Guest Post by David M. Hoffer
Since both ClimateGate 1&2 there has been considerable confusion in regard to how the emails were obtained, how the FOIA requests were managed, and what was or wasn’t possible in that context. There is no simple answer to those questions.
The ClimateGate emails span a period of nearly two decades. During that time period, email systems evolved substantially in terms of technology, implementation, operational procedures, and the job descriptions of those responsible for them. Other technologies such as backup systems, archive, and supporting technologies for legal compliance also changed (as did the laws themselves). Saying exactly what was and wasn’t possible for such simple actions as deleting an email have completely different answers over time, and also based on the technology that was implemented at any given time. With so many moving targets, it is impossible to draw any conclusions to a 100 percent certainty.
This article is written to cover the basics of how email systems and their supporting infrastructure work, and how they have evolved over time. With that as a common background, we can then discuss everything from the simple questions regarding who could delete what (and when), how the emails might have been obtained, and possibly most interesting of all, raise some serious questions about the manner in which the FOIA requests were handled at the CRU.
EMAIL 101
There are many, different email systems, and many different ways for end users to access them. The basics are common to all of them however. Each user has a “client” that allows them to access their email. It could be an internet browser based client such as the ones used by Hotmail and Gmail, or it could be an email client that runs on your desk top computer like Outlook or Eudora. For the purposes of this discussion I am going to discuss how things work from the perspective of an email client running on a desk top computer.
The email client connects an email server (or servers in a very large implementation). To send an email to someone on a different email server, the two servers must “talk” to each other. In most cases they do so over the internet. How the clients interact with the servers however, is part of understanding why deleting an email that you sent (or received) is not straight forward. The reason is that an email is never actually “sent” anywhere. Once you write an email it exists on the disk drive of the computer the client software is installed on. Press “send” and it goes….nowhere. It is still there, exactly as it was before you “sent” it.
A copy however, has now been sent to the email server you are connected to. That email server makes yet another copy and sends it to the email server the recipient is connected to. That email server then makes still one more copy and sends it to the email client on the recipient’s computer, which in turn writes it to the local hard drive. There are now a minimum of four copies of that one email.
But wait, there may be more copies. When researchers first started exchanging information via email, they were commonly years ahead of the rest of the world. Most large organizations had central IT shops, but they ran financial applications for the most part, email was a curiosity at best. Many researchers were left to run their own email systems, and it wasn’t that hard to do. Solaris was the UNIX operating system in vogue in those days, and Solaris came with a pretty good email system built in called Sendmail. There were many other options too. The bottom line was that early email systems were frequently run by researchers on their own computers.
As time went on, email became more common, and it became more important. The volume of data, performance matters, and security were all becoming beyond the skill set of anyone but someone whose full time job it was to run IT (Information Technology) systems. Researchers began giving up ownership of their own email system and central IT shops took over. Email was becoming mission critical, and a lot of data was being stored in email systems along with records of contract negotiations and other important “paper” trails. Losing email was becoming a painful matter if important information disappeared as a result. As a consequence, the systems that protected the data on email systems also began to mature and be run professionally by IT departments.
The early email systems were just a single server with local hard drives. As they grew in capacity and overall usage, plain old hard drives could no longer keep up. Storage arrays emerged which used many hard drives working together to increase both capacity and performance. Storage arrays also came with interesting features that could be leveraged to protect email systems from data loss. Two important ones were “snapshots” and “replication”.
Snapshots were simply point in time copies of the data. By taking a snapshot every hour or so on the storage array, the email administrator could recover from a crash by rolling back to the last available snapshot and restarting the system. Some storage arrays could handle keeping a few snapshots, others could maintain hundreds. But each snapshot was actually a full copy of the data! Not only could a storage array store many copies of the data, consider the question of deletion. If an email was received and then deleted after a snapshot, even by the central IT department itself, the email would still exist in the last snapshot of the data, not matter what procedure was used to delete it from the email system itself.
What if the storage array itself crashed? Since the storage arrays could replicate their data to other storage arrays, it wasn’t uncommon to have two arrays and two email servers in a computer room so that no matter what failed, the email system could keep on running. What if the whole computer room burned down? Replication to another storage array at a completely different location is also very common, and should the main data centre burn down, the remote data centre would take over. Keep in mind as you think this through that the ability of the storage arrays to replicate data in this fashion is completely and totally independent of the email system itself.
Early email systems were, as mentioned before, most often a single server with internal hard drives. A modern “enterprise class” email system would be comprised of many servers and storage arrays more like this:
If you recall that just sending an email makes, at minimum, four copies, consider what “one” copy on a large email system actually translates to. In the figure above, there are two copies on the storage arrays in the data centre. If snapshots are being used, there may be considerably more. Plus, there is at least one more copy being replicated to a remote data center, which also may have regular snapshots of data. That’s a LOT of copies of just one email! And we haven’t even started talking about backup and archive systems yet.
Let’s return to the question of deleting email. It should be plain to see that in terms of current email technology, deleting an email just from the email system itself is not a simple task if your intention is to erase every single copy that ever existed.
