Gavin Schmidt states categorically that the FOIA.zip was uploaded to RC around 6.20 am Eastern [Update - Aug 23, 2011: noticed that this was changed to 7:20 am] and that 4 downloads took place prior to RC regaining control of their blog.
He also observes that there is a previously unnoticed reference to the file (and I confirm that I had not previously noticed the significance of the comment here at 5.24 am blog time (7.24 am Eastern) where the name of the poster “RC” (identified as firstname.lastname@example.org ) included a hyperlink http://www.realclimate.org/FOIA.zip with a comment as follows:
A miracle just happened.
What was the miracle? Posting the file at RC or getting the file in the first place? Dunno. Gavin’s comment in full is as follows:
There seems to be some doubt about the timeline of events that led to the emails hack. For clarification and to save me going through this again, this is a summary of my knowledge of the topic. At around 6.20am (EST) Nov 17th,[Update - Aug 23, 2011: noticed that this was changed at RC to 7:20 am] somebody hacked into the RC server from an IP address associated with a computer somewhere in Turkey, disabled access from the legitimate users, and uploaded a file FOIA.zip to our server. They then created a draft post that would have been posted announcing the data to the world that was identical in content of the comment posted on The Air Vent later that day. They were intercepted before this could be posted on the blog. This archive appears to be identical to the one posted on the Russian server except for the name change. Curiously, and unnoticed by anyone else so far, the first comment posted on this subject was not at the Air Vent, but actually at ClimateAudit (comment 49 on a thread related to stripbark trees, dated Nov 17 5.24am (Central Time I think)). [SM note - actually 7.24 am Eastern] The username of the commenter was linked to the FOIA.zip file at realclimate.org. Four downloads occurred from that link while the file was still there (it no longer is).
The use of a turkish computer would seem to imply that this upload and hack was not solely a whistleblower act, but one that involved more sophisticated knowledge. If SM or JeffID want to share the IPs associated with the comments on their sites, I’ll be happy to post the IP address that was used to compromise RC.
I don’t know why Gavin wants to enter into negotiations about disclosing IP addresses. I’m not interested in such negotiations. The IP address of the commenter at CA was Russian 184.108.40.206.
Lots of theories.