Geek Avenges Stolen Laptop By Remotely Accessing Thief's Facebook Account

An anonymous reader quotes Hot Hardware: Stu Gale, who just so happens to be a computer security expert, had the misfortune of having his laptop stolen from his car overnight. However, Gale did have remote software installed on the device which allowed him to track whenever it came online. So, he was quite delighted to see that a notification popped up on one of his other machines alerting him that his stolen laptop was active. Gale took the opportunity to remote into the laptop, only to find that the not-too-bright thief was using his laptop to login to her Facebook account.

The thief eventually left her Facebook account open and left the room, after which Gale had the opportunity to snoop through her profile and obtain all of her private information. "I went through and got her phone numbers, friends list and pictures..." Given that Gale was able to see her phone numbers listed on Facebook, he sent text messages to all of those numbers saying that he was going to report her to the police. He also posted her info to a number of Facebook groups, which spooked the thief enough to not only delete her Facebook account, but also her listed phone numbers.
In 2008 Slashdot ran a similar story, where it took several weeks of remote monitoring before a laptop thief revealed his identity. (The victim complained that "It was kind of frustrating because he was mostly using it to watch porn.") But in this case, Gale just remotely left a note on the laptop -- and called one of the thief's friends -- and eventually turned over all the information to the police, who believe an arrest will follow.

Gale seems less confident, and tells one Calgary newspaper "I'm realistic. I'm not going to see that computer again. But at least I got some comic relief."

Security expert?

If he is such a "computer security expert", why did he not have his laptop fully encrypted as well as (naturally) an OS login password? Seems to me that he was either actively trying to bait somebody like this, or he's a complete moron.

Re:Security expert?

[Calydor]

Or maybe it was his "Just surf the news sites and play a game to pass the time" laptop. You know, the one with no reason whatsoever to encrypt anything.

Re:Security expert?

[freeze128]

If he had full disk encryption, the suspect would have to wipe the drive and reinstall to use the system. If the system was wiped, then there is less chance that the victim would be able to track down the laptop.

You seem to think that he is a complete moron, but it seems to me that he made the right decision.

Re:Security expert?

[arglebargle_xiv]

If he is such a "computer security expert", why did he not have his laptop fully encrypted as well as (naturally) an OS login password?

And that would have prevented it from getting stolen how?

Re:Security expert?

[Pax681]

if the laptop has any information about him or his accounts or logins, then the theft of the laptop could lead to identity theft and fraud. Dude didn't encrypt, so he's not a computer expert, so he's probably employed under false precincts, and should be fired.

it's false PRETENCES not precincts..
you are here under the false pretence you know what words mean ;)

Re: Security expert?

never said he was a security expert he just had remote access to his computer. not to mention even some one really good at security may not encrypt or other things its about threat level and the story does not say anything about his own information getting taken so it may have been enough for you run of the mill thief of oportunity or even id thiefs to a degree.

Re:Security expert?

Or maybe it was his "Just surf the news sites and play a game to pass the time" laptop. You know, the one with no reason whatsoever to encrypt anything.

might beg them nicely to give it back pretending you don't know who they are, but only if you don't care much about losing things. When you decide the police might be involved you just do it. Contact the appropriate law enforcement, give them your evidence, work very hard to get the cop to care about it (cops are there for rich corporations, your crime is unlikely to be big enough to breach the minimum value below which they aren't allowed to open investigations). Many reasons for this:

• The person may be completely innocent, having paid for the laptop thinking it was second hand
• if they get warning you are on to them they may destroy evidence
• almost anything you do to the computer may destroy evidence or be used to claim you did
• the cops want to come in and get them by surprise (if you are lucky of course)
• if you do anything beyond the minimum for your investigation, you may be breaking the law yourself

The last one is especially important. Since it's your computer you (mostly) have the right to access it. Probably you can get away with looking at an unknown Facebook account to check who's it is (it's on your computer, you don't know it's not your account till you know who's account it is) certainly you can't get away with using that Facebook account to access something else in most jurisdictions. To actually know exactly what you can and can't do you probably need a lawyer who knows the law both where you are and where the perp is. This is one reason why all corporate machines have notices about remote access being allowed. It's been shown to be useful CYA material.

Re: Security expert?

[rworne]

This is precisely how the anti theft software for my Macs work. For it to be most effective, you should set the firmware password (to prevent booting off other media), encrypt the disk, set a password on your account, and leave the guest account active.

The whole idea is to get the thief to use it so it can phone home. If it is locked up too tight, they'll just be parted out or tossed.

That nifty law they passed for kill switches in cell phones means they no longer steal phones to resell and reactivate, now they just steal them for the the parts.

Re:Security expert?

Regardless, he left it in plain view in his unlocked car.

Re:Security expert?

[jellomizer]

Also you could had called the police with proof of your laptop being stolen. Being a laptop plus the info on it it could be considered grand theft.

Re:Security expert?

[EvilSS]

You know, the one with no reason whatsoever to encrypt anything.

In this day and age there is no such thing.

Re:Security expert?

[EvilSS]

If he is such a "computer security expert", why did he not have his laptop fully encrypted as well as (naturally) an OS login password?

And that would have prevented it from getting stolen how?

Well maybe a security expert would be smart enough to not leave a laptop unattended, much less leave it overnight in his car.

Re: Security expert?

[cyber-vandal]

It's false pretenses as it happens.

Re:Security expert?

It's false PRETENSES not pretences..
you are here under the false pretense you know how to correct a poster ;)

Re: Security expert?

[cyber-vandal]

It says he's a security expert in the article.

Re:Security expert?

Pot, meet kettle. You're obviously American, and don't realize that most of the rest of the world spells it "pretences".

Re:Security expert?

[Calydor]

In my country we spell it 'forudsætninger'. Pretty sure most of the rest of the world don't speak English as their primary language, so they probably call it other things, too.

Re:Security expert?

[allo]

If he's an computer security expert, he knows that there is no such thing as "non security relevant pc", because you always leave traces of your personal data (and if its only your favourite gaming site).

Re:Security expert?

[RevDisk]

I have a number of utility laptops that I use for random stuff. Most of them are not encrypted. They tend to be old laptops I got from work or other places, and saved from the bin. Never underestimate the usefulness of a laptop with an actual serial port. For some reason, USB serial dongles tend to be twitchy. A lot of them are too slow for full disk encryption. And honestly, don't care if even the NSA got their hands on them. I'd barely care if they were stolen.

Admittedly not everyone has a crate of obsolete laptops lying around.

Re:Security expert?

[Highdude702]

Better question. Why was the car left unlocked?! Cars are rather trivial to steal. being unlocked almost multiplys those chances by 10. I know this because i used to associate with low life thieves and have had them tell me "yea i found an unlocked car thats how i got here so quick"

Re:Security expert?

[camg188]

Computer security expert leaves laptop in car overnight. Sounds more like a computer security amateur.

Re:Security expert?

[Osgeld]

+ they left it in a car, so yes either bait or retard

I lean towards retard

Re:Security expert?

[squiggleslash]

Absolutely, he should have encrypted his car like reel computur profeshionals.

Re: Security expert?

[Osgeld]

I have had a window smashed and a lock knocked in (by what looked like a cold chisel), both instances were much more expensive then the stereo + CD's they stole

Re:Security expert?

[BarbaraHudson]

And if he had put an OS login password on it, the thief would have just given it to someone to wipe down. He would still haven't gotten his laptop back, and he would never have known who stole it.

At least mobile phone passwords, the phone can still receive calls, so you can call whoever "found" it and offer a small reward for it's return.

Re:Security expert?

[Shane_Optima]

You seem to think that he is a complete moron, but it seems to me that he made the right decision.

Only if he was planning to have his laptop stolen. I'd rather risk losing the laptop than risk the thief stealing my logins, wagering that he's too lazy/ignorant to bother reinstalling the OS.

I think there might be out of band options for thief tracking if this is really a huge priority, but I think it would be better and simpler to alter one's habits to reduce the risk of theft.

Re:Security expert?

[BarbaraHudson]

Regardless, he left it in plain view in his unlocked car.

"Regardless, she was dressed in a short skirt and top" - and should have expected what happened next.

"Regardless, they left their dog in the back yard alone with a gate that didn't have a padlock" - and should have expected someone to steal their dog.

"Regardless, they were unarmed when they asked a total stranger for directions" - and deserved to be mugged.

Screw your "regardless." Honest people wouldn't have taken it. Same as I should be able to leave my doors unlocked and not have strangers walk into my home and take stuff.

Re:Security expert?

[0100010001010011]

My laptop drops into a mostly Windows desktop after a timeout for exactly above reasons.

autologin-user=[name] - Name of the user
autologin-user-timeout=[value] - Timeout before session is loaded

If my laptop drops into a DOS looking command prompt they'll think the laptop is dead and won't bother trying to use it. If the laptop is usable the thief will probably try to use it as a laptop. It'll be wiped or dumped.

Re: Security expert?

[ChoGGi]

It's the Calgary Sun, as someone who has read both that and the Toronto Sun. I'd imagine anyone who uses more then one password is a security expert in their eyes.

Re:Security expert?

[BarbaraHudson]

Transport companies always leave the loading doors on empty trailers unlocked so that thieves don't cause damage breaking into them. There's a reason for that.

Most kids today wouldn't know how to unlock the steering wheel anyway without a key, so it's not like they can steal the car if you leave it unlocked - and a pro will just buy a device online (watch the first 17 minutes - you'll see homebrew hardware, where to buy the hardware ready made, interviews with hackers and police and a car manufacturer) that lets you open pretty much any car - including the high end models - by reprogramming the car's computer to accept a new key, and just drive away. CBC Marketplace showed how easy it is to do, so your locks are only there to discourage the least motivated., And a $5 device to unlock car doors if you just want to steal a laptop on the front seat.

All your locks are belong to us!

Re:Security expert?

[mattwarden]

No, you actually do have an obligation to not be naive and pretend crime can't happen. Many of the things you list are just outright negligence. If you exhibit many of he negligent behaviors your list, they affect the crime(s) committed and your ability to recover losses. For example, if your home door is unlocked and a theft occurs, the crimes committed are less than if the door was locked, and your ability to recover damages from your insurance will likely be impacted.

Re:Security expert?

[cmuncy]

Exactly what I was thinking..... Regardless if it was a work laptop or gaming laptop, where was his password?

Re: Security expert?

[MichaelJ]

I know relatives who leave their car unlocked but don't store anything of value (apart from a 10kg bag of cat kibble).

That's a horrible idea. Seriously. That's just asking for a mouse infestation. Once they're in the car they'll chew on wires, get into the insulation and if they nest in the heating/ventilation system you'll never get the urine smell out.

Re:Security expert?

[BarbaraHudson]

I never lock my doors when I'm not home, because I'm not worried about theft. Knowing your neighbors and having a dog are much better risk-reduction factors than any lock ever will be. All locks can be bypassed. Watch the link I posted elsewhere which shows where to buy a device that will let you reprogram any car with keyless entry to accept any other key, so you just drive off.

I've had things stolen when I used to lock stuff up - the insurance company will make it as hard as possible to get what you're owed, so why bother? Bank the premiums and self-insure. You'll almost always come out ahead.

And your attitude that how I dress somehow makes it not a crime to sexually assault me (example 1, which happened in a subway station at 10 am) is just typical #rapesplaining.

Re:Security expert?

[BarbaraHudson]

Watch the video, asswipe. Anyone can go on ebay and buy a device that will reprogram any car to accept any key fob code, same as there are devices that let you roll back the electronic odometers on the dash and in the transmission electronics.

