Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Government Crime Security

Why Two Pentesters In Iowa Are Facing A Criminal Investigation and Trespassing Charges (arstechnica.com) 110

Ars Technica's security editor re-visits the story of two security penetration testers from Coalfire who were arrested one midnight in the county courthouse in Adel, Iowa (population 3,682): "They were crouched down like turkeys peeking over the balcony," Dallas County Sheriff Chad Leonard said in an interview. "Here we are at 12:30 in the morning confronted with this issue -- on September 11, no less. We have two unknown people in our courthouse -- in a government building -- carrying backpacks that remind me and several other deputies of maybe the pressure cooker bombs." After more deputies arrived, Justin Wynn, 29 of Naples, Florida, and Gary De Mercurio, 43 of Seattle, slowly proceeded down the stairs with hands raised. They then presented the deputies with a letter that explained the intruders weren't criminals but rather penetration testers who had been hired by Iowa's State Court Administration to test the security of its court information system. After calling one or more of the state court officials listed in the letter, the deputies were satisfied the men were authorized to be in the building...

When Leonard arrived on the scene, the mood quickly changed. Leonard read the letter and sized the men up. It said the men were authorized to perform "physical social engineering to attempt to gain access" to courthouse systems... The letter also listed tasks that should not be performed, including alarm subversion, force-opening doors, and accessing environments that require personal protective equipment. The pentesters had already said they used a tool to open the front door. Leonard took that to mean the men had violated the restriction against forcing doors open. Leonard also said the men attempted to turn off the alarm -- something Coalfire officials vehemently deny. In Leonard's mind that was a second violation. Another reason for doubt: one of the people listed as a contact on the get-out-of-jail-free letter didn't answer the deputies' calls, while another said he didn't believe the men had permission to conduct physical intrusions. The sheriff also said he and his deputies smelled alcohol on the breath of one of the men. (Leonard, who didn't identify which Coalfire employee it was, said a test later showed the pentester had a blood alcohol content of 0.05, the equivalent of one or two drinks. It is below the 0.08 threshold for an operating while intoxicated conviction.) Leonard promptly had the men arrested on felony third-degree burglary charges...

The charges have since been reduced to misdemeanor trespassing charges. Trial is scheduled for April. Meanwhile, the sheriff's department in nearby Polk County is conducting a criminal investigation into a September 10 break-in on its courthouse under the same arrangement with the State Judicial Administration.... The get-out-of-jail-free letter "said you won't manipulate doors," Leonard said. "Well, they picked four doors. It said they won't manipulate the alarm system. They went right up to the alarm and tried to shut it off. The biggest issue is they were only supposed to work from 6AM to 6PM. They came out in the middle of the night and broke in." Equally important, Leonard said, is what he believed to be the overstepping of Iowa officials who retained Coalfire. When the sheriff confronted the men that night, he said: "The State of Iowa has no authority to allow you to break into a county building. You're going to jail."

This discussion has been archived. No new comments can be posted.

Why Two Pentesters In Iowa Are Facing A Criminal Investigation and Trespassing Charges

Comments Filter:
  • They were stupid, not doubt about it.

    But they should plead guilty to a misdemeanour, no jail time.

    • Except they didn't knowingly trespass, which is what the law requires.

      It's unlikely a Judge is going to allow this to even go to trial. If it went to trial, there's no way a jury is going to convict. The Chief of the State Supreme Court signed documents giving them access. Who is going convict someone for a crime for doing something the Chief Judge told them they could legally do? Crimes require mens rea, the intention or knowledge of wrongdoing. It's impossible for a prosecutor to prove the "knowingly" part beyond a reasonable doubt when these guys can reasonably claim based on signed contracts that they were just doing their job.

      • Re: (Score:1, Insightful)

        Yes, the Bonapartism of black robed tyrants should be able to override the very laws they are sworn to uphold. They weren't supposed to be in the building after 6pm. To jail with them, and remove the Chief Justice for malfeasance.
        • Good lord, that's a very black and white view.
          Are you sure there's no way to resolve this without someone ending up incarcerated?
          • Re: (Score:2, Insightful)

            Are you sure there's no way to resolve this without someone ending up incarcerated?

            You may see them as overly enthusiastic security testers who intended no harm. But to the prison guard unions, their incarceration means jobs. To the stockholders in private prisons, it means profit.

