Critical Security Hole Found in Diebold Machines

ckswift writes "From security expert Bruce Schneier's blog, a major security hole has been found in Diebold voting machines." From the article: "The hole is considered more worrisome than most security problems discovered on modern voting machines, such as weak encryption, easily pickable locks and use of the same, weak password nationwide. Armed with a little basic knowledge of Diebold voting systems and a standard component available at any computer store, someone with a minute or two of access to a Diebold touch screen could load virtually any software into the machine and disable it, redistribute votes or alter its performance in myriad ways."

Black Box Voting & The Details

[eldavojohn]

BBV released a a nice guide to how all this works. There appears to be a software access button (bottom of page 11):

The TSx also has an unmarked button hidden in the casing. On the circuit board, this switch is labeled "battery test". The switch is physically similar to many reset buttons, necessitating application of substantial force to press the button, requiring it to be depressed by about 1/5 - 1/6 inch in order to activate the switch. This switch is also software accessible. It is completely accessible for all voters in the standard voting booth configuration. The logic behind the button is unknown, but for an attacker it presents yet another way to interact with the machine, and an exceptionally convenient button switch for an attack designed to be triggered by a voter.

Well, this seems very insecure to me. BBV criticizes the three layer architecture and states that it would be very easy to target it three different ways (at each layer):

- The application can be imagined as written instructions on a paper. If it is possible to replace these instructions, as it indeed seems, then the attacker can do whatever he wishes as long as the instructions are used.

- The operating system is the man reading the instructions. If he can be brainwashed according to the wishes of the attacker, then even correct instructions on the paper solve nothing. The man can decide to selectively do something different than the instructions. New paper instructions come and go, and the attacker can decide which instructions to follow because the operating system itself is under his control.

- The boot loader is the supreme entity that creates the man, the world and everything in it. In addition to creating, the boot loader also defines what is allowed in the world and delegates part of that responsibility to the operating system. If the attacker can replace the boot loader, trying to change the paper instructions or the man reading them does not work. The supreme entity will always have the power to replace the man with his own favorite, or perhaps he just modifies the man's eyes and ears: Every time the man sees yellow, the supreme being makes him think he is seeing brown. The supreme entity can give the man two heads and a secret magic word to trigger switching the heads.

In the world of the Diebold touch-screen voting terminals, all of these attacks look possible.

The instructions (applications and files) can be changed. The man reading the files (Windows CE Operating System and the libraries) can be changed. Or the supreme entity (boot loader) can be changed, giving total control over the operating system and the files even if they are "clean software."

Specific conceptual information is contained in the report, with details and filenames in the high-security version which is being delivered under cryptographic and/or personal signature controls to the EAC, Diebold CEO Tom Swidarski and CERT.

1) Boot loader reflashing
2) Operating system reflashing
3) Selective file replacement

In addition, the casing of the TSx machines lack basic seals and security, and within the casing additional exploitations are found.

The article talks about a "standard tool you can buy at any computer store" and I believe this is referring to a PCMCIA card (what you use in laptops). I guess these are used to boot, upgrade & ready the machines for use. They do not go into detail but I wager that using a PCMCIA card with a USB port on it, you could load your own data from a thumb/pen drive. This would be small and easy to carry in. If you had access to it outside of the voting window, you could potentially use a PCMCIA card that functions as a NIC (probably with RJ45 cable port) to use cross over cable and a laptop for a 'live' attack.

Re:Black Box Voting & The Details

[TripMaster+Monkey]

Making these devices large, restricted to the government, bulky & containing GPS units in the case of them being stolen.

Not to sound pessimistic, but the government is precisely the people we need to protect this machine from. I would think that the only way to address this would be to:

• Hold of on installing the final software load approved by both parties (and perhaps a third, 'impartial' entity) until the device is installed on-site (and bolted down)
  
• Install the final software load while overseers from both parties (and the third, 'impartial' entity) verify the installation and the veracity of the software load via checksum.
  
