A turf war and a botched contract landed two pentesters in Iowa jail (arstechnica.com)
124 points by chha on Nov 16, 2019 | 81 comments



I think redteam physical security is a necessary practice, and it’s a fun career for people I know in the industry, but you wouldn’t ever be able to convince me to break into a facility with an armed response without first telling the actual security on site (in this case the police, and all of them at that) that there would be a red team test between a specific set of dates and NOT TO SHOOT. This could have gone much worse for the poor bastards who got arrested.

edit: not that that justifies at all the absurd response of the sheriff in this case.


Why would anyone shoot an intruder on commercial premises? Is that ever legal? I know homes are different in the US, but would a security guard ever literally see someone they didn’t recognise, draw their gun, and just execute them like that?


They wouldn't shoot someone because that person is an intruder. They would shoot that person because they think that person has a weapon and is about to harm them. The article says there was suspicion that the men's backpacks contained pressure cooker bombs, and they were doing it on September 11.

Consider Daniel Shaver, he was crawling on the floor with no weapon, but the police suspected he had a gun and was about to shoot them, so they shot him. The courts found the police not guilty.


> Why would anyone shoot an intruder on commercial premises?

The article is about government property (a courthouse) not commercial property.


It happens regularly enough that searching 'security guard shoots man' turns up applicable stories on the first page.

For example: https://www.sltrib.com/news/2018/06/20/security-guard-shoots... (slightly more elaborate, but still a man shot in the back and killed when peacefully leaving an area)


There is no basis for use of lethal force other than self defense against a threat to life. That seems to get lost in the US all too frequently.


I think US law considers being on someone else’s property to be an inherent threat to life, in cases like a home.

Also defending another person against a threat to life is a basis for the use of legal force everywhere - that’s pretty uncontroversial I think.


Defence of others is indeed covered in self defence. But the threat response has to be proportional -- you can't shoot someone in the head because they look menacing or said you had an ugly dog.

The 'castle doctrine' you refer to is a perversion peculiar to some US states, but it still has to be your home and you still have to have a reasonable belief your life is threatened. Strangely, although you can use lethal force on an intruder/trespasser, if you shoot a police officer about to conduct a lawful no-knock raid, I think you could get convicted.

https://www.texasmonthly.com/news/a-no-knock-raid-in-houston...


"Lawful no-knock raid" is a basic contradiction. If there is no notice that the home invaders are police, then they're actually just home invaders. It's unfortunate that so many will have to die before a sympathetic enough casualty comes along to end the practice.


It is certainly the case that, statistically, no-knock raids are unjustified. The idea that losing a dime bag of drug evidence is sufficient basis seems absurd. If it's a Hell's Angels clubhouse full of weapons or a Sinaloa cartel abduction site I can see the necessity, i.e. to reduce the risk to the community of high powered weapons use by the suspects. But judges in the US seem to give out no-knock warrants like candy.


> I think US law considers being on someone else’s property to be an inherent threat to life, in cases like a home.

Only a few states have castle doctrine laws in effect, and there are restrictions on when they apply.


> Why would anyone shoot an intruder on commercial premises?

When all you have is a gun, everything is a nail that can be shot at.


People panic -- if you've got a gun and are having an emotional response of some kind, anger, fear, what-have-you, someone could easily get shot when otherwise they wouldn't.


This is why mall cops and speeding fine issuers should not be armed like they are about to raid an organised crime hiding spot. It's astounding that some countries allow random security guards to have guns. Unless you are highly trained and entering a very dangerous situation you should not have any guns at all.



NRA website with some questionable and some nonsensical info graphics.


Not NRA. Sources are hyperlinked at the bottom. Which do you question?


Just to take one example: The UK records violent crimes that are not violent crimes in the US. So yes, violent crimes are higher in the UK. But they’d soar in the US if they’d use the same definition.


Possible! Source please.

Ref:

https://americangunfacts.com/pdf/www-telegraph-co-uk.pdf

"2034[1] vs 466 Violent Crimes UK vs US per 100k people"

[1] The July 2009 Telegraph article says "over 2000"



Excellent, thank you.


Generally speaking commercial security will not shoot you unless they have no other option. When you start talking courthouses and other government facilities where the people carrying guns more or less have government granted immunity if they use them in questionable circumstances all bets are off. You could get a normal security guard or you could get the ex-police officer who got kicked out of real policing for being too violent too often (whereas that guy would never be able to maintain employment in private security).


