At first, I assumed I was going to be only angry at the justice system, but after understanding the contract document was split in 3 with very wishy/washy language, part of the problem is on the contracted company.
This is why you have explicit language in your documents. It's not there for when things go well - it's when things go bad like this situation. In fact, I argue this is an expected outcome. How can you run a security contract that does explicitly illegal things w/o having clear language about what is supposed to happen.
FWIW:
- The pen testers should be ready to spend time in jail and be compensated as such. A piece of paper should not get you off free immediately. That thing needs to be verified, so expect it to take time.
- Language in your doc needs to be clear exactly what will happen. The whole fiasco afterwards should not have needed to take place. If the customers want 'more pen testing' charge them for it.
Overall this is a great outcome. Just need to clean up the edges a bit.
> - The pen testers should be ready to spend time in jail and be compensated as such. A piece of paper should not get you off free immediately. That thing needs to be verified, so expect it to take time.
Sure, that might explain the 12 hours in jail. It does NOT explain why the county attorney continued with prosecution well after it was clear the men had no criminal intent and were acting on the direction of the state of Iowa. That was a pissing contest, full stop, and the men caught in the middle should be pursuing legal action against the county.
"The justice system ceases to serve its crucial function and loses credibility when criminal accusations are used to advance personal or political agendas."
Sheriffs being elected is actually extremely important. A sheriff is a constitutional entity who has far more influence than a typical police officer. Having the public choose such an official, rather than having them be hired by a city commission is very preferable - because they can be removed by the people.
This isn't to say everything sheriffs do is good, they're obviously just people and prone to corruption like anyone else. That said, sheriffs who refuse to arrest people for certain things (such as marijuana, or for their sexuality) have been a significant force in protecting people from unjust laws. [0] These days, that same power is being used to try to protect the 2nd amendment.
But doesn't that redefine "legal" into whatever is in vogue? I understand the appeal of having "direct" control, but I would think the law should be impartial to popularity - sometimes the police officers have to be the guy standing in the way of the angry mob.
The pro of refusing to arrest people also isn't solely in the domain of a public official - regular police officers can do that as well.
Also, what are the laws in regards to firing said elected official? I was trying to look up recall laws, but couldn't find anything definitive. How long can someone be bad before the people are able to act, compared to a hired office where the mayor could fire or suspend them in short order?
There's a few points here so I'll try to unpack them in order.
Historically, and still today, sheriffs tend to be very picky about when they choose to mandate non-enforcement in their jurisdictions. The most recent examples are the 2nd amendment sanctuaries, the refusals to comply with federal laws regarding marijuana, and refusals to detain illegal immigrants. The cases where they exercise this power are very often extreme, and unpopular. And as the sheriff is a real public servant and not a hired gun (which I mean literally, in the case of most police departments) they serve at the pleasure of the people.
If the police chief orders a police officer to make an arrest, the officer will be fired if he doesn't comply. A sheriff can't be fired as they are a constitutionally protected official. Further, a sheriff (this varies state by state) can often go so far as to effectively eradicate the existence of a law in their jurisdiction - this is what's happening with 2nd amendment sanctuaries now. Basically, it works because unlike a police officer, a sheriff can say 'I'm not using any resources to enforce this law, period. Oh and you can't do anything about it.'
Lastly, removing elected officials varies from place to place. It's universally easier than removing a sitting president and has the advantage that it's actually possible which isn't always the case for typical police (who are almost universally loathed for their lack of accountability and public recourse options).
The accountability issue swings both ways. If a sheriff's office has problems with certain enforcement issues (i.e. profiling, not taking domestic violence allegations seriously, etc.) and the electorate is not immediately interested in these issues, there's no other mechanism to encourage behavior changes - elections are fundamentally a binary state for an individual candidate. There's no nuance to the accountability, and the voting public is often ill informed on relevant policy problems and issues - there's been plenty of coverage about poor fiscal accountability, selective enforcement, etc. that illustrate the dangers with solely relying on the electorate as a quality control mechanism.
At the end of the day, this comes down to where you personally fall on the federalization debate.
>Lastly, removing elected officials varies from place to place. It's universally easier than removing a sitting president and has the advantage that it's actually possible which isn't always the case for typical police (who are almost universally loathed for their lack of accountability and public recourse options).
In theory this sounds great, but in practice I'm not so sure. The average person seems to get stonewalled at best, harassed or targeted at worst, when trying to file a formal complaint against an officer. I can't imagine trying this against a sheriff that is popular with the police unions.
