Hacker News new | past | comments | ask | show | jobs | submit login
Ask HN: Running a hackathon and someone's laptop got stolen, what should we do?
92 points by pulakm on Sept 7, 2013 | hide | past | favorite | 58 comments
I'm one of the organizers of PennApps, which takes place in our university building. Someone left a laptop unattended, and it was stolen. This is unprecedented - we've never had any thefts in the previous 6 iterations of the hackathon. However, it's a lot bigger this time around (1000+ students), and people are a bit more spread out. We have security measures in places and guards around the building, but there are definitely entrances to the building where people can get in when someone is leaving, without having access.

My question is - what is the appropriate response to something like this happening? We want to help the person who had their computer stolen have a positive experience, but we also don't want to create adverse incentives.

Unless I was specifically informed that it would be safe to leave my belongings in any area, I would assume that it is not safe to do so, and if I left my laptop unattended and it were stolen under these circumstances I'd be pissed off, but I wouldn't expect the event organizers to take any responsibility for it at all.

The idea being kicked around to take a collection from attendees is okay in theory but I'm not convinced having to file a police report is a sufficient barrier to future attendees claiming lost laptops in the hopes of getting $1000 from random strangers. Also you'd have to be really careful to make sure it was well understood the collection is totally optional, and not set it up in such a way that people who didn't want to participate for whatever reason weren't made to look like asses in public. Put in that situation I'd have no problem dropping $1 or $20 into a collection hat, but expecting everyone (especially students) to have such disposable income isn't fair.

you could build a venmo collection jar!

hackathon idea there. pivot!

I'd suggest a offering a significant reward for information leading to the return of the laptop. This signifies that it's a matter that you take seriously, without claiming responsibility for protecting others' property. Choose an amount that is comparable to the street value of the laptop. Take up a collection to pay it if ends up being paid.

This motivates anyone who has suspicions or inside information to come forward. If it's a theft by a student, it's quite possible that someone besides the thief knows what happened, but doesn't want to appear 'uncool' by expressing their disgust. A monetary reward may overcome this, and potentially makes them into a hero rather than a coward.

I would not offer any sort of amnesty or no-questions-asked policy. If you end up finding the thief, prosecute them. If someone claims to have 'found' the laptop in the the bushes, seems very interested in the reward, and you are suspicious, turn the matter over to the police and let them decide if the story holds up.

Specifically, I don't think you should offer warnings to others to take greater steps to protect their property. This has the appearance of blaming the victim, and potentially helps the thief (and potential friends) justify their actions to themselves as something the victim deserved for their negligence. Making it known the crime occurred is sufficient warning. It's in each individual's interest to protect their personal property, but not in the group's interest to create a 'fend for yourself' attitude.

Reward sounds like a good idea. If you're planning to pay for the laptop you'll be spending the money anyways. This way you might catch the thief as well.

Two choices IMO, 1) if you can afford it, replace the laptop. 2) If you can't afford it, then take up a collection from the attendees. As for adverse incentives, you should always presume that people are honest and good. However, to cover yourself (and it is a good idea anyways), make them fill out a police report. Keep a copy on file for yourself. This would give any would be profiteer pause, as there are real consequences to filing a false police report.

Taking up a collection is a good idea, gets everyone on their toes about watching each other's backs, and puts the responsibility on the entire community. If each participant threw in a buck or two, that's a new MacBook Pro.

My personal feeling is that a collection is more appropriate with an emergent problem "has no ride home and is stranded".

Once your laptop is stolen it's more of an issue of all your stuff being stolen as well (that is on the laptop) as opposed to just a piece of hardware. How are you supposed to do your thing if your laptop which is setup just for you has been stolen and you are at a hackathon?

(As a side note when I travel I travel with a cloned hard drive (encrypted) that can be used to boot another laptop.) Hard drive is always on carry on luggage as well. Cloning tool that I use is "super duper" (that's the name)).

Sure, there's a lot more pain than just the cost of replacing the laptop itself.

That said, the laptop cost is a big expense for many people (especially students), so it's helpful. Also it's a nice gesture. (“Look, the community cares about you.”)

I think this is close to a "teach a man to fish" situation. If the community really cares shouldn't they be proactive in some way to work to prevent this from happening instead of reacting? And it seems that (from what others have said) from the behavior of participants (someone who replied to a comment I made) that this could easily happen many more times as the crowd increases in size.

