This morning, NPR's Weekend Edition covered the latest trouble with Diebold's touch-screen systems. They went to Pottsville, PA during last Tuesday's primary election.

The producer on the story had contacted us last week, prior to the story, for some background information. The resultant report, aired this morning, was generally a good --- and for a chance, accurate! --- one, we think.

By way of quick summary: Diebold spokesman Mark Radke explains the latest security hole, which had caused a lockdown of all Diebold touch-screen machines in PA, just days prior to the election, was there for a good reason --- to update software quickly, he says.

No explanation, of course, for why Diebold didn't feel it necessary to warn PA themselves about such a need for these extreme measures long ago. Especially since they were warned about the problem as long ago as January 2004.

Johns Hopkins computer science professor, Avi Rubin, says he can't think of a problem ever revealed in a voting machine as severe as this one --- the one which Radke predictably downplays --- adding that a TIVO system has more built-in security than a Diebold voting machine!

Radke says the physical security of the machines would make it impossible to exploit the security hole. Radke, of course, knows he's just spinning. Rubin makes that clear in his response, explaining how he could have compromised an election in about 5 seconds as a poll worker through this ridiculous vulnerability.

-- Listen to the full report (about 5 mins) here...

...And let us know what you thought of it in comments.

UPDATE: Barb Burt over at CommonCause, blogs on the NPR item as well this morning, giving it high-marks, along with a few other notable thoughts.

UPDATE 5/24/06: A text transcript of the NPR report is now included below...

The massive security flaw recently revealed in Diebold touch-screen voting machines --- which allows election software and systems to be overwritten with rogue software in minutes, without need of a password --- and which has sent Elections Officials from Pennsylvania to California to Iowa to every state in the union which uses them, sequestering the machines and scrambling for a solution to mitigate the problem, was previously revealed in a 2004 security report commissioned by the state of Maryland, The BRAD BLOG has learned.

The security assessment of Diebold's touch-screen voting systems was completed by RABA Technologies, and presented to the Maryland State Legislature in January 2004. The report, reviewed at the time by both Maryland election officials and officials at Diebold, consisted of "a 'Red Team' exercise to discover vulnerabilities in the actual voting system" prior to the state's March 2004 primary election.

A "Red Team" attack is used by computer security teams to attempt to hack into a computer system or software package. The results of the RABA report in 2004, spelled out specific details of the latest Diebold security problems which have been splashed across the pages of maintream media outlets from coast to coast since last Wednesday.

Maryland was one of the first states to adopt Diebold's paperless touch-screen systems in 2002 and, as previously reported, spent millions of dollars , in an initiative with Diebold at the time, to promote the new electronic voting systems to state voters.

The security problem exists in both Diebold's paperless touch-screen systems, as well as their newer models which include a so-called "voter-verified paper trail."

The BRAD BLOG broke exclusive details of the story originally on Friday before last, several days before the MSM joined the fray...but we're glad that they're all finally paying attention.

Apparently, though Diebold was apprised of the serious security problem back in early 2004, Diebold programmers and company officials appear to have done nothing to fix the flaws which were found as still present in voting systems being sold by the company this year. In March of this year, an independent security analysis of Diebold touch-screen systems deployed in Utah for the first time, confirmed the continuing presence of the same flaw and, additionally, found even more troubling details surrounding the same security vulnerability.

At least one computer scientist and E-voting expert has now described Diebold's delinquency in failing to correct the problem after two years to be "criminal" and meriting complete decertification.

Furthermore, the security vulnerability --- being described by computer security professionals as "the most serious security breach that's ever been discovered in a voting system," and "a major national security risk" --- appears to be yet another apparent violation, by Diebold, of federal Voting System Standards...

Apropos to the discussion of late concerning the unquestioning relationship between Voting Machine Company Officials and State Elections Officials (see our last entry with documents revealing Pennsylvania simply reformatted a Diebold notice and released it as their own), The BRAD BLOG has obtained exclusive video from a public meeting held in Mississippi last year in which Diebold representative Charles "Buck" Jones demonstrates the AccuVote TSx (touch-screen) machines to a number of people, including the Mississippi Secretary of State Eric Clark.

Clark, who clearly states that his mind is already made up as to the security of Diebold's touch-screen systems refuses to stick around to answer questions at the meeting. Incredibly, he's recorded in this video tape, made in 2005, describing the security of the Diebold's touch-screen machines as "the most secure thing outside of a Wells-Fargo truck."

Jones, "The Diebold Man", as described in the video, is the one trying to refute "reports you might have seen on the Internet" to some Election Integrity Advocates present at the meeting. He's the one who says directly to the camera: "I'm not gonna see it on the Internet or anything like that, right?"

