Comment by QuercusMax

15 hours ago

So... the county sheriff showed up, decided he needed to be a big boss man, and made everything worse for everyone. Sounds pretty typical.

That was my first impression, but reading the original story from 2019 has a much less one-sided picture: https://arstechnica.com/information-technology/2019/11/how-a...

My other comment has more details, but a summary is that the pentesters had been drinking before breaking into the building, were doing things that could be interpreted as being forbidden by their own contract, and the big one: The person listed on their authorization letter denied that they were approved to enter the building when called.

That last one is a big deal. If your own authorization contacts start telling the police you're not authorized to be in the building, you're in trouble.

  • Yeah I think that’s pretty useful context. I can understand arresting them and clearing it up with a judge in the morning. I can’t understand continuing to defame them as the lawsuit alleged.

    If that’s all that had happened I’m guessing it would’ve avoided a lawsuit, since their purpose was to restore their reputational damage.

    • This seems to be on par for this Iowa county, whose ignorance sadly has painted a major target on its innocent citizens. Related article:

      "Dallas County Attorney Matt Schultz told KCCI: 'I want to be clear that the decision to dismiss the criminal charges that resulted in this civil case against Dallas County was made by a previous County Attorney. I am putting the public on notice that if this situation arises again in the future, I will prosecute to the fullest extent of the law.'"

      https://www.kcci.com/article/coalfire-contractors-settle-dal...

Exactly. A fragile man needed to assert his authority.

  • You don't know the man, and you don't know all of the details and nuances of the situation he was called into. How then do you think to judge him like that? You're just stereotyping.

    • Those "details and nuances of the situation he was called into" become completely irrelevant once one is presented with irrefutable evidence that their actions were completely legal. What matters is his conduct after that happened, which was blatant and persistent abuse of power.

      Stop justifying and excusing abuse of power, he hurt innocent people, cost the taxpayers $600k in a single incident of abusive and wrongful conduct, and he's now enjoying taxpayer-funded retirement without facing any accountability.

      https://arstechnica.com/information-technology/2019/11/how-a...

I might be mistaken, but it sounds like these guys showed up at a facility and did the classical "breaking and entering" thing. The onsite (terrified) staff called 911, the police showed up and arrested them. The perps said that they were hired to do this (they were), but nobody told the Sheriff's office or the staff about it.

So yeah, it sucks for these guys' reputations and criminal histories, but... what? The onsite staff didn't know what was going on, the Sheriffs didn't know what was going on.

The county basically said: "We want you to go try to break into this government building. We aren't going to tell the staff or the local police about it. Tell us what you find."

  • You are mistaken. There was no (terrified) staff present. The building was empty and they tripped an alarm on entry.

  • Did you even read the article or review the story? The police showed up, reviewed and even verified their documents (called the numbers on the form to confirm their authorization) and were seemingly satisfied all was in order.

    Only once the sheriff himself arrived on scene did he order the arrest that caused all the issues. If that didn't happen it wouldn't have been a story other than "security professionals doing their authorized job".

    • > reviewed and even verified their documents (called the numbers on the form to confirm their authorization)

      Apparently there's more to this story. From the original article https://arstechnica.com/information-technology/2019/11/how-a...

      > Another reason for doubt: one of the people listed as a contact on the get-out-of-jail-free letter didn’t answer the deputies’ calls, while another said he didn’t believe the men had permission to conduct physical intrusions.

      It's actually kind of amazing that the police first let them go after the official contact on the form said they were not authorized to intrude in the building.

  • If the sheriff had found out what was going on and then let them go, this wouldn't be news.

    If the sheriff had arrested them and found out in the morning what was going on and then let them go, this wouldn't be news.

    If the sheriff had arrested them and brought them before a judge who let them go, this wouldn't be news.

    What actually happened is the sheriff found out what was going on, decided it was still criminal anyway, arrested them, and then the county charged and prosecuted them. The charges were eventually dismissed. That is why it's news.

    And icing on the cake, the current county attorney disagrees with the dismissal done by his predecessor, and says that he will prosecute any future incidents of this nature. https://www.kcci.com/article/coalfire-contractors-settle-dal...

  • Definitely some things could have been done a bit differently. I get that they want to keep staff in the dark, and even beat cops, but it seems reasonable and prudent to have the highest level of local law enforcement brought into the loop in planning red team exercises. The likelihood is high that the team will interface with law enforcement. The escalation path within the enforcement side of the state regulatory machine should be cleared in advance.

    I think the takeaway for security teams is that you shouldn't let the customer "authorize" what is otherwise criminal activity warranting a police response without getting some air cover from the enforcement side. Coordinating that is the customer's burden to bear and that cover should be secured before letting them hand-wave away the risks with a "just have the police call me and I'll clear it all up". In hindsight only, when you look at it like that, the security team was not covering their ass appropriately. In a perfect world, you'd assume there's some better planning and communication going on behind the curtain. In the real world, you need more than the flimsy "guarantee" of calling a guy who knows a guy in the middle of the night. At the very least, that get out of jail free card should have had as signatories judiciary representation and enforcement representation (e.g. sheriff).

  • > I might be mistaken [snip].

    FTFY

    Also - a red-team exercise doesn't work if you tell the targets that they're about to be tested.

    • Sure, but that's different than not telling the local police department. Because they will show up with K9s and guns. And then it becomes a very dangerous situation.

  • Why even bother commenting if you didn't even read the article? You just spewed out a bunch of bullshit nonsense of nothing that happened lol

  • Did you read the article?

    They broke in and set off an alarm, the local cops responded, the pentesters showed their credentials, and there was no issue.

    Then the sheriff arrived, was butthurt because he felt left out and wanted to show his authority, and caused these guys 6 years of grief for literally no reason at all.

    • > the local cops responded

      Extremely dangerous and irresponsible for the county not to alert the local police and Sheriff's office that this operation was taking place.

      I'm glad these guys got their money.