Men Arrested at Courthouse Say They Were Sent to Test Its Security (opens in new tab)

Each state is different: https://toool.us/laws.html

Depends on the state. I believe in some states it's legal so long as you're not actively engaged in a crime, but becomes illegal if you get caught with them in a criminal act, even if they weren't directly related to the criminal act?

Edit: People REALLY like answering this question, apparently. :D

It's a crime if you're found in possession with intent to commit a crime: https://aizmanlaw.com/possession-of-burglary-tools/

Depending on the state, owning lock picking equipment without a licence is also illegal.

Oh yeah the law has all sorts of things to increase charges.

In some jurisdictions having a crowbar while “committing a crime” turns the crowbar into a burglary tool. Better yet: having a burglary tool can count as evidence you were committing a crime (see an interesting bit of logic there?)

Or CA using possession of condoms as evidence women were sex workers. Immediately resulting in a reduction in use of protection (remember the anti-prostitution laws are all in the interests of “public safety”). Literally the interpretation of reality chosen was one where if a woman in a specific location had a condom they were automatically a sex worker, carrying evidence of sex work.

That varies by state and circumstance.

In some states it's legal to own them, but if you are caught using them or being somewhere you shouldn't be while carrying them it can be tacked onto your charges.

Other states it's totally illegal to own or carry them.

In some states I feel like they just thought “well we can’t just keep letting these guys off when we catch them before actually picking the lock” so they made the lock picks illegal.

Anything used to commit burglary is a burglary tool. A hammer, screwdriver, picks, etc.

In most states, unless you are a locksmith, yes it is a crime.

This is such an absurd case on so many levels. This miscommunication should have never happened, obviously.

Even if they turn out to be the criminally incompetent party in this relationship, I feel kind of bad for the contractors. They're facing felony charges for making what was clearly a mistake. I can't imagine they're consistently this incompetent - surely one of their previous clients would have noticed if they were physically broken into and didn't anticipate it. So either they've never done this before, or they messed up their contract.

I've seen plenty of similarly boneheaded, incompetent things in Big Tech (losing massive amounts of data, getting systematically defrauded in pretty stupid ways, etc) that resulted in getting fired at worst and a reprimand at best, so I feel kind of bad that these guys face felonies for being bad at their job.

The company in question is Coalfire. This company assesses who can become FedRAMP compliant. They also have their pentesting team in-house, and they are fuckig sharp. They know their contracts, rules of engagement, and exactly what they are and aren't allowed to do.

These folks do this stuff for their livelihood. They test contractor, state, and fed systems at all scopes and levels.

And if 2 broke in (yes, you work in teams ABSOLUTELY onprem), they had the contract explicitly allowing physical penetration ON THEIR BODY. That contract is the difference between felony trespass and 100% legal.

I would LOVE to be a fly on the wall and watching the conversation between State IT and the public safety community there, and especially with the AG, who will have to release them.

Shame on the prosecutors. Burglary requires intent. By all appearances, these guys thought they had permission.

You don't understand the level of local corruption in Iowa. To be effective the State couldn't tip off County security.

Here in Canada the prosecution would have quickly withdrawn the charges. It's pretty clear that they were acting under the color of law, given that the State admitted they hired them. If they went beyond the contract, it seems pretty clear they did it under the mistaken but reasonable belief that they had proper authority to enter. I understand ignorance of law isn't a defense but ignorance of the facts is and it seems pretty clear that's what happened here. It seems unreasonable and unnecessary to hold them in jail and unnecessary to take this to trial. I don't see how proceeding with a prosecution like this could be in the public interest.

For those who, like me, had trouble figuring out the case ID search system:

There are four fields in "case ID". The first is for the county code ("05251"). The second is for city code, which isn't present in these. The third is for the case type, which is FE (felony). The fourth is for the specific case number, which is /CR.*/

EDIT: Sadly, to actually read any of the documents requires a $25/month description.

EDIT2: So apparently those first fields are supposed to be autofilled by the dropdowns, but this doesn't work on my phone. Given the following message on the landing page, this isn't too surprising: "This Web Based Electronic Public Access application requires a 128 bit Cipher Strength on your Internet Explorer. To verify this click on 'Help' menu item and select 'About Internet Explorer'. If it's less than 128 bit click on link 'Update Information' to update Cipher Strength."

Bobby Rehkemper and Lindholm are the shit. They caught a dirty prosecutor a few years back on tape: https://whotv.com/2012/02/20/open-records-sonya-heitshusen-l...

Same Dallas County Attorney is taking a dive on my Qui Tam to claw back Apple's brazen $100m property tax abatement vote bribe to the City of Waukee unjustly enriching the city to abate $170m. Tim Cook is a tax crook.

Well, it may be necessary to tell them, but there needs to be a backstop in place, a contract to wave around, proper identification, a live phone number to call to get confirmation, etc. The cops will still be pissed, if you weren't careful in following their instructions when they caught you then you might find yourself tasered and soaked in someone's urine (hopefully your own, I guess) But you wouldn't be, as these two are, getting charged with felony burglary.

And the police just throw them into the system and say not my problem

>I cannot imagine anything worse that one could ever say to a cop.

From the physical pentests I've heard about (never done it myself), they tend to get cordial with LE if they get caught.

This might change that if we find out that the cops were less than friendly even after they showed the get-out-of-jail-free card/pentesting contract.

The court is claiming it wasn't a prearranged part of the test that they were aware of. It will be up to the company to prove that it was.

> But it added that the administration “did not intend, or anticipate, those efforts to include the forced entry into a building.”

It's possible they misunderstood something in the contract such as what physical entry means and the scope of red teaming.

In the article it said they were aware of a forced entry made at another court house, but I'm assuming it was after the fact and the security company told them they did it before? If it was before the test then that changes the story but I dont know why they'd admit it to the press otherwise.

> Iowa’s State Court Administration also said in the statement that it had been made aware of a break-in at the Polk County Historic Courthouse in nearby Polk County on Sept. 9 that was similar in nature to the break-in at the Dallas County Courthouse.

The fact they courts aren't fully supporting the guys raises a lot of questions.

It's not like the guys were caught doing anything for personal gain. But there's a small possibility they wanted to show off their ability and keep it hyper realistic, and crossed a lined that should have been better communicated.

The police aren't supposed to be shooting unarmed people.

IANAL, especially in American law, but mens rea is usually a neccessary element for criminal liability.

Pentesting works the other way, you need to scope things in, not out. Otherwise you'll get into all sort of legal and ethical issues.

You know one of the best ways to get access to electronic systems is to get physical access, a "hardcore" run to borrow a term from Gibson.

I'd be very interested to learn who hired them / their firm. Hope we find out!

> I don't understand all the secrecy in doing these types of pen-testing. Why wouldn't you just tell the cops what you intend to do and make sure everyone involved has a clear understanding of what is going to be done and what not.

It's not really an accurate measure of response time if the responding parties are told ahead of time. That said, I would imagine the benefit of an accurate measurement vs. the cost of a heads-up is vastly different when you're dealing with first responders as opposed to a vendor.

What's more likely, a big pentesting company messed up this one engagement, or the state is incompetent and doesn't understand pentesting? I'm leaning towards the latter.