Climategate – whodunnit?
Well, according to this story in Help Net Security, the Information Technology people might be good candidates to see what has been going on behind the scenes at UEA’s Climate Research Unit, since it seems that they have broad access and according to a recent survey, many in IT positions can’t resist peeking:
“IT security staff will be some of the most informed people at the office Christmas party this year. A full 26 per cent of them admit to using their privileged log in rights to look at confidential information they should not have had access to in the first place. It has proved just too tempting, and maybe just human nature, for them to rifle through redundancy lists, payroll information and other sensitive data including, for example, other people’s Christmas bonus details.”
Here’s some eye opening survey stats about what IT people do with that access:
- 42 percent of those surveyed said that in their organisations’ IT staff are sharing passwords or access to systems or applications
- 26 percent said that they were aware of an IT staff member abusing a privileged login to illicitly access sensitive information
- 48 percent of respondents work at companies that are still not changing their privileged passwords within 90 days – a violation of most major regulatory compliance mandates and one of the major reasons why hackers are still able to compromise the security of large organisations.
Remember the HARRY READ ME file from Climategate 1? That programmer was bemoaning the sad state of the database and methodologies because he had a broad view afforded by working with the data within the organizational group. He knew more than any single person he was doing work for.
In the case of the UEA Climategate 1 and 2 emails, it seems clear now that gathering up as much information as has been shown to be available wasn’t likely a quick in-and-out job. As this WUWT guest post by David M. Hoffer shows, this wasn’t just a simple hack. He wrote:
So…who had administration rights on the email system itself? There’s reason to believe that it was not any of the researchers, because it is clear from many of the emails themselves that they had no idea that things like archives and backup tapes existed.
Whoever did it likely got it from the email archive system, knew what they were doing, and they had to have broad access to get all these emails gathered together.
Then, when we see that 256-bit AES encryption was the choice to secure the remaining nearly 1/4 of a million emails, we know that “FOIA”, whoever he/she is, knows enough to choose the kind of security that would not likely be cracked in any reasonable amount of time. This probably rules out script kiddies and students at UEA who might have had accidental network access and just grabbed a few files when they thought nobody was looking.
And what about the original first “hack” of the RealClimate.org server that Gavin Schmidt squelched? When we see survey results like “42 percent of those surveyed said that in their organisations’ IT staff are sharing passwords or access to systems or applications”, and we know how close and interconnected UEA/CRU and GISS staff are, the likelihood is that whoever left that first drop of emails on the RealClimate server had some shared password or other sort of access.
The sharing of system access in emails was broadly demonstrated in Climategate 2.0. For example, Dr. Phil Jones and others at CRU sent some emails out years ago that linked to papers under review at the Journal of Geophysical Research. Some WUWT readers found these early on, and sure enough, such links from years ago in the CG2 emails still worked.
A few days ago I made the issue known to Dr. Phil Jones and to the JGR journal staff so they could close this security hole. As far as I know, all have been closed. I’ve tested again tonight and the live link fails now. Now that they have been closed, I can talk about it safely without putting JGR’s manuscript system at risk.
From: Anthony
Sent: Thursday, November 24, 2011 5:10 PM
To: p.jones@uea.xxxx.xxx
Cc: grlonline@xxxx.xxx ; jgr-atmospheres@xxxxx.xxx
Subject: password enabled JGR links in Climategate 2 files
Dear Dr. Jones,
I know that you know me, and probably do not like me for my views and publications. Regardless of what you may think of me and my work, it has been brought to my attention by a reader of my blog that there are open access links to your manuscripts at JGR included in the email that are now in the public view.
Therefore, it is my duty to inform you that in the recent release of Climategate 2 files there are links to JGR journal review pages for your publications and also for the publications for Dr. Keith Briffa.
For example, this link:
http://jgr-atmospheres-submit.agu.org/cgi-bin/main.plex?el=
I have verified that in fact that link opens your JGR account and provides full access to your JGR account.
In fact there are 35 different emails in this release that contain live links to JGR/AGU author pages. Similar other links exist, such as for Dr. Keith Briffa and others at CRU.
This of course is an unintended and unacceptable consequence of the email release.
I am cc:ing Joost de Gouw Editor, JGR Atmospheres in hopes that he can take action to close this open access to these accounts. It is a holiday here in the USA (Thanksgiving) and there may not be office hours on Friday but hopefully he is monitoring emails.
JGR should immediately change all passwords access for these CRU members and I would advise against allowing transmission of live links such as the one above in the future. JGR might also consider a more secure method of manuscript sharing for review.
The open nature of these links is not publicly “on the radar” even though they are in fact public as a part of the email cache, and I do not plan on divulging them for any reason. Any mention of these links will be deleted from any public comments on my blog should any appear.
Dr. de Gouw (or anyone at JGR) and Dr. Jones, please acknowledge receipt of this email.
Thank you for your consideration.
Best regards,
Anthony Watts
So clearly, CRU and others in the emails didn’t think twice about sending around open-access live links. As David M. Hoffer points out in his article, the researchers don’t seem to have a clue about security. They also leave “sensitive” files they don’t want to share under FOIA requests lying about on open FTP servers. Based on what I’ve seen so far, I don’t think any of the research staff at CRU had either the broad access or the specific tech knowledge to pull this “hack” off.
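The live links described above are URLs whose query string carries an account credential or an opaque access token. As an added example (not code from this post or from JGR/AGU), this Python scan walks an exported plain-text mail archive and lists the messages, hosts and parameter names where such a value appears, so the owning service can revoke them; the messages, hostnames and token values are constructed, the `el=` parameter name is borrowed from the truncated link in the email above, and the token-shape heuristic is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample standing in for an exported mail archive (id, body).
# Hosts, paths and token values are made up for this example.
SAMPLE_MESSAGES = [
    ("msg-001", "Draft attached. Reviewer page: "
                "http://submit.example-journal.org/cgi-bin/main.plex?el=A1b2C3d4E5f6G7h8I9j0KLMN ok"),
    ("msg-002", "Agenda for Monday: https://www.example.edu/events?page=2&sort=date"),
    ("msg-003", "Login here https://portal.example.org/auth?user=pj&password=hunter2 then call me"),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Parameter names that carry a credential by name alone.
CREDENTIAL_NAMES = {"password", "passwd", "pwd", "pass", "token", "key", "apikey",
                    "api_key", "auth", "session", "sessionid", "sid", "secret"}
# Assumed shape of an opaque access token: 16+ URL-safe chars mixing letters and digits.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-]{16,}$")


def looks_like_token(value):
    """True when a query value is long, opaque and mixed-class (probable access token)."""
    return (bool(TOKEN_RE.match(value))
            and any(c.isdigit() for c in value)
            and any(c.isalpha() for c in value))


def risky_params(url):
    """Return (host, [param names]) for query parameters that embed a credential or token."""
    parts = urlsplit(url.rstrip(".,;)"))   # drop trailing punctuation glued on by prose
    found = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in CREDENTIAL_NAMES or looks_like_token(value):
            found.append(name)
    return parts.hostname, found


def scan_archive(messages):
    """Return (message_id, host, [param names]) for every URL carrying a credential-like value.

    A link whose token was cut off (e.g. '?el=' with no value) is not reported, because
    nothing revocable survives in it.
    """
    findings = []
    for msg_id, body in messages:
        for url in URL_RE.findall(body):
            host, params = risky_params(url)
            if params:
                findings.append((msg_id, host, params))
    return findings


if __name__ == "__main__":
    for msg_id, host, params in scan_archive(SAMPLE_MESSAGES):
        print(f"{msg_id}: {host} exposes {', '.join(params)}")
```

Each reported host is a service whose account access for that parameter should be reset, which is the action the email above asked JGR to take.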
Somebody who had the ability to peek at these emails as part of their job might just as easily have had access to the RealClimate Server too. Remember there’s almost a quarter million emails we haven’t seen. Chances are, one of those contained the key to the RC server, which allowed them to become an RC administrator and post the original FOIA story which Gavin Schmidt caught and squelched.
I and others I correspond with have our theories about who the leaker might be. From my perspective now, someone with broad system access looks to be a more likely candidate than a malicious outsider.
UPDATE: Many people in comments think I’m doing something wrong by writing to Phil Jones and AGU/JGR. In Phil Jones’ reply to me, he wrote: A couple of other people sent me emails about this issue.
So clearly I wasn’t the first to notify him of the open links to AGU. But more importantly, my email was also sent to AGU editors and the editor of JGR Atmospheres. Despite what troubles Jones and his group have caused over the years with skeptics, AGU/JGR has been a reasonable journal that has published skeptical papers, including my own. Protecting that relationship with skeptics who publish is valuable, and the last thing we need is a scandal where papers submitted to AGU/JGR are showing up on other skeptic websites before they are reviewed because Jones sent active links around in emails. Having the knowledge of the security holes was a damned-if-I-do, damned-if-I-don’t proposition, but I opted on the side of doing what I felt was the right course of action. If that upsets a few people, so be it. – Anthony
Just another agenda driven survey that should be taken cum grano salis.
“redundancy lists” … I love that term. It goes with “surplused,” “redeployable human resources,” “excess pool,” “dumped,” and simply “laid off”.
I don’t think this was an attempt to form a professional relationship so much as a professional handling a responsibility. So rare it’s not recognized I guess.
I would agree, but 99.99% (of ppl, commenters, etc) seem not aware of this facet …
I have a different theory. Look at the name of the file, “FOIA”.
It seems quite possible that the actual FOIA file(s) were generated by the IT department for consideration for release in conjunction with a FOIA request (there were a few around that time), and a second party who was given access to the IT department’s work product then released/stole it.
Besides..who said “…….love thine enemies and in doing so you will pour hot coals on their head!…”
More than a decade ago, at a University not 60 miles from UEA, the IT were using the Login Administrator and Password Admin for access to the files on the I:Drive. You could see anyone’s files using this privilege.
The cast for the AGW movie:
David Beckham as………………………FOIA (doesn’t have to say anything!!)
Balderick (black adder) as………………Phil Jones (Head of Climatic Research Unit)
Christina Hendricks as……………………Christina (Head of Climactic Research Unit) (gedditt?)
Bill Nighy (actor)as………………………Anthony Watts
Daniel Craig as…………………………Steve McIntyre
Jimmy Swaggert as……………………..Al Gore (Nupty of Nashville)
Wurzel Gummidge………………………….Patchy Morals
Perhaps in the way of a captcha?
“Please enter a CG 2.0 e-mail password for consideration in unlocking the 7Zip file (secured by 256-bit AES key) before continuing:”
_________________________
http://en.wikipedia.org/wiki/CAPTCHA
As R. A. Heinlein used to say,
“Certainly the game is rigged. Don’t let that stop you; if you don’t bet, you can’t win.”
The moment we start to behave like IPCC crooks, we cease to be “we” and morph into “them.” We must continue to play by the rules, and in this Mr. Watts is right.
Do Michael Mann and his co-conspirators have a huge advantage because of our playing by the rules? Absolutely. Will their corruption destroy them from within? Maybe, but not necessarily. Evil does win most of the time. Truth advances at the leisurely pace of evolution.
Oi! Don’t be calling my Anthony a Mensch!
o0h…..Wait a minute………(WIKI Mensch Answer: means “a person of integrity and honor”)
Oh. Okay!
I agree it was the right thing to do and I believe everything Anthony has done, without ascribing superhumanness, to be the right thing. Expose what has gone on to the ‘uncouth triumphant truth’! Because it is what it is!
Everyone knows IT security can be inconvenient. That’s why some IT people exempt themselves from the same rules and practices the rest of us have to follow.
We also know many scientists and engineers think they are smarter than the IT people and will do anything to get around the inconveniences. Throw in a sloppy administrator who shares accounts with passwords that never change and you have a situation where virtually anybody could be using an admin account for any purpose.
I worked in an IT shop where they would change the network root admin password because it was hard-coded into so many applications, nobody knew what would break if they changed it.
In today’s business environment, you can’t get away with such practices in a large company. Apparently academia is a little behind. (I also teach part-time and I say that from experience).
~More Soylent Green!
Bob Kutz says: December 6, 2011 at 8:11 am
Yes. Well said.
As an IT professional I abhor those in my profession that break chain of custody or browse sensitive data. I take my job more seriously than those surveyed.
Guardian journalist justifies hacking if in the public interest.
http://www.guardian.co.uk/media/2011/dec/06/leveson-inquiry-guardian-phone-hacking
Is there a difference between phone hacking and computer hacking if both are in the public interest?
In fact, broad system access rights were self-evident from the beginning. Someone with such rights would have been responsible for compiling the email data for the original FOI request. A researcher “might” have let cruft accumulate in the email archive on an individual system, but no FOI accumulation would rely on that. Hard disk space is limited and sooner or later the user would scour the older material to retrieve disk space. An institution that was concerned to cover itself legally would work through the email archiving system. It would ask the subject researcher for relevant material and then also scour the archive in order to protect itself from the researcher’s carelessness.
Even if the AGW club thought their public “enemies” did the “hack” job, the police certainly would have known better. They would have to interview such individuals with “motives” as a matter of course, but it would readily become clear that few if any such individuals would have the system skills, even if they had the motives. One fact I noticed was the confused use of “.” and “,” in numbers in the readme text that accompanied the recent release. Some parts of Europe commonly use a comma to mark a decimal point while other regions – e.g. US and Britain – use a period. In the readme file BOTH forms are used suggesting either two people from different parts of the continent or one person attempting to disguise their origins.
If only, back in 1942/43, the allies had such an ethical chap covering their backs, they could have notified the axis that Enigma and JU-5 were compromised. “Gentlemen do not read other people’s mail” … and all that.
–dadgervais
p.s. Did not one of the “good guys” get some raw data from an unsecured FTP server? I suppose he should have just sent them a note instead to clean-up their act, lest someone else got the data the Team were denying him.
Anthony,
I don’t understand why you think it necessary to help close their security gaps and weaknesses.
What’s next… Will you volunteer advice to the Mafia to secure their communications from the FBI? There may not have been any leak at all, had they followed your advice. If any THING must remain hidden, can that THING be good? I think you have severely damaged intelligence gathering and endorsed secrecy. All for the purpose of a dubious brownie point. GK
REPLY: I was told in the reply from Phil Jones and from AGU that others had also been made aware of it, so I wasn’t the first. – Anthony
Anthony,
As I stated a little over two years ago on Climate Audit, “I found it interesting that the emails in question were text files with a UNIX email server’s time date stamp tracking as file names. When I opened the email text files I also found it quite interesting that someone had taken the time to delete the full email tracking headers from the file. What was the person trying to cover up from the deletion of the headers? Well I think it is quite apparent from this that he or she was covering up the fact that it was a blind carbon copy of the email automatically sent to the email administrator for archiving purposes. This is pretty much standard operating procedure for UNIX server administrators. The FOIA folder was most likely created by a server administrator for a freedom of information request.”
I didn’t state at the time that this guess about the reason for the collection of the emails was the supporting fact that the code and documents were also included in the FOIA folder was further proof of that conclusion. This latest FOIA disclosure is just more support of that conclusion. The size of the locked zip file is even more support for that conclusion. Now as to the question of who is releasing these emails, code, and documents, that is up in the air. He/She could be that administrator, other IT personnel, or someone who found the collection while snooping around at the CRU and found the collection of emails, supporting code and documents. Whoever this person or group of people is that is doing this has been and is exposing the very ugly corruption of current climate science by politics.
I know it sounds counter-intuitive for it to be a positive for Anthony to help the CRU close those open doors. I’m reminded of the practice for a while, during the Battle of Britain, for shot down Luftwaffe pilots to be taken to the officer’s mess for beers and the like. A fact I’m proud of and having felt this since I first heard of it as a kid (my Dad was a Spit pilot). Why? I don’t know.
This, of course, ensures that there will never be a Climategate 4. Reminds me of the joke about the condemned engineer on the gallows who pointed out to the hangman that the stuck trapdoor needed its hinges oiled.
It makes perfect sense that someone just swiped a CD off someone’s desk that had the filtered archive on it. A password protected file was also on the CD, because they wanted to cover themselves for potential disclosure issues in court.
It could be anyone who had access to someone’s desk. A secretary, a janitor, a grad student.
Eternal Optimist wrote: ‘InTheBlueRidgeMountainsOfSiberiaOnTheTrailOfTheBristleconePine’
I had never before thought of using passwords that I could sing. Thanks for the hint. Don’t you have to be kind of old to know that song? The modifications are funny.
I see that people are letting Anthony know whether they think he did the right thing by alerting others to ongoing security lapses. I vote with those who think he did the right thing — Anthony, you done good.
The IT People seem to be the logical choice. It may have started with one IT Person who was ticked off at what was happening, but my best guess is that the number grew as others found out.
Whoever it is let me say, “Thanks, Climategate 2.0” was a great early Christmas Gift!!!