More from Norfolk Constabulary
This is a briefing document that was issued to journalists at a press conference earlier today. It contains background information on the Climategate inquiry and the decision to close it down.
Operation Cabin
Background Information
Introduction
Operation Cabin is the name of Norfolk Constabulary’s investigation into the unauthorised data breach at the Climate Research Unit (CRU) at the University of East Anglia (UEA) in Norwich and the subsequent publication of some of this data on the internet.
The publication of the data in close proximity to the COP 15 and COP17 climate change conferences in Copenhagen and Durban appears to have been done in order to influence global debate around anthropogenic climate change.
The investigation has been undertaken by Norfolk Constabulary, with some support from SO15 (Metropolitan Police Counter Terrorism Command), the National Domestic Extremism Team (NDET) and the Police Central e-Crime Unit (PCeU). Technical support was provided by online security and investigation experts, QinetiQ.
The investigation
The security breach was reported to Norfolk Constabulary by the UEA on 20 November 2009, following publication of CRU data on the internet from 17 November onwards.
An investigation was launched by the joint Norfolk and Suffolk Major Investigation Team (MIT), led by Senior Investigating Officer (SIO) Detective Superintendent Julian Gregory, supported by Detective Inspector Andy Guy as Deputy SIO. Strategic oversight was provided by Gold Group, initially chaired by then ACC Simon Bailey and latterly by ACC Charlie Hall.
Strategy and Parameters
The primary offence under investigation was the unauthorised access to computer material under s.1 Computer Misuse Act 1990.
The aim was to conduct an efficient, effective and proportionate investigation into the circumstances surrounding the unauthorised access with a view to:
- Establishing what data was accessed and/or taken and published
- Establishing who was responsible
- Securing sufficient evidence to mount a successful prosecution if appropriate
Lines of enquiry
At the outset it was not known if there had been a physical breach of security at the UEA or whether the data had been taken as a result of an external attack via the Internet. It was also not known if the offender(s) had connections with or was assisted by members of staff from the UEA and, as a consequence, a number of lines of enquiry were pursued to cater for these eventualities.
Summary of findings
- That the data was taken between September 2009 and November 2009 during a series of remote attacks via the Internet, which accessed an internal back-up server.
- That a large amount of data was taken and subsequently published on the Internet in two separate files in 2009 and 2011. The first was entitled FOIA 2009 and contained 3480 documents, 1000 e-mails and 1073 text files. The second was entitled FOIA 2011 and contained 23 documents, 5292 e-mails and 220,000 files. Much of the data published in FOIA 2011 was protected by an unknown password.
- That the data was not obtained via physical access of the CRU back-up server.
- That there is no evidence to suggest that anyone working at or associated with the University of East Anglia was involved in the crime.
- The offender(s) had used methods common in unlawful internet activity to obstruct enquiries, by planting a false trail and utilising a series of proxy servers located around the world.
- That the attack was highly sophisticated and was undertaken by a person or persons who were highly competent and who knew how to conceal their activity.
Limitation on proceedings
The Computer Misuse Act 1990 provides a limitation on commencing criminal proceedings in that criminal proceedings must be brought within six months from the date on which evidence sufficient to bring a prosecution comes to light, and that no such proceedings will be brought more than three years following the commission of the original offence.
In relation to Operation Cabin, this means that proceedings would need to be commenced in the autumn of this year. This means that the police investigation would need to have been concluded by late summer in order to prepare a case for prosecution within this time constraint. It has been determined that this is an unrealistic prospect.
Resource and costs
The Constabulary carried out a proportionate investigation led by officers from the joint Norfolk and Suffolk Major Investigation Team, with some additional support internally and some assistance also provided by national and external agencies and services.
Officers assigned to this case worked on a number of other investigations simultaneously and, while specific activities relating to this and other investigations may be recorded in their pocket note books, the exact time spent on each activity is not recorded. It is therefore not possible to isolate accurately the overall hours worked by officers and staff on this investigation nor the total salary cost for this.
Over and above this, the cost for over-time and expenses in relation to this enquiry alone has been recorded against a specific cost-code. For the period December 2009 to March 2012 inclusive, this figure stands at £84,871.77.
Further information
Further information in relation to this enquiry has been published by the Constabulary under the Freedom of Information Act.
This material can be found at:
http://www.norfolk.police.uk/aboutus/yourrighttoinformation/freedomofinformation/disclosurelog
Reader Comments (55)
Operation Cabin... cabin!...cabin?... Is that where one holes up to avoid the worst of the storms?