> The cases where they exercise this power are very often extreme, and unpopular. And as the sheriff is a real public servant and not a hired gun (which I mean literally, in the case of most police departments) they serve at the pleasure of the people.
Federally, marijuana is very illegal. However, it is very popular, and almost nobody is still supporting its criminalization. So, many sheriffs decided to basically refuse to enforce the laws. IIRC there were also cases of interference with enforcement by federal agencies. This protected the citizens from what is seen as a severe overreach by the federal government.
To me, that is the essence of serving the will of the people.
The war on drugs, which led to extraordinary harm to many people and communities, could certainly be categorized as extreme and unpopular. Could you elaborate on what you mean?
I just realized you mean that they use their power to not enforce something when that thing is "very often extreme, and unpopular." The way you said it "The cases where they exercise this power are very often extreme, and unpopular." seemed to me to indicate that their choice to enforce their action was extreme or unpopular.
How are you going to avoid this? You either elect the sheriff directly, or you elect the people who appoint the sheriff. Either way, they are going to be subject to political whims.
Fair enough, although there might be SOME benefit to having separate election systems for the two roles; it might provide some check against one of the election systems being compromised.
This sounds great in theory, but in practice the results seem to be that Sheriffs obtain enormous amounts of power without the (sometimes still insufficient) checks and balances that traditional police departments have. It turns out that when you have something as powerful and capable of abuse as a police force, you want lots of experienced people overseeing it, and (most importantly) subjecting it to routine investigation. A popularity contest every few years doesn’t accomplish this well.
The problem arises, however, that everything becomes about re-election, rather than, say, policing.
The candidate with the biggest marketing budget, the most bluster, the lowest common denominator support base, wins - not the candidate who would make the best sheriff.
It’s a stepping stone. You go for sheriff, then assemblyman, then congress, then the senate. Your performance in the job doesn’t matter - just how many donors you can attract by pandering to their interests.
I entirely agree. Unfortunately, this issue rests with democracy as a whole. I once tried to promote the idea of performance reviews for candidates and blind elections based only on experience and presented plans/documentation. Unfortunately, I think that even that system would fail because voter participation is abysmally low.
Hey, uhm not arresting people for drugs is probably because they are in the pocket of drug dealers or politicians who are in the pocket of dealers.
Anyways sheriffs do shady things all the time, like money seizures and home foreclosures and tenant eviction. All of which are typically tied to shady business practices, unethical eviction, robber baron rent hikes.
Not sure about most of the US (well I kind of am) but in New York that is how it is. Everything is corrupt when elections and money and power are involved and sometimes the wrong people have injustice strikes against them.
Unfortunately public elections don’t mean much as to convince a populace of people to elect the right way is an impossible task by two fold.
A) any candidate you elect will have to succumb to tradition and precedent set by the office previously, especially when finances are considered.
B) even if the running platform is maintained getting a candidate who can do such and getting the populace to back the candidate will be an arduous task.
I live in a country where law enforcement isn't an elected position.
Not once have I heard anyone from any political camp argue that it would be better if it was. And yes, it's not totally unknown that this is how it is in America, and therefore an option.
Sure, this isn't much of an argument against elected law enforcement, but calling it "extremely important" is a bit of a stretch...
Countries are package deals. You get different election mechanisms, political structures, cultures, laws, and so forth. In the context of American history specifically, sheriffs have played an important role in balancing power within our political system. Your country, being different, has different ways of handling the issues it has faced. I'm sure in some ways it has been better, but in others, it may have been worse at various times.
Ultimately, countries are straight-up complicated. Nobody has solved how to do government in a way that doesn't screw over somebody. And every time people have tried, you could count on some human being in the system to screw it up.
Just for clarity, I've lived in Sweden and Germany and operate a company in the UK. I've tried several times to make an honest holistic comparison of everywhere I've worked or lived. My conclusion is that nowhere is perfect, and that whether the place you live is good, bad, or neutral is really a matter of time more than anything else. Looking at [0] pictures from the Middle East in the 1960s and 70s drives this point home.
Honestly, the American way of doing elections is awful by any objective standard. It systematically homogenizes the political positions into two camps where neither camp actually reflects the will of the people. In every election the most common phrase I hear is 'lesser of two evils' because nobody believes that a candidate really represents their interests.
That said, I can't recall ever hearing of a sheriff with a single-digit approval rating, unlike [0] Congress.
After it became clear they had no criminal intent, they decided to change the crime to one that doesn't require criminal intent. The initial charges were on "third-degree burglary", but then changed to "misdemeanor trespassing".
