BigCityLib: maybe SwiftHacker wanted to rile up BBC's Hudson but failed; another look at file times

September 4th, 2010 (01:33 pm)

In response to my post about the Muir Russell "Climategate" inquiry's meeting notes, BigCityLib theorizes:

For me, the most interesting bit of information from the notes is:
JCF [CRU Director Information Services Jonathan Colam-French] -- hackers were in from Oct (we believe they offered info to BBC in early October) and again mid Nov. Not sure if they were continuously hacking in the meantime.
The BBC writer referenced above is almost certainly Paul Hudson; it seems likely that, after Hudson's piece -- "Whatever Happened To Global Warming" -- generated a series of negative e-mail comments from CRU staff, the hackers shopped these emails to Hudson in hopes that he might take offense and write another story along the same lines as his original. When this did not occur, the hackers gathered further material and looked around for a place to dump it.
The relevant statement in Hudson's blog entry reads,
[...] I will in the meantime answer the question regarding the chain of e-mails which you have been commenting about on my blog, which can be seen here, and whether they are genuine or part of an elaborate hoax.

I was forwarded the chain of e-mails on the 12th October, which are comments from some of the world's leading climate scientists written as a direct result of my article 'whatever happened to global warming'. The e-mails released on the internet as a result of CRU being hacked into are identical to the ones I was forwarded and read at the time and so, as far as I can see, they are authentic.
This is rather vague, alas. BigCityLib tried asking Hudson to clarify exactly what he received from his sources, but apparently hasn't received any reply.

Anyway, the Muir Russell meeting notes and Paul Hudson's words give us two possible times representing a 'break' in the cracker's activity, so I thought it might be useful to examine the file access times in FOI2009.zip and see how they match up with these two times. A commenter pointed out that the files were probably packed in batches into .tar files, then unpacked, before being packed again into .zip files -- and for technical reasons,[1] the access times recorded in the final .zip will correspond to the time at which the .tar unpacking occurred. Here is a summary of the file access times:
  • 16 Sep 2009
    • 18:58:54 UTC: A Report of the Successful Grant Writing Meeting  22 Nov 2000.doc, briffa-keigwin.email.txt, fundingcomments.doc, ianh-greenpeace-ships.jpg, TC Research Funding.doc
  • 26 Sep 2009
    • 05:04:11 UTC: ipcc-santer2.txt
  • 27 Sep 2009
    • 00:23:55 UTC: cru-code/ directory tree
    • 19:58:58 UTC: yamal/brif-tab.prn, yamal/chron.rwm, yamal/info.txt, yamal/living.rwm, yamal/por.rwm, yamal/sf2.dat, yamal/sf2note.txt, yamal/sf2.txt, yamal/s-fos.rwm, yamal/ymiss.dat
  • 28 Sep 2009
    • 07:37:45 UTC: CRU-COF_Report.pdf, CRU-sr-external-input.pdf, CRU strategic review agenda 1.doc
    • 09:49:49 UTC: ECLAT2.doc, tims contracts.xls
  • 29 Sep 2009
    • 06:12:53 UTC: RAPID-briffa-description-16jul.doc, SOAP/SOAP-proposal-briffa-osborn.pdf, SOAP/SOAP part B 02-10-01.doc, SOAP/SOAP part B 05-10-01.doc, SOAP/SOAP part B 08-10-01.doc, SOAP/SOAP part B 09-10-01.doc, SOAP/SOAP part B 10-10-01.doc, SOAP/SOAP part B 11-10-01.doc, SOAP/SOAP part C 02-10-01.doc, SOAP/SOAP part C 03-10-01.doc, SOAP/SOAP part C 04-10-01.doc, SOAP/SOAP part C 05-10-01.doc, SOAP/SOAP part C 09-10-01.doc, SOAP/SOAP part C 10-10-01.doc, SOAP/SOAP part C 11-10-01.doc
  • 30 Sep 2009
    • 02:12:17 UTC: briffa-treering-external/ directory tree
    • 02:16:11 UTC: harris-tree/, osborn-tree3/, osborn-tree4/, osborn-tree5/, osborn-tree6/ directory trees
  • 01 Oct 2009
    • 17:08:48 UTC: yamal/93.lst, yamal/c14.lst, yamal/cofecha1.com, yamal/cofecha2.com, yamal/cores.dat, yamal/coresset64.raw, yamal/coresset80.raw, yamal/coresset82a.raw, yamal/coresset82.raw, yamal/coresset85.raw, yamal/coresset86.raw, yamal/coresset88.raw, yamal/coresset91.raw, yamal/coresset93.raw, yamal/float.lst, yamal/flxlist., yamal/input.dat, yamal/master.dat, yamal/pick1.raw, yamal/pick2.raw, yamal/picklong.com, yamal/picklong.for, yamal/read.me, yamal/reform.com, yamal/reform.for, yamal/sfwxlist.
    • 17:19:34 UTC: yamal/ars.crn, yamal/comptous.f, yamal/living.raw, yamal/por.raw, yamal/rcs.crn, yamal/res.crn, yamal/rrw.crn, yamal/std.crn, yamal/subfos.crn, yamal/subfos.out, yamal/subfos.raw, yamal/subfos.tab, yamal/sub_rbar.res, yamal/sub_rbar.rrw, yamal/sub_rbar.std, yamal/yamalsf.files, yamal/yamalsf.log
    • 19:03:03 UTC: SOAP/SOAP-D15-berlin-d15-jj.doc, SOAP/SOAP-D15-intro-gkss.doc, SOAP/SOAP-D15-marcel-kuettel.doc, SOAP/SOAP-D15-report-udesam.doc
    • 21:38:10 UTC: Adam budget.doc, ADAM second-order draft.pdf
  • 03 Oct 2009
    • 00:50:31 UTC: yamal/yamal2.crns, yamal/yamal2.rwm_crns, yamal/yamalrcs.crn, yamal/yamal.rwm, yamal/yamal.rwm_crns, yamal/yamal.rwm_detail, yamal/yamal.rwm_log, yamal/yamal.rwm_out, yamal/yamal.rwm_raw_rbar, yamal/yamal.rwm_res_rbar, yamal/yamal.rwm_std_rbar, yamal/yamal.rwm_tabs, yamal/yamal.rwm_trn_rbar
    • 00:59:59 UTC: kbmisc/ directory tree, yamal/yamal03Kcrns.ars, yamal/yamal03Kcrns.raw, yamal/yamal03Kcrns.rcs, yamal/yamal03Kcrns.res, yamal/yamal03Kcrns.std, yamal/yamal03K.dat, yamal/yamal03K.dat_crns, yamal/yamal03K.dat_detail, yamal/yamal03K.dat_log, yamal/yamal03K.dat_out, yamal/yamal03K.dat_raw, yamal/yamal03K.dat_res, yamal/yamal03K.dat_tabs, yamal/yamal.dat
    • 01:16:04 UTC: kbtree/ directory tree
  • 05 Oct 2009: (CRU's Steve Mosley: 'Appears that hackers hacked 5 Oct')
  • 08 Oct 2009
    • 14:45:24 UTC: AR4SOR_BatchAB_Ch06-KRB-1stAug.doc, circ_inconsistency.doc, idl_cruts3_2005_vs_2008b.pdf, MannHouseReply.pdf, Review-Santer-et-al-2008.doc, RulesOfTheGame.pdf, santer-etal2008review03052008.doc
    • 19:24:58 UTC: 080214_SUNYA_draft.pdf
  • 10 Oct 2009
    • 01:25:58 UTC: Mann uncertainty.doc
    • 01:26:09 UTC: letter to Mike  - 13.10.06.doc
  • 11 Oct 2009
    • 03:06:02 UTC: review_mannetal.doc, Review of Wahl&Amman.doc, review_schmidt.doc, SanteretalSciencereview.doc
    • 10:46:55 UTC: 080222_ZMZeng_Inputs.pdf
    • 12:30:52 UTC: hadcrut3_gmr+defra_report_200503.pdf, pdj_grant_since1990.xls, jones-foiathoughts.doc
  • 12 Oct 2009: (Paul Hudson reportedly received "chain of e-mails")
  • 15 Oct 2009
    • 09:19:08 UTC: marooned.jpg
  • 24 Oct 2009
    • 18:00:00 UTC: mannuncert.txt
  • 15 Nov 2009
    • 17:55:23 UTC: Extreme2100.pdf
    • 20:43:56 UTC: trend_profiles_dogs_dinner.png
  • 16 Nov 2009
    • 07:27:52 UTC: EURO4M_DoW_v2.doc
    • 16:43:25 UTC: all files in mbh98-osborn.zip
Oh well. It's hard to make out what was really going on, but here are a few notes:
  • The file ipcc-santer2.txt, which seems to be unpacked (?) at 16 Sep 2009 05:04:11 UTC, was already on the web as early as 2006, so it might not have been cracked from CRU.
  • The files in SOAP/ and yamal/ were apparently unpacked in several batches, instead of all at once like the other directory trees. But why?
  • There were long waits between 15 Oct and 24 Oct 2009, and 24 Oct and 15 Nov 2009.
  • Starting from 8 Oct 2009, the unpacked files were all document files and graphics files... with the exception of mbh98-osborn.zip. Again, why? And what does this mean in the light of Mosley's statement that the cyber-attacks appear to have started from 5 Oct 2009?
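
A listing like the one above can be rebuilt from an archive by reading the per-file access time and grouping members that share it. The sketch below is an added example, not the script used for this post. It assumes the archive was written by a tool that stores the Info-ZIP "extended timestamp" (UT) extra field, which keeps the access time only in each entry's local header. The sample archive is constructed: the names and access times are taken from the list above, the modification time is made up.

```python
import io, struct, zipfile
from collections import defaultdict
from datetime import datetime, timezone

UT_ID = 0x5455  # Info-ZIP "extended timestamp" extra field

def local_extra(fp, info):
    """Raw extra field from an entry's local header (where UT keeps atime)."""
    fp.seek(info.header_offset)
    sig, name_len, extra_len = struct.unpack("<4s22xHH", fp.read(30))
    if sig != b"PK\x03\x04":
        raise ValueError("bad local header: %r" % info.filename)
    fp.seek(name_len, 1)
    return fp.read(extra_len)

def ut_atime(extra):
    """Access time (UTC) from a UT field, or None if the field is absent."""
    pos = 0
    while pos + 4 <= len(extra):
        fid, size = struct.unpack_from("<HH", extra, pos)
        body, pos = extra[pos + 4:pos + 4 + size], pos + 4 + size
        if fid != UT_ID or not body:
            continue
        off = 5 if body[0] & 1 else 1      # skip mtime when flag bit 0 is set
        if body[0] & 2 and off + 4 <= len(body):
            return datetime.fromtimestamp(
                struct.unpack_from("<i", body, off)[0], timezone.utc)
    return None

def batches_by_atime(fp):
    """Map each recorded access time to the member names sharing it."""
    groups = defaultdict(list)
    with zipfile.ZipFile(fp) as zf:
        for info in zf.infolist():
            groups[ut_atime(local_extra(fp, info))].append(info.filename)
    return dict(groups)

def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)

def build_sample():
    """Constructed archive: names and atimes from the list above, mtime made up."""
    buf, mtime = io.BytesIO(), int(utc(2006, 1, 1).timestamp())
    rows = [("yamal/info.txt", utc(2009, 9, 27, 19, 58, 58)),
            ("yamal/chron.rwm", utc(2009, 9, 27, 19, 58, 58)),
            ("yamal/read.me", utc(2009, 10, 1, 17, 8, 48))]
    with zipfile.ZipFile(buf, "w") as zf:
        for name, atime in rows:
            zi = zipfile.ZipInfo(name)
            zi.extra = struct.pack("<HHBii", UT_ID, 9, 3, mtime, int(atime.timestamp()))
            zf.writestr(zi, b"")
    return buf
```

Members without a UT field, or whose field carries only a modification time, end up under the `None` key rather than being given a guessed time.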

  1. Maybe I should elaborate on this point. Let me know if you'd like me to.

Update 2010-11-27: About yamal/, there's more, more, and more.