In most states, no, it is not a crime unless intent to burglarize can also be demonstrated. Simply having them or using them where you have permission is fine.
I don't understand all the secrecy in doing these types of pen-testing. Why wouldn't you just tell the cops what you intend to do and make sure everyone involved has a clear understanding of what is going to be done and what not. Personally, there is NO WAY I would have tried to break into a court for a pen-test without the cops and a representative from the state right there while I'm doing it.
Sorry everyone, but as you can see, now these employees risk criminal records and prison over something stupid. And if you think some over zealous prosecutor isn't going to see this to the end, you have another thing coming.
And the worst part about it, I highly doubt the company does ANYTHING to help these dudes. I feel so bad for them.
> I don't understand all the secrecy in doing these types of pen-testing. Why wouldn't you just tell the cops what you intend to do and make sure everyone involved has a clear understanding of what is going to be done and what not.
It's not really an accurate measure of response time if the responding parties are told ahead of time. That said, I would imagine the benefit of an accurate measurement vs. the cost of a heads-up is vastly different when you're dealing with first responders as opposed to a vendor.
I'm curious, couldn't they have warned the police or alarm security company ahead of time so they don't get accidentally shot by confused responding police? Or were they so confident/cocky that they assumed this wasn't a possible outcome? At a minimum you could warn the top managers the night in question.
Especially at a serious government building, which typically always has law enforcement there as security during the day, that's important. As opposed to some mid-level corporation office which they'd normally hit up.
Some precautions in the situation just sound prudent.
So from the sounds of it the courts hired coalfire to do pen testing but neglected to mention it should be electronic only so they attempted physical access?
So now, next question. Have they done anything in there? They've caught the intruders, good on them. But as a security guy myself I am asking: did they check ALL electronics for tampering as well as do a basic bug sweep?
I am not saying it was, in fact I don't think the courthouse that lets them rot in jail now gives a damn, but a thorough test could also test whether after catching intruders the court bothers to check their equipment. Something added/manipulated is sometimes worse than something stolen.
"The State Court Administration hired Coalfire Labs to test the security of the court’s electronic records, said Steven Davis, a spokesman for the state judicial branch."
Mr Demercurio's LinkedIn page appears to state that he is employed by that organisation.
I understand that hubris is followed by nemesis...
I can just imagine the scene:
cops: you are under arrest for breaking and entering.
pentester: we were just checking your security. you passed! congratulations!
What sort of pentesters were those who didn't specify and get a signed-off code of conduct before they did a physical pentest? Having a paper to wave in front of the arresting cops is more important than the promise of money. Jesus. Amateurs.
What's more likely, a big pentesting company messed up this one engagement, or the state is incompetent and doesn't understand pentesting? I'm leaning towards the latter.
It's extremely important to include a clear statement of work in any pentesting contract exactly for this reason. The contents of the contract will become very important in this case, and depending on whether or not the SOW included physical intrusion into the buildings, one side or the other will end up with egg on their face.
Without the contract and/or other agreements it isn't clear who's at fault here. The pentesting firm involved may very well have been an incompetent one that exceeded their SOW or did not even produce one to be agreed on--and I tend to suspect that this is the case, because physical intrusion testing will almost always include measures to prevent the police being called or make them aware of the test, due to both the expense of an intentional false alarm call and the risk involved in triggering a law enforcement response.
This is such an absurd case on so many levels. This miscommunication should have never happened, obviously.
Even if they turn out to be the criminally incompetent party in this relationship, I feel kind of bad for the contractors. They're facing felony charges for making what was clearly a mistake. I can't imagine they're consistently this incompetent - surely one of their previous clients would have noticed if they were physically broken into and didn't anticipate it. So either they've never done this before, or they messed up their contract.
I've seen plenty of similarly boneheaded, incompetent things in Big Tech (losing massive amounts of data, getting systematically defrauded in pretty stupid ways, etc) that resulted in getting fired at worst and a reprimand at best, so I feel kind of bad that these guys face felonies for being bad at their job.
