CEO Of Security Company Behind Unorthodox Penetration Tests Wants To Know Why His Employees Are Still Being Criminally Charged

from the sheriff-determined-to-show-state's-court-who-the-biggest-dick-is dept

A couple of months ago, security researchers performing a very physical penetration test of an Iowa courthouse were arrested for breaking and entering. They were also charged with possessing burglar's tools, which they did indeed possess.

The employees of Coalfire Security said they had been employed by the state's judicial branch to test physical accessibility of courthouses. They had paperwork granting them permission to perform "physical security assessments" at multiple locations. While nothing specifically instructed the security testers to break into buildings, nothing in the documents suggested this was forbidden either. All it told the testers to do was to attempt to gain access to documents, internal systems, and areas closed off to the public.

A statement from the judicial branch suggested there had been some sort of misunderstanding and it apologized to the law enforcement officers for the "confusion" caused by this unorthodox penetration test. That apparently wasn't enough for sheriff's department and local prosecutors who moved ahead with felony charges.

Coalfire Security didn't have much to say when the news first broke, but the company has now issued a lengthy statement [PDF] that accuses the Dallas County Sheriff of turning a routine security test into a battle of wills between his office and the state's judicial branch.

[Coalfire Security employees Gary] Demercurio and [Justin] Wynn proceeded to purposefully trip the alarm to test law enforcement's response time. When they arrived, [Coalfire CEO Tom] McAndrew said, the deputies seemed delighted to be shown the tools and tactics the Coalfire employees used to enter the building.

McAndrew blamed the men's arrest on the arrival of Dallas County Sheriff Chad Leonard on the men's arrest, saying he failed to "de-escalate" the situation, as the deputies already on site were ready to let the men go.

"Sheriff Leonard failed to exercise common sense and good judgment and turned this engagement into a political battle between the State and the County." McAndrew wrote. "I was stunned that the next morning the issues were not resolved and were actually amplified when bail was set as $100,000."

Prosecutors have performed a slight bit of de-escalation, at least. The felony charges have been dropped, but the researchers are still facing misdemeanor trespassing charges. This prosecution continues despite the judicial branch's statement backing up the arrested men's story that they were hired to test courthouse security.

Sheriff Leonard's needless escalation began during the arrest and continued forward past that point. Emails obtained by the Des Moines Register show Sheriff Leonard refused to release the security employees when their story checked out and further aggravated the situation by promising to give a heads up to other law enforcement agencies who might be interested in capitalizing on some trouble-free arrests.

A police sergeant called one of the state employees, who confirmed what the men said: that this was a legitimate contract and that the men should be let go, according to the email.

"I advised them that this building belonged to the taxpayers of Dallas County and the State had no authority to authorize a break-in of this building," [Sheriff] Leonard wrote in the email.

Leonard wrote that he then called the state employee to tell him his contractors had been arrested and that he didn't have the authority to authorize this.

The state employee disagreed and asked Leonard not to tell other sheriffs, wrote Leonard, who said he responded by saying he was going to tell every sheriff.

It sounds like some "law is the law" bullshit being pushed by Sheriff Leonard, who isn't going to let anyone get away with security research in his jurisdiction. Coalfire's CEO wants to know if Iowans are OK with this.

If what is happening in Iowa begins to happen elsewhere, who will keep those who are supposed to protect citizens honest? This is setting a horrible precedent for the millions of information security professionals who are now wondering if they too may find themselves in jail as criminals simply for doing their job. I believe that citizens of Iowa would benefit from using their resources to fix vulnerabilities, protect their data, and secure their public buildings rather than waste time and taxpayer money on this criminal pursuit.

Joke's on all of us. This is already happening elsewhere. Security researchers constantly face the possibility of arrest, prosecution, or civil lawsuits just for doing their jobs. That this penetration test involved a physical break-in doesn't make it any less legitimate. The court system apologized for the misunderstanding, but good deeds apparently aren't going to go unpunished in this county.

