Editorial Manager and password security for academics

Today, Nature published a news feature by Cat Ferguson, Adam Marcus and Ivan Oransky (Retraction Watch) in which I am quoted about some problems with Editorial Manager (EM). This post provides the background to what I say there. Disclaimer: I am not a security expert, though the basic problems should be obvious to anyone caring about security and privacy on the web.

Editorial Manager (EM), the submission and reviewing software used by thousands of academic journals, routinely throws around passwords in plaintext. If you publish with any of the journals using EM, you’ll get emails with your password in plain text, even if you didn’t ask for it. Some configurations of EM even display the password in plain view on the user account page. This means that Editorial Manager does not safely encrypt passwords, which presents a massive security risk. Aries Systems, the firm behind Editorial Manager, defends itself by saying that (1) journal editors want these options and (2) they don’t collect financial information anyway. Those replies skirt the real issue: Editorial Manager, trusted by millions of academic authors and reviewers, fails to implement some of the most basic rules for the secure and responsible handling of passwords and user accounts.

Editorial Manager

Every academic will run into the Editorial Manager system sooner or later. This is a piece of web-based software that helps the editors of academic journals to manage the submission and review procedure. Literally thousands of journals across all disciplines use it, from well-known interdisciplinary ones like PLOS ONE to niche journals like Policy and Society and Frontiers in Neuroendocrinology, to pick some random examples.

EM requires authors, reviewers and editors to register an account. With such an account, users can submit and review manuscripts. The registration procedure asks for the usual username / email / password combination — nothing very special so far. Until you start using the system a bit more and you discover that it handles your password in, shall we say, a very casual way.

Let’s just take PLOS ONE as an example (though note that any other journal using EM is vulnerable in the same ways). Say you submit a paper, or get a request to review one. You’ll get an email notifying you — with your password thrown in for good measure. In plaintext. You didn’t ask for it. In fact even if you did, it shouldn’t be able to give it to you — it should at most offer you to reset it or generate a new one. So there you go: your password in plain text.

Editorial Manager for PLoS ONE sends you your password in plain text, even if you don’t ask for it

Packet sniffing and password reuse

I shouldn’t really have to explain why this is seriously problematic in multiple ways. Indeed why this is so is written all over the internet. Let me just quickly summarise. The fact that the system is sending my password to me by email means, first of all, that my password could be intercepted by any old packet sniffer. It also means, obviously, that my password can be retrieved by anyone who manages to get access to this email — either by looking over my shoulder or by more sophisticated means.

But even worse, the fact that the system can send me my password also must mean that the password is stored in plaintext form, or using easily reversible encryption (which, experts say, comes down to the same). As plaintextoffenders puts it, the password is there, waiting for someone to come and take it. And not only my password is there. The passwords of the millions of users of the thousands of academic journals using this service. That, coupled with the knowledge that about 60% of users reuse passwords across different web services, means a security risk of massive proportions. Check out this XKCD comic for the basics on password reuse.

Not only will EM send you your password in plaintext. It also doesn’t shy away from displaying plaintext passwords on profile pages, offering further proof of the lack of encryption (or the use of reversible encryption, which in terms of security risks comes down to the same). Thousands of academic journals crucially depend on this same system, making their hundreds of thousands of peer reviewers and authors sign up for it. You would think that with “periodic third party security and infrastructure audits” (according to Aries’ hosting checklist), Aries Systems would at least have ensured that the most basic lessons in user account security are taken care of. Apparently not.

Aries Systems: ‘It’s optional, so don’t worry’

While preparing this blog post in May 2013, I communicated my findings to the Editorial Manager team, because I thought it would be reasonable to give them the chance to get their act together and respond to the issue. A first email went unanswered. A reminder email then led to an email exchange with Jennifer Fleet, Director of Client Services at Aries Systems, the company behind EM. Here are the most crucial excerpts from what she wrote to me (she gracefully gave me permission to cite this):

Our software (Editorial Manager) has a variety of configuration options that are made available to our publishing customers. The inclusion of credentials in emails is an optional configuration choice. The configuration option to include log-in credentials in emails is desired by some publishers because of the high convenience factor it provides to end users who infrequently access the system. However, inclusion of credentials in emails can also be entirely suppressed and many publishers in fact do not include credentials in emails. We have a wide variety of publishing customers and each is empowered by the administrative capabilities in the system to make their own choices concerning this type of policy.

While honest, this reply shows that Aries Systems doesn’t realise how important it is to handle user information in a responsible way. The defense is basically: our clients want it, so we do it. But clients should never dictate security design. As a common theme in web development has it: your responsibility goes beyond your application.

Modern, safe, and user-friendly ways of handling user account security (involving hashed+salted storage of passwords with tokenised ways of resetting (but never retrieving!) them) have been available for at least five years now. People have thought long and hard about this problem. Repeated breaches have shown how dangerous it is to use anything less than secure encryption and robust ways of resetting passwords. There is really no excuse to not use industry-standard security measures.

Aries Systems: ‘We don’t collect financial information’

Aries Systems: “We do encrypt all passwords in our databases. Also, Editorial Manager does not collect or store any financial information.

I would be happy to discuss this with you further by telephone or email, and I hope you will understand the dynamics and trade-offs under consideration.”

This typical marketing response ignores a simple technical fact: any system that offers the possibility to switch on bizarre options like sending out or displaying plaintext passwords has to store its passwords in such a way that they can be easily fetched and decrypted. That’s the problem right there.

The final defense is that Editorial Manager doesn’t store financial information. You haven’t given us your credit card, so we’ll just handle your user accounts in an irresponsible way mmkay? First, this is a blatant disregard of the simple principle, mentioned above, that your responsibility goes beyond your application. Second, this is of course only apparently a mitigating circumstance. It is widely known that about 60% of users reuse passwords across websites.

If EM were to be hacked, how many of those passwords would match with passwords on other services that do allow financial transactions? The user base of EM consists of highly educated people in academia. They will have credit cards, Amazon accounts, PayPal wallets, iTunes IDs, et cetera. A significant chunk of them may use the same password for some of those services. Put these things together and suddenly Editorial Manager becomes a very interesting hacking target. (I would not say this out loud here if I had not communicated all this to Aries Systems over a year ago.)

It’s not about financial information

Financial information isn’t really what most academics care about. What they do care about is the quality of the scholarly process. What if Editorial Manager or a similar system is the weakest link in the chain of peer review? What if you could easily get access to someone’s account — pass yourself off as a peer reviewer, say, or get access to an editor’s account to invite your own friends (or yourself) to peer review your own papers?

This is not mere conjecture. It’s happened already, as documented by RetractionWatch: Elsevier’s editorial system (which is basically a branded version of EM) was hacked, leading to a peer review scandal and ultimately to a couple of retractions. The details of the case aren’t known, but with a link in the chain that is as weak as EM’s lighthearted handling of password security, I wouldn’t be surprised if some form of password hacking played a role.

Let me end on a positive note. The journal Language recently transitioned to the open source Open Journal Systems, which, as far as I’ve been able to ascertain, handles passwords and account information in a much more secure and modern way. Such is the power of open source. Of course, this doesn’t really help us end users: we are unlikely to choose a publication venue on the basis of the manuscript management software they force us to use. Still, it does show that there are good models out there. Let’s hope that the dust kicked up by the Nature news story will bring change.

Mark Dingemanse
Max Planck Institute for Psycholinguistics, Nijmegen

Hockett on arbitrariness and iconicity

Quote

Charles Hockett had interesting views on the relation between iconicity and arbitrariness. Here is a key quote:

The difference of dimensionality means that signages can be iconic to an extent to which languages cannot; and they are, even though, as Frishberg (1975) tells us, the trend in Ameslan for over a century has been towards more and more conventionalization.

