Title

Detailed Analysis Of The Attack And The Results

//.\\//.\\//.\\//.\\//.\\//.\\//.\\//.\\//.\\//.\\//.\\//.\\//.\\

Contents:

Analyzing the Attacks
Retrieving the Good Data
Results
Who Did It?
Conclusion

\\`//\\`//\\`//\\`//\\`//\\`//\\`//\\`//\\`//\\`//\\`//\\`//\\`//\\`//

Analyzing the Attacks

TECHNIQUES

The attacker(s) tried many tricks, most of which failed. Two techniques were somewhat successful: "stuffing the ballot box", that is, sending valid ballots with false email addresses; and "sendmail attacks", that is, initiating mail tasks with our mail server and then stalling the processes.
LOST DATA

We have been able to identify and remove all the multiple ballots. However, the direct attack on the mail server successfully brought the computer to its knees several times before we learned to set parameters to counter this type of attack. Stopping our computer in this fashion prevented the recording of some participants' votes.
Careful inspection of the vote data reveals that 3 valid and 15 false ballots were partially recorded and then lost without a trace. The email addresses were recorded but both the votes themselves and the comments were entirely lost for these ballots and no error messages were issued. It's likely that a few more were lost before they reached the stage in the process of being partially recorded. We regret that, due to our inexperience, these few ballots were lost. We believe that we can prevent such losses in the future.
Because of our inexperience, when we realized that we were under attack, we turned off logging and deleted several hundred error messages that contained no data relevant to the vote totals. It was a mistake because these messages were still relevant to the attacks, and, had we continued with our normal logging, we could have retrieved the lost ballots.

BALLOT BOX STUFFING

Although we lost some data through our inexperience, we still have plenty of data to analyze and reverse most of the attacks. We feel we were able to identify and extract all the multiple ballots.

The vote tallies at the close of La Consulta were:

968 have voted on the following items:
Pos
Votes Neg
Votes Zero
Votes On Choice

213 753 2 1. uno

197 759 12 2. dos

207 753 8 3. tres

209 753 6 4. cuatro

185 760 23 5. cinco

968 have voted on the following items:
Pos Votes	Neg Votes	Zero Votes	On Choice
213	753	2	1. uno
197	759	12	2. dos
207	753	8	3. tres
209	753	6	4. cuatro
185	760	23	5. cinco

First we wrote a program that found all IP addresses mentioned in all "Received" headers in all the email messages that generated errors. This analysis included both attack and legitimate activities at deliberate.com in the time periods covering the attacks. This procedure provided the following distribution of IP addresses associated with the incoming messages:

    1   127.0.0.1
    1   128.148.128.11
    1   128.148.5.64
    1   128.206.2.27
    2   128.206.46.228
    1   128.8.10.28
    1   128.83.42.61
    1   128.83.57.149
    1   129.118.1.21
    1   129.2.16.204
    1   130.132.143.250
    1   130.132.143.35
    3   130.132.25.76
    3   130.132.26.188
    1   130.167.14.2
    1   132.239.1.1
    1   132.239.73.6
    1   134.39.102.145
   11   139.179.10.20
    1   143.48.1.1
    1   148.233.173.55
    1   148.241.41.116
    1   148.241.96.103
   22   151.196.76.36
    1   155.54.1.1
    1   155.54.1.241
    1   155.54.3.66
    1   159.16.0.1
 1262   161.142.132.2
    1   171.64.14.23
   15   192.215.247.1
   15   192.215.247.5
    2   193.54.54.227
   28   193.76.244.22
   16   194.168.4.220
   49   194.184.120.222
    2   194.214.217.100
    1   195.220.38.221
    1   195.220.59.101
    1   195.235.29.245
    1   195.235.30.34
   49   195.244.37.8
    1   195.249.161.178
    1   195.41.46.133
    1   195.68.34.155
    1   195.68.34.27
    1   198.81.17.67
    1   198.81.17.70
   61   200.13.17.193
   27   200.13.17.220
    2   200.13.17.248
    2   200.13.19.248
   14   200.13.20.103
  288   200.13.20.150
  633   200.13.20.52
  144   200.13.21.133
    4   200.13.21.149
  327   200.13.21.175
    4   200.13.75.83
    1   200.33.150.80
   34   200.36.1.75
    1   200.42.0.132
    1   200.42.18.243
   41   204.126.140.249
    1   205.180.60.90
  690   205.218.250.3
   15   206.116.252.2
    1   206.99.50.59
    1   206.99.52.133
   25   207.248.133.21
    1   207.3.114.10
    1   207.3.118.84
    1   207.50.245.104
   10   207.81.46.2
    1   207.82.250.65
    1   207.82.251.11
    1   207.82.251.125
   50   209.218.33.127
   13   209.75.51.17
Total = 3909

Lines read = 410903

ATTACKER(S)' IP ADDRESSES

Of these addresses, we consider the following to be candidates for attacker IP addresses on the basis of having sent 10 or more emails, or belonging to the IP group with numbers starting 200.13, all the same host, data.net.mx.

139.179.10.20
151.196.76.36
161.142.132.2
192.215.247.1
192.215.247.5
193.76.244.22
194.168.4.220
194.184.120.222
195.244.37.8
200.13.17.193
200.13.17.220
200.13.17.248
200.13.19.248
200.13.20.103
200.13.20.150
200.13.20.52
200.13.21.133
200.13.21.149
200.13.21.175
200.36.1.75
204.126.140.249
205.218.250.3
206.116.252.2
207.248.133.21
207.81.46.2
209.218.33.127
209.75.51.17

Next we wrote a program to write a summary line for each error message generated from each of these IP addresses. This program searched only the bottom Received header of each incoming message for the originating IP address. The true domain name for each IP address is indicated with the -->.

The result from the first IP address that originated email:

=============
194.168.4.220    --> ntli.com
=============
22 Mar 1999 00:04:30 GMT ED akacevedo@ntli.com
22 Mar 1999 00:14:47 GMT ED imacevedo@ntli.com
22 Mar 1999 00:20:10 GMT ED iraceve@ntli.com
22 Mar 1999 00:25:22 GMT ED seaceve@ntli.com
22 Mar 1999 00:56:24 GMT ED raceved@ntli.com
22 Mar 1999 00:56:24 GMT ED raceved@ntli.com
22 Mar 1999 01:34:32 GMT ER -1.00 liaguila@ntli.com
22 Mar 1999 01:30:22 GMT ER -1.00 goagui@ntli.com
22 Mar 1999 01:30:17 GMT ET goagui@ntli.com
22 Mar 1999 00:56:24 GMT ED raceved@ntli.com
22 Mar 1999 01:41:53 GMT ER -1.00 w-agui@ntli.com
22 Mar 1999 01:09:17 GMT ER -1.00 omaceve@ntli.com
22 Mar 1999 01:45:02 GMT ER -1.00 azagui@ntli.com
22 Mar 1999 01:45:12 GMT ET azagui@ntli.com
22 Mar 1999 01:45:07 GMT ET azagui@ntli.com
22 Mar 1999 00:56:29 GMT ED raceved@ntli.com

   ---------------------------------------------------------------
  | Footnotes regarding this report.
  |
  | The codes for this report are:
  | 
  | E = Error message -> sent to a non-existent address
  | W = Warning message -> address maybe exists
  | 
  | WR = Warning message Receipt
  | WD = Warning message Clerk Timed Out from intense activity
  | ED = Error message Clerk Timed Out 
  | ET = Error message Twice -> Address tried to vote twice
  | EB = Error message Bomb -> Message deliberately crashed it's own process
  | EG = Error message Garbage -> Junk sent in
  | ES = Error message Subject -> Bad subject line
  | ER = Error message Receipt -> false address in vote data which needs 
  |                               extracting
  | 
  | Times reported are the times that the incoming message was sent.
  | 
  | This program checked the vote data for the ER messages and reported
  | the average of the votes for that address.  Note that it is -1.00 in
  | every case indicating a "NO" vote on each pregunta.
  | 
   ---------------------------------------------------------------

Notice the repetition of the strings "acev" and "agui" in the login names used in the attack from this IP address.

This naming pattern prompted us to count common strings the login names as well as the domain names for each of the attacking IP addresses. For this first IP, the results of this counting was:

=============
194.168.4.220    --> ntli.com
=============

        16 Total messages

IP's    16  100% ntli.com

logins   9   56% aceve
         7   44% agui

Because there are so many messages from some of the attacking IP addresses, we will only list a small sample from each and the count of common login strings and domain names.

============
195.244.37.8   --> leda.raksnet.com.tr 
============
22 Mar 1999 01:15:53 +0300 ER -1.00 abacev@leda.raksnet.com.tr
22 Mar 1999 01:16:33 +0300 ER -1.00 ahaceved@leda.raksnet.com.tr
22 Mar 1999 01:16:49 +0300 ET ahaceved@leda.raksnet.com.tr

         49 Total messages

IPs      49  100% leda.raksnet.com.tr

logins    8   16% aceve
          6   12% agui
          7   14% alar
          9   18% alfaro
          4    8% alons
          2    4% amado

=============
200.13.17.193   --> t1s184.data.net.mx
=============
21 Mar 1999 20:20:20 -0800 ER -1.00 b_arella@televisa.com
21 Mar 1999 20:20:41 -0800 ER -1.00 dearel@sole.pisa.intecs.it
21 Mar 1999 20:24:15 -0800 ER -1.00 irarel@sole.pisa.intecs.it

         61 Total messages

IP's     18   30% sole.pisa.intecs.it
         18   30% televisa.com
         25   41% www.subasta.com.mx

logins    3    5% arell
          8   13% arena
          5    8% arredo
          4    7% arri
         12   20% arroy
          5    8% avila

=============
200.13.17.220  --> t1s211.data.net.mx
=============
21 Mar 1999 19:49:54 -0800 ER -1.00 emcerva@televisa.com
21 Mar 1999 19:53:59 -0800 ER -1.00 escervantes@televisa.com
21 Mar 1999 19:47:09 -0800 ER -1.00 ehcerva@sole.pisa.intecs.it

         27 Total messages

IPs       7   26% sole.pisa.intecs.it
         14   52% televisa.com
          6   22% www.subasta.com.mx

logins   23   85% cerva

=============
200.13.17.248  --> t1s239.data.net.mx 
=============
21 Mar 1999 22:18:57 -0600 ER -1.00 agarell@www.subasta.com.mx
21 Mar 1999 22:19:00 -0600 ET agarell@www.subasta.com.mx

          2 Total messages

IPs       2  100% www.subasta.com.mx

logins    2  100% arell

=============
200.13.19.248  -->t2s239.data.net.mx 
=============
21 Mar 1999 20:12:48 -0800 ER -1.00 owangel@niica.on.ca
21 Mar 1999 20:13:26 -0800 ER -1.00 ucangel@televisa.com

          2 Total messages

IPs       1   50% niica.on.ca
          1   50% televisa.com

logins    2  100% angel

=============
200.13.20.103  --> t3s94.data.net.mx
=============
22 Mar 1999 08:08:16 +0800 EG Huevos@www.pnm.my
22 Mar 1999 08:08:35 +0800 EG Huevos@www.pnm.my
22 Mar 1999 08:08:13 +0800 EG Huevos@www.pnm.my

         14 Total messages

IPs     14  100% www.pnm.my

logins  14  100% huevos

=============
200.13.20.150   --> t3s141.data.net.mx 
=============
22 Mar 1999 03:09:16 +0800 EG caguense@www.pnm.my
22 Mar 1999 03:09:22 +0800 EG caguense@www.pnm.my
22 Mar 1999 03:09:21 +0800 EG caguense@www.pnm.my

        288 Total messages

IPs     288  100% www.pnm.my

logins  288  100% caguense

============
200.13.20.52  --> t3s43.data.net.mx 
============
22 Mar 1999 04:47:27 +0800 EG sientanla@www.pnm.my
22 Mar 1999 04:41:36 +0800 EG sientanla@www.pnm.my
22 Mar 1999 04:42:49 +0800 EG sientanla@www.pnm.my

        633 Total messages

IPs     633  100% www.pnm.my

logins  385   61% caguense
        248   39% sientanla

=============
200.13.21.133  --> t4s124.data.net.mx 
=============
21 Mar 1999 15:12:01 -0800 ER -1.00 agacevedo@digartz.com
21 Mar 1999 15:12:06 -0800 ED agacevedo@digartz.com
21 Mar 1999 16:14:45 -0800 ED ifacevedo@deliberate.com

        144 Total messages

IPs      11    8% ankara.bcc.bilkent.edu.tr
         15   10% autopc.com
         15   10% baxter.net
          2    1% deliberate.com
         13    9% digartz.com
          9    6% niica.on.ca
         19   13% sole.pisa.intecs.it
          8    6% televisa.com
         22   15% tvazteca.com
         28   19% vivaldi.nexus.it
          1    1% www.pisa.intecs.it
          1    1% www.subasta.com.mx

logins   50   35% aceve
          5    3% acost
         68   47% agui
         14   10% alar

=============
200.13.21.149  -->  t4s140.data.net.mx
=============
21 Mar 1999 20:07:16 -0800 ER -1.00 isangel@sole.pisa.intecs.it
21 Mar 1999 20:08:03 -0800 ET isangel@sole.pisa.intecs.it
21 Mar 1999 20:08:25 -0800 ER -1.00 j-angeles@sole.pisa.intecs.it
21 Mar 1999 20:07:45 -0800 ET isangel@sole.pisa.intecs.it

