However, an easy way occurred to me how somebody could subvert these local machines; a way that doesn't even involve modifying the software, wireless networks, or any access to the machine other than through the voting interface.
I was handed a four-digit number to key in and told to check to make sure my precinct number showed up when I did that. Anyone who wanted to pile on votes in a precinct could collect a bunch of willing voters, e.g., from precincts where their candidates were shoo-ins. Then find one amenable voter in the target precinct; get that voter to tell the others the four-digit code; and all of them could enter that code instead of whatever code they were given. Such an attack would presumably not be possible on paper ballots, which would already be marked with the precinct when handed to the voter.
Gunnar Peterson has some other interesting thoughts about making voting safer. In it he remarks about some exploits shown to the Virginia state commission that makes recommendations about voting systems:
One of the elected officials on the commission insisted that Felten couldn't possibly have done his demo exploit without source code, because "everyone" knows you can't do an exploit without the source.

I think I already gave a counter-example to this official's assertion. Denial of risk is still alive, and not just living in Egypt.
As Gunnar points out, what we really need is some sort of audit trail. You'd think a simple comparison of numbers of voters registered in a given precinct vs. those voting in it would give a clue as to whether the attack I outlined above was being used. Is anyone doing such a comparison? Quis custodiet ipsos custodes?
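
The comparison suggested above, sketched as an added example (not part of the original post). It goes one step further than registered-versus-voting by also comparing recorded ballots with poll-book sign-ins, since ballots keyed in under another precinct's code can stay below the registration count. The column names, precinct IDs and counts are constructed assumptions.

```python
import csv
import io

# Constructed sample data (not real election results). Columns:
# registered = voters on the precinct roll, checked_in = poll-book sign-ins,
# ballots = ballots the machines recorded under that precinct's code.
SAMPLE = """precinct,registered,checked_in,ballots
P-101,1200,640,640
P-102,900,510,498
P-103,300,180,192
P-104,1500,700,701
"""

def reconcile(rows, tolerance=0):
    """Return per-precinct findings plus a cross-precinct summary."""
    findings, surplus, deficit = [], 0, 0
    for row in rows:
        name = row["precinct"]
        registered = int(row["registered"])
        checked_in = int(row["checked_in"])
        ballots = int(row["ballots"])
        # The coarse check from the text: more ballots than registered voters.
        if ballots > registered:
            findings.append((name, "ballots_exceed_registration", ballots - registered))
        # Finer check: ballots recorded vs. voters who actually signed in here.
        delta = ballots - checked_in
        if delta > tolerance:
            findings.append((name, "surplus_vs_checkins", delta))
            surplus += delta
        elif delta < -tolerance:
            findings.append((name, "deficit_vs_checkins", -delta))
            deficit += -delta
    # Matching surplus and deficit suggests ballots recorded under another
    # precinct's code rather than ballots added or lost outright.
    summary = {"surplus": surplus, "deficit": deficit,
               "possible_misattribution": min(surplus, deficit)}
    return findings, summary

def reconcile_csv(text, tolerance=0):
    """Parse CSV text with the columns above and reconcile it."""
    return reconcile(csv.DictReader(io.StringIO(text)), tolerance)

if __name__ == "__main__":
    findings, summary = reconcile_csv(SAMPLE)
    for precinct, kind, count in findings:
        print(f"{precinct}: {kind} ({count})")
    print(summary)
```

The `tolerance` parameter absorbs small benign gaps, such as a voter who signs in and leaves without casting a ballot.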