International Journal of Inactivism (now supplanted by Decoding SwiftHack)

2009/11/27

What we know about the CRU attacker, part trois: the .zip file

Filed under: Climatic Research Unit crack — stepanovich @ 18:02

[cite as: F. Bi. 2009. What we know about the CRU attacker, part trois: the .zip file. Intl. J. Inact., 2:102]

I just downloaded the FOI2009.zip file containing the cracked CRU content (I used the megaupload copy), and while I don’t intend to open up the actual content inside, I did study the structure and metadata of the .zip file, and I found some interesting things:

Of the 4,662 files in the archive, 3,172 seem to have been last modified under a timezone of -0500 (somewhere in the Americas), 1,487 under a timezone of -0400, and 3 under a timezone of around -0000 (ah — now that’s closer to Britain).

The .zip file itself contains two smaller .zip files:

  • mbh98-osborn.zip, in which 2,171 of its files yielded a timezone of -0400, and 4 files had a timezone of -0500;
  • russia.zip, which contains no timezone information.

All archive members with timezone information gave a user ID (uid) and group ID (gid) of 1,002, which is very close to a nice round number.

Addendum: I’ve uploaded the program I wrote to analyze the .zip file.

Update 2009-11-29: There was a bug in the program which may potentially cause incorrect output for certain .zip files. It’s been fixed.
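The kind of metadata reading described in this post, as an added example (not the author's program, which is not reproduced on this page). It assumes the timezone is inferred by comparing the DOS local modification time in each local file header with the UTC time in the Info-ZIP "UT" extra field (0x5455), and that uid/gid come from the older 16-bit "Ux" field (0x7855); the archive returned by `build_sample()` is constructed for illustration.

```python
import io, struct, zipfile
from datetime import datetime, timezone

def local_extra(fp, info):
    """Extra-field bytes from the member's local file header."""
    fp.seek(info.header_offset)
    hdr = struct.unpack("<4s5H3L2H", fp.read(30))
    if hdr[0] != b"PK\x03\x04":
        raise ValueError("bad local header: %r" % info.filename)
    fp.seek(hdr[9], 1)  # skip the file name
    return fp.read(hdr[10])

def subfields(extra):
    """Yield (header_id, data) pairs; stop at a truncated subfield."""
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        data = extra[pos + 4:pos + 4 + size]
        if len(data) < size:
            break
        yield hid, data
        pos += 4 + size

def member_metadata(fp):
    """Map member name -> (UTC offset or None, uid, gid)."""
    out = {}
    with zipfile.ZipFile(fp) as zf:
        infos = zf.infolist()
    for info in infos:
        offset = uid = gid = None
        for hid, data in subfields(local_extra(fp, info)):
            if hid == 0x5455 and len(data) >= 5 and data[0] & 1:  # "UT" with mtime
                utc = datetime.fromtimestamp(struct.unpack_from("<l", data, 1)[0], timezone.utc)
                local = datetime(*info.date_time, tzinfo=timezone.utc)  # DOS wall-clock time
                mins = round((local - utc).total_seconds() / 60)
                offset = "%s%02d%02d" % ("-" if mins < 0 else "+", *divmod(abs(mins), 60))
            elif hid == 0x7855 and len(data) >= 4:  # "Ux": 16-bit uid, gid
                uid, gid = struct.unpack_from("<HH", data)
        out[info.filename] = (offset, uid, gid)
    return out

def build_sample():
    """Constructed member: 06:00 local, 11:00 UTC, uid = gid = 1002."""
    utc = int(datetime(2009, 1, 1, 11, tzinfo=timezone.utc).timestamp())
    info = zipfile.ZipInfo("sample.txt", date_time=(2009, 1, 1, 6, 0, 0))
    info.extra = struct.pack("<HHBl", 0x5455, 5, 1, utc) + struct.pack("<4H", 0x7855, 4, 1002, 1002)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(info, b"constructed sample")
    return buf
```

DOS timestamps have two-second resolution and record no zone, so the derived offset reflects the clock setting of the machine that built the archive, rounded to the minute.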


3 Comments »

  1. I don’t know if you are aware, but in the UK we refer to the FIA or a FOI request. We rarely use the term FOIA, which is the term used by the hacker.

    Comment by Turboblocke — 2009/11/29 @ 09:41

  2. […] I mentioned that the .zip file of the cracked material contains 3 files which don’t give a -0400 or -0500 time zone. Well, here are the details of the 3 files (and some other files in their vicinity within the […]

    Pingback by What we know about the CRU attacker, part 3.2: the 3 odd files « International Journal of Inactivism — 2009/12/04 @ 13:48

  3. […] An interesting exercise might be to try to find out, for each of the files in FOIA/documents/, which e-mail in FOIA/mail/ it was attached to. (Meanwhile, the uid (1,003) and gid (513) given by the .tar file raises interesting questions, especially when one compares them against the uid and gid given by the containing .zip file.) […]

    Pingback by Where the CRU attacker might have got the code and data files from « International Journal of Inactivism — 2009/12/26 @ 00:51

