that1guy1981 5 points ago +5 / -0

They mined the DNS servers. The DNS servers translate www.website.com into the Internet Address. Every time any computer needs to do anything on the internet it looks up the site. So they could tell every website ever visited by the administration.

Beyond that they would need help getting inside, whether with inside help or by deliberately providing incorrect addresses that point them to malware and remote admin tools.

that1guy1981 1 point ago +1 / -0

There's no source just some guy on the internet quoting PFA statistics. If you have to "If this is true..." then what you've got is some primo, industrial grade hopium.

that1guy1981 1 point ago +1 / -0

Shorting pins 1&3 would short the two main pairs of two-pair ethernet (10-100Mbs), and would short two very important pairs in 4-pair ethernet used for 1gbs+. Bottom line, you wouldn't be able to connect at all.

You might as well advise them to use their etherNet to catch the etherBunny.

that1guy1981 2 points ago +2 / -0

Also, choose your favorite VM environment, whether it is VirtualBox, VMware Player, or a half a dozen others.

that1guy1981 2 points ago +2 / -0

You need both, a VPN to mask the download, and a VM to open it in case it's loaded with spyware and malware.

that1guy1981 2 points ago +2 / -0

Use a VPN to download, open on a purpose built VM with network access disabled, in case it's loaded with spyware/malware.

that1guy1981 2 points ago +2 / -0

PXE operates over BOOTP/DHCP; routers are often configured as BOOTP/DHCP forwarders. If PXE was turned on, there is a chance the router logs would capture it if they were configured as DHCP forwarders.

that1guy1981 6 points ago +6 / -0

Yes, to expand on what you've said.

iDRAC allows both remote control and BIOS configuration changes. With the BIOS changes they could be configured to boot from network first, essentially having them boot "Dirty" via PXE boot during the elections. The dirty OS runs its own version of the vote counting software that the auditors never see, and writes the results to the database on disk. Once the elections are over, they boot clean from disk. When an auditor powers them back on the PXE server isn't on the network, so they boot from disk, load the clean OS and all the clean programs, and appear good.

In spirit this has a lot of parallels to how Volkswagen cheated, albeit more technical and with a few more steps, but at the end of the day these ran DIRTY during the election, and would appear CLEAN to an auditor or anyone who powered them up.

The thing about all this is the router logs would have a good chance of catching this via logs on DHCP forwarding, which is why the Maricopa County Board of Supervisors is fighting tooth and nail not to turn over the logs.

that1guy1981 2 points ago +2 / -0

The PXE boot plus the remote iDRAC is a terrible combination. A remote iDRAC connection allows them to set up a virtual console, provision a file share over the network as a local disk, or change the BIOS boot order to include a network boot.

A virtual console would allow someone on the network to come in and have keyboard and mouse access to these machines. Database management tools capable of altering the database were found on the machines. This would allow people to come in and basically alter the results the voting machines provided at will.

Provisioning a network share as a local disk: this would allow someone to point to any files they had prepared and have them accessible. These could be log-altering tools to alter the logs on the machines to cover their tracks, or any other scenario.

Change the BIOS boot order to include a network boot: this is perhaps the most subtle and insidious. Using this, they could tell the machines to boot and run DIRTY during the election, but after the election they would run the CLEAN version from the disk.

Technical explanation of that 3rd, really insidious one. Transferring an OS over the network is data intensive, but there are minimal OSes designed to run other OSes in a containerized fashion. Meaning that instead of booting the CLEAN OS on the disk, they boot a container OS configured to run the OS and applications on the disk, but with very subtle variations that the OS would be unaware of. Here is one scenario:

  1. The device is configured via iDRAC to boot from the network. This is known as a PXE boot.
  2. Via iDRAC virtual console the device is rebooted.
  3. The device runs a container OS, of which there are at least a half dozen. The container OS is really small and designed to be compressed for a minimal size. The container OS then runs the OS on the disk with one subtle variation.
  4. The OS on the disk is booted, and thinks it is reading the hard drive; it instead is reading what the container presents. The container presents the entire contents of the hard drive exactly as it is, except for the directory containing the election software. That instead points to the corrupt version.
  5. The corrupt version appears to the OS to be in the exact same location as the clean version, and the OS and all the logs think they are running the clean version.
  6. The corrupt version does anything they can dream of, including purposely misreading ballots to send them to adjudication, or simply recording a fraction of Trump votes as Biden votes.
  7. After the election is over they disconnect the PXE server, and then the machine runs the clean version instead. Any auditor turning on the machine sees the clean version.
  8. All the logs appear normal on the machine because it believed it was running the OS, and it was; just the container OS misled it about the location of key files. All the logs that are supposed to be there are present, and there is no evidence of tampering on the machine, because the tampering occurred beneath the OS.

The thing about this is that PXE booting requires DHCP and BOOTP, which have a high probability of hitting the router and being logged by DHCP forwarding configured on the router. Worse yet, if the PXE server was configured by someone with access to the routers, they could simply change the normal forwarding address to the rogue server they set up. In this case the evidence would be on the router and network logs at the county, instead of on the machines. Kind of an odd coincidence that the county is fighting tooth and nail not to turn these over.
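The detection point this post and the earlier one on DHCP forwarders both rest on is that a firmware network boot begins with a DHCPDISCOVER that identifies itself, and that a router acting as a DHCP forwarder stamps its own address into the request. The following is an added example, not the poster's code or any product's tooling: it parses DHCP messages per RFC 2131/2132, reads the relay agent address (giaddr), and flags any request whose vendor class (option 60) begins with "PXEClient", also reporting the client architecture from option 93 (RFC 4578). The two packets are constructed in the block for demonstration; the relay address 10.20.30.1 and the MACs are assumed sample values, and an auditor would feed it real captures or relay-server exports instead.

```python
import struct
from dataclasses import dataclass, field

# DHCP "magic cookie" that follows the fixed BOOTP header (RFC 2131).
DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


@dataclass
class DhcpMessage:
    op: int                      # 1 = BOOTREQUEST, 2 = BOOTREPLY
    xid: int                     # transaction id
    giaddr: str                  # relay agent IP; non-zero when a router forwarded the request
    chaddr: str                  # client hardware (MAC) address
    options: dict = field(default_factory=dict)


def parse_dhcp(payload: bytes) -> DhcpMessage:
    """Parse the fixed BOOTP header and the TLV option area of a DHCP message."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops = struct.unpack("!BBBB", payload[0:4])
    xid = struct.unpack("!I", payload[4:8])[0]
    giaddr = ".".join(str(b) for b in payload[24:28])
    chaddr = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad option, single byte
            i += 1
            continue
        if code == 255:          # end option
            break
        length = payload[i + 1]
        options[code] = bytes(payload[i + 2:i + 2 + length])
        i += 2 + length
    return DhcpMessage(op, xid, giaddr, chaddr, options)


def assess(msg: DhcpMessage) -> dict:
    """Summarise one request: message type, relay that forwarded it, whether it is a PXE boot."""
    vendor = msg.options.get(60, b"").decode("ascii", "replace")  # option 60: vendor class identifier
    arch = msg.options.get(93)                                     # option 93: client system architecture
    mtype = msg.options.get(53, b"\x00")[0]                        # option 53: DHCP message type
    return {
        "client": msg.chaddr,
        "type": MSG_TYPES.get(mtype, "UNKNOWN"),
        "relayed_by": None if msg.giaddr == "0.0.0.0" else msg.giaddr,
        "pxe_boot": vendor.startswith("PXEClient"),
        "arch": struct.unpack("!H", arch[:2])[0] if arch and len(arch) >= 2 else None,
    }


def find_pxe_boots(packets: list) -> list:
    """Return the assessment of every request that announced itself as a PXE client."""
    return [a for a in map(assess, map(parse_dhcp, packets)) if a["pxe_boot"]]


def build_discover(mac: bytes, giaddr: str, options: list) -> bytes:
    """Build a constructed DHCPDISCOVER (BOOTREQUEST) for demonstration; not a real capture."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000)  # op, htype, hlen, hops, xid, secs, flags
    hdr += bytes(12)                                                  # ciaddr, yiaddr, siaddr all zero
    hdr += bytes(int(o) for o in giaddr.split("."))                   # giaddr set by the relaying router
    hdr += mac.ljust(16, b"\x00") + bytes(64) + bytes(128) + DHCP_MAGIC  # chaddr, sname, file, cookie
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + body + b"\xff"


# Constructed sample traffic (assumed addresses): one ordinary Windows client and one
# firmware PXE request, both relayed by a router DHCP forwarder at 10.20.30.1.
SAMPLE_PACKETS = [
    build_discover(b"\x00\x11\x22\x33\x44\x55", "10.20.30.1",
                   [(53, b"\x01"), (60, b"MSFT 5.0")]),
    build_discover(b"\xaa\xbb\xcc\xdd\xee\xff", "10.20.30.1",
                   [(53, b"\x01"), (60, b"PXEClient:Arch:00007:UNDI:003016"), (93, b"\x00\x07")]),
]

if __name__ == "__main__":
    for finding in find_pxe_boots(SAMPLE_PACKETS):
        print(finding)
```

Run against a capture, the only packets that come back are those where a host asked for a network boot, along with which relay forwarded the request, which is exactly the record a DHCP-forwarding router would hold about a PXE boot on a segment where none is expected.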

that1guy1981 1 point ago +1 / -0

For the guy asking about cloud desktop, and the person responding saying you need internet access: you don't actually need internet access. Typically you look up the server hosting the info from Dell on the Internet. However, the lookup is based on DNS, so if you put an entry in your local server you can point the image literally anywhere, and it wouldn't have to be on the internet.

https://www.dell.com/support/manuals/en-us/optiplex-3240-aio/optiplex3240aio_om/cloud-desktop-screen-options?guid=guid-48e1ebc4-1c32-411c-9406-f100a874573f

that1guy1981 1 point ago +1 / -0

IOPS aren't a problem here because once loaded into memory the OS wrapper is local. The OS is on local disk, the database is on local disk, all the programs are local. Only the OS wrapper, the crack, and/or remote administration tool is loaded from the network; all are very small and once initially loaded would stay in memory.

IOPS aren't an issue because the VM is reading the OS wrapper from memory, that it got over the network, and everything else is read from disk, with either the crack or remote administration tool run remotely from the network. The OS wrapper could be under 50MB. The crack and RAT would both be less than 3MB, and once run would stay in memory.

Everything except for the RAT or crack would simply be read from local disk. Minimal network transfers.

EDIT 1 -- FYI: they make Linux versions for just this purpose, minimal size and overhead for running VMs.

https://computingforgeeks.com/minimal-container-operating-systems-for-kubernetes/

EDIT 2 -- ADDITIONAL FYI: Fedora CoreOS for PXE boot is 10MB compressed. https://getfedora.org/en/coreos/download?tab=metal_virtualized&stream=stable

EDIT 3. This is really looking doable with less than 50MB total payload; plus the OS wrapper could also run a PXE boot server and answer local BOOTP/DHCP requests, meaning it only has to be transferred once. On a 100mb connection a 50M file could be downloaded in less than 6 seconds for the initial, and then all other machines on the network could be done at local gigabit speeds.

that1guy1981 1 point ago +1 / -0

Imagine the following; you could slim it down to a mere few dozen megabytes.

The network boot points to a custom wrapper, a minimal Linux load, that then runs the OS on the disk as a virtual machine. The custom Linux load contains any one of, or even all three of, the following: a crack for the election program, a database tools program to alter the voter database, or a slim remote administration tool such as VNC.

The database is on the disk, the OS is on the disk, the program is on the disk. They only need to be able to use remote command and control to run the database tool found on the machine. They could also do it without remote command and control by using a program set to flip votes according to a pre-determined algorithm. They don't have to pass the OS over the network, nor the programs, nor the database. Just have the VM trick the OS into thinking its C:\program files\NAME OF VOTING SOFTWARE\VOTINGSOFTWARE.exe is located elsewhere, where it runs a crack first before executing the program. I've seen cracked games run where the crack is measured in the 100-200KB. They could easily write a crack that's only a few hundred KB to a couple MB.

In short, these machines could be hijacked by an OS wrapper that simply tells it that the disk is mostly where they think it is, except for 1-2 files. This could simply add either remote command and control, or a remote algorithm, that takes excess Trump votes and flips them to Biden. Mostly recording the accurate ones, but flipping enough to turn it to Biden.

I could probably kludge something that does exactly that in less than 50MB. Over a 10mb connection it wouldn't take more than 3 minutes to load, and then it could act as a local PXE boot for all the other machines, meaning I only have to transfer that 50MB once.

SUMMARY FOR NON-TECHNICAL PEOPLE: If these devices booted from the network, which they are prohibited from doing, then instead of running the clean software they could be running dirty software that writes tainted results of their choosing instead of the real results of the election. The router and Splunk logs would likely have this information.

that1guy1981 2 points ago +2 / -0

Or boot entirely from a PXE server using a disk that is remotely mounted. Nothing is written to the hard drive except what they want to write; they could run an entirely different OS and programs with a back door built in. If they designed it right it could read literally everything from the disk to keep the network traffic down, but instead of running the software it would run a cracked version of it from the network, with their C&C built in. They could use the database tools on the disk to alter the database any way they wanted.

There'd be evidence in the router logs, and evidence on the Splunk servers. This is why they are fighting to the death to keep those away from the public's eyes.

that1guy1981 1 point ago +1 / -0

Booting from a remote PXE server would very likely leave tons of evidence in the router and Splunk logs. Even if they managed to place a PXE server physically in the same network as the machines they took over, the command and control traffic would likely be in the logs as well.

that1guy1981 7 points ago +7 / -0

Bottom line here: if these machines were configured to PXE boot before the disk, then on election day they could be running a completely different OS than the one on the disk. During the elections the machines would run dirty, but during the audits later the machines would run clean.

If they did this, then more likely than not the Splunk logs and the router logs would contain this information. This would be why they'd fight to the death to prevent anyone from seeing these logs. The logs could prove that these machines were configured and ran a dirty OS they designed, instead of the one presented during certification.

that1guy1981 1 point ago +1 / -0

Bottom line here: if these machines were configured to PXE boot before the disk, then on election day they could be running a completely different OS than the one on the disk. During the elections the machines would run dirty, but during the audits later the machines would run clean.

If they did this, then more likely than not the Splunk logs and the router logs would contain this information. This would be why they'd fight to the death to prevent anyone from seeing these logs. The logs would prove that these machines were configured and ran a dirty OS they designed, instead of the one presented during certification. Basically, the logs would prove that during the elections, and only during the elections, these machines ran from an OS that was rigged.

that1guy1981 1 point ago +1 / -0

If this were the case, then the router logs could show BOOTP/DHCP traffic, proving they booted something other than the programmed OS. The file transfers for it would also be fairly different, in terms of total bytes transferred, from normal machine traffic while working regularly.

To put it bluntly, the router / Splunk logs would be the smoking gun if these machines PXE Booted a different OS.