December 8, 2009
Leaked or Hacked? The CRU Files Tell the Story
[Editor's note: The notations cited below as “./(dir-name)” refer to the particular subdirectory “dir-name” in the CRU files that were recently released on the Internet. “./(dir-name)” is command-line path notation in Unix and DOS, meaning the named directory beneath the current one.]
From day one of ClimateGate there has been conflict over how to frame the release: an illegal hack, or a protected leak by a whistleblower.
Many have commented that the incident has the signature of a leak. A network administrator, Lance Levsen, has conducted an analysis of the two main subdirectories of ./FOIA.
Regarding the highly ordered ./mail subdirectory, the author concludes that a hacker:
[Would] have to have access to the gateway mail server and/or the Administration file server where the emails were archived. This machine would most likely be an Administrative file server. It would not be optimal for an Administrator to clutter up a production server open to the Internet with sensitive archives.
Not being connected to the internet, access to an Administrative file server is only available to insiders.
Regarding the disorganized ./documents subdirectory, the author concludes:
I suggest that the contents of ./documents didn't originate from a single monolithic share, but from a compendium of various sources.
For the hacker to have collected all of this information s/he would have required extraordinary capabilities. The hacker would have to crack an Administrative file server to get to the emails and crack numerous workstations, desktops, and servers to get the documents. The hacker would have to map the complete UEA network to find out who was at what station and what services that station offered. S/he would have had to develop or implement exploits for each machine and operating system without knowing beforehand whether there was anything good on the machine worth collecting.
The analysis makes the case that the ./mail files were accumulated from archive files located on a UEA mail server, as opposed to a CRU departmental mail server. It further argues that the ./documents files are a collection of selectively copied files, some of which reference other files of interest that are curiously missing. Such selectivity is what one would expect in response to a contentious FOIA request. And since a) the FOIA officer involved operated at the UEA level, not the departmental level, and b) the contents of the ./mail directory appear to have been built from a UEA server, the author suggests that the ./FOIA file was most likely available to people on campus outside the CRU.
And since the broader UEA community is likely to include people less ethically challenged than CRU staff, access might have resulted in a leak.