• Secure the access door permanently (rivets, welding, whatever), and have all overseers affix tamper-evident seals.
  
• Overseers remain present throughout voting, and periodically inspect tamper-evident seals.
  

If an irregularity occurs, the entire process must be repeated and the citizens must be allowed to vote again. This will eliminate the posibility of people just tampering for the purpose of getting the precinct thrown out of the count.

Re:Black Box Voting & The Details

[maxwell+demon]

Use a thin client.

Bad idea IMHO. This allows another attack vector: Just modify the connection from the thin client to the server.

Re:Black Box Voting & The Details

[Sepper]

I still puzzles me why americans don't use something simpler...

hell, if India (with a BIGGER population) is capable of holding elections without soo much trouble, why can't the US do it?

Re:Black Box Voting & The Details

[coffeechica]

If I were at all cynical, I'd say because filling out thousands of fake ballots takes longer than tampering with the Diebold machines.

Re:Black Box Voting & The Details

[freedom_india]

I assume that in India, the manual labor required to count all the paper ballots is cheaper than it would be in the U.S.

India switched to electronic voting machines 12 years back. The last 2 General Elections and about 10 state elections have been with electronic machines.

Only difference: Our voting machines are two part and have an embedded ROM which can store 8000 votes each.

And it costs 1/20 of the cost of a Diebold.

Oh india tried to sell condoleeza the voting machines, but was brusquely turned down.

Re:Black Box Voting & The Details

[schamarty]

http://www.schneier.com/crypto-gram-0412.html#11 http://techaos.blogspot.com/2004/05/indian-evm-com pared-with-diebold.html This subject came up before, on cryptogram. I wrote a reply (first link above), referring a pretty nice paper (second link above). Summary: the Indian EVMs are much better, as much for non-technical reasons as for technical reasons!

It's not a bug, it's a feature!

[TripMaster+Monkey]

Considering that Walden O'Dell, chief executive of Diebold Inc., was quoted in August of 2003 as saying that he was "committed to helping Ohio deliver its electoral votes to the president next year", this shouldn't be too surprising.

Re:It's not a bug, it's a feature!

[gid13]

1. Do you have any stats to back this up? I am unconvinced by someone saying the word "FUD".
2. Diebold doesn't need to tamper with the election to make using their voting machines a horrible idea. As this article points out, there are extreme security flaws that allow others to tamper, which means Diebold has failed miserably at the goal of creating secure voting machines.
3. Assuming your stats are correct, is it a coincidence that the Diebold machines were installed in heavily Republican areas? Who got to decide on the voting machines/mechanisms used?
4. You say "yet another liberal urban legend" without giving any examples. Do you think there are more liberal urban legends than conservative ones? That would be a very difficult claim to defend. Which is probably why you just put it out there as if it was obvious in hopes that people would just agree. Sadly, this works all too well all too often in the political world. Your post is a couple of undefended partisan claims, and nothing more. If you're actually thinking about anything, please show us what you're thinking. Otherwise you might as well just say "REPUBLICANS RULE! DEMS SUCK! GO BUSH!" and keep contributing to the us and them sports fan mentality that American politics has become. Well that turned into a bit of a rant, didn't it?

Re:It's not a bug, it's a feature!

[Salty+Moran]

The majority of voters in largely Democratic areas in Ohio didn't even use electronic voting machines so this is kind of a moot point.

Are you implying that it is not important that republican votes be accurately accounted for? Maybe that it was a forgone conclusion that Bush would receive all or significantly close to all republican votes, so assurance of accuracy is not of significant concern?

A frightening excusatory remark indeed... I may have semi-predictable voting patterns that lead me to vote predominantly democratic, but if a voting machine picks up my vote as being for Hillary Clinton in 2008, I guarantee you I'd wish to be aware of the error regardless of what I was expected to do.

...yet another liberal urban legend...