          4 Total messages

IPs       4  100% sole.pisa.intecs.it

logins    4  100% angel


=============
200.13.21.175  -->  t4s166.data.net.mx 
=============
22 Mar 1999 08:17:45 +0800 ED huevos@www.pnm.my
22 Mar 1999 08:17:52 +0800 ED huevos@www.pnm.my
22 Mar 1999 08:17:46 +0800 ED huevos@www.pnm.my

        327 Total messages

IPs     327  100% www.pnm.my
logins  327  100% huevos

=============
205.218.250.3  --> jaguar.uam.edu.ni
=============
21 Mar 1999 11:42:27 -0800 ER -1.00 hvivero@hermes.uninet.net.mx
21 Mar 1999 11:41:19 -0800 ER -1.00 ozarate@hermes.uninet.net.mx
21 Mar 1999 11:55:49 -0800 ER -1.00 calleja@hermes.uninet.net.mx

        690 Total messages

IPs     690  100% hermes.uninet.net.mx

logins   11    2% aceve
          1    0% acost
         23    3% agui
          2    0% alar
          1    0% alfaro
          8    1% alons
          1    0% amado
          5    1% angel
          6    1% arell
          1    0% arena
         12    2% arri
          4    1% avila
          8    1% ayala
         11    2% gonza
          4    1% soto
         29    4% villa
          9    1% zapata

==============
207.248.133.21  --> netra.tnet.net.mx
==============
21 Mar 1999 18:05:44 -0600 ED coacevedo@netra.tnet.net.mx
21 Mar 1999 18:07:16 -0600 ED daaceve@netra.tnet.net.mx
21 Mar 1999 18:20:25 -0600 ED liaceve@netra.tnet.net.mx

         25 Total messages

IPs      25  100% netra.tnet.net.mx

logins   10   40% aceve
          6   24% agui
          9   36% alar

==============
209.218.33.127 --> themarines.com
==============
21 Mar 1999 17:24:39 -0800 ER -1.00 ihaguilar@themarines.com
21 Mar 1999 17:24:35 -0800 ET ihaguilar@themarines.com
21 Mar 1999 17:29:56 -0800 ER -1.00 onaguilar@themarines.com

         50 Total messages

IPs      50  100% themarines.com

logins    2    4% aceve
          6   12% agui
          4    8% alar
          3    6% angel
          3    6% arell
          6   12% arena
          1    2% arredo
          2    4% arri
          7   14% cerva

Notice that many of the IP addresses on the list of candidate IPs do not appear in these lists. This means that they were not the originating IP addresses and are not our attacker(s). Their corresponding domain names appear in the false addresses.

The IP addresses listed above were the originating machines of the attacks. Where the domain name that corresponds to the originating IP address matches the domain name in the email address, those domains are implicated. The other domain names in the email addresses are innocent and were used by our attacker(s).

Because of the repetitive patterns in the login names from all the IP addresses except 205.218.250.3 --> jaguar.uam.edu.ni, we believe that we, at most, two attackers, or groups of attackers, in this data. Because the IP addresses from data.net.mx point to public access points, it is likely that a single attacker at jaguar.uam.edu.ni accessed the data.net.mx machines via telnet and orchestrated the entire barrage of attacks.

205.218.250.3 --> jaguar.uam.edu.ni

Because mail was truly sent from the following sites, but all contains the same same pattern in login names, we conclude that our attacker is also able to access these machines by telnet. It could be that s/he hacked in or that s/he has access.

194.168.4.220  --> ntli.com
195.244.37.8   --> leda.raksnet.com.tr 
207.248.133.21 --> netra.tnet.net.mx
209.218.33.127 --> themarines.com

We will add another domain to this list soon.

Regrettably we do not have data about the attack on our sendmail which brought our machine to a halt but according to our notes and memory, all these same sites were also involved in those attacks.

[[o]]|[[o]]|[[o]]|[[o]]|[[o]]|[[o]]|[[o]]|[[o]]|[[o]]|[[o]]|[[o]]|[[o]]

Retrieving The Good Data

After the successful analysis of the attacks, it was possible to remove all the bad data. However, our policy is to allow one vote per attacker rather than to remove all the votes. As vote-keepers, we have no interest in punishing our attackers, only in correcting the tallies.

Because our attacker appears to be in Nicaragua, and not in Mexico, and we have no reason to believe that our attacker is Mexican, we cannot give this particular attacker a vote.

REMOVING BALLOTS FROM DOMAINS USED IN THE ATTACKS

We begin by removing all ballots from the domains names known to be used in the attacks:

ankara.bcc.bilkent.edu.tr
autopc.com
baxter.net
digartz.com
hermes.uninet.net.mx
leda.raksnet.com.tr
netra.tnet.net.mx
niica.on.ca
ntli.com
sole.pisa.intecs.it
televisa.com
themarines.com
tvazteca.com
vivaldi.nexus.it
www.pisa.intecs.it
www.pnm.my
www.subasta.com.mx

The following report contains one summary line for each ballot removed. Note that once again, *every* voter's average is -1.00. Also, none of these fake voters put a comment into their vote. And, the time stamps come very near each other. We see these as verification that these are indeed fake voters. Again, notice the repetitive patterns in the login names.

21 Mar 1999 17:39:09 -0800 -1.00 m_agui@ankara.bcc.bilkent.edu.tr
21 Mar 1999 17:39:36 -0800 -1.00 ojaguila@ankara.bcc.bilkent.edu.tr
21 Mar 1999 17:41:13 -0800 -1.00 r-aguila@ankara.bcc.bilkent.edu.tr
21 Mar 1999 17:45:11 -0800 -1.00 yoaguila@ankara.bcc.bilkent.edu.tr
21 Mar 1999 17:48:49 -0800 -1.00 ciaguirr@ankara.bcc.bilkent.edu.tr

5 found 5 dumped 5 total.

21 Mar 1999 17:39:02 -0800 -1.00 iqagui@autopc.com
21 Mar 1999 17:39:02 -0800 -1.00 muagui@autopc.com
21 Mar 1999 17:41:13 -0800 -1.00 tiagui@autopc.com
21 Mar 1999 17:43:28 -0800 -1.00 beaguila@autopc.com
21 Mar 1999 17:43:36 -0800 -1.00 umaguila@autopc.com
21 Mar 1999 17:46:22 -0800 -1.00 aaguirr@autopc.com
21 Mar 1999 17:48:49 -0800 -1.00 d_agui@autopc.com

7 found 7 dumped 12 total.

