How secure is Prey?

[X]

This website says not to use Prey, because people could intercept your communications and hijack Prey to run any code they want on your computer.  Is this true?  What are you doing to prevent vulnerabilities like this?  Getting my laptop stolen would suck, but getting it hacked would also suck.

[Drew Reece]

The issue he references is now at…
https://github.com/prey/prey-bash-client/issues/85

Which says it has been fixed & shouldn't happen on the 0.5.3 version, so install Prey & set it up as Sharph says & see if it still works.
https://github.com/prey/prey-bash-client/issues/85#issuecomment-641509

Don't install Prey if you are at all worried about it. I think there are probably more thieves than hackers in the world, so I think Prey is a reasonable precaution to use against theft.

Drew

On 21 Jul 2012, at 17:25, X wrote:

> This website says not to use Prey, because people could intercept your communications and hijack Prey to run any code they want on your computer. Is this true? What are you doing to prevent vulnerabilities like this? Getting my laptop stolen would suck, but getting it hacked would also suck.
>

> --
> ------------
> Want to help translating Prey to your language?
> Write us: transl...@preyproject.com
> ------------
> You received this message because you are subscribed to the Google
> Groups "Prey" group.
> To post to this group, send email to prey-s...@googlegroups.com
> To unsubscribe from this group, send email to
> prey-securit...@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/prey-security?hl=en_US?hl=en

[Mika Suomalainen]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 21.07.2012 23:26, Drew Reece wrote:
> The issue he references is now at…
> https://github.com/prey/prey-bash-client/issues/85
>
> Which says it has been fixed & shouldn't happen on the 0.5.3
> version, so install Prey & set it up as Sharph says & see if it
> still works.
> https://github.com/prey/prey-bash-client/issues/85#issuecomment-641509
>
> Don't install Prey if you are at all worried about it. I think
> there are probably more thieves than hackers in the world, so I
> think Prey is a reasonable precaution to use against theft.
>
> Drew
>
> On 21 Jul 2012, at 17:25, X wrote:
>
>>> This website says not to use Prey, because people could
>>> intercept your communications and hijack Prey to run any code
>>> they want on your computer. Is this true? What are you doing
>>> to prevent vulnerabilities like this? Getting my laptop stolen
>>> would suck, but getting it hacked would also suck.
>>>

You didn't reply to

```
2011-06-02: It's been suggested to me that standalone mode might be
safe to use. Standalone mode allows the same level of remote control
that the paid Prey server mode allows. Further, if you use this mode,
your API key is likely a zero length string, which means that the AES
key is predictably one value.
```

- --
Mika Suomalainen

NOTICE! I am on mobile broadband with very limited time, so I cannot
read emails very much.
The best time to contact me is probably weekends when I have better
connectivity with good luck.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Homepage: http://mkaysi.github.com/
Comment: gpg --keyserver pool.sks-keyservers.net --recv-keys 82A46728
Comment: Public key: http://mkaysi.github.com/PGP/key.txt
Comment: Fingerprint = 24BC 1573 B8EE D666 D10A AA65 4DB5 3CFE 82A4 6728
Comment: Why do I (clear)sign emails? http://git.io/6FLzWg
Comment: Please send plaintext instead of HTML. http://git.io/TAc0cg
Comment: Please don't toppost. http://git.io/7-VB3g
Comment: Please remove PGP lines in replies. http://git.io/nvHrDg
Comment: Charset of this message should be UTF-8.
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBCgAGBQJQC6FsAAoJEE21PP6CpGcoUMMQAMaP9vH9pmMLqnjSjFrdzwsb
lCcqB9JXKa1vsfhqQDbikXyHQ0eUwj4if5VHRceEeCQB+qXhE7Es4yxG7F9S5CGl
X99l2lOnb/rGk0M2SG6YBBNAwfiWKaHXdFl+ARqnb2hHf+2DC2MW7ogDtTsYGmcP
iT6IkzwGJckux0YpZ5xtS4FhrVAC6vW/wiwbQvNSARJnZ0GNjehVav5Or8ZvMVUO
xbTuFC0QO4+PXHgifzohJg8dOuLvsjB12zMYvAOxaflbEwjmR4xctRYmadwoQwYP
IiNk+hTyd1LNWUoJGqlK+3iDq3rk9BBYb4BFown7cL2KA4Gtfo7MiJbuWvwVitV+
WI7TCj0/G6raIi3XhojJjC5LUE0+8/izgYbbkLSxWisk5uc12DJAtwwLvkICpDkd
ETTSzlIhpWxmqjFLrNluW/AIxdh66F5A3K/jJCyqYqUopZuKvBWc6ouh++Kdi2eI
R0Tmn06IMaLyGEm4DzIgag2T4gO1xs6GegWTKEtCbQDvGE831y7M5Z7e0mta8C4R
ds+7v9OgL+dta/X+dnio5Ijj+7t3nRXK7FI8WZZ89vMKXbE1vZjZpVPsYv3A/h7P
heuWdAK3G/L4do+oAekirYGgb3sKlt32Sit2NcyTurTSK1PXvNIJ8zicDjunM+mT
pxlMBMZhIBzcbwMJusx9
=KP6i
-----END PGP SIGNATURE-----

[X]

On Saturday, July 21, 2012 4:26:13 PM UTC-4, Drew wrote:

The issue he references is now at…
https://github.com/prey/prey-bash-client/issues/85

Ok, but that response doesn't really inspire confidence.  One thing is fixed, but are there lots of others?
 

Don't install Prey if you are at all worried about it. I think there are probably more thieves than hackers in the world, so I think Prey is a reasonable precaution to use against theft.

Yeah, I think I agree, but I'm being careful.

On Sunday, July 22, 2012 2:45:02 AM UTC-4, Mkaysi wrote:

2011-06-02: It's been suggested to me that standalone mode might be
safe to use. Standalone mode allows the same level of remote control
that the paid Prey server mode allows. Further, if you use this mode,
your API key is likely a zero length string, which means that the AES
key is predictably one value.

I don't understand what this means.   Can someone explain?

[Drew Reece]

If you use your own server (standalone mode) instead of the control panel the issue you mentioned is less likely to allow remote code to be run on the machine in question. I think this may not be the case now though (there is a rails control panel that allows modules & actions to be configured in standalone mode).
https://github.com/prey/prey-standalone-control-panel

Standalone mode didn't allow you to change what the device did when missing, the modules & actions were basically fixed on the computer.

Drew