alt Hacker NewsCounty pays $600k to pentesters it arrested for assessing courthouse security
Comments
This happened in 2019. The wheels of justice turn very slowly.
Public service sector: we can't find employees and contractors willing to work for us!
Also public service sector: this right here.
Besides, let me guess, that sheriff is elected?
Not bad bug bounty if you ask me
I'm glad the charges were dismissed, but to be honest the original reporting shows the story was actually more nuanced than this article led me to believe. 2019 article: https://arstechnica.com/information-technology/2019/11/how-a...
I'll probably get downvoted for even questioning the narrative, but here are some of the nuances that stood out to me:
- When the police contacted someone listed on the authorization letter, that person denied that they had been authorized to conduct physical intrusions. Another contact didn't answer their phone. What are the police supposed to do if the people supposedly authorizing the intrusion are actively denying the authorization?
- The contract had vague language that say they couldn't "force-open doors". The two men told police they had used a tool to open a locked door. The language should have been more specific about what was and was not allowed. (EDIT: This is causing a lot of controversy. The legal definition of "forced entry" in my state does not require literal damage to the property, only a bypassing of barriers. I don't know about the circumstances in this state, but to be clear the term "force-open doors" doesn't necessarily mean using destructive force everywhere)
- The contract said "alarm subversion" was not allowed, but supposedly the police had evidence that they were trying to manipulate the alarm. They deny this.
- The men had been drinking alcohol before the break-in. By the time they were breathalyzed it was at 0.05, meaning the number was even higher when they started the break-in. Drinking alcohol before you do a professional job guaranteed to get the police responding is a terrible idea.
- After they tripped the alarm and the police showed up, they didn't immediately identify themselves and end the exercise. They hid from the police, claiming that they were "testing the authorities' response" which seems obviously out of scope for their agreement.
So I agree that the charges were excessive and the Sheriff was in the wrong on a lot of things, but after reading the details this wasn't really a clear cut case. The pentesters weren't really doing everything "by the book" if they thought that testing the police response by hiding was in scope of their contract and doing this job after a few alcoholic beverages is a bizarre choice.
For someone who is in such a position in the future, always notify the local police in writing and by phone call, if not also in person, before starting such an exercise. Make sure they have the get-out-of-jail documentation in advance of the exercise. If the police doesn't approve, don't do it. It would be better to get a no-objection letter from the police in advance. Make sure an attorney is aware of the activities and all documentation. Do not take any chances. You don't live in a kind or forgiving world. Handling unknown unknowns is the point.
So... the county sheriff showed up, decided he needed to be a big boss man, and made everything worse for everyone. Sounds pretty typical.
I kinda hate that it settled. I fully understand the plaintiffs not wanting to proceed, but i really wish the sheriff was actually punished for what he did. This sort of power tripping should be a fireable offence
Should have been at least 6 mln for each, and 15+ years of max security jail for those who abuse power, including those who "just followed orders".
I remember reading about this when it first happened. Glad there was at least a somewhat positive outcome.
For reference, here is the HN thread shortly after the arrest: https://news.ycombinator.com/item?id=21000273