[ltp] Don't trust the kensington lock socket

Bill Hudacek linux-thinkpad@linux-thinkpad.org
Fri, 8 Feb 2008 14:21:09 -0500



Interesting idea, I like it, but /etc/iftab is deprecated.  In Ubuntu 
7.10, use /etc/udev/rules.d/70-persistent-net.rules, for example.

Note that the file format is different, though the script only requires 
minor adjustment...

HH=www.MYSERVER.com; wget -qO /dev/null http://$HH/$(echo $(hostname)_$(grep eth0 /etc/udev/rules.d/70-persistent-net.rules | awk -F\" '{print $6}') | tr -c '[:alnum:]' _)

Note that at least on my box, I have eth0 and ath0, so I chose to use 
eth0.  Stylistic only, I think.  The request goes out over any interface 
that's "up".

One more downside: proxies.  Anon or authenticated.  But not much you can 
do about that.

Regards,
Bill Hudacek 
Senior IT Architect 
877.815.2008 
IBM Certified IT Architect 
Master Certified IT Architect (The Open Group) 



Richard Neill <rn214@hermes.cam.ac.uk>
Sent by: linux-thinkpad-admin@linux-thinkpad.org
02/08/2008 12:21 AM
Please respond to: linux-thinkpad@linux-thinkpad.org
To: linux-thinkpad@linux-thinkpad.org
Subject: Re: [ltp] Don't trust the kensington lock socket

>> Marius Gedminas wrote:
>> > On Thu, Feb 07, 2008 at 11:19:18PM +0000, Richard Neill wrote:
>> >> Some slimebag just stole one of our company laptops, which was an R60e

In future, I shall be adding this to rc.local:

HH=www.MYSERVER.com; wget -qO /dev/null http://$HH/$(echo `hostname`_`grep mac /etc/iftab` | tr -c '[:alnum:]' _)

with the aim being to catch whoever boots up a stolen machine. Before I
deploy it, does anyone have any thoughts?  In particular, is there an
easy distro-independent way to trigger an event when an interface comes
up, or when the device is otherwise online?


The above is deliberately obfuscated, so to clarify, it does:

FILENAME =  concatenate the mac addresses and the hostname, then replace
weird characters by underscore.

Silently do a wget of this file, from the Home Host (assumed to be
running httpd).

The wget will fail, but apache will log the source IP address and
timestamp, and which machine. That should be enough to locate it. Even
if it's behind DHCP or NAT, law-enforcement can track it.



Downsides:
  - it assumes the thief is stupid enough to plug in the lan
  - it assumes the thief doesn't boot into Windows, or immediately reformat
  - it assumes the thief boots with lan already connected
  - genuine owner risks minor privacy loss.




Thanks for your thoughts,

Richard






-- 
The linux-thinkpad mailing list home page is at:
http://mailman.linux-thinkpad.org/mailman/listinfo/linux-thinkpad
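
Added example, not part of either message: both halves of the scheme discussed above, namely building the beacon path from the hostname and the MAC in a 70-persistent-net.rules-style file, and pulling the source IP and timestamp for that path out of the home host's Apache access log. The rules lines, log lines, hostname "r60e" and the function names are constructed for illustration; the rule layout is assumed to be the one the awk field $6 in the reply relies on.

```shell
#!/bin/sh
# Constructed sample in the udev persistent-net rules layout (not real data).
sample_rules() { cat <<'EOF'
# PCI device 0x8086:0x109a (e1000)
SUBSYSTEM=="net", DRIVERS=="?*", ATTRS{address}=="00:16:d3:aa:bb:cc", NAME="eth0"
SUBSYSTEM=="net", DRIVERS=="?*", ATTRS{address}=="00:19:7e:dd:ee:ff", NAME="ath0"
EOF
}
# Constructed Apache access-log lines (documentation-range IP addresses).
sample_log() { cat <<'EOF'
198.51.100.4 - - [08/Feb/2008:09:12:44 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [08/Feb/2008:14:02:11 +0000] "GET /r60e_00_16_d3_aa_bb_cc HTTP/1.0" 404 209
EOF
}

# Client side: print <hostname>_<MAC of interface> with every non-alphanumeric
# character replaced by "_". $1 = hostname, $2 = interface, rules on stdin.
# Matches on the key names instead of a fixed field number, skips comments,
# and fails (status 1) when the interface has no rule.
beacon_id() {
    mac=$(awk -F'"' -v want="$2" '
        /^[[:space:]]*#/ { next }
        {
            addr = ""; name = ""
            for (i = 1; i < NF; i += 2) {      # odd fields: keys, even: values
                if (index($i, "{address}==")) addr = $(i + 1)
                if ($i ~ /NAME=$/)            name = $(i + 1)
            }
            if (name == want && addr != "") { print addr; exit }
        }')
    [ -n "$mac" ] || return 1
    printf '%s_%s' "$1" "$mac" | tr -c '[:alnum:]' '_'
}

# Server side: print "source-IP timestamp" for every request whose path is
# exactly /<beacon id>. $1 = beacon id, access log on stdin.
beacon_hits() {
    awk -v path="/$1" '
        {
            split($0, q, "\"")                 # q[2] is the request line
            n = split(q[2], req, " ")          # method, path, protocol
            if (n >= 2 && req[2] == path) {
                ts = $4 " " $5
                gsub(/\[|\]/, "", ts)          # strip the log brackets
                print $1, ts
            }
        }'
}

id=$(sample_rules | beacon_id r60e eth0)
echo "beacon path: /$id"
sample_log | beacon_hits "$id"
```

The beacon request is plain HTTP, so the hostname and MAC are visible to anything on the path, which is the privacy cost listed among the downsides.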

