Daniel Eran Dilger in San Francisco

Using Back to My Mac… to Catch a Thief!

Back to my Mac to catch a thief
Daniel Eran Dilger
After a burglar broke into her truck and stole her iPhone and MacBook, a woman in Santa Cruz teamed up with a friend to use Mac OS X Leopard’s “Back to My Mac” screen sharing feature to track and identify the thief for the police.


Back to My Mac
The owner had multiple accounts on the MacBook, and at least one of the administrator accounts was tied to Apple’s .Mac service. That enabled the pair to locate the stolen MacBook using Leopard’s new Back to My Mac, a feature that advertises the location of a registered machine to its owner whenever it is connected to the Internet, enabling easy remote access.

The stolen laptop has popped up several times as the thief has connected to various WiFi signals. Even without an ideal network connection, the owners have been able to start screen sharing sessions, access their files, remove sensitive data, change passwords, and even take pictures of the thief using Photo Booth.

It seems the stolen laptop user has a lot of time on his hands, as he sits in front of the laptop for hours on end, and keeps himself busy ripping DVDs and browsing Limewire for downloads, ranging from Apple’s Final Cut Pro to Adobe Photoshop. Despite his changing the primary account and password on the laptop, the owners were able to continue tracking it using a secondary account linked to .Mac.

Ten Myths of Leopard: 5 “Back To My Mac” Security Panic!
A Global Upgrade for Bonjour: AirPort, iPhone, Leopard, .Mac

Thief Identity
Within a couple of days, the owners were able to assemble a full profile of information on the stolen laptop user as he signed into hookup sites, read his Gmail messages, and shopped on eBay for… a police scanner. They discovered his birth date, mother’s maiden name, email address, and Comcast IP address, and were able to use Photo Booth to take a snapshot that was clear enough to read the lettering of his tattoos.

Santa Cruz police have initiated a warrant and subpoena process, and hope to bag the burglar and return the stolen equipment shortly. A detailed accounting of their progress is being documented by Joey, the laptop tracker, in a LiveJournal blog.

macosx: Interesting Situation

I really like to hear from readers. Comment in the Forum or email me with your ideas.


40 comments

1 BigDan { 04.15.08 at 5:28 pm }

Brilliant story!

2 Michael { 04.15.08 at 6:05 pm }

Woah, that sounds really crazy… haha. I wonder how the guy managed to delete the account if they could just lock him out from using it? Well, that sounds like another great reason to get .Mac… even though it’s likely that the thieves will eventually catch on. Well, I hope those owners do get their MacBook back… it sure would be a booster shot story to Apple to get that on the front page of a major newspaper haha.

3 droughtquake { 04.15.08 at 6:58 pm }

He was smart enough to create a new User, but not smart enough to reformat the hard drive?

4 miggyb89 { 04.15.08 at 7:15 pm }

droughtquake, I have my macbook pro with a firmware password. If they wanted to erase the hard drive, they would have to know that password. At least I don’t know any workarounds.

5 WebManWalking { 04.15.08 at 7:56 pm }

I once had a “phone home” type of idea to track my Mac if it were ever stolen. I could write a script that e-mails my current IP address to a special e-mail account set up for only that purpose. It gets a bit trickier with a broadband router, as the Mac’s IP is a NAT address (192.168.1.x). You have to grab the router’s status page and parse the actual IP out of it. And what if the thief is using a different router, whose admin interface is unknown to you? In other words, it can be done, and it can be deeply hidden in Unix via scripts and cron jobs that the unwashed, unlearned thief would never, ever suspect. But it’s a LOT of work.

This is so much easier. Thanks for the info.

6 msilverman { 04.15.08 at 8:02 pm }

pretty cool…you might be interested to know this isn’t the first time that this has been done. A few years ago someone used a similar screen sharing product called Timbuktu to do the same thing:

http://www.wired.com/gadgets/mac/news/2002/01/50025

…kind of funny, the more things change…

7 OldMan { 04.15.08 at 8:12 pm }

Okay. That’s wild. I took the easy route and Lojack for Laptops but I’m pretty impressed. Hope she gets her stuff back.

8 IainW { 04.15.08 at 8:25 pm }

@WebManWalking

Your script could simply hit http://www.whatsmyipaddress.com/ to get the pre-NAT’d address…

Might be wise anyway, some routers won’t let BacktomyMac broadcasts out, so if you have the direct IP address, there is a small chance you can make a direct ScreenSharing connection using the IP address.

This is an utterly brilliant and heartwarming story. I have been on the victim end of a house burglary, and I would have gleefully enjoyed an outcome like this.

9 unscriptable { 04.15.08 at 8:28 pm }

@WebManWalking: try traceroute (e.g. traceroute roughlydrafted.com or any other host / domain)

10 WebManWalking { 04.15.08 at 9:15 pm }

Thanks IainW and unscriptable.

I’ve been programming in Unix for over 12 years, but my job responsibilities don’t include network analysis, so I totally forgot about traceroute. I’m thinkin’, the entire traceroute should be the body of the e-mail. It’s really easy to capture everything, and I’d be able to find machine within broadband router within proxy server, etc. Figure it all out by eyeball at the special phone home e-mail account.

This seems so easy to do now. All you have to do is not send the SMTP as a server, so that the ISP doesn’t raise hell that you seem to be a spammer and block the e-mail. Send it as a client instead, as a human would.

Thanks again.

11 gus2000 { 04.15.08 at 9:36 pm }

OMG PWNED!!! LOLBBQ

12 davebarnes { 04.15.08 at 9:49 pm }

What is the point of a link to http://community.livejournal.com/macosx/5713803.html if I can not view it?

13 WillisWasabi { 04.15.08 at 10:17 pm }

Router configs? That’s just not doable. Even if you had some magical way to use every config (Linksys vs. OpenWRT vs. a PIX?), you still don’t have credentials to log in. And if the local WiFi connections near my house are anything to go by, normal people are putting on WEP/WPA and that means they’re probably setting passwords.

Traceroute is better, but still not perfect. How can you know which one to pick? Ok, you can send them all, but it’s still not guaranteed to leave a network if they brought it to work or a cafe.

Why not just ipchicken.com or whatismyip.com? Has to be a lot easier to parse. Web access is going to work for sure (proxy authentication might get in the way, though) and you’re guaranteed the public facing IP.

14 ericdano { 04.15.08 at 11:48 pm }

Seriously. Where is the proper link? It would be great to know how they set it up.

15 WholesaleMagic { 04.16.08 at 12:05 am }

Perhaps some of you guys should check out this program. I don’t have a laptop, but if I did, I’d get this brilliant app. It’s called Undercover, and it uses a number of excellent techniques to learn the thief’s identity and recover your laptop.

16 WholesaleMagic { 04.16.08 at 12:05 am }

Sorry, didn’t include the link, here it is:

http://www.orbicule.com/undercover/

17 Mundo Mac » Recover your stolen Mac with Back to my Mac { 04.16.08 at 12:12 am }

[...] story I came across today: a woman from Santa Cruz, California had her MacBook stolen and decided not to sit around with her hands [...]

18 atomj { 04.16.08 at 4:14 am }

I can see that you could learn a lot just by activating screen sharing and observing what the thief does to your machine … but I don’t realistically see how the owner could access her files, change passwords, and even run Photo Booth. I have two iMacs side by side. When I allow BTMM on iMac A, and from iMac B I connect to iMac A and start screen sharing, then I see everything that happens on A (cursor movements, programs opening and closing, text being typed). But likewise, if from iMac B I open a program on iMac A, a person seated at iMac “magically” sees their cursor move, open the Applications folder, run Photo Booth, and click the button to snap a picture. How could the thief, sitting at Laptop A in this case, not be alerted that the owner was doing something? Would a thief, or any person, of average intelligence not realize something was going on as they watched Photo Booth open “magically”? This story is hard to believe.

It’s not hard at all to believe that you might learn something about the thief by just activating screen sharing and WATCHING ONLY. Take snapshots of your own screen, with the stolen laptop’s screen front and center. But this would really only catch a picture of the thief if he was playing around with Photo Booth on his own right when you happened to be screen sharing.

19 BlogD { 04.16.08 at 6:27 am }

Yep, same here–proper link or warning, please. In fact, I went through a bit of trouble to create a LiveJournal account thinking that would enable me to view the site, then am told the page is protected and cannot be viewed. A little heads up by the link here would not be too much to ask for.

20 info-dave { 04.16.08 at 6:32 am }

Forgive me for being cynical, but what is a computer with multiple accounts doing with administrative access open to the world?

I did laugh out loud when I read the part about taking pictures of the thief. That’s precious!

The whole story just smells funny to me.

21 ebob { 04.16.08 at 12:23 pm }

I know this thief probably qualifies as a Darwin Award entrant, but honestly. If he saw Photo Booth take his picture on its own, wouldn’t it alarm him? Very stupid or as info-dave says, smells funny.

OTOH, most people using Back to My Mac will have linked an admin account. It’ll be the default privs for their default account. Multiple doesn’t matter, I think.

22 johnnyapple { 04.16.08 at 1:18 pm }

Oh, this is good! Hahaha.

23 elppa { 04.16.08 at 8:01 pm }

@miggyb89 — I hate to rain on your parade, but the firmware password is fairly trivial to get around.

Generally you only need to change the RAM configuration (either add a stick, take one out) and then reset the PRAM a few times.

Fortunately most thieves may not know this, so you’re probably fairly secure.

Unfortunately, anyone who knows what they’re doing could be at your data in a few minutes.

24 tvopdx { 04.16.08 at 9:23 pm }

Really great (and compatible) solution for missing Visio (which sucks by the way) is Omnigraffle. Omnigraffle makes much more visually pleasing charts and diagrams and is at least two orders of magnitude easier to use.

25 Cult of Mac » Blog Archive » California Woman Uses Remote Control Software To Track Stolen MacBook { 04.17.08 at 10:22 am }

[...] Via Roughly Drafted. [...]

26 Back to My Mac helps her nab the thief - TheAppleLounge { 04.18.08 at 10:00 am }

[...] [RoughlyDrafted] [...]

27 WebManWalking { 04.18.08 at 1:35 pm }

Here’s a way to do a phone home without understanding Unix, SMTP, etc, quite so much, if you don’t mind running servers: Download ColdFusion 8 from Adobe. Install it to be used under Apache using the developer or 30-day trial options, both of which allow localhost requests in perpetuity. Learn CFML. Then do something like the following. I don’t know how angle brackets are handled here, so using parens instead of angle brackets:

(cfexecute name="/bin/bash"
arguments="-c '/usr/sbin/traceroute roughlydrafted.com'"
timeout="60"
variable="Variables.ResultsOfTraceroute")
(/cfexecute)
(cfmail
to="myphonehomeaccount@yahoo.com"
server="smtp.myisp.com"
from="fromaccountusername@myisp.com"
username="fromaccountusername"
password="fromaccountpassword"
subject="Where my Mac is now")
Traceroute for #Now()#:

#Variables.ResultsOfTraceroute#
(/cfmail)

NOTE: this assumes that bash is in /bin/bash and that traceroute is in /usr/sbin/traceroute, which is where they are on a non-Mac Unix machine here at work. To find out where they are on your Mac, open Applications > Utilities > Terminal and type “which bash” and “which traceroute” from the command line (without quotes). Then “exit” and File > Quit. You have to give full file system path and utility names for bash and traceroute, because they’re cfexecuted using the login of the Web Server, which may or may not have the same path defaults that you do.

Save your CFML code as, say, phonehome.cfm under the document root of the Apache Web Server.

Then, in ColdFusion Administrator, go to Scheduled Tasks and set

http://localhost/phonehome.cfm

to run once a day, once an hour, once every 5 minutes, or however often you like.

If your Mac is ever stolen, monitor myphonehomeaccount@yahoo.com for e-mails. If you see new ones, you have evidence of where your Mac is now. If not, periodically delete phone-home e-mails from your special account anyway, so that you don’t overflow your account limits and get the account terminated. Also, periodically emptying reminds you that the account’s there.

Of course, the downside is that you have to run the built-in Apache Web Server, JRun J2EE server and ColdFusionServer all the time, which eats up memory, but the upside is that you don’t have to learn how to send an e-mail client request from the Unix command line. CFML is much easier, as you can see.

It might seem that hardcoding your ISP e-mail account’s username and password in the cfmail call is giving the thief too much information, but if they have your Mac, they already have that account configured in Mail or Entourage or whatever anyway. (The thief can already access all your past and current e-mails.) But if it bothers you, you can always just set up a special e-mail account with your ISP for just for outgoing e-mails from cfmail calls. You can also configure it as the default in ColdFusion Administrator and leave the username and password attributes off of the cfmail call.

I composed the CFML above off the top of my head, so no guarantees that it works, not responsible for errors, your mileage may vary, etc.

28 WebManWalking { 04.18.08 at 1:42 pm }

P.S.: The parens on Now() are actual parens, not angle brackets.

29 WebManWalking { 04.18.08 at 3:08 pm }

And (cfexecute …) requires a closing (/cfexecute).
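The phone-home scheme worked out across comments 5, 8, 10, 13 and 27 (grab the public, post-NAT address from a "what's my IP" page, attach a full traceroute, and mail it out as an ordinary authenticated SMTP client rather than as a server) as one Python script. This is an added example, not code from the original post or from WebManWalking: the IP-echo URL, the SMTP host, the mailbox names and the environment-variable names are placeholders to replace with your own, and the script only sends mail when credentials are present in the environment. It also handles the proxy/captive-portal case WillisWasabi raises, by refusing to treat a private or carrier-NAT address echoed back by an intercepting page as the machine's public address.

```python
"""Phone-home report for a laptop you own: record the public (post-NAT) IP and a
traceroute, then e-mail them through your ISP's submission server as an ordinary
authenticated SMTP client. Constructed example; URLs and account names are
placeholders to replace with your own."""
import ipaddress
import os
import re
import shutil
import smtplib
import ssl
import subprocess
from datetime import datetime, timezone
from email.message import EmailMessage
from typing import Optional
from urllib.request import urlopen

# Placeholders (hypothetical): a "what's my IP" page, a traceroute target, and the
# mail settings used in comment 27 of the thread.
IP_ECHO_URL = "https://ip-echo.example.invalid/"
TRACE_TARGET = "roughlydrafted.com"
SMTP_HOST = "smtp.myisp.com"
SMTP_PORT = 587          # submission port: the mail goes out as a client, not a server
MAIL_FROM = "fromaccountusername@myisp.com"
MAIL_TO = "myphonehomeaccount@yahoo.com"

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Ranges an echo page should never report as "your" address. If one shows up, a
# captive portal or proxy answered instead of the real page.
_NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",    # RFC 1918 (the 192.168.1.x case)
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]  # loopback, link-local, carrier NAT


def parse_public_ip(page_text: str) -> Optional[str]:
    """Return the first public IPv4 address found in an echo page's HTML or text."""
    for candidate in _IPV4.findall(page_text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:          # "999.1.1.1" matches the regex but is not an address
            continue
        if any(addr in net for net in _NON_PUBLIC):
            continue
        return str(addr)
    return None


def fetch_public_ip(url: str = IP_ECHO_URL, timeout: float = 10.0) -> Optional[str]:
    """Ask the echo page which address the wider Internet sees for this machine."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return parse_public_ip(resp.read().decode("utf-8", "replace"))
    except (OSError, ValueError):
        return None


def run_traceroute(target: str = TRACE_TARGET, timeout: float = 60.0) -> str:
    """Run traceroute by full path: a cron or launchd job does not get your shell's PATH."""
    exe = shutil.which("traceroute") or "/usr/sbin/traceroute"
    try:
        proc = subprocess.run([exe, "-n", target], capture_output=True,
                              text=True, timeout=timeout)
        return proc.stdout or proc.stderr
    except (OSError, subprocess.TimeoutExpired) as exc:
        return f"traceroute unavailable: {exc}"


def build_report(public_ip: Optional[str], trace: str,
                 when: Optional[datetime] = None) -> EmailMessage:
    """Put the timestamp, public IP and the full traceroute in the message body."""
    when = when or datetime.now(timezone.utc)
    msg = EmailMessage()
    msg["Subject"] = f"Where my Mac is now ({public_ip or 'unknown IP'})"
    msg["From"] = MAIL_FROM
    msg["To"] = MAIL_TO
    msg.set_content(f"Report time: {when.isoformat()}\n"
                    f"Public IP: {public_ip or 'could not determine'}\n\n"
                    f"Traceroute to {TRACE_TARGET}:\n{trace}\n")
    return msg


def send_report(msg: EmailMessage, username: str, password: str,
                host: str = SMTP_HOST, port: int = SMTP_PORT) -> None:
    """Submit over STARTTLS with the account's credentials, as a mail client would."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.starttls(context=ssl.create_default_context())
        smtp.login(username, password)
        smtp.send_message(msg)


if __name__ == "__main__":
    # Credentials come from the environment (hypothetical variable names) rather than
    # being written into the script, which addresses the hard-coding concern in comment 27.
    user = os.environ.get("PHONEHOME_SMTP_USER")
    pw = os.environ.get("PHONEHOME_SMTP_PASS")
    report = build_report(fetch_public_ip(), run_traceroute())
    if user and pw:
        send_report(report, user, pw)
    else:
        print(report)           # dry run: show what would be mailed
```

Schedule it from the owner's own crontab or a launchd agent (for instance every 30 minutes) and mail arrives only while the machine has an Internet connection; without the two environment variables set, the script just prints the report, which is the easiest way to check the traceroute path and parsing before relying on it.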

30 Using Back To My Mac, to catch a thief | Stan's List { 04.19.08 at 6:02 pm }

[...] Roughly Drafted has a story about tracking down a thief using .Mac’s “Back to My Mac”. The thief did not reformat the MacBook and thus an admin account that connects to .Mac was still available. This made it easy to see the IP address and even take a picture of the thief sitting in front the MacBook. If you need a reason to subscribe to .Mac this is certainly it. Especially if you have an Apple laptop .Mac | Oodles | trackback No Responses to ‘Using Back To My Mac, to catch a thief’ [...]

31 Using Back to My Mac… to Catch a Thief! « Breezeblog { 04.21.08 at 2:41 pm }

[...] Using Back to My Mac… to Catch a Thief! Using Back to My Mac… to Catch a Thief! [...]

32 All Things Dork » Blog Archive » Use Back to My Mac to Catch a Thief! { 04.23.08 at 12:21 pm }

[...] Full Article Here [...]

33 Can your access point help arrest a thief? - The Network Hub: A SearchNetworking.com blog { 07.09.08 at 9:02 am }

[...] “phone home” capabilities are going to become more common, and already stories of cameras and laptops photographing perps and posting their pictures are common. While maybe not a deal sealer, [...]

34 Recover your stolen Mac with Back to my Mac - Foros Omegave { 10.15.08 at 9:46 pm }

[...] que la polic

35 Stolen Mac Helps Find Burglars « Library Technology in Texas { 11.09.08 at 1:57 pm }

[...] the burglar was not aware of this, so the Mac owner was able to watch where he went and found information like his birthdate and email address.  The owner was also able to remotely take pictures of the burglar.  It wasn’t long before [...]

36 AppleFront » AppleInsider | iPhone 3.0 to offer MobileMe users “Find My iPhone” feature { 03.18.09 at 7:06 pm }

[...] “When activated, the phone opens an alert that says, “this enables the “Find my iPhone” service on your MobileMe account at me.com.” It would appear that the service obtains the iPhone’s location and makes it available to the MobileMe user on request if the unit is lost or stolen. [...]

37 iPhone 3.0 to offer MobileMe users “Find My iPhone” feature | MyTriniPhone.com { 03.18.09 at 9:38 pm }

[...] When activated, the phone opens an alert that says, “this enables the “Find my iPhone” service on your MobileMe account at me.com.” It would appear that the service obtains the iPhone’s location and makes it available to the MobileMe user on request if the unit is lost or stolen. [...]

38 iPhone 3.0 to offer MobileMe users “Find My iPhone” feature — RoughlyDrafted Magazine { 03.19.09 at 5:52 pm }

[...] When activated, the phone opens an alert that says, “this enables the ”Find my iPhone“ service on your MobileMe account at me.com.” It would appear that the service obtains the iPhone’s location and makes it available to the MobileMe user on request if the unit is lost or stolen. [...]

39 Remote access for mobile lawyers | Laptop Legal { 09.24.09 at 5:34 am }

[...] allows for remote access to your machine and apparently it can even be used to catch a thief. My rough impression is that it seems like it is a lighter version of Apple Remote Destop or [...]

40 MobileMe recovers stolen MacBook | Basic Thinking Blog { 10.16.09 at 7:50 am }

[...] the story come to a good end, this would be the second case I know of in which MobileMe [...] laborious police work [...]
