More on the "RC Hack"

Commenters on the earlier thread have presented another explanation of the “RC Hack”. The same idea occurred to several people and has been presented at several blogs (tAV for example). I’ll cite Steve Mosher’s below both because he knows computers and is very familiar with the facts:

If you look at all the emails you will that some bozo transmitted a logon and password ( steve, tosser) in one of the mails.

So, it’s entirely possible that at sometime Gavin or somebody else sent a admin logon and password for RC to somebody at CRU, say briffa. So that the person at CRU could upload a file. Then, the insider at CRU found this mail
and had everything he needed. A file to upload and a RC password to allow him to do it. And he completed the
irony by linking to the file by a post at CA.

just a theory.

An example of such an email with signon and password is in the ClimateGate Letters here.

I’ve sent similar emails to various people which entitle them to post at Climate Audit – Roman Mureika, Jean S, UC, Hu McCulloch, to name a few. Also Judy Curry who’s posted at CA but has probably lost her password. And a few who haven’t taken advantage of the offer e.g. Michael Tobis.

Admin status and editor status are separately defined. To upload a pdf file, Author status is enough. I’ve placed a variety of pdf’s in climateaudit directories and uploading the zip file seems analgous to (say) roman uploading a file to a CA directory. The next question to ask Gavin is whether they ever emailed a password to a CRU author. If they did, then that would seem to close the circle with the simplest explanation.

Reviewing Gavin’s statement on the matter under this theory:

At around 6.20am (EST) Nov 17th, somebody hacked into the RC server from an IP address associated with a computer somewhere in Turkey, disabled access from the legitimate users, and uploaded a file to our server. They then created a draft post that would have been posted announcing the data to the world that was identical in content of the comment posted on The Air Vent later that day.

I don’t see any reason to contest the statement that the zip file was uploaded. I don’t understand why uploading the zip file would disable access to “legitimate users” or what purpose would have been gained by doing this. Further details on this would be interesting.

The idea of unveiling the files through a manifesto at RealClimate is definitely an interesting and odd aspect to the events.


  1. David L. Hagen
    Posted Nov 24, 2009 at 11:05 AM | Permalink

    *** Andy Revkin would likely post your scenario as soon as you submit it.***
    See: Your Dot: On Science and ‘Cyber-Terrorism’: A climate scientist focuses on the cybercrime that divulged reams of emails on climate research.

    Reply Andy Revkin
    Dot Earth blogger, Reporter
    November 23rd, 2009 1:19 pm

    Thanks for reminding folks what this “Your Dot” feature is about. I’ll be posting a voice rebutting the “cyberterrorism” assertion as soon as I can get someone who’s a non-anonymous contributor to step forward with a reasoned, substantiated counterargument.

  2. Posted Nov 24, 2009 at 11:09 AM | Permalink

    Could someone using some admin password setup a e-mail server to forward all e-mail do someplace else without being noticed? Too many years?

    Could someone quit using some e-mail account that other person took control?

  3. Dishman
    Posted Nov 24, 2009 at 11:10 AM | Permalink

    The idea of unveiling the files through a manifesto at RealClimate is definitely an interesting and odd aspect to the events.

    Using their own strength (platform) against them.

    Ping Fa (Bing Sz).

  4. schnoerkelman
    Posted Nov 24, 2009 at 11:10 AM | Permalink

    I think the plain text password and login are likely. There is almost certainly a log file containing the IP used to upload the file which will contain the address of an anonymous proxy leading nowhere. Hint: google TOR network.
    I think the most likely scenario is that someone inside learned of the FOI denial, grabbed the tarball containing the information and then from an external machine (though that isn’t even a requirement) uploaded the file to RC, the various file sharing services and who knows where else. Having planted the data she then added comments on the various blogs to get the ball rolling. Not hard, something several million illegal downloaders could accomplish in their sleep.
    Another thing that I’ve not seen (please forgive me if it’s been observed elsewhere) is that these “stolen” emails are email. That means they have all traveled across the Internet and via who knows how many intermediate servers. Each and everyone of those servers may have modified, logged, copied or deleted the content of any given message. That is, none of this stuff is actually private, it has all been sent into the wild at least once. I’m sure you’ve all noticed those long messages that get tagged onto emails automatically, perhaps reading what they say might be instructive 🙂

  5. DRE
    Posted Nov 24, 2009 at 11:13 AM | Permalink

    If this is accurate doesn’t it mean that potentially there are additional email/files that the whistleblower had accesses to and might come out later?

    • j
      Posted Nov 24, 2009 at 11:50 AM | Permalink

      Yep and if I was the whistle-blower ( I’m not) I would be sending out the “best” emails first either. I send out some middling ones, watch the reaction, expect someone like Jones to make the “dedicated scientists” comment and then hit him with another batch a week later and see what he says or wipe the smile off his face. My bet is that another batch come out this weekend or earlier and these will be “better”.

      • Bob Lackey
        Posted Nov 24, 2009 at 1:48 PM | Permalink

        I agree. Gavin somewhere mentioned an attempted upload of 200 mb. What we got through Airvent was 62 mb. Unless my math fails me, there is another 138 mb floating around out there.

        I can’t wait.

  6. Enn
    Posted Nov 24, 2009 at 11:34 AM | Permalink

    Speculation abound!

    The Miracle Worker probably had user/password access with full privileges to RC’s publishing software, which I assume has upload functionality. I don’t believe this person had infiltrated the RC server itself.

