Elsevier exposes users’ emails and passwords online

Elsevier – publisher of scientific journals such as The Lancet – has left its users’ passwords and email addresses lying around online.

What Motherboard described as a “rolling list of passwords,” along with password reset links produced when a user requested a change to their login credentials was discovered by cybersecurity company SpiderSilk. It’s unclear how many records were exposed and for how long.

Mossab Hussein, SpiderSilk chief security officer, said that most of the exposed accounts are related to educational institutions, and hence belong to either students or teachers.

To paraphrase a Twitter wit… What could go wrong besides hackers making sure all their journal submissions get accepted?

For one thing, those email addresses/passwords could be used on other, sensitive sites, as Hussein pointed out. With the depressing ubiquity of password reuse, some of them undoubtedly are sprinkled around elsewhere online.

According to Motherboard’s Joseph Cox, the credentials were displayed on Kibana, a popular tool for visualizing and sorting data.

Motherboard verified that the credentials were valid by asking Hussein to reset his own password to a specific phrase fed to him by Motherboard. Cox writes:

A few minutes later, the plain text password appeared on the exposed server.

Elsevier secured the server after getting a heads-up from Motherboard and details from Hussein. An Elsevier spokesperson sent Motherboard a statement in which the publisher blamed a misconfigured server:

The issue has been remedied. We are still investigating how this happened, but it appears that a server was misconfigured due to human error. We have no indication that any data on the server has been misused. As a precautionary measure, we will also be informing our data protection authority, providing notice to individuals and taking appropriate steps to reset accounts.

As others have pointed out, saying that the passwords are no longer exposed doesn’t explain why they were stored in plain text to begin with. Hopefully, Elsevier will pay attention to that, as well as to the misconfigured server that left them hanging on the line like a discarded beach towel.

If you’re an Elsevier user

Reset your passwords, and if you know you’ve used the same password on other website – change those too! Watch out video on how to pick a strong unique password below:

And if a website gives you the option to turn on two-factor authentication (2FA or MFA), do that too. Here’s an informative podcast that tells you all about 2FA, if you’d like to learn more:

Autor: Lisa Vaas
Twitter: <@lisavaas>
Fuente: <https://nakedsecurity.sophos.com/>

Is Elsevier Committed to Open Access?

The Dutch state secretary of education, Sander Dekker, wants all publications from Dutch scientists to be available under Gold Open Access by 2024. This would require that the publication charges levied against the author completely covers all costs. It would also mean that no member of the public would have to pay subscription fees to access the data. Dutch institutions have formed a consortium to negotiate with academic publishers about an open access policy. There was some difficulty in arriving at an agreement with Elsevier publishing, leading to the Association of Universities in the Netherlands outlining a multi-stage Elsevier boycott to encourage the publishing house to bring Elsevier journals closer to the gold open access policy envisioned by Dekker.

In the first stage, all Dutch scientists who are editors of an Elsevier journal would be asked to resign. If this resulted in no change of Elsevier’s stance on open access publishing, Dutch researchers would be asked to stop acting as reviewers for Elsevier journals. As a last resort, Dutch scientists would be asked to stop publishing their work in Elsevier journals. At the end of 2014, the negotiating consortium and Elsevier were locked in a stalemate and the roll out of this multi-stage boycott seemed inevitable. However, Elsevier and the consortium arrived at a proposed contract a year later.

The Contract Between Elsevier and the Dutch Institutions

The Dutch universities are clearly pushing for a gold open access policy but there are those who suggest that Elsevier may be trying to sabotage open access. They base this accusation on the proposed contract between Elsevier and the Dutch universities. The proposal in its current format would give all the Dutch universities the ability to publish 3,600 open access articles in Elsevier journals over the course of three years. However, there are some restrictions. According to the open access paragraph of the agreement, only articles where the corresponding author is affiliated with a Dutch institution would qualify for open access publication. This means that publications originating from Dutch universities where the corresponding author is not of Dutch origin would not benefit from the open access deal. Additionally, only a small number of Elsevier journals would be part of this open access arrangement and Elsevier has chosen to include its lesser known titles in this agreement such as Clinical Genitourinary Cancer, The International Journal of Coal Geology, and Ticks and Tick-borne Diseases. Elsevier’s most prominent journals, such as Cell, The Lancet, and Journal of Financial Economics, are excluded from the deal.

On the financial side, the subscription costs to the Dutch institutions will be increased by 2.5% in 2017 and 2.0% in 2018. Elsevier describes this proposal as a three-year open access pilot program. In each consecutive year, 133 more Elsevier journals will be added to the list of journals where researchers affiliated with Dutch institutions may publish their work in an open access format. This will mean that, in 2018, about 1 in 5 Elsevier journals will be part of this open access agreement with the Dutch universities. The open access paragraph of the proposed contract between Elsevier and the Dutch universities, therefore, doesn’t seem to be very supportive of the gold open access ideals of the Dutch institutions or government. The proposal raised subscription costs while limiting who can publish under an open access license and excluded most Elsevier journals from this arrangement.

