
Men Arrested at Courthouse Say They Were Sent to Test Its Security - brdd
https://www.nytimes.com/2019/09/16/us/iowa-courthouse-burglary.html
======
jcrawfordor
It's extremely important to include a clear statement of work in any
pentesting contract exactly for this reason. The contents of the contract will
become very important in this case, and depending on whether or not the SOW
included physical intrusion into the buildings, one side or the other will end
up with egg on their face.

Without the contract and/or other agreements it isn't clear who's at fault
here, the pentesting firm involved may very well have been an incompetent one
that exceeded their SOW or did not even produce one to be agreed on--and I
tend to suspect that this is the case, because physical intrusion testing will
almost always include measures to prevent the police being called or make them
aware of the test due to both the expense of an intentional false alarm call
and the risk involved in triggering a law enforcement response.

~~~
crankylinuxuser
The company in question is Coalfire. This company assesses who can become
FedRAMP compliant. They also have their pentesting team in-house, and they are
fucking sharp. They know their contracts, rules of engagement, and exactly what
they are and aren't allowed to do.

These folks do this stuff for their livelihood. They test contractor, state,
and fed systems at all scopes and levels.

And if 2 broke in (yes, you work in teams ABSOLUTELY onprem), they had the
contract explicitly allowing physical penetration ON THEIR BODY. That contract
is the difference between felony trespass and 100% legal.

I would LOVE to be a fly on the wall and watching the conversation between
State IT and the public safety community there, and especially with the AG,
who will have to release them.

~~~
mrb
That's right. If I had to bet who was incompetent, Coalfire or the state
agency, my bet is on the latter. The state agency probably didn't
understand/read the full contract or maybe some internal miscommunication
through hierarchy led to confusion about what was or wasn't allowed in the
pentest. I'll be waiting for Coalfire's press release who will probably
confirm the contract did allow physical pentest...

~~~
godzillabrennus
This is dealing directly with the government. I doubt we ever hear of this
again if the government screwed up.

No way coalfire would embarrass a client if they can avoid it.

I feel bad for the contractors who now have arrest records. They are the
victims here.

~~~
crankylinuxuser
> This is dealing directly with the government. I doubt we ever hear of this
> again if the government screwed up.

Exactly. We won't hear of it. They do work all across the US in the state and
federal space. It's too lucrative to give up to shame them into submission
publicly. Privately, sure.

> I feel bad for the contractors who now have arrest records. They are the
> victims here.

Well, they've been arrested. So their clearances have been yanked already, as
per standard for Confidential/TS/SCI. Unless they can get complete
restoration, including expungement of the arrest, and admission of unlawful
arrest, they're done in federal/state infosec.

------
Mathnerd314
[https://www.coalfire.com/Solutions/Coalfire-Labs/Red-Team-Ex...](https://www.coalfire.com/Solutions/Coalfire-Labs/Red-Team-Exercise)
does list physical testing, but who knows what the agreement was.

The case numbers are 05251 FECR042175 and 05251 FECR042176 if anyone's
interested:
[https://www.iowacourts.state.ia.us/ESAWebApp/DefaultFrame](https://www.iowacourts.state.ia.us/ESAWebApp/DefaultFrame).
The latest appears to be that this guy is representing them:
[http://www.grllaw.com/blog/attorneys/Matthew-Lindholm-A3.asp...](http://www.grllaw.com/blog/attorneys/Matthew-Lindholm-A3.aspx)

~~~
vivekd
Here in Canada the prosecution would have quickly withdrawn the charges. It's
pretty clear that they were acting under the color of law, given that the
State admitted they hired them. If they went beyond the contract, it seems
pretty clear they did it under the mistaken but reasonable belief that they
had proper authority to enter. I understand ignorance of law isn't a defense
but ignorance of the facts is and it seems pretty clear that's what happened
here. It seems unreasonable and unnecessary to hold them in jail and
unnecessary to take this to trial. I don't see how proceeding with a
prosecution like this could be in the public interest.

~~~
peteretep
> Here in Canada the prosecution would have quickly withdrawn the charges

There in Canada, prosecutors are not elected, because that would be completely
batshit insane.

~~~
golergka
Why is this insane? At least it's some kind of accountability to the public.

