by goatkarma 2351 days ago
One thing that is often overlooked is the method that Scihub uses to obtain articles, and the impact that method has on the very researchers who use it.

Phishing scams are used to obtain the credentials of university accounts, which are then used via a proxy on Scihub to obtain the requested article (it's quite clever.. they seem to often silently proxy the institution's Ezproxy with the phished credentials). The same credentials given to Scihub are often not just used by Scihub, and are then used for further phishing or hacking by other third parties, causing harm to the phishing victim.

Having said that, library software providers and journal platforms should be looking at Scihub and learning from it. Users want an easy to use platform with minimal fuss or hoops to jump through.

Of course, this is just a tiny piece of the much larger problem of the rotten unsustainable commercial journal publishing ecosystem..

4 comments

Do you have any evidence for this? Because otherwise it's just a piece of FUD to poison public perception of scihub.

Especially the gratuitously cruel "credentials given to Scihub are often not just used by Scihub, and are then used for further phishing or hacking by other third parties".

Sorry I didn't respond earlier, I think my account was rate limited due to being new.

Not sure what sort of proof you want? "Gratuitously cruel" is quite an emotive description! The simplest example is the same phished accounts used by Scihub were also used to send more phishing emails to university and non-university email addresses.

Hopefully you'll see below from my other responses, I'm not here to turn people against SH (I admire it, and what they did technically with creating their own proxy on top of other University proxies is really clever stuff!), but the access to articles needs to come from somewhere, and I'm just pointing out my experience from working at a university (who I'm sure is sick of paying millions PA for resource access!).

Is this FUD or do you have anything to back this up with?
20 years of working in HE IT.

Random unaffiliated Scihub users in China contacting our University IT helpdesk after the phished accounts Scihub was using to proxy an article had reached its EZproxy download limit and the 'you have been blocked' message they receive instructed them to contact our helpdesk!

You might be making quite the assumption that those account credentials were phished, rather than voluntarily donated to Scihub. Support for the project is pretty wide (probably well above 50% of academics), so I'd expect credentials from almost every university to be donated to them.
It is definitely a possibility. Our Security team have a quite rigorous follow-up process and that's never been raised, but absolutely not out of the realms of possibility. However some accounts for users in non-academic departments have been used previously too. I can guarantee Sandra in HR has no interest in open science :-D

I should note that I am a huge advocate for OA and think the whole journal ecosystem is a rotten house of cards waiting to tumble. I just see the direct impact of phished accounts at my institution..

I think you should have indicated that you weren't certain in the original accusation.
I'm not sure if you caught the above comment but I can be certain that professional services staff (HR, admin etc) whose accounts have been used by Scihub definitely did not give their credentials voluntarily. They have zero interest in Scihub or access to material.
are you sure they were really "phished"? scihub would have no problems finding volunteers who would 'phish themselves'
And after donating credentials, the donor and IT are better off just claiming the password was "phished" (winkwink) when caught.
"proof"
Proof required. You may work for Elsevier and just be spreading FUD.
I think pretty much any university could provide proof that Scihub uses phished credentials to proxy articles for their users. It's no secret in HE.

Here's the first Google link. It's far too alarmist but should at least give the gist. https://scholarlykitchen.sspnet.org/2018/09/18/guest-post-th...

One other point I missed that we often have to deal with: when phished accounts are used to mass-download PDFs, many publisher sites auto-block the IP of the requester, which in this case is the University's Ezproxy server. This then means no user at the university can access the resource till the block is lifted (or they could just use Scihub in the meantime :~D ).
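The comments above describe the symptom a university sees from the defender's side: a single proxied account pulling PDFs in bulk, often from many client IPs, until the publisher blocks the institution's proxy. The script below is an added example (not from this thread, nor from EZproxy or any publisher) showing how a library or security team could spot that pattern in proxy access logs before the publisher does. The log layout, the field order, the user names and IPs are all constructed for the example; real EZproxy deployments set their own LogFormat, so the regex would need to match yours.

```python
"""Flag proxy accounts whose download pattern suggests credential abuse.

Added illustrative example. Assumes an Apache-like proxy log layout:
  client_ip - username [timestamp] "METHOD url PROTO" status bytes
The sample lines below are constructed; they are not real log data.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: "jsmith" fetching many PDFs from several client IPs
# in under two minutes; "alee" doing ordinary, spaced-out reading.
SAMPLE_LOG = """\
203.0.113.10 - jsmith [12/Mar/2019:09:01:02 +0000] "GET https://publisher.example/doi/pdf/10.0000/aaa HTTP/1.1" 200 512000
203.0.113.11 - jsmith [12/Mar/2019:09:01:05 +0000] "GET https://publisher.example/doi/pdf/10.0000/aab HTTP/1.1" 200 498000
198.51.100.7 - jsmith [12/Mar/2019:09:01:40 +0000] "GET https://publisher.example/doi/abs/10.0000/aac HTTP/1.1" 200 21000
198.51.100.7 - jsmith [12/Mar/2019:09:01:44 +0000] "GET https://publisher.example/doi/pdf/10.0000/aac HTTP/1.1" 200 530000
192.0.2.200 - jsmith [12/Mar/2019:09:02:01 +0000] "GET https://publisher.example/doi/pdf/10.0000/aad HTTP/1.1" 200 501000
192.0.2.201 - jsmith [12/Mar/2019:09:02:09 +0000] "GET https://publisher.example/doi/pdf/10.0000/aae HTTP/1.1" 200 488000
203.0.113.10 - jsmith [12/Mar/2019:09:02:30 +0000] "GET https://publisher.example/doi/pdf/10.0000/aaf HTTP/1.1" 200 505000
10.20.30.40 - alee [12/Mar/2019:09:05:00 +0000] "GET https://publisher.example/doi/pdf/10.0000/bba HTTP/1.1" 200 470000
10.20.30.40 - alee [12/Mar/2019:09:41:12 +0000] "GET https://publisher.example/doi/pdf/10.0000/bbb HTTP/1.1" 200 455000
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)
# Heuristic for "this request fetched a full-text PDF" (assumed URL shapes).
PDF_RE = re.compile(r'/pdf/|\.pdf($|\?)')


def parse_log(text):
    """Yield one dict per line that matches the assumed layout; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        yield rec


def max_in_window(timestamps, window_seconds):
    """Largest number of events that fall inside any window of the given length."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_accounts(log_text, burst_limit=5, window_seconds=300, ip_limit=3):
    """Return {user: [reasons]} for accounts whose successful PDF fetches look
    like bulk harvesting (burst) or shared credentials (many client IPs).
    Thresholds are illustrative; tune them to your own baseline."""
    downloads = defaultdict(list)   # user -> timestamps of successful PDF fetches
    ips = defaultdict(set)          # user -> distinct client IPs seen
    for rec in parse_log(log_text):
        ips[rec["user"]].add(rec["ip"])
        if rec["status"] == 200 and PDF_RE.search(rec["url"]):
            downloads[rec["user"]].append(rec["ts"])

    flagged = {}
    for user in ips:
        reasons = []
        burst = max_in_window(downloads.get(user, []), window_seconds)
        if burst > burst_limit:
            reasons.append(f"{burst} PDF downloads within {window_seconds}s")
        if len(ips[user]) >= ip_limit:
            reasons.append(f"{len(ips[user])} distinct client IPs")
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    for user, reasons in flag_accounts(SAMPLE_LOG).items():
        print(user, "->", "; ".join(reasons))
```

Running this over the constructed sample flags only `jsmith` (six PDFs in under five minutes, five different client IPs). The two signals are deliberately independent: a burst from one IP is what trips a publisher's auto-block, while many IPs behind one login is the signature of a credential being used by people other than its owner, which is exactly the case raised in the thread for staff who never use journal content. Alerting on either gives the institution a chance to reset the password before the proxy IP is blocked for everyone.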

Have you seen this statement straight from the owner of sci-hub: https://engineuring.wordpress.com/2017/07/02/some-facts-on-s...
Interesting link, thanks! I guess the pertinent part is:

I did not tell Science how credentials were donated: either voluntarily or not. I only told that I cannot disclose the source of the credentials. I assume that some credentials coming to Sci-Hub could have been obtained by phishing.

Here's what I think possibly happens: credentials are phished, with Scihub as one of the main "customers", alongside other groups, or they are put into the (semi)public domain. They are then used for other nefarious purposes by non-scihub third parties (more phishing, network access etc).

Would university accounts still be phished without Scihub? Absolutely! Would the volume be so high? I'm not so sure. Plus it still causes headaches for fellow university users of the phished account if the proxy gets blocked... especially as publisher customer services are utterly terrible and institutions could be weeks without proxy access to one of the "biggie" publishers!

Having said that, library software providers and journal platforms should be looking at Scihub and learning from it. Users want an easy to use platform with minimal fuss or hoops to jump through.

If you bothered to read TFA, you'd have realized this statement was already addressed by TFA's point on publishers mistaking Sci-Hub's appeal as "simple to use" like single sign-on. Which makes me question your credibility.

Err I read TFA...Just read the top comments on this HN post to see ease of use is absolutely key to why folk use it.

My perspective is from the University side of things so can only speak for that rather than from the perspective of users who do not have access to the content at all.

I've spoken to users whose workflow consists of googling the article title to get the DOI, then putting that DOI into Scihub to get the PDF, without even going near the University's library system. Most of the time the Library actually has an electronic copy, but the process to get them, even with SSO, is laborious and confusing. Just look at the SSO login screens for different publishers' sites: some say 'sign in with single sign on', others say 'institutional login', or 'Shibboleth login' etc. How are University users expected to jump through these hoops when they can search for the title or DOI and get the PDF instantly?

And my perspective is from someone who does research on small-world networks in their spare time.

For me it's a matter of having access. I can easily find seminal papers like Kleinberg or Watts-Strogatz. Anything that is more recent and builds off of these papers tends to be locked up and I'm not able to afford buying these papers one-off, since I don't even know for sure they'll be in a direction useful to my research.