
I was not at the conference and have no first hand knowledge of what happened.

But before everyone gets on their high horse, please pause to reflect:

This was all company work product being presented by company employees who were on a company funded conference trip. Therefore there is an approval process for vetting presentations as well as a legal process for opensourcing code. This is standard practice at all companies.

Now what do you think is more likely: That the PR department would approve of a talk titled "meatpistol" (FIXED) (have you seen the slides?) and the legal dept would approve of open sourcing the code and then at the very last minute both groups would change their mind and try to pull the talk, or that the presenters never got the OK in the first place, the company found out at the last minute, asked them to pull the talk and they refused?

How likely is it that they would get official approval for their talk under a "Chatham's rules" meeting in February for a presentation <strike>in August</strike> at the end of July? Isn't it more likely that they got some initial approval for a talk in February, but that PR still wanted to vet the actual slides in <strike>August</strike> July? (I'm assuming that the slides were made after February.) Which PR department gives approvals like that? What legal department works this way? In my experience, stuff like this happens at the last minute, because that's when you're finishing your slides (as well as your code), and generally PR is going to ask that you make some changes to your slides and they will want the final copy before signing off. Now maybe I'm wrong and the article is correct, but I think it's unlikely.

Moreover given that Salesforce can't talk about this matter, who do you think is the source for the article and whose side are you hearing?

The last few days have really highlighted how quick people are to pile on with outrage and self-righteous indignation before getting all the facts.



During the talk they told us why they called it meat pistol.. it's an anagram for metasploit. Meat Pistol made sense because it shoots out malware implants.

Also why pull out in the last 30 mins? And why fire them? No warnings? Mistakes happen, you don't fire a director for something like that. The PR process is to make sure the company's image looks good, who better knows the Defcon audience? Hackers or PR people who don't understand the framework?

There is really no other way to see it than Salesforce fucked up.


> During the talk they told us why they called it meat pistol.. it's an anagram for metasploit. Meat Pistol made sense because it shoots out malware implants.

I wonder why they didn't pick Metapistol.


What are you more likely to remember a week from now: Meatpistol or Metapistol? Reminds me of the resistor color code mnemonic, something I memorized for life the first time I heard it.


Ahh! Violet! I miss her.


Leave her alone, she's just 7.


[flagged]


The former, because it is both risque and clever. The latter is just rude and unrelated, and will be forgotten with the rest of the mental trash.


The original comment was flagged to oblivion, but I'm assuming it quoted one of the ones on https://en.wikipedia.org/wiki/List_of_electronic_color_code_..., in which case - unless you feel inclined to start yet another Wikipedia edit war - it will probably not "be forgotten with the rest of the mental trash".

I too hope that nobody actually uses such a mnemonic in this day and age, but for such a mnemonic to be forgotten entirely would be a massive loss. Whitewashing the past of its blatant racism and sexism will only serve to erase the reminders we as a society have of why the present is an improvement on the past. Every artifact of such archaic and abhorrent beliefs serves as yet another datapoint demonstrating the whole concept of "Mak[ing] America Great Again™" to be misguided at best and abhorrent at worst.

In other words: we absolutely shouldn't be teaching such a mnemonic in classrooms, but we absolutely should continue to document their existence as evidence of exactly how fucked up the past really was.


No, it's not quoting anything from there. It's just random obscenities jumbled together.

HN has a setting that allows you to view dead posts.


There's a lot of things you can wonder, but they're not all worth mentioning.


>During the talk they told us why they called it meat pistol.. it's an anagram for metasploit. Meat Pistol made sense because it shoots out malware implants.

OK, try getting a PR department to sign off on that.


The whole point is that they already knew about it beforehand (it being called meatpistol, hence the previous meeting) so firing them 30 mins prior is bullshit, hence the drama.

And they presented it at Hushcon before with approval so what's the problem with that?


And this is what I'm saying is unlikely, because, try getting a PR department to sign off on that.


> And they presented it at Hushcon before with approval so what's the problem with that?


Why do you think they got approval at Hushcon?


Because Salesforce did nothing after hushcon? Which means it would have been approved.. say if it wasn't approved, isn't that a failure on SF's part because the employees would think it's fine.

I don't see why you keep defending Salesforce, they did mess up even if say the employees did not go through the approval process. You don't fire people over that, especially if previous talks are public on the same subject. Especially not at Defcon. That's why SF is in the wrong.


There's a lot of assumptions in this interpretation of events. It's entirely possible that warnings were issued after hushcon and that's why action was so severe this time around. It's also possible that no warnings were ever issued and there is blame for overreacting due to the management. Either way, it seems like there's plenty of information available for interpretation but not conclusion in this scenario.


