What is wild about this is the cops showed up, held the guys, they showed them their letter that they were authorized and the cops called the references on the letter and everyone was fine.
Then the Sheriff showed up and insisted they be arrested...
Everything was fine until one person who didn't get it, who happened to be in charge, showed up.
>When Sheriff Leonard arrived, the tone suddenly changed. He said the Dallas County Courthouse was under his jurisdiction and he hadn’t authorized any such intrusion.
Reading only ever so slightly between the lines, it's clear that he probably did get it, just that he either wanted to swing his dick around for its own sake, or, more likely it seems from the dedcription in the article, resented that he was kept out of the loop on "his turf".
Per the legal system, arrested is probably safe course of action until they could verify the authenticity of the letter. It's really the ensuing events after that were abysmally stupid.
They did verify the authenticity. The police won't launch a full investigation for every single possibility and doing so would be a colossal waste of resources. They are, in fact, allowed to make some calls and be satisfied at that point that the letter is authentic without investigating every single fraudulent possibility.
> I think that arrest was warranted until thy could independently confirm the phone numbers…
Your premise is correct, you conclusion is stupid. "hey jon, pull out your phone, is this the same number listed on the county webpage for this office?" - "yeah jack sure is" - "hey thanks for your patience guys, and thanks for your help protecting the court house from the baddies"
Even if you couldn't do that, and couldn't hold them on site. Sure, transport them back to hold while you have the person on the phone drive down to the police station with id. There was NO reason to charge and arraign them.
Is that accurate? Being charged with a crime but then having charges subsequently dropped shouldn't show up in a background check. Plus, given their line of work, I think in their profession it would basically be a badge of honor.
This can happen just being under investigation. Or worse, no arrest, conviction or investigation. Just word of mouth kind of stuff can do it.
Employers also have a convenient privilege to maintain these narratives about a former employee. This is employer to employer confidentiality where they can say almost anything about you to another potential employer and you never have the chance to hear it or correct it.
Everyone should support the ability of even a person with a conviction to continue working and contributing to society. It's kind of a civil death that leads to bad outcomes for those targeted.
>Everyone should support the ability of even a person with a conviction to continue working and contributing to society. It's kind of a civil death that leads to bad outcomes for those targeted.
And not just those targeted either. The communities where those people live are deprived of the higher economic activity of someone with a middle/upper-middle-class income/lifestyle than someone who can only get a job mopping floors or washing cars.
That has a definite downward drag on the economic health of the communities where folks aren't given the opportunity to contribute because of past transgressions or, as we're discussing here, unwarranted criminal charges and investigations.
It's not just sad, it's a disgusting waste of human potential. More's the pity.
Also, I've seen many job applications that ask a question like: "Have you ever been arrested for a crime, regardless of the outcome?" Presumably mere involvement with law enforcement (even if acquitted or charges dropped) is some kind of signal in these guys' risk formulas.
Can confirm. I needed a security clearance for government contracting work when I was in my mid-30s. The background check flagged a dismissed charge from when I was a teenager.
It's hard to say if they would be able to gain security clearances in the future. Not to mention automated application systems will drop them from the system immediately with a prior arrest.
One of them went on to start their own physical pentest firm. I think they're doing fine. I also think if they'd lost clearances, or ran into later clearance problems, that would have made it into their complaint. I don't know, maybe you're right. It's not like I disagree with them about suing.
I mean it was fine for these guys because they got huge press and happen to be in an industry that can handle this. They've got experience, current employment, industry contacts, and there's really barely a functional college curriculum, or certification track for this. You #1 need to be trusted to break in since you know, they teach each other how to break into high-security facilities.
I really just wanna point out that getting contracts for government administrative building is already like, way in and near the top of the game, this could have set them back 9 months or none at all, still, someone has to be held accountable when there is an obvious miscarriage like this.
I mean they called their boss! They had a special letter! Why didn't shitty sheriff just like demand that the security chief come out and make some calls? 600k sounds fair I suppose but 6 years sure doesn't when its an elected official!
THIS should be illegal. If you are arrested and have all charges dropped, you should not show up on any database whatsoever, nor be required to answer “yes” to “gave you been arrested.”
The SF86 has a 7-year lookback on arrests. Clearance is fundamentally discretionary, though; it's a risk assessment. I don't think you have even a due process right to it.
I say all this but --- knowing that the principals in this story might read this thread and drop in and correct me, which would be awesome --- I think it's actually more likely that their careers benefited from this news story, and that they probably didn't lose any cleared business from it. I can't say enough that these two became industry celebrities over this case.
> Clearance is fundamentally discretionary, though; it's a risk assessment. I don't think you have even a due process right to it.
Security clearance is subject to due process protections (at least, insofar as it is a component of government hiring and continuation of employment), because government employment is subject to due process protections and the courts have not allowed security clearance requirements to be an end-run around that.
Navy v. Egan (1988) acknowledges a due process protection but limits it to procedural due process, not review of the merits of the clearance determination (i.e., the due process protection does not extend to substantive due process.)
Subsequent cases (mostly at the Federal Circuit, I can’t find the Supreme Court getting involved much since) like Cheney v. DOJ (2007) and Cruz-Martinez v. DHS (2020) have developed what that requires.
For cases outside of government employment, though the decisions so far are only at the trial level, Perkins Coie LLC vs. DOJ (2025) and Zaid v. Executive Office of the President (2025) are worth checking out in this regard.
pretty sure the companies making money providing this service would bring a freedom of speech defense if you tried to get a law passed keeping the information from showing up in a search, and would win, despite the obvious idiocy of the result.
This isn't a felony case. In fact, I'm not sure it ever was? It's not clear from their amended complaint, but they were ultimately charged with simple trespassing, a misdemeanor. Those trespassing charges were themselves dismissed a few months later.
What we're talking about today is the resolution of what looks to me (not a lawyer) mostly like a defamation case. Were they defamed? Absolutely. The problem is, to get anything useful out of a defamation case, you need to demonstrate damages. They were accused of a crime --- per se defamation --- but the point of the suit is to recover damages.
I don't want to be glib, and I'm very prepared to be wrong, but the Dallas County Courthouse Incident is likely one of the top 3 world events to have happened to both these pentesters. They've been cause celebres in the field for years and years. It might be pretty tricky to actually demonstrate damages.
They were arrested, arraigned and bonded for felony charges. Those were later reduced to misdemeanor charges and the case was eventually dropped/dismissed (can't remember which) - so they were facing felony charges for a while.
I didn’t see how long it took for the charges to change from felony to misdemeanor before being dropped. It would be standard for clearances to be suspended for investigation when you get charged with a felony. (You have to report even an arrest or misdemeanor, but it’s less likely they’ll suspend it while investigating you for those).
In Canada there was a big court case in 2016 over the civil right of "right to a speedy trial" where the courts said it had to be within 18 months for charges in provincial courts, which is where most crime ends up. During COVID there was a giant backlog of trials created and a criminal lawyer I know told me half of her clients in recent years got their cases stayed (thrown out) because of this backlog. This apparently happened all over the country and included tons people who were charged for violent crimes.
I'd call that working as intended. The government is the one who shut down the courts. They could have implemented safety precautions and staffed up to handle the backlog.
Only applies when it’s the state vs you. Whether a crime or a parking ticket (the real kind, not the extrajudicial “administrative penalties” they’re all moving to)
If you want to sue someone in Canada, it can still take years.
When they turn this slowly it's disingenuous to call it justice. Spending 10% of your adult life locked in legal battles is a ridiculous price to pay for something that should be resolved in under a year.
They weren't "locked in a legal battle". Their criminal charges were dismissed within 6 months of the incident happening. What resolved recently was a civil suit they themselves brought for damages from defamation and emotional distress.
I think this is the kind of thing that sounds reasonable until the first time you've sued someone. Resolution in one year? Don't even fantasize about it.
"We" (here in W.Australia) got sued by a US company for doing math once - took six years of legal back and forth to "win", eight years out of people's lives from disruption, and essentially destroyed a company that innovated.
I don't think these are crazy timelines for civil litigation here. I mean, is it worth criticizing? I guess, sure. But: civil suits take for-ev-er. A case is an indeterminate but fairly large number of steps, each of which includes 1d8+4 month next check-in date.
I'd like to see an hour-by-hour breakdown of what labor is actually being done, by which judges, lawyers and clerks, during the course of a 6 year trial, and see how much it adds up to. I wonder if it would even amount to a single, cumulative person-month of work?
The cases to judge and cases to lawyer (government side anyways) is extremely high. I think this is actually a negative a creates waste through context switching with all the delays. Nobody wants to pay to appropriately staff the court system. And frankly they waste money on fancy ornate buildings when they could make them much more plain and efficient.
I remember this story and how dumb I thought it was when it happened. Personally I think the sheriff should be fired, but $100k for every year of incompetency from Dallas county isn’t the worst outcome.
I'll probably get downvoted for even questioning the narrative, but here are some of the nuances that stood out to me:
- When the police contacted someone listed on the authorization letter, that person denied that they had been authorized to conduct physical intrusions. Another contact didn't answer their phone. What are the police supposed to do if the people supposedly authorizing the intrusion are actively denying the authorization?
- The contract had vague language that say they couldn't "force-open doors". The two men told police they had used a tool to open a locked door. The language should have been more specific about what was and was not allowed. (EDIT: This is causing a lot of controversy. The legal definition of "forced entry" in my state does not require literal damage to the property, only a bypassing of barriers. I don't know about the circumstances in this state, but to be clear the term "force-open doors" doesn't necessarily mean using destructive force everywhere)
- The contract said "alarm subversion" was not allowed, but supposedly the police had evidence that they were trying to manipulate the alarm. They deny this.
