HARVARD GAZETTE ARCHIVES

Computer Hacker Case Shows Limits of Safety

At a Washington, D.C., press conference last Friday, U.S. Attorney General Janet Reno announced that the first use of a court-ordered wiretap on a computer had led to charges against an Argentine man accused of breaking into Harvard's computers, which he then used as a staging point to crack into numerous governmental computer sites, including those at the Department of Defense and NASA.

The wiretap, on a computer within the Faculty of Arts and Sciences system during the last two months of 1995, resulted in the filing of a criminal complaint against 21-year-old Julio Cesar Ardita of Buenos Aires. An arrest warrant was issued for Ardita, who has no known Harvard connection.

Ardita also was believed to have illegally entered computer systems at additional U.S. universities, including Cal Tech, the University of Massachusetts, and Northeastern University, as well as sites in Korea, Mexico, Taiwan, Chile, and Brazil.

Reno stressed that the government used the trace only to identify the illegal intruder. News reports said that only two messages not related to the intruder were read due to painstaking effort to filter out information that was not relevant to the investigation. "This is an example of how the Fourth Amendment and a court order can be used to protect rights while adapting to modern technology," said Reno. "This is doing it in the right way."

"This is a case of cyber-sleuthing, a glimpse of what computer crime fighting will look like in the coming years," said U.S. Attorney Donald K. Stern. "We have made enormous strides in developing the investigative tools to track down individuals who misuse these vital computer networks."

The news created lots of media attention at the Science Center, where the FAS system is located, as local and national television crews arrived on campus. Frank Steen, director of Harvard Arts and Sciences Computer Services, wished he could have been more helpful.

Government agencies are not allowed to eavesdrop on the FAS system without a court order because, unlike some other institutions, FAS does not monitor for security purposes except in extreme cases, such as when a court order requires it.

Steen said a few people he spoke with incorrectly assumed that the government was poking around in their e-mail accounts. "No, no, they distinctly did not do this here. Everyone made sure that the tap intercepted only the communication of the intruder. We were ensured by the government that they were proceeding in the most narrow way," Steen said. "The investigators prided themselves in doing it this way.

"They devised an automatic way to search for patterns. It turns out that the hacker used a very consistent pattern. When the investigators found that pattern, they looked for a few words to see if it was from the hacker."

Steen said there is an inherent conflict between making systems usable and keeping them more secure. "If we had a true 'firewall' like those at industrial sites, it would be very difficult for people to use our system. We have other security measures in place that are appropriate for our kind of open environment. One example is the passwords. One thing any user can do to protect themselves is to change their password frequently.

"There's an expectation that there are security holes in every system and hackers try to exploit these holes. Our professional staff read hacker bulletin boards and other sources. And when they find a hole, they close down those holes. And we've closed down a lot of holes. We have very good people," said Steen.

Despite security systems and the effort and talent directed toward foiling hackers, Steen emphasizes that, like phone conversations, no computer communication should be regarded as truly confidential. "It is possible that unscrupulous individuals will try to listen in on computer conversations like they do with phone conversations. Such listening is illegal and requires technical knowledge and equipment. We hope the kind of investigation and enforcement action that the government undertook in this case will help make the computing environment more secure.

"So we advise people not to send confidential communications on the computer. There will always be some better form of security on a computer. And just as fast as they put one up, someone else will be out there trying to crack it," Steen said.