21 Mar 1999 17:36:49 -0800 -1.00 j_agui@baxter.net
21 Mar 1999 17:40:52 -0800 -1.00 quagui@baxter.net
21 Mar 1999 17:42:22 -0800 -1.00 coaceve@baxter.net
21 Mar 1999 17:44:33 -0800 -1.00 xiagui@baxter.net
21 Mar 1999 17:46:49 -0800 -1.00 oraceve@baxter.net
21 Mar 1999 17:47:24 -0800 -1.00 apaguirr@baxter.net
21 Mar 1999 17:48:03 -0800 -1.00 beagui@baxter.net
21 Mar 1999 17:50:00 -0800 -1.00 evagui@baxter.net

8 found 8 dumped 20 total.

21 Mar 1999 15:17:19 -0800 -1.00 agacevedo@digartz.com
21 Mar 1999 17:36:58 -0800 -1.00 keagui@digartz.com
21 Mar 1999 17:39:55 -0800 -1.00 paaguila@digartz.com
21 Mar 1999 17:40:18 -0800 -1.00 ixaguila@digartz.com
21 Mar 1999 17:43:58 -0800 -1.00 v-aguila@digartz.com
21 Mar 1999 17:47:19 -0800 -1.00 zaguir@digartz.com
21 Mar 1999 17:49:45 -0800 -1.00 exagui@digartz.com

7 found 7 dumped 27 total.

21 Mar 1999 09:39:20 -0800 -1.00 hvivero@hermes.uninet.net.mx
21 Mar 1999 09:39:32 -0800 -1.00 ozarate@hermes.uninet.net.mx

[many deleted -- these don't have the same login name pattern]

   .
   .
21 Mar 1999 15:29:45 -0800 -1.00 abasur@hermes.uninet.net.mx

500 found 500 dumped 527 total.

21 Mar 1999 15:18:54 -0800 -1.00 abacev@leda.raksnet.com.tr
21 Mar 1999 15:19:03 -0800 -1.00 ahaceved@leda.raksnet.com.tr
21 Mar 1999 17:36:52 -0800 -1.00 laaguil@leda.raksnet.com.tr
21 Mar 1999 17:37:31 -0800 -1.00 jeaguilar@leda.raksnet.com.tr
21 Mar 1999 17:40:38 -0800 -1.00 p_aguilar@leda.raksnet.com.tr
21 Mar 1999 17:48:19 -0800 -1.00 ahaguir@leda.raksnet.com.tr
21 Mar 1999 18:03:33 -0800 -1.00 apalarc@leda.raksnet.com.tr
21 Mar 1999 18:08:26 -0800 -1.00 k_alarcon@leda.raksnet.com.tr
21 Mar 1999 18:09:19 -0800 -1.00 m-alarc@leda.raksnet.com.tr
21 Mar 1999 18:12:58 -0800 -1.00 rualarcon@leda.raksnet.com.tr
21 Mar 1999 18:15:14 -0800 -1.00 yialarcon@leda.raksnet.com.tr
21 Mar 1999 18:31:12 -0800 -1.00 cealfaro@leda.raksnet.com.tr
21 Mar 1999 18:31:19 -0800 -1.00 ehalfaro@leda.raksnet.com.tr
21 Mar 1999 18:34:39 -0800 -1.00 jualfaro@leda.raksnet.com.tr
21 Mar 1999 18:35:22 -0800 -1.00 mealfaro@leda.raksnet.com.tr
21 Mar 1999 18:37:57 -0800 -1.00 q-alfaro@leda.raksnet.com.tr
21 Mar 1999 18:38:55 -0800 -1.00 tialfaro@leda.raksnet.com.tr
21 Mar 1999 18:43:34 -0800 -1.00 yealcantara@leda.raksnet.com.tr
21 Mar 1999 18:43:37 -0800 -1.00 fialons@leda.raksnet.com.tr
21 Mar 1999 18:48:27 -0800 -1.00 utalons@leda.raksnet.com.tr
21 Mar 1999 18:49:27 -0800 -1.00 woalons@leda.raksnet.com.tr
21 Mar 1999 18:53:54 -0800 -1.00 emalva@leda.raksnet.com.tr
21 Mar 1999 18:54:05 -0800 -1.00 faalvara@leda.raksnet.com.tr
21 Mar 1999 18:57:48 -0800 -1.00 j-alva@leda.raksnet.com.tr
21 Mar 1999 19:05:23 -0800 -1.00 etalva@leda.raksnet.com.tr
21 Mar 1999 19:20:45 -0800 -1.00 joaran@leda.raksnet.com.tr
21 Mar 1999 19:26:10 -0800 -1.00 x-aran@leda.raksnet.com.tr
21 Mar 1999 19:26:29 -0800 -1.00 damado@leda.raksnet.com.tr
21 Mar 1999 19:35:12 -0800 -1.00 tuamador@leda.raksnet.com.tr

29 found 29 dumped 556 total.

21 Mar 1999 17:37:00 -0800 -1.00 izaguila@netra.tnet.net.mx
21 Mar 1999 17:41:06 -0800 -1.00 piaguila@netra.tnet.net.mx
21 Mar 1999 17:44:18 -0800 -1.00 waaguila@netra.tnet.net.mx
21 Mar 1999 17:45:59 -0800 -1.00 ogacevedo@netra.tnet.net.mx
21 Mar 1999 17:50:07 -0800 -1.00 ezagui@netra.tnet.net.mx
21 Mar 1999 18:04:01 -0800 -1.00 eralarco@netra.tnet.net.mx
21 Mar 1999 18:04:21 -0800 -1.00 w_aguirr@netra.tnet.net.mx
21 Mar 1999 18:05:21 -0800 -1.00 foalar@netra.tnet.net.mx
21 Mar 1999 18:05:38 -0800 -1.00 akalar@netra.tnet.net.mx
21 Mar 1999 18:08:01 -0800 -1.00 esagui@netra.tnet.net.mx
21 Mar 1999 18:12:57 -0800 -1.00 raalarco@netra.tnet.net.mx
21 Mar 1999 18:14:25 -0800 -1.00 x-alarco@netra.tnet.net.mx
21 Mar 1999 18:14:56 -0800 -1.00 v-alar@netra.tnet.net.mx

13 found 13 dumped 569 total.

21 Mar 1999 17:39:05 -0800 -1.00 n-aguil@niica.on.ca
21 Mar 1999 17:41:25 -0800 -1.00 ufaguil@niica.on.ca
21 Mar 1999 17:45:11 -0800 -1.00 ziaguilar@niica.on.ca
21 Mar 1999 17:46:29 -0800 -1.00 kaguir@niica.on.ca
21 Mar 1999 17:48:23 -0800 -1.00 deaguirre@niica.on.ca
21 Mar 1999 20:12:51 -0800 -1.00 owangel@niica.on.ca

6 found 6 dumped 575 total.

