Slashdot Mirror
Laptop Thief Caught via AOL Login
Mundocani writes "Yahoo (Reuters) is reporting that the FBI has caught the guy who stole computers from Wells Fargo. The interesting part is that 'Investigators traced the computer to Krastof when he logged onto his own America Online account at home through one of the stolen computers.' Makes you wonder what sort of hooks the FBI has into AOL or other ISPs and what hardware identification is being transmitted at login."
Mac address perhaps ?
There may be some good in the fact that they are able to trace someone like this...but the ramifications make me shudder.
That and make me glad I am in Canada..
"You've got jail!"
1. When you steal computers, don't steal laptops.
2. After stealing a dedsktop PC, even if it has the latest Windows OS and Service Pack, format the disk and load RedHat.
3. If you steal a Linux PC, install Windows on it for a year, then switch back - even AOL can't maintain that big a log!
4. Don't use AOl - switch over to MSN - it's much more secure - instead of the FBI, it'll be the BSA that's after you!
If you keep throwing chairs, one day you'll break windows....
The line between being able to trace crooks and being able to maintain your privacy has always been small. You know what to do if you want privacy, and everyone else should not ever assume they are private just because noone else is in their lounge room.
This is a valuable education, and it will help the regular user understand how unprivate their internet communications are.
No-one loses here. What's the story?
http://pcblues.com - Digits and Wood
Well's Fargo is using some cool 'Phone Home' software that was described on Slashdot several times that MOST everyone thought was a good idea...
Why is it a good idea when it will protect your laptop or employer's laptop, but suddenly, the FBI has some nefarious hooks into AOL when they publish that they captured a laptop thief because the thief logged into AOL?
Anyone care to give that answer that?
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
I hate to say that Slashdot readers have obvious biases, but why is it that when the police do something smart with computers, you get:
Makes you wonder what sort of hooks the FBI has into AOL or other ISPs and what hardware identification is being transmitted at login.
And when they can't solve a computer crime case, you get 100 posts about how the police are computer dummys. I'll be honest, I'm not too worried about my ISP having my MAC address, or even the make and model of my video card if they are interested. It's just nice to see a criminal get busted
How was this thief even able to use this stolen laptop? Were they not running a password protected operating system, at least Windows 2000 or Windows XP?
I know that if ANY of the laptops and roughly ALL of our desktop PC's would be useless to any thieves unless they format each and every machine, since there isn't a single account that doesn't have a password that isn't controlled by our Domain Controller...
I am not so happy about Wells Fargo's apparent disinterest in keeping things secure...
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
Actually, I would say that is less than likely. I haven't heard of any company that installs software like that by default, even on laptops. And it would be much easier for AOL to check for a MAC address Wells Fargo provided.
According to another source "He logged onto an (America Online) account that was registered on that computer and we traced it back to his phone number and address''.
It's the 4th item down on the page, under "Suspected thief arrested".
[Set Cain on fire and steal his lute.]
Actually, the kind of security software implied by the original poster does work on IPs since you can't track a MAC address back across the Internet. When you log in, the laptop transmits its current IP address back to the servers of the "phone home" application vendor along with an ID. If that ID is flagged as belonging to a stolen system, then that IP is used to identify the ISP, who will then be informed of the situation and will hopefully be able to identify which user was using that IP at the time. Tie that user back to a person and contact details through billing records and you can proceed to make an arrest.
UNIX? They're not even circumcised! Savages!
Though why AOL should be tracking mac addresses to user logins is beyond me.
Its called good administration. AOL is a large ISP if you didn't know. They have a lot of members and non-members trying to send Spam threw them, hack other computers threw them, and hack and Spam their own systems. So when someone puts out a complaint that so and so spam them threw AOL or was being tracked threw AOL and you show them proof then they can check the logs to see when they logged in and if they actually did that, at least coinciding with the login times and the times the incident occurred. I am pretty sure that they are also recording your telephone number that you used to call in as well. This is not a part of some Evil scheme or government plot. It is a way that a company the size of AOL uses to protect its butt. Because if they don't track this information and enforce it, (And yes some times they may need to call the police and some times the police asked them for some information) then they will be getting lawsuits left and right saying your servers attacked my computer, and AOL is not even showing good faith to remedy the situation. System Administration is sometimes public administration as well, especially when the public uses your systems.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
The MAC address goes no further than the first router , in this case his broadband modem if thats what he's using.
