Men Arrested at Courthouse Say They Were Sent to Test Its Security (nytimes.com)
209 points by brdd on Sept 17, 2019 | 137 comments


It's extremely important to include a clear statement of work in any pentesting contract exactly for this reason. The contents of the contract will become very important in this case, and depending on whether or not the SOW included physical intrusion into the buildings, one side or the other will end up with egg on their face.

Without the contract and/or other agreements it isn't clear who's at fault here; the pentesting firm involved may very well have been an incompetent one that exceeded their SOW or did not even produce one to be agreed on. I tend to suspect that this is the case, because physical intrusion testing will almost always include measures to prevent the police being called or make them aware of the test, due to both the expense of an intentional false alarm call and the risk involved in triggering a law enforcement response.


This is such an absurd case on so many levels. This miscommunication should have never happened, obviously.

Even if they turn out to be the criminally incompetent party in this relationship, I feel kind of bad for the contractors. They're facing felony charges for making what was clearly a mistake. I can't imagine they're consistently this incompetent - surely one of their previous clients would have noticed if they were physically broken into and didn't anticipate it. So either they've never done this before, or they messed up their contract.

I've seen plenty of similarly boneheaded, incompetent things in Big Tech (losing massive amounts of data, getting systematically defrauded in pretty stupid ways, etc) that resulted in getting fired at worst and a reprimand at best, so I feel kind of bad that these guys face felonies for being bad at their job.


Amazed they are charged. Any good lawyer should be able to get them off on mistake of fact, or simply lacking the elements of the crime.


Yeah, not a lawyer outside of my armchair, but I don't really see how they could ever be convicted of any of this. It sounds like there's a very good chance they were contracted by a legitimate security auditing firm to do a job of a nature they had no reason to believe was not already outlined in some statement of work agreed upon by all parties. Even if there was some misunderstanding, it sounds like the fault lies with the firm rather than with the contractors themselves. Obviously there are more facts that would need to be reviewed to definitively arrive at a conclusion like this, but at a glance this whole thing seems ridiculous.


Probably a bad comparison to make, however in construction if something is built according to the plans from the engineering firm, and somehow those plans were not up to snuff and voided a warranty or, worst case, could be illegal and not up to code, it will NOT fall on the welders and workers who created the project (unless they didn't perform the job, i.e. welds not up to par). Failure would be on the engineering firm who was supposed to ensure all plans were created according to the specifications.

If the company these two were working for had a "plan" much like building documents, or a scope of work document/contract then there should be no reason for these guys to get in trouble as physical penetration testing would be listed.

I see two possibilities.

1) Company did not have a good scope of work, which at the end of it all this should fall on them and not the employees in charge of performing their work. These guys should be let go, compensation to them paid from the employer for their error, and said employer has to pay everything, including fees and having their reputation tarnished.

2) There was bad miscommunication. There was physical penetration listed in the scope of work, however the police were not informed and acted as they would with anyone breaking into a courthouse. This would then fall on the department who hired them, which should pay the employees for their time/trauma and make an apology exonerating the company who was hired to pen test.


It's feasible that the charges will go through but the defendants can sue the employer who holds the contract for damages related to any fines or jail time.

A mistake or incompetence is no excuse for breaking the law. This was a courthouse. There is either CYA in writing they can request in discovery for that lawsuit, or as evidence against the charges they face to demonstrate to a jury that they should be innocent, or that an experienced prosecutor will see and then look to drop charges.

But unless the charges are dropped, the jury favors the contractors, or the judge halts proceeding until a determination can be made, they may be SOL on the charges.


You don't need to be convicted for the court to ruin your life and/or business.


Well, as long as there was an agreement to do pen testing, the criminal portion should be pretty much dropped.

Caveat emptor


The company in question is Coalfire. This company assesses who can become FedRAMP compliant. They also have their pentesting team in-house, and they are fucking sharp. They know their contracts, rules of engagement, and exactly what they are and aren't allowed to do.

