What Are the Best Laptop Theft Recovery Measures?

BarlowBrad writes "Yesterday my house was broken into and among other things two laptops were stolen. Getting past the feeling of violation, I am looking to the future and how to both prevent theft and recover computers should it happen again. I have found various services that claim to track and recover stolen laptops such as LoJack for Laptops, Computrace, GadgetTrak and Undercover, but I (obviously) have no experience with any of them. I also know that Intel will be coming out with a new anti-theft technology chip, but that isn't supposed to come out until the fourth quarter and I'll be replacing the laptops before then. Does Slashdot have a recommendation between these services or suggestions for another?" Read on for a related question about automating this process.

BarlowBrad continues: "I have also wondered if there is a 'home brew' solution that I could cook up myself. I'm not an elite programmer, but I am somewhat computer savvy and open to ideas. At least one of the replacement laptops will have to be a Windows machine, but the other may be a Mac or run Linux, so ideally I'd want a solution for multiple platforms. Perhaps a script that sends an email with the IP address every time the computer connects to the internet? Or is there already something out there like that in the Open Source community?"

Dynamic IP script

Just look into one of the scripts to update a dynamic IP address with a dynamic DNS service, and set it up to be automatic. As soon as the computer connects, it will update the address.

Dynamic Waste of Time

Unless you're talking about a casual theft by somebody who intends to sell the laptop on the street, or for their own use, this won't work. If the laptop is fenced, the first thing the fence will do is wipe the hard drive. They do this to remove any trace of the original owner, though it also prevents any phone-home scenario.

Recent products like Computrace/LoJack (same product, different brands) can be installed in the BIOS so a disk wipe doesn't affect them. The catch is that it has to be installed at the factory, so you have to buy the security software (and an annual subscription) when you buy a new laptop. Also, it isn't that hard to reflash a BIOS....

I shouldn't need to point out that you should also have a bare-metal recovery backup. In fact, that's probably more important than any anti-theft measure: paying $1K for a new laptop hurts, but not as much as losing all the work that's on your laptop. A bare-metal solution spares you the hassle of re-installing all your applications and re-applying all the customizations we geeks love to do.

Re:Dynamic Waste of Time

Recent products like Computrace/LoJack (same product, different brands) can be installed in the BIOS so a disk wipe doesn't affect them. The catch is that it has to be installed at the factory, so you have to buy the security software (and an annual subscription) when you buy a new laptop. Also, it isn't that hard to reflash a BIOS....

Not true at all...we install Computrace on all laptops and random desktops/servers in my business....we're a dell shop, so all the new dell laptops have the module for Computrace in the BIOS. Installing computrace activates the "persistence" module in the laptop. The annual subscription that we pay Dell is something like 36/year, so for 3 bucks a month, it's worthwhile.

One thing we found out from experience is you want to followup with Absolute and make sure the machine is calling in daily, or whenever it's on (it tries once a day). If the machine is stolen but it hasn't been called in for 30 days or more, the recovery guarantee is not in place. They'll still try and recover it, but they won't give you the $1000 or whatever if it's not found. Also, you have the option to void the recovery guarantee and instead have a "data delete" option, so that any sensitive data on the machine is wiped with the hard drive.

I've never seen a statistic on wiping the BIOS, but I'd be willing to be it'd be more difficult than beneficial. Besides, if someone's going to be so thorough to wipe the BIOS, they know the software is on there, and will be taking steps to avoid it getting it's beacon out to the net.

Disclaimer: I have no relationship with Absolute (Computrace) other than I am a paying customer.

And then what?

Yup, there are many ways to learn the IP address/addresses of your computer once it has been stolen. Thing is, what can you do about it then? I've read far too many reports about people who know what addresses have been used by their stolen computers, but have been unable to get ISPs and even law enforcement to get involved and track down the stolen hardware. The ISPs simply are not going to co-operate with you, and law enforcement responses can range wildly. While there may be a few exceptional individuals who will help track a stolen laptop, from what I have read one should not be at all surprised to get a less helpful response from law enforcement.

It could be a good idea to hide a little DYNDNS update routine on each of one's computers (and thankfully DYNDNS will even give you multiple IDs that you can update, so you can have a different one for each computer). But I'll want to see a lot more positive feedback by people who did this or similar things before I will think it's very likely to be helpful. Now if you had a GPS in that laptop and sent out it's coordinates when updating, you might be able to do yourself a lot more good (unfortunately, GPS doesn't work well indoors).

