FUJ00171848
FUJ00171848
Peak Incident Management System
Call Reference PC0205805 Call Logger Deleted User -- Security Ops
Release Targeted At -- HNG-X 03.24 Top Ref AUDIT EXTRACT SVR_0324 D056-D055
Call Type Vulnerability Priority B -- Important
Contact Deleted Contact Call Status Closed -- S/W Fix Available to Call Logger
Target Date 24/12/2010 Effort (Man Days) 2.00
Summary Audit - Duplicate Message sequences are not recorded by Fast ARQ retrieval
All References Type Value
Call reference PC0206590
Product Baseline AUDIT EXTRACT SVR_0324 V056
Call reference PC0206622
Product Baseline AUDIT_EXTRACT_SVR_0324 V056-V0S55
Call reference PC0206697
Product Baseline AUDIT _EXTRACT SVR_0324 D056-D055
Call reference PC0206827
DevIntRel-Director Live Supp.Test
Release PEAK PC0207465
Cee : User Date
Gerald Barnes 05-Nov-2010 11:49:40
The Fast ARQ interface does not provide the user with any indication of duplicate records/messages.
This omission means that we are unaware of the presence of duplicate transactions. In the event that
duplicates are retrieved and returned to POL without our knowledge the integrity of the data provided
comes into question. The customer and indeed the defense and the court would assume that the duplicates
were bone fide transactions and this would be incorrect. There are a number of high profile court cases in
the pipeline and it is imperative that we provide sound, accurate records.
Progress Narrative
foate:27-Oct-2010 11:41:05 User:Penny Thomas
CALL PCO205805 opened
Details entered are:~
summary:Audit ~ Duplicate Message sequences are not recorded by Fast ARQ retrieval
call Type:v
call Priorit
rarget Re HNG-X R2
outed to:Security Ops - Penny Thomas
Date:27-Oct-2010 11:48:13 User:Penny Thomas
[he Fast ARQ interface does not provide the user with any indication of duplicate records/messages.
[this omission means that we are unaware of the presence of duplicate tran
lreturned to POL without our knowledge the integrity of the data provided comes into question. The customer and indeed the defense
land the court would assume that the duplicates were bone fide transactions and this would be incorrect. There are a number of
high profile court cases in the pipeline and it is imperative that we provide sound, accurate records.
tions. In the event that duplicates are retrieved and
jDate:27-Oct-2010 11
the Call record has
[The Call record has
44 Uscr:Penny Thomas
n transferred to the team: Audit-Dev
een assigned to the Team Member: Andrew Mansfield
Jbate:29-Oct-2010 14:02:55 User:Andrew Mansfield
[fhe Call record has been assigned to the Team Member: Gerald Barnes
JDate:01-Nov-2010 10:51:37 User:Gerald Barnes
Target Date/Time updated: new value is 02/11/2010 11:41
[Start of Response]
Jandy and T have looked at this. We think the method most compatible with existing behaviour is as follows -
FUJ00171848
FUJ00171848
[check for duplicates for HNGx In a Similar method to how duplicates are checked for in Horizon, For Horizon they are legitimately
logged in the audit log and then ignored (because it is just that identical messages are stored by mistake in more than one
transaction file). For HNGx, in the Fast ARQ case, their detection will cause them to be logged in the Queryhog and a count kept
lof how many there are; they will not be ignored.
ff this count is greater than 0 then bError will be set and the block of code
if (bError)
{
//The Fast ARC must be stopped.
CTraceFile::Trace (TL_ERROR,"The Fast ARQ is being terminated because there are %ld crypto errors, %ld errors and $1d
laps found.", 1fotalCryptoErrors, lfotalErrorsFound, 1TotalGapsFound) ;
set Status (CRFIQueryRequest ::E_ABSTRACT FILES FAILED) ;
return;
}
jodifed to log the number of duplicates found.
i will produce a prototype to confirm that behaviour is acceptable.
{End of Response]
response code to call type V as Category 40 -- Pending -- Incident Under Investigation
fiours spent since call received: 2 hours
bate: 05-Nov-2010 11:16:40 User:Gerald Barnes
[Start of Response]
It have built a prototype QueryDLL.dll which solves this problem. Now if duplicate HNGx messages are detected the Fast ARQ fails
Jat the client with the message "Filtering Failed" displayed at the bottom of its form and on the server in the QueryLog there are
Jactailed messages describing the duplicates found.
Ir attach a zip of the source (with the changes done marked up by this PEAK number) plus details of the test run in a test plan in
levidence attached and labelled "Prototype Fix".