As an end user, Phil Jones is simply running an email client connected to an email server run by somebody else. He has no control over what happens on the server. When he deletes an email, it is deleted from his email client (and hence the hard drive on his computer), and from his view of his emails on the email server. Technically it is possible to set up the email server to also delete the email on the server at the same time, but that is almost never done, and we’ll see why when we start discussing backup, archive, and compliance.
On the other hand, are we talking about what was most likely to happen when Phil Jones deleted an email in 2009? Or what was most likely to happen when Phil Jones deleted an e-mail in 1996? The answers would most likely be entirely different. In terms of how email systems have been run in the last ten years or so however, while it is technically possible that Phil Jones hit delete and erased all possible copies of the email that he received, this would have done nothing to all the copies on the sender’s desk top and on the sender’s email server… and backup systems. Let’s jump now into an explanation of additional systems that coexist along with the email system, and make the possibility of simply deleting an email even more remote.
Backup Systems
Just as we started with email and how it worked at first and then evolved, let’s trace how backup systems worked and evolved. There are many different approaches to backup systems, but I’ll focus here on the most common, which is to make a copy of data to a tape cartridge.
At first, backup was for “operational” purposes only. The most common method of making a backup copy of data for a server (or servers) was to copy it to tape. The idea was that if a disk drive failed, or someone deleted something inadvertently, you could restore the data from the copy on tape. This had some inherent problems. Suppose you had a program that tracked your bank account balance. But for some reason you want to know what the bank account balance was a week ago, not what it is today. If the application didn’t retain that information, just updated the “current” balance as it went, you would have only one choice, which would be to restore the data as it existed on that specific day. To do that, you’d need one tape for each day (or perhaps one set of tapes for each day in a larger environment). That starts to be a lot of tape fast. Worse, as data started to grow, it was taking longer to back it up (and the applications had to be shut down during that period) and the amount of time at night where people didn’t need their applications running kept shrinking as companies became more global.
Several approaches emerged, and I will be covering only one. The most common by far is an approach called “weekly full, daily incremental”. The name pretty much describes it. Every weekend (when the backup window is longest), a full copy of the data is made to tape. During the week, only what changed that day is copied to tape. Since changes represent a tiny fraction of the total data, they could be run in a fraction of the time a full copy could. To restore to any given day, you would first restore the last “full copy” and then add each daily “incremental” on top until you got to the day you wanted.
This worked fine for many organizations, and larger ones bought “tape libraries” which were exactly what they sound like. They would have slots for dozens, sometimes hundreds, of tape cartridges, several tape drives, and a robot arm that could change tapes for both backup processes and for restore processes. The problem was that the tape library had to be as close as possible to the servers so that data could be copied as fast as possible (performance degrades sharply with distance). The following depicts the email system we’ve already looked at, plus a tape backup system:
By making regular copies of data to tape, which was a fraction of the cost of disk storage, the IT department could have copies of the data, exactly as it existed on any given day, and going as far back as the capacity of the tape library (or libraries) would allow. Now try deleting an email from say a year ago. In addition to all the copies on disk, there are at least 52 copies in the tape library. Since we have a tape library however, it is easy to make still more copies, automatically, and most organizations do.
Disaster Recovery
What if there was a major flood, or perhaps an earthquake that destroyed both our local and remote data centers? In order to protect themselves from disaster scenarios, most IT shops adopted an “off site” policy. Once the backup was complete, they would use the copy of the data on tape to make… another copy on tape. The second set of tapes would then be sent to an “off site” facility, preferably one as far away as practical from the data centers themselves.
Consider now how many copies of a given email now exist at any given time. Unlike that financial application whose “current account balance” is constantly changing, email, once received, should never change. (But it might which is a security discussion just as lengthy as this one!). Provided the email doesn’t change, there are many copies in many places, and no end user would have the security permissions to delete all of them. In fact, in a large IT shop, it would take several people in close cooperation to delete all the copies of a single email. Don’t organizations ever delete their old data?
Data Retention
The answer to that question can only be answered by knowing what the data retention policy of the organization is. Many organizations just kept everything until the cost of constantly expanding their storage systems, tape libraries and the cost of housing off site tapes started to become significant. Many organizations decided to retain only enough history on tape to cover themselves from a tax law perspective. If the retention policy was implemented correctly, any tapes older than a certain period of time would be removed from the tape library and discarded (or possibly re-used and overwritten). The copies in the offsite storage facility would also be retrieved to be either destroyed or re-used so that the offsite data and he onsite data matched.
Archive
As email systems grew, the backup practices described above became problematic. How long people wanted to keep their email for was often in conflict with the retention periods for financial purposes. They were designed for general purpose applications with ever changing data. As the amount of data in an email system started to grow exponentially due to ever larger attachments, graphics, and volume, the expense and pressure on even an “incremental” backup window became enormous. That’s where archive started to emerge as a strategy. The storage arrays that supported large email systems were very expensive because they had to be ultra reliable as well as ultra high performance. But 99% of all emails were being read on the day they were sent… and never again. Only if something made an older email important… evidence of who said what and when from a year ago for example, would an email be accessed again after it was a few days old. So why house it on the most expensive storage the organization owned? And why back it up and make a copy of it every week for years?
