Another Stab at Laptop Security 316
kogus writes "LoJack is licensing its brand name to Absolute Software, which provides Computrace -- soon to be known as the 'LoJack for Laptops' line of computer theft recovery systems. When a stolen Computrace-equipped system is connected to the Internet, it automatically and silently sends locating data to Absolute Software, which then calls out the law. In some cases, Absolute Software customers are eligible for a $1,000 guarantee payment when a stolen system is not recovered within 60 days.
Not secure at all. (Score:5, Interesting)
From TFA:
Unless you:
and/or
Nice illusion of security....wonder how many people will fall for it.
what happens? (Score:1, Interesting)
Ah... (Score:3, Interesting)
2. Purchase $100 security
3. Purchase $100 spyware remover
4. "Lose" laptop
5. Wait 60 days
6. Profit $300 for 60 days work
7. GOTO 1 (I never spaced lines by 10, what was up with that)
Questions (Score:3, Interesting)
Hardware, or software? (Score:5, Interesting)
The spyware and firewall questions seem important as well - if this is just a "Hey, this is box XYZ and I'm at this IP address", talking to lojack's servers, well, fine, but how does the end-user know that they haven't blocked that with their firewall?
I'd love to see something technical on this, rather than some stock-tip-guy's interpretation.
Call out the law?? (Score:3, Interesting)
What does that mean?
Is there some law organisation in the USA that you can call saying "my laptop has been stolen and it is now on the internet at address 333.444.555.666" which will then go out to locate your laptop and return it to you??
First law of data security... (Score:3, Interesting)
Computrace is a piece of client software that "phones home" on a regular basis. It provides NO protection against things like formatting the hard drive before connecting to the Internet. http://www.absolute.com/Public/products/techplatf
Oooo... it uses an ENCRYPTED connection. Explain to me how this stops "fdisk; format c:" or "fdisk; mkfs
This must be designed to nab the stupid criminal, who jacks in as soon as they boot.
On the other hand, with the prevalence of open WAPs, it is quite possible a laptop with a built-in wireless NIC will connect and phone home before the hapless thief realizes it.
-Charles
Boot any one of the many live *nix distro's (Score:2, Interesting)
Oh, I get it - it's just designed to recover stolen laptops from non-slashdot readers
Not just stolen! (Score:5, Interesting)
Our PHB ordered it installed after getting a call from a golf buddy. It was ripped out a week later. The heartbeats contain enough [cleartext] information that the increased chance of the laptop being broken into, or the salesguy socially engineered using the info was deemed higher than the chance it'd ever be stolen.
like cell phones (Score:2, Interesting)
However even the young kids who casually steal cell phones appear to have some sophistication, and are able to reprogram or wipe phones for resale.
Given that wiping and reinstalling the OS for laptop is trivial compared to reprogramming a phone, I do not see how this would stop anyone but the most casual of laptop thief.
I would like to see how easy it is to get the $1000. If the service was cheap enough, it would be valuable merely as $1000 insurance policy.
Re:Not secure at all. (Score:2, Interesting)
Nice marketing idea, but... (Score:5, Interesting)
--
watch funny commercials [tubespot.com]
How does the computer know it's stolen? (Score:2, Interesting)
I'm not entirely sure how the LoJack on cars works, but I seem to recall it requires you to report the theft, and then the cops/LoJack have some means for tracking the car's device. With a physical device, this might not require an always-transmitting approach so much as always-ready-to-transmit - that is, it could have enough battery power to start transmitting once it's hit with a request for broadcast. But for a software solution, how would you ping the stolen computer? (You need routing information in addition to the MAC address, right?)
Fortunately, there's a good chance that anyone booting up your stolen WinXP laptop will quickly be caught and arrested for connecting to the nearest WiFi network [slashdot.org].
Re:Not secure at all. (Score:2, Interesting)
you just fdisk
Re:Not secure at all. (Score:4, Interesting)
You probably want http, so the firmware could do http://www.laptopjack.com/report.pl?laptopid=AF31
The whole logic could be embedded in a boot rom on the card, with DHCP and all. Or, if you custom-made the ethernet card, it could even store the last IP address and gateway, and use that next time you boot if DHCP failed. You could even theoretically set it to do this every few hours or something when the network is idle-ish, so that if someone nabs it while its running and keeps it on all the time, it still gets a chance to report.
If you wanted to be REALLY tricky, you could hit other sites first and test for the presence of proxies or what not, then go through a few options, like SSL client authentication using a stored certificate to identify the laptop if a direct connection can be established. Or using just normal client SSL if a proxy that will allow it is detected. Or last ditch, http:
I asked for this 10 years ago (Score:2, Interesting)
A better solution is to make it work like the car LoJacks - when the unit receives an "I'm stolen" message it replies with its location. Only major problem would be power - if a theif removed the batteries it could be a long time before some sucker replaced the batteries, and by then LoJack might've stopped broadcasting.
Of course, any kind of security won't work well if it can be disabled or removed without disabling the PC.
If LoJack or any other company wants to make a killing, license their technologies to motherboard manufacturers.
Hmm, if I could get LoJack-on-a-motherboard, I'd like it in my TV, my VCR/PVR, my CD player, and anything else likely to wind up in a pawn shop.
Worse than just an illusion... (Score:5, Interesting)
We had a laptop stolen and called it in.
"Oh, you need to file a police report"
Fine, so we get the numbnuts who lost it to file the report and give us the report number.
"Okay, yes... we have recieved a call home from the laptop, and we know where it is!"
Great! Now when do we get it back?
"Wellll, you cant..."
and it just got worse from there. The police wouldn't retrieve the laptop, and these clowns wouldn't tell us where the machine was. But at least we knew:
- it was in fact stolen and not in the hands of the numbnuts employee
- it was in fact connected to the internet, being used, right then
- we couldn't get it back
- someone was at least enjoying their brand new laptop...
damnnit! This shit just annoys me. I'm going home.
Re:Not secure at all. (Score:3, Interesting)
- How many corporations continue to run MS IIS to drive their corporate websites?
- How many people continue to run IE?
- How many people continue to run Windows and download the latest spyware infected software because it's trendy, even after they've had their computers infected countless times?
Your right, security is an illusion, and some people prefer to turn a blind eye rather than look at the root cause.
IIS 6 (3 advisories)http://secunia.com/product/1438/ [secunia.com]
IIS 5 (11 advisories) http://secunia.com/product/39/ [secunia.com]
IIS 4 (6 advisories) http://secunia.com/product/38/ [secunia.com]
Apache 2 (24 advisories) http://secunia.com/product/73/ [secunia.com]
Apache 1.3 (15 advisories) http://secunia.com/product/72/ [secunia.com]
Apache - 29 Advisories
IIS - 20 Advisories
Did I miss something?
Re:Worse than just an illusion... (Score:5, Interesting)
and Computrace wouldn't share the location of the stolen laptop, she was nice to tell me that they were online with it right now though.
Jesus Christ, it was a waste of money
Re:Not secure at all. (Score:3, Interesting)
I just did that for real last week. Some guy came over and wanted to know how to tweak