Actually, this is FUD, not the original post. The original poster's concerns are shored up to a great extent by the very article under which the concerns were posted. What I just quoted from you is just a random claim you tossed out about some apparently nebulous web of deceit, yet I see nothing you've posted along with it that actually suggests any such thing exists.

Just because you SAY there are monsters under the bed doesn't make it so, and I don't see any beady eyes or claws peering out at me.

Please stop spreading this FUD.

An apt idea that you might consider applying to yourself in the future.

Re:It's not a bug, it's a feature!

[tassii]

This is yet another liberal urban legend people like to spread around that Diebold somehow tampered with the election. Please stop spreading this FUD.

Unfortunately not FUD. There are documented cases where Diebold's machines subtracted one out of every 100 votes for a democratic candidate. Its only been caught on minor elections and other irregularites with Diebold's machines. From California:

http://www.verifiedvotingfoundation.org/downloads/ resources/documents/ElectronicsInRecentElections.p df

"At least one voter was able to vote twice on her "smart card", and 10 votes were inexplicably lost.

John Pilch, a retired insurance agent who worked as a polling place inspector in San Carlos, said that when polls closed at 8 p.m. Tuesday, the number of people who signed the voter log differed from the number of ballots counted by computers.

"We lost 10 votes, and the Diebold technician who was there had no explanation," said Pilch, who registered complaints with elections officials, his county supervisor and several others. "She kept looking at the tapes."

At least 250 polls opened late because poll workers were unable to start up the machines, so hundreds, perhaps thousands, of people were turned away - many of them disenfranchised because they were unable to return to the polls at a later time that day"

As well as been posted here: http://politics.slashdot.org/article.pl?sid=04/11/ 16/1737228

Re:It's not a bug, it's a feature!

[stinerman]

I would consider myself an authoritative source on the matter since I was involved in the 2004 recount in Ohio. I observed in an official capacity the recount in Clark and Shelby counties and in an unofficial capacity the recount in Greene county. I will now state some facts that you may take as you will.

Punch cards were used in all these counties. None of the equipment used was Diebold equipment. Recounts were run more loosely in Greene and Shelby counties (Republican strongholds) than in Clark county (about 50-50). I spoke with the Greene county board chairman. He said that he took responsibility for not realizing that increased voter registration would mean they would need more machines (his exact words were, "We dropped the ball on that").

On your points:

1) Most of Ohio was using Florida-style punch card ballots. A few places used optical scan. Fewer yet used the Diebold electronic machines. I cannot recall which counties had Diebold machines. If you care to research it yourself, keep in mind that most of Ohio is red except for areas near the lake and the rust belt regions of Akron, Canton, and on over to Youngstown. Columbus and Dayton are swing regions. Cincinnati is very red for a large city.

2) Yes, the security practices of Diebold, Inc. border on the criminally negligent.

3) Local boards of election, IIRC, decided how the votes would be recorded. Elections are run by our Secretary of State, but local boards are given some freedom as well. I am not sure exactly who makes the final decisions. It should be noted that our boards of election are not elected, but are appointed and must have equal numbers of registered Republicans and Democrats on them.

The only board of election under investigation of impropriety is the Cuyahoga board (the bluest county in Ohio). The allegation is that they pre-counted the "randomly" selected ballots themselves in order to make sure the count came out correctly so that they wouldn't have to recount all the ballots by hand. In our recent primary election, the same board had trouble with getting the machines running in a certian precinct. Usually our polls are open from 6:30a - 7:30p. That precinct didn't open until 1:30p, which prompted a judge to order it open until 9:30p.

The Shock! The Surprise!

[GaryPatterson]

So the closed-source company with apparent links to the incumbent government and a record of blocking any attempts to investigate their code turn out to have security flaws?

Okay - closed-source versus open-source is a non-issue, but I expected something like this from Diebold sooner or later.

I'm seriously worried though. Here in Australia a lot of ATMs have been replaced recently with shiny new Diebold machines. I've no doubt they're harder to hack, but it's not an encouraging sign.

Re:The Shock! The Surprise!

