Transcription performed by Leah Hervoly www.leahtranscribes.com
DAD: [PHONE RINGING] Hello?
JACK: Hey, Papa Bear.
DAD: Is this Little Boo-Boo Bear?
JACK: Hey, how’s it going? This is my dad and I called him up to have him tell us this story. Do you remember the time when we visited the Dean’s office at my university?
DAD: Oh, that was a nightmare.
JACK: Yeah. First of all, why were we trying to go to see the Dean? I think I got denied for like, taking too many courses at once. [BACKGROUND TALKING] I was trying to take twenty-five credit hours in one semester or something, so my dad was really upset with the school for not letting me do it.
DAD: This is crap; let’s go down there to the Dean. You said really? I said yeah, we’ll get these classes approved.
JACK: Yeah, so I jump in the car with you ‘cause I’m living at home still, so I jump in your car. You drive us down to the school.
JACK: We get to the university. My dad doesn’t know the school layout very well so I have to show him where to go.
DAD: We go into the offices where the Deans are.
JACK: He sees the name on the door that says this is the Dean’s office.
DAD: I kick open the door to make my presence and the man behind the desk – I don’t know if he stood up and then sat back down but he did look a little terrified. I just went into my little tyrant; how dare you stop education? Somebody wants to learn. How can you say no to this?
JACK: This whole time I’m saying dad, dad, dad, and I’m tugging on his shirt. He turns and tells me…
DAD: Quiet, this is how you do it. Then after, I don’t know, five minutes into it, was it you or the Dean?
JACK: I kept telling you – I was like hey, dad, dad, dad.
DAD: I know, and the Dean said I have nothing to do with the IT department. I do anthropology or something. You’re in the wrong office. I went oh, sorry about that.
JACK: Yep, that’s my dad, the guy who busts down a door, yells at a person for five minutes only to realize it’s the wrong door and the wrong guy. I was red from embarrassment but I don’t think my dad gets embarrassed for things like this. It’s weird. The things he gets embarrassed about are wearing glasses or a helmet.
DAD: It didn’t stop me. We went right into the next office unannounced.
JACK: This worked; he ended up sorting it out somehow and the Dean let me take the extra classes. But the point of this story is that breaking down the wrong door to yell at the wrong person is a big misunderstanding. Sometimes hackers also face big misunderstandings, too.
JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]
JACK: Alright, so let’s jump in and meet our guests for this episode.
JUSTIN: My name is Justin Wynn. I’m a senior security consultant with Coalfire Systems. I am an offensive penetration tester who specializes in physical security which often entails social engineering; physical exploits to gain access to facilities.
GARY: My name is Gary De Mercurio and pretty much mirror everything Justin said except I’m a managing senior and I run the Bellevue office in Washington.
JACK: I know they said it quickly but the important part here is that they’re both penetration testers.
GARY: I’ve been at Coalfire for six years and I’ve probably been in the military another three. I’ve got about nine years of experience of physical pen testing.
JUSTIN: I’ve been with Coalfire for [00:05:00] over four years, so physical penetration testing for over four years.
JACK: They’ve come here today to share some penetration testing stories with us. Now, even though these two live on opposite corners of the US, one Florida, one Washington state, they team up together on assignments all over the US. The assignment is typically like this; a company will call up Coalfire, the company that Justin and Gary work for, and ask for a security assessment. They might want someone to test their website to see if it’s secure or do a password assessment to see how strong the user’s passwords in the network are, or conduct some compliance checks. This is all to make the company more secure. But a few years back, a financial institute called up Coalfire to ask for a physical penetration test on their branches basically to test if the building is secure and then if somebody were to get in the building, what kind of things could they take or steal or get access to once inside?
GARY: We had a pen test that was in my home state of Washington and we were working with a financial institution.
JUSTIN: That one may have been up to seven locations; so, different branches of this financial institution where they wanted us to gain physical access. I mean, they wanted kind of everything; full scope, whether it’s during the day or at night. Show us what can you do, what systems and which people can you compromise to gain access to things that you shouldn’t normally be able to touch?
GARY: But the big part about that particular client was they always want a very, I don’t know, I guess blatant or gregarious or outgoing in-your-face kind of social engineering aspect to it every year. They always wanted some – I don’t know…
JUSTIN: Now, a big part of that was testing the employees. Come in here and do social engineering, give our employees the chance to respond to you and see if they’ll follow procedures or pick up on what you’re trying to do and if they’ll shut you down in these situations.
JACK: Now, it’s extremely important to know exactly what the rules of engagement are. What is in scope and what isn’t in scope? What does the client want and what do they not want? Because if there’s a no-holds-barred pen test, you can drive a tractor right in through the front door and scoop up all the computers and take off with them which is something that some criminals actually do. You want to make sure everything is agreed on by everyone.
JUSTIN: Yeah, so with our company, we have the contract, the scope of work, the rules of engagement. It’s kind of like the initial outlay for information that we provide to the client. They’ll fill it out and say generally, this is what we’re looking for. These are things that may be in scope. Locking, things like that, are acceptable but really a lot of the meat and the details comes on the scoping calls that we’ll have with the clients. We’ll hop on the phone with them after they’ve filled this out, we’ll review that contract charter. We’ll go through and we say okay, so you mentioned you do want lockpicking. Let’s explore that a little bit. What are you looking for? What kind of scenarios, what kind of pretext do you want? Do you want us to show up as pest control and see if we can just blatantly lie our way through and get in there or are we doing something really hardcore or is it even less sophisticated than that? Can somebody just walk in and walk behind the teller desk and jack into a USB or something like that?
JACK: This is a really important call because these guys are gonna break into these financial branches which is burglary. But because it’s all been outlined and agreed on, it’s 100% legal. But still, Coalfire has a lot of lawyers that look over all these contracts to make sure everyone and Coalfire is acting within the law. The scope of work was agreed on and the only people in this financial institute that knew these guys were going to break into the branches were the VP, the head of security, and the head of the physical security team, like the security guard’s big boss. So, Justin flew into Washington to begin the work and they looked over their goals.
GARY: We were trying to get unfettered access to a branch of a financial institution, is what we were trying to do.
JACK: Because if they can get into this branch and start looking around, they might be able to spot any security issues; things like client info exposed on someone’s desk or a computer unlocked when someone’s not there. Or they can look for passwords written on a notepad. If they find any of this, it’ll all go into the report. As they go up to this first branch, they use Google Maps and walk around the building. They notice an air conditioning unit. [MUSIC] So, they decided to exploit the AC to get into the first building. Gary called up the branch.
GARY: We had contacted on the premise that there was some part in the air conditioning that was out of warranty or out of service and that it didn’t cost them anything because it was a known issue with the air conditioning. We were gonna come out and do it for free.
JACK: Now that Gary prepped them, Justin went in.
GARY: Justin actually went in with the outfit, the clipboard, the service order and the whole bit, and he just tried to [00:10:00] get them to tell him to do whatever he needed to do; work on the air conditioning, test the filtration systems, etc, etc.
JACK: They let him in. Man. People ask me all the time if I can send them any hacker tools. A clipboard, man. All you need is a clipboard; that’s your hacker tool. Because imagine if you go into a conference room and see some guy in coveralls with a nametag and a hat and he has a ladder set up like, right behind the door and he’s got tools all over the table. Chances are you’re just gonna leave him alone in that conference room. Justin used this trick to get in and at the very least, now he can wander the halls to get a layout of the place. He can look to see what kind of alarm system they have or what kind of locks on the door they have, or maybe he just unlocks a window or a door so that he can use it later that night. Anything is possible once you get in there and you’re free to walk around, even if you’re acting like you’re just checking the filters. What Justin found out while he was getting into the first branch was that there was daily security codes.
JUSTIN: Every day they rotate this secret phrase that if you’re internal in the company but you can’t verify if somebody’s calling you up over the phone, you can relay this code to them and they know okay, you’re on the internal network, you’re one of the employees, you have access to this code.
JACK: This was good intel collected at the first branch so later on that night they go over to another branch but this time it was at night, after the branch was closed, in the dark.
JUSTIN: We were able to bypass entry into that branch location and gain access to the internal network.
