Apple Businesses

Mac Thief Caught Thanks To Applescript & Timbuktu 367

el.cerrito.slasher sent in an amusing bit found on MacSlash. This story is a tale of a stolen iMac that just happened to be running Timbuktu (a remote control program like VNC I believe). Well the stolen box kept getting used, and the owner was able to track it down through a variety of amusing Timbuktu Fu. Funny story.
This discussion has been archived. No new comments can be posted.

  • by Tony.Tang ( 164961 ) <slashdot@@@sleek...hn...org> on Thursday January 24, 2002 @06:34AM (#2893486) Homepage Journal
    For those of you who got a real kick out of this thing, you may want to read Cuckoo's Egg [amazon.com]. Cuckoo's Egg is a little older (he talks about using the teletype), and follows a real life story of an admin who went and tracked a bad hacker (or thief? -- sorry it's been a while). It has the same sort of "you out-think me, i'll out-think you!" back and forth flavour to it. Give it a read, you won't be disappointed.
  • by wildcard023 ( 184139 ) on Thursday January 24, 2002 @06:42AM (#2893507) Homepage
    I had flashbacks to reading "The Cuckoo's Egg" while reading this transcription. Does anyone else remember reading the commands listed in the book and quickly running over to a unix box to play?

    Honestly, I'm not -too- surprised that this happened. My machine runs:

    /bin/date | mail
    /sbin/ifconfig -a | mail

    (Running dyndns would be interesting also.)

    on bootup. I originally did this so that I could keep track of my box and identify when it went down and what the current IP was so I could ssh in and look around more comprehensively, although it has crossed my mind that if my machine were to get stolen it might report back to me where it was. I'm happy to see that it's worked out at least once for someone.

    Most ISPs keep logs of usernames and passwords on certain IPs (especially if they're static/near static as in a cable modem or DSL connection). From there, it's fairly easy for the ISP to connect that back to a real name.

    I'd be very interested to see if this is enough information to get a search warrant.
  • by rleyton ( 14248 ) on Thursday January 24, 2002 @06:45AM (#2893510) Homepage
    The article doesn't say the thief was caught. To quote the guy himself: "So the conclusion to the story is: iMac and Lexmark printer recovered, one female pled out to possession of stolen property and got a year's probation.".

    Possession of stolen property is very different to theft. She claims to have bought the imac from "some guy". Ok, she might be complicit, but we won't ever know.
  • by smagoun ( 546733 ) on Thursday January 24, 2002 @09:50AM (#2893890) Homepage
    Not only is Applescript unbelievably easy to write, it's easy to execute, too - drop an Applescript or three into the "Speakable Items" folder on the Mac, and your Applescripts are suddenly voice commands for your computer. This brings you a long way toward full voice command of your computer, depending on what you need.

    "Computer, update website" (computer executes the 'update website' applescript, which would probably be very similar to the parent post's Applescript)

    Since Applescript is easy, powerful, and voice-activated like this, you can do some amazing stuff on the mac with very little effort. It impresses the hell out of other people, too.

    (FWIW, the PC emulator VirtualPC is Applescriptable - you can have a LOT of fun with that: imagine the above Applescript, but add the part where the script fires up VirtualPC and loads your webpage in IE for Windows to make sure it looks good on that platform too. All this while you're playing Oni)

  • by bsartist ( 550317 ) on Thursday January 24, 2002 @10:31AM (#2894061) Homepage
    Wouldn't it be great if every Mac/WinTel computer came with a stripped-down, Timbuktu-like program as part of the operating system?

    Ummm... every Mac now comes with cron and sshd already installed. What more do you need?
  • Re:Record 'em! (Score:1, Informative)

    by Anonymous Coward on Thursday January 24, 2002 @10:33AM (#2894074)
    You can use "Coaster" to record with applescript. it is about the only recording program that is scriptable...
    http://www.versiontracker.com/moreinfo.fcgi?id=9 59 &db=mac

    I use it with applescript to record sales phonecalls automatically. cool stuff.
  • Windows-based mailer (Score:4, Informative)

    by pilsen ( 551725 ) on Thursday January 24, 2002 @11:27AM (#2894361)
    What I did on my Windows machine to record the IP address was use a *very* simple set of tools.
    1. I wrote a one-line .bat file, which runs and ends very quickly at startup:
    ipconfig > c:\windows\system32\ip_ADDR_resolv.sys
    to make it look like a system file. All it is really is an output of my local IP address.
    2. I used the free StealthMailer program at: http://www.amecisco.com/stealthmail.htm to mail my .sys file to my hotmail account. And it does so periodically.
    3. For added cool, you can use low-level key-logging software [amecisco.com] and mail out everything that user types and mail it to yourself. Cost is about $79/license.
    You can't beat that for peace of mind.
    .p.
  • by Graff ( 532189 ) on Thursday January 24, 2002 @11:31AM (#2894399)
    Now if only I could have it run in the BIOS. Imagine if on the bios level, without a proper key or password or whatever, if the hard drive was removed and replaced, it would then call a panic number whenever connected. That'd be neat.

    Actually you can most likely do that on a Mac. All of the Macs in the past 5 - 8 years use a BIOS-like system called Open Firmware. Open Firmware basically sets up the machine to load up the operating system and it does other initialization tasks. It is also used by some other computer manufacturers as it is an open standard.

    The neat thing about Open Firmware is that it is programmable. It is written in Forth and you can write additions to it and install them. These additions are persistent across power-downs and can be password protected. So it is possible that you can write some sort of network notification into Open Firmware, I do know that it is aware of TCP and such because you can remotely operate the machine if it crashes in open firmware and you can also use Open Firmware to network boot the machine.

    The other cool thing about Open Firmware is that you can set it to require a password at boot. If the password is not entered then the machine will not load ANY drive. This password is much harder to disable than an operating system password or hard drive password lock, although there are a few obscure and involved ways of bypassing it if you are extremely familiar with the system.

    This page [openfirmware.org] has some good links on Open Firmware. This site [sun.com] is hosted by Sun and has a ton of very specific and detailed information on Open Firmware. And lastly, Open Firmware is the only firmware standard in existence to have its own song [sun.com]!

  • by Anonymous Coward on Thursday January 24, 2002 @01:03PM (#2895090)
    First you set the bios password. I know it can be removed, but thieves are idiots after all and this might take them a good deal of time.

    If they get past that, and boot, they'll be confronted with a password prompt to mount your /home filesystem through the crypto loop back (you *do* mount your /home dir through the crypto loop device in Linux, right???). Obviously, they won't be able to guess this password (hell, my password to do this consists solely of 9 digits).

    So they will have to remove somehow repartition the drive and install another operating system. Can a thief do that too? This causes the thief precious time and effort... more and more the machine becomes a less interesting proposition.

    Between boot and trying to mount your sensitive crap in /home, a sweet little /etc/init.d/ script you made sends your IP address via email to you. Then you can SSH on in and do whatever you like.

    BTW, I can't spel.
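The boot-time address report that this comment and wildcard023's earlier one describe, as an added example that is not part of either post. The function names, the `REPORT_TO` placeholder address and the sample interface listing are constructed for illustration; wiring `--send` into a boot script is system-specific and left out.

```shell
#!/bin/sh
# Added example (not from the thread): mail this machine's addresses at boot.
# REPORT_TO is a placeholder assumption; set it to a mailbox you control.
REPORT_TO="${REPORT_TO:-owner@example.invalid}"

# Print the non-loopback IPv4 addresses found in an interface listing on stdin.
# Accepts "inet 192.0.2.10" (BSD, macOS, newer Linux), "inet addr:198.51.100.7"
# (older Linux net-tools) and "inet 192.0.2.10/24" (ip -4 addr).
extract_ipv4() {
    awk '$1 == "inet" {
        addr = $2
        sub(/^addr:/, "", addr)      # old net-tools prefix
        sub(/\/.*$/, "", addr)       # CIDR suffix printed by ip
        if (addr !~ /^127\./) print addr
    }'
}

# Build the message body from an interface listing on stdin.
build_report() {
    addrs=$(extract_ipv4)
    printf 'Host: %s\n' "$(uname -n)"
    printf 'Time: %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')"
    printf 'Addresses:\n'
    if [ -n "$addrs" ]; then
        printf '%s\n' "$addrs" | sed 's/^/  /'
    else
        printf '  (none configured yet)\n'   # network may not be up this early
    fi
}

# Collect the live listing and mail it; this is what a boot script would call.
send_report() {
    { /sbin/ifconfig -a 2>/dev/null || ip -4 addr; } |
        build_report | mail -s "boot report: $(uname -n)" "$REPORT_TO"
}

# Constructed sample listing (documentation addresses) for an offline dry run.
sample_listing() {
    cat <<'EOF'
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
en0: flags=8863<UP,BROADCAST,RUNNING> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
eth0      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          inet addr:198.51.100.7  Bcast:198.51.100.255  Mask:255.255.255.0
EOF
}
if [ "${1:-}" = "--send" ]; then send_report; else sample_listing | build_report; fi
```

Behind a NAT router the addresses listed in the body are private ones; the `Received:` headers added by the receiving mail server typically show the public address the message arrived from.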
  • Re:Record 'em! (Score:4, Informative)

    by gordguide ( 307383 ) on Thursday January 24, 2002 @01:14PM (#2895168)
    " ... Probably not admissible in court, I guess. Although using a stolen device for surveillance really *should* be a legal means of admissible evidence, in a perfect world :-) ..."

    I'm not so sure it wouldn't be admissible in court. Unauthorized taps are illegal in some, but not all jurisdictions. Also, illegally obtained evidence is admissible under some conditions; in particular when the illegal evidence is obtained by someone who is NOT a police officer, etc.

    Finally, consider this: if you use the phone or use the bathroom, this is an illegal tap. Phones are not recorders and bathrooms are not cameras, there is an expectation of privacy. But a computer can be and is an audio and video recording device, as well as a network data collector. Many computers have built-in microphones and network devices; no reasonable person should assume they don't work. In other words, there is no expectation of privacy; especially if the lawful owner has configured it to act as a remote device.

    I'm sure the lawyers will eventually hash this out, but I can assure you the evidence would be admissible in my jurisdiction; legal or not, because I am not a cop.
  • Erase the HD... (Score:4, Informative)

    by gordguide ( 307383 ) on Thursday January 24, 2002 @01:42PM (#2895369)
    Some people have suggested a "real" thief would just erase the HD and start over. And, some might.
    But most thieves are dumb, or at least cheap; do you think they are going to erase PhotoShop, etc and go out and buy a copy, and then do that 20 or 50 more times? It isn't much use without apps.

    If you don't leave your SW about in an obvious place, they won't have an OS install CD (to boot an iMac or any Mac made since about 1996. A boot floppy is useless; most won't boot with System 7.1, which did fit on a floppy. And if your floppy collection is anything like most people's, there won't be a decent label on it anyway. x86 is, of course, different; boot floppies are pretty easy to come by and they work).

    Auto-dial 911 is A Bad Idea; they have enough trouble with users who can't figure out why the cellphone called 911 from a football game cuz the guy sat on it and it auto-dialed with "quick 911" enabled.

    A periodic eMail to your own account sounds good; there is plenty of evidence there and, properly done, it doesn't compromise your own security (or risk your own life w/electric keyboards... YIKES! -I don't trust any computer that far).
  • by Melantha_Bacchae ( 232402 ) on Thursday January 24, 2002 @02:30PM (#2895761)
    nzhavok wrote:

    > Of course no self-respecting programmer would ever code in
    > applescript, not even to see what it was like. Why anyone would like to
    > code like this when they can use more cryptic languages like perl or
    > haskell is beyond me.
    >
    > The scary thing is I'm not sure if I'm being sarcastic or not at this
    > point.

    Well, in case you are not being sarcastic, and for the benefit of those who seriously believe the above quote: AppleScript is not a programming language for serious applications. It is a macro language, for everybody to use. The thing that AppleScript does (and what computers were designed for) is to automate repetitive tasks. It isn't just for coding either. You can push the old record button, and record your actions as AppleScript. You can then use the recorded script as the start of your own script, customizing it easily, because it is easy to understand. AppleScript is there so graphics professionals, video professionals, scientists, etc. can automate their work and make their jobs easier and more productive.

    Apple has released AppleScript Studio for OS X, which allows one to create real applications with the Aqua GUI in AppleScript. While this is nice for entering data for and controlling your AppleScript, you are still not going to see a lot of software on the store shelves written in AppleScript. AppleScript Studio is to AppleScript what Perl/Tk is to Perl.

    Though it would be nice if we had a Cocoa/Perl wrapper thingie to let us write Perl apps for Aqua.

    OS X: the Apple of Mothra's Aqua eye.
  • by Restil ( 31903 ) on Thursday January 24, 2002 @02:53PM (#2895956) Homepage
    IANAL, but I have previous experience with issues like this as I used to sell used computers, and I didn't always purchase my stock from the most reputable sources.

    If you buy from a store, or from an auction, you're probably safe. But if you buy from an individual, especially from someone you don't know, you might want to do some sanity checks. First, check for serial numbers. If there aren't any, DON'T BUY IT. This can be tough if the computer was self assembled as some clone cases don't have serial numbers on them, but practically all OEM computers will.

    After purchasing it, WIPE IT. Reinstall the operating system from scratch at the very least. If you're a good samaritan, you might want to back up the system, especially if there seems to be any personal information on it. But you want the system itself to be clean.

    Take the serial number on the computer and any other equipment you bought, and report it to the police. Pawn shops do this all the time. First of all, if any equipment you report comes back stolen, you can't be prosecuted for possession of stolen property, even if you had a pretty good idea it was stolen. Secondly, I'm not sure about every state, but in Texas even if it IS reported stolen, you're still the rightful owner of it and it's the responsibility of the original owner to prove in court that they are the rightful owner before being able to reclaim it. Pawn shops usually get around this by offering to return the equipment for the price they paid for it (which is generally a small fraction of what the equipment is really worth). In many cases the equipment is insured and the original owner would more easily collect on the insurance rather than spend a couple years in court trying to get a computer back that by the time they finally get it would need to be replaced anyways.

    As for the lady in the article, it was probably one of those "look the other way" things. I'll get a good deal on a computer and I just won't pay attention to how I got it. If there was even the slight bit of legitimacy to her purchase she wouldn't have been so eager to take a plea agreement.

    -Restil
