Ransomware Infects All St Louis Public Library Computers

An anonymous reader quotes a report from The Guardian: Libraries in St Louis have been bought to a standstill after computers in all the city's libraries were infected with ransomware, a particularly virulent form of computer virus used to extort money from victims. Hackers are demanding $35,000 (£28,000) to restore the system after the cyberattack, which affected 700 computers across the Missouri city's 16 public libraries. The hackers demanded the money in electronic currency bitcoin, but, as CNN reports, the authority has refused to pay for a code that would unlock the machines. As a result, the library authority has said it will wipe its entire computer system and rebuild it from scratch, a solution that may take weeks. On Friday, St Louis public library announced it had managed to regain control of its servers, with tech staff continuing to work to restore borrowing services. The 16 libraries have all remained open, but computers continue to be off limits to the public. Spokeswoman Jen Hatton told CNN that the attack had hit the city's schoolchildren and its poor worst, as many do not have access to the internet at home. "For many [...] we're their only access to the internet," she said. "Some of them have a smartphone, but they don't have a data plan. They come in and use the wifi." As well as causing the loans system to seize up, preventing borrowers from checking out or returning books, the attack froze all computers, leaving no one able to access the four million items that should be available through the service. The system is believed to have been infected through a centralized computer server, and staff emails have also been frozen by the virus. The FBI has been called in to investigate.

Why do people keep using Windows?

After two decades of this crap, you'd think they would learn.

Re: Why do people keep using Windows?

Microsoft has always been about marketing instead of tech so uninformed users don't know about better solutions.

Re: Why do people keep using Windows?

People that get paid per hour love Windows.

Re: Why do people keep using Windows?

[TWX]

That's not really it at all.

Decision-makers at the top of organizations love Windows. They love Microsoft. They love all of the pretty graphs and charts and menus that make it look easy to administer a system or network. The problem is, they often start to think that they actually know how to do just that once they've been through the marketing experience meetings where the people from the vendor with a lot of knowledge make it look so simple, or else they hire people that do a very convincing job of sounding like they know what they're doing but don't. Worst, those people (either the bosses or the ignorant hirees) may be convinced that they know what they're doing far beyond reality.

Now, I will give it this much, sometimes the GUI tools can be useful. It's much easier to plot how network traffic is being passed among multiple interfaces to the WAN or to the ISP across multiple NAT firewalls with a GUI graph than it is on a text console. On the other hand, actually figuring out what's going on is often a function of the console, rather than of the GUI.

Re: Why do people keep using Windows?

Considering how many times I get paid to fix the same computer, yes.

Re: Why do people keep using Windows?

I know my customers pay me more to fix Windows than they paid for the computer, so yes. A cheap Dell desktop is only about $500, but my customers pay me much more than that to just keep Windows running. That is why I love Microsoft and the fact that they refuse to fix their problems.

Re:Why do people keep using Windows?

Ten reasons why Windows is in use:

1: AD and GPOs. Yes, CM tools like Puppet and Chef have come far, but nobody out there has as scalable and delegatable a solution as Microsoft's, especially managing desktops with all kinds of regulations and laws. The tools to image, provision, maintain, update, and secure Windows are very common.

2: Experience. You can grab a Windows guy almost anywhere. I can call Tata, Agillion, or Infosys, and have MCSEs by the company sent in to solve issues, be it an AD schema failure, best practices, reigning in things, and so on. If I don't want to bother hiring a Windows admin, there are always top notch MSPs out there like HPe which can handle everything else, be it password resets, onboarding, offboarding, SCCM updates, etc. It is far cheaper to license Windows than to hunt down UNIX admins.

3: Easy auditing. Lots of tools to help with getting the mounts TPM reports to the auditors.

4: It is a moving target. Yes, it gets nailed often... but it is because 99% of the world uses it. The time it takes to make ransomware for Macs or Linux is nowhere near worth the reward for Windows.

Re: Why do people keep using Windows?

This. Microsoft will always be about allowing malware. Since they allowed Word documents to corrupt the MBR, we've all known they don't give a damn about security.

Re:Why do people keep using Windows?

How does not running Windows protect against attacks such as the Morris Worm?

Also, how does not running Windows protect against a dedicated attacker that probably already has a backdoor on major servers?

Re: Why do people keep using Windows?

Opening a Word document, or any other Office document, shouldn't put your master boot record at risk, so that was just ridiculous of Microsoft.

Re: Why do people keep using Windows?

Why shouldn't we when it pays for most of our pay?

Re: Why do people keep using Windows?

We've found at my company that less than 1% of Word documents from external customers ruin your MBR, so upper management hasn't blocked Word documents for that reason. We can always spend the three+ hours it takes to reinstall Windows after receiving a bad Word document.

Re: Why do people keep using Windows?

Overwritten master boot records is just the cost of doing business.

Re: Why do people keep using Windows?

My company disagrees. Word features are more important than protecting our master boot records.

Re: Why do people keep using Windows?

Badly? After two decades of this crap, you'd think they would learn.

Re: Why do people keep using Windows?

[Nkwe]

Opening a Word document, or any other Office document, shouldn't put your master boot record at risk, so that was just ridiculous of Microsoft.

It doesn't, not unless you grant administrative (root) privileges to users.

Re: Why do people keep using Windows?

[dbIII]

That's a good point. MS Windows for all it's shortcomings in a system like this (it's 2017 - just use a web server as your library database front end and then whatever you want on the desktops) can be kept running or restored to bare metal if it's treated seriously instead of as a magic thing that always keeps going.
However being prepared costs time and some resources so it looks like it was ignored.

Re: Why do people keep using Windows?

[freeze128]

Because many companies require the use of specialized software that ONLY runs on Windows. Look at any industry, and you will find that software. The only companies that can do without windows are the ones that only use web browsers and email.

Re:Why do people keep using Windows?

How does not running Windows protect against attacks such as the Morris Worm?

Also, how does not running Windows protect against a dedicated attacker that probably already has a backdoor on major servers?

When was the last time computers were infected by the Morris Worm?

Re: Why do people keep using Windows?

[pete6677]

LOL, block Word documents. That would be fun to explain to your userbase, and management.

Re: Why do people keep using Windows?

[buss_error]

I used to run an OPAC. I kept the front end on a IBM-RS6000 H70, the database on a H-80, and proxies and workers on a HMC with various flavors of hardware.

It served +100 different libraries, and had a unique holdings over 10 million (that means not counting the same holding twice if you had 2 copies (or more) of it.)

Transaction Backups happened every hour and were written to WORM media.
Databases were backed up with transaction logs every 4 hours to mag tape then ejected until needed.
Complete backups were done once a week by quescesing the database, breaking the RAID 5 + 0, backing up the cold DB while restarting the hot DB. Once the cold backup was complete, the RAID was hot re-synced to the online set.

Disaster recovery was using the cold backup tape (which was a full boot tape, one of the reasons I _like_ RS6000's is you can boot from a backup), then re-running the transaction until it was all current.

Circulation systems did not have RW disks, they booted from a Linux live CD with the OPAC already open.

The run-of-the-mill systems for patrons ran windows. I didn't worry about those as I only ran the Unix/AIX/Linux side but they had image deployment systems. A tech could reimage a machine in under 2 minutes, and I guess they could have remote commanded a re-image, since they did every year anyway.

The system was since pulled down and converted to SaaS with an outside vendor. Seems they didn't want to pay for people and licenses.

And thus it is written - why Microsoft? Because it's cheap and easy to find some stumble bum that can pretend to run your shit. He might even keep it going - at least until it all falls down.

Re: Why do people keep using Windows?

[tepples]

For one thing, even without administrative access to a computer, ransomware with full access to an employee's user account can do a lot of damage. For another, administrative access might be the result of a cost-benefit analysis that concluded that avoiding the cost of paying employees to sit and produce no value for the company while waiting for the IT department to complete a review of each application or device driver that each employee requires to do his or her job outweighs the risk of being the next ransomware victim.

