Page 1
This is a machine translation of the final report of the OAS on the Bolivian elections.
The original can be found at http://www.oas.org/es/sap/deco/Informe-Bolivia-2019/
Secretariat for Strengthening Democracy (SFD)
Department for Electoral Cooperation and Observation (DECO)
Electoral Integrity Analysis
General Elections in the Plurinational State of Bolivia
October 20, 2019
FINAL REPORT

Page 2
Electoral Integrity Analysis
Plurinational State of Bolivia
two
TABLE OF CONTENTS
LIST OF FINDINGS ............................................... .................................................. ................. 3
DELIBERATED ACTIONS THAT WANTED TO MANIPULATE THE RESULT OF THE ELECTION ................. 3
SERIOUS IRREGULARITIES ................................................ .................................................. ............... 5
MISTAKES ................................................. .................................................. ........................................... 6
INDICATIONS ................................................. .................................................. ........................................... 6
EXECUTIVE SUMMARY ................................................ .................................................. .................... 7
ELECTORAL INTEGRITY ANALYSIS .............................................. .............................................. eleven
I.
FINDING 1: PRELIMINARY ELECTORAL RESULTS AND TRANSMISSION SYSTEMS AND
DEFINITIVE CALCULATION VIEWED ............................................... .................................................. ...... 14
II.
FINDING 2: EXISTENCE OF A HANDLING, FALSIFICATION AND PATTERN PATTERN
ADULTERATIONS OF ELECTORAL ACTS IN SIX DEPARTMENTS LOOKING FOR
BENEFIT THE SAME CANDIDATE .............................................. .................................................. ... 57
III.
FINDING 3: THE DEFICIENT CHAIN ​​OF CUSTODY DOES NOT WARRANT THAT THE MATERIAL
ELECTORAL HAS NOT BEEN HANDLED AND / OR REPLACED. ................................................ 63
IV.
FINDING 4: ACTS OF THE COMPUTERS ARE NOT RELIABLE; NOT OBSTANT, OF THE ANALYSIS
DETAILED IT IS HIGHLIGHTED THAT ACTES INCOME IN THE LAST 4.4% HAVE NUMBER
CALL FOR OBSERVATIONS ............................................... ................................................ 82
V.
FINDING 5: TREND SHOWN IN THE LAST 5% OF THE COUNT IS HIGH
IMPROBABLE ................................................. .................................................. .......................... 88
SAW.
ANNEXES ................................................. .................................................. ......................... 97
1. AGREEMENTS, LETTER OF INVITATION AND LETTER OF ACCEPTANCE
2. INFORMATION REQUIREMENTS TO THE PLURINATIONAL ELECTORAL BODY
3. REPORT OF THE NATIONAL DIRECTORATE OF INFORMATION TECHNOLOGIES
4. DOCUMENTATION RELATED TO THE PRINTING OF MINUTES AND ELECTION PAPERS
5. COMPLEMENTARY REPORT TO THE FINAL REPORT GENERAL ELECTIONS 2019 - NEOTEC
6. MINUTES OF NOVEMBER 4, 5 AND 6 LISTING FINDINGS OF THE AUDITORS REGARDING
A COMPUTER ASPECTS, SUBSCRIBED BY TECHNICIANS OF THE TSE.
7. REGISTRATION OF COMPLAINTS AND INFORMATION RECEIVED
8. TECHNICAL ANNEX OF CALIGRAPHIC PERICIA
9. MINUTES WITH INCONSISTENCIES OF VOTES VS. INDEX LIST (OUTSIDE)

Page 3
Electoral Integrity Analysis
Plurinational State of Bolivia
3
LIST OF FINDINGS
To facilitate the consultation of the findings of this audit, the following list is presented with a
classification by type of actions and omissions that took place during the electoral process and that
they definitely impacted on the certainty, credibility and integrity of the election results
from October 20, 2019.
DELIBERATED ACTIONS THAT WANTED TO MANIPULATE THE RESULT OF THE ELECTION
They are malicious actions that were intended to affect the course of the electoral process according to
I planned it officially.
Intentional and arbitrary stoppage, without technical foundations, of the Transmission System of
Preliminary Results (TREP) at the time that 83.76% of the verified records were kept and
disclosed, of 89.34% of minutes that had already been transmitted and were in the TREP system. TSE
deliberately concealed from the public, 5.58% of minutes that were already in the system
TREP but they were not published.
Introduction of servers not provided for in the technological infrastructure (servers
denominated BO1 1 and BO20 2 ), to which the information flow of the
TREP. For the redirection of the flow to the BO20 server, the IP address to which the 350 addressed
machines used in SERECI. The servers were used for transcription and verification of
records as well as for the flow of other associated data from the TREP. BO1 server registered
activity even during the time the preliminary results system was
"off".
He lied about the actual configuration of the hidden BO1 server (implemented in a network
Amazon from NEOTEC and detected by the auditing company). In addition to being a gateway between the
user and server browser as stated by the company NEOTEC, also attended other requests
Web, as you can see in its logs, and stores both Databases and electoral applications.
The Databases were accessible during the OAS audit, a situation that was validated with the
audit firm hired by the TSE (in special consultation before closing this report). The
existence of databases on a hidden server and declared as a gateway (only when detected)
It is extremely serious and deserves special investigation in further prosecution.
Audit company controls were intentionally evaded and traffic redirected
towards a network that was outside the domain, administration, control and monitoring of TSE personnel.
First way of redirecting information, until 19:40 on October 20, 2019.
Second way of redirecting information when resuming TREP on October 21, 2019.

Page 4
Electoral Integrity Analysis
Plurinational State of Bolivia
4
The parallel and uncontrolled technological scheme that was created deliberately facilitated a
environment that allowed data manipulation, impersonation of proceedings or any maneuver, facilitated
for the volatility of digital evidence.
The application provider entered directly to servers of the Official Computing so
remote, through VPN access, because he refused to work in the offices of the San TSE
Jorge where auditors and staff of the National Directorate of Technologies of the
Information and Communication (DNTIC). This person worked remotely without any supervision and
informed by email the changes made.
At the request of the members of the TSE and presented as an individual adviser voice 3 is
set up a server in an Amazon network outside the TREP and Compute through an AMI Linux machine
virtual. It should be noted that said individual was not part of the TSE workforce or the
audit or supplier companies. Access from this machine with user ec2-user (and
also raising privileges to root) on October 21, 2019 and in full execution of the TREP in
its second stage (after the cut).
False information was provided on the use of the virtual Linux AMI machine and an attempt was made to hide
intentionally the existence of the BO20 server to the team of auditors.
The TSE had a main server (BO2), its respective contingency (BO2S) and one for
publish (BO3). He deliberately lied when he said that the BO3 server was used since the server
used for the publication was not this since at the time of auditing it, it had fewer minutes than
published. Inconsistencies were found between the databases of the BO2 and BO3 servers.
It was found (in the presence of the SERECI technician, head of the company in Bolivia and
responsible for the DNTIC) that NEOTEC personnel accessed the servers and / or databases despite
of the express request of the OAS auditors who requested that from the beginning of the audit
absolutely nobody will enter the servers.
Irregularities were detected in the filing of counting and counting records that affect the
integrity of them. In an exercise that sought to analyze possible adulterations or manipulations
A sample of 4692 minutes was reviewed. In this analysis, 226 minutes were identified in which two or more
Minutes of the same voting center were filled out by the same person, denoting an action
intentional and systematic to manipulate election results and transgressing the powers of
the Board Juries determined by law. The minutes correspond to 86 voting centers of 47
municipalities of the country. The sum of their valid votes is 38,001, of which 91% (34,718) were
awarded to the Movement to Socialism (MAS).
Despite being sensitive material, minutes were burned (the number is uncertain) and more than 13,100
lists of qualified voters (or index lists), which does not allow the contrasted information to be checked
in the minutes of scrutiny and computation.
With the exception of Vocal Costas, who, according to the note, was not present.

Page 5
Electoral Integrity Analysis
Plurinational State of Bolivia
5
SERIOUS IRREGULARITIES
They are actions in which it is not clear whether or not there was an intention to manipulate aspects of the election
but that certainly caused serious violations in the integrity of the electoral process.
The metadata of the TREP images was not preserved in order to determine the authenticity
of the images and the identification of the source of acquisition of these files.
The hash value was not recorded in the software freeze report and subsequently
They made modifications to it during the electoral process. Among the changes registered are
they include modifications that involve the processing of foreign records, when they were already
entering the system. Foreign records are those used both in the TREP and in the computation
final.
The transfer of images from the primary server BO2 of the TREP to the
application server and publisher that fed the Official Computing. That is, images of the TREP,
corresponding to photographs of minutes, were entered directly from the TREP to the Computation
Official. The foregoing categorically discards the assertion that the TREP and the Official Computing
They are two absolutely independent processes.
There were images of external records incorporated through functionality
denominated "Lagging Minutes". This is outside the planned circuit for sending images of minutes.
The person in charge of this functionality entered both the image of the record and the data of the
same. Additionally, the application allowed direct entry of minutes without being transmitted from a
mobile phone. In this case, they were admitted by a SERECI official. It is important to highlight
that the TREP system has the functionality to delete images.
Residuals of Databases and the application of NEOTEC in servers were found
perimeter, which should not have had databases or versions of the application used to
the process.
The head of the company providing the software agreed with root user 4 to the system
operative in the middle of the night (by its own decision), a fact that happened after the official act of
system blind, that is to say once it was thought that the systems were ready and that no one could
access them.
The head of the NEOTEC company modified the Computing software on more than one occasion
Officer in full process. The company repurchased it (at which point it loses integrity with respect to
preserved during freezing) and put it in a productive environment during the process.
Income of at least 1,575 minutes of the TREP (environment whose network was violated and manipulated)
directly to the Official Computing.
The root user is the one who has all the privileges and permissions to perform actions on an operating system
Linux

Page 6
Electoral Integrity Analysis
Plurinational State of Bolivia
6
It was accessed during the Official Computing process directly to modify data of the Base of
Data through SQL statements (which allow you to change data without using the application), to solve
failures in a calculation algorithm. Only in this access, which was carried out 20 minutes after a
Direct access to the databases for the purpose of “un-annulping minutes”, the data of 41 tables were modified
directly on the database.
The Final Computing Database could be accessed directly, without going through the
application.
Lack of adequate preservation of evidence about the election.
The poor chain of custody did not guarantee that the electoral material has not been manipulated
and / or replaced.
Original (unfilled) original voting records were found at the TSE facilities.
It is considered anomalous that original material that should have been discarded due to errors or defects
has not been destroyed and is an indication that the destruction procedures were not followed
of defective and / or surplus sensitive material (in good condition).
MISTAKES
Misunderstandings or negligence without indications of intentionality but which could facilitate actions that
potentially they violated the electoral process
In the TREP system, the “Minutes Approver” function had the possibility of validating minutes,
even when there are differences in values ​​between Strike 1 and Strike 2. This function allowed to continue with the
Minutes process despite differences.
Authentication for the use of the computer system software was weak and allowed someone
Take control with management roles. It was found that with the same code you could open several
sessions, that a new browser tab could be opened before closing the previous one and that at
retire who was working, despite having closed the application, could be accessed with your user
without authenticating (including roles that allowed validating minutes).
In the computers of the TED of La Paz it was possible to observe the existence of test data (for
example, minutes) mixed with minutes of election day. By not removing the test data, it
It pollutes the production environment.
Interruption of the publication of the official calculation due to denial of service attacks
(DoS) against the official results publication server (October 24 and 25).
Inclusion of disabled in the list of voters for consultation of minutes of tables. That is, the
Official Computing database contained both the list of enabled and disabled.
Little or no coordination between the TEDs and the public force for the protection of the material
sensitive.

Page 7
Electoral Integrity Analysis
Plurinational State of Bolivia
7
There were at least 37 minutes of the vote abroad that presented inconsistencies with the
number of citizens who paid. That is, the minutes reflected a different number of votes than
the total number of voters in the index lists. 5
INDICATIONS
Statistical analysis and information crossing that allowed the group of auditors to have data that
could indicate abnormal behaviors and places where documents should be analyzed
Elections with greater depth.
When analyzing the use of space for observations in the minutes of the official calculation, it was found
that 12,925 minutes (37%) contained observations to make some clarification or to record a
situation occurred during the voting process and vote counting. 56% of the minutes that are
they entered directly into the official calculation and they were never published through the TREP had
observations. When analyzing the type of observations that were recorded in the 12,925 minutes, it stands out
that 18% correspond to changes / corrections in the number of votes registered for the election
presidential. The auditors also identified that, of these 12,925 minutes, 846 were minutes that only
they entered the final calculation (last 4.4%), of which 328 (39%) referred to changes in votes for
President.
The statistical analysis carried out reveals that Evo Morales' first-round victory was
statistically unlikely, and that his proclamation was given by a massive and inexplicable increase in
MAS votes in the final 5% of the calculation. Without that increase, although the MAS had achieved the
Most of the votes would not have obtained the difference of 10% necessary to avoid the second round.
This increase was based on breaks marked in the voting trend lines of the
Officialism and of the Citizen Community (CC), at national and departmental level. The size of the breaks
It is extremely unusual and questions the credibility of the process.
Information was obtained from a greater number of minutes presenting the same situation, but not having all the
backup images, these were excluded from the analysis. In Annex 9 The Minutes of these 37 tables are included. The lists of
qualified voters, whose copies are held by the audit team, are not published in this report to safeguard
the personal data of the qualified electors, since they include: full name, date of birth,
document number, photograph, signature and fingerprint.

