Back to 18-Feb-04 press release
Five Myths of invulnerability in touch screen voting systems
Even though fraud is not the issue we want to rely on, it's worth countering myths about voting system invulnerability.
-
Touchscreen proponents will tell you the scale of conspiracy required to achieve an intrusion or software backdoor is huge.
This is not true. Most backdoors are not deliberate but simple coding errors. And most exploits are found and viruses written by a single person. Witness for example yesterday's discovery of an unintentional backdoor in Windows arising from a single line of source code missing a single word. Even if this had been deliberate, it passed all code reviews and lurked for years; it did not require any conspiracy, and was discovered by a lone hacker.
-
Touch Screen proponents will tell you that source code certification and escrow are enough to protect us.
This is not true. All of the documented mistakes to date were on systems that fully passed all testing and certification and exceeded all state and federal standards, and many had escrowed source.
Source code escrow has proven useless: although the code is escrowed, so far the states are not allowed to look. Worse, the public has no access and the most trained eyes are prohibited by non-disclosure agreements.
-
Touchscreen proponents will tell you that their voting kiosks are invulnerable because they are never connected to an insecure Internet connection.
This is not true. An equivalent statement has been made for the much more tightly regulated Automatic Teller Systems used by banks. These are never connected to the Internet, in theory. In fact, the Internet worm Blaster infiltrated the ATM systems of two major banking institutions. How? Because even though it was against policy, someone somewhere did connect a computer directly to the Internet, if only for a moment.
Moreover, though any given computer might never be connected to the Internet, the software on it was almost certainly written on a computer that was connected. Indeed it was probably written in another country.
-
Touchscreen proponents will tell you that since future ballots may not be known at the time the vendor programs the machine, they can't put anything bad in the software.
This is not true. For example, a machine could be rigged such that when a malicious voter touches the screen in a certain combination of places, whatever ballot is cast next will become the "desired" outcome for the machine. This is exactly how slot machine software has been rigged (to change the payoff schedule following a combination of coins and button presses). Other successful slot machine hacks include using the daily "testing software" to secretly re-program the systems en masse through a backdoor. It should be noted that the security controls for successfully attacked Nevada slot machine software obey much tighter regulation than voting machine software, yet hundreds of millions are stolen.
-
Touch Screen proponents will tell you systems can't be corrupted because Election Officials only enter data, not programs.
This is not true, and in fact is the single most common attack. Election officials work at a deliberately simplified level, normally entering only a ballot description file. In principle this is just data, not a program, in exactly the same sense that an e-mail message is just data, a word processor document is just data, and a web page is just data; the underlying program is unchanged by the data, in theory. But all of these similar cases have been compromised when bugs allowed the data to contain executable instructions.
Indeed, a newly found Windows backdoor is entered by opening a photograph in the web browser. Theoretically, an image is pure data, but a bug placed executable instructions on the command stack. One would be truly naive to believe that elections software won't contain analogous exploitable bugs that allow program alteration via innocuous ballot description files.