My flat was raided and ransacked during the London riots, but thanks to tracking software I fed intel to the London Metro police until he was apprehended and my laptop returned.
You're missing the point. To paraphrase: "As a hacker, I had the good sense to make sure I had tracking software installed. I take security seriously."
From his LinkedIn profile:
"Greg Martin is a recognized Information Security professional with over 12 years experience and considered an industry expert in Network Security and SIEM technology." Sounds like the word hacker could very well apply. I think he used it in relationship to his profession, not to his installation skills.
I've read some really great stories in which real hackers used SSH to log in to their stolen computers, install key loggers, and custom tools. This obviously isn't one of those stories though.
I think it is great that the average person can now do all those things from a web app. It is funny though that they still consider themselves to be hackers because they can use that web app. Another example of misuse of the term hack that I see all the time is when people use someone else's logged in Facebook session and then claim they "hacked their Facebook" because that person left their session logged in. Silly...
Reading comprehension fail. Just because the title asserts that the poster is a hacker doesn't mean that the post justifies why he is one. If I write something about "Why you don't steal from a Texan" I'm going to talk about you digging lead out of your derriere, not about where I was born.
If the title was "You don't steal from a hacker," you might have a point, but "Why you don't steal from a hacker" implies the reason for that is exposed in the post.
A story entitled: "Why you don't steel from a Texan" would generally entail the thief getting shot. Shooting a thief doesn't make one a Texan, but it is the kind of thing a Texan would do. (Gross generalization for illustrative purposes only.) In the same way, having a software program installed on one's computer in case of theft does not make one a hacker, but it is in the spectrum of things a hacker might do. So I think that the title is plenty accurate.
That said, the title does prime one for an epic tail of recovery and revenge involving spoofed IP addresses and total identity theft. This story is a little bit of a letdown, but I doubt he meant for it to get the attention it got.
In fact, he's updated his post to reflect this kind of comment:
"Updated: to quell the comments, I did not choose the title to imply downloading tracking software is hacking, I am a hacker by profession and have been all my life."
Is this one of those viral marketing campaigns again? Yesterday, there was a popular thread on Reddit about some guy who retrieved his stolen Macbook by using the exact same software that's being mentioned here. And not to mention the several other threads here on HN a few months ago that are suspiciously similar.
no it's not. and please don't start with this over again.
we (the Prey team) don't have the time or the interest to pay people, thieves or whomever to build and publish these elaborate stories.
I spent almost all afternoon yesterday on Reddit -- where some guy published a similar story -- trying to make it clear that we had nothing to do with it (besides having developed the software).
I'd be happy to answer any questions regarding Prey, but please don't make me go repeating today the same thing all over again.
yup that's right, at least me and most of the guys that work for Fork (the company I founded after Prey took off). however there's lots of contributors from Europe, the US and Asia.
I've been thinking about that video... the guy says it started connecting to the network over 2 years after it was stolen. It seems unlikely (or at least plausible) that the guy who had it was the guy who stole it... or did I miss a key bit of info that justified it all?
This is why I have file vault + password screensaver on my MacBook Pro + insurance. I'd sooner have to wait a few days to get a new laptop than rely on: a) the user not instantly formatting the computer, b) prey finding my laptop, c) the police doing something about it.
... why not do exactly that; but ALSO have a guest account, and prey installed. (Also re: not instantly formatting; put firmware and/or hard drive passwords on to slow them down -- most thieves are not computer experts)
I think you under-estimate the speed and hassle of dealing with insurance.
Also most insurance has a deductible. You're still out typically hundreds of dollars.
I had a macbook pro of one of our employees stolen. We used prey to get it back, with assistance from the police. Yes we have corporate insurance, yes we backup our data; but we were still very pleased to receive our stolen property back.
If you have a guest account you can't encrypt your whole harddisk. And if my laptop gets stolen I don't care about the money but about my data falling into the wrong hands.
Set up a honeypot account 'm[ou]m', with a visible password hint to the tune of 'Dammit m[ou]m, THE PASSWORD IS "Susan"'.
Make sure it has no access to the filesystem outside of its homedir, and you could even set some login items to watch for net access and push a notification.
The honeypot account still needs access to the operating system, and thus to the harddisk password if you use full-disk encryption.
Full disk encryption is more or less default for most Linux distributions and OS X Lion. In addition, it's the only sane solution if you want to securely encrypt your data.
>Luckily the thief was a smart little bugger and he was able to bypass the password by using an OSX install CD to create a new admin account.
