If you're close to the Silicon Valley tech community you know the Salesforce datacenter organization and recently security organization has been taken over by many ex-Microsoft executives who are fairly clueless when it comes to security.
This has left the security organization mired in internal political turmoil and has triggered the exodus of most intelligent security professionals from the organization.
This situation appears to be a case of the new and confused security executive mentioned in comments on this thread overreacting.
I say "confused" because for the presenters to get this far they obviously have gone through levels of approval for the talk and presented material internally. This talk was indeed presented before at the Chatham House Red Team Summit in SF where many tech company Red teams were present and code released to some collaborating parties. If you don't know what is going on in your own organization with your directors you are confused.
I say "overreacting" because any decent security executive knows you can't ask a team member to pull a Defcon talk on extremely short notice as it would be damaging to their personal reputation in the community. Firing them for not pulling the talk is completely idiotic as it's likely to burn the organizational reputation with the security community. It was likely just a snap decision by said confused executive who did not understand the ramifications of his decision. If you fire someone after they get off the stage at Defcon you more than likely have overreacted.
Sadly these are the types of things that happen when you have poor leadership at high levels. I feel bad for the good security folks still left at Salesforce who have to tolerate this garbage. Luckily there is a massive demand for good security professionals so they should have no trouble finding other employment, hopefully with competent leadership.
Using a throwaway account as my username is very close to my real name :-(
> If you're close to the Silicon Valley tech community you know the Salesforce datacenter organization and recently security organization has been taken over by many ex-Microsoft executives who are fairly clueless
This. A thousand times this. The Microsoft rot started in the Datacenter and Security org but is fast spreading to all of infrastructure resulting in a culture that is dramatically different from the rest of Salesforce.
If you're from Microsoft (or better yet, a crony of a high up Microsoftie in Salesforce) you are guaranteed to receive a plum job with a bump up of at least two or more seniority levels and preferential treatment in every aspect.
It's not hard to find examples of mid-level ICs (level 61 - 62) being brought in as Senior Directors, level 63's being brought in as principal architects etc. What about non-Microsoft people? Well, in that case we need to 'carefully consider the feedback', 'be conservative in our approach', 'avoid being too generous' etc.
Every process, from hiring, to promotions, to appraisals has been systematically corrupted and taken over almost exclusively by Microsoft people with the inevitable results.
It's like watching an aggressive strain of flesh-eating bacteria at work. It would be comical the amount of damage this is causing Salesforce if it weren't for the enormous human impact.
Wait, there are 63 or more levels of management at Salesforce? Is there a level 1? Is there anything higher than 63? What's the distinction between a 61 and a 62?!
Sorry not so sorry. These people leaving MS was the best thing that ever happened to MS. It's sad that because of one of them, this unfortunate event had to occur.
> ... security organization has been taken over by many ex-Microsoft executives who are fairly clueless when it comes to security.
i.e. the people who hired them are also clueless when it comes to security. And, the people who hired them did not perform due diligence to be sure that the hirees were competent.
Or, maybe one "bad apple" got hired via bluff and bluster, and then proceeded to hire tons of incompetent cronies.
Either way, the higher-ups at Salesforce haven't been paying attention to how their organization is being run.
The article says that they were forbidden to announce open-sourcing of the tool. They were required not to cancel the speech, but to not announce open-sourcing. Having such second thoughts about open source is so typical of old-school managers, it doesn't even surprise me.
> The tool was expected to be released later as an open-source project, allowing other red teams to use the project in their own companies.
> But in another text message seen by Schwartz and Cramb an hour before their talk, the same Salesforce executive told the speakers that they should not announce the public release of the code, despite a publicized and widely anticipated release.
If the executive told them not to announce the open-sourcing, then he was expecting them to speak, just not that they would announce the open-sourcing. My guess is that they did not acknowledge that first request, and thus the executive told them half an hour later to cancel all. So the original issue of confrontation was about the open-sourcing, not about the speech itself.
If they don't acknowledge the first text the answer is to send another much more extreme text? Why not just a reminder of the first text? Or call them? Or talk to them in person, because he seems to have been there in person.
If they missed the first text there's a good chance they might miss the second text as well.