Paywallgate: hacker breaches MIT, downloads millions of papers

While Joe Romm and Keith Olbermann spin the most absurd conspiracy theory imaginable related to Climategate, that it was the work of “News of the World”, Murdoch, and/or Wallis, we find another example of academic file hacking, this one far simpler but far larger in volume. Our keystone cops Romm and Olbermann miss the obvious: if it was NOTW/Murdoch, why didn’t it show up in those newspapers first, instead of on blogs like CA, tAV, RC, and of course WUWT?

While they rage ridiculously, we now have an example of a scientific hack that illustrates just how simple it is to do, and how bad the academics were (at MIT no less) at preventing it even though they knew it was happening. All it took was one guy, a laptop, some simple scripts, and an unsecured network switch cabinet like this one on campus at right. Apparently the guy just shoved his laptop into the cabinet under the wires and boxes, hooked it to the switch, and MIT was none the wiser.

From the Register:

Reddit programmer charged with massive data theft

Harvard ethics fellow accused of hacking MIT

By Dan Goodin

Posted in Crime, 19th July 2011 17:43 GMT

A former employee of Reddit has been accused of hacking into the computer systems of the Massachusetts Institute of Technology and downloading almost 5 million scholarly documents from a nonprofit archive service.

Aaron Swartz, a 24-year-old researcher in Harvard University’s Center for Ethics, broke into a locked computer-wiring closet in an MIT basement and used a switch there to gain unauthorized access to the college’s network, federal prosecutors alleged Tuesday. He then downloaded 4.8 million articles from JSTOR, an online archive of more than 1,000 academic journals, according to an indictment filed in US District Court in Boston.

When JSTOR blocked the MIT IP address Swartz used in September, for example, the Harvard fellow allegedly incremented a single digit and resumed his wholesale downloading binge, which was streamlined with a custom Python script. JSTOR at times responded by blocking huge ranges of IP addresses, causing legitimate JSTOR users at MIT to be denied access.

More: http://www.theregister.co.uk/2011/07/19/harvard_fellow_indicted/
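
The sequence in the excerpt above (one address blocked, a neighbouring address resuming, then range blocks that locked out legitimate users) is a log-correlation problem for the archive operator. The following is an added example, not code from The Register, JSTOR or MIT: it links per-address heavy hitters that share a subnet and lists only those addresses, so ordinary readers in the same range are left alone. The log format, thresholds and addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict


def correlate_bulk_clients(requests, window_s=3600, ip_limit=500, prefix=24):
    """requests: iterable of (epoch_seconds, client_ip) pairs from an access log.

    Returns {subnet: [(first_heavy_window, ip), ...]} for subnets in which two
    or more distinct addresses each exceeded ip_limit requests in some window.
    """
    per_window = defaultdict(int)            # (window index, ip) -> request count
    for ts, ip in requests:
        per_window[(int(ts) // window_s, ip)] += 1

    first_heavy = {}                         # ip -> earliest window over the limit
    for (win, ip), count in per_window.items():
        if count > ip_limit and win < first_heavy.get(ip, win + 1):
            first_heavy[ip] = win

    by_subnet = defaultdict(list)
    for ip, win in first_heavy.items():
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        by_subnet[str(net)].append((win, ip))

    # A lone heavy client is a rate-limit matter; two or more in one subnet,
    # ordered by when each first went over the limit, suggests address hopping.
    return {net: sorted(hits, key=lambda h: (h[0], ipaddress.ip_address(h[1])))
            for net, hits in by_subnet.items() if len(hits) >= 2}


def build_sample_log():
    """Constructed sample data using RFC 5737 documentation addresses."""
    log = []
    # Bulk client on .50 in hour 0, then on .51 in hour 2 after a block.
    log += [(i * 3, "192.0.2.50") for i in range(600)]
    log += [(7200 + i * 3, "192.0.2.51") for i in range(600)]
    # Ordinary reader in the same /24: five requests per hour.
    log += [(h * 3600 + 60 * i, "192.0.2.17") for h in range(3) for i in range(5)]
    # Single heavy client in another subnet: not reported as hopping.
    log += [(i * 3, "198.51.100.9") for i in range(600)]
    return log


if __name__ == "__main__":
    for subnet, hits in correlate_bulk_clients(build_sample_log()).items():
        print(subnet, hits)
```

A subnet that shows up here is a cue to trace the switch port and hardware address behind those leases rather than to widen the block.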

It has long been speculated (and analysed) that the Climategate release was an inside job, or at the very least done by somebody with inside access. Hooking up your laptop to the internal network via an unsecured switch cabinet seems to be a pretty simple way to go about getting internal access.

Given how sloppy CRU was at leaving files lying around in the open (Steve McIntyre had fun with the “mole” story prior to Climategate), getting onto the internal UEA/CRU network might have been all that was needed.

h/t to WUWT reader AndiC

Steve from Rockwood
July 23, 2011 10:24 am

As punishment I would make him read every paper.

Kevin B
July 23, 2011 10:29 am

You may mock but here’s video of Wallis and his nefarious accomplice Gromitt doing the deed

DirkH
July 23, 2011 10:38 am

Gary Pearse says:
July 23, 2011 at 9:24 am
“5 million!! With only a handful of natural laws, there is clearly a lot of fluff in the scientific literature.”
Yes. In my Diplom thesis, I implemented and compared about 20 edge detection algorithms from the literature. Sturgeon’s Law applies: “95% of everything are cr*p.”

DirkH
July 23, 2011 10:44 am

JK says:
July 23, 2011 at 9:37 am
“Many here will disagree with their liberal politics. But if you could just get over the fact that many of them are state employees, why not get involved with the bigger campaign for open access? There is a great opportunity for making unexpected friends here that could prove beneficial in the long run.”
What in the world gives you the idea that Climate Model Scientists are interested in openness? They have never been in the past. Climate Model Science works like a Maya priesthood, not like a science.

AdderW
July 23, 2011 10:48 am

If you have direct access, anything is possible

kramer
July 23, 2011 10:48 am

Too bad this hacker didn’t hack into UVA’s email archive…

Austin
July 23, 2011 10:53 am

What a bunch of idiots at MIT.
They cannot find the physical port on the network of a machine that is running a constant download program?
At the easiest, you could just pull cables until you find the laptop.

mwhite
July 23, 2011 10:55 am

No one charged with CRU “hacking”. Is this now a cold case? Do those who investigated the leak know how the e-mails made it into the public domain?
I’ve heard nothing in the British media on the progress of this investigation.

Don Keiller
July 23, 2011 10:55 am

First time I have visited “Climate Progress” - what an experience and what a misnomer.
I really do think the men in white coats need to pay them a visit….

July 23, 2011 11:15 am

Now this was some years ago, but as a student who worked long hours in a school lab, I had my own keys to almost everything in the building. Nearly every computer, machine or area was easily accessible to me at any hour of the day. One time, while working on a large project after hours for the professor, we went around the school and borrowed 3 pc’s for the night just to complete the calculations which at the time overwhelmed the three individual machines we had.
University science departments are about the open exchange of information for research which at least in my experience, was the great fun of working there.
They are not exactly up to pentagon standards for information security.

Editor
July 23, 2011 11:18 am

DirkH says:
July 23, 2011 at 10:38 am

Yes. In my Diplom thesis, I implemented and compared about 20 edge detection algorithms from the literature. Sturgeon’s Law applies: “95% of everything are cr*p.”

So which one is the good one?

Olen
July 23, 2011 11:32 am

Bet China got there first.

Tom C
July 23, 2011 12:40 pm

Certainly off-topic but I don’t know any recent post this would be relevant.
Possible SC23 tiny tim?? 2°N 75°E

July 23, 2011 12:57 pm

Dan Lee says:
July 23, 2011 at 9:10 am
… The vast majority of hacks are done via human engineering. The more companies are aware of this, the better, and the better they’ll train their staff. The black-hatters are all very well aware already, and it’s usually the first 10 things they try, some form of human engineering. This guy getting a laptop plugged directly into the target’s hub will give him bragging rights for years.

Except nobody is bragging. I won’t pretend to follow the hacker sites, but lots of people do, and if a hacker somewhere was bragging, we’d have heard about it by now.

Douglas DC
July 23, 2011 1:42 pm

Jeff Id. Back in my undergrad days I had the job of keeping what was euphemistically known as the “Animal Room” clean and the occupants well fed. This was in the Biology Department at Eastern Oregon State University. This being the 1970’s there was little in the way of use of the Computer, except for storage and download of data; the mainframe was located some 300+ miles away in Corvallis, Oregon. Now, the Department head, who was involved in a complex small mammal study, was security minded. To protect his data, he kept the records in a big wooden box, properly filed, and on top of this box he kept our East Indian COBRA! Ol’ Rama called him.
My job was to feed him once every two or so weeks, carefully. When you approached his cage he’d hit the glass, hood spread and fangs out….
Never had any break-ins there….

DesertYote
July 23, 2011 3:48 pm

Jeff Mitchell
July 23, 2011 at 9:17 am
###
Your story brings back memories of how a HS classmate and myself managed to give ourselves root access to our local university mainframe during the 70s. Your stunt ( and ours, which was also a trojan) would be very much more difficult these days, though idiots still put . in their paths!

DesertYote
July 23, 2011 3:49 pm

As they say “No security without physical security”.

kadaka (KD Knoebel)
July 23, 2011 3:53 pm

From 1DandyTroll on July 23, 2011 at 9:24 am:

Bah, the old laptop trick, that’s so 90’s. Use a Sheevaplug or Tonidoplug computer, or better yet go elite and change a wall outlet to a Jack PC wall outlet computer, and Bob’s your uncle and Mum’s none the wiser.

Say what? Those Jack PC’s look nothing like a normal wall outlet, no place to plug in a standard AC device, and require Power over Ethernet (PoE) unless you can also wedge in an external power supply. Hardly “covert” at all.
These days it should be possible to wedge a suitable small computer into a surge-protecting power strip. With some Ethernet ports. Well, it’s common enough to find standard RJ-11 phone jacks for spike protection for phone line-connected equipment. Who’s really going to notice some slightly-larger RJ-45 Ethernet jacks with some cables plugged into them? The computer can run as a self-booting Ethernet node, no input or output devices needed thus no connection points needed. Deploy the strip at a suitable location, plug in the cables and some devices, then wait elsewhere for it to “phone home” to a suitably anonymous IP address with whatever info you want it to harvest.
And if I can think that up just now, it’s a safe bet someone else already did and they’re available somewhere. Check your server rooms!

mfosdb
July 23, 2011 3:57 pm

“In the early morning hours of May 24, an armed burglar wearing a ski mask broke into the offices of Nicira Networks, a Silicon Valley startup housed in one of the countless nondescript buildings along Highway 101. He walked past desks littered with laptops and headed straight toward the cubicle of one of the company’s top engineers. The assailant appeared to know exactly what he wanted, which was a bulky computer that stored Nicira’s source code. He grabbed the one machine and fled. ”
http://defensetech.org/2011/07/22/cyber-espionage-the-old-fashioned-way/

E.M.Smith
Editor
July 23, 2011 7:13 pm

As noted by others, electronic security typically is based on the presumption of physical security. If you can get into a phone / network closet, you pretty much have carte blanche.
OK, old story: In college (before it was a criminal act) the “standard” was that if you could get ‘free computer time’ via hacking accounts, you would often get a job offer from the data center. My contribution was a discovery of a bug in the FORTRAN compiler. It didn’t know if you opened a file for “random access” if you had ever really done so before… You were admonished to write your programs to ‘zero all the data’ as it would be ‘random leftover junk’… On the old Burroughs machines, “swap” was mixed with user space. He thinks a minute…
Write program to open new file for random access. Write record one. Write record 100,000. Read records 2-99,999 looking for “ssword” Print result.
Never had to ask for computer time again…
Given the present state of things, I’d not want to be in charge of security for a site. Just too easy to put a ‘hot pixel’ on a web site, have the occasional random hit it and launch an app that “phones home”… or puts in a key logger .. or …

Roger Knights
July 23, 2011 7:17 pm

Olen says:
July 23, 2011 at 11:32 am
Bet China got there first.

I think the China-did-it thesis has much going for it:
It would explain why the police haven’t pointed their finger at the culprit. (It would cause an international incident.)
China had the motive–it wanted justification for sabotaging Copenhagen. It wanted the other side to look like the bad guys, IOW.
China had the means–it has been fingered in several other cyber-attacks and break-ins.
As for the opportunity–well, if the UEA’s security code was at the same level as the code complained about in Harry_Read_Me, it would have been easy to penetrate.

Gil R.
July 23, 2011 9:55 pm

Good grief — does anyone here actually have any familiarity with JSTOR? From these posts, I’d reckon not. JSTOR has journals from dozens of fields, and is by no means to be considered an archive of scientific literature. Fields it has include archaeology, English lit, economics, music, etc. etc. etc. Scholars at pretty much every university in the U.S. and all over the world use it (and have to accept its Terms Of Use when logging in). It is NOT an MIT-run, scientifically oriented organization. (This is instantly obvious to anyone bothering to visit their homepage.)
And if they charge money for articles from a British scientific journal that ran centuries before today’s international copyright laws were even established, that’s because they have to pay to have them scanned page by page (often a laborious job when it comes to rare, highly brittle old volumes), host them, etc. And if people like that free-information jackass go about releasing everything they scan for free, then there won’t be as much money for other journals to be scanned over time.
The WUWT readership is usually extremely well informed, but in this case too many of those commenting have fallen short of the normal standards.

Blade
July 23, 2011 11:47 pm

Dennis Wingo [July 23, 2011 at 8:32 am] says:
“If these papers were originally written under government contracts there can be no breach alleged as he has as much right to them as anyone else as a taxpayer.
I hope that he uses this defense.”

I’ll bet you are right. First impression looks to me like someone trying to liberate documents owned in some part by the public and who thinks he is on the righteous side.
Of course there is the petard hoisting angle here to consider. No doubt that there are many leftist academics up there that have provided support to the ‘liberator’ during several other related events …
– Pentagon Papers, whether one thinks they were over-classified or not is irrelevant, they *were* classified, highly. Then subsequently liberated by a leftist swine, published by the New York Slimes, winding up in the Supreme Court.
– Wikileaks, in some respects very similar (e.g., leftist swine), but it will be a long time before anyone knows the extent of the damage, the story is still being written.
Perhaps we will see a squaring off of the Political Science department versus the hard Sciences at MIT. Or perhaps not. Hypocrisy is ubiquitous among leftists. It’s a gene thing.
One thing is for sure, it’s popcorn time. 🙂

boy on a bike
July 23, 2011 11:48 pm

I guess that’s why at my office, the “wiring closet” on each floor is a fully secured room with swipe card access and PIN, strictly limited access, CCTV monitoring etc etc.

July 24, 2011 5:48 am

…. “scholarly documents from a nonprofit archive service”
so what exactly is the “beef” then ?
surely he (or anyone else) could have simply asked to see them.
it isn’t the secret patent archive of Nikola Tesla is it ?
or am I missing something ?