Operation Cabin Q&As (from the Norfolk Police PDF)
The following questions and answers are an abridged version of Norfolk Constabulary’s Operation Cabin media briefing held on Thursday 19 July 2012.
How do you know it was an external hack?
In outline terms, we know it came via the internet from a number of different IP addresses, in various countries, which may have been proxy servers.
The attack was, first of all, into the web server (CRUweb8) in the Climate Research Unit (CRU) at the UEA. From there, a link was established to a CRU back-up server (CRUback3).
It’s fair to say, the university has to draw the right balance between giving access to information – it’s an academic establishment and, as such, has a proportionate level of security which enables people to work remotely and access information to operate in that academic environment. As a consequence of the attack, the UEA has taken a number of measures and its ICT infrastructure now looks very different.
We identified that the attackers breached several password layers to get through and they got to a position where they employed different methodologies to return the data. We identified a significant quantity of data that was taken in this way, certainly in excess of that which was subsequently published in the two files in 2009 and 2011.
We’ve used the expression ‘sophisticated’ and that’s because that’s the view of our experts who conducted that side of the investigation for us. They identified that, as well as achieving the breach, they also took significant steps to conceal their tracks and lay false trails and change information available to us in order to frustrate the investigation. The conclusion was the person/s were highly competent in what they were doing.
That technical investigation was the primary line of investigation although we did cater for other possibilities, these were later ruled out.
Which specific countries were involved in the trail of proxy servers and which countries were either helpful or uncooperative in your investigations?
While we will not be confirming the names of the countries specifically, we can confirm there were a number across the majority of the continents.
We would underline that the use of a proxy server in any country is not necessarily evidence that the hack originated in that domain.
We worked with partners in these countries and the level of response and support we got varied from being excellent to being quite time consuming.
The logistics involved meant it was a complex picture with different legal jurisdictions and sovereignties. Sometimes it’s a procedural issue and sometimes it’s a political issue with a small or a big P.
Can you confirm that the US was helpful?
We will not confirm the identity of individual countries but we can say, in general terms, there is a healthy and productive relationship between law enforcement in the US and the UK.
Did you detect that any national government could be behind this?
No. The hypothesis was, and remains, that the person or persons responsible for this could be anyone on a spectrum from an individual right through to the other end of the spectrum, including commercial organisations and governments. It is obvious that some commercial organisations would have an interest in maintaining their commercial position; similarly there will be economies and governments which have an interest in protecting their position. To be clear, we did not get any indication as to who was responsible.
It is clear the person responsible has knowledge of this subject; did you interview all the bloggers that showed an interest?
We interviewed a number of people and the logistical issues involved meant that much of this work was carried out remotely because, physically travelling to countries, and the logistics involved in achieving that – for the anticipated outcome – would not have been proportionate.
Of course, the climate sceptic community would, in the main, give the appearance of welcoming the published data because it supports their view. Therefore, we were realistic about the prospect of them being helpful to our investigation.
Can you describe what investigations you undertook at the UEA and who you interviewed there?
The focus internally was on the IT infrastructure and working out from there. We also looked at people working at or with connections to the Climate Research Unit and, in simple terms, we were looking for anything obvious. All members of staff were interviewed. If someone had some obvious links or had an axe to grind, then that might have been a line of enquiry.
Generally speaking, it was a screening exercise which did not provide any positive lines of enquiry.
Whilst – because we have not found the perpetrators – we cannot say categorically that no-one at the UEA is involved, there is no evidence to suggest that there was. The nature and sophistication of the attack does not suggest that it was anyone at the UEA.
You say that the hacker had to go through a series of passwords; do you know that someone at the UEA would not have had access to these passwords?
Anyone with access to these passwords has been excluded as a suspect. Additionally, there was some evidence of work undertaken to break passwords.
It has been reported that the hacker accessed the server on three separate occasions, can you confirm if that’s true and if there were any further attempts to access the server after ‘climategate’ broke and have there been any recently?
The report is inaccurate. The attack was conducted over a period of time and access would have occurred on a number of occasions and certainly more than three. Of course, we only know what we know. I have already described it was a sophisticated attack; we have established a substantial amount of what happened. What I can’t say is whether we have established everything that happened.
There were no further data breaches once the story had broken in November 2009, not least because we had taken possession of Cruback3 and it wasn’t available to be accessed.
Do you know when the attacks began?
There’s a timeline of events and there has been speculation, in the media and the blogs, that there may have been an orchestrated campaign of Freedom of Information requests to the University in the summer of 2009. It appears the attacks were undertaken late in that summer, early autumn, through to November. The first tactic that we were aware of was in September 2009.
There was news that some other institutions, including in Canada, that may have come under a similar attack at that time. Are there any other institutions that you have found that were attacked at this time?
We did have some dialogue and there were one or two that had been attacked and we did have a preliminary examination but they did not give us any indication or cause to suspect that it was in any way linked to the UEA.
What happens to Cruback3 now?
It has been returned to the University of East Anglia, having been retained as an exhibit through the course of the investigation. It was necessary to retain the actual server for this time. It contained a massive amount of data, something in the region of five terabytes.
When the second batch of e-mails was released, there was the note that came with them. Did you or your colleagues contemplate doing structural linguistics or analysis to try and trace it to a particular location in the world?
It was speculated on and it was something we did consider. Our conclusion was that it would be unlikely to take the investigation anywhere and, in fact, if you are trying to conceal your tracks it could have been constructed to mislead.
You have been restricted by the statute of limitations, would you have continued with this investigation otherwise?
The decision to close the case was a combination of the time limit and an acknowledgement that we had pursued this as far as we reasonably can.
Did you consider prosecuting people dealing in the information that was clearly stolen?
In terms of offences committed, it becomes a much greyer area. The same challenges exist in terms of identifying those individuals. An operational decision was made not to pursue this.
<Ends>
By examining these emails, haven’t the police now EVIDENCE of AGW fraud? These email-admitted manipulations of data and the open corruption of science have led to theft of billions of dollars from taxpayers around the world, not to mention an on-going serious attempt to bring about the collapse of democracy AND civilization. Shouldn’t they be ARRESTING SOMEBODY? What the hell does it take to get the authorities moving on this?
So the CRU backup server had 5 terabytes of data on it. Wonder how much FOIA is sitting on….
“Of course, the climate sceptic community would, in the main, give the appearance of welcoming the published data because it supports their view. Therefore, we were realistic about the prospect of them being helpful to our investigation.”
I, and Anthony, offered help in their investigations but they declined it, so I find their statement surprising.
They haven’t had the decency to contact me to tell me they had closed their investigation even though I had protested about them keeping my details on file just because I had made an FOI request.
I have now formally asked they delete all my details under the data protection act in the UK, I am awaiting a reply.
Well, much less Keystone-ish than I anticipated. Not quite up to Clouseau’s standards, maybe, but …
The major hang-up I have with the whistleblower hypothesis is the difficulty I have with imagining FOIA wearing a consensus mask so long without slipping.
Ally E. says:
July 20, 2012 at 1:05 am
“By examining these emails, haven’t the police now EVIDENCE of AGW fraud? Shouldn’t they be ARRESTING SOMEBODY? What the hell does it take to get the authorities moving on this?”
Would you arrest someone if they
- Work for you, and do as they are told.
- Make it possible to increase your income. (taxes)
- Make it possible to start huge government projects.
Would you?
@Ally E: “Shouldn’t they be ARRESTING somebody?”
No, because the Carbon Cultists are doing exactly what the US/UK/EU governments want. Destroying civilization, starving the poor, and enriching the rich. Why would US/UK/EU want to arrest their most loyal footsoldiers?
Vieras:
Even If the story told so far is accurate and this was an external hack, it seems fairly likely to me that someone “in the know” knew what was there. It’s a trivial step from there to having someone with more experience in the hacking arts do the actual deed.
This also reminds me of someone I used to work for who refused to use a CD/DVD emulator called Daemon Tools because he once read that it used many of the same techniques as a Rootkit, therefore in his mind Daemon Tools is equal to a rootkit and thus is equal to a virus. No amount of explaining was enough to convince him otherwise.
In the same vein, the chances of someone randomly seeking out the specific server and data to grab and make public are vanishingly small, something on the order of McKibbens’ numbers regarding 327 months of above average temperatures. EVEN IF the data was obtained via external hacking, no matter how “sophisticated” it was, it remains highly probable (to me) that there is still a whistleblower involved.
As a proper skeptic, I remain unconvinced in either direction. But it does seem highly unlikely that random hackers knew what to get and where to get it from.
“The nature and sophistication of the attack does not suggest that it was anyone at the UEA.”
So you are saying the people at UEA are ….
Some suggestions to the investigators: 1. Check your assumptions. These are needed to keep the problem-space small but some are simply bad. Restrict them to trivialities. 2. Check the quality of your information. Information from others, including yourself, may be totally worthless as it may consist of made-up facts. 3. Don’t be proud of your hypotheses. They are rational reconstructions but reality often does not conform to your rationality (the most serious errors in police investigation have to do with this fixation). 4. Try to be serendipitous.
Will the end of the investigation prompt the release of the password for the Part 3 of the emails?
Just to keep the fire burning, I suppose, unless there is something in those emails that can change the game.
“Adrian Kerton says:
July 20, 2012 at 1:45 am”
From what I know about the 1984 data protection act (UK), I would suggest you will be waiting a long while for that to happen, if at all.
OK, for now, I will take their word for it that it was a hack and that it did not involve someone in CRU.
FOIA was not lying about releasing just some of the files I see. Get ready for Climategate 3 folks.
“There’s a timeline of events and there has been speculation, in the media and the blogs, that there may have been an orchestrated campaign of Freedom of Information requests to the University in the summer of 2009. It appears the attacks were undertaken late in that summer, early autumn, through to November. The first tactic that we were aware of was in September 2009.”
1. It’s an interesting police press conference in which an officer of the law points to blog speculation when answering a serious question about a serious matter.
2. The linkage of FOI requesters with the alleged hacker appears to be a talking point that the officer received from someone at the Climatic Research Unit, perhaps Phil Jones himself. And I don’t mean that a specific conversation led to this, although it could have. Rather, the officer’s entire way of thinking about the matter has been heavily influenced by an interested party in the case. Included in the mindset: the CRU is the victim here; FOI requests come from malevolent sources; skeptic bloggers are pond-scum. These are articles of faith for Phil Jones and his closest associates.
Let’s play devil’s advocate for a minute, even though it obscures the situation. Pointman’s analysis is interesting but assumes one thing about CRU’s IT that is an unknown but important variable: competence and budget. The same argument he makes for the importance of the target goes for its resources and efforts to protect the material in question. There may not have been much in the way of intrusion detection, log analysis or password security and all of the hurdles may have been kid’s play to jump to get to the data.
Universities are not necessarily known to attract top notch IT security staff (outside maybe research itself) or pay top dollar for the talent they do hire – no offense intended. The folks there may be more interested in job security and having time to goof off on the job or pursue pet projects during work hours from my personal experience. So in essence, getting to the data may have been much easier than the tone of the investigation report or Pointman’s mission impossible script to hack the NSA’s coffee webcam let on. A number of items from the report support this theory (i.e. knowledge that passwords may have been brute force cracked without triggering alarms).
The real sticky point, imho, is the interest in the particular data obtained, the idea that it might (still) be there and accessible and the care with which it has been released so far. Those things give credence to the idea that someone on the inside at least pointed out the target and may have paved the way to extracting it (and put up red herrings to pursue in the investigation they must have known would follow). As I said before, inside and outside man might have been the same person, all it takes is a VPN from another virtual machine on the same computer to be both while sitting in the office. Funny enough that may put the person in question beyond the skill set of the IT staff around them and might just tie into Mosher’s claim of the motive being a personal one. What better way than put egg on the face of your head of IT and the buffoonish researchers that look down their noses at you and defraud the world than this little stunt if you’re a talented IT guy stuck at a university job?
The nature and sophistication of the attack does not suggest that it was anyone at the UEA.
Hahahaha
Tucci78 says: July 20, 2012 at 12:25 am
I like the juxtaposition of the words “individual” and “right” – even if unintentional – particularly in light of a recent promulgation uttered with funding by our federal Heimatsicherheitsdienst which defines American citizens who are “reverent of liberty” (among other sentiments) as potential terrorists.