So why did he rely on luck instead of SSHing to the laptop and unlocking the machine?
>I cranked up the frequency of reports to one in every five minutes to try to get a screen capture of him using gmail or facebook so I could snag a name or login credentials.
Hmm, start a keylogger (and a sniffer) in the background and then scp the logs a couple hours later?
Run SSH on a non-standard port. Or you can have your laptop set to open a reverse ssh tunnel to another trusted machine on some event, like a file changed on your website, etc.
Stick this in a file, chmod +x, then add an entry in cron to run it every hour or so.
After that, you just need to create a file in your web server called "sshreverse" and you'll have an SSH tunnel to your laptop.
I would set up an icmp proxy with ssh on top of that. And there would be a few good reasons for that. 1: it bypasses a whole lot of firewalls and captive gateways. 2: few hackers would expect such a communication mechanism like that.
Of course, this solution works only if the computer isnt reformatted, as i would do if i ever got into petty theft. So one would need the computer to have an open and easy to get into account. If you use linux, have home directory encryption on and the account called "Administrator".
You forgot the part where you ensure that the ssh-key for user@myserver.com can only be used for this particular reverse-tunnel and not to, say, login to myserver.com...
>So why did he rely on luck instead of SSHing to the laptop and unlocking the machine?
I don't know of a single person who directly connects their laptop to the internet. This would have been sitting behind a NAT device which, unless port 22 was explicitly forwarded to the IP address that his laptop happened to get via DHCP, would have stopped him from SSHing in :)
I've been wondering about these services. Not having more information about the inner-workings of a monitoring/recovery service, I'm concerned about the company's ability to spy on me the same way I could spy on anyone who uses my stolen laptop. What prevents this from happening?
I suppose if you are worried about it you can use Wireshark or some other similar network traffic inspection tool to watch your traffic for suspicious communications you didn't authorize.
Quick look at the source code (https://github.com/tomas/prey) seems to show that if you wipe the HD you're SOL. I'm still waiting for Apple to release Find My Mac (similar to Find My IPhone), which will withstand a hard drive reformat.
Why didn't a real hacker have a keylogger installed on his machine instead of just the webcam thing? You could have gotten the guys' password to his facebook
In my experience, hackers don't normally keylog themselves. That's the kind of thing they'd rather avoid — it could be especially disastrous if your computer were stolen like this.
Encrypt the logs with your public key. Do not keep the private key anywhere near the machines, containing the encrypted logs. Move logs to a remote secure storage (co-located or home-hosted) as soon as Internet connection's available. Assure reasonable amount of electronic and physical security of the storage servers.
Sorry I wasn't implying that the software I used made me a hacker, that is simply just my profession... I use the term very widely to be someone who codes, pentests, reverses malware or jailbreaks iphones...
Yes, I'm saddened by all the responses here making the basic logical fallacy of affirming the consequent.
It seemed perfectly clear to me that you meant that a hacker is going to have some means of finding his stolen laptop rather than that using Prey makes you some kind of hacker.
And to the criticism that you are running a product, that's ridiculous as well. Do we all solder our own motherboards? Devout Not-Invented-Hereism isn't a prerequisite for being a hacker, and in fact it probably makes you much less effective of one.
>And to the criticism that you are running a product, that's ridiculous as well.
Personally, it's not so much using a product, but 1) giving access to a third-party (the Prey server admins) to his laptop and 2) being limited instead of having complete control.
Prey just seems a poor solution if you know what you're doing. For non-computer geeks is excellent, though.
That's a value judgement. As a hacker you can't do everything.
Prey is a polished product that you can trust to work. If you are into this sort of thing, certainly you can achieve more functionality and better security by rolling your own, but I don't consider it a prerequisite to hackerdom anymore than soldering your own motherboards. How often do you expect your laptop to be stolen anyway?
I'm sorry but that claim has no credibility with me. Setting up the proper cron jobs, server-side components, and verifying that everything is working under a variety of circumstances will take much more than the 5 mins it takes to install Prey.
Just because you've already done it and you have a pre-rolled solution doesn't mean you didn't invest that time, and don't fool yourself.
You only need to set up a cron job to create a reverse SSH tunnel into your home server. That way from your home server you could SSH into the machine, no matter where it is.
It's sad that many of the people who say the word "hacker" means all these positive and inclusive things are often the same people who lambast someone for actually using the word that way to refer to themselves.
Make up your minds. Is it the inclusive, "explorers of technology" meaning where it's more about curiosity and open-mindedness than skill level, or is it your little l337 boys club badge of honor?
