I'm reposting this now that the situation is officially out of the bag.
The laptop and the iPhone that were stolen have been recovered!!
Details from the San Jose Mercury News:
http://origin.mercurynews.com/opinion/c
----------------------------------------
(Original Post)
Here's an interesting situation:
My friend's MacBook was stolen out of her truck last week.
I happen to have a dot.mac account as well as a user account
on her laptop.
I can and have been able to pull up the screen when whoever has
the laptop now is using said laptop and connected to the internet.
(i can also access files without sharing the screen via Finder)
Anyone have any suggestions on ways to locate the laptop without
alerting the person that I am on to them?
I've thought of starting photobooth to have a look at who's at the keyboard,
but that would show my hand right away. The other problem is the damn
criminal is too cheap to have their own internet and is leeching a weak wireless
connection, so screen sharing is hit or miss at best.
I have admin access and I have my friend's password (i asked her if she wanted
me to delete any files and thankfully she has nothing to fear, besides photos and the like, on the laptop).
Any suggestions for retrieval, or at the very least, making it more difficult for the thief to use the laptop?
edit - update 4-10-08
So i've been watching this guy, he has managed to change the username and password, but i still have admin access via my account on the computer. this guy has no life and apparently no job because he never seems to leave the computer, but at this point he is mostly running limewire. here's some screenshots:


EDIT - UPDATE
I have his IP address:
67.169.177.49

Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1)
67.160.0.0 - 67.191.255.255
Comcast Cable Communications, IP Services BAYAREA-8 (NET-67-169-128-0-1)
67.169.128.0 - 67.169.191.255
EDIT - UPDATE
Well, after spending much of the day on the phone with various Santa Cruz Police officers, who while very friendly and professional, sort of listened to me as if I was describing some kind of black voodoo magic, I got a call back from a very enthusiastic detective who realized exactly the repercussions of the info that i was relating to them. In essence, once he gets Comcast to release the physical address related to the IP address (how awesome was it to finally get an officer on the line who actually knew what an IP address is!!), he can call me, have me pull up the screen to confirm the laptop is on and in place, and basically they can go in with a warrant and take the laptop back.
That is if everything goes in a best case kind of scenario (and when does that ever happen?). The biggest bummer is every single person I've talked to has repeated that even on a rush job, it could take a week to get an IP warrant. Well, that's some seriously inefficient red-tape. That being said, this jerk-off with the laptop doesn't appear to be moving around too much as he has pretty much set up the thing to rip dvds (HandBrake) and run LimeWire. In the meantime, I will continue to post screenshots and continue to update here in this thread. I'm still very much open to ideas that anyone cares to offer and thanks to everyone for their support!!
I’ll be cross posting screenshots here:
http://public.fotki.com/joeyrenza/h
EDIT - UPDATE 4/11/08

Sometime last night around 10pm EST the laptop went offline and has been offline since.
This could mean several things, it might be as simple as the guy closed the laptop and has been busy doing other things. He may have found an OSX disc and did a clean install, he may have erased my user account, or maybe he got tipped off and realized he was being watched. Hopefully the laptop will pop back up soon, but even if it doesn't we have an IP address which will hopefully lead to an actual address, and we have a picture of the guy, and Santa Cruz is a very, very small town.
EDIT - UPDATE:
The laptop popped up online briefly this afternoon. Our boy has changed the name of the laptop to DRxFUCKYOU, but thankfully he hasn't deleted my account yet, though he does seem to be getting more savvy, so that could happen soon. I wasn't able to connect to the laptop this afternoon due to shitty internet, but i'll keep an eye this evening and try to get some more screenshots posted.
EDIT - UPDATE 4/12/08
Huge score today!!
For the time being i'm not going to release exact details
because this info i'm finding out is very sensitive and i
want to give the police the best shot they can get at catching
this guy. That being said, today I found out this guy is:
27
an ex-con
i know his DOB
his mom's maiden name (thanks e-bay!!)
(he has been shopping ebay for a police scanner...
i wonder why?)
he belongs to local sex/date hook up site
his email address
and today i snapped a screen shot so clear
that you can read the lettering on his ink
I'm not sure how much more i can do for the SC police
i'm pretty much serving this guy up on a platter...
EDIT - UPDATE - 4/13/08
Well, in a testament to how easy Macs are to use, even this dumbass can figure out how to delete a user account. So the screen sharing game is up sadly, though i can still connect to the public folders, so that's at least some consolation. Yesterday, despite losing my account on the laptop, was a huge day in terms of finding out info on this guy. I will eventually post the snaps, but I can't stress just how clear of a pic photobooth served up of him.
I'm going to give the SC police a couple days to show some signs of movement on this case, and if there's no development then I'll release all the info I have on this guy and the internets can have its way with him /chan style. Once again thanks to everyone for their interest, we've had a set-back, but the game is far from up.
EDIT - UPDATE 4-14-08
The warrant / subpoena process has begun...
EDIT - UPDATE 4-23-2008
So Comcast has been served the necessary papers, they should have the address by the end of the week. In the meantime, the police have identified the guy and checked all his known addresses, but alas, he was not present (the police also checked the addresses for the wireless network "GrossNetwork" which is the wi-fi network he is using the laptop on).
Dect. Eveleth received the cdr of screenshots i mailed him (around 100 or so that i took) and he has informed me that he will call as soon as they get the go-ahead to serve the warrant.
So the game is still on!!
----------------------------------------
as always, more to follow.
thanks to everyone for their great suggestions!
-Joey
April 9 2008, 22:54:35 UTC 4 years ago
April 9 2008, 22:59:32 UTC 4 years ago
Just kidding, thank you for your suggestion, off topic though it may be.
She did in fact contact the police, they were nice enough to fill out a
report and everything. But in a very Lebowski-esque manner, they told
her not to hold her breath about "the Creedence"
apparently the East Bay police have bigger fish to fry than a laptop thief...
April 9 2008, 23:00:15 UTC 4 years ago
April 9 2008, 23:02:13 UTC 4 years ago
pull up terminal
and then do...
April 9 2008, 23:09:06 UTC 4 years ago
April 9 2008, 23:13:19 UTC 4 years ago
i'll have to look into the Apple Script/command line ideas
thanks for the suggestions
April 9 2008, 23:31:11 UTC 4 years ago
But please also keep in mind that the person who currently possesses the MacBook might not be the original thief; it could be someone who unknowingly purchased it via eBay, community bulletin board, etc.
Again, good luck.
April 10 2008, 00:41:45 UTC 4 years ago
April 9 2008, 23:38:49 UTC 4 years ago
After that... I'd be tempted to use file sharing to push an Apple Script to the computer. The AppleScript would do nothing except put up a dialog that says the computer is eligible for a free extension to the AppleCare warranty. All the user has to do is take the computer to the following Apple Store. Then you alert the Genius Bar to be on the look out for that serial number... you get the idea.
April 10 2008, 00:42:29 UTC 4 years ago
April 9 2008, 23:59:14 UTC 4 years ago
Not sure how that stuff works, but I'd think you might be able to push the software onto the laptop by using file sharing to copy it on, and then screen sharing to install it...
April 10 2008, 00:48:41 UTC 4 years ago
Looking into that now
April 10 2008, 00:45:20 UTC 4 years ago
get root access and check out what email accounts, ichat friends, signatures he has on it, perhaps.
April 10 2008, 01:33:44 UTC 4 years ago Edited: April 10 2008, 01:53:13 UTC
Also, install this before you boot them out: http://www.macosxhints.com/article.p
Do you have ssh access? And how familiar are you with command line toys?
More evilly, I'd email/contact everyone he does to say 'Did you know your friend is using my stolen laptop? I've alerted him and tried to get it back and he's not playing nice.' A good one for this is gmail, which leaves you logged in until you specifically log out, so you can have all kinds of fun with that.
Another idea - I don't know if Apple stores still do, but it used to be possible to report your stolen Macs to Apple so long as you have both the mac address and the serial number of the machine. Both of them are in System Profiler (About this Mac> More Info) or, alternatively, if you have the serial number elsewhere, you can get the mac address through Terminal over ssh using ifconfig -a. You'll need the en1 ether address. Back in the day, Apple kept this as a database, and if you could somehow convince them to take the computer to an Apple store, the Geniuses get alerted when it hops on the store wifi. Even if they no longer do the wifi-alerting, it'll mean they can't get anything fixed. For what that's worth.
April 10 2008, 06:20:35 UTC 4 years ago
i don't have any command line experience,
but i'm a quick learner.
i'm looking into all these options.
(see above for a snap i took of the guy)
April 10 2008, 03:36:38 UTC 4 years ago
which will tell you what their external IP is. From that you can do a dig -x $IP and a whois -h whois.arin.net $IP to find out where that IP is and the owner.
You can then turn on photobooth and do screen shots on your machine showing the person. Present this all to the police and tell them to get the laptop back.
April 10 2008, 06:31:51 UTC 4 years ago
April 10 2008, 04:04:27 UTC 4 years ago
If you're interested in learning about the thief, the suggestions earlier in the thread about http://whatismyip.com and the command-line iSightCapture tool are great bets. You can use a combination of the Network System Preferences pane and the whatismyip website to figure out whether the machine is behind a firewall; if the IP address you discover is "external" (basically, anything that doesn't start with 192.168.something, 172.16.something, or 10.something is accessible from the Internet) and matches the IP on the Network pane, then you can go into the Sharing preferences pane and enable Remote Login (SSH). Then you can use another Mac to connect to the Terminal of the stolen MacBook (ssh username@IP_address), and work just like you were sitting in front of it using the Terminal program on that machine, without the thief's knowledge.
However, if you decide to tip your hand, may I suggest the Terminal command "say"? It takes whatever you put on the command line and uses the Mac's text-to-speech software to render it audibly through the speakers. Something like, "This computer is stolen! Please call XXX-XXX-XXXX to report it!" would get some attention at a Starbucks. ;-) Just don't forget to unmute the speakers first with osascript.
April 10 2008, 06:07:03 UTC 4 years ago
I don't know of any tools offhand to do this via the command line, but it could prove useful if the laptop hasn't been shipped to another city yet, as a way of proving that a laptop has/is being used in a certain physical vicinity.
April 10 2008, 06:30:56 UTC 4 years ago
April 10 2008, 08:19:17 UTC 4 years ago
open http://whatismyip.org
Get the ip to give to the police.
And then run:
rm -rf /
If you're logged in as administrator, it should delete the OS and make it unbootable.
April 10 2008, 18:14:25 UTC 4 years ago
sudo rm -rf /
Though you have more chance of getting the machine back if he keeps using it and you can track him.
April 10 2008, 18:19:57 UTC 4 years ago
Some people have given you some great ideas and some have given you terrible ideas (sorry terrible idea posters). It is my opinion that you do NOT want the thief/new-owner to know that you know the machine is stolen and you have access to it.
Why?
Because it increases the chances of other changes that may weaken your ability to recover it. Don't jeopardize this for being cool with a "gotcha!" message. Not yet anyways.
Here is what I would suggest doing:
1. Change the .mac password or any other passwords that may have been saved.
2. If your friend has any credit card info saved in any auto-form filler things, contact the credit card company and explain what is happening. You have a good chance of disputing any unauthorized charges that came from that laptop. From the background picture you posted it looks like some email confirmation about a charge to a credit card.
3. Find out what the network settings of the machine are. There are different ways of finding this out. If you can access the machine via ssh (which is nice if you have it enabled) then you can get the current network information out of the machine simply with the command:
system_profiler (to save it in your Documents use system_profiler > /Users/yourname/Documents/systeminfo ) This will give you the current IP address of the machine. If it is connected to a wireless network it will give that name too. If this is the case you are likely to get some address like 192.168.0.something. This is of course the router IP. You will need to get more information about the connection that router is on. You could get this by visiting http://www.ipchicken.com .
This IP address is very important.
If you CAN'T get into the machine via ssh then you may have to look to another way.
5. Once you know the real IP address the laptop is connecting from, visit http://whois.arin.net and input the IP address into the WHOIS search field. This will tell you which IP address belongs to what ISP.
6. Contact your local law enforcement immediately and tell them the laptop is stolen, you have a connection back to the laptop via the Internet. Give them the IP address and name of the ISP you got out of the WHOIS server.
7. Contact the ISP and do the same thing.
8. Do it quickly cause those IP addresses do change and you may have to do it all over again.
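Added example, not part of the comment above or of the original thread: a Python sketch of the two checks the commenters describe, namely whether an interface address is a private (NAT) address, and which allocation in an ARIN-style WHOIS listing most specifically covers the external IP. It generalizes "172.16.something" to the full RFC 1918 block 172.16.0.0/12; the WHOIS text is constructed from documentation addresses and all function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the owner-line / range-line layout of the WHOIS output
# quoted in the post; documentation addresses and made-up network names.
SAMPLE_WHOIS = """\
Example ISP, Inc. EXAMPLE-ISP (NET-203-0-113-0-1)
203.0.113.0 - 203.0.113.255
Example ISP, Regional Services REGION-8 (NET-203-0-113-128-1)
203.0.113.128 - 203.0.113.191
"""

# The three private IPv4 blocks reserved by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RANGE_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)\s*$")


def is_rfc1918(ip):
    """True if ip is in one of the private blocks (not reachable from outside)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def behind_nat(interface_ip, external_ip):
    """True if the machine's own address is private or differs from the
    address a what-is-my-IP site reports for it."""
    same = ipaddress.ip_address(interface_ip) == ipaddress.ip_address(external_ip)
    return is_rfc1918(interface_ip) or not same


def parse_allocations(whois_text):
    """Pair each owner line with the 'first - last' range line that follows it."""
    allocations, owner = [], None
    for line in whois_text.splitlines():
        match = RANGE_RE.match(line)
        if match and owner:
            first, last = (ipaddress.ip_address(g) for g in match.groups())
            allocations.append((owner, first, last))
            owner = None
        elif line.strip():
            owner = line.strip()
    return allocations


def most_specific(whois_text, ip):
    """Return (owner, [CIDR blocks]) for the smallest range containing ip."""
    addr = ipaddress.ip_address(ip)
    hits = [a for a in parse_allocations(whois_text) if a[1] <= addr <= a[2]]
    if not hits:
        return None
    owner, first, last = min(hits, key=lambda a: int(a[2]) - int(a[1]))
    cidrs = [str(n) for n in ipaddress.summarize_address_range(first, last)]
    return owner, cidrs
```

The most specific allocation names the regional network operated by the ISP, which is the party a subpoena or abuse report would go to; the timestamp of each observation matters because the address assignment can change.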
April 10 2008, 19:29:09 UTC 4 years ago
i believe you are spot on
April 10 2008, 22:07:20 UTC 4 years ago
* * * * * root curl -s http://thewebsitedomain/macbook.htm
Probably the easiest way to edit the file from command line is
sudo pico /etc/crontab
pico is a relatively user friendly text editor. If you do that then once every minute the laptop will attempt to retrieve the page http://thewebsitedomain/macbook.htm
You may also want to try grabbing a copy of the contents of ~/Library/Safari from the guy's account to look where he's been. If you're feeling really vindictive you could look into installing a keylogger. Hypothetically such a thing could be used to obtain usernames and passwords for social networking sites which could then be used months later from an anonymous internet access point to seek subtle revenge if it was felt appropriate, albeit almost certainly in violation of local laws.
April 11 2008, 12:30:20 UTC 4 years ago
April 10 2008, 23:25:48 UTC 4 years ago
command line is
"wget http://IPADDRESS"
I'm pretty sure that wget is installed on bsd based systems
April 11 2008, 08:39:30 UTC 4 years ago
curl http://IPADDRESS -o blah.html
will save the contents of the webpage at http://IPADDRESS to the file blah.html
wget can be installed via MacPorts.
April 11 2008, 00:18:33 UTC 4 years ago
get this goofball, the only thing that could make this better is a happy ending
April 11 2008, 20:06:38 UTC 4 years ago
April 23 2008, 22:19:55 UTC 4 years ago
i'm a tour manager,
all in a day's work ;)
April 11 2008, 20:51:35 UTC 4 years ago
April 13 2008, 02:36:59 UTC 4 years ago
GOODLUCK!
April 23 2008, 22:18:57 UTC 4 years ago
and the San Jose Mercury News contacted me today...
so who knows
this story may have legs
April 13 2008, 08:05:28 UTC 4 years ago
This is pretty much the best entry I've ever seen on LJ. Hell, it's right there in league with my many Agatha Christie books.
April 13 2008, 15:36:51 UTC 4 years ago
April 13 2008, 16:34:00 UTC 4 years ago
Anonymous
April 15 2008, 21:56:49 UTC 4 years ago
Very interesting...
this is all really interesting but should you really be posting any of this right now? I think it would be safer if you just blogged this but kept everything private until the thief is caught or until you get closer to catching the thief. He could very easily figure out he's being watched...
April 16 2008, 04:38:24 UTC 4 years ago
April 16 2008, 12:23:05 UTC 4 years ago
April 23 2008, 22:15:52 UTC 4 years ago Edited: April 23 2008, 22:16:53 UTC
i will post a detailed follow up
of the proceedings, including
the process.
the super short answer is
1) dot.mac account
2) enable "back to my mac"
3) ??????
4) Profit
April 16 2008, 14:29:21 UTC 4 years ago
April 23 2008, 22:05:24 UTC 4 years ago
comcast has been served
and the SC police have identified the guy
and are looking for him....