Climategate evidence suggests release was a leak

UNIX e-mail server, at East Anglia.

Additionally, since the protocol in use for these e-mails was “POP3” (Post Office Protocol v.3), these e-mails were later assembled onto another, second computer for archiving and storage. One of the features of POP3 is that the e-mails themselves are downloaded to the client machine and then expunged from the original server. This means that the e-mails and documents were archived on the second server, and it is on this second server that the e-mails would have received the filenames they bear now.
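The download-then-expunge behaviour described above, as an added example that is not part of the original article: a simplified in-memory model of POP3 maildrop semantics (RFC 1939), showing that filenames are assigned by the downloading client and that the server copy disappears only when the client issues DELE and ends the session with QUIT. The class and function names, the `msg-NNNN.txt` naming scheme and the sample messages are hypothetical.

```python
import tempfile
from pathlib import Path

class Maildrop:
    """Server-side mailbox. DELE only marks; removal happens at QUIT (UPDATE state)."""
    def __init__(self, messages):
        self.messages = dict(enumerate(messages, start=1))  # message number -> bytes
        self.marked = set()

    def retr(self, n):
        if n not in self.messages or n in self.marked:
            raise KeyError("-ERR no such message")
        return self.messages[n]

    def dele(self, n):
        self.retr(n)            # same validity check as RETR
        self.marked.add(n)      # marked only, still on the server

    def quit(self):
        for n in self.marked:   # UPDATE state: marked messages are expunged
            del self.messages[n]
        self.marked.clear()

    def drop_connection(self):
        self.marked.clear()     # no QUIT, no UPDATE state: nothing is removed

def fetch_and_archive(maildrop, archive_dir, delete=True):
    """Client side: download each message and name the file locally."""
    names = []
    for n in sorted(maildrop.messages):
        path = Path(archive_dir) / f"msg-{n:04d}.txt"  # hypothetical client-chosen name
        path.write_bytes(maildrop.retr(n))
        names.append(path.name)
        if delete:
            maildrop.dele(n)
    maildrop.quit()
    return names

if __name__ == "__main__":
    server = Maildrop([b"Subject: constructed sample 1", b"Subject: constructed sample 2"])
    print(fetch_and_archive(server, tempfile.mkdtemp()), "left on server:", len(server.messages))
```

A client configured to leave mail on the server (`delete=False` here) never sends DELE, so whether the original server still holds copies depends on client configuration.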

The file structure of the original FOI2009.zip file that was released via the Internet also gives clues to the origin of the leak. The copy obtained by the Homeland Security News Wire shows a directory structure which is consistent with the archiving of important documents. This system of archiving the e-mails and documents on the second server is, according to Levsen, fully consistent with the normal data storage compliance practices that would be conducted by a Freedom of Information (FOI) compliance officer at a public corporation (like the University of East Anglia) in the United Kingdom.

This being the case, Levsen concludes:

“For the hacker to have collected all of this information s/he would have required extraordinary capabilities. The hacker would have to crack an Administrative file server to get to the emails and crack numerous workstations, desktops, and servers to get the documents. The hacker would have to map the complete UEA network to find out who was at what station and what services that station offered. S/he would have had to develop or implement exploits for each machine and operating system without knowing beforehand whether there was anything good on the machine worth collecting.”

In short, Levsen’s conclusion is that the e-mail and data leaks were not the result of an intrusion; they were an internal leak. Climategate was not precipitated by a hacker, but by a whistle-blower.

All this illustrates what is probably the most difficult and overlooked part of network security: the people within the organization and their trustworthiness.

An old Jewish proverb relates that “Locks keep out only the honest”, often supplemented by a more recent wit who related “There is not a lock made that can’t be picked…” There is always someone who has the key, but exactly who is that person, and have copies been made? Computer security is often only as good as the personnel and human procedures designed to protect its integrity. The evolving East Anglia saga highlights this recurring challenge.