We still have no final report from the Norfolk police on whether the ClimateGate files were a hack, or an inside job by a whistleblower. However, we do have another example emerging today that illustrates that it seems rather easy for a hacker to gain access. What’s worse, security problems have apparently been pointed out, and ignored.
This part caught my eye:
A 2011 Inspector General’s report on the agency’s computer network found that it was fraught with security holes, many of which have been known about for months without being fixed.
I wonder if CRU had the same sort of security holes and if NASA GISS suffers from some of the same issues as the rest of the agency?
Full story here.
No need to wonder. The team are obviously computer illiterate, as they are statistically wanting also.
Sigh, I get so depressed when I think of what NASA has become.
Well, I shouldn’t be so harsh, I know there’s never been a horse that couldn’t be rode and there’s never been a cowboy that couldn’t be throwed. But I’d expect some pretty good security there.
Thinkode should put the IPCC’s servers and e-mail system in his crosshairs. Knowing that a lone sniper can bring them all down with one clean shot, those guys at the IPCC must be getting very nervous.
Information security has three basic components; Confidentiality, Integrity and Availability (CIA).
Since NASA is a publicly funded body and disaster relief is not exactly a national secret (usually front page news), and since the information is on a ftp site; it can be expected that the information is already published beyond the walls of the building, so there are likely people outside NASA that are privy to the information and could, if they so choose, re-publish their permitted downloads. So the Confidentiality aspect of the breach is not really significant. It is not on par, for example, with satellite control codes and frequencies or personal banking information being held by a trusted party and being accessed through an unpublished or covert channel.
Availability is fine since the system was up when the user tried to get the information.
Integrity is what concerns me in this instance. If the user was able to update or alter any data then that would be a significant problem. However I do not see any evidence of a ‘put’ or an ‘update’ in the information provided by the user so the Integrity of the data, although suspect, may have been maintained.
Unfortunately, given all that has gone on in the past I can think of reasons why the data owner may wish to maintain a situation of plausible deniability for anonymous un-documented changes to the data. That I would even think such a thought, is troubling.
LOL. Inside job. More “adjustments” being found necessary.
That ftp in itself means nothing. NASA has zillions of GB on public servers and it is a great service to the public. From the news, an ftp screen capture, does not really mean anything
How could you assure a person that someone (perhaps a Greenpeace activist) was not hacking into the climate records and tampering with them? Oh, wait, forgot about Hansen.
The following is interesting. It was November last year there was a surge in police spending on the “hack” – then nothing then followed a month or two later by a moderate spending and then nothing.
Except for the use of the past tense there was nothing to explain this surge in the police press release released around this time.
However, various suggestions were made as to why there was this massive surge, and one I suggested was that the “hack” had been identified as actually being a leak, the offender had been identified and that for obvious reasons given the illegal actions thwarting UK FOI law the UEA were keen to do a deal not to press charges if the individual involved didn’t throw them deeper in the shite by going public.
Well a few days ago, it was pointed out that one of the pro-warmist news outlet (nature?) had stopped talking about a “hack” and started talking about a “leak”. As it had always hitherto been reported as a “hack”, this seemed to suggest it derived from some kind of inside knowledge. So, wouldn’t it be extremely interesting to find out what staffing changes happened at the UEA at the end of last year – who’ll bet with me that if we dig deeper we’ll find that someone responsible for FOI departed suddenly from the UEA?
David Falkner says:
May 19, 2011 at 12:19 am
“How could you assure a person that someone (perhaps a Greenpeace activist) was not hacking into the climate records and tampering with them?”
Wouldn’t that be a very handy way to explain away inconvenient things if needed.
A hacker did it! Snuck in and biased everything, made adjustments, created crazy samples, even inserted complete nonsense, yet did it so brilliantly that even recognized climate experts were fooled. Leaving these totally innocent victims with results, models, and predictions that they are, of course, not accountable for. Could take a few years for some predictions to be so wrong that this hacking is discovered.
A computer expert could investigate this, unless something was lost or deleted to save file space or something. Things happen. You know those absent-minded professor types.