Exactly, DAs and prosecutors in this country have WAY too much leeway to:
1. Make a huge mistake (failing to immediately drop the charge)
2. Brush it under the rug (do nothing)
3. When caught pressing a nonsense charge with no good explanation, change the charges to something else unilaterally (!!)
4. When finally pressured enough by the public, drop the charges entirely.
This case should result in D.A. / prosecutor review. The cops have an excuse but this person does not. There is no room for ego like this when people’s lives are on the line. Being charged with a crime would ruin most anyone’s life for anywhere between a few days and many years, they need to be much more careful than this.
> DeMercurio and Wynn were arrested in the early hours of September 11 after a dispatcher with the Dallas County sheriff’s department observed the men wandering through the closed county courthouse with dark backpacks.
I understand that they didn't resist arrest:
> Deputies were friendly and interested as DeMercurio and Wynn explained how they used a lock-picking device to bypass a locked front door.
Looks like all participating in that initial encounter were having a laugh about this (while the dispatch center of course was running the check/authenticity of the claim). And then the politics/pissing contest started.
It would have been better if they (pentesters) had bodycams to have the evidence of the whole attempt. That would give them extra defensive points in court.
>It does NOT explain why the county attorney continued with prosecution
Things get stupidly petty when politics are involved.
Someone dared challenge his fiefdom and that cannot be allowed to stand uncontested so he played the "be a pain in their ass" card by prosecuting as long as he could.
> This is why you have explicit language in your documents. It's not there for when things go well - it's when things go bad like this situation.
This a thousand times! Put another way (via one of my lawyers): Contracts are for all times when you aren't happy with each other.
> In fact, I argue this is an expected outcome. How can you run a security contract that does explicitly illegal things w/o having clear language about what is supposed to happen.
Completely agree. I would never send a pen-test team/red team/whatever into an engagement without a detailed rules of engagement, an escalation path and a get-out-of-jail-free proviso. A bit crazy these folks didn't pay attention to the details.
Also make sure the people who hire you actually own the system being tested.
Like if my neighbour hires some random to pentest my house for kicks, it doesn't make it ok for the pentester to break into my house because they signed a contract with my neighbour.
> Also make sure the people who hire you actually own the system being tested.
There's an ongoing political dispute in Iowa over the extent to which the court system controls court buildings. The courts maintain they have full control (and thus can legally authorise, eg, pen testing), and (perhaps unsurprisingly) they keep winning court cases about it.
Some of the criticism of Coalfire, DeMercurio, and Wynn was about how they were pentesting buildings their client did not control, but it's worth noting that this is 1) disputed and 2) almost certainly wrong (at least from a legal realism point of view).
It's worth emphasising, I think, how much this story had to do with jurisdictional fights between different branches and levels of the Iowa state government, and how little it had to do with Coalfire, DeMercurio, Wynn, or pentesting.
A huge part of this comes down to Coalfire having a good faith belief that they were acting on the lawful instructions of the rightful authority. Putting myself in their position, I honestly can't think of who I would ask for clarification if the judiciary says it's OK. If there was any hint of a legal question in advance, these are exactly the people you would be asking for a ruling. By seeking the contract, they effectively gave a ruling: this is OK for you to do.
I can't fathom how that wasn't the end of the conversation right there. "Who granted you permission to do this?" "A whole buildingful of judges." "Oh. Sorry, we'll take this up with them."
Seriously, stay out if politics are involved as a pentester, or even as an MSP.
We had a legal matter with a county commissioner requesting the MSP use an external hard drive to transfer documents for which the commissioner had no right to access.
I really wish people naturally had the habit to spell out their initialisms or acronyms the first time they use it in a post (if it is not used in previous posts), and then use that shorthand for the rest of the post.
I would even request that this be done even for something as obvious as DMV (Department of Motor Vehicles). Making this common practice removes the guess work of whether an initialism is sufficiently obvious enough to the average reader. For some media forms, I do not have the luxury to comment or ask the original poster to explain what an initialism stands for.
Trying to find out what an initialism stands for is even harder when you try to search for it on Google and many other versions of it exist in different contexts.
> I would even request that this be done even for something as obvious as DMV (Department of Motor Vehicles)
Literally a day or three ago I saw someone in a HN thread asking what "DMV" means, so yes, I strongly second that request. HN has an international userbase.
This was drilled into me from a very early age but I do have a habit of not being consistent with it. I often take for granted that there's those who don't have English as a first language and may not know the most common acronyms and initialism of WTF, AFK and otherwise. I'd have put MSP in that category and assumed it was more common.
