Milburn’s biggest concern was that the hackers seemed to be trying to hit the heart of his business. The lawsuit months earlier had brought a rush of publicity for CYBERsitter, and Milburn released a new version of the software. That combination would normally boost sales.
While bulk sales and orders over the phone were up, 60 percent of Solid Oak’s business depended on users buying the US$39.95 program directly from the Web site. As the network problems continued, so did the fall in sales. Milburn would not provide month-to-month sales figures, saying it could aid competitors, but he says the normally profitable company dipped into the red after a big drop in Web sales the month the lawsuit was filed. Net losses averaged US$58,000 a month after that, even as Milburn slashed expenses, he says.
Tracing the drop, he could see that customers were coming to the Web site to buy the software like always. They would type in credit card numbers and click submit, but most of the orders — on some days 98 percent — were not going through, Milburn says. He replaced servers and tried other fixes. Nothing worked.
As his income dried up, Milburn kept the company afloat in part with insurance proceeds from the loss of two properties in the November 2008 Tea Fire in the hills of Santa Barbara that burned 210 homes over three days.
He went without pay, and DiPasquale agreed to forgo her salary for a few months too. She and her husband, a professional chef, drew down their savings, but by the summer of 2010, the money was running out.
Some tough conversations played out at home, DiPasquale says. She argued that what was going on was wrong; quitting would mean the hackers had won.
Her husband wondered exactly what they had gotten into and where it would end.
“He was saying: ‘What are we up against? Is there going to be someone sitting outside the house?” she says.
Because she was working alone at home, he made sure the house alarm was on every day before leaving for work.
In his own battle, Milburn became more obsessed. He would get up by 5am, work until 7pm grab something to eat, then sign on from home to check his servers again. Constantly missing meals, Milburn began subsisting on pre-packaged sandwiches from a convenience store close to the office.
“It would be ten o’clock at night and I’d get an idea, ‘Huh, let me just check this,’” Milburn says. “That would lead to another hour of frustration trying to figure something out.”
Examining the script that controlled the payment processing function in November that year, he noticed that a single character was missing from the string — an apostrophe. That was enough to cause the page to time out, rather than to complete the credit card transaction. Customers were leaving in frustration.
The apostrophe was sometimes there and sometimes not, so some payments went through. There may have been other ways that the hackers were sabotaging his sales, but Milburn was sure he had found at least one.
“A hacker could certainly edit the script and break it so it would not work,” says Stewart, the Dell SecureWorks threat expert. “That would be a great way to do it without calling attention to the fact that they were in the system.”