Not all companies are like that. I developed an internal admin tool and called it RETARD (it's an acronym).


I'm glad I don't work at a company where that's an acceptable project name.


One dictionary I have at hand details five definitions of the word retard.

Why do we have to feel obliged to take offense at the whole word due to one slang definition.

Why should MEATPISTOL be a problem?

retard

1. to make slow; delay the development or progress of (an action, process, etc.); hinder or impede.

verb (used without object)

2. to be delayed.

noun

3. a slowing down, diminution, or hindrance, as in a machine.

4. Slang: Disparaging and Offensive. a contemptuous term used to refer to a person who is cognitively impaired.

a person who is stupid, obtuse, or ineffective in some way: a hopeless social retard.

5. Automotive, Machinery. an adjustment made in the setting of the distributor of an internal-combustion engine so that the spark for ignition in each cylinder is generated later in the cycle.


I'm not offended and don't take issue with the use of retard in a non-slang context, but for the naming of a project I think it's inappropriate to use a word that could bring back hurtful memories of harassment that people have potentially endured.


Don't get anywhere near fire retardants...

Seriously, there is a balance to be had. People who went through traumatic events are often offered therapy precisely because you can't reasonably expect the entire world to guess and remove every single thing that can trigger someone's hurtful memories.


Then can we at least postpone the renaming until someone actually complains about it first-hand, rather than "just in case" and on someone else's behalf?


Would you name a project the same as your username?


That's a historical accident. My name in RuneScape when I played as a kid had football in it and I shortened it to foota.


I'm glad I don't work at a company where the thought police will come down on you if you don't take yourself too seriously.


"Thought Police" is alt-right for "Nazi"


Didn't you get the memo? Anyone who doesn't immediately and fully agree with your position is a "nazi", regardless of what that position is.


Still okay if there were any co-workers who found it offensive? Perhaps because it hits home for them?


Am I the only one who immediately thinks of the verb form of "retard" when it's presented with absolutely no context?

I'm so used to hearing without any conceit that antibacterial mouthwashes can retard bacterial growth.



I'm glad we haven't been forced to stop using ritardando in music settings yet.


To me the word "retard" immediately brings to mind fire retardants. Offense is in the eye of the person who takes offense...


[flagged]


^^ Spot the Salesforce corporate communications team kicking in...


ha good catch.


"Also why pull out in the last 30 mins?"

Actively developing and planning to release a malware creation tool? That sounds like developing and releasing cyber weaponry. We've got export laws regarding that IIRC.


Yea. EAR and ITA explicitly cover this, in fact.


Which part, specifically? The only restriction on the EAR I see that applies is that on encryption, and Part 742.15(b) provides an explicit exception for software where the source is publicly available. That's why, for example, non-US citizens must request a special license to download the paid Metasploit version but can download the open source version freely[1].

[1] https://community.rapid7.com/community/infosec/blog/2015/06/...


Journal of National Security Law and Policy, Vol. 8, No. 2, 2015. Quite the argument made there that EAR and ITA do indeed deal with the making and distribution of cyber weaponry.


Thanks for the reference!

I think that article only emphasises that it is not subject to those regulations. Quote:

We conclude that, at a technical level, the distinction between weaponry and non-weapon malicious software lies in the payload component of the tool, which must be capable of creating destructive digital or physical effects

Meatpistol is only a framework, therefore there's no payload component.


Apparently the fired employees have enough of a case that the EFF agreed to represent them.

Given that SF employees have presented at many conferences in the past I don't see that getting official approval for the presentation is that strange.

I agree that we need more details, but can you really say that this situation has not played out many times before?


I'm a little confused what their case is, can't the company fire them at any time with no reason? I don't really know much about employment law, but that was my understanding.

Like if they went on stage and flopped, they could get fired. Similarly maybe they were too good. Or the boss was having a bad day.


> can't the company fire them at any time with no reason?

One of the employees is based out of Sydney, so no, California at-will employment law doesn't apply.

It would be interesting to see what grounds they are using to fire him.

Based on previous experiences with other companies, I found that it's not unusual for executives in one country to think that the employment law in their jurisdiction is universal and just assume they can apply it to employees in other countries.


You can be fired as an Australian employee at any time but they will still need to pay out the notice period in their contract and whatever accrued annual leave they had.

Most notice periods in AU are 4 weeks so you either are fired with 4 weeks notice or fired immediately and paid for those 4 weeks.

