Weekly Edition
Return to the Front page
| |||||||||||||
Prey: Open source theft recoveryChances are, you know someone who has lost a laptop or smartphone, or had one stolen outright. Although preventing the theft itself would be the most satisfying outcome, there is little a software developer can do on that front (although one might consider proximity-monitoring over Bluetooth to be a step in the right direction). Full-disk encryption and password-protection for the BIOS are common strategies, but another approach — device tracking — has never enjoyed a high level of popularity in open source. The Prey project offers one open source device tracking solution, with a small range of options — including self-hosting or using the company's online monitoring service. Device tracking optionsAll software-based device tracking systems share one common element: they periodically record data about the machine and its surroundings, including location, IP address, and network settings, or perhaps even a photo taken with an on-board camera. Where they differ is in how and when that information is transmitted to the device owner, and how the application detects whether or not it has been lost or stolen. Some upload their periodically-collected data sets to a remote server on every run, others simply "phone home" to perform a status check, and only record and report information if they get the appropriate signal. Proprietary solutions like GadgetTrak or LoJack for Laptops tend to rely on a central server run by the software provider, who waits for the device owner to report the loss or theft. The first widely-deployed open source device tracker was Adeona, which took a different approach: it uploaded its reports to a remote storage location at every snapshot period. That eliminated the need to maintain a central database of tracked devices, which is what the proprietary companies charged their recurring fees to maintain. Sadly, Adeona is currently offline, as the storage service used, OpenDHT, has been deactivated. Prey operates more like the proprietary services. The default behavior is for the Prey script to wake up periodically and make an HTTP request to a preconfigured URL. The response code sent tells the script what to do next: a 200 (the "OK" status code) will shut the script down normally. Only a 404 "Not Found" code (which requires making a successful connection to the web server) will trigger the script's theft response. Prey can be configured only to send reports about its status and whereabouts, or to trigger local actions, such as an audible alarm, flashing an alert notification on screen, or locking the system. ![[Prey control panel]](/images/2011/prey-control-sm.png)
Fork Ltd., the company behind Prey's development, offers two administration options. Users can configure Prey to use the "Prey Control Panel" site as the pre-shared URL, or to run in standalone mode. Control Panel users can configure device-reporting settings and actions through the web site, as well as mark a device as missing (which removes the URL requested by the script's heartbeat-checking routine) and view any reports it sends. Standalone users must manually edit the Prey configuration file, supplying their own heartbeat URL, and provide valid SMTP and email configuration details — in standalone mode, the script emails its reports rather than posting them to the Control Panel server. Fork recently started offering paid "Pro" accounts, which allow simultaneous tracking of more devices and additional configuration options, but says it will always offer free accounts. Stalking Prey![[Prey configuration]](/images/2011/prey-config-sm.png)
The current release of Prey is version 0.5.3, and is available for Linux, Mac OS X, Windows, and Android. An iPhone/iPad version is presently in private beta testing. On Linux, the application itself is a collection of Bash scripts and support files (such as the audio file played as an alarm). The source bundle can be installed on any modern distribution, requiring only the set up of a cron job to run the main script at the desired interval. It depends on cURL to make its HTTP requests, the streamer utility from xawtv to capture webcam images, and Python to run a small GUI configuration tool. There is also a Debian package available on the download page, which is compatible with Debian and Ubuntu distributions. The actual setup process is simple, but the Prey project's web site suffers from severe documentation drought. There are no step-by-step guides suitable for new users (much less for configuring Prey in standalone mode): the necessary information is split up between the README file in the code bundle, the FAQ page, the "Knowledgebase," and the mailing list. If all you are interested in doing is signing up for the free Control Panel service, you will probably muddle through without too many hiccups, but I found it difficult to track down the answers to many of the questions I would want to know before I embarked on installing it. For example, the site's splash page, FAQ, and README all discuss adding a "valid web URL" as the means of enabling Prey in standalone mode, but the example they give is a URL on one's own domain or blog. In the prey configuration file, there are no client-side settings to control the actions (alarm, lock, etc.) performed or the data gathered when Prey sends a report — all of which are settings exposed on the Prey-hosted Control Panel site. If you read through the mailing list archives, though, you discover