back to article Ever wonder how a pentest turns into felony charges? Coalfire duo explain Iowa courthouse arrest debacle

The two penetration testers whose arrest and imprisonment made headlines last year are finally sharing their story, and it is a doozy. Florida man Justin Wynn and Seattle resident Gary DeMercurio, both pentesters at infosec shop Coalfire Systems, said the ordeal they experienced in Iowa last September could have been avoided …

  1. Anonymous Coward
    Anonymous Coward

    Firewalls needed

    Y'all barely alluded to the politics behind the sheriff's antics. Local vs. state vs. other locals vs. personal vendettas, etc.

    What is *really* important to get in writing is not merely the complete scope of testing authorized, but what organization - what specific people - will take a bullet for the testers.

    Oh wait, saying that is in very bad taste given the mentioned country. Sorry.

    1. J. Cook Silver badge

      Re: Firewalls needed

      Nope, not at all- This is a text book example of some county level staff being irritated that they were either not informed of, or given the chance to have any say in, how the state decided to conduct their testing.

      1. JCitizen Bronze badge
        Meh

        Re: Firewalls needed

        Currently in the US is a polarizing mistrust between state entities because of the political climate now. I'm big on pen-testing, so don't get me wrong, but it is just common sense to alert as many of the heads of each level that the testing is going on, and document it; which they admit should have been done.

        Many of our friends across the pond may find this climate distasteful, but in America we find it healthy to trust the powers that be only so far and so much. It is the historical way in the US. I do believe there should be a law allowing persons that are victims of false arrest to expunge such records, and some states may have that in place already.

  2. HereIAmJH

    Authority to hire services

    Something else you might want to get in writing, if you are doing physical break-ins, is an affidavit stating that the person hiring you has the authority to hire the services you are selling. It should have been a big red flag in contract negotiations that a State official was hiring you to pen test a County building.

    1. Claptrap314 Silver badge

      Re: Authority to hire services

      Except that in every state with which I am familiar, counties are units of the state government. Counties have no sovereignty with respect to the states.

      1. amusedscientist

        Re: Authority to hire services

        You might want to study up on the powers of a County Sheriff. The rules go back to before Magna Carta. The office of sheriff is unique in that he is directly responsible to the people of his county, not the government or the courts. Sheriffs are elected, not appointed, and they have complete authority to reject the acts of any agency of the government if those acts violate the rights of the people.

        1. Toolman83

          Re: Authority to hire services

          The Magna Carta was signed in 1215, America was discovered a few hundred years after that, you might want to check your dates :-)

          1. Claptrap314 Silver badge

            Re: Authority to hire services

            You might want to study the evolution of law. He's correct in the facts that he states.

        2. LDS Silver badge

          Re: Authority to hire services

          Yes, it's thinking that structures built for the XIII century could work without changes in the XXI the issue.

          And it looks some sheriffs are more interested to assert their power than protecting citizens' rights.

        3. Claptrap314 Silver badge

          Re: Authority to hire services

          I am not an expert in that quirk in the law, although I am aware of it. However, even if we accept that the sheriff has some sort of broad authority independent of the state which sets the physical boundaries of that authority, it remains that the courthouse county courthouse is the property of the county _as an administrative subunit of the state_. The sheriff is as free to assert his superior jurisdiction there as he is anything else, but that does not make it the truth. Moreover, whatever authority of the sheriff has in the face of state authority is about preventing abuse of the local population by state authorities. (And, if the "No More Wacos" Act passed, also the Feds.) Sheriffs who go around saying, "I am the Law" are themselves abusing whatever authority they have, not exercising it.

      2. HereIAmJH

        Re: Authority to hire services

        I'm not sure what US states you are familiar with then. Around here county (and city) governments are distinct entities from the state governments. With their own elected officials and charters. I live in my county seat, and I can assure your that our courthouse is owned by the county and secured by our sheriff.

