Stolen Laptop Calls In! - Will Police Act?

broswell asks: "We rent computer equipment and occasionally our equipment gets stolen. I wrote a little VBS script that calls our webserver every hour (script below) and installed it on our laptops. Sure enough, some laptops went missing. One of the stolen laptops is now calling in from a Verizon Internet account which appears to be in a neighboring town. The Baltimore City Police grudgingly filled out a police report 'so we could collect insurance' but don't seem willing to subpoena Verizon, find the address of the end user, recover tha laptop and prosecute the thief. They seem clueless. The Maryland State police has a computer crimes unit. The have a clue, but they claim they don't have jurisdiction. It is not about the money (our customer signed for the computers and will pay for the stolen items), we just want justice." With all of the necessary information in hand of the proper authorities, how likely is it that the stolen laptop will be recovered?

For those interested, here is the script the laptop used to report itself back to its owners:

Set objShell = CreateObject("WScript.Shell")
Set objScriptExec = objShell.Exec("ipconfig /all")
strIpConfig = objScriptExec.StdOut.ReadAll
myvar = "send=" + strIpConfig

do until 0=1
on error resume next
a=HTTPPost("http://www.yourtrackinghost.com/cgi-bin/locator.pl",myvar)
WScript.Sleep 3600000

LOOP

Function HTTPPost(sUrl, sRequest)
set oHTTP = CreateObject("Microsoft.XMLHTTP")
oHTTP.open "POST", sUrl,false
oHTTP.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
oHTTP.setRequestHeader "Content-Length", Len(sRequest)
oHTTP.send sRequest

HTTPPost = oHTTP.responseText
End Function

Media

[MeanMF]

If the police won't do anything, call the local press.

Re:Media

[Mr.+Byaninch]

I agree. Police aren't very receptive to ordinary citizens solving crimes and then asking the cops to finish the job. I had a friend who had a check stolen from a USPS blue mailbox. The thieves 'washed' the check and rewrote it for enough to cover a bunch of Gateway computers. Gateway had some problem (that I don't recall) with something that was on back order and called the phone number on the order, which (dumb criminals) was the same as on the check. My friend already had found out a check had been hijacked when other stuff started bouncing. So she got the shipping info - address, tracking # and date - and then took it to the cops. All they had to do was go to the address and arrest whoever accepted the package. Guess if they did. NOT. All they did was 'take a crime report'.

Cops are probably offended when citizens bring them solved crimes. They're a strange bunch. Anyone who knows one will confirm that. Unless that someone is dating or married to one, in which case that someone is also a strange one. :)

So I agree. Go the police first, and when they won't 'solve' the crime, tell the media. A local news channel's 'Consumer Watchdog' or whatever they're called in your town is the best bet. It's not really news for the normal broadcast, but it's juicy stuff for those 'we help our viewers' segments.

Re:Media

[Bios_Hakr]

And make sure to tell them something realy important was on there. Like the names and addresses of the people who attended last year's Police Ball.

Or maybe Baltimore police don't have balls?

In all seriousness, file a "John Doe" civil suit in the ISPs district. As part of the action, ask for discovery on a specific IP address. Since you are filing against John Doe, Verizon will most likely consent. Once you have the name and address of the theif, drop the John Doe case and go back to the police with the guy's name, address, phone number, photos of his house and dog. At this point, either the police press charges, or you lodge an official complaint against the cops.

Look at the following article about how the RIAA uses IP addresses to find people. You should be using similar tactics. Do some sleuthing once you have the address. Make sure you aren't going after some poor bastard with an open WAP while the real theif lives right next door.

Going to the press is a bad idea. The theif is very likely to see the story and will move to dispose of the property.

Re:Media

[ryanr]

Yeah, I'm sure no one will mind if Verizon gives out customer info without a subpoena. A phone company would only do that kind of thing under rare circumstances.

Re:Media

Good idea, but wrong order. Give Verizon a chance to be the good guy. Call their publicity department first. If they make excuses, then call local media.

Why do I get the feeling that you think "being the good guy" equates to giving out their customers' private data without a court order? It really isn't their job to substantiate the cover story or judge their customers. We have courts for that.

