International Journal of Inactivism

What we know about the CRU attacker, part 4: ho ho ho!

Posted in Climatic Research Unit crack by frankbi on 2009-12-25

[cite as: F. Bi. 2009. What we know about the CRU attacker, part 4: ho ho ho! Intl. J. Inact., 2:110]

Ho ho ho! Merry Christmas to all!1 :) Today I looked once more at the material cracked from the cyber-attack on CRU, and this time I finally decided (!) to peer into the contents of the files. Now, the .zip file with the cracked material contains several Microsoft Word .doc files. Of these, 9 files have modification times that have been doctored to read 1 Jan 2009 00:00 local time, 05:00 UTC; and of these 9 files, 5 have file sizes which aren’t neat multiples of 256:

  • FOIA/documents/magicc-tomike.doc (35,341 bytes)
  • FOIA/documents/potential-funding.doc (25,613 bytes)
  • FOIA/documents/sealevel_params.doc (34,317 bytes)
  • FOIA/documents/uea-tyndall-shell-memo.doc (23,053 bytes)
  • FOIA/documents/unit-proposal.doc (30,221 bytes)

In fact, when you divide the sizes of these files by 256, you get a remainder of exactly 13. Let’s take a look at the last few bytes of the file FOIA/documents/unit-proposal.doc. They look like this:

000075C0   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................
000075D0   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................
000075E0   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................
000075F0   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................
00007600   73 68 2D 33  2E 31 24 20  65 78 69 74  0A           sh-3.1$ exit.

The other 4 files are similar. So, somehow a shell prompt and a shell command (of 13 bytes) were appended to a .doc file. I don’t know what would cause this, but it certainly doesn’t look normal to me.
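To make the size-remainder observation and the trailing-bytes check above reproducible, here is a small Python script that does both on a byte string. It is an added example, not code from the post; the sample inputs are constructed (a 0x7600-byte zero body standing in for the .doc, with the 13-byte “sh-3.1$ exit” trailer appended), and the function names and the prompt regular expression are my own choices.

```python
import re

# Constructed samples (not the real files): a body whose length is a neat
# multiple of 256, once clean and once with the 13-byte trailer from the post.
TRAILER = b"sh-3.1$ exit\n"
DOCTORED = bytes(0x7600) + TRAILER   # 30,221 bytes, like unit-proposal.doc
CLEAN = bytes(0x7600)                # 30,208 bytes, remainder 0

# A Bourne/bash style prompt followed by one command and a newline at the very
# end of the data. Assumed pattern; widen it if other shells are of interest.
PROMPT_RE = re.compile(rb"(?:sh|bash)-\d+\.\d+\$ [^\n]*\n$")


def inspect_tail(data: bytes, block: int = 256, window: int = 16) -> dict:
    """Size, size mod block, the last `window` bytes, and any shell-prompt text
    sitting at the end of the data (None when the tail looks ordinary)."""
    tail = data[-window:]
    match = PROMPT_RE.search(tail)
    return {
        "size": len(data),
        "remainder": len(data) % block,
        "tail": tail,
        "appended_shell_text": match.group(0) if match else None,
    }


def hexdump_tail(data: bytes) -> str:
    """Render the final 16-byte row in the same layout as the dump in the post."""
    start = ((len(data) - 1) // 16) * 16      # offset of the last row
    chunk = data[start:]
    hexpart = " ".join(f"{b:02X}" for b in chunk)
    ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{start:08X}   {hexpart:<47}  {ascii_part}"


def flag_appended_shell(samples: dict) -> list:
    """Names of samples whose tail carries shell-prompt text."""
    return [name for name, data in samples.items()
            if inspect_tail(data)["appended_shell_text"] is not None]


if __name__ == "__main__":
    for name, data in {"doctored.doc": DOCTORED, "clean.doc": CLEAN}.items():
        info = inspect_tail(data)
        print(name, info["size"], "bytes, remainder", info["remainder"])
        print(hexdump_tail(data))
    print("flagged:", flag_appended_shell({"doctored.doc": DOCTORED, "clean.doc": CLEAN}))
```

The remainder on its own only says that a file is not sector-aligned; pairing it with the tail pattern is what separates “odd size” from “terminal text pasted onto a binary”, which is the distinction the post is drawing.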

Footnotes

  1. And to those who don’t celebrate Christmas: Happy Holidays! :)

Quick summary of, well, stuff

[cite as: F. Bi. 2009. Quick summary of, well, stuff. Intl. J. Inact., 2:109]

Shorter Kevin Grandia, 2009-12-20: The so-called “Copenhagen Accord” for climate change regulation is just a way to pretend to do something while doing nothing. [cached]

Shorter Andrew Light, 2009-12-19: It’s true that the “Copenhagen Accord” didn’t actually do anything. But instead of doing nothing under the old paradigm (that World = Developed Nations + Developing Nations), it’s now doing nothing under a new paradigm (that World = Major Greenhouse Gas Emitters + Minor Greenhouse Gas Emitters). This new paradigm of doing nothing is very meaningful — and indeed, it’s a potential game-changer! [cached]

* * *

Shorter C’S'CA, 2009-12-15: Climate models used in the IPCC reports are too simplistic, and make certain assumptions that may not be true. In fact, by building a climate model which is even more simplistic, we were able to show that the assumptions are probably not true after all! [cached]

Shorter Roy Spencer, back in 2008-05-22: Let me explain. My even-more-simplistic model gives results that are different from the not-so-simplistic models used in the IPCC reports. Therefore, clearly your model is wrong, and my model is right! You see, I’m an observationalist, not a modeler. [cached]

Anti-Obama cracker web site + CRU crack = lolwut?

[cite as: F. Bi. 2009. Anti-Obama cracker web site + CRU crack = lolwut? Intl. J. Inact., 2:108]

Primo

Regarding the Climatic Research Unit cyber-attack, Jason Petry gave an explanation of the odd timestamps on 3 files in FOI2009.zip — an explanation that was so simple that it made me slap my forehead (metaphorically):

The explanation for these three files is simple enough. If you look at the UTC timestamp, and convert, you will notice that the mtime in EST is pre- Jan-1-1980, which is the earliest time that can be stored in the MS-DOS time field used to store the local mod time in the zip file format. So Info-Zip has just set the local mtime to the earliest time possible.

In other words, there’s nothing really anomalous about the timestamps of the 3 files after all, and we can perhaps go back to postulating that all the files in the archive were packed under a time zone of -0500/-0400. Thanks, Jason!

Secundo

In other news, while looking for copies of the cracked CRU material out there on the Internet, I stumbled upon an anti-Obama web site run by crackers (or cracker wannabes); they also host a copy of the CRU stuff. Two choice quotes from the CRU section:

[...] The Tides Foundation is basically a money laundering service for George Soros (Jew).

[...] In 1995, with the release of the declassified VENO[N]A intercepts, Joe McCarthy was proven right.

The home page links to the innocent-looking Green Bay Professional Packet Radio, calling it the “Main Website”. Makes me wonder what’s going on…

[cached: 1, 2, 3]

Did a system administrator just save the world?

[cite as: F. Bi. 2009. Did a system administrator just save the world? Intl. J. Inact., 2:106--107]

While the climate regulation talks in Copenhagen continue, I’m reminded of something that Gavin Schmidt wrote regarding the attempted cyber-attack on RealClimate after the CRU attack:

At around 6.20am (EST) Nov 17th, somebody hacked into the RC server from an IP address associated with a computer somewhere in Turkey, disabled access from the legitimate users, and uploaded a file FOIA.zip to our [RealClimate] server. They then created a draft post that would have been posted announcing the data to the world that was identical in content of the comment posted on The Air Vent later that day.

Now think for a moment what would’ve happened if the attack on RealClimate had succeeded. There would’ve been a blog post, ostensibly written by mainstream climate scientists, announcing that the global warming theory is a hoax and they’re finally going to Tell All. The real climate scientists would’ve been unable to reply, being shut out of their own blogs, while the ‘climate scientist’ attacker could start fielding questions from a confused public — and make them even more confused. And if the attacker could maintain this state of affairs long enough to last till Copenhagen, it could really turn the climate talks into a total train wreck the likes of which we can’t even imagine.

But none of this happened. The so-called “ClimateGate” or “SwiftHack” is now nothing more than a huge load of hot air. All thanks to one system administrator who was able to spot the attack, and promptly regain control of the web server.

* * *

And in case anyone missed this: our friendly climate inactivists Steve McIntyre and Jeff Id are saying that the CRU cyber-attacker’s comments on their blogs came from the IP addresses 82.208.87.170 (Russia) and 212.116.220.100 (Saudi Arabia). Jeff’s ‘deductions’ from these bits of information, however, are nonsense:

Then we have the release of the info from proxy servers in less than friendly countries. This is not unsophisticated and made me think of a government agency first. Someone with resources and knowledge. Who’s going to be able to get a proxy link from Russia, Saudi Arabia or Turkey and which proxy sent the email to those? They knew what they were doing. [...]

It all seems to me like a whistle blower who got ticked that FOIA was ignored (illegally). Perhaps someone who heard the conversations between Phil Jones and the Govt. officials.

No, Jeff, unless you’re saying that system administrators working in a climate science department have the same kind of information as people working alongside Jack Bauer breaking into terrorist networks.

(Then again, if what McIntyre and Id say is true, they may actually lend some support to the Daily Mail’s theory that the CRU crack was the work of foreign intelligence agents. Or not. Ugh, are we confused enough yet?)

What we know about the CRU attacker, part 3.2: the 3 odd files

Posted in Climatic Research Unit crack by frankbi on 2009-12-04

[cite as: F. Bi. 2009. What we know about the CRU attacker, part 3.2: the 3 odd files. Intl. J. Inact., 2:104--105]

Regarding the cyber-attack on the Climatic Research Unit of UEA: recall I mentioned that the .zip file of the cracked material contains 3 files which don’t give a -0400 or -0500 time zone. Well, here are the details of the 3 files (and some other files in their vicinity within the .zip):

local-mtime 1991-06-03,12:04:28  gm-mtime 1991-06-03,16:04:28  gm-atime 2009-09-30,02:12:17
  [ tz -0400 ]  uid 1002  gid 1002
  name FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/_00401.rw
local-mtime 1991-06-03,12:12:42  gm-mtime 1991-06-03,16:12:42  gm-atime 2009-09-30,02:12:17
  [ tz -0400 ]  uid 1002  gid 1002
  name FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/b00421.rw
local-mtime 1980-01-01,00:00:00  gm-mtime 1980-01-01,00:16:46  gm-atime 2009-09-30,02:12:17
  [ tz -0016 ]  uid 1002  gid 1002
  name FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/l00311.rw
local-mtime 1980-01-01,00:00:00  gm-mtime 1980-01-01,00:38:26  gm-atime 2009-09-30,02:12:17
  [ tz -0038 ]  uid 1002  gid 1002
  name FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/l00321.rw
local-mtime 1980-01-01,00:00:00  gm-mtime 1980-01-01,00:43:36  gm-atime 2009-09-30,02:12:17
  [ tz -0044 ]  uid 1002  gid 1002
  name FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/l00331.rw
local-mtime 1991-06-03,06:15:02  gm-mtime 1991-06-03,10:15:02  gm-atime 2009-09-30,02:12:17
  [ tz -0400 ]  uid 1002  gid 1002
  name FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/l00341.rw
local-mtime 1991-06-03,06:41:52  gm-mtime 1991-06-03,10:41:52  gm-atime 2009-09-30,02:12:17
  [ tz -0400 ]  uid 1002  gid 1002
  name FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/l00351.rw

The odd thing about the timestamps of the three files is that the modification times as local times (local-mtime) and the modification times as UTC times (gm-mtime) don’t seem to match up, no matter how one cuts it. I can’t figure out a good explanation for this that doesn’t involve the cracker messing directly with the .zip file format to doctor the timestamps.

Well, maybe the cracker did mess directly with the .zip format after all — in that case, it’ll mean that the time stamps on all the files are much less reliable indicators of actual file access times than I had thought. And even then, it still raises the question of why the cracker would want to do this. Why have these 3 timestamps stand out? What’s the significance of the time values 00:16:46, 00:38:26, and 00:43:36?

What we know about the CRU attacker, part 3.1: 16 Nov

Posted in Climatic Research Unit crack by frankbi on 2009-11-28

[cite as: F. Bi. 2009. What we know about the CRU attacker, part 3.1: 16 Nov. Intl. J. Inact., 2:103]

More on the .zip file of cracked CRU material:

$ ./vomit-zip FOI2009.zip | sort -k 6 | tail -5
local-mtime 2007-02-19,11:20:22  gm-mtime 2007-02-19,16:20:22  gm-atime 2009-10-15,09:19:08
  [ tz -0500 ]  uid 1002  gid 1002  name FOIA/documents/marooned.jpg
local-mtime 2000-12-19,09:38:54  gm-mtime 2000-12-19,14:38:54  gm-atime 2009-10-24,18:00:00
  [ tz -0500 ]  uid 1002  gid 1002  name FOIA/documents/mannuncert.txt
local-mtime 2004-02-09,07:44:58  gm-mtime 2004-02-09,12:44:58  gm-atime 2009-11-15,17:55:23
  [ tz -0500 ]  uid 1002  gid 1002  name FOIA/documents/Extreme2100.pdf
local-mtime 2008-01-10,09:55:40  gm-mtime 2008-01-10,14:55:39  gm-atime 2009-11-15,20:43:56
  [ tz -0500 ]  uid 1002  gid 1002  name FOIA/documents/trend_profiles_dogs_dinner.png
local-mtime 2009-11-11,09:23:36  gm-mtime 2009-11-11,14:23:35  gm-atime 2009-11-16,07:27:52
  [ tz -0500 ]  uid 1002  gid 1002  name FOIA/documents/EURO4M_DoW_v2.doc

In plain English: the timestamps in the .zip file indicate that the most recent access (probably a read) to any of the files contained in the archive was on 16 Nov, at 07:27:52 UTC, to EURO4M_DoW_v2.doc. The contents of the file itself were last modified on 11 Nov at 14:23:35 UTC.

What we know about the CRU attacker, part trois: the .zip file

Posted in Climatic Research Unit crack by frankbi on 2009-11-27

[cite as: F. Bi. 2009. What we know about the CRU attacker, part trois: the .zip file. Intl. J. Inact., 2:102]

I just downloaded the FOI2009.zip file containing the cracked CRU content (I used the megaupload copy), and while I don’t intend to open up the actual content inside, I did study the structure and metadata of the .zip file, and I found some interesting things:

Of the 4,662 files in the archive, 3,172 seem to have been last modified under a timezone of -0500 (somewhere in the Americas), 1,487 under a timezone of -0400, and 3 under a timezone of around -0000 (ah — now that’s closer to Britain).

The .zip file itself contains two smaller .zip files:

  • mbh98-osborn.zip, in which 2,171 of its files yielded a timezone of -0400, and 4 files had a timezone of -0500;
  • russia.zip, which contains no timezone information.

All archive members with timezone information gave a user ID (uid) and group ID (gid) of 1,002, which is very close to a nice round number.

Addendum: I’ve uploaded the program I wrote to analyze the .zip file.

Update 2009-11-29: There was a bug in the program which may potentially cause incorrect output for certain .zip files. It’s been fixed.
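The three posts above (part trois’s time-zone and uid/gid tally, part 3.2’s three odd files, and the “Primo” explanation of why a local mtime of 1980-01-01 00:00:00 is the MS-DOS floor rather than a real time zone) all rest on the same piece of arithmetic: compare the DOS-format local modification time in each zip entry with the UTC modification time that Info-ZIP stores in its extended-timestamp extra field. The Python below is an added example of that comparison, not the author’s vomit-zip program. It assumes the Info-ZIP extra-field layouts (0x5455 “UT” for UTC mtime/atime/ctime, 0x7875 “ux” for uid/gid), builds a constructed in-memory archive with entries modelled on the listings in the posts, and uses function names of my own; it reports the 1980 floor as a marker instead of deriving a spurious offset from it, and checks whether the true mtime in a -0500 zone would indeed fall before the floor.

```python
import io
import struct
import zipfile
from datetime import datetime, timedelta, timezone

UT_TAG = 0x5455                     # Info-ZIP "UT" extended timestamp (UTC)
UX_TAG = 0x7875                     # Info-ZIP "ux" uid/gid
DOS_FLOOR = (1980, 1, 1, 0, 0, 0)   # earliest value the DOS date/time field holds


def parse_extra(extra: bytes) -> dict:
    """Walk the extra-field TLV list; return UT times (UTC) and ux uid/gid."""
    out, pos = {}, 0
    while pos + 4 <= len(extra):
        tag, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        pos += 4 + size
        if tag == UT_TAG and size >= 1:
            flags, off = body[0], 1
            for bit, name in ((1, "mtime"), (2, "atime"), (4, "ctime")):
                if flags & bit and off + 4 <= len(body):
                    secs = struct.unpack_from("<I", body, off)[0]
                    out[name] = datetime.fromtimestamp(secs, timezone.utc)
                    off += 4
        elif tag == UX_TAG and size >= 3 and body[0] == 1:
            ulen = body[1]
            out["uid"] = int.from_bytes(body[2:2 + ulen], "little")
            glen = body[2 + ulen]
            out["gid"] = int.from_bytes(body[3 + ulen:3 + ulen + glen], "little")
    return out


def infer_tz(local_dos: tuple, mtime_utc: datetime) -> str:
    """Offset (+-HHMM) between the DOS local mtime and the UT mtime, rounded to
    the minute because DOS time has 2 s resolution; 'dos-floor' when the DOS
    field sits at 1980-01-01 00:00:00 and therefore carries no zone information."""
    if local_dos == DOS_FLOOR:
        return "dos-floor"
    delta = datetime(*local_dos) - mtime_utc.replace(tzinfo=None)
    minutes = round(delta.total_seconds() / 60)
    sign, minutes = ("-" if minutes < 0 else "+"), abs(minutes)
    return f"{sign}{minutes // 60:02d}{minutes % 60:02d}"


def underflows_dos(mtime_utc: datetime, tz_minutes: int = -300) -> bool:
    """Would this UTC mtime, expressed in the given zone (default -0500), fall
    before 1980-01-01 00:00 local time, i.e. below what the DOS field can hold?"""
    return mtime_utc.replace(tzinfo=None) + timedelta(minutes=tz_minutes) < datetime(1980, 1, 1)


def analyze(zip_bytes: bytes) -> list:
    """One row per archive member: DOS local mtime, UT times, uid/gid, inferred tz."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            meta = parse_extra(zi.extra)
            row = {"name": zi.filename, "local_mtime": zi.date_time, **meta}
            row["tz"] = infer_tz(zi.date_time, meta["mtime"]) if "mtime" in meta else None
            if row["tz"] == "dos-floor":
                row["floor_explained"] = underflows_dos(meta["mtime"])
            rows.append(row)
    return rows


def _ut(mtime: datetime, atime: datetime) -> bytes:
    body = bytes([0b011]) + struct.pack("<II", int(mtime.timestamp()), int(atime.timestamp()))
    return struct.pack("<HH", UT_TAG, len(body)) + body


def _ux(uid: int, gid: int) -> bytes:
    body = bytes([1, 4]) + uid.to_bytes(4, "little") + bytes([4]) + gid.to_bytes(4, "little")
    return struct.pack("<HH", UX_TAG, len(body)) + body


def build_sample_zip() -> bytes:
    """Constructed archive (not the real FOI2009.zip): three members with UT/ux
    extras whose times are modelled on the listings in the posts."""
    utc = timezone.utc
    atime = datetime(2009, 9, 30, 2, 12, 17, tzinfo=utc)
    members = [  # name, DOS local mtime, true UTC mtime
        ("FOIA/documents/EURO4M_DoW_v2.doc", (2009, 11, 11, 9, 23, 36),
         datetime(2009, 11, 11, 14, 23, 35, tzinfo=utc)),
        ("FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/_00401.rw",
         (1991, 6, 3, 12, 4, 28), datetime(1991, 6, 3, 16, 4, 28, tzinfo=utc)),
        ("FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/l00311.rw",
         DOS_FLOOR, datetime(1980, 1, 1, 0, 16, 46, tzinfo=utc)),
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, local_dos, mtime in members:
            zi = zipfile.ZipInfo(name, date_time=local_dos)
            zi.extra = _ut(mtime, atime) + _ux(1002, 1002)
            zf.writestr(zi, b"constructed content\n")
    return buf.getvalue()


if __name__ == "__main__":
    for row in analyze(build_sample_zip()):
        print(row["tz"], row.get("uid"), row.get("gid"), row["name"])
```

Point `analyze` at the bytes of a real archive and tally the `tz` column to get the -0500/-0400 counts the post reports; entries marked `dos-floor` should be excluded from that tally, since their local field says nothing about the zone in which they were packed.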

Climategate, where unauthorized eavesdropping is a heroic deed

[cite as: F. Bi. 2009. Climategate, where unauthorized eavesdropping is a heroic deed. Intl. J. Inact., 2:101]

Remember the Watergate scandal, in which the then US President Richard Nixon was forced to resign after being implicated in wiretapping attempts on the political opposition? Now the global warming inactivists are calling the recent cyber-attack against CRU by the name “Climategate”. Apparently they now think that unauthorized eavesdropping is a very heroic and noble deed.

In any case, the ‘independent, non-partisan’ climate inactivist groups such as the International Climate ‘Science’ Coalition and the Heartland Institute have lost no time trying to report ‘independently’ and ‘non-partisan-ly’ on the “Climategate” affair. Joseph Bast of Heartland writes:

Last week, someone (probably a whistle-blower at the Climate Research Unit at the University of East Anglia, England) released emails and other documents written by Phil Jones, Michael Mann, and other leading scientists who edit and control the content of the reports of the Intergovernmental Panel on Climate Change (IPCC). [...]

It is possible that the emails and other documents [leaked from CRU] aren’t as damning as they appear to be on first look. [...] Looking at how past disclosures of fraud in the global warming debate have been dismissed or ignored by the mainstream media leads me to suspect they will try to sweep this, too, under the rug.

No, Joseph. They’re not damning even on first look. That’s why Bast needs to tell you what to think about the e-mails before you ‘read them for yourself’.

What we know about the CRU attacker, part deux

Posted in Climatic Research Unit crack, Gavin Schmidt, RealClimate by frankbi on 2009-11-23

[cite as: F. Bi. 2009. What we know about the CRU attacker, part deux. Intl. J. Inact., 2:100]

Update on the attacker who stole and uploaded private e-mails from the Climatic Research Unit (CRU) of UEA: Gavin at RealClimate has answered my query about the attacker’s initial attempt to upload the e-mails to the RealClimate site:

Can you reveal more about the attempt to upload the file to RealClimate? Did the cracker crack into realclimate.org too, or is there already a publicized feature on realclimate.org allowing third parties to upload data? Where did the upload come from? etc.

[Response: I was wondering when someone would ask. It was a hack into our server around 6am Tuesday. The IP address was from a computer in Turkey. - gavin]

So we know that

  • the RealClimate upload attempt came from a machine in Turkey (!!!!!); and
  • the attacker had access to the e-mails and files of an entire department.

At this point it should be clear that the attacker is most likely not just a “whistleblower” from the inside who logged in and out the usual way — and even if he’s an insider who doesn’t happen to be a cracker, he’ll have to be a pretty security-savvy insider with rather broad computing powers and privileges, such as a system administrator. And insider or not, he definitely tried to crack into another web site — the RealClimate site.

So what else can we find out about the CRU attacker? Where do we go from here? Good question…

What we know about the CRU attacker

Posted in Climatic Research Unit crack, Kevin Grandia by frankbi on 2009-11-22

[cite as: F. Bi. 2009. What we know about the CRU attacker. Intl. J. Inact., 2:99]

Kevin Grandia issues a challenge:

Who stole all this private data from [the Climatic Research Unit of] the University [of East Anglia] in the first place?

[...] Terry Hurlbut at the Examiner has a time line of the stolen data going public which is a good start. I am sure one of our intrepid readers will get to the bottom of this. Tell you what. I’ll race you.

Well, right now what we know is that the attacker

  • is familiar with climate conspiracy theories;
  • knows about how to upload a huge file to an incoming/ folder on a Russian server, tomcity.ru; and
  • initially tried to get the information uploaded to realclimate.org.

Clearly not your usual “i r 31337 h4×0r u haz b33n pwn3d!!!!!!”, but other than that, there’s not a lot to go on in this case (at least for us). Perhaps the only useful lead is the initial attempt to upload to RealClimate; I’ve asked the RC folks if they can furnish any further details on it.

Update 2009-11-22: I forgot to mention one other thing we know:

  • TrueSceptic reports over at Greenfyre’s blog that the e-mails in the .zip archive all have a modification time of 1 Jan 2009 00:00. Why the attacker felt compelled to doctor the file modification times is anyone’s guess.