Slashdot Mirror
Geek Avenges Stolen Laptop By Remotely Accessing Thief's Facebook Account (hothardware.com)
An anonymous reader quotes Hot Hardware:
Stu Gale, who just so happens to be a computer security expert, had the misfortune of having his laptop stolen from his car overnight. However, Gale did have remote software installed on the device which allowed him to track whenever it came online. So, he was quite delighted to see that a notification popped up on one of his other machines alerting him that his stolen laptop was active. Gale took the opportunity to remote into the laptop, only to find that the not-too-bright thief was using his laptop to login to her Facebook account.
The thief eventually left her Facebook account open and left the room, after which Gale had the opportunity to snoop through her profile and obtain all of her private information. "I went through and got her phone numbers, friends list and pictures..." Given that Gale was able to see her phone numbers listed on Facebook, he sent text messages to all of those numbers saying that he was going to report her to the police. He also posted her info to a number of Facebook groups, which spooked the thief enough to not only delete her Facebook account, but also her listed phone numbers.
In 2008 Slashdot ran a similar story, where it took several weeks of remote monitoring before a laptop thief revealed his identity. (The victim complained that "It was kind of frustrating because he was mostly using it to watch porn.") But in this case, Gale just remotely left a note on the laptop -- and called one of the thief's friends -- and eventually turned over all the information to the police, who believe an arrest will follow.
Gale seems less confident, and tells one Calgary newspaper "I'm realistic. I'm not going to see that computer again. But at least I got some comic relief."
The thief eventually left her Facebook account open and left the room, after which Gale had the opportunity to snoop through her profile and obtain all of her private information. "I went through and got her phone numbers, friends list and pictures..." Given that Gale was able to see her phone numbers listed on Facebook, he sent text messages to all of those numbers saying that he was going to report her to the police. He also posted her info to a number of Facebook groups, which spooked the thief enough to not only delete her Facebook account, but also her listed phone numbers.
In 2008 Slashdot ran a similar story, where it took several weeks of remote monitoring before a laptop thief revealed his identity. (The victim complained that "It was kind of frustrating because he was mostly using it to watch porn.") But in this case, Gale just remotely left a note on the laptop -- and called one of the thief's friends -- and eventually turned over all the information to the police, who believe an arrest will follow.
Gale seems less confident, and tells one Calgary newspaper "I'm realistic. I'm not going to see that computer again. But at least I got some comic relief."
If he is such a "computer security expert", why did he not have his laptop fully encrypted as well as (naturally) an OS login password? Seems to me that he was either actively trying to bait somebody like this, or he's a complete moron.
So this "computer security expert" had a laptop without even a basic password authentication, yet alone a encrypted system. It would be nice to know which company does he work for and where that kind of people are the experts.
In general, the various 'identity theft' type laws which make it illegal to access others accounts don't have exceptions because it's a stolen computer.
A "computer security expert" would not leave their laptop in their car overnight.
Sleep your way to a whiter smile...date a dentist!
a thief able to log on a SECURITY EXPERT's laptop ?
the password was QWERTY1234 ?
i'm not a security expert, just an IT.
my password is not QWERTY1234
you will not able to log on
you will not able to access the hard drive
This is a dickish move. What if the thief sold the computer and someone else is new the new owner who actually paid for the computer? Vigilantism is bad.
I'm going to bet he was using chrome remote desktop or some such. That's not "security software". Jeez, this reeks of incompetence if he's a "security expert".
Real remote monitoring software for these purposes would silently mirror the screen on a remote system and not ask for permission. "The original owner is attempting to connect to this laptop. [A]ccept or [D]eny?
"Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
More likely is that the laptop got converted for cash at a pawn shop and later bought in good faith, which means he's humiliated a poor girl who had nothing to do with the theft.
dox her already.
> In 2008 Slashdot ran a similar story, where it took several weeks of remote monitoring before a laptop thief revealed his identity. (The victim complained that "It was kind of frustrating because he was mostly using it to watch porn.")