I like the collecting idea, especially if you couple it with a message to raise awareness.

Something like a little talk about HDD encryption, kensington locks, hidden softwares calling home, webcam taking pictures every 10 seconds and destroyed after a while unless asked to, etc.

I like the collection idea as well. However, I'd also lend them my laptop so they can still participate.


I like this approach from beginning to end. It spreads the financial hit amongst the group, spreads awareness and addresses the possibility of adverse effects of folks trying to take advantage of the effort and good will.

As much as it sucks to have a laptop stolen if you're hosting an event with 1000+ people I think you need to adapt the policy of not being responsible for lost or stolen items.

Many of the comments here mention a certain level of trust in the [hacker] community...sorry but not every single developer is a saint who would never consider stealing someone's laptop. The larger the group the more people you'll have willing to steal if the opportunity arises.

Also don't forget that at an event that size outsiders could potentially get in or maybe some staff/security did it.

Best bet is to think about it as being a completely public place at that point. Would you leave your laptop unattended at the corner of a busy street?

Hopefully the laptop ends up being misplaced or reported to lost&found and the organizers just don't know about it yet.

Relying on perimeter security is a folly. Believe it or not, there's an intersection of people who are are interested in both the hackathon and opportunistically stealing laptops. As your event scales, the chance of having these people increases while group-wide empathy decreases.

If it were a company sponsored hackathon, I'd probably just pay for the laptop. Probably wouldn't publicize the whole thing, and if it happened a second time, would seriously re-evaluate security.

A school or community hackathon is a much more ambiguous situation. Get a police report, and see if you have event insurance or something to cover it.

I never leave stuff unattended in public, but things like hackerspaces, YC's office, etc. feel different. I do screenlock always, but I can't say I'd never leave a machine unattended in a semi-public environment.

I've never been to a PennApps Hackathon, but from what you describe (1000+ people), I'd imagine that it's pretty much impossible for event organizers to prevent this. I think the key here is the 'left unattended' part of the scenario. The solution would be to tell the teams not to leave the equipment unattended. It's unfortunate, but a reality of life (even at a Hackathon with a great community); There are bad people out there. I've been to quite a few Hackathon / Startup Events (granted, much smaller), but I've never left my equipment unattended. I consider it a part of Teamwork, Communication, and Organization. If someone from the Team isn't there to watch the equipment, then it comes with me or gets packed up and put away somewhere safe.

> The solution would be to tell the teams not to leave the equipment unattended

Please no. Don't contribute to this cover-your-ass culture of information clutter by disclaiming the obvious with braindead notices that nobody is expected to read. It's common sense to maintain responsibility for your stuff to the extent you'd like to avoid having it mucked with through malice or ignorance.

Most hackakthons are at the pro level, so it's industry peers and security for this is never a concern.

When you have 1000 students in a hackathon, then yeah it's a good idea to point out the difference.

Having something rammed down your neck like you're a 10 year old never really helps. Being a victim helps people remember the basic things. Have a couple of people walking around placing stickers on laptops that are unattended. When the owner returns they'll see a sticker saying something along the lines of "your laptop has been stolen", and they'll quickly feel foolish for dropping their guard.

That sticker solution is much more '10 year old' than a general warning to watch out for your own stuff. It gamifies the situation, rather than being direct about it.

Security is always an individual's concern, and to the extent one does not think about it just means they are unconcerned. Are bad neighborhoods supposed to have warning signs? Or maybe city-wide address systems should be used to warn people of increased crime every time it gets dark?

Unfortunately, not everyone has common sense. Stating the obvious seems like a simple solution. Sorry for the Clutter.

Agreed, but there's a way to do it and there's a way to do it.

There's a world of difference between: "Don't leave your equipment unattended, boys and girls" and "heads-up: we've had stuff go missing in the past."

It's common sense for hot beverages to be hot. But alas, we've crossed that line as well. This one seems less ridiculous, though it's never too let to attempt to reverse the trend I suppose.

The appropriate response is to as much as possible help them contact the authorities and/or to keep a lookout for the laptop and the thief. But, you also have a hackathon to run, so you cannot inconvenience others just because someone was thoughless enough not to take their laptop with them when they went to the bathroom without someone they trust watching it for them.

As someone currently attending PennApps, I'd be happy to chip in a few bucks to support the person who had their laptop stolen.

