Installation Instructions for VUWER

(Secure Copy Data Delivery – Installation Option 2)

 

Option 2 is recommended strictly for advanced users.  If you’ve used the Terminal application on your Mac, are familiar with software such as SSH and SCP, and understand concepts such as firewalls, port forwarding, and dynamic DNS, then you can probably follow this procedure without difficulty.  The main advantage of Option 2 is that you can transfer data much faster via SCP than email.  If your laptop is stolen, it is possible to receive a screen shot every minute, and have a complete minute-by-minute record of what the thief is doing with your computer.  Another advantage is increased data privacy, assuming you own or control the remote computer that VUWER uses.

Unlike Option 1, no VUWER web page or email account is required.  The VUWER control file is placed on a remote computer account, and all files generated by VUWER are uploaded to that same account.  In many respects, this results in a faster and more secure system, but the disadvantage is that the configuration of that remote computer account requires a much greater degree of technical expertise.  Unless you consider data privacy to be paramount (in other words, you don’t want Dropbox to store VUWER screenshots and Facetime images), you should consider using Installation Option 3 instead, which provides similar functionality with much greater ease of use.

 

Part I – VUWER Remote Account Setup

VUWER requires an account on a remote computer configured to control VUWER and receive files from your laptop.  This remote computer does not have to be another Mac, as long as it supports secure shell login (SSH) and secure copy (SCP), and can be accessed over the Internet.  Any networked computer running Linux, UNIX, Solaris, or some other UNIX-like operating system should work fine.  However, the following procedure assumes that the remote computer is another Mac.

 

•  The Remote Account

Depending on your circumstances, setting up the remote account may be the trickiest part of the VUWER installation.  In general, there are four different approaches you can consider for the remote account:

(1)    You can purchase access to an online account on a remote UNIX system.  Make certain that your account supports SSH and SCP, and has sufficient disk space (at least 500 MB) to be usable with VUWER.  This option costs money, but you’ll be able to access your account from almost anywhere in the world.  One excellent remote system is the SDF Public Access UNIX System.  For a small one-time fee, you can purchase an ARPA member account that provides access to SSH and SCP, and is fully compatible with VUWER.

(2)    You can talk to the IT support people at your school or place of business, and see if they can set up an account for you.  If enough people with Mac laptops ask to install VUWER, your IT department may choose to dedicate a specific computer to hosting everyone’s remote account.

(3)    You can set up the remote account on a second computer that you personally administer, e.g. a home computer or office computer.  The drawback to this option is that you may need to learn details such as how to configure your router, or how to install dynamic DNS software, in order to access the remote account from the Internet.  If you’re not sure what to do, you may want to get help from someone with a better understanding of computer networking.

(4)    If you don’t have access to a second computer, find a friend or colleague who also has a Mac laptop, and configure each of your Macs as the remote computer for the other person’s machine by creating accounts for each other.  As long as you both keep your VUWER activation passwords secret, you will not be able to spy on each other without permission.  If your laptop is stolen, all you have to do is phone your friend, tell him your VUWER activation password, and have him connect his laptop to the Internet.

You’ll need to create a non-administrative (standard) account on the remote computer.  Do not use an existing personal account (if any) or an administrative account for this purpose.  Create a new account instead, and use a strong login password for it.  On a Mac, this account can be created using the Accounts pane under System Preferences.  You can find instructions for this procedure by typing “Create a New User Account” using the Help menu in the OS X Finder.

IMPORTANT:  If the remote computer is a Mac, OS 10.5 and above offers you the option of activating a special “sharing only” guest account.  This special guest account will not work for VUWER, as all user data is deleted on it after logout.  You need to create a standard account as explained above.

 

•  Installing a Dynamic DNS Client on the Remote Computer

 (Note: The following section assumes the remote computer does not have a static IP address.  If it does, you can skip this section, and use the existing static IP address for the VUWER installation process.)

The next step of Installation Option 2 is to configure the remote computer so that you can dynamically track its IP address.  To do this, you must install dynamic DNS client software on the remote computer, and then register it with a dynamic DNS service.  (One popular free dynamic DNS service is FreeDNS, although paid services like Dyn DNS are also common.)

Here’s how dynamic DNS works:  every computer accesses the Internet through a router or modem with a specific numeric IP address.  In turn, Domain Name System (DNS) servers are used to assign a particular domain name (e.g. cnn.com) to a particular fixed IP address (or block of addresses).  The problem is that the IP addresses of many computers do not remain fixed, but instead are dynamic (constantly changing) as ISPs refresh router or modem connections.  This is particularly true for most cable modem connections.  If you want to remotely connect to a computer with a dynamic IP address, you have to somehow determine that IP address first.

A dynamic DNS client solves this problem by configuring the remote computer to determine its IP address and forward that information to a central dynamic DNS server.  In turn, the dynamic DNS server can associate a custom domain name (e.g. mylaptop.afraid.org) with that computer, no matter how often the IP address changes.

To configure the remote computer, first register for a free account at FreeDNS.  Next, download and install the appropriate FreeDNS client software on the remote machine.  (You’ll need administrative access to do this.)  The client will run as a background process and automatically communicate with the FreeDNS server.  You can then log in to your FreeDNS account over the web and see the IP address that is being reported by the client.

 

•  Activating SSH on the Remote Computer

The next step is to activate the SSH protocol on the remote computer, if it is not already available.  In OS 10.5 and above, this is accomplished by checking the Remote Login box under the Sharing panel of System Preferences.  (You’ll need an administrative password to do this.)  If necessary, SSH access can be limited strictly to the standard account created for VUWER, instead of all accounts on the remote computer.

If the remote computer is connected to the Internet behind a router with a hardware firewall, you’ll need to open TCP port 22 (or whichever port you are using for SCP / SSH) on that device as well, so that an outside SSH connection can reach the remote machine.  This procedure will vary depending on the type and manufacturer of the router, and is beyond the scope of this documentation.

 

Fig. 1.  Activating Remote Login via the Sharing panel.

 

Once you’ve installed the dynamic DNS client and enabled SSH on the remote computer, you should confirm that your laptop can connect to it.  (For the following example, the remote account is called lapmon, and it’s located on the remote machine zzzzz.afraid.org.)  Take your laptop somewhere outside of the network in which the remote computer resides, connect to the Internet, start the Terminal application in the Utilities folder, and use the SSH command as shown:

 

 

Priscilla:~ holman$ ssh lapmon@zzzzz.afraid.org

Password:

Last login: Sun Jan 20 13:22:05 2008

[zzzzz:~] lapmon%

 

(Note that if you’ve never connected your laptop to the remote machine via SSH before, you’ll be prompted to verify the remote computer’s host key fingerprint the first time you log in.  Just answer “yes” at the prompt and you’ll never need to do this again once VUWER is installed.)

Once you successfully connect to the remote account, type ‘exit’ to log out from SSH.  If you are unable to connect, you’ll need to find out why, and correct the problem, before you move on.  It may be possible that the remote computer’s ISP is blocking the port normally used for SSH connections, and in that case you may need to configure a different port for SCP / SSH, or find another machine you can use on a different network or ISP.

 

Part II – Installing VUWER

 

•  Configuring the Remote Account

The next step in the installation process is to configure the remote account you’ve just created.  The following procedure will create and transfer an SSH key to the remote account, and place the VUWER control file (named vuwercontrol.txt) in a folder named after your computer.  (Your computer’s name can be found in the System Preferences panel under Sharing.)

 

In general, this configuration process only needs to be performed once.  If you are upgrading an older VUWER installation, or re-running the VUWER installer to change the program settings, you can skip to the “Installing the VUWER Application” section.

 

(1)   Download the VUWER disk image to your laptop.  Double-click the VUWER.dmg file, and a disk image will mount on the desktop.  Double-click and run VUWER Setup.app.

 

 

(2)   The first two screens show the copyright notice.  By clicking “Agree”, you agree to the usage and distribution terms for VUWER.

 

(3)   Choose the “Run SSH/SCP setup” option.

 

(4)   If VUWER detects an existing SSH key, it can be re-used for a new installation.

 

(5)   By default, SSH and SCP use port 22.  If the remote computer uses different ports, you can specify them here.

 

(6)   Enter the IP address and user account name for the remote VUWER account (in this example, stumpy.vuse.vanderbilt.edu and vuwermonitor, respectively).

 

(7)   Enter the password for the remote VUWER account.

 

 

(8)   VUWER will activate the Terminal application if it is not already running.

 

(9)   Confirm that the secure copy operation was successful, and that no error messages appear in the Terminal window.

 

(10)       The Terminal window should show that you have successfully logged in to the remote account.

 

(11)       You may prefer to delete the existing SSH directory on the remote account, which will ensure that only your computer can access it without a password, but this is not required.  If you intend to control more than one computer via the remote account, then you should keep the directory.

 

 

(12)       Enter your administrative password to complete the SSH account configuration.

 

(13)       You’re now ready to install the VUWER application on your computer.

 

 

 

•  Configuring the Remote Account Manually

If the previous configuration procedure fails for any reason, the remote account can be manually configured instead.  Note that most of the following commands will require sudo or root access:

 

(1)   Check to see if the SSH key files /usr/bin/.vuwer_dsa and /usr/bin/.vuwer_dsa.pub already exist.  If not, create a new key by typing the following (note that -P is followed by two single quotes):

 

ssh-keygen -t dsa -P '' -f /usr/bin/.vuwer_dsa

chmod 644 /usr/bin/.vuwer_dsa

 

(2)   Use secure copy to transfer the SSH public key to the remote account (note that remotecomputeraccount and remotecomputeraddress must be replaced with the account name and address of your remote computer):

 

scp /usr/bin/.vuwer_dsa.pub remotecomputeraccount@remotecomputeraddress:tempkey

 

(3)   Log in to the remote account via SSH and add the new SSH key to both authorized keys files:

 

cat tempkey >> ~/.ssh/authorized_keys

cat tempkey >> ~/.ssh/authorized_keys2

 

(4)   From the main directory of the remote account, create a subdirectory and the VUWER control file within it.  The subdirectory should have the same name as your computer name, except that all spaces or characters other than a-z, A-Z, 0-9, -, and _ are replaced with an underscore.  For example, if your computer is named Tim’s MacBook then enter:

 

mkdir Tim_s_MacBook

echo 15 360 15 15 ok > ~/Tim_s_MacBook/vuwercontrol.txt

 

(5)   Concatenate the local ~/.ssh/known_hosts file for your current account to the global /etc/ssh_known_hosts file.  This will allow all other user accounts on your computer to connect to the remote account.  For OS X versions 10.10.x and earlier, use the following commands:

 

cat ~/.ssh/known_hosts >> /etc/ssh_known_hosts

cp /etc/ssh_known_hosts ~/.ssh/known_hosts

 

For OS X versions 10.11 and later, use these commands instead:

 

cp /etc/ssh/ssh_known_hosts ~/.ssh/vusshtemp

cat ~/.ssh/known_hosts >> ~/.ssh/vusshtemp

cp ~/.ssh/vusshtemp ~/.ssh/known_hosts

cp ~/.ssh/vusshtemp /etc/ssh/ssh_known_hosts

rm ~/.ssh/vusshtemp

 

 

•  Installing the VUWER Application

 

(1)   Choose the “Install / re-install / upgrade VUWER” option.

 

(2)   Type in your administrative password to begin the installation.

(3)   Select Installation Option 2.

 

 

(4)   If you haven’t performed the SSH/SCP setup for the remote account (see previous section in this documentation), stop and do it now.

 

 

(5)   VUWER setup will use the previously stored configuration (if one exists) unless you specify the default configuration instead.  Note: If you are installing VUWER for the first time, you will get a warning message that the configuration file does not exist, and VUWER will automatically use its default values.

(6)   SCP should use the port number that you specified during SSH/SCP setup.  However, you can change it here if necessary.

 

(7)   Enter the IP address and user account name for the remote VUWER account (in this example, stumpy.vuse.vanderbilt.edu and vuwermonitor, respectively).

 

(8)   Test the SCP connection to confirm that it works.  If it fails, make sure that you entered the remote account name and computer address correctly.

 

(9)   Next, you have the option to turn on VUWER desktop notifications.  As long as VUWER is in standby mode, you will see a brief desktop notification every time VUWER updates its status, even if you log out of the VUWER Dropbox account.

(10)       Enter a password to activate VUWER in case your laptop is stolen (the default value is ihavebeenstolen).  The password should not contain spaces or quotation marks.  Don’t use the same password you use for your email, or for the administrative account on your laptop.

(11)       If you want VUWER to capture iSight/FaceTime camera images, click “Yes” on this window.

 

(12)       VUWER will save a test image to the desktop to confirm that the camera is working.

(13)       You have the option of setting VUWER to transmit a set of images and IP geolocation data at every login.  I personally recommend this, as it might get you at least one image of a thief before you realize your laptop is stolen.  Furthermore, this option will help confirm that VUWER continues to function properly.

 

(14)       If you have not previously done so, you can now enable various user accounts on your computer to run VUWER.  (You can enable or disable user accounts from the main menu at any time.)

 

(15)       Set the enable / disable status of the user accounts on your computer, then click ‘Done’.

 

(16)       You must log out, then log in, (or restart) to complete the VUWER installation process.

 

•  Completing the Installation

Restart the computer (or log out and then log in to the user account), and VUWER should now be running.  If VUWER is working properly, the vuwerstatus.txt file (located in the remote account folder with your computer’s name) should be updated within a few minutes.  Click here for more information about testing and using VUWER, and for more detailed information about setting values for the control text string.  This page provides information about VUWER geolocation, and the format of the image and data files created by VUWER.

(a)  To test VUWER after installation, “15 15 15 15 ok” can be used to tell VUWER to check the web page every 15 minutes, and update the vuwerstatus.txt file every 15 minutes.

(b)  During normal operation, “15 360 15 15 ok” tells VUWER to check the web page every 15 minutes, and update the vuwerstatus.txt file every 360 minutes.  For a desktop computer that is always left turned on, “15 1440 15 15 ok” sends a status update once a day, while “15 10080 15 15 ok” sends an update once a week.

(c)  If your laptop is ever lost or stolen, “5 5 15 15 ihavebeenstolen” tells VUWER to send a screen capture image every 5 minutes, a camera image every 15 minutes, and IP geolocation information every 15 minutes to the remote account.  (Replace ‘ihavebeenstolen’ with whatever activation password you chose during installation.)

(d)  Once you have some good photos of the thief, “5 5 60 60 ihavebeenstolen” sends camera images and IP geolocation data only once an hour (so the thief is less likely to notice the blinking camera light), but a screen capture image every 5 minutes.
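
The folder-naming rule from step (4) of the manual configuration and the control strings in (a) through (d) can be checked before anything is written to the remote account.  The following shell script is an added example, not part of VUWER or of the original instructions; its function names are hypothetical.  It assumes that a multi-byte character in the computer name counts as one character, and that the second field sets the screen-capture interval once VUWER is activated.

```sh
#!/bin/sh
# Added example, not VUWER code; the function names are hypothetical.

# Folder name for a computer name: every character outside a-z, A-Z, 0-9,
# "-" and "_" becomes one underscore. Assumption: a multi-byte UTF-8
# character (a curly apostrophe, say) counts once, so its continuation
# bytes (octal 200-277) are dropped before the replacement.
vuwer_folder_name() {
    printf '%s' "$1" | LC_ALL=C tr -d '\200-\277' \
                     | LC_ALL=C tr -c 'A-Za-z0-9_-' '_'
}

# Check a control string: four intervals in minutes, then "ok" or the
# activation password. Prints a summary, or an error with status 1.
vuwer_check_control() {
    case $1 in
        *\"*|*\'*) echo "error: quotation mark in control string"; return 1 ;;
    esac
    set -f; set -- $1; set +f   # split on whitespace, no filename globbing
    if [ $# -ne 5 ]; then       # a password with a space adds a sixth field
        echo "error: expected 5 fields, got $#"; return 1
    fi
    for n in "$1" "$2" "$3" "$4"; do
        case $n in
            ''|*[!0-9]*|0*) echo "error: bad interval '$n'"; return 1 ;;
        esac
    done
    if [ "$5" = ok ]; then
        echo "standby: check every $1 min, status update every $2 min"
    else
        # Assumption: field 2 is the screen-capture interval once activated.
        echo "activation: screen every $2, camera every $3, geolocation every $4 min"
    fi
}

# Step (4) in one call: $1 = remote account home, $2 = computer name,
# $3 = control string. Nothing is written if the check fails.
vuwer_write_control() {
    vuwer_check_control "$3" >/dev/null || return 1
    dir=$1/$(vuwer_folder_name "$2")
    mkdir -p "$dir" && printf '%s\n' "$3" > "$dir/vuwercontrol.txt"
}

# The page's own strings and computer name, run through the checks.
for s in "15 15 15 15 ok" "15 360 15 15 ok" "5 5 60 60 ihavebeenstolen"; do
    vuwer_check_control "$s"
done
vuwer_folder_name "Tim’s MacBook"; echo
```

Because "/" and "." are also replaced by underscores, a computer name cannot place the control file outside the remote account's home directory.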

The same VUWER remote computer can be easily shared in situations where multiple laptops must be monitored and controlled, just by creating a separate standard account for each laptop.  Alternatively, multiple laptops can be monitored and controlled from a single VUWER remote account, since each laptop has its own separate folder.  However, managing multiple computers from one account presents an elevated security risk, since a clever thief who learned about VUWER could possibly erase the control and data files for multiple laptops, instead of just the one he had stolen.  While this is probably not a likely scenario for the average laptop thief, it is a risk that should be kept in mind.

 

Part III – Securing Your Computer

Once VUWER has been installed and tested, your last task is to secure your laptop.  At the very least, you should create a firmware password for your computer (by default it does not have one) so that a thief cannot erase the internal drive and remove VUWER.  If you want to protect your personal data, you should also add a guest account for the thief to use, and use a login password for your personal account.

Click here for more information on how to set a firmware password, create a guest account for your laptop, and implement password protection for your personal account.

 