Re: Why do people keep using Windows?

[tepples]

Why do these companies continue to pay Microsoft for Windows licenses rather than paying CodeWeavers to improve Wine to the point where it can run the same applications?

Re: Why do people keep using Windows?

Because they need something that works now, not ten years from now, maybe, if you wish real hard?

Re: Why do people keep using Windows?

[TWX]

When I was a kid growing up, the school district used Follett MS-DOS based software. The IBM PS/2 Model 95 server was both an application server and a fileserver and ran Novell 3.12, and the clients were IBM PS/2 Model 25s, 286 PCs with no local storage, which were booted to MS-DOS 5.0 with Microsoft Client for Networks DOS client, which would boot from floppies that the librarians would use each morning, mount the share read-only to open the application, then the application would connect over IPX/SPX to the Novell server to transact. The only problem was that if a client PC was messed up the librarians had problems getting that client PC to come back up. As a high school student I figured out that each boot floppy was personalized, so if one attempted to boot a client with a floppy that had booted a machine already running it would cause a conflict (something like the Novell equivalent of a hostname) so it was simple, I wrote a number on the side of each client PC, and a matching number on each of the floppy diskettes, and the librarians would only use that disk for that PC.

That system worked pretty well for a long time. Then the district IT department replaced that PS/2 server with an NT box, left it broken for almost three months during the school year, and only fixed it when I as a student threatened to fix it. They went to complain to the school administration and were told that I would have that administration's permission to do just that if they couldn't. It was fixed a week later.

Re: Why do people keep using Windows?

There is indeed a malware which is just a VBScript embedded into MS Word, then strings together MS Office vulnerabilities to gain root/administrative access. Mostly coming from China, it was a popular phishing attack. I think it was called Daikon or something, I can't remember correctly. The best solution could be using alternative softwares which can open MS Word, like OpenOffice or LibreOffice which won't recognize those vulnerabilities in Office.

Re: Why do people keep using Windows?

[TechyImmigrant]

LOL, block Word documents. That would be fun to explain to your userbase, and management.

I'm doing fine with Latex thank you very much.

Re: Why do people keep using Windows?

[TechyImmigrant]

Opening a Word document, or any other Office document, shouldn't put your master boot record at risk, so that was just ridiculous of Microsoft.

It doesn't, not unless you grant administrative (root) privileges to users.

Because privilege escalation vulnerabilities don't exist?

Re: Why do people keep using Windows?

[TechyImmigrant]

Overwritten master boot records is just the cost of doing business.

A smart system would have three master boot records and the bios would find the first good one.

Re: Why do people keep using Windows?

[TechyImmigrant]

Because many companies require the use of specialized software that ONLY runs on Windows. Look at any industry, and you will find that software. The only companies that can do without windows are the ones that only use web browsers and email.

My industry (chip design and manufacture) runs pretty much with specialized software that only runs on Linux. You can ask for a windows version, but the sales guy would look at you funny.

Re: Why do people keep using Windows?

[Altrag]

make it look easy to administer a system or network

Sounds good up until that point. Decision makers at the top of organizations don't give a rats ass how easy something is to administer -- they hire people to do that for them.

They just want something that works. And they know they can pay somebody to fix it when it doesn't work. Yes, they "paying" part is important! These are people whose entire lives revolve around money and they intrinsically don't trust anything that's free.

And then there's the fragmentation issue. Should they use Redhat or Suse or Yellowdog (wait what?) or Ubuntu or Kubuntu? What's the difference? Explained in phrasing that makes sense to somebody with a degree in Political Science?

Then do you use OpenOffice or LibreOffice or StarOffice? Wait do we still like StarOffice? Why or why not? Will we still like LibreOffice in 3 years? If I pick OpenOffice and I send a doc file to my lawyer, will he see it properly when he loads it up in Word? Or will it have those slight font and margin differences that add up to a completely screwed up layout over the course of an entire document? Will it have them next year when Microsoft releases Office 730? Who do you call to yell at when it doesn't work right? Who do you pay to fix it?

Sure the FOSS crowd can tout their technological superiority and make untested (though likely true) claims of better software security, but they fail horrifically in any sort of business benefits when you get high enough up the org chart that you're dissociated from the technical aspects (and even somewhat from the licensing cost aspects) and are more concerned with the bigger questions of how your business will benefit (even if many of the answers you get from marketroids are misleading or outright false.)

Re: Why do people keep using Windows?

[TuringTest]

And then there's the fragmentation issue. Should they use Redhat or Suse or Yellowdog (wait what?) or Ubuntu or Kubuntu? What's the difference? Explained in phrasing that makes sense to somebody with a degree in Political Science?

That part should be easy to explain to those types. "Those are several vendors competing for the same market, so if things go wrong you can switch between them without having to completely retrain your tech people. If you start having problems with Windows too bad - Microsoft is the only provider".

Re: Why do people keep using Windows?

"several vendors competing for the same market"
But these vendors are introducing changes within their own distributions that do not cross over to work in other distributions. The major vendors all try to make their distribution slightly better than any of their competitors. And pick the wrong distribution and you may find the people developing and supporting that particular distribution stop working on or supporting it as they move onto some else. And the malware writers don't waste time on exploiting systems that have a very tiny minority of users. If you are going to spend the time to create your malware you will want to make sure you are in a target rich environment. It is foolish in the extreme to think Linux is any more secure than MS when the user base and number of applications grow. The state intelligence agencies around the world have little trouble owning all the web servers running Linux and Apache or MS and IIS. Android and it's derivatives is so full of holes that the worlds largest botnet is just waiting to be activated and exploited. Just think about how many users download their cool apps and never think twice about granting that app access to every service on the phone. It makes using Windows to access the Internet without any type of basic firewall while signed on as an administrator look like a good idea.

Re:Why do people keep using Windows?

[gsslay]

And this would never happen with other operating systems?

Randomware usually spreads either through fooling the user, and/or by exploiting flaws in their security. Are you saying that other operating systems do not have users who can be fooled and never have security flaws?

Re: Why do people keep using Windows?

The problem is that I don't have admin rights but I do have write access to all of the company doc storage. So if my account gets infected that didn't help very much.

Re: Why do people keep using Windows?

Good thing hackers are too dumb to write 3 sectors instead of just 1.

Re: Why do people keep using Windows?

Probably because they need to run apps now, not at some indeterminate time in the future when CodeWeavers might or might not "improve Wine to the point where it can run the same applications."

Re: Why do people keep using Windows?

[TechyImmigrant]

They would have to work 3 times as hard.

Re:Why do people keep using Windows?

[The-Ixian]

I want to know who decided to put the PUBLIC TERMINALS on the same network as the administrative computers. Not only that, but malware like this needs write access to network shares. So not only were ALL computers on the same network, the public terminals utilized user accounts that had write access to the same network shares as the administrative computers... unbelievable...

Re: Why do people keep using Windows?

I hear using Latex can prevent all sorts of nasty viruses.

Re:Why do people keep using Windows?

You can grab a Windows guy almost anywhere.

Indeed, and you'll end up with a system that can (thus, will) be infected by ransomware and other malware.

Re: Why do people keep using Windows?

[TWX]

Sounds good up until that point. Decision makers at the top of organizations don't give a rats ass how easy something is to administer -- they hire people to do that for them.

This has not been my experience. In my experience the top brass are wined and dined by the vendors and shown demos, and in-turn those top-brass seek to take credit for their amazing decisions to use this wonderful product that they've been shown. They simply expect it to work as-advertised and for the staff to make it so, whether or not that's practical or not or if it's even a good fit for the environment.

Re: Why do people keep using Windows?

[TechyImmigrant]

What you see is what you deserve

Re: Why do people keep using Windows?

[Altrag]

That's a justification, not an explanation. That tells me that different Linux distros exist, but I already know that. What I want to know is why I should pick one distro over another? What are the benefits and down sides of each? Does it even matter? And if not, why is there so many distros in the first place?

