Remember that security probe that ended with a sheriff cuffing the pen testers? The contract is now public so you can decide who screwed up

it's a test of law more than penetration

clearly, the contracted pentest-testers did their work.

the arresting officer has issue with the authority that authorised the pentesting.

thats between the police and the law makers to decide.

the duo are vindicated. i wouldn't be surprised if they sued for loss of earnings and defamation of charater!

sounds to me...

Like the Iowa courthouse officer performed his job admirably. He caught them, refused to co-operate with what could have been a spoofed authority, and handed the matter over to the justice department to deal with. I hope Justin and Gary are well paid; in many a jurisdiction they would have received a thorough beating for resisting arrest, then treated to a new perspective on penetration testing.

Pentesting

Most likely this will be sorted out, but still a bit mean to detain the pair for essentially doing a job too well.

One wonders how far they got, and did they get their "sneaky device" plugged into the network before being caught?

Not sure what this would be termed, would it be a "Brown bag operation" or a "Blue Light Special" ?

passed the test

Looks like the courthouse passed the physical part of the pen test. What a collosal fuckup though...

You know, our local media does such a lovely job on news coverage... I live in Iowa and this is the first I've heard of this!

#semantics

It's always between 0600 and 1800 somewhere in the world...

Did they specify a timezone in the contract...?

"Loopholery" for the win...!

I think if nothing else...

On the positive, it sounds as though these guys are genuine, and not paid-up members of the Oceans eleven team. I think if nothing else the client-supplier lessons learned and PIR should definitely include "actually talking to each other in detail" to agree the terms, scope, approach and plan prior to the statement or work being signed.

Reading the Rules of Enagements (https://www.iowacourts.gov/static/media/cms/Rules_of_Engag_E9D807B3D13D3.pdf). It states

"Attempt to gain physical documentation at three locations ... Can be during the day and the evening ... " so far so good.

But the Social Engineering authorization (https://www.iowacourts.gov/static/media/cms/Social_Engr_D58D70423AAF3.pdf) states that

"Tasks that shall not be performed include - Alarm subversion and Force open doors"

One of the main purposes

of my proposed solution to Accountablity Theatre is to provide cover for just such legitimate operations.

Clearly what they omitted (and what was obviously omitted from their contract) was the step of informing a trusted confidante who was NOT a member of the client organisation nor the pen testing organisation but was trusted by both (eg a Lawyer) - of what they're plans were. The other step that they should have taken was to ensure a full digital record of every relevant action they took (whether through body cams for the on site "break in" or digital recording of their discussions, conclusions and plans and how/when those were shared with the T3P); and, of course, the routine digital capture and multiply redundant storage of all their evidence, together with regular snapshot hashes stored on an immutable audit trail (public hash-chain or block chain)

And although it obviously fits this case, it should apply not just to undercover surveillance activities, but ALL the activities carried out by anyone whose activities have - or could have - significant effect on the lives of others. None of the evidence is public by default. Only the proof that the evidence exists (the hash-chain) needs to be public. Then, in the event of reasonable challenge, the defendent has proof of their valid behaviour and decision making process. That "proof of proof" needs to be mandatory. And if in the event of challenge, if they can't prove that they kept the evidence, they're automatically guilty. And if they have the proof but choose not to present it, we're entitled to reach the same conclusion.

Citizens: Innocent until proven guilty

Authority: Guilty until proven innocent

What Charge?

Around here, there is nothing they could be charged with that has any reasonable chance of success. They weren't stealing anything. "Breaking and entering" is only "for the purposes of committing an offence". "Unlawfully on premises" has a defence of "honest and reasonable mistake of belief". Different locations have different rules, but unless it was a defence establishment or a bathroom I'm not seeing anything.

It's already being played out In public: I don't think it will go to court, and I don't think anything new will come out in court. Possible penalties include getting the men fired, and the company going out of business.

Cojones

You could not pay me enough to break in to a courthouse at midnight in a country where even security guards carry guns. Were these guys bravely taking their responsibilities seriously, forced into it by their employer, macho idiots?

Dumb testers

This was stupid move on the part of the pentesters. When I saw it was Coalfire, I was not surprised. Ive heard a lot of stories of their pentesters pulling these kind of stunts.

None of this is helped by the USA's (in)famous Federal vs State vs County vs City legal system. For all I know, there may be even more competing legal groups.

Sheriff hears from state that the guys are legit, but instead of letting them go and raising his issue with state, he has to act a dickless twat and hold them at the taxpayer's expense because he's in a huff