Bishop Hill Operation Cabin Q&As
Jul 20, 2012 Climate: CRU Norfolk Constabulary have published the Q&A from their press conference yesterday (H/T Anthony).
The following questions and answers are an abridged version of Norfolk Constabulary’s Operation Cabin media briefing held on Thursday 19 July 2012.
How do you know it was an external hack?
In outline terms, we know it came via the internet from a number of different IP addresses, in various countries, which may have been proxy servers. The attack was, first of all, into the web server (CRUweb8) in the Climate Research Unit (CRU) at the UEA. From there, a link was established to a CRU back-up server (CRUback3).
It’s fair to say, the university has to draw the right balance between giving access to information – it’s an academic establishment and, as such, has a proportionate level of security which enables people to work remotely and access information to operate in that academic environment. As a consequence of the attack, the UEA has taken a number of measures and its ICT infrastructure now looks very different.
We identified that the attackers breached several password layers to get through and they got to a position where they employed different methodologies to return the data. We identified a significant quantity of data that was taken in this way, certainly in excess of that which was subsequently published in the two files in 2009 and 2011.
We’ve used the expression ‘sophisticated’ and that’s because that’s the view of our experts who conducted that side of the investigation for us. They identified that, as well as achieving the breach, they also took significant steps to conceal their tracks and lay false trails and change information available to us in order to frustrate the investigation. The conclusion was the person /s were highly competent in what they were doing.
That technical investigation was the primary line of investigation although we did cater for other possibilities, these were later ruled out.
Which specific countries were involved in the trail of proxy servers and which countries were either helpful or uncooperative in your investigations?
While we will not be confirming the names of the countries specifically, we can confirm there were a number across the majority of the continents.
We would underline that the use of a proxy server in any country is not necessarily evidence that the hack originated in that domain.
We worked with partners in these countries and the level of response and support we got varied from being excellent to being quite time consuming.
The logistics involved meant it was a complex picture with different legal jurisdictions and sovereignties. Sometimes it’s a procedural issue and sometimes it’s a political issue with a small or a big P.
Can you confirm that the US was helpful?
We will not confirm the identity of individual countries but we can say, in general terms, there is a healthy and productive relationship between law enforcement in the US and the UK.
Did you detect that any national government could be behind this?
No. The hypothesis was, and remains, that the person or persons responsible for this could be anyone on a spectrum from an individual right through to the other end of the spectrum, including commercial organisations and governments. It is obvious that some commercial organisations would have an interest in maintaining their commercial position; similarly there will be economies and governments which have an interest in protecting their position. To be clear, we did not get any indication as to who was responsible.
It is clear the person responsible has knowledge of this subject; did you interview all the bloggers that showed an interest?
We interviewed a number of people and the logistical issues involved meant that much of this work was carried out remotely because, physically travelling to countries, and the logistics involved in achieving that – for the anticipated outcome – would have not be proportionate.
Of course, the climate sceptic community would, in the main, give the appearance of welcoming the published data because it supports their view. Therefore, we were realistic about the prospect of them being helpful to our investigation.
Can you describe what investigations you undertook at the UEA and who you interviewed there?
The focus internally was on the IT infrastructure and working out from there. We also looked at people working at or with connections to the Climate Research Unit and, in simple terms, we were looking for anything obvious. All members of staff were interviewed. If someone had some obvious links or had an axe to grind, then that might have been a line of enquiry.
Generally speaking, it was a screening exercise which did not provide any positive lines of enquiry.
Whilst – because we have not found the perpetrators – we cannot say categorically that no-one at the UEA is involved, there is no evidence to suggest that there was. The nature and sophistication of the attack does not suggest that it was anyone at the UEA.
You say that the hacker had to go through a series of passwords; do you know that someone at the UEA would not have had access to these passwords?
Anyone with access to these passwords has been excluded as a suspect. Additionally, there was some evidence of work undertaken to break passwords.
It has been reported that the hacker accessed the server on three separate occasions, can you confirm if that’s true and if there were any further attempts to access the server after ‘climategate’ broke and have there been any recently?
The report is inaccurate. The attack was conducted over a period of time and access would have occurred on a number of occasions and certainly more than three. Of course, we only know what we know. I have already described it was a sophisticated attack; we have established a substantial amount of what happened. What I can’t say is whether we have established everything that happened.
