Climategate – whodunnit?
Well, according to this story in Help Net Security, the Information Technology people might be good candidates to see what has been going on behind the scenes at UEA’s Climate Research Unit, since it seems that they have broad access and according to a recent survey, many in IT positions can’t resist peeking:
“IT security staff will be some of the most informed people at the office Christmas party this year. A full 26 per cent of them admit to using their privileged log in rights to look at confidential information they should not have had access to in the first place. It has proved just too tempting, and maybe just human nature, for them to rifle through redundancy lists, payroll information and other sensitive data including, for example, other people’s Christmas bonus details.”
Here are some eye-opening survey stats about what IT people do with that access:
- 42 percent of those surveyed said that in their organisations, IT staff are sharing passwords or access to systems or applications
- 26 percent said that they were aware of an IT staff member abusing a privileged login to illicitly access sensitive information
- 48 percent of respondents work at companies that are still not changing their privileged passwords within 90 days – a violation of most major regulatory compliance mandates and one of the major reasons why hackers are still able to compromise the security of large organisations.
Remember the HARRY READ ME file from Climategate 1? That programmer was bemoaning the sad state of the database and methodologies because he had a broad view afforded by working with the data within the organizational group. He knew more than any single person he was doing work for.
In the case of the UEA Climategate 1 and 2 emails, it seems clear now that gathering up as much information as has been shown to be available wasn’t likely a quick in-and-out job. As this WUWT guest post by David M. Hoffer shows, this wasn’t just a simple hack. He wrote:
So…who had administration rights on the email system itself? There’s reason to believe that it was not any of the researchers, because it is clear from many of the emails themselves that they had no idea that things like archives and backup tapes existed.
Whoever did it likely got it from the email archive system, knew what they were doing, and they had to have broad access to get all these emails gathered together.
Then, when we see that 256-bit AES encryption was the choice to secure the remaining nearly quarter of a million emails, we know that “FOIA”, whoever he/she is, knows enough to choose the kind of security that would not likely be cracked in any reasonable amount of time. This probably rules out script kiddies and students at UEA who might have had accidental network access and just grabbed a few files when they thought nobody was looking.
And what about the original first “hack” of the RealClimate.org server that Gavin Schmidt squelched? When we see survey results like “42 percent of those surveyed said that in their organisations, IT staff are sharing passwords or access to systems or applications”, and we know how close and interconnected UEA/CRU and GISS staff are, it is likely that whoever left that first drop of emails on the RealClimate server had some shared password or other sort of access.
The sharing of system access in emails was broadly demonstrated in Climategate 2.0. For example, Dr. Phil Jones and others at CRU sent some emails out years ago that linked to papers under review at the Journal of Geophysical Research. Some WUWT readers found these early on, and sure enough, such links from years ago in the CG2 emails still worked.
A few days ago I made the issue known to Dr. Phil Jones and to the JGR journal staff so they could close this security hole. As far as I know, all have been closed. I’ve tested again tonight and the live link fails now. Now that they have been closed, I can talk about it safely without putting JGR’s manuscript system at risk.
From: Anthony
Sent: Thursday, November 24, 2011 5:10 PM
To: p.jones@uea.xxxx.xxx
Cc: grlonline@xxxx.xxx ; jgr-atmospheres@xxxxx.xxx
Subject: password enabled JGR links in Climategate 2 files
Dear Dr. Jones,
I know that you know me, and probably do not like me for my views and publications. Regardless of what you may think of me and my work, it has been brought to my attention by a reader of my blog that there are open access links to your manuscripts at JGR included in the email that are now in the public view.
Therefore, it is my duty to inform you that in the recent release of Climategate 2 files there are links to JGR journal review pages for your publications and also for the publications for Dr. Keith Briffa.
For example, this link:
http://jgr-atmospheres-submit.agu.org/cgi-bin/main.plex?el=
I have verified that in fact that link opens your JGR account and provides full access to your JGR account.
In fact there are 35 different emails in this release that contain live links to JGR/AGU author pages. Similar other links exist, such as for Dr. Keith Briffa and others at CRU.
This of course is an unintended and unacceptable consequence of the email release.
I am cc:ing Joost de Gouw Editor, JGR Atmospheres in hopes that he can take action to close this open access to these accounts. It is a holiday here in the USA (Thanksgiving) and there may not be office hours on Friday but hopefully he is monitoring emails.
