What is wild about this is the cops showed up, held the guys, they showed them their letter that they were authorized and the cops called the references on the letter and everyone was fine.
Then the Sheriff showed up and insisted they be arrested...
Everything was fine until one person who didn't get it, who happened to be in charge, showed up.
Per the legal system, arrested is probably safe course of action until they could verify the authenticity of the letter. It's really the ensuing events after that were abysmally stupid.
They did verify the authenticity. The police won't launch a full investigation for every single possibility and doing so would be a colossal waste of resources. They are, in fact, allowed to make some calls and be satisfied at that point that the letter is authentic without investigating every single fraudulent possibility.
>When Sheriff Leonard arrived, the tone suddenly changed. He said the Dallas County Courthouse was under his jurisdiction and he hadn’t authorized any such intrusion.
Reading only ever so slightly between the lines, it's clear that he probably did get it, just that he either wanted to swing his dick around for its own sake, or, more likely it seems from the dedcription in the article, resented that he was kept out of the loop on "his turf".
This isn't a felony case. In fact, I'm not sure it ever was? It's not clear from their amended complaint, but they were ultimately charged with simple trespassing, a misdemeanor. Those trespassing charges were themselves dismissed a few months later.
What we're talking about today is the resolution of what looks to me (not a lawyer) mostly like a defamation case. Were they defamed? Absolutely. The problem is, to get anything useful out of a defamation case, you need to demonstrate damages. They were accused of a crime --- per se defamation --- but the point of the suit is to recover damages.
I don't want to be glib, and I'm very prepared to be wrong, but the Dallas County Courthouse Incident is likely one of the top 3 world events to have happened to both these pentesters. They've been cause celebres in the field for years and years. It might be pretty tricky to actually demonstrate damages.
When they turn this slowly it's disingenuous to call it justice. Spending 10% of your adult life locked in legal battles is a ridiculous price to pay for something that should be resolved in under a year.
They weren't "locked in a legal battle". Their criminal charges were dismissed within 6 months of the incident happening. What resolved recently was a civil suit they themselves brought for damages from defamation and emotional distress.
I'll probably get downvoted for even questioning the narrative, but here are some of the nuances that stood out to me:
- When the police contacted someone listed on the authorization letter, that person denied that they had been authorized to conduct physical intrusions. Another contact didn't answer their phone. What are the police supposed to do if the people supposedly authorizing the intrusion are actively denying the authorization?
- The contract had vague language that say they couldn't "force-open doors". The two men told police they had used a tool to open a locked door. The language should have been more specific about what was and was not allowed. (EDIT: This is causing a lot of controversy. The legal definition of "forced entry" in my state does not require literal damage to the property, only a bypassing of barriers. I don't know about the circumstances in this state, but to be clear the term "force-open doors" doesn't necessarily mean using destructive force everywhere)
- The contract said "alarm subversion" was not allowed, but supposedly the police had evidence that they were trying to manipulate the alarm. They deny this.
- The men had been drinking alcohol before the break-in. By the time they were breathalyzed it was at 0.05, meaning the number was even higher when they started the break-in. Drinking alcohol before you do a professional job guaranteed to get the police responding is a terrible idea.
- After they tripped the alarm and the police showed up, they didn't immediately identify themselves and end the exercise. They hid from the police, claiming that they were "testing the authorities' response" which seems obviously out of scope for their agreement.
So I agree that the charges were excessive and the Sheriff was in the wrong on a lot of things, but after reading the details this wasn't really a clear cut case. The pentesters weren't really doing everything "by the book" if they thought that testing the police response by hiding was in scope of their contract and doing this job after a few alcoholic beverages is a bizarre choice.
I performed these types of physical pen tests years ago. If we were testing security for something like a courthouse we would've had a card on each of us with the personal cell phone number of the county clerk along with a statement of work that described exactly what we were authorized to do, with signatures. In some cases we'd have a backup contact number for more dangerous stuff. The idea that the emergency contact would not answer the phone would've seemed ludicrous. They were always aware of where we were and what we were doing at all times.
Damaging property was never approved. Drinking alcohol before a test would never happen. The insurance risk alone would've been nuts, not to mention the reputational damage if someone smelled it on your breath. Hiding from law enforcement? I'd need to know more about that. If a cop shows up with a gun you absolutely do not hide. If it's a security guard on rounds and you're waiting for them to move on... sure.
