Yesterday, I wrote about two employees of Coalfire who were arrested for performing a physical pen test of various courthouses in Iowa. The article focused on the need to have a well-defined Statement of Work and contract.
Well, guess what.
The State of Iowa Judicial Branch released exactly these documents. And guess what? Page 12 of the Rules of Engagement states that there are three physical locations within the scope of the physical pen test — precisely the Courthouses that the men were arrested for “breaking in” to. And the permission went further. It specifically gave Coalfire employees permission to engage in “tailgating” (that is, following authorized individuals into the building) and to pick locks to break into the buildings or portions thereof, and it defined which parts of each building were IN scope and which were OUT of scope (e.g., in one Courthouse, floors 3 & 4 were out of scope, but Coalfire could do a “proof of concept” to show that entry could be obtained). Coalfire was also specifically authorized to install hardware within the buildings (e.g., wireless routers, mice, USB drives, etc.).
Seems pretty comprehensive. Now maybe the judiciary was just confused by what “lock picking” meant. Or what physical access meant. Or maybe they never read the Rules of Engagement. Again, we had a failure to communicate or a failure to understand. Nevertheless, the agreements did have the right language in them. Sure, maybe there could have been a bold warning banner, “CRUNCHY RAW UNBONED REAL DEAD FROG!” (at 1:35). But at the end of the day, Coalfire did have an agreement to allow them to break in, and authorization to do so.
Of course, this doesn’t mean that the Coalfire employees won’t still be prosecuted. After all, they embarrassed the powers that be. They have meddled with the primary forces of nature (at 0:41). For that, they need to be punished.
It’s not the first time. When Stefan Puffer showed reporters at the Houston Chronicle that the Harris County Wi-Fi networks were “wide open,” even though he did not access the network, he was prosecuted for hacking. The jury acquitted him in a few hours.
When Scott Moulton was hired to do a ping sweep of a network by a municipality, he was similarly prosecuted under both federal and Georgia law — not because he exceeded the scope of the pen test agreement, but because he found that the network was wide open.
When Bret McDanel demonstrated that a secure email service he worked for was not secure, and that the company continued to make erroneous claims about its security, he quit, and later sent emails to the users telling them that they had been lied to. He was similarly prosecuted (and convicted) for “hacking” by sending the emails, although the conviction was later overturned, and the government itself admitted that no crime had occurred.
These are all cases where security researchers, doing their jobs, were prosecuted. No good deed goes unpunished. So remember that advice I gave you about getting everything in writing? To quote Emily Litella, never mind.
Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.