Climategate – whodunnit?
Well, according to this story in Help Net Security, the Information Technology people are good candidates for having seen what has been going on behind the scenes at UEA’s Climatic Research Unit, since they have broad access and, according to a recent survey, many in IT positions can’t resist peeking:
“IT security staff will be some of the most informed people at the office Christmas party this year. A full 26 per cent of them admit to using their privileged log in rights to look at confidential information they should not have had access to in the first place. It has proved just too tempting, and maybe just human nature, for them to rifle through redundancy lists, payroll information and other sensitive data including, for example, other people’s Christmas bonus details.”
Here are some eye-opening survey stats about what IT people do with that access:
- 42 percent of those surveyed said that in their organisations IT staff are sharing passwords or access to systems or applications
- 26 percent said that they were aware of an IT staff member abusing a privileged login to illicitly access sensitive information
- 48 percent of respondents work at companies that are still not changing their privileged passwords within 90 days – a violation of most major regulatory compliance mandates and one of the major reasons why hackers are still able to compromise the security of large organisations.
Remember the HARRY READ ME file from Climategate 1? That programmer was bemoaning the sad state of the database and methodologies because he had the broad view afforded by working with the data inside the organizational group. He knew more than any single person he was doing work for.
In the case of the UEA Climategate 1 and 2 emails, it seems clear now that gathering as much information as has been shown to be available was not a quick in-and-out job. As this WUWT guest post by David M. Hoffer shows, this wasn’t a simple hack. He wrote:
So…who had administration rights on the email system itself? There’s reason to believe that it was not any of the researchers, because it is clear from many of the emails themselves that they had no idea that things like archives and backup tapes existed.
Whoever did it likely got it from the email archive system, knew what they were doing, and they had to have broad access to get all these emails gathered together.
Then, when we see that 256-bit AES encryption was the choice to secure the remaining nearly quarter of a million emails, we know that “FOIA”, whoever he or she is, knows enough to choose the kind of protection that is not likely to be cracked in any reasonable amount of time. (One caveat: AES-256 is the default in common archivers, so the cipher label alone proves little; what actually keeps such an archive closed is the length and unguessability of the passphrase protecting the key.) This probably rules out script kiddies and students at UEA who might have had accidental network access and just grabbed a few files when they thought nobody was looking.
And what about the original first “hack” of the RealClimate.org server that Gavin Schmidt squelched? When we see survey results like “42 percent of those surveyed said that in their organisations IT staff are sharing passwords or access to systems or applications”, and we know how close and interconnected UEA/CRU and GISS staff are, it seems likely that whoever left that first drop of emails on the RealClimate server had a shared password or some other form of access.
The sharing of system access in emails was broadly demonstrated in Climategate 2.0. For example, Dr. Phil Jones and others at CRU sent some emails out years ago that linked to papers under review at the Journal of Geophysical Research. Some WUWT readers found these early on, and sure enough, such links from years ago in the CG2 emails still worked.
A few days ago I made the issue known to Dr. Phil Jones and to the JGR journal staff so they could close this security hole. As far as I know, all have been closed. I’ve tested again tonight and the live link fails now. Now that they have been closed, I can talk about it safely without putting JGR’s manuscript system at risk.
From: Anthony
Sent: Thursday, November 24, 2011 5:10 PM
To: p.jones@uea.xxxx.xxx
Cc: grlonline@xxxx.xxx ; jgr-atmospheres@xxxxx.xxx
Subject: password enabled JGR links in Climategate 2 files
Dear Dr. Jones,
I know that you know me, and probably do not like me for my views and publications. Regardless of what you may think of me and my work, it has been brought to my attention by a reader of my blog that there are open access links to your manuscripts at JGR included in the emails that are now in public view.
Therefore, it is my duty to inform you that in the recent release of Climategate 2 files there are links to JGR journal review pages for your publications and also for the publications for Dr. Keith Briffa.
For example, this link:
http://jgr-atmospheres-submit.agu.org/cgi-bin/main.plex?el=
I have verified that that link in fact opens your JGR account and provides full access to it.
In fact there are 35 different emails in this release that contain live links to JGR/AGU author pages. Similar other links exist, such as for Dr. Keith Briffa and others at CRU.
This of course is an unintended and unacceptable consequence of the email release.
I am cc:ing Joost de Gouw Editor, JGR Atmospheres in hopes that he can take action to close this open access to these accounts. It is a holiday here in the USA (Thanksgiving) and there may not be office hours on Friday but hopefully he is monitoring emails.
JGR should immediately change all password access for these CRU members, and I would advise against allowing transmission of live links such as the one above in the future. JGR might also consider a more secure method of manuscript sharing for review.
The open nature of these links is not publicly “on the radar” even though they are in fact public as a part of the email cache, and I do not plan on divulging them for any reason. Any mention of these links will be deleted from any public comments on my blog should any appear.
Dr. de Gouw (or anyone at JGR) and Dr. Jones, please acknowledge receipt of this email.
Thank you for your consideration.
Best regards,
Anthony Watts
So clearly, CRU and others in the emails didn’t think twice about sending around live links that grant open access. As David M. Hoffer points out in his article, the researchers don’t seem to have a clue about security. They also leave “sensitive” files they don’t want to share under FOIA requests lying about on open FTP servers. Based on what I’ve seen so far, I don’t think any of the research staff at CRU had either the broad access or the specific technical knowledge to pull this “hack” off.
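The problem described above, links that log the recipient straight into a manuscript system, is exactly the kind of thing an archive review should catch before a mail store is shared or released. As an added example (not code from the original post or its author), here is a small Python scanner that walks a mail archive in mbox format, flags every URL whose query string carries a credential-style parameter, and redacts the value so the report itself does not leak it. The sample archive, its addresses and the `el=` token are constructed; the list of parameter names treated as secrets is an assumption chosen for illustration, with `el` included only because the JGR links quoted in the post use it.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit, parse_qsl

# Query-string parameter names that usually carry a login or session secret.
# "el" is included because the manuscript-system links quoted in the post use it.
# This list is an assumption for illustration, not a standard.
SECRET_PARAMS = re.compile(
    r"^(el|tok(en)?|key|api_?key|sid|session(_?id)?|auth|access_token|"
    r"pass(word|wd)?|pwd|login|ticket)$",
    re.IGNORECASE,
)
# A long run of URL-safe characters looks like an opaque token even when the
# parameter name is innocent (e.g. "ref=").
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9_\-]{20,}$")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
TRAILING_PUNCT = ".,;:)]"


def _is_secret(name, value):
    return bool(SECRET_PARAMS.match(name) or OPAQUE_VALUE.match(value))


def classify_url(url):
    """Return the query parameter names in `url` that look like credentials."""
    query = urlsplit(url.rstrip(TRAILING_PUNCT)).query
    return [n for n, v in parse_qsl(query, keep_blank_values=True) if _is_secret(n, v)]


def redact(url):
    """Replace credential-looking query values so a report can be shared safely."""
    parts = urlsplit(url.rstrip(TRAILING_PUNCT))
    if not parts.query:
        return parts.geturl()
    kept = [
        f"{n}=<redacted>" if _is_secret(n, v) else f"{n}={v}"
        for n, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return parts._replace(query="&".join(kept)).geturl()


def _body_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload is not None:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def scan_mbox(text):
    """Walk an mbox-format archive and report every URL carrying a credential-like parameter."""
    findings = []
    # mbox messages are delimited by lines beginning "From " (space, not colon).
    for raw in re.split(r"^From .*\n", text, flags=re.MULTILINE):
        if not raw.strip():
            continue
        msg = message_from_string(raw)
        for url in URL_RE.findall(_body_text(msg)):
            params = classify_url(url)
            if params:
                findings.append({
                    "subject": msg.get("Subject", ""),
                    "url": redact(url),
                    "params": params,
                })
    return findings


# Constructed sample archive: the addresses, dates and the "el=" token are made up.
SAMPLE_MBOX = """\
From p.example@uea.invalid Thu Nov 24 17:10:00 2011
From: P. Example <p.example@uea.invalid>
To: k.example@uea.invalid
Subject: paper under review

Review page is here, no password needed:
http://jgr-atmospheres-submit.agu.org/cgi-bin/main.plex?el=CONSTRUCTED_TOKEN_NOT_REAL_0001
The journal home page is http://www.agu.org/journals/jd/ for reference.

From k.example@uea.invalid Fri Nov 25 09:00:00 2011
From: K. Example <k.example@uea.invalid>
To: p.example@uea.invalid
Subject: Re: paper under review

Thanks. The data are on the FTP server as usual.
"""

if __name__ == "__main__":
    for f in scan_mbox(SAMPLE_MBOX):
        print(f"{f['subject']!r}: {f['url']}  (params: {', '.join(f['params'])})")
```

Run against a real archive by reading the mbox file into `scan_mbox`; the output names the message and the offending parameter but never the token, so it can be handed to the journal or the system owner as a revocation list. The opaque-value rule deliberately errs towards false positives: a reviewer can dismiss a long tracking identifier in seconds, while a missed session token is a live login for as long as the link is valid.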
Somebody who had the ability to peek at these emails as part of their job might just as easily have had access to the RealClimate Server too. Remember there’s almost a quarter million emails we haven’t seen. Chances are, one of those contained the key to the RC server, which allowed them to become an RC administrator and post the original FOIA story which Gavin Schmidt caught and squelched.
I and others I correspond with have our theories about who the leaker might be. From my perspective now, someone with broad system access looks to be a more likely candidate than a malicious outsider.
UPDATE: Many people in comments think I’m doing something wrong by writing to Phil Jones and AGU/JGR. In Phil Jones’ reply to me, he wrote: A couple of other people sent me emails about this issue.
So clearly I wasn’t the first to notify him of the open links to AGU. But more importantly, my email was also sent to AGU editors and the editor of JGR Atmospheres. Despite what troubles Jones and his group have caused over the years with skeptics, AGU/JGR has been a reasonable journal that has published skeptical papers, including my own. Protecting that relationship with skeptics who publish is valuable, and the last thing we need is a scandal where papers submitted to AGU/JGR are showing up on other skeptic websites before they are reviewed because Jones sent active links around in emails. Having the knowledge of the security holes was a damned-if-I-do, damned-if-I-don’t proposition, but I opted on the side of doing what I felt was the right course of action. If that upsets a few people, so be it. – Anthony

Anthony did the right thing IMO.
As an IT admin, I *NEVER* look casually at the data I am entrusted with. That would be *poor* stewardship. I do on occasion have to view data elements to ensure that things are OK (not corrupted from a restore, etc.). If I were then to come across evidence of a crime in progress, or massive academic dishonesty and conspiracy to violate laws and to besmirch the reputations of innocent people, I can assure you that I would handle it in the most ethical manner possible, in accordance with commonly practiced ethical standards. IT folks can do jail time if they take part in the conspiracy, even if they had nothing to do with it.
Some illegal activity is reportable to ombudsmen or local authorities. In fact, the appropriate authorities are the perfect place to report in order to nip conspiracies in the bud before they embroil entire universities. However, if the university authorities are also deeply involved in the case (as Penn State has been — I think no one will disbelieve that there has been a widespread culture of corruption there), then some other safety valve must be found, in order to prevent the IT professional’s unwilling inclusion in the corruption. Simply complying with the FOIA requests, exposing the corruption to the light of day, is a very effective and defensible way to do this.
You may note that that leaves a wide spectrum of activities open for me to use — I will not ever casually “dump” data. This is a position most IT professionals take.
However, to assume that an IT professional was the one who did this is a bit rash. Most of these systems are poorly protected in other ways than just password access — often in regrettable ways. Often a casual observer in the right place at the right time can have physical access to a stack of 8mm backup tapes.
As an IT professional, although I cannot and will not say that it was the IT guys, if I ever find myself at Penn State, I will be buying their IT people many rounds of Guinness Stout, the fuel of IT professionals & BOFH’s the world around.
@Eternal Optimist
With that logic, you can rule out that guy that names Microsoft products. 🙂
@O2BNAZ, Anthony’s reply
If you, Anthony, had been in FOIA’s position, would you have leaked the mails?
Was FOIA ‘doing what is right’?
Is contributing to his discovery before he is ready to expose himself ‘doing what is right’?
Anthony,
I have seen nothing to change my original hypothesis:
FOIA is the guy whose job it was to pull together the emails for the original foia request (can’t remember his name now) and that he foolishly accepted Jones’ plea to be allowed to put that together himself. Jones was thus given access to the backup server to do this and FOIA later found a folder with that name, compiled by Jones, that was earmarked for deletion.
I think FOIA got so pissed off at being duped – and at his own gullibility and stupidity – that he arranged the document leak. Jones knows who did it because FOIA told him – they both would lose their jobs over this. FOIA should never have allowed Jones to compile the documents in compliance with the FOIA request with access to the backup server (because that was HIS job), so he is as guilty at some level as Jones was for planning to delete the documents.
They were then, and still are, at a stalemate. What FOIA wants now, holding the remaining emails over their heads, is another question entirely.
Perhaps FOIA is insisting Jones et al confess because he is ready to do so himself but wants it to be a confession rather than an exposure?
TerryS said “Therefore the [new] archive could not contain post CG 1.0 emails.”
This is a key observation.
Because what it means is that both the CG 1.0 and CG 2.0 emails were gathered all at one time. Which in turn means that firstly FOIA has held the latest release for two years. Secondly it means that FOIA has not further exposed themselves by carrying out a second attack against a now-alerted infrastructure.
That last means that discovering who FOIA is remains, and will remain, virtually impossible from a purely technical standpoint.
Interesting idea, the Xmas party. Could be the New Year party: the Climategate 1 files were dated 1st of the 1st, and the new Climategate 2.0 emails are dated 1st of the 1st, so could it be the New Year party?
It could be Prof Jones himself. No, that would not be right, he can’t even use Excel, can he?
First it could be a student. Large corps and universities especially hire students for summer work or part time because they are cheap. They can be very bright and will be given access to anything they want because they get the jobs assigned to them done quickly.
If it was someone in the IT department with access the first thing they would do is make sure more than they had access so there would always be reasonable doubt and the more people with access the better. No way short of a confession do they catch the person IMHO.
PS. We should not look too closely at who leaked the emails. Just be glad we have them.
ROTFLMFAO!
But it certainly does rule out some of the main players though. Phil Jones for instance. Press Any Key to Continue 🙂
I am not in favor of helping the copper find this hero no matter how much my curiosity bump itches.
Sorry, the FOIA mole is unlikely to be an insider. She changes all the comma separators to dots: i.e. 1,250,000 becomes 1.250.000.
This is a European and Russian habit – so don’t worry, she is safe from the likes of Big Phil. It always was a Riddle wrapped in a Mystery inside an Enigma, and never more so than now.
>>>48 percent of respondents work at companies that are still not
>>>changing their privileged passwords within 90 days
This is typical computer nerd speak.
They tried this at my previous company, with compulsory changes of passwords every two months. They ended up with 60% of people locked out of their accounts, and the other 40% with their passwords written on the backs of their hands.
More liberal idealism that simply does not work in the real world.
For all the speculation as to the identity of the leaker, don’t forget how disappointing it was when “Deep throat” was revealed !!!
1) Congratulations Anthony, your integrity remains quite spectacularly intact. You are an example for others to follow. If only that ‘the team’ valued integrity so highly.
2) It’s not the IT guy. He wouldn’t have known what to get. IT guys are smart at IT stuff, but this guy clearly knew his way around climate science. The most important part of FOIA 1 wasn’t the emails; it was the code and data. Further, whatever encryption he used, it’s not that spectacular, it’s getting rather commonplace. In fact the encryption used by Wikileaks was just substandard. One key? Really? I’m not an IT expert, but even I would’ve used multiple layers of different encryption software, some 256, probably a layer of PGE right in the middle, just to catch anyone who didn’t try absolutely everything at each and every step. Crack that with your silly little network of home PCs (re: Brian H, December 6, 2011 at 2:48 am). Tell me this guy wasn’t smart enough to use layered encryption; he clearly spent a lot of time gathering the information, covered his tracks quite well (or they couldn’t possibly call him a hacker), and did his homework before releasing anything.
3) The smart money is on the coder who wrote the comments in the data files while he was cobbling the code and data together. (I bet he had a fun day at Scotland Yard during the investigation.) He obviously realized what a pile of dog-crap this supposed ‘science’ really was and decided to do something. He couldn’t challenge these guys directly, and he knew it. He could have been the guy charged with changing the server tape, or something akin to that. I doubt there was a great deal of attention paid to network security at UEA’s climate lab prior to the FOIA file getting released. He didn’t just borrow the tape and copy it one time, he probably gathered the backups over time. There’s too much stuff there to have gotten it all in one day. In the end, the only reason he didn’t go down for this is that they couldn’t pin it on someone internal. If they did they were cooked. It was either hacked, or it was admissible as evidence. And they knew it.
I don’t know why the department’s email server was also its network server, but even the fact that someone had access to both, or at least the backup tapes for both, tells you something about the lack of real security surrounding the IT there at UEA.
And finally, to Lucy, yes, there are miracles, but I believe in the type of miracles where people are directed, through divine intervention, to be the right person at the right time with the right skills doing the right thing. Perhaps your understanding is correct, but God is usually much better at covering his tracks than you would suspect, in my experience.
Anyway, my $0.02,
As an IT specialist I would also like to chime in and say, unfortunately for my profession, that the 256 bit AES encryption does automatically mean it is some IT person on the inside who is doing this. A hacker is more likely to use high level encryption than is the average IT staffer since the former trusts no one and the latter tends to think everyone but them is too stupid to figure it out. 🙂
That’s really as far as I want to reveal because I don’t want to help them catch the guy.
Re; Scott Brim: December 6, 2011 at 7:00 am
Scott, my understanding is that if it’s a leak, and not a hack, it’s not punishable as a crime. It may be a civil tort, but if this information was subject to FOI, that in itself is a perfect defense.
They’ve got a problem on their hands at UEA; they cannot let it be known that this was a leak, or they’re sunk. This is all admissible, if it’s a leak. There are things in there that constitute criminal waste, fraud and abuse. It’s amazing to me that there aren’t retractions in the journals, based on some of the stuff in the code/data files, but more importantly, if it were admissible in court there are discussions of actions which constitute fraudulent use of taxpayer dollars and collusion to do so. It would at the very least be untenable for them to remain employed in government-sponsored research.
As long as it’s called a hack, and whoever did it was good enough to cover their tracks well enough that the bobbies can’t say otherwise, Phil et al. are safe. They have a vested interest in maintaining the anonymity of the leaker and thereby maintaining that the information was hacked, and they know it.
Gary Mount says:
December 6, 2011 at 5:54 am
“That was so bad that I really wish I could send data back in time to tell myself not to read it. lol”
…
Ha Ha!!
Do you think it needs more killer robots and maybe an Alien-zombie hybrid sub-plot??
Never interrupt your enemy when he is making a mistake.
Napoleon Bonaparte
If the security holes were left open, would it have been a violation of any law to use them to secure information (as opposed to malicious sabotage)? Just wondering….
As I’ve said before: FOIA should fear for his life. Torpedoing Copenhagen likely got the world leaders’ attention, as well as that of some global industrial / bank types. Somehow FOIA has to arrange for the release of the encryption key should ‘something’ happen. The attempt to figure out who FOIA is was inevitable and should be expected. FOIA (and a few others) will go down in history, but if AGW gets their way we’ll all go down with history!!
I like what Bob Kutz says:
“They’ve got a problem on their hands at UEA; they cannot let it be known that this was a leak, or they’re sunk. This is all admissible, if it’s a leak. There are things in there that constitute criminal waste, fraud and abuse. It’s amazing to me that there aren’t retractions in the journals, based on some of the stuff in the code/data files, but more importantly, if it were admissible in court there are discussions of actions which constitute fraudulent use of taxpayer dollars and collusion to do so. It would at the very least be untenable for them to remain employed in government-sponsored research.”
I made a similar point earlier (above), that CRU/UEA didn’t want the leaker to spill his or her guts, it would be worse than what they have now.
But Bob’s point is more trenchant: everything in a leak is admissible, all sorts of bad things (for them) would happen in court, so please, please, don’t find the leaker! And sure enough, the police are cooperating.
Slightly off topic, the image I used to have of the UK is taking a beating. First, Murdoch and Co. have been bribing the bobbies for years, even bribed them to teach their paparazzi how to hack into phone mails. Now they’re apparently cooperating with UEA/CRU to NOT find the leak (IMHO). Not so Churchillian any more.
Pamela Gray says:
December 6, 2011 at 6:10 am
Any and all attempts to form a professional relationship with the other side has turned sour. I predict this one will as well. You have been bitten so many times yet you continue to put your hand in the snake pit.
———————————————————
I agree with Pamela. Anthony should read (or re-read) Aesop’s fable:
“The Scorpion and the Frog
A scorpion and a frog meet on the bank of a stream and the
scorpion asks the frog to carry him across on its back. The
frog asks, “How do I know you won’t sting me?” The scorpion
says, “Because if I do, I will die too.”
The frog is satisfied, and they set out, but in midstream,
the scorpion stings the frog. The frog feels the onset of
paralysis and starts to sink, knowing they both will drown,
but has just enough time to gasp “Why?”
Replies the scorpion: “It’s my nature…”
There is no point in behaving like the frog. It may theoretically be the honorable thing to do, but you will get stung and drown anyway.
Reader’s Digest HARRY_READ_ME.TXT: Try stuff, and if it looks right, move on to the next step. It shouldn’t be this hard to reproduce our own results. Hmm, hand-crafted fudge factors.