ALSO: State Report Finds Sensitive Voter Registration Database Vulnerable to 'Across-the-Board Access'
Diebold, State Election Director Lamone Continue State of Denial...
By John Gideon on 10/19/2006, 8:42pm PT  

Guest Blogged by John Gideon (with additional snark provided by Brad Friedman)

The Washington Post is reporting in Friday editions that the FBI is investigating the "possible theft" of Diebold electronic touch-screen voting system source code in Maryland.

While the Maryland State Board of Elections admits that the disks contained "the software...used in Maryland in the 2004 elections," Diebold denies everything. Of course. They gave their catch-all apologia --- the software is for "versions...that are no longer in use in Maryland" --- although they were forced to acknowledge "the version of one program apparently stored on the disks is still in use in 'a limited number of jurisdictions.'"

The disks feature logos from Ciber Inc. and Wyle Laboratories, Inc., two labs that test voting machines and software (sort of) for Diebold. Both firms deny the disks are theirs.

According to the article...

The disks delivered to [ex-Delegate Cheryl C.] Kagan's office bear labels indicating that they hold "source code" --- the instructions that constitute the core of a software program --- for Diebold's Ballot Station and Global Election Management System (GEMS) programs. The former guides the operation of the company's touch-screen voting machines; the latter is in part a tabulation program used to tally votes after an election.

Three years ago, Diebold was embarrassed when an activist obtained some of its confidential software by searching the Internet. The company vowed to improve its security procedures to prevent another lapse.

The release of such software poses a risk, computer scientists say, because it could allow someone to discover security vulnerabilities or to write a virus that could be used to manipulate election results.

WaPo goes on to report...

The Washington Post obtained copies of the disks Wednesday and allowed Avi Rubin, a computer scientist at Johns Hopkins University, along with a colleague and a graduate student, to review the software on the condition that they make no copies of it.

"I would be stunned if it's not real," Rubin said.

Rubin, who has said that electronic voting systems that do not produce a paper record of each vote cannot be secured, led a team that produced an analysis that pointed out security vulnerabilities in the Diebold software found on the Internet in 2003.

Sam Small, the graduate student, said the version of Ballot Station "was consistent with what we've seen previously." Small could not gain access to the GEMS software because the material on two of the disks was protected by a password.

...

The Diebold statement said "it would take years for a knowledgeable scientist" to break the encryption used on the software apparently contained on the disks delivered to Kagan. But Rubin said "the data and files were not encrypted" on the Ballot Station disk he reviewed.

So will Diebold just continue to deny that anything has happened or can happen? Will MD State Election Director Linda Lamone just pass on Diebold disinformation as she always does (despite knowing better...since she's seen the unredacted scientific reports on these systems from security organizations like SAIC and RABA)? Or will someone finally understand that this is a massive problem that needs immediate attention?

Maryland, along with Georgia, was one of Diebold's original "showcase states," implementing Diebold's hackable paperless touch-screen voting across virtually the entire state since 2002. With failure after failure, we might add.

If it's all not bad enough, in what is reported by WaPo as "an unrelated development" in the same article, a new report from Maryland state auditors revealed that the state's new voter registration database does not have proper security controls in place for access to the data...

Maryland state auditors said in a report yesterday that the State Board of Elections is not properly controlling access to a new statewide database of registered voters or verifying what changes are made to it. The report comes at a time of heightened concern over the security and effectiveness of electronic voting systems.

Legislative auditor Bruce Myers said it was unusual to allow "across-the-board access" by local election officials to a sensitive database, but Lamone defended the board's practices. In a letter released with the Office of Legislative Audits report, she wrote that the board "is unaware of any allegations of the falsification of additions or deletions to the system."

Phew! Lamone is "unaware of any allegations" of changes to the voter registration database. We feel better. If she's "unaware" of them, they couldn't possibly exist...even though the state found they could possibly exist and she's unaware of them.

Not bad enough for you yet? Read on...

The Office of Legislative Audits report also said the Maryland elections board has paid bills submitted by contractors without proper documentation and has not taken appropriate steps to safeguard its computer network and Web site.

Lamone said, "It seems inappropriate to base findings on a partially implemented system," referring to the new MDVOTERS database, which Maryland has established to comply with federal law.

She said it is appropriate for local election workers to have access to the database and said procedures are in place to verify changes. Lamone concurred with the auditors' criticism of her staff's accounting practices and said they had "obtained nearly all necessary documentation" for contractors' bills.

Providing the sort of local oversight envisioned by the auditors, she said, "simply cannot be conducted with existing resources."

Apparently Lamone --- who incredibly still has a job --- feels wide and uncontrolled access to the state's database of registered voters is just fine because it's only "partially implemented."

As usual Lamone, a Democrat by the way, uses 'smoke and mirrors' to cover for her own egregious failings as the state's elections administrator.

Have we mentioned how incredible it is that she still has a job?

UPDATE: Posted by John Gideon 11:45am Pac: The complete Office of Legislative Audits report can be found here.