
Thread: Couple Can Sue Laptop-Tracking Company (LoJack) for Spying on Sex Chats

  1. #101
    FromTheRafters Guest

    Re: Couple Can Sue Laptop-Tracking Company (LoJack) for Spying on Sex Chats


    "Dustin" <bughunter.dustin@gmail.com> wrote in message
    news:Xns9F599A8B67C4BHHI2948AJD832@no...
    > "FromTheRafters" <erratic.howard@gmail.com> wrote in
    > news:j47o8d$utf$1@dont-email.me:
    >
    >> "Dustin" <bughunter.dustin@gmail.com> wrote in message
    >> news:Xns9F58E660F562EHHI2948AJD832@no...
    >>> "FromTheRafters" <erratic.howard@gmail.com> wrote in
    >>> news:j3uamv$94a$1@dont-email.me:
    >>>
    >>>> "Dustin" <bughunter.dustin@gmail.com> wrote in message
    >>>> news:Xns9F558CA9A208AHHI2948AJD832@no...
    >>>>> "David W. Hodgins" <dwhodgins@nomail.afraid.org> wrote in
    >>>>> newsp.v07k0xqda3w0dxdave@hodgins.homeip.net:
    >>>>>
    >>>>>> On Fri, 02 Sep 2011 18:50:54 -0400, Dustin
    >>>>>> <bughunter.dustin@gmail.com> wrote:
    >>>>>>
    >>>>>>> Oh, and switching to linux still ****s you, when the optionrom2
    >>>>>>> calls home on your internet connection and finds out she's
    >>>>>>> stolen. Which it will do, when it cannot drop the exe file.
    >>>>>>> LOL. What happens next is a
    >>>>>>
    >>>>>> If it's using a windows executable, to phone home, that won't
    >>>>>> work.
    >>>>>
    >>>>> You seem to be missing something important. It can use the
    >>>>> windows executable, but in the event it cannot drop it in a
    >>>>> specified amount of time, it halts the boot process.
    >>>>>
    >>>>>> Are you saying the option rom can establish an internet
    >>>>>> connection before the operating system boots?
    >>>>>
    >>>>> I'm not only saying that, but, being as I've extracted a viable
    >>>>> sample of the option rom and have since learned how to remove it,
    >>>>> I *know* the company is lying about the product's limitations and
    >>>>> abilities.
    >>>>
    >>>> Have you been analyzing the OEM partnered persistence version or
    >>>> just the software CD loadable version?
    >>>
    >>> One from CD loading, one from OEM. They don't have much difference
    >>> in code, and both can be remotely updated.

    >>
    >> Hmmm ... if it is all software and flashable firmware, then why is
    >> there any need to partner with the manufacturer? Surely they don't
    >> need any such partnership to make use of the 'guest room' on the
    >> BIOS chip.

    >
    > Customized hardware options. They don't need the partnership, as long
    > as your bios has the room. But, from a would be purchasing point of
    > view; it gives them credibility.
    >
    >> I read a little on the Toshiba forums where there is expressed
    >> concern over the ability of black hats to use this as their own
    >> personal rootkit by changing the 'phone home' address. Computrace's
    >> reply was that they have firmware installed by the manufacturer.

    >
    > Yes, in some systems they do.
    >
    >> http://forums.toshiba.com/t5/Satelli...r/LoJack-vulne
    >> rability/td-p/45947
    >>
    >> Why would they need the manufacturer to do something that they can
    >> do from the software environment (i.e., flashing)?

    >
    > Depending on the expense of the product (The high end stuff only,
    > basically); it actually has an extra chip soldered onto the mainboard;
    > and you can see this was added later, not part of the original design.
    > That chip I can do nothing with. If I remove it, the laptop dies.


    If it can be made unusable by a thief, that is a small measure of success.

    The possibility of subversion is worrying though.

    > However, if I am able to reflash the main bios AND the optionrom2 code,
    > I can still disable lojack. The chip contains code the system won't be
    > able to use, because I turned it "back off" in the bios config. It's
    > not a clean situation as I'd prefer, but it works still.


    Well, I never thought the software version was worth anything anyway.
    If you can remove the code, you can defeat the 'protection'. My take
    was that they were able to put the essential code in a non-flashable
    location.

    > However, anybody good with cmos coding can always flip the bit and turn
    > it back on, without the user knowing. When that ******* is re-
    > activated, my work gets undone pretty quick.
    >
    >> I can't help thinking that there must be *something* that is
    >> untouchable from the software environment.

    >
    > That chip. You can see if your box might have it, by entering cmos
    > setup and looking for lojack options.


    I'll have to look on my Toshiba.



  2. #102
    Dustin Guest

    Re: Couple Can Sue Laptop-Tracking Company (LoJack) for Spying on Sex Chats

    "FromTheRafters" <erratic.howard@gmail.com> wrote in
    news:j4fksv$5c3$1@dont-email.me:

    > If it can be made unusable by a thief, that is a small measure of
    > success.


    I don't think like a thief. The laptop dying as a result of mod chip
    removal counts to me, as a discovery of how not to do something. To
    less enthusiastic people, it means a failure. [g]

    > The possibility of subversion is worrying though.


    Well, you literally are trusting the company not to do anything nasty
    to your machine. And, if it has a working internet connection and you
    have the bios code running, and you allowed the exe to drop and install
    as a service, you do understand it can download more software anytime
    they like. The initial dropper doesn't do all the dirty work on its
    own. A few more executables are required, depending on computrace's
    intentions. The fact it allows them to access *almost everything* on
    your pc tho, is worrying to me.

    I personally wouldn't use the software.

    >> However, if I am able to reflash the main bios AND the optionrom2
    >> code, I can still disable lojack. The chip contains code the system
    >> won't be able to use, because I turned it "back off" in the bios
    >> config. It's not a clean situation as I'd prefer, but it works
    >> still.

    >
    > Well, I never thought the software version was worth anything
    > anyway. If you can remove the code, you can defeat the 'protection'.
    > My take was that they were able to put the essential code in a
    > non-flashable location.


    It's all software. The chip I can't physically remove doesn't
    contain the same code as the optionrom which is flashed with your
    permission (I hope you know it's being done). That flashing is separate
    from a bios update from manufacturer. That only deals with the main
    section code block, not your optionroms. Optionroms don't have to
    physically exist on the bios chip either, they can be present on cards
    present in the computer. I have a secondary pci controller card with
    its own bios. As it presently has no drives connected, its bios
    doesn't remain in memory. However, a bios dump does reveal my system
    considers its bios to be an optionrom.

    Computrace occasionally releases updates; they have to be able to
    reflash on occasion. The modified chip on the high end stuff isn't
    writable, afaik, it's read only code. Likely a permanent serial number
    and such for lojack tracing purposes. My method for disabling still
    works on these systems.

    It's just not clean from my hardass point of view, as the chip is still
    present and I can't just snip it free. Yes, it's dead, yes lojack's
    nothing but a memory now, but the chip is still physically present and
    that irks me. [g]

    >> That chip. You can see if your box might have it, by entering cmos
    >> setup and looking for lojack options.

    >
    > I'll have to look on my Toshiba.


    See above tho. The chip is hardcoded read only things, likely serial
    number and manufacturer special configuration options. It cannot reload
    lojack in the event I remove it, and it doesn't do the file dropping
    either. It's a permanent non alterable storage site for lojack/hardware
    configuration. And as I said, the higher end stuff has it.


    --
    I am a sinner
    Hold my prayers upto the sun
    I am a sinner
    Heaven's closed for what I've done.
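
As an added illustration of the option ROM layout discussed in post #102 (not code from either poster, and not the dumping tool mentioned in the thread), the sketch below inventories legacy option ROM images in a firmware dump, which is how an auditor would notice an unexpected module. It assumes an uncompressed dump of the legacy ROM region with images on 2 KiB boundaries; the sample bytes and the IDs 0x1234/0x5678 are constructed.

```python
import struct

ROM_SIG = b"\x55\xaa"   # legacy option ROM signature
STEP = 2048             # legacy BIOS scans the ROM region on 2 KiB boundaries

def make_rom(blocks, pci_ids=None, good_checksum=True):
    """Build a constructed sample image (not real firmware)."""
    rom = bytearray(blocks * 512)
    rom[0:2] = ROM_SIG
    rom[2] = blocks                              # length in 512-byte blocks
    if pci_ids:                                  # PCI ROMs carry a "PCIR" structure
        struct.pack_into("<H", rom, 0x18, 0x1C)  # pointer to that structure
        struct.pack_into("<4sHH", rom, 0x1C, b"PCIR", *pci_ids)  # IDs only, rest zero
    rom[-1] = (-sum(rom)) & 0xFF                 # bytes of a valid image sum to 0 mod 256
    if not good_checksum:
        rom[-1] ^= 0x01                          # simulate a corrupted or altered image
    return bytes(rom)

def find_option_roms(dump):
    """List option ROM images in an uncompressed dump of the ROM region."""
    found = []
    for off in range(0, len(dump) - 0x19, STEP):
        if dump[off:off + 2] != ROM_SIG:
            continue
        size = dump[off + 2] * 512
        entry = {"offset": off, "size": size, "pci_id": None, "checksum_ok": False}
        (ptr,) = struct.unpack_from("<H", dump, off + 0x18)
        pcir = off + ptr
        if ptr and pcir + 8 <= len(dump) and dump[pcir:pcir + 4] == b"PCIR":
            entry["pci_id"] = struct.unpack_from("<HH", dump, pcir + 4)
        if 0 < size <= len(dump) - off:          # no checksum for truncated images
            entry["checksum_ok"] = sum(dump[off:off + size]) % 256 == 0
        found.append(entry)
    return found

def sample_dump():
    """Constructed 8 KiB dump: PCI card ROM, non-PCI module, corrupted module."""
    pad = lambda b: b + b"\xff" * (-len(b) % STEP)
    return (pad(make_rom(2, pci_ids=(0x1234, 0x5678)))
            + pad(make_rom(1))
            + pad(make_rom(1, good_checksum=False))
            + b"\xff" * STEP)

if __name__ == "__main__":
    for rom in find_option_roms(sample_dump()):
        print(rom)
```

An image with no PCI ID is a module that is not tied to an add-in card, and a failed checksum marks an image worth comparing against the vendor's firmware release.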

  3. #103
    FromTheRafters Guest

    Re: Couple Can Sue Laptop-Tracking Company (LoJack) for Spying on Sex Chats

    "Dustin" <bughunter.dustin@gmail.com> wrote in message
    news:Xns9F5C60324EBB9HHI2948AJD832@no...
    > "FromTheRafters" <erratic.howard@gmail.com> wrote in
    > news:j4fksv$5c3$1@dont-email.me:
    >
    >> If it can be made unusable by a thief, that is a small measure of
    >> success.

    >
    > I don't think like a thief. The laptop dying as a result of mod chip
    > removal counts to me, as a discovery of how not to do something. To
    > less enthusiastic people, it means a failure. [g]


    Thomas Edison said something similar.

    >> The possibility of subversion is worrying though.

    >
    > Well, you literally are trusting the company not to do anything nasty
    > to your machine. And, if it has a working internet connection and you
    > have the bios code running, and you allowed the exe to drop and install
    > as a service, you do understand it can download more software anytime
    > they like. The initial dropper doesn't do all the dirty work on its
    > own. A few more executables are required, depending on computrace's
    > intentions. The fact it allows them to access *almost everything* on
    > your pc tho, is worrying to me.


    Yes, it is a complete and utter compromise and you are expected to
    trust them - in fact *pay* them - for the service. )

    If you can make known that a device is useless to a thief, the thief
    will be less likely to steal it. It would be better if we could cut out the
    middleman and activate the self-destruct ourselves.

    > I personally wouldn't use the software.
    >
    >>> However, if I am able to reflash the main bios AND the optionrom2
    >>> code, I can still disable lojack. The chip contains code the system
    >>> won't be able to use, because I turned it "back off" in the bios
    >>> config. It's not a clean situation as I'd prefer, but it works
    >>> still.

    >>
    >> Well, I never thought the software version was worth anything
    >> anyway. If you can remove the code, you can defeat the 'protection'.
    >> My take was that they were able to put the essential code in a
    >> non-flashable location.

    >
    > It's all software. The chip I can't physically remove doesn't
    > contain the same code as the optionrom which is flashed with your
    > permission (I hope you know it's being done). That flashing is separate
    > from a bios update from manufacturer. That only deals with the main
    > section code block, not your optionroms. Optionroms don't have to
    > physically exist on the bios chip either, they can be present on cards
    > present in the computer.


    I believe that was the usual case, this 'guest space' on the main BIOS
    chip is relatively new to me.

    > I have a secondary pci controller card with
    > its own bios. As it presently has no drives connected, its bios
    > doesn't remain in memory. However, a bios dump does reveal my system
    > considers its bios to be an optionrom.


    This was how the PCI "rootkit" was suggested, expansion (or option)
    ROM gets included in the BIOS image. I had no idea that the main
    BIOS chip had extra space to accommodate additional firmware until
    recently.

    Did you write your own BIOS and Expansion ROM dumping tool? I found
    one for each, but not one for both.

    > computrace occasionally releases updates; they have to be able to
    > reflash on occasion. The modified chip on the high end stuff isn't
    > writable, afaik, it's read only code. Likely a permanent serial number
    > and such for lojack tracing purposes. My method for disabling still
    > works on these systems.
    >
    > It's just not clean from my hardass point of view, as the chip is still
    > present and I can't just snip it free. Yes, it's dead, yes lojack's
    > nothing but a memory now, but the chip is still physically present and
    > that irks me. [g]


    So, you're sure it's only "data" but you just don't like loose
    ends?

    Is there anything unusual about outgoing packets? Are packets tagged
    with that data?

    That would suck.



  4. #104
    Dustin Guest

    Re: Couple Can Sue Laptop-Tracking Company (LoJack) for Spying on Sex Chats

    "FromTheRafters" <erratic.howard@gmail.com> wrote in
    news:j4h24t$qoe$1@dont-email.me:

    > I believe that was the usual case, this 'guest space' on the main
    > BIOS chip is relatively new to me.


    I've known about it for a really long time. Prior to retiring, I was
    experimenting with malicious code for this purpose... ;p I believe I've
    been honest on how I know this stuff tho. I've always said my past had
    a lot to do with it.

    > This was how the PCI "rootkit" was suggested, expansion (or option)
    > ROM gets included in the BIOS image. I had no idea that the main
    > BIOS chip had extra space to accommodate additional firmware until
    > recently.


    A lot of people don't know the BIOS has more than just one section.
    It's why people are so shocked when I tell them....

    > Did you write your own BIOS and Expansion ROM dumping tool? I found
    > one for each, but not one for both.


    Yes, but the tool is very old and wasn't intended for the legit side of
    bios alteration. [g] It just happens to work in this case too. The
    technology behind it tho was for another project...

    > So, you're sure it's only "data" but you just don't like loose
    > ends?


    I need another laptop with the extra chip to verify my theory. I
    think!? I found the hardware calls the rom image makes to talk to it.
    If it can talk to it, so can I.

    > Is there anything unusual about outgoing packets? Are packets tagged
    > with that data?


    You'd see an SSL connection if you packet sniffed. Nothing more. Yea,
    you could figure out the destination IP is computrace if you wanted to
    bother. But you wouldn't be able to see what the discussion itself is.




    --
    I am a sinner
    Hold my prayers upto the sun
    I am a sinner
    Heaven's closed for what I've done.