It was often dangerous though. Some security and law enforcement types take it personally that they're being "tested" and do not react well. We always tried to have some former law enforcement or military with us because they were less likely to be targeted for abuse than us hackers/nerds.
> If we were testing security for something like a courthouse we would've had a card on each of us with the personal cell phone number of the county clerk along with a statement of work that described exactly what we were authorized to do, with signatures.
You mean... the thing that they had? FTA:
"Within minutes, deputies arrived and confronted the two intruders. DeMercurio and Wynn produced an authorization letter—known as a “get out of jail free card” in pen-testing circles. After a deputy called one or more of the state court officials listed in the letter and got confirmation it was legit, the deputies said they were satisfied the men were authorized to be in the building."
There's also no indication that they damaged property (they used a UDT to trip a sensor to bypass the door). Neither of us were there, but based on the actual reporting it sounds like the worst anyone could accuse these people of being is stupidly unprofessional and bad communicators, which if you worked with pentesters shouldn't seem like an unprecedented aberration.
> Hiding from law enforcement? I'd need to know more about that. If a cop shows up with a gun you absolutely do not hide. If it's a security guard on rounds and you're waiting for them to move on... sure.
According to the article, they were hiding from the police who showed up, not security guards.
Testing the police is undeniably out of scope in a situation like this. If the police show up, the exercise needs to be over. You announce your presence and de-escalate, not try to outmaneuver the police.
These two guys only look like heroes in contrast to the over zealous sheriff. Everything else about their operation ranges from amateur hour to complete incompetence, such as drinking before a job.
IIRC they had permission from the state court administrator, but not the county. The building is a county building. And, as it does in all sorts of jurisdictions with a similar setups, pissing contests arise over various issues.
I'm not saying it's the most professional choice, but if I were about to burgle a courthouse as part of my work, I'd like a beer or two to calm my nerves beforehand.
Regarding force, this article says:
> The rules of engagement for this exercise explicitly permitted “physical attacks,” including “lockpicking,” against judicial branch buildings so long as they didn’t cause significant damage.
And later that they entered through an unlocked door, which they (it sounds like) kept unlatched by inserting something between the latch and the doorjamb. Not unreasonable.
> I'm not saying it's the most professional choice, but if I were about to burgle a courthouse as part of my work, I'd like a beer or two to calm my nerves beforehand.
This is a job where having impaired judgment is a terrible idea.
If someone needs alcohol to do a job that involves taking the role of a criminal and summoning the police, drinking alcohol before it is a terrible choice no matter how you look at it. If they can't do the job without alcohol, they shouldn't be doing the job at all. Maintaining unimpaired judgment is a baseline expectation for a job like this.
Is drinking common for physical pentesters? I just do boring software stuff but I’m pretty sure drinking on the job would be a fireable offense for me.
And even if their BAC was technically under the legal limit, their ability to e.g. drive was impaired. So it seems unprofessional.
> I'm not saying it's the most professional choice, but if I were about to burgle a courthouse as part of my work, I'd like a beer or two to calm my nerves beforehand.
I feel like if you do something for a living, you shouldn't need to calm your nerves for it.
I'd have more "eager" than "anxious" nerves, and I wouldn't need a beer for that. The fun thing about pentesting is that it doesn't matter if you get caught, although it's more fun if you don't.
Hard agree about "forcing", though. The very word implies, you know, non-trivial amounts of force. Like technically walking toward a door in a normal human room at standard temperature and pressure means you're applying non-zero amounts of force to it, so arguments like "they applied any force at all" can be ignored as goofy.
Seems reasonable to assume some blame from the pentesters, but neither are police known to be faithful and honest presenters of the truth. I'm not firmly convinced that the police story isn't exaggerated or embellished.
All of that is true, but it only means that it should have taken a few hours to sort out instead of 15 minutes. It became a pissing match between the courts and the county and these guy got squeezed. As a lawyer, I can't believe that there wasn't a lawyer for the county telling them that night that this was going to cost them.
