Slashdot Mirror
Geek Avenges Stolen Laptop By Remotely Accessing Thief's Facebook Account (hothardware.com)
An anonymous reader quotes Hot Hardware:
Stu Gale, who just so happens to be a computer security expert, had the misfortune of having his laptop stolen from his car overnight. However, Gale did have remote software installed on the device which allowed him to track whenever it came online. So, he was quite delighted to see that a notification popped up on one of his other machines alerting him that his stolen laptop was active. Gale took the opportunity to remote into the laptop, only to find that the not-too-bright thief was using his laptop to login to her Facebook account.
The thief eventually left her Facebook account open and left the room, after which Gale had the opportunity to snoop through her profile and obtain all of her private information. "I went through and got her phone numbers, friends list and pictures..." Given that Gale was able to see her phone numbers listed on Facebook, he sent text messages to all of those numbers saying that he was going to report her to the police. He also posted her info to a number of Facebook groups, which spooked the thief enough to not only delete her Facebook account, but also her listed phone numbers.
In 2008 Slashdot ran a similar story, where it took several weeks of remote monitoring before a laptop thief revealed his identity. (The victim complained that "It was kind of frustrating because he was mostly using it to watch porn.") But in this case, Gale just remotely left a note on the laptop -- and called one of the thief's friends -- and eventually turned over all the information to the police, who believe an arrest will follow.
Gale seems less confident, and tells one Calgary newspaper "I'm realistic. I'm not going to see that computer again. But at least I got some comic relief."
The thief eventually left her Facebook account open and left the room, after which Gale had the opportunity to snoop through her profile and obtain all of her private information. "I went through and got her phone numbers, friends list and pictures..." Given that Gale was able to see her phone numbers listed on Facebook, he sent text messages to all of those numbers saying that he was going to report her to the police. He also posted her info to a number of Facebook groups, which spooked the thief enough to not only delete her Facebook account, but also her listed phone numbers.
In 2008 Slashdot ran a similar story, where it took several weeks of remote monitoring before a laptop thief revealed his identity. (The victim complained that "It was kind of frustrating because he was mostly using it to watch porn.") But in this case, Gale just remotely left a note on the laptop -- and called one of the thief's friends -- and eventually turned over all the information to the police, who believe an arrest will follow.
Gale seems less confident, and tells one Calgary newspaper "I'm realistic. I'm not going to see that computer again. But at least I got some comic relief."
If he is such a "computer security expert", why did he not have his laptop fully encrypted as well as (naturally) an OS login password? Seems to me that he was either actively trying to bait somebody like this, or he's a complete moron.
In general, the various 'identity theft' type laws which make it illegal to access others accounts don't have exceptions because it's a stolen computer.
A "computer security expert" would not leave their laptop in their car overnight.
Sleep your way to a whiter smile...date a dentist!
This is a dickish move. What if the thief sold the computer and someone else is new the new owner who actually paid for the computer? Vigilantism is bad.
More likely is that the laptop got converted for cash at a pawn shop and later bought in good faith, which means he's humiliated a poor girl who had nothing to do with the theft.
> In 2008 Slashdot ran a similar story, where it took several weeks of remote monitoring before a laptop thief revealed his identity. (The victim complained that "It was kind of frustrating because he was mostly using it to watch porn.")
I like thought of a dude watching another dude endlessly watch porn, and being like, why can't you say your name!!!
- Why did this "expert" leave his laptop in his car?
- Why was this "expert"'s laptop not encrypted?
- Why does this "expert" assume the woman in possession of his laptop is the thief... or that she even knows the laptop was stolen?
#DeleteChrome
What happened in a similar case in my country - the thief successfully sued the geek for damage to his reputation, and was awarded a compensation an order of magnitude higher than what was the value of the laptop.
How do I hire this guy, he sounds like a real security genius /s
Even when the laptop is stolen, "hacking" the thiefs facebook account and monitoring the computer usage of other people (without some work contract allowing this) is a crime.
