Stealing Laptops For Class Credit

First time accepted submitter core_tripper writes "Students at the University of Twente have stolen thirty laptops from various members of the university's staff. They were not prosecuted for this, so they could just get on with their studies. Indeed, these students even received ECTS credits for these thefts. UT researcher Trajce Dimkov asked the students to steal the machines as part of a scientific experiment. Stealing these laptops turned out to be a pretty simple matter."

Looks like a familiar contest.

[sethstorm]

This sounds like Pwn2Own taken to the next (and otherwise illegal) level. In this case, it looks like they were auditing physical security amongst other things.

Re:Looks like a familiar contest.

[daedae]

Two relevant anecdotes from when I was in college:

1) In an artificial life course we got to propose our own semester project. One guy wanted to write a worm, but the professor was afraid that his tenure would not be enough to protect his job if the worm got out of hand.

2) One faculty member that taught a computer security course used to make the offer that anybody who could successfully access his gradebook and change their grade could have the higher grade. He stopped doing this after students switched from trying to electronically break in to just casing his house.

Re:Looks like a familiar contest.

[stephanruby]

This sounds like Pwn2Own taken to the next (and otherwise illegal) level .

They did not do anything illegal. They technically didn't trespass, they had prior permission from the University Security office. And they technically didn't steal anything but loaner laptops that had been loaned out to staff for the express purpose of this experiment.

The only reason you think they might have done something illegal is because of this phrase in the summary: "They were not prosecuted for this, so they could just get on with their studies." And the fact is, this sentence is just poorly worded (by the original non-native English author), and they were not prosecuted for this, not because of some weird altruist reason given by the University. The real reason they were not prosecuted is because they were given prior permission to do this experiment by the University Security office itself (and furthermore, the laptops they were stealing had been supplied by the grad student who wanted them stolen in the first place).

So in all regards, this seems like this was a well executed experiment. And it goes without saying that you should get prior permission before doing any kind of penetration testing or security audit. And ideally, such a permission should be clearly spelled out and obtained in writing, since executives have been known to go back on their word with security auditors once they find out how bad their security really is.

Also note that sometimes, con artists will recruit people to steal things for them under the guise of having them doing a security audit, so if you're going to participate in such an audit yourself, you better be damn sure that the person who's asking you to do such an audit is really the person they're claiming to be (and even if they are, that they're not setting you up for a theft that they've already committed themselves).

Re:Looks like a familiar contest.

[LocalH]

The person you responded to said "otherwise illegal". Not that it was illegal as done here, but that it would otherwise be illegal without collusion with those being "stolen" from.

Re:Looks like a familiar contest.

[stephanruby]

Ah ok, now I see what you're saying! Yes, it could be interpreted that way too. Please ignore my previous anonymous reply.

The original parent will have to clarify what he meant, because in my personal opinion, it could still be interpreted either way.

Re:Looks like a familiar contest.

[1u3hr]

In this case, it looks like they were auditing physical security amongst other things. "Looks like"?

If you'd bothered to read the fucking article instead of racing to make a first post, you'd know that was exactly what it was about.

Re:Looks like a familiar contest.

[JustOK]

The University Security office does not have the authority to allow people to break the law.

Re:Looks like a familiar contest.

[Zero__Kelvin]

No. It can only properly be interpreted one way. Taken to an otherwise illegal level means taking it to a level that is (still) not illegal. The reason it is not illegal is presumably and by implication extenuating circumstance.

Re:Looks like a familiar contest.

[flappinbooger]

The University Security office does not have the authority to allow people to break the law.

No but the campus cops can choose whether to involve the actual cops or not. Crimes committed on campus don't always leave campus.

Also certain crimes committed OFF campus by students are given back to the campus cops, particularly the stupid stuff.

TFA seems to be describing something along the lines of a "security audit" or a "pen test" which would be illegal except when they are .... not.

Um, English fail

[tautog]

Even if the submitter speaks another language, couldn't Timmy at least READ the summary before posting it??

In the other news

[roman_mir]

In the other news, 30 new government positions have been allocated as part of a "job program" to 30 soon to be graduates out of University of Twente. Seems like all of them will be IRS related jobs.

Re:"Human behavior"

[arth1]

It doesn't mention whether the cleaners or caretakers knew the people they were letting in or not.

