Slashdot Mirror
Free Software Tracking a Stolen Computer?
JeffTL asks: "By necessity, I carry around an Apple iBook running OS X Panther. In the event of its theft, I would like to have the thing send me its IP address, not only for the benefit of law enforcement but also so I could SSH in and trash my personal data with srm, while doing an SFTP backup of anything I forgot to back up. I am not really wanting a subscription, so I am looking for a free-as-in-beer (and if anything beyond a shell script is involved, free-as-in-speech would be much preferred to make sure that no one else is getting anything). Currently, I have a bash script that can create a report, and I am thinking about sending it using either e-mail or FTP. I am considering setting it up to where it only starts barraging me if a specific code is posted to an HTML document of my choice. Is there already something like this in existence somewhere for free? If not, does anyone have any pointers on how this can be done?"
... is just what you're looking for. I strongly recommend encryption and backups though.
If you are going to roll your own, I would suggest setting up a script on the laptop so that if it detects it has been stolen (i.e.: by checking if a website has a special message from you), and if so, connect to a secure ssh server as a client (using public key authentication so it can connect without a password), making sure you use the options to set a TCP tunnel going back to your laptop (to port 22, or perhaps VNC port, or multiple ones). In other words, have the laptop automatically ssh to a stationary server, and establish a tunnel back the other way that you can then use to get in. This way if someone runs it behind a nat device, or even installs a firewall, you can still get in.
Another thing you might want to look at is using an IM protocol with the language of your choice, and allowing remote command execution (with certain precautions such as command signing with a private key). For example, grab the Perl AIM module, create a server, add some way to sign commands (i.e.: if ( md5($msg . 'someprivate') eq $msg_key ) { shell($msg); } or something like that -- that's just off the top of my head so it may not be perfect).
_______
2B1ASK1
the client is nice, and works great in os x. one thing you have to consider though is if your laptop gets stolen, there's a very high chance the hard drive will be wiped before the thief even gets a chance to boot your old machine. besides, if you password protect your login (which you should) then they won't get anywhere and will need to format in the first place.
- tristan
cron a bash script. /sbin/ifconfig | mail you@where.com
It will cost $199, but will have very cool design and play beautiful music on your cell phone when the laptop gets stolen.
The odds are maybe 50/50 that a person stealing your laptop would have a clue to avoid something like this. If they do consider this, they'll wipe your disk clean at the earliest possibility, in the absence of a network connection. Get rid of the evidence.
If this is a kid who plans to pawn it or sell it on eBay, or possibly just use it, they might plug it in to make sure the Internet works. What's the first thing they'll run? The web browser. It's just a web browser, that couldn't hurt right?
All you have to do is set the browser's home page to a page on your own site, not linked from anywhere else. If your laptop gets stolen, you could activate some PHP in that page to send you an email or SMS. The IP address will be logged, so you can (maybe) SSH in and do your dirty work. If the user has a firewall, that would be a problem.
But anyway, this is a pretty easy way to do it. You could even just start up the web browser on boot, and if they are on the Internet, they're nailed.
...
How about setting up a cron job that emails the IP address everytime it's turned on? Or, dare I ask if that's a Windows laptop?
Like most people are pointing out there is a good chance the the drive is erased before even being booted. So wouldn't a custom bios be needed with all the reporting tools, dhcp clients, etc? Besides LinuxBIOS anyone have any data about adding custom programs to a BIOS?
A quick search turned up this which seems like a good idea. Also this site discusses varies ideas to make theft and reselling more difficult.
My Hello World is 512 bytes. But it's also a valid Fat12 boot sector, Fat12 file reader, and Pmode routine.
You could always set up a web page that tracks the IP of whoever hits it. Set up the laptop to automatically go to that page when it boots. (Maybe give it a magic forwarder that sends it to Google News or something after it's visited?) Then you at least get the IP. If you wanted to be snazzier, you could also have it read the HTML that comes down and look for a self destruct message. I'm not sure how you'd do this with the Mac, but I imagine it's not too hard. In the Windows world, I'd just write a little VB app to do that, wouldn't take very long.
"Derp de derp."
Not strictly relevant to this poster, and I can't even remember the damned link (hence the uselessness of this post): can anyone remember an article a couple of years back about a guy whose Mac was stolen, and he used script magic, and the fact the thief hadn't wiped the disk, in order to find the guy and get him arrested?
