04 December 2009

ClimateGate: Addressing the ‘not a hacker’ meme - Michael Roston - Newsbroke - True/Slant

Is it or isn't it?

Time for the CRU crew to come out with it! Is it a crime or was it a whistle blower? Everyone is waffling around about it, and frankly the uncertainty is causing more problems than either admission would.

Since I published my article Friday about the concerted effort of climate change deniers to cover up the criminal origins of the leaked ‘ClimateGate’ e-mails and files, I’ve received quite a few comments that have taken the argument a step further, stating outright that it wasn’t a hacker, but an East Anglia insider who leaked the files as some sort of whistleblower.

This rebuttal has even been picked up by Chris Horner of the climate change-denying Competitive Enterprise Institute in an op-ed for the Washington Examiner, showing that beyond covering up the criminal act of hacking that resulted in the release of the Climate Research Unit’s files, ‘ClimateGate’ warriors are now taking to mainstream media outlets to fight back against the idea that an act of crime is the source of their evidentiary bounty.

Of course, climate change deniers have a clear interest in portraying their source as Woodward and Bernstein’s ‘Deep Throat’ rather than Richard Nixon’s Plumbers. If their treasure trove of e-mails and files comes from a criminal action, and perhaps a criminal conspiracy, it casts a heavy, looming shadow over their efforts to pillory the climatologists implicated. More than anything, it will suggest that the climate change deniers are so desperate to make their case that they had to rely on a possible criminal conspiracy in order to prompt a thorough-going investigation of the science behind the theory of anthropogenic climate change. And that’s not how they want to be remembered.

Before I discuss the theorizing that it wasn’t a hacker, let’s first look at the evidence that it was a crime that led to the e-mails being leaked online.

First, the University of East Anglia has stated that they were hacked. In a statement published on the university’s website, Trevor Davies, the university’s ‘pro-vice-chancellor for research,’ and a climatologist himself, discussed the computer security failure that resulted in the e-mails getting out:

Given the degree to which we collaborate with other organisations around the world, there is also an understandable interest in the computer security systems we have in place in CRU and UEA. Although we were confident that our systems were appropriate, experience has shown that determined and skilled people, who are prepared to engage in criminal activity, can sometimes hack into apparently secure systems. Highly-protected government organisations around the world have also learned this to their cost.

via CRU climate data already ‘over 95%’ available (28 November) – University of East Anglia (UEA).

True, not a blunt statement that “we were hacked.” But if East Anglia didn’t want it known they were hacked, they would not have mentioned it at all in their statement on the subject, as subsequent proof that the release of the file came from a whistleblower would put them back on the defensive.

Furthermore, shortly after the file was widely publicized, UEA released the following statement:

A spokesman for the University of East Anglia said: ‘We are aware that information from a server used for research information in one area of the university has been made available on public websites.

‘Because of the volume of this information we cannot currently confirm that all of this material is genuine.

‘This information has been obtained and published without our permission and we took immediate action to remove the server in question from operation.

‘We are undertaking a thorough internal investigation and we have involved the police in this inquiry.’

If a crime did not occur, East Anglia would not involve the British police. And if they hadn’t identified the work of a cyber criminal, rather than some pissed-off insider, they wouldn’t be speaking of a specific server where the files and e-mails were hosted.

Beyond the Climate Research Unit and the University of East Anglia’s statements, there is Senator Jim Inhofe who has been bellowing for an investigation of the ClimateGate files (an investigation I support, subject to some previously stated conditions). In spite of Senator Inhofe’s earlier sly praise for the timing of the hackers who stole the East Anglia files, he released the following statement about his proposed investigation:

I certainly don’t condone the manner in which these emails were released; however, now that they are in the public domain, lawmakers have an obligation to determine the extent to which the so-called ‘consensus’ of global warming, formed with billions of taxpayer dollars, was contrived in the biased minds of the world’s leading climate scientists.