Amazed they are charged. Any good lawyer should be able to get them off on mistake of fact, or simply lacking the elements of the crime.
Well, as long as there was an agreement to do pen testing, the criminal portion should be pretty much dropped.
Caveat emptor
The company in question is Coalfire. This company assesses who can become FedRAMP compliant. They also have their pentesting team in-house, and they are fucking sharp. They know their contracts, rules of engagement, and exactly what they are and aren't allowed to do.
These folks do this stuff for their livelihood. They test contractor, state, and fed systems at all scopes and levels.
And if 2 broke in (yes, you work in teams ABSOLUTELY onprem), they had the contract explicitly allowing physical penetration ON THEIR BODY. That contract is the difference between felony trespass and 100% legal.
I would LOVE to be a fly on the wall and watching the conversation between State IT and the public safety community there, and especially with the AG, who will have to release them.
That's right. If I had to bet who was incompetent, Coalfire or the state agency, my bet is on the latter. The state agency probably didn't understand/read the full contract, or maybe some internal miscommunication through hierarchy led to confusion about what was or wasn't allowed in the pentest. I'll be waiting for Coalfire's press release, which will probably confirm the contract did allow a physical pentest...
Ya, I've spoken with Coalfire employees in the past and have respect for them. I'm very curious to follow up on the outcome of this case, and I feel for the employees sitting in jail right now. Hope it ends well for them.
From my background with FedRAMP, a firm's involvement in FedRAMP assessments does not improve my confidence in them. :)
That said, yes, Coalfire is large enough and old enough that I would be very surprised if they made such a mistake - but I still think it's quite possible. Consider that such an established firm would also be absolutely expected to coordinate this kind of testing with the PD beforehand - a blind test of a PD's response on a contract with another agency of the state government is something I have never heard of before and raises huge concerns for personal safety and taxpayer expense. I would consider Coalfire to also be extremely irresponsible for knowingly entering such a situation.
That was my thought. I suspect some jobsworth promoted above their natural pay grade threw their teddies out of the pram when their poor security got penetrated.
This kind of smells like a classified intelligence op
Shame on the prosecutors. Burglary requires intent. By all appearances, these guys thought they had permission.
They HAD intent - they intended to break into the building, brought the tools, etc. If the contract does not stipulate that they are allowed to break in then they're basically screwed.
"I didn't mean to break in" holds no ground in court if they actually were breaking in.
You don't understand the level of local corruption in Iowa. To be effective the State couldn't tip off County security.
Love to hear about the level of corruption in Iowa. Grew up there and left...
https://www.coalfire.com/Solutions/Coalfire-Labs/Red-Team-Ex... does list physical testing, but who knows what the agreement was.
The case numbers are 05251 FECR042175 and 05251 FECR042176 if anyone's interested: https://www.iowacourts.state.ia.us/ESAWebApp/DefaultFrame. The latest appears to be that this guy is representing them: http://www.grllaw.com/blog/attorneys/Matthew-Lindholm-A3.asp...
Here in Canada the prosecution would have quickly withdrawn the charges. It's pretty clear that they were acting under the color of law, given that the State admitted they hired them. If they went beyond the contract, it seems pretty clear they did it under the mistaken but reasonable belief that they had proper authority to enter. I understand ignorance of law isn't a defense but ignorance of the facts is and it seems pretty clear that's what happened here. It seems unreasonable and unnecessary to hold them in jail and unnecessary to take this to trial. I don't see how proceeding with a prosecution like this could be in the public interest.
> Here in Canada the prosecution would have quickly withdrawn the charges
There in Canada, prosecutors are not elected, because that would be completely batshit insane.
It's in the interest of the lawyers working for the state to enrich themselves and their lawyer friends who will probably take the other side of the case. Money for lawyers everywhere! America works like this because our laws are written by them.
For those who, like me, had trouble figuring out the case ID search system:
There are four fields in "case ID". The first is for the county code ("05251"). The second is for city code, which isn't present in these. The third is for the case type, which is FE (felony). The fourth is for the specific case number, which is /CR.*/
EDIT: Sadly, to actually read any of the documents requires a $25/month subscription.
