There's really not many people obsering the ballot box while it's being moved around. So you'd need only a few bad apples to have no witness. I'm not even convinced there's bipartisan control during that step. That makes it totally different from counting and announcing the polling station results immediately in public. After that if you tamper with the tallying everyone can call you on it. So even if you manage to win at least everyone knows you cheated.

A system is no more secure than its weakest link. Here we have two links where there used to be only one. So tamper with the paper ballots, force a recount and you win. Yeah this will cause a discrepancy with the electronic records but you said it yourself, the paper is authoritative so it does not matter.

Yay! So you're saying attacking the other link works too: hack the machine count, lose the paper ballots.

I guess that one difference of opinion we have is that I regard anything less than direct citizen oversight as useless. That includes 'chains of custody'. Even with supposedly bipartisan control. By the way bipartisan control makes it too easy for the two parties to make secret deals. I certainly hope there are in fact observers from at least three or four parties (and that car moving the ballot box around is going to get crowded).

I also have very little faith in 'investigations'. We should all remember that the ones with the most to lose in an election are the incumbents who are also in the best position to steer the investigation away from embarassing finds. Furthermore we live in a world where investigations conclude that a satisfactory explanation for 4096 overvotes is "the spontaneous creation of a bit at the position 13 in the memory of the computer" and don't cause the election to be canceled.

That could work if:

• * the manual count is really on the scene, that is in the polling station, no moving of the ballot boxes involved;
• * truly random, and making sure something is random is pretty hard;
• * unexpected, that is the decision to do a manual count in at a given polling station should not be decided in the morning otherwise it's easy for an attacker to only tamper with the ballots in the other polling stations;
• * and concerns a large enough sample to actually detect fraud, and if I remember correctly there was a study that found it's necessary to recount more ballots than one would expect, obviously particularly so in close races.

I'm unconvinced that all these (necessary but maybe not sufficient) conditions are actually met. Frankly it seems much simpler to just discard the machines, count everything by hand and be done with it.

How many years are you willing to wait for the investigation to publish its conclusions before you hold the new elections? If you're not willing to wait then all an attacker has to do is make it look like his main opponent cheated to discredit him. As long as the new election happens before the investigators figure out what happened (if ever), the attacker wins.

And that's even assuming that the powers that be actually wants a 'thorough investigation' more than for the whole episode to be forgotten as quickly as possible (further assuming they're not the ones rigging the election).

You missed the important part:

Observers can stare at a computer writing data to a USB key all they want. That won't tell them anything about what was written to it. In effect, whenever computers are involved there are no observers. So all you have is a custody chain where none of the participants can verify the integrity of the data they signed off on.

Bam! 'Should' is useless. Only 'is systematically audited' is of any use. And even so, only if there is no chance of data being tampered which means the recount must happen right away at the polling station. But that will never happen because in everyone's mind the result is already known so there is no reason to waste time and money redoing it. Furthermore when recounts actually happen it's only days after the election which leaves tons of opportunity for fraud, custody chain or not.

As an attacker, if you know there are never any recounts then you attack the digital record, nobody notices and you win. If there are recounts or you are unable to hack the digital record, then you attack the paper ballots and find a pretext to force a recount. If the paper ballots are taken to be the autoritative record then you win. If discrepancies cause the election to be done all over again, which is unlikely for national elections, you hack the result so it's in favor of your main opponent. With your opponent now being discredited you win again. In effect this system lets the attacker choose which side to attack.

The fact it's a felony never stopped anyone before.

The real question is: is driving more like composing a symphony or like playing chess? Twenty years ago I would have bet on the former and it felt that driving actually required sentience in order to be able to handle all the shape recognition issues and more. But I think that Google's autonomous cars have proven that to be largely wrong. I'm saying largely because they're still experimental and may yet hit technical roadblocks.

If creativity and sentience are irrelevant, then our superior 'intellectual capacity' essentially brings us no advantage. So then I'd rather have 'grand master' computers at the wheel.

The pleasure some people derive from driving their car is precisely the reason why they should be barred from doing so. I'm not saying that for you, staying in third gear to revv the engine is harmless enough. But some people seem to only derive enjoyment from racing around, whether on highways or in cities, or doing wheelies (on motorbikes though, which is a bit off-topic here), or other dangerous stunts. Taking them out of the driver seat would be much better for everyone (even themselves, their passengers, their spouse, their kids, etc).

As long as there is no systematic immediate manual recount in the polling place you have none of the advantages of paper. All you have is a system that can be hacked electronically, and hacked on the paper side while the ballots are being moved around or in storage waiting for a possible recount. Attackers get their choice of method so in the end this is twice as insecure.

A voter will never be allowed to verify that the software actually running on the voting computer is your 'demonstrably provable software' software. If he were allowed to do so, not only would it cause a huge backup in the line, but it would also require completely compromising the security of the system. Then that voter would also have to check that the hardware is really an unmodified Raspberry Pi board rather than one that was 'upgraded' by the NSA (or someone else).

Open-source (or provable software) and open-hardware change strictly nothing to the electronic voting opacity.

Sure, one can make a paper based voting system that can be hacked. The easiest way is to require that all ballots be moved around to a central location before they are counted. That provides plenty enough of opportunities for fraud during transport. To maximize fraud-opportunities, cost and slowness you can even claim you cannot start counting the ballots until the next day so all the ballot boxes have time to arrive and so you don't have to pay the people you hired extra for night work.

Or you can pick volunteers among the voters to count the ballots as soon as the election closes, right in the polling station. With tables of four volunteers working together and checking each other's work (in addition to the usual party representatives), you get the results within 2 hours and have a really fraud-proof system. It also scales nicely with both the number of polling stations and the population, and needs only 1% to volunteer.

Ah! Hummers are only good for little kids. Real men drive a Marauder.

NSA's message:

Of course they could not go public with part one to they only publicized part two.

Finally a drive that will work in the cloud!

There's a lot of GPL software in Ubuntu, starting with the Linux kernel. Does Tesla distribute the source code to Model S owners that ask?

It would help to know mor about your experiment. I can get quite big size improvements here by recompressing my camera's (Canon EOS) Jpeg files to... Jpeg! And with no visible quality difference either. They go from 6.7MB for the Canon file, to 3.1MB for quality 90 in imagemagick, 1.7MB for 75 and 1.4MB for 65. And ni your experiment the WebP quality scale may not exactly match the Jpeg one which makes comparisons even harder.