I like thought of a dude watching another dude endlessly watch porn, and being like, why can't you say your name!!!
- Why did this "expert" leave his laptop in his car?
- Why was this "expert"'s laptop not encrypted?
- Why does this "expert" assume the woman in possession of his laptop is the thief... or that she even knows the laptop was stolen?
#DeleteChrome
What happened in a similar case in my country - the thief successfully sued the geek for damage to his reputation, and was awarded a compensation an order of magnitude higher than what was the value of the laptop.
How do I hire this guy, he sounds like a real security genius /s
What good is a "computer security expert" who doesn't understand that there is no computer security without physical security? Leaving a laptop in the car? Overnight?
Does Canada have strong UK-style defamation laws? Even in the United States, a publication wouldn't call someone a "thief" prior to conviction. And in this case it's more likely that the "thief" is (unwittingly or not) a receiver of stolen goods rather than the person who broke into this guy's car.
Man I totally read that as if someone stole a laptop that later let them access Peter Thiels Facebook account.
I guess I've been upt a bit too long at this point.
Even when the laptop is stolen, "hacking" the thiefs facebook account and monitoring the computer usage of other people (without some work contract allowing this) is a crime.
In many cases, it is better to encrypt files for each account separately, rather than full-disk encryption. This is partly because most full-disk encryption sucks in one of two ways. (Google "ecb penguin" for an example.)
Along with avoiding technical problems with full-disk encryption modes, this improves security because the user of one account can't access files owned (and encrypted) by another account. You can even have a "guest" account for a houseguest to use, and guest can't access your files.
Since you have a guest account anyway, the guest account might also be configured appropriately given the knowledge that a thief might one day use it.
If you go a bit beyond the corporate-mandated annual security training, most information security curriculum says that step one is identifying the assets at risk and their value. It would be silly to spend $50,000 turning your garage into a vault to protect a $15,000 car, and similarly for information security the value of the asset determines the maximum effort you should put into protecting it. This not only avoids wasting more time/money/hassle than the asset is worth, but it allows you to spend your efforts on the most valuable assets. Any time/money spent on a low-value asset is time NOT spent protecting a higher-value asset.
The identity of your favorite gaming site is worth about 5 cents US, so it is error to spend more than 5 cents worth of time trying to protect that information.
Additionally, in most cases it is better to protect and encrypt data on a per-account basis, for both technical and practical reasons. On a laptop, that means you encrypt the home directory, not the system. Multiple user logins have separate encryption, and one account can't access the encrypted files of another account. If you want to take it a step further, you can have a work account on the machine and a separate account for checking personal email, etc. Along with the obvious security benefits, that avoids having the browser or search engine auto-complete a URL based on *personal* browsing history in the middle of a presentation.
Given per-account security, a guest account with restrictions on it is quite feasible, and a theif would likely click the guest account.
Wow. Some obviously clueless thief manages to log in into his computer without re-installation? Doesn't he use LUKS/Bitlocker?
My Laptops are encrypted. I dont plan to change that for the slim change of catching a hardware thief by installing a tracking SW, which requires the OS to boot up unencrypted.
If this guy were American he'd be getting his butt pounded in federal prison for 10-20. They love the fat ones.
Isn't entrapment a thing where you make somebody do something they wouldn't normally do so that you can slap some cuffs on them?
"Go on, take the laptop!", "No, it's not mine to take", "What are you? A wuss? Just take it! What can happen?" "No, man, now leave me the fuck alone!" "Take it, come on..." "OK, OK, I'll take it..." "Busted! You're going to prison bitch!"
What he did to the alleged thief looks like it's illegal to me.
Hopefully the 'geek' will be tried and condemned for his spying, invasion of privacy, blackmailing and identity theft.
I see a lot of comments in here criticizing the guy for not having his laptop encrypted, or leaving it in his car, or whatever. Sounds like some of you are pretty jealous that the guy had a positive article written about him, and yet nobody's ever heard of y'all.
