Where'd Todd Go?...
On Dealing With Psychopaths and Stalking
Chapter 13 - "...I HAVE NOTHING OFFICIAL TO GIVE YOU" DETECTIVE MICHAEL METZ
UNIVERSITY POLICE DEPARTMENT
UNIVERSITY OF FLORIDA
On February 15, 2009, at about 12:30am, I logged into the AC-EMWIN server to make some program adjustments. The system is used to download weather bulletins and graphics from the GOES weather sats and to redistribute them for free to local area users as a public service. Some of the users included not just the general public, but people in fire/rescue, various police departments, emergency management, etc - not just in Alachua County but counties surrounding us, too. As soon as the screen finished painting, it became frighteningly apparent in all but a split-second's time that the server was being hacked by someone. "What the...", I said to myself as my jaw dropped. Whenever I tried to move the mouse around, it was extremely sluggish. And when I stopped, it began moving around the screen on its own, with seeming intelligence, to specific places. I realized I was fighting another user. Thinking quickly, I stopped before the other person noticed what was going on. Instead, I just watched to quickly try to gather some intel on what exactly the hacker was trying to do.
I glanced at the web camera screen in the upper right corner of the desktop, which is always on. The web camera was placed high atop the station equipment rack and it overlooked the entire club station room, which itself was enclosed within a locked fence. The club station room was dark. There was no one physically there. The main door was closed. The lights were off. You could see a crack of light beneath the main door beyond the closed fence gate. The inside of the room was dimly lit by the light of the monitor, which was on due to the activity on the screen. Normally it would go into screen saver mode without any activity, but in the light of the monitor there was no one visible sitting in the chair in front of the monitor. And yet, the mouse continued to move around on the screen.
I had no idea how long the hacker had been in the system before I logged on, but while I was logged on he went into the EMWIN program itself and looked around a bit, seemingly confused. He moused over various pull-down menus and clicked on various tabs and examined various screens, not seeming to know just exactly what he was looking for or what he wanted to do. Then he clicked on the MS-DOS icon and went into DOS. He began moving around to various directories. He entered into the EMWIN software directories. He opened up, examined, and closed various files. When he found and opened up and started examining files containing names and phone numbers of actual users, which is considered PII (or Personally Identifiable Information), that's when I'd had enough. I logged off immediately so as to bump him off...
At the time, we were using a remote access program called RealVNC. A remote access program was used to access the server because the server was located about 10 miles away from me, and eleven stories up inside the Dental Science Wing of the J.H. Miller Health Sciences Center adjacent to (at the time) Shands Teaching Hospital on the University of Florida campus. It was locked behind a door which required a specialized key, and then further behind a chain link fence, which was locked with a heavy-duty padlock. Whenever something went wrong, it required a long drive, parking in a parking garage across the street (sometimes paying a parking fee if it occurred during normal daytime hours), and then a long walk from the parking garage to the building, and up 11 stories either by elevator or - if the elevators were down - by walking up the stairs. It took a long time to get there. And if a problem occurred at 3am, I certainly didn't want to get up and drive all that distance there if it simply required a software shutdown and restart, or a reboot, which could be done remotely much more easily and quickly. It was so much easier to remote in and see what was wrong and, if no physical presence was needed, fix whatever the problem was online. On rare occasion there might be a system lockup and no remote access would then be possible and it would require a mandatory trip to the site to get hands-on. But in most cases, remotely accessing the server allowed fixing whatever problem there might be.
Now...with RealVNC, we had the settings set such that if a second person logged on while someone else was also logged on, and then either person logged off, BOTH parties would be logged out at the same time. I knew about that particular setting and I tried to use it to regain control.
At this point I immediately logged right back on again and went straight into the settings for RealVNC and the first thing that I did was change the setting that allowed simultaneous logins; and then I changed the access password to prevent the hacker from being able to log back in again. I did this as fast as I could, typing as fast as I could, in order to beat the hacker before he could figure out what was going on. I had no further problems with control after that.
Immediately after that I went into Windows setup and checked the Remote Desktop settings. Something odd that I'd been noticing over the past year finally hit me hard now that I'd just caught someone actually in the machine. Sure enough, the radio box turning it on had been checked ON yet again. Over the past year, I kept noticing that the Windows Remote Desktop radio button would be checked on. I kept turning it off, and then I'd question myself. "I coulduh swore I turned that damned thing off!", I'd say. First couple of times, I didn't think much of it - though I do remember wondering if maybe it might have been Jeff Capehart trying to leave himself a backdoor way in past my password protections. And I also remember shaking my head and telling myself that "No way! That's just ridiculous!". We'd never been hacked before. You just don't expect it. Why would someone want to do that to THIS system? Well...