It's highly desirable to be called a genius, but in general people calling themselves geniuses are looked down upon.
I think among people who do use the word "hacker" to mean someone skilled with computers, it's considered poor form to call yourself a hacker but high praise to be named a hacker. Eric Raymond wrote long screeds about this way back in the 90s when people still gave a damn about him.
Personally, I call somebody who is skilled at breaking systems a hacker. The guy who discovers how to Man-in-the-middle attack an SSL connection is a hacker. The morons in black trenchcoats and leather fedoras who then download a .EXE to automatically do just that and harvest passwords at Starbucks... are fucking scum of the earth script kiddies.
But is "hacker" really analogous to "genius"? I mean, we have a bunch of annual hacker conferences. If "hacker" isn't something you can call yourself, who is going to all of these things?
Joke answer: Have you ever been to Def Con? People who wear utilikilts and dyed mohawks unironically probably have no qualms about calling themselves hackers, deservedly or un-.
Real answer: I did actually attend Def Con this year, with the intent of learning about hacking, possibly from hackers. I wouldn't call myself a hacker, I just went because I wanted to learn about the subject. Really the whole topic is not something I worry much about... in my line of work we don't compliment people by saying "he's a good hacker", we just say "he's brilliant" or "she does really great work", which to my mind is a better and less ambiguous compliment.
"took a report and dusted for prints, performed typical forensics"
I'm impressed that the police dust for prints in England. I've never heard of someone getting that kind of thoroughness for a domestic burglary where I live.
When my house was burgled, the cops sent out 3 cars, did a thorough inspection, took inventory of what had been stolen, and dusted for prints in places we indicated were likely to have been touched (the windowframe where they came in, some doorknobs, and the box fan they had moved). This was in Rochester's 19th Ward (New York), possibly the most dangerous and high-crime part of town.
As far as I know, they never caught anybody, but at least they tried. I'm pretty sure it was my drug-dealing neighbors two houses down... especially since the guy three houses down claims the security cameras on his porch showed them taking stuff from our house to theirs. Oh well.
Same in Paris when my brother's apartment was burgled a few months ago... 2 members of the French Scientific Police took pictures / fingerprints. I didn't think they'd go that far, having read countless stories on how this is usually handled in the US.
Glad the person got their Mac back, but why does this story and ones like it always end at the recovery of the property? Could we get an update on the punishment of the criminal? I'd like to know what kind of repercussions the criminals suffer--do they get prosecuted? I'm just curious if these software tracking systems have been used in court as evidence to convict any of these criminals.
I'm not sure if it's that easy for the victim to find that information. My family was robbed several years ago and while the police eventually reported that they caught the perps, that was all of the detail they left. Similarly, my girlfriend had credit cards stolen once and neither the police nor the credit card company gave any information except that they had found the people who stole the card. Perhaps this discretion is to prevent people from attempting vigilante followup actions?
I'm almost certain that (in the States at least) that information would be public record. After all, the person has to be arraigned and go to trial. Police reports are almost always public information, even reports that don't involve you personally. You just have to go to the station sometimes.
The police aren't going to report to you every step of the way, (why would they?), but that does not mean you can't find that info out. You could even talk to the police officers involved, they would be happy to tell you, if they know.
I was wondering that too. I was thinking that perhaps this guy had gone and screwed around with his social network given the facebook screen cap at the end. Of course if someone steals your laptop, and using software you've installed you keylog all their secrets and you use their credit card to buy themselves a hundred pizzas each from 10 stores around town, that would be a bit much perhaps.
I know from experience (not me of course, but that of some kids who stole some stuff from a neighbor) that juveniles who are caught and convicted of petty theft basically get a slap on the wrist, a stern warning about what will happen if they do it again, and sent home.
The story you have just heard is true. The names were changed to
protect the innocent.
On August 12th, trial was held in Department 98, Superior Court of the
State of __London, in and for the County of __London. In a moment the
results of that trial.
Shillip Herbert Keaver was tried and convicted of robbery in the first
degree - five counts - and received sentence as prescribed by
law. Robbery in the First Degree is punishable by imprisonment for a
period of not less than five years in the __London penitentiary. Because
of the viciousness of the suspect, it was decided that the terms would
run consecutively.
You have just heard "DragNet," a series of authentic cases
from official files. Technical advice comes from the
office of Chief Constable, Scotland Yard, __London.