Page 8
Electoral Integrity Analysis
Plurinational State of Bolivia
8
EXECUTIVE SUMMARY
The manipulations and irregularities indicated do not allow certainty about the margin of victory
of candidate Morales on candidate Mesa. On the contrary, from the overwhelming evidence
found, what is possible to say is that there have been a series of malicious operations aimed
to alter the will expressed at the polls.
First, on election night, the electoral court deliberately interrupted the
Transmission of results All analyzes of the technical team allow to determine that the stoppage
The TREP system was not an accident or a decision based on technical foundations. It was simply
an arbitrary decision, whose purpose included the manipulation of the computer infrastructure.
When the system resumed its operation, the next day, a hidden server appeared on the scene,
not declared and not controlled by the auditing company or by the technical staff of the electoral body.
Through it, the remaining information from the TREP corresponding to more than 1,400 minutes was processed. East
The second server did not appear in any report until the OAS audit unveiled it through
Expert studies.
Technical officials of the electoral body sent a letter 6 to the organization's audit, in the
that recognize the configuration of a server in a network outside the TREP through a Linux machine
Virtual AMI They also said they did so at the direction of the members of the TSE and in
coordination with a computer consultant who is not part of the effective plant of the Registration Service
Civic (SERECI) or the National Directorate of Information Technology (DNTIC) of the EPO nor
of the auditing company. This letter is attached without names to safeguard identity and data
personnel of those involved, however, has been sent to the Public Ministry.
The interruption of the TREP and the subsequent re-routing of the data flow to an external server
it made the system absolutely manipulable. Indeed, the expert analysis reveals that, so
deliberate, a hidden computing structure was built, with the ability to modify results
electoral, as well as erase any trace of this activity.
The official count was also affected. Although in theory this system was independent of the
transmission of preliminary results, in practice this assumption was not fulfilled. The audit team
it was verified that in the case of the vote abroad the images of the TREP were used to carry out the
official count. In addition, due to the burning or loss of original records, it also proceeded from that
form for some of the tables in national territory. In total, more than 5% of the images of the
TREP minutes went directly to computation. The link between the TREP, openly system
manipulated, and the Official Computing affects the credibility of the latter.
The statistical analysis of the results released through both systems reveals that the
proclamation of victory in the first round of then President Evo Morales was possible
Annex 3

Page 9
Electoral Integrity Analysis
Plurinational State of Bolivia
9
only by a massive increase in votes at the end of the count. The audit team found a
Significant break in the voting trends of MAS and CC at the point where it is computed
95% of the votes of the TREP.
The last 5% of the count not only shows a different trend from the previous 95%, but also presents
a very marked difference with 5% of the votes that had been computed immediately before.
Even if the assumption is accepted that the tables they reported belatedly were from rural areas
that favored the MAS, one would not see such a sharp discontinuity around an arbitrary point such as
the threshold of 95%.
Given the breaks in voting trends, the audit team proceeded to examine in detail
the minutes corresponding to the last 5% of the count. Audit technicians found that, of the
minutes that entered directly into the official calculation and were never published through the
TREP, that is, of those listed at the end of the count, 56% had observations. East
percentage is significantly higher than the average of the election (37%).
On the other hand, from this same universe of minutes, those in which the MAS was subjected to expert analysis
obtained a strikingly high percentage of votes (above 77%). The
subsequent tables, that is, those of the same voting center.
Of a total of 1,074 minutes, 59 (5.5%) were found to have serious irregularities from the point of view
expert. In some cases, it was verified that all the minutes of the same center had been completed
by the same person.
Subsequently, the universe of analysis was expanded, taking a new sample of 3,618 minutes. Of this,
167 (4.6%) with irregularities of expert interest were identified. They found themselves again different
Minutes of the same polling place that had been completed by one person, which all
lights constitutes an illegal transgression of the powers of the panel jurors and sows doubts
About the reported results. In total, 4,692 minutes were analyzed, of which 226 (4.8%)
they presented the irregularities described.
The aforementioned minutes correspond to 86 voting centers in 47 municipalities of the country.
This situation denotes a highly irregular procedure from the electoral point of view. Total,
all these tables correspond to 38,001 valid votes, of which the MAS political party obtains the
91%, that is, 34,718 votes, almost the number of votes that allows Morales to avoid the second round 7 .
The above is only taking into account an analysis of 13.5% of the polling stations. By the employer
found, a study that covered a higher percentage of minutes would undoubtedly detect a greater
number of falsifications, adulterations and manipulations.
The analysis carried out by the audit team revealed that the chain of custody of the minutes was
extremely fragile In several departments, the transfer of sensitive material from the enclosures
Morales's margin of victory in the first round was approximately 40,000 votes. Without them, the difference regarding
Mesa would have been less than 10% and, therefore, a second round would have been necessary.

Page 10
Electoral Integrity Analysis
Plurinational State of Bolivia
10
Elections to the headquarters of the TEDs did not have the necessary support of the forces of
security.
The compiled information also showed that there was no specific custody protocol for the
Official Record (Envelope A) after its reception in the Departmental Electoral Courts and not
there was standardization regarding the organization of the minutes in the different TEDs. The fact that
there have been burned electoral records evidencing the lack of protection, adequate forecasts and
poor coordination of TEDs with security forces.
The weakness of the chain of custody is a fundamental point. Since in Bolivia there is no
possibility of counting votes, the minutes are the only document available to reconstruct the
occurred on voting day Given the proven fragility of the chain of custody and
irregularities detected in the expert analysis, it is possible to infer that, if possible, analyze the
all the minutes, a significantly greater number of alterations would be found and
inconsistencies
Conclusions
The audit team has detected a malicious manipulation of the elections in two planes. At the level of
minutes, from the alteration of the same and the falsification of the signatures of the jurors of tables. TO
level of the processing of the results, from the redirection of the data flow to two
hidden servers and not controlled by TSE personnel, making possible the manipulation of data and
impersonation of minutes. To this are added serious irregularities, such as the lack of protection of
minutes and the loss of sensitive material.
The detailed findings also reveal the bias of the electoral authority. The members of the TSE,
who should ensure the legality and integrity of the process, allowed the flow of
information to external servers, destroying all confidence in the electoral process.
It should be borne in mind that this has been a limited audit exercise, both during the time
It was arranged as in relation to the components of the process that were analyzed. Exceeds this
report what happened in the pre-election stage and the findings of the OAS Observation Mission
regarding the inequality of the contest and the actions of the TSE in the pre-election phase.
However, the findings are blunt. The audit team cannot ignore the set of
manipulations and irregularities observed through field work and the analysis of more than
200 complaints 8 and communications with information received. Doing so would be an act of addition
irresponsibility and would imply breaching the mandate assumed at the time it was agreed to carry out the
audit.
The margin of victory in the first round is minimal if compared to the volume of
manipulations and alterations detected. Below is the incontrastable evidence of
Annex 7 - Complaint Register

Page 11
Electoral Integrity Analysis
Plurinational State of Bolivia
eleven
an electoral process undermined by serious irregularities, and the actions of a court that attempted against
the transparency and integrity of the elections. It is on the basis of this evidence that the
inability to validate the results of the October election.
ELECTORAL INTEGRITY ANALYSIS
Background
On October 30, the OAS General Secretariat and the Government of the Plurinational State of Bolivia
signed agreements 9 regarding the electoral integrity analysis of the elections. In these
documents, it was established that the government would guarantee all the facilities for compliance
adequate audit to the official count of the October 20 elections, as well as verification
of minutes, statistical aspects, verification of the process and chain of custody.
Based on this objective, the scope around four essential components of the process was defined
electoral:
• Infrastructure and operation of the computer systems used for the transmission of
Preliminary results and official calculation.
• Authenticity and reliability of the counting records, as well as the data entered into
system of transmission of electoral results and the official computer system.
• Comprehensive custody plan for all electoral material (minutes, ballots, voter registration).
• Flow of the data load of the preliminary electoral results and the official calculation.
It was also agreed that the authorities would give OAS experts full access to their
facilities, as well as information on the elections that the team considers relevant. He
Audit team was mandated to carry out its field work within 12 days.
On the other hand, it was established that the audit would focus on the election day of October 20 and
in the later stages and that, at the conclusion of its analysis, the group of specialists would deliver a report to the
Secretary General, who would send it to the government of Bolivia. In addition, in order to ensure the
maximum seriousness and rigor, it was established that the conclusions of the analysis would be of a character
binding on the parties involved in the process.
At the instruction of the Secretary General, a team of 36 specialists and auditors of 18
nationalities, including: electoral lawyers, statisticians, computer experts, specialists in
documents, calligraphy, chain of custody and electoral organization. The group of experts and
auditors arrived in the country on October 31 and began their activities on November 1 with a
First meeting with the plenary of the Supreme Electoral Tribunal, representatives of the Courts
Departmental Electors and members of technical areas of the electoral body. In this meeting
Annex 1 - Agreements

Page 12
Electoral Integrity Analysis
Plurinational State of Bolivia
12
they defined the contact points and the first meeting between technical teams was scheduled, which led to
out on November 2. On this date the first documents and files requested were received
to the Supreme Electoral Tribunal and an exhibition on the Bolivian electoral system was witnessed.
From this, the team of auditors began to work on the information gathering and the
analysis of the various components that were being audited. The technicians worked without interruption
collecting, systematizing and analyzing information until November 9. The team of
audit conducted 11 information requirements 10 to the Plurinational Electoral Body, for the various
audited components Additionally, more than 250 complaints were received about the process
electoral, both physically and in an email enabled for that purpose.
One of the components of the audit contemplated the transfer of field analysts at nine
departments of the country, to verify the conditions for the protection of electoral material, contrast
physical records with digital copies used for the processing of results, verify the
consistency of the information in the minutes with the index lists of registered voters and determining the
compliance with the chain of custody. For this, 9 departmental teams were formed
composed of 2 people each. Work in this area began with a meeting of each group
with the respective Departmental Electoral Courts, carried out in the city of La Paz.
The audit team had limitations to develop this component of the work plan in its
fullness, due to the political and security conditions that were experienced during work days
in the field. Initially, the field analysts were able to access the departments of La Paz, Beni,
Tarija and Pando. From this, work began on possible operations to access the rest of
the departments. On November 8, a team was mobilized to the department of
Cochabamba, and by Saturday 9 the deployment for the missing departments had already been coordinated:
Chuquisaca, Oruro, Potosí and Santa Cruz. However, on the same day 8 the security conditions
they intensified, to the point that the Cochabamba team had to move that day through the
late to the city airport directly from the headquarters of the Departmental Electoral Court. Before
that withdrawal and the social upheaval that was beginning to increase in the country, it was not possible to carry out
the deployment in the other departments. For analysis of the remaining components, the technicians of
The OAS had the necessary information and access to carry out their work.
Based on the work, on November 9, the preliminary findings were announced. Since
then, the audit team continued to receive and process a large volume of complaints about the
multiple irregularities of the electoral process. The information received, consistent with the findings
Preliminary, is presented in detail below. This document also incorporates all the
documentary and photographic evidence that supports the audit observations.
10 Annex 2 - Information Requirements to the EPO

Page 13
Electoral Integrity Analysis
Plurinational State of Bolivia
13
Below are all the findings, which are organized as follows
way:
1. The systems of transmission of preliminary electoral results and final calculation
They were flawed.
2. There were irregularities and falsifications in the filling of electoral records.
3. The poor chain of custody did not guarantee that the electoral material has not been manipulated
and / or replaced.
4. The minutes of the calculation are not reliable. However, the detailed analysis highlights that
Minutes entered in the last 4.4% have a striking number of observations.
5. Trend shown in the last 5% of the count is highly unlikely.
I.
FINDING 1: PRELIMINARY ELECTORAL RESULTS AND TRANSMISSION SYSTEMS AND
DEFINITIVE COMPUTER VICIATED
For the elections held on Sunday, October 20, 2019, the Plurinational Electoral Body of
Bolivia (EPO) approved the use of two systems for the processing of electoral results
recorded in the voting minutes: a Transmission System of Preliminary Electoral Results,
denominated TREP, and another system for the realization of the Official Computing.
The EPO had acquired these systems to conduct the 2016 referendum elections. They were
developed by the company NEOTEC, which also provided the technical support service in the tasks
of operation of these programs.
For these elections, the necessary changes were executed in both programs for adaptation to the
electoral process this year, as well as some internal adjustments to improve times
in its operation.
The main event that called into question the confidence in the electoral process of the 20th of
October 2019 in Bolivia was the shutdown of the preliminary results transmission system
(TREP). The EPO gave a press conference at 7:40 pm with the processing of 83.76% of the
verified records, of 89.34% of transmitted records. The information was made public on the portal of
free access trep.oep.org.bo.
Once the conference is over, instead of continuing to process the rest of the information,
The system was intentionally lowered. According to explanations provided by the EPO, the reason for
This decision was a problem with the number of requests on a server and the need to check
your safety. However, the audit team found other elements that had not been
transparent regarding the operation of the system. While there was a particular requirement
for consultation by the organ, there was until that moment an unpublished server to which it was sent
all the information of the TREP.