    Shortly after, an RC user with access to the publishing software (thus not a casual reader) attempted to log-in but found their permissions revoked. This quite common tactic would have delayed any attempt by the ‘legitimate users’ i.e. admins, to delete the file and what would have been a published RC article announcing said file.

    Unfortunately for the Miracle Worker the RC user, or informed techie, was able to log directly into the server, rather than the software, and pull it.

  7. MrPete
    Posted Nov 24, 2009 at 11:52 AM | Permalink

    I just submitted this at DotEarth:

    I’m technically-qualified to comment. And while I use the “MrPete” handle, I’m well known in the real world as Pete Holzmann. [I can give you some CV info if you like; let’s just say I’ve been around a long time. I’ve been on the public internet about as long as anyone, having registered one of the first non-government domain names in the world…and currently advise NGO leaders worldwide on technical issues including computer and information security.]

    Prof P’s statements are certainly plausible. However, nobody has brought forth any proof that this was an external “hack” attack. In my experience, among security non-specialists by far the most common way that confidential information is released is through accidental disclosure. The second most common is purposeful disclosure by someone who either didn’t know the data was confidential, or someone who did know but released it anyway. External attack, particularly the kind that requires some kind of break in, is way down the list.

    In this case, those options look like this:

    Accidental disclosure: files placed in an easily accessed public area, possibly even indexed by a search engine. (CRU staff did that earlier this year in another situation, so this is not far-fetched.) If any of the emails retrieved contained a login and password for RC, that would also contribute to the vulnerability of RC.

    Purposeful disclosure: this could be a “whistleblower” or simply someone sharing the data with a friend, coworker or other officially non-authorised party. In any case, this situation by definition involves an insider sending the data (or a link) to an outside party.

    Hack: this is what is claimed. We have no evidence to date that this happened.

    Based on the poor security history of the Team**, we know their security arrangements are of very low quality. I’m sure my friends who specialize in testing security arrangements could have broken into their systems in a matter of seconds.

    All in all, it remains to be seen what really happened. As I said, despite the desire to blame an outside party, experience says most likely the Team themselves bear significant responsibility for the revelation of their hidden activities. In any case, secrets never remain secret forever, and scoundrels on all sides eventually receive justice.

    ** We can see the password sent in at least one email. Bad practice to send it in email, and it’s a very poor password.

  8. HLx
    Posted Nov 24, 2009 at 12:04 PM | Permalink

    This is probably not the place to post it, but could’n fint a “tip”-jar.. But here it is:

    Newest report encompassing co-author M.E.Mann:

    Click to access Copenhagen_Diagnosis_HIGH.pdf

    • hengav
      Posted Nov 24, 2009 at 2:09 PM | Permalink

      Thanks for the link HLx.

      I won’t bother to cut and paste from it. Read the executive summary. Look at the drifting polar bear. See the hockey stick in action. What a bad peice of work. No mention of skepticism. It’s all 100% certain.

      • HLx
        Posted Nov 24, 2009 at 4:11 PM | Permalink

        Lol.. I noticed the polar bear to.. had a big laugh, sent it to a friend on messenger.

    • hengav
      Posted Nov 24, 2009 at 3:49 PM | Permalink

      Page 16 of the report… page 16…”no credible scientific literature has been published since the AR4 assessment that supports alternative hypotheses to explain the warming trend”.

  9. Posted Nov 24, 2009 at 12:13 PM | Permalink

    Assuming the leaker found an admin level password to RC then he probably thought he would be able to disable other user ids. If he did that then he alone could post articles which would mean that when he posted the article linking to no one else would be able to delete the post etc.

    I would guess that in the process of trying to change the WP admin rights for other users he would have caused (accidentally) an email confrmation to be sent to Gavin who is I believe the original creator/owner of RC. Gavin would then have logged in, seen what was happening and regained control of the blog.

    This email sending may sound odd but on one of my work blogs I’ve had an absolute nightmare trying to get the original creator email address to disappear since that email address doesn’t work any more and to change the name of the admin account so I think this is quite a plausible explanation of how Gavin was alerted.

    The fact that the RC hacker (and he certainly was hacking RC even if he was merely leaking from CRU) was using a proxy server in Turkey to do his deeds sounds to me just like evidence that the guy is smart enough to hide his traces so identifying him from his online behavior will be hard.

    Assuming that the file didn’t leak via the “CharlesTM” scenario of open FTP site – though I find that quite plausible – the best way for the CRU to identify the leaker will be through internal access logs but they may not exist in which case, if the leaker had rights to the folder(s) where the leak documents were stored as part of his general duties then identifying him will be impossible.

    I’m sure that if the UEA network is reasonably speedy and the leaker had access to a reasonable USB drive or SD flash card he could have stuck that in his workstation and copied the files in about 5 minutes. The later task of uploading them would clearly then take place from some other computer well away from the university.

    If the open FTP site theory is correct then it might be possible to narrow down suspects by seeing who visited the site – that _should_ be a fairly small number – but I’d be surprised if the leaker actually downloaded the file directly in this case (he’d be using a proxy again) so proof would be hard. It occurs to me that if this theory is accurate then it is far from inconceivable that a separate document on the same site would have contained the login details – or perhaps a link to them. These academics do seem to be somewhat sloppy with IT security and to subscribe to the “security through obscurity” misunderstanding

  10. Larry Geiger
    Posted Nov 24, 2009 at 12:18 PM | Permalink

    Mann, it’s getting warm in here. I think I’ll get my hockey stick and go play before all the ice melts.

