I am not seeing how the request system is vulnerable. As I understand it there is a register of absentee voters, ballots are generated (sometimes with privacy sleeves/envelopes etc) and printed with barcodes that tie ballots back to a specific voter ID up until the point that information is separated for counting.
Given knowledge of how that system works and controls put around it I doubt any such vulnerabilities could exist that could be found by statistical analysis that isn't already being done...
I also think you missed the point of my last sentence which is that you could consider the actual ballot system a lot like AES or any other cryto system you might be familiar with.
Cracking the crypto system is stupidly hard because a ton of time was invested making that so.
Instead attacking the stuff -around- the crypto system is likely to prove much more fruitful. i.e social engineering, side channel attacks
In the same way the attacks I listed above elicit the desired effect (a certain candidate having an unfair advantage) but without attacking the actual ballot system itself (which is likely far too difficult).
Essentially it's a case of lower hanging fruit, you don't need voter fraud to "steal" an election.
Thanks for having such a great conversation on this --
> I am not seeing how the request system is vulnerable.
Here's the scenario: I obtain your SSN, Name and Address to request your ballot to my address (either in the bussing example through your explicit permission or through the nefarious example like using Equifax 2017-2018 Data), then I fill it in at my address, and then mailed it in.
(Edit: to be clear, you have only provided the information to start the ballot process, or I obtained it nefariously, and submitted a ballot without your presence and pen to paper)
That's not a vulnerability? I guess I have a weird definition... I'm saying that's not what I expect when I hear someone 'voted.'
That's a vulnerability, but there's no evidence it happens in any scale.
If it did happen in any scale, people would notice because the victim of fraud, when they tried to vote, would be notified that their ballot was duplicated or already mailed in. Also, note that the address ballots go to is the voter's registered address, and many ballots going to the same address would be noticed.
Anyway. This sort of vulnerability really does exist all over real human systems, and in reality it mostly doesn't matter. People usually don't do this sort of fraud en masse.
Online vulnerabilities can be exploited at scale easily by a single malicious actor, but human vulnerabilities, like dine-and-dash, or package theft, etc, are much more rare. They're illegal, which discourages most people, and to do any of them at scale, you need a lot of people... and one of those people is likely to report it. The human factor makes scaling it up much harder.
Intercepting a lot of voter ballots either requires them all to go to the same address (which will get noticed), or for you to steal them from many addresses (which won't scale easily per above and will be noticed). Either of those schemes will be noticed when a voter attempts to actually vote.
Given knowledge of how that system works and controls put around it I doubt any such vulnerabilities could exist that could be found by statistical analysis that isn't already being done...
I also think you missed the point of my last sentence which is that you could consider the actual ballot system a lot like AES or any other cryto system you might be familiar with.
Cracking the crypto system is stupidly hard because a ton of time was invested making that so. Instead attacking the stuff -around- the crypto system is likely to prove much more fruitful. i.e social engineering, side channel attacks
In the same way the attacks I listed above elicit the desired effect (a certain candidate having an unfair advantage) but without attacking the actual ballot system itself (which is likely far too difficult).
Essentially it's a case of lower hanging fruit, you don't need voter fraud to "steal" an election.