Also, for such a failed and evidence free investigation, stretching to impute motive appears a bit rich:
Bear in mind that the Association of Chief Police Officers, being a company limited by guarantee, is not subject to the FOIA.
The link at the end is from their document, but it currently goes to a missing page. I found their FOI stuff for UEA with a few clicks.
Not all the information from their document has come through the copy/paste, not sure why (eg the summary of findings is empty).
Their document is in docx format, I'm using an older version of Word and needed to download the Microsoft compatibility pack to open it properly:
http://www.microsoft.com/en-us/download/details.aspx?id=3
redc - give us a clue?
On the FOI requests?
The PDF file is here with the summary of the 25 FOI requests for Operation Cabin. A link to each is in the PDF.
(it downloaded without an extension for me - like their "operations" document - I had to add the .PDF extension manually)
Redc, download LibreOffice. It handles docx with no problems.
Ok, reading that, I guess we can all now agree, that UEA was cracked and that the material was not leaked by a whistle blower.
Nevertheless, it does not diminish the seriousness of the climategate material.
This document is devoid of real info, and chock full of careful wording.
That the data was taken between September 2009 and November 2009 during a series of remote attacks via the Internet, which accessed an internal back-up server.
'Remote attacks' is meaningless hyperbole. It translates as 'via the internet'. This sentence is consistent with someone finding an unprotected ftp server containing info which they helped themselves to.
That a large amount of data was taken and subsequently published on the Internet in two separate files in 2009 and 2011. The first was entitled FOIA 2009 and contained 3480 documents, 1000 e-mails and 1073 text files. The second was entitled FOIA 2011 and contained 23 documents, 5292 e-mails and 220,000 files. Much of the data published in FOIA 2011 was protected by an unknown password.
Err… We know this. Everyone knows this. This is what you're supposed to be investigating.
That the data was not obtained via physical access of the CRU back-up server.
Err… We know this. And, again, it's legal jargon. It simply means someone didn't copy the files onto a thumb drive or DVD. That's all.
That there is no evidence to suggest that anyone working at or associated with the University of East Anglia was involved in the crime.
So we'll take your word for that then.
The offender(s) had used methods common in unlawful internet activity to obstruct enquiries, by planting a false trail and utilising a series of proxy servers located around the world.
You mean like anyone protecting their IP address routinely does?
That the attack was highly sophisticated and was undertaken by a person or persons who were highly competent and who knew how to conceal their activity.
Translation: We have no idea what happened. This means one of three things:
1. FOIA is a world class hacker and the phenomenal resources of the MET (£84K) weren't enough to catch them or,
2. FOIA is just careful and the plod are incompetent (or didn't try very hard to catch them) or,
3. FOIA isn't a hacker at all, and they know who he is, but it's too embarrassing to arrest them.
So if there is a time limit, does FOI/? just sit and wait ?
Correct URL for disclosure logs
http://www.norfolk.police.uk/aboutus/yourrighttoinformation/freedomofinformation/disclosurelog.aspx
Notice that they aren't saying how much the investigation cost, apart from £84K specific items. It beggars belief that they don't actually know how much it cost - this is obviously a formula used to make sure the public's thirst for knowledge remains unsatisfied.
Am I correct in thinking that some UEA FOI requests were turned down as the police had got the server ('the dog ate my homework')? If so, is someone on top of this?
"The publication of the data in close proximity to the COP 15 and COP17 climate change conferences in Copenhagen and Durban appears to have been done in order to influence global debate around anthropogenic climate change."
So they know nothing but are supplying a motive?
This looks like the hand of a PR agency
An alternative explanation is that Norfolk's finest are trying to lull the culprit into a false sense of security, so that when FOIA 2012/3 is released, they hope to pounce.
Summary:
'Whoever did it was ever so clever and we couldn't find them. And nobody in UEA fessed up'
Any mention as to why officers searched Tallbloke's house and laptops with a warrant?!
Summary: 'Whoever did it was ever so clever ruling out UEA inhabitants.'
Any mention as to why officers searched Tallbloke's house and laptops with a warrant?!
Jul 19, 2012 at 4:40 PM ZT
No but presumably because CG2 was announced on Tallbloke's blog and they imagined that FOIA might have left evidence there.
Since CRU and Plod know that it's only a matter of time before CG3 hits the fan they might as well release the rest of the emails now.
This is the sentence I find most interesting. Can you guess what’s missing, to make it suitably ambiguous?
