Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Tuesday September 17 2019, @08:41PM   Printer-friendly
from the check-the-scope dept.

Submitted via IRC for SoyCow3997

Two security contractors were arrested in Adel, Iowa on September 11 as they attempted to gain access to the Dallas County Courthouse. The two are employees of Coalfire—a "cybersecurity advisor" firm based in Westminster, Colorado that frequently does security assessments for federal agencies, state and local governments, and corporate clients. They claimed to be conducting a penetration test to determine how vulnerable county court records were and to measure law enforcement's response to a break-in.

Unfortunately, the Iowa state court officials who ordered the test never told county officials about it—and evidently no one anticipated that a physical break-in would be part of the test. For now, the penetration testers remain in jail. In a statement issued yesterday, state officials apologized to Dallas County, citing confusion over just what Coalfire was going to test:

"The scope is everything," Roseblatt explained.  If the scope is only vaguely defined, "you could find yourself exposed to legal liability."

Coalfire's Justin Wynn and Gary Demercurio, who are still in jail [Update: They appear to have made bail on Thursday], have been charged with third-degree burglary and possession of burglary tools. Their bond has been set at $50,000, and they are scheduled to appear for a preliminary hearing on September 23—in the same courthouse they were caught breaking into.

Source: https://arstechnica.com/information-technology/2019/09/check-the-scope-pen-testers-nabbed-jailed-in-iowa-courthouse-break-in-attempt/


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Tuesday September 17 2019, @09:19PM (13 children)

    by Anonymous Coward on Tuesday September 17 2019, @09:19PM (#895362)

    I'll preface this by saying I Am Not A Lawyer.

    I do have an amateur interest in law, though, and this is a really interesting hypo(thetical legal situation) for analysis. Several points in this situation I thought mentioning or discussing. It makes me regret that I'm not actually currently in a legal studies course, to which to bring this up with the teacher.

    1) Based on the facts as presented, these people obviously do not have mens rea [wikipedia.org]. Therefore they should not be in violation of a criminal act. Of course, the law is an ass [phrases.org.uk], and morality and "should" do not equal legality. Well, maybe possession of burglary tools are a crime per se, not sure about those circumstances.

    2) People who talk about "entrapment" are usually wrong, but this is close to a perfect example of it. If Iowa were to have ordered them to break in to the courthouse (which they didn't, but if they had), then it would be a case of ordering a person to break the law. Entrapment isn't "tricking" a person, it is literally putting them in a no-win situation.

    3) I'm curious how the jurisdictions play out. Obviously the state (Iowa) courts would not prosecute, in so far as they are the jurisdiction which authorized the action. However, I wonder if the county is subordinate to the state or if it is more of a federalism type idea. In that case, even if everything was fully authorized correctly by the state, they may still have the ability to prosecute and do so. Could Iowa have even legally authorized this action if they wanted to? (For example, if the US Government tried to get the FBI to break into the Iowa governor's house, I think it would still be illegal under Iowa state law.)

    4) Regardless of the outcome, these people have already had some punishment doled out upon them by being put in jail, and having records against them. I dislike the legal fiction that accusation, arrest, and detainment are not punishment. Of course if we eliminate that fiction it raises a really thorny issue of how to deal with accused people who haven't been convicted when they can still flee the country or do negative things.

    5) I'm glad I'm not working in an industry which has this type of occupational risks. I'm guessing they are both questioning their professional decisions... although in fairness to them, that is a really clever way to do a penetration test which is typically ignored.

  • (Score: 0) by Anonymous Coward on Tuesday September 17 2019, @09:47PM

    by Anonymous Coward on Tuesday September 17 2019, @09:47PM (#895372)

    Any records should be expunged, and the employees should sue everyone they can get their hands on, except for the company if they want to stay on board.

  • (Score: 4, Insightful) by PartTimeZombie on Tuesday September 17 2019, @10:09PM (2 children)

    by PartTimeZombie (4827) on Tuesday September 17 2019, @10:09PM (#895377)

    I am currently "in possession of burglary tools" as I have a screwdriver in my drawer. That seems like one of those "we're going to add a bunch of charges" type laws to me.

    I promise not to steal your TV however.

