librarypunk - 120 - British Library Hack
Episode Date: February 5, 2024
We're covering the British Library hack and its fallout.
Media mentioned:
https://www.reddit.com/r/Libraries/comments/1aeq1ek/library_moral_dilemma_from_a_while_ago/
https://www.ft.com/content/4be5d4...68-0cc3-4881-a5fb-b5d0163de93e
https://www.oclc.org/research/publications/2010/long-term-access-digital-information.html (Dorothea mentioned)
https://www.bleepingcomputer.com/news/security/rhysida-ransomware-gang-claims-british-library-cyberattack/
https://www.theregister.com/2024/01/08/british_library_finances_remain_healthy/?is=b78b52a0bbc1b1a4c4446480c8d59b7f8abf7ac5db44dcfceee6104ddb4dab4f
https://www.theguardian.com/technology/2023/nov/24/rhysida-the-new-ransomware-gang-behind-british-library-cyber-attack
https://www.theguardian.com/books/2024/jan/15/british-library-cyber-attack-staff-users-analysis
Join the Discord: https://discord.gg/QTr6Tn6YMk
Transcript
But if I used an AI voice the entire time, it will kill you.
Same.
Justin, I'm a scholcomm librarian.
My pronouns are he and they.
I'm Sadie. I work IT at a public library, and my pronouns are they/them.
And I'm Jay. I am a music library director, and my pronouns are E.
Reddit.
Library Moral Dilemma From a while ago.
I'm a librarian. This isn't a story about where I work.
It's about my previous public library.
I'm in the UK, and a while ago, about a year or so,
The council borough I lived in got cyberattacked,
which meant that among other things, the library systems went down and all the books that were out were just not on people's accounts anymore.
Essentially, they could have kept them and no one would know.
I found this out kind of by accident: went to renew a book, and it wasn't on my account.
And they explained, and I said something like, so I could just keep them and no one would know?
And they were like, yep, of course I didn't keep them.
I returned them.
But sometimes I think about all the books they could have lost if people had known, what would you have done?
My favorite answer among all of these is just the one that's we live in a society.
I mean, I would have returned it, but like, I guess my main response to this is part of a, like, your acquisitions budget for physical materials is like knowing that eventually you will have to weed it or replace it or that also it could be lost or damaged or something.
Like, that's assumed for every single item.
And if someone really needed a book or maybe they moved or something, it's like, it's just a book.
This is my answer.
Pretty much, yeah. It's a non-problem, to be honest. But, I mean, people do it anyways. I mean, people check stuff out, and then, I mean, even when they get charged for it, they just never bring it back, because, you know, that happens all the time where they just take them and walk out with them. So it's like, don't make a fucking habit of it. But like, if you forget to return something before you move, or you just like really need a book or something, I don't know. Am I telling people to steal from their public libraries? Is that bad? We live in a society. We live in a society. Sometimes you just need a book.
They're fucking books. We live in a society. We throw them in the dumpster anyway, eventually.
I also like that if I were a library staff member, I'd probably start taking inventory so I'd know which
books were missing. And I'm like, if your system's not already doing that, get a better system.
Like, you should have record of those books existing, even if you don't have record of them being
checked out. And like, two, like, that's so much work. My dude, that is so not worth it.
No, like inventory shouldn't be like an... so like, all the... their catalog didn't go away. It was just like circulation records, like history data, that went away. Yeah. Sounds like. So like you should maybe be doing inventory like, I don't know, if you're about to do a system migration or, I don't know, every so often. Inventory really shouldn't be a like all-of-the-time thing. I don't know. Like if you're going to do like an audit of your collection, if you're about to do like a weeding project, like more so than regular weeding, then do inventory.
Like, I'm doing inventory in my collection right now because we're about to do a system
migration.
And I'm, you know, we've been noticing a lot of things are missing because, like, of how
things were working during the height of the pandemic before I started working there.
So it's like, oh, okay, we need to do an inventory.
Let's clean this shit out.
But don't be actively doing inventory.
Like, just fucking.
Yeah, I'm just so hugging over it.
My last library, our physical collections were so small.
I just did an inventory every year.
Yeah.
Because we had like a few thousand volumes.
And it took like generally like a couple days of not very hard work.
I think mine's like 30,000.
Like 10,000 of those are just CDs.
And it's, I have like five student workers, but not all of them are actively doing it.
And we're almost done.
Yeah.
Well, they're almost done.
I've not done any of it.
They've been doing all of it.
Let's make that clear.
I'm not doing any of this labor.
You set it up.
Yeah.
I'm going to clean up all of the barcode scans so that they're all normalized.
