The document showed that the state authorized Coalfire's team to "perform lock-picking activities to attempt to gain access to locked areas." But the document also stated the testers should "talk your way into areas" and allowed for "limited physical bypass."
The rules of engagement also dictated that the state authorities said they would not notify law enforcement of the penetration test.
[...] At 12:30am on the morning of September 11, penetration testers Justin Wynn and Gary Demercurio were caught with lock picks inside the Dallas County courthouse by Dallas County Sheriff's Department officers. They presented documents showing they had authorization from the state; the officers contacted state officials on the document, who verified that the test was authorized. But they arrested Wynn and Demercurio anyway and charged them with burglary.
Wynn and Demercurio are free on bail and have waived an initial hearing. They still face charges, despite state officials' apology to county officials.
Related: https://soylentnews.org/article.pl?sid=19/09/17/0641246
Coalfire's Comments: https://www.coalfire.com/News-and-Events/Press-Releases/Coalfire-Comments-on-Pen-Tests-for-Iowa-Judicial
Related Stories
Submitted via IRC for SoyCow3997
Two security contractors were arrested in Adel, Iowa on September 11 as they attempted to gain access to the Dallas County Courthouse. The two are employees of Coalfire—a "cybersecurity advisor" firm based in Westminster, Colorado that frequently does security assessments for federal agencies, state and local governments, and corporate clients. They claimed to be conducting a penetration test to determine how vulnerable county court records were and to measure law enforcement's response to a break-in.
Unfortunately, the Iowa state court officials who ordered the test never told county officials about it—and evidently no one anticipated that a physical break-in would be part of the test. For now, the penetration testers remain in jail. In a statement issued yesterday, state officials apologized to Dallas County, citing confusion over just what Coalfire was going to test:
"The scope is everything," Roseblatt explained. If the scope is only vaguely defined, "you could find yourself exposed to legal liability."
Coalfire's Justin Wynn and Gary Demercurio, who are still in jail [Update: They appear to have made bail on Thursday], have been charged with third-degree burglary and possession of burglary tools. Their bond has been set at $50,000, and they are scheduled to appear for a preliminary hearing on September 23—in the same courthouse they were caught breaking into.
According to The Des Moines Register, the Coalfire penetration testers, Justin Wynn and Gary Demercurio, have had their charges reduced to Trespass (Iowa Code § 716.8(a)(1)) from the previous charges of third-degree burglary and Possession of Burglary Tools (Iowa Code § 713.7). This whole case may hinge on the penetration testers' mistake in their authorization (if not actual authorization) to enter under Iowa Code § 701.6 or, as the model jury instructions put it:
The defendant claims that at the time of the act in question, he was acting under a mistake of fact as to (element of crime to which mistake of fact is directed). When an act is committed because of mistake of fact, the mistake of fact must be because of a good faith reasonable belief by the defendant, acting as a reasonably careful person under similar circumstances.
The defendant must inquire or determine what is true when to do so would be reasonable under the circumstances.
The State has the burden of proving the defendant was not acting under mistake of fact as it applies to the question of (element).
To editorialize, it seems to this humble submitter that the county better take their ball and go home, as they have quite the hill to climb against defendants with almost unlimited money. But then again, both sides are acting out of righteous indignation at this point.
Previously: Authorised Pen-Testers Nabbed, Jailed in Iowa Courthouse Break-in Attempt
Iowa Officials Claim Confusion Over Scope Led to Arrest of Pen-Testers
(Score: 4, Insightful) by Anonymous Coward on Friday September 20 2019, @08:22AM (14 children)
The testers did everything right, and the state apparently did too. The problem, as usual, is with the local cops. Not sure why prosecutors haven't dropped all charges. They're clearly in the wrong and doubling down is just going to make the upcoming lawsuit worse.
(Score: 5, Funny) by Rosco P. Coltrane on Friday September 20 2019, @09:22AM (2 children)
Maybe the courthouse building was less than 18 years old. Even if you get explicit consent for the penetration, it's still a felony.
