Robert Graham 𝕏 Profile picture
Aug 9, 2021 91 tweets 23 min read Read on X
1/n
If you are wondering if there will be anybody at Mike Lindell's cybersymposium who can confirm or refute his "packet captures", well, there's going to be me. I'm a well-known expert on packet captures, and somewhat knowledgeable about election systems.
m.washingtontimes.com/news/2021/aug/…
2/
I've done a bunch of other techie fact checking, such as confirming that Hunter Biden email was authentic, and debunking that conspiracy-theory of suspicious DNS logs showing secret communication between Russia's Alfa Bank and Trump Tower.
3/
I don't know what Lindell's packet captures contain, but whatever it is, I'll write up a description within a few days after the event. I'll be extending this twitter thread over the next couple days just live tweeting the process.
4/ FYI: nobody is going to win the $5 million. It's impossible to disprove election fraud. It's only possible to demonstrate that claimed evidence fails to prove it.
5/ BTW, what kind of expert am I? Well, if you capture packets on the public Internet for more than a few minutes, you'll capture some that I created. Since you've been reading this thread, your home router has gotten hit by my packets.
6/ For those who know me, you might want to pile onto this thread, but only BEFORE I write up my conclusions later this week, before you know what the conclusions will be. Afterwards, it looks insecure, just agreeing with the conclusions you want.
7/ good morning cyber symposium! If you are around, I’m sitting up front to the left of the stage. Image
8/ Here’s a pic looking backwards. Btw, I’ll be the guy wearing a mask, because as you know I’m an internet troll and this is the sort of thing I do. Image
9/ Before this week, the things Mike Lindell posted were not recognizable as "packet-captures". This is what they normally look like. It's not required to look like this, but it's the level of detail I'll be getting into. Image
10/ ok, I was wrong about the contest rules. They are much better than I thought: simply proving its not election data. However, the data supplied before this week seems to have been already public registration data and not votes. Image
11/ For example, here is data that I got from the State of Georgia, a hexdump of early voting records. It's public, anybody can download it from the net.

So I don't care if it's "election data", I got that already. I'll be looking for hard evidence proving election fraud. Image
12/ Everyone is friendly and nice. Which is what I expected. We like to demonize our opponents, but really, they are almost always reasonable, kind hearted people -- even if in our own opinion they are wrong. On both sides.
13/ For a specific list of questions that I'll be trying to answer, I'll start with this, and then have additional questions depending upon the data.

Either way, I'll write things up and EXPLAIN in simple terms what the data shows.
leadstories.com/analysis/2021/…
14/ I go to a lot of cyber security conferences and have a ton of old badges hanging from the wall in my closet - I’ll just add this one to the pile. Image
15/ This is an excellent question. I'm starting on the skeptic side because, so far, he hasn't published any good data. I don't understand why he hasn't simply dumped the raw data for everyone to see.
16/ “I invited the Fakebook fact checkers” — Lindell

Also statements about inviting fake media like CNN. When he mentioned Fox News the crowd booed.
17/ they have scrolling hexdumps. For one thing they scroll too fast to read, and for another, they are too blurry to read, and lastly, even experts can’t generally read hexdumps without decoders. ImageImage
18/ The reason why the question “what’s the source of data” is so important is because we know that media reports of vote tallies where highly inaccurate, the media made lots of accidental mistakes. ImageImage
19/ We know the flaws of the NYTime live election night data feed, how it didn't accurately reflect the official counts, why it appeared to show flipped votes and jumps on one side or the other.

The question is whether such things exist in the raw data.
20/ "they work for LeadStories? fact checkers? shame on them!!! .... they are the enemies of the people"

That's me!!! That's me!!!!
I'm not feeling ashamed, though.
21/ "We are going to do a mock election... we'll show you how the routers work ... we'll show packet captures in real time".

I'm actually looking forward to this. Dominion machines can be networked, but DEF CON Voting Village didn't have networked machines to play with.
22/ "I saw Hari Hursti is here" (and some criticism of Hari).