- The men had been drinking alcohol before the break-in. By the time they were breathalyzed it was at 0.05, meaning the number was even higher when they started the break-in. Drinking alcohol before you do a professional job guaranteed to get the police responding is a terrible idea.
- After they tripped the alarm and the police showed up, they didn't immediately identify themselves and end the exercise. They hid from the police, claiming that they were "testing the authorities' response" which seems obviously out of scope for their agreement.
So I agree that the charges were excessive and the Sheriff was in the wrong on a lot of things, but after reading the details this wasn't really a clear cut case. The pentesters weren't really doing everything "by the book" if they thought that testing the police response by hiding was in scope of their contract and doing this job after a few alcoholic beverages is a bizarre choice.
I performed these types of physical pen tests years ago. If we were testing security for something like a courthouse we would've had a card on each of us with the personal cell phone number of the county clerk along with a statement of work that described exactly what we were authorized to do, with signatures. In some cases we'd have a backup contact number for more dangerous stuff. The idea that the emergency contact would not answer the phone would've seemed ludicrous. They were always aware of where we were and what we were doing at all times.
Damaging property was never approved. Drinking alcohol before a test would never happen. The insurance risk alone would've been nuts, not to mention the reputational damage if someone smelled it on your breath. Hiding from law enforcement? I'd need to know more about that. If a cop shows up with a gun you absolutely do not hide. If it's a security guard on rounds and you're waiting for them to move on... sure.
It was often dangerous though. Some security and law enforcement types take it personally that they're being "tested" and do not react well. We always tried to have some former law enforcement or military with us because they were less likely to be targeted for abuse than us hackers/nerds.
> If we were testing security for something like a courthouse we would've had a card on each of us with the personal cell phone number of the county clerk along with a statement of work that described exactly what we were authorized to do, with signatures.
You mean... the thing that they had? FTA:
"Within minutes, deputies arrived and confronted the two intruders. DeMercurio and Wynn produced an authorization letter—known as a “get out of jail free card” in pen-testing circles. After a deputy called one or more of the state court officials listed in the letter and got confirmation it was legit, the deputies said they were satisfied the men were authorized to be in the building."
There's also no indication that they damaged property (they used a UDT to trip a sensor to bypass the door). Neither of us were there, but based on the actual reporting it sounds like the worst anyone could accuse these people of being is stupidly unprofessional and bad communicators, which if you worked with pentesters shouldn't seem like an unprecedented aberration.
Read the article further. When the police called the phone number on the document, the person on the other end denied that they were authorized to be in the building.
But I’m responding to the notion that they should’ve had signed documentation with the scope with them. They did. The fact that their own company hung them out to dry by not informing everyone on that list is not the pentesters’ fault.
I wasn't trying to suggest they did or didn't have the right documentation. I honestly don't know. I was just explaining how we normally operated. The idea that the emergency contact wouldn't answer, or even worse deny we had authority seems impossible to me... At least if you're doing things the way we did.
> The idea that the emergency contact wouldn't answer...seems impossible to me
I can’t understand how you think this is impossible if you do things “the right way”.
Phones gets stolen or dropped in the toilet. Your contact has been taken to the hospital. Bad cell service. And so on.
These episodes of Darknet Diaries were my favorite. Very suspenseful. I also always thought the people doing the testing were insane for assuming a piece of paper keeps them from getting dragged to jail or worse.
I mean this is stuff the security people tell you not to do. If you get an email from “your bank” saying “call us at this number”, you're supposed to independently verify by calling the main number, not the number they give you, right?
Those were always my favourite episodes too! Enough to get into a career doing social engineering and physical intrusions. It's very tense! You're right to think it's insane; the nature of these jobs is that unlike most kinds of pentesting, very few people are aware that a test is occurring. We will sometimes bring a fake "get out of jail free" card to test the very thing you mention, whether people will actually verify out of band. I've been on jobs where we've been called out and they've checked our fake details and you see people's whole body language change in those moments between them figuring out you're not who you say you are and figuring out what they're willing to do about it. You absolutely see the thought "Do I need to hurt these guys? Are they going to hurt me?" go through someone's mind. It's never come to anything truly harrowing in my experience, professionalism and good communication skills go a long way, but they also can only go so far. It's much more common to have zero issues though, because as you can surmise, social engineering is extremely effective, so getting challenged at all is pretty rare.
> Hiding from law enforcement? I'd need to know more about that. If a cop shows up with a gun you absolutely do not hide. If it's a security guard on rounds and you're waiting for them to move on... sure.
According to the article, they were hiding from the police who showed up, not security guards.
Testing the police is undeniably out of scope in a situation like this. If the police show up, the exercise needs to be over. You announce your presence and de-escalate, not try to outmaneuver the police.
These two guys only look like heroes in contrast to the over zealous sheriff. Everything else about their operation ranges from amateur hour to complete incompetence, such as drinking before a job.
I completely agree. Hiding from the cops puts everyone in danger. But to be clear I wouldn't be hiding from the security guards either once they had found evidence of our test. It was really only if they were nearby and unaware anything was happening that we found it OK to hide from them.
The whole point is to test security. Ideally you want to be found because that means that they have reasonable security in place and you can attest to that.
IIRC they had permission from the state court administrator, but not the county. The building is a county building. And, as it does in all sorts of jurisdictions with a similar setups, pissing contests arise over various issues.
I'm not saying it's the most professional choice, but if I were about to burgle a courthouse as part of my work, I'd like a beer or two to calm my nerves beforehand.
Regarding force, this article says:
> The rules of engagement for this exercise explicitly permitted “physical attacks,” including “lockpicking,” against judicial branch buildings so long as they didn’t cause significant damage.
And later that they entered through an unlocked door, which they (it sounds like) kept unlatched by inserting something between the latch and the doorjamb. Not unreasonable.
> I'm not saying it's the most professional choice, but if I were about to burgle a courthouse as part of my work, I'd like a beer or two to calm my nerves beforehand.
This is a job where having impaired judgment is a terrible idea.
If someone needs alcohol to do a job that involves taking the role of a criminal and summoning the police, drinking alcohol before it is a terrible choice no matter how you look at it. If they can't do the job without alcohol, they shouldn't be doing the job at all. Maintaining unimpaired judgment is a baseline expectation for a job like this.
I doubt judgement is heavily impaired at 0.05 BAC. That is at or below the legal limit to drive a car.
And it really is more of a red herring since they were obviously not visibly intoxicated and they didn't actually do anything illegal. Their BAC is more of an issue between them and their employer, and has no bearing on their false arrest.
> I doubt judgement is heavily impaired at 0.05 BAC. That is at or below the legal limit to drive a car.
0.05% BAC will result in a DUI in many countries. Regardless, any impairment on a job where you're doing things guaranteed to summon the cops is a very bad idea.
BAC also declines linearly over time. I doubt (hope?) they weren't drinking on the job, but a 0.05% BAC measured after their arrest means their BAC would have been higher when they started breaking into the building earlier in the night.
Maybe? Virtually everywhere in the US is 0.08. I don't think it's a good idea for physical pentesters to drink anything before a gig, for whatever that's worth, so hopefully we're just shooting the shit about different countries rules.
The "legal limit" is terribly misunderstood, but 0.08% is just legal threshold where the state doesn't need to prove impairment and the offense is upgraded to an automatic criminal DUI. A driver in an accident with a BAC of 0.03% could still be charged with a DUI if impairment can be proven but most prosecutors' offices have more important things to work on.
It's also terribly misunderstood by pedants since you can be charged with a DUI with a 0.00 BAC by doing drugs. The point isn't that it's a definitive line in the sand between impairment and not, but if people are trusted to drive a car (generally or broadly speaking, not pedantically speaking), being above or below said limit is a reasonable litmus test for "visibly/obviously impaired" or not.
The level of impairment doesn't matter. They are impaired. There is no standard or testing which reveals the minimum level of impairment that one can safely do the job. So, you don't do it impaired, at any level, period.
> and has no bearing on their false arrest.
Two people that have obviously been drinking, hiding from police, and then making up fantastic sounding stories as to why they're in a tax payer owned facility outside of working hours. The police had good reason to effect an arrest so it can't be "false arrest."
I don't see how that relates to, say, software engineering or physical pentesting though. And 1/3 people is still a fairly significant number that do not suffer ill effects. I also said heavily impaired—not that they were categorically not suffering from any effect of the alcohol.
My point is not that they definitely should have done it. It is simply that, in this context, it's really not a big deal & is not really germane to the discussion at all. They did nothing wrong, stone cold sober or not.
That’s not what your link says; impairment at 0.02 BAC is measurable, but a fraction of standard day-to-day variation for a person. It’s roughly equivalent to missing coffee at breakfast.
Is drinking common for physical pentesters? I just do boring software stuff but I’m pretty sure drinking on the job would be a fireable offense for me.
And even if their BAC was technically under the legal limit, their ability to e.g. drive was impaired. So it seems unprofessional.
Their ability to drive being impaired is somewhat dubious since they are under the legal limit in all of the states I have heard of.
W/r/t drinking and working, I personally dislike the puritanical zero tolerance for alcohol approach that people here in the US seem to take by default. Most people can have one or two drinks and work just fine, with obvious exceptions.
I don't think we should judge people who have to travel to a boring small town in Iowa and have to go to work in the middle of the night for having a drink or two.
If you can't have just a drink or two, or have to do it every day, that's a bigger issue that goes beyond work vs. simply having a drink and doing work on occasion.
Physical pentest scenarios are highly likely to end with an alarm tripping and the police arriving, except in cases where the alarm wasn't armed, didn't have connectivity, or was broken.
An encounter with the police was virtually guaranteed in this case. Drinking before the job was highly unusual and irresponsible.
> I'm not saying it's the most professional choice, but if I were about to burgle a courthouse as part of my work, I'd like a beer or two to calm my nerves beforehand.
