Why Two Pentesters In Iowa Are Facing A Criminal Investigation and Trespassing Charges (arstechnica.com) 110
Ars Technica's security editor re-visits the story of two security penetration testers from Coalfire who were arrested one midnight in the county courthouse in Adel, Iowa (population 3,682):
"They were crouched down like turkeys peeking over the balcony," Dallas County Sheriff Chad Leonard said in an interview. "Here we are at 12:30 in the morning confronted with this issue -- on September 11, no less. We have two unknown people in our courthouse -- in a government building -- carrying backpacks that remind me and several other deputies of maybe the pressure cooker bombs." After more deputies arrived, Justin Wynn, 29 of Naples, Florida, and Gary De Mercurio, 43 of Seattle, slowly proceeded down the stairs with hands raised. They then presented the deputies with a letter that explained the intruders weren't criminals but rather penetration testers who had been hired by Iowa's State Court Administration to test the security of its court information system. After calling one or more of the state court officials listed in the letter, the deputies were satisfied the men were authorized to be in the building...
When Leonard arrived on the scene, the mood quickly changed. Leonard read the letter and sized the men up. It said the men were authorized to perform "physical social engineering to attempt to gain access" to courthouse systems... The letter also listed tasks that should not be performed, including alarm subversion, force-opening doors, and accessing environments that require personal protective equipment. The pentesters had already said they used a tool to open the front door. Leonard took that to mean the men had violated the restriction against forcing doors open. Leonard also said the men attempted to turn off the alarm -- something Coalfire officials vehemently deny. In Leonard's mind that was a second violation. Another reason for doubt: one of the people listed as a contact on the get-out-of-jail-free letter didn't answer the deputies' calls, while another said he didn't believe the men had permission to conduct physical intrusions. The sheriff also said he and his deputies smelled alcohol on the breath of one of the men. (Leonard, who didn't identify which Coalfire employee it was, said a test later showed the pentester had a blood alcohol content of 0.05, the equivalent of one or two drinks. It is below the 0.08 threshold for an operating while intoxicated conviction.) Leonard promptly had the men arrested on felony third-degree burglary charges...
The charges have since been reduced to misdemeanor trespassing charges. Trial is scheduled for April. Meanwhile, the sheriff's department in nearby Polk County is conducting a criminal investigation into a September 10 break-in on its courthouse under the same arrangement with the State Judicial Administration.... The get-out-of-jail-free letter "said you won't manipulate doors," Leonard said. "Well, they picked four doors. It said they won't manipulate the alarm system. They went right up to the alarm and tried to shut it off. The biggest issue is they were only supposed to work from 6AM to 6PM. They came out in the middle of the night and broke in." Equally important, Leonard said, is what he believed to be the overstepping of Iowa officials who retained Coalfire. When the sheriff confronted the men that night, he said: "The State of Iowa has no authority to allow you to break into a county building. You're going to jail."
Stupid should not mean jail (Score:1, Flamebait)
They were stupid, no doubt about it.
But they should plead guilty to a misdemeanour, no jail time.
Re:Stupid should not mean jail (Score:5, Insightful)
Except they didn't knowingly trespass, which is what the law requires.
It's unlikely a Judge is going to allow this to even go to trial. If it went to trial, there's no way a jury is going to convict. The Chief of the State Supreme Court signed documents giving them access. Who is going to convict someone for a crime for doing something the Chief Judge told them they could legally do? Crimes require mens rea, the intention or knowledge of wrongdoing. It's impossible for a prosecutor to prove the "knowingly" part beyond a reasonable doubt when these guys can reasonably claim based on signed contracts that they were just doing their job.
Re: (Score:1, Insightful)
Re: (Score:3)
Are you sure there's no way to resolve this without someone ending up incarcerated?
Re: (Score:2, Insightful)
Are you sure there's no way to resolve this without someone ending up incarcerated?
You may see them as overly enthusiastic security testers who intended no harm. But to the prison guard unions, their incarceration means jobs. To the stockholders in private prisons, it means profit.
Every empty prison cell is a wasted resource. Lock'em up. It's the American way.