that the URL Prey checks for is intended not merely to return a valid HTTP response code, but to serve up an XML configuration file. There is still no documentation for the syntax and options of the file, but evidently if one first sets up an account with the Prey service, one can download and save the file to then use later in standalone mode. I would also like to see more thorough disclosure of what machine information Prey sends to the Control Panel server. Because the Prey script makes an HTTP request, presumably a fair portion of the information could simply be gathered from the request headers, but any time an application "phones home" I prefer to see what it is going to say before I install it the first time. After initially adding a device, the Control Panel has a detailed hardware information section disclosing more about the system configuration than I generally like strangers to be able to access. For non-Pro accounts, the connection to the Control panel site is not sent over SSL, which makes it vulnerable to eavesdropping. There are scattered references to Prey using Amazon S3 to store its webcam report snapshots, rather than sending them directly to the Prey site, but here again the documentation is sparse. From a user standpoint, though, Prey works quite well. On Linux, the Bash scripts run with root privileges, which might concern those of a high-security mindset. Prey can gather an impressive set of information about your machine for the reports it sends back if the machine goes missing. In addition to webcam snapshots and the standard geolocation and WiFi-triangulation options, it can complete a traceroute, capture a desktop screenshot, log any recently-modified files, and log running applications. The Control Panel interface is easy to understand, with newbie-friendly explanations of the various settings and options. Even the setup tool does a good job of outlining the difference between Control Panel and standalone mode. I am not sold on the value of playing an MP3 alarm file, but the ability to lock down the currently-running session (with password-protection) is a necessity when dealing with theft. The Prey team also deserves kudos for explaining the value of encrypting the hard disk and password-protecting the BIOS; those measures may be the only means to prevent attackers from wiping a machine entirely. If you are not patient enough to wait until someone steals your laptop, you can dry-run Prey by running the /usr/share/prey/prey.sh script with the --check option. This will test the network connection, the crontab entry, and the validity of the API key and device ID for your hardware. Testing actual report generation is harder; for non-pro accounts the only option appears to be marking your device as "missing" in the Control panel interface. Prey forward technologiesTaking a look at the configuration file (which on Linux systems is installed at /usr/share/prey/config), there are some tantalizing options that do not yet seem to be active in the 0.5.3 code, including SSH tunneling and SCP/SFTP file transfer, both with support for RSA key-based authentication instead of passwords. There are also some experimental options for modifying the HTTP request in order to get around firewalls and other attempts to block Prey. Here, too, my hope is that we will see further details documented on the site, rather than have them buried in the comments of the configuration file alone. One final concern for potential Prey users is whether the three-device limit imposed on non-Pro accounts is genuinely enough. Even a single individual is likely to hit the three-device limit these days, and although each member of a family could set up his or her own Control panel account, I suspect that in most families a single family member will end up bearing the burden of keeping tabs on the portable electronics. The limit will, of course, help sell Pro subscriptions — or push users into setting up their own standalone server. To me, that makes the need for better documentation of standalone mode configuration all the more important. While an enterprising developer could craft a homemade equivalent to the Prey Control Panel and serve up a valid XML file to clients, all indications are that the Prey project wants to operate as a true open source citizen — the source code is available on GitHub and the mailing list is public. It just has a little bit further to go. If you are looking for an open source alternative to the proprietary device tracking products on the market, Prey is worth examining. Because it is based on standard Linux system tools, it ought to run on any distribution — perhaps even including Maemo and MeeGo handsets, although they do not have Bash installed by default. You just might have some hoops to jump through if you are intent on running your own device-tracking server. (Log in to post comments)
Prey: Open source theft recovery Posted Jul 7, 2011 9:05 UTC (Thu) by pcampe (guest, #28223) [Link]
Maybe I've read it too fast, but I don't find an answer to the fundamental question: how this anti-theft system avoids being deactivated by the thief?
From the point of view of the thief, this software is a trojan, and so the very first thing that (s)he has to do is disable it: if such only requires rm-ing some bash scripts it's a way too easy.
Prey: Open source theft recovery Posted Jul 7, 2011 9:33 UTC (Thu) by akumria (subscriber, #7773) [Link]
Or, just as simple, ensure that the target domain never resolves to anything useful.
