Laptop thieves nabbed with help from Mac software

Glenn Fleishman says,
Two alleged thieves were found with stolen computer and A/V gear taken from three roommates in White Plains, N.Y., because one of the victims is a Mac expert. She used the notoriously hard-to-get-working Back to My Mac feature in Leopard which allows single sign-in to .Mac for remote, secure access to all computers on which you've signed in. (It uses UPnP/NAT-PMP, wide-area Bonjour, dynamic DNS, and IPsec's IKE coupled with IPv6 tunneling. Any surprise it's wonky? It's cool when it works, though.)

The unnamed victim in question was able to use remote screen sharing to capture a picture of one alleged burglar via the machine's built-in iSight camera, and copied photos on the computer that apparently were of the other alleged thief.

One of the other roommates recognized the two alleged perps from a party at their apartment (they were friends of a friend), told the police, who tracked them down, and made the arrests, finding all the stolen gear in the process.

While I've heard of plenty of Webcams-lead-to-capture stories, this is the first story that ties in IPv6 and recovered gear that I know of.

Discussion

Moral of the story, first wipe the HDD and re-install the OS before re-using a stolen laptop.

The geek shall inherit the earth.

The Little Brother wonders how secure Back to My Mac is. How easily can it be compromised so that the laptop owner is the one being monitored and having photos taken of her?

Thanks Cory, I enjoyed the book.

techbuzz - depends.

How easily can you guess the owner's .mac password?

There are lots of more complicated things you could try, but why bother?

@3: "The Little Brother wonders how secure Back to My Mac is. How easily can it be compromised so that the laptop owner is the one being monitored and having photos taken of her?"

Very very easily. Back to My Mac is incredibly secure as long as you have both physical security of the computers in question and your .Mac password is absolutely secure.

The thief could just as easily have surveilled any BtMM enabled computer the owner was using!

(I'm writing a book about Back to My Mac, so I'm pretty keyed up on its encrypted goodness and security model weakness.)

#7 posted by Neko, May 10, 2008 11:09 PM

Moral of the story - don't have parties where friends of friends of friends can case the joint =p

#8 posted by amnyc, May 11, 2008 12:17 AM

@ Comment #1:

You can prevent that by launching the Open Firmware Utility and setting it to require a password before modifying the startup disk (and hence preventing a HDD wipe.)

Downside to that: forget the password, need to reinstall the OS, and you're SOL.

#9 posted by WA, May 11, 2008 1:26 AM

Amnyc, how would that prevent modification of the startup disk? The removal of hard drives isn't that hard, and external enclosures are quite inexpensive. I am also almost certain that OF passwords can be reset in the hardware.

#10 posted by dainel, May 11, 2008 6:00 AM

Many of us have stuff like IM clients, browsers (with cookies), software that "phones home", etc, that leaves the IP address in the logs of some server somewhere. I run the servers for my office, where some of these services keep these logs. So assuming we have this list of IP addresses, I am wondering how feasible is it for us (or the police) to approach the ISP to trace their logs with this IP address and come up with a physical address of the thief. I have not actually tested this because, well, none of our computers have been stolen yet. Not that I'm actually hoping for it to happen. Just wondering how effective this method would be as a defense against theft.

@8: "You can prevent that by launching the Open Firmware Utility and setting it to require a password before modifying the startup disk (and hence preventing a HDD wipe.)"

Except that changing system parameters (modifying the amount of RAM) on the system disables the Open Firmware password, I discouragingly found out (not through a theft) recently.

#12 posted by Takuan, May 11, 2008 9:31 AM

build in a taser

Ah, yes, your friend's friends...typical.

@10

I recently had an experience where I was emailing a person back and forth regarding the sale of a very expensive item I once owned... Needless to say, when we met up for the sale, the item was stolen from me, with force. I ended up checking out the source code of the emails received from the thief, and got the originating IP addresses. I tracked the IP addresses and found 3 different locations were used out of the 7 emails (some locations were repeated and all were local). This might be extremely off topic, but I'm wondering, can the police issue a court order to the ISP used (which I also have) to obtain the exact physical address?

#15 posted by Calios, May 11, 2008 1:24 PM

Where does "alleged" stop and "actual" begin? Makes one wonder why the "pc" reference has to be used. Thieves like these should be tattooed (branded) and publicized so the rest of us can make sure they don't get near our "stuff". Guess we'll just put them on probation and a slap on the hand and they will be a little wiser for the next time they want something, how to get it and wipe the HD.

#16 posted by Antinous, May 11, 2008 1:31 PM

can the police issue a court order to the ISP used (which I also have) to obtain the exact physical address?

A judge can. Whether you can get the police interested enough to pursue it is another matter. Did you file a police report? Perhaps more importantly, was it a bag of crack? Because, if it was, don't call the cops.

#17 posted by amhealy, May 11, 2008 4:45 PM

@14

"...can the police issue a court order to the ISP used (which I also have) to obtain the exact physical address?"

You can turn over the information to the district attorney's office to see if they would be interested in pursuing the case.

If the D.A.'s office is not interested, file a civil suit naming the defendant as a Doe until you can ascertain the name. Then, you can issue your own subpoena to the ISP to find out the physical address and the name of the person who owns the account.

Keep in mind, if the D.A. is not interested, it can be very costly to file a lawsuit, even without an attorney, although if this is an item covered by a small claims action, then you can do it in small claims court and it won't cost as much.

@ comments 1, 8, and 9:
Yes, the Open Firmware Utility will allow you to do this. Three caveats:
1. Most people don't know this and will never bother
2. Most thieves are dumb, so it's OK. They won't even think of wiping the hard drive.
3. MacBook Air does not have this feature, as there was not, last time I checked, an OFU available for the MBA.

If the solution described in the post sounds way too complicated, check out Undercover.

#19 posted by Takuan, May 11, 2008 6:14 PM

OK, a built-in taser would be difficult. How about molding C-4 into the case with a coded detonator?

#20 posted by Caroline, May 12, 2008 6:15 AM

Dainel @ 10: There is an anti-theft program that does exactly that -- Orbicule's Undercover. If you report your Mac stolen (to the cops and to Orbicule), the next time it's connected to the internet, it'll send its IP to Orbicule, as well as secretly take iSight pics and screenshots and send those to Orbicule. Orbicule gets in touch with the ISP and gets them to send the physical address to the cops, and also sends all the pictures and screenshots to the cops.

It costs money and you have to consider whether you trust the program to only "phone home" after you have reported your computer stolen. I've decided I trust it and have it installed on mine. YMMV.

It's pretty slick that they were able to recover their stuff, but really, where's the outrage over the fact that the victim had to investigate the crime themselves? Where the hell are the police, and why aren't they doing their job?

Sorry, this one gets me steamed, I had a car stolen and recovered recently, and though the thief left a tire iron covered in fingerprints in the back seat and blood all over the driver's seat when he cut himself breaking the window, the police refused to do anything more than take a report.

But I guess if they're too lazy to investigate something like grand theft auto, they'll never do anything remotely technical to recover expensive stolen property. I'm so glad my taxes pay for this shit.

It's pretty slick that they were able to recover their stuff, but really, where's the outrage over the fact that the victim had to investigate the crime themselves? Where the hell are the police, and why aren't they doing their job?
===============
There's no mention that she reported the theft to the police prior to solving it. She may have traced the perps, then called the cops to apprehend them.

@15: "Where does "alleged" stop and "actual" begin? Makes one wonder why the "pc" reference has to be used."

Well...I don't know that these two guys stole the stuff. I only know that a news report states that the police state that they found the stuff in an apartment that the police told the reporters was rented by the fellows. That's a lot of supposition.

In our criminal justice system, those accused aren't considered guilty until so proven. I try to give people the benefit of the doubt until that point, no matter how stupid nor how obviously guilty they may appear to be because we usually don't have first-hand knowledge. You're apparently willing to accept one or more reporters' accounts of police statements, in fact made by a police spokesperson who I believe didn't actually visit the apartment where the police say the stolen goods were found.

That is a long chain of belief.

Also, litigation is rampant. If you write, "this guy stole this thing," and he did not, and he says it damages his reputation, he could conceivably successfully win a lawsuit against you. Even if the lawsuit isn't successful, you might still be in a position of spending thousands or even tens of thousands of dollars to defend yourself over a single comment on a Web site that Google indexes and which haunts someone's future rightly or wrongly.

Lot of weight attached to "alleged."

They had to use "alleged" because style guidelines require it when the claim is an obvious fake, as this one is.

I mean, come on... IPv6 worked? Over a network? What sort of gullible suckers do these fraudsters take us for? This ain't the Ann Landers column here.
