So yeah, it sucks for these guys' reputations and criminal histories, but... what? The onsite staff didn't know what was going on, the Sheriffs didn't know what was going on.
The county basically said: "We want you to go try to break into this government building. We aren't going to tell the staff or the local police about it. Tell us what you find."
They broke in and set off an alarm, the local cops responded, the pentesters showed their credentials, and there was no issue.
Then the sheriff arrived, was butthurt because he felt left out and wanted to show his authority, and caused these guys 6 years of grief for literally no reason at all.
Extremely dangerous and irresponsible for the county not to alert the local police and Sheriff's office that this operation was taking place.
I'm glad these guys got their money.
Only once the sheriff himself arrived on scene did he order the arrest that caused all the issues. If that didn't happen it wouldn't have been a story other than "security professionals doing their authorized job".
Apparently there's more to this story. From the original article https://arstechnica.com/information-technology/2019/11/how-a...
> Another reason for doubt: one of the people listed as a contact on the get-out-of-jail-free letter didn’t answer the deputies’ calls, while another said he didn’t believe the men had permission to conduct physical intrusions.
It's actually kind of amazing that the police first let them go after the official contact on the form said they were not authorized to intrude in the building.
FTFY
Also - a red-team exercise doesn't work if you tell the targets that they're about to be tested.
I think the takeaway for security teams is that you shouldn't let the customer "authorize" what is otherwise criminal activity warranting a police response without getting some air cover from the enforcement side. Coordinating that is the customer's burden to bear and that cover should be secured before letting them hand-wave away the risks with a "just have the police call me and I'll clear it all up". In hindsight only, when you look at it like that, the security team was not covering their ass appropriately. In a perfect world, you'd assume there's some better planning and communication going on behind the curtain. In the real world, you need more than the flimsy "guarantee" of calling a guy who knows a guy in the middle of the night. At the very least, that get out of jail free card should have had as signatories judiciary representation and enforcement representation (e.g. sheriff).
If the sheriff had arrested them and found out in the morning what was going on and then let them go, this wouldn't be news.
If the sheriff had arrested them and brought them before a judge who let them go, this wouldn't be news.
What actually happened is the sheriff found out what was going on, decided it was still criminal anyway, arrested them, and then the county charged and prosecuted them. The charges were eventually dismissed. That is why it's news.
And icing on the cake, the current county attorney disagrees with the dismissal done by his predecessor, and says that he will prosecute any future incidents of this nature. https://www.kcci.com/article/coalfire-contractors-settle-dal...
My other comment has more details, but a summary is that the pentesters had been drinking before breaking into the building, were doing things that could be interpreted as being forbidden by their own contract, and the big one: The person listed on their authorization letter denied that they were approved to enter the building when called.
That last one is a big deal. If your own authorization contacts start telling the police you're not authorized to be in the building, you're in trouble.
Frankly, I would not have taken this gig unless you had verbal confirmation that the Sheriff knows about it and has signed off. If you're entering a red team situation where the State wants to assess the security of their county courthouses, but doesn't want the local authorities to know it's happening because they don't trust them: That is not a situation you want to be in the middle of, they gotta sort that out.
You’re trying to see what can be done and what the response is from the current security practices and the police showing up seems like an important part of that.
The article says they did have an authorization letter from the state court officials (the people running the building) and they were released right after the letter was verified with the court officials.
At least from what I can see, the police officers involved were doing the right thing. They detained the suspects, made a proper effort to listen to them and validate their story, and then released them.
It was the Sheriff who showed up and didn't like it who then hassled them further.
They basically had a no-objection letter from the people in charge of the building and the police officers were onboard. It was one person who tried to turn it into something else.
Most countries appoint law enforcement officers who are qualified for the job.
We had a problem last year here in San Mateo County, California where our sheriff was corrupt but we had to pass a ballot measure because we couldn't just fire them: https://calmatters.org/justice/2025/10/san-mateo-sheriff-rem...
Independent elections are a good thing. Bundling offices together under a single election that appoints the rest of the world is terrible and only leans further into the two party see-saw that exists in the USA.
I really wish for proportional representation. Not that it really applies to your local police force, but we need to break apart the complete A-or-B nature of American politics. Form coalitions, not monoliths that trade off earning 51% of the electorate every cycle.
see https://www.desmoinesregister.com/story/news/2022/08/29/dall...
I'll probably get downvoted for even questioning the narrative, but here are some of the nuances that stood out to me:
- When the police contacted someone listed on the authorization letter, that person denied that they had been authorized to conduct physical intrusions. Another contact didn't answer their phone. What are the police supposed to do if the people supposedly authorizing the intrusion are actively denying the authorization?
- The contract had vague language that says they couldn't "force-open doors". The two men told police they had used a tool to open a locked door. The language should have been more specific about what was and was not allowed.
- The contract said "alarm subversion" was not allowed, but supposedly the police had evidence that they were trying to manipulate the alarm. They deny this.
- The men had been drinking alcohol before the break-in. By the time they were breathalyzed it was at 0.05. Drinking alcohol before you do a professional job guaranteed to get the police responding is a terrible idea.
- After they tripped the alarm and the police showed up, they didn't immediately identify themselves and end the exercise. They hid from the police, claiming that they were "testing the authorities' response" which seems obviously out of scope for their agreement.
So I agree that the charges were excessive and the Sheriff was in the wrong on a lot of things, but after reading the details this wasn't really a clear cut case. The pentesters weren't really doing everything "by the book" if they thought that testing the police response by hiding was in scope of their contract and doing this job after a few alcoholic beverages is a bizarre choice.
Regarding force, this article says:
> The rules of engagement for this exercise explicitly permitted “physical attacks,” including “lockpicking,” against judicial branch buildings so long as they didn’t cause significant damage.
And later that they entered through an unlocked door, which they (it sounds like) kept unlatched by inserting something between the latch and the doorjamb. Not unreasonable.
This is a job where having impaired judgment is a terrible idea.
If someone needs alcohol to do a job that involves taking the role of a criminal and summoning the police, drinking alcohol before it is a terrible choice no matter how you look at it. If they can't do the job without alcohol, they shouldn't be doing the job at all.
Hard agree about "forcing", though. The very word implies, you know, non-trivial amounts of force. Like technically walking toward a door in a normal human room at standard temperature and pressure means you're applying non-zero amounts of force to it, so arguments like "they applied any force at all" can be ignored as goofy.
They brought a separate case against the police and were awarded $600K
Two separate legal matters for the same event.
ricree•1h ago
For reference, here is the HN thread shortly after the arrest: https://news.ycombinator.com/item?id=21000273
Aurornis•29m ago
The initial charges against them were initially dropped to misdemeanors and then dismissed entirely, but that was a separate matter resolved earlier.