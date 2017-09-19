from the check-the-scope dept.
Submitted via IRC for SoyCow3997
Two security contractors were arrested in Adel, Iowa on September 11 as they attempted to gain access to the Dallas County Courthouse. The two are employees of Coalfire—a "cybersecurity advisor" firm based in Westminster, Colorado that frequently does security assessments for federal agencies, state and local governments, and corporate clients. They claimed to be conducting a penetration test to determine how vulnerable county court records were and to measure law enforcement's response to a break-in.
Unfortunately, the Iowa state court officials who ordered the test never told county officials about it—and evidently no one anticipated that a physical break-in would be part of the test. For now, the penetration testers remain in jail. In a statement issued yesterday, state officials apologized to Dallas County, citing confusion over just what Coalfire was going to test:
"The scope is everything," Roseblatt explained. If the scope is only vaguely defined, "you could find yourself exposed to legal liability."
Coalfire's Justin Wynn and Gary Demercurio, who are still in jail [Update: They appear to have made bail on Thursday], have been charged with third-degree burglary and possession of burglary tools. Their bond has been set at $50,000, and they are scheduled to appear for a preliminary hearing on September 23—in the same courthouse they were caught breaking into.
Source: https://arstechnica.com/information-technology/2019/09/check-the-scope-pen-testers-nabbed-jailed-in-iowa-courthouse-break-in-attempt/
(Score: 3, Informative) by NotSanguine on Tuesday September 17, @08:54PM (1 child)
I've done plenty of pentests and we'd *always* make sure that the steps to be taken were *explicitly* agreed upon by the client in the Statement of Work (SOW).
IIUC, the pen testers did not have *explicit* permission to break into the local courthouse.
Even worse, the agency that employed these guys didn't inform anyone in the county that pen testing would be done.
Everyone fucked up here. Although the good news is that this particular portion of the pen test showed the courthouse's security to be adequate, given that they were caught.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by ikanreed on Tuesday September 17, @09:18PM
It's okay, they're disrupting the obeying the law industry.
(Score: 0) by Anonymous Coward on Tuesday September 17, @09:19PM (1 child)
I'll preface this by saying I Am Not A Lawyer.
I do have an amateur interest in law, though, and this is a really interesting hypo(thetical legal situation) for analysis. Several points in this situation I thought mentioning or discussing. It makes me regret that I'm not actually currently in a legal studies course, to which to bring this up with the teacher.
1) Based on the facts as presented, these people obviously do not have mens rea [wikipedia.org]. Therefore they should not be in violation of a criminal act. Of course, the law is an ass [phrases.org.uk], and morality and "should" do not equal legality. Well, maybe possession of burglary tools are a crime per se, not sure about those circumstances.
2) People who talk about "entrapment" are usually wrong, but this is close to a perfect example of it. If Iowa were to have ordered them to break in to the courthouse (which they didn't, but if they had), then it would be a case of ordering a person to break the law. Entrapment isn't "tricking" a person, it is literally putting them in a no-win situation.
3) I'm curious how the jurisdictions play out. Obviously the state (Iowa) courts would not prosecute, in so far as they are the jurisdiction which authorized the action. However, I wonder if the county is subordinate to the state or if it is more of a federalism type idea. In that case, even if everything was fully authorized correctly by the state, they may still have the ability to prosecute and do so. Could Iowa have even legally authorized this action if they wanted to? (For example, if the US Government tried to get the FBI to break into the Iowa governor's house, I think it would still be illegal under Iowa state law.)
4) Regardless of the outcome, these people have already had some punishment doled out upon them by being put in jail, and having records against them. I dislike the legal fiction that accusation, arrest, and detainment are not punishment. Of course if we eliminate that fiction it raises a really thorny issue of how to deal with accused people who haven't been convicted when they can still flee the country or do negative things.
5) I'm glad I'm not working in an industry which has this type of occupational risks. I'm guessing they are both questioning their professional decisions... although in fairness to them, that is a really clever way to do a penetration test which is typically ignored.
(Score: 0) by Anonymous Coward on Tuesday September 17, @09:47PM
Any records should be expunged, and the employees should sue everyone they can get their hands on, except for the company if they want to stay on board.
(Score: 2) by Entropy on Tuesday September 17, @09:56PM
lol.