If you go a bit beyond the corporate-mandated annual security training, most information security curriculum says that step one is identifying the assets at risk and their value. It would be silly to spend $50,000 turning your garage into a vault to protect a $15,000 car, and similarly for information security the value of the asset determines the maximum effort you should put into protecting it. This not only avoids wasting more time/money/hassle than the asset is worth, but it allows you to spend your efforts on the most valuable assets. Any time/money spent on a low-value asset is time NOT spent protecting a higher-value asset.
The identity of your favorite gaming site is worth about 5 cents US, so it is error to spend more than 5 cents worth of time trying to protect that information.
Additionally, in most cases it is better to protect and encrypt data on a per-account basis, for both technical and practical reasons. On a laptop, that means you encrypt the home directory, not the system. Multiple user logins have separate encryption, and one account can't access the encrypted files of another account. If you want to take it a step further, you can have a work account on the machine and a separate account for checking personal email, etc. Along with the obvious security benefits, that avoids having the browser or search engine auto-complete a URL based on *personal* browsing history in the middle of a presentation.
Given per-account security, a guest account with restrictions on it is quite feasible, and a theif would likely click the guest account.
Entrapment only applies to law enforcement. You're free to "entrap" anyone you wish if you're not a cop.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
unauthorized access to a computer system
It's his computer. I don't see how the access can be unauthorized.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
"I'm realistic. I'm not going to see that computer again..."
The victim stated he went through her Facebook profile when she "left the room", implying he might have also had remote control of the camera. Is a picture of her face along with an entire Facebook profile and IP address somehow not enough gift-wrapped evidence to provide to the authorities for them to execute a simple knock on a fucking door to recover stolen property? What the hell...
His computer, but her facebook account.
Of course if he'd just screen grab whatever shows up on his computer then I assume that would be fine, after all he wouldn't be the one accessing facebook.
From what anecdotal evidence I have myself, he is right. Even if police do find the asshole-thief and take the laptop from him, the victim is not going to receive it. They'll keep it "for the duration of the investigation" and then it might just "disappear" from the evidence room.
And the next asshole-thief (this one with a police ID) will be smart enough to wipe it so as not get caught the same way. And, even if he does not, calling police again will not be fruitful — police protect their own, "because no one else would".
Oh, and the original thief will not do any actual time either (much less have his hand chopped-off) — unless, maybe, this is his third offense in a "three strikes" state.
While it may seem petty, theft costs humanity immensely — if you count the things we all have to do to keep it under control...
In Soviet Washington the swamp drains you.
The owner of the laptop missed his opportunity to recover his property by trying to publicly shame the woman into returning it. That was a counterproductive waste of time. She could just claim she bought it from someone, and how could he, or the police, prove otherwise?
Anti-theft software should be designed to allow the thief to use the laptop on a guest account, while password protecting your personal account. You want the thief to use the laptop. Locking it remotely will only ensure that it is immediately disposed of, or sold for parts.
So, assume your laptop is stolen and you've activated the remote tracking software: immediately call the police and file a report. The police won't do a thing unless you take that first step. Next, start collecting data on the thief: home address, work/school address, phone numbers, images of the thief using it, etc. Organize all of that data into a folder and take it, along with a copy of your police report, to the local police station. Show them that you know exactly who has the laptop, that person's address, the location of the laptop, etc. Also point out that if this person was the thief, there is an excellent chance that additional stolen property will be found at their residence.
The police now have the justification they need to go knock on that person's door, or possibly get a search warrant. Granted, the person who has it may still claim it was purchased from some third party, but when police are standing in someone's home, showing them pictures of their own faces taken through the laptop camera, and saying, "Give us the laptop now, or we'll come back with a search warrant", the chances are excellent that it will be handed over.
No one may be prosecuted, but you'll at least have your property back. Of course, this scenario presumes that the police care enough to follow through with the information you provide. In larger cities, they may not bother, but in smaller towns and rural areas, they may be very happy to assist when you present all the evidence they need on a silver platter.
If it's one thing I know, it's the LAW, and that's ENTRAPMENT!
If the one thing you think you know is the law, I have some bad news for you. First off, only the police can entrap, (from a legal point of view). Secondly, setting bait does not equal entrapment. And that isn't even what happened here. In short, the one thing you thought you knew, you don't know. That would make you, by your own admission, a know-nothing.