EDIT2: So apparently those first fields are supposed to be autofilled by the dropdowns, but this doesn't work on my phone. Given the following message on the landing page, this isn't too surprising: "This Web Based Electronic Public Access application requires a 128 bit Cipher Strength on your Internet Explorer. To verify this click on 'Help' menu item and select 'About Internet Explorer'. If it's less than 128 bit click on link 'Update Information' to update Cipher Strength."
Bobby Rehkemper and Lindholm are the shit. They caught a dirty prosecutor a few years back on tape: https://whotv.com/2012/02/20/open-records-sonya-heitshusen-l...
Same Dallas County Attorney is taking a dive on my Qui Tam to claw back Apple's brazen $100m property tax abatement vote bribe to the City of Waukee unjustly enriching the city to abate $170m. Tim Cook is a tax crook.
>>> Mr. Demercurio told the deputies that part of the job was to “check out law enforcement response time,” the documents say
HA! There is nothing that cops like more than to participate in random timed response tests. I cannot imagine anything worse that one could ever say to a cop. Even if it is true, do not ever admit that you are "testing" police, not to the overworked, under-staffed and generally frustrated officers who are stuck working the night shift.
Well, it may be necessary to tell them, but there needs to be a backstop in place: a contract to wave around, proper identification, a live phone number to call to get confirmation, etc. The cops will still be pissed. If you weren't careful in following their instructions when they caught you then you might find yourself tasered and soaked in someone's urine (hopefully your own, I guess). But you wouldn't be, as these two are, getting charged with felony burglary.
You're 100% correct. Having done multiple red teams I would never attempt to break into a building without 1) the CEO on call, 2) a notarized statement of work identifying my and the client's identity, and 3) notarized authorization from the landlord.
If a client refuses any of these then the physical pillar is quite simply off the table.
You tell them you were testing security. You tell them you were testing the alarm system. You DO NOT tell them that you are measuring their response time.
And the police just throw them into the system and say "not my problem".
>I cannot imagine anything worse that one could ever say to a cop.
From the physical pentests I've heard about (never done it myself), they tend to get cordial with LE if they get caught.
This might change that if we find out that the cops were less than friendly even after they showed the get-out-of-jail-free card/pentesting contract.
... especially when they are trigger happy and don’t experience consequences for shooting people
you didn’t need to take it there
They "did not intend, or anticipate, those efforts to include the forced entry into a building"
Isn't that the point of the test? If you thought you had properly anticipated all attack vectors you wouldn't need the test. Or if you did, it would be to find out if you were right.
It will be interesting to see what the actual RFP or statement of work said on the matter though. If it was specific in mentioning only electronic methods, that's a problem. It doesn't seem like it should be a "Charge them with felony burglary" problem though. More like "make them pay damages" (if any)
The court is claiming it wasn't a prearranged part of the test that they were aware of. It will be up to the company to prove that it was.
> But it added that the administration “did not intend, or anticipate, those efforts to include the forced entry into a building.”
It's possible they misunderstood something in the contract such as what physical entry means and the scope of red teaming.
In the article it said they were aware of a forced entry made at another courthouse, but I'm assuming it was after the fact and the security company told them they did it before? If it was before the test then that changes the story, but I don't know why they'd admit it to the press otherwise.
> Iowa’s State Court Administration also said in the statement that it had been made aware of a break-in at the Polk County Historic Courthouse in nearby Polk County on Sept. 9 that was similar in nature to the break-in at the Dallas County Courthouse.
The fact the courts aren't fully supporting the guys raises a lot of questions.
It's not like the guys were caught doing anything for personal gain. But there's a small possibility they wanted to show off their ability and keep it hyper realistic, and crossed a line that should have been better communicated.
> The court is claiming it wasn't a prearranged part of the test that they were aware of. It will be up to the company to prove that it was.
It should be pretty straightforward to determine if the contract explicitly specified electronic penetration or left some ambiguity. Unfortunately it looks like they won't release the contract so we won't know. (I'm sure the defense will get to see it, unless they go to Kafka land, though presumably they also wouldn't have charged these guys if there was such a large hole in the contract language.)