            Every empty prison cell is a wasted resource. Lock'em up. It's the American way.

        • You obviously didn't bother to RTFA, as usual, but from the independent investigation report the SCA commissioned:

          And while one section of the rules of engagement was unclear whether the 6AM to 6PM time frame applied only to systems penetration or physical assessments as well, a Scope of Testing section within that document said physical assessments “can be during the day and evening.” That authorization made no mention of any specific time of day.

          The three different contracts/documents had partially conflicting requirements. The night before the team was congratulated by the State IT Director for breaking into one of the other buildings in the middle of the night. There was clearly no expectation by the pen-testers nor the person they were coordinating with that they were limited in physical intrusions to before 6pm.

          The Chief wasn't "overriding" laws, he was doing routing administrative work that he's supposed to be the one managing. Just because the County owns the courthouse doesn't mean Judges don't have legitimate access and the ability to allow others access. Certainly you can't convict someone of a crime for relying on the head Judge's permissions to visit a courthouse. There's obviously no criminal intent there, which is what the law requires for a conviction.

          • by gentlydick ( 6223022 ) on Monday November 18, 2019 @03:35AM (#59425306)
            Sounds like this company and those employees were unfortunate enough to get caught in the middle of a pissing match between state and county govt officials.
          • by mysidia ( 191772 )

            Just because the County owns the courthouse doesn't mean Judges don't have legitimate access and the ability to allow others access.

            A county is an instrument of the State government; at least in one respect --- the signature of a State Judge is powerful in every state and can only be overridden by a Judge that sits at a higher court. How fitting that the testers' permission slip was signed by a state Judge, a bonafide officer of the court.

            This case sounds like a non-starter. There is hardly a

        • by dpille ( 547949 )
          Looks like someone took care of removing him already.

          https://www.kcci.com/article/public-service-celebrating-iowa-chief-justice-mark-cadys-life-scheduled-for-wednesday/29820163
        • Yeah your either trolling or not so bright.....

          I worked in the courts. In a courthouse the judges are second only to god (and in a properly separated church and state, the judge IS god) , if the judge authorises it , it's authorised no ifs no butts. That there was a breach of contract regarding doors and alarms is a civil matter, not a criminal one. They where authorised to enter, and that's all a trespass conviction cares about.

        • by mysidia ( 191772 )

          They weren't supposed to be in the building after 6pm.

          They had a clear letter from a state authority acting in their governmental role providing them to be there. The fact that they were there or remained there outside the exact times expected does not automatically convert the activity to trespassing.

          If there's a Law against an employee or contractor being present in the building past work hours OR against an employee or contractor touching the alarm system without permission, then... By all

      • by Moryath ( 553296 )
        The reason these guys were arrested for doing their jobs is that their jobs embarrassed the "security" and the cops who didn't do theirs.
        • by ShanghaiBill ( 739463 ) on Sunday November 17, 2019 @10:17PM (#59424804)

          The reason these guys were arrested for doing their jobs is that their jobs embarrassed the "security" and the cops who didn't do theirs.

          The security system detected the intrusion and the cops caught the intruders. So they did do their job.

          • The reason these guys were arrested for doing their jobs is that their jobs embarrassed the "security" and the cops who didn't do theirs.

            The security system detected the intrusion and the cops caught the intruders. So they did do their job.

            Uh...

            "The night before the team was congratulated by the State IT Director for breaking into one of the other buildings in the middle of the night."

            Sure as hell helps a lot when the cops likely knew exactly where and when the next test was going to happen. I'd reserve judgement on their ability to do their job for now.

      • by Bert64 ( 520050 )

        Exactly, these guys believed they were within the law and doing nothing illegal.

        "The State of Iowa has no authority to allow you to break into a county building."

        They had no reason to know this, they should go after the state for acting in excess of their authority.

        • by mysidia ( 191772 )

          They had no reason to know this, they should go after the state for acting in excess of their authority.

