Andrew Montford has posted briefing materials handed out to the press when Norfolk Police released the decision to close the investigation yesterday. Like everything else with this investigation, the people most in the know (the bloggers) were left out of the loop while the spinners (Richard Black of BBC for example) get this info straight away.
Operation Cabin
Background Information
Introduction
Operation Cabin is the name of Norfolk Constabulary’s investigation into the unauthorised data breach at the Climate Research Unit (CRU) at the University of East Anglia (UEA) in Norwich and the subsequent publication of some of this data on the internet.
The publication of the data in close proximity to the COP 15 and COP17 climate change conferences in Copenhagen and Durban appears to have been done in order to influence global debate around anthropogenic climate change.
The investigation has been undertaken by Norfolk Constabulary, with some support from SO15 (Metropolitan Police Counter Terrorism Command), the National Domestic Extremism Team (NDET) and the Police Central e-Crime Unit (PCeU). Technical support was provided by online security and investigation experts, QinetiQ.
The investigation
The security breach was reported to Norfolk Constabulary by the UEA on 20 November 2009, following publication of CRU data on the internet from 17 November onwards.
An investigation was launched by the joint Norfolk and Suffolk Major Investigation Team (MIT), led by Senior Investigating Officer (SIO) Detective Superintendent Julian Gregory, supported by Detective Inspector Andy Guy as Deputy SIO. Strategic oversight was provided by Gold Group, initially chaired by then ACC Simon Bailey and latterly by ACC Charlie Hall.
Strategy and Parameters
The primary offence under investigation was the unauthorised access to computer material under s.1 Computer Misuse Act 1990.
The aim was to conduct an efficient, effective and proportionate investigation into the circumstances surrounding the unauthorised access with a view to:
- Establishing what data was accessed and/or taken and published
- Establishing who was responsible
- Securing sufficient evidence to mount a successful prosecution if appropriate
Lines of enquiry
At the outset it was not known if there had been a physical breach of security at the UEA or whether the data had been taken as a result of an external attack via the Internet. It was also not known if the offender(s) had connections with or was assisted by members of staff from the UEA and, as a consequence, a number of lines of enquiry were pursued to cater for these eventualities.
Summary of findings
- That the data was taken between September 2009 and November 2009 during a series of remote attacks via the Internet, which accessed an internal back-up server.
- That a large amount of data was taken and subsequently published on the Internet in two separate files in 2009 and 2011. The first was entitled FOIA 2009 and contained 3480 documents, 1000 e-mails and 1073 text files. The second was entitled FOIA 2011 and contained 23 documents, 5292 e-mails and 220,000 files. Much of the data published in FOIA 2011 was protected by an unknown password.
- That the data was not obtained via physical access of the CRU back-up server.
- That there is no evidence to suggest that anyone working at or associated with the University of East Anglia was involved in the crime.
- The offender(s) had used methods common in unlawful internet activity to obstruct enquiries, by planting a false trail and utilising a series of proxy servers located around the world.
- That the attack was highly sophisticated and was undertaken by a person or persons who were highly competent and who knew how to conceal their activity.
Limitation on proceedings
The Computer Misuse Act 1990 provides a limitation on commencing criminal proceedings in that criminal proceedings must be brought within six months from the date on which evidence sufficient to bring a prosecution comes to light, and that no such proceedings will be brought more than three years following the commission of the original offence.
In relation to Operation Cabin, this means that proceedings would need to be commenced in the autumn of this year. This means that the police investigation would need to have been concluded by late summer in order to prepare a case for prosecution within this time constraint. It has been determined that this is an unrealistic prospect.
Resource and costs
The Constabulary carried out a proportionate investigation led by officers from the joint Norfolk and Suffolk Major Investigation Team, with some additional support internally and some assistance also provided by national and external agencies and services.
Officers assigned to this case worked on a number of other investigations simultaneously and, while specific activities relating to this and other investigations may be recorded in their pocket note books, the exact time spent on each activity is not recorded. It is therefore not possible to isolate accurately the overall hours worked by officers and staff on this investigation nor the total salary cost for this.
