back to article Communication, communication – and politics: Iowa saga of cuffed infosec pros reveals pentest pitfalls

It has been six weeks since Coalfire's Gary Demercurio and Justin Wynn were arrested in Dallas County, Iowa, while performing a paid-for security penetration test at a courthouse. Despite everyone acknowledging there was no foul play, the pair still face criminal charges. They deny any wrongdoing. The Des Moines Register (no …

  1. Sir Runcible Spoon Silver badge
    Thumb Up

    Due diligence

    Perhaps next time the pen test team might want to verify that their client actually has the authority to give them the go-ahead to break in. Not an easy one to solve however, and I can't see them being found guilty (the pen testers that is, not the court house people who authorised the test).

    Still, it's a topsy turvy world so best of luck to them from across the pond.

    1. My other car WAS an IAV Stryker
      FAIL

      Re: Due diligence

      It shouldn't be the pen tester's job to have to worry about political jurisdictions. The contract was with the State of Iowa (government body) and they were within the state of Iowa (geophysical region). One county's beef with the State shouldn't matter. Since when does the State not have jurisdiction within any/every county in said state?

      1. Mark 85 Silver badge

        Re: Due diligence

        Well, that's not uncommon as local county cops usually have big egos and hate the city and state police and governments. One can almost hear the sheriff saying "Boys, you in a heap of trouble."

        1. Doctor Syntax Silver badge

          Re: Due diligence

          One can almost hear the sheriff saying "Boys, you in a heap of trouble."

          Until the writ for malicious prosecution lands.

      2. DougS Silver badge

        Re: Due diligence

        So you think the US government should be able to sign a contract that allows a private company to break into every state's governmental offices, or into every city's governmental, including local jails? I'm sure that would go over well with a Trump administration contract into New York, or if Obama's administration did that in Alabama.

        Just because the counties are inside the state doesn't give the state COMPLETE jurisdiction over the counties. Should the state of Iowa also be able to allow private parties to break into the private homes of Iowa residents? Maybe the state thinks their security should be tested as well?

        1. Claptrap314 Silver badge

          Re: Due diligence

          The states are the original sovereignties in this nation. They created the federal government to handle certain matters, and ceded certain authority to do so. In most states, counties are created by the state, and are a localized extension of it. In particular, no state needs the permission of the US government to sue the US government, but a county may well need the permission of the enclosing state to sue that state.

          In other words, there is a REALLY good chance that the sheriff is full of it.

          But in any event, arresting an individual and charging them with a crime that you KNOW will not stick is the very definition of oppression. This sheriff is on the wrong side of the bars.

      3. veti Silver badge

        Re: Due diligence

        "The state of Iowa" can't just grant permission to break into anything they like, just because it happens to be in Iowa. If I were an Iowan householder (read: voter), I'd want to be very clear about that.

        In this case, it seems pretty clear that the sheriff's real target is the state-level officials who authorised the test. If he can establish that the guys who did the breaking-in were doing something illegal, then it follows that the people who commissioned them to do it were, at the very least, accessories to that. I don't know what local politics are in play, but I'm pretty sure that's the goal here.

        1. kmedcalf

          Re: Due diligence

          Apparently a Judge will decide whether or not the State has the authority to authorize the break-in. This is as it should be. The Sheriff is absolutely correct that he does not have the authority to make the decision. His job is to bring conflicts requiring adjudication before a competent Judge. As the breakers-in were unable to provide valid (in the Sheriffs opinion) authority for their actions, the matter should be referred to a Judge.

          The Sheriff should get a medal!

          1. Intractable Potsherd Silver badge

            Re: Due diligence

            The fact that the Sheriff seems to be so well clued-up suggests that he has been wound up and let loose by someone else. In my experience, plod wouldn't know the difference between a county and a state building if he had the definitions in front of him, and he'd care even less. This is a turf-war with innocent people caught in the middle, no different from gangs.

      4. mmccul

        Re: Due diligence

        Tell that to Nixon. Couldn't he authorize a breakin in the country of the United States?

        County and state are different jurisdictions, and state governments do not own county buildings.

        1. Claptrap314 Silver badge

          Re: Due diligence

          In many or most states, the counties are extensions of the state. While the county might own the building, the state "owns" the county.

    2. STOP_FORTH
      Terminator

      Caper movie

      Sounds like a good plot for a novel or film?

      Probably needs a cyborg from the future.

  2. Yet Another Anonymous coward Silver badge

    Hoodie stock image drinking game

    Every takes a shot

  3. 0laf Silver badge
    Holmes

    Hard to have a contingency for politics and bloody-mindedness. But the testers shouldn't be caught in the middle.

    I would hope in the UK the Courts or the Procurator would have sense to see there would be no public interest in pursuing a case like this.

    1. AVee

      There was very little reason to cuff them and drag them into jail. And even less reason to keep them there, once the situation was clear. As such they where unfairly caught in the middle.

      However, if the situation indeed is that they signed a contract with someone not allowed to authorize that test there is a public interest in pursuing it further. The question is if the pen-testers should have known this and/or had the obligation to make sure the people they where dealing with had proper authority. This is a very interesting one, you can't have random people be allowed to break in anywhere just because another random person signed a piece of paper. But there (probably) also is a limit to the amount of research you can reasonably expect a pen-tester to do before signing a contract. And behind that there is the question if the testers are personally responsible or if their employer is (as they signed the contract).

      Having a judge rule on that might actually provide a clear framework which I'd say is useful for the pen-testers mostly.

  4. Anonymous Coward
    Anonymous Coward

    It's all government politics and asshole cops

    The article makes it pretty clear, and from my experience in government, including with cops and courts (not as a criminal, mind), I have no trouble at all believing that this is all political, and these poor guys are caught up in bullshit not of their devising.

    As another poster pointed out, since when does the state not have jurisdiction in a county? Also, under what statute were they charged? Probably the Iowa Criminal Code or some such which is, oh yeah, STATE law.

    Hopefully this will end with the judge dismissing the charges and giving the idiot cop a good talking to from the bench.

    Anonymous because I know too much about this kind of crap.

  5. chivo243 Silver badge

    petty skirmish

    Just a bunch of willy wagging between the state and the county. Too bad these guys got caught in the crossfire.

  6. david 12 Silver badge

    can't find the iowa code

    I haven't read the Iowa law. It's normally a defence against this offense that the persons had or reasonably believed that they had permission.

    So... the prosecution knows they can't win this -- on appeal it will go to the state court that sent the men in. They aren't trying for a conviction. They are just trying to be assholes.

  7. iron Silver badge

    > clear communication, clear guidelines, and clear plans for what to do in any scenario

    Except none of that helps when you come up against a backwoods cop who wants to wave his gun and his dick around. Like the poor guys in question.

  8. Anonymous Coward
    Anonymous Coward

    Mens rea?

    If this goes to court, wouldn't the prosecutor have to prove that the testers intended to commit a crime?

  9. Eclectic Man

    Conspiracy

    I do hope the State Official(s) who signed the contract and set up the test have also been arrested for conspiracy to break into the court house. If not, then the local Sheriff would seem to be acting rather inconsistently.

  10. Grinning Bandicoot

    Where there's a will

    If someone at the state level thought the situation out, the Sheriff's office after the alarm would have either stand by or assist in the testing. The people performing the test be deputized as special officers authorized to serve warrants and the department wishing the test gets a search warrant for some suspected violation that requires a no-knock stealth approach.

    A legal break in!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019