Ever wonder how a pentest turns into felony charges? Coalfire duo explain Iowa courthouse arrest debacle

Re: Firewalls needed

Nope, not at all- This is a text book example of some county level staff being irritated that they were either not informed of, or given the chance to have any say in, how the state decided to conduct their testing.

Re: Authority to hire services

Except that in every state with which I am familiar, counties are units of the state government. Counties have no sovereignty with respect to the states.

Re: legislation??

One of the basic rules of security is that you don't relying on just one thing doing its job.

That sheriff needs tarring & feathering. But the way the law is, he's untouchable. Changing the law would help with that.

I have been asked to pentest as part of building new systems. In addition to pentest tools it's worth having a human take a look, try something unexpected. I have found big ol holes with more consequence than a jira ticket.

Lesson learned: people who are more concerned with _who_ secures the system and going by the book, instead of how secure it is, should be be given no more responsibility than the cleanliness of a public toilet.

Re: "the team said the plod were actually rather cordial"

Guess what? Different terms are used in different places, and sometimes the same term in a slightly different way. "The plod" may well be standard usage in SF, rather than the author "tries to 'speak British'".

Re: "the team said the plod were actually rather cordial"

I'm sure it's been pointed out before, and should be left well alone for the purposes of irony, but 'n' in the 'grammar nazi' icon text should really be capitalised too.

'round here we say "the dibble" which suffers the same syntactic indignity as "the plod" but lacks a reference text for people to wave in your face. Grammar is the first casualty of slangification, and how could it be otherwise?

Re: "the team said the plod were actually rather cordial"

"There's no definite article when referring to Plod and the word is capitalised because it's a proper noun"

Wrong and wrong. Two minutes googling would show you that "The plod" is equally and frequently used.

The arrest shouldn't matter on record at all.

(Note: below is assuming US law.)

If it's a misdemeanor, most won't care.

If it's a felony, wouldn't that require a grand jury for an indictment? The indictment matters -- the arrest, not so much.

In the opposite direction, non-arrest traffic violations are of great interest to many jobs, particular gig delivery such as GrubHub, DoorDash, and Uber Eats. Only when driving do you interact with other members of the public at such a high frequency (every adjacent vehicle) and can have more impact to public safety than the statistically rarer arrest-worthy crimes.

Yeah, that part of the article is super-sketchy.

If you are applying for a security clearance, these things matter. Otherwise, the "not guilty" covers a lot of ground. Their defense attorney should press to get the record expunged.

Potemkine!

I had the same initial reaction as you everything should be erased. But I am not so sure now. Just because someone has been arrested and then released without charge if the case is still open do you delete everything e.g. the interview. Do you delete everything when the case is closed and say someone else is convicted. Surely you still have to keep the info just in case there has been a miscarriage of justice.

Personal information like photo/mugshot finger prints dna should be deleted.

Also the arrest should not be stored in a way that makes it searchable on police computers or any other system.

Of course there is bugger all you can do if it is reported in the press.

Re: There's more..

While I'm not a big fan of lawyers, it's really only lawyers and doctors - rather than *every* professional - that has the status of being considered above reproach in the matter of seeing and preserving someone's secrets.

I don't think it would be easy to extend this status. It's pretty hard to justify keeping for them, given the number of cases where it's seen to be broken.

You're probably better off getting yourself uniquely qualified as a pentesting lawyer rather than declaring all pentesters guilt-free..

Re: There's more..

"It would be good if security auditors could get the status of lawyers re. client confidentiality. Now I'm the first to admit I havent' quite worked through all the negative implications of that (after all, you could be hired by what turns out to be the front of something rather dodgy), but I think security people could do with more protection."

If you are a pentester for hire, you should seriously look into ensuring that you are directly hired by a law-firm acting for the corporation you are to test. That can provide, in some circumstances, complete confidentiality as your work, is legal work-product. If the corporation has no ongoing litigation, or problems with its security, this may not work. But even the fact of being hired by the lawyers, with sign-off from the corporation to be tested (warranty and indemnity agreements, contractual scope of work etc), will be a big CYA in the case of problems.

Long ago, I was present, as a very junior not-to-be-heard-from minion, when a 'pentester' stated that he could get from the outside hall, to the President's office in less than 3 minutes, without tripping the existing alarm. (30th floor of office tower). The President told him to do ahead, so he did. What he did, was to kick a hole in the drywall from the hall, into, as it happened, a storage room, and then mosey down the hall to an office just outside of the range of the motion detecting alarms in reception, and proceed to kick his way through 3 more walls to the President's office. Made it by about 6 seconds.

Took about 2 weeks to get everything repaired. The building management was NOT amused. A LOT of finger pointing and recriminations ensued. He was not hired. But the alarm system was somewhat enhanced thereafter!