catallaxy files

catallaxy in technical exile

ClimateGate an inside job

There has been some debate as to whether the CRU had been hacked or whether an insider released the information. It now looks like it was an insider.

Canadian network engineer Lance Levsen, the UNIX systems administrator for the PW Group, a major Canadian publishing firm, has generated a detailed forensic analysis of the released e-mails and files.

The Saskatoon, Saskatchewan-based Levsen re-created the e-mail distribution system at UEA over the last ten years, capturing system changes by the university’s e-mail administrators during that time. Using information contained within the files that constitute the e-mails, as well as the filenames themselves, his modeling concludes and identifies the source for the leaked documents as an internal source within the University of East Anglia. The alleged “hacker”, Levsen concludes, must have been someone with administrative, or “root” privileges, to UEA’s secure computer systems.

The original post can be found here.

For the hacker to have collected all of this information s/he would have required extraordinary capabilities. The hacker would have to crack an Administrative file server to get to the emails and crack numerous workstations, desktops, and servers to get the documents. The hacker would have to map the complete UEA network to find out who was at what station and what services that station offered. S/he would have had to develop or implement exploits for each machine and operating system without knowing beforehand whether there was anything good on the machine worth collecting.

The only reasonable explanation for the archive being in this state is that the FOI Officer at the University was practising due diligence. The UEA was collecting data that couldn’t be sheltered and they created FOIA2009.zip.

It is most likely that the FOI Officer at the University put it on an anonymous ftp server or that it resided on a shared folder that many people had access to and some curious individual looked at it.

The simplest explanation in this case is that someone at UEA found it and released it to the wild and the release of FOIA2009.zip wasn’t because of some hacker, but because of a leak from UEA by a person with scruples.

While we’re on the topic of insiders, whistleblowers and people with scruples, it is worth comparing the CRU insider with Bradley Birkenfeld. So far the CRU insider has not identified themselves nor attempted to plea-bargain for a lesser sentence following a guilty plea to a criminal offence. Rather the CRU insider has released important information to the world for no personal gain (that we have yet to see).
(HT: Offsetting Behaviour)
Update: Mitchell Porter points out that this isn’t a new story. The bottom line seems to revolve around who is correct in this exchange.

Written by Sinclair Davidson

January 5, 2010 at 12:55 pm

Posted in Uncategorized

8 Responses

  1. The analysis overlooks something significant, namely that the Unix timestamps identifying the files indicate that they were at some point processed in North America.

    http://climateaudit.org/2009/12/07/a-sysadmins-perspective/#comment-208265

    and other comments up-thread.

    This was pointed out a month ago.

    Mitchell Porter

    January 5, 2010 at 1:33 pm

  2. if it wasn’t an insider, and it didn’t come from a central database, I don’t know what options that leaves.

    daddy dave

    January 5, 2010 at 4:46 pm

  3. “if it wasn’t an insider, and it didn’t come from a central database, I don’t know what options that leaves.”

    As Lance Levsen mentions, there are two parts to the zipfile: 1000+ emails which, although stretching across more than 10 years, are formatted and indexed homogeneously, suggesting a single source; and a documents directory containing code, data, and (at the top level) a jumble of random-looking files – unfinished grant applications, PDFs from elsewhere, even an amateur Photoshopping of AGW skeptics onto an ice floe.

    It looks like the emails were copied from the one place and then some highlights selected. Gavin Schmidt at RealClimate actually said “My information is that it was a hack into their backup mailserver.”

    http://www.realclimate.org/index.php/archives/2009/12/cru-hack-more-context/#comment-146364

    The documents are another story. But if you had a decade’s worth of mail to search, you could probably find a password or two being mentioned. So it’s conceivable that first the emails were copied, passwords were found, and then the other material was copied from personal filesystems.

    Mitchell Porter

    January 6, 2010 at 12:15 pm

  4. It has to be an insider/whistleblower. It seems there was knowledge of which emails and data were the most damaging or enlightening depending on which side of the East Anglia fence one sits on.

    jc

    January 6, 2010 at 12:21 pm

  5. A disgruntled insider is possible in principle. Pat Michaels and Michael Mann, now definitely on opposite sides, were once faculty at the same department at the same university (Environmental Sciences, University of Virginia). So in principle it’s possible that someone at CRU would be that opposed to what their colleagues think.

    However, I’d propose (1) that the assembly of the zipfile would not have required an insider’s knowledge (2) that the manner of its release suggests outsiders.

    Regarding (1): Given access to the emails and the private filesystems, it would not *require* an insider’s level of knowledge to select what they did. I think any recent participant at Climate Audit would consider a directory called “yamal” to be of interest, for example. I haven’t gone over the data/code side of the zipfile in any detail, but the emails have a hit-and-miss quality, if you’re searching for evidence of malfeasance. They’ve been filtered a little, perhaps by keyword searches, but there’s certainly a lot of banality left over. I suspect the same to be true on the data side.

    So I tend to think this was a fishing expedition by a person or team who had penetrated the CRU systems and who had a level of understanding possessed by the technically educated web-skeptics – e.g. the engineers and programmers who are unafraid to wade in and judge statistical procedures used by the climate researchers.

    Regarding (2): On the eve of the zipfile’s appearance on the web, RealClimate was locked down for maybe half a day, and Gavin Schmidt later wrote that the RC server had been hacked, usual users locked out, and a post scheduled containing a link to the zipfile at the Russian ftp site. The way it actually showed up was in comments at Steve McIntyre’s and Jeff Id’s blogs. The RC hack was discovered only because one of the regular users tried to access the site, and presumably they got the site host to unlock it.

    That sequence of events says to me that someone got the CRU files, made up the zipfile, stashed it on the Russian site, and intended for it to be announced to the world at RealClimate. But the plan screwed up, so instead they resorted to posting the link at their favorite skeptic blogs. If the RC hack had worked, I think people, even skeptics, would be far more inclined to think “hack” rather than “leak”; but the way things turned out has had the unintended minor side-effect of promoting the whistleblower interpretation.

    I should also repeat that the numeric identifiers of the emails suggest reprocessing in a North American timezone.

    I think of the hackers and their backers as gung-ho types from the American Right, basically. It’s a sort of Iran-contra for the climate wars. Consider Kent Clizbe (see Sinclair’s latest post). He’s ex-CIA, has a book coming out on how KGB agents created Hollywood political correctness, and now he’s trying to shut down the AGW machine (google “NOC-NOW”) by teaming up with a fraud lawyer and writing to Michael Mann’s colleagues. Clizbe is operating within the law, but I can easily imagine a Pentagon cyberwar alumnus teaming up with some other pals from this broad milieu and deciding to extrajudicially kick some alarmist butt. (Though you hardly need posit military levels of hacking skill; university I.T. systems are not exactly hard targets, I would think.)

    Mitchell Porter

    January 6, 2010 at 2:51 pm

  6. Mitchell – don’t you think that is a bit too conspiratorial? I love a good conspiracy theory, don’t get me wrong, but the stock standard disgruntled employee, slighted or passed over for promotion, doing the dirty on his or her colleagues is the more mundane and plausible explanation. I’m just wondering why the super-secret former spooks didn’t seed the emails or documents with more incriminating stuff?

    Sinclair Davidson

    January 6, 2010 at 6:19 pm

  7. Yep, the old rule – if you’ve got a choice of a conspiracy or a cockup, bet on the cockup every time.

    ken nielsen

    January 6, 2010 at 6:51 pm

  8. “I’m just wondering why the super-secret former spooks didn’t seed the emails or documents with more incriminating stuff?”

    Risky. Unnecessary. Probably that was never even on the agenda. It was always about airing dirty laundry, not fabricating evidence.

    Mitchell Porter

    January 6, 2010 at 7:50 pm

