[Trustee] Theft from the Large Safe


Henry Sands

Jan 24, 2017, 11:05:47 AM
to London Hackspace
2 months ago the key to the Large Safe was reported missing. Today we hired a safe cracker to open it and re-key the lock; during this we found that the safe had been emptied of all money. The money that was stored was a mixture of Donations, Club Mate payments and Laser Cutter fees. The total stolen equates to multiple thousands, though we're not 100% sure of the figure quite yet.

If anyone has any information or knows anything regarding this, please contact the Trustees at Trus...@london.hackspace.org.uk. Any information or details provided will be held in the strictest confidence.

Since the key went missing and we suspected possible theft, we have restricted key access to trustees and will be continuing to maintain a higher level of security. We were also in the process of completely overhauling the space's cash handling process, which is obviously more important now.

Kind regards,
Henry.
On Behalf of the London Hackspace Trustees.

Peter "Sci" Turpin

Jan 24, 2017, 11:51:28 AM
to london-h...@googlegroups.com
Sad to see the suspicions confirmed. Though since someone also drilled
out the hinges on the metal cash box some months ago it's not surprising
that it's escalated.

henry.best1%...@gtempaccount.com

Jan 24, 2017, 12:30:53 PM
to London Hackspace
Sorry to hear about the theft of so much money. Have the police been informed? I guess that we aren't insured for that loss.
Would it be a good idea to get a safe that needs two different keys to open it? By giving trustees only one key each, it would mean that two trustees would be needed to open it (inconvenient, I know, but better safe than sorry.). That way, the loss of one key would not totally compromise the security of the safe and the loss of two keys would be very unlikely.
Having once been the keyholder of a safe containing several million pounds worth of stuff, my sympathies go out to the keyholder that lost the key. I know how I would have felt if I had lost my key and it had resulted in the theft of those monies.

Mark Steward

Jan 24, 2017, 12:40:55 PM
to london-h...@googlegroups.com
The key was stored in a keysafe to which at least 22 people knew the code. Restricting it to trustees again (done as soon as the key was reported missing) will have significantly improved security.


Mark

--
You received this message because you are subscribed to the Google Groups "London Hackspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to london-hack-space+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Mentar .

Jan 24, 2017, 1:19:44 PM
to london-hack-space
This is a really sad state of affairs :(
Whoever did this must be one sad or desperate human being

On 24 January 2017 at 17:40, Mark Steward <marks...@gmail.com> wrote:
> The key was stored in a keysafe to which at least 22 people knew the code. Restricting it to trustees again (done as soon as the key was reported missing) will have significantly improved security.
>
> Mark

Peter "Sci" Turpin

Jan 24, 2017, 6:22:54 PM
to london-h...@googlegroups.com
I presume that 22 people were given keysafe access due to the bottleneck
of only directors having access to certain things. Perhaps we actually
need two keysafes? One for high-value access and one for more mundane
access?

On 24/01/2017 17:40, Mark Steward wrote:
> The key was stored in a keysafe to which at least 22 people knew the
> code. Restricting it to trustees again (done as soon as the key was
> reported missing) will have significantly improved security.
>
>
> Mark

Tom Lynch

Jan 25, 2017, 5:27:52 PM
to London Hackspace
Trustees, don't take this the wrong way, we live and learn in these matters, however I have to ask this:

Why is Hackspace storing this much money on site and not banking it periodically? Surely there is no urgent need for cash in that volume that couldn't come as a banker's check or debit card payment, etc.

Having worked at a supermarket cash room, the maximum till float was £100 before we posted it to the cash room, and the cash room was capped at £5k before it was dropped in the Securicor safe which we couldn't access, that was collected every day or two.

For a store with 16 checkouts doing low £10,000s in trade every day to be able to manage cash back, and change with a £5k floor limit it seems hard to justify why Hackspace would have needed 'multiple thousands' in cash rather than in the bank.

