Slashdot Mirror


Another Stab at Laptop Security

kogus writes "LoJack is licensing its brand name to Absolute Software, which provides Computrace -- soon to be known as the 'LoJack for Laptops' line of computer theft recovery systems. When a stolen Computrace-equipped system is connected to the Internet, it automatically and silently sends locating data to Absolute Software, which then calls out the law. In some cases, Absolute Software customers are eligible for a $1,000 guarantee payment when a stolen system is not recovered within 60 days."

20 of 316 comments

  1. Not secure at all. by TripMaster+Monkey · · Score: 4, Interesting

    From TFA:
    When a stolen Computrace-equipped system is connected to the Internet, it automatically and silently sends locating data to Absolute Software, which then calls out the law.

    Unless you:
    • Block the outgoing signal with a firewall,
      and/or
    • Wipe the drive, removing the Computrace software.

      Nice illusion of security....wonder how many people will fall for it.
    --
    ____

    ~ |rip/\/\aster /\/\onkey

    1. Re:Not secure at all. by cosinezero · · Score: 2, Interesting

      What's the likelihood it will become firmware once wireless manufacturers hear about it? Think about it...

    2. Re:Not secure at all. by Anonymous Coward · · Score: 2, Interesting

      it sits on the MBR of the HDD

      you just fdisk /mbr or run grub/lilo and it kills it.

    3. Re:Not secure at all. by Qzukk · · Score: 3, Interesting

      You block everything except the few things you know you need or want.

      You probably want http, so the firmware could do http://www.laptopjack.com/report.pl?laptopid=AF314229B2C&gps=55N33E or whatever the hell it sends. If the result comes back "you've been stolen!" it halts the computer and prints FBI! on the screen or whatever. If there's no network or the laptop is not stolen yet, it boots normally and waits until next time.

      The whole logic could be embedded in a boot rom on the card, with DHCP and all. Or, if you custom-made the ethernet card, it could even store the last IP address and gateway, and use that next time you boot if DHCP failed. You could even theoretically set it to do this every few hours or something when the network is idle-ish, so that if someone nabs it while it's running and keeps it on all the time, it still gets a chance to report.

      If you wanted to be REALLY tricky, you could hit other sites first and test for the presence of proxies or what not, then go through a few options, like SSL client authentication using a stored certificate to identify the laptop if a direct connection can be established. Or using just normal client SSL if a proxy that will allow it is detected. Or last ditch, http:

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
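
An added sketch of the check-in logic Qzukk describes above; it is not part of the original comment and not code from Absolute Software or LoJack. It simulates boots offline (no network calls), takes the report URL and its `laptopid`/`gps` parameters from the post, and uses hypothetical `Boot` and `Agent` names; refusing to halt on a verdict received over plain HTTP is an added design choice, since that reply is unauthenticated.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlencode

REPORT_HOST = "www.laptopjack.com"  # host name as written in the post
REPORT_PATH = "/report.pl"

@dataclass
class Boot:
    """Constructed description of one power-on: what the network allows."""
    dhcp_lease: Optional[Tuple[str, str]]  # (ip, gateway); None if DHCP failed
    direct_tls: bool = False   # outbound TLS reaches the server directly
    proxy_tls: bool = False    # a proxy is present and tunnels TLS
    http: bool = False         # only plain HTTP gets out
    server_says_stolen: bool = False

class Agent:
    def __init__(self, laptop_id: str):
        self.laptop_id = laptop_id
        self.cached = None  # last working (ip, gateway), reused if DHCP fails

    def _configure(self, boot: Boot):
        if boot.dhcp_lease:
            self.cached = boot.dhcp_lease
        return boot.dhcp_lease or self.cached

    def check_in(self, boot: Boot, gps: str):
        """Return (action, transport, url) for this boot."""
        if self._configure(boot) is None:
            return ("boot", None, None)   # no network: boot normally, retry later
        if boot.direct_tls:
            transport, scheme = "tls+client-cert", "https"
        elif boot.proxy_tls:
            transport, scheme = "tls-via-proxy", "https"
        elif boot.http:
            transport, scheme = "http", "http"  # last ditch: ID travels in clear
        else:
            return ("boot", None, None)
        query = urlencode({"laptopid": self.laptop_id, "gps": gps})
        url = f"{scheme}://{REPORT_HOST}{REPORT_PATH}?{query}"
        if not boot.server_says_stolen:
            return ("boot", transport, url)
        # Added design choice: only a TLS-authenticated verdict may halt the box.
        return ("halt" if scheme == "https" else "boot", transport, url)
```
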
    4. Re:Not secure at all. by pr0c · · Score: 2, Interesting

      GrBear (63712): Nice illusion of security....wonder how many people will fall for it.

      - How many corporations continue to run MS IIS to drive their corporate websites?

      - How many people continue to run IE?

      - How many people continue to run Windows and download the latest spyware infected software because it's trendy, even after they've had their computers infected countless times?

      You're right, security is an illusion, and some people prefer to turn a blind eye rather than look at the root cause.


      IIS 6 (3 advisories) http://secunia.com/product/1438/
      IIS 5 (11 advisories) http://secunia.com/product/39/
      IIS 4 (6 advisories) http://secunia.com/product/38/

      Apache 2 (24 advisories) http://secunia.com/product/73/
      Apache 1.3 (15 advisories) http://secunia.com/product/72/

      Apache - 29 Advisories
      IIS - 20 Advisories

      Did I miss something?

    5. Re:Not secure at all. by flosofl · · Score: 2, Interesting

      That's freaking hilarious!

      I just did that for real last week. Some guy came over and wanted to know how to tweak /dev/ethX settings (ethtool). Well, I was showing him (he's just getting into administering Linux stuff) and then I said if you ever need to bring an interface down you do this...and then I did it. On a box I was ssh'd into. Had to go down 6 floors into the test-lab to connect my laptop to the console port and bring the interface back up... Thank God it was only a lab box.

      --
      "This calls for a very special blend of psychology and extreme violence" - Vyvyan "The Young Ones"
  2. what happens? by Mo+B.+Dick · · Score: 1, Interesting

    If the person who steals the computer just reformats the hard drive?

  3. Ah... by HillaryWBush · · Score: 3, Interesting

    1. Purchase $500 laptop
    2. Purchase $100 security
    3. Purchase $100 spyware remover
    4. "Lose" laptop
    5. Wait 60 days
    6. Profit $300 for 60 days work
    7. GOTO 1 (I never spaced lines by 10, what was up with that)

  4. Questions by yuriismaster · · Score: 2, Interesting

    How would one report if a laptop is stolen? How easy would it be for a thief to remove this after stealing said laptop (before connecting it to the computer)? How will the law know where to go (geographic IP location can't be THAT accurate, can it?) How much of a performance hit will this add to normal use?

  5. Hardware, or software? by djh101010 · · Score: 4, Interesting

    TFA is remarkably lacking in technical details, so I looked at LoJack's site, which doesn't mention a thing about this. So - is this a hardware solution, or a program that gets installed into an existing OS? If the latter, well, how useful is that? While the slashdot crowd and the laptop-stealing crowd probably don't have a whole lot of overlap, I can't see someone not just re-installing the OS to wipe the system in any case.

    The spyware and firewall questions seem important as well - if this is just a "Hey, this is box XYZ and I'm at this IP address", talking to lojack's servers, well, fine, but how does the end-user know that they haven't blocked that with their firewall?

    I'd love to see something technical on this, rather than some stock-tip-guy's interpretation.

  6. Call out the law?? by pe1chl · · Score: 2, Interesting

    which then calls out the law

    What does that mean?
    Is there some law organisation in the USA that you can call saying "my laptop has been stolen and it is now on the internet at address 333.444.555.666" which will then go out to locate your laptop and return it to you??

  7. First law of data security... by chill · · Score: 2, Interesting

    If you don't have physical control, you don't have security. Okay, strong encrypted data may be safe from prying eyes but how many people, after getting a stolen laptop back, boot it immediately and "check" everything? Can you say keylogger trojan?

    Computrace is a piece of client software that "phones home" on a regular basis. It provides NO protection against things like formatting the hard drive before connecting to the Internet. http://www.absolute.com/Public/products/techplatform.asp

    Oooo... it uses an ENCRYPTED connection. Explain to me how this stops "fdisk; format c:" or "fdisk; mkfs /dev/hda1"? How about booting from alternate media like a USB key, floppy or CD?

    This must be designed to nab the stupid criminal, who jacks in as soon as they boot.

    On the other hand, with the prevalence of open WAPs, it is quite possible a laptop with a built-in wireless NIC will connect and phone home before the hapless thief realizes it.

    -Charles

    --
    Learning HOW to think is more important than learning WHAT to think.
  8. Boot any one of the many live *nix distros by Goatboy · · Score: 2, Interesting

    ..then use fdisk to wipe the disk. Really, am I missing something here? (Other than a possible BIOS setting to force boot from internal HD in preference to CD/USB/Floppy/LAN, which can always be gotten around).
    Oh, I get it - it's just designed to recover stolen laptops from non-slashdot readers ;o)

  9. Not just stolen! by Telastyn · · Score: 5, Interesting

    It's not just stolen laptops that send information to their servers. Any laptop with this software installed sends periodic heartbeats to the computrace people.

    Our PHB ordered it installed after getting a call from a golf buddy. It was ripped out a week later. The heartbeats contain enough [cleartext] information that the increased chance of the laptop being broken into, or the salesguy socially engineered using the info was deemed higher than the chance it'd ever be stolen.

  10. like cell phones by fermion · · Score: 2, Interesting

    If your cell phone is stolen, it should be easy to connect the called numbers to the person who has the phone. In some cases this will work, and I have seen cell phones returned.

    However even the young kids who casually steal cell phones appear to have some sophistication, and are able to reprogram or wipe phones for resale.

    Given that wiping and reinstalling the OS for a laptop is trivial compared to reprogramming a phone, I do not see how this would stop anyone but the most casual of laptop thieves.

    I would like to see how easy it is to get the $1000. If the service was cheap enough, it would be valuable merely as a $1000 insurance policy.

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  11. Nice marketing idea, but... by imuffin · · Score: 4, Interesting

    I've been doing this for years using DynDNS's free dynamic DNS service. I run a client on all my machines that updates their IPs with dyndns's database. If my laptop disappears, I just look to see what mylaptop.dyndns.org resolves to.

    --
    watch funny commercials
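
An added example, not part of imuffin's comment: one way to turn periodic lookups of a dynamic-DNS name into leads once the laptop is missing. The lookup log, the known networks and the function names are constructed for illustration, and the public addresses come from documentation ranges.

```python
import ipaddress
from datetime import datetime

# Addresses that point at no place on the Internet. An update client that
# publishes the interface address instead of the public one yields these.
NON_LOCATABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8")]

def classify(ip, known_networks):
    """Label one resolved address: 'non-locatable', 'known' or 'lead'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in NON_LOCATABLE):
        return "non-locatable"
    if any(addr in ipaddress.ip_network(n) for n in known_networks):
        return "known"
    return "lead"

def leads_after(log, known_networks, missing_since):
    """Return (timestamp, ip) for each address change after missing_since
    that falls outside the owner's known networks."""
    cutoff = datetime.fromisoformat(missing_since)
    leads, last_ip = [], None
    for stamp, ip in sorted(log):
        if datetime.fromisoformat(stamp) < cutoff or ip == last_ip:
            continue  # before the loss, or same address as the previous poll
        last_ip = ip
        if classify(ip, known_networks) == "lead":
            leads.append((stamp, ip))
    return leads

# Constructed poll results for the laptop's dynamic-DNS name.
SAMPLE_LOG = [
    ("2005-06-20T09:00:00", "198.51.100.23"),  # office
    ("2005-06-21T20:15:00", "203.0.113.7"),    # home
    ("2005-06-23T08:00:00", "192.168.1.44"),   # client published a LAN address
    ("2005-06-23T19:30:00", "192.0.2.81"),
    ("2005-06-23T20:30:00", "192.0.2.81"),     # unchanged since last poll
    ("2005-06-24T07:10:00", "203.0.113.200"),  # same /24 as home, outside the /28
]
KNOWN = ["198.51.100.0/24", "203.0.113.0/28"]
```

Each lead is only an address and a time; mapping it to a subscriber still goes through the ISP and a police report.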

  12. How does the computer know it's stolen? by wombert · · Score: 2, Interesting

    How does the stolen computer know it's time to transmit the homing signal... unless it's always transmitting anytime you're connected to the internet?

    I'm not entirely sure how the LoJack on cars works, but I seem to recall it requires you to report the theft, and then the cops/LoJack have some means for tracking the car's device. With a physical device, this might not require an always-transmitting approach so much as always-ready-to-transmit - that is, it could have enough battery power to start transmitting once it's hit with a request for broadcast. But for a software solution, how would you ping the stolen computer? (You need routing information in addition to the MAC address, right?)

    Fortunately, there's a good chance that anyone booting up your stolen WinXP laptop will quickly be caught and arrested for connecting to the nearest WiFi network.

    --
    Did I say overlords? I meant protectors.
  13. I asked for this 10 years ago by davidwr · · Score: 2, Interesting

    Literally. 10 years ago. I called them up and asked if they did laptops. They did not.

    A better solution is to make it work like the car LoJacks - when the unit receives an "I'm stolen" message it replies with its location. Only major problem would be power - if a thief removed the batteries it could be a long time before some sucker replaced the batteries, and by then LoJack might've stopped broadcasting.

    Of course, any kind of security won't work well if it can be disabled or removed without disabling the PC.

    If LoJack or any other company wants to make a killing, license their technologies to motherboard manufacturers.

    Hmm, if I could get LoJack-on-a-motherboard, I'd like it in my TV, my VCR/PVR, my CD player, and anything else likely to wind up in a pawn shop.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  14. Worse than just an illusion... by janic · · Score: 5, Interesting

    It is outright bullshit!

    We had a laptop stolen and called it in.

    "Oh, you need to file a police report"

    Fine, so we get the numbnuts who lost it to file the report and give us the report number.

    "Okay, yes... we have received a call home from the laptop, and we know where it is!"

    Great! Now when do we get it back?

    "Wellll, you can't..."

    and it just got worse from there. The police wouldn't retrieve the laptop, and these clowns wouldn't tell us where the machine was. But at least we knew:

    - it was in fact stolen and not in the hands of the numbnuts employee
    - it was in fact connected to the internet, being used, right then
    - we couldn't get it back
    - someone was at least enjoying their brand new laptop...

    Damnit! This shit just annoys me. I'm going home.

    1. Re:Worse than just an illusion... by pcmanjon · · Score: 4, Interesting

      Yes, I used this service before as well -- last fall I think. The police were very unhelpful --

      and Computrace wouldn't share the location of the stolen laptop, she was nice to tell me that they were online with it right now though.

      Jesus Christ, it was a waste of money