Communication, communication – and politics: Iowa saga of cuffed infosec pros reveals pentest pitfalls

It has been six weeks since Coalfire's Gary Demercurio and Justin Wynn were arrested in Dallas County, Iowa, while performing a paid-for security penetration test at a courthouse. Despite everyone acknowledging there was no foul play, the pair still face criminal charges. They deny any wrongdoing. The Des Moines Register (no …

  1. Sir Runcible Spoon
    Thumb Up

    Due diligence

    Perhaps next time the pen test team might want to verify that their client actually has the authority to give them the go-ahead to break in. Not an easy one to solve however, and I can't see them being found guilty (the pen testers that is, not the court house people who authorised the test).

    Still, it's a topsy turvy world so best of luck to them from across the pond.

    1. My other car WAS an IAV Stryker
      FAIL

      Re: Due diligence

      It shouldn't be the pen tester's job to have to worry about political jurisdictions. The contract was with the State of Iowa (government body) and they were within the state of Iowa (geophysical region). One county's beef with the State shouldn't matter. Since when does the State not have jurisdiction within any/every county in said state?

      1. Mark 85

        Re: Due diligence

        Well, that's not uncommon as local county cops usually have big egos and hate the city and state police and governments. One can almost hear the sheriff saying "Boys, you in a heap of trouble."

        1. Doctor Syntax Silver badge

          Re: Due diligence

          > One can almost hear the sheriff saying "Boys, you in a heap of trouble."

          Until the writ for malicious prosecution lands.

          1. Nathanwesley

            Re: Due diligence

            That’s right and it’s a crying shame not one cop in Iowa has any guts or balls to take the Dallas County sheriff to jail and book him in for what he did. This is another perfect example of how all cops are trash, and we’re all human, might I add, so let’s hold the cops accountable for their misbehavior same as we would any human.

      2. Anonymous Coward

        Re: Due diligence

        So you think the US government should be able to sign a contract that allows a private company to break into every state's governmental offices, or into every city's governmental, including local jails? I'm sure that would go over well with a Trump administration contract into New York, or if Obama's administration did that in Alabama.

        Just because the counties are inside the state doesn't give the state COMPLETE jurisdiction over the counties. Should the state of Iowa also be able to allow private parties to break into the private homes of Iowa residents? Maybe the state thinks their security should be tested as well?

        1. Claptrap314 Silver badge

          Re: Due diligence

          The states are the original sovereignties in this nation. They created the federal government to handle certain matters, and ceded certain authority to do so. In most states, counties are created by the state, and are a localized extension of it. In particular, no state needs the permission of the US government to sue the US government, but a county may well need the permission of the enclosing state to sue that state.

          In other words, there is a REALLY good chance that the sheriff is full of it.

          But in any event, arresting an individual and charging them with a crime that you KNOW will not stick is the very definition of oppression. This sheriff is on the wrong side of the bars.

      3. veti Silver badge

        Re: Due diligence

        "The state of Iowa" can't just grant permission to break into anything they like, just because it happens to be in Iowa. If I were an Iowan householder (read: voter), I'd want to be very clear about that.

        In this case, it seems pretty clear that the sheriff's real target is the state-level officials who authorised the test. If he can establish that the guys who did the breaking-in were doing something illegal, then it follows that the people who commissioned them to do it were, at the very least, accessories to that. I don't know what local politics are in play, but I'm pretty sure that's the goal here.

      4. mmccul

        Re: Due diligence

        Tell that to Nixon. Couldn't he authorize a break-in in the country of the United States?

        County and state are different jurisdictions, and state governments do not own county buildings.

        1. Claptrap314 Silver badge

          Re: Due diligence

          In many or most states, the counties are extensions of the state. While the county might own the building, the state "owns" the county.

    2. STOP_FORTH
      Terminator

      Caper movie

      Sounds like a good plot for a novel or film?

      Probably needs a cyborg from the future.

  2. Yet Another Anonymous coward Silver badge

    Hoodie stock image drinking game

    Everyone takes a shot

  3. 0laf
    Holmes

    Hard to have a contingency for politics and bloody-mindedness. But the testers shouldn't be caught in the middle.

    I would hope in the UK the Courts or the Procurator would have sense to see there would be no public interest in pursuing a case like this.

    1. AVee

      There was very little reason to cuff them and drag them into jail. And even less reason to keep them there, once the situation was clear. As such they were unfairly caught in the middle.

      However, if the situation indeed is that they signed a contract with someone not allowed to authorize that test there is a public interest in pursuing it further. The question is if the pen-testers should have known this and/or had the obligation to make sure the people they were dealing with had proper authority. This is a very interesting one, you can't have random people be allowed to break in anywhere just because another random person signed a piece of paper. But there (probably) also is a limit to the amount of research you can reasonably expect a pen-tester to do before signing a contract. And behind that there is the question if the testers are personally responsible or if their employer is (as they signed the contract).

      Having a judge rule on that might actually provide a clear framework which I'd say is useful for the pen-testers mostly.

  4. Anonymous Coward

    It's all government politics and asshole cops

    The article makes it pretty clear, and from my experience in government, including with cops and courts (not as a criminal, mind), I have no trouble at all believing that this is all political, and these poor guys are caught up in bullshit not of their devising.

    As another poster pointed out, since when does the state not have jurisdiction in a county? Also, under what statute were they charged? Probably the Iowa Criminal Code or some such which is, oh yeah, STATE law.

    Hopefully this will end with the judge dismissing the charges and giving the idiot cop a good talking to from the bench.

    Anonymous because I know too much about this kind of crap.

  5. chivo243 Silver badge

    petty skirmish

    Just a bunch of willy wagging between the state and the county. Too bad these guys got caught in the crossfire.

  6. david 12 Silver badge

    can't find the iowa code

    I haven't read the Iowa law. It's normally a defence against this offense that the persons had or reasonably believed that they had permission.

    So... the prosecution knows they can't win this -- on appeal it will go to the state court that sent the men in. They aren't trying for a conviction. They are just trying to be assholes.

  7. iron Silver badge

    > clear communication, clear guidelines, and clear plans for what to do in any scenario

    Except none of that helps when you come up against a backwoods cop who wants to wave his gun and his dick around. Like the poor guys in question.

  8. Anonymous Coward

    Mens rea?

    If this goes to court, wouldn't the prosecutor have to prove that the testers intended to commit a crime?

  9. Eclectic Man Silver badge

    Conspiracy

    I do hope the State Official(s) who signed the contract and set up the test have also been arrested for conspiracy to break into the court house. If not, then the local Sheriff would seem to be acting rather inconsistently.

  10. Grinning Bandicoot

    Where there's a will

    If someone at the state level thought the situation out, the Sheriff's office after the alarm would have either stood by or assisted in the testing. The people performing the test would be deputized as special officers authorized to serve warrants and the department wishing the test gets a search warrant for some suspected violation that requires a no-knock stealth approach.

    A legal break in!

  11. Nathanwesley

    Worthless

    In the United States of America, it is illegal for any officer of the law to arrest anyone that they know is innocent. This is a prime example of this law and that sheriff should be made an example out of. Don’t let that sheriff get away with trampling your rights. Sue his sorry tail and the other officers who booked you in. Any officer in Iowa can make the arrest on that sheriff because what that sheriff did affects all Iowa residents. Shame on Iowa police for not doing their duty.
