Climategate – whodunnit?
Well, according to this story in Help Net Security, the IT staff would be good candidates for having seen what went on behind the scenes at UEA's Climatic Research Unit, since they have broad access and, according to a recent survey, many people in IT positions can't resist peeking:
“IT security staff will be some of the most informed people at the office Christmas party this year. A full 26 per cent of them admit to using their privileged log in rights to look at confidential information they should not have had access to in the first place. It has proved just too tempting, and maybe just human nature, for them to rifle through redundancy lists, payroll information and other sensitive data including, for example, other people’s Christmas bonus details.”
Here are some eye-opening survey statistics about what IT people do with that access:
- 42 percent of those surveyed said that in their organisations IT staff are sharing passwords or access to systems or applications
- 26 percent said that they were aware of an IT staff member abusing a privileged login to illicitly access sensitive information
- 48 percent of respondents work at companies that are still not changing their privileged passwords within 90 days – a violation of most major regulatory compliance mandates and one of the major reasons why hackers are still able to compromise the security of large organisations.
Remember the HARRY READ ME file from Climategate 1? The programmer who wrote it was bemoaning the sad state of the database and the methodologies, and he could do so because working with the data across the group gave him a broad view. He knew more than any single person he was doing work for.
In the case of the UEA Climategate 1 and 2 emails, it now seems clear that gathering as much material as has been shown to exist was not a quick in-and-out job. As this WUWT guest post by David M. Hoffer shows, this wasn't a simple hack. He wrote:
So…who had administration rights on the email system itself? There’s reason to believe that it was not any of the researchers, because it is clear from many of the emails themselves that they had no idea that things like archives and backup tapes existed.
Whoever did it likely got it from the email archive system, knew what they were doing, and they had to have broad access to get all these emails gathered together.
Then, when we see that 256-bit AES encryption was chosen to secure the remaining nearly quarter of a million emails, we know that "FOIA", whoever he or she is, knew enough to pick protection that will not be cracked in any reasonable amount of time. (A brute-force attack on a 256-bit AES key is infeasible, so the archive's real strength rests on the passphrase: a long random passphrase cannot be guessed, a short one can.) This probably rules out script kiddies and students at UEA who might have had incidental network access and simply grabbed a few files when they thought nobody was looking.
And what about the original "hack" of the RealClimate.org server, which Gavin Schmidt squelched? Given survey results like the 42 percent of respondents who report IT staff sharing passwords or system access, and given how close and interconnected the UEA/CRU and GISS staff are, whoever left that first drop of emails on the RealClimate server most likely had a shared password or some other form of access.
The sharing of system access via email is broadly demonstrated in the Climategate 2.0 files. For example, years ago Dr. Phil Jones and others at CRU sent emails that linked to papers under review at the Journal of Geophysical Research. Some WUWT readers found these early on, and sure enough, those years-old links in the CG2 emails still worked: the link itself was the credential, so anyone holding it held the account.
A few days ago I made the issue known to Dr. Phil Jones and to the JGR journal staff so they could close this security hole. As far as I know, all have been closed. I’ve tested again tonight and the live link fails now. Now that they have been closed, I can talk about it safely without putting JGR’s manuscript system at risk.
From: Anthony
Sent: Thursday, November 24, 2011 5:10 PM
To: p.jones@uea.xxxx.xxx
Cc: grlonline@xxxx.xxx ; jgr-atmospheres@xxxxx.xxx
Subject: password enabled JGR links in Climategate 2 files
Dear Dr. Jones,
I know that you know me, and probably do not like me for my views and publications. Regardless of what you may think of me and my work, it has been brought to my attention by a reader of my blog that there are open access links to your manuscripts at JGR included in the emails that are now in public view.
Therefore, it is my duty to inform you that in the recent release of Climategate 2 files there are links to JGR journal review pages for your publications and also for the publications for Dr. Keith Briffa.
For example, this link:
http://jgr-atmospheres-submit.agu.org/cgi-bin/main.plex?el=
I have verified that that link does in fact open your JGR account and provide full access to it.
In fact there are 35 different emails in this release that contain live links to JGR/AGU author pages. Similar other links exist, such as for Dr. Keith Briffa and others at CRU.
This of course is an unintended and unacceptable consequence of the email release.
I am cc'ing Joost de Gouw, Editor, JGR Atmospheres, in hopes that he can take action to close this open access to these accounts. It is a holiday here in the USA (Thanksgiving) and there may not be office hours on Friday, but hopefully he is monitoring emails.
JGR should immediately change all password access for these CRU members, and I would advise against allowing transmission of live links such as the one above in the future. JGR might also consider a more secure method of manuscript sharing for review.
The open nature of these links is not publicly “on the radar” even though they are in fact public as a part of the email cache, and I do not plan on divulging them for any reason. Any mention of these links will be deleted from any public comments on my blog should any appear.
Dr. de Gouw (or anyone at JGR) and Dr. Jones, please acknowledge receipt of this email.
Thank you for your consideration.
Best regards,
Anthony Watts
So clearly, CRU and others in the emails didn't think twice about sending around live links that granted access to anyone holding them. As David M. Hoffer points out in his article, the researchers don't seem to have a clue about security. They also leave "sensitive" files they don't want to disclose under FOIA requests lying about on open FTP servers. Based on what I've seen so far, I don't think any of the research staff at CRU had either the broad access or the specific technical knowledge to pull this "hack" off.
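The practical check this episode calls for, as an added example that is not part of the original post and not code from JGR, AGU or UEA: scan an exported mailbox for URLs that carry their own credentials, either a user:password in the authority or a token-like query parameter, so they can be found and redacted before a message store is shared, archived or released. The list of parameter names (the "el" entry in particular, taken only from the shape of the link in the post), the opaque-value heuristic and the sample messages are all assumptions constructed for this example.

```python
"""Find and redact credential-bearing URLs in an e-mail dump.

Added example, not part of the original post. Two patterns are flagged:
a URL whose query string has a credential-sounding parameter name, and a
URL whose query value looks like a long opaque token. Userinfo in the
authority (user:pass@host) is flagged as well. All sample data below is
constructed for the example.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names that commonly carry a bearer-style secret.
# "el" is here only because the post's JGR link used it; that it is the
# authenticating value is an assumption, not something the post states.
CREDENTIAL_PARAMS = frozenset({
    "el", "token", "access_token", "auth", "key", "apikey", "api_key",
    "sessid", "session", "sid", "ticket", "password", "passwd", "pwd",
})

# Heuristic for an opaque token: 20+ chars of base64/hex-style alphabet.
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9_\-=.]{20,}$")

# http(s) URLs as they appear in prose; trailing punctuation trimmed later.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")

# Constructed sample mailbox text (not real messages).
SAMPLE_MAILBOX = """\
From: reviewer@example.org
Subject: Re: manuscript

The submission system page is here:
http://submit.example.org/cgi-bin/main.plex?el=A1b2C3d4E5f6G7h8I9j0K1l2M3n4
and the public journal site is http://journal.example.org/about.html.

Backup admin console: https://admin:s3cret@backup.example.org/console
Also see http://www.example.org/paper.pdf?download=1
"""


def classify_url(url):
    """Return the reasons a URL looks credential-bearing (empty = benign).

    Each reason is "userinfo" or the name of the offending query parameter.
    """
    reasons = []
    parts = urlsplit(url)
    if parts.username or parts.password:
        reasons.append("userinfo")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in CREDENTIAL_PARAMS or OPAQUE_VALUE.match(value):
            reasons.append(name)
    return reasons


def _split_trailing(url):
    """Separate sentence punctuation that the regex swept into the URL."""
    stripped = url.rstrip(".,;")
    return stripped, url[len(stripped):]


def find_credential_urls(text):
    """Scan free text (e.g. an mbox dump) and return (url, reasons) pairs."""
    hits = []
    for raw in URL_RE.findall(text):
        url, _ = _split_trailing(raw)
        reasons = classify_url(url)
        if reasons:
            hits.append((url, reasons))
    return hits


def redact_url(url):
    """Replace the credential-bearing parts of a URL with REDACTED."""
    parts = urlsplit(url)
    netloc = parts.hostname or ""
    if parts.port:
        netloc += f":{parts.port}"
    if parts.username or parts.password:
        netloc = "REDACTED@" + netloc
    query = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in CREDENTIAL_PARAMS or OPAQUE_VALUE.match(value):
            value = "REDACTED"
        query.append((name, value))
    return urlunsplit((parts.scheme, netloc, parts.path, urlencode(query),
                       parts.fragment))


def redact_text(text):
    """Rewrite every credential-bearing URL in text with its redacted form."""
    def sub(match):
        url, trailing = _split_trailing(match.group(0))
        return (redact_url(url) if classify_url(url) else url) + trailing
    return URL_RE.sub(sub, text)


if __name__ == "__main__":
    for url, reasons in find_credential_urls(SAMPLE_MAILBOX):
        print(f"{url}  <- {', '.join(reasons)}")
    print(redact_text(SAMPLE_MAILBOX))
```

Run it over a real export (for example the text of an mbox file) to get a list of links to revoke on the server side; redaction of the copy is the second step, since a capability URL that has already been mailed stays valid until the account or token behind it is changed.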
Somebody who could peek at these emails as part of their job might just as easily have had access to the RealClimate server too. Remember, there are almost a quarter of a million emails we haven't seen. Chances are, one of those contained credentials for the RC server, which allowed the leaker to become an RC administrator and post the original FOIA story that Gavin Schmidt caught and squelched.
I and others I correspond with have our theories about who the leaker might be. From my perspective now, someone with broad system access looks to be a more likely candidate than a malicious outsider.
UPDATE: Many people in comments think I did something wrong by writing to Phil Jones and AGU/JGR. In Phil Jones' reply to me, he wrote: "A couple of other people sent me emails about this issue."
So clearly I wasn't the first to notify him of the open links to AGU. But more importantly, my email was also sent to AGU editors and the editor of JGR Atmospheres. Despite the troubles Jones and his group have caused skeptics over the years, AGU/JGR has been a reasonable journal that has published skeptical papers, including my own. Protecting that relationship with skeptics who publish is valuable, and the last thing we need is a scandal where papers submitted to AGU/JGR show up on other skeptic websites before they are reviewed because Jones sent active links around in emails. Knowing about the security holes put me in a damned-if-I-do, damned-if-I-don't position, but I opted for what I felt was the right course of action. If that upsets a few people, so be it. – Anthony
Don’t hold your breath waiting to be thanked by JGR or UEA.
RR
ok, that’s a big enough clue.
“we know that “FOIA” whoever he/she is, knows enough to choose the kind of security that would not likely be cracked in any reasonable amount of time. This probably rules out script kiddies and students”
Not really, they are likely to be more able than the IT staff. Also, it is not that difficult to encrypt a file and it does not take a genius to know that you need a long key.
Phil is still looking for the Any key to press to continue. 😉
Nothing in this situation surprises me any longer. I had suspected from the beginning that a system IT personality would have been in the best position to leak those e-mails. He (or she) should, of course, be given a medal. But that won’t happen, obviously, once this person is found out.
I don’t think it is a good idea to try and unmask the leaker (assuming that it was a leak and not a hack). It could possibly cause him or her problems in their future career.
boyscouts. nuff said
I don’t think we should help them catch FOIA, she or he is a godsend and should stay where they are as long as possible.
Did they acknowledge your email?
Ah, the BOFH is the first suspect, as usual!
Good throw off. Whodunit is probably closer than we think. "This of course is an unintended and unacceptable consequence of the email release". How did ya know it was unintended, Anthony?
Yes, you meant unintended in your release.
The topology of UEA system gives clues where servers of interest could be, and who handled them. However, only a deep investigation might flush out a suspect. There could be lots of leakage sites, like storage mediums, hardware & system crash rebuilds, upgrades and what about a myriad of technicians and service providers. What about all the different campus characters from mischievous students to administrators.
2009 seems to be the extent of the files, the second tranche of Emails could very well be a hostile IT guy spilling because of the heat generated at UEA over the first lot. Who knows?
Love to be able to follow the money trail paid for the establishment of that Ruski provider.
How ever much I long to know the content of the other 220K Emails, and exposing Whodunit would reveal that 256K encryption, I’d like Whodunit to remain anonymous, for his/her own benefit. I admire Whodunit’s tenacity.
There can’t be many candidates who fit AW’s description, yet the police have still drawn a blank after 2 years. Is this due to the incompetence of the investigation, or is it perhaps due to the fact that any answer might be politically embarrassing. I am sure it suits the agenda of the establishment to be able to blame illegal hacking rather than highlighting deficiencies within the UEA.
Seriously, Anthony, well done, that was a decent and responsible act. You’ll never get a job in “Climate Science” with a conscience like that!
Re. previous comment, for non-habitués of the Register: The BOFH is the “B#st#rd Operator From Hell”. The series details the eternal power struggles between the BOFH, with his assistant the PFY (Pasty Faced Youth), and the Boss, who is crazy enough to think that he runs the show. The battle is frequently lethal, generally hilarious, and more accurate than many Bosses would care to admit.
While it may have been a laudable thing to do Mr Watts, as others have stated, don't expect to be thanked for being so honest; it's not in the opposition's nature (no pun) to be that way with the rest of the world.
In fact if the roles were reversed I think they'd have used any foothold, any loophole to ensure they brought you down rather than simply seek the truth.
Personally I don't think it's wise to assist them in any way shape or form as it's simply helping them to continue unabated.
After all, this is a global war they're involved in, a war based on lies and disinformation, of treachery and vilification of anyone not supporting "the cause", and comfort shouldn't be given to enemies of freedom, especially ones who stoop so low as these.
Having stated all of that, I can see why you did it, and I as well as others on the sceptical side will applaud you for it if only because it proves the openness, honesty and conscience the sceptical viewpoint is based on.
Something that Jones et al could well learn from but unfortunately won't.
Best wishes, Charles.
Based on what I’ve seen so far, I don’t think any of the research staff at CRU had either broad access nor the specific tech knowledge to pull this “hack” off.
It only takes one. Most of my co-workers can barely run an Excel file (although admittedly they can find a trend line [/smirk]). But I can do rather more than that, certainly enough to download old e-mails and encrypt them securely. Most people aren’t aware that I can do that, because I’m not that interested in being unofficial IT support, which is what will happen if they know I can help them.
It could easily be the case here. One person might have somewhat more skill than appears.
Re: markus
The earliest email in the encrypted archive is dated Mon Feb 26 16:16:09 1990 GMT and latest is dated Fri Nov 13 14:54:11 2009. This guess is based purely upon the names of files in the encrypted archive, and the file naming convention used in the first release.
Therefore the archive could not contain post CG 1.0 emails.
I was contacted yesterday by a journo wanting help with identifying ‘foia’
http://tallbloke.wordpress.com/2011/12/05/opinion-foia-and-where-its-at-with-the-global-warming-issue/
The journo also wanted the IP address ‘foia’ posted from, but the price wasn’t right (zilch) so I declined to assist. 🙂
Not that it would have helped the journo much, as I’ve no doubt ‘foia’ would have used a proxy server to post through.
Well, it was always a leak and never a hack, wasn’t it? And by someone with more than minimal IT competence.
Of course, it is one thing to know who did it, and another to prove that he/she did it. Hence the reticence from the police and academic authorities, perhaps.
But it is difficult not to applaud the results of the exposure…
Who cares what the name of the mystery man/woman is. they have done a great service to those of us looking for the truth.
Whoever you are, many thanks.
The idea that a sophisticated person could only use 7Zip to encrypt the rest of the files is not true.
Once you had an idea to release an encrypted set, about 15 minutes on Google would have found you the right direction and tools. The software is free, the advice is free. Literally anyone with half a brain could figure it out.
I agree that the person needs to have some IT savvy – or access to someone who does, like a brother, childhood friend, that sort of thing. It really doesn’t narrow the field.
Given they seem to have had woeful security and procedures in place before the 1st release, I don’t think it helps much. We already know from plenty of other evidence they didn’t take passwords or security seriously.
I suspect we’ll know more once the second set of emails is released. My guess is they are restricted because they are either more incriminating, or might be used to determine the identity of the leaker.
The bit about IT staff peeking at sensitive data is very true, however. Most consider it a perk of the job.
Anthony: Did you get a response with a big thank you?
I'm sure a Xmas card will be in the post.
It was the butler, it’s always the butler.
Hmmm…
Perhaps we could start our investigation by asking “Who doesn’t have access?”.
Anthony, although it is morally sound to tell UEA about what you have found, it also is morally justifiable, in my view, that the truth should come out. I sincerely hope that the information does not target the FOIA chap/chapess. There is much talk about protecting whistleblowers etc. in Government circles; however, if this person is unmasked, I suspect the full weight of the judicial system will drop on them like a stone. Never embarrass a politician unless you have mega clout.
Even as we speak, a clandestine network of hundreds of home computers is using idle cycles to crunch away at the key … \9-)