Comment by crankylinuxuser

6 years ago

The company in question is Coalfire. This company assesses who can become FedRAMP compliant. They also have their pentesting team in-house, and they are fucking sharp. They know their contracts, rules of engagement, and exactly what they are and aren't allowed to do.

These folks do this stuff for their livelihood. They test contractor, state, and fed systems at all scopes and levels.

And if 2 broke in (yes, you work in teams ABSOLUTELY onprem), they had the contract explicitly allowing physical penetration ON THEIR BODY. That contract is the difference between felony trespass and 100% legal.

I would LOVE to be a fly on the wall watching the conversation between State IT and the public safety community there, and especially with the AG, who will have to release them.

That's right. If I had to bet who was incompetent, Coalfire or the state agency, my bet is on the latter. The state agency probably didn't understand/read the full contract, or maybe some internal miscommunication through the hierarchy led to confusion about what was or wasn't allowed in the pentest. I'll be waiting for Coalfire's press release, which will probably confirm the contract did allow a physical pentest...

  • This is dealing directly with the government. I doubt we ever hear of this again if the government screwed up.

    No way coalfire would embarrass a client if they can avoid it.

    I feel bad for the contractors who now have arrest records. They are the victims here.

    • > This is dealing directly with the government. I doubt we ever hear of this again if the government screwed up.

      Exactly. We won't hear of it. They do work all across the US in the state and federal space. It's too lucrative to give up to shame them into submission publicly. Privately, sure.

      > I feel bad for the contractors who now have arrest records. They are the victims here.

      Well, they've been arrested. So their clearances have been yanked already, as per standard for Confidential/TS/SCI. Unless they can get complete restoration, including expungement of the arrest, and admission of unlawful arrest, they're done in federal/state infosec.

  • Coalfire just released their statement and, yup, I was right: «Coalfire and State Court Administration believed they were in agreement regarding the physical security assessments for the locations included in the scope of work. Yet, recent events have shown that Coalfire and State Court Administration had different interpretations of the scope of the agreement» https://finance.yahoo.com/news/coalfire-comments-penetration...

Ya, I've spoken with Coalfire employees in the past and have respect for them. I'm very curious to follow up on the outcome of this case, and I feel for the employees sitting in jail right now. Hope it ends well for them.

From my background with FedRAMP, a firm's involvement in FedRAMP assessments does not improve my confidence in them. :)

That said, yes, Coalfire is large enough and old enough that I would be very surprised if they made such a mistake - but I still think it's quite possible. Consider that such an established firm would also be absolutely expected to coordinate this kind of testing with the PD beforehand - a blind test of a PD's response on a contract with another agency of the state government is something I have never heard of before and raises huge concerns for personal safety and taxpayer expense. I would consider Coalfire to also be extremely irresponsible for knowingly entering such a situation.

That was my thought. I suspect some jobsworth promoted above their natural pay grade threw their teddies out of the pram when their poor security got penetrated.