Settlement comes more than 6 years after Gary DeMercurio and Justin Wynn's ordeal began:
Two security professionals who were arrested in 2019 after performing an authorized security assessment of a county courthouse in Iowa will receive $600,000 to settle a lawsuit they brought alleging wrongful arrest and defamation.
The case was brought by Gary DeMercurio and Justin Wynn, two penetration testers who at the time were employed by Colorado-based security firm Coalfire Labs. The men had written authorization from the Iowa Judicial Branch to conduct "red-team" exercises, meaning attempted security breaches that mimic techniques used by criminal hackers or burglars.
[...] Within minutes, deputies arrived and confronted the two intruders. DeMercurio and Wynn produced an authorization letter—known as a "get out of jail free card" in pen-testing circles. After a deputy called one or more of the state court officials listed in the letter and got confirmation it was legit, the deputies said they were satisfied the men were authorized to be in the building. DeMercurio and Wynn spent the next 10 or 20 minutes telling what their attorney in a court document called "war stories" to deputies who had asked about the type of work they do.
When Sheriff Leonard arrived, the tone suddenly changed. He said the Dallas County Courthouse was under his jurisdiction and he hadn't authorized any such intrusion. Leonard had the men arrested, and in the days and weeks to come, he made numerous remarks alleging the men violated the law. A couple months after the incident, he told me that surveillance video from that night showed "they were crouched down like turkeys peeking over the balcony" when deputies were responding. I published a much more detailed account of the event here. Eventually, all charges were dismissed.
Previously:
• Iowa Prosecutors Drop Charges Against Men Hired to Test Their Security
• Coalfire Pen-Testers Charged With Trespass Instead of Burglary
• Iowa Officials Claim Confusion Over Scope Led to Arrest of Pen-Testers
• Authorised Pen-Testers Nabbed, Jailed in Iowa Courthouse Break-in Attempt
Related Stories
Submitted via IRC for SoyCow3997
Two security contractors were arrested in Adel, Iowa on September 11 as they attempted to gain access to the Dallas County Courthouse. The two are employees of Coalfire—a "cybersecurity advisor" firm based in Westminster, Colorado that frequently does security assessments for federal agencies, state and local governments, and corporate clients. They claimed to be conducting a penetration test to determine how vulnerable county court records were and to measure law enforcement's response to a break-in.
Unfortunately, the Iowa state court officials who ordered the test never told county officials about it—and evidently no one anticipated that a physical break-in would be part of the test. For now, the penetration testers remain in jail. In a statement issued yesterday, state officials apologized to Dallas County, citing confusion over just what Coalfire was going to test:
"The scope is everything," Roseblatt explained. If the scope is only vaguely defined, "you could find yourself exposed to legal liability."
Coalfire's Justin Wynn and Gary Demercurio, who are still in jail [Update: They appear to have made bail on Thursday], have been charged with third-degree burglary and possession of burglary tools. Their bond has been set at $50,000, and they are scheduled to appear for a preliminary hearing on September 23—in the same courthouse they were caught breaking into.
The document showed that the state authorized Coalfire's team to "perform lock-picking activities to attempt to gain access to locked areas." But the document also stated the testers should "talk your way into areas" and allowed for "limited physical bypass."
The rules of engagement also dictated that the state authorities said they would not notify law enforcement of the penetration test.
[...] At 12:30am on the morning of September 11, penetration testers Justin Wynn and Gary Demercurio were caught with lock picks inside the Dallas County courthouse by Dallas County Sherriff's Department officers. They presented documents showing they had authorization from the state; the officers contacted state officials on the document, who verified that the test was authorized. But they arrested Wynn and Demurcurio anyway and charged them with burglary.
Wynn and Demurcurio are free on bail and have waived an initial hearing. They still face charges, despite state officials' apology to county officials.
Related: https://soylentnews.org/article.pl?sid=19/09/17/0641246
Coalfire's Comments:https://www.coalfire.com/News-and-Events/Press-Releases/Coalfire-Comments-on-Pen-Tests-for-Iowa-Judicial
According to The Des Moines Register, the Coalfire penetration testers, Justin Wynn and Gary Demercurio, have had their charges reduced to Trespass (Iowa Code § 716.8(a)(1)) from the previous charges of third-degree burglary and Possession of Burglary Tools (Iowa Code § 713.7). This whole case may hinge on the penetration testers mistake in their authorization (if not actual authorization) to enter under Iowa Code § 701.6 or, as the model jury instructions put it:
The defendant claims that at the time of the act in question, he was acting under a mistake of fact as to (element of crime to which mistake of fact is directed). When an act is committed because of mistake of fact, the mistake of fact must be because of a good faith reasonable belief by the defendant, acting as a reasonably careful person under similar circumstances.
The defendant must inquire or determine what is true when to do so would be reasonable under the circumstances.
The State has the burden of proving the defendant was not acting under mistake of fact as it applies to the question of (element).
To editorialize, it seems to this humble submitter that the county better take their ball and go home, as they have quite the hill to climb against defendants with almost unlimited money. But then again, both sides are acting out of righteous indignation at this point.