Is this something that will change in future, or was there a specific reason?

tgreer

Jan 25, 2017, 5:44:50 PM
to London Hackspace
It's hard to carry that much coinage to the bank. We don't happen to have a Cash Room and a Securicor safe on site.

Tom Lynch

Jan 25, 2017, 5:59:55 PM
to london-h...@googlegroups.com
Sure I appreciate that.

My point wasn’t that you’d follow the supermarket system, but that in a situation where they have all these safeguards they hold low thousands, but in the situation of a place where workshops are run regularly on lock picking, there are no staff, and all the tools are present to break in, let alone a separate issue of a lost key, it seems very unwise to hold substantial amounts of cash.

It seems less likely but still possible for this to happen again and if it was <£250 it wouldn’t seem so devastating as losing what I presume by the description was £1,000+; that’s serious money towards fixing, upgrading or replacing things for the space.

Second to that, would having an online payments page be both more convenient and safer? Donations via Stripe, GoCardless etc., or even just one of those basic gadgets in the space for paying with a cheap tablet.

The point of the email was: is there a reason for the cash to be kept there other than practicality of having someone bank it? Whether it be bags of coins, or a stack of £50s, it means someone has to find time to go to a bank and feel safe doing that. Could it be deferred through other methods like card payments or online transactions, which lose a small percentage but are safer and less work to bank if and when that does happen?

Anyways, just thoughts and ideas.


henry.best1%...@gtempaccount.com

Jan 25, 2017, 8:23:52 PM
to London Hackspace
Tom,

Whilst I agree with most of what you said, I can see the difficulty in getting cash safely to the bank. 

It can only be someone with access to the account that pays it in, as the banks are legally obliged to question large payments into a third party's account, due to 'money laundering' regulations. 'Paying in books' are a thing of the past. The banks want your card and PIN. Without those they will usually refuse to accept the payment, especially if a large amount of coinage is involved.

There should, for security reasons, also be someone accompanying the payer, to be an independent witness should there be a robbery.
"I wuz robbed!", with no witnesses, could be questionable! Not that I would accuse anyone of doing that.

The difficulty is, therefore, getting a person with access to the account and some other trusted person together during the time that the bank is open in our rather ad hoc group of members. Also, the times and days these deliveries are made should be as random as possible to avoid setting a pattern.

Henry Best.

DomK

Jan 26, 2017, 1:44:42 AM
to London Hackspace
This is a really shirty situation for someone in the space to do this. If the perpetrator/s happen to be reading this, I hope you are caught.

Tim Reynolds

Jan 26, 2017, 3:47:39 AM
to london-h...@googlegroups.com

Lots and lots of people have suggested using gocardless/stripe for payments but no one is willing to spend the time implementing it.


Tom Lynch

Jan 26, 2017, 2:48:29 PM
to London Hackspace
I know their API pretty well and can implement it, I wrote the entire membership system for South London Makerspace.

Mark Steward

Jan 26, 2017, 3:28:29 PM
to london-h...@googlegroups.com
So do it. Everything's on git.


Mark

On Thu, Jan 26, 2017 at 7:48 PM, Tom Lynch <m...@unknowndomain.co.uk> wrote:
> I know their API pretty well and can implement it, I wrote the entire membership system for South London Makerspace.


Tom Lynch

Jan 26, 2017, 3:39:54 PM
to london-h...@googlegroups.com
Mark,

I’ll be honest that attitude is really hostile and doesn’t incentivise someone to spend time on it.

However, I am willing to work on this, but I have no idea how the systems that exist currently work, and how it might be best implemented, i.e. a standalone page for grabbing payments or integrated into something.

If someone at Hackspace who does the infrastructure wants to talk to me about it then I’ll look into it, but I am not going to just make assumptions about what is wanted and needed and write the code to find out it isn’t fit for purpose.

Also someone, maybe a trustee, needs to set up a GoCardless account with a dev login for me so I can work on it.

