Ransomware-hit British Library: Too open for business, or not open enough?

The British Library’s showpiece site, in a listed red brick building in St Pancras, is presided over by a large bronze sculpture depicting Isaac Newton poring over a document he’s working with, measuring it with dividers. Based on a print by William Blake, it’s tempting to see it as celebrating the Enlightenment to which the …

  1. Mike 137 Silver badge

    Keep it coming!

    Fascinating article -- not least the historical background. More of the same kind please!

  2. jcday

    IT security

    Money alone isn't sufficient. There are plenty of very rich corporations out there that get hacked regularly. The reason? IT is seen as a cost with no return, IT security doubly so. The cybersecurity incidents are just rare enough for managers to see compromises as merely the cost of doing business. Managers are also very rarely held accountable for successful attacks.

    So, attitude is a big problem, as is accountability. Without these two, nothing is going to change, no matter how much money is invested.

    This is not going to be easy to fix. In the case of public sector services, such as the British Library, it means massive investment is needed now (just as we're entering a new round of austerity), but it also means new laws governing unsecured sites (whether attacked or not) and penalties of sufficient magnitude to get managers to take things seriously (just as we enter the countdown to the next election).

    Because of circumstances, what we'll actually see is reduced funding, worsening security, and an attempt to disavow any responsibility at all. You win elections through tax breaks, not better library services.

    And whoever ends up winning the next election is going to have higher priorities than fixing public service websites, so don't expect drastic changes.

    If the attack that practically shut down the NHS didn't wake us up, attacks on the British Library are unlikely to do more.

    This problem won't be fixed any time soon, and unless the public wake up to the potential consequences, it won't get fixed at all.

    1. Lurko

      Re: IT security

      "just as we're entering a new round of austerity"

      See chart 1 and chart 2 in this:

      https://www.gov.uk/government/statistics/public-spending-statistics-release-november-2023/public-spending-statistics-november-2023

      Government spending is anything but "austere", whether it's on the things you might like it spent on is another matter.

      1. YetAnotherLocksmith Silver badge

        Re: IT security

        Oh no, we all know it is only Austerity for us, not for them.

        Think of it like a company budget - every penny spent on staff, IT security, etc is a penny not available for executive bonuses. (Two pennies, if you leverage against it and borrow hard.)

    2. John H Woods Silver badge

      Re: IT security

      I'm always saying it, but accountants who work in the IT sector should at least have an actuarial bent, if not be actual actuaries. So much of IT cost is about accurately assessing (or at least somewhat accounting for) risk. There is literally no other way to justify a back-up or business continuity system: on the bottom line it just looks like wasted money. And there's no way to properly cost a project without considering risk, either.

  3. Anonymous Coward

    rings a bell

    A few descriptors:

    - demotivated

    - openly disinterested (aka don't give a fuck / I'm only following orders)

    - no clue (whatsofuckingever)

    - when informed they're wrong, they shut down (metaphorically and literally, i.e. ignore further comms)

    - make you understand clearly: you're NOT welcome

    - did I mention 'demotivated'?

    ...

    The above observations have been made by more than one person over the course of the last.... I dunno, say, 15 years. Wonder if it's a reflection of the powers above, i.e. nebulous 'governance level' in BL, or simply goes above, to the usual suspects, i.e. paymasters (current, past, future).

  4. Doctor Syntax Silver badge

    Apart from the personal data is anyone claiming there were secrets to protect? The need for security for the main collection is the integrity of the administration - although if it were to facilitate the theft of some rare book it might go beyond the temporary loss of access - and, where material is digitised, the integrity of the content against both loss and corruption.

    I'm not sure if a desktop would be sufficient to rebuild a copy of the BL.

    HMG needs to put more effort into securing our public systems than farting around trying to pry into citizens' private affairs with the likes of the Online Safety [sic] Act.

    1. david 12 Silver badge

      Apart from the personal data is anyone claiming there were secrets to protect?

      Libraries were onto "privacy" long before anybody else -- perhaps because lending records were the only identifiable records of anything personal that actually existed. Police were asking for lending records, and librarians were objecting, before the internet, before CTV. The only thing similar were (mostly military) establishments with door controls -- and that only told you who'd been in, not what they were reading.

  5. Anonymous Coward

    As it happens, I was a contractor for the British Library many years ago (about 1996), hired to prototype putting one of their more obscure catalogues (manuscripts) on the web. Most of their other catalogues were already accessible via Z39.50, the details of which I've long since forgotten but it was basically WAIS. And I'm fairly sure a general web interface followed not long after I left.

    All a very long time ago now, but the catalogues have always been publicly accessible. Whether that's public with a big-P I don't know - unless you're in the reading rooms the BL doesn't tend to deal with individuals directly, but mostly with other institutions.

    The IT at the time was... well, they had contractors in to fix the mess left by the last contractors. So perhaps a typical government IT project in that sense. I've seen better, I've seen worse.

    However, it remains one of my favourite contracts - my chosen test catalogue entry was a letter from a Pope to one of the Byzantine Emperors. That, and decamping to the Moon and Sixpence on a Friday lunch... good times.

  6. Anonymous Coward

    for anyone to rebuild the Library on their desktop

    this is BLASPHEMY! The core purpose of The Library is to PROTECT and you can ONLY protect when you CONTROL. Decision on whom to grant access remains a SOLE responsibility given by God to the finest, select, group of highly qualified, RESPONSIBLE individuals, not the scum down there, on main plaza, rolling in tik-tok mud!

    1. Throatwarbler Mangrove Silver badge
      Facepalm

      Re: for anyone to rebuild the Library on their desktop

      Jesus, bob (that IS you, isn't it?), maybe think about upping your medication.

      1. Anonymous Coward

        Re: Jesus, bob

        I'm not sure about "Jesus Bob", but maybe it is amanfromBob1? :-)

      2. Anonymous Coward

        Re: for anyone to rebuild the Library on their desktop

        methinks your sarcasm detector is full of eels...

  7. Throatwarbler Mangrove Silver badge
    Trollface

    They deserve it!

    In keeping with previous victim-blaming and -punishing comments on other ransomware attacks, let me be the first to say that the Library deserves what they got for being so inept. In fact, the entire edifice should be literally burned to the ground and everyone who has ever had anything to do with it in any capacity should be driven out of their careers and homes and publicly humiliated to or beyond the brink of suicide!

    1. Anonymous Coward

      Re: They deserve it!

      As the name suggests, it's for people who can read.

  8. Tron Silver badge

    One cheap, simple solution for reducing the impact of this sort of thing.

    The race to digitise has seen stuff that doesn't need to be digitised made easily nickable.

    We are not a police state (quite yet). The Tories have cut the numbers of police too much. So why does an employer need passport scans? It's the BL not MI5. OK if they want to look at passports as part of an interview check do so, but why scan them and hold them (apparently insecurely). Worst case scenario, photocopy them on to paper, and put it in a folder in a locked cupboard in HR.

    Once something is digitised it is inherently less secure. Data is very portable. So don't effing digitise stuff like this if you don't need to. Paper is not evil. Paper works. The BL is proof that paper works quite well.

    Lose the idiot push to digitise absolutely bloody everything into easily liftable pdf or jpg files, and then it won't get nicked by hackers a thousand miles away.

    Plus those who attack public sector services should be taken down as terrorists. What the hell are our governments doing if they can't even do that. Get on with it.

    1. IGotOut Silver badge

      Re: One cheap, simple solution for reducing the impact of this sort of thing.

      Once again to this argument. Look up the Windrush scandal, where the sort of documents you are on about were not digitised, and just stuffed in a bunch of filing cabinets.

      1. rag2

        Re: One cheap, simple solution for reducing the impact of this sort of thing.

        But worse, those documents would appear largely not to have been retained. In the realm of secure information management there are no easy, cheap solutions.

  9. A-nonCoward
    FAIL

    How open?

    I upvoted several of the sarcasms above. Because the BL IT policies are, indeed, part of the reasons why we cannot have any of the good things.

    Years ago, for some research, I needed high quality scans of some materials at the BL. The scans exist, which should not surprise anyone; any decent library owns and uses good equipment (I once offered the University of Texas my tabletop scanner, much better quality than what they made available to the public). Those BL high quality scans were "available", but only through a complicated protocol of a small section at a time. I was able to defeat some of the nonsense with a multiple-screen rig; somehow, the browser sent the "right" signal, so that I could fetch larger areas and do a screen capture. I didn't want to outright "hack".

    We're talking several-hundred-year-old documents, "belonging to Humanity capital H", but supposedly "copyrighted" by the BL. Even Gallica, no friend of the commoner either, lets you get some JP2 if you jump some hoops. Germans and Austrians just let you have the TIFF as a single file. What is BL playing at? Not funny (and don't you tell me that I pay no British taxes. British companies were plundering my country with no excuse for many generations, if we come to account for who owns what and why).

    Vivat Aaron Swartz!

    1. Anonymous Coward

      Re: How open?

      Proper scanners cost money and there's a cost to the process - sorry to contradict you, but you don't put a thousand year old document on a scanjet and hope for the best. I think Beowulf was one of the first manuscripts they digitised and made available online; it was scanned (apparently) with a Metris HMX ST 225. Some details on the process are on their blog.

      Scanned copies of documents are new documents and are therefore copyrighted, as you will know if you do any genealogy - see for example the 1921 census, familysearch.com or anything at scotlandspeople.gov.uk, the latter of which has taken a few hundred pounds off me over the last year or two as a result. So no, I don't like it either but it's not the fault of the BL. Unless you want UK taxes [I see you're not in the UK, let's assume I'm addressing this to someone that is] to fund something that would be pillaged wholesale by google, it has to be that way.

      1. Anonymous Coward

        Re: Proper scanners cost money

        Library of Congress: proper scanner that costs money (around 1M in USD when they bought it a few years back), and they only take off plastic sheets and fire it up, I don't know, maybe once a year, if that. At the same time, they have a normal, A0 scanner that _anybody_ can use for as long as they want to, unless this interferes with somebody else wanting to use it. At zero cost to the user.

        British Library: 150 dpi scan (crappy resolution, crappy colours), at 15 quid + VAT (must have gone up no doubt), or 60 quid + VAT (must have gone up) for a 'good quality scan'. When you pay for the 'good quality scan' and get the (jpg, what else) file a week later (!), you politely point out to them you ordered 600 dpi and you only got 300 dpi (shurely shome mishtake guv?!) and after a long, tedious e-mail exchange they do give you that 600 dpi, only for you to discover it's an upscaled 300 dpi (no, seriously). At which point you start asking the obvious question: are they really that stupid, or are they just so spiteful? Obviously, this merry context only applies when you _don't_ want to use the image on your website, because if you do, oh boy, this falls under the terms of 'worldwide distribution' and incurs a licence. Yearly licence, if I remember vaguely from about 10 years ago, some 160 quid. Plus VAT. Per year. Till universe dies. No, wait, there's more to 'the spirit' - then they proudly add this scan to their digital! collection! which is made up of (solely, I suspect) scans, but only those ordered and paid for by individuals.

        re. Scanned copies of documents are new documents and are therefore copyrighted - you're wrong, they become new documents when substantial (and arguably, creative) changes are made to them, usually those changes are introduced exactly for that purpose, i.e. to claim copyright and restrict further use. And you were charged because they have the information you want and you don't have the information you want, nothing to do with copyright but everything to do with controlling the source. And unless you go to court to prove they are lying (misinforming) you about their scans being copyrighted - they can claim whatever they want.

        2015 quote:

        "Copyright can only subsist in subject matter that is original in the sense that it is the author's own 'intellectual creation'. Given this criterion, it seems unlikely that what is merely a retouched, digitised image of an older work can be considered as 'original'."

        - why has it not been reflected in legal changes? Because it costs a lot of money to go to court to challenge each copyright claim and little people don't have that money or time to challenge, in course, every single such claim, and it takes years. On the other hand, there's less than zero interest in the 'system' (the state and institutions) to clarify the legal status, because muddy waters let them keep charging _high_ reproduction fees. Sure, it's peanuts in comparison with their budget, but every little helps, particularly as state (tax) funding is _never_ enough, regardless of how low or high (yes, it's usually scandalously low).

    2. Ken Moorhouse Silver badge

      Re: How open?

      I used to have a British Library Reader ticket. You have to give good reasons why you need it in the first place, which is a bit intimidating for casual researchers, such as myself. I did however have a very interesting meeting with one of the curators and his assistant (at their request!) which yielded a wealth of material, which ironically turned out to be easier to access from other sources. ISTR this is a question that appears on the application form: Is the material you want to peruse available more readily from other sources? Er? I don't know as the BL is surely a good starting point? It's the reason it's there, isn't it? Research is a painfully slow process and requires infinite patience because you have to order up the material you want and come down the following day to find out if it is useful or not. To get the best of it needs the kind of support I got, but who is brave enough to go through the hoops on a whim? But that is the situation the curators appear to try to engender, but they are painfully under-resourced. Google is supposedly your friend, but with the advent of AI I'm beginning to think that casual research is going to yield fake results unless you are going to use bl.uk as your homepage. In these magic mushroom days, you've got to go to the primary source, which is held at the BL. Incidentally, during my meeting, they did some searches on-line for me. The search engine they used? Alta Vista. Ok, this was many years ago, but google's strangle-hold on search was as prevalent then, as now.

  10. fg_swe Bronze badge

    Dangerous Development

    How long will "average" people trust us "computer wizards", if this kind of cr4p keeps repeating?

    1. Anonymous Coward

      Re: Dangerous Development

      "Average" people already do not trust us "computer wizards" - they are the project managers which cut deadlines and throw out the security phase of the project, which was probably the last phase anyway and tacked on only so they could say it was there. This is the result.

  11. fg_swe Bronze badge

    Change Of Mind Required

    There must be a very serious discussion in the applied computer science sphere about this kind of issue. Security must be the topmost priority and "the latest hot craze" (such as running everything on a hugely complex (read: questionable security) JavaScript VM) must be questioned.

    We must question the use of C and C++, as 70% of CVE exploits could be neutered by Memory Safe Languages.

    Projects such as seL4 and CompCert should be considered the ideal to be emulated in things such as web servers and databases. RDBMS servers especially have a history of being extremely insecure. Pushing out a new release and improving benchmarks was long considered imperative. Security was an afterthought.

    The KISS principle should be employed wherever possible, as only simplicity makes certain security proofs possible.

    Convoluted and highly insecure stuff such as OpenSSL should be questioned at the concept level. Do we really need these complex hairballs?

    Best practices such as formal scanners, parsers, regex checking should be written.
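    The memory-safety and "formal parsers" points above are easier to see on concrete code. The following is an added example, not code from the commenter, The Register, or the British Library: a hypothetical length-prefixed record format (constructed for this example) parsed once by trusting the length byte, as an unchecked C parser does, and once with every read and write bounded before it happens. The sample records are constructed inline; nothing here talks to a real system.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical wire format (constructed for this example):
 *   byte 0     : payload length N (attacker-controlled)
 *   bytes 1..N : payload
 * A well-formed record therefore occupies exactly 1 + N bytes. */

#define MAX_PAYLOAD 16

/* Defective pattern: trusts the length byte. If N exceeds the bytes actually
 * received, memcpy reads past the input; if N exceeds the destination size,
 * it writes past `out`. This is the bug class a memory-safe language rejects
 * at compile time or run time. Kept only for comparison; it is exercised
 * below solely on a record known to be well-formed. */
size_t parse_unchecked(const uint8_t *rec, uint8_t *out)
{
    size_t n = rec[0];
    memcpy(out, rec + 1, n);
    return n;
}

/* Hardened parser: validates the length against both the bytes received and
 * the destination capacity before copying. Returns the payload length, or -1
 * for a malformed record. */
int parse_checked(const uint8_t *rec, size_t rec_len,
                  uint8_t *out, size_t out_cap)
{
    if (rec == NULL || out == NULL) return -1;
    if (rec_len < 1) return -1;          /* no length byte at all */
    size_t n = rec[0];
    if (n > rec_len - 1) return -1;      /* claims more bytes than were received */
    if (n > out_cap) return -1;          /* would overflow the destination */
    memcpy(out, rec + 1, n);
    return (int)n;
}

/* Constructed sample records. */
static const uint8_t GOOD[]      = { 5, 'h', 'e', 'l', 'l', 'o' };  /* 6 bytes, consistent */
static const uint8_t TRUNCATED[] = { 200, 'h', 'e', 'l', 'l', 'o' }; /* claims 200, carries 5 */
static const uint8_t OVERSIZED[21] = { 20 };                        /* consistent, but 20 > MAX_PAYLOAD */

/* 1 if the checked parser accepts GOOD and yields "hello", else 0. */
int demo_accepts_good(void)
{
    uint8_t out[MAX_PAYLOAD];
    int n = parse_checked(GOOD, sizeof GOOD, out, sizeof out);
    return n == 5 && memcmp(out, "hello", 5) == 0;
}

/* 1 if the checked parser rejects a record whose length field exceeds the input. */
int demo_rejects_truncated(void)
{
    uint8_t out[MAX_PAYLOAD];
    return parse_checked(TRUNCATED, sizeof TRUNCATED, out, sizeof out) == -1;
}

/* 1 if the checked parser rejects a record that would overflow the destination. */
int demo_rejects_oversized(void)
{
    uint8_t out[MAX_PAYLOAD];
    return parse_checked(OVERSIZED, sizeof OVERSIZED, out, sizeof out) == -1;
}

/* On a well-formed record the two parsers agree; the difference is only what
 * happens on malformed input, which the unchecked one is never fed here. */
int demo_unchecked_matches_on_good(void)
{
    uint8_t out[MAX_PAYLOAD];
    return parse_unchecked(GOOD, out) == 5 && memcmp(out, "hello", 5) == 0;
}

int main(void)
{
    printf("checked accepts good record:       %d\n", demo_accepts_good());
    printf("checked rejects truncated record:  %d\n", demo_rejects_truncated());
    printf("checked rejects oversized record:  %d\n", demo_rejects_oversized());
    printf("unchecked agrees on good record:   %d\n", demo_unchecked_matches_on_good());
    return 0;
}
```

    The two rejected records are exactly the inputs a fuzzer or a hostile client would send first; the checked parser turns both into an error return rather than an out-of-bounds access, which is the property that a memory-safe language or a verified parser gives you by construction rather than by discipline.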

  12. pc-fluesterer.info
    Linux

    "let the barbarians in through the gate"

    The name of the founder of Microsoft was "Gates", not "gate", wasn't it?