If you go to buy a laptop at your local Best Buy for example, they have a breakdown of all of the important numbers as well as a price tag. That gives you three entire sets of reasoning a person could use when choosing a laptop:
a) Most basic level is price: The higher the price, the higher the quality and/or specs (give or take a branding fee of course. Cough Apple.)

b) Next level: Other numbers. Just assuming higher is better. You'll note that few people put hard drive access times in big font, even for boxed individual drives. Those numbers are probably on the box somewhere but the big bold font is given to the RPM -- because its an easy "bigger is better" metric while still giving some useful indication of access speed.

c) Top level: Actually knowing what those other numbers mean. Not too many people need to deal with this level even if they can, but its available if they want it. If you know you're never going to use this laptop for your video collection for example, you may choose to opt out of the extra tb of hard drive space in order to save money or to get more memory for the same money. Or knowing whether a 500gb SSD is better or worse for your particular usage needs than a 2tb HDD.

Most products in a competitive market have something similar (even in situations where the numbers are kind of meaningless) just so that people who don't have the domain knowledge can still get some judgement as to what they're buying and how it stacks up to the competition. Linux distros just don't have that.

The only measures of any specific Linux distro seems to be "what I'm used to" or "what the cool kids use." And if you're going to use those measures then "Windows" or "Mac" are easier answers for most non-technical people without the whole "what's the difference" confusion.

Basically, one of Linux' main strengths from a FOSS perspective (the ability to freely fork) becomes a bit of a weakness when viewed from a business perspective (brand dilution and lack of obvious distinguishing features between distros.)

Re: Why do people keep using Windows?

[LinuxIsGarbage]

LOL, block Word documents. That would be fun to explain to your userbase, and management.

Thankfully in the intervening decades Microsoft put more effort to discourage and disallow active (Macro) content, to the point of having a seperate extension that could be blocked (.xlsm), and distrusting internet sourced files.

My favorite Microsoft security feature was when these HTML tags:
<img src="con">
<img src="com1">
<img src="nul">

Would cause a BSOD on Win 9x. Good times were had posting to forums with linked images. Same era as pinging people on IRC with the payload "+++ATH0"

Re: Why do people keep using Windows?

Deep Freeze is a good solution for Windows hosts, you set everything up the way you want it and then freeze the Windows partition. You can save stuff, install stuff, do whatever you want, but anything new since that "frozen" state gets nuked on reboot. What I'd use on public machines that don't need more than just Web access (For that, I'd just use Firefox in kiosk mode under Linux, running off a CD/DVD or internal USB under a restricted account, password protect the bootloader and the BIOS so someone can't boot it from their own media, in addition to having the public-facing machines on their own VLAN with a firewall between that VLAN and the rest of the network.

Just Roll Back to Snapshot...

Just boot into snapshot and roll it back... oh wait. STL is probably too cheap to pay for snapshot managers for public terminals...

Re:Just Roll Back to Snapshot...

[TWX]

Why would you bother? If you're maintaining your images properly then you probably have a fresher, more up-to-date image for that particular model PC than what's on it anyway, so if you're going to spend so much time rolling-back you may as well instead deploy fresh. These are public terminals, by and large, user data on the local disk shouldn't be a factor at all.

Even for those users who have their own PC for themselves, if you're providing network storage and if the use of that network storage has been your corporate policy, then content lost on the local disk is their problem, not yours. Obviously try to be polite but don't commit to restoring data that was not properly saved.

Re:Just Roll Back to Snapshot...

[PCM2]

These are public terminals, by and large, user data on the local disk shouldn't be a factor at all.

From TFA, it affected their servers as well. The system that allows patrons to borrow books and other items went down. So did access to all of the thousands of digital items the libraries offer. Re-imaging the public PCs should be simple enough, but restoring access might be hard if the systems that connect the libraries to the internet are down (gateways, firewalls, DHCP and DNS servers, etc)

Re:Just Roll Back to Snapshot...

[TWX]

I suppose. That's definitely thinking as to why I don't have every system that I use joined to the domain and why I have non-Windows machines that I can work from both as workstations and as servers, and why those that are servers are real physical boxes instead of hypervisors or some other form of VM...

Re:Just Roll Back to Snapshot...

[DigiShaman]

I work for an MSP, so dealing with Ransomware is what I do 99% of the time anyone gets infected. It's all the hotness in infections. Typically comes from drive-by infected adds, bogus browser and flash update, and e-mail attachments. The scope of infection is limited to user access. So, without local admin access, typically only the local profile gets infected, and the data they have access too via mapped drives. With local admin access, the box is hosed. IF the numbnut sys-admins granted domain user access to the Domain Administrators security group (network God mode effectively), it will hose any and all computers and servers it can find. And yes, dumb fucking admins will do that because they're too fucking lazy to be answering requests for software installation and/or securing the network. BAD IDEA!!!!

Just FYI, as a Windows system administrator, not even I have my primary login assigned Domain Admin membership. If I need to login with a Domain Admin account, I have a separate AD account used for utilitarian reasons. If I fuckup and click on something I shouldn't, at least its my ass and not bringing down the entire network (though I know better, honestly).

BTW, Veeam is a badass backup solution!!

Backups?

Probably not.

Re: Backups?

It sounds like they do have backups. Despite the security breach, someone there knew what they were doing well enough that private information wasn't compromised and backups do exist.

Source: http://www.welivesecurity.com/2017/01/20/ransomware-attack-hits-st-louis-public-library/

While they need to completely restore all the computers from scratch, I applaud them for having backups, ensuring that private information about their patrons, and refusing to pay the criminals. Good for St. Louis.

Re: Backups?

[The-Ixian]

Apparently they weren't competent enough to separate public terminals from the rest of the network though... There is just no reason that 16,000 computers should be affected by a single bit of malware. That is poor network design imo.

Re: Backups?

[The-Ixian]

Yeah, not sure where I got the 16,000 number from. Even still, my comment stands. Just substitute 16,000 with the actual number of 700.

Reading between the lines...

[grasshoppa]

...sounds like they have valid backups, so this should be considered a "success" story more than anything else.

Still, I do wonder if the admins were practicing valid security, how anything could have infected the entire system.

Re:Reading between the lines...

[Rick+Schumann]

Being a public library, it's not like they have to have backups for every single computer either. Most if not all of their workstations, including especially the ones intended for public access, would just be paved over with a standard image, and pretty much also for employee workstations. Only their server(s) would really be affected, right? So long as they have backup(s) they'd be fine.

Re:Reading between the lines...

My bet is they are well accustomed to re-imaging the public facing computers.

Re:Reading between the lines...

[grasshoppa]

Yup, that's what I'm thinking.

Just seems all too often with these ransomware stories we read how organizations have lost all their data and have to pay in order to restore it. It's good to see one where that didn't happen.

Re:Reading between the lines...

Does it take days or weeks to restore? Shouldn't it be faster than that?

Re: Reading between the lines...

With random people going to random sites that should be automatic. Have them boot from a read only network drive and the local drive formatted every boot. Reboot after each user.

Re:Reading between the lines...

Many libraries are struggling financially. This is no surprise.

I'm glad whenever someone doesn't pay ransom, and hope this doesn't hurt them too much. Perhaps this will have some nearby tech company volunteer to help them out.

Re:Reading between the lines...

[gravewax]

If it is just workstations then yeah it should be a lot faster, however it has probably affected servers and hence they need to recover data from backups which tends to take considerably longer than just blatted a workstation with a new image.

Good for St. Louis

As a St. Louisan, I'm glad they're not paying. It sounds like there are some serious issues while they restore their systems, but it sounds like they do have backups. It will take awhile to clean up the mess, but I applaud them for not giving in to the criminals responsible for this. Although many articles aren't clear about this, the library did have backups to restore from, so despite the security breach, someone knew what they were doing well enough to avoid paying the ransom demands. Good for St. Louis not giving into these demands.

