[cite as: F. Bi. 2009. What we know about the CRU attacker, part 3.2: the 3 odd files. Intl. J. Inact., 2:104–105]
Regarding the cyber-attack on the Climatic Research Unit of UEA: recall I mentioned that the
.zip file of the cracked material contains 3 files which don’t give a -0400 or -0500 time zone. Well, here are the details of the 3 files (and some other files in their vicinity within the
local-mtime 1991-06-03,12:04:28 gm-mtime 1991-06-03,16:04:28 gm-atime 2009-09-30,02:12:17 [ tz -0400 ] uid 1002 gid 1002 name FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/_00401.rw local-mtime 1991-06-03,12:12:42 gm-mtime 1991-06-03,16:12:42 gm-atime 2009-09-30,02:12:17 [ tz -0400 ] uid 1002 gid 1002 name FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/b00421.rw local-mtime 1980-01-01,00:00:00 gm-mtime 1980-01-01,00:16:46 gm-atime 2009-09-30,02:12:17 [ tz -0016 ] uid 1002 gid 1002 name FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/l00311.rw local-mtime 1980-01-01,00:00:00 gm-mtime 1980-01-01,00:38:26 gm-atime 2009-09-30,02:12:17 [ tz -0038 ] uid 1002 gid 1002 name FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/l00321.rw local-mtime 1980-01-01,00:00:00 gm-mtime 1980-01-01,00:43:36 gm-atime 2009-09-30,02:12:17 [ tz -0044 ] uid 1002 gid 1002 name FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/l00331.rw local-mtime 1991-06-03,06:15:02 gm-mtime 1991-06-03,10:15:02 gm-atime 2009-09-30,02:12:17 [ tz -0400 ] uid 1002 gid 1002 name FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/l00341.rw local-mtime 1991-06-03,06:41:52 gm-mtime 1991-06-03,10:41:52 gm-atime 2009-09-30,02:12:17 [ tz -0400 ] uid 1002 gid 1002 name FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/l00351.rw
The odd thing about the timestamps of the three files is that the modification times as local times (
local-mtime) and the modification times as UTC times (
gm-mtime) don’t seem to match up, no matter how one cuts it. I can’t figure out a good explanation for this that doesn’t involve the cracker messing directly with the
.zip file format to doctor the timestamps.
Well, maybe the cracker did mess directly with the
.zip format after all — in that case, it’ll mean that the time stamps on all the files are much less reliable indicators of actual file access times than I had thought. And even then, it still raises the question of why the cracker would want to do this. Why have these 3 timestamps stand out? What’s the significance of the time values 00:16:46, 00:38:26, and 00:43:36?