County Pays $600K to Wrongfully Jailed Pen Testers
These articles are AI-generated summaries. Please check the original sources for full details.
Red Team Nightmare
Gary De Mercurio and Justin Wynn, two white hat hackers, were arrested in 2019 for performing a security evaluation at a Dallas County, Iowa, courthouse, despite having legal clearance from the state and initial clearance from the police. The incident highlights the risks faced by security professionals in red teaming exercises, with De Mercurio and Wynn eventually winning a $600,000 settlement payment six and a half years after the incident.
Why This Matters
The incident underscores a tension at the heart of penetration testing: a simulation is most realistic when few people know about it ahead of time, but that secrecy can provoke unexpected responses from those who were not informed. The resulting conflict can carry serious consequences, including legal battles and financial losses, as seen in De Mercurio and Wynn's case, where they spent years fighting for vindication and ultimately received a settlement that barely covers their career losses.
Key Insights
- $600,000 settlement payment to De Mercurio and Wynn for wrongful arrest and prosecution: a significant financial consequence for the county.
- Red teaming exercises require careful planning and communication to minimize risks: a key concept in penetration testing.
- Recording client interactions and obtaining explicit authorization can help prevent similar incidents: a valuable lesson learned from De Mercurio and Wynn’s experience.
Working Example
No code is applicable in this context, as the incident involves a physical security evaluation rather than a software-related issue.
Practical Applications
- Use Case: Companies like Coalfire and Kaiju Security conduct penetration testing to identify vulnerabilities in physical and digital systems, highlighting the importance of careful planning and communication.
- Pitfall: Failure to inform all relevant parties about a penetration test can lead to unexpected responses, legal issues, and financial losses, as seen in the De Mercurio and Wynn case.