How to protect my laptop when it is stolen

I've had a laptop stolen! It was a long time ago, I'd paid thousands for it (over £3000; it was a long time ago, when laptops were a lot more expensive than now) and I was gutted. To make matters worse I'd not put a BIOS password on it, and this is also when I discovered my mis-sold insurance policy only covered £1200. Thank you Skipton Building Society - not. I took it in to work to show a colleague Linux on it and made the mistake of leaving it in my boss's car whilst we went for a drink before going home. Someone got into the underground car park, broke the window and made off with it - thief - sorry for your window, boss. If I'd installed a BIOS password then at least I would have had the small comfort that, although not impossible to get around, it would have made matters difficult.

So when I saw Prey I was very interested. You install some software on your laptop that monitors the existence or not of a URL, and when it appears/disappears your laptop knows it is stolen. This sets off a sequence of events which leads to your laptop taking a screen image, activating the inbuilt webcam, if you have one, and taking a picture of the thief, optionally displaying a message window on the laptop saying it is stolen and providing an email address to contact, and collecting useful info about IP address etc., which is posted to the Prey website (if you register) or mailed to you otherwise. Sounded good, and although I rarely take my laptop out of the house these days I thought it was worth investigating. However, before I installed it on my laptop I installed it on my work machine (Ubuntu).

There is an Ubuntu/Debian package available and installing from this was trivial. Registering on the Prey website was also trivial, providing an API key and a machine name which you use to identify the laptop in question via the Prey system config GUI app. This also installs a root crontab job which by default runs Prey once every 20 minutes to check for the existence (or not, depending on how it is configured) of the defined URL used to specify whether the laptop is stolen.

Things were looking good but then I logged into the Prey control panel and set the flag saying the machine was stolen/missing - nothing. The control panel is supposed to show reports from the stolen laptop but I saw nothing. Further investigation showed that Prey is basically a large set of Bash scripts run under a cron job using curl to post the data to the Prey control panel. I finally discovered that prey.sh is installed in /usr/share/prey/prey.sh (contrary to the FAQ) and running this as root does the equivalent of what cron will do but obviously some output is available on the terminal. It looked like everything was running ok and then I found the -t switch which appears to do a run without posting the data - this didn't help. Further investigation and I finally located the code actually doing the curl post to Prey and narrowed the problems down. The first problem is my work machine sits behind an HTTP proxy which for some reason I will investigate later does not like curl's default HTTP 1.1 requests. Adding "-0" (to force HTTP 1.0) to the curl command line got me a lot further - I could now see reports on the Prey control panel but they were missing detail for the network connections and generating glob warnings from curl.

After more investigation it turns out Prey attempts to post form data for the captured screen dump and webcam via the @ input to curl (signifying a file) but the netstat output and the remainder of the recorded data is passed on the command line. The netstat output in particular is not liked by curl leading to the glob warnings and changing the netstat output to change [, -, ., * etc to something else made the warnings go away. However, the netstat output in the Prey control panel still only showed the first line of output from netstat (why?).
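The two curl problems above (the proxy needing HTTP 1.0, and netstat output passed on the command line producing glob warnings and a truncated field) can be shown in a small script. This is an added example, not Prey's own code: it assumes that the netstat text was expanded unquoted onto curl's command line, which would explain both the glob warnings and only the first line surviving, and it uses a placeholder control-panel URL.

```sh
#!/bin/sh
# Added example, not Prey's own code: why handing multi-line command output to
# curl as a bare shell word is fragile, and a safer way to post it.
set -u

# Constructed netstat-style sample; the [ ] and * characters are the ones that
# trip curl's URL globbing when they reach curl as a URL argument.
SAMPLE_NETSTAT='tcp   0  0 0.0.0.0:22  0.0.0.0:*  LISTEN
tcp6  0  0 [::]:80     [::]:*     LISTEN
udp   0  0 *:68        *:*'

# Stand-in for curl that just reports how many arguments it received.
count_args() { echo "$#"; }

# Fragile form: the variable is unquoted, so the shell word-splits it (and may
# even glob-expand the * tokens). curl would get "netstat=tcp" as the field and
# every other token as a separate URL, which is where glob warnings come from.
args_unquoted() {
    count_args -d netstat=$SAMPLE_NETSTAT
}

# Quoting keeps the whole output as one argument: just -d and its value.
args_quoted() {
    count_args -d "netstat=$SAMPLE_NETSTAT"
}

# Safer form: write the output to a file and let curl read it with @, so
# newlines and special characters are URL-encoded by curl and never touch the
# command line. Prints the file path.
report_file() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_NETSTAT" > "$tmp"
    echo "$tmp"
}

# -g turns URL globbing off; -0 forces HTTP/1.0, which the proxy in the post
# needed. $1 is the report file, $2 the control-panel URL (a placeholder here).
# The request is only sent when PREY_EXAMPLE_SEND=1; otherwise the command is
# printed so the example runs offline.
post_report() {
    if [ "${PREY_EXAMPLE_SEND:-0}" = 1 ]; then
        curl -g -s -0 --data-urlencode "netstat@$1" "$2"
    else
        printf 'curl -g -s -0 --data-urlencode netstat@%s %s\n' "$1" "$2"
    fi
}
```

Run with `PREY_EXAMPLE_SEND=1` and a real URL to actually post; without it the script only prints the curl command it would have run.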

So it appeared that with a few modifications Prey basically worked. Declaring my machine stolen resulted in reports on the Prey control panel and optionally a warning dialogue on the stolen machine saying it was stolen and suggesting to contact my email address (this message is configurable on the Prey control panel). I then moved on to the actual laptop in question, which predominantly runs Windows. This is where I hit a brick wall - yet to be resolved. All attempts to install Prey for Windows resulted in a dialogue saying "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item." I stopped here and will investigate further.

Before coming across Prey, and since having a laptop stolen, I changed my strategy to install a BIOS password. Of course, if someone does not make it past the BIOS password, the OS does not boot and Prey does not come into play. I'm left wondering, if I could get Prey to work for Windows, what the best strategy is. Install a BIOS password, which will make it hard for the thief to use the stolen laptop, or leave off the BIOS password and hope Prey comes into effect and posts data about the location of the thief - hmm.

Comments

Prey and Windows/Kaspersky

Further to this I've now had a more determined attempt at installing Prey on Windows XP running Kaspersky Internet Security Suite 2010.

Firstly, you cannot install Prey whilst Kaspersky is running. You can exit Kaspersky and the install works ok, but some time later Kaspersky spots Prey's cron.exe and thinks it contains a virus. After this happens I've not successfully managed to persuade Kaspersky cron.exe is ok. I tried making cron.exe a trusted application and also tried adding all exclusions possible, but Kaspersky just insists that cron.exe contains a virus and my machine needs rebooting so it can be removed. On reboot, it is removed.

If I disable Kaspersky then we get a lot further, but marking my laptop as missing on the Prey control panel still does not work properly. Yes, I get the alarm signal (assuming I enable it) on my laptop and the message saying contact me (assuming I enable it), but the code to grab an image via the webcam fails with "snapshot.exe has encountered a problem and needs to close." The end result is the report submitted to the Prey control panel is virtually empty.

I've reported the false positive on cron.exe to Kaspersky so we'll wait and see what happens there, but even if this is resolved Prey is not working properly on my laptop. Great idea, but so far not a lot of luck getting it working - I'm still sticking in there to get this working and will look into why snapshot is failing.

snapshot.exe access violations

Prey is working fine for me on Linux, but on Windows snapshot.exe gets an access violation. I'm looking for the source code for it so I can fix the problems, but so far no one can tell me where it is - see "Where is the source for snapshot.exe".

cron.exe false positive as virus in Kaspersky

Since posting the above I reported the false positive on cron.exe to Kaspersky, and I see that today's database update for Kaspersky no longer reports cron.exe as a virus - result.