For someone who is in such a position in the future, always notify the local police in writing and by phone call, if not also in person, before starting such an exercise. Make sure they have the get-out-of-jail documentation in advance of the exercise. If the police doesn't approve, don't do it. It would be better to get a no-objection letter from the police in advance. Make sure an attorney is aware of the activities and all documentation. Do not take any chances. You don't live in a kind or forgiving world. Handling unknown unknowns is the point.
They had written authorization from the state court and verbal confirmation from state court officials. They didn't know there would be a pissing match between the judicial branch and the sheriff.
But afaik this wasn't a state courthouse; it's a county courthouse. Legally, obviously, the state has authority and they were in the right, but functionally this is really good advice: if you're doing a penetration test of a space, you functionally need to clear it with the people who are responsible for the security of that space, and whom you might encounter defending it.
Frankly, I would not have taken this gig unless you had verbal confirmation that the Sheriff knows about it and has signed off. If you're entering a red team situation where the State wants to assess the security of their county courthouses, but doesn't want the local authorities to know its happening because they don't trust them: That is not a situation you want to be in the middle of, they gotta sort that out.
> If the police doesn't approve, don't do it. It would be better to get a no-objection letter from the police in advance.
The article says they did have an authorization letter from the state court officials (the people running the building) and they were released right after the letter was verified with the court officials.
At least from what I can see, the police officers involved were doing the right thing. They detained the suspects, made a proper effort to listen to them and validate their story, and then released them.
It was the Sheriff who showed up and didn't like it who then hassled them further.
They basically had a no-objection letter from the people in charge of the building and the police officers were onboard. It was one person who tried to turn it into something else.
That simply is not how the police work. If they get a call about a break in they’re going to respond and assess.
I bought property with a shooting range years ago from a retired SWAT officer with the county. He mentioned that “he always calls the sheriff’s office to let them know if he was doing anything.” Now I’d never owned a private range and am not from this county.
I called up the sheriff’s office and asked for clarification. I was advised that no such policy / program exists or is required and if the officer must have had is own internal policies and chain o command and that is irrelevant to me as a random citizen. In short, if a call is made about a shooter they will have to respond and so long as I’m not doing anything stupid, dangerous, or outright illegal I have nothing to worry about. The same goes for any other type of call.
Wouldn’t that in a lot of ways invalidate the test?
You’re trying to see what can be done and what the response is from the current security practices and the police showing up seems like an important part of that.
It is not clear what as the defined purpose of the test, if it was to measure a successful entry+exit, or measure police response, or both. If measuring the police response was a purpose, the police should still have been notified, just not of the exact date when it would happen. Executing it on a random day should offset the prior awareness of the police. Secondly, it is up to the police leadership to keep it quiet.
If the state wants to verify the counties are doing an adequate job, then tipping them off could result in an invalid assessment. The sheriff's reaction raises suspicion that there are deficiencies he doesn't want found
My other comment has more details, but a summary is that they the pentesters had been drinking before breaking into the building, were doing things that could be interpreted as being forbidden by their own contract, and the big one: The person listed on their authorization letter denied that they were approved to enter the building when called.
That last one is a big deal. If your own authorization contacts start telling the police you're not authorized to be in the building, you're in trouble.
Yeah I think that’s pretty useful context. I can understand arresting them and clearing it up with a judge in the morning. I can’t understand continuing to defame them as the lawsuit alleged.
If that’s all that had happened I’m guessing it would’ve avoided a lawsuit, since their purpose was to restore their reputational damage.
You don't know the man, and you don't know all of the details and nuances of the situation he was called into. How then do you think to judge him like that? You're just stereotyping.
I might be mistaken, but it sounds like these guys showed up at a facility and did the classical "breaking and entering" thing. The onsite (terrified) staff called 911, the police showed up and arrested them. The perps said that they were hired to do this (they were), but nobody told the Sheriffs office or the staff about it.
So yeah, it sucks for these guys' reputations and criminal histories, but... what? The onsite staff didn't know what was going on, the Sheriffs didn't know what was going on.
The county basically said: "We want you to go try to break into this government building. We aren't going to tell the staff or the local police about it. Tell us what you find."
Did you even read the article or review the story? The police showed up, reviewed and even verified their documents (called the numbers on the form to confirm their authorization) and we're seemingly satisfied all was in order.