~~~
sterlind
It creates perverse incentives, and it actually reduces accountability.

The prosecutor's job is to represent the State by applying the law to the
facts. The public doesn't pay attention to the details of every individual
case. The Public looks for narratives like "tough on crime," or "protecting
the children," or "cracking down on illegals" or "protecting minorities,"
depending on where voters fall on the political spectrum.

Elected politicians put their voters’ demands first, but prosecutors are
supposed to put the law and department policy first. Prosecutors would be
tempted to prosecute based on political will - not guilt and evidence - which
is unjust by definition. And since they're elected, they don't have to answer
to the AG or city council - just the polls.

It's better to elect reps that hire/confirm, supervise and set policy for
prosecutors instead.

~~~
refurb
You’re just swapping one master for another.

In states that don't elect judges, they are appointed. Who makes a decision on
who is appointed? The politicians of course. And you’re never going to get
appointed unless someone owes you it.

------
sandworm101
>>> Mr. Demercurio told the deputies that part of the job was to “check out
law enforcement response time,” the documents say

HA! There is nothing that cops like more than to participate in random timed
response tests. I cannot imagine anything worse that one could ever say to a
cop. Even if it is true, do not ever admit that you are "testing" police, not
to the overworked, under-staffed and generally frustrated officers who are
stuck working the night shift.

~~~
ineedasername
Well, it may be necessary to tell them, but there needs to be a backstop in
place, a contract to wave around, proper identification, a live phone number
to call to get confirmation, etc. The cops will still be pissed. If you
weren't careful in following their instructions when they caught you, then you
might find yourself tasered and soaked in someone's urine (hopefully your own,
I guess). But you wouldn't be, as these two are, getting charged with felony
burglary.

~~~
austinheap
You're 100% correct. Having done multiple red teams I would never attempt to
break into a building without 1) the CEO on call, 2) a notarized statement of
work identifying my and the client's identity, and 3) notarized authorization
from the landlord.

If a client refuses any of these then the physical pillar is quite simply off
the table.

~~~
elif
If the "physical pillar" is off the table, would you really feel confident
giving any sort of certification of security?

Kinda like a mechanic saying "I checked the brakes, this car will definitely
go for 100k miles without a breakdown"

------
ineedasername
They _" did not intend, or anticipate, those efforts to include the forced
entry into a building"_

Isn't that the point of the test? If you thought you had properly anticipated
all attack vectors you wouldn't need the test. Or if you did, it would be to
find out if you were right.

It will be interesting to see what the actual RFP or statement of work said on
the matter though. If it was specific in mentioning only electronic methods,
that's a problem. It doesn't seem like it should be a "Charge them with felony
burglary" problem though. More like "make them pay damages" (if any)

~~~
dmix
The court is claiming it wasn't a prearranged part of the test that they were
aware of. It will be up to the company to prove that it was.

> But it added that the administration “did not intend, or anticipate, those
> efforts to include the forced entry into a building.”

It's possible they misunderstood something in the contract such as what
physical entry means and the scope of red teaming.

In the article it said they were aware of a forced entry made at another court
house, but I'm assuming it was after the fact and the security company told
them they did it before? If it was before the test then that changes the story
but I don't know why they'd admit it to the press otherwise.

> Iowa’s State Court Administration also said in the statement that it had
> been made aware of a break-in at the Polk County Historic Courthouse in
> nearby Polk County on Sept. 9 that was similar in nature to the break-in at
> the Dallas County Courthouse.

The fact the courts aren't fully supporting the guys raises a lot of
questions.

It's not like the guys were caught doing anything for personal gain. But
there's a small possibility they wanted to show off their ability and keep it
hyper realistic, and crossed a line that should have been better
communicated.

