Mac Thief Caught Thanks To Applescript & Timbuktu

el.cerrito.slasher sent in an amusing bit found on MacSlash. This story is a tale of a stolen iMac that just happened to be running Timbuktu (a remote control program like VNC I believe). Well the stolen box kept getting used, and the owner was able to track it down through a variety of amusing Timbuktu Fu. Funny story.

Can I do this with my laptop?

[bildstorm]

Personally, I'm slightly security paranoid, but I don't believe that anyone who steals my machine is going to care what's on it, but more likely swap drives. Ok, that's what I'd do, at least.

But, looking at this, I'd love to have something like this running. Are they any current security programs that do things like this? I would need it for Windows and Linux.

Now if only I could have it run in the BIOS. Imagine if on the bios level, without a proper key or password or whatever, if the hard drive was removed and replaced, it would then call a panic number whenever connected. That'd be neat.

Re:Can I do this with my laptop?

[MaxH01]

Isn't that what Windows XP does - except it phones Bill Gates?

Re:Can I do this with my laptop?

[athmanb]

Rule Nr. 1 in criminology: 95% of criminals are idiots. If they weren't, they would risk a year long jail term e.g. by robbing a liquor store for 100$.

You would be smart enough to swap hard drives to evade detection, but you'd also be smart enough to not steal a computer...

Re:Can I do this with my laptop?

[Graff]

Now if only I could have it run in the BIOS. Imagine if on the bios level, without a proper key or password or whatever, if the hard drive was removed and replaced, it would then call a panic number whenever connected. That'd be neat.

Actually you can most likely do that on a Mac. All of the Macs in the past 5 - 8 years use a BIOS-like system called called Open Firmware. Open Firmware basically sets up the machine to load up the operating system and it does other initialization tasks. It is also used by some other computer manufacturers as it is an open standard.

The neat thing about Open Firmware is that it is programmable. It is written in Forth and you can write additions to it and install them. These additions are persistent across power-downs and can be password protected. So it is possible that you can write some sort of network notification into Open Firmware, I do know that it is aware of TCP and such because you can remotely operate the machine if it crashes in open firmware and you can also use Open Firmware to network boot the machine.

The other cool thing about Open Firmware is that you can set it to require a password at boot. If the password is not entered then the machine will not load ANY drive. This password is much harder to disable than an operating system password or hard drive password lock, although there are a few obscure and involved ways of bypassing it if you are extremely familiar with the system.

This page has some good links on Open Firmware. This site is hosted by Sun and has a ton of very specific and detailed information on Open Firmware. And lastly, Open Firmware is the only firmware standard in existence to have its own song!

Re:Can I do this with my laptop?

[Courageous]

With most 'criminal' actions, the belief is that you won't get caught.

An apt insight. If you were to take a look at the mind of a developing criminal, you will often find someone who, after one or two several nervous crimes, discovers that getting caught is actually indeed quite rare. After this discovery, they become increasingly brazen, disregarding basic precaution. This is how most criminals actually get caught.

C//

Neat! But . . .

[Selanit]

All it would take to permanently disable this sort of thing would be to format the hard drive and reinstall the OS. And that would be very likely to happen on a Linux box. I mean seriously, how many thieves are going to be willing to sit and work at a Linux box till they come up with a valid Username/Password combo?

With a Windows box, on the other hand, you could easily write a program to verify the computer's IP address at boot time, and if it doesn't match, send an email to you reporting the unusual IP address and any other useful info you can think of. At each boot thereafter (common with Windows, of course) it checks a particular file on a particular server for instructions on what else to do, such as activating auto-destruct. That way you never auto-destruct your own computer by accident, since it requires permission first.

If you were particularly ambitious, you could have it activate a keystroke logger and email the recorded info to you each time it boots.

Cliff Stoll flashback|easy tagging scritps forunix

[wildcard023]

I had flashbacks to reading "The Cuckoo's Egg" while reading this transcription. Does anyone else remember reading the commands listed in the book and quickly running over to a unix box to play?

