
They had written authorization from the state court and verbal confirmation from state court officials. They didn't know there would be a pissing match between the judicial branch and the sheriff.

But afaik this wasn't a state courthouse; it's a county courthouse. Legally, obviously, the state has authority and they were in the right, but functionally this is really good advice: if you're doing a penetration test of a space, you functionally need to clear it with the people who are responsible for the security of that space, and whom you might encounter defending it.

Frankly, I would not have taken this gig unless you had verbal confirmation that the Sheriff knows about it and has signed off. If you're entering a red team situation where the State wants to assess the security of their county courthouses, but doesn't want the local authorities to know it's happening because they don't trust them: That is not a situation you want to be in the middle of, they gotta sort that out.


This really depends on how a state structures this, but “county courthouse” is not necessarily a meaningful statement. The judiciary is a state function and it has been delegated to county for purposes of logistics. In larger states, each county gets to set its own court rules, fee schedules, etc. because it would be maddening otherwise. They still ultimately answer to the state judiciary.

Iowa is small enough that it looks like the Iowa Judicial Branch just runs everything directly. Every county seat in Iowa has a courthouse, but the county probably doesn’t really have any control of it.

My guess is that the sheriff had an ego and may not have wanted a finding against him.


Easy to say in hindsight.

Hindsight's how we all learn. Doing it over again, I'm sure those guys would have done things differently. Any team would be crazy today to not be more prudent in how they operate.

Sure, the part I thought was "easy to say in hindsight" was:

> I would not have taken this gig unless you had verbal confirmation that the Sheriff knows about it and has signed off.

We don't know that! We don't know what we would have done in that scenario, especially in the context of a thread about the very outcome one's supposed foresight would have prevented.

From https://en.wikipedia.org/wiki/Hindsight_bias#Attempts_to_red... :

> Research suggests that people still exhibit the hindsight bias even when they are aware of it or possess the intention of eradicating it. [...] The only observable way to decrease hindsight bias in testing is to have the participant think about how alternative hypotheses could be correct.

So here's an alternative hypothesis:

"Hey, do you reckon we should clear this with the county first? The sheriff might come and arrest us on the basis that nobody told him we were going to break into the courthouse"

"Nah, don't worry about it, I've done this sort of thing hundreds of times. And besides, the state has superiority over the county anyway, so even if we get caught, which let's face it we won't because we're leet hackers and very incognito... the sheriff won't have any power to do anything to us as soon as we tell him it's authorised by the state"

"SGTM"


This is not an "obvious in hindsight" thing, and it's also something that was discussed in the physical penetration testing community long before 2019 when this happened. Everyone makes mistakes, and they were legally in the right, but most in physical pentesting know: You're probably going to make someone look like a fool during your work, and your CYA needs to be rock solid to not just absolve the illegality of what you're doing, but the immediate consequences of that newly minted fool also having an ego and authority. A piece of paper will not save your life against a trigger-happy rookie cop in a dark hallway at 2am, even if it might ruin his after you're already dead.

And, by the way: The Sheriff was in the wrong and some of what happened to these pentesters should never have happened. But, this case is not nearly as clear-cut as some one-sided storytelling suggests it is. When the Sheriff called the contact numbers at the State of Iowa, one person didn't answer, and a second person said that they "did not believe the men had permission to conduct physical intrusion." One of the pentesters also blew lightly positive for alcohol. One of the men was from Florida, and the second from Seattle, working for a security firm out of Colorado. That's suspicion enough to end up in jail overnight.

The fact that it went on longer than that more so gets at the real story. The State was exercising an authority they had, maybe for the first time, against a security force that not only didn't know they were exercising it, but didn't realize they even had the authority in the first place. These guys got caught in the middle. The distribution of blame is pretty significant: The State should have informed the local security, but didn't. The State should have had contacts on-call during the intrusion, but didn't. Coalfire should have confirmed all of this in the interest of protecting their employees, but didn't. The testers shouldn't have been drinking beforehand, but did. The Sheriff should have dropped the matter the next day, but didn't. Sure, some of this is 20-20 hindsight, but taken in its entirety there were a lot of balls dropped, and it paints a picture of a state government that has some box to check for compliance, doesn't care how it gets checked or what gets found, and a security firm that isn't conducting their penetration tests responsibly.