These folks do this stuff for their livelihood. They test contractor, state, and fed systems at all scopes and levels.

And if 2 broke in (yes, you work in teams ABSOLUTELY onprem), they had the contract explicitly allowing physical penetration ON THEIR BODY. That contract is the difference between felony trespass and 100% legal.

I would LOVE to be a fly on the wall and watch the conversation between State IT and the public safety community there, and especially with the AG, who will have to release them.


That's right. If I had to bet who was incompetent, Coalfire or the state agency, my bet is on the latter. The state agency probably didn't understand/read the full contract, or maybe some internal miscommunication through hierarchy led to confusion about what was or wasn't allowed in the pentest. I'll be waiting for Coalfire's press release, which will probably confirm the contract did allow physical pentest...


This is dealing directly with the government. I doubt we ever hear of this again if the government screwed up.

No way Coalfire would embarrass a client if they can avoid it.

I feel bad for the contractors who now have arrest records. They are the victims here.


> This is dealing directly with the government. I doubt we ever hear of this again if the government screwed up.

Exactly. We won't hear of it. They do work all across the US in the state and federal space. It's too lucrative to give up to shame them into submission publicly. Privately, sure.

> I feel bad for the contractors who now have arrest records. They are the victims here.

Well, they've been arrested. So their clearances have been yanked already, as per standard for Confidential/TS/SCI. Unless they can get complete restoration, including expungement of the arrest, and admission of unlawful arrest, they're done in federal/state infosec.


How long will you be waiting for their Press Release? This was first reported 5 days ago, presumably it happened before that even...

https://arstechnica.com/information-technology/2019/09/check...


Coalfire just released their statement and, yup, I was right: «Coalfire and State Court Administration believed they were in agreement regarding the physical security assessments for the locations included in the scope of work. Yet, recent events have shown that Coalfire and State Court Administration had different interpretations of the scope of the agreement» https://finance.yahoo.com/news/coalfire-comments-penetration...


Ya, I've spoken with Coalfire employees in the past and have respect for them. I'm very curious to follow up on the outcome of this case, and I feel for the employees sitting in jail right now. Hope it ends well for them.


They posted bail


From my background with FedRAMP, a firm's involvement in FedRAMP assessments does not improve my confidence in them. :)

That said, yes, Coalfire is large enough and old enough that I would be very surprised if they made such a mistake - but I still think it's quite possible. Consider that such an established firm would also be absolutely expected to coordinate this kind of testing with the PD beforehand - a blind test of a PD's response on a contract with another agency of the state government is something I have never heard of before and raises huge concerns for personal safety and taxpayer expense. I would consider Coalfire to also be extremely irresponsible for knowingly entering such a situation.


That was my thought. I suspect some jobsworth promoted above their natural pay grade threw their teddies out of the pram when their poor security got penetrated.


This kind of smells like a classified intelligence op


r/conspiracy amirite?


Don't feed them, just Flag (or downvote if you're able) and move on.


Shame on the prosecutors. Burglary requires intent. By all appearances, these guys thought they had permission.


They HAD intent - they intended to break into the building, brought the tools, etc. If the contract does not stipulate that they are allowed to break in then they're basically screwed.

"I didn't mean to break in" holds no ground in court if they actually were breaking in.


This isn't how the law works for intent. Google "mens rea", in particular, the "knowing" part. Under your definition, every locksmith is engaging in felony break and enter on a daily basis.


Criminal intent.


You don't understand the level of local corruption in Iowa. To be effective the State couldn't tip off County security.


Love to hear about the level of corruption in Iowa. Grew up there and left...


So dirty the AG's Chief of Staff Eric Tabor has his sister on the Iowa Court of Appeals, Mary Tabor, who corruptly fails to recuse herself on his cases. Usually she is impartial, but when Eric gets caught in shenanigans she has gone so far as to commit fraud (literally lying about the facts of cases in the appellate record she prosecuted to invent case law) to cover his ass.

