from the all's-well-that-ends-unceremoniously dept

Criminal Charges Finally Dropped Against Security Researchers Who Broke Into An Iowa Courthouse

by

Security research isn't a criminal activity, no matter how many companies might wish otherwise when their bad security practices are exposed. But a couple of researchers working for Coalfire Security found themselves arrested and charged after performing a physical penetration test of an Iowa courthouse. Testing the physical security boundaries of the courthouse didn't go exactly as planned once the local sheriff showed up.

The two employees, Justin Wynn and Gary De Mecurio, showed Dallas County Sheriff Chad Leonard their credentials and the contract supposedly permitting them to perform a B&E but it didn't matter to Sheriff Leonard.

It did matter to Iowa Court officials, who said the test had been authorized... but perhaps not exactly on those terms. And it mattered to their employer, which wrote an angry letter demanding to know why Coalfire's employees were still locked up even after things had been (mostly) cleared up by courthouse officials.

The sheriff refused to budge, claiming it was his sacred duty to protect taxpayer-funded courthouses from out-of-town interlopers (or words to that effect). Coalfire's CEO, Tom McAndrew, was less than enthused with the sheriff's self-assessment. He said Sheriff Leonard was actually hurting taxpayers more than helping them by locking up people trying to increase courthouse security and prevent unauthorized access to sensitive records and documents.

Nearly three months later, prosecutors have finally backed down. Apparently, enough pressure can result in the prosecutorial discretion we hear so much about when prosecutors and politicians claim broadly-worded laws won't result in a bunch of collateral damage.

Originally charged with third-degree felonies, the charges were reduced to misdemeanor trespassing after the story began gaining traction outside of Iowa. Those charges have now been dropped as well.

Dallas County Attorney Charles Sinnard and Coalfire officials released a joint statement Thursday in which they said they agreed to drop the charges when it became clear the Coalfire employees and the responding law enforcement had the community's safety in mind.

"Ultimately, the long-term interests of justice and protection of the public are not best served by continued prosecution of the trespass charges," they wrote in a statement provided by Sinnard. "Those interests are best served by all the parties working together to ensure that there is clear communication on the actions to be taken to secure the sensitive information maintained by the judicial branch, without endangering the life or property of the citizens of Iowa, law enforcement or the persons carrying out the testing."

This is great but it seems like something that could have been cleared up three months ago and without putting felony arrests on the researchers' permanent records. The testing could have been handled a bit better by everyone involved but it's pretty tough to stress-test physical security measures without utilizing methods targets won't necessarily expect to be used. Breaking into courthouses is certainly unexpected. But once judicial reps made it clear the court system had engaged the service to test security, the researchers should have been released by the sheriff and all charges dropped. Instead, this got dragged out for another three months, providing more evidence there's nothing all that secure about a career in security research.