[cite as: F. Bi. 2009. What we know about the CRU attacker, part 4: ho ho ho! Intl. J. Inact., 2:110]

Ho ho ho! Merry Christmas to all!¹ :) Today I looked once more at the material cracked from the cyber-attack on CRU, and this time I finally decided (!) to peer into the contents of the files. Now, the .zip file with the cracked material contains several Microsoft Word .doc files. Of these, 9 files have modification times have been doctored to read 1 Jan 2009 00:00 local time, 05:00 UTC; and of these 9 files, 5 have file sizes which aren’t neat multiples of 256:

• FOIA/documents/magicc-tomike.doc (35,341 bytes)
• FOIA/documents/potential-funding.doc (25,613 bytes)
• FOIA/documents/sealevel_params.doc (34,317 bytes)
• FOIA/documents/uea-tyndall-shell-memo.doc (23,053 bytes)
• FOIA/documents/unit-proposal.doc (30,221 bytes)

In fact, when you divide the sizes of these files by 256, you get a remainder of exactly 13. Let’s take a look at the last few bytes of the file FOIA/documents/unit-proposal.doc. They look like these:

000075C0   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................
000075D0   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................
000075E0   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................
000075F0   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................
00007600   73 68 2D 33  2E 31 24 20  65 78 69 74  0A           sh-3.1$ exit.

The other 4 files are similar. So, somehow a shell prompt and a shell command (of 13 bytes) were appended to a .doc file. I don’t know what would cause this, but it certainly doesn’t look normal to me.

Footnotes

1. And to those who don’t celebrate Christmas: Happy Holidays! :)

[cite as: F. Bi. 2009. Quick summary of, well, stuff. Intl. J. Inact., 2:109]

Shorter Kevin Grandia, 2009-12-20: The so-called “Copenhagen Accord” for climate change regulation is just a way to pretend to do something while doing nothing. [cached]

Shorter Andrew Light, 2009-12-19: It’s true that the “Copenhagen Accord” didn’t actually do anything. But instead of doing nothing under the old paradigm (that World = Developed Nations + Developing Nations), it’s now doing nothing under a new paradigm (that World = Major Greenhouse Gas Emitters + Minor Greenhouse Gas Emitters). This new paradigm of doing nothing is very meaningful — and indeed, it’s a potential game-changer! [cached]

* * *

Shorter C’S'CA, 2009-12-15: Climate models used in the IPCC reports are too simplistic, and make certain assumptions that may not be true. In fact, by building a climate model which is even more simplistic, we were able to show that the assumptions are probably not true after all! [cached]

Shorter Roy Spencer, back in 2008-05-22: Let me explain. My even-more-simplistic model gives results that are different from the not-so-simplistic models used in the IPCC reports. Therefore, clearly your model is wrong, and my model is right! You see, I’m an observationalist, not a modeler. [cached]

[cite as: F. Bi. 2009. Anti-Obama cracker web site + CRU crack = lolwut? Intl. J. Inact., 2:108]

Primo

Regarding the Climatic Research Unit cyber-attack, Jason Petry gave an explanation of the odd timestamps on 3 files in FOI2009.zip — an explanation that was so simple that it made me slap my forehead (metaphorically):

The explanation for these three files is simple enough. If you look at the UTC timestamp, and convert, you will notice that the mtime in EST is pre- Jan-1-1980, which is the earliest time that can be stored in the MS-DOS time field used to store the local mod time in the zip file format. So Info-Zip has just set the local mtime to the earliest time possible.

In other words, there’s nothing really anomalous about the timestamps of the 3 files after all, and we can perhaps go back to postulating that all the files in the archive were packed under a time zone of -0500/-0400. Thanks, Jason!

Secundo

In other news, while looking for copies of the cracked CRU material out there on the Internet, I stumbled upon an anti-Obama web site run by crackers (or cracker wannabes); they also host a copy of the CRU stuff. Two choice quotes from the CRU section:

[...] The Tides Foundation is basically a money laundering service for George Soros (Jew).

[...] In 1995, with the release of the declassifed VENO[N]A intercepts, Joe McCarthy was proven right.

The home page links to the innocent-looking Green Bay Professional Packet Radio, calling it the “Main Website”. Makes me wonder what’s going on…

[cached: 1, 2, 3]

[cite as: F. Bi. 2009. Did a system administrator just save the world? Intl. J. Inact., 2:106--107]

While the climate regulation talks in Copenhagen continue, I’m reminded of something that Gavin Schmidt wrote regarding the attempted cyber-attack on RealClimate after the CRU attack:

At around 6.20am (EST) Nov 17th, somebody hacked into the RC server from an IP address associated with a computer somewhere in Turkey, disabled access from the legitimate users, and uploaded a file FOIA.zip to our [RealClimate] server. They then created a draft post that would have been posted announcing the data to the world that was identical in content of the comment posted on The Air Vent later that day.