Many organizations moved to an “archive” which was simply a way of storing email on the cheapest storage available. If someone needed an email from a year ago, they would have to wait minutes or perhaps hours to get it back. Not a big issue provided it didn’t need to be done very often. Some organizations used low performance low cost disk, some even went so far as to write the archive to tape. So, for example, the email you sent and received in the last 90 days might open and close in seconds, but something from two years ago might take an hour. Not only did this reduce the cost of storing email data, but it had the added benefit of removing almost all the email from the email system and moving it to the archive. Since the archive typically wasn’t backed up at all, the only data the backup system had to deal with in its weekly full daily incremental rotation was the last 90 days. This left an email system, with the integrated backup and archive systems, looking something like this:
For most IT shops, if you ask them how many copies of a given email they have if it was sent a year ago, they can’t even answer the question. Lots.
What does that mean in terms of FOIA requests? Plenty.
Compliance
The world was rolling along quite nicely using these general techniques to protect data, and then the law got involved. Enron resulted in Sarbanes Oxley in the United States and similar laws in other countries FOIA came in existence in most western countries. Privacy laws cropped up. Suddenly IT had a new problem, and a big one. The board of directors was suddenly asking questions about data retention. The IT department went from not being able to get a meeting with the board of directors to having the board shining a spot light on them. Why?
Because they (the board of directors) could suddenly go to jail (and some did) because of what was in their email systems. Worse, they could even go to jail for something that was NOT in their email system. The laws in most jurisdictions took what you could delete, and what you could not delete, to a whole new level. Worse (if you were a member of the board of directors) you could be held responsible for something an employee deleted and shouldn’t have…. or didn’t delete and should have. Bingo. The board of directors is suddenly no longer interested in letting employees decide what they can and cannot delete, and when. The same applied in most cases to senior management of public institutions.
Back to the original question. Could Phil Jones have deleted his emails? When? In the early days when his emails were all in a server run by someone in his department? Probably. When the email system moved to central IT and they started backing it up regularly? No. He would only be able to permanently delete any given email provided that he had access to all the snapshot copies on all the storage arrays plus the archive plus all the backup tapes (offsite and onsite). Fat chance without the express cooperation of a lot of people in IT, and the job of those people, based on laws such as FOIA, SOX and others was to expressly prevent an end user such as Phil Jones from ever doing anything of the sort, because management had little interest in going to jail over something someone else deleted and shouldn’t have.
So…did CRU have a backup system? Did they send tapes off site? Did they have a data retention policy and what was it? Did they have an archive? If they had these things, when did they have them?
With all that in mind, now we can look at two other interesting issues:
- What are the possible ways the emails could have been obtained?
- Were the proper mechanisms to search those emails against FOIA requests followed?
Short answer: No.
In terms of how the emails could have been obtained, we’ve seen various comments from the investigation into ClimateGate 1 that they were most likely obtained from accessing an email archive. This suggests that there at least was an email archive. Without someone laying out a complete architecture drawing of the email systems, archive system, backup system, data retention policies and operational procedures, we can only guess at how the system was implemented, what options were available, and what options not. What we can conclude however is that at some point in time, an archive was implemented. Did it work like the description above about archives? Probably. But there are many different archive products on the market, and some IT shops refer to their backup tapes as an archive just to confuse matters more.
In addition, without knowing how the investigators came to the conclusion that the emails were obtained from the archive, we don’t have any way to assess the quality of their conclusions. I’m not accusing them of malfeasance, but the fact is without the data, we can’t determine if the conclusions are correct. Computer forensics is an “upside down” investigation in which the “evidence” invariably points to an innocent party. For example, if someone figured out what Phil Jones username and password was, and used them to download the entire archive, the “evidence” in the server logs would show that Phil Jones did the deed. It takes a skilled investigator to sort out what Phil Jones did (or didn’t do) from what someone using Phil Jones credentials did (or didn’t do). So let’s put aside what the investigators say they think happened and just take a look at some of the possibilities:
Email Administrator – anyone who had administration rights to the email system itself could have made copies of the entire email database going back as far as the oldest backup tapes retained with little effort. So…who had administration rights on the email system itself? There’s reason to believe that it was not any of the researchers, because it is clear from many of the emails themselves that they had no idea that things like archives and backup tapes existed.
Storage Administrator – In large IT shops, managing the large storage arrays that the application servers are attached to is often a job completely separate from application administration jobs such as running the email system. Since the storage administrator has direct access to the data on the storage arrays, copying the data from places such as the email system and the archive would be a matter of a few mouse clicks.
Backup Administrator – This again is often a separate job description in a large organization, but it might be rolled in with storage administration. The point being however, that whoever had backup administration rights had everything available to copy with a few mouse clicks. Even in a scenario where no archive existed, and copying the data required restoring it from backup tapes that went back 20 years, this would have been a snap for the backup administrator. Provided that the tapes were retained for that length of time of course, the backup administrator could simply have used the backup system itself, and the robotics in the tape library, to pull every tape there was with email data on it and copy the emails to a single tape. This is a technique called a “synthetic full” and could easily run late at night when it would just look like regular backup activity to the casual observer. The backup administrator could also “restore” data to any hard drive s/he had access too… like their personal computer on their desk.
