Schneier on Security
A blog covering security and security technology.
« Stealing Free Wireless |
| Bank Bans Cell Phones »
August 4, 2006
Open Voting Foundation Releases Huge Diebold Voting Machine Flaw
It's on their website:
"Diebold has made the testing and certification process practically irrelevant," according to Dechert. "If you have access to these machines and you want to rig an election, anything is possible with the Diebold TS -- and it could be done without leaving a trace. All you need is a screwdriver." This model does not produce a voter verified paper trail so there is no way to check if the voter's choices are accurately reflected in the tabulation.
Open Voting Foundation is releasing 22 high-resolution close up pictures of the system. This picture, in particular, shows a "BOOT AREA CONFIGURATION" chart painted on the system board.
The most serious issue is the ability to choose between "EPROM" and "FLASH" boot configurations. Both of these memory sources are present. All of the switches in question (JP2, JP3, JP8, SW2 and SW4) are physically present on the board. It is clear that this system can ship with live boot profiles in two locations, and switching back and forth could change literally everything regarding how the machine works and counts votes. This could be done before or after the so-called "Logic And Accuracy Tests".
If this is true, this is an enormously big deal.
Posted on August 4, 2006 at 11:27 AM
• 61 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"If this is true, this is an enormously big deal."
I'd be surprised if it wasn't true.
Do you suppose it is this easy to compromise the records of an ATM machine?
Dear Diebold: For some of us, our vote is more important than money. We would appreciate treatment in kind; at a MINIIMUM.
Thank you for your support.
If you have physical access anything is possible anyway, including introducing a false paper trail.
With elections a mere 3 months away, the question is will anything be done about it? Sadly, I'm guessing no.
"Do you suppose it is this easy to compromise the records of an ATM machine?"
Yes. If you can get inside the safe.
The silly thing here is that an ATM manufacturer is trying to make a voting machine, which has an entirely different set of constraints, and doesn't seem to realize that their established practices aren't going to work.
I don't really see what is so hard about this problem anyway. Just put a receipt printer, like one you can find on any cash register, inside a transparant box in the booth. When the voter is done with the touchscreen, print out what the voter has chosen and direct the voter to check the paper. If the voter is satisfied, hit yes, the printer either form feeds until the vote is on a spool out of sight, or cuts the receipt off, allowing the vote to fall into a ballot box. If the voter chooses no, the machine prints something to the effect of "Above vote Invalid", lets the voter make changes, and prints another record on the paper.
When the polls close, the machine has a tally that can be reported by CNN, but the paper votes still have to be counted. If you want to get fancy, have the machines print a barcode at the end of each vote so another machine, kept in a vault in a central location, can count and verify the results. Have humans audit a random sample of votes counted on this machine to make sure the barcodes and the printed vote match. If things get really ugly, have humans count the printed votes by hand.
You can make it extremely difficult to modify without being noticed prior to the election, even with a knowledgable, skilled group of attackers. Examples: force randomly seeded CRC checks over the entire code, make the area containing the code tamper-evident, and design the hardware such that you can't reasonably place two executables on the hardware. Such things are done in the VLT (slots owned by a government) industry all the time.
What if the paper trail consisted of printing a receipt for the voter? The voter would then verify his/her vote on the receipt and leave it in some lock box outside the voting booth. The receipts could then be used for recounts.
Of course then you have the problem of the receipt printer running low/out of ink in the middle of voting.
Just a thought.
Dont attribute to malice that which can be adequately explained by incompetence.
Just because there's incompetence, don't assume there's no malice :)
Sure, this is more grist for the mill. But, as a former game developer, I deeply wish someone would drive it into the heads of elections managers that no "logic and accuracy" test could ever ensure a fair election. Haven't these bozos ever heard of an easter egg? All this stuff is gravy; as long as the code and hardware design are kept hidden from public view, there is simply no way to ensure that the machine counts fairly, period.
I predict that a Republican congress-critter will introduce a bill, in the near future, making it illegal to open an electronic voting machine.
