I'm a new user - very cool project, cool people so it seems, I like the stealthy tool, the idea, the functionality, I like the open source. Proprietary server, well ... that's life I guess. Great so far.
But my enthusiasm very quickly cooled down to subzero levels. When setting up Prey, all it asked was a login and password. Great for the average user. But considering the very intrusive features of Prey, I may want to have a say in what it can do. Instead, there is nothing you can opt in or out from, at least not for the regular user. Only expert tweaking could change that, so it seems.
Quickly looking at the source code - I might be wrong, and I've only spent a little time looking at it - I discovered even more worrying stuff. For example, the fact that the client agent also seems to have remote desktop/vnc/tunnel and terminal capabilities, which, if activated, effectively result in full control of every aspect of the device it is installed on. It further seems the only thing needed to gain access is the device key and API key, both of which are stored in Prey Inc.'s infrastructure and obviously on the device.
Full power is great if your device is stolen. But what if it's not? What would that mean 99.999% of the time it is sitting on your own desk instead? A giant security hole into your machine, waiting to be exploited?
Assume for a second that you have blind trust in the fine people running this project at Prey Inc., which I'm sure they are, and that they'll never covertly mess with your device. Great. But what if their infrastructure was hacked one day? What if they receive a gag order from government agencies? They'd have a highway straight into your device at zero effort and zero cost. And you would never know they were there.
Frankly, it's a trade-off I'm not willing to make currently. I'd rather encrypt my device as I do today and lose its value when stolen than leave a giant open backdoor on my device at any time.
I may consider installing it, but then again only after tweaking the sources or removing parts of it so as to limit its capabilities. And even then.
If you guys are serious about putting this on the market as a service, the least a regular user should be offered upon setup is a simple yet complete choice of all the agent's capabilities, which can be turned on or off: both the information it sends and the actions allowed. And that decision should only be stored on the client side, making sure the user has the final say in it, not the infrastructure. As a matter of fact, the software might currently be on a shaky legal footing in various countries due to the absence of this vs. privacy laws.
For example, a neat fix for this would be the use of an additional key for critical actions such as file wiping, vnc/terminal access, and so on. This key could then be generated and presented by the client installer only, and would be known only to the user of the device, not to Prey Inc.'s infrastructure. If the user then desires execution of such critical actions, the agent on the client side would only accept those when they are transmitted along with the correct key. A simple option to easily regenerate this key any time the user wishes would safeguard the cycle.
To sum up, to me it seems the basic flaw with this software is a well-known one: blind trust in the infrastructure and a total absence of infrastructure authentication. As such, it seems the first prey might be you...
Looking forward to your opinions, suggestions and workarounds.
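The user-held "critical action" key proposed above, as an added example that is not part of the original post and not Prey's own client or API. Action names (`wipe`, `vnc`, `terminal`), message fields and the 300-second freshness window are assumptions. One point the proposal leaves open is worth handling: if the raw key were transmitted along with the command, the infrastructure relaying that command would learn it. The example therefore has the user's side sign each critical command with an HMAC over the key, so the relay only ever sees a MAC, and the agent additionally rejects replays and stale commands, since a relay can store and resend anything it forwards. Key regeneration invalidates everything signed under the old key.

```python
"""Added example: a user-held key gating critical actions in a device agent.

Illustrative code, not the project's own. The relay (the vendor's
infrastructure) never sees the key: commands carry an HMAC, not the key.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed action names; the post only says "file wiping, vnc/terminal access".
CRITICAL_ACTIONS = {"wipe", "vnc", "terminal"}
FRESHNESS_WINDOW = 300  # seconds; assumed tolerance for clock skew and delivery delay


def generate_user_key() -> bytes:
    """Key generated on the device at install time and shown only to the user."""
    return secrets.token_bytes(32)


def _canonical(action: str, params: dict, ts: int, nonce: str) -> bytes:
    """Deterministic serialisation so signer and verifier MAC identical bytes."""
    return json.dumps([action, params, ts, nonce], sort_keys=True,
                      separators=(",", ":")).encode()


def sign_command(user_key: bytes, action: str, params: dict,
                 ts: Optional[int] = None, nonce: Optional[str] = None) -> dict:
    """User side: build a command carrying an HMAC instead of the key itself."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(user_key, _canonical(action, params, ts, nonce),
                   hashlib.sha256).hexdigest()
    return {"action": action, "params": params, "ts": ts, "nonce": nonce, "mac": mac}


class Agent:
    """Device side: non-critical commands pass; critical ones need a valid, fresh, unseen MAC."""

    def __init__(self, user_key: bytes, clock=time.time):
        self.user_key = user_key
        self.clock = clock
        self.seen_nonces: Dict[str, int] = {}  # nonce -> ts, pruned beyond the window

    def rotate_key(self) -> bytes:
        """The 'regenerate this key any time' option from the post."""
        self.user_key = generate_user_key()
        self.seen_nonces.clear()
        return self.user_key

    def accept(self, cmd: dict) -> Tuple[bool, str]:
        action = cmd.get("action")
        if action not in CRITICAL_ACTIONS:
            return True, "non-critical"  # ordinary reporting is out of scope here
        for field in ("params", "ts", "nonce", "mac"):
            if field not in cmd:
                return False, f"missing {field}"
        now = int(self.clock())
        if abs(now - int(cmd["ts"])) > FRESHNESS_WINDOW:
            return False, "stale"
        # Forget nonces too old to be replayed within the window anyway.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= FRESHNESS_WINDOW}
        if cmd["nonce"] in self.seen_nonces:
            return False, "replay"
        expected = hmac.new(self.user_key,
                            _canonical(action, cmd["params"], cmd["ts"], cmd["nonce"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cmd["mac"]):
            return False, "bad mac"
        self.seen_nonces[cmd["nonce"]] = int(cmd["ts"])
        return True, "ok"


if __name__ == "__main__":
    key = generate_user_key()
    agent = Agent(key)
    print(agent.accept({"action": "locate"}))          # not critical: passes
    cmd = sign_command(key, "wipe", {"path": "/home"})  # constructed sample command
    print(agent.accept(cmd))                            # accepted once
    print(agent.accept(cmd))                            # same message again: replay
```

The freshness check needs a reasonably correct device clock; the nonce set covers the case where the relay resends within the window, and the window bounds how long nonces must be remembered.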