If he's using dialup the MAC address doesn't even come into it.
Avantslash - View Slashdot cleanly on your mobile phone.
I found this version posted on www.securityfocus.com. It says the thief used the laptop owner's dial-up AOL account, which the FBI had asked AOL to monitor.
- Use WHOIS to find out which ISP owns the IP address
- Get the ISP to look at their logs to determine which dial-up session was assigned that IP at the time.
- Look at the logs for the access platform to identify the caller's line ID. This is usually the same as the telephone number, but not necessarily, and is *always* known to the remote system, even if you withhold you phone number because it's used in call setup.
- Take that number to the Telco that owns it and look at *their* logs to give you the physical location of the phone that made the connection (or owner of the mobile).
- Arrest the perp.
While that glosses over the paperwork, and assumes that the ISP maintain sufficiently details logs of calls and authentication, which many small ones don't, that's pretty much it.UNIX? They're not even circumcised! Savages!
Why make it so complex? The computer was reported stolen by Wells Fargo with all the information, so the FBI issued a request to AOL to notify them if anybody logs into such and such accounts. Once it happens, the FBI simply had to check the phone records to know what is the number of the guys connected and voila!
I work at a phone company in a country without secret services and sophisticated hooks into any ISP and we would be able to pull that out in a matter of minutes.
Makes you wonder what sort of hooks the FBI has into AOL or other ISPs and what hardware identification is being transmitted at login.
i bet it wasn't that complicated.
fbiAgentd00d99: Yo man, what's up?
LaptopThief2310: Not much, i just ripped off some computers! HA HA WOOT!
fbiAgentd00d99: SWEET!
LaptopThief2310: Yeah I rockxxorz. Now I'm takin' a pic of me, an all the computers i stoled w/ a sony cybershot i "found".
fbiAgentd00d99: You pwn3! Send me that pic! I'm gonna put it on my website!
There we have it folks, probable cause, as well as an IP address.
There are several software packages including Ztrace and Absolute Software's Computrace which deal with the issue of laptop theft directly. It seems very likely that these computers were protected with one of these type of programs.
Were they not running a password protected operating system, at least Windows 2000 or Windows XP?
You must be kidding, but I'm not sure.
It takes only a few minutes to change the administrator password on a Windows box with a Linux boot floppy.
Done it a couple of times (on Windows 2000), for users who didn't know the admin password.
I agree with you that a laptop with the sort of sensitive data that this one contained should never be connected directly to a public network - but such is the state of data security these days.
[Set Cain on fire and steal his lute.]
I kind of get the impression, that with this being a laptop and all, it would have been using a modem to connect. Last I heard a modem does not actually have a static MAC address in firmware like a network card. Since this is Slashdot, we might as well blame Microsoft for this confusion since they gernerate a MAC with the vendor ID of 44:45:53 to "internal adapters" such as modems.
UNIX? They're not even circumcised! Savages!
The Yahoo statement:
and the Herald statement:
I felt that the direct quote of Chief White was more credible, and less likely to be subject to an error of interpretation on the part of the reporter.
[Set Cain on fire and steal his lute.]
If this is anything like 95% of the windows laptops I know of, it was littered with bonsai buddy and RealPlayer and Windows Update and tons of other calling home crap. And more than likely, this bozo didn't format the PC or anything else. All the FBI would have to do is find out whats on the PC, and contact these companies for that software's unique IDs.
There is no need for any "Phone Home" software or anything sending the CPUID to AOL. The story is much simpler than that and rather low-tech:
Nothing exceptional here. The FBI does not need any strange hooks into AOL. They only need stupid thieves. Case closed.
-Raphaël
It's simple. Everybody wants thieves to be locked up, but nobody wants to live in a police state. This means that we applaud whenever the authorities apprehend a baddie, but we boo whenever they give themselves even more powers and so bring the darker possibilities one step closer. There is nobody to guard the guardians, so we defend ourselves as best we can, by trying to postpone the day when their control might become total.