          They're probably technically incorrect.... The State of Iowa has the power to allow ANY named person into ANY location, building, etc, within the state of Iowa. Technically, under the right circumstances: the state of Iowa could even foreclose on a County-owned or Privately-owned property; for example, a Judge can sign a document called a court order designating the new owner of propert

      • by Zontar_Thing_From_Ve ( 949321 ) on Monday November 18, 2019 @07:50AM (#59425770)

        It's unlikely a Judge is going to allow this to even go to trial. If it went to trial, there's no way a jury is going to convict.

        You've obviously never served on a US jury or you wouldn't say that. All bets are off when anything goes to a jury. I've served on a jury twice and I hope I never, ever do it again. It has permanently soured me on the whole US justice system. If these guys hire cheap, bad lawyers to represent them and the DA decides he/she wants to make an example of them, yes, a jury certainly could convict. You need to understand that juries are made up of mostly idiots. I wish I could tell you this is an exaggeration but it's not - the last jury I served on had 3 guys who one morning in the jury room tried to top each other with each one in turn insisting that he was stupider about technology than the others. It was like it was a contest. I also am not exaggerating in telling you that another guy on the jury, who was black, was very deeply prejudiced against the defendant specifically because the defendant was black. You have people on juries who see the entire world in black and white and want to give the death penalty to people who run traffic lights. Others will shrug and say they are powerless to do anything but convict because these guys technically met the definition of doing what the law prohibited, even though they don't want to convict. These are the kinds of people who serve on juries and yes, any outcome is possible.

        • Conversely, this is one reason (along with cost) that prosecutors generally try very hard to get a plea bargain rather than go to trial. A charismatic defendant with a good lawyer can potentially talk their way out of anything.

      • Knowingly or using the legal term âwillfulâ(TM) trespass is just a more severe crime. You can be charged and convicted of tresspass even if you donâ(TM)t know or intend. If itâ(TM)s not your property, and itâ(TM)s not business hours, and you have no right to be there - itâ(TM)s tresspass.
    • by msauve ( 701917 )
      They _should_ get their pee-pees slapped.

      Assuming the summary is correct, they went well beyond what was authorized. Outside of the 6AM-6PM timeframe, yup. And picking a lock or breaking a door isn't "physical social engineering." (although it's not clear what that means, perhaps phishing via mail instead of email)
      • by sjames ( 1099 )

        You really should read TFA if you're going to pass that sort of judgement. The 6AM to 6PM part was for the computers and networks. The language for the physical penetration was much more vague (day and evening). It's very much standard that physical penetration attempts will include after hours access (how can you test the alarm system and such during hours that it's turned off?).

        It's worth noting that the previous evening they successfully penetrated a different building pursuant to the same contract witho

        • by Bert64 ( 520050 ) <.moc.eeznerif.todhsals. .ta. .treb.> on Monday November 18, 2019 @02:15AM (#59425186) Homepage

          It's also worth noting that "forcing a door" was forbidden, but lock picking was not. The act of forcing causes damage to the door or the locking mechanism, whereas picking it is opening it with an instrument which acts like the original key and does no damage.
          It's normal during such an assessment that they won't want any physical damage done, but an intrusion that causes no damage is the whole point of the exercise.

          • by msauve ( 701917 ) on Monday November 18, 2019 @06:08AM (#59425574)

            It's also worth noting that "forcing a door" was forbidden, but lock picking was not.

            Lock picking wasn't forbidden in exactly the same way breaking a window or using dynamite to blast through a wall weren't forbidden.

            You might want to look up "breaking and entering," and what's considered use of force on a door. You may be surprised.

            • When we hack into banks, we're not allowed to brute force passwords; we guess passwords, so generally have 3-5 trials and manage to find one that works.

              This is a fairly valuable exercise, and can apply to alarms, e.g. hacking into the wifi and disabling the alarm system by using an authentication bypass is bullshit (it can be done, but how many super-cool hackers are physically breaking into the building?), but picking the lock and PUSHING THE "OFF BUTTON" ON THE ALARM is a huge wtf that the client needs

          • It is also worth noting that no party contests that it was within the written contract that specifically gave the men the authority to pick locks and to utilize physical penetration testing techniques to gain access to facilities, sensitive information, networks or systems. The issue is one of scope as the State could not authorize said action against a County building. This is literally a case of entrapment as without the contract signed by an agent of the state, it is implausible to believe these two men
        • by msauve ( 701917 )
          "day and evening"

          Evening isn't legally defined. Dictionary says "the latter part of the day and early part of the night." I equate it to twilight. So, astronomical dusk at the latest. 12:30 AM isn't even vaguely "evening", by any definition. It's the middle of the night.

