The Khaki Bandit Strikes At IT - 130 Stolen Laptops

destinyland writes "'The khaki bandit' posed as an office worker at several corporations and successfully stole over 130 laptops which he later sold on eBay. The ease of theft from the corporate offices (including FedEx and Burger King) shows just how bad corporate security can be. In some cases, the career thief just walked into the office behind an employee with a security badge. Two million laptops were stolen just in 2004, and of those 97 percent were never recovered. Ultimately it was the corporate headquarters of Outback Steakhouse who caught the thief with a bugged laptop that notified them when he re-connected it to the internet."

Look at the way many people treat their laptops

[elrous0 (869638)]

Considering the cavalier way many people treat laptops and projectors, I'm not surprised. No one would think of leaving $3000-$4000 in cash just laying around in the open. But I've seen plenty of people where I work leave brand new laptops and projectors sitting out in the open, unattended for long periods.

In fact, just a couple of weeks ago, one of our directors went on vacation and left his laptop and projector just sitting on the conference room where he had last used it (a large, wide-open conference room used by hundreds of outside people each week). They sat there for several days before anyone noticed.

Re:Look at the way many people treat their laptops

[tommeke100 (755660)]

people don't care when they don't have to pay for it.
It's the same at our company. You wouldn't believe the state some of our laptops are after just a couple of months. cracked screens, missing keyboard keys, full of spyware, coffee spilled all over it, ....
I don't think ppl would treat their laptops that poorly if they had to pay for it.

Re:

[vivian (156520)]

Mabey you want to consider changing the powerdown options n your laptop's BIOS.

Re:Look at the way many people treat their laptops

[beef curtains (792692)]

He did fix the problem in a way that was suitable to him. And he's the guy who uses the laptop and must've been happy with his cheap fix.

In this scenario, it doesn't matter that his solution was "suitable to him", or that "he's the guy who uses the laptop"...the fact of the matter is that he doesn't OWN the laptop, the university does. So basically he borrowed the laptop and broke it to suit his whims. That's generally not acceptable.

If you lent your laptop to a friend, and he brought it back with buttons crudely torn out because they were getting in his way, would you commend him on his clever workaround? Likely not (unless you have very little regard for your valuable belongings).

I'm sure that in whatever field he's a professor in, he probably doesn't make fun of you for not understanding something.

It sounds like the GP understands quite clearly: this professor damaged university property. If I was a student in this professor's class, and decided one day to demolish his overhead projector because it was blocking my view of the whiteboard (assuming professors still use overhead projectors & whiteboards...if not, substitute your own analogy ;) ), would he be wrong to be upset with me? Or would his displeasure merely demonstrate his lack of understanding?

He probably wouldn't even make fun of your poor choice of words with "Gods know".

Ah, the ad hominem attack...I now feel that I might be feeding a troll. Oh well, I've typed too much to delete it all, so I soldier on....

Yours is a problem that many people have. Once you understand something, you can't understand how someone else doesn't understand that problem. Different strokes for different folks.

Once again, I fail to see the GP's "problem"...he's stating that this professor damaged university property. Are either one of us missing something? "Different strokes for different folks" is completely invalid in this situation; the professor's "strokes" violated the ownership rights (and probably the terms of use) of the "folks" who owned the laptop.

Re:

[cayenne8 (626475)]

"We had a user check it with her luggage on a flight. She was shocked when it didn't come around on the conveyor belt with her suitcase. :-)"

Now while I wouldn't every check mine, due to concerns over damage/rough handling, and the fact that I like to 'play' with my laptop while flying....I'd not automatically think it would be quickly stolen as checked luggage.

I'm hoping stolen luggage is a fairly rare thing? I've had luggage lost, but, never had anything permanently taken from me.

This is a pretty sad

Re:Look at the way many people treat their laptops

[Four_One_Nine (997288)]

Apparently in most business we trust most people to not steal laptops, projectors, LCD monitors, etc.

However it seems that NOWHERE in corporate America does any company trust it's employees (at least the male ones) to not steal the paper towels out of the mens room. The dispenser is ALWAYS locked up !

