Software to track stolen laptops
May 28, 2009 5:32 AM   Subscribe

This is great news. I know there was other software that does this, but I'm pretty sure it was free as in you pay them cash.
posted by dunkadunc at 5:37 AM on May 28, 2009 [1 favorite]

Great. I await a Google mashup that also tells you if the beer in the pub where your laptop is currently being sold is any good.
posted by MuffinMan at 5:41 AM on May 28, 2009 [3 favorites]

Pretty nifty. I had a cron wget pointed to a file on my web server. At least I'd be able to get the IP. This looks like a much better idea.
posted by odinsdream at 5:43 AM on May 28, 2009

I just got a Nokia N810, maybe I should run this or something like it. Then again...why? How interested are the police going to be in the (probably incomprehensible to them) evidence of a relatively minor theft like this?
posted by DU at 5:44 AM on May 28, 2009 [1 favorite]

This sounds interesting. I will look into the details now. Thanks for sharing.
posted by LittleMissItneg at 5:45 AM on May 28, 2009

I'd like to see this kind of thing burned into laptop's bioses, so that it can't be gotten rid of even if . The only problem is manufacturers would probably want the data to go through them, rather then letting users setup their own listeners like prey does. I wouldn't want a laptop that 'phone's home' all the time to some random 3rd party.
posted by delmoi at 5:45 AM on May 28, 2009

"Pretty nifty. I had a cron wget pointed to a file on my web server. At least I'd be able to get the IP. This looks like a much better idea."

Unless the thief's a geek or you're running OSX, I would expect any computer thief to wipe any Linux install right fast.
posted by dunkadunc at 5:48 AM on May 28, 2009 [2 favorites]

Since I'm not a programming whiz who can just "check the code" to understand how this program works, as the creators suggest, can anyone tell me just how safe this is? I.e. how (or whether) the data is stored somewhere, whether it's sent by secure means, etc.

Interestingly, in checking up on my current solution for this, Adeona, I found out that that service currently isn't working at all. Wish they'd informed users of that in some way!
posted by limeonaire at 5:49 AM on May 28, 2009 [1 favorite]

If you want to help us out with the code, we host our repo in Github so you can start by forking it and getting your hands dirty.

This just does not translate well. (from the proprietor's native Spanish, I think)
posted by nosila at 5:50 AM on May 28, 2009 [1 favorite]

I would much rather have full disk encryption on my laptop than something like this. And unless it's built into the BIOS, the two are mutually exclusive (in practice).
posted by Flunkie at 5:50 AM on May 28, 2009

No, it's translated perfectly. It's just in Geek, not English.
posted by DU at 6:05 AM on May 28, 2009 [17 favorites]

I can't find the default address Prey sends to, nor can I find any information on how to uninstall.

A program, with an installer in spanish(which I don't speak), that sends screenshots of me and my desktop at 10 minute intervals to a random address i don't know about on the internet...
posted by svenni at 6:13 AM on May 28, 2009

limeonaire, I took a quick glance at the code (but I'm not all that hot with Perl, so take it with a grain of salt).

They seem to be storing the SMTP password (the password used to authenticate yourself to your outgoing mail server) insecurely, though it is on their todo list.

I didn't notice any logging of this data, nor any sending to a third-party, although obviously that would be written specifically hard to notice and as I said I'm not that hot.

Finally, there doesn't seem to be an option for encrypting your email using PGP or anything similar, which is where I'm really surprised. So if you're paranoid about the gov't tracking you, I would make sure that this only runs if you modify a webpage under your control, which they can do.

I would take from everything I said above that it's not perfect, but that the failings are mainly that they haven't gotten around to it, and that they don't seem malicious.
posted by Lemurrhea at 6:15 AM on May 28, 2009 [3 favorites]

How do I download a version that I can install on someone else's computer remotely and track everything that person does?
posted by pracowity at 6:17 AM on May 28, 2009

Should have previewed.

Svenni, the config file implies that the default location is mailbox@domain.com. Ooh, actually, that's a mistake, since domain.com is a real domain. Probably a screwup on their end.

More to the point, during the setup, if you leave a blank email address, you'll be getting an error message about it. So there isn't really a default.
posted by Lemurrhea at 6:19 AM on May 28, 2009

I am definitely not a programmer, but...

What's to stop the individuals who wrote this code from monitoring fully-detailed network and wifi information about my system, screenshots of my running desktop and webcam pictures of me if I install this?