Does it matter? A lot of thefts are inside jobs.

outsourced cleaners with poor English don't know a

[Joe_Dragon]

outsourced cleaners with poor English don't know any better and a good story is all it takes to get past them.

Security without security?

[Dahamma]

"The university’s security staff were informed in advance, to make sure that the students involved did not end up in jail."

Physical security is a lot harder to enforce when you tell the physical security not to do their job...

Re:Security without security?

[RyuuzakiTetsuya]

They were testing whether or not the staff followed good practices with physical security.

Re:Security without security?

[Telvin_3d]

From the description, I suspect the notification was more along the lines of "If you catch a student stealing a laptop, see if they are on this list before you call the cops" and not "sure, they can take whatever they want"

Re:Security without security?

[KevMar]

I think its just the opposite. They didn't tell them to let the students steal the laptops, they let them know in advance that if they catch someone taking the laptop that it may be legit. Just by mentioning this would have made it harder because laptop theft would be on the security teams mind making it easier to spot.

Re:Security without security?

[Darinbob]

Of course, it would be a good scam to tell security that it's a class project anyway. Then after all the laptops are missing and don't show up again, they look up your name and find out you're not a professor and are nowhere to be found.

Re:Security without security?

[Dahamma]

Of course, if your theory is true that could skew it the other way, which still affects the outcome ;)

I assume those students had a list of the exact faculty with said laptops, etc. It's a *bit* more than random theft when you have a coordinated effort to take something *knowing* that you would never be punished for it in the end. Still an interesting study and hopefully provided useful data, but it's still fairly contrived...

Re:Security without security?

[Dahamma]

Yes, and you are an expert from all of the cop dramas you watch on TV? Or are you an AC because you are actually a master thief giving us your secrets?

Your example is not really relevant, I doubt any college students *mugged* their teachers. And 30 laptops from one imaginary project stolen in short order? Sure it's all speculation, but the security guys had 2 choices: 1) report the thefts and point out the connection that they already knew 2) ignore it because a teacher specializing in social engineering security told them not to harass his students. How do we have any idea what they would have decided if they weren't given prior knowledge? (which was basically my original point)

Re:Security without security?

[Dahamma]

Yeah, that's all I was saying... maybe if they called the cops after the first few the next 25+ would have been a bit harder :)

Re:Security without security?

[Teun]

I am fairly sure the information was not to the individual security persons but more to their manager(s).
Besides, as others already stated they were not testing the security department.

Re:Security without security?

[KevMar]

I would find that is a perfect opportunity for security to practice protocol. Do everything except report it to the authorities. Even do the data loss analysis.

In the case where the doors were locked, hunt everyone down that had a key and question them. Track each breach down.

I would love to attempt stuff like this at work.

Very cool research!

[gweihir]

Seems there are still scientists out there that know how to do something both spectacular and scientifically valuable. Impressive! I wish there were a lot more that can do things like this.

Laptops are easy.

[MrQuacker]

At the UofMN people walk out with entire desktops; while the people are still in their office. We had one person who was at her desk talking on the phone, with her back to the door, looking behind her out the window. Someone walked in, unplugged her iMac, and walked out with it.

Re:Laptops are easy.

[Skyshadow]

I work for a large company, large enough that I see people I don't recognize on our campus every single day.

Two years ago this weekend (Presidents Day, which is a holiday at our office) we had an enterprising thief roll a cart around our office around 5 PM on Friday, loading up laptops. Of course, by then most everyone had skipped out for their long weekend, but if someone was in the office he'd tell them it was for the "weekend virus scanner upgrade", promising people that their machines would be back on Tuesday morning.

I don't know this part for a fact -- our security people and management don't talk about this at all -- but I've heard it enough that I believe it: When someone objected to having their laptop taken, he'd act irritated and ask why they "didn't reply to any of the emails about the upgrade" and then make a show of updating his clipboard -- he'd collect the asset tag from the machine, office number and actually get the person to sign on the line.

I have no idea how many machines he made off with, but it was enough that we all had to suffer new BS security procedures for a year afterword. I would imagine that you could do this at pretty much any big office and get away with it.

Re:Laptops are easy.

[The+Wild+Norseman]

At the UofMN people walk out with entire desktops; while the people are still in their office. We had one person who was at her desk talking on the phone, with her back to the door, looking behind her out the window. Someone walked in, unplugged her iMac, and walked out with it.