(The notice period also applies if you decide to leave the organisation)

The rule specifically is:

Can notice be paid out instead of worked?

Yes. An employer can either:

Let the employee work through their notice period, or

pay it out to them (also known as pay in lieu of notice).

If the employer pays out the notice, the amount paid to the employee must equal the full amount the employee would have been paid if they worked until the end of the notice period. This includes:

* incentive-based payments and bonuses

* loadings

* monetary allowances

* overtime

* penalty rates

* any other separately identifiable amounts.

If the employer pays out the notice, the employee does not accrue any annual leave for the notice period they were paid out for.

https://www.fairwork.gov.au/ending-employment/notice-and-fin...


But employment in Australia is not at-will, so regardless of their obligations to pay out the notice period they also need to have a valid reason for the dismissal.

https://www.lawsociety.com.au/community/publicationsandfaqs/...

They might have one here, but I doubt it.

Specifically John Cramb (the Australian) was presenting alongside Josh Schwartz the director of offensive security. It seems that one could reasonably establish that John was acting under the directions of his superior, and that would mean that the default position would be to assume that his actions were sanctioned by the company unless they can prove that he knew otherwise.

And even then, they would be expected to provide a written warning, or justify why the violation was so extreme to justify immediate termination (which would be very difficult given he was active under the instructions of a superior).

Based on the limited evidence we have, it seems that Salesforce has unfairly dismissed John, and that the Californian executive ought to have consulted with an Australian HR lawyer before he acted.


I'm ignorant as far as Australian law. Is this true if the company is based in America and the worker is laboring either in America or remotely? It seems like at that point Australian law wouldn't directly apply to termination decisions.


It depends.

Generally speaking, multinational companies will offer employment contracts through a local subsidiary. In that case the employment will fall under the laws of that country. And if they send you on an overseas business trip that doesn't change anything - even if the parent company is domiciled in that country.

If they don't have a local presence, and you're working remotely, then you're more likely to be a contractor and dismissal laws are pretty loose.

The interesting thing would be if they had a local subsidiary but chose to employ you on contract to the parent company. I suspect (but IANAL) that the Australian Fair Work Commission would determine (if the contract was long term and indefinite) that you were actually an employee of the local subsidiary.


> You can be fired as an Australian employee at any time

That's not true, we have unfair dismissal laws: https://www.fwc.gov.au/termination-of-employment/unfair-dism... . From the page:

Your dismissal may be considered unfair if:

* you were dismissed, and

* your dismissal was harsh, unjust or unreasonable, and

* your dismissal was not a case of genuine redundancy, and

* if you were employed by a small business, your dismissal was not consistent with the Small Business Fair Dismissal Code.

Personally I would consider this harsh, unjust and unreasonable, especially if this is the first time and the person doesn't have a lot of publicity experience.


I am an Australian in Sydney with a Californian contract. Both parties can walk at any time.


Even if they have a corporate structure that seems to make the Fair Work Act not apply (say, making you a contractor of a foreign company), I'm pretty sure that the commission will still generally rule against the employer if you're effectively working as an employee and you take it to the ombudsman. So if, say, they provide office space and a computer, you work regular full-time hours and it's more than a temporary contract then it will usually be considered a sham contracting arrangement and you'll be eligible for all the standard full-time employment protections.


Are you an employee or a contractor? From among my circle of friends working for foreign companies the possible arrangements I've seen are: (a) employee of Australian subsidiary of foreign company (my situation) (b) employee, under a contract governed by Australian law, of a foreign company directly or (c) independent contractor of foreign company.

(a) and (b) give you Australian employment protections. (c) obviously only gives you whatever protections are in the contract.

I've never seen anyone under a contract of employment (rather than a contract for services) of a foreign company that purports to not be governed by Australian employment law.


California labor code section 201 (a): "If an employer discharges an employee, the wages earned and unpaid at the time of discharge are due and payable immediately."

Firing someone in California requires that they be paid in full right then and there. This includes payment for accrued vacation time, comp time, etc. Were these employees paid off properly?


The penalty is the employee's wages, day-for-day, up to 30 days. So yes, it will probably be payable, but it's just money (rather than somehow invalidating the termination, for example), and it's unlikely either side will care much about the amount.


They are probably still getting full salary and benefits until the next scheduled payday. That's how companies in CA get around the rule that employees must be paid in full on their last day.


Err, no. Payable immediately doesn't mean somebody has to hand you a wad of cash.


In California, it does.[1] California has the strictest law in the US on this.

[1] http://www.turleylawfirm.com/blog/final-paycheck-laws-for-te...


