Who gets the most access to network data (like emails at CRU)?

Post updated – see below.

Climategate – whodunnit?

Well, according to this story in Help Net Security, the Information Technology people might be good candidates to see what has been going on behind the scenes at UEA’s Climate Research Unit, since they have broad access and, according to a recent survey, many in IT positions can’t resist peeking:

“IT security staff will be some of the most informed people at the office Christmas party this year. A full 26 per cent of them admit to using their privileged log in rights to look at confidential information they should not have had access to in the first place. It has proved just too tempting, and maybe just human nature, for them to rifle through redundancy lists, payroll information and other sensitive data including, for example, other people’s Christmas bonus details.”

Here are some eye-opening survey stats about what IT people do with that access:

  • 42 percent of those surveyed said that in their organisations’ IT staff are sharing passwords or access to systems or applications
  • 26 percent said that they were aware of an IT staff member abusing a privileged login to illicitly access sensitive information
  • 48 percent of respondents work at companies that are still not changing their privileged passwords within 90 days – a violation of most major regulatory compliance mandates and one of the major reasons why hackers are still able to compromise the security of large organisations.
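Two of those survey findings describe conditions an administrator can actually test for rather than just deplore: a privileged account being used from several places at once (the usual footprint of a shared password) and privileged passwords that have not been rotated within 90 days. The script below is an added example, not code from the article or from the survey it quotes; the log format, host name, account names, addresses and password-change dates are constructed for illustration.

```python
"""Added example (not from the article or the survey it quotes): two checks
for the behaviours the survey bullets describe. Log format, hosts, users and
addresses are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample of a syslog-style sshd auth log (invented hosts/users/IPs).
SAMPLE_AUTH_LOG = """\
2011-11-21T08:02:11 mailarch sshd: Accepted password for mailadmin from 10.1.4.22
2011-11-21T08:03:40 mailarch sshd: Accepted password for mailadmin from 10.1.9.87
2011-11-21T08:05:02 mailarch sshd: Accepted password for mailadmin from 10.1.4.22
2011-11-21T09:30:15 mailarch sshd: Accepted password for jbloggs from 10.1.4.22
2011-11-21T22:41:09 mailarch sshd: Accepted password for mailadmin from 192.168.7.5
2011-11-22T07:55:33 mailarch sshd: Accepted password for jbloggs from 10.1.4.22
"""

# Constructed last-password-change dates for privileged accounts (what you would
# pull from `chage -l`, a directory, or a vault export).
SAMPLE_PASSWORD_AGES = {
    "mailadmin": "2011-06-01",
    "root": "2011-11-01",
    "backupsvc": "2010-02-14",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_auth_log(text):
    """Yield (timestamp, user, source address) for each successful login."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"]


def shared_account_logins(text, privileged, window=timedelta(hours=1)):
    """Flag privileged accounts that logged in from more than one source address
    within `window` of each other. One person does not usually do that; two
    people holding the same password do. Returns {user: sorted source list}."""
    by_user = defaultdict(list)
    for ts, user, src in parse_auth_log(text):
        if user in privileged:
            by_user[user].append((ts, src))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (ts, src) in enumerate(events):
            for later_ts, later_src in events[i + 1:]:
                if later_ts - ts > window:
                    break  # events are sorted, so nothing later is in range
                if later_src != src:
                    flagged.setdefault(user, set()).update({src, later_src})
    return {user: sorted(srcs) for user, srcs in flagged.items()}


def stale_privileged_passwords(ages, as_of, max_age_days=90):
    """Return {user: age in days} for passwords older than `max_age_days` on `as_of`."""
    as_of_dt = datetime.fromisoformat(as_of)
    stale = {}
    for user, changed in ages.items():
        age = (as_of_dt - datetime.fromisoformat(changed)).days
        if age > max_age_days:
            stale[user] = age
    return stale


if __name__ == "__main__":
    print("shared:", shared_account_logins(SAMPLE_AUTH_LOG, {"mailadmin", "root"}))
    print("stale:", stale_privileged_passwords(SAMPLE_PASSWORD_AGES, "2011-12-06"))
```

The one-hour window is a tuning knob: too short and a genuinely shared password used on different days slips through, too long and one administrator moving between a desk and a server room gets flagged. Addresses behind NAT or VPN concentrators will also look like "one place", so this check finds sharing across distinct networks, not every case.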

Remember the HARRY READ ME file from Climategate 1? That programmer was bemoaning the sad state of the database and methodologies because he had a broad view, afforded by working with the data within the organizational group. He knew more than any single person he was doing work for.

In the case of the UEA Climategate 1 and 2 emails, it seems clear now that to gather up as much information as has been shown to be available, it wasn’t likely a quick in-and-out job. As this WUWT guest post by David M. Hoffer shows, this wasn’t just a simple hack. He wrote:

So…who had administration rights on the email system itself?  There’s reason to believe that it was not any of the researchers, because it is clear from many of the emails themselves that they had no idea that things like archives and backup tapes existed.

Whoever did it likely got it from the email archive system, knew what they were doing, and they had to have broad access to get all these emails gathered together.

Then, when we see that 256-bit AES encryption was the choice to secure the remaining nearly quarter of a million emails, we know that “FOIA”, whoever he/she is, knows enough to choose the kind of security that would not likely be cracked in any reasonable amount of time. This probably rules out script kiddies and students at UEA who might have had accidental network access and just grabbed a few files when they thought nobody was looking.

And what about the original first “hack” of the RealClimate.org server that Gavin Schmidt squelched? When we see survey results like “42 percent of those surveyed said that in their organisations’ IT staff are sharing passwords or access to systems or applications”, and we know how close and interconnected UEA/CRU and GISS staff are, whoever left that first drop of emails on the RealClimate server probably had some shared password or other sort of access.

The sharing of system access in emails was broadly demonstrated in Climategate 2.0. For example, Dr. Phil Jones and others at CRU sent some emails out years ago that linked to papers under review at the Journal of Geophysical Research. Some WUWT readers found these early on, and sure enough, such links from years ago in the CG2 emails still worked.

A few days ago I made the issue known to Dr. Phil Jones and to the JGR journal staff so they could close this security hole. As far as I know, all have been closed. I’ve tested again tonight and the live link fails now. Now that they have been closed, I can talk about it safely without putting JGR’s manuscript system at risk.

From: Anthony
Sent: Thursday, November 24, 2011 5:10 PM
To: p.jones@uea.xxxx.xxx
Cc: grlonline@xxxx.xxx ; jgr-atmospheres@xxxxx.xxx
Subject: password enabled JGR links in Climategate 2 files
Dear Dr. Jones,
I know that you know me, and probably do not like me for my views and publications. Regardless of what you may think of me and my work, it has been brought to my attention by a reader of my blog that there are open access links to your manuscripts at JGR included in the email that are now in the public view.
Therefore, it is my duty to inform you that in the recent release of Climategate 2 files there are links to JGR journal review pages for your publications and also for the publications for Dr. Keith Briffa.
For example, this link:
http://jgr-atmospheres-submit.agu.org/cgi-bin/main.plex?el=
I have verified that in fact that link opens your JGR account and provides full access to your JGR account.
In fact there are 35 different emails in this release that contain live links to JGR/AGU author pages. Similar other links exist, such as for Dr. Keith Briffa and others at CRU.
This of course is an unintended and unacceptable consequence of the email release.
I am cc:ing Joost de Gouw Editor, JGR Atmospheres in hopes that he can take action to close this open access to these accounts. It is a holiday here in the USA (Thanksgiving) and there may not be office hours on Friday but hopefully he is monitoring emails.
JGR should immediately change all passwords access for these CRU members and I would advise against allowing transmission of live links such as the one above in the future. JGR might also consider a more secure method of manuscript sharing for review.
The open nature of these links is not publicly “on the radar” even though they are in fact public as a part of the email cache, and I do not plan on divulging them for any reason. Any mention of these links will be deleted from any public comments on my blog should any appear.
Dr. de Gouw (or anyone at JGR) and Dr. Jones, please acknowledge receipt of this email.
Thank you for your consideration.
Best regards,
Anthony Watts
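The problem the e-mail above reports is a general one: a URL that opens an account without a login is a bearer credential, and once it sits in a mail archive it goes wherever the archive goes. The scanner below is an added example, not code from the article, from the e-mail above, or from JGR/AGU. It pulls URLs out of a mail dump and flags query parameters that look like session or login tokens, either by name or because the value is a long opaque string. The list of credential-like parameter names and the entropy threshold are assumptions; the only name taken from the page is `el`, visible in the truncated link quoted above, and the messages, hosts and token values are constructed.

```python
"""Added example (not from the article, the e-mail above, or JGR/AGU): scan an
e-mail dump for URLs whose query string carries what looks like a login or
session token, the kind of live link the e-mail above reports. The parameter
names treated as credential-like and the entropy threshold are assumptions;
the messages, hosts and token values below are constructed."""
import math
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names commonly used for session/login tokens (assumed list; "el" is
# the name visible in the truncated link quoted in the e-mail above).
TOKEN_PARAM_NAMES = {"token", "key", "auth", "sid", "session", "pass", "pwd", "password", "el"}

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")

# Constructed sample mailbox text with invented addresses, hosts and token values.
SAMPLE_MAILBOX = """\
From: a.researcher@example.org
Subject: reviews due
The reviews are at https://submit.journal.example.org/cgi-bin/main.plex?el=A3F9k2Qz8mLp7Xw1 - let me know.
Also see https://www.example.org/news/2011/12/update.html for the announcement.

From: b.colleague@example.org
Subject: Re: reviews due
Data are on ftp://ftp.example.org/pub/data.zip and the portal is
https://portal.example.org/login?user=bcolleague&session=9f8e7d6c5b4a3210fedcba9876543210
"""


def shannon_entropy(s):
    """Bits per character; an opaque random token scores well above ordinary words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def looks_like_token(name, value):
    """A parameter is suspicious if its name is credential-like and the value is
    not trivially short, or if the value is long and high-entropy regardless of name."""
    if name.lower() in TOKEN_PARAM_NAMES and len(value) >= 8:
        return True
    return len(value) >= 16 and shannon_entropy(value) > 3.0


def find_live_links(text):
    """Return [(url, [suspicious parameter names])] for every URL in `text`
    that carries at least one token-like query parameter."""
    hits = []
    for url in URL_RE.findall(text):
        query = urlsplit(url).query
        suspicious = [name for name, value in parse_qsl(query, keep_blank_values=True)
                      if looks_like_token(name, value)]
        if suspicious:
            hits.append((url, suspicious))
    return hits


def redact_url(url):
    """Replace token-like values so a finding can be reported without re-leaking them."""
    parts = urlsplit(url)
    query = "&".join(
        f"{name}=REDACTED" if looks_like_token(name, value) else f"{name}={value}"
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
    )
    return parts._replace(query=query).geturl()


if __name__ == "__main__":
    for url, params in find_live_links(SAMPLE_MAILBOX):
        print(f"{redact_url(url)}  (token-like: {', '.join(params)})")
```

Run it over an mbox export or a decompressed archive before it leaves your hands, and report the redacted form only; the whole point of the exercise is not to repeat the mistake in the notification. The entropy test catches tokens hidden behind innocuous parameter names, at the cost of occasionally flagging long identifiers that are harmless, which is the right trade when the alternative is an account that opens without a password.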

So clearly, CRU and others in the emails didn’t think twice about sending around open-access live links. As David M. Hoffer points out in his article, the researchers don’t seem to have a clue about security. They also leave “sensitive” files they don’t want to share under FOIA requests lying about on open FTP servers. Based on what I’ve seen so far, I don’t think any of the research staff at CRU had either the broad access or the specific tech knowledge to pull this “hack” off.

Somebody who had the ability to peek at these emails as part of their job might just as easily have had access to the RealClimate server too. Remember, there are almost a quarter of a million emails we haven’t seen. Chances are, one of those contained the key to the RC server, which allowed them to become an RC administrator and post the original FOIA story which Gavin Schmidt caught and squelched.

I and others I correspond with have our theories about who the leaker might be. From my perspective now, someone with broad system access looks to be a more likely candidate than a malicious outsider.

UPDATE: Many people in comments think I’m doing something wrong by writing to Phil Jones and AGU/JGR. In Phil Jones’s reply to me, he wrote: “A couple of other people sent me emails about this issue.”

So clearly I wasn’t the first to notify him of the open links to AGU. But more importantly, my email was also sent to AGU editors and the editor of JGR Atmospheres. Despite what troubles Jones and his group have caused over the years with skeptics, AGU/JGR has been a reasonable journal that has published skeptical papers, including my own. Protecting that relationship with skeptics who publish is valuable, and the last thing we need is a scandal where papers submitted to AGU/JGR are showing up on other skeptic websites before they are reviewed because Jones sent active links around in emails. Having the knowledge of the security holes was a damned-if-I-do, damned-if-I-don’t proposition, but I opted on the side of doing what I felt was the right course of action. If that upsets a few people, so be it. – Anthony

253 Comments
Dave L.
December 6, 2011 5:15 am

Anthony,
We know the hacker was actually “you”. You are just trying to throw the investigators off your trail with this post. (sarcasm)

bananabender
December 6, 2011 5:23 am

In reality it was probably exceptionally easy to get access to the files. It probably involved nothing more complex than a bored technician copying a batch of files to a USB thumbdrive late one night.
BTW passwords provide zero protection if someone has physical access to your computer. They can simply use a Linux USB thumbdrive to boot into a Linux session. They can then read or copy any files on your computer. It doesn’t even leave a record because no changes are made to the hard drive.

pat
December 6, 2011 5:23 am

MSM is still trying to single out China as having broken ranks, however:
5 Dec: Times of India: Nitin Sethi: Durban talks: China scorches rumours of rift with India
DURBAN: China scorched all rumours that it had moved away from India’s position on Kyoto Protocol and a new global deal on Monday…
His statement came a day after developed countries had attempted to paint India as the bad boy of climate claiming it was the only impediment to talks on a new global deal in Durban and China had taken a more flexible stance…
But on the weekend news reports originating from Durban suggested that China had diluted its stance on this and was willing to a new deal right away.
Zhenhua made it clear that it had always been in favour of a new global deal but only after 2020 and that too with several important riders – most of which the western countries are inimical to completely at the moment. He noted that fast start and long term funds and technology transfer – as envisioned under the Cancun Agreements needed to be operationalised too before talks on a new deal begin in 2015.
India has stated exactly the same on various occasions before but some developed countries have attempted to draw out a rift in the BASIC ranks, which negotiators in the developing world suggest are early signs of Europe being isolated yet again at the climate talks with its trenchant position…
Zhenhua said it was important to first see the existing commitments – under Kyoto Protocol and Cancun Agreements – first be fulfilled and the review of the existing UN convention show how well the developed countries had done in meeting their obligations.
The Indian position also got support from the African groups and other developing countries with the leader of the African group of countries saying Europe was interested in the carbon trade and not in the Kyoto Protocol, likening it to someone loving mangoes but disliking a mango tree.
http://timesofindia.indiatimes.com/home/environment/developmental-issues/Durban-talks-China-scorches-rumours-of-rift-with-India/articleshow/10995262.cms

bananabender
December 6, 2011 5:32 am

Polistra,
I agree with you totally. In most universities grad students seem to have access to virtually every bit of equipment 24 hours a day. The idea of a bored student poking around the mail system in late one night seems very plausible.

Ric
December 6, 2011 5:33 am

Just wondering if we should be referring to the FOIA leaker with a kewl name…like Deep Throat for Watergate? Maybe Deep IT?

Jean Parisot
December 6, 2011 5:33 am

IMHO, based on having been down the FOIA goatrope before, is that the archive was prepared by UEA IT for the FOI office using a set of search terms. That archive is then reviewed by legal and the program staff. I suspect the various actors involved saw that file and moved heaven and earth to stop its release. So, the leaker would not have needed administrator access to multiple servers and archives, IT would have delivered several CDs to FOI, management, legal, and the project office. 3mins of inattention and anyone – visitor, janitor, girlfriend, student, etc could have copied the archive and walked out with it.

December 6, 2011 5:43 am

To Matthew W. 5:06am
Shocking? Perhaps. Research shows, and this post confirms, that under the right conditions (for a given individual) about 50% will do a dirty.
I try to be a fair and honest person, giving back excess change etc. But I have my price: $6,000,000 (USD) up front, free and clear.
I think everyone should consider what their “price” is. It could save a lot of indecision later. For myself, I am pretty sure no one will be willing to meet mine.

December 6, 2011 5:47 am

Sophia says:
December 6, 2011 at 4:24 am
Recognising the dying Shears, Nicholson exclaims, “What have I done?”

But in the end, SPOILER ALERT, SPOILER ALERT, doesn’t he succeed in blowing up the bridge? Or do I misremember the ending of the movie?

December 6, 2011 5:54 am

Sparks says:
December 6, 2011 at 4:27 am

Too Sci-Fi?? Lol

That was so bad that I really wish I could send data back in time to tell myself not to read it. lol

December 6, 2011 5:55 am

Hector Pascal says: December 6, 2011 at 4:40 am
thanks tho I don’t see the relevance to my statements. I’d say yours is the realist / statistical view, that sees the lazy 90% “consensus” as the dominant picture; but I submit that the 10% (or less) “mavericks” are as important short-term and far more important long-term. I take the success of WUWT as direct evidence of this.

Mardler
December 6, 2011 6:09 am

“Based on what I’ve seen so far, I don’t think any of the research staff at CRU had either broad access nor the specific tech knowledge to pull this “hack” off.”
“I once worked in a school system where the access codes design was so simple the students had figured it out and were sharing it openly within two weeks of the opening of school.”
I suspect these quotes are very, very, close to the truth.
The Team was so inept that a fascinating scenario comes to mind and it does not, necessarily, involve I.T. staff. Students are often geeks, most are I.T. savvy and not a few inquisitive. Those of the non bleeding heart liberal tendency (whose natural affinity will be with The Team – who, don’t forget, may also have lectured them) may, having smelled the rat in their bad scientific process, have disagreed with The Team. Could it be that critical thinking students, having discovered The Cause and the bad science underlying it, were involved perhaps with the connivance of an I.T. specialist?

Pamela Gray
December 6, 2011 6:10 am

Any and all attempts to form a professional relationship with the other side has turned sour. I predict this one will as well. You have been bitten so many times yet you continue to put your hand in the snake pit.

J.H.
December 6, 2011 6:15 am

It serves no purpose to speculate about who leaked these emails….. I don’t think it is a good idea to give those who would persecute this brave individual any clue to who he or she might be…. Just keep your theories to yourselves and focus on the info instead.

Russ R.
December 6, 2011 6:38 am

Mr. Watts,
I’m very pleased to see that you alerted Phil Jones and JGR to the password security risk.
Your integrity and decency is highly admirable. Please don’t ever veer off the high road.
Best regards,
Russ

December 6, 2011 6:38 am

If the person or persons who leaked the email files is ever identified, it would be appropriate to award him/them a Nobel Prize, and the highest civilian award which can be bestowed by Britain or the US. Few times in history have the billions of mankind owed so much to so few. He/they have acted to save the world from poverty, starvation, and increasingly authoritative government action.

AdderW
December 6, 2011 6:48 am

Brian H says:
December 6, 2011 at 2:48 am
Even as we speak, a clandestine network of hundreds of home computers is using idle cycles to crunch away at the key … \9-)

Yes, I wish it could be set up and run in a SETI kind of way.
Someone, please make such software. It’s for the cause.

John
December 6, 2011 6:55 am

FWIW, my view has been that the police and university could unmask the insider if they wished. I don’t think they wish to, because that person might then show the world how code was manipulated to get the desired result, etc. Things would be even worse.
If this is reasonably accurate, there is a sort of Faustian bargain going on: the insider hasn’t given up everything he or she knows, and the authorities leave the insider alone because of the further embarrassment it would cause the Climate Hockey Team should the insider tell all he or she knows.
Just a thought….

Scott Brim
December 6, 2011 7:00 am

Morph: “Putting these two ideas together I would think that the person involved made a physical theft of a backup at some point, restored it offsite, and then replaced it before anyone noticed. There would be no electronic record that the backup had been accessed and no physical evidence of it being taken at all, at least unless someone noticed which is unlikely – say in a weekly rotating backup scenario or a backup being made to another removable system.”

If a live copy of the backup was placed on disk storage for quick retrieval in case of a system failure, and if the hacker had gained access to the live files where the hot backup was stored, then that person could have simply copied the backup files without doing any replacement at all, leaving no traceable footprint behind. Then as you suggest, the files could have been restored offsite and then analyzed for their content at the hacker’s leisure.
Unless this person, or these people, come forward of their own volition, the hacker or hackers will likely never be identified.
But if they are indeed eventually identified, they will have to suffer the legal consequences for their actions, because they deliberately violated security rules and procedures which have potential criminal and/or civil penalties associated with them, even if the access was gained externally, and even if the content of the information was releasable under FOI rules. The potential for retribution from authorities comes with the territory of deliberately performing an act of civil disobedience, which in the greater context of the AGW debate, is really what this event represents.

O2BNAZ
December 6, 2011 7:07 am

Anthony,
Remember, they don’t play by your rules. If you expect a reciprocating decency you are a dreamer for a world that no longer exists.
REPLY: I play by my rules, doing what is right. I expect nothing except scorn. No good deed goes unpunished. – Anthony

PaulH
December 6, 2011 7:11 am

I wonder if this is a self-reported, anonymous survey of IT staff, instead of a careful examination of root/admin level access logs. I ask because there might be a bit of “I know what you’re doing online, bwhahahah!” bravado from the IT staff if it’s self reported. 😉 Just wondering…

December 6, 2011 7:13 am

Charles.U.Farley says:
December 6, 2011 at 1:20 am
…Personally i dont think its wise to assist them in any way shape or form as its simply helping them to continue unabated.

No, I completely agree with Anthony’s course of action. Regardless of what “The Team” might think, we’re interested and motivated to rescue the science from the malfeasance these emails reveal. There are other publications by other scientists at that same site. Knowingly allowing it to remain compromised is unethical.

Jeff Id
December 6, 2011 7:16 am

steven mosher says:
December 6, 2011 at 12:14 am
ok, that’s a big enough clue.
———–
So Mosher works at the UEA!!

JDN
December 6, 2011 7:17 am

@Sophia: Well, you’ve ruined that movie. 🙂

December 6, 2011 7:18 am

As said IT professional, I am certain that the leaker was not an IT dude.
why ?
An IT expert would never have released ‘ClimateGate 2.0’ OR ‘foia2.zip’
It would have been ‘CRUgissDat2EzeMail version 2.01875 Service pack 3.0 W95,97,Vista,7’
and for those of you trying different passwords – you can rule out
‘InTheBlueRidgeMountainsOfSiberiaOnTheTrailOfTheBristleconePine’
‘IwasWorkingInTheLabLateOneNightWhenMyEyesBeheldATerribleSight’
jokes/

December 6, 2011 7:23 am

Jean Parisot says:
December 6, 2011 at 5:33 am
IMHO, based on having been down the FOIA goatrope before, is that the archive was prepared by UEA IT for the FOI office using a set of search terms. That archive is then reviewed by legal and the program staff. I suspect the various actors involved saw that file and moved heaven and earth to stop its release.

That has always been my own opinion as well. Since the released files are not just “any and all”, but specifically focused on responding to a FOI request, they constitute what was specifically assembled by their FOI compliance team. Release was squelched because of the damning content.
Since this was an abrogation of their legal and moral obligation to respond, someone on the compliance team took it upon themselves to release anyway.
Could FOIA be a technically adept ethical lawyer? Nah, such a thing doesn’t exist. Does it?