I'm going to do some OpenRefine bullshit on it, you know.
Yeah.
All right.
That was Reddit.
Well, there's that we live in a society one.
I'm going to upvote it.
It's way down there.
Yeah.
It wants to make me log in just to upvote.
I really hate that trend.
I just want to upvote.
We've got to know who upvoted.
No.
What I hate is when it makes you download the app on your phone because it's like an 18 plus
thing.
Oh, yeah.
But it'll always be for the most non-18 plus.
Like, I'm not looking at porn on Reddit.
I look at porn on porn sites like an adult.
But it'll make me log in.
It's like, this discussion is 18 plus.
It'll be like a kink community thing.
Yeah.
And it's like, download the Reddit app.
I'm like, I'm not a fucking school shooter.
I'm not downloading the Reddit app.
The fuck you're talking about.
Oh, my God.
It's a library moral non-dilemma.
Yeah, it's really not a problem.
Like, if you lost circulation records, good,
because you probably never would purge them in the first place.
I pray to God that,
we lose our circulation records.
Every year, I purge them.
Every year.
Yeah.
I've argued with our system librarians about purging circulation records.
And they're like, but one faculty member needs them to study something.
I don't give a fuck.
Tell them to make a new assignment.
I don't care.
Like, it's their fucking problem.
There's no reason for us to keep this data.
I'm gods.
I can do whatever the fuck I want.
And I say that shit gets expunged, anonymized every single year.
It makes me want.
to run a library just so I can force these kind of things to happen.
It's very fun.
Yeah.
I say no late fees, done.
Yep.
No circulation records, done.
I renew it an in an infinite amount of times because I don't give a fuck, done.
Yeah, basically.
I can only do that in a very limited set of circumstances.
Become a solo librarian.
It's very fun.
Yeah.
All right.
Let's see.
Do I have any new drops?
No, I didn't make anything new.
I used this one, right?
I'm on them Broward County Tic Tacs.
Yeah, I think I did.
Yeah.
Florida was in the news.
Isn't it always?
Yeah.
Well, the president of the new school did a stand-up set at McCurdy's or my friend works.
And I've been to McCurdy's Comedy Club in Sarasota.
And I've never paid to be in there, mind you.
She sneaks me in.
But that's like where Louis C.K.
Went to like work up his material for his return to comedy.
It's a shit place for shit people.
Unless you work there, then you're cool.
I had a drunk guy give me $20 there one time.
He thought I was.
With Carlos. Yeah, he thought I was with Carlos Mencia. I was just sitting at the bar.
Carlos Mencia was standing there. Yeah, Carlos Mencia and his crew were like kind of standing there,
and he like tipped them all $20. I said, where's my 20? He gave me 20, and I was like, cool.
Incredible. How are you like this? I got the gift. I got the gift of gab. My life just takes
weird turns sometimes. I don't know.
Anyway, that's my Carlos Mencia story.
He seemed very entertained by the exchange.
Oh, he saw it.
Oh, he's standing right there, yeah.
Yeah.
I was waiting for my friend to leave.
So, like, they were only, like, the comedians and the staff were left.
And I was waiting for my friend to get out work.
So, yeah, they were standing at the bar.
Okay, so we're doing cyber.
Now the cyber is so big.
The British Library has been hacked.
It's all your fault.
Like months ago.
Like in October.
Yeah.
But the early information about the attack came out very shortly afterwards in little drips.
Stupid Financial Times one keeps getting locked.
Yeah, I couldn't read that one or the OCLC link either.
It wouldn't download for me.
But the British Library was attacked by Rhysida, a ransomware group, which took down basically all of their systems, including the Wi-Fi, apparently.
And they haven't been able to get access back to all of the services that were shut down, because pretty much everything was shut down,
and then personal data of staff and patrons was put up for sale on the dark web,
and they asked for a ransom of 600,000 pounds.
Instead, the British Library is going to pay 1.7 million pounds to fix their systems.
Don't collect data you don't want getting out.
The one thing I saw was someone was asking if their passport data had been compromised,
and I was like, why did the British Library have your passport data?
It was a staff member.
Oh, was it a staff member?
Yeah.
That makes more sense because they got to travel for work.
I thought it was a reader.
God, I hope not.
No, at least one of the ones that I read said that most of the-
It was a former staff member.
Okay.
Most of the info that went up for auction was obviously pulled from HR systems.
So it wasn't- Yeah, grip it, rip it, buddy.
I showed Jay that clip from a bim-bam.
So I apologize for that.
That was my fault.
So Sadie did research for this episode.
You said there were similar-ish recent attacks, TPL and BPL.
