[cite as: F. Bi. 2009. What we know about the CRU attacker, part trois: the
.zip file. Intl. J. Inact., 2:102]
I just downloaded the FOI2009.zip file containing the cracked CRU content (I used the megaupload copy), and while I don’t intend to open up the actual content inside, I did study the structure and metadata of the .zip file, and I found some interesting things:
Of the 4,662 files in the archive, 3,172 seem to have been last modified under a timezone of -0500 (somewhere in the Americas), 1,487 under a timezone of -0400, and 3 under a timezone of around -0000 (ah — now that’s closer to Britain).
The .zip file itself contains two smaller .zip files:
mbh98-osborn.zip, in which 2,171 of its files yielded a timezone of -0400, and 4 files had a timezone of -0500;
russia.zip, which contains no timezone information.
All archive members with timezone information gave a user ID (uid) and group ID (gid) of 1,002, which is very close to a nice round number.
Addendum: I’ve uploaded the program I wrote to analyze the
Update 2009-11-29: There was a bug in the program which may potentially cause incorrect output for certain .zip files. It’s been fixed.
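The post does not say how the per-file timezone and uid/gid values were obtained. The sketch below is an added example, not the author's program: it assumes the offset is the difference between each member's DOS timestamp (local wall-clock time) and the UTC mtime in the "UT" extra field (0x5455), and that uid/gid come from the Info-ZIP "ux" field (0x7875) in the central directory. The helper names and the sample archive are constructed for illustration.

```python
import calendar, io, struct, zipfile

def parse_extra(extra):
    """Return (utc_mtime, uid, gid) from a member's extra-field blocks."""
    mtime = uid = gid = None
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        data = extra[pos + 4:pos + 4 + size]
        pos += 4 + size
        if hid == 0x5455 and len(data) >= 5 and data[0] & 1:
            # "UT" extended timestamp: flags byte, then mtime in Unix time (UTC)
            mtime = struct.unpack_from("<i", data, 1)[0]
        elif hid == 0x7875 and len(data) >= 3 and len(data) >= 3 + data[1]:
            # "ux" Info-ZIP Unix field: version, uid size, uid, gid size, gid
            n = data[1]
            uid = int.from_bytes(data[2:2 + n], "little")
            gid = int.from_bytes(data[3 + n:3 + n + data[2 + n]], "little")
    return mtime, uid, gid

def member_metadata(zip_bytes):
    """List (name, UTC offset as +/-HHMM or None, uid, gid) per member."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            mtime, uid, gid = parse_extra(zi.extra)
            offset = None
            if mtime is not None:
                # The DOS timestamp is local wall-clock time; the UT field is UTC.
                minutes = round((calendar.timegm(zi.date_time) - mtime) / 60)
                sign = "-" if minutes < 0 else "+"
                offset = "%s%02d%02d" % (sign, *divmod(abs(minutes), 60))
            rows.append((zi.filename, offset, uid, gid))
    return rows

def build_sample():
    """Constructed archive: members stamped as UTC-5 and UTC-4 hosts would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, utc, local in [("a.txt", (2009, 1, 15, 17, 0, 0), (2009, 1, 15, 12, 0, 0)),
                                 ("b.txt", (2009, 7, 15, 16, 0, 0), (2009, 7, 15, 12, 0, 0))]:
            zi = zipfile.ZipInfo(name, date_time=local)
            zi.extra = (struct.pack("<HHBi", 0x5455, 5, 1, calendar.timegm(utc))
                        + struct.pack("<HHBBIBI", 0x7875, 11, 1, 4, 1002, 4, 1002))
            zf.writestr(zi, "constructed sample")
    return buf.getvalue()

if __name__ == "__main__":
    for row in member_metadata(build_sample()):
        print(row)
```

When the archiver converts each file's modification time with the C library's localtime(), as assumed here, the offset is the one in effect on that file's date, so a single machine in a zone with daylight saving time produces two offsets one hour apart. Members with no "UT" field yield no offset, which matches an archive that "contains no timezone information".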