Re:Good for St. Louis

I agree. I'm a STL city resident as well and I'm proud they said fuck you to that scum. As an IT pro in the area, I'm sure I could armchair quarterback their security, systems, staff, etc., like a lot of other people. But shit does happen, especially in non-profits where IT isn't always funded as well as it should be.

Kudos to their staff and administration for not bowing down and paying the ransom.

Public libraries...

Where the hobos beat off to Internet porn and illegal aliens drop off their anchor babies.

Make America Great Again

Deport all H1-B indo-chimp STREET SHITTERS.

Give American IT jobs back to Americans!

Fuck all you libtard SJWs

8====D~~~ ~. -1 THAT cock suckers!

think of the hobos

What will the library dwelling hobos do to occupy their time without computers? Masturbate in the washrooms? It's already filthy enough in there. I hope someone is planning on paying overtime for janitorial service.

HOAX ALERT, FAUX ALERT!

[Hognoxious]

Come on, you clowns. Apply some critical thinking.

St Louis ... libraries. Pull the other one, it plays a tune.

Re:HOAX ALERT, FAUX ALERT!

You're aware St. Louis is full of white people, right? Oh, who am I kidding. You aren't aware of anything, which is why you're a fucking racist.

Re:HOAX ALERT, FAUX ALERT!

[rtb61]

In this case it is the authorities who are the clowns, acting too little and too late to do anything worthwhile. A investigatory flying squad https://en.wikipedia.org/wiki/..., should be the first ones on the scene as soon as it is reported. This to gather evidence for proper investigation. This requires additional effort, as you can not just strip the victim of the core computer hardware but must provide a temporary stop gap and get it up and running, whilst the infected machines are properly analysed or even honey trapped. Real focus needs to be taken to tackle high end organised computer crime whether it be criminals or foreign agents (in reality much the same kind of criminal, a lot more exchange goes on there than is allowed, a whole lot more).

Re:HOAX ALERT, FAUX ALERT!

[omnichad]

St. Louis is about 50/50 black and white. But you're the only one who brought up race.

Surely an inadvertent target

[edtice1559]

If they are just machines for public web browsing, there i3s no data to ransom. Just reinitialize them. Firefox works great on Linux BTW and you have a much smaller attack surface.

Re:Surely an inadvertent target

Some third world idiot heard about old timey gilded-edge books and expected a first world public library to be ornamented with gold or something.

Re:Surely an inadvertent target

[techno-vampire]

I'll go one further: have it run off of a Live USB that's mounted inside the box where the users can't get at it and no persistent storage. That way, even they leave personal data behind, it goes away at reboot. Not only that, but if you set it up in kiosk mode, with Firefox opening at boot, they'll never even know they're using Linux.

Re:Surely an inadvertent target

Too complicated. Pxe boot and done.

Re:Surely an inadvertent target

Just reinitialize them.

There are 700 computers to fix. 16 staff members each working 40h/week at the rate of 1 machine/2h will take.... 2.2 weeks.

Re:Surely an inadvertent target

Just reinitialize them.

There are 700 computers to fix. 16 staff members each working 40h/week at the rate of 1 machine/2h will take.... 2.2 weeks.

Meh, you need to basically force it to boot from some kind of other media with a script on it. I could hack something together with linux to restore an identical image to each pc, and there are no doubt packages that make it trivially easy. They shouldn't need 2h a machine. The biggest annoyance is probably dealing with windows product numbers. That might be easier just to update manually. Of course if you created a linux image then it is easier.

It shouldn't be that hard to have the machines load an image automatically by first checking a remote server after boot. You could wait till the OS boots, check for an update via wget, then if it is there, you write the non active partition and then update where grub points. Sure there are details to work out and sometimes you will need manual intervention, but it is all scriptable..

Of course, in practice, find the software that already exists to automate the job and be done with it. No need to roll a custom solution.

Re:Surely an inadvertent target

I'll go one further:

All I wanted to add was one thing:

If you or anyone else reading this has any amount of free time on your hands, Please consider donating your time and computer expertise to your local library, if at all possible!

Most libraries are underfunded in general, let alone have little to no IT budget to speak of.
Government grants and such are usually one time affairs, and are great for purchasing of hardware and such, but not very great at all for paying competent and knowledgeable IT staff on a continuous.

From this particular story it seems clear the St Louis Libraries do have competent and knowledgeable IT staff, please don't mistake me as saying otherwise.
But with the time involved with the repairs they do seem understaffed if nothing else.
Even they could use any help we can afford them.

Other libraries are not as fortunate however, and could benefit that much more from our skills.
A small handful of staff working extremely limited hours due to having to work another job to pay the bills isn't that much of a force to be reckoned with.
But imagine 40 of us donating just 1 hour per week of time, that's pretty much one full time employee saving the public library nearly $100k a year they don't have to spend on a single person.

There are certainly many causes worth our time, and the library system ranks right up there with the best of them.

Re:Surely an inadvertent target

[ancientt]

I've done something like this. I ended up using a CD-R removing the hard drives. The advantage of a CD-R is that it can't be modified easily which removed 99% of the possible ways to mess with the system. (I wouldn't be as confident a USB drive couldn't be modified.) It also makes it easy to test upgrades and deploy them rapidly.

I know it would be possible to do network booting but I've tried it and it was slower and took more effort. For my purposes, I found slax easy to set up, modify and use. I tried out several other distros and justbrowsing seemed better to me. However, after testing it out on regular users, the slax install seemed easier to use and harder to mess up. I think it's because having several options confuses people. (I think that explains Apple's success. As much as I may prefer choice and don't mind learning something new, the average user doesn't want to "have to" make choices.)

If I'd had to expose it to the general public, I would have probably used a little superglue to ensure the CD didn't get pulled out, or just stuck the CD-ROM drive inside behind a cover. Yes a deviant with a pocketknife might still manage to pry open the drive or a geek with a screwdriver might replace something internal or reset the BIOS modification password but I still think it would work better than most kiosk systems I've worked with. It was simple enough that kids and old people almost never complained. (I say "almost" because we didn't connect our kiosk machines to printers. I was aiming for low maintenance and printers are pretty much never low maintenance.)

The one real irritant is that people sometimes wandered onto sites that were "Internet Explorer Only." While I possibly could have overcome some of that with IE emulation in Firefox, I choose instead to just say it was bad site design and that, for security reasons, we wouldn't be providing a kiosk with Internet Explorer. Ever.

If I'd been willing to invest more time, I probably would have built a custom distro with Suse studio. If anybody goes that route, I'd be interested in the results.

Re:Surely an inadvertent target

[Trogre]

Have you people never heard of Clonezilla?

Re:Surely an inadvertent target

[guruevi]

You must be joking, public libraries in the US have some of the largest IT budgets except perhaps public schools. On average libraries spend about 10% of revenue on IT systems vs 2-6% for comparable commercial companies, even small sites like my local libraries will spend $100k/year on a dozen computers.

They do not want 40 different people messing with their system, they'll rather spend $300k/y of a $1M budget to a local IT consulting company sending out the 18yo Cisco Certified Senior Network Systems Engineer Analyst Associate Microsoft Technicians and buy some security thing from the Gartner Magic Security App Store.

Re:Surely an inadvertent target

[FictionPimp]

When I worked at a college we could do 3000 computers in a week and still have time to play quake rocket arena.

Re:Surely an inadvertent target

[eaglesrule]

The advantage of a CD-R is that it can't be modified easily which removed 99% of the possible ways to mess with the system.

That's both an advantage AND a disadvantage. The last thing I want to have to do is have to touch hundreds of machines when there is a systems change. These days, information databases like Follett are accessible through an online portal, and I've had to update the access urls a couple of times now. Making the CD-R tamper proof, which you would need to do, would make it even more of a PITA to deal with.

PXE boot works fine too, but then you're back to maintaining the state of the image. On top of that, they get the silly notion that they should be able to print as well, and everything that entails.