Filed Under: breaking and entering, courthouse, iowa, penetration testing, security researchers
Companies: coalfire security


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    That One Guy (profile), 7 Nov 2019 @ 3:52am

    'Oh, would you look at that, I'm busy. Forever.'

    Do you want to ensure that only the least skilled, most desperate people are willing to perform security tests that will allow you to see how secure your systems/buildings are before you have to find that out the hard way that they aren't, because anyone sane will refuse to answer your calls or sign a contract to do that for you?

    Because this is how you ensure that that happens.

    I rather suspect that this isn't a case of 'the law is the law' and more a case of the sheriff being all stoked that he'd found him some criminals to prosecute to make himself look better finding out that they were nothing of the sort being utterly incapable of admitting that he was wrong, because if you've got a badge you don't make mistakes, ever.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Nov 2019 @ 4:13am

    The court case

    Prosecutor:

    These men broke into the court house and were trespassing.

    Judge:

    You are not trespassing if you are invited in. We invited them.
    Case dismissed.

    Oh, and please stop wasting the court's time, or I'll uninvite you and you will be trespassing.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 7 Nov 2019 @ 6:36am

      Re: The court case

      Prosecutor: We did not invite them. They invited them. And they don't have the right to invite people to break into our courthouse.

      Judge: Oh yeah, there's actually laws that I have to use to justify my decisions. Guess I'll have to actually do my job, darn!

      The legal question at hand is who has the authority to order that kind of trespass on a county courthouse. The state should not be messing with county property without the explicit knowledge and consent of the county, and they sure as heck know that.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 7 Nov 2019 @ 7:55am

        Re: Re: The court case

        Under established U.S. Federalism rule of law, subordinate governments (ie, counties) have no seperate soverignty apart from their state. The State is soverign, and the subordinate government (ie, counties) are delegated that soverignty at the direction of, and for the convenience of, the state.

        A prosecution of a violation of a state law fails when it's pointed out that the state very much does have the right to do with any county property as it sees fit.

        (All of the above often does not apply in states where the state constraints its soverignty in "home rule" municipalities. But even in those states, that doesn't apply to entire counties.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 7 Nov 2019 @ 9:52am

          Re: Re: Re: The court case

          Citation needed. I'd like to see any legal precedent showing a state can make use of county property as it sees fit. Everything you've said flies in the face of my direct experience working for state and municipal agencies.

          reply to this | link to this | view in chronology ]

          • icon
            Bergman (profile), 7 Nov 2019 @ 9:58am

            Re: Re: Re: Re: The court case

            If you were correct, then a town or city would be able to ignore county laws. For that matter, a neighborhood within a city would be able to hold a vote and ignore city laws. A household could unanimously vote that city laws don't apply to their house.

            While it might be a fun idea to contemplate that you could get your wife, children and dog to all agree that none of your household owes any taxes to the city, county, state or nation, it's not likely to end well if you actually tried it.

            reply to this | link to this | view in chronology ]

            • icon
              btr1701 (profile), 7 Nov 2019 @ 10:43am

              Re: Re: Re: Re: Re: The court case

              If you were correct, then a town or city would be able to ignore county laws.

              Not hardly. There's a difference between property ownership and legal jurisdiction to pass statutes and ordinances.

              The county owns the building and enjoys all the rights and privileges of property ownership that anyone else does. That doesn't mean the county can also ignore all duly passed laws passed by the state legislature. The two things have nothing to do with one another.

              reply to this | link to this | view in chronology ]

      • icon
        Wyrm (profile), 8 Nov 2019 @ 8:16am

        Re: Re: The court case

        Going by this logic, the state deputies that arrived first should be arrested too. They are not invited, and are not county agents.

        More seriously, this building is used for official state business, and who "paid" for the building doesn't matter. It is only fitting that the state can invite anyone they need to do their state business, including validating their security.