Now, while arbitrariness has its points (see, e.g., Hockett 1960a, p. 212), it also has drawbacks (Hewes, ANYAS, p. 495), so that it is perhaps more revealing to put the difference the other way around, as a limitation of spoken languages.

Indeed, the dimensionality of signing is that of life itself, and it would be stupid not to resort to picturing, pantomiming, or pointing whenever convenient. (Even when speaking we do this: for example, we utter a demonstrative such as there, which indicates relative distance but not direction, and supplement it by a pointing gesture that indicates direction but not distance.)

But when a representation of some fourdimensional hunk of life has to be compressed into the single dimension of speech, most iconicity is necessarily squeezed out. In one-dimensional projection, an elephant is indistinguishable from a woodshed. Speech perforce is largely arbitrary; if we speakers take pride in that, it is because in 50,000 years or so of talking we have learned to make a virtue of necessity (cf. Hill 1972, pp. 313-15).

Linearity means that single devices must serve multiple functions, whereupon structural ambiguity becomes par for the course (see C. R. Peters, Origins, pp. 83-102). We hear Carbon fourteen, Strontium ninety; out of context, we do not know whether this is mention of two radioactive isotopes, or a roadside marker giving the distance to two towns on the road ahead, or the final score in the game between Carbon Free Academy and Strontium Senior High. 

It is such ambiguities, forced by limited dimensionality if by nothing else, that have given rise to the notion of “surface versus deep structure,” which Stokoe evokes for the remark of which the present paragraph is an expanded paraphrase: his trenchant observation (ANYAS, p. 510) that in sign, as over against speech, “surface and depth more nearly coincide.” (pp. 264-5)

Hockett, C. F. 1978. “In Search of Jove’s Brow.” American Speech 53 (4): 243–313. doi:10.2307/455140.

African ideophones and their contribution to linguistics — workshop at WOCAL8 in Kyoto, Aug 2015

Organisers

Dr. Mark Dingemanse (Max Planck Institute, Nijmegen)
Prof. Sharon Rose (University of California, San Diego)

African ideophones and their contribution to linguistics

WOCAL8, August 21-24 2015, Kyoto

Africa’s linguistic diversity has impacted the study of language in many ways. The articulatory phonetics of the Khoi and San languages prompted methodological innovations in phonetics, the tonal systems of West-African languages spurred the development of autosegmental phonology, and the ornate morphology of Bantu prompted syntacticians to reconsider the balance between transformational rules and lexical elaboration. In this workshop we consider how the study of ideophones can contribute to theory and methods in linguistics.

Ideophones (also known as mimetics or expressives) are marked words that depict sensory imagery. A major word class in many African languages, they are somewhat of an inconvenient truth for the dogma that spoken languages rarely feature iconicity in the lexicon. Their phonology is marked in a way that bears a clear relation to the broader phonological system of the language, providing for a unique window into phonological structure. Their prosody and morphosyntax set them apart as special words, yet they are more deeply integrated in linguistic subsystems than is often assumed, raising interesting questions about what is in and outside grammar. Their meanings are rich and imagistic, providing unparalleled ways to talk about sensory perceptions. All of these properties represent areas where ideophones can shed light on the design features of language, the iconic affordances of speech, and the nature of human communicative competence.

This workshop gathers international experts to present recent research on ideophones and to put recent developments into theoretical context. Submissions are expected to focus on the connection between ideophone research and foundational issues in linguistics, from phonology to prosody and from syntax to meaning. We encourage papers that show how new approaches can shed light on old questions, and how the systematic study of ideophones can contribute new insights to our understanding of the structure of language and languages. One and a half centuries after the earliest descriptions of ideophones in African languages, the 8th World Congress of African Linguistics in Kyoto offers a unique chance to take stock of what we have learned so far from ideophones, and to explore ways to integrate this knowledge into the broader language sciences.