Similar thing happened at a uni I had attended. Someone walked in while the prof was in the office, unplugged the laptop and walked out.

When the thief found out he had just stolen an Acer though, he just quietly returned to the office and plugged it back in.

Re:Laptops are easy.

[tsa]

I would have just dropped it on the spot and walked on :).

Re:Laptops are easy.

[Vijaysj]

Similar stuff happened in my campus :) Student had access to all the labs throughout the night and some mornings we would find equipment missing.
1. We had someone walking out with a few sun workstations
2. All the hard disks from one lab went missing one fine morning.
This was with posted guards on all entrance/exits.

More details on the marking scheme please!

[martin-boundary]

Suppose one of the students followed his friend around to see how he stole a laptop, and then later copied the method? Would he get credit, or be marked down for plagiarism?

Re:More details on the marking scheme please!

[BenihanaX]

And then suppose that student was not part of the research group (the "thieves"). Hope they had a backup security method.

Why stop?

Just specify some boundaries. Where was the imagination that birthed the idea in that decision?

And what do you mean casing the house, like attempting to break in or simply gathering information like the names of his children, their birthdays, he wife's name, etc.

Shoot, all anyone would need to get into my dad's laptop is his current dog's name. (Useful for my mom, but not exactly top notch security.)

Re:Why stop?

[OhSoLaMeow]

That's an odd name for a dog.

Re:Why stop?

[sexconker]

Shoot, all anyone would need to get into my dad's laptop is his current dog's name. (Useful for my mom, but not exactly top notch security.)

One of the many reasons I prefer dogs over cats.
Dogs can learn their name.

Re:Why stop?

Cat's are perfectly capable of learning their own names. They simply don't give a fuck when you use it.

Re:Why stop?

[MightyYar]

Of course cats can learn their name! How else would they be able to spitefully ignore you?

Re:Why stop?

[aztracker1]

My girlfriend's cat plays fetch... doesn't so much respond to his name though...

Re:Why stop?

[daedae]

My understanding was he meant casing in the sense of wanting to break in while he was gone, since to some extent once you give up physical security all bets are off.

Re:Why stop?

[SydShamino]

Several of our cats have recognized their names (as distinct from the names of our other cats) and come when called.

Re:Why stop?

[tchuladdiass]

Our dog doesn't call when called, but knows the cat's name. Every time the cat is called for dinner, dog comes running.

Re:Why stop?

[Anarchduke]

Try using a name that doesn't involve a curse word.

Re:Why stop?

"Cat's are perfectly capable of learning their own names."

Now if you only would be able to comprehend the use of apostrophes, then you would be almost as clever as a cat.

Re:Why stop?

[NotQuiteReal]

...speaking of food, I still think that as long as there are hungry people in the world, there is no such thing as an unwanted pet.

Re:Why stop?

[JustOK]

that was no dog, that was his wife.

Re:Why stop?

[DrSkwid]

>Dogs can learn their name.

making them easier to steal

Re:Why stop?

[Zero__Kelvin]

"Several of our cats have recognized their names (as distinct from the names of our other cats) ..."

Using disctinct names to identify a series of cats is a technique I highly recommend. I don't remember where I learned this practice, but it has been invaluable to me in my life. I have had nothing but good experiences following this practice. My friend has two cats named Daryl, and they aren't even brothers. It's a nightmare!

Re:Why stop?

[tsa]

So do my rabbits.

Re:Why stop?

[SydShamino]

My wife's step-granddad has a lifetime of dogs, everyone one of which he called "dog". But you know what I meant.

Re:Why stop?

[vandamme]

Yeah, but the shipping costs to Africa or wherever are the problem. It's bad enough with non-perishables. Too bad we couldn't ship them our old TV sets. I saw some in Nicaragua that I would have thrown out 20 years ago.

Re:Why stop?

[Zero__Kelvin]

"But you know what I meant."

Well then, you told me!, then, didn't you ;-)

Who was really at fault?

[Obfuscant]

From TFA:

The members of staff who had loaned the laptops were asked to make sure that these machines were always chained to their desks.

So the fault was with the people who loaned the laptops for not keeping them chained up. It's hard to loan someone something if you've chained it to your desk, but that's the best security if you don't trust the people you loan things to, I guess.