Truck Driver – yes, you read that right, the truck driver. Google keywords like “backup tapes stolen truck” and see what you get. The results are eye popping. The companies that specialize in storing tapes off site for customers send a truck around on a regular basis to pick up the weekly backup tapes. There have been incidents where entire trucks (and the tapes they were carrying) were stolen. Did anyone steal CRU’s tapes that way? Probably not. The point is however that once the tapes leave your site and are entrusted to another organization for storage, they could be copied by anyone from the truck driver to the janitor at the storage site. Assembling 20 years of email from backup tapes could be a real hassle of course. On the other hand, an offsite storage facility frequently has as part of the service it provides to clients…great big tape libraries for automating copying of tapes. Encryption of backup tapes was a direct response to incidents in which tapes with valuable (and/or embarrassing information) wound up in the wrong hands.
But encryption has only been common for a few years. That raised an interesting theoretical question. The last email release ends in 2009, and the rest of the release is, in fact, encrypted. One can only wonder, does the CRU encrypt their backup tapes, and if so, when did they start doing that?
Administrative Foul Up – One of the biggest “cyber crimes” in history occurred when a company doing seismic processing for oil companies cycled the tapes back to their customers for the next round of data, and sent old tapes to different customers. One of their customers figured it out, and started checking out the data they were being sent which was from their competitors. It wasn’t the first time it happened, and it wasn’t the last time.
Janitor – Let’s be clear, I’m not accusing anyone, just making a point. There’s an old saying about computer security. If you have physical access, then you have access. Anyone with physical access to the computer room itself, and the right technical skills, could have copied anything from anywhere.
The FOIA Requests
There are dozens of emails that provide glimpses into both how the email systems at CRU were run, and how FOIA requests were handled. Some of them raise some very interesting questions. To understand just how complex compliance law can be, here’s a brief real world story. Keep in mind as you read this that we’re talking about American law, and the CRU is subject to British law which isn’t quite the same.
In the early days of compliance law, a large financial services firm was sued by one of their clients. His claim was that he’d sent instructions via email to make changes to his investment portfolio. The changes hadn’t been made and he’d suffered large losses as a result. His problem was that he didn’t have copies of the emails he’d sent (years previous) so his legal case was predicated upon the financial firm having copies of them. To his chagrin, the financial firm had a data retention policy that required all email older than a certain date to be deleted. The financial firm figured they were scot free. Here’s where compliance law starts to get nasty.
A whistle blower revealed that the financial firm had been storing backup tapes in a closet, and had essentially forgotten about them. A quick inspection revealed that a number of the backup tapes were from the time in question. The financial services firm asked the judge for time to restore the data from the tapes, and see what was on them that might be relevant. The judge said no.
The judge entered a default judgment against the financial services firm awarding the complainant $1.3 Billion in damages. The ruling of the court was that the financial services firm was guilty by virtue of the fact that they had told the court the data had been deleted from that time period, but it hadn’t been. They had violated their own data retention policies by not deleting the data, and were guilty on that basis alone. Wake up call for the financial industry…and everyone else subject to compliance law, which includes FOIA requests.
Suddenly deleting information when you said you hadn’t was a crime. Not deleting information when you said you had, was a crime. Keeping information could wind up being used against you. Not keeping information that it turns out you were required to keep (by the tax department for example) could be used against you. No one serious about compliance could possibly take the risk of allowing end users to simply delete or keep whatever they wanted. From their own personal accounts certainly, but not from the company email server. Ever.
In that context, let’s consider just a few words from one email in which Phil Jones, discussing with David Palmer whether or not he’d supplied all the email in regard to a specific FOIA request, says “Eudora tells me…”
These few words raise some serious questions. Eudora is an email client, similar to the more familiar Outlook. So, let us ask ourselves:
Why was David Palmer relying on Phil Jones to report back all the emails he had? Compliance law in most countries would have required that David Palmer have the appropriate search be done by the IT department. This would have captured any emails deleted by Phil Jones that were still retained by the CRU based on their data retention policy.
Was David Palmer aware of the proper procedure (to get the search done by IT)? If not, was he improperly trained and who was responsible for properly training him in terms of responding to FOIA requests? If he was aware… well then why was he talking to Phil Jones about it at all?
Phil Jones specifically says that “Eudora tells me” in his response to Palmer. Since Phil Jones evidently did the search from his own desk top, the only emails he could search for were ones that he had not deleted. But, that doesn’t mean he found all the emails subject to the FOIA request, because email that he did delete was more than likely retained on the CRU email server according to their data retention policies. As in the case of the financial company, the CRU may well have said they didn’t have something that they did. In fact, we can surmise this to be highly likely. There are multiple emails showing up in which, for example, Phil Jones says he is going to delete the message right after sending it. But we now have a copy of that specific message. Did he send it and then forget to delete it? Probably not. The more likely answer is that he did delete it, not realizing that the CRU data retention policy resulted in a copy being left on the server. If the CRU responded to an FOIA request and didn’t include an email that met the FOIA parameters because they failed to search all their email instead of just the email that Phil Jones retained in his personal folder… well, in the US, there would be some prosecutors very interested in advancing their careers…
“Eudora tells me” is even more curious from another perspective. Why “Eudora”? Why didn’t he say that he’d searched all his email? Why specify that he’d used the search capabilities in Eudora? Personally, I have three email systems that I connect to, and a different email client for each one. Searching all my email and searching all my email in just one email client are two completely different things. Most interesting!
