CEO Of Security Company Behind Unorthodox Penetration Tests Wants To Know Why His Employees Are Still Being Criminally Charged

from the sheriff-determined-to-show-state's-court-who-the-biggest-dick-is dept

A couple of months ago, security researchers performing a very physical penetration test of an Iowa courthouse were arrested for breaking and entering. They were also charged with possessing burglar's tools, which they did indeed possess.

The employees of Coalfire Security said they had been employed by the state's judicial branch to test physical accessibility of courthouses. They had paperwork granting them permission to perform "physical security assessments" at multiple locations. While nothing specifically instructed the security testers to break into buildings, nothing in the documents suggested this was forbidden either. All it told the testers to do was to attempt to gain access to documents, internal systems, and areas closed off to the public.

A statement from the judicial branch suggested there had been some sort of misunderstanding and it apologized to the law enforcement officers for the "confusion" caused by this unorthodox penetration test. That apparently wasn't enough for sheriff's department and local prosecutors who moved ahead with felony charges.

Coalfire Security didn't have much to say when the news first broke, but the company has now issued a lengthy statement [PDF] that accuses the Dallas County Sheriff of turning a routine security test into a battle of wills between his office and the state's judicial branch.

[Coalfire Security employees Gary] Demercurio and [Justin] Wynn proceeded to purposefully trip the alarm to test law enforcement's response time. When they arrived, [Coalfire CEO Tom] McAndrew said, the deputies seemed delighted to be shown the tools and tactics the Coalfire employees used to enter the building.

McAndrew blamed the men's arrest on the arrival of Dallas County Sheriff Chad Leonard on the men's arrest, saying he failed to "de-escalate" the situation, as the deputies already on site were ready to let the men go.

"Sheriff Leonard failed to exercise common sense and good judgment and turned this engagement into a political battle between the State and the County." McAndrew wrote. "I was stunned that the next morning the issues were not resolved and were actually amplified when bail was set as $100,000."

Prosecutors have performed a slight bit of de-escalation, at least. The felony charges have been dropped, but the researchers are still facing misdemeanor trespassing charges. This prosecution continues despite the judicial branch's statement backing up the arrested men's story that they were hired to test courthouse security.

Sheriff Leonard's needless escalation began during the arrest and continued forward past that point. Emails obtained by the Des Moines Register show Sheriff Leonard refused to release the security employees when their story checked out and further aggravated the situation by promising to give a heads up to other law enforcement agencies who might be interested in capitalizing on some trouble-free arrests.

A police sergeant called one of the state employees, who confirmed what the men said: that this was a legitimate contract and that the men should be let go, according to the email.

"I advised them that this building belonged to the taxpayers of Dallas County and the State had no authority to authorize a break-in of this building," [Sheriff] Leonard wrote in the email.

Leonard wrote that he then called the state employee to tell him his contractors had been arrested and that he didn't have the authority to authorize this.

The state employee disagreed and asked Leonard not to tell other sheriffs, wrote Leonard, who said he responded by saying he was going to tell every sheriff.

It sounds like some "law is the law" bullshit being pushed by Sheriff Leonard, who isn't going to let anyone get away with security research in his jurisdiction. Coalfire's CEO wants to know if Iowans are OK with this.

If what is happening in Iowa begins to happen elsewhere, who will keep those who are supposed to protect citizens honest? This is setting a horrible precedent for the millions of information security professionals who are now wondering if they too may find themselves in jail as criminals simply for doing their job. I believe that citizens of Iowa would benefit from using their resources to fix vulnerabilities, protect their data, and secure their public buildings rather than waste time and taxpayer money on this criminal pursuit.

Joke's on all of us. This is already happening elsewhere. Security researchers constantly face the possibility of arrest, prosecution, or civil lawsuits just for doing their jobs. That this penetration test involved a physical break-in doesn't make it any less legitimate. The court system apologized for the misunderstanding, but good deeds apparently aren't going to go unpunished in this county.

Filed Under: breaking and entering, courthouse, iowa, penetration testing, security researchers
Companies: coalfire security


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anon, 7 Nov 2019 @ 7:51am

    Re: Re: Re: Re: Re: Re: Re:

    Well, if name-calling settled arguments, we'd have an idiot for a president. .. oh, wait...

    The counties are creatures of the state in the same way as an incorporated private company. The state has certain rights and certain limitations, as prescribed by law and the state constitution. they cannot override these laws except as allowed by those same laws. they cannot dictate county actions, except by a judicial order that cites the law which allows this.

    So yes, a county can charge and maybe even convict a state contractor of violating the state law on trespass; then the defendant can appeal that to the state court of appeals. how will that turn out? or the county judge might put the law ahead of urinary competition and say without the intent, and with the honest impression they had permission, they are not guilty.

    So the county has every right to do what they do, but depending on what the local laws are on intent, it may or may not be malicious prosecution. Certainly the comments of the sheriff are pretty good evidence that it is.

    (Recall something similar I heard of - professor back in the good old days (late 80's) challenged students in his Computer Science class that if they could break into the system and change their mark they could have that mark. One clever student went through the ceiling tiles and got into the glass room where the console was logged on to change his mark. The prof had him expelled and charged with trespassing - sore loser)


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: Copying Is Not Theft
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.