While watching the testing of opti-scan paper ballot readers (images)..

Security Analysis of the Diebold AccuBasic Interpreter, Voting Systems Technology Assessment Advisory Board (VSTAAB), February 14, 2006

p. 36: In the longer term, or for statewide elections, the risks of not fixing the vulnerabilities in the AccuBasic interpreter become more pronounced. Larger elections, such as a statewide election, provide a greater incentive to hack the election and heighten the stakes. Also, the longer these vulnerabilities are left unfixed, the more opportunity it gives potential attackers to learn how to exploit these vulnerabilities. For statewide elections, or looking farther into the future, it would be far preferable to fix the vulnerabilities discussed in this report.

p. 35: The FEC 2002 Voluntary Voting System Standards expressly forbid interpreted code.
The inclusion of interpreted languages in a voting system causes great burdens on examiners and code reviewers, who have to be highly skilled and do considerable analysis of the compiler and interpreter in order to verify that it does not present security vulnerabilities or permit malicious code to go unnoticed.

p. 9: All of this information on the memory cards is critical election information. If it is not properly managed, or if it is modified in any unauthorized way, the integrity of the entire election is possibly compromised. It is therefore vital, as everyone acknowledges, to maintain proper procedural control over the memory cards to prevent unauthorized tampering, and to treat them at all times during the election with at least the same level of security as ballot boxes containing voted ballots.

p. 11: There are serious vulnerabilities in the AV-OS and AV-TSx interpreter that go beyond what was previously known. If a malicious individual gets unsupervised access to a memory card, he or she could potentially exploit these vulnerabilities to modify the electronic tallies at will, change the running code on these systems, and compromise the integrity of the election arbitrarily.

p. 12: None of the vulnerabilities we found would have been found through standard testing, so testing is not the answer. This is a long-term problem with the use of interpreted code on removable memory cards, and with the failure to use defensive programming and other good security practices when implementing the interpreter.

p. 13: The consequence of these vulnerabilities is that any person with unsupervised access to a memory card for sufficient time to modify it, or who is in a position to switch a malicious memory card for a good one, has the opportunity to completely compromise the integrity of the electronic tallies from the machine using that card.

p. 13: The attack could manipulate the electronic tallies in any way desired.

p. 13: The attack could print fraudulent zero reports and summary reports to prevent detection.

p. 13: The attack could modify the contents of the memory card in any way, including tampering with the electronic vote counts and electronic ballot images stored on the card.

p. 13: The attack could erase all traces of the attack to prevent anyone from detecting the attack after the fact.

p. 13: It is even conceivable that there is a way to exploit these vulnerabilities so that changes could persist from one election to another. For instance, if the firmware or software resident on the machine can be modified or updated by running code, then the attack might be able to modify the firmware or software in a permanent way, affecting future elections as well as the current election. In other words, these vulnerabilities mean that a procedural lapse in one election could potentially affect the integrity of a subsequent election.

p. 16: It is conceivable that the attack might be able to propagate from machine to machine, like a computer virus. (The same is true of the DREs, IOW "it's the memory cards, stupid.")

p. 16: The attack could affect the correct operation of the machine. For instance, on the AV-OS, it could turn o_ (I believe that should read "off") under- and over-vote notification. It could selectively disable over-vote notification for ballots that contain votes for a disfavored candidate, or selectively provide false over-vote notifications for ballots that contain votes for a favored candidate.

p. 16: In addition, most of the bugs we found could be used to crash the machine.

p. 17: It is important to note that even in the worst case, the paper ballots cast using an AV-OS remain trustworthy; in no case can any of these vulnerabilities be used to tamper with the paper ballots themselves.

p. 18: Our analysis also confirmed that the AV-OS fails to check that the vote counters are zero at the start of election day.

http://www.democracyfornewhampshire.com/files/blc/election-report-findings.pdf (PDF file)