You don't need a dent puller or a big hammer to pop the lock and a screwdriver to turn the ignition on any more (the old skool way, which I had to use twice on old cars. The little pin at the bottom of the lock casting breaks, leaving the lock freewheeling without actually turning on the switch in the steering column. Unlike you, I know how to do this stuff because I've had to do it. Same as I've had to use slim jims and other tools to break into cars that others have locked their keys in.

Even managed to get into a VanDura that the toolkit warned was almost impossible to get into because of guards the manufacturer had installed to make it really really hard to get into without breaking the windshield - but the engine was running and time was awasting, so it took me over an hour, but I did it.

How many cars and vans have you broken into to help the legal owner? My guess is none.

Re:Security expert?

[ArmoredDragon]

Watch the video, asswipe.

Well, asswipe (my apologies, I meant to say asshole, because you get insecure when somebody misidentifies you) the point for most people is that by locking their cars, they can somewhat secure the possessions inside from a run of the mill thief, essentially treating it like a mobile locker. For a transport companies, they don't store personal items in their vehicles, so there's little point to locking them.

I realize that you want to ban things like having anonymous speech on the internet and lockable doors on cars, houses, and bedrooms, because you believe that the government should totally own you, but not everybody thinks that way.

Re:Security expert?

[BarbaraHudson]

One of my examples was about sexual assault - and your response to those examples was "No, you actually do have an obligation to not be naive and pretend crime can't happen." So you did say something about those examples, which did include sexual assault. Read what you wrote, instead of what you think you wrote.

Re:Security expert?

[Baloroth]

Screw your "regardless." Honest people wouldn't have taken it. Same as I should be able to leave my doors unlocked and not have strangers walk into my home and take stuff.

Yeah, and the world should be full of unicorns that poop gummydrops. However, here in the real world, if you leave your doors unlocked and something gets stolen, I, and every other reasonable person on the planet, will call you an idiot (because that is an idiotic thing to do). Not that you are the one to blame for the crime. That's not what's happening in any of those cases (well, there are a few people who really do blame the victim, but they're also idiots). No, you'd be an idiot because you failed to take reasonable precautions to prevent yourself from becoming a victim.

Re:Security expert?

[www.sorehands.com]

And where did you go to law school?

First, your statement regarding negligence and criminal law for negligence shows that you don't know the difference between criminal law and civil law.

Second. If a woman is drunk, does that mean you can rape her? She was negligence by becoming drunk near you and that there is a high probability that you would rape her if she was drunk.

Third, if there is an insurance policy, that would be controlled by the policy, which probably has an exclusion for items stolen from an unlocked car.

As far as negligence, if he left your laptop in the car, he may be liable to you, under your theory -- in a civil case. Never to a thief, except possibly in the case of a minor. But we have not covered that yet in my class.

Re:Security expert?

[BarbaraHudson]

A dog IS a reasonable precaution. Far better than an alarm - even one connected to the internet with cameras. You should have no problem finding videos of people stealing all sorts of stuff from homes with internet security systems. The video is usually of crappy quality, and the alarm doesn't connect to the police station, but to a monitoring station, so you have 3 to 5 minutes after you break in to steal everything you want, even if the police station is on the next block.

A dog, they'll just move on to the next house

No neighborhood is absolutely safe, no alarm system absolutely foolproof. The more precautions taken by the wary homeowner, the more irresistible the challenge.

Only one thing will deter most burglars: a dog.

Such is the picture that emerges from a Sun-Sentinel survey of state prison inmates serving time for Palm Beach County and Broward County burglaries.

An ounce of prevention ...

Re:Security expert?

[BarbaraHudson]

And Advice from a criminologist

Having a dog is a huge deterrent. Ironically, burglars are far more likely to avoid a house with a small dog than a big one — small dogs tend to be nervous and less easy to trick into calming down. They’re less trustful and bark louder and longer.

A lock is there for prevention. It doesn't deter most burglars. A video surveillance system is also there for prevention. It doesn't deter most burglars. A dog is there for whatever reason. It deters burglars better than a lock (which you might have forgotten to lock - many burglars just walk right in) or a surveillance system.

Re:Security expert?

[BronsCon]

No, you actually do have an obligation to not be naive and pretend crime can't happen.

That's not quite the same as saying dressing a certain way makes sexual assault not a crime; in fact, it states quite the opposite! Read the statement again, with your head located outside your rectum. When a rapist rapes, it is the rapists fault, as the rapist should not rape; when a rapist rapes YOU, however, you must ask yourself why that rapist (who would have raped anyway and is still full at fault for the actual rape) chose you and not someone else.

Is it okay for a rapist to rape you if you dress a certain way? Oh hell no, and nobody said it was. But, just knowing that the rapist is there and that the rapist will rape, regardless of you, you have a responsibility to acknowledge that fact and make yourself less of a target. Will that prevent the rape? No, because, and I'll repeat this again so you can't get confused and think I'm victim blaming, the rape is the rapist's fault. What it will prevent is your rape.

Now, let's apply that logic to a less sensitive subject so you can see how things work in the real world. If you, knowing that people steal shit from cars, leave a laptop sitting on the passenger seat of your unlocked car over night and it gets stolen, it is the thief's fault a laptop was stolen, but it is your fault it was your laptop that was stolen.

How does this work? It's quite simple, really.

The thief is going to steal a laptop, that is a decision the thief made and the thief is completely responsible for that decision. Neither you, nor me, nor the police, nor the thief's parents, nor anyone else holds any responsibility for that decision. However, you know that there exist people who make such decisions and it is up to you to protect yourself from them. If you do not, that is a decision you made and you are completely responsible for that decision. Neither the thief, nor me, nor the police, nor your parents, nor anyone else holds any responsibility for that decision.

If you didn't leave the laptop in plain view, would a laptop still have been stolen? Yes, because the thief decided they were going to steal a laptop. Wold it have been yours? No, because you decided not to allow it to happen.

As a victim of both theft and rape (among other various crimes) in my younger, more naive, years, I quickly developed an understanding of this concept. Perhaps not quickly enough, but I did develop it, nonetheless, where you (and many others) still seem to have not figured it out.

Is it my fault my rape occurred? No, but it is my fault I was chosen over someone else. Is it my fault an MP3 player was stolen from me? No, but it is my fault I left it unattended so that it may be stolen. Is it my fault I was robbed at gunpoint twice? No but, in both cases, it is my fault I was unarmed and alone in a high-crime area late at night.

Should I have been able to trust my rapist not to rape me? Should I have been able to leave my MP3 player (back when those were a new thing, mind you) at my desk for 5 minutes? Should I have been able to safely walk around, alone and unarmed, at night? In an ideal world, yes.

We, however, do not live in an ideal world, and you're not doing yourself, or anyone else, any favors by ignoring that fact while you insist that we should.

One thing we agree on, though, is that we should live in an ideal world. Our main point of contention is how to reconcile the fact that we do not. My belief is that we should not let ourselves be attractive victims to the crimes we know will be committed anyway. You seem to believe the exact opposite, for which I suppose I should thank you, as you make it that much easier to do what I believe is right when you set the bar so low for criminals.

You can have the crime and victimhoood, I've been done with it for over a decade.

Re: Security expert?

[BronsCon]

What car do you drive that can fit a normal sized laptop in the glove box? Or, perhaps, what tiny-ass laptop do you use that can fit in the average glove box?

Re:Security expert?

[BronsCon]

Got proof? I sure do, it's in the fine print of my insurance policy. Yours, too, if you have comprehensive coverage; I suggest you go read it.

Re:Security expert?

[BarbaraHudson]

I take my own advice- I self-insure. The savings pay for the dog food and then some :-) Plus, I get along well with my neighbors. Consider that "added insurance."

Re:Security expert?

[BarbaraHudson]

Your insurance company will pay in cases of negligence. There's a difference between negligence and gross negligence. They can only hide behind gross negligence, intentional acts, or undeclared risks.

Re:Security expert?

[fuzzyfuzzyfungus]

It probably helps that the techniques for neutralizing locks and cameras, while typically not legal if used during a burglary, aren't all that interesting to a potential jury; while the techniques for neutralizing dogs are either rather unreliable or deeply unsympathetic. Some dogs will roll right over for a charm offensive and a treat; but you can't rely on that; and if you kill a dog you've probably made yourself less popular than at least half of the actual murders on the docket, which isn't a good plan for a relatively petty property crime.

Re:Security expert?

[thegarbz]

Screw your "regardless." Honest people wouldn't have taken it.

That doesn't change the fact that the world isn't made up exclusively of honest people and a "security expert" would have known better. No one's excusing the thief or blaming the victim, they are just calling bullshit that an "expert" can be so stupid.

Re: Security expert?

[guruevi]

No, rape is still illegal as is being drunk in public (although if both of you are drunk, your "rape" could've just as well been a crime). The point is that you have a duty to yourself and others not to get blacked out drunk, not to get in a car or bed with someone when you're drunk, not to leave your car unlocked with valuables in a shady neighborhood because even though you could always become a victim of a crime the repercussions to the criminal and the legal and civil recourses available will differ - walking into an unlocked house is trespassing, not breaking and entering; using consent as a defense becomes easier to prove; insurances won't cover your losses and civil suits will have lower or no awards and serious doubt can be cast on the accuracy of your statements.

Re:Security expert?

[elgatozorbas]

Screw your "regardless." Honest people wouldn't have taken it. Same as I should be able to leave my doors unlocked and not have strangers walk into my home and take stuff.

Yes and no. You are right in that the victim of these offenses is not guilty of these offenses.
The OP is right in that a security expert should typically not be the type of person to rely on the honest intentions of others. On the contrary: these people's work is exactly to anticipate criminal behaviour and try to prevent it as much a possible. This is the very reason "security" was invented in the first place.

So you are comparing apples and oranges here.

Re:Security expert?

[mattwarden]

No, sorry, something about your reading comprehension is broken. Maybe you are more familiar with the law and the word "negligence" triggered the more narrow meaning in civil law. But nothing in my comment suggested I meant that, and quite the opposite. I think I was pretty clearly talking about home burglary, which would apply when the door is open, whereas a separate crime over and above that would apply (e.g., breaking & entering) if the door were locked.

Regarding the insurance policy, you're not countering my point. I'm explaining WHY the insurer generally excludes covering items stolen from unlocked homes or cars. NEGLIGENCE.

Re:Security expert?

[mattwarden]

I ignored your injection of the sexual assault example. I thought it was dumb for you to include that as an example, suggesting it was somehow akin to leaving your door unlocked.

Re:Security expert?

[BarbaraHudson]

It wasn't always like that, and it still isn't like that in many places. Depends on how you're brought up I guess. Maybe you should move.

Re:Security expert?

[BarbaraHudson]

Everyone, unless they are rabid paranoids, trusts some people. Without that, you can't get anything done.

Re:Security expert?

[BarbaraHudson]

You wrote, and I quote: "No, you actually do have an obligation to not be naive and pretend crime can't happen." That dismissive attitude applies to every one of the examples I gave, and it has been used quite often - especially lately here on slashdot, where one poster claims that if you are sexually assaulted you shouldn't be walking around bare assed down dark alleys, and that someone who is repeatedly sexually assaulted has only themselves to blame for allowing it. Blaming the victim is one of the hallmarks of libertarian and/or extreme right-wing thinking, and slashdot is crawling with them.

Re:Security expert?

[MoaDweeb]

A large part of insurance is to protect you from the consequences of your negligence.

E.g. Ooops I just drove into the back of another car 'cos reasons...

Your insurance company pays out for that and your premiums go up.

Re: Security expert?

[BronsCon]

How is this flamebait? I've never owned a car that could fit a laptop in its glovebox and I'm curious what models can do this.

Re:Security expert?

[BarbaraHudson]

"Regardless, she was dressed in a short skirt and top" - and should have expected what happened next.

In the USofA, he would've wound up doin' hard time in the big house.

Are you kidding me? Brock Turner raped an unconscious woman, claimed the sex was consensual (how can you consent if you're passed out), his father said he will "pay a high price for 20 minutes of action", and he spent 3 months in the county jail, not a state or federal prison.

The 1% don't live under the same rules as you or I.

Re:Security expert?

[mattwarden]

What others say on slashdot has no relevance to what I say on slashdot.

Re: Security expert?

[antdude]

I noticed guest accounts don't work with Mac OS' File Vault to phone home because they have to boot into their own areas. :(

Re: Security expert?

[rworne]

Even if the software runs as a system service?

Just logged in as guest to check and it's there and running. Guest account runs fine too.

Re: Security expert?

[antdude]

Do you use FileVault on the drive?

Re: Security expert?

[rworne]

I just saw what you are talking about. Guest does not work with the software. Bummer, it worked with the original Filevault, but not Filevault 2.

Re: Security expert?

[antdude]

Yeah, it only works without FileVault's encryption. It is useless. FV's guest account is very limited. Even sandboxxed on drive. :(

Re: Security expert?

[rworne]

There's a possible solution:

An application that replaces FileVault called Espionage 3 is compatible. It looks good, but I'm leery of 3rd party solutions and my data.

Re: Security expert?

[antdude]

I have not heard of it. I did try Prey, but it has the same problem. It seems like if we secure too much, we can't have these extras. :(

Re: Security expert?

[BarbaraHudson]

"Locking a door costs nothing" - yeah, right. Ever lose your keys or lock yourself out accidentally? Have fun getting in. A locksmith visit is over $100.00. And alarm systems don't discourage thieves. Even those that are centrally monitored, you know you have a MINIMUM of 3 to 5 minutes before the police show up, especially since calls from alarm companies about residential alarms going off are really low priority, and if there have been 3 false alarms at the same address, they will simply not respond to a call from an alarm company because your address has been blacklisted - and you have no civil recourse because each response to a false alarm puts people at risk, so not responding to a place with a history of false alarms is perfectly acceptable to the courts.

Re:Security expert?

[cwsumner]

What others say on slashdot has no relevance to what I say on slashdot.

Someone mod this up, I'm out of points. ;-)

Re:Security expert?

[cwsumner]

A dog IS a reasonable precaution. ...

The word around here, is that the best dog for that is not the big dogs, but rather the small terriers. They are small, but they can be very fast, very loud and very nasty, when they believe it is necessary. They were originally bred to be hunter/killers of big rats, going down into dark rat-tunnels underground.

Yet when they are not in defence mode, they are "cute lapdogs", quite smart and friendly (in their own way). ;-)

(And, learn how to safely and accuratly handle a gun.)

Re: Security expert?

[david_thornley]

A somewhat more extreme example: a relative of mine lived alone and came home to his house in a rural area in the winter. The front steps had slanted away from the porch over time, and he dropped his keys into the crack. He couldn't get them back, he couldn't get to someone safe (his car keys were on the same ring), and as it turned out he couldn't survive the night without shelter. I don't know that he'd be alive today (he was fairly old), but he'd have lived a lot longer had he not locked his door.

Re:Security expert?

[thegarbz]

Maybe you should move.

Not sure what you're talking about. Should I move because we're calling security experts out on being stupid, or are you suggesting you know a place in the world where only honest people live? Because if you do I have a bridge to sell you. It's good and you'll make your money back quickly. Honestly! :-)

Re: Security expert?

[david_thornley]

I believe walking into an unoccupied house has been held to be breaking and entering by at least some courts. "Breaking" doesn't apparently have to leave anything broken (just as well, or picking the lock to get into the house wouldn't be breaking and entering). (I already posted how I had a relative die because he locked his house, although it also involved dropping his keys.)

Your idea of "duty" seems similarly off. I don't have a duty to lock a car, and last time I had a locked car broken into there was damage, which I would have probably avoided by leaving the car unlocked. Whether I leave my car unlocked or not, it is illegal and wrong to steal a laptop that might be there, and hassling the thief seems justified to me.

Re:Security expert?

[david_thornley]

I think you'll find that the conviction rate for rape tends to be horrifyingly low for the 99%, also. Turner was an egregious example, but there's been lots of cases of people getting away with minimal punishment for sex crimes.

Re:Security expert?

[BarbaraHudson]

And that's what the article recommends - smaller dogs, the yappers. However, I can tell you from experience that big dogs also work, if they have the right character. I had a Newfoundland (think "looks like a black St. Bernard if you're too lazy to click on the link.) I went to visit some friends, and the dog knew them, and was very friendly with them. That night, he was staying in the van, with the window open, while I went inside. He turned on the interior dome light jumping from the back seat into mine, and one of those friends came in and mentioned it.

I asked why he didn't just reach in and turn it off himself. "I tried. I want to keep my hand." Very protective dog most of the time, took me years to get him to learn that when there's a confrontation, don't get involved, let me handle it.

Re: Security expert?

[BarbaraHudson]

I'm sorry to hear that. That's an awful way to go. In the winter it's hard to find something to move under a window to break in, hard to find something to force the window with, and once your hands are too cold, you can't even undo your jeans to squat and pee (or stand and write your name in the snow - YMMV).

Re:Security expert?

[BarbaraHudson]

Okay, I'll clue you in. You should move to a place where you can leave your door unlocked when you go for a walk with the dog, shopping, or out all day.

I was broken into once, almost 40 years ago, by a neighbor's kid. It happens. Since then, front door unlocked, nobody has come in and stolen anything. I did have one woman I didn't know enter unannounced, but she was in a panic after a car accident and was looking for help. I have no problem with that.

Re:Security expert?

[BarbaraHudson]

No question about it - the conviction rate is stupidly low for all economic classes. But 3 months in the local jail, instead of a state or fed pen? Where your old man can ensure you get whatever you want, because $$$ and influence? It's a joke. Or a tragedy. :-(

Re:Security expert?

[thegarbz]

Okay, I'll clue you in. You should move to a place where you can leave your door unlocked when you go for a walk with the dog, shopping, or out all day.

I live in a shitty immigrant neighbourhood. I leave my door unlocked all the time. Front doors are not crimes of opportunity, they are pre-meditated followed by luck of the draw for the theif. Being able to leave your front door unlocked doesn't mean you're in an awesome safe crime free place, it just means you don't live in the shittiest worst place in the world.

Now go leave your laptop on the sidewalk overnight and let me know if in your perfect neighbourhood its still there in the morning.

Re:Security expert?

[BarbaraHudson]

I've had my dogs, which I value a hell of a lot more than any laptop, returned to me twice even though they don't have name tags. Being friendly with everyone in the neighborhood is better protection than any security system. And, as I said, I haven't been robbed in 35 years of leaving my doors unlocked. Again, be friendly with your neighbors.

Re:Security expert?

[david_thornley]

The case of the schoolteacher and the female students I know about didn't involve any imprisonment, and the guy was not one of the 1%.

Re:Security expert?

[thegarbz]

I've had my dogs, which I value a hell of a lot more than any laptop,

Again completely irrelevant. Unless it's a pure bread that shits gold, why wouldn't someone return a dog? Hell I've returned dogs to people I've never met before.

Also you have dogs? That makes the whole house being locked comment even less relevant now.

Re:Security expert?

[BarbaraHudson]

I don't lock the place when I take the dog with me, even if I'm gone for hours. You're better off depending on getting along with your neighbors than a security system. Experts say the same thing.

Re:Security expert?

[BronsCon]

Cleveland and Detroit.

Re:Security expert?

[BronsCon]

"that's the way things are. Theft happens so live with it"

Huh, funny, i never said that. I said don't make yourself the victim of choice. You know, if everyone chose to not make themselves the victim of choice, it would be much more difficult to make a living as a thief and, yes, we'd have less theft.

Move to Japan or Singapore and suddenly you realize it's not the way things are rather it's the way we let them be because we assume it's the way it is.

Except that theft still occurs in those places. You've never been to either of them, so you simply assume that's the way it is.

Yes, there's a fair bit less theft there, but there's still plenty; usually at the expense of American tourists with their "thieves just shouldn't steal" attitudes, who think they have no personal responsibility to protect themselves.

Re:Security expert?

[RockDoctor]

The person may be completely innocent, having paid for the laptop thinking it was second hand

Is it physically possible for people to be that stupid?

What did your Mummy beat into you as she pulled the nipple from your lips? "If it sounds too good to be true, it is too good to be true." Nobody this side of a Victorian morality play can be so stupid as to believe that a cheap [anything] on sale is anything other than stolen.

Re:Computer security expert?

[Visarga]

Honeytrap?

'computer expert'.

[queazocotal]

In general, the various 'identity theft' type laws which make it illegal to access others accounts don't have exceptions because it's a stolen computer.

Re:'computer expert'.

[dwywit]

So who brings the criminal suit for identity theft? The thief would have to swear out a complaint in which she admits theft - or that fact would come out in court. Even if hard evidence of identiy theft was available, a half-decent lawyer would have the case dismissed after a chat to the thief via the prosecutor: "If you proceed with this case, you'll face criminal and civil proceedings for theft, loss of income, etc, etc, etc. You'll be so in debt with legal bills, and a criminal conviction will be your legacy. Do you really want to proceed?"

Re:'computer expert'.

[jbolden]

It doesn't have to be a suit. There are federal laws. Once the process starts the federal attorney can bring the charges, getting both the thief (though that's only a state charge) and the revenge seeker.

Re:'computer expert'.

[Dog-Cow]

I wonder if stealing someone's laptop and then using it for your own stuff could be argued to be giving implicit permission to access whatever the thief is doing. This guy didn't steal any identity. He just used Facebook.

Re:'computer expert'.

[queazocotal]

Hence in quotes. 'unauthorised access to a computer' type statutes.

Re:'computer expert'.

[Registered+Coward+v2]

In general, the various 'identity theft' type laws which make it illegal to access others accounts don't have exceptions because it's a stolen computer.

I agree, and think the smartest thing to do is gather the info on thief and report it to the police. IANAL, but I would guess there is no presumption of privacy if you are using a stolen laptop and that the owner has a right to access their machine remotely; a similar situation might be you steal my car and i see it, use a key to drive off and then go through your wallet and papers which were left in the car. I can turn that over to the police but not use your credit card to charge something or post pictures of your d/l online. Either way, I doubt a thief would get much sympathy from a prosecutor; although I'm sure they'd be more than happy to take a segment on how they stole the item as part of the decision on what to do.

Re:'computer expert'.

[queazocotal]

He is allowed to. However, simply because he owns the computer doesn't give him the rights to use other connected computers. (facebook et al)
Any more than customer support would have the right to post on your social media or go through it if you happen to leave a tab open.

Re:'computer expert'.

[jbolden]

The thief didn't engage in identity theft, the victim did. The thief engaged in burglary however. Dwywit was claiming the case against the victim would fall apart because the thief during the suit would have incriminate themselves in a larger tort. I disagree with the larger claim, that's unclear.. But my main point I was commenting this isn't just a tort its a crime on both sides which means there is a 3rd party (the state) which might be happy to go after both of them if this starts getting reported. For a tort they might cancel out for different crimes they don't.

Re:'computer expert'.

[jbolden]

You aren't allowed to use your computer to commit fraud. The thief didn't give permission to the victim to impersonate him. The victim's type of usage was fraudulent.

Re:'computer expert'.

[jbolden]

Didn't realize this was Canada. The same structure applies there however: http://www.cbc.ca/news/canada/...

Re:'computer expert'.

[thegarbz]

The crime of theft is nothing compared to reputational damage. We're talking a several hundred dollar fine vs a many 10s of thousands of dollar lawsuit here. The odds favour the thief in the US legal system.... By a really large margin.