> In the article it said they were aware of a forced entry made at another courthouse, but I'm assuming it was after the fact and the security company told them they did it before? If it was before the test then that changes the story, but I don't know why they'd admit it to the press otherwise.
It isn't clear at all. Perhaps Coalfire informed the Iowa State Court Administration of the Polk county break in when this came to light to avoid further misunderstandings? Who knows what "similar in nature" actually means in this context.
It's not clear exactly what happened here, but hypothetically...
If the state/public office did _not_ agree to it in contract, but if the individuals doing the breaking in a) do it for a living, and b) were operating under the knowledge that they had a contract enabling them to do so legally... what happens to them?
In this case they committed a crime, but to them everything, including past experience, led them to believe it was explicitly not a crime. Obviously the contracting company would be ultimately at fault (at least morally so), but the person messing up the contract isn't going to go to prison for burglary.
How would this likely be resolved? Would the burglary case be dropped and it be turned into a criminal negligence case against the company? If not, how do we effectively protect physical penetration testers like this?
IANAL, especially in American law, but mens rea is usually a necessary element for criminal liability.
Hadn't heard of the term before:
https://en.m.wikipedia.org/wiki/Mens_rea
Reminds me of that time I hired a boxing coach and he punched me in the face, what a jerk!
Well, I guess the (physical) security has been tested and found acceptable.
Moving on to phase 2 of the test: Jail containment capabilities.
What a surreal article.
`the administration “did not intend, or anticipate, those efforts to include the forced entry into a building.”`
It seems a little crazy they went so far as to break into the building when it looks like what was actually wanted was just do a few things and sign off on our security. You know, things we "anticipate" (doesn't that defeat the entire purpose?).
Contractors seem like they went above and beyond really. Bureaucrats don't appear to like that.
> and possession of burglary tools
Is that a crime? Like picks and stuff?
Each state is different: https://toool.us/laws.html
Kevin Mitnick's business card has a popout lockpick in it. He came to give us a talk, and gave out cards afterward. Later, I learned we all committed a crime that day.
Depends on the state. I believe in some states it's legal so long as you're not actively engaged in a crime, but becomes illegal if you get caught with them in a criminal act, even if they weren't directly related to the criminal act?
Edit: People REALLY like answering this question, apparently. :D
I do locksport and breaching for fun (in a safe, legal manner) and I live here in NY.
Certain tools only have a purpose for forced entry, like the shove it tool and halligan bar. If you are caught with such tools and are not a first responder, you will be treated as a burglar and in all likelihood successfully prosecuted.
LOL yea I noticed that too and took a screen shot of all of us with "0 minutes ago"
It's a crime if you're found in possession with intent to commit a crime: https://aizmanlaw.com/possession-of-burglary-tools/
Depending on the state, owning lock picking equipment without a licence is also illegal.
Oh yeah the law has all sorts of things to increase charges.
In some jurisdictions having a crowbar while “committing a crime” turns the crowbar into a burglary tool. Better yet: having a burglary tool can count as evidence you were committing a crime (see an interesting bit of logic there?)
Or CA using possession of condoms as evidence women were sex workers. Immediately resulting in a reduction in use of protection (remember the anti-prostitution laws are all in the interests of “public safety”). Literally the interpretation of reality chosen was one where if a woman in a specific location had a condom they were automatically a sex worker, carrying evidence of sex work.
That varies by state and circumstance.
In some states it's legal to own them, but if you are caught using them or being somewhere you shouldn't be while carrying them it can be tacked onto your charges.
Other states it's totally illegal to own or carry them.
In some states I feel like they just thought “well we can’t just keep letting these guys off when we catch them before actually picking the lock” so they made the lock picks illegal.
Anything used to commit burglary is a burglary tool. A hammer, screwdriver, picks, etc.
In most states, unless you are a locksmith, yes it is a crime.
>In most states, unless you are a locksmith, yes it is a crime.
