An insight into Hacker-land

UPDATED: Posted the full Pointman article instead of the much abbreviated edit version. Thanks to Pointman.

hacking chip circuits

Hacked or leaked?

Pointman argues the case for the emails being leaked from inside. Part I of his thesis is that an expert hack takes a lot of money, patience and a rare personality. (And after reading his article I believe him.) In Part II Pointman suggests that there is not a lot of money or inclination to pay such an expert. Call me unconvinced on this second clause. Even though I’ve seen no evidence of big dollars at work in the skeptic case* I can imagine in any market worth 130 odd billion per annum that there would be players with handy shorts-ready-to-place who might like to pull some strings.

That said, the fact that the police investigation into the leak or hack has failed to find any answers combined with the obvious motivation for any half honest civil servant with a modicum of altruistic honor to act as a whistle-blower, means I find the whistle-blowing theory much more believable.

The ilk of the money-driven sociopathic derivative trader who makes money from shorting markets, and would have the balls to organize an illegal hack, doesn’t strike me as the type of person who also reads Watts Up With That or Climate Audit on their weekends. Without the in-depth knowledge of what they were looking for in the emails, it seems a tad hard to believe the money market would be hunting for ten year old messages from mediocre scientists who might be hiding measurements from Sweden that are recorded in degrees Celsius.

What makes Pointman’s post especially rewarding is the rich insight into the hacker world – and explained so well. It’s clear he has an unusual expertise, and I appreciated the detail.

Did you know in hacker land there are script kiddies, ascendants, and invisible great white sharks?

The difference between an internal security breach and a carefully coordinated external breach is vast.

Guest post by Pointman

Copied from the original with permission

Why Climategate was not a computer hack

Industry numbers say that 80% of all reported security breaches are internal but I and most other people with knowledge of the area would say the real figure is nearer 90% or upwards. If one of the Great Whites out there in cyberspace comes after you, it’s because you have information or a particular dataset that is of real value to them and they’re prepared to work very very hard to get it. They have the patience of Job.

Despite what Hollywood and the movies would have you believe, pulling off a successful external hack is far from easy. It requires skill, talent, detailed technical knowledge and above all, patience. Hackers come in three flavours: script kiddies, ascendants and what I like to call the Great Whites. Script kiddies just find scripts lying about the internet and run them, hoping they’ll achieve whatever it says on the can. Ascendants are graduate script kiddies who’re learning to write their own scripts and are perhaps delving deeper into the manuals. They tend to trade scripts with each other and to share some of them with the kiddies for reasons of ego and status. It’s a King of the Kids thing. The overwhelming majority of them never graduate to Great White simply because it requires a massive amount of effort to master the technical requirements and, I would have to say, dedication. They also lack that last but most important ingredient: the nerve to go after hardened targets with a jail sentence attached as the punishment for failure.

The very few who make it to Great White drop off everyone’s radar and are never heard from again, except for their work, and only when it’s detected. If I have to go looking for them, I usually start with their juvenile activities because that’s where they’ll have made the mistakes I can use to start locating them. The art, of course, is matching the adult’s style with the juvenile’s exploits, their ‘fist’ if you will. That’s why I spend some time watching the ascendants I think are showing some promise.

If the Climategate breach was a result of a hack, then it would have to have been done by a Great White.

This outline analysis of a classical frontal assault on an organisation should make that point. I’ve organised it into distinct phases, giving an insight into what each one is about. There are some things to bear in mind while reading this article. The intended audience is the general reader; no great knowledge of IT is assumed. Where it’s come down to technical accuracy or clarity, I’ve chosen the latter. It’s about technique rather than bits or bytes. It is not intended to be nor can it be used as a guide to hacking. Finally, it is not definitive in the sense that there are a myriad of other ways of achieving the same end.

Reconnaissance

A well constructed attack will begin with a non-invasive reconnaissance phase for information. The objective of this phase is to build up a detailed view of the organisation; its departmental structure, where its buildings are located, who works in the organisation and their roles, who their external suppliers are and the services supplied, any other organisations they interact with and pretty much anything else that can be found out. Google is the prime attack tool here. It will be used in a totally exhaustive search to find every piece of information on the organisation. As each new item of information is found, it in turn is used to find out more. For example, when a name is found, an effort would be made to get that person’s resume or CV, especially for IT personnel. Their areas of technical expertise are a good guide to the exact type of systems running inside the organisation. Why recruit them otherwise? Slightly more intrusive “social engineering” techniques may also be used. Social engineering is essentially tricking information out of people and is an art form in its own right. For example, to obtain CVs one could set up a minimal but very discreet headhunting recruitment site and simply request the CVs (under the strictest of confidence, of course). That one nearly always works.

Mapping and finger printing

The next phase is to build a detailed technical picture of all the networks and computer systems of the target organisation. This would include determining all services running, each service’s manufacturer and the exact software version, all network connections (internal and external) and of course all communications protocols in use.

All computers have what are called ports. Think of them as doorways into and out of the computer through which packets of data flow. The standard Intel chip has sixty-four thousand of these and usually a service operates using one or more of these ports. For instance, email usually uses two of these ports, one for incoming and one for outgoing email. Some other services only use one. There are several methods used to map the internal layout of the target but they all rely largely on sending small ‘signals’ or IP packets to selected ports and examining the result. The IP packets transmitted may be standard or deliberately malformed to provoke a response.

Determining what services are running is done in a similar manner but something called banners can be a help here. When an external server, such as an email server, gets in touch with an internal server, they have to first make contact with each other and establish a communications protocol. At the start of the conversation, normally called handshaking, a banner displaying who developed the server’s software may be shown, thus giving away details of the software’s manufacturer and possibly its version. Even though the banners can be suppressed and although the protocols are of course standardised, there are other nuances in the conversation which can be used to identify exactly the software and its version.

Using these and other methods, the services detected would be “finger-printed” and the exact manufacturer and software versions determined.

Breaking in

Now that all the technical details of the target’s systems are known, the actual breach can be attempted. It is the most dangerous phase since being noisy or clumsy will set off alarms. Like all internal work, it’s done in the middle of the night in the timezone of the target, allowing some time to recover from any mistakes. There are a number of ways of doing this but I’ll outline just two of the approaches. There are a lot more.

The classic technique is that since they now know the versions of the software, they consult the relevant manufacturer’s website to determine what security patches the version should have to cover loopholes. Armed with this information, they next try to exploit each vulnerability in turn, hoping the security patch has not been applied to the software. If just one works, they’re into the system.

The quality end of the market tends to take a more difficult but safer approach. They obtain, usually by purchase, the relevant software, install it on a machine and proceed to find a new way to break into it. Having found the weakness, they’ll use it to gain entry to the target’s system. They never share the weakness they’ve found, of course.

If the break-in fails on a particular server, they’ll move their attention to a different one.

Concealment and promotion

Once in, the next phase begins immediately because they need to conceal the break-in as soon as possible. They will install what’s called a “toolkit” or a “rootkit”, which is essentially a set of programs they can run inside the target’s systems. These are used to “climb the privilege ladder”, which means getting themselves an administrator’s account, the one with the most privileges. Having done this, they will create legitimate logon accounts for themselves and alter all audit logs to hide the break-in. A quick way of getting an administrator’s account is to install a keystroke logging utility or modify the login software and then create a minor problem with the server which will oblige an administrator to log onto it to investigate. When they log out, the intruder has his logon ID and password, which he uses to create a new administrator’s account. So, the system is now their bitch? No, not yet and not by a long chalk.

Traversal

All that’s been achieved so far is the Great White now owns a single server which is, to some extent or another, inside the organisation. The next step is to extend ownership or at least access to other servers. This is yet another very delicate technical gavotte whose precise steps I won’t burden you with but take it from me; it’s an even more difficult and time-consuming process. Paradoxically, system administrators pay more attention to what’s happening in internal systems than they do to perimeter systems. Anything strange occurring or anything new in the audit logs gets noticed, so even more care must be taken to make everything appear normal. It only ends when they’ve got access to the data they came in for and it’s been extracted but it isn’t over yet.

An orderly withdrawal

The final phase is always the cleanup and it’s done very carefully for two very good reasons. Firstly, if confidential information is known to have been accessed, it loses value. Secondly, and just as important, any traces left behind of the break-in will be used in any attempt to find the Great White. They will back out of the target’s systems, server by server, altering logs and closing down any accounts they’ve created. Any code injections will be removed as will all the trip wires they will have strung across the systems. Any internal programs they’ve had to modify will be restored from copies previously taken. At every point during the run, they will never have used an IP address that can be traced back to them and they will never ever use any of those IP addresses again. Any identities stolen will be relinquished, never to be used again. The hard drive of the attack computer used will be extracted from the machine and smashed to bits before the machine with any attendant routers and modems is consigned to the nearest furnace.

All but the first phase of such an attack can be detected by firewalls and Intrusion Detection Systems (IDS). Their answer is to do the subsequent phases very very slowly. Typically, they will probe just one of the ports they’re interested in, out of the available 64,000 on your server, in a day. This will not set off any alarms. As I said, the patience of Job. All this concerted effort to get at one mail server? Then more traversal work, to get at the backed up emails from a decade ago on a different server? And then yet another huge effort to hack across from the operations area over to the development area to get at the program source library? Simply no way. An insider job.
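As an added illustration of that last point (example code written for this page, not from Pointman’s article): the same distinct-port threshold misses a one-port-a-day probe when the detector’s window is seconds long, and catches it when per-source state is kept for weeks. The firewall log format, addresses and timestamps below are constructed.

```python
"""
Slow port-scan detection over constructed firewall log lines.

Added example, not from the original article. It contrasts a burst detector
(short window, the kind a patient attacker stays under) with a detector that
keeps per-source state for weeks, which is what catches one probe a day.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: "<ISO timestamp> <ACTION> src=<ip> dst=<ip> dport=<port>".
# 203.0.113.7 touches one new port per night for six nights (slow scan).
# 198.51.100.9 touches six ports in six seconds (noisy scan).
SAMPLE_LOGS = """\
2010-12-01T03:12:08 DROP src=203.0.113.7 dst=192.0.2.10 dport=21
2010-12-01T09:40:11 ACCEPT src=198.51.100.4 dst=192.0.2.10 dport=80
2010-12-02T02:58:41 DROP src=203.0.113.7 dst=192.0.2.10 dport=22
2010-12-03T03:05:19 DROP src=203.0.113.7 dst=192.0.2.10 dport=25
2010-12-04T03:30:02 DROP src=203.0.113.7 dst=192.0.2.10 dport=110
2010-12-05T02:47:55 DROP src=203.0.113.7 dst=192.0.2.10 dport=143
2010-12-06T03:01:30 DROP src=203.0.113.7 dst=192.0.2.10 dport=443
2010-12-06T10:00:00 DROP src=198.51.100.9 dst=192.0.2.10 dport=8080
2010-12-06T10:00:01 DROP src=198.51.100.9 dst=192.0.2.10 dport=8081
2010-12-06T10:00:02 DROP src=198.51.100.9 dst=192.0.2.10 dport=8082
2010-12-06T10:00:03 DROP src=198.51.100.9 dst=192.0.2.10 dport=8083
2010-12-06T10:00:04 DROP src=198.51.100.9 dst=192.0.2.10 dport=8084
2010-12-06T10:00:05 DROP src=198.51.100.9 dst=192.0.2.10 dport=8085
"""


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime and an int port."""
    ts, action, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.fromisoformat(ts),
        "action": action,
        "src": fields["src"],
        "dport": int(fields["dport"]),
    }


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def distinct_port_scanners(events, window, min_ports):
    """
    Flag every source that touched at least `min_ports` distinct destination
    ports within any sliding `window` of time. Only DROP events count, since
    rejected connections to closed ports are the signature of probing.
    """
    by_src = defaultdict(list)
    for ev in events:
        if ev["action"] == "DROP":
            by_src[ev["src"]].append(ev)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {e["dport"] for e in evs[start:end + 1]}
            if len(ports) >= min_ports:
                span_days = (evs[end]["ts"] - evs[start]["ts"]).days
                flagged[src] = {"ports": sorted(ports), "span_days": span_days}
                break
    return flagged


def compare_detectors(text, min_ports=5):
    """
    Run the same threshold with a 60-second window (typical burst rule) and a
    30-day window (per-source state retained across weeks) and return both.
    """
    events = parse_logs(text)
    return {
        "burst": distinct_port_scanners(events, timedelta(seconds=60), min_ports),
        "slow": distinct_port_scanners(events, timedelta(days=30), min_ports),
    }


if __name__ == "__main__":
    result = compare_detectors(SAMPLE_LOGS)
    for name, hits in result.items():
        print(f"{name:5s} detector flagged: {sorted(hits)}")
        for src, info in hits.items():
            print(f"  {src}: {len(info['ports'])} ports over {info['span_days']} day(s)")
```

The long-window detector needs state that survives log rotation and daemon restarts, which is exactly what a one-probe-a-day attacker is betting the defender does not keep.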

Anyone who thinks all of the above effort was expended to obtain apparently innocuous material from an obscure unit of an equally academically obscure university, needs an introduction to William of Occam’s razor.

This post was updated to include the full post from Pointman’s site here. I didn’t quite capture his full expertise in the short review. Thanks for his permission to do so.

I enjoy listening to a master of any topic, and Pointman writes very well.

PS: As Colin Henderson says in comments — to the person (or people) responsible for releasing all those emails. Thank you! What a difference you’ve made.

* (If you have some, I know a blogger who’d like to hear from you) 🙂 .

Photo thanks to Futase_tdkr.



68 comments to An insight into Hacker-land

  • #
    FijiDave

    “The art of course, is matching the adult’s style with the juvenile’s exploits, their ‘fist’ if you will.”

    It is interesting to note the use of the word “fist” to describe a person’s signature. The author must have a background in communications or amateur radio where Morse code was common in the former and still is in the latter.

    A Morse operator’s “fist” is as recognizable as his face, or voice, once you’ve learned his idiosyncrasies.

    Interesting post, Jo.

    Happy Christmas to you and yours, and thanks for an interesting site. I’ve learnt a lot.

    10

  • #
    Baa Humbug

    Fascinating world of cyberspace. Thanx Pointman and merry christmas.

    Thanx to you too Jo, merry christmas.

    10

  • #
    Johann de Waal

    He knows of what he speaks. Never had enough patience, myself.
    Leak rather than ‘hack’. Undoubtedly. (‘Hacker’/’hack’ mean something different than what is common usage, to the cognoscenti).
    Although, to be fair (who, me?), University IT tends to be sloppy/dis-organised/chaotic – PYO.
    No question that the ‘lamestream’© media ignore (conspire? – perish the very thought!).

    10

  • #
    Rereke Whakaaro

    FijiDave: # 1

    The author must have a background in communications or amateur radio where Morse code was common …

    Not necessarily so, Dave.

    A lot of people with a military background, and especially those with the obvious skills and knowledge that Pointman demonstrates, are still taught Morse code as part of their basic training.

    The reason is that, as communications technology becomes more and more sophisticated, it also becomes more concentrated and therefore more vulnerable. For example, a lot of countries, including Australia and New Zealand are highly reliant on the communications satellite network, and would be significantly deafened and blinded were that network to be disrupted.

    In case of war, microwave towers are obvious (and easy) targets. Underground cable networks likewise (you can buy maps!). Voice radio can also be disrupted by jamming, or sudden bursts of electromagnetic radiation, making communication difficult.

    But Morse code signals can still get through all of the electronic noise and static, to be read by a trained operator, even if it is at a painfully slow rate of ten to fifteen words per minute.

    10

  • #
    PJP

    While I agree with what Pointman writes, I think that his assumption that it can’t have been a hack could be wrong.

    He is assuming a competently designed IT infrastructure and competent system administrators. I suspect that neither were present.

    Poorly designed infrastructure and poorly administered systems, possibly leaving one or more well known holes in the system open, make it trivial for even the script kiddies to gain access (this is the ONLY way script kiddies ever succeed, going after un-patched systems with known bugs).

    So getting into the systems may not have been such a big problem.

    Knowing what to look for is a different matter.
    I tend to believe that the name of the zip file obtained gives part of it away.
    It probably was, as has been suggested before, a set of emails deliberately removed from the email archives to avoid FOI requests, but they just couldn’t face destroying all that history, so kept a “secret” backup of potentially incriminating data and emails.

    Perhaps a script kiddie stumbled upon this and recognized it for what it was.
    Perhaps someone that built this backup mentioned it a bit too freely, and someone with script kiddie skills (or contacts) went looking.

    I’m not saying that it was a hack, it most probably was an inside job, but I just don’t write off a hack quite that easily.

    10

  • #
    PJB

    9-11-17 was an inside job…

    Motive: Disgust with obvious shenanigans of those in power. Check

    Means: Access to the files and computer-use technical expertise. Check

    Opportunity: Anytime that the bosses are “not looking”. Check

    I will go with Miss Scarlet (the secretary) in the UEA office, with the desktop computer.

    QED

    10

  • #
    Jack

    Merry X-mas to all. Thanks, Jo, for all that you have done. I’ve learned plenty from this site.

    10

  • #
    FijiDave

    Rereke

    Thanks. I hadn’t considered the issues you’ve raised. I thought Morse had gone the way of the Dodo, with the exception of those who enjoy it – as I used to. I used to be quite comfortable at 30 wpm, and it was always a nice little fillip to hear someone answering you and trying to guess where he was. Of course, as soon as his callsign came through, you knew. The Russians, 30 years ago, weren’t much fun – “My name Boris. It is cold.” 🙂

    Have a good Xmas, Rereke, and thanks for your interesting comments, which I have enjoyed since finding this site last February. Good fodder for my ever-decreasing grey cell population.

    Cheers

    10

  • #
    Andrew Barnham

    Fact remains no one knows under what circumstances this information was liberated.

    It is certainly highly unlikely to be a sophisticated attack; but still within the realm of possibility.

    More likely it was either an insider job or an unsophisticated attack. Poorly managed IT infrastructure is easy to break into for an experienced IT professional. Think the movie “The Social Network” when the Zuckerman character steals all the photos of the girls off Harvard computer servers: this is a fairly accurate representation of what can, and often, happens. I consider myself such a person and I indeed did get myself into a spot of bother about 10 years ago with Church of Scientology and their online personality test but that’s another story. I have done a lot of IT security analysis from the point of view of trying to prevent these sort of things from happening. I am no ‘great white shark’, but I could, if I wanted, walk through a poorly managed IT setup, steal data and leave without a trace and without a great deal of effort; and I know a number of colleagues with the same level of minimal skill: not your average grad but a dedicated geek who’s been at it for 15 years would have picked up the necessary skill and knowledge as an incidental part of their geek pursuits.

    In my own mind, I cannot confidently assign probability to the task being either an unsophisticated attack or an insider job. Insider jobs are most common, but there is a sufficient level of public interest in the information that was liberated to not rule out the possibility of an outside attack. The way to resolve this would be to audit the organisation’s IT infrastructure and verify how robust it is. If it is a shambles (likely, this is a university after all; their networks tend to be a mess) then we cannot rule out the possibility of an unsophisticated external attack.

    10

  • #
    Bulldust

    This reminds me of the analysis posted on WUWT not long after ClimateGate:

    http://wattsupwiththat.com/2009/12/07/comprhensive-network-analysis-shows-climategate-likely-to-be-a-leak/

    Lance Levsen, Network Analyst, came to the same conclusion. It always makes me a tad angry when I read “the CRU hack”, because I know that it is emotive language used to move the reader to be sympathetic to the AGW case. In all probability it was a leak and therefore “hack” is the language of advocates, not analysts.

    10

  • #
    Colin Henderson

    Whoever it was – THANK YOU! You may have saved us from an unelected world government (the UN).

    Merry Christmas

    10

  • #
    David Burgess

    For conjecture, my view is that stupidity rules;

    1) There has been no display of anything that resembles competence. Pointman assumes that the UEA IT people were/are competent. A better assumption is that the UEA staff charged with guarding server backups were also incompetent.

    2) Backups/archives and/or drive images were placed on removable media OR servers were replaced/upgraded without destroying the content of their drives.

    3) Backup media or old servers were thrown out to rubbish or second hand market.

    4) Person(s) who acquired discarded material curiously browse content before destroying the data on the acquired media. This data was most likely distributed without necessarily understanding the explosive nature of the content.

    With the exception of defence departments, few organizations are disciplined regarding the destruction of superseded media.

    No magic hacker, just sloppiness and stupidity.

    10

  • #

    I work in Internet Security, and the “hack” idea never made any sense, from a forensics sense.

    Modern email servers (Microsoft Exchange or Unix sendmail) store all the email messages in a small number of files. But the ClimateGate emails were each stored in a separate file. This doesn’t make any sense if it were a hack (the Bad Guy would grab the few files, and edit out everything but the messages he wanted). However, it makes total sense if these were messages gathered over the course of six weeks for a FOIA effort.

    There were also rumors of a “mole” in the CRU, back in (IIRC) summer 2009.

    Nothing points towards an external attack. Everything points to an internal leaker.

    10

  • #
    David Burgess

    I forgot to mention the idiot(s) responsible for the loss of the data will desperately cover up their mistake. That’s why no one knows who it is.

    10

  • #

    Is it just me, but do the lame comments by Burgess look really incoherent and pathetic? Half-hearted even?

    Pointman

    10

  • #
    Mike Mangan

    I believe the whistle blower was Keith Briffa. It irritates me that not one word has been heard from this man since before the leak. His Wiki page is bereft of almost all information and is protected by some cabal of AGW zealots. The first email in the trove was to him and his name is mentioned more than any other in total. You would think at the one year anniversary of Climategate at least one enterprising journalist might ring him up and ask his opinion. But nooo, we don’t even know if he’s alive.

    10

  • #
    1DandyTroll

    It’s always funny when people in the so called know jump through a zillion hoops to reach a conclusion of elaborate, dramaturgic, doctor bloody doom style of crimes.

    Most hackers are delinquents, doing it for the mere fun of it, actually knowing almost nothing about what they do. When young there are only two points to hacking, learning to beat the system or just understand the system, which is, and has always been, to the letter, done by trial and error.

    Dumpster diving used to be a petty crime to get “free” logon information and could be called recon but the only ones that have been diving the dumpsters since like mid 90s are the cops and stalkers. Two things really made that happen, it became considered not a petty crime due to information getting actual value and, of course, therefore, companies beefed up security.

    Maybe one could define social engineering as a type of recon tactic, and some are really good at it, but still it’s just about getting “logon information”. To actually recon more information other than everyday computer tech stuff by “hi, this is IT support …” tends to be way above the social competency for pretty much every computer nerd, especially the younger they are.

    Hacking doesn’t cost much these days other than your flat rate internet connection. You don’t even need to buy books since it’s all downloadable anyhow. The hardware is so cheap today that even a crap modem cost more in the 80’s. And only the halfwits had to pay for phone cost back in the day. Personal greed cost, not hacking.

    And while your local mob forces people into hacking directly or indirectly, usually because some hacker develops habits of illegal substances, this crowd doesn’t do it for ideology, and they don’t care much for weather data and some emails to release free of charge.

    And while your local national security wizards might spend a lot of time hacking elaborate hacks, they’ll probably just do it to find an easy way in. However, and even though they spend tons of money on it, what are the chances they are interested in weather data and old emails to release to the world.

    Crazed tech savvy hippies from the greenpeace crowd probably didn’t hack the system to release emails that made them look like actual crazed hippie doom peddlers.

    Oh, maybe the oil and coal tzars paid for it? Why the hell should they when just two of ’em alone spent half a billion dollars getting the CAGW hippies to green wash ’em? And they make more money on the global warming scare than the so called 100% green “CAGW” energy producers themselves.

    Hacking is so elaborately hard these days and filled with all the dramaturgy you can feel by going to the tools menu in Microsoft Windows Explorer, or going to the Finder’s menu in Mac OS X, clicking connect to network … giving an IP address and browsing the contents. You’d be surprised how many non protected networks there are. See, security is time consuming and costs money, that’s why there’s such a lack of it, and of course the systems today are big and admins always forget to lock down all the doors. But if you really feel the need to recon go out to the local “after work” bars. But if you want inside information on a company system you just have to surf around on the usual IT-tech-experts’ forums, it is astounding how much information people give away about their companies and their systems.

    In the 80’s there essentially was no security, today it is like there is no security because most IT personnel and most people using computers don’t know how to really secure a system, they just think it is secure because there’s like all these security tools and measures in there, right. It’s like it has come full circle just like with cracking encryptions. The latter got a weird break a couple of years back when three American university students, instead of cracking the encryption, treated the encrypted signal more like how to interpret and translate a foreign language or how you crack simple encryptions (think like what’s the most common letters and words used to start a sentence with?) So instead of cracking the encryption they just went back to the good old technique of listening to the signal and its patterns, thus in the end not very elaborate, just the same as always.

    10

  • #
    Bernd Felsche

    Borepatch

    Modern email servers (Microsoft Exchange or Unix sendmail) store all the email messages in a small number of files.

    Those are antiques. sendmail has been abandoned by all serious system users due to inherent security flaws, displaced by e.g. postfix as MTA (mail transport agent) and a network-aware mail storage system (for e.g. IMAP and POP). Modern mail systems run on fast filesystems that can handle many small files efficiently and store each message in its own file; aka “maildir”. Look at e.g. Cyrus out of CMU.

    The antiques worked around clunky filesystems (with a limited number of files and slow file-create operations) by implementing their own within large files. Which makes the software more complicated and, especially in the case of those which dynamically compress (as if storage wasn’t 10,000 times cheaper when their software was originally crafted), any file corruption can result in all or many emails being lost.

    Keeping the messages as separate files has distinct advantages for those who need to manage systems because they don’t have to use the mail server software to e.g. perform even simple tasks like backups; they can use any utility to perform backups with a risk of the backup being worthless due to the mail-base being updated while being read for backup.

    10

  • #

    1DandyTroll, congratulations, you’ve just earnt the content-free scroll past award.

    Pointman

    10

  • #
    John McLean

    The CRU files apparently surfaced first at tomsc.ru. I am struck by the similarity to toms.cru, which might refer to a machine known at CRU as tom’s (Tom Wrigley’s?).

    I wonder if the leak didn’t come about because of an error in transferring files from one CRU machine to another, perhaps with a view to hiding those files away from FOI requests. After having read many of the files that accompanied the emails I have to say that I wasn’t impressed by the level of competence in IT matters of anyone at the CRU.

    Wouldn’t it be ironic if the CRU people scored an own goal!

    10

  • #

    @Bernd Felsche, there are certainly more modern email servers (although sendmail has much improved security after a more or less complete re-write ten years ago).

    However, the question is whether many Universities (and the CRU in particular) upgraded and migrated their old email. I have no idea, but it seems a reasonable bet that the newest, most powerful systems would be devoted to something more important than email.

    The old saying has a ring of truth: “The only reason that the Lord could create the entire heavens and earth in only six days is because He had no installed base to support.”

    Your mileage may vary, void where prohibited, do not remove tag under penalty of law.

    10

  • #
    Rereke Whakaaro

    FijiDave: # 5

    The Russians, 30 years ago, weren’t much fun – “My name Boris. It is cold.”

    Thirty years ago, if his name was Boris, then he was probably a KGB “Listener”. They were all called “Boris” 🙂

    Have a good Xmas yourself.

    10

  • #

    I may have done Pointman a disservice by only copying a third of his post, perhaps leaving out too much of his detail and not conveying the depth of knowledge he obviously has. (I would have happily posted it all but that seemed rude, not to mention, a breach of copyright without asking him.)

    Comments are welcome as always, but people commenting on hacking ought to read Pointman’s whole post – which contains a lot more detail.

    Pointman: Burgess is genuine, a skeptic and knows a lot about networks, linux etc. Read his comments in that context. If you would prefer I can make this post a full guest post and reproduce your good work here. For the moment I’ll add a stronger recommendation people visit your site.

    10

  • #

    I have to say that I agree with pointman 100% (great article btw!)

    Whilst it is entirely possible that the security at CRU might be light compared to other commercial organisations (they probably never expected to get serious attention from hacking) – the fact remains that it is still hard to get into and (I am so pleased this was mentioned) out again of a network without leaving some evidence of your visit behind, let alone the problems with actually finding the stuff you’re after.

    If the IT forensic teams with the police haven’t found anything after all this time, then you have one of 3 scenarios:

    1. CRU network and system security is very poor and no logs are kept anywhere
    2. The hack was done by a serious expert who also knew what they were looking for
    3. It’s an inside job by someone who just got fed up with all the crap.

    I know where my money is at.

    10

  • #
    Speedy

    This year has been a real eye-opener for a lot of people and as more people come to understand the AGW scam, then the less likely it is to succeed. At the risk of being snarky,

    There’s a lot less to this than meets the eye.

    I think they were talking about Julia Gillard but no matter…

    Thanks Jo for your wonderful work on this site. It’s a pity Big Oil doesn’t fund you but I suppose if they’ve got their finger in the scam then it’s hardly likely. Also, to all the commentators – there’s an amazingly eclectic group who gather here – and to those who just come and read; I hope they pass on their new-found understanding. And to all our trolls – best wishes!

    After all, it’s Christmas.

    Cheers,

    Speedy

    10

  • #
    Ross

    Thanks Pointman for an interesting read and to Bulldust @ 7 for the other analysis backing up Pointman’s view. Personally I’m with Mike @ 13 as the selection of emails which were released had to be done by someone very close to the “action” — whether it was actually Biffa or the person in charge of FOIA requests could be debated. But some of the emails were very recent at the time so whoever it was I just say thank you very much.

    Thanks Jo for all your hard work during the year and I hope you get some satisfaction from the obvious rise in popularity of your site. A very Merry Christmas and best wishes for the New Year to you and your family.

    All the very best to everyone else who regularly visits and contributes to the site.

    10

  • #

    I just read Pointman’s post and his analysis is deeply flawed. What pointman describes is called an external attack. That’s when you are breaking into a network without any access to the organisation’s assets. Think a bank, national security agency, etc. These organisations have extreme security protocols in place to prevent the leaking of assets, software configurations, passwords etc. This is the hardest type of hack and is rarely ever used because it is so labour intensive. Only spy agencies are really ever going to engage in this type of hack in this day and age.

    Now, I’m not going to speculate as to whether the climategate files were leaked or hacked, I don’t find the conversation interesting or relevant.

    But. If it were a hack it would have been one of two types. Internal hack. Phishing attack. Both are probable but, my money would be on phishing and I’ll state my reasons after explaining what the two are. Both of these methods usually involve the use of trojan horses to sit inside the operating systems and send data either all at once, or slowly over a period of time.

    Internal attack is often called the ‘disgruntled employee attack’. Someone with knowledge of network assets simply logs in and steals the data. They know the network and either have usable root access credentials or understand how to mine for those credentials.

    The phishing attack is usually done by pretending to be a website or web service. You set up an identical looking site to the service you are using and send an email link to it asking to logon and update/confirm account details. A standard tactic is to advertise a special offer or pretend there is server maintenance. The credentials are then retained by the attacker and used against the user. This relies on the laziness of people not verifying the address of the site they are logging onto and using the same login credentials for every system/software they use.

    Why would it be a phishing attack?

    1.) Emails were filtered up to a certain date so, all attack emails have been removed from the released document folder.

    2.) The motley CRU resisted FOI requests. This might have something to do with them using their university account for personal use. Possibly porn surfing, social networking, etc. This would not look good for them if the university had to trawl through their inboxes at each FOI request.

    Let me just slay the dragon that most hacking requires a huge amount of resources and expertise. It’s a big fat myth. I’ve worked on a number of enterprise software solutions with so many security holes you can describe them as flyscreens. Why? Because business managers are always pushing down the cost of software development to the point that most software you use today is an insecure, buggy piece of crap. There is always the intention to go back and fix the flaws but this is always trumped by the new client requesting a new feature X or an upgrade of feature Y.

    To undertake most hacks you need to be aware of a SINGLE security flaw. To program software you need to be aware of EVERY security flaw. Half the web linked software I use I could hack in a day, the same can be said for most programmers. The reason why programmers don’t hack is because earning good money building software is preferable to the possibility of doing hard gaol time. Only organised crime and teenagers with serious angst issues hack computers. Once a script kiddie grows up and starts earning real money applying their skill, the temptation to risk that by hacking is a distant memory.

    10

  • #
    Pete Hayes

    Waffle. You would be amazed how many high street bank systems are easily accessible!

    I am a long in the tooth guy nowadays but got my son into computers at a very early age. He now works in an Internet security company (sorry, I will not name names due to the level he works at and the fact that he is probably data logging me even though I use up to date software to prevent the young git!)

    Around 5 years ago we were in my car driving down a UK high street. I parked up and went into a shop to buy…whatever. I came back to the car to find no son. 20 minutes later he walked back to the car with his laptop in hand and a smile on his face having just met the bank manager and signed him up purely on the strength that the bank’s wireless system was wide open!

    To be honest, the UEA is a small university and probably has naff all in the way of experts in IT security. What, anywhere decent, computer whizz kid would waste his time trying for a degree in that place? I always have a picture of a degree printed on a toilet roll when I see the name of the place!

    I went to the oracle (my son) over the email release and after a couple of days he simply said, “Trust me dad, inside job”.

    Oh well, must go now, Xmas Eve feast to prepare! Have a great Xmas all.

    10

  • #
    cohenite

    It’s interesting that pro AGW sites like RC and Deltoid staunchly maintained that the emails were obtained through external hacking and not through a disgruntled insider. That is as interesting as the technical arguments because the group mind set promulgating AGW has been forced to rely on the herd mentality arguments of consensus, authority and censorship; an inside job really undermines those concepts and to the tribalists of AGW would represent a bigger threat than opposing science.

    10

  • #
    Tel

    I remember those SiS graphics cards, they were absolute rubbish.

    These days, if you aren’t running a botnet with at least a few hundred nodes, you shouldn’t really even be calling yourself a hacker. Most cracks start with a computer virus… just letting the machines plug away stumbling across whatever. The result is that people regularly turn up useful stuff by accident, but not something they can use themselves; so it ultimately comes down to who they can trade with and how to find a buyer (just like various other illegal commodities manage to create illegal marketplaces). Given that all the world’s espionage agencies know about the trading of hacked data and broken machines, it seems very difficult to believe they don’t occasionally partake in a bit of buy and sell, in the name of national security of course.

    I find it entirely conceivable that with typically lax academic security procedures and students drafted as part-time sysadmins, there was quite likely an easy way in the door. Since poorly maintained laptops go in and out of those places on a daily basis, I’d be guessing that at least a quarter of those laptops would have some sort of malware. Possibly that particular broken mail server came up for sale and then got bought by someone a bit interested in the whole global warming issue.

    My argument against an inside job is that relatively few people were in a position to do the job from the inside, and even fewer would have had motive. Thus if it was done from the inside then the perpetrator would logically have had a high expectation of getting caught.

    The senior academics are all so solidly on the gravy train, they wouldn’t dream of upsetting their meal ticket, only a tiny handful of paid sysadmin staff would even exist, so that only leaves perhaps a disillusioned student doing it to take revenge after being lied to (the purest motive I can think of). Such a student should in principle be easy to identify (or at very least short listed), and it’s unlikely they would have done such a clean job that no trace was left behind.

    Of course it is entirely possible that the CRU team are fully aware of the traitor within their midst but this particular individual had the smarts to keep some ammunition as backup (possibly there are more emails, and those are worse).

    I also would not entirely write off China. A lot of probe attempts come from Chinese IP addresses and it’s kind of funny the way the Chinese government runs one of the most comprehensive firewalls in the world but still their citizens are banging away trying to break into stuff all over the world. I daresay a bit of government job creation involves building up a cyber warfare capability and subtlety isn’t a priority. Since it was China that derailed the Copenhagen talks, it just might have been China that had both the motive and the means to ensure that their coal burning can continue a few decades longer without question.

    That’s pure speculation on my part… but if the Chinese want to be treated with less suspicion they could consider not blatantly probing everyone’s servers.

    10

  • #
    @motsatt

    I’ll tell you what I think happened. The mails and documents were organized very differently in two separate folders with the mails in chronological order and the documents in a big mess, and then all packaged in a neat little zip file. That was not done by any hackers but done on purpose by the university folks themselves to stir a confusion on how the information can have been collected. They then left the file on some server. Jones/Briffa, or whomever, then contacted someone that arranged for someone to hack into the university and get the file they had prepared and not leave a trace back to themselves, which is very easily done on the internet.

    But why? CRU had a big problem with the FOI requests that called for such a desperate measure. If they refused the requests or left anything out the alarms would have rung a story MSM couldn’t hide from, with them in the focus. If they just handed the information over the impact of the mails and documents would have been so much more severe, so neither option was in their favor. But the hack? Two reasons for that. One is the police that would have looked at logs and found an actual hack had taken place and since police never voluntarily extend their own investigations they would have backed off. The other reason is to victimize scientists in general and make it ok for environmentalists to get behind them and publicly downplay the whole incident. And that strategy has been visible all 2010 where science apparently is under attack by radical evil people with hacker friends. You might worry yourselves with Occam’s razor, I’ll stick with Confucius and Sun Tzu.

    Happy Christmas.

    10

  • #
    Roy Hogue

    Having read Pointman’s analysis and all the above I’ll favor the inside job just on the basis of how the leaked data was organized. I think his basic analysis is correct.

    A hack job is mitigated against by the technical difficulty — even if UEA security was bad — and the amount of time a hacker would have to spend looking for something of interest, i.e.; longer time in the system, greater risk of exposure.

    An insider would have easy access to everything, would know where things are and could copy files to a simple external disk drive, then put the disk in a briefcase and walk off with it. The technical difficulty is just about zero.

    From the look of it most of the work was already done and just sitting somewhere waiting to be walked off with.

    I will disagree slightly with Pointman however. 🙂 It would be very hard for even the best hacker to leave no trace at all. A file deleted or modified and then restored to its original version as he suggests, will leave tracks on the disk. For one thing, a deleted file just disappears from the directory in which it was cataloged and the space it occupied is marked as available again. But the data is still there and may not be overwritten for some time. And even if the old data is overwritten it’s possible to read old data several layers down.

    Forensic examination of a computer consists of not only looking at the files the OS currently knows about but all the free space as well, even looking as many layers down as possible. This is such an easy job with the right equipment that DOD (Department of Defense) specs for sanitizing a disk that has held classified data require overwriting the entire disk 10 times with specific bit patterns, random numbers and simulated machine instructions.

    I doubt that the disks were examined at UEA. And even if so, old and overwritten content might not be recognized as the clue it really is. But there would be something there that wouldn’t be there if the hacker hadn’t been there.

    10
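    The point Roy makes about deleted files is easy to demonstrate. The block below is an added example (not from the original post or from Pointman’s article): a toy block device with a free list and a flat directory, where “delete” does exactly what most file systems do, which is forget the name and mark the blocks reusable, and a free-space scan for a known header gets the bytes back until they are overwritten. The disk layout, the sample files and the archive contents are all constructed here; the only real-world constant is the ZIP local-file-header signature.

```python
"""
Added example, not from the original post: a toy disk image showing that
deleting a file drops its directory entry and frees its blocks while the
bytes stay behind in unallocated space, where a free-space scan for a known
header recovers them until they are overwritten.  The file system layout,
the sample files and the archive contents are all constructed here.
"""
BLOCK = 64                   # bytes per block in the toy image
NBLOCKS = 32                 # 2 KiB image is plenty for the demonstration
ZIP_MAGIC = b"PK\x03\x04"    # real ZIP local-file-header signature

# Constructed archive-like payload: a real ZIP header followed by text filler.
ARCHIVE = ZIP_MAGIC + b"constructed sample payload, not a real archive. " * 3


class ToyDisk:
    """Minimal block device with a free list and a flat directory."""

    def __init__(self):
        self.image = bytearray(NBLOCKS * BLOCK)
        self.free = set(range(NBLOCKS))   # allocation bitmap kept as a set
        self.directory = {}               # name -> ordered list of blocks

    def write_file(self, name, data):
        blocks = []
        for off in range(0, len(data), BLOCK):
            b = min(self.free)            # first-fit allocation
            self.free.remove(b)
            chunk = data[off:off + BLOCK]
            self.image[b * BLOCK:b * BLOCK + len(chunk)] = chunk
            blocks.append(b)
        self.directory[name] = blocks

    def read_file(self, name):
        """Normal read through the directory; raises KeyError once deleted."""
        data = b"".join(bytes(self.image[b * BLOCK:(b + 1) * BLOCK])
                        for b in self.directory[name])
        return data.rstrip(b"\x00")

    def delete_file(self, name):
        # An ordinary delete: forget the name and mark the blocks reusable.
        # Nothing touches the data itself.
        for b in self.directory.pop(name):
            self.free.add(b)

    def carve_free_space(self, magic):
        """Forensic view: walk unallocated blocks looking for `magic` at a
        block boundary and return the contiguous free-space run behind it."""
        recovered = []
        for b in sorted(self.free):
            if self.image[b * BLOCK:b * BLOCK + len(magic)] != magic:
                continue
            run = bytearray()
            while b < NBLOCKS and b in self.free:
                run += self.image[b * BLOCK:(b + 1) * BLOCK]
                b += 1
            recovered.append(bytes(run).rstrip(b"\x00"))
        return recovered

    def wipe_free_space(self, fill=0x00):
        """Sanitise unallocated blocks with one pass of a fixed pattern."""
        for b in self.free:
            self.image[b * BLOCK:(b + 1) * BLOCK] = bytes([fill]) * BLOCK


def demo_deleted_file_persists():
    """Returns (carved after delete, carved after wiping free space)."""
    disk = ToyDisk()
    disk.write_file("readme.txt", b"unrelated live file occupying block 0")
    disk.write_file("archive.zip", ARCHIVE)
    disk.delete_file("archive.zip")          # name gone, blocks freed
    after_delete = disk.carve_free_space(ZIP_MAGIC)
    disk.wipe_free_space()                   # now the bytes really are gone
    after_wipe = disk.carve_free_space(ZIP_MAGIC)
    return after_delete, after_wipe


if __name__ == "__main__":
    found, gone = demo_deleted_file_persists()
    print("carved after delete:", [f[:24] for f in found])
    print("carved after wipe:  ", gone)
```

    The same mechanism is why a file that was modified and then put back leaves its earlier version lying in free space: the old blocks are released, not cleared, and only an explicit wipe of unallocated space removes them.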

  • #

    @motsatt, a simpler explanation was that the University thought that they might have to comply with the FOIA request, and so they gathered the emails. Then when the Compliance Officer told them that they didn’t need to give out the data, a disgruntled insider saved a copy of the ZIP file. Ultimately, the insider (the rumored mole?) released the file.

    Another possibility is that nobody released the file, but it was left (say, on an FTP server) where someone outside the university community could find it. This is how Mike Mann’s CENSORED data was discovered.

    I don’t think that we really need elaborate scenarios to explain this. An overall poor level of security (as is typical at universities) along with an overall poor level of Op Sec among the CRU researchers (as is typical at universities) combined with the ubiquity of USB or anonymous FTP access cover the bases pretty well.

    Probably the biggest challenge to a hacker (if you go with the “a hacker done it” scenario) is not the university’s cyber defenses, which are very likely to be unfunded and very poor indeed. Rather, it’s that pretty much everything is more or less wide open, and that the hacker would be looking for a very small needle in a very large haystack. While the level of Intrusion Detection/Log Collection/Log Analysis is likely to be very low – i.e. the risk of being detected is low – finding the data of interest would likely take a very long time indeed, just due to the volume of what would be accessible.

    An insider, on the other hand, would know where the data was likely to be. If this were done under the auspices of an internal FOIA effort, IT would have helped with searches, etc. It simply doesn’t feel like an external job. It feels like an internal (official) job that somehow ended up escaping. Whether the leak came from intent or from accident/carelessness is hard to tell.

    Again, your mileage may vary.

    10

  • #
    Dave

    Pointman’s analysis of why it was almost certainly not a ‘hack’ is excellent. To sum it up, hacking in the Hollywood sense simply doesn’t exist.

    Where Pointman falls down, however, is in paying too little attention to the third possible vector, besides external hacking and internal leaking: a social engineering – phishing – attack. A competent social engineer could have fairly easily gathered all the information and got out without leaving any traces; a competent social engineer can get the root/administrator login details far more easily than a hacker.

    10

  • #
    pat

    The censorship by BBC, holding on to those CRU emails “forwarded” to Paul Hudson for more than a month, and the censorship by the CAGW websites who refused to publish the Climategate cache, says a lot. Funny how neither fact featured in the limited MSM coverage of Climategate.
    Thanx to whoever did the leaking and for your persistence.
    And thanx to those websites who published for their service to the public, to science and the scientific method.

    10

  • #
    Ross

    Update on the Norfolk Police investigation into the leak

    http://www.bishop-hill.net/blog/2010/12/24/norfolk-police-speak.html

    10

  • #

    Nobody else sees the possibility that I know is possible. I know because I’ve experienced such things firsthand as well as read about them in accounts far too well authenticated to dismiss. Sometimes I have to go reading the lesser accounts and the dismissals as well, to be sure I’ve heard all the evidence.

    The reason I see this possibility is because of the language used in the communications from FOIA plus the extraordinary shenanigan of breaking into the RC system. The language used is the language of courtesy, compassionate caring, and intelligence. This is the hallmark I see in my own experiences.

    The possibility is: Outright miracle. Classical-physics-defying miracle. Like the Angel of Mons (and that’s one example you have to research carefully on all sides).

    10

  • #

    I agree with Pointman’s analysis. The hacking landscape he describes is not ethereal, it’s certainly reality. I also agree with Jo that it still remains a possibility, though I do think unlikely at this point, that what Pointman describes as a “Great White” (GW) could have been sponsored to retrieve the information in the Climategate archive. However, there are footprints in the archive – what is missing as well as what is present – suggesting that if a GW were involved, s/he would need also to have an extreme knowledge of the debate to match their GW skills, or alternatively that a sponsored GW supplied a much more substantial archive to their sponsor, who then filtered out less relevant content.

    At the time the “miracle” happened, anything was possible and all scenarios were feasible, from GW to internal “hacked off” employee. However, in the passage of a year, no supplementary Climategate release has occurred to fill in gaps or add/reinforce the content’s context – there are fragments of conversations that, if filled out, would further build on the sceptical case. This suggests that WYSIWYG, and the original release is everything there is. The Norfolk Police have also not made headway in determining that an external hack occurred, which reduces and polarises the possible sources of the archive.

    Now, at this point, either a GW competently extracted information OR it was an internal leak (a whistleblower). All other possibilities have all but evaporated, because (despite what others are suggesting) all other possibilities would have left an IP/logging trail. Even incompetently put-together IT systems log activity sufficiently by default to enable a competent IT security professional to ascertain the actions and path through the system of all but the most competent GW to determine an answer to the simple question: “internal or external?”. Norfolk Police have not yet been able to make this determination.

    My conclusion is also that the source of the leak is internal.

    10

  • #

    @Lucy

    One of the M’s (I think) announced the publication of the emails with the phrase “A miracle has happened”. Many a true word said in jest …

    Pointman

    Happy Christmas to all

    10

  • #

    @Pete Hayes: IMHO your son is right. It was a student who sat in the lab, pulled the files, slapped them on his (disposable) USB. Got home, fired up his VPN and pushed them out. The VPN explains the Chinese IP addresses.

    And yes, bank security is pretty bad but, core systems are generally well protected. Mostly due to the fact that they run on ancient mainframes which were purpose built for batch jobs, which is how account transactions are processed. I had my bank account hacked 6 months ago but I took precautions on that account so I only lost $12. I never leave more than $200 in my transaction account at a time. My money is stashed where hackers can’t touch it. I don’t trust technology and I certainly don’t trust people who build software. I’ve seen way too much ridiculous code and way too much managerial tolerance of said code.

    Merry Xmas all!

    10

  • #
    Atomic Hairdryer

    Nice article, and agree with most of it.

    On the recon phase, a good IDS and a good security admin can help detect and prevent hacks. Hackers will have copies of most IDS and firewall apps and will dissect them to understand how their threat detection works. Many use simple event thresholds to trigger alarms, so understanding how those work means understanding how to probe without triggering them. Some packages have limited user documentation and limit access to raw log data limiting the ability to detect smarter attackers and are effectively useless. A smart hacker would still do a slow scan, probably via a botnet to mask any probing. This kind of attack is harder for public organisations given the volume of traffic from normal usage, plus probes from script kiddies.

    Time of attack is also a bit debatable. A decent system would allow day/night rules, so when the network is not normally expected to be in use, could implement a more restrictive firewall policy and enhanced logging. Attacking at nighttime may trip more alarms than daytime when the attack may get lost in the noise of normal operations. For a university though that may be collaborating on research all over the world, that kind of security policy may not be practical. Key thing though for admins is understanding normal vs abnormal or suspect activity and a poor choice of tools won’t help with that.

    Lastly, never underestimate social engineering and physical security. Again universities suffer from this having high student and staff turnover, and to an extent being open access. Much of the recon phase can be omitted by simply enrolling as a student and being given access to the network, or temp admin staff getting higher level access, or a cleaner getting physical access. Unis tend to suffer from theft of IT equipment, but understanding if that’s an opportunist thief grabbing a laptop for cash or a more sophisticated thief after the data can be non-trivial to determine. If sensitive data’s encrypted and protected by ACLs, that risk can be mitigated, but many businesses still don’t do this.

    10
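    Atomic Hairdryer’s remark about event thresholds is worth seeing in code, from the admin’s side of the fence. The block below is an added example (not from the original post or from Pointman’s article): a per-source “too many distinct ports in a window” rule run over a constructed firewall deny log containing a noisy scanner, a patient one-port-every-ten-minutes scanner and a legitimate host. With a one-minute window only the noisy scanner trips the rule; the same rule over a one-day horizon catches the patient one too, which is the “normal vs abnormal” baseline he is talking about. All records and addresses (RFC 5737 documentation ranges) are constructed.

```python
"""
Added example, not from the original post or from Pointman's article: why a
per-source event threshold over a short window misses a slow scan, and how
the same distinct-port rule over a longer horizon still catches it.  The log
records are constructed for this demonstration; the addresses are RFC 5737
documentation ranges, not real hosts.
"""
from collections import defaultdict

# Constructed firewall "deny" records: (unix_time, source_ip, destination_port).
FAST_SCANNER = "203.0.113.9"    # noisy: 40 ports in 20 seconds
SLOW_SCANNER = "198.51.100.7"   # patient: one new port every 10 minutes
NORMAL_USER = "192.0.2.20"      # legitimate host retrying two services


def build_sample_log():
    """Return a constructed, time-sorted list of deny records."""
    events = []
    for i in range(40):
        events.append((1000 + i // 2, FAST_SCANNER, 1 + i))
    for i in range(30):
        events.append((1000 + i * 600, SLOW_SCANNER, 1000 + i))
    for i in range(50):
        events.append((1000 + i * 300, NORMAL_USER, 443 if i % 2 else 80))
    return sorted(events)


def threshold_alerts(events, window, max_ports):
    """Simple threshold rule: alert on a source that touches more than
    `max_ports` distinct destination ports within any `window` seconds.
    Returns the set of offending source addresses."""
    by_src = defaultdict(list)
    for ts, src, port in events:
        by_src[src].append((ts, port))
    tripped = set()
    for src, recs in by_src.items():
        recs.sort()
        in_window = defaultdict(int)   # port -> hits inside the sliding window
        start = 0
        for ts, port in recs:
            in_window[port] += 1
            # drop records that have aged out of the window
            while recs[start][0] < ts - window:
                old = recs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > max_ports:
                tripped.add(src)
                break
    return tripped


def run_demo():
    """Compare a one-minute window with a one-day window on the same log."""
    log = build_sample_log()
    return {
        "60s window": threshold_alerts(log, 60, 10),
        "24h window": threshold_alerts(log, 86400, 10),
    }


if __name__ == "__main__":
    for rule, sources in run_demo().items():
        print(f"{rule}: {sorted(sources)}")
```

    The cost of the longer horizon is memory and false positives on busy legitimate hosts, which is why the threshold has to come from what the network normally looks like rather than from the tool’s defaults.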

  • #
    stan

    I realize that there are a variety of reasons why the hack/leak question is of interest to a lot of people. In the end, the important issues are: 1) are the e-mails genuine? and 2) should they have been produced pursuant to FOIA? The answers are clearly both yes.

    So the argument made by alarmists (sometimes explicitly, sometimes implicitly) that it is somehow inappropriate to acknowledge any information gleaned therefrom (a sort of moral exclusionary rule of evidence) is bogus. The emails are genuine, the public has a right to them, and the scientists involved are certainly free to provide others they feel need to be understood to provide context (as if!). Leak or hack really doesn’t matter in the big picture.

    10

  • #
    1DandyTroll

    @pointman: ‘1DandyTroll, congratulations, you’ve just earnt the content-free scroll past award.’

    Haha, with such a windy post I made, you find nothing else to complain about but you just had to take the train of the insane.

    If I didn’t know better I should now go into the whole psychological department of what your issues are for taking offense to something written on the day before Christmas, eggnog, snaps, beer, whiskey and all, but I’ll be the bigger person and refrain myself from it and just hand you the end of this here rope. :p

    10

  • #
    Roy Hogue

    Leak or hack really doesn’t matter in the big picture.

    Stan,

    True! But I suspect the interest for many of us — certainly for me — is the curiosity of the technologist inside that always wants to find out both how and why?

    10

  • #
    Bernd Felsche

    The simpler explanation is that only about 98% are corruptible.

    For some people, conscience doesn’t simply equate to “con science”.
    It’s something that they cannot defer until after retirement.

    10

  • #
    Mark D.

    Happy Boxing Day!

    I think there is another possibility and that is the intentional leak of something smelly to distract from the corpse. Has there been a FOI release since the hack/insider job?

    I agree completely with the analysis that inside jobs are simple and therefore most likely. On the other hand, talented people on the inside can create a very hard to detect pseudo-hack. And since there has been no further FOI release (that I know of) perhaps they were smarter than we think?

    10

  • #
    MikeO

    Well Pointman thanks for the analysis. I have worked with computer systems for about 30 years and have never believed it was a hack. The file “FOI2009.zip” is small, 61.9 MB, and looks like it was from an individual’s computer. There had been a FOI request and the data collected after that; who knows what happened? The main problem is whoever did it would need inside knowledge otherwise it becomes a miracle of detection. Systems I have worked with had hundreds of servers with thousands of workstations. My experience tells me a lot of people inside the CRU would have known of the file. If I had worked there and known of this file then it would be where it is today; most certainly getting it out would be dead easy. Maybe the Chinese capture all mail packets between these leading AGW “scientists” and one emailed it? Let us assume the simple unless a better answer presents itself. I am fairly sure that a “SIS 315” was not involved and hacked or not isn’t this becoming pointless?

    10

  • #
    Roy Hogue

    If we assume, per Pointman, that the leaked file was put together in anticipation of being forced to comply with FOI requests, then exactly how would the release of that information have been handled? I can’t see how the data would be released directly by CRU; it would go through some UEA office somewhere. Certainly the “scientists” would be involved in identifying the relevant data. But then that data would pass to whoever was to actually deal with the FOI request.

    Now we have a whole new ball-game because some additional people have a chance to look at what would be released. This sets off an alarm all the way to the top at UEA and release per FOI is stonewalled all the more. But now someone with no personal connection with what was happening inside CRU and who just might be outraged by it, has an opportunity to sneak the file out to the world.

    Am I making sense here? Or should I drink more coffee before posting anything so early in the morning? 😉

    10

  • #
    harrywr2

    The Russians, being Europe’s single largest energy provider have an interest in keeping Western European countries ‘energy dependent’.

    No nukes + No coal = Russian Gas.

    I still can’t reconcile the fact that the largest nuclear accident in US history occurred within a few days of the release of ‘The China Syndrome’, starring the known communist sympathizer, Jane Fonda.

    I also can’t fathom why Moscow Center delayed the testing at Chernobyl until the crew that had been properly briefed on the tests went off shift.

    But what the heck, plenty of people believe George Bush deliberately blew up the World Trade Center and invaded Iraq for the oil, why would it be such a difficult stretch to believe the Russians blew up their own nuclear reactor to end Western European plans to achieve energy independence via nuclear power or that they hacked Hadley CRU in order to disrupt Western European plans to achieve ‘Energy Independence’ under the guise of ‘Climate Change’.

    10

  • #
    co2isnotevil

    I fully agree that the data was produced by an insider. If it was ‘hacked’, the hacker would have revealed themselves by now for their 5 minutes of fame. There would be no reason not to admit this since it’s unlikely that there would be any prosecution owing to what else might need to be revealed at trial and the support the ‘hacker’ would receive from the skeptical community. If it was grabbed by a hacker from some open FTP site, this is even more likely to have been admitted by someone, as there is no expectation of privacy to be breached and criminal prosecution would be impossible. Only an insider has reason not to expose themselves.

    Many of the files are attachments to the emails and others were probably attachments to other emails that were not included. It looks to me like there was some sort of mail archiver which made copies of all incoming and outgoing emails. Many companies use email archivers for Sarbanes-Oxley compliance and more importantly to cover their butt in the event of some future litigation. These can generally be queried to extract messages and attachments based on senders, receivers, subject, and content. Such an archive system would be ideal for filtering results for FOIA requests, which would support that this was originally produced for such a request.

    You might notice that the email file names, NNNN.txt represent the ‘unix time’ that the email was sent, that is, NNNN is the number of seconds since Wed Dec 31 16:00:00 1969. This tells me that the key under which messages were stored was created uniformly at the time that the email was originally sent and not the result of post processing as it’s quite unusual to convert the ascii time stamp into ‘unix time’. The fact that emails originated from a variety of different kinds and versions of HW/SW, yet are archived in a uniform format, is another indication of a centralized archiver.

    This all points to a collection of files that were extracted from a mail archiver, selected using criteria that would be used for an FOIA request. Perhaps someone was tasked to produce this in order to understand CRU exposure, relative to the release of such data. Whoever did this was likely someone in IT or Legal and who had no particular attachment to ideological climate science, but after having seen what these characters were up to, decided that exposure was the best recourse.

    George

    10
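    George’s observation about the NNNN.txt names is the kind of thing an investigator would check mechanically. The block below is an added example (not from the original post or from Pointman’s article): it turns epoch-named files into a UTC timeline, shows that “Wed Dec 31 16:00:00 1969” is simply the epoch (1970-01-01T00:00:00 UTC) rendered in US Pacific time, and cross-checks each file name against the message’s own Date: header, so a file whose name disagrees with its header stands out as renamed or post-processed. The file names and message contents are constructed for the demonstration; none are real Climategate files.

```python
"""
Added example, not from the original post: treating epoch-named message
files as a forensic timeline and cross-checking each name against the
message's own Date: header.  The file names and message bodies are
constructed for the demonstration; none are real Climategate files.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample files: the name is seconds since 1970-01-01T00:00:00 UTC.
SAMPLE_FILES = {
    # header in Pacific time, same instant as the name: consistent
    "0946684800.txt": "Date: Fri, 31 Dec 1999 16:00:00 -0800\nSubject: constructed\n\nbody",
    "1000000000.txt": "Date: Sun, 09 Sep 2001 01:46:40 +0000\nSubject: constructed\n\nbody",
    # name says 2 Jan 2000 but the header says 1 Jan: a renamed or altered file
    "0946771200.txt": "Date: Sat, 01 Jan 2000 00:00:00 +0000\nSubject: constructed\n\nbody",
}


def name_to_utc(name):
    """'NNNN.txt' -> timezone-aware UTC datetime."""
    return datetime.fromtimestamp(int(name.split(".")[0]), tz=timezone.utc)


def filenames_to_timeline(names):
    """Sort by the embedded epoch and render each as ISO 8601 UTC."""
    return sorted(((n, name_to_utc(n).isoformat()) for n in names),
                  key=lambda pair: pair[1])


def epoch_as_pacific():
    """The epoch rendered in US Pacific Standard Time (UTC-8): the
    'Wed Dec 31 16:00:00 1969' form a machine in that zone prints."""
    pst = timezone(timedelta(hours=-8))
    return datetime.fromtimestamp(0, tz=pst).strftime("%a %b %d %H:%M:%S %Y")


def header_date(text):
    """Parse the first Date: header of a message; None if absent."""
    for line in text.splitlines():
        if line.lower().startswith("date:"):
            return parsedate_to_datetime(line[5:].strip())
    return None


def find_inconsistent(files, tolerance=timedelta(hours=1)):
    """Names whose epoch disagrees with the Date: header by more than
    `tolerance`, or whose message has no parseable Date: at all."""
    bad = []
    for name, text in files.items():
        hdr = header_date(text)
        if hdr is None or abs(hdr - name_to_utc(name)) > tolerance:
            bad.append(name)
    return sorted(bad)


if __name__ == "__main__":
    for name, when in filenames_to_timeline(SAMPLE_FILES):
        print(name, when)
    print("epoch in PST:", epoch_as_pacific())
    print("inconsistent:", find_inconsistent(SAMPLE_FILES))
```

    A uniform agreement between names and headers across a large set, regardless of the senders’ time zones, is what you would expect from a single archiver keying messages at receipt time; scattered disagreements would point to later renaming.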

  • #
    Tel

    The theory that the CRU did this to themselves as an act of self-sacrifice for a greater purpose (read greater master if you like) is not entirely without merit. The email scandal did have the effect of defusing the FOI requests, and it did that without fully satisfying those FOI requests. Moreover, the “hacked” emails were embargoed from publication by the mainstream media and forever clouded by uncertain origin, while a genuine FOI request would have been open to publication and be regarded as a pedigree source.

    I’ll call this “the Lizard drops its tail theory”, while the vultures squabble over the wriggling tail, the rest of the lizard drags itself under a rock.

    This would explain why the insider logically should be very easy to catch, but in practice has not yet been found (and no detectable progress is being made either). It would require that the Norfolk Police were either told by powers from above to ease up on the investigation or the CRU team deliberately withheld evidence from those police. Given the amount of government money riding on a carbon tax, it’s not too difficult to believe that at least one or two powerful government officials would be in a position to manipulate police priorities.

    Running with this theory for the moment, it implies that much worse evidence of the scam must exist, which would have been dragged out by FOI. That might be a good reason to start the FOI heat again, after all this lot have never actually complied with an FOI request.

    Constantly nudging the police over how that investigation is going might also be an idea — don’t let it get forgotten.

    I’d very much like to know about the various funding meetings that Jones and Mann refer to in the emails — who were the meetings with and what was said?

    It would probably also be helpful for me to point out, without naming names, that many of our most prominent colleagues in the climate research community, as well government funding agency representatives, have personally contacted me over the past few weeks to express their dismay at the way they believe this study was spun.

    Oh please do name names.

    Hopefully those contacts were via email 🙂

    I’d guess a lot of evidence has been destroyed by now, but you would be surprised how a backup tape can kick around in the corner of some safe somewhere.


  • #
    MikeO

    George, if I had done it I would be paranoid enough that even my nearest and dearest would not know. Would not even tell myself if possible. Consider how much rides on this in money terms; robbing the mint is probably safer!


  • #
    MikeO

    Tel, this “This would explain why the insider logically should be very easy to catch” is rubbish.


  • #
    1DandyTroll

    Sherlock bloody Holmes made the correct conclusion 123 years ago. But people today can’t make the closest of dots connect only because they think there “has to be more to it”.

    Yet it doesn’t have more to do it than simple obsession. A hacker obsesses on what is on the other side of that fence, protected as it is it has to be really frakking interesting to know, and if one could only know it all . . .

    A “simple”, upstanding, security-conscious citizen will do what she thinks is needed when her employer refuses to do, by law, the right thing, that is, by law, required of ’em.


  • #
    co2isnotevil

    MikeO,

    It would depend on what you had to do to get it and what your relationship with the CRU was. If you were under NDA or employment contract, they could certainly hold you accountable if you released it. If not, you’re probably OK. This is why I believe it was an insider, who would be more culpable if exposed. Certainly, anything culled from a public web or ftp server, even if only transiently present and specific to someone else, is 100% safe. I wouldn’t worry about mafia types rubbing you out because you destroyed their gravy train as for the most part, this only affects individual groups of researchers and companies engaged in collecting green tech subsidies.

    Although the way the UN is pushing its agenda, many of those on the receiving end of this massive redistribution of wealth from the developed world to those with no stake, interest or participation in that development, might be a little pissed off and want revenge to complement their envy and greed.


  • #
    MikeO

    co2isnotevil

    Consider actions that have been taken against people such as Lomborg and that many of the warmists are fervent believers. As I said a lot of money rides on it. Murdering your neighbour is not considered as serious as robbing a bank. This is a much more serious action than “deep throat” took.

    To just embarrass the powers that be is dangerous. As an example see this http://securitydigest.org/rutgers/mirror/pyrite.rutgers.edu/prestel.hacking. Note that it is written in 1988 and that the offence (forging a password) occurred in 1985. It was settled in July of 1987 so for some years they lived under the threat of 10 years jail and must have incurred significant legal expenses. Duly punished I would say! Only the foolhardy and unwise would let anyone know.


  • #
    co2isnotevil

    MikeO,

    If I was the hacker, I would want them to take it to court, especially if it was grabbed off of an anonymous FTP server. They have no reasonable expectation of privacy if they fail to follow basic practices for keeping their systems and data secure. If I was an insider, or perhaps even a principal, I would be a lot more nervous about disclosure. Besides, what happened to Lomborg would be happening to those on the other side once the science flips.

    There aren’t too many who would completely fall off the gravy train, primarily those who depend on green tech subsidies where CO2 mitigation is the driver. The research money will still be spent, but towards decreasing energy costs and improving efficiency without regard to CO2 emissions, which still includes renewable power research. The same people will be doing the research, just the goals will change a bit. One goal might be to make renewable power cost effective without requiring subsidies.


  • #
    crownarmourer

    As much as I hate to agree with pointman on anything, he is correct: it’s an inside job.
    University computer systems are notoriously poorly protected due to lack of resources and affordable tools and sloppy maintenance, so even a three year old with the right tools could get in. It’s the massive amount of time sifting through emails that makes it probable that someone collected these and sent them for use elsewhere.
    However, if you pay attention to pointman you will notice he loves to denigrate people and loves to hurl insults around and generally loves to argue for arguing’s sake. Don’t you, pointman.


  • #

    It’s tempting to say that UEA is just another shambles on the IT front but it’s simply not true. Their IT department provides extensive services to 14,000 students and lecturers. That is large-scale and industrial level computing which cannot be achieved without a professional approach to the task. They’ve also had a couple of decades’ experience handling attempts by students to monkey around with their systems. They know how to pin down systems and data.

    Pointman


  • #
    bananabender

    I find this article to be remarkably naive.

    Hackers in India, China and Russia can act with absolute impunity against Western targets knowing they have zero chance of being punished. They don’t need to take a lot of effort to hide their tracks.

    Intelligence agencies monitor all electronic data transfers. They would have no trouble intercepting emails.

    If you want data you just blackmail or bribe a sysadmin.

    Too easy.


  • #
    David Burgess

    Re: bananabender

    If you want data you just blackmail or bribe a sysadmin.

    I believe you are correct. And most commonly a bribe. It is usually the cheapest, quickest and risk free way to do business.


  • #
    Mustafabang

    Waffle, are you an ex-employee of the said Uni? Your comments get top marks from my Carcharodon carcharias mates here. And agree with Pointman.

    Thanks to all.


  • #
    crownarmourer

    Pointman, please, do you have any idea how much the needed tools cost to monitor and safeguard a system? It’s very expensive, usually on a per user basis. Heck, if the US military can’t be bothered, do you honestly think UEA adequately protect their systems?
    Like I said, you are correct: it’s an inside job, someone leaked the information. It’s just that universities don’t have the money or staff to afford all the fancy toys to protect themselves. The multi billion dollar corporation I work for has limits on what we can afford.


  • #
    Roy Hogue

    Until 2008 I taught part time in the Computer Science Department of a Community College (17 years). I can say two things with considerable confidence — and mind you, the Community Colleges here in California are always hurting for money.

    1. The college district had very good security on all the administrative computers in their system of 8 or 9 colleges and a rather over-blown district office.

    2. Security of the systems used by students was another matter, with security managed by the department that owned the computers. I was never moved to try to hack into my employer’s machines. But even with all the security measures that the Computer Science Department had set up to prevent student access to forbidden stuff, including the LAN, I could simply bring up the command prompt and get access to anything on the machine; including stuff I could not reach through Windows Explorer or other GUI means. Once inside the protections I could have done a lot of harm if I’d wanted to. I never had a privileged account either. Simply logging in to the same account used by students was enough.

    So is it a good guess that UEA had little or no security? I don’t know of course. But I think probably not because they have the same incentive that the district I taught in has. It may not have been the best. And maybe no one was watching what was going on. But they probably had something in place that would require some skill to hack into. Within CRU it may well have been a different matter. But their link to the outside world would surely have been through the UEA firewall.

    Just my 2 cents in the pot for whatever it’s worth. 😉


  • #

    Crownarmourer, my internet stalker. I was wondering when you’d arrive. It’s a slightly silly name; I prefer to call you Clownie. I see Père Noël didn’t leave you any commas in the stocking this year. Never mind, there’s always next year. The anonymity of the internet is a great thing so I suppose I’ll just have to put up with you.

    Pointman


  • #

    Oops, forgot to wish you a great 2011 Clownie and by the way, good luck to you and L**a with the chapter 13 thingie. Losing your house isn’t a big deal anyway. I’ll still respect you afterwards …

    Pointman


  • #
    crownarmourer

    Pointman, why thank you for the best wishes.
    I can see you are up to your old tricks and revealing your true nature; you can never learn from your mistakes, can you?


  • #
    Craig Goodrich

    It was clear to me, at least, as a computer security guy, that this was a “leak”, not a “hack”, from the time the details originally came out. Notice that the most recent emails in the archive are the week before the FOIA request was officially denied, which is strong evidence that the docs and emails were painstakingly collected by a clerk (using search scripts) over the course of weeks to respond to the request.

    Note also that the notoriously lax security on academic systems is much more of a help to inside leakers than to outside hackers.

    My personal vote would be either Briffa or Harry, but it may well have been some lesser light — a research assistant, say — we’ve never heard of.