Fun fact, Mary's son Ollie works for Nate Silver.


@ollie


https://www.coalfire.com/Solutions/Coalfire-Labs/Red-Team-Ex... does list physical testing, but who knows what the agreement was.

The case numbers are 05251 FECR042175 and 05251 FECR042176 if anyone's interested: https://www.iowacourts.state.ia.us/ESAWebApp/DefaultFrame. The latest appears to be that this guy is representing them: http://www.grllaw.com/blog/attorneys/Matthew-Lindholm-A3.asp...


Here in Canada the prosecution would have quickly withdrawn the charges. It's pretty clear that they were acting under the color of law, given that the State admitted they hired them. If they went beyond the contract, it seems pretty clear they did it under the mistaken but reasonable belief that they had proper authority to enter. I understand ignorance of law isn't a defense but ignorance of the facts is and it seems pretty clear that's what happened here. It seems unreasonable and unnecessary to hold them in jail and unnecessary to take this to trial. I don't see how proceeding with a prosecution like this could be in the public interest.


> Here in Canada the prosecution would have quickly withdrawn the charges

There in Canada, prosecutors are not elected, because that would be completely batshit insane.


Wait, who elects prosecutors? The public or some other group? I've never heard of going to the voting ballots for anything other than a referendum or electing various levels of legislators (typically municipal, state/province/departement/district/whatever, federal/national, and perhaps transnational like European; in NL we also vote on water boards but they don't really matter as far as I can tell).


Americans love elections! They elect sheriffs [1], prosecutors [2], and often judges [3]. Imagine, you could be arrested, charged, and sentenced by whoever the general public thought had the best hair!

[1] https://en.wikipedia.org/wiki/Sheriffs_in_the_United_States#...

[2] https://digitalcommons.law.yale.edu/cgi/viewcontent.cgi?arti...

[3] https://www.nytimes.com/2008/05/25/world/americas/25iht-judg...


Well, you know - everyone thought that everyone should decide - the unwashed masses as it were.

Would you prefer that voting went back to just the white educated land owners? Does that sound any more "just"?


I would prefer that law enforcement officers, prosecutors, and judges are appointed by administrative processes which minimise political influence, as they are in civilised countries.


> Wait, who elects prosecutors?

Among others, the fine people of Dallas County, Iowa, where this drama is taking place.


I've up-voted this because I agree with you that the election of prosecutors (and judges) is a bad idea. I suspect you are getting down-voted mostly due to your poor choice of terminology.


It is because they are being "Canada Nice" :-) "Fucking batshit insane" is what they should have said.


Why is this insane? At least it's some kind of accountability to the public.


It creates perverse incentives, and it actually reduces accountability.

The prosecutor's job is to represent the State by applying the law to the facts. The public doesn't pay attention to the details of every individual case. The public looks for narratives like "tough on crime," or "protecting the children," or "cracking down on illegals" or "protecting minorities," depending on where voters fall on the political spectrum.

Elected politicians put their voters’ demands first, but prosecutors are supposed to put the law and department policy first. Prosecutors would be tempted to prosecute based on political will - not guilt and evidence - which is unjust by definition. And since they're elected, they don't have to answer to the AG or city council - just the polls.

It's better to elect reps that hire/confirm, supervise and set policy for prosecutors instead.


You’re just swapping one master for another.

In states that don't elect judges, they are appointed. Who makes a decision on who is appointed? The politicians of course. And you’re never going to get appointed unless someone owes you it.


They get re-elected by jailing people, so there's a built-in incentive to pander to the prejudices of the majority and convict the innocent.


Do they?

Here, the justice system is completely unaccountable to the public, and if prosecutors were elected (in open elections), they would win by not jailing innocents.


