Sci-Hub's Creator Thinks Academic Publishers, Not Her Site, Are The Real Threat To Science, And Says: 'Any Law Against Knowledge Is Fundamentally Unjust'

from the put-up-or-shut-up dept

A year ago, Techdirt wrote about an important lawsuit in India, brought by the academic publishers Elsevier, Wiley, and the American Chemical Society against Sci-Hub and the similar Libgen. A couple of factors make this particular legal action different from previous attempts to shut down these sites. First, an Indian court ruled in 2016 that photocopying textbooks for educational purposes is fair use; the parallels with Sci-Hub, which provides free access to copies of academic papers for students and researchers who might not otherwise be able to afford the high subscription fees, are clear. Secondly, the person behind Sci-Hub, Alexandra Elbakyan, is fighting the case, rather than ignoring it as she has done on previous occasions.

One manifestation of her new pro-active approach is a tweet she posted recently. It included a screenshot of an email she wrote to Nature magazine, which had contacted her about a forthcoming article on the Indian court case. Following standard practice, the journalist writing the article, Holly Else, asked Elbakyan to comment on some of the accusations the academic publishers had made against Sci-Hub. Her responses are fascinating, not least because they provide Elbakyan's perspective on several important issues.

For example, according to the publishers' comments as transmitted by Else, "Pirate sites like Sci-Hub threaten the integrity of the scientific record, and the safety of university and personal data". In reply, Elbakyan points out Sci-Hub is unique, and the use of the phrase "Pirate sites like Sci-Hub" is a clever attempt to lump Sci-Hub in with quite different sites, thus prejudging the legality of its activities. Elbakyan says that it's academic publishers -- not Sci-Hub -- which threaten the progress of science:

open communication is [a] fundamental property of science and it makes scientific progress possible. Paywalled access prevents this and is a great threat to science. Also the great threat is also when the whole scientific knowledge became the private property of some corporation such as Elsevier, that has full control of it. That is the threat, not Sci-Hub.

Elbakyan points out that Sci-Hub doesn't threaten the "integrity of the scientific record", since she simply disseminates copies of the academic papers without changing them in any way. But perhaps the most interesting part of her reply concerns the accusation that Sci-Hub threatens the safety of university and personal data. Techdirt has written previously about claims that Elbakyan allegedly has links to Russian intelligence, and that Sci-Hub is some kind of security risk. According to Else, the publishers assert:

Pirate sites like Sci-Hub compromise the security of libraries and higher education institutions to gain unauthorized access to scientific databases and other proprietary intellectual property, and illegally harvest journal articles and e-books.

Sci-Hub uses stolen user credentials and phishing attack to extract copyrighted articles illegally

These are serious allegations, and ones that have been made several times in the past. Elbakyan's response is probably the first time that she has addressed them directly:

Do they have any actual case when Sci-Hub somehow compromised the security of any library or a person? Any person that complained about credentials that were 'stolen' from them? Or is it again, nothing more than empty accusations. Nobody is complaining about 'compromised security' except academic publishers.

In other words, it is time for Elbakyan's accusers to put up or shut up. She concludes by stating that "Any law against knowledge is fundamentally unjust", and hopes that "Nature will have enough honesty to publish my comments in full."

It didn't, of course.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.

Filed Under: academic journals, academic research, alexandra elbakyan, copyright, education, holly else, india, publishers, security
Companies: nature, sci-hub


Reader Comments


  1. Anonymous Coward, 3 Jan 2022 @ 3:45pm

    "Pirate sites like Sci-Hub threaten the integrity of the scientific record, and the safety of university and personal data".

    Wwwwwhhh ha ha ha ha ha haaaaaaaat?!

  2. Anonymous Coward, 3 Jan 2022 @ 4:21pm

    Pirate sites like Sci-Hub compromise the security of libraries and higher education institutions to gain unauthorized access to scientific databases and other proprietary intellectual property, and illegally harvest journal articles and e-books.

    The academic publishers do not wish to admit that many papers are sent to Sci-Hub by the academics that wrote them. Is that because, while declaring war on the public will have almost no impact on their profits, declaring war on the academics that create their value would just turn the drift to open access into a sprint?

  3. Anonymous Coward, 3 Jan 2022 @ 4:57pm

    Re:

    It's the "pirate sites cause the bulk of malware infections" argument again, claimed by Graham Burke of Village Roadshow, Australia after he got his computer intentionally infected.

  4. Bobvious, 3 Jan 2022 @ 5:33pm

    "Sci-Hub stole the election"

    I can't wait to find out how Sidney Powell is working in the background for the publishers.

  5. Toom1275, 3 Jan 2022 @ 6:05pm

    Re:

    And there's a bit of publishers' mafia-esque behavior to blame for part of that, as anyone who admits they provided their work to Sci-Hub would likely quickly find themselves blackballed from "legitimate" publishers.

  6. Pixelation, 3 Jan 2022 @ 6:54pm

    greed

    Nothing better than copyright leeches. Elsevier, Wiley, and the American Chemical Society have gotten fat on the hard work of others.

  7. That One Guy, 3 Jan 2022 @ 7:00pm

    If you want to talk about threats to science and progress I'm pretty sure Elbakyan nailed it by pointing out that those attempting to paywall and lock up research are vastly bigger problems than a platform designed to make sharing that research easier.

    Those that work now build upon what came before them but if that knowledge is kept from them then everyone has to start from scratch and that's a massive impediment to progress, making the publishers trying to blame Sci-Hub very much a case of the pot calling the silverware black.

  8. Anonymous Coward, 3 Jan 2022 @ 7:08pm

    Regarding the 'compromised security' claim. It's simply not true that the only ones complaining about it are publishers. I work in a university library and we frequently are made aware of bulk downloading of papers through stolen credentials. Campus IT then has to deal with the problem because stolen credentials threaten the entire network.

  9. sumgai, 3 Jan 2022 @ 7:42pm

    Re:

    "Stolen" documents? No problems with rifling through student or personnel records? Sounds to me like someone was obtaining exactly what they were looking for, i.e. research papers. Let me remind you that even if this is a private school, which also receives a lot of government funding for research, public universities are completely beholden to the taxpayers of this country. I dare you to find, and share with us, any privately donated funds at your school that are earmarked by the donor to support some specific research project.... I'll be right here, and I've brought along a sack lunch, so take your time.

    If I had to guess, I'd posit that a Gestapo-like presence was brought to bear on the credential-owner in question, who in turn felt compelled to say that his/her ID had been stolen.

    But besides all of that, I have one question: you've made a generalized accusation... do you have proof that you are willing to share with us? Because if not, then I am obligated to remind you of the meme:

    Pix, or it didn't happen.

    EDIT: Just before hitting the Submit button, I realized that I have made the rash assumption that you are attending an American school. If I'm wrong about that, I apologize.

  10. Anonymous Coward, 3 Jan 2022 @ 9:58pm

    Re: Re:

    Every so often someone tries to pull the "We had to nail Aaron Swartz to the wall" argument. It might have worked if the vested interests pushing the argument hadn't rendered themselves so woefully unsympathetic.

  11. Dave, 4 Jan 2022 @ 12:12am

    Re:

    i.e., We call the shots, and you had better do what we tell you to.

    Classic capitalist dictatorship.

  12. PaulT, 4 Jan 2022 @ 12:55am

    Re: Re:

    ""Stolen" documents?"

    Erm, the post you replied to doesn't say "stolen documents", it says "stolen credentials". His point appears to be that when this happens it is of concern to him and not just the publishers, since he has to work to protect the integrity of the whole network in case they're used to do something other than download some documents.

    That's a different argument, and one with far more validity than the idiotic one being pushed by the publishers.

  13. Scary Devil Monastery, 4 Jan 2022 @ 2:42am

    Re:

    "Pirate sites like Sci-Hub threaten the integrity of the scientific record, and the safety of university and personal data".

    Translation; "We've got no argument not rooted in grift and conmanship so we'll just trot out the old claim that anyone actually progressing 'Science and the arts' will make the sky fall instead."

    The copyright cult is nothing if not predictable. Sci Hub being a website which brings primarily tax-funded studies to the public which paid for them means assholes like Elsevier risk losing their utterly redundant and highly lucrative position of standing in the way of progress in exchange for financial gain.

  14. Scary Devil Monastery, 4 Jan 2022 @ 2:51am

    Re: greed

    "Nothing better than copyright leeches. Elsevier, Wiley, and the American Chemical Society have gotten fat on the hard work of others."

    The wisest of the philosophers was asked: "We admit that our predecessors were wiser than we. At the same time we criticize their comments, often rejecting them and claiming that the truth rests with us. How is this possible?" The wise philosopher responded: "Who sees further a dwarf or a giant? Surely a giant for his eyes are situated at a higher level than those of the dwarf. But if the dwarf is placed on the shoulders of the giant who sees further? ... So too we are dwarfs astride the shoulders of giants. We master their wisdom and move beyond it. Due to their wisdom we grow wise and are able to say all that we say, but not because we are greater than they."

    • Isaiah di Trani (c. 1180 – c. 1250).

    The above paraphrased most famously by Isaac Newton who boiled it down to "If I can see further it is by standing on the shoulders of giants".

    According to the US constitutional interpretation of copyright it is specifically made to 'progress science and the arts'. The copyright cult just keeps revealing that scam for what it is by at every turn insisting the only ones who get to stand on the shoulders of those giants are the people who pay the greedy third party who wants to charge a toll since the giant does not care who climbs him.

    The protectionist Red Flag Act which is copyright needs to die in fire, its primary and present purpose always having been to further the grifter standing between the author and his/her audience.

  15. Scary Devil Monastery, 4 Jan 2022 @ 2:58am

    Re:

    "Regarding the 'compromised security' claim. It's simply not true that the only ones complaining about it are publishers."

    Well, no, but in context the comparison becomes irrelevant.

    Sure, stolen credentials are trouble for any network. The issue here is that Elsevier are making the analogy of a claim that masturbation causes blindness.
    Sure, everyone will agree that blindness is bad - but the thing is that masturbation does not, in fact, cause blindness to begin with.

    Similarly the assertion that "Pirate sites like Sci-Hub threaten the integrity of the scientific record, and the safety of university and personal data" is just bullshit from start to end.

  16. Scary Devil Monastery, 4 Jan 2022 @ 3:01am

    Re: Re: Re:

    "That's a different argument, and one with far more validity than the idiotic one being pushed by the publishers."

    In a context which lacks relevance.

    I'll agree that terrorism is bad.
    I have issues with any argument which begins by assuming the assertion that "education breeds terrorists" is factually true and therefore by inference asserts that education is bad.

    THAT is why the AC's comment on campus security is utterly irrelevant despite being a factually correct statement in itself.

  17. Anonymous Coward, 4 Jan 2022 @ 3:19am

    Re:

    That is a local security problem, which has little relationship to the use of Sci-Hub, and more to do with some students having the proper hacker spirit, find out how things work.

  18. Anonymous Coward, 4 Jan 2022 @ 4:51am

    Re:

    Some good points.

    It was meant to be merely derisive, since it is obvious they are full of shit on both counts. Especially the opposite-land claim about the scientific record. What compleat assholes.

  19. Anonymous Coward, 4 Jan 2022 @ 5:19am

    Re: Re:

    Note, the academics that do all the work of writing and reviewing papers, and editorial management of journals, are also the ones who pay for access to those same papers. Increasingly the academic publishers are being viewed as parasites who need to be eliminated before they suck all the money out of academic library budgets.

  20. PaulT, 4 Jan 2022 @ 5:36am

    Re: Re: Re: Re:

    "the assertion that "education breeds terrorists""

    Erm, I'm definitely not reading that into the AC's comment. He simply seems to be saying that when people are "stealing" credentials it creates a security risk that may or may not be deliberate, but which takes time and effort to counter.

    The grifters quoted in the article take a different view of course, but I don't see it in the AC's comment. He doesn't appear to be asserting that people are using the "stolen" credentials to do deliberate harm, which is what would make them "terrorists", only that they create security risks that can be exploited whether or not the people doing it are aware.

  21. Anonymous Coward, 4 Jan 2022 @ 6:50am

    Re: Re:

    Private corporations donate all sorts of money to public US institutions which is earmarked for industry research. The WSU apple research is funded in large part by fees paid by apple growers belonging to a professional organization and used by the public college. Rich people affected by a certain disease give money to fund its research. What are you talking about? The University of Washington is a public institution with $3 billion cash in their endowment and countless more privately endowed professorships. Again, what are you talking about?

    Everyone who has even one single reason why they think sometimes copyright is okay they're a Nazi. It's so yawn inducing listening to these hysterics all the time and you severely hurt your own cause.

  22. Anonymous Coward, 4 Jan 2022 @ 9:01am

    Re: Re: greed

    Personally, I don't have a problem with people who create a work getting fair recompense for that work (though do note that sometimes that fair recompense is nothing, as the work itself is worthless). However, granting the creator (or their employer) control over the use of that work is an antiquated and often damaging way of ensuring this, morally akin, in a very small way, to slavery, as both control people against their will.

    A better way would be to require those who profit financially from the work to share a portion of their gains with the creator.

    Of course, none of this applies to "learned journals" who charge scientists to publish in their journals and requiring a transfer of copyright to boot. They are simply parasites who may once have provided a useful service but who now inhibit scientific progress or at least access to and participation in by the citizen scientist.

  23. Anonymous Coward, 4 Jan 2022 @ 9:06am

    Re: Re:

    anyone who admits they provided their work to Sci-Hub would likely quickly find themselves blackballed from "legitimate" publishers.

    Maybe, but making a few of the wrong scientists into "martyrs" is the sort of thing that could cause a real backlash against the monopolist publishers. Lots of people are still willing to publish papers and books with them, though it seems to me they're getting desperate in their attempts to remain relevant. (Not just with this Sci-hub fight; e.g., Taylor and Francis e-books now have a giant publisher logo on every otherwise blank page, as if to say "look, we still matter!")

  24. Anonymous Coward, 4 Jan 2022 @ 9:09am

    Re: Re: Re:

    Erm, the post you replied to doesn't say "stolen documents", it says "stolen credentials".

    Credentials generally consist of a username and password. These are not things that can be "stolen", which makes it a pretty dubious claim. Even if they mean "copied", there's no evidence Sci-hub is copying credentials without authorization. Perhaps people are sharing them willingly, and it's the university's fault that the Elsevier etc. login credentials are good for anything on the university's network.

  25. Michael, 4 Jan 2022 @ 2:49pm

    Re:

    Academic librarian here: Bullshit.

    There's no "threat to the network" from stolen credentials. The only possible threat that bulk downloading creates is that the horrible publishers might penalize the library by temporarily cutting off access until the matter is investigated. This is, at best, a mild inconvenience, and one that interlibrary loan can instantly route around while the issue is resolved.

    Librarians worthy of respect see the value of Sci-Hub, as well as the evilness of aggregators like Elsevier, who raise rates at 10% annually while offering nothing at all in the way of increased value (and in fact hamper access at every turn when there's a penny to be made). Elsevier's even been caught repeatedly charging for open access journals!! Who are the criminals here, again?

    https://www.techdirt.com/articles/20140319/11185526626/elsevier-still-charging-open-access-copies-two-years-after-it-was-told-problem.shtml

  26. Anonymous Coward, 4 Jan 2022 @ 2:50pm

    Re: Re: Re: greed

    A better way would be to require those who profit financially from the work to share a portion of their gains with the creator.

    That seems like something that would get "creators" a fraction of tiny amounts of profit, at the cost of ordinary people having to hire accountants etc.—while a film company could come along and make a billion dollars without paying anything, because, as we all know, films are never profitable. (Also, look at music collection societies and all the Techdirt stories bitching about them. I don't want more groups like those.)

    I think we need to get rid of the idea that people are owed something by virtue of having created something that nobody agreed to pay for. We've seen that people can build up a reputation and raise money to create future art, or even sell stuff people can get for free (e.g. Andy Weir put The Martian for free online, and then people asked for and paid for a Kindle version). The tradespeople who built my house don't get anything when I have someone else make a "derived work", and nobody's pretending that's some great injustice.

    We should not be putting any unnecessary barriers on the creation of art.

  27. OGquaker, 4 Jan 2022 @ 6:50pm

    A Nazi by any other name would smell as sweet

    My Grandfather graduated the local school, and he watched the herds race across the Antelope Valley. I was serving my second elected term on the town council when I confronted the US Geological Survey at a NASA-NOAA convention: why were we forced to vote on groundwater issues, without any access to their surveys? The USGS reply? Since "private money" went in to the reports, they were restricted, we would never see them.

  28. Scary Devil Monastery, 5 Jan 2022 @ 12:48am

    Re: Re: Re: greed

    "A better way would be to require those who profit financially from the work to share a portion of their gains with the creator."

    It speaks volumes about the origins of copyright that no such argument was ever made at its inception. It's why I keep claiming copyright needs to be abolished completely and author's rights fitted under trademark law instead - making an artist's/author's work part of their brand and protected as such.

    This neatly removes the privilege to dictate who gets to make copies while still providing the creator of a work the right to deny use of their work in commercial and/or political venues.

    "Of course, none of this applies to "learned journals" who charge scientists to publish in their journals and requiring a transfer of copyright to boot."

    Curious, isn't it, how a Red Flag Act like copyright, implemented to further middleman grifters, serves the middleman grifters so well, eh?

  29. Scary Devil Monastery, 5 Jan 2022 @ 12:52am

    Re: Re: Re: Re: Re:

    "He simply seems to be saying that when people are "stealing" credentials it creates a security risk that may or may not be deliberate, but which takes time and effort to counter."

    Well, yeah.

    The major problem with that assertion is that although that much is correct, the assertion has nothing at all to do with copyright infringement.

    Now if we're talking about people copying media, and the copyright cult's spin is "People who copy media further terrorism" then the comment from an AC of "Oh, yeah, terrorism is bad, there's something to what they say" is misleading at best.

  30. PaulT, 5 Jan 2022 @ 6:49am

    Re: Re: Re: Re: Re: Re:

    "the assertion has nothing at all to do with copyright infringement"

    Again, you seem to have read the comment differently to how I did. I didn't see him supporting the copyright infringement nonsense, only the fact that if credentials are compromised there's risk of other harm which has to be dealt with.

    "the comment from an AC of "Oh, yeah, terrorism is bad, there's something to what they say""

    Again, I don't think that's what he said.

  31. PaulT, 5 Jan 2022 @ 6:51am

    Re: Re: Re: Re:

    "These are not things that can be "stolen", which makes it a pretty dubious claim"

    Compromised rather than stolen would be the better term of course, but if they're used without permission then it fits the general line of what's being said.

    "it's the university's fault that the Elsevier etc. login credentials are good for anything on the university's network"

    Security has its limits. If someone got hold of my credentials then it would be a problem on the networks I administer, but it's not a problem that as a global administrator of the network I have that type of access during my daily work. There are procedures in place to mitigate problems if they were to happen and safeguards to ensure that it's unlikely to happen in the first place, but it's not a design flaw that an administrator has admin access.

  32. Anonymous Coward, 5 Jan 2022 @ 7:47am

    Re: Re:

    I also work in a univ library and I'd agree -- the vast majority of librarians could care less about SciHub. The only issue is fear that, if we didn't act to block excessive downloads, then the publishers would jack up our (already exorbitant) licensing fees.

    Having said that, it always amuses me that one of the main ways the campus IT shop finds out about hacked accounts is by seeing excess downloads of journals! Admittedly, that's just correlation, not causation, but the fact that it happens repeatedly is ... "interesting".

  33. Anonymous Coward, 5 Jan 2022 @ 8:00am

    Re: Re: Re:

    Those that download the journals wouldn't be the same ones whose taste in reading matter is for informative rather than escapist material, that is those who seek knowledge rather than a job qualification?

  34. Anonymous Coward, 5 Jan 2022 @ 8:28am

    Re: Re: Re: Re: Re:

    Compromised rather than stolen would be the better term of course

    "Compromised" can still be misleading, as it may lead people to think Sci-Hub is compromising the accounts with a keylogger or something—when what I've heard is that people share their credentials willingly (though from the network admin point of view that does make them "compromised").

    Security has its limits. If someone got hold of my credentials then it would be a problem on the networks I administer

    But why should someone getting hold of your Elsevier credentials affect your local network? Okay, "security has limits", but that's not a hard problem for an administrator to fix: require people use different passwords for each. And certainly no admin account should ever be used to log in to third-party sites.

  35. PaulT, 7 Jan 2022 @ 12:29am

    Re: Re: Re: Re: Re: Re:

    ""Compromised" can still be misleading"

    Not really. The term can be taken out of context, but in the intended context of an IT security standpoint it usually means simply that a person other than the person authorised to use the account is accessing it. If you want to infer into the term that someone must have used a keylogger rather than the more likely reason that someone shared their login or chose a terrible password / password hint / whatever. If I give a friend my password or let them use an open session so they can access some files they wouldn't normally have access to, it's still compromised even though no actual "hacking" has taken place.

    "But why should someone getting hold of your Elsevier credentials affect your local network? "

    Things seem to be getting confused here. Unless I'm very much mistaken, the AC above is referring to people getting unauthorised access to the login for the university network, which implies that people have access to other things over and above the Elsevier network.

    Apologies to all if I'm not reading it correctly, but I do read it as saying that he has concerns that coincide with Elsevier's claims but not necessarily parroting the stupidity. Although, even if that is what he's referring to, there may be licence and other issues to deal with - that is, they may be funding and not security related, but either way it's something an admin needs to deal with once the compromise has been detected.

  36. Scary Devil Monastery, 7 Jan 2022 @ 1:03am

    Re: Re: Re: Re: Re: Re: Re:

    I refer you to the sentence the AC led with; "Regarding the 'compromised security' claim. It's simply not true that the only ones complaining about it are publishers."

    This is where he gives credence to the "compromised security" claim from the publishers.

    As others have also noted, his reasoning is...a bit skewed in the importance he places on "bulk downloading".

    Yes, stolen credentials can be a hazard depending on the access those credentials provide.
    But I have enough of a background in both STEM and IT to tell you that the access allowing bulk downloads of scientific articles does not pose a threat to the network. That part is bullshit from start to end.

    A "threat" comes from credentials which allow vectors of attack or access to confidential documents. If the user network consists of more than ten people a presumptive attacker having similar access is already taken for granted and the network hardened against this precise eventuality.

    The thing which raises my hackles here is that the AC describes a situation which could never happen. The credentials "stolen" would be the access login to Elsevier's page - not the university network.

    There is only one thing threatening that university network - Elsevier going bananas over bulk downloads and demanding the university come down like a ton of bricks on whatever researcher shared their login and password to Elsevier's pages with undergrads and postdocs. A legal threat, nothing to do with security.

  37. PaulT, 7 Jan 2022 @ 1:25am

    Re: Re: Re: Re: Re: Re: Re: Re:

    There's multiple different types of compromised security on the table if you take into account the rest of his comment.

    "But I have enough of a background in both STEM and IT to tell you that the access allowing bulk downloads of scientific articles does not pose a threat to the network"

    That purely depends on how Active Directory or whatever is configured. It's perfectly feasible that the access granted to a user is done so via a role that contains other permissions, and that a role granted to a certain type of student would contain elevated permissions elsewhere. Perhaps they should be more granular, but my professional experience is that some companies do not do this for various reasons.

    "The credentials "stolen" would be the access login to Elsevier's page - not the university network"

    False. There are services available to allow SSO access to Elsevier without needing to use a different login. If the SSO login is compromised, then logically so are the services the SSO user has access to, even if under the hood they're separate logins.

  38. Scary Devil Monastery, 10 Jan 2022 @ 8:39am

    Re: Re: Re: Re: Re: Re: Re: Re: Re:

    "That purely depends on how Active Directory or whatever is configured. It's perfectly feasible that the access granted to a user is done so via a role that contains other permissions, and that a role granted to a certain type of student would contain elevated permissions elsewhere."

    I'd have a lot of doubt in setting up a university intranet in such a way that an elevated role would allow access to the backbone. The user roles do not possess dev access. That just doesn't happen.

    "False. There are services available to allow SSO access to Elsevier without needing to use a different login. If the SSO login is compromised, then logically so are the services the SSO user has access to, even if under the hood they're separate logins."

    ...which is why single sign-on is normally used to access any services considered built-in. If Elsevier is linking their login accounts to SSO then that's an extra headache for both the university IT department and Elsevier.

    If you want a smidgeon of security what you do is two-step verification. Which is how I have to access every third-party provider outside of the intranet with, for instance.

  39. PaulT, 11 Jan 2022 @ 11:37am

    Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:

    "The user roles do not possess dev access. That just doesn't happen."

    Let's just say that I've seen networks that prove you wrong. Very wrong.

    "...which is why single sign-on is normally used to access any services considered built-in."

    It really isn't. For example, my current company uses SSO to manage logins to Gitlab and numerous other external services.

    "If Elsevier is linking their login accounts to SSO then that's an extra headache for both the university IT department and Elsevier."

    ...if things go wrong. For normal daily operation it's a much lower overhead.

    "Which is how I have to access every third-party provider outside of the intranet with, for instance."

    Good for you on a personal level. Now, come back to me with the situation when you're managing tens of thousands of seats with minimal staff and a salesman who's convinced management that they'd rather spend their money on an SSO option than hire one extra employee.
