Steal laptops for class credit?

Steal laptops for class credit?

Summary: 30 laptops are stolen on campus - do you punish or reward the thieves?

SHARE:
30

Students at the University of Twente stole 30 laptops from university staff across campus. Were they prosecuted? No -- instead, they received extra credit.

As part of a scientific research project, UT researcher Trajce Dimkov requested that the students attempt to steal the devices from campus -- and it seems to have been a very simple task to ask of them.

The researcher's PhD thesis, entitled "Alignment of Organizational Security Policies, Theory and Practice" explored the ways in which security practices can be thwarted by human behaviour and habits, such as forgetting to lock a door or not completing tasks due to the effort involved.

Under the guise of conducting a user survey, Dimkov loaned out the laptops to university staff members that were selected randomly. These members of staff were asked to make sure that the machines were chained to their desks, to secure them with a password, and to lock the door when they left their office.

In anticipation of the student thefts, university security were informed so that the research participants wouldn't find themselves in jail for taking part in the experiment.

The students were then asked to steal the laptops.

In total, sixty documented attempts were made, half of which were successful. Dimkov concluded that no matter how watertight a security system appears to be, its effectiveness is determined by human behaviour. The researcher said:

"Some people forgot to lock their door. In other cases, the students were able to think up a cover story that was sufficiently convincing to get a cleaner or caretaker to open the door for them. Other students were able to obtain the laptops by posing as technicians. Some claimed to have left their laptop in their supervisor's office, and that they needed it urgently, to complete an assignment. People tend to make an effort to be helpful, and a good cover story often does the trick."

In an attempt to thwart such 'thefts', Dimkov has developed a prototype navigation system which identifies the ways in which such devices can be stolen. Once data is submitted into the system, including data concerning location, rules, security locks and codes, the prototype uses algorithms to generate a number of sequences in order to find any weak spots in security protocol.

Image credit: University of Twente

Related:

Topics: Hardware, Laptops, Mobility

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

30 comments
Log in or register to join the discussion
  • If "ethics" are to be valued, it is abhorrent to congratulate them,

    or to give extra credit to them.

    Do we want thieves and other unethical sorts running our society?

    Given that this was a class assignment, the usual talk of ethics can't be strictly applied, but...

    * put in a new HDD and you've got a free expensive toy
    * if the BIOS/EFI is locked, if there is a way to unlock it them it will be found

    etc

    And the solution is regardless - have ID badges, wear them at all times, and be prepared to show them. There's nothing intimidating about living in such a secure paradigm, yes? Nothing that might wear people down over time, no?
    HypnoToad72
    • RE: Steal laptops for class credit?

      @HypnoToad72 <br>Best ask the Google worshipers. They think Google can take anything it wants, and should not suffer any consequencies. That's their ethics!!
      eargasm
    • In plain sight opportunity for data theft is a bigger problem vs. viruses

      @HypnoToad72

      " This is a suitable example as to why having a soft briefcase to carry your laptop with you at all times is the only way to go. All it takes to walk off with an expensive computer and make it your own is a $100 o.e.m. copy of Windows7 from an online retailer and removing the hard drive for a delete and reformat using any desktop computer."
      Zurk_Orkin
    • RE: Steal laptops for class credit?

      @HypnoToad72: Who should be allowed to check those ID:s and when? Especially in public places.

      Most verification systems that depends on humans will fail in the end if people don't feel that they are important.
      Natanael_L
  • RE: Steal laptops for class credit?

    so.... iGeneration is ok with stealing stuff to get credit for school assignment... This so called PhD researcher should end up in jail.
    pupkin_z
    • RE: Steal laptops for class credit?

      @pupkin_z

      It was an experiment on the flaws of security systems. Presumably, the students have to give the laptops back.
      intman
      • I'm wondering if these two read the entire article.

        @intman: Seemed pretty obvious to me.
        ye
      • RE: Steal laptops for class credit?

        @intman you do not get it, don't you. HOw is stealing stuff is ok even if you have to return it?
        pupkin_z
      • RE: Steal laptops for class credit?

        @intman if the person cannot design an experiment that is is not criminal this person should not do science. End of story.
        pupkin_z
      • RE: Steal laptops for class credit?