BRAD BLOG readers may recall Jones as the one who'd contacted us via email on a Saturday last March just moments after we'd posted an article concerning an election in New Hampshire which had to be rerun after it was discovered the electronic voting machines had apparently recorded more votes than there were voters. The story Jones contacted us about covered the New Hampshire Union-Leader's report of the incident, which had errantly described the voting machine in question as one of Diebold's. Jones kindly informed us the Union Leader report was in error, and the faulty machine was, in fact, made by their competitor, ES&S.

We quipped at the time that it would be lovely if Diebold was as responsive to the myriad problems revealed in their own systems, as they apparently are in pointing out problems found in their competitor's systems.

Given the litany of recently revealed, irrefutable security problems found in Diebold electronic voting machines, this seems a good time to share this video with you. It was made by one of the attendees at the meeting...

"It is like the nuclear bomb for e-voting systems," said Avi Rubin, computer science professor at Johns Hopkins University. "It's the deal breaker. It really makes the security flaws that we found (in prior years) look trivial."
-- From Security Focus, 5/12/06

Pennsylvania officials warned local election registrars last week about the vulnerability in the mechanism that installs and upgrades software on Diebold equipment. It said the risk of the vulnerability being exploited was "low".
-- From AP, 5/11/06

The first graf above, quoting Rubin, comes from a superb and indepth article by Robert Lemos at Security Focus on the latest Diebold security disaster. We recommend his report for a host of reasons, amongst them; his broad coverage of dozens of the stories we've yelled and screamed about here at The BRAD BLOG over the past several months, but also because he adds loads of details to the latest Diebold mess which is finally being picked up by the mainstream media. Big time. (Here's an eye-popping compilation of scores of articles from just last Wednesday, Thursday and Friday, with many more to come.)

We point to Rubin's quote --- similar to on the record statements from of the other computer scientists and e-voting security professionals familiar with the details of the built-in "feature" in Diebold's touch-screen systems now revealed to be an extraordinary security vulnerability --- by way of contrast to the way both Diebold and the State of Pennsylvania (and subsequently the bulk of the media) reported their characterization of the problem. That would be the second graf of this story in which AP quotes PA officials describing the risk as "low."

From Diebold's Mouth to Your Ears...

We're often asked, by media folks and others, why it is that Election Officials seem to stand by their E-Voting Machines and Vendors, such as Diebold, ES&S and others, instead of holding them accountable and independently verifying their (usually unsupported) claims about the security and reliability of their voting machines --- as Leon County, FL Supervisor of Elections, Ion Sancho and Emery County, UT County Clerk, Bruce Funk, both rare exceptions --- did.

Setting aside that both Sancho and Funk have been fighting with state officials to hang on to their jobs ever since, The BRAD BLOG has obtained a few documents which underscore what's really at work in the bulk of Election Official/Election Machine Vendor relationships...

By John Gideon, www.VotersUnite.Org and www.VoteTrustUSA.Org May 15, 2006

Yes, the wheels are wobbling on the locomotives. The vendors --- ES&S, Diebold, and the rest --- attempt to keep a stiff upper lip as they both fail to perform, yet continue collecting tax-payer dollars from the county election coffers. Meanwhile some elections officials have just turned a blind-eye to what is happening while they continue to make excuses for their vendors: The private corporate American Electronic Voting Machine behemoths that are being paid to take over America's Public Electoral system.

And the Election Assistance Commission (EAC) which was put in place by the Help America Vote Act (HAVA), theoretically, to keep all of this from occurring? Well, all they do is raise their hands and shrug and tell anyone who asks, that they don't do voting systems certification so they just don't know anything. The Sergeant Schultz Defense, perhaps?

And we entrust these guys to correctly count our votes?! Are we out of our minds? Can these guys do anything right? (These questions have long ago been answered on these very pages, of course.)

From AP today...

And from the Daytona Beach News-Journal...

How much higher can the mountain of evidence get to make the case that these guys should be put out of the election business and our democracy's misery immediately and entirely?

Who the hell is running the federal Elections Assistance Commission (EAC)? OJ's jury?!

...CONTACT...
United States Election Assistance Commission
1225 New York Avenue N.W., Suite - 1100
Washington, DC 20005

Telephone: (202) 566-3100
Toll Free: (866) 747-1471
Fax: (202) 566-3127
E-mail Address: HAVAinfo@eac.gov

An article in the conservative Wall Street Journal tomorrow covers a number of E-voting meltdown/train wreck issues around the country, including the nine lawsuits currently in progress around the country to push back these damned, untested, unsecure, hackable machines and other points of which The BRAD BLOG has been reporting over the last many many months.