Get Creative

Perhaps a script that sends an email with the IP address every time the computer connects to the internet?

Dude, the scumbag just stole your laptop. Get creative. Instead of just having the a bot or something send you an email so you can identify them, go this route. Have it send an email to a bunch of .mil and .gov addresses that reads like this:

ALLAH ALLAH!!! I want to NUCLEAR BOMB the white house!!! I have a sleeper cell that already has a plan in place to kidnap beautiful AMERICAN CHILDREN and teach them ISLAM!!! DEATH TO GEORGE BUSH!!!

You could add in whatever else you feel like. That stuff was just off the top of my head.

Re:Get Creative

I'm pretty sure the submitter wants his laptop back in addition to catching the perpetrator.

Re:Get Creative

Hey, let's do this right. The language you use sounds like a prank. The government probably gets hundreds of similar messages every day. You need to troll some Islamist web sites and copy some standard rants. Lots of "in the name of Allah the merciful" and stuff like that.

Also copy some Arabic text. It doesn't matter what, since very few of our intrepid warriors against terrorism speak any foreign languages. The text could say, "Gilligan's Island reruns (dubbed in Arabic) will appear on Tripoli TV Thursdays at 6" and it will still come across as a hate message from Osama himself.

Re:Get Creative

I think most of thieves won't even turn the laptop on, mostly because they don't need to, and in part because they may not know what to do next. A typical install of any OS these days is protected with a user name and a password; they may be weak, but what's the upside for the thief to waste time trying to get to that user's typically useless data?

If the thief is any good in his trade, instead of leaving his fingerprints all over the notebook he should place it in a bag and deliver directly to a reseller of such goods. The said reseller knows what to do - to immediately format the HDD, for example. Or, if the reseller is smart, to boot from a CD and make a backup, then explore the contents using a different OS. In either case, none of owner's scripts will run.

The best practice I could think of is to set up a full disk encryption, and a BIOS password, just to make those guys work hard (and in vain) if they want to get to your data or even to resell the laptop. But once they have your hardware, they will keep it or trash it if it's too much trouble; the owner won't be getting it back.

Nonstandard Look might help

I have a big self-printed Linux Sticker on top, with clear foil on top of it and 2cm over the edges. While it is possible to remove it without trace, any thief will not know that and there is a reasonable chance they will stay away. At least if they are competent thieves. People that break into flats typically are not.

Better Sticker:

"Cellular GPS LoJack Id: 81231982
  If found contact: 123-456-7890"

If you are savy enough, hack BIOS to display the same message at boot time (some BIOSes allow you to add your own images - thats one way, or add message to MBR)

Better yet, on boot print "GPS position is acquired and transmitted."

Probably won't get your laptop back, but may mess with their heads and make them wonder if they are being tracked by hardware. ;-)

-Em

DIY solution

a) run an openSSH or VNC server, and
b) write a cronjob/Scheduled Task to shoot a ping at some IP address you control periodically whenever IP connectivity is present.

This will only work if your computer appears to be usable by a thief without wiping the OS. If the thief is dumb, he'll at least try and get on the Internet with it, and then you can swoop in and pwn him.

Glue

Glue your laptop to your desk. I won't guarantee that it will not get stolen, but it is a lot harder to steal an entire desk than a single laptop.

Re:Glue

Yes, I do it all the time with my car. TRY STEALING IT NOW!!

Recovery, Not. Denial, Maybe.

Forget recovery. If you had color glossy photos with circles and arrows the cops will STILL not bust into someone's home to recover your laptop.

You can't get them to stop crime in progress, let alone last week's crime.

Denial of use of stolen laptops is the best bet. Not only denial of access to the data, but denial of use of the hardware, or making it very expensive and suspect when trying to get a stolen box running.

This means encrypting drives, biometric readers, or any number of additional features, most of which are expensive, some of which do impose a hurdle for the thief.

Encrypted drives are becoming mainstream and easily affordable, and generally do work to keep your data safe.

But none of this will prevent you from losing the box to a thief. They will steal it anyway, even if they dump it in the trash because they can't make it work.

Sending an email with an IP does nothing. Installing dyndns.org IP updater software would work just a well. It leaves a record in a remote place, but savvy thief would know how to erase that, just as they would know how to prevent your email from going out.

Even if you find the IP of the stolen box, the ISP will need a court order to reveal the location to you. Good luck with that. Cops won't take action. They will tell you to file an insurance claim and move on.

Side note: Thieves are seldom savvy. If they had any brains they would get a less risky job. So chances of them disabling any counter measures are fairly slim.

