An anonymous person sent computer disks containing the Diebold computer code that ran Maryland's election in 2004 to a former state legislator, the legislator reported. Diebold reacted with alarm and said it was treating the mailing as a theft. According to the Baltimore Sun:
Cheryl C. Kagan, a longtime critic of Maryland's elections chief, says the fact that the computer disks were sent to her - along with an unsigned note criticizing the management of the state elections board - demonstrates that Maryland's voting system faces grave security threats.
This is just the latest bad news for Diebold and the state. The state suffered major glitches during the primary election and has been pushing the company to resolve the issues.
Diebold has not confirmed that the code received by Kagan is authentic, said Mike Morrill, a spokesman for the company in Maryland. But Johns Hopkins University computer scientist Aviel Rubin reviewed one of the disks and said he believed it was genuine. If it wasn't, he said, "someone went to great lengths to make it look like it was."
"My feeling is that it may have come out of the testing labs, which means that if that's true, their procedures for protecting their clients' valuable proprietary information have failed," said Rubin, who in 2003 published a report on Diebold security flaws after discovering a copy of the code on the Internet.
"If it came out of Diebold, it's like Coca-Cola having their recipe exposed and then not learning their lesson," he said. "If it came out of the testing labs, then it's hard to blame the manufacturer."
Kagan contacted the state Attorney General's office and has been contacted by the FBI.
Based on their labels, the disks appear to be created by two companies that test the software - Wyle Laboratories and Ciber Inc., whose teams are based in Huntsville, Ala. Maryland law requires such independent testing before the equipment's use.
One disk contained software used in the 2004 election. Since Maryland now uses a later version, election officials assured the public the systems were safe. But that rather misses the point. There's no way of knowing if the current system is less vulnerable to the security holes found in the stolen version - because Diebold refuses to let others look at its code.