This is a parody of an old TV show called "Dragnet". Each episode ended with a dramatic narrator reading something 99.9% similar to the comment you replied to. Same fixed format, everything.
still a burglary is when stuff is stolen when no one is there (as in the fine article). A robbery is when something is stolen from your person (like you are help up at gun point for you wallet).
Maybe the criminal was a minor.
At least in my country (Bolivia) if he is a minor almost nothing is done, he'll walk out free.
I'm sure this is not the case in every country.
I don't think there is a need to use the tracking software to build a case against the burglar. They caught him with stolen property and have fingerprints. No need to go high-tech here.
You say "professional hacker" to refer to yourself a lot, but as far as I can tell all you did was use someone else's product.
Where is the hacking in that?
Hacking is creative problem solving. You used a product for its intended purpose.
That's called being a consumer, not a hacker.
lame.
self masturbatory. grow up.
You say "professional hacker" to refer to yourself a lot, but as far as I can tell all you did was use someone else's product.
Where is the hacking in that?
Hacking is creative problem solving. You used a product for its intended purpose.
That's called being a consumer, not a hacker.
lame.
self masturbatory article.
What about "Hacker News"?, some of the news here are not Hacker specific. In the guidelines of this site, it says, that here can be posted articles that comply with this: "anything that gratifies one's intellectual curiosity" So, this site could have be named "Intellectual's News", and not Hacker News?
I'm not a hacker, and love to read the stories here, this is my favorite site to read news every morning.
Yes, you are all right, the term Hacker is misused everyday, and the tendency is growing.
The guy browsed the internet for muslim revelation videos. I could have give him 1 tip to be in God/Allah's good Grace: Don't steal other people's stuff.
Did Sam Odio's blog get hacked? Because I refuse to believe that the Sam whose comments I've been reading on HN would steal from someone. Sam how is what you're doing different from what Anonymous et al are doing? However irritating Jonathan's experiment is, it doesn't give you the right to impose you idea of morality on them.
165 comments
[ 0.22 ms ] story [ 229 ms ] threadfirst to 'somebody who can write a web app', to now 'somebody who can install software'
I think it is great that the average person can now do all those things from a web app. It is funny though that they still consider themselves to be hackers because they can use that web app. Another example of misuse of the term hack that I see all the time is when people use someone else's logged in Facebook session and then claim they "hacked their Facebook" because that person left their session logged in. Silly...
That said, the title does prime one for an epic tail of recovery and revenge involving spoofed IP addresses and total identity theft. This story is a little bit of a letdown, but I doubt he meant for it to get the attention it got.
"Updated: to quell the comments, I did not choose the title to imply downloading tracking software is hacking, I am a hacker by profession and have been all my life."
;0)>
Sorry couldn't resist.
Or maybe it's just really useful.
we (the Prey team) don't have the time or the interest to pay people, thieves or whomever to build and publish these elaborate stories.
I spent almost all afternoon yesterday on Reddit -- where some guy published a similar story -- trying to make it clear that we had nothing to do with it (besides having developed the software).
I'd be happy to answer any questions regarding Prey, but please don't make me go repeating today the same thing all over again.
Skip to 3:15 http://www.youtube.com/watch?v=OAI8S2houW4
I think you under-estimate the speed and hassle of dealing with insurance.
Also most insurance has a deductible. You're still out typically hundreds of dollars.
I had a macbook pro of one of our employees stolen. We used prey to get it back, with assistance from the police. Yes we have corporate insurance, yes we backup our data; but we were still very pleased to receive our stolen property back.
Make sure it has no access to the filesystem outside of its homedir, and you could even set some login items to watch for net access and push a notification.
Full disk encryption is more or less default for most Linux distributions and OS X Lion. In addition, it's the only sane solution if you want to securely encrypt your data.
So why did he rely on luck instead of SSHing to the laptop and unlocking the machine?
>I cranked up the frequency of reports to one in every five minutes to try to get a screen capture of him using gmail or facebook so I could snag a name or login credentials.
Hmm, start a keylogger (and a sniffer) in the background and then scp the logs a couple hours later?
* Reverse SSH: if wget http://myserver.com/sshreverse; then ssh -R 2900:localhost:22 User@myserver.com; fi
Stick this in a file, chmod +x, then add an entry in cron to run it every hour or so. After that, you just need to create a file in your web server called "sshreverse" and you'll have an SSH tunnel to your laptop.
I would set up an icmp proxy with ssh on top of that. And there would be a few good reasons for that. 1: it bypasses a whole lot of firewalls and captive gateways. 2: few hackers would expect such a communication mechanism like that.
