posted by martyb on Thursday November 14 2019, @03:46AM   Printer-friendly
from the caught-between-a-rock-and-a-hard-place dept.

The case has become a cause célèbre that has galvanized a variety of different interests. For Coalfire and professional pentesters around the world, the charges are an affront that threatens their ability to carry out what has long been considered a key practice in ensuring clients’ systems are truly secure.

[...] “This does affect my job directly,” said a penetration tester who asked to be identified only by his handle @Tinker. “This affects physical pentesting in general and it really affects government pentesting when the state government can’t provide protection and you can’t trust the state government to stand behind its own laws.”

[...] No one has more stake in the controversy than Wynn and De Mercurio, who risk being convicted of criminal charges that among other things could jeopardize government clearances and future job prospects. Coalfire CEO Tom McAndrew said in a statement last month that Leonard “failed to exercise commonsense and good judgement and turned this engagement into a political battle between the State and the County.” McAndrew also noted that Coalfire conducted an engagement for Iowa’s SCA in 2015 without incident.

[...] The employees, McAndrew said, intentionally tripped the alarm and then proceeded to the third floor to test the response. Crouching on floors or otherwise trying to be covert is standard practice after alarms are tripped to further test authorities’ response and see what surveillance cameras can detect.

https://arstechnica.com/information-technology/2019/11/how-a-turf-war-and-a-botched-contract-landed-2-pentesters-in-iowa-jail/

Previously:
Coalfire Pen-Testers Charged With Trespass Instead of Burglary



Related Stories

Coalfire Pen-Testers Charged With Trespass Instead of Burglary

According to The Des Moines Register, the Coalfire penetration testers, Justin Wynn and Gary Demercurio, have had their charges reduced to Trespass (Iowa Code § 716.8(a)(1)) from the previous charges of third-degree burglary and Possession of Burglary Tools (Iowa Code § 713.7). This whole case may hinge on the penetration testers' mistake in their authorization (if not actual authorization) to enter under Iowa Code § 701.6 or, as the model jury instructions put it:

The defendant claims that at the time of the act in question, he was acting under a mistake of fact as to (element of crime to which mistake of fact is directed). When an act is committed because of mistake of fact, the mistake of fact must be because of a good faith reasonable belief by the defendant, acting as a reasonably careful person under similar circumstances.
The defendant must inquire or determine what is true when to do so would be reasonable under the circumstances.
The State has the burden of proving the defendant was not acting under mistake of fact as it applies to the question of (element).

To editorialize, it seems to this humble submitter that the county better take their ball and go home, as they have quite the hill to climb against defendants with almost unlimited money. But then again, both sides are acting out of righteous indignation at this point.

Previously: Authorised Pen-Testers Nabbed, Jailed in Iowa Courthouse Break-in Attempt
Iowa Officials Claim Confusion Over Scope Led to Arrest of Pen-Testers


  • (Score: 0) by Anonymous Coward on Thursday November 14 2019, @04:49AM (#920208)

    “the state government can’t provide protection and you can’t trust the state government to stand behind its own laws.”

    We've been saying much the same for almost forever.

  • (Score: 3, Interesting) by Anonymous Coward on Thursday November 14 2019, @11:17AM (#920288)

    My day job employer hired these guys a few years ago. The Coalfire guys stayed within the scope of the contract. Justin Wynn was one of the guys that showed up. At one point a vulnerability scanner they were using caused us a minor problem (the system was within the scope of the test). Wynn owned up to it and stopped immediately. I have very little doubt that there was any malicious criminal activity. If anything the county should file a civil case against the state if they were actually harmed. At least with a civil case they get something out of it. With a criminal case they get to use up their resources to try to punish two guys for doing their jobs. The police always get the right address, so why can't these guys /s? I think this is about someone in the county either trying to save face or feeling small. Even if convicted, I bet an appeals court or the state governor will undo it. The sad thing is, the county government is ruining its reputation in the process.

    • (Score: 1, Informative) by Anonymous Coward on Thursday November 14 2019, @11:20AM (#920289)

      Correction, I have little doubt that there was no criminal activity.

    • (Score: 1, Interesting) by Anonymous Coward on Thursday November 14 2019, @12:08PM (#920295)

      The reason the govt pulls stunts like this is b/c there are NO CONSEQUENCES for them.
      They are a bully who knows he will get away with picking on the small kid.
      Absent any consequences, expect crap like this to happen again and again.

    • (Score: 3, Informative) by theluggage (1797) on Thursday November 14 2019, @02:57PM (#920353)

      The Coalfire guys stayed within the scope of the contract.

      In this case, though, it is pretty clear that they didn't. The terms of engagement were very clearly limited to "social engineering" techniques between 6AM and 6PM - instead, they picked a lock at midnight. Wearing backpacks - on September the 11th! (not strictly a breach of the contract, but still fucking stupid and hardly a sign of good judgement unless you like getting shot).

      It's important to the professional security testing industry that they can be trusted to follow the terms of engagement, and they're working against their own interest by trying to defend a clear breach of contract. The way not to get a criminal charge for "legitimate" penetration testing is to stick like glue to the rules of engagement and not pretend you're on an episode of MacGyver.

      A certain amount of silly red herrings in TFA, too: Mountain Time vs. Central Time doesn't turn 12:30 AM into 6AM-6PM - and 12:30AM isn't "evening" by any stretch of the imagination. Whether or not they actually tried to tamper with the alarm might have been significant if they'd got in by tailgating the janitor at 6AM.

      • (Score: 0) by Anonymous Coward on Thursday November 14 2019, @04:23PM (#920389)

        And furthermore they contracted with the State. The building is owned and patrolled by the County. It's hardly a "turf war" - even if they had been doing their activities at 12 noon they didn't have a contract with the people responsible for security of the physical plant (County Sheriff in anyplace I've ever lived provides courthouse security). At barest minimum the State CIS should have briefed the Sheriff that such activities would be going on and cleared it with them that these activities are OK even during daylight hours. Sounds more like to me that the pentesters didn't really think about whose jurisdiction they were operating in.

      • (Score: 0) by Anonymous Coward on Thursday November 14 2019, @06:05PM (#920447)

        I meant they stayed in scope when they pen tested my company.