Page 14
Electoral Integrity Analysis
Plurinational State of Bolivia
14
When it resumed operation the next day another hidden server appears on the scene. Through
from it, remaining information from the TREP was processed. This second server did not appear in any report
until the audit of the OAS unveiled it through the computer skills. All actors
involved omitted its existence until it was detected. On both external servers no
neither the SERECI staff, nor the DNTIC, nor the audit firm Ethical Hacking.
In light of the various findings and analyzes made by the audit team, download the TREP system not
In no case had a technical foundation. The system had a design that guaranteed the
continuity before an electrical failure and even before an interruption of the primary internet connection.
On the night of October 20, 2019 there was an intentional cut of communications and
prevented the planned contingency from being activated.
In the SERECI facilities, which had UPS, electric generator and redundant link, no
Some event occurred that justified such interruption. For this reason, on October 21, through
Note SERECI-DTRC-0843/2019 referenced as "TREP network redundant link", the director of the
SERECI asked the DNTIC for a report on the reason for the isolation to the SERECI computer center
and the reason why the redundant link was not activated. At the time of delivery of the document by
On behalf of the SERECI responsible for the OAS expert auditors, he had not received an answer.
The TREP system cut was an arbitrary decision that attempted against the integrity and transparency of the
electoral process. The above aspects show other motivations that should be investigated,
whose purpose included the manipulation of the computer infrastructure through the diversion of the flow of
TREP towards external servers.
At this point it is important to mention that the TREP system is an advertising instrument and
transparency, which allows citizens to give preliminary results in a timely manner and
expedited Although, in principle, it has no legal validity, its inappropriate use and lack of security in its
management, allows its use as a tool to control electoral information. In terms
simple, there were people who knew the processing of the results before being published and,
Due to the existence of hidden servers and serious failures in the IT infrastructure, there was a
scenario that allowed data manipulation.
In this regard, a fundamental aspect of the Bolivian case must be clarified. In theory, the TREP system
and the official computation were independent of each other. The flow of information to the first was
independent of the flow of information to the second. In the first case, photographs were used
taken through private cell phones for the transmission of information from
Same voting centers. In the second, the original record was moved to be scanned and
computed in the Departmental Electoral Courts. However, this assumption was not fulfilled.
completely, since in the case of the vote abroad the same images of the TREP were used
to proceed to its computation. In addition, due to the burning or loss of original records, it is also
He proceeded in this way for some tables in national territory.

Page 15
Electoral Integrity Analysis
Plurinational State of Bolivia
fifteen
The above clarifications are aimed at demystifying two essential points. The first of them
refers to the underestimation of manipulations to the TREP, on the grounds that this system “does not
It has legal validity. ” From this perspective, it doesn't matter what happened in the system of
transmission of preliminary results, since finally the real data are given through the computation
official. The audit team considers that this argument violates basic aspects of the integrity of
an electoral process and, in this particular case, it is a serious violation of transparency, publicity,
independence, impartiality and objectivity with which an electoral institution must act. The
manipulation of information on election results, whether preliminary or final, and not
It matters if it is to hide them, delay them or change them, it is a fact of extreme gravity.
The second point to demystify, particularly for the case that concerns us, is that there is no relationship
between the TREP and the final calculation. As mentioned, this statement is wrong. There is a link,
to the point that more than 5% of the images of the minutes of the TREP went directly to computation.
to. Transmission System of Preliminary Electoral Results
The TREP is a non-binding preliminary results system, which allows the EPO to present
results with the transmission of data and images of the minutes from the voting precincts. East
system worked by means of an application that was installed in the temporary personnel cell phones that
hired and selected SERECI (Civic Registration Service) for these purposes, except abroad
where the responsibility for the operation of the mobile application was assigned to a site manager.
The program allowed the operator to perform a first manual fingering of the voting data
from the cell phone, as well as taking a picture of the minutes, which were subsequently
transmitted to then proceed to the validation and consolidation of preliminary data. The process of
validation consisted of the contrast between the electoral data entered by the operators located in
the voting precincts and those entered by the 350 digitors located at the SERECI headquarters.
In case these do not coincide, a third instance called “Approval”, composed of
SERECI officials, was responsible for resolving inconsistencies that may arise.
All the minutes that passed the validation process would be published in a correct way
Immediate on a Web page enabled by the EPO for these purposes. The court estimated that it could
Start posting results with this system at 8:00 p.m. on the same day October 20
of 2019, presenting approximately 80% of the minutes already processed at this time. These
estimates were based on the times for scrutiny of the polls at the tables and the
communication coverage in the different areas of the country.
The Transmission of Preliminary Electoral Results (TREP) had a computer center,
implemented in the La Paz Civic Registry Service Building, ground floor, first floor, fourth floor
and fifth floor. It had UPS, Electric Generator, access VLAN and Redundant link, for
a total of 350 validators of electoral records.
The computer equipment was distributed as follows:
Ground Floor, 150 computer equipment;

Page 16
Electoral Integrity Analysis
Plurinational State of Bolivia
16
First Floor, 100 computer equipment;
Fourth Floor, 50 computer equipment;
Fifth Floor, 50 computer equipment;
According to the distribution of computer equipment, network wiring was implemented
correspondent. For this, category 6 network cables, capacity distribution switches were used
10/100/1000 Mbps, which were connected to the link switches installed in the cabinets
of communications of each floor. Also, electrical wiring was implemented (electrical circuits)
direct from the electrical distribution boards, with the aim of balancing the electric charges
generated by the computer equipment and avoid cuts due to overload.
To ensure continuous operation in the event of a power failure, a power system was installed
uninterrupted (UPS) in the CPD (fourth floor), connected to the main communications rack and the
Communications cabinets installed on the ground floor, first floor and fifth floor of the Service building
of La Paz Civic Registry.
The building of the La Paz Civic Registry Service has an electric generator on the ground floor,
that in case of electrical contingencies it is automatically lifted by feeding energy to the
communications room (CPD) on the fourth floor and the fifth, first and ground floor where
they implemented the TREP electrical circuits.
The 100 Mbps Online internet service was contracted, which was provided by the AXS Bolivia company.
The service consists of a fiber optic link between the company AXS and the Primary Data Center (San
Jorge) of the Supreme Electoral Court with 100 Mbps Online internet service exclusively for the
TREP computation. The National Directorate of Information and Communication Technologies (DNTIC)
configured the AXS 100 Mbps Internet Service over VLAN 187 Supreme Court internal network
Electoral. (Responsible DNTIC).
On the other hand, the TREP computer center had two fiber optic links, one active and the other
redundant passive The first fiber optic link installed from the Primary Data Center (San
Jorge) and the fourth floor of the La Paz Civic Registry Service building, Switch CORE.
The second Fiber Optic (Redundant) link provided by the MegaLink Company is installed until the
CPD of the La Paz Civic Registry Service with a 100 Mbps internet service. The DNTIC conducted the
Internet service configuration mentioned in redundant mode between a perimeter router
Cisco and the CORE Switch of the fourth floor CPD of the La Paz Civic Registry Service building.

Page 17
Electoral Integrity Analysis
Plurinational State of Bolivia
17
Next, the methodology that was used for data processing and validation is presented
(TREP):
Description of the originally planned IT infrastructure
The formal description of the TREP infrastructure was as follows (this should have worked):
This diagram is designed to work in a controlled manner by an audit firm - TREP formal network topology
The primary application server BO2 should receive the images of the minutes and electoral results
transmitted from the phones. This server had to replicate the minutes to the application server
secondary BO2s. In turn, the bo2s server had to replicate the minutes to the application server to
BO3 results.
It should be noted that both the primary server (BO2) and its contingency (BO2s) and publication
(BO3) they should store the same data once the electoral process was over.
However, according to the description of the NEOTEC company, the configuration used was the
following:
This diagram conforms to the NEOTEC report dated 10/28/2019 11
11 This table corresponds to the company NEOTEC. The reference to bo12 must be understood as bo21.

Page 18
Electoral Integrity Analysis
Plurinational State of Bolivia
18
As can be seen, the formal configuration was not respected by NEOTEC, because it
It included a BO1 server that was not included in the formal structure of the TREP, according to
agreed with the other actors involved (DNTIC, SERECI and the audit firm Etical Hacking).
Integration of BO1 server that was not foreseen in the technological infrastructure
The technological infrastructure used on election day included the integration of a server
BO1 that was not planned. It was used despite not having the corresponding monitoring agent.
According to reports received by the auditing company, it was prepared at the request of the TSE
to observe the results before publication. It was a server that did not have the
required hardenization and was configured incorrectly (if it was intended to be used as a
perimeter server). The introduction of a server in a production environment without controls
change or authorization violated the chain of custody of the information.
The non-forecast of this server can be seen in a communication from the company NEOTEC, that the
October 20, 2019, at 9:40 am, in the middle of the TREP process (since they were receiving the
first data from abroad), sent an email to the audit company Ethical Hacking to
Confirm the servers that would be used. In this communication, the servers are initially reflected
provided, but not the BO1 server.
Email sent by NEOTEC to Ethical Haching in which the BO1 server is not included
After recognizing the inclusion of the BO1 server, the NEOTEC company delivered the following graphic (the signs
of approval and attention are incorporated by the OAS audit team):

Page 19
Electoral Integrity Analysis
Plurinational State of Bolivia
19
Image showing the perimeter servers according to their green or red security level
The graph shows the perimeter servers secure and controlled by the audit firm Ethical
Hacking, identified with the approval sign in green, while identified with the sign
Attention in red can be seen to the BO1 perimeter server.
The detail of the servers according to their role delivered by the NEOTEC company is as follows:
This detail conforms to the NEOTEC report dated 10/28/2019 - (The BO21 server also appears in its report as
BO12)
Use of BO1 server for other purposes to those exposed
According to the analysis performed by the OAS experts, the BO1 server was not only not planned, but
which was also not used only for the purpose stated in the reports submitted to the audit team
by the TSE. The OAS team of auditors revealed that it was used since the beginning of the tasks of the
October 20, 2019 until 7:40 p.m. of the same day (time of interruption) for traffic

Page 20
Electoral Integrity Analysis
Plurinational State of Bolivia
twenty
of information corresponding to the TREP work stations arranged in SERECI offices.
SERECI data flow went through this hidden and insecure server in a private NEOTEC network.
This constitutes a first indication of the intention to avoid the use of official infrastructure
agreed prior to the election. Infrastructure manipulation was planned, taking the flow of
TREP to external servers, mocking the control of the audit firm hired by the TSE.
According to the definition of the audit company Ethical Hacking, the BO1 server should not have been used,
since he did not have the required security and did not have the monitoring agent to allow his
due control by it. In its final report, the auditing company states that no
it monitored this data flow, because it eluded its monitoring system (through which they had to flow
the data as planned to provide transparency).
In more detail, the audit firm Ethical Hacking notes the following in its report regarding this
first non-contemplated server (BO1), which was used for an unauthorized purpose: "Regarding the cut
of the TREP, although it was concluded that it was an error of omission of the protocol and should not have been made
that change without authorization, it is clear that this server was not in our monitoring range and at
redirect all SERECI traffic for the verification of minutes, such an important and delicate task to
an external server totally outside the monitoring range, we cannot attest to all the
information that was entered at that time and the electoral process loses all credibility when violated
the security protocol. "
The OAS audit experts were able to identify that this server was in an Amazon network
of NEOTEC (administered at its discretion), a fact that constitutes a serious violation of the network topology
declared for the TREP and on which the auditing company was monitoring. Is
unacceptable that during a transcendent process such as TREP (which partially feeds the Computation
Official) traffic is redirected to a private server under the exclusive control of its owner.