Yeah, so a couple of months, like a month before the British Library got hacked, Toronto Public Library also got hacked.
They were able to get their systems.
Well, some of their systems are just now coming online, but they didn't lose like public computer access and Wi-Fi.
Not all of their systems went down like the British Library did.
And it was probably over a year ago now, but the Boston Public Library had an attempted ransomware hack that kind of... it took down their systems, but they never actually got to the "hey, we're ransoming your shit" process. They got interrupted, is what they think. They don't actually know, which is always interesting. I said, don't fuck with Boston. Yeah, truly. But I think part of the reason that makes the British Library thing interesting is that it is like the national library TM, and it's like, you know, Toronto Public or Boston Public are like really big library systems, but like they're not cultural institutions like the British Library is. So like the British Library is like, we want to have at least one book or one copy of every book published in the UK kind of shit, right? Yeah, they're a copyright library. Yeah. So like, I think the public library attacks are kind of interesting in comparison, but I think that the reason that this is such huge news is because the British Public Library is pretty unique in its purpose and its scope, on top of the fact that it literally fucking flattened everything.
Yeah.
I know that they will never actually release like details about what happened, but I really wish
they would because I'm super curious.
You think it was like a technical issue or do you think it was social engineering?
Or a combination of the two.
Actually, it's pretty rare to be able to pinpoint the exact vector of entry.
I think most of the time when I've heard of stories like this, it's not always clear.
Sometimes it's really obvious.
Sometimes you can absolutely pinpoint where somebody got into a system, but Boston Public never
figured out how the hackers got in.
I wouldn't be surprised if that was the case with Toronto Public or a lot of other cases.
The forensic trail is no longer there by the time that it becomes aware that there is an
attack happening.
So you can't really figure it out.
But it's pretty much going to be some form of social engineering usually is to gain the
initial access and then the technical stuff is what happens once you have some form of access.
So combo.
But one thing I thought was funny is, across some of the more like tech-oriented articles that I was reading, they kept referring to Rhysida, or however you say it, as a new group. But like they're not really. They're just the same hackers with a different hat on. So like groups normally, like they usually get famous for a particular kind of attack. And in this case, Rhysida is the malware that's being used to perpetrate these attacks. So they just started calling this group Rhysida. And it'll probably... they'll probably change their vector at some point once it gets too hot. And then the same hackers will take on a different name, either coined after what malware they start using or some other sort of thing. So I just thought it was funny that it's a new hacker group, but it's probably not. It's probably the same hackers, or the same actors just moving between various groups and methods.
So I thought that was kind of funny.
So one of these articles had their ransom website, which was very... it had like a countdown timer.
Yeah, here it is.
So they were selling the data for 20 Bitcoin, which is like five bucks, I think.
I don't know how much that is.
Hang on.
You can see it in USD.
And then 20 Bitcoin is $837,000.
So that's about 600,000 pounds.
And that's what they were selling the data for?
Yes.
They had a countdown to when it would be available.
So you can actually, it was an auction.
So the starting price was 20 Bitcoin.
But I don't know what site it was put on.
But I'm interested because I'm seeing this right here.
Rhysida is a ransomware as a service.
Like, what does that mean?
So ransomware as a service is basically where they say,
we will conduct this ransomware attack for you.
Basically, you pay us.
You pick a target.
You pay us.
We do this and we split profits.
So it's like a play on the whole platform-as-a-service thing. God, there are so many of them now, the common acronym. And that's kind of why they've risen in notoriety in the last couple of years, because they're one of the first groups to do this very publicly. Be like, yeah, no, we will totally like do this for you. And that's part of how they make their money. And it's entirely financially motivated. Like almost none of these attacks are like politically or anything like that motivated. They're not hacktivism, which I can see a lot of people probably jumping to, like, why would you attack a library? And it has actually nothing to do with it being a library and everything to do with... it's got a lot of data. It's got data and it's got a budget. So somebody might actually pay out for it. Yeah.
So, yeah, ransomware as a service. And then the double extortion is the other thing that Rhysida is known for, where they say, you pay us a ransom and we'll give you back your data, or we're going to sell it in a public auction and release it anyways. That's a fairly, not new, but more common tactic, often because less and less people
are paying for ransoms. Like, I've seen conflicting data, but actually, I think the requested
ransoms are going up, like the amount that gets requested for a ransom is going up, but the actual
number of institutions that will pay a ransom is going down. Because you've got shit that's covered
with things like cybersecurity insurance. The U.S. and the UK both have, like, mandates to not.
pay ransoms. It's not like legally binding, but they basically say, hey, you probably shouldn't do this.