Over and above this, the cost for over-time and expenses in relation to this enquiry alone has been recorded against a specific cost-code. For the period December 2009 to March 2012 inclusive, this figure stands at £84,871.77.
Further information
Further information in relation to this enquiry has been published by the Constabulary under the Freedom of Information Act.
This material can be found at:
http://www.norfolk.police.uk/aboutus/yourrighttoinformation/freedomofinformation/disclosurelog.aspx
============================================================
One of the things I find most interesting in that disclosure log page is that for all the caterwauling that went on about “death threats” sent to Phil Jones, and the news repeated worldwide by the spinners that he was “depressed and suicidal”, the Norfolk police provided this statement which tells the real story. Bold is mine:
| 69/12/13 (PDF) | Threats to life or threats of bodily harm reported to Norfolk Constabulary by members of the Climatic Research Unit at the University of East Anglia. | No information held |
The PDF reads:
June 2012
Dear whatdotheyknow.com
Freedom of Information Request Reference No: FOI 69/12/13
I write in connection with your request for information received by the Norfolk Constabulary on the 14th May 2012 in which you sought access to the following information:
Please provide a breakdown per month, the number of:
A threats to life
B threats of bodily harm
which were reported to Norfolk Constabulary by members of the University of East Anglia Climatic Research Unit in the period 1st November 2009 to 30th April 2012, inclusive.
Response to your Request
Norfolk Constabulary were made aware of emails that had been received by a member of the staff at the University of East Anglia Climatic Research Unit. No specific complaint or report was made to the Constabulary and no crimes were recorded detailing threats to life or threats of bodily harm.
This response will be published on the Norfolk Constabulary’s web-site www.norfolk.police.uk under the Freedom of Information pages at Publication Scheme – Disclosure Logs.
================================================================
Bottom line- Phil Jones and UEA weren’t concerned enough with these “death threats” to bother filing a police report or complaint, but they sure talked it up in the press, just like the whiners at ANU and those supposed “death threats” that never materialized.
But when the police say:
No specific complaint or report was made to the Constabulary and no crimes were recorded detailing threats to life or threats of bodily harm.
It rather deflates the whole episode.
I’m sure David Appell will get right on this to prove otherwise.

Anthony Watts says:
July 19, 2012 at 7:35 am
@MrV I expect that if “FOIA” is going to release the remainder, he/she will do so right around November 19th, 2012, and perhaps even reveal him/herself since the statute of limitations will have expired. – Anthony
FOIA 2011’s clock is only a year old. Whatever clocks are running and whatever other charges are possible, it’s too soon to be safe from prosecution.
Besides, it’s much better for those with something to hide to not know who to hide it from.
@Alan Watt
Ouch!
@Kaboom
“It also means such an attack would have had to trace the backup regime of the email system to the backup servers, which means that multiple servers had to be intruded into at administrator level to obtain the information.”
There are several scenarios that could reduce the number of servers accessed. Someone on the inside sets up a copy of all the FOIA information and records where it is. An administrative account is used to gain access with the usual track-covering as the location of the server is entered and the file accessed. The file is transmitted on a slow leak basis a-la-ZoneAlarm when the Israelis first bought it or equivalent. There is a programme from McAfee that monitors exactly that sort of track-covering but it is hard for the hacker to see it. Even if it was deployed, it only results in proving the hack and giving the (false) IP address of some compromised PC in Poland or China.
Another is that a user password is hijacked and the hashes of the pwd’s are accessed and transmitted. The pwd’s are put into the hashing algorithm to crack the admins one level at a time, then ditto the slow leak. Getting that high means they could even create a new user, walk in and out for weeks, then cancel the account and use a backup of the user lists to overwrite the new one, restoring the pre-hack condition. Ditto the file that tracks that update. When you see someone walking through the front door of a system with many users you can bet there wasn’t much of a hack involved but the track-covering needs a little more knowledge of what files to edit, delete or overwrite. It does not sound very sophisticated, frankly.
From the contents of CG1 it is pretty obvious that someone had long-term access to read and appreciate the HARRY files and to check out the related materials. An insider only needs to go in from outside to look like an outsider. Getting in is easy. There are too many ways to list here.
