Slashdot Mirror


Investigation Reveals How Easy It Is To Hijack a Science Journal Website (sciencemag.org)

sciencehabit writes: With 20,000 journal websites producing millions of articles — and billions of dollars — it was probably inevitable that online criminals would take notice. An investigation by Science magazine finds that an old exploit is being used on academic publishers: domain snatching and website spoofing. The trick is to find the tiny number of journals whose domain registration has lapsed at any given time. But how do they track their prey? Science correspondent and grey-hat hacker John Bohannon (the same reporter who submitted hundreds of computer-generated fake scientific papers in a journal sting) proposes a method: Scrape the journal data from Web of Science (curated by Thomson Reuters) and run WHOIS queries on their URLs to generate an automatic hijack schedule.

He found 24 journals indexed by Thomson Reuters whose domains were snatched over the past year. Most are under construction or for sale, but 2 of them now host fake journals and ask for real money. And to prove his point, Bohannon snatched a journal domain himself and Rickrolled it. (It now hosts an xkcd cartoon and a link to the real journal.) Science is providing the article describing the investigation free of charge, as well as all the data and code. You can hijack a journal yourself, if you're so inclined: An IPython Notebook shows how to scrape Web of Science and automate WHOIS queries to find a victim. Science hopes that you return the domains to the real publishers after you snatch them.

18 comments

  1. Hopefully the publishers learn a thing or two by Anonymous Coward · · Score: 1

    I hope this is a wake-up call to publishers to protect their intellectual properties.

    What worries me is when bank mergers, etc. lead to financial data compromises in this way.

  2. xkcd by Anonymous Coward · · Score: 1

    Because it's the question that everyone is probably going to have, the xkcd in question is #722, "Computer Problems".

    1. Re:xkcd by Anonymous Coward · · Score: 0

      Oh, and the journal in question is the "Journal of Contemporary Art" (Zivot Umjetnosti), which is so meta.

  3. The real story here is... by Lab+Rat+Jason · · Score: 3, Insightful

    Why would you trust a journal that is so incompetent that they can't maintain something as simple as a domain?

    --
    Which has more power: the hammer, or the anvil?
    1. Re:The real story here is... by ole_timer · · Score: 1

      +1

      --
      nothing to see here - move along
    2. Re: The real story here is... by Anonymous Coward · · Score: 0

      Domain knowledge. I am okay with biologists who focus on fiendishly complex cellular details not being state of the art on best practices. While your doctor may be smart you don't necessarily expect them to be good at fixing your car. A computer security journal with the same issue? That indicates a fundamental lacking.

    3. Re: The real story here is... by Lab+Rat+Jason · · Score: 1

      You're forgetting the part where they're running a journal on the internet.

      --
      Which has more power: the hammer, or the anvil?
  4. Run A Shady Business, Meet Shady People by Anonymous Coward · · Score: 4, Interesting

    Academic publishing long since passed from being a respectable enterprise, or even a respectable business, and now sits somewhere between an adult emporium and an App Store. The race to the bottom in standards, quality, ethics coupled to the soaring price and universal and ruthless exploitation(*) of academics has given the industry the reputation of a midnight casino chain. And lo and behold, here arrive actual criminals, looking to rip off joints, as well as asking for protection money if not outright laundering funds. And like any shady operation, publishers shouldn't expect much help from police to help keep their opium emporium running.

    (*)Such exploitation can be, much in the same way as a drug addict's addiction, a matter of contentious perspective. Academics themselves are not blameless for allowing this situation to arise.

    1. Re:Run A Shady Business, Meet Shady People by AthanasiusKircher · · Score: 1

      Academics themselves are not blameless for allowing this situation to arise.

      True, and some academics have taken it upon themselves to found new independent open-access journals and such. We just had a story here about it a couple weeks ago.

      The problem is for junior academics, or those still looking to obtain a better job, you don't really have much choice in the matter assuming you want to keep your grants and labs and get tenure. In most fields, there are "high impact" journals, and grant review boards and tenure review committees look for those journals. Publishing in some new-fangled journal with no history or reputation will just lead those doing job reviews to scratch their heads... not to mention that your work is less likely to be cited if it's read by nobody because people in your field don't even know about this new journal.

      I agree with you that academics should take a more active role in dismantling this system. But the reality is that the academics who depend on journals aren't really in a place to break out of the system without potentially jeopardizing their careers, while those academics who are already senior enough and/or famous enough to not have to worry about that also have better things to do with their time... like actually doing important research.

      Publishing nowadays is sort of a "necessary evil" in science. The reality is that academics mostly know others in their subdisciplines and can share work directly and instantly via email or whatever, making journals less important than they were years ago for actual progress of science.

      If anything, I'd also blame the gradual shift in higher education toward scoring job performance based on publication numbers and "impact" scores, which is partly coming through administration (demanding a sort of standard metric to evaluate whom to hire and to tenure). I've seen many situations where beloved professors who are great teachers, great assets to the university community (in terms of service, collegiality, etc.), great mentors who have probably mentored more students to publish reams of stuff, etc. were kicked out the door because they didn't publish enough or in high-enough profile publications. Three of the smartest people I know in one field were denied tenure, sometimes at multiple universities, for this reason.

      So until there's a systematic change, it's hard for individual academics to stand up and refuse to participate in this publication game or to radically alter it on their own.

  5. Nobody cares by ArchieBunker · · Score: 2

    If this can happen and no one notices, are these paper sites that important in the first place?

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  6. yahweh did it in 5 words by ole_timer · · Score: 1

    I am who I am

    --
    nothing to see here - move along
  7. Public access to expiration dates? by RoverDaddy · · Score: 2

    Obviously this works because the domain system has been designed so that domain expiration dates are visible to the public. Is there any compelling public interest in making this so? Perhaps this was one of those decisions made during a more naive, simple time on the internet, that needs to be revisited.

    --
    RETURN without GOSUB in line 1050
  8. Re: Your sig by HiThere · · Score: 0

    When the government is as trustworthy as God, I'll be comfortable with them knowing as much about me as God does.

    The government is actually MORE trustworthy than God. Sorry about that.

    P.S.: I don't mean to imply the government is trustworthy. Or, come to that, that God actually knows much about you.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  9. Re: Your sig by Lab+Rat+Jason · · Score: 2

    Seems you put a lot of doublespeak into something that simply could have been stated as "I don't believe in God"... or did you mean to imply that you, not believing in God, would still prefer to whisper your secrets to your government rather than echo them to /dev/null/?

    --
    Which has more power: the hammer, or the anvil?
  10. Re: Your sig by KGIII · · Score: 1

    Yes, but for a brief moment, they felt important and that their opinion mattered. Of course, one might also ask, why else post if not for those reasons? We're not altruists, no matter how much we'd like to pretend we are.

    --
    "So long and thanks for all the fish."
  11. Re: Your sig by HiThere · · Score: 1

    The thing is, I *do* believe in gods, for a reasonable definition of god. I just don't believe they're infallible or all-knowing (or that they have even vaguely human perceptions or purposes). And I think that the thing I'm talking about is the same thing that those who claim direct contact with gods are talking about.

    I classify these things as gods, but also as common underpinnings of thoughts on a species, and occasionally genera-wide commonality. They are the strata of thought that Jung glimpsed and called Archetypes, but to think of them as psychological is to misunderstand them. We do not see the world, we "see" the dreams of these gods, which can be mapped to the world only via a lossy transform. But because they are common to the species, others will see the same dream, from a different perspective, of course. And please understand that dream is a metaphor. The gods never exactly dream. But they *do* make mistakes. More mistakes as we move away from the environment within which they evolved.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.