Finally, we have solid evidence of actual electoral fraud with electronic (DRE) voting machines.
As reported on Bradblog, authorities uncovered a conspiracy, involving election workers, to tamper with early voting results to affect state, local, and federal elections. Sez they:
Moreover: The Kentucky officials arrested and indicted today, "including the circuit court judge, the county clerk, and election officers" of Clay County, have been charged with "chang[ing] votes at the voting machine" and showing others how to do it!
Security analysis below the fold.
First, here's how it worked: the attack exploited the subtly confusing user interface of the ES&S voting terminals. It wasn't a hacker attack on the underlying operating system or whatnot, but rather a very simple trick:
Essentially, they tricked voters into leaving the 'booth' after pressing the "Vote" button on the ES&S iVotronic. That button, does not actually cast the vote, as one might think (and as these voters were told), but instead, it brings up a review screen of the voter's "ballot."
In other words, the security vulnerability was nothing more than a misleadingly labeled button, that gives the false impression of a vote being committed when it simply took the user to a summary page.
Now, this cuts both ways. On the one hand, it shows that no matter how secure you make the electronic voting machine, a poorly designed user interface can be exploited for election fraud. So even if you give these things paper trails and encrypted pipes up the wazoo, they're breakable.
On the other hand, this isn't limited to electronic voting machines. You will remember that the butterfly ballot that first triggered all this DRE mess was a paper system with the same basic problem: people didn't vote the way they thought they did. And the right person in charge of running the election can parlay that misunderstanding into a deliberate effect.
Finally, the attack involved a conspiracy of election officials and election workers. You might think that a voter-verifiable paper trail would fix this, but how? For all we know, the ES&S machines could have provided a receipt, except the voter was ushered out of the booth before it would have been printed. And if there were paper ballots, a conspiracy of election officals and workers could tamper with those as well. Well, maybe with more effort and more risk.
So overall, is this an indictment of electronic voting machines in particular? Yes, yes it is. Even though a conspiracy this big could tamper with a paper election, I believe the ES&S DRE machines made it far easier, and did not require anyone to gain access to a physical ballot box.
One final note: it is often said that despite all the security flaws, there is no evidence that DRE machines were ever hacked in a real election. This attack really strains the definition of hacking, since it's really social engineering and doesn't exploit any security flaws. I would say that there is now finally solid evidence of DRE fraud, but it doesn't involve hacking or exploiting the many vulnerabilities those machines have.