CEO Of Security Company Behind Unorthodox Penetration Tests Wants To Know Why His Employees Are Still Being Criminally Charged

from the sheriff-determined-to-show-state's-court-who-the-biggest-dick-is dept

A couple of months ago, security researchers performing a very physical penetration test of an Iowa courthouse were arrested for breaking and entering. They were also charged with possessing burglar’s tools, which they did indeed possess.

The employees of Coalfire Security said they had been employed by the state’s judicial branch to test physical accessibility of courthouses. They had paperwork granting them permission to perform “physical security assessments” at multiple locations. While nothing specifically instructed the security testers to break into buildings, nothing in the documents suggested this was forbidden either. All it told the testers to do was to attempt to gain access to documents, internal systems, and areas closed off to the public.

A statement from the judicial branch suggested there had been some sort of misunderstanding and it apologized to the law enforcement officers for the “confusion” caused by this unorthodox penetration test. That apparently wasn’t enough for the sheriff’s department and local prosecutors, who moved ahead with felony charges.

Coalfire Security didn’t have much to say when the news first broke, but the company has now issued a lengthy statement [PDF] that accuses the Dallas County Sheriff of turning a routine security test into a battle of wills between his office and the state’s judicial branch.

[Coalfire Security employees Gary] Demercurio and [Justin] Wynn proceeded to purposefully trip the alarm to test law enforcement’s response time. When they arrived, [Coalfire CEO Tom] McAndrew said, the deputies seemed delighted to be shown the tools and tactics the Coalfire employees used to enter the building.

McAndrew blamed the men’s arrest on the arrival of Dallas County Sheriff Chad Leonard, saying he failed to “de-escalate” the situation, as the deputies already on site were ready to let the men go.

“Sheriff Leonard failed to exercise common sense and good judgment and turned this engagement into a political battle between the State and the County,” McAndrew wrote. “I was stunned that the next morning the issues were not resolved and were actually amplified when bail was set as $100,000.”

Prosecutors have performed a slight bit of de-escalation, at least. The felony charges have been dropped, but the researchers are still facing misdemeanor trespassing charges. This prosecution continues despite the judicial branch’s statement backing up the arrested men’s story that they were hired to test courthouse security.

Sheriff Leonard’s needless escalation began during the arrest and continued forward past that point. Emails obtained by the Des Moines Register show Sheriff Leonard refused to release the security employees when their story checked out and further aggravated the situation by promising to give a heads up to other law enforcement agencies who might be interested in capitalizing on some trouble-free arrests.

A police sergeant called one of the state employees, who confirmed what the men said: that this was a legitimate contract and that the men should be let go, according to the email.

“I advised them that this building belonged to the taxpayers of Dallas County and the State had no authority to authorize a break-in of this building,” [Sheriff] Leonard wrote in the email.

Leonard wrote that he then called the state employee to tell him his contractors had been arrested and that he didn’t have the authority to authorize this.

The state employee disagreed and asked Leonard not to tell other sheriffs, wrote Leonard, who said he responded by saying he was going to tell every sheriff.

It sounds like some “law is the law” bullshit being pushed by Sheriff Leonard, who isn’t going to let anyone get away with security research in his jurisdiction. Coalfire’s CEO wants to know if Iowans are OK with this.

If what is happening in Iowa begins to happen elsewhere, who will keep those who are supposed to protect citizens honest? This is setting a horrible precedent for the millions of information security professionals who are now wondering if they too may find themselves in jail as criminals simply for doing their job. I believe that citizens of Iowa would benefit from using their resources to fix vulnerabilities, protect their data, and secure their public buildings rather than waste time and taxpayer money on this criminal pursuit.

Joke’s on all of us. This is already happening elsewhere. Security researchers constantly face the possibility of arrest, prosecution, or civil lawsuits just for doing their jobs. That this penetration test involved a physical break-in doesn’t make it any less legitimate. The court system apologized for the misunderstanding, but good deeds apparently aren’t going to go unpunished in this county.

Companies: coalfire security


Comments on “CEO Of Security Company Behind Unorthodox Penetration Tests Wants To Know Why His Employees Are Still Being Criminally Charged”

66 Comments
This comment has been deemed insightful by the community.
That One Guy (profile) says:

'Oh, would you look at that, I'm busy. Forever.'

Do you want to ensure that only the least skilled, most desperate people are willing to perform security tests that will allow you to see how secure your systems/buildings are before you have to find that out the hard way that they aren’t, because anyone sane will refuse to answer your calls or sign a contract to do that for you?