(Score: 2) by DannyB on Friday September 20 2019, @04:43PM (1 child)
Back in the 1980's, "pen tester" would have meant something completely different.
Young people won't believe you if you say you used to get Netflix by US Postal Mail.
(Score: 3, Insightful) by driverless on Friday September 20 2019, @07:25PM
Back then it was something dodgy, now it just means you work in quality control for Pen Island pens [penisland.net], makers of fine artisanal wood pens.
(Score: 3, Insightful) by Common Joe on Friday September 20 2019, @10:40AM (4 children)
Well, I wouldn't go that far. The state and the penetration testers should have had an explicit contract, but from what I'm reading in TFS, they both know they messed up. Ok. Mistakes happen. Annoying, but live and learn. These two sods get locked up for a couple of days while things get sorted out then they should be let out. Things like this happen.
There are two things I don't understand: 1) If the state can control who gets to break into the building for testing purposes, the state should be able to say "My bad, but they were from us. Let them go." 2) Even if the state remains mum on the whole deal, it's going to be pretty hard to convince a jury beyond a reasonable doubt that these guys were there maliciously and breaking laws for their own gain. The prosecutors and local cops have got to know this. Pursuing this means costing money. If I were a taxpayer in that county, I'd be pretty pissed that my money was being thrown away to feed these guys in jail when they obviously should be out and about paying for their own food. If this continues, then it looks like these two guys who don't deserve to be locked up will be caught in the middle of a political game between the county and state. And then we'll see another blatant example of our constitution with its reasonable punishments and trials chucked right out the window and stepped on in a mud puddle again.
(Score: 0) by Anonymous Coward on Friday September 20 2019, @01:45PM (1 child)
It doesn't cost the prosecutors any money.
(Score: 1) by nitehawk214 on Friday September 20 2019, @04:02PM
But if they are elected or appointed by an elected official, it could cost them their jobs.
"Don't you ever miss the days when you used to be nostalgic?" -Loiosh
(Score: 0) by Anonymous Coward on Saturday September 21 2019, @07:04AM
This is totally a power play. The sheriff of Dallas County said as much because the Judicial Branch didn't tell him in advance (despite the fact that sort of defeats the purpose of the test). Also, he is one of those right-winger types that doesn't like the State pushing its weight around "local" issues. Part of the problem is that he may be technically correct, because if they took one step out of the court's area of the building they did enter into County Property without County permission and the state permission isn't good enough for non-court areas.
(Score: 0) by Anonymous Coward on Saturday September 21 2019, @07:09AM
I should also point out that the power to prosecute crimes has been almost fully delegated to the Counties. There is little that Iowa can do to stop this. The only real option I see if Dallas County doesn't want to play is that the Attorney General's office can take over the prosecution using the Area Prosecutions Division process by claiming there is a conflict of interest in the prosecution, since the County itself is one of the alleged victims of the crime.
(Score: 2) by VLM on Friday September 20 2019, @11:16AM (1 child)
My guess would be, given these guys were security theater practitioners and those are hard to get along with, that we're looking at a failure of social skills more so than legal contracts.
Possibly, they pissed off the cops (tried to run, told the cops to F themselves, maybe other stuff?) in addition to attempted burglary.
Then it turns out to be he-said-she-said no-recording type of BS WRT resisting arrest or disturbing the peace or whatever, but they CAN go forward with the burglary charges because they have formal evidence, so the cops are doing the judge and jury thing and giving them a couple days in a cell for running or being disrespectful or whatever, until the judge laughs the burglary charge out of court.
(Score: 4, Informative) by sjames on Friday September 20 2019, @04:38PM
Actually, pen testers are the opposite of security theater. They're the ones that go in after the security theater is in place and reveal the man behind the curtain.
Depending on their organization, they might then make sensible suggestions for improvement, or someone else on their team may suggest crazy amounts of theater, but it won't likely be the pen testers themselves doing that part.