You may consider using something like ddclient and dyndns.org. You can setup ddclient to check the state of the machine's IP address at any interval you want. When the IP address changes ddclient notifies dyndns.org to update DNS records. It runs as a daemon so it shouldn't be too hard to make it start up everytime your machine boots. When running you can monitor the machine's IP address from the dyndns.org website.
Of course, this doesn't do anything to help you get into the machine if it's behind a NAT or other barrier. It could help with spotting the IP, though.
Here is a novel idea... set your laptop to not show user icons(and thus give the person your screenname) and not auto login... THEN, set your home directory to be encrypted using a strong(STRONG!) password using... YUP, the builtin File Vault technology. Make a good backup before you encrypt, then setup regular off-laptop backups while it is encrypted.
If that isn't good enough for you, and i don't see why it wouldn't be, have your web browser's home page(or an applescript that runs every time it verifies a network connection) to post to a 'secret' webpage you have on your site... have it post its information(ip, blah blah) and timestamp it... this way, you have a clear record every time the laptop has a connection, and you can just take note whenever it has an entry while NOT in your posession.
If you really want to be secure pack the free space in your laptop with sealed plastic bags of thermite. Wire a detonation circuit to recognise a special code from spare pins on the inside of the parallel port (basically, an electronic hardware interlock so it can't possibly go off accidentally) and have it read from a special URL every time the network comes up. If the correct code is present your laptop becomes worthless to the thief in very short order. With a bit of luck, he's got it on his lap at the time and won't be stealing any more laptops for a while.
Or you could just use a crypto filesystem to protect your data, and claim the stolen laptop on your household insurance..
455fe10422ca29c4933f95052b792ab2
Create a cronjob for root:
/usr/local/bin/checkWeb.sh
/usr/local/bin/checkWeb.sh could contain:
crontab -e
0 * * * *
The file
#!/usr/bin/bash
wget http://your.host.name/stolenweb.html
if grep "It is stolen" stolenweb.html ; then
[generatereports and send it off]
fi
rm stolenweb.html
It's a really rather simple setup that checks the webpage once each hour. If the webpage contains "It is stolen", then you do the reports-generating and whatever.
"Rune Kristian Viken" - http://www.nwo.no - arca
Expecting that whomever steals it will merrily go home and plug it into an ethernet jack is a bit too much, I think.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
So does this mean that your laptop is set to auto log-in?
Anyone who get's their hands on your laptop can just access your info with no safeguards? If so, then keep nothing on your laptop.
OR,
You could go into Open Firmware, set a password so as the machine can not be booted from a CD or firewire drive (without the pw of course), set a decent password for your log in, and the forget about worrying whether your laptop gets stolen. Because the only way that some form of script is going to work for you is if they can log in. Accept your loss, curse the vile stinking theives and move on.
I would rather lose my laptop than have anyone be able to get at my data.
If you are one in a million, then there are six thousand people who are just like you.
I'd like to suggest that 'having linux do that' or even 'have windows do that' is quite.. (stupid). That person that stole it is most likely that will NOT connect to a network that easily.
:/
The BEST guess is to run DHCP so when it adds it to a LAN will get a connection. But even then you are not absolutely sure it would work that way.
I suggest do all that you can from what is described in this topic and be warned it will not work.. most likely.
Maybe we need some king of international wireless internet triggered from BIOS or sth to have that kind of feature. Even then hacks would exist, but it's still better.
to send the email to an account that is not configured on the laptop. Or be sure to change all your passwords.
If the thief reads the email s/he can delete it from the server. Not to mention all the other stuff they can do to cause you problems.
One of my servers at very remote location is connected to ADSL with dynamic IP address. Simple cronjob reports its IP-address every ten minutes. It is wget requesting special CGI-script which writes remote IP-address to text file.
This scheme should work fine for stolen computer unless they disable this cronjob (or whatever in other OSes) or reinstall software completely.
the first thing I would do if I had a stolen laptop would be open it, check for extra gadgets (like active gps receivers), then fsck the hard drive. Then I might decide to plug it to the internet.
If, on the other hand, I am interested in the data it contains, I'd remove the hard driver and dd it somewhere else.
-- There are two kind of sysadmins: Paranoids and Losers. (adapted from D. Bach)
...but if i was to steal a computer i would reformat it as soon as i get it. oh well, but who knows, there are a lot of stupid people out there.
ssh user@somewhere.com "ssh `gethostip -d [machine name]`"
Set up your keys correctly, of course.
Of course, this can cause problems if the thief is clueful and bothers to poke around.
Netcat could also be very helpful here.