Re:

[j-pimp (177072)]

It seems that NOWHERE in corporate America does any company trust it's employees (at least the male ones) to not steal the paper towels out of the mens room. The dispenser is ALWAYS locked up !

It really comes down to the fact that paper towel technology has reached the point that the right balance of security and usability has been achieved. In IT we have to pick an extreme.

Re:Look at the way many people treat their laptops

[Hoi Polloi (522990)]

We must keep paper towels out of the hands of terrorists. Even the janitor's closet has better security than most offices.

Seriously though, companies will take you to court over stealing a few hundred bucks worth of equipment but if you rob the company blind with sleazy accounting, incompetence, and outright robbery as an executive you get let go with millions in severance.

Re:

[Psmylie (169236)]

Absolutely true, the main point of it is to add some extra difficulty to stealing it. It's hard to pretend to be "the IT guy" when you actually have to physically damage the laptop's case to remove it. Also, you can tell your insurance company that it was locked to the desk, and the thief must have broken the case to remove it, so you might get a break there (We do... our company premiums have gone down more than enough to cover the cost of the locks)

Speaking of being "the IT guy", I am so very rarely stopp

$150 a laptop?

[andy.ruddock (821066)]

From the article "Over the years he'd pocketed at least $20,000", which comes to a mere $153.85.
No wonder eBay shoppers were happy with the deals they got.

Re:$150 a laptop?

[Funkcikle (630170)]

Oh dear. Who will lead the OLPC initiative now that Nicholas Negroponte is in jail?

Re:$150 a laptop?

[Artifakt (700173)]

I like it: "Stealization". Let's spredulate this meme.
 

Laptops are easy

[necro81 (917438)]

For the bold and motivated thief, walking in and then out with a laptop is easy. Just look like you are supposed to be there. Slipping it into a briefcase helps with the illusion.

On the other hand, someone waltzed off with a 24" LCD monitor from the desk of a co-worker not long ago. His office was the furthest in from the door, so someone needed to be particularly bold to go all the way in, disconnect the monitor, and walk back out. No one saw him either, which is impressive considering the size of the load he was carrying. It's a lot harder to look and act natural about carrying a large monitor than a laptop.

Re:

[crafton (1166353)]

are you sure it wasn't the co-worker that stole it?

Re:Laptops are easy

[oyenstikker (536040)]

Walk in, slap a big yellow sticker on it that says "Repair Ticket" in big letters, and carry it out.

Try airport mainframes

[Simon (815)]

Laptops are for pussies. Try mainframes from international airports:

The brazen airport computer theft that has Australia's anti-terror fighters up in arms [smh.com.au]

--
Simon

Thieves aren't that smart...

[Tastecicles (1153671)]

...I work in a shop on occasion, and the number of stolen laptops that come through with people trying to sell them to us is simply mind-boggling. I'm not talking about pissy little Pentiums, either, these are the latest, greatest in portable number crunching. Some have passwords on them as their only real identifying feature (the serial numbers and Microsoft licenses are usually scratched off), which I tell the seller is not possible to circumvent (in some cases they're not, being on the BIOS rather than the OS). Other tricks they have is coming in claiming they've lost or wrecked the power adapter (how convenient) and need a cheapo universal one. Sure, I'll sell them the universal brick but they're not testing the thing in the store.

Net bugs are a good thing to have, I think (got one on here), particularly given the plentiful supply of open wireless points in most large cities now. Turn on machine, bug sends data burst, thief is cornered. Hell, he doesn't even need to physically connect to a network these days.

Re:

[deftcoder (1090261)]

Other people who aren't smart: those who don't realize it's possible to bypass "BIOS passwords".

Re:Thieves aren't that smart...

[dintech (998802)]

It's a bit unfair to see he's not smart. It's just a piece of knowledge you have that he doesn't. And yes, I know knowledge is power...

Re:

[idontgno (624372)]

It wasn't just smarts he had but a lack of shame and empathy for others.

There's a phrase that's rattled around in my (mostly empty) head. It was used in some piece of literature I read a mammal's age ago, describing the nature of such a person. In lieu of, or in addition to, what we've been calling "smarts".

That phrase seemed to perfectly capture the essence of such a person.

"Low animal cunning."

I like it.

Re:

[antifoidulus (807088)]

Is the real money nowadays even in just pawning the computer as quick as you can? I would guess that nowadays, esp. in the corporate world, the data is often worth more than the device itself. I'm surprised more enterprising thieves haven't either held the data ransom or sold it to someone else. But then again, as you point out, thieves aren't necessarily the brightest bulbs in the box....

Re:

[Ours (596171)]

They are smart. Image the complexity of ransom. How do you get paid without getting traced? Who do you contact (1800-OUTBACKRAMSON)? How do you know what's important and what's not?
It's probably safer to steal bigger volume for a small profit. People watch too much TV.

absolute crap

[RMH101 (636144)]

...this is categorically NOT possible on any significant number of laptops manufactured in the last 10 years. Modern BIOS passwords are secure enough to effectively brick any device where the password is lost, without significant expertise or specialist kit to bypass. Ric

Re:

[Ravenscall (12240)]

Actually, if you open up the laptop, there is still a reset button, not to mention a factory override password.

Re:

[antifoidulus (807088)]

Or you could set your wallpaper to the goatse man, get a custom goatse case mod, goatse keyboard...Nobody will want to touch that laptop!

Re:

[Calinous (985536)]

CMOS battery on a laptop? I haven't seen one (but on the other side, I haven't opened a laptop until all his internals were visible)

LoJack for laptops

[Fezmid (774255)]

The article says it's Computrace's LoJack for Laptops. We looked into the corporate version awhile ago due to the remote-wipe feature.

If the laptop has the proper version of TPM, it will even automatically re-install itself if the thief reinstalls Windows. Not sure if that's a good thing or a bad thing, having the BIOS infecting the machine... If it's stolen though, it's a good thing.

To quote discworld...

[Tacobowl8 (1175465)]

"If the theives guild invested in blue overalls with Al on them, they could get away with anything." Social engineering IS one of the easiest to exploit security holes. It isn't much of a surpise that laptops were stolen using this technique.

check sunnyvale

[pak9rabid (1011935)]

This sounds like something Ricky and Julian, er, I mean Cory and Trevor would pull

ID cards...

[Veetox (931340)]

...are really not enough for security. I work at a building that I need keycard access to, but cards eventually become worn and some break so that they cannot be displayed anymore, and the company won't pay for a new one every time that happens. So there are two results: People don't wear them explicitly, and people don't question who they are letting into the front door behind them. I'm personally in favor of having a guard stationed at a single entry, at least for larger buildings; someone who can recognize people's faces and can be held responsible for stopping people he doesn't know. ...There's the danger of him being an asshole, but I'd be willing to take that chance.

Not really news

[Opportunist (166417)]

I was working in a high security environment. You know, the whole thing with magnetic cards, guards sitting there and watching people going in and out of the building, timestamps everywhere, in short, the company knew down to a second where you've been all day.

Or rather, where your key card has been.

You guess what happened? Exactly. One of those cards was stolen, one of the high level IT cards to boot, and the thief just waltzed in and went out with 2 servers. Nobody bothered to ask him what he's doing there. He has access to highly sensitive areas, so why bother asking why he's hauling around servers. That's his job, you know?

When nobody is supposed to do something, nobody expects anything's wrong when someone does what isn't supposed to be done. Especially in a high rotation hire and fire environment. Do you think anyone would question it when you put on a uniform and a trainee button and just go behind the counter of some fast food restaurant? Just tell everyone you're the new guy and avoid the manager.

It works.

Re:

[everphilski (877346)]

I was working in a high security environment. You know, the whole thing with magnetic cards, guards sitting there and watching people going in and out of the building, timestamps everywhere, in short, the company knew down to a second where you've been all day.

A couple of things:
1) add a photo.
2) add name, company affiliation and division.
2) add personal information on the flipside. My badge has my height / eye color / hair color.
(Back when I worked for the Army, it also had things like the contract

Re:

[everphilski (877346)]

Only helps the thief knowing where to go and what security level he has.

Not really, in my case anyways, I'm a contractor so I work in a mixed facility with a bunch of other companies on several projects. It's easy for a guard to flip over the badge and interrogate you. Knowing the contract and company name will not help you find my desk :) In a smaller company setting, which I guess you were percieving, you would have more limited data. to work with, but there is still data to be had. Title, tenure, etc.

And here's how he was caught:

[farker haiku (883529)]

I couldn't find the post asking how the guy was caught (i.e. what software), but here you go.
FTA:
Larry Brass, the Tampa Police detective who arrested Eric Almly this spring, says he's not permitted to endorse a particular product. But he says if Outback's laptops were not outfitted with software called Computrace LoJack for Laptops, made by Absolute Software, there is "no question" Almly would be walking free today.

Here is how it works: after a computer is stolen, the victim notifies Absolute's recovery team. When the thief accesses the Internet via that computer, the Computrace software on his computer silently broadcasts information that allows the team to determine his physical location.

With a street address in hand, police can make an arrest. The corporate version of the software gives subscribers the ability to remotely delete sensitive information from a computer.

Re:And here's how he was caught:

[Anne_Nonymous (313852)]

>> how the guy was caught

It was an Outback Steak-Out.

Re:

[madigan82 (1179493)]

We have Computrace installed on over 5,000 laptops in the field. It is installed in the BIOS so a simple format won't get rid of it. In fact, if they format it, the BIOS agent actually reinstalls the OS agent. One thing they don't mention is that you need to file a police report on the stolen laptop first before you can track it. But it works nice. We've had several that were "stolen" to wind up at the user's house or a friend's house. Not sure if any were actually ever stolen though since I don't han

Re:And here's how he was caught:

[jollyreaper (513215)]

With a street address in hand, police can make an arrest. The corporate version of the software gives subscribers the ability to remotely delete sensitive information from a computer.

Laptops are only worth a few thousand bucks, a reputation is priceless. I say put Sony batteries in the fuckers. Once you have the thief pegged, send a remote command to detonate. Nobody but nobody is going to steal from you after you blow up a thief. And if you've got a webcam built into the thing, put his final moments on youtube.

Ahh... the power of money

[sootman (158191)]

Ultimately it was the corporate headquarters of Outback Steakhouse who caught the thief with a bugged laptop that notified them when he re-connected it to the internet.

Which is funny as hell, because I've read several times on Slashdot (sorry, no time to search) about people who have their laptops set to do just that, but when they inform the police that their laptop is in use by a customer of this ISP with that IP address, they're told to go pound sand, that the police don't have time to go catch criminals that you can lead them to. It's trivial--especially with MacBooks--to have it send you not only the IP address but a picture of the theif if you want--but it seems to do no good.

Maybe the thing to do would be to get laptop insurance and then have the info emailed to the insurance company.

Re:

[anticypher (48312)]

Which goes to show the difference in professionalism between an individual with l33t hacking skills and a corporation that does bugging/tracking as a business model.

The tracking companies hire ex-police detectives to speak "cop" when asking for an investigation to be opened with a police force. They are experienced in providing testimony before a court, filing paperwork, and saying the right thing to the right person to start a case. You, and all of slashdot, really, REALLY, want to maintain the current sit

Security at my company is good!

[internetcommie (945194)]

It consists of never buying new equipment unless it is absolutely necessary, and then buying second-hand if at all possible.
If a thief made it into the building and walked out with all the computers here, he might make $150 on ebay if lucky.
But he'd be more likely to just get a hernia.

Two million in one year?

[LoudMusic (199347)]

Somehow I have a hard time believing 2,000,000 laptops were stolen in a single year. That's nearly 5,500 per DAY. I don't think Dell even move than many laptops in a day. And I don't know a single person, personally, who had their laptop stolen. Ever. Where do these numbers come from? Are people just reporting stolen laptops for insurance claims? And now they have two laptops?

Re:

[Joe the Lesser (533425)]

My bad. My friend and I have a competition to see how many times we steal this one laptop from each other. Everytime he goes to the bathroom I grab it from his cubicle...that's probably throwing the numbers off.

Illegal wiretap

[SnarfQuest (469614)]

This is another case of an illegal wiretap of American citizens! They did not get a warrent from the FISA court before installing the software on his laptop, making it completely illegal. This is an abuse of private citizens by an overzealous government! This poor fellow should be immediately freed, his criminal history cleared, and an apology with monetary reimbursements for his trouble! The owners of the Outback Steakhouse should immediately be imprisoned for casuing this travesty of justice!

Re:if he was so smart

[$RANDOMLUSER (804576)]

...after taunting his victim from a payphone, the victim dialed *69, and Almly was arrested...

Yeah, smart.

Re:if he was so smart

[eldavojohn (898314)]

why did he not blow away the HDD and reload before putting the thing on the internet?

Well, I believe he was doing that, from the article:

Later, at his $1,800-a-month apartment along Miami Beach, the burglar erased the laptops' hard drives and began selling them via services like eBay, where he had earned a 99.4 percent customer-satisfaction rating and tens of thousands of dollars in profit.

And then later:

Thanks in part to the company's use of a clever antitheft device...

They don't really go into details about it, but this might be something in the NIC chip or something else ingeniously specific to the hardware. They probably don't want to give out details as this was the only way to catch and stop this kind of outfit.

Re:

[by Anonymous Coward]

They don't really go into details about it, but this might be something in the NIC chip or something else ingeniously specific to the hardware.

I doubt it. Most likely they got lazy and just cleaned XP without reinstalling leaving the rooted snitchkit to do it's thing. I guess if large access provider like T-Mobile's Hotspot had the MAC Address of a taken machine and a process to report to the right person it's presence on the network it could be traced. I also don't think MS is checking MAC addresses gather

Re:if he was so smart

[Bender0x7D1 (536254)]

I believe most tracking software creates a separate partition that would survive a standard reinstall, but not a complete reformatting of the disk.

What I think would be very effective would be a laptop, created explicitly for businesses, that would implement the tracking system in hardware. If you added it to the integrated wireless networking, you wouldn't be able to shut it off, and you could track it whenever you needed to. If you are concerned about battery life, you could allow someone to shut it off, but have it wake-up every few hours just to check in. When it checks in, if it's labeled as stolen, the networking stays on, allowing for constant tracking.

There are some privacy concerns with a tracking device that can't be turned off, but that's why I said it would be explicitly for businesses, (or people who want that feature explicitly). For many businesses, the loss of privacy is less important that the ability to track their assets.

Re:It's in the BIOS

[InvisiBill (706958)]

http://news.thomasnet.com/companystory/471725 [thomasnet.com]

VANCOUVER, Dec. 13 /PRNewswire-FirstCall/ -- Absolute(R) Software ("Absolute") (TSX: ABT), the leading provider of computer theft protection and secure asset tracking solutions, today announced a milestone in the company's efforts to drive the standard for PC theft recovery and Secure Asset Tracking(TM) - the availability of Computrace support in the BIOS across all four of the top tier PC manufacturers' commercial notebook lines.

Absolute first announced BIOS support for its theft protection technology with IBM/Lenovo on February 1, 2005; followed by announcements with Gateway on August 9th and HP on October 4th. Today, Dell announced a set of customer solutions that leverages Dell's embedded BIOS support for Computrace allowing customers to address issues of regulatory compliance, data protection and PC theft recovery.

We don't use it here, but I believe once you enable it in the BIOS, it can't be disabled. Obviously, there's always a way to disable everything, but it's not a matter of formatting a drive or changing a BIOS setting. It comes down to hex-editing the BIOS data or replacing the BIOS chip or something.

Wrong P

[stomv (80392)]

United Parcel Service [wikipedia.org].

Re:

[Hoi Polloi (522990)]

I knew a woman who was a researcher at MIT in a biochem lab. Before MIT refurbished its biochem labs they were wide open. Anyone could walk into almost any room. Grad students were notorious for being lax about security. The local bums and thieves also knew this and would wander in and steal student's purses, wallets, laptops, etc. One day she came in and found that someone had rifled through a fridge full of bacteria in liquid media. Good thing for them they didn't think it was free Hi-C and guzzle i