US Election Assistance Commission - Voluntary Voting System Guidelines Vote

View Comments

 
Name :   Ron Crane
Organization :   N/A
Post Date :   9/30/2005

General Comments
Comment :  18. Generally, no voting system component should have resident software. Each component should be booted from read-only media for each election. Further, elections officials should validate each medium against a widely-published cryptographic signature before each use, and should allow election observers to do the same. And such verification should, of course, be done using a non-vendor-provided program.[20]

Resident software creates a variety of security vulnerabilities. First, an unscrupulous vendor simply can ship cheating software in its machines. Since there's no good way to verify what software is actually contained in a machine, and the procedure for any verification is complex, officials aren't likely to do it, and even those who do won't discover cheats emplaced by crafty vendors.

Second, resident software makes it more risky to store voting equipment, since insecure storage could permit even a relatively unskilled person to load cheating software into it. It's easier to store a batch of CDs securely than to store a county's worth of voting stations. (Of course, a semi-skilled person could replace stored machines' firmware with a version containing a malware loader. But this is (usually) more difficult to do than merely replacing the voting application.)
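
The pre-election media check the comment calls for, sketched as an added example that is not part of the comment or of the EAC guidelines. It assumes the published value is a SHA-256 digest manifest in `sha256sum` layout, standing in for the "cryptographic signature" the comment mentions; the file labels, function names and sample images are hypothetical and constructed.

```python
import hashlib
import io

CHUNK = 1 << 20  # hash in 1 MiB blocks so a full disc image never sits in memory

def digest_medium(stream):
    """SHA-256 hex digest of a readable binary stream (image file or raw device)."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse 'hexdigest  label' lines (sha256sum layout) into {label: digest}."""
    published = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, label = line.split(None, 1)
        digest = digest.lower()
        if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"malformed digest for {label!r}")
        published[label] = digest
    return published

def verify_media(published, media):
    """Return {label: status}; media maps label -> binary stream."""
    report = {}
    for label, stream in media.items():
        expected = published.get(label)
        if expected is None:
            report[label] = "UNLISTED"  # medium that the manifest does not name
        else:
            report[label] = "ok" if digest_medium(stream) == expected else "MISMATCH"
    for label in published.keys() - media.keys():
        report[label] = "MISSING"  # manifest entry with no medium presented
    return report

def demo():
    """Run the check on constructed sample images (not real election media)."""
    image = b"constructed voting-station boot image" * 1000
    manifest = (f"# constructed manifest\n{hashlib.sha256(image).hexdigest()}  station.iso\n"
                f"{'0' * 64}  tabulator.iso\n")
    media = {"station.iso": io.BytesIO(image),
             "tabulator.iso": io.BytesIO(b"altered image"),
             "extra.iso": io.BytesIO(b"unexpected disc")}
    return verify_media(parse_manifest(manifest), media)
```

Because it uses only the standard library and a plain-text manifest, officials and observers can each run the same check from their own copy of the published digests.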