Climategate – whodunnit?
Well, according to this story in Help Net Security, the Information Technology people might be good candidates to see what has been going on behind the scenes at UEA’s Climate Research Unit, since it seems that they have broad access and according to a recent survey, many in IT positions can’t resist peeking:
“IT security staff will be some of the most informed people at the office Christmas party this year. A full 26 per cent of them admit to using their privileged log in rights to look at confidential information they should not have had access to in the first place. It has proved just too tempting, and maybe just human nature, for them to rifle through redundancy lists, payroll information and other sensitive data including, for example, other people’s Christmas bonus details.”
Here’s some eye-opening survey stats about what IT people do with that access:
- 42 percent of those surveyed said that in their organisations, IT staff are sharing passwords or access to systems or applications
- 26 percent said that they were aware of an IT staff member abusing a privileged login to illicitly access sensitive information
- 48 percent of respondents work at companies that are still not changing their privileged passwords within 90 days – a violation of most major regulatory compliance mandates and one of the major reasons why hackers are still able to compromise the security of large organisations.
Remember the HARRY READ ME file from Climategate 1? That programmer was bemoaning the sad state of the database and methodologies because he had a broad view afforded by working with the data within the organizational group. He knew more than any single person he was doing work for.
In the case of the UEA Climategate 1 and 2 emails, it seems clear now that to gather up as much information as has been shown to be available, it wasn’t likely a quick in and out job. As this WUWT guest post by David M. Hoffer shows, this wasn’t just a simple hack. He wrote:
So…who had administration rights on the email system itself? There’s reason to believe that it was not any of the researchers, because it is clear from many of the emails themselves that they had no idea that things like archives and backup tapes existed.
Whoever did it likely got it from the email archive system, knew what they were doing, and they had to have broad access to get all these emails gathered together.
Then, when we see that 256-bit AES encryption was the choice to secure the remaining nearly 1/4 of a million emails, we know that “FOIA”, whoever he/she is, knows enough to choose the kind of security that would not likely be cracked in any reasonable amount of time. This probably rules out script kiddies and students at UEA who might have had accidental network access and just grabbed a few files when they thought nobody was looking.
And what about the original first “hack” of the RealClimate.org server that Gavin Schmidt squelched? When we see survey results like “42 percent of those surveyed said that in their organisations, IT staff are sharing passwords or access to systems or applications”, and we know how close and interconnected UEA/CRU and GISS staff are, it seems likely that whoever left that first drop of emails on the RealClimate server had some shared password or other sort of access.
The sharing of system access in emails was broadly demonstrated in Climategate 2.0. For example, Dr. Phil Jones and others at CRU sent some emails out years ago that linked to papers under review at the Journal of Geophysical Research. Some WUWT readers found these early on, and sure enough, such links from years ago in the CG2 emails still worked.
A few days ago I made the issue known to Dr. Phil Jones and to the JGR journal staff so they could close this security hole. As far as I know, all have been closed. I’ve tested again tonight and the live link fails now. Now that they have been closed, I can talk about it safely without putting JGR’s manuscript system at risk.
From: Anthony
Sent: Thursday, November 24, 2011 5:10 PM
To: p.jones@uea.xxxx.xxx
Cc: grlonline@xxxx.xxx ; jgr-atmospheres@xxxxx.xxx
Subject: password enabled JGR links in Climategate 2 files
Dear Dr. Jones,
I know that you know me, and probably do not like me for my views and publications. Regardless of what you may think of me and my work, it has been brought to my attention by a reader of my blog that there are open access links to your manuscripts at JGR included in the email that are now in the public view.
Therefore, it is my duty to inform you that in the recent release of Climategate 2 files there are links to JGR journal review pages for your publications and also for the publications for Dr. Keith Briffa.
For example, this link:
http://jgr-atmospheres-submit.agu.org/cgi-bin/main.plex?el=
I have verified that in fact that link opens your JGR account and provides full access to your JGR account.
In fact there are 35 different emails in this release that contain live links to JGR/AGU author pages. Similar other links exist, such as for Dr. Keith Briffa and others at CRU.
This of course is an unintended and unacceptable consequence of the email release.
I am cc:ing Joost de Gouw Editor, JGR Atmospheres in hopes that he can take action to close this open access to these accounts. It is a holiday here in the USA (Thanksgiving) and there may not be office hours on Friday but hopefully he is monitoring emails.
JGR should immediately change all password access for these CRU members and I would advise against allowing transmission of live links such as the one above in the future. JGR might also consider a more secure method of manuscript sharing for review.
The open nature of these links is not publicly “on the radar” even though they are in fact public as a part of the email cache, and I do not plan on divulging them for any reason. Any mention of these links will be deleted from any public comments on my blog should any appear.
Dr. de Gouw (or anyone at JGR) and Dr. Jones, please acknowledge receipt of this email.
Thank you for your consideration.
Best regards,
Anthony Watts
So clearly, CRU and others in the emails didn’t think twice about sending around open access live links. As David M. Hoffer points out in his article, the researchers don’t seem to have a clue about security. They also leave “sensitive” files they don’t want to share under FOIA requests lying about on open FTP servers. Based on what I’ve seen so far, I don’t think any of the research staff at CRU had either the broad access or the specific tech knowledge to pull this “hack” off.
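A mail administrator can catch links like these before they leave the organisation. The sketch below is an added example, not code from this post or from JGR/AGU: it scans message bodies for URLs whose query string carries a login secret and redacts the value. The parameter name `el` is taken from the link quoted in the letter; the other names, the thresholds and the sample messages are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter
from email import message_from_string
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Parameter names assumed to carry a login secret. "el" comes from the link
# quoted in the letter above; the others are assumptions for this sketch.
SUSPECT_NAMES = {"el", "token", "auth", "key", "sid", "session", "password"}
# Opaque token shape: URL-safe characters containing both letters and digits.
OPAQUE_RE = re.compile(r"(?=.*[0-9])(?=.*[A-Za-z])[A-Za-z0-9_-]+")
MIN_LEN = 16        # shorter values are unlikely to be bearer secrets
MIN_ENTROPY = 3.0   # bits per character, chosen for the constructed samples

# Constructed sample messages (reserved .example hosts, made-up token values).
SAMPLE_MAILS = [
    "From: editor@journal.example\nSubject: Manuscript ready for review\n\n"
    "Please review: http://submit.journal.example/cgi-bin/main.plex?"
    "el=A7Bk3Q9xZp2LmT5vW8yR&ms=1234\n",
    "From: colleague@uni.example\nSubject: Seminar schedule\n\n"
    "Agenda at http://www.uni.example/seminars?term=autumn&page=2.\n",
    "From: student@uni.example\nSubject: Draft figures\n\n"
    "Files: https://files.uni.example/share?doc=f3Xq9LmZ0aB7cD2eR5tY8uW1\n",
]


def shannon_entropy(value):
    """Bits per character of the value's own character distribution."""
    counts = Counter(value)
    return -sum(c / len(value) * math.log2(c / len(value))
                for c in counts.values())


def is_secret_like(name, value):
    """True if a query parameter looks like it grants access by itself."""
    if len(value) < MIN_LEN:
        return False
    if name.lower() in SUSPECT_NAMES:
        return True
    return bool(OPAQUE_RE.fullmatch(value)) and \
        shannon_entropy(value) >= MIN_ENTROPY


def redact(url):
    """Return (redacted_url, flagged_parameter_names) for one URL."""
    parts = urlsplit(url)
    flagged, kept = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if is_secret_like(name, value):
            flagged.append(name)
            value = "REDACTED"
        kept.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(kept))), flagged


def body_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "utf-8"
            chunks.append(part.get_payload(decode=True)
                          .decode(charset, errors="replace"))
    return "\n".join(chunks)


def scan_message(raw):
    """Findings for one RFC 5322 message; the secret itself is never kept."""
    msg = message_from_string(raw)
    findings = []
    for match in URL_RE.finditer(body_text(msg)):
        redacted, flagged = redact(match.group(0).rstrip(".,);"))
        if flagged:
            findings.append({"subject": msg["Subject"], "url": redacted,
                             "params": flagged})
    return findings


def count_affected(mails):
    """Number of messages containing at least one credential-bearing link."""
    return sum(1 for raw in mails if scan_message(raw))


if __name__ == "__main__":
    for raw in SAMPLE_MAILS:
        for finding in scan_message(raw):
            print(finding)
    print("affected messages:", count_affected(SAMPLE_MAILS))
```

The shape-and-entropy test is a heuristic: it will miss short tokens and can flag long identifiers that are not secrets, so findings need a human look before a message is blocked.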
Somebody who had the ability to peek at these emails as part of their job might just as easily have had access to the RealClimate Server too. Remember there’s almost a quarter million emails we haven’t seen. Chances are, one of those contained the key to the RC server, which allowed them to become an RC administrator and post the original FOIA story which Gavin Schmidt caught and squelched.
I and others I correspond with have our theories about who the leaker might be. From my perspective now, someone with broad system access looks to be a more likely candidate than a malicious outsider.
UPDATE: Many people in comments think I’m doing something wrong by writing to Phil Jones and AGU/JGR. In Phil Jones’ reply to me, he wrote: A couple of other people sent me emails about this issue.
So clearly I wasn’t the first to notify him of the open links to AGU. But more importantly, my email was also sent to AGU editors and the editor of JGR Atmospheres. Despite what troubles Jones and his group have caused over the years with skeptics, AGU/JGR has been a reasonable journal that has published skeptical papers, including my own. Protecting that relationship with skeptics who publish is valuable and the last thing we need is a scandal where papers submitted to AGU/JGR are showing up on other skeptic websites before they are reviewed because Jones sent active links around in emails. Having the knowledge of the security holes was a damned if I do, damned if I don’t proposition, but I opted on the side of doing what I felt was the right course of action. If that upsets a few people, so be it. – Anthony

Imagine, if you will, waking up some morning and seeing a photo on the front page of the Times with the caption: “Suspected Leaker Found Shot at UEA.” Do you jump for joy and say, “I was right! I’m sure glad I posted my suspicions on Wattsupwiththat before anybody else! Woo-hoo! Clever boots me!”
No, you’d probably think, “Holy crap. I got this guy killed. If I’m so clever, why the hell didn’t I just keep my mouth shut?”
REPLY: That’s quite an extrapolation. I don’t see angry protestors demanding “FOIA” be apprehended. Get a grip. If the Norfolk Police have stopped investigating (and all indications are that they have) I think the UEA probably doesn’t want to push the issue further. – Anthony
Just what are you trying to do here? First you tip off Jones, then you try to out FOIA. Whose side are you on, anyway?
I think I’ll stick with Pointerman.
REPLY: Read the update I’ll post in a minute; you, like many others, are getting the wrong idea. – Anthony
creeper00,
Anthony did the right thing. He was being professional. And it’s not just a one-off event. Note that Anthony also posts a link to RealClimate and other alarmist blogs, but they don’t return the courtesy.
NoAstronomer says: December 6, 2011 at 7:48 am
Agreed. And as I had noted recently, in November 2010, Nature’s David Adam (who claimed to know more about the source of the leak than the Norfolk Constabulary) reported that:
For once, their “fears” were not unfounded! But the downside of this (for them) is that what might also be “unfounded” is their claim during the “press conference” to the effect that they haven’t finished going through the latest release, so they can’t confirm their authenticity.
They’ve had two full years to figure out what might also have been copied by The Saint (as I prefer to call FOIA). Then again, they might have been too busy “redefining” the English language (and, along with their media cheerleaders, bolstering “the cause” of saving the planet!)
Anthony..As far as any Warmist goes don’t give them an inch.
As the song said: Kick em when they’re up – Kick em when they’re down – Kick them all around. It’s what they have practiced for more than 20 years; now the steel-toed boot is on the other foot. Don’t give them a break and don’t ever turn the other cheek. Didn’t the BEST fiasco teach us anything? They stuck an ice pick in our backs.
ONE THING THAT SCARES THE POLITICIANS THAT HAVE SUPPORTED THE CAGW POLICIES, IS EXPOSURE THEY WERE IN ON THE SCAM ALL ALONG = THE 7z HIDDEN FILES?
Jo Nova has a finger on the pulse of the 7z files and a possible explanation that is more than interesting.
http://joannenova.com.au/2011/11/pointman-a-dead-mans-hand-detonator-on-hidden-emails-may-protect-climategate-whistleblower/
Climategate 2
Pointman — A dead man’s hand detonator on hidden emails may protect ClimateGate 1 & 2 whistleblower FOIA – Still behind the encrypted and locked & zipped 7z files the real juicy bomb shells aimed at the Corrupted politicians and Power Elite = ClimateGate 3 – 4 – 5
He points out there are no emails released yet between key scientists and people in power
We do not have a single one of those high-level political emails but they must of course exist.
I strongly suspect we now have them in our possession.
In the high-powered risky game of whistle blowing there are ways to make the Climategate 2 leaker a less attractive target.
Pointman analyzes the ClimateGate whistleblower’s tactics and explains why he, she or they probably released those other 200,000 emails but kept them hidden behind the 4000-8000 character almost unbreakable password.
He points out there are no emails released yet between key scientists and people in power, hence the worst, most damaging emails may be kept under a ” dead man’s hand detonator”. If politicians are afraid of what might be in those released-but-hidden emails, they may not want to expose or attack the whistleblower for fear of unleashing the other emails. The hidden emails buy the whistleblower protection.
Jo
I don’t disagree that Anthony did the right thing, certainly from a professional, moral and honesty driven point of view it definitely was.
For me (maybe I’m crooked? 😀 ) it’s just the certainty that playing on a slanted table can only be problematic in terms of gaining an upper hand and laying bare the web of deceit being woven?
Although having said that, the old adage, “The truth will out”, holds water vapour indeed.
I have absolutely no doubt whatsoever if we discovered that the sceptical side was indeed wrong/misinformed that it’d soon be put to rights by admitting it and then we could all direct our energies into “the cause”….(ok maybe not. :D)
I can’t really see the likes of the “team” ever doing that in public even though they certainly do in private!
Which is rather the point of what Anthony’s done: he’s shown them the path.
One they’ve strayed rather a long way from.
If you’ve any conscience left at all Phil J, do the right thing and come clean.
dadgervais says:
December 6, 2011 at 10:26 am
If only, back in 1942/43, the allies had such an ethical chap covering their backs, they could have notified the axis that Enigma and JU-5 were compromised. “Gentlemen do not read other people’s mail” … and all that.
Let’s put the question this way, then:
Are we at war already, or do we still pretend to live in a civilized society?
If we are at war or in revolution, then yes, all bets are off. Then there is no need to criticize, to find errors and faults, to reveal fraud by legal means. Then it’s time to be up in arms: after all, our enemies are parasites above law, depriving us of our livelihood. Be prepared to die for the truth.
On the other hand, if, for the sake of our “safety and security,” personal comforts and other self-delusions, we are still pretending to live in a lawful, civilized society, we must uphold this pretense, behave in a lawful way, and show an example of integrity and civility.
Choose one… Oh, you wanna live, eat well, know that your wife and children are safe, etc. etc.? You just don’t want the climate con men to take your money but you are not prepared to die for the truth? Play by the rules, then.
dadgervais says:
December 6, 2011 at 10:26 am
If only, back in 1942/43, the allies had such an ethical chap covering their backs, they could have notified the axis that Enigma and JU-5 were compromised. “Gentlemen do not read other people’s mail”
Luckily for us, the world was being saved by people like Churchill, who understood there was a time for tea and crumpets, and a time for punching people in the throat.
Yesterday I stopped by the vet’s on the way home. In the strip mall parking lot was a new model Ford Explorer left running, nobody nearby.
Have you even been tempted to jump in a vehicle like that and park it around the corner, out of sight? The driver would have deserved it, and possibly, it could have saved the owner from a future theft.
Anthony, you did the right thing by alerting them to the security hole.
Keep in mind that others had already notified them of the problem. Any blowback won’t be Anthony’s fault. He did the right thing, even if the problem was already recognized.
~More Soylent Green!
Anthony,
You may recall from days gone by, anyone who was an aware user on one of the old regular Bell Labs Unix systems, one with the Berkeley flavored modifications, or an after-market hybrid, with just general read permission on the system could rove the user files, and generally pull up filenames.
If the user allowed anyone in their “group” to have read permission for one of their files, the entire “group” shared the read permission unless the file was specifically password protected. User + group read = rwx r-- r-- .
If you could read the file, you could copy it. Even if the originating user file was “linked” using ln to a file under the second user’s file directory, the other user still had to have read permission to the original user’s file directory and then the file itself.
A lot of regular users automatically set the file permissions to “all read” so all other authorized users on that system had read access to most of their common files, including their “out” box for e-mails.
If a user mistakenly, or for some reason (like revising data entries in columns in a preexisting file) would give write permission to one of their “group” that would involve giving the “group” both read and write permission to both the user’s file account AND the file to be edited. All group read + write = rwx rw- r-- .
Passwords on individual files were a hassle. Unless the system administrators set the default “permissions” for user file creation to rwx --- --- (read, write, and execute for the file creator ONLY), the original Bell Labs default (rwx rwx rwx) was generally modified to rwx r-- r-- . That gave the user read, write, and execute ability on his/her file, with the group and the other system users read permission to the file structure (filenames) only.
After a while a really active user had a file system that looked like swiss cheese from a security point of view.
…AND THEN there were “guest” users, who had to have both a system password to get into the system (usually from either an institutional computer system (T-1 or T-3 connections) or with a modem or from a home system). Their permissions to the systems were specifically set by the administrators when the “guest” account was set up using whatever the organization’s general protocol for outside accounts called for.
Up until the mid-1990’s home connections were intolerably slow.
In the Climategate 1 & 2 e-mails, I don’t see any hint of mail coming from or going to a “guest” user account.
As Neal notes above, there’s lots of hints the Climategate material came from somewhere inside the CRU system.
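The permission strings in the comment above can be checked on any POSIX system. The following is an added example, not part of the comment or the original post: it shows the mode a new file receives under a given umask, then audits a directory tree for files that group members or other users can actually reach, taking the search (x) bit of every parent directory into account. The directory layout and file names are constructed for the demonstration.

```python
import os
import stat
import tempfile


def create_with_umask(path, umask):
    """Create a file requesting rw-rw-rw- and return the mode it ends up with."""
    old = os.umask(umask)
    try:
        fd = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL, 0o666)
        os.close(fd)
    finally:
        os.umask(old)          # umask is process-wide, so always restore it
    return stat.filemode(os.stat(path).st_mode)[1:]


def build_demo_tree(root):
    """Constructed layout: directory -> (directory mode, file name, file mode)."""
    os.chmod(root, 0o755)
    layout = {
        "mail": (0o755, "outbox", 0o644),         # the "all read" habit
        "data": (0o750, "columns.dat", 0o664),    # group may edit the file
        "private": (0o700, "notes", 0o644),       # file open, directory closed
    }
    for dirname, (dmode, fname, fmode) in layout.items():
        directory = os.path.join(root, dirname)
        os.mkdir(directory)
        path = os.path.join(directory, fname)
        with open(path, "w") as handle:
            handle.write("constructed sample\n")
        os.chmod(path, fmode)
        os.chmod(directory, dmode)


def audit(root):
    """List files that group or other users can reach, with the access they get.

    A file's own bits only matter if every directory above it grants search
    permission to the same class of user.
    """
    root = os.path.abspath(root)
    reach = {}                 # directory -> (group can enter, other can enter)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        mode = os.stat(dirpath).st_mode
        parent = reach.get(os.path.dirname(dirpath), (True, True))
        group_ok = parent[0] and bool(mode & stat.S_IXGRP)
        other_ok = parent[1] and bool(mode & stat.S_IXOTH)
        reach[dirpath] = (group_ok, other_ok)
        for name in filenames:
            path = os.path.join(dirpath, name)
            fmode = os.lstat(path).st_mode
            if not stat.S_ISREG(fmode):
                continue
            access = []
            if group_ok and fmode & stat.S_IRGRP:
                access.append("group-read")
            if group_ok and fmode & stat.S_IWGRP:
                access.append("group-write")
            if other_ok and fmode & stat.S_IROTH:
                access.append("other-read")
            if access:
                findings.append((os.path.relpath(path, root),
                                 stat.filemode(fmode)[1:], access))
    return sorted(findings)


if __name__ == "__main__":
    demo_root = tempfile.mkdtemp()
    build_demo_tree(demo_root)
    for relpath, mode_string, access in audit(demo_root):
        print(f"{mode_string}  {relpath}  {', '.join(access)}")
    print(create_with_umask(os.path.join(demo_root, "owner_only"), 0o077))
```

In the constructed tree, `private/notes` has the same rw-r--r-- bits as `mail/outbox` but is not reported, because its directory is closed to everyone except the owner.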
Anthony,
I have read your update and can only repeat:
If any THING must remain hidden, can that THING be good?? GK
REPLY: Ask me please, “how are THINGS“? Go ahead, make my day. – Anthony
An interesting post and I support giving Jones and JGR a heads-up because if something bad had happened (someone leaked work in progress to the public) it would only make WUWT look bad.
But I don’t buy the disillusioned IT guy thing. Someone had an axe to grind. Someone was close enough to the science to see the fraud. Maybe it was someone on the inside – not a scientist as they can’t even buy groceries – but perhaps a technician or an associate who was given temporary access to a poorly secured server.
But not an IT person. They are only 16-18 years old and carry a skate-board everywhere they go. Not malicious enough to carry this out so thoughtfully. Who would have predicted Climategate 2.0? Somebody out there is very patient. Like Gore’s ex-wife kind of person.
You know what they say about revenge. Might as well dig two graves.
Dave Me says:
December 6, 2011 at 12:26 am
“we know that “FOIA” whoever he/she is, knows enough to choose the kind of security that would not likely be cracked in any reasonable amount of time. This probably rules out script kiddies and students”
Not really, they are likely to be more able than the IT staff. Also, it is not that difficult to encrypt a file and it does not take a genius to know that you need a long key.
==============================================================
It’s the default encryption option in 7-zip. Lots of people use it instead of zip. I use it. It means nothing. Once you install 7-zip if you right click on a folder there’s an option to encrypt & compress.
FYI – “the server of interest”
This was given in the Muir Report as a backup mail server in the IT facility.
It was probably just a single file for the CRU department and wasn’t even as much as a quick “in and out job” since the perp wouldn’t have had to even be on the premises all he’d need was remote login credentials. It was almost certainly an inside job but that doesn’t mean the perp was physically inside but rather just means he had credentials either because he was an insider or knew an insider who gave him a credential. The least likely thing is that this was some sort of break-in where normal security was defeated.
Anthony, you did the right thing. The security hole was on JGR’s side by the sound of it, so I would have alerted them as well (or instead of) but it was the right thing to do either way.
In regard to who the leaker might have been, there is no doubt in my mind that it was someone on the “inside” either working alone or in conjunction with others. There are a fair number of clues that are easy to spot that could help lead to the identity of at least one of those involved, but I’m not going to point anyone at them. If some day I get to say “I knew it!” that will be sufficient satisfaction for me, and I’ve no interest in seeing the person get caught. That said, there is one possibility that is being overlooked in regard to the encrypted emails themselves.
It started to become common practice to encrypt backup tapes and data at rest (on disk) with encryption about 5 or 6 years ago. It has by no means become ubiquitous. The organizations most commonly moving to encryption are ones that were “burned” by a major data loss incident.
Given that the emails we can read end in 2009, and the rest are encrypted, the assumption that the balance of the emails also end in 2009 cannot be made, there is no evidence (that I am aware of) for this to be the case. FOIA has said (I’m going from memory) that the balance of the emails may some day be released, but not by him. Why would that be?
If encryption practices were put into place sometime in 2009, it could very well be that FOIA did not release the balance of the emails because s/he couldn’t. We know that those emails are encrypted, that tells us NOTHING about WHO encrypted them. If the method of obtaining the emails themselves was still in place, but resulted in access to encrypted data only, it could well be that FOIA had no other choice to get them into the public domain and is simply hoping that someone else will break that encryption key.
More Soylent Green! says:
December 6, 2011 at 1:09 pm
“Anthony, you did the right thing by alerting them to the security hole.”
I found the active JGR passwords for Briffa, Jones, and someone else and passed them along to Anthony on August 23rd, the day before Anthony informed Jones and JGR. I wondered what he’d do with the information. I figured he’d do the right thing but it’s nice to know he did the right thing the very next day.
Perhaps an interesting point to be made is that;
If it was an IT staff, and the security of the servers was so woeful, surely it is the responsibility of the IT staff to make the servers more secure and to enforce better security throughout the network and users.
This wasn’t done. So either the IT staff, who knew all about security and how to circumvent it, also didn’t upgrade it nor do his/her job, at all.
This conclusion doesn’t quite ring true either.
I’m going to go with the idea of an undergrad on work experience, or a short term employee, perhaps a temp or contractor. Someone who knew all about security, somebody who found to his horror what scandal was being perpetrated, and who simply took a copy to be well considered later at his/her leisure.
Eternal Optimist :
‘IwasWorkingInTheLabLateOneNightWhenMyEyesBeheldATerribleSight’
Dang, now I’m going to have to change my pass-phrase back to 7777! Seriously, Email is not secure and any privacy is a courtesy, not an entitlement. If you are using an employer provided Email service, your email does not belong to you. You can’t control what happens to your email after you send it so if you wouldn’t put it on a billboard, don’t send it.
Anthony,
RE:
You’ll recall several instances in the past where Steve McIntyre called a few obvious errors in data and/or statistical methodology to the proper US agency’s attention.
At the time he got a blatantly untrue “We already know about it.” as a response from those authorities.
I think the same holds true of the “also been made aware of” line you got from Phil Jones/CRU.
They’re basically telling you to go pound salt.
The Lone Ranger: A fiery horse with the speed of light, a cloud of dust and a hearty ‘Hi-Yo Silver! Away!’ as he disappears into the sunset with his faithful Indian companion Tonto. The show ending with who was that masked man? I don’t know but I wanted to thank him. The best part is he was a Texas Ranger.
Consider the willingness of scientists to cooperate with a political agenda, with reports on their research, to be used by legislators as a reason to bring life changing legislation, taxes and regulations to all of commerce and the public.
Consider the intent of the global warming group, to silence argument and prevent research disproving their claims and that it is not only dishonest, but damaging to science, education and the public.
The Artful Dodger in Dickens’ Oliver Twist is a pickpocket skilled in lifting valuables without detection and rushing away without notice.
The emails expose the intent to cover tracks. The hope is that no one would notice the problem.
The public has every right to expect exceptional behavior from those holding jobs that are exceptional by influence, knowledge and talent. We are in trouble when expectations are lower.
The Lone Ranger concealed his identity, was fictional fighting for truth, justice and American way. Maybe that was Superman, who lived disguised as a mild mannered reporter but the question is which side of the email exposure best describes the admirable actions of these fictional comic book characters that have captured the interest and imagination of the public for so long? The person or persons involved in the release of the emails that revealed the problem have concealed their identity and for good reason, the uncertainty of the rules that apply.
What moral code would you have your children follow, that of the fictional comic book hero or the artful dodger and those attempting to hide their work and calling it science. I doubt most parents with a little thought would want either as a guide for their children but it is worth the effort to help the next generation know the difference between right and wrong is not whether you get caught or not.
A few comments here about them being the enemy. Don’t show them any mercy. Whose side are you on. Why tip them off etc
I don’t think it’s a question of winning or losing. I don’t think it’s a question of us being right and them being wrong. I don’t even think it’s a question of us and them
We have to accept the possibility that we might be wrong. And on the road to that truth, we have to do the right thing
“A full 26 per cent of them admit to using their privileged log in rights to look at confidential information they should not have had access to in the first place.”
The key words there are: “admit to”.
I’d wager that the percentage that actually do this is much higher.
WKPD: “Nobel’s last will specified that his fortune be used to create a series of prizes for those who confer the “greatest benefit on mankind” in physics, ….”. So there you are: Nobel in Physics for FOIA!!!!!
“UPDATE: Many people in comments think I’m doing something wrong by writing to Phil Jones and AGU/JGR. In Phil Jones reply to me, he wrote: A couple of other people sent me emails about this issue.”
You did incriminate yourself by having accessed files, and trying to access the same files, you didn’t have the right to access. These days it can be illegal to access files you don’t have a right to access in the EU; it depends on the country and how far they went implementing the EU directives. However, consider some states in the US, like Florida, they’re hard as* on any kind of “hacking”.
Now that Anthony has opened cordial lines of communication with professor Doctor Mr Phil Jones from England, I think he should offer a fuller range of services. For money of course.
IT security (closing loopholes) – $100
Fairness and Respect (being professional) – $250
Excel starter (how to do a trend) – $2.50