Aurornis 5 hours ago

I'm glad the charges were dismissed, but to be honest the original reporting shows the story was actually more nuanced than this article led me to believe. 2019 article: https://arstechnica.com/information-technology/2019/11/how-a...

I'll probably get downvoted for even questioning the narrative, but here are some of the nuances that stood out to me:

- When the police contacted someone listed on the authorization letter, that person denied that they had been authorized to conduct physical intrusions. Another contact didn't answer their phone. What are the police supposed to do if the people supposedly authorizing the intrusion are actively denying the authorization?

- The contract had vague language that said they couldn't "force-open doors". The two men told police they had used a tool to open a locked door. The language should have been more specific about what was and was not allowed. (EDIT: This is causing a lot of controversy. The legal definition of "forced entry" in my state does not require literal damage to the property, only a bypassing of barriers. I don't know about the circumstances in this state, but to be clear the term "force-open doors" doesn't necessarily mean using destructive force everywhere)

- The contract said "alarm subversion" was not allowed, but supposedly the police had evidence that they were trying to manipulate the alarm. They deny this.

- The men had been drinking alcohol before the break-in. By the time they were breathalyzed it was at 0.05, meaning the number was even higher when they started the break-in. Drinking alcohol before you do a professional job guaranteed to get the police responding is a terrible idea.

- After they tripped the alarm and the police showed up, they didn't immediately identify themselves and end the exercise. They hid from the police, claiming that they were "testing the authorities' response" which seems obviously out of scope for their agreement.

So I agree that the charges were excessive and the Sheriff was in the wrong on a lot of things, but after reading the details this wasn't really a clear-cut case. The pentesters weren't really doing everything "by the book" if they thought that testing the police response by hiding was in scope of their contract and doing this job after a few alcoholic beverages is a bizarre choice.

bink 4 hours ago | parent | next [-]

I performed these types of physical pen tests years ago. If we were testing security for something like a courthouse we would've had a card on each of us with the personal cell phone number of the county clerk along with a statement of work that described exactly what we were authorized to do, with signatures. In some cases we'd have a backup contact number for more dangerous stuff. The idea that the emergency contact would not answer the phone would've seemed ludicrous. They were always aware of where we were and what we were doing at all times.

Damaging property was never approved. Drinking alcohol before a test would never happen. The insurance risk alone would've been nuts, not to mention the reputational damage if someone smelled it on your breath. Hiding from law enforcement? I'd need to know more about that. If a cop shows up with a gun you absolutely do not hide. If it's a security guard on rounds and you're waiting for them to move on... sure.

It was often dangerous though. Some security and law enforcement types take it personally that they're being "tested" and do not react well. We always tried to have some former law enforcement or military with us because they were less likely to be targeted for abuse than us hackers/nerds.

rainonmoon 4 hours ago | parent | next [-]

> If we were testing security for something like a courthouse we would've had a card on each of us with the personal cell phone number of the county clerk along with a statement of work that described exactly what we were authorized to do, with signatures.

You mean... the thing that they had? FTA:

"Within minutes, deputies arrived and confronted the two intruders. DeMercurio and Wynn produced an authorization letter—known as a “get out of jail free card” in pen-testing circles. After a deputy called one or more of the state court officials listed in the letter and got confirmation it was legit, the deputies said they were satisfied the men were authorized to be in the building."

There's also no indication that they damaged property (they used a UDT to trip a sensor to bypass the door). Neither of us were there, but based on the actual reporting it sounds like the worst anyone could accuse these people of being is stupidly unprofessional and bad communicators, which if you worked with pentesters shouldn't seem like an unprecedented aberration.

Aurornis 3 hours ago | parent [-]

Read the article further. When the police called the phone number on the document, the person on the other end denied that they were authorized to be in the building.

rainonmoon 3 hours ago | parent [-]

But I’m responding to the notion that they should’ve had signed documentation with the scope with them. They did. The fact that their own company hung them out to dry by not informing everyone on that list is not the pentesters’ fault.

bink 2 hours ago | parent [-]

I wasn't trying to suggest they did or didn't have the right documentation. I honestly don't know. I was just explaining how we normally operated. The idea that the emergency contact wouldn't answer, or even worse deny we had authority seems impossible to me... At least if you're doing things the way we did.

halfcat 5 minutes ago | parent [-]

> The idea that the emergency contact wouldn't answer...seems impossible to me

I can’t understand how you think this is impossible if you do things “the right way”.

Phones get stolen or dropped in the toilet. Your contact has been taken to the hospital. Bad cell service. And so on.

These episodes of Darknet Diaries were my favorite. Very suspenseful. I also always thought the people doing the testing were insane for assuming a piece of paper keeps them from getting dragged to jail or worse.

