Comment by 827a
17 hours ago
But afaik this wasn't a state courthouse; it's a county courthouse. Legally, obviously, the state has authority and they were in the right, but functionally this is really good advice: if you're doing a penetration test of a space, you functionally need to clear it with the people who are responsible for the security of that space, and whom you might encounter defending it.
Frankly, I would not have taken this gig unless you had verbal confirmation that the Sheriff knows about it and has signed off. If you're entering a red team situation where the State wants to assess the security of their county courthouses, but doesn't want the local authorities to know its happening because they don't trust them: That is not a situation you want to be in the middle of, they gotta sort that out.
This really depends on how a state structures this, but “county courthouse” is not necessarily a meaningful statement. The judiciary is a state function and it has been delegated to county for purposes of logistics. In larger states, each county gets to set its own court rules, fee schedules, etc. because it would be maddening otherwise. They still ultimately answer to the state judiciary.
Iowa is small enough that it looks like the Iowa Judicial Branch just runs everything directly. Every county seat in Iowa has a courthouse, but the county probably doesn’t really have any control of it.
My guess is that the sheriff had an ego and may not have wanted a finding against him.
Easy to say in hindsight.
Hindsight's how we all learn. Doing it over again, I'm sure those guys would have done things differently. Any team would be crazy today to not be more prudent in how they operate.
Sure, the part I thought was "easy to say in hindsight" was:
> I would not have taken this gig unless you had verbal confirmation that the Sheriff knows about it and has signed off.
We don't know that! We don't know what we would have done in that scenario, especially in the context of a thread about the very outcome one's supposed foresight would have prevented.
From https://en.wikipedia.org/wiki/Hindsight_bias#Attempts_to_red... :
> Research suggests that people still exhibit the hindsight bias even when they are aware of it or possess the intention of eradicating it. [...] The only observable way to decrease hindsight bias in testing is to have the participant think about how alternative hypotheses could be correct.
So here's an alternative hypothesis:
"Hey, do you reckon we should clear this with the county first? The sheriff might come and arrest us on the basis that nobody told him we were going to break into the courthouse"
"Nah, don't worry about it, I've done this sort of thing hundreds of times. And besides, the state has superiority over the county anyway, so even if we get caught which let's face it we won't because we're leet hackers and very incognito... the sheriff won't have any power to do anything to us as soon as we tell him it's authorised by the state"
"SGTM"
1 reply →
Exactly. If I were in that position I would have simply learned from what happens in the future. In the rare instance that there was a negative outcome, I would just inform my previous self so that I could retroactively ensure that that outcome had not occurred.
It is through this simple system that I can confidently say that the content of this article that I am reading today in 2026 had/will have an impact on what I would have done in 2019
Considering today's world, they're lucky they didn't get shot dead with an entire clip.
If the goal is to test for vulnerabilities under real-world conditions, they probably should have bribed the sheriff to stay away.
Legally, obviously, the state has authority
That’s not legally obvious. State v county control over courthouses creates fights over everything from Aesbestos to parking to security. The legal answers lie in state constitutional provisions that nobody ever reads and aren’t particularly helpful.