So, was climategate a hack after all?

This is going to be one of those difficult articles to write, just to make it easy to read. It’s going to get technical at points, because it has to, so there’s going to be more than a few detours to explain things, but bear with me. It’s Sunday afternoon, I’m wearing sunglasses indoors, it’s a long way to the Cook County Assessor’s office, I’ve only got half a pack of smokes left, so I’m just going to put that gas pedal right to the metal and hope for the best; let’s do it.

Norfolk police are closing down their search for whoever was behind the climategate security breach. Nobody has been arrested and it’s being put down to an external hack. I’ve always felt confident it’d end that way for a number of reasons. The main reason they were doomed not to nab them is quite simply, nobody wanted them caught. Any trial would be a huge liability and embarrassment to the climate establishment. Even what they could be charged with is a highly debatable point. Was it data theft or whistleblowing in the public interest? After the whistleblower, or FOIA as they’ve come to be known, put a dead man’s hand password into the second climategate release of emails, they became untouchable. If they go anywhere near FOIA, the blood will be ankle-deep.

I’ve also always been confident it was a leak, rather than an external hack, and still think that, despite the closing statement made by the police. I said think that, rather than believe that, so I can give you my reasoning. Let’s do the high level reasons first, and then we’ll move onto the dreaded technical details.

There’s this saying; money talks but bullshit walks and it’s very true. When you add in all that cross charging of those various public and private organisations involved, the grand total spent on the whole investigation over the course of three years, appears to come down to the princely sum of 85,000 pounds sterling. Come on, that’s nothing. It wouldn’t even buy the tea bags allowance of Norfolk constabulary for the year, and those coppers are more into their coffee than their tea nowadays. With that amount of money spent on it, we’re definitely talking about going through the motions, because despite what a lot of people might like to think, cops actually know what they’re doing and they operate in a world of realities, both at a pavement and on a political level.

On this one, all the boxes have been carefully ticked. Everyone who might conceivably be of help has been roped in; the Metropolitan Police Counter Terrorism Command (SO15), the National Domestic Extremism Team (NDET), the Police Central e-Crime Unit (PCeU), that work experience kid in the office, who seems to know an awful lot about computers, and even the private sector specialists QinetiQ. Everyone got involved and even the Guardian has had its usual exclusive interview with the guy leading the investigation. Fireproof, baby, fireproof.

They always knew that nobody wanted a result, or God forbid, a trial. A complete time waster. They did their bit in the business, the guy leading the investigation will get a gold star and they’ll get back to doing some real policing. Professionals hate having their time wasted but occasionally, it’s just the loops you have to go through.

Of all the email servers, in all the world, you gotta break into mine. We all suspected the science was being rigged, but who in the hell knew the proof of it would be sitting on an email server in an obscure centre of higher education, the University of East Anglia or UEA, as it’s more commonly known. It’s not as if it’s Princetown, MIT or an Oxbridge college. For God’s sake, even the students there refer to UEA as the University of Easy Access.

Someone knew there was gold in dem thar emails. There’s no escaping that simple fact. Even if you do believe it was an external hack, there had to be an insider, who knew it was worth the big effort of a frontal assault and the risk of a prison sentence, if they were caught. The only way an insider would have known that, was because they’d seen the emails. And if you concede that point, then why on Earth wouldn’t the insider themself just copy the emails they’d seen? I’ve yet to hear credible answers to those questions from anyone, who asserts it was an external hack attack.

Another fact that came out, is that the police have no record of any similar cyber attack on any other institution in the field of climate science research. The supposed hacker hit the email jackpot with their very first try. When it comes to significant events, once is happenstance, twice is coincidence and thrice is enemy action. At the best of times, I have a real problem with happenstance, and in this context, I just don’t believe in luck like that.

All the great whites work for money and they don’t work cheap. Of course, they could have been paid by that shadowy organisation, known only as Skeptic Central in whispered conversations in the darker corners of the internet, but the science had already been ripped apart by the climate realists. Even before climategate, it was walking wounded, a dead dude staggering, a piece of green runny stuff hobbling along between two creaky crutches.

Let’s move on to the technical details. Before I launch into them, it’s important to get inside the head of a top of the food chain hacker, or what I refer to as a great white. You have to look at the world through their eyes. They’re ghosts, ghosts in your system. They live inside there and you’ll never know they’re in there. They worked hard for it, they have it, they now own it, it’s their habitat and their bitch and the last thing they’ll ever do, is something stupid that lets you know they’re there or that they ever were there, even when they decide to get out. That’s the discipline. Hunting one of them down is like tracking someone across a desert, who doesn’t leave footprints. Just keep that in mind as you read what follows, because I’m going to examine the supposed attack, purely from the footprint aspect, because I know I can keep that article to a reasonable length.

