
State employees authorized courthouse 'penetration,' records show - whatsreal
https://www.desmoinesregister.com/story/news/crime-and-courts/2019/09/18/iowa-courts-dallas-county-courthouse-coalfire-contract-judicial-branch-test-security-ia-crime-arrest/2356047001/
======
rubyfan
This seems silly. The state clearly authorized the operation. The contractor
acted in good faith. Yes some mistakes may have been made on both sides but it
serves no one to prosecute these guys and label them burglars.

~~~
externalexperts
Yes, you're correct.

------
duxup
>"I advised them that this building belonged to the taxpayers of Dallas County
and the State had no authority to authorize a break-in of this building,"
Leonard wrote in the email.

I was wondering about that. If it is the county courthouse I'm not sure a
state employee necessarily can authorize something like a break in.

~~~
sb8244
If the courthouse "belonged to the taxpayers of Dallas County", who could
authorize the break in? This was a really confusing/nuanced piece of the story
and I'm not sure what's correct on it.

~~~
AmericanChopper
I read it as him asserting his jurisdiction over the county, and this whole
case seems to boil down to an implied conflict between the county and the
state over that jurisdiction. I’m not a lawyer, but it doesn’t look like
there’s a very strong mens rea component to this accusation. I imagine they’d
have to prove that the accused acted negligently, supposing it is in fact true
that the state didn’t have the authority to authorise the test. But then who
else is also culpable? Coalfire? The state of Iowa? The particular state
official involved in this engagement?

------
Mathnerd314
Document links 404, this article has working links:
https://www.weareiowa.com/news/local-news/state-court-administration-private-security-firm-had-different-interpretations-of-contract-leading-to-courthouse-break-ins/

I guess it's going to trial, unless the prosecutors drop the case. The waiting
continues.

------
elasticventures
..

Pen testers for state/government cybersecurity require a special designation
(#red_team) that allows for incursion and flag dropping; 'tracepoints' --
public disclosure. There are a lot of steps, and often it involves writing out
a clear mission scope/goals to avoid this type of circumstance.

This includes progress reports to their organizational handler announcing the
intentions/progress .. progressive research. Introductions by state employees,
informing law enforcement.

OFTEN ..

I find myself informing the officials & administrators during normal business
hours, etc. ("people who may be affected") that we could be conducting an
exercise that involves your building in [timeframe]; you have until then to
prepare: readiness drills, etc. Bring it.

AFAIK getting caught is part of the fun (how far can I get before you catch
me?), but there's always a point of no return where it's not fair: never typing
the rm -Rf or "encrypt *" commands, but you never actually do if you're a good
person. I know I had a lot of interesting "oops" moments in my early career
where I accidentally embarrassed somebody and made an enemy.

IT departments are run by normal people who have limited budgets and time, and
I like to point out that a failure usually means a better budget justification
to fix it, and assurance that anything we break we'll fix; but how confident
are they in their backups, and how easily can I get to them?

So fuck that cowboy pen-testing bullshit; a great hacker will only use that as
a last resort, and then EVERYBODY should know it's happening so there is less
risk. This is why "this is a test" is played during military exercises:
because it's about the readiness drill. I will take your system down, with or
without you -- do you want to watch?

I've had new guys on teams suggest cutting primary wires to trigger failures,
i.e. "video camera feeds" etc., to demonstrate coverage lapses in physical
security. If they did any property damage, they are liable for that.

If the building administrators decline the #red_team audit, then we submit
that back into the report and put them on our "naughty list", which means we'll
try 2x harder to embarrass that particular person; shame on them.... It needs
to be clear that a failure does not necessarily reflect badly on them in our
report, unless they were blocking the audit; that is bad. That's all you can
do; they don't want to engage -- forward it to the foreign upper bureaus who
don't need to follow the same disclosure rules, as a good place to train
recruits.

As a hacker / pen-tester / #red_team, I make it clear that's exactly what I'm
going to do if they don't personally cooperate; usually they'd rather be
helpful than risk pissing me off and being the subject of my wrath -- we work
together to fix it. It's a bit heavy-handed .. 2020 election security is
going to suck donkey balls, btw.

/ #red_team

~~~
saagarjha
> If the building administrators decline the #red_team audit; then we submit
> that back into the report and put them on our "naughty list"; which means
> we'll try 2x harder to embarrass that particular person

You sound quite unprofessional :/

~~~
elasticventures
Is there a better technique? Please share. Independent cyber-merc: "white hat,
with blood stains".

My best approach -- marking people "declined to participate" and the naughty
list; or shaming them for not participating in the drill?

As I see it, I'm a good guy, paying them a courtesy by informing them of the
intentions and working with them; they are the unprofessional ones. Perhaps
this is my low EQ, and it's why I have assistants.

I have no patience for bureaucrats (i.e. election officials) telling me their
system is secure while I know damn well it isn't .. usually I suspect
corruption/secrets they would rather not be public ... and the funny thing is
... most of the time I'm right, and they turn out to be real pieces of shit
that I just happened to get caught on my boot.

Too many of our systems rely on closed-source software vendors hiding behind
the law and pretending (I'm looking at you, Oracle) .. ignoring that 90% of
North Korea's income comes from hacking; cyber-terrorism and cyber-ransom
funding radical terrorism scares me.

The small terrorist cells usually don't have a hypermind (180+ IQ), but nation
states [even small ones] probably have at least one or two on the payroll.

Iran is a good example of this; we've been talking about these types of
attacks "in theory" for years, literally 10 years. More importantly, given the
success, how long before this type of guerrilla warfare expands to schools in
the USA?

~~~
michaelt
> is there a better technique? please share.

Get hired by someone who has the authority to instruct building services to
cooperate.

If the person hiring you doesn't have the authority to do that, they
_certainly_ don't have the authority to get your guys out of jail.