Important dates

Deadline for abstract submission: October 31, 2014

Notification of acceptance: December 1, 2014

Conference: August 21-24, Kyoto

Abstracts should follow the general guidelines established for the submission of abstracts for WOCAL 8, which can be found here: is.gd/wocal8abstracts

Universal Social Rules Underlie Languages

Illustration by James Yang

© James Yang

The September/October issue of Scientific American MIND features an article written by me and N.J. Enfield entitled “Universal Social Rules Underlie Languages”. We review recent research on conversation across cultures, including work on turn-taking, timing, and other-initiated repair.

Scientific American MIND is a psychology/brain-themed offshoot of the well-known Scientific American magazine. We’re proud to publish in the pages of this journal!

If you are a SciAm subscriber, you can find our article online here. If you’re at a university or a research institution, you can probably also access it via the DOI. And if you’re neither of those, check out our author’s offprint (PDF).

Abercrombie on ‘paralanguage’

Quote

There is an urgent need for the comparative study, over as much of the world as possible, of the full range of paralinguistic phenomena — the kind of thing for which the linguistic field-worker is best fitted. Fact-finding, not theorising, is what is wanted at this present juncture.

Abercrombie, David. 1968. “Paralanguage.” International Journal of Language & Communication Disorders 3 (1): 55–59. doi:10.3109/13682826809011441.

That was almost half a century ago. Yet apart from some striking exceptions like Adam Kendon and David Wilkins, it is only since the last decade that fieldworkers have begun to collect multi-modal data in earnest.

Media as a means

Last Wednesday I spoke at the Vakconferentie Wetenschapscommunicatie about what we learned from the media storm around our work last year. Here are my slides:

Many scientists have a love-hate relationship with the media. Media attention is hard to get and, once you have it, even harder to control. When do you push on and when do you say no? How do you find the balance between steering and going with the flow? I discuss these and other questions on the basis of a concrete case: the worldwide media storm around our research on misunderstandings and how they get resolved. Topics include making smart use of social media, working with science communication (WTC) experts, and recognising when you have no control.

The common thread is media as a means, not as an end. Unlike professional science communicators, scientists are not after media attention per se. We want to be convinced of the benefit before we jump in. We are also very realistic about the news value of our research: most of what we do proceeds in small steps and is irrelevant to the seven-league boots of the media. But when there is something that deserves more attention, you need to know what you are doing. That is what my presentation is about. In the preparation you have to be a Confucian: driven, conscientious and attentive to every detail. Once the media storm (or breeze) has started, you become a Taoist: go with the flow, let go, and use the momentum for new things.

The session

The other speakers in the session were Chris Jacobs, a PhD student in biology at Leiden University, and Fred Balvert, science communicator at Erasmus MC. Chris has a very nice website, science-explained.com, on which he explains how his field works; and Fred has just published a little book with tips for scientists who engage with the media.

That reminded me of the NWO media guide, which I received a few years ago at an NWO information day: short and to the point, full of practical tips, and available here as a free PDF download.

Zbikowski on music and social interaction

Quote

Instead of probing the cultural or historical context for musical utterances, or the complex networks of social interaction that give rise to musical behavior, music theory continues to focus on details of musical discourse with an obsessiveness that is both maddening and quixotic to cultural and social theorists.

Zbikowski, Lawrence Michael. 2002. Conceptualizing music : cognitive structure, theory, and analysis. Oxford; New York: Oxford University Press.

Von Humboldt on depiction in speech

Quote

Where moderation is not utterly overstepped, the wealth of sound in languages can be compared to coloration in painting. The impression of both evokes a similar feeling; and even thought reacts differently if, like a mere outline, it emerges in greater nakedness, or appears, if we may so put it, more coloured by language.

Wilhelm von Humboldt, On language, page 80. Originally published in 1836.

Von Humboldt, Wilhelm. 2000. On language: On the Diversity of Human Language Construction and Its Influence on the Mental Development of the Human Species. Trans by. Peter Heath. Cambridge: Cambridge University Press.

