Re: LoJack for Laptops

[Dustin]

"FromTheRafters" <erratic.howard@gmail.com> wrote in
news:j4opi6$3is$1@dont-email.me:

> I'm okay, mom's in a nursing home for the time being. The level of
> care she needs right now is beyond our capability. They estimate
> about a month and she'll be able to come back home.

Sorry to hear that. I hope it works out for the better.

> As for LoJack, they claim that the software will *heal* the firmware
> if it is flashed, and that the firmware will reinstate the software
> if it is removed. They don't specifically state that removing *both*
> will defeat the system although that looks to be the case.

Yes, if you remove both systems it's as if it never happened. They
won't outright say that, nor are they going to admit how easy it is to
remove for someone who knows what they're doing. It's payware and
offers Security by obscurity; which as you know, is really no security
at all.

They've made a pretty good size business milking the sheep. I finally
heard back from a contact of mine with Lenovo, he tells me the extra
chip is indeed a database, and the software has an api it uses to read
data from it. So it's far from impossible for me to do the same. He
isn't sure if it's using public/private key crypto to protect itself,
but he doesn't believe it is. it cannot be changed once installed, it
isn't writable.

It contains a serial number specific to that model laptop which when
registered by the customer ties it to that customer for life,
unless/until said customer contacts lenovo in the event of a sale and
transfers it over. This information is transmitted to computrace in the
event of a reported theft. It allows them to positively identify your
machine when the case goes to court. leaving no wiggle room for the
defendant who stole it.

Lenovo has partnered with them and as a result, the software comes
preinstalled on the bios as an optionrom. All bios revisions for these
models all contain lojack. When you update the bios rom, it will update
your lojack version if it's behind.

So, if a wouldbe thief takes one of these machines, delojacks it, and
forgets, and a customer eventually updates the bios; they won't know
it, but they've reinstalled lojack and thanks to the extra chip, it's
going to report itself stolen and they're going to be sorry. Unless
they're running linux of course. But, most people probably will run
windows, at some point. If they run it in a vm, that's enough to
relojack [g]

Now that I understand what's going on with the partnership program, I
can see how this could be a huge hassle for stealing laptops. [g].

--
I am a sinner
Hold my prayers upto the sun
I am a sinner
Heaven's closed for what I've done.

[FromTheRafters]

"Dustin" <bughunter.dustin@gmail.com> wrote in message
news:Xns9F5FCFC3BEC63HHI2948AJD832@no...
> "FromTheRafters" <erratic.howard@gmail.com> wrote in
> news:j4opi6$3is$1@dont-email.me:
>
>> I'm okay, mom's in a nursing home for the time being. The level of
>> care she needs right now is beyond our capability. They estimate
>> about a month and she'll be able to come back home.
>
> Sorry to hear that. I hope it works out for the better.
>
>> As for LoJack, they claim that the software will *heal* the firmware
>> if it is flashed, and that the firmware will reinstate the software
>> if it is removed. They don't specifically state that removing *both*
>> will defeat the system although that looks to be the case.
>
> Yes, if you remove both systems it's as if it never happened. They
> won't outright say that, nor are they going to admit how easy it is to
> remove for someone who knows what they're doing. It's payware and
> offers Security by obscurity; which as you know, is really no security
> at all.

Another case of marketing 'allowing' a misunderstanding of capability
in order to boost sales.

> They've made a pretty good size business milking the sheep. I finally
> heard back from a contact of mine with Lenovo, he tells me the extra
> chip is indeed a database, and the software has an api it uses to read
> data from it. So it's far from impossible for me to do the same. He
> isn't sure if it's using public/private key crypto to protect itself,
> but he doesn't believe it is. it cannot be changed once installed, it
> isn't writable.

As I suspected, but I couldn't understand why they wouldn't protect the code
itself rather than just a 'configuration block' as that Ortega (IIRC) fella
calls it.

> It contains a serial number specific to that model laptop which when
> registered by the customer ties it to that customer for life,
> unless/until said customer contacts lenovo in the event of a sale and
> transfers it over. This information is transmitted to computrace in the
> event of a reported theft. It allows them to positively identify your
> machine when the case goes to court. leaving no wiggle room for the
> defendant who stole it.

So it *is* effectively tagged.

> Lenovo has partnered with them and as a result, the software comes
> preinstalled on the bios as an optionrom. All bios revisions for these
> models all contain lojack. When you update the bios rom, it will update
> your lojack version if it's behind.

Ah.

> So, if a wouldbe thief takes one of these machines, delojacks it, and
> forgets, and a customer eventually updates the bios; they won't know
> it, but they've reinstalled lojack and thanks to the extra chip, it's
> going to report itself stolen and they're going to be sorry. Unless
> they're running linux of course. But, most people probably will run
> windows, at some point. If they run it in a vm, that's enough to
> relojack [g]

That's an interesting aspect.

> Now that I understand what's going on with the partnership program, I
> can see how this could be a huge hassle for stealing laptops. [g].

Yeah, it *could* be a good thing - needs work though.

[Dustin]

"FromTheRafters" <erratic.howard@gmail.com> wrote in
news:j4ot4l$nkc$1@dont-email.me:

> "Dustin" <bughunter.dustin@gmail.com> wrote in message
> news:Xns9F5FCFC3BEC63HHI2948AJD832@no...
>> "FromTheRafters" <erratic.howard@gmail.com> wrote in
>> news:j4opi6$3is$1@dont-email.me:
>>
>>> I'm okay, mom's in a nursing home for the time being. The level of
>>> care she needs right now is beyond our capability. They estimate
>>> about a month and she'll be able to come back home.
>>
>> Sorry to hear that. I hope it works out for the better.
>>
>>> As for LoJack, they claim that the software will *heal* the
>>> firmware if it is flashed, and that the firmware will reinstate
>>> the software if it is removed. They don't specifically state that
>>> removing *both* will defeat the system although that looks to be
>>> the case.
>>
>> Yes, if you remove both systems it's as if it never happened. They
>> won't outright say that, nor are they going to admit how easy it is
>> to remove for someone who knows what they're doing. It's payware
>> and offers Security by obscurity; which as you know, is really no
>> security at all.
>
> Another case of marketing 'allowing' a misunderstanding of
> capability in order to boost sales.

Yes. AFAIK, It's perfectly legal as they don't have to explain what's
really going on, as that could be trade secrets... I suppose. It's
sneaky, in any event.

> As I suspected, but I couldn't understand why they wouldn't protect
> the code itself rather than just a 'configuration block' as that
> Ortega (IIRC) fella calls it.

The code has to be updated from time to time. As it does drop the main
executable which they will have to mod from time to time. If they store
it in a non flashable chip and later need to revise it, they have no
way of updating said chip with the revisions.

I've noticed that none of the major Antivirus programs seem to be
detecting the exe it drops, or the optionrom code when rebuilt with a
valid exe header. I'm unsure if it's because of the way in which I
rebuilt the header in both cases.

If it is, that doesn't say much for the progress of the AV...And if
not, it's intentionally being ignored by them?

Strangely enough tho, if I submit it to virustotal I do get hits...

> So it *is* effectively tagged.

Yep. The chip is tied into the power mosfets which regulate voltage,
that's why it dies if I snip it free. he said if I get my electronics
tools out, I could probably find the pins to alter. He wouldn't get
specific. LOL.

I need to find another laptop with this chip and an owner that doesn't
care if it dies as a result of experimentation... Hmm..../me thinks a
bit.

> Ah.

Sneaky of them, me thinks.

>> So, if a wouldbe thief takes one of these machines, delojacks it,
>> and forgets, and a customer eventually updates the bios; they won't
>> know it, but they've reinstalled lojack and thanks to the extra
>> chip, it's going to report itself stolen and they're going to be
>> sorry. Unless they're running linux of course. But, most people
>> probably will run windows, at some point. If they run it in a vm,
>> that's enough to relojack [g]
>
> That's an interesting aspect.

The vm will let that copy of windows run as it normally should. So,
that includes dropping an exe and installing it as a system service;
and running it. as some configure the vm to have internet for various
reasons (these days, a box without net is... handicapped, imo) that
service can call home and function just like it would, had it really
been on a real install of windows.

So.. while it won't natively run on linux, under the right conditions,
you can still run it. [g] And, if you don't know it's in the BIOS in
the first place, that could be very bad... Especially if it's really
stolen.

> Yeah, it *could* be a good thing - needs work though.

There's still the issue of trust. This program can outright take
control of your computer, with the assistance of other executables it
downloads from them. Those are subject to updates at anytime as well.

So hashing this set is pointless if your intentions are to detect it on
a wild set of systems. All it takes is one rogue employee and your data
could be compromised, at the worst. At the least, you could find
yourself locked out of your own machine. Both scenarious mean two
entirely different things to you, depending on whether or not you're a
business user with a business computer or a home user with personal
files.




--
I am a sinner
Hold my prayers upto the sun
I am a sinner
Heaven's closed for what I've done.

[M.L.]

>So, if a wouldbe thief takes one of these machines, delojacks it, and
>forgets, and a customer eventually updates the bios; they won't know
>it, but they've reinstalled lojack and thanks to the extra chip, it's
>going to report itself stolen and they're going to be sorry. Unless
>they're running linux of course. But, most people probably will run
>windows, at some point. If they run it in a vm, that's enough to
>relojack [g]
>
>Now that I understand what's going on with the partnership program, I
>can see how this could be a huge hassle for stealing laptops. [g].

Huge? Given the slight chance of the latest buyer updating the BIOS,
the victim will still need the help of police to retrieve the stolen
laptop. Many large city PDs won't be bothered. And if too much time
has passed, the victim likely won't be bothered either.

There could be even more hassle for the victim if the laptop is
located far away or in another country.

