
Charges dropped against pentesters paid to break into Iowa courthouse - froindt
https://arstechnica.com/information-technology/2020/01/criminal-charges-dropped-against-2-pentesters-who-broke-into-iowa-courthouse/
======
irjustin
At first, I assumed I was going to be only angry at the justice system, but
after understanding the contract document was split in 3 with very wishy-washy
language, part of the problem is on the contracted company.

This is why you have explicit language in your documents. It's not there for
when things go well - it's when things go bad like this situation. In fact, I
argue this is an expected outcome. How can you run a security contract that
does explicitly illegal things w/o having clear language about what is
supposed to happen?

FWIW:

- The pen testers should be ready to spend time in jail and be compensated as
such. A piece of paper should not get you off free immediately. That thing
needs to be verified, so expect it to take time.

- Language in your doc needs to be clear exactly what will happen. The whole
fiasco afterwards should not have needed to take place. If the customers want
'more pen testing', charge them for it.

Overall this is a great outcome. Just need to clean up the edges a bit.

~~~
peeters
> - The pen testers should be ready to spend time in jail and be compensated
> as such. A piece of paper should not get you off free immediately. That
> thing needs to be verified, so expect it to take time.

Sure, that might explain the 12 hours in jail. It does NOT explain why the
county attorney continued with prosecution well after it was clear the men had
no criminal intent and were acting on the direction of the state of Iowa. That
was a pissing contest, full stop, and the men caught in the middle should be
pursuing legal action against the county.

~~~
GlitchMr
After it became clear they had no criminal intent, they decided to change the
crime to one that doesn't require criminal intent. The initial charges were on
"third-degree burglary", but then changed to "misdemeanor trespassing".

~~~
nighthawk648
Article didn’t mention how they got caught.

Further research shows it was while doing the activities.

Would’ve been impressive if they got away with it...

~~~
HenryBemis
> DeMercurio and Wynn were arrested in the early hours of September 11 after a
> dispatcher with the Dallas County sheriff’s department observed the men
> wandering through the closed county courthouse with dark backpacks.

I understand that they didn't resist arrest:

> Deputies were friendly and interested as DeMercurio and Wynn explained how
> they used a lock-picking device to bypass a locked front door.

Looks like all participating in that initial encounter were having a laugh
about this (while the dispatch center of course was running the
check/authenticity of the claim). And then the politics/pissing contest
started.

It would have been better if they (pentesters) had bodycams to have the
evidence of the whole attempt. That would give them extra defensive points in
court.

~~~
nighthawk648
You think it would've been possible for them to evade capture? À la Mr. Robot
style?

~~~
freeone3000
Why? Them getting caught proves that the physical security measures worked.
Job done, write the report, send it off.

------
guug
About 10 years ago, I stumbled across a local government website that leaked
personal information about all registered citizens (including full names,
civil id numbers, dates of birth, academic grades, etc). I didn't report it
because I knew they would try to go after me.

Fast forward to last year, the government decided to double down on their
stance by making punishments harsher than most crimes of violence without
carving exemptions for white hat researchers.

Unsurprisingly, my country's infrastructure was shown to be completely
compromised by Snowden's (or Manning's) leaks.

~~~
parliament32
If you're "stumbling" around without a VPN you deserve everything terrible
that will happen to you. As a researcher you should know better.

~~~
guug
I was a normal user who made a mistake when entering my own information.
Government employees who think like you are the reason why security issues
don't get reported.

Don't make baseless assumptions.

------
LeonB
This has been quite a wild ride.

Part of me says Wynn and De Mercurio could try to sue someone -- either their
initial customer for not giving them sufficient safety, or people responsible
for them being charged -- but then I consider that suing "The law" is such a
famously bad idea that it's celebrated in song ("I fought the law and the law
won.")

Ultimately, I think they'll get some good conference talks out of it.

~~~
thaumasiotes
> then I consider that suing "The law" is such a famously bad idea that it's
> celebrated in song ("I fought the law and the law won.")

But that song is about armed robbery being _punished_ by the law, not suing
anyone. The lyrics aren't subtle:

> Robbin' people with a six-gun

> I fought the law and the, the law won

Fighting the law outside the system by disobeying it is a totally different
concept from fighting the law within the system by suing over it.

~~~
ineedasername
Well, fighting the law outside the system is actually a bit more complicated.
See civil disobedience, the Civil Rights movement, etc. as examples where laws
were deliberately broken to _successfully_ fight against and change those
laws.

~~~
thaumasiotes
Yeah, I agree that that's fighting the law outside the system. I don't think
it's different from robbery in the same way that fighting the law from within
the system is, I think they're similar in that regard. They're different in
that robbery commands nearly zero popular support, making it a bad candidate
for change through civil disobedience.

~~~
ineedasername
True, short of Robin Hood there's not much of a positive example of robbery as
civil disobedience.

------
exabrial
Lesson here is don't embarrass the prosecutor's office. These people aren't
held accountable to anyone and they don't want that to change.

~~~
sonotathrowaway
Wouldn't the lesson here be don't perform any pentests for courthouses in
Iowa? They've shown themselves to be vindictive and petty; why exactly is
their security worth risking my freedom?

~~~
clort
On the other side of this, surely your freedom is already at risk if the
courthouse has poor security?

~~~
ashtonian
I keep telling people the only solution is to get rid of the but nobody
listens..

~~~
SketchySeaBeast
> is to get rid of the but nobody listens

Sorry, get rid of what?

~~~
jakeasmith
Don’t worry about it. He got rid of it.

------
Pyxl101
Why did it take so long to dismiss the charges? Wasn’t it obvious from the
beginning that they had no criminal intent? (Or is criminal intent not
necessary for this crime?)

I would love to read some reporting about what was going on behind the scenes.
Anyone have a link?

~~~
dannyw
It was a pissing contest amongst two sheriffs. The original first responders
were going to let them go, and a new sheriff arrived on the scene and said the
original state administrative office had no authority to authorize it for
_his_ courthouse.

------
korethr
So, are these guys going to be at DefCon, with a presentation about their
experience, and lessons to share with the wider security community? Because I
would be interested in watching said presentation.

------
lightedman
Charges dropped? Time to file for malicious prosecution against the DA's
office.

------
cartothemax
That county had a breach in late November of last year too.
[https://www.kcci.com/article/dhs-data-breach-in-dallas-county-affects-more-than-4000-peoples-information/30657725](https://www.kcci.com/article/dhs-data-breach-in-dallas-county-affects-more-than-4000-peoples-information/30657725)

------
lasky
And once again, any US organization allowed to use a .gov domain loses yet
ANOTHER notch of credibility, and confidence in their competence.

~~~
swebs
What does this have to do with that TLD? The link doesn't even mention any
.gov sites.

~~~
lasky
US Government organization

------
qaq
Might be safer to work for a larger outfit with a good legal department?

~~~
noodlesUK
Coalfire _is_ one of the larger more reputable orgs in this space.

------
auiya
Last I heard the attrition rate at Coalfire was quite high. Issues like these
I'm sure aren't helping.

------
fyfy18
Nobody here has mentioned the fact that they went through a locked door (well
supposedly it was unlocked, they closed it, and they broke in to test it) even
though their 'get-out-of-jail-free' letter explicitly said that was not
permitted. I agree it took embarrassingly long to get the case dropped, but it
seems like if they hadn't done this there wouldn't have been a problem in the
first place.