  11. George
    Posted Nov 24, 2009 at 12:26 PM | Permalink

    I guess the identity of Harry has already been discussed:

    He is Ian (Harry) Harris.

    His areas of specialization are: Dendroclimatology, climate scenario development, “data manipulation” and visualisation, programming

  12. Posted Nov 24, 2009 at 12:27 PM | Permalink

    Next stage – ATTACK


  13. HankHenry
    Posted Nov 24, 2009 at 12:29 PM | Permalink

    Jeepers, Andy Revkin has to advertize on his blog for counterpoint?!? He’s from the NY Times for heaven’s sake. He can call anyone anywhere for another perspective any time he wants. Why he doesn’t and hasn’t mystifies me. I guess it’s just his settled point of view that controls. He also defended himself saying that of course he developed collegial relations with sources. Is he telling us he thinks of himself as their colleague? He’s buried deep in that Wegman circle. Isn’t he?

  14. Bernie
    Posted Nov 24, 2009 at 12:45 PM | Permalink

    WUWT has just posted the latest statements from UEA, CRU and Jones. The CRU and Jones’ statements strike me as less than figleafs. The one from the Vice-Chancellor indicates that they have circled the wagons – to use Dr. Curry’s phrase – and intended to brazen it out despite what is obvious in the emails. Something akin to the CEI suit will probably be needed in the UK.

  15. crosspatch
    Posted Nov 24, 2009 at 12:47 PM | Permalink

    MrPete’s experience seems to correlate well with my own.

    I once worked in a place where the entire office network was directly on the Internet. There was no firewall at all. They were using Microsoft for everything. This was in late 2000. The couldn’t understand how someone in Brazil was able to develop a product exactly like theirs.

    I noticed that people had shared various things out from their computers in order to speed up work on things. I also noted that the source code repository was shared out. GLOBALLY. Anyone could map a remote drive and mount their entire source code repository from anywhere on the planet and someone had. Is it “stealing” if you put a box of cookies on your front porch and someone walking by helps themself to one? Now that is probably the worst case I ever saw and that network could be the poster child for how NOT to build one but things like that happen all the time.

    People put files on a server and maybe that file is readable by everyone in their “group” and not just them. Or maybe the public has access and while there might not be a direct link to it anywhere, maybe there is an index.html file missing someplace that results in the web server giving a directory listing that can be perused by someone. Or maybe they simply dropped the file on their own computer in a directory that was shared out and they forgot that it was a shared directory that someone could see by browsing the “network neighborhood” or something.

    Sloppy operating practices such as the above have been the cause of every single data security issue I have been aware of in the places I have been employed … save one. The only issue I ever had of an actual “break in” was a former employee who knew a username/password that was used by one program when logging into other systems to collect files for processing. No person used that password, only the program, but that username had administrative privileges across the entire organization. The former employee gained secure access via VPN as that user and destroyed quite a bit of data. This was not a “random hacker” but a username that was used for a specific purpose internally that should never have been allowed to log in from outside the company.

    Most data security issues are due to sloppy practice, not “hackers”.

  16. Posted Nov 24, 2009 at 12:49 PM | Permalink

    Steve, why spend your time speculating about how it might have happened. That’s not your usual style!

    What about commenting on the ridiculous statement posted on the UEA website this afternoon. Apparently (a) there is nothing in the emails to suggest their work is not of the highest quality (b) there was a vexatious campaign to distract from reasoned debate (c) the Uni takes its FOI obligations very seriously (d) their work is supported by the IPCC (presumably ch 3, written by Jones himself!).
    There is also some stuff at the bottom about divergence and truncation that will interest you.

  17. Calvin Ball
    Posted Nov 24, 2009 at 12:51 PM | Permalink

    FWIW, it’s not smart to put sensitive info in an email for a different reason: if someone out in the internet is sniffing your traffic, default email is totally insecure, and someone can intercept anything that way. You have to specifically set up a secure link on both ends.

    Notwithstanding, it sure seems like the scientists were pretty cyber unsophisticated.

    • crosspatch
      Posted Nov 24, 2009 at 12:58 PM | Permalink

      “if someone out in the internet is sniffing your traffic”

      It is very difficult to “sniff” someone else’s traffic unless you are physically on the network gear (assuming a wired and not wireless network). In the old days with hubs, everyone on the same hub could “see” (and sniff) each other’s data. These days with switched networks, that isn’t the case. One would have to configure a port on the switch to mirror the traffic to another port for access by a sniffer. Network administrators generally have better things to do than sniff random network traffic (though it is possible for them to do it). It can be like trying to sip data from a fire hose when you are talking about network gear passing many gigabits of traffic per second.

      All bets are off, though, on wireless networks.

      • Calvin Ball
        Posted Nov 24, 2009 at 1:36 PM | Permalink

        You don’t think these guys do a lot of their work from home or Starbucks?

      • crosspatch
        Posted Nov 24, 2009 at 1:45 PM | Permalink

        That would assume what I would consider to be a ridiculous level of paranoia. It assumes someone is following one of them around with some sort of radio receiver just to get information to use to release climate data. I would think someone doing that would be much more interested in someone’s financial data.

