Coalfire Comments on Penetration Tests for Iowa Judicial Branch - ajay-d
https://www.coalfire.com/News-and-Events/Press-Releases/Coalfire-Comments-on-Pen-Tests-for-Iowa-Judicial
======
sullivanmatt
Here's the scoping doc:
[https://iowacourts.gov/static/media/cms/Rules_of_Engag_E9D80...](https://iowacourts.gov/static/media/cms/Rules_of_Engag_E9D807B3D13D3.pdf)

Some highlights include authorization to attempt entry by tail gating, lock
picking, place devices once access has been gained, etc. It's a total
vindication for Coalfire (IMO).

~~~
nekoashide
They specifically stated that this access would only be between 6AM and 6PM
MST or "Normal Business hours". Not seeing anything that's allowing them
outside of these hours.

~~~
scrumper
"Expected to be" is not the same as "will only be", and that's the sort of
thing that gets decided by a judge. (The existence of the additional charges
language does weaken that argument a bit since if "expected to be" really was
meaning that things could happen outside of those hours, then you wouldn't
need to reference those MSA terms.)

IANAL, but have written more than my share of SOWs and contracts of this type.
Drafters tend to always default to the position of greatest optionality for
them. Hence, "expected to be".

------
equalunique
There is a legend from the time of my Uncle's tenure at the US DOJ. During the
Clinton administration, he hired so-called hackers he met at DEF CON to
conduct a pen test of an immigration processing center somewhere around New
England. The hackers were given some form of "get out of jail free card" for
use during the pen test. In spite of it, they were arrested anyway by the
overzealous administrator of the center. My uncle's group in the DOJ had a
hard time getting those hackers out of jail, and when they finally came out,
they were quite mad, since the whole fiasco had put their permanent records at
risk of a bad mark. The pen test project was still on, and it seems they went
to extra lengths to exact their revenge on that overzealous administrator. As
proof of their total compromise of the immigration processing center, the then
Attorney General Janet Reno received in the mail a green card for a Kang G.
Roo. Subsequently, said administrator was demoted and reassigned to some cold,
desolate part of Alaska. (So the story goes, anyway.)

Edit: The "reassignment" may have led to an almost-immediate resignation.

~~~
metalliqaz
sounds believable until the Alaska part

~~~
equalunique
I have no idea what actually happened to the former administrator, but I'm
told that this hyperbole is a method for forcing Senior Executive Service
employees to resign. There are many hoops to jump through if the intent is to
fire them, but part of being an SES includes not having much leeway when it
comes to where you are assigned. So by forcing the person to work in some
unwanted location, they tend to almost always submit their resignation
instead. Where they were reassigned to I don't know for certain, but that's
the tactic I'm told was used.

I suppose "forced to resign" might have been a more believable way to end the
story, but supposedly the mechanism by which that happens involves
reassignment to some unwanted location.

~~~
mirimir
The first EPA assessment of dioxins started under the Carter administration,
but wasn't completed until the first or second year of the Reagan
administration. The lead author ended up reassigned to a tiny branch office,
and working in basically a broom closet. Or at least, that's what he said,
when I tracked him down to ask questions.

------
Slenth
This article [1] seems to imply the reason for the arrest is a disagreement
between the county sheriff's department and the state as to who has the
authority to sign off on them attempting to break in to the building.

[1] [https://www.desmoinesregister.com/story/news/crime-and-courts/2019/09/18/iowa-courts-dallas-county-courthouse-coalfire-contract-judicial-branch-test-security-ia-crime-arrest/2356047001/](https://www.desmoinesregister.com/story/news/crime-and-courts/2019/09/18/iowa-courts-dallas-county-courthouse-coalfire-contract-judicial-branch-test-security-ia-crime-arrest/2356047001/)

~~~
danShumway
Importantly, in this story it's confirmed that the pen testers were carrying
documentation and phone numbers of people in the State department who could
(and did) confirm their stories.

When this story first broke, there was speculation that, "this is why you
carry a get out of jail free card." But if this story is true, the testers did
everything right, and the deputy just decided to jail them anyway.

~~~
mike_d
I know physical testers who will carry a fake "get out of jail free card" that
lists their own people as the point-of-contact so they can highlight the lack
of verification as a weakness. If it does get verified they have a "backup"
real one.

It is possible they attempted this and the police were none too happy being
lied to.

~~~
danShumway
It's not possible in this case, unless the news source above is misreporting
the story.