Of course, this solution works only if the computer isnt reformatted, as i would do if i ever got into petty theft. So one would need the computer to have an open and easy to get into account. If you use linux, have home directory encryption on and the account called "Administrator".
I don't know of a single person who directly connects their laptop to the internet. This would have been sitting behind a NAT device which, unless port 22 was explicitly forwarded to the IP address that his laptop happened to get via DHCP, would have stopped him from SSHing in :)
I mean, basically doing what Prey does, but without relying on a third-party service and having much more control over the machine.
"Autossh is a program to start a copy of SSH and monitor it, restarting it as necessary should it die or stop passing traffic."
Problem solved!
It seemed perfectly clear to me that you meant that a hacker is going to have some means of finding his stolen laptop rather than that using Prey makes you some kind of hacker.
And to the criticism that you are running a product, that's ridiculous as well. Do we all solder our own motherboards? Devout Not-Invented-Hereism isn't a prerequisite for being a hacker, and in fact it probably makes you much less effective of one.
Personally, it's not so much using a product, but 1) giving access to a third-party (the Prey server admins) to his laptop and 2) being limited instead of having complete control.
Prey just seems a poor solution if you know what you're doing. For non-computer geeks is excellent, though.
Prey is a polished product that you can trust to work. If you are into this sort of thing, certainly you can achieve more functionality and better security by rolling your own, but I don't consider it a prerequisite to hackerdom anymore than soldering your own motherboards. How often do you expect your laptop to be stolen anyway?
Just because you've already done it and you have a pre-rolled solution doesn't mean you didn't invest that time, and don't fool yourself.
It's one or two lines of configuration.
Make up your minds. Is it the inclusive, "explorers of technology" meaning where it's more about curiosity and open-mindedness than skill level, or is it your little l337 boys club badge of honor?
I think among people who do use the word "hacker" to mean someone skilled with computers, it's considered poor form to call yourself a hacker but high praise to be named a hacker. Eric Raymond wrote long screeds about this way back in the 90s when people still gave a damn about him.
Personally, I call somebody who is skilled at breaking systems a hacker. The guy who discovers how to Man-in-the-middle attack an SSL connection is a hacker. The morons in black trenchcoats and leather fedoras who then download a .EXE to automatically do just that and harvest passwords at Starbucks... are fucking scum of the earth script kiddies.
Real answer: I did actually attend Def Con this year, with the intent of learning about hacking, possibly from hackers. I wouldn't call myself a hacker, I just went because I wanted to learn about the subject. Really the whole topic is not something I worry much about... in my line of work we don't compliment people by saying "he's a good hacker", we just say "he's brilliant" or "she does really great work", which to my mind is a better and less ambiguous compliment.
I'm impressed that the police dust for prints in England. I've never heard of someone getting that kind of thoroughness for a domestic burglary where I live.
As far as I know, they never caught anybody, but at least they tried. I'm pretty sure it was my drug-dealing neighbors two houses down... especially since the guy three houses down claims the security cameras on his porch showed them taking stuff from our house to theirs. Oh well.
Thorough investigation, dusted for prints, and even took sample of nondescript, possibly bodily fluid (turned out to be non-organic).
Very professional; Though wouldn't get burglarised again.
I know from experience (not me of course, but that of some kids who stole some stuff from a neighbor) that juveniles who are caught and convicted of petty theft basically get a slap on the wrist, a stern warning about what will happen if they do it again, and sent home.
Kids these days :) :)
also I'm not anonymous you dipshit
I set it up so if this file ever disappears http://iamnotaprogrammer.com/prey.html it starts sending me alert messages like the one below:
Good news my friend, it seems we found it.
Here's the report from your computer:
######################################################## # geo ########################################################
:: lat=(deleted)
:: lng=(deleted)
:: accuracy=33.0
######################################################## # network ########################################################
:: public ip=(deleted)
:: internal ip=192.168.8.121
:: gateway ip=192.168.8.1
:: mac address=34:15:9e:07:af:86
######################################################## # session ########################################################
:: logged user=sudonim
:: uptime=14:21 up 3:12, 6 users, load averages: 2.12 1.91 2.06
Happy hunting!
-------
Then it attaches a picture taken with my camera and a screenshot. All in all, pretty handy to have running.
I'm not a hacker, and love to read the stories here, this is my favorite site to read news every morning.
Yes, you are all right, the term Hacker is misused everyday, and the tendency is growing.