
Exonerated: Charges dropped against pentesters paid to break into Iowa courthouse, Ars Technica



Dismissal is a victory for the security industry and the customers who rely on it.




The dismissal, which was announced on Thursday, is a victory not only for Coalfire Labs, the security firm that employed the two penetration testers, but also for the security industry as a whole and the countless organizations that rely on it. Although employees Gary DeMercurio and Justin Wynn had written authorization to test the physical security of the Dallas County Courthouse in Iowa, the men spent more than 12 hours in jail on felony third-degree burglary charges. The charges were later lowered to misdemeanor trespass.

“I’m very glad to hear this,” said a professional pentester when I told him the charges were dropped (he prefers to use only his handle: Tink). “Clients and security firms have an obligation to protect their pentesters and consultants. Pentesters are not criminals. Pentesters help organizations protect against criminals.”

Attempts to reach Dallas County Attorney Charles Sinnard after hours were unsuccessful. DeMercurio and Wynn declined to speak with me.

Get out of jail free

DeMercurio and Wynn were arrested in the early hours of September

When Sheriff Chad Leonard arrived on the scene, things took a decidedly more adversarial tone. Leonard said he was unaware of any such arrangement and, furthermore, he said the State Court Administration lacked the authority to permit the after-hour entry of county property. The pentesters spent more than 12 hours in the county jail until they were released on $ 728, (0 bail) $ , (0 for each). In the days to follow officials discovered that the pentesters had also performed physical penetration tests on the Polk County Courthouse and Judicial Building.

The turf war between Dallas County and state officials was only one of the things complicating the case. The other issue was the legal agreement Coalfire signed with the State Court Administration. The full agreement was broken into three separate documents that contained confusing and contradictory terms describing the work to be performed. An initial service order outlined a plan to conduct “Physical Attacks” against the Dallas County courthouse and two other buildings, but in later forms, the pentesting activities were described as “Social Engineering.” There was also conflicting language about whether the pentesters were authorized to use lock-picking gear and whether they were permitted to test physical security after hours.

After learning of the pentesting contract, Dallas County Attorney Charles Sinnard reduced the charges, but despite there being no support for criminal intent, he continued to prosecute the two men. In a statement Coalfire issued on Thursday, officials wrote:

Following discussions between representatives of Coalfire, the Dallas County Sheriff and the Dallas County Attorney, it was the decision of the Dallas County Attorney to dismiss trespass charges against the Coalfire employees. It is clear that on September 10, 2020 it was the intention of the Dallas County Sheriff to protect the citizens of Dallas County and the State of Iowa by ensuring the integrity of the Dallas County Courthouse. It was also the intention of Coalfire to aid in protecting the citizens of the State of Iowa, by testing the security of information maintained by the Judicial Branch, pursuant to a contract with State Court Administration.

Ultimately, the long-term interests of justice and protection of the public are not best served by continued prosecution of the trespass charges. Those interests are best served by all the parties working together to ensure that there is clear communication on the actions to be taken to secure the sensitive information maintained by the Judicial Branch, without endangering the life or property of the citizens of Iowa, law enforcement or the persons carrying out the testing. It is the hope of Dallas County and Coalfire that the Judicial Branch will work with them so that any issues carrying out such vital testing can be avoided in the future.

Coalfire CEO Tom McAndrew added, “With positive lessons learned, a new dialogue now begins with a focus on improving best practices and elevating the alignment between security professionals and law enforcement. We’re grateful to the global security community for their support throughout this experience.”