        If not, anyone could technically be considered trespassing arbitrarily, including the judges, lawyers and parties to suits being judged in this courthouse. I'm pretty sure that's not how the law works.

        Finally, the researchers had proof that they were invited in by someone who, by all appearances, had authority over the premise. More so than a case of murder by cop, I would say that "good faith exception" should apply here. They did everything right, except that they were tricked into thinking that state judicial authorities had authority over a building used for official state judicial business. Ah yes, how could anyone make such a rookie mistake?

        reply to this | link to this | view in chronology ]

        • icon
          nasch (profile), 8 Nov 2019 @ 8:42am

          Re: Re: Re: The court case

          Going by this logic, the state deputies that arrived first should be arrested too. They are not invited, and are not county agents.

          They are county sheriff's deputies, not state law enforcement.

          They did everything right, except that they were tricked into thinking that state judicial authorities had authority over a building used for official state judicial business.

          Again, it's a county courthouse, used for county judicial business. This is not to defend the sheriff or prosecutors - their actions were stupid and unjust.

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 8 Nov 2019 @ 8:51am

            Re: Re: Re: Re: The court case

            Counties aren't allowed to be independent of the state. That's part of the stupidity in the argument. All counties are part of the state or they're not a county. All county employees are state employees. They are not separate legal entities.

            reply to this | link to this | view in chronology ]

            • icon
              nasch (profile), 8 Nov 2019 @ 9:14am

              Re: Re: Re: Re: Re: The court case

              They are not separate legal entities.

              Yeah they are separate legal entities. A county is part of a state, but that doesn't mean they're the same thing. Counties have courts and law enforcement and all sorts of functions that the state doesn't have anything to do with. A county is not part of its state in the same way that a department is part of a company. It's closer to the way that a US state is part of the US, though counties have less autonomy than states.

              For example, if you were to sue your county government, the defense would be handled by the county, not the state. There are some exceptions to all this, for example a handful of states (two I think) where counties are strictly a geographic boundary and have no governmental function at all. But Texas (the state in question) is not one of those states.

              reply to this | link to this | view in chronology ]

              • identicon
                Anonymous Coward, 8 Nov 2019 @ 9:33am

                Re: Re: Re: Re: Re: Re: The court case

                I understand the situation is that many states give counties significant autonomy but as I noted above, this question has been decided by the federal courts as a federal constitutional issue. Constitutionally counties are subdivisions of states, not separate entities.

                reply to this | link to this | view in chronology ]

                • icon
                  nasch (profile), 8 Nov 2019 @ 10:55am

                  Re: Re: Re: Re: Re: Re: Re: The court case

                  this question has been decided by the federal courts as a federal constitutional issue.

                  In what case(s)?

                  reply to this | link to this | view in chronology ]

                  • identicon
                    Anonymous Coward, 8 Nov 2019 @ 11:21am

                    Re: Re: Re: Re: Re: Re: Re: Re: The court case

                    Okay, there have been many many many cases

                    Here is the first court case that came up in the Justia search engine when I searched: "county subdivision of state"

                    https://law.justia.com/cases/federal/appellate-courts/F3/299/1077/521697/

                    reply to this | link to this | view in chronology ]

                    • icon
                      nasch (profile), 8 Nov 2019 @ 12:18pm

                      Re: Re: Re: Re: Re: Re: Re: Re: Re: The court case

                      So that states the county is a subdivision of the state. That doesn't mean it isn't its own entity, with its own employees, organizations, and so on.

                      "King County filed suit against the Rasmussens"

                      The county can take actions on its own.

                      "Because we conclude that no genuine issues of material fact exist for trial and that King County holds the strip in fee simple, we affirm."

                      The county can own property. Note the court doesn't say the state holds the land in fee simple (whatever that is), but the county.

