[cite as: F. Bi. 2009. What we know about the CRU attacker, part deux. Intl. J. Inact., 2:100]
An update on the attacker who stole and uploaded private e-mails from the Climatic Research Unit (CRU) of UEA. Gavin at RealClimate has answered my query about the attacker’s initial attempt to upload the e-mails to the RealClimate site:
Can you reveal more about the attempt to upload the file to RealClimate? Did the cracker crack into realclimate.org too, or is there already a publicized feature on realclimate.org allowing third parties to upload data? Where did the upload come from? etc.
[Response: I was wondering when someone would ask. It was a hack into our server around 6am Tuesday. The IP address was from a computer in Turkey. – gavin]
So we know that
- the RealClimate upload attempt came from a machine in Turkey (!!!!!); and
- the attacker had access to the e-mails and files of an entire department.
At this point it should be clear that the attacker is most likely not just a “whistleblower” from the inside who logged in and out the usual way — and even if he’s an insider who doesn’t happen to be a cracker, he’ll have to be a pretty security-savvy insider with rather broad computing powers and privileges, such as a system administrator. And insider or not, he definitely tried to crack into another web site — the RealClimate site.
So what else can we find out about the CRU attacker? Where do we go from here? Good question…