That no one was prosecuted (yet) does not surprise me. Personally I think there was inside assistance (or a played fool).
Aren’t the remaining Climategate files already released but encrypted? Past practice suggests looking for a brief comment containing the key to appear somewhere on a blog post “miraculously.”
Steven Mosher says:
July 19, 2012 at 9:11 am
somebody real smart on the inside.
who is smart enough to use proxy servers so it looks like it comes from the outside.
=====================================================
And that list would be very short??
I’m with Mosher too – it is 99.9% certain to be a genuine internal whistleblower (and we all immediately think of Harry, LOL). FWIW, here’s my ‘profile’ of the person.
1) He/she will be unlikely to be directly involved in climate science (i.e. at the sharp end) because they copied whole swathes of data instead of specific incriminating ones.
2) from 1) to be able to do that probably requires lots of access time – I would have thought obviously someone in the IT department would be favourite! Having said that – it may have been grabbed as some massive file dump to DVD or something in one session and reviewed later? but I would have thought the archiving was in some sort of sectional manner requiring knowledge of the filing/archiving system.
3) Could be a junior level person? Probably not ‘well read’ but scientifically adept to recognise some flaws in the ‘science’? – because, again, they probably didn’t understand all the stuff they obtained, just bits of it and maybe had seen blogs or whatever and realised that something wasn’t right? Collecting/collating vast amounts of data would be a ‘safe’ way of getting something ‘important’ rather than random trawling?
4) Not sure of this – but if the archived data was/is ‘searchable’ – you would think that an IT person would know this, and gather ‘related’ data together using such a search? This makes me think it could possibly be a student, with relatively ‘open’ access?
5) I am fairly certain it will be a sole operator, at most two? – because more mouths may make more mistakes? Conversely (but very unlikely IMO) would be several operators, all accessing the data in smaller ‘chunks’?
Whoever or whatever – I think the person(s) is a hero and deserves the plaudits when they can become due!
Backup server: large files, typically a major fraction of the volume being backed up, compressed as much as possible. Still, pretty big. Take a while to transfer over an internet connection.
While it’s transferring (and AFTER your break-in has possibly attracted unwanted attention from a hypothetical Intrusion Detection system), you’re sitting there, behind 2 or 3 proxies, hoping that nobody is trying to trace your very active connection. Or pulling the network plug on your target server, which would be my first reaction as an admin in that scenario.
An hour or so later, when the transfer is complete, you kill the connection, then get to work restoring your new backup image to a local filesystem.
Not. Likely.
Kelvin Vaughan says (July 19, 2012 at 7:50 am): “I would think someone considering suicide is mentally ill. If I were his employer I would put him on sick leave and make sure he gets psychiatric help!”
They probably figured Jones’s death threat against himself was no more credible than the other “death threats”.
“..by planting a false trail and utilising a series of proxy servers located around the world.”
False trails and proxies from around the world. Where have I seen this crime before?
the exact time spent on each activity is not recorded
That is because the Constabulary did not spend any time on an investigation, and all the cost went to public relations.
They knew when the files were copied, how the files were copied, and who did the copying on November 17. What we are seeing now is a Jedi mind trick an individual in a position of remarkable authority is using on the Constabulary. “These are not the droids you’re looking for.”
Activity around the exit doors is picking up and will soon become a stampede.
Steven Mosher says: July 19, 2012 at 9:11 am
Indeed. There’s an interesting “response” to a question at their press conference, today, which suggests that their “results” – if not the impression of “certainty” conveyed by their initial press release, yesterday – may well have been affected by a “screening fallacy”:
It just gets more miraculous – like turning water into wine at a wedding
So they still offer no evidence to substantiate their claims that there was a hack.
Saying your life has been threatened is a weak-kneed response when there is just no redemption possible after you have disgraced yourself. Resort to poor little me to garner sympathy. Too late for that. Saying there has been no warming for 15 years is a start though. Trenberth’s years long hunt for the missing heat that was a travesty is less admirable, especially since the quest is being paid for by the taxpayer.
