County pays 600000 to pentesters it arrested for assessing courthouse security Ars Technica
p
Settlement comes more than 6 years after Gary DeMercurio and Justin Wynns ordeal began
ppTwo security professionals who were arrested in 2019 after performing an authorized security assessment of a county courthouse in Iowa will receive 600000 to settle a lawsuit they brought alleging wrongful arrest and defamationppThe case was brought by Gary DeMercurio and Justin Wynn two penetration testers who at the time were employed by Coloradobased security firm Coalfire Labs The men had written authorization from the Iowa Judicial Branch to conduct redteam exercises meaning attempted security breaches that mimic techniques used by criminal hackers or burglarsppThe objective of such exercises is to test the resilience of existing defenses using the types of realworld attacks the defenses are designed to repel The rules of engagement for this exercise explicitly permitted physical attacks including lockpicking against judicial branch buildings so long as they didnt cause significant damageppThe event galvanized security and law enforcement professionals Despite the legitimacy of the work and the legal contract that authorized it DeMercurio and Wynn were arrested on charges of felony thirddegree burglary and spent 20 hours in jail until they were released on 100000 bail 50000 for each The charges were later reduced to misdemeanor trespassing charges but even then Chad Leonard sheriff of Dallas County where the courthouse was located continued to allege publicly that the men had acted illegally and should be prosecutedppReputational hits from these sorts of events can be fatal to a security professionals career And of course the prospect of being jailed for performing authorized security assessment is enough to get the attention of any penetration tester not to mention the customers that hire themppThis incident didnt make anyone safer Wynn said in a statement It sent a chilling message to security professionals nationwide that helping a government identify real vulnerabilities can lead to arrest prosecution and public disgrace That undermines public safety not enhances itppDeMercurio and Wynns engagement at the Dallas County Courthouse on September 11 2019 had been routine A little after midnight after finding a side door to the courthouse unlocked the men closed it and let it lock They then slipped a makeshift tool through a crack in the door and tripped the locking mechanism After gaining entry the pentesters tripped an alarm alerting authoritiesppWithin minutes deputies arrived and confronted the two intruders DeMercurio and Wynn produced an authorization letterknown as a get out of jail free card in pentesting circles After a deputy called one or more of the state court officials listed in the letter and got confirmation it was legit the deputies said they were satisfied the men were authorized to be in the building DeMercurio and Wynn spent the next 10 or 20 minutes telling what their attorney in a court document called war stories to deputies who had asked about the type of work they doppWhen Sheriff Leonard arrived the tone suddenly changed He said the Dallas County Courthouse was under his jurisdiction and he hadnt authorized any such intrusion Leonard had the men arrested and in the days and weeks to come he made numerous remarks alleging the men violated the law A couple months after the incident he told me that surveillance video from that night showed they were crouched down like turkeys peeking over the balcony when deputies were responding I published a much more detailed account of the event here Eventually all charges were dismissedppDeMercurio and Wynn sued Dallas County and Leonard for false arrest abuse of process defamation intentional infliction of emotional distress and malicious prosecution The case dragged on for years Last Thursday five days before a trial was scheduled to begin in the case Dallas County officials agreed to pay 600000 to settle the caseppIts hard to overstate the financial emotional and professional stresses that result when someone is locked up and repeatedly accused of criminal activity for performing authorized work thats clearly in the public interest DeMercurio has now started his own firm Kaiju SecurityppThe settlement confirms what we have said from the beginning our work was authorized professional and done in the public interest DeMercurio said What happened to us never should have happened Being arrested for doing the job we were hired to do turned our lives upside down and damaged reputations we spent years buildingppArs Technica has been separating the signal from
the noise for over 25 years With our unique combination of
technical savvy and wideranging interest in the technological arts
and sciences Ars is the trusted source in a sea of information After
all you dont need to know everything only whats importantpp
p
Settlement comes more than 6 years after Gary DeMercurio and Justin Wynns ordeal began
ppTwo security professionals who were arrested in 2019 after performing an authorized security assessment of a county courthouse in Iowa will receive 600000 to settle a lawsuit they brought alleging wrongful arrest and defamationppThe case was brought by Gary DeMercurio and Justin Wynn two penetration testers who at the time were employed by Coloradobased security firm Coalfire Labs The men had written authorization from the Iowa Judicial Branch to conduct redteam exercises meaning attempted security breaches that mimic techniques used by criminal hackers or burglarsppThe objective of such exercises is to test the resilience of existing defenses using the types of realworld attacks the defenses are designed to repel The rules of engagement for this exercise explicitly permitted physical attacks including lockpicking against judicial branch buildings so long as they didnt cause significant damageppThe event galvanized security and law enforcement professionals Despite the legitimacy of the work and the legal contract that authorized it DeMercurio and Wynn were arrested on charges of felony thirddegree burglary and spent 20 hours in jail until they were released on 100000 bail 50000 for each The charges were later reduced to misdemeanor trespassing charges but even then Chad Leonard sheriff of Dallas County where the courthouse was located continued to allege publicly that the men had acted illegally and should be prosecutedppReputational hits from these sorts of events can be fatal to a security professionals career And of course the prospect of being jailed for performing authorized security assessment is enough to get the attention of any penetration tester not to mention the customers that hire themppThis incident didnt make anyone safer Wynn said in a statement It sent a chilling message to security professionals nationwide that helping a government identify real vulnerabilities can lead to arrest prosecution and public disgrace That undermines public safety not enhances itppDeMercurio and Wynns engagement at the Dallas County Courthouse on September 11 2019 had been routine A little after midnight after finding a side door to the courthouse unlocked the men closed it and let it lock They then slipped a makeshift tool through a crack in the door and tripped the locking mechanism After gaining entry the pentesters tripped an alarm alerting authoritiesppWithin minutes deputies arrived and confronted the two intruders DeMercurio and Wynn produced an authorization letterknown as a get out of jail free card in pentesting circles After a deputy called one or more of the state court officials listed in the letter and got confirmation it was legit the deputies said they were satisfied the men were authorized to be in the building DeMercurio and Wynn spent the next 10 or 20 minutes telling what their attorney in a court document called war stories to deputies who had asked about the type of work they doppWhen Sheriff Leonard arrived the tone suddenly changed He said the Dallas County Courthouse was under his jurisdiction and he hadnt authorized any such intrusion Leonard had the men arrested and in the days and weeks to come he made numerous remarks alleging the men violated the law A couple months after the incident he told me that surveillance video from that night showed they were crouched down like turkeys peeking over the balcony when deputies were responding I published a much more detailed account of the event here Eventually all charges were dismissedppDeMercurio and Wynn sued Dallas County and Leonard for false arrest abuse of process defamation intentional infliction of emotional distress and malicious prosecution The case dragged on for years Last Thursday five days before a trial was scheduled to begin in the case Dallas County officials agreed to pay 600000 to settle the caseppIts hard to overstate the financial emotional and professional stresses that result when someone is locked up and repeatedly accused of criminal activity for performing authorized work thats clearly in the public interest DeMercurio has now started his own firm Kaiju SecurityppThe settlement confirms what we have said from the beginning our work was authorized professional and done in the public interest DeMercurio said What happened to us never should have happened Being arrested for doing the job we were hired to do turned our lives upside down and damaged reputations we spent years buildingppArs Technica has been separating the signal from
the noise for over 25 years With our unique combination of
technical savvy and wideranging interest in the technological arts
and sciences Ars is the trusted source in a sea of information After
all you dont need to know everything only whats importantpp
p
