Spyware Horror Story: Duped by remote control

Editor's note: Last week's story on spyware as a form of domestic abuse ('Do you know your hacker?') generated much response, including very personal stories from women whose lives were at one point dominated by the kind of controlling abuse described last week. Because of the deep personal, as well as technological, impact on these users' lives, one story is featured here today. Scroll below for the editor's response or click to jump ahead.

Published by Elissa; Michigan, U.S.

Shortly after a nasty custody battle erupted with my network-hobbyist ex-husband, my once efficiently reliable technological life mysteriously spiraled literally out of my control. Suddenly all tools upon which I had relied, as a 5-year veteran remote-based sales person, ceased normal function. Subtle changes to fonts and settings followed restricted permissions and aggravated my connectivity. Disabled features suddenly enabled themselves and I could not click them back to normal. Calls to tech support offered no solution, especially since "it doesn't seem to be a problem impacting the PC," ended the troubleshooting. As the situation worsened, phone calls dropped, voice mails disappeared, and e-mails did not go through. I lost administrator privileges to access certain key words online. Hours spent writing summary reports resulted in blank or lost documents, each mishap sharing only one common variable: relative importance to the custody battle or my personal life.

It was mid-2003, we were all just switching to SIM cards. Antivirus software was for businesses, hackers were corporate threats, "spyware" was either James Bond's stuff or that pop-up we got from Kazaa, and remote access to a PC was still assumed a highly visible, labor-intensive process. Though the "coincidences" of my misfortunes were growing remarkably consistent and predictable alongside the psychic ability of my ex-husband's legal team, I was assured by various technical support folks that "no one can break into the phone's software or voice mail" and "someone would need physical access to a PC to install hacking software." I worried I was being paranoid and dismissed my concerns accordingly.

That is, until one evening, after being out all day, my 12-year-old son complained "Mom, someone turned on my computer game without resetting it because the helicopter already took off when I turned on." The innocent nature of his complaint brought just enough legitimacy to my concerns for me to leave a recorder hidden in the cookie jar for my next departure. Sure enough, within 20 minutes, I heard footsteps, clicks on my desktop keyboard, and the audio chime of Windows start-up, followed by a few exclamation/error warning tones, then footsteps down the hall. Someone was clearly at my house and on my computer.

My first thoughts were "Ah-ha! Good, I got 'em." My suspicions were now valid and I knew I wasn't paranoid. Unfortunately, by police standards, there was no proof of a crime and they "could not do anything" about computer problems then, or any of the many times that followed. Nothing was stolen. My slightly broken door jam just looked a little worse each time the cops came, and the more I explained the worsening tech nightmare, the more paranoid I looked.

To make matters worse, the timing of my ex-husband's motion to suspend parenting time coincided nicely with the Freedom of Information Act's (full text) turn-around time for the public record of police reports. To my horror, the police reports only stated I had called because I was worried someone was breaking in to alter the computer and spy on me, but the officer "found no evidence of foul-play," failing to mention that nobody ever actually looked at the computer or for evidence therein.

So the police did not have the tools, brains, drive, or compassion to do anything. My ex-husband's court custody battle plan was an acute attack on my stability, so my unprovable nightmare had to be endured or resolved silently. I am not a programmer, but since I'm also not devoid of brains, I knew what was happening, but not how. Incrementally, I added the layers of security from software to hardware, per the advice of various retail technicians, to no avail. I bought and returned and rebought phones and computers which all worked for 2-4 days until, suddenly, I could not get or complete key calls on my phone, lost "sufficient privileges" to use my computer, and my e-mail was a mess of undelivered errors.

During the 2-4 days of computer lucidity, I printed whatever log I could find to benchmark "the fresh start" and spent the time after things changed trying to extract whatever information remained for comparison. It is in this fashion that I learned about partition schemes, privilege hierarchies, OOBE (which I now hate with every fiber of my being), set-up calls and answer files, and directory services, just to name a few. Though I had been repeatedly told there was no way to administer a computer remotely without impossible hacking skills, and there was no software that could be installed quickly or incrementally over an IP connection, all the configuration changes I was discovering suggested otherwise. And my ex is not that smart.

Over the course of the two-and-a-half years I went through 30 computer hard drives across the 15 or so different computers I bought and returned, each excising my administrative privileges with days. The same fate awaited the 7 cell phone numbers 20+ phones' performance deterioration to malfunction. With each new hard drive or PC, I got closer and closer to figuring out how to articulate what I needed to have investigated and where. There was a prohibitive vicious circle in the balancing act between trying to figure out why I could not connect basic technology without adding fuel to my ex-husband's routine court filing of motions to restrict my access to my child due to delusions of being spied on. Further confounding the situation, I was unemployed. The only communication with and subsequent offers from prospective employers came from face-to-face application. I never received one call or e-mail response to my posted resume on any site or forum.

It is impossible to underestimate the significance of this virtual isolation from human kind. The psychological toll is tantamount to imprisonment. The financial toll exceeded the value of each and every one of my assets including my 401(k), home, car, and employability. I spent tens of thousands of dollars trying to protect my child, equipment, home, and self. I spent thousands more trying to find someone who could figure out what was happening. I failed on all fronts for, sadly, I ran out of money before I knew to ask someone to check for a rootkit. It was like learning about 9-1-1 after watching the house burn down. The only good thing is that I maintained my sanity as I figured out piece by piece how things were happening. Having discovered the word "rootkit" last night reading this article, I am pleased to see slowly the world is catching on to this unimaginable horror. I hope my story will help prevent this from happening to anyone else.

Editor's response

In most cases, spyware criminals target their victims in the abstract sense, as nameless piggy banks ripe for the slaughter. We can think of this as uncomplicated theft, as an unlucky offspring of bad code that mingled with your system and now squats your bandwidth and maybe banking, but is nothing personal, really. Elissa, however, endured the intentional, methodical destruction of the technological lifeline connecting her to economic and emotional success; namely, her job and her son. This was technology as an assault weapon.

Elissa's story isn't the first we've received that underscores the crippling effects of technological abuse. Spyware is always invasive, and shattering to our sense of physical security. For Elissa, it was also isolating and financially ruinous.

Thankfully, 2008 has brought greater recognition of spyware injustices, and more high-tech solutions victims can use to fight beleaguerment. In addition to filing a police report, enacting a camera plant, or changing the locks, you can attempt to cut off the perpetrator's power supply. Stop using your possibly-tapped home computer to send correspondence and use free computer labs at the public library. Start a new e-mail account and create a strong, hard-to-guess password that contains characters and capitol letters. Forward yourself e-mails from the old account to keep records.

Also, refrain from typing password--any installed keylogger will be able to trace it--and copy-paste logins instead. A password generator, such as RoboForm will help generate and paste passwords for you, thus escaping a keyloggers' grip. Finally, transfer your data from the computer to an online backup or other online storage facility and begin to wipe the hard copy records from your computer. Your job is to create a data fortress whose contents you can then transfer to a different, safer computer when you've ensured that your home network is untapped and secure.

Not all these measures will be free, and this is by no means an exhaustive list of the options available to shield yourself from assault, but it can help secure your freedom, and can save you from overspending on hardware kludges.