Slashdot Mirror


Tracking A Thief Via The Sircam Virus?

func writes with a rather strange situation: "Hey, my house was robbed, and they stole my computer, vcr, rc heli, and all my beer (!bastards!). But, on the positive side, the thief has been using the computer, and managed to infect himself with the Sircam virus. Now, some of my friends are getting virii sent to them by my stolen computer! Any way to track this guy via email, or even an ip or something stored in the virus code itself? And if I do find him, do I send the cops, or just my 6-foot-4, 260-lb ex-eastern-block buddy Radek?"

Since this virus' spread (cross fingers) seems to be slowing down a bit, this may take fast work. If you can reply with any suggestions for func, please include "Radek" or "Cops" in your subject line. (Just not the FBI.) Perhaps he could send a friendly letter to the thief offering free tech support?

227 comments

  1. Headers by Anonymous Coward · · Score: 1

    Look at the email headers; they give a lot of useful info.

    1. Re:Headers by Alex+Belits · · Score: 2

      I forgot -- there are hostnames and IP addresses in the body of the virus, however they are of the destination or a mailserver, not the originator (see my report about it). Headers are more useful.

      --
      Contrary to the popular belief, there indeed is no God.
  2. Re:excuse me... by Anonymous Coward · · Score: 1
    ... and how will that get your software back? Because obviously, the guy wiped your Linux install and installed Outlook instead!

    What, you mean you had Windows+Outlook installed to begin with? Then probably your beer was pee^H^H^Hcheap American beer too!

  3. So... is it legal to infect YOUR OWN MACHINE? by Anonymous Coward · · Score: 1

    Can I write a virus and infect my own machine with it? For property protection of course.

  4. Re:of course now it won't matter by Anonymous Coward · · Score: 1

    But remember, the guy stole all his beer _and_ managed to infect himself with a virus on a stolen computer! I seriously doubt he reads Slashdot...

  5. And this is supposed to help me how? by Anonymous Coward · · Score: 1

    My computer is a Powerbook G4 Titanium. If I tear it open and fill it with cement, I might manage to add a whole half pound to it. How is this supposed to help?

  6. Forget "Anti-Virus". . . by Anonymous Coward · · Score: 1

    Just send Peter Norton to rough him up a bit.

  7. Re:Keep in contact with him! by Anonymous Coward · · Score: 2
    If you keep posting jokes on slashdot, eventually one will be funny...

    Of course, the rest of us will probably all be dead by then...

  8. HTML email? by Anonymous Coward · · Score: 4

    If he's been emailing your friends, why not set up a quick webserver which hosts a .gif or .jpg and send the guy an HTML email back with an img tag referencing the website you set up. Turn on logging on the website and you'll have his IP address and the access time. From there you can email the upstream/the cops and you should be set.

  9. Re:what an idiot. by Nick · · Score: 2

    I work at an ISP and I know firsthand, here in Kansas, USA anyway, that we can not by any means give out information. The victim *must* get a subpoena to us. The police and courts must get involved.

    If someone roots your box and you wanna know the IPs or even the dates/times it occurred, you can't do much without getting the law involved. In that case all we could tell you was that your machine was accessed by an IP other than the one(s) that were assigned to you.

    --
    Fuck Ajit Pai
  10. Re:IP address in mail header by narf · · Score: 1

    Not necessarily true. At my old ISP[1], each dial port was assigned a specific IP. I believe they first used BSDI boxes with multiport cards, and then moved to USR/3Com TotalControl racks.

    [1] It was fun to be able to say 'I'm a Hooker!'

  11. re car thieves by vipw · · Score: 1

    killing someone stealing your car is self defense, they're stealing a very deadly weapon and you would be a fool to let them live long enough to start the engine so they can kill you with it.

  12. Headers by Alex+Belits · · Score: 3

    "Received:" headers in the mail usually contain IP addresses and dates -- when checked against ISP logs they can point to the user, or a phone number if he used a dialup with your account.

    Of course, email MUST be copied in the form it was received, not mutilated by Outlook or other kind of garbage. If the recipient is unlucky enough to use Exchange, enable POP or IMAP support and download email from it using fetchmail or pine.

    --
    Contrary to the popular belief, there indeed is no God.
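The "Received:" chain discussed in the comment above, worked through as an added example (not part of the original thread or any poster's code). The sample message, the `.example` host names and the `TRUSTED_HOSTS` set are constructed assumptions; only bracketed IPv4 literals are handled. It walks the headers newest-first and stops at the last hop written by the recipient's own servers, since anything below that point was supplied by the sending side.

```python
import ipaddress
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (not a message from the thread). Hosts use .example names
# and addresses from the documentation ranges 192.0.2.0/24 and 203.0.113.0/24.
RAW_MESSAGE = """\
Received: from mx.friend-isp.example (mx.friend-isp.example [192.0.2.25])
\tby mailstore.friend-isp.example with ESMTP id CONSTRUCTED2
\tfor <friend@friend-isp.example>; Tue, 31 Jul 2001 14:05:12 -0500
Received: from stolenpc (dial-17.thief-isp.example [203.0.113.77])
\tby mx.friend-isp.example with SMTP id CONSTRUCTED1
\tfor <friend@friend-isp.example>; Tue, 31 Jul 2001 14:05:09 -0500
Received: from fake.example ([10.1.2.3]) by nowhere.example;
\tMon, 1 Jan 2001 00:00:00 +0000
From: victim@victim-isp.example
To: friend@friend-isp.example
Subject: constructed sample

body omitted
"""

# Assumption: the mail servers the recipient (or their ISP) actually operates.
TRUSTED_HOSTS = {"mailstore.friend-isp.example", "mx.friend-isp.example"}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+([^\s;]+)", re.IGNORECASE)


def parse_received(value):
    """Split one Received: value into recording host, peer IP and UTC time."""
    unfolded = " ".join(value.split())          # undo header folding
    info, sep, stamp = unfolded.rpartition(";")  # timestamp follows the last ';'
    if not sep:
        info, stamp = unfolded, ""
    by = BY_HOST.search(info)
    ip = None
    match = IP_IN_BRACKETS.search(info)
    if match:
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:                       # e.g. [999.1.1.1]
            ip = None
    try:
        when = parsedate_to_datetime(stamp.strip())
        if when.tzinfo is None:                  # "-0000" yields a naive time
            when = when.replace(tzinfo=timezone.utc)
        when = when.astimezone(timezone.utc)     # ISP logs need one time base
    except (TypeError, ValueError):
        when = None
    return {
        "by": by.group(1).lower() if by else None,
        "ip": str(ip) if ip else None,
        "rfc1918": bool(ip) and any(ip in net for net in RFC1918),
        "utc": when,
    }


def handoff_hop(raw_message, trusted_hosts):
    """Return (boundary_hop, all_hops).

    Each server prepends its header, so the list is newest-first. The boundary
    is the last consecutive hop recorded by a trusted server: its peer IP is
    the machine that connected to the recipient's infrastructure. Hops after
    it were present when the message arrived and may be bogus.
    """
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    boundary = None
    for hop in hops:
        if hop["by"] not in trusted_hosts:
            break
        boundary = hop
    return boundary, hops


if __name__ == "__main__":
    boundary, hops = handoff_hop(RAW_MESSAGE, TRUSTED_HOSTS)
    for hop in hops:
        tag = "trusted" if hop["by"] in TRUSTED_HOSTS else "unverified"
        print(f"{tag:10} by={hop['by']} ip={hop['ip']} "
              f"rfc1918={hop['rfc1918']} utc={hop['utc']}")
    if boundary:
        print("Report to the ISP:", boundary["ip"], "at", boundary["utc"])
```

Run it against the raw message source saved exactly as received; a forwarded or re-saved copy usually loses the original headers.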
  13. Even easier/quicker by Tim+Macinta · · Score: 3
    If he's running any old binary sent to him, why not have one of your friends send a gift in reply? All it needs to do is grab the IP and timestamp, then email those details to you. Forward that to the police who can get location data from the ISP.

    Why not bypass the ISP (and the accompanying red-tape) entirely? If the laptop is using a modem to connect to the net, send the thief a binary which would cause the modem to call your home or work number and immediately play a sound clip that you can identify. When you receive a call that plays the sound clip, look on your caller ID and then use a reverse directory to map the phone number to a physical address.

    If the laptop is using ethernet to connect... well, that's a bit tougher. I'm not sure how to track it without the assistance of the ISP in that case.

    1. Re:Even easier/quicker by ahrenritter · · Score: 1

      Now this is by far the best solution I have seen so far.

      We have to assume it is a dial-up, he wouldn't have the right connection to support DSL or cable modem. Write up a juicy sounding e-mail, include a nude picture from alt.nekked.somethingorother and an executable that phones home. I think that would stand a very strong chance of succeeding.

      Once you have a tele/address, the police would be much more inclined to pick him up. I've faced the bullshit red tape of trying to get a company to do something to help you bring a criminal to justice.

      Great idea Tim!

      Me to ISP: "This person did something illegal. Can I have his address to have him arrested?"
      ISP to me: "No. We can only speak with law enforcement personnel."
      Me to police: "This person did something illegal, can you contact his ISP and request his records to catch him?"
      Police to me: "No, you need to fill out a crime report and we will investigate it from there."

      And the story ends there. :/

      --

      All I wanted was a rock to wind a piece of string around, and I ended up with the biggest ball of twine in Minnesota
  14. Re:IP address in mail header by ptomblin · · Score: 2

    PPP gives you the IP to use, but where do you think their PPP daemon gets the IP to give to you? That's right, a DHCP server. Just because you're not running a DHCP client doesn't mean that your IP isn't coming from DHCP.
    --

    --
    The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
  15. Re:IP address in mail header by ptomblin · · Score: 2

    And you're one of those people who wets yourself every time somebody gets a buzzword slightly wrong. Ok, it's not DHCP, but it is a dynamic method of allocating IP addresses from a pool. Big frigging difference. "DHCP" is a way of saying the same damn thing in 4 letters instead of 9 words. Nobody cares what the internal protocol is, the net result is that you may or may not get a different IP address every time you connect.
    --

    --
    The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
  16. Nope, no open containers by marcus · · Score: 1

    Not any more. No matter if it's a passenger's or not.

    Good judgement comes from experience, and experience comes from bad judgement.

    --
    Good judgement comes from experience, and experience comes from bad judgement.
    - W. Wriston, former Citibank CEO
    1. Re:Nope, no open containers by laxian · · Score: 1
      Limousines don't cost much at all!

      Limo party! Woo hoo!

      --

      our written thoughts are gifts to our future selves

  17. Re:excuse me... by Plutor · · Score: 1

    If you had actually done some research, you would know that Outlook is not required for the SirCam virus to replicate. It has its own SMTP capabilities coded in, and it searches the hard drive for files containing email addresses.

    Don't be so quick to insult someone for their choice of software when you don't even know what you're talking about.

  18. Re:just a thought? by VAXGeek · · Score: 1

    F word?
    ------------
    a funny comment: 1 karma
    an insightful comment: 1 karma
    a good old-fashioned flame: priceless

    --
    this sig limit is too small to put anything good h
  19. Contact the isp by laertes · · Score: 2
    Here's the deal; he's connecting to the internet somehow, so you have to track him down with that. Mail messages contain, in their headers, the IP address of the sender. Now, it's possible to forge these, but this is an outlook virus, and I imagine that outlook tells the truth about its IP address.

    Now, this device could have a local (192.168.* or 10.*) address, but the address should be your mail provider. Here's to hoping you use somebody's SMTP mail service! Anyway, you need to contact your mail provider, and find out which IP address he sent the message from. Then, do a reverse name lookup, and contact his ISP.

    Now, as someone mentioned earlier, if he is using your dialup service, this is even easier. However, I'm going to guess that he is using something like DSL, where you can connect multiple computers. That is just a guess, I'd just like to show that it is possible even if that is the case.

    Regardless of how you find this guy, involve the police. I don't know what country you live in, but most police around here (Minnesota) don't appreciate you doing their job for them. Nor do the courts.

    --

    Yes, I'm still a junky. Are you still a bitch?
    1. Re:Contact the isp by 13013dobbs · · Score: 2
      Here's the deal; he's connecting to the internet somehow, so you have to track him down with that. Mail messages contain, in their headers, the IP address of the sender. Now, it's possible to forge these, but this is an outlook virus, and I imagine that outlook tells the truth about its IP address.

      It is not possible to forge these headers, he may be able to add extra bogus headers, but his IP *will* be in there.

      --

      No replies made to AC posts. Please log in.

    2. Re:Contact the isp by S.Lemmon · · Score: 1

      SirCam has its own SMTP routines and mails itself directly. It won't use the ISP's mailer regardless of how Outlook is set up, so you should see the PC's actual IP address (or the address of the firewall it was behind) in the email's headers. Still traceable though.

  20. Correct, but make sure police know procedure by mortonda · · Score: 1
    There are certain procedures needed by law to obtain those records. Due to the Electronic Communications Privacy Act, the ISP cannot voluntarily give those records to police (yet to be tried by case law). They probably ought to get a court order before getting that info.

    Have your local police look at http://www.cybercrime.gov/searchmanual.htm before proceeding.

  21. Re:OTOH... by mortonda · · Score: 1

    If you can find the ISP, they can give you the info, which you can then give to the police. It's a weird law.

  22. Re:IP address in mail header by bonehead · · Score: 1

    Um, no.

  23. Re:heh, tempting... by bonehead · · Score: 1

    Here's how you do it:

    Get the cops involved. Track him down, try to recover your possessions, then let the courts have their way with him.

    Once he's back on the streets, keep tabs on him but don't do anything right away. Wait 6 months, maybe even a year. You want to let the situation fade from everyone's mind so that you're not the first name that pops into their heads when the thief turns up in the ER. After sufficient time has passed, sic Radek on the prick. I'd even recommend tagging along and getting a few shots in yourself.

  24. Re:Some laptops phones home by CMiYC · · Score: 2

    That's great as long as someone doesn't get the laptop and re-install right away... which I would assume any intelligent thief would do. Except in this case.

    If you stole someone's computer, wouldn't it be somewhat wise to trash the data on it as soon as possible? That way it'd be harder to prove it's not yours. Furthermore, why on earth would you start connecting to the internet with someone else's computer? That isn't very smart.

    Your idea sounds good except that it'd have to be done in software. Or it'd have to be integrated into the operating system and done every single time the laptop connects. Sounds like a great idea? Sounds just like putting a unique ID on a Pentium 3.......

    ---

  25. simple... and laptop tracking by Oo.et.oO · · Score: 1

    that is EXACTLY how simple it is...
    if you don't mind possibly not getting the rest of your stuff back, being charged with assault, and possibly assaulting someone who bought (unknowingly) stolen goods.

    i say, track the bastard. then contact the cops. if they can't get your stuff back, and you are sure they are the culprit. THEN send in your 6 foot friend to go medieval....

    the poor bastards who go to RPI now all have to buy laptops, and you always hear about them getting stolen. i always wonder how easy it would be for RPI or others to track hardware addy and find out where and if someone was using a stolen machine. This could even be automated and log all packets so you could see what they were doing, and who they were. Maybe even take a picture of them in the act with sec. cameras when available.

    but that would put the burden on RPI and not the ever reducing intelligence of the incoming students. (don't leave your laptop lying around!!!)

    1. Re:simple... and laptop tracking by steeljaw · · Score: 1

      Good plan, but you haven't accounted for the beer! Track the thief, go to their house (with Radek, and maybe a couple of other buddies) and politely ask for some cash to get some beers, explain that you really need a drink because your machine was stolen and the thief didn't have the decency to leave you any alcohol to cope with your loss. When he/she looks really uncomfortable say "Oh, and this is my bud, Radek"... Shortly after you should receive your missing goods, along with enough cash for a case of beer..

      --jr.

      --
      Procrastinators, Unite Tomorrow!!
    2. Re:simple... and laptop tracking by kochsr · · Score: 1

      my family rededicated a softball field at RPI a month or two ago, and there was a big hullaballoo because it was already named for some other people. have you heard anything about that?

  26. Jeezus that is a scary thought by Archfeld · · Score: 2

    more than half our corp drones can't remember their own passwords from week to week, imagine the mess if the bone-heads' machines started bombing themselves out of existence

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  27. Re:excuse me... by sacherjj · · Score: 1

    At least my delete key actually deletes characters, Mr. Ctrl H... :)

  28. Re:Hidden radio transmitter instead perhaps? by sacherjj · · Score: 1

    It would be easier to get a real world fix on your stolen goods (laptop or desktop... doesn't matter) with a radio transmitter than it would be with an IP address. And since the goods in question have all the electrical power they would need for that sort of thing, it should be pretty easy.

    I would have to seriously disagree. Your radio signal has a very short detectable range. You need a decent signal to DF. The IP address sent with data when the computer gets on-line can be captured from anywhere (as long as the receiving server is on-line). With a radio transmitter, the thief must live in your neighborhood to even have a chance.

    Another idea might be to use GPS if it can be done... Every time you connect to the net, it sends out its GPS coordinates to your favourite web host. :)

    Doubtful that the computer would be set up anywhere with a clear view of the GPS satellites.

    Both hardware solutions are expensive for that rare theft possibility.

  29. Hidden Bomb? by sacherjj · · Score: 4

    I never thought about this, but it is an interesting idea. Has anyone programmed a hidden bomb that must be disabled every couple times you boot up, by the user. If this disabling action isn't completed after a few boots, it starts sending information to a secure location. Just give them enough leeway to hang themselves. (Of course, this assumes they are on the net.)

    Although, the first thing I would do if someone handed me a computer is format and reload all the drives...

    1. Re:Hidden Bomb? by freq · · Score: 1

      there's software that accomplishes the same thing although through different means. Every time your PC goes online, the software makes itself known to a central server. If the server gets contacted by a PC on the 'red alert' list, it contacts it and gets more info on it

      I thought it was called Windows XP ???

      --
      "Tension is the great integrity" -- R. Buckminster Fuller
    2. Re:Hidden Bomb? by Fishtank · · Score: 1

      I had one of those for FTP access to a webserver I paid for once, with Planet Online. The device was time synchronised with a similar one in the computer, and in any given 10 second (or so) period, they would both have the same numbers.

      Needless to say, the device was small enough that it was always lost when I needed it.

    3. Re:Hidden Bomb? by gmhowell · · Score: 2

      I haven't yet, but was considering it when my company was in takeover talks. A little bit of job security.

      Probably a bit illegal as well.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    4. Re:Hidden Bomb? by brokeninside · · Score: 1
      I had an acquaintance that did this many moons ago.

      I'm sure you know the type. Paranoid. Into trading illegal files. Heavy into the BBS scene (back in the late nineteen-eighties).

      Hitting the power button on the front of his desktop PC powered up an electro-magnet attached to his harddrive.

      He never let me look close enough to figure out how to turn the box on.

      have a day,

      -l

    5. Re:Hidden Bomb? by Patton · · Score: 2

      Yes. That and it proceeds to self destruct afterwards. Total wipeout with multiple passes after encrypting certain parts of the drive (in case the wipes are interrupted somehow). Since critical data is kept in multiple countries I can afford to have it destroy itself outright. It tries to send an SOS first but either way my setup will do its best to make itself pretty useless except for the hardware.

    6. Re:Hidden Bomb? by szcx · · Score: 3
      I was contracted to write one a few years ago for installation onto all of a company's notebooks. Once a week it had to be reset, or the machine would purge documents and lock out.

    7. Re:Hidden Bomb? by gfxguy · · Score: 1

      I thought about doing this at work. Just a simple cron entry to make sure I was logging in on a regular basis. If not, then...well, thinking of what to do at that point is half the fun. It'd be more fun to slightly disable things, or introduce some buggy versions of my own software so that they'd have to come begging... But I decided not to be that mean, I'm sure if they fire me they have a good reason, right? Like wasting my time posting on /.

      --
      Stupid sexy Flanders.
    8. Re:Hidden Bomb? by martin-k · · Score: 4
      I was contracted to write one a few years ago for installation onto all of a company's notebooks. Once a week it had to be reset, or the machine would purge documents and lock out.

      Yeah, I heard about that program. It's called Microsoft Windows.

      -Martin

    9. Re:Hidden Bomb? by Cheshire+Cat · · Score: 1

      Yeah blow up your own computer. What a great way to get it back!

      --

      Last night I shot an elephant in my pajamas. How he got in my pajamas I'll never know.
    10. Re:Hidden Bomb? by stungod · · Score: 1

      You mean buy a powerbook or a Dell?

      -------------------------------

    11. Re:Hidden Bomb? by homer_ca · · Score: 1

      Or even better than that, find an old 486 laptop as a decoy and rig the power so the battery overloads and explodes spewing toxic chemicals all over the thief. Put the decoy in a conspicuous place.

    12. Re:Hidden Bomb? by RedOregon · · Score: 1

      Several of them out there... this was the first one that came to mind: http://www.absolute-protect.com/index.htm

      ____

      --
      Skivvy Niner? Email me!
      HEY! Look left just ONE MORE TIME!
    13. Re:Hidden Bomb? by Kryptonomic · · Score: 2

      Those notebooks and company PHBs must have been a winning combination.

    14. Re:Hidden Bomb? by Mr+44 · · Score: 1

      That works well until your sister comes out to visit and tries to turn on your computer :)

    15. Re:Hidden Bomb? by interstellar_donkey · · Score: 2
      Has anyone programmed a hidden bomb that must be disabled every couple times you boot up, by the user. If this disabling action isn't completed after a few boots, it starts sending information to a secure location

      I think that's how the new Windows XP works, sans the 'secure location' part.

      --
      The Internet is generally stupid
    16. Re:Hidden Bomb? by TOTKChief · · Score: 2

      Yeah, and if you'll post your resume online, I think the FBI needs a guy just like you...

    17. Re:Hidden Bomb? by mike260 · · Score: 2

      I believe there's software that accomplishes the same thing although through different means. Every time your PC goes online, the software makes itself known to a central server. If the server gets contacted by a PC on the 'red alert' list, it contacts it and gets more info on it (although, as someone pointed out, all that's really needed is an IP address and a time), ba-da-bing.

      Although, the first thing I would do if someone handed me a computer is format and reload all the drives

      Lucky for the poster he got such a stupid thief. I guess a system based on something like CPUID or NIC MAC address would work better; it'd have to be part of the OS though, and pretty well-secured too.

    18. Re:Hidden Bomb? by cavemanf16 · · Score: 2

      My stock broker friend had to work out of his home for a while whilst they built his office. During that time in his house, he had to dial-up to his firm to place orders, check stock quotes, etc. Whenever he attempted to dial-up, he had a little pocket sized calculator looking thing that picked 'random' keys for him, that he then had to input within 30 seconds of dialing up, or else (I think the dial-up and key card worked by creating keys based on the time of day). If after 3 tries he failed to authenticate, the computer basically shut off his ability to dial-up his firm, which at that point he would be in big trouble for the inevitable need to ship the laptop back to the home office to get reimaged. Needless to say, he never let this happen.

    19. Re:Hidden Bomb? by jsindell · · Score: 1

      We had those for dial-up at a company I worked for. It was called a SecurID card and added an extra level of authentication when RAS'ing in. It kinda sucked to dial up right as the number was changing 'cause I never knew if I should go really fast putting the current number in or just wait for the next one.

  30. Keep in contact with him! by mattkime · · Score: 5

    You need to give him a reason to keep in contact with someone. I suggest you ask a female friend to take nude pictures of herself which she will send on a regular basis to this guy. Eventually, she will meet him in a sleazy hotel room and crush him between her thighs.

    --
    Know what I like about atheists? I've yet to meet one that believes God is on their side.
    1. Re:Keep in contact with him! by teasea · · Score: 2
      Eventually, she will meet him in a sleazy hotel room and crush him between her thighs.

      I'm gonna have to start stealing computers; this is how I wanna go :) Poor funeral director won't be able to wipe the shit-eating grin off my face.

    2. Re:Keep in contact with him! by Tricot · · Score: 1
      I suggest you ask a female friend to take nude pictures of herself which she will send on a regular basis to this guy.

      Oh come on... He's a slashdot reader.. he doesn't have any female friends. He'd be better off snarfing some pr0n from usenet and trying to pass himself off as a woman.

  31. make sure to print full headers by Barbarian · · Score: 2

    Just make sure you got the full headers of the messages that were received...this is easy to do in both Outlook and Netscape.

    If files are being attached, print out the messages in their normal format in Outlook/Netscape (i.e. human readable), then view source and print the headers too...

  32. Re:IP address in mail header by StDave · · Score: 1

    For the point of this article, I think this is irrelevant anyway. If the victim can get a couple IP addresses and exact times (probably from an intermediate SMTP host to ensure accuracy) the ISP, if they are cooperative and competent, can probably (with considerable work) get the CID data.

    It is not a considerable amount of work. It's almost trivial. The key will be to convince the ISP that you are who you say you are and are looking for the info that you say you are looking for. But if I was the ISP and you asked me, I'd tell you to pound sand.

    Suppose that I give you the info and you go over and kill the guy for drinking your beer. I am now liable for that murder. IANAL, but I think the bad guy's family can sue me for wrongful death.

    I would call the ISP ASAP and ask them to cull the data and save it for the police. Then call the police and tell them that you have their crook, they just have to go pick him up.

  33. Re:Im not so sure this will help by nix · · Score: 1

    Used computer stores generally reformat hard drives before they resell computers. Imagine the fate of a store that resells a computer loaded with internet porn. *nix

  34. Re:Yes. by IanCarlson · · Score: 1

    First, the ISP is under no obligation to do anything.

    Second, the ISP doesn't know what the caller's address is, they could only give the phone number to the police, and the police would have to reverse look-up the number themselves.

    Third, finding a caller's phone number from just an IP isn't as easy as everyone thinks it is, even for the ISP. There is still a considerable amount of leg work to be done to find a number, not to mention the red tape that larger ISPs will have to cut through to do so. A case of beer for the inconvenienced tech would be merely a start.

    Nothing's that simple.

  35. Re:Yes. by shri · · Score: 5

    Assuming that the poor guy's startup page is not set to slashdot! If that's the case the thief knows what's going on. ;)

  36. Cop paranoia of a lesser kind by eddy · · Score: 3

    Somewhat related...

    A long time ago a friend of mine ran a BBS on his Amiga. He had the startup rigged with a boot-menu containing a fake "Start BBS"-entry as a default, which - if chosen - would encrypt the RDB (Rigid Disk-Block) and reset. Or something to that effect.

    Hey, don't look at me, it wasn't my computer, nor my idea.

    --
    Belief is the currency of delusion.
  37. as an IT guy in a stock brokerage... by No-op · · Score: 1

    This product is called SecurID, and it works pretty well. it's typically sold by RSA security or resellers for them. works really nifty with SSH connections, IPSec VPN stuff, etc.

    although it's only really useful if you set a hard company policy that not following the usage rules for it will get you spanked. otherwise you have to run around after users trying to fix their stupidity, which is always hopeless :)

    --
    EOM
    1. Re:as an IT guy in a stock brokerage... by SumDeusExMachina · · Score: 1
      Yeah, 2600 had a nice article on them about a year ago. It was the Spring 2000 issue, I believe.

      Oh, and in regards to the address for your homepage, so did I ;)

      --

      Is your company running tools written by ma
  38. My vote by JoeLinux · · Score: 1

    My vote: send buddy.

    :)

    JoeLinux

  39. What he's really asking by ugglan · · Score: 1

    "I got the diary of this girl emailed to me, I know I shouldn't have but I sortof read it, and now I've completely fallen for her. She doesn't answer to my emails. How do I find out where she lives to get in touch with her?"

  40. Re:Radek! by MindStalker · · Score: 1

    Well this isn't a macro virus, and most users don't have smtp outgoing firewalled to only a certain program. Though I think they should.

  41. SecurID was Re:Hidden Bomb? by Camarones · · Score: 1

    We use these SecurID tokens in my company too. Every remote user (at least 10,000 of them) has one. It's used primarily for VPN and other remote connections to the main corporate network. The six-digit number on the token changes every 60 seconds and the numbers are different with each token. The only drawback to these that I see is that they tend to fall out of synchronization requiring a call to the helpdesk which is thankfully open 24/7 (we're a major engineering company with offices and projects worldwide). A nifty product for sure.

  42. If it's YOUR ISP... by SEWilco · · Score: 1

    If the thief is still using your service, he's also stealing that. At any rate, as you're the customer, the ISP should be helpful in giving you information about "your" access.

  43. Re:Bear in mind by Unknown+Poltroon · · Score: 1

    Good point. Have Radek ask him questions FIRST!!

    --
    All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
  44. it depends by Unknown+Poltroon · · Score: 5


    If it was good beer, leave the cops out of it. If it was bad beer, sic the law on him.
    If it was BUD, have Radek slap some sense into you.

    --
    All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
  45. Re:Should be pretty easy. by mefus · · Score: 1
    I should think they'd be happy to get this kind of slam dunk to clear a case.

    Nope, the FBI is only interested in thought crimes.

    This, it's physical.

    mefus
    --
    um, er... eh -- *click*
    --
    mefus
    In Open Society, GPL Software frees YOU!
  46. Re:Bear in mind by mefus · · Score: 1

    That's pretty nifty, but I think it's passive, i.e., it only receives signal but doesn't transmit. Unless you have something in the BIOS (including at least a primitive TCP/IP stack) that'll send the received information over the ethernet/modem link to some way-point for collection, wiping the harddrive and reinstalling will defeat that.

    mefus
    --
    um, er... eh -- *click*

    --
    mefus
    In Open Society, GPL Software frees YOU!
  47. Re:Hold on a minute... by mefus · · Score: 1

    Dude, his friends are getting an Outlook Virus.

    Say anything to you?

    mefus
    --
    um, er... eh -- *click*

    --
    mefus
    In Open Society, GPL Software frees YOU!
  48. Re:Should be pretty easy. by mefus · · Score: 1

    where high-dollar == corporate finance numbers dance?

    mefus
    --
    um, er... eh -- *click*

    --
    mefus
    In Open Society, GPL Software frees YOU!
  49. Re:Should be pretty easy. by mefus · · Score: 1

    I don't even think that's true. I was drawing on the irony of the current DMCA actions by the FBI, not sarcastic. And, Adobe has washed its hands of the case, so there is no loss being claimed.

    The fact of the matter is the FBI is pursuing this case, and I believe it does have to do with money. But it isn't losses claimed that are the objective of this action. The FBI/DoJ are now the dog of Bush's dark cadre of interests wishing to enslave the American people[1] to its money machine (and hang constitutional law.)

    [1] A different way of saying "captive market".

    mefus
    --
    um, er... eh -- *click*

    --
    mefus
    In Open Society, GPL Software frees YOU!
  50. Re:Should be pretty easy. by mefus · · Score: 1
    This is what I was taking issue with

    And my meta-commentary was (I thought, very clearly) in response to your comment in light of the FBI's preoccupation especially in view of recent events (viz. The Free Dmitry scandal.)

    This didn't "turn into the DMCA" except insofar as that is helpful in conjecture as to what the FBI/DoJ would take an interest in prosecuting.

    Sorry if I didn't make that clear


    mefus
    --
    um, er... eh -- *click*
    --
    mefus
    In Open Society, GPL Software frees YOU!
  51. Radek! by wiredog · · Score: 3
    Someone who steals your computer and then disables the security deserves what he gets.

    I assume he disabled your security. And not that you forgot to secure it.

    1. Re:Radek! by Fjord · · Score: 1
      At no point does it say the computer is a laptop.

      BIOS passwords are easy to disable, so they are only good for preventing people who aren't going to steal the computer from accessing it (even then, they can disable it if they don't mind that you will notice it being disabled afterwards). The upshot is that it doesn't help here.

      We know this is a Windows box, because of the virus it contracted and that his friends' email addresses were still in the address book (as opposed to wiped when the thief saw Linux). Even then, I don't see how drive encryption would prevent contracting a worm.

      If the thief saw a login password they could not get by, they would just wipe and reinstall. Then there would be no way to track the thief.

      This explanation doesn't fit well with the original poster's comments.

      --
      -no broken link
    2. Re:Radek! by Fjord · · Score: 3
      What security? Up until a few days ago, there wasn't a virus package that would detect SirCam. Do you expect him to update virus checkers on computers not in his possession? Presumably you don't mean security by disabling the ability to retrieve email, so then what do you mean?

      Note: I do disable VBS files (by associating them with notepad) on my home WinME machine, but this isn't common practice. I do it because many people use my home machine. Disabling VBS files like this isn't considered "security enablement" in the sense of updating patches and locking down ports.

      --
      -no broken link
    3. Re:Radek! by StormRider01 · · Score: 1

      He means Laptop security, i.e. bios password, drive encryption (NTFS or Linux Variant), login password to os, etc.

  52. Re:Bear in mind by M-G · · Score: 1

    something i'll be employing when GPS systems become small and cheap enough to fit inside tv's and computers.

    Is this small enough for you?

  53. Re:Bear in mind (Cops) by darkonc · · Score: 2
    I don't think you can get charged for theft for taking what's legally yours.

    You CAN, however, be charged with Break and Enter for getting in to take what's legally yours.

    Of course, if you grab the wrong hot computer, you're in double doo-doo. Best to let the cops handle it for you. 4 times out of 5, the crook will cop a plea bargain and your stuff will be available to you before the CPU is completely obsolete.

    If you want the data off of the laptop, it may be possible to get permission from the police to make a backup. (this is a guess. I've never tried it).
    --

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.
  54. Re:just a thought? by tapiwa · · Score: 1

    Hey, old ladies can be guilty as well.

    There was a case in the paper a couple of days ago, about a 60+ year old woman who was caught in the act, after a few months worth of investigation by the cops.

    Seems she used to go around scratching/etching the F word on cars, and managed to cause just under £10 000 worth of damage.

    Send Radek with a blowtorch and pliers!! Time to get medieval on her ass!

    --

    Live today. Tomorrow will cost a lot more!

  55. Re:Fuck the police, get some vengence by Tackhead · · Score: 3
    > The cops will just get snitty with you cuz you solved the crime.

    If you walk in to your local PD and say "I 0wn h1m! j00 cl00less fux0rz list3n 2 m33!", yeah, they'll get snitty.

    If you walk in, and behind closed doors (or cubicles :), outline how you solved it, in such a way that the officer you're talking to also has enough of an understanding on how to solve it, you've just taught a cop a new way to solve crime that none of his buddies know, and you've probably just made a friend.

    Beat a man over the head with a fish, and he'll slap you across the face with one. Teach a man to fish and you're both fed for life.

  56. Re:Im not so sure this will help by Tackhead · · Score: 4
    > This probably won't help you get right to your robber, he probably sold all your stuff. And if he was smart he probably sold it to a used computer store that would resell it. Although most pilfers aren't the smartest bunch, good luck ;)

    IANAL, but ISTR that in these cases, the used computer store (pawnshop) is guilty of "possession of stolen property". As is, for that matter, the innocent sucker who walks in off the street and buys it. As such, you can still get your computer back.

    Option 1: (There's only one bad guy, the thief.) The guy who bought the computer will be pissed, he'll be pissed at the computer store. The guy who runs the computer store will be really pissed, and he'll be pissed at the guy who sold it to him. End result -- the thief loses his ability to sell stuff at that store.

    Option 2: (There's another bad guy, in that there's a store or pawnshop operating as a "fence", that is, reselling goods they know are stolen). The guy who bought the computer will be pissed. The cops will have evidence to use in their (likely ongoing) case against the fencing operation. End result -- the thief may get away, but the fencing operation goes down.

    Either way, by providing evidence to the cops, you increase the odds of getting your stuff back and cleaning up your town.

  57. Re:Cops can help... by Tackhead · · Score: 5
    > ...if they are willing to look at technical details.

    Very true, the trick is to get someone at your local PD interested in the case. Routine burglaries are, well, routine. Just as the FBI laughs if the losses are less than $BIGNUM, your local cops generally don't give a damn about property theft, because the odds are slim and the cases are boring as hell.

    1) So don't call - show up in meatspace at your local police department. (Or if you've filed a police report on the burglary, you probably have an officer's business card. In that case, call and try to set up a 15-minute appointment.)

    2) You may want to talk to a detective, rather than the beat cop. Dunno how lucky you'll be at finding one. Might be worth a shot. Go through channels.

    3) (Here's the kicker). YOU know how to solve the crime. The cops don't. So YOU explain it to the cop or detective - in detail. Bring printouts. Use highlighters. Emphasize the point that even though you did the legwork, you don't want credit - you want the cop to get credit for solving the "high-tech" case. This means career advancement to the cop/dick, and ought to interest him, even if the dollar value of the case is peanuts.

    "My house was broken into and bad guys stole my stuff" - a boring case, like dozens of others, involving all the paperwork with no chance of recovering the goods.

    "Here's an open-and-shut case on how to track a thief through cyberspace" - something new, possibly a promotion for finding a new way to solve cases, and a reputation within the department as "the guy who knows how to track criminals through cyberspace, he's even smarter than that moron the Feds send us every few months".

    If you're helpful to your local cops, they just might be able to help you.

  58. Re:Fuck the police, get some vengence by cobar · · Score: 1

    That's cause he ain't got no thumbs to press space with.

  59. It's funny, but it sucks. by thetechweenie · · Score: 1

    I would contact your local PD, and do a little investigating on your own. First, I'm assuming that he configured his own mail account on the computer. If you have his name, try locating him. Then late at night, sneak into his home, and steal everything back. Leave a note, saying that he was too stupid to be able to keep the computer. Then poop on his rug for taking your beer. Oh, don't forget to unplug your VCR, that will really piss him off.

    Best of luck to you. This guy should also get extra time for stupidity.

    --


    Um, this is my sig.
  60. Re:Trace account, then trace to phone # by thetechweenie · · Score: 1

    First of all, this ISP won't give out any info on their customers. Unless, you pursue this through legal channels. Secondly, most ISPs use PRIs and the caller ID info comes along the pipe. So chances are the ISP has their phone number in their Radius logs already...

    --


    Um, this is my sig.
  61. Re:Bear in mind (Radek) by reflector · · Score: 1

    That's a dumb law. How can a buyer be positively sure that something they're buying secondhand is not stolen?

  62. Forget Radek. . . by fizik · · Score: 2

    Send him Norton Anti-Virus, Poor Chap

  63. Re:what an idiot. by wumingzi · · Score: 1

    I work at an ISP and I know firsthand, here in Kansas, USA anyway, that we can not by any means give out information. The victim *must* get a subpoena to us. The police and courts must get involved.

    I work as a systems administrator at a company in Seattle, and I have on more than one occasion gotten the dialup number from tech support at a national ISP of users who have attempted (not succeeded, but attempted) to break into our systems through the network.

    The policy is as you say, but it's amazing what a recipe of one part sugar-and-spice and two parts firm-and-authoritative will do to work around that policy.

  64. Re:Use his stupidity against him... by BlueUnderwear · · Score: 2
    > All it needs to do is grab the IP and timestamp, then email those details to you.

    Not even necessary. That info is in the e-mail header anyways, unless your friends goofed and saved the mails without their headers.

    --
    Say no to software patents.
  65. Re:Should be pretty easy. by BlueUnderwear · · Score: 4
    > Worst case, the current user is somebody who bought the computer from your thief and not the thief her- or himself, but it still gets you close.

    No, that's not the worst case. Worst case is that the virus didn't actually infect the stolen computer, but rather the replacement computer that you're using now...

    --
    Say no to software patents.
  66. Re:Fuck the police, get some vengence by BlueUnderwear · · Score: 5
    > Send you friend over and tell him to bring back both the thief's thumbs.

    Nowthat'sacruelandunusualpunishment!

    --
    Say no to software patents.
  67. Re:Bear in mind (Radek) by Phork · · Score: 1

    It is the same in the USA, except here you can end up in jail for it. It is called "possession of stolen property".

    --
    -- free as in swatantryam - not soujanyam.
  68. Re:IP address in mail header by poptix_work · · Score: 2

    Err, you're one of those people who go around spewing out buzzwords. Most dial-up terminal systems have a pool of IP addresses that are assigned to the unit itself. When someone dials in, their username/password is checked against a radius server; if it is correct, the same packet contains information about their IP address, static or dynamic. If it is dynamic, then the terminal server will look at its pool, pick one, send an ARP request to the network to make sure another unit/machine/etc is not using it, then give it to the client and reply to any ARP requests for it on the LAN side. None of this involves DHCP.

    FYI, I know the previous to be true on Ascend and Livingston equipment, others are unknown, but likely the same or similar.

    --
    Just because you disagree doesn't make it offtopic or flamebait.
  69. Re:you were warned..... by Lxy · · Score: 2

    look through the discussion... the site went down shortly after due to being /.ed. Someone posted a mirror in the comments, just browse them.

    --

    There is no reasonable defense against an idiot with an agenda
    :wq
  70. you were warned..... by Lxy · · Score: 5

    How quickly we forget. Or was I the only one who ran out and filled my computer with cement?

    --

    There is no reasonable defense against an idiot with an agenda
    :wq
    1. Re:you were warned..... by wedg · · Score: 1
      How quickly we forget. Or was I the only one who ran out and filled my computer with cement?


      One comment from the article about filling your computer with cement:
      Not to break our sense of humor but... let's consider some REAL ideas:

      hidden background scripts that run at random times and "phone home", so you get the thief's IP address. ...

      Now *that's* some irony!
      .

      --
      Jake
      Dating: while( 1 ){ call_girl(); get_rejected(); drink_40(); } return 0;
    2. Re:you were warned..... by picoears · · Score: 1

      The story link doesn't work, does any one have a link for the site or a mirror? Thanks.

  71. Use his stupidity against him... by szcx · · Score: 3

    If he's running any old binary sent to him, why not have one of your friends send a gift in reply? All it needs to do is grab the IP and timestamp, then email those details to you. Forward that to the police who can get location data from the ISP.

    1. Re:Use his stupidity against him... by bluetoad · · Score: 1

      No need to send a binary to him. You should be able to see the IP address in the mail headers.
      Get one of your friends who reads their mail on a reader where you can view the complete mail headers to take a peek at the IP address (people tell me you can't do that on some popular mail readers - puzzles me...)

    2. Re:Use his stupidity against him... by Ethidium · · Score: 1

      I would discuss this with a lawyer before trying it if I were you. IANAL, but consider that in some jurisdictions that could be borderline criminal in itself, never mind the fact that it is your property you're breaking into!

      --
      \
    3. Re:Use his stupidity against him... by SuiteSisterMary · · Score: 2

      On Outlook (even through Exchange MAPI!) to view SMTP headers open the mail, and in the mail window, select 'options' from the 'view' menu. The headers will be displayed on the resulting dialog box, among other things.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
    4. Re:Use his stupidity against him... by squeegee-me · · Score: 1

      Like I said in another post, NAT may be an issue if he has access to Cable or DSL. A possible trick would be to run Tracert asking it to hit some random site like www.fish.com and pipe the results into an email with a time stamp. Then you see a lot more and possibly even get which hub at the ISP he is using. May even speed up the whole process.

      Otherwise there is always VNC. If you know the IP, and you know your password, connect in and have some fun first.

      --
      Who wants Pork Chops?
    5. Re:Use his stupidity against him... by kilgore_47 · · Score: 2

      Since that information is in every email sent, why bother writing a program to gather it? Glancing at the email headers should do the trick. ;-)

      ___

      --
      ___
      The way to see by faith is to shut the eye of reason. --Ben Franklin
  72. Well... by Wind_Walker · · Score: 1

    First you should contact the authorities, as they would know more about the legal proceedings than you. It's not as simple as extracting vengeance, you know...

    ------
    That's just the way it is

    1. Re:Well... by wateronthebrain · · Score: 1

      No way. Five-oh won't understand the nature of this. Beer thieves are to be punished the old testament way. It's how God would want it.

      --
      --don't be a nitwit, get wit da likwit.--
  73. Re:excuse me... by passion · · Score: 2
    --
    - passion
  74. RE: Tracking A Thief Via The Sircam Virus? by SuperguyA1 · · Score: 3

    And if I do find him, do I send the cops, or just my 6-foot-4, 260-lb ex-eastern-block buddy Radek?"

    Given what I know from my own Eastern block friends.
    If you ever want to see your beer again... send the cops:)

    --
    "as plurdled gabbleblotchits on a lurgid bee" - Prostetnic Vogon Jeltz. (One man's humorous is another mans flamebait)
  75. Re:Bear in mind (Radek) by TheCarp · · Score: 2

    It's generally been my experience that people who buy stolen goods know that they have bought stolen goods.

    Sure, they don't know how it was stolen, or who it was stolen from. However, there is never any doubt that this "great deal" is a "hot deal".

    -Steve

    --
    "I opened my eyes, and everything went dark again"
  76. Re:Bear in mind (Cops) by Fjord · · Score: 2

    That's the way the law works here in the states too, but you still have to consider that the person using it bought the computer and didn't know it was stolen. In the Radek situation, to them, a big Eastern block guy is coming over and demanding them to give the computer. This can get Radek in a lot of trouble. In the case where the cops are involved, you'll get it back legally.

    Plus, you'll probably need the cops involved anyways, to get the location of the person in possession of the computer.

    --
    -no broken link
  77. Re:Bear in mind (Cops) by Fjord · · Score: 2

    As others have said, it's okay to take back what is yours, but Radek could still be arrested and detained while the cops are sorting everything out. If you fail to prove the computer is yours, then he could end up convicted. Even in the best case, he ends up with an arrest on his record, which is still not a good thing.

    --
    -no broken link
  78. heh, tempting... by bencc99 · · Score: 3

    It'd be tempting to send Radek round, but you've got the problem of finding them in the first place. Get in touch with the police, and get your friends to note down the message headers of the emails. Then with a selection of times and IPs the police should be able to contact the ISP, and find out what phone number the thief is dialling from. Of course, this hinges on the chances of you finding a cop with a clue ;)

  79. Re:Hold on a minute... by DangerTenor · · Score: 1

    WRONG! You can't protect it if it's physically in the thief's hands. Even if you make it so the password can't be changed in single-user mode, they can just boot a floppy. Even if you put a password on the BIOS and disable the use of the floppy drive, they can still short the clear-BIOS jumper and dump the password. Physical security is paramount with PCs. No OS is safe.

    --
    Check out our infosecurity industry blog: http://securitymusings.com/
  80. Re:Hold on a minute... by DangerTenor · · Score: 1

    Well the quote I was replying to was "If he was using linux, the thief couldn't have been able to even use the computer"

    No sh*t that he was using Windows, and that's the only thing that's giving him a chance to get the machine back. However, it's not like if he had stolen a Linux box it would have been a brick to him - he could still get root and do whatever he pleased with the computer.

    --
    Check out our infosecurity industry blog: http://securitymusings.com/
  81. Re:Cops can help... by errxn · · Score: 1

    Yeah, God forbid that they should do it because it's their FREAKIN' JOB!

    I knew there was a reason they called these guys 'dicks'.

    --
    In Soviet Russia, Chuck Norris will still kick your ass.
  82. virus by zerocool^ · · Score: 1

    If he's opening stuff with viruses in it, why not just send him bo2k and bo-peep.
    You'll be able to watch what he's doing, it will send you an email every time he gets on with his IP address in the email, etc.

    i mean your right to not have people spy on you ends when you steal someone's beer... er, computer.

    ~zero

    --
    sig?
  83. Re:just a thought? by zulux · · Score: 1
    Then the old lady should have the crap beat out of her for raising such thieving scum and making the rest of us suffer because she wanted an orgasm and didn't take responsibility for the spawn she produced.

    --

    Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

  84. Re:Yes. by swordgeek · · Score: 2

    Incorrect on one point.

    If the ISP has logs, then they are legally required to participate fully in any investigation. Furthermore, in Canada at least they would be REQUIRED BY LAW to go to the police if they had evidence or reason to believe that a crime had occurred. (In this case, phoning the ISP and explaining the thing would qualify) Not doing so is considered Aiding and Abetting.

    Don't know if the same law exists in the US, but I suspect that an ISP that refused to help you would face charges.

    --

    "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
  85. [COPS}Re:Another approach... by 13013dobbs · · Score: 2

    He will need to do both. Once he has an IP and the timestamp from the headers, he will need a subpoena to get the account that was used. With any luck, he will also be able to get the ANI of the phone line that was used. Once he has the ANI, he will need to contact the phone company to get the address of the guy, which might also require a subpoena.

    --

    No replies made to AC posts. Please log in.

  86. Re:tracking machines by frost22 · · Score: 1
    then contact that ISP, and give them your MAC address
    There is no such thing as a MAC address on a dialup line. MAC addresses are strictly LAN items.

    f.
    --
    ...and here I stand, with all my lore, poor fool, no wiser than before.
  87. IP address in mail header by djn · · Score: 1

    Well, your best bet may be to simply check the mail headers of the emails your friends are receiving. Check out the Received: lines and trace it back to the originating computer. Chances are the IP he's operating from will be right there... Track down the ISP who owns the IP, and you may be on to something.

    -Dan

    1. Re:IP address in mail header by Beckman · · Score: 1

      You'll need the time too. Most of the ISPs are working via DHCP, but should have a record of which MAC goes to which IP at a given time.

    2. Re:IP address in mail header by kilgore_47 · · Score: 2

      DHCP? I've had several ISPs, and I don't think I've ever used DHCP over a ppp connection (all the dsl users with pppoe might use dhcp though, i dont know...)

      ___

      --
      ___
      The way to see by faith is to shut the eye of reason. --Ben Franklin
    3. Re:IP address in mail header by kilgore_47 · · Score: 2

      DHCP is a specific protocol. There are certainly others. The protocol used is certainly an important fact! It's not like saying "that got photoshopped out" and meaning it could have been done with any graphics program; saying it was configured with DHCP means it was specifically done with a certain protocol a certain way. Its not a general term!

      ___

      --
      ___
      The way to see by faith is to shut the eye of reason. --Ben Franklin
    4. Re:IP address in mail header by kilgore_47 · · Score: 2

      the parent post got modded down but shouldn't have. Some moderators don't know the difference between having an opinion and trolling. The post should've gotten modded up as funny anyway!
      Here is a repost (originally by user poptix@work):

      You were pretty clear about 'DHCP Client' and 'DHCP Server', FYI a DHCP server is quite different, and uses different protocols than a PPP+Radius+Ascend connection.. You don't see me calling you a dog or cat simply because you're a carbon based lifeform that eats vegetables and meat.

      As a side note, if you don't know what the word means either look it up (http://www.dictionary.com) or just don't use it.


      ___

      --
      ___
      The way to see by faith is to shut the eye of reason. --Ben Franklin
    5. Re:IP address in mail header by jrp2 · · Score: 1

      It is not a considerable amount of work. It's almost trivial

      Depends on how well their systems are set up, and whether they considered CID info important. With the exception of this kind of situation, the need for that is rare. Most ISPs have no interest in cluttering up their billing databases with irrelevant stuff like CID. If it is logged at all, it is often kept in separate logs that are FIFOd rather rapidly. Even in these days of cheap HDs, this stuff adds up fast, and only the critical stuff is kept (for billing, spam research, etc.).

      I would call the ISP ASAP and ask them to cull the data and save it for the police.

      Good advice, I should have stated that (I was THINKING it).

      --
      The only athletic sport I ever mastered was backgammon - Douglas William Jerrold
    6. Re:IP address in mail header by jrp2 · · Score: 2

      PPP gives you the IP to use, but where do you think their PPP daemon gets the IP to give to you? That's right, a DHCP server. Just because you're not running a DHCP client doesn't mean that your IP isn't coming from DHCP.

      Not in any commercial dialup gear I have used. Generally, the PPP termination gear in a rack is assigned a pool of addresses to assign, or in some cases an IP is assigned to each modem. IP addresses for those with static IPs on a dialup (sort of rare) is generally obtained from a RADIUS server.

      I can't even see why anyone would want to add the overhead of DHCP to this scenario. It would be a pretty precarious situation where a modem rack would not be assigned enough IPs to handle maxed out capacity, and this would be best handled internally within the concentrator's PPP termination s/w, why throw another protocol and server into the fray.

      I am not real sure how a typical Linux PPP daemon handles this, but that would be kind of irrelevant to this topic as few ISPs of any size use a Linux based PPPd, they use dedicated racks like 3Com, Lucent or Cisco primarily.

      For the point of this article, I think this is irrelevant anyway. If the victim can get a couple IP addresses and exact times (probably from an intermediate SMTP host to ensure accuracy) the ISP, if they are cooperative and competent, can probably (with considerable work) get the CID data. You want multiples as you want to see the same CID info from several calls. There is a high risk of this not being fruitful though, as many ISPs do not log CID (or don't even get it), and it is often in a different log (call logs vs. radius) so they need to be cross-referenced.

      --
      The only athletic sport I ever mastered was backgammon - Douglas William Jerrold
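
The header trace discussed in the comments above (take the client IP and time from the Received: line written by a relay you can vouch for, and do it for several messages), as an added example that is not part of any poster's comment. The messages, hosts and IP addresses are constructed, and `origin_hop`, `report` and `KNOWN_RELAYS` are hypothetical names.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed samples: .example hosts and documentation-range IPs only.
MSG_1 = """\
Received: from smtp.isp.example (smtp.isp.example [198.51.100.25])
\tby mx.friend.example with ESMTP id A1; Tue, 24 Jul 2001 21:14:09 -0400
Received: from stolenpc (dialup-17.isp.example [203.0.113.17])
\tby smtp.isp.example with SMTP id B1; Tue, 24 Jul 2001 18:14:02 -0700
From: func@isp.example
To: friend@friend.example
Subject: Hi! How are you?

(body omitted)
"""

# Same path, plus a bottom Received: line made up by the sending machine.
MSG_2 = """\
Received: from smtp.isp.example (smtp.isp.example [198.51.100.25])
\tby mx.friend.example with ESMTP id A2; Wed, 25 Jul 2001 08:02:40 -0400
Received: from stolenpc (dialup-42.isp.example [203.0.113.42])
\tby smtp.isp.example with SMTP id B2; Wed, 25 Jul 2001 05:02:31 -0700
Received: from nowhere ([192.0.2.99]) by fake.invalid; Mon, 1 Jan 2001 00:00:00 +0000
From: func@isp.example
Subject: Hi! How are you?

(body omitted)
"""

# Assumption: the ISP's outbound SMTP host, an address you can verify yourself.
KNOWN_RELAYS = {"198.51.100.25"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([\w.-]+)")


def origin_hop(raw_message, known_relays):
    """Return the first peer that is not a known relay, as logged by a
    server we trust. Received: lines are read newest first (top down);
    everything below the returned hop is sender-controlled and ignored."""
    msg = message_from_string(raw_message)
    newer_time = None  # timestamp of the hop above the current one
    for hdr in msg.get_all("Received", []):
        ip_m, by_m = IP_RE.search(hdr), BY_RE.search(hdr)
        try:
            when = parsedate_to_datetime(hdr.rsplit(";", 1)[1].strip())
        except (IndexError, TypeError, ValueError):
            return None  # chain broken: no usable timestamp
        if not ip_m or not by_m or when.tzinfo is None:
            return None  # chain broken: no peer IP, host or time zone
        when = when.astimezone(timezone.utc)
        if ip_m.group(1) in known_relays:
            newer_time = when  # trusted relay, keep walking down
            continue
        skew = None
        if newer_time is not None:
            # Seconds between this hop and the next one up; a large or
            # negative value means the relay clocks disagree.
            skew = int((newer_time - when).total_seconds())
        return {
            "ip": ip_m.group(1),
            "utc": when.strftime("%Y-%m-%d %H:%M:%S"),
            "logged_by": by_m.group(1),
            "relay_skew_s": skew,
        }
    return None  # no Received: lines, or only known relays


def report(messages, known_relays):
    """One row per message, oldest first: the IP/time pairs an ISP needs
    to match against its own session logs."""
    hops = [origin_hop(m, known_relays) for m in messages]
    return sorted((h for h in hops if h), key=lambda h: h["utc"])


if __name__ == "__main__":
    for row in report([MSG_2, MSG_1], KNOWN_RELAYS):
        print(row["utc"], "UTC", row["ip"], "logged by", row["logged_by"],
              "skew", row["relay_skew_s"], "s")
```

Times are normalised to UTC because the two relays in the sample stamp their lines in different time zones, and an ISP will match on its own clock.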
  88. This is way easy... by pi_rules · · Score: 2

    You really think that the guy stole the computer, then changed the dialup settings to use a legit account? Heck no, he's using the account that the computer was already configured to use -- assuming that the password was set to saved. Contact the ISP, tell them the box is stolen, and find out the phone number that has been dialing in on -your- account. Yes, you may need to get the police involved. Checking the headers to verify that he's using your account is also a good idea though.

  89. Re:Bear in mind (Cops) by markbthomas · · Score: 1

    I thought that if someone stole something of yours, then you take it back, then that's stealing too. I thought it was dumb too, but apparently, it's true.

  90. Re:Trace account, then trace to phone # by SuiteSisterMary · · Score: 2

    I think the assumption here is that the thief is using the ISP account that is already on the machine; i.e. func's. Therefore, it should be no problem for func to call up and say 'who's dialed into my account right now, cuz it sure isn't me?'

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  91. of course now it won't matter by MousePotato · · Score: 2

    after the guy goes and reads the story on slashdot and realizes Radek is on the way.

    1. Re:of course now it won't matter by ArtEnvironment · · Score: 1

      Maybe he DOES read Slashdot... and was thinking... "Free Software... Free Beer!"
      "Hey, Free Hardware, too!!" :)

  92. Re:Bear in mind by pallex · · Score: 2

    so, he's still got someone's computer, and, under UK law at least, it's still yours (possession may have changed hands, but ownership hasn't).

    i still vote for the eastern block buddy...something i'll be employing when GPS systems become small and cheap enough to fit inside tv's and computers.

  93. civil court by Beckman · · Score: 1
    Unless he stole enough to be grand thief you're wasting your time with the police. Find who he is and visit him with your friend. If he wouldn't return your stuff via negotiation then hire a lawyer and take him to civil court.

    In this country Justice is for those who can afford it.

  94. Nobody ever went broke... by laymusic · · Score: 1

    There was a story in the Boston Globe recently about a woman whose purse containing her cellphone was snatched. The police officer she reported it to called the cellphone and said he was the owner's brother, asked the thief to meet him in a parking lot to return the cellphone for a reward. And he did. (meeting a couple of police officers with handcuffs in the parking lot.)

    So maybe some email to the perp offering a reward would produce similar results.

  95. Hidden radio transmitter instead perhaps? by edunbar93 · · Score: 1

    It would be easier to get a real world fix on your stolen goods (laptop or desktop... doesn't matter) with a radio transmitter than it would be with an IP address. And since the goods in question have all the electrical power they would need for that sort of thing, it should be pretty easy.

    This method is actually used by some R/C aircraft enthusiasts to locate their aircraft after they lose control of them, although they generally use small, low-range transmitters. (range of about a mile or so... they don't need much) Except they have to rely on on-board batteries rather than 120VAC.

    Another idea might be to use GPS if it can be done... Every time you connect to the net, it sends out its GPS coordinates to your favourite web host. :)

    The sad fact is, without a big break like this the likelihood that you'll ever get your stuff back is pretty much nil.
    ---

    --
    "No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
  96. Bear in mind by michaelsimms · · Score: 4

    It MAY be an innocent person that bought a second hand computer. I'd go with the cop method, not the Radek method.

    --

    Tux Games. Your complete source for native Linux games.
    1. Re:Bear in mind by Frank+T.+Lofaro+Jr. · · Score: 2

      Some idiot who doesn't even know about accounts and the like, thinks the Internet is magical and the only thing he notices or cares about is that Internet Exploder and Outlook work.

      Never underestimate stupidity.

      --
      Just because it CAN be done, doesn't mean it should!
    2. Re:Bear in mind by bentini · · Score: 1

      Dude, that's my sig too! Did you steal it or find it somewhere else?

    3. Re:Bear in mind by neo-phyter · · Score: 1

      "It MAY be an innocent person that bought a second-hand computer. I'd go with the cop method, not the Radek method." That's not an innocent person, that's a person in possession of stolen property--9/10 of the law, my friend! Allan

    4. Re:Bear in mind by sensate_mass · · Score: 1

      D'oh! Good one.

      --
      --- Submission is feudal.
    5. Re:Bear in mind by ahrenritter · · Score: 1

      If you did this, I believe it would run afoul of all sorts of FCC restrictions on class D(?) items..

      --

      All I wanted was a rock to wind a piece of string around, and I ended up with the biggest ball of twine in Minnesota
    6. Re:Bear in mind by SlamMan · · Score: 2

      An innocent person who's using your email account? Not too likely.

      --
      Mod point free since 2001
    7. Re:Bear in mind by DBett · · Score: 1

      Actually the 9/10 is "possession." It's the 1/10 about stolen property that matters here.

    8. Re:Bear in mind by terrymah · · Score: 1

      How about a GPS unit that receives, and a radio transmitter that gives out its location. No need to involve anything with the computer components itself.

    9. Re:Bear in mind by terrymah · · Score: 1

      Oh come on, they have homing beacon type stuff in movies all the time.

    10. Re:Bear in mind by masoncooper · · Score: 2

      Who buys a computer that has a full address book, and doesn't suspect that it's stolen?

  97. Fake contest/prize sting operation by Frank+T.+Lofaro+Jr. · · Score: 2

    Get someone to register a domain (or do it yourself in a way that won't be obvious to the thief), and have an email get sent to him saying he won something (money, car, etc) and just needs to reply to the email with his full name, address, phone number, SSN# (for tax purposes makes a good excuse). You get the mail, you call the cops and off he goes to prison! ;)

    Cable companies do something related to combat illegal access to cable service. They broadcast an ad that only the illegal boxes can get which says send in for a prize, says you won a contest, etc. Those that reply are prosecuted.

    It is like a social engineering hack right on the thief's mind.

    --
    Just because it CAN be done, doesn't mean it should!
  98. Re:Bear in mind (Radek) by Frank+T.+Lofaro+Jr. · · Score: 2

    That's about all a Cray is even worth today. ;)

    --
    Just because it CAN be done, doesn't mean it should!
  99. I'm not so sure this will help by king_ · · Score: 1

    This probably won't help you get right to your robber, he probably sold all your stuff. And if he was smart he probably sold it to a used computer store that would resell it. Although most pilferers aren't the smartest bunch, good luck ;)

    --
    "Think, It aint illegal.....yet" - George Clinton
  100. Re:what an idiot. by don_carnage · · Score: 2
    Hmmm...guess it would be a different story if the guy had his own DSL/cable connection. Tracking an IP address back through an ISP's "abuse" department doesn't seem to get anywhere, even when it's more than just spam (ie: crack).

    Mental Note: if I ever get desperate enough to steal someone's computer and use it, be sure to reformat the HD.

    --

  101. About Ztrace by Radium_ · · Score: 2

    Ztrace seems to be an exe.

    Either it loads itself after Windows, and then it'll be erased if the FAT/NTFS partition is deleted, or it installs in the MBR, and then it's deleted if LILO or whatever erases the bootloader.

    Anyway, since it's a *software* protection it is very likely to be circumvented (IMHO), by reinstalling Windows or installing Linux.

  102. Cops can help... by Martin+Blank · · Score: 1

    ...if they are willing to look at technical details.

    If your friends are using any e-mail program that allows one to see the headers without opening the message itself, then tracing the Receiving headers back to the IP of origin should be able to help. Contact the owner of the original server, find out how the person connected, and see if that connection can be traced back to an ISP login. It's not perfect, but it's a start.

    --
    You can never go home again... but I guess you can shop there.
    1. Re:Cops can help... by Martin+Blank · · Score: 1

      Something else to consider is that the detective could well get some press coverage for both him and the department, and that may turn into dollars from various government agencies to help them boost their technical abilities.

      --
      You can never go home again... but I guess you can shop there.
    2. Re:Cops can help... by Soaponarope123 · · Score: 1

      code red spread through an attachment, so the headers can be safely viewed without opening the attached files.

      --
      NO MORE SCHOOL!!!!!!!! 2+2=?
  103. will be widely used in the future by STREMF · · Score: 1

    IN A.D. 2101 WAR WAS BEGINNING.

    (we all know by now that it must have been a stolen ship)

    SOMEONE SET UP US THE BOMB

    (and about transmitting and collecting information)

    WE GET SIGNAL

    CATS was probably just trying to get his stolen ship back. It was about time it caught up to OPERATOR that he bought stolen goods.

  104. Re:Yes. by TotallyUseless · · Score: 1

    yes. The ISP can contact the police, and send them to the address of the phone number. Easily

    --

    Time for some tasty Shiner Bock!
  105. Check the headers by Friendly · · Score: 1


    The most info I think you can get from the emails is to check the header info. The only info you can get from there, at least when I checked the headers on some of my mail, is the mail servers that the thief is using. Also, is this dumbass using your account info or did they go through the trouble of reconfiguring Outlook to use their ISP and their email info? If so, maybe you can pull an email address and combined with the mail server info you could possibly track the guy (or girl) down.

    Another trick is to write a VBS script to figure out a computer's IP and email the info back to another address. Then send the message to this guy, since it is obvious he/she is prone to opening unknown attachments they will run it. Then if they are using DSL or cable you have their asses. If they use dial up then you can only get the modem pool they are dialed into, but that is better than nothing.

  106. Re:Your ISP?? by IronChef · · Score: 2


    I can imagine having this conversation with ATT tech support... the pain! I think I'd rather just buy a new computer. Once a company gets past a certain size, it is like a black hole -- no customer service can escape.

    For all intents and purposes, customer service is dead.

  107. Re:Should be pretty easy. by IronChef · · Score: 2


    Sarcasm aside, I think the FBI is only interested in high-dollar cases. On GRC.com the dude talks about how he couldn't get the FBI interested in the DoS attacks on him -- the damages weren't high enough to matter to them.

  108. Re:Should be pretty easy. by IronChef · · Score: 2


    No no, this thread was about the guy with a stolen computer. The FBI doesn't care about THAT. How did this turn into the DMCA?

    This is what I was taking issue with:

    Yeah -- just get the full headers to your local police and/or the FBI. I should think they'd be happy to get this kind of slam dunk to clear a case.

  109. Re:You sound like PD telling us "comply with robbe by Redbird79 · · Score: 1

    Texas does officially consider fenced land the same as being in your house, but lately there have been some new twists on the law ... You can't shoot someone who's running away (except maybe if they have your stuff ... I'm unclear on that.) Of course, it's still legal to drive around Texas with an open bottle of beer in your pick-up, so what did you expect, really?

  110. Lead the cops to his front door by squeegee-me · · Score: 1

    If I'm not mistaken, the Emails being sent should have some information as to the originating IP address that the messages were sent from. You could figure out which ISP owns them, and find out if they would provide law enforcement the phone number that was dialed in and assigned the IP at the time. Otherwise, they may have a record of the account that was used at that time, on that IP. You would need to look at the fun header info on the email and go from there. The only problem I could see is if he/she was using it over a cable/DSL modem and has NAT set up. 10.x.x.x would do you no good to my knowledge, nor the other private class A or class B range.

    --
    Who wants Pork Chops?
  111. Looking at home.... by squeegee-me · · Score: 1

    Have you checked your roommates' room yet?

    --
    Who wants Pork Chops?
  112. Re:Bear in mind (Cops) by daveisoverlord · · Score: 1
    IANAL, but IIRC from my (US) criminal law classes, it was lawful to take back property that was stolen but you couldn't violate any other laws to do so.

    --
    The perception of reality is more important than reality itself.
  113. Call Microsoft by Captain+Pooh · · Score: 2

    Call Microsoft and say that your computer was stolen and now someone is running MS software on it without the proper license. They should track the bastard down.

  114. Re:wait a min by WebBug · · Score: 1

    PS How the hell are my posts rated at 0 even when i am logged in? /., that's how . . . BTW: you're right as well, and your message should be at least a 2, however, all is not fair in /. and love. 8^)

    --
    Later . . . . . . WebBug // I don't really have 8 arms but . . .
  115. Another approach... by xjosh · · Score: 1

    Of course, everyone and their brother is saying to get the header information from the messages and track down the IP.

    I say you contact the police, and (get this) help them find the guy. Generally they are pretty receptive to any help they can get in "busting a perp". An officer was tickled that I was able to produce hard copies of my Caller ID logs when I was getting threatening phone calls.

    It could also help to tell them that if they don't find him quick, Radek will. :)

  116. Re:Should be pretty easy. by jdunlevy · · Score: 1
    Yeah -- just get the full headers to your local police and/or the FBI. I should think they'd be happy to get this kind of slam dunk to clear a case.

    Worst case, the current user is somebody who bought the computer from your thief and not the thief her- or himself, but it still gets you close.

    Good luck.

  117. Maybe through IP by Vain · · Score: 1

    A lot of email programs allow you to view the properties of a message. This gives you access to see first off, the IP address of the SMTP server which you received your message from, and secondly, the address of the person who sent it to that server.

    If you can get the IP of the guy, I'm sure you can just do a lookup and find out who his ISP is, if you get lucky. Otherwise, just run a traceroute on it too.

    --
    "Stop saying 'Don't quote me' because if no one quotes you, you probably haven't said a thing worth saying" -KMFDM
  118. Re:just a thought? by linzeal · · Score: 1

    4 cases of cigs? What about in prisons where they don't allow smoking? I always wondered if the prison barter economy broke down at that point or they found something else cheap and plentiful yet valuable enough to trade.

  119. Re:what an idiot. by BluedemonX · · Score: 3

    My wife had her computer stolen - and her old ICQ popped up. Someone traced the computer to an IP and an ISP, and we called the cops.

    Did they act on this? No way.

    The thief was basically handed to the OTTAWA POLICE on a silver platter, but apparently donut eating and beating defenceless women's heads against cars was more important.

    I'd say send Radek, that is if the ISP will tell you who it is...

    --

    --- Jump!! Fire!! Bullet time!! - Lego version of the Matrix
  120. Re:Yes. by 11223 · · Score: 2

    Aah, but what do you do if he's using your account? Should the ISP turn over the number he's calling from? Will that help?

  121. maybe you lost it? by maddogsparky · · Score: 1
    Are you sure you aren't missing any closets, too?

    --
    science is a religion
    1. Re:maybe you lost it? by Dunfall · · Score: 1

      or your garage? http://news.excite.com/news/abc/010724/20/crime-blotter:-pig

  122. Re:what an idiot. by abolith · · Score: 3

    if your ISP gives you the info, don't bother with the cops, use Radek OR just wait until he/she has left the location your computer is residing at and then STEAL IT BACK !! What thief would believe that the Original owner tracked him/her down and did the same thing right back.
    besides if you have homeowner's insurance you could still collect the value of the computer, then use that cash to upgrade to a better system, or use it to put out a contract on the thief's head. either way.

    --
    if you want "No More Hiroshimas" then I say "You First. No More Pearl Harbors."
  123. Your ISP?? by QwkHyenA · · Score: 5
    Odds are good he's using YOUR ISP seeing how you probably checked that 'remember password' box. If that's the case, I'd take a copy of the police report and go to your ISP (assuming it IS your ISP the dude dialed into, which is easily checked by looking at the header of the email message) and talk to management right away!

    If it was one of my local ISPs I'd take about 1 case of beer with you as a small incentive.

    --
    LFS. Have you built your system today?
    1. Re:Your ISP?? by bark76 · · Score: 2

      And then call Fox and see if you can get this on their next installment of 'World's Dumbest Criminals'

  124. Re:Bear in mind (Cops) by feorlen · · Score: 1

    >In the case where the cops are involved,
    >you'll get it back legally.

    Yes, but only after the case is closed. When he does finally get out of the evidence locker, he can donate it to a museum.

  125. Re:Bear in mind (Radek) by Crizp · · Score: 1

    Yeah at least here in Norway it's illegal to buy stolen goods, the buyer must be sure it's not stolen. You can get fines for buying stolen goods...

  126. radek. by gagganator · · Score: 1

    send radek. post pictures. also quicktime movie

    --
    the animal doesnt even have opposable thumbs, focker!
  127. better yet by unformed · · Score: 3

    Call the BSA

  128. Radek for Rent? by Bahamuto · · Score: 1

    Hey is Radek for rent? I might have some uses for him too. I haven't been robbed yet, but it's also good to have some prevention. Or maybe the same thing would work if I had a sign out in my yard that said "Beware of Radek"

    Ok I'll admit it, I set you up the bomb

  129. DON'T DO THAT!! by canning · · Score: 1
    I wouldn't wish Microsoft on my worst enemy. *shudder*

    --
    I love the smell of Karma in the morning
  130. Advice: by gwizah · · Score: 1

    Should have used the ol' Concrete Computer...

    --

    There is no spork.
  131. Anyone thought about "who" the thief actually is? by gwizah · · Score: 1

    What if the person using the PC is not the thief? What if they purchased the PC from said thief and are blind to the fact that it is stolen property? I'm sure sending Radek wouldn't do too much good then...

    --

    There is no spork.
  132. what an idiot. by rigor6969 · · Score: 5

    all the major ISPs now record your DNR phone # per call. Easy to trace via the ip and date and time. You'll need to get the isp and police involved.

    --
    ===sam=== free nessus vulnerability scan = www.vulnerabilities.org
  133. Yeah-- we could call it CoJak! by delorean · · Score: 1
    Or Kojak.

    I oughta register that site and make webpage with a big bald guy to do just this.

    --
    "You may all go to hell and I will go to Texas"
    Sen. Davy Crocket to US Congress, Nov. 1, 1835
  134. vengeance. by bellers · · Score: 1
    Send the Kossack. Stomp him.

    You are standing in an open field west of a white house, with a boarded front door.

    --
    This space for rent.
  135. NOT Re:Maybe through IP by samjam · · Score: 1

    I used to run an ISP (a small one) and was trying to track down some particular spammer idiot from the U.S. I forget why this one was so important, but I learned that it can be hard to track down a user based on IP address and date/time without also having a warrant.

  136. Some laptops phones home by AdamInParadise · · Score: 1

    One day I was sitting and thinking about ways to recover a stolen laptop. One idea would be that each time the laptop connects to the internet, it would check a global database of stolen laptops (preferably in hardware).
    If so, it will just silently alert someone. It is pretty easy to trace an IP to a location, if you've got the cops with you.

    --
    Nobox: Only simple products.
    1. Re:Some laptops phones home by AdamInParadise · · Score: 1

      That's great as long as someone doesn't get the laptop and re-install right away... which I would assume any intelligent thief would do. Except in this case.

      That's why a hardware solution is better. Check the story on Phoenix Bioses phoning home.

      If you stole someone's computer, wouldn't it be somewhat wise to trash the data on it as soon as possible? That way it'd be harder to prove it's not yours. Furthermore, why on earth would you start connecting to the internet with someone else's computer? That isn't very smart.


      To begin with, thieves are usually not smart, because if they were, they wouldn't be thieves in the first place.

      Remember that we are talking about laptops. Usually the manufacturer of a laptop has much greater control over the hardware than with common desktops. I'm pretty sure that we will see more of this in the future.

      --
      Nobox: Only simple products.
    2. Re:Some laptops phones home by AdamInParadise · · Score: 3

      Actually I was quite sure that I've seen some company actually doing that. Here is a story on The Register:
      http://www.theregister.co.uk/content/archive/20026.html

      And a link to the company doing it: http://www.ztrace.com/

      --
      Nobox: Only simple products.
  137. Fuck the police, get some vengeance by Ryokos_boytoy · · Score: 1

    The cops will just get snitty with you cuz you solved the crime. Send your friend over and tell him to bring back both the thief's thumbs. Maybe go with him. You can get a lot of satisfaction out of kicking somebody in the head repeatedly.

    I got no love for any thief. Just remember, no matter what you do to him, he brought it on himself.

    --


    If you don't say anything, you won't be called on to repeat it. -- Calvin Coolidge
  138. Re:What adventure game did you get your sig from by ceesco · · Score: 1

    If memory serves, it's Zork I, the original. HTH.

    --
    Ceci n'est pas un sig
  139. Re:Yes. by Shoten · · Score: 2

    Ah, no...it won't work out that way. I've actually seen something somewhat similar to this. The police probably have no experience with this, and will be lost ("what's a header?") unless you do enough of the leg work for them that it's plain and simple in a realm that is more familiar to them. In other words, instead of time GMT and an IP address, a physical address and user's real name.

    --

    For your security, this post has been encrypted with ROT-13, twice.
  140. Re:Yes. by Shoten · · Score: 2
    120 years, yes, idealism, duty, etc...whatever. I'm speaking from experience, and it doesn't always work out that way. When it comes to computers and things technical, the flow chart goes like this:

    Do I understand this well? If so...proceed.
    If not...

    Is this big enough that we need to ram it over to the couple of computer guys we have? (child porn, theft, hacking...ohh, if it's hacking, we'd better set up a big stake and some firewood too) If so, send it over...
    If not...

    If not, then it gets stale. I know that the cops are SUPPOSED to represent the public, but let's be realistic. I've seen cops unwilling to even make a report of a crime, a multi-thousand dollar property crime, even just for the sake of a number that was needed by the victim to file an insurance claim. And it's clear common knowledge that even the FBI doesn't want to hear about hacking cases unless the damage caused exceeds a rather large sum, typically about $10K now.

    The bottom line is, this is the real world, and most cops are intimidated by technology. They are also not willing to admit to that in front of civilians. And I'm willing to bet that the sort of person who would think to trace a thief by taking advantage of a SirCam infection is also quite computer literate. I bet dollars to doughnuts (no pun intended) that he can get this accomplished in far less time than it would take a police officer. If I were him, I'd do it out of civic duty, just to make it easier on the already-overloaded police force where I live (in Washington, DC).

    --

    For your security, this post has been encrypted with ROT-13, twice.
  141. Yes. by Shoten · · Score: 5
    Ok, here's what you do. The emails he's sending contain a few bits of data that are critical. One is the IP address that he is using at the time he sends the email, and the other is the time (according to the mail server; both bits are in the header of the email) at which the mail is sent.

    Get an attorney, and file a "John Doe" lawsuit against the thief...the goal here is to get a lawsuit, so that you can get a subpoena. And who are you subpoena'ing, and for what? The ISP the thief uses, for the logs of the phone number that was connected at that time, and the account information of the owner of that account. Turn that over to the police, and you should be good to go. That information is sufficient (explain it well to them) to get a search warrant and...voila! He's crispy.

    Happy hunting!

    --

    For your security, this post has been encrypted with ROT-13, twice.
    1. Re:Yes. by blair1q · · Score: 2

      Skip the lawsuit part.

      Take the method outlined in that well-modded-up post to the police. Tell them that this guy stole your computer and these emails are proof. The Authorities can deal with the subpoenas, warrants, etc., and you won't have to pay a lawyer.

      --Blair
      "Or explain layer-3 semantics to him."

    2. Re:Yes. by blair1q · · Score: 2

      Wait. There's been 120 years of cops and robbers, and you don't think the cops understand "there's this guy stole my stuff; I don't know his name, but I know how to find him"?

      Don't talk to the desk sergeant. Ask to talk to a detective. They certainly have heard about tracing people on the net, and if they're the first in their jurisdiction to succeed at it, all the better.

      The point is, when you are the victim of criminal acts, the state is your lawyer. You shouldn't investigate your own case until after the state tells you to get lost.

      --Blair

  142. Re:Cops by kilgore_47 · · Score: 2

    If I had mod points, I'd mod the above post "Funny". Did someone say Computer Crimes Division and local police department in the same sentence?

    Kind of reminds me of in Big Lebowski when The Dude asks the cop if they have any 'leads' about who stole his car. The cop busts up laughing and says "leads? not yet. the chief has us working in shifts to solve this one though!"

    seriously, how many local police depts have a computer crimes division?

    ___

    --
    ___
    The way to see by faith is to shut the eye of reason. --Ben Franklin
  143. tracking machines by CTho9305 · · Score: 1

    anyone with a half-decent network could find it... what you need to do is get the IP the mail came from (through the headers). then contact that ISP, and give them your MAC address. next time the thief logs on, you could get him. of course, this requires knowing your MAC address...

    1. Re:tracking machines by CTho9305 · · Score: 1

      yeah i realized that after i posted it

  144. Trace account, then trace to phone # by moosesocks · · Score: 1

    Call the isp to trace when your account was last used, and what phone number he is using (caller id or call trace or *69...call trace is what is used by authorities, and is most likely what they are using)

    If your isp doesn't keep these records, wait for the next time he dials in, and trace the call.

    Shame on you! You didn't fill your case with cement!

    --
    -- If you try to fail and succeed, which have you done? - Uli's moose
  145. Re:Bear in mind (Cops) by EulerX07 · · Score: 1

    Actually I was watching Judge Joe Brown the other day and that point came up. The judge said it's not stealing, it's repossessing.

  146. just a thought? by 3am · · Score: 2

    what if it's an elderly woman whose son bought her a fenced computer?

    radek, however appealing his deadly skills may be, is not the right answer. get the cops. if it is the thief, have him taken out in prison for 4 cases of cigarettes :)

    --

    A: None. The Universe spins the bulb, and the Zen master merely stays out of the way.
  147. Re:Cops by Chakat · · Score: 1
    seriously, how many local police depts have a computer crimes division?
    Depends on the location/size of the city. If you're talking about some small town in the middle of nowhere, then no, there probably won't be a computer crimes division. But if you're talking about a larger metro area or a technically savvy area, then you'll probably have at least a few knowledgeable officers, or access to such.

    D - M - C - A

    --

    If god had intended you to be naked, you would have been born that way.

  148. Should be pretty easy. by Chakat · · Score: 5
    All you should have to do is check the headers and do standard spamcopesque ip tracing. At that point, you have an IP address. Take that info to the ISP the crook is using, and ask for the dialup node log. You'll probably need at the very least a subpoena to get the cid logs, but you should have no problem as long as you can prove that it is coming from your property.

    If you could post the Headers of the offending emails, I'll bet most people here could tell you where the thief is in 5 minutes.

    D - M - C - A

    --

    If god had intended you to be naked, you would have been born that way.

    1. Re:Should be pretty easy. by PW2 · · Score: 1

      No, that's not the worst case. Worst case is that the virus didn't actually infect the stolen computer, but rather the replacement computer that you're using now...

      Or the thief is a career Slashdot first poster and reads this discussion, feels proud for a few minutes, and then destroys the evidence. :)
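
The header trace suggested in comments 102, 110, 141 and 148, as an added Python example that is not part of any comment in the thread: it walks the `Received` lines newest-first, stops at the first line stamped by a server outside `trusted_servers` (lines below that point can be forged by the sender), and reports the earliest routable peer IP with its timestamp in UTC. The sample message, host names and addresses are constructed (documentation ranges), and `trusted_servers` is an assumption the analyst supplies.

```python
import ipaddress
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Ranges that identify no subscriber outside the sender's own network:
# RFC 1918 private space plus loopback (the NAT case raised in comment 110).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+([\w.-]+)", re.IGNORECASE)

# Constructed sample message (not taken from the thread). IPs come from the
# RFC 5737 documentation ranges; host names use reserved ".example" domains.
SAMPLE = """\
Received: from mail.isp.example (mail.isp.example [198.51.100.25])
\tby mx.friend.example with ESMTP id A1B2C3
\tfor <friend@friend.example>; Wed, 25 Jul 2001 14:03:11 -0400
Received: from stolenpc (dialup-77.isp.example [203.0.113.77])
\tby mail.isp.example with SMTP id D4E5F6;
\tWed, 25 Jul 2001 14:03:05 -0400
Received: from [10.0.0.5] by stolenpc; Wed, 25 Jul 2001 14:02:59 -0400
From: func@isp.example
To: friend@friend.example
Subject: constructed sample

(body omitted)
"""


def parse_hops(raw):
    """Return the Received hops, newest first, as dicts with by/ip/when_utc."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())            # undo header folding
        info, sep, stamp = flat.rpartition(";")   # the date follows the last ';'
        if not sep:
            info, stamp = flat, ""
        by = BY_HOST.search(info)
        from_part = info[:by.start()] if by else info
        ip = None
        match = IP_IN_BRACKETS.search(from_part)
        if match:
            try:
                ip = ipaddress.ip_address(match.group(1))
            except ValueError:                    # e.g. [999.1.1.1]
                ip = None
        try:
            when = parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc)
        except (TypeError, ValueError):           # missing or malformed date
            when = None
        hops.append({"by": by.group(1).lower() if by else None,
                     "ip": ip, "when_utc": when})
    return hops


def is_routable(ip):
    """True if the address could identify a subscriber at an ISP."""
    return ip is not None and not any(ip in net for net in NON_ROUTABLE)


def originating_hop(hops, trusted_servers):
    """Earliest hop written by a trusted server whose peer IP is routable."""
    found = None
    for hop in hops:
        if hop["by"] not in trusted_servers:
            break            # everything from here down is sender-controlled
        if is_routable(hop["ip"]):
            found = hop
    return found


def isp_request(hop):
    """The two facts an ISP needs to match a session in its logs."""
    return f"{hop['ip']} at {hop['when_utc']:%Y-%m-%d %H:%M:%S} UTC"


if __name__ == "__main__":
    hops = parse_hops(SAMPLE)
    best = originating_hop(hops, {"mx.friend.example", "mail.isp.example"})
    print(isp_request(best) if best else "no trustworthy routable hop")
```

With only the recipient's own server in `trusted_servers`, the result is the ISP's mail relay rather than the dial-up address, which is the "mail servers only" outcome comment 105 describes.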

  149. Just charge him with the DMCA... by Tricolor+Paulista · · Score: 1
    say that the document he is sending your friends is DeCSS!

    The RIAA, the feds and just about world+dog will be searching for him! Nice distributed seeking, right?

    --
    Linux *is* user friendly. It's not idiot-friendly or fool-friendly!
  150. Re:Hold on a minute... by damiam · · Score: 1

    If he's dumb enough to get Outlook viruses, would he know how to use Linux? I don't think so.

    --
    It's hard to be religious when certain people are never incinerated by bolts of lightning.
  151. Cops by Anixamander · · Score: 1

    You might want to try contacting the computer crimes division of your local police department. They may be able to take the emails, look at the headers for the ip it was sent from, determine which isp (unless they are using yours) it came from, and see if the isp has either a) a caller id number for the time the email was sent or b) the username on the account (assuming it wasn't yours). Of course, all this requires warrants and such (rightfully so), so you probably won't get too far. But it would be worth a phone call to find out IMO.

    --
    Do not taunt Happy Fun Ball(TM)
  152. wait a min by sgups · · Score: 1

    wait a min. Isn't this the same paranoid crowd that is ready to go to war when some third party (law enforcement) gets hold (or wants to get hold) of their own info.
    oh wait it's only when some other party wants to use the info for the same shit u r suggesting

    No it's not a troll or flamebait. I am indeed curious. How easy it is to jump fences

    PS How the hell are my posts rated at 0 even when i am logged in?

    --
    Democratic USA - Government of the corporations, by the Corporations, for the corporations.
  153. Re:excuse me... by freerangegeek · · Score: 1

    You get the beer back with dextrous use of your fingers in someone's mouth, or by being patient and REALLY loving recycling.

  154. Hold on a minute... by communist+rabbi · · Score: 1

    If he was using linux, the thief couldn't have been able to even use the computer. This being a "help me" story, it would have been nice if the writer would have included his os.

  155. Already widely available. by Lordship · · Score: 1

    Has anyone programmed a hidden bomb that must be disabled every couple times you boot up?

    Yeah, it's called Windows.

  156. Re:You sound like PD telling us "comply with robbe by Unknown+Bovine+Group · · Score: 2
    I think a couple states consider anyone uninvited on your fenced land the same as if they were in your home and you can legally shoot them (TX, and VT).

    Wow, does this include Jehovah's Witnesses? People selling magazines "just working my way through college"? People distributing those annoying pizza flyers always stuck in my door?

    MMmm. My lawn will be littered with bodies.

    --
    m00.
  157. Re:You sound like PD telling us "comply with robbe by prdugan · · Score: 1

    Absa-frickin-lutely!!!!

    "Check it out! I am the ultimate bad-ass. State of the bad-ass art...not one to mess with me! Check it out, Ripley! Me and my squad of ultimate bad-asses will protect you. Check it out: Independently-targetting particle-beam phalanx. Whram! Fry half a city with this puppy. We got tactical smart missiles, phased-plasma pulse rifles, RPGs, we got sonic ee-lec-tronic BALL-BREAKERS! We got nukes, we got knives, sharp sticks..."
    -- Hudson, Aliens

  158. Lojac for computers by selway · · Score: 1
    For those who don't know, Lojac is a homing device placed in your car that the police can use to find it in case it is stolen. This same idea could be used for computers, especially laptops. Just have the computer check a website every time it connects to the net to find out if it has been reported stolen. You could even write the Lojac virus to include the IP number in the e-mail.

    Too bad it wouldn't be cost effective for beer...

  159. excuse me... by dermotfitz · · Score: 5

    just how will that get your beer back?

    --

    How perfectly goddamn delightful it all is, to be sure. - Charles Crumb
  160. either way... by linsalad · · Score: 1

    Keep us updated, will you? (maybe send a followup to AskSlashdot)