Steal laptops for class credit?
Summary: 30 laptops are stolen on campus - do you punish or reward the thieves?
Students at the University of Twente stole 30 laptops from university staff across campus. Were they prosecuted? No -- instead, they received extra credit.
As part of a scientific research project, UT researcher Trajce Dimkov requested that the students attempt to steal the devices from campus -- and it seems to have been a very simple task to ask of them.
The researcher's PhD thesis, entitled "Alignment of Organizational Security Policies, Theory and Practice" explored the ways in which security practices can be thwarted by human behaviour and habits, such as forgetting to lock a door or not completing tasks due to the effort involved.
Under the guise of conducting a user survey, Dimkov loaned out the laptops to university staff members that were selected randomly. These members of staff were asked to make sure that the machines were chained to their desks, to secure them with a password, and to lock the door when they left their office.
In anticipation of the student thefts, university security were informed so that the research participants wouldn't find themselves in jail for taking part in the experiment.
The students were then asked to steal the laptops.
In total, sixty documented attempts were made, half of which were successful. Dimkov concluded that no matter how watertight a security system appears to be, its effectiveness is determined by human behaviour. The researcher said:
"Some people forgot to lock their door. In other cases, the students were able to think up a cover story that was sufficiently convincing to get a cleaner or caretaker to open the door for them. Other students were able to obtain the laptops by posing as technicians. Some claimed to have left their laptop in their supervisor's office, and that they needed it urgently, to complete an assignment. People tend to make an effort to be helpful, and a good cover story often does the trick."
In an attempt to thwart such 'thefts', Dimkov has developed a prototype navigation system which identifies the ways in which such devices can be stolen. Once data is submitted into the system, including data concerning location, rules, security locks and codes, the prototype uses algorithms to generate a number of sequences in order to find any weak spots in security protocol.
Image credit: University of Twente
Related:
- 'Hard work' turns students away from science, tech?
- Bizarre apps for your iPad and iPhone
- Decade old virus harvests information from college computers
- How do universities use social media successfully?
- Father puts .45 through teen daughter's laptop over Facebook post
- Memes that describe the student experience
Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.
Talkback
If "ethics" are to be valued, it is abhorrent to congratulate them,
Do we want thieves and other unethical sorts running our society?
Given that this was a class assignment, the usual talk of ethics can't be strictly applied, but...
* put in a new HDD and you've got a free expensive toy
* if the BIOS/EFI is locked, if there is a way to unlock it them it will be found
etc
And the solution is regardless - have ID badges, wear them at all times, and be prepared to show them. There's nothing intimidating about living in such a secure paradigm, yes? Nothing that might wear people down over time, no?
RE: Steal laptops for class credit?
In plain sight opportunity for data theft is a bigger problem vs. viruses
" This is a suitable example as to why having a soft briefcase to carry your laptop with you at all times is the only way to go. All it takes to walk off with an expensive computer and make it your own is a $100 o.e.m. copy of Windows7 from an online retailer and removing the hard drive for a delete and reformat using any desktop computer."
RE: Steal laptops for class credit?
Most verification systems that depends on humans will fail in the end if people don't feel that they are important.
RE: Steal laptops for class credit?
RE: Steal laptops for class credit?
It was an experiment on the flaws of security systems. Presumably, the students have to give the laptops back.
I'm wondering if these two read the entire article.
RE: Steal laptops for class credit?
RE: Steal laptops for class credit?
RE: Steal laptops for class credit?
RE: Steal laptops for class credit?
It is not illegal if you have permission. And that the key here - the students were *given the assignment* to get one of the computers *by the owners*. The computers were stored in secure places, and the affected people were notified about the assignement given to the students in advance.
So no laws has been broken.
Also, how the **** can you properly understand security if you never try to break it yourself? These guys are supposed to learn how security works and should work, and if you never have learned to spot weaknesses, you can never create a secure system.
RE: Steal laptops for class credit?
This exercise sounds like it was carefully planned and controlled will have succeeded in proving to the students how they cannot assume that standard human behaviour is secure enough and should have highlighted very well to the campus staff how lax they are in their practices.
Sure, it's a bit unorthodox, but I bet the lesson was learned well and the memory will last.
RE: Steal laptops for class credit?
RE: Steal laptops for class credit?
But thanks to Charlie Osborne for using such a catchy title. Good Journalism! At least you people were drawn here to read the title. Too bad you wasted your time commenting rather than reading.
RE: Steal laptops for class credit?
RE: Steal laptops for class credit?
RE: Steal laptops for class credit?
RE: Steal laptops for class credit?
You can't fix what you don't know is wrong.
RE: Steal laptops for class credit?
The university should also have a follow up with their own security and cleaning crews to review procedure. I am hoping that it isn't standard practice to open someone's door for a student without permission. It might be a better learning experience for the University staff than for the "students".
Some people here don't get it