        1. Claptrap314 Silver badge

          Re: Authority to hire services

          Certainly--as it is true everywhere. But the claim that "the state cannot tell the county what to do" is farcical. The counties exist as administrative subdivisions of the state. When I moved to Texas, it took approval by the people of the entire state to change the form of government in any county. That was 1994. Of course, the history of Texas is peculiar, but the principle remains. Off the Eastern seaboard, the states were created first, and these states created counties so that the locals could handle their local business locally. The powers granted to the counties were (and remain) whatever the state says, and the states can change that at any time.

          1. Donn Bly

            Re: Authority to hire services

            The powers granted to the counties were (and remain) whatever the state says, and the states can change that at any time

            Actually, you will find that once authority is delegated it is not so easily withdrawn, and states CANNOT just change it at any time. The same principle exists between the states and the Federal government.

            In the United States the power trickles from the bottom up, not from the top down, and the power of county officials over certain things, such as county buildings and infrastructure, is almost absolute. The State's control in those areas is pretty limited, and then usually by controlling how much in the way of tax dollars flows back into the county. It would usually require a subpoena for the state to reassert control.

            1. Claptrap314 Silver badge

              Re: Authority to hire services

              Do a recheck. Power flow from the states. Up to the Feds, and down to the counties. Whenever a state law is passed, the counties MUST comply.

  3. Edwin
    Facepalm

    legislation??

    Sounds like the contract was not very good and the testers blindly accepted a scope change without confirmation in writing.

    Not to say the various officials weren't being deliberately disagreeable, but I think this is a case of less commercial naiveté and not more legislation...

    1. Claptrap314 Silver badge

      Re: legislation??

      One of the basic rules of security is that you don't relying on just one thing doing its job.

      That sheriff needs tarring & feathering. But the way the law is, he's untouchable. Changing the law would help with that.

      1. teknopaul Silver badge

        Re: legislation??

        Vote Chad Leonard - tough on innocents, weak on security.

    2. JCitizen Bronze badge
      Stop

      Re: legislation??

      The only new law I see in this instance that may be wise, is an expungement right to those who fall victim of false arrest.

  4. williamsth

    I'm not a pentester by any means, but surely, the contract detail is extremely important in these situations. It is literally the only thing stopping you going to prison.

    These guys were really unfortunate, but also very lucky to have their charges dropped. I just think, speaking as a non-pentester, these lessons were already learnt within the community and they didn't have to learn the lesson themselves to know this?

    1. teknopaul Silver badge

      I have been asked to pentest as part of building new systems. In addition to pentest tools it's worth having a human take a look, try something unexpected. I have found big ol holes with more consequence than a jira ticket.

      Lesson learned: people who are more concerned with _who_ secures the system and going by the book, instead of how secure it is, should be be given no more responsibility than the cleanliness of a public toilet.

  5. Mike 137 Silver badge

    "...had they just done a better job of documenting the scope of their audit"

    Lack of attention to detail, which is unforgivable in a pen tester. One time when selecting a pen testing service for a client, I failed an otherwise perfectly respectable service because their technical representative answered a critical question incorrectly. The question was "what is your first step on receiving the list of IP addresses to be tested against?" I forget his exact answer, but it wasn't "check that they're all really yours".

  6. chivo243 Silver badge
    Coat

    Perfect shit storm

    When does the movie come out? You know Deliverance, with Hackers!

    Where's my banjo?

    1. lglethal Silver badge
      Thumb Up

      Re: Perfect shit storm

      Sell it like that and Hollywood will eat your hand off!

      (I'd watch it!)

      1. My other car WAS an IAV Stryker Bronze badge

        Re: Perfect shit storm

        Make the movie, then call Ryan George (YouTuber) to make the corresponding episode of "Pitch Meetings": "So, this Sheriff? He's just the *worst*."

        1. JCitizen Bronze badge
          Devil

          Re: Perfect shit storm

          I can just hear it now, " Yo's in a heap a trubba boy!"

  7. Symon Silver badge
    Headmaster

    "the team said the plod were actually rather cordial"

    This is what happens when someone from the west coast of America tries to 'speak British'! There's no definite article when referring to Plod and the word is capitalised because it's a proper noun, coming from politically incorrect* author Enid Blyton's Noddy stories. "Halt, in the name of Plod!"