I realise people on mailing lists tend to spuriously say things without putting their money where their mouth is, but I am willing to help not just sit from the sidelines arm waving saying do this and that.

I am not a member of Hackspace any more, and have only visited the place about 5 times in its existence since Shoreditch so I am not familiar with the process people have for donating/contributing/etc…

I am aware also that Russ mentioned a need for it integrated into the membership system you guys wrote, this might be possible too, but again, rather than having to sit down and look at a code base I’ve never seen and understand it, someone could meet me for a coffee to help explain the basic structure and what not.

Anyways, if someone emails me directly I will look into it, but otherwise I am sorry to hear money was taken.

Tom


Adrian Godwin

Jan 26, 2017, 3:51:32 PM
to london-hack-space
On Thu, Jan 26, 2017 at 8:39 PM, Tom Lynch <m...@unknowndomain.co.uk> wrote:
> Mark,
>
> I’ll be honest that attitude is really hostile and doesn’t incentivise someone to spend time on it.

I don't think you should take it that way. It's how we do things: your comment that suggested you could do it was a big improvement over the usual 'why don't "we"' and Mark has merely said that it's all out there: nothing to stop you if you want to.

I totally agree with your other comments, though. It makes sense to be sure of the requirements before you start coding.
 

Tom Lynch

Jan 26, 2017, 3:52:58 PM
to london-h...@googlegroups.com
Then I apologise for misunderstanding Mark.

Mark Steward

Jan 26, 2017, 4:10:38 PM
to london-h...@googlegroups.com
No problem and sorry for not putting it better. I also meant Github (it's all PHP currently):


We have a problem that all our developers are generally busy with unrelated projects and I'm still trying to find time to sort out Discourse and the vending machine code. So I'm more than happy to sit down with you or anyone else and explain how anything works if it means we get more people involved. I suspect there are people out there who are tentatively willing to help, but maybe don't have the confidence or sense that it's necessary to put themselves forward.

I'm not sure GoCardless will help that much with the laser cutter payments or Club Mate money (although Stripe might). I think the best way to fix it is to pay the cash in regularly, which unfortunately means taking up someone's time on a recurring basis.


Mark



Adrian Godwin

Jan 26, 2017, 4:19:00 PM
to london-hack-space
Is there any method of paying in that uses a shop-based scheme, like Paypoint? Maybe it's possible to just take the cash to a nearby corner shop.

Tom Lynch

Jan 26, 2017, 4:23:12 PM
to london-h...@googlegroups.com
I haven’t touched PHP for a long time outside of WordPress themes and plugins, so I can have a look but I am not sure if my skills are up to the challenge without blindly putting security holes in your system.

I could look into Stripe also, never used it, would you want it to associate with the user or just be a standalone payments site? The latter is more likely to happen and faster because I can knock that up with code from Makerspace and use Node.js which I am more familiar with now.

However if not I can poke about the membership system you already have, but it will need a code review.

Kind Regards


Tom Lynch


henry.best1%...@gtempaccount.com

Jan 26, 2017, 4:46:51 PM
to London Hackspace
Tom,

As nobody else has said it, thanks for your kind offer of help in this.

Henry

Tom Lynch

Jan 26, 2017, 4:48:32 PM
to london-h...@googlegroups.com
No problem, I haven’t done anything yet.

Mark: Looking at the GitHub looks like Russ started the GoCardless integration back in 2014, but never finished it, any idea how far he got?

How does the system reconcile payments and expiration dates?


Ryan

Jan 26, 2017, 5:03:45 PM
to London Hackspace
I'm really sorry to hear this has happened.

I've been working on integrating a bunch of stuff (laser payments, accounting and membership tracking, access control, etc) at Reading for a while now, once there's something to show for it I'm sure we can share it. 

Good luck with your hunt for the contents of the safe, that really sucks. 

R

Jan Szumiec

Jan 26, 2017, 5:23:35 PM
to london-h...@googlegroups.com
No one really wants to touch PHP - that is the problem.

