Context for the less technical.
PXE stands for Pre eXecution Environment
It is basically virtual discs on a server somewhere.
You configure a computer to 'PXE Boot' in the BIOS and it will check the network for a PXE server, load whatever image the server sends it, and boot off of that.
Staying objective and removing my personal feelings from it, PXE booting such a sensitive machine leaves a significant risk surface if there is not some sort of validation conducted on the server side post-deployment.
If you want to experiment with PXE yourself to understand this better, check out FOG https://fogproject.org/
Nerds got us into this and Nerds will get us out of it! Fuck Black Hats!
Tons of computers are set up to boot this way by default. Having not found a device to boot from on the network they will then look to see if they have a disk to boot from.
Negligence or intended? You decide. To me, it's not a smoking gun.
Note that it would be difficult to boot a computer (with a fat OS like Windows) over the Internet as the bandwidth would be too low. PXE boot is normally done on a LAN where there is fast network access.
Edit: DHCP is also necessary to use PXE.
You can use iPXE to boot from the internet, i.e.: https://ipxe.org/
iPXE is the leading open source network boot firmware. It provides a full PXE implementation enhanced with additional features such as:
boot from a web server via HTTP
boot from an iSCSI SAN
boot from a Fibre Channel SAN via FCoE
boot from an AoE SAN
boot from a wireless network
boot from a wide-area network
boot from an Infiniband network
control the boot process with a script
You can use iPXE to replace the existing PXE ROM on your network card, or you can chainload into iPXE to obtain the features of iPXE without the hassle of reflashing.
iPXE is free, open-source software licensed under the GNU GPL (with some portions under GPL-compatible licences), and is included in products from several network card manufacturers and OEMs.
How is this NOT a smoking gun? Maricopa County and all the others who used PXE to boot the local machines would've had a high bandwidth modem/router set up to accomplish this, right? They said these machines weren't connected, and yet, we now have proof that they were, thanks to the Dominion whistleblower and CMZ, correct?
Even though this is months after the elections, this is still proof [they] were using nefarious methods to enact [their] plan re: 2020 elections.
Agree, not a smoking gun until we get more information; just the fact that the option is there means literally nothing.
PXE, first of all, is present on almost all desktops and many notebooks (the network card should be PXE-Boot enabled or it won't work).
PXE can be configured in thousands of ways; it could have been used for the first imaging of the system (sysprep / aktoolset / etc.).
Also, you need a deployment infrastructure (automated or manual) with the various NS/DNS/IPs and endpoint management.
Then you would have logs in different places of what's happening (in any case, the packet captures that Mike has should be able to prove it).
Another thing is that the Acronis boot manager was shown (you wouldn't normally boot Acronis via PXE to then boot again in another protocol); it can be local, or over the network, or from a hidden partition / drive etc. (I think, if that's legit, it was probably hidden in the 'secure zone', a hidden partition Acronis creates). I saw some videos from the CZ channel, but again, just a quick view of the interface doesn't give any detail / prove anything; we need more details.
Source: I'm an Enterprise architect myself with over 15 years of experience in the field.
The one thing that did get my attention is he said that the "state" had the BIOS password. Well, in Texas at least, elections are run by each county and the state should have no such access. I'm working and haven't had a chance to watch the video multiple times.
Yep, that's another thing. Normally (depending on how the whole infrastructure is designed / implemented), you can have two or multiple types of 'password' (access) to the BIOS; standard in professional-class notebooks and desktops is a user password and a superuser one. This second one, generally kept by the IT teams, can decide what the other can view, do, etc., and has higher-level access (e.g. it can wipe the machine or do other things that the normal user can't do).
I don't think the actual boot image is that big. Once the computer boots from the PXE image, every other data read/write is done via the local drive, I think.
Force of habit, probably.
Some enterprise environments use a custom OS, or highly customized version of an existing OS across all machines, connected to a central login server.
Rather than install the OS every time they get new hardware, or manually install updates across millions of machines, especially if they're scattered across multiple physical locations, it makes sense to have a single Operating System image that can be updated and forced out to all the machines on the network.
It's possible (though with all the shady dealings, my benefit of the doubt is pretty low on this one) that Dominion ordered a BIOS image and didn't bother to order the default to have PXE disabled, and whoever Dominion got to build their BIOS just set the default they normally do for their enterprise customers.
Point is, unless someone can force Dominion to give up the data, it's hard to say what happened, though the odds aren't in their favor...
If they ordered a custom BIOS, it wouldn't have been from the manufacturer. Maybe through a third party channel partner, but that would still leave too many witnesses who see your election management system is configured for network booting. Even Dominion isn't that stupid.
I do think it's possible they pushed out a very lean image to a hidden partition on the drive via PXE. Post election, just delete the partition.
Nah, I'm saying there's a 1 in 1mil chance that both Dominion and whoever makes their BIOS dropped the ball, and they ended up with a "boot-from-network" by default in their BIOS by accident.
I highly doubt it, but there's a very slim chance that incompetence was at play here, in which case Dominion still can't be trusted with election integrity...
This does present a couple of questions. If the machines were set to PXE boot, they wouldn't have a running image on them for the audit unless someone went back and installed something prior to handing the machines over and flipped off the PXE boot in the BIOS. The only way I am familiar with doing a permanent install from PXE is using PXE to load something like a small busybox image which will run a kickstart script to install an OS, like CentOS for example. We have to assume these are not diskless machines as they are NOT to be networked, and must have the ability to start on their own.
PXE would be yet another reason to see the router configs. If those machines were set to PXE boot, then you can check the router to see where it forwards/relays ports 67 and 69 for the BOOTP request for the actual image these things would pull from.
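As an added example (my own code, not something posted by anyone in this thread), here is the kind of check a forensic reviewer would run over a DHCP capture to back up the two points above: that PXE depends on DHCP (the earlier "Edit: DHCP is also necessary" comment) and that the boot server and image a client was pointed at show up in the DHCP/BOOTP traffic on UDP 67/68 before TFTP on UDP 69 is ever touched. The script decodes the RFC 2131 message layout and the PXE-specific options (60 vendor class "PXEClient", 93 client architecture per RFC 4578, 66 TFTP server, 67 boot file), and flags which MACs asked to network-boot and which server and file they were offered. The packets are constructed in the script with RFC 5737 documentation addresses and made-up MACs so it runs offline; nothing here comes from a real capture.

```python
"""Spot PXE boot activity in DHCP messages (RFC 2131 layout, RFC 4578 options).
Sample packets are constructed below; they are not real captured traffic."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"       # marks the start of the DHCP option list
HEADER_FMT = "!BBBBIHHIIII16s64s128s"   # fixed BOOTP header, 236 bytes
OPT_MSG_TYPE, OPT_VENDOR_CLASS = 53, 60
OPT_TFTP_SERVER, OPT_BOOT_FILE, OPT_CLIENT_ARCH = 66, 67, 93


def build_dhcp(op, xid, chaddr, siaddr="0.0.0.0", boot_file="", options=()):
    """Assemble a minimal DHCP message; used only to construct sample input."""
    header = struct.pack(
        HEADER_FMT, op, 1, len(chaddr), 0, xid, 0, 0x8000,
        0, 0, int(ipaddress.IPv4Address(siaddr)), 0,
        chaddr, b"", boot_file.encode())          # struct pads the 's' fields
    body = bytearray(header + MAGIC_COOKIE)
    for code, value in options:
        body += bytes([code, len(value)]) + value  # TLV option encoding
    return bytes(body + b"\xff")                   # option 255 = end


def parse_dhcp(data):
    """Decode the fixed header and the TLV option list into a dict."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    (op, _htype, hlen, _hops, xid, _secs, _flags, _ciaddr, _yiaddr, siaddr,
     _giaddr, chaddr, _sname, boot_file) = struct.unpack(HEADER_FMT, data[:236])
    options, i = {}, 240
    while i < len(data) and data[i] != 255:
        if data[i] == 0:                 # pad byte carries no length field
            i += 1
            continue
        length = data[i + 1]
        options[data[i]] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "client_mac": chaddr[:hlen].hex(":"),
            "siaddr": str(ipaddress.IPv4Address(siaddr)),
            "boot_file": boot_file.split(b"\x00", 1)[0].decode(errors="replace"),
            "options": options}


def classify(pkt):
    """Return a finding for one message, or None when it shows no PXE activity."""
    opts = pkt["options"]
    if pkt["op"] == 1 and opts.get(OPT_VENDOR_CLASS, b"").startswith(b"PXEClient"):
        # Firmware PXE clients identify themselves with vendor class "PXEClient"
        # and carry their CPU/firmware architecture in option 93.
        arch = opts.get(OPT_CLIENT_ARCH)
        return {"kind": "pxe_client_request", "mac": pkt["client_mac"],
                "arch": struct.unpack("!H", arch)[0] if arch and len(arch) == 2 else None}
    if pkt["op"] == 2:
        # Server reply: boot server is option 66 or the siaddr field,
        # boot file is option 67 or the fixed 'file' field.
        server = opts.get(OPT_TFTP_SERVER, b"").decode(errors="replace")
        if not server and pkt["siaddr"] != "0.0.0.0":
            server = pkt["siaddr"]
        boot_file = opts.get(OPT_BOOT_FILE, b"").decode(errors="replace") or pkt["boot_file"]
        if server or boot_file:
            return {"kind": "boot_offer", "mac": pkt["client_mac"],
                    "next_server": server, "boot_file": boot_file}
    return None


def summarize_capture(packets):
    """Aggregate findings: which hosts asked to PXE boot, and from where."""
    summary = {"pxe_client_requests": 0, "client_macs": set(),
               "boot_servers": set(), "boot_files": set()}
    for raw in packets:
        finding = classify(parse_dhcp(raw))
        if finding is None:
            continue
        if finding["kind"] == "pxe_client_request":
            summary["pxe_client_requests"] += 1
            summary["client_macs"].add(finding["mac"])
        else:
            if finding["next_server"]:
                summary["boot_servers"].add(finding["next_server"])
            if finding["boot_file"]:
                summary["boot_files"].add(finding["boot_file"])
    return summary


CLIENT_MAC = b"\x00\x11\x22\x33\x44\x55"            # constructed, not a real host
SAMPLE_PACKETS = [                                  # constructed sample capture
    # 1. PXE firmware DHCPDISCOVER: vendor class PXEClient, arch 7 (x64 UEFI)
    build_dhcp(1, 0x1234ABCD, CLIENT_MAC, options=[
        (OPT_MSG_TYPE, b"\x01"),
        (OPT_VENDOR_CLASS, b"PXEClient:Arch:00007:UNDI:003016"),
        (OPT_CLIENT_ARCH, b"\x00\x07")]),
    # 2. DHCPOFFER naming the TFTP server (RFC 5737 address) and the boot file
    build_dhcp(2, 0x1234ABCD, CLIENT_MAC, siaddr="192.0.2.10", options=[
        (OPT_MSG_TYPE, b"\x02"),
        (OPT_TFTP_SERVER, b"192.0.2.10"),
        (OPT_BOOT_FILE, b"boot/pxelinux.0")]),
    # 3. Ordinary DHCPDISCOVER from an already-booted OS: must not be flagged
    build_dhcp(1, 0x0BADF00D, b"\x00\x11\x22\x33\x44\x66", options=[
        (OPT_MSG_TYPE, b"\x01"),
        (OPT_VENDOR_CLASS, b"MSFT 5.0")]),
]

if __name__ == "__main__":
    print(summarize_capture(SAMPLE_PACKETS))
```

On a real review you would feed `parse_dhcp` the UDP payloads of port 67/68 traffic from the capture; a `pxe_client_request` finding for an election-machine MAC shows the firmware went looking for a network boot, and a matching `boot_offer` shows a server on that segment answered, which is the point at which the router's relay configuration for 67/69 becomes relevant.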
This definitely would be proof there was outside connectivity.
See part 5 of the Devolution series, which ties in Dominion
Expert level question for you. It's clear we captured unencrypted data. Can you please speculate as to why? Packet size? Or just arrogance?