Lenovo Service Disables Laptops With a Text Message

narramissic writes "Lenovo plans to announce on Tuesday a service that allows users to remotely disable a PC by sending a text message. A user can send the command from a specified cell phone number — each ThinkPad can be paired with up to 10 cell phones — to kill a PC. The software will be available free from Lenovo's Web site. It will also be available on certain ThinkPad notebooks equipped with mobile broadband starting in the first half of 2009. 'You steal my PC and ... if I can deliver a signal to that PC that turns it off, hey, I'm good now,' said Stacy Cannady, product manager of security at Lenovo. 'The limitation here is that you have to have a WAN card in the PC and you must be paying a data plan for it,' Cannady added."

Frist psot?

[h4x354x0r]

From a stolen lapt

Interesting

Pretty interesting security feature but not if your buddies get a hold of your cell phone.

Re:Interesting

[sgbett]

I think you need to find different friends

Re:Interesting

[chrb]

Hardly. You can regain access to the laptop just by typing in a recovery password.

Re:Interesting

[theaveng]

Even if they don't, this gives a false sense of security.

"if I can deliver a signal to that PC that turns it off, hey, I'm good now." Um, no, you're not. The thief can remove the hard drive and connect it to another PC to read its content.

Re:Interesting

[RMH101]

Not if you're using the built-in hardware encryption, it can't.
And IBM are not going to give anyone a recovery password without proof of ownership.

Re:Interesting

[efuzed]

Not IBM; Lenovo, and will the Chinese government be able to now stop noisy bloggers better?

Re:Interesting

[poetmatt]

Or there's this "format the hard drive" thing and recover the data after a quick format (incredibly easy). Bios password locks are just as easy to bypass.

Really, this does nothing but enable you to be screwed if someone figures out the number.

I don't think the recovery is the issue here.

Re:Interesting

[Abstrackt]

I think you need to find different friends

I think almost everyone has an asshole "friend" that would pull a stunt like that.

Re:Interesting

[houghi]

The junk that steals my portable is not interested in my data. He is interested in selling the PC for a fix.

This is not about data protection. It is about making the device unusable. Just like you can block your phone when it is stolen.

It will not stop thiefs of stealing your device. It will not protect your data. As far as I read it does not even claim to do that.

Re:Interesting

[neoform]

If you're using hardware encryption.. you don't need useless features like this.

Re:Interesting

[NerdyLove]

Except for the fact that most laptops lock the HDD when you lock the BIOS. A little harder to work around, I think.

Re:Interesting

[AmigaMMC]

>I think almost everyone has an asshole "friend" that would pull a stunt like that.

I think you stopped being my friend a long time ago. :-p

Re:Interesting

[AmigaMMC]

Not if the sms actually tells the laptop to release the bottle of acid located on top of the hard drive :)

Re:Interesting

[poot_rootbeer]

IBM are not going to give anyone a recovery password without proof of ownership.

And even if they did, it wouldn't do the thief much good, as these laptops are sold and supported by Lenovo, not IBM.

Re:Interesting

The junk that steals my portable is not interested in my data. He is interested in selling the PC for a fix.

Nice prejudice you have there - it will be your downfall. Even if the footsoldier that takes your laptop isn't the brightest card in the pack, I can guarantee you that, in some areas, your liberated laptop will more likely than not become part of a collection thoroughly refurbished and restored for sale on markets from Eastern Europe to eBay.

And this won't be done by "junkies", either, you mewling excuse of a sheltered middle-class basement dweller. The operation will be thoroughly organised and involve the employment of paid sysadmins who probably got laid off from a dying Fortune 500 and actually want decent wage, working conditions and respect.

Or so I hear.

Re:Interesting

Lenovo is a Chinese company so what IBM would or wouldn't have done does not come into play AFAIK.

Re:Interesting

No.

Re:Interesting

[HungryHobo]

phone theft has become almost non-existant here simply because you can lock out your phone an hour after it's stolen and you need some high end equipment to unlock them again.

Re:Interesting

[LandDolphin]

IF the person who stole your laptop knows their way around a computer, sure. But the average person still is barely capable of navigating MySpace. If they press the power button, and it does not log on, it is going to be useless to them.

Re:Interesting

[SanityInAnarchy]

Acid?

Real Men use Thermite.

Bonus: If the thief is holding it in their lap at the time, they have been REMOVED from the gene pool.

Re:Interesting

[poetmatt]

Agreed :)

Re:Interesting

[cryptoguy]

If I can remotely turn your laptop into a paperweight, is that a feature or a bug? I suspect someone is vastly overconfident of their ability to secure this feature.

Re:Interesting

[nobodylocalhost]

it is precisely because you are using disk encryption that you need a feature like this to complement it. Disk encryption only works to lock people out when you need to boot. That means if a computer is on because you entered the password at boot time, disk encryption doesn't do anything to protect your data. By forcing it to shutdown using text message, you just made sure others cannot start it without knowing your pass phrase.

Re:Interesting

[redxxx]

This is not about data protection. It is about making the device unusable. Just like you can block your phone when it is stolen.

It will not stop thiefs of stealing your device. It will not protect your data. As far as I read it does not even claim to do that.

So, all the talk about how this forces the drive encryption to activate by requiring a shutdown rather than a suspend/hibernate wasn't about protecting data?

from TFA:

Since hard disk drive encryption will not work properly if the PC is running or in hibernation mode, this disable feature ensures that the data is secure by shutting the machine down and allowing the hard disk drive encryption to work. If and when the ThinkPad laptop is recovered, the user can restore the notebook, its settings and the data contained on the PC by entering a password.

So, there is nothing about protecting the data? Carry on.

Re:Interesting

[smellsofbikes]

I saw that when hackaday originally wrote it up and was curiously intrigued, let's put it that way. Their setup seems to be lit off by hand rather than remotely. (It just says they used sparklers to light it.) It'd be nice if it were A: automated, so it could be triggered by a remote alarm system, and B: pretty foolproof. Were I to do this, one thing I'd consider is using an external hard drive, or at least a bank of relays on the power to the system, that cut out when the thermite dumps, so you wouldn't have live power in the midst of a metal-based fire.

I wonder if an electrical igniter for model rocket engines could start a sparkler on fire... Hm. Tomorrow's a holiday and I have some time to experiment.

Re:Interesting

[supernova_hq]

If you are using encryption (hopefully full-disk encryption), how the bloody hell is this "death by text-message" program supposed to get executed?

Every time something like this shows up, slashdoters always recommend 2 this: encryption and dial-home applications. The problem is, unless your computer has no password, they are not going to be able to use the computer and will shut it down and reinstall as soon as they can't log in! That leaves you about 3 minutes to locate and remotely destroy the laptop. The only other way to do this, would be to send the text-message before they start it, have the computer dial in before the welcome screen even shows up and self-destruct then.

Anyone who gets past your encryption is not going to be executing the programs on your hard drive through the normal startup sequence!

Re:Interesting

[thePowerOfGrayskull]

If you're using hardware encryption.. you don't need useless features like this.

Hahaha, good one. I've seen encrypted laptops at work where people write the password on an index card, and tape the card to the top of the laptop; or store it in their laptop case.

Encryption can't protect against stupid.

Re:Interesting

[Tawnos]

Yes, a rocket igniter can ignite a sparkler when combined with a match. The way I did it was to take the match head, press the rocket igniter on one end and the sparkler on the other. Add a 9V battery to the mix and you get a quick sparkler fuse.

Re:Interesting

[jbb1003]

They don't even need access to your phone. They just need the number - then they can send an SMS through an SMS gateway and specify whatever sender number they like.
--
Airsource - Mobile Software Consultancy

Re:Interesting

[nobodylocalhost]

You obviously didn't read what i said because i specifically stated the system has to be on, thus the text message shutdown program should already be running. Further more, in most cases, your decryption driver loads the key into memory. By forcing shutdown, the driver will remove that key. Your password doesn't stop people from freezing your ram, put them into an analyzer, and dump all data including your disk encryption key. That method has been demonstrated over and over again as the primary method for defeating disk encryption. You are assuming thief only want the hardware, which isn't always the case.

Re:Interesting

Heck, with my work laptop, all I want is the ability to remotely 'turn off' my laptop. Once the Lappy is off, the data is 99.999% secure (looking at you brute force attack).

This 'kill' switch is not an issue for me personally. Give me a remote 'off' button.

Re:Interesting

[feronti]

An Estes igniter probably couldn't do it unless you dipped it in extra pyrogen. A Daveyfire electric match, on the other hand would probably be able to do it, though... they're used to ignite AP composite motors in high power rockets. Or, you could use the exhaust from a small (say a D or an E) AP motor... it has the benefit of lasting a lot longer than the match would, and doesn't need a LEP to get a hold of (Daveyfires are also used to ignite pyrotechnic displays, and other low-explosives, so IIRC, you need a permit to get them).

Re:Interesting

[Retric]

They are trying to solve the it was stolen while you where logged in problem. All the security in the world does not help when someone takes your laptop while you are not looking in a public place.

Re:Interesting

[m50d]

Not if you're using the built-in hardware encryption, it can't.

Yes it can. The key has to be stored somewhere, it might take a bit of effort but you can get it if you're dedicated enough.

Of course, if you're using a strong passphrase with a good encryption scheme, you're safe - but you were anyway.

Re:Interesting

[sumdumass]

The type of people who will be using this are the same types who will have encrypted drives and such. Your not really going to recover much in that case. A lot of times, especially in laptops, the encryption program is actually initiated in the IDE controller which means resting the laptop's bios resets the key, your not even going to find a valid boot partition.

