Submitted via IRC for SoyCow3997
Two security contractors were arrested in Adel, Iowa on September 11 as they attempted to gain access to the Dallas County Courthouse. The two are employees of Coalfire—a "cybersecurity advisor" firm based in Westminster, Colorado that frequently does security assessments for federal agencies, state and local governments, and corporate clients. They claimed to be conducting a penetration test to determine how vulnerable county court records were and to measure law enforcement's response to a break-in.
Unfortunately, the Iowa state court officials who ordered the test never told county officials about it—and evidently no one anticipated that a physical break-in would be part of the test. For now, the penetration testers remain in jail. In a statement issued yesterday, state officials apologized to Dallas County, citing confusion over just what Coalfire was going to test:
"The scope is everything," Roseblatt explained. If the scope is only vaguely defined, "you could find yourself exposed to legal liability."
Coalfire's Justin Wynn and Gary Demercurio, who are still in jail [Update: They appear to have made bail on Thursday], have been charged with third-degree burglary and possession of burglary tools. Their bond has been set at $50,000, and they are scheduled to appear for a preliminary hearing on September 23—in the same courthouse they were caught breaking into.
Related Stories
The document showed that the state authorized Coalfire's team to "perform lock-picking activities to attempt to gain access to locked areas." But the document also stated the testers should "talk your way into areas" and allowed for "limited physical bypass."
The rules of engagement also dictated that the state authorities said they would not notify law enforcement of the penetration test.
[...] At 12:30am on the morning of September 11, penetration testers Justin Wynn and Gary Demercurio were caught with lock picks inside the Dallas County courthouse by Dallas County Sherriff's Department officers. They presented documents showing they had authorization from the state; the officers contacted state officials on the document, who verified that the test was authorized. But they arrested Wynn and Demurcurio anyway and charged them with burglary.
Wynn and Demurcurio are free on bail and have waived an initial hearing. They still face charges, despite state officials' apology to county officials.
Related: https://soylentnews.org/article.pl?sid=19/09/17/0641246
Coalfire's Comments:https://www.coalfire.com/News-and-Events/Press-Releases/Coalfire-Comments-on-Pen-Tests-for-Iowa-Judicial
According to The Des Moines Register, the Coalfire penetration testers, Justin Wynn and Gary Demercurio, have had their charges reduced to Trespass (Iowa Code § 716.8(a)(1)) from the previous charges of third-degree burglary and Possession of Burglary Tools (Iowa Code § 713.7). This whole case may hinge on the penetration testers mistake in their authorization (if not actual authorization) to enter under Iowa Code § 701.6 or, as the model jury instructions put it:
The defendant claims that at the time of the act in question, he was acting under a mistake of fact as to (element of crime to which mistake of fact is directed). When an act is committed because of mistake of fact, the mistake of fact must be because of a good faith reasonable belief by the defendant, acting as a reasonably careful person under similar circumstances.
The defendant must inquire or determine what is true when to do so would be reasonable under the circumstances.
The State has the burden of proving the defendant was not acting under mistake of fact as it applies to the question of (element).
To editorialize, it seems to this humble submitter that the county better take their ball and go home, as they have quite the hill to climb against defendants with almost unlimited money. But then again, both sides are acting out of righteous indignation at this point.
Previously: Authorised Pen-Testers Nabbed, Jailed in Iowa Courthouse Break-in Attempt
Iowa Officials Claim Confusion Over Scope Led to Arrest of Pen-Testers
(Score: 4, Informative) by NotSanguine on Tuesday September 17 2019, @08:54PM (2 children)
I've done plenty of pentests and we'd *always* make sure that the steps to be taken were *explicitly* agreed upon by the client in the Statement of Work (SOW).
IIUC, the pen testers did not have *explicit* permission to break into the local courthouse.
Even worse, the agency that employed these guys didn't inform anyone in the county that pen testing would be done.
Everyone fucked up here. Although the good news is that this particular portion of the pen test showed the courthouse's security to be adequate, given that they were caught.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 3, Funny) by ikanreed on Tuesday September 17 2019, @09:18PM
It's okay, they're disrupting the obeying the law industry.
(Score: 0) by Anonymous Coward on Wednesday September 18 2019, @02:32AM
The Iowa Judicial Branch has repeatedly failed to disclose what the scope of work was to multiple FOIA requests and Coalfire isn't commenting at all. Coalfire isn't some small player either. My guess is that this really did get the permission to do so, or Coalfire drastically misunderstood the structure of Iowa's Court system.
It is also worth noting that there has been one other confirmed break in and their devices have been found on judicial property.
