Then the Sheriff showed up and insisted they be arrested...
Everything was fine until one person who didn't get it, who happened to be in charge, showed up.
For reference, here is the HN thread shortly after the arrest: https://news.ycombinator.com/item?id=21000273
The initial charges against them were initially dropped to misdemeanors and then dismissed entirely, but that was a separate matter resolved earlier.
It shows up in his background report and no company has cared (or taken the time to notice) that they are dropped charges and not convictions.
He's basically treated like a felon and effectively got bumped out of his career.
I say all this but --- knowing that the principals in this story might read this thread and drop in and correct me, which would be awesome --- I think it's actually more likely that their careers benefited from this news story, and that they probably didn't lose any cleared business from it. I can't say enough that these two became industry celebrities over this case.
Security clearance is subject to due process protections (at least, insofar as it is a component of government hiring and continuation of employment), because government employment is subject to due process protections and the courts have not allowed security clearance requirements to be an end-run around that.
(I'm going to keep saying: this is just an abstract argument; I don't think there's any evidence these two pentesters had any clearance issues.)
Subsequent cases (mostly at the Federal Circuit, I can’t find the Supreme Court getting involved much since) like Cheney v. DOJ (2007) and Cruz-Martinez v. DHS (2020) have developed what that requires.
For cases outside of government employment, though the decisions so far are only at the trial level, Perkins Coie LLC vs. DOJ (2025) and Zaid v. Executive Office of the President (2025) are worth checking out in this regard.
What we're talking about today is the resolution of what looks to me (not a lawyer) mostly like a defamation case. Were they defamed? Absolutely. The problem is, to get anything useful out of a defamation case, you need to demonstrate damages. They were accused of a crime --- per se defamation --- but the point of the suit is to recover damages.
I don't want to be glib, and I'm very prepared to be wrong, but the Dallas County Courthouse Incident is likely one of the top 3 world events to have happened to both these pentesters. They've been cause celebres in the field for years and years. It might be pretty tricky to actually demonstrate damages.
Split 2 ways, that is still 300k.
Parked in an investment at 5% a year, that's an easy +$15,000/year for the rest of your life.
https://decisions.scc-csc.ca/scc-csc/scc-csc/en/item/16057/i...
By the way, I dont know who you are quoting as that is not my exact wording.
https://en.wikipedia.org/wiki/LizardTech,_Inc._v._Earth_Reso....
Also public service sector: this right here.
Besides, let me guess, that sheriff is elected?
Frankly, I would not have taken this gig unless you had verbal confirmation that the Sheriff knows about it and has signed off. If you're entering a red team situation where the State wants to assess the security of their county courthouses, but doesn't want the local authorities to know its happening because they don't trust them: That is not a situation you want to be in the middle of, they gotta sort that out.
Iowa is small enough that it looks like the Iowa Judicial Branch just runs everything directly. Every county seat in Iowa has a courthouse, but the county probably doesn’t really have any control of it.
My guess is that the sheriff had an ego and may not have wanted a finding against him.
> I would not have taken this gig unless you had verbal confirmation that the Sheriff knows about it and has signed off.
We don't know that! We don't know what we would have done in that scenario, especially in the context of a thread about the very outcome one's supposed foresight would have prevented.
From https://en.wikipedia.org/wiki/Hindsight_bias#Attempts_to_red... :
> Research suggests that people still exhibit the hindsight bias even when they are aware of it or possess the intention of eradicating it. [...] The only observable way to decrease hindsight bias in testing is to have the participant think about how alternative hypotheses could be correct.
So here's an alternative hypothesis:
"Hey, do you reckon we should clear this with the county first? The sheriff might come and arrest us on the basis that nobody told him we were going to break into the courthouse"
"Nah, don't worry about it, I've done this sort of thing hundreds of times. And besides, the state has superiority over the county anyway, so even if we get caught which let's face it we won't because we're leet hackers and very incognito... the sheriff won't have any power to do anything to us as soon as we tell him it's authorised by the state"
"SGTM"
And, by the way: The Sheriff was in the wrong and some of what happened to these pentesters should never have happened. But, this case is not nearly as clear-cut as some one-sided storytelling suggests it is. When the Sheriff called the contact numbers at the State of Iowa, one person didn't answer, and a second person said that they "did not believe the men had permission to conduct physical intrusion." One of the pentesters also blew lightly positive for alcohol. One of the men was from Florida, and the second from Seattle, working for a security firm out of Colorado. That's suspicion enough to end up in jail overnight.
