“I speak from some experience here, as Google’s services are attacked every day. And yet we keep more people safe than anyone else in the world. We do that by looking at security through a collective lens, leveraging open frameworks, and relying heavily on secure open-source software.”
Category Archives: oa.security
Integrity and security in the global research ecosystem
“Open and transparent communication and dissemination of scientific information and data and sharing of research materials are essential for the global science ecosystem to operate effectively….
However, new challenges and threats are emerging as some governments and non-state actors exhibit increasingly forceful efforts to unfairly exploit and distort the open research environment for their own interests. Many countries now consider unauthorised information transfer and foreign interference in public research as a serious national and economic security risk and a threat to freedom of scientific research….
Hence, the aim of the project was to identify good practices to safeguard national and economic security whilst protecting freedom of enquiry, promoting international research cooperation, and ensuring openness and non-discrimination….”
Biosecurity in an age of open science
Abstract: The risk of accidental or deliberate misuse of biological research is increasing as biotechnology advances. As open science becomes widespread, we must consider its impact on those risks and develop solutions that ensure security while facilitating scientific progress. Here, we examine the interaction between open science practices and biosecurity and biosafety to identify risks and opportunities for risk mitigation. Increasing the availability of computational tools, datasets, and protocols could increase risks from research with misuse potential. For instance, in the context of viral engineering, open code, data, and materials may increase the risk of release of enhanced pathogens. For this dangerous subset of research, both open science and biosecurity goals may be achieved by using access-controlled repositories or application programming interfaces. While preprints accelerate dissemination of findings, their increased use could challenge strategies for risk mitigation at the publication stage. This highlights the importance of oversight earlier in the research lifecycle. Preregistration of research, a practice promoted by the open science community, provides an opportunity for achieving biosecurity risk assessment at the conception of research. Open science and biosecurity experts have an important role to play in enabling responsible research with maximal societal benefit.
Making Science More Open Is Good for Research—but Bad for Security
But a new paper in the journal PLoS Biology argues that, while the swell of the open science movement is on the whole a good thing, it isn’t without risks.
Though the speed of open-access publishing means important research gets out more quickly, it also means the checks required to ensure that risky science isn’t being tossed online are less meticulous. In particular, the field of synthetic biology—which involves the engineering of new organisms or the reengineering of existing organisms to have new abilities—faces what is called a dual-use dilemma: that while quickly released research may be used for the good of society, it could also be co-opted by bad actors to conduct biowarfare or bioterrorism. It also could increase the potential for an accidental release of a dangerous pathogen if, for example, someone inexperienced were able to easily get their hands on a how-to guide for designing a virus. “There is a risk that bad things are going to be shared,” says James Smith, a coauthor on the paper and a researcher at the University of Oxford. “And there’s not really processes in place at the moment to address it.”
A Librarian’s Perspective on Sci-Hub’s Impact on Users and the Library
Abstract: On December 19, 2019, The Washington Post reported that the U.S. Justice Department is investigating the founder and operator of Sci-Hub Alexandra Elbakyan on suspicion of working with Russian intelligence to steal U.S. military secrets from defense contractors. The article further discusses Sci-Hub’s methods for acquiring the login credentials of university students and faculty “to pilfer vast amounts of academic literature.” This has long been public knowledge. But the confirmation of Sci-Hub potentially working with Russian intelligence was major news. Both fronts of the Sci-Hub assault on stealing intellectual property are concerning. Since many academic researchers and their employers routinely receive defense contracts to perform sensitive research, the article helped posit that offering free access to academic research articles is perhaps a Trojan Horse strategy for Sci-Hub. To add to The Washington Post’s report, we sought out individuals at universities with a vantage point on Sci-Hub’s activities to see if there is independent evidence to support the report. We spoke to Dr. Jason Ensor who at the time of this interview was Manager, Engagement Strategy and Scholarly Communication, Library Systems at Western Sydney University Library in Australia. Ensor holds four degrees in related critical thinking fields and is an experienced business professional in software development, data scholarship and print publishing. He is also a distinguished speaker on digital humanities and linked fields, presenting regularly in national and international forums.
Evolving How We Share Rapid7 Research Data | Rapid7 Blog
“In the spring of 2018, we [Rapid7] launched the Open Data initiative to provide security teams and researchers with access to research data generated from Project Sonar and Project Heisenberg. Our goal for those projects is to understand how the attack surface is evolving, what exposures are most common or impactful, and how attackers are taking advantage of these opportunities. Ultimately, we want to be able to advocate for necessary remediation actions that will reduce opportunities for attackers and advance security. This is also why we publish extensive research reports highlighting key security learnings and mitigation recommendations.
Our goal for Open Data has been to enable others to participate in these efforts, increasing the positive impact across the community. Open Data was an evolution of our participation in the scans.io project, hosted by the University of Michigan. Our hope was that security professionals would apply the research data to their own environments to reduce their exposure and researchers would use the data to uncover insights to help educate the community on security best practices….
Yet IP addresses make up a significant portion of the data being shared in our security research data. While we believe there is absolutely a legitimate interest in processing this kind of data to advance cybersecurity, we also recognize the need to take appropriate balancing controls to protect privacy and ensure that the processing is “necessary and proportionate” — per the language of Recital 4….”
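One concrete form such a balancing control can take is keyed pseudonymization of the IP addresses before a dataset is published: keep a coarse network prefix in the clear for aggregate analysis, replace the host with an HMAC token so records for the same host stay joinable within a release, and check the bundle for leaked raw addresses before it goes out. The example below is added here to illustrate that idea; it is not Rapid7's code and does not describe what Open Data actually does. The sample records, the release key, and the prefix lengths are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import json
import re

# Constructed sample records in the shape of an internet-wide scan result set.
# Addresses are from documentation ranges (RFC 5737 / RFC 3849), not real hosts.
SAMPLE_RECORDS = [
    {"ip": "203.0.113.45", "port": 443, "service": "https"},
    {"ip": "203.0.113.45", "port": 22, "service": "ssh"},
    {"ip": "203.0.113.46", "port": 80, "service": "http"},
    {"ip": "198.51.100.7", "port": 25, "service": "smtp"},
    {"ip": "2001:db8::1", "port": 443, "service": "https"},
]

# Hypothetical per-release secret: generate with os.urandom(32), keep it out of the
# published bundle, and rotate it per release so tokens are not linkable across releases.
RELEASE_KEY = b"example-release-key-rotate-me"

# Prefix length kept in the clear, per IP version, for aggregate analysis (assumed values).
KEEP_PREFIX = {4: 24, 6: 48}


def pseudonymize_ip(ip_text, key, token_bytes=8):
    """Split an address into a coarse network (kept) and a keyed host token.

    The token is HMAC-SHA256(key, packed address) truncated to token_bytes. The same
    host always yields the same token within one release, so records stay joinable.
    A plain unkeyed hash is avoided on purpose: the IPv4 space (2^32 values) can be
    enumerated to invert it, whereas without the key the token reveals nothing.
    """
    addr = ipaddress.ip_address(ip_text)
    network = ipaddress.ip_network(f"{addr}/{KEEP_PREFIX[addr.version]}", strict=False)
    token = hmac.new(key, addr.packed, hashlib.sha256).digest()[:token_bytes].hex()
    return {"network": str(network), "host_id": token}


def prepare_release(records, key):
    """Return copies of the records with the raw 'ip' replaced by its pseudonymized form."""
    released = []
    for rec in records:
        clean = {k: v for k, v in rec.items() if k != "ip"}
        clean.update(pseudonymize_ip(rec["ip"], key))
        released.append(clean)
    return released


def leaked_addresses(original_records, released_records):
    """Pre-publication check: which original addresses still appear verbatim in the release?

    The lookahead stops a kept prefix such as 203.0.113.0/24 from being mistaken for a
    host address, and stops 203.0.113.4 from matching inside 203.0.113.45.
    """
    dump = json.dumps(released_records)
    leaked = set()
    for rec in original_records:
        canonical = str(ipaddress.ip_address(rec["ip"]))
        if re.search(re.escape(canonical) + r"(?![0-9a-fA-F:./])", dump):
            leaked.add(canonical)
    return leaked


if __name__ == "__main__":
    release = prepare_release(SAMPLE_RECORDS, RELEASE_KEY)
    print(json.dumps(release, indent=2))
    print("leaked:", leaked_addresses(SAMPLE_RECORDS, release) or "none")
```

The trade-off is explicit in the two parameters: a longer kept prefix makes the data more useful for per-network analysis and less private, and the release key decides whether hosts can be correlated across releases. Truncating the HMAC to 8 bytes keeps collisions negligible at scan scale while making the tokens shorter than the addresses they replace.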
Protecting the integrity of Government Science
“Coordination is needed with related policy domains, including open science, which enhances transparency into research processes and outputs….
Efforts to implement open science can make more of the process and outputs of scientific research freely and readily accessible to other scientists, engineers, policymakers, students and educators, and the general public, while maintaining needed protections of national security, personal privacy, and other sensitive information. By making research publications, study data, analytical software and code, and study protocols more readily available for inspection and reuse—as Federal science agencies are currently doing—open science affords new opportunities to detect instances of interference, mischaracterization, and other policy violations. As such, open science is an essential enabler of scientific integrity….
Open science policies and practices provide transparency to help ensure that publications, data, and other outputs of Federally funded research are readily available to other researchers, innovators, students, and the public (taking into consideration legal and ethical limitations on access, such as national security and privacy)….
Facilitate free flow of scientific and technological information, by availability online in open formats and, where appropriate, including data and models underlying regulatory proposals and policy decisions…. ”
Academic Journal Claims it Fingerprints PDFs for ‘Ransomware,’ Not Surveillance | Vice
by Lorenzo Franceschi-Bicchierai
Elsevier embeds a unique code in every academic journal article users download. Security researchers fear this could be used to identify people who share PDFs.
Beyond Copyright: the Ethics of Open Sharing | by Josie Fraser | Creative Commons: We Like to Share | Nov, 2021 | Medium
“In a world where internet and mobile technologies are mainstream, communities, groups and organisations routinely produce materials in a wide range of digital formats. This position paper looks at some of the ways in which the impacts of openly sharing these materials, or deciding not to, is an ethical decision. This paper also looks at some of the ways in which sharing openly can be considered in terms of an organisational commitment to social responsibility….
The decision to share openly (or not) is an ethical decision….”
BALANCING OPEN SCIENCE AND SECURITY IN THE U.S. RESEARCH ENTERPRISE
A hearing before the US House Subcommittee on Investigations and Oversight and Subcommittee on Research and Technology.
SDSC’s Open Science Chain Awarded $500,000 NSF Grant
The Open Science Chain program at the San Diego Supercomputer Center (SDSC) at UC San Diego has been awarded a $500,000 National Science Foundation (NSF) grant for providing a secure method to efficiently share and verify data and metadata while maintaining privacy restrictions necessary for the reuse of the scientific data.
Interview: John Arquilla, “Bitskrieg”
“Q: Science is moving to a more “open” attitude, with some advocating making machine-readable data, all research findings, and even preliminary research openly available. From your standpoint, and given the reality of power balances in the world, does this seem advisable? Who benefits? Who loses?
Arquilla: I like the idea of more sharing, because doing so will enhance human welfare. But perhaps not in all areas, defense being a particular exception, and a number of competitive commercial areas being general exceptions. My colleague David Ronfeldt and I long ago identified a posture of “guarded openness” as an approach that encourages sharing wherever possible, preclusiveness where necessary. …”
Research Security, Collaboration, and the Changing Map of Global R&D
“The open research system, with its expanding rates of investment and interconnectedness, has delivered tremendous benefits to many nations, but it has also created new challenges to research integrity and security. Our data shows significant variations across countries in how much, and in what ways, they rely on their collaborative links to the global research network. A more nuanced understanding of those differences is critical for assessing the unique cost/benefit calculations behind decisions to limit open engagement to address security concerns….
But with a number of countries eschewing the post-World War II norms of that global research system, [the open research system] is also being manipulated through means such as foreign interference, theft of intellectual property, and breaches of research integrity….”
Security, Safety, SeamlessAccess – The Scholarly Kitchen
“Last year SeamlessAccess™, a joint initiative run by GÉANT, Internet2, NISO and STM, went into beta-mode. In light of the pandemic, that turned out to be very timely – as testified by implementers of the service seeing increases of 150% to 300% for this type of off-campus use. SeamlessAccess is based on federated identity management (FIM) and uses SAML as the underlying technology (Security Assertion Markup Language, an open standard designed for secure single sign-on). It offers a modern alternative to long-standing but less flexible and somewhat outmoded IP-based access solutions through a privacy-protecting, secure single sign-on service. Previous posts in The Scholarly Kitchen already gave an inside view on the benefits of federated access, shared data on huge growth in federated authentication at the start of the pandemic, and shone a light on the strategic benefits of identity management and federated authentication for scholarly publishers.
Recently, questions have been posed whether FIM and SAML are, in fact, as secure and privacy-safe as often claimed. In response, the project team behind SeamlessAccess explains why the answer is simply “Yes”….”