The "Hacking" Incident

Hillyard claims that I "hacked" his web site to "steal" his checkbook records. The word he seems to mean is "cracked," as "hacked" doesn't actually mean anything negative. Whatever words one uses, I've never done anything that was in the least bit unethical, nor have I ever made any attempt to break through any sort of security on his or any other site or system. I do not have the knowledge or skills needed to actually break through any significant sort of system security, and I have never made any attempt at gaining that knowledge or skills. What actually happened was quite simple, and far less ominous than Hillyard claims.

While I have done periodic searches of the Internet throughout this ordeal, both in an attempt to spot any messages forged in my name or to find any further information on Hillyard's plans, I do very thorough searches to update information after each of his obvious attacks. On Wednesday, March 27, 1997 Hillyard posted replies in atl.general to posts I'd made in the mindspring.local.atlanta newsgroup—a newsgroup to which he no longer had access. It was obvious that someone with access to mindspring.* hierarchy groups was forwarding posts to him. Over the next couple of days I started looking around, and found that fingering one of his known accounts, afn30721@afn.org, provided the following information:

finger afn30721@afn.org
Response from host:
Login name: afn30721                    In real life: Richard M. Hillyard
Directory: /freenet4/afn30721           Shell: /depot/freenet/lib/shells/startup.sh

No mail.
Mail forwarded to hillyard@vaca.net.

No plan.

I made an educated guess and checked the URL http://www.vaca.net/~hillyard - bingo. Because there wasn't a file named index.html (or one of the other defaults for the main page in a directory), I saw the following directory listing:

Index of /~hillyard/

     Name                   Last modified     Size  Description


     Parent Directory
     atn/                   02-Mar-97 22:04     0K
     christ.htm             02-Mar-97 23:50     8K
     data/                  02-Mar-97 22:10     0K


The atn/ directory only one file, which contained the text "We have moved to Great Long Distance Values!" with a link to Hillyard's new site at http://www.atlga.com/atn/index.html. I went back to see what was in the data directory out of natural curiosity, and found the following listing:

Index of /~hillyard/data/

     Name                   Last modified     Size  Description


     Parent Directory
     EXPENSE.XLS            19-Feb-97 17:52    21K
     MISSIN~1.xls           19-Feb-97 17:52    34K
     NEW.ABD                28-Mar-97 13:03     2K
     NEW.EML                28-Mar-97 13:04     8K
     NEW.QDB                28-Mar-97 13:04   173K
     NEW.QEL                28-Mar-97 13:04    25K
     NEW.QMD                28-Mar-97 13:04    22K
     NEW.QSD                28-Mar-97 13:04    10K
     PL020897.xls           19-Feb-97 17:52    14K
     Q3.DIR                 19-Feb-97 17:52     1K
     atlga.zip              02-Mar-97 22:12   316K
     moaccomp.xls           19-Feb-97 17:52    16K
     quick96.zip            19-Feb-97 17:52   127K
     ~QW~LINK.QDT           19-Feb-97 17:52     1K

I downloaded those files-they were in a publicly accessible directory and not password protected, so by standard internet practice they were intended for viewing by anyone who cared to see them (and one cannot be said to "steal" files that are publicly available). I haven't looked into anything but the .zip and .xls files—the others are from an accounting program, Quicken, and I have yet to be curious enough to install the software to see what was in those files. The .xls files seem to be work-related expense reports and the like—nothing exciting. The .zip files simply contain other copies of most of the .xls and Quicken files, along with copies of the files used to create the new web site (which are viewable by anyone who visits that site).

So, I went back and followed the link to Hillyard's new site. It was boring and most of its links didn't work at all, so I tried popping in the URL (web page address) http://www.atlga.com/data/ just to see if he'd put a data directory on this site, too—and he had. I didn't save the directory listing, but I did download and save the files there. Most of them looked to be the same as the ones in the data directory on his old site, but he'd added Quicken files called Pack590.*—the Cub Scout troop for which he claimed to be Cubmaster is Pack 590. As the regional director of the Boy Scouts of America had said back in October 1996 that Hillyard had been removed from all involvement with Scouting, the presence of that file would seem to indicate some ongoing involvement with the pack. Of more immediate interest to me was the fact that he had a file called cyn1.doc sitting there. Opening it, I found that it contained copies of many posts I'd made to MindSpring discussion groups over the past few months that Hillyard apparently considered damaging—nothing but another flame war, nothing new on the net. He'd only collected my posts, without bothering to collect those of the men participating in the thread—except for those of someone using the name "J. Stuart McElhinney" who'd made threats to get my phone number and street address and post them for Hillyard.

Please note that there were no passwords on any of the Internet sites or files mentioned here. There was, therefore, no hacking involved in accessing them and nothing in the least underhanded or ethically questionable about viewing them. There is no private information on the Internet unless access to it is restricted by password and/or more stringent measures.

Any time I find evidence of Hillyard's Internet activity, I watch the forum in which I found him for a few days, at least, to see if he says anything regarding this case. I checked the http://www.atlga.com/ site again Friday, and found that he'd password-protected the data directory. I mentioned it in a public message in mindspring.local.atlanta discussing the posts that were being forwarded outside MindSpring.