The two things are directly related, inasmuch as in a police state there would certainly be much less crime, since freedom cuts both ways. What you see as a conflict is just a reflection of this inter-relationship. We have to do both if we wish to safeguard both our present and our future.
Companies server receives the unique ID. Sysadmin: "Hey, Fred just logged in, but his machine was stolen. WTF? Hmm.. what IP did his request come from? Aaaah.. 69.69.69.69. Let's do a lookup.. hey.. it seems to be an AOL modem-pool". Company goes to police, policy goes to judge, police show credible evidence that a crime was committed, judge gives warrant, AOL gives info (login account or the phonenumber that was dialed in from) on who was logged in at that time on that modem in that modempool. Police goes to address, takes laptop, returns it to Fred, jails crook. Fred: "1337!".
karma capped
I had one of my notebooks stolen at the LA airport. I had one in my suitcase (there's only so many I can carry) because of a conference. One of the baggage handlers must have helped himself to my notebook.
...
The funny thing is that the notebook was my personal, and because I did travel a lot at the time, I had an AOL account for convenience. Out of a whim, I called AOL and asked them for a log of my sign-ins. Lo and behold, turns out whoever stole my notebook was using my AOL account to surf! I pleaded with the tech person to at least give me the IP address so I can track the thief down. He sympathized with my problem and passed me to one of the network engineers who was very keen on helping me. I got the IP address and the phone number that he used to dial-in. He said that the Telecom department could give me the number that was used to dial in to AOL but I would have to get law involved as certain FCC regulations prevented him from sharing that info.
So I collected all the info and sent the report to the security officer at the Airport, a copy to the LA sherrif's dept and another one to my insurance company (who I had hoped would be keen to solve the problem). After a few calls, I got nothing. Turns out that theft like that happens a lot at the LAX and the LAPD is way too busy with serious crime to investigate a crime committed to an out-of-towner.
The good thing is, my home insurance covered the theft, so I got a better model for basically the amount I paid for my notebook a year prior (minus deductible).
This was pre-2001 btw
Wearing pants should always be optional.
Contrary to the Luddite tone of most reaction here, I suspect the only "hooks" the FBI had into AOL was a subpoena. I lived for several years near AOL in Loudoun County, Virginia. Law enforcement officials looking for info from AOL routinely sought subpoenas from judges in that jurisdiction. Sometimes they got them, sometime they didn't.
Of course, AOL can tell that a customer is dialing in from a computer with legitimate AOL account info and software on it. If a court tells them to, they'll record that info and release it to the people who got the subpoena. This time it was the FBI. Next time, it might be you and your lawyer chasing down someone defaming you online.
The assumption that the FBI has "hooks" into AOL is simple bush-league cynicism from the wanna-be poseurs. Why would anyone decide that it's wrong for AOL not to help capture this thief?
-- Slashdot: When Public Access TV Says "No"
Machines which dial in don't use ARP. ARP only applies to Ethernet
. Nontheless, I can easily see a machine with sensitive information wanting to report it's IP address to a central location whenever it connects. Cookies in the web browser might also help identify a stolen machine.
Using the default account and password stored on a machine seems stupid at first, until you consider that the guy had ID theft equipment... I don't use AOL, but I wouldn't be to surprised if you could fetch some ID-associated info by logging into the account of a stolen computer. In this case, the computer was of special interest, so the guy was picked up.
I wouldn't be surprised if more people could be caught by this same method, it's just that police aren't interested enough in following such tracks for 'normal' owners.
Free Software: Like love, it grows best when given away.
Nah.. I have a copy of the evidence right here....
Subject: ME TOO
From: Krastof (Krastof@AOL.com)
Reply-To: Krastof@AOL.com
Newsgroups: comp.laptops.stolen
Date: Wed, 26 Nov 2003 09:18:22 -0500
I have done something similar with yahoo auctions. At auction end I type the seller's name into my IM client. It registers that name under all IM clients.
I always request a phone number and email address if I pay by Paypal or PayDirect. If they don't give it to me and I can't validate it, I don't send the money.
I have sent money in the past; rather blindly. I have been able to catch two sellers by just pretending to be girls interested in them, through IM. I got their actual phone numbers and even got one ready to pick me up and meet me for a "date" LOL.
Of course it was a lot of hassle.
