County pays $600k to pentesters it arrested for assessing courthouse security
by MBCook on 1/29/2026, 6:48:09 PM
Comments
by: ricree
I remember reading about this when it first happened. Glad there was at least a somewhat positive outcome.<p>For reference, here is the HN thread shortly after the arrest: <a href="https://news.ycombinator.com/item?id=21000273">https://news.ycombinator.com/item?id=21000273</a>
1/29/2026, 7:29:47 PM
by: rappatic
This happened in 2019. The wheels of justice turn very slowly.
1/29/2026, 7:45:36 PM
by: Aurornis
I'm glad the charges were dismissed, but to be honest the original reporting shows the story was actually more nuanced than this article led me to believe. 2019 article: <a href="https://arstechnica.com/information-technology/2019/11/how-a-turf-war-and-a-botched-contract-landed-2-pentesters-in-iowa-jail/" rel="nofollow">https://arstechnica.com/information-technology/2019/11/how-a...</a><p>I'll probably get downvoted for even questioning the narrative, but here are some of the nuances that stood out to me:<p>- When the police contacted someone listed on the authorization letter, that person denied that they had been authorized to conduct physical intrusions. Another contact didn't answer their phone. What are the police supposed to do if the people supposedly authorizing the intrusion are actively denying the authorization?<p>- The contract had vague language that say they couldn't "force-open doors". The two men told police they had used a tool to open a locked door. The language should have been more specific about what was and was not allowed.<p>- The contract said "alarm subversion" was not allowed, but supposedly the police had evidence that they were trying to manipulate the alarm. They deny this.<p>- The men had been drinking alcohol before the break-in. By the time they were breathalyzed it was at 0.05, meaning the number was even higher when they started the break-in. Drinking alcohol before you do a professional job guaranteed to get the police responding is a terrible idea.<p>- After they tripped the alarm and the police showed up, they didn't immediately identify themselves and end the exercise. They hid from the police, claiming that they were "testing the authorities' response" which seems obviously out of scope for their agreement.<p>So I agree that the charges were excessive and the Sheriff was in the wrong on a lot of things, but after reading the details this wasn't really a clear cut case. The pentesters weren't really doing everything "by the book" if they thought that testing <i>the police response</i> by hiding was in scope of their contract and doing this job after a few alcoholic beverages is a bizarre choice.
1/29/2026, 8:38:32 PM
by: QuercusMax
So... the county sheriff showed up, decided he needed to be a big boss man, and made everything worse for everyone. Sounds pretty typical.
1/29/2026, 7:44:30 PM
by: OutOfHere
For someone who is in such a position in the future, always notify the local police in writing and by phone call, if not also in person, before starting such an exercise. Make sure they have the get-out-of-jail documentation in advance of the exercise. If the police doesn't approve, don't do it. It would be better to get a no-objection letter from the police in advance. Make sure an attorney is aware of the activities and all documentation. Do not take any chances. You don't live in a kind or forgiving world. Handling unknown unknowns is the point.
1/29/2026, 7:45:00 PM
by: samrus
I kinda hate that it settled. I fully understand the plaintiffs not wanting to proceed, but i really wish the sheriff was actually punished for what he did. This sort of power tripping should be a fireable offence
1/29/2026, 7:50:36 PM
by: zerr
Should have been at least 6 mln for each, and 15+ years of max security jail for those who abuse power, including those who "just followed orders".
1/29/2026, 8:00:41 PM