JACK: Now that they had access to this branch and this network, they get access to a computer and start looking for the software that assigned that daily access code. They found it, so they waited in the branch until after midnight for the code to change over to the next day and bingo, now they had the security code for the next twenty-four hours. What might they be able to do with this code in the next branch they tried to get into? Well, the next day they hit up the third branch and this time, they have more knowledge than they had from the first branches because they know the layouts of these places better and they have that magic code. They head in posing as someone there to do work on the building but for some reason, they didn’t act the part well enough and their cover was blown.
JUSTIN: They call our bluff and they say hey, you’re not really with Trane. This wasn’t according to our processes. What’s going on? We’re like okay, we’re gonna come clean; we’re with the security team. Here’s the code of the day. We write it down; we slide it over to them. They say okay great and they take their time, they verify it. Yes, this is the code of the day that we’re using. We understand, believe that you’re part of the security team here, so we’re going off that text. At that point we had relinquished one level of our social engineering attack and at that point we were identified as internal security teams.
JACK: This is common with pen testers; if they get caught, they don’t just give up everything and say okay, you got me. They try to figure out a lie to stay in the building and keep doing their assessment or they might just lie to try to get away without being caught; actually caught, right? Like, you’re stopped but not caught. These guys weren’t with the internal security team but because they had that code, that was enough to believe they were.
JUSTIN: [MUSIC] From there, Gary was great. He occupied the employees and he’s talking about security and great processes; congratulations guys, while I was going around the rest of the branch and plugging in devices, taking pictures, and had unfettered access to some of the private areas inside that branch.
GARY: We would definitely do the magician where we want you to look one way and the hand that you’re not paying attention to is doing something totally different. I was like well here, let me tell you about what I did and how we were able to do this and how we were able to do that. The entire time I was talking to them, I corralled them all; oh hey, can we get some of the tellers in here so I can show you guys some of our techniques so somebody else doesn’t do this to you? They’re like oh, absolutely. They had bought it hook, line, and sinker and I just had them in a big group, basically. The whole time I was in the group, Justin was walking around taking pictures and videos and getting, you know, what model of alarm systems that they had and what the types of safes that they were that they were using. Every bit of information you could possibly need in order to hit the bank at night if you were an actual criminal, all the information that you would need to do something nefarious after hours. We’re obviously not gonna steal money from them.
JACK: They successfully got out of there without giving their real names or identities and with all the intel they needed.
JUSTIN: Then we were progressing onto the next branch. We’d been in constant contact with the client. They understood; they’re like okay, you know, they’re taking some pictures here and there. They’re like well, we want you to do an overt test and just kind of see if this other branch will catch it and catch onto you. We pulled the same pretext, went onsite with you know, your air-cooling unit [00:15:00] has a failing part that’s gonna pump carcinogens throughout the air vents unless we get in there soon. They’re like okay, on the phone. As soon as I hang up the phone, I talked to Gary. I’m like dude, she said yes but it was a no. It’s not gonna work out.
[MUSIC] We go onsite. We know we’re probably pretty much already burned. Gary was in the car. He was gonna act as a regular bank user and I’d gone in just a little bit before in my vest. They kind of shut me down so I go in, I’m like hey, I’m here to replace your air conditioning stuff, I’m the guy. She’s like no you’re not, so please leave the building. Okay, we’ll see you later. Gary had some pretty funny insight into what happened as soon as I let the doors close and I left that branch.
GARY: I got to hear everything that they said before I actually approached. They’re like, what’s that guy’s license plate? He’s a criminal, etc, etc. The gig was up, 100%. They sniffed him out from the get-go. I was like well, alright, let’s give it a shot here. I walked up to her and I said hey, we’re from the internal security team, we’re just doing an internal audit. She had none of it, none. She’s like, I don’t care who you say you’re with, I don’t believe anything you’re about to say.
JUSTIN: I had come back in. We knew we were burned. Gary was in there and he’s like, he texted me, he’s like yo, come back inside. So, I come back inside and the lady’s on the phone with the police and it was pretty obvious ‘cause I’m like hey, just want to talk to you again. She’s like mm-hm, mm-hm, and talking to the police and the police on the other end of the line are like, are they in there right now? She’s like uh, mm-hm, and going through those motions, right. I’m waiting for her to hang up on the call and within five minutes police had responded to the scene. Police, at that point, walk into the branch building, confront us and at that point we come completely clean and we give out our get-out-of-jail-free card.
GARY: Mostly, mostly clean. I tried what we had, one last trick up our sleeve, which is we still had the code of the day. I walked up and I said hey, you know, I do have the code of the day. I actually am employed by the bank. Would you like to check my code of the day? She looked at me and she goes, I don’t care if you have the code of the day. I don’t want you in my branch. You guys need to leave, etc, etc, etc, and she just went on this rant about she didn’t give two flying leaps about what identification we have. We could have had legitimate ID. We could have worked for the actual bank. She did not care. She did not want us in there. She wanted nothing to do with us.
Then while we’re having a conversation with her, the police show up. She was a, well, we’re again, we’re guessing here ‘cause we don’t know her actual thought process but she was the assistant branch manager and the branch manager was gone so she took her job very seriously, being in charge of the bank, and she just didn’t trust anybody. She was just one of those people that you actually want working for you that was highly paranoid.
JUSTIN: Right, she did a great job handling that security incident. At that point, after she had gone through the couple layers, we presented the get-out-of-jail-free card. She ended up calling one of the point of contacts and she did great. She looked up his information in the internal systems, gave him a ring.
GARY: She said do you know these people, or she said are you performing a test at our facility, is what she said. He said no, I’m not. She said that’s what I thought. She hung up the phone and then as we – we’d already handed over our identification and stuff to the police officers and showed him the get-out-of-jail-free card, and she said I just talked to my boss, or the head of security. He says he has no idea who you guys are. I said you better call him back and let me talk to him because that is absolutely not true. We started sweating a little bit.
[MUSIC] Immediately, the phone rang. She answered her phone and what had happened is he had a brain fart or he forgot or something, and he just said – he was doing something else. I think he was preoccupied. He just said no, completely forgetting we were onsite and that’s why he called back immediately. He was like oh, wait, wait, wait, no, no, no, yes. We have contractors onsite, they’re on a test. Yes, they work for me, their names are Justin and Gary. They’re absolutely supposed to be there, and then her demeanor completely changed after she got the okay from them. But the part that I think that’s important here is the entire time, the officers on scene, they never overreacted, never freaked out.
They never actually really questioned us. They were just like okay; something isn’t quite right and I think there’s a miscommunication. But they never overreacted and were like, these guys are trying to rob a bank, these guys shouldn’t be here. There was never any worry or doubt that we were actually doing something wrong. The entire time and the way they portrayed themselves was there’s obviously some confusion here. Let’s see what the confusion is.
JACK: After the head of security vouched for them and told the police that it’s their job to test their security by breaking in, everything calmed down. The branch manager was happy and because of that the police were [00:20:00] happy and everyone was free to leave.
GARY: More often than not, a police officer can look at you and tell if you’re up to no good. It’s what they do every single day and they can, in my opinion, I think they’re really good at telling somebody who’s trying to get away with something and somebody who’s being dishonest with them. Every scenario we’ve ever been in where we’ve talked to police officers, they’ve been extraordinarily professional and actually really helpful. After they find out what we’re doing and the job that we do, they usually have a lot of questions for us, like oh hey, this is really kind of cool. Tell me a little bit about it.
Then we’ll usually ask them questions such as hey, did we handle everything okay? Is there anything we could have done a little bit better? If we run on this scenario again, where could we improve our interaction? More often than not, the cops are like actually no, you guys did really well, you were very professional. I guess the most important feedback I’ve gotten from a police officer is no, you did exactly what you should be doing. Don’t ever let us come in and get you. The fact that you came to us and you presented yourselves to us before we had to come get you is exactly what you should do in every scenario.
JACK: That was it for their penetration test engagement. The client was happy with all the findings they dug up and was impressed with how clever they got into different branches. The client did what they could to fix all these problems and even invited them back a year later to do it again. [MUSIC] But that was not the last time they had a run-in with the police. When we come back from the break, we’re gonna hear about what happened to them at the Iowa Courthouse. The Iowa Judicial Branch is a state department of Iowa. It’s a government facility and specifically they handle the court cases and such within the state of Iowa. It was the Iowa Judicial Branch that called up Coalfire and asked the company to come and do a penetration test on the courthouses themselves.
