Comment by jcrawfordor
6 years ago
It's extremely important to include a clear statement of work in any pentesting contract exactly for this reason. The contents of the contract will become very important in this case, and depending on whether or not the SOW included physical intrusion into the buildings, one side or the other will end up with egg on their face.
Without the contract and/or other agreements it isn't clear who's at fault here; the pentesting firm involved may very well have been an incompetent one that exceeded their SOW or did not even produce one to be agreed on--and I tend to suspect that this is the case, because physical intrusion testing will almost always include measures to prevent the police being called or to make them aware of the test, due to both the expense of an intentional false alarm call and the risk involved in triggering a law enforcement response.
This is such an absurd case on so many levels. This miscommunication should have never happened, obviously.
Even if they turn out to be the criminally incompetent party in this relationship, I feel kind of bad for the contractors. They're facing felony charges for making what was clearly a mistake. I can't imagine they're consistently this incompetent - surely one of their previous clients would have noticed if they were physically broken into and didn't anticipate it. So either they've never done this before, or they messed up their contract.
I've seen plenty of similarly boneheaded, incompetent things in Big Tech (losing massive amounts of data, getting systematically defrauded in pretty stupid ways, etc) that resulted in getting fired at worst and a reprimand at best, so I feel kind of bad that these guys face felonies for being bad at their job.
Amazed they are charged. Any good lawyer should be able to get them off on mistake of fact, of simply lacking the elements of the crime.
Yeah, not a lawyer outside of my armchair, but I don't really see how they could ever be convicted of any of this. It sounds like there's a very good chance they were contracted by a legitimate security auditing firm to do a job of a nature they had no reason to believe was not already outlined in some statement of work agreed upon by all parties. Even if there was some misunderstanding, it sounds like the fault lies with the firm rather than with the contractors themselves. Obviously there are more facts that would need to be reviewed to definitively arrive at a conclusion like this, but at a glance this whole thing seems ridiculous.
Well, as long as there was an agreement to do pen testing, the criminal portion should be pretty much dropped.
Caveat emptor
The company in question is Coalfire. This company assesses who can become FedRAMP compliant. They also have their pentesting team in-house, and they are fucking sharp. They know their contracts, rules of engagement, and exactly what they are and aren't allowed to do.
These folks do this stuff for their livelihood. They test contractor, state, and fed systems at all scopes and levels.
And if 2 broke in (yes, you work in teams ABSOLUTELY onprem), they had the contract explicitly allowing physical penetration ON THEIR BODY. That contract is the difference between felony trespass and 100% legal.
I would LOVE to be a fly on the wall and watch the conversation between State IT and the public safety community there, and especially with the AG, who will have to release them.
That's right. If I had to bet who was incompetent, Coalfire or the state agency, my bet is on the latter. The state agency probably didn't understand/read the full contract, or maybe some internal miscommunication through the hierarchy led to confusion about what was or wasn't allowed in the pentest. I'll be waiting for Coalfire's press release, which will probably confirm the contract did allow a physical pentest...
This is dealing directly with the government. I doubt we ever hear of this again if the government screwed up.
No way coalfire would embarrass a client if they can avoid it.
I feel bad for the contractors who now have arrest records. They are the victims here.
How long will you be waiting for their Press Release? This was first reported 5 days ago, presumably it happened before that even...
https://arstechnica.com/information-technology/2019/09/check...
Coalfire just released their statement and, yup, I was right: «Coalfire and State Court Administration believed they were in agreement regarding the physical security assessments for the locations included in the scope of work. Yet, recent events have shown that Coalfire and State Court Administration had different interpretations of the scope of the agreement» https://finance.yahoo.com/news/coalfire-comments-penetration...
Ya, I've spoken with Coalfire employees in the past and have respect for them. I'm very curious to follow up on the outcome of this case, and I feel for the employees sitting in jail right now. Hope it ends well for them.
They posted bail
From my background with FedRAMP, a firm's involvement in FedRAMP assessments does not improve my confidence in them. :)
That said, yes, Coalfire is large enough and old enough that I would be very surprised if they made such a mistake - but I still think it's quite possible. Consider that such an established firm would also be absolutely expected to coordinate this kind of testing with the PD beforehand - a blind test of a PD's response on a contract with another agency of the state government is something I have never heard of before and raises huge concerns for personal safety and taxpayer expense. I would consider Coalfire to also be extremely irresponsible for knowingly entering such a situation.
That was my thought. I suspect some jobsworth promoted above their natural pay grade threw their teddies out of the pram when their poor security got penetrated.
This kind of smells like a classified intelligence op
r/conspiracy amirite?
Shame on the prosecutors. Burglary requires intent. By all appearances, these guys thought they had permission.
They HAD intent - they intended to break into the building, brought the tools, etc. If the contract does not stipulate that they are allowed to break in, then they're basically screwed.
"I didn't mean to break in" holds no ground in court if they actually were breaking in.
This isn't how the law works for intent. Google "mens rea", in particular, the "knowing" part. Under your definition, every locksmith is engaging in felony break and enter on a daily basis.
Criminal intent.
You don't understand the level of local corruption in Iowa. To be effective the State couldn't tip off County security.
Love to hear about the level of corruption in Iowa. Grew up there and left...
So dirty that the AG's Chief of Staff Eric Tabor has his sister, Mary Tabor, on the Iowa Court of Appeals, who corruptly fails to recuse herself on his cases. Usually she is impartial, but when Eric gets caught in shenanigans she has gone so far as to commit fraud (literally lying about the facts of cases in the appellate record she prosecuted to invent case law) to cover his ass.
Fun fact, Mary's son Ollie works for Nate Silver.