Just read this really interesting article on the idea of the Kobayashi Maru Test. Gregory Conti and James Caroland describe a test they gave to 20 students which encouraged the students to cheat in devious and creative ways. Drawn from the TV show Star Trek, the Maru Test applied by the authors was intentionally unfair and given with very little warning. The test: write the first 100 digits of pi (3.14159…) from memory. The students were informed that they were expected to cheat and the most innovative techniques would be awarded a prize, but if they were caught they would immediately fail. No one failed.
I thought this article and the experiment it described was a breath of fresh air and something that should’ve been explored a long time ago. The basic point is that in the real world, and especially in human security systems, our adversaries rarely obey all the rules and the best way to stop them is to learn to think like them. The major thing this test taught was to not play by the rules. In fact, it encouraged changing the rules, exploiting the system, and thinking outside the box. I love the way this test was set up and all the before and after activities they included, which you can read about in the full article.
The techniques used by the students varied, but I especially liked one student who only memorized the first 10 digits of pi, assuming the teachers wouldn’t bother to read past that. He was right. Another student created his own version of the test booklet with the answers already in it and handed it in instead. Although the rules around the test were looser than in a regular classroom and the proctors weren’t obsessively trying to catch them, that wasn’t the point. The point was to encourage students to think creatively about the system and how to best exploit it. I think this quote says a lot:
“We must not tie our hands, and our intellects, at the same time. If we truly wish to create the best possible information security professionals, being able to think like an adversary is an essential skill.”
I could write more, but I don’t want to merely repeat the whole article. You can read the whole thing here.