                      Nobody is saying counties aren't subordinate to or part of their states, but I haven't seen anything indicating there's no such thing as a county employee as you claimed. What do you get when you search "county employees"?

                      reply to this | link to this | view in chronology ]

                      • identicon
                        Anonymous Coward, 8 Nov 2019 @ 12:44pm

                        Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: The court case

                        A large portion of the thread is arguing about whether counties are a part of the state or an independent entity of some kind. That argument has actually gone on for a while.

                        Others were arguing that the county is somehow not a state government body.

                        My view is that the county is the state so it by definition can't take independent actions because every county government action is a state government action.

                        County employees are real. They all are just described equally well as state employees.

                        reply to this | link to this | view in chronology ]

                        • icon
                          nasch (profile), 8 Nov 2019 @ 3:23pm

                          Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: The court case

                          So far I have not seen any supporting evidence that:

                          • the county and the state are the same thing
                          • the county government is part of the state government
                          • county employees are state employees

                          I have never heard anyone claim any of that before today. I enjoy learning new things however and if someone has a reference explaining how any of that is true I would be happy to read about it.

                          reply to this | link to this | view in chronology ]

          • icon
            Wyrm (profile), 8 Nov 2019 @ 9:47am

            Re: Re: Re: Re: The court case

            Ok, I reread both articles.
            My mistake. It's indeed a county courthouse, though it seems to fall under the authority of the state. I might be wrong about the level of autonomy of county versus state.
            So, either state has authority over county, in which case the case is null because the researchers had proper authorization... or they didn't, in which case the state made the mistake of authorizing an operation it didn't have authority to. Still doesn't seem like a mistake on the researchers' side. The county sheriff even had confirmation of the whole story. He just wants to change someone for... something? And he knows the individuals are easier targets than the state.

            reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 9 Nov 2019 @ 7:17pm

          Re: Re: Re: The court case

          They were NOT state deputies. They were Dallas County Deputies

          reply to this | link to this | view in chronology ]

    • icon
      btr1701 (profile), 7 Nov 2019 @ 10:40am

      Re: The court case

      Prosecutor: These men broke into the court house and were trespassing.

      Judge: You are not trespassing if you are invited in. We invited them. Case dismissed.

      Prosecutor: You don't own the building. The county does and the county didn't invite them in. Notice of appeal filed.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Nov 2019 @ 4:29am

    Time to escalate

    I would sue the sheriff personally for the deprivation of rights.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Nov 2019 @ 4:30am

    This is a tricky area of law.

    https://biotech.law.lsu.edu/map/LiabilityofStateContractors.html

    It could honestly go either way but acting in good faith should at least count in their favor.

    reply to this | link to this | view in chronology ]

  • identicon
    Michael, 7 Nov 2019 @ 5:36am

    purposefully trip the alarm to test law enforcement's response time

    Let's just point out that the guy making all of the noise here was also the one with the response time that was so horrible that other officers arrived, found the suspects, identified they were not actually burglars, and were talking with them about how the broke in and they tools they use.

    Can we start by firing him for being incompetent at his actual job?

    reply to this | link to this | view in chronology ]

    • icon
      nasch (profile), 7 Nov 2019 @ 6:06pm

      Re:

      Can we start by firing him for being incompetent at his actual job?

      Only if you expect all the officers to arrive at the same time for some reason. Why should the sheriff have to arrive as quickly as the closest deputy to the call?

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Nov 2019 @ 6:08am

    "I advised them that this building belonged to the taxpayers of Dallas County and the State had no authority to authorize a break-in of this building," [Sheriff] Leonard wrote in the email.

    Please correct me if I'm wrong, but aren't counties part of the state, and therefore, wouldn't county property would be state property?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 7 Nov 2019 @ 6:28am

      Re:

      You'd be wrong. Counties own county property, cities own city property, and states own state property. The State can't tell the County what to do with its property, they had no authority to authorize a break-in, or any of the other penetration testing that they ordered, without the consent of the County. That's why this is still an issue.
      The Sheriff is basically telling the State to stay in its lane, and the State is claiming it can do whatever it wants cause it's a judicial building. The contractors are caught up in the middle.
      Personally I think the contractors should have done a lot more due diligence, but it's ultimately on the people that ordered the testing.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 7 Nov 2019 @ 6:33am

        Re: Re:

        No, counties are subdivisions of the state. However, it's up to the states internal politics to decide who gets their way in these circumstances.