          "how can you test the alarm system and such during hours that it's turned off?"

          You test when the alarm should be on, like testing on weekends when courthouses are normally closed for business. Not that it matters. If _you_ had done your h
          • Quoting TFA: The investigators found that neither Wynn and De Mercurio nor Iowa's SCA acted with deception or ill-intent. The report also made a strong case that the pentesters had good reason to believe that everything they did was within the scope of the agreement between the SCA and Coalfire. The Rules of Engagement, the investigators found, specifically gave the men the authority to pick locks and to âoeutilize physical penetration testing techniques to gain access to facilities, sensitive informat
          • by sjames ( 1099 )

            Wikipedia offers that many consider evening to be twilight to bed time. The testers clearly hadn't gone to bed yet...

            There isn't even a solid agreed upon casual definition.

            Even twilight can mean civil, nautical, or astronomical twilight.

            That's why I called it vague. In cases like that, the benefit of the doubt goes to the defendant. In contract law, the benefit of the doubt goes against the author of the contract,

    • While I don’t believe this rises to felony level, I believe this warrants more than a slap on the wrist. Misdemeanor and minimal jail time, but they should definitely do some time for doing something this stupid. Gives them time to think about what they did.

  • Which was it? (Score:4, Interesting)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Sunday November 17, 2019 @07:59PM (#59424494) Homepage Journal

    Were they prohibited from "force-opening doors" or "[manipulating] doors"? The two are not the same thing. Or was the language in the agreement some third thing? In particular, the former implies damage. If all they did was pick a lock, is that actually force? It's certainly manipulation, so it seems like the specifics are critically important.

    • Re:Which was it? (Score:5, Interesting)

      by AvitarX ( 172628 ) <me@@@brandywinehundred...org> on Sunday November 17, 2019 @08:23PM (#59424570) Journal

      Yeah, the door part seems ambiguous, but if they really were only supposed to be around 6-6 and the (allegedly) messed with the alarm around midnight seems super shady.

      The jurisdiction thing is interesting too, if the state can't allow them to break into a county building, it seems like a problem, and probably one their lawyers should have known.

      • Re:Which was it? (Score:5, Interesting)

        by _Sharp'r_ ( 649297 ) <sharper AT booksunderreview DOT com> on Sunday November 17, 2019 @08:37PM (#59424610) Homepage Journal

        The court commissioned an independent law firm to conduct an investigation. The results?

        The investigators found that neither Wynn and De Mercurio nor Iowa's SCA acted with deception or ill-intent. The report also made a strong case that the pentesters had good reason to believe that everything they did was within the scope of the agreement between the SCA and Coalfire. The Rules of Engagement, the investigators found, specifically gave the men the authority to pick locks and to “utilize physical penetration testing techniques to gain access to facilities, sensitive information, networks or systems.” (The report did find that Coalfire and the SCA failed to adequately draft the agreement. More about that later.)

        The rules of engagement also state that the physical assessments were to be conducted on the Polk County Courthouse and the Judicial building—both in Des Moines—as well as the Dallas County Courthouse in Adel, Iowa. And while one section of the rules of engagement was unclear whether the 6AM to 6PM time frame applied only to systems penetration or physical assessments as well, a Scope of Testing section within that document said physical assessments “can be during the day and evening.” That authorization made no mention of any specific time of day.

        The investigators also mentioned that on September 10—one day before Wynn and De Mercurio entered the Dallas County Courthouse after hours—John Hoover, the IT manager for the SCA, found Wynn’s business card on his desk when he arrived at his office at the Judicial Building that morning. Hoover immediately knew the Coalfire pentesters had successfully broken into the building, and entered his office, the night before.

        “Well done,” the IT manager wrote to Wynn in an email. “I'll be interested to hear how easy it was.”

        There's no way based on that these guys should be convicted for knowingly committing a crime, which is what the law requires.

        • There's no way based on that these guys should be convicted for knowingly committing a crime, which is what the law requires.