When you do recovery on these drives, you have to run the recovery through a program capable of applying the encryption scheme just to get anything usable so that the key can be applied to and decrypt.

And yes, I'm speaking from experience here. It ended up costing us around 15k to recover about 30 megs of pictures and videos.

Re:Interesting

Doesn't the Chinese intel organization only require a name and an address for them to give you your password? Even if the drive is lost, I'm sure they have a complete backup of all its contents.

Re:Interesting

[RMH101]

OK: it's impractical unless, maybe, you're a three letter agency. Read up on built-into-the-drive-encryption to see how hard this problem is...

Re:Interesting

[Erikderzweite]

But can you still do the old "remove BIOS battery and plug it back again" trick?

Re:Interesting

[kill+-9+$$]

And then like any good thief they'll go and throw out or use your laptop for target practice. I think laptop LoJack for Laptop would probably be a better service if they're going through the trouble of putting a WAN card in and what not.

They must have something like that already, right?

Re:Interesting

[danieltdp]

I don't have such a friend! Oh, BTW, I loved the prank idea. I have to get some of my friends with it.

Re:Interesting

[DimmO]

Then, you shouldn't tell your asshole friend the secret sms kill-word. He can text away at the laptop all he wants then. (I'm making the assumption here that the laptop requires a specific sms message to be shutdown. TFA doesn't mention what the sms message has to say. surely Lenovo wouldn't allow their machines to shutdown with *any* sms msg.)

Re:Interesting

[Mozk]

But the average person still is barely capable of navigating MySpace.

Is anybody capable of navigating MySpace? I have never seen such a crudely designed website in my life. Perhaps it has gotten slightly easier to use over the past year, but only by adding a metric fuckton (approx. 4481.099526 avoirdupois lb) of unnecessary JavaScript. Honestly, I'm not trying to troll here. The code looks like a bunch of people decided "Hey, your team develop half the site in Dreamweaver, and we'll do half in FrontPage" and threw the result together.

Re:Interesting

[Tubal-Cain]

I haven't seen a BIOS battery in a laptop. I have seen certain desktops (Dell Optiplex comes to mind) that don't clear the BIOS just because you removed the battery. I had to use the jumper instead. (I haven't seen those in laptops, either)

Re:Interesting

[quantumphaze]

Those jumper pins do exist in laptops too. They are smaller than conventional jumper pins and difficult to notice.

Consult your service manual for your laptop (not the user guide, you may have to search for a while if it's a non-common laptop).

Re:Interesting

[m50d]

Hardware encryption is never as effective as claimed - and even in the highly unlikely event they've gotten the algorithm right, as I said, the key has to be somewhere. It's not a hard problem.

Re:Interesting

Shades of 9/11. Thermite did not exist in the public knowledge prior to 9/11.

Re:Interesting

[danieltdp]

...yet

Re:Interesting

[bandmassa]

Interesting definition for "buddies" there. I wouldn't have thought a "buddy" would think it was funny to toast his "buddy's" laptop.

reinstall?

[simcop2387]

and what happens if they just reinstall the OS?

Re:reinstall?

[chrb]

TFA says the disabling is handled in the BIOS - so it would be independent of the OS.

Re:reinstall?

[morgan_greywolf]

Of course it requires the use of a cellular network. That means that if the would-be thief really wants to steal your notebook with data intact, all he or she needs to do is either A) pull out the cellular card or B) if the cellular card is built-in, encase the laptop in a carefully-crafted metal box to designed to block the cell signal.

Either way, it's only a deterrent to people who don't know what they're doing.

Re:reinstall?

[NovaHorizon]

and dismantling the entire laptop to reset the BIOS is actually FASTER than an OS reinstall..

Re:reinstall?

[chrb]

It isn't quite that simple on a ThinkPad - the BIOS password is tied in to the TPM chip. And I really doubt your average thief is going to be building custom hardware and soldering it to the laptop mainboard...

Re:reinstall?

It isn't quite that simple on a ThinkPad.

Bingo - Thinkpad BIOS security has been seriously thought-out since their 486 models. Screwing around by second and third owners is notorious for virtually bricking the machine to all but real techs. This Lenovo service is just the latest variant.

Wish I could find a good overview of Thinkpad security over the years. It's interesting stuff. Anyone have such a link?

Useless

[mentaldingo]

Things a thief can still do:

• Jammers
• Reflash the BIOS
• Remove the GSM chip
• Or if they're after your data, open it up and take out the HDD

Honestly, this is completely useless against even a moderately sophisticated thief.

Re:Useless

[sgbett]

Depends what you mean by useless.

Having been in this position, the thing that bother me is not the material loss of the laptop (though It would be nice to know they stole junk) but the data contained on it. So long as your drive is encrypted, then this thing is a bonus

Re:Useless

[chrb]

The vast majority of thieves aren't even going to realise that this service is enabled. They certainly won't be deploying GPS jammers or reflashing the BIOS or opening the laptop up. And TFA article mentions that the whole point is to protect data by allowing users to shutdown access to an encrypted HDD that might still be open.

Re:Useless

[Lumpy]

Thieves typically dont have the IQ to do any of that. When I was robbed, we nailed the thief not only from the video cameras that he looked right at to give us a awesome face shot, but he stole my daughters cellphone. He left it on all the time reporting his position. The cops had his ass in less than 24 hours.

Honestly thieves barely know how to use a screwdriver outside of prying a door or window with it. You seriously think one would do the delicate task of opening a laptop or flashing the bios? That's plain old funny.

Re:Useless

[digitalchinky]

While it may be some comfort that ones encrypted data gets to stay secret, and this might be enough for many, I'm on the side of the fence where I'd want to tasar the theif, in the neck, in the guts, in the arm pits, in the groin, in the mouth, and so on and so forth. Even if it is just a crappy old work laptop.

Maybe there's some way to rig it up so that the phone call can activate a bit of a hot power button, push it and it triggers the zapping goodness.

Re:Useless

If this sort of feature becomes common, you can bet they'll get around it.

Car alarms used to actually do something; now, thieves can disable them fast enough to steal cars. Same thing with car keys - hotwiring is a common skill in the underworld, despite any IQ disadvantages.

Re:Useless

[srothroc]

Seems like it would be easier to just take out the mobile broadband card.

Re:Useless

[elrous0]

Yeah, but the important thing is that the cell modem providers are making money, which was no doubt the intention of this whole security plan all along.

Re:Useless

he stole my daughters cellphone. He left it on all the time reporting his position. The cops had his ass in less than 24 hours.

You don't live in Sweden, do you? The cops here don't bother with a thief even if they are given his name, social security number and GPS coordinates. They don't even bother stopping a car thief unless it's a politician's car. Personal experience...

Re:Useless

[billcopc]

I realize I'm the most jaded guy on /. but do you honestly believe the average laptop thief cares about your data ?

These aren't corporate spies, these are half-brained teenagers and/or urban trash who probably run home, hook it up to the internet and hit MySpace to tell all their peeps about their "new" laptop.

Hanlon said it best: "Never attribute to malice that which can be adequately explained by stupidity."

Re:Useless

[billcopc]

Just use a Sony battery. It will explode in their lap, sooner or later!

Re:Useless

[Thelasko]

Thieves typically dont have the IQ to do any of that.

Remember, there are two kinds of thieves. There are amateurs and there are pros.

Amateurs are desperate people, usually because of an addiction of some sort, who steal whenever an opportunity presents itself. They see a car with an unlocked door, or an open window and they act. These people are the most common type of thieves, and will be caught with this technology.

Professionals steal things for a living. They are very calculated and know all of the security measures people use, and how to avoid them. This technology will not stop a professional. In fact, nothing will stop a professional. Professionals are why you buy insurance.

Fortunately, there aren't many professional thieves. When you think about it, it's very difficult to become a professional thief. This is because a pro cannot be desperate. They need to have time to study their target and come up with a plan of attack. This requires a person with a certain personality, that doesn't steal out of last resort, but steals for some other reason. There aren't many people like this in the world, and most of them are caught before they become very good at stealing.

My favorite piece of information about stopping thieves can be found here. (Warning, link contains flash video)

Re:Useless

[RulerOf]

Yeah, but the important thing is that the cell modem providers are making money, which was no doubt the intention of this whole security plan all along.

What's worse is that TFS implies you use SMS messages to disable the laptop. For those of you that have been keeping track, SMS isn't covered under data plans on the US carriers I've used. It's billed separately, and is less expensive assuming you only need the ability to send/receive a single text message.

Re:Useless

[Sinbios]

You think thieves are stupid because only the stupid ones get caught.

Re:Useless

A thief that steals a laptop because it is a laptop is going to be an idiot, yes. But, a thief who steals a laptop because it is your laptop and he is interested in the data(and knows what to do with it) would most likely be able to flash the BIOS.

This isn't meant to protect against the smash and grab thief.

The guy who stole your laptop wouldn't know what to do with your information even if it was sitting in front of him. But, if he was smart enough to know that, perhaps he could sell it to someone with a little more knowledge who would know what to do with it.

Re:Useless

[dstones]

Or... Hmmm. One of those new Thinkpads, I'll just rip the WAN card out.

Re:Useless

[Valacosa]

That video link doesn't work outside of the United States. Do you have another?

Re:Useless

[Thelasko]

That video link doesn't work outside of the United States. Do you have another?

Sorry, I don't.

Re:Useless

And Warning: Cannot see it outside US!!