He brings voting machines to the DEF CON hacking conference for hackers to play with, confirming they are easily hackable -- but they don't like him because he still rejects the idea that the 2020 election was hacked.
23/ The evidence that I'm here to validate is showing that it was hacked -- not that it could've been hacked. I know it could've been hacked, by either side. I'm hoping to see the raw details showing it was indeed hacked or manipulated or fraud happened.
24/ Yes, the schedule is for later today, to have breakout sessions, where (I think) I'll get to sit down and personally look at raw data -- and hopefully, get to post to the Internet for experts like Laura Chappell to see as well.
25/ Phil Waldron kicked off the breakout session. He wasn't involved in collecting the packet-captures, so didn't have clear answers. But he suggested:
1. the packet-captures come from a Chinese network
2. they are in a proprietary BLX/PLX format
But he didn't seem sure.
26/ ...but we haven't got the actual data yet, but soon. We are still dealing with lunch.
27/ They've given us access to a server on the local WiFi network that has the "data" that we are supposed to be analyzing.

We are struggling to figure out what this data contains. I've put the smaller files up on github:
github.com/robertdavidgra…
28/ So what they gave us were these "HEX.txt" files, which when decoded (`xxd -r -p filename`) produces .rtf files. One of the RTF files contains a table of IP address, the others contain something in an unknown character set.
29/ Here's the current status: nothing.

They've given us a drop of data that makes no sense that they can't explain.

They promise: just wait until later tonight, that's the "real" data.
30/ I mean: they've given us a bunch of confusing stuff they can't explain, but have not given us the "real" stuff yet. They promise the "real" stuff is coming tonight or tomorrow for us to look at.
31/ The delay is explained by a bunch of things going wrong, such as the guy who was a source of data getting a stroke.
32/ So I had the list of questions I sought to answer this morning at the top of this thread. Current progress = 0%
33/ This is incredibly frustrating. Lindell invited "cyber experts" and "fact checkers" to come and confirm the "packet captures" -- and has yet to provide us any packet captures and it's 4pm already. #ReleaseThePacketCaptures
34/ So I got some straight answers from Spider:
1. the data comes from Dennis Montgomery
2. it's the data shown in those Lindell videos
3. it's the hexdumps that have been scrolling in his videos and kiosk
4. we cyber experts will not be given opportunity to verify it Image
35/ Please don't interpret that as being disproven. This would be the WRONG conclusion. Instead, it means it's simply not confirmed. Montgomery is in the hospital and unable to come, and unable to help us, because it's in a proprietary format.
36/ The vague answers to this question is that it was retrieved with custom tools on the China side of things, as they targeted election systems via the Internet, not collected on the side of the election systems.
37/ For all that Mike Lindell attacks critics, do remember that he invited critics to come to the event, which is something I respect. On the other hand, failure to give the critics the data they were promised, well, I'm frustrated by that. I'm a pcap guy who loves pcaps.
38/ Later they will be showing pcaps from Mike Lindell's own people, that are here, that will stand behind them and explain them. I look forward to reading them.
39/ Wait, what? I'll come on stage and defend my findings. It's just that we techies are sitting in breakout rooms in the back and I wasn't aware of the live feed. I'm out front now. Let's go!
40/ Sigh. I'm here near the stage, ready to stand up and defend my claims in this thread. Just call me up on stage and let's talk. #ReleaseThePacketCaptures
41/ Many are suggesting I bum rush the stage.

Can't. They have muscled security goons that would stop me.

And it would be rude. He's doing a bit, I don't want to interrupt, I'm sure he'll invite me after.

#ReleaseThePacketCaptures
41/ By the way, this is the data they are NOT giving us, they are not allowing pcap experts to analyze this data. Showing it as a video stream like this is unreadable.
41/ Ah, man, he ended the segment and didn't invite me on stage like he'd promise. He's setting up for the "big reveal" at 7pm, which I think is member of Bolsinaro's team, the current president of Brazil who's claiming that the upcoming election is going to be hacked.
43/ Come on, Mike, you challenged me to come on stage to debate why you haven't released the packet-captures you promised. Let's do this thing! I'm around all three days! I'm ready any time, just have one of your people DM me!