Re: (Score:2)
No, sounds like they're pretty sure it was just a heart attack, no head-removing autopsy will be performed.
https://apnews.com/b0032565dd174fc1bc1acb5285d64d7e [apnews.com]
Re:Stupid should not mean jail (Score:5, Interesting)
You obviously didn't bother to RTFA, as usual, but from the independent investigation report the SCA commissioned:
The three different contracts/documents had partially conflicting requirements. The night before the team was congratulated by the State IT Director for breaking into one of the other buildings in the middle of the night. There was clearly no expectation by the pen-testers nor the person they were coordinating with that they were limited in physical intrusions to before 6pm.
The Chief wasn't "overriding" laws, he was doing routine administrative work that he's supposed to be the one managing. Just because the County owns the courthouse doesn't mean Judges don't have legitimate access and the ability to allow others access. Certainly you can't convict someone of a crime for relying on the head Judge's permissions to visit a courthouse. There's obviously no criminal intent there, which is what the law requires for a conviction.
Re: Stupid should not mean jail (Score:4, Insightful)
Re: (Score:2)
Just because the County owns the courthouse doesn't mean Judges don't have legitimate access and the ability to allow others access.
A county is an instrument of the State government; at least in one respect --- the signature of a State Judge is powerful in every state and can only be overridden by a Judge that sits at a higher court. How fitting that the testers' permission slip was signed by a state Judge, a bonafide officer of the court.
This case sounds like a non-starter. There is hardly a
Re: (Score:3)
https://www.kcci.com/article/public-service-celebrating-iowa-chief-justice-mark-cadys-life-scheduled-for-wednesday/29820163
Re: Stupid should not mean jail (Score:1)
Yeah you're either trolling or not so bright.....
I worked in the courts. In a courthouse the judges are second only to god (and in a properly separated church and state, the judge IS god), if the judge authorises it, it's authorised, no ifs, no buts. That there was a breach of contract regarding doors and alarms is a civil matter, not a criminal one. They were authorised to enter, and that's all a trespass conviction cares about.
Re: (Score:2)
No, but the Chief Justice has administrative control of the non-Federal courts in the State and so he can say it's okay for someone to enter a _courthouse_, even if the County owns title to the land and building.
Re: (Score:2)
They weren't supposed to be in the building after 6pm.
They had a clear letter from a state authority acting in their governmental role providing them to be there. The fact that they were there or remained there outside the exact times expected does not automatically convert the activity to trespassing.
If there's a Law against an employee or contractor being present in the building past work hours OR against an employee or contractor touching the alarm system without permission, then... By all
Re: (Score:1)
Re:Stupid should not mean jail (Score:5, Insightful)
The reason these guys were arrested for doing their jobs is that their jobs embarrassed the "security" and the cops who didn't do theirs.
The security system detected the intrusion and the cops caught the intruders. So they did do their job.
Re: (Score:2)
The reason these guys were arrested for doing their jobs is that their jobs embarrassed the "security" and the cops who didn't do theirs.
The security system detected the intrusion and the cops caught the intruders. So they did do their job.
Uh...
"The night before the team was congratulated by the State IT Director for breaking into one of the other buildings in the middle of the night."
Sure as hell helps a lot when the cops likely knew exactly where and when the next test was going to happen. I'd reserve judgement on their ability to do their job for now.
Re: (Score:3)
Exactly, these guys believed they were within the law and doing nothing illegal.
"The State of Iowa has no authority to allow you to break into a county building."
They had no reason to know this, they should go after the state for acting in excess of their authority.
Re: (Score:2)
They had no reason to know this, they should go after the state for acting in excess of their authority.
They're probably technically incorrect.... The State of Iowa has the power to allow ANY named person into ANY location, building, etc, within the state of Iowa. Technically, under the right circumstances: the state of Iowa could even foreclose on a County-owned or Privately-owned property; for example, a Judge can sign a document called a court order designating the new owner of propert
Re:Stupid should not mean jail (Score:5, Interesting)
It's unlikely a Judge is going to allow this to even go to trial. If it went to trial, there's no way a jury is going to convict.
You've obviously never served on a US jury or you wouldn't say that. All bets are off when anything goes to a jury. I've served on a jury twice and I hope I never, ever do it again. It has permanently soured me on the whole US justice system. If these guys hire cheap, bad lawyers to represent them and the DA decides he/she wants to make an example of them, yes, a jury certainly could convict. You need to understand that juries are made up of mostly idiots. I wish I could tell you this is an exaggeration but it's not - the last jury I served on had 3 guys who one morning in the jury room tried to top each other with each one in turn insisting that he was stupider about technology than the others. It was like it was a contest. I also am not exaggerating in telling you that another guy on the jury, who was black, was very deeply prejudiced against the defendant specifically because the defendant was black. You have people on juries who see the entire world in black and white and want to give the death penalty to people who run traffic lights. Others will shrug and say they are powerless to do anything but convict because these guys technically met the definition of doing what the law prohibited, even though they don't want to convict. These are the kinds of people who serve on juries and yes, any outcome is possible.