Sounds like a hacker's dream. Perhaps we are the prey?
posted by LakesideOrion at 6:29 AM on May 28, 2009 [1 favorite]

Because it sends the data to an email address of your choice, not to them. Did you read the article?
posted by dunkadunc at 6:33 AM on May 28, 2009

macosxhints has a more hands on solution with more options, but this one seems cleaner. A better transport for geeks might be ssh using a restricted password-less key which also forwarded local port 22, thus allowing an ssh connection back into the machine. Btw, his english is fine and it's bash, not perl. lol
posted by jeffburdges at 6:39 AM on May 28, 2009 [1 favorite]

The nice thing about opensource software is that it has a built in peer review cycle in what is essentially an honor culture. A university professor might not do much more than scan the paper he's supposed to be reviewing. A teenage hacker? Some sort of software development version of a knife fight in a pit is what gets him out of bed in the morning.

That's not to say that this sort of thing is flawless, but blatant malware is going to be tough to sneak through.
posted by Kid Charlemagne at 6:43 AM on May 28, 2009 [1 favorite]

It doesn't have to take pictures of you every ten minutes. You could set it to run only if you don't provide some code word/action on bootup, for instance. That would reduce network and battery usage as well.
posted by DU at 6:44 AM on May 28, 2009

That's not to say that this sort of thing is flawless, but blatant malware is going to be tough to sneak through.

Tough but not Impossible
posted by delmoi at 6:59 AM on May 28, 2009

No eponysterical comments yet?
posted by Halloween Jack at 7:13 AM on May 28, 2009

Awesome! I downloaded and unpacked the Linux package, and I'm looking at prey.sh.

It's got a feature that you can enable to change the desktop background, alerting anyone nearby that THIS IS A STOLEN LAPTOP.

I wonder how hard it would be to encrypt the SMTP password. The default SMTP server is gmail (which means it should be accessible as long as the stolen laptop is connected to the Internet).

Looks like they haven't gotten any English-language media coverage yet.
posted by russilwvong at 7:26 AM on May 28, 2009

I heard of another program, Undercover (mac only) a while back, and I was amazed at some of their testimonials. I too thought, any computer thief would start wiping the hard drive right away.

Most thieves are pretty dumb. Like this guy, he's just deleting everything. While sitting on a toilet, apparently. And then goes on to play some WoW.

Undercover has a nice plan B. They actively try to catch the thief, but also understand that the laptop is going to change hands, possibly to an upstanding citizen who thought they were buying a legit laptop. It simulates a hardware failure, prompting a sale or return to Apple, and then "Screams and Shouts" that this is a stolen laptop, there will be a finders reward, and all the contact info of the company.
posted by fontophilic at 7:37 AM on May 28, 2009 [5 favorites]

and it's bash, not perl. lol

"#!/usr/bin/perl -w [...]
use strict;
use IO::Socket; [...]
eval { require IO::Socket::SSL; };
if ($@) { $conf{'tls_client'} = 0; }
else { $conf{'tls_client'} = 1; } [...] "

From sendEmail. lol.
posted by Lemurrhea at 7:45 AM on May 28, 2009

Btw, his english is fine and it's bash, not perl. lol

sendEmail is a 2200-line(!) perl script. The rest of it is a few bash scripts.

The OS X installer is a native app, which I don't see in the source tree. Given that it's running as root, it would have been nice if they'd used a less opaque .pkg installer.
posted by Combustible Edison Lighthouse at 7:58 AM on May 28, 2009 [1 favorite]

dunkadunc: I'd be happy to hold on to your bank account info and pictures of your family. I promise to only send them back to the email address you specify. : )
posted by LakesideOrion at 8:03 AM on May 28, 2009

Well, isightcapture is written in C, but that isn't his program either. Btw, SendEmail even has a wikipedia entry, so swap in the original if your worried about it. I see nothing new here except for bash scripts.
posted by jeffburdges at 8:12 AM on May 28, 2009

I'm not sure why he credits Michal Ludvig for the SMTP client rather than Brandon Zehm's SendEmail, but likely just outdated.
posted by jeffburdges at 8:14 AM on May 28, 2009

A friend of mine got his laptop stolen this past weekend. The thief proceeded to upload pictures to his picasa account. He is trying to get the IP from google and then hand it over to the cops.

In this case he didn't need to phone home, the dumb thief did it for him...
posted by SirOmega at 8:23 AM on May 28, 2009 [1 favorite]

I appears Undercover has all the associated side risks that are worrying people here, by virtue of being a commercial product, but they provide the added feature that they figure out if their in an Apple Store before telling the user the computer is stolen. A nice compromise is this fake error message used by the "raw" script I linked up thread, which is designed to get the laptop into the store and out of the users hands before anyone figures out that the machine is stolen.
posted by jeffburdges at 8:31 AM on May 28, 2009

Unless the thief's a geek or you're running OSX, I would expect any computer thief to wipe any Linux install right fast.