21 Mar 1999 17:36:56 -0800 -1.00 liaguila@ntli.com
21 Mar 1999 17:39:05 -0800 -1.00 goagui@ntli.com
21 Mar 1999 17:44:23 -0800 -1.00 w-agui@ntli.com
21 Mar 1999 17:46:36 -0800 -1.00 omaceve@ntli.com
21 Mar 1999 17:47:41 -0800 -1.00 azagui@ntli.com

5 found 5 dumped 580 total.

21 Mar 1999 15:17:23 -0800 -1.00 hacevedo@sole.pisa.intecs.it
21 Mar 1999 15:19:29 -0800 -1.00 zacevedo@sole.pisa.intecs.it
21 Mar 1999 17:37:28 -0800 -1.00 hiaguil@sole.pisa.intecs.it
21 Mar 1999 17:39:31 -0800 -1.00 obaguil@sole.pisa.intecs.it
21 Mar 1999 17:41:24 -0800 -1.00 s_aguilar@sole.pisa.intecs.it
21 Mar 1999 17:46:05 -0800 -1.00 otaceved@sole.pisa.intecs.it
21 Mar 1999 17:46:08 -0800 -1.00 zuaguilar@sole.pisa.intecs.it
21 Mar 1999 17:48:37 -0800 -1.00 doaguirre@sole.pisa.intecs.it
21 Mar 1999 19:47:14 -0800 -1.00 ehcerva@sole.pisa.intecs.it
21 Mar 1999 19:55:57 -0800 -1.00 eycervantes@sole.pisa.intecs.it
21 Mar 1999 19:58:57 -0800 -1.00 facerva@sole.pisa.intecs.it
21 Mar 1999 20:07:06 -0800 -1.00 hucerva@sole.pisa.intecs.it
21 Mar 1999 20:07:19 -0800 -1.00 isangel@sole.pisa.intecs.it
21 Mar 1999 20:08:28 -0800 -1.00 j-angeles@sole.pisa.intecs.it
21 Mar 1999 20:08:48 -0800 -1.00 idcervantes@sole.pisa.intecs.it
21 Mar 1999 20:10:34 -0800 -1.00 ijcerva@sole.pisa.intecs.it
21 Mar 1999 20:18:30 -0800 -1.00 jecerva@sole.pisa.intecs.it
21 Mar 1999 20:20:44 -0800 -1.00 dearel@sole.pisa.intecs.it
21 Mar 1999 20:24:17 -0800 -1.00 irarel@sole.pisa.intecs.it
21 Mar 1999 20:38:56 -0800 -1.00 ojaren@sole.pisa.intecs.it
21 Mar 1999 20:45:41 -0800 -1.00 gaaria@sole.pisa.intecs.it
21 Mar 1999 20:58:40 -0800 -1.00 okarre@sole.pisa.intecs.it
21 Mar 1999 20:59:09 -0800 -1.00 o-arredo@sole.pisa.intecs.it
21 Mar 1999 21:11:54 -0800 -1.00 i_arriag@sole.pisa.intecs.it
21 Mar 1999 21:21:58 -0800 -1.00 inarroyo@sole.pisa.intecs.it
21 Mar 1999 21:26:03 -0800 -1.00 q_arroyo@sole.pisa.intecs.it
21 Mar 1999 21:28:16 -0800 -1.00 yaarroyo@sole.pisa.intecs.it
21 Mar 1999 21:35:18 -0800 -1.00 l_artea@sole.pisa.intecs.it
21 Mar 1999 21:36:29 -0800 -1.00 n_arteaga@sole.pisa.intecs.it
21 Mar 1999 21:40:45 -0800 -1.00 ugarteaga@sole.pisa.intecs.it
21 Mar 1999 21:46:54 -0800 -1.00 itavil@sole.pisa.intecs.it
21 Mar 1999 21:52:48 -0800 -1.00 alavil@sole.pisa.intecs.it

32 found 32 dumped 612 total.

21 Mar 1999 15:16:27 -0800 -1.00 maceved@televisa.com
21 Mar 1999 17:39:05 -0800 -1.00 k-aguil@televisa.com
21 Mar 1999 17:45:56 -0800 -1.00 ohacev@televisa.com
21 Mar 1999 17:48:08 -0800 -1.00 awaguirre@televisa.com
21 Mar 1999 19:46:05 -0800 -1.00 c-cerva@televisa.com
21 Mar 1999 19:46:11 -0800 -1.00 ebcerva@televisa.com
21 Mar 1999 19:47:17 -0800 -1.00 ehcervantes@televisa.com
21 Mar 1999 19:49:56 -0800 -1.00 emcerva@televisa.com
21 Mar 1999 19:54:02 -0800 -1.00 escervantes@televisa.com
21 Mar 1999 19:58:40 -0800 -1.00 facervantes@televisa.com
21 Mar 1999 20:00:42 -0800 -1.00 fucerva@televisa.com
21 Mar 1999 20:08:50 -0800 -1.00 iccerva@televisa.com
21 Mar 1999 20:12:14 -0800 -1.00 incerva@televisa.com
21 Mar 1999 20:20:24 -0800 -1.00 b_arella@televisa.com
21 Mar 1999 20:21:20 -0800 -1.00 d-arel@televisa.com
21 Mar 1999 20:30:04 -0800 -1.00 ucangel@televisa.com
21 Mar 1999 20:30:10 -0800 -1.00 iycerva@televisa.com
21 Mar 1999 20:30:19 -0800 -1.00 itcervantes@televisa.com
21 Mar 1999 20:32:11 -0800 -1.00 larenas@televisa.com
21 Mar 1999 20:35:22 -0800 -1.00 eqarenas@televisa.com
21 Mar 1999 20:38:53 -0800 -1.00 nearenas@televisa.com
21 Mar 1999 20:41:04 -0800 -1.00 udarenas@televisa.com
21 Mar 1999 20:44:56 -0800 -1.00 eparia@televisa.com
21 Mar 1999 20:49:45 -0800 -1.00 iarredon@televisa.com
21 Mar 1999 20:56:40 -0800 -1.00 haarredo@televisa.com
21 Mar 1999 21:11:26 -0800 -1.00 iqarri@televisa.com
21 Mar 1999 21:39:37 -0800 -1.00 riarteaga@televisa.com
21 Mar 1999 21:50:50 -0800 -1.00 urarroy@televisa.com
21 Mar 1999 22:07:27 -0800 -1.00 faarroy@televisa.com
21 Mar 1999 23:31:52 -0800 -1.00 ogarriag@televisa.com

30 found 30 dumped 642 total.

