Jul 15, 2008
Open source and free: Adeona's software is licensed under GPLv2. While your locations are secret, the tracking system's design is not. The Mac OS X version can capture pictures of the laptop user or thief using the built-in iSight camera. [...]mented the Adeona system and some of its extensions as user applications for Linux and Mac OS X. Moreover, we conducted a short trial in which the system was deployed on real users' systems, including a number of laptops. Our experience suggests that the Adeona system provides an immediate solution for privacy-preserving device tracking.
With isightcapture incorporated, the Mac OS X version of Adeona gives you the option to capture pictures of the laptop user or thief. Rest assured that images are also privacy-protected; only the laptop owner (or the owner's agent) can access them (Figure 2). According to the project lead's paper from the 17th USENIX Security Symposium [8], the
To install Adeona, run:
$ tar xzf adeona-0.2.1.tar.gz
$ cd adeona/
$ ./configure
$ sudo make install
By default, the installer script will install Adeona in /usr/local/adeona. To make sure it runs during system startup, the Adeona client program relies on cron:
$ sudo crontab -e
Comments on the 'An advanced script/web solution to track stolen Macs' hint
So.. what happens if the thief is smart and just nukes whatever is on the computer to factory settings and then sells it?
This is always the first thing said when a post like this is written.
The majority of people don't know how or why to do that. Setting up something like this at least will put the odds in your favor.
Most thieves are not smart enough to figure out what to do. If they were they would probably not be thieves. If they were smart any thief worth their salt would check out the hard-drive for personal information they could use. The last thing they would think of....even more so if they are windoze users are unix scripts running in the background. Also if they are windows users they should be used to seeing error messages on a computer. Also if they are Windoze users I don't think they would have the system discs to nuke the current OS.
Besides doing nothing pretty much means you are never going to get your computer back.
You can also use your most colorful permanent markers and draw all over the outside of the laptop. Then anyone who even glances at it knows that that colorful computer belongs to you, and a thief will have a hard time selling a laptop that draws so much attention.
Great idea, draw on 1500 macs! Why not stick them shut with super glue, then no one would want to steal them right?
The only real way to stop theft is for Apple to build GPS trackers that can't be circumvented, but how will they be powered when the battery is dead?
This is otherwise an interesting solution.
It's a very nice idea. There are lots of opportunities to make improvements such as using SSH instead of FTP and maybe a database on the web server to keep track of the clients. A registration system, allowing the clients to register themselves, would be a nice idea as well.
There is of course the obvious flaw in that simply re-installing the OS will circumvent this? I wonder what can be done about this. Maybe one could disable (password protect) booting from the DVD / CD / FIREWIRE / USB? Any idea if this can be achieved on Macs?
Unfortunately, it's trivial to disable the firmware password. If you add or remove RAM from the system, the firmware password will become unset. I still use the firmware password, in the hope that it would foil non-Mac-savvy thieves from wiping the hard drive and give my anti-theft solution a chance to kick in.
BTW, I use Orbicule's Undercover to protect my Macs. It's a commercial app, but it's relatively inexpensive and easy to set up.
There are lots of opportunities to make improvements such as using SSH instead of FTP and maybe a database on the web server to keep track of the clients.
Another idea would be to post data via http using curl.
Thanks Mr Engelby for taking the time to share this with all of us. It is very interesting, and quite simple to implement, thus its beauty!
One comment to other commenters about a thief re-installing the OS: I imagine that most thieves will at least try to turn on a computer to 'see what's inside' as soon as they can. And since many many people use auto-login for their accounts (much to our chagrin as IT folks, I know), thieves will often have a fun time looking around to see what pictures, movies, and so on a user has. Then, after the fun wears off, they might re-install the OS or whatever. I suspect many of them wouldn't know how to do even that, frankly. They'd have it up for sale after a quick trashing and deleting of user files. I'd be willing to bet that most computer thieves are not terribly Mac-savvy.
Finally, a question for James: Since you say you wrote this after the two school break-ins, has your script been used successfully since with any stolen Macs? Just wondering if you have any good stories.
In order to maximise the chance of recovery, you'll have to ensure the thief will actually use the Mac.
If you don't use autologin (for obvious security reasons), you might want to enable the guest account on Leopard, so that the thief can use the Mac even without autologin.
---
http://www.patpro.net/
The only real thing that I don't think is good about this, is that it uses the MAC address... that means you need one for ethernet, and one for wifi. And the MAC addresses can be spoofed/messed with, if they have enough time, or an external usb wifi card.
The point of using the MAC address is only to share a string between you (the server) and the Mac.
You know the MAC address of the ethernet card (en0).
The script knows it too.
The script asks for the $macaddress html page on the server.
If the page exists (you put it there), then the Mac is stolen, and the script continues.
Have you read the script?
---
http://www.patpro.net/
Thank you pat for clearing that up!
The reason I chose MAC address is because it is unique and it is hardware. And this uses system profiler to pull the MAC address of your built-in Ethernet. So even if the computer is on wireless (which I was assuming for most of the time) it will always check to see if the webpage exists using the built-in MAC address.
By the way, you could have used the serial number.
---
http://www.patpro.net/
Some service procedures leave the electronically readable serial number blank on some models.
Which is actually why I didn't do serial. I changed out the logic board on too many iBooks without doing that serial number reset utility. Don't tell Apple....
I tried phase1 and 2. It worked except:
1. The FTP root folder needs to allow write privileges for the 'steal' user account. This is missing in the instructions.
2. The screengrab sent to the server only contains black image.
So, engelby, can you fix your script?
jyu: send us your login and password for the FTP account, and we will fix the script.
Otherwise, you can change the script accordingly by yourself :)
---
http://www.patpro.net/
What was the fix for the black screen? Mine is black as well.
You might note that for those who don't have a root password setup on their machine, sudo works just as well for those root-level commands, or sudo -s if you really feel the need for a root shell.
We've used a similar sort of home-grown tracker for a few years now. I haven't had the chance yet to compare the author's solution to ours, but I can report that our method for finding the serial number is faster than either the original code, or your improved version:
serialnumber=`ioreg -c 'IOPlatformExpertDevice' | awk 'BEGIN{FS="\""}; /IOPlatformSerialNumber/ {print $4}'`
Nice one!
In fact there is so much room for improvement in that script :)
---
http://www.patpro.net/
Indeed there is. This is actually a version 2 of my script. The first was much smaller than this, so this is a huge improvement over it. I know there is a lot more that could be done to it.
I'm an amateur at this, but it appears to only work on an Apple Server. If this isn't true, then where do I put the file on a hosted server?
Thanks
---
Hermosa Beach, CA USA
It can be hosted on any computer actually. The MACADDRESS.html goes in the root of your web directory. I am not sure where it is on your system, but any server OS that can host webpages will be able to hold these files.
Actually, all of this can be done from a Mac OS X client computer too if you want. You would just have to modify parts of the script.
Does anyone know if or how I can use MobileMe as the server that the script reports to? I am just one person and have no access to a server. Would I be able to see all the logs? How would the script log in to mobileme?
lostInSpace commented on using another protocol. One thing I thought of, is that if the person is using it from a port-restricted wifi connection (like a lot of coffee shops, airports, etc) it may not work to ssh or ftp the image file or ip address back to the server. I think a thread to lostInSpace's comment noted using curl instead. Either way I think this is a great hint and really an excellent way to monitor this activity. With an obscure name to the daemon, it would nearly be impossible for even a fairly advanced mac user to know what is going on before it's too late. They would have to systematically look in the activity monitor utility and find any daemons non-standard to the os install. I don't know if I could do it.
Also, how robust would this script be for using a url as opposed to an IP address? I would think it wouldn't matter. I have an account at no-ip.com to monitor and switch my dynamic ip at home. Using the domain name would ensure that the ip information always made it back to the log, even if Time Warner decides to reset my non-static IP.
Finally, a comment on the isight; some isight cameras, I don't know which ones, have a flash on them (iMacs, perhaps). It would be a good idea to disable the flash or the thief might figure out what is going on, a little faster.
This will work with IPs or a DNS name. In my environment and for at home, I use an IP so that's why it's based around that. A normal web address will work fine too though, just make sure it fits in the script.
As far as isight goes, this does not flash the screen when it takes a picture, however...the green light does flash on for a second. I could never find a way around the green flash. That's why I wouldn't start phase 2 until you need to and only run it until you get the picture you want.
I'm a pretty experienced user and I found this confusing. Nowhere is it stated explicitly that you have to create the tracking files after you notice that the computer has been stolen. Also, we're told to create a 'steal' account 'on the computer,' when 'on the server' would have saved me some futzing around. Another commenter noted the permissions issues with ftp uploading. A clear, concise overview of how the whole scheme works would have been greatly appreciated; as it was, I had to painstakingly work my way through the 'phone' script to figure out what was happening.
I still haven't actually seen it work, but maybe with the permissions (hopefully) fixed, it will now.
OK, this is good stuff. There are several issues several people have mentioned and I hope to add my 2 cents worth. First of all I had difficulty getting the script started until I noticed that the LaunchDaemon script had /private/etc/.cuploader/... in it. Change this to /etc/.cuploader/...
Now someone else said that the screencapture section gave black screens and indeed this is true. To solve do the following.
Add in the line just above the macaddress line.
userpid=`(ps ax | grep loginwindow | head -1 | tail -1 | awk '{ print $1 }')`
(Yes I know it has some redundant commands in it...)
Then change the screencapture line to...
sudo launchctl bsexec $userpid /usr/sbin/screencapture -x -m '/Library/ColorSync/s'$safedate'.png'
Note that I have shortened the screengrab name to just s because the final dated name that was produced was too long. Likewise change the names below to just s. Similarly I changed the isightcapture picture name to just p for the same reason. Be careful and change ALL references to screengrab and picture.
Finally I personally feel that we don't need the touch commands as they leave a trace that can be seen. Also the screengrabs and picture can be hidden in say /tmp rather than /Library/ColorSync or /Library/Preferences. But the script will have to be rewritten. I will try if version 3 doesn't come out soon!!
Finally, you need a suitable server and not everyone has access to such resources. If there is a demand, I don't mind setting up a server and the necessary MAC address files for interested users to use as long as the process is not abused. The ftp services can also be provided. If anyone has their machine stolen, a quick email can get their MAC.html files changed. Of course you will need your MAC address.
I also changed the echo IP command to
echo "IP: $externalip\nDate: $thedate\nComputerName: $computername\nSerial: $serialnumber\nBuiltInEthernet: $macaddress\nWhoIsLoggedIn: $whoisit\nUsers: $lastusers" >> "/Library/$externalip"
Note the backslash-n (\n) sequences to push everything onto new lines... more readable.
All in all this is good stuff and is a very powerful concept.
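The pieces the thread keeps coming back to (patpro's "does MACADDRESS.html exist on the server" trigger, the ioreg serial-number one-liner, the loginwindow PID needed for a non-black screencapture, the multi-line report, and the earlier suggestion to post via curl instead of FTP) fit together in a few shell functions. The block below is an added example written for this page; it is not James's script, patpro's, or any commenter's. The ioreg and ps output are constructed samples so the parsing runs offline, the web root is modelled as a directory, and SERVER, TOKEN and the report.php endpoint are placeholders that the hint never provides.

```shell
#!/bin/sh
# Added example, not the hint's script: the "gather and report" half of a
# stolen-Mac tracker, with the parsing exercised on constructed samples so
# it runs offline. SERVER and TOKEN are placeholders, not real values.
SERVER='https://tracker.example.invalid'   # placeholder endpoint
TOKEN='replace-with-a-per-machine-token'   # placeholder credential

# Constructed sample of `ioreg -c IOPlatformExpertDevice` output. The real
# command prints many more lines, all in this same  "key" = "value"  shape.
SAMPLE_IOREG='+-o MacBookPro5,1  <class IOPlatformExpertDevice, id 0x100000110, registered, matched, active, busy 0, retain 8>
    {
      "IOPlatformUUID" = "00000000-0000-1000-8000-000000EXAMPLE"
      "IOPlatformSerialNumber" = "W8EXAMPLE1AB"
      "manufacturer" = <"Apple Inc.">
    }'

# Constructed sample of `ps ax` output, including the grep line that appears
# when the pipeline is `ps ax | grep loginwindow` and has to be filtered out.
SAMPLE_PS='  PID   TT  STAT      TIME COMMAND
    1   ??  Ss     0:03.12 /sbin/launchd
   41   ??  Ss     0:00.85 /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow console
  302   ??  R+     0:00.02 grep loginwindow'

# Serial number: split each line on double quotes so the value is field 4
# (the thread's one-liner, with its pipe and quoting restored).
serial_from_ioreg() {
    awk 'BEGIN { FS = "\"" } /IOPlatformSerialNumber/ { print $4 }'
}

# PID of loginwindow, the per-user process that screencapture must run
# inside (via launchctl bsexec) or the grab comes back as a black image.
loginwindow_pid() {
    awk '/loginwindow/ && !/grep/ { print $1; exit }'
}

# Multi-line report. printf interprets \n in every shell; echo only does so
# in some, which is why the thread's echo line needed a "\n" note.
build_report() {
    # args: external IP, date, computer name, serial, MAC, logged-in user
    printf 'IP: %s\nDate: %s\nComputerName: %s\nSerial: %s\nBuiltInEthernet: %s\nWhoIsLoggedIn: %s\n' "$@"
}

# Trigger check as patpro describes it: proceed only if <identifier>.html
# exists on the server. Offline the web root is a directory; on the Mac the
# equivalent test is  curl -sf "$SERVER/$id.html" >/dev/null
flagged_as_stolen() {
    webroot=$1
    id=$2
    [ -f "$webroot/$id.html" ]
}

# Ship the report with an HTTP POST (the curl idea from the thread) instead
# of FTP: the laptop then carries a token that can only append reports, not
# FTP credentials that could read or delete them. report.php is an assumed
# endpoint; this function is not called in the offline run below.
post_report() {
    curl -sS --fail -H "Authorization: Bearer $TOKEN" --data-binary @- "$SERVER/report.php"
}

# Stand-alone run on the constructed samples.
serial=$(printf '%s\n' "$SAMPLE_IOREG" | serial_from_ioreg)
pid=$(printf '%s\n' "$SAMPLE_PS" | loginwindow_pid)
echo "loginwindow pid for launchctl bsexec: $pid"
build_report '203.0.113.7' '2008-07-15 10:00' 'Lab-iBook-12' "$serial" '00:1e:c2:00:00:01' 'student'
# On the real machine the last line would continue:  | post_report
```

The awk filters replace the `grep loginwindow | head -1 | tail -1` chain and never match the grep process itself, and the report goes through printf so it looks the same whether the script is run by bash or by /bin/sh.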
I'd like it to simulate a kernel panic. After several reboots the thief will figure that something is seriously wrong with the computer.
display alert "The file system is corrupt." message "Please take this computer to an Apple Authorised Service Provider for a free repair." as warning
I am just throwing this on here since someone took time to find my email address back and let me know that he had success with this.
---------------------------------------------------------------
James,
How have you been, I would like to thank you once again on this excellent set of scripts. I don't see your website online anymore. I hope all is well. But I am emailing you because I have a success story.
I had a laptop iBook G4 on a media cart with a Projector and Califone speaker. My principal called me over and asked if I had the laptop.... I told him 'NO'... We asked around to make sure a teacher did not borrow it or something. So once we decided that it is missing we both got bummed out that someone would do this. I told my principal that there might be a way to see if it is stolen or not. I went to the web server and checked the logs and saw a different IP that was not ours. I told him that I think we might be able to recover this. So I looked at the logs to see how long it's been gone, and saw that it has been 4 months gone. I told him that the machine is being used frequently and that I would initiate phase 1 to collect data. A few days passed and saw the perp online and connected to the laptop and started my investigation of who had it (this is after I contacted our school police and started the process of a police report) to see if maybe he had documents that would give a name to the perp while we waited for a subpoena from the ISP. I got lucky and found some of his homework that he had done on the laptop. So the next day I talked to the detective and said that I have a name and a possible address because I had several docs with his name. He was very amazed on being able to do this. So the next business day the detective moved forward to obtain a search warrant and then went to the home and found the laptop. So after the laptop was noticed missing, recovery took about 4 days!!!
I hope you are doing well. Also I would wonder if there is something similar for our windows machines. The detective told me that in our district computers are being stolen almost on a daily basis with low recovery possibilities and having this really helped the investigation.
I am also going to add this to get wifi info on the machine and what is around.
/System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport --scan
Thanks buddy for this little gem.
-----------------------------------------------
This is a neat solution but I have concerns about the use of the ftp user & password in the script. It's possible that the thief could use these to remove uploaded files & data. Depending on your hosting setup they could potentially meddle with your website, or use the access to try other attacks.
I think a simple php script on the server that accepts post data could reduce the risk a little, by at least removing the ability for the thief to gain access to the server if they are smart enough.