I feel like if you do something for a living, you shouldn't need to calm your nerves for it.
I'd have more "eager" than "anxious" nerves, and I wouldn't need a beer for that. The fun thing about pentesting is that it doesn't matter if you get caught, although it's more fun if you don't.
Hard agree about "forcing", though. The very word implies, you know, non-trivial amounts of force. Like technically walking toward a door in a normal human room at standard temperature and pressure means you're applying non-zero amounts of force to it, so arguments like "they applied any force at all" can be ignored as goofy.
Seems reasonable to assume some blame from the pentesters, but neither are police known to be faithful and honest presenters of the truth. I'm not firmly convinced that the police story isn't exaggerated or embellished.
All of that is true, but it only means that it should have taken a few hours to sort out instead of 15 minutes. It became a pissing match between the courts and the county and these guy got squeezed. As a lawyer, I can't believe that there wasn't a lawyer for the county telling them that night that this was going to cost them.
For someone who is in such a position in the future, always notify the local police in writing and by phone call, if not also in person, before starting such an exercise. Make sure they have the get-out-of-jail documentation in advance of the exercise. If the police doesn't approve, don't do it. It would be better to get a no-objection letter from the police in advance. Make sure an attorney is aware of the activities and all documentation. Do not take any chances. You don't live in a kind or forgiving world. Handling unknown unknowns is the point.
They had written authorization from the state court and verbal confirmation from state court officials. They didn't know there would be a pissing match between the judicial branch and the sheriff.
But afaik this wasn't a state courthouse; it's a county courthouse. Legally, obviously, the state has authority and they were in the right, but functionally this is really good advice: if you're doing a penetration test of a space, you functionally need to clear it with the people who are responsible for the security of that space, and whom you might encounter defending it.
Frankly, I would not have taken this gig unless you had verbal confirmation that the Sheriff knows about it and has signed off. If you're entering a red team situation where the State wants to assess the security of their county courthouses, but doesn't want the local authorities to know its happening because they don't trust them: That is not a situation you want to be in the middle of, they gotta sort that out.
This really depends on how a state structures this, but “county courthouse” is not necessarily a meaningful statement. The judiciary is a state function and it has been delegated to county for purposes of logistics. In larger states, each county gets to set its own court rules, fee schedules, etc. because it would be maddening otherwise. They still ultimately answer to the state judiciary.
Iowa is small enough that it looks like the Iowa Judicial Branch just runs everything directly. Every county seat in Iowa has a courthouse, but the county probably doesn’t really have any control of it.
My guess is that the sheriff had an ego and may not have wanted a finding against him.
Hindsight's how we all learn. Doing it over again, I'm sure those guys would have done things differently. Any team would be crazy today to not be more prudent in how they operate.
Sure, the part I thought was "easy to say in hindsight" was:
> I would not have taken this gig unless you had verbal confirmation that the Sheriff knows about it and has signed off.
We don't know that! We don't know what we would have done in that scenario, especially in the context of a thread about the very outcome one's supposed foresight would have prevented.
> Research suggests that people still exhibit the hindsight bias even when they are aware of it or possess the intention of eradicating it. [...] The only observable way to decrease hindsight bias in testing is to have the participant think about how alternative hypotheses could be correct.
So here's an alternative hypothesis:
"Hey, do you reckon we should clear this with the county first? The sheriff might come and arrest us on the basis that nobody told him we were going to break into the courthouse"
"Nah, don't worry about it, I've done this sort of thing hundreds of times. And besides, the state has superiority over the county anyway, so even if we get caught which let's face it we won't because we're leet hackers and very incognito... the sheriff won't have any power to do anything to us as soon as we tell him it's authorised by the state"
This is not an "obvious in hindsight" thing, and its also something that was discussed in the physical penetration testing community long before 2019 when this happened. Everyone makes mistakes, and they were legally in the right, but most in physical pentesting know: You're probably going to make someone look like a fool during your work, and your CYA needs to be rock solid to not just absolve the illegality of what you're doing, but the immediate consequences of that newly minted fool also having an ego and authority. A piece of paper will not save your life against a trigger-happy rookie cop in a dark hallway at 2am, even if it might ruin his after you're already dead.
And, by the way: The Sheriff was in the wrong and some of what happened to these pentesters should never have happened. But, this case is not nearly as clear-cut as some one-sided storytelling suggests it is. When the Sheriff called the contact numbers at the State of Iowa, one person didn't answer, and a second person said that they "did not believe the men had permission to conduct physical intrusion." One of the pentesters also blew lightly positive for alcohol. One of the men was from Florida, and the second from Seattle, working for a security firm out of Colorado. That's suspicion enough to end up in jail overnight.
The fact that it went on longer than that more-so gets at the real story. The State was exercising an authority they had, maybe for the first time, against a security force that not only didn't know they were exercising it, but didn't realize they even had the authority in the first place. These guys got caught in the middle. The distribution of blame is pretty significant: The State should have informed the local security, but didn't. The State should have had contacts on-call during the intrusion, but didn't. Coalfire should have confirmed all of this in the interest of protecting their employees, but didn't. The testers shouldn't have been drinking beforehand, but did. The Sheriff should have dropped the matter the next day, but didn't. Sure, some of this is 20-20 hindsight, but taken in its entirety there were a lot of balls dropped, and it paints a picture of a state government that has some box to check for compliance, doesn't care how it gets checked or what gets found, and a security firm that isn't conducting their penetration tests responsibly.
Exactly. If I were in that position I would have simply learned from what happens in the future. In the rare instance that there was a negative outcome, I would just inform my previous self so that I could retroactively ensure that that outcome had not occurred.
It is through this simple system that I can confidently say that the content of this article that I am reading today in 2026 had/will have an impact on what I would have done in 2019
That’s not legally obvious. State v county control over courthouses creates fights over everything from Aesbestos to parking to security. The legal answers lie in state constitutional provisions that nobody ever reads and aren’t particularly helpful.
> If the police doesn't approve, don't do it. It would be better to get a no-objection letter from the police in advance.
The article says they did have an authorization letter from the state court officials (the people running the building) and they were released right after the letter was verified with the court officials.
At least from what I can see, the police officers involved were doing the right thing. They detained the suspects, made a proper effort to listen to them and validate their story, and then released them.
It was the Sheriff who showed up and didn't like it who then hassled them further.
They basically had a no-objection letter from the people in charge of the building and the police officers were onboard. It was one person who tried to turn it into something else.
That simply is not how the police work. If they get a call about a break in they’re going to respond and assess.
I bought property with a shooting range years ago from a retired SWAT officer with the county. He mentioned that “he always calls the sheriff’s office to let them know if he was doing anything.” Now I’d never owned a private range and am not from this county.
I called up the sheriff’s office and asked for clarification. I was advised that no such policy / program exists or is required and if the officer must have had is own internal policies and chain o command and that is irrelevant to me as a random citizen. In short, if a call is made about a shooter they will have to respond and so long as I’m not doing anything stupid, dangerous, or outright illegal I have nothing to worry about. The same goes for any other type of call.
Wouldn’t that in a lot of ways invalidate the test?
You’re trying to see what can be done and what the response is from the current security practices and the police showing up seems like an important part of that.
It is not clear what as the defined purpose of the test, if it was to measure a successful entry+exit, or measure police response, or both. If measuring the police response was a purpose, the police should still have been notified, just not of the exact date when it would happen. Executing it on a random day should offset the prior awareness of the police. Secondly, it is up to the police leadership to keep it quiet.
If the state wants to verify the counties are doing an adequate job, then tipping them off could result in an invalid assessment. The sheriff's reaction raises suspicion that there are deficiencies he doesn't want found
I kinda hate that it settled. I fully understand the plaintiffs not wanting to proceed, but i really wish the sheriff was actually punished for what he did. This sort of power tripping should be a fireable offence
Makes sense to me. County Sheriffs are elected by the residents of the county that they will serve. If you get a bad one then it’s your own fault for choosing poorly.
Anyway, not all states elect their sheriffs, or even have sheriffs at all. States that appoint their sheriffs don’t appear to have a noticeably lower level of incompetents.
Appointments are a whole other issue (see the extreme turnover in the American executive branch every 4 years). Id rather the head of my local police dept be significantly supported by the populating instead of an appointment from a governor, mayor, ... whose entire schtick can change on a dime.
Independent elections are a good thing. Bundling offices together under a single election that appoints the rest of the world is terrible and only leans further into the two party see-saw that exists in the USA.
I really wish for proportional representation. Not that it really applies to your local police force, but we need to break apart the complete A-or-B nature of American politics. Form coalitions, not monoliths that trade off earning 51% of the electorate every cycle that the completely repoints the entirety of the govt for the next 4 years.
In larger counties, the elected Sherrif is usually more managerial and less hands on. If not elected directly, the Sherrif would likely be chosen by the elected County Board of Supervisors. Which I guess gives you more ability to fire, but also means more indirection from the will of the people.
My other comment has more details, but a summary is that they the pentesters had been drinking before breaking into the building, were doing things that could be interpreted as being forbidden by their own contract, and the big one: The person listed on their authorization letter denied that they were approved to enter the building when called.
That last one is a big deal. If your own authorization contacts start telling the police you're not authorized to be in the building, you're in trouble.
Yeah I think that’s pretty useful context. I can understand arresting them and clearing it up with a judge in the morning. I can’t understand continuing to defame them as the lawsuit alleged.
If that’s all that had happened I’m guessing it would’ve avoided a lawsuit, since their purpose was to restore their reputational damage.