21 Mar 1999 17:39:43 -0800 -1.00 ihaguilar@themarines.com
21 Mar 1999 17:39:47 -0800 -1.00 onaguilar@themarines.com
21 Mar 1999 17:42:35 -0800 -1.00 fuacev@themarines.com
21 Mar 1999 17:42:42 -0800 -1.00 esaceved@themarines.com
21 Mar 1999 17:46:12 -0800 -1.00 iaguirre@themarines.com
21 Mar 1999 17:47:29 -0800 -1.00 reaceved@themarines.com
21 Mar 1999 17:47:29 -0800 -1.00 peacev@themarines.com
21 Mar 1999 17:49:06 -0800 -1.00 ehaguir@themarines.com
21 Mar 1999 18:03:38 -0800 -1.00 d-alarcon@themarines.com
21 Mar 1999 18:04:07 -0800 -1.00 boacev@themarines.com
21 Mar 1999 18:10:03 -0800 -1.00 olalarc@themarines.com
21 Mar 1999 18:11:35 -0800 -1.00 o_alarcon@themarines.com
21 Mar 1999 19:41:02 -0800 -1.00 c_cerva@themarines.com
21 Mar 1999 20:01:26 -0800 -1.00 eycerva@themarines.com
21 Mar 1999 20:16:12 -0800 -1.00 wuangeles@themarines.com
21 Mar 1999 20:16:13 -0800 -1.00 izcerva@themarines.com
21 Mar 1999 20:18:01 -0800 -1.00 yarell@themarines.com
21 Mar 1999 20:28:36 -0800 -1.00 p-arella@themarines.com
21 Mar 1999 20:30:40 -0800 -1.00 woarella@themarines.com
21 Mar 1999 20:38:17 -0800 -1.00 iparena@themarines.com
21 Mar 1999 20:39:52 -0800 -1.00 raarena@themarines.com
21 Mar 1999 20:42:23 -0800 -1.00 yearena@themarines.com
21 Mar 1999 20:46:09 -0800 -1.00 iharia@themarines.com
21 Mar 1999 20:59:44 -0800 -1.00 qaarre@themarines.com
21 Mar 1999 21:05:50 -0800 -1.00 azarri@themarines.com
21 Mar 1999 21:08:47 -0800 -1.00 foarriag@themarines.com
21 Mar 1999 21:51:53 -0800 -1.00 ezarredo@themarines.com
21 Mar 1999 22:10:12 -0800 -1.00 i_arro@themarines.com
21 Mar 1999 22:11:28 -0800 -1.00 ifartea@themarines.com
21 Mar 1999 22:16:50 -0800 -1.00 ikavil@themarines.com
21 Mar 1999 23:27:42 -0800 -1.00 ebarro@themarines.com
21 Mar 1999 23:32:05 -0800 -1.00 ejarre@themarines.com
21 Mar 1999 23:32:08 -0800 -1.00 ivcervantes@themarines.com

33 found 33 dumped 675 total.

21 Mar 1999 17:37:04 -0800 -1.00 i_aguila@tvazteca.com
21 Mar 1999 17:39:13 -0800 -1.00 ilagui@tvazteca.com
21 Mar 1999 17:42:27 -0800 -1.00 boacevedo@tvazteca.com
21 Mar 1999 17:42:55 -0800 -1.00 uhaguila@tvazteca.com
21 Mar 1999 17:43:48 -0800 -1.00 uxagui@tvazteca.com
21 Mar 1999 17:49:20 -0800 -1.00 emaguirr@tvazteca.com
21 Mar 1999 17:49:44 -0800 -1.00 oyaceve@tvazteca.com
21 Mar 1999 18:03:16 -0800 -1.00 amalar@tvazteca.com
21 Mar 1999 18:03:27 -0800 -1.00 veagui@tvazteca.com
21 Mar 1999 18:04:21 -0800 -1.00 etalarco@tvazteca.com
21 Mar 1999 18:07:07 -0800 -1.00 izalar@tvazteca.com
21 Mar 1999 18:08:05 -0800 -1.00 kualarco@tvazteca.com

12 found 12 dumped 687 total.

21 Mar 1999 17:37:50 -0800 -1.00 j-aguilar@vivaldi.nexus.it
21 Mar 1999 17:39:05 -0800 -1.00 diaguil@vivaldi.nexus.it
21 Mar 1999 17:39:08 -0800 -1.00 isaguil@vivaldi.nexus.it
21 Mar 1999 17:40:06 -0800 -1.00 seacost@vivaldi.nexus.it
21 Mar 1999 17:47:22 -0800 -1.00 uaguir@vivaldi.nexus.it
21 Mar 1999 18:03:35 -0800 -1.00 atalarc@vivaldi.nexus.it
21 Mar 1999 18:03:38 -0800 -1.00 etaguirre@vivaldi.nexus.it
21 Mar 1999 18:04:06 -0800 -1.00 kuaguirre@vivaldi.nexus.it
21 Mar 1999 18:04:46 -0800 -1.00 e-alarcon@vivaldi.nexus.it
21 Mar 1999 18:07:28 -0800 -1.00 joalarc@vivaldi.nexus.it
21 Mar 1999 18:09:37 -0800 -1.00 iyacost@vivaldi.nexus.it
21 Mar 1999 18:09:37 -0800 -1.00 duacost@vivaldi.nexus.it
21 Mar 1999 18:12:29 -0800 -1.00 qealarc@vivaldi.nexus.it
21 Mar 1999 18:14:28 -0800 -1.00 vaalarcon@vivaldi.nexus.it

14 found 14 dumped 701 total.

0 found 0 dumped 701 total.

("0 found" means that none of messages from www.pisa.intecs.it were interpreted as valid ballots.)

0 found 0 dumped 701 total.

(Similarly, no messages from www.pnm.my were interpreted as valid ballots.)