If security were perfect, we wouldn't need pentesters in the first place.


Armed responders are human. Humans make mistakes. Drop guns aren’t unheard of when a bad officer decides to cover up a mistake.


Why do they arm normal police officers and security guards? Why not leave the armed response to specialist officers with much higher levels of training and accountability?


Violent criminals don't break for tea time while everyone waits for the "armed response" people to show up. Cops and security guards are armed because they encounter situations where they have to defend themselves against someone who wants to kill them. If a criminal is pulling a gun out of his waistband, suggesting that the cop or security guard should have to be a defenseless sitting duck while screaming into the radio for "armed response" is an utterly silly proposition.


Are most criminals really carrying guns? It seems like a bad trade-off to arm everyone all the time just for the one in a billion case that a criminal is armed.


First of all, there are more ways than just guns for a criminal adversary to kill someone, including knives, hammers, baseball bats, pounding a person's head into the sidewalk using bare hands only, etc. Secondly, a cursory glance at crime statistics ought to dispossess you of the notion that criminals are only armed every "one in a billion" cases. Thirdly, if you really think this only happens "one in a billion" cases, why would you bother standing up an armed response team at all?


Police and security in the UK manage just fine without guns. I think arming the police means criminals feel the need to be armed in response.


The United States isn't the UK. That aside, considering the UK's recent surge in knife violence, I'm not sure your assertion that armed police cause criminals to arm themselves can be substantiated.


In my current state almost everyone has a weapon. My neighbor (legally) owns a fully automatic gun. I have had a gun pointed at me twice during two separate crimes when I lived in another state. That state has extremely harsh gun laws, one year minimum for every bullet in an illegal weapon.

Just last week there was a home invasion robbery and the man's guard dog was shot and killed in my current city.

Slightly more than one in a billion chance.

Guns can’t be taken out of citizens’ hands. Teach responsible use and double down.


They only make mistakes when the other party isn’t white.


Police murder plenty of white people.


Guns are a lot more accepted in the US and it's unlikely that a UK site would have any armed guards - places like Sellafield and other nuke sites do, but you would have an order of magnitude of difference in the sort of organisations that do hardcore (red) pentesting.

But it does seem that the Sheriff is acting out the stereotype of the local and incompetent sheriff à la J.W. Pepper in the Bond films.


I actually find physical security pentesting kind of lame but I guess everyone has their own opinion. I find fiddling around with door locks and stuff just takes more time and boredom rather than significant intelligence like cybersecurity.


> on September 11, no less. We have two unknown people in our courthouse—in a government building—carrying backpacks that remind me and several other deputies of maybe the pressure cooker bombs.

What a sad existence to be ruled by such fear, living out some constant delusion of being attacked like the mass media spectacles. Then trying to push that fear onto everyone else to validate their own overreactions.


TBH. It’s more the government’s fault. These local jurisdictions are constantly undergoing terrorism training from the state and federal governments. When I was a firefighter we constantly trained for NBC and other types of terrorist attacks and were required to have a mandatory amount of training regarding other types of incidents that could all be caused by terrorism. It’s been a basically constant drumbeat by the state and federal governments since September 11.

And honestly the pentest company should have thought twice before conducting this type of test on September 11th. Any anniversary date of a major terrorist attack is a potential day of a second copycat attack.


I agree it's a much bigger problem than just the boots on the ground watching too much 24. But the "September 11" focus in the latter half of your comment is itself part of that problem. If you're talking about historical effects, at least refer to the date with the year attached.

FWIW "copycat attack" is just yet another minimally-plausible scenario that propagates fear.


> If you're talking about historical effects, at least refer to the date with the year attached.

That seems unnecessary, I don't think there's a person alive unaware of the year he's referring to.

No one in the comments here is "worshipping" 9/11 but the GP is correct in saying Coalfire should have thought twice about a redteam pentest on a date that puts law enforcement on high alert.


Clearly he's referring to the 1973 coup d'etat in Chile, the start of 2 decades of torture and disappearances in that country.


The point is to avoid magnifying the one-time tragedy onto a calendar day that happens every year. Your comment suffers from this, implying that it's the public's job to be sensitive to when law enforcement comes up with a reason to have a paranoia party. I would imagine it's possible to come up with a similar justification for "high alert" for at least a quarter of the year - and none of it should be accepted by Free society.


> That seems unnecessary, I don't think there's a person alive unaware of the year he's referring to.