Going through the police is the right way. If they're not doing their job, then publicise that fact. If the shop wants an alternative then they should talk to a lawyer about the possibility of suing the John Doe for something (trespass to property?) and getting a court to order Verizon to provide details that way.

Re:Media

[jamesh]

I'd be calling your insurance company next. They have an interest in getting the stolen goods back too, in that then they don't have to make a claim.

The whole situation is pretty silly though. You're basically handing the police a solution on a plate. They won't have to do too much detective work to get a result, and even if it doesn't end in a conviction, at least they's be showing you that 'the system works', and on a slow news day they might even get a _positive_ write up in the local media.

Re:Media

[log0n]

It's most likely Baltimore Police. There was a big expose here about the BCPD forging or failing to take reports, browbeating victims to not press charges... a lot of really heinous stuff. Apparently it was done to try to keep reported crime levels artificillay low to help the mayor get elected to governor. There's been a lot of stink about it in certain news organizations.

(tired - can't spell)

Re:Media

I work for a major PD as a Specialist Reserve Officer. My thing is breaking into computers to obtain evidence when the casual attempts fail. After a couple of conversations with a deputy city attorney , it appears that it is extremely difficult to obtain a filing, much less a conviction, unless the suspect is caught in an illegal act and seen doing so by the eyes of several officers. The greatest cases I've seen were never even filed. I've worked with the feds on some cases and we've been extremely careful not to pollute the original hard drives, but our cases don't even get filed because there's an element of doubt in someone's mind, somewhere along the line. We've handed felony cases to the DA that could be called Silver Platter, but they were not filed because they have higher priorities. Their focus is on violent crime, at least where I do this stuff. If you're just an average Joe like me, I think the police don't give a high enough priority on your loss to give you a second thought. I'm sorry for those in your shoes, but I tend to agree with their priorities.

Re:Media

[bluprint]

Follow the money. There isn't any money in solving such crimes. They are too busy generating profits via traffic and parking tickets and such. Why bother with an actual crime that will use resources when they can target basically good people for cash?

Re:Media

[julesh]

As other posters have said, verizon will need a court order before they can hand out this information.

But: there's little to stop you from getting one yourself. File a claim for recovery of property against an unknown party. Put a motion before the judge asking for an order that verizon disclose any and all information they have about that IP address, including an explanation of how you know that the IP address is involved. This is as much information as the RIAA have when they make their claims -- you should be able to do exactly the same thing as they're doing.

Then, once the party is identified, they'll be served with all the relevant documentation. You go to court, claim they have property that belongs to you, and request an order that it is returned, along with compensation for your loss of use of it in the interrim.

If you do your homework, you shouldn't even need a lawyer for a case this simple.

Disclaimer: I know little about US civil procedure. What I describe would be possible in the UK, and I understand based on a little reading that procedure is roughly similar in US courts.

RIAA

[the+eric+conspiracy]

Your best hope is that now that you have the IP you can hack into the laptop and install a BT server with lots of nice pop music and videos. Then report the sharing site to the RIAA and watch them take this sucka down.

Re:RIAA

[MBCook]

Receiving stolen property, they are guilty. If they bought a nice laptop for $200 then they had to know it was stolen (especially since it probably had tons of business documents on it, if it's phoning home it hasn't been wiped). I doubt they bought it in good faith. If they DID (say they paid a decent amount that would buy them such a laptop) then they could get out of the charges by pointing out where they got it. I doubt the DA would press charges on them if they pointed out where they got it from and would testify to that fact.

If they bought it from a pawn shop or used computer shop or something, that shop is liable (I think) and they may still not have claim to the laptop. Both should have questioned the sale of this laptop with all the business stuff still on it (and even more.. selling it like that).

Still, crooks are, by and large, idiots. I would bet the original thief (or a direct relative/girlfriend/boyfriend) has the thing.

Either way, you would think the cops would be all over this one. Grand theft (the laptop cost over $1000 new, right?), known location (more or less, but it keeps phoning home), easy catch, and 100:1 odds that this is NOT the first/only crime the guy has committed (probably has a few other hot items near him).

