The British Library URL has been offline due to cyberattack for 10 days (bl.uk)
189 points by sph on Dec 18, 2023 | 126 comments



It's been out since October

https://www.theguardian.com/books/2023/oct/31/british-librar...

And affecting far more than their public website - including everything from personnel records to payments to authors

https://www.thetimes.co.uk/article/7f2b670a-f52a-4f88-b6d4-d...



Extensive input from the BPL blog 15Dec:

https://blogs.bl.uk/living-knowledge/2023/12/knowledge-under...

Edit: They were legally forbidden to pay the £600,000 ransom.


> They were legally forbidden to pay the £600,000 ransom.

That should have been the case for all ransoms everywhere.


Why do you think that's NOT the case? Is it a Chernobyl type situation or is there something else I'm missing (lack of technical literacy or refusal to hire apropos consultants in the public interest?)


Hospitals have been attacked and lives have been at risk (or people died, pretty sure there are articles on this) - paying a ransom could be okayish in this case.


In that case, hospitals would become the only profitable targets for criminals... not sure that leads where we'd like it to.


Don't you think if hospitals are carved out as an exception that the incentive structure basically guarantees hackers only really target hospitals tho?

Not really sure what I'm trying to say here [blush]


I am aware of this. Come on, we are on an IT board here.

But do you really think most voters and politicians understand this? If people are dying, money is always seen as a quick solution, and who are we to blame?


But they pay "ransom" to Microsoft.


The Toronto (Canada) public library has been out since October due to a cyberattack. Maybe they went on a library attack spree. Awful.


London Ontario too

https://www.computing.co.uk/news/4157407/ontarios-london-pub...

https://www.cbc.ca/news/canada/london/cyber-incident-behind-...

Seems odd there's so many libraries being attacked at the same time, I wonder if there's some common software used at the entry point, although the British Library is somewhat different to a normal public library.


Meanwhile, the Ministry of Justice proposes a destructive digitisation of its archive of a couple of centuries worth of wills.

https://twitter.com/MoJGovUK/status/1735642204809351595


Can you clarify what is destructive?

Is there a reason the originals need to be kept, like for some kind of chemical analysis?

Or should descendants be allowed to claim them, and the rest auctioned off?

Especially for something as generally mundane as wills, it's not obvious to me why high-resolution scans don't suffice for all future historical, legal, and archival purposes.


From the site explaining what is to be done:

"Currently about 110 million physical documents are stored costing taxpayers £4.5 million per year. The consultation is seeking views on keeping hard copies for about 25 years, in recognition of their sentimental value to families, while saving them digitally longer term."

https://www.gov.uk/government/news/easier-access-to-historic...

I was wrong to call the _process_ destructive, but I disagree with the proposed disposal policy.


There's a ton of historical and anthropological reasons to keep the physical copies of artifacts like this.

I dream of a day when genetic sequencing is so affordable and trivial, that we can analyze records like this for DNA from people and other organisms that came to be deposited on these pieces of paper.

Imagine the possibilities of sequencing the genomes of all the people who left genetic material on these wills and what that could tell us about society and people who lived in it.


Is that scientifically plausible?

I'm ignorant here -- does simple handling of paper leave a genome's worth of DNA? Is it probable that even a single skin cell was deposited, for example, and that its DNA would remain intact enough?

My impression was that in handling papers, we leave skin oils behind but generally not any cells. I'm happy to be wrong about this, though.


Think of how many people lick their digits before thumbing paper, or have small cuts that leave blood on paper when they touch it, or who sneeze on paper.

There's DNA on everything, and the ancient DNA on papers stored in an archive will one day be very valuable.


Even in a restricted context (the apparent documented information), hard copies have advantages over digital copies under two considerations.

First, they survive technological obsolescence. Consider how even reading a floppy disk is a huge pain in the ass for most people today. Now stretch the time frame.

(Some might say that all you need to do is copy the contents to a new medium when upgrading. Sure, you can do that, but it has a migration cost, and perhaps some risk. It's not a freebie. Compare that to keeping around hard copies.)

Second, they have historically been less ephemeral. Sure, we have durable, write-once media out there that manufacturers claim will last thousands of years (we'll see in...thousands of years), but that's rare.

For important stuff, you should a) keep the hard copy, b) make a digital copy, and c) create backups. You have the option of migrating or reingesting the original source material, at least.


Hard copies have significant risks themselves - They're vulnerable to misfiling, to mishandling, and perhaps most importantly, destruction - By natural disaster or human hands.

A well organized archive can have much more redundancy, including georedundancy, for the same price. Further, it can have massively redundant metadata - Imagine if we had a reasonable checksum of every document in the archives of everyone who was interested - And then in the event the main archive was lost or offline, we could have a verified reconstruction from the archives of people who had copies of the metadata and partial copies of the data.

https://www.archives.gov/personnel-records-center/fire-1973
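
The checksum idea in the comment above, worked through as an added example (not part of the thread): independent holders keep copies of a SHA-256 manifest plus partial copies of the documents, and the archive is rebuilt only from copies that match a manifest most holders agree on. All names and the sample "wills" are constructed for illustration.

```python
import hashlib
import json
from collections import Counter


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(archive):
    """Map document id -> SHA-256 of its bytes: the small metadata anyone can hold."""
    return {doc_id: sha256_hex(body) for doc_id, body in archive.items()}


def manifest_digest(manifest):
    """Digest of a canonical serialisation, so equal manifests compare equal."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode("utf-8"))


def agree_on_manifest(manifest_copies):
    """Return the manifest held by a strict majority of holders, else None."""
    if not manifest_copies:
        return None
    counts = Counter(manifest_digest(m) for m in manifest_copies)
    digest, votes = counts.most_common(1)[0]
    if votes * 2 <= len(manifest_copies):
        return None  # no strict majority: nothing can be trusted yet
    return next(m for m in manifest_copies if manifest_digest(m) == digest)


def reconstruct(manifest, holders):
    """Rebuild from partial copies, accepting only bytes that match the manifest.

    holders: {holder_name: {doc_id: bytes}}
    Returns (recovered, rejected, missing).
    """
    recovered, rejected = {}, []
    for holder, copies in sorted(holders.items()):
        for doc_id, body in copies.items():
            expected = manifest.get(doc_id)
            if expected is None:
                rejected.append((holder, doc_id, "not in manifest"))
            elif sha256_hex(body) != expected:
                rejected.append((holder, doc_id, "checksum mismatch"))
            else:
                recovered.setdefault(doc_id, body)
    missing = sorted(set(manifest) - set(recovered))
    return recovered, rejected, missing


# --- constructed sample data -------------------------------------------------
ORIGINAL = {
    "will-0001": b"I leave my books to the parish library.",
    "will-0002": b"I leave my house to my eldest son.",
    "will-0003": b"I leave ten pounds to each grandchild.",
    "will-0004": b"I leave my tools to my apprentice.",
}
MANIFEST = build_manifest(ORIGINAL)
TAMPERED_MANIFEST = dict(MANIFEST, **{"will-0002": sha256_hex(b"forged")})
MANIFEST_COPIES = [dict(MANIFEST), TAMPERED_MANIFEST, dict(MANIFEST)]

HOLDERS = {
    "holder-a": {"will-0001": ORIGINAL["will-0001"],
                 "will-0002": ORIGINAL["will-0002"]},
    "holder-b": {"will-0002": b"I leave my house to a stranger.",  # altered copy
                 "will-0003": ORIGINAL["will-0003"]},
    "holder-c": {"will-0003": ORIGINAL["will-0003"],
                 "will-9999": b"stray file"},                      # unknown id
}

if __name__ == "__main__":
    trusted = agree_on_manifest(MANIFEST_COPIES)
    recovered, rejected, missing = reconstruct(trusted, HOLDERS)
    print("recovered:", sorted(recovered))
    print("rejected: ", rejected)
    print("missing:  ", missing)
```

The majority vote only protects the manifest if the holders are independent; a manifest that is also signed by the archive would remove that assumption.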


I think I would challenge both of these points:

> First, they survive technological obsolescence. Consider how even reading a floppy disk is a huge pain in the ass for most people today.

Most paper hasn't survived technological obsolescence, because it hasn't survived at all. Nobody's keeping anything on floppies, everything's migrated as you say:

> but it has a migration cost, and perhaps some risk. It's not a freebie.

Nobody's saying it's a freebie, but it's a heckuva lot cheaper than running massive physical warehouses and libraries and museums with security guards and fire suppression systems and everything. And no, there's virtually no risk when you're always keeping distributed backup copies. We use checksums and things to prevent data corruption.

> Second, they have historically been less ephemeral.

Again, no -- hard copies have historically been far more ephemeral. Remember what happened to the Library of Alexandria? Hard copies are susceptible to fire, war, economic disintegration, and so forth.

Digital copies can both have plenty of geographically distributed official backups made and maintained, and also be open to personal backups as well if desired.

Keeping hard copies around seems like far more expense for zero benefit -- at least for things that don't have sentimental/museum value.


> Sure, you can do that, but it has a migration cost, and perhaps some risk. It's not a freebie. Compare that to keeping around hard copies.)

There is a bigger risk with hard copies since they are unique, and storing them is more expensive, so in neither of those points the simple fact that there is a risk and a cost means much, no option is a freebie



Of course.


Decentralised storage could be pretty cool for this, no?


Not if it’s destructive. Not entirely sure what the procedure is to digitize them but if the original is lost in the process, no amount of digital decentralization will help that and there are plenty of good arguments against relying on digital storage solutions for long term data storage. They’re just not long term enough (yet)


Idk, it's likely very expensive to maintain the physical copies. It's easy to say that the government should just do everything, but spending money to maintain an archive that probably is very rarely used isn't a good use of limited money. Digital copies aren't always infinitely durable, but they can be copied exactly which is something that can't be done with paper and honestly I'd guess more durable than a paper archive with the same amount of money being spent


In order to make digital data durable, you have to store it on cassette tape. This has the same issue as physical stuff in the sense that you have to wait for it to be recalled before you can access its data, which is why tape is normally only used for backup. So they'd have to have two digital copies, paying twice the price, one for prod and one for backup. At this point when it comes to managing that, we've already exceeded the ops competencies of most tech industry teams, let alone a homeless shelter. They're really much better off just leaving the wills as they are.


Yeah, but even three copies of stuff digitally is cheaper to maintain because we can pack the data so much denser, and replicating it to newer media is so much faster.


Or you can pay aws 54 U.S. dollars a month maybe as much as 100x that and it still comes out much cheaper than a large space and staff to manage digital files. Maybe to be safe keep some magnetic tapes around too


> Idk, it's likely very expensive to maintain the physical copies.

Maintaining a large paper archive is almost free in the grand scheme of things. The UK (and pretty much every single other Western nation) has an absolute ton of abandoned bunkers, silos and mines that were intended for Cold War disaster management. Most of them were built to very high standards in locations that won't flood or degrade significantly even if left cold and dark.

Using them for archive storage is trivial.

This seems like a very poor decision. We're seeing vulnerability after vulnerability pour in this year in just about every single OS out there and yet they think something like this is a good idea?

The UK government appears to be trying to shut the country down without anybody noticing until it's too late; it's very weird to watch.


> The UK (and pretty much every single other Western nation) has an absolute ton of abandoned bunkers, silos and mines that were intended for Cold War disaster management. Most of them were built to very high standards in locations that won't flood or degrade significantly even if left cold and dark.

Here in Germany, a lot of our old bunkers are effectively gone, unusable to a point where you'd need to entirely rebuild them. And that's after just 30 years... bunkers also need maintenance, because otherwise rot and mold will set in.


Paper will be destroyed, eventually, in the presence of incorrect humidity levels. It’s just a matter of when.


Yes, you have to maintain the environment but these bunkers and facilities were designed with that factor taken into consideration.

Yes, it isn't zero-effort, you can't just chuck your papers down a mineshaft and come back for them 50 years later, but it isn't in any way an insurmountable problem.


Any sort of modernization work in these bunkers is extremely expensive because of their underground construction, and most have very poor humidity control because of water seepage. "Poor humidity control" is a bit of an understatement, many Cold War bunkers will fill with water over a course of days if power to the dewatering pumps is interrupted. It's really not nearly as practical as people like to think to reuse them. Consider the case of AT&T, which owns a vast fleet of underground bunkers and keeps replacing them with a surface building on the same site because it is simply unaffordable to maintain and modernize them. New electrical service, for example, requires excavation and a ton of coring thick concrete. The costs add up fast, every little thing is more complex and more costly underground.

Fire, one of the biggest concerns in archival practice, is also much harder to manage in underground facilities. Document archive facilities are designed as distinct fire cells to mitigate the risk, and incorporating these features into bunkers would likely require rebuild from scratch. Refrigerant fire suppression systems are difficult to install because of inadequate evacuation routes; Cold War era underground facilities rarely have more than one staircase and one ladder (and the ladder shaft might be full of sand!).

The disused military bunkers of the United States are littered with failed document storage companies that have been unable to sufficiently retrofit them for this use. Seriously, I would guesstimate as many as one in six former ICBM silos was, at some point, owned by one of these operations. More than one per field usually. Almost none have succeeded, and the exceptions have the appearance that they are more hobby projects than viable services. In most cases they didn't even finish stripping the old equipment, which is a very costly process since it has to be cut up underground to hoist out.


We have a number of old salt mines. Or would they be too dry?


I don’t know the humidity of salt mines. I just know that paper is a weak format for permanent storage. Chiseled stone lasts far longer, possibly forever in the right conditions, but it’s impractical for records.

Perhaps records only need to last lifetime + 70. That should make storage concerns a lot easier.


There are costs other than volume of course, but if most wills are five or six sheets of paper then you can pack a million of them into one shipping container.

A4 is 1/16th of a square metre, so on 80gsm paper with a density of 1.2x water, 1MW (mega will) is about 25m³. An ISO standard TEU shipping container has a volume of about 30m³.

If you spaced everything out 10x you’d still only need 650 containers for all of the UK. That’s about 3% of the volume of a regular container ship, or roughly the number of containers you might see in a Hollywood standard bad guy dockyard confrontation movie scene.


You can’t just put paper in a shipping container and expect it to last longer than a few years.


Or you could put it all in like 15 terabytes and store it for like 54 U.S. dollars a month in s3 or buy a few big hard drives


no!


I visit the British Library often. It's a great place to work if no meetings are on your schedule that day. The library has been noticeably quieter the past few weeks. Perhaps it's the time of year, but many individuals use the library for researching family histories or accessing esoteric items in the catalogue. I hope this is resolved soon. Public libraries are a really wonderful utility.


I love libraries. The only other quiet public place I can think of is churches and working your remote job from churches is frowned upon.

Now that I mention it, churches should totally host remote working spots.


Speaking of Churches, the Swedish Church [1] is currently also down for similar reasons.

[1] https://www.svt.se/nyheter/lokalt/dalarna/svenska-kyrkan-bek...


Are attacks like this—ransomware—always aimed at Windows-based systems? Is that the common denominator?

I've noticed that most Internet attacks are Windows-based but somehow "Microsoft" or "Windows" never makes it into the news copy. I've wondered if MS has a massive marketing/legal outreach to make sure that doesn't happen. And to make it sound like "this can happen anywhere", and "no computer is 100% attack-proof".


Netcraft indicates Linux or unknown previous to the incident for www and bl.uk:

https://sitereport.netcraft.com/?url=http://www.bl.uk

  Hosting History

  Netblock owner                                               IP address      OS       Web server  Last seen
  Microsoft Corporation One Microsoft Way Redmond WA US 98052  13.107.213.64   Linux    unknown     26-Nov-2023
  Microsoft Corporation One Microsoft Way Redmond WA US 98052  13.107.246.64   Linux    unknown     25-Nov-2023
  British Library                                              194.66.233.215  Linux    unknown     20-Jul-2023
  British Library                                              194.66.233.215  Linux    nginx       15-May-2019
  British Library                                              194.66.233.215  unknown  nginx       5-Jul-2016
  British Library                                              194.66.233.215  Linux    nginx       4-Jul-2016
  British Library                                              194.66.233.215  unknown  nginx       26-Jun-2016
  British Library                                              194.66.233.215  Linux    nginx       21-Jun-2016
  British Library                                              194.66.233.215  unknown  nginx       17-Jun-2016
  British Library                                              194.66.233.215  Linux    Apache      17-Jan-2016


Does not have to be what they are running their servers on.


Very true. This website[0] by a library consultant says the library system was “Aleph 500.” The product documentation[1] says it is an Oracle on RHEL. Other components also indicate Unix flavors.

0. https://librarytechnology.org/library/3413

1. https://knowledge.exlibrisgroup.com/Aleph/Product_Documentat...


To me the share of Windows as ransomware target seems proportional to Windows' use in office computers in large and medium enterprises.


No they aren't always aimed at Windows based systems but it is the most widely used operating system so of course it is targeted and exploited. Every system is vulnerable. The secret is that coders are normal people just like everyone else, they make mistakes. The real problem is that our economy is driven by money so these things don't get fixed because there's no profit in it, only features that make money get added or fixed.


This is bait, but I'll bite. From what I've seen, the common denominator is misconfiguration. We can all do it, but it seems especially concentrated in organizations with limited IT human resources largely dependent upon contracted service providers. Spend a butt load on systems and hope Bill in IT doesn't screw it up. A lot of that ecosystem happens to be Windows based.


This is a great observation. What if, back in the Ford Explorer Firestone tire explosion scandal, they said "SUVs are being recalled because tires are exploding". Makes the article much less informative.


Meta: the URL is not offline, the (web) service associated with it is. The title would be better with "URL" deleted, in my opinion.

I hope they resolve the attack issues, that's of course incredibly crappy and I feel sorry for them. :(


It’s wrong as interpreted literally, but I’m not sure of a better way to concisely express it. Deleting URL seems to just make it more ambiguous.


"The British Library website has been offline due to cyberattack for 10 days" feels more natural to me.


That’s what a url being offline means and is understood to mean

The store is closed vs that store location is closed. Same thing


Colloquially perhaps, but it is wrong from a technological perspective, and IMO that matters.


Sounds like a middle manager adding technical terms to sound more... technical.


Not really, since in the context of a store, "location" often refers to an instance rather than its location coordinates.

A better analogy would be saying the store's address is closed. Doesn't make sense.


OK


The URL https://www.bl.uk/ is working fine, but the site is busted.


It returns a resource but I wouldn't say it's working.


I found it confusing - if a URL is "offline", I'd expect some kind of error message like connection refused or no such domain. The URL here is not "offline", it's the BL that's offline, and the BL isn't a URL.


If it displayed the Cloudflare 502 Bad Gateway error page, would you consider the URL to be offline?

There's no Cloudflare here, but I see it as conceptually the same thing.


Custom vs default error page


Broken link. Should be https://www.bl.uk.


Yeah the mod has edited the title and added another slash (https://www.bl.uk//) which now shows a blank page.


The heritage, museum and library sectors in the UK are badly paid, even for technology and IT staff.

Frankly, I suspect that the British Library is reaping the result of decades of underfunding and under-preparing for such an eventuality despite quite clearly being a target.


As a UK citizen living overseas, I would put problems like this down to more than just underfunding. One of these is the frequent challenge with "talkers" versus "doers" and the wrong people being promoted within the bureaucracy.

This is especially the case in government orgs and those close to them which are old and extremely bureaucratic. There are many good people in these organisations who should be paid more in many cases, but they are severely limited by the system.

I find it hard to see that this wasn't something expected by many in the know at multiple levels within the British Library. Now it's an even bigger mess that they are ill-equipped to respond to.


IT workers had a £4k uplift to every band compared to all other staff in the heritage sector from my experience, and that was specifically because you can get more money working elsewhere. They're paid "normal" salaries, if you look at salary distributions of the UK as a whole.

IT/technology is just abnormally overpaid as a whole. I'm not saying it shouldn't be, just that it is.


> IT/technology is just abnormally overpaid as a whole.

In the UK, IT/technology is arguably underpaid, compared to the value it generates. Just remember the TSB IT meltdown last year. (https://www.theguardian.com/business/2022/dec/20/tsb-bank-fi...)

The average salary for a solicitor is ~£70,000

https://www.checkasalary.co.uk/salaries/solicitor

The average salary for IT is ~£50,000

https://www.checkasalary.co.uk/salaries/information-technolo...

For a software engineer ~£60,000.

https://www.checkasalary.co.uk/salaries/software-engineer


I don't doubt you, but it clearly wasn't enough of an investment in cybersecurity for the UK's flagship, national library to be knocked offline for months with no end in sight.

This is less about the pay of any individual working there, but a culture of underinvestment which the UK public sector has been undergoing for the past 15 years.


>> culture of underinvestment which the UK public sector has been undergoing for the past 15 years.

It's going on for much longer than that. It's hard to think of a time when there was investment. It's also hard to think of a time when the individuals and teams who could have prevented this would be given the respect that they deserve. This is a problem in the UK that extends beyond the UK public sector because a lot of the management in large organisations has some cultural similarities.


> "abnormally"

There is no such thing as a normal salary. People are paid what the market demands.

We're not serfs. If one job offers more compensation than another everyone is entitled to leave and go elsewhere.


It looks like they defined what they meant by “normally” elsewhere in their comment. Why edit them down to one word? Seems like that is bound to lose important context.


Can anyone explain why this happens?

Why would they pay ransomware hackers when they would obviously have backups. Sucks to have data compromised, but presumably it's not lost. And what part of the system was designed to bad practices that this was able to happen? Aren't there lots of UK white-hats who would freely lend their services to help improve the library's infrastructure?

Presumably excluding attacks of this sort isn't arcane or impossible, because other major companies and orgs manage it. Is it secret knowledge, or something?

Surely there's a SOP to just not have this happen.


> Aren't there lots of UK white-hats who would freely lend their services to help improve the library's infrastructure?

You mean freely as in for no compensation? This is a massive public body. Do they pay the people who bolt together the shelves the books sit on? I believe they do. Then they should pay the people who audit their security posture too.

> Is it secret knowledge, or something?

Mismanagement and incompetence if you ask me.


> You mean freely as in for no compensation?

I do. The BL is a national institution, and, like the NHS, would attract masses of free labour if they asked for it. There are volunteer developers and data scientists who work for charities in their spare time to help improve society.

Not everyone's so greedy that they must be compensated for every breath they take.


> Not everyone's so greedy that they must be compensated for every breath they take.

It's not that they are greedy. It is that a well-performed job takes time, years and years. It is not a firefighting job you can do in your off hours on a weekend. We wouldn't ask the caretaker to work for free, we wouldn't ask the director to work for free, we wouldn't ask the desk clerks to work for free, so why are we asking IT people to work for free?


Indeed so - though not only of the library. Government in general is limited in pay bands that do not even begin to compare to private industry, so it relies on people who are altruistic if they’re any good.


The amount of skilled altruistic IT professionals is vanishingly tiny.

The amount of not-very-good IT professionals, on the other hand...


> The amount of skilled altruistic IT professionals is vanishingly tiny.

That's completely untrue. The IT industry is full of altruistic individuals, in fact almost the entire open source movement proves you wrong.

What's relatively unusual is this new crop of 'all that matters is TC' types who view the industry as a means to get loaded and who do not, in any way shape or form, embody the hacker ethos and the mentality of putting something out there for the public good because that's just the type of person they are.

The industry has been taken over by utterly despicable greedheads and that's why so much of it has become the way it is, unfortunately.


> What's relatively unusual is this new crop of 'all that matters is TC' types who view the industry as a means to get loaded and who do not, in any way shape or form, embody the hacker ethos and the mentality of putting something out there for the public good because that's just the type of person they are.

I said that people working a job should be compensated fairly. So they have a roof over their head, and don't worry about where their next meal will come, or what will happen with them when they are old. I'm glad that from here you jumped to the conclusion that 'all that matters is TC'.


I really wasn't responding to you personally, sorry if you felt that way. I was more responding to the state of the industry as a whole.


The free-software community is vanishingly tiny; the slightly larger opensource one was built on the principle of not forcing anyone to be as altruistic as them (i.e. made it ok to be less altruistic). In both cases, the overall amount of actual participants is a small niche when counted against the totality of IT professionals. 90% of professionals literally just take.

I've been around since the late 90s and I reckon the greedheads have always been around. The difference is that they used to be easily recognizable by their suits, and now they are not.


I know other institutions have paid ransoms rather than go to backups, because they had never planned for an org-wide restore which would take months to execute.

Turns out there's a huge difference between restoring the occasional system, and restoring everything.

I'm not sure to what extent backup systems are being upgraded to work faster, how easy that even is, or whether it's more cost effective actually to pay the occasional ransom.


> Turns out there's a huge difference between restoring the occasional system, and restoring everything.

And yet it makes sense to regularly test even the "black start" scenario, just like in power grids:

- ransomware isn't the only threat to a datacenter, by far not. Particularly here in Europe, the scenario of an outright nuclear, conventional or EMP attack taking out entire sites is getting back onto the discussion table for disaster preparedness plans, but you also have to account for stuff like fires, water damage, a building collapsing, suicide bombers...

- you keep the employees sharp on their skills in DR

- you uncover where stuff is missing or (under-)documented. If you're a multinational org, it makes sense to have everything documented to a degree that an entire offsite team can just fly in and do everything needed to recover.

- you identify all the various servers that are (sometimes literally) stowed away in a cleaning storage locker but provide crucial services

- you identify bottlenecks that you can use to improve your plans. Basically, stuff like splitting out "cold" data that's rarely required to its own database so you can keep at least a rudimentary version of your service running while restoration is ongoing.


I assume they lost something that's timely, like a transactional DB, where the "backup" would mean accepting the loss of some important transactions.


In general, if your backups are made somewhere that your IT administrators can delete or overwrite, then ransomware operators will destroy or damage your backups before doing anything that would make it obvious that you're being attacked. And if your backups are moved offline, then they can still try to invisibly corrupt these backups and wait a week or two before triggering the ransom encryption.

Many organizations make backups that would protect them from accidental destruction of hardware, but not from malicious acts from someone in your network with a privileged account, and a reasonable chance of a multimillion payout means that the ransom organizations have no qualms spending quite many hours of skilled people in ensuring the victim is more likely to pay.


>but not from malicious acts from someone in your network with a privileged account

I do think it's depressingly much, MUCH harder than it should be to catch it though for normal people. This should be a turnkey thing built into all data software, NAS options like TrueNAS or whatever else, cloud services of course (though I think some now do). Ransomware attacks, by their very nature, are extremely detectable on a technical level. Their access patterns are unique, and of course they fundamentally change the entropy of all the data on the system. This is something a watch dog should just be able to automatically detect and alert, preferably immediately freezing things. With the kind of atomic snapshots available roll back should be easy. Capabilities can separate snapshot deletion from read/write, raw storage space is quite cheap. Backups should be default pull based with a lot of controls, so that the backup system offers no administrative access over the general network at all. Etc etc. The technical ingredients are there, yet it's still hard to find stuff where someone can just click a checkbox that says "alert on ransomware pattern detection" :(. This should be a very solvable problem, or at least able to be made enormously more challenging to pull off, vs most of the security challenges in tech. It's a shame it hasn't been.
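
A sketch of the entropy-and-burst watchdog the comment above describes, added here as an example and not taken from the thread or from any product: it scores each file rewrite by Shannon entropy and alerts when several distinct files jump to near-random content within a short window. The thresholds, function names and sample events are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter, deque

HIGH_ENTROPY = 7.5      # bits/byte; ciphertext sits close to 8 (assumed threshold)
ENTROPY_JUMP = 2.0      # minimum rise over the previous version (assumed)
BURST = 3               # distinct files that must trip within the window (assumed)
WINDOW_SECONDS = 10.0   # sliding window length (assumed)


def shannon_entropy(data):
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total)
                for n in Counter(data).values())


def looks_encrypted(old, new):
    """True when a rewrite turns structured content into near-random bytes.

    Requiring a jump, not just a high value, keeps already-compressed files
    (JPEG, ZIP) from tripping the check every time they are re-saved.
    """
    h_new = shannon_entropy(new)
    return h_new >= HIGH_ENTROPY and h_new - shannon_entropy(old) >= ENTROPY_JUMP


def first_alert(events):
    """events: (timestamp, path, old_bytes, new_bytes) tuples in time order.

    Returns (timestamp, sorted_paths) for the first burst of encrypted-looking
    rewrites, or None. The burst is the access-pattern half of the signal.
    """
    recent = deque()  # (timestamp, path) of suspicious rewrites in the window
    for ts, path, old, new in events:
        if not looks_encrypted(old, new):
            continue
        recent.append((ts, path))
        while recent and ts - recent[0][0] > WINDOW_SECONDS:
            recent.popleft()
        paths = {p for _, p in recent}
        if len(paths) >= BURST:
            return ts, sorted(paths)
    return None


def pseudo_ciphertext(seed, size=4096):
    """Deterministic near-random bytes standing in for encrypted output."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:size])


# --- constructed sample events -----------------------------------------------
TEXT = b"I give and bequeath to my daughter the sum of one hundred pounds. " * 60
PHOTO = pseudo_ciphertext(b"already-compressed")  # stand-in for a JPEG

NORMAL_EVENTS = [
    (0.0, "wills/a.txt", TEXT, TEXT + b"Codicil added."),            # ordinary edit
    (5.0, "scans/a.jpg", PHOTO, pseudo_ciphertext(b"re-exported")),  # high -> high
    (300.0, "wills/b.txt", TEXT, pseudo_ciphertext(b"one-off")),     # lone jump
]
ATTACK_EVENTS = NORMAL_EVENTS + [
    (600.0, "wills/c.txt", TEXT, pseudo_ciphertext(b"c")),
    (601.0, "wills/d.txt", TEXT, pseudo_ciphertext(b"d")),
    (602.5, "wills/e.txt", TEXT, pseudo_ciphertext(b"e")),
]

if __name__ == "__main__":
    print("normal:", first_alert(NORMAL_EVENTS))
    print("attack:", first_alert(ATTACK_EVENTS))
```

Entropy alone misses files that were already compressed before being encrypted, so a real watchdog would pair this with the snapshot and pull-based backup controls the comment lists.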


I wouldn't necessarily assume they do have backups. At least, not recent backups of 100% of their content/systems.


They have back-ups but they are mostly not digital back-ups.


> Why would they pay ransomware hackers when they would obviously have backups. Sucks to have data compromised, but presumably it's not lost.

It's been more than a month. I think if it was this easy, they would be online by now. They said on their blog they will only begin to restore some functionality in January. A business could consider paying the ransom to avoid two months of downtime. Although in this case they didn't have the option to pay it.


I guess they also expected some free white-hat magic instead of doing the hard org work to have a properly working backup system


Maybe the attackers encrypted the data, and those encrypted files were backed up, maybe even overwriting older backups?


The URL for this post is incorrect and has a double-slash.

It should be:

https://www.bl.uk/

and not:

https://www.bl.uk//


Man if only people had access to a large online free global library.


You could call it the “genesis library” or GenLib for short


Wow, libraries general! We can call it libgen for short.


Wouldn't help. You might as well say people could use Wikipedia and Wikibooks.

A big reason people go to libraries like the British Library is for collections of rare books and manuscripts (https://www.publicbooks.org/how-to-lose-a-library/), which you're not going to find on some pirate site that scraped the (relatively) low-hanging fruit of digitally-distributed academic papers and ebooks.

You might as well say "Man if only people would spend the billions of dollars to digitize every scrap of archival paper in the world, and put it online for free."


>A big reason people go to libraries like the British Library is for collections of rare books and manuscripts

I love rare books and have donated to my library specifically to restore rare books in need. The vast majority of patrons would never notice them missing or care if they did.

>Wouldn't help...You might as well say...

So, a huge collection of books available for free won't help library patrons, and the main reason why is because I can't also use it to view Chekhov's handwritten notebooks or the Leningrad codex? Ok.


> So, a huge collection of books available for free won't help library patrons, and the main reason why is because I can't also use it to view Chekhov's handwritten notebooks or the Leningrad codex? Ok.

You're moving the goalposts. I'm sure the UK already has quite a few everyday lending libraries that would fill that need while the British Library is offline. Library Genesis could perhaps fill in for one of those if it was shut down because of hacking, but few people would care.


I love you guys!


TIL. Thank you!


An unfortunate number of people would only be able to access that global library using the computers at their local library.


Related:

How to Lose a Library - https://news.ycombinator.com/item?id=38657830 - Dec 2023 (21 comments)


Oh well, that is sad. Toronto Public Library's online services have been down for at least a month.


The Toronto Public Library got hit with ransomware, but they obviously can't afford to pay.

It's awful. TPL is one of the best library networks in North America, providing a vast array of valuable services to the people of Toronto.

It should be considered an essential service given how many underprivileged people depend on its services.


>vast array of valuable services

I'd argue that this is how libraries get into this mess. Instead of specializing, they adopt a scattershot approach to services, many of which aren't even related to taking care of library materials. Flashy pet projects get prioritized while less interesting things like books or computer systems languish.


Agree with you. It's a truly sad state that libraries have become the de-facto "last option" for so many people, ranging from Internet access for those too poor to afford a basic phone data plan over food [1] and showers [2] to first aid for drug users [3].

Out of all of that, only the first should be provided by a library - the rest should be a core function of any civilized government to provide in dedicated, actually properly equipped facilities. Librarians are not social workers, and they shouldn't have to be forced into that role that they've never been adequately trained nor equipped for. And libraries shouldn't be places where those in need of their actual services are afraid to go to, because they don't want to get harassed by homeless and drug users.

And yet, I shudder even thinking about how the situation would look like if the many librarians and other adjacent staff would not have stepped up to the multiple crises of completely dysfunctional local governments and widespread poverty.

[1] https://www.governing.com/now/public-libraries-step-up-to-he...

[2] https://www.slocounty.ca.gov/Departments/Library/Library-New...

[3] https://www.cbsnews.com/news/libraries-becoming-popular-plac...


The ransomware group posted some evidence -> https://www.ransomlook.io/screenshots/rhysida/British%20Libr...

and the ransomware group details -> https://www.ransomlook.io/group/rhysida


attack the incentives...

have dedicated govt agencies going after the crypto money trail, and disrupt the thieves. this happened in the pipeline hack.

otherwise, the thieves will continue thieving with nothing to stop them.

that's why we have the police and other such agencies in the real world.

when thieves go after the commons (libraries/hospitals) - we the public taxpayers have every incentive to demand action of our govt as there is nobody else who can help here.

why are the british taxpayers not demanding action ?


Demanding from whom? The current government could not cook an egg.


With enough study and preparation, and enough funding, I bet the current government could, in fact, cook an egg.


The most likely outcome is, in fact, that they would pay £60m to a company (which happens to be run by well-connected friends of the Prime Minister), for them to cook an egg - just to discover 6 months later that such company never owned a pan and never cooked anything.


They could break an egg with that level of commitment, cooking it is another thing altogether


I have some doubt that the current prime minister has ever cooked an egg.


What are the incentives to not have a proper backup system and also not having digitized everything already?


cost, expense ?

i can buy locks for the doors in my house, but if thieves can break locks, i need the police too to serve as a deterrent. ie, there needs to be a negative incentive for the thieves too.


Looks like they got hacked and just shut down their web system while they rebuild a secure env/system.


Is there anything we can do to help?


The www.bl.uk website currently reads:

> Temporary holding page

> Our website is currently unavailable

> Last updated: 5pm on Friday, 8 December 2023.

> We're experiencing a major technology outage following a cyber-attack affecting our website, online systems and services, and some onsite services. However, our buildings are still open as usual. We anticipate restoring more services in the next few weeks, but disruption to certain services is now expected to persist for several months.

> Last week the attackers released some of our data onto the dark web including some personal user information. We've contacted our users to alert them to this incident and to offer advice from the National Cyber Security Centre (NCSC) on how to protect themselves, including updating their passwords on other systems.

> Because our systems are still unavailable, you can't change the password for our services. However, if you use the same password for non-British Library services, we recommend that you change it as a precaution.

> NCSC provides guidance on staying secure online, including how to create a strong password, and specific guidance for individuals who may have been impacted by a data breach.

> Analysing the data is likely to take several months. Should we find specific information has been compromised, we will alert anyone affected as soon as we can. We are continuing to collaborate with the Metropolitan Police and professional cybersecurity advisors, and are receiving support from the NCSC.

> We're really sorry for the ongoing disruption to our systems and services and we'll provide further updates when we can.

> What is currently available?

> The Library's buildings are open, but some services are limited, including access to collection items. We're regularly updating our blog with the latest information on what's currently available online and onsite so please check this before you visit.

> If you have purchased tickets for our exhibition, Fantasy: Realms of Imagination, you can still use them. Exhibition tickets can also be booked via See Tickets. Our free exhibition, Malorie Blackman: The Power of Stories, is open and no booking is required.

> All upcoming public events are going ahead as planned and you can find more information on our events blog update. We're continuing to welcome schools and families too, as well as adult learners to our courses.

> Business & IP Centre (BIPC) in St Pancras is open to support businesses as usual but digital services onsite are unavailable. You can also join BIPC events and webinars and access one-to-one support. Read our BIPC blog update to find out what help and advice we can offer during this time.

> Contacting us

> While our systems are offline, you can contact us by emailing customer@bl.uk We'll do our best to answer your queries but please bear with us. This inbox is reviewed between 08.30 to 16.30 Monday to Friday. We're experiencing a high volume of enquiries so it may take us some time to respond. We'll get back to you as quickly as we can.

> Thank you for your patience and understanding.


It's working for me.


Isn't it ironic that a library of all places completely melts down when you damage their computers? It's not like a hospital for example who could reasonably argue "of course if you manage my systems my business melts down, it's not like managing paper records is part of my core expertise, I'm busy with other things".


The other way to look at it is that a library can afford the trouble, as no one is likely to be at immediate risk of death if their computers go down.

A hospital has no choice but to be more resilient, since many other emergencies they would be most needed in (eg natural disasters) can also involve loss of access to computer systems.


Of course, I wasn't making an argument that we should make hospitals more fragile...