I forget what 8 was for.
System: Apple iBook running OS X Panther.
... also so I could SSH in and trash my personal data with srm, while doing an SFTP backup of anything I forgot to back up.
Start by checking the apple.com website and see what options you should begin with. One observation above is to use File Vault to secure your personal data. This is all well and good, but it makes it tough to take one of the later steps.
In the event of its theft, I would like to have the thing send me its IP address
As has been noted this is not difficult. Set up a cron job, or even a boot job to find out the laptop's IP address (ifconfig |grep inet |mail me@myisp.com -s 'iBook's IP") and you get the ip on the lan in the body of the e-mail, and the external IP in the headers. Presuming smtp is not blocked. If you install the perl libraries for Jabber, you could even send a jabber message via a similar process.
Note that if you have been rsync on a regular basis to backup your personal data, which can be done across an ssh session, you may not need to do any sftp backups, and you could have a cron job take care of this so you are covered.
Several of the posters above have noted that you could use wget to pull down a "hidden" page on your personal web server with instructions. For that matter you could build a script that would be posted to that page, perhaps with a marker character before each line, (such ah $) that you grep out of the downloaded page, cut the first character out of the line, then save it with a random name, chmod the file to executable, then execute it. At that point the script could be doing anything you ask of such a script. Including downloading executables, and even running 'dd -if=/dev/null -of=/dev/disk0' to wipe the hd yourself.
Elsewhere others have noted that if the thief wipes your hard drive before they re-boot it, none of this works. That's as good of a reason as any to schedule backups of your personal data. It won't help you recover the laptop, or tell the police where the laptop is, but at least you have your personal data.
This also won't help if your laptop is not connected to a network of some sort. If they pull your HD and toss it into a second computer as a secondary drive, then you will want to have all of your data in a 'file vault' to restrict access. Sure with enough time they can break the encryption, and ultimately start performing identity theft on you, but the time involved is unlikely to be worth it to such a person. It's far more likely that they will wipe the drive, pawn the laptop, and hunt for another laptop that is not going to take so much effort to access the user information on.
Then again, these are just my opinions. I have been known to be wrong, so I do wish you good luck.
-Rusty
You never know...
I wrote a little app that first checked for an active network connection (we can't assume they are using ethernet. They might be using dial-up and we don't want to trigger a dial-up connection prompt if they aren't expecting it by trying to send data). If the machine was connected to the network it then visited a specific web page where I could post commands. The HTML document was in the form of:
CMD: NONE (if I didn't want it to do anything at all. This was the normal state of the page) CMD: whatever (this was whatever command I wanted to machine to execute. It could be any valid DOS command including Format C: or DelTree C:\, etc).
I also had a CMD: CHT if I wanted the machine to enter an interactive text chat session with me where I could take a finer control of what it would do.
Luckily, my machine was never stolen. But I felt confident that, if it had been, my data would have ben protected. Encryption would have been much better too but I didn't think of it at the time.
This was done in VB so it wasn't cross platform at all. But this would be an ideal job for Perl with its powerful Regex's and the ability to shell execute.
Anthony Papillion
Advanced Data Concepts, Inc.
"Quality Custom Software and IT Services"
Open Firmware is programmable and network-capable. I suspect you could set it to phone home on boot.
But I'm pretty sure that 99% of stoeln laptops are just erased then sold.
I don't think it's realistic to assume you will get your machine back.
:)
1. Perform regular backups. You'll have all your data, so you don't care about getting that back.
2. Use filsystem encryption software. Built-in, aftermarket, whatever. Ensures they can't put your hard drive in another machine. If you're that worried about it, use VNC or remote desktop to control a system at your office/house and never store any information on your local machine.
3. Have insurance on it. Homeowners, business, whatever, just so you don't have to pay to buy another one.
Otherwise, I say they can keep it and I'll just get another one. I wouldn't mind having a faster laptop anyway.
One question for everyone out there, do you know the serial number of your laptop? I can't imagine anyone has that written down somewhere safe. How can the police prove the laptop is yours if you only know it's your because it has a SuSE sticker on the lid?
It doesn't hurt to have BIOS and power-on passwords either. The casual theif will not be able to get past them and will probably dump the unit somewhere or possibly try to return it saying "they found it" somewhere. Never use auto-login and use good passwords on your account.
IBM has some good laptop security features out there now. I believe part of it is some sort of hardware encryption for your hard drive. Not sure what Apple has, but IBM has definately stepped up to the plate.