          This is incorrect. Intent varies between crimes, and can vary even between the elements of a single crime. For example, burglary typically requires knowingly breaking and entering a residence, with a specific intent to commit a felony during the break-in, which is probably why that charge was dropped. I'm guessing that misdemeanor criminal trespass in Iowa requires only an intentional, knowing, or reckless trespass, or the charge wouldn't still be pending. Their lawyers seem to think the state's not going t

          • Re:Which was it? (Score:4, Informative)

            by Zero__Kelvin ( 151819 ) on Sunday November 17, 2019 @11:31PM (#59424950) Homepage
            716.7a clearly states [justia.com] that mens rea [wikipedia.org] is required as an element of the crime.

            " I'm guessing that misdemeanor criminal trespass in Iowa requires only an intentional, knowing, or reckless trespass, or the charge wouldn't still be pending."

            Instead of guessing, google next time.

            • by mlyle ( 148697 )

              716.7(2)(a) [not 716.7a] requires to unlawfully enter (no intent required here) with intent to commit a public offense, yada, yada, yada or "place thereon or therein anything animate or inanimate". They probably had intent to do that. :/

              • by Blymie ( 231220 )

                You need to:

                1) Pull out a legal dictionary, because words in law, do not mean what words mean in the common tongue

                2) Realise that for each law, there is a massive weight of common-law court decisions behind it, and common-law decisions about that specific bit of law.

                Going to wikipedia for 'mens rea' is like going to wikipedia to learn how to do a heart transplant, code, or make steal. You'll do neither successfully without sufficient, real world experience and learning, and the same goes for law.

                • There is also a case to be made here for entrapment considering the parties entered what would otherwise appear a legally binding agreement authorizing said actions with an agent of the state. Which, last I checked meets the legal definition quite cleanly.
                  • by dougmc ( 70836 )

                    It's refreshing to see somebody say "it could be entrapment" ... and what they describe actually does fit the way entrapment is legally defined as opposed to how entrapment is described in popular culture.

          • Wouldn't meet the definition of *any* intent save for strict liability, but thanks for playing, Armchair Counselor.
          • You have to knowingly commit a criminal action. You don't have to know it's criminal; and you're generally guarded when you reasonably believe it's not criminal for special reasons.

            For example: pouring oil into the stormwater runoff system is illegal. If you pour oil into the stormwater runoff system believing this is not illegal, you are knowingly pouring oil into the stormwater runoff system and are thus knowingly committing a crime. If you call the county and they come back with a form letter sayin

            • That's an interesting distinction.

              If you poured water into the stormwater thinking it's the storage tank, then yeah you didn't know you where doing it, not a crime, it's an accident. If you knew it was the stormwater but didn't think it's a crime, well tough shit your in trouble.

      • ... if they really were only supposed to be around 6-6 and the (allegedly) messed with the alarm around midnight seems super shady.

        On the other hand, their restrictions are a little wonky. If they were only suppose to be there between 6am and 6pm (business hours), then messing with the alarm system wouldn't be necessary -- so, hmm ...

        • Re:Which was it? (Score:5, Informative)

          by _Sharp'r_ ( 649297 ) <sharper AT booksunderreview DOT com> on Sunday November 17, 2019 @10:32PM (#59424842) Homepage Journal

          According to the independent investigation, part of their instructions were that once they'd successfully broken in, they were told to deliberately set off the alarm and hide in order to see what the response to an alarm was like and how well the camera coverage worked to find them. There's nothing suspicious about following the instructions their client gave them. There were three different contract documents, which partially contradicted themselves, which is why some of this is confused.

      • by Holi ( 250190 )
        if it was a social engineering test then going after hours makes absolutely no sense.
    • Where do you draw the line? For example, is slipping a credit card up against a door lock "force-opening" it or "manipulating" it? I'd say both. It's a distinction without a difference really. If the cops catch you doing that or something similar to circumvent a lock you will probably be charged with breaking and entering...even if you don't actually enter.

      It's the thought that counts.

  • by Brett Buck ( 811747 ) on Sunday November 17, 2019 @08:00PM (#59424496)

    I guess someone will have to tell me why I should be indignant over this - they appear to have violated the terms of the their contract in several regards.

          That the state of Iowa has no authority to direct these sorts of tests is beyond their control, of course.

    • "I guess someone will have to tell me why I should be indignant over this - they appear to have violated the terms of the their contract in several regards"

      Because violating a contract is not a criminal offense.