[End of Response]
Response code to call type V as Category 38 -- Pending -- Potential Problem Identified
Hours spent since call received: 15 hours
jbate:05-Nov-2010 11:22:30 User:Gerald Barnes
JEvidence Added - Prototype Fix
JDate:05-Nov-2010 11
[Start of Response]
[DEVELOPMENT IMPACT OF FIX:
7:56 User:Gerald Barnes
SPECIFY THE HNG-X PLATFORMS IMPACTED:
the platform is set and is the "Audit Server"
IECHNICAL SUMMARY:
liNGx can rarely produce transactions with duplicate Journal Sequence Numbers. At the moment, when running a FAS ARQ on the audit
server, these duplicates are not noticed. This means that the evidence presented by the Prosecution Team may show duplicate
transactions without it being noticed; the Defence Team may spot this and call into the question the integrity of our data.
LIST OF KNOWN DIMENSIONS DESIGN PARTS AFFECTED BY THE CHANG!
\UDIT_EXTRACT_SVR
RE ANY OF THESE DESIGN PARTS AFFECTED BY APPROVED CPs/PEAKS in HNGX Release 2:
ves they are, but HNGX Release 2 has been live for quite a while.
RELEASE 2 IMPACT:
[the change affects FAST ARQs; FAST ARQs were brought in at Release 2.
DEPENDENCIES:
[this fix has no particular dependencies.
DOES THE FIX REQUIRE ANY MANUAL DEPLOYMENT BASELINES:
[the fix does not require any manual installation; it will just be a replacement file.
DEV EFFORT IN MANDAYS:
the coding of the fix is complete, however further regression tests need to be run.
2 days for further regression tests and the handover.
IMPACT ON USER:
INGx transactions with duplicate JSNs may not be notic
the prosecution team.
d. This will call into question the reliability of evidence presented by
IMPACT ON OPERATIONS:
[the prosecution evidence will be more consistent and so prosecution cases will go though more smoothly.
FUJ00171848
FUJ00171848
AVE RELEVANT KELS BEEN CREATED OR UPDATED?
Ht was not felt that a KEL was required because there are only two people in the prosecution team and they are both fully aware
lof the problem.
IMPACT ON HORIZON TO HNGX BRANCH MIGRATIONS
[there is no impact on migration to HNGx. All offices are now migrated to HNGx and so it is impossible that anything would affect
this now.
IMPACT ON TEST:
[the test team need to regression test Fast ARQs and filtering in slow ARQs. They need to run some specific tests when there are
lduplicate Horizon transactions (they should just be ignored as they are at the moment) and duplicate HNGx transactions (they will
Inow cause a Fast ARQ to fail wh d not to be the case).
us
RISKS (of releasing and of not releasing proposed fix):
tf the fix is not released then duplicate HNGx transactions will
call into question their evidence.
ntinue not to be noticed by the prosecution team which will
[there are no particular risks in releasing the fix. All QueryDLL fixes supplied re
jproblems.
ently have gone though with no reported
LIST OF LIKELY DELIVERABLES:
loueryDLL.d11
[LIST OF THE ABOVE ALREADY DELIVERED FOR THE PROPOSED RELEASE:
None.
tS? OF THE ABOVE ALREADY DELIVERED TO A RELEASE LATER THAN THAT PROPOS
lone.
LIST OF THE ABOVE LIKELY TQ BE REDELIVERED INTO THE PROPOSED OR A LATER RELEASE:
]ueryDLL-dll
[End of Response]
Response code to call type V as Category 55 -- Pending -- Live Fix Impact Supplied
fours spent since call received: 1 hours
Date: 05-Nov-2010 11:48:31 Usor:Gerald Barnes
Product HNG-X Platforms -- Audit Server (ARC) (version unspecified) added.
lDate:05-Nov-2010 11:48:36 Uscr:Gerald Barnes
product HNG-X Platforms -- Audit Workstation (AUW) deleted.
Product HNG-X Platforms -- Audit Server (ARC) updated to Subject.
bate: 05-Nov-2010 11:49:40 User:Gerald Barnes
lA new Business Impact has been adde
the Fast ARQ interface does not provide the user with any indication of duplicate records/messages.
[this omission means that we are unaware of the presence of duplicate transactions. In the event that duplicates are retrieved and
returned to POL without our knowledge the integrity of the data provided comes into question. The customer and indeed the defense
land the court would assume that the duplicates were bone fide transactions and this would be incorrect. There are a number of
high profile court cases in the pipeline and it is imperative that we provide sound, accurate records.
jbate:05-Nov-2010 11:50:36 Uscr:Gerald Barnes
[the call Target Release has been moved to Requested For -~ HNG-X 04.37
bate: 05-Nov-2010 11:52:23 User:Gerald Barne
target Date/Time updated: new value is 01/03/2011 11:41
Development Cost updated: new cost is 2 (Man Days)
[Start of Response]
Ir update the Development (ManDays) field.