Re: (Score:2)
Conversely, this is one reason (along with cost) that prosecutors generally try very hard to get a plea bargain rather than go to trial. A charismatic defendant with a good lawyer can potentially talk their way out of anything.
Re: Stupid should not mean jail (Score:2)
Re: (Score:2)
Assuming the summary is correct, they went well beyond what was authorized. Outside of the 6AM-6PM timeframe, yup. And picking a lock or breaking a door isn't "physical social engineering." (although it's not clear what that means, perhaps phishing via mail instead of email)
Re: (Score:3)
You really should read TFA if you're going to pass that sort of judgement. The 6AM to 6PM part was for the computers and networks. The language for the physical penetration was much more vague (day and evening). It's very much standard that physical penetration attempts will include after hours access (how can you test the alarm system and such during hours that it's turned off?).
It's worth noting that the previous evening they successfully penetrated a different building pursuant to the same contract witho
Re:Stupid should not mean jail (Score:5, Informative)
It's also worth noting that "forcing a door" was forbidden, but lock picking was not. The act of forcing causes damage to the door or the locking mechanism, whereas picking it is opening it with an instrument which acts like the original key and does no damage.
It's normal during such an assessment that they won't want any physical damage done, but an intrusion that causes no damage is the whole point of the exercise.
Re:Stupid should not mean jail (Score:4, Interesting)
Lock picking wasn't forbidden in exactly the same way breaking a window or using dynamite to blast through a wall weren't forbidden.
You might want to look up "breaking and entering," and what's considered use of force on a door. You may be surprised.
Re: (Score:3)
When we hack into banks, we're not allowed to brute force passwords; we guess passwords, so generally have 3-5 trials and manage to find one that works.
This is a fairly valuable exercise, and can apply to alarms, e.g. hacking into the wifi and disabling the alarm system by using an authentication bypass is bullshit (it can be done, but how many super-cool hackers are physically breaking into the building?), but picking the lock and PUSHING THE "OFF BUTTON" ON THE ALARM is a huge wtf that the client needs
Re: Stupid should not mean jail (Score:2)
Re: (Score:2)
Evening isn't legally defined. Dictionary says "the latter part of the day and early part of the night." I equate it to twilight. So, astronomical dusk at the latest. 12:30 AM isn't even vaguely "evening", by any definition. It's the middle of the night.
"how can you test the alarm system and such during hours that it's turned off?"
You test when the alarm should be on, like testing on weekends when courthouses are normally closed for business. Not that it matters. If _you_ had done your h
Re: Stupid should not mean jail (Score:2)
Re: (Score:2)
Wikipedia offers that many consider evening to be twilight to bed time. The testers clearly hadn't gone to bed yet...
There isn't even a solid agreed upon casual definition.
Even twilight can mean civil, nautical, or astronomical twilight.
That's why I called it vague. In cases like that, the benefit of the doubt goes to the defendant. In contract law, the benefit of the doubt goes against the author of the contract,
Re: (Score:2)
While I don’t believe this rises to felony level, I believe this warrants more than a slap on the wrist. Misdemeanor and minimal jail time, but they should definitely do some time for doing something this stupid. Gives them time to think about what they did.
Re: (Score:2)
They were paid by the state to do this.
Which was it? (Score:4, Interesting)
Were they prohibited from "force-opening doors" or "[manipulating] doors"? The two are not the same thing. Or was the language in the agreement some third thing? In particular, the former implies damage. If all they did was pick a lock, is that actually force? It's certainly manipulation, so it seems like the specifics are critically important.
Re:Which was it? (Score:5, Interesting)
Yeah, the door part seems ambiguous, but if they really were only supposed to be around 6-6 and they (allegedly) messed with the alarm around midnight seems super shady.
The jurisdiction thing is interesting too, if the state can't allow them to break into a county building, it seems like a problem, and probably one their lawyers should have known.
Re:Which was it? (Score:5, Interesting)
The court commissioned an independent law firm to conduct an investigation. The results?
