Slashdot Mirror


Dealing w/ Copying of Online Articles via Open Proxies?

Creosote asks: "Concerns about piracy are no longer just for the big commercial media outfits. JSTOR, one of the major repositories and distributors of online versions of scholarly journals, has been hit by crackers taking advantage of open proxy servers to download about 51,000 articles from 11 JSTOR journals. Even nonprofit academic publishers rely on income from publications to exist, so the spectre of large-scale unauthorized copying is legitimately scary to them. In a letter to librarians and publishers, the president of JSTOR notes that while the "threat of open proxies has been recognized for some time in the web community...it does not appear that network administrators, librarians, or content providers are aware that organized efforts are being employed to gain unauthorized access to restricted campus resources" through them. I work for a nonprofit publisher (a university press) that will soon be making peer-reviewed digital projects available online, and they can't all be given away for free, so this hits close to home. Are there better solutions than turning into an attack dog, ala the RIAA and the MPAA?"


  1. Check all allowed IPs from open proxies by joebp · · Score: 4, Insightful
    From the page: We're sorry. You do not have access to JSTOR from your current location.
    It seems they have some whitelist of allowed IPs. Why not just traverse this once every so often and look for open proxies?
    Slash said: You can't post to this page.
    Another retarded open proxy problem :-(
    1. Re:Check all allowed IPs from open proxies by aminorex · · Score: 5, Informative

      Open proxies are crucial to the survival of political
      freedom.
      It's just a wrong-headed approach to access
      control, filtering by IP. The correct approach to
      access control is to require a controlled token
      to connect. An IP address is not a controlled
      token, and using it as one, as JSTOR does, is
      incompetent web service design.

      --
      -I like my women like I like my tea: green-
  2. Probably no intention to resell by Futurepower(R) · · Score: 4, Insightful


    The people who stole the articles probably have no intention to resell them. Probably, they were just doing it because they could. The articles will sit on some hard drive somewhere, and eventually be deleted.

    It would be impossible to resell the articles without revealing who stole them. Also, would you want an article from an unknown source, that could have changed it?

  3. Secure the origin server properly. by lifeless · · Score: 5, Informative

    I'm not sure where focus on IP address issues has come from... but RFC 2616 and RFC 2617 explicitly discuss secure access to WWW entities, and IP addresses are not the key.

    IP address restrictions are of only limited use, due to HTTP's stateless behaviour. As I've noted in another post, chains of proxies will quickly eliminate any IP based restrictions.

    Some steps that JSTOR could take include adding cache-control headers (must-revalidate comes to mind) to prevent cache hits occurring without the JSTOR server's knowledge, and thus allow them to perform partial validation on the actual client (i.e. by checking the Via header). Note that checking the Via header is less-than-secure, but better than simply trusting the customer's proxy to be secure.

    Secondly, use authentication - assign a username and password to the content, using (say) Digest authentication, which is proxy friendly. Mark the content as explicitly cachable with revalidation, and you will get 1 If-Modified-Since request per download from proxies, and be able to check the user details each time. There would be an administrative issue with this, but I'll leave creative approaches to that as an exercise.
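
Added example, not part of the comment above and not JSTOR's code: a sketch of the origin-server logic that comment describes, where RFC 2617 Digest credentials are verified before any conditional request is answered, so a proxy revalidating with If-Modified-Since gets a 304 only for an authenticated user. The realm, user, nonce, timestamp and function names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

REALM = "journal-archive"                        # assumed realm name
USERS = {"reader1": "correct horse"}             # constructed credential store
LAST_MODIFIED = "Tue, 01 Oct 2002 00:00:00 GMT"  # constructed timestamp
# Fixed nonce keeps the demo deterministic; a real server issues fresh,
# expiring nonces and tracks nc to reject replays.
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, password, method, uri, nc, cnonce):
    """RFC 2617 request-digest for qop=auth."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{NONCE}:{nc}:{cnonce}:auth:{ha2}")

def client_authorization(user, password, method, uri, nc="00000001", cnonce="0a4f113b"):
    """Header a client (possibly behind a proxy) sends after the 401 challenge."""
    resp = digest_response(user, password, method, uri, nc, cnonce)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{NONCE}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')

def parse_digest(header):
    if not header.startswith("Digest "):
        return {}
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header[7:])
    return {key: quoted or bare for key, quoted, bare in pairs}

def authenticated(method, uri, headers):
    p = parse_digest(headers.get("Authorization", ""))
    password = USERS.get(p.get("username"))
    if password is None or p.get("nonce") != NONCE or p.get("uri") != uri or p.get("qop") != "auth":
        return False
    want = digest_response(p["username"], password, method, uri, p.get("nc", ""), p.get("cnonce", ""))
    return hmac.compare_digest(want.encode(), p.get("response", "").encode())

def handle(method, uri, headers):
    """Origin-server decision for one request; credentials are checked before any 304."""
    if not authenticated(method, uri, headers):
        challenge = f'Digest realm="{REALM}", qop="auth", nonce="{NONCE}"'
        return 401, {"WWW-Authenticate": challenge}, b""
    out = {"Cache-Control": "max-age=0, must-revalidate", "Last-Modified": LAST_MODIFIED}
    if headers.get("If-Modified-Since") == LAST_MODIFIED:
        return 304, out, b""   # proxy may now serve its cached copy to this user
    return 200, out, b"<article bytes>"
```

Because the response is marked `max-age=0, must-revalidate`, a shared cache has to contact the origin on every download, and the client's source IP address plays no part in the decision.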

  4. Idea for alternate academic peer review... by Syntari · · Score: 4, Interesting
    I wonder if they could shift to a slashdot-type system... Post an article, then let any accredited reader moderate it. Initially, set moderation strength based on number of articles the particular reader has published in the relevant journals (weighting them for prestige of the journal)... after that, set moderation strength according to karma, which you get by posting an article and having it moderated upwards.

    One can imagine various enrichments to this model (e.g., allowing a reviewer to go back and change his opinion of the article if he finds he cannot replicate the results in his laboratory), but I think you get the basic idea. Having everything in the open domain will indeed shut down the revenue for academic journals, but that doesn't mean that the time-honored system of peer review has to go down the drain, it just needs to be updated.

    (Note: Reviewers who haven't yet published anything, and who do not have tenure at a recognized academic institution, will be awarded zero moderation strength; this is still a closed system for academics, even though it is based on openness. The usual disclaimers for strength of encryption - to ensure no impersonations - apply.)

  5. Re:Perhaps this is the first chink . . . by reallocate · · Score: 5, Interesting

    How do you know that someone has already "paid for" the papers? Seems to me that charging a fee for a paper is a good way of acquiring revenue to keep the operation going.

    And, yes, anyone with access to a web server can publish, but I certainly wouldn't want my papers "peer" reviewed by an amorphous mob of unknown readers. Consider the puerile banalities that pass for comments here on Slashdot.

    --
    -- Slashdot: When Public Access TV Says "No"