I mean this is stuff the security people tell you not to do. If you get an email from “your bank” saying “call us at this number”, you're supposed to independently verify by calling the main number, not the number they give you, right?

Aurornis 4 hours ago | parent | prev | next [-]

> Hiding from law enforcement? I'd need to know more about that. If a cop shows up with a gun you absolutely do not hide. If it's a security guard on rounds and you're waiting for them to move on... sure.

According to the article, they were hiding from the police who showed up, not security guards.

Testing the police is undeniably out of scope in a situation like this. If the police show up, the exercise needs to be over. You announce your presence and de-escalate, not try to outmaneuver the police.

These two guys only look like heroes in contrast to the overzealous sheriff. Everything else about their operation ranges from amateur hour to complete incompetence, such as drinking before a job.

bink 2 hours ago | parent [-]

I completely agree. Hiding from the cops puts everyone in danger. But to be clear I wouldn't be hiding from the security guards either once they had found evidence of our test. It was really only if they were nearby and unaware anything was happening that we found it OK to hide from them.

The whole point is to test security. Ideally you want to be found because that means that they have reasonable security in place and you can attest to that.

tiahura 4 hours ago | parent | prev [-]

IIRC they had permission from the state court administrator, but not the county. The building is a county building. And, as it does in all sorts of jurisdictions with similar setups, pissing contests arise over various issues.

arcfour 5 hours ago | parent | prev | next [-]

I'm not saying it's the most professional choice, but if I were about to burgle a courthouse as part of my work, I'd like a beer or two to calm my nerves beforehand.

Regarding force, this article says:

> The rules of engagement for this exercise explicitly permitted “physical attacks,” including “lockpicking,” against judicial branch buildings so long as they didn’t cause significant damage.

And later that they entered through an unlocked door, which they (it sounds like) kept unlatched by inserting something between the latch and the doorjamb. Not unreasonable.

Aurornis 5 hours ago | parent | next [-]

> I'm not saying it's the most professional choice, but if I were about to burgle a courthouse as part of my work, I'd like a beer or two to calm my nerves beforehand.

This is a job where having impaired judgment is a terrible idea.

If someone needs alcohol to do a job that involves taking the role of a criminal and summoning the police, drinking alcohol before it is a terrible choice no matter how you look at it. If they can't do the job without alcohol, they shouldn't be doing the job at all. Maintaining unimpaired judgment is a baseline expectation for a job like this.

arcfour 5 hours ago | parent [-]

I doubt judgement is heavily impaired at 0.05 BAC. That is at or below the legal limit to drive a car.

And it really is more of a red herring since they were obviously not visibly intoxicated and they didn't actually do anything illegal. Their BAC is more of an issue between them and their employer, and has no bearing on their false arrest.

Aurornis 5 hours ago | parent | next [-]

> I doubt judgement is heavily impaired at 0.05 BAC. That is at or below the legal limit to drive a car.

0.05% BAC will result in a DUI in many countries. Regardless, any impairment on a job where you're doing things guaranteed to summon the cops is a very bad idea.

BAC also declines linearly over time. I doubt (hope?) they weren't drinking on the job, but a 0.05% BAC measured after their arrest means their BAC would have been higher when they started breaking into the building earlier in the night.

tptacek 5 hours ago | parent [-]

Only Utah has a 0.05 standard. (I think drinking before a nighttime physical pentest is a bad idea).

bawolff an hour ago | parent | next [-]

Is the USA the outlier here? In (most of) Canada 0.05 will get your license suspended (but you don't go to jail unless it's 0.08).

Australia, Scotland and France are also 0.05.

There are quite a few countries where the limit is less than that.

tptacek an hour ago | parent [-]

Maybe? Virtually everywhere in the US is 0.08. I don't think it's a good idea for physical pentesters to drink anything before a gig, for whatever that's worth, so hopefully we're just shooting the shit about different countries' rules.

shawn_w 4 hours ago | parent | prev [-]

Washington might be moving to 0.05 too. (A bill just narrowly passed the state Senate; still has to clear the state house)

themafia 4 hours ago | parent | prev | next [-]

> heavily impaired

The level of impairment doesn't matter. They are impaired. There is no standard or testing which reveals the minimum level of impairment that one can safely do the job. So, you don't do it impaired, at any level, period.

> and has no bearing on their false arrest.

