For someone who is in such a position in the future, always notify the local police in writing and by phone call, if not also in person, before starting such an exercise. Make sure they have the get-out-of-jail documentation in advance of the exercise. If the police doesn't approve, don't do it. It would be better to get a no-objection letter from the police in advance. Make sure an attorney is aware of the activities and all documentation. Do not take any chances. You don't live in a kind or forgiving world. Handling unknown unknowns is the point.
They had written authorization from the state court and verbal confirmation from state court officials. They didn't know there would be a pissing match between the judicial branch and the sheriff.
But afaik this wasn't a state courthouse; it's a county courthouse. Legally, obviously, the state has authority and they were in the right, but functionally this is really good advice: if you're doing a penetration test of a space, you functionally need to clear it with the people who are responsible for the security of that space, and whom you might encounter defending it.
Frankly, I would not have taken this gig unless you had verbal confirmation that the Sheriff knows about it and has signed off. If you're entering a red team situation where the State wants to assess the security of their county courthouses, but doesn't want the local authorities to know its happening because they don't trust them: That is not a situation you want to be in the middle of, they gotta sort that out.
This really depends on how a state structures this, but “county courthouse” is not necessarily a meaningful statement. The judiciary is a state function and it has been delegated to county for purposes of logistics. In larger states, each county gets to set its own court rules, fee schedules, etc. because it would be maddening otherwise. They still ultimately answer to the state judiciary.
Iowa is small enough that it looks like the Iowa Judicial Branch just runs everything directly. Every county seat in Iowa has a courthouse, but the county probably doesn’t really have any control of it.
My guess is that the sheriff had an ego and may not have wanted a finding against him.
Hindsight's how we all learn. Doing it over again, I'm sure those guys would have done things differently. Any team would be crazy today to not be more prudent in how they operate.
Sure, the part I thought was "easy to say in hindsight" was:
> I would not have taken this gig unless you had verbal confirmation that the Sheriff knows about it and has signed off.
We don't know that! We don't know what we would have done in that scenario, especially in the context of a thread about the very outcome one's supposed foresight would have prevented.
> Research suggests that people still exhibit the hindsight bias even when they are aware of it or possess the intention of eradicating it. [...] The only observable way to decrease hindsight bias in testing is to have the participant think about how alternative hypotheses could be correct.
So here's an alternative hypothesis:
"Hey, do you reckon we should clear this with the county first? The sheriff might come and arrest us on the basis that nobody told him we were going to break into the courthouse"
"Nah, don't worry about it, I've done this sort of thing hundreds of times. And besides, the state has superiority over the county anyway, so even if we get caught which let's face it we won't because we're leet hackers and very incognito... the sheriff won't have any power to do anything to us as soon as we tell him it's authorised by the state"
This is not an "obvious in hindsight" thing, and its also something that was discussed in the physical penetration testing community long before 2019 when this happened. Everyone makes mistakes, and they were legally in the right, but most in physical pentesting know: You're probably going to make someone look like a fool during your work, and your CYA needs to be rock solid to not just absolve the illegality of what you're doing, but the immediate consequences of that newly minted fool also having an ego and authority. A piece of paper will not save your life against a trigger-happy rookie cop in a dark hallway at 2am, even if it might ruin his after you're already dead.
And, by the way: The Sheriff was in the wrong and some of what happened to these pentesters should never have happened. But, this case is not nearly as clear-cut as some one-sided storytelling suggests it is. When the Sheriff called the contact numbers at the State of Iowa, one person didn't answer, and a second person said that they "did not believe the men had permission to conduct physical intrusion." One of the pentesters also blew lightly positive for alcohol. One of the men was from Florida, and the second from Seattle, working for a security firm out of Colorado. That's suspicion enough to end up in jail overnight.
The fact that it went on longer than that more-so gets at the real story. The State was exercising an authority they had, maybe for the first time, against a security force that not only didn't know they were exercising it, but didn't realize they even had the authority in the first place. These guys got caught in the middle. The distribution of blame is pretty significant: The State should have informed the local security, but didn't. The State should have had contacts on-call during the intrusion, but didn't. Coalfire should have confirmed all of this in the interest of protecting their employees, but didn't. The testers shouldn't have been drinking beforehand, but did. The Sheriff should have dropped the matter the next day, but didn't. Sure, some of this is 20-20 hindsight, but taken in its entirety there were a lot of balls dropped, and it paints a picture of a state government that has some box to check for compliance, doesn't care how it gets checked or what gets found, and a security firm that isn't conducting their penetration tests responsibly.