Honestly, I'm not -too- surprised that this happened. My machine runs:

/bin/date | mail
/sbin/ifconfig -a | mail

(Running dyndns would be interesting also.)

on bootup. I originally did this so that I could keep track of my box and identify when it went down and what the current IP was so I could ssh in and look around more comprehensively, although it has crossed my mind that if my machine were to get stolen it might report back to me where it was. I'd happy to see that it's worked out at least once for someone.

Most ISPS keep logs of usernames and passwords on certain ips (especially if they're static/near static as in a cable modem or dsl connection). From there, it's fairly easy for the ISP for connect that back to a real name.

I'd be very intrested to see if this is enough information to get a search warrent.

No, the thief wasn't caught.

[rleyton]

The article doesn't say the thief was caught. To quote the guy himself: "So the conclusion to the story is: iMac and Lexmark printer recovered, one female pled out to possession of stolen property and got a year's probation.".

Possession of stolen property is very different to theft. She claims to have bought the imac from "some guy". Ok, she might be complicit, but we won't ever know.

Reminds me of Distributed.net

[realdpk]

Wired Article on how d.net helped someone track down their stolen computer.

Re:applescript strikes back

[gazbo]

set AppleScript's text item delimiters to {""}

Yikes! That is some urglee code. I mean come on, since when has code used a possessive apostrophe? It's just......wrong.

I'll grant it's wonderfully readable, but in people's experience, is it actually easy to write? I can imagine having difficulty remembering all of the exact 'easy-to-use' identifiers. Also, in some cases it seemed to match good grammar, whereas in other cases parts of verbs, plurals etc. were not used correctly. Is there a set of special cases you have to remember or what?

lamers

[Rinikusu]

Seriously.

If you were really serious about inflicting pain, how about:

setting up one of those $125 per call phone lines in the bahamas and then having the imac call it every 2 minutes...

repeatedly call 911 and play recorded message: "help! I've fallen and I can't get up!" over and over again

install a keylogger so you can post their most intimate conversations on your website.

those are just a few ideas that have popped in my head.. Hell, you could do that with VB email virii and make a mint with the first one...

Re:lamers

[buckrogers]

I like your idea of having the iMac call the 900 number for cash. If it called enough times you could buy a brand new computer.

I'm thinking that you need to turn off the speakers, turn off the modem sound and if there has been no activity for a few hours, at 4am have the system call that $125 number about 20 times in just a few hours.

With this scheme you could sell reconditioned iMacs setup with this software out of the back of a van for about $100 apeice and just sit back and rake in the cash. The people who bought what they thought was stollen property will never say a word as long as you only ripped them off for a couple of thousand dollars.

So, people, if you buy computers from the back of a van, don't complain when you get ripped off. :) You were warned!

Re:lamers

[petej]

"Hello, Miss Cleo? My name is Eliza."

Re:applescript strikes back

[Alan+Partridge]

AppleScript is UNBELEIVABLY easy to write. If you have any kind of logic in your soul and speak English, you can automate your plastic pal to death. We actually run our business on .as, it's just great to have a script that runs when you drop a video capure file on a folder, runs Cleaner to compress it, BBEdit to knock up some HTML, DeBabelizer to cobble together some GIF thumbnails, Fetch to upload it and IE to spring open to look at the site. All while preparing coffee or beating the crap out of some guards in Oni.

Re:applescript strikes back

[Morth]

Yikes! That is some urglee code. I mean come on, since when has code used a possessive apostrophe?

Since AppleScript was invented, obviously. (90-91?)
IIRC, set text item delimiters of AppleScript to {":"} works just as well. It's the versatility and its way of knowing where to put parentheses that makes AppleScript easy.

Record 'em!

[PhotoGuy]

Recovering the iMac at all is very cool. Every PC and Mac should have some "phone home" program installed; I bet most stolen computers aren't wiped. Anyone buying a Mac/PC on the super-cheap, is unlikely to buy or dig up a copy of the OS to start fresh.