(Score: 0) by Anonymous Coward on Tuesday September 17 2019, @09:19PM (13 children)
I'll preface this by saying I Am Not A Lawyer.
I do have an amateur interest in law, though, and this is a really interesting hypo(thetical legal situation) for analysis. Several points in this situation I thought mentioning or discussing. It makes me regret that I'm not actually currently in a legal studies course, to which to bring this up with the teacher.
1) Based on the facts as presented, these people obviously do not have mens rea [wikipedia.org]. Therefore they should not be in violation of a criminal act. Of course, the law is an ass [phrases.org.uk], and morality and "should" do not equal legality. Well, maybe possession of burglary tools are a crime per se, not sure about those circumstances.
2) People who talk about "entrapment" are usually wrong, but this is close to a perfect example of it. If Iowa were to have ordered them to break in to the courthouse (which they didn't, but if they had), then it would be a case of ordering a person to break the law. Entrapment isn't "tricking" a person, it is literally putting them in a no-win situation.
3) I'm curious how the jurisdictions play out. Obviously the state (Iowa) courts would not prosecute, in so far as they are the jurisdiction which authorized the action. However, I wonder if the county is subordinate to the state or if it is more of a federalism type idea. In that case, even if everything was fully authorized correctly by the state, they may still have the ability to prosecute and do so. Could Iowa have even legally authorized this action if they wanted to? (For example, if the US Government tried to get the FBI to break into the Iowa governor's house, I think it would still be illegal under Iowa state law.)
4) Regardless of the outcome, these people have already had some punishment doled out upon them by being put in jail, and having records against them. I dislike the legal fiction that accusation, arrest, and detainment are not punishment. Of course if we eliminate that fiction it raises a really thorny issue of how to deal with accused people who haven't been convicted when they can still flee the country or do negative things.
5) I'm glad I'm not working in an industry which has this type of occupational risks. I'm guessing they are both questioning their professional decisions... although in fairness to them, that is a really clever way to do a penetration test which is typically ignored.
(Score: 0) by Anonymous Coward on Tuesday September 17 2019, @09:47PM
Any records should be expunged, and the employees should sue everyone they can get their hands on, except for the company if they want to stay on board.
(Score: 4, Insightful) by PartTimeZombie on Tuesday September 17 2019, @10:09PM (2 children)
I am currently "in possession of burglary tools" as I have a screwdriver in my drawer. That seems like one of those "we're going to add a bunch of charges" type laws to me.
I promise not to steal your TV however.
(Score: 1, Insightful) by Anonymous Coward on Tuesday September 17 2019, @11:15PM (1 child)
Your id card and credit card are "burglery tools". Once they ban cash and make it illegal to not have your papers on you, then you will always be suitable for arrest.
(Score: 0) by Anonymous Coward on Wednesday September 18 2019, @07:03AM
This is already the case in the Netherlands. Here everyone at the age of 14 and above has to be able to hand over their ID when law enforcement asks for it (there needs to be a good reason for it though). If you can't do this, you can get fined.
(Score: 2) by NotSanguine on Tuesday September 17 2019, @10:16PM (5 children)
IANAL either. However, i do know that some laws have "strict liability" [wikipedia.org] which does not require mens rea to be proven.
The laws in question:
Burglary in the Third Degree [iowa.gov] [PDF]
Possession of Burglar's Tools [iowa.gov] [PDF]
do not state whether strict liability is in play for these offenses. Which probably means it is not. Then again, IANAL. YMMV.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 4, Informative) by sjames on Tuesday September 17 2019, @11:24PM (4 children)
The possession of Burglar's tools explicitly states with the intent to use it in the perpetration of a burglary. They can't make it strict liability without outlawing hammers, screw drivers, tire irons, and other common tools.
Iowa defines Burglary as:>/p>
Since Burglary in the 3rd degree incorporates that definition by reference, it too hinges on the intent.
(Score: 3, Insightful) by mhajicek on Wednesday September 18 2019, @12:35AM (3 children)
So what they're really banning is intent to burglarize.
The spacelike surfaces of time foliations can have a cusp at the surface of discontinuity. - P. Hajicek
(Score: 2) by sjames on Wednesday September 18 2019, @12:49AM
Exactly..
(Score: 2) by DeathMonkey on Wednesday September 18 2019, @05:42PM (1 child)
Means (tools), motive (intent) and opportunity. [ipfs.io]
(Score: 2) by mhajicek on Wednesday September 18 2019, @09:24PM
And yet having the means, motive, and opportunity does not ensure that one will commit the crime.