You can find the Norfolk police statement, accompanying the announcement of the closure of their enquiries here. They also issued an Operation Cabin, which is what they named the investigation, Q&As sheet which you can find here. When you read through them, you can’t help but come away with the impression that it was all the work of an unknown hacker, with no indication of anyone inside being involved. They’re short on precise details but let’s take a hard look at the few ones they give.

First off, whoever the hacker or hackers were, they were sophisticated. To quote, the investigators concluded that “the attack was highly sophisticated and was undertaken by a person or persons who were highly competent and who knew how to conceal their activity.” Sounds very much like a great white to me.

As usual with things climategate related, I’ve no IT forensics to work with, but there’s enough information to reconstruct a reasonable skeleton outline of the attack, from what few details are given. I wrote a high level description of how an external hack is done, which you can find here. If you haven’t read it, I’d recommend reading it, as it’ll give you a context to hang the following details on. It’s not possible to deduce anything about the reconnaissance or fingerprinting stages, but the break in appears to have been done on a web server called CRUWEB8. From there, the traversal stage got them to a backup server called CRUBACK3, which is where we’re told the emails, source code and documents were extracted from. The last phase, an orderly withdrawal, appears to have been a complete disaster. Not only did they leave traces but even the supposedly misleading ones they left, the clever trackers worked out were just bum steers.

We’re told there was evidence of them trying to get through password screens. I’ll admit I’m guessing here, but someone tried a few passwords like “secret” or “administrator” and the system logged it as a failed login attempt. So what? Sorry, but that happens every day to login screens on the internet. Usually, try more than three bum guesses and the system not only logs them all, but it also locks the account anyway.

Cracking passwords doesn’t work like that. You never go near a password screen. You stay away from password screens. Password screens are not good. The usual technique is that you go after the encrypted file, containing all the logon Ids and their matching passwords. Once you get a copy of that back home to Skeptic Central, you let your favourite brute force password guesser chew away on it for a few days. Feed it enough dictionaries and nine times out of ten, you’ll get the passwords for several useful accounts, which have weak passwords. A few failed login attempts prove nothing but they do indicate it wasn’t a great white chancing their arm. They don’t go anywhere near login screens, until they’ve got a logon Id and password that they know works.

Anyway, how did they know there had been failed login attempts or even the details of the security breach? The activity logs, obviously. Okay, but wouldn’t a great white just edit the logs and delete any activity they wouldn’t want anyone to know about? The slick answer to that one is that they did actually edit the logs, but the equally slick forensic people, recovered the original logs and all was revealed. How would they have done that? To answer that one, we’re gonna have to take a technical detour here, but bear with me for a moment.

When you edit a file and save it, what actually happens is a brand new file is written to the hard disk and then the original file is marked as deleted. It’s not actually deleted from the disk but the space it occupies is effectively marked as empty, so it can be used for storing new files. All those perfectly legitimate uneraser programs you can buy, which recover deleted files, simply scan across your hard disk, marking deleted files as no longer deleted. Hey presto, you’ve got them back again. Depending on whether the space marked as deleted has already been written over or not, the uneraser will recover all deleted files, in whole or in part.

Obviously, there’s no point in editing the logs, if the originals can be recovered. The way out of that problem is to write your very own program, which scans across the hard disk, writing garbage data onto the physical space occupied by files flagged as deleted. That’s a ten minute program to write and again, you can buy perfectly legitimate secure delete programs, which do exactly that.

You might think at this point, that whatever was deleted is now definitely beyond forensic recovery but unfortunately, there’s this data recovery technique, which has various names, but I’ll go with latency. It’s about a magnetic surface, like a hard disk, having ghostly imprints of old data under what’s currently written there. Think of it as a painting on a canvas that the artist has whitewashed over, because they’re going to paint something new on top of it. If you x-ray the canvas, the old image magically re-emerges. In a similar way, it’s actually possible to recover data that’s been overwritten. That could be a bit of a problem, but there’s a couple of ways around it.

The first one is to repeatedly write garbage data into the disk space occupied by deleted files. In a sense, you’re pushing the data you want to hide, so deep into the disk surface, that it becomes unreachable by any sort of latency recovery technique.

The second is more drastic and is only rarely used. You simply destroy the hard disk.

You do that by sending some instructions to the device driver of the hard disk. Again, a little diversion is necessary to explain what a device driver is. You can buy any one of hundreds of different hard disks, made by different manufacturers, and attach them to your computer. Mechanically though, each hard disk will have its own unique way of working and your operating system, say Windows or UNIX, can’t be specially written to communicate with each and every variant. Instead, interface software, which is a standardised agreed interface between the operating system and the hard disk, is written by the manufacturer themselves for each of their products. That’s a device driver. Think of it as buying any type of toaster and knowing you’ll be able to use it at home, because it has a standardised plug. The plug is analogous to a device driver. It’s the common interface.