Exactly. If I were in that position I would have simply learned from what happens in the future. In the rare instance that there was a negative outcome, I would just inform my previous self so that I could retroactively ensure that that outcome had not occurred.
It is through this simple system that I can confidently say that the content of this article that I am reading today in 2026 had/will have an impact on what I would have done in 2019
That’s not legally obvious. State v county control over courthouses creates fights over everything from Aesbestos to parking to security. The legal answers lie in state constitutional provisions that nobody ever reads and aren’t particularly helpful.
> If the police doesn't approve, don't do it. It would be better to get a no-objection letter from the police in advance.
The article says they did have an authorization letter from the state court officials (the people running the building) and they were released right after the letter was verified with the court officials.
At least from what I can see, the police officers involved were doing the right thing. They detained the suspects, made a proper effort to listen to them and validate their story, and then released them.
It was the Sheriff who showed up and didn't like it who then hassled them further.
They basically had a no-objection letter from the people in charge of the building and the police officers were onboard. It was one person who tried to turn it into something else.
Wouldn’t that in a lot of ways invalidate the test?
You’re trying to see what can be done and what the response is from the current security practices and the police showing up seems like an important part of that.
It is not clear what as the defined purpose of the test, if it was to measure a successful entry+exit, or measure police response, or both. If measuring the police response was a purpose, the police should still have been notified, just not of the exact date when it would happen. Executing it on a random day should offset the prior awareness of the police. Secondly, it is up to the police leadership to keep it quiet.
That simply is not how the police work. If they get a call about a break in they’re going to respond and assess.
I bought property with a shooting range years ago from a retired SWAT officer with the county. He mentioned that “he always calls the sheriff’s office to let them know if he was doing anything.” Now I’d never owned a private range and am not from this county.
I called up the sheriff’s office and asked for clarification. I was advised that no such policy / program exists or is required and if the officer must have had is own internal policies and chain o command and that is irrelevant to me as a random citizen. In short, if a call is made about a shooter they will have to respond and so long as I’m not doing anything stupid, dangerous, or outright illegal I have nothing to worry about. The same goes for any other type of call.
If the state wants to verify the counties are doing an adequate job, then tipping them off could result in an invalid assessment. The sheriff's reaction raises suspicion that there are deficiencies he doesn't want found
It's not like Tesla actually has functional FSD technology. If a ten year staged rollout of "transportation as a service" is the way to get there, then Waymo has a substantial leg up. Either way it is a lose-lose for Tesla. They failed to continue innovating on the EV and battery fronts as well.
Huh. The whole point is to worry and take action to prevent them, no matter their source.
> the water you have been drinking
From the link you shared, the supplied water contains endocrine-disrupting chemicals. Drinking water indeed is one source of xenoestrogens (that disrupt the endocrine system). There exist other sources, like plastics in contact with food and soil, also thermal receipt paper. It doesn't make any sense to ignore a subset of the major sources.
Don't be fooled into thinking only BPA has this effect. All xenoestrogens, including numerous BPA substitutes, and various plastics in general as their sources, would have this effect.
It's not just metabolic effects. It contributes to PCOS in women (as noted in the article) which is a cause of infertility. In short, BPA and other xenoestrogens cause diminished fertility in the next generation.
its not even about the ingest, every major semver change now is a problem because now LLMs will need to contextually distinguish whether or not they are expected to output Pandas 2 or 3, unless ofc you explicitly prompt it.
I wouldn't worry about it because over a longer period, this automatically leans toward the more recent versions. There are multiple forces that exist to make this happen.
The main exception is for legacy code requiring maintenance when they are unwilling to upgrade Pandas.
Walking as a profession absolutely is dead. Unless you're a dog walker, you don't get paid just to walk something from A to B. Coding as a profession can similarly reach its end. Coding is not dead, but don't expect to get paid for it. Don't be the one in denial because your paycheck depends on preaching denial.
reply