There were no further data breaches once the story had broken in November 2009, not least because we had taken possession of Cruback3 and it wasn’t available to be accessed.
Do you know when the attacks began?
There’s a timeline of events and there has been speculation, in the media and the blogs,
that there may have been an orchestrated campaign of Freedom of Information requests to the University in the summer of 2009. It appears the attacks were undertaken late in that summer, early autumn, through to November. The first tactic that we were aware of was in September 2009.
There was news that some other institutions, including in Canada, that may have come under a similar attack at that time. Are there any other institutions that you have found that were attacked at this time?
We did have some dialogue and there were one or two that had been attacked and we did have a preliminary examination but they did not give us any indication or cause to suspect that it was in any way linked to the UEA.
What happens to Cruback3 now?
It has been returned to the University of East Anglia, having been retained as an exhibit through the course of the investigation. It was necessary to retain the actual server for this time. It contained a massive amount of data, something in the region of five terabytes.
When the second batch of e-mails was released, there was the note that came with them. Did you or your colleagues contemplate doing structural linguistics or analysis to try and trace it to a particular location in the world?
It was speculated on and it was something we did consider. Our conclusion was that it would be unlikely to take the investigation anywhere and, in fact, if you are trying to conceal your tracks it could have been constructed to mislead.
You have been restricted by the statute of limitations, would you have continued with this investigation otherwise?
The decision to close the case was a combination of the time limit and an acknowledgement that we had pursued this as far as we reasonably can.
Did you consider prosecuting people dealing in the information that was clearly stolen?
In terms of offences committed, it becomes a much greyer area. The same challenges exist in terms of identifying those individuals. An operational decision was made not to pursue this.
Reader Comments (43)
Looks to me as if the plod are themselves setting a false trail.
Of course, the climate sceptic community would, in the main, give the appearance of welcoming the published data because it supports their view.
That's the money shot right there.
So anybody at uea coukd have done it. Ie an insider.unless they were really stupid, would not use a uea computer, would come in from the outside, via the internet.
"The nature and sophistication of the attack does not suggest that it was anyone at the UEA."
Wow - says it all about the intellectual quality of the folks at UEA.
Hang on.
Everything after:
Is utter speculation.
Hasn't anyone in the plod heard of TOR?
Firstly, congrats to the Norfolk Constabulary spokesperson for that superb Q&A. You, sir/madam, would be great asset to any organisation you're working for.
Secondly, I'm glad they didn't catch the hacker. They say they have more evidence for a hack than for internal leak and I see no reason to distrust the the word of the police in this instance and at this stage. So I am glad they didn't catch the hacker.
And finally, before the cranks turn up, this IMHO is not a whitewash, cover up, conspiracy or any other mendacity of the same order. I'd say that the average detective would more likely be a climate skeptic than a climate doomsayer. It is a win-win situation for many in the rank and file of the Norfolk Constabulary whether they catch the hacker or not.
Re: Jace
Pretty much anybody who has a public facing server will find attacks from a number of different IP addresses, in various countries, which may have been proxy servers.
What they have said in their Q&A doesn't amount to much. Had they said something along the lines of:
"They used an SQL injection technique to ...."
"They used a command injection technique to ...."
"They exploited a vulnerability in the Apache server to ..."
Then it would add weight to their claim of an external hack.
To all of those of you who have made an emotional investment in the idea that the incident was a leak from a conscience troubled CRU denizen....now is the time to let go.
I , for one, will no longer be attempting to pick people up on it when they refer to a "hack" rather than a "hack or a leak". It seems to me that the balance of probabilities is now overwhelmingly that it was a hack.
Romantic as it was to imagine a "crise de conscience" from Briffa or the like, it is actually much more interesting to speculate on the identity of the hacker, and the ethics and justifiability of it.
Roll on the final release! ( Which will, however, probably be disappointing for those of us with a hard-on for bashing the Team)
While doing a bit of research before commenting I found the following computer security blog:
http://erratasec.blogspot.com/2009/11/climate-hack-used-open-proxies.html
What the blog author says is that the way alleged hacker operated was not that sophisticated. That with 5 clicks in Firefox you can get access a proxy server. That as staff at CRU had access to realclimate.org the password to that site could be obtained without any great subterfuge once the CRU computers had been accessed.
