Why you don't steal from a hacker. (infosec20.blogspot.com)

272 points by gregcmartin ↗ HN
My flat was raided and ransacked during the London riots, but thanks to tracking software I fed intel to the London Metro police until he was apprehended and my laptop returned.

165 comments

[ 0.22 ms ] story [ 229 ms ] thread
using a laptop recovery service to do exactly what it was intended to do. sweet hack, bro!
You're missing the point. To paraphrase: "As a hacker, I had the good sense to make sure I had tracking software installed. I take security seriously."
(comment deleted)
Thank you for pursuing this enlightening thread further.
(comment deleted)
My mom is a hacker too. She hacked her own gmail account the other day by recovering her password, she even had to remember the name of her first pet!
(comment deleted)
the word 'hacker' has been diluted to a new low

first to 'somebody who can write a web app', to now 'somebody who can install software'

The thief did more "hacking" by using the OSX install CD than him.
From his LinkedIn profile: "Greg Martin is a recognized Information Security professional with over 12 years experience and considered an industry expert in Network Security and SIEM technology." Sounds like the word hacker could very well apply. I think he used it in relationship to his profession, not to his installation skills.
I've read some really great stories in which real hackers used SSH to log in to their stolen computers, install key loggers, and custom tools. This obviously isn't one of those stories though.

I think it is great that the average person can now do all those things from a web app. It is funny though that they still consider themselves to be hackers because they can use that web app. Another example of misuse of the term hack that I see all the time is when people use someone else's logged in Facebook session and then claim they "hacked their Facebook" because that person left their session logged in. Silly...

Reading comprehension fail. Just because the title asserts that the poster is a hacker doesn't mean that the post justifies why he is one. If I write something about "Why you don't steal from a Texan" I'm going to talk about you digging lead out of your derriere, not about where I was born.
If the title was "You don't steal from a hacker," you might have a point, but "Why you don't steal from a hacker" implies the reason for that is exposed in the post.
A story entitled: "Why you don't steel from a Texan" would generally entail the thief getting shot. Shooting a thief doesn't make one a Texan, but it is the kind of thing a Texan would do. (Gross generalization for illustrative purposes only.) In the same way, having a software program installed on one's computer in case of theft does not make one a hacker, but it is in the spectrum of things a hacker might do. So I think that the title is plenty accurate.

That said, the title does prime one for an epic tail of recovery and revenge involving spoofed IP addresses and total identity theft. This story is a little bit of a letdown, but I doubt he meant for it to get the attention it got.

Yeah, if you dig through his blog, he has some really cool model train stuff.
hilarious!
MIT hackers back in the day had quite a lot of crossover with model train enthusiasts.
In fact, he's updated his post to reflect this kind of comment:

"Updated: to quell the comments, I did not choose the title to imply downloading tracking software is hacking, I am a hacker by profession and have been all my life."

(comment deleted)
Next would be "Somebody who can use a computer"
Semantics is one of the least interesting things to argue about on the Internet.
No it isn't! /python

;0)>

Sorry couldn't resist.

...says a guy who submits non-hacker news to Hacker News. =)
Is this one of those viral marketing campaigns again? Yesterday, there was a popular thread on Reddit about some guy who retrieved his stolen Macbook by using the exact same software that's being mentioned here. And not to mention the several other threads here on HN a few months ago that are suspiciously similar.

Or maybe it's just really useful.

no it's not. and please don't start with this over again.

we (the Prey team) don't have the time or the interest to pay people, thieves or whomever to build and publish these elaborate stories.

I spent almost all afternoon yesterday on Reddit -- where some guy published a similar story -- trying to make it clear that we had nothing to do with it (besides having developed the software).

I'd be happy to answer any questions regarding Prey, but please don't make me go repeating today the same thing all over again.