It would seem even Senator Inhofe is ready to acknowledge that there’s something unseemly about the way the CRU files came to light. If there was any possibility that the East Anglia leak was the work of a disconsolate whistleblower, Senator Inhofe would not be hedging his bets. Instead he would be calling for the protection of the rights of a whistleblower he believes revealed a fraud.

Moving on, a variety of bloggers have implied that there is reason to believe that someone other than a hacker was involved in securing and leaking the files.

Take Terry Hurlbut, one of the hordes of ‘citizen journalists’ in the Examiner.com network. Hurlbut offers speculation that the behavior involved in releasing the files is not the work of a hacker:

The anonymous tipster, whom many people initially assumed had “hacked” into the computers at the Climatic Research Unit (CRU) of the University of East Anglia (repeatedly called the “Hadley CRU,” by mistake), might in fact be a CRU insider who released the files for his own reasons.

The user, known only as “FOIA” (which now appears to be a reference to the British equivalent of the US Freedom of Information Act), left only one comment on The Air Vent to announce his release of his 61-MB ZIP archive. He has never been heard from since, nor has anyone stepped forward claiming to be that person since the story became widely known.

Persons knowledgeable in information security hold that this is not the behavior of a hacker. A hacker normally boasts of his act, even if he were hired or otherwise suborned to commit his act by someone else. These two reports provide illustrations of such behavior.

[...]

In all that time, the original poster of the Russian FTP link never made another comment in any forum. As discussed above, this is not typical of a hacker. A hacker would be boasting about his act, and loudly. Instead, his file sat in that anonymous FTP account for more than forty-eight hours, and the poster never made any further attempt to publicize his find. Hence the conclusion, by this Examiner and a host of other commenters, including IP security professionals, that this unknown user was one who had had access to CRU computers, in accordance with his duties at the CRU.

The attempted claim here is that the hacker hasn’t boasted about the job, and all hackers boast, so he or she does not exist. Of course, there is a clear difference here between the cases Hurlbut cites – the teenager who hacked Sarah Palin’s private e-mail account for fun, and Russian hackers who make a living off of credit card fraud – and cyber criminals who are acting like Richard Nixon’s ‘Plumbers.’ If you’re a Plumber, your client has an expectation of your discretion, so I wouldn’t be shocked if the hacker in question kept his or her mouth shut. Hurlbut is otherwise referring to ‘IP security professionals,’ but he doesn’t cite any who have commented on the East Anglia files in particular. If they are ‘IP security professionals’ who already deny the existence of global climate change, their professional opinion is certainly colored by their political viewpoint, which is of course why we need an independent investigation of this affair.

Beyond Hurlbut’s ‘no boast, no hack’ theory, he and others have suggested that the file was too well organized to have been put together by a hacker:

Other commenters have observed that the very form and organization of the archive, which expands to 168 MB of text files, word-processing documents, PDF files, raw data, and even program code, indicate that someone already having access to the system logged in through his usual channels, made the archive, and then logged out. The user’s choice of words indicate someone having a motive to disclose to the world certain activities and mindsets that the user found distasteful, at least.

Kevin Grandia, not a climate change denier, offered a similar perspective:

The folder of information contains over 3,800 separate files and it is clear that someone has taken a lot of time to pull together what they thought would be the most damaging. This is not the work of a hacker, unless that hacker is extremely well-versed in climate science, and specifically the conspiracy theories of the climate denial movement.

This package of stolen data and emails would have taken hundreds of hours to compile and someone out there knows exactly how all this went down.

What both of these statements fail to take into account is the possibility that the data and e-mails could have been hacked by one person, and sorted and compiled by another or others who knew his or her way around the debate. It’s also kind of funny that as a digital mob gets together to crowdsource their way through these files, they can’t imagine that some enterprising cabal working in concert with a hacker wouldn’t already have done the same thing.

Honestly, I don’t know, and I’m not afraid to say so. After all, if Hurlbut is relying on the word of ‘IP security professionals,’ can’t they examine the file and state unequivocally that the files were all pieced together in a manner consistent with their theory? As long as we’re in the world of speculation, it’s worth pointing out that there are credible alternative explanations to why the ‘FOI2009.zip’ file looked the way it did.

There is one last remaining theory, offered up at ‘Watts Up With That’, another blog that denies the existence of anthropogenic climate change. ‘Charles the moderator’ argues that it was neither a hacker, nor a whistleblower who released the file. Rather, someone mistakenly posted to an open server an attempt to comply with a known Freedom of Information claim filed by the Climate Audit blog:

It would take a hacker massive amounts of work to parse through decades of emails and files but stealing or acquiring a single file is a distinct possibility and does not require massive conspiracy.  The same constraints of time and effort would apply to any internal whistle blower.  However, an ongoing process of internally collating this information for an FOI response is entirely consistent with what we find in the file.

In the past I have worked at organizations where the computer network grew organically in a disorganized fashion over time. Security policies often fail as users take advantage of shortcuts to simplify their day to day activities. One of these shortcuts is to share files using an FTP server. Casual shortcuts in these instances may lead to gaping security holes. This is not necessarily intentional, but a consequence of human nature to take a shortcut here and there. This casual internal sharing can also lead to unintentional sharing of files with the rest of the Internet as noted in the Phil Jones, CRU mole, example above. Often the FTP server for an organization may also be the organization’s external web server as the two functions are often combined on the same CPU or hardware box. When this occurs, if the organization does not lock down their network thoroughly, the security breaches which could happen by accident are far more likely to occur.

While it’s a rather substantial leap to believe that the file had been aggregated just so by East Anglia staff so they could quickly distribute a variety of self-incriminating e-mails to the world, I won’t dismiss outright that there could have been an FOI file. But, if Charles is right, and there was a hole in CRU’s information security protocols, I don’t understand why this makes it any less of a malignant act. If someone was sitting on CRU’s servers waiting for an opportunity to strike, they sound a lot like a hacker to me, even if the law wouldn’t ultimately find them to be criminals. And knowing, as we do, that someone was sending BBC reporter Paul Hudson privileged e-mails in October makes it sound like someone was inside CRU’s servers prior to the November denial of the FOI appeal.

But the theory offered up by Charles of Watts Up With That isn’t one that’s being endorsed by the climate change denial movement. They’re stuck on the idea that some brave East Anglia Deep Throat just couldn’t take it anymore, and blew the whistle. They need that, because some anonymous soul snooping on some climatologists’ servers just doesn’t sound very good.

And it’s worth keeping in mind that if UEA is housing a whistleblower, that person has a legal framework in Britain that protects them for revealing fraud, the Public Interest Disclosure Act 1998. More than that, much as Daniel Ellsberg first went to Members of Congress with the Pentagon Papers, or Sgt. Joe Darby went to the Army’s Criminal Investigative Division in order to blow the whistle on abuses of detainees at Abu Ghraib, a theoretical UEA whistleblower could have gone to university officials, Conservative MPs in England, or even to someone like Senator Jim Inhofe in the United States. Instead we know that someone anonymously seeded a file with lots of e-mails and files on the websites of both climate change believers, and climate change deniers, those who debate the scientific consensus on climate change. We also know that a BBC reporter had received some of the e-mails in question in October, and hadn’t done anything with them. It sounds like someone was on a fishing expedition, and finally found a shallow pool – the Air Vent – in which to drop their bait.

I’m ready to admit that I was wrong if evidence comes out to the contrary. You will see a blog post in this space if it turns out that way. But for the moment, it’s difficult to question that some people who have a lot to gain from denying the science of anthropogenic climate change also have a lot to gain from seeing their efforts buoyed by a whistleblower rather than a hacker. And it’s a little suspicious how many of them are getting sensitive about the leak being called a hack, and not an act of conscience.

Posted via web from TweetingDonal's Temporary Insanities