back to article Climate change hackers leave breadcrumb trail

The hackers who leaked more than 1,000 emails from one of the top climate research centers may have used an open proxy to cover their tracks, but that doesn't mean authorities can't figure out who they are. Rob Graham, CEO of penetration testing firm Errata Security, said his analysis suggests that the hackers used three open …


This topic is closed for new posts.
  1. Matthew 4


    If they had any sense they would have sent it using some poor fool's unsecure wifi :)

  2. Scott 19

    Real Climate

    If you want to see them trying to explain this try Real Climate, it makes us Commenters here at El Reg look like a bunch of amateurs.

  3. Steven Jones

    Prime Suspect

    What's the odds on the trail finally leading back to Lewis?

    nb. a lesson for any would-be hackers, whistleblowers, terrorists or anybody else who wants to hide their identity online. The anonymity is only as secure as that of the intermediaries. Now if I was a secret government agency, I might consider seeding the Internet with anonymising proxies and other gateways. Or perhaps they alread have...

  4. bmo

    You can't find me...

    I'm behind 7 Boxxies.

    Yeah, thought so.

    I'll get me coat.



  5. Anonymous Coward

    If these guys are some of the best...

    Then I for one don't want to see how the bad end of the field does things.

    Reading through the README file that one poor researcher apparently wrote as he detailed his efforts to try to get their flagship research suite working, it would appear that these guys are some of the most abysmally organised spaghetti coders that you could ever hope to avoid working for.

    The flagship system seems to be not so much a working whole as a collection of vaguely working, mostly bug-ridden garbage spread out over several different user accounts, where the sparse documentation that does exist is mostly either part-missing, inaccurate or just plain wrong. The README seems to date from a time when the centre had lost their main researcher, and after a period of time had re-vamped their computing cluster and replaced whatever they had before with Sun kit. Sun compilers would seem to be fussier than what they had before, since the researcher seems to spend much time cleaning up old code to make it compile on the Sun kit.

    Normally in these sorts of situations, where one person is taking over from another you'd expect a handover period to be written into a contract, or at the very least a way for the new guy to talk to the old guy subsequently. This doesn't appear to be the case here; there is no evidence of contact and a heck of a lot of whinging, sarcasm and snide remarks from our anonymous researcher about the coding and organisational skills of the previous guy.

    All in all, I wouldn't trust a damn thing the CRU says from now on, without a full code audit by a trusted third party including re-running selected bits of their experiments on third party machines. This is the only way to be even vaguely certain that this "Del boy Trotter & Co." research outfit is getting even vaguely close to the truth (They're not intentionally lying in the research computing; its just that their code, databases, back-up policy and general organisation is so dire that it cannot be trusted at all).

    1. loopy lou

      Sadly, you're spot on

      These guys are in the hot seat now because people actually care about their results. Most bits of science are not like that, and software support is hopelessly underfunded across the board, even when the science depends on it. An application rarely has more than one developer at a time, often just a phd student, and quality control is typically nonexistent. Data analysis is even done in Excel. It is just depressing. So yes, software-dependent results in science should be treated with extreme caution.


      "For every successful simulation of global climate, there were a dozen or more groups struggling just to get their program to run."

  6. Anonymous Coward
    Anonymous Coward


    If there is a police investigation going on, I wouldn't have thought that Climate Audit would have an option to not give up the source of illigally obtained information, regardless of if they like CRU or not.

  7. Anonymous Coward
    Thumb Down

    I guess CRU are mostly pissed... the documents may show up the anthropogenic global warming myth they have helped create. And yes, it is a myth. 100% pure, unadulterated cods-wallop. Time and again we have seen stories about how the data has been "corrected" to prove the myth and how the models bare little-to-no semblance to reality etc.

    There's loads of good reasons to recycle, reuse, pollute less etc; global warming ain't one of them. Although global warming is a good excuse to raise taxes so politicians can claim more on expenses.

    Global warming is also, of course, a good way to keep the grants rolling in; that's why very few scientists will speak out against the group-think, there's no money in it.

    1. Baying Lynch Mob


      `Global warming is also, of course, a good way to keep the grants rolling in;'

      If you think scientists are in it for the research grants, then I strongly suspect you're not a scientist who's doing any research. If you wanted to make a profit, you'd go into a different career.

      `that's why very few scientists will speak out against the group-think, there's no money in it.'

      No, the reason scientists don't speak against it is because they agree with it. On the other hand, if you're a denialist lobby group, you can get money from eg. Exxon:

    2. Anonymous Coward
      Anonymous Coward


      >as the documents may show up the anthropogenic global warming myth they have helped create.

      Oh dear, you haven't bothered to read them then? Most of it is dull internal stuff, but there's a clear consensus in there that climate change is definitely at least 90% man made, and the only real argument is about how many of them want to up the official estimate to 95% or 99%

      >And yes, it is a myth. 100% pure,

      The same way that evolution and gravity are myths, yes. Sorry, but ignoring the evidence just makes most "skeptics" as credible as creationists. The world is demonstrably getting warmer, and there are only two sane explanations that fit - human accidental geo-engineering or that the Flying Spaghetti Monster is feeling cold.

