Notes on the AC-EMWIN Hacking
At the culprit's own admission later, the GARC member had at some previous point sat down at the server, located inside the GARC club's fenced cage on the 11th floor of the Dental Science Wing, and after using simple home-made batch file, was able to crack encrypted passwords in the systems registry, allowing him access whenever he wanted. At about 12:30am, on February 14, 2009, he was then able to utilize the passwords that he had gleaned earlier to remote into the system that night. During the event, Personally Identifiable Information (PII) containing names and telephone numbers had been accessed. It was done without prior knowledge, permission, or authorization. I saw it happen with my own eyes, as I completely lost control of my mouse that night when I tried to remote access the system myself to make some adjustments to the software. It was a definite computer crime. I watched as he went into DOS, navigated and hunted through various subdirectories, and even accessed files before I was finally able to kick him off. I then called UPD and filed a complaint.
But UPD's subsequent bad handling ended up allowing the criminals post-crime access to the equipment and logfiles, and anything they so wished - which then led to the destruction of evidence, and destroyed any chance of an investigation from occuring. You know what they told me? Thay actually told me that since the equipment didn't actually belong to the University of Florida and it was not stickered to the UF that it was thus not UPD's jurisdiction. This is actually incorrect. Anything that happens on UF property is UPD's responsibility. It's not GPD's. GPD doesn't have jurisdiction on UF property. Neither does ASO. It was a total guess on the part of one of the officers, and it was wrong; and once voiced it was picked up by every other officer in the room. In actuality, this thought violated our due process. It violated our ability to have the crime investigated, to have evidence gathered, to find out who did it, and to render any justice. With UPD brushing off responsibility, this effectively put the responsibility into no one's hands then, while blocking all other possible entities from involvement by flying their flag of territoriality. And that wasn't right. No additional information was offered to clue us in as to who then had "justidiction". As far as they were concerned, this was done. It was over. That was that. ...And it was wrong. At that moment, UPD and the UF became responsible/liable for a sabotaged case.
After that, we were forced to remove the equipment to a location where we could keep a better eye on it, ourselves. At first it was removed to my own home. Later it was placed at a different location which had a backup generator and a second backup Internet line in case the satellite downlink and/or the primary Internet ingest failed.
On the day that the equipment was being removed from the DSB rooftop, the perpetrator admitted to me that it was indeed he who had broken into the system that night, and with a hint of sadistic joy even repeated back four of the passwords that we had rotated the system through over the past two years. My jaw dropped. He was obviously quite very proud of himself. Meanwhile, we were shocked at the Gator Amateur Radio Club's lack of concern, help, or any serious response. They had deliberately interfered with a criminal investigation. ...And so did UPD, apparently as a favor. The officer in charge of my complaint was Michael Metz. On later attempting to file a complaint with UPD's IAD department and describing what had happened over the phone, they told me that they saw nothing wrong in what Officer Metz or any of the involved officers had done, and that they would likely call my complaint "unfounded" if filed. So there was no point in even filing.
The perpetrator was Jeffrey Donald Capehart, W4UFL, who at the time was actually the President of both the Gator Amateur Radio Club AND of the Gainesville Amateur Radio Society. Jeff and his wife Susan Tipton both had prior past experience at this. In the mid-80s, the two, along with three other male friends, had hacked into the UF's IFAS computer system before. So they were ex-cons with a criminal history of this kind of stuff. On asking him why he had done that, Jeff yelled back that I wouldn't do what he wanted. Actually, what he wanted wasn't possible with the software at the time. Other than that, there was no obligation to do anything for him, anyway. (I remember that Jeff had been pushing me to make adjustments to make the system do...something...which I can't now remember. But it wasn't possible, then. I remember that I'd tried to explain, and he wouldn't listen. I asked him to download the software himself and try it himself so that he would understand. He wouldn't. It's all besides the point, though. At the time, his Asst. Coordinator status had been personally removed by me some two years earlier for insubordination and for causing problems. So he was not part of the program anymore. The system did not belong to him. He thus did not have any right, permission, or authority to be accessing that system for any reason whatsoever. It was password-protected - in the remote access software, at the desktop level, and at the EMWIN server software level. He utilized means to bypass all of the security systems to gain unauthorized access to everything, during a time when he thought everyone would be asleep and wouldn't know. I later discovered that he was also turning on the Windows Remote Desktop radio button to give himself a back door. I remember turning it off numerous times in previous months. I thought it was me. I'd turn it off. He'd just go back to the club station later and sit down at the computer and turn it right back on again. I had no clue. It would happen months apart...with enough time to make me question, "Hey. Didn't I turn that off already?" Everything he had done was done with calculation, planning, and aforethought, and it was most definitely not an "accident". He did it using disguised, surreptitious methodology.
On complaining to UPD, to protect Mr. Capehart, Faculty Advisor Dr. Jay Garlitz interfered with the investigation by implying to UPD investigators that I was a "problem" and that Jeff was actually innocent and had done no wrong. Dr. Garlitz had no actual proof to substantiate this. On his word alone (and his title, apparently), UPD believed the Faculty Advisor over the complainant, and pretty much abandoned the investigation after that. The keys to the club room were taken away from the me, preventing access by me or anyone in Alachua County SKYWARN to our own equipment - while at the same time allowing the criminal and anyone else uninhibited, unsupervised access to the scene of the crime and to the hacked equipment. With the criminals now having unfettered access to the scene and the evidence, and the owners having been denied access, the investigation was irreparably damaged. The entire case was utterly destroyed by interference on the part of GARC, and an unbelievable amount of irresponsibility on the part of UPD.
Later, we even had to fight to get our own equipment back because in the meantime the Alachua County Office of Emergency Management had heard about the situation and, at the request of another ham operator who suggested to Dave Donnelly that they obtain the equipment for use in their new ham radio club, ACOEM then sent an email to the GARC Faculty Advisor demanding that GARC hand the equipment over to them. But the equipment didn't belong to either of them. On threat of a lawsuit by Alachua County SKYWARN, and a criminal investigation of ACOEM's illicitly-attempted policy to use the power of it's name to intimidate and bully an organization into turning equipment over that didn't belong to them, David Donnelly suddenly backed down and recanted his demand. But before we could go and get our equipment back, GARC refused us access until we signed a promise not to sue written up by UF lawyers. In other words, our equipment was held hostage (a "duress") and we would not be allowed access to it - until we signed the document. So I signed.
They still owe us 200' each of 9913 coax and RG-8U, and a Cushcraft 4-bay antenna that goes with our 50-watt transmitter. That's hundreds of dollars worth of stuff. I took what we could get and got the hell out of there. And I suspect, that's exactly what they wanted.
It was a time of great shock, disappointment, and disillusionment - in people who were supposed to be there to protect and serve; in people who were supposed to be the best leaders and examples in a good cause; in people who were supposed to know better.