County Pays $600K to Wrongfully Jailed Pen Testers
These articles are AI-generated summaries. Please check the original sources for full details.
Red Team Nightmare
Gary De Mercurio and Justin Wynn, two white hat hackers, were arrested in 2019 for performing a security evaluation at a Dallas County, Iowa, courthouse, despite having legal clearance from the state and initial clearance from the police. The incident highlights the risks faced by security professionals in red teaming exercises, with De Mercurio and Wynn eventually winning a $600,000 settlement payment six and a half years after the incident.
Why This Matters
The incident underscores a reality of penetration testing: simulations are most realistic when few people know what's going on ahead of time, but that same secrecy can lead to unexpected responses from those who are not informed. This conflict can result in significant consequences, including legal battles and financial losses. De Mercurio and Wynn spent years fighting for vindication and ultimately received a settlement that barely covers their career losses.
Key Insights
- De Mercurio and Wynn received a $600,000 settlement payment for wrongful arrest and prosecution, a significant financial consequence for the county.
- Red teaming exercises require careful planning and communication to minimize risks, a key concept in penetration testing.
- Recording client interactions and obtaining explicit authorization can help prevent similar incidents, a valuable lesson from De Mercurio and Wynn's experience.
Working Example
No code is applicable in this context, as the incident involves a physical security evaluation rather than a software-related issue.
Practical Applications
- Use Case: Companies like Coalfire and Kaiju Security conduct penetration testing to identify vulnerabilities in physical and digital systems, highlighting the importance of careful planning and communication.
- Pitfall: Failure to inform all relevant parties about a penetration test can lead to unexpected responses, legal issues, and financial losses, as seen in the De Mercurio and Wynn case.