So we use chromebooks and the google management suite. Policies can be set, even cloud printing for those who absolutely have to have it, then it becomes simply a matter of enrollment.

Re:Surely an inadvertent target

[LinuxIsGarbage]

Just reinitialize them.

There are 700 computers to fix. 16 staff members each working 40h/week at the rate of 1 machine/2h will take.... 2.2 weeks.

Meh, you need to basically force it to boot from some kind of other media with a script on it. I could hack something together with linux to restore an identical image to each pc, and there are no doubt packages that make it trivially easy. They shouldn't need 2h a machine. The biggest annoyance is probably dealing with windows product numbers. That might be easier just to update manually. Of course if you created a linux image then it is easier.

It shouldn't be that hard to have the machines load an image automatically by first checking a remote server after boot. You could wait till the OS boots, check for an update via wget, then if it is there, you write the non active partition and then update where grub points. Sure there are details to work out and sometimes you will need manual intervention, but it is all scriptable..

Of course, in practice, find the software that already exists to automate the job and be done with it. No need to roll a custom solution.

Windows volume licence should take care of licencing automatically (deployed image will find the KMS). While a machine might take up to 2h to deploy (seems extreme, hopefully no more than 30 min), you can have several machines working away at once. Very little of that time should involve human interaction.

Re:Surely an inadvertent target

[ancientt]

Dang it, you're right. Chromebooks are one of the best options.

Libraries are Homeless shelters

Nobody reads at the library anymore.

I'm Angry

[DaMattster]

It takes a special kind of asshole to attack a library; a place where people go to learn and access the internet. Why go after one of the poorest resources and attack those that have the least to give? Go after the fucking fortune 500 companies but not a fucking library. One only hopes that anonymous could turn the tables on these slimy thieves.

Re:I'm Angry

America is rich country. Is library in America. Filthy homeless people at library are filthy rich. Right comrade??

Re:I'm Angry

[HiThere]

I think you think this was a targeted attack, but personally I really doubt that. I think it was a target of opportunity seized by some automated bot. Which doesn't mean you should think more kindly of those who released it.

Re:I'm Angry

[HornWumpus]

By African standards? Not rich, but doing OK. Not starving.

Re:I'm Angry

[CaptainDork]

It's called, "phishing," for a reason.

Throw enough bait into the water and you might catch a bass.

Of course, you might catch a boot.

Re: I'm Angry

Maybe not starving but still malnourished but excess calories and low nutrition, fast food nation.

Re:I'm Angry

[Stan92057]

never caught a boot but i did catch a a full sized bed mattress loaded with hooks and lures...3 feet from the shore along the Schuylkill river under a bridge kids swam under every day ...me included ..catfish,eels but rarely bass :}

Re:I'm Angry

[Mike+Van+Pelt]

These vermin will go after anyone. I've seen carefully targeted spearphishing attempting to steal from a charity for terminally ill children. Stealing from a library is nothing for these scum.

Re:I'm Angry

So, attack people you don't like, and not people you care about.

Got it. You have an odd moral outlook, but perfect for the internet 24 hour rage machine ethic.

Re:I'm Angry

[JustAnotherOldGuy]

It takes a special kind of asshole to attack a library; a place where people go to learn and access the internet.

^^^^^^^^^^THIS.

-

Why go after one of the poorest resources and attack those that have the least to give?

Because the people that do this are scumbag losers without a shred of self-awareness. Sadly, some people just like to break things and fuck shit up.

Re:I'm Angry

The way the ransomware works, both the victim and the perpetrator can be unknown to one another.

Re:I'm Angry

During a trash cleanup dive in Lake Memphramagog (Quebec/Vermont border area), I once found a kitchen sink. Literally, an old enameled-steel kitchen sink. Thing weighed a ton and was a bitch to get out of the water.

This is why America can't have nice things

[shanen]

Mostly reminds me of my experiences as a volunteer trying to support the public-use computers in the Austin Public Library. That was almost 30 years ago, way before we had anything like network access problems. Basically I wound up just wiping the systems every time I visited and restoring them as well as I could to their "legal" condition. The big problem in those days was just pirated software, especially an expensive CAD package, but the big threats these days are keyloggers intercepting passwords used for email and data stored in the network...

That reminds me of a much more recent fiasco involving Amazon and a public library in Indiana. Someone created a fake Amazon account in my name and validated the email address using some kind of bug in the Android app. Amazon never volunteered any meaningful details, but I'm believing the name and email address were just a dictionary attack. However, this thing went on for a year and a half before Amazon finally stopped it. One aspect of the scam obviously involved borrowing electronic books from a public library. If that was the only thing going on, then I'm only offended by the association of my name with some rather execrable books, but I think there must have been a money trail, too, or it wouldn't have gone on for so long... (Did you know you can escalate to jeff@ when you get desperate enough? At least it seemed to work in my LONG case, though the two-step solution was obvious in my FIRST contact with Amazon's customer so-called service.)

Historical trivia. Always want to close with a constructive suggestion, but it's hard to come up with one... Follow the money and break the criminals' economic models is kind of obvious, isn't it? Easy to say, but hard to do, even if the criminals are just ingenious fools.

Re:This is why America can't have nice things

[PCM2]

The big problem in those days was just pirated software, especially an expensive CAD package, but the big threats these days are keyloggers intercepting passwords used for email and data stored in the network...

Aw, man. I've never had need to use a library terminal for any work other than looking things up in the catalog, so I never gave it much thought. Now I'll never look at one of those public terminals the same way again.

I've used internet cafes in Europe, but even years ago those would be automatically re-imaged after each customer logs out. I don't think the libraries here do anything of the kind. Imagine how many Gmail and Facebook accounts you could gain access to, even if they re-imaged the systems once per day...

So just ban bitcoin

[BarbaraHudson]

It's mostly used for illegal stuff anyway, and we have plenty of ways to transfer money that are traceable. We don't need bitcoin, or any cryptocurrency.

Re: So just ban bitcoin

Why? STL has backups and is restoring from them. That's why they're not paying the criminals. Banning bitcoin won't stop criminals from extorting money. Ruining their business model by having backups and refusing to pay, will be far more effective at stopping the criminals. STL's backups and decision to not pay are exactly what we need more of, to stop ransomware.

Re: So just ban bitcoin

[BarbaraHudson]

Bitcoin will make it harder to collect ransoms - which is the weak part of any blackmail or ransom scheme. That alone will put an end to a lot of those ransom demands - because they can't collect. The clampdown on money exchanges such as Western Union, which takes any old fake ID as proof, no matter how phony it looks, is another step forward.

If you choke off the flow of money, you won't even have to follow the money.

Re: So just ban bitcoin

[Altrag]

Except you can't trace it to any particular exchange. I mean if the criminal withdraws exactly $35000 an hour after the library paid them that amount, then sure it becomes (a bit) easier to track.

But if they withdraw it $100 at a time on a weekly basis or something just to cover their living expenses, or if they withdraw it through a Chinese or Russian bitcoin exchange or the such.. there's little that can be done.

For better or worse, Bitcoin was intentionally designed to be untraceable and while there may be the odd weakness that can be exploited, chances are they're not gaping big loopholes or this would have been a solved problem a few years ago when Bitcoin first became the currency of the underground (well "solved" in the sense that the underground would have stopped using it as soon as the flaws were discovered and we'd be having the same conversation about some new scheme.)

Re:So just ban bitcoin

[JaredOfEuropa]

How exactly would you ban it? You'd have to shut down all BTC exchanges that deal in more or less decent real currencies worldwide. Making it harder for victims (in a particular country) to obtain Bitcoin might make collecting on these schemes harder and thus more unattractive to pull off in the first place, but even that doesn't seem feasible.

By the way, Bitcoin is traceable (by everyone) but anonymous.

Re:So just ban bitcoin

[duke_cheetah2003]

It's mostly used for illegal stuff anyway, and we have plenty of ways to transfer money that are traceable. We don't need bitcoin, or any cryptocurrency.