Thanks for your software, i think u guys are latin-americans? ...
yup that's right, at least me and most of the guys that work for Fork (the company I founded after Prey took off). however there's lots of contributors from Europe, the US and Asia.
Hey, just wanted to say thank you.
you're welcome Greg! really glad to know you got your laptop back. :)
Here is a much funnier and more technical account of someone retrieving their stolen computer. In video form!

Skip to 3:15 http://www.youtube.com/watch?v=OAI8S2houW4

I've been thinking about that video... the guy says it started connecting to the network over 2 years after it was stolen. It seems unlikely (or at least plausible) that the guy who had it was the guy who stole it... or did I miss a key bit of info that justified it all?
That's true. He did say that he gave up looking for it on Craigslist and eBay after a while, so it may have changed hands after he gave up the search.
This is why I have file vault + password screensaver on my MacBook Pro + insurance. I'd sooner have to wait a few days to get a new laptop than rely on: a) the user not instantly formatting the computer, b) prey finding my laptop, c) the police doing something about it.
... why not do exactly that; but ALSO have a guest account, and prey installed. (Also re: not instantly formatting; put firmware and/or hard drive passwords on to slow them down -- most thieves are not computer experts)

I think you under-estimate the speed and hassle of dealing with insurance.

Also most insurance has a deductible. You're still out typically hundreds of dollars.

I had a macbook pro of one of our employees stolen. We used prey to get it back, with assistance from the police. Yes we have corporate insurance, yes we backup our data; but we were still very pleased to receive our stolen property back.

If you have a guest account you can't encrypt your whole harddisk. And if my laptop gets stolen I don't care about the money but about my data falling into the wrong hands.
Set up a honeypot account 'm[ou]m', with a visible password hint to the tune of 'Dammit m[ou]m, THE PASSWORD IS "Susan"'.

Make sure it has no access to the filesystem outside of its homedir, and you could even set some login items to watch for net access and push a notification.

The honeypot account still needs access to the operating system, and thus to the harddisk password if you use full-disk encryption.

Full disk encryption is more or less default for most Linux distributions and OS X Lion. In addition, it's the only sane solution if you want to securely encrypt your data.

>Luckily the thief was a smart little bugger and he was able to bypass the password by using an OSX install CD to create a new admin account.

So why did he rely on luck instead of SSHing to the laptop and unlocking the machine?

>I cranked up the frequency of reports to one in every five minutes to try to get a screen capture of him using gmail or facebook so I could snag a name or login credentials.

Hmm, start a keylogger (and a sniffer) in the background and then scp the logs a couple hours later?

Consumer routers will typically have port 22 firewalled for incoming trafic.
Run SSH on a non-standard port. Or you can have your laptop set to open a reverse ssh tunnel to another trusted machine on some event, like a file changed on your website, etc.
Ok, I'll rewrite: Why wouldn't he use his reverse SSH connection* to do that stuff?

* Reverse SSH: if wget http://myserver.com/sshreverse; then ssh -R 2900:localhost:22 User@myserver.com; fi

Stick this in a file, chmod +x, then add an entry in cron to run it every hour or so. After that, you just need to create a file in your web server called "sshreverse" and you'll have an SSH tunnel to your laptop.

Id do one thing slightly different.

I would set up an icmp proxy with ssh on top of that. And there would be a few good reasons for that. 1: it bypasses a whole lot of firewalls and captive gateways. 2: few hackers would expect such a communication mechanism like that.

Of course, this solution works only if the computer isnt reformatted, as i would do if i ever got into petty theft. So one would need the computer to have an open and easy to get into account. If you use linux, have home directory encryption on and the account called "Administrator".

You forgot the part where you ensure that the ssh-key for user@myserver.com can only be used for this particular reverse-tunnel and not to, say, login to myserver.com...
>So why did he rely on luck instead of SSHing to the laptop and unlocking the machine?

I don't know of a single person who directly connects their laptop to the internet. This would have been sitting behind a NAT device which, unless port 22 was explicitly forwarded to the IP address that his laptop happened to get via DHCP, would have stopped him from SSHing in :)

That's why I have a two line shell script that creates an SSH tunnel to my server if I put a file called 'reversessh' on my webserver.