~~~
ineedasername
_The court is claiming it wasn't a prearranged part of the test that they
were aware of. It will be up to the company to prove that it was_

It should be pretty straightforward to determine if the contract explicitly
specified electronic penetration or left some ambiguity. Unfortunately it
looks like they won't release the contract so we won't know. (I'm sure the
defense will get to see it, unless they go to Kafka land, though presumably
they also wouldn't have charged these guys if there was such a large hole in
the contract language.)

~~~
gizmo686
The contract will almost definitely go into evidence. Unless the judge makes
an explicit ruling to the contrary, I believe this means that it will be made
public (although access might involve a physical visit and some fees)

------
danpalmer
It's not clear exactly what happened here, but hypothetically...

If the state/public office did _not_ agree to it in contract, but if the
individuals doing the breaking in a) do it for a living, and b) were operating
under the knowledge that they had a contract enabling them to do so legally...
what happens to them?

In this case they committed a crime, to them everything including past
experience led them to believe it was explicitly not a crime. Obviously the
contracting company would be ultimately at fault (at least morally so), but
the person messing up the contract isn't going to go to prison for burglary.

How would this likely be resolved? Would the burglary case be dropped and it
be turned into a criminal negligence case against the company? If not, how do
we effectively protect physical penetration testers like this?

~~~
golergka
IANAL, especially in American law, but mens rea is usually a necessary
element for criminal liability.

~~~
giancarlostoro
Hadn't heard of the term before:

[https://en.m.wikipedia.org/wiki/Mens_rea](https://en.m.wikipedia.org/wiki/Mens_rea)

~~~
Ensorceled
It's okay, there are a number of people in this thread who haven't. The
interesting part is, legally, how there are two separate parts: intent (I
intended to do this action, why car accidents are not murder) and knowledge (I
knew, or should have known, this was a crime).

In this case, they could not form mens rea because, to their knowledge, they
had permission to "break into" the building. Like when you lock yourself out
of your house and hire a locksmith to "break in". The locksmith has intent,
but no "criminal knowledge" because you gave them permission.

~~~
danpalmer
I guess the "or should have known" is a key part here. In most cases where the
person didn't know, they should have. The difference here being that they
_did_ know that they _weren't_, and they had probably taken reasonable steps
to ensure that they weren't breaking the law.

~~~
Ensorceled
Right, "ignorance of the law is no excuse", but in this case they had an
exemption.

------
wfbarks
Reminds me of that time I hired a boxing coach and he punched me in the face,
what a jerk!

------
userbinator
Well, I guess the (physical) security has been tested and found acceptable.

------
mythrwy
Moving on to phase 2 of the test: Jail containment capabilities.

------
mythrwy
What a surreal article.

`the administration “did not intend, or anticipate, those efforts to include
the forced entry into a building.”`

It seems a little crazy they went so far as to break into the building when it
looks like what was actually wanted was just do a few things and sign off on
our security. You know, things we "anticipate" (doesn't that defeat the entire
purpose?).

Contractors seem like they went above and beyond really. Bureaucrats don't
appear to like that.

------
gtirloni
_> and possession of burglary tools_

Is that a crime? Like picks and stuff?

~~~
leetrout
In most states, unless you are a locksmith, yes it is a crime.

~~~
alasdair_
>In most states, unless you are a locksmith, yes it is a crime.

This is not true. Only nine of forty one states make lockpicks illegal.
[https://tihk.co/blogs/news/116232133-lock-pick-legality](https://tihk.co/blogs/news/116232133-lock-pick-legality)

------
thrownaway954
I don't understand all the secrecy in doing these types of pen-testing. Why
wouldn't you just tell the cops what you intend to do and make sure everyone
involved has a clear understanding of what is going to be done and what not.
Personally, there is NO WAY I would have tried to break into a court for a
pen-test without the cops and a representative from the state right there
while I'm doing it.

Sorry everyone, but as you can see, now these employees risk criminal records
and prison over something stupid. And if you think some over zealous
prosecutor isn't going to see this to the end, you have another thing coming.

And the worst part about it, I highly doubt the company does ANYTHING to help
these dudes. I feel so bad for them.

~~~
elliekelly
> I don't understand all the secrecy in doing these types of pen-testing. Why
> wouldn't you just tell the cops what you intend to do and make sure everyone
> involved has a clear understanding of what is going to be done and what not.

It's not really an accurate measure of response time if the responding parties
are told ahead of time. That said, I would imagine the benefit of an accurate
measurement vs. the cost of a heads-up is vastly different when you're dealing
with first responders as opposed to a vendor.

------
dmix
I'm curious, couldn't they have warned the police or alarm security company
ahead of time so they don't get accidentally shot by confused responding
police? Or were they so confident/cocky that they assumed this wasn't a
possible outcome? At a minimum you could warn the top managers the night in
question.

Especially at a serious government building that typically always has law
enforcement during the day, as security there is important. As opposed to some
mid-level corporation office which they'd normally hit up.

Some precautions in the situation just sound prudent.

