author photo
By Bruce Sussman
Fri | Jan 31, 2020 | 8:18 AM PST

For nearly five months, pentesters Gary DeMercurio and Justin Wynn had been waiting. And wondering.

Will we go to jail for doing the job we were hired to do?

Officials in Dallas County, Iowa, just answered that question by finally dismissing charges against the men.

Iowa pentester case update: charges finally dropped

The local sheriff ordered the arrest of the pentesters on September 11, 2019, after they intentionally set off an alarm by going inside the Dallas County courthouse around midnight.

This was the physical part of the testing they were hired to perform, to probe judicial cyber and physical security. 

But there was a problem no one saw coming: the Iowa Judicial Branch hired the pentesters to check security at the county courthouse.

The local courthouse, however, is under the jurisdiction of the county sheriff. He knew nothing about the testing and declared it illegal.

It was a jurisdictional nightmare, with DeMercurio and Wynn caught in the middle and facing jail time.

The stakes were also significant for the pentesters' employer, Coalfire, which feared a conviction of their employees could have a chilling effect on pentesting and Red Teams everywhere.

Pentester charges dropped, Coalfire reaction

Coalfire issued a statement that placated all sides in the jurisdictional fight, which must have been part of the agreement needed to drop the charges:

"It is clear that on September 11, 2019 it was the intention of the Dallas County Sheriff to protect the citizens of Dallas County and the State of Iowa by ensuring the integrity of the Dallas County Courthouse. It was also the intention of Coalfire to aid in protecting the citizens of the State of Iowa, by testing the security of information maintained by the Judicial Branch, pursuant to a contract with State Court Administration."

In plain English, the statement seems to say, "no worries, everyone's a good guy in this fight." Even the county officials who refused to drop the charges for almost five months.

Then the statement goes on with more of what must have been required language as part of the dismissal. It indicates that surprise pentesting put law enforcement, the lives of citizens, and property at risk.

This is a far cry from what the Coalfire CEO had said previously, as covered in our story, Pentesters Are Heroes Not Criminals.

"Ultimately, the long-term interests of justice and protection of the public are not best served by continued prosecution of the trespass charges.

Those interests are best served by all the parties working together to ensure that there is clear communication on the actions to be taken to secure the sensitive information maintained by the Judicial Branch, without endangering the life or property of the citizens of Iowa, law enforcement or the persons carrying out the testing.

It is the hope of Dallas County and Coalfire that the Judicial Branch will work with them so that any issues carrying out such vital testing can be avoided in the future."

In other words, hopefully next time the state will notify the sheriff there is going to be testing. This might defeat the purpose of the test, but hey, we're all friends here.

"We are pleased that all charges are dropped in the Iowa incident," said Coalfire CEO Tom McAndrew, calling it an "exoneration."

The arrests and ensuing drama raise national awareness of the quiet war being waged against cybercrime, and the critical role Red Team penetration testing plays in defending the integrity of public and private sector commerce.

"With positive lessons learned, a new dialogue now begins with a focus on improving best practices and elevating the alignment between security professionals and law enforcement," said McAndrew. "We're grateful to the global security community for their support throughout this experience."

Pentesters respond to charges being dropped

The pentesters themselves were more direct, and you can sense both their anger and relief about what happened.

The attorney for the pentesters released this statement:

"Mr. Wynn and De Mercurio are relieved that the accusations have been dismissed but are frustrated with the entirety of the process. Law enforcement and prosecutors should appreciate the fact that an arrest for a criminal offense can never be undone, even after the charge is dismissed.

The justice system ceases to serve its crucial function and loses credibility when criminal accusations are used to advance personal or political agendas. Such a practice endangers the effective administration of justice and our confidence in the criminal justice system.

This entire ordeal could have been avoided by simply respecting the fact finding that the responding law enforcement officer conducted which verified the work was authorized by the Judicial Branch.

Unfortunately, the lack of communication between government entities, an ignorance of the law, personal pride and politics overrode the objective investigation conducted by responding law enforcement.

Mr. Wynn and De Mercurio would like to thank the responding sheriff deputies and City of Adel Police Department officers for their professionalism.

They would also like to thank Coalfire for the unconditional support they received especially from CEO Tom McAndrew and Vice President Mike Weber. Finally, they would like to thank the Cyber Security family for the immense amount of support they provided."

For more on what happened in this case, including the original contracting documents, read New Documents About Pentesters Jailed for Courthouse Break-In.

[RESOURCE: Connect and learn with your cybersecurity peers at SecureWorld regional conferences.]

Comments