        One easy way to tell is that a county courts cases may be appealed to the Iowa Supreme Court

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 7 Nov 2019 @ 6:38am

          Re: Re: Re:

          Counties are subdivisions of the state in the same way that states are subdivisions of the USA.
          They operate independently and hold their own property, which the state can't take or use without county permission.

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 7 Nov 2019 @ 6:42am

            Re: Re: Re: Re:

            The county is the state. You are simply wrong on this.

            reply to this | link to this | view in chronology ]

            • identicon
              Anonymous Coward, 7 Nov 2019 @ 6:45am

              Re: Re: Re: Re: Re:

              The county is not the state. You are simply wrong on this.

              reply to this | link to this | view in chronology ]

              • identicon
                Anonymous Coward, 7 Nov 2019 @ 6:54am

                Re: Re: Re: Re: Re: Re:

                Well, this is actually a federal constitutional issue and the courts have already ruled that counties are subdivisions of states. Also you're an idiot.

                reply to this | link to this | view in chronology ]

                • identicon
                  Anon, 7 Nov 2019 @ 7:51am

                  Re: Re: Re: Re: Re: Re: Re:

                  Well, if name-calling settled arguments, we'd have an idiot for a president. .. oh, wait...

                  The counties are creatures of the state in the same way as an incorporated private company. The state has certain rights and certain limitations, as prescribed by law and the state constitution. they cannot override these laws except as allowed by those same laws. they cannot dictate county actions, except by a judicial order that cites the law which allows this.

                  So yes, a county can charge and maybe even convict a state contractor of violating the state law on trespass; then the defendant can appeal that to the state court of appeals. how will that turn out? or the county judge might put the law ahead of urinary competition and say without the intent, and with the honest impression they had permission, they are not guilty.

                  So the county has every right to do what they do, but depending on what the local laws are on intent, it may or may not be malicious prosecution. Certainly the comments of the sheriff are pretty good evidence that it is.

                  (Recall something similar I heard of - professor back in the good old days (late 80's) challenged students in his Computer Science class that if they could break into the system and change their mark they could have that mark. One clever student went through the ceiling tiles and got into the glass room where the console was logged on to change his mark. The prof had him expelled and charged with trespassing - sore loser)

                  reply to this | link to this | view in chronology ]

                  • icon
                    btr1701 (profile), 7 Nov 2019 @ 10:39am

                    Re: Re: Re: Re: Re: Re: Re: Re:

                    (Recall something similar I heard of - professor back in the good old days (late 80's) challenged students in his Computer Science class that if they could break into the system and change their mark they could have that mark. One clever student went through the ceiling tiles and got into the glass room where the console was logged on to change his mark. The prof had him expelled and charged with trespassing - sore loser)

                    Wow. Seems like it'd be easy to beat the trespassing charge, since he was given permission in front of dozens of witnesses. The expulsion might be harder to fight because universities usually have wide latitude to decide those things on their own, but again, permission was given for him to do what he did and there'd have been ample evidence of it to use in any kind of expulsion hearing.

                    reply to this | link to this | view in chronology ]

                    • identicon
                      ANOn, 7 Nov 2019 @ 1:22pm

                      Re: Re: Re: Re: Re: Re: Re: Re: Re:

                      Yeah, the prof was being a dick because he overlooked one simple trick and so appeared to be stupid. (more than "appeared") He was so proud of his software security enhancements he overlooked simple physical security. I'm sure he told the admin that he said "break in with software" even if he didn't; if you're already a major dick, what's a little lying to compound it?

                      reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 7 Nov 2019 @ 6:44am

            Re: Re: Re: Re:

            Is every state the same?

            reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 7 Nov 2019 @ 6:52am

            Re: Re: Re: Re:

            State constitutions likely dictate the bounds of political subdivisions within the state, just as the federal constitution dictates the bounds of states within the US.. in theory..

            reply to this | link to this | view in chronology ]

          • identicon
            Local Gov Employee, 7 Nov 2019 @ 9:51am

            About that...