Kevin Zeese, a candidate for U.S. Senate has been fighting issues of democracy, paper record for elctronic voting machines and non-partisan oversign of elections for years. Check out TrueVoteMD.org and ZeeseForSenate.org for more info.
Sufficiently advanced cluelessness is indistinguishable from malice
The key, as usual, is not only to have the most competent people in charge of design, but to make sure that their goals are aligned with the alleged goals of the project. Failing either will cause failure of the project to meet goals.
To the customer, _which_ failure dominated is irrelevant.
Here is a story where people using diebolds claim their vote changed before their eyes
I forget the exact site, but I think it is www.blackboxvoting.org that has a bunch of stuff on how bad these voting machines are.
I guess all this bellyahing is being caused because Diebold CEO contributes to (or is a rabid) Republican.
But this is politiking .. not science .. Can Bruce point out "ANY" system that "can't" be hacked. What aboout buying votes for $10/piece in Jersey City that gave us JFK, along with a few folks who walked out of their graves in Chicago to help the good cause?
This is a bogus report ..the biggest argument against this junk is this paper trail argument.
What's there for a person to argue that he didn't vote what the machine says he did? Who wins this argument, pregnant chad's anyone ? There are political hacks out there who will always try to exploit any information .. particularly when they are loosing.
Oh, I have lots of questions about this board.
First, on image 4, lower left corner. Why is there an IR transceiver on this block, and why have they deliberatly included windows to make sure that IR could reach the sensors? No, they're not buttons -- count the number of pins.
Next, on image 5, why are there relays on this board? What high current switching does a voting machine need? There's a 10A fuse there, so what are they switching? It isn't the power suppy -- that's clearly offboard, and that's where you'd switch power for the LCD and such.
Image 6, there's a jumper configuration area that allows you to select three different boot areas -- EPROM, flash, and external flash. Interesting that having both switches set to "Side 1" is listed as "illegal." Is this "blow power supply" illegal, or does this do something else?
Image 11. Wait, I thought the card slot was external, see the first image. Why the dual PCMCIA slot? And note that narrow 28 pin chip in a socket with a label. I can't read the chip directly, but 28 pin narrow is a fairly rare package, the label says "PIC", and what I can see of the logo looks sort of like the Microchip logo -- and one IC that does ship in that 28 pin narrow package is the Microchip PIC microcontroller. Why is there a microcontroller stuck onto such a complex and powerful board? What code is running on it? Why is it socketed -- does the code need to be updated that frequently, and if so, why?
Why are all these features on this board? Why should I trust a voting machine with at least three different booting mechansims, multiple input/output paths, and multiple processors?
Your argument could be summarized as "because no system is absolutely secure, we shouldn't worry about any security issues." That's not an uncommon argument to hear people make, but frequency of repetition doesn't make it right.
A more sensible way to think about the problem is "what are the most serious security risks to this system, and how can we reduce those risks?"
With many of the current e-voting systems, a single person is capable of perpetrating large scale fraud without being detected. That is fundamentally different than the paper votes of the past. Having a voter-verified paper trail that is available for a recount if the election is disputed would go a long way towards making sure that election fraud is far more difficult.
--"Do you suppose it is this easy to compromise the records of an ATM machine?"
Local to the machine, possibly. But since there's no "secret ballot" requirement for an ATM it's much easier to do after-the-fact auditing. Which is where the mistakes (purposeful or not) seem to get caught.
--"If you have physical access anything is possible anyway, including introducing a false paper trail."
It's a matter of degree. It's much, much easier to fake an entire precinct's returns when you only have to flip some bits than when you have to make a few thousand fake ballots. Much less noticeable as well.
--"Just put a receipt printer, like one you can find on any cash register, inside a transparant box in the booth."
It is a simple problem to fix, which is why it's so puzzling to see all the major EVM vendors resist it so strenuously. Contrary to bob, this has gone far, far past the point of simple incompetence. Making the mistake in the first place, okay, possibly. Refusing to admit a problem once it's pointed out to you? Maybe one or two. But when they're unanimous in it? Stretches credulity.
