[News] Post Office Scandal -

[fly high]

This is explosive from the Law Gazette.

OMG if this is true then there is even more of a problem with the justice system then we thought.

 

[FamilyGuy]

Just to put some context around the remote access comments. I've been in the IT game 25+ years and every system I've ever seen has some sort of remote access. If you phone up your insurance company within minutes someone at the other end can pull up your details, access your account, refund you money etc. The principals of this would be no different.

The questions that need asking who be what were the access, security, processes and procedures around this? The remote access thing is a red herring in my view.

Sorry, back to the stoning everyone

I too was in "the IT game" but for over 40 years.
There is a huge - and auditable - difference between a development/support team having access to a system, and the same people being able to change data on the system.
The former is logical and beneficial, the latter is open to fraud, is unauditable and is probably illegal in many cases. It is definitely suspect and is something that should never be part of the design of a system.
Any and all adjustments to data on a system should and must be controlled, approved, audited, reported and documented.

 

[fly high]

I too was in "the IT game" but for over 40 years.
There is a huge - and auditable - difference between a development/support team having access to a system, and the same people being able to change data on the system.
The former is logical and beneficial, the latter is open to fraud, is unauditable and is probably illegal in many cases. It is definitely suspect and is something that should never be part of the design of a system.
Any and all adjustments to data on a system should and must be controlled, approved, audited, reported and documented.

False evidence by Post Office’s expert contradicted his own report

Expert suggested bug fix which would alter data without branch knowing, but told court that was impossible.

www.bbc.com

This BBC report which suggests data could be changed remotely, something the PO went along with & lawyers knew about even as they sent people to jail.

 

[Milano]

People are going to prison for this I reckon, I just hope it's the right people and not some poor scapegoats.

 

[METALMICKY]

People are going to prison for this I reckon, I just hope it's the right people and not some poor scapegoats.

Absolutely this. Jail time is definitely required. Sadly as you suggest, I think there will be some 'patsies' who will carry the can for the senior villains of the scandal

 

[Iggle Piggle]

I too was in "the IT game" but for over 40 years.
There is a huge - and auditable - difference between a development/support team having access to a system, and the same people being able to change data on the system.
The former is logical and beneficial, the latter is open to fraud, is unauditable and is probably illegal in many cases. It is definitely suspect and is something that should never be part of the design of a system.
Any and all adjustments to data on a system should and must be controlled, approved, audited, reported and documented

I don't disagree with any of that. As I said, it's the processes etc around the system access that is the question.

Some earlier posts had made reference to the "secret rooms" and remote access. Both of these are highly logical in secure environments. Access to sensitive systems will be in secure areas and limited to those that need to be there. The system has to be accessed remotely for support by a limited number of vetted staff. I would expect both of those things in any normal large scale IT programme. They shouldn't be seen as a red flag in themselves.

If data can be changed without a change process or audit, then that is a completely different story. As an aside, I've watched some of the inquiry and I do find it interesting in itself how the legal system tries to get to grips with the complexity of how the system and corporate framework hangs together.

 

[dejavuatbtn]

I too was in "the IT game" but for over 40 years.
There is a huge - and auditable - difference between a development/support team having access to a system, and the same people being able to change data on the system.
The former is logical and beneficial, the latter is open to fraud, is unauditable and is probably illegal in many cases. It is definitely suspect and is something that should never be part of the design of a system.
Any and all adjustments to data on a system should and must be controlled, approved, audited, reported and documented.

Yep, agreed. I worked in IT related departments and the only way to change data, other than a prescribed auditable process, was to change the raw data field on the system. This could only be done with a lot of blood letting and management control.

 

[Super Steve Earle]

Can't believe so many lawyers and senior staff have such terrible memories. Terrible to the point that they must have been barely functional humans for the last couple of decades.
The human interest stuff at the moment is just awful. The Post Office seems to have employed the dregs of humanity in so many roles.

 

[Westdene Seagull]

Can't believe so many lawyers and senior staff have such terrible memories. Terrible to the point that they must have been barely functional humans for the last couple of decades.
The human interest stuff at the moment is just awful. The Post Office seems to have employed the dregs of humanity in so many roles.

Supposedly some of the most intelligent and well paid professions yet every single one a liar with a poor memory. Think this shot of one of the PO's lawyers from today somewhat show's he knows he's been caught lying.

As an aside, if I ever need a lawyer I want Jason Beer - great name and even better lawyer.

 

[Westdene Seagull]

I too was in "the IT game" but for over 40 years.
There is a huge - and auditable - difference between a development/support team having access to a system, and the same people being able to change data on the system.
The former is logical and beneficial, the latter is open to fraud, is unauditable and is probably illegal in many cases. It is definitely suspect and is something that should never be part of the design of a system.
Any and all adjustments to data on a system should and must be controlled, approved, audited, reported and documented.

