Policy —

Another source code leak for Diebold

Old source code to Dieobold voting machines turns up in Maryland and no one's …

Late last week, those concerned about the security of electronic voting machines had something new to worry about. According to the Washington Post, the source code to several Diebold software programs was sent anonymously to Cheryl Kagan, a former Maryland legislator who now works at the Carl Freeman Foundation.

While advocates of more secure voting have often clamored to see the source code in order to evaluate it for weaknesses, this wasn't what they had in mind. That's because no one is yet sure who first obtained access to the material and what other parties might now possess it. The discs showed up in the mail at Kagan's office along with an unsigned note trashing Maryland's election authorities. Kagan herself has criticized the insecurity of a voting machines in the past, which may have been a reason that the material was sent to her.

The discs contain source code to both the front-end software used in voting machines and the back-end software that tabulates results. Diebold officials stress that the source code in question is several years old and that significant security improvements have since been made, but critics worry that a company which can't keep a handle on its own source code is perhaps not the best choice to be safeguarding elections across the nation.

No one is even sure where the code came from. It arrived in bags bearing the marks of Wyle Labs and Ciber, two of the companies charged with doing security testing on the machines on behalf of local governments. Both companies have reported that they are not missing any discs, but the entire episode is enough to unnerve Johns Hopkins computer science professor Avi Rubin. "If, as I suspect (due to the labels on the disks), the software leaked out of the testing labs, then that is a serious problem that has to be addressed," he writes on his blog. "Don't get me wrong—I think that voting system software should be available to the public, but that is a different issue from whether or not testing labs are competent at protecting things that they are trusted with and that they believe they are supposed to protect."

Maryland is a natural place for this controversy to flare up. After numerous problems in the primary election, the state's governor was so fed up that he wanted to return to paper ballots for the actual election, something that was ruled out by Maryland's elections administrator as being unworkable.

With only two weeks to go until election day here in the US, the source code leak has spawned a new round of stories about the insecurity of the machines that will be counting our votes, and that sense of insecurity has trickled down even to local races. Candidates for local elections in my area have already sent out "get out the vote" packets, complete with a request to use optical scanning machines and not the newer touchscreens.

Channel Ars Technica