Acronyms are more than just language specific. I live in England and many of my non-IT friends wouldn't know what AFK means. My mum wouldn't even know what WTF means. And I knew the former two (though it took me a second to remember AFK because it's not one I use personally) but hadn't heard of MSP before.
Sometimes it's not even just a case of people not coming across acronyms before but rather those acronyms could be short for terms that aren't even used in other English-speaking countries (never mind non-English speaking). The DMV is a great example because in the UK they're called the DVLA.
It gets worse still because even people working in different industries in the same country might have come across different meanings for the same acronyms. For example I once worked with an ex-military officer who would get confused every time we'd talk about ISO (in terms of burning a Debian CD image) because he'd been used to the term used in a different context (I forget exactly what it meant to him but I think it was something to do with temporary buildings -- maybe someone else on here might know?)
So it should never be taken for granted that a "common" acronym is universally understood.
> And how can you and the parent comment bang on about it in this context and not think to spell it out?
>
> Pretty amusing!
The conversation wasn't about any context in relation to AFK (away from keyboard) but rather about the trouble with using acronyms. Not knowing what that acronym means doesn't alter the readability of the comment (in fact ironically it actually helps hammer home the point I was making).
This is also why I didn't spell out DVLA (UK Driver and Vehicle Licensing Agency) despite introducing a new acronym to the conversation; and why I did explain which "ISO" I was referring to because the context there did matter to explain my point.
This is a very important bit of insight. Thanks for this perspective. My comments about contractual protections aren't nearly as strong in light of this.
Depends, if the pentesters didn't ask for any proof that your neighbour owned and occupied the house then sure, the neighbour and the pentesters should be prosecuted.
But if your neighbour lied and falsified documents to the point reasonable due diligence would have been fooled, perhaps the pentesters can be considered not at fault?
> But if your neighbour lied and falsified documents to the point reasonable due diligence would have been fooled, perhaps the pentesters can be considered not at fault?
And here we end up back with irjustin's proposal that if pentesters are doing things that would be illegal without proper permission, they need to be prepared to spend some time in jail. Their risks there for which they need to be compensated include their own organisation failing in their due diligence and sending them into a test for which they're genuinely not legally authorised.
>And here we end up back with irjustin's proposal that if pentesters are doing things that would be illegal without proper permission, they need to be prepared to spend some time in jail.
This sounds very unreasonable once you start applying it to other actions in life. For example, picking up someone's kids so they can go on a play date with your own kids. That's kidnapping without permission. Should everyone who picks up another person's kids need to be prepared to spend time in jail for kidnapping?
This is an issue in schools today regarding after-school care and custody handoffs, with the liberty/efficiency-oriented people battling the law&order/safety/think-of-the-children people. They both have valid perspectives, as is usually the case in matters of statistical danger.
Yes. I don’t understand why this isn’t part of the game plan. I understand not informing the patrol level of the police dept, but I don't see how informing the admin above does. The deputy chief is not involved in the management of an enforcement patrol/stop.
Unless you're hired by the chief of police, that sounds very close to testing a system - the police - without the permission of the owner?
And there are safer ways to find the police's reaction time than having them turn up with guns drawn, finding signs of forced entry, and finding you - a non-employee - sneaking around with burglary tools.
For example, you could make a FOIA request for their internal records, ask a local journalist - or if you insist on a real-world test, have the alarm 'accidentally' tripped by a legitimate employee arriving for work early.
>How can you run a security contract that does explicitly illegal things w/o having clear language about what is supposed to happen.
Many actions are very illegal without permission yet we find it very unreasonable to spend time in prison if permission was given. Use sex for example. If you had permission you shouldn't spend any time in prison for it. If the police think you didn't have permission, they should establish that without enough confidence before acting upon it. It is one thing to open an investigation, but the point of arresting people should only be once it has been determined they didn't have permission.
>A piece of paper should not get you off free immediately.
Only once the police have reason to believe it was fake should you be arrested. Arrest first and ask questions later is a dystopian legal tactic.
> Arrest first and ask questions later is a dystopian legal tactic.
It's also the only practical tactic when there's a chance of the targets of an investigation hiding evidence, fleeing, or otherwise hindering that investigation.
None of which was involved in this case. You don’t arrest people for minor traffic violations for example. You detain them to collect relevant information aka pull them over, then let them go.
You're missing the point... it's not possible to tell in advance whether someone should be arrested or not, you have to follow a standard procedure for a lot of reasons, not the least of which is that doing so safeguards everyone's rights.