      • by Anonymous Coward
        Try telling the MPAA that.
      • by DaHat ( 247651 ) on Sunday November 17, 2019 @08:15PM (#59424540)

        It is when the contract grants legal permission to do certain, otherwise illegal things and then one party goes beyond the scope of what permissions were granted.

        • They were granted permission to violate their security and penetrate the system to enter the building and that is what they did. How they did it is in question, not if they did it. They had permission to enter the building. Trespassing is entering without permission, and they had permission to enter. Again, this is a civil, not criminal matter.
      • Because violating a contract is not a criminal offense.

        Except when it, quite literally, is (yes, I suppose it's recursive).

      • They violated *the law* (apparently) when the contract was arguably keeping them from doing so.

                I say apparently, because it may well be true that they State of Iowa doesn't have the legal authority to order or hire anyone to "test" a county office. Even if they do, they only allowed them to violate *some* laws.

             

        • What law did they violate? They had permission to enter the building, so it wasn't trespassing.
        • by sjames ( 1099 )

          If the state didn't have that authority, they will need to be prosecuted even if the actual pen-testers are found not-guilty.

    • by geek ( 5680 ) on Sunday November 17, 2019 @08:35PM (#59424602)

      I guess someone will have to tell me why I should be indignant over this - they appear to have violated the terms of the their contract in several regards.

            That the state of Iowa has no authority to direct these sorts of tests is beyond their control, of course.

      Yes and it should be penalized. I have experienced way too many of these cowboy pentesters pulling stupid shit, not reporting work they did, leaving artifacts behind, testing things not explicitly authorized, to feel any sympathy for them. The industry needs better certifications and standards in general. When I got my OSCP it was stressed vehemently that you NEVER do anything not expressly authorized and signed/agreed upon. Shit like this is why.

      • by sjames ( 1099 )

        Sounds like somebody didn't look too good in the final report.

      • I'm surprised that pentesters like these are allowed to work unsupervised. If you're testing my servers, I would like to know the plan of attack in detail, and perhaps have someone oversee the details to make sure the testers do not go out of bounds as they respond and adapt to what they encounter trying to get in.

        In this case, the court should have sent a cop or a security guard along with these testers, one who is aware of the boundaries of the test. If the cops show up and see two shifty dudes fiddlin
        • by guruevi ( 827432 )

          Not how pentesters work in general. If you know the plan of attack, you can specifically shut it down. Hackers and criminals don't give you notice or a plan of attack, hence pen testers likewise do it without your knowledge (your boss invites them)

          • That's why you don't notify the entire organisation, but still assign an employee to oversee things. Especially in case of a physical pen test.
      • Yes and it should be penalized

        Ahhh yes. That is a statement made from emotion considering you a) don't have access to the written contract, b) don't have all the details required to come to your conclusion logically.

        I take it you failed last time you hired pen-testers and had to have an awkward conversation with your boss? What's the word kids are using these days? Butthurt?

    • by raymorris ( 2726007 ) on Sunday November 17, 2019 @09:01PM (#59424666) Journal

      The independent analysis by a law firm hired by thr court says they didn't knowingly do anything wrong. It sounds like the cops are trying to cover their ass, however.

      The contract says they are allowed to pick locks.
      The contract says they can work "in the day and in the evening", etc.

      The county is a subdivision of the state, created by the state. States tell counties what they can and cannot do. Counties don't tell the state what the state can do.

      I haven't spent a hundred hours looking into every be little detail, but it sounds like the pentesters did roughly what they were hired to do, and the cops got embarrassed.

      • I said it sounds like they did what they were hired to do.
        As a security professional, I should also say they should have been more careful, I order to avoid having to plead their case. If it's not 100% clear that what you're thinking of doing is okay, don't do it. That's the rule I follow for these types of things.

        To throw in a poor car analogy, if the speed limit was 65, they were going somewhere between 63-70. They should kept it at 60 or lower to be on the safe side. Maybe they didn't violate the law

      • by Python ( 1141 )

        The independent analysis by a law firm hired by thr court says they didn't knowingly do anything wrong. It sounds like the cops are trying to cover their ass, however.

        The contract says they are allowed to pick locks.
        The contract says they can work "in the day and in the evening", etc.