      Cue flames from the skeptics (please don't bother, I used to be one of you until I was presented with a decent evidence based theory. I'm still waiting for one of those from the skeptics, but you've had all the candidates demolished recently)

  8. Anonymous Coward


    That blog post basically boils down to a timeline of events and "I Googled an IP address". Well done!

    If the attacker was really dumb enough to rely on an open proxy then he deserves to get caught. Personally if I was using an open proxy for that, I'd be using it to cover the IP address of the open WiFi connection I borrowed, and if I knew what I was doing, the zombie PC(s) I was controlling.

    And I don't know what I'm doing, so I'll end with a quote for our (soon not to be?) anonymous hacker: "your either incredibly smart, or incredibly stupid"

    Beer... because it's almost 9.

  9. cirby



    Climate Audit posted the info right after the CRU folks mentioned it.

  10. Carter Cole

    my server doesnt save all the request headers

    yea i dont think that header was saved and like the others said if all they used was a proxy shame on them they could sit outside a house and use that wifi

  11. Anonymous Coward

    @Baying Lynch Mob

    I don't think that it is as simple as "If you wanted to make a profit, you'd go into a different career."

    Generally, people in academia are comfortable with the lifestyle. Many of them would be happy to stay where they are, with the odd bump up the ladder every few years. The only problem is that there is this pesky thing of finding the money to keep your department open, and paying for your research and staff.

    Finding funding is not a matter of getting rich. It's maintaining the lifestyle in a reducing pool of resources that is becoming more competitive. If putting the odd 'climate change' reference in research proposals is more likely to get the grant approved, many of the proposers may choose to do it rather than loosing their funding and their post.

    And if you have a track record of producing research that appears to back up the current accepted thinking, then it is again likely that your project will be funded. Conversely, if your research appears to counter accepted wisdom, it is easy to silence by not funding it. No funding, no research, no papers, no reputation.

    We have a political element in all of the science funding mechanisms, especially in the UK where more research is funded by government or their agencies than business.

    1. John Square

      Spot on.

      Half my family are involved in academia, either as doctorate candidates, lecturers or at a management level. My wider family includes a couple of PhD's and a research scientist.

      From extensive conversations with all of them, I concur entirely with your view.

      The money is in the easily applied "sciences": Ed Psych has masses of competition for PhD places, and plenty of money for research, especially if it's the kind of thing that applies to misbehaving middle class kids.

      You want to study the breeding habits of lugworms? Sorry boss... no cash for that... Unless, of course... Is there an environmental aspect to the work?

    2. Baying Lynch Mob
      Black Helicopters

      @AC 16:41

      I agree that it's "not as simple as that" - the grants go to the department, not scientists' pockets, and there are currently investments going into it for political reasons. But there are also significant commercial interests in promoting the "nothing to worry about, keep consuming our energy" line, while there aren't so many people who stand to gain from us all using *less* energy. (Except for the global cabal of loft insulators.)

      ``If putting the odd 'climate change' reference in research proposals is more likely to get the grant approved, many of the proposers may choose to do it rather than loosing their funding and their post.''

      "putting the odd 'climate change' reference" in a proposal does not indicate allegiance to either side of the debate. There's nothing to stop a sceptic from using the grant to fund research and, as a result, finding that sitting on our collective arses is the right course of action - the fact that there aren't any papers to that effect (that haven't been shown to be full of holes) might just be to do with there being no science behind that position.

      1. mlorrey


        Grants don't always go to the department, and theres a lot of ways to work the system, esp if the researcher writes his own grant proposals. For instance, equipment bought for one study is often sold off by the researcher afterwards. I've seen one researcher sell used equipment to another researcher for half retail and they split the profits. Then theres the stuff they keep for personal use thats always nice. I know one fellow who got a fishing cabin and all his camping equipment he'll ever need off of one expedition grant.

        As for BYM's claim a skeptic can put 'climate change' into a proposal as easily as an alarmist, the problem is that trick only works once, and good luck getting published when, as we see in the Climategate emails, the big players are intentionally blackballing any researcher or journal that doesnt stick to the party line.

        That excuse that skeptics need to get published to get taken seriously doesnt work any more, we now know for sure that the so-called 'peer reviewed literature' is rigged. You need to accept the fact that the only people who are going to trust climate scientists now are the fanatical tree hugging gaia cultists who cannot be confused by the facts.

  12. Anonymous Coward

    Well yes, acutally.

    "The same way that evolution and gravity are myths, yes."

    the model != the phenomena

    "Gravity" and "Evolution" are just names we give to the current crop of explanations that best explain the observable aspects of those phenomena.

    1. Glen 1

      easy fix

      >"The same way that evolution and gravity are myths, yes."

      >the model != the phenomena

      easy fix -

      replace "evolution" and "gravity" with "biology" and "physics" respectively.

