A Hex dump from the FOI2009.zip central directory contains some interesting tidbits.

Here it is for anyone interested…

50 4B 03 04 0A 00 00 00 00 00 00 00 21 3A 00 00
00 00 00 00 00 00 00 00 00 00 05 00 15 00 46 4F
49 41 2F 55 54 09 00 03 D0 4D 5C 49 D0 4D 5C 49
55 78 04 00 EA 03 EA 03

Converting it to text with a zipfile template reveals this:

PK vendor signature (pkzip)
10 version
0 host operating system (0=MS-DOS and OS2 FAT)
COMP_STORED (0) (no compression on central directory)
00:00:00 msdos time
01/01/2009 msdos date
0h CRC
0 compressed file size
0 uncompressed file size
5 short filename length
21 extra field length

What stands out the most is the creation/last modified date. All 4,559 files show 00:00:00 01/01/2009 in their respective local file headers, which dovetails nicely with the file name. Our leaker is a bit of a jokester.

Checked PKZIP on Wiki. Version 10 is the Enterprise edition for i5/OS IBM server platforms.

Combining this with the 4 hour offset in the .txt file names (GMT+4), and we come up with an IBM server somewhere in Central Russia. Case Solved!

CRU has it’s own server located at cru.ac.uea.uk. All current traffic is being directed to an ad-hoc server at ac.uea.uk. due to the break-in.

However, all of the CRU email addresses contained within FOI2009.zip/mail are * (@)ac.uea.uk

They DID NOT have their own mail server. This is a huge fact being overlooked and has implications regarding Phil’s recent statement that he did not delete any emails.

Phil initiated the “delete ” conspiracy on May 29, 2008 (ref: 1212073451.txt). His tone was direct and emphatic. More than likely he deleted any incriminating email in the local archive he had password access to through his client application. It is highly unlikely that he had Root Directory access to the email server at ac.uea.uk. It is likely that he wasn’t even aware of it’s existance . This would explain the presence of all those controversial emails contained in the/email folder.

artewst permalink
OK – feel free to shoot down…

The files released seem to be a strange selection. On the one hand they seem mostly relevant to, say. an FOI request, but many are far too damaging to be willingly handed over.

In one of the speculative scenarios, the e-mail and documents represent files redacted from the larger main filesystem in preparation for the contingency of an imminent FOI release and investigation.

In other words, CRU may have removed these more sensitive files from the main system and put them into a special archive file for the purpose of concealing them from any FOI releases and/or investigations while not yet deleting and wiping them altogether. If an FOI investigaton had occurred, they could simply and quickly copy the file of redacted e-mail anddocuments to offline media, wipe all the files on the main volumes and restore only the sanitized filesystem, and represent to the investigators and public that the filesystem had simply undergone some prudent maintenance to improve the performance and security of the computer systems.

After receiving a good housekeeping seal of approval from friendly investigators who see no need to unnecessarily inconvenient the esteemed “scientists” hard at work combatting global warming, normal routines could be reestablished except for greater caution with respect to deleting sensitive e-mail and files more often as recommended before in the e-mail exchanges.

Has the CRU’s servers ben locked down? Have the main players been suspended? Have measures been put in place to prevent further tampering?

The admission that they have destroyed the primary data because of “lack of storage space” is really incredible. How big it this data? TBytes?

It would be even more simple for the IT department to encourage everyone at the University to use the same password. Think of the efficiency and the reduction in maintenance. If you lose your password you can ask anyone within earshot.

“Necessary agreements” — they only possess one confidentiality agreement, with Bahrain. (They think they had others but lost them.)”

Maybe what they’re gonna try and to is see how many “post-dated” agreements they can come up with. Be very suspicious if the majority of their data falls under these newly discovered agreements.