03/28/2009
the simple way to circumvent evoting
There is a big story developing in evoting in the US and the difference is again in the details.
In a small county in a rural state, the organizers responsible for the elections between 2004 and 2006 receive some new evoting software and hardware.
While they are running the tests, they see that it is very simple to confuse the voter into thinking that he has voted once he sees a "vote" screen pop up. If they can convince the voter that it is over and that he has to leave the voting booth (because there are people waiting), one of them "resets" the machine but in fact changes the votes if necessary, because the popup is only a CONFIRMATION ASKED screen.
To make it all work, they all have to be in it together: the supervisors, the organisers, the counters and the election workers. But hey, it is a small county and there is some money to be made.
So they go to their candidates and ask them for money for this guaranteed victory. To be sure, they pay some people to vote accordingly in the preliminary voting period (in which many controls are absent).
I am not sure how it was discovered (and the sums are quite small) but they will all end up in jail.
But what is most interesting is that this social engineering attack (or user interface mistake) was a zero day that was discovered by others who didn't report it but used it to their advantage (for some time).
So two questions remain
* shouldn't we, when testing evoting procedures and installations, work/attack more through scenarios and schemes instead of a list of things to check?
* how many more zero days are there out there in the evoting process ?