Only once the sheriff himself arrived on scene did he order the arrest that caused all the issues. If that didn't happen it wouldn't have been a story other than "security professionals doing their authorized job".
If the sheriff had found out what was going on and then let them go, this wouldn't be news.
If the sheriff had arrested them and found out in the morning what was going on and then let them go, this wouldn't be news.
If the sheriff had arrested them and brought them before a judge who let them go, this wouldn't be news.
What actually happened is the sheriff found out what was going on, decided it was still criminal anyway, arrested them, and then the county charged and prosecuted them. The charges were eventually dismissed. That is why it's news.
Definitely some things could have been done a bit differently. I get that they want to keep staff in the dark, and even beat cops, but it seems reasonable and prudent to have the highest level of local law enforcement brought into the loop in planning red team exercises. The likelihood is high that the team will interface with law enforcement. The escalation path within the enforcement side of the state regulatory machine should be cleared in advance.
I think the takeaway for security teams is that you shouldn't let the customer "authorize" what is otherwise criminal activity warranting a police response without getting some air cover from the enforcement side. Coordinating that is the customer's burden to bear and that cover should be secured before letting them hand-wave away the risks with a "just have the police call me and I'll clear it all up". In hindsight only, when you look at it like that, the security team was not covering their ass appropriately. In a perfect world, you'd assume there's some better planning and communication going on behind the curtain. In the real world, you need more than the flimsy "guarantee" of calling a guy who knows a guy in the middle of the night. At the very least, that get out of jail free card should have had as signatories judiciary representation and enforcement representation (e.g. sheriff).
They broke in and set off an alarm, the local cops responded, the pentesters showed their credentials, and there was no issue.
Then the sheriff arrived, was butthurt because he felt left out and wanted to show his authority, and caused these guys 6 years of grief for literally no reason at all.
I kinda hate that it settled. I fully understand the plaintiffs not wanting to proceed, but i really wish the sheriff was actually punished for what he did. This sort of power tripping should be a fireable offence
What is wild about this is the cops showed up, held the guys, they showed them their letter that they were authorized and the cops called the references on the letter and everyone was fine.
Then the Sheriff showed up and insisted they be arrested...
Everything was fine until one person who didn't get it, who happened to be in charge, showed up.
Oh I'm sure the sheriff got it, he just wanted to get in a pissing match with the people who signed the letter.
The sheriff felt like he had "egg on his face", and responded like a child.
Per the legal system, arrested is probably safe course of action until they could verify the authenticity of the letter. It's really the ensuing events after that were abysmally stupid.
They did verify the authenticity. The police won't launch a full investigation for every single possibility and doing so would be a colossal waste of resources. They are, in fact, allowed to make some calls and be satisfied at that point that the letter is authentic without investigating every single fraudulent possibility.
So you read this:
> the cops showed up, held the guys
> they showed them their letter that they were authorized
> the cops called the references on the letter
> Then the Sheriff showed up and insisted they be arrested...
and your response is:
> Per the legal system, arrested is probably safe course of action until they could verify the authenticity of the letter.
?
1 reply →
If they know who they are, what's the point? You can track them down later and throw on ~fraud charges if the letter ends up fake.
>When Sheriff Leonard arrived, the tone suddenly changed. He said the Dallas County Courthouse was under his jurisdiction and he hadn’t authorized any such intrusion.
Reading only ever so slightly between the lines, it's clear that he probably did get it, just that he either wanted to swing his dick around for its own sake, or, more likely it seems from the dedcription in the article, resented that he was kept out of the loop on "his turf".
I remember reading about this when it first happened. Glad there was at least a somewhat positive outcome.
For reference, here is the HN thread shortly after the arrest: https://news.ycombinator.com/item?id=21000273
$600k for 6 years of legal battle and facing felony charges? no bueno
The 6 year, $600K lawsuit was something they initiated against the county.
The initial charges against them were initially dropped to misdemeanors and then dismissed entirely, but that was a separate matter resolved earlier.
20 replies →
This isn't a felony case. In fact, I'm not sure it ever was? It's not clear from their amended complaint, but they were ultimately charged with simple trespassing, a misdemeanor. Those trespassing charges were themselves dismissed a few months later.