I agree with one of the other comments. Go to the media. "His laptop was stolen, and he knew where it was... but the police wouldn't do a thing. Why your stuff isn't safe... tonight at 10." Or sue the department (that always gets things moving, just the threat with a nasty-gram should do). Or go talk to the DA. A case like this (likely a slam dunk) you would think they would want to take. They probably don't know about it and could get the police to go do something.

Re:RIAA

[arpy]

Yeah - watch out for these dodgy people!

good luck with that

[grapeape]

I had a laptop and 2 desktops stolen from my van in the parking lot next to the police station in downtown KC. One of my side windows as well as the windows of 3 other vehicles were broken out. The police department couldnt even be bothered to walk downstairs to file a report and told me I would need to phone it in, I called and the detective said I wasnt likely to get it back but he would get back to me. Later that night after I was home my work aim account logged itself online. I got the IP called the police department with the info, was called back the next day and reprimanded for "interfering in police work". Anyway I stopped interfering, 2 years later and I guess they are still busy doing "police work" because I have never heard back from them. I guess I learned my lesson, dont bother. Now when I have to be downtown I just leave the doors unlocked, its alot cheaper than replacing the windows. I've actually managed to make a game out of it, I no longer have to take old computers to the salvage place, I just load them in the van and take them downtown.

Explained it wrong

[Geoffreyerffoeg]

Think they understood the VBS? Now I know that you didn't directly throw that VB at them, but still.

Explain that your computers connect to the work network and log in, and you noticed that there was a computer trying to "hack in" from another town. Your security people found that the computer was your own computer, one that had been reported stolen.

Spin it in a way they'll understand.

Re:Explained it wrong

[plover]

Hate to disappoint you, but no cop will bother with fingerprints for a simple auto burglary. It's a simple matter of priorities. There are way too many things for the police to do than track down petty criminals.

The biggest reason is that even if they did pull good fingerprints from your window, tracked them to a known criminal, got a warrant, entered his place, and found him along with your stereo in his bedroom, the criminal would get an average sentence of a few days to a few weeks, (most likely suspended,) plus probation and possibly reparations.

But that entire scenario is highly unlikely, from the first assumption to the last. Too many people see smeary fingerprints taken on CSI and assume that every precint has a "Bat Computer" sitting in the back where they can just upload a print and out pops a name and an arrest warrant. And every one of those people expects the same care devoted to catching a car-stereo thief.

There's just nothing in it for the lesser crimes. No real punishments, just a lot of work for absolutely nothing resembling justice. Someone might take pity on you if you didn't have insurance, but even that's highly unlikely unless the value of the stolen merchandise was high.

The cops will definitely take it seriously if there's been a violent crime (again, keep in mind the difference between what you'd consider a serious assault and what they'd consider serious.) And even then, the backlog clogging the BCA labs usually runs over a year before forensic evidence is processed! There are simply too many criminals and too many crimes at this point in history.

Stolen Sidekick Part 2: The Missing Laptop

[SocialEngineer]

Start a blog. Link to it from /. (just post a comment). Get worldwide exposure. Post the IP address and whatever information you can find on the user (without resorting to illegal means). Get people interested in your cause, and get your local paper to publish something. It may piss the police off, but they'll actually do something by then, hopefully.

Make Some Noise.

[themassiah]

First, try and verify that the police department isn't doing anything about it. Talk to a supervisor in a day or two and see where this case is going. Then, if nothing is being done, consult an attorney and ask what your options are. I know that most police forms have complain forms to fill out if you want to start making a stink. Work your way up the ladder, their IS a chain of accountability and if you're persistant and cause enough pain, someone will make the phone call to Verizon or whomever and get the name and address on the account.

If that fails to produce justice, follow up with the attorney and file civil suit against the police agency. You handed them about 3/4 of the case when you produced an IP address, they should have been willing and capable of filling in the missing paperwork and whatnot.

Nothing new

[dusanv]

I had my car stolen when I was in school. 12 year old Honda Accord. Didn't think anyone would bother to steal the POS so I didn't insure against theft (money saving student). After it got stolen I called the cops and the first thing they asked me was whether the car was insured against theft. Since it wasn't, they wouldn't even take a report! Can you believe that? Anyway, I found the car a couple of days later 5 parking spots away from where I left it. The steering column was busted. There was a pair of size 9 rollerblades in the trunk (thief with size 9 feet?) and six jugs of bleach (???).