Another IT lifer - and let's remember applications and data generally are kept separate with only the application having access to add, change or delete data and then only with detailed audit trails.

 

[Seagull58]

I don't disagree with any of that. As I said, it's the processes etc around the system access that is the question.

Some earlier posts had made reference to the "secret rooms" and remote access. Both of these are highly logical in secure environments. Access to sensitive systems will be in secure areas and limited to those that need to be there. The system has to be accessed remotely for support by a limited number of vetted staff. I would expect both of those things in any normal large scale IT programme. They shouldn't be seen as a red flag in themselves.

If data can be changed without a change process or audit, then that is a completely different story. As an aside, I've watched some of the inquiry and I do find it interesting in itself how the legal system tries to get to grips with the complexity of how the system and corporate framework hangs together.

They had a secret room where people sat and changed data in the database directly without any audit trail. They denied that the room and the people existed. Jail time would be appropriate for the people in charge.

 

[Bodian]

Words fail me

 

[Bozza]

I don't disagree with any of that. As I said, it's the processes etc around the system access that is the question.

Some earlier posts had made reference to the "secret rooms" and remote access. Both of these are highly logical in secure environments. Access to sensitive systems will be in secure areas and limited to those that need to be there. The system has to be accessed remotely for support by a limited number of vetted staff. I would expect both of those things in any normal large scale IT programme. They shouldn't be seen as a red flag in themselves.

If data can be changed without a change process or audit, then that is a completely different story. As an aside, I've watched some of the inquiry and I do find it interesting in itself how the legal system tries to get to grips with the complexity of how the system and corporate framework hangs together.

Every system for every large corporate I've been involved in had "back door" data update access and tools for support staff.

As you say - this is completely normal.

If these access methods didn't exist then when errors occur - and all systems contain errors - then there would be no way to address and fix the incorrect data caused by the system errors.

But, as you also say, this should be limited to a small pool of staff, be fully recorded and audited.

Observing some of the public and media outrage at something I'd see as entirely normal and expected has been interesting.

Pretending that this back-end data access did not exist is not OK though, obviously.

 

[Westdene Seagull]

Every system for every large corporate I've been involved in had "back door" data update access and tools for support staff.

As you say - this is completely normal.

If these access methods didn't exist then when errors occur - and all systems contain errors - then there would be no way to address and fix the incorrect data caused by the system errors.

But, as you also say, this should be limited to a small pool of staff, be fully recorded and audited.

Observing some of the public and media outrage at something I'd see as entirely normal and expected has been interesting.

Pretending that this back-end data access did not exist is not OK though, obviously.

Not sure it's the public that is the issue - it's the PO execs and lawyers denying that there was ever access .... or at least that they never 'knew' about it. Equally, it should have been PCI-DSS compliant - unaudited backdoor access to the data is not allowed in a PCI environment.

 

[Harry Wilson's tackle]

I heard someone employed by the PO today claim that a word file, documenting wrongdoing in 2010, that had been saved to a computer, could not have been saved by him because he did not know how to save word documents. At the time. As far as he can recall.

The people on R5 at the time reviewing proceedings were openly laughing at this.

 

[Iggle Piggle]

Pretending that this back-end data access did not exist is not OK though, obviously.

This is the bit I have maybe missed along the way. Has this been denied? I'm not saying it hasn't happened - and nothing surprises me with this anymore - but the environments I've been involved in have Cameras on the way in, cameras in the room, door controlled access, no windows, smell of farts and inhabited by people slowly losing their soul.

Denying the existence is foolhardy in the extreme. It would leave a footprint akin to pointing at the Amex and saying it's not there. It's such a weird thing to deny as no IT company would ever win a bid for this kind of thing without it.

 

[Westdene Seagull]

I heard someone employed by the PO today claim that a word file, documenting wrongdoing in 2010, that had been saved to a computer, could not have been saved by him because he did not know how to save word documents. At the time. As far as he can recall.

The people on R5 at the time reviewing proceedings were openly laughing at this.

That was Jamail Singh - the Post Office LAWYER on the stand today. I'm not sure how stupid he thinks the rest of us are but the idea that a highly paid professional lawyer doesn't know how to save an MS Office file is farcical. The bloke is a grade A corrupt, lying cvnt.

 

[Eric the meek]

I heard someone employed by the PO today claim that a word file, documenting wrongdoing in 2010, that had been saved to a computer, could not have been saved by him because he did not know how to save word documents. At the time. As far as he can recall.

The people on R5 at the time reviewing proceedings were openly laughing at this.

My money's on Jarnail Singh. More slippery than a pocketful of eels.

 

[Eric the meek]

My money's on Jarnail Singh. More slippery than a pocketful of eels.

Edit: I wrote this BEFORE I read @Westdene Seagull above.

 

[Westdene Seagull]

My money's on Jarnail Singh. More slippery than a pocketful of eels.

You're dissing eels there !