Tallbloke, The Air Vent, Climate Audit

I’m always the last to know!!! Anyway, it seems likely while I was out shopping for Christmas knick-knacks, Tallbloke was raided, and his computers were seized. Meanwhile the U.S. Department of Justice seems to have sent a request to WordPress to preserve ‘all stored communications, records, and other evidence in your possession regarding the following domain name(s) pending further legal process: http://tallbloke.wordpress.com, http://noconsensus.wordpress.com, and http://climateaudit.org (“the Accounts”) from 00:01 GMT Monday 21 November 2011 to 23:59 GMT Wednesday 23 November 2011.’

Based on the dates, I’m guessing this has to do with the climate 2.0 release of email. I think all three blogs are hosted on WordPress.com. I suspect the police are scouring all comments, posts, images etc. stored in their respective database for clues for something that could lead to who might have been involved in the release of the climategate emails– but that’s a guess. I believe WUWT is also hosted on WordPress.com; I note they are not listed in the letter to WordPress.

Of course I’m speculating. Feel free to speculate too!

159 thoughts on “Tallbloke, The Air Vent, Climate Audit”

  1. dallas–
    I don’t know. But right now, I suspect FOIA will lay low. I’m looking at the letter the USDOJ sent WordPress.org. I suspect someone is trying to identify any identifying information or address associated with any possible upload or attempt to upload by FOIA.

    Let’s look at specific things they call out:

    1. The contents of any communication or file stored by or for the Accounts and any associated accounts, and any information associated with those communications or files, such as the source and destination email addresses or IP addresses

    It seems to me at a minimum, this would cover the information stored along with each comment posted to the blog. By default, with WP software, this includes IP, email as entered by the user, user name and the comment content. In my blog, comments stored in the database can have several statuses: approved, pending, spam, trash. WP will presumably have provided all of these falling in the date range stated.

    Articles in 1. must also include any blog posts Jeff or any co-author published or composed during the time periods requested. This will also include any auto-saved drafts of those posts. (WP does this…)

    If I have to guess, I’d say the comments are of greater interest than the posts.

    Next 2.

  2. Re Carrick (Comment #86663) on WSJ: Delingpole-Z Man Mann thread 5, Dec. 2911

    December 6th, 2011 at 12:10 am
    Max_OK:
    But I doubt the hacker is a CRU employee. An investigation of CRU staff should have come up with something by now.
    You’re assuming it’s in CRU’s interests to expose the “hacker”. (Again love the loaded language. It’s OK to use loaded words, when used in defense of the team no doubt.)
    __________

    If the police raid on Tallbloke is related to the climate 2.0 e-mail release, and it’s not in CRU’s interest to expose the hacker, CRU might be a little concerned.

  3. 2. All records and other information relating to the Accounts and any associated accounts
    including the following:
    a. Names (including subscriber names, user names, and screen names);
    b. Addresses (including mailing addresses, residential addresses, business addresses,
    and e-mail addresses);
    c. Local and long distance telephone connection records;
    d. Records of session times and durations, and the temporarily assigned network
    addresses (such as Internet Protocol (“IP”) addresses) associated with those
    sessions, including any log history of when username “FOIA” uploaded posts to
    the Accounts;

    e. Length of service (including start date) and types of service utilized;
    f. Telephone or instrument numbers (including MAC addresses);
    g. Other subscriber numbers or identities (including the registration Internet Protocol
    (“IP”) addresses); and
    h. Means and source of payment for such service (including any credit card or bank
    account number) and billing records.

    Items (2) seem to relate to who can access the administrative part of Jeff’s blog, how they can access it and how service is paid for. But, for example under (a) at my blog, Zeke, SteveF, PaulK, a few other people and I have something someone could call “subscriber names”, “user names”, and “screen names”. Anyone who’s written a guest post has one. These people have greater access to things than blog visitors. So I guess the FEDS want to know who they are. Item (h): they want to know if anyone pays for something. I’m scratching my head a little at which things are called out in a-h and which things I think they should call out aren’t called out. (For example: I would think they should ask for the level assigned to people who they just call “subscribers”. I’m admin and have greater superpowers. Other people are “author”. There are a few people who are currently “active” and people who have been authors who are not active. I wouldn’t think if the USDOJ wanted to know who the subscribers were, they would want to know these other things.)

    But I’m guessing: Mostly they are trying to figure out if a user called “FOIA” connected, when, how many times, using what IP and discover what email addresses s/he might have left.

  4. MaxOK

    it’s not in CRU’s interest to expose the hacker, CRU might be a little concerned.

    I know people like to discuss CRU and their interest as if CRU has one Borg mind and every single person at CRU has the same exact interest in exposure of whoever released the emails. But it may be that tracing who released the emails is in some people at CRU’s interest, against other people’s interest, and it doesn’t affect the interest of a third group of people.

  5. Re diogenes (Comment #86641)
    December 5th, 2011 at 6:06 pm on WSJ: Delingpole-Z Man Mann thread 5, Dec. 2911

    “good questions, Lucia…my take , also confirmed by Roger tallbloke, is that the police investigated and came to the conclusion that it was academic in-fighting ….”

    ____________
    Maybe the police were just stringing tallbloke along. The police can be tricky.

    Of course it’s possible tallbloke is being investigated for something unrelated to the CRU email hacking.

  6. The terminology issue would be a fun one to fight out in court, but probably would not succeed. Joomla, Drupal and other blog software use the same terminology – different meaning

    Yes FOIA is the target. But to be safe they will look at everything. Safe, as in “make sure it wasn’t Jeff ID, or Jeff’s buddy, slipping in under the commenter name FOIA”. Or that it is not one of the permissible contributors doing likewise.

  7. Which means that all of our email addresses are in the hands of the police along with our comments on these blogs. Isn’t that nice.

  8. lucia. that was a possibility brought up by Carrick. Of course, different people at CRU may have different interest.

  9. Max_OK, I dinna whether they should be too concerned. This latest phase of the “investigation” looks like a sloppy mess from what I can tell. Time will tell. Maybe you’ll get your person to throw fruit at.

  10. Max_OK–

    Of course it’s possible tallbloke is being investigated for something unrelated to the CRU email hacking.

    Sure, but it would be a mighty big coincidence that nearly simultaneously, the FEDs were asking Automattic (i.e. wordpress) for documents from three blogs, all from dates near the time when the climategate2.0 emails appeared.

    Kan–

    “make sure it wasn’t Jeff ID, or Jeff’s buddy, slipping in under the commenter name FOIA”. Or that it is not one of the permissible contributors doing likewise.

    That’s what I think.

    With regard to fighting the wording– I can’t imagine why WordPress would want to try. They have no dog in the fight, so I suspect they will just interpret this as “Send us everything relevant for the appropriate time periods”. “Send us everything about anyone who can log into the admin side” etc. I have no idea whether WP could ever possibly have recorded something like a MAC number, but if they can, I’m sure they will send that along.

  11. BarryW–

    Which means that all of our email addresses are in the hands of the police along with our comments on these blogs. Isn’t that nice.

    Not all. Note “from 00:01 GMT Monday 21 November 2011 to 23:59 GMT Wednesday 23 November 2011.” That’s two days.

    Of course my email is no secret. Here’s an older version of the forbidden page:
    http://rankexploits.com/forbidden.html

    ====
    Oh– I saw this at WUWT

    Strange and troubling that they’d seize his computers for comments dropped onto a US service (wordpress.com) from the cloud.

    Does anyone know how or why we know it’s a cloud. I was busy deskunking the house and getting ready for T-Day during the key climate2.0 period. So, I don’t know where the info to indicate it’s a cloud was posted.

  12. No they won’t fight. But an up-and-coming, making-a-name-for-myself lawyer could have fun with it if allowed.

    The MAC would only be available if WordPress kept some really low level system logs. They would not do this, because those things are usually HUGE. You only turn them on when you know the issue is happening right then and you don’t keep them around for long.

  13. Kan–
    It’s interesting you mention time.

    Out of curiosity, how long do you think WordPress keeps regular server logs? If I visit Dreamhost and look at my logs directory, right now I have zips of access logs back to 12-09. So, hypothetically, if the DOJ has served anyone with a freeze demand for my blog, on the date when the DOJ served WordPress, I’d only have that type of query log back to Friday the 4th. Say the 3rd if they are lucky in their timing. I don’t make a habit of downloading those and saving them. So, with respect to anything they hope to get from query logs, it seems to me they would be SOL.

    So that would mean they would have to get information from other places. If they wanted something from any particular commenter who got through — e.g. “FOIA.org” that would at most be the commenter email, IP, the comment and their name saved in the comment entry in the comments table. That’s very little. No user agent, no referrer. Those likely wouldn’t be very helpful, but I can’t help but imagine every bit of extra information is useful.

  14. Lucia raises a point worth discussing:

    I have no idea whether WP could ever possibly have recorded something like a MAC number, but if they can, I’m sure they will send that along.

    Unfortunately, the only response on the issue of MAC address is from Kan, who gets it wrong:

    The MAC would only be available if WordPress kept some really low level system logs. They would not do this, because those things are usually HUGE. You only turn them on when you know the issue is happening right then and you don’t keep them around for long.

    MAC addresses are for local networks. They are not transmitted with IP traffic (I trust nobody here is using IPv6). WordPress, as a company, has no access to your MAC address unless you physically plug your machine into their network, or their software pulls it off your machine and sends it to them. Obviously nobody does the former, and I can’t imagine any reason for the latter. Why would WordPress care about the MAC address of the people hosting blogs with their software (visitors could not have their MAC addresses found)?

    As a side note, logs of MAC addresses are kept, routinely. They’re just internal logs for traffic on the network itself.
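
To make Brandon’s point about where MAC addresses live concrete, here is an added example (not code from the thread, from WordPress or from anyone quoted here). It builds a constructed Ethernet II frame carrying an IPv4 packet, parses it, and simulates one router hop the way IP forwarding works: the link-layer header, and with it the sending host’s MAC, is stripped at the first router and replaced with the router’s own MAC and the next hop’s MAC, while the IP header (source IP, TTL, payload) is carried on. All MAC and IP addresses are constructed (locally administered MACs and documentation IP ranges), the IPv4 header checksum is left at zero, and the router model is deliberately minimal.

```python
import struct

ETHERTYPE_IPV4 = 0x0800


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_ipv4_packet(src_ip, dst_ip, payload: bytes, ttl: int = 64, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header followed by the payload. The header checksum is
    left at zero: this is a constructed packet for illustration, not one for a wire."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         bytes(src_ip), bytes(dst_ip))
    return header + payload


def build_frame(dst_mac: bytes, src_mac: bytes, ip_packet: bytes) -> bytes:
    """Ethernet II frame: 14-byte link-layer header, then the IP packet."""
    return struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_IPV4) + ip_packet


def parse_frame(frame: bytes) -> dict:
    """Split a frame into its link-layer addresses and the IP fields that matter here."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # header length in bytes
    ttl, proto, src_ip, dst_ip = struct.unpack("!BBxx4s4s", ip[8:20])
    return {
        "dst_mac": mac_str(dst_mac), "src_mac": mac_str(src_mac),
        "src_ip": ip_str(src_ip), "dst_ip": ip_str(dst_ip),
        "ttl": ttl, "proto": proto, "payload": ip[ihl:],
    }


def router_forward(frame: bytes, egress_mac: bytes, next_hop_mac: bytes) -> bytes:
    """One IP hop: the router discards the link-layer header it received, decrements
    TTL, and re-encapsulates with its own egress MAC as source and the next hop's MAC
    as destination. Nothing from the original link-layer header is carried forward.
    (A real router also recomputes the IP header checksum; omitted in this model.)"""
    ip = bytearray(frame[14:])
    ip[8] -= 1                                    # TTL lives at IP header byte 8
    return build_frame(next_hop_mac, egress_mac, bytes(ip))


def mac_survives(frame: bytes, mac: bytes) -> bool:
    """Does this 6-byte MAC appear anywhere in the frame's bytes?"""
    return mac in frame


# Constructed addresses: locally administered MACs, documentation IP ranges.
HOST_MAC  = bytes.fromhex("02aabbccddee")   # the blog reader's network card
GW_MAC    = bytes.fromhex("021111111111")   # reader's home router, LAN side
R1_EGRESS = bytes.fromhex("022222222222")   # that router's WAN side
ISP_MAC   = bytes.fromhex("023333333333")   # next hop at the ISP


def demo():
    """Return (frame as seen on the LAN, frame after one router hop, host MAC still present?)."""
    pkt = build_ipv4_packet((192, 0, 2, 10), (198, 51, 100, 20), b"GET / HTTP/1.1\r\n")
    on_lan = build_frame(GW_MAC, HOST_MAC, pkt)            # first segment: host -> gateway
    after_hop = router_forward(on_lan, R1_EGRESS, ISP_MAC)  # gateway -> ISP
    return parse_frame(on_lan), parse_frame(after_hop), mac_survives(after_hop, HOST_MAC)


if __name__ == "__main__":
    lan, wan, survives = demo()
    print("on LAN:      src MAC", lan["src_mac"], "src IP", lan["src_ip"], "TTL", lan["ttl"])
    print("after 1 hop: src MAC", wan["src_mac"], "src IP", wan["src_ip"], "TTL", wan["ttl"])
    print("host MAC present after hop:", survives)
```

Run it and the second line shows the router’s WAN-side MAC as the frame source while the source IP is unchanged; the host’s MAC is not in the forwarded frame at all. That is why a hosting provider several hops away only ever sees the MAC of the last device on its own segment, exactly the internal-device MACs Kan describes, and never a visitor’s.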

  15. Perhaps they avoided WUWT because the traffic is too big to make it practical. Is it possible WordPress has records of not just postings, but page views as well? From that, looking at TallBloke, and The Air Vent, and climate-skeptic, they should be able to find common viewers.

  16. MikeN–
    I don’t think it would be impractical to ask WP to freeze all logs for 2 days of traffic at WUWT. Whatever WordPress has, they can freeze. I doubt if the goal is to find “common viewers”. I think the goal is to find a specific one at all. That’s “FOIA.org”.

  17. lucia (Comment #87242)

    I doubt if the goal is to find “common viewers”. I think the goal is to find a specific one at all. That’s “FOIA.org”.

    Unfortunately, I am a reader and commenter on all those blogs, as are many others. As for whether FOIA had some kind of special privileges…. her message was moderated just like any other at WUWT and she specifically asked in a second message for receipt of the first to be confirmed.

  18. It’s not the problem of whether WordPress could handle the logs size. It’s whether they could investigate such a large traffic. Hezbollah found US and Israeli agents by analyzing cell phone data, and the Israelis who used fake British passports in Dubai were found in a similar way. If WordPress has logs of every page view, not posting, with IP addresses, then these could be compared for common viewers and followed up. ClimateAudit and WUWT probably get too much volume to be practical, but I think Tall Bloke might be feasible.

  19. Lucia,
    I doubt that the WP company keeps logs beyond what you have access to. They could, but they do not have any reason to.

    Brandon,
    Where did I say the MAC would be of the remote computer? The MAC information would be of which firewall, switch(es), router(s) (by the way all of these devices have a MAC) the desired traffic went through in the WP (company) networks. The huge statement comes from the size of the logs which are created watching the link-layer and TCP traffic and the routing of it.

  20. Indeed, it might be better for FOIA not to look at those blogs from a common IP address used previously.

  21. Kan, sorry if I misunderstood you, but I was under the impression user information was what lucia was discussing. Given that, I assumed you were referring to the user’s MAC address, not MAC addresses of WordPress’s network devices. This interpretation was reinforced by the fact you and lucia said:

    The MAC

    a MAC number

    Had you been referring to the MAC addresses of the company’s network devices, I’d have expected you to use a plural expression, not a singular. It’s hard to reconcile your latest reference to a multitude of MAC addresses with your usage of “The MAC.”

    You can see why I interpreted your comment as I did, and I think it was quite reasonable.

    Of course, you are right the company’s internal network has many devices with MAC addresses. You are also right information could be kept which would document which devices certain traffic went through. You are especially right that trying to keep logs about this information for traffic would require a great deal of space. I just don’t see what that has to do with lucia’s comment, where she said:

    I have no idea whether WP could ever possibly have recorded something like a MAC number, but if they can, I’m sure they will send that along.

    She was referring to a singular MAC address, and she was specifically referring to sending that MAC address to the authorities. I do not see what connection a list of MAC addresses to devices the authorities would have no interest in has to do with what she said. The authorities might be interested in any logs those devices with MAC addresses have, but that has no bearing on what lucia referred to.

    I do apologize if I misunderstood you. I just don’t see any way I could have done otherwise.

  22. With regard to fighting the wording– I can’t imagine why WordPress would want to try. They have no dog in the fight, so I suspect they will just interpret this as “Send us everything relevant for the appropriate time periods”. “Send us everything about anyone who can log into the admin side” etc.

    They haven’t yet been told to send anything, just preserve it. WordPress ignored the toothless command to not pass on the preservation order, so they might not voluntarily turn over the blog information without a warrant. I think WordPress may have a dog in the fight. They may want to protect their reputation with their users, and they may just be philosophically disposed to protect privacy.

  23. On most server setups the logs are rotated or ‘rolled-over’ on a weekly or monthly basis, so they’re possibly trying to squeeze in before they disappear?
    That said, on a WordPress setup, I’d imagine that the comment_meta table in the database would have much richer pickings for them to confuse themselves, as it usually contains huge amounts of utterly irrelevant info about each and every comment made on the site.
    I’m still trying to think of a set of actions that could be less effective than this, and more calculated to generate lawsuits, so far without success. Truly awe-inspiring incompetence.
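
Three comments in this thread describe the same data from a blog operator’s side: lucia on what WP stores with each comment and the statuses it keeps (approved, pending, spam, trash), her later note on how little the comments table holds per commenter, and Chuckles on the comment metadata table. Below is an added example, not from the thread and not WordPress’s own code, that recreates a subset of WordPress’s default wp_comments and wp_commentmeta tables in SQLite, loads a few constructed rows spanning all four statuses, and runs the kind of date-range pull a preservation request over a GMT window implies. The rows, e-mail addresses, IPs, timestamps and the akismet_result metadata key are all constructed for the example. One detail worth knowing if you run a blog: the default wp_comments table also has a comment_agent column, so the browser user-agent string is retained alongside IP and e-mail for every comment, including ones that never got past moderation.

```python
import sqlite3

# Constructed subset of WordPress's default wp_comments / wp_commentmeta tables.
# Column names are WordPress's own; every value stored below is made up.
SCHEMA = """
CREATE TABLE wp_comments (
    comment_ID           INTEGER PRIMARY KEY,
    comment_post_ID      INTEGER NOT NULL,
    comment_author       TEXT NOT NULL,
    comment_author_email TEXT NOT NULL,
    comment_author_IP    TEXT NOT NULL,
    comment_date_gmt     TEXT NOT NULL,        -- 'YYYY-MM-DD HH:MM:SS'
    comment_content      TEXT NOT NULL,
    comment_approved     TEXT NOT NULL,        -- '1' approved, '0' pending, 'spam', 'trash'
    comment_agent        TEXT NOT NULL DEFAULT ''
);
CREATE TABLE wp_commentmeta (
    meta_id    INTEGER PRIMARY KEY,
    comment_id INTEGER NOT NULL,
    meta_key   TEXT,
    meta_value TEXT
);
"""

# (post id, author, email, IP, GMT timestamp, content, status, user agent)  -- constructed
SAMPLE_COMMENTS = [
    (10, "alice",   "alice@example.invalid", "203.0.113.7",  "2011-11-20 23:59:00", "before window",       "1",     "Mozilla/5.0 (constructed)"),
    (10, "bob",     "bob@example.invalid",   "198.51.100.9", "2011-11-21 00:01:00", "first in window",     "1",     "Mozilla/5.0 (constructed)"),
    (11, "carol",   "carol@example.invalid", "192.0.2.44",   "2011-11-22 13:37:00", "held for moderation", "0",     "curl/7.x (constructed)"),
    (11, "spammer", "x@example.invalid",     "192.0.2.99",   "2011-11-23 08:00:00", "buy stuff",           "spam",  ""),
    (12, "dave",    "dave@example.invalid",  "198.51.100.9", "2011-11-23 23:59:00", "last in window",      "trash", "Mozilla/5.0 (constructed)"),
    (12, "erin",    "erin@example.invalid",  "203.0.113.8",  "2011-11-24 00:00:00", "after window",        "1",     "Mozilla/5.0 (constructed)"),
]

# Plugin-written metadata rows keyed by comment_ID (ids 3 and 4 above); constructed.
SAMPLE_META = [
    (3, "akismet_result", "false"),
    (4, "akismet_result", "true"),
]

COLUMNS = ["id", "author", "email", "ip", "when", "status", "agent", "meta"]


def build_db() -> sqlite3.Connection:
    """In-memory database with the constructed schema and rows loaded."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO wp_comments (comment_post_ID, comment_author, comment_author_email, "
        "comment_author_IP, comment_date_gmt, comment_content, comment_approved, comment_agent) "
        "VALUES (?,?,?,?,?,?,?,?)", SAMPLE_COMMENTS)
    conn.executemany(
        "INSERT INTO wp_commentmeta (comment_id, meta_key, meta_value) VALUES (?,?,?)", SAMPLE_META)
    conn.commit()
    return conn


def preservation_window(conn: sqlite3.Connection, start_gmt: str, end_gmt: str) -> list:
    """Every comment whose GMT timestamp falls inside [start, end] inclusive, regardless of
    moderation status, with any metadata rows folded in as 'key=value;key=value'."""
    rows = conn.execute("""
        SELECT c.comment_ID, c.comment_author, c.comment_author_email, c.comment_author_IP,
               c.comment_date_gmt, c.comment_approved, c.comment_agent,
               GROUP_CONCAT(m.meta_key || '=' || m.meta_value, ';') AS meta
        FROM wp_comments AS c
        LEFT JOIN wp_commentmeta AS m ON m.comment_id = c.comment_ID
        WHERE c.comment_date_gmt BETWEEN ? AND ?
        GROUP BY c.comment_ID
        ORDER BY c.comment_date_gmt
    """, (start_gmt, end_gmt)).fetchall()
    return [dict(zip(COLUMNS, r)) for r in rows]


def retention_summary(records: list) -> dict:
    """How much personal data the window holds: comments per status and distinct IPs."""
    by_status = {}
    for r in records:
        by_status[r["status"]] = by_status.get(r["status"], 0) + 1
    return {"by_status": by_status, "distinct_ips": sorted({r["ip"] for r in records})}


if __name__ == "__main__":
    db = build_db()
    window = preservation_window(db, "2011-11-21 00:01:00", "2011-11-23 23:59:00")
    for rec in window:
        print(rec)
    print(retention_summary(window))
```

The point for anyone operating a blog is in retention_summary: spam and trashed comments still carry a commenter’s IP, e-mail and user agent until they are actually purged, so a window pull reaches them just as it reaches approved ones. Emptying spam and trash on a schedule is the simplest way to hold less than a request like this one can ask for.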

  24. my 2p worth – the boys in blue just want to make it seem that they are doing something. They might be getting annoying phone calls from warmist journalists. As a course of action, impounding 2 pcs and a router does not seem to imply much technical knowledge.

  25. MJW (#87253) :
    “WordPress ignored the toothless command to not pass on the preservation order”

    The preservation order was dated 9 December. They passed it on to Tallbloke & Jeff on 14 December. Hence a reasonable supposition is that WordPress conformed with the essence of the request, not alerting the individuals until after the logs had been supplied to DoJ.

  26. Looks like the police have been embarrassed into being seen to ‘do something’

    Pretty incompetently as well... i.e. Tallbloke blogged about it from his smartphone.. they left him with it…

    I’ve got my WordPress for Android app installed on my smartphone…

    With respect to FOIA and WUWT, what would they find, someone made a comment with an email address and user name, then had to wait for it to be noticed.. WUWT gets a LOT of comments.

    I don’t think WUWT has received any contact from the police, etc ….

    As a WUWT guest author, I might be concerned that the UK police ‘might harrass me’ which in turn might make me think about what I write ;(

    Anyway, perfect alibi, first time I heard about climategate 2, was from a tweet by the Guardian’s Leo Hickman…

  27. Chuckles–

    I’d imagine that the comment_meta table in the

    Ahhh! Now I’m going to go find out what’s in comment_meta ! I never really looked in there.

  28. Don’t know how it works in the UK, but I am pretty sure that in the US, the DOJ would need to get a warrant to get the information from WordPress. What the notice does is ask WordPress to preserve the information so the DOJ has time to acquire the warrant. I don’t know if the DOJ needs to serve the warrant on both WordPress and the blogger (i.e., JeffID) or just on WordPress.

  29. @Max_OK (Comment #87226):

    Re Carrick (Comment #86663) on WSJ: Delingpole-Z Man Mann thread 5, Dec. 2911

    December 6th, 2011 at 12:10 am
    Max_OK:
    But I doubt the hacker is a CRU employee. An investigation of CRU staff should have come up with something by now.

    I disagree with this last bit. For CG1.0, rather than emailed, the files were as easily taken out on a flash stick, then emailed from a remote location. The flash stick may even have been physically taken to Russia. For CG2.0, all of those could have been on the same flash stick.

    The email link would never have been from CRU directly to any blog. No one is THAT stupid. If anything, they might be looking for a Russian email/IP address that both had in common. Fat chance. There IS a trail, and they have to start somewhere, but it is really unlikely that they will track it down (not unless some hacker-turned-police-gofer has some tricks up his sleeve).

  30. I watched V for Vendetta recently and from now on, I will wear the mask of FOIA in all my communications

  31. Maybe reception/possession of the Climategate files is going to be the pretense used to shut down bloggers and or make future arrests.

    Andrew

  32. I believe WUWT is also hosted on WordPress.com; I note they are not listed in the letter to WordPress.

    Who in their right mind would issue a warrant for a blog run by a former Television Weather man. I’m pretty sure Anthony Watts has the local Television News directors personal phone number.

    The journalism world closes ranks really quickly when the police start snooping around the private communications of ‘one of their own’.

  33. Barry Woods, that’s my take on the latest show of force by the law enforcement agencies involved. All those agents who showed at Tallbloke’s would appear to be overkill by the usual standards – if we can assume it is related to climategate2. I believe we have heard public statements by at least one climate scientist that the involved law enforcement agencies were not making a sufficient effort to apprehend the “hacker(s)”.

    I suppose we can rule out a complete Chief Inspector Clouseau imitation here since the perpetrator would appear to have a reasonably good acquaintance with the three blogs being searched and might have posted there at some time. Unless the law agencies have leads from other sources their actions would appear to be akin to a fishing expedition.

  34. I know for a fact that the UK and Dutch police can ask mobile telephony providers to save certain specified call records on production of a warrant. I imagine the same sort of rules apply to ISPs and organisations such as WordPress. And then, if the officials claim that it is a case of national security, we have just undergone in the UK 13 years of enactment, by an allegedly socialist government, of all kinds of anti-freedom measures – because they wanted to show that the “right wing” was soft on terrorism. Bottom line, if they want to search, impound and bug, then they can find ways to do it legally.

  35. Kenneth–
    On the one hand, the number of officers arriving at Tallbloke’s seems overkill. It’s not as if Tallbloke was likely to pull out a shotgun to defend his laptop.

    But I wouldn’t jump to the conclusion that the law agencies must be imitating Inspector Clouseau here.

    First, no one likes being in the dark about what precisely the USDOJ is looking for (and even might find) when they request WordPress freeze all the files. So, I would be on pins and needles if I were Jeff, Tallbloke or SteveMc. (And this holds even though as far as I am aware there is nothing to be found in my databases. Certainly nothing that points to me having been in any way involved in hacking into CRU!)

    But if we step back and think about this: all bloggers have lots and snippets of information, so many in fact, that the blogger’s files could contain something the blogger a) didn’t put there, b) didn’t know was put there and c) never even gives a second thought to.

    Let me give an example: Until recently, I was never in the habit of visiting the /logs at my host to see what sorts of hits were coming to my blog. Recently, I have been because the blog was crashing for no apparent reason. I looked at the logs and found that it’s ‘bot activity of various sorts. I want to come up with a solution to reduce a lot of the negative consequences of this, and in the past few months, I’ve looked at the /logs files.

    But ordinarily: while those are auto-created, I never look at them. I never save them. I never download them. They are deleted automatically. End of story.

    But suppose authorities were hot on the trail of something and had some evidence that created a reasonable expectation that looking at my server logs from Nov 21-Nov 23 might be incrementally helpful in an investigation? Then they might ask Dreamhost to freeze them. Nothing really to do with suspicions about me— but maybe there is something in there.

    Once they looked, they might find something or not. Maybe someone could then complain they’d just been on a fishing expedition– but to some extent, isn’t that normal for cops? The legitimate question would be to determine whether they had reason to believe a particular spot was a good fishing hole, or whether they just chose that spot because they thought it would be a nice place to take their canoe, pull out some beers and sun themselves while pretending to be trying to catch something worth catching.

    I expect this question would be asked by a judge when police request a warrant. My impression is they need a warrant to view the files they requested WP freeze. It seems UK cops had a warrant to take Tallbloke’s computers. I don’t know if the judicial proceeding where UK cops requested a warrant is public domain.

    So, it’s still possible that despite the overkill of sending a swarm of cops over to Tallbloke’s that the authorities are following protocols that are known to be necessary if they have reason to believe there is something that will help them discover who might have obtained files from CRU and whether the method of obtaining them violated any laws. We just don’t know enough to know whether they are just being ham-handed Clouseau-like dimwits or being thorough.

    That said…. I’m glad I didn’t get a letter telling me the USDOJ requested my records from Nov. 21-23 be frozen. Of course, I can’t be confident no such letter exists, but I suspect it’s unlikely. So, no ulcers for me!

  36. Lucia:

    But if we step back and think about this: all bloggers have lots and snippets of information, so many in fact, that the blogger’s files could contain something the blogger a) didn’t put there, b) didn’t know was put there and c) never even gives a second thought to.

    Actually if you wanted me to guess, it probably has to do with suspected emails and other personal correspondence between Tallbloke and the closet hacker. I’d be a bit surprised if Tallbloke were involved himself, even though the usual group has already tried and convicted him.

  37. HaroldW: The preservation order was dated 9 December. They passed it on to Tallbloke & Jeff on 14 December. Hence a reasonable supposition is that WordPress conformed with the essence of the request, not alerting the individuals until after the logs had been supplied to DoJ.

    I don’t think it’s reasonable to suppose WordPress has turned the logs over to the DoJ. As far as we know, they have only been told to preserve the data. Even if they had turned it over and didn’t alert anyone until they did, they still disregarded the request to not contact the blog owners: “I request that you not disclose the existence of this request to the subscriber or any other person, other than as necessary to comply with this request.” It would have been easier and safer for TypePad to comply completely, but they didn’t. That suggests to me that they wouldn’t just roll over to a warrantless request to provide the information.

  38. Carrick–
    I agree with you that the reason for seizing Tallbloke’s computers probably has to do with looking for email correspondence with FOIA.org or even just someone who knows who FOIA.org is.

    If so, the contents of those emails, including the information in the headers would be potentially useful information in any investigation to find out who FOIA.org might be and ultimately to trace back to who might have obtained files off CRU computers.

  39. Lucia, slight correction, I see I was applying my naming conventions to the WP database tables – the table is called wp_commentmeta on my systems, which (I think) is the WP default. Contains all the metadata for each and every comment on the system.

    I saw a throwaway comment at CA, where Tallbloke states that the DOJ action is at the request of the UK police, not vice versa. That said, I’d imagine any half competent lawyer could shred their reasons for the search warrant, and subsequent seizure of the computers.
    The numbers and the hour – loud knocks on the door at midnight, are just farcical. All they had to do was pick up a phone, call, and ask some questions, or ask if they could pop round at a mutually convenient time. The combination does the PR image no favours, and boy do they need some favourable PR at the moment in the UK.

  40. Chuckles

    All they had to do was pick up a phone, call, and ask some questions, or ask if they could pop round at a mutually convenient time.

    No. That’s no good. I think the UK police arriving without pre-warning is better for Tallbloke. The alternative would be that he would have learned they wanted evidence and then he would have had to wait around doing nothing to intentionally or unintentionally destroy, or seem to destroy or corrupt, evidence that might be of interest. Tallbloke wouldn’t know what evidence that was with any level of specificity (and, moreover, the cops would be unwise to follow a protocol where they informed someone of precisely what they were looking for. Imagine if they phone up a pot dealer at night and say, “Hello. We have a warrant to search for marijuana in your house. We’ll be over in an hour or so. How’s that sound to you?” What do you think would happen?)

    In this instance the police telling Tallbloke what they were looking for would be worse than not telling him. As a practical matter, since almost anything can result in a cached file being created or destroyed, he would have had to step back from every one of his computers, not shift them (even if moving them would aid in the re-modeling going on) and wait for the cops to come by. Only at that point, after the cops came by and picked out which two computers and routers they wanted, and left, could Tallbloke safely go back to using his stuff without fear that something he did could make someone accuse him of destroying evidence.

    So…. serving a warrant with no warning is all around better than scheduling the visit! But the constabulary did seem to send around more cops than required. But this may be because all of them want to be able to regale their friends with stories of being involved in one of the few investigations that gets mentioned in the press. I mean…. if you were a beat cop, might you not want to be able to tell people you were involved in the ‘sexier’ sounding cases? I think a lot would enjoy that! That may be the reason a lot of them tagged along.

  41. MJW–
    But I think WP froze the logs before telling Jeff, Tallbloke and Steve. I think that was appropriate. The reason for freezing is to keep Jeff, Tallbloke or SteveMc (or anyone else) from altering records should the USDOJ later get a warrant. Clearly, if Jeff, Tallbloke or SteveMc were told in advance that their files were about to be frozen, they would at least have the opportunity to alter the files. In fact, for all we know, between the time WordPress got the letter and the time when they completed freezing the appropriate records, Jeff, Tallbloke and SteveMc may have altered something– without having the slightest awareness there was an order to “freeze”. So, it’s best that WordPress “froze” things, which seems to be required by law. OTOH, not informing Jeff, Tallbloke or Steve does not seem to be required by law, and they informed them — likely after they had fully complied with the request to freeze.

    I’m sure WordPress will do what is required by law. Its bread and butter is bloggers, so it will also defend the rights of bloggers. That said, I suspect WordPress will not push interpretation of the law to the limit in its quest to expand the recognized rights of bloggers. But I may be proven wrong on that.

  42. Lucia, agreed on all of that, it’s just that from a PR point of view 6 cops from different forces arriving and pounding on the door at midnight to take 2 laptops and a router out of a household that (a bit like mine really) has exotic servers and workstations all over the place, is very not smart.
    The UK police have an image problem with a LOT of the populace at the moment, and this is not going to help it one little bit.
    Legally, I’m very dubious about seizing and removing a couple of laptops and some computer hardware from someone when they’re not accused of, or suspected of, any crime. Plus technically I really cannot see any huge justification for the actions, as you note above.
    Finally, what exactly did they say to the magistrate in order to get a warrant, and are their actions consistent with those claims?
    All of which, in UK and EU law, suggest harassment, invasion of privacy and various similar terms to me.

  43. This is a fun little quote from Tallbloke:

    “I am happy to assist the police with their inquiries because I haven’t been hiding anything important like some people have. I assisted them with their inquiries, which involved voluntarily answering some questions regarding computer use etc.”

    Nice example of unintended consequences.

  44. Not entirely OT and via Bishop Hill, this is a pretty interesting story:

    Civil servants have been warned that using private email accounts for official business in an effort to dodge Freedom of Information Act requests is a criminal offence.

    Oops.

  45. Chuckles

    Finally, what exactly did they say to the magistrate in order to get a warrant, and are their actions consistent with those claims?
    All of which, in UK and EU law, suggest harassment, invasion of privacy and various similar terms to me.

    I don’t know what they said to the magistrate. Would court records documenting these requests be publicly available in the UK? If yes, someone could go find out! 🙂

    I’d be a little more patient before I decreed this was harassment etc. It might be. Or not. We need to know what the police told the magistrate when requesting the warrant. But the number of cops! (I’d put a quatloo on my theory that a bunch of cops want to be able to tell people they were involved in the “raid”.)

  46. Carrick–
    That may put the kibosh on the IPCC plan to have everyone communicate on the IPCC system which seemed at least partly motivated to put their communications out of reach of FOIA.

    Mind you, it wouldn’t mean that people can’t use a system for convenience. The issue is: Does that put the contents of the communications out of reach of FOIA. The UK ruling vs. private accounts suggests the UK is leaning toward: No. It’s still in reach of FOIA.

  47. lucia: I’m sure WordPress will do what is required by law. Its bread and butter are bloggers, so it will also defend the rights of bloggers. That said, I suspect WordPress will not push interpretation of the law to the limit in its quest to expand the recognized rights of bloggers. But I may be proven wrong on that.

    I’m sure they preserved the data before contacting the bloggers; but they did contact the bloggers, contrary to the request in the DoJ letter. My main point, though, is that so far there’s no evidence that any of the data has been turned over to the DoJ. As I understand the law, because the information is less than 180 days old, the only way the DoJ can force WordPad to release it is with a warrant. Older data can be subpoenaed, though in most cases prior notice must be given to the subscriber.

  48. Lucia, I want to be clear that to me even an Inspector Clouseau imitation does not make the long arm of the law any less intimidating to those exposed to it. I am watching this episode unfold carefully as I want to know if the serving of search warrants has been constitutionally compromised by the advent of the internet and/or the panic response that gave us the Patriot Act and in the aftermath of an opposition party, that was opposed to the Act, gaining power only to renew the Act. We used to hear a lot about the Act and now nearly nothing. There are plenty of inconsistencies or should I say hypocrisies on all sides of these issues.

    Mann was offended by having to appear before congress and I would generally agree that congressional hearings are a waste of time at best and the legislature taking on judicial powers at worst. Now let us hear what Mann thinks about the midnight raid on Tallbloke and the DOJ’s letters to WordPress.

  49. Re Steve Garcia’s Comment #87267

    Steve, we both are speculating about whether CRU staff were involved in the hacking. I hope the guilty has the courage to identify himself/themselves, and end the suspense.

  50. Now let us hear what Mann thinks about the midnight raid on Tallbloke and the DOJ’s letters to WordPress.

    According to commenter HG on “noconsensus”:

    Michael Mann has retweeted someone called Greg Laden:

    “More Computers of Criminal Cyber-Thieves Seized tinyurl.com/6u47ezy ”

    I believe accusing someone of committing a crime is libel per se.

  51. Carrick, Thanks for that Laden link…tasteful…
    Looks quite close to libelous in a UK context, but IANAL.

    MJW, in UK law, repetition of a libel or slander is just as much a crime as the original offence…

  52. MJW–
    You may be correct. At first I read the contents of the post and thought “No libel because no one can figure out who is accused.” But then I read the title, and in context it appears the article is suggesting Tallbloke is a criminal cyber-thief as it’s his computers that have been seized.

    So far, I don’t think the constabulary has even alleged Tallbloke stole anything.

  53. I like the comments over at Laden’s

    You utter moron. The police raid does not imply there is any evidence that any of these people were involved in the hacking.

    Posted by: James Annan | December 15, 2011 3:32 PM

  54. I doubt TallBloke will sue Mann for libel, but it’d be funny if he did, considering the litigious Mann’s defamation suit for the “state pen” joke. Mann sure is a jerk (purely an expression of opinion).

  55. Does anybody know what the underlying alleged crime is that is the basis of the anticipated warrant? I know there is some anti-terrorism eCrime statutory language out there but you really can’t squeeze this into that box. I don’t know what specific criminal statutes are implicated, if any.

    Also, if someone is trying to shoehorn federal jurisdiction on the grounds that there was federal funding of the activities that are the subject of the emails wouldn’t that also make the prior refusals to release the emails pursuant to FOI requests unlawful and thus make the leaker/hacker a whistle-blower by definition?

    Some lawyers may get to have a lot of fun with this before it’s over.

  56. Carrick–
    After that, all sorts of people are agreeing with James.

    MJW-
    I also doubt Tallbloke will sue Mann for libel. Suing people is expensive. You have to hire lawyers etc. It’s idiotic when the damages are ‘pffttt’. The main reaction to Greg Laden idiotically implying that Tallbloke is a criminal who stole emails is that people who previously had never heard of Greg Laden now think Greg Laden is an idiot. I suspect some of these people will click over to his “about” page, read it, and form the opinion that Greg Laden is a snotty, tightly nasty-piece-of-work idiot who somehow manages to function successfully in an academic setting. But almost no one will believe there is any evidence Tallbloke is a criminal based on Greg Laden’s understanding of police investigations which going by his recent blog post appears to be less than would be expected of the average 8 year old who watches police dramas on tv.

  57. Nick Stokes should be happy anyhow. He’s one that likely wants everyone who posted or read the leaked emails to have their computers raided.

    Congrats to Nick!

    I wonder if they wore brown shirts.

  58. … you folks know your ways around IT and the internet….do you think the boys in blue are doing anything more than…trying to intimidate someone? Do they have any evidence? Do they seriously think they will glean any evidence off tallbloke’s hard-drives?

    They might glean something off wordpress….but…spare us the paranoia. You had Rumsfeld…we had Blair

  59. I suspect some of these people will click over to his “about” page, read it, and form the opinion that Greg Laden is a snotty, tightly nasty-piece-of-work idiot who somehow manages to function successfully in an academic setting.

    Well, he’s managed to function in quite different settings as well.

    That said, he’s generally not regarded as the most tactful person ever.

  60. toto–
    He’s an anthropologist. What’s not academic about that? (Please answer in words, not by another link. Because reading that, I conclude you have merely provided more evidence that he is ok as an academic doing the things academics in his line do.)

  61. I think people are confusing what they are after.
    Possibility one is that they already know who the hacker is, and they just need this data for their prosecution, establishing the known facts that a link was posted.

    More likely is possibility two that they are trying to determine the identity. Given that this happened 2 years ago with nothing found, it is unlikely that any record of postings would help find this person. There are enough proxies in between that the IP addresses are meaningless. It’s possible a thorough search didn’t happen until now, but I doubt that. Steve McIntyre and Jeff Id gave the IP addresses 2 years ago.

    So what I think is a possibility, is that they are looking at all records of access to a website. Everyone who looked at the front page, even if they didn’t post. Would WordPress have this data? Also, does it receive any cookies back? The Name and e-mail are stored for when I come back to this site.
    I have noticed that when I use a different name on some sites to get around bans, that the name ended up being used at The Air Vent unwittingly, because the name change carried over. I don’t know if this was done because both were WordPress sites by my browser, or if WordPress itself saw the cookie and made that change.

    What if FOIA went through all these proxies to post his link, so there’s no way they can trace the IP address of that post back to him. Then a week later he goes to the website TallBloke, and his computer sends a cookie with Name=FOIA? Even if he changed that to post again, has the original cookie been seen by WordPress?

    Even if cookies are not sent, just having the records of everyone who visited the site might help. If ClimateAudit’s records were also taken, this would kill the theory as its volume is too high. But perhaps you can investigate everyone who ever visited TallBloke’s site? Finding common visitors with Air Vent, and then doing a process of elimination. This would not work with WUWT.

  62. diogenes–
    If you want to know the answers to those questions, you should do your own digging. Start by looking into what is involved in getting a warrant in the UK and see whether you can learn what information convinced the magistrate that a search warrant was justified. Otherwise, this story broke today. So.. no. No one knows the answer to your question and they won’t as long as people like you lack motivation to try to do anything effective.

  63. …waits for the sneaky lil rabett to show up with a display of nothing very much apart from impenetrable snark….you have to wonder how his pension fund is coping with the global disaster he predicts with such certainty

  64. Kevin,

    I’m not sure what you have against Nick, but given that he has not expressed any opinions in this thread (to the best of my knowledge), your attacks on him are most unwarranted. Also, try and avoid farcical brownshirt comparisons.

  65. diogenes–
    You could wait until Eli shows up before criticizing his reaction to this post.
    Zeke–
    Thanks for jumping in.

  66. lucia…as I said above thread…the national security provisions in the UK allow the boys in blue to do just about anything they want, as long as a magistrate permits….the thing is, what can they find, or what are they able to find from the contents of some interactions with wordpress? This is an attempt to frighten people. No more than that. Did foia exchange emails direct with anyone? And even so, how hard is it to create a new email account?

  67. diogenes–
    Rhetorical questions are strongly discouraged and argument by rhetorical question is prohibited. You have posted here long enough that I think you ought to know this rule.

    Your comment diogenes (Comment #87319) is full of argument by rhetorical question. For example “.do you think the boys in blue are doing anything more than…trying to intimidate someone? Do they have any evidence? Do they seriously think they will glean any evidence off tallbloke’s hard-drives?”

    Please do not argue by asking rhetorical questions or you will be banned and the IPs near yours which are shared by the name-changing sockpuppet and another party will be moderated.

    You seem to be asking more rhetorical questions, like

    …the thing is, what can they find, or what are they able to find from the contents of some interactions with wordpress?

    I do not for one second believe you are actually asking this to learn what type of things Tallbloke might have on his hard drive. I think you are trying to argue by rhetorical question.

    So, I will now answer:
    Obviously none of us know what the magistrates will find on Tallbloke’s hard drive because we do not know what is on Tallbloke’s hard drive. However, at least hypothetically, it is possible that FOIA.org elected to send Tallbloke an email and that email could be on Tallbloke’s hard drive. If it is there, Tallbloke might know it’s there, or he might not. For example: I get email all the time. Some gets filtered by my spam rules, goes in the “trash”, which doesn’t empty on shutdown. Every now and then, I look in there, see hundreds of emails and delete. It may be that the police have reason to suspect FOIA.org might have emailed Tallbloke and if so, they hope to find the email so they can inspect it. If they find it, they could have valuable information including return email address, and information in the headers.

    I think many of us can agree that it is frightening to have 6 members of the police force arrive at your door asking to search your hard drives. But it doesn’t follow that frightening Tallbloke or others is necessarily their only or even main motive.

    Now, on to this question:

    And even so, how hard is it to create a new email account?

    It’s easy. But you already know that. I also can’t even begin to imagine what argument this rhetorical question was meant to advance, but I’m pretty sure you didn’t ask it because you want to know how hard it is to create a new email account.

  68. MikeN–

    I think people are confusing what they are after.

    I think it’s more accurate to say we don’t know– and that includes you. The police haven’t specifically indicated. I think they are following a normal practice in this.

    Given that this happened 2 years ago with nothing found, it is unlikely that any record of postings would help find this person.

    “this”? A comment by FOIA.org containing a link to climategate 2.0 emails appeared on sites around Nov. 21, 2011. The USDOJ letter requests a freeze on records from Nov 21-Nov 23, 2011.

    There are enough proxies in between that the IP addresses are meaningless.

    Unless you are in cahoots with FOIA.org, I don’t see how you could know how many proxies there are between IP addresses.

    So what I think is a possibility, is that they are looking at all records of access to a website. Everyone who looked at the front page, even if they didn’t post. Would WordPress have this data?

    You seem to be describing server logs which many of us discuss above. WordPress might or might not have that data. Scroll back up and see what Kan, Brandon, Ken and I said about server logs. But, basically, it seems to me that if on Dec 4. the DOJ requested Dreamhost freeze my server logs for Nov 21-23, 2001, Dreamhost would tell them those were already deleted.

    I have noticed that when I use a different name on some sites to get around bans, that the name ended up being used at The Air Vent unwittingly, because the name change carried over.

    Heh. [biting my tongue]

    Even if he changed that to post again, has the original cookie been seen by WordPress?

    Probably “seen” but not recorded in a database anywhere. Cookies also don’t show in standard garden variety server logs. OTOH, WordPress.com blogs usually run some statistics software in php, and that might record any information sent in order to provide interesting demographic information to the blogger. So maybe WP may have recorded some cookie information and the blog operator (Jeff, Tallbloke, SteveMc and so on) wouldn’t have direct access to it.

    Even if cookies are not sent, just having the records of everyone who visited the site might help. If ClimateAudit’s records were also taken, this would kill the theory as its volume is too high

    Your theory about the volume being too high seems untenable to me period. I think traffic to WUWT could be 10 times what it is and the size of the query logs would not be cumbersome. Steve, Nick, Claude and Zeke could run things through an R script in a jiffy.

    But perhaps you can investigate everyone who ever visited TallBloke’s site? Finding common visitors with Air Vent, and then doing a process of elimination. This would not work with WUWT.

    I doubt anyone intends to investigate everyone who ever visited TallBloke’s site.

    Finding common visitors with Air Vent, and then doing a process of elimination. This would not work with WUWT.

    As I said: I don’t think they are necessarily looking for common visitors. But also, I see no reason at all why

  69. When I say this happened 2 years ago, I am referring of course to the first batch of e-mails, with investigators finding nothing. It is known they were given relevant IP addresses at least. If that led to nothing then, then is it likely to lead to something this time?
    I disagree about the size of the query logs at WUWT being uncumbersome. If it was just running a computer program sure, but I think the investigation would require lots of manual labor as well, with seizing computers being an example.

    Having to track down every user, sort them out to see who are probable suspects, comparing posting history, etc. With WUWT the number of viewers is too high. I think even with ClimateAudit it is too high. Maybe even The Air Vent.

  70. The idea is to find the hacker not based on the e-mails that he posted or his posts on the site, but starting with the basis that he visited these sites. So you get the complete visitor logs, and track down every user.

  71. MikeN

    If that led to nothing then, then is it likely to lead to something this time?

    Who knows?

    If it was just running a computer program sure, but I think the investigation would require lots of manual labor as well, with seizing computers being an example.

    WUWT runs on Dreamhost servers. I checked last night. It seems to me that checking their logs would involve running computer programs and nothing more.

    Having to track down every user, sort them out to see who are probable suspects, comparing posting history, etc. With WUWT the number of viewers is too high. I think even with ClimateAudit it is too high. Maybe even The Air Vent.

    I have no idea why you think the police intend to track down every user etc. You seem to be concluding that looking at WUWT would be too difficult because the police are trying to do something I can’t even begin to imagine they would want to do.

    Heck, tracking down every human entity associated with the connection in my server logs in 1 hour would be too cumbersome to do it. But looking for an already identified IP, or finding overlap between every IP that hit my blog and those that hit Jeffs over our entire period of operation would be do-able provided the logs existed. (They don’t.)

    I have not been able to imagine a single thing the police are likely to do with server logs or WP logs that would be rendered difficult to do owing to the size of WUWT’s logs. But yes, tracking down every single person who ever connected from Nov 21-23 would be too difficult. They can’t do that for Tallbloke or The Air Vent either.

  72. MikeN–
    Not to be mean… but… do you know anything about server logs and what might be in them? You seem to have learned the concept this week and the word during conversation in this post.

  73. As far as actually seeing server logs, no, hence the questioning of whether it stores cookies, or page views.

    I agree that looking through a database of IP addresses to find common visitors would be easy to do for any size blog. What I had in mind was to physically track down every viewer at a blog yes, with appropriate screening beforehand. This is why I think WUWT is too large. You think even Air Vent and Tall Bloke are too large for that as well. Do you think it is plausible at any blog?

  74. Do you think it is plausible at any blog?

    Well… it might be possible for some small newer blogs. But robot traffic alone would make literal implementation of what you suggest impossible.

    Let me explain a little why:

    Here’s an entry in my server log:

    173-234-250-244.ipvnow.com – – [15/Dec/2011:03:32:15 -0800] “POST /musings/wp-comments-post.php HTTP/1.1” 403 3344 “http://rankexploits.com” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; Media Center PC 6.0; InfoPath.2; MS-RTC LM 8)”

    • 173-234-250-244.ipvnow.com This is the host. You can get the IP address from that.
    • [15/Dec/2011:03:32:15 -0800] The time.
    • “POST /musings/wp-comments-post.php HTTP/1.1” The uri they tried to load. This is the uri you load when you click to submit a comment.
    • 403 The response code. My server told them to go suck eggs. (200 is an accept.)
    • 3344 don’t you worry your pretty little head and I won’t either.
    • “http://rankexploits.com” The page that supposedly referred them to the uri they tried to load. (As if. At my blog, you can’t ever post a comment from “http://rankexploits.com”. You have to be at “http://rankexploits.com/musings/name_of_a_blog_post”. This was a bot. Not only is it a bot, it’s a spam bot. I told it ‘403’ which means go away.)
    • “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; Media Center PC 6.0; InfoPath.2; MS-RTC LM 8)” This is the useragent the bot claimed to be using.

      The useragent string depends on what you use to view my blog– I use Firefox and leave useragent strings that would indicate I was using Firefox on the Mac. I have no idea what that ‘bot was claiming.

    This is your garden variety stuff left in logs. Based on what Kan said it’s possible that the server might log more– I don’t know. But this amount is pretty common. There are other ways to log things, and I know WP runs a statistics script on their blogs. But what I’m showing you is generally what you might get out of a server log. IF. If it still exists. That’s a big if.

    No one is going to find a person to interview about that hit. (It’s a bot anyway I tell you. In fact, it tried to post immediately twice more. The next two logs look exactly like the first one but with new useragents. In the 2nd attempt, it claimed its user agent was “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.14) Gecko/2009082707 Firefox/3.0.14 (.NET CLR 3.5.30729)”, in the third “Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)”

    Then the charming bot gave up and went away.

    Everyone’s logs are full of this stuff. The logs of low traffic blogs are full of this stuff. So, to implement your notion, in the first step you have to write a script that decides which of these things aren’t humans at all.

    Then, figuring out which ones are humans — which is difficult to do with certainty — you start needing to figure out how to connect something like “173-208-103-137.ipvnow.com” to an actual human. (Except I’m pretty sure that hit was a bot too. They left referrer spam to a blog post with the words “forex-megadroid-review-october-2011” in the 2nd half of the title. That’s spam. I don’t want to paste in a domain that is likely to be a human.)

    Now, in many cases, they might be able to make something of who looked at what if in addition to server logs they have information from the wordpress comment database. That’s included in the freeze request. Because in that case, they’d have something that connects user names & email addresses to some of the IPs. (I know, for example, that certain visitors cycle through sock-puppet names because the IP addresses of certain “names” overlap. In the case of others, I only suspect because the IP ranges are similar, but not matching. )

    FWIW: I think getting the comment database from Anthony would increase the chance the feds could identify the specific human being associated with a particular entry in the server logs. It would increase it a lot precisely because Anthony gets so much traffic and lots of people comment. So if the police were trying to do what you suggested, getting Anthony’s logs would make it easier not harder to do.
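An added example (my own code, not anything from this blog, WordPress or the commenters) that parses entries in the combined log format quoted in comment 74, applies the spam-bot heuristic described there (a POST to wp-comments-post.php that was not referred from a post page), restricts hits to a time window, and runs the moderator's "several names, one IP" check against a comments table. It assumes the blog's post pages live under http://rankexploits.com/musings/; all sample log lines and comment rows are constructed.

```python
import re
from datetime import datetime
from typing import Optional

# Apache/nginx "combined" log format, the layout of the entry quoted above.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
DASHED_IP = re.compile(r'^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.')
DOTTED_IP = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')

COMMENT_ENDPOINT = "/wp-comments-post.php"
POST_PREFIX = "http://rankexploits.com/musings/"   # assumed location of post pages

# Constructed sample log: line 1 is the entry quoted above; lines 2-3 reuse the
# two later user agents quoted above with constructed times; the rest (TEST-NET
# address, slug, malformed line) are invented for the example.
SAMPLE_LOG = """\
173-234-250-244.ipvnow.com - - [15/Dec/2011:03:32:15 -0800] "POST /musings/wp-comments-post.php HTTP/1.1" 403 3344 "http://rankexploits.com" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; Media Center PC 6.0; InfoPath.2; MS-RTC LM 8)"
173-234-250-244.ipvnow.com - - [15/Dec/2011:03:32:16 -0800] "POST /musings/wp-comments-post.php HTTP/1.1" 403 3344 "http://rankexploits.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.14) Gecko/2009082707 Firefox/3.0.14 (.NET CLR 3.5.30729)"
173-234-250-244.ipvnow.com - - [15/Dec/2011:03:32:17 -0800] "POST /musings/wp-comments-post.php HTTP/1.1" 403 3344 "http://rankexploits.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)"
198.51.100.7 - - [15/Dec/2011:03:40:02 -0800] "GET /musings/example-post/ HTTP/1.1" 200 48213 "http://www.google.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0) Gecko/20100101 Firefox/8.0"
198.51.100.7 - - [15/Dec/2011:03:45:30 -0800] "POST /musings/wp-comments-post.php HTTP/1.1" 302 0 "http://rankexploits.com/musings/example-post/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0) Gecko/20100101 Firefox/8.0"
this line is deliberately malformed and will not parse
"""


def parse_time(stamp: str) -> datetime:
    """Parse the bracketed timestamp, e.g. '15/Dec/2011:03:32:15 -0800'."""
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")


def host_to_ip(host: str) -> Optional[str]:
    """Recover the address from the host field: a dotted IP, or a reverse-DNS
    name of the '173-234-250-244.ipvnow.com' form seen in the quoted entry."""
    if DOTTED_IP.match(host):
        return host
    m = DASHED_IP.match(host)
    return ".".join(m.groups()) if m else None


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into named fields; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["time"] = parse_time(entry["time"])
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    entry["ip"] = host_to_ip(entry["host"])
    return entry


def classify(entry: dict, post_prefix: str = POST_PREFIX) -> str:
    """The heuristic from the comment: a genuine comment submission is a POST to
    wp-comments-post.php referred from a post page under post_prefix; the same
    POST with a bare-domain, empty or foreign referer is a spam bot."""
    if entry["method"] == "POST" and entry["uri"].endswith(COMMENT_ENDPOINT):
        ref = entry["referer"]
        if ref.startswith(post_prefix) and len(ref) > len(post_prefix):
            return "comment"
        return "spam-bot"
    return "page-view"


def summarize(lines, post_prefix: str = POST_PREFIX,
              start: Optional[str] = None, end: Optional[str] = None) -> dict:
    """Count hits by class, optionally within a [start, end] window given in log
    timestamp format (the narrow kind of window a freeze request names).
    Malformed lines are counted as 'unparsed' regardless of the window."""
    lo = parse_time(start) if start else None
    hi = parse_time(end) if end else None
    counts = {"comment": 0, "spam-bot": 0, "page-view": 0, "unparsed": 0}
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            counts["unparsed"] += 1
            continue
        if (lo and entry["time"] < lo) or (hi and entry["time"] > hi):
            continue
        counts[classify(entry, post_prefix)] += 1
    return counts


def names_sharing_ip(comment_rows) -> dict:
    """Given (author, ip) rows from a WordPress comments table, return the IPs
    that appear under more than one author name (the moderator's check above)."""
    by_ip: dict = {}
    for name, ip in comment_rows:
        by_ip.setdefault(ip, set()).add(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```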

  75. That makes sense. I think a team with resources could do it, though TallBloke has more volume than I suspected, perhaps because of the bots.

    I just don’t see them doing something that failed two years ago. What would be in this new data that they could use? The posted comments and associated IP addresses, does not look like a feasible approach. If they could get it from that, that would mean they could have tracked down the hacker 2 years ago but didn’t due to lack of effort. I’m thinking something motivated a larger response effort with more resources, and now this might be something they are trying. Is this also part of the anti-terrorist task force? The Israeli assassination in Dubai and Hezbollah rounding up CIA and Mossad agents both were somewhat similar efforts.

  76. Nick Stokes has made comments on Judy Curry’s blog attacking her for using these emails. The bigger question I have: Is it OK to use the e-mails if you are trying to assist in catching the hackers, by providing data on posts, or theories on who it might be?

  77. MikeN–
    Time can be of the essence.
    They may be more prepared this time and have a somewhat pre-planned response. I think many people suspected that at some point, whoever got the first emails might pop up again. The DOJ letter to WordPress was dated Dec 4 and they were asking to freeze records from Nov. 21-23. That may be the amount of time it takes for lawyers to prepare a persuasive case for a search warrant after they identify where files pop up. (I don’t frankly know the time table.)

    During Climategate 1.0, I’m pretty sure the cops weren’t even called in until after all heck broke loose on the internet. If I recall correctly:
    1) People at CRU knew there was an issue. Sent emails around CRU. That there was an issue leaked out to people like… Mosher…. Were the cops called? No.

    2) Gavin knew there was an issue at RC. Were cops called? I think not.

    3) Comment with links to files were in moderation at Anthony’s dropped at McIntyres etc. Were cops called? No.

    4) Finally, comment with links to file at TAV. Were cops called? No. (Jeff was out hunting Bambi, he didn’t even know the file was there.)

    5) Mosher tells me link is at TAV. I download, read etc. I write post. But I think there were days between 1 and 5. Maybe even a week. And we don’t know when whoever got the files got them from CRU. Heck, by the time of (1), the logs at CRU might have been flushed. By the time of (4) server logs at RC might have been flushed. (Unless Gavin thought to save them. Did he? He might not have. )

    If the police aren’t given any heads up that anything happened until after most server logs start self erasing… then what?

    It’s certainly true the police may still find nothing this time around. But it’s not a foregone conclusion. And anyway, the fact that it might be difficult to trace this release doesn’t mean they shouldn’t look.

  78. If by ports you mean proxy servers, I can google and find this:
    http://www.proxy4free.com/

    edit– I used the one with the highest rating, entered my blog, and ZBblock doesn’t block it. (ZBblock would block proxies that have been taken over by spammers.)

  79. lucia, you say:

    5) Mosher tells me link is at TAV. I download, read etc. I write post. But I think there were days between 1 and 5. Maybe even a week. And we don’t know when whoever got the files got them from CRU. Heck, by the time of (1), the logs at CRU might have been flushed.

    If I remember right, this isn’t really true. As I recall, there was only a couple day window between the last e-mail and when the e-mails were released. This means if there were any logs of use at the time of the release (there may well not have been), they were almost certainly still in existence.

    By the way, the whole usage profiling idea brought up by MikeN is interesting. I’m relatively certain the police don’t have the skills, desire or resources to do it, but it is a possible approach. The idea isn’t that you would track down a specific person that way (though it is a remote possibility), but it can give you new information.

    Now then, to do it you need information to go off of. The fact someone has visited a certain number of sites doesn’t help you much. The less information you have, the more “false positives” you’ll generate. There are probably lots of people who have visited the same sites. You may be able to refine the search, say by looking for repeat viewers, but that requires you know (or assume) things about the person. In the same way, adding more data, say the logs from WUWT could be good, but if your analysis isn’t refined enough, it can just generate more possibilities.

    Also, there’s the distinct possibility the person who released the e-mails isn’t someone who comments on blogs. If they’re only a reader, rather than a commenter, it’s almost certain the logs won’t help find them.

    None of this really matters though. If the police really were trying to make usage profiles, they wouldn’t request only a couple days worth of logs. They’d need much more data than that. Given the scope of their “requests,” they’re only looking for that which is directly, or almost directly, tied to the person who released the e-mails.

  80. By the way, I cannot stress how much I advise against using “open ports.” They are proxies, but they are not operated by a web-site devoted to the provision of proxy services. Instead, they are machines which, for one reason or another, have an unsecured server you can exploit. Sometimes these are machines people leave open accidentally. Other times, they are machines someone has “cracked,” and is now using maliciously. Other times, they are machines being operated by an individual, group, or even government agency in order to gather information. This can be in the form of a “honeypot,” or something far more malicious.

    Open proxies only offer the illusion of privacy. They may hide your information from the resources you want access to, but they expose it, and all of your traffic, to another, unknown entity. They can be useful if you remain aware of the risks, but you should never trust them.

    I’ve heard stories (though I don’t know if they’re true) of people getting caught because the open proxies they used were run by the same groups they were trying to “crack.” I do know the FBI has caught a number of people involved in child pornography who thought using open proxies meant they were safe.

  81. Re: Carrick (Dec 15 14:53),
    Interesting, but misleading from the Tele. You’ll see that the text of the report does not support what you quoted. And neither does the ICO’s actual statement. It does make a dubious claim about emails on private computers being subject to FOI, which I don’t think he could sustain in court, but does not say that the use of gmail is criminal.

  82. “With WUWT the number of viewers is too high. I think even with ClimateAudit it is too high. Maybe even The Air Vent.”

    Nope – piece of cake. Given that I know the time I need to look for, I can quickly isolate the IP address(es) from all of the http logs in short order. I can quickly check for geographical similarities. I can do all of this from my living room. If necessary, I just find the owner of the IP space and find out where it is physically allocated. There are many more steps (with many fail points) in order to track the actual computer used, but they involve various levels of cooperation. The DoJ can get this cooperation (as you are witnessing) in the US and some foreign countries. Although this case appears to be a reciprocation.

    Brandon, before you come flying in, trust me, I have tracked down a specific switch (and got its MAC) in a Verizon data center in the middle of Massachusetts and identified the date and time (+/- 10 min) an upgrade was performed on the switch that severed their customers’ connectivity to my servers. I do not work for Verizon and am located nowhere near MA. The traffic routed over 30 hops, but they had some compelling reasons to cooperate – and that is key (not a problem for the DoJ).

    I have also tracked suspicious access to my servers down to specific hotels on specific dates and times in various cities in the U.S to a single user (eventually identified) over the course of one year. This was done via specific patterns of activity. The key here was the pattern of activity – it did not change.

    This falls apart if the IPs run through unfriendly locales or strong anonymizers.

  83. By the way – all of the above I stated above is not enough to convict a ham sandwich. You would still need to determine the person actually using the device, then show how they got the files, etc etc. All we get from the above trail is the device, or a set of candidate devices used and from where they were used.

  84. Nick, here’s the first sentence:

    The Information Commissioner’s Office (ICO) has today published new guidance making it clear that information concerning official business held in private email accounts is subject to the Freedom of Information Act.

    This is ambiguous?

    I think the gist of what the Telegraph said is a correct reading of the new guidance. That said, I’m not a lawyer, you’re not a lawyer, I think what people are doing to try and bypass their accountability to the public is irresponsible and unethical, but if you find it to be of the highest ethical and legal standards, and something that should inspire greater trust by the public, so be it.

  85. Kan, I’m at a loss as regards to what you just said to me. I don’t know what would make you think I would “come flying in,” but if you hadn’t specifically addressed me, I’d have never said anything about your latest comment.

    As for what you did say to me, why did you say any of that? I have never disputed the fact one can track down network devices and their MACs. Indeed, I specifically acknowledged that can be done. The only dispute over that issue was whether or not the subject was applicable to what was being discussed, or if it was even what you had actually said. I explained why I interpreted your comment the way I did (and why I don’t think it was possible to interpret it the way you say it was meant), and you’ve never claimed my explanation was unreasonable.

    I’m at a loss as to why you would now obliquely refer to that dispute without having addressed anything I said, acting as though somehow you are arguing against what I have said or would say. You seem intent on arguing against something I’ve never said while avoiding discussing what I’ve actually said.

    I’m fine with you not discussing what I say, but would you please try not to preemptively argue against things I have no intention of saying?

  86. Carrick, what the Tele headlined, and what you quoted, was:
    “Civil servants have been warned that using private email accounts for official business in an effort to dodge Freedom of Information Act requests is a criminal offence.”
    And there’s no basis for that in what the ICO said.

  87. Brandon,

    From #87239

    “MAC addresses are for local networks.”

    and then

    “Why would WordPress care about the MAC address of the people hosting blogs with their software (visitors could not have their MAC addresses found)?”

    Did I mis-interpret the parenthetical from #87239?

    My point is visitors can have their MAC found outside of the LAN. However, to get there you may need to start with local MAC addresses of internal devices – which is why I implied that WP, the company, may pass that along.

    I missed your acknowledgement of this point before #87364.

    By the way, the statement “MAC addresses are for local networks.” is not strictly true. There is a reason this must be a globally unique identifier.

  88. It’s a globally unique identifier so you don’t end up with identical MAC addresses on the same network. TCP/IP does send MAC addresses, in the ‘Link Layer’ I believe, but the IP packets do not. Are you saying that WordPress software, or the hardware running this software is receiving MAC addresses of blog visitors or posters?

    Kan for tracking down a user, I am assuming that the IP address of the actual postings will be a dead end because of anonymizers. I assume this because if not I would have expected a tracing two years ago. So now you don’t know the time you need to look for.

    My theory would be if some of these sites are low enough volume, AND the hacker looked at the sites at a time when he did not post, AND the hacker looked at these sites from a traceable IP address, then this could be tracked if they had the manpower and skills to do it. Then again looking at TallBloke’s warrant it appears to be a fishing expedition like Ken Cuccinelli asking for Mann’s emails.

  89. Kan, you say:

    My point is visitors can have their MAC found outside of the LAN. However, to get there you may need to start with local MAC addresses of internal devices – which is why I implied that WP, the company may pass that along.

    The only way their MAC address can be found from outside the LAN is if the person outside of the LAN gains access to resources inside the LAN. At the point you’re accessing that LAN, it hardly qualifies as finding the MAC address “outside of the LAN.”

    The point was lucia’s comment was about a user’s MAC address. That is not something transmitted over the internet, so it is not something which could be logged. The only MAC addresses which could have been logged are ones she wasn’t talking about.

    Put simply, MAC addresses are not transmitted outside of the network the devices are on. The only way visitors can have their MAC found outside of their LAN is if somebody gains access (physically or remotely) to their LAN. That should basically never happen for the average user.

    By the way, the statement “MAC addresses are for local networks.” is not strictly true. There is a reason this must be a globally unique identifier.

    It doesn’t have to be a globally unique identifier. In fact, I can list a dozen devices with the exact same MAC address, all on different LANs, all of which connect to the internet. For that matter, my laptop currently has the same MAC address as an ex-neighbor’s computer has. There’s absolutely no problem with that.

  90. MikeN,

    It’s a globally unique identifier so you don’t end up with identical MAC addresses on the same network.

    Which, of course, makes it not “globally unique.”

    TCP/IP does send MAC addresses, in the ‘Link Layer’ I believe, but the IP packets do not.

    TCP/IP doesn’t send MAC addresses. What happens is TCP/IP networks maintain Address Resolution Protocol (ARP) tables which list MAC addresses and their corresponding IP addresses. If you need to find out the MAC address of a device, you can query the ARP table with the IP address to find it (the reverse can be done as well).

    Are you saying that WordPress software, or the hardware running this software is receiving MAC addresses of blog visitors or posters?

    The only way this could happen is if WordPress was grabbing system information off your computer, which it doesn’t do.

    Kan for tracking down a user, I am assuming that the IP address of the actual postings will be a dead end because of anonymizers. I assume this because if not I would have expected a tracing two years ago. So now you don’t know the time you need to look for.

    It could also just be that the IP address used wasn’t a privately leased address. If someone used the internet from an internet cafe, or just the wireless network at a Starbucks, it could be untraceable.

    My theory would be if some of these sites are low enough volume, AND the hacker looked at the sites at a time when he did not post, AND the hacker looked at these sites from a traceable IP address, then this could be tracked if they had the manpower and skills to do it.

    This is “possible,” but not feasible given how many people visit the sites. At best, they’d probably get a list of “potential” candidates. Even then, there’s no saying the person who released the e-mails visits those sites regularly, or all at the same time, so it’s hard to imagine such a process working. It certainly wouldn’t work if they only got a couple days worth of logs.

  91. The timeline goes like this.

    Last mail is on friday nov 13th
    Nov 17th the link hits WUWT
    charles calls me at 735 pm.
    I get home. the virus scan completes around 9. I get a CD from charles. I copy it to my HD.
    The rest of tues night and all through thurs is spent with me
    reading mails and skyping with MAC.
    Thursday morning I get news from Mc about the paul dennis mail.

    That mail tells me
    1. they are real
    2. the files are “out there” at other places

    So, I inform charles that my promise to keep the mails secret till
    Anthony touches down on US soil, is moot because we no longer
    have exclusive access. Charles finds the link on Tav.
    I see the link, send jeff id a msg. and start posting on Lucia
    and CA. I call tom, we go to the movies (2012), Jeff Id calls
    me, we chat. I watch the movie, and then come home.

    pretty beat cause I had been up reading mails since tues night.

  92. From Leo <free speech for me but no comment for thee> Hickman at the U.K. Guardian circa Dec. 15/11:

    During an interview with the Guardian last week before the seizing of his computers, Tattersall said that he had been questioned by Norfolk police “some two months” after the initial breach in 2009, but had heard nothing since. A number of climate scientists and bloggers are known to have been questioned by the police

    Source: http://www.guardian.co.uk/environment/2011/dec/15/hacked-climate-emails-police-west-yorkshire?INTCMP=SRCH

    Tallbloke has indicated in a comment at CA that he was told by one of the non-suspicious/non-suspecting six of Norfolk’s finest that the U.S. DoJ involvement (i.e.Dec. 9 letter to WordPress fwded to Tallbloke circa Dec. 13, so we don’t really know when WP might have received it) was at their request, rather than vice versa.

    Setting aside the fact that my cursory search at the Guardian for Hickman’s alleged “last week before the seizing” interview [with Tallbloke] turned up zilch, there are some (no doubt purely coincidental) parallels that one might want to consider regarding the timing of certain Guardian articles and subsequent Norfolk police interviews – and interventions – with some of those of the non-alarmist persuasion.

    Consider the fact that Charles the Moderator (aka ctm of WUWT fame) was not contacted by the Norfolk plods until Feb. 25/10 – long after CG1 – and three weeks after his name was mentioned in a Feb. 4/10 article in …wait for it … The Guardian!

    Consider also that the raid at Tallbloke’s followed (albeit somewhat more closely) on the heels of an “interview” at The Guardian.

    No, I’m not accusing anyone of anything. But nor am I inclined to trust the word of any Guardian journalist.

    Not to mention that the timing of this raid (on the heels of the Durban delusion) might be considered by some to be a “pressworthy” distraction from the obvious failure at Durban – about which I have little doubt that the media hand-maidens of Big Green would much prefer that the peons be as ill-informed as they can possibly “churn”.

    But – considering that this story has made it past the barricades of the BBC and [Canada’s equivalent] CBC, I do like the irony perhaps best summarized by Ben Pile (of Climate Resistance) in a recent tweet:

    “Wow. It’s those saying that there’s nothing in and those seeking to find the culprit who are making #climategate a story. Well done!”

  93. The timeline goes like this.

    Last mail is on friday nov 13th
    Nov 17th the link hits WUWT

    My post is Nov 19. So, not accounting for time zones of stamps, there are roughly 6 days between the last email and the first post. My impression is the police were not brought in until after stuff hit the blogs– and even then not immediately. (Gavin might know more. Guys at CRU might know more. But I have this impression.)

    We don’t know how long any web administrator at CRU keeps server logs or other things. It may well be haphazard. But they tend to be large and I suspect often people have a default cron of some sort to get rid of these things. On my hosting service, it appears server-logs for individual accounts are kept roughly 5 days. If my memory is correct, then many traces were already swept away before the police had the slightest clue there was something to investigate. Also, people at CRU seem to have done some sort of self investigation sometime during the 6 days between when the emails were compiled and when I wrote my first post. BUT that doesn’t mean they knew what to save. (The correct answer is likely: almost everything.)

    Plus, at that time, the Norfolk police probably were ill prepared to deal with computer forensics. So, they may not have known the correct steps to take.

  94. MikeN

    Kan for tracking down a user, I am assuming that the IP address of the actual postings will be a dead end because of anonymizers. I assume this because if not I would have expected a tracing two years ago. So now you don’t know the time you need to look for.

    I assume an investigator who hopes to find FOIA.org will tend to assume the user intended to use an anonymous IP. That doesn’t mean he will necessarily have succeeded. Read what Brandon wrote about people using what they thought were anonymizers and failing.

    You should also not take someone successfully using an anonymizer in one instance as proving they know how to do this in a way that will fully work every single time. But if they do something multiple times, they may slip up in some instances and not others. You don’t know how likely slip ups are because you don’t know what they did. (That is: unless you are the leaker/hacker, you don’t know. And your comments certainly don’t exhibit a level of understanding about server-logs or computers in general that would make me trust you enough if in some movie plot, I wanted to hire a cracker!)

    Also, you are discounting the possible importance of the lapse of time between the period when the emails were obtained and when the police were brought in last time.

  95. The timeline goes like this.

    Last mail is on friday nov 13th
    Nov 17th the link hits WUWT
    charles calls me at 735 pm.
    I get home. the virus scan completes around 9. I get a CD from charles. I copy it to my HD.
    The rest of tues night and all through thurs is spent with me
    reading mails and skyping with MAC.
    Thursday morning I get news from Mc about the paul dennis mail.

    That mail tells me
    1. they are real
    2. the files are “out there” at other places

    So, I inform charles that my promise to keep the mails secret till
    Anthony touches down on US soil, is moot because we no longer
    have exclusive access. Charles finds the link on Tav.
    I see the link, send jeff id a msg. and start posting on Lucia
    and CA. I call tom, we go to the movies (2012), Jeff Id calls
    me, we chat. I watch the movie, and then come home.

    pretty beat cause I had been up reading mails since tues night.

    This just proves how bad Mosh is. He actually gave money to the makers of the awful 2012. Shame.

  96. Lucia #28283
    The legitimate question would be to determine whether they had reason to believe a particular spot was a good fishing hole, or whether they just chose that spot because they thought it would be a nice place to take their canoe, pull out some beers and sun themselves while pretending to be trying to catch something worth catching.

    I expect this question would be asked by a judge when police request a warrant. My impression is they need a warrant to view the files they requested WP freeze. It seems UK cops had a warrant to take Tallbloke’s computers. I don’t know if the judicial proceeding where UK cops requested a warrant is public domain.

    I’m asking my legal counsel to request ‘the information’ from Norfolk Police which should tell me the grounds on which the warrant was granted by the court. Watch this space.

  97. Brandon,
    Please refer to IEEE STD 802-2001 Section 9 on Universal MAC addresses.

    Section 9.2.1 specifically states “The concept of universal addressing is based on the idea that all potential members of a network need to have a unique identifier (if they are going to co-exist in the network). The advantage of a universal address is that a station with such an address can be attached to any LAN in the world with assurance that the address is unique”.

    You say your ex-neighbor and you both had the same MAC address. If you truly had identical 48-bit MAC addresses then you purchased your NIC from a non IEEE 802-2001 compliant manufacturer.

  98. Clivere– So a backup server was taken 11 days after the time stamp of the final file in the climategate 1.0 set (Nov 24 and Nov 13 respectively). The freeze order is for Nov 21-23, and the USDOJ letter is dated Dec. 4. I count 13 days between the event and the letter. We don’t know when WP froze the files for the 3 blogs.

    Tallbloke’s computers were taken Nov 14 or thereabouts– depends on time zones. I’d speculate that the Norfolk constabulary waited until they had notice that Tallbloke’s WP account files were frozen before giving him a visit. The justification would be that if they visited before the WP files were frozen, there was a risk Tallbloke — or someone– might visit his WP blog and modify content from Nov. 21-23. So, my guess– and it’s a guess– is that WP finished freezing files shortly before the police visited Tallbloke on Dec. 14. So… I’d guess the process of freezing files was complete by Dec 12 to the 14.

    If I were the cops, I’d be hoping to find something collected by…. WordPress Stats… more in a moment!

  99. They probably already have the evidence from wordpress and the university. This must be just the last wrap up evidence they need for the real suspect/hero to be revealed. This is a no brainer.

  100. Lucia – please make sure you are distinguishing WP requests for 2011 data ie CG2 from CG1 events in 2009! Otherwise your November timeline could run into minor difficulties!

  101. Just to follow up on Brandon’s comments, MAC addresses don’t have to be associated with real hardware, they can be associated with virtual devices, which typically generate their own locally (supposedly unique) MAC address. It’s possible to get the software confused by moving the machine or switching the network it was on, in which case you can end up with identical MAC addresses, especially if multiple systems are running the same virtual device software.

    I think people are thinking of MAC addresses associated with commercial hardware devices, which are supposed to be globally unique.

    The lay-out of this, for a 48-bit MAC address, is the first 24 bits are the vendor ID (vendors can have more than one of these), and the next 24 bits the individual MAC device. And unless the vendor screws up, these will all be unique.

    (Note these MAC addresses are commonly stored in NVRAM, so it is possible for the user to run a program to change the MAC ID of the devices on their computer, so even then, the uniqueness of the MAC address is not guaranteed.)

    The list of vendor ids is maintained by the IEEE Standards Association, and a current copy of the vendor list can be found here (warning it’s big).

    To give an idea of the usage, on a MAC I can run:

    arp -a

    and get the following list of devices on my local network

    arp -a
    ? (192.168.0.1) at 5c:d9:98:XX:XX:XX on en1 ifscope [ethernet]
    ? (192.168.0.100) at 0:1e:8f:XX:XX:XX on en1 ifscope [ethernet]
    ? (192.168.0.101) at c4:3d:c7:XX:XX:XX on en1 ifscope [ethernet]
    ? (192.168.0.102) at c4:3d:c7:XX:XX:XX on en1 ifscope [ethernet]
    ? (192.168.0.103) at 60:33:4b:XX:XX:XX on en1 ifscope [ethernet]
    ? (192.168.0.104) at 0:1b:63:XX:XX:XX on en1 ifscope [ethernet]

    (I didn’t see any reason to give the device numbers for the mac addresses.)

    Searching through the copy of oui.txt I just downloaded I find:

    egrep -i '5cd998|001e8f|c43dc7|60334b|001b63' /tmp/oui.txt
    001B63 (base 16) Apple Computer Inc.
    001E8F (base 16) CANON INC.
    5CD998 (base 16) D-Link Corporation
    60334B (base 16) Apple, Inc.
    C43DC7 (base 16) NETGEAR

    Since I obviously can’t cover everything in this comment read the wiki
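    As an added example (not part of the comment above or any commenter’s code), the same ARP-to-vendor lookup done in Python: it parses macOS-style `arp -a` lines, pads the leading zeros the command drops (e.g. `0:1e:8f`), looks up the 24-bit OUI in a constructed excerpt in oui.txt’s “(base 16)” format, and also checks the two IEEE flag bits of the first octet (bit 0 = group/multicast, bit 1 = locally administered), since a set locally-administered bit is what a virtual NIC or a user-changed address typically shows. The ARP lines and the device halves of the addresses are constructed.

```python
"""Parse `arp -a` output, normalise MACs, resolve the OUI to a vendor and flag
locally administered addresses and duplicate MACs on the segment.

Added example. OUI_TXT is a constructed excerpt in the IEEE oui.txt
"(base 16)" line format, not a download; ARP_OUTPUT is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt in the IEEE oui.txt "(base 16)" line format.
OUI_TXT = """\
001B63     (base 16)\t\tApple Computer Inc.
001E8F     (base 16)\t\tCANON INC.
5CD998     (base 16)\t\tD-Link Corporation
60334B     (base 16)\t\tApple, Inc.
C43DC7     (base 16)\t\tNETGEAR
"""

# Constructed macOS-style `arp -a` lines. Device halves are made up; the
# last two entries have the locally-administered bit (0x02) set in octet 1.
ARP_OUTPUT = """\
? (192.168.0.1) at 5c:d9:98:11:22:33 on en1 ifscope [ethernet]
? (192.168.0.100) at 0:1e:8f:44:55:66 on en1 ifscope [ethernet]
? (192.168.0.101) at c4:3d:c7:77:88:99 on en1 ifscope [ethernet]
? (192.168.0.102) at c4:3d:c7:77:88:99 on en1 ifscope [ethernet]
? (192.168.0.103) at 60:33:4b:aa:bb:cc on en1 ifscope [ethernet]
? (192.168.0.104) at 0:1b:63:dd:ee:ff on en1 ifscope [ethernet]
? (192.168.0.105) at 2:ab:cd:ef:01:23 on en1 ifscope [ethernet]
? (192.168.0.106) at 6e:0f:9c:12:34:56 on en1 ifscope [ethernet]
"""

ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]+) on (?P<iface>\S+)"
)
OUI_LINE = re.compile(r"^([0-9A-Fa-f]{6})\s+\(base 16\)\s+(.+?)\s*$")


@dataclass
class ArpEntry:
    ip: str
    mac: str                    # normalised "xx:xx:xx:xx:xx:xx"
    iface: str
    oui: str                    # upper-case 6 hex digits, no separators
    vendor: Optional[str]       # None when the OUI is not in the table
    locally_administered: bool  # U/L bit (bit 1 of the first octet)
    multicast: bool             # I/G bit (bit 0 of the first octet)


def parse_oui_table(text: str) -> Dict[str, str]:
    """Build {OUI: vendor} from the '(base 16)' lines of an oui.txt file."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = OUI_LINE.match(line)
        if m:
            table[m.group(1).upper()] = m.group(2)
    return table


def normalise_mac(mac: str) -> str:
    """Pad each octet to two hex digits and lower-case it; reject malformed input."""
    parts = mac.split(":")
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-fA-F]{1,2}", p) for p in parts):
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ":".join(p.lower().zfill(2) for p in parts)


def classify_mac(mac: str, table: Dict[str, str]) -> ArpEntry:
    """Resolve OUI/vendor and decode the IEEE flag bits; ip/iface filled by caller."""
    norm = normalise_mac(mac)
    first_octet = int(norm[:2], 16)
    oui = norm[:8].replace(":", "").upper()
    return ArpEntry(
        ip="", mac=norm, iface="", oui=oui, vendor=table.get(oui),
        locally_administered=bool(first_octet & 0x02),
        multicast=bool(first_octet & 0x01),
    )


def parse_arp(text: str, table: Dict[str, str]) -> List[ArpEntry]:
    """Parse `arp -a` output; lines without a MAC (e.g. '(incomplete)') are skipped."""
    entries: List[ArpEntry] = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue
        e = classify_mac(m.group("mac"), table)
        e.ip, e.iface = m.group("ip"), m.group("iface")
        entries.append(e)
    return entries


def find_duplicate_macs(entries: List[ArpEntry]) -> Dict[str, List[str]]:
    """Return {mac: [ips]} for MACs that answer for more than one IP on the segment."""
    seen: Dict[str, List[str]] = {}
    for e in entries:
        seen.setdefault(e.mac, []).append(e.ip)
    return {mac: ips for mac, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    tbl = parse_oui_table(OUI_TXT)
    for e in parse_arp(ARP_OUTPUT, tbl):
        flag = " (locally administered)" if e.locally_administered else ""
        print(f"{e.ip:15} {e.mac}  {e.vendor or 'unknown OUI'}{flag}")
    print("duplicates:", find_duplicate_macs(parse_arp(ARP_OUTPUT, tbl)))
```

    A duplicate MAC answering for two IPs, as the example’s constructed .101/.102 pair shows, is the symptom behind the “two switches with the same address” story later in the thread, and the locally-administered flag is the cheap first check before trusting a vendor lookup.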

  102. I dunno, if the guy was actually a hacker (not an insider with some sort of access) then I’d have a hard time believing he wouldn’t know how to use a proper anonymizer, avoid obvious log trail (like log in anonymously somewhere right between two sessions as himself, recharge his Starbucks card and then proceed to do naughty activities from the same connection, etc.) You never know, of course.

  103. Nick:

    And there’s no basis for that in what the ICO said.

    I very well would imagine the Telegraph called the ICO and got an explanation of the motive for the new guidance. That would be a basis for making the assertion, and it would have been something “the ICO said”.

    You could always write the Telegraph and ask them on what basis they made this remark. If it’s wrong, I’m sure they’ll print a retraction.

  104. Boris

    Tom paid.

    2012 sucked. except the part where the scientist admitted his model was wrong. I burst out laughing. nobody got it. Of all the unrealistic things in the film, that was the most unbelievable.

  105. Re: Steven Mosher (Comment #87401)

    2012 sucked. except the part where the scientist admitted his model was wrong. I burst out laughing.

    That happened during “The Day After Tomorrow” too (more or less).

  106. Steven Mosher–
    You mean his admitting the model was wrong in the face of obvious irrefutable contrary evidence was unbelievable, right?

  107. Kan, you seem uninterested in resolving some of our outstanding issues, and I guess that’s fine. However, you now create a new one when you say:

    You say your ex-neighbor and you both had the same MAC address. If you truly had identical 48-bit MAC addresses then you purchased your NIC from a non IEEE 802-2001 compliant manufacture.

    This couldn’t be farther from the truth. The reason my ex-neighbor and I had the same MAC address is because I changed my MAC address to match his (done to bypass MAC filtering). I did this as part of a demonstration to him of how his wireless network wasn’t truly secure. Since I didn’t intend to ever get on his network again, I saw no reason to change my MAC address to something else afterward. This possibility is mentioned by Carrick who says:

    (Note these MAC addresses are commonly stored in NVRAM, so it is possible for the user to run a program to change the MAC ID of the devices on their computer, so even then, the uniqueness of the MAC address is not guaranteed.)

    The only thing I would change about his comment is in many cases, you don’t have to “run a program” to change the MAC address of a device. It is often even easier than that. For example, you can easily change the MAC address of a machine which runs the newer versions of (perhaps the older ones too?) Windows from a menu.

    Long story short: MAC addresses are not transmitted as part of internet traffic, and as such, there is no need for them to be universally unique.

  108. Brandon:

    For example, you can easily change the MAC address of a machine which runs the newer versions of (perhaps the older ones too?) Windows from a menu.

    That is technically an example of “running a program”. 😉

    I admit I was being carefully vague in the details.

    I can think of (legal) applications where you actually would want to change the MAC address of your machine. One example is software that was licensed to an older computer. If you change the MAC address for your new system to match the ethernet for the system you are retiring, you can just copy the software to the new system and it will run.

    About as much as I want to say because I don’t encourage or enable piracy.

  109. TallBloke, if I were you I would reinstall everything on the hard drive, to avoid any keyloggers or viruses that may have been installed.

  110. Another example of changing MAC addresses is that most routers will have a clone MAC address feature. Comcast used to require registering every MAC address that connected to their network.

  111. Re: Carrick (Dec 16 11:37),
    Carrick, it’s a remarkable assertion. If the ICO means it, it’s a surprising omission from a statement meant to alert users to his view of off-site computer usage. And there’s no such offence in the actual law.

    And it’s not mentioned in the text of the report, which was actually written by the reporter. I think it is headliner’s imagination.

  112. Carrick:

    That is technically an example of “running a program”. 😉

    Aye, and I figured you were being vague on purpose. I just wanted to add that note so people wouldn’t get the impression changing a MAC address is remotely difficult. You don’t need any special software or knowledge (in most cases).

    I can think of (legal) applications where you actually would want to change the MAC address of your machine. One example is software that was licensed to an older computer. If you change the MAC address for your new system to match the ethernet for the system you are retiring, you can just copy the software to the new system and it will run.

    I’ve actually seen a case where the MAC address of a switch had to be manually changed because a switch, new from cisco (back then, it was still lower case), had the same MAC address as a switch on the network (which was also using its default MAC). It caused some strange problems on the network before the issue was tracked down. Nobody thought about checking the MAC addresses at first because they’re supposed to be “unique.”

  113. MikeN – I just saw this:

    “Are you saying that WordPress software, or the hardware running this software is receiving MAC addresses of blog visitors or posters?”

    No, I am not saying that WP software or the company can get the MAC address of a remote TCP/IP client when it makes a connection.

    I am saying that if I need to track down an issue with a remote TCP/IP based connection that I may need to know the MAC addresses within my network to trace the traffic back to the client. One reason, is I need to discover the actual path the particular traffic went, all the way through the edge devices, in order to determine which ISP the traffic actually traveled on.

    What I said (and it got confused) to Lucia was that it was possible that WP the company had the low level system logs that would have this information, and could provide them to the DoJ. However, it is unlikely that WP has them as these logs get really, really large.

  114. “It caused some strange problems on the network before the issue was tracked down. Nobody thought about checking the MAC addresses at first because they’re supposed to be “unique.”

    Brandon, now you are making me laugh – in a good way. You went through all of the logic hoops to prove that the MAC did not need to be globally or universally unique, and then tell an IT war story of what happens when it isn’t! That, sir, is humorous.

  115. Kan, I greatly disagree with the description you give:

    Brandon, now you are making me laugh – in a good way. You went through all of the logic hoops to prove that the MAC did not need to be globally or universally unique, and then tell an IT war story of what happens when it isn’t! That, sir, is humorous.

    The example I provided says next to nothing about what happens when MAC addresses are not globally/universally unique. Had the second switch been sent to any company in the world aside from the one it was sent to, there would have been no problem.

    All this shows is what happens when a company sells a product which doesn’t meet its own standards (similar to shipping a defective product). cisco claimed its MAC addresses were unique. The problem was that wasn’t true.

    cisco could have shipped every switch they sold with the same MAC address, and this problem wouldn’t have happened. If they did that, the switch’s MAC address would have been changed when it was installed. Heck, if cisco had just said their addresses may or may not be unique, people would have known to check, and this wouldn’t have happened.

    That a defect in a product can cause certain problems doesn’t tell you much about those problems in general.

  116. Supposedly, they used to get the MAC addresses by using the serial numbers on dollar bills, and then burned the dollar bill.

  117. MikeN, I’ve heard that quite a few times, but usually not with the bills burned. After all, why burn a bill when you could just keep it until after the device is out of use? You can even trade the bill into a bank if you know it will be destroyed due to age.

    Of course, burning a one dollar bill wouldn’t hurt much, so some people may have done it. Others may have been willing to, but decided against it since it would be a crime (or for other reasons).

  118. Steven mosher, what was it that led you to think this leak was coming? Was it the comments from Frank at ClimateAudit asking RC to contact him?

  119. MikeN – I had a look for that but have not seen anything at Franks site. The guy has a screw loose with his inactivist rants but he is maintaining a nice collection of IT related details on CG1 and CG2 so I do keep an eye on what he posts

    http://inactivism.tk/

  120. MikeN:

    Supposedly, they used to get the MAC addresses by using the serial numbers on dollar bills, and then burned the dollar bill.

    Probably just an urban legend. The top 24-bits are vendor registered bits, and it isn’t that big of a deal to just use the lower 24-bits as a counter.

    It’s possible in the story Brandon related, some clever person at his company reset the MAC address of the new router to the old one while configuring it for use.

  121. MikeN

    Yes. Frank asked RC “what do you want” and he asked RC to contact him.

    for 2 years RC was silent while we blathered on with every stupid theory known to man. crickets.

    Then he makes a comment at CA.

    That comment told me something. call it a hunch

    when frank came to CA and started poking about I went poking about at franks.

    Seemed clear a second release was coming.

  122. So what prompted Frank’s posts at ClimateAudit, the post by RC? It seemed bizarre at the time, but now so obvious.

    Do people think that was a legit RC post?

  123. So the timeline is?
    McIntyre and others theorize that FOIA made a deal with UEA not to release more emails.
    A post by RC appears at ClimateAudit, saying no deal made.
    Frank sees this and restarts his blog.
    Frank decides more emails are going to be released, and posts on a different thread some time later for RC/FOIA to contact him.
    I and others consider Frank to be stupid to think that FOIA would contact him.
    Steve Mosher decides based on this that something is up and more emails are coming.

  124. Carrick:

    Probably just an urban legend. The top 24 bits are vendor registered bits, and it isn’t that big of a deal to just use the lower 24 bits as a counter.

    I doubt it is just an urban legend. The reason this sort of thing was supposedly done is that originally there wasn’t some standardized system for assigning MAC addresses. People had to manually pick them.

    It’s possible in the story Brandon related, some clever person at his company reset the MAC address of the new router to the old one while configuring it for use.

    That is a possibility, though I find it unlikely. There were only a handful of people who did work on the network, and it isn’t like someone could accidentally reassign a MAC address on a switch. Well, maybe someone could be dumb enough to have done that, but (I hope) not any of the people there. It’d be a real trick to manage to reassign a MAC address on a Cisco switch by accident, much less assign the exact same one as a pre-existing switch.

    Of course, someone could have done it on purpose, but I’m at a loss as to why they would have.

  125. MikeN, Frank doesn’t see it until much later. The post was August 18th and Frank went to restart his blog on Nov 5th. So Willard is partially right and missed the biggest clue.

    So when Frank came around asking to speak to RC it made no sense to me. Especially his question about “what do you want.” That made me think… maybe RC has contacted him (a wrong supposition, IF we trust Frank’s explanation for restarting his blog). Then I considered the calendar, and it seemed to make sense that another release would come out. Plus I knew he was sitting on the whole shebang (again, that’s open knowledge if you know where to look). There were a couple other things…

  126. MikeN

    Yes, it seemed bizarre at the time. RC’s post was almost 3 months prior. So I assumed that he had contacted Frank and Frank was coming to CA to find him. That led back to Frank’s place where other leads appear. Those leads led to other places, and still other places, bits and pieces and getting inside his head… lucky guess. Mostly getting inside his head. Interesting that this time he redacted personal bits. That shows either fear or compassion or both. In for a penny, however. If he is caught the rest of the mails come out. They have to know that.

  127. Mosher/MikeN/Willard—
    I don’t understand what comment by Frank was at RC or CA. Could you elaborate? I don’t think I even know where to look to figure out the context.

  128. Lucia.

    RC = FOIA

    He uses that when he comments at CA.

    He commented in August.

    In Nov Frank showed up asking to speak to RC and asked
    ‘what do you want’

    I assumed that RC had contacted Frank.

    That led me to Frank’s blog, where I found some things that led to other things. And then thinking about the dates, and RC’s comment in August, I surmised he would release again.

  129. MikeN – JeanS did make a couple of posts at BH about it including the following.

    http://bishophill.squarespace.com/blog/2011/8/19/has-the-climategate-hacker-just-spoken.html#comments

    “The e-mail address given with the comment is different from the address given in the original “A miracle just happened” -comment. AFAIK the latter has never been publicly disclosed, so that would have been an easy way to demonstrate that the comment is real. So deadend also in this direction.”

    BTW, JeanS’s AFAIK is completely wrong because Steve McIntyre had previously published the email address used by RC in 2009.

  130. Brandon, are you sure the MAC address can’t be changed via the configuration file on your Cisco router? If so, it would be pretty easy to accidentally overwrite the original MAC address (copy and edit the config file from the original router, leaving in the MAC address by accident.)

    I’ve never seen the claim about using serial numbers from dollar bills before. Perhaps if it is true, you can substantiate it? (How would that even work? There are 8 digits in the serial numbers, base 10, but 48-bits in a MAC address. Seems odd.)

  131. Carrick:

    Brandon, are you sure the MAC address can’t be changed via the configuration file on your Cisco router? If so, it would be pretty easy to accidentally overwrite the original MAC address (copy and edit the config file from the original router, leaving in the MAC address by accident.)

    Cisco switches don’t really use “configuration files” in the way you are thinking. Whenever you want to modify the “configuration file,” you type a command which tells the switch which part of the file you want to modify. You also type what you want to change the modified values to. For example, you might type (this is pseudo code, not the real command):

    change mac to 01-23-45-67-89-AB

    As you can imagine, it is extremely unlikely you would change the MAC address of a device to be the same as another device unintentionally. Having to type out the new address makes it nearly impossible to do by mistake.

    With that said, it is possible to transfer the configuration file of one switch to another. You rarely do so (as most switches should be configured with different addresses), but it is not impossible. It’s quite easy to do, but it does require you store the configuration file on another machine (presumably your computer). Again, this requires you copy the configuration from a switch then upload it to another switch, not something you could reasonably do by mistake (at least, not if you have any idea what you are doing).

    I can’t rule out the possibility of someone inadvertently changing the MAC address of the switch in question (much less intentionally doing so), but I do find it incredibly unlikely. The way Cisco devices are configured is simply not set up in such a way as to make that practical or likely.

    I’ve never seen the claim about using serial numbers from dollar bills before. Perhaps if it is true, you can substantiate it? (How would that even work? There are 8 digits in the serial numbers, base 10, but 48-bits in a MAC address. Seems odd.)

    It is true there are 48 bits in a MAC address, but bits are not in base 10 (they are in base 2). Once you convert bits to a higher base, you get a much shorter string. Specifically, if you convert a MAC address into a hex base string, you wind up with a 12 character string.

    Now then, a dollar bill’s serial number is actually ten characters long, not eight. There are eight numerical digits, but there is also a prefix and suffix. The prefix lists which federal bank the bill was printed for (it is an alphabetical character, but only 12 letters are used). The suffix lists which “run” that bill belongs to, ranging from A-Z (excluding ‘O’ due to its similarity to ‘0’). This means there are technically 10 digits, though one of them is not strictly a hexadecimal numeral.

    Whether you used 8 or 10 (with some conversion for the suffix) digits, it would be quite easy to use a padding scheme to fill in the remaining digits. For example, if you just wanted to use the eight digits from a dollar bill, you could start the 12 digit hexadecimal string with “00-00.”

    Now then, if I remember correctly, each “run” could actually have as many as 32 bills printed for it. This means even if you included the prefix and suffix, there could be as many as 32 bills using the same string as your MAC address. If you did not include the suffix, it could be as many as ~800. If you also did not include the prefix, it could be something like ~10,000.

    Given this information, using dollar bills to generate MAC addresses is obviously less desirable. However, many people are not aware of the details which go into the serial numbers of bills (and I could be misremembering them), so it is quite possible people used such a system without knowing its downsides.

    As for substantiation, I’m not sure if I can find any. Google only turns up anecdotal evidence, so I am rather limited. However, I do know some people who were involved in computer networking in those times, so I’ll ask around and see what they have to say on the subject.

  132. It occurs to me you could convert both the prefix and suffix of a dollar bill’s serial number to hexadecimal, and thus get a 12 character string (which is what MAC addresses are normally stored as). It seems a little odd to me as I know the prefix can only be one of 12 characters, and thus it could be stored in one hexadecimal digit, but I can see how people who didn’t realize (or didn’t care about) such would choose to convert it to a hexadecimal pair.

    In that case, the first two digits of a MAC address would be the prefix. The next eight would be the serial number. The last two would be the suffix. This would give you an easy schema for creating MAC addresses with dollar bills without needing to use any padding.

    Of course, it would still leave open the possibility of duplicates as I mentioned above, but few people would even know about that possibility (assuming I’m even right about multiple serial numbers being able to be used per run).
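
The serial-to-MAC layout sketched in comments 131 and 132 (prefix byte, eight serial digits, suffix byte) together with the vendor-OUI / counter split from comment 120, written out as an added Python example; this is not code from the thread or from any of its participants. The thread never says how the letters become bytes, so the encoding used here (prefix A..L → 1..12, suffix A..Z without O → 1..25, each as one byte) is my assumption, and the serial numbers in the sample run are constructed, not real bills.

```python
import re
from collections import Counter
from dataclasses import dataclass

# ASSUMED encoding (the thread leaves it unspecified): the 12 possible prefix
# letters map to bytes 0x01..0x0C, the 25 possible suffix letters (A-Z minus O)
# map to bytes 0x01..0x19, and the eight decimal digits are used unchanged,
# since 0-9 are already valid hexadecimal digits.
PREFIX_LETTERS = "ABCDEFGHIJKL"
SUFFIX_LETTERS = "ABCDEFGHIJKLMNPQRSTUVWXYZ"
SERIAL_RE = re.compile(r"([A-L])(\d{8})([A-NP-Z])")


def serial_to_mac(serial: str) -> str:
    """Turn a 10-character bill serial into a dash-separated 48-bit MAC."""
    m = SERIAL_RE.fullmatch(serial.upper())
    if m is None:
        raise ValueError(f"not a 10-character bill serial: {serial!r}")
    prefix, digits, suffix = m.groups()
    prefix_byte = PREFIX_LETTERS.index(prefix) + 1
    suffix_byte = SUFFIX_LETTERS.index(suffix) + 1
    hexstr = f"{prefix_byte:02X}{digits}{suffix_byte:02X}"  # 2 + 8 + 2 = 12 hex digits
    return "-".join(hexstr[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class MacInfo:
    oui: str                    # top 24 bits: the vendor-registered block
    nic: str                    # low 24 bits: the per-vendor counter
    multicast: bool             # I/G bit (0x01 of the first octet)
    locally_administered: bool  # U/L bit (0x02 of the first octet)


def _normalize(mac: str) -> str:
    hexstr = re.sub(r"[-:.]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", hexstr):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return hexstr


def analyze_mac(mac: str) -> MacInfo:
    """Split a MAC into OUI and device part and decode the two flag bits."""
    hexstr = _normalize(mac)
    first_octet = int(hexstr[:2], 16)
    return MacInfo(
        oui="-".join(hexstr[i:i + 2] for i in range(0, 6, 2)),
        nic="-".join(hexstr[i:i + 2] for i in range(6, 12, 2)),
        multicast=bool(first_octet & 0x01),
        locally_administered=bool(first_octet & 0x02),
    )


def scheme_address_space() -> int:
    """Distinct MACs the bill scheme can ever produce: 12 * 10^8 * 25."""
    return len(PREFIX_LETTERS) * 10 ** 8 * len(SUFFIX_LETTERS)


def duplicate_macs(macs) -> list:
    """Addresses seen more than once on a segment, in normalized form."""
    counts = Counter(_normalize(m) for m in macs)
    return sorted(k for k, v in counts.items() if v > 1)


if __name__ == "__main__":
    # Constructed sample serials, not real bills.
    for serial in ("B12345678C", "L99999999Z", "A00000001B"):
        mac = serial_to_mac(serial)
        print(serial, "->", mac, analyze_mac(mac))
    print("scheme can produce", scheme_address_space(), "of", 2 ** 48, "addresses")
    print("duplicates:", duplicate_macs(["02-12-34-56-78-03", "02:12:34:56:78:03", "0C-99-99-99-99-19"]))
```

Two things the numbers make visible that the comments only gesture at. First, the scheme covers roughly 3 × 10^10 of the 2^48 addresses, and every address it yields starts with an octet between 0x01 and 0x0C, so it is not spread across the space at all. Second, under the assumed encoding the first octet decides the flag bits: prefixes with an even byte that has 0x02 set (B, C, F, G, J, K) come out locally administered, the rest land in the universally administered range where vendor OUIs are registered and can collide with a real vendor's block, and any odd prefix byte (A, C, E, G, I, K) sets the multicast bit, which is not valid for a source address at all. That, rather than the duplicate-bill problem from comment 131, is the reason an administrator would not want such addresses on a production segment; `duplicate_macs` is the check for the symptom Brandon described.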

  133. Steve Mosher, I totally missed the ‘What do you want?’ that was repeated so many times.
    So you think maybe FOIA contacted Frank? Perhaps he is the one who should be raided. Something tipped him off.

    What is the meaning of your Chinese reply to RC, that he is a fake?

  134. mikeN

    I thought that FOIA had contacted Frank. That is probably not the case. But it got me thinking, and looking.

    My Chinese response to RC was based on another lead.
    That turned out to be wrong, but led to another path.

  135. Hmmm, why the three month delay, supposedly via BishopHill?
    Did Frank see that comment and go searching? Was this link to RC’s reappearance just cover for what he actually knew?

  136. MikeN – it is one of those odd sequence of events that you just need to sit back and gaze at in wonder.

    For the moment I am assuming coincidence until I see a solid reason to think otherwise. But I won’t assume my assumption is correct!

    Steven doesn’t appear to give us anything more substantial than he had a feeling.

  137. No, he has given quite a bit, if you follow him carefully. I didn’t translate, but I think I know what’s behind the Chinese. I think I know how he knew the full e-mail set was available.

    I am curious as to whether Steve thought the new release was happening because SwiftHack thought it because of a joke post by some random ClimateAudit reader.

  138. Lucia, is there anything in the order to WordPress about freezing info on comments? I imagine IP addresses get stored with the comments, but the order above says posts.

    I withdraw my previous thinking that they are going to do a deep resource intensive search of the entire audience. The order appears to be pretty straightforward. They catch FOIA if
    1) The IP address he used when posting can be traced back to him through the proxy servers he used.
    2) The e-mail address he gave when posting can be traced back to him. I severely doubt this, and suspect he used an e-mail like jhansen@nasa
    3) He used that same IP address or perhaps the same proxies to make comments with a different name, and made still more comments with that different name from a less secure IP address or e-mail address that can be traced back to him.

  139. MikeN – ok – whilst I remain curious I don’t currently have any idea where you and Steven have gone.

Comments are closed.