The lack of a prosecution for the theft is disappointing. (As someone who has had their place robbed twice in the past two years, I find the low capture/prosecution rates depressing; it just doesn't seem to be a priority with law enforcement. Sigh. Oh well, if anyone tries to hit me again, they'll be on candid camera :-)

What might also have been cool, would be to use AppleScript to flip on the microphone, record the sound in the room, and send the recordings now and then, when connected. (Or use AppleScript to download a program that does the same; I don't know AppleScript.) That would potentially allow more "evidence" to be collected. If the lady didn't steal it, there's a chance you'd record something that would be useful. (Her thanking her brother-in-law for the Mac, or the like.) Having the Mac copy you on all incoming and outgoing mail may also be useful. (Not sure if the Mac could do it; Outlook almost does this by itself, with all the viruses it accepts :-)

Probably not admissible in court, I guess. Although using a stolen device for surveillance really *should* be a legal means of admissible evidence, in a perfect world :-)

-me

Re:Can I do this with my laptop? ... Yes, In theor

[Anne+Thwacks]

Don't bother with BIOS Passwords - that would require a bios hack, to say the least.

The boot sector is replaced with a BSD style boot selector, set to boot from the "stolen" partition by default (ie if you are using the machine yourself, you select BSD or Windows - thief has 5 secs to figure out what is wrong, and cant, so gets default behaviour.

After the initial boot sector process, control passes to a next stage, "Stolen" ... This displays a message "Unable to start Windows ... perhaps modem cable is not connected to the phone? ... Please connect cable to phone, and press return"

The average thief will understand this, and connect the phone cable. The real owner would press CTL-ALT-DEL.

When the thief connects the cable and presses "enter" the phone dials the owner, his mates, his mobile, his dog, cat, ma, pa, and the 911, 999 (in case its in Europe), FPI's private number, SWAT, the US Marines, Bin Laden, the Mafia hit-man hot line, and that number the Gas Company reserves for reporting leaking gas mains.

Not only that, the boot sequence will auto-hack so this is the ONLY boot option, and disable CTL-ALT-DEL. The dialling sequence will repeat till the battery runs out.

Someone will be pissed enough to find out who owns the unlisted number and send the boys with big sticks round for a visit.

Re:applescript strikes back

[smagoun]

Not only is Applescript unbelievably easy to write, it's easy to execute, too - drop an Applescript or three into the "Speakable Items" folder on the Mac, and your Applescripts are suddenly voice commands for your computer. This brings you a long way toward full voice command of your computer, depending on what you need.

"Computer, update website" (computer executes the 'update website' applescript, which would probably be very similar to the parent post's Applescript"

Since Applescript is easy, powerful, and voice-activated like this, you can do some amazing stuff on the mac with very little effort. It impresses the hell out of other people, too.

(FWIW, the PC emulator VirtualPC is Applescriptable - you can have a LOT of fun with that: imagine the above Applescript, but add the part where the script fires up VirtualPC and loads your webpage in IE for Windows to make sure it looks good on that platform too. All this while you're playing Oni)

Re:applescript strikes back

[melatonin]

Yikes! That is some urglee code. I mean come on, since when has code used a possessive apostrophe? It's just......wrong.

Uh, no, it just makes sense. Possessive apostrophes are awesome for programming languages.

c++/java:
foo->bar()

AppleScript:
foo's bar()
bar() of foo

It's a hell of a lot easier to type.

PHP:
$myArray[3]

WebSiphon:
myArray'3

It's not wrong, it makes sense. Just try typing those lines of code there. I wish more programming languages used it.

And ya, it's very easy to write. That is, once you understand that it is a programming language which has its own way of forming meaningful statements, so that something that makes sense in English doesn't necessarily mean it will make sense to AppleScript :)

AS is best for making objects from different programs work together. It's a solution to the interoperability problem. Each program can describe itself with verbs and nouns, and AppleScript's syntax is very good at mashing those things from different programs together.

It's not so great for coding intense algorithms, as it tends to be verbose.

set foo to 5
foo = 5

When you do have to make programs talk to each other, AS makes wonderful glue. AS is intended to exploit logic in other code, so rather than running awk/sed to munge my text, or use the language's text manipulation expressions (as you would in Perl), I'll get BBEdit to open the text file, and use all it's insanely powerful multi-file regex features. Apps in OS X are supposed to support opening files and doing operations on them without presenting a user interface specifically for this purpose.

No need for CORBA to solve those problems :P