
A turf war and a botched contract landed two pentesters in Iowa jail - chha
https://arstechnica.com/information-technology/2019/11/how-a-turf-war-and-a-botched-contract-landed-2-pentesters-in-iowa-jail/
======
noodlesUK
I think redteam physical security is a necessary practice, and it’s a fun
career for people I know in the industry, but you wouldn’t ever be able to
convince me to break into a facility with an armed response without first
telling the actual security on site (in this case the police, and all of them
at that) that there would be a red team test between a specific set of dates
and NOT TO SHOOT. This could have gone much worse for the poor bastards who
got arrested.

edit: not that that justifies at all the absurd response of the sheriff in
this case.

~~~
chrisseaton
Why would anyone shoot an intruder on commercial premises? Is that ever legal?
I know homes are different in the US, but would a security guard ever
literally see someone they didn’t recognise, draw their gun, and just execute
them like that?

~~~
t34543
Armed responders are human. Humans make mistakes. Drop guns aren’t unheard of
when a bad officer decides to cover up a mistake.

~~~
chrisseaton
Why do they arm normal police officers and security guards? Why not leave the
armed response to specialist officers with much higher levels of training and
accountability?

~~~
LiNeXT
Violent criminals don't break for tea time while everyone waits for the "armed
response" people to show up. Cops and security guards are armed because they
encounter situations where they have to defend themselves against someone who
wants to kill them. If a criminal is pulling a gun out of his waistband,
suggesting that the cop or security guard should have to be a defenseless
sitting duck while screaming into the radio for "armed response" is an utterly
silly proposition.

~~~
chrisseaton
Are most criminals really carrying guns? It seems like a bad trade-off to arm
everyone all the time just for the one in a billion case that a criminal is
armed.

~~~
LiNeXT
First of all, there are more ways than just guns for a criminal adversary to
kill someone, including knives, hammers, baseball bats, pounding a person's
head into the sidewalk using bare hands only, etc. Secondly, a cursory glance
at crime statistics ought to dispossess you of the notion that criminals are
only armed every "one in a billion" cases. Thirdly, if you really think this
only happens "one in a billion" cases, why would you bother standing up an
armed response team at all?

~~~
chrisseaton
Police and security in the UK manage just fine without guns. I think arming
the police means criminals feel the need to be armed in response.

~~~
LiNeXT
The United States isn't the UK. That aside, considering the UK's recent surge
in knife violence, I'm not sure your assertion that armed police cause
criminals to arm themselves can be substantiated.

------
mindslight
> _on September 11, no less. We have two unknown people in our courthouse—in a
> government building—carrying backpacks that remind me and several other
> deputies of maybe the pressure cooker bombs._

What a sad existence to be ruled by such fear, living out some constant
delusion of being attacked like the mass media spectacles. Then trying to push
that fear onto everyone else to validate their own overreactions.

~~~
Trisell
TBH, it’s more the government's fault. These local jurisdictions are constantly
undergoing terrorism training from the state and federal governments. When I
was a firefighter we constantly trained for NBC and other types of terrorist
attacks and were required to have a mandatory amount of training regarding
other types of incidents that could all be caused by terrorism. It’s been a
basically constant drumbeat by the state and federal governments since
September 11.

And honestly the pentest company should have thought twice before conducting
this type of test on September 11th. Any anniversary date of a major terrorist
attack is a potential day of a second copycat attack.

~~~
mindslight
I agree it's a much bigger problem than just the boots on the ground watching
too much _24_. But the "September 11" focus in the latter half of your comment
is itself part of that problem. If you're talking about historical effects, at
least refer to the date with the year attached.

FWIW "copycat attack" is just yet another minimally-plausible scenario that
propagates fear.

~~~
Zenbit_UX
> If you're talking about historical effects, at least refer to the date with
> the year attached.

That seems unnecessary, I don't think there's a person alive unaware of the
year he's referring to.

No one in the comments here is "worshipping" 9/11 but the GP is correct in
saying Coalfire should have thought twice about a redteam pentest on a date
that puts law enforcement on high alert.