Good luck.
-m
http://www.invisik.com
Put a small HTML Doc on the web, protected by a password (ala .htaccess)
write a simple script in bash, using wget, to fetch the document (wget can supply the password)
the password keeps anyone else from hitting the url
Any other information you want sent, have wget stuff into the referer header
Have init run the script (don't put it in your profile, cause then a login will be necessary to run the script)
Now, if your laptop gets stolen, just check the logs!
cmon who wouldn't format that piece?
this sig limit is too small to put anything good h
setup a cron job to post the IP to a ftp/web site every so often. then just check the ftp/web site when you need the ip.
I've done that for just keeping track of computers with static ips.
In addition to one of these "mailer" ideas, might I suggest having some "hard" evidence that it is, indeed, your computer (besides it having gone to the page that you asked it to or whatever).
:) My iBook is insured with the rental company where I got it (I'm poor, but I still gotta have a mac!). The first thing they ask for on a claim is "serial number", so this may be perfect, really.
0 330144040245#comments
Make it send you the serial number
Check out this link on macosxhints: http://www.macosxhints.com/article.php?story=2004
It describes how to write a bash script to get your machine serial number! Very, very cool.
BOL
Bard
I never stole anything in my life, but for a while a few years ago I was helping some 'questionable' friends wipe out machines of 'questionable' origin. At the time it was a way to feed myseld and get deals on hardware, I'm not into that sort of thing anymore.
You can be SURE that if a laptop gets stolen, the kids that wiped it are going to take it straight to their local geek who will boot the machine off a CD and wipe the drive. Usually stolen goods go right into local low-level organized-crime units for 'laundering' and appraisal.
My advice is to not allow your iBook to get stolen in the first place. I tote my PBG4 AL with me everywhere I go, it's never out-of-sight, not even when I hit the bathroom at my local coffee joint. Do backups and get homeowners/renters insurance on it and encrypt your home folder.
"Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
If your laptop gets stolen by some kid who wants to play around, then a shell script/cron job would probably be good enough. But let's take someone like myself for example. You don't have to worry about someone like me stealing your laptop, but let's say that you forget it on the bus or in a lobby, or in a restaurant and I or someone like me stumbles across it. The first thing I'm going to do is check it for good pr0n, but without connecting it to my network. The second thing I'm going to do is wipe the drive and reinstall the OS.
A better option for you is to make sure that no one who shouldn't gets access to your machine.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
Wasn't there a story on /. where someone lost their PC as part of a burlary and within the next two weeks or so, all of his address book members started getting spam payloads indicating the loser absorbed a virus?
Did anyone find out exactly what happened out of that? (or was it FOAF/UL?)
You could just set up a guest user with autologin, and put some nasty file on the desktop with a name like "my_credit_card_informaion.txt.exe" =). Odds are they will try to log in and check the laptop for personal information at least once before wiping the drive.
If you are 31337, you can also make the nasty-file check for some conditions to be true before doind its dirty work, like an "omg it is S7013n!!1" message on your webserver for instance.
Many ppl have commented that having one's comp auto-login is just being mentally defficient. On the other hand, it's hard(er) to make something auto-run if it never actually gets loged-in. Intrestingly enough, OSX supports the disconnection of your login and the program/file that stores all your passwords. (keychain) Thus you can still have your login auto-login, yet still not have any access to the stored passwords untill they enter the keychain password. If I recall correctly, the password file is encrypted permenently, and is only readable by the keychain app when it has the proper password or key. I'm not positively sure, but I think that the filevault system can also be set up like this. Essentially meaning your acount has multple levels of access. The main "you're into the acount and can do stuff", then needing second and possibly third passwords to access keychains and files. Much more secure. This could be used to have your comp login automatically and run any programs or whatever, without compromising your data or passwords. And on a side note, how many ppl actually log out their laptop every time they tuck it away in their carry bag, or even every time they set it down and look the other way? In all likelyhood, (for most ppl), the login isn't an issue, since it'll already be loged in and running when the thieves steal it. This also means that said tracking apps can't/shouldn't be on startup ones, but general background ones that check said server every so often. All in all, I think some of the physical security devices, such as good old lock and cable ones that most laptops, and actually many comps in general can accomodate (good for places you'll be for a while like hotel rooms), or the above mentioned motion sensor type thing. Best security of all: Keep it attached to you, and don't leave it lying around anywhere.