JGR should immediately change all passwords access for these CRU members and I would advise against allowing transmission of live links such as the one above in the future. JGR might also consider a more secure method of manuscript sharing for review.
The open nature of these links is not publicly “on the radar” even though they are in fact public as a part of the email cache, and I do not plan on divulging them for any reason. Any mention of these links will be deleted from any public comments on my blog should any appear.
Dr. de Gouw (or anyone at JGR) and Dr. Jones, please acknowledge receipt of this email.
Thank you for your consideration.
Best regards,
Anthony Watts
So clearly, CRU and others in the emails didn’t think twice about sending around open access live links. As David M. Hoffer points out in his article, the researchers don’t seem to have a clue about security. They also leave “sensitive” files they don’t want to share under FOIA requests lying about on open FTP servers. Based on what I’ve seen so far, I don’t think any of the research staff at CRU had either the broad access or the specific tech knowledge to pull this “hack” off.
Somebody who had the ability to peek at these emails as part of their job might just as easily have had access to the RealClimate Server too. Remember there’s almost a quarter million emails we haven’t seen. Chances are, one of those contained the key to the RC server, which allowed them to become an RC administrator and post the original FOIA story which Gavin Schmidt caught and squelched.
I and others I correspond with have our theories about who the leaker might be. From my perspective now, someone with broad system access looks to be a more likely candidate than a malicious outsider.
UPDATE: Many people in comments think I’m doing something wrong by writing to Phil Jones and AGU/JGR. In Phil Jones’ reply to me, he wrote: A couple of other people sent me emails about this issue.
So clearly I wasn’t the first to notify him of the open links to AGU. But more importantly, my email was also sent to AGU editors and the editor of JGR Atmospheres. Despite what troubles Jones and his group have caused over the years with skeptics, AGU/JGR has been a reasonable journal that has published skeptical papers, including my own. Protecting that relationship with skeptics who publish is valuable, and the last thing we need is a scandal where papers submitted to AGU/JGR are showing up on other skeptic websites before they are reviewed because Jones sent active links around in emails. Having the knowledge of the security holes was a damned-if-I-do, damned-if-I-don’t proposition, but I opted on the side of doing what I felt was the right course of action. If that upsets a few people, so be it. – Anthony

If they admit it is a leak, that would be the end for funding.
Having supported public sector IT and then also in private enterprise, I can say that both environments generally suffer from narrow subject matter experts with no time for the “details”;-) Very intelligent people sometimes lack sense and reason. OMG I’m reliving every dead end infrastructure design argument………
“single point of truth database” is probably very benign. It’s common in large enterprise environments (too many chiefs!) to have multiple disparate locations or duplicated infrastructure information, thus you then have to manage at another layer and have an aggregate location that is considered ultimately authoritative. This being on the DBS page is probably some sort of DB/table data lookup that translates the many TBytes of DB and million row tables with arcane names and fields into something recognizable by someone other than the person who made it.
Noblesse Oblige says:
December 6, 2011 at 7:43 pm
Whoever FOIA may be, they are not likely to be caught. >>>
Caught? No, they won’t be caught.
Trotted out some day at a press conference to announce the tell all book contract, the movie to follow, and explain their $1 million appearance fee to any news outlets that want to interview them.
Whoever this person or persons is, they’re sure drawing things out and building the suspense…
David Ball says:
December 6, 2011 at 7:55 pm
If they admit it is a leak, that would be the end for funding.>>>
Ya know, a forensic IT audit proving exactly who “did it” is really tough to do. But…
Proving that it was or was not an outside hacker isn’t that hard to do.
There’s little doubt in my mind that this was an inside job. Does someone know how to do an FOIA request for their firewall and server logs? An insider can sweep for fingerprints, an outsider cannot. If there’s no activity in the logs that supports an outside hacker theory, then certainty is as close to 100% as one will ever get on the matter.
Working in the I.T. industry I could assure you that the moral fibre and calibre of the people are of the utmost quality. They take the utmost care to protect data from being lost, corrupted or being seen or used by those not authorised. A paramount quality of all those in the IT sector is that they will never make use of the data of their employer or their customers for personal gain. A pervasive and prevalent strength of selfless character is enjoyed in the industry; to perceive the trust in having the information as being an ample bonus above a meagre salary.
I could. I could be wrong.