Re:'computer expert'.

[BarbaraHudson]

He most certainly had authorized access to the computer - he's still the legal owner, even if it's in the hands of a thief.

Re:'computer expert'.

[ChoGGi]

Obtaining and possessing identity information with the intent to use the information deceptively, dishonestly or fraudulently in the commission of a crime.
Trafficking in identity information, an offence that targets those who transfer or sell information to another person with knowledge of, or recklessness as to, the possible criminal use of the information.
Unlawfully possessing or trafficking in government-issued identity documents that contain the information of another person.

That bill seems to just apply to criminal use of stolen identities, but you're welcome to quote the relevant parts
http://www.parl.gc.ca/HousePub...

Re:'computer expert'.

[Shane_Optima]

In general, the various 'identity theft' type laws which make it illegal to access others accounts don't have exceptions because it's a stolen computer.

That doesn't necessarily mean the courts wouldn't create an exception based on some "no expectation of privacy" principle. Common law can be fun.

Re:'computer expert'.

[Trailer+Trash]

In general, the various 'identity theft' type laws which make it illegal to access others accounts don't have exceptions because it's a stolen computer.

True, but look up the "clean hands doctrine". Criminals can't use the courts to get relief.

Re:'computer expert'.

[jbolden]

He has authorized access to the computer (maybe that's even ambiguous) but not to the facebook account.

Re:'computer expert'.

[jbolden]

No it doesn't. The law does not want private revenge.

  For example you stole my car, I know you stole it and while you have it you put a painting in it. I take the car back the painting is still yours and I'm obligated to return it.

Re:'computer expert'.

[BarbaraHudson]

So what. Is the going to call the cops over it? That would be like the crackhead going to the cops to complain their dealer shorted them on a rock. Also, she was the one who logged into her account and set the cookie, not him. He didn't "hack" her account - she gave him access.

Re:'computer expert'.

[Hognoxious]

Painting? What painting?

He's hardly going to press the matter, is he?

Re:'computer expert'.

[jbolden]

See my post 3 up.

Re:'computer expert'.

[jbolden]

The situation above was the complaint is made by the victim who is admitting they did it. To use your analogy (though it doesn't quite fit) this would be like the dealer going to police admitting he shorted the crackhead because he is being threatened by him.

As for giving him access. No the thief did not give the victim access. Granting access is an act of intent. You don't grant me access to your house because your front door has bad locks that I know how to pick.

Re:'computer expert'.

[BarbaraHudson]

As if the perp would ever be able to go to trial ... get real. That's one of the problems of the internet - too many people living in their own little bubbles that have zero correspondence to the real world. You'd have to find a cop who would take the complaint (not going to happen). You left your Facebook account accessible to the original owner that you stole the laptop from? You left THEIR door wide open (it's their laptop) and they walked right in.

Re:'computer expert'.

[BarbaraHudson]

This took place in Canada. In Quebec, Ontario, and any other province with a provincial police presence, you report federal crimes to either the local or provincial police - not directly to the RCMP (feds), except where the feds have jurisdiction (airports, etc).

Context matters - and in this case, the context is that it's not in the USA.

Re:'computer expert'.

[gordguide]

This took place in Canada. In Quebec, Ontario, and any other province with a provincial police presence, you report federal crimes to either the local or provincial police - not directly to the RCMP (feds), except where the feds have jurisdiction (airports, etc).

Context matters - and in this case, the context is that it's not in the USA.

You must be from Ontario; people there like to speak for all of Canada, despite not knowing a thing about anywhere outside of Ontario. The list of "any other province with a provincial police" would be the two you cited and Newfoundland.

In the other seven provinces and two territories that comprise Canada, you can either form and fund your own local police (whether rural or urban), or you can contract with the RCMP to provide local policing. (Not having one or the other is not an option).

For example in the province of British Columbia, municipal forces are the rarity, not the norm. Outside of the City of Vancouver, chances are you will be dealing with RCMP everywhere you go. In Manitoba, Saskatchewan, and Alberta, even Rural Municipalities may have their own local police force.

However, in every province and territory of Canada, including Ontario, Quebec, and Newfoundland, it is the RCMP whom are charged with dealing with cyber crime. So you may still contact them should the theft of a laptop result in certain crime(s) that are not simply the original crime of theft.

Specifically, in this particular case, the computer owner is in Calgary, Alberta. Calgary has a municipal police force.

Re:'computer expert'.

[BarbaraHudson]

And how does that change the fact that you do NOT report such crimes as theft to the RCMP directly in Cochrane, Alberta? It's Canada, not the US. You report to your local municipal cops (even in provinces that have provincial services) unless the population is under the threshold for having municipal services, or has contracted out municipal services directly to the RCMP for a fee in those provinces with no provincial police service where the municipality exceeds the population threshold entitled to free coverage - such individual municipal contracts are negotiated under the umbrella of provincial agreements with the RCMP, but any municipality is free to set up their own public police force instead.

Re:'computer expert'.

[BarbaraHudson]

Also, you are wrong to claim that the RCMP are charged with dealing with cyber crime. A lot of the stuff (cybertheft, online bullying, internet kiddie porn, etc.) is handled either by the municipal or provincial forces, though the option always exists to call in the RCMP if needed - for example, when the crime crosses borders.

Oxymoron

[davester666]

A "computer security expert" would not leave their laptop in their car overnight.

Re:Oxymoron

[Razed+By+TV]

Not only that, he left his car unlocked.

Needless to say, Gale probably won't be leaving his car unlocked again - especially with high-priced items in plain view of thieves.

I can appreciate that in an ideal society, people wouldn't steal, and you should be able to leave your valuables unsecured and in plain sight. However, this man was a victim of a crime that he could have easily prevented.

An acquaintance of mine performed the same mistake as this man. He left his laptop visible in the back seat of his unlocked car, which he knew was unlocked, because he thought it should be safe there. The next morning the laptop was gone, and he accused his friends (who had been to visit him) of stealing the laptop. He lived in the duplexes by the shopping mall. I could never figure out 1) what lead him to believe it was a good idea to leave it out in the open of an unlocked car, and 2) why he didn't suspect that the thief came from the duplex or mall traffic.

Re: Oxymoron

[davester666]

No. There have been WAY too many reports of computers with valuable data being stolen from vehicles in the past 10+ years for him to be able to claim "I didn't realize computers get stolen from vehicles". Physical security of the computer has been part of computer security for a long time.

imho

This is a dickish move. What if the thief sold the computer and someone else is new the new owner who actually paid for the computer? Vigilantism is bad.

Re: imho

Potentially could be that. When my laptop was stolen it was sold in a few hours. New owner had no idea when the police visited him in the local Starbucks. (Well I bet they had a fair idea it was legit, regardless I got my laptop back)

Re:imho

[gnasher719]

This is a dickish move. What if the thief sold the computer and someone else is new the new owner who actually paid for the computer? Vigilantism is bad.

Someone else is _not_ the new owner. You can't become the owner of a laptop by buying it from a thief. If you knew it was stolen you are a criminal buying stolen goods. If you didn't know you are an idiot who will be parted from his money.

The guy is still the _owner_ of the laptop and can do what he can to recover the stolen laptop from whoever has it now.

Re: imho

[BarbaraHudson]

Doesn't make a difference. Just because you paid for stolen property doesn't mean it's now legally yours. The thief who sold it to you didn't have legal title to it, so your only legal recourse if the laptop is returned to the rightful owner is against the thief.

You're an idiot if you buy stolen goods. The thief knows where to go the next time they need to steal them for a new customer, and they also know you can't file a complaint - even if you catch them in the act.

Re:imho

[MiniMike]

There is no new owner, there is only a different person in possession of stolen property. It doesn't matter if the buyer doesn't know it's stolen.

Re: imho

[BarbaraHudson]

The attack on the facebook account was against someone completely guilty. If they had been innocent - for example, buying the laptop used without knowing it was stolen - the fact that the sign-in account is not connected to the seller should have been a give-away. Willful ignorance makes you guilty of receiving stolen goods.

All the person with the laptop had to do was post a message back on their stupid Facebook account saying that they bought the laptop from $PERSON instead of guiltily closing all their accounts after getting caught. They sure didn't act like they were innocent, did they?

If I had bought something used in good faith and it turned out to be stolen, I'd be naming and shaming the seller as well as getting in touch with the police. So would any other honest person - because the seller ripped them off. In this case, there was no seller - just the thief, and she got caught out.

Re:imho

[sexconker]

Not only is he a dumbass for leaving an unsecured laptop in his car, what he did (tracking, spying, remotely monitoring via the web cam, accessing accounts that aren't his, etc.) is criminal and carries far more punishment than stealing a laptop from a car.

Re:imho

[thegarbz]

The guy is still the _owner_ of the laptop and can do what he can to recover the stolen laptop from whoever has it now.

Doing what he can does not make him immune from slander charges. If someone bought this laptop and they suffered this fate they would have every legal standing to completely ruin the "expert" in court. The owner may still own it but he doesn't have carte blanche right to do whatever he wants to recover it.

Re: imho

[BarbaraHudson]

It is obvious the computer is stolen if you boot it up and the user isn't the person who sold it to you. The original OS was on it. The thief knew.

Re:imho

[david_thornley]

Such things as tracking and spying are simply somebody using the computer, and since that person is the legitimate owner it's authorized use. Accessing the thief's accounts might or might not get him in trouble. I'd ask a lawyer before doing anything like that.

Re:imho

[sexconker]

If he recorded video (or audio, which is somehow worse), if it crossed state lines, etc. he's all sort of fucked should it come down to it. He also went to great lengths exposing the person's PII in a harassment campaign.

If it weren't so common for "security experts" to be so fucking stupid I'd write the whole thing off as a farce.

She kept closing the remote login request

[Pikoro]

I'm going to bet he was using chrome remote desktop or some such. That's not "security software". Jeez, this reeks of incompetence if he's a "security expert".

Real remote monitoring software for these purposes would silently mirror the screen on a remote system and not ask for permission. "The original owner is attempting to connect to this laptop. [A]ccept or [D]eny?

More likely scenario

[StickyKeys]

More likely is that the laptop got converted for cash at a pawn shop and later bought in good faith, which means he's humiliated a poor girl who had nothing to do with the theft.

Re: More likely scenario

Buying stolen goods is as bad as stealing it in the first place and should be punished accordingly.

Re: More likely scenario

[Zontar+The+Mindless]

In your zeal to punish, you managed to miss the "good faith" part.

Re: More likely scenario

[Highdude702]

You are why they need to create a Physical protocol for the internet so i can beat your lilly ass

Re:More likely scenario

[Registered+Coward+v2]

More likely is that the laptop got converted for cash at a pawn shop and later bought in good faith, which means he's humiliated a poor girl who had nothing to do with the theft.

In which case the pawn shop owner would be in trouble. Many locales have laws to make it harder to fence stolen property; if she bought it off of Craig's List cheap it would be hard to make a good faith argument.

Re: More likely scenario

[Zontar+The+Mindless]

"[In] good faith" has nothing to do with religion. But you quite possibly knew that already and were merely trolling.

Re:More likely scenario

[wvmarle]

Maybe the laptop was like two years old already, which makes it rather low value in the second hand market, like 10-20% of the new value. Thief lists it at the low end of normal prices for such laptops, makes a quick sale, and for the buyer the good faith argument is easy enough to defend.

Re:More likely scenario

[Shane_Optima]

More likely is that the laptop got converted for cash at a pawn shop and later bought in good faith, which means he's humiliated a poor girl who had nothing to do with the theft.

Without knowing the time scales involved, that seems very unlikely. Unless he waited weeks to do this.