Mostly illegal? How about almost entirely? Bitcoin has been a boom for criminal enterprises, which in my opinion is the only widespread use case they have presently.

I'm aware some people think having this semi-anonymous, decentralized, ungoverned currency around is somehow cool and/or beneficial, but is it really necessary? And given the fact it's main use is for criminal behavior, do we really need its perceived benefits when it's main use is for crime?

Sadly, the scarcity of Bitcoins which have a perceived value and their decentralized nature makes them very difficult to just 'ban.' Hell, by outlawing them, you probably increase their perceived value.

Like many of the genies we've let out of the bottle in the modern information age, this one is not so easy to put back in.

Re: So just ban bitcoin

[BarbaraHudson]

Banning bitcoin means they have to use other means - traceable means. Making the purchase, trade, or transacting in bitcoin a crime - if the business or individual being asked for ransom can't buy bitcoins, that ends that.

Re:So just ban bitcoin

[BarbaraHudson]

So shut down all the exchanges. Make it illegal to use credit or debit cards or cheques, money orders, etc. to purchase bitcoins. DDoS bitcoin exchanges, or just flood them with fake transaction attempts that never go to completion. Ban bitcoin use in commerce. China won't be happy, because they're the ones controlling the mining of bitcoins, but hey, it's a scam anyway, and an enabler of crime, so screw them.

Re:So just ban bitcoin

[BarbaraHudson]

They're actually pretty centralized - China controls the majority of bitcoin mining.

Re:So just ban bitcoin

[JaredOfEuropa]

Well it might work, but what exactly would be the legal basis to do this?

Re:So just ban bitcoin

trollin trollin trollin, Barbara keeps on trollin!

Re:So just ban bitcoin

There are a lot of cryptocurrencies to ban. Bitcoin is just the most famous.

https://en.wikipedia.org/wiki/List_of_cryptocurrencies

Re: So just ban bitcoin

Doesn't matter to Barbara Hudson now, support for Emperor Trumpentine is absolute and unquestionable, any vicious brutality will be endorsed. Any.

Re: So just ban bitcoin

[Altrag]

I think perhaps your previous post was missing a word:

Bitcoin will make it harder to collect ransoms

Perhaps that was supposed to be "Banning bitcoin"? Which would make a bit more sense grammatically to boot :P. And of course completely negates the meaning and thus my response!

Re:So just ban bitcoin

You say "China" like you mean the country, when you actually mean "China" like Chinese people.

Re: So just ban bitcoin

[BarbaraHudson]

I don't support Trump OR either Clinton (Clinton #1 removed Glass-Steigell, causing the subprime crisis years later by letting banks do stupid things, Clinton #2 - just look at the middle east, Trump - he's no Bernie Sanders, who was the only reasonable candidate - and the fact that he was left of the DINOs - Democrats in Name Only - is a bonus).

So don't be stupid with your lies - anyone can search my history and find your accusations of my supporting Trump are full of shit. You elected him, you get the government you deserve. And you better damn well hope he has a successful presidency, improving the lot of the average American, rather than cutting your nose off to spite your face like a spoiled child who didn't get their way and blames everyone (Russia! Russia!) for your candidate's loss.

Re: So just ban bitcoin

[omnichad]

You mean like gift cards? There are some many ways to anonymize money these days.

Re:So just ban bitcoin

[BarbaraHudson]

No, I mean "China" like the country, not Asians in general. China controls the majority of bitcoin mining. Stop being an ass.

Re: So just ban bitcoin

[BarbaraHudson]

EVERY gift card is traceable to the point of purchase. If you thought otherwise, you're naive as all hell.

Re: So just ban bitcoin

[omnichad]

To the point of purchase (the victim). By the time anything happens after that, it's relatively untraceable.

Re: So just ban bitcoin

I don't support Trump OR either Clinton (Clinton #1 removed Glass-Steigell, causing the subprime crisis years later by letting banks do stupid things, Clinton #2 - just look at the middle east, Trump - he's no Bernie Sanders, who was the only reasonable candidate - and the fact that he was left of the DINOs - Democrats in Name Only - is a bonus).

There you go again, lying about how Republicans wrote the law known as the Gramm Leach and Bliley Act:

Respective versions of the Financial Services Act were introduced in the U.S. Senate by Phil Gramm (Republican of Texas) and in the U.S. House of Representatives by Jim Leach (R-Iowa). The third lawmaker associated with the bill was Rep. Thomas J. Bliley, Jr. (R-Virginia), Chairman of the House Commerce Committee from 1995 to 2001.

Since you can provide no documented record of advising Bill Clinton to veto this law, it's quite obvious you are only opposing it out of convenience to attack someone you personally hate and despise. Not only that, you were praising George W. Bush's fraud based economy, and praising it even as it faltered, and then suddenly you viciously turned on Obama, when it was something you could blame on a Democrat, who you personally hate and despise.

That you throw in the Middle East, when that's been a hot mess of simmering conflict for over a century, when your God-King, Emperor Trumpentine's best remark is that he can't be blamed for any of the political decisions, and his worst is that he supports the idea of stealing the Mid-East's oil for his own enrichment, is also showing the lack of authenticity to your criticisms.

Pretending to support Bernie Sanders when it's documented you despised him is only furthering your deceits. You don't care about him, you merely use him to cloak what you know is the repugnant love you have for Emperor Trumpentine. You know if you came out and admitted you have sworn allegiance to the Lord of the Toads, you'd never be believed.

So don't be stupid with your lies - anyone can search my history and find your accusations of my supporting Trump are full of shit.

Anyone can search read this post and find you blindly support and endorse Emperor Trumpentine, and are incapable of articulating any kind of criticism against your Lord and Master, and instead vehemently denounce any opposition to him.

You elected him, you get the government you deserve. And you better damn well hope he has a successful presidency, improving the lot of the average American, rather than cutting your nose off to spite your face like a spoiled child who didn't get their way and blames everyone (Russia! Russia!) for your candidate's loss.

See? There you are, supporting Emperor Trumpentine again, telling his critics to shut up and start praising your Lord and Master. There will be no questions allowed.

Nobody even had to search your history. You provided it in this very post.

Now quick, get thee to the worship hall, and praise your Lord and Master once again. He is, in fact, your God-King, you gladly seek out his abuses.

Re: So just ban bitcoin

[BarbaraHudson]

Wrong. The gift cards still need to be redeemed at some point. They all have unique IDs.

Re: So just ban bitcoin

[BarbaraHudson]

You don't get my point - the republicans spent 20 years trying to pass similar bills, and couldn't - not even with a republican president. So along comes Bill Clinton, and signs it. Clinton - not Bush Sr., not Ronnie Star-wars Ray-guns.

Pretending to support Bernie Sanders when it's documented you despised him is only furthering your deceits.

I dare you to find ANYTHING that "documents" that, you fucktard. Oh wait - you can't. That's why all you can do is post lies on slashdot with no proof. But tell us again how it wasn't Bill Clinton who signed the law, even though it was, and I even provided the link.

Re: So just ban bitcoin

[omnichad]

That means you can maybe see the start and end. You buy it with cash, it gets traded/sold numerous times. You can see when/where it was spent, but you can't follow it back through its path

Re: So just ban bitcoin

[BarbaraHudson]

So what - you nab the people at each end. That is deterrent enough - especially since the people at both ends are the ones attempting to launder the money.

Re: So just ban bitcoin

You don't get my point - the republicans spent 20 years trying to pass similar bills, and couldn't - not even with a republican president. So along comes Bill Clinton, and signs it. Clinton - not Bush Sr., not Ronnie Star-wars Ray-guns.

Oh my, you admit that Republicans tried to pass similar bills. But you aren't saying they wrote it. And yet here you are, continuing to blame Bill Clinton, that was your focus. Because you personally hate and despise him.

You didn't say one word against the people who wrote the bill, and you most especially will not challenge Emperor Trumpentine.

Pretending to support Bernie Sanders when it's documented you despised him is only furthering your deceits.