I'll go back to the breakout room now.
44/ BTW, the source of the "packet-captures" is important, because it appears to be this "Dennis Montgomery" guy, as LeadStories describes:
leadstories.com/analysis/2021/…
45/ the picture from this morning was empty of people because I arrived early. There are at a couple hundred people here. Image
46/ The guy speaking on stage mentioned the packet-captures they got Jan 7, and they mentioned that while it was hard over the weekend getting them ready, that they got them ready.

BUT THEY HAVEN'T RELEASED THE PACKET-CAPTURES TO US

#ReleaseThePacketCaptures
47/ This is the cybersymposium is in this venue, by the way
southdakotaalliance.org
48/ I think this "Colorado" thing is related to this story:
coloradosun.com/2021/08/09/mes…
49/ he called me a coward claiming I ran away — I’ve been sitting here in front the entire time waiting for him to call me onstage to discuss the packet captures
50/ I'm done for the day (Tuesday). I go back tomorrow.

One guy already got kicked for sharing too much, so I guess I won't be able to share much until Thursday -- general conference related things, yes, but data related things, not until after the conference.
51/ To be clear: he gave us experts NOTHING today, except random garbage that wastes our time (e.g. a CSV needlessly encoded as RTF needlessly encoded as hex).
52/ Also be clear: all the people I've been dealing with are good people, trying to do their best in a chaotic and difficult situation. The only thing lacking for me is the one thing I'm here for: the packet captures promised before the conference.
53/ back today, there won’t be very many tweets today though Image
54/ So I had a bunch of private conversations last night where people helped clarify things. One thing they mentioned was that there's confusion about "hex", that they think we techies like to see things in hex, so that's why it was given to us this way.
55/ the Matrix does much to foster the impression that nerds prefer to see things that way — that it’s cool.
We don’t — we hate hex, it’s just sometimes it’s the only alternative. Image
56/ F***! That last tweet came out wrong, so I deleted.
Last night talking privately to friends, they stressed to me how it important it was that I'm just an observer, and that participation in things like pledges/prayer would be counter to my mission.
57/ So CodeMonkeyZ presenting Dominion source code. That looks like a lot of fun -- by fun, I mean, a lot of people are going to just wig out on the fact he's the 8chan guy. Image
56a/ All day Mike Lindell has been on stage saying the cyber experts are happily working on packet captures.

We are not. We haven't been given the packet captures we were promised.
56b/ I mentioned this because some of his PR guys came by looking to take video of cyber experts working on packet captures. They seem confused by the fact that theres no cyber experts who have seen the promised packet captures.
56c/ I mean, I can turn on Wireshark, capture some new packets right now, and show me working on them, but that's not quite the same thing. It's a pcap, not the pcap. Image
57/ To be fair, the "cyber experts" are indeed working on NEW data, like the system images shown on stage. So they are working.

It's just that no "cyber expert" at the conference is working on the OLD pcaps or proof from his Absolute Proof video.
60+/ I forked this thread, because I'm stupid. Here's the other branch:
61/ Well, this is confirmation of this thread, we haven't gotten the Absolute Proof packet captures, and it's likely we won't.


Note: the guy quoted, Joshua, has been straight forward with us this entire, I'm impressed by his integrity
62/ So the day has ended. Got to play with a bunch of new election data, like system images of election management machines, which I've been curious about.

But sadly, no packet captures.
63/ Good morning twitters for the third and last day (Thursday) of Mike Lindell’s Cybersymposium. Cyber expert here, hoping to get my hands on the cyber pcaps containing Absolute Proof. Image
64/ people ask me how the food is — it’s good solid three square meals a day, nothing fancy, but I’d say above average for such things Image
65/ This "poison pill" thing pass by so fast that I didn't quite catch what it meant. Was it about these new pieces of evidence since the start of the symposium? Or is it why they can't give us the old pcaps that were promised?
66/ FYI: if there are Antifa agitators here, I haven't seen anything like that. The outside is empty of anybody that isn't part of the conference.
67/ Sadly, at the last minute, I chickened out and didn't wear my Wall of Sheep (@wallofsheep) T-shirt (nobody else is wearing T-shirts, it's a very suits-and-tie affair).

Because having login packets in a capture file is not a "poison pill".
68/ If we receive packet captures with embedded captured logins, no, we are not committing a crime and trafficking in passwords. I mean, contact your lawyer, but I do so on the time, including live on stage at DEF CON.
69/ @kjhiggins is still annoyed with me for having captured and displayed her password on stage at a conference. Indeed, I've been caught by @hdmoore doing the same to me (very embarassing), displaying my password.
70/ I'm here to make jokes and take evidence. I'm long past caring about those who'll deliberately take jokes out of context. Someone willingly misreading jokes condemns themselves.
71/ Main conference still seems full, but cyber-experts have been slowly leaving, having flights to catch. I've got about 3 more hours, then gotta run to catch my flight.
72/ So they had one of the "cyber experts" go on stage and describe the conclusion of the group. I didn't hear precisely what was said, but my conclusion is simply: we didn't get the Absolute Proof packet captures that show the flipped votes that Mike Lindell promised.
73/ Maybe these packet captures will appear in the future. Then I'll take a look. But of course, I'm not spending another $1000 to look at them -- I'll just download them from the Internet.
74/ If this is the message you heard, "we need more time", then that's wrong.

The issue is we weren't given the data promised, it's not about time.

75/ Instead of giving us the data we were promised, the Absolute Proof of votes being flipped, Lindell dumped a bunch of new data on us, like Mesa county disk images they got yesterday. Yes, of course, that needs a lot time to search for things and analyze.
76/ But he didn't ask us here to do forensics/analysis on NEW data to find possible new evidence (which takes time) -- he invited us here to confirm the analysis that he claimed to have already performed on OLD data (which doesn't take much time).
77/ The initial analysis takes time, it's a lot of effort searching haystacks for needles. But once you find a needle, it doesn't take much time at all to confirm you've found one. Had we been given the packet captures, we could've confirmed it in a day.
78/ ok, good bye cybersymposium, time to head to the airport ImageImage
79/
Final verdict of this "cyber expert":

Number of "packet captures" or "cyber pcaps" seen = 0
Amount of "Absolute Proof" seen = 0
Amount of any evidence seen = 0
80/ Some comments on the last tweet claim that while there were no packet-captures, that they saw other pieces of evidence presented on stage. If I missed something, please correct me and point to the specific thing that I missed.
81/ Well, yes, technically, packet captures were seen. If you scroll up in my thread, you'll see some packet captures I created during the symposium.

I was clearer in the other tweets: none of the packet captures THAT WE WERE PROMISED
82/ They did give us some additional packet captures, captured after the election, which don't seem to be related to elections at all. So yes, "pcaps" but not the election pcaps showing vote flipping that we were promised.
83/ As for "intentional weakening of security", it's meaningless. It's what we call "conspiracy theories" where you go searching through something you don't understand looking for suspicious looking things that confirm your theory. Image
84/ I know how that image looks suspicious. But it's your job to create a coherent story about how this suspicious looking thing is actually malicious, not a techy's job to explain how registries, SQL, SSL, and voting machines work.
85/ If something is evidence, explain what the evidence means. Start with "I understand exactly what's going on here and here's how it's evidence", not "I don't understand what's going on and my only explanation is the theory".
86/ Remember that's what we are trying to sift through: a world of things we don't understand that look suspicious as hell, and the world of things that we do understand that we can pin down exactly what happened.
87/ it’s wrong to describe Lindells followers as gullible or other insults. Only half were impervious to the fact he didn’t deliver, another half were upset and felt it was a problem.
88/ it’s the worst half you see on Twitter, arguing their case, but they aren’t the entirety

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Robert Graham 𝕏

Robert Graham 𝕏 Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @ErrataRob

Nov 16
🧵So let's talk about the difficulties Netflix is having streaming the Tyson v Paul fight, how the stream gets from there to your TV/computer. This will a longish thread.
In 1985 on his first fight, TV technology was based upon "broadcasts". That meant sending one copy of a video stream to thousands, often millions of receivers. A city would send the signal to a radio tower and broadcast that signal across a wide area.
In today's Internet, though, everybody gets their own stream. There is no broadcasting, no sharing of streams. Every viewer gets their own custom stream from a Netflix server. That we can get so many point-to-point stream across the Internet is mind boggling.
Read 24 tweets
Sep 17
By the way, the energy density of C4 is 6.7 megajoules/kilogram.
The energy density of lithium-ion batteries is about 0.5 megajoules/kilogram.
C4 will "detonate" with a bang.
Lithium-ion batteries will go "woosh" with a fireball, if you can get them to explode. They conflagrate rather than detonate. They don't even deflagrate like gun powder.
To get a lithium-ion battery to explode (in a fireball) at all, you have to cause physical damage, overcharge it, or heat it up.
Causing heat is the only way a hacker could remotely cause such an event.
Read 8 tweets
Jul 21
I don't want to get into it, but I don't think Travis is quite right. I mean, the original 25million view tweet is full of fail and you should always assume Tavis is right ....

...but I'm seeing things a little differently.
🧵1/n
2/n
DON'T TRY THIS AT HOME

I'm a professional, so I can take the risk of disagreeing with Tavis. But this is just too dangerous for non-professionals, you'll crash and burn. Even I am not likely to get out of this without some scrapes.
3/n
To be fair, we are all being lazy here. We haven't put the work in to fully reverse engineer this thing. We are just sifting the tea leaves. We aren't looking further than just these few lines of code. Image
Read 14 tweets
Jun 18
The reason IT support people are so bitter is that YOU (I mean YOU) cannot rationally describe the problem:

You: The Internet is down
IT: How do you know the Internet is down?
You: I can't get email.
IT: Is it possible that the email servers are down and the Internet is working just fine? Can you visit Twitter on your browser?
You: Yes, I can visit the twitter website.
IT: Is there any reason other than email to believe the Internet is down?
You: The last time I couldn't get email it was because the Internet was down.

The fact that IT doesn't call you a blithering idiot on every support call demonstrates saintly restraint, even if a little bit of their frustration leaks through.
A lot of good replies to my tweet, but so far this is the best:
I very much like this rebuttal. I was think of "driving a car" analogy, but this tweet says it much better.
Read 5 tweets
Apr 12
Uh, no, by any rational measure, only Trump has had respect for the forum.

Televised debates aren't about "debate" but charisma and media training, where they craft an answer regardless of whether they believe it.

Trump is the only candidate who gives sincere answers.
Trump is pure evil, the brutality of his answers appeals to ignorant brutes who reject all civilized norms.

But the yang to Trump's yin is a liberal elite like Rosen whose comfortable with the civilized norm of lying politicians who play this game of deceitful debates.
To be fair, Biden (and Obama and Bush before him) have stood up for important democratic principles, the ones that Trump flatly reject. But still, the system has gotten crusty. There's no reason to take presidential debates seriously as Rosen does.
Read 4 tweets
Mar 21
I've read through it.

It's the same as all Ben Cotton's analysis's, looking for things he doesn't understand and insisting these are evidence of something bad, that the only explanation is his conspiracy-theory.

I can't explain the anomalies he finds, either, but in my experience as a forensics expert, I know that just because I can't explain it doesn't mean there isn't a simple explanation.

For example, he points to log messages about mismatched versions. I know from experience that such messages are very common, I even see them in software that I write. It's the norm that when you build something from a lot of different software components, that they will not be perfectly synchronized.

That he would make such claims based solely on log messages of mismatched versions proves that he's really not competent -- or at least, very partisan willing to be misrepresent things.
In particular, I disagree with his description of these files. In the C#/.NET environments, creationg of new executables is common. In particular, these are represent web server files. It's quite plausible that as the user reconfigures the website, that these executables will be recreated.

I don't know for certain. I'd have to look at Dominion in more detail. I just know that if any new C#/.NET executables appear in the system that they are not automatically new software.Image
The certification process looks haphazard and sloppy to me, so it's easy for me to believe that uncertified machines were used in elections.

But nothing in Ben Cotton's report suggests to me that this happened. He's not looking for an explanation for the anomalies he finds, he already has an explanation, and is looking for things that the ignorant will believe is proof of that explanation.
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

:(