Criminal Charges Finally Dropped Against Security Researchers Who Broke Into An Iowa Courthouse
from the all's-well-that-ends-unceremoniously dept
Security research isn't a criminal activity, no matter how many companies might wish otherwise when their bad security practices are exposed. But a couple of researchers working for Coalfire Security found themselves arrested and charged after performing a physical penetration test of an Iowa courthouse. Testing the physical security boundaries of the courthouse didn't go exactly as planned once the local sheriff showed up.
The two employees, Justin Wynn and Gary De Mecurio, showed Dallas County Sheriff Chad Leonard their credentials and the contract supposedly permitting them to perform a B&E but it didn't matter to Sheriff Leonard.
It did matter to Iowa Court officials, who said the test had been authorized... but perhaps not exactly on those terms. And it mattered to their employer, which wrote an angry letter demanding to know why Coalfire's employees were still locked up even after things had been (mostly) cleared up by courthouse officials.
The sheriff refused to budge, claiming it was his sacred duty to protect taxpayer-funded courthouses from out-of-town interlopers (or words to that effect). Coalfire's CEO, Tom McAndrew, was less than enthused with the sheriff's self-assessment. He said Sheriff Leonard was actually hurting taxpayers more than helping them by locking up people trying to increase courthouse security and prevent unauthorized access to sensitive records and documents.
Nearly three months later, prosecutors have finally backed down. Apparently, enough pressure can result in the prosecutorial discretion we hear so much about when prosecutors and politicians claim broadly-worded laws won't result in a bunch of collateral damage.
Originally charged with third-degree felonies, the charges were reduced to misdemeanor trespassing after the story began gaining traction outside of Iowa. Those charges have now been dropped as well.
Dallas County Attorney Charles Sinnard and Coalfire officials released a joint statement Thursday in which they said they agreed to drop the charges when it became clear the Coalfire employees and the responding law enforcement had the community's safety in mind.
"Ultimately, the long-term interests of justice and protection of the public are not best served by continued prosecution of the trespass charges," they wrote in a statement provided by Sinnard. "Those interests are best served by all the parties working together to ensure that there is clear communication on the actions to be taken to secure the sensitive information maintained by the judicial branch, without endangering the life or property of the citizens of Iowa, law enforcement or the persons carrying out the testing."
This is great but it seems like something that could have been cleared up three months ago and without putting felony arrests on the researchers' permanent records. The testing could have been handled a bit better by everyone involved but it's pretty tough to stress-test physical security measures without utilizing methods targets won't necessarily expect to be used. Breaking into courthouses is certainly unexpected. But once judicial reps made it clear the court system had engaged the service to test security, the researchers should have been released by the sheriff and all charges dropped. Instead, this got dragged out for another three months, providing more evidence there's nothing all that secure about a career in security research.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: breaking and entering, chad leonard, charges, courthouse, dallas county, iowa, security, security research
Companies: coalfire security
Reader Comments
Subscribe: RSS
View by: Time | Thread
If nothing else, prosecutors should have given the no-go immediately.
[ link to this | view in chronology ]
Now send the sheriff the bill for the entire time the 2 employees were locked up and dealing with the 3 months or rigamarole.
[ link to this | view in chronology ]
Oh, if only they could. But qualified immunity would take care of that.
[ link to this | view in chronology ]
Re:
Qualified Immunity would probably get the sheriff out of a judificial court case seeking such damages. It doesn't mean Coalfire can't send the bill, and back it up with more pressure in the court of public opinion. They may not succeed, but it's still worth trying.
[ link to this | view in chronology ]
Re: Re:
Coalfire had a contract with the court so the court should get the bill. They can then deal with their own local sheriff for getting the money back.
[ link to this | view in chronology ]
Re:
The testers were acting as agents of state so would they also be entitled to Qualified Immunity?
[ link to this | view in chronology ]
Re:
Depending on how the security test contract was worded, the Sheriff might not be on the hook for three months of extreme overtime, but the court officials that hired Coalfire might be!
[ link to this | view in chronology ]
"you might beat the ticket, but you wont beat the ride."
[ link to this | view in chronology ]
Israeli spies, Silicon Valley
Well, trying to be centrist is appreciated, as long as we talk about the 10000 lb. Golem in the room:
Israeli spies in Silicon Valley:
https://techcrunch.com/2015/03/20/from-the-8200-to-silicon-valley/
[ link to this | view in chronology ]
Joel.Zamel
Maybe, take a look at the types of people who are distributing child pornography in the name of counter-terrorism....
*for the children…
https://en.m.wikipedia.org/wiki/Joel_Zamel
"an agency specializing in counter-extremism activities and social media operations"
[ link to this | view in chronology ]
Are we just replying to random articles in any thread now? OK!
Zoo per bole.
[ link to this | view in chronology ]
You are correct, I put that in the wrong thread.
My bad.
[ link to this | view in chronology ]
Re:
Didn't mean to be insulting, so i am sorry if it came off that way. Just decided to run with it. Obviously, not funny.
[ link to this | view in chronology ]
Re: Re:
Oh no please feel free to insult that shitty lil racist edgelord.
[ link to this | view in chronology ]
Re: Re:
Its ok. Thank you for that.
I have thick skin, and acknowledge when I am wrong, unlike that paper thinskinned, race baiting AC chatbot troll underneath this comment, who, coincidentally will eat shit if I take a dump...
Pucker up Tweedle Dum, here it comes
({⊙})
[ link to this | view in chronology ]
Re: Re:
Pucker up Tweedle Dum, here it comes
({⊙})
[ link to this | view in chronology ]
Look:That doesnt Translate in any knownn language
Try again, AC?
AC indicates is a troll spamming Superbowl shit.
[ link to this | view in chronology ]
Re:
It is a reference to the thread on the superbowl article. It is also perfectly fine english. However, it might be hyphenated.
Thanks, lame excuse for a concern troll.
[ link to this | view in chronology ]
The felony arrest warrants will be a badge of honor for those pen testers CVs.
[ link to this | view in chronology ]
out of our ass
Um, no, AC dumbass.
Getting CAUGHT is FAILURE by definition.
[ link to this | view in chronology ]