And especially in any sort of big hack, even if the British Library wasn't a government institution,
the government would still be involved in, you know, figuring out what happened and, you know,
all sorts of stuff. Like, you have a decent hack and the FBI is there when it comes to, you know,
the U.S. at least. So there are a lot of reasons why the double extortion is so popular and, well,
popular, but it's more common now and why Rhysida in particular has been getting a lot of news.
The other funny one, which is not directly relevant to the British Library, but I got them
confused for a second this morning and had to stop and look it up. Another group called BlackCat
has been hacking medical and health organization records and then threatening to report
the organizations they've hacked for not reporting the cybersecurity incident fast enough to government
authorities. So they'll be like, we stole data. We know exactly when we stole your data. We know you're
supposed to report this within like 14 days or whatever. And we know you didn't. So we're going to
report you to whatever institute or whatever government thing it is and let them know that you
violated this law that you were supposed to have. So we have your data and we're fucking you over
with the government. So that's kind of the other. So the double ransom is if you don't ransom,
it will sell it. That's what you mean by the double? Double extortion.
And some double extortion?
Yes.
Okay.
Yeah.
So it's basically like not only will you not get your data back, but we'll actually release it out into the wild.
Which is why if they, I think only about 10% of the data that went to auction actually got sold.
And the other 90% they just released it once the auction was over.
So yeah, that's the extortion angle on it.
Yeah, I guess if you can tell everyone in time before the auction's over that everything needs to get reset.
but a lot of those government documents that staff have, I don't think you can do that.
Like, you can't, like, putting a lock on your social security number or whatever.
I guess it's kind of easy to do in the U.S.
Like, as soon as you find out your social security number is compromised, you can put a lock on, like, your credit.
And people can't open any credit cards, but I don't know about other things.
Like, you'd still want to, I don't know, cycle your passwords on other stuff.
And I think your driver's license number stays the same at which people use driver's licenses to verify fucking everything these days,
which seems insecure because it's not meant to be a PIN number.
It's to be just an identification document.
It's like a DOI, but for you.
Same problem with social security numbers.
Like using them as like security controls was always a fucking stupid idea.
You don't get a new one.
It's like giving you a passport at birth.
Like that's fucking insane.
It's really stupid, yeah.
We actually had a scam email going around that got sent to some people at work that if you dug into it deep enough,
they would actually ask you for your entire social security number.
Basically, it was a fake login.
And if you tried to log in and it would tell you, oh, no, we don't have record of that.
Here, you can verify your identity by giving us your birth date and your social security number.
And I was just like, holy shit.
Like, on one hand, I struggled to believe that there are people who fall for this, but I know that's like my IT failing because there are absolutely people who would fall for that.
Because that's legitimate people, like legitimate businesses do that dumb shit.
So, yeah.
I just had the, you know, experience of filing my taxes.
And it's like, I don't want to give this money, this information, to TurboTax or Equifax.
Like, how about you just opt me out of this whole thing?
And you can't opt out.
It's stupid.
All right.
So you wrote multiple responsibility arenas, not just an IT failure.
Yeah.
So who's to blame?
Because that's what these fish want to do.
Right.
Yes.
So the interesting thing about the cybersecurity hack.
is a lot of times they, you know, you would automatically jump to like some sort of IT failure when
actually a lot of it is actually more of like an administration and leadership failure, but they
just won't call it that. So if you have a good cybersecurity program or a good, not even necessarily
good cybersecurity program, but a good like disaster recovery plan, then you shouldn't be down for
months like the British Library has been. Basically that says like every, the fact that every system of
there has got taken down and that it has taken them months, which is not atypical. It takes a long
time to get back up, but they haven't even been able to get, like, people aren't able to check out
books or, like, their circulation and all of that still isn't back up. It's still very barebones
after, you know, three or four months of recovery. So part of it is the scope of the British Library,
and part of it is that the hack was very, clearly, very, very, very deep. Like, in contrast to like,
TPL and BPL, like the hackers didn't actually get all the way through the system before they started
encrypting shit. So the impact was less. But when it comes to like the like how you frame responsibility for
like a cyber attack like this, I watched a webinar recently from the IT director of the Boston Public Library,
which is where I heard about their hack. And he talked a lot about how the timeline of events that happened
when they... from realizing that they were currently having a cybersecurity incident to, like, their after actions. And he made a really good point that, like, when you're looking at a framework for your cybersecurity program, most people start at, like, identifying where the things are and going to fix stuff. When actually, he said, the major thing that they learned is that you actually need to just start with the recovery portion. So you have to know, if all of these systems go down,
what are we going to do about it before you know how do we fix these systems, which was like a really
good way of framing it in my degree because that what are we going to do when everything like goes
down? That's all admin shit. That's not necessarily like the day-to-day IT stuff that happens. So like you have
to have a good disaster recovery plan. You have to you have to know like you have to know what your
risk systems will require to get back up and running. A lot of times.
it'll be like, we didn't realize that the system needed this and that's not something we backed up. So we're kind of stuck doing this or, you know, and you have to have somebody who knows risk management because there's no perfect security system. There's no perfect cybersecurity program that you can possibly run, especially on an institution the size of the British Library. So you have to have preferably a group of people who are leadership and not the technical people who can agree on what risks are acceptable to take.