Fair enough. Salesforce has enough money that they can afford to pay the minor penalty for violating this.


For the California employee, they have to PAY YOU IMMEDIATELY, THEN AND THERE. That means either a pre-loaded card, check, or cash in hand, or other acceptable instrument of legal tender, such as a money order.


You're right. They can also hand you a check.


Any reason that isn't prevented by labor protection laws, examples: sexism, racism, ageism, whistleblowing retaliation.


Not any reason, wrongful termination lawsuits happen, and companies usually have processes for firing people, reviews to document performance etc..


> Not any reason, wrongful termination lawsuits happen, and companies usually have processes for firing people, reviews to document performance etc..

Actually, they can (with a few exceptions). California is at-will employment:

"At-will employment is a term used in U.S. labor law for contractual relationships in which an employee can be dismissed by an employer for any reason (that is, without having to establish "just cause" for termination), and without warning."

Or, as the Supreme Court of California explains:

"[A]n employer may terminate its employees at will, for any or no reason ... the employer may act peremptorily, arbitrarily, or inconsistently, without providing specific protections such as prior warning, fair procedures, objective evaluation, or preferential reassignment ... The mere existence of an employment relationship affords no expectation, protectable by law, that employment will continue, or will end only on certain conditions, unless the parties have actually adopted such terms."


Yes, but an employee can still file a wrongful termination lawsuit if they believe that the "no reason" termination was bullshit and that they were actually fired for an illegal reason.

Like, if someone decides to come out of the closet on social media and their co-workers find out and their boss hears about it and fires them the next day but claims that it's a "no reason" termination, it would certainly raise suspicion that they were actually being fired for being gay and they might win a wrongful termination lawsuit, even in an at-will employment state.


Sexual orientation is a protected class in California[0].

[0] http://www.nolo.com/legal-encyclopedia/california-employment...


>Given that SF employees have presented at many conferences in the past I don't see that getting official approval for the presentation is that strange.

It's not strange at all. So dig up some of those slide decks of past SF talks and compare them to what was presented in the meatpistol talk. Then you can decide for yourself whether you think this talk was approved or not -- it would be the same PR department approving all the talks, right? In any case, the facts may come out in the representation, as you suggest.


I have no idea about SF's processes specifically but it's certainly not universal practice to have conference presentations signed off by PR or anyone else within an organization. Doesn't mean there can't be repercussions if you say something inappropriate or disclose information you shouldn't, but not all companies require signoff from presentations.


Any comparatively large corporation very likely has a release process for these sorts of things where a bunch of groups (like PR, maybe Legal etc) would take a look. Releasing company IP as open source outside of such a process would be a gross violation of any number of non-disclosure agreements between employer and employee.


Help me out here. What is EFF's involvement in this?

Generally I can kinda see how the EFF would be interested in the topic of their presentation, but effectively this is an employee and employer legal issue now.


Which is more likely? That someone wanted this cancelled in the last 30 minutes. As you said, this was a company funded trip. There is no way this wasn't known. Multiple people were on the trip that knew of the talk well before it started. And if you knew something was going to be released that shouldn't be released, why wouldn't you go to the place where the talk was being held and stop it? Especially without confirmation.


Let's say this talk was never approved by PR and the employees went rogue. Firing someone in public right after they give a talk is still terrible optics. Even if salesforce is in the right, this executive looks totally incompetent, which in turn reflects poorly on the company. Unless it was an extended salesforce trash talk, that is.


So your intention is that they have this talk without the exec knowing it was going to happen?

The exec that fired them was an attendee at the conference. How can he not have known about their talk? That makes no sense.


puppet is not mentioned once in the article. It's called MEATPISTOL, which is obviously a codename. Also this is Defcon.


You're right, fixed. Of course it was defcon -- where did I say it was something else?


>> The last few days have really highlighted how quick people are to pile on with outrage and self-righteous indignation before getting all the facts.

Amen.


The facts are the exec that hired them was an attendee at the conference. He must have known perfectly well what they were going to present well in advance. So the facts are that prior authorisation doesn't look like it could possibly be the issue.


I think you're exactly right here. The article leaves off too many details and speculates entirely too much for me to feel comfortable making any kind of assessment and I think that this is exactly what they want. We haven't heard any official statements from EFF, Salesforce, or anyone besides anonymous sources. That kind of deliberate omission usually means that there's more to the story than we're led to believe and they need to get their side out there immediately to dredge up quick support and a clickbait headline to put in people's heads. There's still a chance that it's exactly what they said, but I find that hard to believe at this stage.