~~~
kevin_thibedeau
The police aren't supposed to be shooting unarmed people.

~~~
markovbot
That's never stopped them before

~~~
frankharv
Exactly. Police killed an innocent man with no gun and won't even charge the
policeman who opened fire.

[https://www.usatoday.com/story/news/nation/2019/09/15/casey-...](https://www.usatoday.com/story/news/nation/2019/09/15/casey-viner-ohio-gamer-prison-swatting-call-of-duty/2336255001/)

Heck, the state will not even tell the cops name who executed a civilian at
his own door.

~~~
giancarlostoro
If that had been in Florida it would have been revealed.

------
ummonk
So from the sounds of it the courts hired coalfire to do pen testing but
neglected to mention it should be electronic only so they attempted physical
access?

~~~
kerng
Pentesting works the other way, you need to scope things in, not out.
Otherwise you'll get into all sort of legal and ethical issues.

------
dlgeek
UPDATE: [https://www.desmoinesregister.com/story/news/crime-and-court...](https://www.desmoinesregister.com/story/news/crime-and-courts/2019/09/18/iowa-courts-dallas-county-courthouse-coalfire-contract-judicial-branch-test-security-ia-crime-arrest/2356047001/)

HN:
[https://news.ycombinator.com/item?id=21012191](https://news.ycombinator.com/item?id=21012191)

------
scott113341
Reminds me of this story posted a while ago:

Story of a failed pentest
[https://news.ycombinator.com/item?id=18475438](https://news.ycombinator.com/item?id=18475438)

------
Ratiofarmings
So now, next question. Have they done anything in there. They've caught the
intruders, good on them. But as a security guy myself I am asking: did they
check ALL electronics for tampering as well as do a basic bug sweep.

I am not saying it was, in fact I don't think the courthouse who lets them
rot in jail now gives a damn, but a thorough test could also test whether
after catching intruders the court bothers to check their equipment. Something
added/manipulated is sometimes worse than something stolen.

------
Ice_cream_suit
They appear to be employees of Coalfire Labs.

"The State Court Administration hired Coalfire Labs to test the security of
the court’s electronic records, said Steven Davis, a spokesman for the state
judicial branch."

Mr Demercurio's LinkedIn page appears to state that he is employed by that
organisation.

I understand that hubris is followed by nemesis...

------
ptah
i can just imagine the scene: cops: you are under arrest for breaking and
entering. pentester: we were just checking your security. you passed!
congratulations!

sorry couldn't resist /getscoat

------
doctor_eval
Successful test!!

------
sli
This shows such a comical level of incompetence from Iowa's state admin that
it borders on malicious.

------
pstrateman
Sounds like they were authorized and the court administration just made a
mistake in the contract.

------
aaron695
It is confirmed (allegedly) they also broke into Polk County Courthouse two
days earlier -

[https://www.desmoinesregister.com/story/news/crime-and-court...](https://www.desmoinesregister.com/story/news/crime-and-courts/2019/09/16/iowa-polk-county-courthouse-dallas-burglaries-linked-same-two-suspects-judicial-branch-coalfire/2343135001/)

~~~
np_tedious
I'd be very interested to learn who hired them / their firm. Hope we find out!

~~~
lalaithion
We know who hired them. Read the article. Iowa’s State Court Administration
contracted with Coalfire, of which the two men are employees.

~~~
np_tedious
Doh. I skimmed the article and missed that. Thought they might have a common
client for both Iowa and Texas and therefore it was likely to be something
federal / higher up.

Thanks for correcting

------
dschuetz
What sort of pentesters were those who didn't specify and get a signed-off code
of conduct _before_ they did a physical pentest? Having a paper to wave in
front of the arresting cops is more important than the promise of money.
Jesus. Amateurs.

~~~
rhinoceraptor
What's more likely, a big pentesting company messed up this one engagement, or
the state is incompetent and doesn't understand pentesting? I'm leaning
towards the latter.