I mean, basically doing what Prey does, but without relying on a third-party service and having much more control over the machine.

Now that's hack-zore :).
(comment deleted)
I've been wondering about these services. Not having more information about the inner-workings of a monitoring/recovery service, I'm concerned about the company's ability to spy on me the same way I could spy on anyone who uses my stolen laptop. What prevents this from happening?
Prey is open source so, if you knew how to, you could add some monitoring capabilities to Prey to make sure it isn't doing anything it shouldn't.
I suppose if you are worried about it you can use Wireshark or some other similar network traffic inspection tool to watch your traffic for suspicious communications you didn't authorize.
"Hacking" is now referred to, someone posting on anothers facebook, since they were still logged in. /facepalm
Why didn't a real hacker have a keylogger installed on his machine instead of just the webcam thing? You could have gotten the guys' password to his facebook
In my experience, hackers don't normally keylog themselves. That's the kind of thing they'd rather avoid — it could be especially disastrous if your computer were stolen like this.
Obviously I mean a remotely activated keylogger - the computer goes online and checks a website to see if it should start the keylogging
Encrypt the logs with your public key. Do not keep the private key anywhere near the machines, containing the encrypted logs. Move logs to a remote secure storage (co-located or home-hosted) as soon as Internet connection's available. Assure reasonable amount of electronic and physical security of the storage servers.

Problem solved!

Sorry I wasn't implying that the software I used made me a hacker, that is simply just my profession... I use the term very widely to be someone who codes, pentests, reverses malware or jailbreaks iphones...
Yes, I'm saddened by all the responses here making the basic logical fallacy of affirming the consequent.

It seemed perfectly clear to me that you meant that a hacker is going to have some means of finding his stolen laptop rather than that using Prey makes you some kind of hacker.

And to the criticism that you are running a product, that's ridiculous as well. Do we all solder our own motherboards? Devout Not-Invented-Hereism isn't a prerequisite for being a hacker, and in fact it probably makes you much less effective of one.

>And to the criticism that you are running a product, that's ridiculous as well.

Personally, it's not so much using a product, but 1) giving access to a third-party (the Prey server admins) to his laptop and 2) being limited instead of having complete control.

Prey just seems a poor solution if you know what you're doing. For non-computer geeks is excellent, though.

That's a value judgement. As a hacker you can't do everything.

Prey is a polished product that you can trust to work. If you are into this sort of thing, certainly you can achieve more functionality and better security by rolling your own, but I don't consider it a prerequisite to hackerdom anymore than soldering your own motherboards. How often do you expect your laptop to be stolen anyway?

The thing is: rolling my own takes less time than installing Prey. Of course, it won't have bells and whistles, but it'll be much less limited.
I'm sorry but that claim has no credibility with me. Setting up the proper cron jobs, server-side components, and verifying that everything is working under a variety of circumstances will take much more than the 5 mins it takes to install Prey.

Just because you've already done it and you have a pre-rolled solution doesn't mean you didn't invest that time, and don't fool yourself.

You only need to set up a cron job to create a reverse SSH tunnel into your home server. That way from your home server you could SSH into the machine, no matter where it is.

It's one or two lines of configuration.

If it doesn't work when you really need it though, you can't fix it.
It's sad that many of the people who say the word "hacker" means all these positive and inclusive things are often the same people who lambast someone for actually using the word that way to refer to themselves.

Make up your minds. Is it the inclusive, "explorers of technology" meaning where it's more about curiosity and open-mindedness than skill level, or is it your little l337 boys club badge of honor?

It's highly desirable to be called a genius, but in general people calling themselves geniuses are looked down upon.

I think among people who do use the word "hacker" to mean someone skilled with computers, it's considered poor form to call yourself a hacker but high praise to be named a hacker. Eric Raymond wrote long screeds about this way back in the 90s when people still gave a damn about him.

