A turf war and a botched contract landed two pentesters in Iowa jail

124 points by chha over 5 years ago

11 comments

noodlesUK over 5 years ago
I think redteam physical security is a necessary practice, and it’s a fun career for people I know in the industry, but you wouldn’t ever be able to convince me to break into a facility with an armed response without first telling the actual security on site (in this case the police, and all of them at that) that there would be a red team test between a specific set of dates and NOT TO SHOOT. This could have gone much worse for the poor bastards who got arrested.
edit: not that that justifies at all the absurd response of the sheriff in this case.
mindslight over 5 years ago
> on September 11, no less. We have two unknown people in our courthouse—in a government building—carrying backpacks that remind me and several other deputies of maybe the pressure cooker bombs.
What a sad existence to be ruled by such fear, living out some constant delusion of being attacked like the mass media spectacles. Then trying to push that fear onto everyone else to validate their own overreactions.
broknbottle over 5 years ago
Every time I read an article about this spectacle, I can't help but think of Sheriff Buford T. Justice. Some rinky dink sheriff pulling up his britches and making some statement about how these boys must not know who the law is around these parts.
MaupitiBlue over 5 years ago
I find this is absolutely shocking. The Iowa Supreme Court chief justice apologized for the mess, how have charges not been dropped?
Malicious prosecution or 1983 action?
moomin over 5 years ago
So... they’re trying to prosecute two guys and have not only zero evidence of, but an awful lot of counter-evidence of mens rea.
America has a serious problem with prosecuting people it’s pretty sure are innocent.
couchand over 5 years ago
It sounds like one of the author's main questions is the valid time window for intrusion testing. They make much of the fact that the contract is apparently inconsistent in stating "6AM to 6PM mountain time" in one place and "day and evening" in another. To me, this doesn't sound inconsistent at all: six mountain time is seven central, which is clearly in the evening. I'm having a very hard time seeing the contradiction there.
peteretep over 5 years ago
I tend to think the term “victimless crime” is almost never applicable, but I’m really struggling to see an injured party here.
hpoe over 5 years ago
TL;DR: pentesting company gets a poorly defined and contradictory contract from the state judiciary; the county uses it as an opportunity to pick a fight by pressing charges against two pen testers that were trying to break into the court house.
crb002 over 5 years ago
Sad news. Iowa Chief Justice Cady who headed the illegal pen test died last night of a heart attack.
JoeAltmaier over 5 years ago
Botched contract? The testers were told to do a 'social engineering' attack during the daytime. They subverted locks during the night. It was botched execution, by men who had had a few drinks apparently.
Spooky23 over 5 years ago
I think this type of pen-testing is asinine. A big part of why is that they are providing information that isn’t actionable, and it isn’t necessary to burgle a building — just do an audit.
The other is that many of the companies in the space suck. Coalfire didn’t have an attorney worth a nickel. No competent organization in their right mind would accept a contract that includes illegal entry into another party’s property.
Maybe if the people who hired the pen-testers were interested in an outcome (good security practices), instead of attention and shaming a business partner, you’d have a different outcome.