Hired By The State to Hack, Then the State Arrested Them

0
632
hack

The state of Iowa did a nasty thing to some cybersecurity researchers. They hired them to do a “white-hat” hack attack then arrested them for it. They were totally deceived by the state’s judicial branch.

Hack the courthouse

Back in 2019, Gary DeMercurio and Justin Wynn were working for cybersecurity firm Coalfire. They got a call from Iowa’s state judicial branch, who wanted a security audit style hack attack on purpose, to find their flaws.

The men soon found themselves hired to “break into courthouses across the state.” They were assured “that this was entirely legal and that they would not go to jail if they were somehow caught.” Then they got caught. They went to jail. And sat there. Now they’re suing.

DeMercurio and Wynn filed for damages “after they were arrested and charged with felony burglary for doing exactly what the government wanted them to do.” Breaking into the Dallas County Courthouse showed that security there was pretty tight. The hack team found out real fast that just because they had permission doesn’t mean you don’t get punished.

Security was definitely not clued in on the project. The contract clearly said they were to conduct “cybersecurity testing activities, including physical penetration” on “five different buildings.” It was that physical penetration part which got them in hot water.

On September 10, 2019, the hack team was “conducting a series of ‘physical attacks,’ like picking locks and attempting to gain entry into the building.” They made entry, but not as successfully as they believed.

“As Wynn and DeMercurio successfully broke in, they tripped a motion alarm inside triggering a response from the local sheriff’s department.” They were prepared for that. They thought. Then, it turned “into an argument between the sheriff’s office and the Iowa Judicial Branch, and it became a territorial dispute between the two of them.”

Get out of jail free

The hack attack experts weren’t alarmed when the law arrived. They were carrying the “literal ‘get out of jail free’ letter which stated their purpose for being there and which told authorities not to arrest them.”

As police arrived, “the pair did not run and instead attempted to calmly explain to responding officers why they were there, showing them the authorization letter.”They weren’t ready for what happened next.

Sheriff Chad Leonard didn’t believe it. Any hack attacker can print up a letter. Official seals and letterhead aren’t that hard to duplicate. “Though the first officers on the scene believed them,” Sheriff Leonard wasn’t having it.

Instead of “abiding by the agreement letter carried by the duo, the sheriff arrested them.” Most citizens can see the reasonableness of an arrest under the circumstances but it should be something easily resolved with some phone calls. It wasn’t. The permission slip wasn’t good enough.

“Leonard refused to recognize the authority of the Iowa Judicial Branch to permit plaintiffs to perform testing on the Dallas County Courthouse.” They sat behind bars nearly 20 hours before they were bailed out. It took a full five months to get the charges dropped. They still have the bogus felony arrest on their records too.

They may hack into things and places for a living but it’s not good to have black marks on your record if you happen to be a cybersecurity researcher. “It clearly has hampered their ability to consider if they were interested in going someplace else to work. That creates a problem,” their lawyer said. “It has a significant impact on the value of their service.”

LEAVE A REPLY

Please enter your comment!
Please enter your name here