While Joe Romm and Keith Olbermann spin the most absurd conspiracy theory imaginable about Climategate, that it was the work of the News of the World, Murdoch, and/or Wallis, we find another example of academic file hacking, this one far simpler but far larger in volume. Our Keystone Kops, Romm and Olbermann, miss the obvious: if it was NOTW/Murdoch, why didn’t it show up in those newspapers first, instead of on blogs like CA, tAV, RC, and of course WUWT?
While they rage ridiculously, we now have an example of a scientific hack that illustrates just how simple it is to do, and how bad the academics were (at MIT, no less) at preventing it, even though they knew it was happening. All it took was one guy, a laptop, some simple scripts, and an unsecured network switch cabinet like the one on campus pictured at right. Apparently the guy just shoved his laptop into the cabinet under the wires and boxes, hooked it to the switch, and MIT was none the wiser.
From the Register:
Reddit programmer charged with massive data theft
Harvard ethics fellow accused of hacking MIT
By Dan Goodin
Posted in Crime, 19th July 2011 17:43 GMT
A former employee of Reddit has been accused of hacking into the computer systems of the Massachusetts Institute of Technology and downloading almost 5 million scholarly documents from a nonprofit archive service.
Aaron Swartz, a 24-year-old researcher in Harvard University’s Center for Ethics, broke into a locked computer-wiring closet in an MIT basement and used a switch there to gain unauthorized access to the college’s network, federal prosecutors alleged Tuesday. He then downloaded 4.8 million articles from JSTOR [1], an online archive of more than 1,000 academic journals, according to an indictment filed in US District Court in Boston.
…
When JSTOR blocked the MIT IP address Swartz used in September, for example, the Harvard fellow allegedly incremented a single digit and resumed his wholesale downloading binge, which was streamlined with a custom Python script. JSTOR at times responded by blocking huge ranges of IP addresses, causing legitimate JSTOR users at MIT to be denied access.
More: http://www.theregister.co.uk/2011/07/19/harvard_fellow_indicted/
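The Register’s account of the block-and-increment cat-and-mouse, and of JSTOR answering by blocking whole address ranges and locking out legitimate MIT users, suggests what a less blunt response looks like. The following is an added example, not code from The Register, JSTOR or MIT: it runs over constructed web-server log lines (addresses, user agent and paths are made up), flags any source fetching articles faster than a reader could, and links a cut-off source to a neighbour in the same /24 that resumes with the same client fingerprint, so the response can follow that client rather than a range of innocent users.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log (not real JSTOR or MIT data): epoch seconds, client IP,
# user agent, path. 18.0.0.10 scrapes, is cut off, then resumes as 18.0.0.11.
SAMPLE_LOG = """\
1600000000 18.0.0.10 python-urllib/2.7 /stable/10001
1600000002 18.0.0.10 python-urllib/2.7 /stable/10002
1600000004 18.0.0.10 python-urllib/2.7 /stable/10003
1600000010 18.0.5.7 Mozilla/5.0 /stable/20001
1600000040 18.0.0.11 python-urllib/2.7 /stable/10004
1600000042 18.0.0.11 python-urllib/2.7 /stable/10005
1600000044 18.0.0.11 python-urllib/2.7 /stable/10006
1600000070 18.0.5.7 Mozilla/5.0 /stable/20002
"""

def parse_log(text):
    """Split each line into (timestamp, ip, user_agent, path)."""
    rows = (line.split(None, 3) for line in text.splitlines())
    return [(int(ts), ip, ua, path) for ts, ip, ua, path in rows]

def bulk_downloaders(events, window=60, threshold=3):
    """Return {ip: time_flagged} for sources with >= threshold hits in any window."""
    times_by_ip = defaultdict(list)
    for ts, ip, _, _ in events:
        times_by_ip[ip].append(ts)
    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):       # sliding window over sorted hits
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = t
                break
    return flagged

def linked_hops(events, flagged):
    """Map a flagged IP to a /24 neighbour that starts later with the same user agent."""
    ua_of, first_seen = {}, {}
    for ts, ip, ua, _ in events:
        ua_of.setdefault(ip, ua)
        first_seen.setdefault(ip, ts)
    hops = {}
    for old, t_flag in flagged.items():
        net = ipaddress.ip_network(old + "/24", strict=False)
        for new in ua_of:
            if (new != old and ipaddress.ip_address(new) in net
                    and ua_of[new] == ua_of[old] and first_seen[new] > t_flag):
                hops[old] = new
    return hops
```

On the sample, both scraper addresses are flagged, the ordinary reader is not, and the second address is tied back to the first.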
It has long been speculated (and analysed) that the Climategate release was an inside job, or at the very least done by somebody with inside access. Hooking up your laptop to the internal network via an unsecured switch cabinet seems to be a pretty simple way to go about getting internal access.
Given how sloppy CRU was at leaving files lying around in the open (Steve McIntyre had fun with the “mole” story prior to Climategate), getting onto the internal UEA/CRU network might have been all that was needed.
h/t to WUWT reader AndiC
“researcher in Harvard University’s Center for Ethics”
Classic.
Has he made the papers available to Wikileaks, or are they all back behind the paywall again?
If these papers were originally written under government contracts there can be no breach alleged as he has as much right to them as anyone else as a taxpayer.
I hope that he uses this defense.
Knew it and told ya so re Norfolk police wallis etc excuse boast
If the docs were all public domain, then Swartz’s claim to be enforcing ethics is valid. But MIT does a lot of engineering and computer research for industry and commerce, so given the huge number of docs I strongly doubt that they’d all be federally financed.
JSTOR. How is paying exorbitant sums for articles that have lobbying influence in Congress for policy and budgetary considerations justified as ‘nonprofit’?
Who’s the real thief, or are they both from the same kitchen?
Looking at the hardware involved in storing the articles/data, that’s a hefty fee being charged.
Without these middlemen setting a price for what used to be open access to the public, there would now exist no incentive to purvey/liberate/uncover/FOIA.
MIT has been duped, in more ways than one. The solution is simple and cheap: Get rid of the middlemen. Isn’t MIT supposed to be home to the best & brightest?
I wouldn’t think so, given that nobody got off their intellectual duff to go look for the obvious. Tsk, tsk.
I posted a link over at Bishop Hill in Unthreaded about thousands of scientific papers leaked from the Royal Society; I think The Register has the full details:
“19,000 papers leaked to protest ‘war against knowledge’. The 18,592 documents made available Wednesday through Bittorrent were pulled from the Philosophical Transactions of the Royal Society.” http://www.theregister.co.uk/2011/07/21/aaron_swartz_prosecution_protest/
Dennis Wingo says:
July 23, 2011 at 8:32 am
Depends on who brings civil charges. If Jstor does, they’ll be arguing they provide a value-added service. If the Journals do, they’ll argue the same, pointing out the editing and peer review they oversee. For the criminal charges, the prosecutors will bring in both.
It would be pretty dumb to argue a non sequitur as a defense.
I suppose he could argue that charging for those value-added services on gov’t funded papers is unethical, but I suspect he won’t get much support from Harvard. I wonder how many of their papers he downloaded.
The Register goes on (or has added since publication):
Umm, remind me not to call Segal the next time I’m looking for a good analogy.
Getting inside a firewalled network is easy. The classic technique is to hand out free CDs or thumbdrives at the subway stop or on the street corner or leave a little basket of them in the reception area. Tell people that they print some kind of online birthday card or Christmas message or whatever. Do this between 7 and 9 a.m.
Somebody, all it takes is one, will grab one and proceed to their office and sit at their desk and plug it in to their work PC, which will be inside the corporate firewall. It will phone home, and Presto, you’re in.
The vast majority of hacks are done via human engineering. The more companies are aware of this, the better, and the better they’ll train their staff. The black-hatters are all very well aware already, and it’s usually the first 10 things they try, some form of human engineering. This guy getting a laptop plugged directly into the target’s hub will give him bragging rights for years.
The UEA knows EXACTLY how and who did the Climategate job; their embarrassment at how (and why) it was done is the reason they can’t “find” the culprit(s). For such an expensive, notorious “crime”, the lack of resolution to Climategate shows that the University doesn’t want the perps to be identified.
When there is a breach in computer security, the local IT find the breach and plug it. That is what the UEA did. They did NOT scratch their heads and wander off, clueless. But there is much value in claiming to be a victim without resolution; less when the bad guy is found. Then you have to answer for your conduct up to the crime (even if reasonable, you still have to demonstrate good faith in your behaviour). Which may lead some to see the crime (in this case) as either victimless or … for the UEA, legitimate.
This is really fun. Over 30 years ago as a student at BYU our operating systems instructor Evan Ivie was a former Bell Labs employee. He was running Unix on a couple old Vax machines. We were stoked back then with 500k cpu memory, which shows you how far we’ve come in 30 years. Anyway, one day he gave the class an assignment to hack all the other class member’s account. You had to come up with proof you accessed something like 10 other accounts by mailing yourself an email from each account accessed. It is probably the coolest school assignment I’d ever been given.
Back in those days, access to computers was through text terminals. No graphics. The school lab had a couple dozen terminals for students to use. The login program simply waited for people to log in. You typed in your login name and your password, and you were in. So I made a C shell script that imitated the login program. A student would log in, and my program would read their name and password. I’d then issue the standard warning for an illegal password, then I’d spawn the real login program so that when they did it a second time, they got proper access. Then I would read the file manually, see the name and password, then I’d log in as them. I’d send myself the email that was required. Then, to make things easier for me, I edited the .logout script that runs automatically after a person logs out. Using that, I spawned a copy of my password snatcher, and the person wasn’t really logged out, but I put out the standard logout message to make them think they were. I used a non-printable character in the script name so that instead of being an obvious snatcher process, it showed up as a “?” on the process list like some system programs.
This had the effect of spreading my script because when they logged in again at different terminals, my program would be running when they left on the new terminals. Pretty soon, I had completed my assignment, and had over a dozen different terminals running my program. It felt just like being in a hacker movie. It was sooooo cool.
After that, I got permission from Dr. Ivie to attempt to hack the department computers to see if I could compromise the root (superuser) privileges. I was able to get all three of the department’s computers using a different technique. But that’s a story for the next time we have a hacking post.
Who says he broke into the cabinet? In the U.K. he would have said the window was open and claimed squatters’ rights (soon to end). Anyway, top man for showing up the cr*p security!
5 million!! With only a handful of natural laws, there is clearly a lot of fluff in the scientific literature. The climate science examples suggest that a massive cull is needed for all scientific literature. At least the fraction of one percent of important papers should be pulled out of the morass and made a separate library.
Bah, the old laptop trick, that’s so 90’s. Use a Sheevaplug or Tonidoplug computer, or better yet go elite and change a wall outlet to a Jack PC wall outlet computer, and Bob’s your uncle and Mum’s none the wiser.
But, essentially, panzer-tin-foil-pants Romm and Olbermann are nothing but simpleton conspiracy theorists of the worst kind, the less knowledgeable ones. That’s a hoot. :p
The guy is described as a “Harvard ethics fellow” … this was obviously, er, a practical experiment in ethics of a rather unusual sort. Alright, a very unusual sort. But as someone who groans inwardly whenever he sees a JSTOR link, I really want to support him – I’m fed up with banging my head against their paywall.
“Aaron Swartz, a 24-year-old researcher in Harvard University’s Center for Ethics, broke into a locked computer-wiring closet in an MIT ”
Good heavens he sure doesn’t know much about ethics for a researcher in the ethics department. Kind of reminds me of how researchers in the climatology departments of universities tend to not know much about climatology.
The comment by “To” is from me.
It’s absurd too because The Times has been at the front (just behind The Guardian) of climate change hysteria in the UK and supports cap and trade. It claims to be the only carbon neutral newspaper.
I can’t help but think you’re missing the big story here, perhaps because of your climate focus.
It can be argued how close the analogy is between this hacking and climategate – anyone with an MIT library card (or most university library cards) could get access to this, while the emails were private.
But the real point is that many academics are angry and frustrated about the paywall system of journal access. They want their work read as widely as possible and see the behaviour of the journal publishers (especially Elsevier) as unethical. Many of them are trying to push the system to a more Open Access.
Many here will disagree with their liberal politics. But if you could just get over the fact that many of them are state employees, why not get involved with the bigger campaign for open access? There is a great opportunity for making unexpected friends here that could prove beneficial in the long run.
Start a campaign for PubClimate Central modelled on PubMed Central (see http://en.wikipedia.org/wiki/PubMed_Central ). Even better would be PubScience or PubKnowledge Central. As long as you don’t pitch it too far as an attempt to break a conspiracy by academics to keep the public in ignorance (sorry for the caricature, but I guess you know what I mean), then I doubt you will get academics against you. Pitch it right and you might get unequivocal support (on this initiative) from some of your most implacable scientific opponents. Seriously.
And as Steve McIntyre pointed out (East Anglia’s Toxic Reputation Manager) Neil Wallis (ex-News of the World) was working for the UEA in helping them to manage their reputation, not the hackers.
So it is just about conceivable that Wallis was playing both sides, and pretending to be on UEA’s side when he’d already been behind the hacking in the first place, but that seems a little unlikely.
Keith Olbermann, blogging about Climategate, has the audacity to assert that “exhaustive analysis later proved that the emails merely revealed scientists’ anxiety that Climate Data and Research were being properly handled and studied”. I don’t converse with libtards all that often, but I am disheartened to see they have no idea of the real situation.
Are we sure this guy doesn’t work for the Russians?
I have a hypothesis that somebody who puts out a book within days of the Climategate leak probably had the emails for a while before then.
How ’bout that.
“anyone with an MIT library card (or most university library cards) could get access to this, while the emails were private.”
One isn’t more private than the other. Just because more people have access to one doesn’t mean that people without access should be able to get them.