top | item 46816741

(no title)

bink | 1 month ago

I performed these types of physical pen tests years ago. If we were testing security for something like a courthouse we would've had a card on each of us with the personal cell phone number of the county clerk along with a statement of work that described exactly what we were authorized to do, with signatures. In some cases we'd have a backup contact number for more dangerous stuff. The idea that the emergency contact would not answer the phone would've seemed ludicrous. They were always aware of where we were and what we were doing at all times.

Damaging property was never approved. Drinking alcohol before a test would never happen. The insurance risk alone would've been nuts, not to mention the reputational damage if someone smelled it on your breath. Hiding from law enforcement? I'd need to know more about that. If a cop shows up with a gun you absolutely do not hide. If it's a security guard on rounds and you're waiting for them to move on... sure.

It was often dangerous though. Some security and law enforcement types take it personally that they're being "tested" and do not react well. We always tried to have some former law enforcement or military with us because they were less likely to be targeted for abuse than us hackers/nerds.

discuss

rainonmoon|1 month ago

> If we were testing security for something like a courthouse we would've had a card on each of us with the personal cell phone number of the county clerk along with a statement of work that described exactly what we were authorized to do, with signatures.

You mean... the thing that they had? FTA:

"Within minutes, deputies arrived and confronted the two intruders. DeMercurio and Wynn produced an authorization letter—known as a “get out of jail free card” in pen-testing circles. After a deputy called one or more of the state court officials listed in the letter and got confirmation it was legit, the deputies said they were satisfied the men were authorized to be in the building."

There's also no indication that they damaged property (they used a UDT to trip a sensor to bypass the door). Neither of us were there, but based on the actual reporting it sounds like the worst anyone could accuse these people of being is stupidly unprofessional and bad communicators, which if you worked with pentesters shouldn't seem like an unprecedented aberration.

Aurornis|1 month ago

Read the article further. When the police called the phone number on the document, the person on the other end denied that they were authorized to be in the building.

Aurornis|1 month ago

> Hiding from law enforcement? I'd need to know more about that. If a cop shows up with a gun you absolutely do not hide. If it's a security guard on rounds and you're waiting for them to move on... sure.

According to the article, they were hiding from the police who showed up, not security guards.

Testing the police is undeniably out of scope in a situation like this. If the police show up, the exercise needs to be over. You announce your presence and de-escalate, not try to outmaneuver the police.

These two guys only look like heroes in contrast to the over zealous sheriff. Everything else about their operation ranges from amateur hour to complete incompetence, such as drinking before a job.

bink|1 month ago

I completely agree. Hiding from the cops puts everyone in danger. But to be clear I wouldn't be hiding from the security guards either once they had found evidence of our test. It was really only if they were nearby and unaware anything was happening that we found it OK to hide from them.

The whole point is to test security. Ideally you want to be found because that means that they have reasonable security in place and you can attest to that.

tiahura|1 month ago

IIRC they had permission from the state court administrator, but not the county. The building is a county building. And, as it does in all sorts of jurisdictions with a similar setups, pissing contests arise over various issues.