Personally, I call somebody who is skilled at breaking systems a hacker. The guy who discovers how to Man-in-the-middle attack an SSL connection is a hacker. The morons in black trenchcoats and leather fedoras who then download a .EXE to automatically do just that and harvest passwords at Starbucks... are fucking scum of the earth script kiddies.

But is "hacker" really analogous to "genius"? I mean, we have a bunch of annual hacker conferences. If "hacker" isn't something you can call yourself, who is going to all of these things?
Joke answer: Have you ever been to Def Con? People who wear utilikilts and dyed mohawks unironically probably have no qualms about calling themselves hackers, deservedly or un-.

Real answer: I did actually attend Def Con this year, with the intent of learning about hacking, possibly from hackers. I wouldn't call myself a hacker, I just went because I wanted to learn about the subject. Really the whole topic is not something I worry much about... in my line of work we don't compliment people by saying "he's a good hacker", we just say "he's brilliant" or "she does really great work", which to my mind is a better and less ambiguous compliment.

"took a report and dusted for prints, performed typical forensics"

I'm impressed that the police dust for prints in England. I've never heard of someone getting that kind of thoroughness for a domestic burglary where I live.

When my house was burgled, the cops sent out 3 cars, did a thorough inspection, took inventory of what had been stolen, and dusted for prints in places we indicated were likely to have been touched (the windowframe where they came in, some doorknobs, and the box fan they had moved). This was in Rochester's 19th Ward (New York), possibly the most dangerous and high-crime part of town.

As far as I know, they never caught anybody, but at least they tried. I'm pretty sure it was my drug-dealing neighbors two houses down... especially since the guy three houses down claims the security cameras on his porch showed them taking stuff from our house to theirs. Oh well.

Same in Paris when my brother's apartment was burgled a few months ago... 2 members of the French Scientific Police took pictures / fingerprints. I didn't think they'd go that far, having read countless stories on how this is usually handled in the US.
Can confirm of similarly good service in Vienna, Austria;

Thorough investigation, dusted for prints, and even took sample of nondescript, possibly bodily fluid (turned out to be non-organic).

Very professional; Though wouldn't get burglarised again.

Glad the person got their Mac back, but why does this story and ones like it always end at the recovery of the property? Could we get an update on the punishment of the criminal? I'd like to know what kind of repercussions the criminals suffer--do they get prosecuted? I'm just curious if these software tracking systems have been used in court as evidence to convict any of these criminals.
I'm not sure if it's that easy for the victim to find that information. My family was robbed several years ago and while the police eventually reported that they caught the perps, that was all of the detail they left. Similarly, my girlfriend had credit cards stolen once and neither the police nor the credit card company gave any information except that they had found the people who stole the card. Perhaps this discretion is to prevent people from attempting vigilante followup actions?
I'm almost certain that (in the States at least) that information would be public record. After all, the person has to be arraigned and go to trial. Police reports are almost always public information, even reports that don't involve you personally. You just have to go to the station sometimes.
The police aren't going to report to you every step of the way, (why would they?), but that does not mean you can't find that info out. You could even talk to the police officers involved, they would be happy to tell you, if they know.
I was wondering that too. I was thinking that perhaps this guy had gone and screwed around with his social network given the facebook screen cap at the end. Of course if someone steals your laptop, and using software you've installed you keylog all their secrets and you use their credit card to buy themselves a hundred pizzas each from 10 stores around town, that would be a bit much perhaps.

I know from experience (not me of course, but that of some kids who stole some stuff from a neighbor) that juveniles who are caught and convicted of petty theft basically get a slap on the wrist, a stern warning about what will happen if they do it again, and sent home.

Yes, that is usually the punishment that these kids gets, usually the victim knows the kid and did not put charges.
the police probably haven't done anything yet

  The story you have just heard is true. The names were changed to
  protect the innocent.
  
  On August 12th, trial was held in Department 98, Superior Court of the
  State of __London, in and for the County of __London. In a moment the 
  results of that trial.
  