So, you know, there's the basic layer of stuff to do, but a lot of times with security stuff, it will hinder, what's the word, convenience for your staff, for your patrons, for all that kind of thing. So you have to have somebody who goes, yes, we're willing to take that risk. No, we're not willing to take that risk. And that's a leadership decision. That's not an IT decision. I can make those kinds of decisions, but it's not going to be consistent or great. So like when it comes to the responsibility arenas, like there's a lot of,
stuff in the admin and leadership arena that is non-technical decisions that need to get made before
you can even start to have a recovery or have a like a cybersecurity plan going forward after
something like this. So like your IT is there to know how to execute the recovery plan and some of
the forensics and that sort of thing. They're not there to actually make the administrative
decisions about what is going to be done. So that's kind of the different things.
between like an IT layperson, or like an IT day-to-day person like I am, versus like an IT director or a CIO or
whatever. But one of the things that I really wish I could see the inside of this attack, which they
almost never actually go into forensic details about what happens with these sort of attacks because
of various legal reasons and also they don't want to reveal where their weaknesses were. But it's like,
I want to know how like the archivists and librarians.
of the British Library could have been pulled into a like a disaster recovery plan and how that could
have maybe affected some of this outcome. You know, so like what digital collections would,
like what digital collections or what data is the most important for them to use to run day to day
beyond obviously like circulation statistics and stuff. But the British Library is huge. So it has all
sorts of cultural information like they run exhibits and stuff too. So there's got to be a ton,
a ton of systems back there that may not look important to IT, but actually affect more of the
day-to-day running of the library that only like the subject matter experts that are archivists
and librarians would actually understand and know. I mean, there's all the like non-descriptive metadata,
like administrative metadata and preservation metadata about, because like the fucking Beowulf
manuscript is in the British Public Library, because they've seen it. The Sir Gawain and the Green Knight
manuscript is in the British Public Library, because I've seen it. They've got a bunch of Shakespeare.
They've got the fucking Magna Carta down there. They've got this whole treasure's room with all of this
old-ass shit. And I'm sure that there's like a lot of preservation metadata about that as well as
for the digitized versions of it. That's like probably extremely important. Yeah. And one of the
articles and one of the podcast transcripts that I read about this was like the people it is having the
biggest effect on are like PhD students and people who are writing books. Like the academics are
really suffering because of this attack. But I guarantee, well, okay, maybe not guarantee. That's a little
strong. But I doubt that their perspective was considered in any sort of disaster recovery planning.
And disaster recovery planning, like there's the natural disaster recovery planning where like,
you know, your library gets taken out by a flood or an earthquake or something. How are you going
to come back from that? Where is their data stored?
But then there's the added aspect from a ransomware where they're actively trying to get and or destroy your data.
So you have to have safeguards in place to prevent those on top of just sort of your basic disaster recovery sort of things.
So, yeah.
These kinds of like policies and workflows, are these the kinds of things that a library would have public facing or should have public facing?
Like other kinds of policies or strategic plans?
Or should these be internal workflows and policies?
I think sort of the sort of more general, the higher level policies and things like that should definitely be publicly available because it's that helps other institutions too. I think probably the very specific sort of recovery details are going to remain internal because a lot of that information is also going to be used by the forensic experts who come in after the sort of attack and are actually, that's almost, it's, I don't think I've ever heard of that being handled in-house. It's always going to be an
outside security firm that comes in to do the forensics to try to figure out what happened or how
certain what data has actually been exfiltrated and all of that stuff. So that's probably
documentation that will stay internal because it'll be needed for the long term investigation
portion of it. But yeah, like even and even this, not even necessarily like the sort of nitty,
gritty details of it, but just like what sort of exercises have you run? What sort of cybersecurity
framework are you working off of and how are you implementing that because a lot of them are
pretty high level themselves. So, you know, beyond just do we use this product or that product,
you know, what's your firewall configuration? Like there's that higher, yeah, policy level that
should be a lot more public facing, especially for public institutions like the British Library.