What we're talking about today is the resolution of what looks to me (not a lawyer) mostly like a defamation case. Were they defamed? Absolutely. The problem is, to get anything useful out of a defamation case, you need to demonstrate damages. They were accused of a crime --- per se defamation --- but the point of the suit is to recover damages.
I don't want to be glib, and I'm very prepared to be wrong, but the Dallas County Courthouse Incident is likely one of the top 3 world events to have happened to both these pentesters. They've been cause celebres in the field for years and years. It might be pretty tricky to actually demonstrate damages.
5 replies →
I'd gladly take such a payout.
Split 2 ways, that is still 300k.
Parked in an investment at 5% a year, that's an easy +$15,000/year for the rest of your life.
13 replies →
Darknet Diaries did an interview with the two pentesters: https://darknetdiaries.com/episode/59/
I really hope he brings them back for a follow-up now that it's settled. (And I've requested it on fedi.)
Great episode, but infuriating at the same time
... six years ago!
This happened in 2019. The wheels of justice turn very slowly.
Certainly the wheels of civil suits do.
My state, like many, defines a speedy criminal trail as the trial commencing any time within 5 years of being charged...
1 reply →
Justice delayed is justice denied.
Two people for six years in that industry they probably lost a lot more than $600k.
3 replies →
When they turn this slowly it's disingenuous to call it justice. Spending 10% of your adult life locked in legal battles is a ridiculous price to pay for something that should be resolved in under a year.
They weren't "locked in a legal battle". Their criminal charges were dismissed within 6 months of the incident happening. What resolved recently was a civil suit they themselves brought for damages from defamation and emotional distress.
8 replies →
Except for the wealthy, who can dial it up or down
This is the kind of hacker news I'm here for
I'm glad the charges were dismissed, but to be honest the original reporting shows the story was actually more nuanced than this article led me to believe. 2019 article: https://arstechnica.com/information-technology/2019/11/how-a...
I'll probably get downvoted for even questioning the narrative, but here are some of the nuances that stood out to me:
- When the police contacted someone listed on the authorization letter, that person denied that they had been authorized to conduct physical intrusions. Another contact didn't answer their phone. What are the police supposed to do if the people supposedly authorizing the intrusion are actively denying the authorization?
- The contract had vague language that say they couldn't "force-open doors". The two men told police they had used a tool to open a locked door. The language should have been more specific about what was and was not allowed. (EDIT: This is causing a lot of controversy. The legal definition of "forced entry" in my state does not require literal damage to the property, only a bypassing of barriers. I don't know about the circumstances in this state, but to be clear the term "force-open doors" doesn't necessarily mean using destructive force everywhere)
- The contract said "alarm subversion" was not allowed, but supposedly the police had evidence that they were trying to manipulate the alarm. They deny this.
- The men had been drinking alcohol before the break-in. By the time they were breathalyzed it was at 0.05, meaning the number was even higher when they started the break-in. Drinking alcohol before you do a professional job guaranteed to get the police responding is a terrible idea.
- After they tripped the alarm and the police showed up, they didn't immediately identify themselves and end the exercise. They hid from the police, claiming that they were "testing the authorities' response" which seems obviously out of scope for their agreement.
So I agree that the charges were excessive and the Sheriff was in the wrong on a lot of things, but after reading the details this wasn't really a clear cut case. The pentesters weren't really doing everything "by the book" if they thought that testing the police response by hiding was in scope of their contract and doing this job after a few alcoholic beverages is a bizarre choice.
I performed these types of physical pen tests years ago. If we were testing security for something like a courthouse we would've had a card on each of us with the personal cell phone number of the county clerk along with a statement of work that described exactly what we were authorized to do, with signatures. In some cases we'd have a backup contact number for more dangerous stuff. The idea that the emergency contact would not answer the phone would've seemed ludicrous. They were always aware of where we were and what we were doing at all times.
Damaging property was never approved. Drinking alcohol before a test would never happen. The insurance risk alone would've been nuts, not to mention the reputational damage if someone smelled it on your breath. Hiding from law enforcement? I'd need to know more about that. If a cop shows up with a gun you absolutely do not hide. If it's a security guard on rounds and you're waiting for them to move on... sure.
