Re: The paper trail will say what the machine SAYS
Look, *anything* can be manipulated. The goal is to make manipulation as difficult as possible.
A printer improves things dramatically, in that the ballot "MARKS" can be both visible and barcoded. There could be random spot checks post-voting. If there was a question (say) a party/group could request re-counts using their own scanners, or manually, as long as they want to pay for it. The machines that print the scannable ballot can be trivially 100% isolated. The paper generated should be near 100% legible and scannable. The scan results could trivially be validated by alternate scanning and/or manual counting.
Every voter should be able to physically look at the printed ballot with their votes on it and verify it before it is taken and scanned. If something was out of whack the printed names could be counted by hand as a check. As a matter of course there should be a "hand count" limit unless some sort of anomaly can be proven for a given set of ballots by a particular machine. If no reasonable discrepancy can be shown, machine counts stand.
Current party systems should keep most fraud at bay, i.e., I take my counting machine to precinct X, eyeball count N ballots, feed them into my machine, verify, feed the stack, verify precinct result.
Again, you can always have fraud, someone could be tossing out paper ballots they don't like, etc. Every scanned ballot should get serialized on scan, and again you have a total count validation and cross check point. You have to make it as difficult as possible to cheat.