            Hi! Actual County employee here, though not in Iowa. This will be written from the perspective of my County.

            Good news, everything you said here is accurate! County owns the courthouse, and the state can't just take it or do with it as they please on a whim.

            Bad news is that they 100% can do those things, just not on a whim. There are a couple different things in play here, and I'll start with the most broad:

            1. The state can write a law taking control of the operations and building
            2. The state can use eminent domain to take ownership of the property, including the building
            3. The state can mandate, at a policy level rather than via law, that the County must take or allow specific actions. Being a subordinate agency, the County must follow this policy.
            4. As a tenant of the building, with independent Information Systems installed (from workstations to a network core and likely a couple purpose specific servers), the State is allowed to and likely required by Federal statute to execute penetration tests and maintain active and passive security measures. Remember, court cases deal with privileged information from HIPAA to state secrets to sealed testimony. (Specific tenancy agreements may require notification to the property owner)

            The County has no valid argument here. I say that as an employee of a County with >$1B in yearly revenue who regularly takes issue with how the state treats us.

            So your statements are factually correct, up until the state exercises any of its power. The other poster's statements are just as factually correct and address a different argument than the one you're using. Neither of you is more correct than the other, and that's simply a matter of framing and perspective.

            I hope this both clarified the issue at hand and made everybody feel better about themselves.

            reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Nov 2019 @ 6:37am

    Why "unorthodox"?

    Nondestructive physical bypass of building security systems is a completely normal part of a penetration test. The only unusual thing is the lack of explicitness in the paperwork. If you watch talks by penetration testers, for example Deviant Ollam, they describe bypassing locks all the time—with lockpicks and other tools, even elevator fire service modes. They're paid to do it and give detailed reports to the companies operating the facilities. Often the doors and locks have major problems, and they need to know about it.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 7 Nov 2019 @ 6:44am

      Re: Why "unorthodox"?

      If it's completely normal then why did nobody except the contractors know they were going to be performing a physical break-in on the property?
      Penetration testers should be doing only what is specifically ordered in their contracts, anything else is outside scope and probably illegal.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 7 Nov 2019 @ 6:48am

        Re: Re: Why "unorthodox"?

        Penetration testers have the same right to tinker as any other engineer. Badly worded or non controlling contracts aren't binding anyway.

        reply to this | link to this | view in chronology ]

        • icon
          btr1701 (profile), 7 Nov 2019 @ 10:32am

          Re: Re: Re: Why "unorthodox"?

          Penetration testers have the same right to tinker as any other engineer.

          They don't have the right to trespass on physical property that doesn't belong to them or the people who hired them. The bull-headed sheriff was actually right when he said the state has no authority to authorize break-ins of buildings that don't belong to the state.

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 7 Nov 2019 @ 10:56am

            Re: Re: Re: Re: Why "unorthodox"?

            Ownership isn't necessarily what matters. For example, if I rent a house or some commercial property, I can authorize people to enter it, and those people would not be trespassing. I probably can't authorize them to damage that property without permission from the owner (but if they reasonably thought they had proper authorization, it shouldn't be criminal for them). Non-destructive lockpicking might be a gray area and depend on jurisdiction, but it wouldn't be surprising if a non-owner had authority to allow that.

            reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 7 Nov 2019 @ 6:52am

        Re: Re: Why "unorthodox"?

        In the work of a penetration tester, there is also the issue of companies regularly writing invalid TOS. Usually companies have managed to take consideration before their is an overt contract agreement so they are illegal. (ie google and microsoft track you before you even know what a TOS is)

        reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 7 Nov 2019 @ 7:41am

        Re: Re: Why "unorthodox"?