While I am comfortable discussing with IT shops how to architect email systems to protect data and properly service legal requirements such as FOIA requests, I have to admit that I wouldn’t know where to start in terms of submitting one. If I did, I just might ask for all the emails they have pertaining to FOIA requests, and I’d be specific about wanting all the email, regardless of it being in the main email system, the archives, or on backup media, and all the email that ever existed, regardless of having been deleted by end users. Then for the capper, I’d ask for their data retention policy and see if they managed to meet it in their response.
Just sayin’
dmh
Discover more from Watts Up With That?
Subscribe to get the latest posts sent to your email.
Only 10 years ago, the CPA’s for Enron and Enron were working hard with the shredders. Like your article says, that is a mere “symbolic” act at destroying files. CPA’s do like to review original source documents and have a document trail. (Enron wind is now known as GE wind)
This article is simple and well needed. It is too little and too late for the Mann/Jones world to clean up their underground activities. CPA’s are taught how to audit around the IT system and audit thru the IT systems. This article is actually a template on how fraud is caught. Jones claims some old temp data sets have been deleted. I think they exist and he hopes they can’t be restored.
Is it just possible they had lax security standards and poor enforcement? You bet it is. There are lots of hacker types hanging around universities of any size. Sometimes those guys become the unofficial IT guy because the official guys are so hard to work with, move at a snail’s pace and don’t really care if they help you or not.
It could simply be the revenge of the hacker. Maybe somebody kept treating him like a flunky and he got tired of it.
For a “research” group like CRU it is almost certain that its computing effort was provided, for many years at least, internally on research funded equipment and staff possibly as a “hobby” overseen by one of the long term researchers.
Over many years centralised IT service provision would have lagged the group’s requirement. More recently the provision of IT for the masses will have been the primary focus of the IT service – not providing support for specialist research requirements
So its quite probable that CRU have been “running” their own show for most of their history
The quality of the code fragments which leaked and the excuses about being unable to to resource even minimal change/version control with their datasets indeed indicate that CRU was/is just another shambles on the IT front: it just shouts lack of professionalism – and I would guess that this applied/applies more widely within UEA .
My money is on backup tapes – they are, as a general rule, incredibly easy to walk off with, and these days are quite small physically. Most shops rotate through a set of tapes, overwriting old data, so if part of a set gets replaced with blanks, chances are good that nobody will notice.
I have worked in storage administration since 1986. You did a pretty good job on your article, but it has actually become even more complex than your article states.
I did not see any reference to how many companies are virtualizing their tape systems. I helped IBM test their first VTS in Texas while it was still in beta in the mid 1990s. Since tapes were so difficult, expensive to handle and poorly utilized VTSs were developed. The backups for the operating system think they are writing to a bank of tape drives, but the VTS is actually writing the data to a disk raid array. The VTS then can take multiple tape images on the array(s) and stack them together with other tape images to fill today’s large capacity tape media. The VTS can automatically duplicate the physical tape and you can have multiple VTSs in different locations where the data can be automatically replicated between them for disaster recovery. Also as tape data expires and the valid data on tape drops below the desired threshold, all the data is automatically copied to new tapes in a reclamation process. The VTS can also spit out copies of tapes for vaulting and will automatically eject tapes it determines having media problems (which can still have data that could be retrieved).
Not every hacker is a Russian or Chinese Commie out to disembowel the decadent West. Not every hacker believes in Mann Made Global Warming nor the End of Civilization, Versions 101, 102, 103, 104, etc., proposed by the IPCC and preached by the Rt Rev Al Gore and his flock of Save the Earth from Human Destruction jihadists. The ‘science’ of Climate is still being fed by a baby bottle and still makes a mess in his nappy. Keep looking! Keep searching! And don’t believe everything you hear, no matter who told you, or what the subject is. Be skeptical of all college professors, all politicians, and all stock brokers. It’s a dog eat dog world out there.
Dale beat me to it…
Only the first snapshot is a full copy – and a read-only copy at that. From there on out – each additional snapshot is a read-only copy of changes that have occurred with referential pointers to the original full snapshot of where the changes occurred.
The only time snapshots become full copies again is when they are requested either manually or via scheduling – typically monthly.
Manuals for NetApp arrays usually have a nice section with a very easy to read explanation of how snapshots work with pie diagrams and all.
=8-)
_Jim
Q’s:
1) Were the e-mails moved _off_ the server in this case?
2) Would copies have existed anywhere accessible by the server?
OK, I neglected to cover this in the article itself, so great question. Unfortunately the answer isn’t static. I’ll try and keep it brief.
The message you got was the result of the email administrator assigning a storage quota. When you used up a certain amount of disk space, you got a message telling you to clean up. So, you “moved” some of your email to a “different folder”.
Could the email server “see” those emails? Probably not. The whole point of forcing you to clean up your email was to get it off the email server’s storage.
But…where did you move them to? This is ultra important.