Also, pretty sure all the savvy thieves use Craigslist these days, not pawn shops. But either way, the chances of a buyer pouncing very quickly is pretty low unless he was selling at a very steep discount.

The "more likely" claim really makes me pause.... why would you say this? Does this have something to do with the alleged thief being female?

Re:More likely scenario

[grep+-v+'.*'+*]

which means he's humiliated a poor girl who had nothing to do with the theft.

Which means it should be easy enough for her to prove that to the cops. "Here's the receipt -- go see who sold it to the shop to begin with."

She might be the poor girl, she might be the thief. In any case she's in possession of a stolen computer. I wouldn't stop to stay "Excuse me , miss, you happen to be operating a computer of mine that has gone missing. Perhaps you would be so good as to inform me how you are in possession of such a thing?"

My first reaction would be she's the actual thief as well, which may easily NOT be correct. On the other hand she physically has a random computer which I *CAN* produce a receipt and a serial number for.

Possession may be 9/10 of the law, but not when it can call home and tattle.

Re:More likely scenario

[nyet]

Rubbish.

Re:More likely scenario

[gordguide]

More likely is that the laptop got converted for cash at a pawn shop and later bought in good faith, which means he's humiliated a poor girl who had nothing to do with the theft.

In which case the pawn shop owner would be in trouble. Many locales have laws to make it harder to fence stolen property; if she bought it off of Craig's List cheap it would be hard to make a good faith argument.

In Canada you need to provide Photo ID to pawn anything, the Pawn Shop must record the information related to the transaction, and that record is submitted electronically to Police once a week, where it is checked against police reports of theft. Plus, it's a common sight to see detectives visiting all the Pawn Shops in the city; it's a routine part of their duty.

Re:More likely scenario

[gordguide]

More likely is that the laptop got converted for cash at a pawn shop and later bought in good faith, which means he's humiliated a poor girl who had nothing to do with the theft.

Without knowing the time scales involved, that seems very unlikely. Unless he waited weeks to do this.

Also, pretty sure all the savvy thieves use Craigslist these days, not pawn shops. But either way, the chances of a buyer pouncing very quickly is pretty low unless he was selling at a very steep discount.

The "more likely" claim really makes me pause.... why would you say this? Does this have something to do with the alleged thief being female?

Nobody in Canada uses Craigslist much. Kijiji rules that space.

Tired of this pussy footing

[nyet]

dox her already.

dude

[Noah+Haders]

> In 2008 Slashdot ran a similar story, where it took several weeks of remote monitoring before a laptop thief revealed his identity. (The victim complained that "It was kind of frustrating because he was mostly using it to watch porn.")

I like thought of a dude watching another dude endlessly watch porn, and being like, why can't you say your name!!!

Security expert, or blowhard?

[93+Escort+Wagon]

- Why did this "expert" leave his laptop in his car?
- Why was this "expert"'s laptop not encrypted?
- Why does this "expert" assume the woman in possession of his laptop is the thief... or that she even knows the laptop was stolen?

Re:Security expert, or blowhard?

[epine]

Why did this "expert" leave his laptop in his car?

You've never parked your car overnight A) at a job site (last minute state of emergency) or B) in front of a woman's house, one you don't yet know all that well?

Possible answer is that he has a life.

Re:Security expert, or blowhard?

[thegarbz]

You've never parked your car overnight

You may have missed a key word in the article. Let me quote it for you here:

unlocked

Re:Security expert, or blowhard?

[david_thornley]

I lock my car by pushing the little button on the key as I walk away. If I'm distracted by something, and don't hit the right button, I could easily leave it unlocked.

Re:Security expert, or blowhard?

[thegarbz]

Are you claiming to be a security expert? I'm not, so I could also leave my car unlocked. I actually did one day, some guy even broke in and stole $2.50 from my glovebox.

But I don't hold myself or you to high standards. I only do that to self proclaimed experts.

Re:Security expert, or blowhard?

[david_thornley]

Experts aren't perfect, and I don't think you have any indication that he's a "self-proclaimed" expert.

I'm not a security expert, just enough of one to recognize some dumb things I've done now and then.

Re:Security expert, or blowhard?

[thegarbz]

No they aren't. But when we have multiple cases of experts doing non-expert things in one big row combined with incredible unluckiness I'm still questioning if they are an expert.

To be clear this security expert:
a) left a laptop in his car
b) left it in plain view / didn't know someone knew he left his laptop in his car
c) left the car unlocked
d) had no encryption on his laptop
e) actually got his laptop stolen (which by extension makes people wonder if he's the unluckiest man in the world, or if he's done this more often and just got hit by probabilities)

Any one of those things is dumb, any 2 or 3 things probably as well. But this case shows an epic pattern of failure for an "expert" to make.

Re:Security expert, or blowhard?

[gordguide]

I once owned a truck that I bought with just an ignition key (GM, so two keys needed). I never did bother to remove the glove box lock and pay the $50 the locksmith wanted to create a new key which would work for the door.

For eight years, I never once locked the truck. I parked it numerous times overnight in some rather dubious locations (dive bar parking lots, for example) and no-one ever took a single thing from inside that vehicle.

I also own a convertible. You never lock a convertible; thieves will just knife the top to get in. So as of today it's been about seven years without ever being locked.

Now, I wouldn't leave a laptop, or anything tempting like a shopping bag with new items in it, on the front seat. For some reason people do get inside and rifle through it; change disappears from time to time. Now, the trunk isn't big, but it works just fine, and that's where valuables go if I leave it unattended.

Re:Security expert, or blowhard?

[gordguide]

No they aren't. But when we have multiple cases of experts doing non-expert things in one big row combined with incredible unluckiness I'm still questioning if they are an expert.

To be clear this security expert:
a) left a laptop in his car
b) left it in plain view / didn't know someone knew he left his laptop in his car
c) left the car unlocked
d) had no encryption on his laptop
e) actually got his laptop stolen (which by extension makes people wonder if he's the unluckiest man in the world, or if he's done this more often and just got hit by probabilities)

Any one of those things is dumb, any 2 or 3 things probably as well. But this case shows an epic pattern of failure for an "expert" to make.

The Calgary Sun said he was a "computer expert". You don't believe everything you read in any of the numerous Canadian city "Sun" newspapers. For all we know, the reporter asked him if he was familiar with computers, he answered yes, and they ran with it.

Can backfire

What happened in a similar case in my country - the thief successfully sued the geek for damage to his reputation, and was awarded a compensation an order of magnitude higher than what was the value of the laptop.

Re:Can backfire

[BarbaraHudson]

What happened in a similar case in my country - the thief successfully sued the geek for damage to his reputation, and was awarded a compensation an order of magnitude higher than what was the value of the laptop.

So what you're saying is that after the thief paid his lawyer, he ended up losing 10 orders of magnitude more than the compensation he was awarded. Because a lawyer is going to charge 10,000 to win a 1000 award over a 100 laptop.

Re:Can backfire

[BarbaraHudson]

Opps - an order of magnitude more than he was awarded, and 2 orders of magnitude more than the value of the laptop. Sorry about that, chief.

Re:Can backfire

[VAXcat]

References, or it did't happen.

He left an unencrypted laptop in an unlocked car

[cyber-vandal]

How do I hire this guy, he sounds like a real security genius /s

Re:seriously ?

[spiritplumber]

Dammit! That's the same combination as my luggage!

"Thief"?

Does Canada have strong UK-style defamation laws? Even in the United States, a publication wouldn't call someone a "thief" prior to conviction. And in this case it's more likely that the "thief" is (unwittingly or not) a receiver of stolen goods rather than the person who broke into this guy's car.

Joke's on you

[allo]

Even when the laptop is stolen, "hacking" the thiefs facebook account and monitoring the computer usage of other people (without some work contract allowing this) is a crime.

Re:Joke's on you

[Highdude702]

OK. Here we will go over this once again. for slashdot this should be a known fact. you've been around a while would figure you know this. walking up to a computer, oh look facebook is open.. type message "facebook hacked" THATS NOT FUCKING HACKING!!!!

Re:Joke's on you

[allo]

What's your point? It's not legal either. Call it what you like. Hacking or similiar verbs are what judges say, when they hear, that somebody does this remotely.

Re:Joke's on you

[Highdude702]

The way i see it as the laws are written is that technically, If you leave your facebook open you - Authenticated through a SECURITY portal, Then you walked away, Leaving the computer authenticated. Meaning that the next person to have access to that computer you have authenticated to use your account. no hacking. just stupidity. As others have pointed out Security starts at the Physical entry point.

Re:Joke's on you

[allo]

i set the "hacking" in quotes, but the important part is, that you're not allowed to use the account. Just because i don't lock my door, you are still not allowed to steal my stuff.

Re:Joke's on you

[allo]

> You see it doesn't matter that it is a crime, for most people it only matters if you will be persecuted for the crime, which is not a problem here.
This may be true, but what they are doing is still illegal and there is no minus by minus is plus rule for crimes.

> Stealing the laptop is a crime. Remotely accessing the thief's facebook account is a crime.
This.

> So my next thought was perhaps you are just morally against crimes being committed as the basis for your post.
I am against using one crime to justify another and i am against self-justice. I am not against the prosecution of any of the two crimes.

> Perhaps you feel it is to take place of a warning to the laptop owner, although I think we both know he will not actually see your post most likely.
People, who may think they do the same, when their laptop is stolen may read it. But this doesn't really matter, we're here for discussion, not for personal advice. Most the time.

> So could you enlighten us on the actual purpose of your post, so assumptions don't need to be made?
If you want enlightement, i recommend being religious ;-)

Re:Joke's on you

[Registered+Coward+v2]

Even when the laptop is stolen, "hacking" the thiefs facebook account and monitoring the computer usage of other people (without some work contract allowing this) is a crime.

Not necessarily. They still own the computer so there is no unauthorized access to the computer; just don't then use information gleaned to login to the account from another machine. The problem is geeks then think it's cool and OK to use the information to strike back, at which point they cross the line into criminal behavior. Real world rules still apply.

Re:Joke's on you

[Highdude702]

Well with how youre defending the perp in this one. i would say yes because they stole the laptop from an OPEN car. then used the laptop and left facebook OPEN. The "posession is 9/10 of the law" is a false premise. If you break into my house and leave $100 on the table. its still illegal for you to break in, but that money is actually lawfully mine now.

Re:Joke's on you

[allo]

It's a bit complicated depending on what and how it is done and what the intention is. For example if somebody checks his e-mails on your pc, that's no argument that you may log his password. Even when it's your pc.

Re:Joke's on you

[Shane_Optima]

Even when the laptop is stolen, "hacking" the thiefs facebook account and monitoring the computer usage of other people (without some work contract allowing this) is a crime.

Citation needed.

Even if the text of a law supports that, I suspect that the courts would be eager to apply some red letter duct tape that would specify that no one has a reasonable expectation of privacy whilst using a stolen laptop.

He didn't "hack the account" as far as I could tell, by the way. It sounded more like a remote desktop thing.

Re:Joke's on you

[BarbaraHudson]

You're wrong. Otherwise, a thief can successfully recycle stolen cars just by parking them in the fence's driveway. If you knew the $100 wasn't yours, you are required to turn it in to the local authorities. If, after a delay (here it's 30 days) it's unclaimed, the money is yours.

Re:Joke's on you

[allo]

> He didn't "hack the account" as far as I could tell, by the way. It sounded more like a remote desktop thing.
And exactly this is something, you are not allowed to do. Even at the workplace, this is only allowed, if it is explicitely stated in your contract. Else you have an expectation of privacy.

And the court ... i guess the thief will not try to sue you, but he could.
Another thought ... if you use this sessions as proof, aren't they fruit of the poisoned tree? I am not that used to this.