        If it's completely normal then why did nobody except the contractors know they were going to be performing a physical break-in on the property?

        "We are going to try to break into the property by the way of the east side entrance, on February 21, 2019, at exactly 6:38 p.m."

        [Fast-forward to 2019-02-21 @ 1838h]

        "Wow, the east side entrance is really secure! They've stationed about two hundred cops outside of it! Penetration test passed!"

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 7 Nov 2019 @ 8:14am

          Re: Re: Re: Why "unorthodox"?

          "Wow, the east side entrance is really secure! They've stationed about two hundred cops outside of it! Penetration test passed!"

          The guards are not parties to these contracts. If the official signing the contract wanted to sabotage the test, they could, but then they'd just be wasting their money.

          reply to this | link to this | view in chronology ]

      • icon
        PaulT (profile), 7 Nov 2019 @ 7:57am

        Re: Re: Why "unorthodox"?

        "If it's completely normal then why did nobody except the contractors know they were going to be performing a physical break-in on the property?"

        Someone wasn't listening to what the physical aspect of the contract was actually referring to, or the wrong person was left uninformed by one of the parties.

        "Penetration testers should be doing only what is specifically ordered in their contracts"

        Apart from the fact that they seemed to believe that this was part of their contract - that's a risky move. Sure, if you're pen testing a particular environment, you don't want them messing with environments other than the one specified. But, you also don't want an incomplete pen test because you didn't allow the testers to take a particular path that any would-be attacker would use. It might feel safer during the test, but you have also possibly stopped testing of your most vulnerable spots.

        reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 7 Nov 2019 @ 8:02am

        Re: Re: Why "unorthodox"?

        If it's completely normal then why did nobody except the contractors know they were going to be performing a physical break-in on the property?

        That's not exactly true. They had a document giving them permission to do penetration testing, including physical access, and they told the guards who caught them whom to contact about the test. That person confirmed to the guard that the testers had permission. But they got arrested anyway.

        Yes, those documents and the statement of work should have been more detailed. The test was completely normal; the paperwork was unorthodox.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 7 Nov 2019 @ 8:12am

          Re: Re: Re: Why "unorthodox"?

          The test was completely normal; the paperwork was unorthodox.

          Actually, if they expected a police response, that could be unorthodox. I don't know how this works with courthouses, but in a private setting, the police would not be a party to the contract and would not appreciate someone triggering an alarm just to test them.

          reply to this | link to this | view in chronology ]

          • identicon
            Sharur, 7 Nov 2019 @ 8:32am

            Re: Re: Re: Re: Why "unorthodox"?

            True, but at court houses in the US, internal security is provided by the Sheriff's department. There are usually deputies manning the metal detectors at entrances, at least .

            So, its less trigger the alarm and see how long squad cars arrive, but more time the Sheriff's deputies' response time from their normal post in the building to the affected area.

            The analogy to a private setting (say an office building) would be how long would it take for security personal to arrive.

            reply to this | link to this | view in chronology ]

  • icon
    olde farte (profile), 7 Nov 2019 @ 6:52am

    it's more than just common sense

    There was a time when mens rea ("guilty mind") weighed heavily in determining whether to arrest, detain, and prosecute. Sadly, the sheriff has chosen to ignore this and has played a game of "gotcha". And since bail was set absurdly high, the judge is operating on the same pathetic level.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Nov 2019 @ 7:25am

    Sheriff Chad Leonard's official webpage ends with a list of organizational goals, one of which is "Educate the communities at large as to its role in establishing order and reversing moral decay." This sort of sanctimonious horseshit, certainly seems in keeping with this guy's approach to the Coalfire Security case.

    https://www.dallascountyiowa.gov/government/public-safety/sheriff

    reply to this | link to this | view in chronology ]

  • identicon
    Agammamon, 7 Nov 2019 @ 9:05am

    They had paperwork granting them permission to perform "physical security assessments" at multiple locations. While nothing specifically instructed the security testers to break into buildings, nothing in the documents suggested this was forbidden either.