Device drivers are very low-level programs which do detailed physical things like reading a single sector of a disk or printing a buffer of information. Hackers love them, because the people who write them rarely consider security. While the system administrator is busy welding more layers of armour-plate onto the web server, the hacker is busy reverse engineering the device driver of something like their shared printer, because that’s going to be their way in. If data can flow to and from any device attached to a system, then potentially, it’s a way in.

It depends on the physical characteristics of a particular hard drive, but there’s stuff you can do, that is guaranteed to physically destroy the thing. For example, you can spin it, and keep spinning it until it bursts into flames. It’s like gunning your car at 100 mph in first gear, eventually you’ll see the pistons and con rods exploding out of the hood or bonnet in front of you. The problem with that one, is that you might only have burnt out the motor in the thing, but the disk surface is still physically intact. What you really need to aim for, is something called a head crash.

A hard drive is very much like a record player, except it spins at thousands of revolutions per minute and the equivalent of the arm with the needle in it, is never supposed to touch the disk. If it does touch the surface, it’ll gouge lumps out of it. That’s what’s called a head crash. Once they’re into the device driver, it usually isn’t much of a problem to persuade it to do a head crash or its equivalent. If you’re being thorough, several head crashes followed by a spin it to the limit burnout will do the job quite nicely. Good luck with any data recovery after a disk grind like that.

Again, when you think about footprints left around the system, you have to ask why the great white didn’t grind every disk in the place. As soon as the material was released, it was going to be obvious where it came from. Even if they’d been careful about not leaving any clues behind, why take any chances? Just destroy all the evidence. Bring the whole temple down on your way out.

Jeez, if only the great white had known all about this stuff, they’d have gotten away with it cleanly. Strange though, even the script kiddies know something about some of this stuff, but I guess they weren’t so sophisticated after all. Perhaps they just weren’t a great white or perhaps they never even existed in the first place.

Stepping back from the whole thing, the business of leaving no footprints behind is an exercise in sheer hard work, but it’s the only thing between them and a prison sentence, so they’re always very careful with it. You’ve got a target, you’ve had the patience to determine exactly everything that they’ve got on their box, so you do the dry runs. You put exactly the same software on your very own box, turn on all possible audit logging and take what’s called an image of the hard drive. Think of it as a photocopy or a save game point of the whole machine. Next you do your run, but against your machine, and it either gets through or it fails. Every time it fails, you do a reload game, and have a crack again. They go around that loop again and again, until they get through on their own machine.

The successful dry run tells them two things; the first is that they’ve found the way in, but the second and actually more important one, is the footprint of the hack. They”ll compare the before and after images of the C drive, to see what are the differences. It’s a bit like holding the before and after photocopies together up to a strong light, just to see the differences. Every difference you see, those are the files you’re going to visit for a quick edit, to remove any traces of the run.

They’ll do a reload game yet again and repeat the run, but this time, they’ll additionally do all the edits and secure deletes of the log files, to conceal the break in. After that, they’ll run the before and after comparison again, to make sure there are no differences. Once they’ve done all that, they’ll actually launch the attack for real, and there won’t be a single keystroke deviation from the dry run. Not one.

Anything significant they do inside the system, will also be dry run in advance, just so they can spot and erase the footprints.

Selling the idea that it was a hacker is very easy. Normally sane adults, and not a few IT professionals, who should know better, fall for it because it’s kinda sexy. It’s also a very difficult story to refute, not only because you’ve no access to the forensics, but also because any explanations rapidly descend to a level of technical detail, which lose most people. Even when you’ve access to a system, which you think might have been compromised, it can be difficult to tell if it’s actually been attacked. If you’re dealing with a great white, you’ll only ever pick up the subtle signs, such as the space occupied by deleted log files being full of garbage data, and sometimes, not even that, because that in its way, is a footprint. They’re just as likely to fill it with plausible, but misleading data.

The way you break down an alibi or cover story, is by going over all the details. When I’m told climategate was the work of a “highly sophisticated” and “highly competent” hacker, but then look at some of the details, like the footprints left all over the job, I’m unconvinced, to say the least.

I’ve always considered that if climategate was a hack, then it would have to be the work of a great white. However, I’ve never encountered one, who’s made so many dumb mistakes in the cleanup phase of a run. Too many footprints. Climategate being a hack, is just a no sale for me.


Related articles by Pointman:

Helping to catch the climategate whistleblower.

Why Climategate was not a computer hack.