No doubt the more paranoid members of the climate science community will still continue to believe in a SMERSH style conspiracy.
I think this is a key sentence:
"We identified a significant quantity of data that was taken in this way, certainly in excess of that which was subsequently published in the two files in 2009 and 2011."
More to come, perhaps - can't wait!
Jul 20, 2012 at 8:17 AM | sHx
You clearly have no experience or knowledge of the UK police.
How hilariously pompous is the answer "... the person or persons responsible for this could be anyone on a spectrum from an individual right through to the other end of the spectrum, including commercial organisations and governments..."
They have detected precisely nothing. The whole Q&A could have been reduced to "we are dealing with someone far cleverer than us" or even just "we have failed."
Bottom line , how did someone external know where to find the collection or e-mails and how would they know they even existed , are they really claiming someone just got lucky ?
Re: KnR
> Bottom line , how did someone external know where to find the collection or e-mails and how would they know they even existed
Once you have comprised a computer on a network discovering this information is trivial.
Caroline
That sentence jumped out at me too, a very odd thing to say.
Damn right it does.
Totally contradicts all the propaganda that the material was 'taken out of context' etc. :)
Caroline / Eddy -
Yes that line is very amusing, and suggests there could be at least one sharp mind in the Norfolk Constabulary. Though it is not as funny as the classic comparison of UEA and UAE:
;)All this talk of "proxy servers" is interesting. It would be enlightening to know what protocol(s) the alleged attackers were using.
The most obvious attack vector is SSH if someone was using the public facing web server as a gateway into the network as described above. If that's the case, then "proxy" is a strange word to use.
It says a lot about the state of UEA's infrastructure that a public facing web server could be used to hop into their LAN. Have they not heard of DMZs and firewall rules?
Have they not heard of DMZs and firewall rules?
Jul 20, 2012 at 11:07 AM | Registered Commenterthrog
Have you not heard of HARRY_READ_ME.txt?
"could be anyone on a spectrum from an individual right through to the other end of the spectrum"
Means nothing in it so sophisticated as to suggest it is more than one person. Congratulations & one would like to hope a Nobel Peace Prize some day.
It all makes me search for synomyms for miracle so I can describe to myself the incredibleness of it all
OT, but I recall learning about a body whose job it is to register the names of racehorses. Their spokesman cheerfully admitted to a close call when asked to approve the name 'Norfolk and Chance'.. :-)
"We identified that the attackers breached several password layers to get through and they got to a position where they employed different methodologies to return the data."
Are they trying to say that some of the data was essentially freely available (e.g. FTP with a trivial password?)
After reading all the comments so far, shub is definately on to something. The Norfolk Constabulary, in a moment of lapsed pretense, fully admit that the leaked data contradicts the publicly released data from the CRU, something that has been vehemently denied by other investigations.
I have always presumed that an inside job was the most likely. Based on the Q&A points just read, it seems to me the police are clearly well informed and have conducted a thorough investigation. To one or two here or elsewhere who cast doubt on the competence or motives of the police, just remember they have access to forensic IT consultants of the very highest calibre and there is no reason for them to take any particular view on this matter - if they could have caught the hacker(s), it would have been a result, the fact they have been unable to shows the difficulty of tracing internet attacks. In this case, no material damage has been done - whilst the hack was inconvenient (and illegal) - the data placed in the public domain is not commercially sensitive, even though it may be politically embarassing, not least to UEA.
Also note that the hacker(s) took the trouble to package up the data - a lot of thought went into this and suggests to me high levels of personal motivation and also high levels of moral standards. This might seem slightly bizarre to warmistas, the point I am making is lot of thought went into this, consistent with their own moral view on the right or wrong of belief in CAGW, they worked to high standards when releasing the data, whether you agree or not with their position on CAGW.
I accept the findings of the police and I accept that this was a hack, based on their report. If something is later discovered to contradict this, well then I will change my position. Otherwise it should properly be described as a hack.
I am particularly interested by the fact that the police say the amount of data taken was significantly larger that subseqeuently released. This may just mean that a lot of irrelevant data was taken, but it could also mean that there is a lot more to be made public.