It was often dangerous though. Some security and law enforcement types take it personally that they're being "tested" and do not react well. We always tried to have some former law enforcement or military with us because they were less likely to be targeted for abuse than us hackers/nerds.
> If we were testing security for something like a courthouse we would've had a card on each of us with the personal cell phone number of the county clerk along with a statement of work that described exactly what we were authorized to do, with signatures.
You mean... the thing that they had? FTA:
"Within minutes, deputies arrived and confronted the two intruders. DeMercurio and Wynn produced an authorization letter—known as a “get out of jail free card” in pen-testing circles. After a deputy called one or more of the state court officials listed in the letter and got confirmation it was legit, the deputies said they were satisfied the men were authorized to be in the building."
There's also no indication that they damaged property (they used a UDT to trip a sensor to bypass the door). Neither of us were there, but based on the actual reporting it sounds like the worst anyone could accuse these people of being is stupidly unprofessional and bad communicators, which if you worked with pentesters shouldn't seem like an unprecedented aberration.
5 replies →
> Hiding from law enforcement? I'd need to know more about that. If a cop shows up with a gun you absolutely do not hide. If it's a security guard on rounds and you're waiting for them to move on... sure.
According to the article, they were hiding from the police who showed up, not security guards.
Testing the police is undeniably out of scope in a situation like this. If the police show up, the exercise needs to be over. You announce your presence and de-escalate, not try to outmaneuver the police.
These two guys only look like heroes in contrast to the over zealous sheriff. Everything else about their operation ranges from amateur hour to complete incompetence, such as drinking before a job.
1 reply →
IIRC they had permission from the state court administrator, but not the county. The building is a county building. And, as it does in all sorts of jurisdictions with a similar setups, pissing contests arise over various issues.
I'm not saying it's the most professional choice, but if I were about to burgle a courthouse as part of my work, I'd like a beer or two to calm my nerves beforehand.
Regarding force, this article says:
> The rules of engagement for this exercise explicitly permitted “physical attacks,” including “lockpicking,” against judicial branch buildings so long as they didn’t cause significant damage.
And later that they entered through an unlocked door, which they (it sounds like) kept unlatched by inserting something between the latch and the doorjamb. Not unreasonable.
> I'm not saying it's the most professional choice, but if I were about to burgle a courthouse as part of my work, I'd like a beer or two to calm my nerves beforehand.
This is a job where having impaired judgment is a terrible idea.
If someone needs alcohol to do a job that involves taking the role of a criminal and summoning the police, drinking alcohol before it is a terrible choice no matter how you look at it. If they can't do the job without alcohol, they shouldn't be doing the job at all. Maintaining unimpaired judgment is a baseline expectation for a job like this.
15 replies →
Is drinking common for physical pentesters? I just do boring software stuff but I’m pretty sure drinking on the job would be a fireable offense for me.
And even if their BAC was technically under the legal limit, their ability to e.g. drive was impaired. So it seems unprofessional.
6 replies →
> I'm not saying it's the most professional choice, but if I were about to burgle a courthouse as part of my work, I'd like a beer or two to calm my nerves beforehand.
I feel like if you do something for a living, you shouldn't need to calm your nerves for it.
I'll note 0.05 means you can't legally drive in Australia and would be issued a DUI.
I'd have more "eager" than "anxious" nerves, and I wouldn't need a beer for that. The fun thing about pentesting is that it doesn't matter if you get caught, although it's more fun if you don't.
Hard agree about "forcing", though. The very word implies, you know, non-trivial amounts of force. Like technically walking toward a door in a normal human room at standard temperature and pressure means you're applying non-zero amounts of force to it, so arguments like "they applied any force at all" can be ignored as goofy.
Seems reasonable to assume some blame from the pentesters, but neither are police known to be faithful and honest presenters of the truth. I'm not firmly convinced that the police story isn't exaggerated or embellished.
The police settled for $600k, it wasn't dismissed.
The original charges against them were dismissed.
They brought a separate case against the police and were awarded $600K
Two separate legal matters for the same event.
1 reply →
All of that is true, but it only means that it should have taken a few hours to sort out instead of 15 minutes. It became a pissing match between the courts and the county and these guy got squeezed. As a lawyer, I can't believe that there wasn't a lawyer for the county telling them that night that this was going to cost them.