And that's why like the sort of mumness that happens around cybersecurity attacks like this like really
sort of bugs me because like, of course, I want to know the details for my own reasons, but it would
be really nice to be able to dissect something like this as somebody in a similar position and go,
okay, so these are the places where we could shore it up without necessarily having to contract
a cybersecurity expert to come in and tell us what we're doing wrong, like, if that makes sense.
And I think that the British Library hack will have a long-term effect on how cultural institutions,
deal with ransomware attacks.
So, like, I can kind of see why they're taking their time,
but I also feel like there's probably a lot about this that would be interesting
on its own merit because of the depth and breadth that this seems to have had on the institution
as a whole.
Yeah, I know a lot of the information or a lot of the systems that were really affected were, like,
I guess they have like a self-made inter-library loan, but just for like their branch
libraries, which was completely fucked, and I think they still haven't fixed it. So just like how they
transfer materials between their libraries for scholars to use and like off-site storage is completely
broken because it wasn't an external usage. It was something they built themselves. And I guess if
their catalog wasn't working properly as well, like they just can't do any research. I saw that
they also, they canceled payments for people who get paid like pennies every time their book is
circulated, one of those payment schemes like Canada has. And also they had to cancel several
grants for students and researchers because they wouldn't have enough time to do the research they
need to do. And I guess they were funding. Yeah. And that's why I think the academic community
there is going to be the ones feeling that the burn from this for a really long time is because,
yeah, I'm sure there are plenty of students who their entire timelines have been fucked because
they can't get, you know, the one thing that they really need to finish their dissertation or whatever.
So, excuse me. Yeah. And that's like a financial thing because if you're a PhD student and I don't know how
many works, but I mean, like, if you have to say like extra semesters or something because you can't
finish your fucking dissertation when you're supposed to, and you have to like pay for more
semesters a fucking grad school or something because of this, like, this is not just an inconvenience.
This is like maybe life changing for some people and not in a good way.
But if you have to drop out of your fucking PhD program because you can't afford to finish it because you hadn't budgeted for having to go longer because a British Library got hacked.
And like this is the sort of like danger of like a centralized institution like this too.
Like if you're a centralized institution of any sort, you should have absolutely solid recovery plans.
in place already for that exact reason. And that's why, like, I talk about, like, the subject matter
experts of our archivists and librarians, like, would anybody have considered that before this
happened to be a major impact? Probably not. Maybe. Depends on, you know, who was at the table when
recovery plan was made or when the disaster plan and risk management was discussed. So, yeah,
there's a lot. Like I'm always saying, who is the patron in your head?
Yeah. And who is not the patron in your head? Like, who are you leaving out when you think of the patron or a patron? Who is that? And how is that affecting? How is that bias affecting all of the policy that you do?
Exactly. And like, that's why, and like, that's why the British Library one is so interesting is because it's, it's clearly affected. They got into their HR systems because they're, we're auctioning off information about current and former staff, their catalog and their internal
systems, like their internal facing systems like the interlibrary loan thing, those are also down.
Obviously, some of their financial systems are impacted because they can't pay authors.
They can't pay or register new authors for the, what is it, the PTR, whatever that is, where they
get paid pennies for a checkout.
They can't register new authors for that either.
Oh, I hadn't even fucking thought of that.
Yeah.
I forgot they did that.
Oh, my God.
Yeah.
So people, so payments are going to resume presumably next month, but they can't
register new authors or new or new books. So if you wrote a published a book in December of
2023 and gave the British Library copy, you're not going to see, well, people can't really
check things out right now either. So there's that too. So that's going to probably affect
authors down the line who maybe rely on that money, even though I don't think it's ever,
it's a lot of money. It is still something that they do. So like just the fact that it was so
widespread, down to the fact that their computers, the staff computers and the Wi-Fi wouldn't even
work. Like, I really want to know exactly how coordinated this was. Like, was this just day in the life
of Rhysida? Yeah, they just went like, yeah, we're just, we're just going to hit the British Public
Library, or the British Library because of an opportunistic they managed to get in. Did they
deliberately try to fuck up this institution as much as possible before they actually hit the go button on
encryption and started to reveal their presence? Or was this just like, yeah, just another institution
that they happened to hit and the British Library happened to be particularly weak enough that
there's this domino effect of all of their systems that have gone down? Because usually when I hear
about something like this, it's usually not, it's usually can be isolated to a certain amount of
systems, be either because those systems were specifically targeted or because there were
systems in place to keep them separate. So like, I want to know like their network structure,
were they not following network security standards and keeping all of this stuff, you know,
segmented away from each other. So how easy was it to get from like their HR system to their
financial system? That kind of shit takes time. So to me, it seems like this is either
Rhysida deciding to have a particularly chaotic effect on a major cultural institution,
which they have not declared. They've just done their
usual, we're going to sell this data or release it tactic?