If you can catch a criminal at their own game - that's justice.
I wish eBay wouldn't have eliminated the contact information request without having a transaction with the othert party. Most sellers that cheat me on Yahoo, also have aliases identical on eBay.
Yell & scream & rant & rave... it's no use... you need a shaaaave ~ Bugs Bunny
I bet the machine had some email software on it (Outlook?) that checked for new mail once an internet connection was available. The mail server logs would show the IP address.
Fred sets his laptop up to log into AOL with a default account and password. The crook seals the laptop. Fred calls AOL asking what ANI-reported telephone number his account has logged in on since the theft. AOL tells Fred the phone number. Fred reports the number to the cops. The cops get reverse directory information from the phone company (without a warrant unless the number is unlisted.) The cops ask Fred to ask AOL to inform the cops upon the next login. The crook logs in again. AOL calls the cops. The phone numbers match. Cops bust down Crook's door without a warrant because they have knowledge that a crime is taking place. The crook is busted.
Its ok to point out the mistake, IMO, but FGS, tell him what he is doing wrong.
If he never took the time to do highschool, is he even going to bother looking up why you advised him to change the word?
Grandparent:
Threw is the past tense (means you already did it) of throw, as in PReD threw a brick at the parent.
Through means to pass between the inner restrictions of something, as in go through a tunnel.
No, that's OK, don't mod me up +5 informative, I don't need the Karma, but all donations are gratefully accepted.
Do not meddle in the affairs of geeks for they are subtle and quick to anger
Really.
To the rest: Offering complete goofball theory after complete goofball theory, briefly resting only to scream 'violation of privacy' then going back and suggesting another goofball theory impresses nobody. CPUID/NIC MAC/Windows/Office/[you-name-it] identifers or serial numbers are not immediately accesssible just because you have a PPP sesion going over your modem. If a phone-home feature was installed, then fine, but that's a completely different story.
Another hilarious example was the the default-route theory, which someone suggested as a 'dead giveaway' to the feds. Hello!? Even if the routing table was accessible, routes associated with a NIC wouldn't be *in* the table unless the NIC was active, and the setting would only be visible in the registry, not typically accessible to the world, nor routinely queried by an ISP. And never mind the statistical probability that a corporate NIC is configured for DHCP, thus it wouldn't have a default route to begin with.
I simply can't believe the amount of idiotic pseudo-techies posting and feeling BIG because they could incorrectly apply page 254 of the MSCE prep guide to formulate a crackpot theory.
Bleeeeeeeeeeeechhhh.
Known stolen AOL account + phone number recorded by any ISP (radius does it by default) + call to phone comany by FBI = physical location.
No magic.
He tried to kill me with a forklift!
Modems don't have MAC addresses.
And, btw, tracing MAC addresses across the Internet is not "almost impossible" but "by definition impossible". Traffic on any internet (but especially The Internet) crosses routers (that's what the "inter" part refers to). Routers kill OSI Level 2 identifiers, like hardware addresses.
All's true that is mistrusted
I work at Wells Fargo and there is a pile of 8 laptops on my desk and the images I apply to them don't have any "call home" software. FYI.
Not so easy as pulling out batteries on laptops.
If you lose the CMOS/Bios password you usually have to RMA the laptop back for a new bios (unless you can find it and solder or replace it yourself). Thus requiring receipt or tracking of serial numbers of which any big company can cross reference against service contracts.
I downloaded onto floppy disc the program here and had reset the admin password on my Win XP box within seconds. Never seen anything so simple in my life. Though others recommend LC4 which also works.
Phillip.
Property for sale in Nice, France
Seems Reuters screwed up on the facts.
http://www.sfgate.com/cgi-bin/article.cgi?file=/ne ws/archive/2003/11/26/financial1853EST0113.DTL
http://www.crime-research.org/news/2003/11/Mess270 2.html
Check the above article. They say he logged into AN account registered on that computer. It could have been that he logged onto the Wells Fargo guy's account (with password saved). After all, he is a data thief, and not a very smart one apparently. If the FBI had AOL watching that guy's account, then they could have simply traced the IP Address. No big deal...if that's the case. It would help if the articles would be little more specific.
If you mod me down, I shall become less powerful than you could possibly imagine.