Now think for a moment what would’ve happened if the attack on RealClimate had succeeded. There would’ve been a blog post, ostensibly written by mainstream climate scientists, announcing that the global warming theory is a hoax and they’re finally going to Tell All. The real climate scientists would’ve been unable to reply, being shut out of their own blogs, while the ‘climate scientist’ attacker could start fielding questions from a confused public — and make them even more confused. And if the attacker could maintain this state of affairs long enough to last till Copenhagen, it can really turn the climate talks into a total train wreck the likes of which we can’t even imagine.

But none of this happened. The so-called “ClimateGate” or “SwiftHack” is now nothing more than a huge load of hot air. All thanks to one system administrator who was able to spot the attack, and promptly regain control of the web server.

* * *

And in case anyone missed this: our friendly climate inactivists Steve McIntyre and Jeff Id are saying that the CRU cyber-attacker’s comments on their blogs came from the IP addresses 82.208.87.170 (Russia) and 212.116.220.100 (Saudi Arabia). Jeff’s ‘deductions’ from these bits of information, however, are nonsense:

Then we have the release of the info from proxy servers in less than friendly countries. This is not unsophisticated and made me think of a government agency first. Someone with resources and knowledge. Who’s going to be able get a proxy link from Russia, Saudi Arabia or Turkey and which proxy sent the email to those? They knew what they were doing. [...]

It all seems to me like a whistle blower who got ticked that FOIA was ignored (illegally). Perhaps someone who heard the conversations between Phil Jones and the Govt. officials.

No, Jeff, unless you’re saying that system administrators working in a climate science department have the same kind of information as people working alongside Jack Bauer breaking into terrorist networks.

(Then again, if what McIntyre and Id say are true, they may actually lend some support to the Daily Mail’s theory that the CRU crack was the work of foreign intelligence agents. Or not. Ugh, are we confused enough yet?)

[cite as: F. Bi. 2009. What we know about the CRU attacker, part 3.2: the 3 odd files. Intl. J. Inact., 2:104--105]

Regarding the cyber-attack on the Climatic Research Unit of UEA: recall I mentioned that the .zip file of the cracked material contains 3 files which don’t give a -0400 or -0500 time zone. Well, here are the details of the 3 files (and some other files in their vicinity within the .zip):

local-mtime 1991-06-03,12:04:28  gm-mtime 1991-06-03,16:04:28  gm-atime 2009-09-30,02:12:17
  [ tz -0400 ]  uid 1002  gid 1002
  name FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/_00401.rw
local-mtime 1991-06-03,12:12:42  gm-mtime 1991-06-03,16:12:42  gm-atime 2009-09-30,02:12:17
  [ tz -0400 ]  uid 1002  gid 1002
  name FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/b00421.rw
local-mtime 1980-01-01,00:00:00  gm-mtime 1980-01-01,00:16:46  gm-atime 2009-09-30,02:12:17
  [ tz -0016 ]  uid 1002  gid 1002
  name FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/l00311.rw
local-mtime 1980-01-01,00:00:00  gm-mtime 1980-01-01,00:38:26  gm-atime 2009-09-30,02:12:17
  [ tz -0038 ]  uid 1002  gid 1002
  name FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/l00321.rw
local-mtime 1980-01-01,00:00:00  gm-mtime 1980-01-01,00:43:36  gm-atime 2009-09-30,02:12:17
  [ tz -0044 ]  uid 1002  gid 1002
  name FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/l00331.rw
local-mtime 1991-06-03,06:15:02  gm-mtime 1991-06-03,10:15:02  gm-atime 2009-09-30,02:12:17
  [ tz -0400 ]  uid 1002  gid 1002
  name FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/l00341.rw
local-mtime 1991-06-03,06:41:52  gm-mtime 1991-06-03,10:41:52  gm-atime 2009-09-30,02:12:17
  [ tz -0400 ]  uid 1002  gid 1002
  name FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/l00351.rw

The odd thing about the timestamps of the three files is that the modification times as local times (local-mtime) and the modification times as UTC times (gm-mtime) don’t seem to match up, no matter how one cuts it. I can’t figure out a good explanation for this that doesn’t involve the cracker messing directly with the .zip file format to doctor the timestamps.

Well, maybe the cracker did mess directly with the .zip format after all — in that case, it’ll mean that the time stamps on all the files are much less reliable indicators of actual file access times than I had thought. And even then, it still raises the question of why the cracker would want to do this. Why have these 3 timestamps stand out? What’s the significance of the time values 00:16:46, 00:38:26, and 00:43:36?

[cite as: F. Bi. 2009. What we know about the CRU attacker, part 3.1: 16 Nov. Intl. J. Inact., 2:103]

More on the .zip file of cracked CRU material:

$ ./vomit-zip FOI2009.zip | sort -k 6 | tail -5
local-mtime 2007-02-19,11:20:22  gm-mtime 2007-02-19,16:20:22  gm-atime 2009-10-15,09:19:08
  [ tz -0500 ]  uid 1002  gid 1002  name FOIA/documents/marooned.jpg
local-mtime 2000-12-19,09:38:54  gm-mtime 2000-12-19,14:38:54  gm-atime 2009-10-24,18:00:00
  [ tz -0500 ]  uid 1002  gid 1002  name FOIA/documents/mannuncert.txt
local-mtime 2004-02-09,07:44:58  gm-mtime 2004-02-09,12:44:58  gm-atime 2009-11-15,17:55:23
  [ tz -0500 ]  uid 1002  gid 1002  name FOIA/documents/Extreme2100.pdf
local-mtime 2008-01-10,09:55:40  gm-mtime 2008-01-10,14:55:39  gm-atime 2009-11-15,20:43:56
  [ tz -0500 ]  uid 1002  gid 1002  name FOIA/documents/trend_profiles_dogs_dinner.png
local-mtime 2009-11-11,09:23:36  gm-mtime 2009-11-11,14:23:35  gm-atime 2009-11-16,07:27:52
  [ tz -0500 ]  uid 1002  gid 1002  name FOIA/documents/EURO4M_DoW_v2.doc

In plain English: the timestamps in the .zip file indicate that the most recent access (probably a read) to any of the files contained in the archive was on 16 Nov, at 07:27:52 UTC, to EURO4M_DoW_v2.doc. The contents of the file itself were last modified on 11 Nov at 14:23:35 UTC.

[cite as: F. Bi. 2009. What we know about the CRU attacker, part trois: the .zip file. Intl. J. Inact., 2:102]

I just downloaded the FOI2009.zip file containing the cracked CRU content (I used the megaupload copy), and while I don’t intend to open up the actual content inside, I did study the structure and metadata of the .zip file, and I found some interesting things:

Of the 4,662 files in the archive, 3,172 seem to have been last modified under a timezone of -0500 (somewhere in the Americas), 1,487 under a timezone of -0400, and 3 under a timezone of around -0000 (ah — now that’s closer to Britain).

The .zip file itself contains two smaller .zip files:

• mbh98-osborn.zip, in which 2,171 of its files yielded a timezone of -0400, and 4 files had a timezone of -0500;
• russia.zip, which contains no timezone information.

All archive members with timezone information gave a user ID (uid) and group ID (gid) of 1,002, which is very close to a nice round number.

Addendum: I’ve uploaded the program I wrote to analyze the .zip file.

Update 2009-11-29: There was a bug in the program which may potentially cause incorrect output for certain .zip files. It’s been fixed.

[cite as: F. Bi. 2009. Climategate, where unauthorized eavesdropping is a heroic deed. Intl. J. Inact., 2:101]

Remember the Watergate scandal, in which the then US President Richard Nixon was forced to resign after being implicated in wiretapping attempts on the political opposition? Now the global warming inactivists are calling the recent cyber-attack against CRU by the name “Climategate”. Apparently they now think that unauthorized eavesdropping is a very heroic and noble deed.

In any case, the ‘independent, non-partisan’ climate inactivist groups such as the International Climate ‘Science’ Coalition and the Heartland Institute have lost no time trying to report ‘independently’ and ‘non-partisan-ly’ on the “Climategate” affair. Joseph Bast of Heartland writes:

Last week, someone (probably a whistle-blower at the Climate Research Unit at the University of East Anglia, England) released emails and other documents written by Phil Jones, Michael Mann, and other leading scientists who edit and control the content of the reports of the Intergovernmental Panel on Climate Change (IPCC). [...]

It is possible that the emails and other documents [leaked from CRU] aren’t as damning as they appear to be on first look. [...] Looking at how past disclosures of fraud in the global warming debate have been dismissed or ignored by the mainstream media leads me to suspect they will try to sweep this, too, under the rug.

No, Joseph. They’re not damning even on first look. That’s why Bast needs to tell you what to think about the e-mails before you ‘read them for yourself’.