That is literally not how electing prosecutors is playing out in the US. They have the highest incarceration rate in the world. Jailing innocents is rarely even an election issue.


Application of the law without fear or favour ought not be a populist exercise. Fairness can often be unpopular.


It's in the interest of the lawyers working for the state to enrich themselves and their lawyer friends who will probably take the other side of the case. Money for lawyers everywhere! America works like this because our laws are written by them.


Government lawyers aren't paid by the hour or the case.


For those who, like me, had trouble figuring out the case ID search system:

There are four fields in "case ID". The first is for the county code ("05251"). The second is for city code, which isn't present in these. The third is for the case type, which is FE (felony). The fourth is for the specific case number, which is /CR.*/

EDIT: Sadly, to actually read any of the documents requires a $25/month subscription.

EDIT2: So apparently those first fields are supposed to be autofilled by the dropdowns, but this doesn't work on my phone. Given the following message on the landing page, this isn't too surprising: "This Web Based Electronic Public Access application requires a 128 bit Cipher Strength on your Internet Explorer. To verify this click on 'Help' menu item and select 'About Internet Explorer'. If it's less than 128 bit click on link 'Update Information' to update Cipher Strength."


Bobby Rehkemper and Lindholm are the shit. They caught a dirty prosecutor a few years back on tape: https://whotv.com/2012/02/20/open-records-sonya-heitshusen-l...


Same Dallas County Attorney is taking a dive on my Qui Tam to claw back Apple's brazen $100m property tax abatement vote bribe to the City of Waukee unjustly enriching the city to abate $170m. Tim Cook is a tax crook.


>>> Mr. Demercurio told the deputies that part of the job was to “check out law enforcement response time,” the documents say

HA! There is nothing that cops like more than to participate in random timed response tests. I cannot imagine anything worse that one could ever say to a cop. Even if it is true, do not ever admit that you are "testing" police, not to the overworked, under-staffed and generally frustrated officers who are stuck working the night shift.


Well, it may be necessary to tell them, but there needs to be a backstop in place: a contract to wave around, proper identification, a live phone number to call to get confirmation, etc. The cops will still be pissed, and if you weren't careful in following their instructions when they caught you then you might find yourself tasered and soaked in someone's urine (hopefully your own, I guess). But you wouldn't be, as these two are, getting charged with felony burglary.


You're 100% correct. Having done multiple red teams I would never attempt to break into a building without 1) the CEO on call, 2) a notarized statement of work identifying my and the client's identity, and 3) notarized authorization from the landlord.

If a client refuses any of these then the physical pillar is quite simply off the table.


If the "physical pillar" is off the table, would you really feel confident giving any sort of certification of security?

Kinda like a mechanic saying "I checked the brakes, this car will definitely go for 100k miles without a breakdown"


You tell them you were testing security. You tell them you were testing the alarm system. You DO NOT tell them that you are measuring their response time.


And the police just throw them into the system and say not my problem


>I cannot imagine anything worse that one could ever say to a cop.

From the physical pentests I've heard about (never done it myself), they tend to get cordial with LE if they get caught.

This might change that if we find out that the cops were less than friendly even after they showed the get-out-of-jail-free card/pentesting contract.


[dead]


you didn’t need to take it there


GP made a point of talking about how overworked and aggrieved the cops tend to be, which is a talking point among thin blue line types; I didn't necessarily read anything into their statement other than maybe wondering about how true it is (IME cops more-or-less tend to be well compensated and work reasonable hours, due to strong unions and cultural priorities) -- but I can see where someone would read more into it.


Whether the cops are actually overworked or not doesn't matter. If the responding officers think themselves overworked, they will react negatively to being tested. What matters isn't reality but how they think of themselves.


Too bad the people who got shot aren’t here to offer up their opinions.


It's completely unrelated and off-topic. This community does not derail posts with inflammatory remarks just to satisfy our own emotional need for argument or validation, regardless of the validity of the statement. It just does not belong here.