Open Access Model

Part of the reason there has been a demand from researchers for an open access policy is the fact that they feel the current system is broken. Professor Jan Blommaert described the current publication system as completely absurd for two reasons. First, there are the high subscription costs. Second, journals wield a lot of power over what they choose to publish. They also tend to favor the work of more established names in a field, which means that good work done by a young researcher may take a much longer time to be published than a less important article by an established scientist.

Of course, under the current subscription business model, journals earn significant profits from article processing charges levied against authors who must frequently waive the copyright to their work, institutional and personal journal subscriptions, and charges levied against members of the public to access individual articles of interest. The switch to open access would mean that there would be a single revenue stream. The proposed contract between Elsevier and the Dutch universities represents minimal effort from Elsevier as opposed to enthusiastically embracing an opportunity to switch to an open access model with authors from a single country. This kind of approach only serves as further evidence for those who maintain that the publishers’ main aim is to make a profit and not freely disseminate information, therefore, major publishing houses cannot be part of the open access solution.

Autor: Enago Academy
Twitter: <@Enago>
Fuente: <https://www.enago.com/>

Web of Science owner buys up booming peer-review platform

Acquisition could lead to new commercial services in scientific peer review.

Courtesy of Clarivate. Publons co-founder Andrew Preston and Jay Nadler, chief executive of Clarivate Analytics.

The owner of the vast science-citation database Web of Science — Clarivate Analytics — is buying up a firm that has gathered hundreds of thousands of peer-review records, in a deal that could lead to new ways of organizing scientific peer review and preventing peer-review fraud.

Clarivate, a US company, said on 1 June that it had acquired Publons, a New Zealand-based start-up firm that encourages scientists to share their peer review history online to help gain credit for their reviewing activity. More than 150,000 researchers have registered with Publons, and they have shared details of some 800,000 peer reviews on its site. Although many journals request anonymous peer review, Publons privately verifies reviews, and publicly lists the number of reviews that scientists have conducted with particular journals. The firm also provides training for peer reviewers and collects post-publication reviews.

The acquisition — financial details of which were not disclosed — might mean that Clarivate and Publons will sell science funders and publishers “new ways of locating peer reviewers, finding, screening and contacting them”, says Jessica Turner, global head of the scientific and academic research business at Clarivate, headquartered in Philadelphia, Pennsylvania. Both firms already offer services that some journals use to find peer reviewers, she adds.

Together, the companies now own large data sets that detail scientific authorship and citation patterns, as well as peer-review networks, across thousands of scholarly journals. That’s a rare combination: competing science publishers tend to keep details of their favoured peer reviewers secret.

Publons — which will continue to run as a stand-alone business — is particularly keen to help publishers tackle fake peer review, says its co-founder Andrew Preston. The issue has led to hundreds of retracted papers over the past few years as journals have discovered compromised review systems. In such cases, authors typically suggest apparently genuine reviewers for their papers, but provide bogus e-mail addresses that they or their friends control, and from which they send in their own reviews.

Because reviewers on Publons verify their e-mail addresses when they register with the site, the firm is effectively building a network of trusted, verified reviewers, with details of their peer-review record, Preston points out. “We can solve a lot of the inefficiencies that come out of the anonymous, siloed nature of peer review,” he says. Publons data have already been used to analyse inefficiencies in peer review: one paper, for example, suggests that in 2015 just 20% of scientists undertook the majority of peer reviews.

Growing business

Many researchers may not be familiar with Clarivate Analytics by name. The company was officially launched as an independent firm just eight months ago. But it is influential in science because it holds the former intellectual-property and science division of Thomson Reuters, the multinational news and information company. Last year, two private-equity funds bought that division in a US$3.55-billion deal, and in October, they announced Clarivate as the name of the firm that would own it. The company owns other products alongside Web of Science, such as large patent databases and the ScholarOne system, which is used by some journals to manage their peer-review and publication processes.

Some industry observers had speculated that the private-equity funds would break up the division into parts to make a quick profit. But Turner says that they have invested in Clarivate and see “significant growth potential” in its scientific and research business.

“Publons now find themselves at the heart of the rebuilding programme to support Clarivate’s reinvention, and a vital part of the system of reference and authority needed to maintain scholarly communication in a digital, networked age,” says David Worlock, a UK-based publishing consultant with knowledge of the deal.

“If Clarivate can manage the next stages appropriately, then they have a chance to solve many of the issues around bringing pre- and post-peer review together,” he adds.

Nature doi:10.1038/nature.2017.22094

Autor: Richard Van Noorden
Twitter: <@richvn>
Fuente: <http://www.nature.com/>