Page 21
Electoral Integrity Analysis
Plurinational State of Bolivia
twenty-one
The following image shows the true network topology until the interruption of the TREP:
Actual diagram of 10/20/2019 until 7:40 p.m. with TREP flow leaving towards private cloud NEOTEC
Audit evidence on traffic belonging to TREP from server BO1
OAS audit experts were able to identify concrete evidence regarding the role of the
BO1 server, which, it is reiterated, did not belong to the TREP and was implemented in an Amazon network
hired and managed by NEOTEC. It was an intentional manipulation of the formal topology
network belonging to the TREP infrastructure.
There were no measures on the server for the safekeeping and assurance of evidence (for
example, logs), and the chain of custody was not respected for being since October 20, 2019 outside
of the control of the TSE and under the control of the company NEOTEC.
Despite what was described, we proceeded to analyze the logs that were under the control of the audit firm
Ethical Hacking and those residing on the TSE servers in the TREP network.
It was possible to obtain, then, evidences that allow to affirm that said server was used for the
transcription and verification of minutes as well as for the flow of other associated data from the
of the TREP.
Summary data provided as evidence
Source IP
Destination IP
Url

Page 22
Electoral Integrity Analysis
Plurinational State of Bolivia
22
Method
Occurrences (Low: less than 200 requests)
10.1.0.222 , " 10.1.0.159 ", " / simobol_2019_3_TREP / process / VerificaActa / VerificaProxima ", POST
Occurrences 162,570
10.1.0.222 , " 10.1.0.159 ", " / simobol_2019_3_TREP / process / VerificaActa / list ", POST
Occurrences 31,556
10.1.0.222 , " 10.1.0.159 ", " / simobol_2019_3_TREP / process / Acta / list ", POST
Occurrences 7.552
10.1.0.222 , " 10.1.0.159 ", " / simobol_2019_3_TREP / process / sid3 / module ", POST
Occurrences 3,723
10.1.0.222 , " 10.1.0.159 ", " / simobol_2019_3_TREP / gkeys ", POST
Occurrences 2,670
10.1.0.222 , " 3.231.68.158 ", " / simobol_2019_3_TREP / process / Acta / list ", POST
Occurrences Low
10.1.0.222 , " 3.231.68.158 ", " / simobol_2019_3_TREP / process / Acta / row / 1702583 ", POST
Occurrences Low
10.1.0.222 , " 3.231.68.158 ", " / simobol_2019_3_TREP / process / Acta / thumbView / Image / 1702583 ", GET
Occurrences Low
10.1.0.222 , " 3.231.68.158 ", " / simobol_2019_3_TREP / process / AvanceDep / list ", POST
Occurrences Low
SSH access to BO1 taking control then as root
Additionally, it was possible to verify access via SSH (outside the application) to server BO1 and
subsequently raising privileges to work as root (achieving maximum privilege). The
following fragments show activity in BO1 during the morning of October 20, 2019,
at night (in full court of the TREP) and on October 21 when the TREP had already resumed.
Then, only three log fragments are offered as evidence of these accesses:
During the morning of October 20, 2019
Oct 20 10:05:23 bo1 sshd [2910]: Accepted publickey for ec2-user from 181.115.131.216 port 18882
ssh2: RSA SHA256: hi2C + Gu62BrRMUBuFRoHBDvFJVuq / ​​dzIy7aDZFnhaLA
Oct 20 10:05:23 bo1 sshd [2910]: pam_unix (sshd: session): session opened for user ec2-user by (uid = 0)
Oct 20 10:05:37 bo1 sudo: ec2-user: TTY = pts / 0; PWD = / home / ec2-user; USER = root;
COMMAND = / bin / cat /etc/nginx/nginx.conf
Oct 20 10:30:37 bo1 sudo: ec2-user: TTY = pts / 0; PWD = / home / ec2-user; USER = root;
COMMAND = / bin / grep client_max_body_size /etc/nginx/nginx.conf

Page 23
Electoral Integrity Analysis
Plurinational State of Bolivia
2. 3
Oct 20 10:35:01 bo1 sudo: ec2-user: TTY = pts / 0; PWD = / home / ec2-user; USER = root;
COMMAND = / bin / grep client_max_body_size /etc/nginx/nginx.conf
Oct 20 10:49:38 bo1 sshd [2912]: error: Received disconnect from 181.115.131.216 port 18882: 0:
Oct 20 10:49:38 bo1 sshd [2912]: Disconnected from 181,115,131,216 port 18882
Oct 20 10:49:38 bo1 sshd [2910]: pam_unix (sshd: session): session closed for user ec2-user
Oct 20 11:00:34 bo1 sshd [3016]: Accepted publickey for ec2-user from 181.115.131.216 port 18883
ssh2: RSA SHA256: hi2C + Gu62BrRMUBuFRoHBDvFJVuq / ​​dzIy7aDZFnhaLA
Oct 20 11:00:34 bo1 sshd [3016]: pam_unix (sshd: session): session opened for user ec2-user by (uid = 0)
Oct 20 11:01:04 bo1 sudo: ec2-user: TTY = pts / 0; PWD = / home / ec2-user; USER = root;
COMMAND = / bin / cat /etc/nginx/conf.d/bo1.conf
Oct 20 14:23:57 bo1 sshd [3016]: pam_unix (sshd: session): session closed for user ec2-user
From the night of October 20, 2019 (during TREP interruption)
Oct 20 21:30:02 bo1 sshd [4030]: Accepted publickey for ec2-user from 10.8.10.6 port 57625 ssh2: RSA
SHA256: hi2C + Gu62BrRMUBuFRoHBDvFJVuq / ​​dzIy7aDZFnhaLA
Oct 20 21:30:02 bo1 sshd [4030]: pam_unix (sshd: session): session opened for user ec2-user by (uid = 0)
Oct 20 21:39:22 bo1 sudo: ec2-user: TTY = pts / 0; PWD = / home / ec2-user; USER = root;
COMMAND = / bin / su
Oct 20 21:39:22 bo1 su: pam_unix (su: session): session opened for user root by ec2-user (uid = 0)
Oct 20 22:03:34 bo1 su: pam_unix (su: session): session closed for user root
Oct 20 22:03:34 bo1 sshd [4032]: Received disconnect from 10.8.10.6 port 57625: 11: disconnected by
user
Oct 20 22:03:34 bo1 sshd [4032]: Disconnected from 10.8.10.6 port 57625
Oct 20 22:03:34 bo1 sshd [4030]: pam_unix (sshd: session): session closed for user ec2-user
Oct 20 22:03:50 bo1 sshd [4173]: Accepted publickey for ec2-user from 10.8.10.6 port 58124 ssh2: RSA
SHA256: hi2C + Gu62BrRMUBuFRoHBDvFJVuq / ​​dzIy7aDZFnhaLA
Oct 20 22:03:50 bo1 sshd [4173]: pam_unix (sshd: session): session opened for user ec2-user by (uid = 0)
Oct 20 22:05:10 bo1 sudo: ec2-user: TTY = pts / 0; PWD = / tmp / logs; USER = root; COMMAND = / bin / cp
/home/ec2-user/.ssh/authorized_keys authorized_keys.ec2-user
Oct 20 22:05:19 bo1 sudo: ec2-user: TTY = pts / 0; PWD = / tmp / logs; USER = root; COMMAND = / bin / su
Oct 20 22:05:19 bo1 su: pam_unix (su: session): session opened for user root by ec2-user (uid = 0)
Oct 20 22:19:37 bo1 sshd [4257]: Accepted publickey for ec2-user from 10.8.10.6 port 58181 ssh2: RSA
SHA256: hi2C + Gu62BrRMUBuFRoHBDvFJVuq / ​​dzIy7aDZFnhaLA
Oct 20 22:19:37 bo1 sshd [4257]: pam_unix (sshd: session): session opened for user ec2-user by (uid = 0)

Page 24
Electoral Integrity Analysis
Plurinational State of Bolivia
24
Oct 20 22:19:38 bo1 sshd [4259]: Received disconnect from 10.8.10.6 port 58181: 11: disconnected by
user
Oct 20 22:19:38 bo1 sshd [4259]: Disconnected from 10.8.10.6 port 58181
Oct 20 22:19:38 bo1 sshd [4257]: pam_unix (sshd: session): session closed for user ec2-user
Oct 20 22:19:47 bo1 sshd [4272]: Accepted publickey for ec2-user from 10.8.10.6 port 58184 ssh2: RSA
SHA256: hi2C + Gu62BrRMUBuFRoHBDvFJVuq / ​​dzIy7aDZFnhaLA
Oct 20 22:19:47 bo1 sshd [4272]: pam_unix (sshd: session): session opened for user ec2-user by (uid = 0)
Oct 20 22:20:37 bo1 sshd [4274]: Received disconnect from 10.8.10.6 port 58184: 11: disconnected by
user
Oct 20 22:20:37 bo1 sshd [4274]: Disconnected from 10.8.10.6 port 58184
Oct 20 22:20:37 bo1 sshd [4272]: pam_unix (sshd: session): session closed for user ec2-user
Oct 20 22:22:35 bo1 sshd [4286]: Accepted publickey for ec2-user from 10.8.10.6 port 58196 ssh2: RSA
SHA256: hi2C + Gu62BrRMUBuFRoHBDvFJVuq / ​​dzIy7aDZFnhaLA
Oct 20 22:22:35 bo1 sshd [4286]: pam_unix (sshd: session): session opened for user ec2-user by (uid = 0)
Oct 20 22:37:30 bo1 sshd [4288]: Received disconnect from 10.8.10.6 port 58196: 11: disconnected by
user
Oct 20 22:37:30 bo1 sshd [4288]: Disconnected from 10.8.10.6 port 58196
Oct 20 22:37:30 bo1 sshd [4286]: pam_unix (sshd: session): session closed for user ec2-user
Oct 20 22:37:32 bo1 su: pam_unix (su: session): session closed for user root
Oct 20 22:37:33 bo1 sshd [4175]: Received disconnect from 10.8.10.6 port 58124: 11: disconnected by
user
Oct 20 22:37:33 bo1 sshd [4175]: Disconnected from 10.8.10.6 port 58124
Oct 20 22:37:33 bo1 sshd [4173]: pam_unix (sshd: session): session closed for user ec2-user
From October 21, 2019 (TREP has already resumed)
Oct 21 13:18:10 bo1 sshd [5814]: Accepted publickey for ec2-user from 186.2.94.205 port 17602 ssh2:
RSA SHA256: hi2C + Gu62BrRMUBuFRoHBDvFJVuq / ​​dzIy7aDZFnhaLA
Oct 21 13:18:10 bo1 sshd [5814]: pam_unix (sshd: session): session opened for user ec2-user by (uid = 0)
Oct 21 13:18:13 bo1 sudo: ec2-user: TTY = pts / 0; PWD = / home / ec2-user; USER = root;
COMMAND = / bin / su
Oct 21 13:18:13 bo1 su: pam_unix (su: session): session opened for user root by ec2-user (uid = 0)
Oct 21 15:31:16 bo1 sshd [5814]: pam_unix (sshd: session): session closed for user ec2-user
Oct 21 15:31:16 bo1 su: pam_unix (su: session): session closed for user root
Database and application detection on the BO1 server.

Page 25
Electoral Integrity Analysis
Plurinational State of Bolivia
25
It is also noted that databases were detected on this server and the electoral application, made
inexplicable and unacceptable in an electoral process.
The following image shows the existence of databases that are not typical of a server
perimeter:
Image taken by OAS auditors during BO1 server review
At the time of the audit it was possible to verify that the BO1 server had continued on after the
TREP detention incident, this time assigned to other tasks. To verify this fact you can
read a log fragment below:
113.163.126.70 - - [25 / Oct / 2019: 03: 56: 35 -0400] "GET / HTTP / 1.0" 200 3770 "-" "-" "-"
181.188.160.207 - - [25 / Oct / 2019: 04: 14: 16 -0400] "GET
/simobol_2019_3_TREP/css/bootstrap.min.css HTTP / 1.1 "404 555
"https://bo.neotec.cc/simobol_2019_3_TREP/" "Mozilla / 5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 76.0.3809.132 Safari / 537.36 OPR / 63.0.3368.107 "
"-"
181.188.160.207 - - [25 / Oct / 2019: 04: 14: 16 -0400] "GET /simobol_2019_3_TREP/css/sid3.css
HTTP / 1.1 "404 555 " https://bo.neotec.cc/simobol_2019_3_TREP/ " " Mozilla / 5.0 (Windows NT 10.0;

Page 26
Electoral Integrity Analysis
Plurinational State of Bolivia
26
Win64; x64) AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 76.0.3809.132 Safari / 537.36
OPR / 63.0.3368.107 "" - "
181.188.160.207 - - [25 / Oct / 2019: 04: 14: 16 -0400] "GET /simobol_2019_3_TREP/js/jquery-3.4.1.min.js
HTTP / 1.1 "404 555 " https://bo.neotec.cc/simobol_2019_3_TREP/ " " Mozilla / 5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 76.0.3809.132 Safari / 537.36
OPR / 63.0.3368.107 "" - "
181.188.160.207 - - [25 / Oct / 2019: 04: 14: 16 -0400] "GET / simobol_2019_3_TREP / js / bootstrap3-
typeahead.min.js HTTP / 1.1 "404 555 " https://bo.neotec.cc/simobol_2019_3_TREP/ " " Mozilla / 5.0
(Windows NT 10.0; Win64; x64) AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 76.0.3809.132
Safari / 537.36 OPR / 63.0.3368.107 "" - "
181.188.160.207 - - [25 / Oct / 2019: 04: 14: 16 -0400] "GET /simobol_2019_3_TREP/js/bootstrap.min.js
HTTP / 1.1 "404 555 " https://bo.neotec.cc/simobol_2019_3_TREP/ " " Mozilla / 5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 76.0.3809.132 Safari / 537.36
OPR / 63.0.3368.107 "" - "
181.188.160.207 - - [25 / Oct / 2019: 04: 14: 16 -0400] "GET /simobol_2019_3_TREP/simonel.png
HTTP / 1.1 "404 555 " https://bo.neotec.cc/simobol_2019_3_TREP/ " " Mozilla / 5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 76.0.3809.132 Safari / 537.36
OPR / 63.0.3368.107 "" - "
181.188.160.207 - - [25 / Oct / 2019: 04: 14: 16 -0400] "GET /simobol_2019_3_TREP/js/sid3.js HTTP / 1.1"
404 555 "https://bo.neotec.cc/simobol_2019_3_TREP/" "Mozilla / 5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 76.0.3809.132 Safari / 537.36 OPR / 63.0.3368.107 "
"-"
181.188.160.207 - - [25 / Oct / 2019: 04: 14: 17 -0400] "GET / simobol_2019_3_TREP / js / bootstrap3-
typeahead.min.js HTTP / 1.1 "404 555 " https://bo.neotec.cc/simobol_2019_3_TREP/ " " Mozilla / 5.0
(Windows NT 10.0; Win64; x64) AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 76.0.3809.132
Safari / 537.36 OPR / 63.0.3368.107 "" - "
181.188.160.207 - - [25 / Oct / 2019: 04: 14: 17 -0400] "GET /simobol_2019_3_TREP/js/sid3.js HTTP / 1.1"
404 555 "https://bo.neotec.cc/simobol_2019_3_TREP/" "Mozilla / 5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 76.0.3809.132 Safari / 537.36 OPR / 63.0.3368.107 "
"-"
181.188.160.207 - - [25 / Oct / 2019: 04: 14: 17 -0400] "GET
/simobol_2019_3_TREP/css/bootstrap.min.css HTTP / 1.1 "404 555
"https://bo.neotec.cc/simobol_2019_3_TREP/" "Mozilla / 5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 76.0.3809.132 Safari / 537.36 OPR / 63.0.3368.107 "
"-"