Z
I think a really sneaky way for a laptop to "phone home" would be to run your own time server and configure the laptop to use it to set its clock. (On OS X it's in System Prefs/Date and Time/Set Date and Time automatically). Then watch the logs for the time server for where the requests come from.
I believe some IBM Thinkpads can be setup so that without the correct BIOS passwd the drive is encrypted, the HD's data is unaccessable with any other machine, and the motherboard will be useless for parts too (ok, just some chips but hard to resolder)
LapCop. http://homepage.mac.com/sweetcocoa/lapcop/ And it doesn't use SMTP, which, only works with your network settings. For 25 bucks, it's one hell of a deal. LapCop 2.0 summary: LapCop continuously monitors your mac's network and printer settings. When any of the monitored settings change, LapCop goes into alert mode. As soon as your stolen mac is hooked up to the internet via modem, ethernet or airport, LapCop gathers all necessary information for the alert e-mail. This includes the owner's name and address, the serial number of the stolen mac, its internal and external IP address and the IP address of the network router the stolen mac is connected to. When all this information is available, LapCop sends it to our dedicated LapCop monitoring server. Our server then compiles the alert e-mail and sends it to the e-mail address you have specified during setup. Because the alert e-mail is sent by our server, and not by the stolen mac itself, it does not rely upon SMTP and the delivery is guaranteed. You send us the alert e-mail and we will analyze it using IP to geography tools to trace the network your stolen mac is connected to. We will contact the network administrator or ISP and based on the IP addresses from the alert e-mail and the time the mail was sent, the user that was connected using your mac can be traced. Once a message is received from a stolen computer, it generally takes a very short time to get enough information to contact the ISP the thief is using and to provide the police with the information necessary for them to recover your laptop.
I have a friend who has a Mac running OS X and he got a virus on the thing which inserted itself into the very beginning of the harddrive so even if they booted the machine to format the drive still gets read and the virus still gets executed. The moral of the story here is that as long as he does not put the machine on a network he is fine. So if you want to get into low level stuff then even if they try and format the drive your security measures will still be there. Sorry I don't know the name of the Virus.
When they remove the mobo battery and the memory is erased. BIOS passwords are useless when the person has extended time with the physical machine.
Creative Demolition
How childish. Both verbally, and by mindset. Open your eyes, my friend, Mac users don't use PC's for MANY reasons, and I would rather kill myself than associate myself with a Windows or Linux or whatever user like you. I'm sorry we have a better OS, more power, and have a more close-knit community than you, but, it just goes to show how our computers have changed our lives for the better, and yours for the worst.
Just get a big vinyl sticker that says "Protected With GPS Tracking by GPSecure" even though this company doesnt exist, anyone scoping your laptop would think twice about it. They would only steal it if they wanted your data for some special purpose.
"The stupider people think you are, the more surprised they will be when you kill them..."
Well they have already got one charge of theft so why not keep Kazaa running in the background and get them on a second charge of piracy. The FBI will surely catch them then.
...on *no* recent laptops will removing a CMOS battery cause it to lose its BIOS password. there wouldn't be a whole lot of point having one if it did, would there? *sometimes* there are other ways around (toshiba's parallel dongle or keydisk, dell's resoldering the BIOS chip) etc but almost all modern laptops are a *bitch* to remove passwords from by their very design. particularly IBM - if their hard disk is locked then only a clean room and a few hundred times the worth of that hard disk is getting the data back.
Something tells me this is the perfect use of palladium. If there were something in the hardware that was attached to all web traffic (sort of like a VIN on a car) then it would become pointless to steal a laptop. At least near pointless. As it would require a lot of work to chop the computer.
Of course this has horrible implications for privacy. So choose your poison.
I tried for 5 years to come up with a clever sig...only to realize that I am not clever.
If there's a firewall, or a NAT device in the way, chances are you'll not get into your laptop even if you know the IP address.
A better solution would be to create a server in a fixed location (with a fixed IP address) which a script on the laptop periodically polls.
If your laptop is stolen, you flag the server with some message. When the script on the laptop polls the server, if it sees the flag, the script knows to start trashing stuff.
As for backing up stuff, well, you should be doing that before the fact. Don't rely on being able to get to your laptop remotely.
Throw in some spyware that will report back to you information that could be useful in recovering the laptop. Since it's your laptop anyway, this custom spyware will be revealing YOUR information to... you.
