Last year, the information security world was baffled and frustrated by the tale of Justin Wynn and @Ainchant, penetration testers who were hired to break into a Des Moines courthouse by its managers, then arrested for fulfilling their contract.

1/
Penetration testers evaluate the security of physical and digital systems by breaking into them, with permission from their owners, as a way of identifying and shoring up weaknesses. Wynn and DeMercurio work for @CoalfireSys, a leading pen-tester company.

2/
The state of Iowa hired Coalfire to break into its Dallas County courthouse. Wynn and DeMercurio picked the locks, entered the building, and, as instructed, they left the alarm armed, and set out to see how much data they could get before it brought a response.

3/
The tale of how they landed in jail for doing their jobs is a taut technothriller-cum-legal-thriller, narrated by @a_greenberg for @wired.

wired.com/story/inside-c…

4/
Greenberg describes how the testers waited for the police to arrive, presented themselves to the officers, identified themselves, and explained that they were supposed to be doing this, showing them an official letter from the State of Iowa authorizing them.

5/
But the Dallas County Sheriff Chad Leonard didn't care: the courthouse was county property, not state property, so the pen-testers were trespassing. He ordered their arrest on trespassing and felony burglary charges.

6/
The "Kafkaesque small-town politics" mired Wynn and DeMercurio in a long legal wrangle - but the real story is how easy it was for them to break into all five of the buildings they'd been hired to investigate, and how easy it would have been for them to subvert justice.

7/
"We could have fixed a case... corrupted evidence... identified jurors. You name it." -DeMercurio

Some of their tactics were cool and high-tech - using compressed air to trick an infrared sensor and open a door.

8/
But a lot of the time, security was much simpler to defeat: some doors were so flimsy they could be opened by pushing them until they flexed enough to reach around them and push the crash-bar.

9/
But that wasn't Sheriff Leonard's concern: he was more worried about his turf, defying state orders to let the pen-testers go and telling state officials he considered them "accessories" to a crime.

10/
To make things worse, the magistrate who arraigned them, Judge Andrea Flanagan, refused to believe their story, despite their official letters from her own employer, Iowa's judiciary: "You’re going to have to come up with a better story than that."

11/
And the prosecutor successfully argued that because they were out-of-staters, they needed high bail. The fact that none of the Iowa officials who'd hired them bothered to show up did not help - the state was now "disavowing" the contract.

12/
The state issued a release apologizing to the counties, saying that they hadn't "intended, or anticipated, [Coalfire’s] efforts to include the forced entry into a building." Later, it claimed it hadn't even been aware of parts of the op that it had explicitly authorized.

13/
All of this was bullshit. An outside law-firm hired to investigate the matter concluded that Iowa explicitly hired Coalfire to perform "physical attacks" on its buildings and to "focus on breaking in after hours."

14/
To its credit, Coalfire ignored legal advice to throw Wynn and DeMercurio under the bus, and continued to work in their defense.

15/
Meanwhile, Iowa officialdom arranged a circular firing squad, with apologies from the Chief Justice of its Supreme Court, angry grandstanding from state senator Tony Bisignano, and threats of charges against the state officials that hired Coalfire.

16/
(It may be that the only thing that saved those officials from arrest was the sudden death of the Supreme Court's Chief Justice and the chaos that ensued).

17/
Iowa prosecutors offered Wynn and DeMercurio the chance to plea down to misdemeanors. They refused. Finally, the charges were dropped. State senators are still calling pen-testers "bandits" in public.

18/
It's not clear whether any of the vulnerabilities Wynn and DeMercurio identified have been addressed.

They gave a presentation on their ordeal at last week's Black Hat:

blackhat.com/us-20/briefing…

eof/