Page 27
Electoral Integrity Analysis
Plurinational State of Bolivia
27
181.188.160.207 - - [25 / Oct / 2019: 04: 14: 17 -0400] "GET /simobol_2019_3_TREP/css/sid3.css
HTTP / 1.1 "404 555 " https://bo.neotec.cc/simobol_2019_3_TREP/ " " Mozilla / 5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 76.0.3809.132 Safari / 537.36
OPR / 63.0.3368.107 "" - "
181.188.160.207 - - [25 / Oct / 2019: 04: 14: 17 -0400] "GET /simobol_2019_3_TREP/js/jquery-3.4.1.min.js
HTTP / 1.1 "404 555 " https://bo.neotec.cc/simobol_2019_3_TREP/ " " Mozilla / 5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 76.0.3809.132 Safari / 537.36
OPR / 63.0.3368.107 "" - "
181.188.160.207 - - [25 / Oct / 2019: 04: 14: 18 -0400] "GET /simobol_2019_3_TREP/js/bootstrap.min.js
HTTP / 1.1 "404 555 " https://bo.neotec.cc/simobol_2019_3_TREP/ " " Mozilla / 5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 76.0.3809.132 Safari / 537.36
OPR / 63.0.3368.107 "" - "
181.188.160.207 - - [25 / Oct / 2019: 04: 14: 18 -0400] "GET / simobol_2019_3_TREP / js / bootstrap3-
typeahead.min.js HTTP / 1.1 "404 555 " https://bo.neotec.cc/simobol_2019_3_TREP/ " " Mozilla / 5.0
(Windows NT 10.0; Win64; x64) AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 76.0.3809.132
Safari / 537.36 OPR / 63.0.3368.107 "" - "
181.188.160.207 - - [25 / Oct / 2019: 04: 14: 18 -0400] "GET /simobol_2019_3_TREP/js/sid3.js HTTP / 1.1"
404 555 "https://bo.neotec.cc/simobol_2019_3_TREP/" "Mozilla / 5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 76.0.3809.132 Safari / 537.36 OPR / 63.0.3368.107 "
"-"
181.188.160.207 - - [25 / Oct / 2019: 04: 14: 18 -0400] "GET /simobol_2019_3_TREP/js/jquery-3.4.1.min.js
HTTP / 1.1 "404 555 " https://bo.neotec.cc/simobol_2019_3_TREP/ " " Mozilla / 5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 76.0.3809.132 Safari / 537.36
OPR / 63.0.3368.107 "" - "
181.188.160.207 - - [25 / Oct / 2019: 04: 14: 18 -0400] "GET /simobol_2019_3_TREP/simonel.png
HTTP / 1.1 "404 555 " https://bo.neotec.cc/simobol_2019_3_TREP/ " " Mozilla / 5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 76.0.3809.132 Safari / 537.36
OPR / 63.0.3368.107 "" - "
181.188.160.207 - - [25 / Oct / 2019: 04: 14: 18 -0400] "GET /simobol_2019_3_TREP/js/bootstrap.min.js
HTTP / 1.1 "404 555 " https://bo.neotec.cc/simobol_2019_3_TREP/ " " Mozilla / 5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 76.0.3809.132 Safari / 537.36
OPR / 63.0.3368.107 "" - "
181.188.160.207 - - [25 / Oct / 2019: 04: 14: 18 -0400] "GET / simobol_2019_3_TREP / js / bootstrap3-
typeahead.min.js HTTP / 1.1 "404 555 " https://bo.neotec.cc/simobol_2019_3_TREP/ " " Mozilla / 5.0
(Windows NT 10.0; Win64; x64) AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 76.0.3809.132
Safari / 537.36 OPR / 63.0.3368.107 "" - "

Page 28
Electoral Integrity Analysis
Plurinational State of Bolivia
28
181.188.160.207 - - [25 / Oct / 2019: 04: 14: 18 -0400] "GET /simobol_2019_3_TREP/js/sid3.js HTTP / 1.1"
404 555 "https://bo.neotec.cc/simobol_2019_3_TREP/" "Mozilla / 5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 76.0.3809.132 Safari / 537.36 OPR / 63.0.3368.107 "
"-"
181.188.160.207 - - [25 / Oct / 2019: 04: 14: 19 -0400] "GET / simobol_2019_3_TREP / HTTP / 1.1" 404 555
"https://bo.neotec.cc/simobol_2019_3_TREP/" "Mozilla / 5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 76.0.3809.132 Safari / 537.36 OPR / 63.0.3368.107 "
"-"
181.188.160.207 - - [25 / Oct / 2019: 04: 14: 20 -0400] "GET /favicon.ico HTTP / 1.1" 404 555
"https://bo.neotec.cc/simobol_2019_3_TREP/" "Mozilla / 5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 76.0.3809.132 Safari / 537.36 OPR / 63.0.3368.107 "
"-"
It is important to unveil who or who authorized this design and the implementation of this
infrastructure, which reveals a manipulation of the official topology of the TREP. These findings reveal the
existence of an organized group whose objective was to create a hidden computing structure.
Resumption of the TREP to another server not foreseen and hidden (BO20)
The OAS audit detected that after the interruption of the TREP, the flow of transcription information
He was redirected again. This time it was directed to a server called BO20 that also
belonged to those planned for the TREP in the cloud, or to the physical teams of the National Directorate of
Technology and Communications (DNTIC). In addition to this, it was not controlled by the auditing company,
SERECI officials or DNTIC technicians. The severity of this situation increases as it is a fact.
essential that does not appear in the reports delivered by the court, and all actors omitted their existence
until detected by the OAS audit experts.
Redirect all SERECI traffic for verification and approval of minutes to a server that is in
an external network is suspicious from the point of view of information control and high risk
for the integrity of it. Being a fundamental and delicate task, no one could give technical certainty
nor take responsibility for such decision.
When consulted after this finding, the technical head of DNTIC acknowledged knowing about the
existence of this server (BO20) and claimed not to be the one who arranged that flow change, also clarifying
that it wasn't he who controlled him. It should be clarified that initially did not provide any information about this
hidden server despite having previously participated in meetings and discussions with the audit team
of the OAS that analyzed the flow of TREP data.

Page 29
Electoral Integrity Analysis
Plurinational State of Bolivia
29
Diagram showing the flow of the redirected SERECI to an external network evading controls of the auditing company
A change of such magnitude is unusual during the development of an electoral process (in that
At that time the TREP and Official Computing system were in operation). Neither is there
valid technical explanation of why the perimeter servers controlled by the
audit company. This is extremely serious and affects the transparency of the process. Nobody
was able to give explanations about the reasons why the company's controls were evaded
audit and traffic was redirected to a network that was outside the domain, administration, control and
TSE staff monitoring.
Allow this type of topologies with hidden servers and / or external networks in which the
control, facilitates the adulteration of electoral data and images and allows to hide evidence in a
highly volatile scenario. The action is compatible with the existence of an organized group whose
The intention is to redirect the flow of data to a foreign network, not foreseen or documented.
It is necessary to emphasize again that this redirection towards the BO20 server (in the cloud) does not
It was not included in any of the reports submitted by the TSE to the OAS audit team, nor was it
mentioned by technical areas until the moment of the finding of said server by the experts
auditors

Page 30
Electoral Integrity Analysis
Plurinational State of Bolivia
30
Audit evidence on the traffic belonging to the TREP from the B2O server
In a traffic analysis process, the OAS audit experts were able to obtain evidence
concrete with respect to this second manipulation of the network topology belonging to the
TREP technological infrastructure.
In this case, it was the aforementioned BO20 server (IP 18.220.48.51) implemented in a third
network and hidden from the audit team since its arrival in the city of La Paz, omitted in all reports and
not mentioned by the technicians interviewed until its detection.
As mentioned, this server was not under the control of the auditing company and the network to the
which belonged had no security under the SERECI, DNTIC and the audit firm.
The BO20 server (IP 18.220.48.51), omitted in all reports prior to the arrival of the audit team
of the OAS and whose existence was hidden until revealed by the expert auditors, was implemented
in an Amazon network by decision of the members of the TSE in the absence of the member Costas, assisted by a
advisor who was not introduced to the Mission and apparently served as a security officer for
EPO information during the electoral process. It should be clarified that this advisor was not obtained
no information or access to reports that he would have prepared on the incidents that we
occupy
As in the case of server BO1, there were no measures in the BO20 server for
safekeeping and assurance of evidence (for example, logs). Despite the prevailing conditions
Regarding the server mentioned, we proceeded to analyze the logs that were under the control of the company
Ethical Hacking auditor and those residing on servers belonging to the TREP network.
It was then possible to obtain evidence that makes it possible to assert that said server was used for the
transcription and verification of minutes as well as for the flow of other associated data from the
TREP. In this case, the requests received on the primary server of the TREP BO2 from the
server named BO20.
Segment of data provided as evidence:
Date;
Hour;
Ip Origin;
Method;
URL on BO2 server.

Page 31
Electoral Integrity Analysis
Plurinational State of Bolivia
31
A segment was extracted as evidence of October 21 after resuming the TREP:
Oct 21, 2019 @ 15: 21: 42.753", " 18.220.48.51 ", GET, " /simobol_2019_3_TREP/css/bootstrap.min.css "
Oct 21, 2019 @ 15: 21: 42.753", " 18.220.48.51 ", GET, " /simobol_2019_3_TREP/css/sid3.css "
Oct 21, 2019 @ 15: 21: 42.753", " 18.220.48.51 ", GET, " /simobol_2019_3_TREP/js/bootstrap.min.js "
Oct 21, 2019 @ 15: 21: 42.753", " 18.220.48.51 ", GET, " /simobol_2019_3_TREP/js/jquery-3.4.1.min.js "
Oct 21, 2019 @ 15: 21: 42.753", " 18.220.48.51 ", GET, " /simobol_2019_3_TREP/simonel.png "
Oct 21, 2019 @
15: 58: 42.314 "," 18.220.48.51 ", POST," / simobol_2019_3_TREP / process / VerificaActa / VerificaProxima "
Oct 21, 2019 @
16: 01: 43.451 "," 18.220.48.51 ", POST," / simobol_2019_3_TREP / process / VerificaActa / VerificaProxima "
Oct 21, 2019 @
16: 04: 00.902 "," 18.220.48.51 ", POST," / simobol_2019_3_TREP / process / VerificaActa / VerificaProxima "
Oct 21, 2019 @
16: 04: 00.902 "," 18.220.48.51 ", POST," / simobol_2019_3_TREP / process / VerificaActa / list "
The activity with this hidden server continued the following days
A segment was extracted as evidence of October 24 in which activity is recorded:
Oct 24, 2019 @ 14: 05: 55.774", " 18.220.48.51 ", GET, " /simobol_2019_3_TREP/css/bootstrap.min.css "
Oct 24, 2019 @ 14: 05: 55.774", " 18.220.48.51 ", GET, " /simobol_2019_3_TREP/css/sid3.css "
Oct 24, 2019 @ 14: 05: 55.774", " 18.220.48.51 ", GET, " /simobol_2019_3_TREP/js/bootstrap.min.js "
Oct 24, 2019 @ 14: 05: 55.774", " 18.220.48.51 ", GET, " / simobol_2019_3_TREP / js / bootstrap3-
typeahead.min.js "
Oct 24, 2019 @ 14: 05: 55.774", " 18.220.48.51 ", GET, " /simobol_2019_3_TREP/js/jquery-3.4.1.min.js "