This seems to be on par for this Iowa county which their ignorance sadly has painted a major target on their innocent citizens- related article:
"Dallas County Attorney Matt Schultz told KCCI: "I want to be clear that the decision to dismiss the criminal charges that resulted in this civil case against Dallas County was made by a previous County Attorney. I am putting the public on notice that if this situation arises again in the future, I will prosecute to the fullest extent of the law."
Schultz (a ‘tough on crime Republican’) is the prosecutor who filed charges when this thing happened originally, so no surprise he still defends his decision.
You don't know the man, and you don't know all of the details and nuances of the situation he was called into. How then do you think to judge him like that? You're just stereotyping.
Those "details and nuances of the situation he was called into" become completely irrelevant once one is presented with irrefutable evidence that their actions were completely legal. What matters is his conduct after that happened, which was blatant and persistent abuse of power.
Stop justifying and excusing abuse of power, he hurt innocent people, cost the taxpayers $600k in a single incident of abusive and wrongful conduct, and he's now enjoying taxpayer-funded retirement without facing any accountability.
What jury? The payment happened before the trial: "five days before a trial was scheduled to begin in the case, Dallas County officials agreed to pay $600,000 to settle the case".
I might be mistaken, but it sounds like these guys showed up at a facility and did the classical "breaking and entering" thing. The onsite (terrified) staff called 911, the police showed up and arrested them. The perps said that they were hired to do this (they were), but nobody told the Sheriffs office or the staff about it.
So yeah, it sucks for these guys' reputations and criminal histories, but... what? The onsite staff didn't know what was going on, the Sheriffs didn't know what was going on.
The county basically said: "We want you to go try to break into this government building. We aren't going to tell the staff or the local police about it. Tell us what you find."
Did you even read the article or review the story? The police showed up, reviewed and even verified their documents (called the numbers on the form to confirm their authorization) and we're seemingly satisfied all was in order.
Only once the sheriff himself arrived on scene did he order the arrest that caused all the issues. If that didn't happen it wouldn't have been a story other than "security professionals doing their authorized job".
> Another reason for doubt: one of the people listed as a contact on the get-out-of-jail-free letter didn’t answer the deputies’ calls, while another said he didn’t believe the men had permission to conduct physical intrusions.
It's actually kind of amazing that the police first let them go after the official contact on the form said they were not authorized to intrude in the building.
If the sheriff had found out what was going on and then let them go, this wouldn't be news.
If the sheriff had arrested them and found out in the morning what was going on and then let them go, this wouldn't be news.
If the sheriff had arrested them and brought them before a judge who let them go, this wouldn't be news.
What actually happened is the sheriff found out what was going on, decided it was still criminal anyway, arrested them, and then the county charged and prosecuted them. The charges were eventually dismissed. That is why it's news.
Definitely some things could have been done a bit differently. I get that they want to keep staff in the dark, and even beat cops, but it seems reasonable and prudent to have the highest level of local law enforcement brought into the loop in planning red team exercises. The likelihood is high that the team will interface with law enforcement. The escalation path within the enforcement side of the state regulatory machine should be cleared in advance.
I think the takeaway for security teams is that you shouldn't let the customer "authorize" what is otherwise criminal activity warranting a police response without getting some air cover from the enforcement side. Coordinating that is the customer's burden to bear and that cover should be secured before letting them hand-wave away the risks with a "just have the police call me and I'll clear it all up". In hindsight only, when you look at it like that, the security team was not covering their ass appropriately. In a perfect world, you'd assume there's some better planning and communication going on behind the curtain. In the real world, you need more than the flimsy "guarantee" of calling a guy who knows a guy in the middle of the night. At the very least, that get out of jail free card should have had as signatories judiciary representation and enforcement representation (e.g. sheriff).
Sure, but that's different than not telling the local police department. Because they will show up with K9s and guns. And then it becomes a very dangerous situation.
That sounds like a problem with police procedures and accountability. It's weird to blame potential victims for that.
And in this case, notifying the police would have seemingly affected the test. Based on the reaction they did have, I would guess such notification would have resulted in the police doing many more drive-bys of the courthouse and generally being alert.
> "That sounds like a problem with police procedures and accountability"
It would be supremely stupid to not plan and account for these kind of systemic social problems when you're planning out your contract to break into a building. "But they're the ones who suck, I did nothing wrong" won't bring you back from the dead.
Sure, in the pragmatic sense I agree. If I was going to put myself in this type of situation, and the agency authorizing the test did not want to bring the agency that would be responding into the fold, I'd be contemplating things like having an employee or even some state official be physically present at the police station / dispatch when I was actually doing the pentest.
But the commenter I was responding to seemed to be leaning on the territory of what ought to be, in which case it's good to not normalize those societal problems.
They broke in and set off an alarm, the local cops responded, the pentesters showed their credentials, and there was no issue.
Then the sheriff arrived, was butthurt because he felt left out and wanted to show his authority, and caused these guys 6 years of grief for literally no reason at all.
What is wild about this is the cops showed up, held the guys, they showed them their letter that they were authorized and the cops called the references on the letter and everyone was fine.
Then the Sheriff showed up and insisted they be arrested...
Everything was fine until one person who didn't get it, who happened to be in charge, showed up.
Oh I'm sure the sheriff got it, he just wanted to get in a pissing match with the people who signed the letter.
The sheriff felt like he had "egg on his face", and responded like a child.
>When Sheriff Leonard arrived, the tone suddenly changed. He said the Dallas County Courthouse was under his jurisdiction and he hadn’t authorized any such intrusion.
Reading only ever so slightly between the lines, it's clear that he probably did get it, just that he either wanted to swing his dick around for its own sake, or, more likely it seems from the dedcription in the article, resented that he was kept out of the loop on "his turf".
Per the legal system, arrested is probably safe course of action until they could verify the authenticity of the letter. It's really the ensuing events after that were abysmally stupid.
They did verify the authenticity. The police won't launch a full investigation for every single possibility and doing so would be a colossal waste of resources. They are, in fact, allowed to make some calls and be satisfied at that point that the letter is authentic without investigating every single fraudulent possibility.
So you read this:
> the cops showed up, held the guys
> they showed them their letter that they were authorized
> the cops called the references on the letter
> Then the Sheriff showed up and insisted they be arrested...
and your response is:
> Per the legal system, arrested is probably safe course of action until they could verify the authenticity of the letter.
?
Anyone can write a letter and the police shouldn’t have called the numbers on the letter until they verified the numbers were legit.
This is the equivalent of a phishing email providing you a phone number.
I think that arrest was warranted until thy could independently confirm the phone numbers…
> I think that arrest was warranted until thy could independently confirm the phone numbers…
Your premise is correct, you conclusion is stupid. "hey jon, pull out your phone, is this the same number listed on the county webpage for this office?" - "yeah jack sure is" - "hey thanks for your patience guys, and thanks for your help protecting the court house from the baddies"
Even if you couldn't do that, and couldn't hold them on site. Sure, transport them back to hold while you have the person on the phone drive down to the police station with id. There was NO reason to charge and arraign them.
It's the irresistible taste of boot.
If they know who they are, what's the point? You can track them down later and throw on ~fraud charges if the letter ends up fake.
I remember reading about this when it first happened. Glad there was at least a somewhat positive outcome.
For reference, here is the HN thread shortly after the arrest: https://news.ycombinator.com/item?id=21000273
$600k for 6 years of legal battle and facing felony charges? no bueno
The 6 year, $600K lawsuit was something they initiated against the county.
The initial charges against them were initially dropped to misdemeanors and then dismissed entirely, but that was a separate matter resolved earlier.
Even being charged without conviction can result in a serious reduction in job opportunities.
Is that accurate? Being charged with a crime but then having charges subsequently dropped shouldn't show up in a background check. Plus, given their line of work, I think in their profession it would basically be a badge of honor.
Yes it absolutely matters. My brother was charged with three felonies in his only arrest, all of them dropped.
It shows up in his background report and no company has cared (or taken the time to notice) that they are dropped charges and not convictions.
He's basically treated like a felon and effectively got bumped out of his career.
This can happen just being under investigation. Or worse, no arrest, conviction or investigation. Just word of mouth kind of stuff can do it.
Employers also have a convenient privilege to maintain these narratives about a former employee. This is employer to employer confidentiality where they can say almost anything about you to another potential employer and you never have the chance to hear it or correct it.
Everyone should support the ability of even a person with a conviction to continue working and contributing to society. It's kind of a civil death that leads to bad outcomes for those targeted.
>Everyone should support the ability of even a person with a conviction to continue working and contributing to society. It's kind of a civil death that leads to bad outcomes for those targeted.
And not just those targeted either. The communities where those people live are deprived of the higher economic activity of someone with a middle/upper-middle-class income/lifestyle than someone who can only get a job mopping floors or washing cars.
That has a definite downward drag on the economic health of the communities where folks aren't given the opportunity to contribute because of past transgressions or, as we're discussing here, unwarranted criminal charges and investigations.
It's not just sad, it's a disgusting waste of human potential. More's the pity.
Also, I've seen many job applications that ask a question like: "Have you ever been arrested for a crime, regardless of the outcome?" Presumably mere involvement with law enforcement (even if acquitted or charges dropped) is some kind of signal in these guys' risk formulas.
How fortunate to not live in China with its dystopian "social credit" system!
You'd have to get it expunged for it to not show up. Even then, it will still show up for security clearances and such.
Can confirm. I needed a security clearance for government contracting work when I was in my mid-30s. The background check flagged a dismissed charge from when I was a teenager.
It’s an absolute pain if you ever need to apply for a security clearance, or a visa for a foreign country.
It does show up in background checks unfortunately, and it is considered.
Probably not in this case though.
It's hard to say if they would be able to gain security clearances in the future. Not to mention automated application systems will drop them from the system immediately with a prior arrest.
