Followup on the guys arrested for a legal physical pentest of a courthouse + some ranting

(I suppose this topic applies more for physical penetration testing than "hacking" per se but is good information for anyone that wants to have a legitimate career hacking stuff ethically for money - nuke if inappropriate mods)

For those that remember the story, there were a pair of pentesters doing work on some county buildings. They had authorization to do a physical security assessment, but despite this fact got thrown in jail by an over-zealous local sheriff. These guys from the article had a contract, an authorized contact, and an air-tight get-out-of-jail-free card and still got hosed by the sheriff. The article below (podcast + transcript) is the follow-up and review of that incident:

https://www.darkreading.com/vulnerabilities-threats/dark-reading-confidential-pen-test-arrests-five-years-later

As a former pentester myself I can totally empathize with those poor dudes. It could have happened to me. I remember one time I was doing a physical security pentest - we were going into offices claiming to be consultants doing inventory on behalf of the company but in the process plugging in flash drives to run some quick code - and the person that authorized the work straight up refused to admit that he had hired us when the secretaries called him on the phone about it. The pussy just wussed out and wouldn't admit that he authorized us to do it. Fortunately we didn't get arrested, we just left quickly, but you can bet I didn't want to do any more physical security for that guy.

P.S. having sheriffs be elected officials, without any real qualifications and with major intelligence/ethics/anger issues in the United States is simply criminal IMO. They are literally enforcing the law (supposedly) with absolutely no law enforcement training, background checks, etc. This is especially a problem in very conservative jurisdictions. I don't know if the sheriff in this case was elected and/or competent as a law enforcement officer, but there are plenty of bad ones out there that aren't.

P.P.S. And don't get me started on prosecuting attorneys being elected officials... They will take bullshit cases in order to get media exposure so they can then get better elected positions, and drop cases where people were truly harmed because it won't help their political career (or worse). Let me tell you about this one time a PA refused to prosecute a guy I caught red-handed with CSAM as well as concrete evidence of them hacking multiple organizations... Well, I guess that's the whole story, but it was utter bullshit.

submitted by /u/venerable4bede

from hacking: security in practice https://ift.tt/T6b8r7H