HotterthanMojaveinmyheart: The Case of Julio Cesar Ardita

On March 29, 1996, the U.S. Justice Department announced it had charged Julio Cesar Ardita (a.k.a. “El Griton”), a 21-year-old Argentine, with breaking into Harvard University’s computer network and using it as a staging platform for many other hacks into sites throughout cyberspace. Like Kuji and the Datastream Cowboy, Ardita targeted sites belonging to NASA, DoD, several American universities, and those in other countries (for example, Korea, Mexico, Taiwan, Chile, and Brazil). Like Kuji and the Datastream Cowboy, Ardita gained unauthorized access to important and sensitive information in his explorations. In Ardita’s case, the research information that was compromised involved satellites, radiation, and energy-related engineering.

Peter Garza of Evidentdata (Rancho Cucamonga, California) was a special agent for the Naval Criminal Investigative Service. He led the digital manhunt that ended in Buenos Aires.

Garza described Ardita as a dedicated hacker. “Ardita was no ordinary script kiddie,” Garza tells me. “He didn’t run automated hacking scripts downloaded from someone else’s site. He did his hacking the old-fashioned way. He used a terminal emulator program, and he conducted manual hacks. He was prodigious. He had persistence and stamina. Indeed, I discovered records of ten thousand sessions on Ardita’s home computer after it was seized. During the technical interviews we did of Ardita in Argentina (after his arrest), he would describe all-night sessions hacking into systems all over the Internet.

“Early on in the investigation,” Garza adds, “I had guessed this would be a solvable case because of this persistence. I had guessed that because this was such a prolific hacker, he had to use the same file names, techniques, and hiding places just so that he would be able to remember where he left collected userids and passwords behind on the many hacked systems. Also, I hoped the hacker was keeping records to recall the hacked sites. Records that would help further the investigation if we were successful in tracking the hacker down. It was gratifying that I was right on both counts. Records on his seized computer, along with his detailed paper notes, helped us reconstruct much of what he had done.”

Like the investigation that led to the identification and arrest of the Rome Labs hackers, the pursuit that led to the identification and arrest of Ardita accelerated the learning curve of those responsible for tracking down cybercriminals and bringing them to justice.

The following account, drawn from my interview with Garza and the court affidavit written by Garza himself in support of the criminal complaint against Ardita, sheds light on the details of the investigations and the groundbreaking work that the case required.

How the Search for “El Griton” Began

Sysadmins at a U.S. Navy research center in San Diego detected that certain system files had been altered. Taking a closer look, they uncovered files the intruder had left behind, including a sniffer, the file in which it was logging captured passwords, and a couple of programs he had used to gain root access and cover his tracks.

This evidence enabled Garza to construct a profile of the hacker.
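The detection that started the case was an observation that system files had changed. The check below is an added example written for this page, not a tool from the Navy investigation or from the book; it builds a SHA-256 manifest of a directory tree, then diffs the live tree against it and reports modified, added and deleted paths. The file names, the trojaned "login" binary and the hidden sniffer log are constructed for the demonstration and are not taken from the case.

```python
"""Baseline-and-compare file integrity check (added example, not from the page).

build_manifest() records a SHA-256 digest per file; compare_manifests() reports
what changed.  demo() constructs a tiny tree in a temp dir so it runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each relative file path under root to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Return (modified, added, deleted) as sorted lists of relative paths."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    return modified, added, deleted


def demo():
    """Constructed scenario (hypothetical): a login binary is replaced and a
    sniffer's output file appears in a dot-directory under tmp."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = Path(root) / "bin"
        bin_dir.mkdir()
        (bin_dir / "login").write_bytes(b"original login program")
        (bin_dir / "ps").write_bytes(b"original ps program")
        baseline = build_manifest(root)  # taken while the host is still trusted

        # Simulated intrusion: backdoored login plus a hidden password log.
        (bin_dir / "login").write_bytes(b"trojaned login program")
        hidden = Path(root) / "tmp" / ".X11"
        hidden.mkdir(parents=True)
        (hidden / "sniff.log").write_bytes(b"user:alice pass:hunter2\n")

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    modified, added, deleted = demo()
    print("modified:", modified)   # ['bin/login']
    print("added:", added)         # ['tmp/.X11/sniff.log']
    print("deleted:", deleted)     # []
```

The caveat a practitioner would add: the baseline must be kept off the host (or signed) and the comparison run from trusted media, because an intruder with root and a track-covering toolkit, exactly what the San Diego sysadmins found, can rewrite a manifest stored locally as easily as the binaries it describes.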

Coincidentally, and fortuitously, Garza and other naval security experts happened to be at the San Diego facility for a conference on the day that the intrusion was detected. They worked late into the night.

They succeeded in tracking the as-yet-unidentified hacker to a host system administered by the Faculty of Arts and Sciences (FAS) at Harvard University, Cambridge, Massachusetts. The hacker was making unauthorized use of accounts on the FAS host and trying to access other systems connected to Harvard’s network via the Internet.

(As early as July 1995, host computers across the United States as well as in Mexico and the United Kingdom reported both successful and unsuccessful hacking attempts seeming to originate from the FAS Harvard host. But this U.S. Navy investigation that commenced in late August would lead to Ardita’s arrest.)

Although it was impossible at first to determine the hacker’s true identity, because he was using the legitimate account holders’ identities as his aliases or covers, investigators could distinguish the hacker from other users of the FAS Harvard host and the Internet through certain distinctive patterns of illicit activity. But to track the hacker all the way back to his point of origin, Garza was going to need a court order for a wiretap.

Figure 6.2 The hacker’s path.

Source: U.S. Justice Department

“I called the U.S. Attorney’s office in Boston on a Thursday and asked if we could have the court order in place by Monday,” Garza recounts. “They laughed. Six months was considered the ‘speed of light’ for wiretap approval. But we started to put the affidavit together anyway, and got it okayed in only six weeks, which at that time was unheard of.”

Indeed, the work of Garza and the others to obtain a wiretap in the 1995 Ardita case laid a lot of the groundwork that made it possible for investigators in the 1998 “Solar Sunrise” case (which I describe later in this chapter) to obtain wiretap approval in one day.

Ardita’s Biggest Mistake

By the end of September, as Garza explains, the investigators detected a change in the hacker’s behavior. “He had been dialing into the Harvard network via telephone lines. But by September, he had stopped dialing in, yet he was still active on the network. Our investigation revealed that in the beginning, he had been breaking into a PBX of an off-shore company, located in Argentina, and from there dialing into Harvard, and then from Harvard hacking elsewhere around the Internet. The change came when he broke into Telecom Argentina to get free Internet access. He would telnet from there to Harvard and then from Harvard keep hacking other sites.

“We were able to look at where he was coming from on the Internet,” he explains, “and we saw a cluster of connections from different universities and other organizations in Argentina. We hadn’t tracked it back to his residence yet, but at least we knew he was either coming in through Argentina or he actually was someone living in Argentina.”

Breaking into Telecom Argentina turned out to be Ardita’s biggest mistake.

“We had been trying to get the phone company down there to do a phone trace because we had followed the trail to a bunch of dial-ups,” Garza tells me. “But each one we tracked back to Argentina ended up in a modem pool, so we needed somebody down there to trace it the next step back. We couldn’t get them to act fast enough until he broke into the phone system, then they acted because they were afraid of what he could do. So, in just a couple of days, they got a court order and traced the calls back to Ardita’s residence.”

The investigation had begun in August; Ardita was identified as the suspect in December.

On December 28, 1995, acting on information supplied by Telecom Argentina, Argentine law enforcement seized Ardita’s computer files and equipment at his home in Buenos Aires.

No Ordinary Wiretap

“This is a case of cyber-sleuthing, a glimpse of what computer crime fighting will look like in the coming years,” said U.S. Attorney Donald K. Stern in the official U.S. DoJ statement announcing the criminal charges filed against Ardita. “We have made enormous strides in developing the investigative tools to track down individuals who misuse these vital computer networks.”

He was not indulging in hyperbole. The wiretap used in the Ardita case was no ordinary wiretap. The tool behind it, Intruder Watch, was a specialized module of the Network Intrusion Detector developed at Lawrence Livermore National Laboratory in California. And, as Garza explains, it was the first of its kind.

“There had been four other wiretaps on a computer crime case,” Garza says, “but they weren’t tapping the network, they were tapping a modem line. In that instance, what was captured had to be manually reviewed and filtered, then only what was relevant went to the case agents.”

But with a thousand users online simultaneously, Garza insisted, they just couldn’t do it that way. Practicality demanded that they filter what was happening on the network quickly. Legal considerations demanded that they minimize the intrusion on the privacy of authorized users.

Intruder Watch provided the answer to the dilemma. It intercepted only those communications that fit the patterns identified as the hacker’s. “Even when communications contained the identifying patterns of the intruder,” Stern observed, “we limited our initial examination to 80 characters around the tell-tale sign to further protect the privacy of innocent communications.”
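The two constraints Garza describes, select only traffic that carries the intruder’s tell-tale patterns and then look at no more than a short window around each match, are the core of a minimization filter. The script below is an added example written for this page; it is not Intruder Watch, whose internals the page does not describe, and it works on reassembled session text rather than raw packets. The indicator strings (the file name in this section’s heading, the alias “El Griton” and a hypothetical hiding directory `/tmp/.hide/`) and the three sample sessions are constructed for the demonstration; the page does not say which strings the real tap keyed on.

```python
"""Pattern-triggered capture with an 80-character minimization window.

Added example, not Intruder Watch.  Sessions that match none of the indicators
are never opened; for those that do, only a window of at most WINDOW characters
containing each match is passed on for examination.
"""
import re

WINDOW = 80  # assumption: "80 characters around the tell-tale sign" as a total window

# Hypothetical indicators for the demonstration (not taken from the investigation).
INDICATORS = ["hotterthanmojaveinmyheart", "el griton", "/tmp/.hide/"]

# Constructed sample sessions: two ordinary users and one intruder session.
SAMPLE_SESSIONS = [
    {"id": 1, "user": "jdoe",
     "data": "cd thesis\r\nvi chapter3.tex\r\nmail advisor < draft-comments.txt\r\n"},
    {"id": 2, "user": "msmith",
     "data": ("telnet 10.0.0.5\r\nmkdir /tmp/.hide\r\n"
              "cp sniff /tmp/.hide/hotterthanmojaveinmyheart\r\n"
              "/tmp/.hide/hotterthanmojaveinmyheart -i le0 &\r\n"
              "echo 'El Griton was here' > /tmp/.hide/tag\r\n")},
    {"id": 3, "user": "alee",
     "data": "finger bob\r\nmail -s 'dinner?' bob < note.txt\r\n"},
]


def compile_indicators(indicators):
    """One case-insensitive alternation of literal indicators (regex-escaped)."""
    return re.compile("|".join(re.escape(i) for i in indicators), re.IGNORECASE)


def excerpt(text, pos, match_len, window=WINDOW):
    """Return at most `window` characters of text that fully contain the match."""
    lead = max(0, (window - match_len) // 2)
    start = max(0, pos - lead)
    end = min(len(text), start + window)
    start = max(0, end - window)  # slide back if the match is near the end
    return text[start:end]


def minimize(sessions, indicators, window=WINDOW):
    """Yield one hit record per indicator match; non-matching sessions yield nothing."""
    pattern = compile_indicators(indicators)
    canonical = {i.lower(): i for i in indicators}
    hits = []
    for sess in sessions:
        for m in pattern.finditer(sess["data"]):
            hits.append({
                "session": sess["id"],
                "indicator": canonical[m.group(0).lower()],
                "excerpt": excerpt(sess["data"], m.start(), len(m.group(0)), window),
            })
    return hits


def sessions_touched(hits):
    """Sorted ids of the sessions an analyst would actually get to see."""
    return sorted({h["session"] for h in hits})


if __name__ == "__main__":
    for h in minimize(SAMPLE_SESSIONS, INDICATORS):
        print(f"session {h['session']} [{h['indicator']}]: {h['excerpt']!r}")
    print("sessions examined:", sessions_touched(minimize(SAMPLE_SESSIONS, INDICATORS)))
```

The design point is the order of operations: the filter decides on the indicator first and only then cuts the window, so sessions 1 and 3 never reach an analyst at all, and even session 2 is seen only in slices. A real deployment also logs what was dropped (counts, not content) so the minimization can be shown to a court afterwards.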

Although Ardita’s hack of Telecom Argentina had identified him without evidence supplied through Intruder Watch, the breakthrough wiretap provided plenty of evidence on his activities. For example, as Garza recollects, Ardita got online with some of his hacker buddies on what turned out to be a bulletin board near Carnegie Mellon and gave them the phone number to his bulletin board down in Argentina.

Debriefing “El Griton”

Tracking down Ardita, and putting an end to his hacking adventures, took four months. But, as Garza relates, almost an entire year passed before U.S. investigators could actually interview the now-infamous young man.

“It took us a while to go through the mutual legal assistance treaty process,” Garza explains. “Hacking wasn’t illegal in Argentina. Interruption of telecommunications was, however, illegal under their penal code. So we went with that, and they agreed to hold all of his computers and everything until we got down there. But it took a while to go through our State Department and their equivalent. We finally got down there in October 1996.”

Garza and other U.S. officials conducted six sessions with Ardita going into detail about his activities. These in-depth discussions allowed Garza to size up “El Griton.”

“He claimed, as many hackers do, that he was doing it simply because he could,” Garza tells me. “He said he was inquisitive. He claimed he was researching security. He kept insisting that he was just hacking for the good of mankind. But we walked him through what he had done. He had been phone-phreaking from the PBX of that multinational corporation. He was making calls to his girlfriend. He was making calls into Harvard. To the tune of approximately $15,000.

“We asked him, ‘Isn’t that just plain theft?’ It had shattered his self-image of the ‘White Hat Hacker.’ He broke down in tears. I didn’t get the sense from talking to him that he was very sophisticated people-wise. He wasn’t a genius either, he was just talented and very persistent.”

Of course, there is a lingering question in the minds of some regarding the Ardita case because his father just happened to be a retired Argentine military colonel “assigned” to the Argentine legislature. Could “El Griton” have been the pawn of some larger online intelligence-gathering operation? No such evidence has been produced. But it’s one of those “coincidences” that just kind of gnaws at you.

In December 1997 (yes, another year later), the Ardita case was finally brought to conclusion. Because hacking wasn’t a crime in Argentina, it wasn’t covered under the existing extradition treaty with Argentina. But Ardita agreed to waive extradition. His father, after all, was in the Argentine military, and the case was probably something of an embarrassment.

He voluntarily traveled to the United States and pleaded guilty. The agreement worked out between the U.S. Attorney’s office in Boston and Mario Crespo, Ardita’s lawyer, recommended that Ardita receive a three-year probation and a fine of $5,000.

Considering the resources that went into the case, Garza acknowledges, “Ardita got off with a pretty light sentence. There was criticism. But the U.S. prosecutors felt that in this case, since they could not extradite him, the stalemate would have just dragged on.”
