The Reg produces exhibit A1: A UK court IT system running Windows XP

Plus thousands of laptops on unloved Windows OS used by Ministry of Justice, it admits


Exclusive: A critical crown court IT system and thousands of laptops used by the UK's Ministry of Justice run on Microsoft's obsolete and unsupported Windows XP operating system, The Register can reveal.

As recently as March 2019, the ministry was paying hundreds of thousands of pounds for a VPN to support 2,000 Windows XP laptop users – news that comes as the department admits that a critical court IT system is also running on XP boxen.

Rumours began circulating on Twitter last week after a barrister wondered whether the criminal courts' DARTS audio recording system was running on Windows XP.

Ben Rowe wondered aloud whether something he was told in court about the use of XP, the obsolete Microsoft operating system for which all updates ended years ago, was true.

The Register asked the MoJ whether this rumour, as well as a similar one about the XHIBIT court listings system, was true. We also asked whether the ministry is paying Microsoft for an extended support licence. Such a licence would mean that even though general updates – including critical security patches – for Windows XP ended years ago, the MoJ was still receiving upgrades for the elderly OS.

Yet when looking at public MoJ spending data for the first half of 2019, El Reg was only able to find a £600,000 payment to Vodafone described as "cost of providing secure Virtual Private Network to 2,000 Windows XP laptop users" made in March last year. There were no entries in spreadsheets examined by The Register for payments directly to Microsoft.

A ministry spokesman would only say: "We are in the process of upgrading our courts' computer systems. We have robust security in place as well as a specialist team constantly checking for threats."

He did, however, tell El Reg that while the MoJ wasn't going to discuss specifics, one of the two court systems was running on Windows 10 machines – and the other is said to not be internet-facing. XHIBIT is used to generate public court listings data to show which cases are being heard in crown courts every day.

Apart from the obvious, what does this mean?

Twitter personality CrimBarrister, a practising criminal lawyer, explained for El Reg what a hack against either of DARTS or XHIBIT would mean. DARTS was first introduced in the late 2000s to replace human stenographers; the last stenography contract ended in March 2012.

"On a very basic level if DARTS isn't functioning at all – say it's down due to a [denial-of-service] hack – then that court room can't sit unless they brought in a manual stenographer," explained the barrister.

CrimBarrister continued: "If someone hacked into DARTS for content, then potentially evidence or legal argument which was for some reason being given in private could be published when it shouldn't be, or evidence being given in court could be passed to a witness who shouldn't get to know in advance what another witness had said, or to, for example, criminal associates."

Crown courts in particular are full of legal arguments about whether evidence gathered by police should be revealed to juries. A criminal wanting to disrupt an ongoing trial could access DARTS and publish a recording about a piece of evidence which was ruled out by the judge. If the jury heard that argument, the entire trial would have to be abandoned.

The barrister concluded: "Like many of the issues facing the crown courts these days, it seems the technical security and integrity of important systems like the recording of trial evidence as it is being given is being left wide open to hacking and interference simply due to a lack of funds to make simple updates to the system."

Jonathan Black, a past president of the London Criminal Court Solicitors' Association, told The Register: "It is bizarre that the MoJ and HMCTS have at best taken their eye off this ball," adding: "Too often we receive communications from the CPS asking us to delete information containing personal information that were served unintentionally, yet vulnerable individuals unknowingly have their sensitive details available online."

Last year The Register revealed that a core plank of the MoJ's Common Platform Programme, intended to introduce sweeping new IT-based reforms to the courts, had been shelved. Before that the National Audit Office had given the MoJ a thorough dressing-down for its plans, which were based in part on making thousands of redundancies to save money. ®