Sorry that you have to deal with this Pulak :(

First thing to install on any devise : Prey. http://preyproject.com

It's great to track your hardware, it can event take screenshot of the screen and pictures with the camera.

any professional cannot allow/afford/stomach the idea of even having their device boot if stolen.

something like this written as a hardware/bios/whatever malware is more interesting

Honey pot user or operating system? A major drawback to prey is that it only works when the thief logs into the account.

If I was the participant with the stolen laptop, I'd first of all be really bummed out over not having the opportunity to participate in the hackathon because of stolen gear. I'd try to find them a computer they can use to hack on, and hopefully they didn't lose any work.

I don't know what to say about the stolen gear itself. People should take responsibility for protecting their own stuff, but that's a real challenge over a weekend non-stop sort of event, especially of that size. People need to eat, sleep, etc. I guess it's a lesson learned to have clear disclaimers of responsibility for future ones, and I'm not sure what to say about replacing that participant's computer. Not a fun situation, and it's hard to find fault on anyone (except the thief, of course).

On a community-basis, reporting widely and promptly about unfortunate events via your typical channels is important and a strong community-safety-measure, as well as an opportunity for safety-awareness and for participants and others to make-whole and contribute toward the losses that one or more community- or event-participants have had.

It is not so great that the possibility of the difficulty described by the original poster had not been thought of in advance, and that a clue and a policy is now needed after the fact.

Standard cautions to participants as a matter of policy are appropriate for all public events and occasions.

This is because no project or event can afford to suggest or create a culture that implies that the project is able to assume that participating individuals will be made whole from failing to attend to their valuable assets, whether they be computers, mobile phones, wallets, coats, hats or their bodies; further it is appropriate to warn all participants that civil authorities may be called upon to intervene or participate when inappropriate activity is discovered or reported.

A project or event code-of-conduct is appropriate, and having a policy guiding organizers and empowering all volunteers and participants to act against against miscreants with inappropriate behaviors is also a community-building and safety-building experience, in addition to the event's particular mission.

More generally, as a community-empowering project and event, an important measure, towards community-building, safety, and inclusiveness includes noticing populations that are desired and not always well-recognized, and dedicating your event toward providing a harassment-free conference experience (since property-stealing is a harassment) for all individuals, regardless of gender, sexual orientation, gender identity, disability, physical appearance, body size, race, or religion. This invites all participants to act individually when inappropriate behavior occurs.

This is a typical class of policy and notice that universities resort to, in anticipation of an occasion when a member of its population of students, staff, or professors is discovered to be acting beyond social, legal or ethical norms.

... or you could focus your effort on productive things instead of dedicating an ever-growing amount of resources coming up with copy to appease feel-good busybodies. The map is not the territory, and overemphasizing the map's importance is a great way to kill any organization's spirit. As organizations scale, it's inevitable that they will eventually fall victim to red-tape-promoting leeches, but that doesn't mean you should seek to actively court them.

What should we as a community do about this? Honeypot Laptops.

Laptops modded specifically as honeypots. They could be modified to maximize battery life, and pass muster as an ordinary laptop under casual observation. However, their real purpose is to sit there in extremely low power mode, waiting for someone to move them, at which point, they fire up their radio and gps, and signal cameras and security personnel on-site to start watching.

Are onboard accelerometers good enough to do dead reckoning positioning of the device within the building, provided they have good data to work from?

>Are onboard accelerometers good enough to do dead reckoning positioning of the device within the building, provided they have good data to work from?

Sort of. Dead reckoning with accelerometers is only as good as the error correction. Accelerometers tend to gain error factor very quickly without using a form of sensor fusion such as a partnership with a magnetometer to cross reference things like yaw with.

"indoor gps" is a point of intense interest right now it seems like for in-shop marketing and other (evil) things.

That's arguably entrapment, and not your job.

Leave the detective work to the cops, Bruce.

I had heard that the police in Washington state in the 90's used to leave sets of rims in the back of pickup trucks parked on the side of the road as a means of honey-trapping thieves. I also heard the cops referred to it as a time-saving measure. "Entrapment?" That's stealing, plain and simple!

Anyhow, how would that be different than someone walking out of a building with any other piece of a school's or a hackerspace's equipment? What are they going to tell a judge: "It was an unattended laptop. I had to steal it!"

The key word in your first sentence was "the police".