The fact that it went on longer than that more-so gets at the real story. The State was exercising an authority they had, maybe for the first time, against a security force that not only didn't know they were exercising it, but didn't realize they even had the authority in the first place. These guys got caught in the middle. The distribution of blame is pretty significant: The State should have informed the local security, but didn't. The State should have had contacts on-call during the intrusion, but didn't. Coalfire should have confirmed all of this in the interest of protecting their employees, but didn't. The testers shouldn't have been drinking beforehand, but did. The Sheriff should have dropped the matter the next day, but didn't. Sure, some of this is 20-20 hindsight, but taken in its entirety there were a lot of balls dropped, and it paints a picture of a state government that has some box to check for compliance, doesn't care how it gets checked or what gets found, and a security firm that isn't conducting their penetration tests responsibly.
It is through this simple system that I can confidently say that the content of this article that I am reading today in 2026 had/will have an impact on what I would have done in 2019
That’s not legally obvious. State v county control over courthouses creates fights over everything from Aesbestos to parking to security. The legal answers lie in state constitutional provisions that nobody ever reads and aren’t particularly helpful.
The article says they did have an authorization letter from the state court officials (the people running the building) and they were released right after the letter was verified with the court officials.
At least from what I can see, the police officers involved were doing the right thing. They detained the suspects, made a proper effort to listen to them and validate their story, and then released them.
It was the Sheriff who showed up and didn't like it who then hassled them further.
They basically had a no-objection letter from the people in charge of the building and the police officers were onboard. It was one person who tried to turn it into something else.
I bought property with a shooting range years ago from a retired SWAT officer with the county. He mentioned that “he always calls the sheriff’s office to let them know if he was doing anything.” Now I’d never owned a private range and am not from this county.
I called up the sheriff’s office and asked for clarification. I was advised that no such policy / program exists or is required and if the officer must have had is own internal policies and chain o command and that is irrelevant to me as a random citizen. In short, if a call is made about a shooter they will have to respond and so long as I’m not doing anything stupid, dangerous, or outright illegal I have nothing to worry about. The same goes for any other type of call.
You’re trying to see what can be done and what the response is from the current security practices and the police showing up seems like an important part of that.
I'll probably get downvoted for even questioning the narrative, but here are some of the nuances that stood out to me:
- When the police contacted someone listed on the authorization letter, that person denied that they had been authorized to conduct physical intrusions. Another contact didn't answer their phone. What are the police supposed to do if the people supposedly authorizing the intrusion are actively denying the authorization?
- The contract had vague language that say they couldn't "force-open doors". The two men told police they had used a tool to open a locked door. The language should have been more specific about what was and was not allowed. (EDIT: This is causing a lot of controversy. The legal definition of "forced entry" in my state does not require literal damage to the property, only a bypassing of barriers. I don't know about the circumstances in this state, but to be clear the term "force-open doors" doesn't necessarily mean using destructive force everywhere)
- The contract said "alarm subversion" was not allowed, but supposedly the police had evidence that they were trying to manipulate the alarm. They deny this.
- The men had been drinking alcohol before the break-in. By the time they were breathalyzed it was at 0.05, meaning the number was even higher when they started the break-in. Drinking alcohol before you do a professional job guaranteed to get the police responding is a terrible idea.
- After they tripped the alarm and the police showed up, they didn't immediately identify themselves and end the exercise. They hid from the police, claiming that they were "testing the authorities' response" which seems obviously out of scope for their agreement.
So I agree that the charges were excessive and the Sheriff was in the wrong on a lot of things, but after reading the details this wasn't really a clear cut case. The pentesters weren't really doing everything "by the book" if they thought that testing the police response by hiding was in scope of their contract and doing this job after a few alcoholic beverages is a bizarre choice.
Damaging property was never approved. Drinking alcohol before a test would never happen. The insurance risk alone would've been nuts, not to mention the reputational damage if someone smelled it on your breath. Hiding from law enforcement? I'd need to know more about that. If a cop shows up with a gun you absolutely do not hide. If it's a security guard on rounds and you're waiting for them to move on... sure.
It was often dangerous though. Some security and law enforcement types take it personally that they're being "tested" and do not react well. We always tried to have some former law enforcement or military with us because they were less likely to be targeted for abuse than us hackers/nerds.
You mean... the thing that they had? FTA:
"Within minutes, deputies arrived and confronted the two intruders. DeMercurio and Wynn produced an authorization letter—known as a “get out of jail free card” in pen-testing circles. After a deputy called one or more of the state court officials listed in the letter and got confirmation it was legit, the deputies said they were satisfied the men were authorized to be in the building."