[End of Response]
Ikesponse code to call type V as Category 55
Pending -- Live Fix Impact Supplied
Jbate:05-Nov-2010 11:53:24 User:Gerald Barnes
ction placed on Team:Audit-Dev, User:Gerald Barnes
JDate:05-Nov-2010 11:54:10 User:Gerald Barnes
laction has been removed from the call
JDate:05-Nov-2010 11:54:32 User:Gerald Barnes
ction placed on Team:Re1IMngmntPorum
FUJ00171848
FUJ00171848
jate:05-Nov-2010 16:13:09 User:Gerald Barnes
Product HNG-X Platforms -- Audit Server (ARC) (version unspecified) added.
IDate:08-Nov-2010 11:28:53 User:Tyrone Cozens
[the call Target Release has been moved to Targeted At -- HNG-x 04.37
JDate:08-Nov-2010 11:28:56 User: Tyrone Cozens
laction has been removed from the call
[Date:08-Nov-2010 11:29:07 User: Tyrone Cozens
Jauthorised for 04.37 as agreed with RMF members.
Date:08-Nov-2010 12:34:48 User:Gerald Barnes
f'arget Date/Time updated: new value is 30/03/2011 11:41
[Start of Response]
A fix has been prepared. It just needs merging into the source in VSS, some additional regression testing and handing over.
[End of Response]
lkesponse code to call type V as Category 46 -- Pending -- Product Error Fixed
fours spent since call received: 1 hours
JDate:24-Nov-2010 16:45:20 User:Andrew Mansfield
Sarah Selwyn has requested an audit maintenance release prior to the next DC AUDIT planned release due to go live on 14/05/2011.
rive Peaks are requested for this maintenance release: PC0205805, PC0205806, PC0206531, PC0206590, PC0206622.
[this is an edited version of the text of Sarah's original email to Sheila Bamber:
le would like to get these Peaks targeted ASAP since these are impacting SSC and the Litigation Support Group in their support of
the Post Office litigations. There is a risk that these teams will not be able to fulfil their OLs to the Post Office as defined
lin SVM/SDM/SD/0017 (Security Service Management: Service Description) .
je would like to request an earlier test and deployment slot for PEAKs that are causing a significant business impact on the SSC
land Litigation Support teams ? the PEAKs for earlier deployment are:
leco205805 and PC025806 - Litigation Support Group need to detect/highlight duplicate JSNs - enhancements to AUW to support
duplicate JSN detection and reporting
pco206531 - SSC ? takes too long to analyse events associated with ARQs due to the large volume of BAL events requires a change
to the filtering of financially significant vs benign events. A change to the presentation of the events to SSC is also required
to speed the proc
Sup.
eating requirements:
Jpco205805 and PC025806 ? use test files which include duplicate HNG-X transactions perform Fast ARQs which will now not fail on
Jtuplicate detection and checking the spreadsheet output which will now report overlaps and duplicates. Test Horizon ARQs with
duplicate JSN present to show duplicates ignored. Regression test for files with no duplicate JSNs both fast ARQ and filtering in
slow ARQs.
l'he BAL events reported in the event files output will now be of a smaller volume, nominated benign events will appear in the
rejects files (and this will constitute a large volume of total events) and the events spreadsheet will have a column heading at
the top of the spreadsheet. Regression test Gaps reporting is still present on spreadsheets. If time permits the workbook with a
Juumber of spreadsheets as described in the PEAK rather than by manual process by the litigation team. However, this is yet to be
confirmed.
(Since Sarah's original email PC0206590 and PC0206622 have been raised to deal with issues around the large number of events.
Pco206531 is now solely to deal with the presentation of events.)
jbate:24-Nov-2010 16:49:18 Uscr:Andrew Mansfield
ction placed on Team:ReiMngmntForum
Date: 25-Nov-2010 16:11:07 User:Tyrone Cozens
mn hold until new ‘‘Audit'' release decided (Adam Spurgeon looking into).
Dat e:03-Dec-2010 10:38:01 User: Tyrone Cozens
the call Target Release has been moved to:Targeted At -- HNG-X 03.24
Authorised for 03.24 as agreed with Mark Jepson.