Re:Who was really at fault?

[Osgeld]

every laptop for decades has a kingston lock on it, which is a little tiny lock with steel rope that loops around anything you feel is too heavy to lift with your laptop

If I loaned you my laptop I would be pretty fucking pissed if it got stolen even after my specific requirements to prevent such an action, and lastly for some odd reasons people often view laptops as valueless tools, which has always baffled me.

  I watched a co-worker one day get seriously irate cause someone stole all the pens off of her desk, and while bitching and moaning about it got up and went to go have a hissfit in the middle of lunch... leaving a brand new macbook behind in a not well known but still public area.

Re:Who was really at fault?

[duk242]

I've had a few laptops stolen from a computer lab that were chained down with kensington locks.. They managed to get the window off its rails, then reach in and pull 3 laptops out, all 3 of them the locks weren't strong enough to survive them pulling them hard enough. Maybe it was because I used a cheaper brand lock or something, but still kinda annoying :(

Re:Who was really at fault?

[Osgeld]

yea but (and there is always a but) if you had loaned the laptop and told you specifically to lock it down in a locked room, which would you be more mad about when it was stolen?

"they broke into though the window and used all their might to rip the lock out of the laptop"

or

"I left it in the wide open, only tethered by its power cord"

An iMac doesn't exactly fit under the coat...

Did they find the person who did it or are you confessing?

Re:An iMac doesn't exactly fit under the coat...

[Anarchduke]

Of course not. why would anyone confess to a crime? Coincidentally, is anyone looking to purchase a completely legitimate iMac? Only thing wrong with it is that its serial numbers seem to have fallen off.

It wasnt stealing

[nurb432]

If they had permission..

Re:outsourced cleaners with poor English don't kno

[EdIII]

outsourced cleaners with poor English don't know any better and a good story is all it takes to get past them.

Being a janitor does not mean you can use social engineering to get past them. Even with a good story. It depends on the janitors.

I have used social engineering to get past people that can speak the English real good, get paid many times more than a janitor, and have college degrees.

Social engineering works on people that are not always considering security around them, and to a large extent, those that are not cynical and suspicious of others by nature. It's much harder to get past assholes with the best stories and a lot easier to get past a cute secretary that is outgoing and bubbly.

You get a 60 year old janitor who has seen it all and heard it all, and believes there are aliens at Area 51, and you have somebody with a finely tuned bullshit detector. Those are the equivalent of landmines in social engineering.

Re:outsourced cleaners with poor English don't kno

[mooingyak]

I have used social engineering to get past people that can speak the English real good,

Have you used it on anyone who could speak English really well?

trust

[Walt+Dismal]

Seems like a douche move rather than a fair one. A university is a place of somewhat more trust in others than the outside, because in academia you share knowledge with others, the spirit is a bit different, you don't take others' tools.

Taking advantage of that to run a test of whether it's easy to steal laptops is not entirely ethical.

Not to say that people shouldn't be careful, but exploiting them isn't cool either.

When I was in school, someone hacked my student account and framed me for downloading and piracy. I didn't have to go to court, but if I ever found out who did it, I'd gladly have caused them serious injury.

Re:trust

[sexconker]

Seems like a douche move rather than a fair one. A university is a place of somewhat more trust in others than the outside, because in academia you share knowledge with others, the spirit is a bit different, you don't take others' tools.

Taking advantage of that to run a test of whether it's easy to steal laptops is not entirely ethical.

Not to say that people shouldn't be careful, but exploiting them isn't cool either.

When I was in school, someone hacked my student account and framed me for downloading and piracy. I didn't have to go to court, but if I ever found out who did it, I'd gladly have caused them serious injury.

LOL.
Welcome to the real world. Protip: Academia, as much as it tries not to, does lie within the realm of the real world.
And anyone with a brain would be as untrusting, or more untrusting, of a university student/professor than they would of a random stranger.