This is ridiculous – have they learned nothing from past events? What is it with climate “scientists” just lazily dumping material on ftp servers? If I was footprinting a site for penetration that would be one of the first things I’d look for.
and predictions that they are, of course, not accountable for. Could take a few years for some predictions to be so wrong that this hacking is discovered.
This is not your father’s NASA.
Lest we forget, the people responsible for the CRU security policy were also responsible for the software which inspired Harry_Read_Me.
http://wattsupwiththat.com/2009/11/25/climategate-hide-the-decline-codified/
Utter bumbling incompetents, the lot of them.
Climategate should never be described as a “hack”. It was a leak.
http://thepointman.wordpress.com/2010/12/17/why-climategate-was-not-a-computer-hack/
Pointman
“Hackers” these days are usually some 17 year-old Russian who never sleeps. They sign it as this one did (Tinkode) with an anonymous but consistent handle to link all their works to the same person or group of people. No one took credit for the CRU “hack” which tends to make it look like an inside job. Either that or someone unwittingly left the file in a directory legally accessable by anonymous FTP or HTTP.
Either of the latter two are neither hacking nor theft. If the file in question contained any copyrights then making copies for distribution would certainly be a crime but I don’t recall anyone mentioning the CRU file contained any copyrights.
Bob: It is not my NASA either.
Geez, this figures. I’m still stunned by this little bit of NASA IT idiocy:
http://www.npr.org/templates/story/story.php?storyId=106637066
Obviously, we aren’t dealing with rocket scientists!
It has always been clear to me that Climategate was a leak and not a hack. The information released told too good a story- it reads as though the material was deliberately collected over time with the purpose of telling the story. Particularly of the “trick”.
Much more likely to be an inside job and not a hack.
I’ve thought exactly the same thing for some time now. I always felt that it was released by someone at UEA whose job it was to collect and turn over FOIA documents. He just became so frustrated with the clearly illegal obstruction of turning over the documents that had already been collected that he released them himself. And I agree, I’d be willing to bet he doesn’t work there anymore. He was, no doubt. shown the door. Or in the, oh so polite, British phraseology – made redundant.
I’ve found that security in general is rather poor on many large networks – ones that you would expect to be much better. By that, I mean large companies, including banks and such, as well as government agencies. Far too often, it seems that I.T. departments are staffed either by older workers who simply aren’t keeping up with modern security issues, or by incompetents. And AWARENESS of security issues in these organizations is dismally low.
ignore – forgot to check “notify” on last post
Last Tuesday, this was posted here: http://bishophill.squarespace.com/blog/2011/5/17/sir-john-b-and-the-ipcc.html concerning Andrew Mountford’s recent obtenting of some of Sir John Beddington’s correspondence. Among the notes taken of a meeting between Sir John and Chris Field, the head of IPCC Working Group II. was the following:
“JB updated CF about the enquiries following the leaking of emails from the University of East Anglia’s Climate Research Unit, that is the enquiry led by Sir Muir Russell and a review of the science being led by Lord Oxburgh. (…)”
I thought it was significant that between themselves, they seemed to be using the word “leaking” rather the than one of their public labels such as “hacked” or “stolen”. Fellow commenters on the site apparently did not see much significance in this this but I still do.
I am still convinced CRU was an insider job, probably with malicious intent, unlike the NASA case which appears to be to expose security issues, but both cases suggest that the “hacker” knew what he was looking for.
Sorry, I meant “obtention” of course
Nothing to see here. GISS modeling shows no security holes. Your observations are wrong.
Off-topic, but related by computer security, or the lack thereoff:
“Coming soon to a Mac near you: serious malware”, at http://www.zdnet.com/blog/bott/coming-soon-to-a-mac-near-you-serious-malware/3212?tag=nl.e589
Ed Bott starts a series of articles that prove nobody is safe by obscurity.
Doesn’t so much security just depend on anonymity? ‘… everybody knows that “nobody knows” this password, and it’ll be so much easier to remember if we don’t have to change it.’. A common feature of multi-user passwords.