
I think no commits on December 25 is not enough to go by. He's been active for about 2 years, so that's what, 1-2 Christmases? I assume he doesn't commit literally every day. So it could be a coincidence that he didn't on those particular 1-2 days. Also, in many Orthodox Christian majority countries including those in UTC+2 they don't celebrate on 12/25.

But doesn't Israel also not follow a typical work week? E.g. no commits on Friday afternoon?




Yes, that's what I mean as well: I don't really think this analysis is anywhere near being considered conclusive. It's interesting. But this is it. From what I'm seeing, there really isn't very much data. The article makes it feel like there is this huge archive of commits that draws a picture of a guy working almost every day on these projects with some very visible gaps in time, but there really isn't. The data is quite scarce. I would need to actually do the analysis myself to decide what I'm willing to believe, and I don't think I want to do this right now. But for now, I don't think we really have anything.

…What I would really want is some input from Microsoft. I don't know what they can reveal, but I believe they must have quite a bit more data than us. Even speaking about times, well, he must have been using GitHub for more than just committing stuff. And I'd imagine they have some logs. Also, it's very fair to assume that he was using a VPN all the time, but it's also fair to assume that he wouldn't accidentally slip like that, revealing his real time zone in 9 commits. So, yeah, for sure there are people who have way more data than me, and probably know how to use it properly better than me too. Not sure they will be willing to share, though.


Somebody on another HN thread pointed out he used Gmail, so Google has something too.

I think I saw somewhere a claim that somebody confirmed he used a VPN; I can't recall how they did that.


Anyone try emailing with a tracking image?


No need to bother with a tracking image. Just scour the message headers of any message sent in the past--there's a decent chance there are a few more dates lurking in those headers, and even an IP address or two.


Headers have the IP address of their mail service.


Years ago they would include the IP of the end user. Gmail and Hotmail stopped including that more than a decade ago. But they both used to. I think Gmail stopped this practice years ahead of Hotmail.

I have a relative with mental health problems who lives on the street, and he sometimes writes me from public libraries -- kind of luckily for family members who are concerned about him, the webmail service he uses still includes that info in headers. So I usually know which public library he writes from.


When I was a PhD student, IPs in headers were a great way to see if professors I was working with were traveling or not...


I'm sure this guy is not checking his email after being exposed.


They refused to divulge how they knew


It's not just that there's only two Christmases. It's that Christmas fell on Sunday in 2022 and Monday in 2023, and the article already established the attacker mainly worked Tuesday-Friday. The note about the attacker never working on New Year has the same problem (New Year's Eve/Day always lines up with Christmas Eve/Day, so would not have hit the Thu-Fri window either).
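
The weekday objection raised in this thread can be checked numerically. The following is an added example, not part of any comment above: it estimates from a commit history how likely it is that a set of dates stays silent purely because of weekday habit. The commit history is constructed sample data (Tuesday-Friday only), not the real repository log, and all function names are illustrative.

```python
from datetime import date, timedelta

def daterange(start, end):
    """Yield every calendar day from start to end inclusive."""
    for n in range((end - start).days + 1):
        yield start + timedelta(days=n)

def weekday_rates(commit_days, start, end):
    """Per weekday (0=Mon .. 6=Sun): share of such days in [start, end]
    that have at least one commit. Days must already be converted to the
    author's assumed local date, or the weekday buckets are wrong."""
    commit_days = set(commit_days)
    total, active = [0] * 7, [0] * 7
    for d in daterange(start, end):
        total[d.weekday()] += 1
        if d in commit_days:
            active[d.weekday()] += 1
    return [a / t if t else 0.0 for a, t in zip(active, total)]

def p_all_silent(days, rates):
    """Chance that every listed day has no commit, given only the
    weekday habit (days treated as independent)."""
    p = 1.0
    for d in days:
        p *= 1.0 - rates[d.weekday()]
    return p

START, END = date(2022, 1, 1), date(2023, 12, 31)
# Constructed history: commits only Tue-Fri, on roughly one such day in three.
SAMPLE = [d for d in daterange(START, END)
          if d.weekday() in (1, 2, 3, 4) and d.toordinal() % 3 == 0]
RATES = weekday_rates(SAMPLE, START, END)
CHRISTMASES = [date(2022, 12, 25), date(2023, 12, 25)]   # Sunday, Monday
MIDWEEK = [date(2022, 12, 28), date(2023, 12, 27)]       # two Wednesdays

if __name__ == "__main__":
    print("P(no commits on both Christmases):", p_all_silent(CHRISTMASES, RATES))
    print("P(no commits on two Wednesdays):  ", round(p_all_silent(MIDWEEK, RATES), 3))
```

A probability near 1 means the silence carries no information about holidays: the dates would have been quiet anyway.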