You server/script should use several different common ports (80, 443, 25, 22, 23, etc.) and perhaps even different protocols in case a proxy server is in use. For example, in addition to the obvious flagged web page, you could have a SMTP server that gives a response like "250 laptop stolen". Most SMTP clients will ignore the textual part of that response, but you script will know. You could have a DNS server that responds with some particular (yet bogus) address to a particular address query.
You just need to think creatively.
Give me my freedom, and I'll take care of my own security, thank you.
It has been mentioned several times that many people would be smart enough not to plug the thing in to the net, but with wireless they don't need to. So many people have open access nodes, i know in my house i can log in to my neighbors wireless just as easy as my own. Some sort of snooping would be a nice little perk for this type of program, seeing the common occurance of wireless. my 2 cents
So what if the system's behind NAT? Why not just have the system mail the contents of a good old fashioned tracert to the host of your choice--it'd get you all the ip information you'd need to subpoena the last known host.
:)
Last but not least, you could write a pseudo-"spam" script to hit all the major DNSBL, spamtraps, and maybe a few hundred innocent people with viagra adverts when it's determined it's stolen--this way their ISP gets complaints and pulls the plug on them wherever the laptop's moved to
Can anybody tell me if FileVault is solid yet? I recall disasters on 10.3.0...
I gather there's no data loss any longer -- however, I still hear reports of periodic loss of app settings and the like.
Can anybody tell me their experiences? Is it worth taking the plunge? I like the idea -- if anything because it would make homedir backups to my iPod quite painless.
lorem ipsum, dolor sit amet
Whenever I log in in X11, my setup scripts ask me for my ssh passphrase (with ssh-askpass). Three bad attempts and, well, bad things happen.
The trick is ssh-askpass. I had to call it myself in a Perl script and count the bad logins, otherwise it'd just let you try forever until your army of infinite monkeys with infinite copies of my thinkpad's hard drive eventually got ahold of my pr0n.
Of course, if your monkeys had copies of my hard drive, it'd be kind of pointless anyway. It's late! I'm sober! Leave me alone!
Assume I was drunk when I posted this.
OK, so it doesn't cross subnet boundaries, and some of them can be changed, but it is supposed to be unique (modulo some cheap NIC vendors).
It's a feaking miracle that these people wipe their own ass, not to mention a hard drive.
w ith a fake page to be displayed.
Curiosity will kill the cat. Who can't resist seeing what's on there. ID Theft freaks would have a feild day! Maybe something of value to your competition? It's a treasure trove of intelectual property.
The easiest thing to do is to boot it up. Bingo. if they plugged into net or wifi or dialup you can get SOME information. Dialup is hard to do, since most things don't get a phone line. But someone intrested in pulling info off would go wifi or network. Plus there's the whole dialing delay.
Another reason to boot it up is to see how you used it, like what is installed. Desktop icons are key to understanding your user.
The flaw with these phone-home and set-a-flag on-a-website approaches so far website is big: they may get to the internet before you, pillage and then wipe. By the time you set your flag, they've already presented all the evidence they'd give you - and you weren't listening! All you have is an IP address. Which may or may not be enough.
So it comes about that you always have to assume your laptop is stolen. Have it phone home all the time. Anyone know how to hook the interrupt of the machine coming out of suspend?
Of course, the smart crooks ones out there will just take the HD out and plus it into a 3.5" adapter and mount it on thier desktop computer. This way, you never have to run a single program (even unknowingly!) from the laptop. Mounting it r/o with minimal (read) permissions is a good idea.
The smart victims ones out there will add some bait. Maybe a sticker with a filename called "passwords.txt" in there, put some porn sites. Look at spam for idea on what bait to use. Maybe a "MyViagra" subscription/reorder numner. But change your browser via HOSTS file to take fake.site.com and associate it with www.yourtrackeingservice.com.
You did remember to make a shortcut on the desktop, right? This shortcut runs a program that generates the a base64 encoded report string and then submits your info, then invokes a browser to submit it like: fake.site.com/members.php?member=yourmembername
You also set it to run at start up (and coming out of hybernate)(though after a few seconds to get an IP) but you set '-q' which doesn't start the browser.
If you want to get your laptop back, you have to make it usable for them, and give them reason to run your laptop as you left it. Putting up barriers to that (boot passords, encypted filesystems) just means they'll give up sooner and they won't give you trail to follow. And you'll loose your data sooner. You best bet is they like it and keep using it, so the trail grows and you can dicern a pattern of activity.
Of course doing this in the bios is even better, but this is a start.
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
then I'd say just leave it unpatched. when the thief plugs it into an unfirewalled network the worms will erase the data for you.