--"forget the exact site, but I think it is www.blackboxvoting.org"
That's the one. Some of the posters there are current or former election officials in various capacities. There's some good stories in there about why this crud is allowed (one reason is simply that the people in office controlling elections were elected with these, so if they question the results they put themselves at political risk, so they push down a "suck it up, there's no problem" attitude).
"I guess all this bellyahing is being caused because Diebold CEO contributes to (or is a rabid) Republican."
Actually, it's not. The security issues surrounding votoing machines have nothing to do with which CEO contributes to which campaign. Nor is it a partisan issue. Those of us who collect voting-machine oddities know that these issues affect all parties.
"What's there for a person to argue that he didn't vote what the machine says he did? Who wins this argument, pregnant chad's anyone ? There are political hacks out there who will always try to exploit any information .. particularly when they are loosing."
The voter-verifiable paper trail. That's what's there to protect voters from these sorts of attacks.
"What if the paper trail consisted of printing a receipt for the voter? The voter would then verify his/her vote on the receipt and leave it in some lock box outside the voting booth. The receipts could then be used for recounts."
Agreed. This is a voter-verifiable paper trail, and is what pretty much everybody who knows anything about computer security is advocating.
Does anyone honestly believe that your vote matters anymore?
It's between two parties anyway, the other parties don't even get a chance to debate the two parties for a Presidential election.
It's just a red and blue circus, or football game if you will, and people gather together just like those football games to cheer one of the two choices on to win.
Fixed elections or not, two choices, two parties, where is the freedom in that?
Interesting idea about barcode vote. However, how do you verify the barcode, since voters likely don't know how to read it?
@mpd and Bruce
"What if the paper trail consisted of printing a receipt for the voter? The voter would then verify his/her vote on the receipt and leave it in some lock box outside the voting booth. The receipts could then be used for recounts."
NEARLY right. What you missed is that the lock box must be inside the booth, not outside, so that it is not possible for anyone voting to 'show' their vote to someone outside the booth. This makes buying votes difficult. Also, there needs to be a mechanism that ensures the voter does actually put the vote receipt in the ballot box rather than keeping it. This is not just for the buying votes reason, but also to stop a group of people screwing up a precint by not putting the reciepts in the lock box and deliberately causing a discrepancy that way.
Diebold calls them 'electronic voting stations'. Why? Because they are doing the voting, having replaced the electorate, which is now obsolete.
I have mentioned it before, but I probably have to say it again. I consider all voting systems based on computers too insecure to be used in a democracy. The extra cost and enormous increase in security created by using humans, papers and pencils outweighs any economic and speed(?) benefits created by these machines.
I think that when examining such a critical system you should assume that both the producer and a large degree of the users want to corrupt the system. Dead wood based systems are quite resistant to attacks, and attacks are usually easy to uncover, limited and possible to locate, while these systems are almost impossible to analyse, and a single attacker can change the outcome of the whole system, without there being any reasonable trace. And analyzing the code and system will never be secure enough, as you have to assume malice on the side of the producer.
What are we supposed to do if we have these things in our polling places?
may be we should go back to putting pebbels in pitchers.
this is the most non-sensical argument.
I think Bruce has fun with this non-sense, he throws in these bum issues and wants to see how many totally useless opinions can be gathered.
Interesting - if true.
Would show that security was not one of the core goals in design of the unit. Either this or they were simply incompetent.
But in a wider sense the consequence is only relevant if you actually want democracy.
@winsnomore clearly doesn't for one.
Fortunately for Canada we have a single voting authority at the Federal level and they do use the dead tree/paper based voteing system. We go hide behind a simple three sided cardboard enclosure with our paper vote. Fill it in, fold it over twice and seal it, walk over to the box sitting in front of but seperated from (usualy by a desk) at least two election officials who watch us put it in the box and then we walk out.
They are very rigid about the rules and have nicely stopped my 8 year old son from asking questions about whom I voted for while I was putting the ticket into the box.
Would it be possible to fake a few votes, yes it would if you got ahold of the forms before hand. Would it be traceable, yes it would as recounts and audits happen.
Paper is simple, effective, elegant and probably impossible to cheat on any significant level.
Fred P had it right. Check out the slot machines. That is a better model than an ATM.
Why? Banks build in losses which are covered by fees: any dollar can replace any other dollar, but votes are unique. Slot machines, on the other hand, are verified in an extremely untrustworthy environment. Win BIG in the slots and the machine state will be verified before actual payout.
I assume that if I created a simple http form with boxes "democrat" and "republican" you would trust it to choose your next president..? ;)
You have to realize when a system is fatally flawed and impossible to repair considering the situation.
And, if you ask me, pebbles in pitchers are considerably more trustworthy than computers. I can imagine a numer of ways to verify such a system, even after the votes are cast. Trying to verify the votes after the central server prints results seems considerably harder.
This isn't so much a flaw as a complete absence of security. It's like the flaw in your bank vault being that there is no vault and the money is stacked in piles on the pavement outside the bank.
wasn't this news story released and made public way back on july 4th of this year? there are tons of information including source code for the machines at:
perhaps we are talking about difference voting machine systems?
There's more than one way to crack a voting machine, and I for one hope someone gets Mickey Mouse "elected" just to show how dumb an idea they are in general. But, it could be that it's already happened, and the results from the machines quietly ignored by the foxes we've put in charge of that henhouse. It seems statistically weird that so many elections come out dead even lately.
The machines used in my county are probably better than the Diebold ones, but they have a smart card socket that is used for each voter. Presumably, with knowledge one wouldn't need a screwdriver or much time, just a modified smart card to stick in there. The polling person does walk away (taking the card which seems to authorise the one vote) so as not to be looking over one's shoulder, so one might be able to vote a lot of times. The machines are windows-based, so I'd bet there are plenty of easy cracks.
>> "What's there for a person to argue that he didn't vote what the machine says he did? Who wins this argument, pregnant chad's anyone ? There are political hacks out there who will always try to exploit any information .. particularly when they are loosing." --winsnomore
>The voter-verifiable paper trail. That's what's there to protect voters from these sorts of attacks. - bruce
I thought the idea of secret ballot is NOT to be able to keep record of voting (part of the word is "secret" ).
Do you not fear the pandora box if you knew who voted for who ..and could prove/disapprove it. This alone will destroy modern democracy.
Don't you think a false paper trail can be generarted? Remember Dan Rather had pretty convincing paper trail too and now he is out a job.
I believe all machines (pitchers with pebbles, paper trails, mechanical, computers) are hackable, hacked and will be hacked. What you need are honest people who will address techical issues honestly .. this whole Diebold thing has been going on this site since 2004 .. it's partisan imho (or not so humble)
Bradblog.com covers this extensively with a grim example of the diebold machine called into question for the Senate race to replace now jailed Cal-R Sen. Duke Cunningham. The seat went to a republican whose staff had taken home the machines prior to the elections for "safekeeping." No shit. I wrote about this with a link to the recent bradblog.com strings here:
"I believe all machines (pitchers with pebbles, paper trails, mechanical, computers) are hackable, hacked and will be hacked."
Of course, but good security dictactes defense in depth and the ability to recover from failure. I've written about these principles a lot.
"What you need are honest people who will address techical issues honestly."
Of course. Technology is not a substitute for trusted people, but it can reduce your reliance on trusted people. Again, this is a general security principle.
"...this whole Diebold thing has been going on this site since 2004 .. it's partisan imho (or not so humble)"
Partisan in favor of who? As cynical as I am, I don't think being in favor of accurate elections should be a partisan position.
Especially in our partisan climate, it is important that we have accurate elections. It is important that, the day after election day, both the winning and the losing side believe that the election was fair and the count was accurate. It is in both party's best interests for this to be true.
walden o'dell, former ceo of diebold, started the "diebold thing" when he pledged to deliver ohio to bush. that's the part you're conveniently forgetting.
we have no proof that the election was stolen, but that doesn't matter. the loss of the voters' trust, if it continues to accelerate, will be fatal to our republic.
'I thought the idea of secret ballot is NOT to be able to keep record of voting (part of the word is "secret" ). Do you not fear the pandora box if you knew who voted for who ..and could prove/disapprove it. This alone will destroy modern democracy.'
Then we're already doomed. Mail-in balloting requires signing your name: on the envelope, in my state. The election officials (Secretary of State's office for me) confirm the signature matches before accepting the enclosed ballot. This is obviously done for authentication purposes. (Yes, there have been post-election challenges to signature veracity, which go through the courts.)
Where I place my trust is that there are enough people of different parties working in the Secretary of State's office doing this task that any large-scale fraud by one side will be observed by the other. The Secretary of State is elected, and has a party affiliation, but the workers in the office are unelected, and have varying party affilications.
In other words, I trust that the competing interests of the ballot counters will keep the authentication honest overall, and prevent any party from surreptitiously recording who votes for whom. I really only worry when election observers are one-sided. A reasonable balance of competing interests is one basis for trustworthiness.
This is, of course, a standard PC motherboard feature, and that's probably why it's there. It is unfortunately also a major security problem.
Most worrying to me is the "EXT FLASH" setting of the switches. The "EXT" means "external", so it's possible to have external flash devices with code in them, and plug that into one of those convenient connectors. Then just remove the external device, flip one switch back to FLASH, and no one would suspect anything. The article says:
>A third possible profile could be field-added in minutes and selected in
>the "external flash" memory location, the interface for which is present
>on the motherboard.
I would say "field-added in seconds", not "minutes." It certainly doesn't take minutes to insert a flash card and flip one switch.
At a minimum all jumpers should be soldered in, then covered with a tamper-evident seal. Do the same thing for all the switches. Also put the seals over any open connectors, and also across any removable device and its connector (including the EPROM). If any seals are broken, the tallies are not trustworthy.
Tamper-evident physical seals won't entirely solve the problem, but it would go a long way toward making the hardware more trustworthy. Of course, you still need competing interests (i.e. mutually distrusting observers) inspecting the hardware, and probably paired keys to access the electronics inside a box (think safety deposit box: both keys needed to open it). If you don't protect the electronics after the seals are applied, then whoever thinks they're behind has a motive to disturb a tamper-evident seal, thus calling into question the trustworthiness of the tallies.
Make the cases from clear plastic, not opaque, and you have another useful tamper-evident feature. The techie voters might even appreciate what they see. I certainly would.
Re: bar-codes on printed ballots
Use MICR characters, not bar-codes. It's human-readable AND machine-readable.
>>> Then we're already doomed. Mail-in balloting requires signing your name: .......
Yes you are doomed, the biggest fraud in elections is mail in ballots .. .. more paper trail in this case means MORE fraud. Why .. one crook can (and does) file hundrerds of them .. while for actual voting you have to do 1 at a time .. what a bummer.
you are insinuniating and not .. are you really john kerry imprsonating as another_bruce .. make up your mind
We don't disagree .. but it is partisan nonetheless. If Diebold CEO was a democrat you won't be publishing this bit.
Bitching about booting mode is interesting and if there were "standards". Humans do things and learn.. most likely reason for this "mistake" are third rate politically appointed hacks (of both parties)who approved the machines in the first place.
BTW you didn't comment on the core issue, i.e. ballots should NOT have records .. don't forget that Hillary was reading : (raw) repulican FBI files for bedtime stories when Bill was somewhere wink .. wink .. ever wonder what she would do with voting records :)
I agree that the real issue is that there should be standards for electoral machines .. we should have good critical analysis and way to make sure technology serves the purpose .. but we can't have this partisan hunting and hope anything good will come out of it.
you will get folks like another_bruce to parrot non-sensical arguments and the real-bruce will get nothing positive from it.
>> if I created ..
from what I have heard .. I don't think I will be comfortable with any of your "creations" .. if you don't trust technology throw you computer into a well and start using paper and pencil.
What are we supposed to do if we have these things in our polling places?
Accusing others of partisanship would be a lot more convincing if you weren't the one who brought up specific members of a disliked party the most of anyone in the discussion.
More broadly, I too am shocked that no one has hacked an election. Unfortunately, if Mickey Mouse were to win, the general attention would be focused primarily on finding the specific culprit and much less so on addressing the root insecurities, I fear.
"More broadly, I too am shocked that no one has hacked an election."
What makes you think no one has? There are dozens of stories of election-machine problems -- local elections, mostly -- and many of these elections seem to have been decided by election-machine failure rather than actual voting totals. We don't know if the cause was random error or maliciously inserted error, but it seems a stretch to believe that all the errors were random.
Of course there is no way to prove any of this...the voting machines deliberately don't provide that avenue of recourse.
"We don't disagree .. but it is partisan nonetheless. If Diebold CEO was a democrat you won't be publishing this bit."
That's just plain idiotic. And the fact that you're saying it demonstrates that you don't read my writings very much.
Accurate voting should not be a partisan issue. I admit that many Republicans believe it to be a partisan issue, but they're wrong.
>> Do you have evidence of mail-in ballot fraud? .... State some facts. Then, I might start listening.
There is a case NOW in courts for 2004 elections where operatives of a particularly caring party are accused of filling a few thousand absentee ballots of nusring home patients.. the state is Ohio I believe.
I am doing it from memory but this is not an isolated case.
>>"We don't disagree .. but it is partisan nonetheless. If Diebold CEO was a democrat you won't be publishing this bit."
>>That's just plain idiotic. And the fact that you're saying it demonstrates that you don't read my writings very much.
>>Accurate voting should not be a partisan issue. I admit that many Republicans believe it to be a partisan issue, but they're wrong.
Why are you not addressing the core question:
- Should someone keep permanent record of how you (individually) voted in every election?
This is a trick question .. particularly for those who are always nervous about phone/bank/medical/purchase records etc. etc.
Cryptographic voting systems can allow for a secret ballot and a paper trail to coexist, with each voter carrying away a copy of their own vote that cannot by itself be used to prove which way they voted. I'm surprised this work isn't generating more attention, actually.
Barcodes: a bad idea, use an OCR-ready font like OcrA (I believe a previous commenter called them MICR fonts?)
Paper trail: obligatory, the sine qua non of electronic voting systems.
A(n encrypted) copy for the voter to take away: what for? of what possible use would this be?
Looking at the picture of the motherboard, it looks like they are using off-the-shelf hardware to keep the costs down, meaning that IR ports, USB, flash, these dippy DIP switches, come gratis.
Not only do these features, by themselves, weaken security, but the fact that it is commodity hardware means that a) more attackers will already be familiar with its weaknesses, and b) it is easier and cheaper for an attacker to create a clone to 'practice' on.
Oh, and re the 'Illegal' dip switch position that someone asked about, that's clearly because there are 4 settings (of the 2 switches), but only 3 boot areas. Clearly the 'Illegal' setting would do nothing, just fail to boot, right?
I think money is the whole issue. If everyone voting brought in a penny, nickel or dime, the costs of running an election could be covered.
Then, there'd be no arguments for saving money and if your vote counts, what's a dime? So if no perticular one individual or moral person foots the bill, everybody pitches in a minute portion of costs, Diebold has no business case to produce those boxes.
And if you believe corruption is involved, we could argue that Diebold no longer has an official excuse to put in the politician's mouth...
As for the length of time to get the results, ask CBS et al, if they'd mind running the election program longer, with more advertising revenue...
@winsnomore: You seem to be confusing people wanting a paper trail to verify AND leave at a locked box to a system which would use these papers to follow your voting history. (if this is not the case, sorry for posting this piece for no reason whatsoever)
Nobody is asking for papers that'd identify you as a voter, just something for the voter to certify the result and then leave at a secure box. If (when) needed, these certified pieces of paper could be used to recount the votes.
Of course it still leaves possibilities for cheats etc., but it's a step into the right direction.
Here where I live we still use a three-sided "stand", behind which we see the numbers available, write the number clearly on a non-identifiable official ballot, get an official stamp on it and then seal it ourselves. After this we drop it into a secure box that's under constant supervision. No extra papers can be added there at that time. IMO this is still the best voting practice when it comes to security. (Maybe this has something to do with our low corruption rate, dunno).
-Frank (yes, it's a made up name)
Yes, it's true. See the glass table top in the pictures? That's my patio table.
Here's a question I want to put to the test labs: "What were the positions of the switches and jumpers when the system was certified?" I'd bet most anything they have no idea.
I also happen to know that the RABA Technologies team commissioned by the State of Maryland to do a "trusted agent" evaluation did not open up the box either.
Black box testing is what's been done. We're supposed to trust a paperless voting system that's only had black box testing done on it?
I noticed some pretty good observations by Eric and others. The system has a built in UPS. This actually works pretty well. You can connect/disconnect AC power while in operation and the unit continues without a blink.
Good point about the infrared port. What's that doing there anyway? NIST says infrared should not be allowed on a machine like this. It's there, though. Who knows what somebody/something could be doing across the room with an infrared device (e.g., TV remote)?
``Fixed elections or not, two choices, two parties, where is the freedom in that?''
It's called "the evil of two lessers".
Anyway, I think my story trumps many others; in my voting district, the voting stations reported to a local tabulator via wifi.
Yes, you read that properly. WIFI.
802.11(a/b/g). Voting machines.
And if you think that paper ballots are immune to tampering, you're scary-naive. Entire boxes of ballots get "misplaced". Entire boxes of ballots suddenly appear without anyone knowing their genesis. People use fake ID. People vote multiple times. Dead people vote.
If you doubt my word on this, perhaps a widespread joke will cue you in on some voting fraud history:
The President , the Pope and Mayor Daley were in a life boat... and it was sinking. There was only only life jacket. So they decided to make a speech on who should have it.
The President started. " I am the leader of the free world. I have a lot of people depending on me.."
The Pope spoke next. " I am the leader of the Religious world. Many souls depend on me."
Last was Mayor Daley. " You guys make persuasive arguments. But I am a believer in the democratic process. So let's vote."
Mayor Daley won 3 to 1.
If that fails to make you realize you're incredibly embarrassed, how about wikipedia?
BTW, the Nazis marked the backs of ballots with milk, and heated them to recover the serial number, correlated that with the check-in roster where they checked IDs, and made sure that the bad Nazis didn't stay problems very long. Although they did have a big IBM mainframe for tracking all the Jews ...err... I mean railcars they were shipping around with stereotypical German efficiency, I'm pretty sure they used pencil/pen and paper for the balloting. They didn't even have the Internet to collaborate with each other on how to pull it off!
There are ways to use cryptography to achieve the hypothetical goals of the voting system*. They are routinely ignored. I say go low tech and high tech; paper trail and zero-knowledge proofs.
[*] Hypothetical, because they are hypothesized by the idealists among the voting public, and hypothetical because they are not shared by anyone involved in the political process or voting machine industry. The system is a fraud, and it's only with computers that computer security people are realizing how low the bar is actually being set. It doesn't matter as long as we have a first-past-the-post system for seats, we will have only two parties (as a virtual truism), as long as there is an electoral college voting as a bloc to eliminate third parties at the college level, and as long as corporate sponsors have significant enough influence to make both parties well-funded (they need to be, with Senate races costing something like $1M now), and indebted to their benefactors. This is voting theater. It's not like any of it really matters, elected officials are not necessarily the ones in power. That doesn't mean we shouldn't demand better, just that we're unlikely to get it as long as the system aforementioned is the one governing the decision-making process about how fair our voting system should be. We are probably the farthest away from a true Athenian democracy you could have and still call it a democracy with a straight face.
I'm not saying there aren't decent, honest folk sprinkled through the system, I'm saying that their efforts are necessary but not sufficient.
Some possibly-relevant references:
"A Protocol for Anonymous and Accurate E-Polling", Danilo Bruschi, Igor Nai Fovino, Andrea Lanzi
Whew! Rant over!
Is E-voting E-OK or not E-OK?
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.