Page 32
Electoral Integrity Analysis
Plurinational State of Bolivia
32
Image taken on the server found as BO20 at the time of IP review 18.220.48.51
Image taken by the audit team that verifies that the IP of BO20 does not belong to TREP or Computation
Another source of data within BO2 in which evidence is found:
Oct 21, 2019 @ 14: 50: 18.145 18.220.48.51 - - [21 / Oct / 2019: 13: 50: 00 -0400] "GET
/simobol_2019_3_TREP/css/sid3.css HTTP / 1.0 "200 1936
/simobol_2019_3_TREP/css/sid3.css
Oct 21, 2019 @ 14: 50: 18,145
Oct 21, 2019 @ 14: 50: 18.229 18.220.48.51 - - [21 / Oct / 2019: 13: 50: 00 -0400] "GET
/simobol_2019_3_TREP/js/bootstrap.min.js HTTP / 1.0 "200 39680
/simobol_2019_3_TREP/js/bootstrap.min.js
Oct 21, 2019 @ 14: 50: 18,229
Oct 21, 2019 @ 14: 50: 18.234 18.220.48.51 - - [21 / Oct / 2019: 13: 50: 00 -0400] "GET
/simobol_2019_3_TREP/js/jquery-3.4.1.min.js HTTP / 1.0 "200 88145
/simobol_2019_3_TREP/js/jquery-3.4.1.min.js Oct 21, 2019 @ 14: 50: 18,234

Page 33
Electoral Integrity Analysis
Plurinational State of Bolivia
33
Oct 21, 2019 @ 14: 50: 18.239 18.220.48.51 - - [21 / Oct / 2019: 13: 50: 00 -0400] "GET
/simobol_2019_3_TREP/simonel.png HTTP / 1.0 "200 1703
/simobol_2019_3_TREP/simonel.png
Oct 21, 2019 @ 14: 50: 18,239
Oct 21, 2019 @ 14: 50: 18.333 18.220.48.51 - - [21 / Oct / 2019: 13: 50: 01 -0400] "GET
/simobol_2019_3_TREP/js/bootstrap3-typeahead.min.js HTTP / 1.0 "200 7784
/simobol_2019_3_TREP/js/bootstrap3-typeahead.min.js Oct 21, 2019 @ 14: 50: 18,333
Oct 21, 2019 @ 14: 50: 18.385 18.220.48.51 - - [21 / Oct / 2019: 13: 50: 01 -0400] "GET
/simobol_2019_3_TREP/js/sid3.js HTTP / 1.0 "200 75760 /simobol_2019_3_TREP/js/sid3.js
Oct
21, 2019 @ 14: 50: 18,385
Oct 21, 2019 @ 14: 50: 37.607 18.220.48.51 - - [21 / Oct / 2019: 13: 50: 20 -0400] "GET
/simobol_2019_3_TREP/css/bootstrap.min.css HTTP / 1.0 "200 121457
/simobol_2019_3_TREP/css/bootstrap.min.css Oct 21, 2019 @ 14: 50: 37,607
Oct 21, 2019 @ 14: 50: 37.609 18.220.48.51 - - [21 / Oct / 2019: 13: 50: 20 -0400] "GET
/simobol_2019_3_TREP/css/sid3.css HTTP / 1.0 "200 1936
/simobol_2019_3_TREP/css/sid3.css
Oct 21, 2019 @ 14: 50: 37,609
Oct 21, 2019 @ 14: 50: 37.667 18.220.48.51 - - [21 / Oct / 2019: 13: 50: 20 -0400] "GET
/simobol_2019_3_TREP/js/jquery-3.4.1.min.js HTTP / 1.0 "200 88145
/simobol_2019_3_TREP/js/jquery-3.4.1.min.js Oct 21, 2019 @ 14: 50: 37,667
Oct 21, 2019 @ 14: 50: 37.671 18.220.48.51 - - [21 / Oct / 2019: 13: 50: 20 -0400] "GET
/simobol_2019_3_TREP/simonel.png HTTP / 1.0 "200 1703
/simobol_2019_3_TREP/simonel.png
Oct 21, 2019 @ 14: 50: 37,671
Oct 21, 2019 @ 14: 50: 37.718 18.220.48.51 - - [21 / Oct / 2019: 13: 50: 20 -0400] "GET
/simobol_2019_3_TREP/js/bootstrap.min.js HTTP / 1.0 "200 39680
/simobol_2019_3_TREP/js/bootstrap.min.js
Oct 21, 2019 @ 14: 50: 37,718
Oct 21, 2019 @ 14: 50: 37,766 18,220.48.51 - - [21 / Oct / 2019: 13: 50: 20 -0400] "GET
/simobol_2019_3_TREP/js/bootstrap3-typeahead.min.js HTTP / 1.0 "200 7784
/simobol_2019_3_TREP/js/bootstrap3-typeahead.min.js Oct 21, 2019 @ 14: 50: 37,766
Oct 21, 2019 @ 14: 50: 37.817 18.220.48.51 - - [21 / Oct / 2019: 13: 50: 20 -0400] "GET
/simobol_2019_3_TREP/js/sid3.js HTTP / 1.0 "200 75760 /simobol_2019_3_TREP/js/sid3.js
Oct
21, 2019 @ 14: 50: 37,817
Oct 21, 2019 @ 14: 50: 47.701 18.220.48.51 - - [21 / Oct / 2019: 13: 50: 30 -0400] "GET
/simobol_2019_3_TREP/simonel.ico HTTP / 1.0 "200 99678
/simobol_2019_3_TREP/simonel.ico
Oct 21, 2019 @ 14: 50: 47,701

Page 34
Electoral Integrity Analysis
Plurinational State of Bolivia
3. 4
Oct 21, 2019 @ 14: 50: 47.705 18.220.48.51 - - [21 / Oct / 2019: 13: 50: 30 -0400] "POST
/ simobol_2019_3_TREP / process / sid3 / module HTTP / 1.0 "200 22
/ simobol_2019_3_TREP / process / sid3 / module Oct 21, 2019 @ 14: 50: 47,705
BO20 server recognition
After the BO20 server has been detected by the OAS audit team, the person in charge of
SERECI together with the agency's technician delivered a document in the OAS offices
for the first time he showed the expert auditors the IP that confirmed the address to this server.
It should be clarified that the mentioned IP is not in any of the TREP infrastructure diagrams
and was hidden in the other documents.
Image taken from the report delivered by SERECI to the OAS on 11/6/2019 at 11:00 HS
Through re-addressing to this server there could be data manipulation, impersonation of
minutes or any maneuver, facilitated by the volatility of digital evidence, in a highly environment
manipulable Not even the auditing company, which states that the elections were vitiated by nullity, does
mention of this BO20 server.

Page 35
Electoral Integrity Analysis
Plurinational State of Bolivia
35
It is extremely serious in the context of a presidential election, which after the company
The auditor will indicate the impossibility of guaranteeing the integrity of the results.
to a finding of this magnitude that alone questions the integrity of the process.
It should be noted that the existence of this BO20 server in an Amazon network (not foreseen or declared)
finally it ends up being corroborated by a complementary report 12 that the company issued
NEOTEC, dated November 4, 2019, in which it accepts its existence since the
TREP resumption. This report was issued after the OAS audit experts unveiled
the finding and they will notify all the technical actors.
12 Annex 5 - NEOTEC Supplementary Report

Page 36
Electoral Integrity Analysis
Plurinational State of Bolivia
36
IP validation as part of an Amazon cloud network
This is the official list of declared servers for the TREP. Issued by NEOTEC and confirmed by Ethical Hacking
In this detail of servers it can be clearly seen that they are not declared (therefore they should not
used) the BO1 and in no way the BO20 that is detected in a third network outside the process.
SERECI staff, the representative of NEOTEC in Bolivia and the head of DNTIC,
They stated that there was no technical reason for the arrest of the TREP. They also said no
There was reason to redirect traffic to a third network not controlled by them and not
They were part of the decision. In this context, the figure of a professional IT consultant emerges
of the court, which was not part of the effective SERECI plant, was not hired by NEOTEC, not
It was part of the DNTIC plant and by the way it was not part of the audit firm Ethical Hacking.
This advisor apparently served as the information security officer of the EPO only
During the process, it did not present any report to the OAS audit team nor was it presented to the
audit experts as an official by the TSE. This information was also delivered by
written to the auditors, document attached without names to safeguard the identity and data
personnel of those involved, however it has been sent to the Public Ministry.
Re-addressing of the 350 machines used in the SERECI to the BO20 server
For the redirection of the information flow generated in the SERECI to the server (BO20), it was modified
the IP to which the 350 machines used in the SERECI addressed. This despite the fact that in the network of
TREP had prepared servers and under the control of the auditing company within the network, what
that would only have demanded the modification of parameters in a monitored server.

Page 37
Electoral Integrity Analysis
Plurinational State of Bolivia
37
IP captured on SERECI equipment by addressing the external network
TREP data flow in two different ways not controlled by the auditing company
Based on the aforementioned findings, the OAS audit team reveals that the flow of minutes
TREP passed through two different channels, not controlled by the audit firm, contrary
as planned.
Until the TREP stopped, as mentioned, the flow was directed towards a network server
private of NEOTEC, which did not belong to the TREP or the Official Computing, and whose operation was explained
initially as a query server of the TSE.
After TREP processing was resumed, on October 21, 2019, the flow of
information was redirected to the BO20 server, whose existence was revealed by the audit team of
the OAS, and the information entered directly to the public IP of the primary TREP server (BO2) No
There is an explanation for the flow to avoid the controls of the audit firm and there is no
justification for hiding this server.

Page 38
Electoral Integrity Analysis
Plurinational State of Bolivia
38
Diagram showing the two routes through which SERECI data flowed by avoiding monitoring
This server (BO20) was the second way through which the TREP flow was directed (in addition to BO1
which had been VIA 1 until 19:40), hiding from the TREP network and company controls
Ethical Hacking
From the detail of the reports delivered to the OAS technicians by the TSE, it follows that there was a
defined infrastructure of main perimeter servers and their respective equipment
contingency. During the interviews held with the different technicians of the electoral body and the
NEOTEC contractor, it was not possible to obtain an explanation on the reason why by stopping
operate with the BO1 equipment, and with a perimeter equipment in the optimal conditions of
operation (according to the audit reports), it was decided to modify the IP to 350 devices instead
of using the servers provided for this purpose. This fact is extremely serious, added to the fact that
It was held in the middle of the electoral process.
Main server B02 and contingency server BO3 do not have the same information
According to the information provided by the TSE, there was a main server BO2, its respective
BO2S contingency and one to publish BO3. Strangely, the BO3 server was not used for the
publication as planned and, applying bad practice, was published from the primary server
BO2. The OAS audit finally determined that the formal publication server BO3 did not
It had the same amount of minutes as the main BO2. That is, they did not have the same information
in their databases as expected in a process.

Page 39
Electoral Integrity Analysis
Plurinational State of Bolivia
39
This difference, detected during the audit, was not recorded in any report. It turns out
transcendent, since BO3 was the official publisher and no report stated what
contrary. This is another serious irregularity detected.
Image of the audit to the BO2 primary server of the TREP in which total recorded records are evidenced
Image of the audit to BO3, publication server of the TREP in which the inconsistency of the total minutes is observed
registered
In the reports initially delivered by NEOTEC to the TSE and received by the OAS, it is not described in
no moment that such inconsistency existed. That being the publishing server, how is it that
Does it contain less data than those published in the TREP? Following the finding by the OAS audit team,
NEOTEC presented a complementary report on November 4, 2019 to the TSE. In this
document, recognizes that BO3 was not used to publish data but the primary server BO2. Is
striking as it is that such important data is omitted in the reports, only recognized after the
findings from the audit team.
It is inexplicable that there is (supposedly) an adviser of the vowels as responsible for
security of the information of the EPO, it does not issue any report in this regard and allows the
reports lead one to think that the formal BO3 infrastructure was used, hiding this serious
inconsistency between the databases of BO2 and BO3.
The following graphic shows the last network topology used after manipulations:

Page 40
Electoral Integrity Analysis
Plurinational State of Bolivia
40
This diagram identifies the primary BO2 and publisher envisaged in the design (BO3) that do not have the same number of minutes
There is no TREP interruption incident report
There is no document with the life cycle of the TREP interruption incident, which describes
effectively what happened and establish the root cause. Nor is there a detailed detail of the people
who acted in such a situation and the role they played (it was mentioned among those attending the
meetings with someone who, being an advisor to the vowels, had apparently served as
responsible for information security of the EPO, but was not presented to the audit team). He
OAS audit team requested the registration documentation (ACTA) and all respondents denied
The existence of such a document. It is reiterated that said security officer did not submit a report
Some to the OAS audit team.
METADATES of TREP images were not preserved
The audit team stated that there was no preservation of the metadata of the images of the minutes
received from cell phones, vital aspect for the transparency of a process of these
characteristics. That is, no audit trails were generated to guarantee the conservation of
METADATA in order to facilitate the verification of the origin of the images. For the forensic analysis, in order to

Page 41
Electoral Integrity Analysis
Plurinational State of Bolivia
41
determine the authenticity of the images and the identification of the source of acquisition of these
The METADATA files (of all images) are vital.
Following this finding by the OAS audit team, the NEOTEC company included in its complementary report
dated November 4, 2019 an explanation of the application's action for which it does not preserve the
Exif information originally recorded on the photo.
In which case, if the image transmitted from cell phones was to be rotated or adapted for use in the
application, you could have kept the original image with its corresponding hash value, in a
separate space
In addition to the above, the application did not limit the sending of minutes only to teams that had the date
correct. Due to this, minutes have been received with dates that are not within the life cycle of the TREP.
This motivated numerous complaints and presentations from citizens and teams of researchers from
various universities This control would have been of simple implementation and would have avoided such
situation.
It does not contribute to the above, the impossibility of having the equipment and providing them with security, as
of users (volunteers) who signed up just to send the minutes.
The hash value was not recorded in the software freeze report and subsequently
modifications were made during the electoral process
In accordance with the OAS audit, the hash value was not recorded in the freezing certificate
of software. This is a bad practice since it does not allow validating the integrity of the software used
in the process with that document.
On October 20, 2019 (in full execution of the TREP) at 4:50 am the first incident occurred
caused by software deficiencies through which it was modified and recompiled,
Breaking all international standards and good practices guide.

