Hackers treated as credible sources of information (D'oh!)
The Wall Street Journal and hundreds of other news outlets have published articles about the stolen/leaked email files from the University of East Anglia (UEA) Climate Research Unit, in the UK. The blogs are going nuts. Sadly, there is no critical investigation or reporting about the credibility of the leaked email files. Instead, the news outlets are all caught up in the debate over whether this proves that the Global Warming science is a con job and conspiracy. (A sampling of the more moderate reports: Washington Post, Associated Press, and Christian Science Monitor. The blogs and tweets are more rabid: e.g. proof that “Al Gore lied!”)
Everyone is treating these stolen/leaked documents as real and undoctored, without any real evidence. I couldn’t find any critical/questioning articles when I did a web search. To this, I can only repeat Homer Simpson’s exclamation when he is hit in the face with (his own) stupidity: “D’oh!!”.
For example, the WSJ blog stated that the emails were confirmed as “genuine” by the Director of the breached organization, but a close reading of the source news article shows that the Director only states that the files “appear” to be from his organization. The UEA Climate Research Unit hasn’t actually had a chance to review the posted files or even investigate the breach.
Also, no one has questioned the claim that this was the act of “hackers”. The WSJ blog called them “Russian Black Hats” based on the report that the ZIP file first appeared on an FTP server hosted in Russia. Ridiculous! It is easy for anyone located anywhere to upload files to an FTP server with a Russian domain name.
I did find a few security bloggers commenting on this incident, e.g. Graham Cluley, and they are more reserved about the implications of this incident, given the lack of real information. Hopefully, more security experts will speak out on this in the coming days.
Now a rant for the uncritical news organizations and bloggers:
NEWSFLASH — Anyone who has the motives and skills to steal private documents and to upload them on a Russian FTP server in order to generate a public scandal also has the motives and skills to “doctor” those documents. DO NOT trust their content until it is proven genuine!
This news/publicity incident is just more evidence of widespread misunderstanding about trust and credibility regarding online information, and also misunderstandings about the nature of security breaches, Black Hats vs. White Hats, etc. This is another case of the meme: “If it’s on the Internet, it must be true”. Sadly, the “echo chamber” of free Internet news media and “advocacy journalism” only makes it worse. Takeaway: This is yet another call-to-arms to security experts to provide evidence-based analysis that educates the broad public and the institutions that serve them.
[Update — Corrected the name of the breached organization]
[Update 2: See Comment #2 below for additional “connect the dots” that make the insider attack most plausible, not a “Russian Black Hat”.]