Re:Useless

[JasterBobaMereel]

The main thing to remember is in most news stories about stolen laptops, they contain highly sensitive data, are left on trains/buses etc and are not encrypted at all .... this would not help

For the security conscious who have already encrypted their harddrive, always lock their PC and do not leave it lying around, this is an extra layer of security if it gets stolen...

Re:Useless

[MrNaz]

Yea but that's getting dated these days. Virus writers write viruses just because they can, and kids these days are so morally bankrupt they'll steal something just for the thrill. It's time for a new razor:

Never attribute to stupidity that which can be adequately explained by boredom.

Re:Useless

[Kent+Recal]

Exactly. Smart thieves perform a thorough risk/reward calculation and a lot of planning before they go for target. They are near impossible to catch.

I, for one, regularly steal rolls of toilet paper from work.
I'll never get caught because I put a lot of forethought into each coup and perfectionized my strategy over years. I only lift one roll at a time so it doesn't get noticed and so I can at any time pretend to be just carrying it around because I need to "clean my desk or something". Plus, I always drop the roll into my bag while sitting at my desk and without looking down. Eyes must be focussed on screen, innocent facial expression - nobody would ever notice from a distance that I'm performing a felony under the table in just that moment!

Bare the occassional accident (when I miss the bag and have to crawl under the table to recover the loot) I think I can safely claim that the perfect crime is possible and I have mastered it.

Re:Useless

[MrNaz]

That's because in Sweden the cops know that you were probably using the laptop to download from The Pirate Bay. The RIAA has convinced then that theft of the laptop is a lesser crime.

Re:Useless

FYI to all, the link appears to be an episode of a show called "Burn Notice" about "How to protect your home from thieves", apparently they ask a thief to get advice. (i've got no sound or interest to watch the whole thing)

Re:Useless

[jonaskoelker]

They need to have time to study their target and come up with a plan of attack.

Time means living expenses. That means a job, unless you're independently wealthy.

This means that to try once and fail, and then be able to try again, you have to:

- not be identified in your first attempt; or
- escape the force of law [including extradition laws]
- do the jail time

Escaping the force of law probably makes it untenable to have a job, so that one is only available to people who are independently wealthy. Doing the time means the rate of professional theft gets lowered by a huge bit.

Not succeeding the first time and also not being identified... I have no idea how likely this is, it's not *that* kind of security I try to break professionally ;)

Re:Useless

"There aren't many people like this in the world,"

This is because most of them eventually land in business. Looking at you Enron, AIG, etc.

Re:Useless

Wow. We have a real mastermind amongst us! I doubt anyone would EVER suspect you.

I'm surprised that you don't take the copy paper as well? Or would that make it too easy to track you down and convict you?

Re:Useless

[...]I'll never get caught because I [...] perfectionized my strategy over years. I [...] pretend to be just carrying it around because I need to "clean my desk or something". Plus, I always drop [it] into my bag while sitting at my desk and without looking down. Eyes must be focussed on screen, innocent facial expression - nobody would ever notice from a distance that I'm performing a felony under the table in just that moment!
Bare the occassional accident (when I miss the bag and have to crawl under the table to recover the loot) I think I can safely claim that the perfect crime is possible and I have mastered it.

Re:Useless

[Missing_dc]

Young Padewan, you have much to learn about the use of the Force.

Re:Useless

[vertinox]

This technology will not stop a professional. In fact, nothing will stop a professional.

Professional? Who pray tell defines a professional thief?

Is there a guild? A union?

Have you ever met one in person and he showed you his business card?

And then... If such a person was so intelligent and so skilled, would he be so interested to go after your laptop for a few paltry hundred dollars? He's going after bulk shipments or valuables worth thousands. If he is smart, he is going after something that is worth his jail time if he gets caught (otherwise he wouldn't be smart would he?)

Seriously, there are only two types of professional thieves:

People who are that skilled tend to actually work as security persons or they are going after bigger stuff.

If you are going to run into a thief, statically its going to be the dumb one.

The smart ones think you aren't worth their time.

Re:Useless

No, no, there's another. Opportunistic thieves which, I'm sorry to say, I was once. If it wasn't screwed down, there was minimal risk and I could get a few quid for it, I'd take it. I would have had the ability to remove this sort of anti-theft shit as would a lot of my friends. We all worked; decent jobs for most of us. It wasn't just about the money, there was a buzz that came with it. It wasn't about getting drug money, we all worked for our weekend pills and powder.

Posted as AC from work. I don't need the karma anyway.

Re:Useless

Jammers? What the fuck do you plan on jamming?

Also, if you know anything about Lenovo they typically have their security in hardware form, so unless you remove your motherboard then good luck. This isn't something you can disable using msconfig or in the BIOS by the way.

Re:Useless

[jonaskoelker]

this is completely useless against even a moderately sophisticated thief.

Let's just take that at face value. I'm not sure I agree with the words "completely" and "moderately", but I certainly agree with the general sentiment here: unlike Boris Ivanovich Grishenko, it's not invincible.

But let's all stand back and consider the big picture: what are the security objectives, what are the threats, and what are the risks?

The primary main objective is to prevent unauthorized access to data.

The threats are: negligent laptop possessors losing the laptop; incompetent thieves stealing it for profit; competent thieves stealing it for profit; competent thieves stealing it for data.

In the first three cases, you're probably well served by this: you're likely to lock down the laptop before people access the data. In the fourth case, you may be as well; depends on exactly how the theft takes place.

I think I've listed the four scenarios in decreasing frequency. So only for the most unlikely case is this technology maybe going to suck ass.

I've also had my own ideas about why I wouldn't need to purchase anything from anyone to get the same.

Encrypt your disk, first of all; I assume you already do if you care about your data not being accessed if your laptop gets stolen. Have a bluetooth phone.

Whenever the laptop loses contact with the bluetooth phone, activate the screen saver and log out of all VTs.

When the phone has been gone for too long [tune this parameter according to paranoia], shred the master key required to decrypt the disk* and then shut down.

[* assumption: each user u has a password pu, a key ku = pbkdf(p), and an encrypted copy of the master key E_ku(km); the disk, except a small bootstrapping OS in the front, is encrypted with km; you have stored a copy of the master key in your secure backup vault, so that you can easily restore this].

Every so often, download a file at a fixed URL; If it's signed by the correct signing key [your laptop holds the corresponding verification key], run the file as a shell script.

Let's see: against loss and for-money theft, this should work just as well. In fact, even better: once the laptop possessor gets too far away from the laptop, it gets "soft locked". You can do a hard lock straight away if the machine is connected to the internet (by putting the signed shutdown command on your server), or you can the the "soft lock" time expire and have the machine "hard lock" itself.

You can do this yourself. You just need a competent sysadmin. IBM sales people wear nicer ties than your manager's competent sysadmins, though ;)

Re:Useless

[_Sprocket_]

FYI to all, the link appears to be an episode of a show called "Burn Notice" about "How to protect your home from thieves", apparently they ask a thief to get advice. (i've got no sound or interest to watch the whole thing)

Just to clarify... Burn Notice is actually about a former spy. One of the mechanics of the show is the main character (shown in this clip) explaining some spy-related concept via voice-over as it is being implemented. These monologues are of an instructional style similar to the linked video. They talk a good talk - I couldn't say how accurate the are.

That said - its a fun show. I'd recommend it.

Re:Useless

Honestly, this is completely useless against even a moderately sophisticated thief.

I would even say: the less sophisticated the thief, the more useless. Unless he is so unsophisticated as to return the disabled laptop to its owner :-)

Re:Useless

[FoeQueue]

I'm ok with that class because I don't let shitbags like you in my house in the first place.

Re:Useless

[MBGMorden]

Remember, there are two kinds of thieves. There are amateurs and there are pros.

True, but even "professional thieves" are not what movies and TV make them out to be. I think there are a lot of people walking around visualing heists like those in "Entrapment", "The Italian Job", or "Oceans Eleven" happening every day. There's a limit to even "professional" theives' skills.

Re:Useless

[Thelasko]

There's a limit to even "professional" theives' skills.

You have never seen the TV show Masterminds have you? It's all risk vs. reward. If the reward is high enough, professional thieves will go to great lengths. Howstuffworks has an interesting article about the biggest diamond heists in history.

The important thing is to make sure the risk vs. reward is in your favor. A pro will do the homework and realize it's not worth his/her time and energy defeat all kinds of security measures to sell your laptop for $500 on the street.

Re:Useless

Linking to sites that only play in the U.S. is bad mmmmkay.

Re:Useless

[Ninth+Marion]

Most importantly, people with the personality of professional thieves realise that it's just as easy to work within the law as it is outside of it, if you're willing to be educated about it in the first place. I don't feel I even need to give examples, we all know them. These are the people to be truly afraid of.

Re:Useless

[quantumphaze]

But it is worth the risk if that laptop contains sensitive data on some big new technology that could be sold or some incriminating pictures that can be used for blackmail.

A 'professional' thief could actually be hired by Evil Corporation A to steal Evil Corporation B's sensitive data. I wouldn't put it past some companies to deal with this kind of thing.

Re:Useless

[Thelasko]

Exactly!

Re:Useless

[Thelasko]

I don't feel I even need to give examples, we all know them. These are the people to be truly afraid of.

Lawyers?

Re:Useless

[SGT.Jarhead]

as my daddy always said locks are made to keep honest people honest a good thief will get through it

Re:Useless

[Geminii]

Right up until your employment record gets wiped.