.. this security expert is getting his revenge on. But someone who bought a cheap laptop at a pawn shop.
If you have high-end pricey laptop, do not bother to install all the fancy tracking software, becouse the first thing a thinking thief does is ether wiping the harddrive in a different desktop computer or installing a new clean harddrive. Harddrive prices are so low, that installing a new harddrive and afterwards selling the machine makes probably profit.
It isn't entrapment, but more like unauthorized access to a computer system (felony is most jurisdictions). My guess is that he's at least looking at a civil charges for posting her personally identifiable information as well. If he had just given it to the police, he may have been ok. Well intentioned, but this guy opened a can of worms.
Comment removed based on user account deletion
Entrapment only applies to law enforcement. You're free to "entrap" anyone you wish if you're not a cop.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Or maybe it was his "Just surf the news sites and play a game to pass the time" laptop. You know, the one with no reason whatsoever to encrypt anything.
The only reason to even consider "not to encrypting anything" is if your processor doesn't support AES instruction sets.
I mean, are you actually proposing that he was likely to have a dedicated machine for gaming/browsing that had no Steam logins, no news site logins, no forum logins, in fact no logins or personal information of any kind and was never used as a backup machine to check email, etc. in a pinch?
Just encrypt. It requires less consideration, and it removes the need to shred a drive before selling it.
unauthorized access to a computer system
It's his computer. I don't see how the access can be unauthorized.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
"I'm realistic. I'm not going to see that computer again..."
The victim stated he went through her Facebook profile when she "left the room", implying he might have also had remote control of the camera. Is a picture of her face along with an entire Facebook profile and IP address somehow not enough gift-wrapped evidence to provide to the authorities for them to execute a simple knock on a fucking door to recover stolen property? What the hell...
The thief is going to sue that the fact he is a thief is factually disseminated?
This is a dickish move. What if the thief sold the computer and someone else is new the new owner who actually paid for the computer? Vigilantism is bad.
This was the only 'dickish' move I saw:
He also posted her info to a number of Facebook groups, which spooked the thief enough to not only delete her Facebook account, but also her listed phone numbers.
He should not have done that bit. But the rest of it--sending texts to her phone numbers, calling the friend (âoeI called one of them and told her the thief was on a stolen laptop and told her Iâ(TM)d give her the opportunity to return it.â), and sending all of the information to the police--are all entirely reasonable.
We don't even know the timescales involved here. If this login happened mere hours after the theft, it's reasonable to assume the thief was doing it, with the possibility that the thief immediately gave it to a significant other or close relative being less likely, but still much more likely than an unconnected third party using it.
She did not delete her Facebook account. She simply took her account offline and Facebook told her it was "deleted".
#DeleteFacebook
Well maybe a security expert would be smart enough to not leave a laptop unattended, much less leave it overnight in his car.
Unless said expert deliberately set it up as a honey pot so he could track down the thief and boast online about how good he is at catching thieves.
"not the government"
tftfy
Hacking? The thief willfully opened the web site on his computer. There is no expectation to privacy if you are using a device other than your own. User beware I guess. He accessed his own computer, nothing shady about that. The thief should have done her private activities on her own device if she didn't want any of this to happen.
His computer, but her facebook account.
Of course if he'd just screen grab whatever shows up on his computer then I assume that would be fine, after all he wouldn't be the one accessing facebook.
From what anecdotal evidence I have myself, he is right. Even if police do find the asshole-thief and take the laptop from him, the victim is not going to receive it. They'll keep it "for the duration of the investigation" and then it might just "disappear" from the evidence room.
And the next asshole-thief (this one with a police ID) will be smart enough to wipe it so as not get caught the same way. And, even if he does not, calling police again will not be fruitful — police protect their own, "because no one else would".
Oh, and the original thief will not do any actual time either (much less have his hand chopped-off) — unless, maybe, this is his third offense in a "three strikes" state.