~~~
catalogia
> _That seems unnecessary, I don't think there's a person alive unaware of
> the year he's referring to._

Yes but explicitly stating the year emphasizes that you're talking about an
event the better part of two decades ago. A "copycat" of something that
happened when one of these guys was about 11 years old. It's farcical and
stating the year emphasizes that. If they'd done it on December 7th, _"the
date that will live in infamy"_, would a copycat attack on Pearl Harbor be
suspected? Give me a break.

~~~
dillonmckay
We did not get the Patriot Act from Pearl Harbor.

~~~
catalogia
That's an inane and irrelevant point to make. More than 100,000 Japanese
Americans were interned in the aftermath so in either case there was an
extreme reaction from the US government, but that's not relevant because it's
no more plausible that two guys creeping around a courthouse at night were
trying to torpedo battleships than they were trying to fly airplanes into
skyscrapers.

~~~
dillonmckay
I respectfully disagree.

It took almost 50 years for the US government to acknowledge the extreme
reaction to Pearl Harbor and provide reparations.

If that is any indication, 9/11, will remain in the zeitgeist for at least
another 30 years.

------
broknbottle
Every time I read an article about this spectacle, I can't help but think of
Sheriff Buford T. Justice. Some rinky dink sheriff pulling up his britches and
making some statement about how these boys must not know who the law is around
these parts.

~~~
crb002
The sheriff was 100%. The State Court Administrator and Chief Justice
orchestrates an illegal break in of a county property in violation of Iowa
Code 721. Chief Justice Cady died last night of a heart attack.

~~~
Lazare
> The State Court Administrator and Chief Justice orchestrates an illegal
> break in of a county property in violation of Iowa Code 721.

That's a very open question. Under Iowa law, the counties have to provide the
buildings to the state, but the state controls them. The position of the state
court is that this control is _total_ when it comes to security, and thus they
can authorize whatever they like. (And there are court decisions supporting
this view.)

Ultimately this is a legal question, which will be answered by the courts. But
uh, the smart money is that the Iowa state courts will decide that the Iowa
state courts were correct the first time, have lots of power, and didn't break
any laws. But hey, anything could happen...

~~~
crb002
Chief Justice Cady admitted he was in the wrong before his death Friday. It
won’t be revisited.

~~~
kencausey
You might want to consider citing some evidence.

~~~
javagram
Excerpt from the article:

‘In October, Iowa Supreme Court Chief Justice Mark Cady, who oversees the
state’s judicial branch including all judicial officers and court employees,
apologized for the incident before the state’s Senate Government Oversight
Committee, according to the Des Moines Register, which has been closely
following developments in the case.

“In our efforts to fulfill our duty to protect confidential information of
Iowans from cyberattacks, mistakes were made,” he said, using the passive
voice that’s so common in leaders’ admissions of responsibility. “We are doing
everything possible to correct those mistakes, be accountable for the mistakes
and to make sure they never, ever occur again.” He declined to comment for
this story.’

------
MaupitiBlue
I find this absolutely shocking. The Iowa Supreme Court chief justice
apologized for the mess, so how have charges not been dropped?

Malicious prosecution or 1983 action?

~~~
crb002
The Chief Justice died last night of a heart attack. 1983 would be against
Chief Justice and State Court Administrator for setting them up.

~~~
gpm
1983 would be against the Sheriff for false arrest and imprisonment. As soon
as it became clear that they did not have the appropriate mens rea for any of
the crimes holding them in jail was blatantly illegal. Even if you somehow
manage to misinterpret the law to not require mens rea, as soon as it became
clear that it was entrapment it became illegal to continue to hold them.

There is no reasonable legal theory in which they are not innocent, unless
there are substantial non public facts.

That's whether or not you think that the state has the authority to authorize
this.

~~~
crb002
It was a clear breakin. The 99 County Courthouses are County owned and
operated buildings. Iowa fully localized building control in the 1970s.

~~~
shkkmo
> He also noted that a provision in the contract required the SCA to secure
> all necessary permission for the execution of the contract.

Therefore it seems to me that if anything illegal was done, it was the SCA
failing to acquire permission for the pentest.

------
moomin
So... they’re trying to prosecute two guys and have not only zero evidence of,
but an awful lot of counter-evidence of mens rea.

America has a serious problem with prosecuting people it’s pretty sure are
innocent.

~~~
JoeAltmaier
They broke into a county building with no authorization. Even the purported
state authorization didn't permit any of the activities they performed
(defeating locks; operating at night; interfering with the alarm).

'Zero' is hyperbole, since 4 significant charges is greater than zero.

It's true they have no evidence of intent to harm. But it's hardly a harmless
mistake that they, after a few drinks, broke into the wrong building without
permission. During the night (supposed to be during the day). A judicial
building.