-- sudon't
Air-ride Equipped
Virtually every top comment is a victim-blaming shitfest.
"Ooooh CRIME he's a hacker! Arrest the victim!"
"Every security expert encrypts every piece of technology they own regardless of circumstances! It's his own fault!"
".. and they ALWAYS take every possession with them everywhere they go, and never lock anything in their vehicle, because they're infallible! Clearly he's not an expert!"
"That poor thief. ;("
Ugh.
A government is a body of people notably ungoverned - AC
FYI I've been a fulltime security professional for 20 years. My advice is based on what I actually do when your bank hires me to test their security, how I can actually hack your accounts.
> No, the problem is, you try to seperate, what seems important and confidential to you. And there is the mistake. ...
> Because it requires you to think about what's confidential all the time.
> reading some private e-mails won't hurt now, because if they are left in the cache in your firefox profile
I never said "encrypt one file at a time". I said encrypt YOUR files separate from your (soon to be ex-) wife's files. That includes /home/allo/.cache/mozilla/firefox/
Obviously you might *also* separately encrypt your most important files, such as a password manager datastore, a second time. But no you don't have to think about what to encrypt, all of your personal files are encrypted, including your browser cache.
> Why would you encrypt /home and not /? Is there any reason preventing / encryption? No. ...
> So you install your system, make a checkmark at "full encryption"
That SEEMS like a good idea, if your understanding of encryption is checking a box. As one of the guys who implements what happens when you check that box, I think maybe we should remove that checkbox so it doesn't mislead you. It LOOKS like it makes your system secure, right? Unfortunately, it mostly just makes your system slower. I can still see your ECB penguin. :)
There are both practical and technical problems with full-disk as opposed to per-user. The biggest practical problem is easily summarized as:
Do you want your files to be accessible to your soon to be ex- wife?
Generally, no, users should not have access to another user's files. When your visiting step-brother asks to borrow your laptop, he should not be handed an unencrypted copy of all of your personal and business files.
There is also a fundamental technical problem with full-disk encryption such that full-disk can either either be weak, or ridiculously slow, in most cases. It has to do with what are called "cipher modes". ECB is reasonably fast, but provides little security. CBC is secure, but modifying one sector requires updating every sector on the disk which follows it (meaning it takes a few minutes to save 1KB). Other modes are in between the two. We think that we *might* have that problem beat with a new approach, but I don't trust it yet.
> If you need to decide what ends up in your backup, you may forget something important. If you backup everything, you will have everything and cannot forget something important. The same applies for encryption.
That's absolutely true for backup, definitely. The only backup systems I recommend backup the whole damn machine. The system I designed makes *bootable* backups, that can be booted in-place as virtual machines. For encrypting and otherwise securing confidential data, there's a fundamental conflict between availability vs confidentiality and integrity. You may want to make your mp3 files openly available on your network, so you can play them with any device in the building. You might even store them in the cloud, easily accessible over the internet. You should NOT make your most confidential data readily accessible to every device on your network, including your IP camera and other cheap IoT devices with a thousand vulnerabilities each. If you're serious about security, you DO need to think about which items should be easily accessible to everyone in the company/house and which should be locked down tight.
I'll give you an extreme example of identifying the most confidential data and a very common example of failing to do so. The Coca-Cola company has perhaps a million documents that shouldn't be published on their web site, documents for employees only. Only their 146,000 employees have access to those documents, because they have s
> Your thought process is akin to saying it makes no sense to spend $5k to patch a 2" crack in a dam because the crack is only 2".
No, the dam is extremely high value, therefore you pay attention to it. When the Banqiao hydroelectric dam failed, it killed hundreds of thousands of people. So the dam is at the top of your "most protected" list. What I'm saying is this:
There's a 2 inch crack in the dam, and a 2 inch crack in the parking lot. What's your first step? Your second step?
Obviously your first step is "fix the crack in the *dam*". The correct second step is less obvious - look for more cracks in the dam. You shouldn't worry about the 2" parking lot crack until you've double checked everything about the dam. Again, see Banqiao.