Distributed.net Captures Laptop Thieves.
Octal writes "According to this story, there is a little-known advantage to running a distributed.net client from your start-up script. On two separate occasions, laptops have been stolen, and then returned, by tracing the IPs of rc5des clients that criminals forgot to remove."
Microsoft GPS Computer Locater v2.xx . . .
Initializing GPS . .
Connecting . .
Transmitting computer location . . . .
Location transmitted to database.
The dots were timed out randomly, and for the version info I just copied something from a real Microsxxx driver, so it looked pretty real to those who didn't know better (like most of the people in my office). Obviously this would never get back a stolen computer, but thinking of the reaction of anyone who stole the computer and saw this when they turned it on was enough.
M
Anyone running distributed.net software on a laptop most likely installed it themselves, and is fully aware that it sends information back over the network.
Choosing to do something is totally different than software that does something you're not even aware of without your consent. THAT is a privacy violation.
>They wouldn't have to crack your Linux password,
>they would just have to boot off a Linux
>boot floppy,
Maybe on yours, but mine is configured to boot only from the hard drive, and changing *this* requires a password stored in flash memory (or whatever it is). Eliminating *that* can be done, but iirc, it's going to take special equipment (remove chip from board & flash) or a dealer.
Wow! They found the thieves because the stolen laptops had an application that contained a unique UID, and sent periodic network announcements to a centralised body.
:-)
Gosh, if everyone had one of those on their computer, computer crime would be greatly reduced! And if it was built into the OS or even the firmware, it would be hard for thieves to remove.
So, let's petition Intel and AMD and MS to get together so that all new computers report in a unique ID to a central body over the network whenever they have a live net connection.
Yeah! That'd be great..
giggle
-----
It seems to me that this would be an ENORMOUS performance impact on the clients as they are. People keep shouting for them to code it "right", and do it only in the True Method of All Things Coded: OpenSource, but what they don't realize is that in order to beef it up cryptographically to ensure that results are indeed calculated and not forged, you'd have to take an incredible performance hit.
Now would you honestly prefer that D.net progress be *halved* as a result of them turning to the Good Side of the Force? C'mon..
I completely agree with D.net's reasoning and their decision to remain closed for now.
I'm not "bashing" OpenSource. I simply feel that there are certain times when keeping your source code closed and proprietary is perfectly justifiable. This is one such case.
And yes, performance will be *drastically* reduced. Perhaps not halved, but at least on the order of 20% or more.
All of these calculations have been optimized to an obscene degree. It's all done down to the assembly code level. Taking and storing mid-calculation data and performing a checksum/cryptographic hash/whatever on it will be an *enormous* performance hit, relative to the highly optimized calculation loop that's being performed on the data.
Now I have no actual numbers to base this on, but I believe the D.net crew said almost as much (with a number in the same range) on their web site, or in some message someplace. Check out their FAQ or something for details. They explain why they remain OpenSource, and I think their explanation is perfectly adequate.
You're totally right. All closed source software is inherently EVIL, and all companies who release closed-source software are themselves spawns of satan.
Who cares if we have to make all of our software cryptographically secure if we want to be able to trust their output? Who cares if this security HALVES the performance of CPU-critical tasks like D.net? OpenSource is always good, and if making programs cryptographically secure is the only way for OpenSource programs to give us trustable, reliable results, then by golly that's the way it must be done, because OpenSource is the True Path. OpenSource is the Light. Programming to pay bills is the path of the Dark. Fear the Dark. Oppress the Dark. Closed-source programming is the path of Evil. All evil must be destroyed.
The distributed.net client takes active effort to set up. The Microsoft tracker is enabled by default, and takes active effort to disable. That distinction makes all the difference in the world.
Blah. So what? With local console access I could break into any x86 machine I've ever seen. Sometimes it takes a lot of effort, but if the machine is stolen and I have the time to open it I can get into it. No x86 box I've ever seen stores passwords anywhere other than CMOS, that is erasable via a jumper on the motherboard or removing the battery for a while. Even in the off chance it were FLASH, just call around a bit. There are always chips available. Not to mention most Flashable BIOS units have a special key combo you can use to initialize the FLASH sequence, used in case you try to update your FLASH and it doesn't work right and kills your box. It just loads the flash image from floppy.
;) Of course the image name could be different, hit tab. ;) I believe there is even a key combo to get the lilo prompt if it's set to not show it.
As for getting into Linux, how do you boot? LILO probably, most people running Linux use it. At the prompt just type "linux single" sometime and see what it does.
Or I could just take out the HD and put another one in. Most systems are set to autodetect the HDs on bootup, and will change the config automatically without needing BIOS config.
Of course, the point of this message is that nothing is secure if the attacker has physical access to it. Crackers have broken hardware security many times in the past, and probably will continue to. Most dongles are crackable, Playstation, DVD Region codes, Computers, Networks, and probably a ton of other stuff I haven't thought of.
You know, tracking computers after they've been stolen is really simple. You don't even need an internet connection. There are companies out there selling anti-cartheft chips that are basically miniature transmitters. When the vehicle is stolen, you call up the company, and they activate the chip via a satellite downlink, and then it's a simple matter of tracking down the signal.
Similar technology could easily be implemented for computers without all the privacy hoopla surrounding software or the "UID" stuff intel would have you believe is really there for your own good.
--
The SB1200 doesn't store the MAC address. Even if it did, all you need to do is open your browser and click on this link, which will reset your modem to its factory defaults. This is also useful when the modem periodically fouls up and garbles all your configuration information (usually resulting in a "serial port error" whenever you try to connect).
--
Several reasons:
- You install distributed.net expressly to send stuff back. Distributed.net tells you explicitly that it is doing so.
- Distributed.net only sends things back that are related to its mission.
- You install Microsoft Office to do word processing, create spreadsheets or run a database. None of these missions require an ongoing information exchange with Microsoft.
- Microsoft includes this information in their .doc format without informing you, and without giving you a chance to opt out.
- Microsoft is a large company that many people distrust because of similar fiascos in the past. As a result, our comfort level with giving them information is likely to be lower than with distributed.
D
----
I disagree. The way I see it, is that it's very similar to slashdot logging your IP address when you connect. Pretty much everything on the internet will log your IP address when you connect to it. Also, rc5 is completely optional, it's not like windows logging your IP every time you connect to the internet without your knowledge or consent.
-matt
I do understand their reasoning for keeping it closed though. The way the current system is set up it's very open to people writing hacked clients to skew the results. Right now, it would require someone with some technical expertise to write said client. If they open sourced it, any idiot with a little C knowledge could write a hacked client. It's security through obscurity, but it's still some security. I think the real answer to this, however, is that they implement some checking on the server end to verify the results so people can hack their client all they want.
-matt
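Added example, not part of the original thread and not distributed.net's code: one way the server-side checking suggested above could work, where each client returns a residue (a digest over every trial output in its block) and the server recomputes a random sample of blocks. The toy cipher, the key, the client names and all function names are assumptions made for illustration.

```python
import hashlib
import random

SECRET_KEY = 0x2A7F1                     # constructed: the key the toy contest hides
PLAINTEXT = b"The unknown message is:"   # constructed known plaintext

def toy_encrypt(key: int, data: bytes) -> bytes:
    """Stand-in for the contest cipher (NOT RC5): a keyed hash, truncated."""
    return hashlib.sha256(key.to_bytes(4, "big") + data).digest()[:8]

TARGET = toy_encrypt(SECRET_KEY, PLAINTEXT)

def search_block(start: int, size: int):
    """Honest client: test every key in the block, return (found_key, residue).
    The residue covers every trial output, so it cannot be produced without
    doing the work. It is also the per-key overhead the thread argues about."""
    digest, found = hashlib.sha256(), None
    for key in range(start, start + size):
        ct = toy_encrypt(key, PLAINTEXT)
        digest.update(ct)
        if ct == TARGET:
            found = key
    return found, digest.hexdigest()

def forged_report(start: int, size: int):
    """Hacked client: reports the block as searched without testing any key."""
    return None, hashlib.sha256(b"fake%d" % start).hexdigest()

def audit(reports, sample_rate: float, rng: random.Random):
    """Server: recompute a random sample of blocks, return clients that lied."""
    cheaters = set()
    for client, start, size, found, residue in reports:
        if rng.random() < sample_rate and search_block(start, size) != (found, residue):
            cheaters.add(client)
    return cheaters

def demo_reports(block: int = 1024):
    """Constructed submissions: 'alice' is honest, 'mallory' forges results."""
    reports = []
    for i in range(4):
        start = 173056 + i * block       # alice's first block contains SECRET_KEY
        reports.append(("alice", start, block) + search_block(start, block))
        fake_start = start + 8 * block
        reports.append(("mallory", fake_start, block) + forged_report(fake_start, block))
    return reports

if __name__ == "__main__":
    print(audit(demo_reports(), 0.5, random.Random()))
```

The server pays roughly `sample_rate` of the total search cost for the audit, and a client forging n blocks escapes detection with probability (1 - sample_rate)^n.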
I think most non-intel systems have power on passwords that are stored in PROM. These things don't need a battery to survive, and if you forget it you better hope you have a PROM programmer ready.
-matt
They wouldn't have to crack your Linux password, they would just have to boot off a Linux boot floppy, mount your partition and edit your /etc/passwd or /etc/shadow to delete your password altogether.
I personally use a BIOS password, but then I'm sure there's a jumper I could short inside the damn thing to get rid of it. What we need is encrypted file systems, non-overridable BIOS passwords and the like, (but then what do we do when we really forget the password???)
When someone steals your cell phone, and then they answer the phone before the number is changed.
Anyway, this could be a good way to sell distributed.net to companies. I know big corps would trade their extra cpu cycles for the safety of their most expensive machines. Oh, well. Just a thought
geach
Which "them" is that? HNN, mindsec, d.net, Microsoft?
I remember reading about someone recovering his PC the same way coz the lamebrain who had bought it from the thieves just plugged it in, connected to the net and ICQ connected to ICQ server. The owner discovered his ICQ account was active, tracerouted back, and called the ISP.
Can anyone find a link to that story?
---
On the surface, this might appear to be the same kind of thing. But there's a pretty big difference on several points.
First, the intent of d.net software is not to identify and track an individual. Logging IP addresses, and consequently being able to convince an ISP to identify that address to a customer account, is a byproduct of system logs. It's a common convention to the net. I'm accepting of this since, generally, such logs are used for administrative purposes and discarded after a period of time. A smart business will have a policy to ensure these logs are dropped as soon as they become obsolete to avoid legal hassles ("Sure, we'd like to provide you that information and get caught up in your litigation... but we have a long-standing policy to delete logs after X days."). Less-intelligent companies use them as gimmicks. In this case, everyone was able to act fast enough on a good enough reason to track down a thief. It's a byproduct, not the original intent.
Secondly, it is a software mechanism and not non-removable firmware. If, today, you decide you're just too uncomfortable with the whole idea of being able to be tracked via your d.net client... you can remove it. Delete it. It's gone. The PIII ID code could not be removed. And, furthermore, it could be activated without the user's knowledge.
Finally, as stated by other people... d.net software is an "opt in" system. The PIII ID originally shipped activated; you had to run specialized code to deactivate it. The implication is that it required prior knowledge as well as additional effort to NOT report your identity and invade your privacy. The d.net client requires prior knowledge and additional effort to activate - by default it will never report your existence.
The whole idea of invasion of privacy is NOT the ability to be identified. The distinction is whether you consent to that identification.
>but then what do we do when we really forget the password???
Restore from backups?
Ale