[Full-disclosure] Re: Breaking Computrace LoJack Part II



Maybe, just maybe, there's a parallel universe with you and a mirror
of your laptop. Of course, in the other universe some things would be
different, such as the DoD IP address block.

On 1/7/06, obnoxious@xxxxxxxx <obnoxious@xxxxxxxx> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Breaking Computrace's LoJack Part II
>
> After my first hurried document, I figured I'd offer some follow
> information. An employee from Absolute.com contacted my employer
> rambling on about me being misinformed on their product. The
> employee from Absolute was more than likely a salesman as he
> couldn't answer technical questions so I requested that he send me
> information about my laptop since he was "concerned" that it had
> not "phoned home". But yet he was stating it had "phoned home" and
> Absolute was still able to track my machine.
>
> One thing this person stated was that "my machine was still calling
> in, but not updating their database with information on the state
> of my machine to their front end, but the back end was still
> working". Meaning, although my machine was not phoning home, it was
> phoning home. After a quick chuckle I again iterated that if this
> were the case - that my machine still contacting his company - he
> should be able to provide me with the information my machine was
> supposedly sending. After I received his response I sent off a
> detailed e-mail calling his bluff.
>
> According to the staff at Absolute.com, my machine had called in
> yesterday (January 06th 2006) morning at 9:45am. They even provided
> me with an IP address. I was shocked and ready to throw in the
> towel at that point, but decided to respond right back to them.
>
> Firstly, on January 06th 2005, my machine was powered down.
> Secondly, it was not physically plugged into any network. Thirdly,
> Troppix was running on the machine and the CD was still in its
> drive. Now I wondered what a marvelous feat it would be for 1)
> Absolute to create a kinetic based program to power up my machine
> at will. Such a great feat would bring them millions in revenue
> from people seeking to conserve money on power. I then thought even
> neater of them to have the ability to connect my machine to a
> network without my knowledge. Zeroconf (www.zeroconf.org) must have
> sped up production and given rights to Absolute or something.
> Almost lastly would be the fact that they've ported over Windows
> executables and DLLs to Linux.
>
> If that wasn't enough of a slap in the face, Absolute graciously
> provided me with what they labeled an IP address. The address they
> gave me was 485819880. So I wondered? 1CFC05E8?
> 00011100111101010000010111101000? What kind of crap are they giving
> me? If that's a decimal IP that would place me at 28.245.5.232.
> That would mean that my machine was "phoning home" from a
> "Department of Defense" network, which would probably make me a
> terrorist. Now I informed Absolute that I have a static address at
> home, this I could verify with my company's syslog server as well
> as 4 other (non company) servers which could provide them with my
> IP address if they wanted it for verification purposes. Surely a
> provider wouldn't pull Absolute's chain and give them false
> information so any claims by Absolute of me "fabricating my IP
> address" would be an insult.
>
> [root@imposter security]# echo 485819880 | trans.pl
> [root@imposter security]# 28.245.5.232
>
> [root@imposter security]# whois -h whois.arin.net 28.245.5.232
> [Querying whois.arin.net]
> [whois.arin.net]
>
> OrgName: DoD Network Information Center
> OrgID: DNIC
> Address: 3990 E. Broad Street
> City: Columbus
> StateProv: OH
> PostalCode: 43218
> Country: US
>
> NetRange: 28.0.0.0 - 28.255.255.255
> CIDR: 28.0.0.0/8
> NetName: DSI-NORTH2
> NetHandle: NET-28-0-0-0-1
> Parent:
> NetType: Direct Allocation
> Comment: ARPA DSI JPO
> Comment: 7790 Science Applicationis Crt.,
> Comment: Vienna, VA 22183 US
> RegDate: 1996-03-11
> Updated: 2000-04-13
>
> So now as it stands, Absolute has a kinetic, Zeroconf, password
> cracking, interchangeable (Windows executable to Linux binary)
> product capable of finding anyone anywhere on the planet. For those
> wondering about the password cracking part, how else could it have
> booted up Troppix and logged in - in order to send out information.
>
> To be fair I decided to boot into Windows XP turn on my firewall
> and watch whatever tries to connect to - where and why. Sure enough
> Internet Explorer was trying to send out information to a site that
> just so happened to be owned by Absolute. Packet data anyone?
>
> Protocol : TCP
> Local Address : 10.10.10.10
> Local Port : 1596
> Remote Name : search.namequery.com
> Remote Address : 209.53.113.223
> Remote Port : 80 (HTTP - World Wide Web)
>
> Ethernet packet details:
> Ethernet II (Packet Length: 76)
> Destination: 00-09-5b-6d-a0-9c
> Source: 00-12-f0-44-4e-4b
> Type: IP (0x0800)
> Internet Protocol
> Version: 4
> Header Length: 20 bytes
> Flags:
> .1.. = Don't fragment: Set
> ..0. = More fragments: Not set
> Fragment offset:0
> Time to live: 128
> Protocol: 0x6 (TCP - Transmission Control Protocol)
> Header checksum: 0xa878 (Correct)
> Source: 10.10.10.10
> Destination: 209.53.113.223
> Transmission Control Protocol (TCP)
> Source port: 1596
> Destination port: 80
> Sequence number: 3493489526
> Acknowledgment number: 0
> Header length: 28
> Flags:
> 0... .... = Congestion Window Reduce (CWR): Not set
> .0.. .... = ECN-Echo: Not set
> ..0. .... = Urgent: Not set
> ...0 .... = Acknowledgment: Not set
> .... 0... = Push: Not set
> .... .0.. = Reset: Not set
> .... ..1. = Syn: Set
> .... ...0 = Fin: Not set
> Checksum: 0x1dfd (Correct)
> Data (0 Bytes)
>
> Binary dump of the packet:
> 0000: 00 09 5B 6D A0 9C 00 12 : F0 44 4E 4B 08 00 45 00 |
> ...[m.....DNK..E.
> 0010: 00 30 7E 5B 40 00 80 06 : 78 A8 C0 A8 00 07 D1 35 |
> ..0~[@...x......5
> 0020: 71 DF 06 3C 00 50 D0 3A : 6B 76 00 00 00 00 70 02 |
> q..<.P.:kv....p.
> 0030: 40 00 FD 1D 00 00 02 04 : 05 B4 01 01 04 02 6E 61 |
> @.............na
> 0040: 6D 65 71 75 65 72 79 03 : 63 6F 6D 00 |
> mequery.com.
>
> So what was the best thing to do? Block it via my firewall or play
> with my hosts file:
>
> echo "search.namequery.com 127.0.0.1" >> C:\PATH\TO MY\HOSTS ...
>
> Maybe I could have played with Absolute using Scapy
> (http://www.secdev.org/projects/scapy/):
>
> <Ether dst=00:09:5b:6d:a0:9c src=00:00:00:31:33:17 type=0x800 |<IP
> version=4L
> ihl=5L tos=0x6 len=67 id=1 flags= frag=0L ttl=255 proto=TCP
> chksum=0xa878
> src=3.1.33.7 dst=209.53.113.223 options='' |<TCP sport=1337
> dport=80 seq=0L
> ack=0L dataofs=5L reserved=0L flags=S window=8192 chksum=0xbb39
> urgptr=0
> options=[] |<Raw load='POST /1DJ1TS' |>>>>
>
> Perhaps change IP addressing every 5 minutes on a script, call them
> and ask them "Can you hear me now..." ... "Can you hear me now..."
>
> Anywho(w)...
>
> Now I'd really like to know what Absolute has to say about 1) their
> miraculous methods of finding my machine even when it is booted
> into Windows with me redirecting via my hosts file. I'd also like
> to know why if they were so concerned - as this salesperson's call
> alluded to, why didn't he mention the 3-4 other laptops in my
> stable that haven't "phoned home".
>
> Anyhow, the jury is out on this... Absolute has yet to respond
> (once again). So for those from Absolute reading this (you've done
> so before... Obviously in order to contact me at work) let it be
> known, prior to the original writing being posted, and prior to
> this one being sent, your company was notified.
>
> J. Oquendo
> obnoxious||hush.com
> "Please no tears no sympathy" -- VNV Nation Epicentre
> echo "\$|[\$_-
> >{_,s:.(.).+.(.):print+(\$1..\$2)[15,22,13,4,3]:e}]"|perl
> -----BEGIN PGP SIGNATURE-----
> Note: This signature can be verified at https://www.hushtools.com/verify
> Version: Hush 2.4
>
> wkYEARECAAYFAkO//YwACgkQo8cxM8/cskrizgCeOx/r0Q5X+e2sJ375wMnk1qb+ShYA
> nRqFBg14AaunNHf3wVeRLTNjPxd/
> =xTxH
> -----END PGP SIGNATURE-----
>
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


--
Article:
-
And an unknown college dropout named Bill Gates, together with his
partner Paul Allen, wrote a version of the programming language BASIC
for the Altair, forming a company called Micro-Soft in the process. He
would later drop the hyphen and the capital S, and make billions of
dollars.
--
Comment:
+++
Dammit Slashdot! If you would just drop the capital S, you could be
making billions of dollars too!
+++++
http://slashdot.org/comments.pl?sid=171335&cid=14270286
+++++++
www.opensource.or.ke
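Two of the checks the quoted post does by hand (turning the vendor's decimal "IP address" into dotted-quad with trans.pl, and reading the sniffer's hex dump of the SYN to search.namequery.com) can be done in a few lines of Python. The script below is an added example written for this page; it is not the poster's trans.pl, nor anything from Absolute or Scapy. The decimal value and the hex bytes are transcribed from the post; the function names and the returned dictionary layout are my own. It decodes the Ethernet, IPv4 and TCP headers, verifies both header checksums with the RFC 1071 ones'-complement sum, lists the TCP options, and separates the bytes that trail the IP total length from the packet proper.

```python
import struct

# Values transcribed from the quoted post: the "IP address" the vendor
# supplied as a decimal number, and the sniffer's hex dump of the SYN frame.
VENDOR_DECIMAL_IP = 485819880

FRAME_HEX = """
00 09 5B 6D A0 9C 00 12 F0 44 4E 4B 08 00 45 00
00 30 7E 5B 40 00 80 06 78 A8 C0 A8 00 07 D1 35
71 DF 06 3C 00 50 D0 3A 6B 76 00 00 00 00 70 02
40 00 FD 1D 00 00 02 04 05 B4 01 01 04 02 6E 61
6D 65 71 75 65 72 79 03 63 6F 6D 00
"""

TCP_FLAG_NAMES = [(0x80, "CWR"), (0x40, "ECE"), (0x20, "URG"), (0x10, "ACK"),
                  (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN")]


def decimal_to_dotted(n):
    """Render a 32-bit integer as a dotted-quad IPv4 address (what trans.pl did)."""
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit IPv4 value: %r" % n)
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def ones_complement_sum(data):
    """RFC 1071 ones'-complement sum over big-endian 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum_valid(data):
    """A header (or pseudo-header + segment) that includes its own checksum sums to 0xFFFF when intact."""
    return ones_complement_sum(data) == 0xFFFF


def parse_tcp_options(opts):
    """Decode the TCP option bytes between the fixed header and the data offset."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP padding
            out.append("NOP")
            i += 1
            continue
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 2:
            out.append("MSS %d" % struct.unpack("!H", body)[0])
        elif kind == 4:
            out.append("SACK-permitted")
        else:
            out.append("opt%d" % kind)
        i += length
    return out


def parse_frame(hexdump):
    """Decode Ethernet II / IPv4 / TCP from a whitespace-separated hex dump."""
    raw = bytes.fromhex(hexdump)
    if struct.unpack("!H", raw[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    src, dst = ip[12:16], ip[16:20]
    tcp = ip[ihl:total_len]                # the segment ends at the IP total length
    dataofs = (tcp[12] >> 4) * 4
    flags = tcp[13]
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "eth_dst": raw[0:6].hex(":"), "eth_src": raw[6:12].hex(":"),
        "ip_src": decimal_to_dotted(int.from_bytes(src, "big")),
        "ip_dst": decimal_to_dotted(int.from_bytes(dst, "big")),
        "ttl": ip[8], "proto": proto,
        "ip_checksum_ok": checksum_valid(ip[:ihl]),
        "sport": struct.unpack("!H", tcp[0:2])[0],
        "dport": struct.unpack("!H", tcp[2:4])[0],
        "seq": struct.unpack("!I", tcp[4:8])[0],
        "flags": [name for bit, name in TCP_FLAG_NAMES if flags & bit],
        "window": struct.unpack("!H", tcp[14:16])[0],
        "options": parse_tcp_options(tcp[20:dataofs]),
        "tcp_checksum_ok": checksum_valid(pseudo + tcp),
        "payload": tcp[dataofs:],
        "trailing": raw[14 + total_len:],  # bytes beyond the IP datagram
    }


if __name__ == "__main__":
    print(VENDOR_DECIMAL_IP, "->", decimal_to_dotted(VENDOR_DECIMAL_IP))
    for key, value in parse_frame(FRAME_HEX).items():
        print("%-16s %r" % (key, value))
```

Run as-is, the decimal value comes out as 28.245.5.232, the same answer trans.pl gave, and both header checksums verify, which confirms the dump was transcribed intact; the sniffer's "0xa878" and "0x1dfd" are the on-wire bytes 78 A8 and FD 1D displayed byte-swapped. The decode also surfaces two things worth noticing before arguing with a vendor: the source address bytes in the dump (C0 A8 00 07) decode to 192.168.0.7 rather than the 10.10.10.10 shown in the sniffer's summary line, and the 14 bytes after the 48-byte IP datagram are not part of the packet at all but the label-encoded string "namequery\x03com" left over from a DNS lookup in the capture buffer, which is why the frame length reads 76.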