Re:Joke's on you

[Shane_Optima]

And the court ... i guess the thief will not try to sue you, but he could.

Wait, sue? Are you saying tort or crime? In the case of suing, the thief has to claim damages, but given existing slander/libel caselaw it seems like the "telling the truth" defense[1] would apply.

And exactly this is something, you are not allowed to do. Even at the workplace, this is only allowed, if it is explicitely stated in your contract. Else you have an expectation of privacy.

Expectation of privacy is, I believe, a red letter concept. So, do you or don't you have any cases to cite where a thief was deemed to have an expectation of privacy whilst using stolen goods? If not, I suspect a lawyer arguing by analogy that a burglar has no expectation of privacy in someone else's living room might find a sympathetic ear.

I'm not saying he definitely would get off, but I don't think it's cut and dry.


1. A defense that, incredibly, doesn't exist in the UK. Or so I've heard.

Re:Joke's on you

[ruir]

Exactly what i was saying some threads bellow. Some idiots are confusing hacking something with remotely accessing his own computer.

Re:Joke's on you

[thegarbz]

THATS NOT FUCKING HACKING!!!!

Nope, but it doesn't make it any less of a crime.

Re:Joke's on you

[Highdude702]

So because it's still a crime it's still ok to incorrectly use the word? That's ridiculous. Also I don't feel as that should be a crime because you're too fucking stupid to log out of your accounts on a public accessable system. Whether it be a pc at your friends house, library, or the laptop you've stolen.

Per-account encryption is often better than full-d

[raymorris]

In many cases, it is better to encrypt files for each account separately, rather than full-disk encryption. This is partly because most full-disk encryption sucks in one of two ways. (Google "ecb penguin" for an example.)

Along with avoiding technical problems with full-disk encryption modes, this improves security because the user of one account can't access files owned (and encrypted) by another account. You can even have a "guest" account for a houseguest to use, and guest can't access your files.

Since you have a guest account anyway, the guest account might also be configured appropriately given the knowledge that a thief might one day use it.

Security 102, chapter 1 - Risk Analysis

[raymorris]

If you go a bit beyond the corporate-mandated annual security training, most information security curriculum says that step one is identifying the assets at risk and their value. It would be silly to spend $50,000 turning your garage into a vault to protect a $15,000 car, and similarly for information security the value of the asset determines the maximum effort you should put into protecting it. This not only avoids wasting more time/money/hassle than the asset is worth, but it allows you to spend your efforts on the most valuable assets. Any time/money spent on a low-value asset is time NOT spent protecting a higher-value asset.

The identity of your favorite gaming site is worth about 5 cents US, so it is error to spend more than 5 cents worth of time trying to protect that information.

Additionally, in most cases it is better to protect and encrypt data on a per-account basis, for both technical and practical reasons. On a laptop, that means you encrypt the home directory, not the system. Multiple user logins have separate encryption, and one account can't access the encrypted files of another account. If you want to take it a step further, you can have a work account on the machine and a separate account for checking personal email, etc. Along with the obvious security benefits, that avoids having the browser or search engine auto-complete a URL based on *personal* browsing history in the middle of a presentation.

Given per-account security, a guest account with restrictions on it is quite feasible, and a theif would likely click the guest account.

Re:Security 102, chapter 1 - Risk Analysis

[allo]

No, the problem is, you try to seperate, what seems important and confidential to you. And there is the mistake. Because it requires you to think about what's confidential all the time.

Why would you encrypt /home and not /? Is there any reason preventing / encryption? No.

So you install your system, make a checkmark at "full encryption" and enter a reasonable password (here you can make tradeoffs and choose one you can remember without tools). Next you don't need to think too much while using it. Your top-secret documents stay at your most secure system, but that's obvious. But reading some private e-mails won't hurt now, because if they are left in the cache in your firefox profile or in the swap space or in some automated backups ... they are all equally on an encrypted disk.

Good security lowers the amount you need to think about it. If you need to decide what ends up in your backup, you may forget something important. If you backup everything, you will have everything and cannot forget something important. The same applies for encryption.

Re:Security 102, chapter 1 - Risk Analysis

[BarbaraHudson]

If you are storing sensitive personal information on a laptop or phone, you should already know that the question is not if, but when, it is going to leak out.

So have a plan for cases such as bank account info, and for the rest, it's not important enough to give a sh*t about anyway. There was an article about the risks of families, friends, and others snooping around your Facebook account. If you're posting stuff on Facebook, even using their privacy settings, that you don't want to get out there, you're a moron. The default should be public, so you don't get sucked into a false sense of security.

"But my private pictures!!!" If they're private, why are they on a portable electronic device or on a server run by someone else? Besides, unless you're so ugly that you'll replace the next goat guy or tubgirl, so what? The best you can hope for is your 15 minutes of notoriety.

Re:Security 102, chapter 1 - Risk Analysis

[mattwarden]

This is an artificial and silly way to view security. Nobody gives a shit about your gaming site, but the data I obtain from your gaming site will be useful in obtaining more valuable accounts or real life threats. For example, if the gaming site shows you how much you play and when, I can be pretty sure you're not going to be home during the hours when you've never played except for national holidays. If it shows in-game "friends", I can contact them saying I know you from the game and haven't seen you on lately, etc etc etc and obtain additional information through social eng.

Your thought process is akin to saying it makes no sense to spend $5k to patch a 2" crack in a dam because the crack is only 2".

Re:Security 102, chapter 1 - Risk Analysis

[allo]

the point is: Try to minimize the amount of mistakes you can do. Defaults of "encrypt everything" and "backup everything" do not hurt. And security experts should have considered this.

Re:Security 102, chapter 1 - Risk Analysis

[BarbaraHudson]

If you (1) don't do sh*t you don't want people to know about, you (2) don't have to worry about anything leaking. See the DNC and Clinton as an example.

Re:Security 102, chapter 1 - Risk Analysis

[allo]

you do never want people to know your private stuff. And if it's only, that you're utterly boring.

Re:Security 102, chapter 1 - Risk Analysis

[BarbaraHudson]

If all your private stuff is boring, it means you're not doing stupid things that people would be interested in gossiping about. Boring is better than stupid.

Re:Security 102, chapter 1 - Risk Analysis

[david_thornley]

A long time ago, I had a company-issued laptop with full disk encryption. They did an overnight download of software I needed to do my job, and something got hosed, and it wouldn't boot up. Suddenly, there was absolutely no way to get the data off the drive. As a complicating factor, it was at a financial institution, and they couldn't discard a computer or drive without positively destroying the data on it, so they couldn't just wipe and restore.

Last week, my son's laptop drive failed and he couldn't boot up. He had the important stuff backed up, but realized that there was gaming-related stuff on there he wanted to have back. He removed the drive from the laptop and stuck it into, I really don't remember what it's called, but it's a USB device that fakes being an internal drive mount, and was able to get all the data he wanted and set up his backups better. If that would have been possible if he'd had full-disk encryption, we would have at least had to figure out how rather than plugging in the disk and copying.

So, full-disk encryption does have its downsides.

Re:seriously ?

[pslytely+psycho]

Nonsense, I know your password.
It's **********.

Security expert?

[drolli]

Wow. Some obviously clueless thief manages to log in into his computer without re-installation? Doesn't he use LUKS/Bitlocker?

My Laptops are encrypted. I dont plan to change that for the slim change of catching a hardware thief by installing a tracking SW, which requires the OS to boot up unencrypted.

Re:That's ENTRAPMENT!

Isn't entrapment a thing where you make somebody do something they wouldn't normally do so that you can slap some cuffs on them?

"Go on, take the laptop!", "No, it's not mine to take", "What are you? A wuss? Just take it! What can happen?" "No, man, now leave me the fuck alone!" "Take it, come on..." "OK, OK, I'll take it..." "Busted! You're going to prison bitch!"

Illegal

[loufoque]

What he did to the alleged thief looks like it's illegal to me.
Hopefully the 'geek' will be tried and condemned for his spying, invasion of privacy, blackmailing and identity theft.

Re:Illegal

[ruir]

He did it to his own computer that a non-authorized person is using illegally. Would you care to explain me what expectation of privacy should expect someone using stolen goods?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:That's ENTRAPMENT!

[BarbaraHudson]

Entrapment only applies to law enforcement. You're free to "entrap" anyone you wish if you're not a cop.

"No reason whatsoever to buy a car with doorlocks"

[Shane_Optima]

Or maybe it was his "Just surf the news sites and play a game to pass the time" laptop. You know, the one with no reason whatsoever to encrypt anything.

The only reason to even consider "not to encrypting anything" is if your processor doesn't support AES instruction sets.

I mean, are you actually proposing that he was likely to have a dedicated machine for gaming/browsing that had no Steam logins, no news site logins, no forum logins, in fact no logins or personal information of any kind and was never used as a backup machine to check email, etc. in a pinch?

Just encrypt. It requires less consideration, and it removes the need to shred a drive before selling it.

Re: That's ENTRAPMENT!

[jcr]

unauthorized access to a computer system

It's his computer. I don't see how the access can be unauthorized.

-jcr

Uh, can't recover hardware? Why?

[geekmux]

"I'm realistic. I'm not going to see that computer again..."

The victim stated he went through her Facebook profile when she "left the room", implying he might have also had remote control of the camera. Is a picture of her face along with an entire Facebook profile and IP address somehow not enough gift-wrapped evidence to provide to the authorities for them to execute a simple knock on a fucking door to recover stolen property? What the hell...

A rather low threshhold for "vigilantism"

[Shane_Optima]

This is a dickish move. What if the thief sold the computer and someone else is new the new owner who actually paid for the computer? Vigilantism is bad.

This was the only 'dickish' move I saw:

He also posted her info to a number of Facebook groups, which spooked the thief enough to not only delete her Facebook account, but also her listed phone numbers.

He should not have done that bit. But the rest of it--sending texts to her phone numbers, calling the friend (âoeI called one of them and told her the thief was on a stolen laptop and told her Iâ(TM)d give her the opportunity to return it.â), and sending all of the information to the police--are all entirely reasonable.

We don't even know the timescales involved here. If this login happened mere hours after the theft, it's reasonable to assume the thief was doing it, with the possibility that the thief immediately gave it to a significant other or close relative being less likely, but still much more likely than an unconnected third party using it.

Really?

[DontBeAMoran]

which spooked the thief enough to not only delete her Facebook account

She did not delete her Facebook account. She simply took her account offline and Facebook told her it was "deleted".

PR stunt?

[tomhath]

Well maybe a security expert would be smart enough to not leave a laptop unattended, much less leave it overnight in his car.

Unless said expert deliberately set it up as a honey pot so he could track down the thief and boast online about how good he is at catching thieves.

Re:PR stunt?

[EvilSS]

That seems unlikely. If you wanted to do that you would leave it somewhere you are certain it will be stolen. Even laying out in a car you can't be sure. Leave it on a bus on the other hand....

Re: That's ENTRAPMENT!

[ChoGGi]

His computer, but her facebook account.

Of course if he'd just screen grab whatever shows up on his computer then I assume that would be fine, after all he wouldn't be the one accessing facebook.

Broken law enforcement

[mi]

"I'm realistic. I'm not going to see that computer again"

From what anecdotal evidence I have myself, he is right. Even if police do find the asshole-thief and take the laptop from him, the victim is not going to receive it. They'll keep it "for the duration of the investigation" and then it might just "disappear" from the evidence room.

And the next asshole-thief (this one with a police ID) will be smart enough to wipe it so as not get caught the same way. And, even if he does not, calling police again will not be fruitful — police protect their own, "because no one else would".

Oh, and the original thief will not do any actual time either (much less have his hand chopped-off) — unless, maybe, this is his third offense in a "three strikes" state.