Yes, it's OSX.
posted by odinsdream at 8:50 AM on May 28, 2009

LakesideOrion: That analogy makes no sense. This program runs on your computer. Its source is completely open, and in fact the program is the source, since it's all script based.

Do you run Quicken or something like it? A photo manager? They're "holding on" to your information as much as this program is.
posted by kmz at 9:55 AM on May 28, 2009

They seem to be storing the SMTP password (the password used to authenticate yourself to your outgoing mail server) insecurely, though it is on their todo list.

There's not really a good way to get around that. At some point the program needs to access the password in plain form.
posted by kmz at 10:04 AM on May 28, 2009

LakesideOrion: "dunkadunc: I'd be happy to hold on to your bank account info and pictures of your family. I promise to only send them back to the email address you specify. : )"

This is idiotic. The program is open source. Do you know what open source means? Did you actually RTFA?

I hate it when people come in blathering without even having read the article.
posted by dunkadunc at 10:23 AM on May 28, 2009

I think they could go a step further than using iSight by putting in OpenCV image face recognition to get a better chance of getting the face of a user.
posted by plinth at 10:41 AM on May 28, 2009

Undercover also sends you screenshots of what the thief is doing, photos of the thief via iSight, and a Skyhook-based approximation of their physical location. It's well worth the money if you have a Mac.

(If you do install one of these applications, you should enable a guest account, so the thief can get on the internet without your password. You can also make it harder for them to wipe the hard drive by setting up a firmware password.)
posted by designbot at 11:10 AM on May 28, 2009 [1 favorite]

I'd avoid Undercover for exactly all the privacy, banking, etc. reasons that worried people upthead. Prey is easy to install and screen for malicious code, plus the author can't later abuse it. If your geeky, then you'd benefit more from using an ssh for the transport layer, but still.
posted by jeffburdges at 12:15 PM on May 28, 2009

"There's not really a good way to get around that. At some point the program needs to access the password in plain form."

It can be encrypted on the computer and decrypted on the fly as needed, which is how email clients do it. However, it can't be a one-way hash as is used mostly for server session logins, because the client program couldn't actually use that to login.
posted by krinklyfig at 1:14 PM on May 28, 2009

Yes, but in an open-source program, the decryption method is easily available. As you said, you can't use hashes or other non-symmetric encryption methods. At some point, the program has to have the password in plain form. And that means that you too can find the password in plain form, assuming you have access to the same things the program does.

I suppose the real solution would be something like SSH keys, but I don't know of any email servers that support that.
posted by kmz at 1:27 PM on May 28, 2009

This is genius. Except one little thing. The first thing a thief does after stealing a laptop is to format it.
posted by dearsina at 2:49 PM on May 28, 2009

Dearsina, that may well be the case for informed thieves, but many laptop thefts are thefts of opportunity by people who are not necessarily deeply technical. Bike locks are genius except for the 'one little thing' that dedicated bike thieves carry bolt cutters.
posted by Fraxas at 4:55 PM on May 28, 2009

They claim it runs on all operating systems, but there are alternatives to Linux, OS X and Windows (all of which have installation instructions there).
posted by spaceman_spiff at 8:35 PM on May 28, 2009

I'm hoping they start running this stuff in the BIOS on startup.
posted by BrotherCaine at 10:23 PM on May 28, 2009

They claim it runs on all operating systems, but there are alternatives to Linux, OS X and Windows (all of which have installation instructions there).

It appears to be a shell script that ties together some Perl scripts. Therefore the Linux version will run on anything reasonably UNIX-like, which along with the Windows and OSX versions covers all the operating systems anyone would be likely to run. I guess it wouldn't run on, like, an Amiga or something, but neither will anything else.
posted by DecemberBoy at 10:24 PM on May 28, 2009

Nice find. I rolled my own when SP1 was out,with a kludge vbscript. But since then I just went for whole drive encryption. I won't get my laptop back, but it's a brick without the password. I use trucrypt. I've often thought about starting an ASM project that runs when an incorrect password is used at the trucrypt prompt. But never looked into it. Something that looks for connectivity and sends an external ip address via smtp or something. I don't even know if that is feasible though.
posted by kapu at 10:00 PM on May 31, 2009

I've installed Prey 0.2 on my EEE and added an enhancement: execute the downloaded URL.

If I lose the EEE, the next time it connects to the Internet, I can tell it to delete all my files. Or download more files (using wget) and do pretty much anything--turn up the volume and play an arbitrary sound file, for example.
posted by russilwvong at 3:57 PM on June 13, 2009