Page 42
Electoral Integrity Analysis
Plurinational State of Bolivia
42
First modification in TREP software by NEOTEC at dawn on Sunday, October 20, 2019 at 4.50 am
In the same morning on October 20, 2019, the second update occurred. The
particularity is that only this change is made on the IP server 10.100.88.24.
It is of interest to follow this incident carefully, because the failure reveals that the minutes were not replicated
from abroad, which as is known are those that end up also being part of the Official Computing.
It is then the first incident that involves acts that finally ended up being part of the
TREP and Final Computing.
Second modification in TREP software by NEOTEC on Sunday morning, October 20, 2019 at 7:20 p.m.
This last incident triggers a new one, since modifications are made
directly on the database using SQL statements (without going through the application), something
absolutely incompatible with an electoral process.
In addition to what is described in this finding (which summarizes several events), the way they are done
the changes and the striking form of communication. After modifying the source code, in addition to accessing
through SQL statements to the database (without the physical presence of SRECI officials, DNTIC
and audit firm), the communication comes through an email.
It is recorded in this way that is at odds with good practices and removes transparency from
process. Before 8 AM on October 20, three known anomalies are known
by the NEOTEC company.
Bearing in mind that while the changes were taking place, minutes had already begun to be received from
abroad, this means that the election process was already fully operational, and despite
This continued changes and tests (as indicated in the email). Bliss
situation is totally anomalous during an election day already underway.

Page 43
Electoral Integrity Analysis
Plurinational State of Bolivia
43
Images of the TREP are part of the official calculation
Image transfer from BO2 primary server of an Amazon TREP cloud was checked
to the application server and publisher with IP address: 10.100.88.24 that forms a farm
of physical servers located in San Jorge in charge of the DNTIC that feeds the Official Computing. These
TREP images (corresponding to photographs of minutes) were entered directly from the
TREP to the Official Computing and is one of the elements through which the lack of security and
impossibility of guaranteeing the integrity of the TREP happens to have an impact on the Official Computing.
The aforementioned discards the assertion that the TREP and the Official Computing were two
absolutely independent processes. It must be clearly stated that these acts that formed
part of the flow of the TREP are the same ones that were injected into the Official Computing. It should be remembered that
this data flow from SERECI circulated until 19:40 by an undeclared, insecure and non-server
monitored (BO1) and after the resumption of TREP circulated through a third undeclared Amazon network,
omitted in the reports and that evaded the perimeter servers controlled by the auditing company
(BO20) to later insert them in the Official Computing.
In relation to this link between the TREP and the Official Computing, it is appropriate to highlight the statement of
the auditing company hired by the TSE that describes “Once informed of all the
Critical vulnerabilities that we find in TREP and despite NEOTEC's effort to remedy them, just
before the elections in a full-room meeting, we complied with warning that the software was insecure,
but that part of the critical vulnerabilities corrected was a risk that they should assess if
accept it or not to take the elections ”.
Direct entry of minutes to the application
In the TREP system, regarding Voting Abroad, there were images of minutes incorporated through
of a functionality called “Lagged Minutes”, outside the planned circuit for sending
Minutes images. The person in charge of this functionality entered both the image of the record, and
so also the data of the same.
The application allowed direct entry of minutes without being transmitted from a mobile phone. In this
case were admitted by a SERECI official. At the same time, given the possibility of
incorporate images of low sharpness or erroneously incorporated into a record, the TREP system had
of image delete functionality.
SSH access to TREP servers by NEOTEC in the middle of the electoral process.
Once the TREP process started, SSH accesses were registered to its servers and in many
cases then raising privileges to root. It is striking that servers are being accessed during
the process and, without doubt, evidences a lack of planning, compromising the security of the process.

Page 44
Electoral Integrity Analysis
Plurinational State of Bolivia
44
Some of NEOTEC's multiple accesses via SSH to TREP servers, detected by Ethical Hacking
In the report of the company Ethical Hacking, you can see a statement that clearly shows
that this aspect removed transparency from the process. When issuing changes, describe: “Agree
to the established protocol, all these accesses and changes should be in the presence of the DNTIC and of
our part as an audit firm, but Neotec flatly refused to work with us in
the facilities of the EPO and went to SERECI. ”It is expressly recorded by the experts
auditors, of this situation of manifest anomaly.
Other relevant findings
Residuals of Databases and the application of NEOTEC in servers were found
perimeter, which is at odds with good practices and constitutes an additional risk. It is important
that the perimeter servers do not have databases and versions of the application used for the
process.
The TREP system lacked use cases, indicating the absence of a methodology of
Implementation of critical systems. This, contrasted with the incidents and actions carried out during
The electoral process sets up a system that does not conform to the required standards.
In the TREP system there were no test lots that cover the widest range of possibilities
both expected and erroneous data, and to minimize the occurrence of incidents and ensure the
service availability
The drills were insufficient attentive to the meager reports, and there is no available
Results report.
In the TREP system, the “Minutes Approver” function had the possibility of validating minutes,
even when there are differences in values ​​between Strike 1 and Strike 2. This function allows you to continue with the
Minutes process despite differences.
The functionality called “TREP - Verification of Proceedings with Image Deletion”, allows
delete an image linked to a record. The head of the TREP argued that it was used in those cases

Page 45
Electoral Integrity Analysis
Plurinational State of Bolivia
Four. Five
in which the transmitted image was blurred and a new image was required to be incorporated into the
system.
The system admitted a set of parameters, one of them “Period of generation of
results, in seconds ”, whose value“ 0 ”(zero) does not show results in the publisher. Parameter
used to stop the publisher on October 20, 2019.
b. Official Computing System
For the official computation of the minutes, indicated in the electoral law and which is carried out by
each of the nine Departmental Courts (TED), the court contemplated the use of an application
which is installed in computers in each of the premises of the TED.
This system would process the minutes using the originals that were filled in each of the tables,
and that they would be physically transferred to the TEDs, using security envelopes. The process of
It began with the scanning of the minutes for digital safekeeping, then they passed to
the Full Room of each TED where they had to be analyzed for approval. The approved minutes, should
be typed and verified by visualizing previously scanned images. All data result of
This review should be consolidated and published immediately on the publication page of
Internet results. The EPO in this process decided to publish the images online again
scanned and validated records data, as well as flat files with the computed results,
so that they could be consulted by political parties and the general public.
The operation of this system was centralized in the servers of the main data center
of the EPO, located in the city of La Paz, which communicated with all TEDs through a network of
Private data hired by the electoral court. For the publication of the results processed by
This system, the TSE contracted an external service in the cloud on the Internet, in order to achieve
a greater capacity for consultation by citizens.
The EPO awaited the start of the processing of the minutes data in this system two hours later
at the end of the voting at the polling stations and estimated that it could extend from one to two days,
due to the times in the physical transfer of the minutes from the voting precincts that in some
cases are far away.
Link between the TREP system and Official Computing
Bearing in mind that in these general elections, voters who are in the
outside of Bolivia to exercise the presidential vote, the method of use of the
mobile application for TREP to operators proposed abroad.
Because the physical records would take time to be sent to Bolivia, the decision was made to send
from the TREP system, the images from outside to the official computer system. This implied that
votes from abroad entered in the Official Computing were based on the minutes received in the TREP system.
This modality would also be replicated for certain tables in the country, due to the burning of the minutes
in Chuquisaca, Potosí and Santa Cruz.

Page 46
Electoral Integrity Analysis
Plurinational State of Bolivia
46
Lack of maturity of the process in relation to software
There was a lack of maturity of the process in relation to software, on the one hand, due to the absence
of use cases and several software tests (unit test, integration test and regression test) and by
another, because the tests performed lacked a formal software acceptance process with
formal test cases.
Weak authentication
Authentication for software use was weak and allowed someone to take control with roles of
administration due to:
Poor implementation of the multiple authentication factor (with the same code
can open several sessions).
A new browser tab could be opened before closing the previous one (without authenticating).
Upon leaving who was working, despite having closed the application, you could access with
your user without authenticating (including roles that allow you to validate minutes).
Verifications of these vulnerabilities were carried out in the presence of those responsible
technicians of the SERECI, of the company NEOTEC, the DNTIC and the delegate by the TSE before the audit
OAS
It should be remembered that the company Ethical Hacking, determines that other remedies could not be remedied.
vulnerabilities detected before the electoral process, which undoubtedly raised the level of risks
of taking control with possibility of data manipulation.
The data blind procedure did not adopt basic security measures.
Although a formal procedure of cereo was carried out, later the person in charge of the
company accessed with maximum privilege to the databases. In addition, with the unique database already in
zero, from the Departmental Electoral Courts they executed a new cereo.
The access of the head of NEOTEC with the root user of the operating system significantly affects the
transparency that is sought to be guaranteed through an official act of cereo before the authorities
Electorals
It is extremely serious that the person in charge of the software provider company agreed with
root user to the operating system in the middle of the night (by their own decision) when everyone believed
that the systems were ready and nobody could access.
It is necessary to clarify that the root user (root) in the operating system used has the power to
Make any changes. That is why in an electoral process this is strictly
prohibited.

Page 47
Electoral Integrity Analysis
Plurinational State of Bolivia
47
The integrity of the preserved software was not respected before starting the process.
In the framework of the process, a software freeze was made but the values ​​of
hash After that, the software was recompiled in the middle of the process, thereby losing integrity.
This change violates the essential principles of security, by entering directly into productive without a
acceptance control, test case or authorization to release it.
All international standards and guides to good practice are categorical with respect to
they must respect all three environments (development, testing and productive), but also point out that they are not
You must modify the software in the middle of a process.
In this case, the head of the NEOTEC company modified on more than one occasion the software of the
Official Computing in the process, he recompiled it (at which point he loses integrity regarding the
preserved during freezing) and put it into production. There are multiple works of
research that establish this as an unacceptable bad practice in an electoral process.
The negative effect of the lack of use cases, software testing and
Acceptance tests as detailed previously. All this undoubtedly affects the
process transparency
Existence of residual data
The sterile environment for the beginning of the process was not contemplated. In the computers of the TED of La
Paz was able to observe the existence of test data (for example, minutes) mixed with minutes of the day
of the election. The verification was carried out in the company of the person in charge of said systems
agency, the members of the TED present and coordinators appointed by the TSE before the team of
audit.
By not removing the test data, the production environment is contaminated. Good practices in the
Electoral process management are blunt in this regard by pointing out that they cannot exist
residual test data at the start of the process
Entry of minutes of the TREP to the official Computation
As previously mentioned, minutes of the TREP (in an environment whose network was violated and
manipulated), were included in the Official Computing. From a server on a compromised network (server
BO2 - TREP) communication was established with the Official Computing network to transfer data.
The number of minutes of the TREP that are part of the official calculation (directly) are at least 1,575.
These are minutes for which there were no minutes scans but photographs and only considered
in this number those that entered directly from the TREP to the Official Computing.
Lack of adequate preservation of evidence about the election
To date, the provider and main actor in an investigation of the incidents by an election
questioned, has absolute mastery over the data and no one else can make contact without their

Page 48
Electoral Integrity Analysis
Plurinational State of Bolivia
48
authorization. This is at odds with good practices in incident management and the chain is violated
of custody.
Therefore, there is no formal preservation of the election data before further judicialization.
Additionally, the applications through which the Databases access those operating from Bolivia
suffer from the authentication weaknesses described above (take control of it with
Administrator role, even without the need to authenticate under certain circumstances and
mentioned and checked).
Failure in a calculation algorithm
There was a failure in a calculation algorithm, which evidences the lack of testing. Between the effects
It is included that you could register an incomplete record. This fault was not resolved by the application. He
Responsible for the company had to access with maximum privileges (through SQL statements) to resolve
the situation. This is a high risk fact for data integrity.
Access through SQL statements and also have the password and root access to the servers of the
Official computation by the same person of NEOTEC (without physical control by the personnel of
DNTIC) is somewhat at odds with good practices and evidences the lack of computer security that surrounded
to the process
Only in this access due to algorithm failure, which was carried out 20 minutes after an access
Directly to the databases for the purpose of “undo minutes”, the data of 41 tables were modified
directly on the database.
The team of expert auditors expressly records this succession of events that compromises the
data integrity
Direct access to the Database without going through the application
Reflected in the previous point, it was accessed during the Official Computing process directly to
modify database data using SQL statements (which allow you to change data without using
the application). This is unacceptable in an electoral process and jeopardizes the integrity of
data.
One of the reasons why they agreed in this way was the need to “undo” minutes (according to
his words), the other is an unmediated failure of the application that was previously mentioned.
The application must be the only way to access the data during the electoral process to
guarantee the integrity of it.
Interruption in publication of the official calculation
According to the report of the company NEOTEC, on October 24, 2019, from 1:33 PM (Bolivia time)
a denial of service (DoS) attack against the results publication server was initiated
http://computo.oep.org.bo. The attack lasted 16 hours and intensified in the last 6 hours causing
slow presentation of results and failures in the download of the Excel file.

