Tracking A Thief Via The Sircam Virus? 227

func writes with a rather strange situation: "Hey, my house was robbed, and they stole my computer, vcr, rc heli, and all my beer (!bastards!). But, on the positive side, the thief has been using the computer, and managed to infect himself with the Sircam virus. Now, some of my friends are getting virii sent to them by my stolen computer! Any way to track this guy via email, or even an ip or something stored in the virus code itself? And if I do find him, do I send the cops, or just my 6-foot-4, 260-lb ex-eastern-block buddy Radek?"

Since this virus' spread (cross fingers) seems to be slowing down a bit, this may take fast work. If you can reply with any suggestions for func, please include "Radek" or "Cops" in your subject line. (Just not the FBI.) Perhaps he could send a friendly letter to the thief offering free tech support?

  • by Anonymous Coward
    Look at the email headers they give a lot of useful info.
  • by Anonymous Coward
    ... and how will that get your software back? Because obviously, the guy wiped your Linux install and installed Outlook instead!

    What, you mean you had Windows+Outlook installed to begin with? Then probably your beer was pee^H^H^Hcheap American beer too!

  • Can I write a virus and infect my own machine with it? For property protection of course.
  • by Anonymous Coward
    But remember, the guy stole all his beer _and_ managed to infect himself with a virus on a stolen computer! I seriously doubt he reads Slashdot...
  • by Anonymous Coward
    My computer is a Powerbook G4 Titanium. If I tear it open and fill it with cement, I might manage to add a whole half pound to it. How is this supposed to help?
  • by Anonymous Coward
    Just send Peter Norton to rough him up a bit
  • by Anonymous Coward
    If you keep posting jokes on slashdot, eventually one will be funny...

    Of course, the rest of us will probably all be dead by then...

  • by Anonymous Coward on Wednesday July 25, 2001 @08:20AM (#61958)
    If he's been emailing your friends, why not setup a quick webserver which hosts a .gif or .jpg and send the guy an HTML email back with an img tag referencing to the website you setup. Turn on logging on the website and you'll have his IP address and the access time. From there you can email the upstream/the cops and you should be set.
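
The "image tag pointing at a logging web server" idea in the comment above, written out as an added example (not code from the original thread). The hostname, path and `id` query string are assumptions for illustration. The handler serves a real 1x1 GIF, refuses caching so every open of the mail produces a fresh log line, and records the requester's IP, the requested path and a UTC timestamp, which are exactly the three things the ISP or the police will ask for:

```python
import datetime
import email.message
import http.server
import threading
import urllib.request

# Assumed for this example: the investigator controls this host and path.
BEACON_URL = "http://beacon.example.test/sig.gif?id=stolen-box-1"

# A valid 43-byte transparent 1x1 GIF89a, so the mail client renders nothing visible.
ONE_PIXEL_GIF = bytes.fromhex(
    "47494638396101000100800000000000ffffff21f90401000000002c"
    "00000000010001000002024401003b"
)

HITS = []  # one dict per image fetch: who asked for the pixel, and when


def build_beacon_email(sender, recipient, beacon_url=BEACON_URL):
    """HTML reply whose only tracking element is an <img> pointing at our server."""
    msg = email.message.EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Re: your mail"
    msg.set_content("Thanks, got your file.")  # plain-text part for non-HTML clients
    msg.add_alternative(
        '<html><body><p>Thanks, got your file.</p>'
        f'<img src="{beacon_url}" width="1" height="1" alt=""></body></html>',
        subtype="html",
    )
    return msg


def record_hit(remote_ip, path, user_agent, when=None):
    """Append and return the log entry that gets handed to the ISP or police."""
    when = when or datetime.datetime.now(datetime.timezone.utc)
    entry = {"ip": remote_ip, "path": path, "user_agent": user_agent,
             "time_utc": when.isoformat()}
    HITS.append(entry)
    return entry


class BeaconHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        record_hit(self.client_address[0], self.path, self.headers.get("User-Agent", ""))
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(ONE_PIXEL_GIF)))
        self.send_header("Cache-Control", "no-store")  # every open = a fresh log line
        self.end_headers()
        self.wfile.write(ONE_PIXEL_GIF)

    def log_message(self, *args):  # keep stdout quiet; HITS is the record
        pass


def fetch_beacon_locally():
    """Start the server on a loopback port, fetch the pixel once, return the hit."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), BeaconHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{srv.server_address[1]}/sig.gif?id=stolen-box-1"
        with urllib.request.urlopen(url) as resp:
            body = resp.read()
    finally:
        srv.shutdown()
        srv.server_close()
    assert body == ONE_PIXEL_GIF
    return HITS[-1]


if __name__ == "__main__":
    print(build_beacon_email("friend@example.test", "func@isp.example.test"))
    print(fetch_beacon_locally())
```

Two caveats a practitioner would add: the address you log belongs to whatever fetched the image, which may be a webmail server or proxy rather than the thief's own box, and a client that does not load remote images gives you nothing at all, so the mail headers remain the primary evidence.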
  • I work at an ISP and I know firsthand, here in Kansas, USA anyway, that we can not by any means give out information. The victim *must* get a subpoena to us. The police and courts must get involved.

    If someone roots your box and you wanna know the IPs or even the dates/times it occurred, you can't do much without getting the law involved. In that case all we could tell you was that your machine was accessed by an IP other than the one(s) that were assigned to you.
  • Not necessarily true. At my old ISP[1], each dial port was assigned a specific IP. I believe they first used BSDI boxes with multiport cards, and then moved to USR/3Com TotalControl racks.

    [1] It was fun to be able to say 'I'm a Hooker!'
  • killing someone stealing your car is self defense, they're stealing a very deadly weapon and you would be a fool to let them live long enough to start the engine so they can kill you with it.
  • I forgot -- there are hostnames and IP addresses in the body of the virus, however they are of the destination or a mailserver, not the originator (see my report about it [denver.co.us]). Headers are more useful.
  • by Alex Belits ( 437 ) on Wednesday July 25, 2001 @08:18AM (#61963) Homepage
    "Received:" headers in the mail usually contain IP addresses and dates -- when checked against ISP logs they can point to the user, or a phone number if he used a dialup with your account.

    Of course, email MUST be copied in the form it was received, not mutilated by Outlook or other kind of garbage. If the recipient is unlucky enough to use Exchange, enable POP or IMAP support and download email from it using fetchmail or pine.
  • by Tim Macinta ( 1052 ) <twm@alum.mit.edu> on Wednesday July 25, 2001 @09:26AM (#61964) Homepage
    If he's running any old binary sent to him, why not have one of your friends send a gift in reply? All it needs to do is grab the IP and timestamp, then email those details to you. Forward that to the police who can get location data from the ISP.

    Why not bypass the ISP (and the accompanying red-tape) entirely? If the laptop is using a modem to connect to the net, send the thief a binary which would cause the modem to call your home or work number and immediately play a sound clip that you can identify. When you receive a call that plays the sound clip, look on your caller ID and then use a reverse directory to map the phone number to a physical address.

    If the laptop is using ethernet to connect... well, that's a bit tougher. I'm not sure how to track it without the assistance of the ISP it in that case.

    PPP gives you the IP to use, but where do you think their PPP daemon gets the IP to give to you? That's right, a DHCP server. Just because you're not running a DHCP client doesn't mean that your IP isn't coming from DHCP.
  • And you're one of those people who wets yourself every time somebody gets a buzzword slightly wrong. Ok, it's not DHCP, but it is a dynamic method of allocating IP addresses from a pool. Big frigging difference. "DHCP" is a way of saying the same damn thing in 4 letters instead of 9 words. Nobody cares what the internal protocol is, the net result is that you may or may not get a different IP address every time you connect.
  • Not any more. No matter if it's a passenger's or not.

    Good judgement comes from experience, and experience comes from bad judgement.
  • If you had actually done some research, you would know that Outlook is not required for the SirCam virus to replicate. It has its own SMTP capabilities coded in, and it searches the hard drive for files containing email addresses.

    Don't be so quick to insult someone for their choice of software when you don't even know what you're talking about.
    Here's the deal; he's connecting to the internet somehow, so you have to track him down with that. Mail messages contain, in their headers, the IP address of the sender. Now, it's possible to forge these, but this is an Outlook virus, and I imagine that Outlook tells the truth about its IP address.

    Now, this device could have a local (192.168.* or 10.*) address, but the address should be your mail provider. Here's to hoping you use somebody's SMTP mail service! Anyway, you need to contact your mail provider, and find out which IP address he sent the message from. Then, do a reverse name lookup, and contact his ISP.

    Now, as someone mentioned earlier, if he is using your dialup service, this is even easier. However, I'm going to guess that he is using something like DSL, where you can connect multiple computers. That is just a guess, I'd just like to show that it is possible even if that is the case.

    Regardless of how you find this guy, involve the police. I don't know what country you live in, but most police around here (Minnesota) don't appreciate you doing their job for them. Nor do the courts.

    That's great as long as someone doesn't get the laptop and re-install right away... which I would assume any intelligent thief would do. Except in this case.

    If you stole someone's computer, wouldn't it be somewhat wise to trash the data on it as soon as possible? That way it'd be harder to prove it's not yours. Furthermore, why on earth would you start connecting to the internet with someone else's computer? That isn't very smart.

    Your idea sounds good except that it'd have to be done in software. Or it'd have to be integrated into the operating system and done every single time the laptop connects. Sounds like a great idea? Sounds just like putting a unique ID on a Pentium 3.......

  • more than half our corp drones can't remember their own passwords from week to week, imagine the mess if the bone-heads' machines starting bombing themselves out of existence
  • by sacherjj ( 7595 ) on Wednesday July 25, 2001 @08:16AM (#61980) Homepage
    I never thought about this, but it is an interesting idea. Has anyone programmed a hidden bomb that must be disabled every couple times you boot up, by the user? If this disabling action isn't completed after a few boots, it starts sending information to a secure location. Just give them enough leeway to hang themselves. (Of course, this assumes they are on the net.)

    Although, the first thing I would do if someone handed me a computer is format and reload all the drives...
  • by mattkime ( 8466 ) on Wednesday July 25, 2001 @08:20AM (#61981)
    You need to give him a reason to keep in contact with someone. I suggest you ask a female friend to take nude pictures of herself which she will send on a regular basis to this guy. Eventually, she will meet him in a sleazy hotel room and crush him between her thighs.
  • Just make sure you got the full headers of the messages that were received...this is easy to do in both Outlook and Netscape.

    If files are being attached, print out the messages in their normal format in Outlook/Netscape (i.e. human readable), then view source and print the headers too...
    Eventually, she will meet him in a sleazy hotel room and crush him between her thighs.

    I'm gonna have to start stealing computers; this is how I wanna go :) Poor funeral director won't be able to wipe the shit-eating grin off my face.

  • by shri ( 17709 ) <.moc.liamg. .ta. .cmarirhs.> on Wednesday July 25, 2001 @08:41AM (#61989) Homepage
    Assuming that the poor guy's startup page is not set to Slashdot! If that's the case the thief knows what's going on. ;)
  • by eddy ( 18759 ) on Wednesday July 25, 2001 @08:36AM (#61990) Homepage Journal

    Somewhat related...

    A long time ago a friend of mine ran a BBS on his Amiga. He had the startup rigged with a boot menu containing a fake "Start BBS" entry as a default, which - if chosen - would encrypt the RDB (Rigid Disk Block) and reset. Or something to that effect.

    Hey, don't look at me, it wasn't my computer, nor my idea.

  • I haven't yet, but was considering it when my company was in takeover talks. A little bit of job security.

    Probably a bit illegal as well.

  • by Unknown Poltroon ( 31628 ) <unknown_poltroon1sp@myahoo.com> on Wednesday July 25, 2001 @08:16AM (#62000)

    If it was good beer, leave the cops out of it. If it was bad beer, sic the law on him.
    If it was BUD, have Radek slap some sense into you.
  • by wiredog ( 43288 ) on Wednesday July 25, 2001 @08:15AM (#62008) Journal
    Someone who steals your computer and then disables the security deserves what he gets.

    I assume he disabled your security. And not that you forgot to secure it.

  • I don't think you can get charged for theft for taking what's legally yours.

    You CAN, however, be charged with Break and Enter for getting in to take what's legally yours.

    Of course, if you grab the wrong hot computer, you're in double doo-doo. Best to let the cops handle it for you. 4 times out of 5, the crook will cop a plea bargain and your stuff will be available to you before the CPU is completely obsolete.

    If you want the data off of the laptop, it may be possible to get permission from the police to make a backup. (this is a guess. I've never tried it).

  • by Tackhead ( 54550 ) on Wednesday July 25, 2001 @10:45AM (#62012)
    > The cops will just get snitty with you cuz you solved the crime.

    If you walk in to your local PD and say "I 0wn h1m! j00 cl00less fux0rz list3n 2 m33!", yeah, they'll get snitty.

    If you walk in, and behind closed doors (or cubicles :), outline how you solved it, in such a way that the officer you're talking to also has enough of an understanding on how to solve it, you've just taught a cop a new way to solve crime that none of his buddies know, and you've probably just made a friend.

    Beat a man over the head with a fish, and he'll slap you across the face with one. Teach a man to fish and you're both fed for life.

  • by Tackhead ( 54550 ) on Wednesday July 25, 2001 @10:39AM (#62013)
    > This probably won't help you get right to your robber, he probably sold all your stuff. And if he was smart he probably sold it to a used computer store that would resell it. Although most pilferers aren't the smartest bunch, good luck ;)

    IANAL, but ISTR that in these cases, the used computer store (pawnshop) is guilty of "possession of stolen property". As is, for that matter, the innocent sucker who walks in off the street and buys it. As such, you can still get your computer back.

    Option 1: (There's only one bad guy, the thief.) The guy who bought the computer will be pissed, he'll be pissed at the computer store. The guy who runs the computer store will be really pissed, and he'll be pissed at the guy who sold it to him. End result -- the thief loses his ability to sell stuff at that store.

    Option 2: (There's another bad guy, in that there's a store or pawnshop operating as a "fence", that is, reselling goods they know are stolen). The guy who bought the computer will be pissed. The cops will have evidence to use in their (likely ongoing) case against the fencing operation. End result -- the thief may get away, but the fencing operation goes down.

    Either way, by providing evidence to the cops, you increase the odds of getting your stuff back and cleaning up your town.

  • by Tackhead ( 54550 ) on Wednesday July 25, 2001 @10:34AM (#62014)
    > ...if they are willing to look at technical details.

    Very true, the trick is to get someone at your local PD interested in the case. Routine burglaries are, well, routine. Just as the FBI laughs if the losses are less than $BIGNUM, your local cops generally don't give a damn about property theft, because the odds are slim and the cases are boring as hell.

    1) So don't call - show up in meatspace at your local police department. (Or if you've filed a police report on the burglary, you probably have an officer's business card. In that case, call and try to set up a 15-minute appointment.)

    2) You may want to talk to a detective, rather than the beat cop. Dunno how lucky you'll be at finding one. Might be worth a shot. Go through channels.

    3) (Here's the kicker). YOU know how to solve the crime. The cops don't. So YOU explain it to the cop or detective - in detail. Bring printouts. Use highlighters. Emphasize the point that even though you did the legwork, you don't want credit - you want the cop to get credit for solving the "high-tech" case. This means career advancement to the cop/dick, and ought to interest him, even if the dollar value of the case is peanuts.

    "My house was broken into and bad guys stole my stuff" - a boring case, like dozens of others, involving all the paperwork with no chance of recovering the goods.

    "Here's an open-and-shut case on how to track a thief through cyberspace" - something new, possibly a promotion for finding a new way to solve cases, and a reputation within the department as "the guy who knows how to track criminals through cyberspace, he's even smarter than that moron the Feds send us every few months".

    If you're helpful to your local cops, they just might be able to help you.

  • Send him Norton Anti-Virus, Poor Chap
  • Yes. That and it proceeds to self destruct afterwards. Total wipeout with multiple passes after encrypting certain parts of the drive (in case the wipes are interrupted somehow). Since critical data is kept in multiple countries I can afford to have it destroy itself outright. It tries to send an SOS first but either way my setup will do its best to make itself pretty useless except for the hardware.
  • > All it needs to do is grab the IP and timestamp, then email those details to you.

    Not even necessary. That info is in the e-mail header anyways, unless your friends goofed and saved the mails without their headers.

  • by BlueUnderwear ( 73957 ) on Wednesday July 25, 2001 @08:25AM (#62024)
    > Worst case, the current user is somebody who bought the computer from your thief and not the thief her- or himself, but it still gets you close.

    No, that's not the worst case. Worst case is that the virus didn't actually infect the stolen computer, but rather the replacement computer that you're using now...

  • by BlueUnderwear ( 73957 ) on Wednesday July 25, 2001 @08:48AM (#62025)
    > Send you friend over and tell him to bring back both the thief's thumbs.

    Nowthat'sacruelandunusualpunishment!

  • Err, you're one of those people who go around spewing out buzzwords. Most dial-up terminal systems have a pool of IP addresses that are assigned to the unit itself. When someone dials in, their username/password is checked against a RADIUS server; if it is correct, the same packet contains information about their IP address, static or dynamic. If it is dynamic, then the terminal server will look at its pool, pick one, send an ARP request to the network to make sure another unit/machine/etc. is not using it, then give it to the client and reply to any ARP requests for it on the LAN side. None of this involves DHCP.

    FYI, I know the previous to be true on Ascend and Livingston equipment, others are unknown, but likely the same or similar.
  • look through the discussion... the site went down shortly after due to being /.ed. Someone posted a mirror in the comments, just browse them.

  • by Lxy ( 80823 ) on Wednesday July 25, 2001 @08:20AM (#62029) Journal
    How quickly we forget. Or was I the only one who ran out and filled my computer with cement [slashdot.org]?

  • by szcx ( 81006 ) on Wednesday July 25, 2001 @08:15AM (#62030)
    If he's running any old binary sent to him, why not have one of your friends send a gift in reply? All it needs to do is grab the IP and timestamp, then email those details to you. Forward that to the police who can get location data from the ISP.
  • by szcx ( 81006 ) on Wednesday July 25, 2001 @08:21AM (#62031)
    I was contracted to write one a few years ago for installation onto all of a company's notebooks. Once a week it had to be reset, or the machine would purge documents and lock out.

  • by SuperguyA1 ( 90398 ) on Wednesday July 25, 2001 @08:21AM (#62035) Homepage
    And if I do find him, do I send the cops, or just my 6-foot-4, 260-lb ex-eastern-block buddy Radek?"

    Given what I know from my own Eastern block friends.
    If you ever want to see your beer again... send the cops:)

  • Its generally been my experience that people who buy stolen goods know that they have bought stolen goods.

    Sure, they don't know how it was stolen, or who it was stolen from. However, there is never any doubt that this "great deal" is a "hot deal".

    -Steve
  • That's the way the law works here in the states too, but you still have to consider that the person using it bought the computer and didn't know it was stolen. In the Radek situation, to them, a big Eastern block guy is coming over and demanding them to give the computer. This can get Radek in a lot of trouble. In the case where the cops are involved, you'll get it back legally.

    Plus, you'll probably need the cops involved anyways, to get the location of the person in possession of the computer.

  • As others have said, it's okay to take back what is yours, but Radek could still be arrested and detained while the cops are sorting everything out. If you fail to prove the computer is yours, then he could end up convicted. Even in the best case, he ends up with an arrest on his record, which is still not a good thing.
  • by Fjord ( 99230 ) on Wednesday July 25, 2001 @08:41AM (#62041) Homepage Journal
    What security? Up until a few days ago, there wasn't a virus package that would detect SirCam. Do you expect him to update virus checkers on computers not in his possession? Presumably you don't mean security by disabling the ability to retrieve email, so then what do you mean?

    Note: I do disable VBS files (by associating them with Notepad) on my home WinME machine, but this isn't common practice. I do it because many people use my home machine. Disabling VBS files like this isn't considered "security enablement" in the sense of updating patches and locking down ports.

  • by martin-k ( 99343 ) on Wednesday July 25, 2001 @09:42AM (#62042) Homepage
    I was contracted to write one a few years ago for installation onto all of a company's notebooks. Once a week it had to be reset, or the machine would purge documents and lock out.

    Yeah, I heard about that program. It's called Microsoft Windows.

    -Martin

  • by bencc99 ( 100555 ) on Wednesday July 25, 2001 @08:18AM (#62043) Homepage
    it'd be tempting to send Radek round, but you've got the problem of finding them in the first place. Get in touch with the police, and get your friends to note down the message headers of the emails. Then with a selection of times and IPs the police should be able to contact the ISP, and find out what phone number the thief is dialling from. Of course, this hinges on the chances of you finding a cop with a clue ;)
  • Incorrect on one point.

    If the ISP has logs, then they are legally required to participate fully in any investigation. Furthermore, in Canada at least they would be REQUIRED BY LAW to go to the police if they had evidence or reason to believe that a crime had occurred. (In this case, phoning the ISP and explaining the thing would qualify) Not doing so is considered Aiding and Abetting.

    Don't know if the same law exists in the US, but I suspect that an ISP that refused to help you would face charges.

    He will need to do both. Once he has an IP and the timestamp from the headers, he will need a subpoena to get the account that was used. With any luck, he will also be able to get the ANI of the phone line that was used. Once he has the ANI, he will need to contact the phone company to get the address of the guy, which might also require a subpoena.
    Here's the deal; he's connecting to the internet somehow, so you have to track him down with that. Mail messages contain, in their headers, the IP address of the sender. Now, it's possible to forge these, but this is an Outlook virus, and I imagine that Outlook tells the truth about its IP address.

    It is not possible to forge these headers, he may be able to add extra bogus headers, but his IP *will* be in there.

  • You really think that the guy stole the computer, then changed the dialup settings to use a legit account? Heck no, he's using the account that the computer was already configured to use -- assuming that the password was set to saved. Contact the ISP, tell them the box is stolen, and find out the phone number that has been dialing in on -your- account. Yes, you may need to get the police involved. Checking the headers to verify that he's using your account is also a good idea though.
  • I think the assumption here is that the thief is using the ISP account that is already on the machine; i.e. func's. Therefore, it should be no problem for func to call up and say 'who's dialed into my account right now, cuz it sure isn't me?'
    On Outlook (even through Exchange MAPI!) to view SMTP headers open the mail, and in the mail window, select 'Options' from the 'View' menu. The headers will be displayed on the resulting dialog box, among other things.
    after the guy goes and reads the story on Slashdot and realizes Radek is on the way.

  • so, he's still got someone's computer, and, under UK law at least, it's still yours (possession may have changed hands, but ownership hasn't).

    I still vote for the Eastern block buddy...something I'll be employing when GPS systems become small and cheap enough to fit inside TVs and computers.
  • by michaelsimms ( 141209 ) on Wednesday July 25, 2001 @08:16AM (#62067) Homepage
    It MAY be an innocent person that bought a second-hand computer. I'd go with the cop method, not the Radek method.
  • Get someone to register a domain (or do it yourself in a way that won't be obvious to the thief), and have an email get sent to him saying he won something (money, car, etc) and just needs to reply to the email with his full name, address, phone number, SSN# (for tax purposes makes a good excuse). You get the mail, you call the cops and off he goes to prison! ;)

    Cable companies do something related to combat illegal access to cable service. They broadcast an ad that only the illegal boxes can get which says send in for a prize, says you won a contest, etc. Those that reply are prosecuted.

    It is like a social engineering hack right on the thief's mind.

  • That's about all a Cray is even worth today. ;)
  • Some idiot who doesn't even know about accounts and the like, thinks the Internet is magical and the only thing he notices or cares about is that Internet Exploder and Outlook work.

    Never underestimate stupidity.

  • Hmmm...guess it would be a different story if the guy had his own DSL/cable connection. Tracking an IP address back through an ISP's "abuse" department doesn't seem to get anywhere, even when it's more than just spam (ie: crack).

    Mental Note: if I ever get desperate enough to steal someone's computer and use it, be sure to reformat the HD.


  • Ztrace seems to be an exe.

    Either it's loaded itself after Windows and then it'll be erased if the FAT/NTFS partition is deleted, or it installs in the MBR, and then it's deleted if LILO or whatever erases the bootloader.

    Anyway, since it's a *software* protection it is very likely to be circumvented (IMHO), by reinstalling Windows or installing Linux.
  • Those notebooks and company PHBs must have been a winning combination.

  • I can imagine having this conversation with ATT tech support... the pain! I think I'd rather just buy a new computer. Once a company gets past a certain size, it is like a black hole -- no customer service can escape.

    For all intents and purposes, customer service is dead.

    Sarcasm aside, I think the FBI is only interested in high-dollar cases. On GRC.com the dude talks about how he couldn't get the FBI interested in the DoS attacks on him -- the damages weren't high enough to matter to them.

  • No no, this thread was about the guy with a stolen computer. The FBI doesn't care about THAT. How did this turn into the DMCA?

    This is what I was taking issue with:

    Yeah -- just get the full headers to your local police and/or the FBI. I should think they'd be happy to get this kind of slam dunk to clear a case.
  • Call Microsoft and say that your computer was stolen and now someone is running MS software on it without the proper license. They should track the bastard down.
  • by BluedemonX ( 198949 ) on Wednesday July 25, 2001 @10:26AM (#62106)
    My wife had her computer stolen - and her old ICQ popped up. Someone traced the computer to an IP and an ISP, and we called the cops.

    Did they act on this? No way.

    The thief was basically handed to the OTTAWA POLICE on a silver platter, but apparently donut eating and beating defenceless women's heads against cars was more important.

    I'd say send Radek, that is if the ISP will tell you who it is...
  • Has anyone programmed a hidden bomb that must be disabled every couple times you boot up, by the user. If this disabling action isn't completed after a few boots, it starts sending information to a secure location

    I think that's how the new Windows XP works, sans the 'secure location' part.

  • Aah, but what do you do if he's using your account? Should the ISP turn over the number he's calling from? Will that help?
  • by abolith ( 204863 ) on Wednesday July 25, 2001 @12:29PM (#62110) Homepage
    if your ISP gives you the info, don't bother with the cops, use Radek OR just wait until he/she has left the location your computer is residing at and then STEAL IT BACK !! What thief would believe that the original owner tracked him/her down and did the same thing right back.
    besides if you have homeowners insurance you could still collect the value of the computer, then use that cash to upgrade to a better system, or use it to put out a contract on the thief's head. either way.
  • by QwkHyenA ( 207573 ) on Wednesday July 25, 2001 @09:12AM (#62111) Homepage
    Odds are good he's using YOUR ISP seeing how you probably checked that 'remember password' box. If that's the case, I'd take a copy of the police report and go to your ISP (assuming it IS your ISP the dude dialed into, which is easily checked by looking at the header of the email message) and talk to management right away!

    If it was one of my local ISP's I'd take about 1 case of beer with you as a small incentive.

  • Yeah, and if you'll post your resume online, I think the FBI needs a guy just like you...
  • An innocent person who's using your email account? Not too likely.
  • I believe there's software that accomplishes the same thing although through different means. Every time your PC goes online, the software makes itself known to a central server. If the server gets contacted by a PC on the 'red alert' list, it contacts it and gets more info on it (although, as someone pointed out, all that's really needed is an IP address and a time), ba-da-bing.

    Although, the first thing I would do if someone handed me a computer is format and reload all the drives

    Lucky for the poster he got such a stupid thief. I guess a system based on something like CPUID or NIC MAC address would work better; it'd have to be part of the OS though, and pretty well-secured too.
  • by unformed ( 225214 ) on Wednesday July 25, 2001 @08:16AM (#62118)
    Call the BSA
  • by rigor6969 ( 240549 ) on Wednesday July 25, 2001 @08:12AM (#62124) Homepage
    all the major isp's now record your DNR phone # per call. Easy to trace via the ip and date and time. You'll need to get the isp and police involved.
  • by AdamInParadise ( 257888 ) on Wednesday July 25, 2001 @08:23AM (#62131) Homepage
    Actually I was quite sure that I've seen some company actually doing that. Here is a story on The Register:
    http://www.theregister.co.uk/content/archive/20026.html

    And a link to the company doing it: http://www.ztrace.com/
  • Ah, no...it won't work out that way. I've actually seen something somewhat similar to this. The police probably have no experience with this, and will be lost ("what's a header?") unless you do enough of the leg work for them that it's plain and simple in a realm that is more familiar to them. In other words, instead of time GMT and an IP address, a physical address and user's real name.
  • 120 years, yes, idealism, duty, etc...whatever. I'm speaking from experience, and it doesn't always work out that way. When it comes to computers and things technical, the flow chart goes like this:

    Do I understand this well? If so...proceed.
    If not...

    Is this big enough that we need to ram it over to the couple of computer guys we have? (child porn, theft, hacking...ohh, if it's hacking, we'd better set up a big stake and some firewood too) If so, send it over...
    If not...

    If not, then it gets stale. I know that the cops are SUPPOSED to represent the public, but let's be realistic. I've seen cops unwilling to even make a report of a crime, a multi-thousand dollar property crime, even just for the sake of a number that was needed by the victim to file an insurance claim. And it's clear common knowledge that even the FBI doesn't want to hear about hacking cases unless the damage caused exceeds a rather large sum, typically about $10K now.

    The bottom line is, this is the real world, and most cops are intimidated by technology. They are also not willing to admit to that in front of civilians. And I'm willing to bet that the sort of person who would think to trace a thief by taking advantage of a SirCam infection is also quite computer literate. I bet dollars to doughnuts (no pun intended) that he can get this accomplished in far less time than it would take a police officer. If I were him, I'd do it out of civic duty, just to make it easier on the already-overloaded police force where I live (in Washington, DC).

  • by Shoten ( 260439 ) on Wednesday July 25, 2001 @08:22AM (#62136)
    Ok, here's what you do. The emails he's sending contain a few bits of data that are critical. One is the IP address that he is using at the time he sends the email, and the other is the time (according to the mail server; both bits are in the header of the email) at which the mail is sent.

    Get an attorney, and file a "John Doe" lawsuit against the thief...the goal here is to get a lawsuit, so that you can get a subpoena. And who are you subpoenaing, and for what? The ISP the thief uses, for the logs of the phone number that was connected at that time, and the account information of the owner of that account. Turn that over to the police, and you should be good to go. That information is sufficient (explain it well to them) to get a search warrant and...voila! He's crispy.

    Happy hunting!

  • DHCP? I've had several ISPs, and I don't think I've ever used DHCP over a PPP connection (all the DSL users with PPPoE might use DHCP though, I don't know...)

  • If I had mod points, I'd mod the above post "Funny". Did someone say Computer Crimes Division and local police department in the same sentence?

    Kind of reminds me of in Big Lebowski when The Dude asks the cop if they have any 'leads' about who stole his car. The cop busts up laughing and says "leads? not yet. the chief has us working in shifts to solve this one though!"

    seriously, how many local police depts have a computer crimes division?

  • Since that information is in every email sent, why bother writing a program to gather it? Glancing at the email headers should do the trick. ;-)

  • DHCP is a specific protocol. There are certainly others. The protocol used is certainly an important fact! It's not like saying "that got photoshopped out" and meaning it could have been done with any graphics program; saying it was configured with DHCP means it was specifically done with a certain protocol a certain way. It's not a general term!

  • the parent post got modded down but shouldn't have. Some moderators don't know the difference between having an opinion and trolling. The post should've gotten modded up as funny anyway!
    Here is a repost (originally by user poptix@work):

    You were pretty clear about 'DHCP Client' and 'DHCP Server', FYI a DHCP server is quite different, and uses different protocols than a PPP+Radius+Ascend connection.. You don't see me calling you a dog or cat simply because you're a carbon based lifeform that eats vegetables and meat.

    As a side note, if you don't know what the word means either look it up (http://www.dictionary.com) or just don't use it.

  • My stock broker friend had to work out of his home for a while whilst they built his office. During that time in his house, he had to dial-up to his firm to place orders, check stock quotes, etc. Whenever he attempted to dial-up, he had a little pocket sized calculator looking thing that picked 'random' keys for him, that he then had to input within 30 seconds of dialing up, or else (I think the dial-up and key card worked by creating keys based on the time of day). If after 3 tries he failed to authenticate, the computer basically shut off his ability to dial-up his firm, which at that point he would be in big trouble for the inevitable need to ship the laptop back to the home office to get reimaged. Needless to say, he never let this happen.
  • Skip the lawsuit part.

    Take the method outlined in that well-modded-up post to the police. Tell them that this guy stole your computer and these emails are proof. The Authorities can deal with the subpoenas, warrants, etc., and you won't have to pay a lawyer.

    --Blair
    "Or explain layer-3 semantics to him."
  • Wait. There's been 120 years of cops and robbers, and you don't think the cops understand "there's this guy stole my stuff; I don't know his name, but I know how to find him"?

    Don't talk to the desk sergeant. Ask to talk to a detective. They certainly have heard about tracing people on the net, and if they're the first in their jurisdiction to succeed at it, all the better.

    The point is, when you are the victim of criminal acts, the state is your lawyer. You shouldn't investigate your own case until after the state tells you to get lost.

    --Blair
  • what if it's an elderly woman whose son bought her a fenced computer?

    radek, however appealing his deadly skills may be, is not the right answer. get the cops. if it is the thief, have him taken out in prison for 4 cases of cigarettes :)
  • by Chakat ( 320875 ) on Wednesday July 25, 2001 @08:13AM (#62156) Homepage
    All you should have to do is check the headers and do standard SpamCop-esque IP tracing. At that point, you have an IP address. Take that info to the ISP the crook is using, and ask for the dialup node log. You'll probably need at the very least a subpoena to get the CID logs, but you should have no problem as long as you can prove that it is coming from your property.

    If you could post the Headers of the offending emails, I'll bet most people here could tell you where the thief is in 5 minutes.

    D - M - C - A

  • And then call Fox and see if you can get this on their next installment of 'World's Dumbest Criminals'
  • Who buys a computer that has a full address book, and doesn't suspect that it's stolen?
  • PPP gives you the IP to use, but where do you think their PPP daemon gets the IP to give to you? That's right, a DHCP server. Just because you're not running a DHCP client doesn't mean that your IP isn't coming from DHCP.

    Not in any commercial dialup gear I have used. Generally, the PPP termination gear in a rack is assigned a pool of addresses to assign, or in some cases an IP is assigned to each modem. IP addresses for those with static IPs on a dialup (sort of rare) are generally obtained from a RADIUS server.

    I can't even see why anyone would want to add the overhead of DHCP to this scenario. It would be a pretty precarious situation where a modem rack would not be assigned enough IPs to handle maxed out capacity, and this would be best handled internally within the concentrator's PPP termination s/w, so why throw another protocol and server into the fray?

    I am not really sure how a typical Linux PPP daemon handles this, but that would be kind of irrelevant to this topic as few ISPs of any size use a Linux based PPPd; they use dedicated racks like 3Com, Lucent or Cisco primarily.

    For the point of this article, I think this is irrelevant anyway. If the victim can get a couple IP addresses and exact times (probably from an intermediate SMTP host to ensure accuracy) the ISP, if they are cooperative and competent, can probably (with considerable work) get the CID data. You want multiples as you want to see the same CID info from several calls. There is a high risk of this not being fruitful though, as many ISPs do not log CID (or don't even get it), and it is often in a different log (call logs vs. radius) so they need to be cross-referenced.
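    Several posts above describe the same procedure: read the Received: headers, pull out the IP address and the time stamp, normalise the time, and collect several such pairs before going to the ISP. As an added example that is not part of any post in this thread, here is that procedure in Python run against a constructed message; every host name, address and time in it is invented.

```python
"""Pull the originating IP and UTC timestamp out of a worm-sent mail."""
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime
# Constructed sample, modelled on a mail a self-mailing worm hands straight
# from a dial-up host to the recipient's MX. Hosts, IPs and times are invented.
SAMPLE = """\
Received: from mx2.example.net (mx2.example.net [192.0.2.25])
\tby mail.example.org (Postfix) with ESMTP id 8F2A1
\tfor <friend@example.org>; Wed, 25 Jul 2001 03:14:07 -0400
Received: from Fzwcs (dialup-45.isp.example [203.0.113.45])
\tby mx2.example.net (8.11.3/8.11.3) with SMTP id f6P7E2q01234;
\tWed, 25 Jul 2001 09:14:02 +0200
From: func <func@example.com>
Subject: Hi! How are you?

I send you this file in order to have your advice
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw):
    """Return [(peer_ip, utc_iso_time), ...] from first hop to last.
    Relays prepend Received: lines, so the one nearest the body was stamped
    by the first server the sender reached; only that server's clock and
    peer IP are trusted, not the HELO name or From:, which the sender picks."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        ip = BRACKETED_IP.search(hdr)
        # The timestamp follows the last ';' in a Received: header.
        stamp = parsedate_to_datetime(hdr.rsplit(";", 1)[1].strip())
        hops.append((ip.group(1) if ip else None,
                     stamp.astimezone(timezone.utc).isoformat()))
    return hops

def originating_hop(raw):
    """The (ip, utc_time) pair for one message, in the form an ISP needs."""
    return received_hops(raw)[0]

def evidence_table(messages):
    """Group UTC times by originating IP across several messages, so the
    ISP can match one dial-up session or caller against its call logs."""
    table = {}
    for raw in messages:
        ip, when = originating_hop(raw)
        table.setdefault(ip, []).append(when)
    return table
```

    Feed `evidence_table` every worm mail your friends forward (with full headers) and hand the ISP the resulting IP/time pairs rather than a single one, since a dial-up address changes with every call.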

  • I think a couple states consider anyone uninvited on your fenced land the same as if they were in your home and you can legally shoot them (TX, and VT).

    Wow, does this include Jehovah's Witnesses? People selling magazines "just working my way through college"? People distributing those annoying pizza flyers always stuck in my door?

    MMmm. My lawn will be littered with bodies.

  • by dermotfitz ( 470733 ) on Wednesday July 25, 2001 @08:13AM (#62175)
    just how will that get your beer back?

E = MC ** 2 +- 3db