Why not? Cops with guns would be my main concern if I were doing any kind of physical pentesting...


They "did not intend, or anticipate, those efforts to include the forced entry into a building"

Isn't that the point of the test? If you thought you had properly anticipated all attack vectors you wouldn't need the test. Or if you did, it would be to find out if you were right.

It will be interesting to see what the actual RFP or statement of work said on the matter though. If it was specific in mentioning only electronic methods, that's a problem. It doesn't seem like it should be a "Charge them with felony burglary" problem though. More like "make them pay damages" (if any)


The court is claiming it wasn't a prearranged part of the test that they were aware of. It will be up to the company to prove that it was.

> But it added that the administration “did not intend, or anticipate, those efforts to include the forced entry into a building.”

It's possible they misunderstood something in the contract such as what physical entry means and the scope of red teaming.

In the article it said they were aware of a forced entry made at another courthouse, but I'm assuming it was after the fact and the security company told them they did it before? If it was before the test then that changes the story, but I don't know why they'd admit it to the press otherwise.

> Iowa’s State Court Administration also said in the statement that it had been made aware of a break-in at the Polk County Historic Courthouse in nearby Polk County on Sept. 9 that was similar in nature to the break-in at the Dallas County Courthouse.

The fact the courts aren't fully supporting the guys raises a lot of questions.

It's not like the guys were caught doing anything for personal gain. But there's a small possibility they wanted to show off their ability and keep it hyper realistic, and crossed a line that should have been better communicated.


> The court is claiming it wasn't a prearranged part of the test that they were aware of. It will be up to the company to prove that it was.

It should be pretty straightforward to determine if the contract explicitly specified electronic penetration or left some ambiguity. Unfortunately it looks like they won't release the contract so we won't know. (I'm sure the defense will get to see it, unless they go to Kafka land, though presumably they also wouldn't have charged these guys if there was such a large hole in the contract language.)


The contract will almost definitely go into evidence. Unless the judge makes an explicit ruling to the contrary, I believe this means that it will be made public (although access might involve a physical visit and some fees)


In my experience red team contracts explicitly state what is in-scope. Ambiguity means no.


> In the article it said they were aware of a forced entry made at another courthouse, but I'm assuming it was after the fact and the security company told them they did it before? If it was before the test then that changes the story, but I don't know why they'd admit it to the press otherwise.

It isn't clear at all. Perhaps Coalfire informed the Iowa State Court Administration of the Polk County break-in when this came to light to avoid further misunderstandings? Who knows what "similar in nature" actually means in this context.


Nope, that theory is busted. I found an article that references a Polk County press release:

> The Polk County Sheriff's Office said in a release Monday that the two suspects in the burglary have been identified as 43-year-old Gary Demercurio and 29-year-old Justin Wynn. Deputies said the suspects were identified through surveillance footage captured at the courthouse. According to the news release, they are the same suspects in the Dallas County Courthouse burglary. Polk County Sheriff's Detectives continue to work closely with Dallas County Sheriff's Office in this case. Deputies said a small electronic device bearing the company logo of Coal Fire was located in the Polk County Historic Courthouse during the investigation. [0]

[0] https://www.kcci.com/article/deputies-believe-same-suspects-...


This is a weird story. Why are red teamers 'breaking into' places they don't have permission to?


It's not clear exactly what happened here, but hypothetically...

If the state/public office did _not_ agree to it in contract, but if the individuals doing the breaking in a) do it for a living, and b) were operating under the knowledge that they had a contract enabling them to do so legally... what happens to them?

In this case they committed a crime, but to them everything, including past experience, led them to believe it was explicitly not a crime. Obviously the contracting company would be ultimately at fault (at least morally so), but the person messing up the contract isn't going to go to prison for burglary.

How would this likely be resolved? Would the burglary case be dropped and it be turned into a criminal negligence case against the company? If not, how do we effectively protect physical penetration testers like this?