While it may seem petty, theft costs humanity immensely — if you count the things we all have to do to keep it under control...
In Soviet Washington the swamp drains you.
... why not do both ?
and you make mistakes when you're tired. Finish off a 12 hour shift and then get stuck in traffic for 2 hours because of a pile up on the freeway? Yeah, you're gonna do dumb stuff.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
If you had remote access, you should have put BitLocker on it, or encrypted it with your Open OS version.
Or installed a dialler to call 911 repeatedly from the laptop. Eventually the police will go to their house and find oh wow, there's lots of stolen property here.
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
The owner of the laptop missed his opportunity to recover his property by trying to publicly shame the woman into returning it. That was a counterproductive waste of time. She could just claim she bought it from someone, and how could he, or the police, prove otherwise?
Anti-theft software should be designed to allow the thief to use the laptop on a guest account, while password protecting your personal account. You want the thief to use the laptop. Locking it remotely will only ensure that it is immediately disposed of, or sold for parts.
So, assume your laptop is stolen and you've activated the remote tracking software: immediately call the police and file a report. The police won't do a thing unless you take that first step. Next, start collecting data on the thief: home address, work/school address, phone numbers, images of the thief using it, etc. Organize all of that data into a folder and take it, along with a copy of your police report, to the local police station. Show them that you know exactly who has the laptop, that person's address, the location of the laptop, etc. Also point out that if this person was the thief, there is an excellent chance that additional stolen property will be found at their residence.
The police now have the justification they need to go knock on that person's door, or possibly get a search warrant. Granted, the person who has it may still claim it was purchased from some third party, but when police are standing in someone's home, showing them pictures of their own faces taken through the laptop camera, and saying, "Give us the laptop now, or we'll come back with a search warrant", the chances are excellent that it will be handed over.
No one may be prosecuted, but you'll at least have your property back. Of course, this scenario presumes that the police care enough to follow through with the information you provide. In larger cities, they may not bother, but in smaller towns and rural areas, they may be very happy to assist when you present all the evidence they need on a silver platter.
This Stu Gale person is probably going to end up in more trouble than the theif. Just set himself up as a target both for police and for the theif to get further revenge.
If it's one thing I know, it's the LAW, and that's ENTRAPMENT!
If the one thing you think you know is the law, I have some bad news for you. First off, only the police can entrap, (from a legal point of view). Secondly, setting bait does not equal entrapment. And that isn't even what happened here. In short, the one thing you thought you knew, you don't know. That would make you, by your own admission, a know-nothing.
-- sudon't
Air-ride Equipped
What kind of software would one use to do this?
Virtually every top comment is a victim-blaming shitfest.
"Ooooh CRIME he's a hacker! Arrest the victim!"
"Every security expert encrypts every piece of technology they own regardless of circumstances! It's his own fault!"
".. and they ALWAYS take every possession with them everywhere they go, and never lock anything in their vehicle, because they're infallible! Clearly he's not an expert!"
"That poor thief. ;("
Ugh.
A government is a body of people notably ungoverned - AC
"Stu Gale, who just so happens to be a computer security expert" There is no way a 'security expert' left their laptop in a state where a random thief could log into it. Password on sleep, password on screen saver, full-disk encryption, no guest account... These are thing EVERY 'security expert' has configured. If you stole my laptop, you'd have to wipe it and install a new OS, and then I'm not going to be able to remote into it anymore.
-- This sig is only a test. If this were a real sig it would say something witty. --
FYI I've been a fulltime security professional for 20 years. My advice is based on what I actually do when your bank hires me to test their security, how I can actually hack your accounts.
> No, the problem is, you try to seperate, what seems important and confidential to you. And there is the mistake. ...
> Because it requires you to think about what's confidential all the time.
> reading some private e-mails won't hurt now, because if they are left in the cache in your firefox profile
I never said "encrypt one file at a time". I said encrypt YOUR files separate from your (soon to be ex-) wife's files. That includes /home/allo/.cache/mozilla/firefox/
Obviously you might *also* separately encrypt your most important files, such as a password manager datastore, a second time. But no you don't have to think about what to encrypt, all of your personal files are encrypted, including your browser cache.