Two people that have obviously been drinking, hiding from police, and then making up fantastic sounding stories as to why they're in a taxpayer-owned facility outside of working hours. The police had good reason to effect an arrest so it can't be "false arrest."

janalsncm 5 hours ago | parent | prev [-]

> I doubt judgement is heavily impaired at 0.05 BAC

Physical coordination becomes an issue. 70% of subjects tested struggled to maintain lane position at 0.02%.

https://pmc.ncbi.nlm.nih.gov/articles/PMC102344

arcfour 4 hours ago | parent | next [-]

I don't see how that relates to, say, software engineering or physical pentesting though. And 1/3 people is still a fairly significant number that do not suffer ill effects. I also said heavily impaired—not that they were categorically not suffering from any effect of the alcohol.

My point is not that they definitely should have done it. It is simply that, in this context, it's really not a big deal & is not really germane to the discussion at all. They did nothing wrong, stone cold sober or not.

lux-lux-lux 4 hours ago | parent | prev [-]

That’s not what your link says; impairment at 0.02 BAC is measurable, but a fraction of standard day-to-day variation for a person. It’s roughly equivalent to missing coffee at breakfast.

bawolff an hour ago | parent | prev | next [-]

> I'm not saying it's the most professional choice, but if I were about to burgle a courthouse as part of my work, I'd like a beer or two to calm my nerves beforehand.

I feel like if you do something for a living, you shouldn't need to calm your nerves for it.

technion 4 hours ago | parent | prev | next [-]

I'll note 0.05 means you can't legally drive in Australia and would be issued a DUI.

janalsncm 5 hours ago | parent | prev | next [-]

Is drinking common for physical pentesters? I just do boring software stuff but I’m pretty sure drinking on the job would be a fireable offense for me.

And even if their BAC was technically under the legal limit, their ability to e.g. drive was impaired. So it seems unprofessional.

arcfour 4 hours ago | parent | next [-]

Their ability to drive being impaired is somewhat dubious since they are under the legal limit in all of the states I have heard of.

W/r/t drinking and working, I personally dislike the puritanical zero tolerance for alcohol approach that people here in the US seem to take by default. Most people can have one or two drinks and work just fine, with obvious exceptions.

I don't think we should judge people who have to travel to a boring small town in Iowa and have to go to work in the middle of the night for having a drink or two.

If you can't have just a drink or two, or have to do it every day, that's a bigger issue that goes beyond work vs. simply having a drink and doing work on occasion.

chneu 3 hours ago | parent [-]

Agreed about the puritanical stance here in the US.

People drive on prescription drugs like it's nothing. But a beer? Haha.

For context, I've been sober for a decade. I don't mind if people have a beer. I get it.

kube-system 3 hours ago | parent | prev | next [-]

> I just do boring software stuff but I’m pretty sure drinking on the job would be a fireable offense for me.

I've never worked a software job where I wasn't provided free alcohol at work.

Aurornis 3 hours ago | parent | prev | next [-]

> Is drinking common for physical pentesters?

Absolutely not.

Physical pentest scenarios are highly likely to end with an alarm tripping and the police arriving, except in cases where the alarm wasn't armed, didn't have connectivity, or was broken.

An encounter with the police was virtually guaranteed in this case. Drinking before the job was highly unusual and irresponsible.

mandevil 3 hours ago | parent | prev | next [-]

Obligatory XKCD: https://xkcd.com/323/

Note that Munroe's number for the peak (0.13%) is significantly higher than the legal limit for driving, and than these guys recorded here.

IshKebab 4 hours ago | parent | prev [-]

> I just do boring software stuff but I’m pretty sure drinking on the job would be a fireable offense for me.

What?? For real?

kstrauser 5 hours ago | parent | prev [-]

I'd have more "eager" than "anxious" nerves, and I wouldn't need a beer for that. The fun thing about pentesting is that it doesn't matter if you get caught, although it's more fun if you don't.

Hard agree about "forcing", though. The very word implies, you know, non-trivial amounts of force. Like technically walking toward a door in a normal human room at standard temperature and pressure means you're applying non-zero amounts of force to it, so arguments like "they applied any force at all" can be ignored as goofy.

ottah 4 hours ago | parent | prev | next [-]

Seems reasonable to assume some blame from the pentesters, but neither are police known to be faithful and honest presenters of the truth. I'm not firmly convinced that the police story isn't exaggerated or embellished.

1970-01-01 5 hours ago | parent | prev | next [-]

The police settled for $600k, it wasn't dismissed.

Aurornis 5 hours ago | parent [-]

The original charges against them were dismissed.

They brought a separate case against the police and were awarded $600K

Two separate legal matters for the same event.

1970-01-01 5 hours ago | parent [-]

Ok that makes much more sense

tiahura 4 hours ago | parent | prev [-]

All of that is true, but it only means that it should have taken a few hours to sort out instead of 15 minutes. It became a pissing match between the courts and the county and these guys got squeezed. As a lawyer, I can't believe that there wasn't a lawyer for the county telling them that night that this was going to cost them.