Of course they deny saying that right on the first page. But then, being reverent of individual liberty or against globalization is then stated as part of the profile of an extreme right-wing terrorist. So, it is the case that if you’re a right wing terrorist, then you have properties A, B, C…
And then, although they say it is not so, if you have the properties A, B and C you fit in the profile of a right wing terrorist. Therefore you are a possible right wing terrorist. These are the simple but effective wonders of such stuff as profiling and circumstantial evidence.
I’m with codetech. This was done with inside involvement, no doubt about it.
5Tb a massive amount of data?
I’ve got 2Tb on my music studio PC! This is backup server 3. What was wrong with servers 1 & 2 and I presume 4 & 5? As I say, 5Tb isn’t really a lot especially not when you consider that this is backup for the whole campus.
I’m not buying it.
DaveE.
“Whilst – because we have not found the perpetrators – we cannot say categorically that no-one at the UEA is involved, there is no evidence to suggest that there was. The nature and sophistication of the attack does not suggest that it was anyone at the UEA.”
This does imply that all the staff at UEA are pig thick (well it is in “Narchh” after all…) and they thought the sceptics were being harsh…:-)
Seriously though. In the end there isn’t significant evidence against anyone, and so the conclusion that it is an outside job is pure conjecture.
ancientmariner says: July 20, 2012 at 12:42 am
“The nature and sophistication of the attack does not suggest that it was anyone at the UEA……..”
but we are supposed to believe the good folks at UEA can understand the climate?????
Ancient, we know Phil is unable to use Excel.
Ally E. says: July 20, 2012 at 1:05 am — By examining these emails, haven’t the police now EVIDENCE of AGW fraud? These email-admitted manipulations of data and the open corruption of science have led to theft of billions of dollars from taxpayers around the world, not to mention an on-going serious attempt to bring about the collapse of democracy AND civilization. Shouldn’t they be ARRESTING SOMEBODY? What the hell does it take to get the authorities moving on this?
They certainly don’t have an open file on these. Anyway, the destruction of western civilization is likely not to be in their jurisdiction.
Well, any internal whistleblower having a reasonable amount of technical sophistication and a survival instinct could easily fake intrusion, or even create a security deficiency and see what pops in. I sure know I could.
Speculating for fun. By claiming disinterest in pursuing this further and closing the file knowing full well FOIA has scads more emails to release, might the coppers have laid a little trap somewhere deep in IT-ville for a return visit? A question for you IT experts? On the other hand, and the more likely scenario in my view, is that they may know or think they know whodunnit but don’t wish to pursue, which could be the case if government agents of another land were behind it. Which countries stand to benefit if the AGW theory and scientific ‘proof’ were proven bogus, as indeed they were? All countries p’raps?
Who is Harry? You know, of HarryReadme fame.
Maybe that can be our “Who is John Galt” catchphrase?
Jimbo says:
July 20, 2012 at 3:44 am
First of all, a backup server generally backs up more than just the email server, the vast majority of which is of no interest to anyone except those administering systems which have lost files and need to recover them. Depending on the backup software used and the retention policies defined, it most likely contains multiple copies of the same files. So that five terabytes may be less than one terabyte of unique data, most of which has nothing to do with email at all, and climate research email in particular.
Second, the police said the backup server contained approximately five terabytes, not that the intruder actually got that much. I assume someone skilled enough to compromise the backup server would be able to use the software to index and extract exactly what was wanted. This is even more reasonable if you assume it was an inside job.
Finally, a complete dump of one year’s worth of email (a common retention policy) from a typical institution would consist overwhelmingly of incredibly boring and trivial material. Long threads of “reply-all” wandering discussions over a series of loosely related topics. I drown under this stuff at work and I’m only dealing with what is sent to me. The thought of having to go through a bunch of other people’s email and try to figure out what they are doing on one specific topic is enough to make me want to put a bullet through my head. If you want to know the identity of FOIA, look for suicides shortly after the last release.
@Andrew30 says:
July 20, 2012 at 3:04 am
“The nature and sophistication of the attack does not suggest that it was anyone at the UEA.”
So you are saying the people at UEA are ….
======================================================================
I saw that too but you got there first. Dang!
That one probably qualifies as a Friday Funny, compliments of the Norfolk Police.