When I next checked Hillyard's site, I found that he'd added a banner that said "Hi Cyn!" linked to a page at http://www.atlga.com/cyn.htm claiming "Following are the logs where she kept digging in my website until she was successful in getting into a password protected directory." The data he provided as "proof" follows:

1.user-207-69-140-46.dialup.mindspring.com - - [27/Mar/1997:22:54:25 -0500] "GET /data HTTP/1.0" 302 -
   2.user-207-69-140-46.dialup.mindspring.com - - [27/Mar/1997:22:54:27 -0500] "GET /data/ HTTP/1.0" 200 2042
   3.user-207-69-140-46.dialup.mindspring.com - - [27/Mar/1997:22:54:33 -0500] "GET /data/Hillyard%20Technical%20Services.doc
   4.user-207-69-140-46.dialup.mindspring.com - - [27/Mar/1997:22:55:02 -0500] "GET /data/cyn1.doc HTTP/1.0" 200 49664
   5.user-207-69-140-46.dialup.mindspring.com - - [27/Mar/1997:22:55:22 -0500] "GET /data/info HTTP/1.0" 200 163
   6.user-207-69-140-46.dialup.mindspring.com - - [27/Mar/1997:22:57:10 -0500] "GET /data/NEW.ABD HTTP/1.0" 200 2270
   7.user-207-69-140-46.dialup.mindspring.com - - [27/Mar/1997:22:57:14 -0500] "GET /data/NEW.EML HTTP/1.0" 200 8931
   8.user-207-69-140-46.dialup.mindspring.com - - [27/Mar/1997:22:57:48 -0500] "GET /data/NEW.QDB HTTP/1.0" 200 177152
   9.user-207-69-140-46.dialup.mindspring.com - - [27/Mar/1997:22:58:51 -0500] "GET /data/NEW.QEL HTTP/1.0" 200 25600
  10.user-207-69-140-46.dialup.mindspring.com - - [27/Mar/1997:22:58:55 -0500] "GET /data/NEW.QMD HTTP/1.0" 200 23384
  11.user-207-69-140-46.dialup.mindspring.com - - [27/Mar/1997:22:58:59 -0500] "GET /data/NEW.QSD HTTP/1.0" 200 10984
  12.user-207-69-140-46.dialup.mindspring.com - - [27/Mar/1997:22:59:02 -0500] "GET /data/PACK590.ABD HTTP/1.0" 200 326
  13.user-207-69-140-46.dialup.mindspring.com - - [27/Mar/1997:22:59:08 -0500] "GET /data/PACK590.QDB HTTP/1.0" 200 72704
  14.user-207-69-140-46.dialup.mindspring.com - - [27/Mar/1997:22:59:10 -0500] "GET /data/PACK590.QEL HTTP/1.0" 200 25600
  15.user-207-69-140-46.dialup.mindspring.com - - [27/Mar/1997:22:59:13 -0500] "GET /data/PACK590.QMD HTTP/1.0" 200 6413
  16.user-207-69-140-46.dialup.mindspring.com - - [27/Mar/1997:22:59:17 -0500] "GET /data/PACK590.QSD HTTP/1.0" 200 14745

The GET command is the request a visitor's browser sends to any web server for a particular file, named afterwards—for instance, GET /data/PACK590.QSD shows a request for the file PACK590.QSD in the data directory. The HTTP:/1.0 portion shows the version of the HTTP protocol in use. I'm not entirely sure what the numbers after indicate—probably the file size.

In any case, those web server logs are correct, but his claims are very much wrong, as he knows—they do not show any request for a password by the web server, and if there had been such a request, it would be in the logs. Also, had I attempted to guess a password to get past such a request, it would invariably have taken repeated attempts to get the password—and the web logs would show repeated failed password attempts and "access denied" or a similar message. Therefore his own "evidence" shows that he is deliberately lying in an attempt to portray me as some evil hacker. He did add password protection to the page on Friday, so unless he has altered them (and he may well have the capability to do so, depending on who hosts his web site) the only time there has been so much as an attempt to view the http://www.atlga.com/data/ directory would be sometime Saturday. And I did not attempt to get past the password—I am not a cracker or a hacker and, as I've stated publicly, have never had any desire to learn to crack into anything.

I mentioned the changes to his site in another public post Saturday morning. He then recorded another routine visit I made on Saturday to check on the site, and claimed that me visiting his pages was "stalking." That's a very interesting claim, as later posts (that claim to be from his wife and his son) state that they've been keeping an eye on my own web site, visiting it frequently—by his definitions, that would be stalking. Of course, he also made a great many other false accusations on pages on his web site during that time period, and blaming others for his problems is also a common tactic, so I'm not terribly surprised that he'd blame me for his failure to secure files he wanted kept private.

If any of Hillyard's claims were true, at the very least my MindSpring account would have been led. I would have also been in violation of Georgia laws regarding criminal trespass into computer systems, and he could have gotten me arrested (or at least filed a civil suit). None of that happened.

Hillyard's "Cyn" pages were pulled off his site immediately after the prosecutor in the stalking case contacted Hillyard's attorney. If there'd been any truth to Hillyard's claims, the prosecutor wouldn't have cared about the web pages at all—in fact, in all likelihood he would have already dropped the case.