Jeff at one time used to be the Assistant Coordinator of Alachua County SKYWARN, and in the last few years he'd become quite a real insubordinate problem and two years previously I was actually forced to remove his Assistant Coordinator status. He wanted to do things his own way and when I wouldn't do them his way he would argue, and insult, and do things to try to humiliate me in front of other people. He'd do things behind my back without my knowledge or permission - including setting me up for appointments with officials to begin projects that I hadn't approved so as to try to force me to do things his way, for example. It had the side effect of making the public service officials think I wasn't responsible, or like I was fickle of mind, and they had no clue what was going on. (I would later discover in quite a freakishly eerie way that this was actually Jeff, and that it was yet another one of his attempts to get his own way. This guy was a bona fide hardcore asshole.) I'd also banned him from touching the EMWIN server or any of its related equipment.
At the time, I figured maybe it was just that the system had had a sudden fatal crash and auto-rebooted or something (it was programmed to auto-reboot the EMWIN software) and in so doing perhaps the old settings got reset when it pulled from a previous registry settings save. This is actually kinda common with Windows. But I do remember that numerous times I'd noticed that that damned Windows Remote Desktop button had been reset back to ON again and I thought I was going nuts. It now suddenly became quite obviously apparent that I wasn't nuts. It was actually happening. Obviously, a hacker had changed that setting repeatedly and I hadn't noticed it for what it was, because you just don't want to believe that someone would actually victimize you like that. You say to yourself, "That only happens in the movies." Right? (sigh) I again reset it back to OFF.
But how the hell was this person repeatedly gaining access to the system? I was constantly changing the passwords to both the EMWIN software and to the remote access software every six months!
...Had to be a GARC member. The server sat inside the Gator Amateur Radio Club's club station by agreement with the club and with the University. The equipment was the property of Alachua County SKYWARN. The server only served weather bulletins to people. It served no other purpose. It wasn't used in any other way by the UF or anyone else and it had no other useful programs installed upon it which would have interested anyone else. Whoever was accessing it must have wanted to make it do something for them, personally. Only ACS and GARC people had keys to physically access it. And since I was the only one in ACS who had a key, it must have been someone in GARC who was doing it.
After regaining control, I sent an email right then to Dr. Garlitz advising him of the situation that I had encountered and requesting that he ask Ray Strubinger (the GARC sysop) if he could find the IP address of the individual who accessed the system last night.
Early the following morning, I called the University Police Department and filed a hacking complaint with them. The complaint was received by Officer Baxter.
- Detective Baxter handed me over to Detective Michael Metz.
- Numerous email and phone exchanges between Detective Metz and me.
- Met Detective Metz at station.
- Detective Metz took my station key, preventing me from any further unsupervised access to GARC club station, and thus of any access to my EMWIN equipment, nearly resulting in the loss of my equipment to someone making false claims to it.
- It felt like the Mayo situation. Didn't feel confident with Detective Metz. Metz seemed to be largely ignoring anything that I was saying, and was instead cooperating with the Gator Amateur Radio Club, in particular, paying attention to its Faculty Advisor, Dr. Jay Garlitz, and ONLY the Faculty Advisor and not the victim who had actually filed the complaint.
- Nothing was getting done.
- Told UPD not to include Jeff in any decision-making, not to cooperate with him in investigation of computer or network or anything related to this case.
- UPD ignored me, went to Jeff anyway, gave him full cooperation in fact, allowing for the contamination of ALL evidence by allowing the suspect complete and unsupervised access to the scene and all equipment related to the crime. Left me out of the loop of discussions. Dr. Garlitz vouched for Jeff, causing prejudice in the PD. UPD cooperated with Jeff for all investigating of the hacking, even though they'd been told he was probably the guy who did it. They asked him if the computer or the system had logs. They asked HIM about the computer, the software, the network, how things work. I'd told both Dr. Garlitz and UPD to keep Jeff out and both were not listening to me.
- UPD refused to do an official investigation, citing that even though on UF property, if the equipment belonged to me, then that meant that it was not UF's jurisdiction. So then, whose was it? So there is no record of any interaction between me, GARC, and UPD except for what little I have in email conversations. And usually, they were one way: me...to them. Everything else was handled over the phone, or in person at the station.