    I'm pretty sure that, unless you're actually LEO - with a badge and everything - then you need that paperwork to specifically list which laws you can break in the process of testing.

    Now, I'm not saying these guys should be prosecuted - this is obviously a case of (fairly) innocent mistakes.

    But they got permission to do penetration testing on facilities that the people giving them permission didn't have the authority to permit them to test and then they went and exceeded the limits of the written permissions.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 7 Nov 2019 @ 9:57am

      Re:

      That is horribly backwards. You don't sign a contract to break laws. That would never be a valid contract no matter how it was worded.

      I would bet they get off if they can afford the legal fight. Either way, they will now get to sue the state for either recruiting a legitimate business to break laws for them or false arrest/deprivation of liberty for the sheriffs idiotic response.

      reply to this | link to this | view in chronology ]

  • identicon
    Pixelation, 7 Nov 2019 @ 9:59am

    Nothing better than a Sheriff on a power trip. Sheriff Chad Leonard must have a pretty negative view of himself since he has such a huge need to show how powerful he is.

    reply to this | link to this | view in chronology ]

  • icon
    btr1701 (profile), 7 Nov 2019 @ 10:24am

    Sheriff Leonard's needless escalation began during the arrest and continued forward past that point.

    Leonard may have started the escalation, but anything occurring at this point is out of his hands. If they're still facing charges and prosecution, that's all on the county attorney's office now. They could easily drop the case altogether and the sheriff wouldn't have any say in the matter.

    "I advised them that this building belongs to the taxpayers of Dallas County and the State has no authority to authorize a break-in of this building," [Sheriff] Leonard wrote

    He's actually right about that even if he is addressing it in a less than ideal way.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 8 Nov 2019 @ 2:14am

      Re:

      Is the county the occupiers, or are they only the landlords, because if the latter, the occupants can invite other into the building.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Nov 2019 @ 10:49am

    Governor?

    Really the governor should try writing a few quick pardons at this point just to quickly resolve this stupid bueracratic issue and save significant expenses.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 7 Nov 2019 @ 10:57am

      Re: Governor?

      Governors grant pardons to the already convicted. They can't waive pending charges.

      reply to this | link to this | view in chronology ]

      • icon
        btr1701 (profile), 7 Nov 2019 @ 3:07pm

        Re: Re: Governor?

        Yes, they can. Just like Ford proactively pardoned Nixon. Absent specific Iowa state law to the contrary, the pardon power works the same on the state level.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 7 Nov 2019 @ 3:18pm

          Re: Re: Re: Governor?

          Some state pardon powers work the same way and some don't. I haven't read the Iowa Constitution recently but a lot of states have a bunch of constraints on their pardons that the federal government doesn't.

          reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Nov 2019 @ 11:14am

    The contract should have included

    CLIENT represents and warrants without limitation that it has the authority to execute this agreement and to agree to all provisions contained herein.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Nov 2019 @ 11:58am

    @Techdirt...

    You include a link to "techdirt articles tagged 'shoot the messenger' ". This article is not so tagged.

    This article is tagged (company) "Coalfire security". Previous articles about this story were not so tagged.

    Should your tagging become a bit more standardized, perhaps? Or maybe go back and add tags to relevant previous stories?

    reply to this | link to this | view in chronology ]

  • icon
    Norahc (profile), 7 Nov 2019 @ 5:44pm

    They were also charged with possessing burglar's tools, which they did indeed possess.

    Of course they possessed burglar tools.

    Section 713.7 - Possession of burglar's tools
    Any person who possesses any key, tool, instrument, device or any explosive, with the intent to use it in the perpetration of a burglary, commits an aggravated misdemeanor.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.