Comment by rainonmoon
12 hours ago
> If we were testing security for something like a courthouse we would've had a card on each of us with the personal cell phone number of the county clerk along with a statement of work that described exactly what we were authorized to do, with signatures.
You mean... the thing that they had? FTA:
"Within minutes, deputies arrived and confronted the two intruders. DeMercurio and Wynn produced an authorization letter—known as a “get out of jail free card” in pen-testing circles. After a deputy called one or more of the state court officials listed in the letter and got confirmation it was legit, the deputies said they were satisfied the men were authorized to be in the building."
There's also no indication that they damaged property (they used a UDT to trip a sensor to bypass the door). Neither of us were there, but based on the actual reporting it sounds like the worst anyone could accuse these people of being is stupidly unprofessional and bad communicators, which if you worked with pentesters shouldn't seem like an unprecedented aberration.
Read the article further. When the police called the phone number on the document, the person on the other end denied that they were authorized to be in the building.
But I’m responding to the notion that they should’ve had signed documentation with the scope with them. They did. The fact that their own company hung them out to dry by not informing everyone on that list is not the pentesters’ fault.
I wasn't trying to suggest they did or didn't have the right documentation. I honestly don't know. I was just explaining how we normally operated. The idea that the emergency contact wouldn't answer, or even worse deny we had authority seems impossible to me... At least if you're doing things the way we did.
2 replies →