions. https://en.m.wikipedia.org/wiki/Chatham_House_Rule
Certainly very weird that the environment was that charged politically that these rules were needed.
Red Team operations can be very controversial as they risk impacting day-to-day operations and data integrity, and can have legal repercussions. I expect they would have this sort of meeting relatively often, regardless of this particular case.
Seems like a bad idea for a public SaaS company that relies on trust from customers that their data is secure to piss off their own offensive security team by firing them suddenly without even a warning received.
I expect that lots of new Salesforce vulnerabilities will be discovered and disclosed.
Last year we reported a vulnerability where a default option in Salesforce orgs allows browser session hijacking. They came back telling us that it wasn't a bug, but working as intended, and that bugs like that aren't part of their bug bounty program anyway. Then when we found a public salesforce forum post from eons ago where a salesforce employee confirmed this bug/feature and tweeted it to our clients, they kicked us out of the bug bounty program for disclosing vulnerabilities.
Much of the talk on this is about whether or not SFDC has a ‘right’ to do this, or if it’s legal. Frankly that’s all immaterial - this sounds like a perfect way to either lose most of your security staff over the next 6-8 months, or get yourself fired. Not sure the exec in question was planning on either of those outcomes, but they are the most likely.
That seems like a tad bit of an overreaction on Salesforce's part. The only mismatch here was the expectation set around the availability of the tool's source? So yeah, it was clear the tool is owned by Salesforce and ultimately something like that is decided by the company, but saying you're going to "fight to have it open sourced" and advocating to have tooling you build be shared outside of your company doesn't seem like a fireable offense to me. Look at what it's done for companies like Facebook and Google.
What the hell, Salesforce? This looks bad. There's either more to the story or this is just extreme knee jerk.
EEK. When speaking in front of a large audience, it's generally a good idea to either mute your phone, or ditch it entirely before you get up onstage.
To get canned for not responding to a text message 30 minutes before a talk - which you were already approved for - seems terribly unfair and a decision probably made in the heat of the moment.
Oh, the irony! Months before he was fired, in his talk [1] at QCon London 2017 (March 5-7), Josh Schwartz jokingly said: "I am going to tell some stories and hopefully I won't get fired for sharing this stuff but we'll see how it goes".
I think that may be the opposite of irony. It's foretelling if he's not 100% sure what's been approved.
Speakers at large companies must get the entire content of their public presentations approved by PR and upper management well in advance. The process can take weeks even for completely innocuous information because accidental disclosure can have serious implications.
1. Disclosure of number of customers, number of transactions, number of anything can be reverse engineered by investors and competitors to derive forward looking information about the company's finances. Or worse, transactions related to specific customers so their financials could be reverse engineered. Good way to lose a client.
2. Disclosures of internal resources, urls, domains, architectures etc can be a treasure trove for competitors and malicious attackers.
Maybe it was a tongue in cheek joke because he was fully aware his content had been vetted 10 times over. Or maybe not and this is part of a pattern.
I think both you and OP are reading a bit too much into that phrase and it seems like both of you definitely did not listen to the talk.
In contrast I _did_ watch the linked video and can tell you that it was professional, did not expose any personal details of SF employees, any company secrets nor did it disparage the company or paint it in a negative light.
Don't believe me? Just watch the video.
Don't know OP's motivation in making his comment. He blames a misunderstanding of a colloquialism for the confusion, but to me it looks like an attempt to discredit the presenter.
I'm in Australia, so I almost never see stories as they start rising. :D
And I may have locked my last account (i336_) a while back by setting "noprocrast" to a ridiculous value, which I TIL that day actually is not fixable. This is a new account. I'm debating whether to ask for my old account to be unlocked, or to start again.
Forgive me for my poor English; it looks like I have misunderstood the meaning of the "Oh, the irony!" expression. I thought when someone says "oh the irony" they mean what they are saying it about wasn't expected and is kind of crazy to believe. I was wrong. I am sorry.
No, you're right. The statement is an exclamation of being overwhelmed by the irony of a situation, and irony itself is... slightly editing Wikipedia's definition for clarity, it's "an event in which what appears to be the case on the surface, differs radically from what is actually the case."
I find that irony indirectly relates to cynicism sometimes.
I think the "in the house" exclamation/reply was in agreement with what you were saying, and that it was directed at Salesforce.
Why in the hell would Executive Dumbass, er Jim Alkove, send such an urgent request via an asynchronous form of communication? Is he a moron (obviously)?
If I wanted to ensure something did or didn't happen, and time was a critical factor, I would call, talk in person, or use some other form of synchronous communication to ensure my message was received. I certainly wouldn't blast out a text message and then have a baby tantrum after the fact.
Very weird. Seems possible that some clueless higher-up found out about it at the last minute and said "don't you dare let this happen," some middle manager tried to stop it, failed, panicked, and threw Schwartz and Cramb under the bus to evade blame. Could also be office politics bullshit; a high-up was gunning for them with no real justification and ginned up a smokescreen to fire them.
Either way, "director of offensive security" is a pretty hefty-sounding title to fire off-the-cuff like an incompetent intern.
"Could also be office politics bullshit; a high-up was gunning for them with no real justification and ginned up a smokescreen to fire them."
Ding, ding, ding! We may have a winner.
Here's my guess - the guys that got fired were more than technically competent (basically experts going off what I've read), but probably were pushing the envelope in terms of what Salesforce, or more specifically Salesforce's large enterprise customers, felt comfortable having discussed out in the open.
My impression of the security team at Salesforce is that it's always been a bit of a fiefdom with little input or control from the mothership.
Maybe a plausible explanation of what happened here was that all awareness / approval of the talk was limited to that team, and when an exec outside of the security team heard about it, they freaked out, causing all of this.
Looks like the executive who messaged them 30 mins before took it personally that they ended up presenting even though he asked them not to so he fired them. Otherwise it makes no sense to fire people right after they finish their talk, unless of course you got an ego to show.
Right. Even if he legitimately felt the engineers were out of line in some way -- firing them at a public conference (and not just any conference - but that industry's leading annual conference) is just dumb.
I have a feeling that we're only getting half of the story here. I kinda feel, because of the way the article is written, that these 2 didn't actually get approval to do this release but decided to anyways. There are too many details about that process left out of the article that it feels like it's being disingenuous in its "transparency".
Sounds like an executive that's afraid of "Hackers" and well out of tune with what the industry is about.
As a Sales(overpriced)force user, it's definitely something that infuriates me as someone that would both leverage their platform and METAPISTOL for our firm's consulting work.
Bad on them. It could have been great PR like Netflix and their open source tools.
I find it hilarious that at the end of the post it says "Contact me securely" and goes on to give a PGP fingerprint. All while being served up via http...
It's up to you to check the Web of trust of this fingerprint. It being served over HTTP is not an issue at all. Even in Trust on First Use I would argue delivering over HTTP is not an issue.
I was at a talk at a Math Conference where the speaker wasn't allowed to give the talk due to it being Classified. This speaker was able to register at the Math Conference with the talk and canceled it at the last minute during the presentation. I don't believe that that person had any issues after the talk and was not fired from their position as a researcher.
From what I can read about this the case is similar but in both actions it was a miscommunication. The speakers should have been informed that it was unacceptable. They should have been talked to about their inability to give the talk and the talk should have been cancelled. I would like to hear the other side of the story from Salesforce to give a full judgement, but I would expect a reprimand at best and not a firing.
1. The researcher you are talking about should have known the content was classified well before he did the talk. Whether it was classified or not was not based off the decision of an executive.
2. The punishment for revealing classified data to an audience is clearance loss & likely prison. It is not comparable to revealing proprietary company data that is not classified or not even covered under ITAR.
But it was not classified and they had done the talk at a different conference. According to the article they got a message an hour earlier about not open sourcing it, which they did not do it looks like.
There are methods better than a text to get a hold of someone. Phone, emails, whatsapp, twitter, facebook, calling the conference management, calling colleagues at the conf, go nearby the stage at the beginning of the talk.
Oh and try to be there on time if you need to do something that critical.
Zdnet apparently thinks it’s okay to redirect me (on mobile, after making it halfway through the article) to a scammy website promising I’d won a $1000 gift card, then hijacked my back button so I couldn’t leave. Anyone else experience this?
Looks like you got lucky. I usually get fake virus warnings that vibrate the phone nonstop or redirects to my carrier's store, one misclick away from buying a shitty mobile game.
Most people at Defcon use a "burner phone" (a cheap supermarket feature-phone) while there. Nobody who is sane would turn on their work phone anywhere near the Defcon conference. I go there every year with a throwaway phone and laptop.
So nobody will see a text message in a timely manner, unless they knew the burner phone number.
The term "most people" is terribly exaggerated. Defcon is not nearly as scary as some people make it out to be. If you have the latest security updates across your devices, disable wifi and take a few other precautions things are fine. I was there this year and saw just as many late model iPhones (most likely not a burner) in people's hands as I did at any other conference I attended.
I gave up on burner phones because they were typically old and terribly vulnerable with no possible way to update - think older Android phones. Although, I did win the WiFi Village Fox & Hound hunt a few years back using a Samsung S4, but I had that thing locked down to using only a WiFi strength meter app and of course it was running CyanogenMod back when that was still a thing.
These days I update, backup, and lock down my daily use iPhone before going. See my post earlier in the comments for more details on that. In terms of what was happening in the last two years at DEF CON that could get you with all the steps I took, OpenLTE networks were tricking phones into attaching to them and the most disturbing thing I saw of that was middling of TLS. However, it was of course with a self-signed certificate so as long as you didn't accept the cert, you were likely fine.
If you had an older phone and one without all the latest updates and wasn't configured to be mostly silent, then your experience could be very different. There are a surprisingly high number of SMS exploits which still work to this day on a large number of phones and of course SS7 has architectural weaknesses which will likely never be fixed.
Someone had put a map together of the OpenLTE / catchers they found but I can't find it. In my particular case, I had WiFi off the entire time and received certificate validation failure notices four times at different locations while at DEFCON. Given I was only connecting with LTE, there could only be one explanation for those certificate warnings. I was being redirected to an OpenLTE or other cellular base station and someone was running a MitM proxy or solution like SSLSplit on the connection.
Unfortunately when it comes to calling it "incredibly uncommon", we really don't have any widely deployed solutions to identify rogue cellular base stations so it's very difficult to say how often it happens IRL although the only times I've ever seen it happen have been the last two years at DEF CON.
I was at a company that sent a large cohort to Defcon. I wasn’t going but I went to the pre-conference security briefing. The requirements were fairly extensive: no company laptops, only company phones with a long password, no 2G, no 4G, must be locked to a specific carrier, no WiFi, no bluetooth... the list went on. They were pretty concerned.
Out of my sample size of 1, I didn't take either of my devices -- my work phone or my personal phone -- to defcon or Vegas when I went last year: they didn't even leave my home.
I bought a laptop at Staples, put Fedora on it, used it for the conference, and I only really use it for when I go to conferences and the like.
There is a mix of folks using late model phones and burner phones, but there is a lot of burner usage at DefCon/DerbyCon/BlackHat.
I highly doubt this. Also, bear in mind that few bug hunters would be dumb enough to burn an iOS RCE 0day on some of the most monitored/logged wireless airspace on the planet.
I went there with my iPhone 6S and a Macbook Pro, and was fine. Granted, I spent all of DEFCON holed up in Caesar's doing the CTF, but I didn't encounter any issues.
DEF CON provides conference WiFi with preauthorized certificates (WPA2), so if you remove all other known open networks then you can have secure and sane WiFi at the conference.
>DEF CON provides conference WiFi with preauthorized certificates (WPA2), so [if you remove all other known open networks] then [you can have secure and sane WiFi at the conference].
Emphasis mine. Merely "removing" networks from your device does not preclude you from being attacked. Broadcom, and all the locked-down devices that aren't iPhones or high-end Android devices that use their chips, demonstrate this quite nicely.
I haven't heard any reports of people using the Broadcom attack on a vulnerable device at DEFCON (and there are a whole lot of people monitoring the airwaves).
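The WPA2-Enterprise point raised a few comments up is worth making concrete from the client side. The following wpa_supplicant network blocks are an added example, not configuration published by DEF CON or by anyone in this thread; the SSID, the CA file path and the RADIUS server name are placeholders. The first block is what a "just get me on the network" setup often looks like, the second shows the two settings that actually make the "preauthorized certificate" protect you.

```conf
# Added example, not from the thread: two wpa_supplicant network blocks
# for a WPA2-Enterprise SSID. The SSID, file paths and server name are
# placeholders, not the conference's real values.

# WEAK: no ca_cert and no server-name check. The supplicant completes the
# EAP handshake with whatever RADIUS server certificate it is shown, so an
# access point broadcasting the same SSID can terminate the TLS tunnel and
# receive the inner credentials.
network={
    ssid="ExampleConferenceSSID"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="attendee"
    anonymous_identity="anonymous"
    password="inner-password"
    phase2="auth=MSCHAPV2"
}

# HARDENED: pin the CA that signed the server certificate (the file the
# conference publishes ahead of time) and require the certificate's name to
# match the expected RADIUS host. A server that fails either check is
# rejected before any inner credential is sent.
network={
    ssid="ExampleConferenceSSID"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="attendee"
    anonymous_identity="anonymous"
    password="inner-password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/wpa_supplicant/conference-ca.pem"
    domain_suffix_match="radius.example.org"
}
```

Two practical notes: keep the weak block out of the file entirely rather than just lowering its priority, and make sure no saved open network shares the SSID, since `key_mgmt=WPA-EAP` only stops the supplicant from joining an unencrypted twin if there is no other block willing to do so.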
I didn't see this myself but the guy who works the drivethru at my local burger king told me that the red team has perfected the flame grilled whopper and they had to be fired because they had gone too far
The exploit name certainly has sexually violent connotations to me. I imagine that anyone who has been sexually assaulted would feel very uncomfortable working in an organisation that condoned such language - something like 10% of the population.
I'm not condoning firing as a response - that's as thoughtless and unimaginative as the name. And perhaps the name isn't even the reason for it - that doesn't seem to be clear. But come on guys, try to stay classy.
> I imagine that anyone who has been sexually assaulted would feel very uncomfortable working in an organisation..
How far do you take this word-association game?
I note that the US represents itself using the image of an eagle. So did the Roman Empire, and later the Nazi party. Should everyone be uncomfortable with America over that?
I don’t think that was related to the firing, from what I can tell, however I do agree with you, I thought the name was a bit distasteful and not appropriate for an open source project.
Why all this morality police? It's just humorous, and to understand the double meaning, it requires quite a bit of imagination.
To be fair, I think it's more common for security projects to take on more aloof names. Who could forget "John the Ripper" or "Back Orifice" from the Cult of the Dead Cow? I'm sure there are many more...
> I think it's more common for security projects to take on more aloof names
True, although I also find the negative sides of "hacker culture" more pervasive and less challenged than "brogrammer" culture or whatever term you want to use.
> Why all this morality police?
I find it overly sexualised, from a very masculine perspective. That's not really appropriate in a professional context in my opinion, but more than that, it can really put some people off the industry. Unfortunately, those people it puts off are disproportionately from groups that are already minorities in the industry, and so it helps in some small way, to perpetuate the lack of diversity.
Obviously this particular example really is only a small part of the problem, but it all contributes, and one of the easiest ways to do our part for increasing diversity and making the industry more welcoming is to do things like improve the naming of our projects.
Feel sorry for these guys.