> Why would you encrypt /home and not /? Is there any reason preventing / encryption? No. ...
> So you install your system, make a checkmark at "full encryption"
That SEEMS like a good idea, if your understanding of encryption is checking a box. As one of the guys who implements what happens when you check that box, I think maybe we should remove that checkbox so it doesn't mislead you. It LOOKS like it makes your system secure, right? Unfortunately, it mostly just makes your system slower. I can still see your ECB penguin. :)
There are both practical and technical problems with full-disk as opposed to per-user. The biggest practical problem is easily summarized as:
Do you want your files to be accessible to your soon to be ex- wife?
Generally, no, users should not have access to another user's files. When your visiting step-brother asks to borrow your laptop, he should not be handed an unencrypted copy of all of your personal and business files.
There is also a fundamental technical problem with full-disk encryption such that full-disk can either either be weak, or ridiculously slow, in most cases. It has to do with what are called "cipher modes". ECB is reasonably fast, but provides little security. CBC is secure, but modifying one sector requires updating every sector on the disk which follows it (meaning it takes a few minutes to save 1KB). Other modes are in between the two. We think that we *might* have that problem beat with a new approach, but I don't trust it yet.
> If you need to decide what ends up in your backup, you may forget something important. If you backup everything, you will have everything and cannot forget something important. The same applies for encryption.
That's absolutely true for backup, definitely. The only backup systems I recommend backup the whole damn machine. The system I designed makes *bootable* backups, that can be booted in-place as virtual machines. For encrypting and otherwise securing confidential data, there's a fundamental conflict between availability vs confidentiality and integrity. You may want to make your mp3 files openly available on your network, so you can play them with any device in the building. You might even store them in the cloud, easily accessible over the internet. You should NOT make your most confidential data readily accessible to every device on your network, including your IP camera and other cheap IoT devices with a thousand vulnerabilities each. If you're serious about security, you DO need to think about which items should be easily accessible to everyone in the company/house and which should be locked down tight.
I'll give you an extreme example of identifying the most confidential data and a very common example of failing to do so. The Coca-Cola company has perhaps a million documents that shouldn't be published on their web site, documents for employees only. Only their 146,000 employees have access to those documents, because they have s
The person using the laptop usually isn't the one who stole it. There's a thief, a fence, and a sucker who buys the stolen goods.
When this happened to my friend, the sucker who buys the stolen goods doesn't get to keep them. The police tell them to hand it over and give it back to the rightful owner. The sucker who buys the goods is the only party to lose anything after the police intervene. It's likely a mistake to pursue vigilante justice against this person.
"Stu Gale, who just so happens to be a computer security expert,"
...and we're done.
Okay...I'm listening...
"...had the misfortune of having his laptop stolen from his car overnight."
I'd have messaged all her friends and email contacts about how she heartlessly stole the laptop from my suffering mother who only has a few months left to live and that all her grandchildren's pictures are on that laptop.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
You certainly can do both. There will be a performance hit, small or large depending on cipher mode. You should double-test your backups in case either layer of encryption fails. I would recommend using a fast mode for the full-disk, keeping in mind it won't be NSA secure. So thinking about privacy, you'd pretend the full-disk isn't there - it's just a backup just in case.
> Your thought process is akin to saying it makes no sense to spend $5k to patch a 2" crack in a dam because the crack is only 2".
No, the dam is extremely high value, therefore you pay attention to it. When the Banqiao hydroelectric dam failed, it killed hundreds of thousands of people. So the dam is at the top of your "most protected" list. What I'm saying is this:
There's a 2 inch crack in the dam, and a 2 inch crack in the parking lot. What's your first step? Your second step?
