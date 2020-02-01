
(The Register)   Remember those courthouse burglars that turned out to just be infosec pen testers and a lot of farkers said they screwed up and were wrong? Charges were dropped
    Des Moines, Iowa, Police, Computer security, Dallas County, Iowa, Criminal charges, Coalfire employees Gary DeMercurio, third-degree burglary  
Sid_6.7 [TotalFark]
2 hours ago
I haven't followed this story too closely, nor have I kept track of every nuance, but studying physical security is a hobby of mine, in a non-criminal fashion, and my basic impression of the entire story is:

1. There's this company called Coalfire. They perform physical and electronic penetration testing services. It's a legitimate industry, but they're trying to expand, so maybe they're hiring lots of people. Rapid hiring has implications, if you know what I mean.

2. So these two employees are meant to test the security for a government building.

3. In the course of performing the testing these employees exceeded the boundaries specified in the scope document, i.e. the paperwork that says "you're allowed to do A, but not allowed to do B". A crude example of such an agreement would be "You're allowed to pick locks to enter the building, but you're not allowed to break glass". The scope document is pretty f*cking important, because it's what separates legitimate consulting work from criminal activity.

To quote from another El Reg article linked in TFA:

Coalfire said it believed, from the wording of its contract, that its employees were allowed to physically break into the courthouse as part of the $75,000 IT penetration test Iowa had commissioned. However, the court officials said they had a different interpretation of the penetration test contract: while it was agreed that physical penetrations were authorized, officials didn't agree with Coalfire on the scope of these probes.

The primary rub right now seems to be that the contract states that all tests must be carried out during business hours - 6am to 6pm Mountain Time, Monday to Friday - though this can be varied with a change order. There is no sign of such a change order in the released paperwork, though all of the appendices are missing from the bundle, so if one exists, it may be in there somewhere. Remember that Wynn and DeMercurio were nabbed shortly after midnight.

Maybe they didn't exceed the scope document, maybe they did. MSM hasn't covered this story much if at all, and the media that do care about stories like this have been kind of polarized. I generally admire El Reg, but they tend to write for their audience, so I don't consider them entirely neutral.

Worst case scenario story of the events I've heard: one of them gained physical access to the target building, despite physical access being explicitly forbidden. I've also heard a version involving physical access being allowed, but only during certain hours, and he went in outside of those hours. Or he went in during allowed hours, but someone caught him and arrested him, which happens in that line of work, but if the scope is properly documented then you typically don't end up with charges.

I have no idea what the real story is, but I'd guess they acted in good faith, even if they screwed up a bit on legal technicality. I'm glad they're getting off, even if it sucks that they had to deal with all the BS in the meantime. 99% of the time security is bullsh*t and it all needs to be improved, and there are far too many overconfident 'professionals' with an interest in maintaining the status quo.

Also there was at least one charge involving "burglary tools". As someone who studies and picks locks as a hobby, making owning small pieces of metal shaped in a certain non-sharp fashion a crime is bullsh*t.
 
Neondistraction
7 minutes ago

It sounds to me like the county sheriff got all butthurt and decided to turn the whole thing into a dick measuring contest.
 
Resident Muslim
2 minutes ago

Isn't that like laws against "drug paraphernalia"?
IIRC, there are some states with laws against carrying a Slim Jim.
 