Salesforce sacks two top security engineers for their DEF CON talk

Revealing penetration-testing tool sealed staffers' fate

Salesforce fired two of its senior security engineers after they revealed details of an internal tool for testing IT defenses at DEF CON last month.

Josh Schwartz, director of offensive security, and John Cramb, a senior offensive security engineer based in Australia, were sacked by a senior Salesforce executive minutes after giving a talk at the hacking conference, according to our sources familiar with the matter.

The duo were warned in a message from a manager, sent half an hour before the start of their presentation, not to go on stage. Schwartz and Cramb didn't see the text in time, gave their talk, and were told shortly after they no longer worked at Salesforce.

The presentation centered on an internal project called MEATPISTOL, which was described as "a modular malware framework for implant creation, infrastructure automation, and shell interaction." It's similar to the popular penetration-testing tool Metasploit; that MEATPISTOL is an anagram of Metasploit is no coincidence.

The plan was to open-source MEATPISTOL, although this move was resisted by bosses and lawyers at Salesforce at virtually the last minute despite being signed off earlier this year.

Schwartz and Cramb were part of the San Francisco financial cloud giant's red team, a group of hackers specializing in testing and strengthening network security by finding and exploiting weaknesses. They had been working on MEATPISTOL to help other red teamers do their job. Here's a description of the code and the presentation from the DEF CON website:

Attention Red Teamers, Penetration Testers, and Offensive Security Operators, isn't the overhead of fighting attribution, spinning up infrastructure, and having to constantly re-write malware an absolute pain and timesink!?! It was for us too, so we're fixing that for good (well, maybe for evil). Join us for the public unveiling and open source release of our latest project, MEATPISTOL, a modular malware framework for implant creation, infrastructure automation, and shell interaction.

This framework is designed to meet the needs of offensive security operators requiring rapid configuration and creation of long lived malware implants and associated command and control infrastructure. Say goodbye to writing janky one-off malware and say hello to building upon a framework designed to support efficient yoloscoped adversarial campaigns against capable targets.

Within hours of giving their talk at 5pm on Friday, July 28, Schwartz tweeted that he and Cramb had exited Salesforce. He later removed the tweet after pressure from managers. Four days later, Cramb tweeted to say they “both care deeply about MEATPISTOL being open sourced and are currently working to achieve this.”

A spokesperson for Salesforce declined to comment as the matter involved individual employees. Schwartz and Cramb could not be reached for immediate comment. The pair are being represented by attorneys at the EFF, who told The Register no legal action has been taken so far by either side as a result of the DEF CON presentation. ®

Additional reporting by Shaun Nichols. Hat-tip to journo Zack Whittaker for breaking the news late on Wednesday.

Sponsored: The Joy and Pain of Buying IT - Have Your Say


Biting the hand that feeds IT © 1998–2017