94 thoughts on “Climategate Inquiry: Ended.”

  1. So will those responsible come forward?
    Not a chance; it is a ploy by the police to have someone fess up while they are still at legal risk (in some jurisdiction somewhere). Nice try though.

  2. SteveF, there’s no reason to think this is a ploy, nor to think this announcement would convince anyone to come forward. This is just the police recognizing there are only a few months left before the case can’t be prosecuted. Even if they could figure out who did it before the deadline, they’d still need to investigate the person, build a case and bring prosecution against the culprit.

    It’s perfectly normal. It’s not a trick you’d see on TV.

  3. Brandon,
    OK. Then what possible motivation do they have for a press release, 4 months before the statute of limitations? I mean, better to sulk off, defeated by your criminal adversary in silence, than hold a press conference admitting the bad guy got away with it…. especially since he has not yet got away with it!

    I still think it is a ploy.

  4. SteveF:

    OK. Then what possible motivation do they have for a press release, 4 months before the statute of limitations? I mean, better to sulk off, defeated by your criminal adversary in silence, than hold a press conference admitting the bad guy got away with it…. especially since he has not yet got away with it!

    It’s a relatively high-profile case, and lots of people are interested in it. It’s common for police to announce when an investigation into such a case is coming to a close. Why would they “sulk off” when doing so would just prompt people to ask a bunch of questions a press release could head off? A press release like this* will cause a bit of publicity right away, but in the long run, will draw far less attention.

    I still think it is a ploy.

    People believe all sorts of foolish things. If you want to believe the police are hoping the culprit is a complete moron, you can.

    *Of course, while the strategy may be sound, their implementation of it could be bad. Time will tell if the contents of the press release wind up causing them more trouble.

  5. I find the press release a little strange. But who knows? Maybe they need to get reporters to stop calling to find out whether there might be a break soon. I’m deferring judgement on deciding what this means.

  6. lucia, for what it’s worth, I find it strange because of its contents. Some of what was said in it seems like it will just cause more questions and attention. People are going to want to know how the police reached the conclusions they announced, and they’re going to raise questions. That seems the exact opposite of what one would expect was desired.

  7. Ray, that’s a very interesting find. I went off a googling and found this

    Computer Misuse Act amendments come into force on 1st October 2008

    The controversial amendments to the Computer Misuse Act 1990, which were brought onto the statute book by the Police and Justice Act 2006, are finally coming into force this Wednesday 1st October 2008.

    See: SI 2008 No. 2503 The Police and Justice Act 2006 (Commencement No. 9) Order 2008

    The penalties for Section 1 unauthorised computer access offence (“hacking”) is increased from 6 months to 2 years, making it eligible for Extradition from foreign countries.

    The statutory limitation on this Section 1 is abolished (formerly a charge had to be brought no later than 6 months from an arrest, and nothing older than 3 years ago could be considered).

    and this

    The UK has NO statute of limitations with regard to criminal offences. In short, you can be arrested and taken to court for an indefinite time after the offence was committed.

  8. My reading of the legislation indicates to me that the three years arises from a limitation period in respect to section (1) offences under the Computer Misuse Act set out within the Computer Misuse Act itself in section 11 which states:

    Computer Misuse Act
    11 Proceedings for offences under section 1.
    (1)F1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    (2)Subject to subsection (3) below, proceedings for an offence under section 1 above may be brought within a period of six months from the date on which evidence sufficient in the opinion of the prosecutor to warrant the proceedings came to his knowledge.

    (3)No such proceedings shall be brought by virtue of this section more than three years after the commission of the offence.

    Sections 2 and 3 do not appear to have three year statutes of limitations but the offences require more elements than section 1 offences.

    Section 1 is unauthorized access.

    Section 3 requires an intent to impair operation of the computer and would not be applicable. Section 2 which is unauthorized access with intent to commit a further offence – This would presumably relate to credit cards and the like. It’s interesting that the Norfolk Police have apparently taken the position that there was not a section 2 offence.

  9. Schnoerkelman,
    Thanks for that.
    I was actually surprised that there was a statutory time limit on this, which is why I did my search.
    Obviously the Norfolk Constabulary are not up to speed on this.
    I also wondered if the person asking the question on the “justanswer” site, might be the culprit, trying to find out if he/she was safe yet! 🙂

  10. Steve,
    But what about the amendments of October 1st, 2008?:
    “The statutory limitation on this Section 1 is abolished (formerly a charge had to be brought no later than 6 months from an arrest, and nothing older than 3 years ago could be considered).”

  11. It will also be interesting to see if they return the 2 servers which would act as primary evidence because they will contain logs. They may well have cloned them for investigative purposes but the original would ideally comprise the actual evidence.

    http://www.bishop-hill.net/blog/2012/1/17/more-from-norfolk-police.html

    The Backup server used open source software called Backuppc (see CG2 email 0626) which has logs which look like this

    http://backuppc.sourceforge.net/BackupPCServerLog.html

    At the very least that should have provided a lot of information about access times and what may have been retrieved via the Backuppc CGI interface which looks like this.

    http://backuppc.sourceforge.net/BackupPCBackupBrowse.html

  12. Here is the amendment from 2006 as PDF

    And here is the annotated document where section 11 is noted as repealed.

    bob

  13. With respect to the backup server. Does anyone know if this was truly a backup server or rather a standby server? A backup server, that is a server where backup copies are made and/or held, would not be connected to the Internet in any universe I’m familiar with. Clearly a standby server would need to be since that function would require Internet connectivity to send/receive email.

    I also find it rather strange that an email server would not have been in a DMZ with only a very few services allowed through the firewall (DNS, SMTP, NTP).
    bob

  14. Schnoerkelman – have a look at my 17 Jan post in the link to BishopHill above where I summarised the IT as taken from various sources.

    Note CRU was running as a small separate IT function within a much larger IT function

  15. Thanks clivere, that’s what I was looking for.

    If I’ve understood properly the server is indeed a backup server and would not have been visible to the Internet. Further, the email server(s) are fed via the central firewall which I would assume (yes, we all know where that leads) would be reasonably secure in terms of open ports.

    Would you agree with that? If the above is correct how did someone from the Internet get to the backup server to grab the files?

    I have a serious problem with the idea that telnet (grin, your tool of choice) would be passed by the central firewall…

    bob

  16. Schnoerkelman – the primary means of access to the backup server is via the CGI interface which requires use of a web browser such as IE or Firefox. My view is that the server would not be very visible to the internet but could be accessed via the internet by someone navigating through to the CRU webserver. They would likely require id/password to initially get there and then use of a further password to get access to the Backuppc CGI interface.

    I have got as far as installing Backuppc to have a look at it but need to get multiple boxes networked in order to try it. At the moment I am working via the documentation which does suggest internet access is possible.

  17. On the assumption that it was possible to actually get to the backup server’s UI via the web server do you think it likely that the central firewall would permit the data transfer from the backup server to an outside destination? This strikes me as improbable as well.

    What I’m getting at here is that we need a reasonable scenario for actually getting the data from the source via the Internet to some external sink. If all of the components had been under CRU control I’d be more likely to believe that than I am with the university’s central firewall being in the middle.
    bob

  18. People who actually thought “they” were going to release any good information re:climategate please chime in.

    Andrew

  19. But what about the amendments of October 1st, 2008?:
    “The statutory limitation on this Section 1 is abolished (formerly a charge had to be brought no later than 6 months from an arrest, and nothing older than 3 years ago could be considered).”

    Hmmm. Don’t know. If the time limit was repealed, the announcement is hard to explain.

  20. Steve, the 2nd link I posted above is to the online copy of the legislation:
    http://www.legislation.gov.uk/ukpga/1990/18/section/11#section-11-1
    and it seems to indicate that sections 11 and 12 are repealed (this is “prospective” if you look at the history timeline)

    Note the brackets enclosing the entire section:

    [F1(1)F2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    (2)Subject to subsection (3) below, proceedings for an offence under section 1 above may be brought within a period of six months from the date on which evidence sufficient in the opinion of the prosecutor to warrant the proceedings came to his knowledge.
    (3)No such proceedings shall be brought by virtue of this section more than three years after the commission of the offence.
    (4)For the purposes of this section, a certificate signed by or on behalf of the prosecutor and stating the date on which evidence sufficient in his opinion to warrant the proceedings came to his knowledge shall be conclusive evidence of that fact.
    (5)A certificate stating that matter and purporting to be so signed shall be deemed to be so signed unless the contrary is proved.
    F3(6). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    (7)This section does not extend to Scotland.]

    F1 S. 11 repealed (prosp.) by Police and Justice Act 2006 (c. 48), ss. 52, 53, Sch. 14 para. 23, Sch. 15 Pt. 4 (with s. 38(2))

    You can click on the pieces I’ve bolded and you get (from page 180 of the amendment) this:

    23 Section 11 of that Act (proceedings for offences under section 1) is repealed.

  21. clivere,
    you can attempt to restore from the CGI but the firewall will need to be configured to pass the traffic for it to succeed. The second part is where I would expect the plan to fail.
    bob

  22. Bob – Which leads to the questions – How did they configure the firewall? Did they want users to have remote access?

  23. clivere,
    Agreed but I think the central firewall guys would have something to say about that and I’d guess it would be something along the lines of “NO! Are you mad!?”

    I do hope someone follows up on the non-existent statute of limitations thingy above, I think that’s going to be lots of fun 🙂

    gotta run away and catch a train.

  24. The press release allows for some talking points to be given official backing. It was a hack, not a leak. It was done to damage climate talks.

  25. I think this non-event pretty much leads me to conclude the entire fiasco was a put-on, which I suspected already. And considering it has to do with climate science…I mean, why the hell not. You’re already all in for the big lie and the associated lies that surround it. There’s no reason to limit yourself.

    Andrew

  26. If FOI cannot be prosecuted, no crime has been committed. Therefore, no emails were illegally obtained (testing my Nick Stokes logic).

  27. I find it odd that there was no hint of an inside man in the summary press release. Nor that they were able to narrow it much.

    Chinese identity thieves? Estonian data pirates? Random maladjusted teenage pranksters? The universe of people who would go to such effort to obtain craploads of emails from professional weather nerds cannot be very large.

    My assumption was that to deflect suspicion, an inside man staged or coordinated an external hack of materials whose content and location he already knew rather than effect a traceable leak.

    It is easy to see how one could form a negative opinion of some of the email correspondents and to want to make it all public but there would be no legal protection for a prospective whistleblower because none of the unfortunate behavior in the emails was illegal. The orchestrated hack was the only way to make it public and stay in the background. (Note: I am not condoning, just speculating.)

    But we may never know until the civil and criminal statutes run and he/she/they get a different employer.

  28. My assumption was that to deflect suspicion, an inside man staged or coordinated an external hack of materials whose content and location he already knew rather than effect a traceable leak.

    That’s Mosher’s view as well and it makes sense.

  29. Further, to Mosher’s theory, if I understand it, is the possibility that identifying the inside man, the orchestrator as it were, would be a bigger embarrassment to the university than failing to identify him.

    Mosher will know if that view makes any sense.

  30. yes.

    Without going into too much detail, I’ll ask folks to read the letter that FOIA sent with the first batch of mails.

    My first impression was that it read like the Ramsey kidnapping note. In that note the perp tried to provide a false trail by claiming to be part of a group. FOIA did the same thing, trying to pose as a ‘we’. Given that falsehood I look at the letter the same way I look at Gleick’s stuff. It’s a false trail. a diversion. a misdirection.. misdirection from what and who?

    The most important misdirection is the one about motive. To read FOIA the motive is about exposing FOIA material. So, I read that as a misdirection. What real motive is he trying to hide?

    Who does the release of mails hurt and who has a motive to hurt them. Who would want to hurt jones and why? If folks attend to that they will find what I did in the first hour.

    Also opportunity. Does the person with opportunity have a motive. personal motive. Think about motives in a corporate setting. who wants to take down the boss and why? think about being held down or put down or frozen out. think of career path.

    Beyond that there are some very bizarre facts. I leave you with this.

    For a year FOIA was silent. Not that I didn’t try to goad him into saying something.

    Then Steve said something. “maybe a deal was done”

    FOIA came online to say “no deal was done”. think through that.
    why does Steve’s supposition strike a chord? why is it important to respond to that?

    The second batch of mails comes out. and with a password.
    the kidnapper still holds the body. you will not fire him. in fact, you will do something nice for him or else. and of course he blots out names to avoid civil issues.

    Now. of course the inquiries would want to question everyone.
    guess who missed his interview? why? what’s he know about his ability to lie face to face?

    a con man will look you in the face and lie. he knows he can. kidnappers, use notes. always working at a distance. fear based. revengeful and smart. but lousy in face to face confrontations.

  31. Police Q&A here

    The nature and sophistication of the attack does not suggest that it was anyone at the UEA.

    You say that the hacker had to go through a series of passwords; do you know that someone at the UEA would not have had access to these passwords?

    Anyone with access to these passwords has been excluded as a suspect. Additionally, there was some evidence of work undertaken to break passwords.

  32. Anyone with access to these passwords has been excluded as a suspect. Additionally, there was some evidence of work undertaken to break passwords.

    Astonishing. Anyone for whom an “inside” job would have been easy was excluded from the suspect list.

  33. Steven Mosher said in Comment #99738

    “guess who missed his interview?”

    _____

    Are you asking who or do you know who?

  34. “A surprising amount of enterprise data leaks, whether from malicious origins or not, happen because of authorized users. Forty-nine percent of companies reported they experienced an internal security breach in the past year, according to Deloitte’s 2006 Global Security Survey. Of those, 31 percent experienced a breach from a virus/worm incident, 28 percent through insider fraud and 18 percent by means of data leakage (19 percent experienced the breach through other means). It’s also somewhat significant that fully 96 percent of respondents reported that they are “concerned about employee misconduct involving their information systems.”

    http://www.crn.com/news/channel-programs/193100109/review-data-leak-prevention-tools.htm;jsessionid=4QdAMwQ+HSH3m5LGe5yRxQ**.ecappj01

  35. Steve, one more observation. The Post-Docs and Ph.D. students are the dogs that don’t bark. They know everything and the majority of emails sent to/by an academic are from/to the people who do most of the actual work. No bad stuff on these people was released; there was no ‘Adrian isn’t working out as well as I expected’ or ‘Susan is so lazy and doesn’t know how to…’. Most supervisors bitch about their underlings and think that by applying as much pressure as possible they can turn coal into diamonds; whereas post-Docs think their bosses are so out of touch with modern theory and practice they should be wheeled into a retirement home.
    Post-Docs and Ph.D. students not only know the way the sausages are made, it is they who turn the handle of the machine.
    If anyone thinks that the people at the CRU come out rather badly in the leaked emails, I ask, can you imagine working for one?

  36. Placing FOIA.zip at RC made me think originally that it was a student. It seemed prankish, like putting a car on a college roof. Mosher has argued for someone on staff and has some plausible speculations.

  37. JFerguson, I read that to mean that they suspected them, then their investigation led them to remove them from the suspect list.

  38. MikeN. I think your interpretation is the more likely. No-one could have been as obtuse as my interpretation would have suggested, of course assuming that they did, in fact, know who had the passwords – sometimes more than intended.

  39. @Steven Mosher (Comment #99738)
    July 19th, 2012 at 2:29 pm

    Without going into too much detail, I’ll ask folks to read the letter that FOIA sent with the first batch of mails.
    My first impression was that it read like the ramsey kidnapping note. In that note the perp said just what he thought by claiming to be part of a group. FOIA did the same thing, trying using the word ‘we’. Given that fact I look at the letter the same way I look at a lot of stuff. It’s a someone justifying his actions.

  40. So what the cops actually say, which no one has actually quoted so far, but is actually bleeding obvious to everyone.

    “While no criminal proceedings will be instigated, the investigation has concluded that the data breach was the result of a ‘sophisticated and carefully orchestrated attack on the CRU’s data files, carried out remotely via the internet’.”

    Which was subsequently confirmed by the attack on the Realclimate site. My guess, someone with enough money to buy some hacker time but without the intelligence to understand the case for AGW.

  41. @Carrick (Comment #99753)
    July 20th, 2012 at 5:19 am

    What they say and what they have evidence for are different things.

    Are you saying they are lying? They said what they have evidence for, and it’s not going to get them someone to convict, but it is outside hacking by skilled criminals.

  42. @j ferguson (Comment #99736)
    July 19th, 2012 at 12:09 pm

    Further, to Mosher’s theory, if I understand it, is the possibility that identifying the inside man, the orchestrator as it were, would be a bigger embarrassment to the university than failing to identify him.
    Mosher will know if that view makes any sense.

    A fine theory, except for the fact that it’s the police carrying out the investigation, not the university.

  43. How do you know it was an external hack?
    In outline terms, we know it came via the internet from a number of different IP addresses, in various countries, which may have been proxy servers

    It’s an external hack because machines from outside CRU were involved. That seems to be merely definitional. By this definition, a person sitting in his own office at his own machine could access the machine sitting next to him using a proxy server, and that access would be an “external hack”.

    They identified that, as well as achieving the breach, they also took significant steps to conceal their tracks and lay false trails and change information available to us in order to frustrate the investigation.

    I think using a proxy server is, by definition, “taking significant steps to conceal their tracks”. Maybe they also connected to the proxy server through something like TOR etc.

    I see entities trying to connect to my blog using TOR and/or proxy servers all the time. Based on other features of the request some are clearly trying to hack in. Others are almost certainly bots some of which may want to do something fairly harmless (like leaving comment spam.) Lots of these present fake cookies, blank or clearly wrong referrers and do other things. I suspect what they do would be called “lay false trails and change information available”.

    People in IT would often dub many of the people setting these bots loose as “script kiddies”– a term to describe people who are not considered ‘sophisticated’.

    To be clear, we did not get any indication as to who was responsible

    I read this as coming close to saying “we have no idea whatsoever who did this”.

    Whilst – because we have not found the perpetrators – we cannot say categorically that no-one at the UEA is involved, there is no evidence to suggest that there was.

    It seems however that the following sentence could be equally true:

    Whilst – because we have not found the perpetrators – we cannot say categorically that no-one writing a climate blog is involved, there is no evidence to suggest that there was.

    or

    Whilst – because we have not found the perpetrators – we cannot say categorically that no skeptic was involved, there is no evidence to suggest that there was.

    Basically: ‘They can’t categorically state “X” didn’t do it, but there is no evidence to suggest “X” did it’ would seem to be true for all possible X.

    You say that the hacker had to go through a series of passwords; do you know that someone at the UEA would not have had access to these passwords?
    Anyone with access to these passwords has been excluded as a suspect. Additionally, there was some evidence of work undertaken to break passwords.

    Honestly, I don’t get this logic. If someone was smart enough to use a proxy server why wouldn’t they think to pretend to need to break a password? Maybe get some dictionary attack software from somewhere (it’s advertized all over the place– e.g. http://en.softonic.com/s/dictionary-attack ), run it a while and then crack in? I would think nearly anyone smart enough to even be admitted to college would be smart enough to think up this step once they decided to cover tracks. (And we know they tried to cover some– they used proxy servers to drop links at blogs!)

    It appears the attacks were undertaken late in that summer, early autumn, through to November. The first tactic that we were aware of was in September 2009.

    Is September 2009 summer in the UK?

    The decision to close the case was a combination of the time limit and an acknowledgement that we had pursued this as far as we reasonably can.

    They reached a dead end. I’m not surprised. The outcome might have been the same had CRU reported to the police before the s*it hit the blogs. By the time they reported, some evidence trails were probably stale. Some auto-delete processes might have run for certain internet records. (Of course, maybe not. I do run a WP plugin to clear crud from my databases periodically. But some people don’t.)

    Did you consider prosecuting people dealing in the information that was clearly stolen?
    In terms of offences committed, it becomes a much greyer area.

    I think this is just an admission that much of the “dealing” is simply legal. There might be some behaviors that were illegal–but some– in fact most– of whatever ‘dealing’ might encompass was and is perfectly legal.

    The same challenges exist in terms of identifying those individuals. An operational decision was made not to pursue this.

    To the extent that any of the ‘dealing’ might be illegal, those people who did the ‘dealing’ probably used anonymizing services and proxy servers too!

  44. You only have to read what FOIA has written to see that they are a person of limited intelligence and education. Not likely to be an inside job at a university. Their writings are just your every day, mundane screed on a climate denialist blog.

  45. lucia:

    I think using a proxy server is, by definition, “taking significant steps to conceal their tracks”. Maybe they also connected to the proxy server through something like TOR etc.

    But… you… connect to a proxy through TOR… a proxy…

    *shakes head*

    Honestly, I don’t get this logic. If someone was smart enough to use a proxy server why wouldn’t they think to pretend to need to break a password? Maybe get some dictionary attack software from somewhere…

    Also, a person having access to something doesn’t mean they realize they have access to it.

  46. >they are a person of limited intelligence and education.

    At least you didn’t say they is.

  47. bugs–

    You only have to read what FOIA has written to see that they are a person of limited intelligence and education. Not likely to be an inside job at a university. Their writings are just your every day, mundane screed on a climate denialist blog.

    Is your theory that a person (singular?) of limited intelligence managed to orchestrate a sophisticated hack that permitted them to achieve the goal of obtaining damaging materials and also elude identification and capture by the police? Really? If yes, that’s a very odd theory. If it’s not your theory, you are going to have to explain to me how a person of limited intelligence managed to do this.

    Brandon

    But… you… connect to a proxy through TOR… a proxy…

    *shakes head*

    I know they are all proxies… So, I get that it reads like a “duh”.

    There is actually advice on the internet suggesting hackers should connect to anon services like relakks.com using TOR (or to TOR using relakks. I can’t remember the order.) It would be awfully slow, but I wandered across this advice. (I see a fair number of hack attempts from relakks.com btw. Not tons— but some. Though the advertizing at these businesses focuses on telling customers they should want to protect themselves from advertisers and governmental big-daddy type tracking etc., the people who do try to break in to blogs do sometimes pay relakks.com the $$ to be anon. Go figure.)

    Also, a person having access to something doesn’t mean they realize they have access to it.

    True too.

    It just seems to me that the theory whereby you decide people who do have passwords wouldn’t cover up that fact is inconsistent with the theory that whoever did connect, copy and distribute the materials took many steps to cover up who they were and where they were from.

    Certainly, whoever did this thought about what they were doing. They did sit down and make a plan and they did think about what was required to make any evidence be as ambiguous as possible.

  48. A little more detail on CRUBak. It had multiple backups of 60 machines. It had 22 backups of Phil Jones’ computers. The backups were in backupPC.

    In the Don Keiller appeal, UEA refused to search the machine for a single email with a known date and known addressee institution (Georgia Tech). They said that it would take 22 days to search Jones’ backups and cost over £25000 (!)

    RC/FOIA, starting in Sept 2009, was pretty efficient over a short interval.

  49. two questions that the police did not address and which have not been discussed much. Why CRU? Why did the “hack” start in September 2009?

    Confirmation from the police came on two points: no other UK universities were hacked. Nor elsewhere – Andrew Weaver’s laptop thefts at Victoria is totally irrelevant, disinformation in this context. So why would a “cyber-terrorist” (Revkin quoting Pierrehumbert) pick CRU?

    Secondly, the police confirm that access began in September. Following unfounded speculation by real_climate_scientists, Gregory of Norfolk asserted that this was connected to Copenhagen. But any Dr Evil plot to disrupt Copenhagen by hacking CRU would surely have started long before September and would have involved other universities.

    So why CRU? and why September 2009?

  50. “Maybe because the motivation was personal.”

    That is the most logical conclusion. The police know (or should) that figuring out the motivation is one of the most important tenets of detective work. Such a strange report we’ve gotten from them.

  51. After reading some of the transcript with Julian Gregory, who led the police investigation (posted over at Bishop Hill http://www.bishop-hill.net/blog/2012/7/20/interview-with-julian-gregory.html ) I have to revise my previous post: doesn’t seem the police put much effort into this at all!

    Also hilarious the direct mention of Mosher. I think you ran rings around these guys, Steven; even if your theory turned out wrong, at least you bothered to “embark on a number of lines of enquiry”, which Mr. Gregory explicitly states (in a proud manner, no less) the police don’t do, unlike those (lousy) journalists.

  52. bugs,
    that the police were conducting the investigation does not rule out the possibility that people in senior administrative positions know who the “inside” orchestrator is. Recent experience at Penn State suggests that senior administration types may know things that police conducting an investigation do not know – and they don’t tell the police. And it seems equally possible that many of the things the police now know are not known sufficiently to prosecute and so are left unrevealed.

    it also occurred to me that the “insider” might be an insider at another institution where the more surprising emails might also have been copied, but for one reason or another, were not as accessible as at CRU.

    it seems very difficult to accept the possibility that outsiders knew there was something worth the trouble to extract without inside information.

  53. Re: j ferguson (Jul 20 11:59),

    But at least at Penn State, there finally was an investigation and heads rolled. Compare and contrast that to the Duke lacrosse team incident. The administration and faculty there still won’t admit that their odious public lynching (as it were) of the team members based on a single uncorroborated accusation which was later found to be false was a mistake. In fact, they still appear to be quite proud of their behavior according to the recent WSJ op-ed piece.

  54. bugs:

    You only have to read what FOIA has written to see that they are a person of limited intelligence and education. Not likely to be an inside job at a university. Their writings are just your every day, mundane screed on a climate denialist blog.

    LMAO.

    They are limited in intelligence and education but so brilliant as to pull off the hack of our lifetime.

    +1 bugs

  55. bugs:

    Are you saying they are lying? They said what they have evidence for, and it’s not going to get them someone to convict, but it is outside hacking by skilled criminals.

    I’m saying I don’t believe them, sans evidence. They wouldn’t believe me, why should I believe them?

  56. bugs

    They said what they have evidence for, and it’s not going to get them someone to convict, but it is outside hacking by skilled criminals.

    It sounds like they have very little evidence everyone didn’t know before their recent announcement. Someone used proxies? We knew that back in Nov. 2009.

  57. Someone used proxies? We knew that back in Nov. 2009.

    that’s my take as well. And while I’m no admirer of UEA, the police view that the use of proxy servers is beyond the technical competence of anyone at UEA seems an unreasonable disparagement of the institution.

  58. Lucia, I think if the investigation is really closed, they should release what information they obtained.

    Without that, I see no particular reason to trust their assessment. As you pointed out if it’s just the use of proxy servers, that’s not particularly sophisticated and doesn’t explain the technical knowledge needed to put together this archive.

    One doesn’t need to assume they are lying (I think that is your point too) to distrust a judgement given without meaningful documentation to substantiate how they arrived at that judgement.

    (It’s really interesting that the supergenius bugs, unimpeded by our inferior intellects, would naturally glom onto the only possible explanation for distrusting their judgment to be that they’re lying.)

  59. Carrick,
    my problem, maybe shared with some others, but not bugs apparently, is that I don’t feel this was a criminal action even if by statute it is. If the police saw it as not criminal, they would likely release the information that would not compromise continuing, (ah, er, evolving) IT security measures at CRU.

    But as they almost certainly see this as a criminal offense, they can’t very well say that it could be an inside job, handiwork of so-and-so, the post-doc, if by doing so they would be burdening him with an unprovable criminal allegation.

    And before anyone assaults me for wanting to pick and choose which statutes to accept, I know, I know, we cannot do that, but it does appear possible that this stuff could have gotten loose in public without a criminal act.

  60. >They are limited in intelligence and education but so brilliant as to pull off the hack of our lifetime.

    The hacker is George W Bush! It all makes sense. He took a few months to unpack, then had plenty of free time by summer 2009.

  61. @Carrick (Comment #99775)
    July 20th, 2012 at 1:37 pm

    LMAO.
    They are limited in intelligence and education but so brilliant as to pull off the hack of our lifetime.
    +1 bugs

    Short memory, Carrick. You will recall I also said that they had the money to buy the skills.

  62. bugs–
    Interesting theory anyway. I suspect it would be difficult for a dumb but wealthy person to locate the talented for-hire hacker who is willing to work in secret, not spill any beans, and who is capable of finding the mother-lode of CRU emails on a back up server. The only evidence in favor of your theory seems to be “bugs dreamed it up. So bugs likes the theory.” But I suspect you’ll stick with it.

  63. @Bugs
    They were of limited intelligence and education. But they had money to spend on “skills” to break into CRU to steal e-mails from researchers. And then they did the note-writing themselves. Why? They used all their means to buy hacking skills, or?
    Alternatively, they are supersmart like you. They hired someone of “limited intelligence and education” to write the notes. To trick you…into not knowing about their level of intelligence and education.
    .
    “You only have to read what FOIA has written to see that they are a person of limited intelligence and education.”
    .
    You don’t consider a lot of options, do you bugs. I’m curious bugs, how do you see that FOIA is a person of limited intelligence and education? I really want to know.

  64. bugs:

    Short memory, Carrick. You will recall I also said that they had the money to buy the skills.

    So they’re stupid and rich. /dumb

  65. bugs:

    You will recall I also said that they had the money to buy the skills.

    Yeah. Big money conspiracy.
    Are there still people who assume that EXXON must be involved anytime the Hockey Team gets embarrassed?

    You would think that with all that money Big Oil and the Koch Brothers spent on the hack that they would (a) want to get all those emails out well in advance of Copenhagen instead of doing it in batches so close to the opening (with a bunch more in reserve) and (b) not want known they held the most damaging ones back so they could blackmail Phil Jones et al to renounce Al Gore in a press conference in the lobby of American Petroleum Institute.

    Speaking of people with ingrained stupid assumptions, it would be fun to have bugs email Brian Ross that the Tea Party hacked the emails to see if he runs with it on air.

  66. I think it was an inside job, and the use of a proxy to “hack” CRU was just for irony.

  67. You only have to read what FOIA has written to see that they are a person of limited intelligence and education.

    So I went back and read what FOIA had written. Bugs is plainly wrong. FOIA writes well, if a touch tersely, with good grasp of grammar and punctuation. Apostrophes for “today’s decisions”, properly bracketed subordinate clauses and technical language like “redactions”. Actually s/he writes like a graduate student.

    Bugs doesn’t like his politics, so assumes he is an idiot. But Bugs is wrong.

  68. George Tobin (Comment #99786)
    July 20th, 2012 at 5:39 pm

    bugs:
    You will recall I also said that they had the money to buy the skills.
    Yeah. Big money conspiracy.
    Are there still people who assume that EXXON must be involved anytime the Hockey Team gets embarrassed?

    I never said it was a conspiracy. It doesn’t have to be, and they probably acted alone since no one still knows who they are. It wouldn’t cost that much to buy a few hackers.

  69. bugs

    It wouldn’t cost that much to buy a few hackers.

    Oh? I’ve never tried to buy any but I imagine it could cost quite a bit to buy a few skilled hackers. Moreover, it would be difficult to find trustworthy hackers who you could be sure would do a good job and not subsequently roll over and sing for the cops.

    If you’ve got specific experience, give us some details so we know you know whereof you speak.

  70. bugs (Comment #99789)

    > I never said it was a conspiracy. It doesn’t have to be, and they probably acted alone since no one still knows who they are.

    .

    In criminal law, a conspiracy is an agreement between two or more persons to break the law at some time in the future. (Wikipedia)

    .

    Emphasis added.

  71. It wouldn’t cost that much to buy a few hackers.

    It would take a deep wallet — and a considerable risk — to pay known criminals to go “fishing” on your behalf.

    It is most unlikely anyone would try to crack the UEA and not try anywhere else.

    This was not a paid fishing expedition.

  72. Mooloo:

    FOIA writes well, if a touch tersely, with good grasp of grammar and punctuation.

    Yes this is what I thought too, but given the execrable quality of bugs’ own writing, I had dismissed this comment as more nonsense from his CAWG-fevered brain.

  73. Mosher asks: “Who does the release of mails hurt and who has a motive to hurt them. Who would want to hurt Jones and why?”

    FOIA’s target appears to be far larger than just Phil Jones. A limited subset of the emails would have been enough to hurt Jones, another individual scientist, or even a small group of scientists. If FOIA is an insider, he wanted to damage climate science or climate science activists.

    It is hard to imagine breaking into CRU’s computers without knowing they would find something of value there. FOIA requests may have provided legal assistants and other staff access to some of the emails. The information that scandalous emails existed might have been deliberately or accidentally disclosed to the person(s) who broke in.

  74. >they had the money to buy the skills.

    George W Bush has lots of money.

    By the way, cut Bugs some slack. Even the US Government has made announcements about a lone-wolf conspirator. The defense counsel probably loved that. Perhaps Bugs is just getting tripped up by the newfound hatred of using ‘his’ instead of ‘his or her’

  75. I’m somewhat late to this party and I apologize if this has already been covered … but …

    bugs (Comment #99751) July 20th, 2012 at 5:06 am writes:

    So what the cops actually say, which no one has actually quoted so far, but is actually bleeding obvious to everyone.

    “While no criminal proceedings will be instigated, the investigation has concluded that the data breach was the result of a ‘sophisticated and carefully orchestrated attack on the CRU’s data files, carried out remotely via the internet’.”

    Poor bugs! He seems to have (perhaps understandably) missed the Norfolk plod’s subsequent “explication” which included (inter alia) overwhelming evidence of their dependence on “screening fallacies” :

    Generally speaking, it was a screening exercise which did not provide any positive lines of enquiry.

    Whilst – because we have not found the perpetrators – we cannot say categorically that no-one at the UEA is involved, there is no evidence to suggest that there was. The nature and sophistication of the attack does not suggest that it was anyone at the UEA.

    Which certainly calls into question the validity of Bugs’ “revisionist” claim that any statement by the Norfolk police can be construed as subsequently confirm[ing] … the [alleged but never substantiated and never proven -hro] “attack” on the Realclimate site [emphasis added -hro]

    Interestingly, this alleged (and never reported to the appropriate authorities and never proven -albeit ever-changing story) of this alleged “attack” preceded by many, many, moons the threads of the “story” now being echoed and promulgated by the Norfolk plod.

    But I’m sure it must be simply coincidence

  76. Based on what I have located the timeline re Realclimate activity on 17th November now looks like this. In summary the site was down for a large part of the morning and a WordPress upgrade was performed.

    (Many thanks to Frank Swifthack who got me looking more closely at the web archive after he spotted an upgrade had taken place. I was aware of the web archive entries but had only been using it for checking user postings at RC around the date. The archive trawls different pages from sites on different dates and Frank has not picked up on this so far.)

    (RC gives its time zone as -6 so I assume add 1 hour to get ET. Some of my observations will be invalid if I have misunderstood / miscalculated time zones.)

    Final post on 16th November at 11.24pm (12.24 am) passed by the RC moderators before they packed up for the day.

    This can be seen on this page taken from the web archive. My understanding is the date/timestamp is 09.03 am UTC = GMT which would date the archive at 04.03am ET

    http://web.archive.org/web/20091117090354/http://www.realclimate.org/index.php/archives/2007/03/

    Also it should be noted that at this point RC was being operated using WordPress 2.8.1

    Posts then went into the moderation queue. The last post made (and still viewable) during the morning of 17th November was made at 6.28 am (7.28 am ET)

    http://www.realclimate.org/index.php/archives/2009/10/an-open-letter-to-steve-levitt/

    763
    FurryCatHerder says:
    17 Nov 2009 at 6:28 AM

    At some point RC was then taken offline and posting did not resume until the afternoon.

    The events according to Gavin Schmidt as taken from several posts

    “At around 6.20am 7.20am (EST) Nov 17th, somebody hacked into the RC server from an IP address associated with a computer somewhere in Turkey, disabled access from the legitimate users, and uploaded a file FOIA.zip to our server”

    “the first comment posted on this subject was not at the Air Vent, but actually at ClimateAudit (comment 49 on a thread related to stripbark trees, dated Nov 17 5.24am (Central Time I think)). The username of the commenter was linked to the FOIA.zip file at realclimate.org. Four downloads occurred from that link while the file was still there (it no longer is).”

    “The zip file was temporarily available (about 30 min) from a link to this site until we shut it down and then removed it. It was never posted as a blog entry”

    (there was also a press article where it was mentioned the file was available for about 25mins)

    “Yes. We took the site down completely when we discovered the hack in progress.”

    “I woke up on Tuesday, 17 Nov 2009 completely unaware of what was about to unfold. I tried to log in to RealClimate, but for some reason my login did not work. Neither did the admin login. I logged in to the back-end via ssh, only to be inexplicably logged out again. I did it again. No dice. I then called the hosting company and told them to take us offline until I could see what was going on. When I did get control back from the hacker (and hacker it was), there was a large uploaded file on our server, and a draft post ready to go announcing the theft of the CRU emails.”

    “They used something to directly access the backend mySQL database (to export the password/user details to file prior to erasing them in the database) and to monitor logins to the ssh account. Neither of these things are standard WordPress functions. I conclude therefore they must have hacked both, though the actual entry point is obscure.”

    Some observations based on these comments

    1. the post at CA used a different proxy address to that used for access to RC possibly implying simultaneous use of 2 proxy addresses.

    2. The post by FurryCatHerder may coincide with the “hack” (check time zones)

    3. I feel it would be unlikely for someone to try to release the material via a hack into RC unless they already had information about how to get access in advance possibly through information provided in the release.

    4. The miracle post at CA if taken at face value (which I do) confirms Gavin’s statement that a file called FOIA.zip had been placed on the RC server. Alternative interpretations require an explanation for both the content and timing of the miracle post. They would also require Gavin Schmidt to be performing a major deception which appears to me to be a high risk knee jerk strategy with little to be gained and much to lose.

    There are 2 blog posts on the 17th November about RC being offline and several reports on the 18th November which are all indicative of RC being shut down at server level.

    RC posts resumed at 12.23pm (01.23 pm ET) on 17th November

    http://www.realclimate.org/index.php/archives/2009/11/muddying-the-peer-reviewed-literature/

    103
    Joel Shore says:
    17 Nov 2009 at 12:23 PM

    The web archive has captured some pages on the afternoon of the 17th November. For example this one which was captured at 18.14 UTC = 13.14 ET

    http://web.archive.org/web/20091117181422/http://www.realclimate.org/index.php/archives/2006/10/global-cooling-again/

    This page shows the website had been upgraded to WordPress 2.8.6 which includes several security patches.

  77. clivere (Comment #99799)
    July 21st, 2012 at 9:27 am

    Some additional strange stuff wrt RealClimate.org-

    Try this URL:

    http://www.realclimate.org/FOIA.zip

    It goes to the RealClimate top page. No 403 “resource not found” error message. In fact, you can type a forward slash followed by any assortment of allowed characters, right to the front page you go.
    So I suspect that on the morning of Nov 17,2009 the link at ClimateAudit posted by RC (http://www.realclimate.org/FOIA.zip) went to the head post, NOT to the zip file.

    Additionally- Gavin claims that access was gained by direct attack on the MySQL database. Elsewhere he claims that access was gained through a vertical permissions vulnerability (I’ll find the source). Correct me if I’m mistaken, but this vulnerability happens when lower level users are inadvertently given or use an easy hack to gain higher permissions. With a bit of detective work, it is easy to see that RealClimate has/had a tangled web of permissions. Mike Mann might step in with an inline comment on a post authored by Eric Steig, for example. That would require super-moderator permissions.

    There are currently 11 contributors listed at RC:
    Gavin Schmidt
    Michael Mann
    Caspar Ammann
    Rasmus Benestad
    Ray Bradley
    Stefan Rahmstorf
    Eric Steig
    David Archer
    Ray Pierrehumbert
    Thibault de Garidel
    Jim Bouldin

    There is also a user named “group”, not listed above. Who is “group”? What permission level does “group” have? How many users have the password for “group”?

    All in all, I feel there are too many unanswered questions, and Gavin Schmidt hasn’t been completely honest.

  78. Duke C. – They have allowed people to raise questions about this weeks announcement at RC but have not yet responded. Based on the way they work I am expecting they will respond and that may provide more info. Gavin Schmidt has previously stated he would not provide much detail whilst a Police investigation was underway.

    I would agree there are lots of unanswered questions.

  79. Duke C – one bit of speculation based on your observation. I wonder if the link to RC in the miracle post was not working properly and that RC/FOIA was trying to figure out how to make it work. The mysterious downloads could represent that activity.

  80. My take would be that either plod do not have a clue, as the techno babble is kindergarten level at best, (and see ‘nfn’ in Google), or this is a furious cover-up to hide the fact that it WAS an inside job. To be honest, I don’t much care either way, but I’d tend to the insider obfuscating and covering tracks.
    Most such ‘hacks’ are either inside jobs or socially engineered from contact with insiders, and I’d pick the former.
    ‘Buying’ a couple of hackers? No, this is not a B grade movie.
    The RC break-in is interesting, since to me it suggests inside knowledge, or from the MySQL ‘entry path’ it suggests to me that a WordPress ‘wp-config’ configuration file with bad permissions/ownership is a possibility.
    If one can read or list the config file, that gives a database name, username and p/word.
    From there, with database access, someone can list usernames, change passwords, sky’s the limit.
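
The misconfiguration raised in comment 80 can be checked for on a host you administer. The script below is an added example, not part of the thread and not RealClimate's code: it flags any `wp-config.php` readable by group or other and lists which database settings such a file would disclose (names only). The function names, the sample tree and the owner-only policy are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit wp-config.php read permissions under a web root.
# Function names and the sample tree are constructed for illustration.

# Print each wp-config.php under directory $1 whose mode grants read access
# to group (040) or other (004). POSIX find: "-perm -MODE" = all bits set.
find_exposed_wp_configs() {
    find "$1" -type f -name 'wp-config.php' \
        \( -perm -040 -o -perm -004 \) -print
}

# List the names (never the values) of the DB_* settings defined in file $1.
list_db_constants() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]\(DB_[A-Z_]*\)['\"].*/\1/p" "$1"
}

# Report exposed files and what they disclose; return 1 if any, else 0.
audit_wp_configs() {
    exposed=$(find_exposed_wp_configs "$1")
    if [ -z "$exposed" ]; then
        return 0
    fi
    printf '%s\n' "$exposed" | while IFS= read -r f; do
        printf 'EXPOSED %s discloses: %s\n' "$f" \
            "$(list_db_constants "$f" | tr '\n' ' ')"
    done
    return 1
}

# Build a constructed two-site tree: one config world-readable, one owner-only.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/blog-a" "$root/blog-b"
    for site in blog-a blog-b; do
        cat > "$root/$site/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
define( 'DB_PASSWORD', 'constructed-placeholder' );
EOF
    done
    chmod 644 "$root/blog-a/wp-config.php"   # readable by every local user
    chmod 600 "$root/blog-b/wp-config.php"   # owner only
    printf '%s\n' "$root"
}

sample=$(build_sample_tree)
audit_wp_configs "$sample" || echo "audit failed: restrict to owner (chmod 600)"
rm -rf "$sample"
```

The mode check does not cover the ownership half of the comment; on a real host also confirm the file's owner is the account the PHP process runs as.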

  81. clivere (Comment #99807)
    July 21st, 2012 at 11:59 am

    I got the feeling that it was an attention-getting banner, designed to pique the interest of any CA readers who happened to hover over it. When clicked, it went to the RC top post with the FOIA announcement ( which was “never published” according to Gavin) and an additional link to the Zip archive.

    Which brings up another curiosity. There is no provenance for “FOIA.zip”, other than Gavin’s claim. All sources for the actual archive trace back to “foi2009.zip” posted on the server in Tomsk.

    So if Gavin is telling the truth, he should make the original copy of “FOIA.zip” uploaded to RC on Nov. 17th. 2009 available.

  82. @Bro001

    What a juvenile use of highlighting.
    Let’s read it without the highlighting.

    Whilst – because we have not found the perpetrators – we cannot say categorically that no-one at the UEA is involved, there is no evidence to suggest that there was. The nature and sophistication of the attack does not suggest that it was anyone at the UEA.

  83. Duke C – re FOIA.zip vs FOI2009.zip.

    I did have a brief conversation with someone about this last year.

    Gavin Schmidt stated the contents of the files were identical but we don’t know if the metadata was different. Frank was drooling over getting a copy.

    I assume Gavin would have provided a copy of FOIA.zip to the UEA IT guys for their investigation on 18th/19th November. I don’t see how they would have been able to pinpoint the backup server without having a copy.

    Personally I think that Gavin should now host the file for us at RC so we can have a look. The irony of such an action would be a thing of beauty.