Or was the British Library just so fucking house of cards that this ransomware attacked
completely fucked over so many systems?
I mean, it is run by like a TV guy.
Is it?
Yes, or whatever.
Anytime anyone who runs something is like a knight, but he's not a hereditary title.
So I guess, you know, he might be competent.
We won't give the benefit of the doubt.
No, if you accept that you're dumb.
Yeah, always say no to that shit.
You think you're going to be Mr. Tall Duck?
Nope, you can't be the tallest duck.
Have you seen the tall duck going around?
No.
It's just a freakishly tall duck.
And then someone was like, oh my God, I fucking forgot the meme, but I think someone was
talking about like, they were using it in a commercial for dick pills.
Oh, my God.
Like, do you want to be the tall duck?
Put a top hat on that.
What corner of the internet are you on?
No, it's not ready.
I never see any of this shit.
Just Twitter.
It's just fucking weirdos I follow on Twitter.
We have very different Twitter experiences.
I've been following people that I met at the Chicago show.
All their friends are following me.
Now I got a new group of weirdos.
I didn't get new friends from that.
How did you get new friends from that?
You sat in the corner and talked to Ash.
Yeah.
He spanked people for that.
I know he did.
I know he did.
I was networking.
That's what you call it.
Thinking about getting into leatherworking night.
Of course you are.
Well, there's a place that does leather working near me, and they do classes.
I saw all kinds of cool stuff with the leather archives.
Yeah, there was like a five-foot-long flog.
I know.
It was hanging in the archives.
That's some like, Jesus Christ, superstar shit.
Yeah.
Yeah.
Didn't look that hard to make.
Just need to learn how to make a handle, and then the rest is just long strips.
There's like tutorials online for how to make flogs out of duct tape and electrical tape.
Yeah, but I want to make something cool.
Well, they have like three classes a week down at the leather shop.
Nice.
Yeah.
Get you a hobby.
I guess. I've never been really crafty.
She's crafty. She's just my type.
And then I can help cosplayers who are really like, I want to make cool cosplay stuff.
Then I'll be fucking rich and famous.
With all your Twitter friends.
Yeah, because I know leather working.
I feel like I'm in a video game to get my leatherworking skills up.
I'm going to speck into leatherworking and gathering.
Just go to Ren faires and be like, you want my shit?
And then make a million dollars.
Yeah.
Yeah.
Probably could.
Just like learn how to make journals.
Like, I'll do the book binding and you do the leather and then sell just those like journals and everyone's like, ooh, and then rich.
Somebody who went to a lot of medieval fairs as a teenager, that shit.
That's like half of it.
Yeah.
Is like books that people made and then like.
Cool nice.
Little little things you strap to like your legs to put your shit in.
I'm doing, become a leather worker.
I'm a respect.
I think we covered what happens next.
Was there anything else?
We've covered like everything.
Yeah.
No, I just, one of the, I, I'm really interested in seeing what the long-term impacts on cultural institutions are to come out of this.
Just because there have been plenty of other hacks on libraries, it's not uncommon.
And like I've heard about it in the news and just like from knowing people in different library systems.
So it'll be interesting to see how this one plays out in the long term when it comes to that kind of thing.
Because best case scenario is that it means
that, for one, cybersecurity programs get more budget and a better, more thorough look,
but also that things like digital curation and what types of data are being backed up and
preserved how get a better look at because we have this gigantic use case, basically, of the
British library and what effects it had when it comes to recovery. So there could be good things
to come out of this in the long term. The worst case is that nothing fucking changes and they just
pretend it didn't happen by the time they get all of their systems back up and running,
which is the cheap way. So probably what's going to happen to be a pessimist?
I have a question for you, Sadie. So the BPL has, and like, oh, I guess both BPLs, whoa,
have like internal IT. Like they have their own IT as well as all of the other people who are
creating and storing data, right? But like those like library directors or whatnot, like,
they had the ability to like create these plans and oversee everything, right? But there are maybe
at other public libraries that aren't as well funded or at certain academic libraries where
like they don't have their own IT where that might be outsourced or like, I don't have library
IT.
There's my conservatories IT, which is two people and one of them is remote, right?
And it's just me sending teams messages to them back and forth all day, right?
Or like when I was at a big state institution, like we had library IT and then shit got
reorganized and it got absorbed into main
campus IT. And so this kind of like, you know, I can do my own privacy policies and stuff of like,
this is the kind of data I collect. This is how and when I get rid of it, et cetera, et cetera.