JUSTIN: It was full-scope for a team penetration test. It included things like external pen testing, web application testing, internal testing which was to be done after we had gone onsite to see if we could gain access into their internal network and do a real-life scenario; can you gain access to our facilities? Can you plug in a what we call a drone or remote device to be able to access that network later once we’re off-site, and then conduct the internal network penetration test from there? Throughout the whole time, we’re contacting with the guys at iowacourts.gov.
JACK: Justin and Gary get assigned to conduct the physical penetration test on the courthouses together. They’ve been working together for four years on doing physical penetration tests just like this. They’re used to each other and do good work together. Actually, I have a copy of the rules of engagement here in front of me, so let’s see. Okay yeah, so this is for the Iowa Judicial Branch and they’re specifically asking for a physical penetration test at five locations. There’s a judicial branch, the Polk County Courthouse, the Dallas County Courthouse, a juvenile justice center, and the Criminal Court Area. Five locations and the window to test the security on these buildings is between Sunday, September 8th and Friday, September 13th.
They had a week to do this assessment and this was last year in 2019. The rules of engagement list out a ton of things. Do they have permission to tailgate behind someone to get in? Yes. Do they have permission to dig in the dumpsters? Yes. Does Coalfire have permission to use lockpicks to get in? Yes. Does Coalfire have permission to plug USB drives into computers that they get access to? Yes. Does Coalfire have permission to disable alarms? No. The goal here looks like they’re trying to get into the building, plant rogue devices, look around to see if there’s any security problems like unlocked computers, passwords written down, that kind of thing. So, okay; the rules of engagement seem [00:25:00] pretty clear.
JUSTIN: That gets filled out before we’re on the call and then as we’re going through that with the client, the project manager’s taking notes in there. You may see things like okay, at the JB building, we discussed with the client floors three and four are specifically off-limits during daytime hours because there was gonna be the Supreme Court convening and they obviously didn’t want us interrupting that. Part of that we’re discussing with the client on the phone; yeah, during the daytime do not touch, do not go on floors three and four. Then we enumerate with them; we’re like okay, well, what if we’re in there after-hours?
What do you want to see from there? Is that open-access? They’re like ah, yeah, that’d be more acceptable but you know what? Let’s play it safe and just show us to see if you can breach the doors that enter on that floor. The contract will say something like okay, JB building floors three and four are off-limits and you see how big those fields are in that table, so it’s really the bare information that the project manager wants to put in there. Then we have a good understanding of what the client – of what they’re actually looking for.
JACK: Actually, this rules of engagement document I’m looking at is twenty-eight pages long. This field he’s talking about is super small. All these things you cover on the call in great detail only get jotted down with a couple words. It’s not fully documented in the scope of work or rules of engagement.
GARY: These conversations are so granular; if we were to take and actually take the conversation that we had on the phone and write it out and put it in a contract, the contract would be a hundred pages long.
JUSTIN: A week of work, yeah.
GARY: The amount of discussion that we have on what it is exactly they want us to do, it would be unfeasible as far as a rules of engagement would be concerned. Again, that’s why we have the phone call, that’s exactly why we have, so we can say this is what we understand. What exactly do you guys want? Then we’re all on the same page when we show up.
JUSTIN: They’re like, we’re gonna be there at night and the client was like yes, we want you to focus on after-hours testing. A lot of that stuff unfortunately, which we never would have predicted or seen coming at us, we didn’t capture in that document which would have been great if we did, but.
JACK: The Iowa Judicial Branch has actually worked with Coalfire before to do other penetration tests so everyone seems to agree on what should be conducted and what’s expected here, and an agreement was made. They create what’s called a get-out-of-jail-free card. This is a slip of paper that lists all the people who hired Coalfire to do this penetration test. This is their information security officer, their chief information officer, and the infrastructure manager. These are three people who worked in Iowa’s Judicial Branch who contracted Coalfire to do these tests. This get-out-of-jail-free card has their names and phone numbers listed with their signatures. If these guys get caught, they can ultimately show this to get out of any real trouble.
JUSTIN: We touched down Sunday night. We entered in a facility. I don’t want to provide too many details that haven’t been already disclosed.
JACK: Alright, fine. Unfortunately, we’re not going to be able to go into every detail of what happened because I don’t want to expose any actual vulnerabilities over there at the Iowa County Courthouses. But let me give you an idea of what they’re capable of. [MUSIC] First of all, these guys mentioned that they sometimes use an under-the-door tool. Let me tell you what this tool does; it almost looks like a bent fishing rod. It’s long, four feet, metal rod, and it has a string on the end. This is for doors that have a handle that when you push down, it opens the door.
You try to slide this tool under the door and then you pull it up using that string to get it close to the handle. You try to hook it onto the handle from on the other side of the door. When you do get it hooked on there, you pull down with both the string and the rod, and it pulls the handle down and it opens the door. It’s actually pretty simple. On top of this, Gary is also really good at lockpicking so he’ll certainly have these in his pockets and ready to use them whenever he needs to. But with lockpicking, it might take you a while, maybe ten minutes, maybe thirty minutes to get a lock open. It just takes more skill and time.
GARY: If you’re talking about my favorite, because I find this a lot in commercial buildings, is going to be crash bar doors, right? Either the ones that come down like the old high school gym-type doors or the ones that you just push and go into the door itself.
JUSTIN: A Von Duprin.
GARY: Thank you. They’ll have the latch on the inside of the door so you can’t really use an under-the-door tool. They make some tools if you have double doors that come together without the – what’s it called in the middle there?
JUSTIN: The mullion.
GARY: Mullion, is that what it is?
JUSTIN: Yeah, there’s another term for it too, but there’s a bar that runs in-between the doors where you’re not supposed to be able to insert tools.
GARY: You’ll see a lot of those doors that don’t have that bar that separates the doors. Those are really easy to get into. You stick a tool inside, you turn it to the left or the right, and then you pull and it opens the door. What we’ve come up with that we like to [00:30:00] use that’s absolutely my favorite tool that is literally in my backpack right now, is a cutting board. It’s a really, really thin, plastic cutting board that I bought from Amazon. I cut a notch in this cutting board.
For crash bar doors especially, the single ones where you can’t see anything, you stick it through the door, on the edge of the door, and then once you feed it through the door, you pull it down until that cutting board rests on top of the latch. Then you’ll apply pressure down on that latch and you start pulling the cutting board towards you outward from the door until that notch that you cut falls on top of the latch. Now what you’ve got is you’ve got the back half of that cutting board on the other side of the latch, on the inside of the door and you pull. If that latch doesn’t have the deadlatch latching it properly, you will open the door every time.
JUSTIN: Typically, when we’re talking about door bypasses, we’re inserting a tool through whatever method that we can, whether it’s in the interleaving double door system so you can go in-between the doors, or if there’s a gap underneath the door, insert a tool there and start manipulating some mechanisms on the other side of the door. Whether that’s the Von Duprin crash bar or the latching mechanism itself or some peripherals like a request-to-exit sensor.
GARY: I can what, 80%, if you had to put a number on it, 80% of doors can be bypassed by bypassing the latch.
GARY: Just by manipulating the latch itself you can get into 80% of facilities.
JACK: Just coincidentally, can you tell us where you guys are – or what you guys are doing this week?
JUSTIN: This week we’re doing three two-day courses comprised of physical access control systems, alarm bypass techniques, and then safe manipulation. Really an action-packed week for us. That’s all the juicy James Bond-style stuff.
JACK: You can imagine what kind of bag of tools these guys have to break into buildings to carry out assessments like this, right? I mean, they’ve got so many things, I’m surprised the TSA even allowed them on the plane. Even though they can’t get into specifics about what tricks they used to bypass the doors of these buildings, you can take a pretty good guess that they’ve got many options they can use to get into each door that they run into.
JUSTIN: It’s pretty much we walked up, assessed the perimeter and matched it up with what we were seeing on Google Maps, things like that, and gain entry to that first facility on Sunday night to Monday morning.
GARY: When we get into a place, it also depends on who is attacking, right? If Justin is attacking, for instance, and he gets into the door and he’s able to get in really, really quick, there’s a certain like, you know, he’s your teammate so you’re proud. You’re like wow, that was really fast. Like, that was really, really fast. Justin and I have been working together since he’s been here so you get to see this progression of somebody when he’s on his first Red Team or second Red Team I think it was, with the guy and then when he’s on his fifteenth Red Team and you’re like dude, you’re getting really, really, really good at this. But you get to see that progression. It’s a lot more personal, if you will, when you’re on a Red Team with somebody that you’ve been working with for years and years and years.
