Notes on the AC-EMWIN Hacking
At his own admission later, the GARC member had at some previous point sat down at the server, located inside the GARC club's fenced cage on the 11th floor of the Dental Science Wing, and after using simple home-made batch file, was able to crack encrypted passwords in the system's Windows registry, allowing him access whenever he wanted. At about 12:30am, on February 14, 2009, he was then able to utilize the passwords that he had gleaned earlier to remote into the system that night. During that event, files containing Personally Identifiable Information (PII) containing names and telephone numbers had been accessed. It was done without any prior knowledge, permission, or authorization. I saw it happen with my own eyes that night, as I completely lost control of my mouse when I tried to remote access the system myself to make some adjustments to the software. It was a definite computer crime. I watched as he went into DOS, navigated and hunted through various subdirectories, and even accessed some files before I was finally able to kick him off. I then called UPD and filed a complaint. But UPD's subsequent bad handling ended up allowing the perpetrator (and others) post-crime access to all of the equipment and logfiles, and anything he so wished - which then led to the destruction that evidence, which prevented any chance of an investigation from occuring after that. During all of that, my key to the room was confiscated from me, and I was denied access to the room containing the EMWIN server and equipment. The perpetrator himself, because he worked in UF IT, was then assigned (by Faculty Administrator of the club, Dr. Jay Garlitz) to "handle" the gathering of the equipment for me. That should not have been allowed to happen. The perpetrator was the one being accused and regardless of what position he held inside UF, and also ESPECIALLY because of the position he held within UF, he should not have been allowed access. Then suddenly GARC started giving me a hard time about taking possession of the equipment back. They held on to it and threatened to give it to the Alachua County Office of Emergency Managament unless I signed a promise not to sue or file any complaints or charges. I tried to complain to UPD about this. They did nothing. You know what UPD told me? They actually told me that since the equipment didn't actually belong to the University of Florida and it was not "stickered" to the UF that it was thus not UPD's jurisdiction. (Every piece of equipment owned by the UF has a sticker affixed somewhere to it which contains an ID number that is logged by the UF. Mine had no such stickers affixed to it because the equipment did not belong to the UF - it belonged to Alachua County SKYWARN - and they were allowing us the use of our own equipment on UF property by prior permission.) But the idea that wasn't UF's responsibility is actually incorrect. Anything that happens on UF property is UPD's responsibility. Period. It's certainly not GPD's. GPD doesn't have any jurisdiction on UF property. Neither does ASO. It was a total guess on the part of one of the officers who had said that to me, and it was wrong. And once voiced it was picked up by every other officer in the room. In actuality, this thought violated due process. It prevented our ability to have the crime investigated, to have evidence gathered, to find out who did it, and to render any justice. With UPD brushing off responsibility, this effectively put the responsibility into no one's hands then, while blocking all other possible entities (such as GPD) from involvement by flying their flag of jurisdictional territoriality over it. And that wasn't right. The officers offered no additional information was offered to clue me in as to who then did have actual "justidiction". As far as they were concerned, this was a done deal. It was over. That was that. ...And it was wrong. At that moment, UPD and the University of Florida had became responsible and liable for a sabotaged case...whether they like that description or not. The University Police Department was negligent in the handling of the case. After all of that, I removed the equipment to a location where I could keep a better eye on it, myself. At first it was removed to my own home. Later it was placed at a different location which had a backup generator and a second backup Internet line in case the satellite downlink and/or the primary Internet ingest failed. On the day that the equipment was being removed from the DSB rooftop, the perpetrator actually admitted to me that it was indeed he who had broken into the system that night, and with a hint of sadistic joy, and making a point to stare straight into my eyes, he even repeated back four of the passwords that we had rotated the system through over the past two years. My jaw dropped. He was obviously quite very proud of himself. I was standing there on the top of the Dental Science Building rooftop with this guy standing right next to me while I stood just a couple feet away from the railing which prevented a 163-foot fall and suddenly I began to realize that and I shiver went up my spine. I stepped away from it and stood putting him between me and that railing. This is a guy who once pretended to me my friend, and now he was turning on me in a sinister way, and whom I now realized he was making NO attempts anymore to hide it, and who was openly admitting to crimes he had just committed. I no longer trusted him now with his veil removed. I suddenly began to see him as a very dark-hearted soul. And now in fact, he scares the living hell out of me. Meanwhile, I was shocked at the Gator Amateur Radio Club's lack of concern, help, or any serious response. I used to work with these people. And now that I'd started an investigation into one of their members, they'd turned on me. They had deliberately interfered with a criminal investigation. ...As did UPD, apparently as a favor. The officer in charge of my complaint was Michael Metz. On later attempting to file a complaint