While it may seem petty, theft costs humanity immensely — if you count the things we all have to do to keep it under control...

Re:Broken law enforcement

[thegarbz]

They'll keep it "for the duration of the investigation" and then it might just "disappear" from the evidence room.

It may be worth noting that this didn't happen in the USA. The rest of the world does not have the same fucked relationship as you do with your police.

Re:Broken law enforcement

[mi]

The rest of the world does not have the same fucked relationship as you do with your police.

And yet, for some reason, the victim in TFA does not expect to see his laptop ever again anyway... Maybe, in his country the relationship between police and the policed is even worse than in the US, uhm?..

Re:Broken law enforcement

[thegarbz]

the victim in TFA does not expect to see his laptop ever again anyway

If I chose vigilante justice in the form of online slander, I wouldn't want to see the laptop either. I do note that at no time he said he approached the police. Maybe, just maybe the person isn't a security expert but instead a major cock.

Re:Broken law enforcement

[mi]

I do note that at no time he said he approached the police

Wow... Let's see (emphasis mine):

The Slashdot write-up says: turned over all the information to the police TFA says: Gale did take all the information to Cochrane RCMP who says they are confident an arrest will follow.

Fake News much?

Re:Broken law enforcement

[thegarbz]

Now re-read the summary and both articles. He did turn it over to police AFTER exerting his own vigilante justice.

Don't claim the moral high ground with bullshit arguments like that.

Re:Broken law enforcement

[mi]

You claimed, the victim never contacted police. Not before, not after. Your precise words were:

I do note that at no time he said he approached the police.

See? "At no time". Your inability to read fed back to you, you now claim — as if it mattered — that, because he only did it after his own investigation (contrary to your earlier claim, he never did it at all), it is Ok for him to never receive his stolen property back...

I wish, all America-haters were as obviously dishonest as you... I'm done here.

Re:Broken law enforcement

[thegarbz]

The exact wording "never / after" and my point "he's morally in the wrong" were two different things. It's quite telling that you attack the wording and not the point. It's like you gave up defending your earlier position and are now just arguing semantics.

Not really surprising.

I formally apologize for using the wrong word. Will you apologize for being completely wrong and trying to derail the conversation to hide the fact?

Everybody gets tired

[rsilvergun]

and you make mistakes when you're tired. Finish off a 12 hour shift and then get stuck in traffic for 2 hours because of a pile up on the freeway? Yeah, you're gonna do dumb stuff.

Re:Everybody gets tired

[EvilSS]

Hrm. I've worked 32 hours shifts and still remember to bring my bag in. It's habit. Muscle memory. I don't need to think about it.

Re:Everybody gets tired

[david_thornley]

I had a foolproof method for remembering my ID badge by attaching it to something I'd automatically bring in to work in the morning. Then, one day, I had to do something else in the morning, so I came in for the afternoon. Guess what I didn't have.

Re:Everybody gets tired

[EvilSS]

Guess what I didn't have.

An erection?

Could have done something more practical.

[Beardo+the+Bearded]

If you had remote access, you should have put BitLocker on it, or encrypted it with your Open OS version.

Or installed a dialler to call 911 repeatedly from the laptop. Eventually the police will go to their house and find oh wow, there's lots of stolen property here.

Re:Er right

[allo]

> There is no expectation to privacy if you are using a device other than your own.
This isn't true. Of course you have a way worse standing on a stolen laptop than when you use another pc without commiting a crime first, but the owner is still not allowed to do this.

Doing all the wrong things

[timholman]

The owner of the laptop missed his opportunity to recover his property by trying to publicly shame the woman into returning it. That was a counterproductive waste of time. She could just claim she bought it from someone, and how could he, or the police, prove otherwise?

Anti-theft software should be designed to allow the thief to use the laptop on a guest account, while password protecting your personal account. You want the thief to use the laptop. Locking it remotely will only ensure that it is immediately disposed of, or sold for parts.

So, assume your laptop is stolen and you've activated the remote tracking software: immediately call the police and file a report. The police won't do a thing unless you take that first step. Next, start collecting data on the thief: home address, work/school address, phone numbers, images of the thief using it, etc. Organize all of that data into a folder and take it, along with a copy of your police report, to the local police station. Show them that you know exactly who has the laptop, that person's address, the location of the laptop, etc. Also point out that if this person was the thief, there is an excellent chance that additional stolen property will be found at their residence.

The police now have the justification they need to go knock on that person's door, or possibly get a search warrant. Granted, the person who has it may still claim it was purchased from some third party, but when police are standing in someone's home, showing them pictures of their own faces taken through the laptop camera, and saying, "Give us the laptop now, or we'll come back with a search warrant", the chances are excellent that it will be handed over.

No one may be prosecuted, but you'll at least have your property back. Of course, this scenario presumes that the police care enough to follow through with the information you provide. In larger cities, they may not bother, but in smaller towns and rural areas, they may be very happy to assist when you present all the evidence they need on a silver platter.

Re:That's ENTRAPMENT!

[sudon't]

If it's one thing I know, it's the LAW, and that's ENTRAPMENT!

If the one thing you think you know is the law, I have some bad news for you. First off, only the police can entrap, (from a legal point of view). Secondly, setting bait does not equal entrapment. And that isn't even what happened here. In short, the one thing you thought you knew, you don't know. That would make you, by your own admission, a know-nothing.

Software?

[WillyWanker]

What kind of software would one use to do this?

Re:Software?

[Motherfucking+Shit]

Windows Remote Desktop/Assistance, AnyDesk, TightVNC, Bomgar, ScreenConnect, Teamviewer, LogMeIn... There are probably a dozen more.

What happened to slashdot?

[nightfire-unique]

Virtually every top comment is a victim-blaming shitfest.

"Ooooh CRIME he's a hacker! Arrest the victim!"

"Every security expert encrypts every piece of technology they own regardless of circumstances! It's his own fault!"

".. and they ALWAYS take every possession with them everywhere they go, and never lock anything in their vehicle, because they're infallible! Clearly he's not an expert!"

"That poor thief. ;("

Ugh.

Re:What happened to slashdot?

[thegarbz]

Virtually every top comment is a victim-blaming shitfest

Nope, not a single comment "blamed" the victim for having their laptop stolen.
Every single comment is however calling out that someone who leaves their laptop in an unlocked car can not in any way be called a "security expert".

"Ooooh CRIME he's a hacker! Arrest the victim!"

Nope, not a single person is calling for his arrest.
Most comments are pointing out that in his efforts of vigilante justice he's committed slander and accessed someone's account in an unauthorised way. Someone who he never confirmed committed any crime, was never charged or prosecuted.

"Every security expert encrypts every piece of technology they own regardless of circumstances! It's his own fault!"

Not a single person here has tied the word "fault" to his lack of encryption. They are just rightfully questioning the "security expert's" credentials given the circumstances. In fact several comments here even say if he encrypted it, then it would be his fault.

".. and they ALWAYS take every possession with them everywhere they go, and never lock anything in their vehicle, because they're infallible! Clearly he's not an expert!"

Well yeah. We hold "experts" to the standards set by their titles. Unlocked, and left valuable items, that's multiple concurrent failures for an "expert".

"That poor thief. ;("

And just like that poor thief who's so quick to vilify an unknown person in possession of his laptop and slander them as a thief, you too have not stopped to even properly read let alone think about the posts of the people you are criticising.

Ugh.

I know right!

Re:What happened to slashdot?

[david_thornley]

Every single comment is however calling out that someone who leaves their laptop in an unlocked car can not in any way be called a "security expert".

In the first place, this is like telling the owner he shouldn't have worn that dress. In the second place, you're implying that one mistake revokes your security expert card forever. I don't have the rules to hand here, but I think it takes more than that. Also, security experts don't necessarily encrypt what the average /. poster expect them to.

And just like that poor thief who's so quick to vilify an unknown person in possession of his laptop and slander them as a thief,

In most places, it isn't libel (you can't slander someone by posting on their Facebook account) if it's true. In the US (and I know this incident happened in Canada, but I don't know Canadian law), it isn't libel if you had good reason to think it true.

I call bullshit!

[ChrisKnight]

"Stu Gale, who just so happens to be a computer security expert" There is no way a 'security expert' left their laptop in a state where a random thief could log into it. Password on sleep, password on screen saver, full-disk encryption, no guest account... These are thing EVERY 'security expert' has configured. If you stole my laptop, you'd have to wipe it and install a new OS, and then I'm not going to be able to remote into it anymore.

One of us is misunderstanding the other

[raymorris]

FYI I've been a fulltime security professional for 20 years. My advice is based on what I actually do when your bank hires me to test their security, how I can actually hack your accounts.

> No, the problem is, you try to seperate, what seems important and confidential to you. And there is the mistake.
> Because it requires you to think about what's confidential all the time. ...

> reading some private e-mails won't hurt now, because if they are left in the cache in your firefox profile

I never said "encrypt one file at a time". I said encrypt YOUR files separate from your (soon to be ex-) wife's files. That includes /home/allo/.cache/mozilla/firefox/

Obviously you might *also* separately encrypt your most important files, such as a password manager datastore, a second time. But no you don't have to think about what to encrypt, all of your personal files are encrypted, including your browser cache.

> Why would you encrypt /home and not /? Is there any reason preventing / encryption? No. ...
> So you install your system, make a checkmark at "full encryption"

That SEEMS like a good idea, if your understanding of encryption is checking a box. As one of the guys who implements what happens when you check that box, I think maybe we should remove that checkbox so it doesn't mislead you. It LOOKS like it makes your system secure, right? Unfortunately, it mostly just makes your system slower. I can still see your ECB penguin. :)

There are both practical and technical problems with full-disk as opposed to per-user. The biggest practical problem is easily summarized as:
Do you want your files to be accessible to your soon to be ex- wife?
Generally, no, users should not have access to another user's files. When your visiting step-brother asks to borrow your laptop, he should not be handed an unencrypted copy of all of your personal and business files.

There is also a fundamental technical problem with full-disk encryption such that full-disk can either either be weak, or ridiculously slow, in most cases. It has to do with what are called "cipher modes". ECB is reasonably fast, but provides little security. CBC is secure, but modifying one sector requires updating every sector on the disk which follows it (meaning it takes a few minutes to save 1KB). Other modes are in between the two. We think that we *might* have that problem beat with a new approach, but I don't trust it yet.

> If you need to decide what ends up in your backup, you may forget something important. If you backup everything, you will have everything and cannot forget something important. The same applies for encryption.

That's absolutely true for backup, definitely. The only backup systems I recommend backup the whole damn machine. The system I designed makes *bootable* backups, that can be booted in-place as virtual machines. For encrypting and otherwise securing confidential data, there's a fundamental conflict between availability vs confidentiality and integrity. You may want to make your mp3 files openly available on your network, so you can play them with any device in the building. You might even store them in the cloud, easily accessible over the internet. You should NOT make your most confidential data readily accessible to every device on your network, including your IP camera and other cheap IoT devices with a thousand vulnerabilities each. If you're serious about security, you DO need to think about which items should be easily accessible to everyone in the company/house and which should be locked down tight.

I'll give you an extreme example of identifying the most confidential data and a very common example of failing to do so. The Coca-Cola company has perhaps a million documents that shouldn't be published on their web site, documents for employees only. Only their 146,000 employees have access to those documents, because they have s

Seriously?

[Timothy2.0]

"Stu Gale, who just so happens to be a computer security expert,"

Okay...I'm listening...

"...had the misfortune of having his laptop stolen from his car overnight."

...and we're done.

He's nicer than I would have been

[grasshoppa]

I'd have messaged all her friends and email contacts about how she heartlessly stole the laptop from my suffering mother who only has a few months left to live and that all her grandchildren's pictures are on that laptop.