Prey: Open source theft recovery Posted Jul 7, 2011 10:26 UTC (Thu) by pcampe (guest, #28223) [Link]
Title: Prey disabling howto
1. rm -f usual_path_of_prey/usual_file_1
It's also true that, before issuing 1. and 2., the system is up and running, and so there is a small window of opportunity for Prey to call the target domain and downloading instructions (if there is some network connectivity, and it's a big if) but it's not bullet-proof; so it seems to me that some kind of obfuscating executables is worth of; am I missing something?
Prey: Open source theft recovery Posted Jul 7, 2011 19:55 UTC (Thu) by n8willis (editor, #43041) [Link]
That's precisely why Prey takes pains to educate people on the value of disk encryption, password-protected BIOS, and other security measures.
Nate
Prey: Open source theft recovery Posted Jul 8, 2011 7:55 UTC (Fri) by pcampe (guest, #28223) [Link]
If the hard disk is encrypted, the system won't boot without a legitimate password (that should be in the exclusive knowledge of the owner) and so the phone home anti-theft system won't start.
Prey: Open source theft recovery Posted Jul 8, 2011 15:16 UTC (Fri) by n8willis (editor, #43041) [Link] You seem to fundamentally misunderstand what Prey, Adeona, and the proprietary offerings actually are. They are not anti-theft systems.
Is it useful? Posted Jul 7, 2011 11:13 UTC (Thu) by NAR (subscriber, #1313) [Link]
I always thought that the first thing a thief does is to install a brand new (cracked) version of Windows 7 on the laptop and doesn't bother with what's already installed... Especially because I guess most laptops are stolen with the screen locked (I mean the laptop has to be left alone to be stolen and we all lock our screen when we leave our computers, aren't we?), so the thief would need to crack it in the first place.
Is it useful? Posted Jul 9, 2011 8:20 UTC (Sat) by shane (subscriber, #3335) [Link]
A friend of mine just got his stolen laptop back using Prey. The thief was arrested. Yay!
The thief was a thief of convenience, not a professional, as I suspect most are. This particular one mostly used the laptop for surfing porn, and did not wipe anything.
Prey is no guarantee, but it has saved thousands of euros of MacBook Pro and put a bad guy behind bars.
Prey: Open source theft recovery Posted Jul 7, 2011 11:42 UTC (Thu) by dany (guest, #18902) [Link]
There is relevant story on http://thisguyhasmymacbook.tumblr.com/, even is not about opensource technology.
Idea is to have guest account enabled (or not locked account), so thief is actually using computer for some time. Spying software is hidden, so thief doesnt know about its existence. So they are counting on fact, that thief is not clever and doesnt reinstall OS right away.
Prey: Open source theft recovery Posted Jul 7, 2011 13:45 UTC (Thu) by alex (subscriber, #1355) [Link]
<em>"So they are counting on fact, that thief is not clever and doesnt reinstall OS right away."</em>
Which is probably a fair assumption with most thieves.
Prey: Open source theft recovery Posted Jul 8, 2011 9:11 UTC (Fri) by dsommers (subscriber, #55274) [Link]
There are two types of thieves, clever ones and stupid ones. It's amazing how many there are of the latter ones.
What if an extended grub boot loader would do dhcp and phone home ... then if missing, it would boot up a special "fake" OS installation, which would harvest the needed info and the thief itself would believe it was a "good" theft - and s/he might miss the encrypted harddrive. This "fake" OS could even be instructed to wipe the encrypted drive(s), all based on the initial grub call.
Of course, the challenge is how to tackle wireless networks, where some require authentication, some networks are hidden/no ESSID broadcast ... and when the rightful owner tries to boot the laptop on a plane, where there are no networking available, what to do here?
Anti-theft, not impossible, but darn hard to do without a secure and non-interactive way of communication to the "controller", which, ideally, is activated before BIOS passwords are entered.
Prey: Open source theft recovery Posted Jul 8, 2011 12:16 UTC (Fri) by ndye (subscriber, #9947) [Link] could even be instructed to wipe the encrypted drive(s), all based on the initial grub call Here I suggest a number of grace reboots before wiping the owner's data, supporting the next suggestion. the challenge is how to tackle wireless networks, where some require authentication, some networks are hidden/no ESSID broadcast ... and when the rightful owner tries to boot the laptop on a plane, where there are no networking available How about a special, hidden key sequence (controlled by the owner) that opens a backdoor in the "fake" OS, to authenticate the owner when phone-home fails?
Prey: Open source theft recovery Posted Jul 11, 2011 15:38 UTC (Mon) by ssam (subscriber, #46587) [Link]
The issue that puts me off installing something like this (or even just a cron script that pings my webserver) is the problem needing to allow the thief to log in enough to connect to the internet. I'd rather have screen lock after suspend, and password log in.
so in order to do this securely it really ought to run during GDM. but for that to work it would need to automatically connect to networks. or to have a guest login.
Prey: Open source theft recovery Posted Jul 12, 2011 22:11 UTC (Tue) by n8willis (editor, #43041) [Link]
It has an "autoconnect" option that will attempt to connect to open WiFi access points whenever the Prey cron job executes. Obviously that is not 100% reliable, since "open" APs could also be captive portals, but it does run even when no user is logged in, at least on OSX and Linux. Though that feature is turned off by default (perhaps because they have yet to get it working for Windows; that part's not clear).
Nate
Prey: Open source theft recovery Posted Jul 12, 2011 22:44 UTC (Tue) by mjg59 (subscriber, #23239) [Link]
Captive portals will typically still provide working DNS, so you could probably trickle some amount of information over that...
Prey: Open source theft recovery Posted Jul 12, 2011 15:03 UTC (Tue) by bredelings (subscriber, #53082) [Link]
So, are there any actual examples of lost or stolen devices being recovered this way?
I'm curious about what happens after you (ideally) determine the location of the computer and get the thief's e-mail address and photograph. Is it actually true that you can simply go to the police, and they will make the thief give the computer back to you? I seem to recall vaguely hearing of cases where someone identified the thief, but still couldn't recover their computer.
In short, perhaps this software should be called "Prey: computer locator and thief identifier". Actual recovery of the stolen device is beyond the capabilities of the software. Or is it?
Prey: Open source theft recovery Posted Jul 14, 2011 3:34 UTC (Thu) by grg (guest, #76756) [Link]
A few years ago I had a laptop stolen by someone I knew. We lived together in a share house and he took my laptop with him when he moved out. He ignored requests to return it.
When reporting it stolen, I gave the police his full name, his mobile phone number and his Dad's full name and mobile number. As far as I know, they made no attempt to follow this up.
So the moral of the story is: don't bother, if you know where the thief is, "send the boys around" instead.
Prey: Open source theft recovery Posted Jul 14, 2011 16:21 UTC (Thu) by Zizzle (guest, #67739) [Link]
The thing that stopped me installing this is that I expect the typical thief to not be able to log in to or operate a Linux environment.
He will just wipe it and install Windows.
Prey: Open source theft recovery Posted Jul 14, 2011 20:37 UTC (Thu) by bronson (subscriber, #4806) [Link]
Not sure about that... Do you realize how difficult and time-consuming it is to install Windows when you don't have the vendor's install and driver disks?
Prey: Open source theft recovery Posted Jul 15, 2011 1:57 UTC (Fri) by grg (guest, #76756) [Link]
Why would a laptop thief attempt to install a legit copy of windows? Its widely recognised that installing illegal copies is less hassle. I've been known to install cracked copies on friends'/family members' computers who have valid licenses.
Prey: Open source theft recovery Posted Jul 15, 2011 3:47 UTC (Fri) by Hausvib6 (guest, #70606) [Link]
And the cool (and ironic) thing is those pirated Windows installer image often include slipstreamed updates, drivers for various common devices (from nvidia, realtek, amd, intel, etc.), alternative applications (Firefox, Chrome, etc.), even latest Microsoft Office, and no need to activate Windows. Usually the torrent name is something something AIO (All in One).
So, being a thief (of physical thing), comitting copyright infringement is surely guilt-free.
Prey: Open source theft recovery Posted Jul 15, 2011 15:41 UTC (Fri) by bronson (subscriber, #4806) [Link]
That's good to know. I've never used a torrented copy of Windows but that sounds waaay easier than MSDN or original install disks.
As always, pirate user experience FTW!
|
|||||||||||||