Page 49
Electoral Integrity Analysis
Plurinational State of Bolivia
49
The following image included in the aforementioned report shows that the attack was only directed against the site of
computation (orange points of the graph). The TREP site (blue dots on the graph) was consulted under
normal conditions.
Image provided by NEOTEC at the time of the denial of service attack
The report was complemented with a screenshot showing that an attacker made more than
500,000 requests in one hour.
Image provided by NEOTEC showing volume of requests
On the other hand, on October 25, 2019 at approximately 6:00 AM a second began
massive attack against the server of publication of results of the Official Computing that extended until
12:00 AM approximately.
It should be clarified that the servers were never downloaded and that the other processes outside the publication
they functioned normally, unlike the TREP in which he intentionally interrupted the
processing

Page 50
Electoral Integrity Analysis
Plurinational State of Bolivia
fifty
Numerous public complaints of inconsistencies were raised among what was observed in the
Website and download queries (Excel file), which were justified by the company
as delays caused by the attack they were suffering, without providing further details.
The security strategy for this particular consisted of providing both results servers
of the TREP as to those of the Official Computing, of the DoS attack mitigation service of CloudFlare.
Before a momentous event as a presidential election, the publication of results is not
protects only with the hiring of a service, but a robust defense strategy is necessary
that has several alternative plans. In no way is it acceptable for an attack of
denial of services keep a portal in this state for so long. That affects the
information availability and generates uncertainty in the population.
Software release in the hands of NEOTEC.
The software acquired by the electoral agency is in the hands of the supplier company. It adds to
that there are no procedures for acceptance tests and software release,
remaining at the discretion of NEOTEC.
In the Official Computing process (as it happened in the TREP process) it was found that in a manner
Inconsultation NEOTEC modified the software, recompiled and released it, until it even accepted
unilaterally the risk of not resolving a failure and remedying it with SQL statements based on
data.
What is described in this section has a negative impact on the electoral process by questioning the
integrity of the results, affecting transparency and increasing risk.
Inclusion of disabled in the list of voters for consultation.
In the system used for Official Computing, there is a consultation of table minutes using the
voter identity document number. To validate this query, it is necessary to have the
List of voters in their database.
From the TSE, the NEOTEC company was provided with a list in format (.csv) that included both enabled
as disabled and a status mark that indicates which voters are enabled.
When importing it to the database, the company considered only the "full document" columns and
"nummesa", so the disabled were also included. This in addition to being a bad practice,
generated enormous distrust in the electorate and in the community in general, which also detected
in the TREP.
Citizens took captures of inquiries evidencing such a situation, which generated innumerable
Complaints received by the OAS audit team.
It is unacceptable that the disabled are included in the database. It is striking that it is delivered
that way to the company and also have an assigned table number. Do not include

Page 51
Electoral Integrity Analysis
Plurinational State of Bolivia
51
disabled in an electoral process. Once again the lack of a testing strategy is evidenced
acceptable.
Other findings
The same person (responsible for the software provider) met the following roles:
o Design, development, testing and implementation of the software.
o Already during the process:
▪ Recompiled the software
▪ No change management, testing or security procedures were applied;
▪ Accessed Databases with maximum privileges to modify data;
▪ Keeps servers, databases and the control under its exclusive control
application.
▪ Due to the above, the chain of custody has been broken since the incident.
The auditing company did not control the integrity of the data.
A non-functional functional drill was conducted, which was in charge of the delegates
Technological of each departmental TED.
The test lots used were at the discretion of the head of each TED
Departmental, no test cases were generated and the diversity of exposed cases was limited; for the
which did not cover the universe of possibilities that may arise during the election process.
The application provider entered directly to the server remotely. Access allowed
via VPN to servers of the Official Computing.
Final considerations
It should be noted that in the reports of both the NEOTEC company and the Ethical Hacking company
delivered by the TSE to the audit, it was not detailed:
Actual configuration of the BO1 server (implemented in an Amazon NEOTEC network and detected
by the auditing company). In addition to being a gateway between the user's browser and the server as
declares NEOTEC, attended other Web requests as can be seen in its logs and stores both Bases
Data as applications (unjustifiable on a perimeter server during an election);
Existence of the BO20 server (implemented in a foreign Amazon network) discovered by
OAS audit experts during the audit.
Inconsistency between the databases of the BO3 publishing server and the primary server
BO2.

Page 52
Electoral Integrity Analysis
Plurinational State of Bolivia
52
During a meeting held by the OAS audit team with the members of the TSE and representatives of
the TEDs, the president of the EPO said that the company Ethical Hacking had concluded that the elections
They had been transparent and there were no integrity issues.
After the findings of the OAS experts, the audit team contacted the CEO of
the audit company Ethical Hacking to tell you about the many irregularities
detected. The head of the aforementioned company provided reports evidencing
multiple modifications to the database and events that made it impossible to guarantee the
integrity of the process The conclusion of the aforementioned company (hired by the same court) is
diametrically opposed to the version issued by the president of the full room to the audit team.
For its part, the report of the company NEOTEC dated October 28, 2019 delivered by the TSE to
audit team did not show the anomalies later found by the audit experts. After the findings,
The NEOTEC company prepared a complementary report dated November 4 in which
to confirm that BO1 (not contemplated in the formal topology) should not be used, declares by
the first time the BO20 server (hidden in the network topology), recognizes the difference of minutes between the
BO2 and BO3 (which constitutes a serious inconsistency omitted in previous reports) and provides
explanation for the inclusion of the disabled in the list of voters for TREP consultations and
Official Computing
It is suspicious that the flow of TREP data to servers hidden in the topology of the network is redirected.
net. The OAS audit team was able to verify that the third network that hosted the BO20 detected during
The audit did not belong to the TREP or the Official Computing. In this network there were no daily tasks of
computing, nor are there functional EPO servers. It was described verbally by
DNTIC officials as a network used to perform some tests unrelated to the
electoral process. No one could justify the decision to implement a server there to redirect
the flow of the TREP, mocking all control of the audit firm, and the reasons to hide it from the team
auditor.
The role played by an “advisor” of the TSE full room has been mentioned repeatedly,
IT professional who was not presented to the OAS team of auditors but who would have had
an important role during the interruption of the TREP and related events, and that could
clarify the reasons why the SERECI data flow was derived to a network external to that of the
TREP and Official Computing (evading the perimeter servers of the audit firm), aspect no
included in the reports delivered to the OAS audit team at the beginning of the audit.
On November 11, 2019, DNTIC officials sent a report 13 in which
They recognized the creation of a virtual Linux AMI machine on Amazon detected by the experts
OAS auditors with IP 18.220.48.51, not recorded in the reports that were initially
delivered to the audit team and hidden in the network topology used for the TREP. They stated that
they did it on October 21, 2019 at the request of the members of the TSE, in coordination with NEOTEC
13 Annex 3 - Report No. DNTIC-EXT No. 0345/2019

Page 53
Electoral Integrity Analysis
Plurinational State of Bolivia
53
and with the participation of the professional presented by the authorities as an advisor to the members, to whom
consign (only this time) by full name.
In this server no specific security measures were implemented to guarantee the
log protection, control of integrity of the same or recruitment or any control by
from Ethical Hacking. No explanation about the reason is included in the aforementioned document
by which the flow of the TREP is redirected to a network outside it, although it is recognized in the
document to the adviser of the members with functional authority over the DNTIC during the electoral process.
The document mentions that the creation of the virtual Linux AMI machine in the Amazon account
It was dated October 21 and after the creation of the BO20 server until the audit request
of the OAS log verification no additional accesses have been reported. However, you are
Affirmations are false. The audit team found that the virtual machine was previously implemented
to the day of the election. Therefore, the BO20 server was configured from a machine created with
In advance of the elections. Additionally, the auditors found that the BO20 server had access
at 12:23 on October 21, 2019.
The logs showing accesses with user ec2- were found and are in the hands of the audit team.
user (and also raising privileges to root) several hours after its configuration and in full
TREP execution in its second stage (after the cut).
A thorough investigation of this BO20 server and the other items of the
TREP infrastructure and Final Computing. It is recorded, however, that the
evidence (neither in this case) nor did a reliable chain of custody begin. The latter will be a
investigative obstacle to any further prosecution.
Conclusions
In light of the background and findings described, and the accumulation of irregularities observed, it is not
It is possible for the audit team to guarantee the integrity of the data and give certainty of the results.
Evidence should be preserved, especially those housed in highly volatile environments, and
establish an adequate chain of custody to ensure the investigation of the facts. That
investigation may chronologically analyze the documents provided by the companies and the TSE at
audit team from the beginning of the audit activities and confirm the differences between the
information initially provided and subsequent reports provided after the findings of the experts
OAS auditors.
It is important to mention that most of the findings in this section are listed in a series.
of minutes / minutes prepared by the audit team, which were signed by technical staff of the
TSE 14 . These minutes can be consulted in theAnnex 6, in which the names for
14 Annex 6 - Acts with findings in the computer aspects

Page 54
Electoral Integrity Analysis
Plurinational State of Bolivia
54
Safeguard personal data and identity of those involved. However, the documents
complete have been delivered to the Public Ministry.
The audit team considers it appropriate to also include the conclusions of the audit firm Ethical
Hacking that was hired by the TSE itself. Although some findings do not include some findings
such as the difference between the BO2 database and that of the publisher, as well as the server hidden in the
BO20 cloud network, it is important to assess and document it:
“In honor of the truth, professional ethics and our commitment to information transparency
In the execution of this work, I can certify that:
1. All the information presented in this report is real, has not undergone any alteration and was
prepared following a scientific methodology, respecting all aspects concerning
Computer Security and security audit processes.
2. This report only represents a consolidated timeline since the beginning of our
participation with the TSE and the EPO for the presidential elections Bolivia 2019. All reports of
technical level were already delivered to the receiving and evaluating commission within the times that
It stipulated our contract.
3. Once informed of all the critical vulnerabilities we find in TREP and despite the effort
of NEOTEC to remedy them, just before the elections in a meeting room, we comply with
warn that the software was insecure, but that part of the critical vulnerabilities corrected was
a risk that they should assess whether to accept it or not to carry the elections.
4. Regarding the recommendations and remediations that we pass to NEOTEC to carry out in TREP and
Computer System, only applied to the TREP and not 100%, this because the times were very
Shorts to remedy some things, as NEOTEC explained.
5. Regarding the source code, we carry out an exhaustive audit of static code, especially in the
routines and functions where data is entered and the treatment given to certify that the
software does not perform fraudulent operations and that the data you enter is handled securely
and adequate, until the first time the hash of integrity was generated before the full hall and the
OAS observers. After that date the source code suffered several alterations in different
dates of which we were not participating and therefore we can no longer certify its integrity
software.
6. Regarding the cut of the TREP, although it was concluded that it was an error of omission of the protocol and should not
having made that change without authorization, it is clear that this server was not in our range
monitoring and redirecting all SERECI traffic for the verification of minutes, such a task
important and sensitive to an external server totally outside the monitoring range, we don't
we can attest to all the information that was entered at that time and the electoral process loses all
credibility when the security protocol is violated.

Page 55
Electoral Integrity Analysis
Plurinational State of Bolivia
55
7. We do not have records of the information sent from a server outside our
monitoring, we cannot attest to the integrity of the data that was recorded during the peak it generated
the alert since it is almost impossible for more than 30,000 requests to arrive every 30 seconds from SERECI
with a group of 350 operators “recording 2 minutes per minute” as indicated by Marcel Guzmán de
Red.
8. Regarding the error in the TREP algorithm that NEOTEC calls “Computer Flat”, being an error
identified of its algorithm which mentioned us that it has been taking place in all the elections (more
4 years), shows that the TREP is a fallible system and contains programming errors that
They should have been fixed long ago. These errors force the base to be accessed
of data in production during the execution of the elections and make manual changes what
subsequently falls in violation of integrity.
9. Regarding the manual alteration of the TREP and Computing databases, during the process of
Voting, whatever the reason and from a technical and forensic point of view, nullity vice all the
electoral process and loses all credibility by violating the integrity of the databases.
10. Regarding the inconsistencies with the data of the minutes that at certain times gave a
information and at other times a different one, which were observed by the same EPO and due
to the amount of direct changes to the databases and without supervision of the DNTIC or our company,
We cannot certify the integrity of the information that currently rests on the backups delivered
by NEOTEC.
11. It is for all this and in honor of the truth that after all the facts set forth in this document
and in all the technical reports that were presented during the execution of our work that
we can attest to the integrity of the election results since the whole process is vitiated by
nullity by the amount of alterations to the source code of the TREP, the number of accesses and
changes manually and with maximum privileges to databases and inconsistencies that
they appeared between TREP and the Computer System during the electoral process. ” 15
II.
FINDING 2: EXISTENCE OF A HANDLING, FAKE AND PATTERN PATTERN
ADULTERATIONS OF E