There's no way based on that these guys should be convicted for knowingly committing a crime, which is what the law requires.
Re: (Score:3)
There's no way based on that these guys should be convicted for knowingly committing a crime, which is what the law requires.
This is incorrect. Intent varies between crimes, and can vary even between the elements of a single crime. For example, burglary typically requires knowingly breaking and entering a residence, with a specific intent to commit a felony during the break-in, which is probably why that charge was dropped. I'm guessing that misdemeanor criminal trespass in Iowa requires only an intentional, knowing, or reckless trespass, or the charge wouldn't still be pending. Their lawyers seem to think the state's not going t
Re:Which was it? (Score:4, Informative)
Instead of guessing, google next time.
Re: (Score:2)
716.7(2)(a) [not 716.7a] requires to unlawfully enter (no intent required here) with intent to commit a public offense, yada, yada, yada or "place thereon or therein anything animate or inanimate". They probably had intent to do that. :/
Re: (Score:2)
You need to:
1) Pull out a legal dictionary, because words in law, do not mean what words mean in the common tongue
2) Realise that for each law, there is a massive weight of common-law court decisions behind it, and common-law decisions about that specific bit of law.
Going to wikipedia for 'mens rea' is like going to wikipedia to learn how to do a heart transplant, code, or make steel. You'll do neither successfully without sufficient, real world experience and learning, and the same goes for law.
Re: Which was it? (Score:2)
Re: (Score:2)
It's refreshing to see somebody say "it could be entrapment" ... and what they describe actually does fit the way entrapment is legally defined as opposed to how entrapment is described in popular culture.
Re: (Score:1)
Re: (Score:2)
You have to knowingly commit a criminal action. You don't have to know it's criminal; and you're generally guarded when you reasonably believe it's not criminal for special reasons.
For example: pouring oil into the stormwater runoff system is illegal. If you pour oil into the stormwater runoff system believing this is not illegal, you are knowingly pouring oil into the stormwater runoff system and are thus knowingly committing a crime. If you call the county and they come back with a form letter sayin
Re: Which was it? (Score:2)
That's an interesting distinction.
If you poured water into the stormwater thinking it's the storage tank, then yeah you didn't know you were doing it, not a crime, it's an accident. If you knew it was the stormwater but didn't think it's a crime, well tough shit you're in trouble.
Re: Which was it? (Score:2)
We read that as pour oil on stormwater drain. 2am typing going on here :/
Re: Which was it? (Score:2)
For the love of god Slashdot, it's 2019. Let us fix our damn typos already
Re: (Score:2)
For the love of god, /. ... let me include pictures, such as the meme of Bugs Bunny saying "No".
(And yes, I know what the answer to this is too ...)
Re: (Score:2)
On the other hand, their restrictions are a little wonky. If they were only supposed to be there between 6am and 6pm (business hours), then messing with the alarm system wouldn't be necessary -- so, hmm ...
Re:Which was it? (Score:5, Informative)
According to the independent investigation, part of their instructions were that once they'd successfully broken in, they were told to deliberately set off the alarm and hide in order to see what the response to an alarm was like and how well the camera coverage worked to find them. There's nothing suspicious about following the instructions their client gave them. There were three different contract documents, which partially contradicted themselves, which is why some of this is confused.
Re: (Score:2)
Re: (Score:2)
Where do you draw the line? For example, is slipping a credit card up against a door lock "force-opening" it or "manipulating" it? I'd say both. It's a distinction without a difference really. If the cops catch you doing that or something similar to circumvent a lock you will probably be charged with breaking and entering...even if you don't actually enter.
It's the thought that counts.
Straightforward, if true (Score:4, Insightful)
I guess someone will have to tell me why I should be indignant over this - they appear to have violated the terms of their contract in several regards.
That the state of Iowa has no authority to direct these sorts of tests is beyond their control, of course.
Re: (Score:3)
Because violating a contract is not a criminal offense.
Re: (Score:1)
Re: (Score:2)
Re:Straightforward, if true (Score:4, Informative)
It is when the contract grants legal permission to do certain, otherwise illegal things and then one party goes beyond the scope of what permissions were granted.
Re: (Score:3)
Re: (Score:2)
They had permission to enter the building. Trespassing is entering without permission, and they had permission to enter.
They had permission to be there between 6am and 6pm; they were there at Midnight, which they didn't have permission to do, so they were trespassing.