There's also no indication that they damaged property (they used a UDT to trip a sensor to bypass the door). Neither of us were there, but based on the actual reporting it sounds like the worst anyone could accuse these people of being is stupidly unprofessional and bad communicators, which if you worked with pentesters shouldn't seem like an unprecedented aberration.
According to the article, they were hiding from the police who showed up, not security guards.
Testing the police is undeniably out of scope in a situation like this. If the police show up, the exercise needs to be over. You announce your presence and de-escalate, not try to outmaneuver the police.
These two guys only look like heroes in contrast to the over zealous sheriff. Everything else about their operation ranges from amateur hour to complete incompetence, such as drinking before a job.
The whole point is to test security. Ideally you want to be found because that means that they have reasonable security in place and you can attest to that.
Regarding force, this article says:
> The rules of engagement for this exercise explicitly permitted “physical attacks,” including “lockpicking,” against judicial branch buildings so long as they didn’t cause significant damage.
And later that they entered through an unlocked door, which they (it sounds like) kept unlatched by inserting something between the latch and the doorjamb. Not unreasonable.
This is a job where having impaired judgment is a terrible idea.
If someone needs alcohol to do a job that involves taking the role of a criminal and summoning the police, drinking alcohol before it is a terrible choice no matter how you look at it. If they can't do the job without alcohol, they shouldn't be doing the job at all. Maintaining unimpaired judgment is a baseline expectation for a job like this.
And it really is more of a red herring since they were obviously not visibly intoxicated and they didn't actually do anything illegal. Their BAC is more of an issue between them and their employer, and has no bearing on their false arrest.
0.05% BAC will result in a DUI in many countries. Regardless, any impairment on a job where you're doing things guaranteed to summon the cops is a very bad idea.
BAC also declines linearly over time. I doubt (hope?) they weren't drinking on the job, but a 0.05% BAC measured after their arrest means their BAC would have been higher when they started breaking into the building earlier in the night.
Australia, scotland and france are also 0.05.
There are quite a few countries where the limit is less than that.
The level of impairment doesn't matter. They are impaired. There is no standard or testing which reveals the minimum level of impairment that one can safely do the job. So, you don't do it impaired, at any level, period.
> and has no bearing on their false arrest.
Two people that have obviously been drinking, hiding from police, and then making up fantastic sounding stories as to why they're in a tax payer owned facility outside of working hours. The police had good reason to effect an arrest so it can't be "false arrest."
Physical coordination becomes an issue. 70% of subjects tested struggled to maintain lane position at 0.02%.
My point is not that they definitely should have done it. It is simply that, in this context, it's really not a big deal & is not really germane to the discussion at all. They did nothing wrong, stone cold sober or not.
I feel like if you do something for a living, you shouldn't need to calm your nerves for it.
And even if their BAC was technically under the legal limit, their ability to e.g. drive was impaired. So it seems unprofessional.
W/r/t drinking and working, I personally dislike the puritanical zero tolerance for alcohol approach that people here in the US seem to take by default. Most people can have one or two drinks and work just fine, with obvious exceptions.
I don't think we should judge people who have to travel to a boring small town in Iowa and have to go to work in the middle of the night for having a drink or two.
If you can't have just a drink or two, or have to do it every day, that's a bigger issue that goes beyond work vs. simply having a drink and doing work on occasion.
People drive on prescription drugs like it's nothing. But a beer? Haha.
For context, I've been sober for a decade. I don't mind if people have a beer. I get it.
I've never worked a software job where I wasn't provided free alcohol at work.
Absolutely not.
Physical pentest scenarios are highly likely to end with an alarm tripping and the police arriving, except in cases where the alarm wasn't armed, didn't have connectivity, or was broken.
An encounter with the police was virtually guaranteed in this case. Drinking before the job was highly unusual and irresponsible.
Note that Monroe's number for the peak (0.13%) is significantly higher than legal limit for driving, and than these guys recorded here.
What?? For real?
Hard agree about "forcing", though. The very word implies, you know, non-trivial amounts of force. Like technically walking toward a door in a normal human room at standard temperature and pressure means you're applying non-zero amounts of force to it, so arguments like "they applied any force at all" can be ignored as goofy.
They brought a separate case against the police and were awarded $600K
Two separate legal matters for the same event.