This is not true. Only nine of forty-one states make lockpicks illegal. https://tihk.co/blogs/news/116232133-lock-pick-legality
In most states, no, it is not a crime unless intent to burglarize can also be demonstrated. Simply having them or using them where you have permission is fine.
They're not illegal in any state. They become illegal when used in a crime, but then so does a crowbar.
A few states consider them evidence of criminal intent, so you'd have to provide evidence to the contrary.
I don't understand all the secrecy in doing these types of pen-testing. Why wouldn't you just tell the cops what you intend to do and make sure everyone involved has a clear understanding of what is going to be done and what not. Personally, there is NO WAY I would have tried to break into a court for a pen-test without the cops and a representative from the state right there while I'm doing it.
Sorry everyone, but as you can see, now these employees risk criminal records and prison over something stupid. And if you think some over zealous prosecutor isn't going to see this to the end, you have another thing coming.
And the worst part about it, I highly doubt the company does ANYTHING to help these dudes. I feel so bad for them.
> I don't understand all the secrecy in doing these types of pen-testing. Why wouldn't you just tell the cops what you intend to do and make sure everyone involved has a clear understanding of what is going to be done and what not.
It's not really an accurate measure of response time if the responding parties are told ahead of time. That said, I would imagine the benefit of an accurate measurement vs. the cost of a heads-up is vastly different when you're dealing with first responders as opposed to a vendor.
I'm curious, couldn't they have warned the police or alarm security company ahead of time so they don't get accidentally shot by confused responding police? Or were they so confident/cocky that they assumed this wasn't a possible outcome? At a minimum you could warn the top managers the night in question.
Especially at a serious government building that typically always has law enforcement there as security during the day, this is important. As opposed to some mid-level corporation office which they'd normally hit up.
Some precautions in the situation just sound prudent.
The police aren't supposed to be shooting unarmed people.
That's never stopped them before
And cars aren't supposed to crash, but you still wear your seatbelt.
So from the sounds of it the courts hired coalfire to do pen testing but neglected to mention it should be electronic only so they attempted physical access?
Pentesting works the other way, you need to scope things in, not out. Otherwise you'll get into all sort of legal and ethical issues.
You know one of the best ways to get access to electronic systems is to get physical access, a "hardcore" run to borrow a term from Gibson.
UPDATE: https://news.ycombinator.com/item?id=21012191
Reminds me of this story posted a while ago:
Story of a failed pentest https://news.ycombinator.com/item?id=18475438
So now, next question. Have they done anything in there. They've caught the intruders, good on them. But as a security guy myself I am asking: did they check ALL electronics for tampering as well as do a basic bug sweep.
I am not saying it was, in fact I don't think the courthouse who lets them rot in jail now gives a damn, but a thorough test could also test whether after catching intruders the court bothers to check their equipment. Something added/manipulated is sometimes worse than something stolen.
They appear to be employees of Coalfire Labs.
"The State Court Administration hired Coalfire Labs to test the security of the court’s electronic records, said Steven Davis, a spokesman for the state judicial branch."
Mr Demercurio's LinkedIn page appears to state that he is employed by that organisation.
I understand that hubris is followed by nemesis...
i can just imagine the scene: cops: you are under arrest for breaking and entering. pentester: we were just checking your security. you passed! congratulations!
sorry couldn't resist /getscoat
Successful test!!
This shows such a comical level of incompetence from Iowa's state admin that it borders on malicious.
Sounds like they were authorized and the court administration just made a mistake in the contract.
It is confirmed (allegedly) they also broke into Polk County Courthouse two days earlier -
https://www.desmoinesregister.com/story/news/crime-and-court...
I'd be very interested to learn who hired them / their firm. Hope we find out!
We know who hired them. Read the article. Iowa’s State Court Administration contracted with Coalfire, of which the two men are employees.
What sort of pentesters was that who didn't specify and get a signed off code of conduct before they did a physical pentest? Having a paper to wave in front of the arresting cops is more important than the promise of money. Jesus. Amateurs.
What's more likely, a big pentesting company messed up this one engagement, or the state is incompetent and doesn't understand pentesting? I'm leaning towards the latter.