Re:Useless

[TheStonepedo]

Felony petty theft due to priors? If you manged to reach grand theft value in toilet paper you've been with your employer long enough that he or she would not sweat you for a few rolls of toilet paper.

how long till...

someone figures out the "secret" signal to send to a PC to disable it?

Superficial?

[DigitalisAkujin]

How exactly are they disabling the laptop? It can't be something superficial but with the amount of time a program has to work it probably has to be superficial to work. Will a program have enough time to do anything more then clear the cmos or erase the drive mbr? Even if it's a hardware disable the whole thing becomes parts worthy and the data on the hard drive essentially remains in it's entirety.

Re:Superficial?

[chrb]

The shutdown is supposed to be utilised with hard disk encryption - the whole point is that your data is better protected. The disabling is carried out by the BIOS; presumably it checks the disable bit before booting the OS and allows the legal user to enter a recovery password.

of course

[WindBourne]

it would NEVER make sense to part out their new brick into say a cheap display, harddisk, dvd drive, ram, cpu, etc. on ebay.

Re:of course

[maxume]

True enough, but my impression is that most thieves are not yet this sophisticated.

(More, the intent of the feature seems to be disabling access to secure data more than it is theft deterrence)

Re:of course

[crimperman]

what makes you think they wouldn't just put the dead laptop itself on eBay? They claim it is "recently untested but worked a while ago" and some sucker buys it. I mean we're not talking about honest people here are we?

To the guy who just stole my laptop...

[hyades1]

I've got a pretty good idea what that message would likely be. Or at least the general sentiments expressed (hopefully on the screen) right before its tiny heart goes pfft.

Hmmm

[TheSpoom]

My normal Slashdot cynicism wants to find a problem with this technology, but I can't so far, other than that a smart thief would just make sure to remove the WAN card and flash the BIOS (possibly with a new serial number or the remote disable, uh, disabled).

You win this time, Lenovo. *shakes fist*

Re:Hmmm

So...you can't find anything wrong with it except this huge problem you just talked about?

Re:Hmmm

[TheSpoom]

I don't think it's a huge problem.

I don't put too much stock into the thinking of people who would steal laptops like this. If the fix was something simple, like a software disable that depended on the OS, I'd say the technology was useless. But until someone comes up with this new BIOS with the appropriate section disabled, I'd say it's still a pretty decent technology.

Re:Hmmm

What about Lenevo being able to remotely disable your laptop if they feel so inclined? Or compelled. But I haven't read the article, so never mind if that doesn't apply. :)

Re:Hmmm

[trogdor8667]

One immediately pops into mind for me... Wouldn't this just open up a new means for exploitation?

How to beat this idea...

[Drakkenmensch]

Steal the laptop, remove the WAN card before turning it on, and go to hack forum to find out how to remove or disable the process that makes this killswitch possible. Only slightly inconvenient.

Re:How to beat this idea...

[Veamon]

Hell, just use ghost or acronis, save it as in image, and restore it inside vmware. fail

Re:How to beat this idea...

[Random+Destruction]

meh, let's just steal a dell instead.

Re:How to beat this idea...

[dave420]

This is supposed to be used with disk encryption, and all it does is turn off the computer should it be stolen when the hard disk is open, thereby reverting it to being protected. It's not about locating the notebook as much as protecting the data on it. 100% inconvenient in that case.

Implementation?

[number17]

The article is pretty slim on how this is actually going to work. Do I assume that I make the phone call once and Lenovo will constantly try to connect with it until it is successful? If not, how many times do I call it until I cut off my data plan?

I would like to be able to turn this off in the future when attempting to sell the laptop as well.

Re:Implementation?

[chrb]

It looks like the disable is handled in the BIOS, so either the GPS hardware is capable of receiving SMS texts while the laptop is hibernating, or the text is received when the BIOS boots up. Either way, you just have to send one text - your cell network provider will store and forward it to the receiver, it's just a regular text.

Re:Implementation?

[duguk]

Good point, though most text messages expire after two weeks (configurable on most phones), and there is Delivery Reports* if the message failed to be sent.

Presumably though, the message is sent through Lenovo and they deal with this sort of delaying problem.

* (If your operator supports them, if not try *0# at the beginning of your message, no space required. This works on UK O2 at least)

Meh...

[Lurker2288]

This would excite me more if I could send a remote command that would detonate a small brick of C4 in the laptop. Why disable the computer when you can disable the thief?

Re:Meh...

[mentaldingo]

You could always mod your laptop to generate a spark when the kill signal is received. Then all you need to do is pack it with C4.

Re:Meh...

You were probably going for the (+5, Funny), but seriously, how long before this is classified as a "terrorist threat"?

Re:Meh...

[Coolpup]

That is going to make it slightly difficult to travel by air, which is where most laptops are lost/stolen anyway. Thus, partially eliminating the need for the C4 brick.

Re:Meh...

I doubt the TSA would notice... they're probably busy looking at old men's shoes and young ladies' xrays.

Re:Meh...

...Only to find it was your little brother borrowing your laptop to work on a school project *BOOM!* Then again, he must have deserved it then.

Re:Meh...

[tfmachad]

And another life is saved by the phone's keyboard locking feature.

Re:Meh...

[couchslug]

"You could always mod your laptop to generate a spark when the kill signal is received. Then all you need to do is pack it with C4."

So much for being allowed to carry lappies on airliners, thank you very much! :)

Re:Meh...

[Kjella]

I think someone has thought of the same basic concept before. Personally I wouldn't want to have a bomb ready to go off at any time on my lap, the C4 is relatively stable but the detonator really isn't and would have to be in place. A spark, a battery on fire and boom goes you. The collateral damage could be pretty nasty too, even if the charge is small. If you want the James Bond solution, I'd go with poisonous darts on the front, open it up and you get a nasty surprise. That way you can carry an antidote in case of malfunction, plus the laptop is unharmed and can be returned to you. Well maybe, after a friendly chat with the local police.

Re:Meh...

You don't need C4 for this. Some kind of remotely actuated solenoid to short out the battery posts combined with a bit of thermite would be much more entertaining.

Re:Meh...

[icebrain]

Man-traps are generally (unfortunately?) illegal. And in some countries, even putting up barbed wire after experiencing break-ins is illegal--cause the poor innocent thieves might get hurt trying to cross it.

That said, my non-computer-person's suggestion for a really secure laptop:
- deep encryption of data
- non-standard hardware (so it can't be sold easily)
- lock system like in TFA
- dead-man switch that physically destroys HD and RAM if not reset in a certain period of time, or if unauthorized access is attempted, using corrosives, deliberate shorts, etc.

Re:Meh...

[kimvette]

Don't worrry, you're not allowed to joke about explosives or express any interest in them. "Homeland Security" now has you on the watch and no-fly lists. Don't you feel safer now?

Re:Meh...

[noidentity]

This would excite me more if I could send a remote command that would detonate a small brick of C4 in the laptop. Why disable the computer when you can disable the thief?

And as a thief, why just steal a laptop like this when you can instead leave it somewhere, let the owner "disable" it, then watch owner get sent to Guantanamo Bay?

Re:Meh...

"You could always mod your laptop to generate a spark when the kill signal is received. Then all you need to do is pack it with C4."

c4 won't detonate with sparks, its made to detonate only with special detonators

Re:Meh...

[speculatrix]

Me, I just use a Sony battery and hope the thief doesn't know they explode spontaneously!

Always assuming ...

[overshoot]

that the thief doesn't reimage the thing first off.

It's like the "LoJack for Laptops" that they'll sell you -- strictly part of the installed Microsoft setup.

Re:Always assuming ...

[mentaldingo]

The killswitch is implemented in the BIOS. Reflashing that is somewhat more difficult than just wiping the disk and installing an OS.

Re:Always assuming ...

[RMingin]

Yes, it'll probably be as secure as the Lenovo BIOS supervisor passwords.

(Hint: Supervisor password? Get a paperclip. The data pin goes to ground, boot laptop. Enter bios. Remove paperclip, set [new] supervisor password. It overwrites the old one. Which chip to mess with and which pins are which I leave to you and Google. Shouldn't take long.)

Re:Always assuming ...

[mentaldingo]

Haha nice, I'll have to remember that next time I nick a Lenovo...

Re:Always assuming ...

computrace is a bitch to remove, it lives in the BIOS and the hdd. if one goes the other freaks out. you have to uninstall the software and flash the bios multiple times, without being hooked up to any network. a simple format will not work.

Re:Always assuming ...

[Caetel]

When have BIOS passwords been meant as an actual security device? At least in older IBM notebooks, the BIOS battery has been easily removable, resetting the entire CMOS after a while.

Re:Always assuming ...

[RMingin]

IBM/Lenovo's passwords aren't set in the CMOS, they are stored in a single purpose non-volatile flash. They've been a serious security device ever since IBM started doing it that way, back around 2000-2001 or so.

Hmm

[saintm]

'You steal my PC and ... if I can deliver a signal to that PC that turns it off, hey, I'm good now,'

Apart from not having a laptop or your data anymore.

I'm not sure that can be described as being 'good'.

Re:Hmm

'You steal my PC and ... if I can deliver a signal to that PC that turns it off, hey, I'm good now,'

Apart from not having a laptop or your data anymore.

I'm not sure that can be described as being 'good'.

Depends on your definition of good. Losing your laptop means 3 things:

1. loss of the hardware, so you need to buy a new one
2. loss of the data - I hope you made a backup
3. the value of the data to someone else

This remote kill service only resolves problem #3, but you can insure against problem #1, and if you have cellular broadband on the laptop backups are reasonably easy.