If you moved them to a thumb drive and stuck it in your pocket, of course the server couldn’t see it. If you moved them to anywhere on the company network however…different answer.
1. While the email server could not “see” those files, if they are network accessible, including the hard drive on your desk top computer, or a shared drive on the network, an IT administrator could restore them back to the email server with a few mouse clicks.
2. Here’s where implementation of archives makes the answer even more complicated. One of the things that enterprise class archive software does is “crawl” the network, searching for email folders, pst files, etc, that were at some point removed from the email server. It can then copy those emails to the archive, and then delete the copy you made on a shared drive or on your own desk top. You probably wouldn’t know it, because the archive software would leave a “Stub” behind. When you searched for those emails, the stub would present the index to you exactly as you would have seen it before, but now the emails themselves (should you actually open one) would be opened from the archive, not the folder you think you have them in. Plus, when the archive was set up, they would most likely have made it visible to the email server….so the emails are once again available from the email server.
3. Provided your emails were being properly backed up, there are most likely copies in the backup system no matter what you deleted or moved somewhere else.
More great questions to answer, but I’m off line for the next few hours. Will do my best to answer thenm all later today.
If we consider that the whistle-blower might be an internal IT, I bet he has a personal copy of all the emails… maybe this is why the password protected document is locked. It could contain recent emails.
mrrabbit,
“Only the first snapshot is a full copy – and a read-only copy at that.”
I think it depends on the particular vendors implementation of snapshot, flash copy, BVC or what ever the vendor calls their implementation. It is actually possible for the 1st copy to be just incremental (all done with a magic bitmap in the storage controller) or for all copies to be full copies. And some snapshot technologies let you specify which you want.
Good article. There are a few errors. The most glaring one is how snapshots work. Most snapshot technology today just maintains a list of pointers to the old blocks. They do not keep a full copy. Snapshots age and then are thrown away or become stale. You can also set the system to not throw away the blocks, too. So, if you keep the list of pointers AND the blocks, then you can keep the information in stasis.
Upgrades. When email systems are upgraded, the old emails are brought along. Sometimes the new email system allows users to use their old client. Furthermore, the PC that each person works on when upgraded or replaced is often backed up over the network or replicated. This then feeds into the topic below.
Compliance and archive. In general, all email and other relevant documents on workstations are copied into the compliance./archive system and then organized. Also all data from servers is loaded as well. Compliance and archive systems have tools to perform searches. Many compliance systems today intercept all the email before sending it to the email server so even if someone deletes an email, a copy still exists.
Decommissioning. Most people just get rid of their drives and tapes. Rather than shred them. The data on them is recoverable.
Most backup systems have pretty wide open back doors even when configured properly. And when admins do take pains to do it right, and most don’t, the backup encryption technology is often not upgraded over time – many key based systems from the 90s are crackable by direct attack using publicly available methods in a few days. Furthermore, a clever person can program a tape reader to read the data from a tape directly, which in many cases, is easily accessible from a low level. Most places have very poor chain of custody on tapes and do not use tamper proof seals on the tapes.
Looking at the emails, it looks to me like the output from a search of a compliance/archive system. That does not mean it came from one that is used by the emailers’ employers. It could be a system set up by the leaker into which data was fed, or came from a backup of a system or systems in place.
A careful social network analysis of the emails might reveal more clues.
Oh how I love this bloggsite! I learn so much every time I enter it! I have definitely learned about emails now & how back-up systems & servers work – well a bit more than I did before! Thank you.
LibertyisOurTreasure says:
November 30, 2011 at 7:29 am
Nice one, Cyril! 🙂
Mike Wilson:
As Dale mentioned earlier, replication is a full copy. Calling archiving, replication, backup, incremental backup, etc., “snapshots” doesn’t make it so unless it involves an initial full snapshot followed by snapshots that are read-only pointers to changes that reference the related full snapshot.
In others words, while replication in IT circles may not be snapshots – a snapshot can be replication.
As I said earlier, the Netapp manual does a good job of clarifiying exactly what a snapshot is compared to a simple replication, copy or backup.
Sure it is splitting hairs and circular argumentation – I won’t deny that. But the distinction is important.
I’ve watched managers in IT several times who were quite familiar with replication, backups, archiving, etc., try to solve disc space issues on Netapps, IBM arrays, as well as Sun disk arrays – delete the wrong snapshot – try to recover from the other snapshots – only to wonder why they end up with nothing.
It is a slight, “splitting hairs”, circular distinction – but an important one.
=8-)
Someone else may have already said this ……. As far as why did he say “Eudora tells me”?
In another e-mail string, he admits to not knowing how to fit a straight-line in Excel (or apparently any other program he had handy). So it does not surprise me that he only knows a little about the e-mail system.
mrrabbit,
“In others words, while replication in IT circles may not be snapshots – a snapshot can be replication.”
There are all sorts of definitions out there, but in my circle, we have always considered replication to be another copy of data on a separate computer system or separate storage controller. And a snapshot to be an additional instantaneous copy of data (whether full or incremental) within the same storage controller.
question on exchange-outlook relationship where non-cached is used.
where is the local copy kept?
there is no ost file like cached mode, is it a temp file deleted at some point?