(Score: 0) by Anonymous Coward on Friday September 20 2019, @03:03PM
Can the state agency give consent for a county courthouse to get broken into? That would be like catching the janitor going through your purse, and the janitor says "It's ok, your boss told me I could."
(Score: 2) by hwertz on Friday September 20 2019, @04:41PM (2 children)
Dallas County really needs to argue with the state and not the people they hired who were doing their jobs.
BUT, in Dallas County's view, they are not in the wrong... the county sheriff pointed out that the county courthouse is not state property, the state did not pay for it, so the state can hire people to break into it, but they cannot give them PERMISSION to do so since it's not their property.
(Score: 0) by Anonymous Coward on Friday September 20 2019, @10:05PM (1 child)
Not wrong.
But look to who got embarrassed and who is over-reacting, the sheriff. This should be along the lines of 'misunderstanding we will however be suing someone, free to go'. To keep them in jail this long is just grandstanding. But why? Because guess whose job it is to keep that building secure and just got a double black eye? He is trying to deflect blame on his shitshow job of protecting that building.
(Score: 2) by Spamalope on Saturday September 21 2019, @01:02AM
The state got embarrassed. The sheriff actually caught the intruders so the security worked in this case.
I want to know if the sheriff had a beef with the state beforehand. i.e. is the incident at hand the whole situation or not
(Score: 1, Insightful) by Anonymous Coward on Friday September 20 2019, @10:59AM
They will make you suffer as an example, thus reestablishing who is on top.
(Score: 3, Interesting) by RamiK on Friday September 20 2019, @11:21AM (3 children)
What stops the state from sending personnel to destroy or modify court documents while carrying pen-testing credentials in case they get caught? This procedure needs rethinking... No?
compiling...
(Score: 0) by Anonymous Coward on Saturday September 21 2019, @08:07AM (2 children)
Iowa is 100% electronic filing now. If they wanted to change court documents, a simple SQL statement would work much better, if not the high-level credentials the clerks and administrators have. Besides, the courts are state run anyway. All court personnel are state employees, only the security and maintenance people work for the County because the law says they have to provide a place for the courts and the security for them.
(Score: 0) by Anonymous Coward on Saturday September 21 2019, @11:30AM (1 child)
the chain of custody for hard evidence disappearing is reasonable doubt.
(Score: 0) by Anonymous Coward on Saturday September 21 2019, @07:31PM
Which is why evidence is kept at the sheriff's office or DCI and not the courts. Good luck breaking into either of those without some insider.
(Score: -1, Offtopic) by Anonymous Coward on Friday September 20 2019, @02:40PM
I found something unusual in a Windows program's .ini file... My personal email address and logon credentials. The thing that confused me is that the (well known) program was registered with my other email address. I went to Windows forums and asked why, and immediately got banned from them. I asked the same question on the program's help forum and it got deleted.
Don't trust Windows. Ever.
(Score: 2) by DannyB on Friday September 20 2019, @04:46PM (1 child)
Just imagine for a second.
Suppose that all pen testers were to turn down this courthouse, or anything connected with the local jurisdiction -- forever.
No more pen testing or security assessments for you.
But I can daydream.
Young people won't believe you if you say you used to get Netflix by US Postal Mail.
(Score: 0) by Anonymous Coward on Saturday September 21 2019, @12:10AM
No, what will happen is some other political critter will overreact and pass another law so they have to put up with it. Then someone else will find a way to abuse *that* law. *sigh*
(Score: 0) by Anonymous Coward on Saturday September 21 2019, @10:57PM
Looks like both people got one of the top criminal defense firms in the state, Gourley, Rehkemper & Lindholm. Not exactly cheap either, but I'm willing to bet they are giving some sort of discount for getting mentioned in the news in upcoming updates. They also haven't waived speedy yet but did waive the preliminary hearing, which means there should be the presentment of the trial information within 45 days from their arrest (since they won't do so at the preliminary hearing) or they get dismissed by the court automatically. Usually, defendants like this will waive speedy but do so at the arraignment, which is supposed to happen after the presentment (usually happens between an hour and a week later).