Some highlights include authorization to attempt entry by tailgating, lock picking, placing devices once access has been gained, etc. It's a total vindication for Coalfire (IMO).
People do get arrested doing this type of work. It hasn't happened to me, but it has happened to people I know. Usually it is quickly and quietly resolved without the press being involved.
What I believe is at issue here is authority. Can a state entity authorize testing of county buildings? Some people just assume "the government" is one entity. This same type of issue arises in corporate work as well - can a tenant authorize testing against a landlord's building? You need to get both to agree.
(Disclaimer: I do this type of work so I might be biased)
I think you are correct, the question is if the right stakeholders authorized this. You can't break into a 7/11 because some person working there authorized it. Authorization needs to be from all proper stakeholders.
Yes, the two employees could be liable for accepting a request from someone who obviously didn't have the authority to give it. But they wouldn't be the only people liable, and it seems silly to claim that they would be the first people liable.
Why is it that the only two people arrested are those who had the least amount of responsibility and ability to check on the authority of the State department?
That outcome is why the word "pawn" is being thrown around.
Then is it also the fault of the two testers in this case that they too did not verify that all the correct stakeholders were brought in?
It would suck to be in the position of the testers having little or no recourse.
IANAL but I've been tracking this pretty closely since I'm also a pentester; everything seems to reasonably indicate that the two guys should be released, but someone else is likely ending up in a court over this.
I work in professional services (although not pentesting), so I'm curious about what would happen to me if I was in a similar position.
I can see a situation where the decision to stay or swap off a system is being debated. If one party can send in testers and call out some vulns that might play to their hand.
My initial comment pointed more generally to an example of politics within a company though.
If the current cases were to actually go to trial, then even the most incompetent attorney would start asking for subpoenas of everyone involved, likely reaching into the highest political and law enforcement offices. These are people who can exert tremendous pressure in order to evade having to give sworn testimony.
I don't know if the local prosecutors understand the massive political retaliation they are inviting.
> Many of the pentesting actions would violate hacking laws.
No. Just like the physical penetration, if you are authorized by a legal authority to access a computer system then you aren't breaking any law when you penetrate it. The question is whether these parties were in fact a legal authority.
IANAL, but have written more than my share of SOWs and contracts of this type. Drafters tend to always default to the position of greatest optionality for them. Hence, "expected to be".
They DID have permission to lockpick, and maybe the state asked for testing after 6pm MST but hasn't released the request (per the blurb below)
"Requests for testing outside this time period outside the above may result in additional charges per the terms of the MSA"
Edit: The "reassignment" may have led to an almost-immediate resignation.
I suppose "forced to resign" might have been a more believable way to end the story, but supposedly the mechanism by which that happens involves reassignment to some unwanted location.
E.g.: He fucked up so bad, he will be manning a remote radar station in Alaska for the rest of his military career.
When this story first broke, there was speculation that, "this is why you carry a get out of jail free card." But if this story is true, the testers did everything right, and the deputy just decided to jail them anyway.
It is possible they attempted this and the police were none too happy being lied to.
> "I advised them that this building belonged to the taxpayers of Dallas County and the State had no authority to authorize a break-in of this building," Leonard wrote in the email.
> Leonard wrote that he then called the state employee to tell him his contractors had been arrested and that he didn't have the authority to authorize this.
If Leonard had called their point-of-contact and it had been fake, it would be weird for him not to lead with that detail.
That is the dispute here.
> A police sergeant called one of the state employees, who confirmed what the men said: that this was a legitimate contract and that the men should be let go, according to the email.
> The state employee disagreed and asked Leonard not to tell other sheriffs, wrote Leonard, who said he responded by saying he was going to tell every sheriff.
It's not just an implication, the police just decided to arrest them anyway.
"According to the agreement, all Coalfire tests were to be conducted between 7 a.m. and 7 p.m. Monday through Friday. But tests could be carried out outside that range if requested through a change order.
The break-ins in Adel and Des Moines were investigated around midnight on separate days.
No change order was released that would have indicated the judicial branch wished the tests be carried out at night."
My guess is the state will shortly remind the county about government hierarchy.
I think that's only true for a few old states with some oddities dating back to grants from The Crown.
For everybody else, I'm pretty sure the local government is mostly at the whim of the state government.
Now most states don't do that because it screws things up badly. However, there have been some high profile cases in Texas, for example, where a state judge comes with the Rangers, displaces the local judge and starts arresting everybody.
The fault seems to be with the person who authorized the physical portion in the contract not actually having the authority. And unfortunately that means Coalfire employees are caught in the crossfire.
If someone from craigslist gives me a contract to break into a house to test their security system, but it turns out the owner of the house did not know about the contract, who is at fault for the break-in?
I do think that Coalfire acted in good faith here, but it is a complicated situation.
No, the question is whether the prosecutor believes beyond a shadow of a doubt that the accused had the requisite intent to be committing burglary. If not, they have an ethical obligation to drop the prosecution.
Incarceration is a tool for over-zealous prosecutors, not a terminal goal. That tool won't help them advance their actual goals in this case.
(Of course, tools that get used a lot can accidentally become terminal goals if a non-self-reflective agent gets too cognitively lazy. Still, the intelligence bar for "prosecutor" is probably high enough we should credit them with generally knowing what they're doing. And even if they were being this lazy, their full attention would be brought to this case when it first hit the media.)
It's emphatically not "we contracted with these people to do security work for us", it's that "our enemies from the Iowa state contracted these people to try and screw us".
They succeeded in getting some of these enemies caught, so they will make a point to their local voters as "we sure showed those bastards from the state agencies that they have no right to come here and shove their noses in our business" (which they've already explicitly stated to local press in pretty much the same words), that's a win already for a certain class of the local voters.
Their goals explicitly include making it harder for 'enemy agents' to operate. If they use every technicality within the bounds of the law to make it as prolonged and difficult as possible, they're making a statement that attempting to attack them in this manner will result in retaliation - if it makes it hard for Iowa state to employ other pentesters in the future, excellent, mission accomplished, that fits the goals of these local agencies very well. They treat this mission as an explicit attack against them, and they want to deter attacks like these with whatever power they've got - which includes the ability to arrest people.
Wouldn't it just piss off (among others) the very people who have the authority to promote the prosecutor to a higher office?
The "very people who have the authority to promote the prosecutor" are the voters, who, for the most part, do not understand what pen-testing is, or that it exists, or that it is (or can be, when done correctly) a legitimate thing.
ELI5 A person is smart, people are stupid. Voters are people, and details get lost in campaigns.
This usually means the trainee failed the exercise.
But think about this from the perspective of the cops. The contract can get coalfire out of any liability for damage done to the building and any potential break and enter. That is consent between contracting parties. But an alarm was set off. The police were called. This isn't exactly a case of them filing a false police report, but the police were indeed called under false pretenses.
I used to work in a building with remote monitoring and extensive security, including armed response (military). We did these tests monthly. But as soon as the alarm was triggered, someone was on the phone to the military police. If their supervisor decided to roll the cars and test his officers' response time, that was with his permission. We would never, ever, have insisted that cops stop what they were doing, possibly something dangerous/real/important, and physically respond to our not-real security test.
"In the criminal justice system, the people are represented by two separate, yet equally important, groups: the police, who investigate crime; and the district attorneys, who prosecute the offenders. These are their stories."