Re:Recovery, Not. Denial, Maybe.

You would be surprised. Cops LOVE computrace. The know that generally when they go to find a laptop using this service, they will find OTHER criminal activity in the process.

One example computrace boasts is the chop shop that was inadvertantly raided thanks to a computrace recovery.

Besides, Computrace makes it easy on the cops. they get directions to the loot. No real investigative hassle on thier part.

Re:Recovery, Not. Denial, Maybe.

Agree. This is probably why it makes sense to go ahead and pay for this service rather than try to go it alone. If you write some fancy script then the GP is right--there isn't much you can do from there short of getting a court order.

In the longer run it will make sense to have a dedicated service provider who has existing contacts within law enforcement.

Layers of security

The old standby goes -- there's no one security measure that's perfect, but you can make it a lot easier.

The first and most obvious layer is physical access. Don't leave your laptop visible in your car when you park. Lock your office doors. Don't leave it at a coffee house when you go to the bathroom.

The second is physical security. Invest in a laptop leash and chain it down if you work in a shared office space environment.

The third layer is physical deterrence. Customize the heck out of your computer. A big engraved security mark (be it your driver's license #, your name, your cell #, your email address, whatever) will turn off thieves. Same if you've got anything else that's obviously unique and can't easily be removed.

The fourth layer is electronic deterrence. A boot password and a screensaver password will deter unskilled theives. There are plenty of skilled thieves who plan to reformat the drives, but a few will be deterred by not being able to sell the laptop on the corner without a password. (If you don't believe me, hang out in midtown NYC long enough and you can get offers to sell hot laptops in the $100 range).

The fifth layer is tracking. Things like LoJack and all the other services. If they boot your laptop it'll contact the network and you can at least have a shot at getting it back. (Note, some of these are not compatible with a boot password). Of course, record your Windows serial # (if you run Windows) and your Dell quick service code (if you use a Dell) or the equivalent for your system. These are uploaded.

The sixth layer is luck. Sometimes people catch theives by webcam, sometimes by stupid emails, sometimes by pure random encouters. You gotta get lucky.

No one of these layers is sufficient and it's silly to talk about LoJack for Laptops if you leave your laptop sitting in the open for somebody to grab it. LoJack is most useful to break open crime rings, not to actually get your laptop back -- by the time the police get around to subpoenaing the ISPs your laptop is gone, but the thieves might not be. I run it, but I don't expect it to save my butt.

Computrace

At my school, all students are provided with a laptop. All computers come loaded with Computrace, and it has never failed to recover a stolen laptop...even ones that have ended up overseas after being wiped and sold on eBay. The only time Computrace fails is if a) the CMOS is physically replaced or b) the laptop never sees an internet connection again.

Undercover (Orbicule)

I have a Macbook Pro and decided to get Undercover for it. It's easy to set up and doesn't require a subscription, unlike some of the other programs out there. I'd read a bit about it before getting it, and the thing that really helped me in the end were the success stories that they have posted on their website [orbicule.com]. The fact that it makes use of the MacBook's built-in video camera to snap pictures of whoever is using it really impressed me.

Now why would I buy this?

I hadn't heard of Computrace / Absolute until about two weeks ago, when we found two computers at my office talking to "search.namequery.com" several times a second. What I find is interesting: A program that installs without my permission or knowledge, takes orders from a 3rd party (up to and including "wipe the hard drive"), and actively resists removal.

One computer was brand-new (MPC/Gateway M685), the other just over a year old (MPC/Gateway E475). The first one they claim was "accidentally" activated at the factory, the second got a motherboard replacement that had this little program "activated" from its prior owner.

The sales rep at MPC/Gateway got the Absolute/Computrace rep on the phone and they both claim that it isn't a virus. Okay, fine, it doesn't self-replicate. Seems to fit darn near every other part of the definition! Their tech-support guy ordered the two computers to disable their BIOS component and uninstall, which THEY DID! The files in C:\Windows\System32 vanished before my eyes.

They were back the next day.

Gateway/MPC doesn't seem to understand my frustration. We spend so much time and money securing our computers and making sure they run only the software we WANT them to run. Now you want me to feel safe with a BIOS-level program that copies itself to FAT32/NTFS partitions and tricks Windows OSes into executing it? This same program that calls a 3rd party and requests instructions? I know of only three instructions it can accept, but what if there are others? ("Stolen, check in every 15 minutes", "Stolen, wipe hard drive", "Disable and uninstall" we know of)

I asked how they secure the disk-wiping function and was not impressed with the answer. They use an RSA token to verify that the right customer called in. I said 'Ok, what about the link to the computer? Is it signed or encrypted?' No answer, they just went back to the RSA token.

