
Muir Russell report on CRU's computer network and security during the SwiftHack cyber-attack

July 8th, 2010 (12:19 pm)

From Sir Muir Russell's report on the "Climategate" non-scandal, page 101, section 11.3.1:

  1. IT Organisation. In common with other areas of the Science Faculty, CRU [the Climatic Research Unit of the University of East Anglia] operates largely independently of the central IS [information systems] functions of the UEA. [...] CRU has its own local [computer network] architecture based on a mix of individual PC based and server based processing. In common with many other research groups across the university, this is distinct from the UEA preferred model of client-server operation. Internet communications for CRU is however routed over the university network and through the university firewall. CRU has its own IT Manager for whom CRU is 40% of his workload. CRU originally had no central backup arrangements for the individual researchers' PCs however its IT Manager introduced automated backup (using open source software) to a simple server held securely within the Central IS machine room.
This sort of confirms my earlier guess over at the Air Vent that there was a system for backing up e-mails from Windows machines in addition to a system to back up mail right at the (central) UEA gateways. Note that although the Windows backups are managed by CRU staff, they're said to go to the "Central IS machine room", i.e. the backups are kept somewhere in UEA's central computing facilities. This is interesting.

Unfortunately, there's not much detail beyond that. From the same section, on page 102:
  1. Policy. A high level 'Information Systems Policy' and a related 'Information Security Policy'[4] were agreed and put in place in 2005 under the aegis of UEA's Information Systems Strategy Committee (ISSC), which includes representatives of all four Faculties. Low level, detailed, security policies had been developed and put in place by 2007[5].
[4] These can be downloaded from: http://www.uea.ac.uk/is/itregs/ictpolicies
[5] A draft Security Manual (not available for public download) was received by the Review on 8th February.
And on page 103, section 11.3.3:
  1. Information security. We found that the basic security processes had been appropriately specified and documented by the UEA's Information Systems Strategy Committee. We are constrained in our detailed findings by the fact that a police investigation into the unauthorised release of information is ongoing.
Argh.

Update 2010-08-21: I wasn't entirely correct: the central UEA e-mail service did not store long-term backups of mails.

Comments

Posted by: ((Anonymous))
Posted at: July 8th, 2010 12:50 pm (UTC)
Not sure about your interpretation

Section 22 suggests to me that their files were backed up, not that their emails were backed up a second time. I also can't see the IT manager wanting this to happen as it creates a significant security risk for no reward. I'm fairly sure that it is talking about the files they are saving on their personal spaces, which it seems do not sit on a SAN like at most universities. What a whacky set-up.

Katabasis.

Posted by: Decoding SwiftHack (ijish)
Posted at: July 8th, 2010 01:57 pm (UTC)
Re: Not sure about your interpretation

The cracked e-mails suggest that some of the e-mails were downloaded by Eudora clients and their attachments saved on the c: drive, along with the scientists' other working files. So the e-mails and attachments (as received by Eudora) would get backed up along with all the other files, even if this wasn't the original intent. At least, that's the way it looks to me at the moment.

Anyway, the setup does look pretty whacky. I think the IT Manager was overworked and under-resourced. :-|

Posted by: ((Anonymous))
Posted at: July 11th, 2010 08:13 pm (UTC)
Argh indeed.

In ordinary English: Muir Russell et al. were asked by the Norfolk Constabulary not to divulge certain gory details on how the CRU systems were set up, 'in the interest of the investigation'.

Note also this:

http://www.cce-review.org/evidence/Report%20on%20email%20extraction.pdf

The cops are VERY secretive!

Do you also wonder why?