But there's only so much I, and I'm a library director, but there's still only so much I can do
when I don't have IT. So I guess for libraries that like don't have IT or have to outsource it where
there's like where that decentralization means that you don't have that kind of control,
that sort of admin control, like, what do you recommend?
So this one is where things get kind of, like, weirdly tricky.
Because at least for public libraries, and this was a question that Boston Public Library fielded in the webinar of theirs that I watched, is a lot of the time it's going to be a government institution that you turn to when something like this happens.
So at least for public libraries, they can be part of, I think I've mentioned this before on other episodes where we've talked about cybersecurity, MS-ISAC, which is,
like the multi-state infrastructure and something.
They basically,
it's basically government institution that links together like state and local governments
and provides resources for cybersecurity monitoring and response stuff, right?
But they're also government.
So there's a certain amount of like bullshit that you have to put up with to be able to use
these free resources.
They do exist.
I don't know how that would work in an academic space.
I don't know.
Maybe you could start
with like especially like in your situation maybe start with talking to the IT people that you are
in good terms with and just be like hey what's our disaster recovery plan like does the college
one and then you know if you can get your hands on that you can see how it trickles down to
cover library resources and then you can craft policy based off of off of that or at least
be able to tell your users like I can only control this much data this is the data that's out of
my hands, you can, you know, you have, unfortunately have to take your own personal responsibility
when it comes to that, like, data kind of thing. But I would think that it, even without library
IT, the administrative portion of that should fall over your systems. If you get something back
that's like, oh, we don't have, we don't have backups of your catalog, then you need to start
screaming, holy hell, probably at your own boss, not the IT people, because that's an administrative
decision, which is where I think a lot of people go right. So I just yell at myself.
Well, I mean, I'm sure if there's somebody up there, right? There's a dean or something.
But yeah, so that one's more complicated because it's not even necessarily like whether or not
you have IT. It's whether or not the institution that you're part of covers the library in their
disaster planning. Literally every institution that has any sort of public funding should have
a disaster recovery plan or at least a disaster recovery idea. And if they don't, then it needs to be
brought to somebody much higher than your average IT desk workers' attention. Right. So it varies so much
because so many public libraries too fall under like city or county governments. But yeah, so I would
just, I would start with not necessarily a cyber, like cybersecurity or cyber attack angle, but just
say, hey, if my major system that my users use goes down, like gets completely wiped,
how are we going to get that back up and running should be a decent place to start to start gleaning some of this information out of your institution, if that makes sense.
And then from there, you can kind of make more informed decisions if that makes sense.
That was a really long-winded way of saying that.
But did that answer your question, Jay?
Yes, I have put a reminder in my phone literally right now to ask about disaster recovery and also realizing I should make better backups of my catalog.
I mean, I am doing a system migration right now, so I'm downloading
that shit all the time anyway.
Especially if you're doing system
migration.
I mean, we're moving to WMS,
and so they already got all of our holdings records.
So she's like, oh, right, yeah.
That's the perk of WMS,
because it's just OCLC.
They already know.
Nice.
Yeah.
Yeah.
Yeah.
And then from there,
you can start talking about,
like, risk management decisions
and, you know,
cybersecurity like plans and that kind of thing.
But I think, yeah,
just the basic, like,
you know, if our whole building got wiped,
what servers are actually going to be,
prioritized coming back online is like probably the most baseline place to start with gathering that
information. Are there resources that you would recommend for institutions that are maybe wanting to
create or revise or rethink their sort of disaster recovery plans? Not off the top of my head,
but I can dig through my one note of resources and see what I can find. Usually there's plenty of public
plenty of public institutions that you can glean that sort of thing off of even if they don't
exactly match your sort of institution or whatever. So probably actually probably a local
government resource might be might be good. Most of the time they have a disaster management
like department. They might actually, they might be able to help you as well and know what
resources are the most relevant to you guarding state laws and etc. So yeah, I'll see if I
can drum up some links before we release this. Yeah, I'm looking. So the Massachusetts library system
has a lot of great public-facing LibGuides about like planning and strategic planning and
all sorts of other stuff. And here's like, here's guides or how to do this. And I found it very
helpful as a first-time new library director. So I was just seeing if maybe they had
something on here that I could share with folks. I will be going through that. Yeah. Talk to your state
libraries, talk to your local governments. I was just going to say I'm by no means a cybersecurity
expert. This is just what I have gleaned from working IT in a couple of public institutions.
You are a cybersecurity expert. Yell at librarians. Hopefully they listen to you. I could try.
All right. Good night.