“The offender(s) had used methods common in unlawful internet activity to obstruct enquiries, by planting a false trail and utilising a series of proxy servers located around the world.”
Yes, it’s a time point. Are we talking here about a hack from behind proxy servers, in a supposed frontal assault to get the data, or the dissemination of the material in CG1 and CG2? Wonderfully vague stuff but it keeps the hack meme alive and well.
http://thepointman.wordpress.com/2010/12/17/why-climategate-was-not-a-computer-hack/
Pointman
Very good spot, Pointman.
Clearly Inspector Knacker (alias Clouseau) was way out of his depth.
However if we accept that it was a hack and not a leak, then I am saddened that there was/is no one at CRU with a conscience - I had hoped there might have been.
It would be interesting to know the detail of how they can be sure that -
A) The files weren't copied locally.
B) The hack came from the internet.
If they have the level of sophistication in their security that they can be absolutely sure of this, they would almost certainly have detected the attack / theft as it happened or shortly afterwards.
What seems more likely to me, is that they are guessing or making huge assumptions and dressing it up as certainty.
Can anyone come up with a plausible explanation of why alleged hackers of such alleged sophistication would have targeted CRU in the first place? Of all the servers in all the world, why the CRU's? To me, the chances of anyone going after these files without inside knowledge of what they contained and what they were looking for seems so remote (no pun intended) as to be incredible. The Norfolk plod have made themselves look extremely stupid.
Cabin fever
Jul 19, 2012 at 6:31 PM | Buck
"they are guessing or making huge assumptions and dressing it up as certainty".
Hmmm ... now why should that remind me of Climate "science" and the IPCC !!!
Well it seems I'm not as cynical as other posters and I would take the statement mostly at face value. I'm deducing that they must have been able to view the server logs (recording all logins/file transfers of the particular files) to say what they did about more than one proxy server. The emails in the first CG release were not very old so it's likely that the server logs (or backups) were still current enough for them to trawl through.
Of course for RC/FOIA/Whistleblower it's trivial to do all this from the outside and remain anonymous, it could've been anything from lax security to an unpatched server vulnerability.
Obviously the plod don't want to say that they have absolutely no idea, the question of whodunnit is still just about anybody.
'That the attack was highly sophisticated and was undertaken by a person or persons who were highly competent and who knew how to conceal their activity.'
So they have no idea who did it or how, because it was so sophisticated and he/they was/were so competent in concealing his/their activity.
Rather insulting perhaps, that they thus conclude, or at least infer, that UEA staff/associates are not involved?
Pharos,
Lol, anyone within CRU/UEA with any relevant skills could be relieved not to be under suspicion but also deeply insulted to be thought so utterly incapable....
At least all the Climategate enquiries have been "consistent".
Consistent with other masterpieces of the art, like Widgery on Bloody Sunday.
I reckon the fact that decisively nipped the "inside job" hypothesis in the bud was the obvious fact that Jones, Briffa and the rest of them were self evidently more nitwitted than even the plod.
But they don't seem to have considered by far the most likely scenario. One of the CRU geniuses stashed it all onto a computer without proper security. There for any reasonably bright 15 year old to stumble across.
Hmmm ... maybe they're not so certain after all ... from the Q&A at the press conference:
Perhaps their "results" were affected by yet another "screening fallacy" ;-)
Do we take it from
that the police don't know the contents either? If that's the case, there might be far more revealing material to come.
Thanks Hilary, enough room there for anything, so content zero. I'm with Pointman and have been since the day it happened. Inside job.
I've yet to see any evidence that it was an inside job.
This latest release does indeed tell us a lot! However it does not add up.
Qinetiq were involved, those people are seriously high end military grade freaking experts. If Qinetiq describe the 'attack' as "highly sophisticated and was undertaken by a person or persons who were highly competent and who knew how to conceal their activity." then it was a military grade job. Why on earth would those kind of people be interested in climate change? None of it makes sense.
Following on:
The above leaves me believing that the whole statement is a cover up. It was an inside job, it would be too embarrassing for the university to admit this and name the whistleblower so we get the cover up.
Must admit I have only had chance to skim, but just what did Qinetiq do?
I thought it was "email extraction":-
"Russell Inquiry: Whatever Happened To FOI2009? "
http://thegwpf.org/science-news/1258-russell-inquiry-whatever-happened-to-foi2009.html
Not in direct reply to the troll (because it will be deleted)
I would like to say that I am open minded about it being a hack. Frankly I don't care if it was or wasn't. If they are caught I hope they are brought to justice with the same swiftness and severity that Peter Gleik was. The difference between the two cases is that in spite of the illegality of hacking the CRU something of worth was gained, truth was revealed and FOIA obviously felt that potential criminal charges were a worthwhile price to pay.
Unlike some people who had to fabricate anything interesting eh?
Ray at Lucia's Blackboard made an interesting observation:
At JustAnswer the following question was posed and the answer that follows:
I went Googling and found this:
and this
I then went and located the actual legal texts: the Police and Justice Act 2006 and the Computer Misuse Act 1990 as amended.
From the amended Act we find (Note the brackets enclosing the entire section tagged F1)
You can click on the pieces I’ve bolded and you get (from page 180 of the 2006 act) this:
IANL but the bottom line would seem to be that there is no statute of limitations that is about to expire and either the Norfolk Police screwed up big time or there are other reasons for dropping the investigation. I leave it as an exercise for the reader to imagine what those might be.
Bob
Qinetiq:
'The publication of the data in close proximity to the COP 15 and COP17 climate change conferences in Copenhagen and Durban appears to have been done in order to influence global debate around anthropogenic climate change.'
Sorry, it's hard to see how that relates to a criminal investigation, given that they don't know who did it. They just seem to have had a 'guess' as to motive, and it's far from clear that COP15 or 17 would have gone another way if there had not been a leak.
Further, what suggests inside is not what is seen but unseen: there is little of daily talk seen in normal e-mails, nothing about the day-to-day boring business. In short, someone has gone to a lot of effort to filter these e-mails. Why would they if they're a malicious hacker?
Even if it was a hacker and these e-mails were collected for a particular purpose, and so the filtering of them, how would any external hacker know to go looking on CRU's services? Is it really likely they got 'lucky', or did they know where to go and look because of their own knowledge or someone on the inside told them where it was?
Bob
Truly jaw dropping discovery you made there !
If university emails are not private and in fact are public property since they are publicly funded. If the hacker was an insider then surely he can have committed no crime. Even if it was an outside hack, was it a crime to publicise emails that should rightly be in the public domain anyway?
Dung
"Qinetiq:"
I know what they are, spent unproductive time there, it is what they were contracted to do that interests me.
As I understand it they were only contracted to extract emails from the server. Therefore it surprises me to see the billing as "online security and investigation experts". What online expertise is needed to extract emails from an off line server?
Bob - well done on the legal research! There are limitations on criminal offences in the UK depending on the offence: broadly speaking statutory offences have time limits; common law crimes don't. But it gets a bit messy in the detail. However you're right to highlight the "each way" prosecution rule, which means that the time limit on such statutory matters evaporates.
To the case in point: there is a shortcut - the CPS helpfully publish advice for prosecutors (come on COPFS!), in this case it can be found here:
http://www.cps.gov.uk/legal/a_to_c/computer_misuse_act_1990/
The relevant section is this:
(my bold) this does appear to have been in force in 2009, when the incident occurred.
Green Sand
I have no knowledge of
however Qinetiq could only have been of use if all the emails had been deleted from UEA servers. I have not read anywhere that either the "criminal" or the UEA had deleted them after the "crime"? Either way I maintain my position that the Norfolk plod release does not add up.
Not wishing to appear too much the pedant, but the briefing document states that they were firstly trying to establish "...what data was accessed and/or taken and published." - how hard is that?
Look at what was published and you have established the above. Money well spent...
Or, being slightly less cynical about Norfolk plod, they appear to have employed someone who either cannot properly command the English language (or someone who has excellent command thereof and meant exactly what was said) to write their briefing document.
Either way it looks somewhat shoddy.
"a series of remote attacks via the Internet, which accessed an internal back-up server."
Really ? Wow ! The UEA must have the most insecure network ever. An internal back-up server should never, ever be accessible via the internet. It should sit behind at least two firewalls making it impossible to access (unless their firewall rules are very, very poor). And all those e-mails on the back-up server ? No way. It's standard practice within the IT industry to back data up to disk before moving it to tape within 24 hours.
Plod's explanation doesn't sound at all plausible to me.
British university networks are usually outstandingly open - because the systems are generally run by individual academics, research teams or departments (who are far more interested in price / performance than security) rather than some central university authority. I actually had to set up a secure online purchasing system within a uni network once. Getting people even to think about securing machine was hard.
On the great conspiracy front? If the CRU didn't keep adequate logs then there was probably very little that the PCeU, QinetiQ or Norfolk plod could do.