    It you really want to use an article, may I suggest 'the filth', 'the old bill' or 'the rozzers'? Or even 'the labdicks' if you're in Edinburgh.

    * FFS :- "No single author has caused more controversy among librarians, literary critics, teachers, and other educationalists and parents during the last thirty years, than Enid Blyton. How is it that the books of this tremendously popular writer for children should have given rise to accusations of censorship against librarians in Australia, New Zealand, and the United Kingdom?"

    https://en.wikipedia.org/wiki/Enid_Blyton#Critical_backlash

    p.s. Interesting story, thanks!

    1. Anonymous Coward
      Anonymous Coward

      Re: "the team said the plod were actually rather cordial"

      Guess what? Different terms are used in different places, and sometimes the same term in a slightly different way. "The plod" may well be standard usage in SF, rather than the author "tries to 'speak British'".

    2. Blazde

      Re: "the team said the plod were actually rather cordial"

      I'm sure it's been pointed out before, and should be left well alone for the purposes of irony, but 'n' in the 'grammar nazi' icon text should really be capitalised too.

      'round here we say "the dibble" which suffers the same syntactic indignity as "the plod" but lacks a reference text for people to wave in your face. Grammar is the first casualty of slangification, and how could it be otherwise?

      1. Symon Silver badge
        Happy

        Re: "the team said the plod were actually rather cordial"

        "Grammar is the first casualty of slangification, and how could it be otherwise?" Are you new around here? ;-) Maybe Nazi has gone the way of the hoover, tannoys and braille?

      2. Andy Landy

        Re: "the team said the plod were actually rather cordial"

        'round here we say "the dibble" which suffers the same syntactic indignity as "the plod" but lacks a reference text for people to wave in your face.

        that would be Officer Dibble from Top Cat...

        1. John 110

          Re: "the team said the plod were actually rather cordial"

          What? Not fireman Dibble from Camberwick Green?

      3. Paul Donnelly

        Re: "the team said the plod were actually rather cordial"

        Uh Dibble is from Top Cat, in the exact way Plod is from Noddy. PC Plod, Officer Dibble.

        Both should be capitalised. Neither should be preceded by a 'the'.

    3. dak
      Headmaster

      Re: "the team said the plod were actually rather cordial"

      Roon' aboot here, it's "ra polis".

    4. Just Enough

      Re: "the team said the plod were actually rather cordial"

      "There's no definite article when referring to Plod and the word is capitalised because it's a proper noun"

      Wrong and wrong. Two minutes googling would show you that "The plod" is equally and frequently used.

      1. Dyspeptic Curmudgeon

        Re: "the team said the plod were actually rather cordial"

        Yup. Just like 'the hoi polloi' is equally and frequently used (and abused).

      2. Paul Shirley
        Happy

        Re: "the team said the plod were actually rather cordial"

        ....because us ordinary folk steal their words and do whatever we want with them.

        If it annoys grammar or spelling pedants we score bonus points ;)

  8. CrazyOldCatMan Silver badge

    Lesson for life..

    (and not just support - from my IT experience of 35 years):

    *Always* have your CYA material prepared.

  9. Potemkine! Silver badge

    " charges ultimately being dropped when common sense prevailed, both DeMercurio and Wynn now have a felony arrest record that shows up during background checks"

    So when somebody is declared innocent, there are still records he/she was arrested? It's shocking to me. If charges are dropped, everything should be erased, period. Especially when keeping this fallacious record has consequences for his/her future life.

    1. My other car WAS an IAV Stryker Bronze badge

      The arrest shouldn't matter on record at all.

      (Note: below is assuming US law.)

      If it's a misdemeanor, most won't care.

      If it's a felony, wouldn't that require a grand jury for an indictment? The indictment matters -- the arrest, not so much.