One of them went on to start their own physical pentest firm. I think they're doing fine. I also think if they'd lost clearances, or ran into later clearance problems, that would have made it into their complaint. I don't know, maybe you're right. It's not like I disagree with them about suing.
I mean it was fine for these guys because they got huge press and happen to be in an industry that can handle this. They've got experience, current employment, industry contacts, and there's really barely a functional college curriculum, or certification track for this. You #1 need to be trusted to break in since you know, they teach each other how to break into high-security facilities.
I really just wanna point out that getting contracts for government administrative building is already like, way in and near the top of the game, this could have set them back 9 months or none at all, still, someone has to be held accountable when there is an obvious miscarriage like this.
I mean they called their boss! They had a special letter! Why didn't shitty sheriff just like demand that the security chief come out and make some calls? 600k sounds fair I suppose but 6 years sure doesn't when its an elected official!
Civil litigation takes for-ev-er.
THIS should be illegal. If you are arrested and have all charges dropped, you should not show up on any database whatsoever, nor be required to answer “yes” to “gave you been arrested.”
The SF86 has a 7-year lookback on arrests. Clearance is fundamentally discretionary, though; it's a risk assessment. I don't think you have even a due process right to it.
I say all this but --- knowing that the principals in this story might read this thread and drop in and correct me, which would be awesome --- I think it's actually more likely that their careers benefited from this news story, and that they probably didn't lose any cleared business from it. I can't say enough that these two became industry celebrities over this case.
> Clearance is fundamentally discretionary, though; it's a risk assessment. I don't think you have even a due process right to it.
Security clearance is subject to due process protections (at least, insofar as it is a component of government hiring and continuation of employment), because government employment is subject to due process protections and the courts have not allowed security clearance requirements to be an end-run around that.
Are you sure about this? I looked into it, but only for about 45 seconds, and there are cases like Navy v. Egan that basically say the opposite.
(I'm going to keep saying: this is just an abstract argument; I don't think there's any evidence these two pentesters had any clearance issues.)
Navy v. Egan (1988) acknowledges a due process protection but limits it to procedural due process, not review of the merits of the clearance determination (i.e., the due process protection does not extend to substantive due process.)
Subsequent cases (mostly at the Federal Circuit, I can’t find the Supreme Court getting involved much since) like Cheney v. DOJ (2007) and Cruz-Martinez v. DHS (2020) have developed what that requires.
For cases outside of government employment, though the decisions so far are only at the trial level, Perkins Coie LLC vs. DOJ (2025) and Zaid v. Executive Office of the President (2025) are worth checking out in this regard.
pretty sure the companies making money providing this service would bring a freedom of speech defense if you tried to get a law passed keeping the information from showing up in a search, and would win, despite the obvious idiocy of the result.
It seems like a lot. It's not like they were in court full time.
This isn't a felony case. In fact, I'm not sure it ever was? It's not clear from their amended complaint, but they were ultimately charged with simple trespassing, a misdemeanor. Those trespassing charges were themselves dismissed a few months later.
What we're talking about today is the resolution of what looks to me (not a lawyer) mostly like a defamation case. Were they defamed? Absolutely. The problem is, to get anything useful out of a defamation case, you need to demonstrate damages. They were accused of a crime --- per se defamation --- but the point of the suit is to recover damages.
I don't want to be glib, and I'm very prepared to be wrong, but the Dallas County Courthouse Incident is likely one of the top 3 world events to have happened to both these pentesters. They've been cause celebres in the field for years and years. It might be pretty tricky to actually demonstrate damages.
They were arrested, arraigned and bonded for felony charges. Those were later reduced to misdemeanor charges and the case was eventually dropped/dismissed (can't remember which) - so they were facing felony charges for a while.
Lost clearances at least must count for something.
Did they lose clearances? If they did, it's not in their civil complaint.
I didn’t see how long it took for the charges to change from felony to misdemeanor before being dropped. It would be standard for clearances to be suspended for investigation when you get charged with a felony. (You have to report even an arrest or misdemeanor, but it’s less likely they’ll suspend it while investigating you for those).
Their lawyers issued a press release that sketched out the timeline.
I'd gladly take such a payout.
Split 2 ways, that is still 300k.
Parked in an investment at 5% a year, that's an easy +$15,000/year for the rest of your life.
Once the lawyers take their cut, you could probably split a ham sandwich between the two of you.
Don't forget Uncle Sam's cut as well
Compensatory damages aren't taxable income.
Bzzt.
Generally taxable unless exclusion applies. Main exclusion is personal injury.
Why isn't regular income compensatory damage then?
Which investment is that?
There are plenty of stocks, REITs, or ETFs that offer such returns.
Me, personally, I'd dump it into $O aka Realty Income or JEPI or JEPQ.
If you are risk adverse, just park it in VOO or SCHD.
World stock index funds yield something like that
Are you actually Michael from the channel?
How much did they spend on lawyers?
I would guess this would be a contingency case, which would typically be 40%.
What about the criminal lawyers that they needed when they charged with crimes? Did they get any money?
Darknet Diaries did an interview with the two pentesters: https://darknetdiaries.com/episode/59/
I really hope he brings them back for a follow-up now that it's settled. (And I've requested it on fedi.)
Great episode, but infuriating at the same time
... six years ago!
This happened in 2019. The wheels of justice turn very slowly.
Certainly the wheels of civil suits do.
My state, like many, defines a speedy criminal trail as the trial commencing any time within 5 years of being charged...
In Canada there was a big court case in 2016 over the civil right of "right to a speedy trial" where the courts said it had to be within 18 months for charges in provincial courts, which is where most crime ends up. During COVID there was a giant backlog of trials created and a criminal lawyer I know told me half of her clients in recent years got their cases stayed (thrown out) because of this backlog. This apparently happened all over the country and included tons people who were charged for violent crimes.
https://decisions.scc-csc.ca/scc-csc/scc-csc/en/item/16057/i...
I'd call that working as intended. The government is the one who shut down the courts. They could have implemented safety precautions and staffed up to handle the backlog.
Only applies when it’s the state vs you. Whether a crime or a parking ticket (the real kind, not the extrajudicial “administrative penalties” they’re all moving to)
If you want to sue someone in Canada, it can still take years.
Do you have a source for that? I can't find anything online about a state with a definition that long.
Justice delayed is justice denied.
Two people for six years in that industry they probably lost a lot more than $600k.
I doubt they were out of work for that whole time.
Particularly not with the free advertising they got from this.
They were held for a total of 20 hours.
Not relevant to the reputational damage which is particularly punishing in their line of work.
I wonder how much stigma contractors carry for being successful at filing lawsuits, no matter how legitimate the claim.
What reputational damage?
When they turn this slowly it's disingenuous to call it justice. Spending 10% of your adult life locked in legal battles is a ridiculous price to pay for something that should be resolved in under a year.
They weren't "locked in a legal battle". Their criminal charges were dismissed within 6 months of the incident happening. What resolved recently was a civil suit they themselves brought for damages from defamation and emotional distress.
Yes, civil suits are also legal battles. There's no reason it should have taken more than a year to resolve.
By the way, I dont know who you are quoting as that is not my exact wording.
I think this is the kind of thing that sounds reasonable until the first time you've sued someone. Resolution in one year? Don't even fantasize about it.
"We" (here in W.Australia) got sued by a US company for doing math once - took six years of legal back and forth to "win", eight years out of people's lives from disruption, and essentially destroyed a company that innovated.
https://en.wikipedia.org/wiki/LizardTech,_Inc._v._Earth_Reso....
I don't think these are crazy timelines for civil litigation here. I mean, is it worth criticizing? I guess, sure. But: civil suits take for-ev-er. A case is an indeterminate but fairly large number of steps, each of which includes 1d8+4 month next check-in date.
I'd like to see an hour-by-hour breakdown of what labor is actually being done, by which judges, lawyers and clerks, during the course of a 6 year trial, and see how much it adds up to. I wonder if it would even amount to a single, cumulative person-month of work?
The cases to judge and cases to lawyer (government side anyways) is extremely high. I think this is actually a negative a creates waste through context switching with all the delays. Nobody wants to pay to appropriately staff the court system. And frankly they waste money on fancy ornate buildings when they could make them much more plain and efficient.
I assure you they are doing a shitload of work. They're just not doing it on your case.
I'm not disagreeing on the time frame, just bitching about the impact and the cold truth that often no one wins (save for lawyers).
No, of course, believe me I understand viscerally.
Except for the wealthy, who can dial it up or down
I remember this story and how dumb I thought it was when it happened. Personally I think the sheriff should be fired, but $100k for every year of incompetency from Dallas county isn’t the worst outcome.
This is the kind of hacker news I'm here for
I'm glad the charges were dismissed, but to be honest the original reporting shows the story was actually more nuanced than this article led me to believe. 2019 article: https://arstechnica.com/information-technology/2019/11/how-a...
I'll probably get downvoted for even questioning the narrative, but here are some of the nuances that stood out to me:
- When the police contacted someone listed on the authorization letter, that person denied that they had been authorized to conduct physical intrusions. Another contact didn't answer their phone. What are the police supposed to do if the people supposedly authorizing the intrusion are actively denying the authorization?
- The contract had vague language that say they couldn't "force-open doors". The two men told police they had used a tool to open a locked door. The language should have been more specific about what was and was not allowed. (EDIT: This is causing a lot of controversy. The legal definition of "forced entry" in my state does not require literal damage to the property, only a bypassing of barriers. I don't know about the circumstances in this state, but to be clear the term "force-open doors" doesn't necessarily mean using destructive force everywhere)
- The contract said "alarm subversion" was not allowed, but supposedly the police had evidence that they were trying to manipulate the alarm. They deny this.
- The men had been drinking alcohol before the break-in. By the time they were breathalyzed it was at 0.05, meaning the number was even higher when they started the break-in. Drinking alcohol before you do a professional job guaranteed to get the police responding is a terrible idea.