Malinowski on observing ‘performance’

Quote

There is no doubt, from all points of sociological, or psychological analysis, and in any question of theory, the manner and type of behaviour observed in the performance of an act is of the highest importance. Indeed behaviour is a fact, a relevant fact, and one that can be recorded. And foolish indeed and short-sighted would be the man of science who would pass by a whole class of phenomena, ready to be garnered, and leave them to waste, even though he did not see at the moment to what theoretical use they might be put!

Malinowski, Bronislaw. 1922. Argonauts Of The Western Pacific. London: Routledge & Kegan Paul.

Malinowski in a carefully staged photograph (see here for an insightful analysis)

Sound symbolism in language: Does nurunuru mean dry or slimy?

Guest posting by Gwilym Lockwood, PhD student in the Neurobiology of Language Department at the Max Planck Institute for Psycholinguistics.

Picture taken from Gomi 1989 ‘An illustrated dictionary of Japanese onomatopoeic expressions’

When you hear the word dog, you understand it because you have learned that meaningless individual sounds mean dog when arranged in a specific order into a word – it’s not like d means “fluffy”, o means “four legs”, and g means “enjoys rolling in smelly things”. The sound of the word dog is unrelated to the thing it means – it just so happens that the combination of d, o, and g in English means dog. The same concept in other languages is expressed with very different sounds: hond in Dutch, inu in Japanese, sobaka in Russian. The idea that the individual sounds which make up words are unrelated to the meaning of the word that those sounds express is called arbitrariness in linguistics.

Arbitrariness seems to make sense; if the sounds of language did have specific meanings, if the sounds of words were related to the things they mean, then surely all languages would sound quite similar. Given that they rather obviously do not (for example, Hawaiian has only eight consonants, while Georgian has 28, and !Xóõ, spoken in Botswana, has at least 58), it is safe to say that there is little or no relation between sound and meaning.

However, researchers have recently started to investigate this assumption. Several languages around the world use sound symbolic words called ideophones, which are used to talk about sensory imagery. Interestingly, these words seem to be directly related to their meaning (i.e. the sounds of the words are symbolic of their meaning), and even more interestingly, there seems to be something universal about these words – several experiments have shown that people who don’t speak these languages can still understand (or accurately guess) the meanings of ideophones.

We can try that out now. See if you can guess the meanings of these Japanese ideophones (answers below):

  1. nurunuru – dry or slimy?
  2. pikapika – bright or dark?
  3. wakuwaku – excited or bored?
  4. iraira – happy or angry?
  5. guzuguzu – moving quickly or moving slowly?
  6. kurukuru – spinning around or moving up and down?
  7. kosokoso – walking quietly or walking loudly?
  8. gochagocha – tidy or messy?
  9. garagara – crowded or empty?
  10. tsurutsuru – smooth or rough?
Answers:

  1. nurunuru – slimy
  2. pikapika – bright
  3. wakuwaku – excited
  4. iraira – angry
  5. guzuguzu – moving slowly
  6. kurukuru – spinning around
  7. kosokoso – walking quietly
  8. gochagocha – messy
  9. garagara – empty
  10. tsurutsuru – smooth

Did you guess the meanings of these words better than you would expect? Unlike the word dog, it seems that the individual sounds in these words actually do contribute to the meaning of the words, and this is called sound symbolism. Sound symbolism is the opposite of arbitrariness, but the two can coexist perfectly happily within language.

Speakers of languages with sound symbolic ideophones, such as Japanese, often talk about how the ideophones create a very vivid image or feeling in their minds, whereas normal words don’t. When a Japanese person hears the word kirakira, meaning sparkly, it is like they can actually see the thing that is sparkly. How sound symbolism works, however, is not quite clear, and there have not yet been many neuroscience studies on it, but the research so far suggests that hearing sound symbolic words might involve other forms of sensory perception in a similar way to how people with synaesthesia associate colours to letters. My research at MPI is to investigate why certain sounds appear to be related to certain meanings across languages and how the brain processes these sounds.