Yes but explicitly stating the year emphasizes that you're talking about an event the better part of two decades ago. A "copycat" of something that happened when one of these guys was about 11 years old. It's farcical and stating the year emphasizes that. If they'd done it on December 7th, "the date that will live in infamy", would a copycat attack on Pearl Harbor be suspected? Give me a break.


We did not get the Patriot Act from Pearl Harbor.


That's an inane and irrelevant point to make. More than 100,000 Japanese Americans were interned in the aftermath so in either case there was an extreme reaction from the US government, but that's not relevant because it's no more plausible that two guys creeping around a courthouse at night were trying to torpedo battleships than they were trying to fly airplanes into skyscrapers.


I respectfully disagree.

It took almost 50 years for the US government to acknowledge the extreme reaction to Pearl Harbor and provide reparations.

If that is any indication, 9/11 will remain in the zeitgeist for at least another 30 years.


But we did murder millions of innocent people because of it. Whether that’s on par with the Patriot Act is up to you.


I'm curious where you're getting that figure. Somewhere in the neighborhood of 550,000 - 800,000 Japanese civilians died during WWII (those figures include both atomic bombings). More than two million Japanese military personnel were killed, but those obviously don't count as "innocent people murdered".



Every time I read an article about this spectacle, I can't help but think of Sheriff Buford T. Justice. Some rinky dink sheriff pulling up his britches and making some statement about how these boys must not know who the law is around these parts.


The sheriff was 100%. The State Court Administrator and Chief Justice orchestrates an illegal break in of a county property in violation of Iowa Code 721. Chief Justice Cady died last night of a heart attack.


> The State Court Administrator and Chief Justice orchestrates an illegal break in of a county property in violation of Iowa Code 721.

That's a very open question. Under Iowa law, the counties have to provide the buildings to the state, but the state controls them. The position of the state court is that this control is total when it comes to security, and thus they can authorize whatever they like. (And there are court decisions supporting this view.)

Ultimately this is a legal question, which will be answered by the courts. But uh, the smart money is that the Iowa state courts will decide that the Iowa state courts were correct the first time, have lots of power, and didn't break any laws. But hey, anything could happen...


Chief Justice Cady admitted he was in the wrong before his death Friday. It won’t be revisited.


You might want to consider citing some evidence.


Excerpt from the article:

‘In October, Iowa Supreme Court Chief Justice Mark Cady, who oversees the state’s judicial branch including all judicial officers and court employees, apologized for the incident before the state’s Senate Government Oversight Committee, according to the Des Moines Register, which has been closely following developments in the case.

“In our efforts to fulfill our duty to protect confidential information of Iowans from cyberattacks, mistakes were made,” he said, using the passive voice that’s so common in leaders’ admissions of responsibility. “We are doing everything possible to correct those mistakes, be accountable for the mistakes and to make sure they never, ever occur again.” He declined to comment for this story.’


I find this absolutely shocking. The Iowa Supreme Court chief justice apologized for the mess, how have charges not been dropped?

Malicious prosecution or 1983 action?


The Chief Justice died last night of a heart attack. 1983 would be against Chief Justice and State Court Administrator for setting them up.


1983 would be against the Sheriff for false arrest and imprisonment. As soon as it became clear that they did not have the appropriate mens rea for any of the crimes, holding them in jail was blatantly illegal. Even if you somehow manage to misinterpret the law to not require mens rea, as soon as it became clear that it was entrapment it became illegal to continue to hold them.

There is no reasonable legal theory in which they are not innocent, unless there are substantial non public facts.

That's whether or not you think that the state has the authority to authorize this.


It was a clear breakin. The 99 County Courthouses are County owned and operated buildings. Iowa fully localized building control in the 1970s.


> He also noted that a provision in the contract required the SCA to secure all necessary permission for the execution of the contract.

Therefore it seems to me that if anything illegal was done, it was SCA failing to acquire permission for the pentest.


And none of that matters, so even though I think you're wrong I didn't dispute it.


So... they’re trying to prosecute two guys and have not only zero evidence of, but an awful lot of counter-evidence of mens rea.

America has a serious problem with prosecuting people it’s pretty sure are innocent.


They broke into a county building with no authorization. Even the purported state authorization didn't permit any of the activities they performed (defeating locks; operating at night; interfering with the alarm).

'Zero' is hyperbole, since 4 significant charges is greater than zero.