~~~
dillonmckay
‘Even the purported state authorization didn't permit any of the activities
they performed (defeating locks; operating at night; interfering with the
alarm).’

This is incorrect.

One of the three documents indicated this, however, the other documents
allowed those tactics.

Are the documents in conflict? Yes.

~~~
JoeAltmaier
The documents prepared before the contract supported all sorts of activities.

But the contract signed by the state, did not. It spelled out exactly what was
allowed. That the organization advertises it is capable of other physical
testing is interesting, but not relevant.

------
couchand
It sounds like one of the author's main questions is the valid time window for
intrusion testing. They make much of the fact that the contract is apparently
inconsistent in stating "6AM to 6PM mountain time" in one place and "day and
evening" in another. To me, this doesn't sound inconsistent at all: six
mountain time is seven central, which is clearly in the evening. I'm having a
very hard time seeing the contradiction there.

------
peteretep
I tend to think the term “victimless crime” is almost never applicable, but
I’m really struggling to see an injured party here.

~~~
Thorrez
A police response costs money.

But generally would trespassing be considered a victimless crime? If you find
out that someone trespassed, that might cause psychological harm. But if
someone trespasses and no one notices, I guess that might be victimless. If a
tree falls in the forest and no one is around, does it make a sound?

~~~
chmod775
> A police response costs money.

Police are already paid for with taxes. Writing bills for police responses not
only creates wrong incentives, it's also redundant.

There can be fines for calling the police frivolously, but that's a different
matter.

------
hpoe
TL;DR: pentesting company gets a poorly defined and contradictory contract from
the state judiciary; the county uses it as an opportunity to pick a fight by
pressing charges against two pen testers who were trying to break into the
court house.

~~~
crb002
No, Chief Justice and State Court Administrator dupe them into conducting an
illegal pen test. Prosecutor is an ass by not dropping charges on pen testers
if they testify against state court admin. Chief Justice died last night of a
heart attack so not an issue.

------
crb002
Sad news. Iowa Chief Justice Cady who headed the illegal pen test died last
night of a heart attack.

------
JoeAltmaier
Botched contract? The testers were told to do a 'social engineering' attack
during the daytime. They subverted locks during the night. It was botched
execution, by men who had had a few drinks apparently.

------
Spooky23
I think this type of pen-testing is asinine. A big part of why is that they
are providing information that isn’t actionable, and it isn’t necessary to
burgle a building — just do an audit.

The other is that the many of the companies in the space suck. Coalfire didn’t
have an attorney worth a nickel. No competent organization in their right mind
would accept a contract that includes illegal entry into another party’s
property.

Maybe if the people who hired the pen-testers were interested in an outcome
(good security practices), instead of attention and shaming a business
partner, you’d have a different outcome.

~~~
Bnshsysjab
Pentesting can be about highlighting poor budgets and security practices -
I’ve had clients basically hand me findings because they just want a report
that says how crap they are.

I’m not a huge fan of physical breaches purely because they’re not a realistic
threat model - maybe in the case of larger court houses that house evidence in
cases where people might have the resources to do such a breach, but in most
situations no decent attacker would risk their face on camera when
malware.docx.exe would suffice.

~~~
Spooky23
If what you describe had been done, this wouldn’t be news.

If I were the CIO or CISO of the state court, I would want to audit a few
courts, and work with them to test those controls. That’s where you work with
the county to test their controls - just like your scenario.

Then the test is a tool that can be used to get funds from the state, county
and federal government to fix the problems.

~~~
chris_wot
Well, I have to say the restricted parameters they gave them weren’t worth a
damn.

~~~
Bnshsysjab
FWIW, real breaches don’t care about parameters. I know the law doesn’t see it
that way, and the pentesters probably should have cared a bit more, but most
contracts I see basically caveat reports to say ‘and any related systems’,
which gives something that will cover basically anything that would be
considered ‘reasonable’ in a court of law.

The purpose isn’t to be an asshole, it’s to actually raise issues when you’re
otherwise limited by sleazy performance-paid project managers trying to limit
your scope to basically nothing.