Re: (Score:3)
Re: (Score:2)
[Citation Needed]
Re: (Score:2)
Re: (Score:2)
*R*T*F*A*
Re: Straightforward, if true (Score:2)
Because violating a contract is not a criminal offense.
Except when it, quite literally, is (yes, I suppose it's recursive).
Re: (Score:2)
They violated *the law* (apparently) when the contract was arguably keeping them from doing so.
I say apparently, because it may well be true that the State of Iowa doesn't have the legal authority to order or hire anyone to "test" a county office. Even if they do, they only allowed them to violate *some* laws.
Re: (Score:2)
Re: (Score:2)
If the state didn't have that authority, they will need to be prosecuted even if the actual pen-testers are found not-guilty.
Re:Straightforward, if true (Score:5, Insightful)
I guess someone will have to tell me why I should be indignant over this - they appear to have violated the terms of their contract in several regards.
That the state of Iowa has no authority to direct these sorts of tests is beyond their control, of course.
Yes and it should be penalized. I have experienced way too many of these cowboy pentesters pulling stupid shit, not reporting work they did, leaving artifacts behind, testing things not explicitly authorized, to feel any sympathy for them. The industry needs better certifications and standards in general. When I got my OSCP it was stressed vehemently that you NEVER do anything not expressly authorized and signed/agreed upon. Shit like this is why.
Re: (Score:2)
Sounds like somebody didn't look too good in the final report.
Re: (Score:3)
In this case, the court should have sent a cop or a security guard along with these testers, one who is aware of the boundaries of the test. If the cops show up and see two shifty dudes fiddlin
Re: (Score:2)
Not how pentesters work in general. If you know the plan of attack, you can specifically shut it down. Hackers and criminals don't give you notice or a plan of attack, hence pen testers likewise do it without your knowledge (your boss invites them)
Re: (Score:2)
Re: (Score:2)
Yes and it should be penalized
Ahhh yes. That is a statement made from emotion considering you a) don't have access to the written contract, b) don't have all the details required to come to your conclusion logically.
I take it you failed last time you hired pen-testers and had to have an awkward conversation with your boss? What's the word kids are using these days? Butthurt?
Maybe they did, maybe they didn't. Commission says (Score:5, Interesting)
The independent analysis by a law firm hired by the court says they didn't knowingly do anything wrong. It sounds like the cops are trying to cover their ass, however.
The contract says they are allowed to pick locks.
The contract says they can work "in the day and in the evening", etc.
The county is a subdivision of the state, created by the state. States tell counties what they can and cannot do. Counties don't tell the state what the state can do.
I haven't spent a hundred hours looking into every little detail, but it sounds like the pentesters did roughly what they were hired to do, and the cops got embarrassed.
But they should have been more careful (Score:1)
I said it sounds like they did what they were hired to do.
As a security professional, I should also say they should have been more careful, in order to avoid having to plead their case. If it's not 100% clear that what you're thinking of doing is okay, don't do it. That's the rule I follow for these types of things.
To throw in a poor car analogy, if the speed limit was 65, they were going somewhere between 63-70. They should have kept it at 60 or lower to be on the safe side. Maybe they didn't violate the law
Re: (Score:2)
The independent analysis by a law firm hired by the court says they didn't knowingly do anything wrong. It sounds like the cops are trying to cover their ass, however.
The contract says they are allowed to pick locks.
The contract says they can work "in the day and in the evening", etc.
The county is a subdivision of the state, created by the state. States tell counties what they can and cannot do. Counties don't tell the state what the state can do.
I haven't spent a hundred hours looking into every little detail, but it sounds like the pentesters did roughly what they were hired to do, and the cops got embarrassed.
I think you're right. If the Sheriff's department was also responsible for the security of the building, then this is a conflict of interest: they're aggrieved and possibly embarrassed.
Re: (Score:2)
I think we'd find that the 13 original colonies were/are - well, original. That is, Pennsylvania was chartered to William Penn by Charles II, there weren't pre-existing counties which came together to form Pennsylvania.
I think we'd find that the rest of the states were created by the US Congress, then the state created counties after Congress created the state.
Louisiana is, as is often the case, kinda the odd man out because there were Catholic parishes in the area before the state was created by Co
Re: (Score:2)
they appear to have violated the terms of their contract in several regards.