21 Mar 1999 19:47:04 -0800 -1.00 dacerv@www.subasta.com.mx
21 Mar 1999 19:47:12 -0800 -1.00 d-cervan@www.subasta.com.mx
21 Mar 1999 19:47:21 -0800 -1.00 edcerv@www.subasta.com.mx
21 Mar 1999 19:53:59 -0800 -1.00 ekcervan@www.subasta.com.mx
21 Mar 1999 19:54:16 -0800 -1.00 epcerv@www.subasta.com.mx
21 Mar 1999 20:22:19 -0800 -1.00 i-cerv@www.subasta.com.mx
21 Mar 1999 20:22:23 -0800 -1.00 agarell@www.subasta.com.mx
21 Mar 1999 20:22:28 -0800 -1.00 enarellano@www.subasta.com.mx
21 Mar 1999 20:39:20 -0800 -1.00 duarenas@www.subasta.com.mx
21 Mar 1999 20:44:46 -0800 -1.00 searenas@www.subasta.com.mx
21 Mar 1999 20:44:49 -0800 -1.00 ziarenas@www.subasta.com.mx
21 Mar 1999 20:50:27 -0800 -1.00 guarias@www.subasta.com.mx
21 Mar 1999 20:50:32 -0800 -1.00 iwarias@www.subasta.com.mx
21 Mar 1999 20:50:33 -0800 -1.00 vuarias@www.subasta.com.mx
21 Mar 1999 21:07:10 -0800 -1.00 xuarred@www.subasta.com.mx
21 Mar 1999 21:07:12 -0800 -1.00 ararriaga@www.subasta.com.mx
21 Mar 1999 21:26:48 -0800 -1.00 iqarroy@www.subasta.com.mx
21 Mar 1999 21:26:54 -0800 -1.00 rearroy@www.subasta.com.mx
21 Mar 1999 21:41:07 -0800 -1.00 obarte@www.subasta.com.mx
21 Mar 1999 21:49:04 -0800 -1.00 alavila@www.subasta.com.mx
21 Mar 1999 21:55:00 -0800 -1.00 v_avila@www.subasta.com.mx
21 Mar 1999 21:55:04 -0800 -1.00 z-avila@www.subasta.com.mx

22 found 22 dumped 723 total.


---

At this point, the tallies for La Consulta are:
245 have voted on the following items:
Pos
Votes Neg
Votes Zero
Votes On Choice

213 30 2 1. uno

197 36 12 2. dos

207 30 8 3. tres

209 30 6 4. cuatro

185 37 23 5. cinco

MULTIPLE VOTERS
From looking at the time stamps and domain names recorded by eVote, it is apparent that three people used different, but related, email addresses to vote multiple times from mailer.data.net.mx, adventour.com, and unm.edu.
The above analysis of attacking IP addresses revealed that mailer.data.net.mx is the origin of the attack from Mexico so it is probable that this group of addresses is a real attacker revealing his/her login accounts at the data.net.mx machines.
Note the same repetition of "aceved" in the login names from mailer.data.net.mx. Also notice that the common strings in all the faked email addresses originating from mailer.data.mx (200.13 group) appear again in the login names from adventour.com. These addresses, however, are valid, and are likely to point to a responsible group of people. All these addresses were sent receipts for votes and none of them complained that their addresses had been forged.
Unm.edu (129.24.8.17), with a tiny attack of two positive ballots on March 17, is not otherwise implicated in the error messages so we conclude that although we had a total of three attacker(s), we only had two during the massive attacks of March 15 and 21.
Removing the multiple votes from these sites:
```
21 Mar 1999 15:17:20 -0800 -1.00 adaceved@mailer.data.net.mx
21 Mar 1999 17:42:14 -0800 -1.00 azaceved@mailer.data.net.mx
21 Mar 1999 17:46:16 -0800 -1.00 q_aceved@mailer.data.net.mx
21 Mar 1999 17:49:36 -0800 -1.00 o_acev@mailer.data.net.mx
21 Mar 1999 17:49:43 -0800 -1.00 puaceved@mailer.data.net.mx

5 found 5 dumped 5 total.

21 Mar 1999 17:42:10 -0800 -1.00 ijaceve@adventour.com
21 Mar 1999 17:46:14 -0800 -1.00 izacevedo@adventour.com
21 Mar 1999 19:43:05 -0800 -1.00 ducervan@adventour.com
21 Mar 1999 19:53:55 -0800 -1.00 etcervan@adventour.com
21 Mar 1999 19:59:36 -0800 -1.00 hangel@adventour.com
21 Mar 1999 20:03:19 -0800 -1.00 gocervan@adventour.com
21 Mar 1999 20:03:45 -0800 -1.00 c-ange@adventour.com
21 Mar 1999 20:04:24 -0800 -1.00 ehangele@adventour.com
21 Mar 1999 20:05:37 -0800 -1.00 hacerv@adventour.com
21 Mar 1999 20:07:04 -0800 -1.00 h-cervan@adventour.com
21 Mar 1999 20:14:07 -0800 -1.00 ivcervan@adventour.com
21 Mar 1999 20:15:39 -0800 -1.00 ukangele@adventour.com
21 Mar 1999 20:20:01 -0800 -1.00 c-arellano@adventour.com
21 Mar 1999 20:21:33 -0800 -1.00 egarell@adventour.com
21 Mar 1999 20:40:48 -0800 -1.00 umaren@adventour.com
21 Mar 1999 20:47:55 -0800 -1.00 ozarias@adventour.com
21 Mar 1999 20:50:07 -0800 -1.00 oarredondo@adventour.com
21 Mar 1999 20:56:56 -0800 -1.00 iqarred@adventour.com
21 Mar 1999 21:21:33 -0800 -1.00 iharroyo@adventour.com
21 Mar 1999 21:34:45 -0800 -1.00 liarte@adventour.com
21 Mar 1999 21:38:45 -0800 -1.00 qearteag@adventour.com
21 Mar 1999 21:43:43 -0800 -1.00 y-arte@adventour.com
21 Mar 1999 21:50:05 -0800 -1.00 s-avila@adventour.com

23 found 23 dumped 28 total.
```
As an experiment, we sent a message to majordomo@adventour.com and nothing came back. We suspect that adventour.com has a misconfigured mailer and our attacker discovered and used it.
The participant from unm.edu sent two ballots with the same poem as a comment and both identified themselves as the same person. We contacted this person and indeed, he was just trying to help and not understanding that for democracy activists, the integrity of the process is much important than the results. The first of these two ballots was removed:
```
17 Mar 1999 16:25:32 -0800  1.00 *****@unm.edu
17 Mar 1999 16:26:04 -0800  1.00 an*****@unm.edu

2 found 1 dumped 29 total.
```
Removing these ballots results in:
216 voted on the following items:
Pos
Votes Neg
Votes Zero
Votes On Choice

212 2 2 1. uno

196 8 12 2. dos

206 2 8 3. tres

208 2 6 4. cuatro

184 9 23 5. cinco

We believe that, at this point, all the false data entered during the attack has been extracted.
REGULAR VOTING ERRORS
Processing all the error messages removed 5 more voters from the data. These voters have their browsers configured incorrectly so that their receipts encountered mailer errors. These voters may or may not have corrected the problem and may or may not have voted again so these votes must be removed for an official result:
```
pu******@*************ri.edu  Good faith 0.40 ok
ME******@********te.com  Good faith 1.00 ok
fm***@**************le.edu  Good faith 1.00 ok
el**********@*************rd.EDU  Good faith 0.60 ok
al************@**********sm.mx  Good faith 1.00 ok
```
To protect these voters, these email addresses have been blocked out.
A sixth voter met a bug in eVote so that the From: email address was not correctly interpreted. (The bug was that, in the unusual event of a From: header being longer than one line, the email address can be misinterpreted.) The bug is fixed, but now the correct email address is found by eVote and the misinterpreted email address isn't recognized in the data. The receipt did not find the voter so we removed the ballot from the tally by hand.
```
vi*******@***************te.fr  Good faith  Not participated.
```
Processing these regular errors also extracted one signature from the Solidarity petition.
```
ge*****@*******md.edu  Good faith 99.00 ok
```
(The 99.00 average was the program's device to indicate that this was the Solidarity signature, not a vote in La Consulta)

245 have voted on the following items:
Pos Votes	Neg Votes	Zero Votes	On Choice
213	30	2	1. uno
197	36	12	2. dos
207	30	8	3. tres
209	30	6	4. cuatro
185	37	23	5. cinco

216 voted on the following items:
Pos Votes	Neg Votes	Zero Votes	On Choice
212	2	2	1. uno
196	8	12	2. dos
206	2	8	3. tres
208	2	6	4. cuatro
184	9	23	5. cinco

((o))|((o))|((o))|((o))|((o))|((o))|((o))|((o))|((o))|((o))|((o))|((o))

Results
- Official Results
  The official results for the Online Consulta are:
  210 voted on the following items:
  Pos
  Votes Neg
  Votes Zero
  Votes On Choice
  
  207 2 1 1. uno
  
  192 7 11 2. dos
  
  201 2 7 3. tres
  
  202 2 6 4. cuatro
  
  179 8 23 5. cinco
  
  And for the Solidarity Petition, which was not attacked:
  
  119 signatures.
- Soft Results
  When publishing the public comments offered by voters, we suggest that "soft results" be used. We suggest including the six good-faith attempts to vote, and the one good-faith attempt to sign should be included. Also, any ballots that can be retrieved from the error data should appear in the soft results. This way, fewer people will be disappointed by not finding their own comments publicly displayed.
  Because of the load on our system during the attacks, we received error messages from our own system that indicated that 13 voters were denied vote service on La Consulta and 6 signers were denied service on the Solidarity petition during the attacks. Of these, we see that 3 of the Consulta voters participated successfully later. Only two of the other 10 ballots were valid, the other ballots would have been rejected for minor formatting errors. However, the intentions of the voters were clear and small corrections allowed them to be counted in the soft result.
  This brought 10 more ballots to the Consulta and 6 more signatures to the Solidarity petition, bringing total corrections for the soft results to 16 and 7. The "soft results" are:
  
  226 have voted on the following items:
  Pos
  Votes Neg
  Votes Zero
  Votes On Choice
  
  222 2 2 1. uno
  
  206 8 12 2. dos
  
  216 2 8 3. tres
  
  218 2 6 4. cuatro
  
  193 9 24 5. cinco
  
  126 signatures.
- Excess Zero Votes
  A few voters broke the expected format on their email ballots and started the "pais:" and other field names before listing all their votes. Votes given after field names were interpreted as comments and the lack of a vote on specific items caused those votes to default to zero, or "No se'". This never affects Pregunta 1 because the software insists on seeing at least one vote. Pregunta 5 is most affected.
- Web vs Email and Language Counts
  About half of the participation came via the web pages and half from direct email.
  The web page participation has been counted by language:
```
114 web Consulta    17 English  97 Spanish
59  web Solidarity  25 English  30 Spanish  2 French  2 Italian
```
- Email Addresses
  160 voters in the Online Consulta indicated that they wanted the EZLN to receive their email addresses.
  77 signers of the Solidarity petition also gave permission to give their email addresses to the EZLN.
  These precious email lists have been forwarded to campanas@laneta.apc.org.
```
  _  _  _  _  _  _  _  _  _  _  _  _  _  _  _  _  _  _  _  _  _  _  
 |_||_||_||_||_||_||_||_||_||_||_||_||_||_||_||_||_||_||_||_||_||_|
```

210 voted on the following items:
Pos Votes	Neg Votes	Zero Votes	On Choice
207	2	1	1. uno
192	7	11	2. dos
201	2	7	3. tres
202	2	6	4. cuatro
179	8	23	5. cinco

226 have voted on the following items:
Pos Votes	Neg Votes	Zero Votes	On Choice
222	2	2	1. uno
206	8	12	2. dos
216	2	8	3. tres
218	2	6	4. cuatro
193	9	24	5. cinco

WHO DID IT?

At this time we have no ideas on how to determine the identity of our attacker from Nicaragua by further data analysis at deliberate.com. Probably the authorities at the University there can find her/him.

However, to discover the logins that our attacker might have used, we ran our analysis backwards. Starting with the original data, we removed all the ballots associated with errors. Then we removed the ballots associated with the domain names used in the attacks. These ballots, removed after the errors were removed, were sent from valid user id's and probably point to our attacker(s).

21 Mar 1999 17:39:09 -0800 -1.00 m_agui@ankara.bcc.bilkent.edu.tr
21 Mar 1999 17:39:36 -0800 -1.00 ojaguila@ankara.bcc.bilkent.edu.tr
21 Mar 1999 17:41:13 -0800 -1.00 r-aguila@ankara.bcc.bilkent.edu.tr
21 Mar 1999 17:45:11 -0800 -1.00 yoaguila@ankara.bcc.bilkent.edu.tr
21 Mar 1999 17:48:49 -0800 -1.00 ciaguirr@ankara.bcc.bilkent.edu.tr

21 Mar 1999 17:50:07 -0800 -1.00 ezagui@netra.tnet.net.mx

21 Mar 1999 21:07:12 -0800 -1.00 ararriaga@www.subasta.com.mx

21 Mar 1999 15:17:20 -0800 -1.00 adaceved@mailer.data.net.mx
21 Mar 1999 17:42:14 -0800 -1.00 azaceved@mailer.data.net.mx
21 Mar 1999 17:46:16 -0800 -1.00 q_aceved@mailer.data.net.mx
21 Mar 1999 17:49:36 -0800 -1.00 o_acev@mailer.data.net.mx
21 Mar 1999 17:49:43 -0800 -1.00 puaceved@mailer.data.net.mx

It is likely that amongst these login ids are the ones that our attacker used.

((o))|((o))|((o))|((o))|((o))|((o))|((o))|((o))|((o))|((o))|((o))|((o))

Conclusion
We conclude from this experience that, even without voter registration and when viciously attacked, online voting is more accurate and secure than traditional voting because the data trail allows complete analysis and reversal of attacks. Online voting would be absolutely accurate and secure if there was a registration process identifying each person with her/his single email address.

zapa@deliberate.com

Public comments contributed in La Consulta and the Solidarity Petition are shown at:
http://www.deliberate.com/consulta/comments