Heck, we have BlackBerries that can wipe themselves on remote command but RIM makes a big deal of how the communications are encrypted between the BB and my server. I know that J. Random Cracker isn't going to trick my BB into nuking itself. But what if he spoofs "search.namequery.com" and returns the code for "Nuke HD"? Will their little 200kb program accept the order?

I read that someone found and disabled Computrace/Absolute's BIOS code in a firmware dump and then re-flashed his machine. If I can't pull that off with Gateway/MPC I will have to recommend that we find a vendor that does NOT pre-infect the computers we purchase.

*grumble*

It's too bad that Lojack for Laptops isn't

The real Lojack system, for cars, predates the Internet and GPS. It's pretty good. About 90% of Lojack-equipped cars are recovered when stolen. When you buy Lojack, an installer comes out and installs a little box somewhere on your car. You don't know where, and they have many alternative locations. It gets power from the car, so it keeps itself charged.

The unit finds an FM broadcast station with the Lojack subcarrier and listens for a message with its serial number. If your car is stolen in an area with Lojack coverage (which includes most major US cities), a police stolen car report is copied to Lojack's computers, which then tell the subcarrier transmitter at the broadcast stations to start broadcasting messages with the unit's serial number. The unit in the car then starts emitting a beacon signal.

Lojack has good integration with big-city police departments. They equip police cars with Lojack receivers at Lojack's expense. Any Lojack receiver that's emitting turns on indicators in police cars, showing direction and approximate range. When you see a police car with four antennas in a square on the roof, that car has a Lojack receiver.

In Los Angeles, the LAPD's air force, both rotary and fixed-wing, has Lojack receivers. This has resulted in some dramatic stolen car recoveries. [wsati.org] Cops like the system, because not only do they get cars back, they often find someone they want driving the stolen car.

But "Lojack for Laptops" doesn't use that system. It just reports IP addresses when the unit connects to the Internet. A company called Absolute Software seems to have just licensed the Lojack name; it's apparently not part of Lojack Corporation at all.

Avoid US Airports

I fully encrypt my laptop drive, since it carries lots of secret corporate data and IP, and fully back it up at the office, so I am not too worried about theft of the hardware.

I am however scared that at an US airport, or at the airport of some other repressive regime, I may be forced to hand over my laptop, and then detained for not providing the decryption password. Keep in mind that if I am forced to reveal the contents of my laptop, that I can be sued by shareholders (for leaking IP) and business partners (for breaking NDA), I can lose my business relationships and hence my income, and I potentially be charged for breaking EU (and other) directives on data protection.

The problem is that I work extensively with banks and I cannot allow banking data to be leaked, nor can I allow sensitive and very valuable corporate IP to be given to potential competitors of a country that I am visiting or passing through.

Unfortunately, I need to have all of the IP on the laptop, since I often work on the data-centers of various banks worldwide, behind all of the firewalls, and these data-centers do not typically allow any type of Internet access. In addition, I would not feel safe putting 100% of the corporate IP and banking data on a public Internet server in my office, just so I can remote download 200GB or so onto a blank laptop, using a slow and/or expensive hotel Internet connection, everytime I fly, just so I can work in a remote location.

It is bad enough that countries (US, UK, Japan, ...) are already fingerprinting foreigners. It looks like the days of international business travel will soon be over.

Best home theft deterrent?

Can't help you with getting your laptops back, but I can give you a suggestion on how to force lowlife scum to pick your neighbor's house next time:

Dogs.

Not necessarily big, but loud. Most fucksticks who want your stuff don't want to deal with dogs, as there are far easier pickings right down the road. We have three. Homes have been broken into on either side of me, multiple times. I don't believe it's luck. Two border collies and a lab are simply a wrench in the works of a simple-minded shithead.

Believe me, someone wants in your house badly enough, no number of dogs, alarms, etc. will stop them. But the chances of someone wanting your stuff that badly are probably nil, and if they are willing to kill your dogs to get your stuff, they'll probably kill you too.

Dogs are the ticket. Think about it.

PARENT POST LINKS TO MALWARE

do not click.

Re:Laptop Stolen by Baggage Handlers

NorthWest Airlines DOES have a web address where you can get your luggage back:

http://www.ebay.com/ [ebay.com]