We're glad to see them finally take notice and report on these problems to the nation.

The niceties now set aside, the article minimizes the myriad severe problems and security issues throughout. One way of doing that, is referring to these problems as "glitches" no less than five times by our count. Another way of doing that, is quoting Election Integrity attorney Lowell Finley of VoterAction.org in half a sentence. And devoting the rest of the quotes in the piece to spokespersons from Diebold (known liar, David Bear) and ES&S, along with unsecure electronic voting proponent (and cowardly disinformation expert), AZ Sec. of State, Jan Brewer.

None of the many Election Integrity advocates, computer science or security professionals, apparently, were allowed to refute the silly apologists disinformation statements of Brewer, Bear or Ken Fields of ES&S.

Still, one passage from late in the article is just flat wrong:

Sounds a whole lot like David Bear talking there. The fact is, the so-called "Hursti Hack" in Leon County, Florida in December, 2005, covered in some detail by the mainstream media, confirmed by CA SoS and Diebold proponent Bruce McPherson's own independent analysis [PDF], proved beyond a shadow of a doubt that both a hacker and an insider could electronically manipulate the vote.

We're happy to see the national coverage. It would be nice if they could avoid such statements that are demonstrably wrong and misleading.

National media may feel free to contact us. We'll be happy to help you avoid such easily avoidable errors and will put you in touch with all manner of experts who can help you understand what's really going on here.

Guest Blogged by John Gideon

As was expected the corporate media picked-up the latest in Diebold's sordid story --- which we reported first here last Friday --- with articles by Ian Hoffman yesterday and today and even the Associated Press stepped in as well.

Unfortunately the headline of Hoffman's article yesterday characterized the security hole as being a 'glitch'; which this certainly is not. It is also not a 'flaw' as it was characterized by today's Hoffman and AP articles. (Ed note: Hoffman has been very good at reporting on all of these related stories, so we don't wish to be overly critical of him, but rather point out the inaccurate characterization.)

This is a 'feature' that was knowingly installed by Diebold. It was not a mistake or something that was overlooked in the design of the software. It is not a 'bug', 'glitch', 'flaw', 'error in programming' or any other simplistic name. Michael Shamos, a Carnegie Mellon University computer science professor and veteran voting-systems examiner for the state of Pennsylvania has said this:

Johns Hopkins University computer science professor Avi Rubin, who published the first security analysis of Diebold voting software in 2003 had this to say:

In the meantime the state of Georgia has decided that there is nothing that they have to do because their administrative rules already mitigate the problem. Of course, they made that statement without knowing what the full problem is.

A redacted copy of the Hursti "Critical Security Alert: Diebold TSx and TS6 voting systems" can be found at BlackBoxVoting.Org. Bev Harris guarantees that the redaction only resulted in 50 words being removed from this copy of the report.

Finally, I would be remiss in not pointing to this final line of Dan Goodin's article for AP:

Uh, Dan, you could have had a more timely article, and probably scooped Ian Hoffman if you had read The BRAD BLOG on Friday, where you would have found the whole story posted exclusively that day.

It's about time that the corporate media begin looking to the blogs as a source instead of ignoring us like we aren't here. Or at least admitting that they're looking to the blogs as a source, instead of only attributing those in the MSM.

Will Dan Goodin or the AP post a clarification to their story? We're not holding our breath.

Just out from Reuters...

The investigation of Diebold by the SEC, which we had heard previously about through background sources over the past several months, comes on the heels of a class action Securities Fraud litigation suit, originally reported exclusively by The BRAD BLOG just before it was filed last December.

That suit came on the heels of a growing number of reports on the reliability and vulnerability of Diebold's electronic voting machines and concerns about their larger ATM division.

Last September, just days after we reported on an anonymous Diebold insider, nicknamed "DIEB-THROAT", who pointed us to a Dept. of Homeland Security "Cyber Security Alert" about vulnerabilities in Diebold's election software, the company's stock-prices plummeted more than 15%.

While the stock price has remained lower than the nearly all-time highs it had been at just prior to the sudden drop, the price per share has been slowing inching back up over the last several months since the resignation of former CEO Walden O'Dell who was apparently pushed out just prior to the filing of the Securities Fraud suit which complained of insider trading, stock price manipulation and other malfeasance by eight current and former top Diebold executives.

O'Dell had earned criticism after sending a fundraising letter to Republicans, prior to the 2004 President Election promising to deliver the state of Ohio to George W. Bush, for whom O'Dell was a top supporter.

