More info on the UEA/CRU Climategate investigation by Norfolk Police – police give reasons for closure and say 'no death threats' recorded

Andrew Montford has posted briefing materials handed out to the press when Norfolk Police released the decision to close the investigation yesterday. Like everything else with this investigation, the people most in the know (the bloggers) were left out of the loop while the spinners (Richard Black of BBC for example) get this info straight away.

Operation Cabin

Background Information

Introduction

Operation Cabin is the name of Norfolk Constabulary’s investigation into the unauthorised data breach at the Climate Research Unit (CRU) at the University of East Anglia (UEA) in Norwich and the subsequent publication of some of this data on the internet.

The publication of the data in close proximity to the COP 15 and COP17 climate change conferences in Copenhagen and Durban appears to have been done in order to influence global debate around anthropogenic climate change.

The investigation has been undertaken by Norfolk Constabulary, with some support from SO15 (Metropolitan Police Counter Terrorism Command), the National Domestic Extremism Team (NDET) and the Police Central e-Crime Unit (PCeU). Technical support was provided by online security and investigation experts, QinetiQ.

The investigation

The security breach was reported to Norfolk Constabulary by the UEA on 20 November 2009, following publication of CRU data on the internet from 17 November onwards.

An investigation was launched by the joint Norfolk and Suffolk Major Investigation Team (MIT), led by Senior Investigating Officer (SIO) Detective Superintendent Julian Gregory, supported by Detective Inspector Andy Guy as Deputy SIO. Strategic oversight was provided by Gold Group, initially chaired by then ACC Simon Bailey and latterly by ACC Charlie Hall.

Strategy and Parameters

The primary offence under investigation was the unauthorised access to computer material under s.1 Computer Misuse Act 1990.

The aim was to conduct an efficient, effective and proportionate investigation into the circumstances surrounding the unauthorised access with a view to:

  • Establishing what data was accessed and/or taken and published
  • Establishing who was responsible
  • Securing sufficient evidence to mount a successful prosecution if appropriate

Lines of enquiry

At the outset it was not known if there had been a physical breach of security at the UEA or whether the data had been taken as a result of an external attack via the Internet. It was also not known if the offender(s) had connections with or were assisted by members of staff from the UEA and, as a consequence, a number of lines of enquiry were pursued to cater for these eventualities.

Summary of findings

  • That the data was taken between September 2009 and November 2009 during a series of remote attacks via the Internet, which accessed an internal back-up server.
  • That a large amount of data was taken and subsequently published on the Internet in two separate files in 2009 and 2011. The first was entitled FOIA 2009 and contained 3480 documents, 1000 e-mails and 1073 text files. The second was entitled FOIA 2011 and contained 23 documents, 5292 e-mails and 220,000 files. Much of the data published in FOIA 2011 was protected by an unknown password.
  • That the data was not obtained via physical access of the CRU back-up server.
  • That there is no evidence to suggest that anyone working at or associated with the University of East Anglia was involved in the crime.
  • The offender(s) had used methods common in unlawful internet activity to obstruct enquiries, by planting a false trail and utilising a series of proxy servers located around the world.
  • That the attack was highly sophisticated and was undertaken by a person or persons who were highly competent and who knew how to conceal their activity.

Limitation on proceedings

The Computer Misuse Act 1990 provides a limitation on commencing criminal proceedings in that criminal proceedings must be brought within six months from the date on which evidence sufficient to bring a prosecution comes to light, and that no such proceedings will be brought more than three years following the commission of the original offence.

In relation to Operation Cabin, this means that proceedings would need to be commenced in the autumn of this year. This means that the police investigation would need to have been concluded by late summer in order to prepare a case for prosecution within this time constraint. It has been determined that this is an unrealistic prospect.

Resource and costs

The Constabulary carried out a proportionate investigation led by officers from the joint Norfolk and Suffolk Major Investigation Team, with some additional support internally and some assistance also provided by national and external agencies and services.

Officers assigned to this case worked on a number of other investigations simultaneously and, while specific activities relating to this and other investigations may be recorded in their pocket note books, the exact time spent on each activity is not recorded. It is therefore not possible to isolate accurately the overall hours worked by officers and staff on this investigation nor the total salary cost for this.

Over and above this, the cost for over-time and expenses in relation to this enquiry alone has been recorded against a specific cost-code. For the period December 2009 to March 2012 inclusive, this figure stands at £84,871.77.

Further information

Further information in relation to this enquiry has been published by the Constabulary under the Freedom of Information Act.

This material can be found at:

http://www.norfolk.police.uk/aboutus/yourrighttoinformation/freedomofinformation/disclosurelog.aspx

============================================================

One of the things I find most interesting in that disclosure log page is that for all the caterwauling that went on about “death threats” sent to Phil Jones, and the news repeated worldwide by the spinners that he was “depressed and suicidal”, the Norfolk police provided this statement which tells the real story. Bold is mine:

69/12/13 (PDF) Threats to life or threats of bodily harm reported to Norfolk Constabulary by members of the Climatic Research Unit at the University of East Anglia. No information held.

The PDF reads:

June 2012

Dear whatdotheyknow.com

Freedom of Information Request Reference No: FOI 69/12/13

I write in connection with your request for information received by the Norfolk Constabulary on the 14th May 2012 in which you sought access to the following information:

Please provide a breakdown per month, the number of:

A threats to life

B threats of bodily harm

which were reported to Norfolk Constabulary by members of the University of East Anglia Climatic Research Unit in the period 1st November 2009 to 30th April 2012, inclusive.

Response to your Request

Norfolk Constabulary were made aware of emails that had been received by a member of the staff at the University of East Anglia Climatic Research Unit. No specific complaint or report was made to the Constabulary and no crimes were recorded detailing threats to life or threats of bodily harm.

This response will be published on the Norfolk Constabulary’s web-site www.norfolk.police.uk under the Freedom of Information pages at Publication Scheme – Disclosure Logs.

================================================================


Bottom line: Phil Jones and UEA weren’t concerned enough with these “death threats” to bother filing a police report or complaint, but they sure talked it up in the press, just like the whiners at ANU and those supposed “death threats” that never materialized.

But when the police say:

No specific complaint or report was made to the Constabulary and no crimes were recorded detailing threats to life or threats of bodily harm.

It rather deflates the whole episode.

I’m sure David Appell will get right on this to prove otherwise.

kim
July 19, 2012 7:12 am

The best comment I’ve seen is by jferguson @ The Bish’s: ‘Iplod battery ran down?’
===================================

DC Cowboy
Editor
July 19, 2012 7:20 am

LOL, I think that they have a problem with their findings:
That the attack was highly sophisticated and was undertaken by a person or persons who were highly competent and who knew how to conceal their activity.
That there is no evidence to suggest that anyone working at or associated with the University of East Anglia was involved in the crime.
These two ‘findings’ mean that, if there was an ‘insider’, that they were ‘highly sophisticated, highly competent and knew how to conceal their identity’.
I’m also curious about the meaning of this finding – “That the data was not obtained via physical access of the CRU back-up server.” If the finding ‘That the attack was highly sophisticated and was undertaken by a person or persons who were highly competent and who knew how to conceal their activity.’ is true, then how do the police know that the data was not obtained by physical access?

Eyal Porat
July 19, 2012 7:24 am

Ooooh, “Operation Cabin”…
Very James Bondish.
By the way, many of the people (and newspapers) angry about this leak were only too happy to publish the WikiLeaks documents from all over the world.

MrV
July 19, 2012 7:26 am

I guess this means the way is clear for the trilogy of climategate emails to leak out?
Next round, come on down …

July 19, 2012 7:35 am

I notice that plod specifies and concentrates on the CRU back-up server, could this information have come from any of the other computers in the CRU?

CodeTech
July 19, 2012 7:37 am

Let’s just say, if I WAS to pursue a life of cyber-crime, I’d be wise to set up shop where any investigations would be handled by the Norfolk Constabulary. I’d mention the Keystone Cops, but… oh, someone needs to make a modern day equivalent.
dccowboy hit the exact lines that jumped out at me. “Highly Sophisticated” appears to be a phrase that means “anything we can’t figure out”. I’m wondering if their electric razors and iPods also rate as “highly sophisticated”.
So yeah, do tell: how are the concepts of “we can’t figure out who did it” and “it wasn’t anyone local” anything other than mutually exclusive? It’s one or the other, NOT both.

Mike Bromley the Kurd
July 19, 2012 7:38 am

Dccowboy basically took the words out of my mouth. Funny how, in announcing their ‘findings’ they seem to know more than their findings should have revealed. I think they need to hire a spin doctor. Sorry, Dr. Phil, for your abject failure at squeezing a bit of sympathy from CNN.

Coach Springer
July 19, 2012 7:42 am

I may be part of the identity concealment. I bought a T-Shirt saying “I’m FOIA.” Highly sophisticated, indeed.

SanityP
July 19, 2012 7:42 am

“FOIA” release in November, yes perhaps, but revealing him/herself? I doubt that very much. Not in a few more years at least.

Snowlover123
July 19, 2012 7:43 am

So Anthony, does this mean that these documents, after all, were simply a fake?
http://wattsupwiththat.com/2012/06/13/foi-reveals-nasty-hateful-emails-sent-to-phil-jones-right-after-climategate/
REPLY:
Please don’t put words in my mouth…I simply said they were “deflated” in importance when they don’t even bother to file a police report. – Anthony

Kelvin Vaughan
July 19, 2012 7:50 am

I would think someone considering suicide is mentally ill. If I were his employer I would put him on sick leave and make sure he gets psychiatric help!

Kaboom
July 19, 2012 8:08 am

Access from the outside to the backup server via the Internet suggests a lack of a skilled firewall setup and intrusion detection or a deliberate gap. It also means such an attack would have had to trace the backup regime of the email system to the backup servers, which means that multiple servers had to be intruded into at administrator level to obtain the information. That suggests gross incompetence on behalf of the UEA IT staff or an inside man that knew where to look and how to get in from an external IP past the network’s defense.

mrmethane
July 19, 2012 8:08 am

1. The anti-terrorist mob seem to be very competent when it comes to anticipating, thwarting and prosecuting crimes in their bailiwick, so had they been truly involved in this affair, they’d have solved the crime.
2. I have no doubt that they did succeed, at least to the point of balancing the embarrassment of failure against the further embarrassment of UEA/CRU and their apologists, including Lord whatshis name. So what did we expect?

Gail Combs
July 19, 2012 8:10 am

“The security breach was reported to Norfolk Constabulary by the UEA on 20 November 2009, following publication of CRU data on the internet from 17 November onwards.”
HMMMmmmm, I smell a pack of madly scurrying rats as they dump all the data related to the climate temperatures that Steve M’s FOIA was aimed at BEFORE calling in the cops three days later. Makes for an interesting timeline for The Dog Ate Global Warming and explains why Phil Jones said he even considered suicide over the “climategate” scandal. Also explains why CRU was not exactly cooperative.

Skiphil
July 19, 2012 8:12 am

All they are telling the public is that anyone in the world, inside or outside of UEA, could have pulled it off if they had the requisite skills. What they should say if they want to be candid and open with the public is:
“It could be anyone skilled enough to leave no clues that we could pick up on. Therefore, we cannot speculate about the location of ‘FOIA’ or the meaning of these events, beyond that someone wanted these documents released and found a way to release them.”

mikemUK
July 19, 2012 8:15 am

It’s a pity the plods didn’t succeed in their aim of “Establishing who was responsible” – when it comes to the New Year’s Honours List, Sir or Dame FOIA won’t carry the same cachet as a proper identity.
Still, all in all, I think they played a blinder.

July 19, 2012 8:16 am

Since it was a “highly sophisticated” remote intrusion by someone who knew how to conceal their identity we can rule out Peter Gleick.

jayhd
July 19, 2012 8:18 am

I’ve said it before, I’ll say it again. Given the information the Climategate leaks exposed about how Jones, Mann and company operated, and given the tremendous economic and human damage done by these so called “scientists”, I find it miraculous there have been no death threats.
Jay Davis

Skiphil
July 19, 2012 8:25 am

Why don’t they try a much better press release which needs only two sentences suitably adapted from eminent climate scientists to describe the real state of the police investigation:
1) “We can’t account for [this] at the moment and it is a travesty that we can’t”
2) “we know with certainty that we know f***-all”
You see? Climate science can help out in so many unexpected situations!

Steve M. From TN
July 19, 2012 8:29 am

“The offender(s) had used methods common in unlawful internet activity to obstruct enquiries, by planting a false trail and utilising a series of proxy servers located around the world.”
This should answer Mike and Dccowboy. I’m pretty sure the server logged all activity, and it would note whether the activity was local or remote access. It was a back-up server, so probably not a lot of activity, which would make the investigators’ job easier than if it had been the main server.
Sometimes thieves are just smarter than police.

tadchem
July 19, 2012 8:37 am

Jones’ claim that “People said I should go and kill myself. They said they knew where I lived. They were coming from all over the world.” is officially indistinguishable from a paranoid delusion.

jeff 5778
July 19, 2012 8:46 am

Would revealing too much to the press give up techniques they used during the investigation. Techniques that they don’t want criminals knowing about?

wobble
July 19, 2012 8:49 am

That there is no evidence to suggest that anyone working at or associated with the University of East Anglia was involved in the crime.

Again, they provide no indication that they even looked for evidence to suggest that someone working at or associated with the UEA was involved with the crime.

July 19, 2012 8:50 am

This is the sentence I find most interesting. Can you guess what’s missing, to make it suitably ambiguous?
“The offender(s) had used methods common in unlawful internet activity to obstruct enquiries, by planting a false trail and utilising a series of proxy servers located around the world.”
Yes, it’s a time point. Are we talking here about a frontal assault from behind proxy servers in a supposed frontal assault to get the data, or the dissemination of the material in CG1 and CG2? Wonderfully vague stuff.
http://thepointman.wordpress.com/2010/12/17/why-climategate-was-not-a-computer-hack/
Pointman

Billy Liar
July 19, 2012 8:51 am

The language of the summary is appalling; ‘data taken’? Who ‘takes’ data, most people would just copy it. If you copy it and delete it the source could claim you made it up.
Maybe UEA is covering for all the data it has ‘lost’ in the past?
… there is no evidence to suggest that anyone working at or associated with the University of East Anglia was involved in the crime …
Equally, there is no evidence that anyone working at or associated with UEA was not involved in the crime since they don’t have a clue who did it.
I’m betting the VC wanted that statement in the police report (you all know why).

Chuck Nolan
July 19, 2012 8:55 am

“Officers assigned to this case worked on a number of other investigations simultaneously and, while specific activities relating to this and other investigations may be recorded in their pocket note books, the exact time spent on each activity is not recorded. It is therefore not possible to isolate accurately the overall hours worked by officers and staff on this investigation nor the total salary cost for this.
Over and above this, the cost for over-time and expenses in relation to this enquiry alone has been recorded against a specific cost-code. For the period December 2009 to March 2012 inclusive, this figure stands at £84,871.77.”
—————————————-
If I were in charge I believe I would assign my overtime charges to cases that were solved or at least some level of headway achieved. The taxpayers/voters might like to see their money better spent.
But, maybe that’s just me.

John Whitman
July 19, 2012 8:56 am

I see the police did not rule out the possibility of multiple perpetrators. The communications from the releaser(s) used the pronoun “we” . . . thus I still consider it reasonable that there were multiple participants and speculate it is reasonable that at least one was inside UEA/CRU.
John

cui bono
July 19, 2012 9:04 am

It’s ‘Normal for Norfolk’ (an alleged medical term for illnesses caused by inbreeding).
Hmm. Norfolk Constabulary, the Metropolitan Police Counter Terrorism Command (SO15), the National Domestic Extremism Team (NDET), the Police Central e-Crime Unit (PCeU), QinetiQ [utterly stupid way of spelling kinetic], the joint Norfolk and Suffolk Major Investigation Team (MIT) and Gold Group. And still deliciously clueless.
I think pickpockets at the Olympics will be fairly safe.

mojo
July 19, 2012 9:04 am

Is it usual at UEA to have “internal backup servers” accessible via the internet? If so, no wonder they got their panties stolen.
Apparently, they’ve never heard of an internal-only, non-routable network segment.

Werner Brozek
July 19, 2012 9:05 am

That there is no evidence to suggest that anyone working at or associated with the University of East Anglia was involved in the crime.
Would it then have been a crime if it was a whistle blower? Where is Sherlock Holmes when they need him?

Richard M
July 19, 2012 9:07 am

“■That the attack was highly sophisticated and was undertaken by a person or persons who were highly competent and who knew how to conceal their activity.”
China??

July 19, 2012 9:11 am

somebody real smart on the inside.
who is smart enough to use proxy servers so it looks like it comes from the outside.
Hmm. That was my number 1 suspect on day 1.
still is.

highflight56433
July 19, 2012 9:16 am

“That there is no evidence to suggest that anyone working at or associated with the University of East Anglia was involved in the crime.”
“Again, they provide no indication that they even looked for evidence to suggest that someone working at or associated with the UEA was involved with the crime.”
The evidence of inside working has been destroyed, thus “no evidence.” The rest is all smoke and mirrors that it was sophisticated and remote.

July 19, 2012 9:17 am

mojo: “Apparently, they’ve never heard of an internal-only, non-routable network segment.”
Where I live and used to work (university / k12) , the IT people had heard of such things, but were forbidden to implement them until a major hack compromised all the servers. After that, and without permission, some of us spent an exhausting week implementing a firewall and rebuilding all the servers. Weeks later we got permission to make a firewall a permanent part of our infrastructure.

D. Patterson
July 19, 2012 9:17 am

Note how there was no apparent effort to investigate the extent if any to which Jones and others breached their fiduciary and/or custodial duties and obligations with respect to their destructon and/or removal of data constituting the property of the taxpaers and public. Although they have some degree of discretion in performing their custodial responsibilities, it must be asked how hiding the e-mail and other data on their own personal flashdrives at home and/or destruction of this data and property is not a criminal act cognizable by UEA and the police?

Sleepalot
July 19, 2012 9:20 am

The police are almost certainly fishing: hoping “FOIA” will relax and make a mistake. Obtaining those files was almost certainly _not_ the only possible offence. … imho.

Jimbo
July 19, 2012 9:20 am

The offender(s) had used methods common in unlawful internet activity to obstruct enquiries, by planting a false trail and utilising a series of proxy servers located around the world.
That the attack was highly sophisticated and was undertaken by a person or persons who were highly competent and who knew how to conceal their activity.

So we can’t rule out an internal job carried out outside of the CRU buildings by someone who knew where to look?

Chuck Nolan
July 19, 2012 9:21 am

Alan Watt, Climate Denialist Level 7 says:
July 19, 2012 at 8:16 am
Since it was a “highly sophisticated” remote intrusion by someone who knew how to conceal their identity we can rule out Peter Gleick.
———————-
Thanks Alan. Made my day. ROFLMAO, still chuckling five minutes later.

Alan the Brit
July 19, 2012 9:24 am

Nice one, Skiphil.
“highly sophisticated”! Even PC Plod indulges in weasel words every now & again, but I don’t think FOIA was this at all, more likely this is the police describing themselves! Why not just say simply “very clever” instead, pay FOIA a compliment for a change! Deja Vu, Pocket OED 1925: sophist/sophistry/sophisticated: Paid teacher willing to avail himself/herself (mustn’t leave the feminists out) of fallacies, use of sophisms, spoil the simplicity or purity or naturalness of, corrupt or adulterate or tamper with. Quite apt, methinks!

DesertYote
July 19, 2012 9:27 am

That the data was not obtained via physical access of the CRU back-up server.
###
I can’t remember the last time I accessed data from any type of server, let alone a backup server, via physical access. It had to have been over a decade ago. I have been tasked on several occasions with designing and implementing DRPs, which means that I have actually “built” and configured backup servers. And I did this all from the comfort of my work-station. To tell the truth, I would have loved to have needed physical access on a few occasions because that would have required trips to Hong Kong, Seoul, and Penang.

Ian W
July 19, 2012 9:38 am

Anthony Watts says:
July 19, 2012 at 7:35 am
@MrV I expect that if “FOIA” is going to release the remainder, he/she will do so right around November 19th, 2012, and perhaps even reveal him/herself since the statute of limitations will have expired. – Anthony

It is more likely that the release will come at a time that the data obtained will cause the most impact. Note that the statute of limitations is running from the time of the data theft, not the date of data release, so the release of data could happen anytime. It is only FOIA exposing her/his identity that needs to wait till after Nov 17.

RACookPE1978
Editor
July 19, 2012 9:41 am

China?
Heck, China, India, SA and Brazil would be the logical ones USING the CAGW climate hysteria to destroy THEIR economic rivals for the world’s business! China in particular – at that time especially – is too smart to waste effort trying to hack false “scientific” emails and research when there are hundreds of billions of economically profitable industry and business and military databases and emails to be read!
Method. Motive. Opportunity.
All three point to an internal whistleblower (irritated by the CRU opposition to a legitimate freedom of information act resistance and hatred by the CRU staff and administrators), or morally outraged by their hypocrisies, lies, and falsely and blatantly anti-scientific “attitudes” and biases.

more soylent green!
July 19, 2012 9:48 am

Still doesn’t wash. Somebody would have had to have access to those systems for a long time to gather all those documents. Perhaps I’m underestimating how sloppy the security was at UEA?
Anyhoo, I hope FOIA does come forward and let us know how it really happened. Inside job is still where my money is, no matter what this report says.

P. Solar
July 19, 2012 9:58 am

Anthony Watts says:
July 19, 2012 at 7:35 am
@MrV I expect that if “FOIA” is going to release the remainder, he/she will do so right around November 19th, 2012, and perhaps even reveal him/herself since the statute of limitations will have expired. – Anthony
Most UN-likely. Anyone who is smart enough to “orchestrate” such a “sophisticated crime” will surely know that there is a whole world of other charges they could dig and use against him. I’m sure there are a range of “terrorist” offences that could be made to fit, which do not have a sell-by date.
If it was a whistleblower he/she will probably be just as happy to keep their heads down and get on with life. They probably had far more effect than they had hoped for and will be trying to get on with honest science.

JohnG
July 19, 2012 10:29 am

I would also go for an insider for two reasons:
1 How did they know there would be anything worth taking? That would have been a huge effort to do on spec.
2 Why did they only go for the UEA? Why not go for Mann’s and the rest of the teams mails as well?
As far as I know nowhere else reported attempted hacks which, under the circumstances, I’m sure they would have done.

nc
July 19, 2012 10:33 am

Someone had mentioned in another post that maybe the investigation was shut down so that there would be no court case. A court case could prove embarrassing to government considering all their “warming” push, evidence for CAGW.

P. Solar
July 19, 2012 10:35 am

msg says: Perhaps I’m underestimating how sloppy the security was at UEA?
Quite possibly. That would not surprise me at all. My estimation is:
1. Outraged, real scientist inside the “community” thinks the world needs to know.
2. Someone browsing around in unprotected ftp space stumbles upon something interesting.
3. Somebody made a backup on a flash device and left it on a bus
4. Hack by someone outside ? Nah!
4 would require
– considerable knowledge and experience.
– motivation in relation to timing of cop15
– knowledge that there was something significant to be had and where to look.
Low probability does not exclude the latter option but I think it is unlikely.
If it was 1, UEA would probably not want the whole argument about malfeasance, data rigging and corrupt science to come out in public and certainly not with staff being called to give sworn testimony in a court of law.
The appropriately named Vice Chancellor would probably have indicated to the local plod that they did not wish to pursue the matter and in any case they were going to pay lots of money for an “independent” enquiry into the whole business.
The establishment figures that did not want more questions being asked about climate science than already were, would have spoken to Lords This and That, who would have had a discreet word with the Chief Constable who would have arranged for nothing to be done for the next 2 1/2 years.

Ged
July 19, 2012 10:37 am

@Mosher,
I completely agree with you, that’s the most likely case. The hilarious thing is, that’s not all that hard to do. Something as simple as the Tor network would allow that, and that’s just one easily obtained example (I don’t think Tor was used; and it was probably something more sophisticated).

P. Solar
July 19, 2012 10:40 am

Oh, BTW, before anyone starts fluffing on about conspiracy theorists, I would just point out that the official explanation is just that. So if anyone wants to pooh-pooh anything as a baseless conspiracy theory let’s start with that press release.

July 19, 2012 11:18 am

Cabin Fever

AnonyMoose
July 19, 2012 11:24 am

Anthony Watts says:
July 19, 2012 at 7:35 am
@MrV I expect that if “FOIA” is going to release the remainder, he/she will do so right around November 19th, 2012, and perhaps even reveal him/herself since the statute of limitations will have expired. – Anthony

FOIA 2011’s clock is only a year old. Whatever clocks are running and whatever other charges are possible, it’s too soon to be safe from prosecution.
Besides, it’s much better for those with something to hide to not know who to hide it from.

Crispin in Waterloo
July 19, 2012 11:25 am

@ Alan Watt
Ouch!
@Kaboom
“It also means such an attack would have had to trace the backup regime of the email system to the backup servers, which means that multiple servers had to be intruded into at administrator level to obtain the information.”
There are several scenarios that could reduce the number of servers accessed. Someone on the inside sets up a copy of all the FOIA information and records where it is. An administrative account is used to gain access with the usual track-covering as the location of the server is entered and the file accessed. The file is transmitted on a slow leak basis a-la-ZoneAlarm when the Israelis first bought it or equivalent. There is a programme from McAfee that monitors exactly that sort of track-covering but it is hard for the hacker to see it. Even if it was deployed, it only results in proving the hack and giving the (false) IP address of some compromised PC in Poland or China.
Another is that a user password is hijacked and the hashes of the pwd’s are accessed and transmitted. The pwd’s are put into the hashing algorithm to crack the admins one level at a time, then ditto the slow leak. Getting that high means they could even create a new user, walk in and out for weeks, then cancel the account and use a backup of the user lists to overwrite the new one, restoring the pre-hack condition. Ditto the file that tracks that update. When you see someone walking through the front door of a system with many users you can bet there wasn’t much of a hack involved but the track-covering needs a little more knowledge of what files to edit, delete or overwrite. It does not sound very sophisticated, frankly.
From the contents of CG1 it is pretty obvious that someone had long-term access to read and appreciate the HARRY files and to check out the related materials. An insider only needs to go in from outside to look like an outsider. Getting in is easy. There are too many ways to list here.
That no one was prosecuted (yet) does not surprise me. Personally I think there was inside assistance (or a played fool).

Gary
July 19, 2012 11:41 am

Aren’t the remaining Climategate files already released but encrypted? Past practice suggests looking for a brief comment containing the key to appear somewhere on a blog post “miraculously.”

July 19, 2012 12:25 pm

Steven Mosher says:
July 19, 2012 at 9:11 am
somebody real smart on the inside.
who is smart enough to use proxy servers so it looks like it comes from the outside.
=====================================================
And that list would be very short??

Kev-in-UK
July 19, 2012 12:31 pm

I’m with Mosher too – it is 99.9% certain to be a genuine internal whistleblower (and we all immediately think of Harry, LOL). FWIW, here’s my ‘profile’ of the person.
1) He/she will be unlikely to be directly involved in climate science (i.e. at the sharp end) because they copied whole swathes of data instead of specific incriminating ones.
2) from 1) to be able to do that probably requires lots of access time – I would have thought obviously someone in the IT department would be favourite! Having said that – it may have been grabbed as some massive file dump to DVD or something in one session and reviewed later? but I would have thought the archiving was in some sort of sectional manner requiring knowledge of the filing/archiving system.
3) Could be a junior level person? Probably not ‘well read’ but scientifically adept to recognise some flaws in the ‘science’? – because, again, they probably didn’t understand all the stuff they obtained, just bits of it and maybe had seen blogs or whatever and realised that something wasn’t right? Collecting/collating vast amounts of data would be a ‘safe’ way of getting something ‘important’ rather than random trawling?
4) Not sure of this – but if the archived data was/is ‘searchable’ – you would think that an IT person would know this, and gather ‘related’ data together using such a search? This makes me think it could possibly be a student, with relatively ‘open’ access?
5) I am fairly certain it will be a sole operator, at most two? – because more mouths may make more mistakes? Conversely (but very unlikely IMO) would be several operators, all accessing the data in smaller ‘chunks’?
Whoever or whatever – I think the person(s) is a hero and deserves the plaudits when they can become due!

mojo
July 19, 2012 1:32 pm

Backup server: large files, typically a major fraction of the volume being backed up, compressed as much as possible. Still, pretty big. Take a while to transfer over an internet connection.
While it’s transferring (and AFTER your break-in has possibly attracted unwanted attention from a hypothetical Intrusion Detection system), you’re sitting there, behind 2 or 3 proxies, hoping that nobody is trying to trace your very active connection. Or pulling the network plug on your target server, which would be my first reaction as an admin in that scenario.
An hour or so later, when the transfer is complete, you kill the connection, then get to work restoring your new backup image to a local filesystem.
Not. Likely.

Gary Hladik
July 19, 2012 1:43 pm

Kelvin Vaughan says (July 19, 2012 at 7:50 am): “I would think someone considering suicide is mentally ill. If I were his employer I would put him on sick leave and make sure he gets psychiatric help!”
They probably figured Jones’s death threat against himself was no more credible than the other “death threats”.

Atomic Hairdryer
July 19, 2012 1:48 pm

“..by planting a false trail and utilising a series of proxy servers located around the world.”
False trails and proxies from around the world. Where have I seen this crime before?

FerdinandAkin
July 19, 2012 1:54 pm

the exact time spent on each activity is not recorded
That is because the Constabulary did not spend any time on an investigation, and all the cost went to public relations.
They knew when the files were copied, how the files were copied, and who did the copying on November 17. What we are seeing now is a Jedi mind trick an individual in a position of remarkable authority is using on the Constabulary. “These are not the droids you’re looking for.”
Activity around the exit doors is picking up and will soon become a stampede.

Hilary Ostrov (aka hro001)
July 19, 2012 2:17 pm

Steven Mosher says: July 19, 2012 at 9:11 am

somebody real smart on the inside.
who is smart enough to use proxy servers so it looks like it comes from the outside.

Indeed. There’s an interesting “response” to a question at their press conference, today, which suggests that their “results” – if not the impression of “certainty” conveyed by their initial press release, yesterday – may well have been affected by a “screening fallacy”:

Can you describe what investigations you undertook at the UEA and who you interviewed there?
The focus internally was on the IT infrastructure and working out from there. We also looked at people working at or with connections to the Climate Research Unit and, in simple terms, we were looking for anything obvious. All members of staff were interviewed. If someone had some obvious links or had an axe to grind, then that might have been a line of enquiry.
Generally speaking, it was a screening exercise which did not provide any positive lines of enquiry.
Whilst – because we have not found the perpetrators – we cannot say categorically that no-one at the UEA is involved, there is no evidence to suggest that there was. The nature and sophistication of the attack does not suggest that it was anyone at the UEA. [emphasis added -hro]

At the very least, as with the Muir Russell report, yet another demonstration that if you ask wrong questions of the wrong people, you are well on your way to finding the right answer!

Jimi Bostock
July 19, 2012 3:27 pm

It just gets more miraculous – like turning water into wine at a wedding

Sean
July 19, 2012 3:39 pm

So they still offer no evidence to substantiate their claims that there was a hack.

Gary Pearse
July 19, 2012 3:39 pm

Saying your life has been threatened is a weak-kneed response when there is just no redemption possible after you have disgraced yourself. Resort to poor little me to garner sympathy. Too late for that. Saying there has been no warming for 15 years is a start though. Trenberth’s years long hunt for the missing heat that was a travesty is less admirable, especially since the quest is being paid for by the taxpayer.

Sean
July 19, 2012 3:51 pm

By threats to his life, what Jones probably meant at the time was that since his shenanigans were made public he now knew that he was publicly disgraced as a junk science activist, that his academic life was over, and that he would spend the rest of his days greeting people at Walmart. In other words his statement was nothing but symbolic hyperbole and tantamount to an admission of guilt.

July 19, 2012 4:28 pm

Sean says:
“So they still offer no evidence to substantiate their claims that there was a hack.”
None at all. It is completely baseless speculation, just like it always was.

Editor
July 19, 2012 6:53 pm

Steven Mosher says:
July 19, 2012 at 9:11 am

somebody real smart on the inside.
who is smart enough to use proxy servers so it looks like it comes from the outside.

I agree. I can’t imagine that anyone on the outside would:
1) Take what appears now to be a huge amount of Email.
2) Pull out an interesting subset (given the odd choices, I might be wrong, he may have picked several interesting pieces and randomly picked many from what was left).
3) Post in a fashion that shows no mercenary interest. While self-satisfaction for all the attention it got may be adequate, it’s very odd that he didn’t release all of it. Then again, it could be that he didn’t want to call too much attention with a really large upload.

Editor
July 19, 2012 6:59 pm

> no crimes were recorded detailing threats to life or threats of bodily harm.
So, the only death threats were from Phil Jones?
Yeah, it’s not very nice, but neither was what Jones said about John Daly’s death.

SteveB
July 19, 2012 7:05 pm

“a series of remote attacks via the Internet, which accessed an internal back-up server.”
Really ? Wow ! The UEA must have the most insecure network ever. An internal back-up server should never, ever be accessible via the internet. It should sit behind at least two firewalls making it impossible to access (unless their firewall rules are very, very poor). And all those e-mails on the back-up server ? No way. It’s standard practice within the IT industry to back data up to disk before moving it to tape within 24 hours.
Plod’s explanation doesn’t sound at all plausible to me.

Dinostratus
July 19, 2012 8:27 pm

“That the attack was highly sophisticated and was undertaken by a person or persons who were highly competent and who knew how to conceal their activity.”
I always figured it was Russian hackers. Reading through the emails the Russian researchers got hosed and I felt they might carry a grudge and have encouraged someone(s) to expose the emails.

July 19, 2012 8:30 pm

“That there is no evidence to suggest that anyone working at or associated with the University of East Anglia was involved in the crime.”
“That the attack was highly sophisticated and was undertaken by a person or persons who were highly competent and who knew how to conceal their activity.”
The second doesn’t exclude the first. Nevertheless it still might have been someone at UEA using the proxies from inside the building and could not be detected anyway.
So both assertions are contradictory.
My very first thought in the first seconds was about “Harry” from the CRU files.
He was a) shaken from the mess of the data files, b) indignant about data fudging, c) in possession of access to the files and d) as a programmer, someone who has the technical understanding and capabilities to use proxies.

July 19, 2012 9:40 pm

If the cracking was as sophisticated as officialdom indicates, it could have been an inside job with remote red herrings added to confuse the trail

eyesonu
July 19, 2012 11:31 pm

Kelvin Vaughan says:
July 19, 2012 at 7:50 am
I would think someone considering suicide is mentally ill. If I were his employer I would put him on sick leave and make sure he gets psychiatric help!
========================
If I were his employer I would fire his a** and get myself psychiatric help for not doing so much sooner.

Peter Hannan
July 20, 2012 1:30 am

‘It rather deflates the whole episode.’ WUWT recently published a collection of mails to Phil Jones / CRU which included clear and ugly threats, and rightly denounced them. If PJ / CRU didn’t report these formally to the police, that’s another matter, but that’s no reason, given the evidence previously published here, for dismissing the difficult experience of fellow humans (even though we might disagree with their views).

Sleepalot
July 20, 2012 7:10 am

That Phil Jones/CRU did not report any death threats to the police suggests those death threats they produced were not genuine.

Reg Nelson
July 20, 2012 7:39 pm

Peter Hannan says:
July 20, 2012 at 1:30 am
‘It rather deflates the whole episode.’ WUWT recently published a collection of mails to Phil Jones / CRU which included clear and ugly threats, and rightly denounced them. If PJ / CRU didn’t report these formally to the police, that’s another matter, but that’s no reason, given the evidence previously published here, for dismissing the difficult experience of fellow humans (even though we might disagree with their views).
===================
Peter, every organization of any size uses mail filtering. This is most often accomplished through third party (cloud) or (less frequently) appliances and (even less frequently) software. In any event, it’s incredibly far-fetched to believe that any of these emails would have made their way through to the UEA mail servers and into Jones’ mailbox.
This is why some may question the claims of Phil Jones. The fact that he never reported these threats to the police makes his claims all the more dubious.

Editor
July 22, 2012 1:14 am

Couple of things:
As a long time computer consultant, I’ve been “inside” a lot of shops and seen a lot of ways things can be set up. Often they are set up poorly, even in good shops. The worst are truly horrendous (and schools are often deliberately very open on security issues and often have “volunteer” or intern staff doing the work, not folks with 20 years experience. Though management often will have ‘time in grade’.)
Doing “Security Audits” of sites, I typically found SOME way in or SOME things left unsecured. It only takes one…
The argument that it took a lot of time to assemble the files misses the point that this looks like an archive being prepared BY the FOIA officer for the FOIA request (that was about to be canceled.) Whoever pulled the data off, had to pull down a large block of data, but not select or assemble it.
On the question of “inside job”: You can’t know and can’t even speculate well. It is common practice (though a bad one) to have an internal backup server that pulls backups from the remote / outside the firewall machines. These programs often run as ‘root’ to be able to read all data files. So a machine behind a modest firewall issues a remote “run FOO as root” command. A simple hack is to replace “FOO” with your desired code (that then grants you root access on that box). It then also copies data back to a machine inside the firewall – that gives an open pipe to swim up… Depending on just how tight it is, and how secured the machine at the other end, you may or may not have relatively easy access. Anyone remember the “Internet Worm” from the ’80s? Didn’t even need that much access to break in (and it is now 1/4 century old kit…)
I’d guess that the root kit on the external server let the hack reach back through the firewall and crack into the box doing the backups. Then you just have a nice little look around… Find a FOIA request archive and suck it out.
Yes, it could be ‘inside push’ with distractors; but nearly as easily (and via known methods of exploit) it could be a “crack the external server swim up the backup pipe / code”. (In sites I’ve audited, I’ve recommended a dedicated backup system for boxes outside the firewall or in the DMZ. It’s just too easy to have a firewall rule that says something like “Root allowed from that box” or “Backserve ID allowed” and then all your security hangs on the outside box.) Yes, there are ways to do remote backup safely; but they are often not what is done.
Furthermore, I’d speculate that the FOIA file was to be put onto that external server for distribution (if the request were approved). In that case, there may well have been a variety of “fetch” scripts on the box for shuttling things back and forth from inside to outside. (Too many times I’ve seen that). Now a compromise of the external box lets you ‘go fish’ in ‘the usual directories’ to see what might be there…
Heck, I’ve even had to argue with folks a dozen times about NOT “dual homing” external servers. LOTS of folks have Email, Backup, FTP, HTTP, etc. servers that have a DMZ or Public interface AND a NIC plugged into the private side “for administration”. Yes, you really do need to explain to folks that this makes their firewall kind of pointless as EVERY dual homed box is now “the weakest link”… So given how often I’ve seen this, it could simply be that the “internal backup server” had one NIC on the internal side and one on the external side…
In an ideal shop, none of that would be done. In The Real World, it is more often than not done that way.
And all that is before you get to more unusual approaches… At one site I had someone set up a wireless access point in their office. In one moment they made the entire corporate network accessible to anyone in a large area around that building… A corporate network that spanned several places in the State and a couple of foreign offices… So it could simply be someone leaving wireless bridging turned on in their office anywhere on the network, and someone wanders in, compromises a boundary box and drops some holes in it; then later comes in from remote using the holes.
So while you can speculate on “who might have done it”, without the logs and data you are just making up fairy tales… I see no evidence for making the odds anything other than 50/50 for inside vs outside (at this time).
Oh, and ‘backup servers’ are often left in states of lower vigilance than regular production servers. That they say a ‘series of remote attacks’ implies to me that they have a log file showing several attacks that eventually make it in. That, then, implies that the site did not have enough ‘tripwires’ and ‘early warning’ gizmos to raise an alarm on first intrusion attempts.
A decent “Honey Pot” with LOTS of intrusion detection modifications would catch that… (We would make ‘custom code’ for all the shells and most of the ‘navigation’ commands ( things like ls and cd that let you look around or move) and if you ran them as root but had not set a magic cookie via a secret method, it would page staff and light up monitors… Caught a lot of attempted intrusions at a very early stage that way. BUT, you must be willing to write some hidden code yourself… and have a custom OS built…
So absent indications to the contrary ( i.e. Real Data and Logs) we can’t choose between “bad security” and “high class attack” and “inside help”. Best we have is that the posting makes it look like the break in took some time, and that argues for ‘not an insider’ (or a very very clever one who knows they could try for a while and not set off any alarms…)
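The “tripwire” idea in the comment above (instrumented navigation commands that raise an alarm when run as root without a secret marker having been set first) is easy to sketch. The following is an added example, not the commenter's own code or anything from the UEA/CRU systems; the HMAC-per-minute marker scheme, the marker file path and the in-memory alert list are all assumptions standing in for whatever “secret method” and paging system a real site would use.

```python
"""Tripwire check for a wrapped navigation command (e.g. a replacement ls/cd).

Policy (from the comment this illustrates): root running a navigation command
without a fresh secret marker is treated as an early-stage intrusion signal.
Added example; marker scheme and alert sink are assumptions, not a real product.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed shared secret for the example; a real deployment keeps it
# outside the OS image so a root-level intruder cannot simply read it.
SECRET = b"example-secret-do-not-reuse"
COOKIE_PATH = "/run/tripwire.cookie"   # assumed marker location
COOKIE_TTL = 600                        # seconds a marker remains valid


def expected_cookie(epoch_minute: int) -> str:
    """Marker for one minute = HMAC(secret, minute), so a copied marker ages out."""
    return hmac.new(SECRET, str(epoch_minute).encode(), hashlib.sha256).hexdigest()


def cookie_valid(cookie: Optional[str], now: float) -> bool:
    """Accept a marker issued within COOKIE_TTL, comparing in constant time."""
    if not cookie:
        return False
    minute = int(now // 60)
    for m in range(minute, minute - COOKIE_TTL // 60 - 1, -1):
        if hmac.compare_digest(cookie, expected_cookie(m)):
            return True
    return False


@dataclass
class Alert:
    when: float
    command: str
    cwd: str
    reason: str


@dataclass
class Tripwire:
    alerts: List[Alert] = field(default_factory=list)

    def check(self, command: str, euid: int, cookie: Optional[str],
              now: float, cwd: str = "/") -> bool:
        """Return True if the command may run quietly; otherwise record an alert.

        Unprivileged users are uninteresting to this tripwire; root without a
        currently valid marker is what the comment describes paging staff for.
        """
        if euid != 0 or cookie_valid(cookie, now):
            return True
        self.alerts.append(Alert(now, command, cwd,
                                 "root navigation without valid marker"))
        return False


def read_cookie(path: str = COOKIE_PATH) -> Optional[str]:
    """Read the marker an operator set via the (assumed) secret method."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None
```

In the real wrapper, `Tripwire.check("ls", os.geteuid(), read_cookie(), time.time(), os.getcwd())` would run before the genuine binary is exec'd, and the alert list would be replaced by the paging or console-lighting hook the comment mentions.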