Some thoughts and some questions about the Climategate 2.0 release.

Profile of the Climategate Whistleblower.

Click for a list of other articles.

36 Responses to “So, was climategate a hack after all?”
  1. Petrossa says:

    Totally agree. To me the biggest pointer is the booty itself. Nobody could ever have guessed by a mile that this was there, and even if so it couldn’t have been worth the effort and risk of your ‘great white’ to bother with.
    Makes no sense at all.
    And ockam’s razor shaves, and cuts off the external hacker as leaving too many questions open.


  2. Mindert Eiting says:

    Pointman, I’m fond of your analyses because you follow the scientific method. Let it be a Great White, then you will find no footprints. Just take a look in order to debunk this hypothesis. The problem space is giant anyhow. We have a handful of reliable data and loads of unchecked assumptions. Some authors still are fascinated by the FOIA-requests affair (what’s in a name) but for me it is obvious that it was about releasing an e-mail story just before Copenhagen. As you said, you have to know that this story exists before taking any action.

    Students are not marching any more through the streets but form small and tight task forces, when confronted with incompetence or fraud by their professors. One year ago we had here in The Netherlands the case of a fraudulent professor. His students knew his work, noted the suspect details, and formed a task force, two men and one women as far as I remember from a recent interview. They kept everything ‘top-secret’ and did some clumsy research. After getting help by an expert, they could unmask their professor, who is now sitting home, facing criminal prosecution.

    It’s a small model of FOIA. Just look at their texts, and you will see it: “Over 2.5 billion people live on less than $2 a day.” That is not the text you may expect from tree-ring experts and a Great White. Yesterday I have read that climatology students at Penn-state University get Al Gore’s charlatan movie as a part of their education. Would you pay thousands of dollars each year for an university education of this kind? Let’s proceed to some potential falsifiers of the angry-students hypothesis.


    • G. Combs says:

      Yes, I agree. If it was not a secretary/drone who had to do the grunt work of putting together the data for the FOIA request and then told to forget it, it was students or the student drone doing the grunt work on the FOIA.

      The “Over 2.5 billion people live on less than $2 a day.” certainly points to a young idealist too.

      As I said on WUWT. With the the belly aching about “climate deniers” that was going on in the e-mails, I am sure there was some verbal bitching too and I doubt if anyone cared weather or not a student(s) hear it. Once the rose tinted glasses were off, idealists have a nasty tendency to get very angry, and I think that is what happened.

      I am glad Pointman went thought the technical analysis since it solidifies the common sense analysis.

      Someone bothering to hack CRU?? If they did it would be to change their grades and not to release e-mails.


    • Mindert Eiting says:

      I have now organized my information better and made an explicit list of some trivial assumptions. From the dates of all mails in the first and second release as well a list of access times to the zip file of the first release and some simple math, it follows that information from the CRU servers must have been taken at minimum in the interval 16 September 2009 – 13 November 2009. So the Great White must have been busy with hacking during two months at least. Your standpoint, Poitman, becomes stronger and stronger.


  3. NoIdea says:


    The settling sciences,
    Deposit sediment at the bottom.
    With a froth of scum at the top.
    In between, in suspension,
    Lies in the truth, in with the muck.

    Bored with old history,
    Coring into the past.
    Like an eye before an E,
    Excepting after see,
    Not in settled science…
    Cos the laws are just a dance.

    The discs are always spinning,
    The servers smoking fast.
    A data plague of oblivion,
    Screaming to the last.
    Naive complex expertise.
    Peer reviewed to boot.
    If they ever caught a hacker,
    That would be a hoot.



  4. meltemian says:

    Good explanation Pointman, even I understood (most of) it!
    Are we ever going to know who, how and why for a fact, and will there be another release soon?

    (Spotted the references to the Blues Brothers, Casablanca and maybe Destry Rides Again?)


  5. Deadman says:

    As much as I agree with your reasoning here and in earlier posts, there is another—though, I own, unlikely—explanation for a release of information from University servers which could be considered: complete incompetence leading to an inadvertent release. I regularly receive, through a quirk in my local university’s e-mail system, copies of e-mails from various administrators and academics whose messages have at times included drafts of compensation packages, travel plans, credit card numbers, and other confidential data. (I’ve also encountered others over the years who obtained access to supposedly secure servers accidentally and, I’m fairly sure, anonymously.)
    Though I have long been inclined to reason that the Climate-gate documents were obtained by an insider, I should not at all be surprised if I learned that the collation of various e-mails was just sent to someone who was astonished and then disconcerted by what he or she found in the inbox.