I should tell you that the white collar crime investigation unit here in Western Australia provided some important insight some (many) years ago to a local group of Unix users; that about 90% of the people will do something that they know is wrong, as long as they believe that they’ll get away with it. Some 8% don’t even consider getting caught as dissuasion. Less than 2% can be trusted to always do the right thing.
Anthony
Once you became aware of the nature of these breaches, you really didn’t have much choice but to do the right thing and inform them. Their thanks and appreciation (or more likely lack of it), or that they may not have done the same thing for you is irrelevant.
Good on you mate! – as we Aussies say.
“FOIA has said (I’m going from memory) that the balance of the emails may some day be released, but not by him. Why would that be?”
Because he expects that his deadman switch will “release them” by revealing the passcode under predetermined circumstances.
I don’t really care whether Anthony tips off Jones and some journals about their breached security. That’s up to him and was IMO probably the right thing to do.
But I am appalled at the number of boneheads who have dived into the game ‘let’s work out who the leaker is’ on this thread.
If it weren’t so distasteful it would be quite amusing reading all the soi disant IT experts helpfully opining with great certitude about FOIA.
Sophia’s parallel to the behaviour of Colonel Nicholson in the movie Bridge on the River Kwai was brilliant and summed up the situation on this thread perfectly.
The police seem to have dropped the investigation into C1? Well then, let sleeping dogs lie.
FOIA, for whatever reasons, wants anonymity. He/she deserves the gratitude of every person interested in climate change policy, warmist and skeptics alike.
Just imagine where skeptics would be now, if the two climategates had never happened.
He/she should be thanked, not exposed.
Anthony,
Smart move for the long run…
Anthony
It would be worth checking to see if UEA (and other organisations linked to climategate) have installed Symantec Enterprise Vault. This is an add-on for email systems that automatically archives email after a set period, thus reducing the size of mailboxes.
However, it can operate in two modes. Most big organisations have installed it since the Sarbanes-Oxley Act came into force. The first mode is plain old archiving – if you haven’t read an email for say a month, off it goes to the archive. You can quickly retrieve it, but your mailbox bloat is reduced.
Mode two is “journaling”. In journal mode, every incoming and outgoing email is copied to a massive central store (called a journal funnily enough) before it even gets to the users inbox. Doesn’t matter if they instantly delete it – the journal has a copy. And not even the Admins can break into it to delete the journalled copy. However, if you have the right Vault tools installed, you can search it to your heart’s content – very useful for lawsuits.
If the UEA and other universities have it installed, they have no excuse for failing to comply with FOI requests. None at all. The email is all there, and it’s all readily (and cheaply) searchable.
1DandyTroll says:
December 6, 2011 at 6:00 pm
“The real question is though, who decide’s who is clean? You, me, Mr Watts, Al Gore, …or whom?”
A valid question. Corruption can also be in your own mind, so the place to start is your own conscience. And then in science there is transparency and open discussion for safeguards 🙂
Seems to me, the easiest way to protect Mr FOIA (or miss-missis) is for everyone to claim ’tis they wot done it. 🙂
I would just to remind everyone of a point that was made previously on this site, i.e. the two releases of emails thus far show lots of “sideways” emails. By this I mean that they are to and from many of the major “players” – but there are few “upwards”, or “outwards” emails.
Surely there are “upwards” emails from “players” to their bosses discussing, stance, policy, tactics, etc? Surely there are “outwards” communications with government ministers? Emails, to journals, the BBC, MSM?
Is it conceivable that FOIA found nothing that was worthy of being released?
Could a C3.0 release perhaps include such examples? What might they say?
Whether FOIA is a hacker or a leaker is open to debate – I am pretty sure though that he is quite smart! 2 years after C1.0, no one has a clue to his/her identity. He was able to repeat another “release” of valuable data to the world under the gaze of the police – and has still not been caught.
To release the balance of the emails requires no further risk other than an email, a text, a snail mail letter, etc that includes the password to the remaining files.
boy on a bike says:
December 7, 2011 at 2:43 am
Anthony
It would be worth checking to see if UEA (and other organisations linked to climategate) have installed Symantec Enterprise Vault.>>>
There are several products on the market that are similar. Having gone through the documentation on the UEA web site as regards their retention and recovery policies for deleted email and files, it is clear to me that Symantec EV or similar was not in place.
It’s in perfect accord with the paradoxical commandments Anthony, do the right thing anyway.
It’s important that the family dog NEVER be apprised of such possibility; don’t be fooled by that wagging tail …
I have read the update and agree with Anthony’s comment.