        It just doesn’t strike me as likely that someone is following Jones around with an antenna just to grab climate data.

  18. Posted Nov 24, 2009 at 12:52 PM | Permalink

    Quotes from the Guardian re Jones “Prf rubbishes leaked email”

  19. Posted Nov 24, 2009 at 12:59 PM | Permalink

    It’s difficult to believe that, having shot themselves in one foot, they are now shooting themselves in both feet. However, a visit to the Wikipedia Group Think helps me understand:
    1. Illusions of invulnerability creating excessive optimism and encouraging risk taking.
    2. Rationalizing warnings that might challenge the group’s assumptions.
    3. Unquestioned belief in the morality of the group, causing members to ignore the consequences of their actions.
    4. Stereotyping those who are opposed to the group as weak, evil, biased, spiteful, disfigured, impotent, or stupid.
    5. Direct pressure to conform placed on any member who questions the group, couched in terms of “disloyalty”.
    6. Self censorship of ideas that deviate from the apparent group consensus.
    7. Illusions of unanimity among group members, silence is viewed as agreement.
    8. Mind guards — self-appointed members who shield the group from dissenting information.

    • HR
      Posted Nov 24, 2009 at 6:51 PM | Permalink

      I’m not a huge fan of these sorts of psycological labellings. But my experience of working in academic/scientific arenas has lead to some very similar conclusions.

      I wouldn’t get overly excited about the way people dismiss opponents and their ideas. Some of the gentlest, most supportive people I’ve worked with can be ruthless when it comes to scientific opponents. The arrogance of scientists is most often expressed through their science.

      The real thing that worries me about this group is the sense that they have the field stitched up. That they have the power to make and break individuals/journals/editors even the peer-review process. That they control the science. This is worrying. Of course we may only be talking about paleoclimatology.

    • TD
      Posted Nov 24, 2009 at 11:10 PM | Permalink

      This is my favorite email — and perfectly demonstrates your #5 — conformity. I also note, the email is discpline in front of the group.

  20. Posted Nov 24, 2009 at 1:01 PM | Permalink

    oh, sauce for the goose… I posted this in the wrong blog!

  21. william
    Posted Nov 24, 2009 at 1:09 PM | Permalink

    This is finally erupting big time on Drudge and in some of the larger MSM editorials as well as Political Blogs such as Powerline and Instapundit.

  22. Posted Nov 24, 2009 at 1:12 PM | Permalink

    This made me LOL – comment under Guardian article linked to above

    “”I am not a crook” – Dick Nixon – “I did not have sexual relations with that woman” – Billy Clinton – ” Its a load of rubbish” – Phil Jones”

  23. compy
    Posted Nov 24, 2009 at 1:17 PM | Permalink

    “…If you look at all the emails you will that some bozo transmitted a logon and password ( steve, tosser) in one of the mails…”

    Hmm. For those not familiar with earthy Commonwealth expressions, “tosser” is a rather rude pejorative (google it). Looking at the original email, I also don’t see a Steve on the distribution list. One wonders if this password was another childish insult aimed at the host of this site. If so, there would be some irony if it were in any way used in the hack.

  24. Feedback
    Posted Nov 24, 2009 at 2:27 PM | Permalink

    Don’t know if it means anything, but the Guardian article linked to by Plato Says above doesn’t use the word “hacked” or “hacker”. They are referring to “stolen” emails, and then to the “leaked” emails.

  25. Joshua Corning
    Posted Nov 24, 2009 at 2:30 PM | Permalink

    I don’t understand why uploading the zip file would disable access to “legitimate users”

    I don’t think he wrote that the upload caused the disabled access. I imagine if the permissions were not set for security that the account the hacker got in the email had permissions to disable other peoples accounts.

    If the hacker wanted the message he was trying to post on RC to remain on RC for longer then a few min the best course of action would be to prevent someone from taking it down by changing the permissions of accounts used by legitimate users.

  26. Joshua Corning
    Posted Nov 24, 2009 at 2:40 PM | Permalink

    An example of such an email with signon and password is in the ClimateGate Letters here.

    One should note that anyone who got the the original climategate file could have found the password and login and tried to put it up on RC.

    In other words one person posted the file on blogs then a second person who downloaded it found the account information and tried to post it on RC.

    I don’t know if the time line works for this scenario but if it does we could have two hackers. Of course two hackers break occum’s razor so this might be a bit much.

  27. ice core
    Posted Nov 24, 2009 at 3:26 PM | Permalink

    Posted comment #90 at Revkins blog

    I like the name ClimateGate for these events. Like Watergate, we know a ‘burglary’ was committed. Now we need to find the ‘burglar(s)’, and their bosses. It is pretty easy to identify the prime suspects; clearly suspicion should fall on McIntyre’s group who lost the appeal for the FOI release.

    I believe the FOI compliance authorities knew about the file of emails, but declined to release it since the emails are not useful for scientific purposes, the reason M’s group sought FOI release. It is likely HadCRU has already addressed some of the FOI concealment concerns.

    The most likely scenario is M’s group also knew about the file, and few days after losing the appeal, orchestrated the release in violation of the FOI appeal decision. This is similar to the kidnapping of a child, a few days after a father loses a custody trial… the suspicion would immediately fall on the father.