Two further points in general, addressing points made by other contributors. Firstly, my small and little known company has a public facing server and we get cyber attacks appearing in our server logs every night of the week. Most are superficial, but some are concerted attacks. We have been successfully hacked once (someone set up a phishing site on our server) and the first we knew about it was when our ISP phoned us and gave us 2 hours to clear it before they disconnected us from the internet. The world is full of individuals capable of hacking into servers and they are attempting it all the time.
Finally, 5 Tbytes of data is nothing to write home about, particularly for a university department the size of CRU. My small company with just 5 technical people have nearly 30 Tb of storage, and we use it all.
Re: ThinkingScientist
> I accept the findings of the police and I accept that this was a hack, based on their report.
They haven't issued a report, they have issued a press release and I can't tell from their press release if it was an external hack or not, it is to short on detail.
Perhaps once a few FOI have been submitted and responded to things will become clearer.
ThinkingScientist - you could well be right about it being a hack. But I am still inclined to think it was someone on the inside. Others do to: http://climateaudit.org/2012/07/18/norfolk-police-inquiry-at-east-anglia-ends/#comment-343361 (thanks to Orson's last comment on http://bishophill.squarespace.com/blog/2012/7/18/climategate-police-inquiry-closes.html?currentPage=3#comments)
TS
"5 Tbytes of data is nothing to write home about"
Quite a lot to send down a phone line without being noticed, though.
knr, it is not hard to guess that a university will have emails of their employees. How did Peter Gleick know what to ask Heartland for?
Jack Savage, since the beginning I have hinted that the leaker was Briffa. Saying that if the cops asked me questions, I would just respond, You'll never catch the Toyman! (KB Toys)
"5 Tbytes of data is nothing to write home about"
Hmm, lets see.
In 2009 Virgin Media was rolling out its 50Mbit/s broadband which was the fastest in the UK. At that speed it would take 9 days 6 hours to transfer 5Tbytes of data. On the other hand, if you were on an internal network running at 1000Mbits/s it would take 11 hours to transfer the data.
I've studied things that happened in both the First and the Second World Wars, at what in retrospect were crucial turning points. Having looked carefully at good evidence from both sides ie believers and disbelievers (as would be pertinent in a court of law as well as a scientific investigation), I have come to the conclusion that:
(1) in the First World War, there really were a series of miraculous occurrences known collectively as the Angel of Mons, whereby British/French troops were sustained on some occasions, and on other occasions the German troops turned back "inexplicably" after having, in their words, seen an army advancing on them relentlessly, riding white horses. Individual descriptions vary. This happened at a time when there was danger that the Germans would sweep through and vanquish all opposers - in stead of which, while the war was brutal and destructive, the opponents were at least put on a level footing after this series of visitations.
(2) in the second World War, there were reports of two things that defy normal reality. After the war, a leading Nazi referred to a weapon the Allies had that they could not match, he believed it was called the "Silent Minute". I could tell more but space forbids. Then at the Battle of Britain, the Luftwaffe turned back because they saw more planes in the sky than they had - even though in physical reality, the opposite was the case.
All this being, in my mind, well attested (plus I've experienced, and read about, many other well-attested miracles), I still feel that "FOIA" has all the hallmarks of the truly miraculous - humble, not obviously a miracle at the time, and delivering sorely-needed help for Science at a moment of deep distress.
After reading all the comments so far, shub is definately on to something. The Norfolk Constabulary, in a moment of lapsed pretense, fully admit that the leaked data contradicts the publicly released data from the CRU, something that has been vehemently denied by other investigations.
Absolutely.
Thank you Norfolk Police for saying the one thing that matters.
It's the Mindmaster again!
Jul 20, 2012 at 2:00 PM | ThinkingScientist
TS, I don't disagree that this could "properly be described as a hack"; but, it was only by use of a "screening fallacy" that they were able to eliminate anyone at UEA as the "hacker". As they themselves said during the course of the above Q & A:
Yet the original press release made no mention of this:
You also noted:
But in their "background" paper they acknowledged what we already knew from the release of CG2:
To date, "much of the data published in FOIA 2011" still is protected by an unknown password! The Saint (as I prefer to call RC/FOIA) clearly indicated in her/his "covering note" for CG2 that s/he had no plans to disclose the passcode "at this time".
This is getting to be like the pattern one finds in the release of IPCC reports: first there's a "press release" - which probably gets the widest distribution and readership - followed quite quickly by a release of the SPM (which will be read and reported on by far fewer) and eventually (several months down the road) the actual report.
Lots of room for shuffling peas under multiple thimbles (she says, somewhat skeptically!)
And now we have Hickman's "interview" with Julian Gregory! The one part about this that I found interesting:
Yet another "screening fallacy", perhaps?!
It may (or may not) be worth noting that Gregory is not sufficiently high up in the Norfolk plod's hierarchy to warrant a mention, but the chief honcho, Phil Gormley, arrived at Norfolk in January 2010. Gormley's career path included "[...] driving forward the merger of Special Branch and the Anti Terrorist Branch to form the new Counter Terrorism Command for the Metropolitan Police."
And let us not forget that CRU's go-to PR guy was (and for all we know quite possibly still is!) former NOTW honcho (and consultant to the MET) Neil Wallis whose good buddy, Andy Hayman was once at Gormley's desk in Norfolk.
None of the above proves anything, of course - least of all whether or not anyone affiliated with UEA was responsible for the release of CG1 and/or CG2. But I thought these coincidences were worth considering :-)
As an aside, considering the echoes in the plod's narrative (for want of a better word) from Gavin's Nov. 23/09 "reconstruction" of the details, is that they make no mention of this alleged (and never proven) RC "hack" of Nov. 17/09.
Probably just another in a series of coincidences, though!
James P; Terry S
With regard to the 5 Tb of data, I don't think the Police are stating that is the amount that was taken, only that that is the amount that resided on the server they have examined. It is not a surprising amount to find on a university department server.
The Police stated that a lot more was taken than the amount in the ClimateGate FOIA downloads, but that still doesn't imply a huge quantity of data requiring the sort of download times quoted. As far as I can see, the Police have not stated how many Mb were taken (and it is quite likely that they don't know, this would be a difficult thing to detect from a forensic analysis of a server)
For years I tried to have a rationale discussion on ClimateGate: I gave my best to stay patiently and kind. For honesty's sake, please, call it at least, if you want take ones side's part unconditionally, "probable hack", "probable theft". I never got a rationale discussion, only serious accusations...
On January 4th 2010 I have briefly noted elsewhere (click and confer last paragraph here (in a disgusting discussion, based mostly on seemingly untrustworthy, prejudging newspapers)) that the ClimateGate incident was at the time reaching a phase that might remind some "CO2-((c)(A))GW-sceptics" of some tactics in other areas under investigation, namely a phase of sitting important questions out; which is a wearisome phase, when facts are drying up.
In that discussion, additionally, I gave some of my opinions of what I was thinking at the time what the "official", "independent", non-public investigation committees and the boards of enquiries will conclude. More or less:
"... it's too long ago to investigate auspiciously ... [cf. the Norfolk-police-private-"extremism"-"team"-Q&As above: "...may have been proxy servers..." or "...there may have been an orchestrated campaign..."], ... the ('scientists'/'hackers') 'contracts'/'gentlemen's agreements' were concluded orally, respectively somewhere else (so we cannot investigate further) ..., ... it is impossible to see the agreements/contracts with individuals and/or institutes (with the fact that some of these persons and/or institutions even do not exist any longer) ... clarification is also partially impossible, for example, because of probable proprietary rights and because of lost data ..."...).
Two years and five months later I see that some of my points were quite good. The investigation(s) seem to have been a waste of time (and trust?)...
Lucia at Blackboard has an interesting question/observation or parallel: "Sophisticated and carefully orchestrated attack? Or?". WTF?
Jack Savage has a point. When corruption and coverup reaches a high enough level, you have to just give up on the truth.
Tomcat, is truth overrated? Could be true. There were for over two years - apart from most(?) main stream media - scientists and even scientific Journals (for instance Nature Climate Change) that used the term "hack" monocausal - all over the place. I never got or saw any satisfactory explanation, why the ones who used the term, haven't written for example "probable hack". Now they not just get away with their unconcealed partisanship but they feel approved. I for one feel no urge to discus any further with persons who didn't show the slightest insight.
PS: Is justice or irrefutability overrated?