Mr Bates vs The Post Office

Easier to blame the "thieving" SPM's I suppose.

I think I agree with the second portion above in bold - the existence of the possibility of super-user remote access per se wasn't an issue (and I'm not sure it is today), it is the fact that it was not logged, not auditable and there were no/weak controls about how it was used, combined with the potential to modify the underlying data, meant that any evidence that was derived from the underlying data (including ARQs etc.) should have come with the caveat that that data could not be guaranteed to represent the actions of the SPM. (I'm not sure that the existence of a backdoor weakens a system provided that you can show what, if anything, it was ever used for).

What should have happened is that in the prosecutions, there should have been evidence submitted which showed that i) remote access was possible, and ii) there had been no use of remote access during the relevant time. However, not even FJ had this evidence (see the Horizon Issues trial). This is what made the prosecutions fundamentally unsound. If any defence had asked whether remote access was possible, then FJ/PO should have owned up and said 'yes', but they didn't. I'm not aware of anyone saying that a shortfall was caused directly as a result of remote access having been used, and I'm not sure the CCRC did either (see the Hamilton CoA judgment).

I could imagine that GJ's view was that remote access was there as a tool; if it was ever used, it was only used to fix things so would never give rise to something that would penalise a SPM, so why would it be relevant in a case where there was a problem?

It doesn't matter, the absence of an audit trail means any such evidence is worthless.

That’s the gist of it. From a Fujitsu POV, I can get that they might genuinely say “yes but we don’t use it like that.”

The bottom line is Horizon seems to have been built by people with no real understanding of such systems. Even the descriptions of “double entry” are wrong.

They’d have been far better off licensing or acquiring, say, TopManage and building on top of that - not only for the solid fundamentals, but because they’d have had a solid commercial ERP offering to sell elsewhere.

If the fundamental data and system architecture had been right, none of the rest would or could have happened.

Well, they did really do that with the original Horizon, which was built on top of Escher Riposte (https://www.eschergroup.com/riposte-platform/). That iteration of Horzion had the most issue, although not all of them were to do with Riposte.

Then there was the second iteration of Horizon (Horizon Online) which removed Riposte.

1. Is easy to understand I think - Horizon was detecting the hitherto undetected fraud from from those thieving SPMs - confirmation bias is a powerful thing.

2. Not so much - such a lack of curiosity.

And there’s the crux. At least one piece of evidence I believe I heard stated that Post Office had *specified* Riposte as a part of the contract.

From what I’ve gleaned, what happened was Post Office were sold Riposte, using the AnPost implementation as a reference. They then decided to extend that to meet the original joint PO/DSS contract requirement. Along the way, Riposte moved from an old Windows 3.11 system to something based off of NT. The PO scope was fundamentally different - and unsuited - to Riposte, but PO at this stage were wedded to this system “designed for postal services” and so mandated the continual shoehorning of their requirements into the space provided by Riposte. One of the early meeting documents makes it clear that (a) Riposte is now a complete different beast to the original, and (b) the various participants don’t work together and don’t understand the complete architecture.

By the end, they seem to have a product that started as a design for a milking stool and ended with orbital capability - without ever re-evaluating whether the milking stool remained a suitable base.

ICL/Fujitsu should probably have said “if you want us to stand by this product, we need to make all the architectural choices.” It doesn’t seem that that happened.

So we end up with ICL/Fujitsu as principal contractor, reliant upon underpinnings provided by a third party that were mandated by the customer, but without access to the source code of Riposte.

That’s not what I suggested above. They didn’t licence Riposte; it seems they simply bought instances of Riposte and attempted to integrate it with other components.

Rather than call Horizon software, it would be more honest to call it a contract. Jenkins, for instance, as “expert” had no ability to lift the lid on Riposte’s source code or assert its fitness - he’d just inherited a bunch of mashed-together first and third party code with (we’ve learned elsewhere) little or no proper testing.

As regards remote access, etc, either Riposte was insecure (possibly - for instance, in the An Post implementation it relied on plain text transaction log files FFS), or the PO implementation and use simply allowed ICL/Fujitsu folk to RDP in (other technologies are available) and perform tasks (this is born out by other evidence, which said if a counter user wasn’t logged in then logging was off - this fits with the Riposte architecture requiring mag stripe card user log in to initialise transaction sequencing and so on - I do wonder if sometimes they really did just hack the local files).

Horizon wasn’t - software system; it was an IT system. Because Riposte wasn’t necessarily fit for the purpose, there were too many bolt-ons and workarounds.

I maintain that, if they’d started with a proper extensible ERP or similar system, and then worked properly to build an architecture that didn’t break the basics of system audit, they’d have had a far more robust end result.

But who is to blame? Probably a mixture - PO for doing as so often happens and demanding the software they’ve been sold, and ICL/Fujitsu for saying yes.

I wonder what the original contract says?

All very good points. For those of us who've been knocking around "serious IT" for a long time, I'd say one of the big problems is they were trying to do all of this with first Windows 3.11 and then later NT 3.5.1 / 4, and were clearly inventing the wheel over a bunch of asynchronous data transfer stuff - not uncommon for the PC boys back in the day.

There's nothing they were trying to do on the distributed side that hadn't be solved thousands of times before with more robust operating systems and tools They (Escher) seem even to have developed their own messaging system, rather than just using something like TIB or even MQ and run the whole thing on something like SCO. I'd imagine anyone actually used to this sort of work would be doing the front end in something like PowerBuilder, rather than VB.

Anyhow, that's a sideshow I guess.

Not sure entirely what you mean by centralised, but this was in the early 2000s when connectivity was patchy. If it was working, terminals in branches would upload everything to a central server, but they were programmed to be able to work if connectivity was down. They would store transactions locally and then upload them centrally when connectivity was restored. They could also cope with one or more terminals in a branch going down, and sync'ing transactions between terminals locally.

OK - sorry, I know what centralised means, but in 2000, a truly centralised / dumb terminal system would rely on robust connectivity at all times. If you were in Anglesey and your broadband stopped working then you would have to close the post office. That wasn't acceptable.