This was in local papers: a woman here in town (Ottawa, ON) had her house repeatedly broken into. After reporting to the cops and complaining that she has to buy a new lock each time they told her to leave the door unlocked!

This could be fun

[RealityMogul]

First off, nice job with the script. Now, take it a few steps further. Let that script connect as it is, but let the server return a status indicator as to whether or not the machine is stolen. If it is - let the script modify IE, Opera, and Firefox configuration settings to use a proxy installed on a server you own. Preferably a proxy that can be set to log EVERYTHING. Just wait for them to log into something with clear text username/password, like most e-mail accounts from major providers use. Shouldn't be much of a leap to get enough info on him/her to pinpoint their street address.

Cheap != stolen

[davidwr]

It's urban legend but I'm sure similar things happen in real life:
Disgruntled soon-to-be-ex-wife sells husband's car or other stuff for pennies on the dollar.

Unless you are a pawn shop owner or otherwise "knowledgable," the fact you bought it cheap is not evidence you "knowingly" received stolen goods. However, you are still in possession of them and that's usually a misdemeanor. At best, you will be out whatever you paid the real crooks.

BTW, I've received working electronic goods for a very small fraction of their street value, usually because the owner wanted to do me a favor or he just wanted to get rid of the stuff. Now only if I could get a $1,000 laptop for 80% off :).

Re:Good luck

[kfg]

I know it was the Bahamas but isn't that technically part of the US?

Yeah, but only in the same sense that Cuba and Panama are technically part of the US. Something about being independant nations makes them pissy about our law enforcement mucking around inside their borders for some reason.

Hell, Cuba and Panama have been know to shoot at mainland cops. What's with that?

KFG

Re:Tort: Conversion

[grolaw]

Conversion is a start. 18 U.S.C. 2510 et seq., the Electronic Communication Privacy
Act; 18 U.S.C. 1030 et seq., the Computer Fraud and Abuse Act as amended
by the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984,
specifically including 18 U.S.C. 1030(a)(5)(B) would be a far better choice for a causes of action.

You get attorney's fees, compensatory damages and, there is a collateral criminal charge available. Once your attorney has nailed the defendant the U.S Attorney's office will have some oung turk who will come in and pick up a slam dunk for a notch in his/her belt.

Conversion is a common law action and it is a reasonable cause - but Trover would be a better action as it reaches the cognizable personal property (data) as well as the machine.

This is not a difficult cause to pursue. I've done it several times myself. My first was in 1993 and last was 2002. This is neither rocket science nor high-dollar litigation.

Act fast before the thief kills the script.

OH, don't forget to ask for injunctive relief - like a LIFETIME BAN ON INTERNET ACCESS.

It won't take very many lifetime bans before the cost of a stolen laptop gets around....

Baltimore police: laptop theft... try kiddnapping

[Tronster]

My current situation: http://www.tronster.com/missing/

My friend's 3 kids was "kidnapped" yesterday by their father here in Baltimore, their location is unknown.

After a 4 day custody trial, which ended Friday, he was orded to turn them over at a Police station at 8pm on 8/18/06. He neve showed.

I've spent the day riding with her to and from multiple Police stations as well as the Towson commissioner's office. Everywhere we go we hear the same thing, "Without a bench warrant our hands are tied."

Today I learned 2 things:

1. It's nearly impossible to get a hold of a judge on a Saturday
2. Commissioner's can be downright cruel and unhelpful

While working with the Baltimore police, most all have been very friendly (many have agreed with us about Commissioner's!) but none of them are able to do more than write down what we say. We're quickly losing hope; and even if an amber alert goes out... it may be too late if he has left the country. I have almost no faith in the Baltimore legal system and how it interacts with the police is non-existant. (Note: I blame this interaction between the two, not the Police themselves.)

Regardless, I wanted to tred on the border of being on topic as the Baltimore police and their inability to act on this may cause us to lose 3 children to an unstable man. If any Slashdoter's have 5 seconds, please click on the web-page below I made, and let me know if you see him or the kids.

