
Message from Kevin Guthrie, JSTOR's President (LONG)



This message is being forwarded to liblicense-l with the permission of
Kevin Guthrie of JSTOR.  It is a lengthy message and some of you, who are
JSTOR customers or publishers, will already have seen it.  Please feel
free to exercise a heavy finger on the DELETE key if so.

I asked if we could forward the item because, to my mind, the message is
not about JSTOR, though JSTOR is the example given.  It is about a much
larger and more fundamental issue, i.e., how and whether it is possible,
in these days of really sophisticated technologies and really smart
tekkies, for libraries (and third party aggregators) to know that the
information they have licensed for their purposes is being used in the
ways we have all promised publishers that it will be used.

We could here get into an argument about whether all information should or
shouldn't be free, which would likely be unproductive.  The real issue
immediately before all of us, who have relied increasingly on IP
authentication, is whether we can strengthen that authentication or
whether it is on its final legs as we need to move to a different method
in order to keep our contractual obligations to information providers.

I write this on an afternoon when, less than an hour ago, we received a
message from another scholarly publisher (not JSTOR) saying, "It has been
brought to our attention that a proxy server from your institution is
available for public use and is allowing access to the _________ to
unauthorized users.  The server at IP address ___________is thus operating
outside of the terms of our mutual license agreement."

We expect to see increasing numbers of these notices and our IT security
staff will, of course, immediately act to investigate and remove the
problem.

That said, where do we all go from here, or more to the point, how long
will it take us to get there?

Sincerely, Ann Okerson, liblicense-l moderator

PS. Should you choose to reply to this thread, which we hope you will,
please delete the long message below in your reply -- as otherwise our
listproc software will seize up once its daily quota has been met -- which
can happen very quickly under these circumstances!

---------- Forwarded message ----------
Date: Fri, 06 Dec 2002 15:05:16 -0500
From: JSTOR-INFO <jstor-info@umich.edu>
To: jstor-contacts@umich.edu, jstor-contacts2@umich.edu
Subject: Important Message from Kevin Guthrie, JSTOR's President

Dear JSTOR Librarians and Publishers,

I am writing today to alert you to a very disturbing development that
signals a new level of threat to institutional stewardship of
site-licensed electronic resources.  Up to now, the scholarly community
has been fortunate that there have been few large-scale efforts to gain
unauthorized access to electronic journals and other resources licensed by
colleges and universities. We regret to report that JSTOR has recently
experienced a sophisticated attack carefully designed to exploit
weaknesses in the community's present IP-address-based authentication
system to systematically and illegally download tens of thousands of
articles from the JSTOR archive.

As will be described in detail below, the attackers are gaining access to
JSTOR via unprotected proxy servers located on the campus networks of
JSTOR participating institutions and are illegally downloading large
numbers of articles.  Based on what we have learned, and the systematic
nature of the activity, we know that these techniques are being used to
access all manner of resources, not just JSTOR.  Faced with this more
threatening environment, we are convinced that it is in all of our
interests to increase our vigilance and put in place more secure
mechanisms to safeguard licensed resources.  The purpose of this message
is to provide a detailed description of our experience and what we have
learned in order to initiate a discussion of what might be the best ways
for the community to respond.  In an effort to provide as complete an
explanation as possible, aspects of this document are very technical.  
For your information we have posted background and explanatory materials
on this topic on our website at
http://www.jstor.org/resources/openproxies.html.

What Happened?
 
Over an extended period this fall, despite a variety of monitoring systems
that JSTOR has in place, an unauthorized user or users exploited
unprotected proxy servers located within the domains of participating
JSTOR sites to download illegally more than 51,000 articles from 11 JSTOR
journals (we have notified the affected publishers of this activity).  
Proxy servers, by way of background, are computers with access to the
Internet that are configured specifically to relay requests from one
machine on the network to another machine.  Proxies can serve a number of
legitimate purposes.  For example, in the case of electronic resources
authenticated by IP address, they are often used to provide remote access
to authorized faculty and students when they are away from the campus
network.  These proxies function acceptably as long as the appropriate
measures are taken to ensure that only authorized users are allowed access
to the proxies.

However, we are discovering that as proxy servers proliferate, many of
them are being set up without proper access restrictions.  It is not
uncommon, for example, for individual departments on campuses to maintain
their own proxies, or for students or staff to set up personal web servers
and to unknowingly establish an open machine.  When one of these
unrestricted proxy servers is assigned an IP number within a range to
which JSTOR has been instructed to allow access, literally anyone in the
world with access to the Internet can access JSTOR via this proxy.  These
so-called "open proxies" provide wide-open gateways to any resource
licensed using IP authentication on a campus network.

How Is It Done?

From what we have been able to reconstruct from web access logs and other
information, the attacker downloads lists of IP numbers of open proxy
servers from one of the many web sites that specialize in providing
information about open proxies.  Once they are obtained, these numbers are
tested to determine whether they are authorized for access to JSTOR.  For
IP numbers that pass that test, downloading of articles commences through
automated mechanisms.

During September, attempts to gain access to JSTOR through open proxies
were occurring daily.  On a peak day, for example, there were unauthorized
attempts to gain access to JSTOR through 23 different open proxies located
at JSTOR participating sites. Unfortunately, there are literally hundreds
of open proxies at authorized JSTOR sites, and new ones appear on a
regular basis, making the job of preventing unauthorized downloads a
difficult and never-ending one.

We hope our library participants will have patience with us as we continue
to take countermeasures to thwart these efforts.  We have had to take
pre-emptive action by suspending access to JSTOR through specific IP
addresses when we learn that they have been identified as being "open" and
when they have been targeted for unauthorized access to JSTOR.  Because
downloading content via open proxies can be automated and rapid, it is not
always possible for us to notify the affected institution in advance of
shutting off a particular IP address, as is our normal policy.  We will
continue, however, to contact institutions just as soon as we possibly
can.

Evidence of Widespread Use of this Technique

In researching open proxies, we have made some disturbing discoveries.  
The threat of open proxies has been recognized for some time in the web
community, but it does not appear that network administrators, librarians,
or content providers are aware that organized efforts are being employed
to gain unauthorized access to restricted campus resources through these
proxies.  By contrast, those who aim to take advantage of this
vulnerability are aware and are spreading the word.  This awareness is
sufficiently mature that there is a Google directory devoted to the topic
(http://directory.google.com/Top/Computers/Internet/Proxies/Free/). We
have also found web pages providing specific instructions for others to
help them exploit open proxies for particular restricted sites.  On our
web site we provide a copy of one such page, translated from its original
language, to illustrate how explicit these instructions can be
(http://www.jstor.org/resources/abuse.bible.pdf). We have edited the
translation slightly to protect the privacy of particular institutions and
resources and to avoid further promotion of these techniques.  The page
concludes with a table showing open IP addresses for a number of important
scholarly electronic resources. (If you are not located at a JSTOR
participating site, and are unable to access this page, please contact
jstor-info@umich.edu and we will be happy to send you a copy.)

This state of affairs is alarming, and the probability is high that
widespread, unauthorized use of licensed resources is taking place
continually. Unfortunately, as long as IP addresses remain the primary
authentication mechanism in use, and as long as open proxy servers
continue to proliferate, no technical solution implemented at the host
site can be 100% effective.

What can be done?

One reliable way to eliminate the problem posed by open proxies is to
migrate to more robust methods of authentication than that offered by IP
addresses.  There are a number of initiatives underway, most notably
Shibboleth (http://shibboleth.internet2.edu/) and the DLF-sponsored
project to develop a protocol to assist institutions in using digital
certificates to authenticate licensed resources
(http://www.diglib.org/architectures/digcert.htm), but these new
approaches will take quite some time to become widely adopted and used.  
JSTOR is familiar with both of these approaches and would be happy to work
with participating institutions that are ready to implement these
capabilities.  We encourage other resource providers to make their
resources compatible with these approaches as soon as practical.

Knowing that widespread use of a new authentication method is a year or
more away, we encourage all librarians and content providers to alert your
colleagues and constituents to the problem of unrestricted proxies.  
Networking staff at institutions have a vested interest in preventing
unauthorized intrusion into campus networks and should be concerned when
they hear about these efforts.  Some college and university systems groups
already scan their networks for various types of problem machines and we
suggest that unrestricted proxy servers should be added to those lists.  
Please don't hesitate to forward this message to your colleagues,
especially campus networking staff, and encourage them to contact us
directly at the email address below if that would be helpful.  I hope our
library participants will also consider contacting faculty and students at
your institutions to alert them to the problems of unrestricted proxies
and to warn them against installing them.

Perhaps the best step that could be taken in the near term would be to
create more controlled implementations of IP address authenticated access.  
Instead of authorizing all IP addresses in a campus domain, licensing
institutions can establish a limited number of machines through which all
campus access could be directed.  These machines could be configured as
closely monitored proxy servers that require users to authenticate
themselves as legitimate members of the campus community.  We are aware of
several campuses that have already enabled this form of controlled access.  
As with any security measure, there are trade-offs in convenience that
will have to be considered.  Still, this is one possible interim measure
that would help address the problem of open proxies as we migrate to a
more systematic authentication infrastructure.

More Information Available

As mentioned earlier, my aim in sending this message is to alert you to
what seems to be a new kind of challenge and to initiate a community
discussion about potential solutions.  JSTOR plans to conduct an
information session immediately following its regular ALA participants
meeting on Sunday, January 26 in Philadelphia.  We welcome our
participating publishers to attend this special session as well, and will
provide more details about that meeting to all our participants in a
future message.

Please contact us at jstor-info@umich.edu if you have thoughts, questions,
or further information to share.  Although it will take considerable
effort by campuses and content providers, we are optimistic that we will
overcome the problem raised by unrestricted proxies.  It is probably worth
noting, however, that we will not be able to "solve" the problem of others
making a concerted effort to access content illegally.  If our present
experience is any indication, the motivation to access these resources by
illegal methods is substantial and persistent.  Measures taken to thwart
the attackers were met with clever countermeasures.  It appears that we
have crossed into a more aggressively threatening environment where
sophisticated efforts to gain unauthorized access to licensed resources
must be anticipated.  A new and sustained level of vigilance is going to
be required in this new environment.

Thank you for reading this long message and for your attention to this
important problem.

Sincerely,

Kevin M. Guthrie
President 
JSTOR
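
An added example, not part of the forwarded message and not JSTOR's code: a campus-side audit of one proxy's access log for the condition described under "What Happened?", where clients outside the campus ranges reach a licensed host through the proxy. The log format, address ranges, host list and sample lines are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Assumed values: a documentation range stands in for the campus network,
# and the licensed-host list is a local choice.
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]
LICENSED_HOSTS = {"www.jstor.org"}

# Constructed sample lines in an assumed format:
# "<ISO time> <client ip> <method> <url> <status>"
SAMPLE_LOG = """\
2002-09-14T02:11:05 192.0.2.17 GET http://www.jstor.org/view/a1 200
2002-09-14T02:11:06 203.0.113.9 GET http://www.jstor.org/view/a2 200
2002-09-14T02:11:07 203.0.113.9 GET http://www.jstor.org/view/a3 200
2002-09-14T02:11:08 198.51.100.4 GET http://example.org/index.html 200
2002-09-14T02:11:09 198.51.100.4 GET http://WWW.JSTOR.ORG/view/a4 200
2002-09-14T02:11:10 203.0.113.9 GET http://www.jstor.org/view/a5 403
this line is damaged
"""

def is_campus(ip, nets=CAMPUS_NETS):
    """True when the client address falls inside an authorized campus range."""
    return any(ip in net for net in nets)

def audit_proxy_log(text, nets=CAMPUS_NETS, hosts=LICENSED_HOSTS):
    """Return (off-campus client -> successful licensed requests, skipped lines)."""
    relayed, skipped = Counter(), 0
    for line in text.splitlines():
        try:
            _, client, _, url, status = line.split()
            ip = ipaddress.ip_address(client)
            host = (urlsplit(url).hostname or "").lower()
            code = int(status)
        except ValueError:  # wrong field count, bad address or bad status
            skipped += 1
            continue
        # A successful licensed request from outside campus means the proxy
        # is lending its authorized IP address to an unauthenticated client.
        if host in hosts and 200 <= code < 300 and not is_campus(ip, nets):
            relayed[str(ip)] += 1
    return relayed, skipped

if __name__ == "__main__":
    hits, bad = audit_proxy_log(SAMPLE_LOG)
    for client, n in hits.most_common():
        print(f"off-campus client {client}: {n} licensed requests relayed")
    print(f"{bad} unparseable line(s) skipped")
```

Any non-empty result means the proxy accepts clients it should not; the remedy is the access restriction the message describes, not a longer block list.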