It's true they have no evidence of intent to harm. But it's hardly a harmless mistake that they, after a few drinks, broke into the wrong building without permission. During the night (supposed to be during the day). A judicial building.


The contract is published online. It certainly describes "circumventing physical security measures", such as locks. The contract is signed by an authority for which there was no reasonable doubt that they were not authorized to approve the work. The signatures are on the contract describing the scope and type of work performed.


‘Even the purported state authorization didn't permit any of the activities they performed (defeating locks; operating at night; interfering with the alarm).’

This is incorrect.

One of the three documents indicated this, however, the other documents allowed those tactics.

Are the documents in conflict? Yes.


The documents prepared before the contract supported all sorts of activities.

But the contract signed by the state, did not. It spelled out exactly what was allowed. That the organization advertises it is capable of other physical testing is interesting, but not relevant.


The prosecutors could have laid down 1,000 charges and they still would have no evidence that the people concerned didn’t think they had authorisation.

And, ironically since I’m usually pointing out the opposite, just because it’s serious doesn’t mean it’s criminal.


It sounds like one of the author's main questions is the valid time window for intrusion testing. They make much of the fact that the contract is apparently inconsistent in stating "6AM to 6PM mountain time" in one place and "day and evening" in another. To me, this doesn't sound inconsistent at all: six mountain time is seven central, which is clearly in the evening. I'm having a very hard time seeing the contradiction there.


I tend to think the term “victimless crime” is almost never applicable, but I’m really struggling to see an injured party here.


A police response costs money.

But generally would trespassing be considered a victimless crime? If you find out that someone trespassed, that might cause psychological harm. But if someone trespasses and no one notices, I guess that might be victimless. If a tree falls in the forest and no one is around, does it make a sound?


> A police response costs money.

Police is already paid for with taxes. Writing bills for police responses not only creates wrong incentives, it's also redundant.

There can be fines for calling the police frivolously, but that's a different matter.


If the state 'authorized' someone to break into your home, maybe we'd see an injured party?


TL;DR pentesting company gets a poorly defined and contradictory contract from the state judiciary; the county uses it as an opportunity to pick a fight by pressing charges against two pen testers that were trying to break into the court house.


No, Chief Justice and State Court Administrator dupe them into conducting an illegal pen test. Prosecutor is an ass by not dropping charges on pen testers if they testify against state court admin. Chief Justice died last night of a heart attack so not an issue.


Sad news. Iowa Chief Justice Cady who headed the illegal pen test died last night of a heart attack.


Botched contract? The testers were told to do a 'social engineering' attack during the daytime. They subverted locks during the night. It was botched execution, by men who had had a few drinks apparently.


I think this type of pen-testing is asinine. A big part of why is that they are providing information that isn’t actionable, and it isn’t necessary to burgle a building — just do an audit.

The other is that many of the companies in the space suck. Coalfire didn’t have an attorney worth a nickel. No competent organization in their right mind would accept a contract that includes illegal entry into another party’s property.

Maybe if the people who hired the pen-testers were interested in an outcome (good security practices), instead of attention and shaming a business partner, you’d have a different outcome.


Pentesting can be about highlighting poor budgets and security practices - I’ve had clients basically hand me findings because they just want a report that says how crap they are.

I’m not a huge fan of physical breaches purely because they’re not a realistic threat model - maybe in the case of larger court houses that house evidence in cases where people might have the resources to do such a breach, but in most situations no decent attacker would risk their face on camera when malware.docx.exe would suffice


It seems like physical pentesting is more about putting on a show. If you can break into the network remotely, most people have a hard time understanding the technical details. But if you can break into a courthouse undetected, now you have something everyone understands.


If what you describe had been done, this wouldn’t be news.

If I were the CIO or CISO of the state court, I would want to audit a few courts, and work with them to test those controls. That’s where you work with the county to test their controls - just like your scenario.

Then the test is a tool that can be used to get funds from the state, county and federal government to fix the problems.


Well, I have to say the restricted parameters they gave them weren’t worth a damn.


Fwiw real breaches don’t care about parameters. I know the law doesn’t see it that way, and the pentesters probably should have cared a bit more but most contracts I see basically caveat reports to say ‘and any related systems’ which gives something that will cover basically anything that would be considered ‘reasonable’ in the court of law.

The purpose isn’t to be an asshole, it’s to actually raise issues when you’re otherwise limited by sleazy performance-paid project managers trying to limit your scope to basically nothing.