I once held the title of “Chief Technician Department of Computer Science” for a couple of years in a university and can confirm the people in charge are not stupid. They might be out of their depth at times but usually catch on fast. So I doubt anything Anthony said was new, but my guess is this stable door will be securely bolted by now.
I also think “The Saint” has everything she/he needs in the encrypted release so as not to jeopardise his/her current position with questionable activities, that is assuming she/he has not already moved to pastures new, but even that would be a pointer, so I guess again “The Saint” has now become “The Invisible Man”. 🙂
The life and work of math genius John Nash was portrayed in A Beautiful Mind by Sylvia Nasar. The book inadvertently reveals the inflated egos, back stabbing, and nastiness that percolates just below the surface in our academic institutions; especially where research and research grants are involved. Imagine yourself in Dr. Jones’ Birkenstocks for a moment, as you survey the smoking ruin of what was supposed to be your life’s work. I don’t have enough knowledge about the issues to judge whether Anthony did the right thing or not but I can speculate what Dr. Jones muttered to himself when he read Anthony’s message. It probably went something like: “screw him AND the noble steed he just rode in on”
inflated egos, back stabbing, and nastiness that percolates just below the surface in our academic institutions; especially where research and research grants are involved.
Read anything to do with the scholarly work on the “Dead Sea Scrolls” if you want another example. The parallels are eerie: a small cadre won’t allow “outsiders” to even look at the Scrolls, and attack anyone who publishes anything that disagrees with them. Then, after decades of this, er, “science”, a computer program was used to reconstruct the unpublished texts. After that breakthrough, the Huntington Library allowed unrestricted access to their full set of photographs of the scrolls.
Oh, wait, that last part hasn’t happened with climate science. Yet.
Or, if you want another example of “Protect the Paradigm at All Costs”, look up what happened to Tom Dillehay when he saw something that happened in practice not fitting what was supposed to happen in theory. Don’t you hate it when that happens?
FINDING THE “HACKER” WILL BRING HIM/HER INTO THE SPOTLIGHT. CLEARLY THE “HACKER” KNOWS MUCH MORE ABOUT UEA AND THE PLOTTERS. THIS WOULD HAVE TO COME INTO THE PUBLIC VIEW, BLOWING CLIMATE WARMING UP!
Mike M says:
December 7, 2011 at 5:20 am
The prosecutor could depose his dog.
It’s important that the family dog NEVER be apprised of such possibility; don’t be fooled by that wagging tail …>>>
Uhm… are you protecting the dog? Or the prosecutor? 😉
Oooh, what a great opportunity!
Prosecutor: Does your dog bite?
Anthony: No.
Dog: CHOMP!
Prosecutor: Ouch! I thought you said your dog didn’t bite?
Anthony: It doesn’t. This is my neighbour’s dog.
You’re all misguided about who (or what) FOIA is.
The server location should give you a clue. (A double blind)
Stolen by a compromised employee…
Passed on to Mother Russia.
To deal a death blow to AGW and especially Carbon Trading/Offsets et al.
When you get a LOT of money from selling oil and gas, you get very protective.
Or maybe it was someone in the Middle East………….
(fiction mode OFF)
[snip. Take it elsewhere. ~dbs, mod.]
Anthony:
Thank you for sharing this with us, and congratulations on your having done the ‘right thing’.
I am shocked at some of the above comments. The Team are extremely nefarious and their machinations need to be opposed, but we lower ourselves to their level if we adopt their methods. And failure to point out the breach of AGU/JGR security would have been adoption of their methods; viz. doing whatever is expedient instead of what is right.
Richard
I think we all wish FOIA well.
So WTF are we doing here brainstorming ideas to profile them?
The massed insight here on WUWT must totally outweigh that of the Norfolk fuzz. You can be sure they are adding every post here to the “leads to follow up” file.
REPLY: Not likely, I have information that they have no interest in pursuing the case further. – Anthony
Not just IT staff but anyone with access to the backup tapes, which could be stored offsite in a data repository with staff and temporary staff.
Odd things can happen to such tapes, even in an installation with supposedly tight security; for instance, they can be thrown into wastepaper baskets and picked up by anyone. In the UK we’ve had incidents of DVDs with confidential data held by the government being lost and no one knowing where they ended up.
I don’t think it’s particularly helpful to guess at the identity of FOIA.