Need help of a NETWORK ADMIN - tech question but trust me, MAJOR political import!!!

Status
Not open for further replies.
Ok, let's try this again...

Get the port it's trying to connect to. This can be tracked to a specific application if it's legitimate. Even if it's not one of the common ports, Diebold can tell you if it's a port used by their software. Or, if it's malware, the port usage may be documented somewhere on the Internet.

Chris
 
Are these computers that are supposed to be networked using static IP's? And is the computer that's trying to make the connection a server or a client for any specific purpose? This could very well be just the computer trying to do its job properly. Have to know more.
 
Well, first, it could be trying to access 192.168.2.4 via a modem connection. Check the routing table ( "route print" ) when the machine is not connected, and when it is. That might give some more insight.

It's also possible this is something left over from development time. Maybe the programmer had a dev box reporting to 192.168.2.4, and when the code was buttoned up, that bit was left in. Pretty sloppy, if you ask me, but possible. Unless there's some element that's under Diebold's control (like, if when the modem is connected, all of a sudden 192.168.2.4 is part of a valid subnet), I doubt this is something nefarious.

Is the local network and modem connection under county control, or Diebold's?
 
Sigh. We don't have the ability to run commands

Plug it into a hub (not a switch, but a hub), plug a laptop running Ethereal or any other sniffer into the same hub and let the chatty Diebold box do its thing for a few minutes or hours. Post the Ethereal results here.

Chris
 
Jim,

Chances are that after 4 years the box would not be trying to renew a lease. Typical values for lease-duration are: 1 hour, 1 day, or forever. It's possible that the box was, in fact, issued a permanent-lease address back when it lived at Diebold, and is trying to renew that lease now that you've thoughtfully given it an ethernet cable to talk to.

I say it's unlikely because Diebold would have been silly to set up permanent address-leases on a network that they were plugging boxes into temporarily; permanent DHCP leases are for things like servers, that people need to be able to reach reliably at a given IP address.

-BP
 
Jim said he's looking at logs, not working at the actual machine.

Jim - Can you paste some sample log lines involving 192.168.2.4 into this thread? We might be able to see something that way.
 
Ignore my previous ramblings about ports. I completely missed Jim's post with the specific NT Log entry regarding DHCP NACK. I was wondering why everyone was so stuck on the DHCP issue.

:rolleyes:

Chris
 
If a computer is supposed to be rigged for modem only, no. There is no reason for any IP settings to exist, let alone specific IP addresses.

This isn't true. A modem connection is Layer 1, like twisted pair. With modems, the Layer 2 connectivity is usually PPP, sometimes SLIP. With twisted pair, you're talking Ethernet, or maybe token ring, FDDI, WiFi, etc. But both connections need a Layer 3 as well. That's usually, these days, IP. It could be IPX, like in a Novell environment. But there has to be some kind of end-to-end addressing.
 
Then people hand-carry the memory cards (PCMCIA, basically "electronic ballot boxes") in from the field and they upload those to the GEMS tabulator via PCs connected to Ethernet straight to the GEMS box.

Could the GEMS box have DHCP services running for the purpose of providing an address to the PC you mention? Was that PC connected when the log entry was generated?

Chris
 
Could the GEMS box have DHCP services running for the purpose of providing an address to the PC you mention?

Maybe.

Was that PC connected when the log entry was generated?

NO. Those are only connected for very short time periods, to download ballot image data to terminals pre-election, and a smaller number of terminals as memory card upload stations immediately post-election. Any other time, the sucker is supposed to be standalone. And it's *never* supposed to be cross-wired to the county Intranet or esp. not gatewayed to the wider Internet.

Look, if we just run GEMS itself on a PC box of our own with a software firewall like Zonealarm, it'll report an attempt to make a net connection of some sort. We don't KNOW what the hell it's been doing, but we've referred to this as the "ET Phone Home" problem.

Hell, download the code for yourself:

http://www.equalccw.com/dieboldtestnotes.html

Maybe Diebold techs have been plugging small PCs into the wire without anybody knowing. Maybe it's trying to initiate modem calls. Maybe it's checking to see if the box WAS cross-wired to the county LAN so it can establish a session outwards through the firewall to God knows where. We know a Diebold tech in Alameda County gave the modem pool fixed IP addys of 166.107.248.210 to 220 (see Rob Chen memo at the above link). Now go to:

http://www.acgov.org

Now go ping www.acgov.org - I just got 166.107.72.47 - does it look to y'all like Rob Chen made the modem pool IPs compatible with the county LAN subnet?!? Gee, I wonder why he'd do THAT?

We haven't been able to hack at a real box. Just getting these damned logs was a breakthrough.
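Whether the modem-pool addresses quoted above are "compatible with the county LAN subnet" depends entirely on the prefix length the county actually uses, which the thread does not give. The following is an added example (not code from the thread, from Diebold, or from Alameda County) that computes how long a prefix two addresses share and whether an address pool overlaps a given network; it uses only the two addresses posted above and makes no claim about the real mask.

```python
# Added example: at what prefix length do two IPv4 addresses land in the same
# network? The addresses are the ones quoted in the thread; the county's actual
# subnet mask is an unknown here, so the functions take the prefix as input.
import ipaddress


def common_prefix_len(a, b):
    """Number of leading bits two IPv4 addresses have in common (0..32)."""
    x = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - x.bit_length()


def same_network(a, b, prefix):
    """True if a and b fall inside one network of the given prefix length."""
    net_a = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
    net_b = ipaddress.ip_network(f"{b}/{prefix}", strict=False)
    return net_a == net_b


def pool_overlaps(pool_first, pool_last, host, prefix):
    """Does any address of the inclusive pool share a /prefix network with host?"""
    net = ipaddress.ip_network(f"{host}/{prefix}", strict=False)
    first = int(ipaddress.IPv4Address(pool_first))
    last = int(ipaddress.IPv4Address(pool_last))
    return any(ipaddress.IPv4Address(i) in net for i in range(first, last + 1))


if __name__ == "__main__":
    web = "166.107.72.47"                     # ping result quoted in the thread
    pool = ("166.107.248.210", "166.107.248.220")   # modem pool range quoted in the thread
    bits = common_prefix_len(pool[0], web)
    print(f"shared prefix: /{bits}")
    for prefix in (16, 17, 24):
        print(f"/{prefix}: pool overlaps web server's network ->",
              pool_overlaps(pool[0], pool[1], web, prefix))
```

The modem pool and the web server share only their first two octets, so they are "the same subnet" for a /16 or shorter mask and separate networks for anything longer than that; sharing a /16 is also what you would expect of any two addresses an organisation obtained from one block.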
 
NO. Those are only connected for very short time periods

That entry is a response to a DHCP request and wouldn't happen if there was nothing to request an address. DHCP isn't generally routed (can be done, but not normally and certainly not over the Internet), so it would have to be on the same network as the GEMS box. I've run DHCP services before and I've never seen a NACK without there being a requesting system online actively requesting the IP address.

Chris
 
Jim, were the logs on this server taken recently? At the time the DHCP log entry occurred, did you have any network cables physically connected? (ethernet, phone, wireless, etc)
 
That entry is a response to a DHCP request and wouldn't happen if there was nothing to request an address. DHCP isn't generally routed (can be done, but not normally and certainly not over the Internet), so it would have to be on the same network as the GEMS box. I've run DHCP services before and I've never seen a NACK without there being a requesting system online actively requesting the IP address.

>What!?<

Wait. These things are supposed to be standalone 'cept for very specific times. That's in the manuals.

Now, if it was just one county where this is happening, then OK, they've left some gear and wires still up.

But...it's ALL of 'em. Hard to believe every county would screw up in that fashion!?

:confused:
 
Are the computers with the Diebold software "black boxes" that the county receives, plugs in, and then just watches? Or does the county install the software on computers they provide? If the latter, it's possible that someone was working with an image that wasn't completely "clean".
 
The fact that it's trying to contact a private IP instead of a public IP suggests that this is unlikely to be something nefarious.

That all depends on exactly how these boxes communicate. If you have a "closed system" where the modems dial in to a number that leads directly to your "master" server, and Diebold isn't involved at all, then yeah, it wouldn't be useful to open sockets to weird IP addresses. But, if there is a possibility for Diebold to be involved... if the modems connect to telephone lines that have any ability to dial out into the world, or if the machine they call into is something that Diebold has some form of control over, then there could be something dirty going on.

I really think the only way to tell would be to get a packet sniffer on the same segment as one of these machines while it's doing its thing. I'm not sure if Knoppix comes with Ethereal, but it would sure as heck come with tcpdump. Either could do the trick.
 
Are the computers with the Diebold software "black boxes" that the county receives, plugs in, and then just watches? Or does the county install the software on computers they provide? If the latter, it's possible that someone was working with an image that wasn't completely "clean".

"Black Boxes" all right. It's WAY illegal to load other stuff on there. Every bit of code has to be at least accounted for. If it's "Commercial Off The Shelf" it doesn't need source code review but it still gets listed.

Not to say it hasn't been done. Half the King County WA elections management was fired for loading MS-Access on and doing most of their ballot development work in that instead of GEMS. This was...Sept. '03 I think. The Seattle Times wrote it up. One of the Diebold internal EMails talked about Access being a handy "hack tool" on the database, and mentioned "King County is famous for it". Somebody with employee access released all 15,000 EMails (summer of '03, to Wired magazine), somebody else checked King County based on that...whooops.

Access ain't an FEC-approved election program. GEMS is (which has an Access back-end runtime, but not the full dang version).

This stuff is supposed to be a *very* carefully controlled environment...not a general PC you surf the web on :scrutiny:. Which doesn't mean security was always *followed* y'understand. But in this case, the SAME weird network errors appear on more or less all the boxes, or at least close variants. So...whatever it is, either a misconfiguration screwup OR an incompetently set up back door, it's a good bet Diebold did it, not the counties.

:scrutiny:
 
Jim:

(posted in the other thread as well)

I can probably help you track this down, but I'll need more information from you. I'm a sysadmin/netadmin by trade (radiology networking), so I'm reasonably familiar with this sort of stuff. If you're interested, PM me, and I'll give you my phone number, or we'll figure something out so I can talk to you a little more directly; it'll be a lot easier to troubleshoot semi-interactively.

Just as an initial impression, I'm going to guess that this thing is trying to get a DHCP lease because it was originally configured over the network (yes, four years ago, when it was built), and they just never removed the card or disabled it in Windows. Odds are, it's just carelessness (never ascribe to malice that which can be adequately explained by stupidity), but I'll help you figure it out if you like.
 
But in this case, the SAME weird network errors appear on more or less all the boxes, or at least close variants. So...whatever it is, either a misconfiguration screwup OR an incompetently set up back door, it's a good bet Diebold did it, not the counties.

I'm leaning towards my "testing" theory... this couldn't be any kind of "back door" without properly routing traffic to 192.168.2.4, and making sure that there's going to be some sort of network connection available.
 
Rehashing:

This box has two normal functions. Accepting modem connections for receipt of early votes and local network activity for uploading of final vote results from pcmcia cards via a small number of PC on the local network.

As a result, I wouldn't be surprised if the machine were trying to get its network config via DHCP even while it's not connected to a LAN, thus the error message. It's possible that the box provides DHCP services, but you wouldn't expect DHCP requests when the box is not connected to a network. If you are connecting it to your own LAN for testing, then you might see the latter.

If this is the only evidence of the box "trying to make a network connection" then I wouldn't be suspicious.
 
Folks, I've got a computer that's trying (and failing) to make contact with *something* at an IP address of 192.168.2.4 - I can't ping it, I can't make any contact with it so far. I need to know who owns that number (or subnet) and swear to God, I need it *STAT*. I'm fairly geeky but I haven't had to deal with this.

(Haven't read all the thread yet, but I'll chime in anyway.)

If whatever it is is firewalled, you might not be able to ping it. Get nmap (http://www.insecure.org), run it on that address, and see if any service ports show up as open. Run it with the OS detection option for further clues.
 
Even if the modem answers incoming calls only, the caller has to have a network address in the same range as the answering modem for them to talk, assuming TCP/IP is the only network client installed.

In that case either the IP address is manually assigned or DHCP assigned. Depending on the system and settings, if the connection is not present it can cause log messages until the connection is established.

So the log can say cannot connect to ip address repeatedly until a modem connection is made. At which time the address is found, the data is transferred, and the connection is dropped. Then the log will start saying it cannot connect again, until the next modem connection.

I would have to see more info to know if this could be emulated on an outside PC dialing into the black box or other nefarious situations. The black box that is accepting incoming only, is either never connected to an outside phone line or never connected to a router; only then is it the least likely for someone to mess with it. At that point only someone physically present in the building might be able to mess with them.

If outside lines are connected it might be possible to emulate a caller and fool the black box, or the router could be programmed to translate a public IP address into the private one and the box could be accessed from outside of the network.
 
Listen,

in order to get that message, two things have to happen. First, your box MUST have an active network interface that you inserted a cable into. (not the modem)

Second, you MUST have an active DHCP server on that network that is configured with a different scope than your box was recently using.


The only suspicious thing here is what you guys are doing with this box. If I were the system administrator responsible for this box, and thought it was misbehaving, the first thing I would do would be to inform the state or Diebold. The last thing I would do is ask a gun forum on the internet, disclosing IP addresses and configuration in the process. Seems like doing anything else would be appreciably shy of career enhancing.
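The DHCP exchange behind the NACK that several posts above describe (a box still holding an old lease sends a DHCPREQUEST naming that address, and a server whose scope does not contain it answers DHCPNAK) can be walked through offline. The following is an added example, not code from the thread, from Diebold/GEMS, or from any of the posters: it encodes and decodes minimal RFC 2131 messages and implements the server-side INIT-REBOOT decision. The client MAC, transaction id, old lease 192.168.2.17 and the server scope 10.0.0.0/24 are all constructed for the illustration; the only address taken from the thread is the idea of an old server at 192.168.2.4.

```python
# Added example: DHCP INIT-REBOOT request met with DHCPNAK, on the wire.
# Not from the thread or from any vendor; all MACs, xids and addresses are made up.
import ipaddress
import struct

# Message types carried in option 53, and the option codes used below
DHCPREQUEST, DHCPACK, DHCPNAK = 3, 5, 6
OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_SERVER_ID = 50, 53, 54
BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC = b"\x63\x82\x53\x63"                   # DHCP magic cookie after the BOOTP header
HDR_FMT = "!BBBBIHH4s4s4s4s16s64s128s"        # RFC 2131 fixed header: 236 bytes


def build_dhcp(op, xid, chaddr, ciaddr="0.0.0.0", yiaddr="0.0.0.0", options=()):
    """Encode a minimal BOOTP/DHCP message: fixed header, cookie, option TLVs, end marker."""
    hdr = struct.pack(
        HDR_FMT, op, 1, 6, 0, xid, 0, 0,
        ipaddress.IPv4Address(ciaddr).packed, ipaddress.IPv4Address(yiaddr).packed,
        b"\0" * 4, b"\0" * 4, chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    tlvs = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC + tlvs + b"\xff"


def parse_dhcp(pkt):
    """Decode op, xid, client MAC, ciaddr/yiaddr and the options into a dict."""
    f = struct.unpack(HDR_FMT, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message (magic cookie missing)")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:     # 0xFF = end option
        if pkt[i] == 0:                        # 0 = pad option, no length byte
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {
        "op": f[0], "xid": f[4], "chaddr": f[11][:f[2]],
        "ciaddr": str(ipaddress.IPv4Address(f[7])),
        "yiaddr": str(ipaddress.IPv4Address(f[8])),
        "options": opts,
    }


def server_reply(request, scope, server_ip):
    """How a DHCP server serving `scope` answers a DHCPREQUEST (RFC 2131 section 4.3.2).

    A client in INIT-REBOOT state has ciaddr 0.0.0.0 and names its old lease in
    option 50. If that address is not on the server's network the server must
    answer DHCPNAK; if it is, it may ACK it. The request is a broadcast, so only
    a server on the same wire ever sees it, which is why a NAK in a log implies a
    DHCP server on the client's own segment.
    """
    opts = request["options"]
    if request["op"] != BOOTREQUEST or opts.get(OPT_MSG_TYPE) != bytes([DHCPREQUEST]):
        return None
    wanted = opts.get(OPT_REQUESTED_IP)
    if wanted is None:
        return None                            # RENEWING/REBINDING use ciaddr; not modelled here
    wanted_ip = ipaddress.IPv4Address(wanted)
    if wanted_ip in scope:
        kind, yiaddr = DHCPACK, str(wanted_ip)
    else:
        kind, yiaddr = DHCPNAK, "0.0.0.0"
    return build_dhcp(BOOTREPLY, request["xid"], request["chaddr"], yiaddr=yiaddr,
                      options=[(OPT_MSG_TYPE, bytes([kind])),
                               (OPT_SERVER_ID, ipaddress.IPv4Address(server_ip).packed)])


def init_reboot_exchange(old_lease, scope, server_ip):
    """One request/reply round, fully offline; returns (decoded request, decoded reply)."""
    client_mac = bytes.fromhex("00d0b70a1b2c")   # constructed, not a real box's MAC
    req = build_dhcp(BOOTREQUEST, 0x3903F326, client_mac,
                     options=[(OPT_MSG_TYPE, bytes([DHCPREQUEST])),
                              (OPT_REQUESTED_IP, ipaddress.IPv4Address(old_lease).packed)])
    parsed_req = parse_dhcp(req)
    reply = server_reply(parsed_req, ipaddress.ip_network(scope), server_ip)
    return parsed_req, parse_dhcp(reply)


def reply_type(old_lease, scope, server_ip):
    """Message type the server sends back: 6 (DHCPNAK) or 5 (DHCPACK)."""
    _, rep = init_reboot_exchange(old_lease, scope, server_ip)
    return rep["options"][OPT_MSG_TYPE][0]


if __name__ == "__main__":
    # A box still holding a 192.168.2.x lease (old server 192.168.2.4) boots on a 10.0.0.0/24 LAN
    req, rep = init_reboot_exchange("192.168.2.17", "10.0.0.0/24", "10.0.0.1")
    print("client asked for", ipaddress.IPv4Address(req["options"][OPT_REQUESTED_IP]))
    print("server answered", {5: "DHCPACK", 6: "DHCPNAK"}[rep["options"][OPT_MSG_TYPE][0]],
          "from", ipaddress.IPv4Address(rep["options"][OPT_SERVER_ID]))
```

Two things follow from the model that match the posts above: the NAK is only ever generated in response to a request that a server actually received, so a NAK entry means a requester and a server shared a segment at that moment; and the same box plugged into a LAN whose scope does include its old address would get an ACK instead, which is the quiet case that produces no log line.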
 