- UPD contaminated the situation by cooperating with Jeff and giving him full access to the computer and asking HIM about whether or not there were logs, and left it up to HIM to check. (WHY...does everybody keep going to Jeff? WHY...does everybody keep taking Jeff's word over mine? Would someone explain this?) This meant that I was now no longer able to take any of this into ANY courtroom, or into any "proper" jurisdiction. UPD now joined GPD in fumbling/bungling/interfering with my cases, to the point of now not being able to take ANY action at all due to incompetent contamination of suspect handling, evidence handling, and witness handling. There is now no way that I can bring the bad guy to justice, or for me to receive any justice, because of what UPD - and the Gator Amateur Radio Club - did.
- Along with UPD, Dr. Garlitz inappropriately interfered, refused to heed my advice, ignored the complaints of a victim, put the victim's complaints off to the side, aided in helping a hacker escape arrest, placed the reputation of GARC, the UF, and UPD in jeopardy in so doing. (...Which, ironically, was the exact opposite result of what he was actually trying to do.)
- Contacted Detective Metz by email, requesting information about conversations with Jeff Capehart and Dr. Garlitz. What did they say about Jeff? What did they say about me? Was UPD's attitude towards me prejudiced by anything that the Faculty Advisor had said? I wanted the officer to write down and put it into the official record what Dr. Garlitz had told him about Jeff Capehart, about me. Detective Mayo wanted me to "come to the station to discuss it." The detective refused to discuss it over email or over the phone. He would only discuss it behind the locked doors at the station, sitting in the interrogation room, with no one else around. I asked the detective why he insisted on only talking about it behind closed doors. I asked him why he couldn't just tell me. He responded that there was "nothing to say". Which begs the obvious question: If there's 'nothing to say', then why ask me to come down to the station to 'talk' about it at all, then? The detective was refusing to cooperate, and I think he knew where I intended to go with it. He didn't want any witnesses or any recorded statements (i.e., in email copies, or in possibly recorded telephone conversations) used against him. You ever heard about that, before? ...A COP...not wanting to do the real homework in a HACKING investigation?...actually trying to cover UP its existence? ...Why?
- Almost a year later, discovered Gainesville Sun archive in Google search engine regarding Jeff Capehart/Susan Tipton hacking of UF/IFAS computer back in 1985, showing propensity for the very thing he'd done to the AC-EMWIN server.12
Jeff Capehart has an uncanny, unbelievable power within UF, within Emergency Management, and within police circles and I'd like an explanation for this. Why am I continually being blown off and ignored?
Here's an interesting "Question of Law" that just popped into my head:
If a man goes to all the proper authorities, has taken all the proper steps, has done everything possible to try to call attention to all of the stalking and harassing and abuse that has been occurring to him; and where at every step he has been ignored and/or sabotaged by same, and the actions of those who ignored or sabotaged him PREVENTED him from taking advantage of the "Statutes of Limitations", and from being able to protect or defend himself; can "Statutes of Limitations" still be held to that person - that victim, regardless...even though to do so would be obviously unfair?
- When I was finally allowed access to the club station and rooftop to gather the AC-EMWIN equipment, Jeff admitted to me that it was him and that he had hacked the four password changes that I had rotated through over the previous two years by cracking the Windows registry encryption. This required sitting down in front of the server desktop multiple times and going into the Windows registry and copying it so that he could apply a batch file that he had written which he used to crack the encryption, which according to him isn't very strong at all and, as he bragged, was "easy" to decrypt. He even repeated the four passwords that I had rotated through in the previous two years and grinned proudly as he did so.
I'd actually seen Jeff write such a batch file before and use it when I needed to figure out some passwords that I'd set myself and forgotten in some web pages that I'd created a long time ago. The web pages utilized some ".htaccess" files that forced users to enter a password before they could enter the web pages. They were used in some "Jammer Hunter" web pages that I had created when we were having to deal with a rogue ham radio operator who happened to be a trucker and who was accessing our local UHF and VHF repeaters to make harassing autopatches to 911, calling in false emergencies, interfering with conversations, and causing a lot of other havoc. We were trying to coordinate with other people to try to track the guy down and we used the web site to contain our sensitive gathered knowledge and to share it with the RDF team. When Jeff pulled that thing out and used it the first time I remember seeing the look on his face and how beamingly proud he was of himself over being so smart as to know how to do things like that. ...And I remember having an uneasy feeling about that batch file even then, and I wondered if Jeff would be capable of using something like that for more illicit purposes.