Tom Lynch

Jan 26, 2017, 5:27:27 PM
to london-h...@googlegroups.com
I’ve had a look, it’s not too bad, I was worried it would be based on a really intense framework.

I mean, insert name of any language no one wants to touch if it’s not their workflow.

We chose Node.js as that’s what I know after maintaining our old system, and then someone else came along and suggested Perl and half a dozen other languages, but then no one wanted to work on that either, so it got made by me entirely based on what I knew and was interested in.

Kind Regards


Tom Lynch


JJ

Jan 26, 2017, 5:46:40 PM
to London Hackspace
If the problem is the volume of coinage, the average pub or corner-shop will bite your arm off to change it into twenties.  I'd change £100 of coins every time I'm at the space for a micropub that's opened near me that has no card facility.

Peter "Sci" Turpin

Jan 26, 2017, 6:48:14 PM
to london-h...@googlegroups.com
That would certainly cut the Gordian knot. We'd still have to physically
deposit it, but it'd be far less physically taxing.

Calum Nicoll

Jan 26, 2017, 7:45:14 PM
to London Hackspace
If carrying it in is physically a problem, I frequently carry large weights of coins to banks and would happily do this for the hackspace once a month or so - I have facilities to transport up to maybe 50kg of coins by foot and enjoy the exercise.  Need someone to accompany for security/accounting though I'd think but I am pretty available in the daytime.   

Though based on past experience, loose change typically 20/30kg per £1000 and I'd be surprised if we get more than that a month - but happy to be proved wrong - anyone know rough figures of coin value/month?

Aden

Jan 26, 2017, 7:56:03 PM
to london-hack-space
The myth that nobody wants to touch php.. half the web is in php. It's because nobody can be bothered.

Russ Garrett

Jan 27, 2017, 7:05:07 AM
to London Hack Space
On 26 January 2017 at 21:48, Tom Lynch <m...@unknowndomain.co.uk> wrote:
> No problem, I haven’t done anything yet.
>
> Mark: Looking at the GitHub looks like russ started the GoCardless
> integration back in 2014, but never finished it, any idea how far he got?

The plan was to move the payment system over from PHP to python at the
same time. I know there are people who are avoiding working on this
stuff because it's PHP, so I'd quite like not to build major new
features in PHP.

The ticket is here:

https://github.com/londonhackspace/hackspace-foundation-sites/issues/67

--
Russ Garrett
ru...@garrett.co.uk

Tom Lynch

Jan 27, 2017, 7:06:13 AM
to london-h...@googlegroups.com
I’ve never touched Python so if that is still the case I can’t help with that I am afraid.

Kind Regards


Tom Lynch

David Sullivan

Jan 27, 2017, 6:30:43 PM
to London Hackspace
On Thursday, 26 January 2017 01:23:52 UTC, henry.best1%...@gtempaccount.com wrote:

> It can only be someone with access to the account that pays it in, as the banks are legally obliged to question large payments into a third party's account, due to 'money laundering' regulations. 'Paying in books' are a thing of the past. The banks want your card and PIN. Without those they will usually refuse to accept the payment, especially if a large amount of coinage is involved.

This isn't correct, Bethnal Green Barclays has had no issue paying cash up to about 500-600 pounds when paying into the Hackspace account (up till late 2015 anyway). They also have/had a coin sorting machine (with no extra fee) for paying in unsorted coinage.

> There should, for security reasons, also be someone accompanying the payer, to be an independent witness should there be a robbery.
> "I wuz robbed!", with no witnesses, could be questionable! Not that I would accuse anyone of doing that.
>
> The difficulty is, therefore, getting a person with access to the account and some other trusted person together during the time that the bank is open in our rather ad hoc group of members. Also, the times and days these deliveries are made should be as random as possible to avoid setting a pattern.

All these extra systems haven't been holding people back, it's just not been done.

Sully.
