Sunday, April 08, 2007

EXTENSIONS

Undercover : The case of the stolen Mac

Police team comes close to nabbing a thief, but better processes could help fight crime in future

GRAHAM K. ROGERS

My own complacency with regard to home security caused the loss of my PowerBook last month, when late one night thieves forced the front door while I was asleep. But the security software I had on the Mac almost paid off.

When I first wrote about the theft in Post Database recently, I did not mention that it was being tracked: I had both the IP number of its location and several screen shots.

I had installed Orbicule's Undercover, but of course I hoped I would never have to use it. The opportunity to test it for real came when my house was burgled and several items were taken, including my 12-inch PowerBook. My emotions in the next weeks ranged from initial disbelief through anger, incredulity, relief and - above all - frustration.

Around the time Orbicule told me the IP address, Captain Mongkol Puvaphrapachat of Thammasala police station and his officers joined the discovery process.

Rightly, ISPs in Thailand will not reveal information about an IP address without the correct documentation. Unfortunately, the time taken to reveal the location was too long.

When Undercover was installed, I had followed the suggestions carefully. While there is always an Administrator account with OS X, I always work in a separate User account. Both have password protection. I also created an account with no password: a "honey trap".

The thief is drawn to that unprotected account. Using parental controls, I limited some functions of the operating system, and set it up so that some programs could not be used. I installed Open Firmware Password, to lock the system: with this the computer cannot be started with external disks.

The way I had the Mac locked up may be inconvenient for many people, though what is more inconvenient than a stolen computer? Like insurance, you hope you never need it, but when you do, you are glad you made the effort.

I notified Orbicule of the theft within a few hours and the database was activated. If my PowerBook was used online, it would send signals and the tracking process would begin. Peter Schols of Orbicule warned me, however, not to get my hopes up early: most connections do not occur for a couple of weeks. That comment was almost a prediction: on day 13, he sent me and the police the IP number.

Subsequently, I saw screenshots that the installation had taken. On the latest Macs with iSight cameras, Undercover also takes pictures of the user, "in the act."

Although there was no information that identified the user, I was able to build a profile:

- He (and I was certain it was "He") had a power supply. The thief forgot that;

- At the time, my accounts were intact, as was data;

- The user could see account names, so knew the machine was illegally acquired, especially as accounts could not be entered;

- He used WiFi, although the signal was weak;

- The PowerBook was restarted several times in a short period. He was attempting to break in.

Whoever was using the PowerBook watched the movie Crank, as well as country style karaoke (I made a note to delete that account), and had imported several megabytes of music and movies. He also contacted the iTunes shop in Japan.

During five days, the computer stayed in the same location with external and internal IP numbers unchanged. This indicated a manual setup, not DHCP, which the Mac has to use in certain situations. He too was probing: trying applications, examining the directories where my folders were still locked. Free space on my hard disk was diminishing.

I was watching a stranger tamper with my carefully maintained computer. Then it stopped.

Information about the location was not available until three weeks had passed. Then there was a burst of activity from the police who, like me, could sense a result and perhaps even the return of the loot.

Sergeant Wanchai Ackrawong visited my home and requested extra information, which I was able to provide. He also asked me to go along as I could positively identify the computer.

On the following Monday, Wanchai and his enthusiastic team of Prateep Sophee, Teerasak Sudtanin and Veerapong Korseay ferried me to an establishment in the Din Daeng area. Sergeant Wanchai had the foresight to bring his English-speaking son, Joe, as a translator.

Initially, Wanchai negotiated with officials to confirm IP details and other information. As it was not possible to conclude the business, we returned the following morning.

Despite cooperation, the computer had probably not been there for several days. Although I was allowed to link to the network and I was able to confirm the settings, there was no trace of my computer. At this stage, I do not expect to see it again.

That Undercover did manage to track the computer is positive. I immediately bought another licence for the replacement MacBook Pro. That the police cooperated as much as they could was also a plus. We hear negative reports, but the officers I came into contact with were helpful and keen within the limits of what they were able to do.

A lack of security in the home lost me my computer, but good software (plus cooperation from my local police) almost got it back.

This theft was a minor event when compared with other crime that takes place. It is clear that, while this suburban police station was more used to traditional types of behaviour, computer crime will increase. Officers must be able to deal with this. A three-week wait for an address is unacceptable.

When serious crimes involve computer use, swift identification of suspects is essential, particularly when considering the mobility of a notebook computer and modern connections.

Better liaison between the relevant agencies, including ISPs, with perhaps even the creation of a specialised (but independent) unit for the purpose, would remove such delays, otherwise the authorities' hands are tied.

Bangkok Post
