>>42
Sales Dive
While bulk sales and orders over the phone were up, 60 percent of Solid Oak’s business depended on users buying the $39.95 program directly from the website. As the network problems continued, so did the fall in sales. Milburn wouldn’t provide month-to-month sales figures, saying it could aid competitors, but he says the normally profitable company dipped into the red after a big drop in web sales the month the lawsuit was filed. Net losses averaged $58,000 a month after that, even as Milburn slashed expenses, he says.

Tracing the drop, he could see that customers were coming to the website to buy the software like always. They’d type in credit card numbers and click submit, but most of the orders -- on some days 98 percent -- weren’t going through, Milburn says. He replaced servers and tried other fixes. Nothing worked.

As his income dried up, Milburn kept the company afloat in part with insurance proceeds from the loss of two properties in the November 2008 Tea Fire in the hills of Santa Barbara that burned 210 homes over three days.

Foregoing Salaries
He went without pay, and DiPasquale agreed to forego her salary for a few months too. She and her husband, a professional chef, drew down their savings, but by the summer of 2010, the money was running out.

Some tough conversations played out at home, DiPasquale says. She argued that what was going on was wrong; quitting would mean the hackers had won.

Her husband wondered exactly what they had gotten into and where it would end. “He was saying, ’What are we up against? Is there going to be someone sitting outside the house?’” she says. Because she was working alone at home, he made sure the house alarm was on every day before leaving for work.

In his own battle, Milburn became more obsessed. He’d get up by 5 a.m., work until 7 p.m. grab something to eat, then sign on from home to check his servers again. Constantly missing meals, Milburn began subsisting on pre-packaged sandwiches from a convenience store close to the office.

Sabotage Evidence
“It would be ten o’clock at night and I’d get an idea, ’huh, let me just check this,’” Milburn says. “That would lead to another hour of frustration trying to figure something out.”

Examining the script that controlled the payment processing function in November that year, he noticed that a single character was missing from the string -- an apostrophe. That was enough to cause the page to time out, rather than to complete the credit card transaction. Customers were leaving in frustration.

The apostrophe was sometimes there and sometimes not, so some payments went through. There may have been other ways that the hackers were sabotaging his sales, but Milburn was sure he had found at least one.

“A hacker could certainly edit the script and break it so it wouldn’t work,” says Stewart, the Dell SecureWorks threat expert. “That would be a great way to do it without calling attention to the fact that they were in the system.”

No one ever told Milburn that he was facing, not amateurs but professionals who had ransacked secure U.S. government networks, until the results of Stewart’s analysis last August.