I dare you to find ANYTHING that "documents" that, you fucktard.

It's right here, in this very thread. You're using him, with no regard or support for anything Bernie said or did, all you care about is that you can use your feigned support (recently adopted) to protect Emperor Trumpentine from criticism. That's your own agenda. Well, that and yelling about Bill Clinton because you personally hate and despise him.

As usual. Of course, you started off screaming about Bitcoin, but eh, you quickly jumped into the fact that you love Emperor Trumpentine and want to see him use the awesome power of his big bombers. That gives you a thrill, doesn't it? You just want to act out your rage, and ride like Slim Pickens.

Oh wait - you can't. That's why all you can do is post lies on slashdot with no proof. But tell us again how it wasn't Bill Clinton who signed the law, even though it was, and I even provided the link.

You're the one who can't document any evidence you opposed the Republicans when they were writing the law. Go ahead, tell us how you said one word against it. Go ahead.

Oh wait, no, you were cheering it all along, because it was a Republican idea that you finally got to advance. Only now, now, when it doesn't benefit you to deny its failure(though you personally like the banks getting a chance to screw millions of Americans), do you complain about it, choosing to attack Bill Clinton, who you personally hate and despise, and protect your lord and master, Emperor Trumpentine.

Keep showing your love for him, selflessly destroy yourself, all to get his attention, and who knows, maybe you'll succeed...in being crushed beneath his booted heel.

Re: So just ban bitcoin

[BarbaraHudson]

Bill Clinton and the democrats had a majority in both houses when he signed the law into place. If they hadn't liked it, they could have stopped it - they had absolute majorities in the House of Congress, the Senate, and they also controlled the White House. They certainly had the power to re-write it, or not pass it, and a presidential veto would not have been overridden by republicans because there just weren't enough of them.

So show me ONE SINGLE REASON why anyone should believe that Clinton was opposed to it? The dems LOVED it, or they wouldn't have passed it. They sure as hell could have changed anything they wanted - but democratic fiscal policy then was pretty much the same as the neocons, same as Hillary is to the right of what passes for moderate republicans (like there's anything "moderate" in US politics any more).

Oh No, they did not use Linux !

[stooo]

Oh No, they did not use Linux !

Kudos to the St. Louis libraries!

[mmell]

First - paying ransomware is not too far removed from negotiating with terrorists (IMHO, YMMV). If a ransomware scammer manages to kidnap your data, paying him or her only encourages more such attacks. Being given a big middle-finger (along with the bad press it generates) will only leave these data kidnappers to hide their involvement and hope they never get caught.

Second - St. Louis' libraries almost certainly can't afford to pay even one of these mutts. Libraries were once magnificent places where people went to read and borrow dead-tree media (a.k.a., books, although periodicals and reference works were also available there). While libraries have become the one publicly available free-as-in-beer places to get internet access, their core mission of providing free access to reference, literary and other materials was not directly impacted by this. One could still walk into a library, look up a desired text in the card catalog and physically access a nearly exploit-proof repository of knowledge and information. They don't have budgets for IT security which would prove to be exceedingly difficult to provide on hundreds of publicly accessible computers, nor do they have a mandate to provide electronic services.

Third - and this ties back to second - libraries in general don't have a budget for public IT. They can't afford the expertise to implement FOSS when the vast majority of the people who will maintain and use the provided services are not trained to use it. Even on their web presence, ease of implementation (which probably contributed to this problem) equals lower TCO for them.

Re:Kudos to the St. Louis libraries!

[Altrag]

not too far removed from negotiating with terrorists

There's an enormous gulf between locking someone's data and blowing them up. We tend to be a lot harder on people who murder innocents than those who just steal money (well, as long as its somebody else' money of course.)

physically access a nearly exploit-proof repository

Sure you can access it, but most library usage of the book variety is loan-based since few people want to actually sit in the library for hours on end while reading. And the systems that track the book loans are all computerized these days.

This particular library could potentially lose a handful of books depending on how old their backups were if unscrupulous borrowers figure out that the library's system has "forgotten" them and decide they don't need to return their books. Probably nowhere near $35k worth though.

Re:Kudos to the St. Louis libraries!

[duke_cheetah2003]

Third - and this ties back to second - libraries in general don't have a budget for public IT. They can't afford the expertise to implement FOSS when the vast majority of the people who will maintain and use the provided services are not trained to use it. Even on their web presence, ease of implementation (which probably contributed to this problem) equals lower TCO for them.

I'm not so sure this is accurate. I would think the library system's computer needs would be handled by the City's IT department (and cities have these now.) But really depends on the locality, I suppose. But libraries are generally administered by the city government they reside in which would in turn mean they should be under the control of the city's IT department, which definitely has a budget.

Re:Kudos to the St. Louis libraries!

[Ichijo]

They don't have budgets for IT security which would prove to be exceedingly difficult to provide on hundreds of publicly accessible computers

What's so expensive about building a Knoppix CD, duplicating one for every public computer to boot from, and removing all their hard drives?

Re:Kudos to the St. Louis libraries!

[duke_cheetah2003]

not too far removed from negotiating with terrorists

There's an enormous gulf between locking someone's data and blowing them up. We tend to be a lot harder on people who murder innocents than those who just steal money (well, as long as its somebody else' money of course.)

Yes and no. Yes, it's a far worse crime to blow things and people up, than is it to ransom their data. However, the way we deal with these two types of crime really should be the same. No deals. The more times we cave in to ransomware the worse this type of attack will get. If criminals can make money off it, they are definitely going to try to infect more computers. If no one will pay, the crime will simply go away since it's not profitable.

Re:Kudos to the St. Louis libraries!

Many libraries have access to special subsidized discounts on Internet access (provider charges and T1/fiber connection fees) and data equipment purchases and maintenance (Cisco hardware and licenses). But the funding rules are very strict, require a lot of documentation, and demand no commingling of funds with other government IT expenditures. It can be wise to run a reasonable-sized library system (and 17 branches is definitely in that market) through a separate IT department.

Re:Kudos to the St. Louis libraries!

If CD/DVD booting is too slow for their taste, then a USB stick with Knoppix or Fedora for booting the system would do.

Hack

[stooo]

Perhaps, but it seems many hack at the library !

Back Up! Back Up!...

[Streetlight]

Do I need to say it again? A good back up strategy would get them back on line pretty soon - a few hours if not less.

Re:Back Up! Back Up!...

[CaptainDork]

The "strategy" part is crucial, though.

Before I retired, I backed up every single night to external hard drives (EHD).

Every fucking evening, for 18 years, I'd take last night's backup home and bring those drives back in the morning.

I'd put in "today's" tape and take last night's home with me again.

I had seven (7) EHD and every Wednesday I'd delete an innocuous file on each server and restore it from the EHD.

The object is not to get stuff ON the EHD as much as it is to get the data back OFF the EHD.

If a server notified me that backup didn't happen (I used BackupAssist), I'd take care of it, even on weekends.

The company that replaced me (and I'm not making this up) got hit with ransomware and the lazy bastards rotated the EHD once a week!

One of the asshole partners in the Firm clicked on a goddam link in an email about a UPS delivery.

The fucking Firm has a contract with FedEx.

You send them to school and they bite the fucking teacher ...

Re:Back Up! Back Up!...

[Streetlight]

I guess I should have added the in addition to a good back up strategy you must have a good restore strategy. When there are hundreds or thousands of computers in a networked system, getting them restored can be a challenge. After all, who knows which one originated the cascade of infection. For a system available to the general public such as this library system the infection may not have been an Internet source but from a library visitor.

Re:Back Up! Back Up!...

[CaptainDork]

Good point.

A good backup strategy includes off site copies as I did, taking the EHD home each day.

I've been retired 2 years now and I'm not up to speed on the state of the art.

Can cloud backups be encrypted by local server infection of ransomeware?

I searched, but didn't find a definitive answer.

Re:Back Up! Back Up!...

