
Remote Destruction of Data

Question

Can you set up a Mac so that if it is stolen, you can easily erase the contents of its hard drive from a remote location if the stolen Mac is connected to the internet?

Answer

Absolutely! The trouble isn’t so much in the actual erasing of the data as it is in remotely accessing your computer wherever it winds up. There are a couple of remedies to that problem. Some people set up a phone-home, a script on the computer that (in the old days) would dial your home phone number if the computer was attached to a phone line. Recently, this has evolved into an email or other network ping to divulge the computer’s IP address. Then, you could try to access the computer remotely to manually delete data. This has one downside – if the computer is behind someone’s home firewall, all you’ll have is an IP and no way to actually connect.

My solution is a fun one.

Synopsis

I set up a periodic task that checks for a file on my webserver called youve_been_stolen. My PowerBook’s periodic run fetches that URL and, if the file is found, runs a script that runs rm -rf against a smattering of directories and pops an AppleScript informing the new “owner” that they are using stolen hardware.

System and User Requirements

  • A web server you can access from another computer
  • Understand the basics of launchd

The Script

I’m a die-hard Perl monger. Old habits die hard. You could easily write this in bash and use curl instead of Bundle::LWP, so as to avoid installing more Perl modules. But I’ve already done this, and I’m not rewriting it.

My script relies on the LWP Perl module, which OS X doesn’t have installed by default.

celaeno:~ doce$ sudo perl -MCPAN -e 'install Bundle::LWP'

If you’ve never run CPAN before, it’ll ask you if you’re “ready to configure manually.” Tell it “no” and it’ll set itself up automatically, then install LWP.

#!/usr/bin/perl -w

use LWP::UserAgent;
use HTTP::Request;

my $ua = LWP::UserAgent->new;
$ua->agent("Killer/1.0");

# Ask the webserver for the trigger file; a 2xx response means it exists
my $req = HTTP::Request->new(POST => 'http://www.wonderr.com/youve_been_stolen');

my $res = $ua->request($req);

if ($res->is_success) {
    # insert all actions to perform if stolen
    # (~ expands to the home of whichever user runs the script)
    system("rm -rf ~");
} else {
    # dump if youve_been_stolen is 404
    exit;
}

I followed codepoet’s recent article about changing my periodic tasks to more reasonable times, and added this script to /etc/daily.local, ensuring that it gets run once a day at about 4:15 in the afternoon. It would also work to make an hourly (or more frequent) launchd item, but I’d make it an item that runs as root, so that the process won’t run into any permissions problems.

The Execution

Should my PowerBook ever be stolen, I just upload a file named “youve_been_stolen” to my webserver. I get a few bonuses here. First, the PowerBook will erase everything I tell it to within a day or so of my upload to the server.

Add whatever you’d like done into the stanza with the system call, and it’ll be done. To announce to the new “user” that the machine is stolen, I made a second script, in AppleScript, and called it with system("osascript /Library/Scripts/Ive_Been_Stolen").

About JC

Author Biography

JC is a former Mac Genius and Mac-centric IT worker with a background in print advertising. He earned a reputation as a miracle worker when he saved the day at a new business pitch with the arcane knowledge that Apple’s ADB cables were nothing more than poorly shielded S-Video cables.

JC runs the Heroic Efforts Data Recovery Service and writes Ungenius, a tawdry tale of the life and times of a former Mac Genius.

You can contact JC via IM or via the contact form.

I suppose if the thief never plugs the system in, this will be triggered as well?

I’d be inclined to do something that allowed you a fighting chance of locating the system. Assuming the thief didn’t wipe it (the smart move) you could hide something somewhere that would POST data to a webserver (IP address assigned, output of a traceroute or ping, something that detailed what network it was on). Given some of this data, it might be possible to find it. Or perhaps just leave something that periodically does annoying things like down interfaces, kill random applications, shutdown or restart randomly …

But there’s something sweetly vindictive about a sequence consisting of:

touch /etc/nologin
killall WindowServer
rm -rfP /

-P Overwrite regular files before deleting them. Files are overwritten three times, first with the byte pattern 0xff, then 0x00, and then 0xff again, before they are deleted.
JC's picture

When it gets the file from my webserver, its IP would be logged to access_log, and I could trace back to it myself.

Adam Knight's picture

And that could be a better deal, or not. It depends on which end of the connection might drop traceroutes.

If someone could post a step by step guide for those of us that are not so advanced but who find this idea really neat and would like to have it for peace of mind as well.

Thanks

Adam Knight's picture

Not to be too blunt but you should read about the site a little and about why it’s here. A lot of sites bring themselves down several levels to cater to everyone and a lot of great information is lost in those cases. Especially with a concept like this a step-by-step is actually very dangerous as you are not aware of each aspect of your solution and why it exists and could easily shoot yourself in the foot.

I guess the other hint with this is make sure that you have your user account set to NOT automatically login AND require a password to unlock after the screen saver disabled.

With my computer (even though it’s a desktop) the thief would never see the cool applescript message telling him he is being traced with a scud missile, or something like that. Because he won’t have my password to login in to the desktop or unlock the screensaver.

I’d be sure to keep good backups of my laptop if all that was keeping my data intact was a simple web request. Any wireless network administrator with some spare time could spoof the existence of that file really easily. If I was watching my wireless network and saw a computer regularly hitting a url like www.domain.com/COMPUTER_IS_STOLEN I might get curious. It would be much safer to check the file for specific contents, at the very least.
And at most I might make an ssh connection instead, passing keys instead of requiring a password, and check for a file’s existence that way.

also, I have to say, macgeekery has the toughest kaptchas I’ve ever seen. I failed both of these:


Seems a lot easier, although it requires a relatively stupid thief…

http://www.macworld.com/news/2002/01/25/timbuktu/

JC's picture

Why spend money (and relatively big money, in Timbuktu’s case…) on a solution that you can easily do without any add-on commercial software?

For the same reason I dropped cash for BBedit even though vi ships free with every Mac!

JC's picture

There are downsides to Timbuktu besides cost. To begin with, it requires you to make an incoming connection to the stolen mac. Increasingly these days, people (and most thieves are people) have firewalls and wireless access points and NAT routers, meaning that you won’t get to deliver your payload unless your thief has conveniently set up port forwarding.

By flipping this around the other way, there are fewer things that can go wrong, and it doesn’t require you to personally be online at the same time as your thief. You just upload a file and go about your life…

If I were to upload the “youve_been_stolen” file up to my server and then executed the perl script, wouldn’t the ‘rm -rf ~’ command just delete all the files on MY computer?

If not, then how does the remove command know which system to act on?

Hopefully I didn’t miss anything too obvious. Anyway, this is my first comment here – really enjoy the site, thanks.

edit

Sorry! By MY computer I mean the computer I am using to delete files.

Adam Knight's picture

You’re going to want a different filename for each machine.

I actually use an MD5 hash of the hostname and something extra and keep it in a special path of an unadvertised site. I don’t “rm -rf” however.

Oh, man. Given your response I am assuming that there is a huge chunk of code missing from that script – probably the code used to connect to the stolen computer?

Luckily I have read your reply to Jarod’s request and will not push this any further.

Although maybe you can at least give us a Google query to work with.

Adam Knight's picture

No code is missing. What I mean is that instead of using the URL http://www.wonderr.com/youve_been_stolen I use something like http://www.wonderr.com/MIA/e823d80b106824-Phobos as the URL and set each script on each computer to check a different URL.

But I will say that if you don’t completely understand what this is doing, it’s best not to.
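Two of the comments above point at the same weakness in the original script: any server that answers 200 (a captive portal, a spoofed access point, a curious network admin) is enough to fire it, and every machine polls the same guessable path. The script below is an added example of a beacon that closes both gaps; it is not JC’s script or anything from the site. It assumes a shared secret stored on the laptop (SECRET, a placeholder you replace), the /MIA base path Adam Knight mentions, and a trigger-file format of “<nonce> <hmac>” that is invented here. The per-machine path is an HMAC of the hostname rather than a plain MD5, and the script only acts when the file’s HMAC verifies against the hostname and nonce, so a guessed or spoofed file is ignored.

```perl
#!/usr/bin/perl
# Added example, not the original post's script: a beacon that checks a
# per-machine URL and only acts if the fetched body carries a valid HMAC.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);   # core module since Perl 5.10
use Sys::Hostname;
use LWP::UserAgent;

# Shared secret kept on the laptop and with you. Placeholder value.
my $SECRET = 'replace-with-a-long-random-secret';
# Base path from the comments above; adjust to your own server.
my $BASE   = 'http://www.wonderr.com/MIA';

# Per-machine path: an HMAC of the hostname, so each machine polls a
# different file and the URL itself says nothing about what it is for.
sub trigger_path {
    my ($host, $secret) = @_;
    return hmac_sha256_hex("path:$host", $secret);
}

# What you upload to $BASE/<trigger_path> to fire the trigger for one host:
# a nonce and an HMAC over hostname and nonce.
sub make_trigger {
    my ($host, $nonce, $secret) = @_;
    return "$nonce " . hmac_sha256_hex("trigger:$host:$nonce", $secret);
}

# Returns 1 only if the body parses as "<nonce> <hmac>" and the HMAC
# verifies. A bare 200 from some other server therefore does nothing.
sub verify_trigger {
    my ($body, $host, $secret) = @_;
    return 0 unless defined $body;
    my ($nonce, $mac) = $body =~ /^\s*(\S+)\s+([0-9a-f]{64})\s*$/;
    return 0 unless defined $mac;
    my $expected = hmac_sha256_hex("trigger:$host:$nonce", $secret);
    # Constant-time comparison so a remote party cannot time the check.
    return 0 unless length($mac) == length($expected);
    my $diff = 0;
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expected, $_, 1))
        for 0 .. length($mac) - 1;
    return $diff == 0 ? 1 : 0;
}

# Only run the network part when executed directly (modulino idiom), so the
# functions above can also be loaded and exercised from a test.
unless (caller) {
    my $host = hostname();
    my $ua   = LWP::UserAgent->new(timeout => 10);
    $ua->agent("Killer/1.1");
    my $res = $ua->get("$BASE/" . trigger_path($host, $SECRET));
    if ($res->is_success && verify_trigger($res->decoded_content, $host, $SECRET)) {
        # Insert the actions to perform if stolen here, as in the original
        # post. Left as a message so the verification can be tried safely.
        print "trigger verified for $host\n";
    }
}
```

To fire it for a particular machine you would run make_trigger with that hostname, a fresh nonce and the same secret, and upload the output to the path trigger_path gives for that host. The timeout on the user agent matters on a laptop that may sit behind a captive portal: without it the daily run can hang for the whole of the 4:15 slot. Note that the nonce is not remembered between runs, which is fine for a one-shot trigger but would need a stored high-water mark if you ever reused the endpoint for repeatable commands.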

Awesome… another security measure would be to set up a “special” account which would wipe your hard drives in case of emergency (theft, got fired, whatever).

When I began to be suspicious of a previous employer, I set up an “Administrator” account on my mac, and left a sticky under my keyboard with the account name and password. The next week when they eliminated my department and fired us all with no notice, and instantly confiscated our systems I felt quite vindicated.

http://www.fif3.com/2005/10/03/emergency-disk-format/

Here’s the how-to for the emergency disk wipe user.