Public service sector: we can't find employees and contractors willing to work for us!
Also public service sector: this right here.
Besides, let me guess, that sheriff is elected?
For someone who is in such a position in the future, always notify the local police in writing and by phone call, if not also in person, before starting such an exercise. Make sure they have the get-out-of-jail documentation in advance of the exercise. If the police doesn't approve, don't do it. It would be better to get a no-objection letter from the police in advance. Make sure an attorney is aware of the activities and all documentation. Do not take any chances. You don't live in a kind or forgiving world. Handling unknown unknowns is the point.
They had written authorization from the state court and verbal confirmation from state court officials. They didn't know there would be a pissing match between the judicial branch and the sheriff.
But afaik this wasn't a state courthouse; it's a county courthouse. Legally, obviously, the state has authority and they were in the right, but functionally this is really good advice: if you're doing a penetration test of a space, you functionally need to clear it with the people who are responsible for the security of that space, and whom you might encounter defending it.
Frankly, I would not have taken this gig unless you had verbal confirmation that the Sheriff knows about it and has signed off. If you're entering a red team situation where the State wants to assess the security of their county courthouses, but doesn't want the local authorities to know its happening because they don't trust them: That is not a situation you want to be in the middle of, they gotta sort that out.
9 replies →
> If the police doesn't approve, don't do it. It would be better to get a no-objection letter from the police in advance.
The article says they did have an authorization letter from the state court officials (the people running the building) and they were released right after the letter was verified with the court officials.
At least from what I can see, the police officers involved were doing the right thing. They detained the suspects, made a proper effort to listen to them and validate their story, and then released them.
It was the Sheriff who showed up and didn't like it who then hassled them further.
They basically had a no-objection letter from the people in charge of the building and the police officers were onboard. It was one person who tried to turn it into something else.
That simply is not how the police work. If they get a call about a break in they’re going to respond and assess.
I bought property with a shooting range years ago from a retired SWAT officer with the county. He mentioned that “he always calls the sheriff’s office to let them know if he was doing anything.” Now I’d never owned a private range and am not from this county.
I called up the sheriff’s office and asked for clarification. I was advised that no such policy / program exists or is required and if the officer must have had is own internal policies and chain o command and that is irrelevant to me as a random citizen. In short, if a call is made about a shooter they will have to respond and so long as I’m not doing anything stupid, dangerous, or outright illegal I have nothing to worry about. The same goes for any other type of call.
Wouldn’t that in a lot of ways invalidate the test?
You’re trying to see what can be done and what the response is from the current security practices and the police showing up seems like an important part of that.
It is not clear what as the defined purpose of the test, if it was to measure a successful entry+exit, or measure police response, or both. If measuring the police response was a purpose, the police should still have been notified, just not of the exact date when it would happen. Executing it on a random day should offset the prior awareness of the police. Secondly, it is up to the police leadership to keep it quiet.
If the state wants to verify the counties are doing an adequate job, then tipping them off could result in an invalid assessment. The sheriff's reaction raises suspicion that there are deficiencies he doesn't want found
So... the county sheriff showed up, decided he needed to be a big boss man, and made everything worse for everyone. Sounds pretty typical.
That was my first impression, but reading the original story from 2019 has a much less one-side pictures: https://arstechnica.com/information-technology/2019/11/how-a...
My other comment has more details, but a summary is that they the pentesters had been drinking before breaking into the building, were doing things that could be interpreted as being forbidden by their own contract, and the big one: The person listed on their authorization letter denied that they were approved to enter the building when called.
That last one is a big deal. If your own authorization contacts start telling the police you're not authorized to be in the building, you're in trouble.
Yeah I think that’s pretty useful context. I can understand arresting them and clearing it up with a judge in the morning. I can’t understand continuing to defame them as the lawsuit alleged.
If that’s all that had happened I’m guessing it would’ve avoided a lawsuit, since their purpose was to restore their reputational damage.
2 replies →
Exactly. A fragile man needed assert his authority.
You don't know the man, and you don't know all of the details and nuances of the situation he was called into. How then do you think to judge him like that? You're just stereotyping.
