CEO Of Security Company Behind Unorthodox Penetration Tests Wants To Know Why His Employees Are Still Being Criminally Charged

from the sheriff-determined-to-show-state's-court-who-the-biggest-dick-is dept

A couple of months ago, security researchers performing a very physical penetration test of an Iowa courthouse were arrested for breaking and entering. They were also charged with possessing burglar's tools, which they did indeed possess.

The employees of Coalfire Security said they had been employed by the state's judicial branch to test physical accessibility of courthouses. They had paperwork granting them permission to perform "physical security assessments" at multiple locations. While nothing specifically instructed the security testers to break into buildings, nothing in the documents suggested this was forbidden either. All it told the testers to do was to attempt to gain access to documents, internal systems, and areas closed off to the public.

A statement from the judicial branch suggested there had been some sort of misunderstanding and it apologized to the law enforcement officers for the "confusion" caused by this unorthodox penetration test. That apparently wasn't enough for sheriff's department and local prosecutors who moved ahead with felony charges.

Coalfire Security didn't have much to say when the news first broke, but the company has now issued a lengthy statement [PDF] that accuses the Dallas County Sheriff of turning a routine security test into a battle of wills between his office and the state's judicial branch.

[Coalfire Security employees Gary] Demercurio and [Justin] Wynn proceeded to purposefully trip the alarm to test law enforcement's response time. When they arrived, [Coalfire CEO Tom] McAndrew said, the deputies seemed delighted to be shown the tools and tactics the Coalfire employees used to enter the building. McAndrew blamed the men's arrest on the arrival of Dallas County Sheriff Chad Leonard on the men's arrest, saying he failed to "de-escalate" the situation, as the deputies already on site were ready to let the men go. "Sheriff Leonard failed to exercise common sense and good judgment and turned this engagement into a political battle between the State and the County." McAndrew wrote. "I was stunned that the next morning the issues were not resolved and were actually amplified when bail was set as $100,000."

Prosecutors have performed a slight bit of de-escalation, at least. The felony charges have been dropped, but the researchers are still facing misdemeanor trespassing charges. This prosecution continues despite the judicial branch's statement backing up the arrested men's story that they were hired to test courthouse security.

Sheriff Leonard's needless escalation began during the arrest and continued forward past that point. Emails obtained by the Des Moines Register show Sheriff Leonard refused to release the security employees when their story checked out and further aggravated the situation by promising to give a heads up to other law enforcement agencies who might be interested in capitalizing on some trouble-free arrests.

A police sergeant called one of the state employees, who confirmed what the men said: that this was a legitimate contract and that the men should be let go, according to the email. "I advised them that this building belonged to the taxpayers of Dallas County and the State had no authority to authorize a break-in of this building," [Sheriff] Leonard wrote in the email. Leonard wrote that he then called the state employee to tell him his contractors had been arrested and that he didn't have the authority to authorize this. The state employee disagreed and asked Leonard not to tell other sheriffs, wrote Leonard, who said he responded by saying he was going to tell every sheriff.

It sounds like some "law is the law" bullshit being pushed by Sheriff Leonard, who isn't going to let anyone get away with security research in his jurisdiction. Coalfire's CEO wants to know if Iowans are OK with this.

If what is happening in Iowa begins to happen elsewhere, who will keep those who are supposed to protect citizens honest? This is setting a horrible precedent for the millions of information security professionals who are now wondering if they too may find themselves in jail as criminals simply for doing their job. I believe that citizens of Iowa would benefit from using their resources to fix vulnerabilities, protect their data, and secure their public buildings rather than waste time and taxpayer money on this criminal pursuit.

Joke's on all of us. This is already happening elsewhere. Security researchers constantly face the possibility of arrest, prosecution, or civil lawsuits just for doing their jobs. That this penetration test involved a physical break-in doesn't make it any less legitimate. The court system apologized for the misunderstanding, but good deeds apparently aren't going to go unpunished in this county.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community. Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis. While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: breaking and entering, courthouse, iowa, penetration testing, security researchers

Companies: coalfire security