Hello All,

Just wondering if there'd be any interest in a lojack-like app for Maemo that could assist in recovering lost/stolen tablets?

Here's what I'm thinking it would need-
1. A centralized web server that users can register on and report their tablets as missing/stolen. The same server would receive data from said tablets and forward it to users via email, SMS/MMS or web interface.
2. A daemon that runs on the tablet and if tablet is reported missing, forwards data to the web server.

Here's how it might work-
1. Users register on website. If the lose their tablet or it is stolen, they log in to the website and report tablet as MIA.
2. Daemon periodically (i.e. several times a day or upon connecting to Internet) checks the website to see if the tablet has been reported as MIA by owner. If so it triggers the daemon to periodically attempt a location fix (for n810) and take periodic snapshots with camera when tablet is being used. Then IP address, MAC address of tablet(for ID), location data and pictures are forwarded to webserver whenever tablet is connected to Internet.
3. Webserver receives data and logs external IP address data was received from, gets a rough location of the tablet via that external IP and notifies the user via email/SMS/etc. that their tablet is reporting in.

That's a very simplified outline and security (perhaps via RSA key?) would need to be added to prevent abuse. But it might be kinda cool. One would not only know where their tablet was but also who was in possession of it. (Or at least what they look like...)

Anyone with ideas please post back. I may start working on this soon if I've the time. Most of the code is already out there. My only real concern is that if not designed properly it could be abused by a third party.

Cheers,
kernelpanic

That sounds interesting, Kernelpanic.

I wonder how many thieves would simply reflash the device. (I guess you could have this installed as part of a major 3rd party library with 3rd party (opt-in community) apps enforcing it as an install.)

But hey - it'd definitely catch out the non-tech savvy bunch!

Dude, I'd definitely be interested

If you have a linux computer, you don't even need to reflash

I figured out how to retrieve the lock code thanks to a post on here and it's very easy to disable the lock code prompt on startup.

kernelpanic... I wouldn't mind helping out with the web front-end. That'll take the load off you. And I've got a server online anyway. PM me and we'll discuss further

Of course a reflash would circumvent this. However I still think this would be effective as-
1. Tablets, like cellular handsets are small and easy to steal. Most thefts of such devices are either crimes of opportunity, or are committed by someone who knows the owner. (In which case even one picture from the camera would be priceless)
2. Even if the thief is tech-savvy enough to reflash the device, unless they immediately turn it off there will still be a window of opportunity to recover the device or at the very least gather evidence that could be given to the police. All they have to to is yield to the temptation to play with it online ONCE. By the time they realize that it's got someone else's stuff on it and decide to reflash it you've got them.
3. It's unlikely that the thief would steal such a device then keep it. More likely it would be sold to a third party that may not even know it was stolen and hence would have no reason to reflash.

As an aside- I've known several people who have had their cell phones stolen in a restaurant or other public place. In almost every case, they called their number and the thief actually answered! Mostly they either soon hung-up or they taunted the owner of the handset. One friend had her phone stolen in a bar and after calling her number (from my phone) was actively taunted in this way over and over (i.e.- the thief called back to laugh at her more.) We went and found a cop, then she called her number from my phone and let the officer listen. Then she let the cop talk to the thief. Strangely enough he was able to B.S. the thief into thinking they would be caught(call tracing, e911, cooperate and I can help you, don't and you'll be a felon soon...), the thief met the cop and my friend, returned the phone and the officer arrested the thief (a drunken college girl) on the spot. Total time my friend was without her phone- 2.5 hours!

A relative (who shall remain nameless) had his phone stolen, called his number and the thief actually met him and returned the phone (after having made several international long distance calls to Mexico).

The point I'm making here is that crime is mostly caused by two things- youth and stupidity. Most people who know what an IT is and how to flash it already own one(or more). They would be far more likely to pick it up and baggy-pants you, then put it down right where they found it...

Yeah I noticed that also. Though a 4 digit lock code is easy to brute force by hand anyway. But one could get a lot of nice pics in the time it took to do so.

As I said, if I have time I'll code some of this, play with it, and see what happens. I just thought it was a neat idea.

cheers,
kernelpanic

auyongtc,

That might work for development/testing. But for an actual working service, it would have to be a commercial service set up as a company or Corporation that is Bonded/Insured, in a country with adequate privacy laws, that can offer REAL assurances of privacy to users. (This is due to the security implications of such an app. Without technological and legal protection IT user could be surveilled.)

If you are interested in helping develop the front-end, I'm all ears. But I'd rather keep the discussion public for transparency's sake.

I think we need to design the system so that a user would need to have a password protected RSA key that not even we knew on the server side. The daemon should be open source to prevent backdoors and should not start monitoring unless it receives a properly signed message to do so.

That way, whomever runs the server can't use the daemon to spy on the user or be forced to do so by a third party. The idea being that the user shouldn't have to trust the intent of the service provider. (as is currently the situation with services like On-Star, which HAS been used to spy on people.)

As I said, it's a neat idea, but if it can't be done in a way that assures privacy to the end-user I'd rather sh**can it.

cheers,
kernelpanic

Great idea. If all you want is for the tablet to 'call back' with whatever its current ip is, I think it can be implemented as a unique web address, and have the page opened\refreshed via widgets. This should be quite easily implemented on any platforms, maybe even hidden in an RSS app (have it load a unique feed.xml which you can get access information from).

But to fully utilize the platform, why not give the RED ALERT option (however it's triggered, maybe via a timer or a 'switch') that takes picture thru the webcam, take the location via GPS, do a wifi scan, bluetooth scan and email the package back to you?

Since a tablet is generally going to access the Internet from behind a firewall or AP of some sort, it has to initiate the connection for sure. The server side must log and trace the external IP to maximize useable info.
If you read my previous posts above you'll see that's exactly what I was thinking, except for the email. I'd much rather see this info sent encrypted to the main server. The server can then email a copy of the data to the user should they wish, or they could get it via web interface. (IANAL but email has chain of custody issues that could prevent data received that way from being used in court. A bonded insured legitimate company that receives data directly from the stolen device and saves the entire TCP/IP exchange verbatim including traceroute, etc. would be better.) My main concern is the 'trigger' As I posted previously, I think that PKI is the way to go. That way only the user can trigger 'find-me' mode by signing a message with their private key which then waits on the server for when the tablet next checks in. This would be to prevent the operator of the server activating the daemon without the user's consent. On the daemon side most of the code is trivial. But security of the authentication handshakes and trigger mechanism is crucial to a successful service and prevention of abuse. It is MANDITORY that the server not have access to the user's private key so as not to be able to activate the daemon without user consent. It is also MANDITORY that the privacy policy of the service be such that any data gathered during the course of normal check-in not be cached OR shared with any third party AT ALL. It is MANDITORY that the daemon be open-source to assure users there's no 'back-door' into their tablet that could allow abuse.

Still, though there are some real non-trivial privacy concerns to address, I'm starting to get inspired here...

As for the actual triggers and such. Once reported stolen The tablet should take a picture periodically when it senses it is being used and should stop when it is not. If reported lost or stolen it should try to get a GPS fix on a schedule and if GPS is started by the 'thief' or person in possession it should log it. It should also try to connect aggressively to any unencrypted Internet connection it can to phone home and ignore normal WLAN connection settings also on a schedule.

cheers,
kernelpanic

p.s.- I was thinking of calling this I.T. Phone Home, but PC and Mac phone home would sue the pants off of me (Not to mention Spielberg, Ouch!). So for now this project will have a working name of Sheep Dog It will likely not be a garage project, at least until there's a working framework in which any privacy issues have been worked out and tested.