The spacelike surfaces of time foliations can have a cusp at the surface of discontinuity. - P. Hajicek
(Score: 2) by All Your Lawn Are Belong To Us on Tuesday September 17 2019, @10:44PM
Interesting questions. IANAL also.
1) First of all, if the hiring agency (apparently the state) has the authority to test the local agency (the county's) security, there is no crime at all. Mens rea wouldn't enter into it. Although there might be a question as to what burglary tools they possessed and whether they were in fact authorized to be in possession of them. A licensed locksmith is expected to own a lockpick set. I'd imagine in some jurisdictions a private investigator might have cause. We used to have them when I worked in security in the truck. But under what color of authority were the pen testers authorized to possess them? (And yeah, free country and all. But possession of burglary tools without a compelling reason is often a crime. And yes, locksport would be a defense to have them in your home or in a car if you're traveling to a competition IMVVVHO). If they're in possession of contracts authorizing them to physically penetrate even then they can at least have a reason, if not then not. There might be some level of thinking that they were in fact authorized when they weren't but I don't think that quite gets to mens rea. I could be wrong. And I also wonder what kind of burglary tools they were.
2) Entrapment is the enticement to break the law when the defendant would not otherwise have done so. Holding themselves out to be penetration experts (even white hat) is not a defense, any more than a prescriber who deals opioids on the side gets off the hook because they're a prescriber - if anything it should make them know better. This either isn't a crime because they had sufficient authorization to do so or it is one.
3) I'm curious to know that myself. A little research says that Dallas County is within the statewide fifth district court jurisdiction. I could easily see someone at the state level hiring a firm to test security and then the security firm doing the physical work where the circuit court judges are - at the county courthouses. (But there may be other entities there as well like Federal or municipal courts who haven't authorized the work.)
4) Very true.
5) Physical penetrations are part of many testers' offered services. However, as noted by someone else who has done the work, it should have been very clearly defined in their scope of work that they would carry out physical penetrations and where those would be and a time range of when they would be. It should also have had a officials listed as a contact person who knew of the penetration dates and times, and also preferably someone with enforcement as well (aka State Police or the equivalent) that could be called by the sheriffs or bailiffs - whomever is responsible for law enforcement in the court building itself - to verify the bona fides. That way they might not have seen any jail time at all. This sounds more like a firm that wanted to play cops and robbers and got surprised when the real cops took them seriously.
This sig for rent.
(Score: 3, Insightful) by sjames on Tuesday September 17 2019, @11:01PM
Entrapment doesn't have to involve a no-win situation. Any inducement to get someone to commit an act they wouldn't otherwise have done is sufficient. Since these guys do it for a living, I don't imagine they'd do a free pen-test, so paying them to do it should count.
As for the fiction that accusation, arrest, and detainment are not punishmen, eliminating that would create a duty to make it as little punishing as possible. For example using an ankle bracelet rather than incarceration, and at least if found not guilty, paying all legal costs, lost wages, etc and prominently publishing an apology.
(Score: 1, Insightful) by Anonymous Coward on Wednesday September 18 2019, @04:38AM
1) They do have the requisite mens rea. The purposefully breached the building and had the tools. What is arguably missing is the "specific intent," which is actually considered an "attendant circumstance" and not a part of the mens rea.
2) Entrapment in Iowa is an "Affirmative Defense" and the Court has repeatedly ruled that it only applies to law enforcement and those properly deputized, not agents of the State in general. So, no luck there.
3) Only Executive and Legislative power has been delegated in Iowa to the Counties. Any judicial decisions in the State MUST be made by the Judicial Branch (even things like whether they can put down your dog, order you to cut your grass, or if you are speeding). Also, the Court personnel are all employed by the State directly. However, the physical court buildings (other than the Iowa Judicial Branch Building and a few others) are actually owned by the County. Dallas County's facilities, in particular, are in property owned by Dallas County that would have to be breached to reach the Court. With that in mind, the Iowa Judicial Branch cannot authorize a third party to breach a subdivision's property via contract directly. However, a contract like this may fall under their delegated power as a party authorized by the Judicial Branch for official business, but I'd really have to dive in to the actual scope of work and supporting law get there because the AG's office isn't talking either.
4) In Iowa, you can get the charges expunged after six months after dismissal, as long as the County Attorney does not object on disqualifying grounds. After that, you can get the filing sealed by filing that proper application.
5) Probably not. If this is literally what they were hired for and they knew the risks, then this might boost to their carriers, thanks to the notoriety. Especially given the other break ins where they weren't caught.
(Score: 2) by Entropy on Tuesday September 17 2019, @09:56PM
lol.