    • (Score: 1, Insightful) by Anonymous Coward on Tuesday September 17 2019, @11:15PM (1 child)

      by Anonymous Coward on Tuesday September 17 2019, @11:15PM (#895402)

      Your id card and credit card are "burglery tools". Once they ban cash and make it illegal to not have your papers on you, then you will always be suitable for arrest.

      • (Score: 0) by Anonymous Coward on Wednesday September 18 2019, @07:03AM

        by Anonymous Coward on Wednesday September 18 2019, @07:03AM (#895523)

        and make it illegal to not have your papers on you

        This is already the case in the Netherlands. Here everyone at the age of 14 and above has to be able to hand over their ID when law enforcement asks for it (there needs to be a good reason for it though). If you can't do this, you can get fined.

  • (Score: 2) by NotSanguine on Tuesday September 17 2019, @10:16PM (5 children)

    by NotSanguine (285) <NotSanguineNO@SPAMSoylentNews.Org> on Tuesday September 17 2019, @10:16PM (#895378) Homepage Journal

    1) Based on the facts as presented, these people obviously do not have mens rea [wikipedia.org]. Therefore they should not be in violation of a criminal act. Of course, the law is an ass [phrases.org.uk], and morality and "should" do not equal legality. Well, maybe possession of burglary tools are a crime per se, not sure about those circumstances.

    IANAL either. However, i do know that some laws have "strict liability" [wikipedia.org] which does not require mens rea to be proven.

    The laws in question:
    Burglary in the Third Degree [iowa.gov] [PDF]
    Possession of Burglar's Tools [iowa.gov] [PDF]

    do not state whether strict liability is in play for these offenses. Which probably means it is not. Then again, IANAL. YMMV.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
    • (Score: 4, Informative) by sjames on Tuesday September 17 2019, @11:24PM (4 children)

      by sjames (2882) on Tuesday September 17 2019, @11:24PM (#895404) Journal

      The possession of Burglar's tools explicitly states with the intent to use it in the perpetration of a burglary. They can't make it strict liability without outlawing hammers, screw drivers, tire irons, and other common tools.

      Iowa defines Burglary as:>/p>

      Any person, having the intent to commit a felony, assault or theft therein, who, having no right, license or privilege to do so, enters an occupied structure, such occupied structure not being open to the public, or who remains therein after it is closed to the public or after the person’s right, license or privilege to be there has expired, or any person having such intent who breaks an occupied structure, commits burglary.

      Since Burglary in the 3rd degree incorporates that definition by reference, it too hinges on the intent.

      • (Score: 3, Insightful) by mhajicek on Wednesday September 18 2019, @12:35AM (3 children)

        by mhajicek (51) on Wednesday September 18 2019, @12:35AM (#895438)

        So what they're really banning is intent to burglarize.

        --
        The spacelike surfaces of time foliations can have a cusp at the surface of discontinuity. - P. Hajicek
        • (Score: 2) by sjames on Wednesday September 18 2019, @12:49AM

          by sjames (2882) on Wednesday September 18 2019, @12:49AM (#895446) Journal

          Exactly..

        • (Score: 2) by DeathMonkey on Wednesday September 18 2019, @05:42PM (1 child)

          by DeathMonkey (1380) on Wednesday September 18 2019, @05:42PM (#895749) Journal

          Means (tools), motive (intent) and opportunity. [ipfs.io]

          In U.S. criminal law, means, motive, and opportunity is a common summation of the three aspects of a crime that must be established before guilt can be determined in a criminal proceeding. Respectively, they refer to: the ability of the defendant to commit the crime (means), the reason the defendant committed the crime (motive), and whether the defendant had the chance to commit the crime (opportunity).

          • (Score: 2) by mhajicek on Wednesday September 18 2019, @09:24PM

            by mhajicek (51) on Wednesday September 18 2019, @09:24PM (#895848)

            And yet having the means, motive, and opportunity does not ensure that one will commit the crime.

            --
            The spacelike surfaces of time foliations can have a cusp at the surface of discontinuity. - P. Hajicek
  • (Score: 2) by All Your Lawn Are Belong To Us on Tuesday September 17 2019, @10:44PM

    by All Your Lawn Are Belong To Us (6553) on Tuesday September 17 2019, @10:44PM (#895387) Journal

    Interesting questions. IANAL also.

