Operation Cabin Q&As (from the Norfolk Police PDF)
The following questions and answers are an abridged version of Norfolk Constabulary’s Operation Cabin media briefing held on Thursday 19 July 2012.
How do you know it was an external hack?
In outline terms, we know it came via the internet from a number of different IP addresses, in various countries, which may have been proxy servers.
The attack was, first of all, into the web server (CRUweb8) in the Climate Research Unit (CRU) at the UEA. From there, a link was established to a CRU back-up server (CRUback3).
It’s fair to say, the university has to draw the right balance between giving access to information – it’s an academic establishment and, as such, has a proportionate level of security which enables people to work remotely and access information to operate in that academic environment. As a consequence of the attack, the UEA has taken a number of measures and its ICT infrastructure now looks very different.
We identified that the attackers breached several password layers to get through and they got to a position where they employed different methodologies to return the data. We identified a significant quantity of data that was taken in this way, certainly in excess of that which was subsequently published in the two files in 2009 and 2011.
We’ve used the expression ‘sophisticated’ and that’s because that’s the view of our experts who conducted that side of the investigation for us. They identified that, as well as achieving the breach, they also took significant steps to conceal their tracks and lay false trails and change information available to us in order to frustrate the investigation. The conclusion was the person/s were highly competent in what they were doing.
That technical investigation was the primary line of investigation, although we did cater for other possibilities; these were later ruled out.
Which specific countries were involved in the trail of proxy servers and which countries were either helpful or uncooperative in your investigations?
While we will not be confirming the names of the countries specifically, we can confirm there were a number across the majority of the continents.
We would underline that the use of a proxy server in any country is not necessarily evidence that the hack originated in that domain.
We worked with partners in these countries and the level of response and support we got varied from being excellent to being quite time consuming.
The logistics involved meant it was a complex picture with different legal jurisdictions and sovereignties. Sometimes it’s a procedural issue and sometimes it’s a political issue with a small or a big P.
Can you confirm that the US was helpful?
We will not confirm the identity of individual countries but we can say, in general terms, there is a healthy and productive relationship between law enforcement in the US and the UK.
Did you detect that any national government could be behind this?
No. The hypothesis was, and remains, that the person or persons responsible for this could be anyone on a spectrum from an individual right through to the other end of the spectrum, including commercial organisations and governments. It is obvious that some commercial organisations would have an interest in maintaining their commercial position; similarly there will be economies and governments which have an interest in protecting their position. To be clear, we did not get any indication as to who was responsible.
It is clear the person responsible has knowledge of this subject; did you interview all the bloggers that showed an interest?
We interviewed a number of people and the logistical issues involved meant that much of this work was carried out remotely because physically travelling to countries, and the logistics involved in achieving that, for the anticipated outcome, would not have been proportionate.
Of course, the climate sceptic community would, in the main, give the appearance of welcoming the published data because it supports their view. Therefore, we were realistic about the prospect of them being helpful to our investigation.
Can you describe what investigations you undertook at the UEA and who you interviewed there?
The focus internally was on the IT infrastructure and working out from there. We also looked at people working at or with connections to the Climate Research Unit and, in simple terms, we were looking for anything obvious. All members of staff were interviewed. If someone had some obvious links or had an axe to grind, then that might have been a line of enquiry.
Generally speaking, it was a screening exercise which did not provide any positive lines of enquiry.
Whilst – because we have not found the perpetrators – we cannot say categorically that no-one at the UEA is involved, there is no evidence to suggest that there was. The nature and sophistication of the attack does not suggest that it was anyone at the UEA.
You say that the hacker had to go through a series of passwords; do you know that someone at the UEA would not have had access to these passwords?
Anyone with access to these passwords has been excluded as a suspect. Additionally, there was some evidence of work undertaken to break passwords.
It has been reported that the hacker accessed the server on three separate occasions, can you confirm if that’s true and if there were any further attempts to access the server after ‘climategate’ broke and have there been any recently?
The report is inaccurate. The attack was conducted over a period of time and access would have occurred on a number of occasions and certainly more than three. Of course, we only know what we know. I have already described it was a sophisticated attack; we have established a substantial amount of what happened. What I can’t say is whether we have established everything that happened.
There were no further data breaches once the story had broken in November 2009, not least because we had taken possession of CRUback3 and it wasn’t available to be accessed.
Do you know when the attacks began?
There’s a timeline of events and there has been speculation, in the media and the blogs, that there may have been an orchestrated campaign of Freedom of Information requests to the University in the summer of 2009. It appears the attacks were undertaken late in that summer, early autumn, through to November. The first tactic that we were aware of was in September 2009.
There was news that some other institutions, including in Canada, that may have come under a similar attack at that time. Are there any other institutions that you have found that were attacked at this time?
We did have some dialogue and there were one or two that had been attacked and we did have a preliminary examination but they did not give us any indication or cause to suspect that it was in any way linked to the UEA.
What happens to CRUback3 now?
It has been returned to the University of East Anglia, having been retained as an exhibit through the course of the investigation. It was necessary to retain the actual server for this time. It contained a massive amount of data, something in the region of five terabytes.
When the second batch of e-mails was released, there was the note that came with them. Did you or your colleagues contemplate doing structural linguistics or analysis to try and trace it to a particular location in the world?
It was speculated on and it was something we did consider. Our conclusion was that it would be unlikely to take the investigation anywhere and, in fact, if you are trying to conceal your tracks it could have been constructed to mislead.
You have been restricted by the statute of limitations, would you have continued with this investigation otherwise?
The decision to close the case was a combination of the time limit and an acknowledgement that we had pursued this as far as we reasonably can.
Did you consider prosecuting people dealing in the information that was clearly stolen?
In terms of offences committed, it becomes a much greyer area. The same challenges exist in terms of identifying those individuals. An operational decision was made not to pursue this.
<Ends>
There are likely two laws to consider regarding limitations. One, the date the “purloining” happened, and two, the date the “purloiner” published the contents. My hunch is that the unpublished contents have a monetary value now attached, as well as the fact that these unpublished goods are stolen goods. Gonna be hard to release the last bunch in any form. These may very well stay unpublished and would likely be placed in the purloiner’s will.
This speaks directly to the attempts by many to keep their data out of the hands of FOI requests. The true “purloiners” are the scientists who sit on their data and code, essentially having “purloined” it from the public tax payer who rightfully owns it. These scientists and bloggers who have whined to high heaven about this “attack” ought to look in the fricken mirror at the true perps in this entire sad affair.
The downloading of the files was just routine surveillance conducted by British Intelligence. Since MI6 are professionals, nobody ever detects or even notices the intrusion – it happens all the time. In this instance a rogue agent sees the content of the files and chooses to publish them on the Internet. The British Government will never admit to monitoring closed networks, so we are seeing the Constabulary making lame excuses that they have no idea how this happened or who did it. This is an internal Government matter that will be handled out of the public view.
CodeTech: “Even if the story told so far is accurate and this was an external hack, it seems fairly likely to me that someone “in the know” knew what was there. It’s a trivial step from there to having someone with more experience in the hacking arts do the actual deed.”
Put yourself in the shoes of a whistleblower. You know all about Harry’s work and that the e-mails are full of juicy bits. How do you proceed if you want the world to know? The last thing you’d do would be to go around trying to find hackers to attack a server system you don’t know anything about. And even if you found someone, you can’t know if they are interested or even skillful enough to do the job. And they don’t do services for free. And even if they could and would, you’d never be sure that they’d not brag around and reveal you. So I think that we can rule out the possibility that someone from CRU would have contracted an expert to crack the server. FOIA is definitely someone who had the motivation and the necessary skills. Miles away from an average computer user or an average CRU employee.
“Of course, the climate sceptic community would, in the main, give the appearance of welcoming the published data because it supports their view.”
As others have pointed out that statement does seem to damn CRU somewhat.
I’ll point out that just because the network logs show that whoever took the data did so from outside the CRU network, that doesn’t really tell us anything about whether they were a CRU insider or had help from inside.
Mike.
So, the server is back home. Wonder if they, you know, accidentally drove it past the magnet factory very slowly. Often.
The Pointman is good! — and correct, I surmise. At the same time, I am grateful that The Great White or the Mouse-Like Insider walks free. Leave him alone.
Watching the media and govt ugliness surrounding poor George Zimmerman these days, there’s no doubt that, if identified, big trouble would loom on the horizon for this soul. ….for the education of the others…..
Also, one day, soon, I hope, like a bright brass key, a secret password will be dropped, somewhere, and whoosh! the floodgates will break and truth will flow. ….Lady in Red
“We couldn’t find evidence for anything else* so we have decided that CO2 / an external hack / the Illuminati (delete as appropriate) MUST be to blame, despite there being no evidence for that either.”
There are 2 separate investigations (or there should be). This one established that they cannot find the perpetrator of the email release. The second should now investigate the content and why this person felt the need to risk prosecution to get this information out.
@David A. Evans. You’re right not to buy it. There are so many technical inconsistencies in that statement, I wouldn’t know where to start.
Pointman
Does that mean they didn’t find evidence of the external break-in involving several proxy servers on multiple continents? Further on, it sounds like they did. You’re implying they “couldn’t think of anything else, so it must be AGW / an external hack.”
I’d like to submit that the 5 TB of data trotted out may in fact be the raw capacity of the disc shelf that held CRUback3’s data, not the actual content. Also: redundancy-protected, highly accessible server storage space is expensive (and was even more so when this took place), so the number of way-back copies of data would necessarily be low and anything but the two or so most recent increments would be stored off-disc (most likely on a tape library, less often optical storage).
“The nature and sophistication of the attack does not suggest that it was anyone at the UEA.”
A little unintentional police humor there. Also a bit of a reach. Did they check all the old employees of Hadcru? They’ve been in business for a long time. Are they certain that none of the past graduates of the computer sciences program executed the “attack.”
If a high government official’s server had been compromised, the perpetrator would be in jail now. There was no pressure from above to solve this case, even though some high ranking bureaus and experts were apparently consulted.
The fact remains that if the culprit had been caught, the ensuing trial and controversy would be a public relations disaster for the forces of AGW. All the powers that be had to do to make sure the case was not solved was leave it in the hands of the local constabulary.
Since the release of data is ongoing (meaning info has been released from time to time), isn’t this an ongoing tort? And as such, doesn’t it nullify the time limitations? GK
David Ross says:
July 20, 2012 at 12:30 am
If I read Darwin’s correspondence it doesn’t make me doubt the theory of evolution. If I read Newton’s letters I don’t start to doubt the laws of motion. Why should publishing scientists’ correspondence “undermine” belief in their science unless there is something wrong with it?
============
Very good point.
“They do have students with necessary skills and the students would have a better chance of knowing more about UEA’s computer network.”
I agree with that contention. Some IT students are technically way ahead in the world of IT professor/teacher/textbook or otherwise, and their skill combined with being on campus, being bored, having time and maybe coincidentally not being too agreeable with certain bs in the climate research makes them more likely to have pulled this off. I have seen first hand the skill of these youngsters. They have access to everything and left a phony trail. They were/are familiar with the backbone of the system, the server structures, etc. Maybe an IT aide, maybe working all night in the computer lab… lots of access… surrounded by others to help conceal their activity. The investigation is a farce. The perpetrator is probably some student whose family is a big donor or other potentate, thus this investigation is not going anywhere.
Men mumble, money talks.
@blackswhitewash.com
>So cru backup server had 5 terabytes of data on it. Wonder how much FOIA is sitting on….
According to the police, a great deal. The large remaining file may be compressed. If the raw data is tables and numbers it may be many times larger than the pwd-locked file that is already in many hands around the world.
Although fingers were pointing outwards, it could easily have been a UK-based intelligence group within government wanting to know for strategic reasons just how far they were being led down the garden path by the CRU outputs. They could easily cover their tracks. The strategic intelligence community is far more interested in the truth than the fluff and puff of the populist political agendas that feed CAGW.
Further, there is no reason for the oil companies and China to stop a gravy train that drives energy prices higher and pays offset money. Demonic Big Oil was always a red herring.
Hasn’t the encrypted data already been “released” by FOIA? We just don’t have the code to decipher it. So once the statute of limitations runs out on the “theft” of the data no further action, criminal or otherwise, is required by FOIA to make the rest of the e-mails public. All that has to happen is someone “stumble” across the key at the appropriate time. Kind of a double shield. Seems very well thought out and I’d guess significant involvement from an insider. Furthermore I’d speculate that it was probably someone involved in the process of denying the legitimate FOIA requests. Thus their next level of protection. Very hard to come down on an employee (intern, grad student or tenured professor) if you have already conspired with them to pervert or break the law.
Can you the defense attorney – “Why did you feel it was necessary to copy the data?” FOIA: “When Mr. X told me to hide/destroy the data I [knew] it was illegal and I didn’t want to go to jail for that but I didn’t want to lose my job either so I made a copy to protect myself…” Atty: “Why did you release it?” FOIA: “I didn’t mean to – I think someone may have stolen it from me…” That trial just ain’t happening.
On the other hand If it was a just a hacker in China, Russia or Nigeria they wouldn’t be so worried about prosecution as to go to all these lengths.
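The release-now, key-later pattern the comment above describes, as an added example that is not part of the original post, of the page, or of any file FOIA actually published: it seals a constructed sample archive under AES-256-GCM using only the Go standard library, publishes the ciphertext together with a SHA-256 commitment over it, and withholds the key. Anyone holding the published bytes can later check that a surfaced key really opens that exact release, while a wrong key or an altered copy is rejected rather than producing plausible garbage. The type and function names (Release, Seal, Open, RoundTrip) and the sample text are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Release is the part published up front; the key is held back.
type Release struct {
	Nonce      []byte // 96-bit GCM nonce, published with the ciphertext
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
	Commitment string // hex SHA-256 over Nonce || Ciphertext
}

// commit hashes exactly the published bytes, so a later key drop is checked
// against the original release and not against a re-uploaded copy.
func commit(nonce, ciphertext []byte) string {
	h := sha256.New()
	h.Write(nonce)
	h.Write(ciphertext)
	return hex.EncodeToString(h.Sum(nil))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts archive under a fresh random 256-bit key and returns the
// publishable Release plus, separately, the key to withhold.
func Seal(archive []byte) (Release, []byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Release{}, nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Release{}, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Release{}, nil, err
	}
	ct := gcm.Seal(nil, nonce, archive, nil)
	return Release{Nonce: nonce, Ciphertext: ct, Commitment: commit(nonce, ct)}, key, nil
}

// Open is what a holder of the published Release does once a key surfaces:
// confirm the bytes still match the commitment, then decrypt. GCM
// authenticates, so a wrong key fails cleanly instead of yielding garbage.
func Open(r Release, key []byte) ([]byte, error) {
	if commit(r.Nonce, r.Ciphertext) != r.Commitment {
		return nil, errors.New("release does not match its published commitment")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, r.Nonce, r.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("key rejected: %w", err)
	}
	return pt, nil
}

// RoundTrip seals archive and tries to open it with the real key, with a
// wrong (all-zero) key, and with the real key against a copy whose first
// ciphertext byte was flipped. Only the first attempt should succeed.
func RoundTrip(archive []byte) (okRight, okWrong, okTampered bool, err error) {
	rel, key, err := Seal(archive)
	if err != nil {
		return false, false, false, err
	}
	pt, e := Open(rel, key)
	okRight = e == nil && bytes.Equal(pt, archive)
	_, e = Open(rel, make([]byte, 32))
	okWrong = e == nil
	tampered := rel
	tampered.Ciphertext = append([]byte(nil), rel.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, e = Open(tampered, key)
	okTampered = e == nil
	return okRight, okWrong, okTampered, nil
}

func main() {
	// Constructed stand-in for the withheld archive; not real content.
	archive := []byte("constructed sample archive: stands in for the undisclosed e-mails")
	okRight, okWrong, okTampered, err := RoundTrip(archive)
	if err != nil {
		panic(err)
	}
	fmt.Printf("right key: %v, wrong key: %v, tampered copy: %v\n", okRight, okWrong, okTampered)
}
```

One caveat a practitioner would add: the example uses a random 256-bit key, which cannot be guessed offline. The comment and the police refer to a password-locked archive; a human-chosen password protecting a widely mirrored file is exposed to unlimited offline guessing, so the “double shield” only holds for as long as the password resists cracking.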
Regarding the Norfolk Police comments about their interviews of outsiders, I was among those whom they interviewed. My offense was to ask, in my capacity as editor of “The Citizen Scientist,” if the released e-mails were indeed authentic. (We did not want to publish any excerpts if they were not verifiable.) Subsequently I devoted several pages to Climategate in “Hawaii’s Mauna Loa Observatory: Fifty Years of Monitoring the Atmosphere” (University of Hawaii Press, 2012). My editors were very interested in including this material and even left post-deadline space. The Climategate section included several post-deadline lines about the police interview: “Multiple investigations were announced, and one of the first was aimed at determining who leaked the e-mails. This criminal inquiry was led by the Norfolk Constabulary with assistance from various UK agencies, including the National Domestic Extremism Unit. The author was surprised to learn that his name had been added to the list of those the police wished to interrogate. In a February 2010 e-mail that requested an interview, Norfolk police officer David Irwin explained that he wanted to discuss my request for information from the University of East Anglia regarding the improperly released e-mails. During a subsequent 20-minute interview, Officer Irwin seemed satisfied by the explanation that the information, which the university never provided, would be helpful for various writings about the affair (including this book). The police had not announced the results of their investigation when the book was being finalized in spring 2011.” (Page 394.)
Assimilating FOI and the Climategate attacks is unadulterated propaganda.
It is interesting to compare the media’s prevailing attitude to Climategate vs. that towards Wikileaks. I used to think Wikileaks was a noble endeavour and I gave credence to theories that the rape charges against Julian Assange were nothing but a smear, until I saw the BBC’s Panorama documentary on him (they sometimes get it right).
David Leigh is executive editor of the Guardian (a hard left organ and one of only three media outlets chosen by Assange to receive Wikileaks files). According to Leigh, when the Guardian staff expressed concern about releasing files on Afghanistan without redacting the names of informants who had helped the U.S. (i.e. informed on the Taliban or Al-Qaeda), Assange (an informant himself) said:
“If they get killed, they deserve it, because they’re informants and therefore they deserve to die”
You can watch the video here
Relevant part at 12:47
Julian Assange is a contemptible [snip] who deserves to rot in prison.
If it was someone within the UEA – CRU, it would make sense for them to access and copy the data remotely during off-hours for two reasons: 1) You can’t copy 5 TB of data to a flash drive and slip it in your pocket. 2) You can’t spend hours upon hours during the work day going through the data without the risk of someone noticing what you are doing. The fact there was an external hack doesn’t necessarily point to some outside party doing this.
Pointman’s article (link upthread) is bang on. I’d recommend that those asking questions read that first. This is a tremendously complex discussion, and one has to have at least a broad understanding of that complexity for the answers to even simple questions to be relevant.
I’d add these comments to Pointman’s excellent article. When asked why he robbed banks, Jesse James supposedly replied “because that’s where the money is”. A hacker attacking technical infrastructures at random is akin to a thief breaking into every building in town with no idea of what it is he wants to steal. Sort of “let’s break into all of them and see if any of them have anything interesting in them.” Jesse James had a specific thing he wanted (money) and built a profile of a specific building he could attack in any given town that was virtually guaranteed to have what he was after (bank).
In this case, the notion that an outside hacker randomly chose CRU as a target and stumbled upon a treasure load of climate emails is silly. Read Pointman’s article. This would be the equivalent of a common thief checking the back door of every building he came across to see if it was unlocked, and winding up inside Fort Knox. Possible. Highly unlikely.
For this kind of a break-in to occur, there must first be motivation. Since the data in question had no direct financial value, we can rule out a modern Jesse James. Someone had to know that the embarrassing emails existed to spend the time and effort to obtain them. It matters not if they obtained them by brazenly walking up to the server and copying all the data in broad daylight, or if they did so by a sophisticated security attack initiated from outside the organization.
We still have to logically surmise that there was someone who knew the information existed which implies an insider.
“Of course, the climate sceptic community would, in the main, give the appearance of welcoming the published data because it supports their view. Therefore, we were realistic about the prospect of them being helpful to our investigation.”
This statement clearly implies that the ‘climate skeptic community” are unethical. This statement is completely false and unsupported. The “climate skeptic community” may be no angels but they are, on the whole, far more ethical than CAGW hoaxers.
Well it seemed like at the bottom of all that gobbledegook is the conclusion that they have no idea who did it. An obvious corollary is that they have no idea whether it was inside or outside. It would appear that not every person inside CRU has access to ALL of the password levels. Ergo, evidence of password cracking attempts is also not evidence of an outside hack. Clearly ANYONE who is knowledgeable of ANY of the passwords is in a much better position to pursue other passwords. For example, I would not have the foggiest idea what even the general nature of any of their passwords might be. I barely can keep track of the passwords I use just for my e-mail, and even my simplest password has far more characters than the total number of passwords I have in use.
I am pleasantly surprised by the degree to which the police appear to have pursued this. I certainly wouldn’t call them laggards.