With luck and more leg work, we'll get the amber alert up ASAP.

http://www.tronster.com/missing/

ThatScript v2.0

[entendre+entendre]

Phoning home is one thing, but even better would be to phone home and then download any little executable that it finds there. These could do a variety of things:

• Upload any non-trivial IP from the laptop to the server, since that's probably the last chance you have to keep it.
• Taunt your local police. ("Hi, I'm sending this email from a stolen computer and i just wanted you to know that you're never going to catch me because you're all a bunch of fat lazy slobs. Crime does pay, bitches!")
• Taunt the theives' local police. ("Wanna buy a laptop? I got three more just like this one, ready to go, super cheap.")
• Install a key logger, get his credentials. Post things all over the internet with the theif's ID (e.g. his next MySpace diary entry will be "so my friends and I stole some computer gear last week...")
• Append random obscenities into every email that exits the computer ("P.S. I fucked your mom too.")
• Random pseudo-malware "attacks" on police station web servers - nothing that would bring the server down, but enough to take the IT department's attention. It is possible that their heads are so far up there asses that nothing can reach their brains, but I think there's a fair chance that their IT depeartment can still get through to them.
• To be continued...

Surely there is more to add to that list. Remember - you have plausible deniability. Your computer was stolen by an egomaniac hacker who loves to taunt police and do unspeakable things to sheep.

However I do recommend against the P2P thing suggested earlier. That might just move your computer from the theif to an evidence locker while the RIAA does their paperwork. That sounds counterproductive.

John Doe Lawsuit can get you subpoena

[billstewart]

If Verizon requires a subpoena to justify violating the privacy of the person whose IP address you're interested in, and the police won't push the case enough to get you one, you've still got a tort action against the people who ripped you off. You don't know who they are, but you can generally file a civil lawsuit against "John Doe", similar to the way the RIAA files them against John Doe file sharers. That'll let you get the court to give you a subpoena, which should be good enough for Verizon's lawyers. You might or might not be able to do that in small claims court, depending on your local rules and the value of the computers; otherwise it'll probably cost you lawyer money, and therefore might or might not be worth it.

Do move fast - if the thief sold it to somebody, it might stay there a while, but if they're just checking whether it works or seeing what they can find, they may fence it or pawn it.

Re:laughable hypocrisy

[penix1]

Yet you would be the first one screaming if Verizon did just hand over the info to an unverified accuser (BTW; IIRC, Verizon was cleared of the allegation you are thinking of AT&T who is still under the gun). That is the whole point of doing "John Doe" suits by the **AA first. This guy should contact a lawyer to handle this correctly. That is what they get paid for. As for the police, that can be handled by filing a complaint then letting your lawyer handle that situation.

This case aside, jurisdiction is tough to set in computer related crimes because of locations involved. Usually it is the FBI who handles them because they have jurisdiction across state lines.

B.

Then file a writ of replevin

[Savantissimo]

Your linked-to post is quite right, and worth a repost. IANAL but used to just about everything but appear in court working in a small law office in Maryland about 15 years ago. I believe specifically what this guy needs after getting a subpoena for the John Doe's ID is a "writ of replevin" in which the court may order the Sheriff to seize the property after an ex-parte pre-trial show-cause hearing.
See:
http://www.courts.state.md.us/district/forms/civil /dccv04br.html - for specific MD instructions and http://www.courts.state.md.us/district/forms/civil /dccv04.pdf - the form.

If you are not in MD you may make a federal case out of it; the U.S. Marshals serve these writs, too. You might find that has drawbacks - you really need a lawyer's advice, not Slashdot's.

>>anagama (611277) Sunday August 20, @01:07AM (#15943034) wrote:
If the cops won't help, see the tort of conversion [wikipedia.org]. File a "john doe" civil suit. Once filed, your attorney would have subpoena power -- use it with Verizon to get the name, address, and phone number of the user associated with the IP. Verizon will have an entire department devoted to processing these types of requests -- you'll have no problem except figuring out what their number is. If you represent yourself, you may have to ask the court to issue the subpoena on your behalf. Once you have the identifier, amend your suit to name that party (probably keep the "john does" at least till you're certain you have all the people involved). Also check your states statutes, there may be something specifically related to your situation. The statutes are certainly available online free -- start at your state's homepage (somewhere burried of course).