must read Do you know how to talk the talk?: Communications tips for tech managers

Salesforce fires red team staffers who gave Defcon talk

"As soon as they got off the stage, they were fired."

The creators of MEATPISTOL said they are working to get the tool open sourced. (Image: file photo)

Salesforce has fired its director of offensive security and another senior staff member after they gave talk at the Defcon security conference talk in Las Vegas last month.

Josh Schwartz, director of offensive security based in San Francisco, and John Cramb, senior offensive security engineer in Sydney, Australia, worked on the cloud giant's security "red team," which launches offensive attacks against the company from within to test its cyber posture and defenses.

But the two were fired "as soon as they got off stage" by a senior Salesforce executive, according to one of several people who witnessed the firing and offered their accounts.

The unnamed Salesforce executive is said to have sent a text message to the duo half an hour before they were expected on stage to not to give the talk, but the message wasn't seen until after the talk had ended.

The talk was to reveal MEATPISTOL, a modular malware framework for implant creation, infrastructure automation, and shell interaction, aimed at reducing the time and energy spent on reconfiguration and rewriting malware. The tool -- an anagram of a similar tool, Metasploit -- doesn't launch attacks or exploit systems, but it allows red teamers to control the system once access has been granted. MEATPISTOL was pitched as taking "the boring work" out of pen-testing to make red teams, including at Salesforce, more efficient and effective.

The talk had been months in the making.

Salesforce executives were first made aware of the project in a February meeting, and they had signed off on the project, according to one person with knowledge of the meeting. (The meeting was held under Chatham House rules.)

The tool was expected to be released later as an open-source project, allowing other red teams to use the project in their own companies.

But in another text message seen by Schwartz and Cramb an hour before their talk, the same Salesforce executive told the speakers that they should not announce the public release of the code, despite a publicized and widely anticipated release.

Later, on stage, Schwartz told attendees that he would fight to get the tool published.

Cramb also said in a tweet after the firing that they both "care deeply about MEATPISTOL being open sourced and are currently working to achieve this" without being "legaled to death."

News of the firing broke when Schwartz tweeted several hours after the talk, by which point it was already well known throughout the conference. He later deleted the tweet at the company's request citing "due process," and he set his Twitter account to private.

Schwartz and Cramb are now being represented by the Electronic Frontier Foundation.

The specific reason for the firing is unknown.

When reached, Schwartz and Cramb declined to comment. A Salesforce spokesperson declined to comment on an "employee matter."

The duo's talk was well received, according to those who attended.

Several prominent security researchers criticized Salesforce following the firing. Khalil Sehnaoui, a security researcher who was at the conference, said in a tweet: "If you're going to start a rebellion amongst all your red-teamers, don't do it at Defcon."

The community has since forwarded the duo a number of job offers.

Schwartz and Cramb are due to speak at DerbyCon and BruCon later this year.

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755–8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.

Visit ZDNET