with UPD's IAD department about the handling and in describing what had happened over the phone, they told me that they saw nothing wrong in what Officer Metz or any of the involved officers had done, and that they would likely call my complaint "unfounded" if filed. So there was no point in even filing. The perpetrator was Jeffrey Donald Capehart, W4UFL, who at the time was actually the President of both the Gator Amateur Radio Club AND of the Gainesville Amateur Radio Society. Jeff and his wife Susan Tipton both had prior past histories. In the mid-80s, the two, along with three other male friends, had hacked into the UF's IFAS computer system before. So they were ex-cons with a criminal history of this kind of stuff. On that day on the DSB rooftop, on asking him why he had done that, Jeff yelled back that I wouldn't do what he wanted. Actually, what he wanted wasn't possible with the software at the time. And really there was just no obligation to do anything for him, anyway. (I remember that Jeff had been pushing me to make adjustments to make the system do...something...which I can't now remember. But at that time, it wasn't possible to do those things and I'd discussed it with the software author even, and even he told me it asn't possible to do that yet Maybe in the future, but that he had otehr more important things to take care of before he could get to that. I remember that I'd tried to explain this to Jeff...numerous times. He wouldn't listen to me. He refused to believe me and insisted that I was just being lazy and refusing to cooperate with him. I asked him to download the software himself and try it himself so that he would understand. He wouldn't. It's all besides the point, though. Because at the time, Jeff's Asst. Coordinator status had been personally removed by me some two years earlier for insubordination and for causing repeated problems - especially with how he incites people to bully me, and to stalk my friends. So he was not part of the program anymore. The system did not belong to him. He thus did not have any right, permission, or authority to be accessing that system for any reason whatsoever. It was password-protected - in the remote access software, at the desktop level, and at the EMWIN server software level. He utilized means to bypass all of the security systems to gain unauthorized access to everything, during a time when he thought everyone would be asleep and wouldn't know. I later discovered that whenever he'd access the GARC radio room, he'd sit down at the EMWIN server where he'd turn on the Windows Remote Desktop radio button to give himself a back door in whenever I'd lock him out using every other means. I remember turning it off numerous times in previous months. I thought it was me. I'd turn it off. He'd just go back to the club station later and sit down at the computer and turn it right back on again. I had no clue he was doing this. It would happen months apart...with enough time to make me question, "Hey. Didn't I turn that off already?" Everything he had done was done with calculation, planning, and aforethought, and it was most definitely not an "accident". He did it using disguised, surreptitious methodology. On complaining to UPD, to protect Mr. Capehart, Faculty Advisor Dr. Jay Garlitz interfered with the investigation by implying to UPD investigators that I was a "problem" and that Jeff was actually innocent and had done no wrong. Dr. Garlitz actually had no real proof to substantiate this. He'd pulled it out of his ass. On his word alone (and his title, apparently), UPD believed the Faculty Advisor over the complainant, and pretty much abandoned the investigation after that. The keys to the club room were then taken away from me, preventing access by me or anyone in Alachua County SKYWARN to our own equipment, while at the same time allowing the perpetrator and anyone else uninhibited, unsupervised access to the scene of the crime and to the hacked equipment. With the criminals now having unfettered access to the scene and the evidence, and the owners having been denied access, the investigation was irreparably damaged. The entire case was utterly destroyed by interference on the part of GARC, and an unbelievable amount of irresponsibility on the part of UPD. Later, we even had to fight to get our own equipment back because in the meantime the Alachua County Office of Emergency Management had heard about the situation and, at the request of another ham operator who suggested to Dave Donnelly that they obtain the equipment for use in the new Alachua Co. Office of Emergency Management's ham radio club, ACOEM then sent an email to the GARC Faculty Advisor demanding that GARC hand the equipment over to them. But the equipment didn't belong to either of them. On threat of a lawsuit by Alachua County SKYWARN, and a criminal investigation of ACOEM's illicitly-attempted policy to use the power of it's name to intimidate and bully an organization into turning equipment over that didn't belong to them (as well as a concurrent attempt to ussurp the name of that organization from underneath it, which is discussed elsewhere), and a threat to take it to TV-20 News, David Donnelly suddenly backed down and recanted his demand. But before we could go and get our equipment back, GARC refused us access until we signed a promise not to sue written up by UF lawyers. In other words, our equipment was held hostage (a "duress") and we would not be allowed access to it - until we signed the document. So I signed. They still owe us 200' each of 9913 coax and RG-8U, and a Cushcraft 4-bay antenna that goes with our 50-watt transmitter. That's hundreds of dollars worth of stuff. I took what we could get and got the hell out of there. And I suspect, that's exactly what they wanted. It was a time of great shock, disappointment, and disillusionment - in people who were supposed to be there to protect and serve; in people who were supposed to be the best leaders and examples in a good cause; in people who were supposed to know better. |