> "I advised them that this building belonged to the taxpayers of Dallas
> County and the State had no authority to authorize a break-in of this
> building," Leonard wrote in the email.

> Leonard wrote that he then called the state employee to tell him his
> contractors had been arrested and that he didn't have the authority to
> authorize this.

If Leonard had called their point-of-contact and it had been fake, it would be
weird for him not to lead with that detail.

------
matthewdgreen
Why is this still going on? It made sense before when there was a possibility
of confusion, but at this point it is _at worst_ a mistake, not someone with
intent to commit a crime. Are charges still being pressed?

~~~
doctoboggan
The question here is not whether they were contracted to do the pen test, I
think everyone agrees they were. The question is whether those who contracted
them had the authority to authorize it.

If someone from craigslist gives me a contract to break into a house to test
their security system, but it turns out the owner of the house did not know
about the contract, who is at fault for the break-in?

I do think that Coalfire acted in good faith here, but it is a complicated
situation.

~~~
mcherm
> The question here is not whether they were contracted to do the pen test, I
> think everyone agrees they were. The question is whether those who
> contracted them had the authority to authorize it.

No, the question is whether the prosecutor believes beyond a shadow of a doubt
that the accused had the requisite intent to be committing burglary. If not,
they have an ethical obligation to drop the prosecution.

~~~
doctoboggan
You are correct, I didn’t know burglary was a specific intent law.

------
exabrial
Sounds like yet another over-zealous prosecutor hell bent on putting
non-violent [and non-criminals] behind bars.

~~~
jnbiche
Yep. Someone has his or her eye on a higher office.

~~~
jstanley
Can you ELI5 why putting pentesters in prison would help a prosecutor get
promoted to a higher office?

Wouldn't it just piss off (among others) the very people who have the
authority to promote the prosecutor to a higher office?

~~~
fotbr
Prosecutor gets to go trumpet a victory over those who would show such
disrespect to the law as to try to break into the courthouse itself (or
various press releases to similar effect).

The "very people who have the authority to promote the prosecutor" are the
voters, who, for the most part, do not understand what pen-testing is, or that
it exists, or that it is (or can be, when done correctly) a legitimate thing.

ELI5: A person is smart, people are stupid. Voters are people, and details get
lost in campaigns.

------
Animats
One of the many books on CIA training describes how they handle this. The CIA
has written agreements with law enforcement in the areas where they do
training exercises. Trainees are given a number to call. If they call it,
someone from CIA HQ comes over, with, as one trainee put it, the "rumored but
never seen get out of jail free letter".

This usually means the trainee failed the exercise.

------
sandworm101
>> It's a total vindication for Coalfire (IMO)

But think about this from the perspective of the cops. The contract can get
coalfire out of any liability for damage done to the building and any
potential break and enter. That is consent between contracting parties. But an
alarm was set off. The police were called. This isn't exactly a case of them
filing a false police report, but the police were indeed called under false
pretenses.

I used to work in a building with remote monitoring and extensive security,
including armed response (military). We did these tests monthly. But as soon
as the alarm was triggered, someone was on the phone to the military police.
If their supervisor decided to roll the cars and test his officers' response
time, that was with his permission. We would never, ever, have insisted that
cops stop what they were doing, possibly something dangerous/real/important,
and physically respond to our not-real security test.

~~~
tantalor
Who cares about the cops? They don't have any role in prosecution.

"In the criminal justice system, the people are represented by two separate,
yet equally important, groups: the police, who investigate crime; and the
district attorneys, who prosecute the offenders. These are their stories."

------
heyflyguy
Are these bot comments? Looks like a simple contractual misunderstanding,
probably exasperated by a bureaucratic communication issue of some sort. I'm
sure we'll discover that coalfire had ducks in a row and Iowa didn't know what
they bought. Nobody communicated it and here we are.

~~~
cududa
It so far appears the county sheriff is behind this, insisting that the
courthouse belongs to the county, and the state had no right to authorize this
test.

~~~
mitchty
Remember that Sheriffs are elected, they can have zero training related to
the job. That alone can explain a lot of this. You might be surprised at
recent efforts to politicize them as well.

[https://www.politicalresearch.org/2019/06/10/how-a-right-wing-network-mobilized-sheriffs-departments](https://www.politicalresearch.org/2019/06/10/how-a-right-wing-network-mobilized-sheriffs-departments)