Previously: Authorised Pen-Testers Nabbed, Jailed in Iowa Courthouse Break-in Attempt
Iowa Officials Claim Confusion Over Scope Led to Arrest of Pen-Testers
On Sept. 11, 2019, two security experts at a company that had been hired by the state of Iowa to test the physical and network security of its judicial system were arrested while probing the security of an Iowa county courthouse, jailed in orange jumpsuits, charged with burglary, and held on $100,000 bail. On Thursday Jan. 30, prosecutors in Iowa announced they had dropped the criminal charges. The news came while KrebsOnSecurity was conducting a video interview with the two accused (featured below).
[...] Under the terms of their contract (PDF), DeMercurio and Wynn were permitted to impersonate staff and contractors, provide false pretenses to gain physical access to facilities, "tailgate" employees into buildings, and access restricted areas of those facilities. The contract said the men could not attempt to subvert alarm systems, force-open doors, or access areas that require protective equipment.
When the duo's early-morning Sept. 11 test of the security at the courthouse in Dallas County, Iowa set off an audible security alarm, they followed procedure and waited on-site for the police. DeMercurio and Wynn said when the county's sheriff deputies arrived on the scene just a few minutes later, they told the officers who they were and why they were there, and that they'd obtained entry to the premises via an unlocked door.
(Score: 2, Informative) by Anonymous Coward on Saturday January 31, @01:08AM (2 children)
Sounds like the sheriff is a little bitch, high on his own power.
(Score: 3, Touché) by Anonymous Coward on Saturday January 31, @01:44AM
Are you implying that there's another type?
(Score: 2) by owl on Saturday January 31, @07:24PM
Yes, and sadly, the 600k court judgement will be paid out by the taxpayers, instead of coming out of that Sherrif's salary like it should have.
(Score: -1, Troll) by Anonymous Coward on Saturday January 31, @02:11AM (9 children)
It was bullshit, no doubt. The reward, however, is way too much.
6k? each? that makes sense. 600k? Omfg.
They should have had a representative *on-site*, should have verified that all external alerting agencies had been notified, or that there were agreements in place that their responses may be checked without notice by the court; they should have verified that their employer had done these things, or they simply should have refused to do the job.
It's BS that it happened. It's NOT OK how the sheriff handled the situation. 600k, though? that's a BS award that doesn't help anyone. It's not worth 20-whole-hours in jail, boo-hoo. This *will not* hurt your job or prospects, it's a known risk of the job, it made news and headlines for them personally, etc etc.
guh. what a waste.
---
I bet the same people would have picked up a sensitive, sealed document off a court desk and walked out with it, to show what they'd achieved, rather than putting a colored sticky-note on various things, to identify what they'd been able to access during their test. The other side of this is: things go missing, as part of a test, and the organization is fined millions for their loss. Ugh.
(Score: -1, Troll) by Anonymous Coward on Saturday January 31, @04:01AM
... and if you don't agree with this comment, then you're probably the type of person who will find yourself in exactly the circumstance that these two people did.
Spoiler: it usually doesn't end so well.
(Score: 3, Touché) by khallow on Saturday January 31, @07:12AM (4 children)
It helps the plaintiffs who went through a lot more than just 20 hours in jail.
So you're saying these guys would have stolen sensitive documents so that their employer could be fined lots of money?
(Score: 5, Insightful) by owl on Saturday January 31, @07:27PM (3 children)
In legal circles, this size judgement is meant to be a deterrent judgement. It is meant to be large enough that the next Sheriff, in the next county over, begins to think twice before being an identical massive dick-wad.
(Score: 0) by Anonymous Coward on Sunday February 01, @03:31AM (2 children)
The fine was not paid by the sheriff right?
(Score: 2) by owl on Sunday February 01, @04:13AM (1 child)
Most likely not (although, honestly, all of it should have been paid by the sheriff), but what we were not told was whether the town that just paid out $600k fired their dick-wad of a sheriff that caused them to have to pay out $600k.
Most likely some of the "shit flows down hill" due to this payout spilled over onto the dick-wad of a sheriff.
(Score: 0) by Anonymous Coward on Sunday February 01, @03:57PM
Is it this guy? Is he really looking after his dad or being forced to retire early? I actually doubt it's a forced "early retirement".
https://www.desmoinesregister.com/story/news/2022/08/29/dallas-county-iowa-sheriff-chad-leonard-retires-early-term/7927264001/ [desmoinesregister.com]
Anyway the details in the original story: https://soylentnews.org/article.pl?sid=20/02/01/0229235 [soylentnews.org]
(Score: 4, Insightful) by GloomMower on Saturday January 31, @04:47PM (1 child)
What about the 6 years of dealing with this court case, and the bail money they had to put up?
Did this case prevent them or ruin their reputation and stop them from getting or working with other customers including the government?
(Score: 2) by PiMuNu on Sunday February 01, @12:22PM
> What about the 6 years of dealing with this court case
Exactly. For whatever local government, they just have to pay an extra person to shuffle some more papers.
For the defendants, they lose sleep, stay up late fretting over documents, meetings with lawyers... its not just loss of earnings, it can have a major personal impact.
(Score: 3, Insightful) by Whoever on Monday February 02, @01:37PM
What about the lifetime of reduced employment opportunities, now that they have an arrest record? That's probably worth far more than $600k.
(Score: 4, Informative) by Mojibake Tengu on Saturday January 31, @02:41AM
Real hacker never cooperates with law enforcement or other criminals.
Rust programming language offends both my Intelligence and my Spirit.