Obviously your first step is "fix the crack in the *dam*". The correct second step is less obvious - look for more cracks in the dam. You shouldn't worry about the 2" parking lot crack until you've double checked everything about the dam. Again, see Banqiao.
Ok, so this is a "security expert". Yet somehow this thief person is using his computer. How? I know my computer is encrypted. BitLocker comes with Windows. Not hard to use. So this person has either no password, no encryption, or has a password but has it set to auto-logon. That's the only way his remote software lived through. Sure, someone can wipe the machine and install a fresh instance of Windows, Linux, whatever. And that BIOS based tracking software he might have had lives through that. But very unlikely his Windows or Linux based stuff lives through (especially if the user who imaged it blocks certain sites where the BIOS stuff tries to download from at their router). So how are these people getting logged on to security researcher's machines? How? I've love to see someone try it with one of ours from work. Boot to WinPE or something and you cannot read / write to the partition since it is encrypted. So no password reset utility without first hacking the encryption. Lots of luck. Boot to the actual partition and you find yourself unable to logon without a Smart Card. So tell me - are these researchers just lazy? Or what?
"computer security expert" would know even if you don't believe there is anything interesting on a specific PC, there is.
Every portable device needs to be whole disk encrypted. PERIOD.
There's a video out about some Dutch security people trying to get a cell phone full of spyware stolen in/around Amsterdam. They videoed much of the experience. It was oddly difficult to even get the phone stolen. They should have just gone into Central and acted like a tourist - 10min and it would have been gone.
The videos of the poor pitiful man who stole the phone were funny. No job. Hanging out with hookers, not able to pay his rent or buy food, but he had a smartphone full of tracking stuff that would survive an OS reset. He had money to refill the SIM card, but not to eat? Guess his priorities were to appear well off to get the babes!
At 1 point, the security people felt bad eating all his data for the audio, video and photos they captured, so they put some money on his SIM card.
A friend had 2, unlocked, smart phones stolen in Barcelona in 2 days a few years ago. The first, he didn't realize. The 2nd, they ran into the back of the restaurant, made a commotion and stole it off the table (also near the back of the restaurant (30ft from any door) as they ran out. The next day, his wallet was stolen on the subway.
Basically, Barcelona cost him about $2.5K between travel cash and 2 high-end smart phones.
After that happened, I started encrypting everything I have that is portable with a non-trivial unlock code (not a pattern or fingerprint).
Even access to something as stupid as twitter or facebook would be a hassle to clean up. Not worth it. Don't be stupid.
Computer security expert does not seem to be much of an automobile security expert.
Only problem is, what he wrote was in response to what he thought you wrotes, and more to the point he said some. Long story short, people are sloppy and he didn't appear to mean to refer to that particular example.
I prefer the term sloppy in this case,an I don't think that makes me unreasonable.
Until you discover you've locked yourself out of all your stuff.
yeah dude your awesome and probably never made a mistake. we get it. all the fllawless computer experts hang out on slashdot to gloat about their 100% perfect security record. , hey dude do you need me to jack you off? I haven't ever made a mistake either, id like to cum in your hand.
I would have done worse probably. At least he had the satisfaction to teach a lesson to idiots. That has not a price.
Regardless of who owns the machine, he logged into Facebook using unauthorised credentials. Having the password pre-filled, or having the system previously logged in is no defence.
I think using the facebook account might be unauthorized, though.
"First they came for the slanderers and i said nothing."
Because vigilante justice?
Or maybe the story is fake.
Instead of using his backdoor to track and retrieve his laptop via legal means he acts like a fucking moron and gets 5 minutes of petty revenge that could potentially land him in jail. He's a fucking moron.
I would have doxxed the crap out of her. He name, address, phone number, everything would be online for all to see. I'd make sure I'd make her life as much of a living hell as possible. By the end of it all she may have a restraining order against me, but I'll be content with making her life a living hell and smile at the idea of her living in fear. Steal my stuff, you're going down...
What I'm saying is this:
There's a 2 inch crack in the dam, and a 2 inch crack in the parking lot. What's your first step? Your second step?
