International Journal of Inactivism (now supplanted by Decoding SwiftHack)

2009/12/26

Where the CRU attacker might have got the code and data files from

Filed under: Climatic Research Unit crack,Gavin Schmidt — stepanovich @ 00:45

[cite as: F. Bi. 2009. Where the CRU attacker might have got the code and data files from. Intl. J. Inact., 2:111]

Here’s yet another strange finding regarding the computer break-in at the Climatic Research Unit (CRU) of UEA. Regarding how the cracker managed to obtain the e-mails, program code, data, and other documents from the CRU computers, realclimate.org blogger Gavin Schmidt has said that

[Response: My information is that it was a hack into their [CRU’s] backup mailserver. – gavin]

Now, the main problem with this explanation is that it seems to explain only how the cracker got the e-mails, but not how he could’ve obtained the code, data, and documents. That was what I thought too, until I checked out the file FOIA/documents/communicating_cc.pdf in the .zip file of the cracked material. Although the file is called a .pdf, it’s in fact a .tar file containing a single .pdf file:

  $ TZ=GMT+0 tar tvf FOIA/documents/communicating_cc.pdf
  -rwx------ 1003/513    1489535 2006-10-03 08:04 ./Eudora/Attach/communicating_climate_change.pdf

So, according to the path recorded inside the archive, the file was residing in a Eudora/Attach/ directory before it was wrapped into a .tar! This suggests that the cracker might not have obtained the code, data, and documents in the form of stand-alone files; rather, he might have obtained them by extracting attachments from e-mails. Certainly, this would explain how a cracker might be able to obtain code and data by breaking into an e-mail server — though it doesn’t prove this is what actually happened.
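
The check above (comparing what a file’s name claims with what its bytes actually contain, then recording the inner path, uid/gid, mode and timestamp) is something an examiner would want to script across a whole directory. The following is an added example, not code from the original post; it builds a constructed sample tar with the same shape as the one described (one member under ./Eudora/Attach/, uid 1003, gid 513, mode 0700, mtime 2006-10-03 08:04 GMT, dummy content) and then sniffs and lists it. The sample data is constructed, not the real document.

```python
import io
import tarfile
from datetime import datetime, timezone

# Constructed sample mirroring the shape described in the post. The member's
# bytes are a placeholder PDF header, not the real document.
MEMBER_PATH = "./Eudora/Attach/communicating_climate_change.pdf"
MEMBER_MTIME = int(datetime(2006, 10, 3, 8, 4, tzinfo=timezone.utc).timestamp())


def build_sample_tar() -> bytes:
    """Build an in-memory tar with one member carrying the metadata of interest."""
    payload = b"%PDF-1.4\n% constructed placeholder, not a real document\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tf:
        info = tarfile.TarInfo(name=MEMBER_PATH)
        info.size = len(payload)
        info.uid, info.gid = 1003, 513
        info.mode = 0o700
        info.mtime = MEMBER_MTIME
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def sniff_container(data: bytes) -> str:
    """Identify the real container format from magic bytes, ignoring the extension."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    # POSIX ustar and GNU tar both put "ustar" at offset 257 of the first header block.
    if len(data) >= 262 and data[257:262] == b"ustar":
        return "tar"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    return "unknown"


def list_tar_members(data: bytes) -> list:
    """Record, per member, what `tar tvf` shows: path, uid/gid, mode, size, mtime (UTC)."""
    members = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
        for m in tf.getmembers():
            members.append({
                "path": m.name,
                "uid": m.uid,
                "gid": m.gid,
                "mode": oct(m.mode & 0o777),
                "size": m.size,
                "mtime_utc": datetime.fromtimestamp(m.mtime, tz=timezone.utc)
                                      .strftime("%Y-%m-%d %H:%M"),
            })
    return members


def examine(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with the sniffed container; list members if it is a tar."""
    claimed = filename.rsplit(".", 1)[-1].lower()
    actual = sniff_container(data)
    report = {
        "filename": filename,
        "claimed": claimed,
        "actual": actual,
        "mismatch": claimed != actual,
        "members": [],
    }
    if actual == "tar":
        report["members"] = list_tar_members(data)
    return report


if __name__ == "__main__":
    print(examine("communicating_cc.pdf", build_sample_tar()))
```

Run over a real evidence directory, `examine()` would be called on each file’s bytes; the `mismatch` flag picks out exactly the files whose extension lies about their contents, and the recorded member paths and uid/gid pairs are the clues the post draws on.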

An interesting exercise might be to try to find out, for each of the files in FOIA/documents/, which e-mail in FOIA/mail/ it was attached to. (Meanwhile, the uid (1003) and gid (513) given by the .tar file raise interesting questions, especially when one compares them against the uid and gid given by the containing .zip file.)
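
One way to carry out that exercise is to hash every decoded attachment in the mail corpus and look each document up by content hash, hashing the inner member too where a document turns out to be a tar wrapper like communicating_cc.pdf. This is an added example, not code from the original post; the two e-mails, the three documents, the Message-IDs and the file contents are all constructed stand-ins for FOIA/mail/ and FOIA/documents/, not the real material.

```python
import email
import hashlib
import io
import tarfile
from email.message import EmailMessage
from email.policy import default as default_policy


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- constructed sample corpus (stand-in for FOIA/mail/ and FOIA/documents/) ---
ATTACHMENT_A = b"%PDF-1.4\n% constructed placeholder A\n"
ATTACHMENT_B = b"constructed data file B\n1.0 2.0 3.0\n"


def make_mail(msg_id: str, subject: str, filename: str, payload: bytes) -> bytes:
    """Build one RFC 5322 message carrying a single attachment."""
    msg = EmailMessage(policy=default_policy)
    msg["Message-ID"] = msg_id
    msg["Subject"] = subject
    msg.set_content("See attached.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def wrap_in_tar(inner_path: str, payload: bytes) -> bytes:
    """Re-wrap a file into a tar the way communicating_cc.pdf was."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name=inner_path)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


SAMPLE_MAIL = [
    make_mail("<a@example.invalid>", "communication", "communicating_climate_change.pdf", ATTACHMENT_A),
    make_mail("<b@example.invalid>", "data", "series.dat", ATTACHMENT_B),
]

# One plain copy, one copy re-wrapped into a tar, one file that matches no e-mail.
SAMPLE_DOCS = {
    "series.dat": ATTACHMENT_B,
    "communicating_cc.pdf": wrap_in_tar("./Eudora/Attach/communicating_climate_change.pdf", ATTACHMENT_A),
    "orphan.txt": b"no e-mail in the sample carries this\n",
}


def index_attachments(raw_mails) -> dict:
    """Map sha256(decoded attachment) -> [(Message-ID, attachment filename), ...]."""
    index = {}
    for raw in raw_mails:
        msg = email.message_from_bytes(raw, policy=default_policy)
        for part in msg.iter_attachments():
            digest = sha256(part.get_payload(decode=True))
            index.setdefault(digest, []).append((str(msg["Message-ID"]), part.get_filename()))
    return index


def candidate_digests(data: bytes) -> list:
    """Hash the document as-is and, if it is a tar wrapper, each regular member inside."""
    digests = [sha256(data)]
    if len(data) >= 262 and data[257:262] == b"ustar":
        with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
            for m in tf.getmembers():
                if m.isfile():
                    digests.append(sha256(tf.extractfile(m).read()))
    return digests


def match_documents(docs: dict, raw_mails) -> dict:
    """For each document name, list the (Message-ID, filename) pairs whose attachment matches."""
    index = index_attachments(raw_mails)
    result = {}
    for name, data in docs.items():
        hits = []
        for digest in candidate_digests(data):
            hits.extend(index.get(digest, []))
        result[name] = hits
    return result


if __name__ == "__main__":
    for name, hits in match_documents(SAMPLE_DOCS, SAMPLE_MAIL).items():
        print(name, "->", hits or "no matching attachment")
```

Exact-hash matching only finds documents that survived unchanged; a file that was re-saved, converted or edited after extraction will come back with no hits, which is why the unmatched list is as informative as the matched one.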

* * *

Addendum 2009-12-26: If you’re on a Windows PC with WinZip installed, you can view the contents of
communicating_cc.pdf by renaming it to communicating_cc.tar, and then opening that with WinZip.


8 Comments »

  1. typo
    “now he could’ve obtained”
    s/now/not

    Wish I knew more about this stuff & could be of use…

    Comment by Anna — 2009/12/26 @ 19:11 | Reply

    • s/now/not

      Argh! It’s fixed; thanks for letting me know.

      Wish I knew more about this stuff & could be of use…

      Don’t we all? 🙂 The problem with this stuff is that the information seems to be scattered all over the place. I’ll be blessed if there’s a single book somewhere that explains how to track down cyber-attackers. Also, I need more free time. 🙂

      Comment by frankbi — 2009/12/26 @ 19:36 | Reply

      • It is unlikely that they would be so stupid as to leave us clues in the stolen data. More information could be perhaps obtained by reading through the denialosphere, but who has the stomach for that?

        Comment by hidden — 2009/12/27 @ 03:18 | Reply

        • hidden:

          Then again, the denialosphere is somewhat larger than a single .zip file, and also correspondingly harder to sift through. If I can magically know which denier web site I should keep an eye on, it’ll be much easier. :-B

          Comment by frankbi — 2009/12/27 @ 03:25

        • Btw, you are correct about the source of the files. There is a myriad of attachments in those e-mails; however, it will be impossible to trace all the files to their original e-mails because only some of them are mentioned directly (RulesOfTheGame, letter to Mike…) and we have only a small selection of all the e-mails and files stolen.

          Comment by hidden — 2009/12/27 @ 07:08

        • hidden:

          Yeah, it’s tricky. It may also be possible that some files were actually ripped directly from scientists’ home directories…

          Comment by frankbi — 2009/12/27 @ 07:23

    • “Sounds like sloppy work to me. The attacker tar-ed up the file on a
      machine where it was stored, then copied the file elsewhere using a
      method that doesn’t preserve the file name, forgetting that he had made a
      tar file. As a result he forgot to untar it again to extract the pdf.”

      (fyi, I am channeling He Who Knows More Than Me.)

      Comment by Anna — 2009/12/27 @ 05:47 | Reply

      • I’d certainly like to meet your mystery friend. 🙂

        Comment by frankbi — 2009/12/27 @ 07:25 | Reply