IANAL, especially in American law, but mens rea is usually a necessary element for criminal liability.


Hadn't heard of the term before:

https://en.m.wikipedia.org/wiki/Mens_rea


It's okay, there are a number of people in this thread who haven't. The interesting part is, legally, how there are two separate parts: intent (I intended to do this action, why car accidents are not murder) and knowledge (I knew, or should have known, this was a crime).

In this case, they could not form mens rea because, to their knowledge, they had permission to "break into" the building. Like when you lock yourself out of your house and hire a locksmith to "break in". The locksmith has intent, but no "criminal knowledge" because you gave them permission.


I guess the "or should have known" is a key part here. In most cases where the person didn't know, they should have. The difference here being that they _did_ know that they _weren't_, and they had probably taken reasonable steps to ensure that they weren't breaking the law.


Right, "ignorance of the law is no excuse", but in this case they had an exemption.


Reminds me of that time I hired a boxing coach and he punched me in the face, what a jerk!


Well, I guess the (physical) security has been tested and found acceptable.


Moving on to phase 2 of the test: Jail containment capabilities.


What a surreal article.

> the administration “did not intend, or anticipate, those efforts to include the forced entry into a building.”

It seems a little crazy they went so far as to break into the building when it looks like what was actually wanted was just do a few things and sign off on our security. You know, things we "anticipate" (doesn't that defeat the entire purpose?).

Contractors seem like they went above and beyond really. Bureaucrats don't appear to like that.


> and possession of burglary tools

Is that a crime? Like picks and stuff?


Each state is different: https://toool.us/laws.html


Kevin Mitnick's business card has a popout lockpick in it. He came to give us a talk, and gave out cards afterward. Later, I learned we all committed a crime that day.


Depends on the state. I believe in some states it's legal so long as you're not actively engaged in a crime, but becomes illegal if you get caught with them in a criminal act, even if they weren't directly related to the criminal act?

Edit: People REALLY like answering this question, apparently. :D


I do locksport and breaching for fun (in a safe, legal manner) and I live here in NY.

Certain tools only have a purpose for forced entry, like the shove it tool and halligan bar. If you are caught with such tools and are not a first responder, you will be treated as a burglar and in all likelihood successfully prosecuted.


It seems odd. A halligan bar is basically a hybrid between a large crow bar and a pick axe. Seems strange for a sort of multi-tool to be illegal when its individual components are just fine (and equally up to the breaking -> entering job)


Yeah I can't find anything at all about possession of such a tool being illegal by itself. In Oregon, our law is very specific that possessing burglary tools is only illegal when you intend to use them to commit burglary, or know that someone else intends to use them for it.


LOL yea I noticed that too and took a screen shot of all of us with "0 minutes ago"


It's a crime if you're found in possession with intent to commit a crime: https://aizmanlaw.com/possession-of-burglary-tools/

Depending on the state, owning lock picking equipment without a licence is also illegal.


Oh yeah the law has all sorts of things to increase charges.

In some jurisdictions having a crowbar while “committing a crime” turns the crowbar into a burglary tool. Better yet: having a burglary tool can count as evidence you were committing a crime (see an interesting bit of logic there?)

Or CA using possession of condoms as evidence women were sex workers. Immediately resulting in a reduction in use of protection (remember the anti-prostitution laws are all in the interests of “public safety”). Literally the interpretation of reality chosen was one where if a woman in a specific location had a condom they were automatically a sex worker, carrying evidence of sex work.


That varies by state and circumstance.

In some states it's legal to own them, but if you are caught using them or being somewhere you shouldn't be while carrying them it can be tacked onto your charges.

Other states it's totally illegal to own or carry them.


In some states I feel like they just thought “well we can’t just keep letting these guys off when we catch them before actually picking the lock” so they made the lock picks illegal.


Anything used to commit burglary is a burglary tool. A hammer, screwdriver, picks, etc.


In most states, unless you are a locksmith, yes it is a crime.


>In most states, unless you are a locksmith, yes it is a crime.

This is not true. Only nine of forty-one states make lockpicks illegal. https://tihk.co/blogs/news/116232133-lock-pick-legality


In most states, no, it is not a crime unless intent to burglarize can also be demonstrated. Simply having them or using them where you have permission is fine.


They're not illegal in any state. They become illegal when used in a crime, but then so does a crowbar.

A few states consider them evidence of criminal intent, so you'd have to provide evidence to the contrary.


I don't understand all the secrecy in doing these types of pen-testing. Why wouldn't you just tell the cops what you intend to do and make sure everyone involved has a clear understanding of what is going to be done and what not. Personally, there is NO WAY I would have tried to break into a court for a pen-test without the cops and a representative from the state right there while I'm doing it.

Sorry everyone, but as you can see, now these employees risk criminal records and prison over something stupid. And if you think some over zealous prosecutor isn't going to see this to the end, you have another thing coming.

And the worst part about it, I highly doubt the company does ANYTHING to help these dudes. I feel so bad for them.


> I don't understand all the secrecy in doing these types of pen-testing. Why wouldn't you just tell the cops what you intend to do and make sure everyone involved has a clear understanding of what is going to be done and what not.

It's not really an accurate measure of response time if the responding parties are told ahead of time. That said, I would imagine the benefit of an accurate measurement vs. the cost of a heads-up is vastly different when you're dealing with first responders as opposed to a vendor.


I'm curious, couldn't they have warned the police or alarm security company ahead of time so they don't get accidentally shot by confused responding police? Or were they so confident/cocky that they assumed this wasn't a possible outcome? At a minimum you could warn the top managers the night in question.

Especially at a serious government building that typically always has law enforcement as security during the day; that is important. As opposed to some mid-level corporation office which they'd normally hit up.

Some precautions in the situation just sound prudent.


The police aren't supposed to be shooting unarmed people.


That's never stopped them before


Exactly. Police killed an innocent man with no gun and won't even charge the policeman who opened fire.

https://www.usatoday.com/story/news/nation/2019/09/15/casey-...

Heck, the state will not even tell the cops name who executed a civilian at his own door.


If that had been in Florida it would have been revealed.


False. Some unarmed people have been shot. I've had police point guns at me and I wasn't shot, same with the folks I was with - mixed racial group, Oakland, CA, c. 1995, 1997, 2001.

E: oh yeah, and I've seen Seattle police draw but not fire on many occasions. Most recently was a few months ago, chasing a dealer up my street and hiding in the stairwell just outside my place.

E2: also, this is not the place for it - like all the other flagged comments


Notice we have this comment but no comments from innocent people who were killed by the police.


I do notice. The parent said it "never" stopped them - I'm aware of a few. I'm sure not saying the police are perfect (they are not) - but "never"!? That's an absolute that's simply not true. Shit, kids I knew were killed by police (I also knew kids that were killed by other kids). Let's all be for real though.

Some police have killed some Innocents - and it seems to be getting more frequent - but it's not an always/never thing.

I hope shit like this never happens to anyone you know.

Now, give me more downvotes, I'm still here and have a session tomorrow.


"That's never stopped them before" is a common figure of speech, it doesn't literally mean that they always do it, just that they have in the past. Think of it as similar to how people from the US say "could care less" instead of "couldn't care less".


And cars aren't supposed to crash, but you still wear your seatbelt.


Car crashes happen by accident even with the best intentions from the driver. Guns don't fire by accident.


You’ve never heard of a gun going off unintentionally?

It happens all the time.

People are also accidentally shot all the time.

We even had a VPOTUS who famously shot one of his friends in the face accidentally.


Guns almost never go off unintentionally. Yes, people think the gun is unloaded, or toddlers are playing with the gun, or the person with the gun is being unsafe. But the vast majority of the time, somebody pulled the trigger. They are not accidents.

Since they were "line hunting", pretty much every hunter thought Cheney should have been charged with something. In Canada, he definitely would have been charged with unsafe usage of a firearm.


That’s something of a no true Scotsman argument, if someone did not intentionally fire it’s accidental.

There are ~500 accidental gun deaths in the US per year and vastly more accidental firings.

If you ever take a gun course, a lot of effort is placed on getting people to never point a gun at something they are unwilling to shoot because of accidental firings. Trigger safety is similarly emphasized because of how much it reduces accidental firings.


No, I'm saying that "unintentionally" is being used in the "accidentally" sense when it should be used in the "negligently" sense.

500 accidental gun deaths are almost all negligence and should result in criminal charges. But, in actuality, many are suicides.


You could say the same about car accidents... it is rarely a mechanical failure, it is usually a driver not paying attention or doing something wrong.

Why does it matter, though? Whether it is negligent or accidental, it is out of my control and has a chance to happen. Whether I accidentally or negligently get shot by a cop, I am just as dead.


Car accidents can happen when the driver has incomplete or wrong information about the state of the roadway, e.g. roadway is slick, but doesn't appear so.

I'd concur that the majority are negligence, but I'd also wager that a non-negligible amount aren't.


https://en.m.wikipedia.org/wiki/No_true_Scotsman

All accidental discharges are negligent. That does not prevent them from also being accidental.


The friend who apologized to the VPOTUS? I’d like to hear other stories where a friend apologizes to another friend who shot them.


So from the sounds of it, the courts hired Coalfire to do pen testing but neglected to mention it should be electronic only, so they attempted physical access?


Pentesting works the other way, you need to scope things in, not out. Otherwise you'll get into all sort of legal and ethical issues.


You know one of the best ways to get access to electronic systems is to get physical access, a "hardcore" run to borrow a term from Gibson.

Reminds me of this story posted a while ago:

Story of a failed pentest https://news.ycombinator.com/item?id=18475438


So now, next question. Have they done anything in there? They've caught the intruders, good on them. But as a security guy myself I am asking: did they check ALL electronics for tampering as well as do a basic bug sweep?

I am not saying it was, in fact I don't think the courthouse that lets them rot in jail now gives a damn, but a thorough test could also test whether, after catching intruders, the court bothers to check their equipment. Something added/manipulated is sometimes worse than something stolen.


They appear to be employees of Coalfire Labs.

"The State Court Administration hired Coalfire Labs to test the security of the court’s electronic records, said Steven Davis, a spokesman for the state judicial branch."

Mr Demercurio's LinkedIn page appears to state that he is employed by that organisation.

I understand that hubris is followed by nemesis...


I can just imagine the scene: cops: you are under arrest for breaking and entering. pentester: we were just checking your security. You passed! Congratulations!

Sorry, couldn't resist /gets coat


Successful test!!


This shows such a comical level of incompetence from Iowa's state admin that it borders on malicious.


Sounds like they were authorized and the court administration just made a mistake in the contract.


It is confirmed (allegedly) they also broke into Polk County Courthouse two days earlier -

https://www.desmoinesregister.com/story/news/crime-and-court...


I'd be very interested to learn who hired them / their firm. Hope we find out!


We know who hired them. Read the article. Iowa’s State Court Administration contracted with Coalfire, of which the two men are employees.


Doh. I skimmed the article and missed that. Thought they might have a common client for both Iowa and Texas and therefore it was likely to be something federal / higher up.

Thanks for correcting


What sort of pentesters was that who didn't specify and get a signed off code of conduct before they did a physical pentest? Having a paper to wave in front of the arresting cops is more important than the promise of money. Jesus. Amateurs.


What's more likely, a big pentesting company messed up this one engagement, or the state is incompetent and doesn't understand pentesting? I'm leaning towards the latter.