- After they tripped the alarm and the police showed up, they didn't immediately identify themselves and end the exercise. They hid from the police, claiming that they were "testing the authorities' response" which seems obviously out of scope for their agreement.
So I agree that the charges were excessive and the Sheriff was in the wrong on a lot of things, but after reading the details this wasn't really a clear cut case. The pentesters weren't really doing everything "by the book" if they thought that testing the police response by hiding was in scope of their contract and doing this job after a few alcoholic beverages is a bizarre choice.
I performed these types of physical pen tests years ago. If we were testing security for something like a courthouse we would've had a card on each of us with the personal cell phone number of the county clerk along with a statement of work that described exactly what we were authorized to do, with signatures. In some cases we'd have a backup contact number for more dangerous stuff. The idea that the emergency contact would not answer the phone would've seemed ludicrous. They were always aware of where we were and what we were doing at all times.
Damaging property was never approved. Drinking alcohol before a test would never happen. The insurance risk alone would've been nuts, not to mention the reputational damage if someone smelled it on your breath. Hiding from law enforcement? I'd need to know more about that. If a cop shows up with a gun you absolutely do not hide. If it's a security guard on rounds and you're waiting for them to move on... sure.
It was often dangerous though. Some security and law enforcement types take it personally that they're being "tested" and do not react well. We always tried to have some former law enforcement or military with us because they were less likely to be targeted for abuse than us hackers/nerds.
> If we were testing security for something like a courthouse we would've had a card on each of us with the personal cell phone number of the county clerk along with a statement of work that described exactly what we were authorized to do, with signatures.
You mean... the thing that they had? FTA:
"Within minutes, deputies arrived and confronted the two intruders. DeMercurio and Wynn produced an authorization letter—known as a “get out of jail free card” in pen-testing circles. After a deputy called one or more of the state court officials listed in the letter and got confirmation it was legit, the deputies said they were satisfied the men were authorized to be in the building."
There's also no indication that they damaged property (they used a UDT to trip a sensor to bypass the door). Neither of us were there, but based on the actual reporting it sounds like the worst anyone could accuse these people of being is stupidly unprofessional and bad communicators, which if you worked with pentesters shouldn't seem like an unprecedented aberration.
Read the article further. When the police called the phone number on the document, the person on the other end denied that they were authorized to be in the building.
But I’m responding to the notion that they should’ve had signed documentation with the scope with them. They did. The fact that their own company hung them out to dry by not informing everyone on that list is not the pentesters’ fault.
I wasn't trying to suggest they did or didn't have the right documentation. I honestly don't know. I was just explaining how we normally operated. The idea that the emergency contact wouldn't answer, or even worse deny we had authority seems impossible to me... At least if you're doing things the way we did.
> The idea that the emergency contact wouldn't answer...seems impossible to me
I can’t understand how you think this is impossible if you do things “the right way”.
Phones gets stolen or dropped in the toilet. Your contact has been taken to the hospital. Bad cell service. And so on.
These episodes of Darknet Diaries were my favorite. Very suspenseful. I also always thought the people doing the testing were insane for assuming a piece of paper keeps them from getting dragged to jail or worse.
I mean this is stuff the security people tell you not to do. If you get an email from “your bank” saying “call us at this number”, you're supposed to independently verify by calling the main number, not the number they give you, right?
Those were always my favourite episodes too! Enough to get into a career doing social engineering and physical intrusions. It's very tense! You're right to think it's insane; the nature of these jobs is that unlike most kinds of pentesting, very few people are aware that a test is occurring. We will sometimes bring a fake "get out of jail free" card to test the very thing you mention, whether people will actually verify out of band. I've been on jobs where we've been called out and they've checked our fake details and you see people's whole body language change in those moments between them figuring out you're not who you say you are and figuring out what they're willing to do about it. You absolutely see the thought "Do I need to hurt these guys? Are they going to hurt me?" go through someone's mind. It's never come to anything truly harrowing in my experience, professionalism and good communication skills go a long way, but they also can only go so far. It's much more common to have zero issues though, because as you can surmise, social engineering is extremely effective, so getting challenged at all is pretty rare.
> Hiding from law enforcement? I'd need to know more about that. If a cop shows up with a gun you absolutely do not hide. If it's a security guard on rounds and you're waiting for them to move on... sure.
According to the article, they were hiding from the police who showed up, not security guards.
Testing the police is undeniably out of scope in a situation like this. If the police show up, the exercise needs to be over. You announce your presence and de-escalate, not try to outmaneuver the police.
These two guys only look like heroes in contrast to the over zealous sheriff. Everything else about their operation ranges from amateur hour to complete incompetence, such as drinking before a job.
I completely agree. Hiding from the cops puts everyone in danger. But to be clear I wouldn't be hiding from the security guards either once they had found evidence of our test. It was really only if they were nearby and unaware anything was happening that we found it OK to hide from them.
The whole point is to test security. Ideally you want to be found because that means that they have reasonable security in place and you can attest to that.
IIRC they had permission from the state court administrator, but not the county. The building is a county building. And, as it does in all sorts of jurisdictions with a similar setups, pissing contests arise over various issues.
I'm not saying it's the most professional choice, but if I were about to burgle a courthouse as part of my work, I'd like a beer or two to calm my nerves beforehand.
Regarding force, this article says:
> The rules of engagement for this exercise explicitly permitted “physical attacks,” including “lockpicking,” against judicial branch buildings so long as they didn’t cause significant damage.
And later that they entered through an unlocked door, which they (it sounds like) kept unlatched by inserting something between the latch and the doorjamb. Not unreasonable.
> I'm not saying it's the most professional choice, but if I were about to burgle a courthouse as part of my work, I'd like a beer or two to calm my nerves beforehand.
This is a job where having impaired judgment is a terrible idea.
If someone needs alcohol to do a job that involves taking the role of a criminal and summoning the police, drinking alcohol before it is a terrible choice no matter how you look at it. If they can't do the job without alcohol, they shouldn't be doing the job at all. Maintaining unimpaired judgment is a baseline expectation for a job like this.
I doubt judgement is heavily impaired at 0.05 BAC. That is at or below the legal limit to drive a car.
And it really is more of a red herring since they were obviously not visibly intoxicated and they didn't actually do anything illegal. Their BAC is more of an issue between them and their employer, and has no bearing on their false arrest.
> I doubt judgement is heavily impaired at 0.05 BAC. That is at or below the legal limit to drive a car.
0.05% BAC will result in a DUI in many countries. Regardless, any impairment on a job where you're doing things guaranteed to summon the cops is a very bad idea.
BAC also declines linearly over time. I doubt (hope?) they weren't drinking on the job, but a 0.05% BAC measured after their arrest means their BAC would have been higher when they started breaking into the building earlier in the night.
Only Utah has a 0.05 standard. (I think drinking before a nighttime physical pentest is a bad idea).
Is USA the outliner here? In (most of) canada 0.05 will get your license suspended (but you dont go to jail unless its 0.08).
Australia, scotland and france are also 0.05.
There are quite a few countries where the limit is less than that.
Maybe? Virtually everywhere in the US is 0.08. I don't think it's a good idea for physical pentesters to drink anything before a gig, for whatever that's worth, so hopefully we're just shooting the shit about different countries rules.
The "legal limit" is terribly misunderstood, but 0.08% is just legal threshold where the state doesn't need to prove impairment and the offense is upgraded to an automatic criminal DUI. A driver in an accident with a BAC of 0.03% could still be charged with a DUI if impairment can be proven but most prosecutors' offices have more important things to work on.
It's also terribly misunderstood by pedants since you can be charged with a DUI with a 0.00 BAC by doing drugs. The point isn't that it's a definitive line in the sand between impairment and not, but if people are trusted to drive a car (generally or broadly speaking, not pedantically speaking), being above or below said limit is a reasonable litmus test for "visibly/obviously impaired" or not.
Sure, I don't disagree.
Washington might be moving to 0.05 too. (A bill just narrowly passed the state Senate; still has to clear the state house)
> heavily impaired
The level of impairment doesn't matter. They are impaired. There is no standard or testing which reveals the minimum level of impairment that one can safely do the job. So, you don't do it impaired, at any level, period.
> and has no bearing on their false arrest.
Two people that have obviously been drinking, hiding from police, and then making up fantastic sounding stories as to why they're in a tax payer owned facility outside of working hours. The police had good reason to effect an arrest so it can't be "false arrest."
> I doubt judgement is heavily impaired at 0.05 BAC
Physical coordination becomes an issue. 70% of subjects tested struggled to maintain lane position at 0.02%.
https://pmc.ncbi.nlm.nih.gov/articles/PMC102344
I don't see how that relates to, say, software engineering or physical pentesting though. And 1/3 people is still a fairly significant number that do not suffer ill effects. I also said heavily impaired—not that they were categorically not suffering from any effect of the alcohol.
My point is not that they definitely should have done it. It is simply that, in this context, it's really not a big deal & is not really germane to the discussion at all. They did nothing wrong, stone cold sober or not.
That’s not what your link says; impairment at 0.02 BAC is measurable, but a fraction of standard day-to-day variation for a person. It’s roughly equivalent to missing coffee at breakfast.
Is this something that has been rigorously studied? Like multiple follow-ups?
This article is from 2002 - twenty years ago. It cites several other studies, which seem not great overall.
One studied a driving simulator, the others looked at deaths in the single year after lowering blood alcohol.
The one about minors in Maryland seemed especially strange, as minors are usually required to have 0% BAC.
It sounds like cherry picking.
Is drinking common for physical pentesters? I just do boring software stuff but I’m pretty sure drinking on the job would be a fireable offense for me.