Some of the spectacular data thefts have involved problem #3, so there is a market for this kind of thing. Personally, I prefer RSA key dongles and encryption.

Incidentally, Dell offers a similar remote kill laptop service.

Re:Hmm

"I'm not sure that can be described as being 'good'."

No, you're right, instead of shutting down the laptop, Lenovo should have put in telescopic legs with wheels on the bottom so that it could make its way home to its rightful owner.

Shared responsibility

[overshoot]

TFA says the disabling is handled in the BIOS - so it would be independent of the OS.

The "I'm dead" bit is in the BIOS, but the trigger is in the operating system. For many good and sufficient reasons, they can't have the BIOS hogging the wireless 100% of the time.

Re:Shared responsibility

[chrb]

Where does it say the trigger is in the OS? It would make less sense to do it that way, since you'd have to write a new driver for each OS. Since TFA says "Phoenix Technologies, developed this security feature and embedded the technology within the notebookâ(TM)s BIOS" I would assume that means it is OS independent.

Why do you think the BIOS would hog the wireless 100% of the time? The architecture would obviously be interrupt driven - the BIOS doesn't hog any other piece of hardware whilst waiting for an event.

Re:Shared responsibility

[billcopc]

If you think Phoenix is that smart, well I have a bunch of bridges to sell you.

This isn't the first security gimmick they've deployed. They've had the internet version of this sort of thing for years now (Computrace / Lojack). It's a software client that runs in the taskbar, Windows-only, that triggers the BIOS kill bit.

I wouldn't be surprised if this "new" cell-based feature were just a new client app working with the same kill bit as the old ones. That makes it easier to develop and deploy, since it would only require trivial changes in the BIOS code that can be implemented on any machine, regardless of vintage.

Nearly there

[Henry+V+.009]

I would pay for the version that explodes with maximum anti-personnel affect.

Bizarre that Lenovo is considering this instead of an el-cheapo GPS phone-home device.

Re:Nearly there

[Henry+V+.009]

God damn it. Did I write affect there?

Re:Phreaking just got popular again

[Drakkenmensch]

A remotely accessible killswitch that could be fired even against the legitimate owner's consent... hey, isn't that exactly what Orrin Hatch has been requesting that the Righteous Inquisition Army of Autocrats be able to do to file sharers a few years back???

Nice till ...

... your best enemy learns about caller ID spoofing.

Don't disable it, track it!

This is stupid, disabling the device will only cause either physical attempts to remove the protections (bad for the hardware if done improperly) or disposing of the laptop in the first dumpster. The owner gets nothing.

I think the best idea is to start tracking the laptop. Send out GPS coordinates, send out IP addresses, send out _fingerprints_, take screen shots, etc.

Re:Don't disable it, track it!

[zymurgyboy]

I think the best idea is to start tracking the laptop. Send out GPS coordinates, send out IP addresses, send out _fingerprints_, take screen shots, etc.

If it has a webcam, add mugshot. Compare the image on a local mugshot database, get some likely culprits and their last known address. Then maybe automate the search warrant, police report, and insurance claims process and you've got a real solution. Of course, the search warrant part is now optional, I believe.

Re:Don't disable it, track it!

[springbox]

Maybe we should also have robots to automate the arrest too?

Wait, What?

[meist3r]

So you're telling me there will be a GSM module in the laptop that is constantly connecting to my network to wait for such a kill signal? Like say, a tracing bug? I know it'll be a pain for the thief but what about me? What a craptacular idea. Having my laptop become my personal GSM tracking device. Where have I been? Wait lets ask my "anti theft"-device.

Re:Wait, What?

So you're telling me there will be a GSM module in the laptop that is constantly connecting to my network to wait for such a kill signal? Like say, a tracing bug?

Better put on your tinfoil hat - here's something you don't know: the cellular network knows where devices on the cellular network are and which cellular towers the devices are talking to. That is how the cellular network knows to send your phone calls to your phone.

Also, it's not your network - it's the cellphone company's network.

Having my laptop become my personal GSM tracking device. Where have I been? Wait lets ask my "anti theft"-device.

There is a big difference between a GSM device and a GPS device. The laptop doesn't know where it is, the cellular network knows where the laptop is.

And most people already have a tracking device - it's called a cell phone. Many cell phone companies already offer a tracking service for parents/employers to see where the phones are.

Re:Wait, What?

I am sure that if the government wanted to track you, they would use your cell phone which is on GSM/CDMA network nearly-100% of the time, or iPhone which has the added flexibility of GPS. If you are the type of person to care about you being tracked here or there, than don't purchase a Lenovo laptop with this feature.

However what all the tin-foil crowd seems to forget is one fact: No one cares about 99.999% of you to date you, much less follow your every movement. Especially a Chinese laptop manufacturer.

I would figure you would support this, since your super secret, AES-256 encrypted collection of blurry UFO pictures could be safe from the prying eyes of Joe the Laptop Thief.

Re:Wait, What?

[Abcd1234]

So you're telling me there will be a GSM module in the laptop that is constantly connecting to my network to wait for such a kill signal? Like say, a tracing bug? I know it'll be a pain for the thief but what about me? What a craptacular idea.

Yes, because this kind of enterprise-level hardware management feature is targeted at you, the loner Slashdot basement dweller...

Re:Wait, What?

[meist3r]

Better put on your tinfoil hat - here's something you don't know: the cellular network knows where devices on the cellular network are and which cellular towers the devices are talking to. That is how the cellular network knows to send your phone calls to your phone.

Also, it's not your network - it's the cellphone company's network.

Having my laptop become my personal GSM tracking device. Where have I been? Wait lets ask my "anti theft"-device.

There is a big difference between a GSM device and a GPS device. The laptop doesn't know where it is, the cellular network knows where the laptop is.

And most people already have a tracking device - it's called a cell phone. Many cell phone companies already offer a tracking service for parents/employers to see where the phones are.

I know how a GSM network works and by "my network" I meant "the GSM network responsible for covering my area". What I'm trying to say is now after laptops have been almost invisible from a connectivity point of view (if you log into a random unsecure Wi-Fi nobody knows where/who you are -done right) and now they all get this IMEI/GSM combination of unique identification. Targetted at business customers or not this is a new step in interleaving networks to control/monitor movement. Spare me your cries of conspiracy theorist and the like. You really want to argue with me that technology can be abused by authorities? To be honest I am actually in the least bit afraid of what criminals might do with these technologies, everyday I open the newspaper it goes to show that the real threats sit in my government and their pets the big tax-payer corporations (or is the government the corp's pet? Depends on where you live).

I want to be able to use my laptop without it or anyone else knowing where it is. That's all.

some kind of revenge system.

[Jessta]

Seems to be some kind of revenge system.
"hey you stole my laptop, so now I've made it useless"
This doesn't prevent theft and because it's not likely to be the default behaviour of the laptop it doesn't even discourage theft.

Re:some kind of revenge system.

[Aladrin]

Exactly. For it to be effective, it would have to be foolproof, and the crook would have to -know- it would happen before he considered stealing it.

The first is impossible. Since the first is impossible, the second would tell the thief exactly what he needed to do to steal the laptop successfully.

Ugh.

Re:some kind of revenge system.

[schnikies79]

It's not meant to discourage theft, it's meant to protect your data.

If the HDD is encrypted, you can lock the thief out.

Re:some kind of revenge system.

[Aphoxema]

Yeah, malice towards the 'thief' really pisses me off. I can understand businesses wanting to protect their private information (which they can accomplish with encryption), but this idea of "If I can't have it then no one can" is just ridiculous.

I've had things stolen from me, nice expensive things, but my reaction was never once anger, never feeling I need to chase down the thief and kick their asses. It was, "Oh well, tough shit, life goes on and I hope they do something meaningful with what they took."

A waste of any resource is a crime against humanity.

Re:some kind of revenge system.

I have to disagree with you on this point. Nothing, I repeat, nothing, pisses me off more than a thief. 90% of the time they no have no interest in what they stole, they just want money for it.

If I can catch you, I will beat your ass. You have a duty to protect your property.

Re:some kind of revenge system.

[Aphoxema]

90% of the time? And how exactly do you collect these statistics?

Just because that thing gets ripped off and sold to someone else, someone somewhere might make good use of it. It might just be someone's child they wanted to get a decent present for their birthday and for all they knew that the person they bought it from had never stolen it.

It's a waste, trying to catch the thief is one thing, destroying it so it's no good for anyone is just plain selfish and it proves who the real monster is.

Re:some kind of revenge system.

Oh I get it. The thief stealing it isn't selfish, I am! It makes sense now, the thief is the victim and I'm the monster for caring.

Fuck you.

Re:some kind of revenge system.

[springbox]

So I guess you have a large amount of disposable income? Other people are angry when their stuff is stolen because they aren't running charities for people committing crimes against them.

Re:some kind of revenge system.

[Aphoxema]

You can say all sorts of things when you don't want to have a reputation to uphold, huh?

The thief has made a decision that hurts someone else, and as human as it is to desire to retaliate, it's wasteful and it ultimately doesn't help anyone in the end, it just hurts more people.

I suppose the exception would be weapons, though.

Re:some kind of revenge system.

[Aphoxema]

I have very little income, I have very little property. I'm not exactly enlightened, but I've lost so much damn stuff in my life it's just hard to feel like I can ever really lose something again.