JUSTIN: I was gonna say I’m tearing up over here ‘cause Gary, honestly, I do need to take a moment to thank him. He taught me so much of what I know. Yeah, of course Deviant and some huge stars in the industry that you can learn so much by watching YouTube and learn how to assess the security of your facilities, but Gary was the first guy who handed me the under-the-door tool and taught me how to use this when I didn’t even know which end of the stick to be holding onto which is a very common thing when people are given an under-the-door tool.
JACK: So, they get in, they look around for ways to plug in a drone and to take any photos of security problems that they want to put in their report. They even found the desk of the person who hired them for this engagement, so they leave a little present on his desk to prove that they got in overnight and got access to his desk.
JUSTIN: But we gained access and we left a calling card. I just left a business card on one of the point-of-contact’s desks, to the point where the next day he had e-mailed me and said I guess I owe you a congratulations. We’re going back and forth over e-mail. I’m like yeah, we found some really severe vulnerabilities that, you know, minor fixes that you guys can use to dramatically improve the security of this facility. So, going back and forth through things like that; already in contact with the client going through things like that. Then yeah, Tuesday rolls around.
JACK: [MUSIC] So, it’s Tuesday night after the courthouse has closed for the day. They get up to the building and see it has two sets of locked doors to get into.
GARY: We make it through the first door really easy and then the second door, we could have used the same attack but we were trying other things. We weren’t having a lot of luck with the other things but we didn’t really want to try the first attack ‘cause we wanted to see if we could use different techniques to get in. We found other areas that we could attack so we went around a different area and we were working on – Justin was working on one door and I was working on another. I don’t know, did you ever get that door open?
JUSTIN: I picked the lock each way and no, just something else was going on. There was a [00:35:00] secondary latching mechanism that…
GARY: That we couldn’t see or something. I ended up picking two doors in a row to a court room and then we ended up making it in. We ended up getting in, we saw the security cameras.
JACK: Now, when they say they found the security cameras, what they mean is they found the room that you can sit in to watch all the security cameras and what’s going on in the whole building.
GARY: Guard desk; it wasn’t really a room. It’s just, they had all the security cameras at the guard desk which was right – which was actually the sheriff’s desk during the day that sits there. They’ve got a sheriff or a deputy sheriff that monitors, or that’s there on duty for the courthouse that sits in this, it’s almost like a…
JUSTIN: Front desk, almost.
GARY: Yeah, front desk type thing where a receptionist would sit in a company. The deputy sheriff sits there that has access to all these different cameras which show the courtrooms, their office areas. At night when you’ve got your security guard there who isn’t a deputy sheriff, they will also use those same cameras that the deputy sheriff normally sits at to check the different offices to make sure that nobody’s in there, the lights aren’t on, and stuff.
JACK: One of the first things they do is look at all the cameras to see if anyone was there. They did in fact see someone in the building; somebody was making the rounds, checking on the place. It looked like a security guard. They made sure to keep a close eye on him while sneaking around this building and at the same time, they took careful notes on what blind spots there were with the security cameras so when the guard got back, they could stay in those blind spots. As the guard went to a far end of the building, they started exploring around, looking for security problems and being careful to stay very quiet. As the two of them wandered around this courthouse, they opened a door which tripped an alarm. [ALARM RINGING] Suddenly, the doors were buzzing and the alarms were sounding.
GARY: [MUSIC] What had happened is they basically have a holding room next to the court room and both doors lock in that room so whether or not that is for criminals that are in there to see if they can get released for jail or if it’s for somebody that’s accused of a crime, whatever, not sure what it’s for. But both doors are locked. So, because I didn’t want to have to pick the door on the way out in case it locked behind me, I propped it open. Because of the again, an assumption, because the people that work there, they make sure that if that door’s left open, that an alarm sounds. When I made it through both doors and I went to the next room which had the guard post in it, that’s when I heard the alarm and then we ended up figuring out oh, it’s because we propped the doors open. Let’s close that; duh.
JACK: They were able to complete their security assessment and get out of there. The guard never found them and maybe didn’t even hear that alarm at all. But another successful mission for these two.
GARY: That was fun.
JUSTIN: Oh, it was a great time.
GARY: We were poopin’ and snoopin’ and we were dodging the security guards and he was looking at the cameras and we were hiding under stuff. That was good stuff.
JACK: They got through the courthouse pretty quick and the night was still young so they decided to hit up a second courthouse that night. This one was actually the Dallas County Courthouse in Adel, Iowa. Let me describe the scene to you. [MUSIC] The town of Adel is small. It has like, five thousand people living there at most. It’s cute, though. It has a historic main street USA type of feel to it and their downtown area, the roads are covered in a red cobblestone brick which gives it a more rustic feel. All the buildings downtown look like they could all be historic buildings.
The most prominent building in all of Adel is the Dallas County Courthouse, their target. It was built in 1902 which absolutely makes it historic. Three stories with those pointy spires on the top of each corner, and there’s a large clock tower on top with a beautiful rotunda towering way up high over the whole town. This is their target; to get into that historic courthouse in this sleepy little town in the middle of nowhere. The two head on over to the courthouse.
GARY: Well, we stopped and got the Bomb Burrito at the gas station. That’s important.
JUSTIN: Yeah, that does come up later.
GARY: We did have a snack. [LAUGHING] We did have a snack. We took like, a thirty-minute break and just hung out at the gas station talking to the clerk that was there. He was a nice guy.
JUSTIN: He was a nice guy. He gave us free donuts.
GARY: Yeah, he did give us free donuts. Instead of throwing them out, he just gave us some free donuts. Yeah, so we had our break which was literally, I mean, the gas station was across the street from…
JUSTIN: Just about, yeah.
GARY: Yeah, like, almost across the street from the courthouse. We sat there for thirty minutes, we kind of scoped the place out just to make sure that they didn’t have some sort of patrol or something, city cops or deputy sheriffs that were patrolling the courthouse. We parked at the courthouse and again, we’ve got a get-out-of-jail-free card and every other time – we don’t have to be ultra-sneaky typically in situations like this where they just want to see if Joe Public can get in the building. We don’t have to be super sneaky. [00:40:00] So, this is one of those instances that if you look at the contract that we have, it specifically stated we were not allowed to bypass the alarm on this building. They did not want us to bypass the alarm. In the conversation we had on the phone; hey guys, don’t circumvent the alarm, don’t bypass it. Just…
JUSTIN: Right. Don’t degrade our security. Like, don’t disable a sensor so that anybody could go up, bypass the store, and gain entry without an alarm going off. That’s a pretty common theme with a lot of our clients. We’re not trying to degrade the security of their facility so we can gain access because it also allows potential for other threat actors to gain access covertly or without setting off alarms.
GARY: Right, so in this instance we walked up to the north door, I think it was.
JUSTIN: [MUSIC] We go up to this courthouse. We jiggled the door; there’s a little technique that you just see if the latch is engaged, and pop the door real quick. Much to my surprise, the door was open.
JACK: At this point it’s like, midnight. Why in the heck is the front door open on this historic courthouse with all the lights off inside? Freaky for sure, but Justin thought someone must have tried to close it at night and it just didn’t shut all the way. Now, this courthouse has an alarm system because it’s a historic courthouse building so yeah, it should, right?
GARY: When he opened the door, the alarm did not go off. Our assumption was there was a fault setting in this alarm system for the front door. They armed it anyway. Again, this is our professional guess of what happened. They armed it anyway even with that fault or they armed it, it counts down, they go out, and they didn’t close the door all the way and then it armed anyway without that front door being fully closed. When Justin grabbed that front door, he opened it, what, two or three inches and the alarm didn’t go off. Then I tried a badge we had cloned from another building just to see if they had multi-building access. That didn’t work; it’s kind of like well, should we give them the benefit of the doubt or should we just use this? So, we elected to basically close the front door and say okay, well, let’s start over.
JACK: They both stepped back outside. This time, they closed the door all the way. It latches shut. This must have been a fluke for the door to be accidentally left open or something so they wanted to break in properly. Now the door is locked and sealed properly. Okay, so they begin again. These two being masters at getting in through these doors, they have no trouble getting the door back open. [BEEPING] Now, as they get this door open, they immediately hear the alarm is beeping.
GARY: Just like in your home security system when you walk through the door and it starts beeping to let you know that you’ve got X amount of seconds to put in your code before the actual alarm goes off. It was beeping really loud.