JDate:03-Dec-2010 10:38:10 User:Tyrone Cozens
ction has been removed from the call
FUJ00171848
FUJ00171848
flate:03-Dee-2010 11:41:12 User:Gerald Barnes
target Date/Time updated: new value is 24/12/2010 11:41
[Start of Response]
fix will now be prepared and tested. It will then be stored in VSS-InfDom. It will be handed over on the 24th December
[End of Response]
Response code to call type V as Category 40 -- Pending -- Incident Under Investigation
jDate:14-Dec-2010 1
{Start of Response]
It has now been decided that the detection of duplicate HNGx messages will not terminate the FAST ARCs. Duplicates will be logged
by QueryDLL at the server initially in QueryHandler.log and eventually in the close log both for Horizon and HNGx transactions.
jbuplicate HNGx transactions will also be logged by the client in its spreadsheets but duplicate Horizon transactions will be
eliminated at the server silently since they are known always to be benign.
[End of Response]
lkesponse code to call type V as Category 46 -- Pending -- Product Error Fixed
Hours spent since call received: 4 hours
8:50 Uscr:Gerald Barnes
Date:22-Dec-2010 10:48:52 Uscr:Gerald Barnes
Reference Adde 590
Jatc:22-Dec-2010
Reference Added:
9:17 User:Gerald Barnes
PCO2OG622
Date:22-Dec-2010 10:49:37 User:Gerald Barnes
Reference Added:
jbatc:22-Dec-2010
Reference Added:
pate:22-Dec-2010 1
[Start of Response]
It add a test report for this PEAK and the four associated PEAKs PC0206590, PC0206622, PC0206697 and PC0206827.
[End of Response]
Response code to call type V as Category 46 -- Pending -- Product Error Fixed
Hours spent since call received: 37 hours
1:49 User:Gerald Barnes
Jbate:22-Dec-2010 1
evidence Added - Test
2:44 Uscr:Gerald Barnes
[Date:29-Dec-2010 1:
Reference Added: Product Baseline AUDIT EXTRACT SVR_0324 v056
Reference Added: Product Baseline AUDIT EXTRACT SVR_0324 V056-V055
date: 29-Dec-2010 12:41:58 User:Gerald Barnes
[Start of Response]
Fixed by version 4.1.0.1 of NWB Legato Rec
JAUDI'T_ EXTRACT SVR_0324 V056-V055.
[End of Response]
Response code to call type V as Category 46 -- Pending -- Product Error Fixed
liours spent since call received: 4 hours
ver-exe and version 4.0.0.4 of QueryDLL.dll handeed over in
jDate:29-Dec-2010 12:42:13 Uscr:Gerald Barnes
[the Call record has been transferred to the team: Dev-Int-Rel
jbate:31-Dec-2010 08:05:04 User:PIT Automated User
Reference Added: Product Baseline AUDIT EXTRACT SVR_0324 D056-D055
Date:05-Jan-2011 08:28:27 User:Lionel Higman
{Start of Response]
[End of Response]
Response code to call type V as Category 49
[the Call record has been transferred to the team: Live Support Team
[fhe Call record has been assigned to the Team Member: Unassigned
jDate:11-gan-2011
Added:
6:55 User:Victoria Hancock
AK PCO207465
lReferen
Date:49-dan-2011 14:16:04 User:John Rogers
{Start of Response]
lfested in LST as part of Audit Release 3.24
lbuplicate message sequences are now recorded in the Query Handler and Closure (RFI) log files, for both Slow and Fast ARQs.
FUJ00171848
FUJ00171848
[End of Response]
Response code to call type V as Category 60 -- Final -- S/W Fix Available to Call Logger
outing to Call Logger following Final Progress update.
lbefect cause updated to 7 -- Design - High Level Design
JDate:19-Jan-2011 15:03:29 User:John Rogers
[fhe Call record has been transferred to the team: Live Supp.Test
fhe Call record has been assigned to the Team Member: Release to Live
Date:16-Mar-2011 15:20:06 Usor:Mark Ascott
the Call record has been transferred to the team: RM-x
bate:27-Apr-2011 16:02:21 User:John Budworth
{Start of Response]
lapplied to live 03/02/2011 as part of Audit Release 03.24.
[End of Response]
Response code to call type V as Category 60 -- Final -- S/W Fix Available to Call Logger
touting to Call Logger following Final Progress update.
Date: 27-Apr-2011 16:04:51 Uscr:Penny Thomas
CALL PC0205805 closed: Category 60 Type V
Root Cause Design - High Level Design
Logger Deleted User -- Security Ops
Subject Product — HNG-X Platforms -- Audit Server (ARC) (version unspecified)
Assignee Deleted User -- Security Ops
Last Progress 27-Apr-2011 16:04 -- Penny Thomas