Paywallgate: hacker breaches MIT, downloads millions of papers

While Joe Romm and Keith Olbermann spin the most absurd conspiracy theory imaginable related to Climategate, that it was the work of “News of the World”, Murdoch, and/or Wallis, we find another example of academic file hacking, this one far simpler but far larger in volume. Our keystone cops Romm and Olbermann miss the obvious: if it was NOTW/Murdoch, why didn’t it show up in those newspapers first, instead of on blogs like CA, tAV, RC, and of course WUWT?

While they rage ridiculously, we now have an example of a scientific hack that illustrates just how simple it is to do, and how bad the academics were (at MIT no less) at preventing it even though they knew it was happening. All it took was one guy, a laptop, some simple scripts, and an unsecured network switch cabinet like this one on campus at right. Apparently the guy just shoved his laptop into the cabinet under the wires and boxes, hooked it to the switch, and MIT was none the wiser.

From the Register:

Reddit programmer charged with massive data theft

Harvard ethics fellow accused of hacking MIT

By Dan Goodin

Posted in Crime, 19th July 2011 17:43 GMT

A former employee of Reddit has been accused of hacking into the computer systems of the Massachusetts Institute of Technology and downloading almost 5 million scholarly documents from a nonprofit archive service.

Aaron Swartz, a 24-year-old researcher in Harvard University’s Center for Ethics, broke into a locked computer-wiring closet in an MIT basement and used a switch there to gain unauthorized access to the college’s network, federal prosecutors alleged Tuesday. He then downloaded 4.8 million articles from JSTOR, an online archive of more than 1,000 academic journals, according to an indictment filed in US District Court in Boston.

When JSTOR blocked the MIT IP address Swartz used in September, for example, the Harvard fellow allegedly incremented a single digit and resumed his wholesale downloading binge, which was streamlined with a custom Python script. JSTOR at times responded by blocking huge ranges of IP addresses, causing legitimate JSTOR users at MIT to be denied access.

More: http://www.theregister.co.uk/2011/07/19/harvard_fellow_indicted/

It has long been speculated (and analysed) that the Climategate release was an inside job, or at the very least done by somebody with inside access. Hooking up your laptop to the internal network via an unsecured switch cabinet seems to be a pretty simple way to go about getting internal access.

Given how sloppy CRU was at leaving files lying around in the open (Steve McIntyre had fun with the “mole” story prior to Climategate), getting onto the internal UEA/CRU network might have been all that was needed.

h/t to WUWT reader AndiC
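
The Register excerpt above describes a single address being blocked, the downloads resuming from the next address, and range blocks then cutting off legitimate users. As an added example (not from the original post, the Register, or JSTOR), the Python below runs that detection over a constructed access log: it finds per-address bulk downloaders, links a blocked address to a neighbour in the same /24 that takes over shortly afterwards, and lists the ordinary clients a /24 block would have locked out. The log format, thresholds and TEST-NET addresses are assumptions made for the example.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

RATE_LIMIT = 30                         # assumed: successful requests per minute
EVASION_WINDOW = timedelta(minutes=30)  # assumed: max gap between block and successor


def sample_log():
    """Constructed lines: '<ISO time> <client ip> <status> <path>'."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    lines = []

    def emit(ip, start_s, count, status):
        for i in range(count):
            ts = t0 + timedelta(seconds=start_s + i)
            lines.append(f"{ts.isoformat()} {ip} {status} /stable/{1000 + i}")

    emit("192.0.2.41", 0, 50, 200)       # bulk downloader
    emit("192.0.2.41", 60, 5, 403)       # ...then blocked by the archive
    emit("192.0.2.42", 180, 50, 200)     # neighbouring address takes over
    emit("192.0.2.77", 10, 3, 200)       # ordinary reader in the same /24
    emit("198.51.100.9", 200, 45, 200)   # heavy client on an unrelated network
    return sorted(lines)


def parse(lines):
    for line in lines:
        ts, ip, status, _path = line.split(maxsplit=3)
        yield datetime.fromisoformat(ts), ipaddress.ip_address(ip), int(status)


def slash24(ip):
    """The /24 containing ip (the sample data is IPv4 only)."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def analyse(lines):
    per_minute = defaultdict(Counter)    # ip -> minute bucket -> count of 200s
    first_seen, first_blocked = {}, {}
    for ts, ip, status in parse(lines):
        first_seen[ip] = min(first_seen.get(ip, ts), ts)
        if status == 403:
            first_blocked[ip] = min(first_blocked.get(ip, ts), ts)
        elif status == 200:
            per_minute[ip][ts.replace(second=0, microsecond=0)] += 1

    # Bulk downloaders: peak per-minute rate at or above the threshold.
    heavy = {ip for ip, c in per_minute.items() if max(c.values()) >= RATE_LIMIT}

    # Block evasion: a heavy address in the same /24 that first appears
    # shortly after a neighbour received its first 403.
    successors = sorted(
        (str(b), str(ip))
        for b, t_block in first_blocked.items()
        for ip in heavy
        if ip != b and ip in slash24(b)
        and timedelta(0) <= first_seen[ip] - t_block <= EVASION_WINDOW
    )

    # Clients a /24 range block would have cut off without cause.
    collateral = sorted(
        str(ip) for ip in first_seen
        if ip not in heavy and any(ip in slash24(b) for b in first_blocked)
    )
    return {
        "heavy": sorted(str(ip) for ip in heavy),
        "successors": successors,
        "collateral": collateral,
    }


if __name__ == "__main__":
    for key, value in analyse(sample_log()).items():
        print(key, value)
```

The successor pair gives an operator two single addresses to block and a switch port to trace, instead of a range block that also hits the reader at 192.0.2.77.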

Gregg

“researcher in Harvard University’s Center for Ethics”
Classic.

Darren Parker

Has he made the papers available to wikileaks or are they all back behind the paywall again?

Dennis Wingo

If these papers were originally written under government contracts there can be no breach alleged as he has as much right to them as anyone else as a taxpayer.
I hope that he uses this defense.

Adriana Ortiz

Knew it and told ya so re Norfolk police wallis etc excuse boast

polistra

If the docs were all public domain, then Swartz’s claim to be enforcing ethics is valid. But MIT does a lot of engineering and computer research for industry and commerce, so given the huge number of docs I strongly doubt that they’d all be federally financed.

rbateman

JSTOR. How is paying exorbitant sums for articles that have lobbying influence in Congress for policy and budgetary considerations justified as ‘nonprofit’?
Who’s the real thief, or are they both from the same kitchen?
Looking at the hardware involved in storing the articles/data, that’s a hefty fee being charged.
Without these middlemen setting a price for what used to be open access to the public, there would now exist no incentive to purvey/liberate/uncover/FOIA.
MIT has been duped, in more ways than one. The solution is simple and cheap: Get rid of the middlemen. Isn’t MIT supposed to be home to the best & brightest?
I wouldn’t think so, given that nobody got off their intellectual duff to go look for the obvious. Tsk, tsk.

Jace

I posted a link over at bishop hill in unthreaded about thousands of scientific papers leaked from royal society, thin the register has the full details

Jace

19,000 papers leaked to protest ‘war against knowledge’ The 18,592 documents made available Wednesday through Bittorrent were pulled from the Philosophical Transactions of the Royal Society http://www.theregister.co.uk/2011/07/21/aaron_swartz_prosecution_protest/

Dennis Wingo says:
July 23, 2011 at 8:32 am

If these papers were originally written under government contracts there can be no breach alleged as he has as much right to them as anyone else as a taxpayer.
I hope that he uses this defense.

Depends on who brings civil charges. If Jstor does, they’ll be arguing they provide a value-added service. If the Journals do, they’ll argue the same, pointing out the editing and peer review they oversee. For the criminal charges, the prosecutors will bring in both.
It would be pretty dumb to argue a non sequitur as a defense.
I suppose he could argue that charging for those value-added services on gov’t funded papers is unethical, but I suspect he won’t get much support from Harvard. I wonder how many of their papers he downloaded.
The Register goes on (or has added since publication):

Members of Demand Progress, a nonprofit political action group Swartz founded, criticized the indictment.
“This makes no sense,” the group’s executive director, David Segal, said in a statement. “It’s like trying to put someone in jail for allegedly checking too many books out of the library.”

Of the 4.8 million documents allegedly downloaded, about 1.7 million of them were made available for purchase by independent publishers. Prosecutors said Swartz planned to dump the huge stash on one or more file-sharing sites.

Umm, remind me not to call Segal the next time I’m looking for a good analogy.

Getting inside a firewalled network is easy. The classic technique is to hand out free CDs or thumbdrives at the subway stop or on the street corner or leave a little basket of them in the reception area. Tell people that they print some kind of online birthday card or Christmas message or whatever. Do this between 7 and 9 a.m.
Somebody, all it takes is one, will grab one and proceed to their office and sit at their desk and plug it in to their work PC, which will be inside the corporate firewall. It will phone home, and Presto, you’re in.
The vast majority of hacks are done via human engineering. The more companies are aware of this, the better, and the better they’ll train their staff. The black-hatters are all very well aware already, and it’s usually the first 10 things they try, some form of human engineering. This guy getting a laptop plugged directly into the target’s hub will give him bragging rights for years.

Doug Proctor

The UEA knows EXACTLY how and who did the Climategate job; their embarrassment at how (and why) it was done is the reason they can’t “find” the culprit(s). For such an expensive, notorious “crime”, the lack of resolution to Climategate shows that the University doesn’t want the perps to be identified.
When there is a breach in computer security, the local IT find the breach and plug it. That is what the UEA did. They did NOT scratch their heads and wander off, clueless. But there is much value in claiming to be a victim without resolution; less when the bad guy is found. Then you have to answer for your conduct up to the crime (even if reasonable, you still have to demonstrate good faith in your behaviour). Which may lead some to see the crime (in this case) as either victimless or … for the UEA, legitimate.

Jeff Mitchell

This is really fun. Over 30 years ago as a student at BYU our operating systems instructor Evan Ivie was a former Bell Labs employee. He was running Unix on a couple old Vax machines. We were stoked back then with 500k cpu memory, which shows you how far we’ve come in 30 years. Anyway, one day he gave the class an assignment to hack all the other class member’s account. You had to come up with proof you accessed something like 10 other accounts by mailing yourself an email from each account accessed. It is probably the coolest school assignment I’d ever been given.
Back in those days, access to computers was through text terminals. No graphics. The school lab had a couple dozen terminals for students to use. The login program simply waited for people to log in. You typed in your login name and your password, and you were in. So I made a cshell script that imitated the login program. A student would log in, and my program would read their name and password. I’d then issue the standard warning for illegal password, then I’d spawn the real login program so that when they did it a second time, they got proper access. Then I would read the file manually, see the name and password, then I’d login as them. I’d send myself the email that was required. Then, to make things easier for me, I edited the .logout script that runs automatically after a person logs out. Using that, I spawned a copy of my password snatcher, and the person wasn’t really logged out, but I put out the standard logout message to make him think they were. I used a non printable character in the script name so that instead of being an obvious snatcher process, it showed up as a “?” on the process list like some system programs.
This had the effect of spreading my script because when they logged in again at different terminals, my program would be running when they left on the new terminals. Pretty soon, I had completed my assignment, and had over a dozen different terminals running my program. It felt just like being in a hacker movie. It was sooooo cool.
After that, I got permission from Dr. Ivie to attempt to hack the department computers to see if I could compromise the root (superuser) privileges. I was able to get all three of the department’s computers using a different technique. But that’s a story for the next time we have a hacking post.

Pete H

Who says he broke into the cabinet…In the U.K. he would have said the window was open and claimed squatters rights (soon to end). Anyway, top man for showing up the cr*p security!

Gary Pearse

5 million!! With only a handful of natural laws, there is clearly a lot of fluff in the scientific literature. The climate science examples suggest that a massive cull is needed for all scientific literature. At least the fraction of one percent of important papers should be pulled out of the morass and made a separate library.

1DandyTroll

Bah, the old laptop trick, that’s so 90’s. Use a Sheevaplug or Tonidoplug computer, or better yet go elite and change a wall outlet to a Jack PC wall outlet computer, and Bob’s your uncle and Mum’s none the wiser.
But, essentially, panzer-tin-foil-pants Romm and Olberman are nothing but simpleton conspiracy theorists of the worst kind, the less knowledgeable ones. That’s a hoot. :p

Steve C

The guy is described as a “Harvard ethics fellow” … this was obviously, er, a practical experiment in ethics of a rather unusual sort. Alright, a very unusual sort. But as someone who groans inwardly whenever he sees a JSTOR link, I really want to support him – I’m fed up with banging my head against their paywall.

TO

“Aaron Swartz, a 24-year-old researcher in Harvard University’s Center for Ethics, broke into a locked computer-wiring closet in an MIT ”
Good heavens he sure doesn’t know much about ethics for a researcher in the ethics department. Kind of reminds me of how researchers in the climatology departments of universities tend to not know much about climatology.

Tom t

The comment by “To” is from me.

Al Gore's Holy Hologram

It’s absurd too because The Times has been at the front (just behind The Guardian) of climate change hysteria in the UK and supports cap and trade. It claims to be the only carbon neutral newspaper.

JK

I can’t help but think you’re missing the big story here, perhaps because of your climate focus.
It can be argued how close the analogy is between this hacking and climategate – anyone with an MIT library card (or most university library cards) could get access to this, while the emails were private.
But the real point is that many academics are angry and frustrated about the paywall system of journal access. They want their work read as widely as possible and see the behaviour of the journal publishers (especially Elsevier) as unethical. Many of them are trying to push the system to a more Open Access.
Many here will disagree with their liberal politics. But if you could just get over the fact that many of them are state employees, why not get involved with the bigger campaign for open access? There is a great opportunity for making unexpected friends here that could prove beneficial in the long run.
Start a campaign for PubClimate Central modelled on PubMed Central (see http://en.wikipedia.org/wiki/PubMed_Central ). Even better would be PubScience or PubKnowledge Central. As long as you don’t pitch it too far as an attempt to break a conspiracy by academics to keep the public in ignorance (sorry for the caricature, but I guess you know what I mean) then I doubt you will get academics against you. Pitch it right and you might get unequivocal support (on this initiative) from some of your most implacable scientific opponents. Seriously.

HK

And as Steve McIntyre pointed out (East Anglia’s Toxic Reputation Manager) Neil Wallis (ex-News of the World) was working for the UEA in helping them to manage their reputation, not the hackers.
So it is just about conceivable that Wallis was playing both sides, and pretending to be on UEA’s side when he’d already been behind the hacking in the first place, but that seems a little unlikely.

chopperjones

Keith Olbermann , blogging about Climategate, has the audacity to assert that “exhaustive analysis later proved that the emails merely revealed scientists’ anxiety that Climate Data and Research were being properly handled and studied”. I don’t converse with libtards all that often, but I am disheartened to see they have no idea of the real situation.

MJ

Are we sure this guy doesn’t work for the Russians?

gnomish

i have a hypothesis that somebody who puts out a book within days of the climategate leak probably had the emails for a while before then.
how bout that.

Tom t

“anyone with an MIT library card (or most university library cards) could get access to this, while the emails were private.”
One isn’t more private than the other. Just because more people have access to one doesn’t mean that people without access should be able to get them.

Steve from Rockwood

As punishment I would make him read every paper.

Kevin B

You may mock but here’s video of Wallis and his nefarious accomplice Gromitt doing the deed

DirkH

Gary Pearse says:
July 23, 2011 at 9:24 am
“5 million!! With only a handful of natural laws, there is clearly a lot of fluff in the scientific literature.”
Yes. In my Diplom thesis, I implemented and compared about 20 edge detection algorithms from the literature. Sturgeon’s Law applies: “95% of everything are cr*p.”

DirkH

JK says:
July 23, 2011 at 9:37 am
“Many here will disagree with their liberal politics. But if you could just get over the fact that many of them are state employees, why not get involved with the bigger campaign for open access? There is a great opportunity for making unexpected friends here that could prove beneficial in the long run.”
What in the world gives you the idea that Climate Model Scientists are interested in openness? They have never been in the past. Climate Model Science works like a Maya priesthood, not like a science.

AdderW

If you have direct access, anything is possible

kramer

Too bad this hacker didn’t hack into UVA’s email archive…

Austin

What a bunch of idiots at MIT.
They cannot find the physical port on the network of a machine that is running a constant download program?
At the easiest, you could just pull cables until you find the laptop.

mwhite

No one charged with CRU “hacking”. Is this now a cold case? Do those who investigated the leak know how the e-mails made it into the public domain?
I’ve heard nothing in the British media on the progress of this investigation.

Don Keiller

First time I have visited “Climate Progress”- what an experience and what a misnomer.
I really do think the men in white coats need to pay them a visit….

Now this was some years ago, but as a student who worked long hours in a school lab, I had my own keys to almost everything in the building. Nearly every computer, machine or area was easily accessible to me at any hour of the day. One time, while working on a large project after hours for the professor, we went around the school and borrowed 3 pc’s for the night just to complete the calculations which at the time overwhelmed the three individual machines we had.
University science departments are about the open exchange of information for research which at least in my experience, was the great fun of working there.
They are not exactly up to pentagon standards for information security.

DirkH says:
July 23, 2011 at 10:38 am

Yes. In my Diplom thesis, I implemented and compared about 20 edge detection algorithms from the literature. Sturgeon’s Law applies: “95% of everything are cr*p.”

So which one is the good one?

Olen

Bet China got there first.

Tom C

Certainly off-topic but I don’t know any recent post this would be relevant.
Possible SC23 tiny tim?? 2°N 75°E

Dan Lee says:
July 23, 2011 at 9:10 am
… The vast majority of hacks are done via human engineering. The more companies are aware of this, the better, and the better they’ll train their staff. The black-hatters are all very well aware already, and it’s usually the first 10 things they try, some form of human engineering. This guy getting a laptop plugged directly into the target’s hub will give him bragging rights for years.

Except nobody is bragging. I won’t pretend to follow the hacker sites, but lots of people do, and if a hacker somewhere was bragging, we’d have heard about it by now.

Douglas DC

Jeff Id. Back in my undergrad days I had the job of keeping what was euphemistically known as the “Animal Room” clean and the occupants well fed. This was in the Biology Department at Eastern Oregon State University. This being the 1970’s there was little in the way of use of the Computer-except for storage and download of data the mainframe was located some 300+ miles away in Corvallis, Oregon. Now, the Department head, who was involved in a complex small mammal study, He was security minded, to protect his data, He kept the records in a big wooden box, properly filed, and on top of this box he kept our East Indian COBRA! Ol’ Rama called him. My job was to feed him once every two or so weeks.-carefully. When you approached his cage he’d hit the glass, hood spread and fangs out….
Never had any break-ins there….

DesertYote

Jeff Mitchell
July 23, 2011 at 9:17 am
###
Your story brings back memories of how a HS classmate and myself managed to give ourselves root access to our local university mainframe during the 70s. Your stunt ( and ours, which was also a trojan) would be very much more difficult these days, though idiots still put . in their paths!

DesertYote

As they say “No security without physical security”.

kadaka (KD Knoebel)

From 1DandyTroll on July 23, 2011 at 9:24 am:

Bah, the old laptop trick, that’s so 90′s. Use a Sheevaplug or Tonidoplug computer, or better yet go elite and change a wall outlet to a Jack PC wall outlet computer, and Bob’s your uncle and Mum’s none the wiser.

Say what? Those Jack PC’s look nothing like a normal wall outlet, no place to plug in a standard AC device, and require Power over Ethernet (PoE) unless you can also wedge in an external power supply. Hardly “covert” at all.
These days it should be possible to wedge a suitable small computer into a surge-protecting power strip. With some Ethernet ports. Well, it’s common enough to find standard RJ-11 phone jacks for spike protection for phone line-connected equipment. Who’s really going to notice some slightly-larger RJ-45 Ethernet jacks with some cables plugged into them? The computer can run as a self-booting Ethernet node, no input or output devices needed thus no connection points needed. Deploy the strip at a suitable location, plug in the cables and some devices, then wait elsewhere for it to “phone home” to a suitably anonymous IP address with whatever info you want it to harvest.
And if I can think that up just now, it’s a safe bet someone else already did and they’re available somewhere. Check your server rooms!

mfosdb

“In the early morning hours of May 24, an armed burglar wearing a ski mask broke into the offices of Nicira Networks, a Silicon Valley startup housed in one of the countless nondescript buildings along Highway 101. He walked past desks littered with laptops and headed straight toward the cubicle of one of the company’s top engineers. The assailant appeared to know exactly what he wanted, which was a bulky computer that stored Nicira’s source code. He grabbed the one machine and fled. ”
http://defensetech.org/2011/07/22/cyber-espionage-the-old-fashioned-way/

As noted by others, electronic security typically is based on the presumption of physical security. If you can get into a phone / network closet, you pretty much have carte blanche.
OK, old story: In college (before it was a criminal act) the “standard” was that if you could get ‘free computer time’ via hacking accounts, you would often get a job offer from the data center. My contribution was a discovery of a bug in the FORTRAN compiler. It didn’t know if you opened a file for “random access” if you had ever really done so before… You were admonished to write your programs to ‘zero all the data’ as it would be ‘random leftover junk’… On the old Burroughs machines, “swap” was mixed with user space. He thinks a minute…
Write program to open new file for random access. Write record one. Write record 100,000. Read records 2-99,999 looking for “ssword” Print result.
Never had to ask for computer time again…
Given the present state of things, I’d not want to be in charge of security for a site. Just too easy to put a ‘hot pixel’ on a web site, have the occasional random hit it and launch an app that “phones home”… or puts in a key logger .. or …

Roger Knights

Olen says:
July 23, 2011 at 11:32 am
Bet China got there first.

I think the China-did-it thesis has much going for it:
It would explain why the police haven’t pointed their finger at the culprit. (It would cause an international incident.)
China had the motive–it wanted justification for sabotaging Copenhagen. It wanted the other side to look like the bad guys, IOW.
China had the means–it has been fingered in several other cyber-attacks and break-ins.
As for the opportunity–well, if the UEA’s security code was at the same level as the code complained about in Harry_Read_Me, it would have been easy to penetrate.

Gil R.

Good grief — does anyone here actually have any familiarity with JSTOR? From these posts, I’d reckon not. JSTOR has journals from dozens of fields, and is by no means to be considered an archive of scientific literature. Fields it has include archaeology, English lit, economics, music, etc. etc. etc. Scholars at pretty much every university in the U.S. and all over the world use it (and have to accept its Terms Of Use when logging in). It is NOT an MIT-run, scientifically oriented organization. (This is instantly obvious to anyone bothering to visit their homepage.)
And if they charge money for articles from a British scientific journal that ran centuries before today’s international copyright laws were even established, that’s because they have to pay to have them scanned page by page (often a laborious job when it comes to rare, highly brittle old volumes), host them, etc. And if people like that free-information jackass go about releasing everything they scan for free, then there won’t be as much money for other journals to be scanned over time.
The WUWT readership is usually extremely well informed, but in this case too many of those commenting have fallen short of the normal standards.

Blade

Dennis Wingo [July 23, 2011 at 8:32 am] says:
“If these papers were originally written under government contracts there can be no breach alleged as he has as much right to them as anyone else as a taxpayer.
I hope that he uses this defense.”

I’ll bet you are right. First impression looks to me like someone trying to liberate documents owned in some part by the public and who thinks he is on the righteous side.
Of course there is the petard hoisting angle here to consider. No doubt that there are many leftist academics up there that have provided support to the ‘liberator’ during several other related events …
– Pentagon Papers, whether one thinks they were over-classified or not is irrelevant, they *were* classified, highly. Then subsequently liberated by a leftist swine, published by the New York Slimes, winding up in the Supreme Court.
– Wikileaks, in some respects very similar (e.g., leftist swine), but it will be a long time before anyone knows the extent of the damage, the story is still being written.
Perhaps we will see a squaring off of the Political Science department versus the hard Sciences at MIT. Or perhaps not. Hypocrisy is ubiquitous among leftists. It’s a gene thing.
One thing is for sure, it’s popcorn time. 🙂

boy on a bike

I guess that’s why at my office, the “wiring closet” on each floor is a fully secured room with swipe card access and PIN, strictly limited access, CCTV monitoring etc etc.

…. “scholarly documents from a nonprofit archive service”
so what exactly is the “beef” then ?
surely he (or anyone else) could have simply asked to see them.
it isn’t the secret patent archive of Nikola Tesla is it ?
or am I missing something ?