JUSTIN: Yeah, and we already had an idea before that. We kind of expected that alarm to go off so just, again, a little bit of precursor to that. The other locations, nobody had showed up. Nobody responded so we’d been gaining access to government facilities without any alarms going off, without central dispatch showing up, without police presence showing up. This location, we’re coming up here and we’ve been there throughout the day and we had seen the alarm panel. It said OK, disabled. That night it said OK, armed. We expected it to go off. We’re coming up to this facility hoping for once, this final facility, the alarm would go off at this location. It was almost like bittersweet but good. Okay, great, the alarm’s going. It’s beeping at least, once we go in there.
GARY: At least it’s armed.
JUSTIN: Right? So, eventually the alarm counts down and then it starts sounding. [LOUD ALARM RINGING] Very audible at this point. The entire downtown of Adel is going off and you can hear the sounders going off.
JACK: The sleepy town of Adel is now being woken by these alarms coming from their precious, historic, iconic courthouse building in the middle of town.
JUSTIN: [MUSIC] At that point, alarms are blaring throughout downtown. We decide to go up to the third floor. We’re very well aware at that point; it’s very audible that the alarms have been activated. They’ve been tripped. At this point we go up to the third floor and get a vantage point and hoping that police presence responds to the incident, to the alarm going off ‘cause it’s not uncommon; I’ve been in banks in the past literally a hundred feet from a police station where they either were not paying for the service or it wasn’t connected or configured properly, where it didn’t dial out and call police to respond to the incident. Yeah, so it’s not terribly uncommon for that to happen. We go up to the third floor, get a vantage point, and at this point for our reporting purposes hoping that police respond to the alarms going off. It was extremely quick response time.
[00:45:00] Within five minutes, I think it was a sheriff’s deputy had showed up to the scene and we see him and he’s going around the building. Gary and I are conferring with each other. Okay man, what’s the next plan? What are we doing here? There are police; it’s a very – not a high-stress situation but you have to handle it professionally and properly otherwise there always is risk in those types of situations. We’re discussing our game plan, what we want to do. Within a short while, another couple minutes, we go out on the main floor and Gary’s calling out commands; is there an officer in the building? Being very verbal, trying to get in communication with police. At that point it didn’t sound like anybody else was in the building. We didn’t hear any doors opening or closing so we start proceeding downstairs.
JACK: As they go downstairs, they don’t see anyone in the building. They don’t hear anyone in the building, but they can tell there’s a police officer right outside the door they came in on. They spot each other and Justin and Gary come to the door.
JUSTIN: The officer, he’s on the other side of the door. He was actually, we found out afterwards, was not able to gain access inside the building. We’re communicating with him. He’s like so, what’s up, fellas? We’re like, hey man, we’re here testing the security. Do you want to talk? Can I open this door? Just keeping my hands static, not moving anything. He’s like yep, go ahead, open the door. I’m like okay, I’m gonna open up the door now, so pushed the crash bar, we walk outside, and we greet him. At that point, just start conversing with him; officer, we’re here, we were hired by Iowa State Courts.
We’re assessing the security of various government facilities including this courthouse. We have documentation, this is all above-ground. Would you like to see our paperwork? He responds yes, say okay, it’s in my back pocket, do you mind if I make a move and pull that out of my pocket? Sure, go ahead. Then at that point, present our paperwork. From there, he asked for our IDs. At that point I think somebody else had shown up right at that point so they were escorting us, they had hunkered down with us while somebody else had taken the IDs and the paperwork away and started verifying our information.
GARY: At some point I think the sergeant even told us to relax ‘cause we were trying to be ultra-careful and professional and every time we wanted to move our hands, we were like hey, is it alright? We okay to get our wallets? At some point he’s like hey man, you guys can relax. We just want to verify that you’re doing what you should be doing. You don’t have to be that paranoid. We are pretty sure that you’re not doing anything nefarious here. They were ultra-professional. They handled themselves perfectly.
JUSTIN: Yeah, those guys were great.
GARY: They were nice, they were professional, they were doing the whole Ronald Reagan trust-but-verify type thing. Yeah, we’re pretty sure you guys are on the up-and-up because you came out to us and you did what you were supposed to do but we’re just gonna make sure. We’re gonna verify that you are really supposed to be here. If nothing else, we can’t thank the deputies enough because they were ultra-professional and just really, really stand-up people.
JACK: They immediately gave the police their get-out-of-jail-free card. You don’t want to mess around and lie to the police. You want to come clean because this is not someone you want to try to trick. This is not part of the scope. You want to tell them look, we’re here on official business. The paper has the names and phone numbers of the state employees that hired Coalfire to do this penetration test. The police call the first number. No answer. They called the second number. The line was disconnected. They called the third number. Someone picks up. The police ask if they knew that these guys were trying to break into the courthouse. They said…
JUSTIN: Yeah, we’re doing security testing. Those guys are supposed to be there. They’re testing the security of the courthouse. This is my story of what happened ‘cause I’m not on that call there with them. They’d walk away a little bit from us.
GARY: This is what the sergeant, the deputy sheriff who was a sergeant, told us. He spoke to our contact. He’s like well, this is what your contact said.
JUSTIN: They run our credentials, everything on spec. They have our names and our driver’s license. They do get ahold of our point of contacts. They’d say yes, these guys are here testing security. At that point the sergeant, the guy in charge or head in charge…
GARY: The ranking officer on the scene.
JUSTIN: Ranking officer, thank you. That’s what I was trying to get to. Had come back to us, handed us back our IDs and he’s like yeah, as far as I’m concerned, you guys should be good to go. Everything’s all clear here. At that point things get really jovial. We’re laughing, joking around with the officers. They’re asking us man, this job’s crazy. Like, you guys break into buildings. How does this go? How’d you get jobs like this? How can we test security? How do we get a job like that?
JACK: [MUSIC] Just as Gary and Justin were about to leave another squad car pulls up. This one has Sheriff written on the side. The guy gets out and walks up.
GARY: The sheriff shows up; he’s visibly upset. From our perspective the mood completely changed. Prior to him showing up, everybody was happy and smiling and we were – there had to be eight deputies that responded. All of us standing on the courthouse steps and then there was one [00:50:00] City of Adel officer there as well, so there was at least nine people there including us.
JUSTIN: There’s not a lot going on in Adel, Iowa at 2:00 in the morning.
GARY: When the sheriff shows up, all the smoking and joking stops. This giant fun-sponge walks in the room and everybody just stops talking. Everything just goes silent. He walks up, he has some choice words to say to us that we didn’t necessarily agree with, kinda talking down to us in a certain respect.
JUSTIN: To put it mildly.
GARY: To put it mildly, and basically tells us that we don’t have authorization to do what we’re doing and asks us if we knew that. We told him our perspective which was hey, we’re under contract, we’re working for these people. His response to that was well, they don’t own this courthouse and I don’t care if you’re under contract; they don’t own this courthouse.
JACK: Whoa, what? The state doesn’t own the courthouse? Uh, did they get authorization from someone who didn’t have authorization to break in the building? Uh, I would start to get worried at this point but Gary wasn’t worried at all.
GARY: Nah, you know? No, because this has never happened before in history as far as we know or any of the other people that we know in the industry, it’s never happened. People get taken away or they get held until situations resolve themselves. Not frequently, but it happens. If that happened in this case, we were fine with it ‘cause we know that the truth’s gonna come out, they’re gonna realize we’re actually working for a company and that we were really contracted by the state so worst case scenario, we got to spend an hour or two in a holding cell. Not that big a deal. [MUSIC] The sheriff tells everybody that was there and says well, we’re gonna arrest these guys for trespassing. Hold them; I’m gonna go make a phone call. So, in our minds he’s gonna go talk to our contacts. At least in my mind that’s what he was doing. In that time that he was gone, ‘cause he was gone for like, a good ten minutes it felt like.
JUSTIN: Yeah, it seemed like he was, for sure.
GARY: In that time he was gone, the mood went right back to what it was before he was there which was everybody was asking us questions, asking us how we did stuff. What’s the craziest thing we’ve ever seen or heard about in our line of work? It went right back to that. One of the officers was super interested on how we got in, so we showed him our tools, we showed him how we got in, we showed him the technique that we used. We troubleshot how we think that front door got left open. They gave us their ideas. We talked about card entry on why they originally couldn’t get into the building. Everything just went back to normal.
