by seagullriffic 915 days ago
Can anyone explain why this happens?

Why would they pay ransomware hackers when they would obviously have backups. Sucks to have data compromised, but presumably it's not lost. And what part of the system was designed to bad practices that this was able to happen? Aren't there lots of UK white-hats who would freely lend their services to help improve the library's infrastructure?

Presumably excluding attacks of this sort isn't arcane or impossible, because other major companies and orgs manage it. Is it secret knowledge, or something?

Surely there's a SOP to just not have this happen.

8 comments

> Aren't there lots of UK white-hats who would freely lend their services to help improve the library's infrastructure?

You mean freely as in for no compensation? This is a massive public body. Do they pay the people who bolt together the shelves the books sit on? I believe they do. Then they should pay the people who audit their security posture too.

> Is it secret knowledge, or something?

Mismanagement and incompetence if you ask me.

> You mean freely as in for no compensation?

I do. The BL is a national institution, and, like the NHS, would attract masses of free labour if they asked for it. There are volunteer developers and data scientists who work for charities in their spare time to help improve society.

Not everyone's so greedy that they must be compensated for every breath they take.

> Not everyone's so greedy that they must be compensated for every breath they take.

It's not that they are greedy. It is that a well-performed job takes time, years and years. It is not a firefighting job you can do in your off hours on a weekend. We wouldn't ask the caretaker to work for free, we wouldn't ask the director to work for free, we wouldn't ask the desk clerks to work for free, so why are we asking IT people to work for free?

Indeed so - though not only of the library. Government in general is limited in pay bands that do not even begin to compare to private industry, so it relies on people who are altruistic if they’re any good.
The amount of skilled altruistic IT professionals is vanishingly tiny.

The amount of not-very-good IT professionals, on the other hand...

> The amount of skilled altruistic IT professionals is vanishingly tiny.

That's completely untrue. The IT industry is full of altruistic individuals, in fact almost the entire open source movement proves you wrong.

What's relatively unusual is this new crop of 'all that matters is TC' types who view the industry as a means to get loaded and who do not, in any way shape or form, embody the hacker ethos and the mentality of putting something out there for the public good because that's just the type of person they are.

The industry has been taken over by utterly despicable greedheads and that's why so much of it has become the way it is, unfortunately.

> What's relatively unusual is this new crop of 'all that matters is TC' types who view the industry as a means to get loaded and who do not, in any way shape or form, embody the hacker ethos and the mentality of putting something out there for the public good because that's just the type of person they are.

I said that people working a job should be compensated fairly. So they have a roof over their head, and don't worry about where their next meal will come, or what will happen with them when they are old. I'm glad that from here you jumped to the conclusion that 'all that matters is TC'.

I really wasn't responding to you personally, sorry if you felt that way. I was more responding to the state of the industry as a whole.
The free-software community is vanishingly tiny; the slightly larger open-source one was built on the principle of not forcing anyone to be as altruistic as them (i.e. made it OK to be less altruistic). In both cases, the overall amount of actual participants is a small niche when counted against the totality of IT professionals. 90% of professionals literally just take.

I've been around since the late 90s and I reckon the greedheads have always been around. The difference is that they used to be easily recognizable by their suits, and now they are not.

I know other institutions have paid ransoms rather than go to backups, because they had never planned for an org-wide restore which would take months to execute.

Turns out there's a huge difference between restoring the occasional system, and restoring everything.

I'm not sure to what extent backup systems are being upgraded to work faster, how easy that even is, or whether it's more cost effective actually to pay the occasional ransom.

> Turns out there's a huge difference between restoring the occasional system, and restoring everything.

And yet it makes sense to regularly test even the "black start" scenario, just like in power grids:

- ransomware isn't the only threat to a datacenter, by far not. Particularly here in Europe, the scenario of an outright nuclear, conventional or EMP attack taking out entire sites is getting back onto the discussion table for disaster preparedness plans, but you also have to account for stuff like fires, water damage, a building collapsing, suicide bombers...

- you keep the employees sharp on their skills in DR

- you uncover where stuff is missing or (under-)documented. If you're a multinational org, it makes sense to have everything documented to a degree that an entire offsite team can just fly in and do everything needed to recover.

- you identify all the various servers that are (sometimes literally) stowed away in a cleaning storage locker but provide crucial services

- you identify bottlenecks that you can use to improve your plans. Basically, stuff like splitting out "cold" data that's rarely required to its own database so you can keep at least a rudimentary version of your service running while restoration is ongoing.

I assume they lost something that's timely, like a transactional DB, where the "backup" would mean accepting the loss of some important transactions.
In general, if your backups are made somewhere that your IT administrators can delete or overwrite, then ransomware operators will destroy or damage your backups before doing anything that would make it obvious that you're being attacked. And if your backups are moved offline, then they can still try to invisibly corrupt these backups and wait a week or two before triggering the ransom encryption.

Many organizations make backups that would protect them from accidental destruction of hardware, but not from malicious acts from someone in your network with a privileged account, and a reasonable chance of a multimillion payout means that the ransom organizations have no qualms spending quite many hours of skilled people in ensuring the victim is more likely to pay.

> but not from malicious acts from someone in your network with a privileged account

I do think it's depressingly much, MUCH harder than it should be to catch it though for normal people. This should be a turnkey thing built into all data software, NAS options like TrueNAS or whatever else, cloud services of course (though I think some now do). Ransomware attacks, by their very nature, are extremely detectable on a technical level. Their access patterns are unique, and of course they fundamentally change the entropy of all the data on the system. This is something a watchdog should just be able to automatically detect and alert, preferably immediately freezing things. With the kind of atomic snapshots available, rollback should be easy. Capabilities can separate snapshot deletion from read/write, raw storage space is quite cheap. Backups should be default pull based with a lot of controls, so that the backup system offers no administrative access over the general network at all. Etc etc. The technical ingredients are there, yet it's still hard to find stuff where someone can just click a checkbox that says "alert on ransomware pattern detection" :(. This should be a very solvable problem, or at least able to be made enormously more challenging to pull off, vs most of the security challenges in tech. It's a shame it hasn't been.
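The entropy-based watchdog the comment above wishes were a checkbox, as an added example that is not part of the thread: it baselines each file's Shannon entropy and raises an alarm when a large share of files is rewritten to ciphertext-like entropy between two snapshots. File contents, thresholds and the `docs/report*.txt` paths are constructed sample data.

```python
"""Added example (not from the thread): an entropy-based ransomware watchdog of
the kind argued for above. It baselines each file's Shannon entropy, then flags
files rewritten to near 8 bits/byte in a later snapshot. Sample data is constructed."""
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def snapshot_entropy(files: dict[str, bytes]) -> dict[str, float]:
    """Per-file entropy for one snapshot (path -> bits/byte)."""
    return {path: shannon_entropy(blob) for path, blob in files.items()}

def detect_mass_encryption(before: dict[str, float], after: dict[str, float],
                           high=7.0, jump=2.0, alarm_ratio=0.3) -> dict:
    """Flag files that went from structured to ciphertext-like entropy.
    Suspicious = new entropy >= `high` AND a rise >= `jump` over the baseline,
    so an always-compressed archive (high, but no jump) is left alone. The
    alarm fires when the suspicious share of baselined files reaches
    `alarm_ratio`; a real watchdog would then freeze writes and pin the last
    good snapshot."""
    suspicious = sorted(p for p, e in after.items()
                        if p in before and e >= high and e - before[p] >= jump)
    ratio = len(suspicious) / max(1, len(before))
    return {"suspicious": suspicious, "ratio": round(ratio, 3),
            "alarm": ratio >= alarm_ratio}

def fake_ciphertext(seed: str, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted output."""
    out, block = b"", seed.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]

# Constructed "before" snapshot: plain text, roughly 4-5 bits/byte.
BEFORE_FILES = {f"docs/report{i}.txt": (f"Quarterly report {i}: revenue, costs, "
                "staffing, notes on the reading rooms. " * 40).encode()
                for i in range(10)}
# Constructed "after" snapshot: 8 of 10 files rewritten with ciphertext-like bytes.
AFTER_FILES = {p: (fake_ciphertext(p) if i < 8 else blob)
               for i, (p, blob) in enumerate(BEFORE_FILES.items())}

def run_watchdog() -> dict:
    """Compare the two constructed snapshots; returns the detection result."""
    return detect_mass_encryption(snapshot_entropy(BEFORE_FILES),
                                  snapshot_entropy(AFTER_FILES))
```

The `jump` check is what keeps a newly copied-in zip or an already-compressed archive from tripping the alarm: only files that were structured in the baseline and became noise-like count.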

I wouldn't necessarily assume they do have backups. At least, not recent backups of 100% of their content/systems.
They have back-ups but they are mostly not digital back-ups.
> Why would they pay ransomware hackers when they would obviously have backups. Sucks to have data compromised, but presumably it's not lost.

It's been more than a month. I think if it was this easy, they would be online by now. They said on their blog they will only begin to restore some functionality in January. A business could consider paying the ransom to avoid two months of downtime. Although in this case they didn't have the option to pay it.

I guess they also expected some free white-hat magic instead of doing the hard org work to have a properly working backup system.
Maybe the attackers encrypted the data, and those encrypted files were backed up, maybe even overwriting older backups?