Need help of a NETWORK ADMIN - tech question but trust me, MAJOR political import!!!

Status
Not open for further replies.
All of this talk about DHCP is highly speculative. DHCP requests and ACKs are ARP packets. There are no IP addresses, since you can't talk to an IP address until you have an IP address.

Further, since Jim is dealing with logs, and we know GEMS is based on Access, that makes this a Windows issue. Windows logs for s#!* He's almost certainly looking at GEMS-specific logs, which would be traffic to/from the database and maybe among program modules, stuff far above Layers 2, 3, or 4.

Until / unless we can actually see a few lines of the logs involving this mystery address, further speculation just isn't going to be useful.
 
There's nothing speculative about it, and DHCP requests are broadcasts, but not at all the same thing as ARP.
 
I'll have access to detailed logs circa Wednesday.

The damn things aren't electronic. They're printouts. Gotta understand, we don't even have the ability to stick a floppy or blank CD in the thing.

But, if there's any reason to suspect funky, then...we have options.


---------------

One thing y'all have to understand: across ALL aspects of this stuff, security absolutely stinks by any modern standard. Diebold will always say "but that's OK, it's all standalone".

We have that glimmer from Alameda County in the Rob Chen memo that these boxes HAVE been routinely stuck on county intranets. That's not the only such glimmer.

But the point is, they will ALWAYS make the claim that any security holes we find are "covered by procedure".
 
the DHCP server issued a NACK to the client for the address request

client 0001A8C00100502C070C07 for the address (192.168.2.4)

Taliv is right, but I'll give you some more detail.

There is a DHCP server process running on THIS MACHINE. This DHCP server process is what generated the log event. This isn't an event from firewall software or something warning of a connection attempt. It also is NOT this machine attempting to obtain an address.

(Aside: DHCP servers exist on networks so that client PCs can get addresses automatically, instead of having to have their addresses entered individually on each machine. It makes administration much easier.)

At some point, THIS MACHINE received a DHCP request from ANOTHER MACHINE asking if it could use the address 192.168.2.4. The other machine asked for this address because that was the last address it was given with DHCP, and it assumed that its situation had not changed since its last DHCP exchange. THIS machine denied that request with a NACK, probably because it's configured to use a different address range.

Now, this OTHER machine had to have been connected with Ethernet. DHCP does not enter the picture when you are using a modem connection. PPP and SLIP don't use DHCP. However, that string in the message doesn't look like an Ethernet MAC address - they are usually represented as 12 hex digits (like 00:e0:4c:c6:ab:2d or 00e0.4cc6.ab2d). It's possible that it's the other machine's name - I know Windows will put the machine's hostname in its DHCP requests.

Jim, all Windows log events are timestamped. Do you know when this event was logged? It could literally be years old. You're spinning your wheels for nothing if this was an event logged when the machine was still at the factory. Also check the system time to see if it's accurate, because the log events are stamped by the system clock.

Edit: I went over the thread again. It seems to me that if this machine is a central vote tabulator, and other machines are connected to this machine via Ethernet for the purposes of transferring vote counts, then it makes sense for this machine to be running a DHCP server. (see above note on administration) If this is the case, and another computer is connected to the LAN, it's entirely possible for that computer to request an address outside the DHCP server's address range. This would result in a NACK, which would get logged as above.

BTW, as to why a whois lookup on 192.168.2.4 results in IANA - the Internet Assigned Numbers Authority: IANA has reserved this address block for special purposes, so that's why they show up as the owner in the WHOIS database.
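The reasoning in the post above (an INIT-REBOOT request for a previously held address, a NACK because the address is outside the server's scope, a client field that is not a plain MAC, and 192.168.x.x being private space) can be put into a runnable form. What follows is an added example written for this thread; it is not code from GEMS, Diebold or any Microsoft DHCP server. The log line layout, the timestamp column, the second (ACK) entry and the scope of 192.168.1.10-200 are all assumptions made up for the demonstration; only the words "client 0001A8C00100502C070C07 for the address (192.168.2.4)" come from the thread. The server logic is a simplified reading of RFC 2131 section 4.3.2, not Microsoft's implementation.

```python
"""Triage of a DHCP 'NACK ... for the address (x.x.x.x)' log entry.

Added example for this thread; constructed, not taken from GEMS, Diebold
or any Microsoft DHCP server source. The log line format below is an
assumption that simply reuses the words quoted in the thread.
"""
import ipaddress
import re
from dataclasses import dataclass, field

LOG_RE = re.compile(
    r"^(?P<when>\S+ \S+)\s+(?P<kind>N?ACK)\s+client\s+(?P<cid>[0-9A-Fa-f]+)"
    r"\s+for the address \((?P<ip>[\d.]+)\)$"
)

# Constructed sample log. The NACK entry reassembles the two fragments
# quoted in the thread; the timestamp column and the second (ACK) entry
# are made up for contrast.
SAMPLE_LOG = """\
01/01/00 12:00:00 NACK client 0001A8C00100502C070C07 for the address (192.168.2.4)
01/01/00 12:00:05 ACK client 00E04CC6AB2D for the address (192.168.1.20)
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip) -> bool:
    """True for the private, non-routable blocks reserved by RFC 1918."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def classify_client_id(cid: str) -> str:
    """Say what a DHCP server's hex 'client' field most likely is.

    A bare Ethernet MAC is 6 bytes (12 hex digits). A DHCP client
    identifier (option 61) as Windows sends it is hardware type 0x01
    followed by the MAC (7 bytes). Anything else is reported by length
    rather than guessed at.
    """
    cid = cid.upper()
    if len(cid) == 12:
        return "ethernet-mac " + ":".join(cid[i:i + 2] for i in range(0, 12, 2))
    if len(cid) == 14 and cid.startswith("01"):
        mac = ":".join(cid[i:i + 2] for i in range(2, 14, 2))
        return f"client-id(htype=1, mac={mac})"
    return f"unrecognized ({len(cid) // 2} bytes)"


@dataclass
class Scope:
    """One DHCP scope: the subnet served plus the pool handed out from it."""
    subnet: ipaddress.IPv4Network
    pool_start: ipaddress.IPv4Address
    pool_end: ipaddress.IPv4Address
    leases: dict = field(default_factory=dict)   # address -> client id


def make_scope(subnet: str, pool_start: str, pool_end: str) -> Scope:
    return Scope(ipaddress.ip_network(subnet),
                 ipaddress.ip_address(pool_start),
                 ipaddress.ip_address(pool_end))


def server_decision(scope: Scope, cid: str, requested: str):
    """Simplified INIT-REBOOT handling after RFC 2131 section 4.3.2.

    The client asks to keep an address it held before. A server that is
    authoritative for the link answers DHCPNAK if that address is on the
    wrong subnet, outside its pool, or held by another client; otherwise
    it confirms with DHCPACK. (Model for illustration, not Microsoft's code.)
    """
    ip = ipaddress.ip_address(requested)
    if ip not in scope.subnet:
        return "NACK", "address is not on the subnet this server serves"
    if not scope.pool_start <= ip <= scope.pool_end:
        return "NACK", "address is on the subnet but outside the lease pool"
    holder = scope.leases.get(ip)
    if holder is not None and holder != cid:
        return "NACK", "address is leased to a different client"
    scope.leases[ip] = cid
    return "ACK", "lease confirmed"


def triage(log_text: str, scope: Scope) -> list:
    """Parse log lines, replay each request against the scope, and note
    whether the logged outcome matches what the model predicts."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                     # not one of the lines we understand
        predicted, why = server_decision(scope, m["cid"], m["ip"])
        findings.append({
            "when": m["when"],
            "logged": m["kind"],
            "client": classify_client_id(m["cid"]),
            "address": m["ip"],
            "rfc1918": is_rfc1918(m["ip"]),
            "predicted": predicted,
            "why": why,
            "consistent": predicted == m["kind"],
        })
    return findings


if __name__ == "__main__":
    # Assumed configuration: the tabulator hands out 192.168.1.10-.200.
    for f in triage(SAMPLE_LOG, make_scope("192.168.1.0/24",
                                           "192.168.1.10", "192.168.1.200")):
        print(f)
```

Run against the constructed sample, the thread's entry comes back as a NACK that the model also predicts (wrong subnet), with a client field of 11 bytes that is neither a bare MAC nor a type-1 client identifier, and a requested address inside RFC 1918 space. The useful part for reading a real printout is the "consistent" flag: an entry the model cannot explain from the server's configured scopes is the one worth asking the election officials about.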
 
Tracert.

Do a tracert to the 192 address, see if it resolves to a "name" of a computer you know. If not start looking at the route and identify each hop in the route. When you identify the last device your route took it will be the device the 192 address/system is attached to. Check all systems connected to that device with IPCONFIG to find your source.

Charlie.
 
<network geek mode>

Don't bother with the tracert or trying to locate this address online, you won't find it.

IP addresses in the 192.168.x.x range are on PRIVATE, NON-ROUTABLE subnets. Whatever network this machine was on was a private, RFC 1918 compliant network (see http://www.faqs.org/rfcs/rfc1918.html). It may or may not have been connected to the Internet but unless we can look at the logs we won't know (and we still may not know even if we can look at the logs, depending upon what they contain).

Also, do we know what OS the machine in question was running? If in fact a DHCP server was running then it was probably either Windows NT4 Server or 2003 Server. It will be useful to see what other services were running on the box, so if the other system logs are available they would be relevant.

</network geek mode>

<lawyer mode>

How do we know the logs are authentic, especially since they are hard copies? Is there a sufficiently-documented chain of custody linking them to a Diebold machine? Since they are in paper form, how do we know they haven't been altered either before printing or afterwards? Are these copies the first printout or photocopies thereof? Do the original electronic log files exist and where are they?

</lawyer mode>
 
Bev Harris saw the printout happen, I *think*. Even if not, this was a smaller county with little technical competence available - I rather doubt they'd know "what to fake" (or leave out) in a log.

This is NT w/SP6.
 
If Bev Harris actually saw the log being printed out it's a start. Did it then go into her custody? If not, then where did it go?

The reason I'm belaboring this point is that if the printout is to be considered evidence then the chain of custody must be established.
 
evidence of what? that a dhcp server is running?
 
stand alone

<Sgt Friday mode>

the facts here Jim, per your 3pm note today are passing strange to this lanlord,

Senior variety...

if this is standalone, why perchance is the device running dhcp?

</Sgt Friday mode>

I'm ranting 'back door, back door'

If the machine was configured on a LAN, the lease had looonng ago expired on any type of DHCP, unless the lease was set to not expire.

the vlan/tunnel protocols are old enough that this thing may be 'calling home'

</speculation>

Call Laura Chappell at the Protocol Analysis Institute. They do white hat security stuff.

nuff said.

r

edit for sorry grammar
 
Evidence that a machine that's supposed to be standalone BY LAW ain't?

Jim, as I asked before,

when were the logs taken?
what cables have you plugged into it?


if it's supposed to be standalone BY LAW, then why have you plugged a cable into it?

regardless of how it's configured, you're not going to get any of those DHCP log entries unless you've got a cable plugged into it.


if you don't have any cable plugged into it now, i guarantee it's not generating those logs now. as was mentioned by several people, the log entries are probably old, from the time the machine was connected to a LAN so that it could collect data, regardless of when the logs were printed.
 
Jim March said:
The only LEGIT connection to the outside world a GEMS/Diebold box is supposed to make are incoming modem connections via a Digiboard and modem bank. The thing is supposed to take in data from voting terminals (touchscreen, optical scan, doesn't matter) right after the polls close so that "early results" can be fed to the press. Then people hand-carry the memory cards (PCMCIA, basically "electronic ballot boxes") in from the field and they upload those to the GEMS tabulator via PCs connected to Ethernet straight to the GEMS box.

I bet you this machine runs a DHCP server to simplify connecting the ballot upload PCs, and one of the ballot upload PCs requested an address outside the DHCP server's scope. The result is the DHCP NACK which generated this log entry. Simple as that.
 
I beg to differ about tracert.

Dave Markowitz made the comment "not to bother with tracert". I beg to differ. If this terminal is connected to a local/private network it will be able to tracert to 192 addresses on the local Ethernet network. Why wouldn't it? However I did see that Jim can't issue commands so this is an invalid option anyways.

Jim. If the logs show that this is happening while the other systems are not connected, sending results from their dial in connections, then it's coming from inside your network, your private, local Ethernet network. If Mr. Markowitz can prove me wrong and you can't do a tracert to the intruding 192 address, simply go to the few other systems at your location and do an ipconfig on each of them to find the IPs assigned. You have no other choice but to find it.

You guys are trying to make this much harder than it needs to be. Simple LAN issues aren't that hard to troubleshoot.
 
Taliv: I don't understand why you can't comprehend that we can't do ANYTHING to these things. If we approached the thing with a cable in hand, the elections officials would have us under arrest by the local police in about a red-hot second.

We can't plug *anything* in. We can't load software. We can't so much as stick a blank floppy in.

It gets worse. Most of the elections officials are so paranoid and so techno-turnip stupid they won't let us look at the back end of the machine and see what's plugged in.

Do you understand the situation yet?

Endlessly saying "why are YOU doing this" is just...it's like asking why the sky is paisley.

Arright? Am I getting through here?

Now. IF there is ANY reason in the full logs to suspect wonkiness, then maybe we can change the situation via methods I can't discuss.
 
One thing y'all have to understand: across ALL aspects of this stuff, security absolutely stinks by any modern standard. Diebold will always say "but that's OK, it's all standalone".

We have that glimmer from Alameda County in the Rob Chen memo that these boxes HAVE been routinely stuck on county intranets. That's not the only such glimmer.

But the point is, they will ALWAYS make the claim that any security holes we find are "covered by procedure".

So today for the logs sometime Jim? Sounds great, in the meantime since they're relying on it being standalone and trying to cover things with procedure would you happen to have a copy of the procedures? And if you know too the security level they're trying to hit (should be damned high IMHO)? Configuration procedures would be good too.
 
Yesterday evening, a total wild-arsed, purely speculative, tinfoil-hat-wearing idea popped into my head. With that disclaimer in mind:

I run an 802.11b wireless LAN in my home. I don't use an access point. Instead, I run the network peer-to-peer, and one of the peers serves DHCP to the rest, so that guest laptops and what-have-you only need to know the network name and the WEP key, and they can get a temporary DHCP address from my network.

So. Is it possible that this box has a wireless network adapter living somewhere within it, serving DHCP, whereby to allow a "war-driving" black-hat with a laptop to gain access to the machine without having to even physically connect to it? Without, in fact, having to necessarily even come inside the building, depending on floorplans?

Just a thought.

-BP
 
As others have stated the 192.168.*.* is a private subnet. In other words it is not trying to contact a computer on the internet. I'm having a little trouble understanding exactly how and what error you saw that makes you think this machine is trying to contact another machine with the address of 192.168.2.4. Most likely though if this is the "server" in a voting place that has "dumb" terminals connected to it for the actual voting it is just trying to talk to one of its "dumb" terminals. The logs would clear this up fairly quickly. Also if the machine is running the Routing and Remote Access service and the DHCP service it could be the address that this machine is assigning to the machine that connects through the modem(s) you spoke of earlier.

None of this sounds all that nefarious or suspicious to me.
 
matt-man, yep, that's pretty much what i said earlier.

chas, it's not trying to contact the machine. it's trying to give it an ip address. until DHCP is successful, there's no point in trying to traceroute, because the system won't have an IP address to traceroute to. there may be a box with 192.168.2.4, and he might be able to traceroute to it, but that would essentially be a wild goose chase, and lead you to believe you're talking to the machine in question, when in fact you're talking to a completely different computer. that make sense? nobody is saying (at least i think they're not) that you can't traceroute in an intranet with RFC1918 addressing.

Jim, i'm not trying to be overly confrontational about this. I'm just saying this is a very simple, normal setup and nothing to get excited about. What I can't comprehend is why you haven't shown the log to an election official and asked why the machine is behaving this way.
 
What I can't comprehend is why you haven't shown the log to an election official and asked why the machine is behaving this way.

We have.

Dude, not only do they not know why this is going on, they have to be hand-held through the process of printing the log. And they don't have clue one about what DHCP is or any other networking concepts.

This is part of the disease we're dealing with here. Diebold has offered very low cost on-site handholding as part of the service agreement. Which means the county election officials don't have to request help from the never-enough-of-'em network geeks within the county's IS department.

So Diebold techs handle...well in some cases, *everything*. Swear to God, we know of situations where they ran the *whole* election, wildly contrary to law. But even when it's not THAT bad, they always handle system installation.
 
Oh for the love of Mike...

Macavada, yes it is cool that they are talking about Diebold machines on here. But seriously, what the heck are they doing running NT4 on a voting machine?

This is nothing. The guy who set the system up left something turned on that he shouldn't have, which is real easy to do considering Microsoft leaves EVERY FREAKING THING they touch in a compromised state. Why they aren't running some sort of *Nix OS like BSD, or even any flavor of Linux boggles my mind.

But obviously that is neither here nor there. I don't believe it's a problem. But if it's in your power Jim have the whole box replaced. Raise a stink, and the guy who set it up, put his butt in a sling. Just freak out on somebody in charge of that stuff. If they don't have spares then I don't know what to tell you. They obviously are getting paid large bucks. Pork belly companies always do this kind of stuff. Make you shell out six to eight digit figures and give you an inferior product.

FYI: ALL Microsoft OSes are easily compromised if you have physical access to the machine. Heck, if I got a floppy drive, CD-ROM drive or USB port to work with, that system is dead within five minutes. That's why your monitors are paranoid. They've probably been warned that the system can be hosed easily. If you don't have a lock on the case lid, I can do anything I want.

Now with all that said it's a whole lot easier to manipulate the operator running the machine who knows nothing about it, than it is to actually crack the machine. It's called social engineering. Look up Kevin Mitnick sometime. He was arrested for hacking machines he was GIVEN access to.

If it's a DHCP request though it's probably nothing. Again if you suspect any hijinks just raise hell. The roaches always scurry when you flip a flashlight on. Oh and get an old cop (preferably detective, retired, he'll like the action), that you trust who can read faces of the people around you. Your own worst enemies are they of your own household.
 