About ten minutes later, again, what we’re thinking, he came back in and he was just like, you need to arrest these guys for burglary. All the sheriff’s deputies kind of looked at each other. The sheriff turned around and said do I need to do it myself? Or something to that effect. I don’t remember his exact words but he said something like do I need to do it myself? I told you guys to arrest them for burglary. I don’t know what Justin’s – who the sheriff or the deputy sheriff was that arrested Justin, but the guy that grabbed me, he puts his hand on my shoulder and says hey man, I’m really sorry about this. You’re gonna…
JUSTIN: I think something very similar happened with me, as well.
GARY: Yeah, he goes, you turn around. I’m gonna have to put these cuffs on you.
JUSTIN: Right, and I totally understand. Like, okay, man. I get it. I see where you’re coming from.
GARY: Yeah, and both our responses are like hey man, it’s okay. You’re just doing your jobs. It’s not a big deal. This won’t be the last time this happens, I’m sure.
JACK: So, both of them get handcuffed. They had their rights read to them and the police started escorting them away. But still, even though they now have handcuffs on and the police are escorting them, they still weren’t nervous about the situation.
JUSTIN: ‘Cause think about it from our perspective; we had done nothing wrong. We have all the paperwork in the world. I’m from Florida, Gary’s from Seattle. It’s not like we flew out to Adel, Iowa to start breaking into courthouses on our [inaudible] paths. We knew we had every shred of evidence in our favor. We knew that this was totally above-ground. It’s not totally uncommon for law enforcement to respond to an incident. It does happen. It is extremely rare, I’d say, for somebody to get detained or furthermore arrested. That’s as far as it had ever got and as far as we’re aware, nobody’s ever been actually formally arrested and pressed with charges.
GARY: Charged, nobody’s ever been actually charged, yeah.
JUSTIN: Right, so we’re thinking okay, we’re gonna go down to the station. We’ll work this out, not a big deal.
JACK: Now, because this is Adel, a small town, the jailhouse was literally across the street from the courthouse. They both get walked to the jailhouse with handcuffs on. Stay tuned ‘cause when we come back from the break, we’ll hear what happens to Gary and Justin. Gary and Justin are now both at the jailhouse and they have been separated. The police are questioning them and processing them separately.
GARY: That’s when the aggravation started to kick in a little bit [MUSIC] because we were going through the entire process [00:55:00] which is empty out all your pockets, give us all your gear, give us your backpacks. I don’t know if you ever did, but I interacted with the sheriff a couple of times.
JUSTIN: No, I never talked to the sheriff.
GARY: Yeah, so I interacted with the sheriff a couple of times and it was like hey sheriff, are you just gonna hold us or are you actually gonna charge us? It was later discussed during that conversation that I won’t really go into ‘cause it’ll just aggravate me, was yes, we’re going to charge you. There was multiple times I tried to – I don’t want to say talk my way out of it…
GARY: Yeah, that’s a better term, de-escalate the situation. Like hey, maybe you could contact one of our contacts. Talk to somebody at Iowa State Court and talk to somebody because we’re legitimately just working here, sir. We were ultra-polite. There’s multiple videos out there that show that I don’t think we were ever unprofessional. We were just like hey sir, could you possibly do this or check with this person? Maybe this is a big misunderstanding. It was always met with nope; you’re going to jail. Nope, you’re getting arrested.
JUSTIN: I mean, at some point along that process it became very clear that regardless of any amount of paperwork that we would have had on us…
GARY: It did not matter, yeah.
JUSTIN: …or anything that we could have said, there was something else going on. It wasn’t about that. We had the paperwork; the deputies already verified, cleared, identified us but let us go, essentially. Despite all that, there was something else going on that regardless of what we could have said, done, or shown, there was no getting out of an arrest at that point. We’re both being very professional throughout the entire process. But I’m a very big privacy advocate and as we’re going through this, they’re asking what’s your marital status? What’s your highest level of education? I’m very understanding at this point, we’re being wrongfully arrested because we’re here for a job. This isn’t something that needs to be dragged through a criminal process.
At most, if there’s contract discrepancies or issues with the state-first county level, this is something that gets handled in a civil courtroom. At that point I didn’t want to provide my social security number. It’s not like we’re resisting arrest or anything like that, but unwilling to give up a lot of personal details at that point which a lot of people in the booking or reception room, however you want to call it, got very upset with that. We have to give up all of our tools, all of our gear. We go through the process of explaining what these tools are ‘cause we’re being booked not only for burglary but possession of burglary tools. They want to have circumstantial evidence of us having tools that are used typically in burglary trade but obviously in a security setting at this point.
JACK: They finally get to make some phone calls but at this point it’s like, 2:00 a.m.
GARY: I had about thirty but unfortunately everybody was sleeping and no one would answer my call, even my wife slept through all of the phone calls that I sent her. I sent all sorts of messages to people. The only person I was able to actually get ahold of was one of our contacts and I said hey, are you aware that we got arrested? Yeah, yeah, we’re aware. Such-and-such told me. Are you doing anything to get us out? He said well, yeah, we’re gonna be there first thing in the morning. We’re gonna talk to X, Y, and Z. I don’t remember who he said we’re gonna talk to. We’re gonna smooth this all over; it’s one big misunderstanding. I believe almost verbatim his thing was you’d think that the sheriff would be a little more understanding of what we’re trying to do. I said well, guess what? He’s not. He said yeah, I can see that. Again, we’ll be there first thing in the morning. We’re gonna hammer this out. There was a lot more to that conversation but that’s the gist of it.
JACK: Now, for me, my first call would have been to my boss. I would have called Coalfire right away and told them hey, get some lawyers. We’re in jail. We need help right now because they’re operating in capacity of Coalfire, so Coalfire should be capable of helping them out.
GARY: Yeah, and we tried to get ahold of Coalfire. We just couldn’t get ahold of anybody just because of the late hour. I think most people when they sleep, they put their phone on vibrate. Because again, we’re talking about a scenario that has never happened before. Maybe you want to say some complacency, whatever you want to put in there. Who knows what it was? But most people were like okay, two or three in the morning, not really that big of a deal. What’s the worst that could happen? Well, we figured out what the worst that could happen was.
JACK: By 2:30 a.m. the police finished processing them and gave them both orange jumpsuits to change into, the kind you see prisoners wear. The police took all their belongings, even their shoes. Gary got a pair of Crocs. Justin got some sandals that were too small and they were put in a cell for the night with other criminals and cell mates. They tried to lay down and sleep but the beds were really hard and cold, so they didn’t get much sleep that night. [MUSIC] The next day they had an appointment to see the judge in the very courthouse [01:00:00] they broke into. The officers escort them to the courthouse.
GARY: When we walked over there in the morning, although it was incredibly uncomfortable and embarrassing that we were over there in literally shackles, right, the whole around-your-wrists and then tied around your waist and then the chain that goes from your wrist through your waist all the way to your ankles. Then you’re attached to the guy in front of you, and you do the – what is it? The railroad gang or whatever, across the street with deputies in front of you, in the back of you, and I was like you gotta be kidding. We get over there and the whole time I’m thinking we just gotta make it to nine in the morning. The state’s gonna be here, they’re gonna explain everything, and then the judge is gonna be like, this is silly. Why are you guys here? Go ahead, issue on your own recognizance, you can go home.
JACK: They get to the courthouse, they sit down in the courtroom, and await their names to be called by the judge. It boggles my mind still that this is the very courthouse that they broke into last night and now they’re sitting in the courthouse waiting to see the judge.
GARY: I was first. There was a gentleman that was sitting next to the sheriff. The sheriff was in the gallery, I guess you could say. There was only one man standing next to him. My thought was good, that is the court representative from the state court, right? He’s talking to the sheriff, they’ve talked about this, they realize this is just a big misunderstanding. Everything’s gonna be good, they’re gonna let us go, is what’s still playing in my mind. I sit there, I go in front of the judge. They ask your name; they say what’s your name? Yeah, my name’s Gary De Mercurio. How much money do you make? I make X amount of money. Who do you work for? I work for a company called Coalfire. At that point, they decide whether or not you can qualify for a public defender.
JUSTIN: Legal representation.
