This Ruby code hurts my brain, mostly because it tries to be too cute (if you want to do configuration in a Ruby script, aren't you supposed to use YAML or something?). Why not just a shell script?
Great little trick, unfortunately most laptops are formatted right after being stolen to be re-sold. Unless your laptop was stolen with the express purpose of blackmailing you or because it is known to have juicy data on it the chances of it coming alive long enough for you to connect back to it are slim to none.
Even so every little bit helps, if this aids in the recovery of a few laptops and apprehension of the perps then so much the better.
If your laptop does get stolen, keep a close eye on auction sites, eBay, Craigslist and the like; chances are it will turn up there within hours of being stolen.
I have a particularly ingenious defense to prevent reformatting: I have a 3,1 Macbook Pro with a Superdrive. Not only is it incapable of reading any optical media, but getting your disc back from the furry recesses of its lair is almost impossible.
Ha! I understand entirely. I have the same hardware, and I'm replacing the (now broken) optical drive with an MCE OptiBay and an SSD currently in the mail.
I did the same. Watch out for the 1.7 fw upgrade for the SATA bus. My MBP couldn't handle the amount of data sent and as a result would crash every time I would install OS X. Downgrading the firmware to only allow for 1.5Mbps worked well and it is what I am currently running. Email me if you need a link to the downgrade.
I think the ideal setup would be to have your laptop boot into a decoy "usable" install by default (autologin to admin, adjustable network settings), and have your actual install encrypted and completely locked down (i.e., have GRUB boot the decoy install without showing the menu, so you'd have to press Esc to show your other install).
That way, the tunnel wouldn't be running all the time, but if someone were to steal your computer, it would be available right away. For travelers, it'd also be useful at customs, since you could just show them your decoy install without raising any suspicion.
And of course, having regular offsite backups is a necessity regardless of what approach you take. This should only be a method of getting your hardware back, not your data.
My Cr-48 works like this now that I installed Ubuntu on it. Outside of developer mode, it only boots ChromeOS, in developer mode, I've set it up to still boot ChromeOS by default and I've got to run a pretty cryptic command to set the boot priority to Ubuntu. To the layman, the machine wouldn't appear to be anything but ChromeOS. Being cloud based, it's a great decoy OS (but provides no theft recovery options).
This is actually surprisingly hard to do with Macbooks. TrueCrypt currently only supports whole disk encryption for OSX and PGP Whole Disk Encryption's partition encryption is still somewhat experimental. Even if one does get this working, one needs to chain load PGP's BootGuard decrypter after selecting the alternate partition using the default EFI Boot screen when holding the Option key, and the relevant bits of EFI configuration are for the most part undocumented; chainloading is not "supported" by the official PGP tools.
The next best option seems to be to replace EFI Boot with rEFIt and clone the behavior...
I can go on, but maybe you're beginning to see why this quickly turns into a bit of a rabbit hole.
Well, I was thinking of doing this with Linux, since that's what I use. I'd have Windows be the decoy install and use LUKS for dm-crypt to encrypt the Linux install at the system level. And setting up the default boot with no countdown in GRUB is trivial. All the pieces are there, and while there's no definitive guide on how to do it, I don't reckon it would be very difficult. Since I don't use Macs, I have no idea whether this approach would be feasible for them as well.
The main thing holding me back is that now that I've moved to an SSD, my laptop only has 64 GB of space, so I'd rather not waste 10 GB on a decoy Windows install. Perhaps once I get a bigger SSD.
I'd think that the abuse of a backdoor into your computer is more likely than your laptop being stolen. Would anyone else be uncomfortable installing this on their machine, or am I a little paranoid?
Regardless, I think it's a neat idea. I'm no security expert, by any stretch.
All this does is make an already available service (SSH) available at a predictable location. You still need to use a password, RSA/DSA keys, or other methods to log in.
Right, but you're connected to a "known" host you need to keep secure as well. So you have two machines to worry about, right? I also am not one to keep more sshds running than I need to—but I guess the chances of this being exploited are slim. Are they as slim as having your laptop stolen, though? (Genuinely curious—this seems like something you'd want to consider before using something like this.)
But absolutely, it isn't like you've left an open door into your computer.
Is it more likely? That depends on how often you leave your laptop unattended. :)
I, and pretty much every hacker I know, have some machine they can SSH to on the internet, somewhere. The only added risk is exposing your laptop to an attack against the SSH daemon, which involves either weak passwords, weak/unsecured keys, or an SSH server vulnerability. The first two are easily mitigated. The third is incredibly infrequent, and when it does happen, you've got bigger problems to worry about.
Almost all SSH attacks target port 22, not a random high port, so you're unlikely to even see connections to that tunnel in the first place.
Finally, you don't even need to trust the remote machine, since SSH will authenticate the laptop's host key through the tunnel. MITM attacks are possible against SSHv1, but pretty much everyone is on v2 these days.
Those are good points. I appreciate your responses—I definitely don't want to be seen as putting your program down, and I'm genuinely curious about what I was asking.
I suppose the increased risk is small, and probably nothing to worry about. Cheers!
If you're running Linux, chances are you already have an ssh daemon running. All this script does is keep a connection active to a known host. Your primary concern at that point would be securing the known host.
My laptop runs OpenVPN as a daemon using key authentication, connected to my home network. This is mainly so I can access my home network remotely, but it works the other way also, letting me in to my laptop when it's not in front of me. OpenVPN as a daemon can also be configured to reconnect when it detects that the network configuration has changed, so it is completely, transparently portable between whatever network my laptop is on, as long as that network has internet access.
If I lose the laptop, I can just revoke the key it uses to connect.
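A client profile of the kind the comment above describes, added here as an example; it is not the commenter's own configuration. The server name vpn.example.com, the certificate and key file names, and the Easy-RSA commands mentioned in the usage note are assumptions.

```conf
# laptop.ovpn (added example, not the commenter's file)
client
dev tun
proto udp
remote vpn.example.com 1194
# keep retrying name resolution and the connection instead of exiting,
# so the daemon comes back on its own when the laptop lands on a new network
resolv-retry infinite
nobind
# keep the key material and tun device across the restarts that keepalive
# triggers; required once the daemon has dropped privileges
persist-key
persist-tun
# ping the server every 10 s; after 60 s of silence restart the tunnel,
# which is what makes it reconnect after the laptop changes networks
keepalive 10 60
# certificate-only authentication, and only accept a server certificate on
# the far end so a stolen client certificate cannot pose as the server
remote-cert-tls server
ca ca.crt
cert laptop.crt
key laptop.key
verb 3
```

Revoking "the key" is revoking the laptop's client certificate at the CA (with Easy-RSA 3: easyrsa revoke laptop, then easyrsa gen-crl) and it only takes effect if the server's configuration carries a crl-verify line pointing at the regenerated CRL; without that line the server keeps accepting the revoked certificate.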
Yup, coupled with a little init script and instructions for use. Oh, and this particular method can't be used to log into your forwarding host, due to the construction of the public key.
Only wrote the script so I could add network topology reporting as well, so it can submit local MACs. Oh, and maybe automatic wifi scans. Figure you could plug those into google's geolocation services for street-level accuracy.
1. The forwarding user has no group access, and not even write permission for its own home directory.
2. Shell is /bin/false, password is disabled.
3. The SSH public key format actually takes options (man ssh-keygen, -O) which allow it to only be used for port forwarding.
Usually I go through the whole chroot rigamarole, and you certainly could here, but I got lazy and I think these directions will suffice for most people.
This makes me reasonably happy about having a passwordless login to one of my servers.
Heh, point taken--I banged it out in 3 hours this morning. Though I must admit laughing a little about being called a newbie! Not like I'm hard to find on github or freenode... :-)
I only submitted because a.) it takes advantage of some non-obvious ssh features I have to look up every bloody time, b.) friends have asked for it, and c.) yesterday's front-page submission about theft made it seem apropos to remind people how easy this is to accomplish.
Yeah but why Ruby? It's what shell scripting has been invented for :)
While I admit many looong shell monstrosities are better implemented in something like Ruby, and I myself use Ruby as a scripting language of choice for anything longer than one screen of text, this time it looks like it's kind of - excuse my language - overrubyism. I understand there's a tendency of rewriting everything in The One Beloved Language and I'm a victim of this approach myself occasionally. But seriously, this could be a shell few-liner!
Anyway thanks for advertising the idea of ssh -R tunnels, they are a neat trick!
This is a great hack/proof-of-concept but for anyone remotely concerned about the integrity of their data in the event of a theft, I can't recommend something like PGP Whole Disk Encryption (http://www.symantec.com/business/whole-disk-encryption) enough.
There are other options, including free ones on Linux, but for Mac I think this is the best implementation.
With my laptop insured and my data unrecoverable, the package gives me total peace of mind.
I wouldn't trust this for security reasons. You're relying on the "allow everything except for what I thought of to lock down that an attacker might do" principle, instead of the "deny everything except what I explicitly allow" security principle.
For example: in addition to allowing you to tunnel into your stolen laptop, you're also giving the thief permission (and the key) to use your server as a proxy.
ssh can be locked down further than in your instructions, but I wouldn't rely on it.
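An added example, not the thread's Ruby script or anyone's posted configuration, that puts the three lockdown steps listed a few comments up, the "ssh -R" tunnel itself, and the proxy objection raised just above into one POSIX shell script. The relay name relay.example.com, the account name tunnel, port 2222, the key path /etc/tunnel/id_ed25519 and the laptop login me are assumptions. It also assumes OpenSSH 7.8 or newer on the relay (for the permitlisten key option and the PermitListen directive); the AllowTcpForwarding remote setting in the Match block is what allows the inbound -R bind while refusing -L and -D, so the key cannot be used to proxy through the relay.

```shell
#!/bin/sh
# Added example, not the Ruby script from the thread: relay-side lockdown of a
# forwarding-only account plus the laptop-side "ssh -R" tunnel. Assumed names:
# relay.example.com, account "tunnel", port 2222, /etc/tunnel/id_ed25519, login
# "me". Assumes OpenSSH 7.8+ on the relay (permitlisten / PermitListen).
set -u

RELAY_HOST="relay.example.com"      # assumed relay name
TUNNEL_USER="tunnel"                # unprivileged, forwarding-only account on the relay
TUNNEL_PORT="2222"                  # relay loopback port that leads to the laptop's sshd
LAPTOP_SSHD_PORT="22"
LAPTOP_USER="me"                    # assumed login on the laptop
KEY_FILE="/etc/tunnel/id_ed25519"   # laptop's dedicated tunnel key, root-readable only

# authorized_keys line the relay accepts from the laptop's key. "restrict" turns
# off pty, agent/X11 forwarding, ~/.ssh/rc and all port forwarding;
# "port-forwarding" turns forwarding back on and "permitlisten" narrows it to
# TUNNEL_PORT (GatewayPorts defaults to no, so the bind stays on loopback).
# Anything that is not exactly one "<type> <base64> [comment]" line is rejected,
# so a key with an embedded newline cannot add a second, unrestricted line.
authorized_keys_entry() {
    key="$1"
    [ $(printf '%s\n' "$key" | wc -l) -eq 1 ] || return 1
    set -- $key                       # split into fields; unquoted on purpose
    [ $# -eq 2 ] || [ $# -eq 3 ] || return 1
    case "$1" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$TUNNEL_PORT" "$key"
}

# Match block for the relay's sshd_config. Even if the key options are ever
# loosened, sshd itself allows this user only *remote* forwarding (-R), so the
# key cannot turn the relay into an outbound proxy with -L or -D.
sshd_match_block() {
    cat <<EOF

Match User $TUNNEL_USER
    AllowTcpForwarding remote
    PermitListen $TUNNEL_PORT
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PasswordAuthentication no
EOF
}

# Relay side, run once as root: nologin shell, locked password, and a home
# owned by root so the account cannot rewrite its own authorized_keys.
install_relay_account() {
    entry="$(authorized_keys_entry "$1")" || { echo "refusing malformed public key" >&2; return 1; }
    home="/home/$TUNNEL_USER"
    useradd --system --shell /usr/sbin/nologin --home-dir "$home" --create-home "$TUNNEL_USER"
    passwd -l "$TUNNEL_USER"
    install -d -m 0755 -o root -g root "$home/.ssh"
    printf '%s\n' "$entry" > "$home/.ssh/authorized_keys"
    chown -R root:root "$home" && chmod 0755 "$home" && chmod 0644 "$home/.ssh/authorized_keys"
    sshd_match_block >> /etc/ssh/sshd_config
    sshd -t && echo "sshd_config is valid; reload sshd to apply" >&2
}

# Laptop side: the command an init script keeps running (as root, so the relay's
# host key must already be in root's known_hosts). -N: no remote command, the
# relay account has no shell anyway. ExitOnForwardFailure makes ssh exit when a
# stale tunnel still holds the port, so run_tunnel retries; ServerAlive* drops a
# dead link after about 90 s, which is how the tunnel follows the laptop across
# networks.
tunnel_command() {
    printf 'ssh -N -o BatchMode=yes -o StrictHostKeyChecking=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -i %s -R %s:localhost:%s %s@%s\n' \
        "$KEY_FILE" "$TUNNEL_PORT" "$LAPTOP_SSHD_PORT" "$TUNNEL_USER" "$RELAY_HOST"
}

run_tunnel() {
    while :; do
        sh -c "$(tunnel_command)"     # the string contains only the constants above
        sleep 30                      # back off, then re-establish (what autossh would do)
    done
}

# On the relay, reach the laptop through the tunnel. HostKeyAlias makes ssh
# verify the *laptop's* host key under the name "laptop" instead of the relay's
# own "localhost" entry, so it is the laptop that gets authenticated, not the
# relay; record that key under "laptop" in known_hosts once, before first use.
reach_laptop_command() {
    printf 'ssh -o HostKeyAlias=laptop -o StrictHostKeyChecking=yes -p %s %s@localhost\n' \
        "$TUNNEL_PORT" "$LAPTOP_USER"
}

case "${1:-}" in
    install) install_relay_account "${2:-}" ;;   # on the relay, as root: sh tunnel.sh install "$(cat laptop.pub)"
    run)     run_tunnel ;;                        # on the laptop, from an init script
    show)    tunnel_command; reach_laptop_command ;;
    *)       ;;                                   # sourced or run with no args: only define functions
esac
```

Run it as root on the relay with the install argument and the laptop's public key, from an init script on the laptop with run, and use the printed reach command on the relay itself. Because the lookup is keyed by HostKeyAlias, the laptop's host key has to be recorded once under the name laptop in the relay user's known_hosts (while the laptop is still in your hands) or the first connection through the tunnel is refused, which is the point: the relay never has to be trusted to vouch for what is on the other end.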
Not the same thing. This is meant as an initscript to set up a port forward, autossh/rstunnel just watch an ssh connection you initiate and restart it as needed. You could use autossh/rstunnel to implement this though.
I have installed Adeona (http://adeona.cs.washington.edu) too previously, but I don't exactly understand how my laptop will connect to the internet when stolen?
This tool won't handle the connection management for you. You could scan for unsecured wifi networks periodically and connect to them. I'm just presuming a thief will log into my laptop's passwordless account, and network-manager will handle the rest.
Well, disabling passwordless accounts is one of the first things I do with my computer.
I wonder if there are scripts that will connect to unsecured networks, whether it's a good idea and how good electronics thieves are at countermeasuring such tools (which is pretty trivial).
I should clarify: the passwordless account is a honeypot. It's isolated from my personal account and everything important. The only point is to encourage the attacker to use the computer instead of reformatting it, so I have a chance of recovering the hardware.
I think you'd need to write your own shell-like daemon for Windows. I've considered doing that for my home network just so I could use some of the family's machines when they're away, etc. But since Windows doesn't come with a real shell built in, rolling your own would be your only real recourse.
When I was in high school, people used a tool for Windows called Fictional Daemon to get a remote telnet server that could access a command prompt, start, stop, and list running tasks, etc.