    Are you certain that people associated with McIntyre didn’t release the information

    Steve: Speaking for myself, this is totally and categorically untrue. In any event, the timeline is wrong. The zip file was placed in the public domain on Nov 17 the day before I was notified of the FOI decision on Nov 18.

    • ice core
      Posted Nov 24, 2009 at 4:23 PM | Permalink


      I posted those dates for the guy trying blame you for the hack at Revkins

    • HR
      Posted Nov 24, 2009 at 6:34 PM | Permalink

      Climate denier and child abductor – you’re one bad man Steve 😉

    • Tom Forrester-Paton
      Posted Nov 26, 2009 at 8:34 AM | Permalink

      I prefer “Fabrigate”, but I guess it’s too late now….

  28. Posted Nov 24, 2009 at 3:48 PM | Permalink

    I don’t understand why uploading the zip file would disable access to “legitimate users” or what purpose would have been gained by doing this.


    I don’t read this as the action of uploading disabled access. I think the disabling was a separate action. And one reason would be an attempt to prevent Gavin from removing the file, and the comment announcing its presence.

  29. R.S.Brown
    Posted Nov 24, 2009 at 4:51 PM | Permalink

    OT but FYI, there’s a problem with two out of three of the big Canadian internet routers this Tuesday evening. They’ve flatlined.
    Please see:

    for the Edmunton and Ontario routers.

    • crosspatch
      Posted Nov 25, 2009 at 2:05 AM | Permalink

      Most likely an issue between the monitoring location and the monitored location. If I had to render a guess, I would say the problem is with Cogent who peers with both dead locations and with three of the upstream peers of the monitoring network.

      Routes to my network have been flapping all day from Rogers’ perspective. I suspect all that flapping has a router somewhere damping the route announcement until it is stable for some period of time and so it is unreachable from the monitoring net.

      Cogent is known more as a low cost network than as a high performance or high reliability network.

      Rogers sees my routes flapping (as reported by BGPlay) every few minutes. The same is likely true with anyone else traversing the same path to them.

  30. FTMoney
    Posted Nov 24, 2009 at 5:19 PM | Permalink

    From: Tom Wigley
    To: Michael Oppenheimer
    Subject: Re: letter to Senate
    Date: Wed, 23 Jul 2003 20:13:12 -0600
    Cc: (omit)


    Here are some thoughts about the Soon issue, partly arising from talking
    to Ben.

    What is worrying is the way this BS paper has been hyped by various
    groups. The publicity has meant that the work has entered the
    conciousness of people in Congress, and is given prominence in some
    publications emanating from that sector. The work appears to have the
    imprimateur of Harvard, which gives it added credibility.

    So, what can we as a community do about this? My concerns are two-fold,
    and I think these echo all of our concerns. The first is the fact that
    the papers are simply bad science and the conclusions are incorrect. The
    second is that the work is being used quite openly for political purposes.

    As scientists, even though we are aware of the second issue, we need to
    concentrate on exposing the scientific flaws. We also need to do this in
    as authoritative a way as possible. I do not think it is enough to speak
    as individuals or even as a group of recognized experts. Even as a
    group, we will not be seen as having the ‘power’ of the Harvard stamp of

    What I think is necessary is to have the expressed support of both AGU
    and AMS. It would also be useful to have Harvard disassociate themselves
    from the work. Most importantly, however, we need the NAS to come into
    the picture. With these 4 institutions, together with us (and others) as
    experts, pointing out clearly that the work is scientific rubbish, we
    can certainly win this battle.

    I suggest that we try to get NAS to set up a committee to (best option)
    assess the science in the two BS papers, or (less good, but still
    potentially very useful) assess the general issue of the paleo record
    for global- or hemispheric-scale temperature changes over the past 1000
    years. The second option seems more likely to be acceptable to NAS. This
    is arguably an issue of similar importance to the issue of climate
    sensitivity uncertainties which NAS reviewed earlier this year (report
    still in preparation).

    I am not sure how to fold AGU and AMS into this — ideas are welcome.
    Similarly, perhaps some of you know some influential Harvard types
    better than I do and can make some suggestions here.

    The only way to counter this crap is to use the biggest guns we can
    muster. The Administration and Congress still seem to respect the NAS
    (even above IPCC) as a final authority, so I think we should actively
    pursue this path.

    Best wishes,

    I know type interests many re: politics and undermining fellow scientists’ careers.

    • steven mosher
      Posted Nov 25, 2009 at 4:19 PM | Permalink

      I laughed when I first read this. watching how they manage the machine

  31. FTMoney
    Posted Nov 24, 2009 at 5:23 PM | Permalink


    Just agreed to review a paper for GRL – it is absolute rubbish. It is having a go at
    the CRU temperature data – not the latest vesion, but the one you used in MBH98 !! We added lots of data in for the region this person says has Urban Warming ! So easy review to do.

    Sent Ben the Soon et al. paper and he wonders who reviews these sorts of things. Says GRL hasn’t a clue with editors or reviewers. By chance they seem to have got the right person with the one just received.

    Can I ask you something in CONFIDENCE – don’t email around, especially not to Keith and Tim here. Have you reviewed any papers recently for Science that say that MBH98 and MJ03 have underestimated variability in the millennial record – from models or from some low-freq proxy data. Just a yes or no will do. Tim is reviewing them – want to make sure he takes my comments on board, but he wants to be squeaky clean with discussing them with others. So forget this email when you reply.



  32. R.S.Brown
    Posted Nov 24, 2009 at 5:29 PM | Permalink

    Sorry. It’s the Edmonton and VANCOUVER routers that have died.

    This will probably show up about three jumps ahead of the Climate
    Audit address when you run a trace route.

    The home page for the Internet Traffic Report is:


  33. Posted Nov 24, 2009 at 5:38 PM | Permalink

    Based on the address of the ZIP file at RC, the leaker/hacker may have hacked into RC’s server. WordPress has an upload feature but: 1) It limits the size of files uploaded rather severely and 2) It puts the uploads in an upload directory. The Zip file was not in an ‘upload’ directory, and it was too big to be uploaded by WP’s uploading tool.

    The hacker/leaker still may have gotten the password/username through some slovenly password habits like sending them by email. But these really may have been for the server.

    (Dreamhost uses username/password AND IP.)

    Steve: Lucia, if you operate wordpress on your own server (as CA does), you can set the upload size as a parameter. It takes a few seconds to change the parameter. I don’t think that you need root level access to increase the parameter, tho I don’t know for sure. It looks like RC operates on its own server. It’s possible that the upload size parameter was tweaked.

  34. Brnn8r
    Posted Nov 24, 2009 at 7:47 PM | Permalink

    “I’ve sent similar emails to various people which entitle them to post at Climate Audit – Roman Mureika, Jean S, UC, Hu McCulloch, to name a few. Also Judy Curry who’s posted at CA but has probably lost her password. And a few who haven’t taken advantage of the offer e.g. Michael Tobis.”

    Steve, I sure hope you’re using some kind of authentication and encryption (PGP, GPG etc) when sending those? Basic SMTP doesn’t provide any encryption! and also doesn’t authenticate who you’ve sent it to. If you’ve sent any passwords out via basic email. I’d change them now!

    You’ll have no idea who else might have snooped those. There could even be bots sitting on mail servers sifting through unencrypted emails looking for the keyword “password” and phoning home with those.

  35. Chad
    Posted Nov 24, 2009 at 7:49 PM | Permalink

    Just wondering why you guys are concentrating so much sound and fury on 1000 year old tree rings, which are nearly irrelevant, when you should be taking up the challenge of discerning how alarmists have managed to plant a bunch of heaters under nearly every glacier and ice cap on earth. Now THAT would be a real scoop.

    Don’t you think its a bit absurd to spend so much time trying to determine if it was .1 degree warmer or cooler today in 1114 AD, when it really doesn’t matter at all. Honestly. So what if it were hotter then? Or 2000 years ago? Or 5000 years ago? What would any of that change about today? Would it make CO2 magically stop absorbing infrared? Would it change the vapor pressure of water? Would it send all our greenhouse emissions back into the ground? Would it make some mystical, magical “natural variation” come along and cool the planet for us, in the nick of time? What “natural variation” would that be? Billions of petajoules do not just disappear into the void. “Natural variation” is tremendous amounts of heat moving somewhere, and deserves explanation. If it is happening now, what is the cause? Where is the heat? Is it getting out? Is it the water? Is it melting ice? Was it blocked and never came in?

    How much “natural variation” there was in the past is largely trivia, and is only modestly informative about the future. I put it in quotes because in the last thousand years, it is not even clear that the variation was natural. Indeed, it is quite likely that we have been making appreciable changes to the climate for at least two milennia, when we started massively clearing forests and exchanging them for methane-spewing rice paddies and grain fields.

    • TAG
      Posted Nov 24, 2009 at 10:18 PM | Permalink

      Chad, please note that what is being done is an audit of major research projects at some of the major climate research centers in the world. It is these groups who have decided that paleoclimates are an important consideration for AGW research. So if you thin this research is not worthwhile, I suggest that you contact Michael Mann, Phil Jones, Keith Briffa etc since they are the people who are leading this research.

    • FTMoney
      Posted Nov 24, 2009 at 10:36 PM | Permalink

      “when you should be taking up the challenge of discerning how alarmists have managed to plant a bunch of heaters under nearly every glacier and ice cap on earth. Now THAT would be a real scoop.”

      Here is the scoop. Retreating glaciers evidence temperature increase. Advancing ones do too. Studies say so. And they are peer reviewed.

      Post normal science.

    • Graeme W
      Posted Nov 24, 2009 at 11:46 PM | Permalink

      Chad, you made the comment:

      “How much “natural variation” there was in the past is largely trivia, and is only modestly informative about the future. I put it in quotes because in the last thousand years, it is not even clear that the variation was natural.”

      Thank you, because you’ve made it clear that you agree that the science isn’t settled. We don’t know how much of the current climate change (I don’t think anyone disagrees that the climate has changed) is due to natural variations and how much is due to human activity (AGW). We’d all like to know.

      There’s no doubt that CO2 has the potential to warm the planet. Unfortunately, as CO2 has been going up steadily, while the global temperature has not, there are clearly other factors at play and so there is some doubt as to how much influence human released CO2 is having. Those doubts have been increased due to the release of information from CRU.

      We all want to find out the truth. If it turns out to be that CO2 from human activities is a major factor, then most of the ‘skeptics’ will accept that. They won’t however, accept the word of someone without reasonable proof, and that’s been the source of contention with the CRU group — they wouldn’t release the data to allow for an evaluation of their statements and it appears that they’ve been actively trying to suppress any statements that contradict their statements.

    • Hank Hancock
      Posted Nov 24, 2009 at 11:56 PM | Permalink

      I once read that there is strong scientific evidence that prior to the Westward movement and settlement of San Fernando valley, smog from camp and cooking fires of indigenous peoples was a problem in the valley. That said, the smog didn’t affect climate. The core premise of the AGW hypothesis is climate sensitivity to C02 is the chief cause of global warming. I haven’t seen any pro-AGW studies that maintain that anthropogenic activities (land use or C02) were significant in affecting climate before the past four or five decades.

      Yes, I do think it is absurd that anyone should be concerned over .1 degree above or below that of 1114 AD, particularly in light of the fact our historical record doesn’t offer that degree of accuracy. There are quite a few AGW believers who would adamantly disagree, citing a .1 degree change either way as evidence that global warming is far worse than predicted.

  36. samuellhall
    Posted Nov 24, 2009 at 8:32 PM | Permalink

    Here is the first You Tube comment and Mann is whacked

  37. David Jay
    Posted Nov 24, 2009 at 10:30 PM | Permalink

    I probably shouldn’t bite, but I will:


    There is code and comments for the HadCRU global temperature in the leaked data. The code is a mess (as one person writes – “needles in the eyes” bad). HadCRU is widely used as the “best” global temperature measurement. They appear to has lost the original data and they appera to be unable to reconstruct past output. They are doing ad-hoc adjustments to cool the 1940s and heat modern temps.

    Simple question that goes to the base of your assumptions – how do you KNOW that temperatures are going up? How do you know that GigaJoules of heat are being absorbed by the earth?

    Not by ocean heat content. Not from the 30 year satellite record (RSS or UAH). That leaves GISS, which uses USHCN and does “adjustments” that have historic temperatures changing every month.

    I’ll be glad to do the icecap discussion as well if you wish…

    • Chad
      Posted Nov 25, 2009 at 7:14 AM | Permalink

      UAH at .13/decade, GISS, RSS, HadCRU at .16/decade….again, what is the difference? Why would I conclude anything other than the real number probably lies in between? Oh let me guess. They are ALL wrong, including that raving left-winger Christie, right? And the melting ice. That means its colder, according to you guys. And all the plants and animals documented moving poleward or up the mountains? That was just some really tricky Siberian propaganda that fooled them. Ocean temps up too? Gotta be wrong. Great Lakes too? That’s must Michigan’s lefty governer (but damn is she hot!).

      Exactly how many independant lines of evidence does it take before you conceed you are wrong?

      • Michael Jennings
        Posted Nov 25, 2009 at 5:49 PM | Permalink

        snip – I’m going to start trying to restore order to the blog. An editorial policy of the blog is that there is no point trying to debate first principles in one-paragraph bites.

      • Brian B
        Posted Nov 25, 2009 at 8:33 PM | Permalink

        snip – there is no point debating “big picture” issues in one paragraph bites. Blog editorial policy.

  38. Graeme W
    Posted Nov 24, 2009 at 11:27 PM | Permalink

    Getting back to the ‘hack’, there’s something that’s bothering me. According to the public statements, RC and CRU were aware on the 17th of the file that was uploaded to RC. The news really didn’t hit until the 19th, which meant that they knew about the file for two days.

    There’s been a few comments about the responses from CRU and RC don’t appear quite right. If they had two days to think about it and do some prelimary planning as to actions, then would that address that issue?

    My problem is that given two days to prepare, they still seemed woefully unprepared to deal with the issues when they started to hit.

    I’m guessing that they only had a few people that they let look at the file, and so weren’t able to search through the data efficiently for things that would need to be countered.

    And if you want to go down the conspiracy theory route, how was it that Gavin knew about the original post by ‘RC’ at CA before almost anyone else? This is probably more a technical question — would accessing the link to the file uploaded at RC result in log files that point back to the CA site and that post in particular? If so, then there’s an easy answer — the four downloads pointed them to that post. If not, then I find it remarkable that they were able to find it, since it’s buried amongst a lot of other completely unrelated posts.

  39. ignoranceisntbliss
    Posted Nov 24, 2009 at 11:40 PM | Permalink

    Um, hello. I pointed out that the BBC guy claims to have recieved the archive on Oct 12 (when there’s a Nov. 12th email in the archive we all have ) and you removed my comment?!?

    Steve: Dunno where it is. But this has been discussed previously and it seems he is only talking about his own email.

  40. Magnus
    Posted Nov 25, 2009 at 4:40 PM | Permalink

    Have anyone noticed this reasonig regarding FOIA in file FOIA\jones-foiathoughts.doc

    “Options appear to be:

    1. Send them the data
    2. Send them a subset removing station data from some of the countries who made us pay in the normals papers of Hulme et al. (1990s) and also any number that David can remember. This should also omit some other countries like (Australia, NZ, Canada, Antarctica). Also could extract some of the sources that Anders added in (31-38 source codes in J&M 2003). Also should remove many of the early stations that we coded up in the 1980s.
    3. Send them the raw data as is, by reconstructing it from GHCN. How could this be done? Replace all stations where the WMO ID agrees with what is in GHCN. This would be the raw data, but it would annoy them.”

    Second option seems quite revealing….

  41. Posted Nov 25, 2009 at 5:01 PM | Permalink

    Googling “Climategate” yesterday a.m.: 220,000 hits
    Googling “Climategate” yesterday p.m.: 280,000
    Googling “Climategate” today, 1 p.m.: 2.740,000
    Keep those emails rolling out to everyone you know.

    • Sean
      Posted Nov 26, 2009 at 11:26 AM | Permalink

      Awesome. Hey I know this is off topic but can someone please point me toward the email where someone at CRU (maybe Jones) says it doesn’t matter if all of the signatories to some statement are scientists or not; what’s important is that they have a very high number or something to that effect? I saw it last week but can’t find it again.

  42. Thomas
    Posted Nov 25, 2009 at 8:53 PM | Permalink

    It appears that there have may not have been any hackers and that the information was unwisely stored on a public server. The hacking story looks like a smokescreen. Check out the article and letter of complaint to Hoyt, the public editor (ombudsman) for the New York Times. Here’s the link:

  43. Duke C.
    Posted Nov 26, 2009 at 1:59 PM | Permalink

    A text search reveals that 5 of the emails contain the string “Password:”

    C:\FOIA\mail\1127614205.txt,155,”Password: 2005Nov04″
    C:\FOIA\mail\1172063883.txt,127,”password: EQ0KW0WG (Please note that these are zeros – not letters.)”
    C:\FOIA\mail\1179765915.txt,24,”password: water08″
    C:\FOIA\mail\1243527777.txt,117,”Password: 307923″
    C:\FOIA\mail\1256353124.txt,13,”Password: tosser”

    Excerpt from 125635124:
    GMT: Sat, 24 Oct 2009 02:58:44 UTC

    From: Mike Salmon
    To: Mike Salmon
    Subject: Re: Yamal 2009
    Date: Fri, 23 Oct 2009 22:58:44 +0100
    Cc: Keith Briffa , Tom Melvin ,
    Tim Osborn , Phil Jones

    I’m not thinking straight. It makes far more sense to have
    password-protection rather than IP-address protection. So, to access
    those pages

    Username: steve
    Password: tosser

    Have a good weekend!


    This Username/Password combo, IMO, is an inside joke/slur directed towards Steve M.

    Definition of “tosser” can be found here:

    So they do play fast and loose with passwords.

    That’s downright sophomoric. It’s one thing to have a personal opinion, quite another to carry it over to professional correspondence. These guys are world class Climate Scientists?

    Way to go, Mike

  44. marie elks
    Posted Nov 27, 2009 at 1:23 AM | Permalink

    To the leak: I’m leaning toward stupidity. Check out this gem embedded in 1248862973.txt:

    >>> Phil Jones wrote:
    >>>> Mike,
    >>>> See below for instructions.
    >>>> Also, just because IPCC (2007, Ch 3) didn’t point out the 6/7-month lag
    >>>> between the SOI and global temperatures doesn’t mean it hasn’t been
    >>>> known for years. IPCC is an assessment and not a review of everything
    >>>> done. If they had even read Wigley (2001) they would have seen this
    >>>> lag pointed out. I wasn’t the first to do this in 1989 either. I don’t
    >>>> think Walker was either. I think the first was Hildebrandsson in the
    >>>> 1890s. Why does it always go back to a Swede!
    >>>> file is at
    >>>> login anonymously with emails as pw
    >>>> then go to people/philjones
    >>>> and you should find santeretal2001.pdf
    >>>> Cheers

    They’re using the FTP site as a network folder! Geez, and these are supposed to be the smartest people in science?

  45. wozza.xing
    Posted Nov 27, 2009 at 7:53 AM | Permalink

    I doubt that the person was actually in Turkey – was probably using to hide her identity.

  46. Harold
    Posted Nov 27, 2009 at 8:00 AM | Permalink

    According to the site, the main CRU webserver is down:

    Maybe they’re doing some needed admin work. I was doing a quick check to see what google had indexed off the site (for obvious reasons).

  47. Posted Dec 2, 2009 at 3:59 PM | Permalink

    It was just pointed out to me by a staunch defender of CRU that the very first release of the archive was at This is the statement made by Gavin Schmidt here:

    Curiously, and unnoticed by anyone else so far, the first comment posted on this subject was not at the Air Vent, but actually at ClimateAudit (comment 49 on a thread related to stripbark trees, dated Nov 17 5.24am (Central Time I think)). The username of the commenter was linked to the file at Four downloads occurred from that link while the file was still there (it no longer is).

    The date and the time of the CA comment is 16 hours, more or less, before the date and time that Gavin Schmidt says that the file was put on his site.

    It’s worse than we thought. Not only are we dealing with a sophisticated hacker multinational hacker, he or she is also a scientist with a time machine, able to post a link to a file and have it downloaded several times before it even existed.

    One would think it would be risky to assume that you could upload a file to a root directory half a day after announcing it — since people trying to download it would be generating error messages for the missing file. So, clearly, the uploader put the comment and link up on CA first, then went back in time to put the actual file on RC.

    Or, just possibly, Gavin Schmidt is mistaken or misleading about the file’s upload time. Perhaps a time machine is more likely.

    More seriously, I think that Dr. Schmidt has inadvertently confirmed that the first upload was to his site. The evidence suggests to me that CRUW (CRU Whistleblower) is skeptical, but not an “active skeptic” — and may never have been on the website — but wanted to get the info out there somehow. And obviously the BBC gambit did not work, though CRUW gave it a month.

    ===|==============/ Level Head

%d bloggers like this: