Dealing w/ Copying of Online Articles via Open Proxies? 34
Creosote asks: "Concerns about piracy are no longer just for the big commercial media outfits. JSTOR, one of the major repositories and distributors of online versions of scholarly journals, has been hit by crackers taking advantage of open proxy servers to download about 51,000 articles from 11 JSTOR journals. Even nonprofit academic publishers rely on income from publications to exist, so the spectre of large-scale unauthorized copying is legitimately scary to them. In a letter to librarians and publishers, the president of JSTOR notes that while the "threat of open proxies has been recognized for some time in the web community...it does not appear that network administrators, librarians, or content providers are aware that organized efforts are being employed to gain unauthorized access to restricted campus resources" through them. I work for a nonprofit publisher (a university press) that will soon be making peer-reviewed digital projects available online, and they can't all be given away for free, so this hits close to home. Are there better solutions than turning into an attack dog, ala the RIAA and the MPAA?"
what is an open proxy (Score:2)
Re:what is an open proxy (Score:2)
Access restrictions on these materiels are commonly done on a domain limited basis. Many university libraries have a proxy server for folks who attend the university (authorized users) who aren't on campus to access these materiels. There usually is a rather open or trust-based process to access these proxies, and as such they pretty much grant global access to the materiels.
Got it?
Information wants to be free... (Score:1)
Perhaps this is the first chink . . . (Score:3, Insightful)
~~~
Re:Perhaps this is the first chink . . . (Score:5, Interesting)
And, yes, anyone with access to a web server can publish, but I certainly wouldn't want my papers "peer" reviewed by an amorphous mob of unknown readers. Consider the puerile banalties that pass for comments here on Slashdot.
Re:Perhaps this is the first chink . . . (Score:1)
With regard to the second, we're not talking about /. moderation here (Heaven forbid). Peer review could still be accomplished with a reputation-based digital signature scheme. Heck, T:n threshold could be used among several distinuguished scholars, and the votes could be blinded. There's no need for these money-grubbing middlemen anymore.
~~~
Re:Perhaps this is the first chink . . . (Score:2)
What I really take issue with is the underlying notion that all information, every created work and every published word, is somehow instantaneously free for the picking to the entire world. That's stretching the notion of open source and free software -- software development models -- into the realms of politics and philosophy. It's a ludicrous stretch.
Re:Perhaps this is the first chink . . . (Score:2)
As for peer review, the same people doing reviews of hardcopy papers can review electronic papers... I don't see why that has to change. The reviewers aren't getting paid either...
BTW, arXiv [arxiv.org] has a good selection of physics, math, and some CS papers.
What?!? (Score:2)
Er, copyright infringement, because piracy has such a "dirty" sound to it.
And coppyright infringement is either a triviality or a birthright, so the arguments here go.
*
More seriously, I sympathize. I guess the honor system is out?
Ideally, even peer-reviewed work (or, I would hope especially peer-reviewed, because it is significantly value-added) would be in the public domain anyway. The single best approach would be to acquire grant or public funding as a one-time purchase of the data.
After honor system and public domain come the tedious closed-access or copyright-suit methods, which are vulnerable to hacking and piracy, respectively. In case there are further alternatives, I'll be lurking here to hear them.
Check all allowed IPs from open proxies (Score:4, Insightful)
Another retarded open proxy problem
Re:Check all allowed IPs from open proxies (Score:1)
> access to JSTOR from your current location.
>
> It seems they have some whitelist of allowed IPs.
> Why not just traverse this once every so often and
> look for open proxies?
Because this isn't sufficient. There may be two or more hops in an open proxy chain. The authorised IP may be locked down tight, and only allow internal IP's to access it - so it would pass the routine check. But *any* of those internal IP's could also run a proxy server. And that proxy may not be locked down.
Re:Check all allowed IPs from open proxies (Score:5, Informative)
freedom [peekabooty.org].
It's just a wrong-headed approach to access
control, filtering by IP. The correct approach to
access control is to require a controlled token
to connect. An IP address is not a controlled
token, and using it as one, as JSTOR does, is
incompetent web service design.
Re:Check all allowed IPs from open proxies (Score:2)
Easy to say, but hard to implement.
When you talk about university campuses, you've got tens of thousands of authorized users that may or may not be in some centralized database. You expect JSTOR to go to each campus, set up a card table outside the cafeteria, and assign IDs to the students, faculty, staff, and other assorted parties covered by their contract?
Or, you expect the universities to all create some uniform authentication database for JSTOR to query against?
I doubt either one is going to happen (though the second, perhaps as a contract stipulation, seems slightly more likely).
It's going to be painful (Score:1)
Probably no intention to resell (Score:4, Insightful)
The people who stole the articles probably have no intention to resell them. Probably, they were just doing it because they could. The articles will sit on some hard drive somewhere, and eventually be deleted.
It would be impossible to resell the articles without revealing who stole them. Also, would you want an article from an unknown source, that could have changed it?
Re:Probably no intention to resell (Score:2)
Besides, if the 'hacking' is as simple as using an open relay to mirror the site, the perp is most likely a skript kiddy that can't understand any of the aricles anyways.
Obviously people are not ready for technology (Score:1)
1) Say nothing and absorb the losses
2) Become aforementioned "attack dog"
3) Take the materials down
Pirates would like nothing more than for content providers to do choice 1. However, that's an unlikely scenario to last for a long time and eventually the content provider will have to resort to either attacking pirates (ala RIAA) or simply take their ball and go home.
At least with #2 the stuff stays online and is accessible to legitimate users of the material. No one wins if the material goes offline.
#3 Take the materials down (Score:1)
Just like any other security issue: (Score:2)
The high road (Score:1, Troll)
Re:The high road (Score:2)
Secure the origin server properly. (Score:5, Informative)
IP address restrictions are of only limited use, due to HTTP's stateless behaviour. As I've noted in another post, chains of proxies will quickly eliminate any IP based restrictions.
Some steps that JSTOR could take include adding cache-control headers (must-revalidate comes to mind) to prevent cache hits occuring without the JSTOR servers knowledge, and thus allow them to perform partial validation on the actual client (i.e. by checking the Via header). Note that checking the Via header is less-than-secure, but better than simply trusting the customers proxy to be secure.
Secondly, use authentication - assign a username and password to the content, using (say) Digest authentication, which is proxy friendly. Mark the content as explicitly cachable with revalidation, and you will get 1 If-Modified-Since request per download from proxies, and be able to check the user details each time. There would be an administrative issue with this, but I'll leave creative approachs to that as an exercise.
Idea for alternate academic peer review... (Score:4, Interesting)
One can imagine various enrichments to this model (e.g., allowing a reviewer to go back and change his opinion of the article if he finds he cannot replicate the results in his laboratory), but I think you get the basic idea. Having everything in the open domain will indeed shut down the revenue for academic journals, but that doesn't mean that the time-honored system of peer review has to go down the drain, it just needs to be updated.
(Note: Reviewers who haven't yet published anything, and who do not have tenure at a recognized academic institution, will be awarded zero moderation strength; this is still a closed system for academics, even though it is based on openness. The usual disclaimers for strength of encryption - to ensure no impersonations - apply.)
Re:Idea for alternate academic peer review... (Score:1)
Information wants to be free! (Score:1)
What about ... (ie, no cause for concern) (Score:2)
Fact is, most of these materiels are being sold to university libraries who have open/semi open access to the materiel as a mission statement. These organizations will still subscribe whether or not these materiels are found 'in the open'. For one, they have to behave legitimately, and for another they know that the best way to continue the existence of these materiels would be to keep paying their dues.
At the same time, these dues which constantly come in support you currently, correct? Are you just trying to maximize profit or is there a genuine concern of people switching to non legitimate sources and thus a problem with continued existiece? If it's the former, SHAME! The latter, well, publicise that information. Show real data about not being able to survive and then ask slashdot again.
And who knows, open access seems to work for some academic publishers, who know that the dues to continue their existence will come in because people care to support the content. Maybe it'll even work for you.
For a commercial example of the same, do check out the baen free library and what it has done to their sales. (www.baen.com)
Open Peer Review (Score:2)
Contrary to what the poster asks I feel the peer review process could be best served by using an open model. Most reviewers give their time for free. Most of the cost of a journal goes to publishers and printers.
A collabaritve method would seem to benefit the authors, the reviers and the readers. In fact the only losers would be the publishers/printers.
I'd love to read the latest journals but not at the prices they are asking.
DRM (Score:2)
This is essentially the argument for DRM. You want to be able to provide electronic information but in a way that it cannot be duplicated at will. Both Intel and Microsoft are working hard on making this possible and within a few years better solutions will exist than exist now.
So the short answer to your question is "sort of, but in practice not for another 2 years or so". I'm sure other posters will address the sort of solutions. If you want to know what's coming Palladium FAQ [cam.ac.uk].
The more important issue as an academic press is where you are going to stand on the right to read. Academia depends on a relatively free flow of information that is inexpensive. By its very nature what you are asking to do is be able to control the downstream flow of information.
You may find that when the technology is available it is rejected by the academic community. You'll then have to decide if you are primarily a commercial agency providing digital content like Disney or Time Warner; or primarily an academic agency which supports freedom of information exchange even at the cost of lost sales.
Anyway I suggest the following essay on the moral issues. the right to read [gnu.org].
Just an idea... (Score:2)
Here's my solution: publish the articles online with deliberate errors. Make sure that people who download them legitimately know what those errors are, so they can account for them, but people doing big bulk downloads as described in the question won't know (and probably won't care). Then they can publish it as much as they like, but they'll soon realise they've got themselves a dud.
Just an idea. Whether it's practical in your situation is another question - I don't know enough about what you're doing to answer that one.
Available for download? (Score:2)
So let me get this straight,
There are a large number of these publications available for download by people within certain IP blocks. These are available to be freely downloaded by anyone in those blocks. And people are using proxies to download them? There is no other security to prevent unauthorized users from accessing the site?
Am I the only one who sees something wrong here?
I especially like the use of the word "cracker". The big bad hacker used open proxies to hax0r your download page! Seriously though, if you're counting on IP-based authentication for networks you don't have control over, you're BEGGING for problems. IP based authentication only works under the premise that the machines with those IPs can be trusted.