My other comment has more details, but a summary is that they the pentesters had been drinking before breaking into the building, were doing things that could be interpreted as being forbidden by their own contract, and the big one: The person listed on their authorization letter denied that they were approved to enter the building when called.
That last one is a big deal. If your own authorization contacts start telling the police you're not authorized to be in the building, you're in trouble.
If that’s all that had happened I’m guessing it would’ve avoided a lawsuit, since their purpose was to restore their reputational damage.
"Dallas County Attorney Matt Schultz told KCCI: "I want to be clear that the decision to dismiss the criminal charges that resulted in this civil case against Dallas County was made by a previous County Attorney. I am putting the public on notice that if this situation arises again in the future, I will prosecute to the fullest extent of the law."
https://www.kcci.com/article/coalfire-contractors-settle-dal...
What jury? The payment happened before the trial: "five days before a trial was scheduled to begin in the case, Dallas County officials agreed to pay $600,000 to settle the case".
So yeah, it sucks for these guys' reputations and criminal histories, but... what? The onsite staff didn't know what was going on, the Sheriffs didn't know what was going on.
The county basically said: "We want you to go try to break into this government building. We aren't going to tell the staff or the local police about it. Tell us what you find."
If the sheriff had arrested them and found out in the morning what was going on and then let them go, this wouldn't be news.
If the sheriff had arrested them and brought them before a judge who let them go, this wouldn't be news.
What actually happened is the sheriff found out what was going on, decided it was still criminal anyway, arrested them, and then the county charged and prosecuted them. The charges were eventually dismissed. That is why it's news.
And icing on the cake, the current county attorney disagrees with the dismissal done by his predecessor, and says that he will prosecute any future incidents of this nature. https://www.kcci.com/article/coalfire-contractors-settle-dal...
Only once the sheriff himself arrived on scene did he order the arrest that caused all the issues. If that didn't happen it wouldn't have been a story other than "security professionals doing their authorized job".
Apparently there's more to this story. From the original article https://arstechnica.com/information-technology/2019/11/how-a...
> Another reason for doubt: one of the people listed as a contact on the get-out-of-jail-free letter didn’t answer the deputies’ calls, while another said he didn’t believe the men had permission to conduct physical intrusions.
It's actually kind of amazing that the police first let them go after the official contact on the form said they were not authorized to intrude in the building.
I think the takeaway for security teams is that you shouldn't let the customer "authorize" what is otherwise criminal activity warranting a police response without getting some air cover from the enforcement side. Coordinating that is the customer's burden to bear and that cover should be secured before letting them hand-wave away the risks with a "just have the police call me and I'll clear it all up". In hindsight only, when you look at it like that, the security team was not covering their ass appropriately. In a perfect world, you'd assume there's some better planning and communication going on behind the curtain. In the real world, you need more than the flimsy "guarantee" of calling a guy who knows a guy in the middle of the night. At the very least, that get out of jail free card should have had as signatories judiciary representation and enforcement representation (e.g. sheriff).
FTFY
Also - a red-team exercise doesn't work if you tell the targets that they're about to be tested.
And in this case, notifying the police would have seemingly affected the test. Based on the reaction they did have, I would guess such notification would have resulted in the police doing many more drive-bys of the courthouse and generally being alert.
It would be supremely stupid to not plan and account for these kind of systemic social problems when you're planning out your contract to break into a building. "But they're the ones who suck, I did nothing wrong" won't bring you back from the dead.
They broke in and set off an alarm, the local cops responded, the pentesters showed their credentials, and there was no issue.
Then the sheriff arrived, was butthurt because he felt left out and wanted to show his authority, and caused these guys 6 years of grief for literally no reason at all.
Extremely dangerous and irresponsible for the county not to alert the local police and Sheriffs office that this operation was taking place.
I'm glad these guys got their money.
see https://www.desmoinesregister.com/story/news/2022/08/29/dall...
Most countries appoint law enforcement officers who are qualified for the job.
We had a problem last year here in San Mateo County, California where our sheriff was corrupt but we had to pass a ballot measure because we couldn't just fire them: https://calmatters.org/justice/2025/10/san-mateo-sheriff-rem...
Independent elections are a good thing. Bundling offices together under a single election that appoints the rest of the world is terrible and only leans further into the two party see-saw that exists in the USA.
I really wish for proportional representation. Not that it really applies to your local police force, but we need to break apart the complete A-or-B nature of American politics. Form coalitions, not monoliths that trade off earning 51% of the electorate every cycle that the completely repoints the entirety of the govt for the next 4 years.