Exactly. If I were in that position I would have simply learned from what happens in the future. In the rare instance that there was a negative outcome, I would just inform my previous self so that I could retroactively ensure that that outcome had not occurred.

It is through this simple system that I can confidently say that the content of this article that I am reading today in 2026 had/will have an impact on what I would have done in 2019.


Considering today's world, they're lucky they didn't get shot dead with an entire clip.

If the goal is to test for vulnerabilities under real-world conditions, they probably should have bribed the sheriff to stay away.

> Legally, obviously, the state has authority

That’s not legally obvious. State v county control over courthouses creates fights over everything from asbestos to parking to security. The legal answers lie in state constitutional provisions that nobody ever reads and aren’t particularly helpful.


The best tech writers I've known have been more like anthropologists, bridging communication between product management, engineers, and users. With this perspective they often give feedback that makes the product better.


> bridging communication between product management, engineers, and users.

Thank you for putting this so eloquently into words. At my work (FAANG) tech writers are being let go and their responsibilities are being pushed on developers, who are now supposed to “use AI” to maintain customer facing documentation.

Is this the promised land? It sure doesn’t feel like it.


AI can help with synthesis once those insights exist, but it doesn't naturally occupy that liminal space between groups, or sense the cultural and organizational gaps.


The System Source museum in Hunt Valley, Maryland is also worth a mention. I attended a demonstration of a revived Bendix G-15 there.


> Several maps created to assist the agency with decisions — like where to open new offices and allocate certain resources — were made public through incorrect privacy settings between 2021 and 2025 ... the mapping website was unable to identify who viewed the maps ... implemented a secure map policy that prohibits uploading customer data to public mapping websites.

So a state employee/contractor (doesn't say) uploaded unaggregated customer records to a mapping website hosted on the public internet?


iCloud sync is a nice feature too. I use the Mac app mostly for adding feeds and the iOS app for reading. Anytime I read an interesting web post, I pop its URL into the app to see if it has an RSS feed.


2011. This in my memory is the year of the industry-wide vibe shift from open APIs to walled gardens/cesspools.


Speaking of industry wide shift, how many companies has FB fucked up by proxy?

I refer to the video metrics scandal. How many video autoplay and other things has everyone felt obliged to copy because Zuckerberg (who seems to care about nobody) made FB into a fraudulent company?


Remember when Facebook was an application development platform? And people built businesses on that, and then they just kind of stopped allowing that? Good times.


More annoying is that it's really difficult for me to unlock the phone with the side button without activating Siri. Seems like there's often a lag when waking the phone that causes a long press to be detected even with a short press.


Bluebeard is a good one too; it ruminates on the nature of art and how/why meaning is assigned to it.


Loved Bluebeard as well. A mature Vonnegut who knew how to use motifs from his earlier work. And for an old guy, he kept his writing fresh and energetic. The miniature story of the dog without a tail always comes back to me.


Thank you for your comment. I like Vonnegut (my favorite is Hocus Pocus) but hadn't read Bluebeard. I only started it and I'm already enjoying it significantly.


Try https://8bitworkshop.com/verilog to get started with dabbling.


GTA Vice City was released for iOS devices in 2012, and IIRC it ran pretty well. Not surprising that it runs well with WASM/WebGPU, given the massive increase in GPU performance. I'd imagine that the CPU-bound paths are well-optimized for 2002 Pentiums.


I just re-downloaded Vice City on my iPhone yesterday. It runs well, but the on-screen controls are, well, on-screen controls. That limits how much I actually want to play it.


Does a USB/bluetooth gamepad work on that version? Or are people really out there playing GTA on a tiny touch screen?


I just tried an 8bitdo controller I had lying around. It does work, but the controls seem all wrong and need to be remapped. I may do that.

I never carry a controller with me. I'd love to just be able to pick up and play in a waiting room or something without needing to plan for it or having an awkward setup. The MCON looked promising, but still probably bigger than what I'd want to carry around.