Obviously your first step is "fix the crack in the *dam*". The correct second step is less obvious - look for more cracks in the dam. You shouldn't worry about the 2" parking lot crack until you've double checked everything about the dam. Again, see Banqiao.
You're wrong. Your FIRST step should have been to look for more cracks in the dam.
Since you didn't, you failed to warn people about the imminent dam collapse, and thus tens of thousands of people died before they could be evacuated since you fixed the crack in the dam instead of realizing that the dam was doomed.
On the other hand, the parking lot, since it was upstream of the dam, is just fine.
No, you're not getting it. Let's try to improve my analogy so you can. Let's say that the dam is concrete and the concrete continues into an adjacent parking lot as one contiguous pour. Now let's assume there is a crack in the parking lot immediately next to the foot of the dam. Nobody gives a shit about the crack in the parking lot, except that if you don't fix it, it will spread to the dam.
The point is, if you think throwaway accounts at gaming sites, etc. are not valuable to hackers, you have not followed any security news in the last decade. When bullshit websites are hacked and user databases dumped with md5 hashed passwords, what happened? The hackers didn't jump for joy for their ability to steal cat memes. No, they took the passwords, cracked them, and tried to use the credentials at the major bank websites. Most people use the same damn password for everything and chances are a good % of the users in the hacked site will have a bank account at one of those majors.
There are hundreds more examples of this sort of thing. If identity were siloed, your logic would be sound. But your siloed view of identity is incredibly naive.
... or this story never happened.
The link claims this happened in Canada.
Nothing so unkind as this would ever happen in Canada.
Fake news.
Plus, Gale is not a law enforcement officer, or other government agent...
/hacks your laptop /takes your picture
'Hello, officer? I'd like a SWAT team at 123 Bumblefuck Drive. Somebody has stolen my laptop! Proof? Why yes, here's a picture!'
I see the study (analysis of a poll) is titled "The TCO of Software vs. Hardware-based Full Disk Encryption". Shockingly, the poll determined that the products sold by it's sponsors are percieved to have an advantage over the competing approach, defined as full-disk encryption in software. I don't think that touches the issue discussed here. I think the conclusion of that study is "if you're going to do full-disk encryption, our customers think you should do it the expensive way".
Well frankly, I hack their customers 40 hours a week. If their customer encrypts the hardware bits as they suggest, making it completely unencrypted once I have any access to the running system, that makes my job that much easier. In other words, hardware full-disk encryption essentially means "only encrypt it when it's turned off". Does that *really* sound like a good idea? Because that's what hardware full-disk is, once it's booted and running, anyone who gets any access to the system has access to *all* of the data. There are no encrypted files I can't read, on a hw full-disk system, because files aren't encrypted.
If I'm understanding you right, your point can be summarized as "password reuse." Is that correct? You're talking about the PASSWORD someone might use on a gaming site or whatever, right?
In that case, yes I agree passwords are important, in general, due to password reuse. The post that started this discussion about gaming sites said "browser history would reveal your favorite gaming site". My followup said "the identity of your favorite gaming site."
The identity of Trump's favorite gaming site*, from his browser history, is worth roughly nothing. His PASSWORDS he uses while playing would be worth quite a bit.
* In case anyone finds it interesting, Trump's favorite places to play his favorite game, where he's one of the all-time point leaders are ... ...
[Drum roll]
Atlantic City and New York City.
In the game he likes to play, he buys Boardwalk and Virginia Ave and builds a hotel, but he doesn't build three houses first. His hotel on Virginia Ave is called Trump Taj Mahal.
A) Entrapment only applies to the police, not to private citizens.
B) Leaving items in plain view where they can be stolen is not entrapment. E.g. Bait cars. You have to actively encourage or incite someone to engage in illegal behavior that they wouldn't have otherwise for it to be entrapment.
C) Clearly you don't know the law as well as you thought.