Because this is how you ensure that that happens.

I rather suspect that this isn’t a case of ‘the law is the law’ and more a case of the sheriff being all stoked that he’d found him some criminals to prosecute to make himself look better, finding out that they were nothing of the sort, and being utterly incapable of admitting that he was wrong, because if you’ve got a badge you don’t make mistakes, ever.

This comment has been deemed insightful by the community.
Anonymous Coward says:

The court case

Prosecutor:

These men broke into the court house and were trespassing.

Judge:

You are not trespassing if you are invited in. We invited them.
Case dismissed.

Oh, and please stop wasting the court’s time, or I’ll uninvite you and you will be trespassing.

Anonymous Coward says:

Re: The court case

Prosecutor: We did not invite them. They invited them. And they don’t have the right to invite people to break into our courthouse.

Judge: Oh yeah, there’s actually laws that I have to use to justify my decisions. Guess I’ll have to actually do my job, darn!

The legal question at hand is who has the authority to order that kind of trespass on a county courthouse. The state should not be messing with county property without the explicit knowledge and consent of the county, and they sure as heck know that.

This comment has been deemed insightful by the community.
Anonymous Coward says:

Re: Re: The court case

Under established U.S. Federalism rule of law, subordinate governments (ie, counties) have no separate sovereignty apart from their state. The State is sovereign, and the subordinate governments (ie, counties) are delegated that sovereignty at the direction of, and for the convenience of, the state.

A prosecution of a violation of a state law fails when it’s pointed out that the state very much does have the right to do with any county property as it sees fit.

(All of the above often does not apply in states where the state constrains its sovereignty in "home rule" municipalities. But even in those states, that doesn’t apply to entire counties.)

Bergman (profile) says:

Re: Re: Re:2 The court case

If you were correct, then a town or city would be able to ignore county laws. For that matter, a neighborhood within a city would be able to hold a vote and ignore city laws. A household could unanimously vote that city laws don’t apply to their house.

While it might be a fun idea to contemplate that you could get your wife, children and dog to all agree that none of your household owes any taxes to the city, county, state or nation, it’s not likely to end well if you actually tried it.

btr1701 (profile) says:

Re: Re: Re:3 The court case

If you were correct, then a town or city would be able to ignore county laws.

Not hardly. There’s a difference between property ownership and legal jurisdiction to pass statutes and ordinances.

The county owns the building and enjoys all the rights and privileges of property ownership that anyone else does. That doesn’t mean the county can also ignore all duly passed laws passed by the state legislature. The two things have nothing to do with one another.

Wyrm (profile) says:

Re: Re: The court case

Going by this logic, the state deputies that arrived first should be arrested too. They are not invited, and are not county agents.

More seriously, this building is used for official state business, and who "paid" for the building doesn’t matter. It is only fitting that the state can invite anyone they need to do their state business, including validating their security.

If not, anyone could technically be considered trespassing arbitrarily, including the judges, lawyers and parties to suits being judged in this courthouse. I’m pretty sure that’s not how the law works.

Finally, the researchers had proof that they were invited in by someone who, by all appearances, had authority over the premises. More so than a case of murder by cop, I would say that "good faith exception" should apply here. They did everything right, except that they were tricked into thinking that state judicial authorities had authority over a building used for official state judicial business. Ah yes, how could anyone make such a rookie mistake?

nasch (profile) says:

Re: Re: Re: The court case

Going by this logic, the state deputies that arrived first should be arrested too. They are not invited, and are not county agents.

They are county sheriff’s deputies, not state law enforcement.

They did everything right, except that they were tricked into thinking that state judicial authorities had authority over a building used for official state judicial business.

Again, it’s a county courthouse, used for county judicial business. This is not to defend the sheriff or prosecutors – their actions were stupid and unjust.

nasch (profile) says:

Re: Re: Re:3 The court case

They are not separate legal entities.

Yeah they are separate legal entities. A county is part of a state, but that doesn’t mean they’re the same thing. Counties have courts and law enforcement and all sorts of functions that the state doesn’t have anything to do with. A county is not part of its state in the same way that a department is part of a company. It’s closer to the way that a US state is part of the US, though counties have less autonomy than states.

For example, if you were to sue your county government, the defense would be handled by the county, not the state. There are some exceptions to all this, for example a handful of states (two I think) where counties are strictly a geographic boundary and have no governmental function at all. But Texas (the state in question) is not one of those states.

nasch (profile) says:

Re: Re: Re:7 The court case

So that states the county is a subdivision of the state. That doesn’t mean it isn’t its own entity, with its own employees, organizations, and so on.