        The county is a subdivision of the state, created by the state. States tell counties what they can and cannot do. Counties don't tell the state what the state can do.

        I haven't spent a hundred hours looking into every be little detail, but it sounds like the pentesters did roughly what they were hired to do, and the cops got embarrassed.

        I think youre right. If the Sherrifs department was also responsible for the security of the building, then this is a conflict of interest: theyre aggrieved and possibly embarrassed.

    • they appear to have violated the terms of the their contract in several regards.

      Do you have a link to share with the wording of the contract, or are you just jumping to conclusions which you aren't qualified nor capable of making with the information you have?

  • by account_deleted ( 4530225 ) on Sunday November 17, 2019 @08:42PM (#59424624)
    Comment removed based on user account deletion
  • When the sheriff confronted the men that night, he said: "The State of Iowa has no authority to allow you to break into a county building. You're going to jail."

    It's always encouraging when an elected official doesn't know how government works.

  • It's been 18 years, mister police chief. You can't KEEP pulling the "on September 11, no less!" card.

  • Yes, the people who are going to steal from you will often ask you first to sign a lengthy contract allowing them to steal from you but at the same time list out the various do's and don'ts of their techniques by which they will steal from you.

    You have to admit, these thieves came with honor and with a contract. Unfortunately, they came outside their agreed upon hours of operations as they were only to come during normal business hours. No real thief will come after business hours. They have families to tak

  • by portwojc ( 201398 ) on Monday November 18, 2019 @05:55AM (#59425552) Homepage

    If you want a good chance to identify a pentester you look for three things.

    1. Wearing a backpack.
    2. Both arms through the straps.
    3. The backpack is Swissgear.

    Sure I know others wear those but it's a giveaway in my experience. Doesn't hurt to vigilant.

  • by Musical_Joe ( 1565075 ) on Monday November 18, 2019 @09:54AM (#59426122)

    Am I the only one here who wouldn't do this "penetration testing" job for any amount of money - in the USA, at least. There seem to be enough Americans who think nothing of using 'lethal force' if someone puts a single foot on their property, and cops who will shoot an unarmed kid for running away that I'd be scared of my life every minute. All it needs is one trigger-happy idiot to assume you ARE a terrorist/intruder/criminal/black and bang, you're dead. These guys must have big balls, and for that alone they should be exempt from prosecution...

    • Am I the only one here who wouldn't do this "penetration testing" job for any amount of money - in the USA, at least. There seem to be enough Americans who think nothing of using 'lethal force' if someone puts a single foot on their property, and cops who will shoot an unarmed kid for running away that I'd be scared of my life every minute.

      You must have dark skin. If your skin is light enough, you're fine.

    • by Python ( 1141 )

      Am I the only one here who wouldn't do this "penetration testing" job for any amount of money - in the USA, at least. There seem to be enough Americans who think nothing of using 'lethal force' if someone puts a single foot on their property, and cops who will shoot an unarmed kid for running away that I'd be scared of my life every minute. All it needs is one trigger-happy idiot to assume you ARE a terrorist/intruder/criminal/black and bang, you're dead. These guys must have big balls, and for that alone they should be exempt from prosecution...

      In general we dont recommend customers do this kind of testing unless they had a solid program. If you think your physical security is lacking, then a daytime site assessment with the cooperation of the site is both a lot more effective and its safe. You can just tour the site, and look at anything you want preferably with someone from the site thats an SME on their measures along to show you what they have, how they use it, and to prove it works to you.

      It can also be an excellent opportunity to build rep

      • Thank you for an interesting and relevant, in-depth reply. If I could have modded up I would have done. Also, you hold the lowest /.ID of any reply I've had. Which is nice.

  • They were charged with doing their work under specific conditions, and they violated those terms, committing several crimes in the process.

    Why should they be given a free pass?

  • I'm sorry, but this is how organizations behave when they know they have security issues and want to hide that fact. A pentesters job is to test security controls in the wild, under realistic scenarios. The Sheriff is changing the subject, they got in. So theres problems with the security of those buildings, fix it, end of discussion. And apparently the state is conducting these assessments because they suspect some counties have security problems, which in this case they do.

    The fact that this time the

Avoid strange women and temporary variables.

Working...