Friday, Aug 19, 2011

+++Has the Climategate hacker just spoken?+++

Aficionados of the Climategate story know that the person behind the disclosures signed themselves "RC", a reference presumably to RealClimate. They linked to a file called FOIA.zip on the RealClimate server.

Steve M has been speculating that RC was a UEA insider, who held back some important parts of the email archive as a bargaining chip:

Let’s suppose that U of East Anglia discovered who had the emails and also knew that the person had a big hold back that he’d secreted away somewhere. If you were Acton or Trevor Davies, would you be prepared to enter into a confidential agreement to drop all charges if the leaker turned over his copies of the holdback? It would be very tempting.

If you were the leaker, would you be prepared to turn over all copies of the holdback in exchange for East Anglia dropping all charges and maintaining confidentiality? It would be very tempting.

Thinking in such terms, there isn’t a whole lot of incentive for the University to find the leaker or for the leaker to drop another bomb. Sort of a Cold War standoff. I wonder…

Last night, someone signing themselves RC and again using their website link as http://www.realclimate.org/FOIA.zip left the following comment.

There was no deal made.

Was this the real RC? Has the mystery man just spoken? Let's see...


Reader Comments (103)

The whistleblower, and whistleblower it very clearly was, had access over a fairly long period of time. He almost certainly had assistance, at least at the release stage, possibly from outside UEA. Suspects would have to fit the bill of access over a long period - more likely an IT man than a faculty member. UEA would almost certainly have been able to identify the individual to their own satisfaction. They have spent a lot of man hours on the matter and they KNOW exactly what emails were withheld. The threat did not need to be mentioned and I suspect that they dare not risk the possible release of what was withheld.

I hope that his (or her) name eventually comes out so that we can all express our acclamation.

Aug 19, 2011 at 9:24 PM | Unregistered Commenter Ken Harvey

If there is a bunch of withheld get-out-of-jail insurance mails, I for one would certainly like to have a look at those too.

In my opinion, the originally released ClimateGate-mails were pretty damning, and both confirmed and exceeded my darker misgivings about the poor state of climate research.

If there were more of those, however, they would only reinforce what is already common knowledge among the open minded. To function as an insurance, there would have to be proof of criminal activity on behalf of some named and higher ranking UEA members.

But I have a hard time believing that this really is the case, and the result of an agreement or stand-off ..

Aug 19, 2011 at 10:15 PM | Unregistered Commenter Jonas N

Almost two years have passed; no admissions of wrongdoing.

If world leaders tricked leaders of scientific organizations and the news media into cooperating with them to present anthropogenic climate change as the "common enemy" in order to save the world from mutual nuclear annihilation, as I suspect:

http://dl.dropbox.com/u/10640850/20110722_Climategate_Roots.pdf

Then we cannot put the genie back in the bottle now - some 40 years later.

Can we instead find an exit strategy to restore basic human right to govern?

http://dl.dropbox.com/u/10640850/20110815_Climategate_Harmony.pdf

With kind regards,
Oliver K. Manuel
Former NASA Principal
Investigator for Apollo

Aug 19, 2011 at 11:18 PM | Unregistered Commenter Oliver K. Manuel

All we need now is evidence of security, hacking and/or networking being a long-time hobby of Briffa, and speculations will stop.

Or a long time hobby of one of his friends and colleagues in Russia. Russia, of course, being where those famous trees and that famous server are. Coincidentally...

It's even on record that Briffa did take a copy of his "emails" home. Yeah, right: of course it was only the emails.

For me this story is screaming the leaker's name left, right and centre.

Aug 20, 2011 at 12:50 AM | Unregistered Commenter Maurizio Morabito

"+++Has the Climategate hacker just spoken?+++"

Judging by the reaction, action and non-action of certain people at CA the answer may well be YES!

Buy popcorn options!

Aug 20, 2011 at 1:20 AM | Unregistered Commenter Green Sand

@ Bebben Aug 19, 2011 at 8:48 PM

I believe Gavin wrote that four or five downloads had taken place from the unnoticed 'miracle comment' at CA. But has any commenter at CA or elsewhere confirmed that he/she downloaded the zip file?

I thought I had seen this same (to the best of my knowledge unsubstantiated) claim from Gavin as well, and fairly recently. But when I went back to find it last night (in RC's Nov. 20/09 post on the matter - which is where I would have expected to find it), I could not put my mouse on it! But I see that you've now posted the link and a question over at CA. Your link is to Gavin's "reconstruction" of Nov. 23/09:

[...]Curiously, and unnoticed by anyone else so far, the first comment posted on this subject was not at the Air Vent, but actually at ClimateAudit (comment 49 on a thread related to stripbark trees, dated Nov 17 5.24am (Central Time I think)). The username of the commenter was linked to the FOIA.zip file at realclimate.org. Four downloads occurred from that link while the file was still there (it no longer is).

However, as Steve had noted in his Jan. 12/10 "The Mosher Timeline":

The link was so subtle that no Climate Audit readers appear to have downloaded the zipfile. No one mentioned it at the time and the first person to publicly refer to this hyperlink was … Gavin Schmidt. [emphasis added -hro]

However, the current version of Gavin's Nov. 20/09 "reconstruction" includes the following:

We were made aware of the existence of this archive last Tuesday morning when the hackers attempted to upload it to RealClimate, and we notified CRU of their possible security breach later that day. [emphasis added -hro]

Source: The CRU Hack

Setting aside the question of why anyone would even bother to upload to RC, clearly this was an attempt that failed. So how could anyone have downloaded it from there?! It's also worth noting that Revkin's account in the NYT [datelined Nov. 20] includes the following:

[Gavin Schmidt] said the breach at the University of East Anglia was discovered after hackers who had gained access to the correspondence sought Tuesday to hack into a different server supporting realclimate.org, a blog unrelated to NASA that he runs with several other scientists pressing the case that global warming is true.

The intruders sought to create a mock blog post there and to upload the full batch of files from Britain. That effort was thwarted, Dr. Schmidt said, and scientists immediately notified colleagues at the University of East Anglia’s Climatic Research Unit. [emphasis added -hro]

Source: Hacked E-mail Is New Fodder for Climate Dispute

Notice a few discrepancies, folks, between what Gavin told his readers and what he apparently told Revkin?! The only non-anomalous part is that this alleged "attempt to upload" did not succeed!

I also recall reading (somewhere at sometime in the past) that Gavin had chosen not to report this alleged "attempt" to the appropriate authorities. My recollection is that his excuse was something along the lines of "Oh, well ... there was just so much else going on, so we didn't". Nor, come to think of it, did he ever choose to "show his data" i.e. the server log entries demonstrating such an "attempt" (or putative "downloads").

Quite possibly his Nov. 23 "reconstruction" was an attempt to cover his "embellishments" when spinning to Revkin. But it would be a very convenient comment to highlight for the Norfolk Constabulary (and/or Scotland Yard's "eCrime Unit" who were "assisting"), wouldn't it?! Nah ... must be pure coincidence that Steve's CA and Jeff's TAV were the only 2 "beneficiaries" mentioned in Gavin's Nov. 23 "reconstruction" whose owners were initially contacted by the police. But I digress ...

Gavin was aware of this on Nov. 17. Three days later (Nov. 20) he claims that there was a "failed attempt to upload". Yet by Nov. 23, this "failed attempt to upload" had magically been transformed into 4 downloads (for which there is absolutely no corroboration)! In short, it appears that Gavin has been telling different stories to different people at different times.

YMMV, but in my books this is not a particularly good indicator of veracity. Not to mention that "Honesty is the best policy" is not a motto or maxim that immediately springs to mind when one thinks of The Team and its close associates.

FWIW, with the above in mind - and a few other points - last night I posted my exercise in speculation on this matter, derived from thinking outside the Inbox, so to speak, in this same thread at CA.

Aug 20, 2011 at 3:19 AM | Unregistered Commenter hro001

Hilary,
I remember a comment - on CA - from one of the four, confirming that he did download from that link.

Aug 20, 2011 at 4:00 AM | Unregistered Commenter shub

Hilary

In Gavin's comment on the "CRU context" thread, he says:

somebody hacked into the RC server from an IP address associated with a computer somewhere in Turkey, disabled access from the legitimate users, and uploaded a file FOIA.zip to our server.

This suggests they were successful. It's possible to read more into this than is actually there. The "attempt" angle might be simply that the whole plan came to nothing.

Aug 20, 2011 at 8:23 AM | Registered Commenter Bishop Hill

If we accept that the upload to RealClimate was successful then we can understand how four successful downloads could take place - i.e. people followed the link in the "miracle" comment at CA. I'm assuming that the timeline is something like

7:20 RC accesses RealClimate and uploads FOIA.zip
7:24 RC posts comment at Climate Audit
7:?? Four downloads take place
7:?? RC drafts blog post at CA
7:?? Administrators at RealClimate regain control before RC can publish.

Do we think that RC might have set up a timed blog post for some reason? It seems a little unlikely.

Aug 20, 2011 at 8:36 AM | Registered Commenter Bishop Hill

One point of difference seems to have been missed in the two years since climategate.
CRU is a university in the UK.
The UK law talks about freedom of information in terms of FOI, just like Australia.
Why was the zip file styled FOIA.zip, which would have been normal usage by Americans and by English persons, with residence and knowledge of USA FOI legal matters?

We are looking for a person:
* working at or with access to CRU
* climate science savvy
* climate politics savvy
* computer savvy
* knowledgeable about USA FOIA laws and requirements
* Either a stickler for good process (moral issue) or with a bee in his bonnet over CRU or their climate senior staff (angry about a slight or a tiff or - or a girlfriend or whatever)

Does this help at all with identification?

Aug 20, 2011 at 8:47 AM | Unregistered Commenter AusieDan

I agree with Maurizio. I've said it before and I'll no doubt say it again.

I believe it was a person who was ill - was it through worrying? He was aided by his colleague a "loose cannon".

Aug 20, 2011 at 9:14 AM | Unregistered Commenter Phillip Bratby

Bishop Hill, the thing is the only evidence we have of any uploading to Real Climate is from Real Climate themselves; from memory I recall that they claimed to have deleted this 'evidence' shortly after the story broke and there has been no independent source that has supported this claim. Given who is actually behind Real Climate and the people in the e-mails, they do have a strong interest in throwing as much dirt at these e-mails as they can in the hope some of it sticks, as after the CRU admitted their validity they could not deny them or all that was left was to devalue them.

Aug 20, 2011 at 9:47 AM | Unregistered Commenter KnR

KnR - we have the "A miracle just happened post" at CA with its link back to a file at Realclimate.

It is clear that whoever posted this knew a file was out there.

My view is it demonstrates there had been an attempt to upload a file to Realclimate.

If on the other hand you take the fanciful view that the post was a plant for purposes of disinformation then it still demonstrates advance knowledge of what was going on.

Aug 20, 2011 at 10:42 AM | Unregistered Commenter clivere

I am not clear about what the "attempted" and/or "successful" upload to RC involved. Does this mean that the leaker had passwords or the technical skills to obtain some back door into RC's website? What level of inside knowledge would be required and what level of technical hacking skills would be required?

Aug 20, 2011 at 10:46 AM | Unregistered Commenter Frederick Bloggsworth

The speculation is that information about access to Realclimate such as a password may have been contained within the email repository of the 3 researchers who used the CRU backup server.

Aug 20, 2011 at 10:49 AM | Unregistered Commenter clivere

I've always considered the most likely scenario to be the obvious insider who didn't like what they were up to. The other possibility is a highly organised group who intended it to look that way or happened to find that evidence and ensured it looked that way.

The other scenario is that there never was a hack or leak (it's too boring for most people and so isn't considered). All it needed was a "lost laptop/USB stick" or even someone taking work home and a boyfriend/relative gaining access to the FOI file. It could be someone with absolutely no computer expertise or no direct connection to the UEA who was lucky enough to send it to someone who then posted anonymously to hide the real origin.

Given that the UEA "lost" all their data, I think it is fair enough to say fate decreed they should also "lose" the FOI file ... all we don't know is whether it was cock or conspiracy.

Aug 20, 2011 at 11:56 AM | Unregistered Commenter Mike Haseler

I am not clear about what the "attempted" and/or "successful" upload to RC involved. Does this mean that the leaker had passwords or the technical skills to obtain some back door into RC's website? What level of inside knowledge would be required and what level of technical hacking skills would be required?

From my knowledge of PHP applications, such applications usually have small snippets of code where someone forgot to do the appropriate security checks. If a server has a number of such applications, any one of them could allow code to be written to the server and/or allow access to the database.

Once you have code on the server that allows you to read and write other code on the server, it is a pretty simple matter to get hold of database passwords and other upload or download files.

The situation is made worse with "public domain" software because much of it is written by amateurs and so not properly checked and anyone wanting to hack can easily obtain a complete code listing allowing them to find any weak spots.

As I understand it, there are people who actively seek to "break" public domain software. Some do it for fun and see their effort as improving the code, I can imagine that anyone who breaks code will want to inform others so I assume there are secret forums where it is possible to pick up the latest security hole.

I presume the unRealClimate website was hacked by someone who made use of these forums to find a suitable "key" to get into their site.

Aug 20, 2011 at 12:08 PM | Unregistered Commenter Mike Haseler

What about the chap who the CRU used to try and sort out their code? His name, comments and frustration come up in the climategate readme/data files but I forget what he's called just now (was it Harry?). Could it have been him? He certainly had the access and IT knowledge?

Aug 20, 2011 at 12:10 PM | Unregistered Commenter Robb

... Sorry I didn't answer your question. What level of expertise? For a PHP application, you could probably get away with a basic knowledge of PHP. There may even be instructions for people without PHP.

However, as you are sending very specific information and ideally want to hide your IP address I suspect you need to acquire some software to run on your own PC. In short ... I imagine any decent programmer with a PC and an internet connection could do it if they had the time and inclination.

Aug 20, 2011 at 12:15 PM | Unregistered Commenter Mike Haseler

Mike Haseler,

I think you are right. The key is the open source backup machine in Uni’s main computer facility. The FOI2009 file was not anything to do with processing FOIA requests. UEA have published all the CRU FOIA requests and most of the leaked emails have little to do with them. Moreover some emails that I know the CRU received that are relevant to my FOIA requests were not among the leaked emails.

What is overlooked here is that the CRU was a tiny group semi-detached from UEA in its own ivory tower but with enormous kudos that allowed it to do its own thing. However, someone meaning to be helpful put an open source backup server in the UEA computer centre just for the CRU. This put it inside the secure system the UEA had developed, and it is at least possible that anyone gaining access to it might also gain access to a lot else. This, I think, is why there has been such a fuss and the police are still on the case.

Take this for instance:

http://www.scoopstudy.ac.uk/Contact%20Pages/UEA%20contact.htm

Aug 20, 2011 at 12:45 PM | Unregistered Commenter David Holland

For completeness, following my comment to an earlier post, the 'exit node' from the anonymized chain ([normally] the point of connection to the final destination, and also where encryption [normally] ends) can be:
1. Anywhere on the surface of the earth where someone has volunteered their computer and connection (I've had both coasts of the USofA, Europe, Central Europe, the CIS, the middle, near & far Easts; oh, and just for completeness, Turkey)
2. On many 'spammer' or 'malware' lists, because they're sometimes used for unsavory purposes.
3. In different jurisdictions, with different privacy laws, making tracing all but impossible (there are ways, but .... )

Aug 20, 2011 at 2:00 PM | Unregistered Commenter Denier

Why are we here?
Because we're here
Roll the bones
Why does it happen?
Because it happens
Roll the bones

Think about it. If there was a large stash, and the hacker/leaker has released the more juicier bits, he wouldn't be able to bargain for his safety with the remaining less important bits, would he?

If he has salted away even more damaging stuff than what's in the Climategate set,...would someone go through all the trouble of releasing the comparatively less incriminating material, at great personal risk, only to turn around and bargain away the more incriminating material, for his/her personal safety?

Making deals with the University would violate the personal integrity of anyone who reads and *understands* these emails.

The fact, I think, is that RC responded openly to Steve McIntyre's speculation that he/she might have "struck a deal" with the UEA, because RC felt he/she needed to lay things clear on that point - "Hey, I am not a sell-out".

Aug 20, 2011 at 2:09 PM | Unregistered Commenter Shub

I wonder if RC is also getting concerned that nothing has changed. The whitewash investigations were to be expected, but in the last 6 months we've had Jones comments on the BBC about recent warming now being statistically significant, the continuing Yamal FOIA saga, the apparent ongoing Jones rehabilitation, the Paul Nurse BBC programme, Pachy's comments about integrity not applying to those compiling AR5.

If it's an inside job, UEA absolutely would have sacked the leaker unless they feared the consequences.
RC must have some information at least as good as was released before.

I suspect they've told the leaker that dismissal and loss of pension will follow another release. They think they have a tacit agreement through stalemate. RC is reminding them that they don't.

Aug 20, 2011 at 5:51 PM | Unregistered Commenter Peter Dunford

Peter Dunford I suspect they've told the leaker that dismissal and loss of pension will follow another release.

If they are a member of academic staff (lecturer, reader, professor) then I don't think dismissing them would be that easy. And their pension is probably administered by the Universities Superannuation Scheme (USS) and outside the control of the university.

Aug 20, 2011 at 6:29 PM | Unregistered Commenter Martin A

Yeah, shub, but I've always assumed fear not money. If authentic, our saviour is fearless.
===============

Aug 20, 2011 at 7:18 PM | Unregistered Commenter kim

Forgive me, shub, for misinterpreting 'sell-out' to mean anything so venal as money. There is so much in the market, and this one is no sellout, by any definition. And, I note, fearless.
=========================

Aug 20, 2011 at 7:49 PM | Unregistered Commenter kim

I hate to raise the point, but nothing changed. The damning emails stopped and changed nothing. If there is more, it is not looking likely it's going to be released.

So all great fun, but apart from bolstering the sceptical minds, nothing's changed. RC may be the only person on earth who can change it.

Aug 20, 2011 at 9:47 PM | Unregistered Commenter jason

@Aug 20, 2011 at 3:19 AM | Unregistered Commenter hro001

Hilary,
Gavin Schmidt claimed that access to the RC website was accomplished by using a "vertical privileges escalation vulnerability" in Wordpress, something that was widely known within the hacker community:

http://scintilla.nature.com/node/863053

Another mendacity from Schmidt?

Aug 21, 2011 at 4:35 PM | Unregistered Commenter Duke C.

We hear nothing from the whistleblower, who's held their silence for nearly two years, and suddenly out of the blue, an enigmatic comment provoked by seemingly nothing. Sorry, no sale on that one.

Pointman

Aug 22, 2011 at 1:48 AM | Unregistered Commenter pointman

For all we know Steve and RC could be having further contact through email.

Aug 22, 2011 at 7:30 AM | Unregistered Commenter Niklas

Shub,

I remember a comment - on CA - from one of the four, confirming that he did download from that link.

I went through all the comments in at least 3 related threads (including 500+ in the Mosher Timeline ... found some I'd made, that I'd forgotten about!) and the closest I found was someone having misinterpreted a comment from bender (who would never do such a thing!)

Duke C,

Thanks so much for pointing me to that article! Definitely another mendacity from Schmidt - or one of the quartet who put that together (and wait till you see what I did with it!)

Bish,

I hope you will forgive me, but I disagree ... and here's why:

Of Climategate, constabularies and Copenhagen: Gavin Schmidt’s ever-changing story

Aug 23, 2011 at 11:31 AM | Unregistered Commenter hro001

Have there been any updates to the 2010 "Revised Climategate Timeline?"

http://joannenova.com.au/2010/01/finally-the-new-revised-and-edited-climategate-timeline/

To fill in information on the Climategate roots,

http://dl.dropbox.com/u/10640850/20110722_Climategate_Roots.pdf

We need additional information on

a.) The start date of DoE contracts DE-AC02-79EV10098 and DE-AC02-81EV10739 to Phil Jones

b.) The association of Professors Owen Gingerich and Cees De Jager, and their relationship with Henry Kissinger

c.) The international agreement made on the Sun in meetings at the Bilderberg on 17-21, 1967.

http://www.cdejager.com/

http://www.fas.harvard.edu/~hsdept/bios/gingerich.html

http://en.wikipedia.org/wiki/Henry_Kissinger

O. Gingerich and C. De Jager, “The Bilderberg solar model,” Solar Phys. 3, 5-25 (1968): http://adsabs.harvard.edu/full/1968SoPh....3....5G

With kind regards,
Oliver K. Manuel
Former NASA PI for Apollo
omatumr2@gmail.com

Aug 23, 2011 at 12:35 PM | Unregistered Commenter Oliver K. Manuel

@Aug 23, 2011 at 11:31 AM | Unregistered Commenter hro001

No one (until now) has made an in-depth effort at scrutinizing Gavin Schmidt's role (pre-climategate to the present) in attempting to shape the public "meme". His presence in the whole affair is ubiquitous at the least, always an arm's length away, yet neck deep in his involvement with the Team. Thank you, Hilary.

It was curious to me at the time (circa Nov. 2009) that the explanations (i.e. Mike's Nature Trick) emanating from the spinmeisters at CRU were very similar to what Gavin was saying in his comments at RC. Did he have an active role as a damage control spin-advisor to CRU? Does he now? Was he a source for the Webster article?

Aug 23, 2011 at 5:56 PM | Unregistered Commenter Duke C.

Hilary - I do suggest you also read some of the information released during the enquiries at

http://www.cce-review.org

For example

http://www.cce-review.org/pdf/MR%2018%20Dec%20final%20IT%20Personnel.pdf

This suggests CRU were first notified by an "administrator" at realclimate. In order to notify them the administrator must have had access to and read some of the contents of the file.

I would make the observation that during the period in question that if Gavin Schmidt was involved as he has said then he would have been extremely busy on several fronts

1. Securing the realclimate website
2. Digesting the content and scope of the release
3. Notifying colleagues
4. Looking out for who else may have the file.
5. Deciding what to do

There was a lot of confusion at the time which was not helped by Paul Hudson's statements which led to the erroneous viewpoint that the BBC had seen a prerelease of the file. I would place at least some of the variations in Gavin's comments as down to the "fog of war".

Aug 23, 2011 at 6:02 PM | Unregistered Commenter clivere

Clivere,

Please don't assume that I haven't read the reports (and evidence - well, at least that which has been disclosed) of all the so-called inquiries - because I have, in great depth! Suggest you might want to read our host's analysis of these inquiries:

http://www.thegwpf.org/images/stories/gwpf-reports/Climategate-Inquiries.pdf

There was a lot of confusion at the time

Quite so. But, when people tell different stories to different people at different times, then you know they are not telling the truth - and that perhaps they are choosing to create, add to and use the confusion for less than honest purposes.

So, with the benefit of hindsight and looking at the trails of who said what to whom and when - not to mention that which has never been shown that would have instantly set the matter to rest - then their choices need to be brought to light.

You see, if someone broke into my home, the first thing I'd do is call the police - and show them the evidence! RealClimate didn't do this, and CRU didn't do this. And if I'd found that someone had "hacked" into my computer and "uploaded" a file - and if I had the comfortable relationship with high profile media people (such as the folks at CRU and RealClimate seem to have) - the first thing that I'd want to do is call one of these contacts (such as Revkin) and say "Andy, let me show you the logs for the last 24 hours on our system. We've been "hacked" and these idiots dropped this file onto our system".

That would have ended matters, would it not?! The very last thing I would be doing would be calling in the likes of Neil Wallis with his "heavy-hitting tabloid expertise"!

Strangely (or perhaps not!) none of the press reports I've seen give any indication that any evidence consistent with a "hack" has ever been presented to anyone. And I'll give you fair warning, Clivere, that should such "evidence" suddenly materialize following this comment - I would find it highly suspect (if not totally devoid of credibility!) to say the least. But I digress ...

My guess as to the most likely scenario from Nov. 17 - 19/09 (given the longstanding and highly conspicuous absence of any evidence to the contrary) is that there was no "hack" at RealClimate (or if there was it was for the purpose of a single download - possibly even of a file named "FOIA.zip"!)

And that someone (possibly RC) did nothing more "criminal" - or even harmful - than placing a version of the message that he dropped later in the day at WUWT, TAV and Warren Meyer's as a comment - which, of course would never have made it past moderation! And that's the only "evidence" they've ever had of this so-called "hack" at RealClimate.

Certainly such a comment turning up on the hallowed haven of RealClimate would have caused some concern, if not alarm - just as we now know any criticisms of their work by evil skeptics cause some concern. And (notwithstanding his various subsequent claims of having "immediately" notified UEA), it really wasn't until "later that day" (i.e. the 17th - which might have been quite early on the 18th in the UK) after Gavin followed the link to the Russian server, downloaded the file and realized that at least some of the files must have come from CRU that someone from RealClimate notified the sys admin at UEA/CRU of (as he claimed on Nov. 20) a "possible security breach".

On the 17th, they would have had no way of knowing who else might have received the FOIA message, would they? Ironically, the only honest "first response" once Mosher began posting from the E-mail archive at Lucia's, probably came from poor Phil Jones in his "exclusive interview" with TGIF:

Became aware of this "three or four days ago"? Check.

Didn't call the police? They really didn't know what was in the files at that point. No doubt they were hoping that the msg received at RealClimate was the only one out there. Besides, they had more important things to worry about, like "saving the planet" (and their "reputations")! Check.

Once Good Ol' Gavin realized that RealClimate was not the only recipient of the FOIA message, he sent an E-mail (or perhaps made a phone call!) along the lines of: "Oh, sh*t, Phil ... they've got the link. Look, let's call it a "hack" and we'll point the finger at the evil skeptics. I'll fwd the msg with the link in a few minutes ... but I'll try and head things off at the pass by trying to get Lucia to take down the messages mosher has posted" Or something along those lines.

Not to mention that if there really was a "hack" why would Gavin have to keep changing his story?!

So, here's the dead giveaway:

"I only found out it had been released five minutes ago". Check.

And one way or another (beginning with Schmidt's Nov. 20 post - with his gratuitous unsubstantiated finger-pointing at Anthony Watts) that's the myth they've been attempting to sustain ever since. And they haven't been able to make it stick - anywhere! But certainly not for want of trying (including during the various and sundry enquiries when the common theme of poor beleaguered "climate scientists" being harassed by evil skeptics and their "intrusive" FOI requests was quite predominant)

The two Guardian articles of Feb. 4 were merely another variation on a theme. A little more subtle, perhaps; but certainly laying the groundwork for subsequent "interviews". Otherwise, how else to explain that they didn't even contact ctm until Feb. 25!

At this point, the only difference I can see between Climategate and Watergate is that there's never been any evidence of a "crime" having been committed during Climategate. The glaring similarity, of course, is it's the dishonesty underlying the many rather elaborate exercises in damage control and "reputation" management that will (eventually) be their undoing. The only thing that's saving their bacon, at this point, is the continued co-option and co-operation of key MSM reporters (with perhaps a little help from Norfolk's finest!)

What the world really needs now are some honest, investigative journalists - on both sides of the pond - to step up to the plate and do their job.

In the meantime, I'm sure that Good Ol' Gavin really appreciates your valiant attempt to divert attention away from his antics, Clivere. Btw, here's a Helpful Hint from Hilary™: pointing the finger at Paul Hudson was a tactic he tried early in the game, didn't wash ... so try another one, eh?!

Aug 24, 2011 at 1:40 AM | Unregistered Commenter hro001

Hilary - I can see my post irritated you. I don't intend to be an apologist for Gavin Schmidt but I also am not going to accept the view that every statement he makes is intentional disinformation as opposed to a revision or clarification of his position as further information becomes available.

There is what I would describe as an informed narrative of the climategate release but still with a lot of unknowns. Like everybody else I am quite happy to speculate about the unknowns but we do need to keep in mind those things we can be reasonably sure about or are corroborated by different sources.

We know the final email included in the climategate compilation dates to the afternoon of Thursday 12 November. From that we can deduce that some if not most of the activity to compile the file postdates the sending of that email.

There is no evidence I am aware of that there was any earlier version (pre 12 November) of the file released to anyone. The Paul Hudson statements where he tried to authenticate some of the file contents are now generally accepted as being misunderstood.

We are led to believe from meeting minutes made available by UEA that the information was compiled from the contents of a backup server in CRU. UEA have now provided a reasonable overview of what was on the backup server along with the view that the information was entirely selected and compiled by the person who published the final FOIA file.

We still don't know if it was a sophisticated external hack of the server, a less sophisticated internal hack from within UEA or a leak or whistleblower from within CRU. People have their theories with a lot of speculation but I have seen no evidence that anyone other than the publisher of the emails knows and that includes the UEA IT staff. We have no understanding of how the information was transported from the server and where it was actually compiled for the release.

The miracle post at CA on the 16th November is at present the first indication of any informed activity in blogland and the first evidence of the existence of a file. The post links back to Realclimate so whether you regard the post as genuine or a plant the realclimate site is implicated.

I can't believe you meant to say that CRU/UEA did not notify the police because we know with absolute certainty they did. We also know that Gavin Schmidt had informed CRU by 17th November and before the existence of the file was more widely known later in the week.

I have no idea if Gavin Schmidt has or has not informed any police directly himself though I would assume he has had contact with UK police. I don't know what is usually done if websites are hacked. I suspect it may vary. Given the involvement of the UK police I have no view if Gavin Schmidt should have instigated a separate parallel police enquiry given the involvement of UK police and a probable common culprit.

Note I remain intrigued that the file linked to realclimate was named FOIA.zip whilst the file that was released via the Russian server was named FOIA2009.zip. This hints at more than one version of the file being out there but alternatively may have just been a feature of the process to upload it.

Aug 24, 2011 at 10:10 AM | Unregistered Commenter clivere

Should have said miracle post at CA on 17th November

Aug 24, 2011 at 3:32 PM | Unregistered Commenter clivere

Clivere,

I can see my post irritated you.

Then perhaps you should invest in some reading glasses (or else clean the ones you're using) ... your vision throughout your "response" appears to be quite cloudy. Far from irritating me, though, I found your post amusing. And I should have thanked you for your comment which inspired me to expand on some thoughts that I had not covered in my original post.

I don't intend to be an apologist for Gavin Schmidt but I also am not going to accept the view that every statement he makes is intentional disinformation.

Good. Now, assuming that we are discussing the post on my blog - to which you initially chose to respond here rather than there for some strange reason - perhaps you'd care to revisit (with new or clean glasses), and bring back specific text which has led you to erroneously conclude that my claim is/was that "every statement he makes is intentional disinformation".

Failing that, perhaps - instead of playing silly strawman games - you'd care to point me in the direction of the amendments Gavin has made to his "reconstruction" Details comment so that your postulated "revisions or clarifications" will not be missed by those who happened to miss the press reports which diverge from that which is on the record.

Otherwise you will leave me no choice but to conclude that you are choosing to misrepresent that which I've written in order to sustain your so-called "informed narrative" - for which you seem to have only two or three points that you repeat like a mantra! [But if you choose to persist in this pattern of response, then you really will succeed in irritating me :-) And once you have succeeded in irritating me, well ... let's just say you won't be a very happy camper!]

And I'm all for "informed narratives", Clivere. But I think it's really important not to overlook any of the known facts, don't you? Once these have all been accounted for, then we can worry about your recitation of unknowns. So, let's do this, shall we?!

The miracle post at CA on the 17th November is at present the first indication of any informed activity

I've corrected the date for you. But apart from being one of your mantras, if this is your idea of an "indication of informed activity" (let alone the first such "indication") from the perspective of your very cloudy vision, do you not find it simply amazing that Gavin who (according to your exercise in speculation would have been "extremely busy") is the only person to have even noticed this - let alone thought it worthy of any mention whatsoever?!

In fact, it's almost as amazing as his bizarre choice to omit - in his "reconstruction" Details - an "indication of informed activity" that is actually ... wait for it ... documented, far more significant, and can be readily confirmed by anyone. No conspicuously absent log records required.

YMMV, but I prefer to stick with documented facts when discussing "indications of informed activity". Such as the fact that the actual first sign of any "informed activity" was on the evening of November 19, at Lucia's blackboard - on which Steve Mosher and others had chalked up some examples from the emails.

Since Gavin claims that this alleged "hack" occurred on Nov. 17, can you give me one good reason (and, by Gaia, it better be a damn good one - no fog, no mush, no mantras, no diversions, and no hand-waving allowed!) ... why:

a) he would not have contacted Steve McIntyre about these "now you don't see 'em, now you do, now you don't" alleged 4 "downloads" that - according to his "reconstruction" Details allegedly originated from this hyperlinked nym that no one had noticed - and must have occurred on the 17th before he "took down" this alleged "hack"; and

b) he would not have mentioned the existence and putative source of this alleged consequence of the alleged "hack" in his Thu, 19 Nov 2009 15:48:21 -0500 E-mail to Lucia - approx. 20 minutes after Mosher began posting; and

c) there is no evidence whatsoever that a single one of these alleged 4 downloads (on the 17th) ever made its way onto the 'net

I can't believe you meant to say that CRU/UEA did not notify the police

Good. Nor is there any reason whatsoever that you should even think of believing that I said or meant to say this. But you knew that. Or you certainly would if you'd actually read what I'd written with some measure of comprehension and appreciation of context. [Helpful Hint from Hilary™: when one speaks of an action as being "The first thing I would do is ..." it does not preclude (in fact it presumes at least) a second]

Note I remain intrigued that the file linked to realclimate was named FOIA.zip [...]This hints at more than one version of the file being out there but alternatively may have just been a feature of the process to upload it.

Good for you! Maybe it was "extruding the material via a series of exotic foreign 'proxy' servers" that did it! Mind you, the result might not have been the same had such extrusion(s) been via non-exotic foreign proxy servers. Alternatively, it could have been a function of "extruding the material" from a "wordpress flatform (sic)"

But we can deal with this later ... after we've dealt with all the knowns.

Aug 25, 2011 at 6:27 AM | Unregistered Commenter hro001

There are several forms of Mantra:

Bhajan: spiritual songs.
Kirtan: repetition of God's name in songs.
Prayer: a way of communing with God.
Healing mantra
Guru mantra: the first initiation (Diksha) given by the master to the disciple.
Bija mantra: a bija mantra represents the essence of a mantra (e.g. Om).

http://en.wikipedia.org/wiki/Mantra

I think I can hear someone across the river. I can't see them clearly because I need a new pair of glasses. They appear to be aggressively pointing a finger in my direction and are making a lot of noise. I can just about make out some of what they are saying and it appears they don't like my Mantras. Om Om Om Om Om.

Do I want to build a bridge? Well the aggression and noise is a concern! Is the distance too far? Probably and doesn't look worth the effort so just leave them alone!

Aug 25, 2011 at 6:35 PM | Unregistered Commenter clivere

Oh, well ... thought I'd give "clivere" a few days to rethink his/her position in the above non-responsive reply to my questions.

For the record, then, one might reasonably conclude that clivere's idea of an "informed narrative" definitely does not include addressing all the knowns.

And as an aside, one might also conclude that clivere engages in intellectually dishonest posting practices in order to sustain a rather threadbare "narrative".

Aug 28, 2011 at 11:48 PM | Unregistered Commenter hro001

http://legal-dictionary.thefreedictionary.com/libel

libel 1) n. to publish in print (including pictures), writing or broadcast through radio, television or film, an untruth about another which will do harm to that person or his/her reputation, by tending to bring the target into ridicule, hatred, scorn or contempt of others. Libel is the written or broadcast form of defamation, distinguished from slander which is oral defamation. It is a tort (civil wrong) making the person or entity (like a newspaper, magazine or political organization) open to a lawsuit for damages by the person who can prove the statement about him/her was a lie. Publication need only be to one person, but it must be a statement which claims to be fact, and is not clearly identified as an opinion. While it is sometimes said that the person making the libelous statement must have been intentional and malicious, actually it need only be obvious that the statement would do harm and is untrue. Proof of malice, however, does allow a party defamed to sue for "general damages" for damage to reputation, while an inadvertent libel limits the damages to actual harm (such as loss of business) called "special damages."

http://wattsupwiththat.com/2011/04/08/help-asked-for-dr-tim-ball-in-legal-battle-with-dr-mann/

I had decided to walk away from this thread. Getting into a flame war is counter productive. However if someone is being very foolish then I probably should make one last effort.

A good investigator will look out for and will not ignore information that contradicts their theories. They must also take care not to always assign the worst of motives to someone without first reviewing whether other alternatives exist! You run a blog and you are making serious assertions about somebody and in doing so are including their name in headline posts. I don't consider you have substantiated those assertions.

We are in the position where there is still a lot of information that has not been placed in the public arena. Whether we ever get to see it is open to question and that by its nature invites speculation. The post release interest was huge and this means it can be hard to find real concrete information amongst the massive output. If subsequently further information such as server logs comes to light which contradicts your assertions then you are running a risk that you could have a real problem.

I did a lot of checking myself in Nov/Dec 09 and was fairly satisfied that the version of events described in the Mosher timeline largely stood up. Based on my recollection there is information posted at blogs that provides the view that realclimate had severe server issues at the time. The timeline is supportive of the view it had been taken down. Two examples follow but my recollection is there are more.

Note the lengthy period without any posts on this thread on 17 Nov. The same applies on other threads.
http://www.realclimate.org/?comments_popup=1710

Web page broken?
Sirs,

Your RSS feed doesn’t seem to function properly – my newsreader signals an error.
‘Older’ links – upto this article work fine, but the one before last (“it’s all about me(thane)”) redirects also an error page (“Coming soon: Another fine website hosted by WebFaction”).
Clicking on the ‘home’ button (top left of the page) yields also the error page, while the ‘archive’ button returns a page with:

Archives by Month:

Archives by Category:


And lastly, clicking on the ‘about’ button yields the right page, but the french version (I do write from France, but usually watch the English version, and the ‘about’ page does also not mention the “/langswitch” thing which appears on other translated articles)

My apologies for the interruption in the discussion.

Comment by koen — 18 Nov 2009 @ 9:43 AM

Whatever’s broken is not just RSS; web browser also hits the same error page, when directed to the home page. I got in ‘sideways’ via older links.

Comment by Hank Roberts — 18 Nov 2009 @ 10:45 AM

Re 139, Hank–

Curiously, I experienced this problem yesterday, but now it’s fine for me.

Pretty weird.

Comment by Kevin McKinney — 18 Nov 2009 @ 1:13 PM

http://climateaudit.org/2009/11/23/a-miracle-just-happened/

Jarkko
Posted Nov 24, 2009 at 3:35 AM

I visited that link through CA, somewhere around 10 am. ET. Nov. 17. (Well, I visited the CA thread at 9.30 and did the google search at 10.)

By that time RC was down, and I did a google search, to find out if the link was just broken. It wasn’t. The server was already down. So, I thought the “miracle” was the crashing of RC.

Now I know better.

http://www.realclimate.org/index.php/archives/2010/11/one-year-later/
I woke up on Tuesday, 17 Nov 2009 completely unaware of what was about to unfold. I tried to log in to RealClimate, but for some reason my login did not work. Neither did the admin login. I logged in to the back-end via ssh, only to be inexplicably logged out again. I did it again. No dice. I then called the hosting company and told them to take us offline until I could see what was going on. When I did get control back from the hacker (and hacker it was), there was a large uploaded file on our server, and a draft post ready to go announcing the theft of the CRU emails. And so it began.

http://www.realclimate.org/?comments_popup=5437
Gavin–
My visitors always ask and I can’t answer: Was the break-in to the WordPress Admin area only? Or did they hack onto the hosted account on the server?

[Response: They used something to directly access the backend mySQL database (to export the password/user details to file prior to erasing them in the database) and to monitor logins to the ssh account. Neither of these things are standard WordPress functions. I conclude therefore they must have hacked both, though the actual entry point is obscure. - gavin]

Comment by lucia — 20 Nov 2010 @ 7:37 PM

Questions

If a police investigation is still open would it be a smart move to show logs of your website that could be material evidence even to a friendly reporter?

When a police investigation is initiated is it wise to be simultaneously weaving a trail of deception in parallel with the investigation particularly if it was eventually found out who released the material and they provided a different version of events?

Aug 30, 2011 at 3:27 PM | Unregistered Commenter clivere

For completeness some more examples on this page

http://web.archive.org/web/20100106224833/http://tamino.wordpress.com/2009/08/31/open-thread-16/

Sekerob // November 17, 2009 at 12:23 pm | Reply

Anyone having trouble reaching RealClimate? I’m getting the below on the main site and all the bookmarks to specific topic threads:

WebFaction

Coming soon: Another fine website hosted by WebFaction.
Site not configured

If you are the owner of this site and weren’t expecting to see this message, it could happen for a number of reasons:

* You recently created a new website record and visited it before it got set up.
* You added a new domain in the control panel but didn’t create a site record to link it with an application.
* Your website record is set for HTTPS, but you visited a HTTP URL (or vice-versa).
* You tried to visit your website by IP address.

For more details, please take a look at the following knowledge base article: Why do I get “Site not configured” message?

WebFaction provides modern hosting with friendly customer support. Visit our main website for more information.

[Response: I got it too.]

Kevin McKinney // November 18, 2009 at 5:19 am | Reply

RC is still accessible, just not through the front door; you can get in via subject headings in a Google search.

Hank Roberts // November 18, 2009 at 5:39 am | Reply

> RC
Me too. Earlier today it was happening on and off briefly then the problem disappeared; now it’s back.

Anyone noticed whether New York is still there?

Hank Roberts // November 18, 2009 at 5:44 am | Reply

http://www.google.com/search?q=realclimate+webfaction

The “about” archive link still works:
http://www.realclimate.org/index.php/archives/2004/12/about/

And from there links into recent posts work:
http://www.realclimate.org/index.php/archives/2009/11/a-treeline-story/#comment-141684

and ‘Start Here’ works — but the “Home” link goes to that WebFaction host page.

Must be time to catch up on sleep.

Hank Roberts // November 18, 2009 at 2:48 pm | Reply

Dang. Still??

Hank Roberts // November 18, 2009 at 2:56 pm | Reply

But you can go ‘around’ the entry page via the links above and then read new material and, at least it appears, comment.

So it’s just the front door that’s broken, I guess.

David B. Benson // November 18, 2009 at 8:29 pm | Reply

I have experienced no difficulties whatsoever reaching RealClimate.

Deech56 // November 19, 2009 at 1:09 am | Reply

If anyone still has trouble getting to RC, you may need to clear the version that’s in the cache. If you can get to any page on the site, click on the “Home” link and then reload the home page that comes up. That worked for me yesterday.

Nothing like the “OMG” feeling when RC is down. It’s pretty much the essential site for climate science (with all due respect to our host).

Hank Roberts // November 19, 2009 at 3:58 am | Reply

Worked all day; now I’m seeing this again:

Coming soon: Another fine website hosted by WebFaction.
Site not configured

Going in sideways still works. Dunno.

I left email at webfaction.com, just in case nobody’s told them. Could be it’s just a few of us out in the domain system boondocks with something that will correct itself, maybe.

Jan 1, 2012 at 6:03 PM | Unregistered Commenter clivere

Frank Swifthack still exploring here

http://ijish.livejournal.com/42666.html

He also took a cache of this page in a post here so his cache is no longer up to date!!!!

http://ijish.livejournal.com/39025.html

Jan 1, 2012 at 6:08 PM | Unregistered Commenter clivere

An initial collection of inline comments made by Gavin Schmidt which relate to the IT elements of Climategate not already detailed above. I still have some other threads to look at.

http://www.realclimate.org/index.php/archives/2009/11/the-cru-hack/

950
dhogaza says:
22 Nov 2009 at 3:50 PM

More or less off topic but I’m curious … last Wednesday hitting http://realclimate.org led to a generic blog cover page with no content, as though the site were being restored …

WebFaction

Coming soon: Another fine website hosted by WebFaction.
Site not configured

If you are the owner of this site and weren’t expecting to see this message, it could happen for a number of reasons:

* You recently created a new website record and visited it before it got set up …

Was this related to the hack attempt the day before, where it was attempted to upload the purloined server content as a post to real climate?

[Response: Yes. We took the site down completely when we discovered the hack in progress. - gavin]

889
Dan Hughes says:
22 Nov 2009 at 12:31 PM

Gavin, above you said:

[Response: Note that these are selected emails - and most of the stuff discussing good science didn't make the cut apparently. I wonder why? - gavin]

To me your response would mean that someone, or group, has hacked the individual accounts of the persons whose emails have been released, focused on certain topics to include and at the same time filter out the good science.

These people must also have sufficient experience and expertise in highly technical subject areas to know what to filter out and what to include. And not simply broad aspects of the subject areas, but focused on very specific content and time frames and persons and issues. The individual accounts must also have been under hack for sufficient time for reading and understanding of all the emails in each account to know which to include and which to exclude.

Note, too, that not just emails have been released, but also documents and computer code and data. A rogue outside hacker is very unlikely to have had time to digest the contents of this much and kind of material. Again all these materials are very focused relative to specific content, time-frames of interest, and individual persons involved.

To me this seems like it would require a very significant amount of time for even someone well-versed and focused on the objective material. Isn’t it very unlikely that this much outside activity could go undetected.

[Response: Most of the files that weren't email, I think were attachments. And the selection seems likely to have been by searching for names rather than anything else. - gavin]


bi -- IJI says:
21 Nov 2009 at 11:43 PM

“We were made aware of the existence of this archive last Tuesday morning when the hackers attempted to upload it to RealClimate, and we notified CRU of their possible security breach later that day.”

This is interesting. Can you reveal more about the attempt to upload the file to RealClimate? Did the cracker crack into realclimate.org too, or is there already a publicized feature on realclimate.org allowing third parties to upload data? Where did the upload come from? etc.

– bi

[Response: I was wondering when someone would ask. It was a hack into our server around 6am Tuesday. The IP address was from a computer in Turkey. - gavin]

http://www.realclimate.org/index.php/archives/2009/11/the-cru-hack-context/

142
TCO says:
23 Nov 2009 at 3:21 PM

Was there an actual attempt to “hack” RealClimate or was there just someone attempting to post (as was done at other blogs)? If an actual hack attempt, has it been reported to the police? Details?

[Response: Yes. No. Here. - gavin]

170
Mike C. says:
23 Nov 2009 at 5:50 PM

Hi Gavin,

I hate to bother you with more questions about the attack, but perhaps you might have a few more details:

1. Who initially discovered the hacking and prevented Real Climate from being hijacked?

2. Did this same person identify the offending IP as originating in Turkey?

3. Are you aware of any measures being taken presently to track down the offender?

4. It sounds like a fairly sophisticated attack; are you confident the hole has been plugged by IT or are the methods used by the hacker still obscure?

5. Is there any additional reason–besides the obvious–to suspect the timing of the attack might be suspicious?

[Response: Me. Me (via ARIN Whois for what that's worth). No. Yes... errr... maybe. Not really (though see the BBC blog by Hudson). - gavin]


215
Paul H says:
23 Nov 2009 at 8:10 PM

Gavin,

I’m withdrawing my comment regarding Paul Hudson. For the record Paul Hudson did not mean this current set of emails in his blog post (i.e. the FOIA.zip) he was referring to a set of emails sent to him as a chain from various commentors within the climate community. I apologise for any negative aspersions I cast.

[Response: Noted. I'll remove the comment to prevent confusion spreading. - gavin]

235
gavin says:
23 Nov 2009 at 9:58 PM

Update on the RC hack. The IP address used turns out to come from a free proxy server based in Turkey and the CA comment came from a similar server in Russia. Since anyone can use these, the trail probably goes cold there. http://www.freewebproxy.org.ru/proxy-country/Turkey-01.htm

674
Alan Burke says:
26 Nov 2009 at 3:55 AM

Quoting from “Mail Online”. I hope that Hudson will reveal who sent him the stolen emails:

Climate change scandal deepens as BBC expert claims he was sent leaked emails

The controversy surrounding the global warming e-mail scandal has deepened after a BBC correspondent admitted he was sent the leaked messages more than a month before they were made public.

Paul Hudson, weather presenter and climate change expert, claims the documents allegedly sent between some of the world’s leading scientists are of a direct result of an article he wrote.

In his BBC blog three days ago, Hudson said: ‘I was forwarded the chain of emails on the 12th October, which are comments from some of the world’s leading climate scientists written as a direct result of my article “Whatever Happened To Global Warming”.’

That essay, written last month, argued that for the last 11 years there had not been an increase in global temperatures.

Read more: http://www.dailymail.co.uk/news/article-1230943/Climate-change-scandal-BBC-expert-sent-cover-emails-month-public.html#ixzz0XxC2ToVf

[Response: This came up before, Hudson was forwarded a single chain of emails involving his piece, which subsequently was part of the hack. He wasn't saying he saw all the stolen emails. - gavin]

802
bi -- IJI says:
27 Nov 2009 at 7:52 AM

Gavin:

Thanks for your reply on the RC crack attempt the last time. I have another question (if you have the time): was the FOI2009.zip file that the cracker tried to upload the same as the zip file that’s now floating around at megaupload and elsewhere?

Incidentally, I found that most of the files in the zip archive (which I downloaded from megaupload) seem to be created under a timezone of -0500 or -0400, and a uid and gid of 1,002. Hope this helps. :-)

– bi

[Response: Yes. - gavin]

http://www.realclimate.org/index.php/archives/2009/12/cru-hack-more-context/

13
David Harrington says:
2 Dec 2009 at 10:31 AM

Was it actually a hack? Or was it a leak from an insider. A leak would be a much more serious problem than a hack as it would tend to imply that someone on the inside was not happy with what they were seeing.

Personally I think it was a leak.

[Response: My information is that it was a hack into their backup mailserver. - gavin]

52
lgp says:
2 Dec 2009 at 1:03 PM

Gavin,

1) There was no “security breach” at CRU that “stole” these files
2) The files appear genuine and to have been prepared by CRU staff, not edited by malicious hackers
3) The information was accidentally or deliberately released by CRU staff
4) Selection criteria appears to be compliance with an or several FOIA request(s)

Being that you have insider insight from conversations with the principals involved, why don’t you tell us how they were released, instead of letting commenters continue to flog the meme that they were “stolen” by “denialist hackers”?

Or are you saving that story for the investigations :-)

[Response: Speculations based on your wishful thinking but without any facts are not worth very much. The police investigation is ongoing and I'm sure will report in due time. - gavin]

63
CF says:
2 Dec 2009 at 1:56 PM

Gavin 1: “My information is that it was a hack into their backup mailserver.”

Gavin 2: “Speculations based on your wishful thinking but without any facts are not worth very much. The police investigation is ongoing and I’m sure will report in due time.”

Earth to Gavin 2: Please tell Gavin 1 that he is making you look two-faced. Gavin 1, speculations based on your wishful thinking OR YOUR PRIVATE UNNAMED SOURCES are not worth very much.

[Response: Feel free to ignore anything I have to say on the subject then. - gavin]

84
lgp says:
2 Dec 2009 at 4:10 PM

Gavin 1: You stated “My information is that it was a hack into their backup mailserver.” Can you reveal the source of your information? Have you been interviewed yet in the investigation? Have you revealed the source’s name to the police investigators or are you withholding evidence that would help solve this heinous crime that has the “alarmists” up in arms?

[edit]

[Response: The police are indeed involved, and that would imply they have prima facie suspicion of some criminal act. I'm not going to comment further on this. - gavin]

454
Tom Scott says:
6 Dec 2009 at 5:29 AM

More is coming to light about how and why the CRU emails were hacked – see this story from the UK’s Mail on Sunday (a right-wing conservative newspaper):

http://www.dailymail.co.uk/news/article-1233562/Emails-rocked-climate-change-campaign-leaked-Siberian-closed-city-university-built-KGB.html

There is a bitter irony here. It looks as if all those good folks so eager to expose a grand conspiracy on the part of climate scientists have in fact been playing the part of (very willing, albeit unwitting) accomplices in one of the cleverest pieces of black propaganda of recent years. It seems increasingly probable that the whole exercise has been masterminded by the Russian security services – formerly known as the KGB – who have a proud track record in this respect.

Vladimir Putin, a former KGB man himself, must be delighted at the ease with which effective action to place curbs on the fossil fuel industry has been sabotaged.

[Response: Hmm... My faith in the Daily Mail investigative unit is not particularly high, and the story seems to be related purely to the ftp site where the zip file was originally put. But this was on an open 'incoming' directory, and seems very likely to have simply been used as a convenient spot. I would not get too excited by this. -gavin]

http://www.realclimate.org/index.php/archives/2011/11/two-year-old-turkey/

3
Peter Backes says:
22 Nov 2011 at 10:09 AM

RCU got hacked again:

http://www.bbc.co.uk/news/world-15840562

RC was down yesterday. Coincidence?

[Response: Yes. No apparent relationship. - gavin]

271
Occupied Territory says:
25 Nov 2011 at 9:44 AM

#248 Peter Dunkelberg: Perhaps this detail about “hackers” is a microcosm of this whole global warming debate. People have their presumed answer for this (e.g. “the emails were hacked”). But what is the proof they were hacked? I raised this question in a previous post and Gavin replied that someone doesn’t ordinarily get 220,000 files in their email. True enough. But, we also have forensic computer science. I have yet to hear of any forensic evidence of a hacking into these servers. My own guess is that it was an insider. I don’t have any hard evidence to back that up; it’s just what makes the most sense to me given what limited info we know.

[Response: The hacker also hacked into RealClimate last time around. Not the actions of a not-hacker. - gavin]


http://www.realclimate.org/index.php/archives/2010/11/one-year-later/

57
The Wonderer says:
21 Nov 2010 at 9:03 AM

Thank you Gavin. I am curious whether you think there is any hope that the perpetrators will be caught, and if the resources in trying to catch them have been adequate.

[Response: I have no idea. My guess is that no-one is likely to be caught unless the perpetrators show their hand again - perhaps because they are frustrated that nothing much has changed. It must be an interesting dilemma for them. - gavin]


http://www.realclimate.org/index.php/archives/2009/11/wheres-the-data/

117
MarkusR says:
28 Nov 2009 at 5:48 PM

Times Online has posted an article claiming that RC pulled their own postings:
“It was a powerful and controversial mix — far too powerful for some. Real Climate is a website designed for scientists who share Jones’s belief in man-made climate change. Within hours the file had been stripped from the site.

Several hours later, however, it reappeared — this time on an obscure Russian server. Soon it had been copied to a host of other servers, first in Saudi Arabia and Turkey and then Europe and America.”
http://www.timesonline.co.uk/tol/news/environment/article6936289.ece

[Response: The zip file was temporarily available (about 30 min) from a link to this site until we shut it down and then removed it. It was never posted as a blog entry. - gavin]

Jan 3, 2012 at 5:14 PM | Unregistered Commenter clivere

A few more inline comments spotted at

http://www.realclimate.org/index.php/archives/2009/12/unforced-variations/
http://www.realclimate.org/index.php/archives/2010/02/whatevergate/
http://www.realclimate.org/index.php/archives/2010/02/close-encounters-of-the-absurd-kind/

However not really worth reposting at this stage.

The following 3 posts appear to be the core of the "ever changing story".

http://www.realclimate.org/index.php/archives/2009/11/the-cru-hack/

As many of you will be aware, a large number of emails from the Climatic Research Unit (CRU) at the University of East Anglia webmail server were hacked recently (Despite some confusion generated by Anthony Watts, this has absolutely nothing to do with the Hadley Centre which is a completely separate institution). As people are also no doubt aware the breaking into of computers and releasing private information is illegal, and regardless of how they were obtained, posting private correspondence without permission is unethical. We therefore aren’t going to post any of the emails here. We were made aware of the existence of this archive last Tuesday morning when the hackers attempted to upload it to RealClimate, and we notified CRU of their possible security breach later that day.

http://www.realclimate.org/index.php/archives/2009/11/the-cru-hack-context/comment-page-4/#comments

156
gavin says:
23 Nov 2009 at 4:00 PM

There seems to be some doubt about the timeline of events that led to the emails hack. For clarification and to save me going through this again, this is a summary of my knowledge of the topic. At around 6.20am 7.20am (EST) Nov 17th, somebody hacked into the RC server from an IP address associated with a computer somewhere in Turkey, disabled access from the legitimate users, and uploaded a file FOIA.zip to our server. They then created a draft post that would have been posted announcing the data to the world that was identical in content of the comment posted on The Air Vent later that day. They were intercepted before this could be posted on the blog. This archive appears to be identical to the one posted on the Russian server except for the name change. Curiously, and unnoticed by anyone else so far, the first comment posted on this subject was not at the Air Vent, but actually at ClimateAudit (comment 49 on a thread related to stripbark trees, dated Nov 17 5.24am (Central Time I think)). The username of the commenter was linked to the FOIA.zip file at realclimate.org. Four downloads occurred from that link while the file was still there (it no longer is).

The use of a Turkish computer would seem to imply that this upload and hack was not solely a whistleblower act, but one that involved more sophisticated knowledge. If SM or JeffID want to share the IPs associated with the comments on their sites, I’ll be happy to post the IP address that was used to compromise RC.


http://dotearth.blogs.nytimes.com/2010/07/06/was-the-east-anglia-incident-a-crime/

Gavin Schmidt, Goddard Institute for Space Studies and a founding editor and writer at Realclimate.org –

I was interviewed by Norwich police back in December and I sent them log files of the RC hack (which very clearly was criminal under both U.S. and U.K. law). [The "RC hack" Schmidt mentions was an incident immediately following the extraction of the files at East Anglia in which someone gained access to the server for the Real Climate blog and tried to upload the folders there.]

As you correctly note, U.K. police work is not performed in the media spotlight as it is here (to their credit in my opinion), but of course one would have hoped for a little more progress. At this point, it is probably clear that there isn’t any obvious route back to the culprit(s), and so my guess is that we aren’t going to find out unless they decide to break cover in some way (possibly as a result of their disappointment in the inquiries????) [link added by me]. I have no other information.

I asked Schmidt whether a criminal investigation was ever conducted into the Real Climate hack. Here’s his reply:

It would have been up to us to report it, and I didn’t think it was worth it – If you recall, we were kind of busy. ;)

Jan 4, 2012 at 5:28 PM | Unregistered Commenter clivere

I noticed the web archive back in August but failed to spot this and Frank Swifthack has not got to this yet either.

http://ijish.livejournal.com/42666.html

Four copies of posts taken from RC for 14/11/09 to 17/11/09 show the WordPress upgrade can be dated to the 17th November. This leaves the option open for conspiracy theorists that the down time on the morning of 17th November could be associated with a WordPress upgrade. Alternatively the upgrade could have been corrective action following a hack.

http://web.archive.org/web/20091114064516/http://www.realclimate.org/index.php/archives/2009/11/muddying-the-peer-reviewed-literature/

http://web.archive.org/web/20091115065756/http://www.realclimate.org/index.php/archives/2009/11/muddying-the-peer-reviewed-literature/

http://web.archive.org/web/20091116093710/http://www.realclimate.org/index.php/archives/2009/11/muddying-the-peer-reviewed-literature/

http://web.archive.org/web/20091117181603/http://www.realclimate.org/index.php/archives/2009/11/muddying-the-peer-reviewed-literature/

Jan 5, 2012 at 1:52 PM | Unregistered Commenter clivere

Both theories will work

RC had big upgrade mid 09. Wordpress then made some security upgrades. Had the horse already bolted or was everybody pointed at the wrong barn door?

http://wordpress.org/news/category/releases/

Nov 12, 2009 WordPress 2.8.6 Security Release
Oct 20, 2009 WordPress 2.8.5 Hardening Release
Aug 12, 2009 WordPress 2.8.4 Security Release
Aug 3, 2009 WordPress 2.8.3 Security Release
Jul 20, 2009 WordPress 2.8.2
Jul 9, 2009 WordPress 2.8.1

Jan 5, 2012 at 3:51 PM | Unregistered Commenter clivere

Based on what I have located the timeline re Realclimate activity on 17th November now looks like this. In summary the site was down for a large part of the morning and a WordPress upgrade was performed.

(Many thanks to Frank Swifthack who got me looking more closely at the web archive after he spotted a server upgrade had taken place. I was aware of the web archive entries but had only been using it for checking user postings at RC around the date. The archive trawls different pages from sites on different dates and Frank has not picked up on this so far.)

(RC gives its time zone as -6 so I assume add 1 hour to get ET. Some of my observations will be invalid if I have misunderstood / miscalculated time zones.)

Final post on 16th November at 11.24pm (12.24 am) passed by the RC moderators before they packed up for the day.

This can be seen on this page taken from the web archive. My understanding is the date/timestamp is 09.03 am UTC = GMT which would date the archive at 04.03am ET

http://web.archive.org/web/20091117090354/http://www.realclimate.org/index.php/archives/2007/03/

Also it should be noted that at this point RC was being operated using Wordpress 2.8.1

Posts then went into the moderation queue. The last post made (and still viewable) during the morning of 17th November was made at 6.28 am (7.28 am ET)

http://www.realclimate.org/index.php/archives/2009/10/an-open-letter-to-steve-levitt/

763
FurryCatHerder says:
17 Nov 2009 at 6:28 AM

At some point RC was then taken offline and posting did not resume until the afternoon.

The events according to Gavin Schmidt as taken from several posts

"At around 6.20am 7.20am (EST) Nov 17th, somebody hacked into the RC server from an IP address associated with a computer somewhere in Turkey, disabled access from the legitimate users, and uploaded a file FOIA.zip to our server"

"the first comment posted on this subject was not at the Air Vent, but actually at ClimateAudit (comment 49 on a thread related to stripbark trees, dated Nov 17 5.24am (Central Time I think)). The username of the commenter was linked to the FOIA.zip file at realclimate.org. Four downloads occurred from that link while the file was still there (it no longer is)."

"The zip file was temporarily available (about 30 min) from a link to this site until we shut it down and then removed it. It was never posted as a blog entry"

(there was also a press article where it was mentioned the file was available for about 25mins)

"Yes. We took the site down completely when we discovered the hack in progress."

"I woke up on Tuesday, 17 Nov 2009 completely unaware of what was about to unfold. I tried to log in to RealClimate, but for some reason my login did not work. Neither did the admin login. I logged in to the back-end via ssh, only to be inexplicably logged out again. I did it again. No dice. I then called the hosting company and told them to take us offline until I could see what was going on. When I did get control back from the hacker (and hacker it was), there was a large uploaded file on our server, and a draft post ready to go announcing the theft of the CRU emails."

"They used something to directly access the backend mySQL database (to export the password/user details to file prior to erasing them in the database) and to monitor logins to the ssh account. Neither of these things are standard WordPress functions. I conclude therefore they must have hacked both, though the actual entry point is obscure."

Some observations based on these comments

1. the post at CA used a different proxy address to that used for access to RC possibly implying simultaneous use of 2 proxy addresses.

2. The post by FurryCatHerder may coincide with the "hack" (check time zones)

3. I feel it would be unlikely for someone to try to release the material via a hack into RC unless they already had information about how to get access in advance possibly through information provided in the release.

4. The miracle post at CA if taken at face value (which I do) confirms Gavin's statement that a file called FOIA.zip had been placed on the RC server. Alternative interpretations require an explanation for both the content and timing of the miracle post. They would also require Gavin Schmidt to be performing a major deception which appears to me to be a high risk knee jerk strategy with little to be gained and much to lose.

There are 2 blog posts on the 17th November about RC being offline and several reports on the 18th November which are all indicative of RC being shut down at server level.

RC posts resumed at 12.23pm (01.23 pm ET) on 17th November

http://www.realclimate.org/index.php/archives/2009/11/muddying-the-peer-reviewed-literature/

103
Joel Shore says:
17 Nov 2009 at 12:23 PM

The web archive has captured some pages on the afternoon of the 17th November. For example this one which was captured at 18.14 UTC = 13.14 ET

http://web.archive.org/web/20091117181422/http://www.realclimate.org/index.php/archives/2006/10/global-cooling-again/

This page shows the website had been upgraded to WordPress 2.8.6 which includes several security patches.

It also shows some progress in clearing the early morning's posts from moderation.

Jan 7, 2012 at 10:37 AM | Unregistered Commenter clivere
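The time zone bookkeeping in the comment above, as an added example that is not part of the original comment: it decodes the capture time embedded in the two Wayback Machine URLs, reads the two RealClimate comment stamps as blog-local time, and puts all four on one UTC axis. Assumptions: the blog clock is UTC-6 (the commenter's own assumption), US Eastern is fixed at UTC-5 for November, the WordPress versions are as the commenter reports them, and all function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EST = timezone(timedelta(hours=-5), "EST")     # US Eastern in November (no DST)
BLOG = timezone(timedelta(hours=-6), "UTC-6")  # assumption taken from the comment
WAYBACK_RE = re.compile(r"web\.archive\.org/web/(\d{14})/")

def wayback_capture_time(url):
    """Capture time encoded in a Wayback Machine URL (always UTC)."""
    m = WAYBACK_RE.search(url)
    if m is None:
        raise ValueError("no 14-digit Wayback timestamp in " + url)
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=UTC)

def blog_comment_time(stamp):
    """Comment stamp such as '17 Nov 2009 at 6:28 AM', read as blog-local time."""
    return datetime.strptime(stamp, "%d %b %Y at %I:%M %p").replace(tzinfo=BLOG)

# (label, time, WordPress version seen or None); versions as reported in the comment.
WB = "http://web.archive.org/web/"
RC = "http://www.realclimate.org/index.php/archives/"
EVENTS = [
    ("capture showing 2.8.1", wayback_capture_time(WB + "20091117090354/" + RC + "2007/03/"), "2.8.1"),
    ("last comment before outage", blog_comment_time("17 Nov 2009 at 6:28 AM"), None),
    ("first comment after outage", blog_comment_time("17 Nov 2009 at 12:23 PM"), None),
    ("capture showing 2.8.6", wayback_capture_time(WB + "20091117181422/" + RC + "2006/10/global-cooling-again/"), "2.8.6"),
]

def timeline(events):
    """Sort events on one UTC axis; return (UTC HH:MM, EST HH:MM, label) rows."""
    return [(t.astimezone(UTC).strftime("%H:%M"), t.astimezone(EST).strftime("%H:%M"), label)
            for label, t, _ in sorted(events, key=lambda e: e[1])]

def upgrade_window(events):
    """Latest sighting of the old version and earliest later sighting of another."""
    seen = sorted((t, v) for _, t, v in events if v)
    last_old = max(t for t, v in seen if v == seen[0][1])
    first_new = min(t for t, v in seen if v != seen[0][1] and t > last_old)
    return last_old, first_new

def comment_gap(events):
    """Longest interval between consecutive visible comments."""
    times = sorted(t for _, t, v in events if v is None)
    return max(zip(times, times[1:]), key=lambda p: p[1] - p[0])

if __name__ == "__main__":
    for row in timeline(EVENTS):
        print(*row)
    print("upgrade between", *upgrade_window(EVENTS))
    print("no comments between", *comment_gap(EVENTS))
```

The two intervals are bounds only: the archive captures show which version was running when each page was crawled, not when the upgrade itself happened.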

Why wouldn't the hacker publish the new post immediately? Also why wait until 6.20am EST, risking getting caught by Gavin waking up early as a good New Yorker?

Jan 7, 2012 at 11:05 AM | Unregistered Commenter Maurizio Morabito

Maurizio - no idea - perhaps they needed to do it from a public location with constraints on access.

Jan 7, 2012 at 11:24 AM | Unregistered Commenter clivere