Security, Safety, SeamlessAccess – The Scholarly Kitchen

“Last year SeamlessAccess™, a joint initiative run by GÉANT, Internet2, NISO and STM, went into beta-mode. In light of the pandemic, that turned out to be very timely – as testified by implementers of the service seeing increases of 150% to 300% for this type of off-campus use. SeamlessAccess is based on federated identity management (FIM) and uses SAML as the underlying technology (Security Assertion Markup Language, an open standard designed for secure single sign-on). It offers a modern alternative to long-standing but less flexible and somewhat outmoded IP-based access solutions through a privacy-protecting, secure single sign-on service. Previous posts in The Scholarly Kitchen already gave an inside view on the benefits of federated access, shared data on huge growth in federated authentication at the start of the pandemic, and shone a light on the strategic benefits of identity management and federated authentication for scholarly publishers.

Recently, questions have been posed whether FIM and SAML are, in fact, as secure and privacy-safe as often claimed. In response, the project team behind SeamlessAccess explains why the answer is simply “Yes”….”

genomeRxiv: a microbial whole-genome database for classification, identification, and data sharing

“genomeRxiv is a newly-funded US-UK collaboration to provide a public, web-accessible database of public genome sequences, accurately catalogued and classified by whole-genome similarity independent of their taxonomic affiliation. Our goal is to supply the basic and applied research community with rapid, precise and accurate identification of unknown isolates based on genome sequence alone, and with molecular tools for environmental analysis….”

The Public Should Have Access to the Surveillance Court’s Opinions

“For decades, a special court—the Foreign Intelligence Surveillance Court, or “FISC”—has issued secret legal opinions authorizing the U.S. government to conduct sweeping programs of electronic surveillance. These opinions have had a profound impact on Americans’ rights to privacy, free expression, and free association. But many of them are entirely hidden from public view….”

Is SeamlessAccess Secure Enough? – The Geyser — Hot Takes & Deep Thinking on the Info Economy

“SeamlessAccess — the main result of the work around RA21 — is currently in beta. The goal of SeamlessAccess is to allow people to log in to content purchased by their employer or institution no matter where they are, using a technology stack that achieves “an optimal balance between security and usability.” A big part of this is a reliance on the Security Assertion Markup Language (SAML)….”

Do Right By Your (Research) Data: 2021 Intellectual Property Speaker Series – MIT Events

“Congratulations—you’ve got research data! This session will walk you through the dos and don’ts associated with research data and artifacts, the associated bits of information necessary to understand research data. These can include structured data, images, unstructured data, metadata, analysis scripts, analysis environment, and much more. 

Amy Nurnberger, Program Head for Data Management Services at MIT Libraries, will cover the tools and resources available to you for making decisions about your research data (and associated bits) with regard to use agreements, security requirements, and copyright and licensing. We’ll also explore some case studies and do a practical applications exercise.”

45 million medical scans from hospitals all over the world left exposed online for anyone to view – some servers were laced with malware • The Register

“Two thousand servers containing 45 million images of X-rays and other medical scans were left online during the course of the past twelve months, freely accessible by anyone, with no security protections at all.

Or so says research by CybelAngel, which sells a Digital Risk Protection Platform. Not only was the sensitive personal information unsecured, but malicious folk had also accessed those servers and poisoned them with apparent malware, the company added….”

Cyber AI firm helps Vatican digitize its library archives – Axios

“A cybersecurity firm is working with the Vatican to defend its priceless collection of digitized writings from hacking efforts.

Why it matters: Digitizing library archives can provide an invaluable backup should the originals be lost or destroyed, but they’re also vulnerable to cyberattacks. Without stout defenses, digital libraries can be looted or even vandalized….”

User Behavior Access Controls at a Library Proxy Server are Okay | Disruptive Library Technology Jester

“The webinar where Cory presented was the first mention I’d seen of a new group called the Scholarly Networks Security Initiative (SNSI). SNSI is the latest in a series of publisher-driven initiatives to reduce the paywall’s friction for paying users or library patrons coming from licensing institutions. GetFTR (my thoughts) and Seamless Access (my thoughts). (Disclosure: I’m serving on two working groups for Seamless Access that are focused on making it possible for libraries to sensibly and sanely integrate the goals of Seamless Access into campus technology and licensing contracts.)…”

WHOIS behind SNSI & GetFTR? | Motley Marginalia

“I question whether such rich personally identifiable information (PII) is required to prevent illicit account access. If it is collected at all, there are more than enough data points here (obviously excluding username and account information) to deanonymize individuals and reveal exactly what they looked at and when, so it should not be kept on hand too long for later analysis.

Another related, though separate endeavor is GetFTR which aims to bypass proxies (and thereby potential library oversight of use) entirely. There is so much which could be written about both these efforts and this post only scratches the surface of some of the complex issues and relationships affected by them.

The first thing I was curious about was, who is bankrolling these efforts? They list the backers on their websites but I always find it interesting as to who is willing to fund the coders and infrastructure. I looked up both GetFTR and SNSI in the IRS Tax Exempt database as well as the EU Find a Company portal and did not find any results. So I decided to do a little more digging matching WHOIS data in the hopes that something might pop out; nothing interesting came of this, so I put it at the very bottom….

It should come as no surprise that Elsevier, Springer Nature, ACS, and Wiley – which previous research has shown are the publishers producing the most research downloaded in the USA from Sci-Hub – are supporting both efforts. Taylor & Francis presumably feels sufficiently threatened such that they are along for the ride….”

Academics band together with publishers because access to research is a cybercrime | chorasimilarity

“This is the world we live in. That is what I understand from reading about the Scholarly Networks Security Initiative and its now famous webinar, via Bjorn Brembs’ October post.

I just found this, after the post I wrote yesterday. I had no idea about this collaboration between publishers and academics to put spyware on academic networks for the benefit of publishers.

What I find worrying is not that publishers, like Elsevier, Springer Nature or Cambridge University Press, want to protect their business against the Sci-hub threat. This is natural behaviour from a commercial point of view. These businesses (not sure about CUP) see their activity attacked, so they fight back to keep their profit up.

The problem is with the academics. Why do they help the publishers? For whose benefit?…”