Re:trust

[Xeno+man]

Where exactly does this sense of trust come from? Because you were a student and you trusted other students? You trust the faculty because they wouldn't risk their jobs?
That's great you have that much faith in your friends and such but that is not everyone that is in a university. Most schools have wide open doors most of the day where anyone can come and go as they please. Strangers are welcomed daily from delivery people, maintenance specialists, tour groups and friends of students and staff. It doesn't take much for someone to walk past an open door with a laptop sitting on the desk. It only take a few seconds for someone to throw it in their bag all because of an opportunity. Some people have the mentality that if something expensive isn't locked down, it means they don't want it so it might as well have a free sign on it.

Re:trust

[EvanED]

Know how I can tell you didn't RTFA?

No, it's not because this is slashdot. It's because the profs who were involved all agreed to it, and in fact didn't involve their normal machines. They didn't just go steal laptops and go "ha ha only kidding" after.

Re:trust

Actually, from a security perspective, Universities tend to be "hostile environments." You get a lot of bright, young minds all in the same place with relatively little to lose (compared to later adult life), a wide variety of background skills and you have a recipe for mischief.

Re:trust

[Walt+Dismal]

I went to a science and technology school that had an honor system, and not a ghetto university. We respected each other, whether graduate or undergraduate. Perhaps you should go back to Digg or 4chan where your background and level of intelligence are more appropriate?

Re:trust

[rally2xs]

Someone frames someone for a crime and you think they should just get away with it? Sure, I think most people would injure someone over that. What good would it do? It would greatly deter that person from doing that or anything else against that person, and it would show the rest of those privy to the situation that it is an extremely poor idea to cross that individual. It's the way things work in the real world. Don't want to get the holy S*** beat out of you? Then don't F with this guy...

Re:outsourced cleaners with poor English don't kno

[EdIII]

It's woooshhh in the English right?

The gateway experiment.

[rykin]

Interestingly enough, many of these students may never have attempted to steal a laptop because of the legal consequences. Now that they were given permission to become comfortable with the idea, it is more possible that one of them would be inclined to steal a laptop at a later point. After all, they now know how to get past security (assuming nothing is beefed up after the experiment).

Re:The gateway experiment.

[Teun]

People don't engage in criminal acts because they can but because they have a lacking sense of morality and honesty, tests like these aren't going to change their moral outlook to accept dishonesty.

Re:outsourced cleaners with poor English don't kno

[similar_name]

So the social engineering aspect made me think of William James Clark.

From Amarillo Globe News.

... he impersonated an army officer to take command of the launch site for nearly two days after 14 people were killed when an Interstate 40 bridge fell in eastern Oklahoma...

Re:The Dutch ...

[Darinbob]

And blackjack!

Re:outsourced cleaners with poor English don't kno

[MightyYar]

William of Ockham had no beard. The most likely explanation is that it was chewed off by squirrels every morning.

Love that sig - is that of your mind?

Re:"Human behavior"

[stephanruby]

It doesn't mention whether the cleaners or caretakers knew the people they were letting in or not.

Given that the University has 9,000 students and 3,300 faculty/staff, and that they were 60 attempts of thefts (only 30 of which succeeded). And given that this experiment was conducted in the context of a security audit, I doubt that the successful cases were all due the cleaners actually knowing the student (may be some of them knew some of the students, but surely not all of them did, and in at least one case, the student got to the laptop just because the door was found unlocked when the door was supposed to be locked).

Besides, "knowing" someone and building rapport can be faked in an extremely short amount of time. For instance, when Steven Spielberg was still a teenager, he got into the Universal Studios through a guided tour, but when he left the Studio that night, he escaped from the guided tour, he dressed himself up in a suit, and he made a point to address the guard on his way out by his first name. After that night, he was able to go back and forth through that security checkpoint as long as that same guard was there, no questions asked. He was wearing the right uniform, a suit, plus the guard "knew" him from the previous day.

Re:outsourced cleaners with poor English don't kno

[mooingyak]

Yeah that's an original.

Having 3 kids who love Dr. Suess in his many and varied forms, I've always appreciated your sig when I've spotted one of your comments.

How far can this go?

[Tablizer]

"We only looted, raped, and plundered for science." - Vikings

Re:outsourced cleaners with poor English don't kno

[mooingyak]

First time through I actually didn't notice the word 'the' in front of English.

hehe...

[hitmark]

Reminds me of the early days of computing, where often a student that was found able to break school system security was often given tasks by the IT admin.

IRB?

[DuranDuran]

Hard to see how a university ethics IRB (Institutional review board) could approve something like this.