Everything I have in my life is on loan from circumstance and as much as I can appreciate the material niceties I don't subject myself to some ridiculous idea that these things are meant to be mine forever.

It's just dust in the wind, take some time to enjoy it while you have it and have hope that whoever your belongings pass to, by choice or by chance, will become a better person through the experience.

LEGO?

[shivamib]

Duh, I read the summary as Lego novo service disables laptops with a text message

Well, back to the brute-force approach, minions. Go for the outlet! Go!

Awesome!!!!!!

[decalod85]

Is there a laughing animated skull on the screen when this goes off? If aliens stole your laptop, would it shut down their computer network, shields, and weapon systems? Do I need Jeff Goldblum to configure it for me?

Re:Awesome!!!!!!

[Coraon]

sorry, doesn't work with Mac, not even Jeff Goldblum's power book.

not only thing wrong with this...

[hesaigo999ca]

The network card is not the only thing that is wrong with this, the fact that you now turned off the machine, states the machine will not turn back on...to give you a location of where it is.
Someone will open it up...change the network card with another...or just add a usb one...and there you go...problem solved.

Re:not only thing wrong with this...

[bws111]

How is this insightful? It doesn't even show a basic understanding of the problem they are trying to solve. They are not claiming to protect your laptop, make it easier to get back, or make it harder for a thief to use. All they are claiming to do is protect your DATA from being used, by forcing a power off so you need to re-enter the hard disk encryption password. If the thing is already powered off there is no need to kill it. So exactly what 'problem' have you solved by changing the network card or adding a USB one?

Re:not only thing wrong with this...

[hesaigo999ca]

I am talking about the clod who stole the laptop to use himself, and not the clod who stole the laptop to get info on it....he would use a tool that reads the cache to retrieve the unencrypted version of the password, and decrypt the whole drive....such as linked How to decrypt a disk

There are many ways to decrypt encryption, of which I am sure you know everything about...so I will let you ponder while I create my steganographized matter.

Someone hacks the disable and .... bzzt....

[ACK!!]

I can see the funny hacks on this where some numbnut starts sending the disable code to everyone's laptop in the room. Sounds cute but ain't practical. Track it? Practical. Disable it? Limited use.

Lojack it instead

[jassa]

I would have thought it'd be more sensible to just have some sort of lojack equivilent. It'd be much more useful - you could find & recover your laptop (hopefully with your data still on it) and probably locate the criminal as well.

Re:Lojack it instead

[cdrguru]

Do you think you want to confront someone that either (a) just stole your laptop or (b) paid for a stolen laptop? I would suggest that you should expect to be confronted with deadly force should you try to separate them from their acquisition. Lack of preparedness on your part may cause your next of kin to receive a financial windfall - your life insurance.

Law enforcement? Sorry, they aren't going to care. You should have insurance against such trivial losses. If you don't you are making a mistake in assuming that anyone is out to really punish criminals.

Re:Lojack it instead

[jassa]

Well aren't you bitter and jaded.

(a) Lojack is routinely used by the police (who, despite your opinion, do actually care about theft).
(b) I wasn't suggesting people track down the thieves and confront them themselves.
(c) I think you'll find the average laptop thief doesn't turn into a murderer as soon as they're confronted by someone about it.
(d) Insurance is good to have, but it's not going to get you your data back.

Re:Lojack it instead

[John+Hasler]

> Do you think you want to confront someone that either (a) just stole your laptop or (b)
> paid for a stolen laptop?

Yes.

> I would suggest that you should expect to be confronted with deadly force should you try
> to separate them from their acquisition.

They will be confronted with seadly force when I find them.

Most criminals are stupid anyway

[hellion0]

This feature doesn't seem to be aimed at stopping blackhats or organized criminals, two of the more "intelligent" varieties. No, this thing is meant to royally screw Joe Crackhead.

The feature doesn't appear as if it's ever going to stop a sophisticated high-tech criminal, naturally. Nor does this seem the intent. Identity thieves and data miners don't even need possession of the laptop, so no good there. Even then, the new feature is easily defeated. Organized criminals tend to know what they're doing as well, and any safety measure can be defeated by competence and planning. Still, they're both rare enough.

No, this sounds perfect for the two-bit junkie, the most common of criminals. Brick the laptop, especially remotely, and suddenly it's worthless for him to offload for his fix.

Re:Most criminals are stupid anyway

[gknoy]

this sounds perfect for the two-bit junkie, the most common of criminals. Brick the laptop, especially remotely, and suddenly it's worthless for him to offload for his fix

In the meantime, your laptop has still been stolen. As soon as they see it doesn't work, some thieves might even decide that they may as well scrap it for parts (screen, drives, etc) on EBay. I don't see this as helping to prevent thefts, but rather as a way to mitigate the damage of losing your data. Only after many of these are stolen (and bricked) will there be a deterrent effect ... and junkies are likely to be the ones who don't know about it anyway.

Re:Most criminals are stupid anyway

[dave420]

This technology is supposed to protect your data, that's all. It turns the computer off if it was stolen while the hard disk's encryption is bypassed, forcing the user to re-enter the password. It's not to protect the laptop or get it recovered, just to stop people having access to your data.

Better things to do than shutdown

How about a text message that causes the system to monitor the cameras output until it detects a face, takes a picture. Monitors the fingerprint sensor (if one is present) and waits for a fingerprint and then gets it gps position and finally sends email to 911@-current county-.gov

What happens if someone steals the cellphone?

Is that a new kind of denial of service?

Perfect.

[GWLlosa]

This is exactly what we need in terms of laptop security. To you nay-sayers out there spinning doom and gloom scenarios about friends pranking your laptop with text messages, I can only assume that there is some secret passcode that you must send as part of the text-message to disable the machine. In fact, it should be convoluted, and hard to remember. Fortunately, as the proud owner of a brand-new Lenovo laptop, you can keep information like that stored right on the laptop, which you take everywhere.

Re:Perfect.

[token_username]

This is a decent idea in theory as a simple theft deterrent, but it makes me ask two questions:

• Does this allow my laptop tracked in any way? Probably if you know what you're doing.
• Can this connection do anything besides receiving a kill command? I'm skeptical.

Another question you have to ask is how fast and how completely word will spread about this feature on Lenovo laptops. That's what its success depends on. If a potential thief doesn't know about the feature and steals your laptop, he's not going to give it back because it doesn't work. Is this where the tracking come in?

Nice DoS attack vector

So, as long as I know your cellphone number, I can remotely disable your laptop. Nice!

(n.b. it's easy to send a text message with a forged number as the sender, it's part of the message, comparable to the 'from' header in an email)

You _do_ know...

That most intelligent OSes do _not_ use the BIOS, don't you?
Like, Linux/BSD/MacOSX... they all bypass the BIOS. Once the laptop has booted, no BIOS code is ever executed again?!

Re:You _do_ know...

[lysergic.acid]

why is it always the clueless ones who try to act like smartasses?

the whole point of remotely forcing the laptop to shutdown is so that it triggers the full disk encryption, which is OS independent and done from the BIOS.

it doesn't matter how "intelligent" your OS is. once the laptop has been shutdown, you're going to need the recovery password to get it to even boot up the OS. it doesn't matter if the OS doesn't execute any BIOS code. the BIOS runs before the OS. it's called Pre-boot authentication for a reason.

DIY

[wytcld]

How about setting up a simple script that periodically polls a remote site - say a web page under your control? If it can't reach it, or it reaches it and gets a default response, no action's taken. If on the other hand the page returns an innocuous looking kill code, a small program is run that disables the BIOS? On the server side, you'd be mailed the IP your stolen laptop connected from, which might give you some location info.

Re:DIY

[cvd6262]

How about setting up a simple script that periodically polls a remote site - say a web page under your control? If it can't reach it, or it reaches it and gets a default response, no action's taken. If on the other hand the page returns an innocuous looking kill code, a small program is run that disables the BIOS? On the server side, you'd be mailed the IP your stolen laptop connected from, which might give you some location info.

I've done the calling home part of this - as I'm sure many here have. It's trivial, but I didn't do it to prevent theft; I did it so I could tunnel to my laptop in my office even when DHCP rotated to another public address.

It's one line of PHP, a really simple db table (though a text file would do). Use crontab and curl to hit the page every hour with a get variable IDing the laptop, so you can use the same script for multiple boxes. It wasn't until a month later when I was doing some DB maintenance that I realized I could use it for theft prevention.

Caller-ID

[mnordstr]

I hope they are not using caller-id to "pair" the devices... Actually, that might be kinda fun :)

Even better

[horza]

Why not install Windows Vista, iTunes and the game Spore. That way you don't even need to send an SMS, just wait until code is activated progressively making the computer useless.

Phillip.

Why des this require "special" software?

[The+Cisco+Kid]

write a script so anytime your laptop connects automatically reports its ip to a home machine

if your laptop is stolen, wait for it to connect, then ssh to it and do 'rm -rf /', or maybe `dd if=/dev/zero of=/dev/[s|h]hda`. Or for that matter, anything else you want, like perhaps instead of disabling it, monitor what the thief does with it, assuming he can get around the login prompt.

(Oh, what? Oh, this is for laptops running that toy OS platform that only the ignorant masses and corporate sycophants use? Oh, nevermind then. they are stupid enough to actually *pay* for a service like this - go ahead and make money off them - but I wonder, why post news about something like this to a site intended for non-morons?)

Re:Why des this require "special" software?

how about biases asshats? Tech is tech. Some good some bad. Happens that the same can be said for users some good some bad. People in general some good some asshats like yourself.