In the case of traffic violations, the decision to not arrest by default is made far in advance as a matter of policy. When someone at a traffic stop gets arrested, it's not for the traffic violation, it's for another crime they're wanted for, and the standard process for that overrides the traffic stop process.
"Arrest" is a vague term. There is a gap between "detaining" someone while investigating the situation, and "jailing" them. Note that if jails were designed according to "innocent until proven guilty" as legally required, then being jailed temporarily wouldn't be so bad.
Yeah, but the problem is this shouldn't have taken months to be dropped - the full info about the contract was available by the end of that week, and should have resulted in the charges being dropped then and there.
I do not agree. Investigation is needed as the doc can be fake. But charge? Psychological pressure? What harm they do, any broken things? Compensation not chasing after the minor contract issue.
You let go of the police and the gov lawyer bit by bit you lost your liberty. Make them pay! At least there is a negative feedback loop. Otherwise you end up with police state. Or gov lawyer state. Or worst like hk both.
I realize we're in the wild west still with the industry, but I disagree that pen-testers should be ready to spend time in jail. A far better solution, it seems to me, would be to make sure all police and security officers are trained to be aware that A) penetration tests exist and may occur and B) a process to authenticate a pen-tester when they're discovered.
We aren't in the wild west. I've been doing these engagements for more than 20 years. There are well worn guidelines for how to structure the contracts and other rules of engagement to prevent or mitigate this sort of overreaction.
I suspect (with zero evidence) that an over-eager sales rep or sales management booked a deal without contract due-diligence and a pen-test team trusted that the due-diligence had been done.
About 10 years ago, I stumbled across a local government website that leaked personal information about all registered citizens (including full names, civil id numbers, dates of birth, academic grades, etc). I didn't report it because I knew they would try to go after me.
Fast forward to last year, the government decided to double down on their stance by making punishments harsher than most crimes of violence without carving exemptions for white hat researchers.
Unsurprisingly, my country's infrastructure was shown to be completely compromised by Snowden's (or Manning's) leaks.
I was a normal user who made a mistake when entering my own information. Government employees who think like you are the reason why security issues don't get reported.
If you "stumbled across a local government website", you cannot "anonymously leak" it anymore, since your IP address is already on the web server's logs. After an "anonymous leak", it's the first place they'll look.
The only good alternative is to keep quiet, and pray that nobody else finds it and anonymously reports it to the press before the logs containing your IP address are rotated and deleted.
Part of me says Wynn and De Mercurio could try to sue someone -- either their initial customer for not giving them sufficient safety, or people responsible for them being charged -- but then I consider that suing "The law" is such a famously bad idea that it's celebrated in song ("I fought the law and the law won.")
Ultimately, I think they'll get some good conference talks out of it.
Well, fighting the law outside the system is actually a bit more complicated. See civil disobedience, the civil Rights movement, etc as examples where laws were deliberately broken to successfully fight against and change those laws.
Yeah, I agree that that's fighting the law outside the system. I don't think it's different from robbery in the same way that fighting the law from within the system is, I think they're similar in that regard. They're different in that robbery commands nearly zero popular support, making it a bad candidate for change through civil disobedience.
They look great from my perspective. Coalfire will be able to hire on this event in a field with a -15% unemployment rate. If they’re smart they’ll both work this into lucrative speaking arrangements.
There are multiple laws. This issue was a dispute between two branches of government. That's a scenario where you can win. NYC/NYPD has a large budget for police brutality settlements.
Wouldn’t the lesson here be don’t perform any pentests for courthouses in Iowa? They’ve shown themselves to be vindictive and petty, why exactly is their security worth risking my freedom?
That's why companies that don't pay and even sometimes prosecute white hats basically paint a giant target on their backs. All they've accomplished is ensuring that future security practices will be worse and they'll be less secure.
Why did it take so long to dismiss the charges? Wasn’t it obvious from the beginning that they had no criminal intent? (Or is criminal intent not necessary for this crime?)
I would love to read some reporting about what was going on behind the scenes. Anyone have a link?
It was a pissing contest amongst two sheriffs. The original first responders were going to let them go, and a new sheriff arrived on the scene and said the original state administrative office had no authority to authorize it for _his_ courthouse.
So, are these guys going to be at DefCon, with a presentation about their experience, and lessons to share with the wider security community? Because I would be interested in watching said presentation.
Nobody here has mentioned the fact that they went through a locked door (well supposedly it was unlocked, they closed it, and they broke in to test it) even though their 'get-out-of-jail-free' letter explicitly said that was not permitted. I agree it took embarrassingly long to get the case dropped, but it seems like if they hadn't done this there wouldn't have been a problem in the first place.