I was wondering about that. If it is the county courthouse I'm not sure a state employee necessarily can authorize something like a break in.
if the courthouse receives resources from the state; it has statewide terminals; etc. access points where criminal records can be modified or updated then it's still the states responsibility to verify the physical security.
If Eve wants to issue an arrest warrant for bob and alice; or have them "SWATTED" and locked up; changing records in a court house is a straightforward way to do that.
If this was done as part of a statewide voting system and the courthouse is a polling place then the state should have type of imminent domain; or other statewide drill then it would be included. If they participate in any of those systems then depending on the nature of the agreement, they're consent maybe implicit.
Obviously; nobody loves the idea of breaking into a courthouse at night.
I'd wager that could even extend to adjacent buildings; and I know federal investigators who request (and then intimidate & insist) that a business owner let them do xyz type operation .. but in a lot of cases; if there is a chance of collusion then they don't even ask for that permission.
I suppose that requires a warrant; so perhaps #red_team warrants issued by a higher level judge; ultimately it's a future area of legislation.
I guess it's going to trial, unless the prosecutors drop the case. The waiting continues.
PenTesters for the state/government cybersecurity require a special designation #red_team that allows for incursion and flag dropping; 'tracepoints' -- public disclosure. There are a lot of steps and often it involves writing out a clear mission scope/goals to avoid this type of circumstance.
This includes progress reports to their organizational handler announcing the intentions/progress .. progressive research. Introductions by state employees, informing the law enforcement.
OFTEN ..
I find myself informing the officials & administrators during normal business hours, etc. "people who may be affected" that could be conducting an exercise that involves your building in [timeframe] you have until then to prepare; readiness drills etc. bring it.
Afaik getting caught is part of the fun (how far can I get before you catch me?) but there's always a point of no return where it's not fair; never typing the rm -Rf or "encrypt *" commands but you never actually do if you're a good person; I know I had a lot of interesting "oops" moments in my early career where I accidentally embarrassed somebody and made an enemy.
IT Departments are run by normal people who have limited budgets and time; and I like to point out that a failure usually means a better budget justification to fix it; and assurance that anything we break we'll fix; but how confident are they in their backups and how easily I can get to them.
So fuck that cowboy pen testing bullshit, a great hacker will only use that as a last resort and then EVERYBODY should know it's happening so there is less risk. This is why "this is a test" is played during military exercises; because it's about the readiness drill. I will take your system down; with or without you -- do you want to watch?
I've had new guys on teams suggest cutting primary wires; to trigger failures i.e. "video camera feeds" etc to demonstrate coverage lapses in physical security. if they did any property damage; they are liable for that.
If the building administrators decline the #red_team audit; then we submit that back into the report and put them on our "naughty list"; which means well try 2x harder to embarrass that particular person; shame on them.... it needs to be clear that a failure does not necessarily reflect badly on them in our report; unless they were blocking the audit; that is bad. that's all you can do; they don't want to engage -- forward it to the foreign upper bureaus who don't need to follow the same disclosure rules as a good place to train recruits.
As a hacker; pen-tester #red_team I make it clear that's exactly what I'm going to do if they don't personally cooperate; usually they'd rather be helpful than risk pissing me off and being the subject of my wrath - we work together to fix it. It's a bit heavy handed; .. 2020 election security is going to suck donkey balls btw.
/ #red_team
You sound quite unprofessional :/
my best approach -- marking people "declined to participate" and naughty list; or for shaming them for not participating in the drill?
?? as i see it; i'm a good guy by paying them a courtesy by informing them of the intentions; working with them; they are the unprofessional ones. perhaps this is my low EQ; and it's why I have assistants.
I have no patience for bureaucrats (i.e. election officials) telling me their system is secure while I know damn well they aren't .. usually I suspect corruption/secrets they would rather not be public ... and the funny thing is ... most of the time I'm right and they turn out to be real pieces of shit that I just happened to get caught on my boot.
Too many of our systems relying on closed source software vendors hiding behind the law pretending (i'm looking at you Oracle) .. ignoring that 90% of North Koreas income comes from hacking; cyber-terrorism cyber-ransom funding radical terrorism scares me.
the small terrorists cells usually don't have a hypermind *(180+ IQ); but nation state [even small ones] probably have at least one or two on the payroll.
iran is a good example of this; we've been talking about these types of attacks "in theory" for years; literally 10 years -- more importantly; due to the success how long before this type of guerilla warfare expands to schools in the USA.
