The documentary "Hacking Democracy" was recently released. It's a non-technical documentary about Diebold's voting systems that have been in wide use in the US since the 2004 elections.
Background about Diebold voting machines
These machines have a slot to feed your ballot in after you've filled it out (or, on the touchscreen kind, they have a touchscreen instead). They have a slot for the vote total to come out at the end of the election, and they have a slot on the front of the machine that takes the all-important memory card.
This memory card stores the votes in a Microsoft Access database (yes, you read right) that's meant to be read with the GEMS software, which prompts for a password upon loading the file. However, the file isn't actually encrypted, and can therefore be opened in Microsoft Access.
The film demonstrates how someone could change vote totals for a specific Diebold voting machine by obtaining a Diebold memory card and card reader, accessing the contents of the card from a computer, and modifying the vote totals using Microsoft Access. Almost the entire film is Bev Harris and others wailing about how it's possible to "hack" the voting system.
Now, my question is: why is it so hard to make a secure voting system? Here's a setup I came up with:
HARDWARE
At the back of the room, in a locked closet, there is a database server running a DBMS (SQL, not Access, please).
There is a row of booths and each one has a small device with an LCD and a number pad inside.
SETUP
Before the election starts, connect each device to the server (over a wired connection -- obviously not wireless) and turn them all on. Each device creates a random ID key and stores it in ROM. Each device establishes a PGP-encrypted connection with the server and sends its ID key over. The server records all those ID keys in a database.
USER INTERFACE
Each device has a small LCD screen and a number pad.
The LCD screen shows a list of candidates and corresponding numbers next to them. The voter will read the screen and choose a number. He will enter the number in using the keypad and press the SUBMIT button. The device will show a confirmation screen, where the user can affirm or deny his choice. When it is affirmed, the device sends a command to the server.
RECORDING EACH VOTE
Whenever a device records a vote, it sends a command to the server -- probably an SQL INSERT statement. This information, along with its ID key, is encrypted and sent to the server. The server decrypts the message sent to it by the device, checks the sent key against the ID key list, and, if it's valid, runs the INSERT command.
OPTIONAL: There can be a paper trail by having the device spit out a vote slip into a basket behind the machine.
TALLYING THE VOTES
After the election is over, the staff turns off each device. Since the devices don't actually store any data (they just take input from the user), no elaborate memory-card-removing ritual is needed; the staff can just pull the plug.
The staff presses a button on the server, signaling it to print out a paper slip with the vote totals recorded in its database. This also causes the server to reset its ID key database.
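The SETUP, RECORDING EACH VOTE and TALLYING steps above, simulated end to end as an added example (this is not code from the post, from Diebold or from GEMS). It assumes an in-memory SQLite database standing in for the locked-closet DBMS, an HMAC tag over each vote message standing in for the encrypted link (the PGP transport encryption itself is out of scope here), and hypothetical class names VotingServer and BoothDevice. It departs from the post in one respect that a reviewer would insist on: the device sends a structured vote record rather than an SQL INSERT statement, and the server composes the parameterized query itself, because a server that executes SQL received from an endpoint lets any tampered device write whatever rows it likes. The server also refuses an ID key it never registered, refuses a message whose tag does not verify, and refuses the same confirmed vote submitted twice; after the tally it clears the ID key list, as the post's last step describes.

```python
import hashlib
import hmac
import json
import secrets
import sqlite3


class VotingServer:
    """The locked-closet database server: holds registered device keys,
    verifies each vote message, and records votes with parameterized SQL."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")  # stands in for the real DBMS
        self.db.execute("CREATE TABLE devices (device_id TEXT PRIMARY KEY, key BLOB)")
        self.db.execute(
            "CREATE TABLE votes (id INTEGER PRIMARY KEY, device_id TEXT, candidate TEXT)"
        )
        self.seen_nonces = set()  # a confirmed vote may only be recorded once

    def register_device(self, device_id, key):
        # SETUP step: in the post this arrives over the PGP-encrypted link;
        # here it is a direct call (assumption: the transport is already trusted).
        self.db.execute("INSERT INTO devices VALUES (?, ?)", (device_id, key))

    def record_vote(self, message, tag):
        """RECORDING step. Return True if the vote was accepted, False if rejected."""
        fields = json.loads(message)
        row = self.db.execute(
            "SELECT key FROM devices WHERE device_id = ?", (fields["device_id"],)
        ).fetchone()
        if row is None:
            return False  # ID key not in the list built during SETUP
        expected = hmac.new(row[0], message.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False  # message altered in transit or not from that device
        if fields["nonce"] in self.seen_nonces:
            return False  # same confirmed vote submitted a second time
        self.seen_nonces.add(fields["nonce"])
        # The server builds the INSERT itself; the device never sends SQL text.
        self.db.execute(
            "INSERT INTO votes (device_id, candidate) VALUES (?, ?)",
            (fields["device_id"], fields["candidate"]),
        )
        return True

    def tally(self):
        """TALLYING step: totals per candidate, then the ID key list is reset."""
        totals = dict(
            self.db.execute(
                "SELECT candidate, COUNT(*) FROM votes GROUP BY candidate"
            ).fetchall()
        )
        self.db.execute("DELETE FROM devices")  # the post's 'reset its ID key database'
        return totals


class BoothDevice:
    """The keypad device: stores no votes, only its own random ID key."""

    def __init__(self, server):
        self.device_id = secrets.token_hex(8)
        self.key = secrets.token_bytes(32)  # the 'ID key' the post writes to ROM
        self.server = server
        server.register_device(self.device_id, self.key)

    def submit_vote(self, candidate):
        """Called after the voter affirms on the confirmation screen."""
        message = json.dumps(
            {"device_id": self.device_id, "candidate": candidate,
             "nonce": secrets.token_hex(16)},
            sort_keys=True,
        )
        tag = hmac.new(self.key, message.encode(), hashlib.sha256).digest()
        return self.server.record_vote(message, tag), message, tag


def run_mock_election():
    """Constructed scenario: two booths, three votes, one message from a
    device that never went through SETUP. Returns (accepted flags,
    whether the unregistered message got in, final totals)."""
    server = VotingServer()
    booth_a, booth_b = BoothDevice(server), BoothDevice(server)
    accepted = [booth_a.submit_vote("1")[0], booth_b.submit_vote("2")[0],
                booth_a.submit_vote("1")[0]]
    stray_key = secrets.token_bytes(32)  # constructed: a key the server never saw
    stray = json.dumps({"device_id": "not-registered", "candidate": "2",
                        "nonce": "x"}, sort_keys=True)
    stray_tag = hmac.new(stray_key, stray.encode(), hashlib.sha256).digest()
    stray_ok = server.record_vote(stray, stray_tag)
    return accepted, stray_ok, server.tally()


if __name__ == "__main__":
    print(run_mock_election())
```

The nonce check matters because a device message that verifies correctly can still be played back; nothing in the post's description stops the same encrypted INSERT from being delivered twice, so the server, not the device, has to remember what it has already counted. Because every candidate value reaches SQLite as a bound parameter, a keypad entry is stored as a string whatever characters it contains.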
ADVANTAGES
DISADVANTAGES
SOLUTIONS TO DISADVANTAGES
CONCLUSION
I may be missing something, but I don't see why Diebold (and all the other voting machine manufacturers) are having so much trouble making a secure system.
I suspect that the real problem in Diebold's system is that it's possible to "hack" the election if you are a staff member, or you have unrestrained access to the machines prior to the election. This is solved by the last point in Solutions to Disadvantages, and by the paper trail mentioned in Recording Each Vote.
All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2008 SourceForge, Inc.