By charles the moderator
Rodin’s The Thinker at the Musée Rodin.
Author CJ. Licensed under Creative Commons.
I have a theory.
With the blogosphere all atwitter about the emails and data “stolen” from the Climatic Research Institute at the University of East Anglia, two theories have become dominant describing the origin of the incident.
- CRU was hacked and the data stolen by skilled hackers, perhaps an individual or more insidiously some sophisticated group, such as Russian agents.
- An insider leaked the information to the NSM (non-mainstream media)
Theory number one is the preferred explanation of the defenders of CRU. This allows them to portray CRU as victims of illegal acts. It allows them to scream bloody murder and call for an investigation of the crime. How can we take the fruits of hideous crime seriously? The end does not justify the means!
One of our favorite writers, Gavin Schmidt, has expanded on this theme with the report:
He [Gavin] said the breach at the University of East Anglia was discovered after hackers who had gained access to the correspondence sought Tuesday to hack into a different server supporting realclimate.org, a blog unrelated to NASA that he runs with several other scientists pressing the case that global warming is true.
The intruders sought to create a mock blog post there and to upload the full batch of files from Britain. That effort was thwarted, Dr. Schmidt said, and scientists immediately notified colleagues at the University of East Anglia’s Climatic Research Unit.
http://www.nytimes.com/2009/11/21/science/earth/21climate.html
I believe the above statement by Gavin to be a big bunch of hooey. I believe the “hack” was a posting of the same blog comment which was posted at The Air Vent, which was also submitted here at WUWT, but never was visible publicly, because all comments are moderated and publicly invisible until approved by an administrator or moderator. Many of you have already seen it:
We feel that climate science is, in the current situation, too important to be kept under wraps.
We hereby release a random selection of correspondence, code, and documents.
Hopefully it will give some insight into the science and the people behind it.
This is a limited time offer, download now:
http://ftp.tomcity.ru/incoming/free/FOI2009.zip
Sample:
0926010576.txt * Mann: working towards a common goal
1189722851.txt * Jones: “try and change the Received date!”
0924532891.txt * Mann vs. CRU
0847838200.txt * Briffa & Yamal 1996: “too much growth in recent years makes it difficult to derive a valid age/growth curve”
0926026654.txt * Jones: MBH dodgy ground
1225026120.txt * CRU’s truncated temperature curve
1059664704.txt * Mann: dirty laundry
1062189235.txt * Osborn: concerns with MBH uncertainty
0926947295.txt * IPCC scenarios not supposed to be realistic
0938018124.txt * Mann: “something else” causing discrepancies
0939154709.txt * Osborn: we usually stop the series in 1960
0933255789.txt * WWF report: beef up if possible
0998926751.txt * “Carefully constructed” model scenarios to get “distinguishable results”
0968705882.txt * CLA: “IPCC is not any more an assessment of published science but production of results”
1075403821.txt * Jones: Daly death “cheering news”
1029966978.txt * Briffa – last decades exceptional, or not?
1092167224.txt * Mann: “not necessarily wrong, but it makes a small difference” (factor 1.29)
1188557698.txt * Wigley: “Keenan has a valid point”
1118949061.txt * we’d like to do some experiments with different proxy combinations
1120593115.txt * I am reviewing a couple of papers on extremes, so that I can refer to them in the chapter for AR4
I was the first at WUWT to see the comment above and immediately embargoed it. After discussions and many phone calls, we finally began to refer to the information after, and only after, we saw that it was available elsewhere, such as The Air Vent, and also after we knew that CRU was aware that it was circulating on the web.
Gavin’s elaborate description of the hacking attempt at RC is, in my humble opinion, nothing more than an attempt to add meat to the hacking theory in order to increase the vilification of the theoretical hackers. Gavin has demonstrated this kind of misdirection in the past in the Mystery Man incident where he attempted to obfuscate his own involvement in a data correction to station files held by the British Antarctic Survey. In this new spirit of transparency Gavin, why don’t you send Anthony the log files that demonstrate this attempted break in at realclimate.org?
After all, this is a criminal act of vandalism and of harassment of a group of scientists that are only going about their business doing science. It represents a whole new escalation in the war on climate scientists who are only trying to get at the truth. Think — this was a very concerted and sophisticated hacker attack. …Or at the next level, since the forces of darkness have moved to illegal operations, will we all have to get bodyguards to do climate science?
Sigh…and sigh again.
Theory number two is the preferred explanation of, for want of a better term, the Skeptics Camp. It is a romantic thought. Some CRU employee, fed up with the machinations, deceit, and corruption of science witnessed around him or her, took the noble action of becoming whistle-blower to the world, bravely thrusting the concealed behavior and data into the light for all to see. This theory is attractive for all the right reasons. Personal risk, ethics, selflessness etc.
I would like to offer a third possibility based on a bit of circumstantial evidence I noticed on the Web Saturday afternoon.
There’s an old adage, never assume malice when stupidity or incompetence will explain it.
A short time ago there was a previous leak of CRU data by an insider. In this case, Steve McIntyre acquired station data which he had been requesting for years, but someone inside CRU unofficially made the data available.
In this case, many commentators had various guesses as to the motivation or identity of the disgruntled mole even proposing that perhaps a disgruntled William Connelly was the perpetrator.
Of course it turned out that Phil Jones, director of CRU, himself had inadvertently left the data on an open FTP server.
Many have begun to think that the zip archive FOI2009.zip was prepared internally by CRU in response to Steve McIntyre’s FOI requests, in parallel with attempts to deny the request in case the ability to refuse was lost. There are many reasons to think this is valid and it is consistent with either of the two theories at the beginning of this post. Steve McIntyre’s FOI appeal was denied on November 13th and the last of the emails in the archive is from November 12th.
It would take a hacker massive amounts of work to parse through decades of emails and files but stealing or acquiring a single file is a distinct possibility and does not require massive conspiracy. The same constraints of time and effort would apply to any internal whistle blower. However, an ongoing process of internally collating this information for an FOI response is entirely consistent with what we find in the file.
In the past I have worked at organizations where the computer network grew organically in a disorganized fashion over time. Security policies often fail as users take advantage of shortcuts to simplify their day to day activities. One of these shortcuts is to share files using an FTP server. Casual shortcuts in these instances may lead to gaping security holes. This is not necessarily intentional, but a consequence of human nature to take a shortcut here and there. This casual internal sharing can also lead to unintentional sharing of files with the rest of the Internet as noted in the Phil Jones, CRU mole, example above. Often the FTP server for an organization may also be the organization’s external web server as the two functions are often combined on the same CPU or hardware box. When this occurs, if the organization does not lock down their network thoroughly, the security breaches which could happen by accident are far more likely to occur.
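The overlap described above can be checked for mechanically. The following is an added example, not part of the original post: a Python audit that walks a web document root, follows symlinks, and reports world-readable files that actually live in an FTP or shared directory. The directory layout, file names and function names are constructed for illustration, and the "other" read bit is used as a stand-in for "the web server account can read it".

```python
import os
import stat
import tempfile
from pathlib import Path


def _inside(child, parent):
    """True if resolved path `child` is `parent` or lies beneath it."""
    try:
        child.relative_to(parent)
        return True
    except ValueError:
        return False


def find_web_exposed(docroot, share_dirs):
    """Return sorted (url_path, real_path) pairs for world-readable files that
    live in a sharing directory yet resolve from a path under the web root."""
    docroot = Path(docroot).resolve()
    shares = [Path(d).resolve() for d in share_dirs]
    seen_dirs, findings = set(), set()
    for current, dirnames, filenames in os.walk(docroot, followlinks=True):
        real_dir = Path(current).resolve()
        if real_dir in seen_dirs:      # symlink loop or second link to same dir
            dirnames[:] = []
            continue
        seen_dirs.add(real_dir)
        for name in filenames:
            served = Path(current) / name
            real = served.resolve()
            try:
                mode = real.stat().st_mode
            except OSError:            # dangling symlink: nothing is served
                continue
            if not any(_inside(real, s) for s in shares):
                continue
            if mode & stat.S_IROTH:    # assumption: web server runs as "other"
                url = "/" + served.relative_to(docroot).as_posix()
                findings.add((url, str(real)))
    return sorted(findings)


def build_demo_tree(base):
    """Constructed layout: an FTP drop directory outside the web root that
    staff have linked into it, holding one shared and one owner-only file."""
    base = Path(base)
    docroot, ftp = base / "www", base / "ftp" / "incoming"
    docroot.mkdir(parents=True)
    ftp.mkdir(parents=True)
    (docroot / "index.html").write_text("<h1>home</h1>")
    (ftp / "archive.zip").write_bytes(b"PK constructed sample")
    (ftp / "archive.zip").chmod(0o644)
    (ftp / "draft.txt").write_text("owner-only")
    (ftp / "draft.txt").chmod(0o600)
    (docroot / "pub").symlink_to(ftp, target_is_directory=True)  # the shortcut
    return docroot, [ftp.parent]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root, shares = build_demo_tree(tmp)
        for url, real in find_web_exposed(root, shares):
            print(f"exposed: {url} -> {real}")
```

Run against a real host, the arguments would be the server's configured document root and the FTP or shared-drive directories staff use for internal exchange.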
Since Friday November 20th a few users noticed this interesting notice on the CRU website.
This website is currently being served from the CRU Emergency Webserver.
Some pages may be out of date.
Normal service will be resumed as soon as possible.
Here is a screen grab for posterity.
So as part of the security crackdown at CRU they have taken down their external webserver? Network security professionals in the audience will be spitting up coffee all over their keyboards at this point.
So this is my theory, and this is only my theory:
A few people inside CRU possessed the archive of documents being held in reserve in case the FOI appeal decision was made in favor of Steve McIntyre. They shared it with others by putting it in an FTP directory which was on the same CPU as the external webserver, or even worse, was on a shared drive somewhere to which the webserver had permissions to access. In other words, if you knew where to look, it was publicly available. Then, along comes our “hackers” who happened to find it, download it, and the rest is history unfolding before our eyes. So much for the cries of sophisticated hacking and victimization noted above.
If I had to bet money, I would guess that David Palmer, Information Policy & Compliance Manager, University of East Anglia, has an even chance of being the guilty party, but it would only be a guess.
To repeat the basic premise of this theory.
There’s an old adage, never assume malice when stupidity or incompetence will explain it.
™ CRUtape Letters, is a trademark of Moshpit Enterprises.


Incidentally, I’ve now heard that AGW will lead to greater numbers of vampires, zombies, and Godzilla attacks.
The careless/stupid scenario makes more sense than the alternatives. Whoever got into the FTP server probably found the zip file already prepared for exploitation. It makes little sense that someone would break into the server, download the entire volume, and then sort/organize hundreds of megabytes for later publication.
Like you, I believe that the CRU boys are the unwitting architects of their own outing.
Deja vu, all over again – the gang that couldn’t shoot straight!
BBC Daily Politics had a discussion today about UEA/CRU and Andrew Neil – Presenter actually asked some skeptical questions.
Well Done that man!
Prof Singer and Watson on a head to head. Around 17 minutes into the show.
http://www.bbc.co.uk/iplayer/episode/b00p6sdy/b00p6scv/The_Daily_Politics_23_11_2009/
From what IP address was the attempt to post at WUWT made?
Senator Inhofe has stated that, if the revelations continue over the Thanksgiving break, he will bring up the issue when the Environment and Public Works committee gets back to work next week.
Check out the interview in which he made the statement at:
http://www.youtube.com/user/JimInhofePressOffice#p/u/1/zH6_hmEgfCs
One can follow the issue at:
http://epw.senate.gov/public/?CFID=14409666&CFTOKEN=37691713
NK 09:05:06:
“I blame…….the Higgs Boson.”
I reckon that’s about right, NK. It’s surely no coincidence that all this stuff broke loose last week just as those chaps in Switzerland were starting up their – what’s it called? – – the Large HADCRUT Collider?
Charles–
in all seriousness, your explanation is very plausible, it certainly passes Occam’s Razor. Congratulations. Let me add one observation to Chainpin’s question of why would this file “…contain such damning evidence… Something doesn’t add up.”
It’s possible this file was put together as a potential response to the FOI request, and circulated around CRU for review and a decision as to whether to release per the FOI. When the CRU types reviewed, they opted to stonewall, and no way let this file see the light of FOI day. Someone disagreed, and posted the file. Who and why? those are the pertinent questions. My naive hope is someone who was unhappy with the CRU crew’s attempt to stonewall the public. Although it was probably a CRU crewmember with some kind of grudge.
Hmm, not sure about the cock-up theory, but one thing is for sure. Those files were gathered together by someone in the know about these things. There’s just too much of it that applies to the sort of things we are discussing for it to have been done by some random guy on the internet. Being very good at getting into servers doesn’t automatically mean that person would know what is useful, and what is not, unless of course, they’ve been following WUWT and CA since their inception. I think the extra material that was put in along with the controversial material, plus the notice that it is a random selection of a possibly bigger set, was put there to put people off the scent.
We’ve already seen an email from Jones telling people to delete emails, it’s very unlikely that he would leave that email about for a possible FOI request, along with an admission that he had already smoothed things with some FOI officers so that information could be withheld. This has to be a major embarrassment for those FOI officers too.
Notice too that there are no emails to loved ones asking if they need milk, or something, collected on the way home, or speculation about a rugby match (Didn’t I see Briffa with a Wallabies shirt on in one of the photos of him?). This has all the fingerprints of someone on the inside, in the know. Hopefully, time will tell.
Charles
Your Theory III makes sense. If it was not password secured, is it even “hacked” or just a free public download?
Recommend verifying whether CRUTape Letters is actually a “Registered” trademark, or if it is simply “Trademarked”.
Trademarks and Copyrights Frequently Asked Questions
Anyone has the right to add the TM symbol to put the public on notice that they consider the word a proprietary mark. However, it takes quite some time and expense to formally have a mark “registered”. There has hardly been time to file the paperwork, let alone have any trademark office respond. I highly doubt that it is “registered”. Thus recommend marking it as TM – a trademark, until you have official confirmation of formal registration.
James Inhofe comments
Blame President Bush. He triggered a global economic crisis.
This is classic defense playing out. They act all violated and feign outrage to distract from the content of the e-mails and guilt in manipulating both data and weights on different years by tweaking the programs.
Clinton helped a troubled intern. Jones and Mann just are protecting us from the evil sceptics. I can’t abort a 2 year old toddler and appeal to privacy.
They can’t manipulate data and manipulate peer review and evoke some privacy protection.
I have another theory.
The files included in this leak were extracted from the main servers in preparation for the possible successful FOI request. This was done following an internal review of likely contentious material.
The internal review would have come up with an “Eeek, we’re screwed if this lot gets out!” response. This then triggered the purge of the main servers in preparation for a complete (apparently) opening up to external scrutiny.
My belief is that this purged material was on a back-up/DR server, and the main servers have already had this material removed. They just had not got around to purging the back-ups yet.
As to who did it/how it got out – how about either the IT support function, or…the person tasked with responding to FOI requests, the one pressurised by Jones and the VC, et al?
You don’t need an FTP server if you have a website.
Someone I work with and know wants our full client address list pronto, but they are halfway across the globe.
They email me with the request.
I upload the file via FTP to my website, conveniently named mywebsite.com, and email my colleague to type http://mywebsite.com/addresslist.zip into their browser, and to email me when they have obtained and verified the data.
I receive their email and via my ftp program, I delete addresslist.zip, or if I am devious, I upload a file of garbage with the name addresslist.zip in its place.
Job done, and unless there are active spies surveying the files on my website,
not easily hacked in the time it takes.
I can not imagine they would give out these sensitive data/code/emails, even if forced by FOIA. I can imagine they would give out some filtered information, treering data without metadata and so on. I think the name “FOIA2009” was a neat idea of the CRUmole.
In this case, never assume stupidity or incompetence, when malice will explain it.
Enough talk… some action at last.
http://www.taxpayersalliance.com/campaign/2009/11/cru-emails-reveal-inconvenient-truths-about-foi.html
Maybe it is my imagination but I recall someone making a comment about the irony that the data that McIntyre obtained earlier in the year was in a subdirectory named FOIA or something. The memory is vague but I do seem to recall someone making a comment about the irony of it.
I’m thinking this collection is more along the lines of “Stuff to be deleted in the event of an unfavorable ruling on the FOI request”.
Well, I have not heard anyone deny the validity of any one email, so, it’s time to press forward with an investigation. Don’t forget, there is 100Meg more to come.
SJones (09:07:23) :
I agree with your theory that the file contained emails and other files intended for destruction. Why would such incriminating information be collected in anticipation of having to turn it over to your most ardent skeptics?
After all, they have spent more than the last decade hiding their activity!
I would like to offer a variant.
There is an internal, behind the scenes investigation going on. This file was created to help define the scope of the problem.
What I would like to see is the rest of the emails, the working documents, and all of the code as well as the change history for the documents and code.
In general I prefer the cock up theory of history to the conspiracy one: which does not mean conspiracy does not go on as can be seen here.
So I think this supposition quite plausible if someone in admin put the files together ready to meet an FOI request if it passed. Presumably the collection is most files and only those relevant to an FOI would have been selected for release.
How it then got into the electronic ether and to whom who knows? The possibilities are endless, from finger trouble upwards.
So pretty plausible CTM, a very useful insight indeed.
Kindest Regards
This seems like a reasonable alternate to the insider feeling outrage and posting it. Having worked with network security, users always want access to things and rarely understand the security implications of where things are stored.
And as pointed out CRU has already demonstrated once that they can’t keep proper track of where they are storing things when they put data they didn’t want released on a public FTP server.
Theory 3 is solid and I would say the most likely scenario. I might rate them something like this.
10% chance it was a hacker.
30% chance it was an insider.
60% chance that it was an open FTP server.
That is just ball park figures but gives a feel for how likely I think each scenario is. I’ll note that the hacker hasn’t felt right as an explanation from the beginning.
“We hereby release a random selection of correspondence, code, and documents.”
Has anyone discussed the phrase “Random Selection”? Doesn’t this imply a larger section of Data may have been liberated and this 61 megs was just a sample?
If so I wonder when the rest of the data will be released?
Theory 3 is the most logical presented so far. Data placed on a public ftp server is not stolen, it’s picked up like a quarter lying on the sidewalk. I would bet that CRU now knows what happened, thus they shut down the server.
The comment by Pierrehumbert is telling. He’s essentially proving Jerry Pournelle’s “Iron Law of Bureaucracy” case.
This isn’t THEIR data; it’s my data. And yours. I paid for it, as did you. It belongs to us, and we may do with it as we please. It’s not up to Pierrehumbert to dole it out to those possessing the magic key or otherwise demonstrating worthiness to his satisfaction.
Of all of the things in this case, this one is the part that’s ultimately the most damaging, this assumption that the public pays for these people to run a fiefdom as they jolly well please.
The emails and the code commentary are interesting but don’t seem to demonstrate a concerted conspiracy. Sure there’s turf wars with others and blockades to control the mechanism of peer review. This is all part of how the big boys do it everywhere, not just here. The contents of the data release will not likely yield a smoking gun so much as provide some of the data that was supposed to have been released years back via FOIA.
In sum, the travesty playing out is that this is the data that will affect the lives of billions if certain political aims are achieved. Certainly something of this level of importance ought to have been gone through with a fine tooth comb and universally agreed upon accordingly. And they have been withholding the data as if it’s part of their personal playground.
“Disgusting” doesn’t even begin to cover Pierrehumbert’s assertion.