And even if their BAC was technically under the legal limit, their ability to e.g. drive was impaired. So it seems unprofessional.
Their ability to drive being impaired is somewhat dubious since they are under the legal limit in all of the states I have heard of.
W/r/t drinking and working, I personally dislike the puritanical zero tolerance for alcohol approach that people here in the US seem to take by default. Most people can have one or two drinks and work just fine, with obvious exceptions.
I don't think we should judge people who have to travel to a boring small town in Iowa and have to go to work in the middle of the night for having a drink or two.
If you can't have just a drink or two, or have to do it every day, that's a bigger issue that goes beyond work vs. simply having a drink and doing work on occasion.
Agreed about the puritanical stance here in the US.
People drive on prescription drugs like it's nothing. But a beer? Haha.
For context, I've been sober for a decade. I don't mind if people have a beer. I get it.
> I just do boring software stuff but I’m pretty sure drinking on the job would be a fireable offense for me.
I've never worked a software job where I wasn't provided free alcohol at work.
> Is drinking common for physical pentesters?
Absolutely not.
Physical pentest scenarios are highly likely to end with an alarm tripping and the police arriving, except in cases where the alarm wasn't armed, didn't have connectivity, or was broken.
An encounter with the police was virtually guaranteed in this case. Drinking before the job was highly unusual and irresponsible.
Obligatory XKCD: https://xkcd.com/323/
Note that Monroe's number for the peak (0.13%) is significantly higher than legal limit for driving, and than these guys recorded here.
> I just do boring software stuff but I’m pretty sure drinking on the job would be a fireable offense for me.
What?? For real?
> I'm not saying it's the most professional choice, but if I were about to burgle a courthouse as part of my work, I'd like a beer or two to calm my nerves beforehand.
I feel like if you do something for a living, you shouldn't need to calm your nerves for it.
I'll note 0.05 means you can't legally drive in Australia and would be issued a DUI.
I'd have more "eager" than "anxious" nerves, and I wouldn't need a beer for that. The fun thing about pentesting is that it doesn't matter if you get caught, although it's more fun if you don't.
Hard agree about "forcing", though. The very word implies, you know, non-trivial amounts of force. Like technically walking toward a door in a normal human room at standard temperature and pressure means you're applying non-zero amounts of force to it, so arguments like "they applied any force at all" can be ignored as goofy.
Seems reasonable to assume some blame from the pentesters, but neither are police known to be faithful and honest presenters of the truth. I'm not firmly convinced that the police story isn't exaggerated or embellished.
The police settled for $600k, it wasn't dismissed.
The original charges against them were dismissed.
They brought a separate case against the police and were awarded $600K
Two separate legal matters for the same event.
Ok that makes much more sense
All of that is true, but it only means that it should have taken a few hours to sort out instead of 15 minutes. It became a pissing match between the courts and the county and these guy got squeezed. As a lawyer, I can't believe that there wasn't a lawyer for the county telling them that night that this was going to cost them.
Public service sector: we can't find employees and contractors willing to work for us!
Also public service sector: this right here.
Besides, let me guess, that sheriff is elected?
For someone who is in such a position in the future, always notify the local police in writing and by phone call, if not also in person, before starting such an exercise. Make sure they have the get-out-of-jail documentation in advance of the exercise. If the police doesn't approve, don't do it. It would be better to get a no-objection letter from the police in advance. Make sure an attorney is aware of the activities and all documentation. Do not take any chances. You don't live in a kind or forgiving world. Handling unknown unknowns is the point.
They had written authorization from the state court and verbal confirmation from state court officials. They didn't know there would be a pissing match between the judicial branch and the sheriff.
But afaik this wasn't a state courthouse; it's a county courthouse. Legally, obviously, the state has authority and they were in the right, but functionally this is really good advice: if you're doing a penetration test of a space, you functionally need to clear it with the people who are responsible for the security of that space, and whom you might encounter defending it.
Frankly, I would not have taken this gig unless you had verbal confirmation that the Sheriff knows about it and has signed off. If you're entering a red team situation where the State wants to assess the security of their county courthouses, but doesn't want the local authorities to know its happening because they don't trust them: That is not a situation you want to be in the middle of, they gotta sort that out.
This really depends on how a state structures this, but “county courthouse” is not necessarily a meaningful statement. The judiciary is a state function and it has been delegated to county for purposes of logistics. In larger states, each county gets to set its own court rules, fee schedules, etc. because it would be maddening otherwise. They still ultimately answer to the state judiciary.
Iowa is small enough that it looks like the Iowa Judicial Branch just runs everything directly. Every county seat in Iowa has a courthouse, but the county probably doesn’t really have any control of it.
My guess is that the sheriff had an ego and may not have wanted a finding against him.
Easy to say in hindsight.
Hindsight's how we all learn. Doing it over again, I'm sure those guys would have done things differently. Any team would be crazy today to not be more prudent in how they operate.
Sure, the part I thought was "easy to say in hindsight" was:
> I would not have taken this gig unless you had verbal confirmation that the Sheriff knows about it and has signed off.
We don't know that! We don't know what we would have done in that scenario, especially in the context of a thread about the very outcome one's supposed foresight would have prevented.
From https://en.wikipedia.org/wiki/Hindsight_bias#Attempts_to_red... :
> Research suggests that people still exhibit the hindsight bias even when they are aware of it or possess the intention of eradicating it. [...] The only observable way to decrease hindsight bias in testing is to have the participant think about how alternative hypotheses could be correct.
So here's an alternative hypothesis:
"Hey, do you reckon we should clear this with the county first? The sheriff might come and arrest us on the basis that nobody told him we were going to break into the courthouse"
"Nah, don't worry about it, I've done this sort of thing hundreds of times. And besides, the state has superiority over the county anyway, so even if we get caught which let's face it we won't because we're leet hackers and very incognito... the sheriff won't have any power to do anything to us as soon as we tell him it's authorised by the state"
"SGTM"
This is not an "obvious in hindsight" thing, and its also something that was discussed in the physical penetration testing community long before 2019 when this happened. Everyone makes mistakes, and they were legally in the right, but most in physical pentesting know: You're probably going to make someone look like a fool during your work, and your CYA needs to be rock solid to not just absolve the illegality of what you're doing, but the immediate consequences of that newly minted fool also having an ego and authority. A piece of paper will not save your life against a trigger-happy rookie cop in a dark hallway at 2am, even if it might ruin his after you're already dead.
And, by the way: The Sheriff was in the wrong and some of what happened to these pentesters should never have happened. But, this case is not nearly as clear-cut as some one-sided storytelling suggests it is. When the Sheriff called the contact numbers at the State of Iowa, one person didn't answer, and a second person said that they "did not believe the men had permission to conduct physical intrusion." One of the pentesters also blew lightly positive for alcohol. One of the men was from Florida, and the second from Seattle, working for a security firm out of Colorado. That's suspicion enough to end up in jail overnight.
The fact that it went on longer than that more-so gets at the real story. The State was exercising an authority they had, maybe for the first time, against a security force that not only didn't know they were exercising it, but didn't realize they even had the authority in the first place. These guys got caught in the middle. The distribution of blame is pretty significant: The State should have informed the local security, but didn't. The State should have had contacts on-call during the intrusion, but didn't. Coalfire should have confirmed all of this in the interest of protecting their employees, but didn't. The testers shouldn't have been drinking beforehand, but did. The Sheriff should have dropped the matter the next day, but didn't. Sure, some of this is 20-20 hindsight, but taken in its entirety there were a lot of balls dropped, and it paints a picture of a state government that has some box to check for compliance, doesn't care how it gets checked or what gets found, and a security firm that isn't conducting their penetration tests responsibly.
Exactly. If I were in that position I would have simply learned from what happens in the future. In the rare instance that there was a negative outcome, I would just inform my previous self so that I could retroactively ensure that that outcome had not occurred.
It is through this simple system that I can confidently say that the content of this article that I am reading today in 2026 had/will have an impact on what I would have done in 2019
Considering today's world, they're lucky they didn't get shot dead with an entire clip.
If the goal is to test for vulnerabilities under real-world conditions, they probably should have bribed the sheriff to stay away.
Legally, obviously, the state has authority
That’s not legally obvious. State v county control over courthouses creates fights over everything from Aesbestos to parking to security. The legal answers lie in state constitutional provisions that nobody ever reads and aren’t particularly helpful.
> If the police doesn't approve, don't do it. It would be better to get a no-objection letter from the police in advance.
The article says they did have an authorization letter from the state court officials (the people running the building) and they were released right after the letter was verified with the court officials.
At least from what I can see, the police officers involved were doing the right thing. They detained the suspects, made a proper effort to listen to them and validate their story, and then released them.
It was the Sheriff who showed up and didn't like it who then hassled them further.
They basically had a no-objection letter from the people in charge of the building and the police officers were onboard. It was one person who tried to turn it into something else.
That simply is not how the police work. If they get a call about a break in they’re going to respond and assess.
I bought property with a shooting range years ago from a retired SWAT officer with the county. He mentioned that “he always calls the sheriff’s office to let them know if he was doing anything.” Now I’d never owned a private range and am not from this county.
I called up the sheriff’s office and asked for clarification. I was advised that no such policy / program exists or is required and if the officer must have had is own internal policies and chain o command and that is irrelevant to me as a random citizen. In short, if a call is made about a shooter they will have to respond and so long as I’m not doing anything stupid, dangerous, or outright illegal I have nothing to worry about. The same goes for any other type of call.
Wouldn’t that in a lot of ways invalidate the test?
You’re trying to see what can be done and what the response is from the current security practices and the police showing up seems like an important part of that.
It is not clear what as the defined purpose of the test, if it was to measure a successful entry+exit, or measure police response, or both. If measuring the police response was a purpose, the police should still have been notified, just not of the exact date when it would happen. Executing it on a random day should offset the prior awareness of the police. Secondly, it is up to the police leadership to keep it quiet.