Doesn't hurt, besides performance and trust

[raymorris]

You certainly can do both. There will be a performance hit, small or large depending on cipher mode. You should double-test your backups in case either layer of encryption fails. I would recommend using a fast mode for the full-disk, keeping in mind it won't be NSA secure. So thinking about privacy, you'd pretend the full-disk isn't there - it's just a backup just in case.

The dam is valuable, the parking lot crack not muc

[raymorris]

> Your thought process is akin to saying it makes no sense to spend $5k to patch a 2" crack in a dam because the crack is only 2".

No, the dam is extremely high value, therefore you pay attention to it. When the Banqiao hydroelectric dam failed, it killed hundreds of thousands of people. So the dam is at the top of your "most protected" list. What I'm saying is this:
There's a 2 inch crack in the dam, and a 2 inch crack in the parking lot. What's your first step? Your second step?

Obviously your first step is "fix the crack in the *dam*". The correct second step is less obvious - look for more cracks in the dam. You shouldn't worry about the 2" parking lot crack until you've double checked everything about the dam. Again, see Banqiao.

Re:Er right

[allo]

Your argument is about security, not what's permitted. You do not KNOW, if there is a keylogger, so you cannot be secure, if you're paranoid (possibly for a reason).
But this does not mean, that the keylogger is legal, either. Indeed it isn't as you have the expectation of privacy when using a computer, where you were not warned, that your actions are monitored to the level of logging passwords.

Re:What was written

[hackwrench]

Only problem is, what he wrote was in response to what he thought you wrotes, and more to the point he said some. Long story short, people are sloppy and he didn't appear to mean to refer to that particular example.

Idiot is a harsh term

[hackwrench]

I prefer the term sloppy in this case,an I don't think that makes me unreasonable.

Until....

[hackwrench]

Until you discover you've locked yourself out of all your stuff.

Re:Until....

[allo]

Yep, take precautions. Write down your seldom used passphrases (and put the paper somewhere, where nobody finds it, not under your mousepad)

Re:not a petty crime expert

[ruir]

The sucker usually knows what is buying. Someone I knew, once tried to sell me a computer "from his cousin", and once I saw pictures of the rightful owner there, I told them to keep it, and get out of there.

Re:Gloating baby gets news article posted to slash

[ruir]

I would have done worse probably. At least he had the satisfaction to teach a lesson to idiots. That has not a price.

Re: That's ENTRAPMENT!

[thegarbz]

Regardless of who owns the machine, he logged into Facebook using unauthorised credentials. Having the password pre-filled, or having the system previously logged in is no defence.

Re:If this guy were American

[ruir]

I really do not understand what part you do not understand that I logged remotely in his own computer. MAybe you should learn English?

Re: That's ENTRAPMENT!

[phantomfive]

I think using the facebook account might be unauthorized, though.

Re:Oh please.

[thegarbz]

The thief is going to sue that the fact he is a thief is factually disseminated?

Sure. That's the wonderful thing about the legal system. The person who was accused is innocent until proven guilty, and even if he is guilty there's every chance he may not be charged, or that the charges will be dropped.

Reputational damage on the other hand can carry some quite severe civil penalties and the truth is not necessary an absolute defence. The "expert" here decided to effectively slander the person to his contacts, telling them that he's guilty of something he's been neither charged, nor convicted of. Quite interestingly this "expert" at no point confirmed that the person was infact the thief, and didn't just acquire the laptop through some other lawful means (e.g. thrift shop). Vigilante justice is frowned upon for a reason.

Re:Uh, can't recover hardware? Why?

[thegarbz]

Because vigilante justice?

Or maybe the story is fake.

Re:The dam is valuable, the parking lot crack not

[mattwarden]

No, you're not getting it. Let's try to improve my analogy so you can. Let's say that the dam is concrete and the concrete continues into an adjacent parking lot as one contiguous pour. Now let's assume there is a crack in the parking lot immediately next to the foot of the dam. Nobody gives a shit about the crack in the parking lot, except that if you don't fix it, it will spread to the dam.

The point is, if you think throwaway accounts at gaming sites, etc. are not valuable to hackers, you have not followed any security news in the last decade. When bullshit websites are hacked and user databases dumped with md5 hashed passwords, what happened? The hackers didn't jump for joy for their ability to steal cat memes. No, they took the passwords, cracked them, and tried to use the credentials at the major bank websites. Most people use the same damn password for everything and chances are a good % of the users in the hacked site will have a bank account at one of those majors.

There are hundreds more examples of this sort of thing. If identity were siloed, your logic would be sound. But your siloed view of identity is incredibly naive.

Re:steal

[Miamicanes]

Don't forget the cost of an OEM copy of Windows, which will likely exceed the cost of the hard drive itself...

Poll compared software vs hardware full-disk

[raymorris]

I see the study (analysis of a poll) is titled "The TCO of Software vs. Hardware-based Full Disk Encryption". Shockingly, the poll determined that the products sold by it's sponsors are percieved to have an advantage over the competing approach, defined as full-disk encryption in software. I don't think that touches the issue discussed here. I think the conclusion of that study is "if you're going to do full-disk encryption, our customers think you should do it the expensive way".

Well frankly, I hack their customers 40 hours a week. If their customer encrypts the hardware bits as they suggest, making it completely unencrypted once I have any access to the running system, that makes my job that much easier. In other words, hardware full-disk encryption essentially means "only encrypt it when it's turned off". Does that *really* sound like a good idea? Because that's what hardware full-disk is, once it's booted and running, anyone who gets any access to the system has access to *all* of the data. There are no encrypted files I can't read, on a hw full-disk system, because files aren't encrypted.

Oh, you're assuming browser history includes passw

[raymorris]

If I'm understanding you right, your point can be summarized as "password reuse." Is that correct? You're talking about the PASSWORD someone might use on a gaming site or whatever, right?

In that case, yes I agree passwords are important, in general, due to password reuse. The post that started this discussion about gaming sites said "browser history would reveal your favorite gaming site". My followup said "the identity of your favorite gaming site."

The identity of Trump's favorite gaming site*, from his browser history, is worth roughly nothing. His PASSWORDS he uses while playing would be worth quite a bit.

* In case anyone finds it interesting, Trump's favorite places to play his favorite game, where he's one of the all-time point leaders are ...
[Drum roll] ...
Atlantic City and New York City.

In the game he likes to play, he buys Boardwalk and Virginia Ave and builds a hotel, but he doesn't build three houses first. His hotel on Virginia Ave is called Trump Taj Mahal.

Re:That's ENTRAPMENT!

[Anubis+IV]

A) Entrapment only applies to the police, not to private citizens.

B) Leaving items in plain view where they can be stolen is not entrapment. E.g. Bait cars. You have to actively encourage or incite someone to engage in illegal behavior that they wouldn't have otherwise for it to be entrapment.

C) Clearly you don't know the law as well as you thought.

Re:Oh, you're assuming browser history includes pa

[mattwarden]

No. That is one example of how you can leverage information on a low value account to obtain higher value items.

Okay so maybe walk me through it

[raymorris]

Okay so maybe walk me through it. So you find out from my browser history that I visited Kongregate, a gaming site. Now what?

1) Kongregate
2) ?
3) ?
4) Damage!

I'm very curious how this is going to be of any real importance, be worth more than a nickle to protect.

Re:Okay so maybe walk me through it

[mattwarden]

I never mentioned browser history, and I already walked you through it higher up in the thread.

hmmm..

[SuperDre]

two problems, first why was his laptop stolen from his car (which makes me believe he left it on a seat and not secured in the trunk (as most employers and insurancecompanies demand), second, how did he know that person was actually the one who stole the laptop, maybe she just got it as a present not knowing it was stolen. So why posting her name/info on other boards and friends before just actually getting her information and giving it to the police..
If she didn't steal the laptop, he might even be sued by her for doing what he did. So next time before you go publicly accusing someone, you must make sure you're 100% sure the other person was actually the one who stole the device.

And then also, if he's a security expert, how could that person even log into his laptop.

Re:hmmm..

[david_thornley]

Not all cars have a trunk. About half the vehicles I've owned didn't.

I don't know how it is in Canada, but in the US having good reason to think the statements true is a defense against libel. I'd probably post that stuff was posted from a stolen laptop myself, but that's me.

Being a real security expert isn't a matter of going through a one-size-fits-all procedure. Don't be too quick to say what a security expert would do. A security expert, for example, might allow a guest login for a variety of reasons.

Re:Oh please.

[Gilgaron]

But isn't is only slander if it isn't true? And using someone else's property to interact with your personal accounts does get fuzzy with using work computers and so on.

Victim blaming but...

[norweeg]

who the fuck leaves a laptop in a car overnight? Take it inside!!

Re:Uh, can't recover hardware? Why?

[geekmux]

/hacks your laptop /takes your picture

'Hello, officer? I'd like a SWAT team at 123 Bumblefuck Drive. Somebody has stolen my laptop! Proof? Why yes, here's a picture!'

Officer: "Uh, do you have any documentation that shows this person has your property? A receipt perhaps?"

Much like accusing someone of rape, proof is rather fucking relevant.

Re:Oh please.

[thegarbz]

But isn't is only slander if it isn't true?

No. Never has been. There's all sorts of public interest clauses that need to be satisfied. Being false is just a cherry on top. Not to mention that in many countries it's actually illegal to identify a person even if they have broken the law, even if they have been convicted. People have the right to receive punishment inline with the law without mob justice on top. If the punishment here was a fine, or even being let off for a first offence, and the "victim" (using the term loosely) lost their job as well, they would have good standing to sue their accused for that harm.

And using someone else's property to interact with your personal accounts does get fuzzy with using work computers and so on.

Indeed, but using your property to interact with someone else's personal accounts is clear as day against the law. (See every article covered by Slashdot about a rogue / angry recently fired system admin ever run).

Re:The dam is valuable, the parking lot crack not

[david_thornley]

The point is, if you think throwaway accounts at gaming sites, etc. are not valuable to hackers,

Let's do some threat analysis. Who's after your stuff? Let's try getting more specific.

How adept are these hackers? The more adept are probably going to be going for high-value targets, which really doesn't include me. If the NSA is after me, I'm not even going to try to stop them, but they have no interest in me.

What are they going for? Are they targeting you in particular (in which case you have to outrun the bear), or accounts in general (so you just have to outrun your hiking companion)? If they're after accounts in general, they're probably looking for people who don't have good passwords on their bank accounts, a set of people that I am not a member of. Somebody wants to break into my bank account and its $2-5K, they're going to have to do some work. It's almost certainly going to be easier to break into the account of the guy who uses his Slashdot password for his online banking.

There seems to be a tendency to give out security advice based on the idea that there are competent people interested in hacking the target specifically, but not so competent that they can't be stopped. This may be suitable for the average guy, but someone who thinks security is going to come to more individualized conclusions.

Re:Er right

[david_thornley]

I'd rather hear a lawyer's opinion on this. In the US, privacy rights on a computer are pretty scanty, and I have even less idea what Canadian law would say about this. There's also the question of what the user's legal expectation of privacy on someone else's computer is, which I'd also run by a lawyer if I needed to know.

Re: That's ENTRAPMENT!

[david_thornley]

He didn't log into Facebook, so I don't know how that would come out in the courts.

Re:Er right

[allo]

I guess no sane thief would sue anyway ... but don't overdo it, they might finally think you're gone too far and have done more damage to them ... not that they won't get into trouble, but when you do stupid things like "trying to destroy their life", it will probably backfire.

Re: That's ENTRAPMENT!

[thegarbz]

So he just magicked the person's facebook friends details? Just luckily guessed their numbers and texted them that their facebook friend is a criminal? The act of logging in is irrelevant. It's "access" and "authorisation" that people care about.