RealClimate's take on the year
Gavin Schmidt has posted up his take on the past year. It's pretty much as one might have predicted, but this comment and response from Lucia was interesting.
LUCIA: Gavin– My visitors always ask and I can’t answer: Was the break-in to the Wordpress Admin area only? Or did they hack onto the hosted account on the server?
GAVIN: They used something to directly access the backend mySQL database (to export the password/user details to file prior to erasing them in the database) and to monitor logins to the ssh account. Neither of these things are standard Wordpress functions. I conclude therefore they must have hacked both, though the actual entry point is obscure. - gavin
Reader Comments (41)
http://notrickszone.com/2010/11/20/climate-models-not-worth-the-paper-theyre-printed-on/
12 months makes a lot of difference to some!
Bad post. I hate going to RC and being subjected to all those unctuous articles and even more unctuous comments.
Two words - dynamic sql - big problems.
They probably had a blank SA (system admin) account password or worse the SA account password was "SA" or "password". Gary McKinnon compromised NASA workstations because they had blank administrator account passwords.
Culpability if this is the case is just as much with the owners of the hacked system as with the hackers, look at what happened to the recent hacking of the law firm that was making profits from alleged P2P downloading of movies when you P off people with more technical knowledge than you possess; same for climategate.
SQL back-end, Web front-end - generally bad news. Unless they take extreme care, an SQL injection attack will reveal much more than intended.
That is: in a web form field you include SQL code that can be executed. This has been done thousands of times.
e.g. "select username, password from users"
Wikipedia explains sql injection here: http://en.wikipedia.org/wiki/SQL_injection
Although now the wiki page has been mentioned in a climate related blog I expect Connolley will be busy changing the page so that CO2 is blamed for the code injection ;)
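As an added illustration of the "dynamic sql" problem the comments above describe (example code written for this page, not from WordPress or RealClimate), here is the same users lookup built once by string concatenation and once by parameter binding, run against a constructed in-memory sqlite3 table that stands in for a MySQL backend:

```python
import sqlite3

# Constructed sample rows standing in for a blog's users table (placeholder names, not real data).
SAMPLE_USERS = [("admin_placeholder", "hash_one"), ("editor_placeholder", "hash_two")]


def make_db():
    """Build the throwaway users table the two lookups run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_dynamic(conn, username):
    """Vulnerable: the web form value is pasted straight into the SQL text."""
    sql = "SELECT username, password FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """Hardened: the driver binds the value, so it can never become SQL syntax."""
    sql = "SELECT username, password FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Count the rows each variant returns for a normal and a hostile form value."""
    conn = make_db()
    benign = "admin_placeholder"
    hostile = "x' OR '1'='1"  # constructed test input; the textbook tautology string
    return {
        "dynamic_benign": len(lookup_dynamic(conn, benign)),
        "dynamic_hostile": len(lookup_dynamic(conn, hostile)),  # whole table leaks
        "param_benign": len(lookup_parameterised(conn, benign)),
        "param_hostile": len(lookup_parameterised(conn, hostile)),  # no match, no leak
    }


if __name__ == "__main__":
    print(demo())
```

The dynamic variant hands back every row for the hostile value, which is exactly the "export the password/user details" outcome Gavin describes; the bound-parameter variant returns nothing because the string is compared as data, not parsed as SQL.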
I'm reminded of Feynman and his lock-picking.
=================
Heh, it is a nice thread at RC. Balasz has it around #30, and Isotopious is cutting close to Gavin's bone.
=====================
Interesting.
Gavin says:
This is pure propaganda. Literally a dozen of my posts went swirling down the hole at the time. Realclimate is deleting comments *now*, as we speak.
Rewriting history must be hard work indeed.
It's pretty easy to prevent that from happening if you know anything about security p.
You have to ask why they're still trying to sell the 'hack idea' despite the police finding no evidence; after all, it makes no difference to the contents and their implications how these e-mails got out.
Is it just a case of them not being able to face up to the idea of it being an insider, or are they still hanging on to the hope that they can discredit the contents by claiming 'hack'?
Still, I do hope GAVIN has put his 'evidence' proving it was a hack forward to the police, as perverting the course of justice is a crime.
This must narrow it down but equally makes it possibly more likely than not that this was an inside job. Who at CRU had site admin privileges for realclimate?
As for Wordpress, I very strongly doubt that there is an open SQL injection vulnerability: it's a massively widely used and open source blog platform - someone would have encountered this and raised a bug.
I read the response comments down to around 25 and not one comment was critical of Gavin or RC. The moderator must get paid extra to delete all those other comments.
I haven't been to RC on this thread but the description quoted here sounds an awful lot like "I don't have a clue but I'm going to throw a bunch of stuff up there that doesn't point at me being sloppy."
Try looking here
This lists some of the security vulnerabilities in wordpress (there are many more). More are being found continually and some remain unpatched for relatively long periods of time.
TerryS
Ouch. I have (very) recently become (very) concerned about the apparently multitudinous security vulnerabilities of blogs.
The Bish is to be complimented on his choice of host (no pun intended; too awful).
Unlike Wordpress, as RC and others have discovered, SquareSpace is apparently regarded as pretty watertight. Which is encouraging.
Anyone involved in IT security will tell you that most successful hacks are inside jobs or someone who left with the passwords. After that it is misconfiguration, followed by a failure to patch.
Like Philip B above, I can't stay long in RC's comments without risking losing the contents of my stomach (we're told they set this up for PR, apparently), but this is just jaw-hangingly delusional:
Gavin says: (Comment 31)
"...If you mean the mainstream IPCC view (i.e. most of the warming in recent decades is due to ghgs - and I note this is not a theory, but rather a result)."
Result? He's discussing the output of ClimateGate here - with the likes of Ed 'we know we know [snip]-all' Cook and Kevin 'where's the warming' Trenberth.
Give me strength.
There was a climatologist from NASA
Who could argue in terms post-Kafka
He hid the decline
Upheld the team's line
Endlessly reciting the old mantra
Slightly OT Andrew. I watched the Swedish video about AGW on Steve M's site and at one point they asked Gavin about the email in which Jones described MM05 as "garbage". Gavin looked straight at the camera and said "It is garbage". MM05 to any independent statistician is not "garbage" and anybody describing it in that way forfeits the right to call himself a scientist. The comment says all you need to know about Gavin.
Elmer bit and Elmer had a look at RC. Now Elmer feels pure manky, by the way.
There was a climatologist from Penn State
who studied tree rings and their growth rate
he found quite a few
which grew fast with CO2
but none after 1960, hence climategate.
"Gavin says: (Comment 31) '...If you mean the mainstream IPCC view (i.e. most of the warming in recent decades is due to ghgs - and I note this is not a theory, but rather a result).' "
Yes, a result of running Wank-O-Matic climate models. [Garbage in] => [Garbage out]³
Reminds me of Little Bobby Tables
http://xkcd.com/327/
Well, my theory is still that Tamino unwittingly provided the gateway into the Team circle that eventually led to Climategate - and very likely the break-in to the RC server. He was using a Hotmail account for his emails which (apparently) is notoriously easy to crack. All it would have taken is for someone to quietly snoop on his exchanges for a few months and the cat would be very much out of the bag. He also went offline for a few weeks with a mysterious double hand injury just before Climategate broke into the public domain.
I've given my opinion over at Lucia's, and I'll repeat it here. Anyone who knows a reasonable amount about the subject will conclude the attacks' most likely vector was social engineering. It's not certain, but it is almost overwhelmingly likely. Any half-competent social engineer - phisher, if you're not aware of the term - could have duped the CRU crew into revealing all the necessary information to log in as admin on any system they had the details for.
Occam's razor strongly favours this explanation, since it explains everything in one go, and is extremely simple. All the other vectors require multiple hacks - vanishingly unlikely, in the real world, since hacking in the Hollywood sense is basically non-existent - or multiple server misconfigurations by multiple sysadmins on different networks.
Isotopious persists with an excellent stretch run, but manacker closes with comment #100. Don't miss the finish.
==================
How much RC work is on NASA time I wonder? Is it approved, tacitly or otherwise, or does Gavin wait until he gets home..?
Oh, that's been asked before, James P.
'Your tax dollars at work'...
I wonder if you have paid any attention to this, from Phil Jones
Look at the camirror website thread where Jeff ID reports bizarre emails from Gavin during this period. (here
Patchy's doing an anniversary piece too
http://www.guardian.co.uk/environment/2010/nov/19/un-climate-rajendra-pachauri-regret
Quote Nov 2009
"IPCC studies only peer-review science. Let someone publish the data in a decent credible publication. I am sure IPCC would then accept it, otherwise we can just throw it into the dustbin."
Quote Nov 2010
He also defended the use of reports by advocacy organisations and official agencies, especially in developing countries which may not have funding for scientific expeditions.
That's ok then.
"IPCC studies only peer-review science"
So how did the other stuff get in?
Yeah, I know, it was a long document, and they didn't have the time/money/IQ/biscuits to check it...
@TerryS
Your link is interesting.
Try this
http://www.securiteam.com/unixfocus/6N00D0AKKM.html
WordPress Charset SQL Injection Vulnerability
Executing this attack alone results in exposure of all database content on web interface without need of authentication. However, if combined with other exploits (such as cookie authentication vulnerability in http://www.cl.cam.ac.uk/~sjm217/advisories/wordpress-cookie-auth.txt), any remote user can obtain WordPress admin privilege, resulting in server compromise.
"Locks are to keep honest people honest"
Just a thought. And, BTW Gavin - I'd be real interested in seeing some logs showing said SQL injection attack. If in fact it occurred.
PS: Am I supposed to be surprised that the UEA is running old, unpatched software?
My frank take is that Gavin is lying about his hack.
I agree with hunter. He's not savvy enough to realize the injection vector but more than enough to have noticed the intrusion in the first place? Even a 2nd rate data security company would have identified the injection vector or vectors, addressed them with their customer (Gavin) in full and included full documentation for the exploit and their counter along with the bill. It's all part and parcel of the data security service itself and as far as I know personally, been that way since 1989. The only way to NOT have such is in its never having occurred.
Hottest year ever?
In conclusion to that post he says ..
"In the meantime we’ve had one of the hottest years on record"
Is it, it certainly hasn't felt like it and I know the UK and the USA had unusually cold spells at the
start of the year.
Does anyone have a link to an 'honest' assessment?
Thanks,
Nial.
"... though the actual entry point is obscure. - gavin"
The actual entry point was probably the Administrative passwords that these geniuses shared among themselves by e-mail!!!
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA