Operation Cabin Q&As (from the Norfolk Police PDF)
The following questions and answers are an abridged version of Norfolk Constabulary’s Operation Cabin media briefing held on Thursday 19 July 2012.
How do you know it was an external hack?
In outline terms, we know it came via the internet from a number of different IP addresses, in various countries, which may have been proxy servers.
The attack was, first of all, into the web server (CRUweb8) in the Climate Research Unit (CRU) at the UEA. From there, a link was established to a CRU back-up server (CRUback3).
It’s fair to say, the university has to draw the right balance between giving access to information – it’s an academic establishment and, as such, has a proportionate level of security which enables people to work remotely and access information to operate in that academic environment. As a consequence of the attack, the UEA has taken a number of measures and its ICT infrastructure now looks very different.
We identified that the attackers breached several password layers to get through and they got to a position where they employed different methodologies to return the data. We identified a significant quantity of data that was taken in this way, certainly in excess of that which was subsequently published in the two files in 2009 and 2011.
We’ve used the expression ‘sophisticated’ and that’s because that’s the view of our experts who conducted that side of the investigation for us. They identified that, as well as achieving the breach, they also took significant steps to conceal their tracks and lay false trails and change information available to us in order to frustrate the investigation. The conclusion was the person/s were highly competent in what they were doing.
That technical investigation was the primary line of investigation although we did cater for other possibilities, these were later ruled out.
Which specific countries were involved in the trail of proxy servers and which countries were either helpful or uncooperative in your investigations?
While we will not be confirming the names of the countries specifically, we can confirm there were a number across the majority of the continents.
We would underline that the use of a proxy server in any country is not necessarily evidence that the hack originated in that domain.
We worked with partners in these countries and the level of response and support we got varied from being excellent to being quite time consuming.
The logistics involved meant it was a complex picture with different legal jurisdictions and sovereignties. Sometimes it’s a procedural issue and sometimes it’s a political issue with a small or a big P.
Can you confirm that the US was helpful?
We will not confirm the identity of individual countries but we can say, in general terms, there is a healthy and productive relationship between law enforcement in the US and the UK.
Did you detect that any national government could be behind this?
No. The hypothesis was, and remains, that the person or persons responsible for this could be anyone on a spectrum from an individual right through to the other end of the spectrum, including commercial organisations and governments. It is obvious that some commercial organisations would have an interest in maintaining their commercial position; similarly there will be economies and governments which have an interest in protecting their position. To be clear, we did not get any indication as to who was responsible.
It is clear the person responsible has knowledge of this subject; did you interview all the bloggers that showed an interest?
We interviewed a number of people and the logistical issues involved meant that much of this work was carried out remotely because, physically travelling to countries, and the logistics involved in achieving that – for the anticipated outcome – would not have been proportionate.
Of course, the climate sceptic community would, in the main, give the appearance of welcoming the published data because it supports their view. Therefore, we were realistic about the prospect of them being helpful to our investigation.
Can you describe what investigations you undertook at the UEA and who you interviewed there?
The focus internally was on the IT infrastructure and working out from there. We also looked at people working at or with connections to the Climate Research Unit and, in simple terms, we were looking for anything obvious. All members of staff were interviewed. If someone had some obvious links or had an axe to grind, then that might have been a line of enquiry.
Generally speaking, it was a screening exercise which did not provide any positive lines of enquiry.
Whilst – because we have not found the perpetrators – we cannot say categorically that no-one at the UEA is involved, there is no evidence to suggest that there was. The nature and sophistication of the attack does not suggest that it was anyone at the UEA.
You say that the hacker had to go through a series of passwords; do you know that someone at the UEA would not have had access to these passwords?
Anyone with access to these passwords has been excluded as a suspect. Additionally, there was some evidence of work undertaken to break passwords.
It has been reported that the hacker accessed the server on three separate occasions, can you confirm if that’s true and if there were any further attempts to access the server after ‘climategate’ broke and have there been any recently?
The report is inaccurate. The attack was conducted over a period of time and access would have occurred on a number of occasions and certainly more than three. Of course, we only know what we know. I have already described it was a sophisticated attack; we have established a substantial amount of what happened. What I can’t say is whether we have established everything that happened.
There were no further data breaches once the story had broken in November 2009, not least because we had taken possession of Cruback3 and it wasn’t available to be accessed.
Do you know when the attacks began?
There’s a timeline of events and there has been speculation, in the media and the blogs, that there may have been an orchestrated campaign of Freedom of Information requests to the University in the summer of 2009. It appears the attacks were undertaken late in that summer, early autumn, through to November. The first tactic that we were aware of was in September 2009.
There was news that some other institutions, including in Canada, that may have come under a similar attack at that time. Are there any other institutions that you have found that were attacked at this time?
We did have some dialogue and there were one or two that had been attacked and we did have a preliminary examination but they did not give us any indication or cause to suspect that it was in any way linked to the UEA.
What happens to Cruback3 now?
It has been returned to the University of East Anglia, having been retained as an exhibit through the course of the investigation. It was necessary to retain the actual server for this time. It contained a massive amount of data, something in the region of five terabytes.
When the second batch of e-mails was released, there was the note that came with them. Did you or your colleagues contemplate doing structural linguistics or analysis to try and trace it to a particular location in the world?
It was speculated on and it was something we did consider. Our conclusion was that it would be unlikely to take the investigation anywhere and, in fact, if you are trying to conceal your tracks it could have been constructed to mislead.
You have been restricted by the statute of limitations, would you have continued with this investigation otherwise?
The decision to close the case was a combination of the time limit and an acknowledgement that we had pursued this as far as we reasonably can.
Did you consider prosecuting people dealing in the information that was clearly stolen?
In terms of offences committed, it becomes a much greyer area. The same challenges exist in terms of identifying those individuals. An operational decision was made not to pursue this.
<Ends>
@Reg Nelson
You also can’t siphon 5 TB of data off a system specifically set aside to only generate internal traffic (the vast majority to, not from it) through the external connection without raising flags. Someone spent considerable time on an open connection examining what was on that box and then took what was useful for their purpose. Or they knew to the point what was there and got in and out quickly.
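The point above is a detection one: a backup server normally receives data and sends almost none, so a large outbound transfer to an external address stands out against its own baseline. The following is an added example, not code from the original post or the investigation; the flow records and the addresses are constructed, and the backup host is a stand-in for a server like the one described in the briefing.

```python
"""Flag days on which a backup host sends far more data than it normally does.

Added illustration; the flow records below are constructed and the host
address is a placeholder, not anything from the Operation Cabin briefing.
"""
from collections import defaultdict
from statistics import median

# Constructed flow records: (day, source, destination, bytes transferred).
BACKUP = "10.0.5.20"  # placeholder for an internal backup server
FLOWS = [
    ("2009-09-01", "10.0.1.11", BACKUP, 40_000_000_000),   # nightly backup in
    ("2009-09-01", BACKUP, "10.0.1.11", 5_000_000),        # acknowledgements out
    ("2009-09-02", "10.0.1.12", BACKUP, 38_000_000_000),
    ("2009-09-02", BACKUP, "10.0.1.12", 4_000_000),
    ("2009-09-03", "10.0.1.11", BACKUP, 41_000_000_000),
    ("2009-09-03", BACKUP, "10.0.1.11", 6_000_000),
    ("2009-09-04", "10.0.1.11", BACKUP, 39_000_000_000),
    # Constructed anomaly: bulk egress to a documentation-range external address.
    ("2009-09-04", BACKUP, "203.0.113.7", 900_000_000_000),
]


def daily_volumes(flows, host):
    """Return {day: (bytes_in, bytes_out)} for one host."""
    vol = defaultdict(lambda: [0, 0])
    for day, src, dst, nbytes in flows:
        if dst == host:
            vol[day][0] += nbytes
        elif src == host:
            vol[day][1] += nbytes
    return {day: tuple(v) for day, v in vol.items()}


def is_external(ip):
    """Crude private-range check; only RFC 1918 10/8 and 192.168/16 are treated as internal."""
    return not (ip.startswith("10.") or ip.startswith("192.168."))


def flag_egress(flows, host, factor=10):
    """Return (day, bytes_out, external_peers) for each day whose outbound
    volume exceeds `factor` times the median outbound volume of the other days.

    Using the median of the other days keeps a single huge day from
    inflating its own baseline.
    """
    vol = daily_volumes(flows, host)
    alerts = []
    for day, (_, bytes_out) in sorted(vol.items()):
        others = [out for d, (_, out) in vol.items() if d != day]
        baseline = median(others) if others else 0
        if baseline and bytes_out > factor * baseline:
            peers = sorted({dst for d, src, dst, _ in flows
                            if d == day and src == host and is_external(dst)})
            alerts.append((day, bytes_out, peers))
    return alerts


if __name__ == "__main__":
    for day, out, peers in flag_egress(FLOWS, BACKUP):
        print(f"{day}: {out / 1e9:.0f} GB out from {BACKUP}, external peers: {peers}")
```

Real flow data would need the ratio tuned per host and a longer baseline window, but the shape of the check is the same: compare a host's egress against its own history, not against the network as a whole.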
“Jeremy says:
July 20, 2012 at 10:33 am
“Of course, the climate sceptic community would, in the main, give the appearance of welcoming the published data because it supports their view. Therefore, we were realistic about the prospect of them being helpful to our investigation.”
This statement clearly implies that the ‘climate skeptic community” are unethical. This statement is completely false and unsupported. The “climate skeptic community” may be no angels but they are, on the whole, far more ethical than CAGW hoaxers.
”
I think they probably interviewed more than one person who told them the e-mails couldn’t have been stolen because they were already public property. And furthermore they should be investigating CRU because no hacking would have occurred if CRU hadn’t broken the law in the first place. Being “Realistic” means recognizing that a person who feels you are investigating the wrong crime is not likely to be helpful.
George E. Smith; says:
July 20, 2012 at 10:57 am
Well it seemed like at the bottom of all that gobbledegook is the conclusion that they have no idea who did it. An obvious corollary is that they have no idea whether it was inside or outside.
>>>>>>>>>>>>>>>>
I’d agree with that. Logic says that there were one or more insiders involved, it would be highly improbable that this could have happened otherwise. On the other hand, the investigation seems to have been thorough, they know quite a lot about the “how” though not the “who” but their conclusion that the evidence does not point to anyone inside is, technically, 100% accurate.
Things just don’t really add up here. The answers to these questions imply that the police asked the folks at CRU “who would want to do this” and then simply followed that line of reasoning without investigating much further.
But as to the multiple proxy assertion, I can only assume they have actual evidence of that, as well as actual evidence that the backup server wasn’t physically accessed, presumably meaning, nobody with a key to the server room logged onto the console and started browsing through huge quantities of data.
So unless there was an insider, how did some hacker go through all that data and compile it for easy access? Did they create a bot or other virus to do the work? Use Google search?
We STILL don’t know if CRU had prepared a collection of e-mails to respond to a foia request. Curious the police didn’t mention if this had been done. Someone should ask them and/or CRU.
davidmhoffer says:
July 20, 2012 at 10:14 am
Jesse James robbed trains. The quote is commonly attributed to John Dillinger, who robbed plenty of banks.
It is more important that they do not create a talking, walking hero than to reveal which insider cooperated and punish them. Who would want it revealed that the grants were misspent, data faked, FOIA laws flouted and security haphazard?
Is this how the UEA ‘does climate’?
http://arstechnica.com/science/2012/07/epic-fraud-how-to-succeed-in-science-without-doing-any/
And when your favourite pet theory unravels, what would happen in real life (not Climate life)?
http://arstechnica.com/science/2011/11/how-the-collapse-of-a-scientific-hypothesis-led-to-a-lawsuit-and-arrest/2/
Better to keep the kid gloves handy. Move along…nothing to see here…
Kaboom says:
July 20, 2012 at 4:45 am
Let’s play devil’s advocate for a minute…
The real sticky point, imho, is the interest in the particular data obtained, the idea that it might (still) be there and accessible and the care with which it has been released so far. Those things give credence to the idea that someone on the inside at least pointed out the target and may have paved the way to extracting it…
_____________________________
If the cops are correct the extracting may have been made by an outside expert who was connected to a student close to CRU.
Given Phil Jones’ irritation about the FOI requests, I would not be surprised if he was shooting his mouth off about methods of ducking the FOI (think out loud) in the hearing of grad students and other staff.
Grad students party, they have best buddies/significant others from other majors and above all else they are often idealistic. This ducking of FOI coupled with the grad student’s knowledge of the shoddy methods used (Harry Readme) could have easily been the topic of conversation and passed on to others including a computer type who got curious. The computer type did a bit of hacking to see if there was anything in the gossip. That person hit pay dirt and with Copenhagen coming up dug up as much dirt as possible.
If I recall the first release was to newspapers (Guardian?) and when that failed the information was released to the Bloggers. This again seems to indicate a younger person who still thought journalists and newspapers are honest and not propaganda outlets.
There are some very brilliant kids out there. I know of a twenty year old with just a high school education who routinely hacked into a military computer as a hobby. (He also informed his commanding officer of the breaches so they could fix the weaknesses.)
Gail Combs says:
“Given Phil Jones’ irritation about the FOI requests, I would not be surprised if he was shooting his mouth off about methods of ducking the FOI (think out loud) in the hearing of grad students and other staff.”
It could have been more than one person involved. Perhaps one of them was a low level system admin that got tired of Jones berating him because his (Jones’) Excel program wasn’t working right — it kept showing cooling instead of warming.
My money’s on the FSB acting in conjunction with one or more insiders. Anybody at UEA bought a surprisingly expensive car lately? The Russians are not happy with the way their data was used by the CRU.
http://www.independent.co.uk/news/world/europe/was-russian-secret-service-behind-leak-of-climatechange-emails-1835502.html
“The leaked emails, which claimed to provide evidence that the unit’s head, Professor Phil Jones, colluded with colleagues to manipulate data and hide “unhelpful” research from critics of climate change science, were originally posted on a server in the Siberian city of Tomsk, at a firm called Tomcity, an internet security business.”
As Andrei Illarionov said in 2009-
“IEA analysts point out that Russian meteorological stations cover most of the country’s territory, while the HadCRUT used data from only 25% of such stations in their calculations. Over 40% of Russian territory was not included in their global temperature calculations even though there was no lack of meteorological stations and observations. The data of stations located in areas not listed in the HadCRUT survey often shows slight cooling or no substantial warming in the second part of the 20th century and the early 21st century.” (cherry picking)
http://www.cato-at-liberty.org/new-study-hadley-center-and-cru-apparently-cherry-picked-russias-climate-data/
http://foia2011.org/index.php?id=623
“A political hurricane blew through an international scientific meeting on climate change held in Moscow last week, sparking a major row between top advisers to the British and Russian governments. U.K. scientists complained that the meeting had been “hijacked” by opponents of the Kyoto Protocol, while Russian officials accused the British delegation, led by Chief Scientific Adviser David King, of trying to suppress dissenting views.
War cry. Russia’s Andrey Illarionov says Kyoto would trigger “undeclared war.”
Just a guess.
It was actually Willie Sutton. Over a career of 40 years, being chased all over the US by the FBI, they think he stole about 2 million dollars. A rather innocent agent, after his arrest, asked him why he only ever robbed banks. He looked at him and replied “That’s where the money is.” Doh! Folklore now.
Pointman.
He’s sorta one of my guilty heroes. Never hurt anyone but a great thief …
Pointman
CONCLUSION: Based on the Norfolk Constabulary’s Operation Cabin media briefing held on Thursday 19 July 2012, to me it is reasonable to conclude that neither the possibility of UEA/CRU insider involvement nor the possibility of multiple perpetrators are excluded from either the CG1 or the CG2 unauthorized releases of the UEA/CRU information.
Nothing specific wrt concrete detailed facts has been released by the Norfolk Constabulary’s briefing in support of their briefing statements. Until such info is released to the public there is room for a lot of reasonable doubt about their investigation.
John
“”Of course, the climate sceptic community would, in the main, give the appearance of welcoming the published data because it supports their view…..””
It’s quite strange that the police would consider that the data should support the sceptic view!! Surely, the data should only support the CAGW view? Do they know something we don’t?
@Alan and Others
“Jesse James robbed trains. The quote is commonly attributed to John Dillinger, who robbed plenty of banks.
Actually it was said by one of the Newton brothers who dynamited so many banks in the 1920’s using nitroglycerine. Their story was featured in a movie The Newton Boys.
http://en.wikipedia.org/wiki/Newton_Gang
“According to Willis Newton, the brothers “took in more money than the Dalton Gang, Butch Cassidy’s Wild Bunch and the James-Younger Gang “
OK, OK, OK!
I got the source of the quote wrong…. prompting a correction and a correction of the correction and another correction….I think that’s what happened, correct me if I am incorrect.
Additionally, there was some evidence of work undertaken to break passwords.
What was that evidence? Did they use exploits? If yes, which ones? Or did they brute-force? Usually, after a hack this kind of information is released to inform other admins what went wrong (so everybody can take measures to protect their infrastructure). For example, you get all kinds of information about what exploits were used by Stuxnet/Flame/etc. (if you want to look the video up, people from Microsoft talk extensively about their findings on Stuxnet at the 27C3 conference, it’s really comprehensive), but we are not meant to know what this mindermast did?
So when does, or why hasn’t Mr. FOIA retrieved the U.V. Mann emails? They’ve been written, created and protected using our taxes.
Tony Mach says:
July 20, 2012 at 11:32 pm
Additionally, there was some evidence of work undertaken to break passwords.
What was that evidence? Did they use exploits? If yes, which ones? Or did they brute-force? Usually, after a hack this kind of information is released to inform other admins what went wrong
>>>>>>>>>>>>>>>>>
Yes, true, but as a matter of security policy, one would want to keep those details confidential. Making them public would tell anyone and everyone with an interest in hacking the organization again what security tools are now in place for perimeter defense. No sense handing the hacker community a map of your defense systems.
Lightrain says:
July 20, 2012 at 11:49 pm
So when does, or why hasn’t Mr. FOIA retrieved the U.V. Mann emails?
>>>>>>>>>>>>>>>
Interesting point. One would think that if this was exclusively a sophisticated hack, the geniuses behind it would have been able to go after at least one other target out of the dozens available. Inside all those emails is the information required to know exactly who was corresponding with who, at what institutions and organizations around the world. Not a single second breach?
Circumstantial evidence of course, but IMHO, further evidence to support the notion that one or more insiders were involved.
@davidmhoffer
Don’t worry about the quote! You inspired us to think and share in a friendly and exploring environment. That is all part of creating a Good Day.
Thanks
++++
“So when does, or why hasn’t Mr. FOIA retrieved the U.V. Mann emails?”
Perhaps because they are already contained in the gated file already sealed and released. No need. If FOIA is caught secretly, he may be pressured into trading silence and no-release of the pwd for immunity but if I were the IPCC I wouldn’t bank on it. Better to start doing real science than take a chance that the whole sorry saga will be opened to scrutiny. CG3 will probably be a release of the ‘first level’ of the large file, maybe containing a sequentially locked series of chapters. It does not all have to be released at once.
Does anyone doubt that there is much more to tell about the organisers and funders of this massive fraud? Clearly the climate noise is in service of a larger agenda – perhaps even a beneficial one (who knows?) Can’t pre-judge.
@Crispin.
Agreed, CG2 is probably a cluster bomb with several passwords, which can release CG3, CG4 etc.
http://thepointman.wordpress.com/2011/11/24/some-thoughts-and-some-questions-about-the-climategate-2-0-release/
I don’t think CG2 contains anything from UV, because I still think FOIA is a leaker, rather than a hacker. I’ll stick my reasons for saying so on the next blog.
Pointman
Crispin in Waterloo says:
July 20, 2012 at 7:04 pm
Completely and uselessly OT, but I think we all got it wrong. DavidMHoffer mis-remembered it being said by Jesse James. I knew that was wrong because as I said James robbed trains not banks. I mis-remembered it being attributed to John Dillinger, who certainly did rob banks.
If the question is “to whom is this quote commonly attributed?”, the answer is certainly Willie Sutton, who also robbed plenty of banks but apparently without the same predilection for violence as Dillinger. The attribution is repeated by the FBI, see their write-up here.
However if the question is “who actually said it”, the correct answer at this point is I don’t think anyone knows. According to Snopes, Sutton denied ever saying that. Since the Newton gang was operating earlier than Sutton, it’s possible one of them did say something like that which was later mis-attributed to Sutton. But it’s equally likely the quote was made up by a reporter, as suggested by Sutton himself in his autobiography published in 1976 following his 1969 release from Attica. Snopes notes the first print appearance of this quote is March 1952, at which point Willie was awaiting trial after his final capture in February of that year and probably very much in the news. The speculation that some writer/reporter with a flair for color just made it up seems quite reasonable in the circumstances.
Crispin’s reference to the Newton brothers may come from a report of the movie dialog here.
Look how hard it is to just establish who actually said some well-known phrase — and people think Climate Science is settled?
Now who said “It’s not what you don’t know that gets you; it’s what you know that just isn’t true”?
Will Rogers?
There is probably a name for this disease (obsessive chasing of irrelevant quote attributions), but the vast majority of references I find on this one are to Mark Twain:
Will Rogers would quite likely have said something very similar if Twain hadn’t said it first.