By threats to his life, what Jones probably meant at the time was that since his shenanigans were made public he now knew that he was publicly disgraced as a junk science activist, that his academic life was over, and that he would spend the rest of his days greeting people at Walmart. In other words his statement was nothing but symbolic hyperbole and tantamount to an admission of guilt.
Sean says:
“So they still offer no evidence to substantiate their claims that there was a hack.”
None at all. It is completely baseless speculation, just like it always was.
Steven Mosher says:
July 19, 2012 at 9:11 am
I agree. I can’t imagine that anyone on the outside would:
1) Take what appears now to be a huge amount of Email.
2) Pull out an interesting subset (given the odd choices, I might be wrong, he may have picked several interesting pieces and randomly picked many from what was left).
3) Post in a fashion that shows no mercenary interest. While self-satisfaction for all the attention it got may be adequate, it’s very odd that he didn’t release all of it. Then again, it could be that he didn’t want to call too much attention with a really large upload.
> no crimes were recorded detailing threats to life or threats of bodily harm.
So, the only death threats were from Phil Jones?
Yeah, it’s not very nice, but neither was what Jones said about John Daly’s death.
“a series of remote attacks via the Internet, which accessed an internal back-up server.”
Really ? Wow ! The UEA must have the most insecure network ever. An internal back-up server should never, ever be accessible via the internet. It should sit behind at least two firewalls making it impossible to access (unless their firewall rules are very, very poor). And all those e-mails on the back-up server ? No way. It’s standard practice within the IT industry to back data up to disk before moving it to tape within 24 hours.
Plod’s explanation doesn’t sound at all plausible to me.
“That the attack was highly sophisticated and was undertaken by a person or persons who were highly competent and who knew how to conceal their activity.”
I always figured it was Russian hackers. Reading through the emails the Russian researchers got hosed and I felt they might carry a grudge and have encouraged someone(s) to expose the emails.
“That there is no evidence to suggest that anyone working at or associated with the University of East Anglia was involved in the crime.”
“That the attack was highly sophisticated and was undertaken by a person or persons who were highly competent and who knew how to conceal their activity.”
The second doesn’t exclude the first. Nevertheless it still might have been someone at UEA using the proxies from inside the building and could not be detected anyway.
So both assertions are contradictory.
My very first thought in the first seconds was about “Harry” from the CRU files.
He was a) shaken from the mess of the data files, b) indignant about data fudging, c) access to the files and d) as a programmer, someone who has the technical understanding and capabilities to use proxies.
If the cracking was as sophisticated as officialdom indicates, it could have been an inside job with remote red herrings added to confuse the trail.
Kelvin Vaughan says:
July 19, 2012 at 7:50 am
I would think someone considering suicide is mentally ill. If I were his employer I would put him on sick leave and make sure he gets psychiatric help!
========================
If I were his employer I would fire his a** and get myself psychiatric help for not doing so much sooner.
‘It rather deflates the whole episode.’ WUWT recently published a collection of mails to Phil Jones / CRU which included clear and ugly threats, and rightly denounced them. If PJ / CRU didn’t report these formally to the police, that’s another matter, but that’s no reason, given the evidence previously published here, for dismissing the difficult experience of fellow humans (even though we might disagree with their views).
That Phil Jones/CRU did not report any death threats to the police suggests those death threats they produced were not genuine.
Peter Hannan says:
July 20, 2012 at 1:30 am
‘It rather deflates the whole episode.’ WUWT recently published a collection of mails to Phil Jones / CRU which included clear and ugly threats, and rightly denounced them. If PJ / CRU didn’t report these formally to the police, that’s another matter, but that’s no reason, given the evidence previously published here, for dismissing the difficult experience of fellow humans (even though we might disagree with their views).
===================
Peter, every organization of any size uses mail filtering. This is most often accomplished through third party (cloud) or (less frequently) appliances and (even less frequently) software. In any event, it’s incredibly far-fetched to believe that any of these emails would have made their way through to the UEA mail servers and into Jones’ mailbox.
This is why some may question the claims of Phil Jones. Add the fact that he never reported these threats to the police makes his claims all the more dubious.