Pen-testers nabbed, jailed in Iowa courthouse break-in attempt (arstechnica.com)
31 points by cchoffme 9 months ago | hide | past | favorite | 10 comments



I guess the Dallas County Court passed the 'physical security of documents' part of the test.

I'm not sure why you would attempt to break into a court house without some paperwork saying what you're doing with some signatures from the proper authorities. It seems kind of dumb, frankly. Pen testing is risky if you can't prove that someone with the right to do so asked you to do it.


Getting arrested is one thing.

Getting prosecuted is different.


Isn’t getting arrested enough to fail background checks for the rest of your life and never get a job or apartment again?


No, from everything I read, you can often still get a security clearance.

See:

https://news.clearancejobs.com/2018/01/28/ever-questions-sf-...


Ever been arrested while poor? It's a completely life-changing and world-disrupting experience, even if charges are dropped, even if you never need to appear in court.


Are the pen-testers poor?


Maybe the people they hired to break in are poor.


True, but it's always better not to get arrested in the first place.


"pen-tester" -- this reminds me of the times "pen testers" have literally stalked people and broken into their houses.

Breaking and entering and stalking are both illegal for very good reasons. Pentesters who do this without consent are acting unethically, breaking the law, and putting themselves and others in danger.

If a pen tester really believes physical compromise is something that should be tested, they absolutely cannot do it without consent of the involved parties. If the business reduces the value of the test by changing security rules during the process, that's their own wasted money. If you want to be testing employees you need case-by-case consent - again, if they change behaviour during the test, it's simply the company's money being wasted. A company cannot tell the pen testers to target employees without both informing the employees and getting their consent.

I continue to think people calling themselves "pentesters" while doing this kind of nonsense give actual professionals a bad name.


This must have been the first time this pentest company did physical pentesting.

With all the popularity pentesting has these days I'm not surprised that some companies that try to make a quick buck don't understand how serious something like this is.

Pentesters need an "out of jail for free" card, signed by all necessary stakeholders (as high up the mgmt chain from all organizations involved as needed) and carry that with them during such exercises. At least have a number of someone on hand to call for checking authorization.

The fact they didn't do some basic paperwork before shines bad on the pentest company and now really means the pentesters broke the law. It's crazy. Poor guys, but they have to know better in this profession.



