Tuesday, December 20, 2011

Evil Bunny, Evil Thoughts

Much buzz about the warrants, demands for information and seizures of computers and similar at Tallbloke's, Jeff Id's and the dread Steve's. Eli has been thinking evil thoughts, not that any of these folk (well, ok) actually were involved in the theft (let's be honest) of emails from the CRU, but that there was more than met the eye. J. Ferguson at Lolita's Rondez Vous and Mus Farm put it in words:

Somehow I keep thinking that the warrants and the raid at Tallbloke’s are to create the impression that they are the method by which some piece of information which is about to be acted on was obtained.

This rather than revealing the extent and quality of their web surveillance.

Which everyone ignored, but No Such Agency throws a wide net out there from Fort Meade in nearby scenic Laurel, MD. Further, you would not think that they would risk exposure on something as minor, in the run of national security, as going after the CRU hackers. They are looking for bigger fish, or, as likely, some of the big fish are involved in the CRU hack, and Tallbloke is unlucky enough to have a key piece of the puzzle sitting on his hard drive. How do the spooks know it is there? Silly Rabett.

64 comments:

Nick Barnes said...

If the NSA cared who hacked the emails, they would presumably know. I don't suppose they do care (surely it's below their radar), and maybe they don't know. I find it inconceivable that the Puzzle Palace would see fit to assist any law-enforcement agency in sorting out the CRU hack.

I have always found it entertaining when crypto-anarchists fantasize either that the three-letter agencies might be interested in their petty secrets, or that their algorithms would protect them from such interest. That's neither a rational threat model nor a sane capability assessment.

If the CIA wants to know what Alice says to Bob, they can put a mike in the room, a snooper chip on the motherboard, a tap on the wire, a tempest scope across the street, $10K in a plain envelope under Bob's door, or Alice on a plane to Gitmo.

EliRabett said...

No Nick, the point is that this is a wedge for them to something bigger.

dhogaza said...

"How do the spooks know it is there."

It's not that difficult to discover and track the handful of blogs that make up the bulk of the denialspherical ecosystem. You could just go down the list of invitees to that conference in Portugal from a year or so ago. I suspect DoJ is capable of doing that without any help from "spooks". It's not that hard, then, to look for posts from "FOIA" and ask for the computers etc. of the blog hosts where "FOIA" spreads his blessings.

Anonymous said...

The leaking of documents just before the President of the United States and Secretary of State attended a major international conference? Jeez, they surely do not come much larger than that, as hackings go. I think the security services would feel they need to know who is pulling the strings there.

At the very least, they would need to know who has the capability to pull off a stunt like that. Many US universities do work for the Feds, and their e-mails are just as vulnerable as UEA's.

So Eli may have a point .. all the thrashing about in the undergrowth may be cover for what is already known. But that means something will break in the coming months.... let's hope.

Toby

David B. Benson said...

Some hints that the Ruskies wot done it. That might excite spooks who otherwise have too little to do...

dhogaza said...

Toby:

"At the very least, they would need to know who has the capability to pull off a stunt like that."

A large number of script kiddies, unfortunately. Sony's playstation mothership got hacked by a friggin' SQL insertion attack, and they're not alone (one of the simplest attacks on a database-backed web application, which can be prevented by very simple programming practices). A lot of large networks have random systems attached which aren't kept up-to-date and are vulnerable to being rooted by rootkits available on the internet.

Etc etc etc.

I don't assume that much skill was necessarily involved, just perseverance.

Scrooge said...

I don't like to get into conspiracy theories very much. The only reason I could think of that is if it were for international political reasons. If they do know who is responsible and now gathering evidence the old fashioned way we should hear more soon.

dhogaza said...

Scrooge:

"I don't like to get into conspiracy theories very much. The only reason I could think of that is if it were for international political reasons."

Oh, the entire denialsphere is motivated by political reasoning, that's been clear for a decade or more.

You don't need to postulate a conspiracy for this to be true ...

David B. Benson said...

Little bunny Foofoo...

Anonymous said...

dhogaza,

The fact that the hacking was carried out successfully in the lead-up to a major international conference suggests it took more than a few high-school kids chancing their arm for a year or so.

I just hope the new momentum in this investigation is maintained.

Toby

Anonymous said...

There are plenty of people out there with the cash to pay a hacker to get what they want. It's not that hard if you know what to do. The CRU computing infrastructure would hardly have had any security beyond the most basic.

Anon(1)

Anonymous said...

In the UK the Police will make use of the services of the Communications Electronics Security Group (http://www.cesg.gov.uk/about_us/index.shtml) for IT forensics. CESG are a branch of GCHQ, which is the UK equivalent of, and partner to, NSA. CESG are also behind the UK CREST IT security professional certification.

Alice

dhogaza said...

Toby:

"The fact that the hacking was carried out successfully in the lead-up to a major international conference suggests it took more than a few high-school kids chancing their arm for a year or so."

I didn't say a few high-school kids did it, I said that there are plenty of script kiddies out there who *could* do it. In other words, it's not that hard to do. Understand the difference?

My guess is that professionals were involved, but people seem to greatly overestimate how difficult it is to break into your average university or corporate (or drone-flying or uranium enrichment plant) network.

Anonymous said...

Dr. Jay Cadbury, phd.

@dhogaza

hahahaha, are you 57?

http://www.pof.com/viewprofile.aspx?profile_id=24245280

If this is you then wow did I predict exactly what type of person you were.

I think you've got more than a few extra pounds my friend. Also, complaining about everyone finding out global warming is hoax will not make your wife come back.

J Bowers said...

For Jay.

Anonymous said...

@dhogaza

hahahaha, are you 57?

Well, that's a lot less pathetic than someone who doesn't understand the difference between gross and net and who can't figure out how to solve a straightforward compound interest problem, but still runs around claiming that he has a PhD.

But then again, I guess that's the kind of customer that Phoenix U's PhD program serves...

--caerbannog the anonybunny

Anonymous said...

Dr. Jay Cadbury, phd.

I knew if I started big post hole digging I could Caerbannog to come out! I've also noticed that Caerbannog is best friends with Dhogaza, Ray Ladbury and Tamino.

Caerbannog, I used to know how to do compound interest equations and so on and so forth but I don't get paid to know it anymore. In fact, if I never learned it all, it wouldn't have made any difference in my life.

My phd is in the area of environmental fraud. My sense of honesty and fairness is unmatched. The good doctor is so fair that there is no number for his fairness.

Anonymous said...

Dr. Jay Cadbury, phd.

Out of curiosity, I'm interested in the bunnies' thoughts on the Keystone oil pipeline. Specifically, would you prefer it if the Canadiens sell the oil to the Chinese? Or is the pipeline being built bad enough?

Anonymous said...

Dr. Jay Cadbury, phd.

The good doctor knows who FOIA is and delights in knowing that you will never find him. O HO HO HO HO! Merry Christmas!

J Bowers said...

Yeah, right. Of course you know, Jay.

Gareth said...

In some respects, the least interesting part of the hack is who did it. The really fascinating part is who made the selection of emails for release? Those person or persons unknown were either intimately familiar with the themes of discourse established by McIntyre et al, or fed with enough information - keywords for searches, and so on - to enable that selection. Therein, methinks, lies the tale...

Anonymous said...

Dr. Jay Cadbury, phd.

@J Bowers

Bowers where are you living these days? I am in the United States, on the east coast.

J Bowers said...

Jay, you don't know who FOIA is.

dhogaza said...

Note to Eli - since our pest insists he knows who FOIA is, you might consider sending his IP and other relevant information to the DoJ as they seem to be showing some interest in discovering the identity of FOIA ...

Anonymous said...

Poetic justice.

~@:>

Anonymous said...

"Eli has been thinking evil thoughts, not that any of these folk (well, ok) actually were involved in the theft (lets be honest) of emails from the CRU,"

What theft of emails from the CRU?

Anonymous said...

Let's see, the public stole the emails belonging to the public from the public and gave them to the public while at the same time the public that the emails were stolen from retained the emails. LOL.

David B. Benson said...

dhogaza has a great plan.

Little bunny Foofoo would approve.

J Bowers said...

Anonymous never heard of Crown Copyright.

Anonymous said...

Note to Eli - since our pest insists he knows who FOIA is, you might consider sending his IP and other relevant information to the DoJ as they seem to be showing some interest in discovering the identity of FOIA

Oh, Eli doesn't need to send it. They already h... Oops! Have I let the cat out of the bag?

Cymraeg llygoden

Anonymous said...

I'm with Gareth on this. It's one thing to envisage any kind of 'script kiddie' of whatever age being able to hack the server and get huge stacks of emails. It's another entirely predictable thought that there are a lot of people who'd be happy to release documents in time to derail yet another climate conference.

But how does whoever-it-is set the search terms to find the few items among the gigantic set of documents most likely to meet the requirements of the second objective? Now *someone*, maybe several someones, has to provide that info.

And someone has to select the juiciest items.

And someone has to e.d.i.t. them.

MinniesMum

Snapple said...

The CIA’s Center for Climate Change and National Security “provides support to American policymakers as they negotiate, implement, and verify international agreements on environmental issues.”
http://legendofpineridge.blogspot.com/2011/01/larry-kobayashi-director-of-cias-center.html

Snapple said...

When Climategate happened, I thought maybe some Russian entity had something to do with it. I didn't know anything about climate change, but I didn't like stealing emails. Here is my first post about Climategate. I am sure now that some of my initial impressions will seem naive and mistaken, but there is some information there about Russian hackers from people who know more.
http://legendofpineridge.blogspot.com/2009/11/russias-hacker-patriots-embarrass.html

If it turns out some Russian entity was involved, I said it before the UN and the British press voiced their suspicions. Still, I am sure no big expert on hacking or climate change.

I have a lot on my blog about Russia. Some people in the West have business relationships with Russian fossil-fuel or metal companies, and the Russians sometimes insist that their western business partners support them politically in order to be given the privilege (license) of doing business with them. Putin, for example, used to be the guy who decided who got permission to export rare metals from Russia. In Russia, the guys who give permission (licences) are very rich.

Now that I know more, I am totally on the side of the scientists when it comes to global warming. The scientists were a little snarky when they discussed people who were constantly harassing them. Big deal. It was supposed to be private.

I do know a fair bit about Russian disinformation campaigns, and the campaign against the climate scientists uses all those dishonest techniques. I used to be a Republican until I realized that my party was TRICKING me with the same sort of disinformation tactics they used in the USSR and Russia.

Anonymous said...

Time to exercise our forecasting abilities, conies one and all...

Assuming the Guy-With-the-Ear-Pressed-to-the-Glass-Pressed-to-the-Wall doesn't tap the hackers on the shoulders this time 'round, what date do you expect will be most likely for the third release, and why?


Bernard J. Hyphen-Anonymous XVII, Esq., (with lashings of whipped cream)

ligne said...

Gareth said... "In some respects, the least interesting part of the hack is who did it. The really fascinating part is who made the selection of emails for release? Those person or persons unknown were either intimately familiar with the themes of discourse established by McIntyre et al, or fed with enough information - keywords for searches, and so on - to enable that selection. Therein, methinks, lies the tale..."

meh. a few minutes browsing around CA is enough to see what their pet obsessions are. from there to a list of search terms is but a trivial matter.

MinniesMum said... "But how does whoever-it-is set the search terms to find the few items among the gigantic set of documents most likely to meet the requirements of [derailing a climate conference]. Now *someone*, maybe several someones, has to provide that info.

And someone has to select the juiciest items.

And someone has to e.d.i.t. them."

grep?

out of >1000 emails in the first batch, not even half a dozen could be turned into quote-fodder, despite the denialists' best efforts. obviously not a lot of manual effort had gone into the selection process. (my impression was that) all of the actual quote-mining was done on the denialist blogs after the fact.

J Bowers said...

I'm with ligne.

On when the next release will be, Sloppysecondsgate was a complete dud with the MSM almost unanimously responding with, "Ooh look, but oh what a coincidence they were released just before Durban.... yawn." I think it'll be just before AR5 WG1's release, or if there's a new set of science or paper that really leaves no option but to mitigate urgently which the likes of World Climate Report and Heartland can't cherrypick and distort without even the WSJ calling them out on it. What I doubt we'll ever see is the password unlocking the full set of 220,000 emails, simply because we already get glimpses of how much the scientists are certain of their findings with the usual scientific caveats, how genuinely and candidly concerned they are about what's happening to the climate, and how Pat Michaels is considered by his peers to be third rate and a scientific non-entity, etc. Why would they want more of that to be visible? Anyone taking the already released cherrypicked sets as being in context and not designed to disinform through lying by omission is a complete and utter maroon, or stands to profit.

Anonymous said...

Eli,

There is no evidence that there was anything on TB computers.
The police knew that the information was on WORDPRESS machines.
So they went after that first on Dec 9th.

You might surmise that FOIA sent a mail to TB. you would be wrong.
FOIA has never operated that way.

He left a comment and a link on WORDPRESS servers.

The police have commented, when asked, "we had to be seen doing something" Nice.

I'll suggest that FOIA should drop a comment here at your blog.
not a link, just a comment.

Then we will see how you like a visit from the police because a comment was dropped on your blog.

Anonymous said...

A blog commenter said that the police said "we had to be seen doing something"

We don't actually know what the police said.

Louise

J Bowers said...

Here's my hypothesis on why Tallbloke had his laptops and router taken away: FOIA may have hacked him to check him out before his blog became a recipient of the link, and it's worth seeing if FOIA left a trail of any kind, even if it's only a remote possibility.

ligne said...

tallbloke has been at the forefront of the climategate cabal for a while now. his blog was specifically picked by FOIA to disseminate the second batch. it's not exactly a leap of the imagination to think he might have had out-of-bound contact with FOIA.

dhogaza said...

" it's not exactly a leap of the imagination to think he might have had out-of-bound contact with FOIA."

Especially since the release of the set of encrypted 200,000 e-mails came with an announcement that the passphrase would be shared with a select few.

That's evidence of a likelihood of direct contact with at least some of the climategate cabal (like that phrasing, ligne!) and, IMO, again, possibly what convinced a judge that a search warrant should be issued.

cthulhu said...

Some people are saying the hacker must have been knowledgeable about the subject to pick the emails they did. I disagree. There are big errors in the hacker's interpretation of the emails that on the face of it would suggest the hacker is barely familiar with the topics, let alone the details.

susan said...

Seems to me I saw somewhere (I do wander at times) Tallbloke himself announcing that he had some of the emails. Am I all about in my head? Maybe so, and I imagined it. The Russian thing had been floating around for a while too, even without Snapple. We'll see, maybe
(Susan Anderson)

jyyh said...

I assumed it was the Russians who did it, as it's way easier to dump files anonymously and quite untraceably in the country one is in, and I think there's plenty of interest in denial there too (though on the net it looks like a mostly American phenomenon (the Europeans seem to like to be quiet about CC)), for the production of fossils. I've been entertaining myself by imagining what sort of background discussions were held for the Baltic Gas Pipeline, due to go online shortly, but I think I won't write anything about it; it might do good for German coal use.

ligne said...

fwiw, my hunch is that the hacker was just someone who spent too much time reading CA and friends, who (possibly spurred on by the FoI crapflood) decided to take matters into their own hands.

not entirely sure about the russian connection. compromised servers can be found just about everywhere, it's about as difficult to use a server across the world as it is to use one in the next room, and computers in turkey and saudi arabia were apparently also involved in the attack.

then again, eastern europe has got quite an impressive reputation for cheap, high-quality hackers to rent.

chek said...

At the time of the BEST pre-release by Muller, Anthony made the snarky, cryptic comment: “No worries, down maybe, but not out. I still have the upper hand, they just don’t know what I know at this point. – Anthony”

This was back in mid-October and assumed by most to be related to sour grapes over BEST. In retrospect however...

frank -- Decoding SwiftHack said...

SwiftHack 2.0: Berbalang, Bernard J, Hetzner Online AG, CA, swifthack.tk -- in decreasing weirdness.

-- frank

EliRabett said...

frank, Eli mentioned this to some folk, but since the entire file is sitting out there encoded, and we have several Mbytes of decoded stuff, it should be relatively easy to break the encoding.

dhogaza said...

"we have several Mbytes of decoded stuff, it should be relatively easy to break the encoding."

No, modern encryption algorithms aren't really susceptible to such kinds of attacks, sorry.

EliRabett said...

If everything is sequential we have another clue

dhogaza said...

"If everything is sequential we have another clue"

Sorry, hooks like this just don't work with modern encryption algorithms.

Now, if enforcement efforts to grab computers of possible cohorts lead to the passphrase ... great.

But the odds of brute-forcing it are really low.

ligne said...

has there been any indication as to how the other emails were encrypted?

frank -- Decoding SwiftHack said...

ligne:

The encrypted e-mails are all in a FOIA/all.7z file, a file of the .7z format. If you use the 7-Zip program to examine the file you can see the names of the files and directories contained in it.

(7-Zip also happens to be open source, so I hope to get around to studying its source code some day.)

Reportedly, the encryption algorithm used in this case is AES (a.k.a. Rijndael), with a 256-bit key calculated by running the user-input passphrase through 524,288 passes of the one-way function SHA-256.

It's of course easy to obtain a 128-bit block of plaintext (in this case, that'll be 128 bits, i.e. 16 bytes, of 7-Zip compressed data) from a corresponding 128-bit block of ciphertext and the (256-bit) key; and doing ‹plaintext, key› → ciphertext is also easy. But there's simply no easy way to do ‹ciphertext, plaintext› → key, which is what Eli was talking about. This requires a known-plaintext cryptanalytic attack, and no such attack against the AES-256 cryptosystem is known in the public literature.

-- frank
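The passphrase-to-key step Frank describes is the part of 7-Zip's built-in encryption that makes the "several Mbytes of decoded stuff" argument moot: the AES-256 key is the output of a long SHA-256 computation over the passphrase, and nothing about a matching ciphertext/plaintext pair leads back through that computation. The following is an added example, not code from the page, from Frank, or from the 7-Zip project; it reproduces the derivation as I read it from 7-Zip's 7zAes source (an assumption: one SHA-256 context absorbing, for each of 2^19 rounds, the salt, the UTF-16LE passphrase and a 64-bit little-endian round counter, with the final digest used directly as the key). The function and constant names, the constructed sample passphrase and the empty salt are all assumptions of this example. It is written from the defensive side: it makes the work factor of the stretching concrete rather than doing anything with an archive.

```python
"""Passphrase-to-key stretching as used by 7-Zip's AES-256 encryption.

Added example reproducing, from my reading of 7-Zip's 7zAes code (an
assumption, not the project's own code), how a passphrase becomes the
256-bit AES key.  Nothing here touches ciphertext; it only makes the
cost of one key derivation concrete.
"""
import hashlib
import time

# 2**19 = 524,288 rounds, the figure given in the comment above.
SEVENZIP_DEFAULT_CYCLES_POWER = 19


def sevenzip_derive_key(passphrase: str, salt: bytes = b"",
                        num_cycles_power: int = SEVENZIP_DEFAULT_CYCLES_POWER) -> bytes:
    """Return the 32-byte AES-256 key for `passphrase`.

    A single SHA-256 context absorbs, for round i in [0, 2**num_cycles_power):
        salt || passphrase as UTF-16LE || i as a 64-bit little-endian integer
    and the final digest is the key.  The rounds are not chained digests;
    the work factor is the total volume the one hash has to process.
    """
    if not 0 <= num_cycles_power <= 24:
        raise ValueError("num_cycles_power must be between 0 and 24")
    pw = passphrase.encode("utf-16-le")
    h = hashlib.sha256()
    for i in range(1 << num_cycles_power):
        h.update(salt)
        h.update(pw)
        h.update(i.to_bytes(8, "little"))
    return h.digest()


def bytes_absorbed(passphrase: str, salt: bytes = b"",
                   num_cycles_power: int = SEVENZIP_DEFAULT_CYCLES_POWER) -> int:
    """Bytes SHA-256 must process for one derivation with these parameters."""
    per_round = len(salt) + len(passphrase.encode("utf-16-le")) + 8
    return per_round << num_cycles_power


def time_one_derivation(passphrase: str, salt: bytes = b"") -> float:
    """Seconds one full-strength derivation takes on this machine."""
    t0 = time.perf_counter()
    sevenzip_derive_key(passphrase, salt)
    return time.perf_counter() - t0


if __name__ == "__main__":
    # Constructed sample inputs, not values from any archive discussed on the page.
    sample_passphrase = "correct horse battery staple"
    sample_salt = b""   # left empty here; whether an archive carries a salt is an assumption
    key = sevenzip_derive_key(sample_passphrase, sample_salt)
    print("AES-256 key:", key.hex())
    print("bytes hashed per derivation:", bytes_absorbed(sample_passphrase, sample_salt))
    print("seconds per derivation here: %.3f" % time_one_derivation(sample_passphrase, sample_salt))
```

The point to take from running it is the asymmetry Frank is describing: legitimate use pays the half-million-round cost once per archive open, while anyone without the passphrase pays it for every candidate, and the 256-bit key that comes out is the only thing AES ever sees, so a known block of compressed plaintext says nothing about the passphrase behind it.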

ligne said...

Frank: thanks for the details. i'd heard about it being a 7z archive, but i hadn't realised it was its built-in encryption being used.

(though i should have mentioned that i'm reasonably knowledgeable about crypto, so i was already familiar with AES, known-plaintext attacks and the like :-) )

frank -- Decoding SwiftHack said...

ligne:

Oh OK... well, it was the .7z built-in encryption being used. :) Anyway, you can always download the whole FOIA2011.zip enchilada to take a look -- the original files.sinwt.ru copy is gone, but there are copies elsewhere (e.g.).

-- frank

frank -- Decoding SwiftHack said...

And for those who haven't come across this yet: Deep Climate had some curious observations a while back regarding the elusive files.sinwt.ru server, where FOIA2011.zip was initially uploaded.

-- frank

dhogaza said...

frank:

"But there's simply no easy way to do ‹ciphertext, plaintext› → key, which is what Eli was talking about. This requires a known-plaintext cryptanalytic attack, and no such attack against the AES-256 cryptosystem is known in the public literature."

Right, there's one key-recovery attack on AES that's about four times faster than brute force, meaning that only 2^254 operations are required, in theory, to do key recovery (which would allow full decryption). Given that the accepted age of the universe is on the order of 2^90 nanoseconds, don't hold your breath waiting for success!

ligne said...

i doubt that looking into Hetzner will get you very far. they're just a big hosting company, who will sell server space to pretty much anyone with the cash. and it's not at all unusual for a domain for one country to be hosted on a server in another.

frank -- Decoding SwiftHack said...

ligne:

Ah well... no harm trying.

Meanwhile: phantom lawsuit is phantom. Or not.

-- frank

EliRabett said...

Eli must say this is amusing.

The fact that there was a search pretty much puts a nail in heads of anyone claiming that the theft of the CRU emails was not a crime.

Too bad about the encoding tho (of course, the cops have a copy of the original file so if they were interested in the key for other reasons that might be a different thing, or is this one way??)

frank -- Decoding SwiftHack said...

Eli, all/README.

-- frank

dhogaza said...

Frank, the scienceblogs reference is to Greg Laden, who interpreted the search of Tallbloke's computer equipment as evidence that he was a suspect in the CRU theft in the first place. Which isn't true. As I, James Annan, and several other reasonable people pointed out to him. It hit WUWT and he got flooded with the usual trolls, but in this case they were actually right.

Laden backed down, and in return for Tallbloke's solicitor agreeing not to sue, offered Tallbloke the opportunity to guest-post to Laden's blog.

Greg Laden was way out of line. It's obvious the police think that searching Tallbloke's computers might lead them to "FOIA", but they've been clear that he himself is not a suspect in the theft, and to publicly accuse him of not only being a suspect, but guilty (though Laden edited a couple of times when his wrongness was pointed out to him) was really unacceptable.

Though, as I pointed out to Greg, Tallbloke is a slime ball, just not accused of hacking CRU ...

owlbrudder said...

Frank: "Right, there's one key-recovery attack on AES that's about four times faster than brute force, meaning that only 2^254 operations are required, in theory, to do key recovery (which would allow full decryption). Given that the accepted age of the universe is on the order of 2^90 nanoseconds, don't hold your breath waiting for success!"

This little bunny heard on the radio (so it must be true) that an Australian research group have developed a wire one atom high and four atoms wide, that exhibits 'good' resistivity. Evidently they have overcome a problem with similar experiments, whereby the resistivity of the wire went through the roof at atomic scales.

Anyway, the point is that this was discussed in the context of Quantum Computing and the claim was made that a QC device would be capable of solving, in a few seconds, problems that existing computers would take the rest of the life of the universe to solve. My immediate thought was 'bang goes our current crop of secure encryption algorithms'.

But then, it was only one little bunny listening to a radio programme in Australia and, anyway, AFAIK QC is not coming to a store near you any time soon. By the time we get the raw power to hack the encrypted emails, we will be up to our knees in rising tides ...

Back into my box now.

EliRabett said...

Eli's been there and done that. Color him skeptical