      In the opposite direction, non-arrest traffic violations are of great interest to many jobs, particular gig delivery such as GrubHub, DoorDash, and Uber Eats. Only when driving do you interact with other members of the public at such a high frequency (every adjacent vehicle) and can have more impact to public safety than the statistically rarer arrest-worthy crimes.

      1. HellDeskJockey

        Federal law requires a grand jury but this is the state of Iowa. Each state has it's own rules on that.

        They should be able to get things expunged. But they need a lawyer for that.

      2. JCitizen Bronze badge
        Megaphone

        Oh, an arrest record is serious in the US.

        Especially if you ever expect to purchase a firearm; just the arrest record will stop the process right there, and it doesn't have to be a felony, if it is related to domestic violence. I agree with this procedure as long as it isn't false arrest, and if charges are dropped in the case of domestic violence the suspect should be allowed an expungement after a set amount of time. How many states have this system I wouldn't know, but I'm in favor of people being able to clean up their records at a minimum time factor.

        A big case that comes to mine is New York City vs. Kalief Browder; which was a particularly egregious act of the state, and he should be the poster child for the Black Lives Matter movement.

    2. Claptrap314 Silver badge

      Yeah, that part of the article is super-sketchy.

      If you are applying for a security clearance, these things matter. Otherwise, the "not guilty" covers a lot of ground. Their defense attorney should press to get the record expunged.

    3. Falmari

      Potemkine!

      I had the same initial reaction as you everything should be erased. But I am not so sure now. Just because someone has been arrested and then released without charge if the case is still open do you delete everything e.g. the interview. Do you delete everything when the case is closed and say someone else is convicted. Surely you still have to keep the info just in case there has been a miscarriage of justice.

      Personal information like photo/mugshot finger prints dna should be deleted.

      Also the arrest should not be stored in a way that makes it searchable on police computers or any other system.

      Of course there is bugger all you can do if it is reported in the press.

      1. doublelayer Silver badge

        "Just because someone has been arrested and then released without charge if the case is still open do you delete everything"

        In this case, charges were dropped. This basically means that the case isn't open. It's possible for someone to decide to file new charges, but unless that happens, the people concerned are not subjects of any charges and not arrested. The case is effectively closed, not open.

        "do you delete everything e.g. the interview. Do you delete everything when the case is closed and say someone else is convicted. Surely you still have to keep the info just in case there has been a miscarriage of justice."

        You can keep that if you need to. The point under dispute is whether you keep a public record of an arrest. You can keep the interviews and evidence in private without allowing the names of the people who were released without charges to be inextricably linked to something that is now viewed as not criminal.

        "Personal information like photo/mugshot finger prints dna should be deleted."

        I agree, but when they don't do so, they will use the same argument you have just made.

        "Of course there is bugger all you can do if it is reported in the press."

        Well, you can do some things. In Europe, this is where the right to be forgotten might be used. People will argue about that, but we can skip it for now since this is in America. Still, a newspaper story making clear what happened offers more context than a record that simply says "arrested on felony charge, no trial occurred". Someone doing a background check who reads the article and understands the context is more likely to make a reasonable decision than an automatic system that looks for felony charges in a database and counts people out on that basis.

        1. Falmari

          "You can keep that if you need to. The point under dispute is whether you keep a public record of an arrest. You can keep the interviews and evidence in private without allowing the names of the people who were released without charges to be inextricably linked to something that is now viewed as not criminal."

          That's what I meant with this

          "Also the arrest should not be stored in a way that makes it searchable on police computers or any other system."

          Just did not say it very well :(

  10. Anonymous Coward
    Anonymous Coward

    There's more..

    One of the problems I have come across is that you inevitably learn something about the person or company you're auditing or testing. It's something I work very hard at to avoid (for example, I will *never* open any files I have gained access to, even when authorised by the client, I always let client staff do that), but sometimes, well, clients can be quite messy.

    The problem is that it puts me and the company I work for in the cross hairs of any government official who wants to find out information about the client, and they're not always terribly subtle in indicating how far they're willing to go to get what they have basically no right to.