        @ye: I was wondering the same thing. They've clearly not read it. How are you else supposed to show how security is easy to bypass? The UT researcher clearly never once said stealing is acceptable and to say he should be in jail is rather strong.
        bradavon
      • RE: Steal laptops for class credit?

        @pupkin_z:

        It is not illegal if you have permission. And that the key here - the students were *given the assignment* to get one of the computers *by the owners*. The computers were stored in secure places, and the affected people were notified about the assignement given to the students in advance.

        So no laws has been broken.

        Also, how the **** can you properly understand security if you never try to break it yourself? These guys are supposed to learn how security works and should work, and if you never have learned to spot weaknesses, you can never create a secure system.
        Natanael_L
    • RE: Steal laptops for class credit?

      @pupkin_z too many people ignore security issues until they are hurt by their lack of security. I work in It security from the OS and application configuration perspective and have lost count of the times I've been faced with senior directors deciding to ignore the problems because they've never been hurt by it before. There are also those that will throw huge amount of money to close the hole after they've been stung.

      This exercise sounds like it was carefully planned and controlled will have succeeded in proving to the students how they cannot assume that standard human behaviour is secure enough and should have highlighted very well to the campus staff how lax they are in their practices.

      Sure, it's a bit unorthodox, but I bet the lesson was learned well and the memory will last.
      nemesis-t-warlock
    • RE: Steal laptops for class credit?

      @pupkin_z The researcher owned (or at least had responsibility for) the laptops he directed the students to 'steal.' He'd loaned them out specifically for this purpose. It's not unethical to take something if the owner asks you to do it, with the understanding that it's to be returned to him at the end of the exercise!<br><br>That said, I hope he did make a point of telling the students it's never okay to actually take something for gain without the owner's permission. (I also hope all the laptops were accounted for by the end of the experiment.)
      Ginevra
  • RE: Steal laptops for class credit?

    As @intman said... read the article. No laptops were stolen. The laptops belong to the PhD student. That student lent them to people and gave them specific instructions to protect these laptops. Then the class went into the field to test how many of these instructions were followed.<br><br>It is no different than asking my children to lock the door. Then, I ask a friend to come and 'check' if the door is locked. Is that friend breaking and entering into my house? I asked that friend to enter my house and, therefore, no law was broken. Or even ethically challenged!

    But thanks to Charlie Osborne for using such a catchy title. Good Journalism! At least you people were drawn here to read the title. Too bad you wasted your time commenting rather than reading.
    adamman
    • RE: Steal laptops for class credit?

      @adamman Pupkin's reading comprehension is just sufficient enough for him to start a pointless rant. I would imagine he has never been employed in any field more mentally challenging than mattress testing.
      thetwonkey
      • RE: Steal laptops for class credit?

        @thetwonkey: "mattress testing" - Uhm... That would still require objective comparisons.
        Natanael_L
  • RE: Steal laptops for class credit?

    Why is this question even being ask? It sounds like the class could have been held at the Joliet Correctional Facility (a prison here in Illinois).
    kitkimes419
    • RE: Steal laptops for class credit?

      @kitkimes41: I'm not sure if you understood the purpose of the assignment, but it was to train the students to spot security holes so that they later can learn how to fix them.

      You can't fix what you don't know is wrong.
      Natanael_L
  • RE: Steal laptops for class credit?

    They should have a mandatory follow up class where half the students must now safeguard the laptops while not in their control, and the other half try to retrieve them (i.e. steal). That might give them a better idea of what businesses must do to control resources from theft. Social engineering is usually the weak point in any security system.

    The university should also have a follow up with their own security and cleaning crews to review procedure. I am hoping that it isn't standard practice to open someone's door for a student without permission. It might be a better learning experience for the University staff than for the "students".
    Silent Observer
  • Some people here don't get it

    This experiment had nothing to do with stealing laptops. It dealt with exposing the vulnerabilities of the security system in place to protect the computers. These laptops weren't stolen. The owner of the computers in essence said to get his computers back from the careless people he lent them to. This was similar to white hat hacking.
    mark16_159