If the state wants to verify the counties are doing an adequate job, then tipping them off could result in an invalid assessment. The sheriff's reaction raises suspicion that there are deficiencies he doesn't want found
I kinda hate that it settled. I fully understand the plaintiffs not wanting to proceed, but i really wish the sheriff was actually punished for what he did. This sort of power tripping should be a fireable offence
Sheriff Chad Leonard (queue chad references...) retired in 2022.
see https://www.desmoinesregister.com/story/news/2022/08/29/dall...
It's a pity the $600k won't be deducted from his retirement income.
An elected officer. So punishment by ballot box?
That thing where law enforcement officers can be elected is such a weird American oddity.
Most countries appoint law enforcement officers who are qualified for the job.
We had a problem last year here in San Mateo County, California where our sheriff was corrupt but we had to pass a ballot measure because we couldn't just fire them: https://calmatters.org/justice/2025/10/san-mateo-sheriff-rem...
Makes sense to me. County Sheriffs are elected by the residents of the county that they will serve. If you get a bad one then it’s your own fault for choosing poorly.
Anyway, not all states elect their sheriffs, or even have sheriffs at all. States that appoint their sheriffs don’t appear to have a noticeably lower level of incompetents.
Appointments are a whole other issue (see the extreme turnover in the American executive branch every 4 years). Id rather the head of my local police dept be significantly supported by the populating instead of an appointment from a governor, mayor, ... whose entire schtick can change on a dime.
Independent elections are a good thing. Bundling offices together under a single election that appoints the rest of the world is terrible and only leans further into the two party see-saw that exists in the USA.
I really wish for proportional representation. Not that it really applies to your local police force, but we need to break apart the complete A-or-B nature of American politics. Form coalitions, not monoliths that trade off earning 51% of the electorate every cycle that the completely repoints the entirety of the govt for the next 4 years.
On the other hand, look at our current appointed DoJ and FBI leadership. No solution is foolproof.
In larger counties, the elected Sherrif is usually more managerial and less hands on. If not elected directly, the Sherrif would likely be chosen by the elected County Board of Supervisors. Which I guess gives you more ability to fire, but also means more indirection from the will of the people.
Since when are elected officials immune from prosecution for crimes?
Nobody was pressing (or even alleging) crimes by the sheriff AFAIK.
So... the county sheriff showed up, decided he needed to be a big boss man, and made everything worse for everyone. Sounds pretty typical.
That was my first impression, but reading the original story from 2019 has a much less one-side pictures: https://arstechnica.com/information-technology/2019/11/how-a...
My other comment has more details, but a summary is that they the pentesters had been drinking before breaking into the building, were doing things that could be interpreted as being forbidden by their own contract, and the big one: The person listed on their authorization letter denied that they were approved to enter the building when called.
That last one is a big deal. If your own authorization contacts start telling the police you're not authorized to be in the building, you're in trouble.
Yeah I think that’s pretty useful context. I can understand arresting them and clearing it up with a judge in the morning. I can’t understand continuing to defame them as the lawsuit alleged.
If that’s all that had happened I’m guessing it would’ve avoided a lawsuit, since their purpose was to restore their reputational damage.
This seems to be on par for this Iowa county which their ignorance sadly has painted a major target on their innocent citizens- related article:
"Dallas County Attorney Matt Schultz told KCCI: "I want to be clear that the decision to dismiss the criminal charges that resulted in this civil case against Dallas County was made by a previous County Attorney. I am putting the public on notice that if this situation arises again in the future, I will prosecute to the fullest extent of the law."
https://www.kcci.com/article/coalfire-contractors-settle-dal...
Schultz (a ‘tough on crime Republican’) is the prosecutor who filed charges when this thing happened originally, so no surprise he still defends his decision.
Exactly. A fragile man needed assert his authority.
You don't know the man, and you don't know all of the details and nuances of the situation he was called into. How then do you think to judge him like that? You're just stereotyping.
Those "details and nuances of the situation he was called into" become completely irrelevant once one is presented with irrefutable evidence that their actions were completely legal. What matters is his conduct after that happened, which was blatant and persistent abuse of power.
Stop justifying and excusing abuse of power, he hurt innocent people, cost the taxpayers $600k in a single incident of abusive and wrongful conduct, and he's now enjoying taxpayer-funded retirement without facing any accountability.
https://arstechnica.com/information-technology/2019/11/how-a...
I do know the details of the situation. And so did the jury who awarded them $600k.
> And so did the jury who awarded them $600k
What jury? The payment happened before the trial: "five days before a trial was scheduled to begin in the case, Dallas County officials agreed to pay $600,000 to settle the case".
In fairness, people don't generally give 6 figure settlements if they think the jury will agree with them
You're confusing your own assumptions with knowledge.
Are they or are you? How have you determined that they don't understand the details?
Being flat wrong is a subtle hint.
The detail that there was no jury?
I might be mistaken, but it sounds like these guys showed up at a facility and did the classical "breaking and entering" thing. The onsite (terrified) staff called 911, the police showed up and arrested them. The perps said that they were hired to do this (they were), but nobody told the Sheriffs office or the staff about it.
So yeah, it sucks for these guys' reputations and criminal histories, but... what? The onsite staff didn't know what was going on, the Sheriffs didn't know what was going on.
The county basically said: "We want you to go try to break into this government building. We aren't going to tell the staff or the local police about it. Tell us what you find."
you are mistaken. There was no (terrified) staff present. The building was empty and they tripped an alarm on entry.
Did you even read the article or review the story? The police showed up, reviewed and even verified their documents (called the numbers on the form to confirm their authorization) and we're seemingly satisfied all was in order.
Only once the sheriff himself arrived on scene did he order the arrest that caused all the issues. If that didn't happen it wouldn't have been a story other than "security professionals doing their authorized job".
> reviewed and even verified their documents (called the numbers on the form to confirm their authorization)
Apparently there's more to this story. From the original article https://arstechnica.com/information-technology/2019/11/how-a...
> Another reason for doubt: one of the people listed as a contact on the get-out-of-jail-free letter didn’t answer the deputies’ calls, while another said he didn’t believe the men had permission to conduct physical intrusions.
It's actually kind of amazing that the police first let them go after the official contact on the form said they were not authorized to intrude in the building.
If the sheriff had found out what was going on and then let them go, this wouldn't be news.
If the sheriff had arrested them and found out in the morning what was going on and then let them go, this wouldn't be news.
If the sheriff had arrested them and brought them before a judge who let them go, this wouldn't be news.
What actually happened is the sheriff found out what was going on, decided it was still criminal anyway, arrested them, and then the county charged and prosecuted them. The charges were eventually dismissed. That is why it's news.
And icing on the cake, the current county attorney disagrees with the dismissal done by his predecessor, and says that he will prosecute any future incidents of this nature. https://www.kcci.com/article/coalfire-contractors-settle-dal...
Definitely some things could have been done a bit differently. I get that they want to keep staff in the dark, and even beat cops, but it seems reasonable and prudent to have the highest level of local law enforcement brought into the loop in planning red team exercises. The likelihood is high that the team will interface with law enforcement. The escalation path within the enforcement side of the state regulatory machine should be cleared in advance.
I think the takeaway for security teams is that you shouldn't let the customer "authorize" what is otherwise criminal activity warranting a police response without getting some air cover from the enforcement side. Coordinating that is the customer's burden to bear and that cover should be secured before letting them hand-wave away the risks with a "just have the police call me and I'll clear it all up". In hindsight only, when you look at it like that, the security team was not covering their ass appropriately. In a perfect world, you'd assume there's some better planning and communication going on behind the curtain. In the real world, you need more than the flimsy "guarantee" of calling a guy who knows a guy in the middle of the night. At the very least, that get out of jail free card should have had as signatories judiciary representation and enforcement representation (e.g. sheriff).
> I might be mistaken [snip].
FTFY
Also - a red-team exercise doesn't work if you tell the targets that they're about to be tested.
Sure, but that's different than not telling the local police department. Because they will show up with K9s and guns. And then it becomes a very dangerous situation.
That sounds like a problem with police procedures and accountability. It's weird to blame potential victims for that.
And in this case, notifying the police would have seemingly affected the test. Based on the reaction they did have, I would guess such notification would have resulted in the police doing many more drive-bys of the courthouse and generally being alert.
> "That sounds like a problem with police procedures and accountability"
It would be supremely stupid to not plan and account for these kind of systemic social problems when you're planning out your contract to break into a building. "But they're the ones who suck, I did nothing wrong" won't bring you back from the dead.
Sure, in the pragmatic sense I agree. If I was going to put myself in this type of situation, and the agency authorizing the test did not want to bring the agency that would be responding into the fold, I'd be contemplating things like having an employee or even some state official be physically present at the police station / dispatch when I was actually doing the pentest.
But the commenter I was responding to seemed to be leaning on the territory of what ought to be, in which case it's good to not normalize those societal problems.
why even bother commenting if you didnt even read the article. You just spewed out a bunch of bullshit nonsense of nothing that happened lol
Did you read the article?
They broke in and set off an alarm, the local cops responded, the pentesters showed their credentials, and there was no issue.
Then the sheriff arrived, was butthurt because he felt left out and wanted to show his authority, and caused these guys 6 years of grief for literally no reason at all.
> the local cops responded
Extremely dangerous and irresponsible for the county not to alert the local police and Sheriffs office that this operation was taking place.
I'm glad these guys got their money.
Not bad bug bounty if you ask me
Good god I'm so glad I left dallas. I grew up there. What an awful dump of a city.
Should have been at least 6 mln for each, and 15+ years of max security jail for those who abuse power, including those who "just followed orders".