JSTOR Participants' Meeting and Open Proxy Information Session

Further to the discussions on this list about open proxies, JSTOR, at my
request, gave permission to post an accounting of their recent ALA session
on this matter.  It's very useful in our ongoing understanding of this
topic.

The Moderators


Attached below is a summary of the recent JSTOR Participants' Meeting and
Open Proxy Information Session held on January 26. JSTOR was very glad to
have this opportunity to continue discussions on this topic with the
library and publisher communities.

We also have a positive anecdote to share that may indicate progress in
educating the community on open proxies.  Our Technical Services Assistant
recently discovered that, despite going to several publicly available
lists of open proxy servers, he could not easily find a listed proxy that
was still unrestricted. This represents a very different situation from
the one we encountered just a few months ago, in which there would be
dozens of easily accessible open proxies on every list. Although it may be
optimistic, and there are certainly still many open proxies in existence,
we choose to interpret this finding as an encouraging sign.

We hope that this summary of JSTOR's meeting and the links to the
presentations will be helpful to you and your colleagues.

JSTOR Participants' Meeting and Open Proxy Information Session
Sunday, January 26, 2003
8:30 AM - 11:30 AM
Marriott Philadelphia (Salon F), 1201 Market Street

At the JSTOR Participants' Meeting in January, Kevin Guthrie gave a
presentation that expanded upon his open proxy communication of December
6, 2002 (http://www.jstor.org/about/open.proxies.message.html). Kevin
discussed how open proxies work and described how open proxies were
recently used to illegally download a significant portion of JSTOR
content. Kevin's full presentation is available at:


Following Kevin's presentation during the Participants' Meeting, JSTOR
also conducted a special open proxy information session. This session was
intended to 1) supply additional technical details about the problem of
open proxies; 2) provide participants with an opportunity to ask
questions; and 3) offer an opportunity for constructive discussion about
the surrounding issues of network security and authentication options.

Several JSTOR staff members and a guest speaker gave brief presentations
on each of these areas. The full presentation slides for this session are
available at:


Session Agenda:

I.   Implications for the Scholarly Community
     Heidi McGregor, Director of Publisher Relations

II.  JSTOR's Response and Technical Considerations for Campuses
     David Yakimischak, Chief Technology Officer
     Dan Oberst, Director of Enterprise Infrastructure Services, 
     Princeton University

III. The Role of the Librarian 
     Sherry Aschenbrenner, Director of User Services 

Following the above presentations, attendees participated in a discussion
of several issues that surround open proxies and network security. David
Yakimischak asked the attendees for feedback regarding several options
JSTOR could pursue to address this issue.

David posed the following questions:

Q: "Should JSTOR invest in developing a technical solution, perhaps a
secure 'proxy-in-a-box' that would be made available to institutions?"

Some attendees indicated that a more appropriate avenue for JSTOR may be
to provide participating institutions with information and guidance,
rather than a new piece of software. In particular, advice about
techniques, methods, and tools for monitoring network security would be
very helpful. One attendee noted that in some ways, network security is
more of a social than a technical problem -- user education may go farther
to address the problem.

Q: "Should JSTOR consider checking the IP address of every request to the
servers to determine if that machine is running an open proxy server? It
is true that this additional layer of security could affect each user by
slowing down access."

Attendees were concerned about the potential impact this would have on
the speed of access.

Q: "Should JSTOR offer to scan institutional IP ranges for open proxies?"

It was felt that this was probably best left up to individual campuses.
Many institutions may already have established processes for addressing
these problems. Scanning of IP ranges by a third party could trigger
campus alarms set up to detect illegal activity on campus networks.

Participants also had several questions for the presenters:

Q: "What is a 'central proxy?'"

A central proxy requires every user (both those on-campus and off-campus)
to log into the proxy server before accessing restricted resources. It is
more secure than other proxy setups, since only authorized users may
ultimately connect to licensed resources. However, since all users must
log in regardless of their location, even on-campus users must
authenticate through an institutional web site before accessing a licensed

Q: "How might Shibboleth be affected by the USA Patriot Act of 2001 and
the privacy concerns it raises?"

One advantage to Shibboleth (http://shibboleth.internet2.edu/) is that it
will offer the ability to authorize users by attributes, rather than by
personal information. For example, once the user authenticates on campus
using Shibboleth, the resource provider may only receive information that
this user is a faculty member at a particular institution. The resource
provider would not need to know the user's ID number or email address,
just that the user is a member of a group that should have access to the

An attendee mentioned that using attributes instead of personal data can
also allow more control over access. Certain users could be allowed access
to all, or a subset of resources, depending on their status.

Shibboleth would offer more privacy protection than IP-based access
offers. It may appear that IP authentication provides some sort of filter
to protect individual users. However, web log files register individual IP
addresses and it is generally quite simple to follow an IP address back to
an institution and ultimately to an individual user.
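
The attribute-based authorization described in this answer can be sketched as follows. This is an added example, not code from JSTOR or the Shibboleth project: the attribute names, collection names and policy table are hypothetical, and the directory record is constructed sample data.

```python
# Added illustration; attribute names, collections and policy are hypothetical.

# Full directory record held by the campus identity system (constructed sample).
CAMPUS_RECORD = {
    "id_number": "000123456",
    "email": "jdoe@example.edu",
    "affiliation": "faculty",
    "institution": "example.edu",
}

# Release policy: the only attributes the campus sends to the resource provider.
RELEASED_ATTRIBUTES = ("affiliation", "institution")

# Provider policy: collections each status may read, per institution.
ACCESS_POLICY = {
    "example.edu": {
        "faculty": {"arts-sciences", "business"},
        "student": {"arts-sciences"},
    },
}


def release_attributes(record, allowed=RELEASED_ATTRIBUTES):
    """Campus side: build the assertion, dropping everything not explicitly released."""
    return {name: record[name] for name in allowed if name in record}


def authorize(assertion, collection, policy=ACCESS_POLICY):
    """Provider side: decide from attributes alone; deny anything unknown."""
    by_status = policy.get(assertion.get("institution"), {})
    return collection in by_status.get(assertion.get("affiliation"), set())


if __name__ == "__main__":
    assertion = release_attributes(CAMPUS_RECORD)
    # The provider sees status and institution only, never the ID number or email.
    print("provider receives:", assertion)
    for collection in ("arts-sciences", "business"):
        print(collection, "->", authorize(assertion, collection))
```

The provider's decision and its logs are built only from the released attributes, so the ID number and email address never leave the campus.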

Q: "What about wireless connectivity? Is it more, or less, secure than
traditional networks?"

With regard to open proxies, wireless networks are less vulnerable than
traditional networks. Wireless networks require physical proximity to
campus, and thus are less open to misuse by unaffiliated individuals
around the world. However, it is important to note that there are other
types of security concerns with wireless networks.

Q: "Please remember that smaller schools may not have the technical
capability to participate in large-scale operations, such as Shibboleth.
We need to have an authentication option that can be implemented by a wide
variety of institutions."

This is an important point. In fact, many small schools may already be
less vulnerable to network security problems. Smaller schools may have the
ability to implement tighter security measures and limited access points
to the network.

Additional information about open proxy servers may be found on the JSTOR
web site at:


