Past findings on FOI2009.zip (update: and more)

August 7th, 2010 (07:44 pm)

Tags: climatic research unit, david adam, eudora mail client, microsoft word documents, mike hulme, nature, steve mcintyre, swifthack, tarballs, time zones, yamal

Note: This blog post will be continually updated with links to my latest findings on the CRU cyber-attack. See the end of the post.

The old original International Journal Inactivism blog, in which I wrote on my early findings regarding the CRU cyber-attack, was "suspended" for a while, but it's now back up. During the suspension, I took the opportunity to summarize on this blog the main findings on the FOI2009.zip file released by the attacker; here they are:

Time zones [original write-ups at IJI]
All except 3 files in FOI2009.zip are recorded as being packaged under time zone settings -0500 and -0400, where -0400 is probably daylight saving time.
(As for the anomalous 3 files -- l00311.rw, l00321.rw, and l00331.rw, under FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/ -- a commenter Jason Petry pointed out that it's probably only because the resulting 'local time' of the files would come before 1 Jan 1980, and that's something which the .zip file structure can't handle.)
The .zip file itself contains 2 smaller .zip files:
mbh98-osborn.zip, whose members are also all in the -0500/-0400 time zone;
russia.zip, which gives no time zone information.
A graph and a complete list of file times in FOI2009.zip are available.
Mysterious extra bytes, or perhaps not so mysterious [original write-up at IJI]
In FOI2009.zip, all Microsoft Word document (.doc) files have sizes which are multiples of 256 -- except for 5 files:
FOIA/documents/magicc-tomike.doc (35,341 bytes)
FOIA/documents/potential-funding.doc (25,613 bytes)
FOIA/documents/sealevel_params.doc (34,317 bytes)
FOIA/documents/uea-tyndall-shell-memo.doc (23,053 bytes)
FOIA/documents/unit-proposal.doc (30,221 bytes)
When the file sizes are divided by 256, the remainder is exactly 13. And the 13 bytes at the end of each of the 5 files look like these:
000075E0   00 00 00 00  00 00 00 00  ........
000075E8   00 00 00 00  00 00 00 00  ........
000075F0   00 00 00 00  00 00 00 00  ........
000075F8   00 00 00 00  00 00 00 00  ........
00007600   73 68 2D 33  2E 31 24 20  sh-3.1$ 
00007608   65 78 69 74  0A           exit.
An anonymous friend of Anna commented,
"Looks like the attacker used some method of breaking into the machine where the file was stored (or where it was accessible over the network), ran something like "cat file.doc" and on his local machine ran a screen capture program to capture the results. Exiting the interactive shell on the compromised machine left the residue in the result that the attacker was too lazy to remove. This is expecially likely to be the case if normal .doc files are a multiple of 256 bytes."

Updates

More past findings
- 2010-08-11: There was another finding on FOI2009.zip which I forgot to mention: a .tar file renamed as a .pdf file.
- 2010-11-21: In case you missed these: there's also a a diagram showing how the SwiftHack archive was probably created, and then there's a summary of the SwiftHackers' known actions besides creating FOI2009.zip.
- 2011-03-12: I should probably also mention that the machine crua6.cru.uea.ac.uk -- probably used for research -- was exposed to the Internet for quite a period of time, even after SwiftHack.
Newer findings and other notes
- 2011-03-12: Just to mention a few more tidbits from back in October to December:
  1. According to blogger The Ville, CRU scientist Mike Hulme said that he had received messages from an "American" threatening to spill data from CRU, prior to SwiftHack.
  2. Nature journalist David Adam claimed he got information from "a very well placed source" which rules out the theory that the CRU incident was a leak, but the source asked Adam "not to go into details".
  3. The attackers clearly put special effort put into rearranging the Briffa/Yamal portions of FOI2009.zip. This leads me to theorize that the attackers originally wanted McIntyre to harp on the Briffa/Yamal issue.
  And some useless trivia: the router which was used by the attacker to comment "A miracle just happened" recently got a firmware update.
- 2011-12-31: added a link above to the graph and data on file times in FOI2009.zip.
For reports on possible SwiftHacker sightings, see the relevant blog post.

navigate

about

ijish

blurb

.:Introduction:.

(If you don't already know what "climate change" or "global warming" is, read Weart's excellent write-up first.)

In 2009, a UK climatology centre, the Climatic Research Unit of the University of East Anglia, was hit by a cyber-attack. E-mails and data were stolen, and published on the Internet in two batches, once in 2009 shortly before the UN Climate Change Conference in Copenhagen, Denmark, and once in 2011 shortly before the conference in Durban, South Africa. Global warming `skeptics' -- people who dispute that the Earth is warming due to mankind's burning of fossil fuels -- quickly used the e-mails to portray global warming as being a hoax, and tried to manufacture a 'Climategate scandal' of climate science.

This blog comments on SwiftHack -- the cyber-attack on climate science -- and seeks to uncover the truth behind the events surrounding the attack.

For background and more, see the links on the right side of the page.

.:Attention!:.

If you have any information pertaining to the CRU cyber-attack which you think I show know about, please e-mail me at swifthack at mail dash on dot us.

April 2012

1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28
29	30