
Gift HN: tund - SSH to your stolen laptop - aphyr
https://github.com/aphyr/tund
======
leif
This Ruby code hurts my brain, mostly because it tries to be too cute (if you
want to do configuration in a Ruby script, aren't you supposed to use YAML or
something?). Why not just a shell script?

    
    
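        #!/bin/sh
        # Keep a reverse tunnel open from this laptop to a remote host.
        LOCAL_HOST=localhost        # where the laptop's sshd listens
        LOCAL_PORT=22
        HOST=remote.com             # server that accepts the tunnel
        USER=tunnel
        SSH_PORT=22
        FWD_PORT=2222               # port opened on the remote host
        OPTS=-gN                    # -N: no remote command, forwarding only
        INTERVAL=300                # seconds to wait before reconnecting
        IDENTITY=/etc/tund/key
        
        # ssh blocks while the tunnel is up; when it exits, wait and retry.
        while true
        do
          ssh ${OPTS} \
            -p "${SSH_PORT}" \
            -i "${IDENTITY}" \
            -R "${FWD_PORT}:${LOCAL_HOST}:${LOCAL_PORT}" \
            "${USER}@${HOST}"
          sleep ${INTERVAL}
        done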

~~~
aphyr
'Cuz I plan on separating the config into YAML later.

~~~
leif
fair enough

------
jacquesm
Great little trick, unfortunately most laptops are formatted right after being
stolen to be re-sold. Unless your laptop was stolen with the express purpose
of blackmailing you or because it is known to have juicy data on it the
chances of it coming alive long enough for you to connect back to it are slim
to none.

Even so every little bit helps, if this aids in the recovery of a few laptops
and apprehension of the perps then so much the better.

If your laptop does get stolen, keep a close eye on auction sites, eBay,
Craigslist and the like; chances are it will turn up there within hours of
being stolen.

~~~
aphyr
I have a particularly ingenious defense to prevent reformatting: I have a 3,1
Macbook Pro with a Superdrive. Not only is it incapable of reading any optical
media, but getting your disc back from the furry recesses of its lair is
almost impossible.

~~~
timdoug
Ha! I understand entirely. I have the same hardware, and I'm replacing the
(now broken) optical drive with an MCE OptiBay and an SSD currently in the
mail.

~~~
weaksauce
I did the same. Watch out for 1.7 fw upgrade for the sata bus. My mbp couldn't
handle the amount of data sent and as a result would crash every time I would
install os x. Downgrading the firmware to only allow for 1.5Mbps worked well
and it is what I am currently running. Email me if you need a link to the
downgrade.

------
w1ntermute
Reminds me of a talk from this year's Defcon:
<http://www.youtube.com/watch?v=U4oB28ksiIo>

~~~
aphyr
That's exactly my motivation. I've been using these tunnels for a while, but
I've never seen it packaged up neatly for anyone to use.

~~~
w1ntermute
I think the ideal setup would be to have your laptop boot into a decoy
"usable" install by default (autologin to admin, adjustable network
settings), and have your actual install encrypted and completely locked down
(i.e., have GRUB boot the decoy install without showing the menu, so you'd have
to press Esc to show your other install).

That way, the tunnel wouldn't be running all the time, but if someone were to
steal your computer, it would be available right away. For travelers, it'd
also be useful at customs, since you could just show them your decoy install
without raising any suspicion.

And of course, having regular offsite backups is a necessity regardless of
what approach you take. This should only be a method of getting your hardware
back, not your data.

~~~
paulgerhardt
This is actually surprisingly hard to do with Macbooks. TrueCrypt currently
only supports whole disk encryption for OSX and PGP Whole Disk Encryption's
partition encryption is still somewhat experimental. Even if one does get this
working, one needs to chain load PGP's BootGuard decrypter _after_ one selects
the alternate partition using the default EFI Boot screen when holding the
option key - for which the relevant bits of EFI configuration are for the most
part undocumented and chainloading is not "supported" by the official PGP
tools.

The next best option seems to replace EFI Boot with rEFIt and clone the
behavior...

I can go on, but maybe you're beginning to see why this quickly turns into a
bit of a rabbit hole.

~~~
w1ntermute
Well, I was thinking of doing this with Linux, since that's what I use. I'd
have Windows be the decoy install and use LUKS for dm-crypt to encrypt the
Linux install at the system level. And setting up the default boot with no
countdown in GRUB is trivial. All the pieces are there, and while there's no
definitive guide on how to do it, I don't reckon it would be very difficult.
Since I don't use Macs, I have no idea whether this approach would be feasible
for them as well.

The main thing holding me back is that now that I've moved to an SSD, my
laptop only has 64 GB of space, so I'd rather not waste 10 GB on a decoy
Windows install. Perhaps once I get a bigger SSD.

------
ihodes
I'd think that the abuse of a backdoor into your computer is more likely than
your laptop being stolen. Would anyone else be uncomfortable installing this
on your machine, or am I a little paranoid?

Regardless, I think it's a neat idea. I'm no security expert, by any stretch.

Thanks for the utility!

~~~
aphyr
All this does is make an already available service (SSH) available at a
predictable location. You still need to use a password, RSA/DSA keys, or other
methods to log in.

~~~
ihodes
Right, but you're connected to a "known" host you need to keep secure as well.
So you have two machines to worry about, right? I also am not one to keep more
sshds running than I need to—but I guess the chances of this being exploited
are slim. Are they as slim as having your laptop stolen, though? (Genuinely
curious—this seems like something you'd want to consider before using
something like this.)

But absolutely, it isn't like you've left an open door into your computer.

~~~
aphyr
Is it more likely? That depends on how often you leave your laptop unattended.
:)

I, and pretty much every hacker I know, have _some_ machine they can SSH to on
the internet, _somewhere_. The only added risk is exposing your laptop to an
attack against the SSH daemon, which involves either weak passwords,
weak/unsecured keys, or an SSH server vulnerability. The first two are easily
mitigated. The third is incredibly infrequent, and when it does happen, you've
got bigger problems to worry about.

Almost all SSH attacks target port 22, not a random high port, so you're
unlikely to even see connections to that tunnel in the first place.

Finally, you don't even need to trust the remote machine, since SSH will
authenticate the laptop's host key through the tunnel. MITM attacks are
possible against SSHv1, but pretty much everyone is on v2 these days.

~~~
ihodes
Those are good points. I appreciate your responses—I definitely don't want to
be seen as putting your program down, and I'm genuinely curious about what I
was asking.

I suppose the increased risk is small, and probably nothing to worry about.
Cheers!

------
thwarted
My laptop runs OpenVPN as a daemon using key authentication connected to my
home network. This is mainly so I can access my home network remotely, but it
works the other way also, letting me in to my laptop when it's not in front of
me. OpenVPN as a daemon can also be configured to reconnect when it detects
that network configuration has changed, so it is completely, transparently
portable between whatever network my laptop is on, as long as that network has
internet access.

If I lose the laptop, I can just revoke the key it uses to connect.

------
samuel1604
hey this is just a ruby wrapper to ssh -R or am I missing something ?

~~~
rw2-
Yeah. It's yet another newbie script hyped@HN. :-(

~~~
aphyr
Heh, point taken--I banged it out in 3 hours this morning. Though I must admit
laughing a little about being called a newbie! Not like I'm hard to find on
github or freenode... :-)

I only submitted because a.) it takes advantage of some non-obvious ssh
features I have to look up _every bloody time_, b.) friends have asked for
it, and c.) yesterday's front-page submission about theft made it seem apropos
to remind people how easy this is to accomplish.

~~~
kunley
Yeah but why Ruby? It's what shell scripting has been invented for :)

While I admit many looong shell monstrosities are better implemented in
something like Ruby, and I myself use Ruby as a scripting language of choice
for anything longer than one screen of text, this time looks like it's kind
of - excuse my language - overrubyism. I understand there's a tendency of
rewriting everything in The One Beloved Language and I'm a victim of this
approach myself occasionally. But seriously, this could be a shell few-liner!

Anyway thanks for advertising the idea of ssh -R tunnels, they are a neat
trick!

------
bcl
And how is this supposed to get launched when you've encrypted your laptop's
hard drive? ;)

------
dotBen
This is a great hack/proof-of-concept but for anyone remotely concerned about
the integrity of their data in the event of a theft, I can't recommend
something like PGP Whole Disk Encryption
(<http://www.symantec.com/business/whole-disk-encryption>) enough.

There are other options, including free ones on Linux, but for Mac I think
this is the best implementation.

With my laptop insured and my data unrecoverable the package gives me total
peace of mind.

------
rlpb
I wouldn't trust this for security reasons. You're relying on the "allow
everything except for what I thought of to lock down that an attacker might
do" principle, instead of the "deny everything except what I explicitly allow"
security principle.

For example: in addition to allowing you to tunnel into your stolen laptop,
you're also giving the thief permission (and the key) to use your server as a
proxy.

ssh can be locked down further than in your instructions, but I wouldn't rely
on it.
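
The lock-down this comment refers to, as an added example that is not part of the thread or of tund: a check that the relay's authorized_keys entry for the tunnel key permits only the reverse-forward listener. It assumes OpenSSH 7.8 or later (for `permitlisten`), the thread's FWD_PORT of 2222, and constructed sample entries with placeholder key material; `permitopen="localhost:1"` is an assumed way of pinning outbound forwards to a dead port, and `audit_tunnel_key` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: audit the authorized_keys entry that admits the laptop's
# tunnel key on the relay server. Port 2222 is FWD_PORT from the thread.

# audit_tunnel_key LINE PORT
# Prints one finding per line; returns 0 only when the key is limited to
# opening a reverse-forward listener on PORT.
audit_tunnel_key() {
    line=$1 port=$2 rc=0
    case $line in
        ssh-*|ecdsa-*|sk-*) opts="" ;;   # starts with key type: no options
        *) opts=$(printf '%s\n' "$line" |
               sed -E 's/ (ssh-|ecdsa-|sk-)[^ ]+ .*$//') ;;
    esac
    opts=",$opts,"   # comma-wrap so each option can be matched whole

    case $opts in
        *,restrict,*) ;;
        *) echo "no-restrict: pty, agent and X11 forwarding not disabled"; rc=1 ;;
    esac
    case $opts in
        *,permitlisten=\"$port\",*|*,permitlisten=\"localhost:$port\",*) ;;
        *) echo "no-permitlisten: listener is not pinned to port $port"; rc=1 ;;
    esac
    case $opts in
        *,permitopen=*) ;;
        *) echo "no-permitopen: outbound forwards via the relay unrestricted"; rc=1 ;;
    esac
    case $opts in
        *,command=*) ;;
        *) echo "no-command: key can run commands if the account has a shell"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample entries; the key blob is a placeholder, not a real key.
KEY='ssh-ed25519 AAAAC3PLACEHOLDER tund@laptop'
WEAK=$KEY
LOCKED="restrict,port-forwarding,permitlisten=\"2222\",permitopen=\"localhost:1\",command=\"/bin/false\" $KEY"

audit_tunnel_key "$WEAK" 2222 || echo "=> weak entry needs tightening"
audit_tunnel_key "$LOCKED" 2222 && echo "=> locked entry is clean"
```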

------
chrisbroadfoot
These seem to do the same (or thereabouts) thing:

<http://www.harding.motd.ca/autossh/>

<http://freshmeat.net/projects/rstunnel/>

~~~
leif
Not the same thing. This is meant as an initscript to set up a port forward,
autossh/rstunnel just watch an ssh connection you initiate and restart it as
needed. You could use autossh/rstunnel to implement this though.

------
borism
I have installed Adeona (<http://adeona.cs.washington.edu>) too previously,
but I don't exactly understand how will my laptop connect to the internet when
stolen?

~~~
aphyr
This tool won't handle the connection management for you. You could scan for
unsecured wifi networks periodically and connect to them. I'm just presuming a
thief will log into my laptop's passwordless account, and network-manager will
handle the rest.

~~~
borism
Well, disabling passwordless accounts is one of the first things I do with my
computer.

I wonder if there are scripts that will connect to unsecured networks, whether
it's a good idea and how good electronics thieves are at countermeasuring such
tools (which is pretty trivial).

~~~
aphyr
I should clarify: the passwordless account is a honeypot. It's isolated from
my personal account and everything important. The only point is to encourage
the attacker to use the computer instead of reformatting it, so I have a
chance of recovering the hardware.

------
rorrr
Is there anything like this for Windows? I already installed Prey and LogMeIn,
but there's no way to silently execute commands remotely.

~~~
Vivtek
I think you'd need to write your own shell-like daemon for Windows. I've
considered doing that for my home network just so I could use some of the
family's machines when they're away, etc. But since Windows doesn't come with
a real shell built in, rolling your own would be your only real recourse.

~~~
nitrogen
When I was in high school, people used a tool for Windows called Fictional
Daemon to get a remote telnet server that could access a command prompt,
start, stop, and list running tasks, etc.