    • Mindert Eiting says:

      I really appreciate this but I think that if you were an historian your peers wouldn’t accept the proposal. If you presented to them a rational reconstruction, they probably would. But that is the irony because reality contains all kinds of absurd event (within the laws of nature) making that the reconstruction is very likely false. Because this is not an official history journal, I could add my scenario, if Pointman agrees, as it is just for fun. The managing director of CRU (you know who I mean) has access to all mail of all his personnel and so has his secretary, female or male (to make the story more tasty). As managing directors often do, he began a sexual relationship with his secretary. After brutal finishing that relationship, the secretary took revenge and informed one of the older students about everything she or he knew. In England this blackmail position would prevent the director from taking any measure. It’s that easy but probably not true.


  6. Vieras says:

    Pointman, I love your blog. You’re usually spot on, but I think that you’re a bit off with this one. I think that you want FOIA to be a certain kind of person and are doing too much work to justify that.

    First of all, you call FOIA a Great White. White hat hackers are computer security specialists who don’t do the real cracking themselves. They specialize in finding security holes, mostly theoretical ones, and plugging them. Their work results in better online security. Let me tell you, no white hat hacker would crack UEA for climate change data. That would make them black hats. It’s nice to think of FOIA as a good, ethical white hat, but data doesn’t support that.

    Another thing is all this talk about cracking device drivers and crashing hard drives and wiping deleted files and covering your tracks. That’s too much Hollywood. The police report mentioned that FOIA used several chained proxy servers. Change your mac address, use a public wlan and a chain of proxy servers and all the police can get at most is a geographical location, but no personal information whatsoever. And even getting to that ip-address would be extremely hard as owners of proxy servers tend to not give out any information about their users. Even if the police could get authorities around the world to confiscate the proxy servers and cooperate to figure out the original ip-address, I’m fairly sure that it would lead to a dead end.

    FOIA is probably a tech student at UEA. A skilled one. That’s why the target was UEA.


  7. hro001 says:

    Hi Pointman,

    I think you and I have arrived at very similar conclusions (via different routes).

    What do we know about the Norfolk plod’s “investigation”?

    1. They were not notified of this alleged “hack” until Nov. 20, three days after The Saint’s (as I prefer to call FOIA) “comment drops” – and alleged but never proven, and never reported to the appropriate authorities, “hack” at RC for the “purpose” of an alleged “upload” of that which had been obtained from UEA.. This alleged “upload” attributed to The Saint which – considering the “mission” and risk of jeopardizing it – makes absolutely no sense whatsoever!

    If this alleged Nov.17/09 RC “hack” had occurred as per Gavin Schmidt’s (very much after the fact) Nov. 23 “reconstruction”, would Nov. 17 not have been a perfect opportunity for Schmidt to display to the world – via posting of log data which would no doubt have yielded the mother-of-all-hockey-stick-graphs – how low the dastardly “deniers” would go.

    And – for the first time ever – the alarmists would have had some actual “evidence” which would immediately lower the credibility of any and all who dispute their pronouncements of doom and gloom.

    Had Schmidt done so, is it likely that there would have been any “investigations”?! Somehow I doubt it! But he didn’t. He supposedly had at his fingertips incontrovertible “evidence” that – had he disclosed it in a timely fashion – would have shut the whole thing down from the get-go.

    With (according to Schmidt) a comment drop containing the link to the server from which could be downloaded in hand – as of Nov. 17 – what really stopped him from contacting the appropriate authorities?!

    It would have stopped The Saint in her/his tracks, would it not?! Had Schmidt gone public before any emails were posted (Nov. 19) is it likely that any reputable skeptic would have touched them? I don’t think so.

    OTOH, by strange coincidence the Norfolk plod made much ado (in one or another of their three story-lines: News Release, Background Information, and “Abridged” transcript of Media Briefing Q & A ) of a “password” breaking exercise – as did Schmidt in his “reconstruction”,

    And the very best that Schmidt has ever been able to produce is, well, an ever-changing story!

    2. The plod wasted spent one hell-of-a-lot of time “questioning” approx 40 people who had filed FOI requests pertaining to UEA’s claim of non-disclosure agreements. Those who reported on their virtual interviews, via various blogs, all indicated that the questions they were asked were highly unlikely to yield answers that be “helpful” to the plod.

    In light of which it is (almost) amusing to note that in either the Q & A or Gregory’s interview with the Guardian‘s Hickman [I could go back and check if you insist!] there was a statement that implied that the skeptics would be unlikely to be helpful because they welcomed the result [of the – let’s face facts – plod-claimed non-UEA initiated “hack”]

    3. Add to the above the rather pointless and totally over the top use of “resources” in the seizure of Tallbloke’s computers a few weeks after CG2 – which anyone could have told them would have yielded zilch (and which is, in effect, what they found)

    Notwithstanding all of the above … if you think about it, “technically” they may well be correct. If I were in The Saint’s shoes, I think I would have chosen to do my deeds from the “outside” rather than from the inside – where I would run a significantly higher risk of discovery in the act(s) and/or leaving tracks that could be traced back to me!