  Shillip Herbert Keaver was tried and convicted of robbery in the first
  degree - five counts - and received sentence as prescribed by
  law. Robbery in the First Degree is punishable by imprisonment for a
  period of not less than five years in the __London penitentiary. Because
  of the viciousness of the suspect, it was decided that the terms would
  run consecutively.

  You have just heard "DragNet," a series of authentic cases
  from official files. Technical advice comes from the
  office of Chief Constable, Scotland Yard, __London.
This can't be the same person. The laptop was stolen from his house while he was away. This would mean it would be a burglary charge, not robbery.
This is a parody of an old TV show called "Dragnet". Each episode ended with a dramatic narrator reading something 99.9% similar to the comment you replied to. Same fixed format, everything.

Kids these days :) :)

In the US, the perp probably always pleads guilty, so there ends up not being a trial where the victim would be able to learn more about the case.
Maybe the criminal was a minor. At least in my country (Bolivia) if he is a minor almost nothing is done, he'll walk out free. I'm sure this is not the case in every country.
I don't think there is a need to use the tracking software to build a case against the burglar. They caught him with stolen property and have fingerprints. No need to go high-tech here.
So now everyone who installs a "tracking software" on his laptop is a hacker. Really, the internet has changed.
You say "professional hacker" to refer to yourself a lot, but as far as I can tell all you did was use someone else's product. Where is the hacking in that? Hacking is creative problem solving. You used a product for its intended purpose. That's called being a consumer, not a hacker. lame. self masturbatory. grow up.

also I'm not anonymous you dipshit

You say "professional hacker" to refer to yourself a lot, but as far as I can tell all you did was use someone else's product. Where is the hacking in that? Hacking is creative problem solving. You used a product for its intended purpose. That's called being a consumer, not a hacker. lame. self masturbatory article.
I am sorry, but mere mortals have not heard of and don't use prey project. Hackers use prey project. Professional ones.
I just installed Prey. Ignoring the OP's use of the word "Hacker", you don't have to pay them anything to get good value from the software.

I set it up so if this file ever disappears http://iamnotaprogrammer.com/prey.html it starts sending me alert messages like the one below:

Good news my friend, it seems we found it.

Here's the report from your computer:

######################################################## # geo ########################################################

:: lat=(deleted)

:: lng=(deleted)

:: accuracy=33.0

######################################################## # network ########################################################

:: public ip=(deleted)

:: internal ip=192.168.8.121

:: gateway ip=192.168.8.1

:: mac address=34:15:9e:07:af:86

######################################################## # session ########################################################

:: logged user=sudonim

:: uptime=14:21 up 3:12, 6 users, load averages: 2.12 1.91 2.06

Happy hunting!

-------

Then it attaches a picture taken with my camera and a screenshot. All in all, pretty handy to have running.

(comment deleted)
6 users! wow.
A single terminal session counts as a user, probably has a few open, plus the system login etc.
Selling corporate firewall hardware doesn't make you a hacker
Well, who knows - maybe he has a life outside his job?
What about "Hacker News"?, some of the news here are not Hacker specific. In the guidelines of this site, it says, that here can be posted articles that comply with this: "anything that gratifies one's intellectual curiosity" So, this site could have be named "Intellectual's News", and not Hacker News?

I'm not a hacker, and love to read the stories here, this is my favorite site to read news every morning.

Yes, you are all right, the term Hacker is misused everyday, and the tendency is growing.

The guy browsed the internet for muslim revelation videos. I could have give him 1 tip to be in God/Allah's good Grace: Don't steal other people's stuff.
Did Sam Odio's blog get hacked? Because I refuse to believe that the Sam whose comments I've been reading on HN would steal from someone. Sam how is what you're doing different from what Anonymous et al are doing? However irritating Jonathan's experiment is, it doesn't give you the right to impose you idea of morality on them.
Maybe this guy IS a hacker, or maybe he's NOT, I don't care, but the word hacker is worthless using in this story, didn't see any hack involved...