
SoylentNews is people

posted by martyb on Saturday February 01 2020, @01:03PM
from the maybe-they-should-have-tried-pencil-testing,-instead? dept.

On Sept. 11, 2019, two security experts at a company that had been hired by the state of Iowa to test the physical and network security of its judicial system were arrested while probing the security of an Iowa county courthouse, jailed in orange jumpsuits, charged with burglary, and held on $100,000 bail. On Thursday Jan. 30, prosecutors in Iowa announced they had dropped the criminal charges. The news came while KrebsOnSecurity was conducting a video interview with the two accused (featured below).

[...] Under the terms of their contract (PDF), DeMercurio and Wynn were permitted to impersonate staff and contractors, provide false pretenses to gain physical access to facilities, "tailgate" employees into buildings, and access restricted areas of those facilities. The contract said the men could not attempt to subvert alarm systems, force-open doors, or access areas that require protective equipment.

When the duo's early-morning Sept. 11 test of the security at the courthouse in Dallas County, Iowa set off an audible security alarm, they followed procedure and waited on-site for the police. DeMercurio and Wynn said when the county's sheriff deputies arrived on the scene just a few minutes later, they told the officers who they were and why they were there, and that they'd obtained entry to the premises via an unlocked door.

"They said they found a courthouse door unlocked, so they closed it from the outside and let it lock," Dan Goodin of Ars Technica wrote of the ordeal in November. "Then they slipped a plastic cutting board through a crack in the door and manipulated its locking mechanism. (Pentesters frequently use makeshift or self-created tools in their craft to flip latches, trigger motion-detected mechanisms, and test other security systems.) The deputies seemed impressed."

To assuage concerns they might be burglars, DeMercurio and Wynn produced an authorization letter detailing the job they'd been hired to do and listing the names and mobile phone numbers of Iowa state employees who could verify their story.

After contacting some of the court officials listed in the letter, the deputies seemed satisfied that the men weren't thieves. That is, until Dallas County Sheriff Chad Leonard showed up.

"The pentesters had already said they used a tool to open the front door," Goodin recounted. "Leonard took that to mean the men had violated the restriction against forcing doors open. Leonard also said the men attempted to turn off the alarm—something Coalfire officials vehemently deny. In Leonard's mind that was a second violation. Another reason for doubt: one of the people listed as a contact on the get-out-of-jail-free letter didn't answer the deputies' calls, while another said he didn't believe the men had permission to conduct physical intrusions."

DeMercurio and Wynn were arrested, jailed, and held for nearly 24 hours before being released on a $100,000 bail. Initially they were charged with felony third-degree burglary and possessing burglary tools, although those charges were later downgraded to misdemeanor trespass.

-- submitted from IRC


  • (Score: 3, Insightful) by bzipitidoo on Sunday February 02 2020, @01:41PM

    The problem wasn't doubt about the purposes of the intruders. The cops got that all sorted out, contacting officials to verify that the intruders weren't making up a story.

    Things got weird when the sheriff decided to play lawyer and come up with his own dubious interpretations of clauses in the contract. Not his business to do that. There was no doubt that they were employees of a security business that had been contracted to test government security. Clearly, they had not put anyone in harm's way. Nor had they damaged any property. There was no reason to throw the men in jail. Any problems with misunderstandings of the methods and scope of their activities should have been left to higher authorities. What the heck was the sheriff thinking, that this was a chance to indulge in a little personal vendetta against nerds?

    It got weirder when politicians jumped in with accusations of endangering public safety. What were they thinking? Likely that this was an opportunity to score some points with those constituents who are scared stupid of criminals, and evil hackers. Real scummy and stupid thing to try, fanning irrational fears. Politicians do that all the time, the fools.

    I know all too well how easily hysteria against hackers can be ginned up. One time a fellow who'd had his account hacked and his files deleted decided that I not only could have done it, but that I did do it, when he came up accusing me of it, and decided that my protestations of not even knowing of the system he was talking about, let alone that he had an account there, were playing dumb and were therefore further evidence of my guilt. I denied having any interest whatsoever in his files. I had no motive, I am not a vandal, nor a "data kidnapper" (datanapper?) holding files for ransom. The dude actually assaulted me. Put me in a headlock. Took a few minutes for the half dozen others present to talk him down and get him to let go. I suppose I could have pressed charges against him, but I was not hurt. He already had a lousy reputation anyway, and further damaged it with that act. His general behavior was such that he might have been autistic. He certainly was severely unsocial.

    Smart people are one of the major groups that suffer discrimination, as every nerd who survives high school learns. It's pretty unfair to be suspected and even accused every time anything happens with their rickety, aged computer systems with pathetic security, just because you might be able to do it, and they know that. The focus is all on racial and sexual discrimination, and maybe smart people don't need as much help because they are smart enough to help themselves and avoid pointless trouble for the most part. Yet I should like to see those state senators face an inquiry about having possibly committed a hate crime. Why, if the senators said the same thing about "endangering public safety" and "committing crimes" because those security testers had, say, entered a courthouse while black, social justice warriors would be all over them.