    However, in their “screening exercises” the plod seem to have blinded themselves to this bleedingly obvious possibility!


  8. Pointman says:

    If this means, what I think it might mean, Sunday is going to be interesting.



  9. Pointman says:

    If Anthony is closing a site for two days, pulling everyone off comment moderation, cancelling his own holidays and forewarning all media outlets to check in at a precise time this coming Sunday – he’s got a big story. I think we might be looking at climategate 3.



  10. AJC says:

    As I commented long ago the IT at CRU appears, to this outsider, to have been not just amateur (in the strict sense) but also shambolic. The quality of this CRU IT support will have varied over the years but I recall mention of archives being placed for anonymous FTP for external contacts because it was easier to do it that way.

    I don’t go for a great white – even script kiddies may well have been able to walk right in after running a off the shelf scanner. Of course they had to discover UEA/CRU. Full IP range scans were quite normal during this period. How much of the IP range was exposed? Scripts hunting for FTP servers were quite normal.

    I go for an exposure of the mailboxes to unsophisticated hacker. Failing that an unhappy insider who had access to the e-mail and other archives effectively blowing the whistle in some way.

    As to the quality of the forensic examination – if we take Sommer’s joke e-mail analysis as a benchmark that too was amateur.


    • Mindert Eiting says:

      So it is: CRU was not the CIA. I’ve worked at a comparable institution. One day, after some malware attack, I have downloaded everything of my absent collegues on USB-sticks. They were grateful and had nothing to hide of course, but it was just childs-play.


  11. Sorry Pointman, you got carried away like me!

    “UPDATE: I’ve been advised by concerned friends that speculation on the nature of this announcement has gotten out of hand in the blogosphere, and that was not my intent. My intent was to give me time to work and something very important without the distraction of this blog, emails/twitter/facebook, etc.

    As many of you know, running WUWT is a monumental task which I could not do without the help of many people. Even so, it still requires my constant attention.

    First, I am well. This isn’t a health issue for me or my family.

    Second, my announcement has nothing to do with FOIA issues or other sorts of political or social theories being bandied about on other blogs.

    It does however have something to do with one of my many projects, and it has important implications that I’m sure everyone will want to know about.

    I greatly appreciate all the concern and interest, and I look forward to being able to share all my work on Sunday. – Anthony”


  12. Pointman says:

    Flash communication from NORAD. Stand down from DEFCON 5 …



    • Pointman says:

      According to the Bishop, Anthony has told him that the big announcement has nothing to do with Muller and therefore probably not the BEST project either.

      So, it isn’t CG3 or BEST, it arrived unscheduled, caused him to cancel a family holiday (not done lightly, kids will give him hell), requires his excusive attention and at a guess, the attention of all his moderation team. My guess is that it’s another zip file, containing a lot of leaked emails and/or documents that need to be gone through.



      • Mindert Eiting says:

        Hi Pointman,
        At NTZ Ed Caryl commented “He just shot Hansen et al out of the saddle”.


      • Pointman says:

        Yes, he did. They only problem is, you’d have to be a professional gunslinger to realise that’s what the paper means.



  13. John in France says:

    Thanks Pointman.

    Just got in late. I’ve been waiting for this all week. Will read it carefully tomorrow.

    Best, John


  14. Edward. says:

    End of the day P,

    The result is the same mucker – whether it be hacked or delivered. Thus, the question is somewhat moot, an academic though intriguing conundrum.
    The content to me, has always pointed to a release of relevant stuff – ie, they were chosen items but that is only an opinion of mine.
    Whatever actually the answer is, I am eternally grateful this release/hack happened. Darkness postponed, otherwise I think that the 2009 UN-IPCC agenda 21 Greenpeace/WWF world controlling wankfest beano in Copenhagen, it would have been the stitch-up – we all fought so hard to prevent.

    Therefore I say; Cheers and thank you – to whosoever it was. The right minded and free world owes you an inestimable debt of gratitude for which [unfortunately], you can never sufficiently be recompensed.

    P.S. Beethoven: Romance No 2. playing at the moment – a perfect tonic – Ed:-)


  15. Pointman says:

    Any article to do with climategate or FOIA, naturally produces a lot of speculation, and that’s always a lot of fun for everyone. However, this piece is really about the conclusion drawn at the end of the police investigation, that climategate was a hack. The approach I took, was classic scientific method, as Mindert noticed.

