
Pen-testers nabbed, jailed in Iowa courthouse break-in attempt - cchoffme
https://arstechnica.com/information-technology/2019/09/check-the-scope-pen-testers-nabbed-jailed-in-iowa-courthouse-break-in-attempt/
======
sverige
I guess the Dallas County Court passed the 'physical security of documents'
part of the test.

I'm not sure why you would attempt to break into a courthouse without some
paperwork saying what you're doing with some signatures from the proper
authorities. It seems kind of dumb, frankly. Pen testing is risky if you can't
prove that someone with the right to do so asked you to do it.

~~~
VikingCoder
Getting arrested is one thing.

Getting prosecuted is different.

~~~
closeparen
Isn’t getting arrested enough to fail background checks for the rest of your
life and never get a job or apartment again?

~~~
perl4ever
No, from everything I read, you can often still get a security clearance.

See:

[https://news.clearancejobs.com/2018/01/28/ever-questions-sf-86/](https://news.clearancejobs.com/2018/01/28/ever-questions-sf-86/)

------
olliej
"pen-tester" -- this reminds me of the times "pen testers" have literally
stalked people and broken into their houses.

Breaking and entering and stalking are both illegal for very good reasons.
Pentesters who do this without consent are acting unethically, breaking the
law, and putting themselves and others in danger.

If a pen tester really believes physical compromise is something that should
be tested, they absolutely cannot do it without consent of the involved
parties. If the business reduces the value of the test by changing security
rules during the process, that's their own wasted money. If you want to be
testing employees you need case-by-case consent - again, if they change
behaviour during the test, it's simply the company's money being wasted. A
company cannot tell the pen testers to target employees without both
informing the employees and getting their consent.

I continue to think people calling themselves "pentesters" while doing this
kind of nonsense give actual professionals a bad name.

------
kerng
This must have been the first time this pentest company did physical
pentesting.

With all the popularity pentesting has these days I'm not surprised that some
companies that try to make a quick buck don't understand how serious something
like this is.

Pentesters need an "out of jail for free" card, signed by all necessary
stakeholders (as high up the mgmt chain from all organizations involved as
needed) and carry that with them during such exercises. At least have a number
of someone on hand to call for checking authorization.

The fact they didn't do some basic paperwork before shines badly on the pentest
company and now really means the pentesters broke the law. It's crazy. Poor
guys, but they have to know better in this profession.