[JustAnotherOldGuy]

Can cloud backups be encrypted by local server infection of ransomeware?

The short answer is "yes".

If it's not literally offline (disconnected) then it's susceptible to corruption, period.

I keep three sets of backup drives, rotating through them periodically with the last two drives stored in a safety deposit box at a local bank.

Re:Back Up! Back Up!...

[CaptainDork]

I do like the 100% off site backup idea.

During my career of 34 years, I had two (2) things that scared the shit out of me:

1.) No backup
2.) Malware or security breach

I had a Novell 3.1 server crash on me at 5:30 pm and Novell worked with me till 6:30 the next morning rebuilding it.

It was broken at the core and we didn't lose any data.

Didn't need the backup tapes then (no such thing as EHD), but I had them.

I had my share of infected computers, but it was all single-box shit.

Viruses ruled the day back then.

Later, it really didn't matter much if I had anti-virus on desktops because viruses were so, like, yesterday and crap.

It was Trojans with popup ads or false virus warnings and it drove me crazy.

Mostly, Combofix, TDSSKiller, Malwarebytes, HijackThis, etc. took care of that.

I retired two years ago.

Two years before THAT, ransomware was just coming up over the horizon.

I had my shit together and management paid out the ass for best practices.

I lectured, pleaded, shamed, ratted out everybody who was stupid. The staff (my coworkers) were most excellent and never got hit.

The owner's son, one entitled immature bitch, would click on any goddam thing because he had me to mop up the blood.

It wasn't two months after I left that the Firm got covered with ransomware because that privileged asshole clicked on a link in an email.

They didn't pay the ransom, of course, but the vendor who replaced me spent a high-dollar week putting shit back together.

The EHD stayed attached to the servers (7) 24/7 with no offsite, so they were useless.

In total, they lost two weeks of work.

For a law firm, that's damned near catastrophic.

If that had happened on my watch, I'd have been back up in a couple of days at most, but I sure as hell would have peed down both legs.

Re:Back Up! Back Up!...

[swb]

The problem with really good backup strategies is they are also really expensive, being demanding of disk I/O and disk capacity. We joke sometimes that based on usage patterns, many customers should run production on backup storage and backups to production storage because backup uses more IOPS, throughput and capacity than primary.

I don't know what their systems or processes are like in St Louis or what they had to restore, but a smaller library I worked with once had something like 5 TB of production data (basic LUN consumption for their VM environment).

A total restore from disk backup capable of aggregate throughput of 100 MB/sec is in the neighborhood of 13 hours for that much data, and I would say for most places a backup storage, system and primary storage environment capable of running restores at that rate is pretty impressive, usually it bogs someplace in the backup software (assembling data from incremental chains, decompression or something).

Improving on that can be done, but it's never cheap -- secondary production-quality storage that holds frequent replicas, for example, but it requires more storage and more money, and even if its not right, budget realities often prevent a customer from buying 2-3x needed production-quality capacity to store this.

wifi mesh network

Sounds like a perfect opportunity for some teenagers to set up a wifi mesh network inside the library and connect the mesh to the internet using burner phones. I hope someone did this! I would donate equipment to help build it if I were anywhere near St Louis.

Re:wifi mesh network

[guruevi]

Quote:
Additionally, the Library District plans to upgrade to Windows version 10 in late 2017 at an estimated cost of $20,000 and also upgrade Microsoft Office to version 10 at a cost of $48,500.

They spend about $1M/y on computer technology (~$1500/computer/year) not accounting for staff or digital databases/collections and their computers are 5 years old so they need replacement which is a separate line item. With those sorts of budgets, you'd think they have this figured out.

In comparison, I work in research, our systems last for 7-10 years, cost us an average of ~$1000/year including IT staff costs, licensing and purchasing the computer (or $3-400/year without staffing costs).

Serves them right.

These nazis will block the account of any kid who takes a screenshot of a page of their books. They monitor them with keystroke loggers, just like any criminal hacker group. Good thng for them americans are too yellow to complain. But they can't control offshore whistleblowers.

attack funded by the University of Calgary

[epine]

Ransomware Thieves Cost Canada University C$20,000 In Bitcoin

Isn't it interesting how this works?

Spin

[freeze128]

When you see a phrase like "a particularly virulent form of computer virus", that usually means "We don't even have basic protection on our systems, so we will make it sound as if the virus is really really mean".

These are self-inflicted problems

Of all places libraries should be adopting Free Software and rolling out systems that make it easy to surf anonymously / maintain them. For instance network booting may have helped this situation, alongside proper backups, and similar.

How Many???

[youngone]

I know it's not really important, but seriously? St. Louis has 16 libraries?

I did a quick count, and the city of 1.4 million people I live in has 59 libraries. St. Louis has 2.9 million people. Very few of them read apparently.

Re:How Many???

St. Louis *City* has only 315 thousand people. The city 'divorced' itself from the county in 1876. The greater St. Louis area has 2.9 million. Most the surrounding municipalities are part of the St Louis county public library system ( http://www.slcl.org/ ) which is separate from the city's library system (http://www.slpl.org/ ) . Other surrounding municipalities just roll their own ( http://kirkwoodpubliclibrary.org/ )

http://www.riverfronttimes.com/newsblog/2010/05/04/the-great-divorce-everything-you-ever-wanted-to-know-about-the-city-county-split

Re:How Many???

[CronoCloud]

While the MSA has 2.9 million, St louis proper only has 316000. Those libraries serve the residents of the City, not the entire MSA. The communities of the MSA have their OWN libraries.

16 for 316000 is actually a fairly high ratio.

Re:How Many???

[Streetlight]

I live in a city with a library district that covers the city, a couple of small/medium size towns and some unincorporated county area with a service population of about 475,000 to 500,000 or so. Not all towns or the county are part of the district. There are 17 branch libraries including three very large locations plus a bookmobile, containing 2.5 million books, 50,000 ebooks for download, many thousands of music CDs and DVDs. The great thing is that by using the Web, one can put a hold on material and have it delivered to any of the branches for pickup, usually within a couple of days if not checked out. Whenever I've been at any of the branches they are very crowded with patrons. Service is phenomenal. Sounds like we're up to that of St. Louis and the others mentioned.

Re:How Many???

[turp182]

The city of St. Louis has about 300,000 people, the county and even part of Illinois is included in your 3 million number. They all have their own libraries. I live in St. Louis, there are 2 libraries within 2.5 miles of my house (one is less than 1.2 mile, the other is the central public library which has awesome architecture and lots of art).

Pirates!

Sharing copyrighted material, eh?

Lockdown Windows

If a user can install any software (intentionally or unknowingly) then that system was not properly locked down. It is easy to whitelist binaries in Windows systems. There are Linux distro which is booth only versions, which means nobody can modify the filesystem. Users who want to save or create documents should bring their own USB sticks or blank CD/DVD because there's no write permission on the system drive.

Re:Lockdown Windows

errm you mean Kiosk versions of Linux.

Don't you hate the word "virulent"?

This is not an actual life-form. Why not just call it clever software written by thugs and thieves?

A particularly virulent form of computer virus ..

[khz6955]

"Libraries in St Louis have been bought to a standstill after computers in all the city's libraries were infected with ransomware, a particularly virulent form of computer virus used to extort money from victims".

Do you mean a Windows Word Macro virus?

St Louis who cares.

Blacks do not like to read.

Re:Lockdown Windows/RTFS

"The system is believed to have been infected through a centralized computer server."

Not exactly sure what that means, but it seems to indicate that the problem didn't originate with an end user. I expect that they were smart enough to lock down the clients which are accessible to the public.

CARD CATALOGS!

[Stubbyfingers]

STILL WORK!

The only danger to them is the occasional termite

Can't happen to my Library

My local library runs a Linux server with thin clients. The browser is the publicly facing interface. Even the high school assistants know how to restart X. I am not aware of the system ever failing, even though the admin has redundant systems in place.

In that library, everything just works.