State employees authorized courthouse 'penetration,' records show
desmoinesregister.com
This seems silly. The state clearly authorized the operation. The contractor acted in good faith. Yes, some mistakes may have been made on both sides, but it serves no one to prosecute these guys and label them burglars.
Yes, you're correct.
>"I advised them that this building belonged to the taxpayers of Dallas County and the State had no authority to authorize a break-in of this building," Leonard wrote in the email.
I was wondering about that. If it is the county courthouse I'm not sure a state employee necessarily can authorize something like a break-in.
If the courthouse "belonged to the taxpayers of Dallas County", who could authorize the break-in? This was a really confusing/nuanced piece of the story and I'm not sure what's correct on it.
I read it as him asserting his jurisdiction over the county, and this whole case seems to boil down to an implied conflict between the county and the state over that jurisdiction. I’m not a lawyer, but it doesn’t look like there’s a very strong mens rea component to this accusation. I imagine they’d have to prove that the accused acted negligently, supposing it is in fact true that the state didn’t have the authority to authorise the test. But then who else is also culpable? Coalfire? The state of Iowa? The particular state official involved in this engagement?
It's not remotely that simple; (I think; IANAL) there's lots of exceptions to this rule:
if the courthouse receives resources from the state; it has statewide terminals; etc. access points where criminal records can be modified or updated then it's still the state's responsibility to verify the physical security.
If Eve wants to issue an arrest warrant for bob and alice; or have them "SWATTED" and locked up; changing records in a court house is a straightforward way to do that.
If this was done as part of a statewide voting system and the courthouse is a polling place then the state should have type of eminent domain; or other statewide drill then it would be included. If they participate in any of those systems then depending on the nature of the agreement, their consent may be implicit.
Obviously; nobody loves the idea of breaking into a courthouse at night.
I'd wager that could even extend to adjacent buildings; and I know federal investigators who request (and then intimidate & insist) that a business owner let them do xyz type operation .. but in a lot of cases; if there is a chance of collusion then they don't even ask for that permission.
I suppose that requires a warrant; so perhaps #red_team warrants issued by a higher level judge; ultimately it's a future area of legislation.
I guess the county government could authorize them to break into a county courthouse.
The right to bring in a 3rd party for security assessment is sometimes part of an IT service contract; the state might have had this (or thought they had this) as part of its electronic records integration with the county.
I don't doubt you're right, I do wonder to what extent everyone would understand something that looks like a physical break-in might be part of that.
This is going to be state specific. Generally courthouses are built by county boards, paid for with county bonds, and under the control and management of the local county sheriff. Counties are creatures of the state, but that doesn't mean any random state employee with a similar sounding adjective in their title has any authority over a county institution; it will all depend on the authority granted by legislation and constitutions.
Document links 404, this article has working links: https://www.weareiowa.com/news/local-news/state-court-admini...
I guess it's going to trial, unless the prosecutors drop the case. The waiting continues.
..
PenTesters for the state/government cybersecurity require a special designation #red_team that allows for incursion and flag dropping; 'tracepoints' -- public disclosure. There are a lot of steps and often it involves writing out a clear mission scope/goals to avoid this type of circumstance.
This includes progress reports to their organizational handler announcing the intentions/progress .. progressive research. Introductions by state employees, informing the law enforcement.
OFTEN ..
I find myself informing the officials & administrators during normal business hours, etc. "people who may be affected" that could be conducting an exercise that involves your building in [timeframe] you have until then to prepare; readiness drills etc. bring it.
Afaik getting caught is part of the fun (how far can I get before you catch me?) but there's always a point of no return where it's not fair; never typing the rm -Rf or "encrypt *" commands but you never actually do if you're a good person; I know I had a lot of interesting "oops" moments in my early career where I accidentally embarrassed somebody and made an enemy.
IT Departments are run by normal people who have limited budgets and time; and I like to point out that a failure usually means a better budget justification to fix it; and assurance that anything we break we'll fix; but how confident are they in their backups and how easily I can get to them.
So fuck that cowboy pen testing bullshit, a great hacker will only use that as a last resort and then EVERYBODY should know it's happening so there is less risk. This is why "this is a test" is played during military exercises; because it's about the readiness drill. I will take your system down; with or without you -- do you want to watch?
I've had new guys on teams suggest cutting primary wires; to trigger failures i.e. "video camera feeds" etc to demonstrate coverage lapses in physical security. if they did any property damage; they are liable for that.
If the building administrators decline the #red_team audit; then we submit that back into the report and put them on our "naughty list"; which means we'll try 2x harder to embarrass that particular person; shame on them.... it needs to be clear that a failure does not necessarily reflect badly on them in our report; unless they were blocking the audit; that is bad. that's all you can do; they don't want to engage -- forward it to the foreign upper bureaus who don't need to follow the same disclosure rules as a good place to train recruits.
As a hacker; pen-tester #red_team I make it clear that's exactly what I'm going to do if they don't personally cooperate; usually they'd rather be helpful than risk pissing me off and being the subject of my wrath - we work together to fix it. It's a bit heavy handed; .. 2020 election security is going to suck donkey balls btw.
/ #red_team
> If the building administrators decline the #red_team audit; then we submit that back into the report and put them on our "naughty list"; which means we'll try 2x harder to embarrass that particular person
You sound quite unprofessional :/
is there a better technique? please share. independent cyber-merc "white hat; with blood stains"
my best approach -- marking people "declined to participate" and naughty list; or for shaming them for not participating in the drill?
?? as I see it; I'm a good guy by paying them a courtesy by informing them of the intentions; working with them; they are the unprofessional ones. perhaps this is my low EQ; and it's why I have assistants.
I have no patience for bureaucrats (i.e. election officials) telling me their system is secure while I know damn well they aren't .. usually I suspect corruption/secrets they would rather not be public ... and the funny thing is ... most of the time I'm right and they turn out to be real pieces of shit that I just happened to get caught on my boot.
Too many of our systems relying on closed source software vendors hiding behind the law pretending (I'm looking at you Oracle) .. ignoring that 90% of North Korea's income comes from hacking; cyber-terrorism cyber-ransom funding radical terrorism scares me.
the small terrorist cells usually don't have a hypermind *(180+ IQ); but nation state [even small ones] probably have at least one or two on the payroll.
Iran is a good example of this; we've been talking about these types of attacks "in theory" for years; literally 10 years -- more importantly; due to the success how long before this type of guerilla warfare expands to schools in the USA.
> is there a better technique? please share.
Get hired by someone who has the authority to instruct building services to cooperate. If the person hiring you doesn't have the authority to do that, they certainly don't have the authority to get your guys out of jail.