7 replies →
I might be mistaken, but it sounds like these guys showed up at a facility and did the classical "breaking and entering" thing. The onsite (terrified) staff called 911, the police showed up and arrested them. The perps said that they were hired to do this (they were), but nobody told the Sheriffs office or the staff about it.
So yeah, it sucks for these guys' reputations and criminal histories, but... what? The onsite staff didn't know what was going on, the Sheriffs didn't know what was going on.
The county basically said: "We want you to go try to break into this government building. We aren't going to tell the staff or the local police about it. Tell us what you find."
you are mistaken. There was no (terrified) staff present. The building was empty and they tripped an alarm on entry.
Did you even read the article or review the story? The police showed up, reviewed and even verified their documents (called the numbers on the form to confirm their authorization) and we're seemingly satisfied all was in order.
Only once the sheriff himself arrived on scene did he order the arrest that caused all the issues. If that didn't happen it wouldn't have been a story other than "security professionals doing their authorized job".
1 reply →
If the sheriff had found out what was going on and then let them go, this wouldn't be news.
If the sheriff had arrested them and found out in the morning what was going on and then let them go, this wouldn't be news.
If the sheriff had arrested them and brought them before a judge who let them go, this wouldn't be news.
What actually happened is the sheriff found out what was going on, decided it was still criminal anyway, arrested them, and then the county charged and prosecuted them. The charges were eventually dismissed. That is why it's news.
And icing on the cake, the current county attorney disagrees with the dismissal done by his predecessor, and says that he will prosecute any future incidents of this nature. https://www.kcci.com/article/coalfire-contractors-settle-dal...
Definitely some things could have been done a bit differently. I get that they want to keep staff in the dark, and even beat cops, but it seems reasonable and prudent to have the highest level of local law enforcement brought into the loop in planning red team exercises. The likelihood is high that the team will interface with law enforcement. The escalation path within the enforcement side of the state regulatory machine should be cleared in advance.
I think the takeaway for security teams is that you shouldn't let the customer "authorize" what is otherwise criminal activity warranting a police response without getting some air cover from the enforcement side. Coordinating that is the customer's burden to bear and that cover should be secured before letting them hand-wave away the risks with a "just have the police call me and I'll clear it all up". In hindsight only, when you look at it like that, the security team was not covering their ass appropriately. In a perfect world, you'd assume there's some better planning and communication going on behind the curtain. In the real world, you need more than the flimsy "guarantee" of calling a guy who knows a guy in the middle of the night. At the very least, that get out of jail free card should have had as signatories judiciary representation and enforcement representation (e.g. sheriff).
> I might be mistaken [snip].
FTFY
Also - a red-team exercise doesn't work if you tell the targets that they're about to be tested.
4 replies →
why even bother commenting if you didnt even read the article. You just spewed out a bunch of bullshit nonsense of nothing that happened lol
Did you read the article?
They broke in and set off an alarm, the local cops responded, the pentesters showed their credentials, and there was no issue.
Then the sheriff arrived, was butthurt because he felt left out and wanted to show his authority, and caused these guys 6 years of grief for literally no reason at all.
1 reply →
Not bad bug bounty if you ask me
I kinda hate that it settled. I fully understand the plaintiffs not wanting to proceed, but i really wish the sheriff was actually punished for what he did. This sort of power tripping should be a fireable offence
Sheriff Chad Leonard (queue chad references...) retired in 2022.
see https://www.desmoinesregister.com/story/news/2022/08/29/dall...
It's a pity the $600k won't be deducted from his retirement income.
An elected officer. So punishment by ballot box?
That thing where law enforcement officers can be elected is such a weird American oddity.
Most countries appoint law enforcement officers who are qualified for the job.
We had a problem last year here in San Mateo County, California where our sheriff was corrupt but we had to pass a ballot measure because we couldn't just fire them: https://calmatters.org/justice/2025/10/san-mateo-sheriff-rem...
3 replies →
Since when are elected officials immune from prosecution for crimes?
1 reply →
Good god I'm so glad I left dallas. I grew up there. What an awful dump of a city.
Should have been at least 6 mln for each, and 15+ years of max security jail for those who abuse power, including those who "just followed orders".