I had actually been wondering this and was running some tests against my exchange 2010 box today to see when I happened to read this.
figured I would ask.
like everything on this site good article and I hope it makes people appreciate their IT depts some 🙂
I suspect a simpler explanation, considering CRU’s email system was apparently self-administered and existed outside of UEA’s normal IT infrastructure and management. That’s always been a challenge with IT in academia from my experience, users that think they know what they’re doing, and in doing so, blow gaping holes in security.
I think this explains how CRU’s email backup system was configured:-
http://www.devco.net/archives/2006/03/24/saving_copies_of_all_email_using_exim.php
Simple, convenient for users, but also simple for someone who knows where the copies are held to grab nicely organised user directories containing all incoming/outgoing emails. No need to worry about obscure archival formats either. From memory, CRU initially used Sendmail and it’s also simple to script that to copy all incoming/outgoing mail as well. It’s also still a cheap way to do compliance for organisations that didn’t buy into the Microsoft ecosystem.
For tape backups, especially the old reel types you dont need to keep one of the standard high speed tape units to read old tapes. There are desktop units ( were ?) which can read slowly and normally are used to transfer to a hard disk. A software program on the attached PC would read the data in hex ( or EBCIDIC) and converted format side by side.. Record length and block length would be shown along with headers. Once that is known or some good guess work the data is converted onto PC format. This would be for raw data. Database formatted data could have a different structure. Of course email data would have fairly standard formats.
Gee, Im glad I havent had to think about this sort of stuff for nearly 15 years
Can you say Pandora? I hope there is more to come…
Found that they uses X.www X = variable, maybe —??,, etc.
Ilkka Mononen. alias Myteurastaja.
https://sites.google.com/site/myteurastaja/home
e) p16 – an operations timetable – need to specifically mention the setting
up of a comprehensive WWW site with public and private pages….
f) on page 3 of the call- para 3 starting Global climate models… it says
that a significant challenge for the new centre is …. I am NOT sure we
have explicitly addressed the question – esp local and regional scales, cut
down model etc
g) perhaps in Suggested Research Agenda intro need to specifically mention
existing close links with Hadley, UGAMP, UKICP, IPCC….. and say will work
closely with and compliment …
The list of typos and small changes(done on John Shepherd’s version of the
draft) :
1)p3, line 1 – double comma ,,
2)p3, line 7 – major cultural divides -> major cultural and organisational
divides
3)p3, last line – double full stop ..
4)p4, list of names -Markvart – Dr not Prof
5)p7 – management structure : bullet point one : line 2 scientists We ->
scientists. We
6)p7 – management structure : bullet point 2 : delete open square bracket [
7)p7 – management structure : bullet point 3 : need a little explanation
after the Programme Leaders if only to say ‘whose role is described below’
8)p7 – management structure : text after bullet points : Council’s ->
Councils
9)p7 – ditto – ditto : if the Soton & UMIST reps are well known figures then
I think they should be named now
10)p7 – ditto – ditto – need to define the Centre’s Science Co-ordinator and
Communications Manager – is this one post or two ? what are their role’s ?
how is the Science Co-ordinatoir different from the PL’s or the ED ?
11) p8 – line 1 – I thought the Management Team mtgs should be MUCH MORE
FREQUENT than every six months, if not then what body/person is running
things in the interim ?
12) p8, para 2, line 3 ‘responsible to implement’ -> ‘responsible for
implementing’
13) p8 ditto, last line – double full stop ..
14) p8, para 3, line 2 : this JIF -> a recent JIF
14) p8, ditto, ditto, office accommodation has -> office accommodation has
already
15) p9, para 2 line 2 – double full stop ..
16) p9, challenge 1, para 2, line 3 double full stop ..
17) p10, challenge 2 line 2 delete [and alternative]
18) p12, challenge 5 para 1, line 5 double full stop ..
19) p12, ditto, ditto, line 9 ?. to ?
20) p13, para 2 methodsl -> methods
21) p19, Jim Halliday, line 2 Director, Energy -> Head of the Energy
22) p20, Nick Jenkins, email address -> ???@umist.ac.uk
23) p21, Jonathan Kohler, email address -> ???@econ.acm.ac.uk
24) p21, Tom Markvart : details are School of Engineering Sciences,
University of Southampton email ???@soton.ac.uk
Stuck-Record says:
November 30, 2011 at 8:18 am
David
Thank you for your genuinely enlightening essay.
I have a question. Do you think that the authorities (UEA and Norfolk Police) know who did this and how?>>>
Not a clue, there’s not enough info out there to even hazard a guess on that score. I will make the observation however that the skill sets to conduct investigations into who did what and when in an environment this complex are very rare. I’d be shocked if the IT department at UEA had someone with those skill sets. I wouldn’t be shocked if Norfolk Police had them…. but I’d be surprised. That’s the domain of high end security consultants and government agencies with three letter acronyms.
This was a great post. Thank you.
A couple of minor quibbles, though. First, in the example above the copies on the recipient’s computer (and his/her institution’s server) do still exist but are irrelevant to an FOI request. Document requests can only be served against you for documents under your control. Copies of documents on other people’s equiment are not your problem. Requestors wanting those copies must submit separate requests to those custodians. (And assuming that the other custodian is third-party and not a direct participant in the suit, the request is held to a higher standard than a request to a directly-involved party.)