Re:IRB?

[phantomfive]

"Why? It doesn't hurt anyone, after all." -Albert Einstein

Re:IRB?

[Teun]

Because they too found this an interesting experiment, maybe even more so than others?

The same counts for the security dept, it would be a valid learning point.

Re:IRB?

[Sigg3.net]

There is no contradiction between theft and being ethical (or moral, rather) provided your ethical ground does not respect property, property rights aso.

In example, utilitarianism is perfectly compatible with any conceivable horror, as long as the net pleasure outweighs the pain. (Most utilitarianist will not agree, and they are wrong.)

However, the story in casu is a competition not a crime.

Re:outsourced cleaners with poor English don't kno

[MagusSlurpy]

You get a 60 year old janitor who has seen it all and heard it all, and believes there are aliens at Area 51, and you have somebody with a finely tuned bullshit detector.

A guy that believes there are aliens in a hangar in Nevada has a finely-tuned bullshit detector?

Hell, all you'd have to do is tell him the G-men are coming to destroy the evidence of aliens on the laptop ("You always thought Dr. Smith was a bit off, didn't you?"), and he'll help you get it out of the building.

Actually, I'm pretty sure that happened in The X-Files.

what happens if the things go wrong?

[Joe_Dragon]

Like Someone picks up the wrong item?

Other laws are broken in the course of doing the test.

Some harass cop busts some one and let's say try to hit them with raising arrest or other charges like braking and entering or some other law.

Let's say you miss a test or class sitting in lock up waiting for it to be cleared up?

some chains the laptop to a weak point and the person trying to take it end ups makes a big mess by pulling on it.

What if some posing a technicians give fake advice ends and that turns in to a big mess or end's giving a fake name that ends' up with some taking the heat just as some named there name.

Re:what happens if the things go wrong?

[TheLink]

Then they fail to get the class credits?

Well done

[PopeRatzo]

I once gave my undergrad students a similar assignment where they had to each score an ounce of weed for me.

It was also a great success and provided them with an important life lesson about society and individual liberty. Or something.

The Dean of my department at the time was not amused, though he did think the sticky red bud was the bomb.

Re:outsourced cleaners with poor English don't kno

[MightyYar]

Can't claim any originality, though!

Re:outsourced cleaners with poor English don't kno

[mooingyak]

It's geek porn and you love it.

Well obviously

[Anarchduke]

Political science majors would get extra credit for theft.

I had

heard of laptops being stolen from large businesses by people dressed and acting like UPS/delivery/IT personel. These types of people are generally ignored. Act as if you belong there and people will think you do, even though they have never seen you before.

The most sucessful ones that I had heard of had dressed themselves as delivery people and walked in with a 2 wheel cart with empty boxes on it. The boxes were not empty when the walked out again.

Re:"Human behavior"

[AnotherAnonymousUser]

I'm really curious, but is there a citation or place you read this? I want to find out more :)

Re:outsourced cleaners with poor English don't kno

[MartinSchou]

Thankfully the cleaners spoke perfect Dutch, which was a good thing, as the University of Twente is in the Netherlands.

Dumbass.

Twente

[andersh]

Hehe, but it's pronounced twent-eh in Dutch, sounds nothing like twenty ;)

http://www.forvo.com/word/twente/#nl

Re:The Dutch ...

[Teun]

We don't pay for grass and hookers, as your posting just confirmed those sort of things are for foreign visitors and tourists.

Re:What a crying SHAME!!

[Teun]

there were no controls and everyone was in on it.

Who told you?

Re:outsourced cleaners with poor English don't kno

[MartinSchou]

Yes. [sarcasm]

But more to the point - who cares if janitorial employees in the Netherlands speak English?

Re:"Human behavior"

[mattie_p]

I assume you mean a citation for the Spielburg anecdote. Unfortunately, it is exaggerated. Read more here: http://www.snopes.com/movies/other/spielberg.asp

Re:outsourced cleaners with poor English don't kno

[MightyYar]

Boom chicky boom boom

Three little words

[slick7]

Lojack for Laptops.

Re:"Human behavior"

[stephanruby]

Actually on second thought, I wonder if the offices of the targets were far enough away from each other and if the same cleaners didn't get far many more requests for opening doors that they usually did on a given night -- thus raising their suspicions a little bit.