The Organization of American States (OAS) gave a preliminary report this Sunday on the audit conducted on the results of the elections in Bolivia, which led President Evo Morales to call new elections.
The report details several weaknesses in the process. Among them, the agency found that, after an interruption, the flow of transcription data was redirected to a server (BO20) that was neither among those provisioned for the TREP in the cloud nor part of the physical equipment of the National Information Technology Directorate (DNTIC).
In addition, it details the failure of a calculation algorithm.
"There was a flaw in the 'flat computed' algorithm, which evidences the lack of testing. In addition, among its effects, it could record an incomplete record. This fault was not resolved by the application. The head of the company had to access with maximum privileges (through SQL statements) to resolve the situation. This is a high risk for the integrity of the data," the report says.
The same person (the one responsible for the software provider) held the following roles:
- Design, development, testing and implementation of the software.
Then, during the process, that person:
- Recompiled the software;
- Applied no change management, testing or security procedures;
- Accessed the databases with maximum privileges to modify data;
- Kept the servers, databases and the application under his exclusive control.
- Because of the above, the chain of custody has been broken since the incident.
About the process, as observed by the OAS auditors:
- 100% of the TREP data flow was not monitored
- The infrastructure was not under the control and knowledge of the SERECI technical manager
- The details of vital infrastructure components were omitted
- It operated with a server that was not in the TREP infrastructure, “BO1” or “BO”
- The flow was redirected to a network of servers outside the TREP and Official Computing, “BO20”
- The perimeter of the TREP was not used properly, since its servers were bypassed.
“It is strange that the flow of data is redirected to a foreign network, not planned or documented. Nor is there a valid technical explanation as to why the perimeter servers controlled by the auditing company were not used. This is extremely serious and affects the transparency of the process,” says the OAS.
The report states that, to redirect the flow of information generated in the SERECI to the server (BO20), the IP address to which the 350 machines used in the SERECI pointed was modified. This was done even though servers had been prepared within the TREP network, under the control of the auditing company.
It indicates that, according to the information provided by the agency, there was a main server, BO2, one for publishing, BO3, and the respective contingency. “Strangely, the BO3 server was not used for publishing as planned. The OAS audit was able to determine that the BO3 contingency server does not have the same number of records as the main BO2. That is, they do not have the same information in their databases as expected.”
It says that remnants of outdated databases and other versions of the application were found on perimeter servers, which according to the OAS is at odds with good practices.
The report adds that metadata (image data received from cell phones), a vital element for the transparency of a process of this nature, was not preserved and that, as evidenced by the audit, the hash value was not recorded in the software freeze certificate, which it considers a bad practice.