[Ohreally_factor]

Because Diebold is only interested in stealing elections, not your money. So rest easy.

Why doesn't diebold?

[Whiney+Mac+Fanboy]

Why doesn't diebold just use the same security system it uses on its ATMs? After all (quoting):

Sygate defends your ATM with multiple layers of security:

First, the system locks down all electronic points of entry - making them invisible to hackers, viruses, and worms.

Next, it monitors, analyzes, and authenticates any external source attempting to connect to the ATM- and blocks anything the software doesn't recognize.

Failing that, they should just use the blue force shields that feature prominently in their Digital Security Videohahahaha - as long as your attacker is using little yellow balls to stage their attack.

Re:Why doesn't diebold?

[RoffleTheWaffle]

"Failing that, they should just use the blue force shields that feature prominently in their Digital Security Video - as long as your attacker is using little yellow balls to stage their attack."

Yes, because I'm fairly certain that somebody somewhere has come up with an insidious plot to rig the elections with a Nerf gun.

Funny isn't it?

[Trigun]

Diebold can make a box that handles your money with no issues. They make a voting machine that is atrocious and faulty. Goes to show where priorities lie across the board.

Re:Funny isn't it?

[typical]

They make a voting machine that is atrocious and faulty.

To be fair, even if it were someone else, voting machines that submit the vote in electronic form simply have fundamental problems with accountability. Yes, Diebold has had some atrocious engineering problems, but even if you took the best group of engineers on the planet and asked them to replace the pencil or hole punch machine with a fully electronic form, they'd still have a vastly more exploitable system than the traditional system.

I view Diebold as representative of a lot of companies that get government contracts -- obtaining unneeded pork, doing a fairly half-assed job. However, while some things (like the criminal records of people presiding over the project) were a little disturbing, I'm more willing to say that Diebold probably has nothing more malicious in mind than getting as much money as possible and not caring much as to how useful (or dangerous) their work is.

The real problem is that no voting administrator wants to be in the shoes of the Florida people, where questionable ballots exceeded the margin by which Bush won. An electronic form throws away all data other than a simple vote -- it may not be more accurate, but it covers the asses of voting administrators.

The fact that the whole system is much less accountable and more open to abuse and attacks than a physical system is more an issue that not of the involved people (voting officials and Diebold) just don't care about than one that I expect that they intend to personally exploit.

"any" software, eh?

[chrish]

Installing "Goatse.cx Screensaver", please wait...

Re:"any" software, eh?

[RoffleTheWaffle]

Or...

"Who is this 'Cockmongler', and why should I vote for him?"

The Diebold Chronicles

[Billosaur]

A Finnish computer expert working with Black Box Voting, a nonprofit organization critical of electronic voting, found the security hole in March after Emery County, Utah, was forced by state officials to accept Diebold touch screens, and a local elections official let the expert examine the machines.

Black Box Voting was to issue two reports today on the security hole, one of limited distribution that explains the vulnerability fully and one for public release that withholds key technical details.

The computer expert, Harri Hursti, quietly sent word of the vulnerability in March to several computer scientists who advise various states on voting systems. At least two of those scientists verified some or all of Hursti's findings. Several notified their states and requested meetings with Diebold to understand the problem.

Oh, those plucky Finns and the trouble they cause...

Does anybody get the idea that Diebold simply threw these machines together, cobbled the code together from stuff lying around the shop, slapped some paint on them, and expected states to use them no questions asked? You would think somewhere along the line, someone would have stood up at a development meeting and said, "we'd better make sure these things are secure."

Diebold will of course now hem, haw, blame others, attack the media and anti-electronic voting groups, and reluctantly fix the problem. Just in time for the next one to crop up. Do they have any competition in this market? I don't hear a lot about other companies creating voting machines -- either there aren't any or they do a lot better job.

How this bug was found

[DingerX]

Anyone else think this is sweet?

A Finnish computer expert working with Black Box Voting, a nonprofit organization critical of electronic voting, found the security hole in March after Emery County, Utah, was forced by state officials to accept Diebold touch screens, and a local elections official let the expert examine the machines.

That's right. We've seen this before.

Turns out Diebold has a strong interest in keeping their security systems proprietary.

O'Dell Resigned for that Reason

[eldavojohn]

I believe that O'Dell resigned.

As the article you quoted states:

The Aug. 14 letter from Walden O'Dell, chief executive of Diebold Inc. - who has become active in the re-election effort of President Bush - prompted Democrats this week to question the propriety of allowing O'Dell's company to calculate votes in the 2004 presidential election.

O'Dell attended a strategy pow-wow with wealthy Bush benefactors - known as Rangers and Pioneers - at the president's Crawford, Texas, ranch earlier this month. The next week, he penned invitations to a $1,000-a-plate fund-raiser to benefit the Ohio Republican Party's federal campaign fund - partially benefiting Bush - at his mansion in the Columbus suburb of Upper Arlington.

And as USA Today reported:

"The board of directors and Wally mutually agreed that his decision to resign at this time for personal reasons was in the best interest of all parties," said John Lauer, Diebold's non-executive chairman of the board.

The announcement was made after the stock market closed. Diebold stock fell nearly 2%, or 73 cents, to $37 in after-hours trading. The stock has traded between $33.10 and $57.81 in the past year.

why do we need electronic voting?

[phlegmofdiscontent]

What's so bad about the optical scanners and the ballots where you fill in a circle? I remember a study that showed they were the most secure, you have a paper trail, and any idiot can figure it out after 13 years of standardized testing. Electronic voting, on the other hand, smacks of boodoggle, fraud & overall shoddiness.

What I would like to know..!

[parasonic]

Why does Diebold design these machines in such a way that they *CAN* be hacked? I think that involving an Operating System and software in the design of such a machine is a critical error. As a computer engineer, I realize that overcomplicating things can lead to errors. DSP's can make hardware extremely cheap, but there are places where analog circuits are cheaper and more realiable! Why hasn't Diebold designed a hardwired electronic circuit or a mechanical system with failsafes such that the machine can't be hacked, and the wrong candidate will not be selected if the machine fails? There are so many places where their current design can and will go wrong. I believe that it's time for these loonies (or preferrably someone else who has more sense) to come up with a more rudimentary and failsafe design!

Re:What I would like to know..!

[TripMaster+Monkey]

Why does Diebold design these machines in such a way that they *CAN* be hacked?

Simple. Because that is their intention.

Acccuse me of left-wing moonbattery all you like, but the fact remains that Diebold has shown themselves to be capable of making reasonably secure ATM machines. There's no defense by incompetence available to them. These ridiculous security holes can only be intentional.

Re:What I would like to know..!

[geobeck]

These ridiculous security holes can only be intentional.

My greatest fear regarding American elections is that Diebold machines will be used for a national vote to repeal the 22nd amendment, then for the following presidential acclimation--I mean, election.

Americans, please, start a grassroots movement to outlaw the use of any electronic, and therefore hackable, voting machines. Look at Canada's election process. Sure, we have only 10% of your population, but we have substantially less than 10% of your election hassles. In Canada, paper ballots are counted manually by Elections Canada volunteers, witnessed at each vote counting station by representatives from all official parties.

And for the love of Mike, start some new political parties! You may turf out the Republicans in 2008, but your Democrats are no prize either!

Re:What I would like to know..!

[Detritus]

Acccuse me of left-wing moonbattery all you like, but the fact remains that Diebold has shown themselves to be capable of making reasonably secure ATM machines. There's no defense by incompetence available to them. These ridiculous security holes can only be intentional.

You underestimate the venality of American corporate management. Many of them would bottle toxic waste and sell it as a health tonic if they thought that there was an easy dollar to be made and that they could get away with it.

Re:What I would like to know..!

[Coryoth]

The problem in Canada is that, despite having a reasonable array of parties, you're still stuck with the archaic First Past the Post voting system which sees the two major parties (the Liberals and the Conservatives), and especially Bloc Quebecois, win far more seats in parliament than is realistic given the amount of support they have. Once you get a decent system like MMP, giving the smaller parties (and the NDP) like the Greens more representative political clout things will seriously improve.

Jedidiah.

Will the US wake up one day ?

[Yvanhoe]

How come no political party makes this a central campaign argument ?

No worries here

[imkonen]

Jeez...what's everyone so paranoid about? How could a hacker possibly get access to a voting machine for a minute or two with enough privacy to load malicious software? He'd need to find one that for some reason or another had a curtain around it and hope no one thinks it's suspicious that he'd be in there alone with the machine.

Re:Cue rimshot

[dave-tx]

Come on. Tell us something we didn't know.

OK. OLN has hired a man named Stanley Cup to promote the NHL playoffs this year.

It'll never work...

[Keichann]

It's pointless talking about securing something that's inherently a terrible idea. You can't have voting performed by something that is, for most people, magical.

A good way to be certain these machines are sending the correct votes is to have a paper trail. When a person votes, a transaction id and their vote are printed to a piece of card or something, which is then put in a ballot box.

To verify that no votes have been sent by the machine without interaction, a random set of votes is selected from the result the machine sent and these are checked against the paper votes. To check that all votes have been sent correctly, a random set of paper votes are checked against the records sent by the machine. If either of these doesn't correlate, the paper votes are always assumed to be correct.

Even if this were to happen, it would (probably) take almost as much effort as counting the votes by hand!

How long would it take...

[Analogy+Man]

Suppose DieBOLD's ATM machines had a backdoor key sequence that would enable me to get the whole stack of 20's. How long would it take them to slam that door shut?

Diebold's proprietary issues

[KarmaOverDogma]

A little searching here on /. and Google will remind people how these kinds of issues have come up with Diebold Touch Screen Voting Machines before. I have to wonder why they, in particluar, seem to have more problems than other voting maching manufacturers? (no sarcasm intended).

Most of the articles I have read, including this one, point to the fact that it can only be done by someone who knows how the system works and has the correct tools, lending some politicos (including Diebold reps) to say that they really aren't that vulnerable at all or that the problem is not serious. But stakeholders in elections results are precisely the people who could have someone in-the-know and with the correct tools manipulate the results just enough to tip the scales in one candidates favor or another. California realized this and dumped Diebold. Close elections happen all the time, so possible (even plausible) scenarios are not to hard to imagine. If a Diebold machine can be rerogrammed or altered for voting results, even the "verifiable paper trail" could be made to print out alternative results (for those who don't bother to look at the print-out window).

As an Ohio voter who has used one of these machines, I think I am going to have to vote absentee from now on, since a newly passed Ohio law permits me to do so far any reason at all (e.g. I dont want to vote on a vulnerable touch screen machine).

For me, this is one more poignient example of how proprietary voting technology leaves room for problems and the need for transparency with it by proper (preferably Federal) legislation.

Vote Stealing Song

[gorehog]

---sung to the tune of Woody Guthrie's Hard Travelling
D
Diebold's stealing elections, I thought you knowed.

Diebold's stealing elections
A7
on machines with closed source code.
D
We dont need no double dealing,
G
electronic vote stealing.
A7
Diebold's stealing elections,
D
Lord.

Diebold's stealing our votes, the right that makes us free.
Diebold's stealing our votes, oh cant you see.
How can they say I'm free if their machines can vote for me?
Diebold's stealing our votes, Lord.

Diebold's stealing our votes, I thoought you knowed.
They've been shredding the paper trail at the end of the road.
It doesn't matter who you choose, when you're sure you're gonna lose.
Diebold's stealing our votes, Lord.

I'm gonna vote with pen and paper I thought you knowed.
I'm gonna see it counted at the end of the road.
I'm gonna vote with pen and paper so I know that there's a record.
And I'm gonna go vote my conscience Lord.

A quick couple of notes (so to speak)...
The chords are right as far as I know. The words are mine, though they dont fit quite right in all the places. Either apply Tom Leherer's rule that "it doesnt even matter if you fit a few extra syllables into a line" or use the folk process to make it fit so you can sing it.

Also, I've got one line with no verse to put around it...

"Voting wont be so scary if the countings not binary"

The main thrust of this song is to educate and protest on the issue of electronic voting. I am a New York State resident and for those who dont know we are being sued by the feds to upgrade our nice mechanical voting machines to electronic voting. If we do not they are going to withhold federal money for the upkeep of our voting system. This is blackmail, the same kind of blackmail that was used to put the 55 mph speed limit in place.

Our voting machines have worked for a century with the same design. We trust them to do the job and know where the flaws and weak spots in the security are. We, as a group, when polled, do not show a desire to change the system at this point and our state voting commission and legeslative review boards have rejected electronic voting as an unsecure and immature technology. The peculiarities of how a state does it's voting is a state's right to decide, which is why different states have different rules about every aspect of the electoral process. Some states are proportional, some are by district. Some states use machines and others use punchcards. Election laws are made at the local level.

The lawsuit by the federal government smacks of blackmail and manipulation. Why is the federal gov trying to control the electoral process at the local level? What do they hope to gain?

Why not use bingo markers.

[Kadin2048]

I've questioned why we don't do something like this, and have the reading done by OCR.

To reduce errors you'd have to have a few rules: first, no corrections. If you fuck up, new ballot for you. (I'd prefer if you fuck up, no vote for you, but I'm guessing that won't fly.) Second, the marks have to be very distinct. That's why I'd use bingo blotters. They're like really huge magic markers that basically soak through the paper. Every old fart knows how to use one, and you could make them have to color in a fairly substantial area (like a square inch or larger) so that they can't just accidentally touch the blotter to the paper. Important elections (Presidential, Governor, etc.) go on rather largish sheets of paper, and each candidate gets a big area, with dead space in between the marking areas for each candidate equal to 5x the diameter of the marking area. So even if you're a real retard and don't color inside the lines, you've still got a lot of ways to go before you get over to the next candidate's box.

Also, there would be a test box. Just a blank box in the corner that you'd fill out, in order to make sure your marker was working and that you had the hang of things. Also, it gives the reader (human or machine) a comparison point to see what their actual marks will probably look like. (E.g. "Oh, this idiot only likes to circle the box, instead of filling it in; that's why the machine didn't read it.")

Perhaps most importantly, the indicative boxes that you mark are not placed symmetrically on the page. That is, they are placed so that they're not the same distance from the top as they are to the bottom, or from the left as on the right. This is important, since it means you can read the ballot electronically without having to orient them in one way or the other, just by measuring the distance from the mark to the edges of the sheet.

Then, use a dye in the blotters that's UV-reflective (or UV absorbent). That way they're very distinctive and easy to read through a scanning system. I'm pretty sure any pigment based marker/blotter would work here. These systems are already in existence -- the postal service uses them for automatically canceling stamps on letters (stamps are UV reflective). But the point is you can OCR them by just looking at the position on the page of the marks, you don't need punchcard-style index corners (although we'd have those too, for extra security).

I think the other thing that would help is if you gave the election officials more time between voting day and when they were expected to certify the results. Like two weeks, at a minimum. There's really no reason people should be rushing with this. Back the election up a little ways if need be, but the idea that the polls should close at 8pm and the results should be certified by 10pm is crap, and it can only lead to bad things happening ("oops! Look at this, we forgot a box of ballots! Oh, well, too late now!"). Elections are too important to rush through.

It's not pandering

[mariox19]

The more local the election boards, the less likely that a wide-spread, concerted, and coordinated effort to perpetrate voter fraud can occur. When the original post states that "government" is whom we should be protecting this from, I'm sure the meaning of government is closer to central government than local government. There is an important distinction -- and I don't think it's "anti-government Slashdot pandering" to say so.