from Hacker News

Charges dropped against pentesters paid to break into Iowa courthouse

by froindt on 1/30/20, 11:55 PM with 114 comments

  • by irjustin on 1/31/20, 1:54 AM

    At first, I assumed I was going to be only angry at the justice system, but after understanding the contract document was split in 3 with very wishy-washy language, part of the problem is on the contracted company.

    This is why you have explicit language in your documents. It's not there for when things go well - it's when things go bad like this situation. In fact, I argue this is an expected outcome. How can you run a security contract that does explicitly illegal things w/o having clear language about what is supposed to happen?

    FWIW:

    - The pen testers should be ready to spend time in jail and be compensated as such. A piece of paper should not get you off free immediately. That thing needs to be verified, so expect it to take time.

    - Language in your doc needs to be clear exactly what will happen. The whole fiasco afterwards should not have needed to take place. If the customers want 'more pen testing' charge them for it.

    Overall this is a great outcome. Just need to clean up the edges a bit.

  • by guug on 1/31/20, 3:04 AM

    About 10 years ago, I stumbled across a local government website that leaked personal information about all registered citizens (including full names, civil id numbers, dates of birth, academic grades, etc). I didn't report it because I knew they would try to go after me.

    Fast forward to last year, the government decided to double down on their stance by making punishments harsher than most crimes of violence without carving out exemptions for white hat researchers.

    Unsurprisingly, my country's infrastructure was shown to be completely compromised by Snowden's (or Manning's) leaks.

  • by LeonB on 1/31/20, 1:43 AM

    This has been quite a wild ride.

    Part of me says Wynn and De Mercurio could try to sue someone -- either their initial customer for not giving them sufficient safety, or people responsible for them being charged -- but then I consider that suing "The law" is such a famously bad idea that it's celebrated in song ("I fought the law and the law won.")

    Ultimately, I think they'll get some good conference talks out of it.

  • by exabrial on 1/31/20, 3:04 AM

    Lesson here is don't embarrass the prosecutor's office. These people aren't held accountable to anyone and they don't want that to change.

  • by Pyxl101 on 1/31/20, 3:20 AM

    Why did it take so long to dismiss the charges? Wasn’t it obvious from the beginning that they had no criminal intent? (Or is criminal intent not necessary for this crime?)

    I would love to read some reporting about what was going on behind the scenes. Anyone have a link?

  • by korethr on 1/31/20, 6:23 PM

    So, are these guys going to be at DefCon, with a presentation about their experience, and lessons to share with the wider security community? Because I would be interested in watching said presentation.

  • by lightedman on 1/31/20, 3:21 PM

    Charges dropped? Time to file for malicious prosecution against the DA's office.

  • by cartothemax on 1/31/20, 4:07 PM

    That county had a breach in late November of last year too. https://www.kcci.com/article/dhs-data-breach-in-dallas-count...

  • by lasky on 1/31/20, 4:52 AM

    And once again, any US organization allowed to use a .gov domain loses yet ANOTHER notch of credibility, and confidence in their competence.

  • by qaq on 1/31/20, 2:57 AM

    Might be safer to work for a larger outfit with a good legal department?

  • by auiya on 1/31/20, 3:08 PM

    Last I heard the attrition rate at Coalfire was quite high. Issues like these I'm sure aren't helping.

  • by fyfy18 on 1/31/20, 7:10 AM

    Nobody here has mentioned the fact that they went through a locked door (well supposedly it was unlocked, they closed it, and they broke in to test it) even though their 'get-out-of-jail-free' letter explicitly said that was not permitted. I agree it took embarrassingly long to get the case dropped, but it seems like if they hadn't done this there wouldn't have been a problem in the first place.