Democratic Underground

here is bev's email to bbv forum with IP address

This topic is archived.
momzno1 Donating Member (434 posts) Send PM | Profile | Ignore Tue Dec-14-04 10:14 PM
Original message
here is bev's email to bbv forum with IP address
BevHarris
Member since Jul-11-03
1822 posts Dec-14-04, 05:04 PM (PST)

97. "it was 192.168.2.4"
In response to message #95

GEMS is said to be "not networked" and "stand alone" and "not connected to anything."
In one county, we were allowed to sit at the computer. The computer was physically disconnected from the digiboard, which was sitting on top of it. The Windows System Event log showed repeated errors saying it was trying to connect but the device wasn't connected. The only program loaded on the computer (except for basic Windows and simple accessories that come with Windows, like Notepad) was GEMS.

Now, I'm not sure whether this next message shows this particular computer calling out, or it is just a network problem -- except that these machines are also not supposed to be networked, and they are purchased as custom units directly from Diebold.

Here is one of many different kinds of messages:

FLAG-TRAIN The DHCP server issued a NACK to the client (0001A8C00100502C070C07) for the address (192.168.2.4) request.

We have several logs from several different counties, and all of the GEMS Windows event logs show various kinds of DHCP messages, and some warnings.

Bev






Pale_Rider Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Dec-14-04 10:16 PM
Response to Original message
1. Ah ... the IP address is ...
... a private IP address on a private LAN.
 
jamboi Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Dec-14-04 10:19 PM
Response to Reply #1
3. Anything more we can tell from it? thanks for starting this constructive
thread!
 
jbond56 Donating Member (295 posts) Send PM | Profile | Ignore Tue Dec-14-04 10:23 PM
Response to Reply #3
8. narrows it down
to about 1 million possibilities.

Another disappointing report from bev.

 
ReneB Donating Member (135 posts) Send PM | Profile | Ignore Tue Dec-14-04 10:24 PM
Response to Reply #3
10. well it says that
and if i understand it right.. there has been a DHCP request OUTSIDE from another PC. And this can't be possible, if the server is "stand alone" or not "networked".. maybe a wireless LAN card was in the pc?!

or the other side is. that the "pc" was trying to make a DHCP request at the IP 192.168.2.4.

hmmm..

maybe someone else can explain more here.
 
buddysmellgood Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Dec-14-04 11:39 PM
Response to Reply #3
34. Amen
 
Pale_Rider Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-15-04 04:05 AM
Response to Reply #3
51. Need the original email ...
... to look at the message headers to get the routing information and other tidbits of information. Without the headers, not much else can be deduced.

BTW: If the original email gets forwarded the original message headers get overwritten (ie destroyed).
 
high density Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-16-04 11:14 PM
Response to Reply #3
82. Nothing else to tell from it.
That IP address could have been used on my local home network, the network at the hotel across the street, the network at a Wal-Mart store down the road from me, the network at your local bank, a million high schools, etc., etc., etc.
 
jmatthan Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Dec-14-04 10:20 PM
Response to Reply #1
4. Yes, this is not a public IP address.
It is a private LAN IP address if you own a SMC router!!

I have that particular IP in my LAN!!!!

Jacob Matthan
Oulu, Finland
 
libertypirate Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-15-04 12:55 AM
Response to Reply #4
39. That address won't route on the Internet

That doesn't mean that they couldn't have an internal host machine setting the votes from some guy's cubicle. Which would not be too implausible, as a matter of fact more likely.

If you were going to plug a laptop onto a network and pull a DHCP address from the pool this might be what you see. As soon as it gets a proper address it would be open to communicate on the network.

They said there were on-site techs the night of the elections.

Did they bring laptops with them? And did they plug the laptops into the office network? To connect to the Internet? See where I am going... Hop Skip and a Jump and you're free to talk to any computer on the internet.
 
Lauri Donating Member (63 posts) Send PM | Profile | Ignore Tue Dec-14-04 10:28 PM
Response to Reply #1
12. And if Bev doesn't know that it is a standard internal IP address
It makes you wonder just how much she actually knows about computers.
 
Cronus Protagonist Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Dec-14-04 10:33 PM
Response to Reply #12
16. She herself has noted that she knows next to nothing
That's why she has an army of experts feeding her the information. How much sticks is anybody's guess.



http://brainbuttons.com/home.asp?stashid=13
Buttons for brainy people - educate your local freepers today!


 
Fescue4u Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Dec-14-04 11:36 PM
Response to Reply #16
32. Her "army"
is pretty damn weak if they don't know this address is just a local, sometimes local within a machine address.
 
TrustingDog Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-15-04 02:03 AM
Response to Reply #12
48. and e voting fraud is what the repugs say... just a tinhatter thot...
:(
 
absolutezero Donating Member (879 posts) Send PM | Profile | Ignore Wed Dec-15-04 02:48 PM
Response to Reply #12
58. Welcome to DU
:hi:
 
Tandalayo_Scheisskopf Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Dec-14-04 10:19 PM
Response to Original message
2. 192.168.2.4
Is an internal address, behind a Network Address Translator or a Dynamic Host Control Protocol server. It tells us nothing except something was dialing out. But not to some IP address that screams crime or conspiracy.
 
jamboi Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Dec-14-04 10:21 PM
Response to Reply #2
5. Though if it is happening at a time that is suspicious that would scream
crime or conspiracy even if the number is not very revealing.
 
momzno1 Donating Member (434 posts) Send PM | Profile | Ignore Tue Dec-14-04 10:23 PM
Response to Reply #2
7. there is a conversation about this on bbv at the bottom of this
 
momzno1 Donating Member (434 posts) Send PM | Profile | Ignore Tue Dec-14-04 10:23 PM
Response to Reply #2
9. there is a conversation about this on bbv at the bottom of this
Edited on Tue Dec-14-04 10:24 PM by momzno1
edit: double post

 
stepnw1f Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Dec-14-04 10:34 PM
Response to Reply #2
19. Yeah... but why is it Dialing Out?

 
blue agave Donating Member (372 posts) Send PM | Profile | Ignore Tue Dec-14-04 10:21 PM
Response to Original message
6. kick
 
Roger_Otip Donating Member (187 posts) Send PM | Profile | Ignore Tue Dec-14-04 10:27 PM
Response to Original message
11. suggests computers linked to one another
but this address is not an internet ip address.

eg. i have 2 computers here connected together with an ethernet cable. for that connection to work i have to give each computer an ip address. so one is 192.168.0.1 and the other is 192.168.0.2. anything starting 192.168... is a local machine.

what we need to find out is what was the network this machine was talking to. how many machines in it? the number 4 at the end suggests at least 4.
what were these machines doing?
and was this network connected to any other networks, or to the internet?
 
Lauri Donating Member (63 posts) Send PM | Profile | Ignore Tue Dec-14-04 10:38 PM
Response to Reply #11
20. According to Microsoft's TechNet:
Event ID 1011: The DHCP server issued a NACK to the client (MAC address) for the address (IP address) request.

This indicates the DHCP server declined to issue the specified IP address to the client using the specified MAC address.

The most common cause for this is the DHCP server not having a lease for the client, which is usually due to a router being configured to forward DHCP discoveries to a DHCP server that does not have a lease for that subnet.

 
Brundle_Fly Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Dec-14-04 10:28 PM
Response to Original message
13. this is an internal IP
Edited on Tue Dec-14-04 10:29 PM by Brundle_Fly
so wherever the IP came from it was not over any external network or the web...

ie my router has an IP like 45.221.45.47

but all my internal IP's supplied by the router are...

192.168.1.1

192.168.1.2

192.168.1.3 etc.

so this would suggest an internal network, or someone logging in wirelessly.
 
Stop Shrub Donating Member (223 posts) Send PM | Profile | Ignore Tue Dec-14-04 10:30 PM
Response to Original message
14. private ip
but it is assigned by probably some type of DHCP (dynamic router) which can be from the digiboard...can we find out which manufacturer that digiboard was from, and any markings that tell us exactly what version it was?
 
Cronus Protagonist Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Dec-14-04 10:31 PM
Response to Original message
15. FYI that address is not internet routable
Just in case anyone thinks so. Even if the ip was acquired, the computer would not be able to access the Internet without a proxy server doing the job for it. It would be inaccessible from the Internet inbound too.

Local broadband hardware will assign addresses in that range to equipment attached to it and then act as a proxy server for the internal network.

If these machines are logging error messages like that, it indicates that there is an onboard adapter installed and it is bound to TCP/IP and set to request an IP address from a DHCP server.

If the machine has a built-in ethernet adapter in the motherboard as most puters do now, this would explain the messages - it's not connected so the NIC (network interface card) could not obtain an ip address as it was instructed to do by the bound TCP/IP protocol that was installed.

And an aside, a digiboard is not an ethernet adapter. It's a specialized telecommunications device that connects computers via regular POTS, usually, and was often used to create multilink BBS systems in the heyday of pre-arpanet days. When the card is plugged in, it would provide several 8, 16, 32 etc phone lines access to the computer, unplugged, it would do nothing.

I hope this clears up some of the confusion.



 
Stop Shrub Donating Member (223 posts) Send PM | Profile | Ignore Tue Dec-14-04 10:34 PM
Response to Reply #15
18. some digiboards
can act just like nics, with full DHCP capabilities and such
 
Blue in the face Donating Member (210 posts) Send PM | Profile | Ignore Tue Dec-14-04 10:39 PM
Response to Reply #15
21. "I hope this clears up some of the confusion."
No, tell me again in very small words, since I must be very stupid.

If you had to explain this to a 5 year old, what would you say? It doesn't seem like you think this is anything to be concerned with.
 
Cronus Protagonist Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Dec-14-04 10:46 PM
Response to Reply #21
23. Reported log is like normal operation of a disconnected computer.
Is that clear enough?

If it were connected, which it's not supposed to be according to the report, it would not log errors like that.

The fact that it is logging THESE errors when disconnected is perfectly normal, assuming it has/had an adapter bound in the motherboard or in a slot in the machine that is not physically connected.



 
Calvinist Basset Donating Member (318 posts) Send PM | Profile | Ignore Tue Dec-14-04 10:51 PM
Response to Reply #15
26. Huh?
:dunce:

Me no get it . . . what all this mean for Tarzan?
 
Stop Shrub Donating Member (223 posts) Send PM | Profile | Ignore Tue Dec-14-04 10:33 PM
Response to Original message
17. no offense
but people that do not know computers and just have experience with their local networks please understand that it is much more complicated than this because the given digiboard does act as a network interface but through the serial connection. We need to know details about digiboard not your internal networks.
 
SmallFatCat Donating Member (34 posts) Send PM | Profile | Ignore Tue Dec-14-04 10:42 PM
Response to Original message
22. MAC Address
The MAC address is 0001A8C00100502C070C07, remember, unless this has been spoofed it is unique.
 
jbond56 Donating Member (295 posts) Send PM | Profile | Ignore Tue Dec-14-04 10:51 PM
Response to Reply #22
25. yup
that (unless it was changed) was manufactured by Welltech Computer.

About Us


Welltech Computer Co., Ltd. was founded in 1988 in Taipei, Taiwan with the aim of linking people and the technologies, and has been an integral part of the community for over a decade. Our company is committed to promoting better Communications and Networking solutions to our customers through our strong knowledge and expertise in Voice over IP.

As the leading company in VoIP in Taiwan and with years of experience in H.323 and SIP protocol, Welltech has successfully developed FXO and FXS gateways, IP-Phone, H.323 Gatekeeper, E1/T1 Trunk gateway, SIP Proxy Server, USB phone and softphone and become a VoIP expert.

The voice quality and total solution providing ability are the reason why Welltech VoIP products are very popular in the market. From CPE side small gateways to CO side truck gateways, Gatekeeper and SIP Proxy Server, Welltech provided total VoIP solution to SOHO, multi-national corporations (MNCs), ITSP and carrier market. The new product, router integrated with voice over IP functions that support SIP protocol, is compliance with future communication trade.





NACK = If the server determines that the client cannot have the address, it will send a NACK.

 
dweller Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Dec-14-04 11:19 PM
Response to Reply #25
28. NACK=non acknowledge? n/t=no thread, jq=just a question
dp=dweller persona
 
jbond56 Donating Member (295 posts) Send PM | Profile | Ignore Tue Dec-14-04 11:45 PM
Response to Reply #28
35. yep
Once the client receives an offer for a suitable lease it responds with a DHCP REQUEST which includes a server identifier referring to whichever server the client has accepted the lease from. The server then responds with a DHCP ACK, or a DHCP NACK, acknowledging or retracting the offer, respectively.
 
dweller Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Dec-14-04 11:56 PM
Response to Reply #35
36. Merci, nrsvp.

dp
 
skids Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-15-04 01:42 AM
Response to Reply #25
44. Not Welltech, Soyo (a mainboard manufacturer)

The MAC address is embedded in that string, the rest is other stuff.

The lease was held by a computer with a built-in NIC on a Soyo mainboard, most likely.

Printer Friendly | Permalink |  | Top
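
Reply 44's point that the MAC is embedded in the longer client string, worked through on the event text quoted in the original message. This is an added example, not code from any poster, Diebold or Microsoft; the 11-byte layout (subnet stored low byte first, hardware type, MAC), the /24 mask and the pairing of prefix 00502C with the vendor reply 44 names are assumptions of the example.

```python
import ipaddress
import re

# Event text exactly as quoted in the original message of this thread.
EVENT = ("FLAG-TRAIN The DHCP server issued a NACK to the client "
         "(0001A8C00100502C070C07) for the address (192.168.2.4) request.")

EVENT_RE = re.compile(
    r"issued a NACK to the client \(([0-9A-Fa-f]+)\) "
    r"for the address \((\d{1,3}(?:\.\d{1,3}){3})\) request")

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Vendor names are the ones posters give in this thread. Pairing "00502C"
# with the vendor named in reply 44 is this example's assumption.
VENDORS_FROM_THREAD = {"0001A8": "Welltech Computer", "00502C": "Soyo"}


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def decode_client_id(cid_hex):
    """Split a logged client identifier into fields.

    ASSUMED layout for an 11-byte value: 4-byte subnet address stored
    least-significant byte first, 1-byte hardware type, 6-byte MAC.
    A 6-byte value is treated as a bare MAC; anything else stays opaque.
    """
    try:
        raw = bytes.fromhex(cid_hex)
    except ValueError:                       # odd number of hex digits
        return {"layout": "opaque", "raw": cid_hex}
    if len(raw) == 6:
        return {"layout": "bare-mac", "mac": fmt_mac(raw)}
    if len(raw) == 11:
        return {
            "layout": "subnet+hwtype+mac (assumed)",
            "subnet": str(ipaddress.IPv4Address(raw[:4][::-1])),
            "hw_type": raw[4],               # 1 is the Ethernet hardware type
            "mac": fmt_mac(raw[5:]),
        }
    return {"layout": "opaque", "raw": raw.hex()}


def analyse(event_text, assumed_prefixlen=24):
    """Return what the NACK event does and does not tell an examiner."""
    m = EVENT_RE.search(event_text)
    if m is None:
        return None
    cid_hex, addr_text = m.groups()
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:                       # e.g. an octet above 255
        return None
    fields = decode_client_id(cid_hex)
    result = {
        "requested": str(addr),
        "rfc1918_block": next((str(n) for n in RFC1918 if addr in n), None),
        "client_id_bytes": len(cid_hex) // 2,
        # Reading the first three bytes of the whole string as the OUI:
        "naive_oui_vendor": VENDORS_FROM_THREAD.get(cid_hex[:6].upper()),
    }
    result.update(fields)
    if "mac" in fields:
        oui = fields["mac"].replace(":", "")[:6].upper()
        result["decoded_oui_vendor"] = VENDORS_FROM_THREAD.get(oui)
    if "subnet" in fields:
        scope = ipaddress.ip_network(
            f"{fields['subnet']}/{assumed_prefixlen}", strict=False)
        # False means the client asked for an address outside this scope.
        result["requested_in_scope"] = addr in scope
    return result


if __name__ == "__main__":
    for key, value in analyse(EVENT).items():
        print(f"{key:20} {value}")
```

Under those assumptions the string carries a scope of 192.168.1.0 next to a request for 192.168.2.4, which is why the vendor lookup changes depending on which three bytes are read as the prefix.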
 
tinfoil_beret Donating Member (204 posts) Send PM | Profile | Ignore Tue Dec-14-04 10:49 PM
Response to Original message
24. DHCP Server
Edited on Tue Dec-14-04 11:00 PM by tinfoil_beret
Assuming the computer did not have a physical or wireless connection to a network, the computer has a DHCP server, which assigns IP addresses to clients dynamically. Furthermore, the message in the original posts shows that the DHCP server responded to a request for a lease for 192.168.2.4 for the device with the MAC address 0001A8C00100502C070C07. If the computer did not have a connection to another computer, we could assume that the MAC represents a LAN adapter on the computer.

For those unfamiliar with dynamic and static IP addresses, a DHCP server relieves a system administrator from manually assigning static IP addresses by dynamically assigning IP addresses from a range of addresses. When the administrator physically (or wirelessly) connects a new computer to the network and sets it to request an IP address dynamically, the DHCP server will automatically assign an unused IP address to the computer.

As I recall, a Windows computer would not have a DHCP server running automatically. Just imagine if every Windows installation automatically started a DHCP server. In such a case, anyone setting up a home network would need to disable all but one DHCP server, because multiple DHCP servers would clash trying to manage their pools of available IP addresses.

However, as I recall, a Windows computer with networking enabled will default to dynamic-IP addressing, ie. it will by default expect to retrieve an IP address from a DHCP server when the user connects it to a network, eg. with an ethernet cable.

Assuming that the computer mentioned in the original post did not have a physical (or wireless) connection to a network, the computer has a DHCP server running on it. I can see no reason for running a DHCP server on this computer.

Note: Most routers I have used, by default use the class C network 192.168.0.0 or 192.168.1.0 with DHCP enabled. The only router I have seen using the class C network 192.168.2.0 by default was a wireless router, which used DHCP by default. Curious. How do we know that this computer did not have an 802.11b (WiFi) adapter?

Of course, the computer might communicate with the "digiboard" over TCP/IP, but without knowing anything about this digiboard I can't come to any conclusions about it.
 
DubyaSux Donating Member (366 posts) Send PM | Profile | Ignore Tue Dec-14-04 11:57 PM
Response to Reply #24
37. Digiboards...
...are serial communication boards. Probably used as modems.
 
tinfoil_beret Donating Member (204 posts) Send PM | Profile | Ignore Tue Dec-14-04 11:11 PM
Response to Original message
27. A possible explanation
Edited on Tue Dec-14-04 11:12 PM by tinfoil_beret
If the computer communicates with the digiboard over TCP/IP and if the driver for the digiboard is set to assign the static IP address 192.168.2.4 for the digiboard, if the digiboard is disconnected the DHCP server might deny the request for the lease of the IP address to the MAC address because it can't communicate with the disconnected device (with the specified MAC address).
 
mulethree Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Dec-14-04 11:23 PM
Response to Original message
29. DHCP server issued a NACK to the client
The machine that had this log entry was the DHCP server.

It gave an address 192.168.2.4 to some client and it just sent a message to it indicating that the client is delinquent on some message it was expected to send to the server (NACK - negative acknowledgement).

The MAC - media access control - (0001A8C00100502C070C07) is usually a hard-coded hardware identifier. A global serial number that identifies the network adapter. 00:01:A8 is assigned to Welltech Computer in Taiwan which made the network adapter chip that the client machine used. On some hardware the MAC can be changed, for instance when a fall-back machine wants to assume its primary's identity very quickly. Pretty unusual though, so there's probably some machine in the office with an ethernet adapter with MAC=(0001A8C00100502C070C07) that was at some point in the past, connected to this machine.

Looking at the DHCP protocol, it appears the server can send a DHCPNAK when a lease expires. So a machine could have been attached weeks ago, gotten its address from this machine, and that address lease is just now expiring and the server is trying to tell the client 'your address is no good'. If the client were attached, then it would have renewed its lease before expiration.

So that's the innocent explanation.

On my own machines, I don't see any event log messages when a normal DHCP request is processed. Only if a lease times out or is denied.

So some network connection could have occurred when the machine was supposed to be stand-alone, and leave no messages in the event log. My firewall is my DHCP server and has no dhcp messages for the last month even though this machine, and my printer, both reconnect to it daily.

 
jamboi Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Dec-14-04 11:31 PM
Response to Original message
30. So could someone summarize and simplify? Thanks n/t
 
Fescue4u Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Dec-14-04 11:35 PM
Response to Original message
31. SO it's nothing then
Just a localized RFC1918 address.

big deal.
 
jamboi Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Dec-14-04 11:36 PM
Response to Original message
33. Does this add anything?

harmonyguy
In response to message #97

If I'm not mistaken, I seem to recall the original memos making mention of the central-count configuration where the Accuvote-OS units are connected to the GEMS using TCP/IP. (port 3030 or 3031, I think)

There is a mention of this in the California Certification documents:
The AV-Optical Scan Ballot Counter (AV-OS) Firmware Versions 1.64W and 1.96.4 are certified in California under GEMS 1.18.19. The AV-OSCC variation adds a capability for performing the central count of absentee and paper provisional ballots using TCP/IP networked units.
http:www.ss.ca.gov/elections/091404_3a_c.pdf Page 2

Although it's been a while since I checked the memos, but I think that the 'modem' communication between all the Accuvote units (OS/TS) and the GEMS server is done using Point-to-Point-Protocol (PPP) via the Digiboards. I'm not clear if each Accuvote unit has a preassigned static IP address or, once the modem handshaking is complete, is assigned a dynamic IP address via DHCP from the GEMS server.

I think it's safe to say that GEMS is specifically intended to be networked, although is NOT intended to be connected to the Internet.

Something else that just dawned on me, is that if the modem connections that are available via the Digiboard, are all set up for PPP, doesn't that make it VERY easy for someone else to connect to the server? I wonder what 'other' services are running on the server? FTP? HTTP?

Hope this helps a bit.
HG
 
KTM Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-15-04 12:39 AM
Response to Original message
38. I think this is junk
Edited on Wed Dec-15-04 12:56 AM by KTM
A few notes first off...

EVERY network device has a unique MAC address, which yes, can be spoofed easily.. but the number listed is not a valid MAC addy. MAC addresses are 12 characters, usually expressed as 6 pairs. That number listed is way too long to be a MAC address.

The machine in question had previously been assigned the address 192.168.2.4 by a DHCP server while hooked to network "A". It was then disconnected before the lease expired, and hooked to another network, network "B". If this was the case, it would try to renew its original IP from network "A", but if Network "B"'s subnet was say, 192.168.1.x (the most commonly assigned public range, with a 24 bit subnet mask) it would fail to find the original DHCP server, as it would be looking for a DHCP server at 192.168.2.1 (probably, but at least in that subnet) which would not be reachable on Network "B". It clearly reached a DHCP server, since it got a NACK...but that server denied the request for the specific IP the client was trying to renew.

I see this all the time on laptops.. user takes it home, uses it on their LAN, gets addy 192.168.1.x from their cable/dsl router, then comes to the office and connects. Their laptop tries to renew the 192.168.1.x address, my DHCP server denies, they get a NACK, then my DHCP assigns an IP that is valid in my subnet.

So it would have been on TWO networks, at some point. (Then again, the whole error looks bogus to me, as that mac addy is way too long.)

Then there is the Digi device.. I wish Bev et. al. would quit referring to it as Digiboard and would get specific. Digi makes a wide range of products, but not many of them are in a card form. Those that are (and are classically referred to as Digiboards) are generally port extenders.. they come with an octopus cable, and it allows you to have 4 or 8 serial devices hooked to the computer.. the board offloads some of the processing of the I/O from the CPU. These are traditionally used to hook a bunch of devices to a single PC.. we used to use them to hook up a bank of modems for faxing/paging solutions. It would only make sense to have it on a tabulator machine - otherwise the machine would only need a single device if it were calling out, not a bank of them. On the other hand, Digi also makes some nice little GSM wireless devices for WAN connectivity. I'd like to know what they are using specifically, and what for.

Someone mentioned APIPA - the Windows automatic assignment of IP numbers if a DHCP server could not be found. This would not be the case here... there would be no NACK if the client had not reached an actual DHCP server.

The PC does not communicate with the Digi card via TCP/IP, any more than a PC communicates with a network card via TCP/IP. That is, the computer communicates with the card directly (well, through a hardware abstraction layer), with the driver acting as a sort of translator. It's the other way around... the computer USES the device at the other end to communicate via TCP/IP with something else... but that device is where the TCP/IP communication starts (it is at the lowest layer of the TCP protocol stack.)

It is possible that the digi was hooked to a modem, and that was the mechanism to connect INTO a remote network. It would then be assigned an IP address by that remote network, but I don't think it would get a NACK. I believe the IP address gets dumped on the client side when the modem disconnects, as the disconnection causes the modem to tear down the TCP stack (when you hang up from a modem connection and do an ipconfig /all, you don't have an IP anymore) and therefore no renewal attempt would be made, therefore no NACK.
Printer Friendly | Permalink |  | Top
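
The roaming case reply 38 describes (a lease from one network presented to another network's DHCP server), as an added example that is not part of the original thread: a toy model, not Windows DHCP code. Class and function names, the MAC and both /24 scopes are constructed, and the server is assumed to be authoritative for its scope, so it answers NAK instead of staying silent.

```python
import ipaddress
import itertools


class ToyDhcpServer:
    """Server side of the REQUEST -> ACK/NAK step, for one address scope."""

    def __init__(self, scope, first_host=2):
        self.scope = ipaddress.ip_network(scope)
        self.leases = {}                      # mac -> IPv4Address
        self.log = []                         # event-log style lines
        self._free = itertools.islice(self.scope.hosts(), first_host - 1, None)

    def discover(self, mac):
        """DISCOVER -> OFFER: the client's current lease, else the next free address."""
        if mac not in self.leases:
            self.leases[mac] = next(self._free)
        return self.leases[mac]

    def request(self, mac, requested):
        """REQUEST -> 'ACK' or 'NAK'. Only a NAK is written to the log."""
        requested = ipaddress.ip_address(requested)
        wrong_network = requested not in self.scope
        not_our_lease = self.leases.get(mac) != requested
        if wrong_network or not_our_lease:
            self.log.append(
                f"The DHCP server issued a NACK to the client ({mac}) "
                f"for the address ({requested}) request.")
            return "NAK"
        return "ACK"


def roam(mac, remembered_ip, server):
    """Client side: try to reuse the remembered address, restart on NAK."""
    steps = []
    if remembered_ip is not None:
        verdict = server.request(mac, remembered_ip)
        steps.append(("REQUEST", remembered_ip, verdict))
        if verdict == "ACK":
            return remembered_ip, steps
    offer = str(server.discover(mac))
    steps.append(("DISCOVER", None, "OFFER " + offer))
    steps.append(("REQUEST", offer, server.request(mac, offer)))
    return offer, steps


def scenario():
    mac = "02:00:00:00:00:01"                 # constructed, locally administered
    net_a = ToyDhcpServer("192.168.2.0/24", first_host=4)
    net_b = ToyDhcpServer("192.168.1.0/24", first_host=10)
    idle = ToyDhcpServer("192.168.1.0/24")    # no client ever reaches it

    ip_a, _ = roam(mac, None, net_a)          # first boot on network A
    ip_b, steps_b = roam(mac, ip_a, net_b)    # same machine carried to network B
    ip_b2, steps_b2 = roam(mac, ip_b, net_b)  # reboot on B: plain reuse, no log entry
    return {
        "ip_a": ip_a, "ip_b": ip_b, "ip_b2": ip_b2,
        "steps_b": steps_b, "steps_b2": steps_b2,
        "log_a": net_a.log, "log_b": net_b.log, "log_idle": idle.log,
    }


if __name__ == "__main__":
    out = scenario()
    for step in out["steps_b"]:
        print(step)
    print(out["log_b"])
```

In this model a NAK line exists only on a server that actually received the request, and successful leases leave no line at all, which matches what replies 29 and 38 say about reading such a log.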
 
passy Donating Member (780 posts) Send PM | Profile | Ignore Wed Dec-15-04 02:51 PM
Response to Reply #38
59. What does this do ?
" On the other hand, Digi also makes some nice little GSM wireless devices for WAN connectivity. "
Are we talking about providing mobile phone access to a computer?
 
KTM Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-16-04 09:48 PM
Response to Reply #59
76. Sure - but not a likely thing.
Sure, it could do that - that is exactly what it is for. It is basically a cellular modem, that attaches to either a network or a single machine. It would be a cinch to hook it up to a Windows machine.

However, I HIGHLY doubt that this is what we are talking about in this case - but it would be a cool and easy way to do it !

I'm fairly certain she meant the standard Digi multiport serial board, which is used in conjunction with either:

a) Standard modems if, for instance the machine was the central system and was receiving inbound data (GEMS Host ?) or,

b) perhaps what we call "Short-Haul" modems, which are devices that hook into a serial port and convert that signal into one that can be sent over a phone line - often used to connect something that needs to be connected via serial cable, but is too far away to use a serial cable (something like 50 feet, I believe, maybe less). Maybe a way to hook a central computer in a voting location to a bunch of stations in the same place ? I have to admit, I haven't really looked at the voting hardware setups.

Anyway, that's PROBABLY what she was describing.. I was just venting because her lack of technical knowledge always leads to the stories lacking critical information... makes it easy to jump to random conclusions, easy for the average Joe or Jane to get confused.

This is the GSM device, if you are curious.. cool, eh ?

This is what she probably meant

Actually, with their low-budget crap, it was probably one of these, or older...

 
Bill Bored Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-16-04 10:43 PM
Response to Reply #76
79. You are correct KTM!
These are probably serial dial-up connections to the GEMS which is also a DHCP server for the touch screen machines. They dial in to report their vote totals, or whatever, but first they get their IP addresses assigned by the server so they can send this data.

Of course the GEMS could be hacked if one knew the dial-up numbers and the PPP passwords, if any. In other words, all you'd have to do is spoof the GEMS with a PC set up to emulate a touchscreen machine and you're in.

You could probably pretend to be any precinct you wanted, but there might be some conflicts with the real ones. The log entries so far, don't prove this, do they? It's all theory but it's an easy way to hack the vote.

Requires some inside information or a way to crack those passwords quickly, or a back door and the phone numbers for the GEMS modems. How many login attempts allowed before you get locked out of the GEMS? Etc, etc. You get the drift I'm sure. Some ex-Enron trader could sit in his basement and do it if he had the information, but we need PROOF!
 
MarkusQ Donating Member (516 posts) Send PM | Profile | Ignore Wed Dec-15-04 12:58 AM
Response to Original message
40. This seems to CONFIRM that they weren't networked at the time.

If I'm understanding her post (it's always risky to conclude anything based only on a user's report) it sounds like the machine was disconnected from the network, trying to reconnect, and failing. That's pretty much what I'd expect from a generic Windows box that had a network card that wasn't plugged in to a network.

--MarkusQ
 
skids Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-15-04 01:28 AM
Response to Reply #40
42. You can't draw either conclusion.

It would also happen if the laptop holding the lease was turned off, or carried away. You don't need to have the network card unplugged to get this message.

 
MarkusQ Donating Member (516 posts) Send PM | Profile | Ignore Wed Dec-15-04 11:06 AM
Response to Reply #42
54. Or maybe an elephant sat on it...
I was including all of these sorts of things under the rubric "unplugged", by which I meant something like "not connected via a working cable to a working network with everything properly powered up and working" -- in other words, "not correctly plugged into the network, if one even exists."

--MarkusQ
 
merwin Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-15-04 01:38 AM
Response to Reply #40
43. It was getting declined, which means it was networked.
These are supposed to be standalone boxes
 
skids Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-15-04 01:45 AM
Response to Reply #43
45. No, I think the DHCP server was running on the voting machine n/t.
 
Cronus Protagonist Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-15-04 04:20 AM
Response to Reply #43
53. Knowing Windows, there could have been NO DHCP server at all
NACK means No acknowledgement, which could easily mean the DHCP server ain't there to respond, not that one responded with no acknowledgement.

Windows often prints error messages like that. I'd need to see the actual error messages, but in any case, the machine wasn't supposed to be networked, the error messages complain of networking not, well, working, so no harm done. Doesn't look in the slightest bit creepy to me.

For the record, the whole fucking system is screwed up - the entire methodology is flawed, the machines are parasites on the political process and I was surprised Kevin Mitnick didn't win the presidency this time around.

Next time it will be my brother, hiro protagonist.



 
KTM Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-15-04 02:03 AM
Response to Reply #40
47. I don't think so
If the machine was trying to reconnect and failing, there would be no NACK. It would time out and generate a "DHCP server unreachable" error. The NACK comes from a DHCP server.
 
skids Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-15-04 01:25 AM
Response to Original message
41. OK, here's what to look at.
There's no guarantee that a network connection was active on the machine, because some software does weird things and error messages don't always mean what they say. So the first thing to answer, and you need an answer directly from the vendor, is: is there any situation where the machine may log this message even though its network card has been unplugged. Like if it had a client with a DHCP lease a couple of days ago, and the lease expired. (Manuals never tell the whole story.)

The second thing to look at is the MAC address. There are extra numbers in it -- they contain the encoded IP address:



"The MAC address in the error message above usually contains 22
digits, not 26 digits. For example, if you have
0018399D0100AA00A3F079, the first four hexadecimal numbers are the
subnet address that the DHCP packet originates on. When you convert
"00 18 39 9d" to decimal and invert it, the result is 157.57.24.0. The
last twelve digits are the MAC address (00AA00A3F079)."



The length can vary, though I find it really odd here that the length is odd. It seems there is an extra 1 jammed in there (or a zero missing, if you look at the above as an example) and I don't know why or what that means... may be worth finding out. At any rate the mac address is 00502C070C07, which you can look up here:

http://www.coffer.com/mac_find/?string=00%3A50%3A2c

00502C soyo computer, inc.

That is, unless the hacker changed it. Now the rest of the MAC address coincidentally contains a repeating pattern; the odds of that happening by chance are relatively low, so treat that as something that needs to be explained.

Look at all the MAC addresses from all the requests in the logs and see if there is a pattern. Do all the MAC addresses contain a repeating pattern? That might indicate someone with something to hide changing their hardware ID. Do all of them come from the same manufacturer? Keep these MAC addresses as they are fingerprints -- if they failed to hide their MAC address and you happen to seize a computer through writ with that mac address burned into it, that's evidence. Consider the possibility that these machines may be somehow talking to themselves.. see if you can get the MAC address of the machine itself from other log entries in the startup portion of the log.

I can't say much more without more details as to the log messages. However if these machines were networked while counting votes, all bets are off. There are no doubt bugs in a lot of commercial DHCP servers that could be used to crash the stack and run arbitrary code on the server.








 
KTM Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-15-04 02:01 AM
Response to Reply #41
46. So, using that example and working backwards...
Edited on Wed Dec-15-04 02:19 AM by KTM
The first digits (0001A8C0) represent the subnet which contains the DHCP server - 192.168.1.x. As I suggested above, the PC looks like it was connected to subnet 192.168.2.xxx, then moved to a different network at 192.168.1.xxx - the DHCP server in the second denied the request for the IP 192.168.2.4 because it is in a different subnet, thus the NACK. (Assuming logical 24 bit subnet mask that goes with these class C addresses).

If the machine's NIC was unplugged, it would neither try to renew nor receive a self-generated NACK, AFAIK - haven't seen that once in 10 years.

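An added example, not part of any post in this thread: a Python sketch of the decoding that replies #41 and #46 do by hand, splitting the client field of the NACK event into the reversed subnet bytes and the trailing MAC, then checking whether the requested address falls inside that subnet. The /24 mask is the assumption stated in reply #46; the page does not explain the byte between the subnet and the MAC, so the code only reports it, and all function names and the constructed log lines are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Matches the DHCP server event text quoted in the thread.
NACK_RE = re.compile(
    r"issued a NACK to the client \((?P<client>[0-9A-Fa-f]+)\) "
    r"for the address \((?P<addr>[0-9.]+)\)"
)


def decode_client_field(hex_id):
    """Split the client field per the KB text quoted in reply #41:
    first 4 bytes = subnet address in reversed byte order,
    last 6 bytes = MAC address, anything in between returned untouched."""
    raw = bytes.fromhex(hex_id)  # raises ValueError on an odd digit count
    if len(raw) < 10:
        raise ValueError("client field too short for subnet + MAC")
    subnet = ipaddress.IPv4Address(raw[:4][::-1])
    return subnet, raw[4:-6], raw[-6:]


def analyze(line, prefixlen=24):
    """Return the decoded fields of one NACK event, or None for other lines.
    prefixlen=24 is the assumption made in reply #46, not a logged value."""
    m = NACK_RE.search(line)
    if m is None:
        return None
    subnet, middle, mac = decode_client_field(m["client"])
    net = ipaddress.ip_network(f"{subnet}/{prefixlen}", strict=False)
    requested = ipaddress.ip_address(m["addr"])
    return {
        "subnet": str(net),
        "middle": middle.hex(),            # unexplained on the page
        "mac": mac.hex(":"),
        "oui": mac[:3].hex().upper(),      # manufacturer prefix to look up
        "requested": str(requested),
        "requested_in_subnet": requested in net,
    }


def oui_counts(lines):
    """Tally manufacturer prefixes across all NACK events, as reply #41
    suggests doing over every log; malformed client fields are skipped."""
    counts = Counter()
    for line in lines:
        try:
            event = analyze(line)
        except ValueError:
            continue
        if event is not None:
            counts[event["oui"]] += 1
    return counts


SAMPLE_LOG = [
    # Event text as quoted in the original message of this thread.
    "FLAG-TRAIN The DHCP server issued a NACK to the client "
    "(0001A8C00100502C070C07) for the address (192.168.2.4) request.",
    # Constructed: client value from the KB text in reply #41, address invented.
    "The DHCP server issued a NACK to the client "
    "(0018399D0100AA00A3F079) for the address (157.57.24.10) request.",
    # Constructed: an unrelated line that must be ignored.
    "The DHCP service has started.",
    # Constructed: malformed client field with an odd number of digits.
    "The DHCP server issued a NACK to the client "
    "(0001A8C0100502C070C07) for the address (192.168.2.4) request.",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG[:2]:
        print(analyze(entry))
    print(dict(oui_counts(SAMPLE_LOG)))
```

For the logged event this reports subnet 192.168.1.0/24 and a requested address outside it, which is the mismatch reply #46 gives as the reason for the NACK.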
 
rumpel Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-15-04 02:24 AM
Response to Original message
49. I am on a Mac I have an IP Network with the same address
is that possible?
 
Pobeka Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-15-04 03:16 AM
Response to Original message
50. GEMS cannot be unnetworked and get a DHCP server response...
The fact this shows up at all means there is a DHCP server responding to the GEMS host machine, which means:

1) Most likely that the GEMS host machine *is* connected to a network, and that the DHCP server is not renewing the DHCP lease which is requested.

or:

2) How weird is this? -- there is a DHCP server running on the GEMS host machine itself.
 
harmonyguy Donating Member (589 posts) Send PM | Profile | Ignore Wed Dec-15-04 05:29 PM
Response to Reply #50
61. DHCP on GEMS
I believe that you are right about this one.

The GEMS 'system' and its related Accuvote TS/OS machines, communicate with each other over a network. The network hardware appears to consist of the GEMS server, the Digiboard and the modems, all at the central location, and the Accuvote machines with internal or external modems at remote locations.

At an appropriate time (likely when the Accuvote machines are supposed to send results to the GEMS server), it dials the phone number of the Digiboard and, assuming it gets a successful connection, obtains an IP address from the DHCP server (which is running as a background process on the same box as GEMS) and starts its communications.

If I understand it correctly, it IS an ethernet connection, but instead of connecting the machines using a very long chunk of blue wire, it uses a couple of modems with a plain old telephone connection in between.

If I'm not mistaken, I seem to recall the original memos making mention of the central-count configuration where the Accuvote-OS units are connected to the GEMS using TCP/IP. (port 3030 or 3031, I think)
There is a mention of this in the California Certification documents:
The AV-Optical Scan Ballot Counter (AV-OS) Firmware Versions 1.64W and 1.96.4 are certified in California under GEMS 1.18.19. The AV-OSCC variation adds a capability for performing the central count of absentee and paper provisional ballots using TCP/IP networked units.
http://www.ss.ca.gov/elections/091404_3a_c.pdf Page 2

It's been a while since I checked the memos, but I think that the 'modem' communication between all the Accuvote units (OS/TS) and the GEMS server is done using Point-to-Point-Protocol (PPP) via the Digiboards. I'm not clear if each Accuvote unit has a preassigned static IP address or, once the modem handshaking is complete, is assigned a dynamic IP address via DHCP from the GEMS server.

Hope this helps a bit.
HG

 
Old Mouse Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-15-04 04:15 AM
Response to Original message
52. summarize for a non-techie
The GEMS software is in a state where it is constantly trying to connect to a specific location on a private LAN, but only can connect when bridged to that LAN by another Internet capable computer?
 
F.Gordon Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-15-04 02:38 PM
Response to Original message
55. Some followup questions.
I'm not a computer wiz so I hope you'll excuse me if I don't use the proper lingo...

1. IP address represents 4 units, computers?
When the polls close each precinct connects a modem to the tabulator so it can upload the results to an accumulator. The modem has more than one phone number it can call. If one is busy, it goes to the next one. Could the "4" in the IP address represent the number of phone numbers available to the accumulator?

2. NACK
If the tabulator dialed every number and wasn't able to connect to the accumulator would this produce a NACK error?

Or, if the tabulator modem connected to the accumulator modem but no data was transmitted...would this produce a NACK error?

3. Hacking
Only one person has access to the accumulator. The SOE. They have to insert a card and enter a password. Could the accumulator be hacked without the card and password?

Much thanks in advance for any and all replies to these questions!!!


 
skids Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-15-04 05:10 PM
Response to Reply #55
60. Followup answers...
1) It may or may not. The IP address can be chosen by any number of means. Allocating them sequentially for a hunt group, which is a pack of telephone numbers the way to describe, is fairly standard procedure, but it is totally up to the software developer.

2) Some people are saying that the "digiboard" used in these things mimics an ethernet, and could run DHCP. Why you'd run DHCP instead of PPP address negotiation I do not know, but I'm sure people have found a way to do it, and even written a standard. I assume these error messages are being logged in the accumulator because that would be the logical place to put a DHCP server, rather than the other way around. In that case, the first option you ask about, no. The second, maybe but it's a stretch. My personal opinion is that until we know more about the "digiboard" Occam's razor dictates that we assume that the DHCP messages have nothing to do with the modems, and are coming from an ethernet card.

3) Obviously more than one person has some sort of password -- the tabulators do. Or if they don't, so much the worse. If the tabulators establish an IP connection to the accumulator, and if there are no filter rules in effect for that connection, then that exposes the entire IP port range of the machine, and every service running on those ports (including the DHCP server) to attack. This applies to any ethernet card that may be present as well. Any service that is vulnerable (weak password, bug in code that can be used to crash the stack) could be compromised giving the hacker access to everything on the machine that that service had access to, which often means everything. There may be an additional challenge in defeating encryption on the results database, but in general "IP access == services are vulnerable." So the real question is, how does the accumulator check to make sure an incoming phone call really is from a tabulator?



 
F.Gordon Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-15-04 09:00 PM
Response to Reply #60
62. Thank you
Like I said, I'm not a computer wiz.

So, question #1 is a definite maybe? The second part to this question would involve tabulators directly connected to the main computer (accumulator). Say, 4 tabulators directly connected for recount purposes, etc.? Would this be less of a maybe?

Which goes back to redirecting question #2 as it applies to the new part of question #1, because it sounds like I'm way off on this one. If the tabulators were connected directly to the accumulator it "sounds" like this would fit the NACK error? I ask part two of question #2 because I know that this did happen. The tabulator modem and the accumulator modem connected but the data wasn't sent.

As for question #3 I'm not sure we're on the same page. This isn't an Internet connection. It's modem to modem. I don't know the technical term for this. I can only relate to this from the olden (pre-internet) days when I used to surf Bulletin Boards.

I only reviewed the security measures at the accumulator end. I'm reading this off a Diebold Election Day manual. I guess I need to go back and review what, if any, security measures are put in at the tabulator end.

As to your question..."how does the accumulator check to make sure an incoming phone call really is from a tabulator?", As I understand it, the accumulator needs to "recognize" the tabulator memory card. Also, this would cause a glaring error at the accumulator end when two sets of data are received. No?

I appreciate you taking the time to respond. My problem here is that I'm playing "guess the fraud". One private IP address and a NACK doesn't give me much to go on.
 
skids Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-16-04 02:12 AM
Response to Reply #62
68. IP
For any definite answer to #1, you need to know more about the "digiboard". Does the digiboard use IP? Does it use DHCP? Neither of these questions have been answered, so we don't know if the DHCP error had anything at all to do with tabulators -- it could be from another network connection entirely. Further, I can't tell you anything about the order in which a DHCP server would assign addresses. Every implementation is different. You would need to see for yourself -- in this case, assuming it behaves like any DHCP server started on an NT box with a default configuration might be safest, but would still be just an assumption.

So if the tabulators use IP on their modem connections, then they may have something to do with the DHCP error. If they do not, they definitely do not. Further speculation without answering this question is not time effective.

Now for question #3, modem-to-modem connections can run IP, as stated above. They can also run a number of different protocols like IPX, IPV6, DECNET, etc etc etc. If they do run IP (or another protocol), and the accumulator has not been configured explicitly to deny access to SAPs (service access points) that the tabulator has no business accessing, then any computer dialing in and pretending to be a tabulator can try to hack into those SAPs. If IP is the protocol, another word for the SAPs is "ports". So if they fire up an IP stack to communicate over the modem, odds are they are opening the accumulator up to a number of attacks by doing so. Also, establishing the IP connection might happen before any check as to whether the phone call is from a valid tabulator.

As far as the "recognizing" the memory card, what if a fake tabulator dialed in before the original tabulator, and then the original tabulator's phoneline was jammed and kept from contacting the accumulator? Do the tabulators only call in once, or do they call in many times with updated data? What if, after the tabulator was done, someone called in and updated the data with more votes? What if a fake tabulator dialed in, hacked the system, and forced any new votes from a given tabulator to be silently ignored? This is not as secure a system as the manual probably makes it out to be, as too much reliance is put on the assumption that no one who would hack the election knows the ID numbers on the memory cards.

The big thing to look at here is the Soyo MAC address. I am to understand that there are other logfiles with other MAC addresses? If so, I have posted what needs to be done with these addresses to get a clearer picture of what is going on (in another thread here at DU, and on BBV dcforums)

 
F.Gordon Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-16-04 12:47 PM
Response to Reply #68
69. You're playing "guess the fraud" as well
Edited on Thu Dec-16-04 12:52 PM by F.Gordon
This is all I can provide you on the digiboard...

Modems and telephone lines are commonly configured to the GEMS computer as follows:

1. A port expansion device, such as a DigiBoard, is installed on the GEMS computer. This involves the installation of a card internal to the computer, cabling either a multi-port octopus cable or a black box with multiple ports to the DigiBoard connector on the card. Modems are cabled to either the black box or octopus cable.

2. Alternatively, an intelligent port server is installed on the GEMS computer. The GEMS PC is cabled to a hub, which in turn is cabled to the intelligent port server, which is in turn cabled to modems.


Some other "stuff"....

12. Touch the Transfer button in the Results Accumulator window.

13. In the Transfer Results window, the Type field should display a value corresponding to the modem card, the Host field the IP address of the GEMS host, and Phone the phone number of the receiving modem. This information may be changed by touching the Change button, however, this information should be correct and not require re-configuration at the polling location. Touch the OK button in order to initiate the upload.


...and...

Each vote center/machine Id corresponds to a memory card. Every memory card that has been programmed is logged in the console under the Vote Centers tab with a red down arrow located on the left-hand side of the vote center/machine Id entry, while every uploaded memory card is logged with a green up arrow.

The number of separate machines or memory cards corresponding to a vote center is defined in the No. Mem Cards field in the Vote Center Editor. Numbering on the consoles begins at 0, so that if the number of memory cards is set to 10 in the Vote Center Editor will appear on the console as being numbered from 0 to 9.

Vote centers and memory cards are relevant in the AccuVote Server consoles as well as the GEMS upload status reports, however, election results reports are concerned with report precincts only. Vote centers do not necessarily correspond to report precincts on a one-to-one basis – review the GEMS database in order to understand what the relationship between vote centers and report precincts is.


...and....

The GEMS host computer should be configured with approximately 1 modem/telephone line combination for every 10 polling locations modeming results. Telephone lines used in modem uploading are usually bundled into a so-called ‘cascade’ or ‘roll -over’ line. All modem transmissions dial a single telephone number, which connects to the head line within the cascade. If that line is busy, the call rolls over to the next line, and so on. If all lines are busy in the cascade, the transmission will not be able to complete, as the receiving line will be busy.

Often, every telephone line within a cascade is assigned in an internal number which may be used for testing purposes.
Cascade lines may roll over calls either in a linear or random manner. In a linear manner, the call will descend to the next line in sequence. Random cascading, as the name suggests, occurs in a random manner.


You obviously know computers, but I'm trying to reduce this discussion to more of a "Computer Voter Hacking for Dummies".;) Your "fraud" scenario would require a complete 2nd set of programmed Memory Cards and the ability to jam/override 100...200 different tabulators. That sounds like one major project.
:shrug:

For me, a computer dummy, the BBV "fraud" argument always fails at this point. Computer people, such as yourself, can come up with theories. But you can never explain how your theory can be pulled off. How many people would this require just in ONE county? And not to mention, you would have to not only hack the main computer you'd have to hack all the originating tabulators otherwise you'd have to keep your fingers crossed that not ONE polling place worker took the time to compare the real numbers with the hacked numbers.

I have a pretty vivid imagination, but this whole "theory" of yours seems impossible.

Edit? Only one cup of coffee....give me a break, okay.
 
F.Gordon Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-16-04 01:52 PM
Response to Reply #69
71. Actually, it would require less "hacking".....
Look out!!! Second cup of coffee..... :)

You would either have to replace all the real memory cards with the fake ones at every precinct, or break into the SOE and do the switch-a-roo there. Either way, you have to switch the real for the fake because gaud forbid..... a machine recount is done.

Now maybe this is something that the Oceans Eleven team could do, but in every County??
 
skids Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-16-04 08:51 PM
Response to Reply #69
72. None of that really helps...

To determine if there is a relationship between DHCP and the digiboard. What is really needed is hardware/firmware documentation for the port cards, to see how it presents itself to the OS.

As far as hacking stuff, I think you are viewing it in the context of an external entity coming in to the system from afar and changing stuff around without the knowledge of the election workers or of the vendor.

The latter is the most dangerous of assumptions. I wouldn't go around trying to convince folks that an election system can be hacked by any rogue amateur. It's pretty silly.

The more likely scenario is that security flaws are left in the system intentionally by the vendors, rather than blatantly fraudulent software. By leaving a security flaw in the system, they can claim it was a mistake, rather than intentional.

And nothing requires you to have a second set of memory cards, just to be able to act like you have all the cards. And even that assumes you cannot bypass the card authentication process as well. As far as compromising tabulators... you own both products. Just have the tabulator compromise them as they dial in.

Plus, as far as staffing it goes, you'd be surprised what one human can do with the right equipment and a lot of preparation. I myself once reconfigured over 200 switches and routers in about 15 minutes.

 
F.Gordon Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-16-04 10:21 PM
Response to Reply #72
77. Still doesn't convince me
Okay, I checked another manual. The "security flaw" theory doesn't work for me. The machines, tabulators, etc are bought in bulk. The voting machine or tabulator doesn't know where it is until someone programs that information in. Precinct ID, etc... It has to be told where it is.

So, for a "security flaw" to work the Oceans Eleven team would have to have an insider that made sure that each precinct got the "correct" machine.

This theory is a harder buy for me than the 2nd set of memory cards.
 
skids Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Dec-17-04 06:05 AM
Response to Reply #77
83. Well first...

Keep in mind that the vendors are often the ones doing the programming, as part of a packaged setup and install service.

I don't understand, though, why you think machines would have to be put in a particular precinct? A security flaw is a security flaw. All you need is to figure out the phone number of the accumulator, hack it, and tell it to hack any tabulators that dial in. Heck, the vendors would probably even be able to get away with putting "dial home" operations into the tabulators/accumulators under the pretense of "turnkey maintenance", given the extent to which BOEs seem to completely misunderstand security issues. We already know some of them offer a complete package that includes web hosting of the returns -- when and how they get the data to their webhost, we don't quite know yet, but they get it pretty early.



 
smartvoter Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-15-04 02:40 PM
Response to Original message
56. That's an internal IP address. nt
 
F.Gordon Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-15-04 02:46 PM
Response to Reply #56
57. I know. Can you answer my questions above? n/t thanks!!
....
 
Carolab Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-15-04 09:39 PM
Response to Original message
63. From a very well-informed source
I got this reply:

This is an error message you would see on a DHCP server, indicating that not
only was the machine networked, but it received requests from another computer
for an address out of the DHCP scope or that may have been already assigned.

More info:

http://support.microsoft.com/kb/163055/EN-US/ and
http://www.eventid.net/display.asp?eventid=1011&eventno=451&source=DhcpServer&phase=1

Basically, this indicates that the machine was both connected to a network AND
received requests for an IP address from another computer, which this machine
was apparently supposed to provide.

As an aside, you usually see DHCP NACKs with multi-homed servers, meaning that
usually this happens in servers with more than one network connection (could be
a network card and modem, 2 network cards, network card and wireless card,
etc).

If you Google DHCP NACK you'll get more info - basically this is how it works:

client > dhcp discover
server > responds with dhcp offer
client > sends dhcp request
server > responds with DHCP ACK (acknowledge) or NACK (not acknowledge, which
retracts the offer)

This is the last step in the DHCP addressing process, and a NACK should result
in re-initialization of the client, starting the process over. That is a
little oversimplified - for more detailed info please check out RFC 1541 and
2131, at http://info.internet.isi.edu/

 
BansheeDem Donating Member (119 posts) Send PM | Profile | Ignore Wed Dec-15-04 10:04 PM
Response to Original message
64. Bev is telling stories; I think ...
I was just listening to the MP3 of Bev Harris on RR and BH said that they had tracked the IP address to some "unknown private corporation". Well, I find that just fascinating since the IP address listed on this thread is INTERNAL and assigned dynamically as a means of saving the programmer a bit of time (not having to manually assign addresses). If the node was attempting to call out, it seems to me that it would be trying connect with an outside IP. BH is really trying to make something of this calling out idea it seems. But as far as I can tell, she is just blowing smoke up our collective butts. Or did I miss something?
 
Carolab Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-15-04 10:12 PM
Response to Reply #64
65. How can the machine be stand-alone
Edited on Wed Dec-15-04 10:20 PM by Carolab
if it was networked?

A DHCP is defined as a protocol to help establish connection with an internet protocol. Why would a stand-alone machine be a DHCP server? The machine was networked and was trying to connect either to another device, presumably in the network since it was an internal IP address.

http://searchnetworking.techtarget.com/sDefinition/0%2C%2Csid7_gci213894%2C00.html
 
BansheeDem Donating Member (119 posts) Send PM | Profile | Ignore Wed Dec-15-04 10:35 PM
Response to Reply #65
66. Well ...
it can be set up as a node, but used as standalone if it is not physically connected to the network. If I understand this correctly, it was attempting to connect to another networked computer (or one that had been networked recently) on a private LAN (What I would refer to as internal) - no different than the two computers I have on a LAN in my home connected via my Ethernet cards using the TCP/IP protocol. Each of them have their own (private) IP address. If one of them is not physically connected to the net, the other one gets lonely and tries to connect, and when it can't, sends a very similar error message to the one in this thread. IOW, they are not trying to dial out at all, they are trying to talk to each other within the internal LAN.
 
Carolab Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-15-04 11:19 PM
Response to Reply #66
67. Therefore, if it WAS attempting to connect
it was NOT standalone.
 
BansheeDem Donating Member (119 posts) Send PM | Profile | Ignore Thu Dec-16-04 01:43 PM
Response to Reply #67
70. Yes, but it was trying to connect within the LAN ...
Because the IP address was an internal; it appears as though it was trying to contact a computer within the net. This could have been a laptop being used previously for diagnostics or some other computer that had not had its certificate expire. (what I suspect). In either event, for BH to say that it was an IP from an unknown commercial company is just not factual. That is why I originally said that I thought she was telling stories.
 
Kelvin Mace Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Dec-17-04 08:22 AM
Response to Reply #66
86. You are correct
Bev is using the term "dial out" because it sounds sinister.

David Allen
www.thoughtcrimes.org
 
Kelvin Mace Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Dec-17-04 08:21 AM
Response to Reply #65
85. It was networked at one time
and the people who then disconnected it from the network forgot to turn off the DHCP request, thus the error message.

I see NOTHING sinister about this.

David Allen
www.thoughtcrimes.org
 
Kelvin Mace Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-16-04 09:33 PM
Response to Reply #64
75. You did not miss any thing
Here's the dialog that probably took place:

Bev: How can we track that IP address?

Tech: You can't. It's a private, internal IP address.

Bev: Ooooo, thanks.

Next day:

Bev: And you see, Randi, the IP address we found belongs to a private corporation who we are trying to identify. If I can raise just a bit more money...


How do I know this happened? Because I saw it happen multiple times when I was around Bev. She hears what she wants to hear and mangles what doesn't fit her preconceived notion to fit.

David Allen
www.thoughtcrimes.org
 
Nederland Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-16-04 10:33 PM
Response to Reply #75
78. Yup
Sounds much like the exchanges I've had with Bev as well...
Printer Friendly | Permalink |  | Top
 
Bill Bored Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-16-04 11:06 PM
Response to Reply #64
80. It's a private IP address
But in Bev-speak this translates into "private corporation." Sounds sinister, doesn't it? But it really just means the network is private, i.e., NOT part of the Internet. This is what I mean about BBV's poor communications skills. I haven't had time to read much of their forums, but it's clear that they need a better spokesperson. I hope their techies aren't as out of their depth as Bev is.
Printer Friendly | Permalink |  | Top
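The point made in replies 70 and 80, that 192.168.2.4 is a private address and so cannot be traced to an outside owner, can be checked mechanically. The following is an added example, not part of any poster's message: it parses the event text quoted in the original post and classifies the requested address. The function names, the "attributable" flag (whether a registry lookup could name an owner) and every sample line except the first are assumptions made for illustration.

```python
import ipaddress
import re

# RFC 1918 private-use blocks: reusable on any LAN, never routed on the Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Shape of the event text quoted in the original post.
NACK_RE = re.compile(
    r"DHCP server issued a NACK to the client \((?P<client>[0-9A-Fa-f]+)\) "
    r"for the address \((?P<addr>\d{1,3}(?:\.\d{1,3}){3})\) request")

def classify(addr):
    """Return (label, attributable): can the address identify an outside owner?"""
    ip = ipaddress.ip_address(addr)
    for net in RFC1918:
        if ip in net:
            return "private, RFC 1918 %s" % net, False
    if ip.is_loopback:
        return "loopback", False
    if ip.is_link_local:
        return "link-local (self-assigned)", False
    if ip.is_global:
        return "globally routable", True
    return "special-purpose/reserved", False

def triage(lines):
    """Extract NACK events and classify each requested address."""
    results = []
    for line in lines:
        m = NACK_RE.search(line)
        if not m:
            continue
        try:
            label, attributable = classify(m.group("addr"))
        except ValueError:          # e.g. an octet above 255
            label, attributable = "malformed address", False
        results.append((m.group("addr"), label, attributable))
    return results

SAMPLE = [
    # First line is the message quoted on the page; the rest are constructed.
    "FLAG-TRAIN The DHCP server issued a NACK to the client (0001A8C00100502C070C07) for the address (192.168.2.4) request.",
    "HOST-A The DHCP server issued a NACK to the client (0102030405060708090A0B) for the address (198.51.100.7) request.",
    "HOST-B The DHCP server issued a NACK to the client (0102030405060708090A0B) for the address (8.8.8.8) request.",
    "HOST-C The device is not connected.",
]

if __name__ == "__main__":
    for addr, label, attributable in triage(SAMPLE):
        print(addr, "->", label, "| attributable:", attributable)
```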
 
Kelvin Mace Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Dec-17-04 08:17 AM
Response to Reply #80
84. They are way out of their depth
The pros will have nothing to do with her because unless what they say fits her paranoia fantasy she ignores them. So, all that is left is tech wannabes.

David Allen
www.thoughtcrimes.org
Printer Friendly | Permalink |  | Top
 
evolvenow Donating Member (800 posts) Send PM | Profile | Ignore Thu Dec-16-04 09:12 PM
Response to Original message
73. Could someone have called in wireless? Blackberry, Palm Pilot?
I am guessing.
Printer Friendly | Permalink |  | Top
 
Bill Bored Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-16-04 11:09 PM
Response to Reply #73
81. Doesn't have to be wireless
Anyone with a phone can call in if it's a serial digiboard with dial-up modems.
Printer Friendly | Permalink |  | Top
 
evolvenow Donating Member (800 posts) Send PM | Profile | Ignore Thu Dec-16-04 09:13 PM
Response to Original message
74. Just guessing?
Edited on Thu Dec-16-04 09:14 PM by evolvenow
Printer Friendly | Permalink |  | Top
 

© 2001 - 2011 Democratic Underground, LLC