    1) First of all, if the hiring agency (apparently the state) has the authority to test the local agency (the county's) security, there is no crime at all. Mens rea wouldn't enter into it. Although there might be a question as to what burglary tools they possessed and whether they were in fact authorized to be in possession of them. A licensed locksmith is expected to own a lockpick set. I'd imagine in some jurisdictions a private investigator might have cause. We used to have them when I worked in security in the truck. But under what color of authority were the pen testers authorized to possess them? (And yeah, free country and all. But possession of burglary tools without a compelling reason is often a crime. And yes, locksport would be a defense to have them in your home or in a car if you're traveling to a competition IMVVVHO). If they're in possession of contracts authorizing them to physically penetrate even then they can at least have a reason, if not then not. There might be some level of thinking that they were in fact authorized when they weren't but I don't think that quite gets to mens rea. I could be wrong. And I also wonder what kind of burglary tools they were.

    2) Entrapment is the enticement to break the law when the defendant would not otherwise have done so. Holding themselves out to be penetration experts (even white hat) is not a defense, any more than a prescriber who deals opioids on the side gets off the hook because they're a prescriber - if anything it should make them know better. This either isn't a crime because they had sufficient authorization to do so or it is one.

    3) I'm curious to know that myself. A little research says that Dallas County is within the statewide fifth district court jurisdiction. I could easily see someone at the state level hiring a firm to test security and then the security firm doing the physical work where the circuit court judges are - at the county courthouses. (But there may be other entities there as well like Federal or municipal courts who haven't authorized the work.)

    4) Very true.

    5) Physical penetrations are part of many testers' offered services. However, as noted by someone else who has done the work, it should have been very clearly defined in their scope of work that they would carry out physical penetrations and where those would be and a time range of when they would be. It should also have had a officials listed as a contact person who knew of the penetration dates and times, and also preferably someone with enforcement as well (aka State Police or the equivalent) that could be called by the sheriffs or bailiffs - whomever is responsible for law enforcement in the court building itself - to verify the bona fides. That way they might not have seen any jail time at all. This sounds more like a firm that wanted to play cops and robbers and got surprised when the real cops took them seriously.

    --
    This sig for rent.
  • (Score: 3, Insightful) by sjames on Tuesday September 17 2019, @11:01PM

    by sjames (2882) on Tuesday September 17 2019, @11:01PM (#895393) Journal

    Entrapment doesn't have to involve a no-win situation. Any inducement to get someone to commit an act they wouldn't otherwise have done is sufficient. Since these guys do it for a living, I don't imagine they'd do a free pen-test, so paying them to do it should count.

    As for the fiction that accusation, arrest, and detainment are not punishmen, eliminating that would create a duty to make it as little punishing as possible. For example using an ankle bracelet rather than incarceration, and at least if found not guilty, paying all legal costs, lost wages, etc and prominently publishing an apology.

  • (Score: 1, Insightful) by Anonymous Coward on Wednesday September 18 2019, @04:38AM

    by Anonymous Coward on Wednesday September 18 2019, @04:38AM (#895494)

    1) They do have the requisite mens rea. The purposefully breached the building and had the tools. What is arguably missing is the "specific intent," which is actually considered an "attendant circumstance" and not a part of the mens rea.

    2) Entrapment in Iowa is an "Affirmative Defense" and the Court has repeatedly ruled that it only applies to law enforcement and those properly deputized, not agents of the State in general. So, no luck there.

    3) Only Executive and Legislative power has been delegated in Iowa to the Counties. Any judicial decisions in the State MUST be made by the Judicial Branch (even things like whether they can put down your dog, order you to cut your grass, or if you are speeding). Also, the Court personnel are all employed by the State directly. However, the physical court buildings (other than the Iowa Judicial Branch Building and a few others) are actually owned by the County. Dallas County's facilities, in particular, are in property owned by Dallas County that would have to be breached to reach the Court. With that in mind, the Iowa Judicial Branch cannot authorize a third party to breach a subdivision's property via contract directly. However, a contract like this may fall under their delegated power as a party authorized by the Judicial Branch for official business, but I'd really have to dive in to the actual scope of work and supporting law get there because the AG's office isn't talking either.

    4) In Iowa, you can get the charges expunged after six months after dismissal, as long as the County Attorney does not object on disqualifying grounds. After that, you can get the filing sealed by filing that proper application.

    5) Probably not. If this is literally what they were hired for and they knew the risks, then this might boost to their carriers, thanks to the notoriety. Especially given the other break ins where they weren't caught.