O'Dell was quickly replaced by the President of the Diebold Elections division, Thomas Swidarski, who is also named in the class action litigation.

Problems continue to plague the North Canton, Ohio-based company's Electronic Voting Machine division. Last Friday, The BRAD BLOG filed a detailed report on the newest security vulnerability to be discovered in Diebold touch-screen voting machines. This particular vulnerability, just the latest in a string of more than a dozen serious flaws to be discovered since last December, has been described as a "major national security risk" and last week forced the state of Pennsylvania to "sequester" all of their new Diebold touch-screen systems until an attempted "fix" can be applied to mitigate the problem...

By John Gideon, Executive Director, VotersUnite.Org and Information Manager, VoteTrustUSA.Org --- May 8, 2006

This has been another week of "Train Wrecks" across the country. Three states had major primaries with mixed success and failure, a few states had local elections with failures, and some states are preparing for May primaries and they are meeting the "oncoming locomotive" as they can't get machines or software for the machines and are having to revert to paper ballots or lever machines.

Elections Systems and Software (ES&S) is now facing investigations, lawsuits, or just plain pissed-off elections officials in West Virginia, Arkansas, Missouri, Indiana, Texas, Pennsylvania, California, and other jurisdictions. And now we learn that Diebold has a huge security vulnerability that all voting systems experts who know the details are very concerned about.

Next Tuesday, May 9, finds the train barreling down on primary elections in West Virginia and Nebraska. May 16 brings potentially hazardous primary election whistle-stops in Kentucky, Oregon and, the grand central station that is Pennsylvania.

Let's take a look at some of the continuing derailments from the past week, about which prompted Brad Friedman of The BRAD BLOG to ask of D.C. politicians and, more notably, the National Mainstream Media: "Is anybody there? Does anybody care?"

We've now been able to gather a great deal of additional information concerning details about the story we first posted yesterday on the official Pennsylvania state warning issued about the new "security vulnerability" discovered in all Diebold touch-screen electronic voting machines.

That warning, which has now brought a lock-down on all Diebold systems in PA, where early absentee (non-machine) voting is about to begin prior to their upcoming May 16th primary election, was reported by the Morning Call yesterday. The warning says the serious security vulnerability could allow ''unauthorized software to be loaded on to the system."

Public details about the warning are still sketchy as those in the know have acknowledged that the problem is so serious, they are hoping to keep the info under wraps until mitigation steps can be taken to safeguard systems.

The BRAD BLOG has been told on the record, however, by one person involved in the matter, that the vulnerability is a "major national security risk."

We've been speaking to many sources today, and we've been able to get several first hand comments on the problem from top officials and analysts directly involved in both state and federal certification of the Diebold systems, as well as from those involved in the initial discovery of the problem.

What's clear is that Morning Call's reporting that it was Diebold who found the "glitch" are flat wrong. The discovery of the "glitch" (which is anything but) emanated from the examination of Diebold AccuVote TSx (touch-screen) machines recently in Emery County, UT.

A source has told The BRAD BLOG that Diebold was "cornered" into admitting to the problem, a far cry from them having "found" it, as the Morning Call characterized it.

What's also clear is that neither Diebold themselves, nor federal officials at the Elections Assistance Commission (EAC) have been notifying states about the serious problem which apparently affects all Diebold AccuVote touch-screen systems, including both their newer TSx models, and the older TS and TS6 models.

The Diebold TSx models, with the security vulnerability still intact, were apparently used in the primary election last Tuesday in Ohio.

A document at Diebold's website describes [PDF] the TSx models as featuring "Industry Leading Security."

In Utah's Emery County, state officials are attempting to force Bruce Funk, the 23-year elected County Clerk out of his job in the wake of his having allowed a security evaluation of the county's new Diebold touch-screen systems by both computer security firm Security Innovation and Finnish computer security expert Harri Hursti. According to several sources, that analysis revealed many new vulnerabilities and problems in the Diebold touch-screen systems, including the one that seems to be at the heart of the problem now being warned about by Pennsylvania officials.

Funk --- who has since been "vilified," as one source told us, by both Diebold and Utah state officials as high as the Lt. Governor --- was forced to implement the new Diebold touch-screen systems for the first time this year against his own objections. His prudent subsequent security evaluation of the systems was arranged by electronic voting watchdog organization, BlackBoxVoting.org. (We recently interviewed Funk on the radio concerning that evaluation, and his subsequent removal from office in its wake. Listen to that interview here [MP3].)

Here's some of what we've so far been able to learn from a number of officials, both on the record and off, in Pennsylvania, elsewhere around the country and at the federal level, as well as those involved in the initial Emery County discoveries...

Just weeks before their May 16th Primary Election, the Pennsylvania Sec. of State, Pedro Cortez issued a Security Alert late Tuesday concerning a "potential security vulnerability" in Diebold electronic voting machines which could " allow ''unauthorized software to be loaded on to the system." The warning was revealed yesterday at a meeting in Schuylkill County.

Details about the warning are still sketchy this morning, and we're trying to learn more, but The Morning Call is reporting today that the "glitch" was "found" by Diebold and counties are now being instructed to lock down systems and seal the memory cards into them.

A "fix" is said to be on its way from Diebold, though that begs the question of whether the last-minute software patch will be certified by federal and/or state authorities before it's installed on machines that have already proven to be vulnerable to hackers and other failures.

(As regular BRAD BLOG readers know, even if the software is inspected by federal authorities before being installed in machines, there is no guarantee that those authorities will find the bugs and illegal code that Diebold is quickly becoming famous for. The federal so-called "Independent Testing Authority" (ITA) is paid for by the voting machine company's themselves and has overlooked gaping flaws in software submitted by the vendors for years).

Says the Morning Call today about the security warning...

As you know, those "glitches" in our elections are never Diebold's fault, or that of any of the Electronic Voting Machine Vendors who supply the equipment that doesn't actually work. It's always an untrained pollworker, or a voter who didn't read the instructions, or too darn much humidity.

So it wasn't Diebold's fault when Diebold's machines failed to work or to count absentee ballots by the thousands on Tuesday in Cuyahoga County, Ohio's Primary Election.

Look! Here's proof!

As of 5pm Wednesday, Cuyahoga County was still hand-counting the 17,000 absentee ballots which the Diebold machines, through absolutely no fault of Diebold's, were unable to count as Diebold had promised.

No word yet on whose fault it wasn't that Diebold's paper-trail printers kept jamming all day, or on the 70 Diebold memory cards (otherwise known as thousands and thousands of ballots) which went missing. But we know that wasn't Diebold's fault either. Though perhaps the part about them being so incredibly easy for anybody to change the data on those cards in about 30 seconds while they're "missing" could be Diebold's fault.

Nah. It's probably just the humidity.

Our Electoral System Meltdown continues as more and more reports come in on epidemic Electronic Voting Machine failures around the country. It's neck and neck right now as Diebold and ES&S battle it out for the prize of Worst Company, Worst Service, Worst Technology and Best Excuse Maker. But we've got a long way to go in this Election Year, so it's still anyone's contest. (Anyone's but the voters, that is.)

A "glitch" --- that's the magical word that was used no less than three times in WOOD-TV's coverage --- in the Diebold optical-scan system used for the first time in Barry County, Michigan's election yesterday forced Elections Officials to count all ballots by hand. Since it was an optical-scan system --- which uses paper ballots --- they were able to do so. That would have been next to impossible had a similar disaster befallen a touch-screen system with "paper trails" and completely impossible on a paperless touch-screen machine.

All seemed fine throughout the day on Barry County's new voting machines until the optical scanner printed out the final results at the close of the election. The report was found to have had all matter of inexplicable totals including 0 votes for some candidates and no YES votes for any of the bond issues on the ballot.

Sound familiar?

The Barry County mess, as it's being reported by WOOD-TV, sounds almost identical to the situation in Leon County, FL last December where "hackers" had exploited a security vulnerability in Diebold's optical scanner memory card causing it to print results that were virtually the opposite of the true results on the paper ballots. The "hackers", who were computer security experts, had hidden all traces of their "crime" in that mock election test, so it would likely never have been discovered.

The problem affected 15 out of 16 townships in Barry County on machines which cost $4000 a piece and were purchased because County Officials claim the federal Help America Vote Act (HAVA) forced them to do so.

WOOD-TV covers the story, "glitch" after "glitch", with both text and a video reports. Here's a few details from their text report...

Add this to our previous report on the Diebold Disaster in Cuyahoga County, Ohio during yesterday's Primary Election. The Cleveland Plain Dealer headlines their story: "First all-electronic election marred by problems".

As expected the word "Glitch" makes it's way quickly into the headlines in Columbus Dispatch's coverage ("Glitches delay voting and reporting of results") as they cover problems across a number of counties, including counties that use ES&S machines which also failed in a number of locations. Inevitably, the poll workers are blamed by officials, of course.

As to Cuyahoga, the Plain Dealer has set up a running blog on their website covering the ongoing problems. Here's the latest...