An unattended laptop in such an environment is not an inducement to steal. All that's happening is that a particular piece of equipment is secured a bit more than usual.

Was it a Mac? I'm sure MacBooks have the ability to be tracked if the owner allowed it. I have a MacBook pro and the guest account allows a thief to login and I can track them through the guest account.

I didn't realize that Find My Mac works with the guest user under FileVault 2 (full disk encryption built into OS X — the guest user boots into a unencrypted partition that only runs Safari).

Source: Glenn Fleishman http://www.macworld.com/article/1163387/can_filevault_2_and_...

Unfortunately, some of the side-effects of experience are distrust and paranoia. These are very effective experiences in software development.

If this theft happened to an experienced pro, then their data is encrypted and backed up, so all they've lost is hardware, and that's probably covered by insurance.

If the theft happened to a student, then maybe they're not the most experienced engineer. They might not have backups, and their data might not have been encrypted. They might not be ensured. The hardware cost is still - comparatively - cheap. But they might have to rewrite their thesis from scratch. Or risk having their personal data exposed to the public.

But at this point, the only help that financial aid can give, is restoration of the physical loss - i.e. a new laptop. In most cases, that wouldn't compare to the loss. But it might help, a little.

"Someone left a laptop unattended, and it was stolen."

Never been to one of these so could you elaborate as to how a laptop was left (and for how long) so that it was stolen? (I'm curious about the details).

As an example is this like being at an airport terminal with your laptop, turning around for a second, and turning back to see your laptop missing?

Or more like leaving the laptop and going to the bathroom?

Or leaving the laptop for a minute while you go two tables over to chat with someone?

Do you know the exact circumstances?

On hackathons it's quite common. You leave a laptop on your workplace, go for lunch, or for a walk, or whatever. Usually there are only other hackers there, few bystanders, so the environment is quite secure.

That's why it's so sad when situations like those happen - it undermines the trust within the community. On Airport, or at the coffee place I wouldn't expect my laptop to be there if I left for an hour. On a hackathons I left my laptop for hours at a time. The only problem was that with the amount of MB Airs laying around, unless you had some stickers, it might take more than a moment to find yours :)

This attitude that "hackers" are all virtuous is a bit naive. I've known talented hackers who were not above taking advantage of another's misplaced trust. Would you leave $1000 in cash unattended on a table at a hackathon? Why would you leave your laptop?

If your observation is typical (and I will assume that it is) then if it's so common for people to leave something like that un attended then I would think there is an obligation on the part of the organizers to provide some type of security for the laptops because from what you are saying there is a defacto assumption of security by the way people seem to behave.

That could be as simple as something that would allow someone to easily lock the device to the desk and include providing the lock cable (depending on the cost).

Because from what you are saying it is not practical for a participant (and almost expected) that the laptop will be left unattended.

Edit: Defacto assumption of security or safety by virtue of the type of attendees and the venue.

You have a point, but in this case it's a hackathon with over 1000 people. It can hardly be called a "community" thing.

Tough call.

Definitely add a new section to the promo materials / introduction talk to remind people to watch their stuff, and that you're not responsible.

It's the person's fault for leaving their stuff unattended (everybody should know not to do that in a university building, even during special event). But you might chip in and help/replace it, as long as its just this once.


I agree, Storage isn't that much of an issue these days and six web cams around the place feeding into portable USB drives is pretty simple to set up with a RasPi these days. Then you have the chance of adding a face to the police report as well.

WTF? There are systems for doing that task specifically, why would you want to build one from scratch?

Well assuming the Hackathon is on a razor thin budget (which I grant you it may not be) might be able to support adding some equipment which can be tasked to other things when not hackathoning and can be installed/removed in a variety of venues. The WebCam/Pi/Disk system is about $100 (less if you use the Pi's camera module).

You absolutely could go out and buy a video surveillance system of course.

So that you can incorporate plausible deniability, selective disclosure, and secret-sharing based quorum. Do you really want to have created a system that gets subpoenaed for automated guilt-by-association when it turns out that one of the participants is being investigated for thoughtcrimes?

FWIW, building this out with a Pi is a trivial task and would probably end up much cheaper/more flexible in the long run.

Collect $2 each from the 1000 participating students... and buy the guy a new laptop. I am sure they would not mind ... and for those who do there will be others who will put in some cash.

What kind of computer was it ? What OS ?

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact