US Election Assistance Commission - Voluntary Voting System Guidelines Vote

View Comments

 
Name :   Ron Crane
Organization :   N/A
Post Date :   9/30/2005

Section Comments
Section :  .20.1.3.1.4
Page no. :  
Line no.:  
Comment :  8b.

b. While Vol. II, §1.3.1.4 says that the test lab also witnesses the build of the executable system to ensure that the qualified executable release is built from the tested components, an unscrupulous vendor could manipulate this process to inject malware into the build, particularly because the Guidelines do not require anyone else to build the system and to compare what was built against what the vendor sent to the "software repository".

Further, an unscrupulous vendor could modify its compiler, linker, etc., to inject malware into the voting application.[13] Since the Guidelines do not require the vendor to submit the compiler, linker, etc., for escrow by the "software repository", they do nothing to prevent this.
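
The following is an added illustration, not part of the comment above or of the Guidelines: a sketch of the independent check the comment says is missing, comparing a second party's rebuild against the repository deposit file by file and listing build tools that were never escrowed. All function names, paths and file contents are constructed for the example, and it assumes the build is deterministic, so that identical inputs yield byte-identical outputs.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file's path (relative to root) to the SHA-256 of its bytes."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(deposited, rebuilt):
    """Compare the repository deposit against an independent rebuild."""
    return {
        "mismatch": sorted(f for f in deposited.keys() & rebuilt.keys()
                           if deposited[f] != rebuilt[f]),
        "only_in_deposit": sorted(deposited.keys() - rebuilt.keys()),
        "only_in_rebuild": sorted(rebuilt.keys() - deposited.keys()),
    }


def unescrowed_tools(tools_used, escrowed):
    """Build tools whose binary hash matches nothing among the escrowed tools."""
    known = set(escrowed.values())
    return sorted(name for name, digest in tools_used.items() if digest not in known)


def write_tree(root, files):
    """Create a constructed sample tree on disk."""
    for name, data in files.items():
        path = Path(root) / name
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo():
    """Constructed trees: one binary differs, one deposited file is not rebuilt."""
    with tempfile.TemporaryDirectory() as tmp:
        write_tree(f"{tmp}/deposit", {"bin/tally": b"tally-v1", "bin/ballot": b"ballot-v1+x",
                                      "lib/extra.so": b"extra"})
        write_tree(f"{tmp}/rebuild", {"bin/tally": b"tally-v1", "bin/ballot": b"ballot-v1"})
        write_tree(f"{tmp}/escrow", {"cc": b"compiler-a"})
        write_tree(f"{tmp}/used", {"cc": b"compiler-a", "ld": b"linker-b"})
        report = compare(manifest(f"{tmp}/deposit"), manifest(f"{tmp}/rebuild"))
        report["unescrowed_tools"] = unescrowed_tools(
            manifest(f"{tmp}/used"), manifest(f"{tmp}/escrow"))
        return report


if __name__ == "__main__":
    print(demo())
```

Matching hashes show only that the two builds agree; if both were produced with the same modified compiler or linker they would still match, which is why the toolchain binaries themselves need to be escrowed and hashed.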