Slashdot Mirror


Voting Machine Attacks Proven To Be Practical

An anonymous reader writes "Every time a bunch of academics show vulnerabilities in electronic voting machines, critics complain that the attacks aren't realistic, that attackers won't have access to source code, or design documents, or be able to manipulate the hardware, etc. So this time a bunch of computer scientists from UCSD, Michigan, and Princeton offered a rebuttal. They completely own the AVC Advantage using no access to source code or design documents (PDF), and deliver a complete working attack in a plug-in cartridge that could be used by anyone with a few private minutes with the machine. Moreover, they came up with some cool tricks to do this on a machine protected against traditional code injection attacks (the AVC processor will only execute instructions from ROM). The research was presented at this week's USENIX EVT."

40 of 225 comments

  1. If they own it, what's the problem? by A.+B3ttik · · Score: 4, Funny

    They completely own the AVC Advantage using no access to source code or design documents

    What do Source Code and Design Documents have to do with purchasing something?

    1. Re:If they own it, what's the problem? by Anonymous Coward · · Score: 5, Insightful

      The problem is our elections are supposed to be transparent by law.
      The problem is our elections are supposed to have public oversight.
      The problem is a private company can not provide public oversight.
      The problem is electronic vote tabulation devices use invisible signals which no human (especially a poll watcher) can see.
      The problem is China or North Korea could decide our elections and we wouldn't know.
      The problem is there is no electronic vote tabulation device (or electronic vote registration poll book device) which can be validated with public oversight.
      The problem is without public oversight, no election can be validated.
      The problem is if our elections can not be validated, we can not hold our representatives responsible.
      The problem is if our representatives can not be held responsible, they tend to ignore the rule of law.
      The problem is if our representatives ignore the rule of law, they tend to ignore protecting the US Constitution against all enemies.
      The problem is when the US Constitution is ignored, we no longer live in a Constitutional Republic.
      The problem is when we no longer live in a Constitutional Republic, we slip into fascism.
      The problem is we have slipped into fascism.
      The problem is ignorance is no longer an excuse for corruption.

    2. Re:If they own it, what's the problem? by amicusNYCL · · Score: 3, Funny

      Jeez, talk about going right over your head.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    3. Re:If they own it, what's the problem? by A.+B3ttik · · Score: 5, Funny

      That seems to have gone right over your head.

      The irony here is palpable.

    4. Re:If they own it, what's the problem? by Chris+Mattern · · Score: 4, Insightful

      And stop paying them, you shouldn't be in government for a salary.

      Bad, *bad*, BAD idea. If you can't be in government for a salary, then you're in it for the bribes. Not that paying a decent salary renders a politician immune to corruption, but at least he doesn't have to be on the take simply to put food on the table.

    5. Re:If they own it, whats the problem? by adolf · · Score: 2, Insightful

      *sigh*

      Troll, these days, is too common a moderation, and is often misused. It wasn't always that way around here.

      I, for one, like Obama. I like many of his policies, and dislike many others, but I sure like him better than the last guy, overall. That's my opinion, of course, but it's important that I be allowed to state it -- even though I'm quite certain that others disagree.

      Likewise, as an American, I support the right for anyone at all to call him a corrupt asshole, and be heard.

      Sometimes, I think the mods just need to take a deep breath, and mod "Interesting" instead of "Troll" or "Flamebait," even though some less-than-savory discourse might ensue, for it is this very discourse that keeps us, as a nation, united.

      But, hey, what do I know? I'm just a taxpayer. No no, that's not it -- I'm a consumer. Er, wait - that's not right either. Oh! I remember! I'm a citizen, and I own this place just like every other citizen! Even those citizens that I think are full of shit, or that I just disagree with by default -- they own this place, too!

      (I think my sig sums the rest of this up neatly.)

  2. Still not fair. by MartinSchou · · Score: 5, Funny

    What these "intellectuals" and "researchers" have to keep in mind, is that in reality, no one would ever dream of committing election fraud.

    We all live in a utopia, where everyone has equal say, no one would ever coerce others and there's a kitten on every lap. That's why there are no such things as secret ballots. In every voting booth there will be three heavily armed guards who will watch you vote to ensure that you won't be doing anything you shouldn't do.

    Have a cotton candy, drink your beer and turn on the TV. The shiny shiny is on again, you like that. You have always liked that.

    </sarcasm>

    1. Re:Still not fair. by InsaneProcessor · · Score: 5, Insightful

      I work in the computer industry and do not trust any electronic voting system. The more complex a system (any physical system) the more susceptible it is to attack. Give me good old paper ballots any day.

      --

      Atheism is a religion like not collecting stamps is a hobby.
    2. Re:Still not fair. by Runaway1956 · · Score: 3, Funny

      There's a kitten on every lap?

      That damned kitten clawed my balls, you insensitive clod!

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    3. Re:Still not fair. by Anonymous Coward · · Score: 2, Interesting

      The fact that we had one election "stolen" by the R's in 2004 (so say the D's), and the fact that we had the next election "stolen" by the D's in 2008 (so say the R's), should be proof, at least, that there is no ultimate ability to steal on either groups part - otherwise, once you have power, why ever let the other side win?

      It would also imply the following:

      If we have an illegitimate vote in 2004, then it is nonsensical for "them" to not have taken advantage of their power in 2006 and 2008. If that is true, then the belief that Diebold or some other group hacking the results is unfounded.

      BTW - "a few minutes of access" is a bit of a misnomer. It's one thing for James Bond to break into a secure area and do some pinpoint damage, but breaking in and influencing millions of machines across America is unrealistic. I have been a poll worker, and there are few opportunities to hack the machines as would be needed. The system I used did an electronic read of paper ballots. While this could have been hacked, it would be unlikely to stand up to the manual count we did at the end of the day to cross-tabulate against the electronic count. If I'm not mistaken, this already had the benefits of speed and tamper-prevention requested by an earlier poster.

    4. Re:Still not fair. by fuzzyfuzzyfungus · · Score: 3, Informative

      I make no claim, one way or the other, about the presence or absence of American electoral fraud; but your point doesn't really follow. Fraud isn't a binary condition (well, in the strictest sense it is; but in a practical sense it isn't). A perfect fraudster could dictate the outcome of every vote cast, without outcry. A wholly impotent fraudster could dictate the outcome of zero votes cast. Actual frauds are somewhere in the middle. If, say, you can manage a 5% nudge without drawing excessive attention, your party will win more than it deserves (probably substantially so, given the fairly low margins by which elections are often won); but a really bad electoral cycle would be beyond your power to change.

      The absence of perfect fraud does not indicate the absence of fraud.

  3. If we were meant to vote, we'd get candidates by David+Gerard · · Score: 4, Funny

    Americans today committed egregious acts of democracy to elect the next failed administration and the next failed Congress.

    In a fabulous upset, almost no-one could bring themselves to vote directly for either of the official candidates, instead opting for a write-in vote. Popular write-ins included "the black guy", "the old guy", "McCain from 2000" and "Tina Fey." The seventeen votes for "The Invisible Man" were tallied for Joe Biden. Several tons of Liquid Paper needed to be scraped off voting machines.

    The winning candidate turned out to be Noneof Theabove, 46, of Dogshit, Nebraska. Apart from the Presidency, Mr Theabove won 72% of Congressional seats and all Senate seats up for election this year.

    Mr Theabove's policies include drinking, shouting abuse at the television and inchoate existential despair. "He completely embodies the national mood," said Nate Silver of FiveThirtyEight.com, just before applying for a new job flipping burgers.

    A majority of US soldiers in Afghanistan stated the place was "just fine, really" and they were learning to speak Pashto rather than returning. Canada looked south and snickered, though not very much as they still had Stephen Harper to cope with. The Kingdom of Mexico stated its "regret" today that it has had to close its borders to American refugees.

    --
    http://rocknerd.co.uk
  4. Not a Bug by the_macman · · Score: 3, Funny

    deliver a complete working attack in a plug-in cartridge that could be used by anyone with a few private minutes with the machine.

    It's not a bug! It's a feature!

    1. Re:Not a Bug by Shakrai · · Score: 3, Informative

      The only problem with this is that you aren't going to get a few "private minutes" with the machine and that any competent election authority is going to seal the machine with tamper-evident seals.

      I've worked as an elections inspector (poll worker) in the state of New York for the last five years. Every aspect of the machine (both the old style lever machines and the new optical scanning machines) that could be tampered with is sealed with numbered tamper evident devices. If the numbers on the seals don't match up with the records retained by the Board of Elections then you know the machine has been tampered with. This isn't rocket science people.

      Our new machines go even further than that. They both retain the actual ballots themselves in a locked ballot box and retain a scanned image of those ballots on a memory card. The memory card is removed from the machine at the end of the election and hand delivered to the Board of Elections. It is designed to serve as a backup in the event that the machine is destroyed (i.e., building burns down) and the ballots are lost. The ballots themselves are only scanned by the machine and not marked in any way. In the event of an issue with the machine there is nothing stopping you from counting each ballot by hand with the Mark I human eyeball.

      If you can find a way to rig an election in the State of New York then I'd be real interested in knowing about it. I've worked behind the scenes here for a long time and I haven't seen any vulnerabilities in the system. The only voting technology that I'd be concerned about is DRE (direct electronic record) -- but thankfully my state wasn't stupid enough to go that route.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    2. Re:Not a Bug by Anonymous Coward · · Score: 5, Informative

      From TFA:

      "The attacker does not need to remove any tamper-evident seals; in particular, he does not need to remove the circuit-board cover."

      (CAPTCHA: counted)

    3. Re:Not a Bug by HTH+NE1 · · Score: 5, Insightful

      The only problem with this is that you aren't going to get a few "private minutes" with the machine

      Surely that depends on the standards of voting privacy in your district, like whether you get a three-sided screen block or a complete booth with ceiling-to-floor curtains.

      And an election can be thwarted by leaving evidence of tampering in a district you want to disenfranchise.

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    4. Re:Not a Bug by Shakrai · · Score: 3, Interesting

      It makes me wonder what you're hiding.

      I have no incentive to hide anything as I'm not an employee of the Elections Board nor an office holder with a stake in the system. I became a poll worker because of the controversy surrounding this issue. I wanted to see for myself how the system worked. I came to it as a skeptic and after learning the procedures and seeing them in action have been convinced that the system is as secure as it can be expected to be.

      How often has that happened in the history of American elections?

      That is exactly the kind of dramatic detail that puts my fraud-detector on alert. "Look, it's so secure that it's even secure against problems you don't have!" Typical distraction.

      So now you are complaining that the system is protected against disasters just because they rarely happen? Would you be happier with a system that left less of a paper trail?

      As it happens, if you google "ballots lost in fire" you get a bunch of hits on the first page about fraud and failure related to electronic voting machines.

      As I said, my experience is limited to the State of New York. In NYS we don't use direct electronic recording machines. You fill out a paper ballot that is then tabulated by an optical scanner. In the event of a disputed election the paper ballot is still around and any idiot can count it with the Mark I human eyeball.

      The only part of our voting process that is "electronic" is the so-called "ballot marking device" that handicapped voters use. This is a machine that prints a paper ballot for those voters who are unable to write and have to rely on another interface (audio, sip and puff, foot pedals, etc.) The printed paper ballot is in the same format as the one that you would fill out as a non-handicapped voter and can be read by any human being.

      Given the complete lack of transparency at all levels of any electronic voting system I am extremely suspicious of all of them

      Evidently that's not all you are suspicious of, since you seem to think that I'm trying to hide something :)

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    5. Re:Not a Bug by Shakrai · · Score: 2, Informative

      Surely that depends on the standards of voting privacy in your district, like whether you get a three-sided screen block or a complete booth with ceiling-to-floor curtains.

      The voting booth is separate from the machine. The "voting booth" itself is nothing more than a plastic stand with a privacy screen and a supply of felt-tipped markers. The machine itself is in plain view of the election inspectors and everybody else who happens to be in the polling place. Trust me, you aren't going to be able to tamper with it without being caught during the election. After the election is another matter but that's why they have the backup memory card and myriad of seals on the machine.

      And an election can be thwarted by leaving evidence of tampering in a district you want to disenfranchise.

      If tampering is evident then the voting machine is going to receive closer scrutiny. The votes aren't automatically going to be discarded. If the "tampering" consists of removing the seals around the memory interface but not the ballot box and the number of ballots therein equals the number of signatures in the poll book then they are simply going to hand count the ballots (or scan them in a different machine). If the tampering consists of removing the seals around the ballot box then they will fall back on the aforementioned memory card that was removed after the election and returned to the Elections Board.

      It's really not as easy to rig an election as people around here seem to think it is. I would encourage everybody who cares about this issue to volunteer to be a poll worker. The Election Boards are always looking for help and you'll get a chance to see the system from the inside. All it's going to cost you is a vacation day or two and some time. In some states you even get paid for doing it.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    6. Re:Not a Bug by Chris+Mattern · · Score: 2, Informative

      The "voting booth" itself is nothing more than a plastic stand with a privacy screen and a supply of felt-tipped markers.

      Or, in a lot of cases (including my own state, incidentally), an enclosed booth where you are alone with a touch-screen terminal directly connected to the voting machine. Because felt-tipped markers are, y'know, *old-fashioned*.

    7. Re:Not a Bug by aschran · · Score: 2, Interesting

      If you think it's impossible to get a few private minutes with one of these voting machines you are crazy. I am not sure how you have been an election worker and still managed to come to that conclusion. In fact, you can easily get a few private HOURS with them. Ed Felten (one of the writers of this paper) annually takes photos of himself with unattended voting machines the night before Election Day.

      http://www.freedom-to-tinker.com/blog/felten/unattended-voting-machines-usual

    8. Re:Not a Bug by jbudofsky · · Score: 2, Interesting

      The only problem with this is that you aren't going to get a few "private minutes" with the machine

      I am a student at Princeton and last term I took Ed Felten's class on Security. (Ed Felten being one of the authors). This was one of the issues which he talked about. I can't speak for the State of New York, but in New Jersey the voting machines are often stored at the voting sites overnight. These voting sites are more often than not, unsecured places such as Churches or Schools. Prof. Felten, on the night before an election, went to all of the election sites. A disturbing number of electronic voting machines were stored in hallways or behind unlocked doors. He has an entire slide show of pictures which he took of these machines the night before an election. Had he any malicious intentions, he could have easily tampered with the machines. I'm sure that most of the election officials are very trustworthy. It is not them who concerns me. It is the fact that anyone can simply walk into a church basement and have access to all of the voting machines for that district.

  5. Things like this will never change by Bandman · · Score: 5, Insightful

    Electronic bits do not have the quality of being static. Electronic votes can be changed without obvious physical evidence, and as long as they're purely electronic, it will always be like that.

    Even an optical disk is more static than electronic bits that live in a database.

    People need to demand paper ballots until electronic voting machines are all enhanced with built-in paper trails.

    1. Re:Things like this will never change by omnichad · · Score: 3, Insightful

      The printout should be made BEFORE you confirm the vote for the final time on-screen. You need to be able to confirm that the paper actually shows your correct vote.

    2. Re:Things like this will never change by Sandbags · · Score: 3, Interesting

      Yup. That's a good start.

      I'd also love to see some kind of basic voter assessment to substantiate the vote as well. We all have a right to vote, but if your vote is based on fallacy or a complete lack of knowledge, you should not be allowed to register that vote.

      My grandfather is a prime example of this. He's voted Republican his entire life, nearly 70 years of going to the polls. I pointed out to him just before Obama's election that he couldn't, other than Right to Life and anti gun restriction, name a single Republican platform stance. Then I further asked him what his personal beliefs were on the top 25 debated items between the 2 parties. Of the 25 things, he chose the side the DEMOCRATS voiced support for. He didn't believe me, so I showed him the Republican national website, and ran down the list (which took a while, it's not well organized). He voted straight Democratic ticket. You see, the current Democratic platform is actually closer to what the Republicans had for a platform 50-60 years ago. He started voting Republican as a youth and then always did, not paying ANY attention to the actual politics at stake. He figured about half his retired friends were doing the same thing...

      If you can't name the candidate you're voting for, and at least 1 major platform stance on any 1 issue that candidate supports out of that candidate's top 10 supported initiatives, you are not informed enough to affect MY future by registering your invalid votes. If you want to vote straight ticket, that's fine, name 3 platform stances of your party instead. If you can do that, you can vote, if not, either stay home, or only vote for the candidates you know something about. If uninformed people continue to vote, we'll need to bring voter certification back into play... (yes, I know it was used to discriminate in the past, but it would be VERY easy to ensure that did not happen in the future).

      --
      There is no contest in life for which the unprepared have the advantage.
  6. Prediction: by chickenrob · · Score: 2, Funny

    The nations new electronic voting system helps Obama secure a landslide victory on his historic third term.

    --
    People say my sig is the best thing about me.
  7. Old News by megamerican · · Score: 4, Informative

    Or people can listen to a whistleblower who programmed voting machines that easily allowed fraud without a trace.

    --
    If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place -Eric Schmidt
    1. Re:Old News by aztracker1 · · Score: 3, Insightful

      LOL, not to mention the fact that paying off a developer would probably be safer, and cheaper, than a team of people to root a bunch of voting machines, when you can nab all of them. ;)

      --
      Michael J. Ryan - tracker1.info
  8. .PDF text by guido1 · · Score: 3, Informative

    Copy/paste, some formatting, no tables. Extra carriage returns (sorry)... "Implementing the gadgets" section stripped off...

    Abstract
    A secure voting machine design must withstand new attacks devised throughout its multi-decade service lifetime. In this paper, we give a case study of the long-term security of a voting machine, the Sequoia AVC Advantage, whose design dates back to the early 80s. The AVC Advantage was designed with promising security features: its software is stored entirely in read-only memory and the hardware refuses to execute instructions fetched from RAM. Nevertheless, we demonstrate that an attacker can induce the AVC Advantage to misbehave in arbitrary ways--including changing the outcome of an election--by means of a memory cartridge containing a specially-formatted payload. Our attack makes essential use of a recently-invented exploitation technique called return-oriented programming, adapted here to the Z80 processor. In return-oriented programming, short snippets of benign code already present in the system are combined to yield malicious behavior. Our results demonstrate the relevance of recent ideas from systems security to voting machine research, and vice versa. We had no access either to source code or documentation beyond that available on Sequoia's web site. We have created a complete vote-stealing demonstration exploit and verified that it works correctly on the actual hardware.

    1 Introduction
    A secure voting machine design must withstand not only the attacks known when it is created but also those invented through the design's service lifetime. Because the development, certification, and procurement cycle for voting machines is unusually slow, the service lifetime can be twenty or thirty years. It is unrealistic to hope that any design, however good, will remain secure for so long.1

    In this paper, we give a case study of the long-term security of a voting machine, the Sequoia AVC Advantage. The hardware design of the AVC Advantage dates back to the early 80s; recent variants, whose hardware differs mainly in featuring a daughterboard enabling audio voting for the blind [3], are still used in New Jersey, Louisiana, and elsewhere. We study the 5.00D version (which does not include the daughterboard) in machines decommissioned by Buncombe County, North Carolina, and purchased by Andrew Appel through a government auction site [2].

    (Figure caption: The AVC Advantage voting machine we studied.)

    The AVC Advantage appears, in some respects, to offer better security features than many of the other direct-recording electronic (DRE) voting machines that have been studied in recent years. The hardware and software were custom-designed and are specialized for use in a DRE. The entire machine firmware (for version 5.00D) fits on three 64kB EPROMs. The interface to voters lacks the touchscreen and memory card reader common in more recent designs. The software appears to contain fewer memory errors, such as buffer overflows, than some competing systems. Most interestingly, the AVC Advantage motherboard contains circuitry disallowing instruction fetches from RAM, making the AVC Advantage a true Harvard-architecture machine.2

    Nevertheless, we demonstrate that the AVC Advantage can be induced to undertake arbitrary, attacker-chosen behavior by means of a memory cartridge containing a specially-formatted payload. An attacker who has access to the machine the night before an election can use our techniques to affect the outcome of an election by replacing the election program with another whose visible behavior is nearly indistinguishable from the legitimate program but that adds, removes, or changes votes as the attacker wishes. Unlike those attacks described in the (contemporaneous, independent) study by Appel et al. [3, 4] that allow arbitrary computation to be induced, our attack

    1. Re:.PDF text by Anonymous Coward · · Score: 4, Informative

      Here it is without the IDIOTIC carriage returns. Yes, you are an IDIOT, guido-cock.

      Abstract
      A secure voting machine design must withstand new attacks devised throughout its multi-decade service lifetime. In this paper, we give a case study of the long-term security of a voting machine, the Sequoia AVC Advantage, whose design dates back to the early 80s. The AVC Advantage was designed with promising security features: its software is stored entirely in read-only memory and the hardware refuses to execute instructions fetched from RAM. Nevertheless, we demonstrate that an attacker can induce the AVC Advantage to misbehave in arbitrary ways--including changing the outcome of an election--by means of a memory cartridge containing a specially-formatted payload. Our attack makes essential use of a recently-invented exploitation technique called return-oriented programming, adapted here to the Z80 processor. In return-oriented programming, short snippets of benign code already present in the system are combined to yield malicious behavior. Our results demonstrate the relevance of recent ideas from systems security to voting machine research, and vice versa. We had no access either to source code or documentation beyond that available on Sequoia's web site. We have created a complete vote-stealing demonstration exploit and verified that it works correctly on the actual hardware.

      1 Introduction
      A secure voting machine design must withstand not only the attacks known when it is created but also those invented through the design's service lifetime. Because the development, certification, and procurement cycle for voting machines is unusually slow, the service lifetime can be twenty or thirty years. It is unrealistic to hope that any design, however good, will remain secure for so long.1

      In this paper, we give a case study of the long-term security of a voting machine, the Sequoia AVC Advantage. The hardware design of the AVC Advantage dates back to the early 80s; recent variants, whose hardware differs mainly in featuring a daughterboard enabling audio voting for the blind [3], are still used in New Jersey, Louisiana, and elsewhere. We study the 5.00D version (which does not include the daughterboard) in machines decommissioned by Buncombe County, North Carolina, and purchased by Andrew Appel through a government auction site [2].

      (Figure caption: The AVC Advantage voting machine we studied.)

      The AVC Advantage appears, in some respects, to offer better security features than many of the other direct-recording electronic (DRE) voting machines that have been studied in recent years. The hardware and software were custom-designed and are specialized for use in a DRE. The entire machine firmware (for version 5.00D) fits on three 64kB EPROMs. The interface to voters lacks the touchscreen and memory card reader common in more recent designs. The software appears to contain fewer memory errors, such as buffer overflows, than some competing systems. Most interestingly, the AVC Advantage motherboard contains circuitry disallowing instruction fetches from RAM, making the AVC Advantage a true Harvard-architecture machine.2

      Nevertheless, we demonstrate that the AVC Advantage can be induced to undertake arbitrary, attacker-chosen behavior by means of a memory cartridge containing a specially-formatted payload. An attacker who has access to the machine the night before an election can use our techniques to affect the outcome of an election by replacing the election program with another whose visible behavior is nearly indistinguishable from the legitimate program but that adds, removes, or changes votes as the attacker wishes. Unlike those attacks described in the (contemporaneous, independent) study by Appel et al. [3, 4] that allow arbitrary computation to be induced, our attack does not require replacing the system ROMs or processor and does not rely on the presence of the daughterboard added in later revisions. Our attack makes essential use of return-oriented programming

  9. Questions for the savvy reader by hessian · · Score: 3, Insightful

    1. What form of electronic voting could not be compromised?
    2. What form of paper voting could not be compromised?

    It may be that we must accept that no form of voting is "secure" in the sense of cannot be gamed.

    At least, people have been gaming votes for as long as democracy has existed, so I don't know if they're going to stop just because we make it slightly less convenient.

  10. Why doesn't Public Key crypto figure in to this? by Abalamahalamatandra · · Score: 4, Interesting

    Here's what I'm trying to understand.

    We have this great thing called Public Key Crypto and the PKI to go along with it.

    If you presume a custom processor that will only execute code signed by an election commission, that would be a first step - the system won't run anything that hasn't been specifically approved for installation on the machine. There would be no more "last minute fixes" as we've seen in the past, where code was installed without being vetted by an election authority.

    For that matter, require the software developers to store their code on a state or federal election repository, and only sign code that's been compiled on those systems, from that repository. Require that anyone who makes changes sign them with their private key and state the reason for the change.

    For the results, take each ballot, strip off the identifying information, and encrypt it to the election commission, and sign it with a pre-deployed per-machine private key that's known. It would of course also be important to have a reliable time source for the device, to include that in the result file.

    I would even envision that this would be a good purpose for a federal election agency - hosting the code for all certified voting systems, and being the "root of trust" that signs certificates for the state election commissions, which can then sign local and county commissions, which can then issue keys to individual election machines.

    Some patches to an open-source OS, say Linux, a PKI infrastructure (along with some HSM modules to store keys) and a processor with an integrated crypto engine and TPM module would take care of all of this.

    Banks do this kind of stuff all the time - what's so hard about it?
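The scheme sketched in this comment (a pinned root of trust, a chain of keys down to each machine, firmware that only runs if signed by a commission, results signed per machine with a timestamp) is straightforward to write down, and writing it down exposes the checks that are easy to forget. The block below is an added example for this page, not code from the commenter or from any voting-system vendor: it uses Ed25519 from Go's standard library, a hand-rolled certificate structure in place of X.509, made-up names and roles, and leaves out the "encrypt to the commission" step, which needs a key-agreement scheme beyond this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// cert binds a name and a role to a public key and carries the issuer's
// signature over those fields. It is a minimal stand-in for an X.509
// certificate (an assumption of this example; a real deployment would use
// X.509 and keep the root key in an HSM).
type cert struct {
	Name string
	Role string // "commission": may sign firmware; "county": issues machine certs; "machine": signs results
	Pub  ed25519.PublicKey
	Sig  []byte
}

// tbs is the to-be-signed encoding of the certificate fields.
func (c cert) tbs() []byte { return append([]byte(c.Name+"|"+c.Role+"|"), c.Pub...) }

func issue(issuer ed25519.PrivateKey, name, role string, pub ed25519.PublicKey) cert {
	c := cert{Name: name, Role: role, Pub: pub}
	c.Sig = ed25519.Sign(issuer, c.tbs())
	return c
}

// verifyChain checks that chain[0] is signed by the pinned root key and every
// later cert by the one before it, and returns the leaf.
func verifyChain(root ed25519.PublicKey, chain []cert) (cert, error) {
	if len(chain) == 0 {
		return cert{}, errors.New("empty certificate chain")
	}
	signer := root
	for _, c := range chain {
		if !ed25519.Verify(signer, c.tbs(), c.Sig) {
			return cert{}, fmt.Errorf("bad signature on certificate %q", c.Name)
		}
		signer = c.Pub
	}
	return chain[len(chain)-1], nil
}

// loadFirmware is the check a signed-boot machine performs before executing
// an image: chain to the pinned root, leaf authorised to sign firmware, and a
// signature over exactly the bytes about to run.
func loadFirmware(root ed25519.PublicKey, chain []cert, image, sig []byte) error {
	leaf, err := verifyChain(root, chain)
	if err != nil {
		return err
	}
	if leaf.Role != "commission" {
		return fmt.Errorf("%q (%s) is not authorised to sign firmware", leaf.Name, leaf.Role)
	}
	if !ed25519.Verify(leaf.Pub, image, sig) {
		return errors.New("firmware signature does not match image")
	}
	return nil
}

// result is what a machine emits when the polls close. Machine name, close
// time and tallies are all covered by the machine key's signature.
type result struct {
	Machine string
	Closed  time.Time
	Tallies string // e.g. "A=312;B=288"
}

func (r result) bytes() []byte {
	return []byte(r.Machine + "|" + r.Closed.UTC().Format(time.RFC3339) + "|" + r.Tallies)
}

// verifyResult is the tabulator-side check: valid chain, a machine-role leaf
// whose name matches the record, and a signature over the whole record.
func verifyResult(root ed25519.PublicKey, chain []cert, r result, sig []byte) error {
	leaf, err := verifyChain(root, chain)
	if err != nil {
		return err
	}
	if leaf.Role != "machine" || leaf.Name != r.Machine {
		return fmt.Errorf("result for %q signed by %q (%s)", r.Machine, leaf.Name, leaf.Role)
	}
	if !ed25519.Verify(leaf.Pub, r.bytes(), sig) {
		return errors.New("result signature does not match record")
	}
	return nil
}

// pki holds the federal root (pinned in machine ROM) and the state, county
// and machine keys issued beneath it. All names are made up for the example.
type pki struct {
	root                   ed25519.PublicKey
	stateKey, machineKey   ed25519.PrivateKey
	state, county, machine cert
}

func newPKI() pki {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	statePub, stateKey, _ := ed25519.GenerateKey(rand.Reader)
	countyPub, countyKey, _ := ed25519.GenerateKey(rand.Reader)
	machPub, machKey, _ := ed25519.GenerateKey(rand.Reader)
	p := pki{root: rootPub, stateKey: stateKey, machineKey: machKey}
	p.state = issue(rootKey, "state-commission", "commission", statePub)
	p.county = issue(stateKey, "county-board", "county", countyPub)
	p.machine = issue(countyKey, "machine-0042", "machine", machPub)
	return p
}

func main() {
	p := newPKI()
	full := []cert{p.state, p.county, p.machine}
	image := []byte("firmware image 5.00D")
	fmt.Println("signed by state:  ", loadFirmware(p.root, []cert{p.state}, image, ed25519.Sign(p.stateKey, image)))
	fmt.Println("signed by machine:", loadFirmware(p.root, full, image, ed25519.Sign(p.machineKey, image)))
	r := result{Machine: "machine-0042", Closed: time.Now(), Tallies: "A=312;B=288"}
	sig := ed25519.Sign(p.machineKey, r.bytes())
	r.Tallies = "A=412;B=188"
	fmt.Println("altered tallies:  ", verifyResult(p.root, full, r, sig))
}
```

Two details carry most of the security value and are where real deployments go wrong: the role is inside the signed certificate fields, so a machine key cannot be promoted to a firmware signer without the issuer's cooperation, and the result signature covers the machine name and close time along with the tallies, so a record cannot be re-attributed or replayed from an earlier election without detection.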

  11. Still misses an important point by lseltzer · · Score: 3, Insightful

    Give me a few private minutes with a paper ballot box and I can stuff it full of ballots for my candidate. That's an old-school hack.

    1. Re:Still misses an important point by fgouget · · Score: 2, Interesting

      It's not like you can hack 1 million votes into one computer and escape undetected.

      You don't have to make one voting computer return 1 million votes for your candidate. All you have to do is hack the election software used in 30% of the polling places to give a 5% lead to your candidate. That will give you well over the 1 million votes you want (in the US) and leave no physical proof.

      The only way to detect such fraud would be through statistical analysis, trying to correlate results with voting computer model while eliminating the noise caused by the comparatively huge variations from county to county. But even if you get somewhere you would most likely be ignored just like the exit poll discrepancies in 2000.
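The detection problem described in this comment, comparing results by machine model while county-to-county variation swamps the signal, is a standard stratification exercise, and a small worked case shows both the problem and the fix. The following is an added example for this page, not from the commenter: the precinct figures are constructed, every precinct is treated as equal-sized, and the manipulation is modelled as a flat shift in candidate A's vote share on the suspect model.

```go
package main

import "fmt"

// precinct is one polling place's reported result: its county, the model of
// voting machine it used, and candidate A's reported vote share.
// All figures in this file are constructed for the example.
type precinct struct {
	County string
	Model  string
	ShareA float64
}

// honest is the true result. County lean varies far more (0.35 to 0.60) than
// precincts within a county do, and the suspect model X is concentrated in
// the B-leaning county, which is what makes a naive comparison misleading.
var honest = []precinct{
	{"C1", "X", 0.61}, {"C1", "Y", 0.60}, {"C1", "Y", 0.59}, {"C1", "Y", 0.62},
	{"C2", "X", 0.46}, {"C2", "X", 0.44}, {"C2", "Y", 0.45}, {"C2", "Y", 0.46},
	{"C3", "X", 0.34}, {"C3", "X", 0.36}, {"C3", "X", 0.35}, {"C3", "Y", 0.36},
}

// rig returns a copy in which every precinct running the given model has its
// A share moved by shift: the software-level manipulation the comment describes.
func rig(ps []precinct, model string, shift float64) []precinct {
	out := append([]precinct(nil), ps...)
	for i := range out {
		if out[i].Model == model {
			out[i].ShareA += shift
		}
	}
	return out
}

func mean(xs []float64) float64 {
	sum := 0.0
	for _, x := range xs {
		sum += x
	}
	return sum / float64(len(xs))
}

// statewide is the overall A share, treating precincts as equal-sized.
func statewide(ps []precinct) float64 {
	var xs []float64
	for _, p := range ps {
		xs = append(xs, p.ShareA)
	}
	return mean(xs)
}

// rawGap compares model-X precincts with all others across the whole state.
// County lean is confounded with where model X was deployed, so this can
// point the wrong way even when the manipulation is present.
func rawGap(ps []precinct, model string) float64 {
	var x, other []float64
	for _, p := range ps {
		if p.Model == model {
			x = append(x, p.ShareA)
		} else {
			other = append(other, p.ShareA)
		}
	}
	return mean(x) - mean(other)
}

// withinCountyGap makes the same comparison inside each county and averages
// the per-county differences, which removes the county-level variation.
// Counties that lack either model contribute nothing.
func withinCountyGap(ps []precinct, model string) float64 {
	byCounty := map[string][2][]float64{}
	for _, p := range ps {
		pair := byCounty[p.County]
		if p.Model == model {
			pair[0] = append(pair[0], p.ShareA)
		} else {
			pair[1] = append(pair[1], p.ShareA)
		}
		byCounty[p.County] = pair
	}
	var gaps []float64
	for _, pair := range byCounty {
		if len(pair[0]) > 0 && len(pair[1]) > 0 {
			gaps = append(gaps, mean(pair[0])-mean(pair[1]))
		}
	}
	return mean(gaps)
}

func main() {
	rigged := rig(honest, "X", 0.05)
	fmt.Printf("statewide A share: honest %.3f  rigged %.3f\n", statewide(honest), statewide(rigged))
	fmt.Printf("raw X-vs-rest gap: honest %+.3f  rigged %+.3f\n", rawGap(honest, "X"), rawGap(rigged, "X"))
	fmt.Printf("within-county gap: honest %+.3f  rigged %+.3f\n", withinCountyGap(honest, "X"), withinCountyGap(rigged, "X"))
}
```

On this data the raw comparison still shows model X precincts below the others after the manipulation, because model X sits mostly in the B-leaning county; the within-county comparison moves from roughly zero to almost exactly the injected 0.05. The same stratification works with any covariate that tracks machine deployment, and it is only as good as the assumption that honest precincts on different models in the same county behave alike, which is the part an investigator has to defend.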

  12. Return-oriented device Pwning? by ehack · · Score: 2, Informative

    Looks like return-oriented programming is a nice way to own various pieces of locked down hardware, eg. region-coded DVD drives, carrier-locked phones etc.

    --
    This is not a signature.
  13. Re: You're too generous by colinnwn · · Score: 3, Interesting

    I worked as an Elections Clerk. I was the person who hired the Elections Judges (poll workers) and was phone triage on elections day when they didn't know what to do with a voter.

    First, 99.99% of the EJs are good people, but there are also bad seeds. You must guard against the EJ's as much as the voter. We had an EJ voting every day of early voting, until the Alternate Judge discovered what he was doing and reported him to us. We reported him to the County Commissioners and County Prosecutor who declined to prosecute the person for whatever (probably politically motivated) reason.

    With paper ballots, the fraud would be easier to spot statistically. But any EJ that could figure out how to upload a virus to their voting machine, and get it onto the tabulating machine, could possibly edit results in a way that would make it very hard to discover.

    Second, an attacker could possibly find a way to defeat a tamper seal, or could break into the storage facility of the voting machines before election day, or I am sure there are a multitude of other attacks where someone could have a short time of unsupervised access to the voting machine that wouldn't be detected by tamper proof seals.

  14. The problem is there is no paper trail by davidwr · · Score: 2, Insightful

    Best quote from the paper:

    The absence of a paper audit trail means that the vote modification will not be detected.

    ... much less corrected.

    You can have a very hackable machine with an immutable, hand-countable, voter-verified paper trail (i.e. printed ballots) and you'll be okay*, assuming multiple mutually-hostile parties are keeping an eye on the paper trail.

    You can have a very difficult to compromise machine without a paper trail and you'll never know with certainty your results are accurate.

    *There may be difficulties where a machine is needed to provide voter-verification, such as when reading back a filled-in printed ballot to a blind person. In most elections, the numbers of such ballots are less than the margin of victory. However, in some, such as the Florida Presidential race of 2000 or the Minnesota Senate race of 2008, this may not be the case. A way to handle this is for the read-back machine to be made, installed, and supervised independently of any machine that helps cast votes/print filled-in ballots.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  15. Here's an electronic system I can trust by davidwr · · Score: 2, Informative

    Here's a system I can trust:

    User uses a machine to prepare a printed ballot. In addition to printing the ballot the machine records a running tally. Of course, both are subject to fraud.

    The user inspects the printed ballot. If the printed ballot is bogus it is invalidated and the user votes again. If the user is blind he has a trusted friend or a machine read the ballot back to him. If he uses a machine, it will be a machine developed independently from the ballot-printing machine. There is an opportunity for fraud by the friend or the ballot-readback machine but the odds of a successful collusion with the ballot-preparing machine are greatly reduced.

    The user deposits the printed ballot in a ballot box just as he would a hand-filled-in ballot. In fact, some voters may choose to use a hand-filled-in ballot, although those voting in languages other than English or heavy-minority languages may be forced to use the ballot-marking machine, as might those who cannot see and who do not have someone with them.

    The numbers collected by the ballot-preparation machine are unofficial and incomplete. They may have utility for spotting statistical anomalies in the official result, which of course would generate a recount.

    The printed ballots are then counted, either locally or at a central location, by two machines, each developed independently and used by different teams of counters. If the results vary by enough to sway any race, a third count, probably by hand, will be done.

    There, that's a system that
    * I can trust, provided I can trust the people conducting the election**
    * A system that has machine voting, or should I say, machine-assisted voting

    **yeah yeah I know, "trust the people conducting the election" is probably impossible, but I can dream, can't I?

    --
    Advantages of such a system over manual-fill-in bubble-sheets:
    * Arbitrary numbers of languages can be supported easily without wasting paper
    * Arbitrary number of different elections can be held at the same location without wasting paper

    Disadvantages:
    * Cost
    * Complexity
    * Requires more poll watchers

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  16. Hasn't worked all the time by zogger · · Score: 5, Insightful

    Here's a several trillion bucks and counting glaring example about how most reps and senators give not crap one what their constituents want: Public opposition including phone calls, faxes, emails, snail mails and buttonholing was running well over 90% against the casino bankers bailouts. Yet it passed, both under the shrub admin and continues today under the yomama admin. People just wanted normal bankruptcy to occur, let the real free markets sort out those ludicrous collateralized debt obligations and hedged derivatives bets and all those other pseudo financial "products" and other forms of mass leechery from the real working folks. People said in huge numbers "No, we don't need to offer millionaires and billionaires welfare when they bet wrong, they should eat their own megacapitalist dogfood..we'll deal with whatever happens, but don't subsidise those people". But nope, the US public got put on the hook to bail them out.

    GM and Chrysler, again, decades of getting it wrong in the auto industry, all the chance in the world for management, unions and investors to get it right..nope, they kept screwing up. People really didn't want to bail them out, again in huge numbers, just let them go bankrupt like normal, but, the quasi bailout happened anyway, and now we have some precedent that the executive branch can just seize corporations and run them. Seems like we fought a big fat war over that economic and governmental "blend" two generations ago, we were against that back then, and actually hung some of the high level proponents after that war. Now, it is *policy*, despite most folks being against it.

    Look at the dumb wars..I sincerely doubt there is even close to a majority opinion anymore to continue these wars....but they still go on.

    The bottom line is "government" doesn't give a rat's ass what "the people" want, they just go ahead and do whatever they want to do, or what they have been bribed and blackmailed into doing.. I can't give you an exact date when it happened, but voting and "representative democracy" has been broken on many levels for a long, long time now.

    Now I still vote, inertia mostly and all, but I think it stopped having much meaning at the larger scales. Local elections I think your vote can make a little difference, at state and above levels though, you have your choice of the globalist screw the middle class party that subsidizes a.b and c over there at your expense, or the globalist screw the middle class party, who subsidizes x,y and z over thataway, again at your expense.

    I *wish* it was different, really, I sincerely do, but not seeing it. Until such a time as the two corrupt major parties are abandoned or outlawed for major racketeering, just not seeing things getting any better. Just way too corrupt, for way too long now, it is just "business as usual", and neither party has any incentive to eliminate themselves or the other party, because they are equally corrupt, so they just are never going to go there.

    My big hope, really..I hope the USA does a USSR and just dissolves as a bad idea, past prime, with no bloody revolutions. I want some real honest choice. If a regional bloc or state wants joe government to run all aspects of their lives, cradle to grave, and stay taxed at 90% with a herd of commissars overseeing them all the time...swell, let them try that, see how it works. If another wants just about no government at all, private everything, no rules except ferengi "profit at all costs!", fine, let them try that and see what happens.

    Somewhere, some state or group of previous states will go "gee..ya know..the original Constitution and bill of rights actually seems well thought out..wonder what will happen if we really, REALLY follow those guidelines and not just lie about it all the time??". THAT place I *will* move to, even if I have to fight every step of the way there.

    1. Re:Hasn't worked all the time by Some+Bitch · · Score: 2, Insightful

      Government should never do what the people want, individuals may be smart but "the people" are dumb as dogshit. The government's job is to do what they believe is right no matter what "the people" think. If they screw up they get voted out, if they're right they get another spin of the wheel.

  17. Re: You're too generous by Shakrai · · Score: 2, Interesting

    First, 99.99% of the EJs are good people, but there are also bad seeds. You must guard against the EJ's as much as the voter.

    Indeed you must. In my state there are four of us, representing at least two different political parties. It seems unlikely to me that you could get four randomly assigned people from different political parties to all agree to rig an election.

    We had an EJ voting every day of early voting, until the Alternate Judge discovered what he was doing and reported him to us.

    Sounds like the system worked if he got caught. My only question would be why did it take so long? Our machines have always kept a running count of the votes cast that day that must match up with the number of people we've signed in. There are two different people who handle the signing in process (one who handles the poll book and the other who keeps a running handwritten list of the people who have voted thus far) so it wouldn't be easy to do a fake sign in to keep the numbers matching. If you tried this at my polling place I would know about it pretty quickly as I always make a point of checking the running total throughout the day.

    We reported him to the County Commissioners and County Prosecutor who declined to prosecute the person for whatever (probably politically motivated) reason.

    Well, that's bullshit right there. As far as I'm concerned messing with the electoral process should be regarded as a felony and punished accordingly.

    But any EJ that could figure out how to upload a virus to their voting machine, and get it onto the tabulating machine, could possibly edit results in a way that would make it very hard to discover.

    They could, but the machines are randomly audited and you have no way of knowing if yours is going to be one of them or not. I don't know what else you can do to protect the system at this point. You could audit every single machine but that would require manpower and resources that most Election Boards just don't have.

    Second, an attacker could possibly find a way to defeat a tamper seal, or could break into the storage facility of the voting machines before election day, or I am sure there are a multitude of other attacks where someone could have a short time of unsupervised access to the voting machine that wouldn't be detected by tamper proof seals.

    You've got an awful lot of "coulds" there. People could do any number of things. All you can do is make the system as secure as possible. At least with regards to New York State I haven't seen any glaring holes in the security of our electoral process or anything that I would do differently if I was in charge of the whole show.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.