    It would be good if security auditors could get the status of lawyers re. client confidentiality. Now I'm the first to admit I havent' quite worked through all the negative implications of that (after all, you could be hired by what turns out to be the front of something rather dodgy), but I think security people could do with more protection.

    I'd welcome a discussion - I know it's not really black and white (or binary, to stay with the digital theme :) ) and I"m sure I missed a lot here. Opinions?

    1. Adrian 4 Silver badge

      Re: There's more..

      While I'm not a big fan of lawyers, it's really only lawyers and doctors - rather than *every* professional - that has the status of being considered above reproach in the matter of seeing and preserving someone's secrets.

      I don't think it would be easy to extend this status. It's pretty hard to justify keeping for them, given the number of cases where it's seen to be broken.

      You're probably better off getting yourself uniquely qualified as a pentesting lawyer rather than declaring all pentesters guilt-free..

      1. doublelayer Silver badge

        Re: There's more..

        But in order to make that decision, we have to ask why those professions get those privacy benefits. Lawyers make sense, since they are ostensibly the protection layer between people and their accusers. How about doctors? Why do they get that protection? According to this article on the subject, it's designed to ensure that patients tell medical professionals enough information that they are treated properly. On that basis, you can make an argument that security testing is similar to medical--they are also ensuring that the person or organization who is using their services is healthy, and you can draw coherent though tenuous connections between tasks performed by security testers and doctors. The argument isn't the easiest to make, but in my opinion the argument for medical privilege isn't particularly convincing either.

    2. Dyspeptic Curmudgeon

      Re: There's more..

      "It would be good if security auditors could get the status of lawyers re. client confidentiality. Now I'm the first to admit I havent' quite worked through all the negative implications of that (after all, you could be hired by what turns out to be the front of something rather dodgy), but I think security people could do with more protection."

      If you are a pentester for hire, you should seriously look into ensuring that you are directly hired by a law-firm acting for the corporation you are to test. That can provide, in some circumstances, complete confidentiality as your work, is legal work-product. If the corporation has no ongoing litigation, or problems with its security, this may not work. But even the fact of being hired by the lawyers, with sign-off from the corporation to be tested (warranty and indemnity agreements, contractual scope of work etc), will be a big CYA in the case of problems.

      Long ago, I was present, as a very junior not-to-be-heard-from minion, when a 'pentester' stated that he could get from the outside hall, to the President's office in less than 3 minutes, without tripping the existing alarm. (30th floor of office tower). The President told him to do ahead, so he did. What he did, was to kick a hole in the drywall from the hall, into, as it happened, a storage room, and then mosey down the hall to an office just outside of the range of the motion detecting alarms in reception, and proceed to kick his way through 3 more walls to the President's office. Made it by about 6 seconds.

      Took about 2 weeks to get everything repaired. The building management was NOT amused. A LOT of finger pointing and recriminations ensued. He was not hired. But the alarm system was somewhat enhanced thereafter!

  11. Anonymous Coward
    Anonymous Coward

    I have been following this story with interest. This from the perspective of the county IT director that does the hands on work defending the networks.

    Most news stories get the details wrong so I won't comment on Dallas County point on but I gotta say that if the state sent someone to our county to break into the systems, physical or electronic, there would be hell to pay.

    Congratulations to that small Dallas county and their sheriff's deputies for fending off the attack. Now walk through the courthouse and other offices and look under the mouse pads and staplers.

  12. Anonymous Coward
    Anonymous Coward

    Liability

    I manage the 3rd party PEN testing contract within our organisation.

    It took six months to finalise the liability clauses, so that the PEN testers were covered (as long as they stayed within scope, and use the methods agreed in the statement of works) and that we were covered if they go off piste.

    If the PEN testers did something that they weren't meant to, but we told them to, the liability is with us.

    If the PEN testers did something that they weren't meant to, and it wasn't in the scope, then the liability is with them.

    We also sign each engagement advising that we have authority over the systems being tested.

    These are fairly standard clauses, but the wording needs paying close attention to.

    Anon, because....

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020