    The theory is that FOIA is a great white. I can’t prove that theory but I can see if it can be disproved. I decided to concentrate the article on just the area of footprints, to disprove it, which I think I did, at least to my own satisfaction. When the article got to a certain size, I ended it there but I could have gone on. Sighs of relief all around.

    There are other indicators that they didn’t really think it was a hack.

    For instance, why did the police only impound CRUBACK3, where the data came from, and leave CRUWEB8, the server the supposed break in was done on, in place at UEA? They only bagged half the forensic evidence. If you’re chasing a great white, you need it all and you need the original disks as well; copies just aren’t good enough.

    If they seriously believed FOIA was a hacker, what was the point of getting a search warrant and raiding Tallbloke’s place? No hacker, and especially not a great white, was ever going to leave a useful IP address there, which was what they said they were after.

    Just too many holes in the story



  16. Crispin in Waterloo says:

    I think the Berkeley temperature project is Anthony Watts’ big news. Given that they used his data and announced their conclusions long before completing the research it has the odour of mendacity.


  17. Aquix says:

    I’m sticking with my own theory on climategate and I think it was both a leak and a hack orchestrated by the same person. It’s not hard to imagine that someone wanted the public to have access to the emails after reading many of them, and seen how these people behave. Just need to read the one ‘Daly email’ to get a sense of their arrogance, herd-mentality, unsceptisism and dislike for the free and transparent scientific method. But the hack was needed because he/she/they knew they would create a storm and needed to protect themselves, a policy that is evident in the FOIA 2012 bomb still waiting to be detonated with just a password. Also the environmentalists had to believe it was a hack to avoid a total witch-hunt that a simple leak would bring. And last, the main reason. The police needed to have the server logs showing a breach to conclude that it indeed was a hack and not have to, unwillingly I’m sure, open a wider investigation into the whistleblower theory. If they can show that there has been a hack they can call it sophisticated and people will in large believe it. But I think the person performing the leak had considered all this and on his own or with help of another confidant collected all the material at the university into neat *.zip files, and having legit access to the servers would not raise any suspicion in the server logs. Then from outside the university did a crude hack into the university and downloaded the already packaged files. This could have been done from anywhere using proxy servers, maybe through an open wireless network with a laptop long since discarded. This is in my view the most plausible way a leaker could get the files out to the public causing as little trouble as possible. I, as we all, salute the leaker, and hope one day to shake his hand. Because if there is one thing we know about this/these person/s we don’t know anything else about, it’s that we’re not dealing with a dummy.


    • Graeme No.3 says:

      hro001 says:
      The plod wasted spent one hell-of-a-lot of time “questioning” approx 40 people who had filed FOI requests …. who reported on their virtual interviews, via various blogs, all indicated that the questions they were asked were highly unlikely to yield answers that be “helpful” to the plod.
      This bears out Pointman’s claim that the Police were only going through the motions.

      The 3 day delay in reporting the “loss” was obviously panic at CRU and other areas, while they assessed what was released, and what was not. Followed by efforts to remove any evidence from the servers before the police saw them. The thought of numerous policemen reading the remaining e-mails but not divulging the content, would have been intolerable (and an unacceptable risk) to the guilty.

      So the police were briefed, any useful evidence had been trashed, and the investigation a farce, and obviously so to the police. Interviews and Tallbloke raid were just “going through the motions”.

      Aquix.. who was most likely to be able to read those e-mails? And have enough computer knowledge to leave an anonymous trail? Obviously someone in the UEA IT Department, or less so, some very computer literate inmate of CRU. The only question is solo or duo? I agree with Pointman that duo is more likely, with the first more upset by the behaviour of Jones et al.

      Is there any idea of the transfer time necessary for the whole file? I suspect that the leak was going on for some time, and the selection of those e-mails for release being worked on simultaneously, right up until just before the actual release. Thus file copying (internally) would have appeared as normal activity on logs and attracted no attention. Possibly aided by Jones etc. wanting e-mails “deleted” but still accessible.


  18. Graeme No.3 says:

    There is one possibility that you may have overlooked.

    You have assumed that there were 3 sorts of people.
    1. Those who hadn’t heard of UEA or the CRU, or agreed with the IPCC, and had no reason to hack.
    2. Sceptics who had heard of CRU, and suspected goings on, but probably lacked the skill to hack the servers.
    3. Great whites who could hack in, but had no reason to do so.

    But what if someone kept a great white (or 2) as a pet? Suppose a Country that was not keen on Global Warming, and wasn’t looking forward to Copenhagen where they could expect a battering, directed their sharks to have a fish (no pun intended) around the CRU site to see if they could generate some adverse publicity and derail any agreement from Copenhagen?