No. That is one example of how you can leverage information on a low value account to obtain higher value items.
Stu Gale made the mistake of thinking he was smart, because he was a so-called security expert, and had installed tracking software. He decided to play games and taunt the thief. He gave the thief ample opportunity to hide the crime. Once he had her phone numbers he should have immediately contacted the police with all the details. The thief would be in jail, and he'd have his laptop back.
Okay so maybe walk me through it. So you find out from my browser history that I visited Kongregate, a gaming site. Now what?
1) Kongregate
2) ?
3) ?
4) Damage!
I'm very curious how this is going to be of any real importance, be worth more than a nickle to protect.
two problems, first why was his laptop stolen from his car (which makes me believe he left it on a seat and not secured in the trunk (as most employers and insurancecompanies demand), second, how did he know that person was actually the one who stole the laptop, maybe she just got it as a present not knowing it was stolen. So why posting her name/info on other boards and friends before just actually getting her information and giving it to the police..
If she didn't steal the laptop, he might even be sued by her for doing what he did. So next time before you go publicly accusing someone, you must make sure you're 100% sure the other person was actually the one who stole the device.
And then also, if he's a security expert, how could that person even log into his laptop.
who the fuck leaves a laptop in a car overnight? Take it inside!!
Even if you do it to a thief you feel has done you wrong.
It's not unauthorized for him to remotely access his own computer. Don't be retarded. She failboated.
Go back to 5th grade and learn reading comprehension again.
/hacks your laptop /takes your picture
'Hello, officer? I'd like a SWAT team at 123 Bumblefuck Drive. Somebody has stolen my laptop! Proof? Why yes, here's a picture!'
Officer: "Uh, do you have any documentation that shows this person has your property? A receipt perhaps?"
Much like accusing someone of rape, proof is rather fucking relevant.
Let's do some threat analysis. Who's after your stuff? Let's try getting more specific.
How adept are these hackers? The more adept are probably going to be going for high-value targets, which really doesn't include me. If the NSA is after me, I'm not even going to try to stop them, but they have no interest in me.
What are they going for? Are they targeting you in particular (in which case you have to outrun the bear), or accounts in general (so you just have to outrun your hiking companion)? If they're after accounts in general, they're probably looking for people who don't have good passwords on their bank accounts, a set of people that I am not a member of. Somebody wants to break into my bank account and its $2-5K, they're going to have to do some work. It's almost certainly going to be easier to break into the account of the guy who uses his Slashdot password for his online banking.
There seems to be a tendency to give out security advice based on the idea that there are competent people interested in hacking the target specifically, but not so competent that they can't be stopped. This may be suitable for the average guy, but someone who thinks security is going to come to more individualized conclusions.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
He didn't log into Facebook, so I don't know how that would come out in the courts.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
So he just magicked the person's facebook friends details? Just luckily guessed their numbers and texted them that their facebook friend is a criminal? The act of logging in is irrelevant. It's "access" and "authorisation" that people care about.
A few off the top of my head thoughts. First, the "victim" in this story:
- Some security expert. Leaving an unencrypted and not even secured with a login laptop in an unsecured place like that.
- OTOH, look at him. He's easily 50 pounds overweight and is wearing a cheap, ill fitting shirt so he at least looks legit.
Then we come to the criminal. I would put that in quotes too, but if you're stealing physical property from a car, there is no doubt that you are in fact a criminal:
- If you're lucky enough to have grabbed an unencrypted computer, good for you, but don't EVER boot it up and go online with it. Image the drive and sift through the data for stuff you can make use of or post because it's too funny not to share.
- WIPE THE FUCKING DRIVE and install your preferred OS before any attempts at usage. I really can't stress enough how important it is to do this. You don't need any OEM shit, and all that might do is provide a way to track you anyway. If you don't do this, there's no guarantee the computer won't phone home to somewhere.
Finally, since her information has been posted in a public place (FB) why not post it here? I for one am curious about her and I'd love to at least see some these pics that the story references.