"King County filed suit against the Rasmussens"

The county can take actions on its own.

"Because we conclude that no genuine issues of material fact exist for trial and that King County holds the strip in fee simple, we affirm."

The county can own property. Note the court doesn’t say the state holds the land in fee simple (whatever that is), but the county.

Nobody is saying counties aren’t subordinate to or part of their states, but I haven’t seen anything indicating there’s no such thing as a county employee as you claimed. What do you get when you search "county employees"?

Anonymous Coward says:

Re: Re: Re:8 The court case

A large portion of the thread is arguing about whether counties are a part of the state or an independent entity of some kind. That argument has actually gone on for a while.

Others were arguing that the county is somehow not a state government body.

My view is that the county is the state so it by definition can’t take independent actions because every county government action is a state government action.

County employees are real. They all are just described equally well as state employees.

nasch (profile) says:

Re: Re: Re:9 The court case

So far I have not seen any supporting evidence that:

  • the county and the state are the same thing
  • the county government is part of the state government
  • county employees are state employees

I have never heard anyone claim any of that before today. I enjoy learning new things however and if someone has a reference explaining how any of that is true I would be happy to read about it.

Wyrm (profile) says:

Re: Re: Re:2 The court case

Ok, I reread both articles.
My mistake. It’s indeed a county courthouse, though it seems to fall under the authority of the state. I might be wrong about the level of autonomy of county versus state.
So, either the state has authority over the county, in which case the case is null because the researchers had proper authorization… or it doesn’t, in which case the state made the mistake of authorizing an operation it didn’t have authority to. Still doesn’t seem like a mistake on the researchers’ side. The county sheriff even had confirmation of the whole story. He just wants to charge someone for… something? And he knows the individuals are easier targets than the state.

This comment has been deemed insightful by the community.
Michael says:

purposefully trip the alarm to test law enforcement’s response time

Let’s just point out that the guy making all of the noise here was also the one with the response time that was so horrible that other officers arrived, found the suspects, identified they were not actually burglars, and were talking with them about how they broke in and the tools they used.

Can we start by firing him for being incompetent at his actual job?

Anonymous Coward says:

"I advised them that this building belonged to the taxpayers of Dallas County and the State had no authority to authorize a break-in of this building," [Sheriff] Leonard wrote in the email.

Please correct me if I’m wrong, but aren’t counties part of the state, and therefore, wouldn’t county property be state property?

Anonymous Coward says:

Re: Re:

You’d be wrong. Counties own county property, cities own city property, and states own state property. The State can’t tell the County what to do with its property, they had no authority to authorize a break-in, or any of the other penetration testing that they ordered, without the consent of the County. That’s why this is still an issue.
The Sheriff is basically telling the State to stay in its lane, and the State is claiming it can do whatever it wants cause it’s a judicial building. The contractors are caught up in the middle.
Personally I think the contractors should have done a lot more due diligence, but it’s ultimately on the people that ordered the testing.

Anon says:

Re: Re: Re:5 Re:

Well, if name-calling settled arguments, we’d have an idiot for a president. .. oh, wait…

The counties are creatures of the state in the same way as an incorporated private company. The state has certain rights and certain limitations, as prescribed by law and the state constitution. They cannot override these laws except as allowed by those same laws. They cannot dictate county actions, except by a judicial order that cites the law which allows this.

So yes, a county can charge and maybe even convict a state contractor of violating the state law on trespass; then the defendant can appeal that to the state court of appeals. How will that turn out? Or the county judge might put the law ahead of urinary competition and say that without the intent, and with the honest impression they had permission, they are not guilty.

So the county has every right to do what they do, but depending on what the local laws are on intent, it may or may not be malicious prosecution. Certainly the comments of the sheriff are pretty good evidence that it is.

(Recall something similar I heard of – professor back in the good old days (late 80’s) challenged students in his Computer Science class that if they could break into the system and change their mark they could have that mark. One clever student went through the ceiling tiles and got into the glass room where the console was logged on to change his mark. The prof had him expelled and charged with trespassing – sore loser)

btr1701 (profile) says:

Re: Re: Re:6 Re:

(Recall something similar I heard of – professor back in the good old days (late 80’s) challenged students in his Computer Science class that if they could break into the system and change their mark they could have that mark. One clever student went through the ceiling tiles and got into the glass room where the console was logged on to change his mark. The prof had him expelled and charged with trespassing – sore loser)

Wow. Seems like it’d be easy to beat the trespassing charge, since he was given permission in front of dozens of witnesses. The expulsion might be harder to fight because universities usually have wide latitude to decide those things on their own, but again, permission was given for him to do what he did and there’d have been ample evidence of it to use in any kind of expulsion hearing.

ANOn says:

Re: Re: Re:7 Re:

Yeah, the prof was being a dick because he overlooked one simple trick and so appeared to be stupid. (more than "appeared") He was so proud of his software security enhancements he overlooked simple physical security. I’m sure he told the admin that he said "break in with software" even if he didn’t; if you’re already a major dick, what’s a little lying to compound it?

This comment has been deemed insightful by the community.
Local Gov Employee says:

Re: Re: Re:2 About that...

Hi! Actual County employee here, though not in Iowa. This will be written from the perspective of my County.

Good news, everything you said here is accurate! County owns the courthouse, and the state can’t just take it or do with it as they please on a whim.

Bad news is that they 100% can do those things, just not on a whim. There are a couple different things in play here, and I’ll start with the most broad:

  1. The state can write a law taking control of the operations and building
  2. The state can use eminent domain to take ownership of the property, including the building
  3. The state can mandate, at a policy level rather than via law, that the County must take or allow specific actions. Being a subordinate agency, the County must follow this policy.
  4. As a tenant of the building, with independent Information Systems installed (from workstations to a network core and likely a couple purpose specific servers), the State is allowed to and likely required by Federal statute to execute penetration tests and maintain active and passive security measures. Remember, court cases deal with privileged information from HIPAA to state secrets to sealed testimony. (Specific tenancy agreements may require notification to the property owner)

The County has no valid argument here. I say that as an employee of a County with >$1B in yearly revenue who regularly takes issue with how the state treats us.

So your statements are factually correct, up until the state exercises any of its power. The other poster’s statements are just as factually correct and address a different argument than the one you’re using. Neither of you is more correct than the other, and that’s simply a matter of framing and perspective.

I hope this both clarified the issue at hand and made everybody feel better about themselves.

Anonymous Coward says:

Why "unorthodox"?

Nondestructive physical bypass of building security systems is a completely normal part of a penetration test. The only unusual thing is the lack of explicitness in the paperwork. If you watch talks by penetration testers, for example Deviant Ollam, they describe bypassing locks all the time—with lockpicks and other tools, even elevator fire service modes. They’re paid to do it and give detailed reports to the companies operating the facilities. Often the doors and locks have major problems, and they need to know about it.

Anonymous Coward says:

Re: Why "unorthodox"?

If it’s completely normal then why did nobody except the contractors know they were going to be performing a physical break-in on the property?
Penetration testers should be doing only what is specifically ordered in their contracts, anything else is outside scope and probably illegal.

btr1701 (profile) says:

Re: Re: Re: Why "unorthodox"?

Penetration testers have the same right to tinker as any other engineer.

They don’t have the right to trespass on physical property that doesn’t belong to them or the people who hired them. The bull-headed sheriff was actually right when he said the state has no authority to authorize break-ins of buildings that don’t belong to the state.

Anonymous Coward says:

Re: Re: Re:2 Why "unorthodox"?

Ownership isn’t necessarily what matters. For example, if I rent a house or some commercial property, I can authorize people to enter it, and those people would not be trespassing. I probably can’t authorize them to damage that property without permission from the owner (but if they reasonably thought they had proper authorization, it shouldn’t be criminal for them). Non-destructive lockpicking might be a gray area and depend on jurisdiction, but it wouldn’t be surprising if a non-owner had authority to allow that.

Anonymous Coward says:

Re: Re: Why "unorthodox"?

In the work of a penetration tester, there is also the issue of companies regularly writing invalid TOS. Usually companies have managed to take consideration before there is an overt contract agreement, so they are illegal. (ie google and microsoft track you before you even know what a TOS is)

Anonymous Coward says:

Re: Re: Why "unorthodox"?

If it’s completely normal then why did nobody except the contractors know they were going to be performing a physical break-in on the property?

"We are going to try to break into the property by the way of the east side entrance, on February 21, 2019, at exactly 6:38 p.m."

[Fast-forward to 2019-02-21 @ 1838h]

"Wow, the east side entrance is really secure! They’ve stationed about two hundred cops outside of it! Penetration test passed!"

Anonymous Coward says:

Re: Re: Re: Why "unorthodox"?

"Wow, the east side entrance is really secure! They’ve stationed about two hundred cops outside of it! Penetration test passed!"

The guards are not parties to these contracts. If the official signing the contract wanted to sabotage the test, they could, but then they’d just be wasting their money.

PaulT (profile) says:

Re: Re: Why "unorthodox"?

"If it’s completely normal then why did nobody except the contractors know they were going to be performing a physical break-in on the property?"

Someone wasn’t listening to what the physical aspect of the contract was actually referring to, or the wrong person was left uninformed by one of the parties.

"Penetration testers should be doing only what is specifically ordered in their contracts"

Apart from the fact that they seemed to believe that this was part of their contract – that’s a risky move. Sure, if you’re pen testing a particular environment, you don’t want them messing with environments other than the one specified. But, you also don’t want an incomplete pen test because you didn’t allow the testers to take a particular path that any would-be attacker would use. It might feel safer during the test, but you have also possibly stopped testing of your most vulnerable spots.

Anonymous Coward says:

Re: Re: Why "unorthodox"?

If it’s completely normal then why did nobody except the contractors know they were going to be performing a physical break-in on the property?

That’s not exactly true. They had a document giving them permission to do penetration testing, including physical access, and they told the guards who caught them whom to contact about the test. That person confirmed to the guard that the testers had permission. But they got arrested anyway.

Yes, those documents and the statement of work should have been more detailed. The test was completely normal; the paperwork was unorthodox.

Anonymous Coward says:

Re: Re: Re: Why "unorthodox"?

The test was completely normal; the paperwork was unorthodox.

Actually, if they expected a police response, that could be unorthodox. I don’t know how this works with courthouses, but in a private setting, the police would not be a party to the contract and would not appreciate someone triggering an alarm just to test them.

Sharur says:

Re: Re: Re:2 Why "unorthodox"?

True, but at court houses in the US, internal security is provided by the Sheriff’s department. There are usually deputies manning the metal detectors at entrances, at least.

So, it’s less "trigger the alarm and see how long until squad cars arrive," and more timing the Sheriff’s deputies’ response from their normal post in the building to the affected area.

The analogy to a private setting (say an office building) would be how long it would take for security personnel to arrive.

Anonymous Coward says:

Sheriff Chad Leonard’s official webpage ends with a list of organizational goals, one of which is "Educate the communities at large as to its role in establishing order and reversing moral decay." This sort of sanctimonious horseshit certainly seems in keeping with this guy’s approach to the Coalfire Security case.

https://www.dallascountyiowa.gov/government/public-safety/sheriff

Agammamon says:

They had paperwork granting them permission to perform "physical security assessments" at multiple locations. While nothing specifically instructed the security testers to break into buildings, nothing in the documents suggested this was forbidden either.

I’m pretty sure that, unless you’re actually LEO – with a badge and everything – then you need that paperwork to specifically list which laws you can break in the process of testing.

Now, I’m not saying these guys should be prosecuted – this is obviously a case of (fairly) innocent mistakes.

But they got permission to do penetration testing on facilities that the people giving them permission didn’t have the authority to permit them to test and then they went and exceeded the limits of the written permissions.

Anonymous Coward says:

Re: Re:

That is horribly backwards. You don’t sign a contract to break laws. That would never be a valid contract no matter how it was worded.

I would bet they get off if they can afford the legal fight. Either way, they will now get to sue the state for either recruiting a legitimate business to break laws for them or false arrest/deprivation of liberty for the sheriff’s idiotic response.

btr1701 (profile) says:

Sheriff Leonard’s needless escalation began during the arrest and continued forward past that point.

Leonard may have started the escalation, but anything occurring at this point is out of his hands. If they’re still facing charges and prosecution, that’s all on the county attorney’s office now. They could easily drop the case altogether and the sheriff wouldn’t have any say in the matter.

"I advised them that this building belongs to the taxpayers of Dallas County and the State has no authority to authorize a break-in of this building," [Sheriff] Leonard wrote

He’s actually right about that even if he is addressing it in a less than ideal way.

Anonymous Coward says:

@Techdirt…

You include a link to "techdirt articles tagged ‘shoot the messenger’ ". This article is not so tagged.

This article is tagged (company) "Coalfire security". Previous articles about this story were not so tagged.

Should your tagging become a bit more standardized, perhaps? Or maybe go back and add tags to relevant previous stories?