Second, remember that (depending on the email system’s settings), deletion is generally treated as just another a differential that gets rapidly propogated to the local server, archives and storage arrays. If you delete the email on your desktop, it will be flagged for deletion on your institution’s server copy and overwritten the next time the computer decides it needs to use that particular piece of the disk. If a message was sent, received and deleted all within the time between incrementals, it may not be captured for backup at all. (That won’t be true if the institution journals all messages but journalling is uncommon except in highly litigious environments.)
Even if the message was captured for backup, the incrementals are unlikely to still exist by the time a document request comes through. Most IT shops reuse their incremental media on the same cycle as their full backups – a week or a month at most. The fulls themselves are reused on a cycle set by the IT backup needs – usually 3 or 4 back. You could keep longer but why would you?
(Yes, there are some horrific counter-examples. I remember one case where the company had an email retention policy based on business need and properly approved by the Board. They were sued and rightly disclosed their retention rules and practices along with the statement that the documents in question had been legitimately deleted in the normal course of business. During depositions, a single data center person told of having been chewed out as a young tech for ‘losing’ a file and admitted that he had been taking the tapes out of the trash and storing them in his garage at home “just in case”. He violated company policy and the law (theft, falsification of destruction records). When discovered, he was disciplined and ultimately fired for his misbehavior. The evidence showed that no one in management knew of this practice or had any idea that these tapes had not been destroyed as the records showed. Despite all this, the company was held liable for not knowing that these copies still existed.)
My (long-winded) point is that I haven’t seen annual backups of transient systems like email in years. Annual backups of your general ledger system? Yes. Email? No. Maybe public educational institutions have a different cultural attitude about document retention. In the environments where I’ve worked, the costs of managing all that data and all those copies are not trivial and the company has a strong and legitimate business incentive to keep the number of backups down to what is reasonably necessary. (Users are packrats and want to keep everything but that’s another rant entirely.)
I have to offer another quibble with davidmhoffer’s comment above that “it is sometimes possible to recover data from a drive that has been overwritten several times”. Not unless you’re still using some pretty old equipment. To understand why it’s no longer possible, we first have to understand why it used to be possible.
Remember that the 1s and 0s on the media are really little blobs of up and down magnetic ‘charge’ set down on the disk or tape. Think of it as blobs of blue and green paint for a minute. As the data is being written, little blobs are being plopped on the disk or tape. When it’s time to read, the head goes back and looks at the pattern of blobs. When it’s time to overwrite, you lay a new pattern of blobs down overtop the old pattern. Old disk and tape heads were pretty sloppy, though. If things shifted a bit or weren’t aligned perfectly, the new blob might mostly cover the old blob but still leave a sliver of the old blob visible at the edge. If you had a high-enough powered microscope and some really good software, you could sometimes tease out the pattern of misalignments and make a pretty good guess from the slivers showing about the overwritten content – at one point, as much as 7 iterations back.
Miniaturization and better alignment made that a thing of the past. Nowadays, the blobs are so small and the heads so well aligned that there’s essentially no slop. A single overwrite will completely obscure the prior data. There is, in fact, a reward offered for anyone who can recover once-overwritten data from any reasonably modern media. It has gone uncollected for several years.
Again, thank you for a great post.
Dale beat me to it…
Only the first snapshot is a full copy – and a read-only copy at that. From there on out – each additional snapshot is a read-only copy of changes that have occurred with referential pointers to the original full snapshot of where the changes occurred.>>>
There are different snapshot architectures. In a “split mirror” architecture, the first snapshot is a full copy, and additional snapshots are the incremental differences. In a Copy on First Write architecture, the first snapshot is zero new bytes, and the same is true for Redirect on Write.
You are correct that snapshots are “read only” copies of the data. In any snapshot architecture, there is usually a method to promote a given snapshot to be both read and write, but it is then called a “clone” rather than a snapshot.
The vendor you mentioned (Netapp) uses a Redirect on Write snapshot. Other platforms such as Equallogic and Compellent and ZFS are also Redirect on Write. Copy on First Write is the technique used by Hitachi Data Systems, EMC, IBM DS5000 and many others. Split Mirror is available as an option from EMC, and is inherent in the IBM v7000. My point here is that you cannot say snapshots work in any specific way. There are three main architectures, and the implementation between two vendors using the same architecture also have differences.
mrrabbit,
Also, I believe what you are describing as a snapshot, I have always referred to as a “point-in-time”. A snapshot is an instantaneous picture of the data. A snapshot may or may not involve a
a valid point-in-time depending on a number of factors. With replication, you are continually replicating a copy of the data on a server (it may be all the data or just a critical subset of it) which would be more like a video tape that is continually moving. And the replication may be synchronous or asynchronous (synchronous meaning updates are sent to both servers at the same time and asynchronous meaning the updates happen only on the secondary system (replica) a little later as bandwidth allows. But in either sync or async modes you need to momentarily pause the replication to take a point-in-time to have a valid system for recovery. Otherwise your data is what we call “fuzzy”.