Who gets the most access to network data (like emails at CRU)?

Post updated – see below.

Climategate – whodunnit?

Well, according to this story in Help Net Security, the Information Technology people might be good candidates to see what has been going on behind the scenes at UEA’s Climate Research Unit, since it seems that they have broad access and according to a recent survey, many in IT positions can’t resist peeking:

“IT security staff will be some of the most informed people at the office Christmas party this year. A full 26 per cent of them admit to using their privileged log in rights to look at confidential information they should not have had access to in the first place. It has proved just too tempting, and maybe just human nature, for them to rifle through redundancy lists, payroll information and other sensitive data including, for example, other people’s Christmas bonus details.”

Here’s some eye opening survey stats about what IT people do with that access:

  • 42 percent of those surveyed said that in their organisations, IT staff are sharing passwords or access to systems or applications
  • 26 percent said that they were aware of an IT staff member abusing a privileged login to illicitly access sensitive information
  • 48 percent of respondents work at companies that are still not changing their privileged passwords within 90 days – a violation of most major regulatory compliance mandates and one of the major reasons why hackers are still able to compromise the security of large organisations.

Remember the HARRY READ ME file from Climategate 1? That programmer was bemoaning the sad state of the database and methodologies because he had the broad view afforded by working with the data within the organizational group. He knew more than any single person he was doing work for.

In the case of the UEA Climategate 1 and 2 emails, it seems clear now that gathering up as much information as has been shown to be available was not likely a quick in-and-out job. As this WUWT guest post by David M. Hoffer shows, this wasn’t just a simple hack. He wrote:

So…who had administration rights on the email system itself?  There’s reason to believe that it was not any of the researchers, because it is clear from many of the emails themselves that they had no idea that things like archives and backup tapes existed.

Whoever did it likely got it from the email archive system, knew what they were doing, and they had to have broad access to get all these emails gathered together.

Then, when we see that 256-bit AES encryption was the choice to secure the remaining nearly 1/4 of a million emails, we know that “FOIA”, whoever he/she is, knows enough to choose the kind of security that would not likely be cracked in any reasonable amount of time. This probably rules out script kiddies and students at UEA who might have had accidental network access and just grabbed a few files when they thought nobody was looking.

And what about the original first “hack” of the RealClimate.org server that Gavin Schmidt squelched? When we see survey results like “42 percent of those surveyed said that in their organisations, IT staff are sharing passwords or access to systems or applications”, and we know how close and interconnected UEA/CRU and GISS staff are, it seems likely that whoever left that first drop of emails on the RealClimate server had some shared password or other sort of access.

The sharing of system access in emails was broadly demonstrated in Climategate 2.0. For example, Dr. Phil Jones and others at CRU sent some emails out years ago that linked to papers under review at the Journal of Geophysical Research. Some WUWT readers found these early on, and sure enough, such links from years ago in the CG2 emails still worked.

A few days ago I made the issue known to Dr. Phil Jones and to the JGR journal staff so they could close this security hole. As far as I know, all have been closed. I’ve tested again tonight and the live link fails now. Now that they have been closed, I can talk about it safely without putting JGR’s manuscript system at risk.

From: Anthony
Sent: Thursday, November 24, 2011 5:10 PM
To: p.jones@uea.xxxx.xxx
Cc: grlonline@xxxx.xxx ; jgr-atmospheres@xxxxx.xxx
Subject: password enabled JGR links in Climategate 2 files
Dear Dr. Jones,
I know that you know me, and probably do not like me for my views and publications. Regardless of what you may think of me and my work, it has been brought to my attention by a reader of my blog that there are open access links to your manuscripts at JGR included in the email that are now in the public view.
Therefore, it is my duty to inform you that in the recent release of Climategate 2 files there are links to JGR journal review pages for your publications and also for the publications for Dr. Keith Briffa.
For example, this link:
http://jgr-atmospheres-submit.agu.org/cgi-bin/main.plex?el=
I have verified that in fact that link opens your JGR account and provides full access to your JGR account.
In fact there are 35 different emails in this release that contain live links to JGR/AGU author pages. Similar other links exist, such as for Dr. Keith Briffa and others at CRU.
This of course is an unintended and unacceptable consequence of the email release.
I am cc:ing Joost de Gouw Editor, JGR Atmospheres in hopes that he can take action to close this open access to these accounts. It is a holiday here in the USA (Thanksgiving) and there may not be office hours on Friday but hopefully he is monitoring emails.
JGR should immediately change all passwords access for these CRU members and I would advise against allowing transmission of live links such as the one above in the future. JGR might also consider a more secure method of manuscript sharing for review.
The open nature of these links is not publicly “on the radar” even though they are in fact public as a part of the email cache, and I do not plan on divulging them for any reason. Any mention of these links will be deleted from any public comments on my blog should any appear.
Dr. de Gouw (or anyone at JGR) and Dr. Jones, please acknowledge receipt of this email.
Thank you for your consideration.
Best regards,
Anthony Watts

So clearly, CRU and others in the emails didn’t think twice about sending around open access live links. As David M. Hoffer points out in his article, the researchers don’t seem to have a clue about security. They also leave “sensitive” files they don’t want to share under FOIA requests lying about on open FTP servers. Based on what I’ve seen so far, I don’t think any of the research staff at CRU had either the broad access or the specific tech knowledge to pull this “hack” off.
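The live links in those emails were effectively credentials: whoever held the URL held the account. As an added example (not code from this post, JGR or AGU), here is a Python check that a mail gateway or archive scan could run to flag and redact URLs whose query parameters look like access tokens, including tokens under an unfamiliar parameter name that a name list alone would miss; the hosts, parameter names and token values below are constructed.

```python
import math
import re
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample mail bodies (not real messages). The first carries an
# opaque value under an unusual parameter name, the second is harmless, the
# third mixes a conventionally named token with an ordinary record id.
SAMPLE_EMAILS = [
    "Draft is here: http://submit.journal.example/cgi-bin/main.plex?el=Q7xK9m2pLw4Rt8Zv1B3nHs6J please review",
    "Agenda: https://calendar.example.org/view?year=2009&month=11",
    "Reviewer login https://review.example.net/login?token=9f2a6c81b4e3d7a0c5b9e1f3 and https://www.example.com/paper?id=42",
]

# Parameter names that commonly carry a credential (assumed list; extend as needed).
CREDENTIAL_PARAM_NAMES = {"token", "key", "apikey", "api_key", "auth", "sid", "session", "password", "pwd"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def shannon_entropy(value: str) -> float:
    """Bits per character; long opaque tokens score high, words and numbers low."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def looks_like_secret(name: str, value: str) -> bool:
    """Flag by known parameter name, or by an opaque high-entropy value under any name."""
    if name.lower() in CREDENTIAL_PARAM_NAMES:
        return True
    return (len(value) >= 16
            and re.fullmatch(r"[A-Za-z0-9_\-]+", value) is not None
            and shannon_entropy(value) >= 3.5)


def redact_url(url: str):
    """Return (url with secret-looking parameters replaced, list of flagged parameter names)."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    flagged = [n for n, v in params if looks_like_secret(n, v)]
    if not flagged:
        return url, []
    cleaned = [(n, "REDACTED" if n in flagged else v) for n, v in params]
    return urlunsplit(parts._replace(query=urlencode(cleaned))), flagged


def scan_message(text: str):
    """Redact every URL in a message body; return (clean text, [(original url, flagged names)])."""
    findings = []

    def _replace(match):
        new_url, flagged = redact_url(match.group(0))
        if flagged:
            findings.append((match.group(0), flagged))
        return new_url

    return URL_RE.sub(_replace, text), findings


def scan_mailbox(messages):
    """Report which messages would leak a live link: [(message index, url, flagged names)]."""
    report = []
    for i, body in enumerate(messages):
        _, findings = scan_message(body)
        report.extend((i, url, names) for url, names in findings)
    return report


if __name__ == "__main__":
    for idx, url, names in scan_mailbox(SAMPLE_EMAILS):
        print(f"message {idx}: credential-like parameter(s) {names} in {url}")
```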

Somebody who had the ability to peek at these emails as part of their job might just as easily have had access to the RealClimate Server too. Remember there’s almost a quarter million emails we haven’t seen. Chances are, one of those contained the key to the RC server, which allowed them to become an RC administrator and post the original FOIA story which Gavin Schmidt caught and squelched.

I and others I correspond with have our theories about who the leaker might be. From my perspective now, someone with broad system access looks to be a more likely candidate than a malicious outsider.

UPDATE: Many people in comments think I’m doing something wrong by writing to Phil Jones and AGU/JGR. In Phil Jones’ reply to me, he wrote: A couple of other people sent me emails about this issue.

So clearly I wasn’t the first to notify him of the open links to AGU. But more importantly, my email was also sent to AGU editors and the editor of JGR Atmospheres. Despite what troubles Jones and his group have caused over the years with skeptics, AGU/JGR has been a reasonable journal that has published skeptical papers, including my own. Protecting that relationship with skeptics who publish is valuable, and the last thing we need is a scandal where papers submitted to AGU/JGR are showing up on other skeptic websites before they are reviewed because Jones sent active links around in emails. Having the knowledge of the security holes was a damned if I do, damned if I don’t proposition, but I opted on the side of doing what I felt was the right course of action. If that upsets a few people, so be it. – Anthony

Charles.U.Farley
December 7, 2011 2:07 pm

Well there are actually some emails that have connections to the “higher” echelons, for example,
#2907 is from Tony Blair to Mike Hulme, (dear colleague)….
#2965 where Mike Hulme is invited to the House of Lords to -“meet you and
hear some of your ideas for the future of the Tyndall Centre and how it can
support UK science and policy on climate change.”
I’d guess in the 7.zip there will be some juicier stuff than those though.

JonasM
December 7, 2011 2:12 pm

David M. Hoffer said: Given that the emails we can read end in 2009, and the rest are encrypted, the assumption that the balance of the emails also end in 2009 cannot be made, there is no evidence (that I am aware of) for this to be the case.

I would take this as evidence: the original release contained TXT files numbered with Unix date stamps.
For FOIA 2009, 1258053464 translates to Thursday, November 12th 2009, 19:17:44 (GMT).
For FOIA 2011, 1258124051 translates to Friday, November 13th 2009, 14:54:11 (GMT).
(this file is in the encrypted batch)
Unless the file numbering is intentional misdirection, I’d think it’s obvious that the dates encompassed by each release are about the same.

Charles.U.Farley
December 7, 2011 2:13 pm

I also like #4451.

December 7, 2011 2:21 pm

If they caught him/her they would have a big problem taking him/her to court. He/she has already outlined why he/she released the emails. She thinks the behavior of the scientists is criminal and killing people. So any court case would revolve around whether she was justified to think that way. They would be massacred, and the rest of the emails would by then have been released.
I think they are not likely to put a lot of effort into finding her.

1DandyTroll
December 7, 2011 2:24 pm

Jurgen says:
“December 7, 2011 at 2:56 am
1DandyTroll says:
December 6, 2011 at 6:00 pm
“The real question is though, who decide’s who is clean? You, me, Mr Watts, Al Gore, …or whom?”
A valid question. Corruption can also be in your own mind, so the place to start is your own conscience. And then in science there is transparency and open discussion for safeguards :-)”
But to decide if your mind is corrupt you have to use somebody else’s blueprint for not being corrupt thereby negating your own mental safety guards called the trust. But why would you think your mind is corrupt? :-()
And transparency does not exist in climatological science for outsiders, and that is its safeguard against scrutiny. :p

Al Gored
December 7, 2011 2:28 pm

The circumstances, and my hope that the whole box of apples was not rotten, have led me to believe that this was a leak not a hack:
http://thepointman.wordpress.com/2010/12/17/why-climategate-was-not-a-computer-hack/
But the hacker story fits their victim act and their ‘whodunnit’ distraction ploy so they will never admit that until they are forced to. Maybe this ‘deepthroat’ will step out someday.

1DandyTroll
December 7, 2011 2:39 pm

davidmhoffer says:
December 6, 2011 at 6:42 pm
“1DandyTroll;
Pending on the country you live in, the information is in the public domain, that does not mean that just because the information on how to access systems and files is on the internet, in the public domain, that you have the right to legally access those systems or files.>>>
Nyet. The link is just a link, and until you follow it, you don’t actually know what is in it.”
You mean to say that:
“I’ve tested again tonight and the live link fails now.”
Does not imply that Mr Watts did not succeed before?
Don’t make a fool of yourself. EU law clearly dictates what is legal to access and what is not; our eurocrats are funny that way with details, which is why the media industry keeps having problems enforcing the law against potential copyright infringers. You are not allowed to try and access a file if you don’t have the right to do so, period. It is no different than people not having the right to open a door to your home unless they have a right to do so, and whatever files are on the kitchen table that they did not read is beside the point.
And if you have missed it, since a few years back, in EU, it is in fact illegal to link to illegal information. You should do some more reading, lol. :p

1DandyTroll
December 7, 2011 2:47 pm

davidmhoffer says:
December 6, 2011 at 8:12 pm
“David Ball says:
December 6, 2011 at 7:55 pm
If they admit it is a leak, that would be the end for funding.>>>
Ya know, a forensic IT audit proving exactly who “did it” is really tough to do. But…”
That is actually the easy part; the hard part is getting the organization to disclose the information to the public even when they have a legal obligation to do so. Most organizations don’t want the rest of the world to know they’ve been hacked, especially by a hack, because it is tremendously embarrassing and, usually, costs a shit load of cash in the end.
If you want a point and click solution you can get a forensic suite for $995. Otherwise there’s a bunch of open source and GNU tools to use, for free no less.
It’s ironic really, but back in the digital stone age “forensic IT audit” was just called common system maintenance, then came the shortage of money… :-()

Jim
December 7, 2011 3:47 pm

Anthony, you have lost the plot entirely.
Your letter sounds like a cringing ‘can’t we be friends?’
And it is claptrap to talk of morality in this case. Neither you nor any other person has a moral obligation to point out that their security sucks.

December 7, 2011 3:55 pm

Lucy Skywalker says on December 6, 2011 at 3:52 am:
“Thank you Anthony for your high integrity and courtesy in handling this issue. ——————————————–. But the corruption of Science we’ve seen in Climate Science is not the only deep issue. If we look at the founders of Science, we see ——– Kepler — Newton —- so I won’t even name the most obvious of them – but nevertheless, I cannot discount the possibility of the miraculous, in ——-“
=======
I too can only thank, and praise Anthony for the way he is handling, not only just this issue, but all the issues he does handle here on his blog. – (After all he has not barred me yet – even though I am a complete, as Ira Glickstein calls it, “Disbeliever”)
But Lucy, why not include the man who has been misquoted by Tyndall and has also been misunderstood by Arrhenius to give us what is quite frankly “the most illogical” theory of them all, i.e. the modern version of “The Greenhouse Effect” (GHE) or should I say versions as I have seen multiple explanations for how different people perceive this well funded GHE.
Jean Baptiste Joseph Fourier produced, in 1824, a scientific paper in which he explained his findings on why the atmospheric temperature is what it is.
In Fourier (1824) we can read:
“La chaleur du soleil arrivant à l’état de lumière, possède la propriété de pénétrer les substances solides ou liquides diaphanes , et la perd presqu’entièrement lorsqu’elle s’est convertie, par sa communication aux corps terrestres, en chaleur rayonnante obscure.
Cette distinction de la chaleur lumineuse et de la chaleur obscure explique l’élévation de température causée par les corps transparens. La masse des eaux qui couvrent une grande partie du globe, et les glaces polaires opposent moins d’obstacle à la chaleur lumineuse affluente qu’à la chaleur obscure, qui retourne en sens contraire dans l’espace extérieur. “
For those who cannot read French, it has been translated by Burgess (1837) and reads as follows:
“The heat of the sun, coming in the form of light, possesses the property of penetrating transparent solids or liquids, and loses this property entirely, when by communication with terrestrial bodies, it is turned into heat radiating without light.
This distinction of luminous and non-luminous heat, explains the elevation of temperature caused by transparent bodies. The mass of waters which cover a great part of the globe, and the ice of the polar regions, oppose a less obstacle to the admission of luminous heat, than to the heat without light, which returns in a contrary direction to – [Fourier (1824, p. 141) – open space.”
So, if “heat radiating without light.” is today’s LWIR (Long Wave Infra Red) radiation, then LWIR cannot penetrate the Atmosphere at all – and ——, well? – As Fourier said elsewhere: “For the Atmosphere to be anything like the glass of a hotbox, such as the experimental apparatus of de Sassure (1779), the air would have to solidify while conserving its optical properties.” (Fourier 1827 p 586)

December 7, 2011 3:59 pm

And I still don’t know who FOIA is, but may her/his God go with her/him

Richard S Courtney
December 7, 2011 4:07 pm

Jim:
At December 7, 2011 at 3:47 pm you say to Anthony;
“And it is claptrap to talk of morality in this case. Neither you nor any other person has a moral obligation to point out that their security sucks.”
Sorry, but you seem to not understand the difference between morality and ethics.
Ethics are the rules for proper conduct applied by a society upon its members.
Morals are the rules for proper conduct applied by a person upon him/herself.
Anthony made a moral judgement that informing some people they had a problem was proper although there was no ethical reason for him to inform them.
In my opinion this demonstrates the high moral principles that govern Anthony’s behaviour. And I applaud it.
Richard

Ben Wilson
December 7, 2011 4:14 pm

I think everyone is missing the genius in what Mr. Watts did.
Phil Jones thoughts when he received Watts’ e-mail would have had to have been “My God. . . . he knows everything we’ve had on our servers for the last ten years. . . . and right now he’s just toying with us with this “friendly warning” to hide some sensitive links. . . . . ”
The message that Anthony sent was “All Your Base are belong to us”!!!

davidmhoffer
December 7, 2011 5:17 pm

1DandyTroll;
If you want a point and click solution you can get a forensic suit for $995. Otherwise there’s a bunch of open source and gnu tools to use, for free no less.>>>
I can sell you a tool set just as useful for $500. Half price dude! How many you want?
There’s no such thing as a forensic tool set that you can just run and it tells you who dunnit.
Consider, for example, the guy who picks up the backup tapes to take them off site for storage. He makes a pit stop somewhere, copies the tapes, then brings the originals to the storage facility. Electronic finger prints = 0
Example 2. A server log shows that Phil Jones logged in, downloaded a bunch of email and copied it to a USB drive. Do you know how many tools you need to discover that? None. If the server logging is turned on, it’s on. If it’s turned off, there’d be zero record, but let’s assume that it was turned on, and that’s what the log says. OK, so that’s proof Phil dunnit, right?
Wrong. That’s proof that someone with Phil’s username and password dunnit. You gotta check where Phil was that time and day. If Phil was on a flight to Cancun…Phil didn’t do it. Someone with his username and password did. Well…maybe Phil did it after all. What operating system is the server running, and what security precautions are enabled to prevent someone from editing the log? Maybe Phil did it after all, but he actually had admin rights, edited the log to show a different time to give himself an alibi. Or maybe it was the sys admin in the first place, and he was trying to frame Phil and didn’t know Phil was going to Cancun that night.
These things are WAY more complicated than just buying a tool. The tool just collects info; you still need a human sleuth to put it all together.
I’ve nailed a few hackers over the years, and the dumbest things will trip them up. Once, I was sure someone was tampering with a server, but the log files were clean as a whistle. So, I ran a printer cable from the back of the server through a wall to a line printer in another room. I set it to echo every key stroke from the log files. The next morning I had a paper output showing exactly how the guy had been doing it because while he could alter the log files, he couldn’t alter what had already been printed on the printer, he didn’t even know there WAS a printer. From there it was about an hour to identify the culprit.
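The printer trick in the comment above works because what has already been printed cannot be rewritten by whoever holds admin rights on the server. As an added example (not code from the commenter or from any real audit product), here is a Python tamper-evident log that gets the same property with an HMAC chain keyed from a separate system: rewriting one timestamp to manufacture an alibi, deleting the tail, or re-sealing the whole log without that key is detected on verification. The key, user names and events are constructed placeholders.

```python
import copy
import hashlib
import hmac
import json

# Assumed: this key lives on a separate system (the equivalent of the line
# printer in the other room), never on the server whose admin could rewrite the log.
AUDIT_KEY = b"constructed-demo-key-held-off-box"
GENESIS = "0" * 64

# Constructed sample events; user, host and device names are placeholders.
SAMPLE_RECORDS = [
    {"ts": "2009-11-12T19:05:00Z", "user": "researcher1", "event": "login", "src": "10.0.0.12"},
    {"ts": "2009-11-12T19:07:30Z", "user": "researcher1", "event": "export_mailbox", "bytes": 160000000},
    {"ts": "2009-11-12T19:09:10Z", "user": "researcher1", "event": "usb_write", "device": "sdb1"},
    {"ts": "2009-11-12T19:10:00Z", "user": "researcher1", "event": "logout"},
]


def seal(prev_mac: str, record: dict, key: bytes = AUDIT_KEY) -> str:
    """MAC over the previous link plus a canonical serialisation of this record."""
    payload = prev_mac.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_chain(records, key: bytes = AUDIT_KEY):
    """Append-only log: each entry's MAC depends on every entry before it."""
    sealed, prev = [], GENESIS
    for record in records:
        mac = seal(prev, record, key)
        sealed.append({"record": record, "mac": mac})
        prev = mac
    return sealed


def verify_chain(sealed, key: bytes = AUDIT_KEY):
    """Index of the first entry that does not fit the chain, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(sealed):
        if not hmac.compare_digest(seal(prev, entry["record"], key), entry["mac"]):
            return i
        prev = entry["mac"]
    return None


def matches_anchor(sealed, anchor_mac: str) -> bool:
    """Compare the final link with a copy stored off-box; catches deleted tail entries."""
    return bool(sealed) and hmac.compare_digest(sealed[-1]["mac"], anchor_mac)


def alibi_edit(sealed, index: int, new_ts: str):
    """Simulate an admin rewriting one timestamp in place to manufacture an alibi."""
    tampered = copy.deepcopy(sealed)
    tampered[index]["record"]["ts"] = new_ts
    return tampered


if __name__ == "__main__":
    log = build_chain(SAMPLE_RECORDS)
    anchor = log[-1]["mac"]  # the "printout": copied off-box as each entry is written
    print("intact:", verify_chain(log) is None, matches_anchor(log, anchor))
    edited = alibi_edit(log, 1, "2009-11-13T02:00:00Z")
    print("timestamp rewritten, first bad entry:", verify_chain(edited))
    print("tail deleted, anchor still matches:", matches_anchor(log[:3], anchor))
    # Re-sealing the edited log without the off-box key does not help the insider.
    reforged = build_chain([e["record"] for e in edited], key=b"insider-guess")
    print("re-sealed with wrong key, first bad entry:", verify_chain(reforged))
```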

davidmhoffer
December 7, 2011 5:29 pm

1DandyTroll;
“I’ve tested again tonight and the live link fails now.”
Does not imply that Mr Watts did not succeed before?>>>
It matters not one whit how many times he clicked on the link and succeeded. It means he tested the link and it operated properly. That says nothing about what he read or didn’t read.
1DandyTroll;
Don’t make a fool of yourself. EU law clearly dictates what is legal to access and what is not>>>
I’ll take your word for it. The thing that maybe you might have missed is that Anthony lives in the United States of America, and is not subject to EU law. Nor are crimes of this sort an extraditable offense. Even if he were to take a trip to the EU and be arrested there, his lawyer would argue that the EU does not have jurisdiction over actions taken in another country where those actions are legal, and he’d win on that point, hands down.
Any other things I made a fool of myself on that I can straighten out for you?

davidmhoffer
December 7, 2011 5:37 pm

JonasM;
I would take this as evidence: the original release contained TXT files numbered with Unix date stamps.
For FOIA 2009, 1258053464 translates to Thursday, November 12th 2009, 19:17:44 (GMT).
For FOIA 2011, 1258124051 translates to Friday, November 13th 2009, 14:54:11 (GMT)
(this file is in the encrypted batch)>>>
Sorry, almost missed your comment. By “first” batch, do you mean CG1? Or something else? I’m also a bit confused about the txt files you say were in the encrypted batch. Are you saying the time stamps are not encrypted? (I’ve not looked at them myself)

December 7, 2011 6:29 pm

Whodunit? Sources tell me that it is a mole planted deep in the team network who has gone beyond the call of duty in maintaining his cover–James Hansen.

eyesonu
December 7, 2011 8:20 pm

Whodunit? Somebody dunit. Thank you!
Anthony shows moral and ethical integrity and tells ol’ Phil. Phil snaps from his wakeup call on CG 2.0 and realizes that he may have been open for all his computer secrets for years past and loses sleep. Ol’ Mann realizes ol’ Phil may have let the ‘cat out of the bag’ and now loses sleep. Someone else may then lose sleep until the wide eyed players have wider eyes. Nothing like lying when someone is dropping hints that it is game over. To lie or not to lie. Psychosis?
Maybe just a fleeting hope/dream on my part, but who knows. Whodunit, maybe somebody dunit. Anyway, somebody done did a good job.

Pasqetty
December 7, 2011 8:56 pm

How about one of the inner circle having serious and nagging regrets and deciding it was time to stop or at least to try and slow the runaway global warming freight train that he helped create. How about someone who resented how he had been used in creating the poster boy hockey stick. How about someone who felt that the release would perhaps help to repair his reputation or at the very least do some damage control.

davidmhoffer
December 7, 2011 9:46 pm

I FIGURED IT OUT!!!
I KNOW WHO IT WAS!!
It was the Norfolk Police.
Think about it. They had access (they’re cops!), they have the means (they have teenage kids who are computer whizzes), they have motive (less money for windmills, more for policing, taxes go down) and they can cover their tracks (they’ve been investigating for two years and…nothing. hmmm…)
Plus, when the prosecutors finally crumble and start doing their jobs, guess who gets to be on the front page of the newspaper making the arrests (of Phil Jones and team I mean), television interviews, book deals….
They’re probably grumbling to themselves right now because they can’t believe that with all they’ve done, the arrest warrants haven’t started flowing yet.

JonasM
December 8, 2011 5:40 am

davidmhoffer says: December 7, 2011 at 5:37 pm : By “first” batch, do you mean CG1?
Correct. CG1 file 1258053464.txt = Thursday, November 12th 2009, 19:17:44 (GMT)
I’m also a bit confused about the txt files you say were in the encrypted batch. Are you saying the time stamps are not encrypted? (I’ve not looked at them myself)
While the files themselves are encrypted, you can view the file names in ‘all.7z’, which all reside in a folder called ‘all’. Interestingly, they do not have a ‘.txt’ extension, but are bare unix timestamps. The most recent timestamp in the archive is 1258124051, which is Friday, November 13th 2009, 14:54:11 (GMT).

Pat
December 8, 2011 7:32 am

I’m a systems administrator, it’s what I do for a living. And people like me ROUTINELY have the kind of access necessary to get this type of information without any hacking. It’s been 100% obvious to me, that since the very beginning this HAD to have been done by a sysadmin with full access to the systems. This was not a hack… In fact the amount of information and the way it was “outed” makes it highly unlikely, almost impossible that this could ever have been done by someone on the outside.

mojo
December 8, 2011 10:02 am

Back ups are a huge hole, usually. You really don’t want to be mousing around on systems, leaving an audit trail, when you can simply restore to a separate system and spend as much time as you like looking for goodies.

Dave Springer
December 8, 2011 11:46 am

“Whoever did it likely got it from the email archive system, knew what they were doing, and they had to have broad access to get all these emails gathered together.”
This is patently wrong. There was no gathering. All the emails were kept on a single backup (redundant) mail server located within IT. This is according to a government report, “The Muir Russell Report”. I’ve posted this several times already. A bit of due diligence is all it takes to find the report but again I provide it. It may be a whitewash but I doubt they’d outright lie about what’s a very common thing in the industry, i.e. keeping a copy of all email traffic for a department on the departmental email server. Disk storage these days is so cheap it’s given away by the gigabyte and retail price is well under $100/terabyte.
http://www.cce-review.org/pdf/FINAL%20REPORT.pdf