Do you have a link to share with the wording of the contract, or are you just jumping to conclusions which you aren't qualified nor capable of making with the information you have?
Comment removed (Score:5, Funny)
Certifications are key (Score:3)
I presume these were just a bunch of BIC (r) certified pen testers?
Lately everyone with a BIC pen certification thinks they can complete the task successfully by following the outlined 6 step plan from the exam:
1. get pen
2. get paper
3. put pen on paper
4. move pen
5. chew on pen in case of colleague looking at you
6. put pen down.
Re: (Score:2)
Re: (Score:2)
Did you have explicit permission from the pen before performing those tests?
Re: (Score:2)
It signed the contract right here!
Re: (Score:2)
At least, it would have had the pen worked.
Re: (Score:2)
The smudge proves it
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Well it's pretty obvious they were told to use the paper already available and not forcibly open a new case.
Wonderful (Score:2)
When the sheriff confronted the men that night, he said: "The State of Iowa has no authority to allow you to break into a county building. You're going to jail."
It's always encouraging when an elected official doesn't know how government works.
Emotional Porn (Score:2)
It's been 18 years, mister police chief. You can't KEEP pulling the "on September 11, no less!" card.
Re: (Score:1)
Thieves with a contract to steal (Score:2)
Yes, the people who are going to steal from you will often ask you first to sign a lengthy contract allowing them to steal from you but at the same time list out the various do's and don'ts of their techniques by which they will steal from you.
You have to admit, these thieves came with honor and with a contract. Unfortunately, they came outside their agreed upon hours of operations as they were only to come during normal business hours. No real thief will come after business hours. They have families to tak
carrying backpacks (Score:3)
If you want a good chance to identify a pentester you look for three things.
1. Wearing a backpack.
2. Both arms through the straps.
3. The backpack is Swissgear.
Sure I know others wear those but it's a giveaway in my experience. Doesn't hurt to be vigilant.
Re: (Score:2)
Woosh.....
The World's Most Dangerous Job (Score:3)
Am I the only one here who wouldn't do this "penetration testing" job for any amount of money - in the USA, at least. There seem to be enough Americans who think nothing of using 'lethal force' if someone puts a single foot on their property, and cops who will shoot an unarmed kid for running away that I'd be scared of my life every minute. All it needs is one trigger-happy idiot to assume you ARE a terrorist/intruder/criminal/black and bang, you're dead. These guys must have big balls, and for that alone they should be exempt from prosecution...
Re: (Score:2)
Am I the only one here who wouldn't do this "penetration testing" job for any amount of money - in the USA, at least. There seem to be enough Americans who think nothing of using 'lethal force' if someone puts a single foot on their property, and cops who will shoot an unarmed kid for running away that I'd be scared of my life every minute.
You must have dark skin. If your skin is light enough, you're fine.
Re: (Score:2)
Am I the only one here who wouldn't do this "penetration testing" job for any amount of money - in the USA, at least. There seem to be enough Americans who think nothing of using 'lethal force' if someone puts a single foot on their property, and cops who will shoot an unarmed kid for running away that I'd be scared of my life every minute. All it needs is one trigger-happy idiot to assume you ARE a terrorist/intruder/criminal/black and bang, you're dead. These guys must have big balls, and for that alone they should be exempt from prosecution...
In general we don't recommend customers do this kind of testing unless they had a solid program. If you think your physical security is lacking, then a daytime site assessment with the cooperation of the site is both a lot more effective and it's safe. You can just tour the site, and look at anything you want, preferably with someone from the site that's an SME on their measures along to show you what they have, how they use it, and to prove it works to you.
It can also be an excellent opportunity to build rep
Re: (Score:2)
Thank you for an interesting and relevant, in-depth reply. If I could have modded up I would have done. Also, you hold the lowest /.ID of any reply I've had. Which is nice.
Why do I not see a problem with this? (Score:2)
They were charged with doing their work under specific conditions, and they violated those terms, committing several crimes in the process.
Why should they be given a free pass?
This is what people do when their security sucks (Score:2)
I'm sorry, but this is how organizations behave when they know they have security issues and want to hide that fact. A pentester's job is to test security controls in the wild, under realistic scenarios. The Sheriff is changing the subject, they got in. So there's problems with the security of those buildings, fix it, end of discussion. And apparently the state is conducting these assessments because they suspect some counties have security problems, which in this case they do.
The fact that this time the