GARY: Right, public defender. She says you do not qualify for a public defender. Would you like to defend yourself or would you rather get outside counsel? I’m like well, I’m hoping outside counsel isn’t necessary because ma’am, I believe this is just a big misunderstanding. I launch into my reason why I think this is a misunderstanding. I explain to her what it is that we do, what we were doing that night, who we work for. She looks at me and she says you must think I’m stupid. [MUSIC] At that point I’m like, oh, Lord. You’ve got to be kidding me. This is not happening. She launches into this, I don’t know, diatribe, just like I’m the biggest idiot that she has ever seen step in front of her in her entire life. That is not the way that things happen. She is a state employee, she works for the state. If the state was doing this, she would know about it and this is not the way that things happen at the state, etc, etc, etc. I just went from being hopeful to just seeing red. I was just irate.
JACK: Keep in mind that both Gary and Justin barely slept the night before and they’re in these orange jumpsuits with shackles on. They aren’t presenting themselves as best they could given the situation but when the judge said this to Gary, he couldn’t believe it. He stood there totally shocked. Tons of rebuttals are going through his head but he wanted to be courteous so all he could do is stand there and be quiet. But he was thinking things like…
GARY: You are a judge. You are literally – the point of your position is to be able to look at someone and have some semblance of an idea whether or not that person is telling the truth or not and the only thing I can think of is you’ve been dealing with people and liars for so long, you can no longer tell the difference between somebody who is innocent and telling the truth wholeheartedly and somebody who is a liar.
JUSTIN: Which obviously, he’s not saying that to the judge but that’s going through both of our…
GARY: Yeah, that’s obviously what we’re thinking.
JACK: The judge charged him with burglary and possession of burglary tools, then went on to say a bail is set for $5,000. Justin couldn’t believe the judge was saying this, either.
JUSTIN: Same deal; I’m like, as not the person on front stage but obviously still in the same boat, I’m like oh no, there’s no way. This is like a bad joke. You gotta be kidding me. Not a chance in hell this is how this is going down. I’m just kind of like sitting on the stand in awe. My jaw has dropped to the floor looking at the situation transpire in front of us.
GARY: There’s still this gentleman sitting next to the sheriff. I’m like, okay; I’m like well, again, internal monologue, well hah, joke’s on you judge, this guy’s from the state and he’s gonna explain everything. This guy walks up next to me and says excuse me ma’am, I’m the county prosecutor and we think these guys are a flight risk. We would like to increase their bail. I’m like, oh Lord. Are you kidding me? I literally start looking around the courtroom looking for somebody else. I’m like where is our state representation? They told us they were going to be here. Where are they? They were nowhere to be found. They told us they were gonna show up. They ghosted us. [01:05:00] 100% ghosted us.
JACK: There was nobody there to defend Justin or Gary. The three contacts on their get-out-of-jail-free card did not come like they said they would. This was just too soon for anyone from Coalfire to be able to come down and help, either. So, they were just standing there completely baffled and irate that this was happening.
JUSTIN: I will say at one point during this exchange, the judge is looking at Gary and she’s like, you need to come up with a better story because nobody here is believing this, to which Gary retorts well, you should talk to the sheriff because the deputies last night had verified us. Everyone believed us until we’re here sitting in front of this courtroom. He looks over at the sheriff and the sheriff is just kind of like…
GARY: He just smiled and shrugged. He didn’t say anything. Again, in our minds, we’re like don’t you have some sort of ethical responsibility to say actually ma’am, we did verify with someone that worked for the state. However, we haven’t fully confirmed that or something of that nature.
JUSTIN: Sure, yeah, anything.
GARY: Not a word.
JACK: What a frustrating situation. Yes, they broke into the courthouse but they had 100% permission to do so by the information officer, the director, and the head of infrastructure for the Iowa State Judicial Branch, the very state department that runs these courthouses.
GARY: Then she read the address of where we broke in. She realized that it was her courthouse and her courtroom and she was mad.
GARY: She was like, how dare you break into my courthouse and my courtroom at this address? She just went off. Then she’s like, bail is set for $50,000. Our bail originally was $5,000.
JUSTIN: Ten, ten times [inaudible] bail for burglary.
GARY: Yeah, ten times the amount.
JACK: That’s just how much bail was set for Gary.
JUSTIN: I go up shortly thereafter. That’s pretty much the end of the exchange. I go up and same deal, I don’t believe this. I’m like well, we were authorized by the state to perform this testing. After seeing what Gary had gone through, I’m like, there’s no point. Don’t open your mouth and say something that could be potentially incriminating here. I’m like okay, we’re gonna do this, I suppose. Gary and I again trudged back across the street, back into our holding cells where Gary has cell mates of a wide variety. But one says to him, he’s like man, I can’t believe that. You went up there as professional as could be and she disrespected you. Even the inmates just looked at us. They were like man, you guys are so innocent. They didn’t even have to listen to our story. They were like, just the way you guys talk and the way you carry yourselves and the way you look, they’re like man, you don’t look like you belong here. What are you doing here?
JACK: Justin’s bail was also set for $50,000. The way bail works in the US is that you can either sit in jail until your court case or you can pay this amount to get out of jail and come back for court.
JUSTIN: At that point we’re facing felony charges. We’re facing felony burglary charges and felony possession of burglary tools. We’re in a criminal trial at that point.
GARY: And looking at seven years in prison as well, seven.
JACK: Still, they hoped any moment their point of contacts would come and sort everything out. But the situation was becoming less hopeful so Gary and Justin got some more phone calls and eventually got Coalfire on the phone and told them everything. Coalfire immediately started working to bail them out and to get help. So, about twenty hours after going to jail, the $100,000 in bail money came through and they were let go. At this point it’s Thursday and their return flight is on Saturday.
JUSTIN: Yeah, Coalfire gave us permission. They’re like, do whatever it takes. Get out of that state. Come back home, boys.
GARY: Leave that place.
JUSTIN: We booked earlier flights.
JACK: [MUSIC] Both Gary and Justin go back home and get individual lawyers to help them with this. Something had gone terribly wrong but they still weren’t sure what. Why was nobody listening to reason here? Why are they even being blamed for this? This should be a contract dispute, not fall on these two guys. Felony charges? The local news ran a story.
REPORTER: Two men arrested for breaking into the Dallas County Courthouse say they were hired to do it by the state. Justin Wynn and Gary De Mercurio are both now charged with third-degree burglary and possession of burglary tools. They were taken into custody around 12:30 Wednesday morning. As KCCI’s Alex Schuman shows us now, the men say they were doing cyber-security work.
ALEX: The state court administration says they did hire this company to test the security of their electronic records but did not intend for them to physically break into the courthouse. Not many have yet heard what happened but once they learned, people had plenty of opinion.
INTVW: They need to be arrested. There’s no trying to break in, period. Lock ‘em up. Throw away the key. I don’t care.
JACK: Well, that bystander they interviewed, I guess didn’t like them for some reason. But you might have caught in this [01:10:00] news clip where they said the Judicial Branch did not intend for these two to break in. Well, the next few months of this ordeal were painful and grueling for many people involved. The news reports I read said they interviewed the State Judicial Branch who claimed that they didn’t know a physical assessment was gonna happen, but then Coalfire outlined in the contract to show them that a physical assessment was approved. Then the state changed their mind and said well yeah, we knew that was happening but this was happening outside the hours described in the contract. But then Coalfire said we left a calling card on your desk overnight and you e-mailed us saying congratulations. Why didn’t you tell us to stop then?
The state went on to say okay, sure, but we didn’t know you were going to break into courthouses. But yet again, Coalfire showed them the contract and showed them the exact locations of the addresses of each building intended to be tested which included a few courthouses. Eventually the State Judicial Branch ran out of fingers for pointing at Coalfire as the problem. But while that certainly fanned the flames of this problem, it wasn’t the main fuel source. See, this was a county courthouse and it was a state department that hired them. State and county are two different things so the sheriff, judge, and county prosecutor were sticking with the story that the state had no authorization to conduct a physical penetration test on this building.
This was the main crux of the issue and if the county was not aware that this was going on, then they had to assume that Gary and Justin were actual criminals. If the state had no authorization to conduct these tests on this building, then it would be the same as if that gas station attendant across the street sort of paid them to go break into the building. From the prosecutor’s perspective, they thought these two guys were actual criminals.