[G. Morgan]

M.L. wrote:

>Huge? Given the slight chance of the latest buyer updating the BIOS,
>the victim will still need the help of police to retrieve the stolen
>laptop. Many large city PDs won't be bothered. And if too much time
>has passed, the victim likely won't be bothered either.

I wonder if they tell the customer what information they have so the
owner can take matters into his own hands?

[Betty]

FromTheRafters wrote:
> "Betty" <howdy@all.y'all> wrote in message news:j4ons0$f10$1@dont-email.me...
>> ~BD~ wrote:
>>> G. Morgan wrote:
>>>> ~BD~ wrote:
>>>>
>>>>>> Yes, if there *is* BIOS persistence. Without BIOS persistence it
>>>>>> is still possible to persist if the code in the partition gaps isn't
>>>>>> defeated.
>>>>>>
>>>>>>
>>>>> I agree.
>>>> I'm sure he's happy you concur!
>>>>
>>> FTR has gone rather quiet of late.
>>>
>>> I hope all is well with him at home.
>> I hope so too. I was thinking about that today. I've noticed that he hasn't
>> said much lately.
>
> I'm okay, mom's in a nursing home for the time being. The level of
> care she needs right now is beyond our capability. They estimate
> about a month and she'll be able to come back home.

<snip>

Thanks for the update, FTR. I hope your mom is well taken care of, and
recovers as quickly as possible.

[~BD~]

Betty wrote:
> FromTheRafters wrote:
>> "Betty" <howdy@all.y'all> wrote in message
>> news:j4ons0$f10$1@dont-email.me...
>>> ~BD~ wrote:
>>>> G. Morgan wrote:
>>>>> ~BD~ wrote:
>>>>>
>>>>>>> Yes, if there *is* BIOS persistence. Without BIOS persistence it
>>>>>>> is still possible to persist if the code in the partition gaps isn't
>>>>>>> defeated.
>>>>>>>
>>>>>>>
>>>>>> I agree.
>>>>> I'm sure he's happy you concur!
>>>>>
>>>> FTR has gone rather quiet of late.
>>>>
>>>> I hope all is well with him at home.
>>> I hope so too. I was thinking about that today. I've noticed that he
>>> hasn't said much lately.
>>
>> I'm okay, mom's in a nursing home for the time being. The level of
>> care she needs right now is beyond our capability. They estimate
>> about a month and she'll be able to come back home.
>
> <snip>
>
> Thanks for the update, FTR. I hope your mom is well taken care of, and
> recovers as quickly as possible.

I concur.

I hope all goes well for mum - and for your sisters.

[~BD~]

M.L. wrote:
>
>
>> So, if a wouldbe thief takes one of these machines, delojacks it, and
>> forgets, and a customer eventually updates the bios; they won't know
>> it, but they've reinstalled lojack and thanks to the extra chip, it's
>> going to report itself stolen and they're going to be sorry. Unless
>> they're running linux of course. But, most people probably will run
>> windows, at some point. If they run it in a vm, that's enough to
>> relojack [g]
>>
>> Now that I understand what's going on with the partnership program, I
>> can see how this could be a huge hassle for stealing laptops. [g].
>
> Huge? Given the slight chance of the latest buyer updating the BIOS,
> the victim will still need the help of police to retrieve the stolen
> laptop. Many large city PDs won't be bothered. And if too much time
> has passed, the victim likely won't be bothered either.
>
> There could be even more hassle for the victim if the laptop is
> located far away or in another country.

My understanding is that the LoJack staff liaise with and help the
police to recover a stolen laptop.

Read the FAQ - http://www.absolute.com/Shared/FAQs/L4L-FAQ-E.sflb.ashx


What do you mean by “Theft Recovery”?

Exactly what it says – we will help to recover your computer if it is
stolen. If this happens, the Absolute Theft Recovery Team will work with
local police to locate it and return it to you. We recover thousands of
stolen computers each year.

How does this work?

If your computer is stolen, contact us. The next time your computer
connects to the internet it will silently switch to theft mode with
Agent contact increasing from once per day to every 15 minutes. This
increased contact will allow the Absolute Theft Recovery Team to
forensically mine your computer using a variety of procedures including
key captures, registry and file scanning, geolocation, and other
investigative techniques to determine who has your computer and what
they’re doing with it.

Most importantly, we will use our technology to pinpoint the physical
location of your computer and work closely with local law enforcement to
recover it.

[Dustin]

~BD~ <~BD~@nomail.afraid.org> wrote in
news:j4qmol$ugj$1@dont-email.me:

> My understanding is that the LoJack staff liaise with and help the
> police to recover a stolen laptop.

Yep. they do...



--
I am a sinner
Hold my prayers upto the sun
I am a sinner
Heaven's closed for what I've done.

[~BD~]

Dustin wrote:
> ~BD~<~BD~@nomail.afraid.org> wrote in
> news:j4qmol$ugj$1@dont-email.me:
>
>> My understanding is that the LoJack staff liaise with and help the
>> police to recover a stolen laptop.
>
> Yep. they do...
>
>
>

Thanks for confirming, Dustin.