Re:Why des this require "special" software?

Or you could try not being such a douche...

Re:Why des this require "special" software?

>Oh, what? Oh, this is for laptops running that toy OS platform that only the ignorant masses and corporate sycophants use?

Oh my, youre just a little rebel arent you!

You need to grow up. A lot.

Re:Why des this require "special" software?

[jonaskoelker]

write a script so anytime your laptop connects automatically reports its ip to a home machine. [...] then ssh to it

Except it may be behind a NAT. To do it right, I think you need to do the following:

1. Generate a pair of cryptographic keys; store the private at home, the public on the laptop.
2. Every so often (tune this to your liking), download http://www.home-server.net/i-am-stolen
3. If it's 404 or not validly signed, do nothing;
4. If it's "shutdown", signed, then shut down.
5. If it's "ssh user@host:port <key>", signed, then ssh into the host using the given key, with reverse port forwarding such that it can ssh back to you.

When it's stolen, you do this:

1. Generate an ssh key pair and a dummy account with "sleep inf" as its login shell [tie down sshd a bit if you feel like it].
2. Run ssh on the given port in a chroot jail inside a virtual machine on a diskless spare laptop on the outside of your firewall [take extra security precautions according to your own needs].
3. Put the ssh file on your home server.
4. Let the stolen laptop connect.
5. Then ssh into the laptop.
6. There is no step 6.

Re:Why des this require "special" software?

[The+Cisco+Kid]

Obviously you spent a lot more time thinking about this then I did, but you've got the right idea.

My laptop rarely leaves my desk, and if it does I'm pretty damn attentive to keeping possession of it (Oh, and it doesnt have any cellular wireless connectivity anyway, just plain wifi, which isn't set to activate automatically, because I'm normally on a wired link.), so my post was more about the concept, and also the fact that there are so many special paid-for 'services' that are absolutely irrelevant to someone not drinking the kool-aid that is the elixir of the ignorant masses.

Use the Accelerometer

While of course this won't stop everyone stealing laptops out there, it might help in conjunction with the other antitheft devices like Kensington locks (but they are easily broken), and the alarm software that uses the accelerometer (http://www.musatcha.com/software/LaptopTheftPrevention/)

caller id spoofing

Couple this technology with the "caller id spoofing" company that's been mentioned here a few times and you have an interesting situation!

hackjob

[p51d007]

Oh the hackers will have a field day with this!

And when a war with China starts

[bdsesq]

they disable every laptop and pc sold in the US.
There goes our military capability.

OUCH!

I can see it now

China starts cyberwar by remotely shutting off all Gov laptops

Alcatel-Lucent has a similar product

[shakuni]

http://www.internetnews.com/infra/article.php/3679026

Devils advocate.

[cemaco]

Any time you provide a tool like this, it has the potentiall to be used against the owner as well, especially if someone else with access to the equipment understands the tool better than the owner does.

I can see several scenarios, some more plausible than others where another party might be inclined to use it to lock the owner out of access to his own data.

Yes if the other party has access to the machine, they can always cripple it by other means but the beauty of this is that it can be used even after that party apparently no longer has access.

Quick Questions

[LatencyKills]

Umm, how does this get you your laptop back? Or does it simply become a case of I don't have it and he can't use it? Useful perhaps if you want to keep the data on it from prying eyes, but wouldn't just encryption solve the same problem?

Re:Quick Questions

[Dahan]

Useful perhaps if you want to keep the data on it from prying eyes, but wouldn't just encryption solve the same problem?

Yes, I do want to keep my data from prying eyes. I couldn't care less what happens to the laptop itself--my insurance company will give me money to buy another one. And encryption doesn't do much if the laptop was on and logged in when it got stolen... which is the entire point of this service. Turn the computer off and all the encryption keys are gone.

Re:Obligatory Simpsons

[TheSpoom]

(The phone rings.)
Frink: Lab.
Homer's Message: Greetings, friend. Do you wish to look as happy as me?...
Frink: Why it's the AT-5000 Auto-Dialer! My very first patent. Aw, would you listen to the gibberish they've got you saying, it's sad and alarming. You were designed to alert schoolchildren about snow days and such! Well, let's get you home to Frinky. Hope your wheels still work, bw-hey.
(Frink dials a code into the phone, and the AT-5000 grows legs with wheels and attempts to escape.)
Homer: Oh no, you don't!
(Homer chases down the machine, removes its legs, and takes it back inside.)

Don't read that article title too quickly

Well I was gently perusing the interweb this afternoon on my Thinkpad until suddenly this article smacks up in my face and, reading it too quickly, I interpreted it as some kind of government remote control thing and it scared the living daylights out of me!

A reread calmed the nerves.

The drugs don't work, you know. The tinfoil hat types will get to you in the end, if you use F/OSS and read this.

Good Thinkpad. You'd never disable yourself without my permi-

A GSM Tracking Device....

You say... like a cellphone?

Computrace?

so it's just a really elaborate, DIY version of computrace?

What's the benefit? I work for a university in the IT department, and we've been able to recover several stolen laptops using computrace, including one that some dumbass stole from the ROTC.

It's not about the laptop! It's about security!

The laptop itself is irrelevant and easily replaceable, at least for the target customer of this feature. This is not for people who play games on their computer and only care about getting back the hardware and software. This is for people who have corporate or government data on their machine, which exists somewhere else on some backup or some file server or wherever. They don't care about getting anything back, they only care about preventing it from getting out.

If you have (say) all your customers personal information on your laptop (not necessarily a good idea in the first place, but believe me: it happens) then you don't want a thief to have that. If he wipes the hard drive you could care less. Compare a $1000 hardware loss to at least a $1,000,000 loss due to damaged image, lawsuits, etc.

I'm not defending this feature as well-conceived or impenetrable or fool-proof, but just pointing out that most of the criticisms are missing the point.

Of course we all know that...

[hAckz0r]

That SMS text messages are completely unforgeable and also ultra ultra reliable in delivery. I am sure that the thief will also be so kind as to send a reply back to let you know it was received correctly so you will know it was not garbled or dropped in transit. And nobody would ever dream of hacking or moding a cell phone for spoofing, or even think of installing software on your phone would they? That kind of thing just could never happen these days.

Seriously, perhaps next time you get spammed via an SMS text message you will also get a "buy my product or else" message included if they know you own a laptop.

Re:Of course we all know that...

[multipartmixed]

SMS text messages are certainly forgeable, however hacking the telco's SS7 network to disable an arbitrary laptop is probably much, much harder than simply smashing it with a hammer.

SMS text messages are quite reliable in their delivery, assuming the cellular carrier is competent. If you really wanted to know if a message is delivered, just turn on the registered delivery bit at send time to request a message delivery report from the short message service center.

Additionally, I'm fairly certain it's impossible for an SMS message to get garbled.

And why would you hack a cell phone for spoofing? Human engineering is almost certainly easier. Get a replacement SIM for your target victim and pop it into a untraceable, disposable phone.

Re:Of course we all know that...

SMS can and do occasionally garble. Posting anon because I work for one of the major US players.

Re:Of course we all know that...

[multipartmixed]

Interesting. I don't suppose you'd be willing to share how/where?

FWIW I work in the same neighbourhood, but deliver as an ESME.

Re:Of course we all know that...

[hAckz0r]

And why would you hack a cell phone for spoofing?

Because if done properly the phone can emulate any SIM you like, on demand. Phones get rooted and bugged all the time, you just have no way of knowing its been done. Ever seen a root-kit scanner for your model cell phone? Even software applets can be installed to put back door in them. There is even a market for hacked phones to give as "a gift" to your loved one or business competition at work, just in case you are sadistically and totally insane about/over them. With a properly hacked phone you can even listen in on their conversations, even when their phone supposedly is turned off. Keep a field strength meter handy if you care to really know that answer. Watching the battery level is a poor mans way to know something is not quite right, as any cell phone will suck much more power when it is transmitting. And now days with the addition of GPS's you can even tell where they were when they said something, within just a few meters.

Did you know that many phones automatically download and update software on demand? It gets updated when someone else wants it to just not by you. The telco can do it, and the Government can do it. The question is who else knows how to do it. I don't know about you but I would not trust a cell phone in this particular instance unless you don't care about having your laptop 'bricked' at the worst possible moment.

JanSchotsmans

The best thing for a stolen laptop to do is getting online preferably with all sorts of user installed call home apps installed on it (or like the famous case have Seti@Home on it), not getting shut down.

I don't even see how this is really legal.

When they were releasing the last spat of gaming consoles, they were delayed in the US because the US govt found that there was a possibility for some of the hardware to be used as a guidance system for rockets.

With this Lenovo plan, you get a ready made world wide capable remote detonation trigger in a great disquise for easy infiltration and deployment.

You're all looking at this wrong.

This is targeted at IT purchasing managers, NOT people who know why it's technically a bad idea.

You're an IT manager, you're hearing about data theft all the time, you're getting pressure from the board to secure all the data on every laptop (as if that was possible).

This is a godsend to you. Sure, it probably won't work. Sure, it might mess up and cost you your data. But IF a laptop goes missing, and you lose data, all of a sudden it's not YOUR fault.

Technological boondoggle or not, this will sell. Tragically, most IT corporate purchasing people I'm aware of aware of will buy this. They need to answer the people screaming "What are you doing about IT theft?" at them. The boss is perfectly happy to sign up for "it will cause problems" if he can think he's solved the issue. After all, the issue are tech support's problem, and that's a different department.