GARY: Well, so, here’s the caveat; is after all this was said and done and we were bailed out, the state ordered a third-party investigation into this scenario. There was a lawyer, well, a law firm that performed the investigation. The final findings which are public, the very end of those findings, that lawyer is looking at some sort of precedence, right, all law is based on a case before. That’s where you get your legal precedence. Well, in a similar scenario, what was the judge? Because this has very little precedent associated with this, it’s up for interpretation of the law. During this third-party investigation, that lawyer’s interpretation of the law was the state had legal authority to authorize a test on county property because they are technically the tenants of that property.
JUSTIN: It’s their authority to protect that courthouse and administer security for it.
GARY: Right, and the things within that courthouse.
JACK: But the prosecutors held their position. They started looking through the contract to try to find anything that wasn’t right. Justin and Gary both went back to work for Coalfire during all this but they weren’t able to really focus that well. I mean for one, they had long talks with lawyers and going over tons of evidence and documents with them. This is hard to find time to do when you’re typically spending a week at a client’s site doing a penetration test. This news made its way around, so if Gary or Justin got on a call with a client to do a pen test, some clients wanted to hear the whole story about what happened in Iowa. It was just really distracting. Of course, they were arrested with felony charges, so some clients have sensitive buildings and they do background checks on the penetration testers.
But with felony charges, they weren’t able to do these assignments. They spent months battling this out with the prosecutors and a lot of what I know about this story was through documents published by the Iowa State Courts. There was some great journalism work by Ars Technica which got a lot of the documents and posted them publicly. Here is where I see the rules of engagements and the positions that the state took on various things and how they broke into different buildings. In fact, somebody even interviewed the Iowa senators to see what they had to say about this. Senator Amy Sinclair said quote, “The hiring of an outside company to break into the courthouse in September created significant danger not only to the contractors but to local law enforcement and members of the public.” End quote.
Also, Senator Zach Whiting had something to say. He said quote, “Essentially, a branch of government has contracted with a company to commit crimes and this is very troubling. I want to find out who needs to be held accountable for this and how we can do that.” End quote. Eventually when the third-party investigation was complete which said that the state had jurisdiction to hire Coalfire to run these tests and the state point-of-contacts all approved that Coalfire was hired to do it, all this came together and was given to the county prosecutor.
JUSTIN: All that comes to light and [01:15:00] eventually, I think it was a month after the state had, or sorry, the county had the opportunity to either drop charges or to continue pressing charges; at which point they decided okay, felony charges aren’t really relevant here but we’re gonna drop this down to misdemeanor trespassing charges which I think they expected us to immediately say yep, yep, we’re guilty, we’ll take that, which of course from our perspective, we’re legally hired for this job. No chance in hell we’re gonna plead guilty to misdemeanor trespassing charges even though it’s essentially a traffic ticket violation or something similar at that point. We weren’t going to go along with that so we’re still fighting that. That fight took place over the next four months.
GARY: All sorts of fights between our lawyer and the prosecutor.
JUSTIN: Oh, constantly.
GARY: To even get to the point where the prosecutor’s like okay, well, maybe we’ll drop it down to criminal trespassing. Our lawyer was like look, man, in order for there to be burglary, they have to have criminal intent to commit a felony after entry. These guys were working. There is no way that you can prove criminal intent. So, they did everything in their power. They’re like well, if they dropped a key logger on one of the systems, then we might be able to prove – I mean, they were grasping at straws to do anything and everything in their power to try to hopefully make that stick for some reason, and they knew at that point; they knew we were under contract. They knew that we were asked by the state to be in that courthouse and they still were pushing for these felony charges, these Class C felony charges with seven years of prison time behind it for I don’t even – I still to this day have no idea why they kept pushing so hard for this stuff.
JACK: Eventually the Dallas County prosecutors in Iowa came to an understanding and on January 30th, 2020 they dropped all charges against Gary and Justin. The case is now over and they’re free men once again. But what still lingers is their criminal record still shows that they were arrested for burglary and were given felony charges.
JUSTIN: That’s kind of like why we’re still so upset at this point. We’re gonna carry this for the rest of our lives. We have felony arrest records. Even though charges are dismissed, everything’s been dropped at this point, anytime we get pulled over, if we ever try to apply for a job in the future, security clearances, and any number of things; volunteer work, it’s gonna show we’ve been arrested on felony charges. We’ve been stripped of rights with no due process on wrongful arrest.
JACK: Yeah, it’s a shame. Any traffic stops these guys get; when the police look up their record, it’s gonna show that they were once arrested with felony charges. Any time in the future where they’re on a physical assessment and the cops come, they’ll see that they have burglary charges on their record which might make the cops think like yeah, these are real burglars. Look, they have real charges. Any background checks that someone does on these two is gonna show their criminal history. I mean, what do you write when you’re applying for a job and it asks you have you ever been arrested? What do you put? Yes, but it was wrongful? It doesn’t sound fair to me.
GARY: Big things, little things. It just affected our lives for the last six months. All the time.
JUSTIN: And honestly, will still continue to do. Like yeah, with the arrest charges but man, just honestly, I know a lot of people that say a lot of stuff; oh, damages, I’m so stressed out over this and they want to do a counter-lawsuit. No, I think my physical brain chemistry has changed over this, being so stressed out. I sound like a wimp about it but man, you wouldn’t believe it until you’re in it and going through something like this how stressful and traumatic. I don’t even want to use that term but it is a traumatic experience to go through something like this and have it held over your head for such a long time when you know you’re in the right, and then to see the legal system fail you repeatedly. There were so many opportunities and avenues for the county to understand or get more information and then drop the charges and it just never happened.
GARY: I think that was the – that’s the biggest detractor from all of this and the point that was so aggravating is so many times, everybody had every opportunity to do the right thing and they just continually didn’t. It was just – for the lack of a better term, it was like I was flabbergasted, like totally old school, right? It’s just, how can you do this to someone? You know, you know that we weren’t there doing anything malicious. You know we weren’t actually breaking in to do – to create some sort of crime or to have some sort of crime. You know we were there doing our job.
Why are you still pushing seven years of prison time? Why are you still pushing this on us? It’s like, they had absolutely no mindset, for lack of a better term or maybe it is the best term, destroying [01:20:00] two professionals who have absolutely sparkling clean records who’ve never even been in trouble for jay-walking before. They’re just like oh, no, yeah, no big deal. We’ll just keep throwing these Class C felony charges at them. Yeah, you know, if we drop it later, whatever. It doesn’t affect us. It doesn’t harm us, what do we care? Just like, the – what do I want to say? The lack of sympathy or empathy…
JUSTIN: Professionalism, empathy.
GARY: Professional, whatever term you want to throw there, just for – not even for us, but just another human being.
JUSTIN: For doing what’s right. If you’re representing the law, it’s a failure of the legal system which I had no idea America worked that way. It’s just not the America that I was brought up in. I thought innocent until proven guilty and just to see us stripped of so many rights and to go through this, it was just such an awful experience, to be thrown into this mix.
GARY: It was terrible. That was the hardest part, was watching people do the wrong thing repeatedly and thinking it was not a big deal because to them, it wasn’t. The only big deal was to us but no one seemed to care.
JACK: Even though the charges were dropped and they’re free, there’s no legal way for them to get a wrongful arrest removed from their records entirely. Their mugshots will forever be out there with arrest records and all. I think what baffles me the most still is that these two guys were the ones who faced the most trouble, not Coalfire. I’ve said this before how I always find it strange when the FBI charges individual hackers who conduct a hack on behalf of another country. Like, hackers working for the Russian government or the Chinese government have been indicted. Why? They were just doing what they’re told by their commanders, their generals, their leaders. Why not indict the commanders and generals or leaders or even the president? This is a glaring example of why it makes no sense to go after the little foot soldiers who are just doing what they’re told. This really should have been a matter for Coalfire, the company, to deal with but instead Gary and Justin got hit with the worst of it.
JACK (OUTRO): [OUTRO MUSIC] A big thanks to our guests Gary De Mercurio and Justin Wynn for sharing this story. You guys aren’t strangers to trouble so you’ll probably get in trouble again but better luck next time, eh? Hey, have you checked out the Darknet Diaries shop lately? New shirts keep coming in periodically and they look sick. You have to take a look at these shirts and stickers. There’re hats that are gonna be in there soon. Visit shop.darknetdiaries.com and yes, I do ship worldwide. This show is made by me, the local ghost, Jack Rhysider, and our theme music is by the chromatic Breakmaster Cylinder. Even though I have to re-update the keys on my license to hack every time I say it, this is Darknet Diaries.
[OUTRO MUSIC ENDS]
[END OF RECORDING]