Why you don't steal from a hacker. (infosec20.blogspot.com) My flat was raided and ransacked during the London riots, but thanks to tracking software I fed intel to the London Metro police until he was apprehended and my laptop returned.
I'm impressed that the police dust for prints in England. I've never heard of someone getting that kind of thoroughness for a domestic burglary where I live.
As far as I know, they never caught anybody, but at least they tried. I'm pretty sure it was my drug-dealing neighbors two houses down... especially since the guy three houses down claims the security cameras on his porch showed them taking stuff from our house to theirs. Oh well.
Thorough investigation, dusted for prints, and even took sample of nondescript, possibly bodily fluid (turned out to be non-organic).
Very professional; Though wouldn't get burglarised again.
Problem solved!
Nice story though. And I'm happy another rioting / looting is going to court to answer for their actions.
To me, the hacker/cracker thing is just a lost battle and thus a big waste of time.
That being said, I'd only use "hacker" in the original sense, i.e. the hacker philosophy about exploring, learning and teaching. To me, a person with no clue about cars that learns to fix it themselves is by definition a hacker.
You all too often see people pulling the e-peen thing on the net, which I find sad, as it's also just another waste of time. The "correct" use of the term hacker is just a pretense imho.
In the same vein of whining and bitching: has there been another influx from reddit lately or is the cooling effect (or what it's called) only gradually noticeable? I've noticed that I'm more disappointed with the content and comments on HN lately, even more so on reddit obviously.
>Updated: to quell the comments, I did not choose the title to imply downloading tracking software is hacking, I am a hacker by profession and have been most my life.
If you're a mechanic, you don't brag about calling the AA to home-start your wheels. You would be pretty shocked to see a mechanic post a story about his home-start on a hobby enthusiasts news site and see the community there voting the story up.
I wonder if it's just an illusion or if there really also is an influx in me-too submissions. Not that I'm judging any submission in particular, but there is clearly a difference in usefulness and novelty when you compare them.
I know from experience (not me of course, but that of some kids who stole some stuff from a neighbor) that juveniles who are caught and convicted of petty theft basically get a slap on the wrist, a stern warning about what will happen if they do it again, and sent home.
The story you have just heard is true. The names were changed to
protect the innocent.
On August 12th, trial was held in Department 98, Superior Court of the
State of __London, in and for the County of __London. In a moment the
results of that trial.
Shillip Herbert Keaver was tried and convicted of robbery in the first
degree - five counts - and received sentence as prescribed by
law. Robbery in the First Degree is punishable by imprisonment for a
period of not less than five years in the __London penitentiary. Because
of the viciousness of the suspect, it was decided that the terms would
run consecutively.
You have just heard "DragNet," a series of authentic cases
from official files. Technical advice comes from the
office of Chief Constable, Scotland Yard, __London.
It seemed perfectly clear to me that you meant that a hacker is going to have some means of finding his stolen laptop rather than that using Prey makes you some kind of hacker.
And to the criticism that you are running a product, that's ridiculous as well. Do we all solder our own motherboards? Devout Not-Invented-Hereism isn't a prerequisite for being a hacker, and in fact it probably makes you much less effective of one.
Make up your minds. Is it the inclusive, "explorers of technology" meaning where it's more about curiosity and open-mindedness than skill level, or is it your little l337 boys club badge of honor?
Personally, it's not so much using a product, but 1) giving access to a third-party (the Prey server admins) to his laptop and 2) being limited instead of having complete control.
Prey just seems a poor solution if you know what you're doing. For non-computer geeks it is excellent, though.
I think you under-estimate the speed and hassle of dealing with insurance.
Also most insurance has a deductible. You're still out typically hundreds of dollars.
I had a macbook pro of one of our employees stolen. We used prey to get it back, with assistance from the police. Yes we have corporate insurance, yes we backup our data; but we were still very pleased to receive our stolen property back.
first to 'somebody who can write a web app', to now 'somebody who can install software'
"Updated: to quell the comments, I did not choose the title to imply downloading tracking software is hacking, I am a hacker by profession and have been all my life."
PICK ONE, GUYS.
The issue is that the article is titled "Why you don't steal from a hacker". This is not actually an appropriate name for the article, because it's not the writer's status as a hacker that leads to the final result. It is the writer's position as an application user that leads to the final result. In that sense, this article should be called, "Why you don't steal from someone that knows how to use an application to track their stolen laptop". Hence, by replacing the "application user" with "hacker" you are diluting the meaning of hacker that everyone here loves to use. I'm not trying to be critical, just explaining why people are stating this and that they are attempting to express a consistent stance. You may associate this type of activity with a hacker, but understandably, it is not what you'd come up with when you attempted to define a hacker.
There's apparently a safari browser-only mode which can be activated from the login screen there.
This would create the ideal scenario for the stolen laptop: Thief without the knowledge or ability to reformat (particularly if you've slowed them down further with a firmware password) can only use the safari-browsing guest mode; can't get to your full encrypted drive, and Prey is recording and sending off everything they're doing.
In other words, they would probably just wipe the computer and install Windows, and I wouldn't hear about the machine. I guess I could have a Windows install ready with a guest account and sneaky tracking software just for the benefit of an hypothetical thief, but it doesn't seem worth the effort.
So why did he rely on luck instead of SSHing to the laptop and unlocking the machine?
>I cranked up the frequency of reports to one in every five minutes to try to get a screen capture of him using gmail or facebook so I could snag a name or login credentials.
Hmm, start a keylogger (and a sniffer) in the background and then scp the logs a couple hours later?
I don't know of a single person who directly connects their laptop to the internet. This would have been sitting behind a NAT device which, unless port 22 was explicitly forwarded to the IP address that his laptop happened to get via DHCP, would have stopped him from SSHing in :)
I mean, basically doing what Prey does, but without relying on a third-party service and having much more control over the machine.
* Reverse SSH: if wget http://myserver.com/sshreverse; then ssh -R 2900:localhost:22 User@myserver.com; fi
Stick this in a file, chmod +x, then add an entry in cron to run it every hour or so. After that, you just need to create a file in your web server called "sshreverse" and you'll have an SSH tunnel to your laptop.
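A more defensive version of the cron check-in described in the comment above, as an added example that is not part of the thread: it checks the trigger without saving it, refuses to open a second tunnel, and binds the forwarded port to the server's loopback only. The HTTPS trigger URL, the `tunnel@myserver.example` account, the lock path and the `--run` argument are placeholders assumed for illustration; port 2900 is the one from the comment.

```shell
#!/bin/sh
# Added example (not from the thread): hourly cron check-in for a laptop you own.
# Host name, user and paths are placeholders; the server's host key must already
# be in known_hosts, because StrictHostKeyChecking=yes refuses unknown hosts.
TRIGGER_URL="${TRIGGER_URL:-https://myserver.example/sshreverse}"
TUNNEL_HOST="${TUNNEL_HOST:-tunnel@myserver.example}"
REMOTE_PORT="${REMOTE_PORT:-2900}"        # port used in the comment above
LOCK_DIR="${LOCK_DIR:-/tmp/recovery-tunnel.lock}"

# Succeeds only when the trigger file exists. --spider asks for the URL
# without saving it, so hourly runs do not litter the disk with copies.
trigger_present() {
    wget -q --spider --tries=1 --timeout=15 "$1"
}

# Prints the ssh arguments, one per line, so they can be reviewed and tested.
tunnel_args() {
    printf '%s\n' \
        -N \
        -o BatchMode=yes \
        -o ExitOnForwardFailure=yes \
        -o StrictHostKeyChecking=yes \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=3 \
        -R "127.0.0.1:${REMOTE_PORT}:localhost:22" \
        "$TUNNEL_HOST"
}

# Decides what this run should do: "connect", "no-trigger" or "already-running".
# mkdir is atomic, so two overlapping cron runs cannot both take the lock.
decide() {
    if ! trigger_present "$TRIGGER_URL"; then
        echo no-trigger
    elif ! mkdir "$LOCK_DIR" 2>/dev/null; then
        echo already-running
    else
        echo connect
    fi
}

main() {
    [ "$(decide)" = connect ] || return 0
    # Word splitting is intended here: none of the arguments contain spaces.
    set -- $(tunnel_args)
    ssh "$@"
    status=$?
    rmdir "$LOCK_DIR" 2>/dev/null   # release the lock once the tunnel closes
    return "$status"
}

# Cron calls the script with --run; without it nothing touches the network.
if [ "${1:-}" = "--run" ]; then main; fi
```

On the server side, the key this script uses is best limited to port forwarding in `authorized_keys`, so a copy of the key taken from the laptop does not give a shell on the server.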
Skip to 3:15 http://www.youtube.com/watch?v=OAI8S2houW4
Or maybe it's just really useful.
we (the Prey team) don't have the time or the interest to pay people, thieves or whomever to build and publish these elaborate stories.
I spent almost all afternoon yesterday on Reddit -- where some guy published a similar story -- trying to make it clear that we had nothing to do with it (besides having developed the software).
I'd be happy to answer any questions regarding Prey, but please don't make me go repeating today the same thing all over again.
I set it up so if this file ever disappears http://iamnotaprogrammer.com/prey.html it starts sending me alert messages like the one below:
Good news my friend, it seems we found it.
Here's the report from your computer:
########################################################
# geo
########################################################
:: lat=(deleted)
:: lng=(deleted)
:: accuracy=33.0
########################################################
# network
########################################################
:: public ip=(deleted)
:: internal ip=192.168.8.121
:: gateway ip=192.168.8.1
:: mac address=34:15:9e:07:af:86
########################################################
# session
########################################################
:: logged user=sudonim
:: uptime=14:21 up 3:12, 6 users, load averages: 2.12 1.91 2.06
Happy hunting!
-------
Then it attaches a picture taken with my camera and a screenshot. All in all, pretty handy to have running.
If someone steals my laptop I wouldn't care about the cost of lost hardware. Instead I'd care more about my private data that now is in the hands of someone else.
It's kind of a problem, if you have all your other data stored using something like 1Password.
I know for sure I have a tracker installed on my laptop, but since it's running in "stealth" mode, I have no clue what it is or where to find it. I guess I am not hacky enough.
I think it is great that the average person can now do all those things from a web app. It is funny though that they still consider themselves to be hackers because they can use that web app. Another example of misuse of the term hack that I see all the time is when people use someone else's logged in Facebook session and then claim they "hacked their Facebook" because that person left their session logged in. Silly...
Others take a pitchforks and torches approach. I recall people saying, “publish and let him sue if he doesn’t like it,” which is pretty much the same thing as saying “it might be wrong, but thanks to the difficulties of suing for libel, we can get away with it.”
I guess this is where we peel away all of our nobility and reveal the savages underneath. Some of us strongly believe in the justice system and the importance of treating the accused extremely fairly in theory, but in practice "we know the bastard did it, so there."
How about this: it's my laptop, and I reserve the right to use it to take pictures any time I see fit?
I'm okay with running the picture of the guy, and publishing the data, as long as there's a clear disclaimer that this is just information pulled from your own laptop, not presented as evidence in some kind of criminal proceeding. We do this all the time with videos on the news that show crimes in progress. Heck, we did it with the rioters. Local papers ran big pictures of them on the front page. Simply making public video and data that you have every right to have and use isn't the same as calling the guy a crook and demanding he be hanged.
Now yes, the mob will probably take over from there, but that's because the net is full of mobs, not because you've somehow made a mistake in publishing the data. I am very concerned about folks taking justice into their own hands, but I don't think that my concern somehow changes the right of this guy to publish his own data.
There's no "we know the bastard did it, so there" that has to be involved. I load my laptop up with whatever legal programs I like, and I choose to publish the data from those programs any time I feel like it.
As for his privacy, he surrendered that voluntarily when he stole the laptop; the government didn't impose that sentence on him.
http://www.guardian.co.uk/commentisfree/2011/aug/10/uk-riots...
Furthermore, I don't see how putting someone's information on the internet is comparable to physically depriving someone of their property. The latter has obvious effects, and the former may not even cause much harm. It would have never happened had the thief not stolen the laptop, so I'd say the ultimate blame rests on them anyway.
Why should I respect his privacy when he has absolutely abused mine?
Honestly, I see your point, and both sides. I've just met a few people that have a similar service installed onto their phones, and I certainly would not call them hackers. Similarly, if someone told me they had this installed on their computer, I wouldn't think, "Oh, cool! S/he's a hacker!" On the other hand, if I saw someone starting "Learn Python the Hard Way" I _would_ think, "Oh shit, s/he's becoming a hacker!". Anyway, I don't really care too much. You do make a good point though. In general, a hacker might be more likely to aggressively try to track you down :)
That said, the title does prime one for an epic tale of recovery and revenge involving spoofed IP addresses and total identity theft. This story is a little bit of a letdown, but I doubt he meant for it to get the attention it got.
I would set up an icmp proxy with ssh on top of that. And there would be a few good reasons for that. 1: it bypasses a whole lot of firewalls and captive gateways. 2: few hackers would expect such a communication mechanism like that.
Of course, this solution works only if the computer isn't reformatted, as I would do if I ever got into petty theft. So one would need the computer to have an open and easy to get into account. If you use linux, have home directory encryption on and the account called "Administrator".
"Autossh is a program to start a copy of SSH and monitor it, restarting it as necessary should it die or stop passing traffic."
Make sure it has no access to the filesystem outside of its homedir, and you could even set some login items to watch for net access and push a notification.
Full disk encryption is more or less default for most Linux distributions and OS X Lion. In addition, it's the only sane solution if you want to securely encrypt your data.
I think among people who do use the word "hacker" to mean someone skilled with computers, it's considered poor form to call yourself a hacker but high praise to be named a hacker. Eric Raymond wrote long screeds about this way back in the 90s when people still gave a damn about him.
Personally, I call somebody who is skilled at breaking systems a hacker. The guy who discovers how to Man-in-the-middle attack an SSL connection is a hacker. The morons in black trenchcoats and leather fedoras who then download a .EXE to automatically do just that and harvest passwords at Starbucks... are fucking scum of the earth script kiddies.
Real answer: I did actually attend Def Con this year, with the intent of learning about hacking, possibly from hackers. I wouldn't call myself a hacker, I just went because I wanted to learn about the subject. Really the whole topic is not something I worry much about... in my line of work we don't compliment people by saying "he's a good hacker", we just say "he's brilliant" or "she does really great work", which to my mind is a better and less ambiguous compliment.
That statement is like saying “This is my gun, I reserve the right to shoot bullets from it any way I like.” Obviously every action we take with our person and our property has consequences and we are responsible for those consequences we can reasonably foresee.
Clearly there is a continuum of choices from sharing the pictures with law enforcement but not publishing them, to publishing them but being careful to disclaim that this person has not been convicted of committing a crime, to publishing them and asserting this is the thief. You pick where you feel comfortable on that line, I pick where I feel comfortable.
Looking at the commentary here and the last two similar things to hit HN, you must accept that regardless of where you or I might place ourselves, there are definitely people to the far right of the line. You can see people talking about this person as “the thief” without bothering with the inconvenience of a trial. You can see people discussing the publicity as a punishment. One comment talks about “naming and shaming” as a deterrent.
You may not consider yourself part of a lynch mob, but seriously, can you deny that such an element is present?
No, and I'm very concerned about it. But the only choices are the ones I have to make. I can't start worrying about everybody else. In fact, once I let the threat of a mob start swaying my decisions, I've already lost. The mob has won. (ugh. hated doing that, but it was too rhetorically easy.)
You get my drift. I think, for me, that I need to think long and hard about what the consequences might be. But quite honestly, here's some guy I don't know using my computer. Anybody know this guy? Perhaps he's being held hostage for all I know. The more information I get out there, the sooner we can have this thing resolved. I don't have to jump all the way to some conclusion simply because I need to solicit information about the location of my laptop. After all, I'm the innocent guy here.
I didn't read the other articles, but it sounds like you are reacting against the mob mentality found here and elsewhere. Yes, this concerns me a great, great deal. The internet was supposed to bring equality and democracy. It's done that, but it's also brought flash mobs robbing stores, riots, and vigilante justice. Not good. We should all speak out against that -- especially when it's a cause that sounds "right" to us.
Prey is a polished product that you can trust to work. If you are into this sort of thing, certainly you can achieve more functionality and better security by rolling your own, but I don't consider it a prerequisite to hackerdom any more than soldering your own motherboards. How often do you expect your laptop to be stolen anyway?
Just because you've already done it and you have a pre-rolled solution doesn't mean you didn't invest that time, and don't fool yourself.
Kids these days :) :)
It's one or two lines of configuration.