I dunno

[Alanonfire]

I'm not sure this is to detour people from stealing your top secret data.

I think this is aimed at stopping the average junkie from stealing a laptop from a college campus or coffee shop. If he hears "They can just disable it with a text message." No one is gonna wanna buy it if he can't turn it on. So he'll just steal your ipod instead.

But I don't think this is done well, because the average person does not use a ThinkPad, that's more geared at business and industry people. To really detour crime on that level, Dell would have to implement this.

This won't do anything for the corporate world unless they can track it, because someone stealing corporate data was hired and knows what he's doing. He's not just taking your laptop to reuse or resell it.

I think it's good intentions, but a waste of money and time if they release it like this. But then again, I don't really know anything to begin with.

Re:Don't be so sure, l4m3r n00b.

[Goaway]

My honk botnet will crush your lame encryption in less than a day;

No, it won't. It won't crush it in a thousand years, either.

gov nuke

It's winnuke all over again.
And I bet the gov gets a masterkey.

Seems like a bad idea, but...

[imkonen]

So does storing 1000's of customer/student/employee records unencrypted on a laptop just waiting to be stolen at the airport, and yet we have to read about one of those incidents every month or so. If you're too retarded to protect other people's data, you deserve to have a system that errs on the side of being too easy to lock down. If I sound bitter, it's because I've been informed twice in the last year that my personal information (including SSN) has been compromised on a stolen laptop.

Won't help

[PPH]

The laptop will get stolen and traded for crack before you realize it and can shut it down. The junkie isn't dealing with sophisticaed buyers, so as long as he demonstrates that the laptopn actually works 'now', the deal will be done.

So how much...

So how much will it cost a shady gov't organization to turn off any computer with this feature they want?

If I want to remote control my laptop, I'll figure out my own way that doesn't involve trusting any large corporations with the controls....

most thieves are dumb and high

[peter303]

They are just looking quick buck which lazy laptop owners provide. People leave their laptops in hotel rooms and cars, which thieves know.

pfft.

So you're telling me there will be a GSM module in the laptop that is constantly connecting to my network to wait for such a kill signal? Like say, a tracing bug? I know it'll be a pain for the thief but what about me?

What a craptacular idea. Having my laptop become my personal GSM tracking device. Where have I been? Wait lets ask my "anti theft"-device.

What, you don't already have a cell phone? You stay indoors all the time to avoid satellites? You don't have a car or a credit card?

You're 100% tracked already if anyone wants to bother. The trick is to make sure you don't seem worth paying attention to. And, fill the system with as much noise as possible if you care about individual freedom...

Re:pfft.

[meist3r]

Gosh, why isn't anyone seeing this?

You are right about being tracked all the time but at least now you've got "some" options left. If I don't want to be tracked via cellphone I take out the battery. Now I have to unplug my laptop too everywhere I want to be private? What the hell? This isn't about being spied on this is about these trends erasing more and more of these options. Once we've done enough nothing, everything will have some tracking device in it and then? Call me whatever you want but if my government can use their "terrorism" excuse to get all these laws through I believe I'm entitled to say that I don't want them because of MY "1984" excuse, thank you.

Write down a fake password that disables laptop

[KWTm]

I've seen encrypted laptops at work where people write the password on an index card, and tape the card to the top of the laptop; or store it in their laptop case.

Encryption can't protect against stupid.

Your post gave me an idea. What if I pretend to be stupid and write down a fake password? Then I configure the computer so that, when the fake password is entered, the data is scrambled. (The real password is the fake password backwards, or every other letter, or something else.)

I wonder if there are any programs with this feature? If the disk is encrypted, writing a small bit of random data to the header should render the rest of the disk undecryptable. If we want it separate from any disk encryption (or are not using disk encryption) then we'd have to find some other setup.

Re:Write down a fake password that disables laptop

[Lost+Race]

Strong encryption is not practically breakable, so you don't need to overwrite the header unless you expect the thief to be able to discover your password somehow. How about instead the alternate password activates an alternate partition, so the computer is able to boot up and act normally but with none of your private data available, and various tracking features enabled? Maybe a timeout or remote self-destruct feature too in case you're unable to catch the thief and just want to take away his prize.

Re:Write down a fake password that disables laptop

[argiedot]

TrueCrypt (and I assume many other cryptography tools) allow you to create a 'hidden volume'. What happens is you have one password load the real volume and the other load the hidden volume. I don't know if you can set your computer to run a program when a partition is mounted, but you could write a trivial script to watch the folder where your encrypted stuff is loaded by default and then dd your main drive if it sees a file from that hidden volume.

Will this all work? I don't know. There are probably better ways.

Re:Write down a fake password that disables laptop

[thePowerOfGrayskull]

Your post gave me an idea. What if I pretend to be stupid and write down a fake password? Then I configure the computer so that, when the fake password is entered, the data is scrambled. (The real password is the fake password backwards, or every other letter, or something else.)

Hah, I think that would be remarkably effective. When faced with stupidity, most people are going to make the obvious assumption (ie, the owner is stupid).

Police caught your robber in 24h?

[KWTm]

When I was robbed, we nailed the thief not only from the video cameras that he looked right at to give us a awesome face shot, but he stole my daughters cellphone. He left it on all the time reporting his position. The cops had his ass in less than 24 hours.

Interesting. From time to time we hear about how the police won't try too hard to catch thieves because they have bigger fish to fry. Seems that in your case the cops were fairly efficient. Any ideas about why? Maybe it was because yours was more than just a theft, but direct robbery (which I would guess constitutes violent crime)?

Summary of Hulu clip for non-US

Summary of the clip: The best way to protect something from pro thieves is to put the item where it is hard for even you to get, e.g. seal behind drywall near an outlet in case they use a metal detector (and the item you are hiding is metal).

Sprints doing something similar.

[SMS_Design]

Sprint offers a similar service with some of their WAN cards. The difference is that the Sprint card acts as a key to full-drive crypto. No card, no data. If the card is remotely disabled, no data. Really seems like a great way to lock down your laptops containing sensitive info.

And Knowing

[kilodelta]

How generally easy it is to spoof a mobile number, I think I'll pass on this Lenovo trick.

Re:Interesting ... I know of a better failsafe:

[davidsyes]

Periodic "Prove It" prompts. When it's on, you have to every (user-set period; for enhanced security, periodicity not displayed) period, enter (user-set-number of various-password-levels) passwords, and if you miss a level (due to some interruption), it suspends/snapshots & shuts down. On reboot, if you enter a duress code ONCE or a wrong password (user set-number) a number of times, then it implodes.

If you have on it something worth DYING FOR, then a duress code would be useful. Just have subcutaneous or anal-activated cyanide capsule to avoid enduring torture, and, have no loved ones in your life who's be your torture proxy.

Robert Eringer's Manchurian Microchip Article

[verschk]

Does anyone else remember this article posted less than a month ago? http://cryptome.info/0001/manchu-chip.htm

Good but...

[gobbligook]

Text messages are unreliable. You may think you've disabled the machine, but you'll never know if you actually did.

That was almost a really neat idea

[Minwee]

...until I read the headline again and found that it didn't actually say "Lenovo Service Disassembles Laptops With a Text Message".

Being able to remotely pop out all of the screws, clips and other fiddly bits would have been much cooler than just shutting it down.

Does it work with Linux?

[JacobSteelsmith]

We reviewed a similar, web-based product here at my place of employment that provides similar features such as tracking and remote "bricking." The rep claimed, like their website, "Most Computer manufacturers also provide embedded support for Computrace in the BIOS or Firmware of the notebook computer" which would indicate that any BIOS updates would include the firmware. The firmware rebuilds the client software on the machine so it may "phone home" and enable deletion of files and the OS. However, the software is dependent on Windows. The representative conceded that installing Linux renders the firmware useless.

Yes, but...

[gillbates]

A thief looking to offload your laptop to get his fix is likely going to sell it as soon as possible. So it will be the naive kid or pawn shop owner who gets burned by this long after the thief has burned up his money in drugs.

A good thief might be able to unload your laptop before you even realize its gone. Think about how much time you spend buying groceries or eating lunch, etc...

Wow

[WindBourne]

THis is kind of wicked. SO&SO decides to buy one of these laptops. Person sends it, gets the money. Several days later, SO&SO finds the system dead. Calls original seller and finds out that it will take another 500 to undo it. Nice way to black mail ppl.

On behalf of all hackers

[WillAffleckUW]

I'd like to thank Lenova for making our mischief-making even easier than it was before.

Silent non-trackable audit system that responds to a text message by allowing tracking data to be found by the cops - good idea. Even if it could be used - and will be used - for nefarious reasons ("wonder where Cindy is?" thinks stalker fanboi ...)

Text-enabled shutdown exploit - priceless!

DOS attack

[flyingfsck]

Hmm, a remote DOS attack would be interesting.

Hmm...Chinese Made Laptops

Hmm..A Chinese made laptop with an online kill switch. I'm quite sure that that wouldn't bite the military in the ass if we got into a conflict with China.

How do I know if it worked?

[GrahamCox]

If I'm worried enough about someone accessing my data to use this service, then sending the text isn't going to set my mind at rest, since there's no way to know if it worked or not. So I'd still be worrying "did it work?". Once the laptop is shut down it can't send an acknowledgement that it did so, can it?

IP shut downs

[nurb432]

"we have detected an unauthorized copy of file xyz, your laptop is now being disabled".

Or "file with forbidden knowledge of the day"

hm

[GregNorc]

my macbook has ssh too