This is why you have explicit language in your documents. It's not there for when things go well - it's when things go bad like this situation. In fact, I argue this is an expected outcome. How can you run a security contract that does explicitly illegal things w/o having clear language about what is supposed to happen.
FWIW:
- The pen testers should be ready to spend time in jail and be compensated as such. A piece of paper should not get you off free immediately. That thing needs to be verified, so expect it to take time.
- Language in your doc needs to be clear about exactly what will happen. The whole fiasco afterwards should not have needed to take place. If the customers want 'more pen testing', charge them for it.
Overall this is a great outcome. Just need to clean up the edges a bit.
Sure, that might explain the 12 hours in jail. It does NOT explain why the county attorney continued with prosecution well after it was clear the men had no criminal intent and were acting on the direction of the state of Iowa. That was a pissing contest, full stop, and the men caught in the middle should be pursuing legal action against the county.
Or in legalese as written by the men's lawyer:
"The justice system ceases to serve its crucial function and loses credibility when criminal accusations are used to advance personal or political agendas."
Things get stupidly petty when politics are involved.
Someone dared challenge his fiefdom and that cannot be allowed to stand uncontested so he played the "be a pain in their ass" card by prosecuting as long as he could.
This a thousand times! Put another way (via one of my lawyers): contracts are for all the times when you aren't happy with each other.
> In fact, I argue this is an expected outcome. How can you run a security contract that does explicitly illegal things w/o having clear language about what is supposed to happen.
Completely agree. I would never send a pen-test team/red team/whatever into an engagement without a detailed rules of engagement, an escalation path and a get-out-of-jail-free proviso. A bit crazy these folks didn't pay attention to the details.
Like if my neighbour hires some random to pentest my house for kicks, it doesn't make it ok for the pentester to break into my house because they signed a contract with my neighbour.
There's an ongoing political dispute in Iowa over the extent to which the court system controls court buildings. The courts maintain they have full control (and thus can legally authorise, e.g., pen testing), and (perhaps unsurprisingly) they keep winning court cases about it.
Some of the criticism of Coalfire, DeMercurio, and Wynn was about how they were pentesting buildings their client did not control, but it's worth noting that this is 1) disputed and 2) almost certainly wrong (at least from a legal realism point of view).
It's worth emphasising, I think, how much this story had to do with jurisdictional fights between different branches and levels of the Iowa state government, and how little it had to do with Coalfire, DeMercurio, Wynn, or pentesting.
I can't fathom how that wasn't the end of the conversation right there. "Who granted you permission to do this?" "A whole buildingful of judges." "Oh. Sorry, we'll take this up with them."
We had a legal matter with a county commissioner requesting the MSP use an external hard drive to transfer documents which the commissioner had no right to access.
This happened in broad daylight.
But if your neighbour lied and falsified documents to the point reasonable due diligence would have been fooled, perhaps the pentesters can be considered not at fault?
And here we end up back with irjustin's proposal that if pentesters are doing things that would be illegal without proper permission, they need to be prepared to spend some time in jail. Their risks there for which they need to be compensated include their own organisation failing in their due diligence and sending them into a test for which they're genuinely not legally authorised.
I feel like an alternative take on this is “inform the local police department of your plans”
Many actions are very illegal without permission yet we find it very unreasonable to spend time in prison if permission was given. Use sex for example. If you had permission you shouldn't spend any time in prison for it. If the police think you didn't have permission, they should establish that without enough confidence before acting upon it. It is one thing to open an investigation, but the point of arresting people should only be once it has been determined they didn't have permission.
>A piece of paper should not get you off free immediately.
Only once the police have reason to believe it was fake should you be arrested. Arrest first and ask questions later is a dystopian legal tactic.
It's also the only practical tactic when there's a chance of the targets of an investigation hiding evidence, fleeing, or otherwise hindering that investigation.
You let go of the police and the gov lawyer, and bit by bit you lose your liberty. Make them pay! At least then there is a negative feedback loop. Otherwise you end up with a police state. Or a gov lawyer state. Or worse, like HK, both.
The county sheriff's ego.
I suspect (with zero evidence) that an over-eager sales rep or sales management booked a deal without contract due-diligence and a pen-test team trusted that the due-diligence had been done.
Could you point me to them? Who sets them? Is there some kind of industry body?
Fast forward to last year, the government decided to double down on their stance by making punishments harsher than most crimes of violence without carving out exemptions for white hat researchers.
Unsurprisingly, my country's infrastructure was shown to be completely compromised by Snowden's (or Manning's) leaks.
It will simply lead to everything getting leaked and sold underground.
Don't make baseless assumptions.
The only good alternative is to keep quiet, and pray that nobody else finds it and anonymously report it to the press before the logs containing your IP address are rotated and deleted.
Part of me says Wynn and DeMercurio could try to sue someone -- either their initial customer for not giving them sufficient safety, or the people responsible for them being charged -- but then I consider that suing "the law" is such a famously bad idea that it's celebrated in song ("I fought the law and the law won").
Ultimately, I think they'll get some good conference talks out of it.
But that song is about armed robbery being punished by the law, not suing anyone. The lyrics aren't subtle:
> Robbin' people with a six-gun
> I fought the law and the, the law won
Fighting the law outside the system by disobeying it is a totally different concept from fighting the law within the system by suing over it.
Iowa can go tuck themselves in.
I would love to read some reporting about what was going on behind the scenes. Anyone have a link?