  13. Mike VandeVelde

    a rose is still a rose

    ""Gravity" and "Evolution" are just names we give to the current crop of explanations that best explain the observable aspects of those phenomena."

    What the fungus was that??

    Anonymous Coward is just the name we give to the source of the comment that apparently was logged at 16:41 GMT which leads me to observe my best observation yet - I have an explainably phenomenal urge to stab you in the face, explanations notwithstanding.

    Wait, what?

    "Time and motion are just illusions created by your inability to perceive everything at once."

    Ah, that's better.

  14. Joshua 1


    I would have thought more effort would be going into investigating the fraud and nefarious practices being used by these researchers to secure their grant money instead of 'pin-the-tail-on-the-whistleblower' .. the 'hack' and publishing of those documents and emails was quite an eyeopener into these screwballs.

  15. Dan 10

    Just like UK gov

    In the true spirit of a government department, never mind that the truth has been exposed, or that we were lying to people in the first place, or that the whole debacle casts doubt on how we continue to get funding, or that most of the world has been taken in by this hypothetical nonsense without sufficient research or data models - NO! All we are bothered about is finding out which of our staff betrayed us by revealing the truth!

  16. Anonymous Coward
    Anonymous Coward


    Fail - they did not use the required six proxies! Unless they did, in which case, win!

    Still can't support hacking, although it has turned up some very interesting underhand tactics.

    Although, is it invasion of privacy or whistle blowing in this case? It's different to the whole nazi thing (where the guy goes around and expresses his views as abhorent or insane as they may be) in this case we have people willfully and intentionally manipulating everyone and everything around a debate.

    But then how difference is it to Government, Campaign groups and Media outlets sitting on the facts about drugs and instead publishing nonsense and one offs. This follows for most things where there are pressure groups (child protection, "drugs use", extreme porn, people trafficing, ID, communication intercept, file sharing, etc, etc, etc) the tactics these guys are using are more or less the same as all the rest, it just seems they're a bit more effective, probably becouse they know that the wind is behind them at the moment.

  17. Mike Cardwell

    Good luck

    "Assuming ClimateAudit admins log the "X-Forwarded-For:" header, the hacker's identity may already be known."

    That's a massive assumption to make. I doubt even 0.01% of websites out there log the X-Forwarded-For request header. They're using Apache, and I know for a fact that Apache doesn't do that by default. So unless they've made some unusual changes to their server config, or the application it's self logs the information, they wont have it.

    If you're going to do stuff like this, forget open proxies, use - It's safer.

  18. Pete "oranges" B.

    Free Your Mind

    That "fungus" was an attempt to demonstrate the inherent incompatibility of science and government.

    Governments deal in absolutes: justice, morality, human rights, etc. (or at least present themselves as if they do, and that such a thing is possible).

    Science, on the other hand, is always changing; It is never absolutely "right" nor is it ever absolutely "wrong," it is an open and agile system designed to provide the most comprehensive understanding of reality possible at any given moment.

    So, when government goes to science and asks of it "what is right, that we may enshrine it forever and ever in codes of law," they get what was considered most likely to be right at whatever moment they happened to be asking. What they just turned into legislation may be radically different a few hours later, but who gives a flying fish, it gives people something to believe in.

    Sort a blind men and an elephant scenario, if you catch my drift. Unless it isn't, in which case you shouldn't. Or possibly not.

  19. 100113.1537
    Black Helicopters

    Academic incentive

    "adding global warming to your grant application" is one thing - getting in the region of 16 million in grants over a 10 year period (as revealed in one of the leaked/hacked files) is something else altogether!

    For UEA the CRU was a gold mine - bringing in that kind of research funds means they shoot up the ranks of UK research universities and get lots of other funds (block grants pro-rated to research grants). While the staff researchers don't necessarily get a higher salary, they get a lot of extra support and kudos within the organization.

    So, what starts out as a good idea, gets big grant money, then gets hard to replicate ('cos the original code was cobbled together by non-programmers, PhD students etc.) - suddenly you have an incentive to "lean on the scales" a little. Then someone starts asking hard questions and you start to get defensive....

    In the end, it is the cover-up which always gets caught out - leak or hack, sooner or later this information was always going to come out and now we can claim all sorts of conspiracies. The sad fact is that these scientists are themselves really being used by groups who stand to make real money out of global warming - the politicians, bankers and major companies that are busily pushing for taxes on energy regardless of whether there will be any impact on the weather.

    In the immortal words of "deepthroat" - follow the money!

  20. copsewood

    who do you trust more ?

    Various comments on this thread tend to assume that the individual or group which hacked into the CRU system and leaked data didn't insert anything of their own or carry out any modifications of this data. If asked whether to trust a group of climate scientists operating in a typically shambolic research environment (I've provided IT support in a few) or those who illegally hack their systems (based on undisclosed funding and agenda) it's fairly obvious which group I'd trust first and which second.

This topic is closed for new posts.

Other stories you might like