    I’m not saying it happened, especially as FOIA comes across as someone upset for the reasons he/she outlines in 2011. But hardly a sceptic (in 2009) as tried to get BBC and Real Climate interested in e-mails. But older and wiser now.

    Almost certainly 2 involved now, if not before. Second person has password(s) and orders to publish if anything happens to FOIA. Suggests that someone has an idea who it was, and put some pressure on, but was rebuffed.

    Would like to have been the proverbial fly when e-mails were released. Panic in all directions, and no idea how much was taken. A quick evaluation suggested that they could bluff their way out. Gathering of troops to “rebut”. Monbiot went rather quickly from “unacceptable science” to “illegal invasion of privacy” and “just doing their job” didn’t he? The 2011 release must have shaken them even more, with it now obvious that all e-mails were gathered, and perhaps that’s why orders went to Norfolk police to wind up investigation.

    But what if a great white had been there, on orders, and there are now 2 copies of the bombshell in existence?


  19. w.w.wygart says:

    Thanks for the analysis Pointman. Very well done. I don’t have the skills to knowledgeably agree or disagree with it, but I do agree with you when you surmise at the end that ‘as a story’ there are, “Just too many holes in the story.”

    We may never know what really happened unless FOIA decides to tell us; however, the situation over all seems very much like the one that the climate skeptic community was in prior to ClimateGate One. A strong hunch that ‘something’ was very wrong, a lot of [what turned out to be] very good analysis, a lot of noise and useless bickering and nobody realizing that ‘the shoe’ would eventually drop that confirmed most of our worst thoughts on the subject. So maybe we should call FOIA “The Cobbler”.



  20. Jim says:

    My twopenneth – Someone on the inside has to be involved. Someone has to know what is in the servers, what was incriminating, and where to find it. Whether they then ‘hacked’ in themselves to make it look like an outside job, or got someone to do it for them is open to conjecture. I go for the former – it would be a very dangerous thing to try and find a trustworthy accomplice who was computer literate enough to be able to do the hack, if you yourself were not skilled enough in IT to do it yourself. The leak is a career (and pension) ending act, probably doing time if caught. Not something you are going to hawk around students from the IT dept. Too many people would get to hear of it, too many chances of someone blabbing.

    Which means the leaker was IT literate themselves. Which counts out the actual climate scientists – they couldn’t program a spreadsheet macro, let alone hack into a server and cover their tracks suitably. My guess is it was some computer geek brought in to either tidy up some IT issues, and was shocked by what he was seeing, or someone who was tasked with getting all the relevant emails ready for FOIA requests, which he then discovered were being denied anyway, with claims UEA no longer had the emails being requested. The blatant lying by UEA created the righteous anger in ‘FOIA’ to release the emails that they were claiming they didn’t have.

    My guess is that UEA and the police have a very good idea who was responsible, or have narrowed it down to a fairly small list of possibles. But the last thing UEA want is a prosecution. ‘FOIA’ would immediately claim whistleblower status, which given UEA have technically committed offences under the FOI Act (although out of time for prosecution), would stand a good likelihood of standing up in court. All that dirty linen would be aired in public, on the record. All the people involved would have to give evidence under oath, with the risk of perjuring themselves if they were economical with the truth. That is the last thing UEA (or the government) want. Plus there is all the unreleased material, which may contain even more embarrassing revelations. So the conclusion of the investigation was always going to be ‘An outside hack by person(s) unknown’. No other conclusion was ever going to be reached, whatever the reality.


  21. Martin A says:

    Hello –

    Steve McIntyre seems to need help in getting UEA to respond properly to an FOI request for data on the recently returned server. He seems to be getting plenty of helpfully-intended postings but none that relly solve the problem.

    May I politely suggest, Pointman, either contacting him directly to help or putting someone with the needed expertise and motivation in touch with him.


    • Pointman says:

      Hello & Welcome Martin. I’ve read over the CA thread and the advice Steve is getting, is by and largely sound. Eudora is a very configurable piece of email software which has been around for ages. Without knowing exactly how it was configured, it’s impossible to say where the missing attachments were actually stored, in terms of a specific folder.

      However, UEA are of course playing the usual obstructionist games. There’s simply no need to restrict the search to a few best guess folders, when the whole disk can be searched. Yes, there might be a small technical problem with regard to the specific filename an attachment is stored under, but it’s solveable. After all, Eudora itself can retrieve attachments.

      Unfortunately my comments at CA seem to black hole from about a couple of months ago, so I’d be obliged if you can cut and paste this as a comment there. Hope it helps.



  22. Really appreciate you sharing this article post.Really thank you! Awesome.


Check out what others are saying...
  1. […] So, was climategate a hack after all? « Pointman's Go to this article […]


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: