[supercat]

Let's have them start with a machine that someone else has set up, give them 20 minutes alone with the machine with security seals on it, and then let's see how effective they are at compromising the system.

A good election system should be unhackable, even by someone with full insider knowledge, if there is even one honest person monitoring things. I see no good reason why an election system should be constructed that does not satisfy that criterion.

If code was changed on one storage system, comparison with a verified system would reveal discrepancies. A forensic lab would have a good chance at discovering tampering, especially if they hashed all the memory entries and compared sigs from the hashing.

The problem is that after the election the code in the machine would be exactly as it should be. To thwart forensic analysis one needs to know what types of 'residue' are left by writing to the attached storage media, but unless the systems use hardware that's designed to prevent undetectable rewrites (and I've seen no indication that Diebold has attempted to use such) an attacker could make his software undetectable after the fact.

Perhaps you don't view insider attacks as a real threat, but I see no reason to discount them. Slot machines go to great lengths to prevent insider attacks, and elections can be worth more than a few jackpot payouts.

[DBrow]

" Perhaps you don't view insider attacks as a real threat, "

With paper ballots, the insider fraud is well established and can be done by almost any group of insiders. Little technical skill is needed, just adherence to simple guidelines.

Insider fraud with electronic machines means much fewer people with the ability to pull it off, and much more chance of being caught.

I've yet to see proof, audited proof, that the Princeton fraud is untraceable, and that was my initial point- they have made scary assertions without any backup, independent analysis, or peer verification. I doubt that someone could add in residue-less code, have it alter the way the system runs, then have it completely remove itself autonomously. You disagree, OK, I respect your point of view, you have some good ideas, but I need to see proof that it is possible.

With a human in the loop, perhaps it is. Some of the projects I'm working now involve testing whether or not a customer has monkeyed with the code. Even with a human to scrub things, detection is highly probable. With no human, relying on autonomous code to cover its own tracks is not a good way to go. There are so many things that change when you diddle with a deep-down routine that it's hard to change one thing back without changing another, or leaving behind a scrap used to delete something else.

I agree that any system should be unhackable, but not all the bulletproof needs to go into code. Procedure and opsec can count as heavily as software.